/*
construct msDS-UserPasswordExpiryTimeComputed
*/
static int construct_msds_user_password_expiry_time_computed(struct ldb_module *module,
struct ldb_message *msg, enum ldb_scope scope,
struct ldb_request *parent)
{
struct ldb_context *ldb = ldb_module_get_ctx(module);
struct ldb_dn *nc_root;
int64_t password_expiry_time;
int ret;
ret = dsdb_find_nc_root(ldb, msg, msg->dn, &nc_root);
if (ret != 0) {
ldb_asprintf_errstring(ldb,
"Failed to find NC root of DN: %s: %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb));
return ret;
}
if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) != 0) {
/* Only calculate this on our default NC */
return 0;
}
password_expiry_time
= get_msds_user_password_expiry_time_computed(module, msg,
nc_root);
return samdb_msg_add_int64(ldb,
msg->elements, msg,
"msDS-UserPasswordExpiryTimeComputed",
password_expiry_time);
}
static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
struct ldb_dn *dn,
struct security_token *token,
struct ldb_context *ldb)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
struct dom_sid *dag_sid;
struct ldb_dn *nc_root;
int ret;
ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return NULL;
}
if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
if (security_token_has_sid(token, sa_sid)) {
dag_sid = dom_sid_dup(mem_ctx, sa_sid);
} else if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_is_system(token)) {
dag_sid = dom_sid_dup(mem_ctx, sa_sid);
} else {
dag_sid = NULL;
}
} else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_is_system(token)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else {
dag_sid = NULL;
}
} else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_is_system(token)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else {
dag_sid = NULL;
}
} else {
dag_sid = NULL;
}
talloc_free(tmp_ctx);
return dag_sid;
}
/*
construct msDS-User-Account-Control-Computed attr
*/
static int construct_msds_user_account_control_computed(struct ldb_module *module,
struct ldb_message *msg, enum ldb_scope scope,
struct ldb_request *parent)
{
uint32_t userAccountControl;
uint32_t msDS_User_Account_Control_Computed = 0;
struct ldb_context *ldb = ldb_module_get_ctx(module);
NTTIME now;
struct ldb_dn *nc_root;
int ret;
ret = dsdb_find_nc_root(ldb, msg, msg->dn, &nc_root);
if (ret != 0) {
ldb_asprintf_errstring(ldb,
"Failed to find NC root of DN: %s: %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb_module_get_ctx(module)));
return ret;
}
if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) != 0) {
/* Only calculate this on our default NC */
return 0;
}
/* Test account expire time */
unix_to_nt_time(&now, time(NULL));
userAccountControl = ldb_msg_find_attr_as_uint(msg,
"userAccountControl",
0);
if (!(userAccountControl & _UF_TRUST_ACCOUNTS)) {
int64_t lockoutTime = ldb_msg_find_attr_as_int64(msg, "lockoutTime", 0);
if (lockoutTime != 0) {
int64_t lockoutDuration = samdb_search_int64(ldb,
msg, 0, nc_root,
"lockoutDuration", NULL);
if (lockoutDuration >= 0) {
msDS_User_Account_Control_Computed |= UF_LOCKOUT;
} else if (lockoutTime - lockoutDuration >= now) {
msDS_User_Account_Control_Computed |= UF_LOCKOUT;
}
}
}
if (!(userAccountControl & _UF_NO_EXPIRY_ACCOUNTS)) {
NTTIME must_change_time
= get_msds_user_password_expiry_time_computed(module,
msg, nc_root);
/* check for expired password */
if (must_change_time < now) {
msDS_User_Account_Control_Computed |= UF_PASSWORD_EXPIRED;
}
}
return samdb_msg_add_int64(ldb,
msg->elements, msg,
"msDS-User-Account-Control-Computed",
msDS_User_Account_Control_Computed);
}
static PyObject *py_dsdb_get_nc_root(PyObject *self, PyObject *args)
{
struct ldb_context *ldb;
struct ldb_dn *dn, *nc_root;
PyObject *py_ldb, *py_ldb_dn, *py_nc_root;
int ret;
if (!PyArg_ParseTuple(args, "OO", &py_ldb, &py_ldb_dn))
return NULL;
PyErr_LDB_OR_RAISE(py_ldb, ldb);
PyErr_LDB_DN_OR_RAISE(py_ldb_dn, dn);
ret = dsdb_find_nc_root(ldb, ldb, dn, &nc_root);
PyErr_LDB_ERROR_IS_ERR_RAISE(py_ldb_get_exception(), ret, ldb);
py_nc_root = pyldb_Dn_FromDn(nc_root);
talloc_unlink(ldb, nc_root);
return py_nc_root;
}
/*
create the role owner source dsa structure
nc_dn: the DN of the subtree being replicated
source_dsa_dn: the DN of the server that we are replicating from
*/
static WERROR drepl_create_extended_source_dsa(struct dreplsrv_service *service,
struct ldb_dn *nc_dn,
struct ldb_dn *source_dsa_dn,
uint64_t min_usn,
struct dreplsrv_partition_source_dsa **_sdsa)
{
struct dreplsrv_partition_source_dsa *sdsa;
struct ldb_context *ldb = service->samdb;
int ret;
WERROR werr;
struct ldb_dn *nc_root;
struct dreplsrv_partition *p;
sdsa = talloc_zero(service, struct dreplsrv_partition_source_dsa);
W_ERROR_HAVE_NO_MEMORY(sdsa);
sdsa->partition = talloc_zero(sdsa, struct dreplsrv_partition);
if (!sdsa->partition) {
talloc_free(sdsa);
return WERR_NOMEM;
}
sdsa->partition->dn = ldb_dn_copy(sdsa->partition, nc_dn);
if (!sdsa->partition->dn) {
talloc_free(sdsa);
return WERR_NOMEM;
}
sdsa->partition->nc.dn = ldb_dn_alloc_linearized(sdsa->partition, nc_dn);
if (!sdsa->partition->nc.dn) {
talloc_free(sdsa);
return WERR_NOMEM;
}
ret = dsdb_find_guid_by_dn(ldb, nc_dn, &sdsa->partition->nc.guid);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to find GUID for %s\n",
ldb_dn_get_linearized(nc_dn)));
talloc_free(sdsa);
return WERR_DS_DRA_INTERNAL_ERROR;
}
sdsa->repsFrom1 = &sdsa->_repsFromBlob.ctr.ctr1;
ret = dsdb_find_guid_by_dn(ldb, source_dsa_dn, &sdsa->repsFrom1->source_dsa_obj_guid);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to find objectGUID for %s\n",
ldb_dn_get_linearized(source_dsa_dn)));
talloc_free(sdsa);
return WERR_DS_DRA_INTERNAL_ERROR;
}
sdsa->repsFrom1->other_info = talloc_zero(sdsa, struct repsFromTo1OtherInfo);
if (!sdsa->repsFrom1->other_info) {
talloc_free(sdsa);
return WERR_NOMEM;
}
sdsa->repsFrom1->other_info->dns_name = samdb_ntds_msdcs_dns_name(ldb,
sdsa->repsFrom1->other_info,
&sdsa->repsFrom1->source_dsa_obj_guid);
if (!sdsa->repsFrom1->other_info->dns_name) {
talloc_free(sdsa);
return WERR_NOMEM;
}
werr = dreplsrv_out_connection_attach(service, sdsa->repsFrom1, &sdsa->conn);
if (!W_ERROR_IS_OK(werr)) {
DEBUG(0,(__location__ ": Failed to attach connection to %s\n",
ldb_dn_get_linearized(nc_dn)));
talloc_free(sdsa);
return werr;
}
ret = dsdb_find_nc_root(service->samdb, sdsa, nc_dn, &nc_root);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to find nc_root for %s\n",
ldb_dn_get_linearized(nc_dn)));
talloc_free(sdsa);
return WERR_DS_DRA_INTERNAL_ERROR;
}
/* use the partition uptodateness vector */
ret = dsdb_load_udv_v2(service->samdb, nc_root, sdsa->partition,
&sdsa->partition->uptodatevector.cursors,
&sdsa->partition->uptodatevector.count);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to load UDV for %s\n",
ldb_dn_get_linearized(nc_root)));
talloc_free(sdsa);
return WERR_DS_DRA_INTERNAL_ERROR;
}
/* find the highwatermark from the partitions list */
for (p=service->partitions; p; p=p->next) {
if (ldb_dn_compare(p->dn, nc_root) == 0) {
struct dreplsrv_partition_source_dsa *s;
werr = dreplsrv_partition_source_dsa_by_guid(p,
&sdsa->repsFrom1->source_dsa_obj_guid,
&s);
if (W_ERROR_IS_OK(werr)) {
sdsa->repsFrom1->highwatermark = s->repsFrom1->highwatermark;
sdsa->repsFrom1->replica_flags = s->repsFrom1->replica_flags;
}
}
}
if (!service->am_rodc) {
sdsa->repsFrom1->replica_flags |= DRSUAPI_DRS_WRIT_REP;
}
*_sdsa = sdsa;
return WERR_OK;
}
