LCOV - code coverage report
Current view: top level - source4/dsdb/samdb - samdb.c (source / functions) Hit Total Coverage
Test: coverage report for abartlet/fix-coverage dd10fb34 Lines: 61 72 84.7 %
Date: 2021-09-23 10:06:22 Functions: 3 3 100.0 %

          Line data    Source code
       1             : /* 
       2             :    Unix SMB/CIFS implementation.
       3             : 
       4             :    interface functions for the sam database
       5             : 
       6             :    Copyright (C) Andrew Tridgell 2004
       7             :    Copyright (C) Volker Lendecke 2004
       8             :    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
       9             : 
      10             :    This program is free software; you can redistribute it and/or modify
      11             :    it under the terms of the GNU General Public License as published by
      12             :    the Free Software Foundation; either version 3 of the License, or
      13             :    (at your option) any later version.
      14             :    
      15             :    This program is distributed in the hope that it will be useful,
      16             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      17             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      18             :    GNU General Public License for more details.
      19             :    
      20             :    You should have received a copy of the GNU General Public License
      21             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      22             : */
      23             : 
      24             : #include "includes.h"
      25             : #include "librpc/gen_ndr/ndr_netlogon.h"
      26             : #include "librpc/gen_ndr/ndr_security.h"
      27             : #include "lib/events/events.h"
      28             : #include "lib/ldb-samba/ldb_wrap.h"
      29             : #include <ldb.h>
      30             : #include <ldb_errors.h>
      31             : #include "libcli/security/security.h"
      32             : #include "libcli/auth/libcli_auth.h"
      33             : #include "libcli/ldap/ldap_ndr.h"
      34             : #include "system/time.h"
      35             : #include "system/filesys.h"
      36             : #include "ldb_wrap.h"
      37             : #include "../lib/util/util_ldb.h"
      38             : #include "dsdb/samdb/samdb.h"
      39             : #include "../libds/common/flags.h"
      40             : #include "param/param.h"
      41             : #include "lib/events/events.h"
      42             : #include "auth/credentials/credentials.h"
      43             : #include "param/secrets.h"
      44             : #include "auth/auth.h"
      45             : #include "lib/tsocket/tsocket.h"
      46             : 
      47             : /*
      48             :   connect to the SAM database specified by URL
      49             :   return an opaque context pointer on success, or NULL on failure
      50             :  */
      51      187449 : int samdb_connect_url(TALLOC_CTX *mem_ctx,
      52             :                       struct tevent_context *ev_ctx,
      53             :                       struct loadparm_context *lp_ctx,
      54             :                       struct auth_session_info *session_info,
      55             :                       unsigned int flags,
      56             :                       const char *url,
      57             :                       const struct tsocket_address *remote_address,
      58             :                       struct ldb_context **ldb_ret,
      59             :                       char **errstring)
      60             : {
      61      187449 :         struct ldb_context *ldb = NULL;
      62             :         int ret;
      63      187449 :         *ldb_ret = NULL;
      64      187449 :         *errstring = NULL;
      65             : 
      66             :         /* We create sam.ldb in provision, and never anywhere else */
      67      187449 :         flags |= LDB_FLG_DONT_CREATE_DB;
      68             : 
      69      187449 :         if (remote_address == NULL) {
      70      134927 :                 ldb = ldb_wrap_find(url, ev_ctx, lp_ctx,
      71             :                                     session_info, NULL, flags);
      72      134927 :                 if (ldb != NULL) {
      73       60981 :                         *ldb_ret = talloc_reference(mem_ctx, ldb);
      74       60981 :                         if (*ldb_ret == NULL) {
      75           0 :                                 return LDB_ERR_OPERATIONS_ERROR;
      76             :                         }
      77       60981 :                         return LDB_SUCCESS;
      78             :                 }
      79             :         }
      80             : 
      81      126468 :         ldb = samba_ldb_init(mem_ctx, ev_ctx, lp_ctx, session_info, NULL);
      82             : 
      83      126468 :         if (ldb == NULL) {
      84           0 :                 *errstring = talloc_asprintf(mem_ctx,
      85             :                                              "Failed to set up Samba ldb "
      86             :                                              "wrappers with samba_ldb_init() "
      87             :                                              "to connect to %s",
      88             :                                              url);
      89           0 :                 return LDB_ERR_OPERATIONS_ERROR;
      90             :         }
      91             : 
      92      126468 :         dsdb_set_global_schema(ldb);
      93             : 
      94      126468 :         ret = samba_ldb_connect(ldb, lp_ctx, url, flags);
      95      126468 :         if (ret != LDB_SUCCESS) {
      96           4 :                 *errstring = talloc_asprintf(mem_ctx,
      97             :                                              "Failed to connect to %s: %s",
      98             :                                              url,
      99             :                                              ldb_errstring(ldb));
     100           4 :                 talloc_free(ldb);
     101           4 :                 return LDB_ERR_OPERATIONS_ERROR;
     102             :         }
     103             : 
     104             :         /*
     105             :          * If a remote_address was specified, then set it on the DB
     106             :          * and do not add to the wrap list (as we need to keep the LDB
     107             :          * pointer unique for the address).
     108             :          *
     109             :          * We use this for audit logging and for the "netlogon" attribute
     110             :          */
     111      126464 :         if (remote_address != NULL) {
     112       52522 :                 ldb_set_opaque(ldb, "remoteAddress",
     113             :                                discard_const(remote_address));
     114       52522 :                 *ldb_ret = ldb;
     115       52522 :                 return LDB_SUCCESS;
     116             :         }
     117             :                 
     118       73942 :         if (!ldb_wrap_add(url, ev_ctx, lp_ctx, session_info, NULL, flags, ldb)) {
     119           0 :                 *errstring = talloc_asprintf(mem_ctx,
     120             :                                              "Failed to add cached DB reference"
     121             :                                              " to %s",
     122             :                                              url);
     123           0 :                 talloc_free(ldb);
     124           0 :                 return LDB_ERR_OPERATIONS_ERROR;
     125             :         }
     126             : 
     127       73942 :         *ldb_ret = ldb;
     128       73942 :         return LDB_SUCCESS;
     129             : }
     130             : 
     131             : 
     132             : /*
     133             :   connect to the SAM database
     134             :   return an opaque context pointer on success, or NULL on failure
     135             :  */
     136      142287 : struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
     137             :                                   struct tevent_context *ev_ctx,
     138             :                                   struct loadparm_context *lp_ctx,
     139             :                                   struct auth_session_info *session_info,
     140             :                                   const struct tsocket_address *remote_address,
     141             :                                   unsigned int flags)
     142             : {
     143             :         char *errstring;
     144             :         struct ldb_context *ldb;
     145      142287 :         int ret = samdb_connect_url(mem_ctx,
     146             :                                     ev_ctx,
     147             :                                     lp_ctx,
     148             :                                     session_info,
     149             :                                     flags,
     150             :                                     "sam.ldb",
     151             :                                     remote_address,
     152             :                                     &ldb,
     153             :                                     &errstring);
     154      142287 :         if (ret == LDB_SUCCESS) {
     155      142283 :                 return ldb;
     156             :         }
     157           4 :         return NULL;
     158             : }
     159             : 
     160             : /****************************************************************************
     161             :  Create the SID list for this user.
     162             : ****************************************************************************/
     163       73553 : NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, 
     164             :                                struct loadparm_context *lp_ctx,
     165             :                                unsigned int num_sids,
     166             :                                struct dom_sid *sids,
     167             :                                uint32_t session_info_flags,
     168             :                                struct security_token **token)
     169             : {
     170             :         struct security_token *ptoken;
     171             :         unsigned int i;
     172             :         NTSTATUS status;
     173             : 
     174       73553 :         ptoken = security_token_initialise(mem_ctx);
     175       73553 :         NT_STATUS_HAVE_NO_MEMORY(ptoken);
     176             : 
     177       73553 :         ptoken->sids = talloc_array(ptoken, struct dom_sid, num_sids + 6 /* over-allocate */);
     178       73553 :         NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
     179             : 
     180       73553 :         ptoken->num_sids = 0;
     181             : 
     182      549260 :         for (i = 0; i < num_sids; i++) {
     183             :                 size_t check_sid_idx;
     184     2692492 :                 for (check_sid_idx = 0;
     185     3033062 :                      check_sid_idx < ptoken->num_sids;
     186     2557355 :                      check_sid_idx++) {
     187     2557355 :                         if (dom_sid_equal(&ptoken->sids[check_sid_idx], &sids[i])) {
     188           0 :                                 break;
     189             :                         }
     190             :                 }
     191             : 
     192      475707 :                 if (check_sid_idx == ptoken->num_sids) {
     193      475707 :                         ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
     194      475707 :                         NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
     195             : 
     196      475707 :                         ptoken->sids[ptoken->num_sids] = sids[i];
     197      475707 :                         ptoken->num_sids++;
     198             :                 }
     199             :         }
     200             : 
     201             :         /* The caller may have requested simple privilages, for example if there isn't a local DB */
     202       73553 :         if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
     203             :                 /* Shortcuts to prevent recursion and avoid lookups */
     204       39443 :                 if (ptoken->sids == NULL) {
     205           0 :                         ptoken->privilege_mask = 0;
     206       39443 :                 } else if (security_token_is_system(ptoken)) {
     207        5409 :                         ptoken->privilege_mask = ~0;
     208       34034 :                 } else if (security_token_is_anonymous(ptoken)) {
     209       31277 :                         ptoken->privilege_mask = 0;
     210        2757 :                 } else if (security_token_has_builtin_administrators(ptoken)) {
     211        1214 :                         ptoken->privilege_mask = ~0;
     212             :                 } else {
     213             :                         /* All other 'users' get a empty priv set so far */
     214        1543 :                         ptoken->privilege_mask = 0;
     215             :                 }
     216             :         } else {
     217             :                 /* setup the privilege mask for this token */
     218       34110 :                 status = samdb_privilege_setup(lp_ctx, ptoken);
     219       34110 :                 if (!NT_STATUS_IS_OK(status)) {
     220           0 :                         talloc_free(ptoken);
     221           0 :                         DEBUG(1,("Unable to access privileges database\n"));
     222           0 :                         return status;
     223             :                 }
     224             :         }
     225             : 
     226       73553 :         security_token_debug(0, 10, ptoken);
     227             : 
     228       73553 :         *token = ptoken;
     229             : 
     230       73553 :         return NT_STATUS_OK;
     231             : }

Generated by: LCOV version 1.13