svn commit: samba r20824 - in branches/SAMBA_3_0/source: . auth include nsswitch passdb rpc_server utils

Michael Adam ma at sernet.de
Tue Jan 16 12:36:03 GMT 2007


Hi Wilco,

On Tue, Jan 16, 2007 at 11:22:38AM +0100, Wilco Baan Hofman wrote:
> Does this mean all pdb_backends *must* be updated for trust domains to
> work?

No, the default actions installed in pdb_interface.c just call
the former functions from passdb/secrets.c. This only introduces
another layer. A pdb backend *can* provide its own implementation
for pdb_{get,set,del}_trusteddom_pw and pdb_enum_trusteddoms.
If it doesn't (like in the patch), the behaviour remains unchanged.

I am now working on implementations for pdb_ldap to allow for
replication of trusted domain passwords in pdc/bdc setups.

Regards, Michael

> vlendec at samba.org wrote:
> > Author: vlendec
> > Date: 2007-01-16 08:17:26 +0000 (Tue, 16 Jan 2007)
> > New Revision: 20824
> > 
> > WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=20824
> > 
> > Log:
> > Send access to the trusted domain passwords through the pdb backend, so that
> > in the next step we can store them in LDAP to be replicated across DCs.
> > 
> > Thanks to Michael Adam <ma at sernet.de>
> > 
> > Volker
> > 
> > Modified:
> >    branches/SAMBA_3_0/source/Makefile.in
> >    branches/SAMBA_3_0/source/auth/auth_domain.c
> >    branches/SAMBA_3_0/source/auth/auth_util.c
> >    branches/SAMBA_3_0/source/include/passdb.h
> >    branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c
> >    branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c
> >    branches/SAMBA_3_0/source/passdb/lookup_sid.c
> >    branches/SAMBA_3_0/source/passdb/passdb.c
> >    branches/SAMBA_3_0/source/passdb/pdb_interface.c
> >    branches/SAMBA_3_0/source/passdb/secrets.c
> >    branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c
> >    branches/SAMBA_3_0/source/utils/net_rpc.c
> > 
> > 
> > Changeset:
> > Modified: branches/SAMBA_3_0/source/Makefile.in
> > ===================================================================
> > --- branches/SAMBA_3_0/source/Makefile.in	2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/Makefile.in	2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -536,6 +536,7 @@
> >  	     $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) \
> >               rpc_client/cli_pipe.o $(RPC_PARSE_OBJ2) \
> >               $(RPC_CLIENT_OBJ1) \
> > +	     $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(LDB_OBJ) $(GROUPDB_OBJ) \
> >               $(LIBMSRPC_GEN_OBJ)
> >  
> >  TESTPARM_OBJ = utils/testparm.o \
> > @@ -607,6 +608,7 @@
> >  CLIENT_OBJ = $(CLIENT_OBJ1) $(PARAM_OBJ) $(LIBSMB_OBJ) \
> >  	     $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(LIBMSRPC_GEN_OBJ) \
> >               $(READLINE_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) \
> > +             $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(LDB_OBJ) \
> >  	     $(DISPLAY_SEC_OBJ)
> >  
> >  TOOL_OBJ = client/smbctool.o client/clitar.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
> > 
> > Modified: branches/SAMBA_3_0/source/auth/auth_domain.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/auth/auth_domain.c	2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/auth/auth_domain.c	2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -408,8 +408,8 @@
> >  	 * No need to become_root() as secrets_init() is done at startup.
> >  	 */
> >  
> > -	if (!secrets_fetch_trusted_domain_password(user_info->domain, &trust_password,
> > -				&sid, &last_change_time)) {
> > +	if (!pdb_get_trusteddom_pw(user_info->domain, &trust_password,
> > +				   &sid, &last_change_time)) {
> >  		DEBUG(0, ("check_trustdomain_security: could not fetch trust "
> >  			  "account password for domain %s\n",
> >  			  user_info->domain));
> > 
> > Modified: branches/SAMBA_3_0/source/auth/auth_util.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/auth/auth_util.c	2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/auth/auth_util.c	2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -2142,8 +2142,7 @@
> >  		become_root();
> >  		DEBUG (5,("is_trusted_domain: Checking for domain trust with "
> >  			  "[%s]\n", dom_name ));
> > -		ret = secrets_fetch_trusted_domain_password(dom_name, NULL,
> > -							    NULL, NULL);
> > +		ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
> >  		unbecome_root();
> >  		if (ret)
> >  			return True;
> > 
> > Modified: branches/SAMBA_3_0/source/include/passdb.h
> > ===================================================================
> > --- branches/SAMBA_3_0/source/include/passdb.h	2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/include/passdb.h	2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -403,6 +403,19 @@
> >  	BOOL (*rid_algorithm)(struct pdb_methods *methods);
> >  	BOOL (*new_rid)(struct pdb_methods *methods, uint32 *rid);
> >  
> > +
> > +	BOOL (*get_trusteddom_pw)(struct pdb_methods *methods,
> > +				  const char *domain, char** pwd, 
> > +				  DOM_SID *sid, time_t *pass_last_set_time);
> > +	BOOL (*set_trusteddom_pw)(struct pdb_methods *methods, 
> > +				  const char* domain, const char* pwd,
> > +	        	  	  const DOM_SID *sid);
> > +	BOOL (*del_trusteddom_pw)(struct pdb_methods *methods, 
> > +				  const char *domain);
> > +	NTSTATUS (*enum_trusteddoms)(struct pdb_methods *methods,
> > +				     TALLOC_CTX *mem_ctx, uint32 *num_domains,
> > +				     struct trustdom_info ***domains);
> > +
> >  	void *private_data;  /* Private data of some kind */
> >  	
> >  	void (*free_private_data)(void **);
> > 
> > Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c	2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c	2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -81,7 +81,7 @@
> >  		DOM_SID sid;
> >  		time_t last_set_time;
> >  
> > -		if ( !secrets_fetch_trusted_domain_password( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
> > +		if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
> >  			ads_destroy( &ads );
> >  			return NULL;
> >  		}
> > 
> > Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c	2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c	2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -541,8 +541,7 @@
> >  		return NT_STATUS_NO_MEMORY;
> >  	}
> >  
> > -	nt_status = secrets_trusted_domains(tmp_ctx, num_domains,
> > -					    &domains);
> > +	nt_status = pdb_enum_trusteddoms(tmp_ctx, num_domains, &domains);
> >  	if (!NT_STATUS_IS_OK(nt_status)) {
> >  		TALLOC_FREE(tmp_ctx);
> >  		return nt_status;
> > 
> > Modified: branches/SAMBA_3_0/source/passdb/lookup_sid.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/passdb/lookup_sid.c	2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/passdb/lookup_sid.c	2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -178,8 +178,7 @@
> >  	/* 5. Trusted domains as such, to me it looks as if members don't do
> >                this, tested an XP workstation in a NT domain -- vl */
> >  
> > -	if (IS_DC && (secrets_fetch_trusted_domain_password(name, NULL,
> > -							    &sid, NULL))) {
> > +	if (IS_DC && (pdb_get_trusteddom_pw(name, NULL, &sid, NULL))) {
> >  		/* Swap domain and name */
> >  		tmp = name; name = domain; domain = tmp;
> >  		type = SID_NAME_DOMAIN;
> > @@ -581,9 +580,9 @@
> >  		 * and for SIDs that have 4 sub-authorities and thus look like
> >  		 * domains */
> >  
> > -		if (!NT_STATUS_IS_OK(secrets_trusted_domains(mem_ctx,
> > -							     &num_domains,
> > -							     &domains))) {
> > +		if (!NT_STATUS_IS_OK(pdb_enum_trusteddoms(mem_ctx,
> > +						          &num_domains,
> > +						          &domains))) {
> >  			return False;
> >  		}
> >  
> > 
> > Modified: branches/SAMBA_3_0/source/passdb/passdb.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/passdb/passdb.c	2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/passdb/passdb.c	2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -1523,3 +1523,46 @@
> >  
> >  	return True;
> >  }
> > +
> > +
> > +/*******************************************************************
> > + Wrapper around retrieving the trust account password
> > +*******************************************************************/
> > +
> > +BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
> > +{
> > +	DOM_SID sid;
> > +	char *pwd;
> > +	time_t last_set_time;
> > +                                                                                                                     
> > +	/* if we are a DC and this is not our domain, then lookup an account
> > +		for the domain trust */
> > +                                                                                                                     
> > +	if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() ) {
> > +		if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &last_set_time)) {
> > +			DEBUG(0, ("get_trust_pw: could not fetch trust "
> > +				"account password for trusted domain %s\n",
> > +				domain));
> > +			return False;
> > +		}
> > +                                                                                                                     
> > +		*channel = SEC_CHAN_DOMAIN;
> > +		E_md4hash(pwd, ret_pwd);
> > +		SAFE_FREE(pwd);
> > +
> > +		return True;
> > +	}
> > +                                                                                                                     
> > +	/* Just get the account for the requested domain. In the future this
> > +	 * might also cover to be member of more than one domain. */
> > +                                                                                                                     
> > +	if (secrets_fetch_trust_account_password(domain, ret_pwd,
> > +						&last_set_time, channel))
> > +		return True;
> > +
> > +	DEBUG(5, ("get_trust_pw: could not fetch trust account "
> > +		"password for domain %s\n", domain));
> > +	return False;
> > +}
> > +
> > +/* END */
> > 
> > Modified: branches/SAMBA_3_0/source/passdb/pdb_interface.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/passdb/pdb_interface.c	2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/passdb/pdb_interface.c	2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -1997,6 +1997,77 @@
> >  }
> >  
> >  /*******************************************************************
> > + trustodm methods
> > + *******************************************************************/
> > +
> > +BOOL pdb_get_trusteddom_pw(const char *domain, char** pwd, DOM_SID *sid, 
> > +			   time_t *pass_last_set_time)
> > +{
> > +	struct pdb_methods *pdb = pdb_get_methods();
> > +	return pdb->get_trusteddom_pw(pdb, domain, pwd, sid, 
> > +			pass_last_set_time);
> > +}
> > +
> > +BOOL pdb_set_trusteddom_pw(const char* domain, const char* pwd,
> > +			   const DOM_SID *sid)
> > +{
> > +	struct pdb_methods *pdb = pdb_get_methods();
> > +	return pdb->set_trusteddom_pw(pdb, domain, pwd, sid);
> > +}
> > +
> > +BOOL pdb_del_trusteddom_pw(const char *domain)
> > +{
> > +	struct pdb_methods *pdb = pdb_get_methods();
> > +	return pdb->del_trusteddom_pw(pdb, domain);
> > +}
> > +
> > +NTSTATUS pdb_enum_trusteddoms(TALLOC_CTX *mem_ctx, uint32 *num_domains,
> > +			      struct trustdom_info ***domains)
> > +{
> > +	struct pdb_methods *pdb = pdb_get_methods();
> > +	return pdb->enum_trusteddoms(pdb, mem_ctx, num_domains, domains);
> > +}
> > +
> > +/*******************************************************************
> > + the defaults for trustdom methods: 
> > + these simply call the original passdb/secrets.c actions,
> > + to be replaced by pdb_ldap.
> > + *******************************************************************/
> > +
> > +static BOOL pdb_default_get_trusteddom_pw(struct pdb_methods *methods,
> > +					  const char *domain, 
> > +					  char** pwd, 
> > +					  DOM_SID *sid, 
> > +	        	 		  time_t *pass_last_set_time)
> > +{
> > +	return secrets_fetch_trusted_domain_password(domain, pwd,
> > +				sid, pass_last_set_time);
> > +
> > +}
> > +
> > +static BOOL pdb_default_set_trusteddom_pw(struct pdb_methods *methods, 
> > +					  const char* domain, 
> > +					  const char* pwd,
> > +	        	  		  const DOM_SID *sid)
> > +{
> > +	return secrets_store_trusted_domain_password(domain, pwd, sid);
> > +}
> > +
> > +static BOOL pdb_default_del_trusteddom_pw(struct pdb_methods *methods, 
> > +					  const char *domain)
> > +{
> > +	return trusted_domain_password_delete(domain);
> > +}
> > +
> > +static NTSTATUS pdb_default_enum_trusteddoms(struct pdb_methods *methods,
> > +					     TALLOC_CTX *mem_ctx, 
> > +					     uint32 *num_domains,
> > +					     struct trustdom_info ***domains)
> > +{
> > +	return secrets_trusted_domains(mem_ctx, num_domains, domains);
> > +}
> > +
> > +/*******************************************************************
> >   Create a pdb_methods structure and initialize it with the default
> >   operations.  In this way a passdb module can simply implement
> >   the functionality it cares about.  However, normally this is done 
> > @@ -2060,5 +2131,10 @@
> >  	(*methods)->search_groups = pdb_default_search_groups;
> >  	(*methods)->search_aliases = pdb_default_search_aliases;
> >  
> > +	(*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
> > +	(*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
> > +	(*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
> > +	(*methods)->enum_trusteddoms  = pdb_default_enum_trusteddoms;
> > +
> >  	return NT_STATUS_OK;
> >  }
> > 
> > Modified: branches/SAMBA_3_0/source/passdb/secrets.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/passdb/secrets.c	2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/passdb/secrets.c	2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -655,47 +655,6 @@
> >  	return ret;
> >  }
> >  
> > -/*******************************************************************
> > - Wrapper around retrieving the trust account password
> > -*******************************************************************/
> > -                                                                                                                     
> > -BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
> > -{
> > -	DOM_SID sid;
> > -	char *pwd;
> > -	time_t last_set_time;
> > -                                                                                                                     
> > -	/* if we are a DC and this is not our domain, then lookup an account
> > -		for the domain trust */
> > -                                                                                                                     
> > -	if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() ) {
> > -		if (!secrets_fetch_trusted_domain_password(domain, &pwd, &sid,
> > -							&last_set_time)) {
> > -			DEBUG(0, ("get_trust_pw: could not fetch trust "
> > -				"account password for trusted domain %s\n",
> > -				domain));
> > -			return False;
> > -		}
> > -                                                                                                                     
> > -		*channel = SEC_CHAN_DOMAIN;
> > -		E_md4hash(pwd, ret_pwd);
> > -		SAFE_FREE(pwd);
> > -
> > -		return True;
> > -	}
> > -                                                                                                                     
> > -	/* Just get the account for the requested domain. In the future this
> > -	 * might also cover to be member of more than one domain. */
> > -                                                                                                                     
> > -	if (secrets_fetch_trust_account_password(domain, ret_pwd,
> > -						&last_set_time, channel))
> > -		return True;
> > -
> > -	DEBUG(5, ("get_trust_pw: could not fetch trust account "
> > -		"password for domain %s\n", domain));
> > -	return False;
> > -}
> > -
> >  /************************************************************************
> >   Routine to delete the machine trust account password file for a domain.
> >  ************************************************************************/
> > 
> > Modified: branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c	2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c	2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -648,8 +648,7 @@
> >  	if (!(info->access & POLICY_VIEW_LOCAL_INFORMATION))
> >  		return NT_STATUS_ACCESS_DENIED;
> >  
> > -	nt_status = secrets_trusted_domains(p->mem_ctx, &num_domains,
> > -					    &domains);
> > +	nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
> >  
> >  	if (!NT_STATUS_IS_OK(nt_status)) {
> >  		return nt_status;
> > 
> > Modified: branches/SAMBA_3_0/source/utils/net_rpc.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/utils/net_rpc.c	2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/utils/net_rpc.c	2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -5604,9 +5604,7 @@
> >  	 * Store the password in secrets db
> >  	 */
> >  
> > -	if (!secrets_store_trusted_domain_password(domain_name,
> > -						   opt_password,
> > -						   domain_sid)) {
> > +	if (!pdb_set_trusteddom_pw(domain_name, opt_password, domain_sid)) {
> >  		DEBUG(0, ("Storing password for trusted domain failed.\n"));
> >  		cli_shutdown(cli);
> >  		return -1;
> > @@ -5644,6 +5642,7 @@
> >  static int rpc_trustdom_revoke(int argc, const char **argv)
> >  {
> >  	char* domain_name;
> > +	int rc = -1;
> >  
> >  	if (argc < 1) return -1;
> >  	
> > @@ -5652,13 +5651,16 @@
> >  	strupper_m(domain_name);
> >  
> >  	/* delete password of the trust */
> > -	if (!trusted_domain_password_delete(domain_name)) {
> > +	if (!pdb_del_trusteddom_pw(domain_name)) {
> >  		DEBUG(0, ("Failed to revoke relationship to the trusted domain %s\n",
> >  			  domain_name));
> > -		return -1;
> > +		goto done;
> >  	};
> >  	
> > -	return 0;
> > +	rc = 0;
> > +done:
> > +	SAFE_FREE(domain_name);
> > +	return rc;
> >  }
> >  
> >  /**
> > @@ -5744,9 +5746,7 @@
> >  		goto done;
> >  	}
> >  	
> > -	if (!secrets_store_trusted_domain_password(trusted_dom_name,
> > -						   cleartextpwd,
> > -						   &dom_sid)) {
> > +	if (!pdb_set_trusteddom_pw(trusted_dom_name, cleartextpwd, &dom_sid)) {
> >  		DEBUG(0, ("Storing password for trusted domain failed.\n"));
> >  		nt_status = NT_STATUS_UNSUCCESSFUL;
> >  		goto done;
> > 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFFrKdu1C6FlsCYaHURAsFyAJ9ZZg7XEWCDJs0lFSmGUrOObekxuwCgtE3N
> I6qEZwWE2WJxDutx+/jYIi8=
> =/CWM
> -----END PGP SIGNATURE-----

-- 
Michael Adam,  SerNet Service Network GmbH
phone: +49-551-370000-0,  fax: +49-551-370000-9



More information about the samba-technical mailing list