diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-05-17 13:39:42 +1000 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2010-05-18 21:39:42 +0200 |
commit | 7a8e34fe868158ee5591e1640477d28c62de5b67 (patch) | |
tree | d36088a3e3e1a3928bb77bb9d3dbb3389d74ebc8 /source3/passdb/secrets.c | |
parent | 1ffc65d462ab7ebb61efc30e8305e70789d219fb (diff) | |
download | samba-7a8e34fe868158ee5591e1640477d28c62de5b67.tar.gz samba-7a8e34fe868158ee5591e1640477d28c62de5b67.tar.xz samba-7a8e34fe868158ee5591e1640477d28c62de5b67.zip |
s3:split secrets.c to put machine account secrets in a new file
This helps the s3compat effort by allowing these functions to be
replaced by functions that query the cli_credentials and secrets.ldb
APIs.
Also, this changes a couple of DOM_SID to struct dom_sid along the
way.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'source3/passdb/secrets.c')
-rw-r--r-- | source3/passdb/secrets.c | 366 |
1 files changed, 0 insertions, 366 deletions
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c index 6d4fd2a41d..a0bc4cea94 100644 --- a/source3/passdb/secrets.c +++ b/source3/passdb/secrets.c @@ -31,9 +31,6 @@ static struct db_context *db_ctx; -/* Urrrg. global.... */ -bool global_machine_password_needs_changing; - /** * Use a TDB to store an incrementing random seed. * @@ -169,98 +166,6 @@ bool secrets_delete(const char *key) return NT_STATUS_IS_OK(status); } -/** - * Form a key for fetching the domain sid - * - * @param domain domain name - * - * @return keystring - **/ -static const char *domain_sid_keystr(const char *domain) -{ - char *keystr; - - keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s", - SECRETS_DOMAIN_SID, domain); - SMB_ASSERT(keystr != NULL); - return keystr; -} - -bool secrets_store_domain_sid(const char *domain, const DOM_SID *sid) -{ - bool ret; - - ret = secrets_store(domain_sid_keystr(domain), sid, sizeof(DOM_SID)); - - /* Force a re-query, in case we modified our domain */ - if (ret) - reset_global_sam_sid(); - return ret; -} - -bool secrets_fetch_domain_sid(const char *domain, DOM_SID *sid) -{ - DOM_SID *dyn_sid; - size_t size = 0; - - dyn_sid = (DOM_SID *)secrets_fetch(domain_sid_keystr(domain), &size); - - if (dyn_sid == NULL) - return False; - - if (size != sizeof(DOM_SID)) { - SAFE_FREE(dyn_sid); - return False; - } - - *sid = *dyn_sid; - SAFE_FREE(dyn_sid); - return True; -} - -bool secrets_store_domain_guid(const char *domain, struct GUID *guid) -{ - fstring key; - - slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain); - strupper_m(key); - return secrets_store(key, guid, sizeof(struct GUID)); -} - -bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid) -{ - struct GUID *dyn_guid; - fstring key; - size_t size = 0; - struct GUID new_guid; - - slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain); - strupper_m(key); - dyn_guid = (struct GUID *)secrets_fetch(key, &size); - - if (!dyn_guid) { - if (lp_server_role() == ROLE_DOMAIN_PDC) { - new_guid = GUID_random(); - if (!secrets_store_domain_guid(domain, &new_guid)) - return False; - dyn_guid = (struct GUID *)secrets_fetch(key, &size); - } - if (dyn_guid == NULL) { - return False; - } - } - - if (size != sizeof(struct GUID)) { - DEBUG(1,("UUID size %d is wrong!\n", (int)size)); - SAFE_FREE(dyn_guid); - return False; - } - - *guid = *dyn_guid; - SAFE_FREE(dyn_guid); - return True; -} - bool secrets_store_local_schannel_key(uint8_t schannel_key[16]) { return secrets_store(SECRETS_LOCAL_SCHANNEL_KEY, schannel_key, 16); @@ -287,77 +192,6 @@ bool secrets_fetch_local_schannel_key(uint8_t schannel_key[16]) } /** - * Form a key for fetching the machine trust account sec channel type - * - * @param domain domain name - * - * @return keystring - **/ -static const char *machine_sec_channel_type_keystr(const char *domain) -{ - char *keystr; - - keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s", - SECRETS_MACHINE_SEC_CHANNEL_TYPE, - domain); - SMB_ASSERT(keystr != NULL); - return keystr; -} - -/** - * Form a key for fetching the machine trust account last change time - * - * @param domain domain name - * - * @return keystring - **/ -static const char *machine_last_change_time_keystr(const char *domain) -{ - char *keystr; - - keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s", - SECRETS_MACHINE_LAST_CHANGE_TIME, - domain); - SMB_ASSERT(keystr != NULL); - return keystr; -} - - -/** - * Form a key for fetching the machine trust account password - * - * @param domain domain name - * - * @return keystring - **/ -static const char *machine_password_keystr(const char *domain) -{ - char *keystr; - - keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s", - SECRETS_MACHINE_PASSWORD, domain); - SMB_ASSERT(keystr != NULL); - return keystr; -} - -/** - * Form a key for fetching the machine trust account password - * - * @param domain domain name - * - * @return stored password's key - **/ -static const char *trust_keystr(const char *domain) -{ - char *keystr; - - keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s", - SECRETS_MACHINE_ACCT_PASS, domain); - SMB_ASSERT(keystr != NULL); - return keystr; -} - -/** * Form a key for fetching a trusted domain password * * @param domain trusted domain name @@ -376,108 +210,6 @@ static char *trustdom_keystr(const char *domain) } /************************************************************************ - Lock the trust password entry. -************************************************************************/ - -void *secrets_get_trust_account_lock(TALLOC_CTX *mem_ctx, const char *domain) -{ - if (!secrets_init()) { - return NULL; - } - - return db_ctx->fetch_locked( - db_ctx, mem_ctx, string_term_tdb_data(trust_keystr(domain))); -} - -/************************************************************************ - Routine to get the default secure channel type for trust accounts -************************************************************************/ - -enum netr_SchannelType get_default_sec_channel(void) -{ - if (lp_server_role() == ROLE_DOMAIN_BDC || - lp_server_role() == ROLE_DOMAIN_PDC) { - return SEC_CHAN_BDC; - } else { - return SEC_CHAN_WKSTA; - } -} - -/************************************************************************ - Routine to get the trust account password for a domain. - This only tries to get the legacy hashed version of the password. - The user of this function must have locked the trust password file using - the above secrets_lock_trust_account_password(). -************************************************************************/ - -bool secrets_fetch_trust_account_password_legacy(const char *domain, - uint8 ret_pwd[16], - time_t *pass_last_set_time, - enum netr_SchannelType *channel) -{ - struct machine_acct_pass *pass; - size_t size = 0; - - if (!(pass = (struct machine_acct_pass *)secrets_fetch( - trust_keystr(domain), &size))) { - DEBUG(5, ("secrets_fetch failed!\n")); - return False; - } - - if (size != sizeof(*pass)) { - DEBUG(0, ("secrets were of incorrect size!\n")); - SAFE_FREE(pass); - return False; - } - - if (pass_last_set_time) { - *pass_last_set_time = pass->mod_time; - } - memcpy(ret_pwd, pass->hash, 16); - - if (channel) { - *channel = get_default_sec_channel(); - } - - /* Test if machine password has expired and needs to be changed */ - if (lp_machine_password_timeout()) { - if (pass->mod_time > 0 && time(NULL) > (pass->mod_time + - (time_t)lp_machine_password_timeout())) { - global_machine_password_needs_changing = True; - } - } - - SAFE_FREE(pass); - return True; -} - -/************************************************************************ - Routine to get the trust account password for a domain. - The user of this function must have locked the trust password file using - the above secrets_lock_trust_account_password(). -************************************************************************/ - -bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16], - time_t *pass_last_set_time, - enum netr_SchannelType *channel) -{ - char *plaintext; - - plaintext = secrets_fetch_machine_password(domain, pass_last_set_time, - channel); - if (plaintext) { - DEBUG(4,("Using cleartext machine password\n")); - E_md4hash(plaintext, ret_pwd); - SAFE_FREE(plaintext); - return True; - } - - return secrets_fetch_trust_account_password_legacy(domain, ret_pwd, - pass_last_set_time, - channel); -} - -/************************************************************************ Routine to get account password to trusted domain ************************************************************************/ @@ -571,104 +303,6 @@ bool secrets_store_trusted_domain_password(const char* domain, const char* pwd, } /************************************************************************ - Routine to delete the plaintext machine account password -************************************************************************/ - -bool secrets_delete_machine_password(const char *domain) -{ - return secrets_delete(machine_password_keystr(domain)); -} - -/************************************************************************ - Routine to delete the plaintext machine account password, sec channel type and - last change time from secrets database -************************************************************************/ - -bool secrets_delete_machine_password_ex(const char *domain) -{ - if (!secrets_delete(machine_password_keystr(domain))) { - return false; - } - if (!secrets_delete(machine_sec_channel_type_keystr(domain))) { - return false; - } - return secrets_delete(machine_last_change_time_keystr(domain)); -} - -/************************************************************************ - Routine to delete the domain sid -************************************************************************/ - -bool secrets_delete_domain_sid(const char *domain) -{ - return secrets_delete(domain_sid_keystr(domain)); -} - -/************************************************************************ - Routine to set the plaintext machine account password for a realm -the password is assumed to be a null terminated ascii string -************************************************************************/ - -bool secrets_store_machine_password(const char *pass, const char *domain, - enum netr_SchannelType sec_channel) -{ - bool ret; - uint32 last_change_time; - uint32 sec_channel_type; - - ret = secrets_store(machine_password_keystr(domain), pass, strlen(pass)+1); - if (!ret) - return ret; - - SIVAL(&last_change_time, 0, time(NULL)); - ret = secrets_store(machine_last_change_time_keystr(domain), &last_change_time, sizeof(last_change_time)); - - SIVAL(&sec_channel_type, 0, sec_channel); - ret = secrets_store(machine_sec_channel_type_keystr(domain), &sec_channel_type, sizeof(sec_channel_type)); - - return ret; -} - -/************************************************************************ - Routine to fetch the plaintext machine account password for a realm - the password is assumed to be a null terminated ascii string. -************************************************************************/ - -char *secrets_fetch_machine_password(const char *domain, - time_t *pass_last_set_time, - enum netr_SchannelType *channel) -{ - char *ret; - ret = (char *)secrets_fetch(machine_password_keystr(domain), NULL); - - if (pass_last_set_time) { - size_t size; - uint32 *last_set_time; - last_set_time = (unsigned int *)secrets_fetch(machine_last_change_time_keystr(domain), &size); - if (last_set_time) { - *pass_last_set_time = IVAL(last_set_time,0); - SAFE_FREE(last_set_time); - } else { - *pass_last_set_time = 0; - } - } - - if (channel) { - size_t size; - uint32 *channel_type; - channel_type = (unsigned int *)secrets_fetch(machine_sec_channel_type_keystr(domain), &size); - if (channel_type) { - *channel = IVAL(channel_type,0); - SAFE_FREE(channel_type); - } else { - *channel = get_default_sec_channel(); - } - } - - return ret; -} - -/************************************************************************ Routine to delete the password for trusted domain ************************************************************************/ |