/* Find a domain object in the parents of a particular DN. */
static struct ldb_dn *samldb_search_domain(struct ldb_module *module, TALLOC_CTX *mem_ctx, struct ldb_dn *dn)
{
TALLOC_CTX *local_ctx;
struct ldb_dn *sdn;
struct ldb_result *res = NULL;
int ret = 0;
const char *attrs[] = { NULL };
local_ctx = talloc_new(mem_ctx);
if (local_ctx == NULL) return NULL;
sdn = ldb_dn_copy(local_ctx, dn);
do {
ret = ldb_search(module->ldb, sdn, LDB_SCOPE_BASE,
"(|(objectClass=domain)(objectClass=builtinDomain))", attrs, &res);
if (ret == LDB_SUCCESS) {
talloc_steal(local_ctx, res);
if (res->count == 1) {
break;
}
}
} while ((sdn = ldb_dn_get_parent(local_ctx, sdn)));
if (ret != LDB_SUCCESS || res->count != 1) {
talloc_free(local_ctx);
return NULL;
}
talloc_steal(mem_ctx, sdn);
talloc_free(local_ctx);
return sdn;
}
/*
rename a record
*/
static int lldb_rename(struct lldb_context *lldb_ac)
{
struct ldb_context *ldb;
struct lldb_private *lldb = lldb_ac->lldb;
struct ldb_module *module = lldb_ac->module;
struct ldb_request *req = lldb_ac->req;
const char *rdn_name;
const struct ldb_val *rdn_val;
char *old_dn;
char *newrdn;
char *parentdn;
int ret;
ldb = ldb_module_get_ctx(module);
ldb_request_set_state(req, LDB_ASYNC_PENDING);
old_dn = ldb_dn_alloc_linearized(lldb_ac, req->op.rename.olddn);
if (old_dn == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
rdn_name = ldb_dn_get_rdn_name(req->op.rename.newdn);
rdn_val = ldb_dn_get_rdn_val(req->op.rename.newdn);
if ((rdn_name != NULL) && (rdn_val != NULL)) {
newrdn = talloc_asprintf(lldb_ac, "%s=%s", rdn_name,
rdn_val->length > 0 ? ldb_dn_escape_value(lldb, *rdn_val) : "");
} else {
newrdn = talloc_strdup(lldb_ac, "");
}
if (!newrdn) {
return LDB_ERR_OPERATIONS_ERROR;
}
parentdn = ldb_dn_alloc_linearized(lldb_ac, ldb_dn_get_parent(lldb_ac, req->op.rename.newdn));
if (!parentdn) {
return LDB_ERR_OPERATIONS_ERROR;
}
ret = ldap_rename(lldb->ldap, old_dn, newrdn, parentdn,
1, NULL, NULL,
&lldb_ac->msgid);
if (ret != LDAP_SUCCESS) {
ldb_set_errstring(ldb, ldap_err2string(ret));
}
return lldb_ldap_to_ldb(ret);
}
/*
refresh a RID Set object for the specified DC
also returns the first RID for the new pool
*/
static int ridalloc_refresh_rid_set_ntds(struct ldb_module *module,
struct ldb_dn *rid_manager_dn,
struct ldb_dn *ntds_dn, uint64_t *new_pool)
{
TALLOC_CTX *tmp_ctx = talloc_new(module);
struct ldb_dn *server_dn, *machine_dn, *rid_set_dn;
struct ldb_context *ldb = ldb_module_get_ctx(module);
int ret;
/* grab a pool from the RID Manager object */
ret = ridalloc_rid_manager_allocate(module, rid_manager_dn, new_pool);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
server_dn = ldb_dn_get_parent(tmp_ctx, ntds_dn);
if (!server_dn) {
ldb_module_oom(module);
talloc_free(tmp_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
ret = dsdb_module_reference_dn(module, tmp_ctx, server_dn, "serverReference", &machine_dn);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find serverReference in %s - %s",
ldb_dn_get_linearized(server_dn), ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
ret = dsdb_module_reference_dn(module, tmp_ctx, machine_dn, "rIDSetReferences", &rid_set_dn);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find rIDSetReferences in %s - %s",
ldb_dn_get_linearized(machine_dn), ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
ret = dsdb_module_set_integer(module, rid_set_dn, "rIDAllocationPool", *new_pool);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to modify RID Set object %s - %s",
ldb_dn_get_linearized(rid_set_dn), ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
static int acl_add(struct ldb_module *module, struct ldb_request *req)
{
int ret;
struct ldb_dn *parent = ldb_dn_get_parent(req, req->op.add.message->dn);
struct ldb_context *ldb;
struct ldb_message_element *oc_el;
const struct GUID *guid;
struct object_tree *root = NULL;
struct object_tree *new_node = NULL;
if (what_is_user(module) == SECURITY_SYSTEM) {
return ldb_next_request(module, req);
}
if (ldb_dn_is_special(req->op.add.message->dn)) {
return ldb_next_request(module, req);
}
ldb = ldb_module_get_ctx(module);
/* Creating an NC. There is probably something we should do here,
* but we will establish that later */
if ((ldb_dn_compare(req->op.add.message->dn, (ldb_get_schema_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.add.message->dn, (ldb_get_config_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.add.message->dn, (ldb_get_root_basedn(ldb))) == 0)) {
return ldb_next_request(module, req);
}
oc_el = ldb_msg_find_element(req->op.add.message, "objectClass");
if (!oc_el || oc_el->num_values == 0) {
DEBUG(10,("acl:operation error %s\n", ldb_dn_get_linearized(req->op.add.message->dn)));
return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
}
guid = class_schemaid_guid_by_lDAPDisplayName(dsdb_get_schema(ldb),
(char *)oc_el->values[oc_el->num_values-1].data);
if (!insert_in_object_tree(req, guid, SEC_ADS_CREATE_CHILD, &root, &new_node)) {
return LDB_ERR_OPERATIONS_ERROR;
}
ret = check_access_on_dn(module, req, parent, SEC_ADS_CREATE_CHILD, root);
if (ret != LDB_SUCCESS) {
return ret;
}
return ldb_next_request(module, req);
}
/* similar to the modify for the time being.
* We need to concider the special delete tree case, though - TODO */
static int acl_delete(struct ldb_module *module, struct ldb_request *req)
{
int ret;
struct ldb_dn *parent = ldb_dn_get_parent(req, req->op.del.dn);
struct ldb_context *ldb;
DEBUG(10, ("ldb:acl_delete: %s\n", ldb_dn_get_linearized(req->op.del.dn)));
if (what_is_user(module) == SECURITY_SYSTEM) {
return ldb_next_request(module, req);
}
if (ldb_dn_is_special(req->op.del.dn)) {
return ldb_next_request(module, req);
}
ldb = ldb_module_get_ctx(module);
/* first check if we have delete object right */
ret = check_access_on_dn(module, req, req->op.del.dn, SEC_STD_DELETE, NULL);
if (ret == LDB_SUCCESS) {
return ldb_next_request(module, req);
}
/* Nope, we don't have delete object. Lets check if we have delete child on the parent */
/* No parent, so check fails */
if ((ldb_dn_compare(req->op.del.dn, (ldb_get_schema_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.del.dn, (ldb_get_config_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.del.dn, (ldb_get_root_basedn(ldb))) == 0)) {
DEBUG(10,("acl:deleting an NC\n"));
return ldb_module_done(req, NULL, NULL, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS);
}
ret = check_access_on_dn(module, req, parent, SEC_ADS_DELETE_CHILD, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
return ldb_next_request(module, req);
}
static int acl_rename(struct ldb_module *module, struct ldb_request *req)
{
int ret;
struct ldb_dn *oldparent = ldb_dn_get_parent(req, req->op.rename.olddn);
struct ldb_dn *newparent = ldb_dn_get_parent(req, req->op.rename.newdn);
struct ldb_context *ldb;
struct security_descriptor *sd = NULL;
struct dom_sid *sid = NULL;
struct ldb_result *acl_res;
const struct GUID *guid;
struct object_tree *root = NULL;
struct object_tree *new_node = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(req);
NTSTATUS status;
uint32_t access_granted;
static const char *acl_attrs[] = {
"nTSecurityDescriptor",
"objectClass",
"objectSid",
NULL
};
DEBUG(10, ("ldb:acl_rename: %s\n", ldb_dn_get_linearized(req->op.rename.olddn)));
if (what_is_user(module) == SECURITY_SYSTEM) {
return ldb_next_request(module, req);
}
if (ldb_dn_is_special(req->op.rename.olddn)) {
return ldb_next_request(module, req);
}
ldb = ldb_module_get_ctx(module);
/* TODO search to include deleted objects */
ret = ldb_search(ldb, req, &acl_res, req->op.rename.olddn,
LDB_SCOPE_BASE, acl_attrs, NULL);
/* we sould be able to find the parent */
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl: failed to find object %s\n",
ldb_dn_get_linearized(req->op.rename.olddn)));
return ret;
}
guid = get_oc_guid_from_message(module,acl_res->msgs[0]);
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&root, &new_node)) {
return LDB_ERR_OPERATIONS_ERROR;
};
guid = attribute_schemaid_guid_by_lDAPDisplayName(dsdb_get_schema(ldb),
"name");
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&new_node, &new_node)) {
return LDB_ERR_OPERATIONS_ERROR;
};
ret = get_sd_from_ldb_message(req, acl_res->msgs[0], &sd);
if (ret != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* Theoretically we pass the check if the object has no sd */
if (!sd) {
return LDB_SUCCESS;
}
ret = get_dom_sid_from_ldb_message(req, acl_res->msgs[0], &sid);
if (ret != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
status = sec_access_check_ds(sd, acl_user_token(module),
SEC_ADS_WRITE_PROP,
&access_granted,
root,
sid);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("Object %s nas no wp on name\n",
ldb_dn_get_linearized(req->op.rename.olddn)));
acl_debug(sd,
acl_user_token(module),
req->op.rename.olddn,
true,
10);
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
}
if (ldb_dn_compare(oldparent, newparent) == 0) {
/* regular rename, not move, nothing more to do */
return ldb_next_request(module, req);
}
/* What exactly to do in this case? It would fail anyway.. */
if ((ldb_dn_compare(req->op.rename.newdn, (ldb_get_schema_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.rename.newdn, (ldb_get_config_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.rename.newdn, (ldb_get_root_basedn(ldb))) == 0)) {
DEBUG(10,("acl:moving as an NC\n"));
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
}
/* new parent should have create child */
talloc_free(tmp_ctx);
tmp_ctx = talloc_new(req);
root = NULL;
new_node = NULL;
guid = get_oc_guid_from_message(module,acl_res->msgs[0]);
if (!guid) {
DEBUG(10,("acl:renamed object has no object class\n"));
return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
}
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_CREATE_CHILD,
&root, &new_node)) {
return LDB_ERR_OPERATIONS_ERROR;
}
ret = check_access_on_dn(module, req, newparent, SEC_ADS_CREATE_CHILD, root);
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
return ret;
}
/* do we have delete object on the object? */
status = sec_access_check_ds(sd, acl_user_token(module),
SEC_STD_DELETE,
&access_granted,
NULL,
sid);
if (NT_STATUS_IS_OK(status)) {
return ldb_next_request(module, req);
}
/* what about delete child on the current parent */
ret = check_access_on_dn(module, req, oldparent, SEC_ADS_DELETE_CHILD, NULL);
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
return ldb_module_done(req, NULL, NULL, ret);
}
return ldb_next_request(module, req);
}
/*
see if we are on the last pool we have
*/
static int drepl_ridalloc_pool_exhausted(struct ldb_context *ldb,
bool *exhausted,
uint64_t *_alloc_pool)
{
struct ldb_dn *server_dn, *machine_dn, *rid_set_dn;
TALLOC_CTX *tmp_ctx = talloc_new(ldb);
uint64_t alloc_pool;
uint64_t prev_pool;
uint32_t prev_pool_lo, prev_pool_hi;
uint32_t next_rid;
static const char * const attrs[] = {
"rIDAllocationPool",
"rIDPreviousAllocationPool",
"rIDNextRid",
NULL
};
int ret;
struct ldb_result *res;
*exhausted = false;
*_alloc_pool = UINT64_MAX;
server_dn = ldb_dn_get_parent(tmp_ctx, samdb_ntds_settings_dn(ldb));
if (!server_dn) {
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
ret = samdb_reference_dn(ldb, tmp_ctx, server_dn, "serverReference", &machine_dn);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to find serverReference in %s - %s\n",
ldb_dn_get_linearized(server_dn), ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return ret;
}
ret = samdb_reference_dn(ldb, tmp_ctx, machine_dn, "rIDSetReferences", &rid_set_dn);
if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
*exhausted = true;
*_alloc_pool = 0;
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to find rIDSetReferences in %s - %s\n",
ldb_dn_get_linearized(machine_dn), ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return ret;
}
ret = ldb_search(ldb, tmp_ctx, &res, rid_set_dn, LDB_SCOPE_BASE, attrs, NULL);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to load RID Set attrs from %s - %s\n",
ldb_dn_get_linearized(rid_set_dn), ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return ret;
}
alloc_pool = ldb_msg_find_attr_as_uint64(res->msgs[0], "rIDAllocationPool", 0);
prev_pool = ldb_msg_find_attr_as_uint64(res->msgs[0], "rIDPreviousAllocationPool", 0);
prev_pool_lo = prev_pool & 0xFFFFFFFF;
prev_pool_hi = prev_pool >> 32;
next_rid = ldb_msg_find_attr_as_uint(res->msgs[0], "rIDNextRid", 0);
if (alloc_pool != prev_pool) {
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
if (next_rid < (prev_pool_hi + prev_pool_lo)/2) {
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
*exhausted = true;
*_alloc_pool = alloc_pool;
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/*
construct the parent GUID for an entry from a message
*/
static int construct_parent_guid(struct ldb_module *module,
struct ldb_message *msg, enum ldb_scope scope,
struct ldb_request *parent)
{
struct ldb_result *res, *parent_res;
const struct ldb_val *parent_guid;
const char *attrs[] = { "instanceType", NULL };
const char *attrs2[] = { "objectGUID", NULL };
uint32_t instanceType;
int ret;
struct ldb_dn *parent_dn;
struct ldb_val v;
/* determine if the object is NC by instance type */
ret = dsdb_module_search_dn(module, msg, &res, msg->dn, attrs,
DSDB_FLAG_NEXT_MODULE |
DSDB_SEARCH_SHOW_RECYCLED, parent);
if (ret != LDB_SUCCESS) {
return ret;
}
instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
"instanceType", 0);
talloc_free(res);
if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
DEBUG(4,(__location__ ": Object %s is NC\n",
ldb_dn_get_linearized(msg->dn)));
return LDB_SUCCESS;
}
parent_dn = ldb_dn_get_parent(msg, msg->dn);
if (parent_dn == NULL) {
DEBUG(4,(__location__ ": Failed to find parent for dn %s\n",
ldb_dn_get_linearized(msg->dn)));
return LDB_SUCCESS;
}
ret = dsdb_module_search_dn(module, msg, &parent_res, parent_dn, attrs2,
DSDB_FLAG_NEXT_MODULE |
DSDB_SEARCH_SHOW_RECYCLED, parent);
talloc_free(parent_dn);
/* not NC, so the object should have a parent*/
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
return ldb_error(ldb_module_get_ctx(module), LDB_ERR_OPERATIONS_ERROR,
talloc_asprintf(msg, "Parent dn for %s does not exist",
ldb_dn_get_linearized(msg->dn)));
} else if (ret != LDB_SUCCESS) {
return ret;
}
parent_guid = ldb_msg_find_ldb_val(parent_res->msgs[0], "objectGUID");
if (!parent_guid) {
talloc_free(parent_res);
return LDB_SUCCESS;
}
v = data_blob_dup_talloc(parent_res, *parent_guid);
if (!v.data) {
talloc_free(parent_res);
return ldb_oom(ldb_module_get_ctx(module));
}
ret = ldb_msg_add_steal_value(msg, "parentGUID", &v);
talloc_free(parent_res);
return ret;
}
/*
called by DSDB_EXTENDED_ALLOCATE_RID_POOL extended operation in samldb
*/
int ridalloc_allocate_rid_pool_fsmo(struct ldb_module *module, struct dsdb_fsmo_extended_op *exop,
struct ldb_request *parent)
{
struct ldb_dn *ntds_dn, *server_dn, *machine_dn, *rid_set_dn;
struct ldb_dn *rid_manager_dn;
TALLOC_CTX *tmp_ctx = talloc_new(module);
int ret;
struct ldb_context *ldb = ldb_module_get_ctx(module);
struct ldb_result *res;
struct ldb_message *msg;
struct ridalloc_ridset_values oridset, nridset;
ret = dsdb_module_dn_by_guid(module, tmp_ctx, &exop->destination_dsa_guid, &ntds_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, __location__ ": Unable to find NTDS object for guid %s - %s\n",
GUID_string(tmp_ctx, &exop->destination_dsa_guid), ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
server_dn = ldb_dn_get_parent(tmp_ctx, ntds_dn);
if (!server_dn) {
talloc_free(tmp_ctx);
return ldb_module_oom(module);
}
ret = dsdb_module_reference_dn(module, tmp_ctx, server_dn, "serverReference", &machine_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, __location__ ": Failed to find serverReference in %s - %s",
ldb_dn_get_linearized(server_dn), ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
ret = dsdb_module_rid_manager_dn(module, tmp_ctx, &rid_manager_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, __location__ ": Failed to find RID Manager object - %s",
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
ret = dsdb_module_reference_dn(module, tmp_ctx, machine_dn, "rIDSetReferences", &rid_set_dn, parent);
if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
ret = ridalloc_create_rid_set_ntds(module, tmp_ctx, rid_manager_dn, ntds_dn, &rid_set_dn, parent);
talloc_free(tmp_ctx);
return ret;
}
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find rIDSetReferences in %s - %s",
ldb_dn_get_linearized(machine_dn), ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
ret = dsdb_module_search_dn(module, tmp_ctx, &res, rid_set_dn,
ridalloc_ridset_attrs, DSDB_FLAG_NEXT_MODULE, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, __location__ ": No RID Set %s",
ldb_dn_get_linearized(rid_set_dn));
talloc_free(tmp_ctx);
return ret;
}
ridalloc_get_ridset_values(res->msgs[0], &oridset);
if (oridset.alloc_pool == UINT64_MAX) {
ldb_asprintf_errstring(ldb, __location__ ": Bad RID Set %s",
ldb_dn_get_linearized(rid_set_dn));
talloc_free(tmp_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
nridset = oridset;
if (exop->fsmo_info != 0) {
if (nridset.alloc_pool != exop->fsmo_info) {
/* it has already been updated */
DEBUG(2,(__location__ ": rIDAllocationPool fsmo_info mismatch - already changed (0x%llx 0x%llx)\n",
(unsigned long long)exop->fsmo_info,
(unsigned long long)nridset.alloc_pool));
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
}
/* grab a pool from the RID Manager object */
ret = ridalloc_rid_manager_allocate(module, rid_manager_dn, &nridset.alloc_pool, parent);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/*
* update the values
*/
msg = ldb_msg_new(tmp_ctx);
if (msg == NULL) {
return ldb_module_oom(module);
}
msg->dn = rid_set_dn;
ret = ridalloc_set_ridset_values(module, msg,
&oridset, &nridset);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to modify RID Set object %s - %s",
ldb_dn_get_linearized(rid_set_dn), ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/*
create a RID Set object for the specified DC
*/
static int ridalloc_create_rid_set_ntds(struct ldb_module *module, TALLOC_CTX *mem_ctx,
struct ldb_dn *rid_manager_dn,
struct ldb_dn *ntds_dn, struct ldb_dn **dn,
struct ldb_request *parent)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
struct ldb_dn *server_dn, *machine_dn, *rid_set_dn;
int ret;
struct ldb_message *msg;
struct ldb_context *ldb = ldb_module_get_ctx(module);
static const struct ridalloc_ridset_values o = {
.alloc_pool = UINT64_MAX,
.prev_pool = UINT64_MAX,
.next_rid = UINT32_MAX,
.used_pool = UINT32_MAX,
};
struct ridalloc_ridset_values n = {
.alloc_pool = 0,
.prev_pool = 0,
.next_rid = 0,
.used_pool = 0,
};
/*
steps:
find the machine object for the DC
construct the RID Set DN
load rIDAvailablePool to find next available set
modify RID Manager object to update rIDAvailablePool
add the RID Set object
link to the RID Set object in machine object
*/
server_dn = ldb_dn_get_parent(tmp_ctx, ntds_dn);
if (!server_dn) {
talloc_free(tmp_ctx);
return ldb_module_oom(module);
}
ret = dsdb_module_reference_dn(module, tmp_ctx, server_dn, "serverReference", &machine_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find serverReference in %s - %s",
ldb_dn_get_linearized(server_dn), ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
rid_set_dn = ldb_dn_copy(tmp_ctx, machine_dn);
if (rid_set_dn == NULL) {
talloc_free(tmp_ctx);
return ldb_module_oom(module);
}
if (! ldb_dn_add_child_fmt(rid_set_dn, "CN=RID Set")) {
talloc_free(tmp_ctx);
return ldb_module_oom(module);
}
/* grab a pool from the RID Manager object */
ret = ridalloc_rid_manager_allocate(module, rid_manager_dn, &n.alloc_pool, parent);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/* create the RID Set object */
msg = ldb_msg_new(tmp_ctx);
msg->dn = rid_set_dn;
ret = ldb_msg_add_string(msg, "objectClass", "rIDSet");
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = ridalloc_set_ridset_values(module, msg, &o, &n);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/* we need this to go all the way to the top of the module
* stack, as we need all the extra attributes added (including
* complex ones like ntsecuritydescriptor) */
ret = dsdb_module_add(module, msg, DSDB_FLAG_TOP_MODULE | DSDB_MODIFY_RELAX, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to add RID Set %s - %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
/* add the rIDSetReferences link */
msg = ldb_msg_new(tmp_ctx);
msg->dn = machine_dn;
ret = ldb_msg_add_string(msg, "rIDSetReferences", ldb_dn_get_linearized(rid_set_dn));
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
msg->elements[0].flags = LDB_FLAG_MOD_ADD;
ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to add rIDSetReferences to %s - %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
(*dn) = talloc_steal(mem_ctx, rid_set_dn);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/*
create a RID Set object for this DC
*/
static int ridalloc_create_own_rid_set(struct ldb_module *module, TALLOC_CTX *mem_ctx,
struct ldb_dn **dn, struct ldb_request *parent)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
struct ldb_dn *rid_manager_dn, *fsmo_role_dn;
int ret;
struct ldb_context *ldb = ldb_module_get_ctx(module);
/* work out who is the RID Manager */
ret = dsdb_module_rid_manager_dn(module, tmp_ctx, &rid_manager_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find RID Manager object - %s",
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
/* find the DN of the RID Manager */
ret = dsdb_module_reference_dn(module, tmp_ctx, rid_manager_dn, "fSMORoleOwner", &fsmo_role_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find fSMORoleOwner in RID Manager object - %s",
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), fsmo_role_dn) != 0) {
ridalloc_poke_rid_manager(module);
ldb_asprintf_errstring(ldb, "Remote RID Set allocation needs refresh");
talloc_free(tmp_ctx);
return LDB_ERR_UNWILLING_TO_PERFORM;
}
ret = ridalloc_create_rid_set_ntds(module, mem_ctx, rid_manager_dn, fsmo_role_dn, dn, parent);
talloc_free(tmp_ctx);
return ret;
}
/*
create a RID Set object for the specified DC
*/
static int ridalloc_create_rid_set_ntds(struct ldb_module *module, TALLOC_CTX *mem_ctx,
struct ldb_dn *rid_manager_dn,
struct ldb_dn *ntds_dn, struct ldb_dn **dn)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
struct ldb_dn *server_dn, *machine_dn, *rid_set_dn;
int ret;
uint64_t dc_pool;
struct ldb_message *msg;
struct ldb_context *ldb = ldb_module_get_ctx(module);
/*
steps:
find the machine object for the DC
construct the RID Set DN
load rIDAvailablePool to find next available set
modify RID Manager object to update rIDAvailablePool
add the RID Set object
link to the RID Set object in machine object
*/
server_dn = ldb_dn_get_parent(tmp_ctx, ntds_dn);
if (!server_dn) {
ldb_module_oom(module);
talloc_free(tmp_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
ret = dsdb_module_reference_dn(module, tmp_ctx, server_dn, "serverReference", &machine_dn);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find serverReference in %s - %s",
ldb_dn_get_linearized(server_dn), ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
rid_set_dn = ldb_dn_copy(tmp_ctx, machine_dn);
if (rid_set_dn == NULL) {
ldb_module_oom(module);
return LDB_ERR_OPERATIONS_ERROR;
}
if (! ldb_dn_add_child_fmt(rid_set_dn, "CN=RID Set")) {
ldb_module_oom(module);
return LDB_ERR_OPERATIONS_ERROR;
}
/* grab a pool from the RID Manager object */
ret = ridalloc_rid_manager_allocate(module, rid_manager_dn, &dc_pool);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/* create the RID Set object */
msg = ldb_msg_new(tmp_ctx);
msg->dn = rid_set_dn;
ret = ldb_msg_add_string(msg, "objectClass", "rIDSet");
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = ldb_msg_add_fmt(msg, "rIDAllocationPool", "%llu", (unsigned long long)dc_pool);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/* w2k8-r2 sets these to zero when first created */
ret = ldb_msg_add_fmt(msg, "rIDPreviousAllocationPool", "0");
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = ldb_msg_add_fmt(msg, "rIDUsedPool", "0");
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = ldb_msg_add_fmt(msg, "rIDNextRID", "0");
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/* we need this to go all the way to the top of the module
* stack, as we need all the extra attributes added (including
* complex ones like ntsecuritydescriptor) */
ret = dsdb_module_add(module, msg, DSDB_FLAG_TOP_MODULE | DSDB_MODIFY_RELAX);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to add RID Set %s - %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
/* add the rIDSetReferences link */
msg = ldb_msg_new(tmp_ctx);
msg->dn = machine_dn;
ret = ldb_msg_add_string(msg, "rIDSetReferences", ldb_dn_get_linearized(rid_set_dn));
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
msg->elements[0].flags = LDB_FLAG_MOD_ADD;
ret = dsdb_module_modify(module, msg, 0);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to add rIDSetReferences to %s - %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
(*dn) = talloc_steal(mem_ctx, rid_set_dn);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/*
create a RID Set object for the specified DC
*/
static int ridalloc_create_rid_set_ntds(struct ldb_module *module, TALLOC_CTX *mem_ctx,
struct ldb_dn *rid_manager_dn,
struct ldb_dn *ntds_dn, struct ldb_dn **dn,
struct ldb_request *parent)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
struct ldb_dn *server_dn, *machine_dn, *rid_set_dn;
int ret;
struct ldb_message *msg;
struct ldb_context *ldb = ldb_module_get_ctx(module);
static const struct ridalloc_ridset_values o = {
.alloc_pool = UINT64_MAX,
.prev_pool = UINT64_MAX,
.next_rid = UINT32_MAX,
.used_pool = UINT32_MAX,
};
struct ridalloc_ridset_values n = {
.alloc_pool = 0,
.prev_pool = 0,
.next_rid = 0,
.used_pool = 0,
};
const char *no_attrs[] = { NULL };
struct ldb_result *res;
/*
steps:
find the machine object for the DC
construct the RID Set DN
load rIDAvailablePool to find next available set
modify RID Manager object to update rIDAvailablePool
add the RID Set object
link to the RID Set object in machine object
*/
server_dn = ldb_dn_get_parent(tmp_ctx, ntds_dn);
if (!server_dn) {
talloc_free(tmp_ctx);
return ldb_module_oom(module);
}
ret = dsdb_module_reference_dn(module, tmp_ctx, server_dn, "serverReference", &machine_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find serverReference in %s - %s",
ldb_dn_get_linearized(server_dn), ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
rid_set_dn = ldb_dn_copy(tmp_ctx, machine_dn);
if (rid_set_dn == NULL) {
talloc_free(tmp_ctx);
return ldb_module_oom(module);
}
if (! ldb_dn_add_child_fmt(rid_set_dn, "CN=RID Set")) {
talloc_free(tmp_ctx);
return ldb_module_oom(module);
}
/* grab a pool from the RID Manager object */
ret = ridalloc_rid_manager_allocate(module, rid_manager_dn, &n.alloc_pool, parent);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/* create the RID Set object */
msg = ldb_msg_new(tmp_ctx);
msg->dn = rid_set_dn;
ret = ldb_msg_add_string(msg, "objectClass", "rIDSet");
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = ridalloc_set_ridset_values(module, msg, &o, &n);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/* we need this to go all the way to the top of the module
* stack, as we need all the extra attributes added (including
* complex ones like ntsecuritydescriptor). We must do this
* as system, otherwise a user might end up owning the RID
* set, and that would be bad... */
ret = dsdb_module_add(module, msg,
DSDB_FLAG_TOP_MODULE | DSDB_FLAG_AS_SYSTEM
| DSDB_MODIFY_RELAX, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to add RID Set %s - %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
/* add the rIDSetReferences link */
msg = ldb_msg_new(tmp_ctx);
msg->dn = machine_dn;
/* we need the extended DN of the RID Set object for
* rIDSetReferences */
ret = dsdb_module_search_dn(module, msg, &res, rid_set_dn, no_attrs,
DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find extended DN of RID Set %s - %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
rid_set_dn = res->msgs[0]->dn;
ret = ldb_msg_add_string(msg, "rIDSetReferences", ldb_dn_get_extended_linearized(msg, rid_set_dn, 1));
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
msg->elements[0].flags = LDB_FLAG_MOD_ADD;
ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to add rIDSetReferences to %s - %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
(*dn) = talloc_steal(mem_ctx, rid_set_dn);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/*
create a RID Set object for this DC
*/
int ridalloc_create_own_rid_set(struct ldb_module *module, TALLOC_CTX *mem_ctx,
struct ldb_dn **dn, struct ldb_request *parent)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
struct ldb_dn *rid_manager_dn, *fsmo_role_dn;
int ret;
struct ldb_context *ldb = ldb_module_get_ctx(module);
struct GUID fsmo_role_guid;
const struct GUID *our_ntds_guid;
NTSTATUS status;
/* work out who is the RID Manager */
ret = dsdb_module_rid_manager_dn(module, tmp_ctx, &rid_manager_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find RID Manager object - %s",
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
/* find the DN of the RID Manager */
ret = dsdb_module_reference_dn(module, tmp_ctx, rid_manager_dn, "fSMORoleOwner", &fsmo_role_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find fSMORoleOwner in RID Manager object - %s",
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
status = dsdb_get_extended_dn_guid(fsmo_role_dn, &fsmo_role_guid, "GUID");
if (!NT_STATUS_IS_OK(status)) {
talloc_free(tmp_ctx);
return ldb_operr(ldb_module_get_ctx(module));
}
our_ntds_guid = samdb_ntds_objectGUID(ldb_module_get_ctx(module));
if (!our_ntds_guid) {
talloc_free(tmp_ctx);
return ldb_operr(ldb_module_get_ctx(module));
}
if (!GUID_equal(&fsmo_role_guid, our_ntds_guid)) {
ret = ridalloc_poke_rid_manager(module);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb,
"Request for remote creation of "
"RID Set for this DC failed: %s",
ldb_errstring(ldb));
} else {
ldb_asprintf_errstring(ldb,
"Remote RID Set creation needed");
}
talloc_free(tmp_ctx);
return LDB_ERR_UNWILLING_TO_PERFORM;
}
ret = ridalloc_create_rid_set_ntds(module, mem_ctx, rid_manager_dn, fsmo_role_dn, dn, parent);
talloc_free(tmp_ctx);
return ret;
}
static int parse_members(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
struct sss_domain_info *domain,
struct ldb_message_element *el,
const char *parent_name,
const char ***user_members,
const char ***group_members,
int *num_group_members)
{
struct ldb_dn *user_basedn = NULL, *group_basedn = NULL;
struct ldb_dn *parent_dn = NULL;
struct ldb_dn *dn = NULL;
const char **um = NULL, **gm = NULL;
unsigned int um_index = 0, gm_index = 0;
TALLOC_CTX *tmp_ctx = NULL;
int ret;
int i;
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
ret = ENOMEM;
goto fail;
}
user_basedn = sysdb_user_base_dn(tmp_ctx, domain);
group_basedn = sysdb_group_base_dn(tmp_ctx, domain);
if (!user_basedn || !group_basedn) {
ret = ENOMEM;
goto fail;
}
um = talloc_array(mem_ctx, const char *, el->num_values+1);
gm = talloc_array(mem_ctx, const char *, el->num_values+1);
if (!um || !gm) {
ret = ENOMEM;
goto fail;
}
for (i = 0; i< el->num_values; ++i) {
dn = ldb_dn_from_ldb_val(tmp_ctx, ldb, &(el->values[i]));
/* user member or group member? */
parent_dn = ldb_dn_get_parent(tmp_ctx, dn);
if (ldb_dn_compare_base(parent_dn, user_basedn) == 0) {
um[um_index] = rdn_as_string(mem_ctx, dn);
if (um[um_index] == NULL) {
ret = ENOMEM;
goto fail;
}
DEBUG(SSSDBG_TRACE_FUNC, "User member %s\n", um[um_index]);
um_index++;
} else if (ldb_dn_compare_base(parent_dn, group_basedn) == 0) {
gm[gm_index] = rdn_as_string(mem_ctx, dn);
if (gm[gm_index] == NULL) {
ret = ENOMEM;
goto fail;
}
if (parent_name && strcmp(gm[gm_index], parent_name) == 0) {
DEBUG(SSSDBG_TRACE_FUNC,
"Skipping circular nesting for group %s\n",
gm[gm_index]);
continue;
}
DEBUG(SSSDBG_TRACE_FUNC, "Group member %s\n", gm[gm_index]);
gm_index++;
} else {
DEBUG(SSSDBG_OP_FAILURE, "Group member not a user nor group: %s\n",
ldb_dn_get_linearized(dn));
ret = EIO;
goto fail;
}
talloc_zfree(dn);
talloc_zfree(parent_dn);
}
um[um_index] = NULL;
gm[gm_index] = NULL;
if (um_index > 0) {
um = talloc_realloc(mem_ctx, um, const char *, um_index+1);
if (!um) {
ret = ENOMEM;
goto fail;
}
} else {
