DWORD
VmDirCreateTransientSecurityDescriptor(
BOOLEAN bAllowAnonymousRead,
PVMDIR_SECURITY_DESCRIPTOR pvsd
)
{
DWORD dwError = 0;
PSTR pszDomainDN = NULL;
PSTR pszAdminsGroupSid = NULL;
PSTR pszDomainAdminsGroupSid = NULL;
VMDIR_SECURITY_DESCRIPTOR SecDesc = {0};
pszDomainDN = BERVAL_NORM_VAL(gVmdirServerGlobals.systemDomainDN);
dwError = VmDirGenerateWellknownSid(
pszDomainDN, VMDIR_DOMAIN_ALIAS_RID_ADMINS, &pszAdminsGroupSid);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirGenerateWellknownSid(
pszDomainDN, VMDIR_DOMAIN_ADMINS_RID, &pszDomainAdminsGroupSid);
BAIL_ON_VMDIR_ERROR(dwError);
// Create default security descriptor for internally-created entries.
dwError = VmDirSrvCreateSecurityDescriptor(
VMDIR_ENTRY_ALL_ACCESS_NO_DELETE_CHILD_BUT_DELETE_OBJECT,
BERVAL_NORM_VAL(gVmdirServerGlobals.bvDefaultAdminDN),
pszAdminsGroupSid,
pszDomainAdminsGroupSid,
FALSE,
bAllowAnonymousRead,
bAllowAnonymousRead,
FALSE,
FALSE,
&SecDesc);
BAIL_ON_VMDIR_ERROR(dwError);
pvsd->pSecDesc = SecDesc.pSecDesc;
pvsd->ulSecDesc = SecDesc.ulSecDesc;
pvsd->SecInfo = SecDesc.SecInfo;
cleanup:
VMDIR_SAFE_FREE_STRINGA(pszAdminsGroupSid);
VMDIR_SAFE_FREE_STRINGA(pszDomainAdminsGroupSid);
return dwError;
error:
goto cleanup;
}
static
DWORD
VmDirSrvSetupDomainInstance(
PVDIR_SCHEMA_CTX pSchemaCtx,
BOOLEAN bSetupHost,
BOOLEAN bFirstNodeBootstrap,
PCSTR pszFQDomainName,
PCSTR pszDomainDN,
PCSTR pszUsername,
PCSTR pszPassword
)
{
DWORD dwError = 0;
PCSTR pszUsersContainerName = "Users";
PCSTR pszBuiltInContainerName = "Builtin";
PCSTR pszFSPsContainerName = FSP_CONTAINER_RDN_ATTR_VALUE;
PCSTR pszBuiltInUsersGroupName = "Users";
PCSTR pszBuiltInAdministratorsGroupName = "Administrators";
PSTR pszUsersContainerDN = NULL; // CN=Users,<domain DN>
PSTR pszBuiltInContainerDN = NULL; // CN=BuiltIn,<domain DN>
PSTR pszFSPsContainerDN = NULL; // CN=ForeignSecurityPrincipals,<domain DN>
PSTR pszUserDN = NULL;
PSTR pszBuiltInUsersGroupDN = NULL;
PSTR pszBuiltInAdministratorsGroupDN = NULL;
PSTR pszDefaultPasswdLockoutPolicyDN = NULL;
PSTR pszDCGroupDN = NULL;
PSTR pszDCClientGroupDN = NULL;
PSTR pszCertGroupDN = NULL;
PSTR pszTenantRealmName = NULL;
PSECURITY_DESCRIPTOR_RELATIVE pSecDescRel = NULL;
ULONG ulSecDescRel = 0;
SECURITY_INFORMATION SecInfo = 0;
PSTR pszAdminSid = NULL;
PSTR pszBuiltInUsersGroupSid = NULL;
PSTR pszAdminsGroupSid = NULL;
PSTR pszAdminUserKrbUPN = NULL;
int i = 0;
int startOfRdnInd = 0;
// Create host/tenant domain
dwError = VmDirSrvCreateDomain(pSchemaCtx, bSetupHost, pszDomainDN);
BAIL_ON_VMDIR_ERROR(dwError);
// Create Users container
dwError = VmDirSrvCreateDN( pszUsersContainerName, pszDomainDN, &pszUsersContainerDN);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirSrvCreateContainer( pSchemaCtx, pszUsersContainerDN, pszUsersContainerName);
BAIL_ON_VMDIR_ERROR(dwError);
// Create Builtin container
dwError = VmDirSrvCreateDN( pszBuiltInContainerName, pszDomainDN, &pszBuiltInContainerDN);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirSrvCreateBuiltinContainer( pSchemaCtx, pszBuiltInContainerDN, pszBuiltInContainerName );
BAIL_ON_VMDIR_ERROR(dwError);
// Create ForeignSecurityPrincipals container
dwError = VmDirSrvCreateDN( pszFSPsContainerName, pszDomainDN, &pszFSPsContainerDN);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirSrvCreateContainer( pSchemaCtx, pszFSPsContainerDN, pszFSPsContainerName);
BAIL_ON_VMDIR_ERROR(dwError);
if (bSetupHost)
{
// only do this for the very first node startup.
if (bFirstNodeBootstrap)
{
dwError = VmDirSrvInitKrb(pSchemaCtx, pszFQDomainName, pszDomainDN);
BAIL_ON_VMDIR_ERROR(dwError);
// prepare administrator krb UPN for the very first node
dwError = VmDirAllocateStringAVsnprintf(
&pszAdminUserKrbUPN,
"%s@%s",
pszUsername,
gVmdirKrbGlobals.pszRealm);
BAIL_ON_VMDIR_ERROR(dwError);
}
}
else
{ // setup tenant scenario.
// Though we only support system domain kdc, we need UPN for SRP to function.
dwError = VmDirKrbRealmNameNormalize(pszFQDomainName, &pszTenantRealmName);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirAllocateStringAVsnprintf(
&pszAdminUserKrbUPN,
"%s@%s",
pszUsername,
pszTenantRealmName);
BAIL_ON_VMDIR_ERROR(dwError);
}
// Create Admin user
dwError = VmDirSrvCreateUserDN( pszUsername, pszUsersContainerDN, &pszUserDN);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirGenerateWellknownSid(pszDomainDN,
VMDIR_DOMAIN_USER_RID_ADMIN,
&pszAdminSid);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirSrvCreateUser( pSchemaCtx,
(bSetupHost && bFirstNodeBootstrap) ? DEFAULT_ADMINISTRATOR_ENTRY_ID : 0,
pszUsername, pszUsername, pszFQDomainName, pszUsername, pszPassword,
pszUserDN, pszAdminSid, pszAdminUserKrbUPN);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirSetAdministratorPasswordNeverExpires();
BAIL_ON_VMDIR_ERROR(dwError);
// Create BuiltInUsers group
dwError = VmDirAllocateStringAVsnprintf( &pszBuiltInUsersGroupDN, "cn=%s,%s", pszBuiltInUsersGroupName,
pszBuiltInContainerDN);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirGenerateWellknownSid(pszDomainDN,
VMDIR_DOMAIN_ALIAS_RID_USERS,
&pszBuiltInUsersGroupSid);
BAIL_ON_VMDIR_ERROR(dwError);
//
// Create the user group for tenant setup or for first host setup.
//
if (bSetupHost == FALSE || bFirstNodeBootstrap == TRUE)
{
dwError = VmDirSrvCreateBuiltInUsersGroup( pSchemaCtx, pszBuiltInUsersGroupName,
pszBuiltInUsersGroupDN, pszUserDN,
pszBuiltInUsersGroupSid);
BAIL_ON_VMDIR_ERROR(dwError);
}
// Create BuiltInAdministrators group
dwError = VmDirAllocateStringAVsnprintf( &pszBuiltInAdministratorsGroupDN, "cn=%s,%s",
pszBuiltInAdministratorsGroupName, pszBuiltInContainerDN);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirGenerateWellknownSid(pszDomainDN,
VMDIR_DOMAIN_ALIAS_RID_ADMINS,
&pszAdminsGroupSid);
BAIL_ON_VMDIR_ERROR(dwError);
//
// Create the admin group for tenant setup or for first host setup.
//
if (bSetupHost == FALSE || bFirstNodeBootstrap == TRUE)
{
dwError = VmDirSrvCreateBuiltInAdminGroup( pSchemaCtx, pszBuiltInAdministratorsGroupName,
pszBuiltInAdministratorsGroupDN, pszUserDN,
pszAdminsGroupSid );
BAIL_ON_VMDIR_ERROR(dwError);
}
//
// Create DCadmins/DCClients/CERTAdmins groups only for the very first
// host setup.
//
if ( bSetupHost && bFirstNodeBootstrap )
{
// create DCAdmins Group
dwError = VmDirAllocateStringAVsnprintf( &pszDCGroupDN,
"cn=%s,%s",
VMDIR_DC_GROUP_NAME,
pszBuiltInContainerDN);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = _VmDirSrvCreateBuiltInGroup( pSchemaCtx,
VMDIR_DC_GROUP_NAME,
pszDCGroupDN);
BAIL_ON_VMDIR_ERROR(dwError);
// create DCClients Group
dwError = VmDirAllocateStringAVsnprintf( &pszDCClientGroupDN,
"cn=%s,%s",
VMDIR_DCCLIENT_GROUP_NAME,
pszBuiltInContainerDN);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = _VmDirSrvCreateBuiltInGroup( pSchemaCtx,
VMDIR_DCCLIENT_GROUP_NAME,
pszDCClientGroupDN);
BAIL_ON_VMDIR_ERROR(dwError);
// create CertAdmins Group
dwError = VmDirAllocateStringAVsnprintf( &pszCertGroupDN,
"cn=%s,%s",
VMDIR_CERT_GROUP_NAME,
pszBuiltInContainerDN);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = _VmDirSrvCreateBuiltInCertGroup( pSchemaCtx,
VMDIR_CERT_GROUP_NAME,
pszCertGroupDN,
pszUserDN, // member: default administrator
pszDCGroupDN, // member: DCAdmins group
pszDCClientGroupDN); // member: DCClients group
BAIL_ON_VMDIR_ERROR(dwError);
}
// Set up SD for the entries created during instance set up
// Default allows administrator VMDIR_ENTRY_ALL_ACCESS,
// oneself VMDIR_ENTRY_GENERIC_WRITE
dwError = VmDirSrvCreateDefaultSecDescRel( pszUserDN, pszAdminsGroupSid,
&pSecDescRel, &ulSecDescRel, &SecInfo);
BAIL_ON_VMDIR_ERROR(dwError);
// add the same sd for all the objects created during instance set-up
// Set SD for the Domain objects
for (i = (int) VmDirStringLenA(pszDomainDN) - 1; i >= 0; i-- )
{
if (i == 0 || pszDomainDN[i] == RDN_SEPARATOR_CHAR)
{
startOfRdnInd = (i == 0) ? 0 : i + 1 /* for , */;
dwError = VmDirSetSecurityDescriptorForDn( (PSTR)pszDomainDN + startOfRdnInd, SecInfo, pSecDescRel, ulSecDescRel);
BAIL_ON_VMDIR_ERROR(dwError);
}
}
dwError = VmDirSetSecurityDescriptorForDn( (PSTR)pszDomainDN, SecInfo, pSecDescRel, ulSecDescRel);
BAIL_ON_VMDIR_ERROR(dwError);
// Set SD for the administrator object
dwError = VmDirSetSecurityDescriptorForDn( pszUserDN, SecInfo, pSecDescRel, ulSecDescRel);
BAIL_ON_VMDIR_ERROR(dwError);
// Set SD for Users container
dwError = VmDirSetSecurityDescriptorForDn( pszUsersContainerDN, SecInfo, pSecDescRel, ulSecDescRel);
BAIL_ON_VMDIR_ERROR(dwError);
// Set SD for Builtin container
dwError = VmDirSetSecurityDescriptorForDn( pszBuiltInContainerDN, SecInfo, pSecDescRel, ulSecDescRel);
BAIL_ON_VMDIR_ERROR(dwError);
// Set SD for ForeignSecurityPrincipals container
dwError = VmDirSetSecurityDescriptorForDn( pszFSPsContainerDN, SecInfo, pSecDescRel, ulSecDescRel);
BAIL_ON_VMDIR_ERROR(dwError);
if (bSetupHost == FALSE || bFirstNodeBootstrap == TRUE)
{
// Set SD for BuiltInUsers group
dwError = VmDirSetSecurityDescriptorForDn( pszBuiltInUsersGroupDN, SecInfo, pSecDescRel, ulSecDescRel);
BAIL_ON_VMDIR_ERROR(dwError);
// Set SD for BuiltInAdministrators group
dwError = VmDirSetSecurityDescriptorForDn( pszBuiltInAdministratorsGroupDN, SecInfo, pSecDescRel, ulSecDescRel);
BAIL_ON_VMDIR_ERROR(dwError);
}
if ( bSetupHost && bFirstNodeBootstrap )
{
// Set SD for BuiltIn DC group
dwError = VmDirSetSecurityDescriptorForDn( pszDCGroupDN, SecInfo, pSecDescRel, ulSecDescRel);
BAIL_ON_VMDIR_ERROR(dwError);
// Set SD for BuiltIn DCClients group
dwError = VmDirSetSecurityDescriptorForDn(pszDCClientGroupDN, SecInfo, pSecDescRel, ulSecDescRel);
BAIL_ON_VMDIR_ERROR(dwError);
// Set SD for BuiltIn Cert group
dwError = VmDirSetSecurityDescriptorForDn( pszCertGroupDN, SecInfo, pSecDescRel, ulSecDescRel);
BAIL_ON_VMDIR_ERROR(dwError);
}
// Create default password and lockout policy
dwError = VmDirSrvCreateDN( PASSWD_LOCKOUT_POLICY_DEFAULT_CN, pszDomainDN, &pszDefaultPasswdLockoutPolicyDN );
BAIL_ON_VMDIR_ERROR(dwError);
dwError = VmDirSrvCreateDefaultPasswdPolicy(pSchemaCtx, pszDefaultPasswdLockoutPolicyDN);
BAIL_ON_VMDIR_ERROR(dwError);
// Set SD for Password lockout policy object
dwError = VmDirSetSecurityDescriptorForDn( pszDefaultPasswdLockoutPolicyDN, SecInfo, pSecDescRel, ulSecDescRel);
BAIL_ON_VMDIR_ERROR(dwError);
cleanup:
VMDIR_SAFE_FREE_MEMORY(pszUsersContainerDN);
VMDIR_SAFE_FREE_MEMORY(pszBuiltInContainerDN);
VMDIR_SAFE_FREE_MEMORY(pszFSPsContainerDN);
VMDIR_SAFE_FREE_MEMORY(pszUserDN);
VMDIR_SAFE_FREE_MEMORY(pszBuiltInUsersGroupDN);
VMDIR_SAFE_FREE_MEMORY(pszBuiltInAdministratorsGroupDN);
VMDIR_SAFE_FREE_MEMORY(pszDefaultPasswdLockoutPolicyDN);
VMDIR_SAFE_FREE_MEMORY(pszDCGroupDN);
VMDIR_SAFE_FREE_MEMORY(pszDCClientGroupDN);
VMDIR_SAFE_FREE_MEMORY(pszCertGroupDN);
VMDIR_SAFE_FREE_MEMORY(pszTenantRealmName);
VMDIR_SAFE_FREE_MEMORY(pSecDescRel);
VMDIR_SAFE_FREE_MEMORY(pszAdminSid);
VMDIR_SAFE_FREE_MEMORY(pszBuiltInUsersGroupSid);
VMDIR_SAFE_FREE_MEMORY(pszAdminsGroupSid);
VMDIR_SAFE_FREE_MEMORY(pszAdminUserKrbUPN);
return dwError;
error:
VmDirLog(LDAP_DEBUG_ANY, "VmDirSrvSetupDomainInstance failed. Error(%u)", dwError);
goto cleanup;
}
