/*
 * Construct the msDS-UserPasswordExpiryTimeComputed attribute.
 *
 * The attribute is only populated for objects under the default naming
 * context; for any other NC the message is left untouched and 0 is
 * returned.  The value itself comes from
 * get_msds_user_password_expiry_time_computed().
 *
 * @param module  the operational module (used to reach the ldb context)
 * @param msg     message being constructed; nc_root is allocated on it and
 *                lives as long as the message does
 * @param scope   unused
 * @param parent  unused
 * @return 0 on success (including the "not our NC" case), otherwise the
 *         error from dsdb_find_nc_root() or samdb_msg_add_int64()
 */
static int construct_msds_user_password_expiry_time_computed(struct ldb_module *module,
							     struct ldb_message *msg,
							     enum ldb_scope scope,
							     struct ldb_request *parent)
{
	struct ldb_context *ldb = ldb_module_get_ctx(module);
	struct ldb_dn *nc_root = NULL;
	int ret = dsdb_find_nc_root(ldb, msg, msg->dn, &nc_root);

	if (ret != 0) {
		/* ldb_errstring(ldb) is evaluated before the new string is set */
		ldb_asprintf_errstring(ldb,
				       "Failed to find NC root of DN: %s: %s",
				       ldb_dn_get_linearized(msg->dn),
				       ldb_errstring(ldb));
		return ret;
	}

	if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
		int64_t expiry = get_msds_user_password_expiry_time_computed(module,
									    msg,
									    nc_root);
		return samdb_msg_add_int64(ldb, msg->elements, msg,
					   "msDS-UserPasswordExpiryTimeComputed",
					   expiry);
	}

	/* Only calculate this on our default NC */
	return 0;
}
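/*
 * Return a copy (on @mem_ctx) of the first SID in @candidates that @token
 * holds, checking in the given priority order.  If the token holds none of
 * them but is the system token, a copy of @system_default is returned
 * instead.  NULL means "no matching group" (or allocation failure).
 */
static struct dom_sid *pick_admin_group(TALLOC_CTX *mem_ctx,
					struct security_token *token,
					struct dom_sid **candidates,
					size_t num_candidates,
					struct dom_sid *system_default)
{
	size_t i;

	for (i = 0; i < num_candidates; i++) {
		if (security_token_has_sid(token, candidates[i])) {
			return dom_sid_dup(mem_ctx, candidates[i]);
		}
	}
	if (security_token_is_system(token)) {
		return dom_sid_dup(mem_ctx, system_default);
	}
	return NULL;
}

/*
 * Work out the default administrative group for an object at @dn, based on
 * which naming context the DN lives in and which admin groups @token holds.
 *
 * Precedence per NC (first group the token holds wins; the system token
 * falls back to the first entry):
 *   schema NC:  Schema Admins, Enterprise Admins, Domain Admins
 *   config NC:  Enterprise Admins, Domain Admins
 *   default NC: Domain Admins, Enterprise Admins
 * Any other NC, a token holding none of these, or a lookup/allocation
 * failure yields NULL.  The result presumably feeds the default owner/group
 * of a new object's security descriptor, so the precedence order is
 * security-relevant and should not be reordered casually.
 *
 * @param mem_ctx  talloc parent of the returned SID
 * @param dn       DN of the object being considered
 * @param token    security token of the requester
 * @param ldb      ldb context (used for the domain SID and NC roots)
 * @return newly allocated SID on @mem_ctx, or NULL
 */
static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
				      struct ldb_dn *dn,
				      struct security_token *token,
				      struct ldb_context *ldb)
{
	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
	const struct dom_sid *domain_sid;
	struct dom_sid *da_sid;
	struct dom_sid *ea_sid;
	struct dom_sid *sa_sid;
	struct dom_sid *dag_sid = NULL;
	struct ldb_dn *nc_root = NULL;
	int ret;

	if (tmp_ctx == NULL) {
		return NULL;
	}

	domain_sid = samdb_domain_sid(ldb);
	if (domain_sid == NULL) {
		talloc_free(tmp_ctx);
		return NULL;
	}

	da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
	ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
	sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
	if (da_sid == NULL || ea_sid == NULL || sa_sid == NULL) {
		/* never compare the token against a missing SID */
		talloc_free(tmp_ctx);
		return NULL;
	}

	ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
	if (ret != LDB_SUCCESS) {
		talloc_free(tmp_ctx);
		return NULL;
	}

	if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
		struct dom_sid *prefs[] = { sa_sid, ea_sid, da_sid };
		dag_sid = pick_admin_group(mem_ctx, token, prefs,
					   sizeof(prefs) / sizeof(prefs[0]),
					   sa_sid);
	} else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
		struct dom_sid *prefs[] = { ea_sid, da_sid };
		dag_sid = pick_admin_group(mem_ctx, token, prefs,
					   sizeof(prefs) / sizeof(prefs[0]),
					   ea_sid);
	} else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
		struct dom_sid *prefs[] = { da_sid, ea_sid };
		dag_sid = pick_admin_group(mem_ctx, token, prefs,
					   sizeof(prefs) / sizeof(prefs[0]),
					   da_sid);
	}

	talloc_free(tmp_ctx);
	return dag_sid;
}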
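/*
 * Construct the msDS-User-Account-Control-Computed attribute.
 *
 * Derives the server-computed UF_LOCKOUT and UF_PASSWORD_EXPIRED bits from
 * userAccountControl, lockoutTime, the domain's lockoutDuration and the
 * computed password expiry time.  Only objects under the default NC are
 * handled; others are returned unchanged.
 *
 * @param module  the operational module (used to reach the ldb context)
 * @param msg     message being constructed; also the talloc parent of the
 *                lookups made here
 * @param scope   unused
 * @param parent  unused
 * @return 0 on success (including the "not our NC" case), otherwise the
 *         error from dsdb_find_nc_root() or samdb_msg_add_int64()
 */
static int construct_msds_user_account_control_computed(struct ldb_module *module,
							struct ldb_message *msg,
							enum ldb_scope scope,
							struct ldb_request *parent)
{
	struct ldb_context *ldb = ldb_module_get_ctx(module);
	uint32_t userAccountControl;
	uint32_t msDS_User_Account_Control_Computed = 0;
	NTTIME now;
	struct ldb_dn *nc_root = NULL;
	int ret;

	ret = dsdb_find_nc_root(ldb, msg, msg->dn, &nc_root);
	if (ret != 0) {
		/* ldb_errstring(ldb) is evaluated before the new string is set */
		ldb_asprintf_errstring(ldb,
				       "Failed to find NC root of DN: %s: %s",
				       ldb_dn_get_linearized(msg->dn),
				       ldb_errstring(ldb));
		return ret;
	}

	if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) != 0) {
		/* Only calculate this on our default NC */
		return 0;
	}

	/* Test account expire time */
	unix_to_nt_time(&now, time(NULL));

	userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);

	/* The lockout bit is never computed for trust accounts */
	if (!(userAccountControl & _UF_TRUST_ACCOUNTS)) {
		int64_t lockoutTime = ldb_msg_find_attr_as_int64(msg, "lockoutTime", 0);

		if (lockoutTime != 0) {
			int64_t lockoutDuration = samdb_search_int64(ldb, msg, 0, nc_root,
								     "lockoutDuration", NULL);

			if (lockoutDuration >= 0) {
				/* a non-negative duration is treated as an
				 * indefinite lockout */
				msDS_User_Account_Control_Computed |= UF_LOCKOUT;
			} else if (lockoutTime - lockoutDuration >= now) {
				/* the subtraction implies lockoutDuration is
				 * stored as a negative interval; the window
				 * still covers "now".
				 * NOTE(review): int64 vs NTTIME (unsigned)
				 * comparison — a negative left-hand side
				 * would wrap; confirm that cannot occur */
				msDS_User_Account_Control_Computed |= UF_LOCKOUT;
			}
		}
	}

	if (!(userAccountControl & _UF_NO_EXPIRY_ACCOUNTS)) {
		/* int64_t result stored as NTTIME; assumes the helper never
		 * returns a negative value — TODO confirm */
		NTTIME must_change_time =
			get_msds_user_password_expiry_time_computed(module, msg, nc_root);

		/* check for expired password */
		if (must_change_time < now) {
			msDS_User_Account_Control_Computed |= UF_PASSWORD_EXPIRED;
		}
	}

	return samdb_msg_add_int64(ldb, msg->elements, msg,
				   "msDS-User-Account-Control-Computed",
				   msDS_User_Account_Control_Computed);
}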
/*
 * Python binding: dsdb_get_nc_root(ldb, dn) -> Dn
 *
 * Resolves the naming-context root of @dn via dsdb_find_nc_root() and hands
 * it back as a pyldb Dn object.  The nc_root allocated on @ldb is unlinked
 * from it once the Python object exists; pyldb_Dn_FromDn() is assumed to
 * hold its own reference (verify against pyldb).
 *
 * Raises an ldb error (via PyErr_LDB_ERROR_IS_ERR_RAISE) when the lookup
 * fails, and a TypeError-style error when the arguments are not an ldb
 * context and a Dn.
 */
static PyObject *py_dsdb_get_nc_root(PyObject *self, PyObject *args)
{
	PyObject *py_ldb = NULL;
	PyObject *py_ldb_dn = NULL;
	PyObject *result;
	struct ldb_context *ldb;
	struct ldb_dn *dn;
	struct ldb_dn *nc_root = NULL;
	int ret;

	if (!PyArg_ParseTuple(args, "OO", &py_ldb, &py_ldb_dn)) {
		return NULL;
	}
	PyErr_LDB_OR_RAISE(py_ldb, ldb);
	PyErr_LDB_DN_OR_RAISE(py_ldb_dn, dn);

	ret = dsdb_find_nc_root(ldb, ldb, dn, &nc_root);
	PyErr_LDB_ERROR_IS_ERR_RAISE(py_ldb_get_exception(), ret, ldb);

	result = pyldb_Dn_FromDn(nc_root);
	talloc_unlink(ldb, nc_root);
	return result;
}
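/*
 * Create the role owner source dsa structure.
 *
 * nc_dn:         the DN of the subtree being replicated
 * source_dsa_dn: the DN of the server that we are replicating from
 * min_usn:       not referenced by the body below
 *
 * On success *_sdsa receives a structure allocated on @service.  Every
 * failure path frees everything built so far (all allocations hang off
 * @sdsa) and returns the matching WERROR.
 */
static WERROR drepl_create_extended_source_dsa(struct dreplsrv_service *service,
					       struct ldb_dn *nc_dn,
					       struct ldb_dn *source_dsa_dn,
					       uint64_t min_usn,
					       struct dreplsrv_partition_source_dsa **_sdsa)
{
	struct dreplsrv_partition_source_dsa *sdsa;
	struct ldb_context *ldb = service->samdb;
	struct ldb_dn *nc_root = NULL;
	struct dreplsrv_partition *p;
	WERROR werr = WERR_NOMEM;
	int ret;

	sdsa = talloc_zero(service, struct dreplsrv_partition_source_dsa);
	W_ERROR_HAVE_NO_MEMORY(sdsa);

	sdsa->partition = talloc_zero(sdsa, struct dreplsrv_partition);
	if (sdsa->partition == NULL) {
		werr = WERR_NOMEM;
		goto fail;
	}

	sdsa->partition->dn = ldb_dn_copy(sdsa->partition, nc_dn);
	if (sdsa->partition->dn == NULL) {
		werr = WERR_NOMEM;
		goto fail;
	}

	sdsa->partition->nc.dn = ldb_dn_alloc_linearized(sdsa->partition, nc_dn);
	if (sdsa->partition->nc.dn == NULL) {
		werr = WERR_NOMEM;
		goto fail;
	}

	ret = dsdb_find_guid_by_dn(ldb, nc_dn, &sdsa->partition->nc.guid);
	if (ret != LDB_SUCCESS) {
		DEBUG(0,(__location__ ": Failed to find GUID for %s\n",
			 ldb_dn_get_linearized(nc_dn)));
		werr = WERR_DS_DRA_INTERNAL_ERROR;
		goto fail;
	}

	/* repsFrom1 points into the blob embedded in sdsa itself */
	sdsa->repsFrom1 = &sdsa->_repsFromBlob.ctr.ctr1;

	ret = dsdb_find_guid_by_dn(ldb, source_dsa_dn,
				   &sdsa->repsFrom1->source_dsa_obj_guid);
	if (ret != LDB_SUCCESS) {
		DEBUG(0,(__location__ ": Failed to find objectGUID for %s\n",
			 ldb_dn_get_linearized(source_dsa_dn)));
		werr = WERR_DS_DRA_INTERNAL_ERROR;
		goto fail;
	}

	sdsa->repsFrom1->other_info = talloc_zero(sdsa, struct repsFromTo1OtherInfo);
	if (sdsa->repsFrom1->other_info == NULL) {
		werr = WERR_NOMEM;
		goto fail;
	}

	sdsa->repsFrom1->other_info->dns_name =
		samdb_ntds_msdcs_dns_name(ldb, sdsa->repsFrom1->other_info,
					  &sdsa->repsFrom1->source_dsa_obj_guid);
	if (sdsa->repsFrom1->other_info->dns_name == NULL) {
		werr = WERR_NOMEM;
		goto fail;
	}

	werr = dreplsrv_out_connection_attach(service, sdsa->repsFrom1, &sdsa->conn);
	if (!W_ERROR_IS_OK(werr)) {
		DEBUG(0,(__location__ ": Failed to attach connection to %s\n",
			 ldb_dn_get_linearized(nc_dn)));
		goto fail;
	}

	ret = dsdb_find_nc_root(ldb, sdsa, nc_dn, &nc_root);
	if (ret != LDB_SUCCESS) {
		DEBUG(0,(__location__ ": Failed to find nc_root for %s\n",
			 ldb_dn_get_linearized(nc_dn)));
		werr = WERR_DS_DRA_INTERNAL_ERROR;
		goto fail;
	}

	/* use the partition uptodateness vector */
	ret = dsdb_load_udv_v2(ldb, nc_root, sdsa->partition,
			       &sdsa->partition->uptodatevector.cursors,
			       &sdsa->partition->uptodatevector.count);
	if (ret != LDB_SUCCESS) {
		DEBUG(0,(__location__ ": Failed to load UDV for %s\n",
			 ldb_dn_get_linearized(nc_root)));
		werr = WERR_DS_DRA_INTERNAL_ERROR;
		goto fail;
	}

	/*
	 * find the highwatermark from the partitions list
	 *
	 * There is deliberately no break: the loop runs over the whole list,
	 * so a later matching partition overrides an earlier one, exactly as
	 * before.  A failed by-guid lookup simply leaves the highwatermark
	 * and replica_flags at their zeroed defaults.
	 */
	for (p = service->partitions; p; p = p->next) {
		struct dreplsrv_partition_source_dsa *s;
		WERROR lookup;

		if (ldb_dn_compare(p->dn, nc_root) != 0) {
			continue;
		}
		lookup = dreplsrv_partition_source_dsa_by_guid(p,
							       &sdsa->repsFrom1->source_dsa_obj_guid,
							       &s);
		if (W_ERROR_IS_OK(lookup)) {
			sdsa->repsFrom1->highwatermark = s->repsFrom1->highwatermark;
			sdsa->repsFrom1->replica_flags = s->repsFrom1->replica_flags;
		}
	}

	/* only a writable DC asks for writable replication; an RODC must not */
	if (!service->am_rodc) {
		sdsa->repsFrom1->replica_flags |= DRSUAPI_DRS_WRIT_REP;
	}

	*_sdsa = sdsa;
	return WERR_OK;

fail:
	talloc_free(sdsa);
	return werr;
}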