[PATCH 16/22] auth: Split out fetching trusted domain into sam_get_results_trust()
Jelmer Vernooij
jelmer at samba.org
Mon Aug 25 09:57:33 MDT 2014
On Wed, Aug 20, 2014 at 02:06:51PM +1200, abartlet at samba.org wrote:
> From: Andrew Bartlett <abartlet at samba.org>
>
> This new helper function will also be used by pdb_samba_dsdb.
>
> Change-Id: I008af94a0822012c211cfcc6108a8b1285f4d7c7
> Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
> Signed-off-by: Garming Sam <garming at catalyst.net.nz>
> Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> ---
> source4/auth/sam.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++
> source4/kdc/db-glue.c | 54 +++++++++++--------------------------
> 2 files changed, 89 insertions(+), 38 deletions(-)
>
> diff --git a/source4/auth/sam.c b/source4/auth/sam.c
> index f7bc693..3178cb5 100644
> --- a/source4/auth/sam.c
> +++ b/source4/auth/sam.c
> @@ -560,6 +560,79 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
> return NT_STATUS_OK;
> }
>
> +NTSTATUS sam_get_results_trust(struct ldb_context *sam_ctx,
> + TALLOC_CTX *mem_ctx, const char *domain,
> + const char *realm, const char * const *attrs,
> + struct ldb_message **msg)
> +{
> + TALLOC_CTX *frame = talloc_stackframe();
> +
> + int lret;
> + struct ldb_dn *system_dn;
> +
> + char *filter = NULL;
Why initialize filter?
> +
> + struct ldb_result *res = NULL;
> + char *domain_encoded;
> +
> + system_dn = ldb_dn_copy(frame, ldb_get_default_basedn(sam_ctx));
> + if (system_dn == NULL) {
> + TALLOC_FREE(frame);
> + return NT_STATUS_NO_MEMORY;
> + }
> +
> + if (!ldb_dn_add_child_fmt(system_dn, "CN=System")) {
> + TALLOC_FREE(frame);
> + return NT_STATUS_NO_MEMORY;
> + }
> +
> + domain_encoded = ldb_binary_encode_string(mem_ctx, domain);
> + if (!domain_encoded) {
> + TALLOC_FREE(frame);
> + return NT_STATUS_NO_MEMORY;
> + }
> + if (realm == NULL) {
> + filter = talloc_asprintf(mem_ctx, "(&(objectClass=trustedDomain)(flatname=%s))",
> + domain_encoded);
Trailing whitespace.
> +
> + if (!filter) {
> + TALLOC_FREE(frame);
> + return NT_STATUS_NO_MEMORY;
> + }
> + } else {
> + char *realm_encoded = ldb_binary_encode_string(mem_ctx, realm);
> + if (!realm_encoded) {
> + TALLOC_FREE(frame);
> + return NT_STATUS_NO_MEMORY;
> + }
> + filter = talloc_asprintf(mem_ctx, "(&(objectClass=trustedDomain)(|(trustPartner=%s)(flatname=%s)))",
Line looks like it is too long and has trailing whitespace.
> + realm_encoded, domain_encoded);
> +
> + if (!filter) {
> + TALLOC_FREE(frame);
> + return NT_STATUS_NO_MEMORY;
> + }
> +
> + }
> +
> + lret = dsdb_search(sam_ctx, frame, &res,
> + system_dn,
> + LDB_SCOPE_ONELEVEL, attrs,
> + DSDB_SEARCH_NO_GLOBAL_CATALOG|DSDB_SEARCH_ONE_ONLY,
> + "%s", filter);
> + if (lret != LDB_SUCCESS && lret != LDB_ERR_NO_SUCH_OBJECT) {
> + DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(sam_ctx)));
> + return NT_STATUS_INTERNAL_DB_CORRUPTION;
TALLOC_FREE(frame) ?
> + } else if (lret == LDB_ERR_NO_SUCH_OBJECT) {
> + DEBUG(3, ("Failed to find result for %s: %s\n", filter, ldb_errstring(sam_ctx)));
> + return NT_STATUS_NOT_FOUND;
TALLOC_FREE(frame) ?
> + }
> + talloc_steal(mem_ctx, res->msgs);
> + *msg = res->msgs[0];
> + TALLOC_FREE(frame);
> + return NT_STATUS_OK;
> +}
> +
> /* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack.
>
> Supply either a principal or a DN
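Review bot: The temporaries domain_encoded, realm_encoded and both filter strings are allocated on mem_ctx although they are only needed for the dsdb_search call, so they outlive the function on the caller's context instead of disappearing with TALLOC_FREE(frame); allocating them on frame, e.g. `domain_encoded = ldb_binary_encode_string(frame, domain);` and `filter = talloc_asprintf(frame, ...)` in both branches, keeps the cleanup in one place. The ldb_binary_encode_string step is what stops caller-supplied domain/realm values from rewriting the filter, so the encoded forms must stay the only thing interpolated into talloc_asprintf. The dereference of res->msgs[0] appears to rely on DSDB_SEARCH_ONE_ONLY turning zero or multiple matches into an ldb error; a short comment on the lret check stating that would help a reader who does not know that flag. The function also lacks a header comment: one stating that it looks up the trustedDomain object under CN=System by flatname or trustPartner, that *msg is moved onto mem_ctx on success, and that NT_STATUS_NOT_FOUND means no match would make the contract explicit for pdb_samba_dsdb.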
> diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
> index e64fae9..c538ec6 100644
> --- a/source4/kdc/db-glue.c
> +++ b/source4/kdc/db-glue.c
> @@ -1079,47 +1079,25 @@ static krb5_error_code samba_kdc_lookup_trust(krb5_context context, struct ldb_c
> struct ldb_dn *realm_dn,
> struct ldb_message **pmsg)
> {
> - int lret;
> - krb5_error_code ret;
> - char *filter = NULL;
> + NTSTATUS status;
> const char * const *attrs = trust_attrs;
> -
> - struct ldb_result *res = NULL;
> - char *realm_encoded = ldb_binary_encode_string(mem_ctx, realm);
> - if (!realm_encoded) {
> - if (!filter) {
> - ret = ENOMEM;
> - krb5_set_error_message(context, ret, "talloc_asprintf: out of memory");
> - return ret;
> - }
> - }
> - filter = talloc_asprintf(mem_ctx, "(&(objectClass=trustedDomain)(|(flatname=%s)(trustPartner=%s)))",
> - realm_encoded, realm_encoded);
> -
> - if (!filter) {
> - talloc_free(realm_encoded);
> - ret = ENOMEM;
> - krb5_set_error_message(context, ret, "talloc_asprintf: out of memory");
> - return ret;
> - }
> -
> - lret = dsdb_search(ldb_ctx, mem_ctx, &res,
> - ldb_get_default_basedn(ldb_ctx),
> - LDB_SCOPE_SUBTREE, attrs,
> - DSDB_SEARCH_NO_GLOBAL_CATALOG,
> - "%s", filter);
> - if (lret != LDB_SUCCESS) {
> - DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(ldb_ctx)));
> - return HDB_ERR_NOENTRY;
> - } else if (res->count == 0 || res->count > 1) {
> - DEBUG(3, ("Failed find a single entry for %s: got %d\n", filter, res->count));
> - talloc_free(res);
> +
> + status = sam_get_results_trust(ldb_ctx,
> + mem_ctx, realm, realm, attrs,
> + pmsg);
Trailing whitespace.
> + if (NT_STATUS_IS_OK(status)) {
> + return 0;
> + } else if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
> return HDB_ERR_NOENTRY;
> + } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
> + int ret = ENOMEM;
> + krb5_set_error_message(context, ret, "get_sam_result_trust: out of memory");
> + return ret;
> + } else {
> + int ret = EINVAL;
> + krb5_set_error_message(context, ret, "get_sam_result_trust: %s", nt_errstr(status));
> + return ret;
> }
> - talloc_steal(mem_ctx, res->msgs);
> - *pmsg = res->msgs[0];
> - talloc_free(res);
> - return 0;
> }
>
> static krb5_error_code samba_kdc_lookup_client(krb5_context context,
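Review bot: The two krb5_set_error_message calls name a function "get_sam_result_trust" that does not exist, while the helper actually called is sam_get_results_trust; the diagnostics should read `krb5_set_error_message(context, ret, "sam_get_results_trust: out of memory");` and `krb5_set_error_message(context, ret, "sam_get_results_trust: %s", nt_errstr(status));` so a KDC log line points at the right code. The replaced search was a subtree search from the default base DN, whereas the helper searches one level under CN=System, so a trustedDomain object stored elsewhere would presumably no longer be found; if that narrowing is intended it deserves a sentence in the commit message. The signature of samba_kdc_lookup_trust begins before this hunk.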
--
Jelmer Vernooij <jelmer at samba.org> - https://jelmer.uk/