svn commit: samba r20824 - in branches/SAMBA_3_0/source: . auth
include nsswitch passdb rpc_server utils
Michael Adam
ma at sernet.de
Tue Jan 16 12:36:03 GMT 2007
Hi Wilco,
On Tue, Jan 16, 2007 at 11:22:38AM +0100, Wilco Baan Hofman wrote:
> Does this mean all pdb_backends *must* be updated for trust domains to
> work?
No, the default actions installed in pdb_interface.c just call
the existing functions from passdb/secrets.c, so this only introduces
another layer. A pdb backend *can* provide its own implementation
of pdb_{get,set,del}_trusteddom_pw and pdb_enum_trusteddoms.
If it doesn't (as in this patch), the behaviour remains unchanged.
I am now working on implementations for pdb_ldap to allow for
replication of trusted domain passwords in pdc/bdc setups.
Regards, Michael
> vlendec at samba.org wrote:
> > Author: vlendec
> > Date: 2007-01-16 08:17:26 +0000 (Tue, 16 Jan 2007)
> > New Revision: 20824
> >
> > WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=20824
> >
> > Log:
> > Send access to the trusted domain passwords through the pdb backend, so that
> > in the next step we can store them in LDAP to be replicated across DCs.
> >
> > Thanks to Michael Adam <ma at sernet.de>
> >
> > Volker
> >
> > Modified:
> > branches/SAMBA_3_0/source/Makefile.in
> > branches/SAMBA_3_0/source/auth/auth_domain.c
> > branches/SAMBA_3_0/source/auth/auth_util.c
> > branches/SAMBA_3_0/source/include/passdb.h
> > branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c
> > branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c
> > branches/SAMBA_3_0/source/passdb/lookup_sid.c
> > branches/SAMBA_3_0/source/passdb/passdb.c
> > branches/SAMBA_3_0/source/passdb/pdb_interface.c
> > branches/SAMBA_3_0/source/passdb/secrets.c
> > branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c
> > branches/SAMBA_3_0/source/utils/net_rpc.c
> >
> >
> > Changeset:
> > Modified: branches/SAMBA_3_0/source/Makefile.in
> > ===================================================================
> > --- branches/SAMBA_3_0/source/Makefile.in 2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/Makefile.in 2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -536,6 +536,7 @@
> > $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) \
> > rpc_client/cli_pipe.o $(RPC_PARSE_OBJ2) \
> > $(RPC_CLIENT_OBJ1) \
> > + $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(LDB_OBJ) $(GROUPDB_OBJ) \
> > $(LIBMSRPC_GEN_OBJ)
> >
> > TESTPARM_OBJ = utils/testparm.o \
> > @@ -607,6 +608,7 @@
> > CLIENT_OBJ = $(CLIENT_OBJ1) $(PARAM_OBJ) $(LIBSMB_OBJ) \
> > $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(LIBMSRPC_GEN_OBJ) \
> > $(READLINE_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) \
> > + $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(LDB_OBJ) \
> > $(DISPLAY_SEC_OBJ)
> >
> > TOOL_OBJ = client/smbctool.o client/clitar.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
> >
> > Modified: branches/SAMBA_3_0/source/auth/auth_domain.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/auth/auth_domain.c 2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/auth/auth_domain.c 2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -408,8 +408,8 @@
> > * No need to become_root() as secrets_init() is done at startup.
> > */
> >
> > - if (!secrets_fetch_trusted_domain_password(user_info->domain, &trust_password,
> > - &sid, &last_change_time)) {
> > + if (!pdb_get_trusteddom_pw(user_info->domain, &trust_password,
> > + &sid, &last_change_time)) {
> > DEBUG(0, ("check_trustdomain_security: could not fetch trust "
> > "account password for domain %s\n",
> > user_info->domain));
> >
> > Modified: branches/SAMBA_3_0/source/auth/auth_util.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/auth/auth_util.c 2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/auth/auth_util.c 2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -2142,8 +2142,7 @@
> > become_root();
> > DEBUG (5,("is_trusted_domain: Checking for domain trust with "
> > "[%s]\n", dom_name ));
> > - ret = secrets_fetch_trusted_domain_password(dom_name, NULL,
> > - NULL, NULL);
> > + ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
> > unbecome_root();
> > if (ret)
> > return True;
> >
> > Modified: branches/SAMBA_3_0/source/include/passdb.h
> > ===================================================================
> > --- branches/SAMBA_3_0/source/include/passdb.h 2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/include/passdb.h 2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -403,6 +403,19 @@
> > BOOL (*rid_algorithm)(struct pdb_methods *methods);
> > BOOL (*new_rid)(struct pdb_methods *methods, uint32 *rid);
> >
> > +
> > + BOOL (*get_trusteddom_pw)(struct pdb_methods *methods,
> > + const char *domain, char** pwd,
> > + DOM_SID *sid, time_t *pass_last_set_time);
> > + BOOL (*set_trusteddom_pw)(struct pdb_methods *methods,
> > + const char* domain, const char* pwd,
> > + const DOM_SID *sid);
> > + BOOL (*del_trusteddom_pw)(struct pdb_methods *methods,
> > + const char *domain);
> > + NTSTATUS (*enum_trusteddoms)(struct pdb_methods *methods,
> > + TALLOC_CTX *mem_ctx, uint32 *num_domains,
> > + struct trustdom_info ***domains);
> > +
> > void *private_data; /* Private data of some kind */
> >
> > void (*free_private_data)(void **);
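Review bot: The four new method pointers are added to struct pdb_methods without any comment on their contract, and two details a backend author needs are only visible in callers elsewhere in this commit: `get_trusteddom_pw` is called with NULL for `pwd`, `sid` and `pass_last_set_time` (auth_util.c and the first lookup_sid.c hunk), and when `pwd` is non-NULL the caller releases `*pwd` with SAFE_FREE (get_trust_pw in passdb.c). Suggest a comment above the `get_trusteddom_pw` member such as `/* pwd, sid and pass_last_set_time may each be NULL when the caller only wants to know whether the trust exists; on success *pwd is allocated and the caller releases it with SAFE_FREE. */`, plus a note on `set_trusteddom_pw` that `pwd` is the cleartext trust password a backend is expected to store. Any backend that replaces the defaults (the pdb_ldap implementation mentioned in the thread) has to honour the NULL case or the existing callers will crash. The struct definition begins and ends outside the hunk.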
> >
> > Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c 2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c 2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -81,7 +81,7 @@
> > DOM_SID sid;
> > time_t last_set_time;
> >
> > - if ( !secrets_fetch_trusted_domain_password( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
> > + if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
> > ads_destroy( &ads );
> > return NULL;
> > }
> >
> > Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c 2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c 2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -541,8 +541,7 @@
> > return NT_STATUS_NO_MEMORY;
> > }
> >
> > - nt_status = secrets_trusted_domains(tmp_ctx, num_domains,
> > - &domains);
> > + nt_status = pdb_enum_trusteddoms(tmp_ctx, num_domains, &domains);
> > if (!NT_STATUS_IS_OK(nt_status)) {
> > TALLOC_FREE(tmp_ctx);
> > return nt_status;
> >
> > Modified: branches/SAMBA_3_0/source/passdb/lookup_sid.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/passdb/lookup_sid.c 2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/passdb/lookup_sid.c 2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -178,8 +178,7 @@
> > /* 5. Trusted domains as such, to me it looks as if members don't do
> > this, tested an XP workstation in a NT domain -- vl */
> >
> > - if (IS_DC && (secrets_fetch_trusted_domain_password(name, NULL,
> > - &sid, NULL))) {
> > + if (IS_DC && (pdb_get_trusteddom_pw(name, NULL, &sid, NULL))) {
> > /* Swap domain and name */
> > tmp = name; name = domain; domain = tmp;
> > type = SID_NAME_DOMAIN;
> > @@ -581,9 +580,9 @@
> > * and for SIDs that have 4 sub-authorities and thus look like
> > * domains */
> >
> > - if (!NT_STATUS_IS_OK(secrets_trusted_domains(mem_ctx,
> > - &num_domains,
> > - &domains))) {
> > + if (!NT_STATUS_IS_OK(pdb_enum_trusteddoms(mem_ctx,
> > + &num_domains,
> > + &domains))) {
> > return False;
> > }
> >
> >
> > Modified: branches/SAMBA_3_0/source/passdb/passdb.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/passdb/passdb.c 2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/passdb/passdb.c 2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -1523,3 +1523,46 @@
> >
> > return True;
> > }
> > +
> > +
> > +/*******************************************************************
> > + Wrapper around retrieving the trust account password
> > +*******************************************************************/
> > +
> > +BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
> > +{
> > + DOM_SID sid;
> > + char *pwd;
> > + time_t last_set_time;
> > +
> > + /* if we are a DC and this is not our domain, then lookup an account
> > + for the domain trust */
> > +
> > + if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() ) {
> > + if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &last_set_time)) {
> > + DEBUG(0, ("get_trust_pw: could not fetch trust "
> > + "account password for trusted domain %s\n",
> > + domain));
> > + return False;
> > + }
> > +
> > + *channel = SEC_CHAN_DOMAIN;
> > + E_md4hash(pwd, ret_pwd);
> > + SAFE_FREE(pwd);
> > +
> > + return True;
> > + }
> > +
> > + /* Just get the account for the requested domain. In the future this
> > + * might also cover to be member of more than one domain. */
> > +
> > + if (secrets_fetch_trust_account_password(domain, ret_pwd,
> > + &last_set_time, channel))
> > + return True;
> > +
> > + DEBUG(5, ("get_trust_pw: could not fetch trust account "
> > + "password for domain %s\n", domain));
> > + return False;
> > +}
> > +
> > +/* END */
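Review bot: In the DC branch of get_trust_pw the cleartext trust password in `pwd` is hashed with E_md4hash and then released with `SAFE_FREE(pwd)` without being cleared, so the cleartext remains in freed heap memory; the function is moved rather than new, but this is now the single place that handles it. Suggest wiping it first, `memset(pwd, 0, strlen(pwd));` immediately before `SAFE_FREE(pwd);`, with the caveat that an optimizer may drop a plain memset right before free, so a project scrubbing helper is preferable if one exists. `sid` and `last_set_time` are fetched in that branch only to be discarded; if the backend contract permits NULL for them, as the auth_util.c caller already assumes, NULL could be passed here instead.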
> >
> > Modified: branches/SAMBA_3_0/source/passdb/pdb_interface.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/passdb/pdb_interface.c 2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/passdb/pdb_interface.c 2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -1997,6 +1997,77 @@
> > }
> >
> > /*******************************************************************
> > + trustodm methods
> > + *******************************************************************/
> > +
> > +BOOL pdb_get_trusteddom_pw(const char *domain, char** pwd, DOM_SID *sid,
> > + time_t *pass_last_set_time)
> > +{
> > + struct pdb_methods *pdb = pdb_get_methods();
> > + return pdb->get_trusteddom_pw(pdb, domain, pwd, sid,
> > + pass_last_set_time);
> > +}
> > +
> > +BOOL pdb_set_trusteddom_pw(const char* domain, const char* pwd,
> > + const DOM_SID *sid)
> > +{
> > + struct pdb_methods *pdb = pdb_get_methods();
> > + return pdb->set_trusteddom_pw(pdb, domain, pwd, sid);
> > +}
> > +
> > +BOOL pdb_del_trusteddom_pw(const char *domain)
> > +{
> > + struct pdb_methods *pdb = pdb_get_methods();
> > + return pdb->del_trusteddom_pw(pdb, domain);
> > +}
> > +
> > +NTSTATUS pdb_enum_trusteddoms(TALLOC_CTX *mem_ctx, uint32 *num_domains,
> > + struct trustdom_info ***domains)
> > +{
> > + struct pdb_methods *pdb = pdb_get_methods();
> > + return pdb->enum_trusteddoms(pdb, mem_ctx, num_domains, domains);
> > +}
> > +
> > +/*******************************************************************
> > + the defaults for trustdom methods:
> > + these simply call the original passdb/secrets.c actions,
> > + to be replaced by pdb_ldap.
> > + *******************************************************************/
> > +
> > +static BOOL pdb_default_get_trusteddom_pw(struct pdb_methods *methods,
> > + const char *domain,
> > + char** pwd,
> > + DOM_SID *sid,
> > + time_t *pass_last_set_time)
> > +{
> > + return secrets_fetch_trusted_domain_password(domain, pwd,
> > + sid, pass_last_set_time);
> > +
> > +}
> > +
> > +static BOOL pdb_default_set_trusteddom_pw(struct pdb_methods *methods,
> > + const char* domain,
> > + const char* pwd,
> > + const DOM_SID *sid)
> > +{
> > + return secrets_store_trusted_domain_password(domain, pwd, sid);
> > +}
> > +
> > +static BOOL pdb_default_del_trusteddom_pw(struct pdb_methods *methods,
> > + const char *domain)
> > +{
> > + return trusted_domain_password_delete(domain);
> > +}
> > +
> > +static NTSTATUS pdb_default_enum_trusteddoms(struct pdb_methods *methods,
> > + TALLOC_CTX *mem_ctx,
> > + uint32 *num_domains,
> > + struct trustdom_info ***domains)
> > +{
> > + return secrets_trusted_domains(mem_ctx, num_domains, domains);
> > +}
> > +
> > +/*******************************************************************
> > Create a pdb_methods structure and initialize it with the default
> > operations. In this way a passdb module can simply implement
> > the functionality it cares about. However, normally this is done
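Review bot: The header comment introducing the new wrappers at the top of this hunk reads `trustodm methods`; it should be `trustdom methods`, matching the wording of the defaults block further down. The four public wrappers carry no per-function comment, while the trailing context shows the next function in this file is documented; a one-liner per wrapper, such as `/* Fetch the trust password for domain via the active passdb backend; NULL output pointers and ownership of *pwd follow the struct pdb_methods contract. */`, would help backend authors. In pdb_default_get_trusteddom_pw there is a stray blank line between the `return` and the closing brace. The comment block that starts at the end of the hunk continues outside it.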
> > @@ -2060,5 +2131,10 @@
> > (*methods)->search_groups = pdb_default_search_groups;
> > (*methods)->search_aliases = pdb_default_search_aliases;
> >
> > + (*methods)->get_trusteddom_pw = pdb_default_get_trusteddom_pw;
> > + (*methods)->set_trusteddom_pw = pdb_default_set_trusteddom_pw;
> > + (*methods)->del_trusteddom_pw = pdb_default_del_trusteddom_pw;
> > + (*methods)->enum_trusteddoms = pdb_default_enum_trusteddoms;
> > +
> > return NT_STATUS_OK;
> > }
> >
> > Modified: branches/SAMBA_3_0/source/passdb/secrets.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/passdb/secrets.c 2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/passdb/secrets.c 2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -655,47 +655,6 @@
> > return ret;
> > }
> >
> > -/*******************************************************************
> > - Wrapper around retrieving the trust account password
> > -*******************************************************************/
> > -
> > -BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
> > -{
> > - DOM_SID sid;
> > - char *pwd;
> > - time_t last_set_time;
> > -
> > - /* if we are a DC and this is not our domain, then lookup an account
> > - for the domain trust */
> > -
> > - if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() ) {
> > - if (!secrets_fetch_trusted_domain_password(domain, &pwd, &sid,
> > - &last_set_time)) {
> > - DEBUG(0, ("get_trust_pw: could not fetch trust "
> > - "account password for trusted domain %s\n",
> > - domain));
> > - return False;
> > - }
> > -
> > - *channel = SEC_CHAN_DOMAIN;
> > - E_md4hash(pwd, ret_pwd);
> > - SAFE_FREE(pwd);
> > -
> > - return True;
> > - }
> > -
> > - /* Just get the account for the requested domain. In the future this
> > - * might also cover to be member of more than one domain. */
> > -
> > - if (secrets_fetch_trust_account_password(domain, ret_pwd,
> > - &last_set_time, channel))
> > - return True;
> > -
> > - DEBUG(5, ("get_trust_pw: could not fetch trust account "
> > - "password for domain %s\n", domain));
> > - return False;
> > -}
> > -
> > /************************************************************************
> > Routine to delete the machine trust account password file for a domain.
> > ************************************************************************/
> >
> > Modified: branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c 2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/rpc_server/srv_lsa_nt.c 2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -648,8 +648,7 @@
> > if (!(info->access & POLICY_VIEW_LOCAL_INFORMATION))
> > return NT_STATUS_ACCESS_DENIED;
> >
> > - nt_status = secrets_trusted_domains(p->mem_ctx, &num_domains,
> > - &domains);
> > + nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
> >
> > if (!NT_STATUS_IS_OK(nt_status)) {
> > return nt_status;
> >
> > Modified: branches/SAMBA_3_0/source/utils/net_rpc.c
> > ===================================================================
> > --- branches/SAMBA_3_0/source/utils/net_rpc.c 2007-01-16 01:36:15 UTC (rev 20823)
> > +++ branches/SAMBA_3_0/source/utils/net_rpc.c 2007-01-16 08:17:26 UTC (rev 20824)
> > @@ -5604,9 +5604,7 @@
> > * Store the password in secrets db
> > */
> >
> > - if (!secrets_store_trusted_domain_password(domain_name,
> > - opt_password,
> > - domain_sid)) {
> > + if (!pdb_set_trusteddom_pw(domain_name, opt_password, domain_sid)) {
> > DEBUG(0, ("Storing password for trusted domain failed.\n"));
> > cli_shutdown(cli);
> > return -1;
> > @@ -5644,6 +5642,7 @@
> > static int rpc_trustdom_revoke(int argc, const char **argv)
> > {
> > char* domain_name;
> > + int rc = -1;
> >
> > if (argc < 1) return -1;
> >
> > @@ -5652,13 +5651,16 @@
> > strupper_m(domain_name);
> >
> > /* delete password of the trust */
> > - if (!trusted_domain_password_delete(domain_name)) {
> > + if (!pdb_del_trusteddom_pw(domain_name)) {
> > DEBUG(0, ("Failed to revoke relationship to the trusted domain %s\n",
> > domain_name));
> > - return -1;
> > + goto done;
> > };
> >
> > - return 0;
> > + rc = 0;
> > +done:
> > + SAFE_FREE(domain_name);
> > + return rc;
> > }
> >
> > /**
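Review bot: The closing brace of the `if (!pdb_del_trusteddom_pw(domain_name))` block is followed by a stray semicolon, `};`, which is a harmless empty statement but reads like a typo; drop it. The new `done:` path frees `domain_name` on both outcomes, which improves on the previous early return, but the allocation of `domain_name` lies between this hunk and the preceding one, so I cannot confirm from here that every path reaching `done` has it allocated; the `argc < 1` return in the previous hunk happens before the label and looks fine. rpc_trustdom_revoke begins in the previous hunk.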
> > @@ -5744,9 +5746,7 @@
> > goto done;
> > }
> >
> > - if (!secrets_store_trusted_domain_password(trusted_dom_name,
> > - cleartextpwd,
> > - &dom_sid)) {
> > + if (!pdb_set_trusteddom_pw(trusted_dom_name, cleartextpwd, &dom_sid)) {
> > DEBUG(0, ("Storing password for trusted domain failed.\n"));
> > nt_status = NT_STATUS_UNSUCCESSFUL;
> > goto done;
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFFrKdu1C6FlsCYaHURAsFyAJ9ZZg7XEWCDJs0lFSmGUrOObekxuwCgtE3N
> I6qEZwWE2WJxDutx+/jYIi8=
> =/CWM
> -----END PGP SIGNATURE-----
--
Michael Adam, SerNet Service Network GmbH
phone: +49-551-370000-0, fax: +49-551-370000-9