static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
struct ldb_dn *dn,
struct security_token *token,
struct ldb_context *ldb)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
struct dom_sid *dag_sid;
struct ldb_dn *nc_root;
int ret;
ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return NULL;
}
if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
if (security_token_has_sid(token, sa_sid)) {
dag_sid = dom_sid_dup(mem_ctx, sa_sid);
} else if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_is_system(token)) {
dag_sid = dom_sid_dup(mem_ctx, sa_sid);
} else {
dag_sid = NULL;
}
} else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_is_system(token)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else {
dag_sid = NULL;
}
} else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_is_system(token)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else {
dag_sid = NULL;
}
} else {
dag_sid = NULL;
}
talloc_free(tmp_ctx);
return dag_sid;
}
/*
compare two dns
*/
static int samba_ldb_dn_link_comparison(struct ldb_context *ldb, void *mem_ctx,
const struct ldb_val *v1, const struct ldb_val *v2)
{
struct ldb_dn *dn1 = NULL, *dn2 = NULL;
int ret;
if (dsdb_dn_is_deleted_val(v1)) {
/* If the DN is deleted, then we can't search for it */
return -1;
}
if (dsdb_dn_is_deleted_val(v2)) {
/* If the DN is deleted, then we can't search for it */
return -1;
}
dn1 = ldb_dn_from_ldb_val(mem_ctx, ldb, v1);
if ( ! ldb_dn_validate(dn1)) return -1;
dn2 = ldb_dn_from_ldb_val(mem_ctx, ldb, v2);
if ( ! ldb_dn_validate(dn2)) {
talloc_free(dn1);
return -1;
}
ret = ldb_dn_compare(dn1, dn2);
talloc_free(dn1);
talloc_free(dn2);
return ret;
}
bool is_root_base_dn(struct ldb_context *ldb, struct ldb_dn *dn_to_check)
{
int result;
struct ldb_dn *root_base_dn = ldb_get_root_basedn(ldb);
result = ldb_dn_compare(root_base_dn,dn_to_check);
return (result==0);
}
static int dn_cmp(const void *p1, const void *p2)
{
const struct ldb_message *msg1, *msg2;
msg1 = *(const struct ldb_message * const *)p1;
msg2 = *(const struct ldb_message * const *)p2;
return ldb_dn_compare(msg1->dn, msg2->dn);
}
static int construct_modifyTimeStamp(struct ldb_module *module,
struct ldb_message *msg, enum ldb_scope scope,
struct ldb_request *parent)
{
struct operational_data *data = talloc_get_type(ldb_module_get_private(module), struct operational_data);
struct ldb_context *ldb = ldb_module_get_ctx(module);
/* We may be being called before the init function has finished */
if (!data) {
return LDB_SUCCESS;
}
/* Try and set this value up, if possible. Don't worry if it
* fails, we may not have the DB set up yet.
*/
if (!data->aggregate_dn) {
data->aggregate_dn = samdb_aggregate_schema_dn(ldb, data);
}
if (data->aggregate_dn && ldb_dn_compare(data->aggregate_dn, msg->dn) == 0) {
/*
* If we have the DN for the object with common name = Aggregate and
* the request is for this DN then let's do the following:
* 1) search the object which changedUSN correspond to the one of the loaded
* schema.
* 2) Get the whenChanged attribute
* 3) Generate the modifyTimestamp out of the whenChanged attribute
*/
const struct dsdb_schema *schema = dsdb_get_schema(ldb, NULL);
char *value = ldb_timestring(msg, schema->ts_last_change);
return ldb_msg_add_string(msg, "modifyTimeStamp", value);
}
return ldb_msg_copy_attr(msg, "whenChanged", "modifyTimeStamp");
}
/*
construct msDS-UserPasswordExpiryTimeComputed
*/
static int construct_msds_user_password_expiry_time_computed(struct ldb_module *module,
struct ldb_message *msg, enum ldb_scope scope,
struct ldb_request *parent)
{
struct ldb_context *ldb = ldb_module_get_ctx(module);
struct ldb_dn *nc_root;
int64_t password_expiry_time;
int ret;
ret = dsdb_find_nc_root(ldb, msg, msg->dn, &nc_root);
if (ret != 0) {
ldb_asprintf_errstring(ldb,
"Failed to find NC root of DN: %s: %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb));
return ret;
}
if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) != 0) {
/* Only calculate this on our default NC */
return 0;
}
password_expiry_time
= get_msds_user_password_expiry_time_computed(module, msg,
nc_root);
return samdb_msg_add_int64(ldb,
msg->elements, msg,
"msDS-UserPasswordExpiryTimeComputed",
password_expiry_time);
}
static int do_compare_msg(struct ldb_message **el1,
struct ldb_message **el2,
void *opaque)
{
struct ldb_context *ldb = talloc_get_type(opaque, struct ldb_context);
return ldb_dn_compare(ldb, (*el1)->dn, (*el2)->dn);
}
/*
construct msDS-User-Account-Control-Computed attr
*/
static int construct_msds_user_account_control_computed(struct ldb_module *module,
struct ldb_message *msg, enum ldb_scope scope,
struct ldb_request *parent)
{
uint32_t userAccountControl;
uint32_t msDS_User_Account_Control_Computed = 0;
struct ldb_context *ldb = ldb_module_get_ctx(module);
NTTIME now;
struct ldb_dn *nc_root;
int ret;
ret = dsdb_find_nc_root(ldb, msg, msg->dn, &nc_root);
if (ret != 0) {
ldb_asprintf_errstring(ldb,
"Failed to find NC root of DN: %s: %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb_module_get_ctx(module)));
return ret;
}
if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) != 0) {
/* Only calculate this on our default NC */
return 0;
}
/* Test account expire time */
unix_to_nt_time(&now, time(NULL));
userAccountControl = ldb_msg_find_attr_as_uint(msg,
"userAccountControl",
0);
if (!(userAccountControl & _UF_TRUST_ACCOUNTS)) {
int64_t lockoutTime = ldb_msg_find_attr_as_int64(msg, "lockoutTime", 0);
if (lockoutTime != 0) {
int64_t lockoutDuration = samdb_search_int64(ldb,
msg, 0, nc_root,
"lockoutDuration", NULL);
if (lockoutDuration >= 0) {
msDS_User_Account_Control_Computed |= UF_LOCKOUT;
} else if (lockoutTime - lockoutDuration >= now) {
msDS_User_Account_Control_Computed |= UF_LOCKOUT;
}
}
}
if (!(userAccountControl & _UF_NO_EXPIRY_ACCOUNTS)) {
NTTIME must_change_time
= get_msds_user_password_expiry_time_computed(module,
msg, nc_root);
/* check for expired password */
if (must_change_time < now) {
msDS_User_Account_Control_Computed |= UF_PASSWORD_EXPIRED;
}
}
return samdb_msg_add_int64(ldb,
msg->elements, msg,
"msDS-User-Account-Control-Computed",
msDS_User_Account_Control_Computed);
}
static int acl_add(struct ldb_module *module, struct ldb_request *req)
{
int ret;
struct ldb_dn *parent = ldb_dn_get_parent(req, req->op.add.message->dn);
struct ldb_context *ldb;
struct ldb_message_element *oc_el;
const struct GUID *guid;
struct object_tree *root = NULL;
struct object_tree *new_node = NULL;
if (what_is_user(module) == SECURITY_SYSTEM) {
return ldb_next_request(module, req);
}
if (ldb_dn_is_special(req->op.add.message->dn)) {
return ldb_next_request(module, req);
}
ldb = ldb_module_get_ctx(module);
/* Creating an NC. There is probably something we should do here,
* but we will establish that later */
if ((ldb_dn_compare(req->op.add.message->dn, (ldb_get_schema_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.add.message->dn, (ldb_get_config_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.add.message->dn, (ldb_get_root_basedn(ldb))) == 0)) {
return ldb_next_request(module, req);
}
oc_el = ldb_msg_find_element(req->op.add.message, "objectClass");
if (!oc_el || oc_el->num_values == 0) {
DEBUG(10,("acl:operation error %s\n", ldb_dn_get_linearized(req->op.add.message->dn)));
return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
}
guid = class_schemaid_guid_by_lDAPDisplayName(dsdb_get_schema(ldb),
(char *)oc_el->values[oc_el->num_values-1].data);
if (!insert_in_object_tree(req, guid, SEC_ADS_CREATE_CHILD, &root, &new_node)) {
return LDB_ERR_OPERATIONS_ERROR;
}
ret = check_access_on_dn(module, req, parent, SEC_ADS_CREATE_CHILD, root);
if (ret != LDB_SUCCESS) {
return ret;
}
return ldb_next_request(module, req);
}
/*
match a simple leaf node
*/
static int ldb_match_equality(struct ldb_context *ldb,
const struct ldb_message *msg,
const struct ldb_parse_tree *tree,
enum ldb_scope scope,
bool *matched)
{
unsigned int i;
struct ldb_message_element *el;
const struct ldb_schema_attribute *a;
struct ldb_dn *valuedn;
int ret;
if (ldb_attr_dn(tree->u.equality.attr) == 0) {
valuedn = ldb_dn_from_ldb_val(ldb, ldb, &tree->u.equality.value);
if (valuedn == NULL) {
return LDB_ERR_INVALID_DN_SYNTAX;
}
ret = ldb_dn_compare(msg->dn, valuedn);
talloc_free(valuedn);
*matched = (ret == 0);
return LDB_SUCCESS;
}
/* TODO: handle the "*" case derived from an extended search
operation without the attibute type defined */
el = ldb_msg_find_element(msg, tree->u.equality.attr);
if (el == NULL) {
*matched = false;
return LDB_SUCCESS;
}
a = ldb_schema_attribute_by_name(ldb, el->name);
if (a == NULL) {
return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
}
for (i=0;i<el->num_values;i++) {
if (a->syntax->operator_fn) {
ret = a->syntax->operator_fn(ldb, LDB_OP_EQUALITY, a,
&tree->u.equality.value, &el->values[i], matched);
if (ret != LDB_SUCCESS) return ret;
if (*matched) return LDB_SUCCESS;
} else {
if (a->syntax->comparison_fn(ldb, ldb, &tree->u.equality.value,
&el->values[i]) == 0) {
*matched = true;
return LDB_SUCCESS;
}
}
}
*matched = false;
return LDB_SUCCESS;
}
static NTSTATUS unbecomeDC_ldap_move_computer(struct libnet_UnbecomeDC_state *s)
{
int ret;
struct ldb_result *r;
struct ldb_dn *basedn;
struct ldb_dn *old_dn;
struct ldb_dn *new_dn;
static const char *_1_1_attrs[] = {
"1.1",
NULL
};
basedn = ldb_dn_new_fmt(s, s->ldap.ldb, "<WKGUID=aa312825768811d1aded00c04fd8d5cd,%s>",
s->domain.dn_str);
NT_STATUS_HAVE_NO_MEMORY(basedn);
ret = ldb_search(s->ldap.ldb, s, &r, basedn, LDB_SCOPE_BASE,
_1_1_attrs, "(objectClass=*)");
talloc_free(basedn);
if (ret != LDB_SUCCESS) {
return NT_STATUS_LDAP(ret);
} else if (r->count != 1) {
talloc_free(r);
return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
old_dn = ldb_dn_new(r, s->ldap.ldb, s->dest_dsa.computer_dn_str);
NT_STATUS_HAVE_NO_MEMORY(old_dn);
new_dn = r->msgs[0]->dn;
if (!ldb_dn_add_child_fmt(new_dn, "CN=%s", s->dest_dsa.netbios_name)) {
talloc_free(r);
return NT_STATUS_NO_MEMORY;
}
if (ldb_dn_compare(old_dn, new_dn) == 0) {
/* we don't need to rename if the old and new dn match */
talloc_free(r);
return NT_STATUS_OK;
}
ret = ldb_rename(s->ldap.ldb, old_dn, new_dn);
if (ret != LDB_SUCCESS) {
talloc_free(r);
return NT_STATUS_LDAP(ret);
}
s->dest_dsa.computer_dn_str = ldb_dn_alloc_linearized(s, new_dn);
NT_STATUS_HAVE_NO_MEMORY(s->dest_dsa.computer_dn_str);
talloc_free(r);
return NT_STATUS_OK;
}
/*
see if two DNs match, comparing first by GUID, then by SID, and
finally by string components
*/
static int samba_dn_extended_match(struct ldb_context *ldb,
const struct ldb_val *v1,
const struct ldb_val *v2,
bool *matched)
{
TALLOC_CTX *tmp_ctx;
struct ldb_dn *dn1, *dn2;
const struct ldb_val *guid1, *guid2, *sid1, *sid2;
uint32_t rmd_flags1, rmd_flags2;
tmp_ctx = talloc_new(ldb);
dn1 = ldb_dn_from_ldb_val(tmp_ctx, ldb, v1);
dn2 = ldb_dn_from_ldb_val(tmp_ctx, ldb, v2);
if (!dn1 || !dn2) {
/* couldn't parse as DN's */
talloc_free(tmp_ctx);
(*matched) = false;
return LDB_SUCCESS;
}
rmd_flags1 = dsdb_dn_rmd_flags(dn1);
rmd_flags2 = dsdb_dn_rmd_flags(dn2);
if ((rmd_flags1 & DSDB_RMD_FLAG_DELETED) !=
(rmd_flags2 & DSDB_RMD_FLAG_DELETED)) {
/* only match if they have the same deletion status */
talloc_free(tmp_ctx);
(*matched) = false;
return LDB_SUCCESS;
}
guid1 = ldb_dn_get_extended_component(dn1, "GUID");
guid2 = ldb_dn_get_extended_component(dn2, "GUID");
if (guid1 && guid2) {
(*matched) = (data_blob_cmp(guid1, guid2) == 0);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
sid1 = ldb_dn_get_extended_component(dn1, "SID");
sid2 = ldb_dn_get_extended_component(dn2, "SID");
if (sid1 && sid2) {
(*matched) = (data_blob_cmp(sid1, sid2) == 0);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
(*matched) = (ldb_dn_compare(dn1, dn2) == 0);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
static int subtree_delete_sort(struct ldb_message **m1,
struct ldb_message **m2,
void *private_data)
{
struct ldb_dn *dn1 = (*m1)->dn;
struct ldb_dn *dn2 = (*m2)->dn;
/*
* This sorts in tree order, children first
*/
return ldb_dn_compare(dn1, dn2);
}
/* similar to the modify for the time being.
* We need to concider the special delete tree case, though - TODO */
static int acl_delete(struct ldb_module *module, struct ldb_request *req)
{
int ret;
struct ldb_dn *parent = ldb_dn_get_parent(req, req->op.del.dn);
struct ldb_context *ldb;
DEBUG(10, ("ldb:acl_delete: %s\n", ldb_dn_get_linearized(req->op.del.dn)));
if (what_is_user(module) == SECURITY_SYSTEM) {
return ldb_next_request(module, req);
}
if (ldb_dn_is_special(req->op.del.dn)) {
return ldb_next_request(module, req);
}
ldb = ldb_module_get_ctx(module);
/* first check if we have delete object right */
ret = check_access_on_dn(module, req, req->op.del.dn, SEC_STD_DELETE, NULL);
if (ret == LDB_SUCCESS) {
return ldb_next_request(module, req);
}
/* Nope, we don't have delete object. Lets check if we have delete child on the parent */
/* No parent, so check fails */
if ((ldb_dn_compare(req->op.del.dn, (ldb_get_schema_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.del.dn, (ldb_get_config_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.del.dn, (ldb_get_root_basedn(ldb))) == 0)) {
DEBUG(10,("acl:deleting an NC\n"));
return ldb_module_done(req, NULL, NULL, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS);
}
ret = check_access_on_dn(module, req, parent, SEC_ADS_DELETE_CHILD, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
return ldb_next_request(module, req);
}
/*
make sure we only add repsFrom entries for DCs who are masters for
the partition
*/
static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r,
struct ldb_result *res)
{
struct repsFromTo1 *r1 = &r->ctr.ctr1;
struct GUID invocation_id = r1->source_dsa_invocation_id;
unsigned int i, j;
/* we are expecting only version 1 */
SMB_ASSERT(r->version == 1);
for (i=0; i<res->count; i++) {
struct ldb_message *msg = res->msgs[i];
struct ldb_message_element *el;
struct ldb_dn *dn;
struct GUID id2 = samdb_result_guid(msg, "invocationID");
if (GUID_all_zero(&id2) ||
!GUID_equal(&invocation_id, &id2)) {
continue;
}
el = ldb_msg_find_element(msg, "msDS-hasMasterNCs");
if (!el || el->num_values == 0) {
el = ldb_msg_find_element(msg, "hasMasterNCs");
if (!el || el->num_values == 0) {
continue;
}
}
for (j=0; j<el->num_values; j++) {
dn = ldb_dn_from_ldb_val(p, p->service->samdb, &el->values[j]);
if (!ldb_dn_validate(dn)) {
talloc_free(dn);
continue;
}
if (ldb_dn_compare(dn, p->dn) == 0) {
talloc_free(dn);
DEBUG(5,("%s %s match on %s in %s\n",
r1->other_info->dns_name,
el->name,
ldb_dn_get_linearized(dn),
ldb_dn_get_linearized(msg->dn)));
return true;
}
talloc_free(dn);
}
}
return false;
}
/*
get a new RID pool for ourselves
also returns the first rid for the new pool
*/
static int ridalloc_new_own_pool(struct ldb_module *module, uint64_t *new_pool, struct ldb_request *parent)
{
TALLOC_CTX *tmp_ctx = talloc_new(module);
struct ldb_dn *rid_manager_dn, *fsmo_role_dn;
int ret;
struct ldb_context *ldb = ldb_module_get_ctx(module);
/* work out who is the RID Manager */
ret = dsdb_module_rid_manager_dn(module, tmp_ctx, &rid_manager_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find RID Manager object - %s",
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
/* find the DN of the RID Manager */
ret = dsdb_module_reference_dn(module, tmp_ctx, rid_manager_dn, "fSMORoleOwner", &fsmo_role_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find fSMORoleOwner in RID Manager object - %s",
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), fsmo_role_dn) != 0) {
ridalloc_poke_rid_manager(module);
ldb_asprintf_errstring(ldb, "Remote RID Set allocation needs refresh");
talloc_free(tmp_ctx);
return LDB_ERR_UNWILLING_TO_PERFORM;
}
/* grab a pool from the RID Manager object */
ret = ridalloc_rid_manager_allocate(module, rid_manager_dn, new_pool, parent);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
talloc_free(tmp_ctx);
return ret;
}
/*
check if the scope matches in a search result
*/
static int ldb_match_scope(struct ldb_context *ldb,
struct ldb_dn *base,
struct ldb_dn *dn,
enum ldb_scope scope)
{
int ret = 0;
if (base == NULL || dn == NULL) {
return 1;
}
switch (scope) {
case LDB_SCOPE_BASE:
if (ldb_dn_compare(base, dn) == 0) {
ret = 1;
}
break;
case LDB_SCOPE_ONELEVEL:
if (ldb_dn_get_comp_num(dn) == (ldb_dn_get_comp_num(base) + 1)) {
if (ldb_dn_compare_base(base, dn) == 0) {
ret = 1;
}
}
break;
case LDB_SCOPE_SUBTREE:
default:
if (ldb_dn_compare_base(base, dn) == 0) {
ret = 1;
}
break;
}
return ret;
}
static int pdc_fsmo_init(struct ldb_module *module)
{
struct ldb_context *ldb;
TALLOC_CTX *mem_ctx;
struct ldb_dn *pdc_dn;
struct dsdb_pdc_fsmo *pdc_fsmo;
struct ldb_result *pdc_res;
int ret;
static const char *pdc_attrs[] = {
"fSMORoleOwner",
NULL
};
ldb = ldb_module_get_ctx(module);
mem_ctx = talloc_new(module);
if (!mem_ctx) {
return ldb_oom(ldb);
}
pdc_dn = ldb_get_default_basedn(ldb);
if (!pdc_dn) {
ldb_debug_set(ldb, LDB_DEBUG_FATAL,
"pdc_fsmo_init: could not determine default basedn");
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
pdc_fsmo = talloc_zero(mem_ctx, struct dsdb_pdc_fsmo);
if (!pdc_fsmo) {
return ldb_oom(ldb);
}
ldb_module_set_private(module, pdc_fsmo);
ret = dsdb_module_search_dn(module, mem_ctx, &pdc_res,
pdc_dn,
pdc_attrs,
DSDB_FLAG_NEXT_MODULE, NULL);
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
ldb_debug(ldb, LDB_DEBUG_TRACE,
"pdc_fsmo_init: no domain object present: (skip loading of domain details)");
talloc_free(mem_ctx);
return ldb_next_init(module);
} else if (ret != LDB_SUCCESS) {
ldb_debug_set(ldb, LDB_DEBUG_FATAL,
"pdc_fsmo_init: failed to search the domain object: %d:%s: %s",
ret, ldb_strerror(ret), ldb_errstring(ldb));
talloc_free(mem_ctx);
return ret;
}
pdc_fsmo->master_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, pdc_res->msgs[0], "fSMORoleOwner");
if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), pdc_fsmo->master_dn) == 0) {
pdc_fsmo->we_are_master = true;
} else {
pdc_fsmo->we_are_master = false;
}
if (ldb_set_opaque(ldb, "dsdb_pdc_fsmo", pdc_fsmo) != LDB_SUCCESS) {
return ldb_oom(ldb);
}
talloc_steal(module, pdc_fsmo);
ldb_debug(ldb, LDB_DEBUG_TRACE,
"pdc_fsmo_init: we are master: %s\n",
(pdc_fsmo->we_are_master?"yes":"no"));
talloc_free(mem_ctx);
return ldb_next_init(module);
}
static bool torture_ldb_dn(struct torture_context *torture)
{
TALLOC_CTX *mem_ctx = talloc_new(torture);
struct ldb_context *ldb;
struct ldb_dn *dn;
struct ldb_dn *child_dn;
struct ldb_dn *typo_dn;
torture_assert(torture,
ldb = ldb_init(mem_ctx, torture->ev),
"Failed to init ldb");
torture_assert_int_equal(torture,
ldb_register_samba_handlers(ldb), 0,
"Failed to register Samba handlers");
ldb_set_utf8_fns(ldb, NULL, wrap_casefold);
/* Check behaviour of a normal DN */
torture_assert(torture,
dn = ldb_dn_new(mem_ctx, ldb, NULL),
"Failed to create a NULL DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate NULL DN");
torture_assert(torture,
ldb_dn_add_base_fmt(dn, "dc=org"),
"Failed to add base DN");
torture_assert(torture,
ldb_dn_add_child_fmt(dn, "dc=samba"),
"Failed to add base DN");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "dc=samba,dc=org",
"linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0), "dc=samba,dc=org",
"extended linearized DN incorrect");
/* Check child DN comparisons */
torture_assert(torture,
child_dn = ldb_dn_new(mem_ctx, ldb, "CN=users,DC=SAMBA,DC=org"),
"Failed to create child DN");
torture_assert(torture,
ldb_dn_compare(dn, child_dn) != 0,
"Comparison on dc=samba,dc=org and CN=users,DC=SAMBA,DC=org should != 0");
torture_assert(torture,
ldb_dn_compare_base(child_dn, dn) != 0,
"Base Comparison of CN=users,DC=SAMBA,DC=org and dc=samba,dc=org should != 0");
torture_assert(torture,
ldb_dn_compare_base(dn, child_dn) == 0,
"Base Comparison on dc=samba,dc=org and CN=users,DC=SAMBA,DC=org should == 0");
/* Check comparisons with a truncated DN */
torture_assert(torture,
typo_dn = ldb_dn_new(mem_ctx, ldb, "c=samba,dc=org"),
"Failed to create 'typo' DN");
torture_assert(torture,
ldb_dn_compare(dn, typo_dn) != 0,
"Comparison on dc=samba,dc=org and c=samba,dc=org should != 0");
torture_assert(torture,
ldb_dn_compare_base(typo_dn, dn) != 0,
"Base Comparison of c=samba,dc=org and dc=samba,dc=org should != 0");
torture_assert(torture,
ldb_dn_compare_base(dn, typo_dn) != 0,
"Base Comparison on dc=samba,dc=org and c=samba,dc=org should != 0");
talloc_free(mem_ctx);
return true;
}
int dsdb_schema_from_ldb_results(TALLOC_CTX *mem_ctx, struct ldb_context *ldb,
struct ldb_result *schema_res,
struct ldb_result *attrs_res, struct ldb_result *objectclass_res,
struct dsdb_schema **schema_out,
char **error_string)
{
WERROR status;
unsigned int i;
const struct ldb_val *prefix_val;
const struct ldb_val *info_val;
struct ldb_val info_val_default;
struct dsdb_schema *schema;
schema = dsdb_new_schema(mem_ctx);
if (!schema) {
dsdb_oom(error_string, mem_ctx);
return ldb_operr(ldb);
}
schema->base_dn = talloc_steal(schema, schema_res->msgs[0]->dn);
prefix_val = ldb_msg_find_ldb_val(schema_res->msgs[0], "prefixMap");
if (!prefix_val) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: no prefixMap attribute found");
DEBUG(0,(__location__ ": %s\n", *error_string));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
info_val = ldb_msg_find_ldb_val(schema_res->msgs[0], "schemaInfo");
if (!info_val) {
status = dsdb_schema_info_blob_new(mem_ctx, &info_val_default);
if (!W_ERROR_IS_OK(status)) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: dsdb_schema_info_blob_new() failed - %s",
win_errstr(status));
DEBUG(0,(__location__ ": %s\n", *error_string));
return ldb_operr(ldb);
}
info_val = &info_val_default;
}
status = dsdb_load_oid_mappings_ldb(schema, prefix_val, info_val);
if (!W_ERROR_IS_OK(status)) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: failed to load oid mappings: %s",
win_errstr(status));
DEBUG(0,(__location__ ": %s\n", *error_string));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
for (i=0; i < attrs_res->count; i++) {
status = dsdb_attribute_from_ldb(ldb, schema, attrs_res->msgs[i]);
if (!W_ERROR_IS_OK(status)) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: failed to load attribute definition: %s:%s",
ldb_dn_get_linearized(attrs_res->msgs[i]->dn),
win_errstr(status));
DEBUG(0,(__location__ ": %s\n", *error_string));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
}
for (i=0; i < objectclass_res->count; i++) {
status = dsdb_class_from_ldb(schema, objectclass_res->msgs[i]);
if (!W_ERROR_IS_OK(status)) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: failed to load class definition: %s:%s",
ldb_dn_get_linearized(objectclass_res->msgs[i]->dn),
win_errstr(status));
DEBUG(0,(__location__ ": %s\n", *error_string));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
}
schema->fsmo.master_dn = ldb_msg_find_attr_as_dn(ldb, schema, schema_res->msgs[0], "fSMORoleOwner");
if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), schema->fsmo.master_dn) == 0) {
schema->fsmo.we_are_master = true;
} else {
schema->fsmo.we_are_master = false;
}
DEBUG(5, ("schema_fsmo_init: we are master: %s\n",
(schema->fsmo.we_are_master?"yes":"no")));
*schema_out = schema;
return LDB_SUCCESS;
}
static int acl_rename(struct ldb_module *module, struct ldb_request *req)
{
int ret;
struct ldb_dn *oldparent = ldb_dn_get_parent(req, req->op.rename.olddn);
struct ldb_dn *newparent = ldb_dn_get_parent(req, req->op.rename.newdn);
struct ldb_context *ldb;
struct security_descriptor *sd = NULL;
struct dom_sid *sid = NULL;
struct ldb_result *acl_res;
const struct GUID *guid;
struct object_tree *root = NULL;
struct object_tree *new_node = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(req);
NTSTATUS status;
uint32_t access_granted;
static const char *acl_attrs[] = {
"nTSecurityDescriptor",
"objectClass",
"objectSid",
NULL
};
DEBUG(10, ("ldb:acl_rename: %s\n", ldb_dn_get_linearized(req->op.rename.olddn)));
if (what_is_user(module) == SECURITY_SYSTEM) {
return ldb_next_request(module, req);
}
if (ldb_dn_is_special(req->op.rename.olddn)) {
return ldb_next_request(module, req);
}
ldb = ldb_module_get_ctx(module);
/* TODO search to include deleted objects */
ret = ldb_search(ldb, req, &acl_res, req->op.rename.olddn,
LDB_SCOPE_BASE, acl_attrs, NULL);
/* we sould be able to find the parent */
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl: failed to find object %s\n",
ldb_dn_get_linearized(req->op.rename.olddn)));
return ret;
}
guid = get_oc_guid_from_message(module,acl_res->msgs[0]);
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&root, &new_node)) {
return LDB_ERR_OPERATIONS_ERROR;
};
guid = attribute_schemaid_guid_by_lDAPDisplayName(dsdb_get_schema(ldb),
"name");
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&new_node, &new_node)) {
return LDB_ERR_OPERATIONS_ERROR;
};
ret = get_sd_from_ldb_message(req, acl_res->msgs[0], &sd);
if (ret != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* Theoretically we pass the check if the object has no sd */
if (!sd) {
return LDB_SUCCESS;
}
ret = get_dom_sid_from_ldb_message(req, acl_res->msgs[0], &sid);
if (ret != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
status = sec_access_check_ds(sd, acl_user_token(module),
SEC_ADS_WRITE_PROP,
&access_granted,
root,
sid);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("Object %s nas no wp on name\n",
ldb_dn_get_linearized(req->op.rename.olddn)));
acl_debug(sd,
acl_user_token(module),
req->op.rename.olddn,
true,
10);
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
}
if (ldb_dn_compare(oldparent, newparent) == 0) {
/* regular rename, not move, nothing more to do */
return ldb_next_request(module, req);
}
/* What exactly to do in this case? It would fail anyway.. */
if ((ldb_dn_compare(req->op.rename.newdn, (ldb_get_schema_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.rename.newdn, (ldb_get_config_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.rename.newdn, (ldb_get_root_basedn(ldb))) == 0)) {
DEBUG(10,("acl:moving as an NC\n"));
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
}
/* new parent should have create child */
talloc_free(tmp_ctx);
tmp_ctx = talloc_new(req);
root = NULL;
new_node = NULL;
guid = get_oc_guid_from_message(module,acl_res->msgs[0]);
if (!guid) {
DEBUG(10,("acl:renamed object has no object class\n"));
return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
}
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_CREATE_CHILD,
&root, &new_node)) {
return LDB_ERR_OPERATIONS_ERROR;
}
ret = check_access_on_dn(module, req, newparent, SEC_ADS_CREATE_CHILD, root);
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
return ret;
}
/* do we have delete object on the object? */
status = sec_access_check_ds(sd, acl_user_token(module),
SEC_STD_DELETE,
&access_granted,
NULL,
sid);
if (NT_STATUS_IS_OK(status)) {
return ldb_next_request(module, req);
}
/* what about delete child on the current parent */
ret = check_access_on_dn(module, req, oldparent, SEC_ADS_DELETE_CHILD, NULL);
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
return ldb_module_done(req, NULL, NULL, ret);
}
return ldb_next_request(module, req);
}
static int ldb_eval_transitive_filter_helper(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
const char *attr,
const struct dsdb_dn *dn_to_match,
const char *dn_oid,
struct dsdb_dn *to_visit,
struct dsdb_dn ***visited,
unsigned int *visited_count,
bool *matched)
{
TALLOC_CTX *tmp_ctx;
int ret, i, j;
struct ldb_result *res;
struct ldb_message *msg;
struct ldb_message_element *el;
const char *attrs[] = { attr, NULL };
tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
/*
* Fetch the entry to_visit
*
* NOTE: This is a new LDB search from the TOP of the module
* stack. This means that this search runs the whole stack
* from top to bottom.
*
* This may seem to be in-efficient, but it is also the only
* way to ensure that the ACLs for this search are applied
* correctly.
*
* Note also that we don't have the original request
* here, so we can not apply controls or timeouts here.
*/
ret = dsdb_search_dn(ldb, tmp_ctx, &res, to_visit->dn, attrs, 0);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
if (res->count != 1) {
talloc_free(tmp_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
msg = res->msgs[0];
/* Fetch the attribute to match from the entry being visited */
el = ldb_msg_find_element(msg, attr);
if (el == NULL) {
/* This entry does not have the attribute to match */
talloc_free(tmp_ctx);
*matched = false;
return LDB_SUCCESS;
}
/*
* If the value to match is present in the attribute values of the
* current entry being visited, set matched to true and return OK
*/
for (i=0; i<el->num_values; i++) {
struct dsdb_dn *dn;
dn = dsdb_dn_parse(tmp_ctx, ldb, &el->values[i], dn_oid);
if (dn == NULL) {
talloc_free(tmp_ctx);
*matched = false;
return LDB_ERR_INVALID_DN_SYNTAX;
}
if (ldb_dn_compare(dn_to_match->dn, dn->dn) == 0) {
talloc_free(tmp_ctx);
*matched = true;
return LDB_SUCCESS;
}
}
/*
* If arrived here, the value to match is not in the values of the
* entry being visited. Add the entry being visited (to_visit)
* to the visited array. The array is (re)allocated in the parent
* memory context.
*/
if (visited == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
} else if (*visited == NULL) {
*visited = talloc_array(mem_ctx, struct dsdb_dn *, 1);
if (*visited == NULL) {
talloc_free(tmp_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
(*visited)[0] = to_visit;
(*visited_count) = 1;
} else {
int dsdb_schema_from_ldb_results(TALLOC_CTX *mem_ctx, struct ldb_context *ldb,
struct ldb_result *schema_res,
struct ldb_result *attrs_class_res,
struct dsdb_schema **schema_out,
char **error_string)
{
WERROR status;
const struct ldb_val *prefix_val;
const struct ldb_val *info_val;
struct ldb_val info_val_default;
struct dsdb_schema *schema;
struct loadparm_context *lp_ctx = NULL;
int ret;
schema = dsdb_new_schema(mem_ctx);
if (!schema) {
dsdb_oom(error_string, mem_ctx);
return ldb_operr(ldb);
}
schema->base_dn = talloc_steal(schema, schema_res->msgs[0]->dn);
prefix_val = ldb_msg_find_ldb_val(schema_res->msgs[0], "prefixMap");
if (!prefix_val) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: no prefixMap attribute found");
DEBUG(0,(__location__ ": %s\n", *error_string));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
info_val = ldb_msg_find_ldb_val(schema_res->msgs[0], "schemaInfo");
if (!info_val) {
status = dsdb_schema_info_blob_new(mem_ctx, &info_val_default);
if (!W_ERROR_IS_OK(status)) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: dsdb_schema_info_blob_new() failed - %s",
win_errstr(status));
DEBUG(0,(__location__ ": %s\n", *error_string));
return ldb_operr(ldb);
}
info_val = &info_val_default;
}
status = dsdb_load_oid_mappings_ldb(schema, prefix_val, info_val);
if (!W_ERROR_IS_OK(status)) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: failed to load oid mappings: %s",
win_errstr(status));
DEBUG(0,(__location__ ": %s\n", *error_string));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
ret = dsdb_load_ldb_results_into_schema(mem_ctx, ldb, schema, attrs_class_res, error_string);
if (ret != LDB_SUCCESS) {
return ret;
}
schema->fsmo.master_dn = ldb_msg_find_attr_as_dn(ldb, schema, schema_res->msgs[0], "fSMORoleOwner");
if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), schema->fsmo.master_dn) == 0) {
schema->fsmo.we_are_master = true;
} else {
schema->fsmo.we_are_master = false;
}
lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
struct loadparm_context);
if (lp_ctx) {
bool allowed = lpcfg_parm_bool(lp_ctx, NULL,
"dsdb", "schema update allowed",
false);
schema->fsmo.update_allowed = allowed;
} else {
schema->fsmo.update_allowed = false;
}
DEBUG(5, ("schema_fsmo_init: we are master[%s] updates allowed[%s]\n",
(schema->fsmo.we_are_master?"yes":"no"),
(schema->fsmo.update_allowed?"yes":"no")));
*schema_out = schema;
return LDB_SUCCESS;
}
static bool torture_ldb_dn(struct torture_context *torture)
{
TALLOC_CTX *mem_ctx = talloc_new(torture);
struct ldb_context *ldb;
struct ldb_dn *dn;
struct ldb_dn *child_dn;
struct ldb_dn *typo_dn;
struct ldb_val val;
torture_assert(torture,
ldb = ldb_init(mem_ctx, torture->ev),
"Failed to init ldb");
torture_assert_int_equal(torture,
ldb_register_samba_handlers(ldb), 0,
"Failed to register Samba handlers");
ldb_set_utf8_fns(ldb, NULL, wrap_casefold);
/* Check behaviour of a normal DN */
torture_assert(torture,
dn = ldb_dn_new(mem_ctx, ldb, NULL),
"Failed to create a NULL DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate NULL DN");
torture_assert(torture,
ldb_dn_add_base_fmt(dn, "dc=org"),
"Failed to add base DN");
torture_assert(torture,
ldb_dn_add_child_fmt(dn, "dc=samba"),
"Failed to add base DN");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "dc=samba,dc=org",
"linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0), "dc=samba,dc=org",
"extended linearized DN incorrect");
/* Check child DN comparisons */
torture_assert(torture,
child_dn = ldb_dn_new(mem_ctx, ldb, "CN=users,DC=SAMBA,DC=org"),
"Failed to create child DN");
torture_assert(torture,
ldb_dn_compare(dn, child_dn) != 0,
"Comparison on dc=samba,dc=org and CN=users,DC=SAMBA,DC=org should != 0");
torture_assert(torture,
ldb_dn_compare_base(child_dn, dn) != 0,
"Base Comparison of CN=users,DC=SAMBA,DC=org and dc=samba,dc=org should != 0");
torture_assert(torture,
ldb_dn_compare_base(dn, child_dn) == 0,
"Base Comparison on dc=samba,dc=org and CN=users,DC=SAMBA,DC=org should == 0");
/* Check comparisons with a truncated DN */
torture_assert(torture,
typo_dn = ldb_dn_new(mem_ctx, ldb, "c=samba,dc=org"),
"Failed to create 'typo' DN");
torture_assert(torture,
ldb_dn_compare(dn, typo_dn) != 0,
"Comparison on dc=samba,dc=org and c=samba,dc=org should != 0");
torture_assert(torture,
ldb_dn_compare_base(typo_dn, dn) != 0,
"Base Comparison of c=samba,dc=org and dc=samba,dc=org should != 0");
torture_assert(torture,
ldb_dn_compare_base(dn, typo_dn) != 0,
"Base Comparison on dc=samba,dc=org and c=samba,dc=org should != 0");
/* Check DN based on MS-ADTS:3.1.1.5.1.2 Naming Constraints*/
torture_assert(torture,
dn = ldb_dn_new(mem_ctx, ldb, "CN=New\nLine,DC=SAMBA,DC=org"),
"Failed to create a DN with 0xA in it");
/* this is a warning until we work out how the DEL: CNs work */
if (ldb_dn_validate(dn) != false) {
torture_warning(torture,
"should have failed to validate a DN with 0xA in it");
}
val = data_blob_const("CN=Zer\0,DC=SAMBA,DC=org", 23);
torture_assert(torture,
NULL == ldb_dn_from_ldb_val(mem_ctx, ldb, &val),
"should fail to create a DN with 0x0 in it");
talloc_free(mem_ctx);
return true;
}
int sysdb_check_upgrade_02(struct sss_domain_info *domains,
const char *db_path)
{
TALLOC_CTX *tmp_ctx = NULL;
struct ldb_context *ldb;
char *ldb_file;
struct sysdb_ctx *sysdb;
struct sss_domain_info *dom;
struct ldb_message_element *el;
struct ldb_message *msg;
struct ldb_result *res;
struct ldb_dn *verdn;
const char *version = NULL;
bool do_02_upgrade = false;
bool ctx_trans = false;
int ret;
tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) {
return ENOMEM;
}
ret = sysdb_get_db_file(tmp_ctx,
"local", "UPGRADE",
db_path, &ldb_file);
if (ret != EOK) {
goto exit;
}
ret = sysdb_ldb_connect(tmp_ctx, ldb_file, &ldb);
if (ret != EOK) {
DEBUG(1, ("sysdb_ldb_connect failed.\n"));
return ret;
}
verdn = ldb_dn_new(tmp_ctx, ldb, SYSDB_BASE);
if (!verdn) {
ret = EIO;
goto exit;
}
ret = ldb_search(ldb, tmp_ctx, &res,
verdn, LDB_SCOPE_BASE,
NULL, NULL);
if (ret != LDB_SUCCESS) {
ret = EIO;
goto exit;
}
if (res->count > 1) {
ret = EIO;
goto exit;
}
if (res->count == 1) {
el = ldb_msg_find_element(res->msgs[0], "version");
if (el) {
if (el->num_values != 1) {
ret = EINVAL;
goto exit;
}
version = talloc_strndup(tmp_ctx,
(char *)(el->values[0].data),
el->values[0].length);
if (!version) {
ret = ENOMEM;
goto exit;
}
if (strcmp(version, SYSDB_VERSION) == 0) {
/* all fine, return */
ret = EOK;
goto exit;
}
DEBUG(4, ("Upgrading DB from version: %s\n", version));
if (strcmp(version, SYSDB_VERSION_0_1) == 0) {
/* convert database */
ret = sysdb_upgrade_01(ldb, &version);
if (ret != EOK) goto exit;
}
if (strcmp(version, SYSDB_VERSION_0_2) == 0) {
/* need to convert database to split files */
do_02_upgrade = true;
}
}
}
if (!do_02_upgrade) {
/* not a v2 upgrade, return and let the normal code take over any
* further upgrade */
ret = EOK;
goto exit;
}
/* == V2->V3 UPGRADE == */
DEBUG(0, ("UPGRADING DB TO VERSION %s\n", SYSDB_VERSION_0_3));
/* ldb uses posix locks,
* posix is stupid and kills all locks when you close *any* file
* descriptor associated to the same file.
* Therefore we must close and reopen the ldb file here */
/* == Backup and reopen ldb == */
/* close */
talloc_zfree(ldb);
/* backup*/
ret = backup_file(ldb_file, 0);
if (ret != EOK) {
goto exit;
}
/* reopen */
ret = sysdb_ldb_connect(tmp_ctx, ldb_file, &ldb);
if (ret != EOK) {
DEBUG(1, ("sysdb_ldb_connect failed.\n"));
return ret;
}
/* open a transaction */
ret = ldb_transaction_start(ldb);
if (ret != LDB_SUCCESS) {
DEBUG(1, ("Failed to start ldb transaction! (%d)\n", ret));
ret = EIO;
goto exit;
}
/* == Upgrade contents == */
for (dom = domains; dom; dom = dom->next) {
struct ldb_dn *domain_dn;
struct ldb_dn *users_dn;
struct ldb_dn *groups_dn;
int i;
/* skip local */
if (strcasecmp(dom->provider, "local") == 0) {
continue;
}
/* create new dom db */
ret = sysdb_domain_init_internal(tmp_ctx, dom,
db_path, false, &sysdb);
if (ret != EOK) {
goto done;
}
ret = ldb_transaction_start(sysdb->ldb);
if (ret != LDB_SUCCESS) {
DEBUG(1, ("Failed to start ldb transaction! (%d)\n", ret));
ret = EIO;
goto done;
}
ctx_trans = true;
/* search all entries for this domain in local,
* copy them all in the new database,
* then remove them from local */
domain_dn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb,
SYSDB_DOM_BASE, sysdb->domain->name);
if (!domain_dn) {
ret = ENOMEM;
goto done;
}
ret = ldb_search(ldb, tmp_ctx, &res,
domain_dn, LDB_SCOPE_SUBTREE,
NULL, NULL);
if (ret != LDB_SUCCESS) {
ret = EIO;
goto done;
}
users_dn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb,
SYSDB_TMPL_USER_BASE, sysdb->domain->name);
if (!users_dn) {
ret = ENOMEM;
goto done;
}
groups_dn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb,
SYSDB_TMPL_GROUP_BASE, sysdb->domain->name);
if (!groups_dn) {
ret = ENOMEM;
goto done;
}
for (i = 0; i < res->count; i++) {
struct ldb_dn *orig_dn;
msg = res->msgs[i];
/* skip pre-created congtainers */
if ((ldb_dn_compare(msg->dn, domain_dn) == 0) ||
(ldb_dn_compare(msg->dn, users_dn) == 0) ||
(ldb_dn_compare(msg->dn, groups_dn) == 0)) {
continue;
}
/* regenerate the DN against the new ldb as it may have different
* casefolding rules (example: name changing from case insensitive
* to case sensitive) */
orig_dn = msg->dn;
msg->dn = ldb_dn_new(msg, sysdb->ldb,
ldb_dn_get_linearized(orig_dn));
if (!msg->dn) {
ret = ENOMEM;
goto done;
}
ret = ldb_add(sysdb->ldb, msg);
if (ret != LDB_SUCCESS) {
DEBUG(0, ("WARNING: Could not add entry %s,"
" to new ldb file! (%d [%s])\n",
ldb_dn_get_linearized(msg->dn),
ret, ldb_errstring(sysdb->ldb)));
}
ret = ldb_delete(ldb, orig_dn);
if (ret != LDB_SUCCESS) {
DEBUG(0, ("WARNING: Could not remove entry %s,"
" from old ldb file! (%d [%s])\n",
ldb_dn_get_linearized(orig_dn),
ret, ldb_errstring(ldb)));
}
}
/* now remove the basic containers from local */
/* these were optional so debug at level 9 in case
* of failure just for tracing */
ret = ldb_delete(ldb, groups_dn);
if (ret != LDB_SUCCESS) {
DEBUG(9, ("WARNING: Could not remove entry %s,"
" from old ldb file! (%d [%s])\n",
ldb_dn_get_linearized(groups_dn),
ret, ldb_errstring(ldb)));
}
ret = ldb_delete(ldb, users_dn);
if (ret != LDB_SUCCESS) {
DEBUG(9, ("WARNING: Could not remove entry %s,"
" from old ldb file! (%d [%s])\n",
ldb_dn_get_linearized(users_dn),
ret, ldb_errstring(ldb)));
}
ret = ldb_delete(ldb, domain_dn);
if (ret != LDB_SUCCESS) {
DEBUG(9, ("WARNING: Could not remove entry %s,"
" from old ldb file! (%d [%s])\n",
ldb_dn_get_linearized(domain_dn),
ret, ldb_errstring(ldb)));
}
ret = ldb_transaction_commit(sysdb->ldb);
if (ret != LDB_SUCCESS) {
DEBUG(1, ("Failed to commit ldb transaction! (%d)\n", ret));
ret = EIO;
goto done;
}
ctx_trans = false;
talloc_zfree(domain_dn);
talloc_zfree(groups_dn);
talloc_zfree(users_dn);
talloc_zfree(res);
}
/* conversion done, upgrade version number */
msg = ldb_msg_new(tmp_ctx);
if (!msg) {
ret = ENOMEM;
goto done;
}
msg->dn = ldb_dn_new(tmp_ctx, ldb, SYSDB_BASE);
if (!msg->dn) {
ret = ENOMEM;
goto done;
}
ret = ldb_msg_add_empty(msg, "version", LDB_FLAG_MOD_REPLACE, NULL);
if (ret != LDB_SUCCESS) {
ret = ENOMEM;
goto done;
}
ret = ldb_msg_add_string(msg, "version", SYSDB_VERSION_0_3);
if (ret != LDB_SUCCESS) {
ret = ENOMEM;
goto done;
}
ret = ldb_modify(ldb, msg);
if (ret != LDB_SUCCESS) {
ret = sysdb_error_to_errno(ret);
goto done;
}
ret = ldb_transaction_commit(ldb);
if (ret != LDB_SUCCESS) {
DEBUG(1, ("Failed to commit ldb transaction! (%d)\n", ret));
ret = EIO;
goto exit;
}
ret = EOK;
done:
if (ret != EOK) {
if (ctx_trans) {
ret = ldb_transaction_cancel(sysdb->ldb);
if (ret != LDB_SUCCESS) {
DEBUG(1, ("Failed to cancel ldb transaction! (%d)\n", ret));
}
}
ret = ldb_transaction_cancel(ldb);
if (ret != LDB_SUCCESS) {
DEBUG(1, ("Failed to cancel ldb transaction! (%d)\n", ret));
}
}
exit:
talloc_free(tmp_ctx);
return ret;
}
static int traverse_fn(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA _dbuf, void *state)
{
int ret, i, j;
struct ldb_dn *dn = state;
struct ldb_message *msg = talloc_zero(NULL, struct ldb_message);
struct ldb_val dbuf = {
.data = _dbuf.dptr,
.length = _dbuf.dsize,
};
struct ldb_ldif ldif = {
.msg = msg,
.changetype = LDB_CHANGETYPE_NONE
};
if (!msg) {
return -1;
}
ret = ldb_unpack_data(ldb, &dbuf, msg);
if (ret != 0) {
fprintf(stderr, "Failed to parse record %*.*s as an LDB record\n", (int)key.dsize, (int)key.dsize, (char *)key.dptr);
TALLOC_FREE(msg);
return 0;
}
if (dn && ldb_dn_compare(msg->dn, dn) != 0) {
TALLOC_FREE(msg);
return 0;
}
if (!show_index && ldb_dn_is_special(msg->dn)) {
const char *dn_lin = ldb_dn_get_linearized(msg->dn);
if ((strcmp(dn_lin, "@BASEINFO") == 0) || (strncmp(dn_lin, "@INDEX:", strlen("@INDEX:")) == 0)) {
/*
the user has asked not to show index
records. Also exclude BASEINFO as it
contains meta-data which will be re-created
if this database is restored
*/
TALLOC_FREE(msg);
return 0;
}
}
if (!validate_contents || ldb_dn_is_special(msg->dn)) {
ldb_ldif_write_file(ldb, stdout, &ldif);
TALLOC_FREE(msg);
return 0;
}
for (i=0;i<msg->num_elements;i++) {
const struct ldb_schema_attribute *a;
a = ldb_schema_attribute_by_name(ldb, msg->elements[i].name);
for (j=0;j<msg->elements[i].num_values;j++) {
struct ldb_val v;
ret = a->syntax->ldif_write_fn(ldb, msg, &msg->elements[i].values[j], &v);
if (ret != 0) {
v = msg->elements[i].values[j];
if (ldb_should_b64_encode(ldb, &v)) {
v.data = (uint8_t *)ldb_base64_encode(ldb, (char *)v.data, v.length);
v.length = strlen((char *)v.data);
}
fprintf(stderr, "On %s element %s value %d (%*.*s) failed to convert to LDIF correctly, skipping possibly corrupt record\n",
ldb_dn_get_linearized(msg->dn),
msg->elements[i].name,
j, (int)v.length, (int)v.length,
v.data);
TALLOC_FREE(msg);
return 0;
}
}
}
ldb_ldif_write_file(ldb, stdout, &ldif);
TALLOC_FREE(msg);
return 0;
}
static void log_stderr(struct tdb_context *tdb, enum tdb_debug_level level,
const char *fmt, ...) PRINTF_ATTRIBUTE(3,4);
static void log_stderr(struct tdb_context *tdb, enum tdb_debug_level level,
const char *fmt, ...)
{
va_list ap;
const char *name = tdb_name(tdb);
const char *prefix = "";
if (!name)
name = "unnamed";
switch (level) {
case TDB_DEBUG_ERROR:
prefix = "ERROR: ";
break;
case TDB_DEBUG_WARNING:
prefix = "WARNING: ";
break;
case TDB_DEBUG_TRACE:
return;
default:
case TDB_DEBUG_FATAL:
prefix = "FATAL: ";
break;
}
va_start(ap, fmt);
fprintf(stderr, "tdb(%s): %s", name, prefix);
vfprintf(stderr, fmt, ap);
va_end(ap);
}
/*
work out the principal to use for DRS replication connections
*/
NTSTATUS dreplsrv_get_target_principal(struct dreplsrv_service *s,
TALLOC_CTX *mem_ctx,
const struct repsFromTo1 *rft,
const char **target_principal)
{
TALLOC_CTX *tmp_ctx;
struct ldb_result *res;
const char *attrs_server[] = { "dNSHostName", NULL };
const char *attrs_ntds[] = { "msDS-HasDomainNCs", "hasMasterNCs", NULL };
int ret;
const char *hostname, *dnsdomain=NULL;
struct ldb_dn *ntds_dn, *server_dn;
struct ldb_dn *forest_dn, *nc_dn;
*target_principal = NULL;
tmp_ctx = talloc_new(mem_ctx);
/* we need to find their hostname */
ret = dsdb_find_dn_by_guid(s->samdb, tmp_ctx, &rft->source_dsa_obj_guid, &ntds_dn);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
/* its OK for their NTDSDSA DN not to be in our database */
return NT_STATUS_OK;
}
server_dn = ldb_dn_copy(tmp_ctx, ntds_dn);
if (server_dn == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
/* strip off the NTDS Settings */
if (!ldb_dn_remove_child_components(server_dn, 1)) {
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
ret = dsdb_search_dn(s->samdb, tmp_ctx, &res, server_dn, attrs_server, 0);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
/* its OK for their server DN not to be in our database */
return NT_STATUS_OK;
}
forest_dn = ldb_get_root_basedn(s->samdb);
if (forest_dn == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
hostname = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
if (hostname != NULL) {
char *local_principal;
/*
if we have the dNSHostName attribute then we can use
the GC/hostname/realm SPN. All DCs should have this SPN
Windows DC may set up it's dNSHostName before setting up
GC/xx/xx SPN. So make sure it exists, before using it.
*/
local_principal = talloc_asprintf(mem_ctx, "GC/%s/%s",
hostname,
samdb_dn_to_dns_domain(tmp_ctx, forest_dn));
if (dreplsrv_spn_exists(s->samdb, ntds_dn, local_principal)) {
*target_principal = local_principal;
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
talloc_free(local_principal);
}
/*
if we can't find the dNSHostName then we will try for the
E3514235-4B06-11D1-AB04-00C04FC2DCD2/${NTDSGUID}/${DNSDOMAIN}
SPN. To use that we need the DNS domain name of the target
DC. We find that by first looking for the msDS-HasDomainNCs
in the NTDSDSA object of the DC, and if we don't find that,
then we look for the hasMasterNCs attribute, and eliminate
the known schema and configuruation DNs. Despite how
bizarre this seems, Hongwei tells us that this is in fact
what windows does to find the SPN!!
*/
ret = dsdb_search_dn(s->samdb, tmp_ctx, &res, ntds_dn, attrs_ntds, 0);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
nc_dn = ldb_msg_find_attr_as_dn(s->samdb, tmp_ctx, res->msgs[0], "msDS-HasDomainNCs");
if (nc_dn != NULL) {
dnsdomain = samdb_dn_to_dns_domain(tmp_ctx, nc_dn);
}
if (dnsdomain == NULL) {
struct ldb_message_element *el;
int i;
el = ldb_msg_find_element(res->msgs[0], "hasMasterNCs");
for (i=0; el && i<el->num_values; i++) {
nc_dn = ldb_dn_from_ldb_val(tmp_ctx, s->samdb, &el->values[i]);
if (nc_dn == NULL ||
ldb_dn_compare(ldb_get_config_basedn(s->samdb), nc_dn) == 0 ||
ldb_dn_compare(ldb_get_schema_basedn(s->samdb), nc_dn) == 0) {
continue;
}
/* it must be a domain DN, get the equivalent
DNS domain name */
dnsdomain = samdb_dn_to_dns_domain(tmp_ctx, nc_dn);
break;
}
}
if (dnsdomain != NULL) {
*target_principal = talloc_asprintf(mem_ctx,
"E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s",
GUID_string(tmp_ctx, &rft->source_dsa_obj_guid),
dnsdomain);
}
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
/*
load the partitions list based on replicated NC attributes in our
NTDSDSA object
*/
WERROR dreplsrv_load_partitions(struct dreplsrv_service *s)
{
WERROR status;
static const char *attrs[] = { "hasMasterNCs", "msDs-hasMasterNCs", "hasPartialReplicaNCs", "msDS-HasFullReplicaNCs", NULL };
unsigned int a;
int ret;
TALLOC_CTX *tmp_ctx;
struct ldb_result *res;
struct ldb_message_element *el;
struct ldb_dn *ntds_dn;
tmp_ctx = talloc_new(s);
W_ERROR_HAVE_NO_MEMORY(tmp_ctx);
ntds_dn = samdb_ntds_settings_dn(s->samdb);
if (!ntds_dn) {
DEBUG(1,(__location__ ": Unable to find ntds_dn: %s\n", ldb_errstring(s->samdb)));
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
ret = dsdb_search_dn(s->samdb, tmp_ctx, &res, ntds_dn, attrs, DSDB_SEARCH_SHOW_EXTENDED_DN);
if (ret != LDB_SUCCESS) {
DEBUG(1,("Searching for hasMasterNCs in NTDS DN failed: %s\n", ldb_errstring(s->samdb)));
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
for (a=0; attrs[a]; a++) {
int i;
el = ldb_msg_find_element(res->msgs[0], attrs[a]);
if (el == NULL) {
continue;
}
for (i=0; i<el->num_values; i++) {
struct ldb_dn *pdn;
struct dreplsrv_partition *p, *tp;
bool found;
pdn = ldb_dn_from_ldb_val(tmp_ctx, s->samdb, &el->values[i]);
if (pdn == NULL) {
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
if (!ldb_dn_validate(pdn)) {
return WERR_DS_DRA_INTERNAL_ERROR;
}
p = talloc_zero(s, struct dreplsrv_partition);
W_ERROR_HAVE_NO_MEMORY(p);
p->dn = talloc_steal(p, pdn);
p->service = s;
if (strcasecmp(attrs[a], "hasPartialReplicaNCs") == 0) {
p->partial_replica = true;
} else if (strcasecmp(attrs[a], "msDS-HasFullReplicaNCs") == 0) {
p->rodc_replica = true;
}
/* Do not add partitions more than once */
found = false;
for (tp = s->partitions; tp; tp = tp->next) {
if (ldb_dn_compare(tp->dn, p->dn) == 0) {
found = true;
break;
}
}
if (found) {
talloc_free(p);
continue;
}
DLIST_ADD(s->partitions, p);
DEBUG(2, ("dreplsrv_partition[%s] loaded\n", ldb_dn_get_linearized(p->dn)));
}
}
talloc_free(tmp_ctx);
status = dreplsrv_refresh_partitions(s);
W_ERROR_NOT_OK_RETURN(status);
return WERR_OK;
}
/*
see if we are low on RIDs in the RID Set rIDAllocationPool. If we
are, then schedule a replication call with DRSUAPI_EXOP_FSMO_RID_ALLOC
to the RID Manager
*/
WERROR dreplsrv_ridalloc_check_rid_pool(struct dreplsrv_service *service)
{
struct ldb_dn *rid_manager_dn, *fsmo_role_dn;
TALLOC_CTX *tmp_ctx = talloc_new(service);
struct ldb_context *ldb = service->samdb;
bool exhausted;
WERROR werr;
int ret;
uint64_t alloc_pool;
if (service->am_rodc) {
talloc_free(tmp_ctx);
return WERR_OK;
}
if (service->rid_alloc_in_progress) {
talloc_free(tmp_ctx);
return WERR_OK;
}
/*
steps:
- find who the RID Manager is
- if we are the RID Manager then nothing to do
- find our RID Set object
- load rIDAllocationPool and rIDPreviousAllocationPool
- if rIDAllocationPool != rIDPreviousAllocationPool then
nothing to do
- schedule a getncchanges with DRSUAPI_EXOP_FSMO_RID_ALLOC
to the RID Manager
*/
/* work out who is the RID Manager */
ret = samdb_rid_manager_dn(ldb, tmp_ctx, &rid_manager_dn);
if (ret != LDB_SUCCESS) {
DEBUG(0, (__location__ ": Failed to find RID Manager object - %s\n", ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
/* find the DN of the RID Manager */
ret = samdb_reference_dn(ldb, tmp_ctx, rid_manager_dn, "fSMORoleOwner", &fsmo_role_dn);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in RID Manager object - %s\n",
ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), fsmo_role_dn) == 0) {
/* we are the RID Manager - no need to do a
DRSUAPI_EXOP_FSMO_RID_ALLOC */
talloc_free(tmp_ctx);
return WERR_OK;
}
ret = drepl_ridalloc_pool_exhausted(ldb, &exhausted, &alloc_pool);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
if (!exhausted) {
/* don't need a new pool */
talloc_free(tmp_ctx);
return WERR_OK;
}
DEBUG(2,(__location__ ": Requesting more RIDs from RID Manager\n"));
werr = drepl_request_new_rid_pool(service, rid_manager_dn, fsmo_role_dn, alloc_pool);
talloc_free(tmp_ctx);
return werr;
}
/*
fill in the cldap netlogon union for a given version
*/
NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
TALLOC_CTX *mem_ctx,
const char *domain,
const char *netbios_domain,
struct dom_sid *domain_sid,
const char *domain_guid,
const char *user,
uint32_t acct_control,
const char *src_address,
uint32_t version,
struct loadparm_context *lp_ctx,
struct netlogon_samlogon_response *netlogon,
bool fill_on_blank_request)
{
const char *dom_attrs[] = {"objectGUID", NULL};
const char *none_attrs[] = {NULL};
struct ldb_result *dom_res = NULL, *user_res = NULL;
int ret;
const char **services = lpcfg_server_services(lp_ctx);
uint32_t server_type;
const char *pdc_name;
struct GUID domain_uuid;
const char *dns_domain;
const char *forest_domain;
const char *pdc_dns_name;
const char *flatname;
const char *server_site;
const char *client_site;
const char *pdc_ip;
struct ldb_dn *domain_dn = NULL;
struct interface *ifaces;
bool user_known, am_rodc;
NTSTATUS status;
/* the domain parameter could have an optional trailing "." */
if (domain && domain[strlen(domain)-1] == '.') {
domain = talloc_strndup(mem_ctx, domain, strlen(domain)-1);
NT_STATUS_HAVE_NO_MEMORY(domain);
}
/* Lookup using long or short domainname */
if (domain && (strcasecmp_m(domain, lpcfg_dnsdomain(lp_ctx)) == 0)) {
domain_dn = ldb_get_default_basedn(sam_ctx);
}
if (netbios_domain && (strcasecmp_m(netbios_domain, lpcfg_sam_name(lp_ctx)) == 0)) {
domain_dn = ldb_get_default_basedn(sam_ctx);
}
if (domain_dn) {
const char *domain_identifier = domain != NULL ? domain
: netbios_domain;
ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
domain_dn, LDB_SCOPE_BASE, dom_attrs,
"objectClass=domain");
if (ret != LDB_SUCCESS) {
DEBUG(2,("Error finding domain '%s'/'%s' in sam: %s\n",
domain_identifier,
ldb_dn_get_linearized(domain_dn),
ldb_errstring(sam_ctx)));
return NT_STATUS_NO_SUCH_DOMAIN;
}
if (dom_res->count != 1) {
DEBUG(2,("Error finding domain '%s'/'%s' in sam\n",
domain_identifier,
ldb_dn_get_linearized(domain_dn)));
return NT_STATUS_NO_SUCH_DOMAIN;
}
}
/* Lookup using GUID or SID */
if ((dom_res == NULL) && (domain_guid || domain_sid)) {
if (domain_guid) {
struct GUID binary_guid;
struct ldb_val guid_val;
/* By this means, we ensure we don't have funny stuff in the GUID */
status = GUID_from_string(domain_guid, &binary_guid);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* And this gets the result into the binary format we want anyway */
status = GUID_to_ndr_blob(&binary_guid, mem_ctx, &guid_val);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
NULL, LDB_SCOPE_SUBTREE,
dom_attrs,
"(&(objectCategory=DomainDNS)(objectGUID=%s))",
ldb_binary_encode(mem_ctx, guid_val));
} else { /* domain_sid case */
ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
NULL, LDB_SCOPE_SUBTREE,
dom_attrs,
"(&(objectCategory=DomainDNS)(objectSid=%s))",
dom_sid_string(mem_ctx, domain_sid));
}
if (ret != LDB_SUCCESS) {
DEBUG(2,("Unable to find a correct reference to GUID '%s' or SID '%s' in sam: %s\n",
domain_guid, dom_sid_string(mem_ctx, domain_sid),
ldb_errstring(sam_ctx)));
return NT_STATUS_NO_SUCH_DOMAIN;
} else if (dom_res->count == 1) {
/* Ok, now just check it is our domain */
if (ldb_dn_compare(ldb_get_default_basedn(sam_ctx),
dom_res->msgs[0]->dn) != 0) {
DEBUG(2,("The GUID '%s' or SID '%s' doesn't identify our domain\n",
domain_guid,
dom_sid_string(mem_ctx, domain_sid)));
return NT_STATUS_NO_SUCH_DOMAIN;
}
} else {
DEBUG(2,("Unable to find a correct reference to GUID '%s' or SID '%s' in sam\n",
domain_guid, dom_sid_string(mem_ctx, domain_sid)));
return NT_STATUS_NO_SUCH_DOMAIN;
}
}
if (dom_res == NULL && fill_on_blank_request) {
/* blank inputs gives our domain - tested against
w2k8r2. Without this ADUC on Win7 won't start */
domain_dn = ldb_get_default_basedn(sam_ctx);
ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
domain_dn, LDB_SCOPE_BASE, dom_attrs,
"objectClass=domain");
if (ret != LDB_SUCCESS) {
DEBUG(2,("Error finding domain '%s'/'%s' in sam: %s\n",
lpcfg_dnsdomain(lp_ctx),
ldb_dn_get_linearized(domain_dn),
ldb_errstring(sam_ctx)));
return NT_STATUS_NO_SUCH_DOMAIN;
}
}
if (dom_res == NULL) {
DEBUG(2,(__location__ ": Unable to get domain information with no inputs\n"));
return NT_STATUS_NO_SUCH_DOMAIN;
}
/* work around different inputs for not-specified users */
if (!user) {
user = "";
}
/* Enquire about any valid username with just a CLDAP packet -
* if kerberos didn't also do this, the security folks would
* scream... */
if (user[0]) { \
/* Only allow some bits to be enquired: [MS-ATDS] 7.3.3.2 */
if (acct_control == (uint32_t)-1) {
acct_control = 0;
}
acct_control = acct_control & (ACB_TEMPDUP | ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST);
/* We must exclude disabled accounts, but otherwise do the bitwise match the client asked for */
ret = ldb_search(sam_ctx, mem_ctx, &user_res,
dom_res->msgs[0]->dn, LDB_SCOPE_SUBTREE,
none_attrs,
"(&(objectClass=user)(samAccountName=%s)"
"(!(userAccountControl:" LDB_OID_COMPARATOR_AND ":=%u))"
"(userAccountControl:" LDB_OID_COMPARATOR_OR ":=%u))",
ldb_binary_encode_string(mem_ctx, user),
UF_ACCOUNTDISABLE, ds_acb2uf(acct_control));
if (ret != LDB_SUCCESS) {
DEBUG(2,("Unable to find reference to user '%s' with ACB 0x%8x under %s: %s\n",
user, acct_control, ldb_dn_get_linearized(dom_res->msgs[0]->dn),
ldb_errstring(sam_ctx)));
return NT_STATUS_NO_SUCH_USER;
} else if (user_res->count == 1) {
user_known = true;
} else {
user_known = false;
}
} else {
user_known = true;
}
server_type =
DS_SERVER_DS | DS_SERVER_TIMESERV |
DS_SERVER_GOOD_TIMESERV;
if (samdb_is_pdc(sam_ctx)) {
server_type |= DS_SERVER_PDC;
}
if (dsdb_functional_level(sam_ctx) >= DS_DOMAIN_FUNCTION_2008) {
server_type |= DS_SERVER_FULL_SECRET_DOMAIN_6;
}
if (samdb_is_gc(sam_ctx)) {
server_type |= DS_SERVER_GC;
}
if (str_list_check(services, "ldap")) {
server_type |= DS_SERVER_LDAP;
}
if (str_list_check(services, "kdc")) {
server_type |= DS_SERVER_KDC;
}
if (samdb_rodc(sam_ctx, &am_rodc) == LDB_SUCCESS && !am_rodc) {
server_type |= DS_SERVER_WRITABLE;
}
pdc_name = talloc_asprintf(mem_ctx, "\\\\%s",
lpcfg_netbios_name(lp_ctx));
NT_STATUS_HAVE_NO_MEMORY(pdc_name);
domain_uuid = samdb_result_guid(dom_res->msgs[0], "objectGUID");
dns_domain = lpcfg_dnsdomain(lp_ctx);
forest_domain = samdb_forest_name(sam_ctx, mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(forest_domain);
pdc_dns_name = talloc_asprintf(mem_ctx, "%s.%s",
strlower_talloc(mem_ctx,
lpcfg_netbios_name(lp_ctx)),
dns_domain);
NT_STATUS_HAVE_NO_MEMORY(pdc_dns_name);
flatname = lpcfg_workgroup(lp_ctx);
server_site = samdb_server_site_name(sam_ctx, mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(server_site);
client_site = samdb_client_site_name(sam_ctx, mem_ctx,
src_address, NULL);
NT_STATUS_HAVE_NO_MEMORY(client_site);
if (strcasecmp(server_site, client_site) == 0) {
server_type |= DS_SERVER_CLOSEST;
}
load_interface_list(mem_ctx, lp_ctx, &ifaces);
if (src_address) {
pdc_ip = iface_list_best_ip(ifaces, src_address);
} else {
pdc_ip = iface_list_first_v4(ifaces);
}
if (pdc_ip == NULL || !is_ipaddress_v4(pdc_ip)) {
/* this matches windows behaviour */
pdc_ip = "127.0.0.1";
}
ZERO_STRUCTP(netlogon);
/* check if either of these bits is present */
if (version & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP)) {
uint32_t extra_flags = 0;
netlogon->ntver = NETLOGON_NT_VERSION_5EX;
/* could check if the user exists */
if (user_known) {
netlogon->data.nt5_ex.command = LOGON_SAM_LOGON_RESPONSE_EX;
} else {
netlogon->data.nt5_ex.command = LOGON_SAM_LOGON_USER_UNKNOWN_EX;
}
netlogon->data.nt5_ex.pdc_name = pdc_name;
netlogon->data.nt5_ex.user_name = user;
netlogon->data.nt5_ex.domain_name = flatname;
netlogon->data.nt5_ex.domain_uuid = domain_uuid;
netlogon->data.nt5_ex.forest = forest_domain;
netlogon->data.nt5_ex.dns_domain = dns_domain;
netlogon->data.nt5_ex.pdc_dns_name = pdc_dns_name;
netlogon->data.nt5_ex.server_site = server_site;
netlogon->data.nt5_ex.client_site = client_site;
if (version & NETLOGON_NT_VERSION_5EX_WITH_IP) {
/* note that this is always a IPV4 address */
extra_flags = NETLOGON_NT_VERSION_5EX_WITH_IP;
netlogon->data.nt5_ex.sockaddr.sockaddr_family = 2;
netlogon->data.nt5_ex.sockaddr.pdc_ip = pdc_ip;
netlogon->data.nt5_ex.sockaddr.remaining = data_blob_talloc_zero(mem_ctx, 8);
}
netlogon->data.nt5_ex.server_type = server_type;
netlogon->data.nt5_ex.nt_version = NETLOGON_NT_VERSION_1|NETLOGON_NT_VERSION_5EX|extra_flags;
netlogon->data.nt5_ex.lmnt_token = 0xFFFF;
netlogon->data.nt5_ex.lm20_token = 0xFFFF;
} else if (version & NETLOGON_NT_VERSION_5) {
netlogon->ntver = NETLOGON_NT_VERSION_5;
/* could check if the user exists */
if (user_known) {
netlogon->data.nt5.command = LOGON_SAM_LOGON_RESPONSE;
} else {
netlogon->data.nt5.command = LOGON_SAM_LOGON_USER_UNKNOWN;
}
netlogon->data.nt5.pdc_name = pdc_name;
netlogon->data.nt5.user_name = user;
netlogon->data.nt5.domain_name = flatname;
netlogon->data.nt5.domain_uuid = domain_uuid;
netlogon->data.nt5.forest = forest_domain;
netlogon->data.nt5.dns_domain = dns_domain;
netlogon->data.nt5.pdc_dns_name = pdc_dns_name;
netlogon->data.nt5.pdc_ip = pdc_ip;
netlogon->data.nt5.server_type = server_type;
netlogon->data.nt5.nt_version = NETLOGON_NT_VERSION_1|NETLOGON_NT_VERSION_5;
netlogon->data.nt5.lmnt_token = 0xFFFF;
netlogon->data.nt5.lm20_token = 0xFFFF;
} else /* (version & NETLOGON_NT_VERSION_1) and all other cases */ {
netlogon->ntver = NETLOGON_NT_VERSION_1;
/* could check if the user exists */
if (user_known) {
netlogon->data.nt4.command = LOGON_SAM_LOGON_RESPONSE;
} else {
netlogon->data.nt4.command = LOGON_SAM_LOGON_USER_UNKNOWN;
}
netlogon->data.nt4.pdc_name = pdc_name;
netlogon->data.nt4.user_name = user;
netlogon->data.nt4.domain_name = flatname;
netlogon->data.nt4.nt_version = NETLOGON_NT_VERSION_1;
netlogon->data.nt4.lmnt_token = 0xFFFF;
netlogon->data.nt4.lm20_token = 0xFFFF;
}
return NT_STATUS_OK;
}
