svn commit: samba r20824 - in branches/SAMBA_3_0/source: . auth
include nsswitch passdb rpc_server utils
Wilco Baan Hofman
wilco at baanhofman.nl
Tue Jan 16 10:22:38 GMT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Does this mean all pdb_backends *must* be updated for trust domains to
work?
It seems so, from looking at the patch.
Regards,
Wilco Baan Hofman
vlendec at samba.org wrote:
> Author: vlendec
> Date: 2007-01-16 08:17:26 +0000 (Tue, 16 Jan 2007)
> New Revision: 20824
>
> WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=20824
>
> Log:
> Send access to the trusted domain passwords through the pdb backend, so that
> in the next step we can store them in LDAP to be replicated across DCs.
>
> Thanks to Michael Adam <ma at sernet.de>
>
> Volker
>
> Modified:
> branches/SAMBA_3_0/source/Makefile.in
> branches/SAMBA_3_0/source/auth/auth_domain.c
> branches/SAMBA_3_0/source/auth/auth_util.c
> branches/SAMBA_3_0/source/include/passdb.h
> branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c
> branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c
> branches/SAMBA_3_0/source/passdb/lookup_sid.c
> branches/SAMBA_3_0/source/passdb/passdb.c
> branches/SAMBA_3_0/source/passdb/pdb_interface.c
> branches/SAMBA_3_0/source/passdb/secrets.c
> branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c
> branches/SAMBA_3_0/source/utils/net_rpc.c
>
>
> Changeset:
> Modified: branches/SAMBA_3_0/source/Makefile.in
> ===================================================================
> --- branches/SAMBA_3_0/source/Makefile.in 2007-01-16 01:36:15 UTC (rev 20823)
> +++ branches/SAMBA_3_0/source/Makefile.in 2007-01-16 08:17:26 UTC (rev 20824)
> @@ -536,6 +536,7 @@
> $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) \
> rpc_client/cli_pipe.o $(RPC_PARSE_OBJ2) \
> $(RPC_CLIENT_OBJ1) \
> + $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(LDB_OBJ) $(GROUPDB_OBJ) \
> $(LIBMSRPC_GEN_OBJ)
>
> TESTPARM_OBJ = utils/testparm.o \
> @@ -607,6 +608,7 @@
> CLIENT_OBJ = $(CLIENT_OBJ1) $(PARAM_OBJ) $(LIBSMB_OBJ) \
> $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(LIBMSRPC_GEN_OBJ) \
> $(READLINE_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) \
> + $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(LDB_OBJ) \
> $(DISPLAY_SEC_OBJ)
>
> TOOL_OBJ = client/smbctool.o client/clitar.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
>
> Modified: branches/SAMBA_3_0/source/auth/auth_domain.c
> ===================================================================
> --- branches/SAMBA_3_0/source/auth/auth_domain.c 2007-01-16 01:36:15 UTC (rev 20823)
> +++ branches/SAMBA_3_0/source/auth/auth_domain.c 2007-01-16 08:17:26 UTC (rev 20824)
> @@ -408,8 +408,8 @@
> * No need to become_root() as secrets_init() is done at startup.
> */
>
> - if (!secrets_fetch_trusted_domain_password(user_info->domain, &trust_password,
> - &sid, &last_change_time)) {
> + if (!pdb_get_trusteddom_pw(user_info->domain, &trust_password,
> + &sid, &last_change_time)) {
> DEBUG(0, ("check_trustdomain_security: could not fetch trust "
> "account password for domain %s\n",
> user_info->domain));
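Review bot: The context comment directly above the replaced call, `No need to become_root() as secrets_init() is done at startup.`, justifies skipping privilege elevation by a property of secrets.tdb, but the call now dispatches to whichever passdb backend is configured, and the same pdb_get_trusteddom_pw call in auth_util.c is wrapped in become_root()/unbecome_root() in this very commit. If the LDAP-backed implementation announced in the log needs elevated access, this authentication path would start failing with only the DEBUG(0) message shown here. Either wrap the call as auth_util.c does, or reword the comment to make the assumption explicit, e.g. `/* Assumes the passdb backend can fetch trust passwords unprivileged; holds for secrets.tdb, revisit for LDAP-backed trusts. */`. check_trustdomain_security starts and ends outside this hunk.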
>
> Modified: branches/SAMBA_3_0/source/auth/auth_util.c
> ===================================================================
> --- branches/SAMBA_3_0/source/auth/auth_util.c 2007-01-16 01:36:15 UTC (rev 20823)
> +++ branches/SAMBA_3_0/source/auth/auth_util.c 2007-01-16 08:17:26 UTC (rev 20824)
> @@ -2142,8 +2142,7 @@
> become_root();
> DEBUG (5,("is_trusted_domain: Checking for domain trust with "
> "[%s]\n", dom_name ));
> - ret = secrets_fetch_trusted_domain_password(dom_name, NULL,
> - NULL, NULL);
> + ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
> unbecome_root();
> if (ret)
> return True;
>
> Modified: branches/SAMBA_3_0/source/include/passdb.h
> ===================================================================
> --- branches/SAMBA_3_0/source/include/passdb.h 2007-01-16 01:36:15 UTC (rev 20823)
> +++ branches/SAMBA_3_0/source/include/passdb.h 2007-01-16 08:17:26 UTC (rev 20824)
> @@ -403,6 +403,19 @@
> BOOL (*rid_algorithm)(struct pdb_methods *methods);
> BOOL (*new_rid)(struct pdb_methods *methods, uint32 *rid);
>
> +
> + BOOL (*get_trusteddom_pw)(struct pdb_methods *methods,
> + const char *domain, char** pwd,
> + DOM_SID *sid, time_t *pass_last_set_time);
> + BOOL (*set_trusteddom_pw)(struct pdb_methods *methods,
> + const char* domain, const char* pwd,
> + const DOM_SID *sid);
> + BOOL (*del_trusteddom_pw)(struct pdb_methods *methods,
> + const char *domain);
> + NTSTATUS (*enum_trusteddoms)(struct pdb_methods *methods,
> + TALLOC_CTX *mem_ctx, uint32 *num_domains,
> + struct trustdom_info ***domains);
> +
> void *private_data; /* Private data of some kind */
>
> void (*free_private_data)(void **);
>
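Review bot: The four new method pointers carry no contract documentation, yet the callers added in this commit already depend on unstated details: auth_util.c and lookup_sid.c pass NULL for pwd, sid and pass_last_set_time, so every backend has to treat each out-parameter as optional, and passdb.c releases `*pwd` with SAFE_FREE, so the backend must hand back a malloc'd cleartext string owned by the caller. A backend author reading only this header (the log says an LDAP implementation is next) would have to discover both by reading callers. Suggest a block comment above get_trusteddom_pw stating that pwd, sid and pass_last_set_time may each be NULL when the caller only wants an existence check, that `*pwd` is a cleartext password the caller must SAFE_FREE, and that set_trusteddom_pw receives the cleartext password to persist. struct pdb_methods begins outside this hunk.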
> Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c
> ===================================================================
> --- branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c 2007-01-16 01:36:15 UTC (rev 20823)
> +++ branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c 2007-01-16 08:17:26 UTC (rev 20824)
> @@ -81,7 +81,7 @@
> DOM_SID sid;
> time_t last_set_time;
>
> - if ( !secrets_fetch_trusted_domain_password( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
> + if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
> ads_destroy( &ads );
> return NULL;
> }
>
> Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c
> ===================================================================
> --- branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c 2007-01-16 01:36:15 UTC (rev 20823)
> +++ branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c 2007-01-16 08:17:26 UTC (rev 20824)
> @@ -541,8 +541,7 @@
> return NT_STATUS_NO_MEMORY;
> }
>
> - nt_status = secrets_trusted_domains(tmp_ctx, num_domains,
> - &domains);
> + nt_status = pdb_enum_trusteddoms(tmp_ctx, num_domains, &domains);
> if (!NT_STATUS_IS_OK(nt_status)) {
> TALLOC_FREE(tmp_ctx);
> return nt_status;
>
> Modified: branches/SAMBA_3_0/source/passdb/lookup_sid.c
> ===================================================================
> --- branches/SAMBA_3_0/source/passdb/lookup_sid.c 2007-01-16 01:36:15 UTC (rev 20823)
> +++ branches/SAMBA_3_0/source/passdb/lookup_sid.c 2007-01-16 08:17:26 UTC (rev 20824)
> @@ -178,8 +178,7 @@
> /* 5. Trusted domains as such, to me it looks as if members don't do
> this, tested an XP workstation in a NT domain -- vl */
>
> - if (IS_DC && (secrets_fetch_trusted_domain_password(name, NULL,
> - &sid, NULL))) {
> + if (IS_DC && (pdb_get_trusteddom_pw(name, NULL, &sid, NULL))) {
> /* Swap domain and name */
> tmp = name; name = domain; domain = tmp;
> type = SID_NAME_DOMAIN;
> @@ -581,9 +580,9 @@
> * and for SIDs that have 4 sub-authorities and thus look like
> * domains */
>
> - if (!NT_STATUS_IS_OK(secrets_trusted_domains(mem_ctx,
> - &num_domains,
> - &domains))) {
> + if (!NT_STATUS_IS_OK(pdb_enum_trusteddoms(mem_ctx,
> + &num_domains,
> + &domains))) {
> return False;
> }
>
>
> Modified: branches/SAMBA_3_0/source/passdb/passdb.c
> ===================================================================
> --- branches/SAMBA_3_0/source/passdb/passdb.c 2007-01-16 01:36:15 UTC (rev 20823)
> +++ branches/SAMBA_3_0/source/passdb/passdb.c 2007-01-16 08:17:26 UTC (rev 20824)
> @@ -1523,3 +1523,46 @@
>
> return True;
> }
> +
> +
> +/*******************************************************************
> + Wrapper around retrieving the trust account password
> +*******************************************************************/
> +
> +BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
> +{
> + DOM_SID sid;
> + char *pwd;
> + time_t last_set_time;
> +
> + /* if we are a DC and this is not our domain, then lookup an account
> + for the domain trust */
> +
> + if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() ) {
> + if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &last_set_time)) {
> + DEBUG(0, ("get_trust_pw: could not fetch trust "
> + "account password for trusted domain %s\n",
> + domain));
> + return False;
> + }
> +
> + *channel = SEC_CHAN_DOMAIN;
> + E_md4hash(pwd, ret_pwd);
> + SAFE_FREE(pwd);
> +
> + return True;
> + }
> +
> + /* Just get the account for the requested domain. In the future this
> + * might also cover to be member of more than one domain. */
> +
> + if (secrets_fetch_trust_account_password(domain, ret_pwd,
> + &last_set_time, channel))
> + return True;
> +
> + DEBUG(5, ("get_trust_pw: could not fetch trust account "
> + "password for domain %s\n", domain));
> + return False;
> +}
> +
> +/* END */
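Review bot: get_trust_pw frees the cleartext trust password immediately after hashing it (`SAFE_FREE(pwd);`) without clearing the buffer, so the cleartext lingers in freed heap memory of every process that now links this code, which the Makefile changes extend to several more binaries. Wipe it first, e.g. `memset(pwd, 0, strlen(pwd));` on the line before `SAFE_FREE(pwd);` — and since a plain memset right before free can be optimized away, prefer whatever secure-wipe helper the tree already provides, if one exists. The function is a verbatim move from secrets.c, so this is pre-existing, but the move is a natural moment to fix it; the other pdb_get_trusteddom_pw callers that own a cleartext copy are outside this hunk.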
>
> Modified: branches/SAMBA_3_0/source/passdb/pdb_interface.c
> ===================================================================
> --- branches/SAMBA_3_0/source/passdb/pdb_interface.c 2007-01-16 01:36:15 UTC (rev 20823)
> +++ branches/SAMBA_3_0/source/passdb/pdb_interface.c 2007-01-16 08:17:26 UTC (rev 20824)
> @@ -1997,6 +1997,77 @@
> }
>
> /*******************************************************************
> + trustodm methods
> + *******************************************************************/
> +
> +BOOL pdb_get_trusteddom_pw(const char *domain, char** pwd, DOM_SID *sid,
> + time_t *pass_last_set_time)
> +{
> + struct pdb_methods *pdb = pdb_get_methods();
> + return pdb->get_trusteddom_pw(pdb, domain, pwd, sid,
> + pass_last_set_time);
> +}
> +
> +BOOL pdb_set_trusteddom_pw(const char* domain, const char* pwd,
> + const DOM_SID *sid)
> +{
> + struct pdb_methods *pdb = pdb_get_methods();
> + return pdb->set_trusteddom_pw(pdb, domain, pwd, sid);
> +}
> +
> +BOOL pdb_del_trusteddom_pw(const char *domain)
> +{
> + struct pdb_methods *pdb = pdb_get_methods();
> + return pdb->del_trusteddom_pw(pdb, domain);
> +}
> +
> +NTSTATUS pdb_enum_trusteddoms(TALLOC_CTX *mem_ctx, uint32 *num_domains,
> + struct trustdom_info ***domains)
> +{
> + struct pdb_methods *pdb = pdb_get_methods();
> + return pdb->enum_trusteddoms(pdb, mem_ctx, num_domains, domains);
> +}
> +
> +/*******************************************************************
> + the defaults for trustdom methods:
> + these simply call the original passdb/secrets.c actions,
> + to be replaced by pdb_ldap.
> + *******************************************************************/
> +
> +static BOOL pdb_default_get_trusteddom_pw(struct pdb_methods *methods,
> + const char *domain,
> + char** pwd,
> + DOM_SID *sid,
> + time_t *pass_last_set_time)
> +{
> + return secrets_fetch_trusted_domain_password(domain, pwd,
> + sid, pass_last_set_time);
> +
> +}
> +
> +static BOOL pdb_default_set_trusteddom_pw(struct pdb_methods *methods,
> + const char* domain,
> + const char* pwd,
> + const DOM_SID *sid)
> +{
> + return secrets_store_trusted_domain_password(domain, pwd, sid);
> +}
> +
> +static BOOL pdb_default_del_trusteddom_pw(struct pdb_methods *methods,
> + const char *domain)
> +{
> + return trusted_domain_password_delete(domain);
> +}
> +
> +static NTSTATUS pdb_default_enum_trusteddoms(struct pdb_methods *methods,
> + TALLOC_CTX *mem_ctx,
> + uint32 *num_domains,
> + struct trustdom_info ***domains)
> +{
> + return secrets_trusted_domains(mem_ctx, num_domains, domains);
> +}
> +
> +/*******************************************************************
> Create a pdb_methods structure and initialize it with the default
> operations. In this way a passdb module can simply implement
> the functionality it cares about. However, normally this is done
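Review bot: The new dispatchers pdb_get_trusteddom_pw, pdb_set_trusteddom_pw, pdb_del_trusteddom_pw and pdb_enum_trusteddoms call the backend's method pointer unconditionally; any backend whose pdb_methods is not populated through make_pdb_method (if such a module exists out of tree) would presumably have NULL here and crash inside an authentication path such as is_trusted_domain or check_trustdomain_security. A one-line guard per dispatcher, e.g. `if (pdb->get_trusteddom_pw == NULL) return False;` (and `NT_STATUS_NOT_IMPLEMENTED` for the enum variant), keeps a mis-built module from taking down smbd instead of merely disabling trusts. The banner comment also has a typo: `trustodm methods` should read `trustdom methods`.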
> @@ -2060,5 +2131,10 @@
> (*methods)->search_groups = pdb_default_search_groups;
> (*methods)->search_aliases = pdb_default_search_aliases;
>
> + (*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
> + (*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
> + (*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
> + (*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
> +
> return NT_STATUS_OK;
> }
>
> Modified: branches/SAMBA_3_0/source/passdb/secrets.c
> ===================================================================
> --- branches/SAMBA_3_0/source/passdb/secrets.c 2007-01-16 01:36:15 UTC (rev 20823)
> +++ branches/SAMBA_3_0/source/passdb/secrets.c 2007-01-16 08:17:26 UTC (rev 20824)
> @@ -655,47 +655,6 @@
> return ret;
> }
>
> -/*******************************************************************
> - Wrapper around retrieving the trust account password
> -*******************************************************************/
> -
> -BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
> -{
> - DOM_SID sid;
> - char *pwd;
> - time_t last_set_time;
> -
> - /* if we are a DC and this is not our domain, then lookup an account
> - for the domain trust */
> -
> - if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() ) {
> - if (!secrets_fetch_trusted_domain_password(domain, &pwd, &sid,
> - &last_set_time)) {
> - DEBUG(0, ("get_trust_pw: could not fetch trust "
> - "account password for trusted domain %s\n",
> - domain));
> - return False;
> - }
> -
> - *channel = SEC_CHAN_DOMAIN;
> - E_md4hash(pwd, ret_pwd);
> - SAFE_FREE(pwd);
> -
> - return True;
> - }
> -
> - /* Just get the account for the requested domain. In the future this
> - * might also cover to be member of more than one domain. */
> -
> - if (secrets_fetch_trust_account_password(domain, ret_pwd,
> - &last_set_time, channel))
> - return True;
> -
> - DEBUG(5, ("get_trust_pw: could not fetch trust account "
> - "password for domain %s\n", domain));
> - return False;
> -}
> -
> /************************************************************************
> Routine to delete the machine trust account password file for a domain.
> ************************************************************************/
>
> Modified: branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c
> ===================================================================
> --- branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c 2007-01-16 01:36:15 UTC (rev 20823)
> +++ branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c 2007-01-16 08:17:26 UTC (rev 20824)
> @@ -648,8 +648,7 @@
> if (!(info->access & POLICY_VIEW_LOCAL_INFORMATION))
> return NT_STATUS_ACCESS_DENIED;
>
> - nt_status = secrets_trusted_domains(p->mem_ctx, &num_domains,
> - &domains);
> + nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
>
> if (!NT_STATUS_IS_OK(nt_status)) {
> return nt_status;
>
> Modified: branches/SAMBA_3_0/source/utils/net_rpc.c
> ===================================================================
> --- branches/SAMBA_3_0/source/utils/net_rpc.c 2007-01-16 01:36:15 UTC (rev 20823)
> +++ branches/SAMBA_3_0/source/utils/net_rpc.c 2007-01-16 08:17:26 UTC (rev 20824)
> @@ -5604,9 +5604,7 @@
> * Store the password in secrets db
> */
>
> - if (!secrets_store_trusted_domain_password(domain_name,
> - opt_password,
> - domain_sid)) {
> + if (!pdb_set_trusteddom_pw(domain_name, opt_password, domain_sid)) {
> DEBUG(0, ("Storing password for trusted domain failed.\n"));
> cli_shutdown(cli);
> return -1;
> @@ -5644,6 +5642,7 @@
> static int rpc_trustdom_revoke(int argc, const char **argv)
> {
> char* domain_name;
> + int rc = -1;
>
> if (argc < 1) return -1;
>
> @@ -5652,13 +5651,16 @@
> strupper_m(domain_name);
>
> /* delete password of the trust */
> - if (!trusted_domain_password_delete(domain_name)) {
> + if (!pdb_del_trusteddom_pw(domain_name)) {
> DEBUG(0, ("Failed to revoke relationship to the trusted domain %s\n",
> domain_name));
> - return -1;
> + goto done;
> };
>
> - return 0;
> + rc = 0;
> +done:
> + SAFE_FREE(domain_name);
> + return rc;
> }
>
> /**
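Review bot: The closing brace of the `if (!pdb_del_trusteddom_pw(domain_name))` block in rpc_trustdom_revoke is followed by a stray semicolon (`};`), which is harmless but reads as an empty statement and trips some compiler warnings; drop it so the line is just `}`. The added `goto done` / `SAFE_FREE(domain_name)` path is otherwise a clean fix, assuming domain_name is heap-allocated by the lines between the `argc < 1` check and strupper_m, which are outside this hunk.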
> @@ -5744,9 +5746,7 @@
> goto done;
> }
>
> - if (!secrets_store_trusted_domain_password(trusted_dom_name,
> - cleartextpwd,
> - &dom_sid)) {
> + if (!pdb_set_trusteddom_pw(trusted_dom_name, cleartextpwd, &dom_sid)) {
> DEBUG(0, ("Storing password for trusted domain failed.\n"));
> nt_status = NT_STATUS_UNSUCCESSFUL;
> goto done;
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFrKdu1C6FlsCYaHURAsFyAJ9ZZg7XEWCDJs0lFSmGUrOObekxuwCgtE3N
I6qEZwWE2WJxDutx+/jYIi8=
=/CWM
-----END PGP SIGNATURE-----