DWORD VmDirCreateTransientSecurityDescriptor( BOOLEAN bAllowAnonymousRead, PVMDIR_SECURITY_DESCRIPTOR pvsd ) { DWORD dwError = 0; PSTR pszDomainDN = NULL; PSTR pszAdminsGroupSid = NULL; PSTR pszDomainAdminsGroupSid = NULL; VMDIR_SECURITY_DESCRIPTOR SecDesc = {0}; pszDomainDN = BERVAL_NORM_VAL(gVmdirServerGlobals.systemDomainDN); dwError = VmDirGenerateWellknownSid( pszDomainDN, VMDIR_DOMAIN_ALIAS_RID_ADMINS, &pszAdminsGroupSid); BAIL_ON_VMDIR_ERROR(dwError); dwError = VmDirGenerateWellknownSid( pszDomainDN, VMDIR_DOMAIN_ADMINS_RID, &pszDomainAdminsGroupSid); BAIL_ON_VMDIR_ERROR(dwError); // Create default security descriptor for internally-created entries. dwError = VmDirSrvCreateSecurityDescriptor( VMDIR_ENTRY_ALL_ACCESS_NO_DELETE_CHILD_BUT_DELETE_OBJECT, BERVAL_NORM_VAL(gVmdirServerGlobals.bvDefaultAdminDN), pszAdminsGroupSid, pszDomainAdminsGroupSid, FALSE, bAllowAnonymousRead, bAllowAnonymousRead, FALSE, FALSE, &SecDesc); BAIL_ON_VMDIR_ERROR(dwError); pvsd->pSecDesc = SecDesc.pSecDesc; pvsd->ulSecDesc = SecDesc.ulSecDesc; pvsd->SecInfo = SecDesc.SecInfo; cleanup: VMDIR_SAFE_FREE_STRINGA(pszAdminsGroupSid); VMDIR_SAFE_FREE_STRINGA(pszDomainAdminsGroupSid); return dwError; error: goto cleanup; }
static DWORD VmDirSrvSetupDomainInstance( PVDIR_SCHEMA_CTX pSchemaCtx, BOOLEAN bSetupHost, BOOLEAN bFirstNodeBootstrap, PCSTR pszFQDomainName, PCSTR pszDomainDN, PCSTR pszUsername, PCSTR pszPassword ) { DWORD dwError = 0; PCSTR pszUsersContainerName = "Users"; PCSTR pszBuiltInContainerName = "Builtin"; PCSTR pszFSPsContainerName = FSP_CONTAINER_RDN_ATTR_VALUE; PCSTR pszBuiltInUsersGroupName = "Users"; PCSTR pszBuiltInAdministratorsGroupName = "Administrators"; PSTR pszUsersContainerDN = NULL; // CN=Users,<domain DN> PSTR pszBuiltInContainerDN = NULL; // CN=BuiltIn,<domain DN> PSTR pszFSPsContainerDN = NULL; // CN=ForeignSecurityPrincipals,<domain DN> PSTR pszUserDN = NULL; PSTR pszBuiltInUsersGroupDN = NULL; PSTR pszBuiltInAdministratorsGroupDN = NULL; PSTR pszDefaultPasswdLockoutPolicyDN = NULL; PSTR pszDCGroupDN = NULL; PSTR pszDCClientGroupDN = NULL; PSTR pszCertGroupDN = NULL; PSTR pszTenantRealmName = NULL; PSECURITY_DESCRIPTOR_RELATIVE pSecDescRel = NULL; ULONG ulSecDescRel = 0; SECURITY_INFORMATION SecInfo = 0; PSTR pszAdminSid = NULL; PSTR pszBuiltInUsersGroupSid = NULL; PSTR pszAdminsGroupSid = NULL; PSTR pszAdminUserKrbUPN = NULL; int i = 0; int startOfRdnInd = 0; // Create host/tenant domain dwError = VmDirSrvCreateDomain(pSchemaCtx, bSetupHost, pszDomainDN); BAIL_ON_VMDIR_ERROR(dwError); // Create Users container dwError = VmDirSrvCreateDN( pszUsersContainerName, pszDomainDN, &pszUsersContainerDN); BAIL_ON_VMDIR_ERROR(dwError); dwError = VmDirSrvCreateContainer( pSchemaCtx, pszUsersContainerDN, pszUsersContainerName); BAIL_ON_VMDIR_ERROR(dwError); // Create Builtin container dwError = VmDirSrvCreateDN( pszBuiltInContainerName, pszDomainDN, &pszBuiltInContainerDN); BAIL_ON_VMDIR_ERROR(dwError); dwError = VmDirSrvCreateBuiltinContainer( pSchemaCtx, pszBuiltInContainerDN, pszBuiltInContainerName ); BAIL_ON_VMDIR_ERROR(dwError); // Create ForeignSecurityPrincipals container dwError = VmDirSrvCreateDN( pszFSPsContainerName, pszDomainDN, &pszFSPsContainerDN); BAIL_ON_VMDIR_ERROR(dwError); dwError = VmDirSrvCreateContainer( pSchemaCtx, pszFSPsContainerDN, pszFSPsContainerName); BAIL_ON_VMDIR_ERROR(dwError); if (bSetupHost) { // only do this for the very first node startup. if (bFirstNodeBootstrap) { dwError = VmDirSrvInitKrb(pSchemaCtx, pszFQDomainName, pszDomainDN); BAIL_ON_VMDIR_ERROR(dwError); // prepare administrator krb UPN for the very first node dwError = VmDirAllocateStringAVsnprintf( &pszAdminUserKrbUPN, "%s@%s", pszUsername, gVmdirKrbGlobals.pszRealm); BAIL_ON_VMDIR_ERROR(dwError); } } else { // setup tenant scenario. // Though we only support system domain kdc, we need UPN for SRP to function. dwError = VmDirKrbRealmNameNormalize(pszFQDomainName, &pszTenantRealmName); BAIL_ON_VMDIR_ERROR(dwError); dwError = VmDirAllocateStringAVsnprintf( &pszAdminUserKrbUPN, "%s@%s", pszUsername, pszTenantRealmName); BAIL_ON_VMDIR_ERROR(dwError); } // Create Admin user dwError = VmDirSrvCreateUserDN( pszUsername, pszUsersContainerDN, &pszUserDN); BAIL_ON_VMDIR_ERROR(dwError); dwError = VmDirGenerateWellknownSid(pszDomainDN, VMDIR_DOMAIN_USER_RID_ADMIN, &pszAdminSid); BAIL_ON_VMDIR_ERROR(dwError); dwError = VmDirSrvCreateUser( pSchemaCtx, (bSetupHost && bFirstNodeBootstrap) ? DEFAULT_ADMINISTRATOR_ENTRY_ID : 0, pszUsername, pszUsername, pszFQDomainName, pszUsername, pszPassword, pszUserDN, pszAdminSid, pszAdminUserKrbUPN); BAIL_ON_VMDIR_ERROR(dwError); dwError = VmDirSetAdministratorPasswordNeverExpires(); BAIL_ON_VMDIR_ERROR(dwError); // Create BuiltInUsers group dwError = VmDirAllocateStringAVsnprintf( &pszBuiltInUsersGroupDN, "cn=%s,%s", pszBuiltInUsersGroupName, pszBuiltInContainerDN); BAIL_ON_VMDIR_ERROR(dwError); dwError = VmDirGenerateWellknownSid(pszDomainDN, VMDIR_DOMAIN_ALIAS_RID_USERS, &pszBuiltInUsersGroupSid); BAIL_ON_VMDIR_ERROR(dwError); // // Create the user group for tenant setup or for first host setup. // if (bSetupHost == FALSE || bFirstNodeBootstrap == TRUE) { dwError = VmDirSrvCreateBuiltInUsersGroup( pSchemaCtx, pszBuiltInUsersGroupName, pszBuiltInUsersGroupDN, pszUserDN, pszBuiltInUsersGroupSid); BAIL_ON_VMDIR_ERROR(dwError); } // Create BuiltInAdministrators group dwError = VmDirAllocateStringAVsnprintf( &pszBuiltInAdministratorsGroupDN, "cn=%s,%s", pszBuiltInAdministratorsGroupName, pszBuiltInContainerDN); BAIL_ON_VMDIR_ERROR(dwError); dwError = VmDirGenerateWellknownSid(pszDomainDN, VMDIR_DOMAIN_ALIAS_RID_ADMINS, &pszAdminsGroupSid); BAIL_ON_VMDIR_ERROR(dwError); // // Create the admin group for tenant setup or for first host setup. // if (bSetupHost == FALSE || bFirstNodeBootstrap == TRUE) { dwError = VmDirSrvCreateBuiltInAdminGroup( pSchemaCtx, pszBuiltInAdministratorsGroupName, pszBuiltInAdministratorsGroupDN, pszUserDN, pszAdminsGroupSid ); BAIL_ON_VMDIR_ERROR(dwError); } // // Create DCadmins/DCClients/CERTAdmins groups only for the very first // host setup. // if ( bSetupHost && bFirstNodeBootstrap ) { // create DCAdmins Group dwError = VmDirAllocateStringAVsnprintf( &pszDCGroupDN, "cn=%s,%s", VMDIR_DC_GROUP_NAME, pszBuiltInContainerDN); BAIL_ON_VMDIR_ERROR(dwError); dwError = _VmDirSrvCreateBuiltInGroup( pSchemaCtx, VMDIR_DC_GROUP_NAME, pszDCGroupDN); BAIL_ON_VMDIR_ERROR(dwError); // create DCClients Group dwError = VmDirAllocateStringAVsnprintf( &pszDCClientGroupDN, "cn=%s,%s", VMDIR_DCCLIENT_GROUP_NAME, pszBuiltInContainerDN); BAIL_ON_VMDIR_ERROR(dwError); dwError = _VmDirSrvCreateBuiltInGroup( pSchemaCtx, VMDIR_DCCLIENT_GROUP_NAME, pszDCClientGroupDN); BAIL_ON_VMDIR_ERROR(dwError); // create CertAdmins Group dwError = VmDirAllocateStringAVsnprintf( &pszCertGroupDN, "cn=%s,%s", VMDIR_CERT_GROUP_NAME, pszBuiltInContainerDN); BAIL_ON_VMDIR_ERROR(dwError); dwError = _VmDirSrvCreateBuiltInCertGroup( pSchemaCtx, VMDIR_CERT_GROUP_NAME, pszCertGroupDN, pszUserDN, // member: default administrator pszDCGroupDN, // member: DCAdmins group pszDCClientGroupDN); // member: DCClients group BAIL_ON_VMDIR_ERROR(dwError); } // Set up SD for the entries created during instance set up // Default allows administrator VMDIR_ENTRY_ALL_ACCESS, // oneself VMDIR_ENTRY_GENERIC_WRITE dwError = VmDirSrvCreateDefaultSecDescRel( pszUserDN, pszAdminsGroupSid, &pSecDescRel, &ulSecDescRel, &SecInfo); BAIL_ON_VMDIR_ERROR(dwError); // add the same sd for all the objects created during instance set-up // Set SD for the Domain objects for (i = (int) VmDirStringLenA(pszDomainDN) - 1; i >= 0; i-- ) { if (i == 0 || pszDomainDN[i] == RDN_SEPARATOR_CHAR) { startOfRdnInd = (i == 0) ? 0 : i + 1 /* for , */; dwError = VmDirSetSecurityDescriptorForDn( (PSTR)pszDomainDN + startOfRdnInd, SecInfo, pSecDescRel, ulSecDescRel); BAIL_ON_VMDIR_ERROR(dwError); } } dwError = VmDirSetSecurityDescriptorForDn( (PSTR)pszDomainDN, SecInfo, pSecDescRel, ulSecDescRel); BAIL_ON_VMDIR_ERROR(dwError); // Set SD for the administrator object dwError = VmDirSetSecurityDescriptorForDn( pszUserDN, SecInfo, pSecDescRel, ulSecDescRel); BAIL_ON_VMDIR_ERROR(dwError); // Set SD for Users container dwError = VmDirSetSecurityDescriptorForDn( pszUsersContainerDN, SecInfo, pSecDescRel, ulSecDescRel); BAIL_ON_VMDIR_ERROR(dwError); // Set SD for Builtin container dwError = VmDirSetSecurityDescriptorForDn( pszBuiltInContainerDN, SecInfo, pSecDescRel, ulSecDescRel); BAIL_ON_VMDIR_ERROR(dwError); // Set SD for ForeignSecurityPrincipals container dwError = VmDirSetSecurityDescriptorForDn( pszFSPsContainerDN, SecInfo, pSecDescRel, ulSecDescRel); BAIL_ON_VMDIR_ERROR(dwError); if (bSetupHost == FALSE || bFirstNodeBootstrap == TRUE) { // Set SD for BuiltInUsers group dwError = VmDirSetSecurityDescriptorForDn( pszBuiltInUsersGroupDN, SecInfo, pSecDescRel, ulSecDescRel); BAIL_ON_VMDIR_ERROR(dwError); // Set SD for BuiltInAdministrators group dwError = VmDirSetSecurityDescriptorForDn( pszBuiltInAdministratorsGroupDN, SecInfo, pSecDescRel, ulSecDescRel); BAIL_ON_VMDIR_ERROR(dwError); } if ( bSetupHost && bFirstNodeBootstrap ) { // Set SD for BuiltIn DC group dwError = VmDirSetSecurityDescriptorForDn( pszDCGroupDN, SecInfo, pSecDescRel, ulSecDescRel); BAIL_ON_VMDIR_ERROR(dwError); // Set SD for BuiltIn DCClients group dwError = VmDirSetSecurityDescriptorForDn(pszDCClientGroupDN, SecInfo, pSecDescRel, ulSecDescRel); BAIL_ON_VMDIR_ERROR(dwError); // Set SD for BuiltIn Cert group dwError = VmDirSetSecurityDescriptorForDn( pszCertGroupDN, SecInfo, pSecDescRel, ulSecDescRel); BAIL_ON_VMDIR_ERROR(dwError); } // Create default password and lockout policy dwError = VmDirSrvCreateDN( PASSWD_LOCKOUT_POLICY_DEFAULT_CN, pszDomainDN, &pszDefaultPasswdLockoutPolicyDN ); BAIL_ON_VMDIR_ERROR(dwError); dwError = VmDirSrvCreateDefaultPasswdPolicy(pSchemaCtx, pszDefaultPasswdLockoutPolicyDN); BAIL_ON_VMDIR_ERROR(dwError); // Set SD for Password lockout policy object dwError = VmDirSetSecurityDescriptorForDn( pszDefaultPasswdLockoutPolicyDN, SecInfo, pSecDescRel, ulSecDescRel); BAIL_ON_VMDIR_ERROR(dwError); cleanup: VMDIR_SAFE_FREE_MEMORY(pszUsersContainerDN); VMDIR_SAFE_FREE_MEMORY(pszBuiltInContainerDN); VMDIR_SAFE_FREE_MEMORY(pszFSPsContainerDN); VMDIR_SAFE_FREE_MEMORY(pszUserDN); VMDIR_SAFE_FREE_MEMORY(pszBuiltInUsersGroupDN); VMDIR_SAFE_FREE_MEMORY(pszBuiltInAdministratorsGroupDN); VMDIR_SAFE_FREE_MEMORY(pszDefaultPasswdLockoutPolicyDN); VMDIR_SAFE_FREE_MEMORY(pszDCGroupDN); VMDIR_SAFE_FREE_MEMORY(pszDCClientGroupDN); VMDIR_SAFE_FREE_MEMORY(pszCertGroupDN); VMDIR_SAFE_FREE_MEMORY(pszTenantRealmName); VMDIR_SAFE_FREE_MEMORY(pSecDescRel); VMDIR_SAFE_FREE_MEMORY(pszAdminSid); VMDIR_SAFE_FREE_MEMORY(pszBuiltInUsersGroupSid); VMDIR_SAFE_FREE_MEMORY(pszAdminsGroupSid); VMDIR_SAFE_FREE_MEMORY(pszAdminUserKrbUPN); return dwError; error: VmDirLog(LDAP_DEBUG_ANY, "VmDirSrvSetupDomainInstance failed. Error(%u)", dwError); goto cleanup; }