diff options
Diffstat (limited to 'source4/sam')
| -rw-r--r-- | source4/sam/SAM-interface_handles.txt | 123 | ||||
| -rw-r--r-- | source4/sam/account.c | 305 | ||||
| -rw-r--r-- | source4/sam/get_set_account.c | 845 | ||||
| -rw-r--r-- | source4/sam/get_set_domain.c | 263 | ||||
| -rw-r--r-- | source4/sam/get_set_group.c | 106 | ||||
| -rw-r--r-- | source4/sam/group.c | 193 | ||||
| -rw-r--r-- | source4/sam/gumm_tdb.c | 562 | ||||
| -rw-r--r-- | source4/sam/gums.c | 131 | ||||
| -rw-r--r-- | source4/sam/gums_api.c | 1268 | ||||
| -rw-r--r-- | source4/sam/gums_helper.c | 607 | ||||
| -rw-r--r-- | source4/sam/interface.c | 1338 | ||||
| -rwxr-xr-x | source4/sam/sam_ads.c | 1378 | ||||
| -rw-r--r-- | source4/sam/sam_plugin.c | 79 | ||||
| -rw-r--r-- | source4/sam/sam_skel.c | 251 |
14 files changed, 7449 insertions, 0 deletions
diff --git a/source4/sam/SAM-interface_handles.txt b/source4/sam/SAM-interface_handles.txt new file mode 100644 index 00000000000..1c164bd198b --- /dev/null +++ b/source4/sam/SAM-interface_handles.txt @@ -0,0 +1,123 @@ +SAM API
+
+NTSTATUS sam_get_sec_obj(NT_USER_TOKEN *access, DOM_SID *sid, SEC_DESC **sd)
+NTSTATUS sam_set_sec_obj(NT_USER_TOKEN *access, DOM_SID *sid, SEC_DESC *sd)
+
+NTSTATUS sam_lookup_name(NT_USER_TOKEN *access, DOM_SID *domain, char *name, DOM_SID **sid, uint32 *type)
+NTSTATUS sam_lookup_sid(NT_USER_TOKEN *access, DOM_SID *sid, char **name, uint32 *type)
+
+
+Domain API
+
+NTSTATUS sam_update_domain(SAM_DOMAIN_HANDLE *domain)
+
+NTSTATUS sam_enum_domains(NT_USER_TOKEN *access, int32 *domain_count, DOM_SID **domains, char **domain_names)
+NTSTATUS sam_lookup_domain(NT_USER_TOKEN *access, char *domain, DOM_SID **domainsid)
+
+NTSTATUS sam_get_domain_by_sid(NT_USER_TOKEN *access, uint32 access_desired, DOM_SID *domainsid, SAM_DOMAIN_HANDLE **domain)
+
+
+User API
+
+NTSTATUS sam_create_user(NT_USER_TOKEN *access, uint32 access_desired, SAM_USER_HANDLE **user)
+NTSTATUS sam_add_user(SAM_USER_HANDLE *user)
+NTSTATUS sam_update_user(SAM_USER_HANDLE *user)
+NTSTATUS sam_delete_user(SAM_USER_HANDLE * user)
+
+NTSTATUS sam_enum_users(NT_USER_TOKEN *access, DOM_SID *domain, int32 *user_count, SAM_USER_ENUM **users)
+
+NTSTATUS sam_get_user_by_sid(NT_USER_TOKEN *access, uint32 access_desired, DOM_SID *usersid, SAM_USER_HANDLE **user)
+NTSTATUS sam_get_user_by_name(NT_USER_TOKEN *access, uint32 access_desired, char *domain, char *name, SAM_USER_HANDLE **user)
+
+
+Group API
+
+NTSTATUS sam_create_group(NT_USER_TOKEN *access, uint32 access_desired, uint32 typ, SAM_GROUP_HANDLE **group)
+NTSTATUS sam_add_group(SAM_GROUP_HANDLE *samgroup)
+NTSTATUS sam_update_group(SAM_GROUP_HANDLE *samgroup)
+NTSTATUS sam_delete_group(SAM_GROUP_HANDLE *groupsid)
+
+NTSTATUS sam_enum_groups(NT_USER_TOKEN *access, DOM_SID *domainsid, uint32 typ, uint32 *groups_count, SAM_GROUP_ENUM **groups)
+
+NTSTATUS sam_get_group_by_sid(NT_USER_TOKEN *access, uint32 access_desired, DOM_SID *groupsid, SAM_GROUP_HANDLE **group)
+NTSTATUS sam_get_group_by_name(NT_USER_TOKEN *access, uint32 access_desired, char *domain, char *name, SAM_GROUP_HANDLE **group)
+
+NTSTATUS sam_add_member_to_group(SAM_GROUP_HANDLE *group, SAM_GROUP_MEMBER *member)
+NTSTATUS sam_delete_member_from_group(SAM_GROUP_HANDLE *group, SAM_GROUP_MEMBER *member)
+NTSTATUS sam_enum_groupmembers(SAM_GROUP_HANLDE *group, uint32 *members_count, SAM_GROUP_MEMBER **members)
+
+NTSTATUS sam_get_groups_of_user(SAM_USER_HANDLE *user, uint32 typ, uint32 *group_count, SAM_GROUP_ENUM **groups)
+
+
+
+structures
+
+typedef _SAM_GROUP_MEMBER {
+ DOM_SID sid;
+ BOOL group; /* specifies if it is a group or a user */
+
+} SAM_GROUP_MEMBER
+
+typedef struct sam_user_enum {
+ DOM_SID sid;
+ char *username;
+ char *full_name;
+ char *user_desc;
+ uint16 acc_ctrl;
+} SAM_USER_ENUM;
+
+typedef struct sam_group_enum {
+ DOM_SID sid;
+ char *groupname;
+ char *comment;
+} SAM_GROUP_ENUM
+
+NTSTATUS sam_get_domain_sid(SAM_DOMAIN_HANDLE *domain, DOM_SID **sid)
+NTSTATUS sam_get_domain_num_users(SAM_DOMAIN_HANDLE *domain, uint32 *num_users)
+NTSTATUS sam_get_domain_num_groups(SAM_DOMAIN_HANDLE *domain, uint32 *num_groups)
+NTSTATUS sam_get_domain_num_aliases(SAM_DOMAIN_HANDLE *domain, uint32 *num_aliases)
+NTSTATUS sam_{get,set}_domain_name(SAM_DOMAIN_HANDLE *domain, char **domain_name)
+NTSTATUS sam_{get,set}_domain_server(SAM_DOMAIN_HANDLE *domain, char **server_name)
+NTSTATUS sam_{get,set}_domain_max_pwdage(SAM_DOMAIN_HANDLE *domain, NTTIME *max_passwordage)
+NTSTATUS sam_{get,set}_domain_min_pwdage(SAM_DOMAIN_HANDLE *domain, NTTIME *min_passwordage)
+NTSTATUS sam_{get,set}_domain_lockout_duration(SAM_DOMAIN_HANDLE *domain, NTTIME *lockout_duration)
+NTSTATUS sam_{get,set}_domain_reset_count(SAM_DOMAIN_HANDLE *domain, NTTIME *reset_lockout_count)
+NTSTATUS sam_{get,set}_domain_min_pwdlength(SAM_DOMAIN_HANDLE *domain, uint16 *min_passwordlength)
+NTSTATUS sam_{get,set}_domain_pwd_history(SAM_DOMAIN_HANDLE *domain, uin16 *password_history)
+NTSTATUS sam_{get,set}_domain_lockout_count(SAM_DOMAIN_HANDLE *domain, uint16 *lockout_count)
+NTSTATUS sam_{get,set}_domain_force_logoff(SAM_DOMAIN_HANDLE *domain, BOOL *force_logoff)
+NTSTATUS sam_{get,set}_domain_login_pwdchange(SAM_DOMAIN_HANDLE *domain, BOOL *login_pwdchange)
+
+NTSTATUS sam_get_user_sid(SAM_USER_HANDLE *user, DOM_SID **sid)
+NTSTATUS sam_{get,set}_user_pgroup(SAM_USER_HANDLE *user, DOM_SID **pgroup)
+NTSTATUS sam_{get,set}_user_name(SAM_USER_HANDLE *user, char **username)
+NTSTATUS sam_{get,set}_user_fullname(SAM_USER_HANDLE *user, char** fullname)
+NTSTATUS sam_{get,set}_user_description(SAM_USER_HANDLE *user, char **description)
+NTSTATUS sam_{get,set}_user_home_dir(SAM_USER_HANDLE *user, char **home_dir)
+NTSTATUS sam_{get,set}_user_dir_drive(SAM_USER_HANDLE *user, char **dir_drive)
+NTSTATUS sam_{get,set}_user_logon_script(SAM_USER_HANDLE *user, char **logon_script)
+NTSTATUS sam_{get,set}_user_profile_path(SAM_USER_HANDLE *user, char **profile_path)
+NTSTATUS sam_{get,set}_user_workstations(SAM_USER_HANDLE *user, char **workstations)
+NTSTATUS sam_{get,set}_user_munged_dial(SAM_USER_HANDLE *user, char **munged_dial)
+NTSTATUS sam_{get,set}_user_lm_pwd(SAM_USER_HANDLE *user, DATA_BLOB *lm_pwd)
+NTSTATUS sam_{get,set}_user_nt_pwd(SAM_USER_HANDLE *user, DATA_BLOB *nt_pwd)
+NTSTATUS sam_{get,set}_user_plain_pwd(SAM_USER_HANDLE *user, DATA_BLOB *plaintext_pwd)
+NTSTATUS sam_{get,set}_user_acct_ctrl(SAM_USER_HANDLE *user, uint16 *acct_ctrl)
+NTSTATUS sam_{get,set}_user_logon_divs(SAM_USER_HANDLE *user, uint16 *logon_divs)
+NTSTATUS sam_{get,set}_user_hours(SAM_USER_HANDLE *user, uint32 *hours_len, uint8 **hours)
+NTSTATUS sam_{get,set}_user_logon_time(SAM_USER_HANDLE *user, NTTIME *logon_time)
+NTSTATUS sam_{get,set}_user_logoff_time(SAM_USER_HANDLE *user, NTTIME *logoff_time)
+NTSTATUS sam_{get,set}_user_kickoff_time(SAM_USER_HANDLE *user, NTTIME kickoff_time)
+NTSTATUS sam_{get,set}_user_pwd_last_set(SAM_USER_HANDLE *user, NTTIME pwd_last_set)
+NTSTATUS sam_{get,set}_user_pwd_can_change(SAM_USER_HANDLE *user, NTTIME pwd_can_change)
+NTSTATUS sam_{get,set}_user_pwd_must_change(SAM_USER_HANDLE *user, NTTIME pwd_must_change)
+NTSTATUS sam_{get,set}_user_unknown_1(SAM_USER_HANDLE *user, char **unknown_1)
+NTSTATUS sam_{get,set}_user_unknown_2(SAM_USER_HANDLE *user, uint32 *unknown_2)
+NTSTATUS sam_{get,set}_user_unknown_3(SAM_USER_HANDLE *user, uint32 *unknown_3)
+NTSTATUS sam_{get,set}_user_unknown_4(SAM_USER_HANDLE *user, uint32 *unknown_4)
+
+NTSTATUS sam_get_group_sid(SAM_GROUP_HANDLE *group, DOM_SID **sid)
+NTSTATUS sam_get_group_typ(SAM_GROUP_HANDLE *group, uint32 *typ)
+NTSTATUS sam_{get,set}_group_name(SAM_GROUP_HANDLE *group, char **group_name)
+NTSTATUS sam_{get,set}_group_comment(SAM_GROUP_HANDLE *group, char **comment)
+NTSTATUS sam_{get,set}_group_priv_set(SAM_GROUP_HANDLE *group, PRIVILEGE_SET *priv_set)
\ No newline at end of file diff --git a/source4/sam/account.c b/source4/sam/account.c new file mode 100644 index 00000000000..b8336146cda --- /dev/null +++ b/source4/sam/account.c @@ -0,0 +1,305 @@ +/* + Unix SMB/CIFS implementation. + Password and authentication handling + Copyright (C) Jeremy Allison 1996-2001 + Copyright (C) Luke Kenneth Casson Leighton 1996-1998 + Copyright (C) Gerald (Jerry) Carter 2000-2001 + Copyright (C) Andrew Bartlett 2001-2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_SAM + +/************************************************************ + Fill the SAM_ACCOUNT_HANDLE with default values. + ***********************************************************/ + +static void sam_fill_default_account(SAM_ACCOUNT_HANDLE *account) +{ + ZERO_STRUCT(account->private); /* Don't touch the talloc context */ + + /* Don't change these timestamp settings without a good reason. + They are important for NT member server compatibility. */ + + /* FIXME: We should actually call get_nt_time_max() or sthng + * here */ + unix_to_nt_time(&(account->private.logoff_time),get_time_t_max()); + unix_to_nt_time(&(account->private.kickoff_time),get_time_t_max()); + unix_to_nt_time(&(account->private.pass_must_change_time),get_time_t_max()); + account->private.unknown_1 = 0x00ffffff; /* don't know */ + account->private.logon_divs = 168; /* hours per week */ + account->private.hours_len = 21; /* 21 times 8 bits = 168 */ + memset(account->private.hours, 0xff, account->private.hours_len); /* available at all hours */ + account->private.unknown_2 = 0x00000000; /* don't know */ + account->private.unknown_3 = 0x000004ec; /* don't know */ +} + +static void destroy_sam_talloc(SAM_ACCOUNT_HANDLE **account) +{ + if (*account) { + data_blob_clear_free(&((*account)->private.lm_pw)); + data_blob_clear_free(&((*account)->private.nt_pw)); + if((*account)->private.plaintext_pw!=NULL) + memset((*account)->private.plaintext_pw,'\0',strlen((*account)->private.plaintext_pw)); + + talloc_destroy((*account)->mem_ctx); + *account = NULL; + } +} + + +/********************************************************************** + Alloc memory and initialises a SAM_ACCOUNT_HANDLE on supplied mem_ctx. +***********************************************************************/ + +NTSTATUS sam_init_account_talloc(TALLOC_CTX *mem_ctx, SAM_ACCOUNT_HANDLE **account) +{ + SMB_ASSERT(*account != NULL); + + if (!mem_ctx) { + DEBUG(0,("sam_init_account_talloc: mem_ctx was NULL!\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + *account=(SAM_ACCOUNT_HANDLE *)talloc(mem_ctx, sizeof(SAM_ACCOUNT_HANDLE)); + + if (*account==NULL) { + DEBUG(0,("sam_init_account_talloc: error while allocating memory\n")); + return NT_STATUS_NO_MEMORY; + } + + (*account)->mem_ctx = mem_ctx; + + (*account)->free_fn = NULL; + + sam_fill_default_account(*account); + + return NT_STATUS_OK; +} + + +/************************************************************* + Alloc memory and initialises a struct sam_passwd. + ************************************************************/ + +NTSTATUS sam_init_account(SAM_ACCOUNT_HANDLE **account) +{ + TALLOC_CTX *mem_ctx; + NTSTATUS nt_status; + + mem_ctx = talloc_init("sam internal SAM_ACCOUNT_HANDLE allocation"); + + if (!mem_ctx) { + DEBUG(0,("sam_init_account: error while doing talloc_init()\n")); + return NT_STATUS_NO_MEMORY; + } + + if (!NT_STATUS_IS_OK(nt_status = sam_init_account_talloc(mem_ctx, account))) { + talloc_destroy(mem_ctx); + return nt_status; + } + + (*account)->free_fn = destroy_sam_talloc; + + return NT_STATUS_OK; +} + +/** + * Free the contents of the SAM_ACCOUNT_HANDLE, but not the structure. + * + * Also wipes the LM and NT hashes and plaintext password from + * memory. + * + * @param account SAM_ACCOUNT_HANDLE to free members of. + **/ + +static void sam_free_account_contents(SAM_ACCOUNT_HANDLE *account) +{ + + /* Kill off sensitive data. Free()ed by the + talloc mechinism */ + + data_blob_clear_free(&(account->private.lm_pw)); + data_blob_clear_free(&(account->private.nt_pw)); + if (account->private.plaintext_pw) + memset(account->private.plaintext_pw,'\0',strlen(account->private.plaintext_pw)); +} + + +/************************************************************ + Reset the SAM_ACCOUNT_HANDLE and free the NT/LM hashes. + ***********************************************************/ + +NTSTATUS sam_reset_sam(SAM_ACCOUNT_HANDLE *account) +{ + SMB_ASSERT(account != NULL); + + sam_free_account_contents(account); + + sam_fill_default_account(account); + + return NT_STATUS_OK; +} + + +/************************************************************ + Free the SAM_ACCOUNT_HANDLE and the member pointers. + ***********************************************************/ + +NTSTATUS sam_free_account(SAM_ACCOUNT_HANDLE **account) +{ + SMB_ASSERT(*account != NULL); + + sam_free_account_contents(*account); + + if ((*account)->free_fn) { + (*account)->free_fn(account); + } + + return NT_STATUS_OK; +} + + +/********************************************************** + Encode the account control bits into a string. + length = length of string to encode into (including terminating + null). length *MUST BE MORE THAN 2* ! + **********************************************************/ + +char *sam_encode_acct_ctrl(uint16 acct_ctrl, size_t length) +{ + static fstring acct_str; + size_t i = 0; + + acct_str[i++] = '['; + + if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N'; + if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D'; + if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H'; + if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T'; + if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U'; + if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M'; + if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W'; + if (acct_ctrl & ACB_SVRTRUST ) acct_str[i++] = 'S'; + if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L'; + if (acct_ctrl & ACB_PWNOEXP ) acct_str[i++] = 'X'; + if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I'; + + for ( ; i < length - 2 ; i++ ) + acct_str[i] = ' '; + + i = length - 2; + acct_str[i++] = ']'; + acct_str[i++] = '\0'; + + return acct_str; +} + +/********************************************************** + Decode the account control bits from a string. + **********************************************************/ + +uint16 sam_decode_acct_ctrl(const char *p) +{ + uint16 acct_ctrl = 0; + BOOL finished = False; + + /* + * Check if the account type bits have been encoded after the + * NT password (in the form [NDHTUWSLXI]). + */ + + if (*p != '[') + return 0; + + for (p++; *p && !finished; p++) { + switch (*p) { + case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ } + case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ } + case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ } + case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ } + case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ } + case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ } + case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ } + case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ } + case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ } + case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ } + case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ } + case ' ': { break; } + case ':': + case '\n': + case '\0': + case ']': + default: { finished = True; } + } + } + + return acct_ctrl; +} + +/************************************************************* + Routine to set 32 hex password characters from a 16 byte array. +**************************************************************/ + +void sam_sethexpwd(char *p, const unsigned char *pwd, uint16 acct_ctrl) +{ + if (pwd != NULL) { + int i; + for (i = 0; i < 16; i++) + slprintf(&p[i*2], 3, "%02X", pwd[i]); + } else { + if (acct_ctrl & ACB_PWNOTREQ) + safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33); + else + safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33); + } +} + +/************************************************************* + Routine to get the 32 hex characters and turn them + into a 16 byte array. +**************************************************************/ + +BOOL sam_gethexpwd(const char *p, unsigned char *pwd) +{ + int i; + unsigned char lonybble, hinybble; + char *hexchars = "0123456789ABCDEF"; + char *p1, *p2; + + if (!p) + return (False); + + for (i = 0; i < 32; i += 2) { + hinybble = toupper(p[i]); + lonybble = toupper(p[i + 1]); + + p1 = strchr(hexchars, hinybble); + p2 = strchr(hexchars, lonybble); + + if (!p1 || !p2) + return (False); + + hinybble = PTR_DIFF(p1, hexchars); + lonybble = PTR_DIFF(p2, hexchars); + + pwd[i / 2] = (hinybble << 4) | lonybble; + } + return (True); +} diff --git a/source4/sam/get_set_account.c b/source4/sam/get_set_account.c new file mode 100644 index 00000000000..acac281d21a --- /dev/null +++ b/source4/sam/get_set_account.c @@ -0,0 +1,845 @@ +/* + Unix SMB/CIFS implementation. + SAM_ACCOUNT_HANDLE access routines + Copyright (C) Andrew Bartlett 2002 + Copyright (C) Stefan (metze) Metzmacher 2002 + Copyright (C) Jelmer Vernooij 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_SAM + +NTSTATUS sam_get_account_domain_sid(const SAM_ACCOUNT_HANDLE *sampass, const DOM_SID **sid) +{ + NTSTATUS status; + SAM_DOMAIN_HANDLE *domain; + SAM_ASSERT(!sampass || !sid); + + if (!NT_STATUS_IS_OK(status = sam_get_account_domain(sampass, &domain))){ + DEBUG(0, ("sam_get_account_domain_sid: Can't get domain for account\n")); + return status; + } + + return sam_get_domain_sid(domain, sid); +} + +NTSTATUS sam_get_account_domain_name(const SAM_ACCOUNT_HANDLE *sampass, const char **domain_name) +{ + NTSTATUS status; + SAM_DOMAIN_HANDLE *domain; + SAM_ASSERT(sampass && domain_name); + + if (!NT_STATUS_IS_OK(status = sam_get_account_domain(sampass, &domain))){ + DEBUG(0, ("sam_get_account_domain_name: Can't get domain for account\n")); + return status; + } + + return sam_get_domain_name(domain, domain_name); +} + +NTSTATUS sam_get_account_acct_ctrl(const SAM_ACCOUNT_HANDLE *sampass, uint16 *acct_ctrl) +{ + SAM_ASSERT(sampass && acct_ctrl); + + *acct_ctrl = sampass->private.acct_ctrl; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_logon_time(const SAM_ACCOUNT_HANDLE *sampass, NTTIME *logon_time) +{ + SAM_ASSERT(sampass && logon_time) ; + + *logon_time = sampass->private.logon_time; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_logoff_time(const SAM_ACCOUNT_HANDLE *sampass, NTTIME *logoff_time) +{ + SAM_ASSERT(sampass && logoff_time) ; + + *logoff_time = sampass->private.logoff_time; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_kickoff_time(const SAM_ACCOUNT_HANDLE *sampass, NTTIME *kickoff_time) +{ + SAM_ASSERT(sampass && kickoff_time); + + *kickoff_time = sampass->private.kickoff_time; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_pass_last_set_time(const SAM_ACCOUNT_HANDLE *sampass, NTTIME *pass_last_set_time) +{ + SAM_ASSERT(sampass && pass_last_set_time); + + *pass_last_set_time = sampass->private.pass_last_set_time; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_pass_can_change_time(const SAM_ACCOUNT_HANDLE *sampass, NTTIME *pass_can_change_time) +{ + SAM_ASSERT(sampass && pass_can_change_time); + + *pass_can_change_time = sampass->private.pass_can_change_time; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_pass_must_change_time(const SAM_ACCOUNT_HANDLE *sampass, NTTIME *pass_must_change_time) +{ + SAM_ASSERT(sampass && pass_must_change_time); + + *pass_must_change_time = sampass->private.pass_must_change_time; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_logon_divs(const SAM_ACCOUNT_HANDLE *sampass, uint16 *logon_divs) +{ + SAM_ASSERT(sampass && logon_divs); + + *logon_divs = sampass->private.logon_divs; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_hours_len(const SAM_ACCOUNT_HANDLE *sampass, uint32 *hours_len) +{ + SAM_ASSERT(sampass && hours_len); + + *hours_len = sampass->private.hours_len; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_hours(const SAM_ACCOUNT_HANDLE *sampass, const uint8 **hours) +{ + SAM_ASSERT(sampass && hours); + + *hours = sampass->private.hours; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_nt_pwd(const SAM_ACCOUNT_HANDLE *sampass, DATA_BLOB *nt_pwd) +{ + SAM_ASSERT(sampass); + + SMB_ASSERT((!sampass->private.nt_pw.data) + || sampass->private.nt_pw.length == NT_HASH_LEN); + + *nt_pwd = sampass->private.nt_pw; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_lm_pwd(const SAM_ACCOUNT_HANDLE *sampass, DATA_BLOB *lm_pwd) +{ + SAM_ASSERT(sampass); + + SMB_ASSERT((!sampass->private.lm_pw.data) + || sampass->private.lm_pw.length == LM_HASH_LEN); + + *lm_pwd = sampass->private.lm_pw; + + return NT_STATUS_OK; +} + +/* Return the plaintext password if known. Most of the time + it isn't, so don't assume anything magic about this function. + + Used to pass the plaintext to sam backends that might + want to store more than just the NTLM hashes. +*/ + +NTSTATUS sam_get_account_plaintext_pwd(const SAM_ACCOUNT_HANDLE *sampass, char **plain_pwd) +{ + SAM_ASSERT(sampass && plain_pwd); + + *plain_pwd = sampass->private.plaintext_pw; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_sid(const SAM_ACCOUNT_HANDLE *sampass, const DOM_SID **sid) +{ + SAM_ASSERT(sampass); + + *sid = &(sampass->private.account_sid); + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_pgroup(const SAM_ACCOUNT_HANDLE *sampass, const DOM_SID **sid) +{ + SAM_ASSERT(sampass); + + *sid = &(sampass->private.group_sid); + + return NT_STATUS_OK; +} + +/** + * Get flags showing what is initalised in the SAM_ACCOUNT_HANDLE + * @param sampass the SAM_ACCOUNT_HANDLE in question + * @return the flags indicating the members initialised in the struct. + **/ + +NTSTATUS sam_get_account_init_flag(const SAM_ACCOUNT_HANDLE *sampass, uint32 *initflag) +{ + SAM_ASSERT(sampass); + + *initflag = sampass->private.init_flag; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_name(const SAM_ACCOUNT_HANDLE *sampass, char **account_name) +{ + SAM_ASSERT(sampass); + + *account_name = sampass->private.account_name; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_domain(const SAM_ACCOUNT_HANDLE *sampass, SAM_DOMAIN_HANDLE **domain) +{ + SAM_ASSERT(sampass); + + *domain = sampass->private.domain; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_fullname(const SAM_ACCOUNT_HANDLE *sampass, char **fullname) +{ + SAM_ASSERT(sampass); + + *fullname = sampass->private.full_name; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_homedir(const SAM_ACCOUNT_HANDLE *sampass, char **homedir) +{ + SAM_ASSERT(sampass); + + *homedir = sampass->private.home_dir; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_unix_home_dir(const SAM_ACCOUNT_HANDLE *sampass, char **uhomedir) +{ + SAM_ASSERT(sampass); + + *uhomedir = sampass->private.unix_home_dir; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_dir_drive(const SAM_ACCOUNT_HANDLE *sampass, char **dirdrive) +{ + SAM_ASSERT(sampass); + + *dirdrive = sampass->private.dir_drive; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_logon_script(const SAM_ACCOUNT_HANDLE *sampass, char **logon_script) +{ + SAM_ASSERT(sampass); + + *logon_script = sampass->private.logon_script; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_profile_path(const SAM_ACCOUNT_HANDLE *sampass, char **profile_path) +{ + SAM_ASSERT(sampass); + + *profile_path = sampass->private.profile_path; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_description(const SAM_ACCOUNT_HANDLE *sampass, char **description) +{ + SAM_ASSERT(sampass); + + *description = sampass->private.acct_desc; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_workstations(const SAM_ACCOUNT_HANDLE *sampass, char **workstations) +{ + SAM_ASSERT(sampass); + + *workstations = sampass->private.workstations; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_unknown_str(const SAM_ACCOUNT_HANDLE *sampass, char **unknown_str) +{ + SAM_ASSERT(sampass); + + *unknown_str = sampass->private.unknown_str; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_munged_dial(const SAM_ACCOUNT_HANDLE *sampass, char **munged_dial) +{ + SAM_ASSERT(sampass); + + *munged_dial = sampass->private.munged_dial; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_unknown_1(const SAM_ACCOUNT_HANDLE *sampass, uint32 *unknown1) +{ + SAM_ASSERT(sampass && unknown1); + + *unknown1 = sampass->private.unknown_1; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_unknown_2(const SAM_ACCOUNT_HANDLE *sampass, uint32 *unknown2) +{ + SAM_ASSERT(sampass && unknown2); + + *unknown2 = sampass->private.unknown_2; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_unknown_3(const SAM_ACCOUNT_HANDLE *sampass, uint32 *unknown3) +{ + SAM_ASSERT(sampass && unknown3); + + *unknown3 = sampass->private.unknown_3; + + return NT_STATUS_OK; +} + +/********************************************************************* + Collection of set...() functions for SAM_ACCOUNT_HANDLE_INFO. + ********************************************************************/ + +NTSTATUS sam_set_account_acct_ctrl(SAM_ACCOUNT_HANDLE *sampass, uint16 acct_ctrl) +{ + SAM_ASSERT(sampass); + + sampass->private.acct_ctrl = acct_ctrl; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_account_logon_time(SAM_ACCOUNT_HANDLE *sampass, NTTIME mytime, BOOL store) +{ + SAM_ASSERT(sampass); + + sampass->private.logon_time = mytime; + + + return NT_STATUS_UNSUCCESSFUL; +} + +NTSTATUS sam_set_account_logoff_time(SAM_ACCOUNT_HANDLE *sampass, NTTIME mytime, BOOL store) +{ + SAM_ASSERT(sampass); + + sampass->private.logoff_time = mytime; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_account_kickoff_time(SAM_ACCOUNT_HANDLE *sampass, NTTIME mytime, BOOL store) +{ + SAM_ASSERT(sampass); + + sampass->private.kickoff_time = mytime; + + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_account_pass_can_change_time(SAM_ACCOUNT_HANDLE *sampass, NTTIME mytime, BOOL store) +{ + SAM_ASSERT(sampass); + + sampass->private.pass_can_change_time = mytime; + + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_account_pass_must_change_time(SAM_ACCOUNT_HANDLE *sampass, NTTIME mytime, BOOL store) +{ + SAM_ASSERT(sampass); + + sampass->private.pass_must_change_time = mytime; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_account_pass_last_set_time(SAM_ACCOUNT_HANDLE *sampass, NTTIME mytime) +{ + SAM_ASSERT(sampass); + + sampass->private.pass_last_set_time = mytime; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_account_hours_len(SAM_ACCOUNT_HANDLE *sampass, uint32 len) +{ + SAM_ASSERT(sampass); + + sampass->private.hours_len = len; + return NT_STATUS_OK; +} + +NTSTATUS sam_set_account_logon_divs(SAM_ACCOUNT_HANDLE *sampass, uint16 hours) +{ + SAM_ASSERT(sampass); + + sampass->private.logon_divs = hours; + return NT_STATUS_OK; +} + +/** + * Set flags showing what is initalised in the SAM_ACCOUNT_HANDLE + * @param sampass the SAM_ACCOUNT_HANDLE in question + * @param flag The *new* flag to be set. Old flags preserved + * this flag is only added. + **/ + +NTSTATUS sam_set_account_init_flag(SAM_ACCOUNT_HANDLE *sampass, uint32 flag) +{ + SAM_ASSERT(sampass); + + sampass->private.init_flag |= flag; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_account_sid(SAM_ACCOUNT_HANDLE *sampass, const DOM_SID *u_sid) +{ + SAM_ASSERT(sampass && u_sid); + + sid_copy(&sampass->private.account_sid, u_sid); + + DEBUG(10, ("sam_set_account_sid: setting account sid %s\n", + sid_string_static(&sampass->private.account_sid))); + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_account_sid_from_string(SAM_ACCOUNT_HANDLE *sampass, const char *u_sid) +{ + DOM_SID new_sid; + SAM_ASSERT(sampass && u_sid); + + DEBUG(10, ("sam_set_account_sid_from_string: setting account sid %s\n", + u_sid)); + + if (!string_to_sid(&new_sid, u_sid)) { + DEBUG(1, ("sam_set_account_sid_from_string: %s isn't a valid SID!\n", u_sid)); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!NT_STATUS_IS_OK(sam_set_account_sid(sampass, &new_sid))) { + DEBUG(1, ("sam_set_account_sid_from_string: could not set sid %s on SAM_ACCOUNT_HANDLE!\n", u_sid)); + return NT_STATUS_UNSUCCESSFUL; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_account_pgroup_sid(SAM_ACCOUNT_HANDLE *sampass, const DOM_SID *g_sid) +{ + SAM_ASSERT(sampass && g_sid); + + sid_copy(&sampass->private.group_sid, g_sid); + + DEBUG(10, ("sam_set_group_sid: setting group sid %s\n", + sid_string_static(&sampass->private.group_sid))); + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_account_pgroup_string(SAM_ACCOUNT_HANDLE *sampass, const char *g_sid) +{ + DOM_SID new_sid; + SAM_ASSERT(sampass && g_sid); + + DEBUG(10, ("sam_set_group_sid_from_string: setting group sid %s\n", + g_sid)); + + if (!string_to_sid(&new_sid, g_sid)) { + DEBUG(1, ("sam_set_group_sid_from_string: %s isn't a valid SID!\n", g_sid)); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!NT_STATUS_IS_OK(sam_set_account_pgroup_sid(sampass, &new_sid))) { + DEBUG(1, ("sam_set_group_sid_from_string: could not set sid %s on SAM_ACCOUNT_HANDLE!\n", g_sid)); + return NT_STATUS_UNSUCCESSFUL; + } + return NT_STATUS_OK; +} + +/********************************************************************* + Set the domain name. + ********************************************************************/ + +NTSTATUS sam_set_account_domain(SAM_ACCOUNT_HANDLE *sampass, SAM_DOMAIN_HANDLE *domain) +{ + SAM_ASSERT(sampass); + + sampass->private.domain = domain; + + return NT_STATUS_OK; +} + +/********************************************************************* + Set the account's NT name. + ********************************************************************/ + +NTSTATUS sam_set_account_name(SAM_ACCOUNT_HANDLE *sampass, const char *account_name) +{ + SAM_ASSERT(sampass); + + DEBUG(10, ("sam_set_account_name: setting nt account_name %s, was %s\n", account_name, sampass->private.account_name)); + + sampass->private.account_name = talloc_strdup(sampass->mem_ctx, account_name); + + return NT_STATUS_OK; +} + +/********************************************************************* + Set the account's full name. + ********************************************************************/ + +NTSTATUS sam_set_account_fullname(SAM_ACCOUNT_HANDLE *sampass, const char *full_name) +{ + SAM_ASSERT(sampass); + + DEBUG(10, ("sam_set_account_fullname: setting full name %s, was %s\n", full_name, sampass->private.full_name)); + + sampass->private.full_name = talloc_strdup(sampass->mem_ctx, full_name); + + return NT_STATUS_OK; +} + +/********************************************************************* + Set the account's logon script. + ********************************************************************/ + +NTSTATUS sam_set_account_logon_script(SAM_ACCOUNT_HANDLE *sampass, const char *logon_script, BOOL store) +{ + SAM_ASSERT(sampass); + + DEBUG(10, ("sam_set_logon_script: from %s to %s\n", logon_script, sampass->private.logon_script)); + + sampass->private.logon_script = talloc_strdup(sampass->mem_ctx, logon_script); + + + return NT_STATUS_OK; +} + +/********************************************************************* + Set the account's profile path. + ********************************************************************/ + +NTSTATUS sam_set_account_profile_path(SAM_ACCOUNT_HANDLE *sampass, const char *profile_path, BOOL store) +{ + SAM_ASSERT(sampass); + + DEBUG(10, ("sam_set_profile_path: setting profile path %s, was %s\n", profile_path, sampass->private.profile_path)); + + sampass->private.profile_path = talloc_strdup(sampass->mem_ctx, profile_path); + + return NT_STATUS_OK; +} + +/********************************************************************* + Set the account's directory drive. + ********************************************************************/ + +NTSTATUS sam_set_account_dir_drive(SAM_ACCOUNT_HANDLE *sampass, const char *dir_drive, BOOL store) +{ + SAM_ASSERT(sampass); + + DEBUG(10, ("sam_set_dir_drive: setting dir drive %s, was %s\n", dir_drive, + sampass->private.dir_drive)); + + sampass->private.dir_drive = talloc_strdup(sampass->mem_ctx, dir_drive); + + return NT_STATUS_OK; +} + +/********************************************************************* + Set the account's home directory. + ********************************************************************/ + +NTSTATUS sam_set_account_homedir(SAM_ACCOUNT_HANDLE *sampass, const char *home_dir, BOOL store) +{ + SAM_ASSERT(sampass); + + DEBUG(10, ("sam_set_homedir: setting home dir %s, was %s\n", home_dir, + sampass->private.home_dir)); + + sampass->private.home_dir = talloc_strdup(sampass->mem_ctx, home_dir); + + return NT_STATUS_OK; +} + +/********************************************************************* + Set the account's unix home directory. + ********************************************************************/ + +NTSTATUS sam_set_account_unix_homedir(SAM_ACCOUNT_HANDLE *sampass, const char *unix_home_dir) +{ + SAM_ASSERT(sampass); + + DEBUG(10, ("sam_set_unix_homedir: setting home dir %s, was %s\n", unix_home_dir, + sampass->private.unix_home_dir)); + + sampass->private.unix_home_dir = talloc_strdup(sampass->mem_ctx, unix_home_dir); + + return NT_STATUS_OK; +} + +/********************************************************************* + Set the account's account description. + ********************************************************************/ + +NTSTATUS sam_set_account_acct_desc(SAM_ACCOUNT_HANDLE *sampass, const char *acct_desc) +{ + SAM_ASSERT(sampass); + + sampass->private.acct_desc = talloc_strdup(sampass->mem_ctx, acct_desc); + + return NT_STATUS_OK; +} + +/********************************************************************* + Set the account's workstation allowed list. + ********************************************************************/ + +NTSTATUS sam_set_account_workstations(SAM_ACCOUNT_HANDLE *sampass, const char *workstations) +{ + SAM_ASSERT(sampass); + + DEBUG(10, ("sam_set_workstations: setting workstations %s, was %s\n", workstations, + sampass->private.workstations)); + + sampass->private.workstations = talloc_strdup(sampass->mem_ctx, workstations); + + return NT_STATUS_OK; +} + +/********************************************************************* + Set the account's 'unknown_str', whatever the heck this actually is... + ********************************************************************/ + +NTSTATUS sam_set_account_unknown_str(SAM_ACCOUNT_HANDLE *sampass, const char *unknown_str) +{ + SAM_ASSERT(sampass); + + sampass->private.unknown_str = talloc_strdup(sampass->mem_ctx, unknown_str); + + return NT_STATUS_OK; +} + +/********************************************************************* + Set the account's dial string. + ********************************************************************/ + +NTSTATUS sam_set_account_munged_dial(SAM_ACCOUNT_HANDLE *sampass, const char *munged_dial) +{ + SAM_ASSERT(sampass); + + sampass->private.munged_dial = talloc_strdup(sampass->mem_ctx, munged_dial); + + return NT_STATUS_OK; +} + +/********************************************************************* + Set the account's NT hash. + ********************************************************************/ + +NTSTATUS sam_set_account_nt_pwd(SAM_ACCOUNT_HANDLE *sampass, const DATA_BLOB data) +{ + SAM_ASSERT(sampass); + + sampass->private.nt_pw = data; + + return NT_STATUS_OK; +} + +/********************************************************************* + Set the account's LM hash. + ********************************************************************/ + +NTSTATUS sam_set_account_lm_pwd(SAM_ACCOUNT_HANDLE *sampass, const DATA_BLOB data) +{ + SAM_ASSERT(sampass); + + sampass->private.lm_pw = data; + + return NT_STATUS_OK; +} + +/********************************************************************* + Set the account's plaintext password only (base procedure, see helper + below) + ********************************************************************/ + +NTSTATUS sam_set_account_plaintext_pwd(SAM_ACCOUNT_HANDLE *sampass, const char *plain_pwd) +{ + SAM_ASSERT(sampass); + + sampass->private.plaintext_pw = talloc_strdup(sampass->mem_ctx, plain_pwd); + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_account_unknown_1(SAM_ACCOUNT_HANDLE *sampass, uint32 unkn) +{ + SAM_ASSERT(sampass); + + sampass->private.unknown_1 = unkn; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_account_unknown_2(SAM_ACCOUNT_HANDLE *sampass, uint32 unkn) +{ + SAM_ASSERT(sampass); + + sampass->private.unknown_2 = unkn; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_account_unknown_3(SAM_ACCOUNT_HANDLE *sampass, uint32 unkn) +{ + SAM_ASSERT(sampass); + + sampass->private.unknown_3 = unkn; + return NT_STATUS_OK; +} + +NTSTATUS sam_set_account_hours(SAM_ACCOUNT_HANDLE *sampass, const uint8 *hours) +{ + SAM_ASSERT(sampass); + + if (!hours) { + memset ((char *)sampass->private.hours, 0, MAX_HOURS_LEN); + return NT_STATUS_OK; + } + + memcpy(sampass->private.hours, hours, MAX_HOURS_LEN); + + return NT_STATUS_OK; +} + +/* Helpful interfaces to the above */ + +/********************************************************************* + Sets the last changed times and must change times for a normal + password change. + ********************************************************************/ + +NTSTATUS sam_set_account_pass_changed_now(SAM_ACCOUNT_HANDLE *sampass) +{ + uint32 expire; + NTTIME temptime; + + SAM_ASSERT(sampass); + + unix_to_nt_time(&temptime, time(NULL)); + if (!NT_STATUS_IS_OK(sam_set_account_pass_last_set_time(sampass, temptime))) + return NT_STATUS_UNSUCCESSFUL; + + if (!account_policy_get(AP_MAX_PASSWORD_AGE, &expire) + || (expire==(uint32)-1)) { + + get_nttime_max(&temptime); + if (!NT_STATUS_IS_OK(sam_set_account_pass_must_change_time(sampass, temptime, False))) + return NT_STATUS_UNSUCCESSFUL; + + } else { + /* FIXME: Add expire to temptime */ + + if (!NT_STATUS_IS_OK(sam_get_account_pass_last_set_time(sampass,&temptime)) || !NT_STATUS_IS_OK(sam_set_account_pass_must_change_time(sampass, temptime,True))) + return NT_STATUS_UNSUCCESSFUL; + } + + return NT_STATUS_OK; +} + +/********************************************************************* + Set the account's PLAINTEXT password. Used as an interface to the above. + Also sets the last change time to NOW. + ********************************************************************/ + +NTSTATUS sam_set_account_passwd(SAM_ACCOUNT_HANDLE *sampass, const char *plaintext) +{ + DATA_BLOB data; + uchar new_lanman_p16[16]; + uchar new_nt_p16[16]; + + SAM_ASSERT(sampass && plaintext); + + nt_lm_owf_gen(plaintext, new_nt_p16, new_lanman_p16); + + data = data_blob(new_nt_p16, 16); + if (!NT_STATUS_IS_OK(sam_set_account_nt_pwd(sampass, data))) + return NT_STATUS_UNSUCCESSFUL; + + data = data_blob(new_lanman_p16, 16); + + if (!NT_STATUS_IS_OK(sam_set_account_lm_pwd(sampass, data))) + return NT_STATUS_UNSUCCESSFUL; + + if (!NT_STATUS_IS_OK(sam_set_account_plaintext_pwd(sampass, plaintext))) + return NT_STATUS_UNSUCCESSFUL; + + if (!NT_STATUS_IS_OK(sam_set_account_pass_changed_now(sampass))) + return NT_STATUS_UNSUCCESSFUL; + + return NT_STATUS_OK; +} + diff --git a/source4/sam/get_set_domain.c b/source4/sam/get_set_domain.c new file mode 100644 index 00000000000..c70a4a3f097 --- /dev/null +++ b/source4/sam/get_set_domain.c @@ -0,0 +1,263 @@ +/* + Unix SMB/CIFS implementation. + SAM_DOMAIN access routines + Copyright (C) Andrew Bartlett 2002 + Copyright (C) Stefan (metze) Metzmacher 2002 + Copyright (C) Jelmer Vernooij 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_SAM + +NTSTATUS sam_get_domain_sid(SAM_DOMAIN_HANDLE *domain, const DOM_SID **sid) +{ + SAM_ASSERT(domain &&sid); + + *sid = &(domain->private.sid); + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_domain_num_accounts(SAM_DOMAIN_HANDLE *domain, uint32 *num_accounts) +{ + SAM_ASSERT(domain &&num_accounts); + + *num_accounts = domain->private.num_accounts; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_domain_num_groups(SAM_DOMAIN_HANDLE *domain, uint32 *num_groups) +{ + SAM_ASSERT(domain &&num_groups); + + *num_groups = domain->private.num_groups; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_domain_num_aliases(SAM_DOMAIN_HANDLE *domain, uint32 *num_aliases) +{ + SAM_ASSERT(domain &&num_aliases); + + *num_aliases = domain->private.num_aliases; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_domain_name(SAM_DOMAIN_HANDLE *domain, const char **domain_name) +{ + SAM_ASSERT(domain &&domain_name); + + *domain_name = domain->private.name; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_domain_server(SAM_DOMAIN_HANDLE *domain, const char **server_name) +{ + SAM_ASSERT(domain &&server_name); + + *server_name = domain->private.servername; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_domain_max_pwdage(SAM_DOMAIN_HANDLE *domain, NTTIME *max_passwordage) +{ + SAM_ASSERT(domain &&max_passwordage); + + *max_passwordage = domain->private.max_passwordage; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_domain_min_pwdage(SAM_DOMAIN_HANDLE *domain, NTTIME *min_passwordage) +{ + SAM_ASSERT(domain &&min_passwordage); + + *min_passwordage = domain->private.min_passwordage; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_domain_lockout_duration(SAM_DOMAIN_HANDLE *domain, NTTIME *lockout_duration) +{ + SAM_ASSERT(domain &&lockout_duration); + + *lockout_duration = domain->private.lockout_duration; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_domain_reset_count(SAM_DOMAIN_HANDLE *domain, NTTIME *reset_lockout_count) +{ + SAM_ASSERT(domain &&reset_lockout_count); + + *reset_lockout_count = domain->private.reset_count; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_domain_min_pwdlength(SAM_DOMAIN_HANDLE *domain, uint16 *min_passwordlength) +{ + SAM_ASSERT(domain &&min_passwordlength); + + *min_passwordlength = domain->private.min_passwordlength; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_domain_pwd_history(SAM_DOMAIN_HANDLE *domain, uint16 *password_history) +{ + SAM_ASSERT(domain &&password_history); + + *password_history = domain->private.password_history; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_domain_lockout_count(SAM_DOMAIN_HANDLE *domain, uint16 *lockout_count) +{ + SAM_ASSERT(domain &&lockout_count); + + *lockout_count = domain->private.lockout_count; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_domain_force_logoff(SAM_DOMAIN_HANDLE *domain, BOOL *force_logoff) +{ + SAM_ASSERT(domain &&force_logoff); + + *force_logoff = domain->private.force_logoff; + + return NT_STATUS_OK; +} + + +NTSTATUS sam_get_domain_login_pwdchange(SAM_DOMAIN_HANDLE *domain, BOOL *login_pwdchange) +{ + SAM_ASSERT(domain && login_pwdchange); + + *login_pwdchange = domain->private.login_pwdchange; + + return NT_STATUS_OK; +} + +/* Set */ + +NTSTATUS sam_set_domain_name(SAM_DOMAIN_HANDLE *domain, const char *domain_name) +{ + SAM_ASSERT(domain); + + domain->private.name = talloc_strdup(domain->mem_ctx, domain_name); + + return NT_STATUS_OK; +} + + +NTSTATUS sam_set_domain_max_pwdage(SAM_DOMAIN_HANDLE *domain, NTTIME max_passwordage) +{ + SAM_ASSERT(domain); + + domain->private.max_passwordage = max_passwordage; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_domain_min_pwdage(SAM_DOMAIN_HANDLE *domain, NTTIME min_passwordage) +{ + SAM_ASSERT(domain); + + domain->private.min_passwordage = min_passwordage; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_domain_lockout_duration(SAM_DOMAIN_HANDLE *domain, NTTIME lockout_duration) +{ + SAM_ASSERT(domain); + + domain->private.lockout_duration = lockout_duration; + + return NT_STATUS_OK; +} +NTSTATUS sam_set_domain_reset_count(SAM_DOMAIN_HANDLE *domain, NTTIME reset_lockout_count) +{ + SAM_ASSERT(domain); + + domain->private.reset_count = reset_lockout_count; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_domain_min_pwdlength(SAM_DOMAIN_HANDLE *domain, uint16 min_passwordlength) +{ + SAM_ASSERT(domain); + + domain->private.min_passwordlength = min_passwordlength; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_domain_pwd_history(SAM_DOMAIN_HANDLE *domain, uint16 password_history) +{ + SAM_ASSERT(domain); + + domain->private.password_history = password_history; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_domain_lockout_count(SAM_DOMAIN_HANDLE *domain, uint16 lockout_count) +{ + SAM_ASSERT(domain); + + domain->private.lockout_count = lockout_count; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_domain_force_logoff(SAM_DOMAIN_HANDLE *domain, BOOL force_logoff) +{ + SAM_ASSERT(domain); + + domain->private.force_logoff = force_logoff; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_domain_login_pwdchange(SAM_DOMAIN_HANDLE *domain, BOOL login_pwdchange) +{ + SAM_ASSERT(domain); + + domain->private.login_pwdchange = login_pwdchange; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_domain_server(SAM_DOMAIN_HANDLE *domain, const char *server_name) +{ + SAM_ASSERT(domain); + + domain->private.servername = talloc_strdup(domain->mem_ctx, server_name); + + return NT_STATUS_OK; +} diff --git a/source4/sam/get_set_group.c b/source4/sam/get_set_group.c new file mode 100644 index 00000000000..11ea9258a70 --- /dev/null +++ b/source4/sam/get_set_group.c @@ -0,0 +1,106 @@ +/* + Unix SMB/CIFS implementation. + SAM_USER_HANDLE access routines + Copyright (C) Andrew Bartlett 2002 + Copyright (C) Stefan (metze) Metzmacher 2002 + Copyright (C) Jelmer Vernooij 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_SAM + +/* sam group get functions */ + +NTSTATUS sam_get_group_sid(const SAM_GROUP_HANDLE *group, const DOM_SID **sid) +{ + SAM_ASSERT(group && sid); + + *sid = &(group->private.sid); + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_group_ctrl(const SAM_GROUP_HANDLE *group, uint32 *group_ctrl) +{ + SAM_ASSERT(group && group_ctrl); + + *group_ctrl = group->private.group_ctrl; + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_group_name(const SAM_GROUP_HANDLE *group, const char **group_name) +{ + SAM_ASSERT(group); + + *group_name = group->private.group_name; + + return NT_STATUS_OK; + +} +NTSTATUS sam_get_group_comment(const SAM_GROUP_HANDLE *group, const char **group_desc) +{ + SAM_ASSERT(group); + + *group_desc = group->private.group_desc; + + return NT_STATUS_OK; +} + +/* sam group set functions */ + +NTSTATUS sam_set_group_sid(SAM_GROUP_HANDLE *group, const DOM_SID *sid) +{ + SAM_ASSERT(group); + + if (!sid) + ZERO_STRUCT(group->private.sid); + else + sid_copy(&(group->private.sid), sid); + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_group_group_ctrl(SAM_GROUP_HANDLE *group, uint32 group_ctrl) +{ + SAM_ASSERT(group); + + group->private.group_ctrl = group_ctrl; + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_group_name(SAM_GROUP_HANDLE *group, const char *group_name) +{ + SAM_ASSERT(group); + + group->private.group_name = talloc_strdup(group->mem_ctx, group_name); + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_group_description(SAM_GROUP_HANDLE *group, const char *group_desc) +{ + SAM_ASSERT(group); + + group->private.group_desc = talloc_strdup(group->mem_ctx, group_desc); + + return NT_STATUS_OK; + +} diff --git a/source4/sam/group.c b/source4/sam/group.c new file mode 100644 index 00000000000..101e3dd7ce1 --- /dev/null +++ b/source4/sam/group.c @@ -0,0 +1,193 @@ +/* + Unix SMB/CIFS implementation. + SAM_GROUP_HANDLE /SAM_GROUP_ENUM helpers + + Copyright (C) Stefan (metze) Metzmacher 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_SAM + +/************************************************************ + Fill the SAM_GROUP_HANDLE with default values. + ***********************************************************/ + +static void sam_fill_default_group(SAM_GROUP_HANDLE *group) +{ + ZERO_STRUCT(group->private); /* Don't touch the talloc context */ + +} + +static void destroy_sam_group_handle_talloc(SAM_GROUP_HANDLE **group) +{ + if (*group) { + + talloc_destroy((*group)->mem_ctx); + *group = NULL; + } +} + + +/********************************************************************** + Alloc memory and initialises a SAM_GROUP_HANDLE on supplied mem_ctx. +***********************************************************************/ + +NTSTATUS sam_init_group_talloc(TALLOC_CTX *mem_ctx, SAM_GROUP_HANDLE **group) +{ + SMB_ASSERT(*group != NULL); + + if (!mem_ctx) { + DEBUG(0,("sam_init_group_talloc: mem_ctx was NULL!\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + *group=(SAM_GROUP_HANDLE *)talloc(mem_ctx, sizeof(SAM_GROUP_HANDLE)); + + if (*group==NULL) { + DEBUG(0,("sam_init_group_talloc: error while allocating memory\n")); + return NT_STATUS_NO_MEMORY; + } + + (*group)->mem_ctx = mem_ctx; + + (*group)->free_fn = NULL; + + sam_fill_default_group(*group); + + return NT_STATUS_OK; +} + + +/************************************************************* + Alloc memory and initialises a struct SAM_GROUP_HANDLE. + ************************************************************/ + +NTSTATUS sam_init_group(SAM_GROUP_HANDLE **group) +{ + TALLOC_CTX *mem_ctx; + NTSTATUS nt_status; + + mem_ctx = talloc_init("sam internal SAM_GROUP_HANDLE allocation"); + + if (!mem_ctx) { + DEBUG(0,("sam_init_group: error while doing talloc_init()\n")); + return NT_STATUS_NO_MEMORY; + } + + if (!NT_STATUS_IS_OK(nt_status = sam_init_group_talloc(mem_ctx, group))) { + talloc_destroy(mem_ctx); + return nt_status; + } + + (*group)->free_fn = destroy_sam_group_handle_talloc; + + return NT_STATUS_OK; +} + + +/************************************************************ + Reset the SAM_GROUP_HANDLE. + ***********************************************************/ + +NTSTATUS sam_reset_group(SAM_GROUP_HANDLE *group) +{ + SMB_ASSERT(group != NULL); + + sam_fill_default_group(group); + + return NT_STATUS_OK; +} + + +/************************************************************ + Free the SAM_GROUP_HANDLE and the member pointers. + ***********************************************************/ + +NTSTATUS sam_free_group(SAM_ACCOUNT_HANDLE **group) +{ + SMB_ASSERT(*group != NULL); + + if ((*group)->free_fn) { + (*group)->free_fn(group); + } + + return NT_STATUS_OK; +} + + +/********************************************************** + Encode the group control bits into a string. + length = length of string to encode into (including terminating + null). length *MUST BE MORE THAN 2* ! + **********************************************************/ + +char *sam_encode_acct_ctrl(uint16 group_ctrl, size_t length) +{ + static fstring group_str; + size_t i = 0; + + group_str[i++] = '['; + + if (group_ctrl & GCB_LOCAL_GROUP ) group_str[i++] = 'L'; + if (group_ctrl & GCB_GLOBAL_GROUP ) group_str[i++] = 'G'; + + for ( ; i < length - 2 ; i++ ) + group_str[i] = ' '; + + i = length - 2; + group_str[i++] = ']'; + group_str[i++] = '\0'; + + return group_str; +} + +/********************************************************** + Decode the group control bits from a string. + **********************************************************/ + +uint16 sam_decode_group_ctrl(const char *p) +{ + uint16 group_ctrl = 0; + BOOL finished = False; + + /* + * Check if the account type bits have been encoded after the + * NT password (in the form [NDHTUWSLXI]). + */ + + if (*p != '[') + return 0; + + for (p++; *p && !finished; p++) { + switch (*p) { + case 'L': { group_ctrl |= GCB_LOCAL_GROUP; break; /* 'L'ocal Aliases Group. */ } + case 'G': { group_ctrl |= GCB_GLOBAL_GROUP; break; /* 'G'lobal Domain Group. */ } + + case ' ': { break; } + case ':': + case '\n': + case '\0': + case ']': + default: { finished = True; } + } + } + + return group_ctrl; +} + diff --git a/source4/sam/gumm_tdb.c b/source4/sam/gumm_tdb.c new file mode 100644 index 00000000000..52eaab9e172 --- /dev/null +++ b/source4/sam/gumm_tdb.c @@ -0,0 +1,562 @@ +/* + * Unix SMB/CIFS implementation. + * SMB parameters and setup + * Copyright (C) Andrew Tridgell 1992-1998 + * Copyright (C) Simo Sorce 2000-2002 + * Copyright (C) Gerald Carter 2000 + * Copyright (C) Jeremy Allison 2001 + * Copyright (C) Andrew Bartlett 2002 + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 675 + * Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" +#include "gums.h" +#include "tdbsam2.h" +#include "tdbsam2_parse_info.h" + +static int tdbgumm_debug_level = DBGC_ALL; +#undef DBGC_CLASS +#define DBGC_CLASS tdbgumm_debug_level + +#define TDBSAM_VERSION "20021215" +#define TDB_FILE_NAME "tdbsam2.tdb" +#define DOMAINPREFIX "DOMAIN_" +#define OBJECTPREFIX "OBJECT_" +#define SIDPREFIX "SID_" +#define PRIVILEGEPREFIX "PRIV_" + +#define TDB_FORMAT_STRING "ddB" + +union tdbsam2_data { + struct tdbsam2_domain_data *domain; + struct tdbsam2_user_data *user; + struct tdbsam2_group_data *group; +}; + +struct tdbsam2_object { + uint32 type; + union tdbsam2_data data; +}; + +static TDB_CONTEXT *tdbsam2_db; + +#define TALLOC_CHECK(ptr, err, label) do { if ((ptr) == NULL) { DEBUG(0, ("%s: Out of memory!\n", __FUNCTION__)); err = NT_STATUS_NO_MEMORY; goto label; } } while(0) +#define SET_OR_FAIL(func, label) do { if (NT_STATUS_IS_ERR(func)) { DEBUG(0, ("%s: Setting gums object data failed!\n", __FUNCTION__)); goto label; } } while(0) + +static NTSTATUS init_tdbsam2_object_from_buffer(struct tdbsam2_object *object, TALLOC_CTX *mem_ctx, char *buffer, int size) { + + return NT_STATUS_OK; +} + +static NTSTATUS tdbsam2_opentdb(void) { + + return NT_STATUS_OK; +} + +static NTSTATUS tdbsam2_get_object_by_name(struct tdbsam2_object *obj, TALLOC_CTX *mem_ctx, const char* name) { + + NTSTATUS ret; + TDB_DATA data, key; + fstring keystr; + fstring objname; + + if (!obj || !mem_ctx || !name) + return NT_STATUS_INVALID_PARAMETER; + + if (tdbsam2_db == NULL) { + if (NT_STATUS_IS_ERR(ret = tdbsam2_opentdb())) { + goto done; + } + } + + unix_strlower(name, -1, objname, sizeof(objname)); + + slprintf(keystr, sizeof(keystr)-1, "%s%s", OBJECTPREFIX, objname); + key.dptr = keystr; + key.dsize = strlen(keystr) + 1; + + data = tdb_fetch(tdbsam2_db, key); + if (!data.dptr) { + DEBUG(5, ("get_domain_sid: Error fetching database, domain entry not found!\n")); + DEBUGADD(5, (" Error: %s\n", tdb_errorstr(tdbsam2_db))); + DEBUGADD(5, (" Key: %s\n", keystr)); + ret = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + if (NT_STATUS_IS_ERR(init_tdbsam2_object_from_buffer(obj, mem_ctx, data.dptr, data.dsize))) { + SAFE_FREE(data.dptr); + DEBUG(0, ("get_domain_sid: Error fetching database, malformed entry!\n")); + ret = NT_STATUS_UNSUCCESSFUL; + goto done; + } + SAFE_FREE(data.dptr); + + ret = NT_STATUS_OK; + +done: + return ret; +} + + +static NTSTATUS tdbsam2_store(struct tdbsam2_object *object) { + + NTSTATUS ret; + + return NT_STATUS_OK; +} + +static NTSTATUS tdbsam2_get_next_sid(TALLOC_CTX *mem_ctx, DOM_SID *sid) { + + NTSTATUS ret; + + return NT_STATUS_OK; +} + +static NTSTATUS tdbsam2_user_data_to_gums_object(GUMS_OBJECT **object, struct tdbsam2_user_data *userdata, uint32 type) { + + NTSTATUS ret; + + if (!object || !userdata) { + DEBUG(0, ("tdbsam2_user_data_to_gums_object: no NULL pointers are accepted here!\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + /* userdata->xcounter */ + /* userdata->sec_desc */ + + SET_OR_FAIL(gums_set_object_sid(*object, userdata->user_sid), error); + SET_OR_FAIL(gums_set_object_name(*object, userdata->name), error); + + SET_OR_FAIL(gums_set_user_pri_group(*object, userdata->group_sid), error); + + if (userdata->description) + SET_OR_FAIL(gums_set_object_description(*object, userdata->description), error); + + if (userdata->full_name) + SET_OR_FAIL(gums_set_user_fullname(*object, userdata->full_name), error); + + if (userdata->home_dir) + SET_OR_FAIL(gums_set_user_homedir(*object, userdata->home_dir), error); + + if (userdata->dir_drive) + SET_OR_FAIL(gums_set_user_dir_drive(*object, userdata->dir_drive), error); + + if (userdata->logon_script) + SET_OR_FAIL(gums_set_user_logon_script(*object, userdata->logon_script), error); + + if (userdata->profile_path) + SET_OR_FAIL(gums_set_user_profile_path(*object, userdata->profile_path), error); + + if (userdata->workstations) + SET_OR_FAIL(gums_set_user_workstations(*object, userdata->workstations), error); + + if (userdata->unknown_str) + SET_OR_FAIL(gums_set_user_unknown_str(*object, userdata->unknown_str), error); + + if (userdata->munged_dial) + SET_OR_FAIL(gums_set_user_munged_dial(*object, userdata->munged_dial), error); + + SET_OR_FAIL(gums_set_user_logon_divs(*object, userdata->logon_divs), error); + SET_OR_FAIL(gums_set_user_hours_len(*object, userdata->hours_len), error); + + if (userdata->hours) + SET_OR_FAIL(gums_set_user_hours(*object, userdata->hours), error); + + SET_OR_FAIL(gums_set_user_unknown_3(*object, userdata->unknown_3), error); + SET_OR_FAIL(gums_set_user_unknown_5(*object, userdata->unknown_5), error); + SET_OR_FAIL(gums_set_user_unknown_6(*object, userdata->unknown_6), error); + + SET_OR_FAIL(gums_set_user_logon_time(*object, userdata->logon_time), error); + SET_OR_FAIL(gums_set_user_logoff_time(*object, userdata->logoff_time), error); + SET_OR_FAIL(gums_set_user_kickoff_time(*object, userdata->kickoff_time), error); + SET_OR_FAIL(gums_set_user_pass_last_set_time(*object, userdata->pass_last_set_time), error); + SET_OR_FAIL(gums_set_user_pass_can_change_time(*object, userdata->pass_can_change_time), error); + SET_OR_FAIL(gums_set_user_pass_must_change_time(*object, userdata->pass_must_change_time), error); + + ret = NT_STATUS_OK; + return ret; + +error: + talloc_destroy((*object)->mem_ctx); + *object = NULL; + return ret; +} + +static NTSTATUS tdbsam2_group_data_to_gums_object(GUMS_OBJECT **object, struct tdbsam2_group_data *groupdata, uint32 type) { + + NTSTATUS ret; + + if (!object || !groupdata) { + DEBUG(0, ("tdbsam2_group_data_to_gums_object: no NULL pointers are accepted here!\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + /* groupdata->xcounter */ + /* groupdata->sec_desc */ + + SET_OR_FAIL(gums_set_object_sid(*object, groupdata->group_sid), error); + SET_OR_FAIL(gums_set_object_name(*object, groupdata->name), error); + + if (groupdata->description) + SET_OR_FAIL(gums_set_object_description(*object, groupdata->description), error); + + if (groupdata->count) + SET_OR_FAIL(gums_set_group_members(*object, groupdata->count, groupdata->members), error); + + ret = NT_STATUS_OK; + return ret; + +error: + talloc_destroy((*object)->mem_ctx); + *object = NULL; + return ret; +} + +static NTSTATUS tdbsam2_domain_data_to_gums_object(GUMS_OBJECT **object, struct tdbsam2_domain_data *domdata, uint32 type) { + + NTSTATUS ret; + + if (!object || !domdata) { + DEBUG(0, ("tdbsam2_domain_data_to_gums_object: no NULL pointers are accepted here!\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + /* domdata->xcounter */ + /* domdata->sec_desc */ + + SET_OR_FAIL(gums_set_object_sid(*object, domdata->dom_sid), error); + SET_OR_FAIL(gums_set_object_name(*object, domdata->name), error); + + if (domdata->description) + SET_OR_FAIL(gums_set_object_description(*object, domdata->description), error); + + ret = NT_STATUS_OK; + return ret; + +error: + talloc_destroy((*object)->mem_ctx); + *object = NULL; + return ret; +} + +static NTSTATUS tdbsam2_data_to_gums_object(GUMS_OBJECT **object, struct tdbsam2_object *data) { + + NTSTATUS ret; + + if (!object || !data) { + DEBUG(0, ("tdbsam2_user_data_to_gums_object: no NULL structure pointers are accepted here!\n")); + ret = NT_STATUS_INVALID_PARAMETER; + goto done; + } + + ret = gums_create_object(object, data->type); + if (NT_STATUS_IS_ERR(ret)) { + DEBUG(5, ("tdbsam2_user_data_to_gums_object: error creating gums object!\n")); + goto done; + } + + switch (data->type) { + case GUMS_OBJ_DOMAIN: + ret = tdbsam2_domain_data_to_gums_object(object, data->data.domain, data->type); + break; + + case GUMS_OBJ_NORMAL_USER: + ret = tdbsam2_user_data_to_gums_object(object, data->data.user, data->type); + break; + + case GUMS_OBJ_GROUP: + case GUMS_OBJ_ALIAS: + ret = tdbsam2_group_data_to_gums_object(object, data->data.group, data->type); + break; + + default: + ret = NT_STATUS_UNSUCCESSFUL; + } + +done: + return ret; +} + + + + + +/* GUMM object functions */ + +static NTSTATUS get_domain_sid(DOM_SID *sid, const char* name) { + + NTSTATUS ret; + struct tdbsam2_object obj; + TALLOC_CTX *mem_ctx; + TDB_DATA data, key; + fstring keystr; + fstring domname; + + if (!sid || !name) + return NT_STATUS_INVALID_PARAMETER; + + mem_ctx = talloc_init("get_domain_sid"); + if (!mem_ctx) { + DEBUG(0, ("tdbsam2_new_object: Out of memory!\n")); + return NT_STATUS_NO_MEMORY; + } + + if (tdbsam2_db == NULL) { + if (NT_STATUS_IS_ERR(ret = tdbsam2_opentdb())) { + goto done; + } + } + + unix_strlower(name, -1, domname, sizeof(domname)); + + slprintf(keystr, sizeof(keystr)-1, "%s%s", DOMAINPREFIX, domname); + key.dptr = keystr; + key.dsize = strlen(keystr) + 1; + + data = tdb_fetch(tdbsam2_db, key); + if (!data.dptr) { + DEBUG(5, ("get_domain_sid: Error fetching database, domain entry not found!\n")); + DEBUGADD(5, (" Error: %s\n", tdb_errorstr(tdbsam2_db))); + DEBUGADD(5, (" Key: %s\n", keystr)); + ret = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + if (NT_STATUS_IS_ERR(init_tdbsam2_object_from_buffer(&obj, mem_ctx, data.dptr, data.dsize))) { + SAFE_FREE(data.dptr); + DEBUG(0, ("get_domain_sid: Error fetching database, malformed entry!\n")); + ret = NT_STATUS_UNSUCCESSFUL; + goto done; + } + SAFE_FREE(data.dptr); + + if (obj.type != GUMS_OBJ_DOMAIN) { + DEBUG(5, ("get_domain_sid: Requested object is not a domain!\n")); + ret = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + sid_copy(sid, obj.data.domain->dom_sid); + + ret = NT_STATUS_OK; + +done: + if (mem_ctx) talloc_destroy(mem_ctx); + return ret; +} + + NTSTATUS (*set_domain_sid) (const DOM_SID *sid, const char *name); + + NTSTATUS (*get_sequence_number) (void); + + +static NTSTATUS tdbsam2_new_object(DOM_SID **sid, const char *name, const int obj_type) { + + NTSTATUS ret; + struct tdbsam2_object obj; + TALLOC_CTX *mem_ctx; + + if (!sid || !name) { + DEBUG(0, ("tdbsam2_new_object: no NULL pointers are accepted here!\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + mem_ctx = talloc_init("tdbsam2_new_object"); + if (!mem_ctx) { + DEBUG(0, ("tdbsam2_new_object: Out of memory!\n")); + return NT_STATUS_NO_MEMORY; + } + + switch (obj_type) { + case GUMS_OBJ_NORMAL_USER: + obj.data.user = (struct tdbsam2_user_data *)talloc_zero(mem_ctx, sizeof(struct tdbsam2_user_data)); + TALLOC_CHECK(obj.data.user, ret, done); + + /*obj.data.user->sec_desc*/ + + tdbsam2_get_next_sid(mem_ctx, obj.data.user->user_sid); + TALLOC_CHECK(obj.data.user->user_sid, ret, done); + + obj.data.user->name = talloc_strdup(mem_ctx, name); + TALLOC_CHECK(obj.data.user, ret, done); + + break; + + case GUMS_OBJ_GROUP: + case GUMS_OBJ_ALIAS: + obj.data.group = (struct tdbsam2_group_data *)talloc_zero(mem_ctx, sizeof(struct tdbsam2_group_data)); + TALLOC_CHECK(obj.data.group, ret, done); + + /*obj.data.user->sec_desc*/ + + tdbsam2_get_next_sid(mem_ctx, obj.data.group->group_sid); + TALLOC_CHECK(obj.data.group->group_sid, ret, done); + + obj.data.group->name = talloc_strdup(mem_ctx, name); + TALLOC_CHECK(obj.data.group, ret, done); + + break; + + case GUMS_OBJ_DOMAIN: + /* TODO: SHOULD WE ALLOW TO CREATE NEW DOMAINS ? */ + + default: + ret = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + ret = tdbsam2_store(&obj); + +done: + talloc_destroy(mem_ctx); + return ret; +} + +static NTSTATUS tdbsam2_delete_object(const DOM_SID *sid) { + + NTSTATUS ret; + struct tdbsam2_object obj; + TALLOC_CTX *mem_ctx; + TDB_DATA data, key; + fstring keystr; + fstring sidstr; + char *obj_name = NULL; + int obj_type, obj_version, len; + + if (!sid) { + DEBUG(0, ("tdbsam2_new_object: no NULL pointers are accepted here!\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + mem_ctx = talloc_init("tdbsam2_delete_object"); + if (!mem_ctx) { + DEBUG(0, ("tdbsam2_new_object: Out of memory!\n")); + return NT_STATUS_NO_MEMORY; + } + + if (tdbsam2_db == NULL) { + if (NT_STATUS_IS_ERR(ret = tdbsam2_opentdb())) { + goto done; + } + } + + sid_to_string(sidstr, sid); + + slprintf(keystr, sizeof(keystr)-1, "%s%s", SIDPREFIX, sidstr); + key.dptr = keystr; + key.dsize = strlen(keystr) + 1; + + data = tdb_fetch(tdbsam2_db, key); + if (!data.dptr) { + DEBUG(5, ("get_domain_sid: Error fetching database, SID entry not found!\n")); + DEBUGADD(5, (" Error: %s\n", tdb_errorstr(tdbsam2_db))); + DEBUGADD(5, (" Key: %s\n", keystr)); + ret = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + len = tdb_unpack(data.dptr, data.dsize, TDB_FORMAT_STRING, + &obj_version, + &obj_type, + &obj_name); + + if (len == -1) { + ret = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + if (tdb_delete(tdbsam2_db, key) != TDB_SUCCESS) { + DEBUG(5, ("tdbsam2_object_delete: Error deleting object!\n")); + DEBUGADD(5, (" Error: %s\n", tdb_errorstr(tdbsam2_db))); + DEBUGADD(5, (" Key: %s\n", keystr)); + ret = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + switch (obj_type) { + case GUMS_OBJ_NORMAL_USER: + case GUMS_OBJ_GROUP: + case GUMS_OBJ_ALIAS: + + slprintf(keystr, sizeof(keystr)-1, "%s%s", OBJECTPREFIX, obj_name); + key.dptr = keystr; + key.dsize = strlen(keystr) + 1; + + if (tdb_delete(tdbsam2_db, key) != TDB_SUCCESS) { + DEBUG(5, ("tdbsam2_object_delete: Error deleting object!\n")); + DEBUGADD(5, (" Error: %s\n", tdb_errorstr(tdbsam2_db))); + DEBUGADD(5, (" Key: %s\n", keystr)); + ret = NT_STATUS_UNSUCCESSFUL; + goto done; + } + break; + + case GUMS_OBJ_DOMAIN: + /* TODO: SHOULD WE ALLOW TO DELETE DOMAINS ? */ + + default: + ret = NT_STATUS_UNSUCCESSFUL; + goto done; + } + +done: + SAFE_FREE(obj_name); + talloc_destroy(mem_ctx); + return ret; +} + + NTSTATUS (*get_object_from_sid) (GUMS_OBJECT **object, const DOM_SID *sid, const int obj_type); + NTSTATUS (*get_sid_from_name) (GUMS_OBJECT **object, const char *name); + /* This function is used to get the list of all objects changed since b_time, it is + used to support PDC<->BDC synchronization */ + NTSTATUS (*get_updated_objects) (GUMS_OBJECT **objects, const NTTIME base_time); + + NTSTATUS (*enumerate_objects_start) (void *handle, const DOM_SID *sid, const int obj_type); + NTSTATUS (*enumerate_objects_get_next) (GUMS_OBJECT **object, void *handle); + NTSTATUS (*enumerate_objects_stop) (void *handle); + + /* This function MUST be used ONLY by PDC<->BDC replication code or recovery tools. + Never use this function to update an object in the database, use set_object_values() */ + NTSTATUS (*set_object) (const GUMS_OBJECT *object); + + /* set object values function */ + NTSTATUS (*set_object_values) (DOM_SID *sid, uint32 count, GUMS_DATA_SET *data_set); + + /* Group related functions */ + NTSTATUS (*add_memberss_to_group) (const DOM_SID *group, const DOM_SID **members); + NTSTATUS (*delete_members_from_group) (const DOM_SID *group, const DOM_SID **members); + NTSTATUS (*enumerate_group_members) (DOM_SID **members, const DOM_SID *sid, const int type); + + NTSTATUS (*get_sid_groups) (DOM_SID **groups, const DOM_SID *sid); + + NTSTATUS (*lock_sid) (const DOM_SID *sid); + NTSTATUS (*unlock_sid) (const DOM_SID *sid); + + /* privileges related functions */ + + NTSTATUS (*add_members_to_privilege) (const LUID_ATTR *priv, const DOM_SID **members); + NTSTATUS (*delete_members_from_privilege) (const LUID_ATTR *priv, const DOM_SID **members); + NTSTATUS (*enumerate_privilege_members) (DOM_SID **members, const LUID_ATTR *priv); + NTSTATUS (*get_sid_privileges) (DOM_SID **privs, const DOM_SID *sid); + /* warning!: set_privilege will overwrite a prior existing privilege if such exist */ + NTSTATUS (*set_privilege) (GUMS_PRIVILEGE *priv); + + +int gumm_init(GUMS_FUNCTIONS **storage) { + + return 0; +} diff --git a/source4/sam/gums.c b/source4/sam/gums.c new file mode 100644 index 00000000000..3a20ef6fc96 --- /dev/null +++ b/source4/sam/gums.c @@ -0,0 +1,131 @@ +/* + Unix SMB/CIFS implementation. + Grops and Users Management System initializations. + Copyright (C) Simo Sorce 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +/*#undef DBGC_CLASS +#define DBGC_CLASS DBGC_GUMS*/ + +#define GMV_MAJOR 0 +#define GMV_MINOR 1 + +GUMS_FUNCTIONS *gums_storage; +static void *dl_handle; + +PRIVS privs[] = { + {PRIV_NONE, "no_privs", "No privilege"}, /* this one MUST be first */ + {PRIV_CREATE_TOKEN, "SeCreateToken", "Create Token"}, + {PRIV_ASSIGNPRIMARYTOKEN, "SeAssignPrimaryToken", "Assign Primary Token"}, + {PRIV_LOCK_MEMORY, "SeLockMemory", "Lock Memory"}, + {PRIV_INCREASE_QUOTA, "SeIncreaseQuotaPrivilege", "Increase Quota Privilege"}, + {PRIV_MACHINE_ACCOUNT, "SeMachineAccount", "Machine Account"}, + {PRIV_TCB, "SeTCB", "TCB"}, + {PRIV_SECURITY, "SeSecurityPrivilege", "Security Privilege"}, + {PRIV_TAKE_OWNERSHIP, "SeTakeOwnershipPrivilege", "Take Ownership Privilege"}, + {PRIV_LOAD_DRIVER, "SeLocalDriverPrivilege", "Local Driver Privilege"}, + {PRIV_SYSTEM_PROFILE, "SeSystemProfilePrivilege", "System Profile Privilege"}, + {PRIV_SYSTEMTIME, "SeSystemtimePrivilege", "System Time"}, + {PRIV_PROF_SINGLE_PROCESS, "SeProfileSingleProcessPrivilege", "Profile Single Process Privilege"}, + {PRIV_INC_BASE_PRIORITY, "SeIncreaseBasePriorityPrivilege", "Increase Base Priority Privilege"}, + {PRIV_CREATE_PAGEFILE, "SeCreatePagefilePrivilege", "Create Pagefile Privilege"}, + {PRIV_CREATE_PERMANENT, "SeCreatePermanent", "Create Permanent"}, + {PRIV_BACKUP, "SeBackupPrivilege", "Backup Privilege"}, + {PRIV_RESTORE, "SeRestorePrivilege", "Restore Privilege"}, + {PRIV_SHUTDOWN, "SeShutdownPrivilege", "Shutdown Privilege"}, + {PRIV_DEBUG, "SeDebugPrivilege", "Debug Privilege"}, + {PRIV_AUDIT, "SeAudit", "Audit"}, + {PRIV_SYSTEM_ENVIRONMENT, "SeSystemEnvironmentPrivilege", "System Environment Privilege"}, + {PRIV_CHANGE_NOTIFY, "SeChangeNotify", "Change Notify"}, + {PRIV_REMOTE_SHUTDOWN, "SeRemoteShutdownPrivilege", "Remote Shutdown Privilege"}, + {PRIV_UNDOCK, "SeUndock", "Undock"}, + {PRIV_SYNC_AGENT, "SeSynchronizationAgent", "Synchronization Agent"}, + {PRIV_ENABLE_DELEGATION, "SeEnableDelegation", "Enable Delegation"}, + {PRIV_ALL, "SaAllPrivs", "All Privileges"} +}; + +NTSTATUS gums_init(const char *module_name) +{ + int (*module_version)(int); + NTSTATUS (*module_init)(); +/* gums_module_init module_init;*/ + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; + + DEBUG(5, ("Opening gums module %s\n", module_name)); + dl_handle = sys_dlopen(module_name, RTLD_NOW); + if (!dl_handle) { + DEBUG(0, ("ERROR: Failed to load gums module %s, error: %s\n", module_name, sys_dlerror())); + return NT_STATUS_UNSUCCESSFUL; + } + + module_version = sys_dlsym(dl_handle, "gumm_version"); + if (!module_version) { + DEBUG(0, ("ERROR: Failed to find gums module version!\n")); + goto error; + } + + if (module_version(GMV_MAJOR) != GUMS_VERSION_MAJOR) { + DEBUG(0, ("ERROR: Module's major version does not match gums version!\n")); + goto error; + } + + if (module_version(GMV_MINOR) != GUMS_VERSION_MINOR) { + DEBUG(1, ("WARNING: Module's minor version does not match gums version!\n")); + } + + module_init = sys_dlsym(dl_handle, "gumm_init"); + if (!module_init) { + DEBUG(0, ("ERROR: Failed to find gums module's init function!\n")); + goto error; + } + + DEBUG(5, ("Initializing module %s\n", module_name)); + + ret = module_init(&gums_storage); + goto done; + +error: + ret = NT_STATUS_UNSUCCESSFUL; + sys_dlclose(dl_handle); + +done: + return ret; +} + +NTSTATUS gums_unload(void) +{ + NSTATUS ret; + NTSTATUS (*module_finalize)(); + + if (!dl_handle) + return NT_STATUS_UNSUCCESSFUL; + + module_close = sys_dlsym(dl_handle, "gumm_finalize"); + if (!module_finalize) { + DEBUG(0, ("ERROR: Failed to find gums module's init function!\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + DEBUG(5, ("Finalizing module %s\n", module_name)); + + ret = module_finalize(); + sys_dlclose(dl_handle); + + return ret; +} diff --git a/source4/sam/gums_api.c b/source4/sam/gums_api.c new file mode 100644 index 00000000000..75e32fa8614 --- /dev/null +++ b/source4/sam/gums_api.c @@ -0,0 +1,1268 @@ +/* + Unix SMB/CIFS implementation. + GUMS structures + Copyright (C) Simo Sorce 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern GUMS_FUNCTIONS *gums_storage; + +/* Functions to get/set info from a GUMS object */ + +NTSTATUS gums_get_object_type(uint32 *type, const GUMS_OBJECT *obj) +{ + if (!obj) + return NT_STATUS_INVALID_PARAMETER; + + *type = obj->type; + return NT_STATUS_OK; +} + +NTSTATUS gums_create_object(GUMS_OBJECT **obj, uint32 type) +{ + TALLOC_CTX *mem_ctx = talloc_init("gums_create_object"); + GUMS_OBJECT *go; + NT_STATUS ret; + + go = talloc_zero(mem_ctx, sizeof(GUMS_OBJECT)); + go->mem_ctx = mem_ctx; + go->type = type; + go->version = GUMS_OBJECT_VERSION; + + switch(type) { + case GUMS_OBJ_DOMAIN: + break; + +/* + case GUMS_OBJ_WORKSTATION_TRUST: + case GUMS_OBJ_SERVER_TRUST: + case GUMS_OBJ_DOMAIN_TRUST: +*/ + case GUMS_OBJ_NORMAL_USER: + go->data = (GUMS_USER *)talloc_zero(mem_ctx, sizeof(GUMS_USER)); + break; + + case GUMS_OBJ_GROUP: + case GUMS_OBJ_ALIAS: + go->data = (GUMS_GROUP *)talloc_zero(mem_ctx, sizeof(GUMS_GROUP)); + break; + + default: + /* TODO: throw error */ + ret = NT_STATUS_OBJECT_TYPE_MISMATCH; + goto error; + } + + if (!(go->data)) { + ret = NT_STATUS_NO_MEMORY; + DEBUG(0, ("gums_create_object: Out of memory!\n")); + goto error; + } + + *obj = go; + return NT_STATUS_OK; + +error: + talloc_destroy(go->mem_ctx); + *obj = NULL; + return ret; +} + +NTSTATUS gums_get_object_seq_num(uint32 *version, const GUMS_OBJECT *obj) +{ + if (!version || !obj) + return NT_STATUS_INVALID_PARAMETER; + + *version = obj->version; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_object_seq_num(GUMS_OBJECT *obj, uint32 version) +{ + if (!obj) + return NT_STATUS_INVALID_PARAMETER; + + obj->version = version; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_sec_desc(SEC_DESC **sec_desc, const GUMS_OBJECT *obj) +{ + if (!sec_desc || !obj) + return NT_STATUS_INVALID_PARAMETER; + + *sec_desc = obj->sec_desc; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_sec_desc(GUMS_OBJECT *obj, const SEC_DESC *sec_desc) +{ + if (!obj || !sec_desc) + return NT_STATUS_INVALID_PARAMETER; + + obj->sec_desc = dup_sec_desc(obj->mem_ctx, sec_desc); + if (!(obj->sec_desc)) return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_object_sid(DOM_SID **sid, const GUMS_OBJECT *obj) +{ + if (!sid || !obj) + return NT_STATUS_INVALID_PARAMETER; + + *sid = obj->sid; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_object_sid(GUMS_OBJECT *obj, const DOM_SID *sid) +{ + if (!obj || !sid) + return NT_STATUS_INVALID_PARAMETER; + + obj->sid = sid_dup_talloc(obj->mem_ctx, sid); + if (!(obj->sid)) return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_object_name(char **name, const GUMS_OBJECT *obj) +{ + if (!name || !obj) + return NT_STATUS_INVALID_PARAMETER; + + *name = obj->name; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_object_name(GUMS_OBJECT *obj, const char *name) +{ + if (!obj || !name) + return NT_STATUS_INVALID_PARAMETER; + + obj->name = (char *)talloc_strdup(obj->mem_ctx, name); + if (!(obj->name)) return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_object_description(char **description, const GUMS_OBJECT *obj) +{ + if (!description || !obj) + return NT_STATUS_INVALID_PARAMETER; + + *description = obj->description; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_object_description(GUMS_OBJECT *obj, const char *description) +{ + if (!obj || !description) + return NT_STATUS_INVALID_PARAMETER; + + obj->description = (char *)talloc_strdup(obj->mem_ctx, description); + if (!(obj->description)) return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_OK; +} + +/* User specific functions */ + +/* +NTSTATUS gums_get_object_privileges(PRIVILEGE_SET **priv_set, const GUMS_OBJECT *obj) +{ + if (!priv_set) + return NT_STATUS_INVALID_PARAMETER; + + *priv_set = obj->priv_set; + return NT_STATUS_OK; +} +*/ + +NTSTATUS gums_get_user_pri_group(DOM_SID **sid, const GUMS_OBJECT *obj) +{ + if (!sid || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *sid = obj->data.user->group_sid; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_pri_group(GUMS_OBJECT *obj, const DOM_SID *sid) +{ + if (!obj || !sid) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->group_sid = sid_dup_talloc(obj->mem_ctx, sid); + if (!(obj->data.user->group_sid)) return NT_STATUS_NO_MEMORY; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_nt_pwd(DATA_BLOB **nt_pwd, const GUMS_OBJECT *obj) +{ + if (!nt_pwd || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *nt_pwd = obj->data.user->nt_pw; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_nt_pwd(GUMS_OBJECT *obj, const DATA_BLOB nt_pwd) +{ + if (!obj || !nt_pwd || nt_pwd != NT_HASH_LEN) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->nt_pwd = data_blob_talloc(obj->mem_ctx, nt_pwd.data, nt_pwd.lenght); + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_lm_pwd(DATA_BLOB **lm_pwd, const GUMS_OBJECT *obj) +{ + if (!lm_pwd || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *lm_pwd = obj->data.user->lm_pw; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_lm_pwd(GUMS_OBJECT *obj, const DATA_BLOB lm_pwd) +{ + if (!obj || !lm_pwd || lm_pwd != LM_HASH_LEN) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->lm_pwd = data_blob_talloc(obj->mem_ctx, lm_pwd.data, lm_pwd.lenght); + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_fullname(char **fullname, const GUMS_OBJECT *obj) +{ + if (!fullname || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *fullname = obj->data.user->full_name; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_fullname(GUMS_OBJECT *obj, const char *fullname) +{ + if (!obj || !fullname) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->full_name = (char *)talloc_strdup(obj->mem_ctx, fullname); + if (!(obj->data.user->full_name)) return NT_STATUS_NO_MEMORY; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_homedir(char **homedir, const GUMS_OBJECT *obj) +{ + if (!homedir || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *homedir = obj->data.user->home_dir; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_homedir(GUMS_OBJECT *obj, const char *homedir) +{ + if (!obj || !homedir) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->home_dir = (char *)talloc_strdup(obj->mem_ctx, homedir); + if (!(obj->data.user->home_dir)) return NT_STATUS_NO_MEMORY; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_dir_drive(char **dirdrive, const GUMS_OBJECT *obj) +{ + if (!dirdrive || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *dirdrive = obj->data.user->dir_drive; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_dir_drive(GUMS_OBJECT *obj, const char *dir_drive) +{ + if (!obj || !dir_drive) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->dir_drive = (char *)talloc_strdup(obj->mem_ctx, dir_drive); + if (!(obj->data.user->dir_drive)) return NT_STATUS_NO_MEMORY; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_logon_script(char **logon_script, const GUMS_OBJECT *obj) +{ + if (!logon_script || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *logon_script = obj->data.user->logon_script; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_logon_script(GUMS_OBJECT *obj, const char *logon_script) +{ + if (!obj || !logon_script) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->logon_script = (char *)talloc_strdup(obj->mem_ctx, logon_script); + if (!(obj->data.user->logon_script)) return NT_STATUS_NO_MEMORY; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_profile_path(char **profile_path, const GUMS_OBJECT *obj) +{ + if (!profile_path || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *profile_path = obj->data.user->profile_path; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_profile_path(GUMS_OBJECT *obj, const char *profile_path) +{ + if (!obj || !profile_path) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->profile_path = (char *)talloc_strdup(obj->mem_ctx, profile_path); + if (!(obj->data.user->profile_path)) return NT_STATUS_NO_MEMORY; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_workstations(char **workstations, const GUMS_OBJECT *obj) +{ + if (!workstations || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *workstations = obj->data.user->workstations; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_workstations(GUMS_OBJECT *obj, const char *workstations) +{ + if (!obj || !workstations) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->workstations = (char *)talloc_strdup(obj->mem_ctx, workstations); + if (!(obj->data.user->workstations)) return NT_STATUS_NO_MEMORY; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_unknown_str(char **unknown_str, const GUMS_OBJECT *obj) +{ + if (!unknown_str || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *unknown_str = obj->data.user->unknown_str; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_unknown_str(GUMS_OBJECT *obj, const char *unknown_str) +{ + if (!obj || !unknown_str) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->unknown_str = (char *)talloc_strdup(obj->mem_ctx, unknown_str); + if (!(obj->data.user->unknown_str)) return NT_STATUS_NO_MEMORY; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_munged_dial(char **munged_dial, const GUMS_OBJECT *obj) +{ + if (!munged_dial || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *munged_dial = obj->data.user->munged_dial; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_munged_dial(GUMS_OBJECT *obj, const char *munged_dial) +{ + if (!obj || !munged_dial) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->munged_dial = (char *)talloc_strdup(obj->mem_ctx, munged_dial); + if (!(obj->data.user->munged_dial)) return NT_STATUS_NO_MEMORY; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_logon_time(NTTIME *logon_time, const GUMS_OBJECT *obj) +{ + if (!logon_time || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *logon_time = obj->data.user->logon_time; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_logon_time(GUMS_OBJECT *obj, NTTIME logon_time) +{ + if (!obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->logon_time = logon_time; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_logoff_time(NTTIME *logoff_time, const GUMS_OBJECT *obj) +{ + if (!logoff_time || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *logoff_time = obj->data.user->logoff_time; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_logoff_time(GUMS_OBJECT *obj, NTTIME logoff_time) +{ + if (!obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->logoff_time = logoff_time; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_kickoff_time(NTTIME *kickoff_time, const GUMS_OBJECT *obj) +{ + if (!kickoff_time || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *kickoff_time = obj->data.user->kickoff_time; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_kickoff_time(GUMS_OBJECT *obj, NTTIME kickoff_time) +{ + if (!obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->kickoff_time = kickoff_time; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_pass_last_set_time(NTTIME *pass_last_set_time, const GUMS_OBJECT *obj) +{ + if (!pass_last_set_time || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *pass_last_set_time = obj->data.user->pass_last_set_time; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_pass_last_set_time(GUMS_OBJECT *obj, NTTIME pass_last_set_time) +{ + if (!obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->pass_last_set_time = pass_last_set_time; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_pass_can_change_time(NTTIME *pass_can_change_time, const GUMS_OBJECT *obj) +{ + if (!pass_can_change_time || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *pass_can_change_time = obj->data.user->pass_can_change_time; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_pass_can_change_time(GUMS_OBJECT *obj, NTTIME pass_can_change_time) +{ + if (!obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->pass_can_change_time = pass_can_change_time; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_pass_must_change_time(NTTIME *pass_must_change_time, const GUMS_OBJECT *obj) +{ + if (!pass_must_change_time || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *pass_must_change_time = obj->data-user->pass_must_change_time; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_pass_must_change_time(GUMS_OBJECT *obj, NTTIME pass_must_change_time) +{ + if (!obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->pass_must_change_time = pass_must_change_time; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_logon_divs(uint16 *logon_divs, const GUMS_OBJECT *obj) +{ + if (!logon_divs || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *logon_divs = obj->data.user->logon_divs; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_logon_divs(GUMS_OBJECT *obj, uint16 logon_divs) +{ + if (!obj || !logon_divs) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->logon_divs = logon_divs; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_hours_len(uint32 *hours_len, const GUMS_OBJECT *obj) +{ + if (!hours_len || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *hours_len = obj->data.user->hours_len; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_hours_len(GUMS_OBJECT *obj, uint32 hours_len) +{ + if (!obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->hours_len = hours_len; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_hours(uint8 **hours, const GUMS_OBJECT *obj) +{ + if (!hours || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *hours = obj->data.user->hours; + return NT_STATUS_OK; +} + +/* WARNING: always set hours_len before hours */ +NTSTATUS gums_set_user_hours(GUMS_OBJECT *obj, const uint8 *hours) +{ + if (!obj || !hours) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + if (obj->data.user->hours_len == 0) + DEBUG(10, ("gums_set_user_hours: Warning, hours_len is zero!\n")); + + obj->data.user->hours = (uint8 *)talloc_memdup(obj->mem_ctx, hours, obj->data.user->hours_len); + if (!(obj->data.user->hours) & (obj->data.user->hours_len != 0)) return NT_STATUS_NO_MEMORY; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_unknown_3(uint32 *unknown_3, const GUMS_OBJECT *obj) +{ + if (!unknown_3 || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *unknown_3 = obj->data.user->unknown_3; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_unknown_3(GUMS_OBJECT *obj, uint32 unknown_3) +{ + if (!obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->unknown_3 = unknown_3; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_unknown_5(uint32 *unknown_5, const GUMS_OBJECT *obj) +{ + if (!unknown_5 || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *unknown_5 = obj->data.user->unknown_5; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_unknown_5(GUMS_OBJECT *obj, uint32 unknown_5) +{ + if (!obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->unknown_5 = unknown_5; + return NT_STATUS_OK; +} + +NTSTATUS gums_get_user_unknown_6(uint32 *unknown_6, const GUMS_OBJECT *obj) +{ + if (!unknown_6 || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *unknown_6 = obj->data.user->unknown_6; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_user_unknown_6(GUMS_OBJECT *obj, uint32 unknown_6) +{ + if (!obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.user->unknown_6 = unknown_6; + return NT_STATUS_OK; +} + +/* Group specific functions */ + +NTSTATUS gums_get_group_members(uint32 *count, DOM_SID **members, const GUMS_OBJECT *obj) +{ + if (!count || !members || !obj) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_GROUP && + obj->type != GUMS_OBJ_ALIAS) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + *count = obj->data.group->count; + *members = obj->data.group->members; + return NT_STATUS_OK; +} + +NTSTATUS gums_set_group_members(GUMS_OBJECT *obj, uint32 count, DOM_SID **members) +{ + uint32 n; + + if (!obj || !members || !members) + return NT_STATUS_INVALID_PARAMETER; + + if (obj->type != GUMS_OBJ_GROUP && + obj->type != GUMS_OBJ_ALIAS) + return NT_STATUS_OBJECT_TYPE_MISMATCH; + + obj->data.group->count = count; + n = 0; + do { + obj->data.group->members[n] = dup_sec_desc(obj->mem_ctx, members[n]); + if (!(obj->data.group->members[n])) return NT_STATUS_NO_MEMORY; + n++; + } while (n < count); + return NT_STATUS_OK; +} + +/* data_store set functions */ + +NTSTATUS gums_create_commit_set(GUMS_COMMIT_SET **com_set, TALLOC_CTX *ctx, DOM_SID *sid, uint32 type) +{ + TALLOC_CTX *mem_ctx; + GUMS_COMMIT_SET *set; + + mem_ctx = talloc_init("commit_set"); + if (mem_ctx == NULL) + return NT_STATUS_NO_MEMORY; + set = (GUMS_COMMIT_SET *)talloc(mem_ctx, sizeof(GUMS_COMMIT_SET)); + if (set == NULL) { + talloc_destroy(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + set->mem_ctx = mem_ctx; + set->type = type; + sid_copy(&(set->sid), sid); + set->count = 0; + set->data = NULL; + *com_set = set; + + return NT_STATUS_OK; +} + +NTSTATUS gums_cs_set_sec_desc(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, SEC_DESC *sec_desc) +{ + GUMS_DATA_SET *data_set; + SEC_DESC *new_sec_desc; + + if (!mem_ctx || !com_set || !sec_desc) + return NT_STATUS_INVALID_PARAMETER; + + com_set->count = com_set->count + 1; + if (com_set->count == 1) { /* first data set */ + data_set = (GUMS_DATA_SET *)talloc(mem_ctx, sizeof(GUMS_DATA_SET)); + } else { + data_set = (GUMS_DATA_SET *)talloc_realloc(mem_ctx, com_set->data, sizeof(GUMS_DATA_SET) * com_set->count); + } + if (data_set == NULL) + return NT_STATUS_NO_MEMORY; + + com_set->data = data_set; + data_set = &((com_set->data)[com_set->count - 1]); + + data_set->type = GUMS_SET_SEC_DESC; + new_sec_desc = dup_sec_desc(mem_ctx, sec_desc); + if (new_sec_desc == NULL) + return NT_STATUS_NO_MEMORY; + + (SEC_DESC *)(data_set->data) = new_sec_desc; + + return NT_STATUS_OK; +} + +NTSTATUS gums_cs_add_privilege(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, LUID_ATTR priv) +{ + GUMS_DATA_SET *data_set; + LUID_ATTR *new_priv; + + if (!mem_ctx || !com_set) + return NT_STATUS_INVALID_PARAMETER; + + com_set->count = com_set->count + 1; + if (com_set->count == 1) { /* first data set */ + data_set = (GUMS_DATA_SET *)talloc(mem_ctx, sizeof(GUMS_DATA_SET)); + } else { + data_set = (GUMS_DATA_SET *)talloc_realloc(mem_ctx, com_set->data, sizeof(GUMS_DATA_SET) * com_set->count); + } + if (data_set == NULL) + return NT_STATUS_NO_MEMORY; + + com_set->data = data_set; + data_set = &((com_set->data)[com_set->count - 1]); + + data_set->type = GUMS_ADD_PRIVILEGE; + if (NT_STATUS_IS_ERR(dupalloc_luid_attr(mem_ctx, &new_priv, priv))) + return NT_STATUS_NO_MEMORY; + + (SEC_DESC *)(data_set->data) = new_priv; + + return NT_STATUS_OK; +} + +NTSTATUS gums_cs_del_privilege(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, LUID_ATTR priv) +{ + GUMS_DATA_SET *data_set; + LUID_ATTR *new_priv; + + if (!mem_ctx || !com_set) + return NT_STATUS_INVALID_PARAMETER; + + com_set->count = com_set->count + 1; + if (com_set->count == 1) { /* first data set */ + data_set = (GUMS_DATA_SET *)talloc(mem_ctx, sizeof(GUMS_DATA_SET)); + } else { + data_set = (GUMS_DATA_SET *)talloc_realloc(mem_ctx, com_set->data, sizeof(GUMS_DATA_SET) * com_set->count); + } + if (data_set == NULL) + return NT_STATUS_NO_MEMORY; + + com_set->data = data_set; + data_set = &((com_set->data)[com_set->count - 1]); + + data_set->type = GUMS_DEL_PRIVILEGE; + if (NT_STATUS_IS_ERR(dupalloc_luid_attr(mem_ctx, &new_priv, priv))) + return NT_STATUS_NO_MEMORY; + + (SEC_DESC *)(data_set->data) = new_priv; + + return NT_STATUS_OK; +} + +NTSTATUS gums_cs_set_privilege_set(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, PRIVILEGE_SET *priv_set) +{ + GUMS_DATA_SET *data_set; + PRIVILEGE_SET *new_priv_set; + + if (!mem_ctx || !com_set || !priv_set) + return NT_STATUS_INVALID_PARAMETER; + + com_set->count = com_set->count + 1; + if (com_set->count == 1) { /* first data set */ + data_set = (GUMS_DATA_SET *)talloc(mem_ctx, sizeof(GUMS_DATA_SET)); + } else { + data_set = (GUMS_DATA_SET *)talloc_realloc(mem_ctx, com_set->data, sizeof(GUMS_DATA_SET) * com_set->count); + } + if (data_set == NULL) + return NT_STATUS_NO_MEMORY; + + com_set->data = data_set; + data_set = &((com_set->data)[com_set->count - 1]); + + data_set->type = GUMS_SET_SEC_DESC; + if (NT_STATUS_IS_ERR(dup_priv_set(&new_priv_set, mem_ctx, priv_set))) + return NT_STATUS_NO_MEMORY; + + (SEC_DESC *)(data_set->data) = new_priv_set; + + return NT_STATUS_OK; +} + +NTSTATUS gums_cs_set_string(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, uint32 type, char *str) +{ + GUMS_DATA_SET *data_set; + char *new_str; + + if (!mem_ctx || !com_set || !str || type < GUMS_SET_NAME || type > GUMS_SET_MUNGED_DIAL) + return NT_STATUS_INVALID_PARAMETER; + + com_set->count = com_set->count + 1; + if (com_set->count == 1) { /* first data set */ + data_set = (GUMS_DATA_SET *)talloc(mem_ctx, sizeof(GUMS_DATA_SET)); + } else { + data_set = (GUMS_DATA_SET *)talloc_realloc(mem_ctx, com_set->data, sizeof(GUMS_DATA_SET) * com_set->count); + } + if (data_set == NULL) + return NT_STATUS_NO_MEMORY; + + com_set->data = data_set; + data_set = &((com_set->data)[com_set->count - 1]); + + data_set->type = type; + new_str = talloc_strdup(mem_ctx, str); + if (new_str == NULL) + return NT_STATUS_NO_MEMORY; + + (char *)(data_set->data) = new_str; + + return NT_STATUS_OK; +} + +NTSTATUS gums_cs_set_name(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, char *name) +{ + return gums_set_string(mem_ctx, com_set, GUMS_SET_NAME, name); +} + +NTSTATUS gums_cs_set_description(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, char *desc) +{ + return gums_set_string(mem_ctx, com_set, GUMS_SET_DESCRIPTION, desc); +} + +NTSTATUS gums_cs_set_full_name(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, char *full_name) +{ + if (com_set->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_INVALID_PARAMETER; + + return gums_set_string(mem_ctx, com_set, GUMS_SET_NAME, full_name); +} + +NTSTATUS gums_cs_set_home_directory(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, char *home_dir) +{ + if (com_set->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_INVALID_PARAMETER; + + return gums_set_string(mem_ctx, com_set, GUMS_SET_NAME, home_dir); +} + +NTSTATUS gums_cs_set_drive(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, char *drive) +{ + if (com_set->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_INVALID_PARAMETER; + + return gums_set_string(mem_ctx, com_set, GUMS_SET_NAME, drive); +} + +NTSTATUS gums_cs_set_logon_script(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, char *logon_script) +{ + if (com_set->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_INVALID_PARAMETER; + + return gums_set_string(mem_ctx, com_set, GUMS_SET_NAME, logon_script); +} + +NTSTATUS gums_cs_set_profile_path(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, char *prof_path) +{ + if (com_set->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_INVALID_PARAMETER; + + return gums_set_string(mem_ctx, com_set, GUMS_SET_NAME, prof_path); +} + +NTSTATUS gums_cs_set_workstations(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, char *wks) +{ + if (com_set->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_INVALID_PARAMETER; + + return gums_set_string(mem_ctx, com_set, GUMS_SET_NAME, wks); +} + +NTSTATUS gums_cs_set_unknown_string(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, char *unkn_str) +{ + if (com_set->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_INVALID_PARAMETER; + + return gums_set_string(mem_ctx, com_set, GUMS_SET_NAME, unkn_str); +} + +NTSTATUS gums_cs_set_munged_dial(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, char *munged_dial) +{ + if (com_set->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_INVALID_PARAMETER; + + return gums_set_string(mem_ctx, com_set, GUMS_SET_NAME, munged_dial); +} + +NTSTATUS gums_cs_set_nttime(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, uint32 type, NTTIME *nttime) +{ + GUMS_DATA_SET *data_set; + NTTIME *new_time; + + if (!mem_ctx || !com_set || !nttime || type < GUMS_SET_LOGON_TIME || type > GUMS_SET_PASS_MUST_CHANGE_TIME) + return NT_STATUS_INVALID_PARAMETER; + + com_set->count = com_set->count + 1; + if (com_set->count == 1) { /* first data set */ + data_set = (GUMS_DATA_SET *)talloc(mem_ctx, sizeof(GUMS_DATA_SET)); + } else { + data_set = (GUMS_DATA_SET *)talloc_realloc(mem_ctx, com_set->data, sizeof(GUMS_DATA_SET) * com_set->count); + } + if (data_set == NULL) + return NT_STATUS_NO_MEMORY; + + com_set->data = data_set; + data_set = &((com_set->data)[com_set->count - 1]); + + data_set->type = type; + new_time = talloc(mem_ctx, sizeof(NTTIME)); + if (new_time == NULL) + return NT_STATUS_NO_MEMORY; + + new_time->low = nttime->low; + new_time->high = nttime->high; + (char *)(data_set->data) = new_time; + + return NT_STATUS_OK; +} + +NTSTATUS gums_cs_set_logon_time(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, NTTIME *logon_time) +{ + if (com_set->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_INVALID_PARAMETER; + + return gums_set_nttime(mem_ctx, com_set, GUMS_SET_LOGON_TIME, logon_time); +} + +NTSTATUS gums_cs_set_logoff_time(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, NTTIME *logoff_time) +{ + if (com_set->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_INVALID_PARAMETER; + + return gums_set_nttime(mem_ctx, com_set, GUMS_SET_LOGOFF_TIME, logoff_time); +} + +NTSTATUS gums_cs_set_kickoff_time(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, NTTIME *kickoff_time) +{ + if (com_set->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_INVALID_PARAMETER; + + return gums_set_nttime(mem_ctx, com_set, GUMS_SET_KICKOFF_TIME, kickoff_time); +} + +NTSTATUS gums_cs_set_pass_last_set_time(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, NTTIME *pls_time) +{ + if (com_set->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_INVALID_PARAMETER; + + return gums_set_nttime(mem_ctx, com_set, GUMS_SET_LOGON_TIME, pls_time); +} + +NTSTATUS gums_cs_set_pass_can_change_time(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, NTTIME *pcc_time) +{ + if (com_set->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_INVALID_PARAMETER; + + return gums_set_nttime(mem_ctx, com_set, GUMS_SET_LOGON_TIME, pcc_time); +} + +NTSTATUS gums_cs_set_pass_must_change_time(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, NTTIME *pmc_time) +{ + if (com_set->type != GUMS_OBJ_NORMAL_USER) + return NT_STATUS_INVALID_PARAMETER; + + return gums_set_nttime(mem_ctx, com_set, GUMS_SET_LOGON_TIME, pmc_time); +} + +NTSTATUS gums_cs_add_sids_to_group(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, const DOM_SID **sids, const uint32 count) +{ + GUMS_DATA_SET *data_set; + DOM_SID **new_sids; + int i; + + if (!mem_ctx || !com_set || !sids) + return NT_STATUS_INVALID_PARAMETER; + + com_set->count = com_set->count + 1; + if (com_set->count == 1) { /* first data set */ + data_set = (GUMS_DATA_SET *)talloc(mem_ctx, sizeof(GUMS_DATA_SET)); + } else { + data_set = (GUMS_DATA_SET *)talloc_realloc(mem_ctx, com_set->data, sizeof(GUMS_DATA_SET) * com_set->count); + } + if (data_set == NULL) + return NT_STATUS_NO_MEMORY; + + com_set->data = data_set; + data_set = &((com_set->data)[com_set->count - 1]); + + data_set->type = GUMS_ADD_SID_LIST; + new_sids = (DOM_SID **)talloc(mem_ctx, (sizeof(void *) * count)); + if (new_sids == NULL) + return NT_STATUS_NO_MEMORY; + for (i = 0; i < count; i++) { + new_sids[i] = sid_dup_talloc(mem_ctx, sids[i]); + if (new_sids[i] == NULL) + return NT_STATUS_NO_MEMORY; + } + + (SEC_DESC *)(data_set->data) = new_sids; + + return NT_STATUS_OK; +} + +NTSTATUS gums_cs_add_users_to_group(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, const DOM_SID **sids, const uint32 count) +{ + if (!mem_ctx || !com_set || !sids) + return NT_STATUS_INVALID_PARAMETER; + if (com_set->type != GUMS_OBJ_GROUP || com_set->type != GUMS_OBJ_ALIAS) + return NT_STATUS_INVALID_PARAMETER; + + return gums_add_sids_to_group(mem_ctx, com_set, sids, count); +} + +NTSTATUS gums_cs_add_groups_to_group(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, const DOM_SID **sids, const uint32 count) +{ + if (!mem_ctx || !com_set || !sids) + return NT_STATUS_INVALID_PARAMETER; + if (com_set->type != GUMS_OBJ_ALIAS) + return NT_STATUS_INVALID_PARAMETER; + + return gums_add_sids_to_group(mem_ctx, com_set, sids, count); +} + +NTSTATUS gums_cs_del_sids_from_group(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, const DOM_SID **sids, const uint32 count) +{ + GUMS_DATA_SET *data_set; + DOM_SID **new_sids; + int i; + + if (!mem_ctx || !com_set || !sids) + return NT_STATUS_INVALID_PARAMETER; + if (com_set->type != GUMS_OBJ_GROUP || com_set->type != GUMS_OBJ_ALIAS) + return NT_STATUS_INVALID_PARAMETER; + + com_set->count = com_set->count + 1; + if (com_set->count == 1) { /* first data set */ + data_set = (GUMS_DATA_SET *)talloc(mem_ctx, sizeof(GUMS_DATA_SET)); + } else { + data_set = (GUMS_DATA_SET *)talloc_realloc(mem_ctx, com_set->data, sizeof(GUMS_DATA_SET) * com_set->count); + } + if (data_set == NULL) + return NT_STATUS_NO_MEMORY; + + com_set->data = data_set; + data_set = &((com_set->data)[com_set->count - 1]); + + data_set->type = GUMS_DEL_SID_LIST; + new_sids = (DOM_SID **)talloc(mem_ctx, (sizeof(void *) * count)); + if (new_sids == NULL) + return NT_STATUS_NO_MEMORY; + for (i = 0; i < count; i++) { + new_sids[i] = sid_dup_talloc(mem_ctx, sids[i]); + if (new_sids[i] == NULL) + return NT_STATUS_NO_MEMORY; + } + + (SEC_DESC *)(data_set->data) = new_sids; + + return NT_STATUS_OK; +} + +NTSTATUS gums_ds_set_sids_in_group(TALLOC_CTX *mem_ctx, GUMS_COMMIT_SET *com_set, const DOM_SID **sids, const uint32 count) +{ + GUMS_DATA_SET *data_set; + DOM_SID **new_sids; + int i; + + if (!mem_ctx || !com_set || !sids) + return NT_STATUS_INVALID_PARAMETER; + if (com_set->type != GUMS_OBJ_GROUP || com_set->type != GUMS_OBJ_ALIAS) + return NT_STATUS_INVALID_PARAMETER; + + com_set->count = com_set->count + 1; + if (com_set->count == 1) { /* first data set */ + data_set = (GUMS_DATA_SET *)talloc(mem_ctx, sizeof(GUMS_DATA_SET)); + } else { + data_set = (GUMS_DATA_SET *)talloc_realloc(mem_ctx, com_set->data, sizeof(GUMS_DATA_SET) * com_set->count); + } + if (data_set == NULL) + return NT_STATUS_NO_MEMORY; + + com_set->data = data_set; + data_set = &((com_set->data)[com_set->count - 1]); + + data_set->type = GUMS_SET_SID_LIST; + new_sids = (DOM_SID **)talloc(mem_ctx, (sizeof(void *) * count)); + if (new_sids == NULL) + return NT_STATUS_NO_MEMORY; + for (i = 0; i < count; i++) { + new_sids[i] = sid_dup_talloc(mem_ctx, sids[i]); + if (new_sids[i] == NULL) + return NT_STATUS_NO_MEMORY; + } + + (SEC_DESC *)(data_set->data) = new_sids; + + return NT_STATUS_OK; +} + + +NTSTATUS gums_commit_data(GUMS_COMMIT_SET *set) +{ + return gums_storage->set_object_values(set->sid, set->count, set->data); +} + +NTSTATUS gums_destroy_commit_set(GUMS_COMMIT_SET **com_set) +{ + talloc_destroy((*com_set)->mem_ctx); + *com_set = NULL; + + return NT_STATUS_OK; +} + diff --git a/source4/sam/gums_helper.c b/source4/sam/gums_helper.c new file mode 100644 index 00000000000..8526a2f1cc0 --- /dev/null +++ b/source4/sam/gums_helper.c @@ -0,0 +1,607 @@ +/* + Unix SMB/CIFS implementation. + GUMS backends helper functions + Copyright (C) Simo Sorce 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern GUMS_FUNCTIONS *gums_storage; + +extern DOM_SID global_sid_World; +extern DOM_SID global_sid_Builtin_Administrators; +extern DOM_SID global_sid_Builtin_Power_Users; +extern DOM_SID global_sid_Builtin_Account_Operators; +extern DOM_SID global_sid_Builtin_Server_Operators; +extern DOM_SID global_sid_Builtin_Print_Operators; +extern DOM_SID global_sid_Builtin_Backup_Operators; +extern DOM_SID global_sid_Builtin_Replicator; +extern DOM_SID global_sid_Builtin_Users; +extern DOM_SID global_sid_Builtin_Guests; + + +/* defines */ + +#define ALLOC_CHECK(str, ptr, err, label) do { if ((ptr) == NULL) { DEBUG(0, ("%s: out of memory!\n", str)); err = NT_STATUS_NO_MEMORY; goto label; } } while(0) +#define NTSTATUS_CHECK(str1, str2, err, label) do { if (NT_STATUS_IS_ERR(err)) { DEBUG(0, ("%s: %s failed!\n", str1, str2)); } } while(0) + +/**************************************************************************** + Check if a user is a mapped group. + + This function will check if the group SID is mapped onto a + system managed gid or onto a winbind manged sid. + In the first case it will be threated like a mapped group + and the backend should take the member list with a getgrgid + and ignore any user that have been possibly set into the group + object. + + In the second case, the group is a fully SAM managed group + served back to the system through winbind. In this case the + members of a Local group are "unrolled" to cope with the fact + that unix cannot contain groups inside groups. + The backend MUST never call any getgr* / getpw* function or + loops with winbind may happen. + ****************************************************************************/ + +/* +NTSTATUS is_mapped_group(BOOL *mapped, const DOM_SID *sid) +{ + NTSTATUS result; + gid_t id; + + /* look if mapping exist, do not make idmap alloc an uid if SID is not found * / + result = idmap_get_gid_from_sid(&id, sid, False); + if (NT_STATUS_IS_OK(result)) { + *mapped = gid_is_in_winbind_range(id); + } else { + *mapped = False; + } + + return result; +} +*/ + +/**************************************************************************** + duplicate alloc luid_attr + ****************************************************************************/ +NTSTATUS dupalloc_luid_attr(TALLOC_CTX *ctx, LUID_ATTR **new_la, LUID_ATTR old_la) +{ + *new_la = (LUID_ATTR *)talloc(ctx, sizeof(LUID_ATTR)); + if (*new_la == NULL) { + DEBUG(0,("dupalloc_luid_attr: could not Alloc memory to duplicate LUID_ATTR\n")); + return NT_STATUS_NO_MEMORY; + } + + (*new_la)->luid.high = old_la.luid.high; + (*new_la)->luid.low = old_la.luid.low; + (*new_la)->attr = old_la.attr; + + return NT_STATUS_OK; +} + +/**************************************************************************** + initialise a privilege list + ****************************************************************************/ +void init_privilege(PRIVILEGE_SET *priv_set) +{ + priv_set->count=0; + priv_set->control=0; + priv_set->set=NULL; +} + +/**************************************************************************** + add a privilege to a privilege array + ****************************************************************************/ +NTSTATUS add_privilege(PRIVILEGE_SET *priv_set, TALLOC_CTX *ctx, LUID_ATTR set) +{ + LUID_ATTR *new_set; + + /* check if the privilege is not already in the list */ + if (check_priv_in_privilege(priv_set, set)) + return NT_STATUS_UNSUCCESSFUL; + + /* we can allocate memory to add the new privilege */ + + new_set=(LUID_ATTR *)talloc_realloc(ctx, priv_set->set, (priv_set->count+1)*(sizeof(LUID_ATTR))); + if (new_set==NULL) { + DEBUG(0,("add_privilege: could not Realloc memory to add a new privilege\n")); + return NT_STATUS_NO_MEMORY; + } + + new_set[priv_set->count].luid.high=set.luid.high; + new_set[priv_set->count].luid.low=set.luid.low; + new_set[priv_set->count].attr=set.attr; + + priv_set->count++; + priv_set->set=new_set; + + return NT_STATUS_OK; +} + +/**************************************************************************** + add all the privileges to a privilege array + ****************************************************************************/ +NTSTATUS add_all_privilege(PRIVILEGE_SET *priv_set, TALLOC_CTX *ctx) +{ + NTSTATUS result = NT_STATUS_OK; + LUID_ATTR set; + + set.attr=0; + set.luid.high=0; + + set.luid.low=SE_PRIV_ADD_USERS; + result = add_privilege(priv_set, ctx, set); + NTSTATUS_CHECK("add_all_privilege", "add_privilege", result, done); + + set.luid.low=SE_PRIV_ADD_MACHINES; + result = add_privilege(priv_set, ctx, set); + NTSTATUS_CHECK("add_all_privilege", "add_privilege", result, done); + + set.luid.low=SE_PRIV_PRINT_OPERATOR; + result = add_privilege(priv_set, ctx, set); + NTSTATUS_CHECK("add_all_privilege", "add_privilege", result, done); + +done: + return result; +} + +/**************************************************************************** + check if the privilege list is empty + ****************************************************************************/ +BOOL check_empty_privilege(PRIVILEGE_SET *priv_set) +{ + return (priv_set->count == 0); +} + +/**************************************************************************** + check if the privilege is in the privilege list + ****************************************************************************/ +BOOL check_priv_in_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set) +{ + int i; + + /* if the list is empty, obviously we can't have it */ + if (check_empty_privilege(priv_set)) + return False; + + for (i=0; i<priv_set->count; i++) { + LUID_ATTR *cur_set; + + cur_set=&priv_set->set[i]; + /* check only the low and high part. Checking the attr field has no meaning */ + if( (cur_set->luid.low==set.luid.low) && (cur_set->luid.high==set.luid.high) ) + return True; + } + + return False; +} + +/**************************************************************************** + remove a privilege from a privilege array + ****************************************************************************/ +NTSTATUS remove_privilege(PRIVILEGE_SET *priv_set, TALLOC_CTX *ctx, LUID_ATTR set) +{ + LUID_ATTR *new_set; + LUID_ATTR *old_set; + int i,j; + + /* check if the privilege is in the list */ + if (!check_priv_in_privilege(priv_set, set)) + return NT_STATUS_UNSUCCESSFUL; + + /* special case if it's the only privilege in the list */ + if (priv_set->count==1) { + init_privilege(priv_set); + return NT_STATUS_OK; + } + + /* + * the privilege is there, create a new list, + * and copy the other privileges + */ + + old_set = priv_set->set; + + new_set=(LUID_ATTR *)talloc(ctx, (priv_set->count - 1) * (sizeof(LUID_ATTR))); + if (new_set==NULL) { + DEBUG(0,("remove_privilege: could not malloc memory for new privilege list\n")); + return NT_STATUS_NO_MEMORY; + } + + for (i=0, j=0; i<priv_set->count; i++) { + if ((old_set[i].luid.low == set.luid.low) && + (old_set[i].luid.high == set.luid.high)) { + continue; + } + + new_set[j].luid.low = old_set[i].luid.low; + new_set[j].luid.high = old_set[i].luid.high; + new_set[j].attr = old_set[i].attr; + + j++; + } + + if (j != priv_set->count - 1) { + DEBUG(0,("remove_privilege: mismatch ! difference is not -1\n")); + DEBUGADD(0,("old count:%d, new count:%d\n", priv_set->count, j)); + return NT_STATUS_INTERNAL_ERROR; + } + + /* ok everything is fine */ + + priv_set->count--; + priv_set->set=new_set; + + return NT_STATUS_OK; +} + +/**************************************************************************** + duplicates a privilege array + ****************************************************************************/ +NTSTATUS dup_priv_set(PRIVILEGE_SET **new_priv_set, TALLOC_CTX *mem_ctx, PRIVILEGE_SET *priv_set) +{ + LUID_ATTR *new_set; + LUID_ATTR *old_set; + int i; + + *new_priv_set = (PRIVILEGE_SET *)talloc(mem_ctx, sizeof(PRIVILEGE_SET)); + init_privilege(*new_priv_set); + + /* special case if there are no privileges in the list */ + if (priv_set->count == 0) { + return NT_STATUS_OK; + } + + /* + * create a new list, + * and copy the other privileges + */ + + old_set = priv_set->set; + + new_set = (LUID_ATTR *)talloc(mem_ctx, (priv_set->count - 1) * (sizeof(LUID_ATTR))); + if (new_set==NULL) { + DEBUG(0,("remove_privilege: could not malloc memory for new privilege list\n")); + return NT_STATUS_NO_MEMORY; + } + + for (i=0; i < priv_set->count; i++) { + + new_set[i].luid.low = old_set[i].luid.low; + new_set[i].luid.high = old_set[i].luid.high; + new_set[i].attr = old_set[i].attr; + } + + (*new_priv_set)->count = priv_set->count; + (*new_priv_set)->control = priv_set->control; + (*new_priv_set)->set = new_set; + + return NT_STATUS_OK; +} + +#define ALIAS_DEFAULT_SACL_SA_RIGHTS 0x01050013 +#define ALIAS_DEFAULT_DACL_SA_RIGHTS \ + (READ_CONTROL_ACCESS | \ + SA_RIGHT_ALIAS_LOOKUP_INFO | \ + SA_RIGHT_ALIAS_GET_MEMBERS) /* 0x0002000c */ + +#define ALIAS_DEFAULT_SACL_SEC_ACE_FLAG (SEC_ACE_FLAG_FAILED_ACCESS | SEC_ACE_FLAG_SUCCESSFUL_ACCESS) /* 0xc0 */ + +NTSTATUS create_builtin_alias_default_sec_desc(SEC_DESC **sec_desc, TALLOC_CTX *ctx) +{ + DOM_SID *world = &global_sid_World; + DOM_SID *admins = &global_sid_Builtin_Administrators; + SEC_ACCESS sa; + SEC_ACE sacl_ace; + SEC_ACE dacl_aces[2]; + SEC_ACL *sacl = NULL; + SEC_ACL *dacl = NULL; + size_t psize; + + init_sec_access(&sa, ALIAS_DEFAULT_SACL_SA_RIGHTS); + init_sec_ace(&sacl_ace, world, SEC_ACE_TYPE_SYSTEM_AUDIT, sa, ALIAS_DEFAULT_SACL_SEC_ACE_FLAG); + + sacl = make_sec_acl(ctx, NT4_ACL_REVISION, 1, &sacl_ace); + if (!sacl) { + DEBUG(0, ("build_init_sec_desc: Failed to make SEC_ACL.\n")); + return NT_STATUS_NO_MEMORY; + } + + init_sec_access(&sa, ALIAS_DEFAULT_DACL_SA_RIGHTS); + init_sec_ace(&(dacl_aces[0]), world, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, 0); + init_sec_access(&sa, SA_RIGHT_ALIAS_ALL_ACCESS); + init_sec_ace(&(dacl_aces[1]), admins, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, 0); + + dacl = make_sec_acl(ctx, NT4_ACL_REVISION, 2, dacl_aces); + if (!sacl) { + DEBUG(0, ("build_init_sec_desc: Failed to make SEC_ACL.\n")); + return NT_STATUS_NO_MEMORY; + } + + *sec_desc = make_sec_desc(ctx, SEC_DESC_REVISION, admins, admins, sacl, dacl, &psize); + if (!(*sec_desc)) { + DEBUG(0,("get_share_security: Failed to make SEC_DESC.\n")); + return NT_STATUS_NO_MEMORY; + } + + return NT_STATUS_OK; +} + +NTSTATUS sec_desc_add_ace_to_dacl(SEC_DESC *sec_desc, TALLOC_CTX *ctx, DOM_SID *sid, uint32 mask) +{ + NTSTATUS result; + SEC_ACE *new_aces; + unsigned num_aces; + int i; + + num_aces = sec_desc->dacl->num_aces + 1; + result = sec_ace_add_sid(ctx, &new_aces, sec_desc->dacl->ace, &num_aces, sid, mask); + if (NT_STATUS_IS_OK(result)) { + sec_desc->dacl->ace = new_aces; + sec_desc->dacl->num_aces = num_aces; + sec_desc->dacl->size = SEC_ACL_HEADER_SIZE; + for (i = 0; i < num_aces; i++) { + sec_desc->dacl->size += sec_desc->dacl->ace[i].size; + } + } + return result; +} + +NTSTATUS gums_init_builtin_groups(void) +{ + NTSTATUS result; + GUMS_OBJECT g_obj; + GUMS_GROUP *g_grp; + GUMS_PRIVILEGE g_priv; + + /* Build the well known Builtin Local Groups */ + g_obj.type = GUMS_OBJ_GROUP; + g_obj.version = 1; + g_obj.seq_num = 0; + g_obj.mem_ctx = talloc_init("gums_init_backend_acct"); + if (g_obj.mem_ctx == NULL) { + DEBUG(0, ("gums_init_backend: Out of Memory!\n")); + return NT_STATUS_NO_MEMORY; + } + + /* Administrators */ + + /* alloc group structure */ + g_obj.data = (void *)talloc(g_obj.mem_ctx, sizeof(GUMS_OBJ_GROUP)); + ALLOC_CHECK("gums_init_backend", g_obj.data, result, done); + + /* make admins sid */ + g_grp = (GUMS_GROUP *)g_obj.data; + sid_copy(g_obj.sid, &global_sid_Builtin_Administrators); + + /* make security descriptor */ + result = create_builtin_alias_default_sec_desc(&(g_obj.sec_desc), g_obj.mem_ctx); + NTSTATUS_CHECK("gums_init_backend", "create_builtin_alias_default_sec_desc", result, done); + + /* make privilege set */ + /* From BDC join trace: + SeSecurityPrivilege + SeBackupPrivilege + SeRestorePrivilege + SeSystemtimePrivilege + SeShutdownPrivilege + SeRemoteShutdownPrivilege + SeTakeOwnershipPrivilege + SeDebugPrivilege + SeSystemEnvironmentPrivilege + SeSystemProfilePrivilege + SeProfileSingleProcessPrivilege + SeIncreaseBasePriorityPrivilege + SeLocalDriverPrivilege + SeCreatePagefilePrivilege + SeIncreaseQuotaPrivilege + */ + + /* set name */ + g_obj.name = talloc_strdup(g_obj.mem_ctx, "Administrators"); + ALLOC_CHECK("gums_init_backend", g_obj.name, result, done); + + /* set description */ + g_obj.description = talloc_strdup(g_obj.mem_ctx, "Members can fully administer the computer/domain"); + ALLOC_CHECK("gums_init_backend", g_obj.description, result, done); + + /* numebr of group members */ + g_grp->count = 0; + g_grp->members = NULL; + + /* store Administrators group */ + result = gums_storage->set_object(&g_obj); + + /* Power Users */ + /* Domain Controllers Does NOT have power Users */ + + sid_copy(g_obj.sid, &global_sid_Builtin_Power_Users); + + /* make privilege set */ + /* SE_PRIV_??? */ + + /* set name */ + g_obj.name = talloc_strdup(g_obj.mem_ctx, "Power Users"); + ALLOC_CHECK("gums_init_backend", g_obj.name, result, done); + + /* set description */ +/* > */ g_obj.description = talloc_strdup(g_obj.mem_ctx, "Power Users"); + ALLOC_CHECK("gums_init_backend", g_obj.description, result, done); + + /* store Power Users group */ + result = gums_storage->set_object(&g_obj); + + /* Account Operators */ + + sid_copy(g_obj.sid, &global_sid_Builtin_Account_Operators); + + /* make privilege set */ + /* From BDC join trace: + SeShutdownPrivilege + */ + + /* set name */ + g_obj.name = talloc_strdup(g_obj.mem_ctx, "Account Operators"); + ALLOC_CHECK("gums_init_backend", g_obj.name, result, done); + + /* set description */ + g_obj.description = talloc_strdup(g_obj.mem_ctx, "Members can administer domain user and group accounts"); + ALLOC_CHECK("gums_init_backend", g_obj.description, result, done); + + /* store Account Operators group */ + result = gums_storage->set_object(&g_obj); + + /* Server Operators */ + + sid_copy(g_obj.sid, &global_sid_Builtin_Server_Operators); + + /* make privilege set */ + /* From BDC join trace: + SeBackupPrivilege + SeRestorePrivilege + SeSystemtimePrivilege + SeShutdownPrivilege + SeRemoteShutdownPrivilege + */ + + /* set name */ + g_obj.name = talloc_strdup(g_obj.mem_ctx, "Server Operators"); + ALLOC_CHECK("gums_init_backend", g_obj.name, result, done); + + /* set description */ + g_obj.description = talloc_strdup(g_obj.mem_ctx, "Members can administer domain servers"); + ALLOC_CHECK("gums_init_backend", g_obj.description, result, done); + + /* store Server Operators group */ + result = gums_storage->set_object(&g_obj); + + /* Print Operators */ + + sid_copy(g_obj.sid, &global_sid_Builtin_Print_Operators); + + /* make privilege set */ + /* From BDC join trace: + SeShutdownPrivilege + */ + + /* set name */ + g_obj.name = talloc_strdup(g_obj.mem_ctx, "Print Operators"); + ALLOC_CHECK("gums_init_backend", g_obj.name, result, done); + + /* set description */ + g_obj.description = talloc_strdup(g_obj.mem_ctx, "Members can administer domain printers"); + ALLOC_CHECK("gums_init_backend", g_obj.description, result, done); + + /* store Print Operators group */ + result = gums_storage->set_object(&g_obj); + + /* Backup Operators */ + + sid_copy(g_obj.sid, &global_sid_Builtin_Backup_Operators); + + /* make privilege set */ + /* From BDC join trace: + SeBackupPrivilege + SeRestorePrivilege + SeShutdownPrivilege + */ + + /* set name */ + g_obj.name = talloc_strdup(g_obj.mem_ctx, "Backup Operators"); + ALLOC_CHECK("gums_init_backend", g_obj.name, result, done); + + /* set description */ + g_obj.description = talloc_strdup(g_obj.mem_ctx, "Members can bypass file security to backup files"); + ALLOC_CHECK("gums_init_backend", g_obj.description, result, done); + + /* store Backup Operators group */ + result = gums_storage->set_object(&g_obj); + + /* Replicator */ + + sid_copy(g_obj.sid, &global_sid_Builtin_Replicator); + + /* make privilege set */ + /* From BDC join trace: + SeBackupPrivilege + SeRestorePrivilege + SeShutdownPrivilege + */ + + /* set name */ + g_obj.name = talloc_strdup(g_obj.mem_ctx, "Replicator"); + ALLOC_CHECK("gums_init_backend", g_obj.name, result, done); + + /* set description */ + g_obj.description = talloc_strdup(g_obj.mem_ctx, "Supports file replication in a domain"); + ALLOC_CHECK("gums_init_backend", g_obj.description, result, done); + + /* store Replicator group */ + result = gums_storage->set_object(&g_obj); + + /* Users */ + + sid_copy(g_obj.sid, &global_sid_Builtin_Users); + + /* add ACE to sec dsec dacl */ + sec_desc_add_ace_to_dacl(g_obj.sec_desc, g_obj.mem_ctx, &global_sid_Builtin_Account_Operators, ALIAS_DEFAULT_DACL_SA_RIGHTS); + sec_desc_add_ace_to_dacl(g_obj.sec_desc, g_obj.mem_ctx, &global_sid_Builtin_Power_Users, ALIAS_DEFAULT_DACL_SA_RIGHTS); + + /* set name */ + g_obj.name = talloc_strdup(g_obj.mem_ctx, "Users"); + ALLOC_CHECK("gums_init_backend", g_obj.name, result, done); + + /* set description */ + g_obj.description = talloc_strdup(g_obj.mem_ctx, "Ordinary users"); + ALLOC_CHECK("gums_init_backend", g_obj.description, result, done); + + /* store Users group */ + result = gums_storage->set_object(&g_obj); + + /* Guests */ + + sid_copy(g_obj.sid, &global_sid_Builtin_Guests); + + /* set name */ + g_obj.name = talloc_strdup(g_obj.mem_ctx, "Guests"); + ALLOC_CHECK("gums_init_backend", g_obj.name, result, done); + + /* set description */ + g_obj.description = talloc_strdup(g_obj.mem_ctx, "Users granted guest access to the computer/domain"); + ALLOC_CHECK("gums_init_backend", g_obj.description, result, done); + + /* store Guests group */ + result = gums_storage->set_object(&g_obj); + + /* set default privileges */ + g_priv.type = GUMS_OBJ_GROUP; + g_priv.version = 1; + g_priv.seq_num = 0; + g_priv.mem_ctx = talloc_init("gums_init_backend_priv"); + if (g_priv.mem_ctx == NULL) { + DEBUG(0, ("gums_init_backend: Out of Memory!\n")); + return NT_STATUS_NO_MEMORY; + } + + + +done: + talloc_destroy(g_obj.mem_ctx); + talloc_destroy(g_priv.mem_ctx); + return result; +} + diff --git a/source4/sam/interface.c b/source4/sam/interface.c new file mode 100644 index 00000000000..51ae561999c --- /dev/null +++ b/source4/sam/interface.c @@ -0,0 +1,1338 @@ +/* + Unix SMB/CIFS implementation. + Password and authentication handling + Copyright (C) Andrew Bartlett 2002 + Copyright (C) Jelmer Vernooij 2002 + Copyright (C) Stefan (metze) Metzmacher 2002 + Copyright (C) Kai Krüger 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_SAM + +extern DOM_SID global_sid_Builtin; + +/** List of various built-in sam modules */ + +const struct sam_init_function_entry builtin_sam_init_functions[] = { + { "plugin", sam_init_plugin }, +#ifdef HAVE_LDAP + { "ads", sam_init_ads }, +#endif + { "skel", sam_init_skel }, + { NULL, NULL} +}; + + +static NTSTATUS sam_get_methods_by_sid(const SAM_CONTEXT *context, SAM_METHODS **sam_method, const DOM_SID *domainsid) +{ + SAM_METHODS *tmp_methods; + + DEBUG(5,("sam_get_methods_by_sid: %d\n", __LINE__)); + + /* invalid sam_context specified */ + SAM_ASSERT(context && context->methods); + + tmp_methods = context->methods; + + while (tmp_methods) { + if (sid_equal(domainsid, &(tmp_methods->domain_sid))) + { + (*sam_method) = tmp_methods; + return NT_STATUS_OK; + } + tmp_methods = tmp_methods->next; + } + + DEBUG(3,("sam_get_methods_by_sid: There is no backend specified for domain %s\n", sid_string_static(domainsid))); + + return NT_STATUS_NO_SUCH_DOMAIN; +} + +static NTSTATUS sam_get_methods_by_name(const SAM_CONTEXT *context, SAM_METHODS **sam_method, const char *domainname) +{ + SAM_METHODS *tmp_methods; + + DEBUG(5,("sam_get_methods_by_name: %d\n", __LINE__)); + + /* invalid sam_context specified */ + SAM_ASSERT(context && context->methods); + + tmp_methods = context->methods; + + while (tmp_methods) { + if (strequal(domainname, tmp_methods->domain_name)) + { + (*sam_method) = tmp_methods; + return NT_STATUS_OK; + } + tmp_methods = tmp_methods->next; + } + + DEBUG(3,("sam_get_methods_by_sid: There is no backend specified for domain %s\n", domainname)); + + return NT_STATUS_NO_SUCH_DOMAIN; +} + +static NTSTATUS make_sam_methods(TALLOC_CTX *mem_ctx, SAM_METHODS **methods) +{ + *methods = talloc(mem_ctx, sizeof(SAM_METHODS)); + + if (!*methods) { + return NT_STATUS_NO_MEMORY; + } + + ZERO_STRUCTP(*methods); + + return NT_STATUS_OK; +} + +/****************************************************************** + Free and cleanup a sam context, any associated data and anything + that the attached modules might have associated. + *******************************************************************/ + +void free_sam_context(SAM_CONTEXT **context) +{ + SAM_METHODS *sam_selected = (*context)->methods; + + while (sam_selected) { + if (sam_selected->free_private_data) { + sam_selected->free_private_data(&(sam_selected->private_data)); + } + sam_selected = sam_selected->next; + } + + talloc_destroy((*context)->mem_ctx); + *context = NULL; +} + +/****************************************************************** + Make a backend_entry from scratch + *******************************************************************/ + +static NTSTATUS make_backend_entry(SAM_BACKEND_ENTRY *backend_entry, char *sam_backend_string) +{ + char *tmp = NULL; + char *tmp_string = sam_backend_string; + + DEBUG(5,("make_backend_entry: %d\n", __LINE__)); + + SAM_ASSERT(sam_backend_string && backend_entry); + + backend_entry->module_name = sam_backend_string; + + DEBUG(5,("makeing backend_entry for %s\n", backend_entry->module_name)); + + if ((tmp = strrchr(tmp_string, '|')) != NULL) { + DEBUGADD(20,("a domain name has been specified\n")); + *tmp = 0; + backend_entry->domain_name = smb_xstrdup(tmp + 1); + tmp_string = tmp + 1; + } + + if ((tmp = strchr(tmp_string, ':')) != NULL) { + DEBUG(20,("options for the backend have been specified\n")); + *tmp = 0; + backend_entry->module_params = smb_xstrdup(tmp + 1); + tmp_string = tmp + 1; + } + + if (backend_entry->domain_name == NULL) { + DEBUG(10,("make_backend_entry: no domain was specified for sam module %s. Using default domain %s\n", + backend_entry->module_name, lp_workgroup())); + backend_entry->domain_name = smb_xstrdup(lp_workgroup()); + } + + if ((backend_entry->domain_sid = (DOM_SID *)malloc(sizeof(DOM_SID))) == NULL) { + DEBUG(0,("make_backend_entry: failed to malloc domain_sid\n")); + return NT_STATUS_NO_MEMORY; + } + + DEBUG(10,("looking up sid for domain %s\n", backend_entry->domain_name)); + + if (!secrets_fetch_domain_sid(backend_entry->domain_name, backend_entry->domain_sid)) { + DEBUG(2,("make_backend_entry: There is no SID stored for domain %s. Creating a new one.\n", + backend_entry->domain_name)); + DEBUG(0, ("FIXME in %s:%d\n", __FILE__, __LINE__)); + ZERO_STRUCTP(backend_entry->domain_sid); + } + + DEBUG(5,("make_backend_entry: module name: %s, module parameters: %s, domain name: %s, domain sid: %s\n", + backend_entry->module_name, backend_entry->module_params, backend_entry->domain_name, sid_string_static(backend_entry->domain_sid))); + + return NT_STATUS_OK; +} + +/****************************************************************** + create sam_methods struct based on sam_backend_entry + *****************************************************************/ + +static NTSTATUS make_sam_methods_backend_entry(SAM_CONTEXT *context, SAM_METHODS **methods_ptr, SAM_BACKEND_ENTRY *backend_entry) +{ + NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; + SAM_METHODS *methods; + int i; + + DEBUG(5,("make_sam_methods_backend_entry: %d\n", __LINE__)); + + if (!NT_STATUS_IS_OK(nt_status = make_sam_methods(context->mem_ctx, methods_ptr))) { + return nt_status; + } + + methods = *methods_ptr; + methods->backendname = talloc_strdup(context->mem_ctx, backend_entry->module_name); + methods->domain_name = talloc_strdup(context->mem_ctx, backend_entry->domain_name); + sid_copy(&methods->domain_sid, backend_entry->domain_sid); + methods->parent = context; + + DEBUG(5,("Attempting to find sam backend %s\n", backend_entry->module_name)); + for (i = 0; builtin_sam_init_functions[i].module_name; i++) + { + if (strequal(builtin_sam_init_functions[i].module_name, backend_entry->module_name)) + { + DEBUG(5,("Found sam backend %s (at pos %d)\n", backend_entry->module_name, i)); + DEBUGADD(5,("initialising it with options=%s for domain %s\n", backend_entry->module_params, sid_string_static(backend_entry->domain_sid))); + nt_status = builtin_sam_init_functions[i].init(methods, backend_entry->module_params); + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5,("sam backend %s has a valid init\n", backend_entry->module_name)); + } else { + DEBUG(2,("sam backend %s did not correctly init (error was %s)\n", + backend_entry->module_name, nt_errstr(nt_status))); + } + return nt_status; + } + } + + DEBUG(2,("could not find backend %s\n", backend_entry->module_name)); + + return NT_STATUS_INVALID_PARAMETER; +} + +static NTSTATUS sam_context_check_default_backends(SAM_CONTEXT *context) +{ + SAM_BACKEND_ENTRY entry; + DOM_SID *global_sam_sid = get_global_sam_sid(); /* lp_workgroup doesn't play nicely with multiple domains */ + SAM_METHODS *methods, *tmpmethods; + NTSTATUS ntstatus; + + DEBUG(5,("sam_context_check_default_backends: %d\n", __LINE__)); + + /* Make sure domain lp_workgroup() is available */ + + ntstatus = sam_get_methods_by_sid(context, &methods, &global_sid_Builtin); + + if (NT_STATUS_EQUAL(ntstatus, NT_STATUS_NO_SUCH_DOMAIN)) { + DEBUG(4,("There was no backend specified for domain %s(%s); using %s\n", + lp_workgroup(), sid_string_static(global_sam_sid), SAM_DEFAULT_BACKEND)); + + SAM_ASSERT(global_sam_sid); + + entry.module_name = SAM_DEFAULT_BACKEND; + entry.module_params = NULL; + entry.domain_name = lp_workgroup(); + entry.domain_sid = (DOM_SID *)malloc(sizeof(DOM_SID)); + sid_copy(entry.domain_sid, global_sam_sid); + + if (!NT_STATUS_IS_OK(ntstatus = make_sam_methods_backend_entry(context, &methods, &entry))) { + DEBUG(4,("make_sam_methods_backend_entry failed\n")); + return ntstatus; + } + + DLIST_ADD_END(context->methods, methods, tmpmethods); + + } else if (!NT_STATUS_IS_OK(ntstatus)) { + DEBUG(2, ("sam_get_methods_by_sid failed for %s\n", lp_workgroup())); + return ntstatus; + } + + /* Make sure the BUILTIN domain is available */ + + ntstatus = sam_get_methods_by_sid(context, &methods, global_sam_sid); + + if (NT_STATUS_EQUAL(ntstatus, NT_STATUS_NO_SUCH_DOMAIN)) { + DEBUG(4,("There was no backend specified for domain BUILTIN; using %s\n", + SAM_DEFAULT_BACKEND)); + entry.module_name = SAM_DEFAULT_BACKEND; + entry.module_params = NULL; + entry.domain_name = "BUILTIN"; + entry.domain_sid = (DOM_SID *)malloc(sizeof(DOM_SID)); + sid_copy(entry.domain_sid, &global_sid_Builtin); + + if (!NT_STATUS_IS_OK(ntstatus = make_sam_methods_backend_entry(context, &methods, &entry))) { + DEBUG(4,("make_sam_methods_backend_entry failed\n")); + return ntstatus; + } + + DLIST_ADD_END(context->methods, methods, tmpmethods); + } else if (!NT_STATUS_IS_OK(ntstatus)) { + DEBUG(2, ("sam_get_methods_by_sid failed for BUILTIN\n")); + return ntstatus; + } + + return NT_STATUS_OK; +} + +static NTSTATUS check_duplicate_backend_entries(SAM_BACKEND_ENTRY **backend_entries, int *nBackends) +{ + int i, j; + + DEBUG(5,("check_duplicate_backend_entries: %d\n", __LINE__)); + + for (i = 0; i < *nBackends; i++) { + for (j = i + 1; j < *nBackends; j++) { + if (sid_equal((*backend_entries)[i].domain_sid, (*backend_entries)[j].domain_sid)) { + DEBUG(0,("two backend modules claim the same domain %s\n", + sid_string_static((*backend_entries)[j].domain_sid))); + return NT_STATUS_INVALID_PARAMETER; + } + } + } + + return NT_STATUS_OK; +} + +NTSTATUS make_sam_context_list(SAM_CONTEXT **context, char **sam_backends_param) +{ + int i = 0, j = 0; + SAM_METHODS *curmethods, *tmpmethods; + int nBackends = 0; + SAM_BACKEND_ENTRY *backends = NULL; + NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; + + DEBUG(5,("make_sam_context_from_conf: %d\n", __LINE__)); + + if (!sam_backends_param) { + DEBUG(1, ("no SAM backeds specified!\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!NT_STATUS_IS_OK(nt_status = make_sam_context(context))) { + DEBUG(4,("make_sam_context failed\n")); + return nt_status; + } + + while (sam_backends_param[nBackends]) + nBackends++; + + DEBUG(6,("There are %d domains listed with their backends\n", nBackends)); + + if ((backends = (SAM_BACKEND_ENTRY *)malloc(sizeof(*backends)*nBackends)) == NULL) { + DEBUG(0,("make_sam_context_list: failed to allocate backends\n")); + return NT_STATUS_NO_MEMORY; + } + + memset(backends, '\0', sizeof(*backends)*nBackends); + + for (i = 0; i < nBackends; i++) { + DEBUG(8,("processing %s\n",sam_backends_param[i])); + if (!NT_STATUS_IS_OK(nt_status = make_backend_entry(&backends[i], sam_backends_param[i]))) { + DEBUG(4,("make_backend_entry failed\n")); + for (j = 0; j < nBackends; j++) SAFE_FREE(backends[j].domain_sid); + SAFE_FREE(backends); + free_sam_context(context); + return nt_status; + } + } + + if (!NT_STATUS_IS_OK(nt_status = check_duplicate_backend_entries(&backends, &nBackends))) { + DEBUG(4,("check_duplicate_backend_entries failed\n")); + for (j = 0; j < nBackends; j++) SAFE_FREE(backends[j].domain_sid); + SAFE_FREE(backends); + free_sam_context(context); + return nt_status; + } + + for (i = 0; i < nBackends; i++) { + if (!NT_STATUS_IS_OK(nt_status = make_sam_methods_backend_entry(*context, &curmethods, &backends[i]))) { + DEBUG(4,("make_sam_methods_backend_entry failed\n")); + for (j = 0; j < nBackends; j++) SAFE_FREE(backends[j].domain_sid); + SAFE_FREE(backends); + free_sam_context(context); + return nt_status; + } + DLIST_ADD_END((*context)->methods, curmethods, tmpmethods); + } + + for (i = 0; i < nBackends; i++) SAFE_FREE(backends[i].domain_sid); + + SAFE_FREE(backends); + return NT_STATUS_OK; +} + +/****************************************************************** + Make a sam_context from scratch. + *******************************************************************/ + +NTSTATUS make_sam_context(SAM_CONTEXT **context) +{ + TALLOC_CTX *mem_ctx; + + mem_ctx = talloc_init("sam_context internal allocation context"); + + if (!mem_ctx) { + DEBUG(0, ("make_sam_context: talloc init failed!\n")); + return NT_STATUS_NO_MEMORY; + } + + *context = talloc(mem_ctx, sizeof(**context)); + if (!*context) { + DEBUG(0, ("make_sam_context: talloc failed!\n")); + return NT_STATUS_NO_MEMORY; + } + + ZERO_STRUCTP(*context); + + (*context)->mem_ctx = mem_ctx; + + (*context)->free_fn = free_sam_context; + + return NT_STATUS_OK; +} + +/****************************************************************** + Return an already initialised sam_context, to facilitate backward + compatibility (see functions below). + *******************************************************************/ + +static struct sam_context *sam_get_static_context(BOOL reload) +{ + static SAM_CONTEXT *sam_context = NULL; + + if ((sam_context) && (reload)) { + sam_context->free_fn(&sam_context); + sam_context = NULL; + } + + if (!sam_context) { + if (!NT_STATUS_IS_OK(make_sam_context_list(&sam_context, lp_sam_backend()))) { + DEBUG(4,("make_sam_context_list failed\n")); + return NULL; + } + + /* Make sure the required domains (default domain, builtin) are available */ + if (!NT_STATUS_IS_OK(sam_context_check_default_backends(sam_context))) { + DEBUG(4,("sam_context_check_default_backends failed\n")); + return NULL; + } + } + + return sam_context; +} + +/*************************************************************** + Initialize the static context (at smbd startup etc). + + If uninitialised, context will auto-init on first use. + ***************************************************************/ + +BOOL initialize_sam(BOOL reload) +{ + return (sam_get_static_context(reload) != NULL); +} + + +/************************************************************** + External API. This is what the rest of the world calls... +***************************************************************/ + +/****************************************************************** + sam_* functions are used to link the external SAM interface + with the internal backends. These functions lookup the appropriate + backends for the domain and pass on to the function in sam_methods + in the selected backend + + When the context parmater is NULL, the default is used. + *******************************************************************/ + +#define SAM_SETUP_CONTEXT if (!context) \ + context = sam_get_static_context(False);\ + if (!context) {\ + return NT_STATUS_UNSUCCESSFUL; \ + }\ + + + +NTSTATUS sam_get_sec_desc(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, const DOM_SID *sid, SEC_DESC **sd) +{ + SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + DEBUG(5,("sam_get_sec_desc: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, sid))) { + DEBUG(4,("sam_get_methods_by_sid failed\n")); + return nt_status; + } + + if (!tmp_methods->sam_get_sec_desc) { + DEBUG(3, ("sam_get_sec_desc: sam_methods of the domain did not specify sam_get_sec_desc\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_get_sec_desc(tmp_methods, access_token, sid, sd))) { + DEBUG(4,("sam_get_sec_desc for %s in backend %s failed\n", sid_string_static(sid), tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_set_sec_desc(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, const DOM_SID *sid, const SEC_DESC *sd) +{ + SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + DEBUG(5,("sam_set_sec_desc: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, sid))) { + DEBUG(4,("sam_get_methods_by_sid failed\n")); + return nt_status; + } + + if (!tmp_methods->sam_set_sec_desc) { + DEBUG(3, ("sam_set_sec_desc: sam_methods of the domain did not specify sam_set_sec_desc\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_set_sec_desc(tmp_methods, access_token, sid, sd))) { + DEBUG(4,("sam_set_sec_desc for %s in backend %s failed\n", sid_string_static(sid), tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + + +NTSTATUS sam_lookup_name(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, const char *domain, const char *name, DOM_SID *sid, uint32 *type) +{ + SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + DEBUG(5,("sam_lookup_name: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_name(context, &tmp_methods, domain))) { + DEBUG(4,("sam_get_methods_by_name failed\n")); + return nt_status; + } + + if (!tmp_methods->sam_lookup_name) { + DEBUG(3, ("sam_lookup_name: sam_methods of the domain did not specify sam_lookup_name\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_lookup_name(tmp_methods, access_token, name, sid, type))) { + DEBUG(4,("sam_lookup_name for %s\\%s in backend %s failed\n", + tmp_methods->domain_name, name, tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_lookup_sid(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, TALLOC_CTX *mem_ctx, const DOM_SID *sid, char **name, uint32 *type) +{ + SAM_METHODS *tmp_methods; + uint32 rid; + NTSTATUS nt_status; + DOM_SID domainsid; + + DEBUG(5,("sam_lookup_sid: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + sid_copy(&domainsid, sid); + if (!sid_split_rid(&domainsid, &rid)) { + DEBUG(3,("sam_lookup_sid: failed to split the sid\n")); + return NT_STATUS_INVALID_SID; + } + + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, &domainsid))) { + DEBUG(4,("sam_get_methods_by_sid failed\n")); + return nt_status; + } + + if (!tmp_methods->sam_lookup_sid) { + DEBUG(3, ("sam_lookup_sid: sam_methods of the domain did not specify sam_lookup_sid\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_lookup_sid(tmp_methods, access_token, mem_ctx, sid, name, type))) { + DEBUG(4,("sam_lookup_name for %s in backend %s failed\n", + sid_string_static(sid), tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + + +NTSTATUS sam_update_domain(const SAM_CONTEXT *context, const SAM_DOMAIN_HANDLE *domain) +{ + const SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + DEBUG(5,("sam_update_domain: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + /* invalid domain specified */ + SAM_ASSERT(domain && domain->current_sam_methods); + + tmp_methods = domain->current_sam_methods; + + if (!tmp_methods->sam_update_domain) { + DEBUG(3, ("sam_update_domain: sam_methods of the domain did not specify sam_update_domain\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_update_domain(tmp_methods, domain))){ + DEBUG(4,("sam_update_domain in backend %s failed\n", + tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_enum_domains(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, int32 *domain_count, DOM_SID **domains, char ***domain_names) +{ + SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + SEC_DESC *sd; + size_t sd_size; + uint32 acc_granted; + int i = 0; + + DEBUG(5,("sam_enum_domains: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + /* invalid parmaters specified */ + SAM_ASSERT(domain_count && domains && domain_names); + + if (!NT_STATUS_IS_OK(nt_status = samr_make_sam_obj_sd(context->mem_ctx, &sd, &sd_size))) { + DEBUG(4,("samr_make_sam_obj_sd failed\n")); + return nt_status; + } + + if (!se_access_check(sd, access_token, SA_RIGHT_SAM_ENUM_DOMAINS, &acc_granted, &nt_status)) { + DEBUG(3,("sam_enum_domains: ACCESS DENIED\n")); + return nt_status; + } + + tmp_methods= context->methods; + *domain_count = 0; + + while (tmp_methods) { + (*domain_count)++; + tmp_methods= tmp_methods->next; + } + + DEBUG(6,("sam_enum_domains: enumerating %d domains\n", (*domain_count))); + + tmp_methods = context->methods; + + if (((*domains) = malloc( sizeof(DOM_SID) * (*domain_count))) == NULL) { + DEBUG(0,("sam_enum_domains: Out of memory allocating domain SID list\n")); + return NT_STATUS_NO_MEMORY; + } + + if (((*domain_names) = malloc( sizeof(char*) * (*domain_count))) == NULL) { + DEBUG(0,("sam_enum_domains: Out of memory allocating domain name list\n")); + SAFE_FREE((*domains)); + return NT_STATUS_NO_MEMORY; + } + + while (tmp_methods) { + DEBUGADD(7,(" [%d] %s: %s\n", i, tmp_methods->domain_name, sid_string_static(&tmp_methods->domain_sid))); + sid_copy(domains[i],&tmp_methods->domain_sid); + *domain_names[i] = smb_xstrdup(tmp_methods->domain_name); + i++; + tmp_methods= tmp_methods->next; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_lookup_domain(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, const char *domain, DOM_SID **domainsid) +{ + SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + SEC_DESC *sd; + size_t sd_size; + uint32 acc_granted; + + DEBUG(5,("sam_lookup_domain: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + /* invalid paramters */ + SAM_ASSERT(access_token && domain && domainsid); + + if (!NT_STATUS_IS_OK(nt_status = samr_make_sam_obj_sd(context->mem_ctx, &sd, &sd_size))) { + DEBUG(4,("samr_make_sam_obj_sd failed\n")); + return nt_status; + } + + if (!se_access_check(sd, access_token, SA_RIGHT_SAM_OPEN_DOMAIN, &acc_granted, &nt_status)) { + DEBUG(3,("sam_lookup_domain: ACCESS DENIED\n")); + return nt_status; + } + + tmp_methods= context->methods; + + while (tmp_methods) { + if (strcmp(domain, tmp_methods->domain_name) == 0) { + (*domainsid) = (DOM_SID *)malloc(sizeof(DOM_SID)); + sid_copy((*domainsid), &tmp_methods->domain_sid); + return NT_STATUS_OK; + } + tmp_methods= tmp_methods->next; + } + + return NT_STATUS_NO_SUCH_DOMAIN; +} + + +NTSTATUS sam_get_domain_by_sid(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, uint32 access_desired, const DOM_SID *domainsid, SAM_DOMAIN_HANDLE **domain) +{ + SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + DEBUG(5,("sam_get_domain_by_sid: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + SAM_ASSERT(access_token && domainsid && domain); + + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, domainsid))) { + DEBUG(4,("sam_get_methods_by_sid failed\n")); + return nt_status; + } + + if (!tmp_methods->sam_get_domain_handle) { + DEBUG(3, ("sam_get_domain_by_sid: sam_methods of the domain did not specify sam_get_domain_handle\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_get_domain_handle(tmp_methods, access_token, access_desired, domain))) { + DEBUG(4,("sam_get_domain_handle for %s in backend %s failed\n", + sid_string_static(domainsid), tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_create_account(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, uint32 access_desired, const DOM_SID *domainsid, const char *account_name, uint16 acct_ctrl, SAM_ACCOUNT_HANDLE **account) +{ + SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + DEBUG(5,("sam_create_account: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + /* invalid parmaters */ + SAM_ASSERT(access_token && domainsid && account_name && account); + + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, domainsid))) { + DEBUG(4,("sam_get_methods_by_sid failed\n")); + return nt_status; + } + + if (!tmp_methods->sam_create_account) { + DEBUG(3, ("sam_create_account: sam_methods of the domain did not specify sam_create_account\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_create_account(tmp_methods, access_token, access_desired, account_name, acct_ctrl, account))) { + DEBUG(4,("sam_create_account in backend %s failed\n", + tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_add_account(const SAM_CONTEXT *context, const SAM_ACCOUNT_HANDLE *account) +{ + DOM_SID domainsid; + const DOM_SID *accountsid; + SAM_METHODS *tmp_methods; + uint32 rid; + NTSTATUS nt_status; + + DEBUG(5,("sam_add_account: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + /* invalid parmaters */ + SAM_ASSERT(account); + + if (!NT_STATUS_IS_OK(nt_status = sam_get_account_sid(account, &accountsid))) { + DEBUG(0,("Can't get account SID\n")); + return nt_status; + } + + sid_copy(&domainsid, accountsid); + if (!sid_split_rid(&domainsid, &rid)) { + DEBUG(3,("sam_get_account_by_sid: failed to split the sid\n")); + return NT_STATUS_INVALID_SID; + } + + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, &domainsid))) { + DEBUG(4,("sam_get_methods_by_sid failed\n")); + return nt_status; + } + + if (!tmp_methods->sam_add_account) { + DEBUG(3, ("sam_add_account: sam_methods of the domain did not specify sam_add_account\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_add_account(tmp_methods, account))){ + DEBUG(4,("sam_add_account in backend %s failed\n", + tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_update_account(const SAM_CONTEXT *context, const SAM_ACCOUNT_HANDLE *account) +{ + const SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + DEBUG(5,("sam_update_account: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + /* invalid account specified */ + SAM_ASSERT(account && account->current_sam_methods); + + tmp_methods = account->current_sam_methods; + + if (!tmp_methods->sam_update_account) { + DEBUG(3, ("sam_update_account: sam_methods of the domain did not specify sam_update_account\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_update_account(tmp_methods, account))){ + DEBUG(4,("sam_update_account in backend %s failed\n", + tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_delete_account(const SAM_CONTEXT *context, const SAM_ACCOUNT_HANDLE *account) +{ + const SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + DEBUG(5,("sam_delete_account: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + /* invalid account specified */ + SAM_ASSERT(account && account->current_sam_methods); + + tmp_methods = account->current_sam_methods; + + if (!tmp_methods->sam_delete_account) { + DEBUG(3, ("sam_delete_account: sam_methods of the domain did not specify sam_delete_account\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_delete_account(tmp_methods, account))){ + DEBUG(4,("sam_delete_account in backend %s failed\n", + tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_enum_accounts(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, const DOM_SID *domainsid, uint16 acct_ctrl, int32 *account_count, SAM_ACCOUNT_ENUM **accounts) +{ + SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + DEBUG(5,("sam_enum_accounts: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + SAM_ASSERT(access_token && domainsid && account_count && accounts); + + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, domainsid))) { + DEBUG(4,("sam_get_methods_by_sid failed\n")); + return nt_status; + } + + if (!tmp_methods->sam_enum_accounts) { + DEBUG(3, ("sam_enum_accounts: sam_methods of the domain did not specify sam_enum_accounts\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_enum_accounts(tmp_methods, access_token, acct_ctrl, account_count, accounts))) { + DEBUG(4,("sam_enum_accounts for domain %s in backend %s failed\n", + tmp_methods->domain_name, tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + + +NTSTATUS sam_get_account_by_sid(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, uint32 access_desired, const DOM_SID *accountsid, SAM_ACCOUNT_HANDLE **account) +{ + SAM_METHODS *tmp_methods; + uint32 rid; + DOM_SID domainsid; + NTSTATUS nt_status; + + DEBUG(5,("sam_get_account_by_sid: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + SAM_ASSERT(access_token && accountsid && account); + + sid_copy(&domainsid, accountsid); + if (!sid_split_rid(&domainsid, &rid)) { + DEBUG(3,("sam_get_account_by_sid: failed to split the sid\n")); + return NT_STATUS_INVALID_SID; + } + + + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, &domainsid))) { + DEBUG(4,("sam_get_methods_by_sid failed\n")); + return nt_status; + } + + if (!tmp_methods->sam_get_account_by_sid) { + DEBUG(3, ("sam_get_account_by_sid: sam_methods of the domain did not specify sam_get_account_by_sid\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_get_account_by_sid(tmp_methods, access_token, access_desired, accountsid, account))) { + DEBUG(4,("sam_get_account_by_sid for %s in backend %s failed\n", + sid_string_static(accountsid), tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_account_by_name(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, uint32 access_desired, const char *domain, const char *name, SAM_ACCOUNT_HANDLE **account) +{ + SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + DEBUG(5,("sam_get_account_by_name: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + SAM_ASSERT(access_token && domain && name && account); + + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_name(context, &tmp_methods, domain))) { + DEBUG(4,("sam_get_methods_by_name failed\n")); + return nt_status; + } + + if (!tmp_methods->sam_get_account_by_name) { + DEBUG(3, ("sam_get_account_by_name: sam_methods of the domain did not specify sam_get_account_by_name\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_get_account_by_name(tmp_methods, access_token, access_desired, name, account))) { + DEBUG(4,("sam_get_account_by_name for %s\\%s in backend %s failed\n", + domain, name, tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_create_group(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, uint32 access_desired, const DOM_SID *domainsid, const char *group_name, uint16 group_ctrl, SAM_GROUP_HANDLE **group) +{ + SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + DEBUG(5,("sam_create_group: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + SAM_ASSERT(access_token && domainsid && group_name && group); + + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, domainsid))) { + DEBUG(4,("sam_get_methods_by_sid failed\n")); + return nt_status; + } + + if (!tmp_methods->sam_create_group) { + DEBUG(3, ("sam_create_group: sam_methods of the domain did not specify sam_create_group\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_create_group(tmp_methods, access_token, access_desired, group_name, group_ctrl, group))) { + DEBUG(4,("sam_create_group in backend %s failed\n", + tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_add_group(const SAM_CONTEXT *context, const SAM_GROUP_HANDLE *group) +{ + DOM_SID domainsid; + const DOM_SID *groupsid; + SAM_METHODS *tmp_methods; + uint32 rid; + NTSTATUS nt_status; + + DEBUG(5,("sam_add_group: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + SAM_ASSERT(group); + + if (!NT_STATUS_IS_OK(nt_status = sam_get_group_sid(group, &groupsid))) { + DEBUG(0,("Can't get group SID\n")); + return nt_status; + } + + sid_copy(&domainsid, groupsid); + if (!sid_split_rid(&domainsid, &rid)) { + DEBUG(3,("sam_get_group_by_sid: failed to split the sid\n")); + return NT_STATUS_INVALID_SID; + } + + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, &domainsid))) { + DEBUG(4,("sam_get_methods_by_sid failed\n")); + return nt_status; + } + + if (!tmp_methods->sam_add_group) { + DEBUG(3, ("sam_add_group: sam_methods of the domain did not specify sam_add_group\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_add_group(tmp_methods, group))){ + DEBUG(4,("sam_add_group in backend %s failed\n", + tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_update_group(const SAM_CONTEXT *context, const SAM_GROUP_HANDLE *group) +{ + const SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + DEBUG(5,("sam_update_group: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + /* invalid group specified */ + SAM_ASSERT(group && group->current_sam_methods); + + tmp_methods = group->current_sam_methods; + + if (!tmp_methods->sam_update_group) { + DEBUG(3, ("sam_update_group: sam_methods of the domain did not specify sam_update_group\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_update_group(tmp_methods, group))){ + DEBUG(4,("sam_update_group in backend %s failed\n", + tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_delete_group(const SAM_CONTEXT *context, const SAM_GROUP_HANDLE *group) +{ + const SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + DEBUG(5,("sam_delete_group: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + /* invalid group specified */ + SAM_ASSERT(group && group->current_sam_methods); + + tmp_methods = group->current_sam_methods; + + if (!tmp_methods->sam_delete_group) { + DEBUG(3, ("sam_delete_group: sam_methods of the domain did not specify sam_delete_group\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_delete_group(tmp_methods, group))){ + DEBUG(4,("sam_delete_group in backend %s failed\n", + tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_enum_groups(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, const DOM_SID *domainsid, uint16 group_ctrl, uint32 *groups_count, SAM_GROUP_ENUM **groups) +{ + SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + DEBUG(5,("sam_enum_groups: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + SAM_ASSERT(access_token && domainsid && groups_count && groups); + + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, domainsid))) { + DEBUG(4,("sam_get_methods_by_sid failed\n")); + return nt_status; + } + + if (!tmp_methods->sam_enum_accounts) { + DEBUG(3, ("sam_enum_groups: sam_methods of the domain did not specify sam_enum_groups\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_enum_groups(tmp_methods, access_token, group_ctrl, groups_count, groups))) { + DEBUG(4,("sam_enum_groups for domain %s in backend %s failed\n", + tmp_methods->domain_name, tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_group_by_sid(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, uint32 access_desired, const DOM_SID *groupsid, SAM_GROUP_HANDLE **group) +{ + SAM_METHODS *tmp_methods; + uint32 rid; + NTSTATUS nt_status; + DOM_SID domainsid; + + DEBUG(5,("sam_get_group_by_sid: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + SAM_ASSERT(access_token && groupsid && group); + + sid_copy(&domainsid, groupsid); + if (!sid_split_rid(&domainsid, &rid)) { + DEBUG(3,("sam_get_group_by_sid: failed to split the sid\n")); + return NT_STATUS_INVALID_SID; + } + + + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_sid(context, &tmp_methods, &domainsid))) { + DEBUG(4,("sam_get_methods_by_sid failed\n")); + return nt_status; + } + + if (!tmp_methods->sam_get_group_by_sid) { + DEBUG(3, ("sam_get_group_by_sid: sam_methods of the domain did not specify sam_get_group_by_sid\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_get_group_by_sid(tmp_methods, access_token, access_desired, groupsid, group))) { + DEBUG(4,("sam_get_group_by_sid for %s in backend %s failed\n", + sid_string_static(groupsid), tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_group_by_name(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, uint32 access_desired, const char *domain, const char *name, SAM_GROUP_HANDLE **group) +{ + SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + DEBUG(5,("sam_get_group_by_name: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + SAM_ASSERT(access_token && domain && name && group); + + if (!NT_STATUS_IS_OK(nt_status = sam_get_methods_by_name(context, &tmp_methods, domain))) { + DEBUG(4,("sam_get_methods_by_name failed\n")); + return nt_status; + } + + if (!tmp_methods->sam_get_group_by_name) { + DEBUG(3, ("sam_get_group_by_name: sam_methods of the domain did not specify sam_get_group_by_name\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_get_group_by_name(tmp_methods, access_token, access_desired, name, group))) { + DEBUG(4,("sam_get_group_by_name for %s\\%s in backend %s failed\n", + domain, name, tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_add_member_to_group(const SAM_CONTEXT *context, const SAM_GROUP_HANDLE *group, const SAM_GROUP_MEMBER *member) +{ + const SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + SAM_SETUP_CONTEXT; + + /* invalid group or member specified */ + SAM_ASSERT(group && group->current_sam_methods && member); + + tmp_methods = group->current_sam_methods; + + if (!tmp_methods->sam_add_member_to_group) { + DEBUG(3, ("sam_add_member_to_group: sam_methods of the domain did not specify sam_add_member_to_group\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_add_member_to_group(tmp_methods, group, member))) { + DEBUG(4,("sam_add_member_to_group in backend %s failed\n", tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; + +} + +NTSTATUS sam_delete_member_from_group(const SAM_CONTEXT *context, const SAM_GROUP_HANDLE *group, const SAM_GROUP_MEMBER *member) +{ + const SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + SAM_SETUP_CONTEXT; + + /* invalid group or member specified */ + SAM_ASSERT(group && group->current_sam_methods && member); + + tmp_methods = group->current_sam_methods; + + if (!tmp_methods->sam_delete_member_from_group) { + DEBUG(3, ("sam_delete_member_from_group: sam_methods of the domain did not specify sam_delete_member_from_group\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_delete_member_from_group(tmp_methods, group, member))) { + DEBUG(4,("sam_delete_member_from_group in backend %s failed\n", tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_enum_groupmembers(const SAM_CONTEXT *context, const SAM_GROUP_HANDLE *group, uint32 *members_count, SAM_GROUP_MEMBER **members) +{ + const SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + SAM_SETUP_CONTEXT; + + /* invalid group specified */ + SAM_ASSERT(group && group->current_sam_methods && members_count && members); + + tmp_methods = group->current_sam_methods; + + if (!tmp_methods->sam_enum_groupmembers) { + DEBUG(3, ("sam_enum_groupmembers: sam_methods of the domain did not specify sam_enum_group_members\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_enum_groupmembers(tmp_methods, group, members_count, members))) { + DEBUG(4,("sam_enum_groupmembers in backend %s failed\n", tmp_methods->backendname)); + return nt_status; + } + + return NT_STATUS_OK; +} + +NTSTATUS sam_get_groups_of_sid(const SAM_CONTEXT *context, const NT_USER_TOKEN *access_token, const DOM_SID **sids, uint16 group_ctrl, uint32 *group_count, SAM_GROUP_ENUM **groups) +{ + SAM_METHODS *tmp_methods; + NTSTATUS nt_status; + + uint32 tmp_group_count; + SAM_GROUP_ENUM *tmp_groups; + + DEBUG(5,("sam_get_groups_of_sid: %d\n", __LINE__)); + + SAM_SETUP_CONTEXT; + + /* invalid sam_context specified */ + SAM_ASSERT(access_token && sids && context && context->methods); + + *group_count = 0; + + *groups = NULL; + + tmp_methods= context->methods; + + while (tmp_methods) { + DEBUG(5,("getting groups from domain \n")); + if (!tmp_methods->sam_get_groups_of_sid) { + DEBUG(3, ("sam_get_groups_of_sid: sam_methods of domain did not specify sam_get_groups_of_sid\n")); + SAFE_FREE(*groups); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!NT_STATUS_IS_OK(nt_status = tmp_methods->sam_get_groups_of_sid(tmp_methods, access_token, sids, group_ctrl, &tmp_group_count, &tmp_groups))) { + DEBUG(4,("sam_get_groups_of_sid in backend %s failed\n", tmp_methods->backendname)); + SAFE_FREE(*groups); + return nt_status; + } + + *groups = Realloc(*groups, ((*group_count) + tmp_group_count) * sizeof(SAM_GROUP_ENUM)); + + memcpy(&(*groups)[*group_count], tmp_groups, tmp_group_count); + + SAFE_FREE(tmp_groups); + + *group_count += tmp_group_count; + + tmp_methods = tmp_methods->next; + } + + return NT_STATUS_OK; +} + + diff --git a/source4/sam/sam_ads.c b/source4/sam/sam_ads.c new file mode 100755 index 00000000000..13e03690049 --- /dev/null +++ b/source4/sam/sam_ads.c @@ -0,0 +1,1378 @@ +/* + Unix SMB/CIFS implementation. + Active Directory SAM backend, for simulate a W2K DC in mixed mode. + + Copyright (C) Stefan (metze) Metzmacher 2002 + Copyright (C) Andrew Bartlett 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + + +#ifdef HAVE_LDAP + +static int sam_ads_debug_level = DBGC_SAM; + +#undef DBGC_CLASS +#define DBGC_CLASS sam_ads_debug_level + +#ifndef FIXME +#define FIXME( body ) { DEBUG(0,("FIXME: "));\ + DEBUGADD(0,(body));} +#endif + +#define ADS_STATUS_OK ADS_ERROR(0) +#define ADS_STATUS_UNSUCCESSFUL ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL) +#define ADS_STATUS_NOT_IMPLEMENTED ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED) + + +#define ADS_SUBTREE_BUILTIN "CN=Builtin," +#define ADS_SUBTREE_COMPUTERS "CN=Computers," +#define ADS_SUBTREE_DC "CN=Domain Controllers," +#define ADS_SUBTREE_USERS "CN=Users," +#define ADS_ROOT_TREE "" +/* Here are private module structs and functions */ + +typedef struct sam_ads_privates { + ADS_STRUCT *ads_struct; + TALLOC_CTX *mem_ctx; + BOOL bind_plaintext; + char *ads_bind_dn; + char *ads_bind_pw; + char *ldap_uri; + /* did we need something more? */ +}SAM_ADS_PRIVATES; + + +/* get only these LDAP attributes, witch we really need for an account */ +const char *account_attrs[] = { "objectSid", + "objectGUID", + "sAMAccountType", + "sAMAcountName", + "userPrincipalName", + "accountExpires", + "badPasswordTime", + "badPwdCount", + "lastLogoff", + "lastLogon", + "userWorkstations", + "dBCSPwd", + "unicodePwd", + "pwdLastSet", + "userAccountControl", + "profilePath", + "homeDrive", + "scriptPath", + "homeDirectory", + "cn", + "primaryGroupID",/* 513 */ + "nsNPAllowDialIn",/* TRUE */ + "userParameters",/* Dial Back number ...*/ + "codePage",/* 0 */ + "countryCode",/* 0 */ + "adminCount",/* 1 or 0 */ + "logonCount",/* 0 */ + "managedObjects", + "memberOf",/* dn */ + "instanceType",/* 4 */ + "name", /* sync with cn */ + "description", + /* "nTSecurityDescriptor", */ + NULL}; + +/* get only these LDAP attributes, witch we really need for a group */ +const char *group_attrs[] = {"objectSid", + /* "objectGUID", */ + "sAMAccountType", + "sAMAcountName", + "groupType", + /* "member", */ + "description", + "name", /* sync with cn */ + /* "nTSecurityDescriptor", */ + NULL}; + + +/*************************************************** + return our ads connection. We keep the connection + open to make things faster +****************************************************/ +static ADS_STATUS sam_ads_cached_connection(SAM_ADS_PRIVATES *privates) +{ + ADS_STRUCT *ads_struct; + ADS_STATUS ads_status; + + if (!privates->ads_struct) { + privates->ads_struct = ads_init_simple(); + ads_struct = privates->ads_struct; + ads_struct->server.ldap_uri = smb_xstrdup(privates->ldap_uri); + if ((!privates->ads_bind_dn) || (!*privates->ads_bind_dn)) { + ads_struct->auth.flags |= ADS_AUTH_ANON_BIND; + } else { + ads_struct->auth.user_name + = smb_xstrdup(privates->ads_bind_dn); + if (privates->ads_bind_pw) { + ads_struct->auth.password + = smb_xstrdup(privates->ads_bind_pw); + } + } + if (privates->bind_plaintext) { + ads_struct->auth.flags |= ADS_AUTH_SIMPLE_BIND; + } + } else { + ads_struct = privates->ads_struct; + } + + if (ads_struct->ld != NULL) { + /* connection has been opened. ping server. */ + struct sockaddr_un addr; + socklen_t len; + int sd; + if (ldap_get_option(ads_struct->ld, LDAP_OPT_DESC, &sd) == 0 && + getpeername(sd, (struct sockaddr *) &addr, &len) < 0) { + /* the other end has died. reopen. */ + ldap_unbind_ext(ads_struct->ld, NULL, NULL); + ads_struct->ld = NULL; + } + } + + if (ads_struct->ld != NULL) { + DEBUG(5,("sam_ads_cached_connection: allready connected to the LDAP server\n")); + return ADS_SUCCESS; + } + + ads_status = ads_connect(ads_struct); + + ads_status = ads_server_info(ads_struct); + if (!ADS_ERR_OK(ads_status)) { + DEBUG(0,("Can't set server info: %s\n",ads_errstr(ads_status))); + /* return ads_status; */ FIXME("for now we only warn!\n"); + } + + DEBUG(2, ("sam_ads_cached_connection: succesful connection to the LDAP server\n")); + return ADS_SUCCESS; +} + +static ADS_STATUS sam_ads_do_search(SAM_ADS_PRIVATES *privates, const char *bind_path, int scope, const char *exp, const char **attrs, void **res) +{ + ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); + + ads_status = sam_ads_cached_connection(privates); + if (!ADS_ERR_OK(ads_status)) + return ads_status; + + return ads_do_search_retry(privates->ads_struct, bind_path, scope, exp, attrs, res); +} + + +/********************************************* +here we have to check the update serial number + - this is the core of the ldap cache +*********************************************/ +static ADS_STATUS sam_ads_usn_is_valid(SAM_ADS_PRIVATES *privates, uint32 usn_in, uint32 *usn_out) +{ + ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); + + SAM_ASSERT(privates && privates->ads_struct && usn_out); + + ads_status = ads_USN(privates->ads_struct, usn_out); + if (!ADS_ERR_OK(ads_status)) + return ads_status; + + if (*usn_out == usn_in) + return ADS_SUCCESS; + + return ads_status; +} + +/*********************************************** +Initialize SAM_ACCOUNT_HANDLE from an ADS query +************************************************/ +/* not ready :-( */ +static ADS_STATUS ads_entry2sam_account_handle(SAM_ADS_PRIVATES *privates, SAM_ACCOUNT_HANDLE *account ,void *msg) +{ + ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_NO_SUCH_USER); + NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER; + ADS_STRUCT *ads_struct = privates->ads_struct; + TALLOC_CTX *mem_ctx = account->mem_ctx; + char *tmp_str = NULL; + + SAM_ASSERT(privates && ads_struct && account && mem_ctx && msg); + + FIXME("should we really use ads_pull_username()(or ads_pull_string())?\n"); + if ((account->private.account_name = ads_pull_username(ads_struct, mem_ctx, msg))==NULL) { + DEBUG(0,("ads_pull_username failed\n")); + return ADS_ERROR_NT(NT_STATUS_NO_SUCH_USER); + } + + if ((account->private.full_name = ads_pull_string(ads_struct, mem_ctx, msg,"name"))==NULL) { + DEBUG(3,("ads_pull_string for 'name' failed - skip\n")); + } + + if ((account->private.acct_desc = ads_pull_string(ads_struct, mem_ctx, msg,"description"))!=NULL) { + DEBUG(3,("ads_pull_string for 'acct_desc' failed - skip\n")); + } + + if ((account->private.home_dir = ads_pull_string(ads_struct, mem_ctx, msg,"homeDirectory"))!=NULL) { + DEBUG(3,("ads_pull_string for 'homeDirectory' failed - skip\n")); + } + + if ((account->private.dir_drive = ads_pull_string(ads_struct, mem_ctx, msg,"homeDrive"))!=NULL) { + DEBUG(3,("ads_pull_string for 'homeDrive' failed - skip\n")); + } + + if ((account->private.profile_path = ads_pull_string(ads_struct, mem_ctx, msg,"profilePath"))!=NULL) { + DEBUG(3,("ads_pull_string for 'profilePath' failed - skip\n")); + } + + if ((account->private.logon_script = ads_pull_string(ads_struct, mem_ctx, msg,"scriptPath"))!=NULL) { + DEBUG(3,("ads_pull_string for 'scriptPath' failed - skip\n")); + } + + FIXME("check 'nsNPAllowDialIn' for munged_dial!\n"); + if ((account->private.munged_dial = ads_pull_string(ads_struct, mem_ctx, msg,"userParameters"))!=NULL) { + DEBUG(3,("ads_pull_string for 'userParameters' failed - skip\n")); + } + + if ((account->private.unix_home_dir = ads_pull_string(ads_struct, mem_ctx, msg,"msSFUHomeDrirectory"))!=NULL) { + DEBUG(3,("ads_pull_string for 'msSFUHomeDrirectory' failed - skip\n")); + } + +#if 0 + FIXME("use function intern mem_ctx for pwdLastSet\n"); + if ((tmp_str = ads_pull_string(ads_struct, mem_ctx, msg,"pwdLastSet"))!=NULL) { + DEBUG(3,("ads_pull_string for 'pwdLastSet' failed - skip\n")); + } else { + account->private.pass_last_set_time = ads_parse_nttime(tmp_str); + tmp_str = NULL; + + } +#endif + +#if 0 +typedef struct sam_account_handle { + TALLOC_CTX *mem_ctx; + uint32 access_granted; + const struct sam_methods *current_sam_methods; /* sam_methods creating this handle */ + void (*free_fn)(struct sam_account_handle **); + struct sam_account_data { + uint32 init_flag; + NTTIME logon_time; /* logon time */ + NTTIME logoff_time; /* logoff time */ + NTTIME kickoff_time; /* kickoff time */ + NTTIME pass_last_set_time; /* password last set time */ + NTTIME pass_can_change_time; /* password can change time */ + NTTIME pass_must_change_time; /* password must change time */ + char * account_name; /* account_name string */ + SAM_DOMAIN_HANDLE * domain; /* domain of account */ + char *full_name; /* account's full name string */ + char *unix_home_dir; /* UNIX home directory string */ + char *home_dir; /* home directory string */ + char *dir_drive; /* home directory drive string */ + char *logon_script; /* logon script string */ + char *profile_path; /* profile path string */ + char *acct_desc; /* account description string */ + char *workstations; /* login from workstations string */ + char *unknown_str; /* don't know what this is, yet. */ + char *munged_dial; /* munged path name and dial-back tel number */ + DOM_SID account_sid; /* Primary Account SID */ + DOM_SID group_sid; /* Primary Group SID */ + DATA_BLOB lm_pw; /* .data is Null if no password */ + DATA_BLOB nt_pw; /* .data is Null if no password */ + char *plaintext_pw; /* if Null not available */ + uint16 acct_ctrl; /* account info (ACB_xxxx bit-mask) */ + uint32 unknown_1; /* 0x00ff ffff */ + uint16 logon_divs; /* 168 - number of hours in a week */ + uint32 hours_len; /* normally 21 bytes */ + uint8 hours[MAX_HOURS_LEN]; + uint32 unknown_2; /* 0x0002 0000 */ + uint32 unknown_3; /* 0x0000 04ec */ + } private; +} SAM_ACCOUNT_HANDLE; +#endif + + return ads_status; +} + + +/*********************************************** +Initialize SAM_GROUP_ENUM from an ads entry +************************************************/ +/* not ready :-( */ +static ADS_STATUS ads_entry2sam_group_enum(SAM_ADS_PRIVATES *privates, TALLOC_CTX *mem_ctx, SAM_GROUP_ENUM **group_enum,const void *entry) +{ + ADS_STATUS ads_status = ADS_STATUS_UNSUCCESSFUL; + ADS_STRUCT *ads_struct = privates->ads_struct; + SAM_GROUP_ENUM __group_enum; + SAM_GROUP_ENUM *_group_enum = &__group_enum; + + SAM_ASSERT(privates && ads_struct && mem_ctx && group_enum && entry); + + *group_enum = _group_enum; + + DEBUG(3,("sam_ads: ads_entry2sam_account_handle\n")); + + if (!ads_pull_sid(ads_struct, &entry, "objectSid", &(_group_enum->sid))) { + DEBUG(0,("No sid for!?\n")); + return ADS_STATUS_UNSUCCESSFUL; + } + + if (!(_group_enum->group_name = ads_pull_string(ads_struct, mem_ctx, &entry, "sAMAccountName"))) { + DEBUG(0,("No groupname found")); + return ADS_STATUS_UNSUCCESSFUL; + } + + if (!(_group_enum->group_desc = ads_pull_string(ads_struct, mem_ctx, &entry, "desciption"))) { + DEBUG(0,("No description found")); + return ADS_STATUS_UNSUCCESSFUL; + } + + DEBUG(0,("sAMAccountName: %s\ndescription: %s\nobjectSid: %s\n", + _group_enum->group_name, + _group_enum->group_desc, + sid_string_static(&(_group_enum->sid)) + )); + + return ads_status; +} + +static ADS_STATUS sam_ads_access_check(SAM_ADS_PRIVATES *privates, const SEC_DESC *sd, const NT_USER_TOKEN *access_token, uint32 access_desired, uint32 *acc_granted) +{ + ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED); + NTSTATUS nt_status; + uint32 my_acc_granted; + + SAM_ASSERT(privates && sd && access_token); + /* acc_granted can be set to NULL */ + + /* the steps you need are: + 1. get_sec_desc for sid + 2. se_map_generic(accessdesired, generic_mapping) + 3. se_access_check() */ + + if (!se_access_check(sd, access_token, access_desired, (acc_granted)?acc_granted:&my_acc_granted, &nt_status)) { + DEBUG(3,("sam_ads_access_check: ACCESS DENIED\n")); + ads_status = ADS_ERROR_NT(nt_status); + return ads_status; + } + ads_status = ADS_ERROR_NT(nt_status); + return ads_status; +} + +static ADS_STATUS sam_ads_get_tree_sec_desc(SAM_ADS_PRIVATES *privates, const char *subtree, SEC_DESC **sd) +{ + ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + ADS_STRUCT *ads_struct = privates->ads_struct; + TALLOC_CTX *mem_ctx = privates->mem_ctx; + char *search_path; + void *sec_desc_res; + void *sec_desc_msg; + const char *sec_desc_attrs[] = {"nTSecurityDescriptor",NULL}; + + SAM_ASSERT(privates && ads_struct && mem_ctx && sd); + *sd = NULL; + + if (subtree) { + asprintf(&search_path, "%s%s",subtree,ads_struct->config.bind_path); + } else { + asprintf(&search_path, "%s",""); + } + ads_status = sam_ads_do_search(privates, search_path, LDAP_SCOPE_BASE, "(objectClass=*)", sec_desc_attrs, &sec_desc_res); + SAFE_FREE(search_path); + if (!ADS_ERR_OK(ads_status)) + return ads_status; + + if ((sec_desc_msg = ads_first_entry(ads_struct, sec_desc_res))==NULL) { + ads_status = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + return ads_status; + } + + if (!ads_pull_sd(ads_struct, mem_ctx, sec_desc_msg, sec_desc_attrs[0], sd)) { + *sd = NULL; + ads_status = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + return ads_status; + } + + return ads_status; +} + +static ADS_STATUS sam_ads_account_policy_get(SAM_ADS_PRIVATES *privates, int field, uint32 *value) +{ + ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + ADS_STRUCT *ads_struct = privates->ads_struct; + void *ap_res; + void *ap_msg; + const char *ap_attrs[] = {"minPwdLength",/* AP_MIN_PASSWORD_LEN */ + "pwdHistoryLength",/* AP_PASSWORD_HISTORY */ + "AP_USER_MUST_LOGON_TO_CHG_PASS",/* AP_USER_MUST_LOGON_TO_CHG_PASS */ + "maxPwdAge",/* AP_MAX_PASSWORD_AGE */ + "minPwdAge",/* AP_MIN_PASSWORD_AGE */ + "lockoutDuration",/* AP_LOCK_ACCOUNT_DURATION */ + "AP_RESET_COUNT_TIME",/* AP_RESET_COUNT_TIME */ + "AP_BAD_ATTEMPT_LOCKOUT",/* AP_BAD_ATTEMPT_LOCKOUT */ + "AP_TIME_TO_LOGOUT",/* AP_TIME_TO_LOGOUT */ + NULL}; + /*lockOutObservationWindow + lockoutThreshold $ pwdProperties*/ + static uint32 ap[9]; + static uint32 ap_usn = 0; + uint32 tmp_usn = 0; + + SAM_ASSERT(privates && ads_struct && value); + + FIXME("We need to decode all account_policy attributes!\n"); + + ads_status = sam_ads_usn_is_valid(privates,ap_usn,&tmp_usn); + if (!ADS_ERR_OK(ads_status)) { + ads_status = sam_ads_do_search(privates, ads_struct->config.bind_path, LDAP_SCOPE_BASE, "(objectClass=*)", ap_attrs, &ap_res); + if (!ADS_ERR_OK(ads_status)) + return ads_status; + + if (ads_count_replies(ads_struct, ap_res) != 1) { + ads_msgfree(ads_struct, ap_res); + return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + } + + if (!(ap_msg = ads_first_entry(ads_struct, ap_res))) { + ads_msgfree(ads_struct, ap_res); + return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + } + + if (!ads_pull_uint32(ads_struct, ap_msg, ap_attrs[0], &ap[0])) { + /* AP_MIN_PASSWORD_LEN */ + ap[0] = MINPASSWDLENGTH;/* 5 chars minimum */ + } + if (!ads_pull_uint32(ads_struct, ap_msg, ap_attrs[1], &ap[1])) { + /* AP_PASSWORD_HISTORY */ + ap[1] = 0;/* don't keep any old password */ + } + if (!ads_pull_uint32(ads_struct, ap_msg, ap_attrs[2], &ap[2])) { + /* AP_USER_MUST_LOGON_TO_CHG_PASS */ + ap[2] = 0;/* don't force user to logon */ + } + if (!ads_pull_uint32(ads_struct, ap_msg, ap_attrs[3], &ap[3])) { + /* AP_MAX_PASSWORD_AGE */ + ap[3] = MAX_PASSWORD_AGE;/* 21 days */ + } + if (!ads_pull_uint32(ads_struct, ap_msg, ap_attrs[4], &ap[4])) { + /* AP_MIN_PASSWORD_AGE */ + ap[4] = 0;/* 0 days */ + } + if (!ads_pull_uint32(ads_struct, ap_msg, ap_attrs[5], &ap[5])) { + /* AP_LOCK_ACCOUNT_DURATION */ + ap[5] = 0;/* lockout for 0 minutes */ + } + if (!ads_pull_uint32(ads_struct, ap_msg, ap_attrs[6], &ap[6])) { + /* AP_RESET_COUNT_TIME */ + ap[6] = 0;/* reset immediatly */ + } + if (!ads_pull_uint32(ads_struct, ap_msg, ap_attrs[7], &ap[7])) { + /* AP_BAD_ATTEMPT_LOCKOUT */ + ap[7] = 0;/* don't lockout */ + } + if (!ads_pull_uint32(ads_struct, ap_msg, ap_attrs[8], &ap[8])) { + /* AP_TIME_TO_LOGOUT */ + ap[8] = -1;/* don't force logout */ + } + + ads_msgfree(ads_struct, ap_res); + ap_usn = tmp_usn; + } + + switch(field) { + case AP_MIN_PASSWORD_LEN: + *value = ap[0]; + ads_status = ADS_ERROR_NT(NT_STATUS_OK); + break; + case AP_PASSWORD_HISTORY: + *value = ap[1]; + ads_status = ADS_ERROR_NT(NT_STATUS_OK); + break; + case AP_USER_MUST_LOGON_TO_CHG_PASS: + *value = ap[2]; + ads_status = ADS_ERROR_NT(NT_STATUS_OK); + break; + case AP_MAX_PASSWORD_AGE: + *value = ap[3]; + ads_status = ADS_ERROR_NT(NT_STATUS_OK); + break; + case AP_MIN_PASSWORD_AGE: + *value = ap[4]; + ads_status = ADS_ERROR_NT(NT_STATUS_OK); + break; + case AP_LOCK_ACCOUNT_DURATION: + *value = ap[5]; + ads_status = ADS_ERROR_NT(NT_STATUS_OK); + break; + case AP_RESET_COUNT_TIME: + *value = ap[6]; + ads_status = ADS_ERROR_NT(NT_STATUS_OK); + break; + case AP_BAD_ATTEMPT_LOCKOUT: + *value = ap[7]; + ads_status = ADS_ERROR_NT(NT_STATUS_OK); + break; + case AP_TIME_TO_LOGOUT: + *value = ap[8]; + ads_status = ADS_ERROR_NT(NT_STATUS_OK); + break; + default: *value = 0; break; + } + + return ads_status; +} + + +/********************************** +Now the functions off the SAM API +***********************************/ + +/* General API */ +static NTSTATUS sam_ads_get_sec_desc(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, + const DOM_SID *sid, SEC_DESC **sd) +{ + ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; + ADS_STRUCT *ads_struct = privates->ads_struct; + TALLOC_CTX *mem_ctx; + char *sidstr,*filter; + void *sec_desc_res; + void *sec_desc_msg; + const char *sec_desc_attrs[] = {"nTSecurityDescriptor",NULL}; + fstring sid_str; + SEC_DESC *my_sd; + + SAM_ASSERT(sam_method && access_token && sid && sd); + + ads_status = sam_ads_get_tree_sec_desc(privates, ADS_ROOT_TREE, &my_sd); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + ads_status = sam_ads_access_check(privates, my_sd, access_token, GENERIC_RIGHTS_DOMAIN_READ, NULL); + + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + sidstr = sid_binstring(sid); + if (asprintf(&filter, "(objectSid=%s)", sidstr) == -1) { + SAFE_FREE(sidstr); + return NT_STATUS_NO_MEMORY; + } + + SAFE_FREE(sidstr); + + ads_status = sam_ads_do_search(privates,ads_struct->config.bind_path, + LDAP_SCOPE_SUBTREE, filter, sec_desc_attrs, + &sec_desc_res); + SAFE_FREE(filter); + + if (!ADS_ERR_OK(ads_status)) { + return ads_ntstatus(ads_status); + } + + if (!(mem_ctx = talloc_init("sec_desc parse in sam_ads"))) { + DEBUG(1, ("talloc_init() failed for sec_desc parse context in sam_ads")); + ads_msgfree(ads_struct, sec_desc_res); + return NT_STATUS_NO_MEMORY; + } + + if (ads_count_replies(ads_struct, sec_desc_res) != 1) { + DEBUG(1,("sam_ads_get_sec_desc: duplicate or 0 results for sid %s\n", + sid_to_string(sid_str, sid))); + talloc_destroy(mem_ctx); + ads_msgfree(ads_struct, sec_desc_res); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!(sec_desc_msg = ads_first_entry(ads_struct, sec_desc_res))) { + talloc_destroy(mem_ctx); + ads_msgfree(ads_struct, sec_desc_res); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!ads_pull_sd(ads_struct, mem_ctx, sec_desc_msg, sec_desc_attrs[0], sd)) { + ads_status = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + talloc_destroy(mem_ctx); + ads_msgfree(ads_struct, sec_desc_res); + return ads_ntstatus(ads_status); + } + + /* now, were we allowed to see the SD we just got? */ + + ads_msgfree(ads_struct, sec_desc_res); + talloc_destroy(mem_ctx); + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_set_sec_desc(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, + const DOM_SID *sid, const SEC_DESC *sd) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} + + +static NTSTATUS sam_ads_lookup_sid(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, + TALLOC_CTX *mem_ctx, const DOM_SID *sid, char **name, + enum SID_NAME_USE *type) +{ + ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; + ADS_STRUCT *ads_struct = privates->ads_struct; + SEC_DESC *my_sd; + + SAM_ASSERT(sam_method && access_token && mem_ctx && sid && name && type); + + ads_status = sam_ads_get_tree_sec_desc(privates, ADS_ROOT_TREE, &my_sd); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + ads_status = sam_ads_access_check(privates, my_sd, access_token, GENERIC_RIGHTS_DOMAIN_READ, NULL); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + return ads_sid_to_name(ads_struct, mem_ctx, sid, name, type); +} + +static NTSTATUS sam_ads_lookup_name(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, + const char *name, DOM_SID *sid, enum SID_NAME_USE *type) +{ + ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; + ADS_STRUCT *ads_struct = privates->ads_struct; + SEC_DESC *my_sd; + + SAM_ASSERT(sam_method && access_token && name && sid && type); + + ads_status = sam_ads_get_tree_sec_desc(privates, ADS_ROOT_TREE, &my_sd); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + ads_status = sam_ads_access_check(privates, my_sd, access_token, GENERIC_RIGHTS_DOMAIN_READ, NULL); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + return ads_name_to_sid(ads_struct, name, sid, type); +} + + +/* Domain API */ + +static NTSTATUS sam_ads_update_domain(const SAM_METHODS *sam_method, const SAM_DOMAIN_HANDLE *domain) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_get_domain_handle(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, + const uint32 access_desired, SAM_DOMAIN_HANDLE **domain) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; + TALLOC_CTX *mem_ctx = privates->mem_ctx; /*Fix me is this right??? */ + SAM_DOMAIN_HANDLE *dom_handle = NULL; + SEC_DESC *sd; + uint32 acc_granted; + uint32 tmp_value; + + DEBUG(5,("sam_ads_get_domain_handle: %d\n",__LINE__)); + + SAM_ASSERT(sam_method && access_token && domain); + + (*domain) = NULL; + + if ((dom_handle = talloc(mem_ctx, sizeof(SAM_DOMAIN_HANDLE))) == NULL) { + DEBUG(0,("failed to talloc dom_handle\n")); + ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + return ads_ntstatus(ads_status); + } + + ZERO_STRUCTP(dom_handle); + + dom_handle->mem_ctx = mem_ctx; /*Fix me is this right??? */ + dom_handle->free_fn = NULL; + dom_handle->current_sam_methods = sam_method; + + /* check if access can be granted as requested */ + + ads_status = sam_ads_get_tree_sec_desc(privates, ADS_ROOT_TREE, &sd); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + ads_status = sam_ads_access_check(privates, sd, access_token, access_desired, &acc_granted); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + dom_handle->access_granted = acc_granted; + + /* fill all the values of dom_handle */ + sid_copy(&dom_handle->private.sid, &sam_method->domain_sid); + dom_handle->private.name = smb_xstrdup(sam_method->domain_name); + dom_handle->private.servername = "WHOKNOWS"; /* what is the servername */ + + /*Fix me: sam_ads_account_policy_get() return ADS_STATUS! */ + ads_status = sam_ads_account_policy_get(privates, AP_MAX_PASSWORD_AGE, &tmp_value); + if (!ADS_ERR_OK(ads_status)) { + DEBUG(4,("sam_ads_account_policy_get failed for max password age. Useing default\n")); + tmp_value = MAX_PASSWORD_AGE; + } + unix_to_nt_time_abs(&dom_handle->private.max_passwordage,tmp_value); + + ads_status = sam_ads_account_policy_get(privates, AP_MIN_PASSWORD_AGE, &tmp_value); + if (!ADS_ERR_OK(ads_status)) { + DEBUG(4,("sam_ads_account_policy_get failed for min password age. Useing default\n")); + tmp_value = 0; + } + unix_to_nt_time_abs(&dom_handle->private.min_passwordage, tmp_value); + + ads_status = sam_ads_account_policy_get(privates, AP_LOCK_ACCOUNT_DURATION, &tmp_value); + if (!ADS_ERR_OK(ads_status)) { + DEBUG(4,("sam_ads_account_policy_get failed for lockout duration. Useing default\n")); + tmp_value = 0; + } + unix_to_nt_time_abs(&dom_handle->private.lockout_duration, tmp_value); + + ads_status = sam_ads_account_policy_get(privates, AP_RESET_COUNT_TIME, &tmp_value); + if (!ADS_ERR_OK(ads_status)) { + DEBUG(4,("sam_ads_account_policy_get failed for time till locout count is reset. Useing default\n")); + tmp_value = 0; + } + unix_to_nt_time_abs(&dom_handle->private.reset_count, tmp_value); + + ads_status = sam_ads_account_policy_get(privates, AP_MIN_PASSWORD_LEN, &tmp_value); + if (!ADS_ERR_OK(ads_status)) { + DEBUG(4,("sam_ads_account_policy_get failed for min password length. Useing default\n")); + tmp_value = 0; + } + dom_handle->private.min_passwordlength = (uint16)tmp_value; + + ads_status = sam_ads_account_policy_get(privates, AP_PASSWORD_HISTORY, &tmp_value); + if (!ADS_ERR_OK(ads_status)) { + DEBUG(4,("sam_ads_account_policy_get failed password history. Useing default\n")); + tmp_value = 0; + } + dom_handle->private.password_history = (uint16)tmp_value; + + ads_status = sam_ads_account_policy_get(privates, AP_BAD_ATTEMPT_LOCKOUT, &tmp_value); + if (!ADS_ERR_OK(ads_status)) { + DEBUG(4,("sam_ads_account_policy_get failed for bad attempts till lockout. Useing default\n")); + tmp_value = 0; + } + dom_handle->private.lockout_count = (uint16)tmp_value; + + ads_status = sam_ads_account_policy_get(privates, AP_TIME_TO_LOGOUT, &tmp_value); + if (!ADS_ERR_OK(ads_status)) { + DEBUG(4,("sam_ads_account_policy_get failed for force logout. Useing default\n")); + tmp_value = -1; + } + + ads_status = sam_ads_account_policy_get(privates, AP_USER_MUST_LOGON_TO_CHG_PASS, &tmp_value); + if (!ADS_ERR_OK(ads_status)) { + DEBUG(4,("sam_ads_account_policy_get failed for user must login to change password. Useing default\n")); + tmp_value = 0; + } + + /* should the real values of num_accounts, num_groups and num_aliases be retreved? + * I think it is to expensive to bother + */ + dom_handle->private.num_accounts = 3; + dom_handle->private.num_groups = 4; + dom_handle->private.num_aliases = 5; + + *domain = dom_handle; + + ads_status = ADS_ERROR_NT(NT_STATUS_OK); + return ads_ntstatus(ads_status); +} + +/* Account API */ +static NTSTATUS sam_ads_create_account(const SAM_METHODS *sam_method, + const NT_USER_TOKEN *access_token, uint32 access_desired, + const char *account_name, uint16 acct_ctrl, SAM_ACCOUNT_HANDLE **account) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; + SEC_DESC *sd = NULL; + uint32 acc_granted; + + SAM_ASSERT(sam_method && privates && access_token && account_name && account); + + ads_status = sam_ads_get_tree_sec_desc(privates, ADS_SUBTREE_USERS, &sd); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + ads_status = sam_ads_access_check(privates, sd, access_token, access_desired, &acc_granted); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + ads_status = ADS_ERROR_NT(sam_init_account(account)); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + (*account)->access_granted = acc_granted; + + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_add_account(const SAM_METHODS *sam_method, const SAM_ACCOUNT_HANDLE *account) +{ + ADS_STATUS ads_status = ADS_ERROR(LDAP_NO_MEMORY); + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; + ADS_STRUCT *ads_struct = privates->ads_struct; + TALLOC_CTX *mem_ctx = privates->mem_ctx; + ADS_MODLIST mods; + uint16 acct_ctrl; + char *new_dn; + SEC_DESC *sd; + uint32 acc_granted; + + SAM_ASSERT(sam_method && account); + + ads_status = ADS_ERROR_NT(sam_get_account_acct_ctrl(account,&acct_ctrl)); + if (!ADS_ERR_OK(ads_status)) + goto done; + + if ((acct_ctrl & ACB_WSTRUST)||(acct_ctrl & ACB_SVRTRUST)) { + /* Computer account */ + char *name,*controlstr; + char *hostname,*host_upn,*host_spn; + const char *objectClass[] = {"top", "person", "organizationalPerson", + "user", "computer", NULL}; + + ads_status = ADS_ERROR_NT(sam_get_account_name(account,&name)); + if (!ADS_ERR_OK(ads_status)) + goto done; + + if (!(host_upn = talloc_asprintf(mem_ctx, "%s@%s", name, ads_struct->config.realm))) { + ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto done; + } + + if (!(new_dn = talloc_asprintf(mem_ctx, "CN=%s,CN=Computers,%s", hostname, + ads_struct->config.bind_path))) { + ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto done; + } + + if (!(controlstr = talloc_asprintf(mem_ctx, "%u", ads_acb2uf(acct_ctrl)))) { + ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto done; + } + + if (!(mods = ads_init_mods(mem_ctx))) { + ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto done; + } + + ads_status = ads_mod_str(mem_ctx, &mods, "cn", hostname); + if (!ADS_ERR_OK(ads_status)) + goto done; + ads_status = ads_mod_strlist(mem_ctx, &mods, "objectClass", objectClass); + if (!ADS_ERR_OK(ads_status)) + goto done; + ads_status = ads_mod_str(mem_ctx, &mods, "userPrincipalName", host_upn); + if (!ADS_ERR_OK(ads_status)) + goto done; + ads_status = ads_mod_str(mem_ctx, &mods, "displayName", hostname); + if (!ADS_ERR_OK(ads_status)) + goto done; + ads_status = ads_mod_str(mem_ctx, &mods, "sAMAccountName", name); + if (!ADS_ERR_OK(ads_status)) + goto done; + ads_status = ads_mod_str(mem_ctx, &mods, "userAccountControl", controlstr); + if (!ADS_ERR_OK(ads_status)) + goto done; + + ads_status = ads_mod_str(mem_ctx, &mods, "servicePrincipalName", host_spn); + if (!ADS_ERR_OK(ads_status)) + goto done; + ads_status = ads_mod_str(mem_ctx, &mods, "dNSHostName", hostname); + if (!ADS_ERR_OK(ads_status)) + goto done; + ads_status = ads_mod_str(mem_ctx, &mods, "userAccountControl", controlstr); + if (!ADS_ERR_OK(ads_status)) + goto done; + /* ads_status = ads_mod_str(mem_ctx, &mods, "operatingSystem", "Samba"); + if (!ADS_ERR_OK(ads_status)) + goto done; + *//* ads_status = ads_mod_str(mem_ctx, &mods, "operatingSystemVersion", VERSION); + if (!ADS_ERR_OK(ads_status)) + goto done; + */ + /* End Computer account */ + } else { + /* User account*/ + char *upn, *controlstr; + char *name, *fullname; + const char *objectClass[] = {"top", "person", "organizationalPerson", + "user", NULL}; + + ads_status = ADS_ERROR_NT(sam_get_account_name(account,&name)); + if (!ADS_ERR_OK(ads_status)) + goto done; + + ads_status = ADS_ERROR_NT(sam_get_account_fullname(account,&fullname)); + if (!ADS_ERR_OK(ads_status)) + goto done; + + if (!(upn = talloc_asprintf(mem_ctx, "%s@%s", name, ads_struct->config.realm))) { + ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto done; + } + + if (!(new_dn = talloc_asprintf(mem_ctx, "CN=%s,CN=Users,%s", fullname, + ads_struct->config.bind_path))) { + ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto done; + } + + if (!(controlstr = talloc_asprintf(mem_ctx, "%u", ads_acb2uf(acct_ctrl)))) { + ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto done; + } + + if (!(mods = ads_init_mods(mem_ctx))) { + ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto done; + } + + ads_status = ads_mod_str(mem_ctx, &mods, "cn", fullname); + if (!ADS_ERR_OK(ads_status)) + goto done; + ads_status = ads_mod_strlist(mem_ctx, &mods, "objectClass", objectClass); + if (!ADS_ERR_OK(ads_status)) + goto done; + ads_status = ads_mod_str(mem_ctx, &mods, "userPrincipalName", upn); + if (!ADS_ERR_OK(ads_status)) + goto done; + ads_status = ads_mod_str(mem_ctx, &mods, "displayName", fullname); + if (!ADS_ERR_OK(ads_status)) + goto done; + ads_status = ads_mod_str(mem_ctx, &mods, "sAMAccountName", name); + if (!ADS_ERR_OK(ads_status)) + goto done; + ads_status = ads_mod_str(mem_ctx, &mods, "userAccountControl", controlstr); + if (!ADS_ERR_OK(ads_status)) + goto done; + }/* End User account */ + + /* Finally at the account */ + ads_status = ads_gen_add(ads_struct, new_dn, mods); + +done: + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_update_account(const SAM_METHODS *sam_method, const SAM_ACCOUNT_HANDLE *account) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_delete_account(const SAM_METHODS *sam_method, const SAM_ACCOUNT_HANDLE *account) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + + + + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_enum_accounts(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, uint16 acct_ctrl, uint32 *account_count, SAM_ACCOUNT_ENUM **accounts) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} + +#if 0 +static NTSTATUS sam_ads_get_account_by_sid(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const DOM_SID *account_sid, SAM_ACCOUNT_HANDLE **account) +{ + ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; + ADS_STRUCT *ads_struct = privates->ads_struct; + TALLOC_CTX *mem_ctx = privates->mem_ctx; + SEC_DESC *sd = NULL; + uint32 acc_granted; + + SAM_ASSERT(sam_method && privates && ads_struct && access_token && account_sid && account); + + ads_status = ADS_ERROR_NT(sam_ads_get_sec_desc(sam_method, access_token, account_sid, &my_sd)); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + ads_status = sam_ads_access_check(privates, sd, access_token, access_desired, &acc_granted); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + ads_status = ADS_ERROR_NT(sam_init_account(account)); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + (*account)->access_granted = acc_granted; + + return ads_ntstatus(ads_status); +} +#else +static NTSTATUS sam_ads_get_account_by_sid(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const DOM_SID *account_sid, SAM_ACCOUNT_HANDLE **account) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} +#endif + +#if 0 +static NTSTATUS sam_ads_get_account_by_name(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const char *account_name, SAM_ACCOUNT_HANDLE **account) +{ + ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; + ADS_STRUCT *ads_struct = privates->ads_struct; + TALLOC_CTX *mem_ctx = privates->mem_ctx; + SEC_DESC *sd = NULL; + uint32 acc_granted; + + SAM_ASSERT(sam_method && privates && ads_struct && access_token && account_name && account); + + ads_status = sam_ads_get_tree_sec_desc(privates, ADS_ROOT_TREE, &sd); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + ads_status = sam_ads_access_check(privates, sd, access_token, access_desired, &acc_granted); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + ads_status = ADS_ERROR_NT(sam_init_account(account)); + if (!ADS_ERR_OK(ads_status)) + return ads_ntstatus(ads_status); + + (*account)->access_granted = acc_granted; + + return ads_ntstatus(ads_status); +} +#else +static NTSTATUS sam_ads_get_account_by_name(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const char *account_name, SAM_ACCOUNT_HANDLE **account) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} +#endif + +/* Group API */ +static NTSTATUS sam_ads_create_group(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, uint32 access_desired, const char *group_name, uint16 group_ctrl, SAM_GROUP_HANDLE **group) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_add_group(const SAM_METHODS *sam_method, const SAM_GROUP_HANDLE *group) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_update_group(const SAM_METHODS *sam_method, const SAM_GROUP_HANDLE *group) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_delete_group(const SAM_METHODS *sam_method, const SAM_GROUP_HANDLE *group) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_enum_groups(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint16 group_ctrl, uint32 *groups_count, SAM_GROUP_ENUM **groups) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + SAM_ADS_PRIVATES *privates = (struct sam_ads_privates *)sam_method->private_data; + ADS_STRUCT *ads_struct = privates->ads_struct; + TALLOC_CTX *mem_ctx = privates->mem_ctx; + void *res = NULL; + void *msg = NULL; + char *filter = NULL; + int i = 0; + + /* get only these LDAP attributes, witch we really need for a group */ + const char *group_enum_attrs[] = {"objectSid", + "description", + "sAMAcountName", + NULL}; + + SAM_ASSERT(sam_method && access_token && groups_count && groups); + + *groups_count = 0; + + DEBUG(3,("ads: enum_dom_groups\n")); + + FIXME("get only group from the wanted Type!\n"); + asprintf(&filter, "(&(objectClass=group)(groupType=%s))", "*"); + ads_status = sam_ads_do_search(privates, ads_struct->config.bind_path, LDAP_SCOPE_SUBTREE, filter, group_enum_attrs, &res); + if (!ADS_ERR_OK(ads_status)) { + DEBUG(1,("enum_groups ads_search: %s\n", ads_errstr(ads_status))); + } + + *groups_count = ads_count_replies(ads_struct, res); + if (*groups_count == 0) { + DEBUG(1,("enum_groups: No groups found\n")); + } + + (*groups) = talloc_zero(mem_ctx, (*groups_count) * sizeof(**groups)); + if (!*groups) { + ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + for (msg = ads_first_entry(ads_struct, res); msg; msg = ads_next_entry(ads_struct, msg)) { + uint32 grouptype; + + if (!ads_pull_uint32(ads_struct, msg, "groupType", &grouptype)) { + ; + } else { + (*groups)->group_ctrl = ads_gtype2gcb(grouptype); + } + + if (!((*groups)->group_name = ads_pull_string(ads_struct, mem_ctx, msg, "sAMAccountName"))) { + ; + } + + if (!((*groups)->group_desc = ads_pull_string(ads_struct, mem_ctx, msg, "description"))) { + ; + } + + if (!ads_pull_sid(ads_struct, msg, "objectSid", &((*groups)->sid))) { + DEBUG(1,("No sid for group %s !?\n", (*groups)->group_name)); + continue; + } + + i++; + } + + (*groups_count) = i; + + ads_status = ADS_ERROR_NT(NT_STATUS_OK); + + DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*groups_count))); + + if (res) ads_msgfree(ads_struct, res); + + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_get_group_by_sid(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const DOM_SID *groupsid, SAM_GROUP_HANDLE **group) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_get_group_by_name(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const uint32 access_desired, const char *name, SAM_GROUP_HANDLE **group) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_add_member_to_group(const SAM_METHODS *sam_method, const SAM_GROUP_HANDLE *group, const SAM_GROUP_MEMBER *member) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_delete_member_from_group(const SAM_METHODS *sam_method, const SAM_GROUP_HANDLE *group, const SAM_GROUP_MEMBER *member) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_enum_groupmembers(const SAM_METHODS *sam_method, const SAM_GROUP_HANDLE *group, uint32 *members_count, SAM_GROUP_MEMBER **members) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} + +static NTSTATUS sam_ads_get_groups_of_sid(const SAM_METHODS *sam_method, const NT_USER_TOKEN *access_token, const DOM_SID **sids, const uint16 group_ctrl, uint32 *group_count, SAM_GROUP_ENUM **groups) +{ + ADS_STATUS ads_status = ADS_STATUS_NOT_IMPLEMENTED; + DEBUG(0,("sam_ads: %s was called!\n",FUNCTION_MACRO)); + SAM_ASSERT(sam_method); + return ads_ntstatus(ads_status); +} + +/********************************** +Free our private data +***********************************/ +static void sam_ads_free_private_data(void **vp) +{ + SAM_ADS_PRIVATES **sam_ads_state = (SAM_ADS_PRIVATES **)vp; + + if ((*sam_ads_state)->ads_struct->ld) { + ldap_unbind((*sam_ads_state)->ads_struct->ld); + } + + ads_destroy(&((*sam_ads_state)->ads_struct)); + + talloc_destroy((*sam_ads_state)->mem_ctx); + FIXME("maybe we must free some other stuff here\n"); + + *sam_ads_state = NULL; +} + + + +/***************************************************** +Init the ADS SAM backend +******************************************************/ +NTSTATUS sam_init_ads(SAM_METHODS *sam_method, const char *module_params) +{ + ADS_STATUS ads_status; + SAM_ADS_PRIVATES *sam_ads_state; + TALLOC_CTX *mem_ctx; + + SAM_ASSERT(sam_method && sam_method->parent); + + mem_ctx = sam_method->parent->mem_ctx; + + /* Here the SAM API functions of the sam_ads module */ + + /* General API */ + + sam_method->sam_get_sec_desc = sam_ads_get_sec_desc; + sam_method->sam_set_sec_desc = sam_ads_set_sec_desc; + + sam_method->sam_lookup_sid = sam_ads_lookup_sid; + sam_method->sam_lookup_name = sam_ads_lookup_name; + + /* Domain API */ + + sam_method->sam_update_domain = sam_ads_update_domain; + sam_method->sam_get_domain_handle = sam_ads_get_domain_handle; + + /* Account API */ + + sam_method->sam_create_account = sam_ads_create_account; + sam_method->sam_add_account = sam_ads_add_account; + sam_method->sam_update_account = sam_ads_update_account; + sam_method->sam_delete_account = sam_ads_delete_account; + sam_method->sam_enum_accounts = sam_ads_enum_accounts; + + sam_method->sam_get_account_by_sid = sam_ads_get_account_by_sid; + sam_method->sam_get_account_by_name = sam_ads_get_account_by_name; + + /* Group API */ + + sam_method->sam_create_group = sam_ads_create_group; + sam_method->sam_add_group = sam_ads_add_group; + sam_method->sam_update_group = sam_ads_update_group; + sam_method->sam_delete_group = sam_ads_delete_group; + sam_method->sam_enum_groups = sam_ads_enum_groups; + sam_method->sam_get_group_by_sid = sam_ads_get_group_by_sid; + sam_method->sam_get_group_by_name = sam_ads_get_group_by_name; + + sam_method->sam_add_member_to_group = sam_ads_add_member_to_group; + sam_method->sam_delete_member_from_group = sam_ads_delete_member_from_group; + sam_method->sam_enum_groupmembers = sam_ads_enum_groupmembers; + + sam_method->sam_get_groups_of_sid = sam_ads_get_groups_of_sid; + + sam_ads_state = talloc_zero(mem_ctx, sizeof(SAM_ADS_PRIVATES)); + if (!sam_ads_state) { + DEBUG(0, ("talloc() failed for sam_ads private_data!\n")); + return NT_STATUS_NO_MEMORY; + } + + if (!(sam_ads_state->mem_ctx = talloc_init("sam_ads_method"))) { + DEBUG(0, ("talloc_init() failed for sam_ads_state->mem_ctx\n")); + return NT_STATUS_NO_MEMORY; + } + + sam_ads_state->ads_bind_dn = talloc_strdup(sam_ads_state->mem_ctx, lp_parm_string(NULL,"sam_ads","bind as")); + sam_ads_state->ads_bind_pw = talloc_strdup(sam_ads_state->mem_ctx, lp_parm_string(NULL,"sam_ads","bind pw")); + + sam_ads_state->bind_plaintext = strequal(lp_parm_string(NULL, "sam_ads", "plaintext bind"), "yes"); + + if (!sam_ads_state->ads_bind_dn || !sam_ads_state->ads_bind_pw) { + DEBUG(0, ("talloc_strdup() failed for bind dn or password\n")); + return NT_STATUS_NO_MEMORY; + } + + /* Maybe we should not check the result here? Server down on startup? */ + + if (module_params && *module_params) { + sam_ads_state->ldap_uri = talloc_strdup(sam_ads_state->mem_ctx, module_params); + if (!sam_ads_state->ldap_uri) { + DEBUG(0, ("talloc_strdup() failed for bind dn or password\n")); + return NT_STATUS_NO_MEMORY; + } + } else { + sam_ads_state->ldap_uri = "ldapi://"; + } + + ads_status = sam_ads_cached_connection(sam_ads_state); + if (!ADS_ERR_OK(ads_status)) { + return ads_ntstatus(ads_status); + } + + sam_method->private_data = sam_ads_state; + sam_method->free_private_data = sam_ads_free_private_data; + + sam_ads_debug_level = debug_add_class("sam_ads"); + if (sam_ads_debug_level == -1) { + sam_ads_debug_level = DBGC_ALL; + DEBUG(0, ("sam_ads: Couldn't register custom debugging class!\n")); + } else DEBUG(2, ("sam_ads: Debug class number of 'sam_ads': %d\n", sam_ads_debug_level)); + + DEBUG(5, ("Initializing sam_ads\n")); + if (module_params) + DEBUG(10, ("Module Parameters for Domain %s[%s]: %s\n", sam_method->domain_name, sam_method->domain_name, module_params)); + return NT_STATUS_OK; +} + +#else /* HAVE_LDAP */ +void sam_ads_dummy(void) +{ + DEBUG(0,("sam_ads: not supported!\n")); +} +#endif /* HAVE_LDAP */ diff --git a/source4/sam/sam_plugin.c b/source4/sam/sam_plugin.c new file mode 100644 index 00000000000..fd26c4b8d3c --- /dev/null +++ b/source4/sam/sam_plugin.c @@ -0,0 +1,79 @@ +/* + Unix SMB/CIFS implementation. + Loadable san module interface. + Copyright (C) Jelmer Vernooij 2002 + Copyright (C) Andrew Bartlett 2002 + Copyright (C) Stefan (metze) Metzmacher 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_SAM + +NTSTATUS sam_init_plugin(SAM_METHODS *sam_methods, const char *module_params) +{ + void *dl_handle; + char *plugin_params, *plugin_name, *p; + sam_init_function plugin_init; + int (*plugin_version)(void); + + if (module_params == NULL) { + DEBUG(0, ("The plugin module needs an argument!\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + plugin_name = smb_xstrdup(module_params); + p = strchr(plugin_name, ':'); + if (p) { + *p = 0; + plugin_params = p+1; + trim_string(plugin_params, " ", " "); + } else plugin_params = NULL; + trim_string(plugin_name, " ", " "); + + DEBUG(5, ("Trying to load sam plugin %s\n", plugin_name)); + dl_handle = sys_dlopen(plugin_name, RTLD_NOW); + if (!dl_handle) { + DEBUG(0, ("Failed to load sam plugin %s using sys_dlopen (%s)\n", plugin_name, sys_dlerror())); + return NT_STATUS_UNSUCCESSFUL; + } + + plugin_version = sys_dlsym(dl_handle, "sam_version"); + if (!plugin_version) { + sys_dlclose(dl_handle); + DEBUG(0, ("Failed to find function 'sam_version' using sys_dlsym in sam plugin %s (%s)\n", plugin_name, sys_dlerror())); + return NT_STATUS_UNSUCCESSFUL; + } + + if (plugin_version()!=SAM_INTERFACE_VERSION) { + sys_dlclose(dl_handle); + DEBUG(0, ("Wrong SAM_INTERFACE_VERSION! sam plugin has version %d and version %d is needed! Please update!\n", + plugin_version(),SAM_INTERFACE_VERSION)); + return NT_STATUS_UNSUCCESSFUL; + } + + plugin_init = sys_dlsym(dl_handle, "sam_init"); + if (!plugin_init) { + sys_dlclose(dl_handle); + DEBUG(0, ("Failed to find function 'sam_init' using sys_dlsym in sam plugin %s (%s)\n", plugin_name, sys_dlerror())); + return NT_STATUS_UNSUCCESSFUL; + } + + DEBUG(5, ("Starting sam plugin %s with parameters %s for domain %s\n", plugin_name, plugin_params, sam_methods->domain_name)); + return plugin_init(sam_methods, plugin_params); +} diff --git a/source4/sam/sam_skel.c b/source4/sam/sam_skel.c new file mode 100644 index 00000000000..b4d64bb6da7 --- /dev/null +++ b/source4/sam/sam_skel.c @@ -0,0 +1,251 @@ +/* + Unix SMB/CIFS implementation. + this is a skeleton for SAM backend modules. + + Copyright (C) Stefan (metze) Metzmacher 2002 + Copyright (C) Jelmer Vernooij 2002 + Copyright (C) Andrew Bartlett 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +static int sam_skel_debug_level = DBGC_SAM; + +#undef DBGC_CLASS +#define DBGC_CLASS sam_skel_debug_level + +/* define the version of the SAM interface */ +SAM_MODULE_VERSIONING_MAGIC + +/* General API */ + +static NTSTATUS sam_skel_get_sec_desc(const SAM_METHODS *sam_methods, const NT_USER_TOKEN *access_token, const DOM_SID *sid, SEC_DESC **sd) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_set_sec_desc(const SAM_METHODS *sam_methods, const NT_USER_TOKEN *access_token, const DOM_SID *sid, const SEC_DESC *sd) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + + +static NTSTATUS sam_skel_lookup_sid(const SAM_METHODS *sam_methods, const NT_USER_TOKEN *access_token, TALLOC_CTX *mem_ctx, const DOM_SID *sid, char **name, uint32 *type) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_lookup_name(const SAM_METHODS *sam_methods, const NT_USER_TOKEN *access_token, const char *name, DOM_SID *sid, uint32 *type) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + + +/* Domain API */ + +static NTSTATUS sam_skel_update_domain(const SAM_METHODS *sam_methods, const SAM_DOMAIN_HANDLE *domain) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_get_domain_handle(const SAM_METHODS *sam_methods, const NT_USER_TOKEN *access_token, uint32 access_desired, SAM_DOMAIN_HANDLE **domain) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + + +/* Account API */ + +static NTSTATUS sam_skel_create_account(const SAM_METHODS *sam_methods, const NT_USER_TOKEN *access_token, uint32 access_desired, const char *account_name, uint16 acct_ctrl, SAM_ACCOUNT_HANDLE **account) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_add_account(const SAM_METHODS *sam_methods, const SAM_ACCOUNT_HANDLE *account) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_update_account(const SAM_METHODS *sam_methods, const SAM_ACCOUNT_HANDLE *account) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_delete_account(const SAM_METHODS *sam_methods, const SAM_ACCOUNT_HANDLE *account) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_enum_accounts(const SAM_METHODS *sam_methods, const NT_USER_TOKEN *access_token, uint16 acct_ctrl, uint32 *account_count, SAM_ACCOUNT_ENUM **accounts) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + + +static NTSTATUS sam_skel_get_account_by_sid(const SAM_METHODS *sam_methods, const NT_USER_TOKEN *access_token, uint32 access_desired, const DOM_SID *accountsid, SAM_ACCOUNT_HANDLE **account) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_get_account_by_name(const SAM_METHODS *sam_methods, const NT_USER_TOKEN *access_token, uint32 access_desired, const char *name, SAM_ACCOUNT_HANDLE **account) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + + +/* Group API */ + +static NTSTATUS sam_skel_create_group(const SAM_METHODS *sam_methods, const NT_USER_TOKEN *access_token, uint32 access_desired, const char *account_name, uint16 group_ctrl, SAM_GROUP_HANDLE **group) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_add_group(const SAM_METHODS *sam_methods, const SAM_GROUP_HANDLE *group) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_update_group(const SAM_METHODS *sam_methods, const SAM_GROUP_HANDLE *group) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_delete_group(const SAM_METHODS *sam_methods, const SAM_GROUP_HANDLE *group) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_enum_groups(const SAM_METHODS *sam_methods, const NT_USER_TOKEN *access_token, uint16 group_ctrl, uint32 *groups_count, SAM_GROUP_ENUM **groups) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_get_group_by_sid(const SAM_METHODS *sam_methods, const NT_USER_TOKEN *access_token, uint32 access_desired, const DOM_SID *groupsid, SAM_GROUP_HANDLE **group) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_get_group_by_name(const SAM_METHODS *sam_methods, const NT_USER_TOKEN *access_token, uint32 access_desired, const char *name, SAM_GROUP_HANDLE **group) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + + +static NTSTATUS sam_skel_add_member_to_group(const SAM_METHODS *sam_methods, const SAM_GROUP_HANDLE *group, const SAM_GROUP_MEMBER *member) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_delete_member_from_group(const SAM_METHODS *sam_methods, const SAM_GROUP_HANDLE *group, const SAM_GROUP_MEMBER *member) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS sam_skel_enum_groupmembers(const SAM_METHODS *sam_methods, const SAM_GROUP_HANDLE *group, uint32 *members_count, SAM_GROUP_MEMBER **members) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + + +static NTSTATUS sam_skel_get_groups_of_sid(const SAM_METHODS *sam_methods, const NT_USER_TOKEN *access_token, const DOM_SID **sids, uint16 group_ctrl, uint32 *group_count, SAM_GROUP_ENUM **groups) +{ + DEBUG(0,("sam_skel: %s was called!\n",FUNCTION_MACRO)); + return NT_STATUS_NOT_IMPLEMENTED; +} + +NTSTATUS sam_init_skel(SAM_METHODS *sam_methods, const char *module_params) +{ + /* Functions your SAM module doesn't provide should be set + * to NULL */ + + sam_methods->sam_get_sec_desc = sam_skel_get_sec_desc; + sam_methods->sam_set_sec_desc = sam_skel_set_sec_desc; + + sam_methods->sam_lookup_sid = sam_skel_lookup_sid; + sam_methods->sam_lookup_name = sam_skel_lookup_name; + + /* Domain API */ + + sam_methods->sam_update_domain = sam_skel_update_domain; + sam_methods->sam_get_domain_handle = sam_skel_get_domain_handle; + + /* Account API */ + + sam_methods->sam_create_account = sam_skel_create_account; + sam_methods->sam_add_account = sam_skel_add_account; + sam_methods->sam_update_account = sam_skel_update_account; + sam_methods->sam_delete_account = sam_skel_delete_account; + sam_methods->sam_enum_accounts = sam_skel_enum_accounts; + + sam_methods->sam_get_account_by_sid = sam_skel_get_account_by_sid; + sam_methods->sam_get_account_by_name = sam_skel_get_account_by_name; + + /* Group API */ + + sam_methods->sam_create_group = sam_skel_create_group; + sam_methods->sam_add_group = sam_skel_add_group; + sam_methods->sam_update_group = sam_skel_update_group; + sam_methods->sam_delete_group = sam_skel_delete_group; + sam_methods->sam_enum_groups = sam_skel_enum_groups; + sam_methods->sam_get_group_by_sid = sam_skel_get_group_by_sid; + sam_methods->sam_get_group_by_name = sam_skel_get_group_by_name; + + sam_methods->sam_add_member_to_group = sam_skel_add_member_to_group; + sam_methods->sam_delete_member_from_group = sam_skel_delete_member_from_group; + sam_methods->sam_enum_groupmembers = sam_skel_enum_groupmembers; + + sam_methods->sam_get_groups_of_sid = sam_skel_get_groups_of_sid; + + sam_methods->free_private_data = NULL; + + + sam_skel_debug_level = debug_add_class("sam_skel"); + if (sam_skel_debug_level == -1) { + sam_skel_debug_level = DBGC_SAM; + DEBUG(0, ("sam_skel: Couldn't register custom debugging class!\n")); + } else DEBUG(2, ("sam_skel: Debug class number of 'sam_skel': %d\n", sam_skel_debug_level)); + + if(module_params) + DEBUG(0, ("Starting 'sam_skel' with parameters '%s' for domain %s\n", module_params, sam_methods->domain_name)); + else + DEBUG(0, ("Starting 'sam_skel' for domain %s without paramters\n", sam_methods->domain_name)); + + return NT_STATUS_OK; +} |