websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Debian patch 4.8.10-2

Browse Source
This commit is contained in:
Timo Aaltonen
2020-11-23 20:48:56 +02:00
committed by Mario Fetka
parent 8bc559c5a1
commit 358acdd85f
917 changed files with 1185414 additions and 1069733 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
daemons/ipa-sam/Makefile.am
View File

@@ -15,7 +15,7 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
-DLDAPIDIR=\""$(localstatedir)/run"\" \
-DLDAPIDIR=\""$(runstatedir)"\" \
-DHAVE_LDAP \
-I$(top_srcdir)/util \
$(CRYPTO_CFLAGS) \

15
daemons/ipa-sam/Makefile.in
View File

@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -273,6 +273,8 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -315,11 +317,10 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -340,8 +341,6 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -429,7 +428,9 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@@ -456,7 +457,7 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
-DLDAPIDIR=\""$(localstatedir)/run"\" \
-DLDAPIDIR=\""$(runstatedir)"\" \
-DHAVE_LDAP \
-I$(top_srcdir)/util \
$(CRYPTO_CFLAGS) \

462
daemons/ipa-sam/ipa_sam.c
View File

@@ -19,7 +19,6 @@
#include <util/data_blob.h>
#include <util/time.h>
#include <util/debug.h>
#include <util/talloc_stack.h>
#ifndef _SAMBA_UTIL_H_
bool trim_string(char *s, const char *front, const char *back);
@@ -105,8 +104,6 @@ enum ndr_err_code ndr_pull_trustAuthInOutBlob(struct ndr_pull *ndr, int ndr_flag
bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */
/* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */
bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */
char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */
char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */
@@ -140,6 +137,7 @@ bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-
#define LDAP_ATTRIBUTE_OBJECTCLASS "objectClass"
#define LDAP_ATTRIBUTE_HOME_DRIVE "ipaNTHomeDirectoryDrive"
#define LDAP_ATTRIBUTE_HOME_PATH "ipaNTHomeDirectory"
#define LDAP_ATTRIBUTE_HOMEDIRECTORY "homeDirectory"
#define LDAP_ATTRIBUTE_LOGON_SCRIPT "ipaNTLogonScript"
#define LDAP_ATTRIBUTE_PROFILE_PATH "ipaNTProfilePath"
#define LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING "ipaNTSIDBlacklistIncoming"
@@ -261,6 +259,18 @@ static bool sid_compose(struct dom_sid *dst, const struct dom_sid *dom_sid,
return true;
}
static char *sid_talloc_string(struct sss_idmap_ctx *ctx, void *final_ctx, const struct dom_sid *dom_sid)
{
enum idmap_error_code ret;
char *result = NULL;
ret = sss_idmap_smb_sid_to_sid(ctx, discard_const(dom_sid), &result);
if (ret != IDMAP_SUCCESS) {
return NULL;
}
return talloc_move(final_ctx, &result);
}
static bool is_null_sid(const struct dom_sid *sid)
{
size_t c;
@@ -488,9 +498,24 @@ done:
return unix_dn;
}
/* Samba removed unixid_* helpers in c906153cc7af21abe508ddd30c447642327d6a5d */
static void ipasam_unixid_from_uid(struct unixid *id, uint32_t some_uid)
{
if (id) {
id->id = some_uid;
id->type = ID_TYPE_UID;
}
}
static void ipasam_unixid_from_gid(struct unixid *id, uint32_t some_gid)
{
if (id) {
id->id = some_gid;
id->type = ID_TYPE_GID;
}
}
static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
LDAPMessage *entry,
@@ -519,8 +544,18 @@ static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
}
if (dom_sid_compare_domain(sid, domain_sid) != 0) {
DEBUG(10, ("SID %s is not in expected domain %s\n",
str, sid_string_dbg(domain_sid)));
char *debug_domain_sid = NULL;
err = sss_idmap_smb_sid_to_sid(idmap_ctx,
discard_const(domain_sid),
&debug_domain_sid);
if (err != IDMAP_SUCCESS) {
DEBUG(10, ("SID %s is not in expected domain.\n",
str));
} else {
DEBUG(10, ("SID %s is not in expected domain %s\n",
str, debug_domain_sid));
talloc_free(debug_domain_sid);
}
res = false;
goto done;
}
@@ -589,7 +624,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
allsids = talloc_asprintf_append_buffer(
allsids, "(%s=%s)",
LDAP_ATTRIBUTE_SID,
sid_string_talloc(mem_ctx, &sid));
sid_talloc_string(ipasam_state->idmap_ctx, mem_ctx, &sid));
if (allsids == NULL) {
goto done;
}
@@ -790,7 +825,8 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
filter = talloc_asprintf(mem_ctx,
"(&(%s=%s)"
"(|(objectClass=%s)(objectClass=%s)))",
LDAP_ATTRIBUTE_SID, sid_string_talloc(mem_ctx, sid),
LDAP_ATTRIBUTE_SID,
sid_talloc_string(priv->idmap_ctx, mem_ctx, sid),
LDAP_OBJ_GROUPMAP, LDAP_OBJ_SAMBASAMACCOUNT);
if (filter == NULL) {
DEBUG(5, ("talloc_asprintf failed\n"));
@@ -837,7 +873,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
goto done;
}
unixid_from_gid(id, strtoul(gid_str, NULL, 10));
ipasam_unixid_from_gid(id, strtoul(gid_str, NULL, 10));
idmap_cache_set_sid2unixid(sid, id);
@@ -855,7 +891,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
goto done;
}
unixid_from_uid(id, strtoul(value, NULL, 10));
ipasam_unixid_from_uid(id, strtoul(value, NULL, 10));
idmap_cache_set_sid2unixid(sid, id);
@@ -880,9 +916,13 @@ static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
struct dom_sid *user_sid = NULL;
int rc;
enum idmap_error_code err;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
struct unixid id;
TALLOC_CTX *tmp_ctx = talloc_new(priv);
if (tmp_ctx == NULL) {
goto done;
}
/* Fast fail if we get a request for uidNumber=0 because it currently
* will never exist in the directory
* Saves an expensive LDAP call of which failure will never be cached
@@ -932,14 +972,14 @@ static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
err = sss_idmap_sid_to_smb_sid(priv->idmap_ctx,
user_sid_string, &user_sid);
if (err != IDMAP_SUCCESS) {
DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
DEBUG(3, ("Error creating sid structure for sid '%s'\n",
user_sid_string));
goto done;
}
sid_copy(sid, user_sid);
unixid_from_uid(&id, uid);
ipasam_unixid_from_uid(&id, uid);
idmap_cache_set_sid2unixid(sid, &id);
@@ -967,9 +1007,13 @@ static bool ipasam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
size_t c;
int rc;
enum idmap_error_code err;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
struct unixid id;
TALLOC_CTX *tmp_ctx = talloc_new(priv);
if (tmp_ctx == NULL) {
goto done;
}
filter = talloc_asprintf(tmp_ctx,
"(|(&(gidNumber=%u)"
"(objectClass=%s))"
@@ -1044,14 +1088,14 @@ found:
err = sss_idmap_sid_to_smb_sid(priv->idmap_ctx,
group_sid_string, &group_sid);
if (err != IDMAP_SUCCESS) {
DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
DEBUG(3, ("Error creating sid structure for sid '%s'\n",
group_sid_string));
goto done;
}
sid_copy(sid, group_sid);
unixid_from_gid(&id, gid);
ipasam_unixid_from_gid(&id, gid);
idmap_cache_set_sid2unixid(sid, &id);
@@ -1587,11 +1631,11 @@ static bool ipasam_search_grouptype(struct pdb_methods *methods,
state->base = talloc_strdup(search, ipasam_state->base_dn);
state->connection = ipasam_state->ldap_state;
state->scope = LDAP_SCOPE_SUBTREE;
state->filter = talloc_asprintf(search, "(&(objectclass=%s)"
"(%s=%s*))",
LDAP_OBJ_GROUPMAP,
LDAP_ATTRIBUTE_SID,
sid_string_talloc(search, sid));
state->filter = talloc_asprintf(search, "(&(objectclass=%s)(%s=%s*))",
LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID,
sid_talloc_string(
ipasam_state->idmap_ctx,
search, sid));
state->attrs = talloc_attrs(search, "cn", LDAP_ATTRIBUTE_SID,
"displayName", "description",
NULL);
@@ -1797,9 +1841,10 @@ done:
#define KRB_PRINC_CREATE_DISABLED 0x00000001
#define KRB_PRINC_CREATE_AGENT_PERMISSION 0x00000002
static bool set_krb_princ(struct ipasam_private *ipasam_state,
TALLOC_CTX *mem_ctx,
const char *princ, const char *saltprinc,
const char *princ, const char *alias,
const char *pwd,
const char *base_dn,
uint32_t create_flags)
@@ -1857,14 +1902,15 @@ static bool set_krb_princ(struct ipasam_private *ipasam_state,
LDAP_ATTRIBUTE_KRB_CANONICAL, princ);
smbldap_set_mod(&mods, LDAP_MOD_ADD,
LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
if (saltprinc) {
smbldap_set_mod(&mods, LDAP_MOD_ADD,
LDAP_ATTRIBUTE_KRB_PRINCIPAL, saltprinc);
}
if (alias) {
smbldap_set_mod(&mods, LDAP_MOD_ADD,
LDAP_ATTRIBUTE_KRB_PRINCIPAL, alias);
}
if ((create_flags & KRB_PRINC_CREATE_DISABLED)) {
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_KRB_TICKET_FLAGS, __TALLOC_STRING_LINE2__(IPASAM_DISALLOW_ALL_TIX));
smbldap_set_mod(&mods, LDAP_MOD_ADD,
LDAP_ATTRIBUTE_KRB_TICKET_FLAGS,
__TALLOC_STRING_LINE2__(IPASAM_DISALLOW_ALL_TIX));
}
if ((create_flags & KRB_PRINC_CREATE_AGENT_PERMISSION)) {
@@ -1877,18 +1923,19 @@ static bool set_krb_princ(struct ipasam_private *ipasam_state,
smbldap_set_mod(&mods, LDAP_MOD_ADD,
LDAP_ATTRIBUTE_OBJECTCLASS,
LDAP_OBJ_IPAOPALLOW);
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_IPAOPALLOW, agent_dn);
smbldap_set_mod(&mods, LDAP_MOD_ADD,
LDAP_ATTRIBUTE_IPAOPALLOW,
agent_dn);
agent_dn = talloc_asprintf(mem_ctx, LDAP_CN_ADTRUST_ADMINS",%s", ipasam_state->base_dn);
if (agent_dn == NULL) {
DEBUG(1, ("error configuring cross realm principal data for trust admins!\n"));
return false;
}
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_IPAOPALLOW, agent_dn);
smbldap_set_mod(&mods, LDAP_MOD_ADD,
LDAP_ATTRIBUTE_IPAOPALLOW,
agent_dn);
}
if (entry == NULL) {
ret = smbldap_add(ipasam_state->ldap_state, dn, mods);
} else {
@@ -1899,7 +1946,7 @@ static bool set_krb_princ(struct ipasam_private *ipasam_state,
return false;
}
ret = set_cross_realm_pw(ipasam_state, saltprinc ? saltprinc : princ, pwd);
ret = set_cross_realm_pw(ipasam_state, princ, pwd);
if (ret != 0) {
DEBUG(1, ("set_cross_realm_pw failed.\n"));
return false;
@@ -1941,18 +1988,21 @@ enum princ_mod {
};
static bool handle_cross_realm_princs(struct ipasam_private *ipasam_state,
const char *domain, const char *pwd,
const char *domain, const char *flat_name,
const char *pwd_incoming,
const char *pwd_outgoing,
uint32_t trust_direction,
enum princ_mod mod)
{
char *trusted_dn;
char *princ_l;
char *princ_r;
char *princ_tdo;
char *saltprinc_tdo;
char *princ_r_tdo, *princ_l_tdo;
char *remote_realm;
bool ok;
int failed = 0;
TALLOC_CTX *tmp_ctx;
const char *r_tdo_alias, *l_tdo_alias;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -1967,46 +2017,113 @@ static bool handle_cross_realm_princs(struct ipasam_private *ipasam_state,
trusted_dn = trusted_domain_dn(tmp_ctx, ipasam_state, domain);
princ_l = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s", remote_realm,
ipasam_state->realm);
princ_l = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s",
remote_realm, ipasam_state->realm);
princ_l_tdo = talloc_asprintf(tmp_ctx, "%s$@%s",
flat_name, ipasam_state->realm);
l_tdo_alias = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s",
flat_name, ipasam_state->realm);
princ_r = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s",
ipasam_state->realm, remote_realm);
ipasam_state->realm, remote_realm);
princ_r_tdo = talloc_asprintf(tmp_ctx, "%s$@%s",
ipasam_state->flat_name, remote_realm);
princ_tdo = talloc_asprintf(tmp_ctx, "%s$@%s",
r_tdo_alias = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s",
ipasam_state->flat_name, remote_realm);
saltprinc_tdo = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s",
ipasam_state->flat_name, remote_realm);
if (trusted_dn == NULL || princ_l == NULL ||
princ_r == NULL || princ_tdo == NULL || saltprinc_tdo == NULL) {
if (trusted_dn == NULL || princ_l == NULL || princ_l_tdo == NULL ||
l_tdo_alias == NULL || princ_r == NULL || princ_r_tdo == NULL ||
r_tdo_alias == NULL) {
ok = false;
goto done;
}
switch (mod) {
case SET_PRINC:
/* Create Kerberos principal for inbound trust, enabled by default */
ok = set_krb_princ(ipasam_state, tmp_ctx, princ_r, NULL, pwd, trusted_dn, KRB_PRINC_CREATE_DEFAULT);
/* Create Kerberos principal corresponding to TDO in AD for SSSD usage, disabled by default */
ok |= set_krb_princ(ipasam_state, tmp_ctx, princ_tdo, saltprinc_tdo, pwd, trusted_dn,
KRB_PRINC_CREATE_DISABLED | KRB_PRINC_CREATE_AGENT_PERMISSION);
if ((trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) != 0) {
/* Create Kerberos principal for outbound trust, enabled by default */
ok |= set_krb_princ(ipasam_state, tmp_ctx, princ_l, NULL, pwd, trusted_dn, KRB_PRINC_CREATE_DEFAULT);
/* We must use two sets by two principals here because
* they are used for different needs and must have
* different salts */
failed = 0;
/* INBOUND TRUST */
if ((trust_direction & LSA_TRUST_DIRECTION_INBOUND) != 0) {
/* First: krbtgt/<OUR REALM>@<REMOTE REALM>, enabled by default
* in case of the inboud trust */
failed += !set_krb_princ(ipasam_state, tmp_ctx, princ_r, NULL,
pwd_outgoing, trusted_dn,
KRB_PRINC_CREATE_DEFAULT);
/* Second: krbtgt/<OUR FLATNAME>@<REMOTE REALM>
* is only used for SSSD to be able to talk to
* AD DCs but it has to have canonical name set
* to krbtgt/<OUR FLATNAME> and alias it to
* <OUR FLATNAME$> because it is the salt used
* by AD DCs when using this principal,
* otherwise authentication will fail.
*
* *disable* use of this principal on our side as it is
* only used to retrieve trusted domain credentials by
* AD Trust Agents across the IPA topology */
failed += !set_krb_princ(ipasam_state, tmp_ctx,
r_tdo_alias, princ_r_tdo,
pwd_incoming, trusted_dn,
(KRB_PRINC_CREATE_DISABLED |
KRB_PRINC_CREATE_AGENT_PERMISSION));
ok = (failed == 0);
if (!ok) {
goto done;
}
}
if (!ok) {
goto done;
failed = 0;
/* OUTBOUND TRUST */
if ((trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) != 0) {
/* First: krbtgt/<REMOTE REALM>@<OUR REALM>, enabled by default */
failed += !set_krb_princ(ipasam_state, tmp_ctx,
princ_l, NULL,
pwd_outgoing, trusted_dn,
KRB_PRINC_CREATE_DEFAULT);
/* Second: <REMOTE FLAT NAME>$@<OUR REALM>, enabled by default
* as it is used for a remote DC to authenticate against IPA Samba
*
* A local account for the outbound trust must have
* POSIX and SMB identities associated with our domain but we associate
* them with the trust domain object itself */
failed += !set_krb_princ(ipasam_state, tmp_ctx,
princ_l_tdo, l_tdo_alias,
pwd_incoming, trusted_dn,
KRB_PRINC_CREATE_DEFAULT);
ok = (failed == 0);
if (!ok) {
goto done;
}
}
break;
case DEL_PRINC:
ok = del_krb_princ(ipasam_state, tmp_ctx, princ_r, trusted_dn);
ok |= del_krb_princ(ipasam_state, tmp_ctx, princ_tdo, trusted_dn);
if ((trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) != 0) {
ok |= del_krb_princ(ipasam_state, tmp_ctx, princ_l, trusted_dn);
failed = 0;
if ((trust_direction & LSA_TRUST_DIRECTION_INBOUND) != 0) {
failed += !del_krb_princ(ipasam_state, tmp_ctx, princ_r, trusted_dn);
failed += !del_krb_princ(ipasam_state, tmp_ctx, princ_r_tdo, trusted_dn);
ok = (failed == 0);
if (!ok) {
goto done;
}
}
if (!ok) {
goto done;
failed = 0;
if ((trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) != 0) {
failed += !del_krb_princ(ipasam_state, tmp_ctx, princ_l, trusted_dn);
failed += !del_krb_princ(ipasam_state, tmp_ctx, princ_l_tdo, trusted_dn);
ok = (failed == 0);
if (!ok) {
goto done;
}
}
break;
default:
@@ -2022,16 +2139,22 @@ done:
}
static bool set_cross_realm_princs(struct ipasam_private *ipasam_state,
const char *domain, const char *pwd, uint32_t trust_direction)
const char *domain, const char* flat_name,
const char *pwd_incoming, const char *pwd_outgoing,
uint32_t trust_direction)
{
return handle_cross_realm_princs(ipasam_state, domain, pwd, trust_direction, SET_PRINC);
return handle_cross_realm_princs(ipasam_state, domain, flat_name,
pwd_incoming,
pwd_outgoing,
trust_direction, SET_PRINC);
}
static bool del_cross_realm_princs(struct ipasam_private *ipasam_state,
const char *domain)
const char *domain, const char *flat_name)
{
uint32_t trust_direction = LSA_TRUST_DIRECTION_INBOUND | LSA_TRUST_DIRECTION_OUTBOUND;
return handle_cross_realm_princs(ipasam_state, domain, NULL, trust_direction, DEL_PRINC);
return handle_cross_realm_princs(ipasam_state, domain, flat_name,
NULL, NULL, trust_direction, DEL_PRINC);
}
static bool get_trusted_domain_int(struct ipasam_private *ipasam_state,
@@ -2179,7 +2302,6 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
if (dummy == NULL) {
DEBUG(9, ("Attribute %s not present.\n",
LDAP_ATTRIBUTE_TRUST_SID));
ZERO_STRUCT(td->security_identifier);
} else {
err = sss_idmap_sid_to_smb_sid(ipasam_state->idmap_ctx,
dummy, &sid);
@@ -2326,7 +2448,7 @@ static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods,
char *sid_str;
bool ok;
sid_str = sid_string_talloc(mem_ctx, sid);
sid_str = sid_talloc_string(ipasam_state->idmap_ctx, mem_ctx, sid);
if (sid_str == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -2439,8 +2561,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
int ret, i, count;
NTSTATUS status;
TALLOC_CTX *tmp_ctx;
char *trustpw;
char *sid;
char *trustpw_incoming, *trustpw_outgoing;
char *sid, *tda_name;
char **in_blacklist = NULL;
char **out_blacklist = NULL;
uint32_t enctypes, trust_offset;
@@ -2465,6 +2587,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
LDAP_OBJ_TRUSTED_DOMAIN);
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, "objectClass",
LDAP_OBJ_ID_OBJECT);
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, "objectClass",
LDAP_OBJ_POSIXACCOUNT);
}
if (entry != NULL) {
@@ -2477,12 +2601,23 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_GIDNUMBER,
ipasam_state->fallback_primary_group_gid_str);
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_HOMEDIRECTORY,
"/dev/null");
}
if (td->netbios_name != NULL) {
tda_name = talloc_asprintf(tmp_ctx, "%s$", td->netbios_name);
if (!tda_name) {
status = NT_STATUS_UNSUCCESSFUL;
goto done;
}
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_FLAT_NAME,
td->netbios_name);
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_UID,
tda_name);
}
if (td->domain_name != NULL) {
@@ -2494,7 +2629,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
if (!is_null_sid(&td->security_identifier)) {
smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
LDAP_ATTRIBUTE_TRUST_SID,
sid_string_talloc(tmp_ctx, &td->security_identifier));
sid_talloc_string(ipasam_state->idmap_ctx,
tmp_ctx, &td->security_identifier));
}
if (td->trust_type != 0) {
@@ -2618,13 +2754,38 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
if (entry == NULL) { /* FIXME: allow password updates here */
status = get_trust_pwd(tmp_ctx, &td->trust_auth_incoming,
&trustpw, NULL);
&trustpw_incoming, NULL);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
res = set_cross_realm_princs(ipasam_state, td->domain_name,
trustpw, td->trust_direction);
memset(trustpw, 0, strlen(trustpw));
status = get_trust_pwd(tmp_ctx, &td->trust_auth_outgoing,
&trustpw_outgoing, NULL);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
res = set_cross_realm_princs(ipasam_state, td->domain_name, td->netbios_name,
trustpw_incoming, trustpw_outgoing,
td->trust_direction);
{
/* Replace memset() use by an explicit loop to avoid
* both compile time and link time optimisations.
* We could have used memset_s() from C++11 but it is
* currently not implemented by GCC or glibc.
*/
volatile char *p = (void *) trustpw_incoming;
volatile char *q = (void *) trustpw_outgoing;
size_t plen = strlen(trustpw_incoming);
size_t qlen = strlen(trustpw_outgoing);
while (plen--) {
*p++ = '\0';
}
while (qlen--) {
*q++ = '\0';
}
}
if (!res) {
DEBUG(1, ("error writing cross realm principals!\n"));
status = NT_STATUS_UNSUCCESSFUL;
@@ -2693,7 +2854,7 @@ static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
talloc_get_type_abort(methods->private_data, struct ipasam_private);
LDAPMessage *entry = NULL;
char *dn;
const char *domain_name;
const char *domain_name, *flat_name;
TALLOC_CTX *tmp_ctx;
NTSTATUS status;
@@ -2731,7 +2892,17 @@ static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
goto done;
}
if (!del_cross_realm_princs(ipasam_state, domain_name)) {
flat_name = get_single_attribute(tmp_ctx, priv2ld(ipasam_state), entry,
LDAP_ATTRIBUTE_FLAT_NAME);
if (flat_name == NULL) {
DEBUG(1, ("Attribute %s not present.\n",
LDAP_ATTRIBUTE_FLAT_NAME));
status = NT_STATUS_INVALID_PARAMETER;
goto done;
}
if (!del_cross_realm_princs(ipasam_state, domain_name, flat_name)) {
DEBUG(1, ("error deleting cross realm principals!\n"));
status = NT_STATUS_UNSUCCESSFUL;
goto done;
@@ -3104,7 +3275,7 @@ static int ipasam_get_sid_by_gid(struct ipasam_private *ipasam_state,
}
sid_copy(_sid, sid);
unixid_from_gid(&id, gid);
ipasam_unixid_from_gid(&id, gid);
idmap_cache_set_sid2unixid(sid, &id);
@@ -3166,7 +3337,7 @@ static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx,
}
}
unixid_from_gid(&id, gid);
ipasam_unixid_from_gid(&id, gid);
idmap_cache_set_sid2unixid(group_sid, &id);
@@ -3187,6 +3358,7 @@ static bool init_sam_from_ldap(struct ipasam_private *ipasam_state,
LDAPMessage * entry)
{
char *username = NULL;
struct berval **usernames = NULL;
char *domain = NULL;
char *nt_username = NULL;
char *fullname = NULL;
@@ -3197,7 +3369,11 @@ static bool init_sam_from_ldap(struct ipasam_private *ipasam_state,
char *temp = NULL;
bool ret = false;
bool retval = false;
bool machine_account = false;
int status;
int len = 0;
int idx = 0;
size_t conv_size = 0;
DATA_BLOB nthash;
struct dom_sid *group_sid;
@@ -3216,13 +3392,45 @@ static bool init_sam_from_ldap(struct ipasam_private *ipasam_state,
goto fn_exit;
}
if (!(username = smbldap_talloc_first_attribute(priv2ld(ipasam_state),
entry, LDAP_ATTRIBUTE_UID, tmp_ctx))) {
usernames = ldap_get_values_len(priv2ld(ipasam_state), entry,
LDAP_ATTRIBUTE_UID);
if (usernames == NULL) {
DEBUG(1, ("init_sam_from_ldap: No uid attribute found for "
"this user!\n"));
goto fn_exit;
}
len = ldap_count_values_len(usernames);
if (len > 1) {
/* Extract machine account as a user name if exists.
* If not, extract the first returned value */
for (int i=0; i < len; i++) {
if (usernames[i] != NULL &&
usernames[i]->bv_len > 0 &&
usernames[i]->bv_val[usernames[i]->bv_len-1] == '$') {
idx = i;
machine_account = true;
break;
}
}
}
/* convert_string_talloc() will eventually call smb_iconv() which will
* implicitly allocate space for NULL-termination in an encoding we use,
* thus we are OK with passing non-NULL-terminated source string. */
retval = convert_string_talloc(tmp_ctx,
CH_UTF8, CH_UNIX,
usernames[idx]->bv_val,
usernames[idx]->bv_len,
(void**)&username,
&conv_size);
if (!retval) {
DEBUG(1, ("init_sam_from_ldap: error converting uid to UNIX encoding!\n"));
goto fn_exit;
}
DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
nt_username = talloc_strdup(tmp_ctx, username);
@@ -3293,7 +3501,9 @@ static bool init_sam_from_ldap(struct ipasam_private *ipasam_state,
}
pdb_set_acct_ctrl(sampass, ACB_NORMAL, PDB_SET);
/* Force machine accounts to be workstation trust type */
pdb_set_acct_ctrl(sampass, machine_account ? ACB_WSTRUST : ACB_NORMAL,
PDB_SET);
retval = smbldap_talloc_single_blob(tmp_ctx,
priv2ld(ipasam_state),
@@ -3336,6 +3546,9 @@ static bool init_sam_from_ldap(struct ipasam_private *ipasam_state,
fn_exit:
if (usernames != NULL) {
ldap_value_free_len(usernames);
}
talloc_free(tmp_ctx);
return ret;
}
@@ -3398,6 +3611,89 @@ done:
return status;
}
/*
* lookup of an account by SID
*
* Samba may ask for an account based on a SID value. Implement a callback to
* return a result of such lookup since we should have SID for every domain
* account that is supposed to be usable through SMB protocol.
*/
static NTSTATUS ipasam_getsampwsid(struct pdb_methods *methods,
struct samu *user,
const struct dom_sid *sid)
{
struct ipasam_private *ipasam_state =
talloc_get_type_abort(methods->private_data, struct ipasam_private);
TALLOC_CTX *tmp_ctx;
NTSTATUS status;
char *filter = NULL;
char *sid_str = NULL;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
int ret;
int count;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
sid_str = sid_talloc_string(ipasam_state->idmap_ctx, tmp_ctx, sid);
if (sid_str == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
filter = talloc_asprintf(tmp_ctx, "(&(|(%s=%s)(%s=%s))(%s=%s))",
LDAP_ATTRIBUTE_OBJECTCLASS,
LDAP_OBJ_SAMBASAMACCOUNT,
LDAP_ATTRIBUTE_OBJECTCLASS,
LDAP_OBJ_ID_OBJECT,
LDAP_ATTRIBUTE_SID, sid_str);
if (filter == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
ret = smbldap_search(ipasam_state->ldap_state,
ipasam_state->base_dn,
LDAP_SCOPE_SUBTREE, filter, NULL, 0,
&result);
if (ret != LDAP_SUCCESS) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
count = ldap_count_entries(priv2ld(ipasam_state), result);
if (count != 1) {
DEBUG(3, ("Expected single entry returned for a SID lookup. "
"Got %d. Refuse lookup by SID %s", count, sid_str));
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
entry = ldap_first_entry(priv2ld(ipasam_state), result);
if (entry == NULL) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
if (!init_sam_from_ldap(ipasam_state, user, entry)) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
status = NT_STATUS_OK;
done:
if (result != NULL) {
ldap_msgfree(result);
}
talloc_free(tmp_ctx);
return status;
}
static NTSTATUS ipasam_getsampwnam(struct pdb_methods *methods,
struct samu *user,
const char *sname)
@@ -3621,7 +3917,8 @@ static void ipasam_free_private_data(void **vp)
(*ipasam_state)->result = NULL;
}
if ((*ipasam_state)->domain_dn != NULL) {
SAFE_FREE((*ipasam_state)->domain_dn);
free((*ipasam_state)->domain_dn);
(*ipasam_state)->domain_dn = NULL;
}
*ipasam_state = NULL;
@@ -4707,6 +5004,7 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
ipasam_state->supported_enctypes = enctypes;
(*pdb_method)->getsampwnam = ipasam_getsampwnam;
(*pdb_method)->getsampwsid = ipasam_getsampwsid;
(*pdb_method)->search_users = ipasam_search_users;
(*pdb_method)->search_groups = ipasam_search_groups;
(*pdb_method)->search_aliases = ipasam_search_aliases;