[testlist] [PR PATCH master 16/22] auth: Split out fetching trusted domain into sam_get_results_trust()
github at samba.org
github at samba.org
Mon Sep 7 00:10:43 UTC 2015
From: Andrew Bartlett <abartlet at samba.org>
This new helper function will also be used by pdb_samba_dsdb.
Change-Id: I008af94a0822012c211cfcc6108a8b1285f4d7c7
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
source4/auth/sam.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++
source4/kdc/db-glue.c | 54 +++++++++++--------------------------
2 files changed, 89 insertions(+), 38 deletions(-)
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index f7bc693..3178cb5 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -560,6 +560,79 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
return NT_STATUS_OK;
}
+NTSTATUS sam_get_results_trust(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx, const char *domain,
+ const char *realm, const char * const *attrs,
+ struct ldb_message **msg)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ int lret;
+ struct ldb_dn *system_dn;
+
+ char *filter = NULL;
+
+ struct ldb_result *res = NULL;
+ char *domain_encoded;
+
+ system_dn = ldb_dn_copy(frame, ldb_get_default_basedn(sam_ctx));
+ if (system_dn == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!ldb_dn_add_child_fmt(system_dn, "CN=System")) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ domain_encoded = ldb_binary_encode_string(mem_ctx, domain);
+ if (!domain_encoded) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ if (realm == NULL) {
+ filter = talloc_asprintf(mem_ctx, "(&(objectClass=trustedDomain)(flatname=%s))",
+ domain_encoded);
+
+ if (!filter) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ char *realm_encoded = ldb_binary_encode_string(mem_ctx, realm);
+ if (!realm_encoded) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ filter = talloc_asprintf(mem_ctx, "(&(objectClass=trustedDomain)(|(trustPartner=%s)(flatname=%s)))",
+ realm_encoded, domain_encoded);
+
+ if (!filter) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ }
+
+ lret = dsdb_search(sam_ctx, frame, &res,
+ system_dn,
+ LDB_SCOPE_ONELEVEL, attrs,
+ DSDB_SEARCH_NO_GLOBAL_CATALOG|DSDB_SEARCH_ONE_ONLY,
+ "%s", filter);
+ if (lret != LDB_SUCCESS && lret != LDB_ERR_NO_SUCH_OBJECT) {
+ DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(sam_ctx)));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ } else if (lret == LDB_ERR_NO_SUCH_OBJECT) {
+ DEBUG(3, ("Failed to find result for %s: %s\n", filter, ldb_errstring(sam_ctx)));
+ return NT_STATUS_NOT_FOUND;
+ }
+ talloc_steal(mem_ctx, res->msgs);
+ *msg = res->msgs[0];
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+}
+
/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack.
Supply either a principal or a DN
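Review bot: Both error returns after the dsdb_search() call in sam_get_results_trust() leak the talloc stackframe — the `return NT_STATUS_INTERNAL_DB_CORRUPTION;` and `return NT_STATUS_NOT_FOUND;` branches return without `TALLOC_FREE(frame);`, unlike every earlier error path in the function. Each of those two returns should be preceded by `TALLOC_FREE(frame);`, which is safe because `res` has not been stolen onto mem_ctx on those paths. Relatedly, filter, domain_encoded and realm_encoded are allocated on the caller's mem_ctx even though nothing returned to the caller refers to them; allocating them on frame would stop them accumulating on long-lived contexts such as the KDC's. A NULL domain is passed straight to ldb_binary_encode_string() and, depending on its NULL handling, would surface as NT_STATUS_NO_MEMORY rather than an invalid-parameter error, so either document that domain must be non-NULL or check it up front with a header comment such as `/* domain must not be NULL; realm may be NULL to match on flatname only. On success *msg is owned by mem_ctx. */`.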
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index e64fae9..c538ec6 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1079,47 +1079,25 @@ static krb5_error_code samba_kdc_lookup_trust(krb5_context context, struct ldb_c
struct ldb_dn *realm_dn,
struct ldb_message **pmsg)
{
- int lret;
- krb5_error_code ret;
- char *filter = NULL;
+ NTSTATUS status;
const char * const *attrs = trust_attrs;
-
- struct ldb_result *res = NULL;
- char *realm_encoded = ldb_binary_encode_string(mem_ctx, realm);
- if (!realm_encoded) {
- if (!filter) {
- ret = ENOMEM;
- krb5_set_error_message(context, ret, "talloc_asprintf: out of memory");
- return ret;
- }
- }
- filter = talloc_asprintf(mem_ctx, "(&(objectClass=trustedDomain)(|(flatname=%s)(trustPartner=%s)))",
- realm_encoded, realm_encoded);
-
- if (!filter) {
- talloc_free(realm_encoded);
- ret = ENOMEM;
- krb5_set_error_message(context, ret, "talloc_asprintf: out of memory");
- return ret;
- }
-
- lret = dsdb_search(ldb_ctx, mem_ctx, &res,
- ldb_get_default_basedn(ldb_ctx),
- LDB_SCOPE_SUBTREE, attrs,
- DSDB_SEARCH_NO_GLOBAL_CATALOG,
- "%s", filter);
- if (lret != LDB_SUCCESS) {
- DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(ldb_ctx)));
- return HDB_ERR_NOENTRY;
- } else if (res->count == 0 || res->count > 1) {
- DEBUG(3, ("Failed find a single entry for %s: got %d\n", filter, res->count));
- talloc_free(res);
+
+ status = sam_get_results_trust(ldb_ctx,
+ mem_ctx, realm, realm, attrs,
+ pmsg);
+ if (NT_STATUS_IS_OK(status)) {
+ return 0;
+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
return HDB_ERR_NOENTRY;
+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
+ int ret = ENOMEM;
+ krb5_set_error_message(context, ret, "get_sam_result_trust: out of memory");
+ return ret;
+ } else {
+ int ret = EINVAL;
+ krb5_set_error_message(context, ret, "get_sam_result_trust: %s", nt_errstr(status));
+ return ret;
}
- talloc_steal(mem_ctx, res->msgs);
- *pmsg = res->msgs[0];
- talloc_free(res);
- return 0;
}
static krb5_error_code samba_kdc_lookup_client(krb5_context context,
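Review bot: The two krb5_set_error_message() strings in samba_kdc_lookup_trust() name a function that does not exist — "get_sam_result_trust" — while the call a few lines above is to sam_get_results_trust(); these messages end up in KDC logs, so they should read `"sam_get_results_trust: out of memory"` and `"sam_get_results_trust: %s"`. Note also that the error mapping changes: before this patch every ldb failure and the "more than one match" case both returned HDB_ERR_NOENTRY, whereas now anything other than NOT_FOUND/NO_MEMORY falls through to EINVAL, and whether the multiple-match case reaches that branch depends on how dsdb_search() reports it under DSDB_SEARCH_ONE_ONLY, which is not visible here — worth confirming this is the intended behaviour for the KDC. The search scope also narrows from a subtree search of the default base DN to one level under CN=System, which appears intentional but deserves a line in the commit message. The realm_dn parameter is now unused in the visible body; the start of the function lies in the hunk header, so it may still be used elsewhere.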
--
1.9.1