WERROR dns_name2dn(struct dns_server *dns,
TALLOC_CTX *mem_ctx,
const char *name,
struct ldb_dn **_dn)
{
struct ldb_dn *base;
struct ldb_dn *dn;
const struct dns_server_zone *z;
size_t host_part_len = 0;
if (name == NULL) {
return DNS_ERR(FORMAT_ERROR);
}
/*TODO: Check if 'name' is a valid DNS name */
if (strcmp(name, "") == 0) {
base = ldb_get_default_basedn(dns->samdb);
dn = ldb_dn_copy(mem_ctx, base);
ldb_dn_add_child_fmt(dn, "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System");
*_dn = dn;
return WERR_OK;
}
for (z = dns->zones; z != NULL; z = z->next) {
bool match;
match = dns_name_match(z->name, name, &host_part_len);
if (match) {
break;
}
}
if (z == NULL) {
return DNS_ERR(NAME_ERROR);
}
if (host_part_len == 0) {
dn = ldb_dn_copy(mem_ctx, z->dn);
ldb_dn_add_child_fmt(dn, "DC=@");
*_dn = dn;
return WERR_OK;
}
dn = ldb_dn_copy(mem_ctx, z->dn);
ldb_dn_add_child_fmt(dn, "DC=%*.*s", (int)host_part_len, (int)host_part_len, name);
*_dn = dn;
return WERR_OK;
}
/*
copy a message, allocating new memory for all parts
*/
struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
const struct ldb_message *msg)
{
struct ldb_message *msg2;
unsigned int i, j;
msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
if (msg2 == NULL) return NULL;
msg2->dn = ldb_dn_copy(msg2, msg2->dn);
if (msg2->dn == NULL) goto failed;
for (i=0;i<msg2->num_elements;i++) {
struct ldb_message_element *el = &msg2->elements[i];
struct ldb_val *values = el->values;
el->name = talloc_strdup(msg2->elements, el->name);
if (el->name == NULL) goto failed;
el->values = talloc_array(msg2->elements, struct ldb_val, el->num_values);
if (el->values == NULL) goto failed;
for (j=0;j<el->num_values;j++) {
el->values[j] = ldb_val_dup(el->values, &values[j]);
if (el->values[j].data == NULL && values[j].length != 0) {
goto failed;
}
}
}
return msg2;
failed:
talloc_free(msg2);
return NULL;
}
/* Find a domain object in the parents of a particular DN. */
static struct ldb_dn *samldb_search_domain(struct ldb_module *module, TALLOC_CTX *mem_ctx, struct ldb_dn *dn)
{
TALLOC_CTX *local_ctx;
struct ldb_dn *sdn;
struct ldb_result *res = NULL;
int ret = 0;
const char *attrs[] = { NULL };
local_ctx = talloc_new(mem_ctx);
if (local_ctx == NULL) return NULL;
sdn = ldb_dn_copy(local_ctx, dn);
do {
ret = ldb_search(module->ldb, sdn, LDB_SCOPE_BASE,
"(|(objectClass=domain)(objectClass=builtinDomain))", attrs, &res);
if (ret == LDB_SUCCESS) {
talloc_steal(local_ctx, res);
if (res->count == 1) {
break;
}
}
} while ((sdn = ldb_dn_get_parent(local_ctx, sdn)));
if (ret != LDB_SUCCESS || res->count != 1) {
talloc_free(local_ctx);
return NULL;
}
talloc_steal(mem_ctx, sdn);
talloc_free(local_ctx);
return sdn;
}
/* Copy a DN with the base DN of the remote partition. */
static struct ldb_dn *ldb_dn_rebase_remote(void *mem_ctx, const struct ldb_map_context *data, struct ldb_dn *dn)
{
struct ldb_dn *new_dn;
new_dn = ldb_dn_copy(mem_ctx, dn);
if ( ! ldb_dn_validate(new_dn)) {
talloc_free(new_dn);
return NULL;
}
/* may be we don't need to rebase at all */
if ( ! data->remote_base_dn || ! data->local_base_dn) {
return new_dn;
}
if ( ! ldb_dn_remove_base_components(new_dn, ldb_dn_get_comp_num(data->local_base_dn))) {
talloc_free(new_dn);
return NULL;
}
if ( ! ldb_dn_add_base(new_dn, data->remote_base_dn)) {
talloc_free(new_dn);
return NULL;
}
return new_dn;
}
/*
* GetUniqueFMID
*
* This function is a copy of original openchangedb_get_new_folderID from libproxy/openchangedb.C
*
* I extract this function because :
* - Function can be implemented directly in the backend
* -
*/
enum MAPISTATUS GetUniqueFMID(struct EasyLinuxContext *elContext, uint64_t *FMID)
{
int ret;
struct ldb_result *res;
struct ldb_message *msg;
const char * const attrs[] = { "*", NULL };
/* Get the current GlobalCount */
ret = ldb_search(elContext->LdbTable, elContext->mem_ctx, &res, ldb_get_root_basedn(elContext->LdbTable),
LDB_SCOPE_SUBTREE, attrs, "(objectClass=server)");
if( ret != LDB_SUCCESS || !res->count )
return MAPI_E_NOT_FOUND;
*FMID = ldb_msg_find_attr_as_uint64(res->msgs[0], "GlobalCount", 0);
/* Update GlobalCount value */
msg = ldb_msg_new(elContext->mem_ctx);
msg->dn = ldb_dn_copy(msg, ldb_msg_find_attr_as_dn(elContext->LdbTable, elContext->mem_ctx, res->msgs[0], "distinguishedName"));
ldb_msg_add_fmt(msg, "GlobalCount", "%llu", (long long unsigned int) ((*FMID) + 1));
msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
ret = ldb_modify(elContext->LdbTable, msg);
if( ret != LDB_SUCCESS || !res->count )
return MAPI_E_NOT_FOUND;
*FMID = (exchange_globcnt(*FMID) << 16) | 0x0001;
return MAPI_E_SUCCESS;
}
/*
allocate a new id, attempting to do it atomically
return 0 on failure, the id on success
*/
static int samldb_set_next_rid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
struct ldb_dn *dn, uint32_t old_id, uint32_t new_id)
{
struct ldb_message msg;
int ret;
struct ldb_val vals[2];
struct ldb_message_element els[2];
if (new_id == 0) {
/* out of IDs ! */
ldb_debug(ldb, LDB_DEBUG_FATAL, "Are we out of valid IDs ?\n");
return LDB_ERR_OPERATIONS_ERROR;
}
/* we do a delete and add as a single operation. That prevents
a race, in case we are not actually on a transaction db */
ZERO_STRUCT(msg);
msg.dn = ldb_dn_copy(mem_ctx, dn);
if (!msg.dn) {
return LDB_ERR_OPERATIONS_ERROR;
}
msg.num_elements = 2;
msg.elements = els;
els[0].num_values = 1;
els[0].values = &vals[0];
els[0].flags = LDB_FLAG_MOD_DELETE;
els[0].name = talloc_strdup(mem_ctx, "nextRid");
if (!els[0].name) {
return LDB_ERR_OPERATIONS_ERROR;
}
els[1].num_values = 1;
els[1].values = &vals[1];
els[1].flags = LDB_FLAG_MOD_ADD;
els[1].name = els[0].name;
vals[0].data = (uint8_t *)talloc_asprintf(mem_ctx, "%u", old_id);
if (!vals[0].data) {
return LDB_ERR_OPERATIONS_ERROR;
}
vals[0].length = strlen((char *)vals[0].data);
vals[1].data = (uint8_t *)talloc_asprintf(mem_ctx, "%u", new_id);
if (!vals[1].data) {
return LDB_ERR_OPERATIONS_ERROR;
}
vals[1].length = strlen((char *)vals[1].data);
ret = ldb_modify(ldb, &msg);
return ret;
}
static int local_db_check_containers(TALLOC_CTX *mem_ctx,
struct local_context *lctx,
struct ldb_dn *leaf_dn)
{
TALLOC_CTX *tmp_ctx;
static const char *attrs[] = { NULL};
struct ldb_result *res = NULL;
struct ldb_dn *dn;
int num;
int ret;
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) return ENOMEM;
dn = ldb_dn_copy(tmp_ctx, leaf_dn);
if (!dn) {
ret = ENOMEM;
goto done;
}
/* We need to exclude the leaf as that will be the new child entry,
* We also do not care for the synthetic containers that constitute the
* base path (cn=<uidnumber>,cn=users,cn=secrets), so in total we remove
* 4 components */
num = ldb_dn_get_comp_num(dn) - 4;
for (int i = 0; i < num; i++) {
/* remove the child first (we do not want to check the leaf) */
if (!ldb_dn_remove_child_components(dn, 1)) return EFAULT;
/* and check the parent container exists */
DEBUG(SSSDBG_TRACE_INTERNAL,
"Searching for [%s] at [%s] with scope=base\n",
LOCAL_CONTAINER_FILTER, ldb_dn_get_linearized(dn));
ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
attrs, LOCAL_CONTAINER_FILTER);
if (ret != LDB_SUCCESS || res->count != 1) {
DEBUG(SSSDBG_TRACE_LIBS,
"DN [%s] does not exist\n", ldb_dn_get_linearized(dn));
return ENOENT;
}
}
ret = EOK;
done:
talloc_free(tmp_ctx);
return ret;
}
/*
rename a record
*/
static int ltdb_rename(struct ltdb_context *ctx)
{
struct ldb_module *module = ctx->module;
struct ldb_request *req = ctx->req;
struct ldb_message *msg;
int ret = LDB_SUCCESS;
ldb_request_set_state(req, LDB_ASYNC_PENDING);
if (ltdb_cache_load(ctx->module) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
msg = ldb_msg_new(ctx);
if (msg == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* in case any attribute of the message was indexed, we need
to fetch the old record */
ret = ltdb_search_dn1(module, req->op.rename.olddn, msg);
if (ret != LDB_SUCCESS) {
/* not finding the old record is an error */
return ret;
}
/* Always delete first then add, to avoid conflicts with
* unique indexes. We rely on the transaction to make this
* atomic
*/
ret = ltdb_delete_internal(module, msg->dn);
if (ret != LDB_SUCCESS) {
return ret;
}
msg->dn = ldb_dn_copy(msg, req->op.rename.newdn);
if (msg->dn == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* We don't check single value as we can have more than 1 with
* deleted attributes. We could go through all elements but that's
* maybe not the most efficient way
*/
ret = ltdb_add_internal(module, msg, false);
return ret;
}
/*
rename a record
*/
static int ltdb_rename(struct ltdb_context *ctx)
{
struct ldb_module *module = ctx->module;
struct ldb_request *req = ctx->req;
struct ldb_message *msg;
int ret = LDB_SUCCESS;
ldb_request_set_state(req, LDB_ASYNC_PENDING);
if (ltdb_cache_load(ctx->module) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
msg = talloc(ctx, struct ldb_message);
if (msg == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* in case any attribute of the message was indexed, we need
to fetch the old record */
ret = ltdb_search_dn1(module, req->op.rename.olddn, msg);
if (ret != LDB_SUCCESS) {
/* not finding the old record is an error */
return ret;
}
/* Always delete first then add, to avoid conflicts with
* unique indexes. We rely on the transaction to make this
* atomic
*/
ret = ltdb_delete_internal(module, msg->dn);
if (ret != LDB_SUCCESS) {
return ret;
}
msg->dn = ldb_dn_copy(msg, req->op.rename.newdn);
if (msg->dn == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
ret = ltdb_add_internal(module, msg);
return ret;
}
WERROR dcesrv_drsuapi_ListRoles(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
const struct drsuapi_DsNameRequest1 *req1,
struct drsuapi_DsNameCtr1 **ctr1)
{
struct drsuapi_DsNameInfo1 *names;
uint32_t i;
uint32_t count = 5;/*number of fsmo role owners we are going to return*/
*ctr1 = talloc(mem_ctx, struct drsuapi_DsNameCtr1);
W_ERROR_HAVE_NO_MEMORY(*ctr1);
names = talloc_array(mem_ctx, struct drsuapi_DsNameInfo1, count);
W_ERROR_HAVE_NO_MEMORY(names);
for (i = 0; i < count; i++) {
WERROR werr;
struct ldb_dn *role_owner_dn, *fsmo_role_dn, *server_dn;
werr = dsdb_get_fsmo_role_info(mem_ctx, sam_ctx, i,
&fsmo_role_dn, &role_owner_dn);
if(!W_ERROR_IS_OK(werr)) {
return werr;
}
server_dn = ldb_dn_copy(mem_ctx, role_owner_dn);
ldb_dn_remove_child_components(server_dn, 1);
names[i].status = DRSUAPI_DS_NAME_STATUS_OK;
names[i].dns_domain_name = samdb_dn_to_dnshostname(sam_ctx, mem_ctx,
server_dn);
if(!names[i].dns_domain_name) {
DEBUG(4, ("list_roles: Failed to find dNSHostName for server %s\n",
ldb_dn_get_linearized(server_dn)));
}
names[i].result_name = talloc_strdup(mem_ctx, ldb_dn_get_linearized(role_owner_dn));
}
(*ctr1)->count = count;
(*ctr1)->array = names;
return WERR_OK;
}
/*
return the base DN for a zone
*/
static isc_result_t b9_find_zone_dn(struct dlz_bind9_data *state, const char *zone_name,
TALLOC_CTX *mem_ctx, struct ldb_dn **zone_dn)
{
int ret;
TALLOC_CTX *tmp_ctx = talloc_new(state);
const char *attrs[] = { NULL };
int i;
for (i=0; zone_prefixes[i]; i++) {
struct ldb_dn *dn;
struct ldb_result *res;
dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
if (dn == NULL) {
talloc_free(tmp_ctx);
return ISC_R_NOMEMORY;
}
if (!ldb_dn_add_child_fmt(dn, "DC=%s,%s", zone_name, zone_prefixes[i])) {
talloc_free(tmp_ctx);
return ISC_R_NOMEMORY;
}
ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, "objectClass=dnsZone");
if (ret == LDB_SUCCESS) {
if (zone_dn != NULL) {
*zone_dn = talloc_steal(mem_ctx, dn);
}
talloc_free(tmp_ctx);
return ISC_R_SUCCESS;
}
talloc_free(dn);
}
talloc_free(tmp_ctx);
return ISC_R_NOTFOUND;
}
static int construct_msds_isrodc_with_server_dn(struct ldb_module *module,
struct ldb_message *msg,
struct ldb_dn *dn,
struct ldb_request *parent)
{
struct ldb_dn *server_dn;
const char *attr_obj_cat[] = { "objectCategory", NULL };
struct ldb_result *res;
struct ldb_message_element *object_category;
int ret;
server_dn = ldb_dn_copy(msg, dn);
if (!ldb_dn_add_child_fmt(server_dn, "CN=NTDS Settings")) {
DEBUG(4, (__location__ ": Failed to add child to %s \n",
ldb_dn_get_linearized(server_dn)));
return ldb_operr(ldb_module_get_ctx(module));
}
ret = dsdb_module_search_dn(module, msg, &res, server_dn, attr_obj_cat,
DSDB_FLAG_NEXT_MODULE, parent);
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
DEBUG(4,(__location__ ": Can't get objectCategory for %s \n",
ldb_dn_get_linearized(server_dn)));
return LDB_SUCCESS;
} else if (ret != LDB_SUCCESS) {
return ret;
}
object_category = ldb_msg_find_element(res->msgs[0], "objectCategory");
if (!object_category) {
DEBUG(4,(__location__ ": Can't find objectCategory for %s \n",
ldb_dn_get_linearized(res->msgs[0]->dn)));
return LDB_SUCCESS;
}
return construct_msds_isrodc_with_dn(module, msg, object_category);
}
/*
configure a writeable zone
*/
_PUBLIC_ isc_result_t dlz_configure(dns_view_t *view, void *dbdata)
{
struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
TALLOC_CTX *tmp_ctx;
struct ldb_dn *dn;
int i;
state->log(ISC_LOG_INFO, "samba_dlz: starting configure");
if (state->writeable_zone == NULL) {
state->log(ISC_LOG_INFO, "samba_dlz: no writeable_zone method available");
return ISC_R_FAILURE;
}
tmp_ctx = talloc_new(state);
for (i=0; zone_prefixes[i]; i++) {
const char *attrs[] = { "name", NULL };
int j, ret;
struct ldb_result *res;
dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
if (dn == NULL) {
talloc_free(tmp_ctx);
return ISC_R_NOMEMORY;
}
if (!ldb_dn_add_child_fmt(dn, "%s", zone_prefixes[i])) {
talloc_free(tmp_ctx);
return ISC_R_NOMEMORY;
}
ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE,
attrs, "objectClass=dnsZone");
if (ret != LDB_SUCCESS) {
continue;
}
for (j=0; j<res->count; j++) {
isc_result_t result;
const char *zone = ldb_msg_find_attr_as_string(res->msgs[j], "name", NULL);
struct ldb_dn *zone_dn;
if (zone == NULL) {
continue;
}
zone_dn = ldb_dn_copy(tmp_ctx, dn);
if (zone_dn == NULL) {
talloc_free(tmp_ctx);
return ISC_R_NOMEMORY;
}
if (!b9_has_soa(state, zone_dn, zone)) {
continue;
}
result = state->writeable_zone(view, zone);
if (result != ISC_R_SUCCESS) {
state->log(ISC_LOG_ERROR, "samba_dlz: Failed to configure zone '%s'",
zone);
talloc_free(tmp_ctx);
return result;
}
state->log(ISC_LOG_INFO, "samba_dlz: configured writeable zone '%s'", zone);
}
}
talloc_free(tmp_ctx);
return ISC_R_SUCCESS;
}
/*
lookup one record
*/
static isc_result_t dlz_lookup_types(struct dlz_bind9_data *state,
const char *zone, const char *name,
dns_sdlzlookup_t *lookup,
const char **types)
{
TALLOC_CTX *tmp_ctx = talloc_new(state);
const char *attrs[] = { "dnsRecord", NULL };
int ret = LDB_SUCCESS, i;
struct ldb_result *res;
struct ldb_message_element *el;
struct ldb_dn *dn;
for (i=0; zone_prefixes[i]; i++) {
dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
if (dn == NULL) {
talloc_free(tmp_ctx);
return ISC_R_NOMEMORY;
}
if (!ldb_dn_add_child_fmt(dn, "DC=%s,DC=%s,%s", name, zone, zone_prefixes[i])) {
talloc_free(tmp_ctx);
return ISC_R_NOMEMORY;
}
ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
attrs, "objectClass=dnsNode");
if (ret == LDB_SUCCESS) {
break;
}
}
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ISC_R_NOTFOUND;
}
el = ldb_msg_find_element(res->msgs[0], "dnsRecord");
if (el == NULL || el->num_values == 0) {
talloc_free(tmp_ctx);
return ISC_R_NOTFOUND;
}
for (i=0; i<el->num_values; i++) {
struct dnsp_DnssrvRpcRecord rec;
enum ndr_err_code ndr_err;
isc_result_t result;
ndr_err = ndr_pull_struct_blob(&el->values[i], tmp_ctx, &rec,
(ndr_pull_flags_fn_t)ndr_pull_dnsp_DnssrvRpcRecord);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
state->log(ISC_LOG_ERROR, "samba_dlz: failed to parse dnsRecord for %s",
ldb_dn_get_linearized(dn));
talloc_free(tmp_ctx);
return ISC_R_FAILURE;
}
result = b9_putrr(state, lookup, &rec, types);
if (result != ISC_R_SUCCESS) {
talloc_free(tmp_ctx);
return result;
}
}
talloc_free(tmp_ctx);
return ISC_R_SUCCESS;
}
/*
perform a zone transfer
*/
_PUBLIC_ isc_result_t dlz_allnodes(const char *zone, void *dbdata,
dns_sdlzallnodes_t *allnodes)
{
struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
const char *attrs[] = { "dnsRecord", NULL };
int ret = LDB_SUCCESS, i, j;
struct ldb_dn *dn;
struct ldb_result *res;
TALLOC_CTX *tmp_ctx = talloc_new(state);
for (i=0; zone_prefixes[i]; i++) {
dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
if (dn == NULL) {
talloc_free(tmp_ctx);
return ISC_R_NOMEMORY;
}
if (!ldb_dn_add_child_fmt(dn, "DC=%s,%s", zone, zone_prefixes[i])) {
talloc_free(tmp_ctx);
return ISC_R_NOMEMORY;
}
ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE,
attrs, "objectClass=dnsNode");
if (ret == LDB_SUCCESS) {
break;
}
}
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ISC_R_NOTFOUND;
}
for (i=0; i<res->count; i++) {
struct ldb_message_element *el;
TALLOC_CTX *el_ctx = talloc_new(tmp_ctx);
const char *rdn, *name;
const struct ldb_val *v;
el = ldb_msg_find_element(res->msgs[i], "dnsRecord");
if (el == NULL || el->num_values == 0) {
state->log(ISC_LOG_INFO, "failed to find dnsRecord for %s",
ldb_dn_get_linearized(dn));
talloc_free(el_ctx);
continue;
}
v = ldb_dn_get_rdn_val(res->msgs[i]->dn);
if (v == NULL) {
state->log(ISC_LOG_INFO, "failed to find RDN for %s",
ldb_dn_get_linearized(dn));
talloc_free(el_ctx);
continue;
}
rdn = talloc_strndup(el_ctx, (char *)v->data, v->length);
if (rdn == NULL) {
talloc_free(tmp_ctx);
return ISC_R_NOMEMORY;
}
if (strcmp(rdn, "@") == 0) {
name = zone;
} else {
name = talloc_asprintf(el_ctx, "%s.%s", rdn, zone);
}
if (name == NULL) {
talloc_free(tmp_ctx);
return ISC_R_NOMEMORY;
}
for (j=0; j<el->num_values; j++) {
struct dnsp_DnssrvRpcRecord rec;
enum ndr_err_code ndr_err;
isc_result_t result;
ndr_err = ndr_pull_struct_blob(&el->values[j], el_ctx, &rec,
(ndr_pull_flags_fn_t)ndr_pull_dnsp_DnssrvRpcRecord);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
state->log(ISC_LOG_ERROR, "samba_dlz: failed to parse dnsRecord for %s",
ldb_dn_get_linearized(dn));
continue;
}
result = b9_putnamedrr(state, allnodes, name, &rec);
if (result != ISC_R_SUCCESS) {
continue;
}
}
}
talloc_free(tmp_ctx);
return ISC_R_SUCCESS;
}
/*
rename a record
*/
static int ltdb_rename(struct ltdb_context *ctx)
{
struct ldb_module *module = ctx->module;
void *data = ldb_module_get_private(module);
struct ltdb_private *ltdb = talloc_get_type(data, struct ltdb_private);
struct ldb_request *req = ctx->req;
struct ldb_message *msg;
int ret = LDB_SUCCESS;
TDB_DATA tdb_key, tdb_key_old;
ldb_request_set_state(req, LDB_ASYNC_PENDING);
if (ltdb_cache_load(ctx->module) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
msg = ldb_msg_new(ctx);
if (msg == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* we need to fetch the old record to re-add under the new name */
ret = ltdb_search_dn1(module, req->op.rename.olddn, msg);
if (ret != LDB_SUCCESS) {
/* not finding the old record is an error */
return ret;
}
/* We need to, before changing the DB, check if the new DN
* exists, so we can return this error to the caller with an
* unmodified DB */
tdb_key = ltdb_key(module, req->op.rename.newdn);
if (!tdb_key.dptr) {
talloc_free(msg);
return LDB_ERR_OPERATIONS_ERROR;
}
tdb_key_old = ltdb_key(module, req->op.rename.olddn);
if (!tdb_key_old.dptr) {
talloc_free(msg);
talloc_free(tdb_key.dptr);
return LDB_ERR_OPERATIONS_ERROR;
}
/* Only declare a conflict if the new DN already exists, and it isn't a case change on the old DN */
if (tdb_key_old.dsize != tdb_key.dsize || memcmp(tdb_key.dptr, tdb_key_old.dptr, tdb_key.dsize) != 0) {
if (tdb_exists(ltdb->tdb, tdb_key)) {
talloc_free(tdb_key_old.dptr);
talloc_free(tdb_key.dptr);
ldb_asprintf_errstring(ldb_module_get_ctx(module),
"Entry %s already exists",
ldb_dn_get_linearized(msg->dn));
/* finding the new record already in the DB is an error */
talloc_free(msg);
return LDB_ERR_ENTRY_ALREADY_EXISTS;
}
}
talloc_free(tdb_key_old.dptr);
talloc_free(tdb_key.dptr);
/* Always delete first then add, to avoid conflicts with
* unique indexes. We rely on the transaction to make this
* atomic
*/
ret = ltdb_delete_internal(module, msg->dn);
if (ret != LDB_SUCCESS) {
talloc_free(msg);
return ret;
}
msg->dn = ldb_dn_copy(msg, req->op.rename.newdn);
if (msg->dn == NULL) {
talloc_free(msg);
return LDB_ERR_OPERATIONS_ERROR;
}
/* We don't check single value as we can have more than 1 with
* deleted attributes. We could go through all elements but that's
* maybe not the most efficient way
*/
ret = ltdb_add_internal(module, msg, false);
talloc_free(msg);
return ret;
}
/*
create a RID Set object for the specified DC
*/
static int ridalloc_create_rid_set_ntds(struct ldb_module *module, TALLOC_CTX *mem_ctx,
struct ldb_dn *rid_manager_dn,
struct ldb_dn *ntds_dn, struct ldb_dn **dn,
struct ldb_request *parent)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
struct ldb_dn *server_dn, *machine_dn, *rid_set_dn;
int ret;
struct ldb_message *msg;
struct ldb_context *ldb = ldb_module_get_ctx(module);
static const struct ridalloc_ridset_values o = {
.alloc_pool = UINT64_MAX,
.prev_pool = UINT64_MAX,
.next_rid = UINT32_MAX,
.used_pool = UINT32_MAX,
};
struct ridalloc_ridset_values n = {
.alloc_pool = 0,
.prev_pool = 0,
.next_rid = 0,
.used_pool = 0,
};
/*
steps:
find the machine object for the DC
construct the RID Set DN
load rIDAvailablePool to find next available set
modify RID Manager object to update rIDAvailablePool
add the RID Set object
link to the RID Set object in machine object
*/
server_dn = ldb_dn_get_parent(tmp_ctx, ntds_dn);
if (!server_dn) {
talloc_free(tmp_ctx);
return ldb_module_oom(module);
}
ret = dsdb_module_reference_dn(module, tmp_ctx, server_dn, "serverReference", &machine_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find serverReference in %s - %s",
ldb_dn_get_linearized(server_dn), ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
rid_set_dn = ldb_dn_copy(tmp_ctx, machine_dn);
if (rid_set_dn == NULL) {
talloc_free(tmp_ctx);
return ldb_module_oom(module);
}
if (! ldb_dn_add_child_fmt(rid_set_dn, "CN=RID Set")) {
talloc_free(tmp_ctx);
return ldb_module_oom(module);
}
/* grab a pool from the RID Manager object */
ret = ridalloc_rid_manager_allocate(module, rid_manager_dn, &n.alloc_pool, parent);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/* create the RID Set object */
msg = ldb_msg_new(tmp_ctx);
msg->dn = rid_set_dn;
ret = ldb_msg_add_string(msg, "objectClass", "rIDSet");
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = ridalloc_set_ridset_values(module, msg, &o, &n);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/* we need this to go all the way to the top of the module
* stack, as we need all the extra attributes added (including
* complex ones like ntsecuritydescriptor) */
ret = dsdb_module_add(module, msg, DSDB_FLAG_TOP_MODULE | DSDB_MODIFY_RELAX, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to add RID Set %s - %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
/* add the rIDSetReferences link */
msg = ldb_msg_new(tmp_ctx);
msg->dn = machine_dn;
ret = ldb_msg_add_string(msg, "rIDSetReferences", ldb_dn_get_linearized(rid_set_dn));
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
msg->elements[0].flags = LDB_FLAG_MOD_ADD;
ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to add rIDSetReferences to %s - %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
(*dn) = talloc_steal(mem_ctx, rid_set_dn);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/*
create a RID Set object for this DC
*/
static int ridalloc_create_own_rid_set(struct ldb_module *module, TALLOC_CTX *mem_ctx,
struct ldb_dn **dn, struct ldb_request *parent)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
struct ldb_dn *rid_manager_dn, *fsmo_role_dn;
int ret;
struct ldb_context *ldb = ldb_module_get_ctx(module);
/* work out who is the RID Manager */
ret = dsdb_module_rid_manager_dn(module, tmp_ctx, &rid_manager_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find RID Manager object - %s",
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
/* find the DN of the RID Manager */
ret = dsdb_module_reference_dn(module, tmp_ctx, rid_manager_dn, "fSMORoleOwner", &fsmo_role_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find fSMORoleOwner in RID Manager object - %s",
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), fsmo_role_dn) != 0) {
ridalloc_poke_rid_manager(module);
ldb_asprintf_errstring(ldb, "Remote RID Set allocation needs refresh");
talloc_free(tmp_ctx);
return LDB_ERR_UNWILLING_TO_PERFORM;
}
ret = ridalloc_create_rid_set_ntds(module, mem_ctx, rid_manager_dn, fsmo_role_dn, dn, parent);
talloc_free(tmp_ctx);
return ret;
}
/*
samr_OemChangePasswordUser2
*/
NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct samr_OemChangePasswordUser2 *r)
{
NTSTATUS status;
DATA_BLOB new_password, new_unicode_password;
char *new_pass;
struct samr_CryptPassword *pwbuf = r->in.password;
struct ldb_context *sam_ctx;
struct ldb_dn *user_dn;
int ret;
struct ldb_message **res, *mod;
const char * const attrs[] = { "objectSid", "dBCSPwd", NULL };
struct samr_Password *lm_pwd;
DATA_BLOB lm_pwd_blob;
uint8_t new_lm_hash[16];
struct samr_Password lm_verifier;
size_t unicode_pw_len;
if (pwbuf == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
if (r->in.hash == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
/* To change a password we need to open as system */
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
ret = ldb_transaction_start(sam_ctx);
if (ret) {
DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx)));
return NT_STATUS_TRANSACTION_ABORTED;
}
/* we need the users dn and the domain dn (derived from the
user SID). We also need the current lm password hash in
order to decrypt the incoming password */
ret = gendb_search(sam_ctx,
mem_ctx, NULL, &res, attrs,
"(&(sAMAccountName=%s)(objectclass=user))",
r->in.account->string);
if (ret != 1) {
ldb_transaction_cancel(sam_ctx);
/* Don't give the game away: (don't allow anonymous users to prove the existance of usernames) */
return NT_STATUS_WRONG_PASSWORD;
}
user_dn = res[0]->dn;
status = samdb_result_passwords(mem_ctx, dce_call->conn->dce_ctx->lp_ctx,
res[0], &lm_pwd, NULL);
if (!NT_STATUS_IS_OK(status) || !lm_pwd) {
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_WRONG_PASSWORD;
}
/* decrypt the password we have been given */
lm_pwd_blob = data_blob(lm_pwd->hash, sizeof(lm_pwd->hash));
arcfour_crypt_blob(pwbuf->data, 516, &lm_pwd_blob);
data_blob_free(&lm_pwd_blob);
if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) {
ldb_transaction_cancel(sam_ctx);
DEBUG(3,("samr: failed to decode password buffer\n"));
return NT_STATUS_WRONG_PASSWORD;
}
if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx),
CH_DOS, CH_UNIX,
(const char *)new_password.data,
new_password.length,
(void **)&new_pass, NULL, false)) {
DEBUG(3,("samr: failed to convert incoming password buffer to unix charset\n"));
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_WRONG_PASSWORD;
}
if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx),
CH_DOS, CH_UTF16,
(const char *)new_password.data,
new_password.length,
(void **)&new_unicode_password.data, &unicode_pw_len, false)) {
DEBUG(3,("samr: failed to convert incoming password buffer to UTF16 charset\n"));
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_WRONG_PASSWORD;
}
new_unicode_password.length = unicode_pw_len;
E_deshash(new_pass, new_lm_hash);
E_old_pw_hash(new_lm_hash, lm_pwd->hash, lm_verifier.hash);
if (memcmp(lm_verifier.hash, r->in.hash->hash, 16) != 0) {
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_WRONG_PASSWORD;
}
mod = ldb_msg_new(mem_ctx);
if (mod == NULL) {
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_NO_MEMORY;
}
mod->dn = ldb_dn_copy(mod, user_dn);
if (!mod->dn) {
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_NO_MEMORY;
}
/* set the password on the user DN specified. This may fail
* due to password policies */
status = samdb_set_password(sam_ctx, mem_ctx,
user_dn, NULL,
mod, &new_unicode_password,
NULL, NULL,
true, /* this is a user password change */
NULL,
NULL);
if (!NT_STATUS_IS_OK(status)) {
ldb_transaction_cancel(sam_ctx);
return status;
}
/* The above call only setup the modifications, this actually
* makes the write to the database. */
ret = samdb_replace(sam_ctx, mem_ctx, mod);
if (ret != 0) {
DEBUG(2,("Failed to modify record to change password on %s: %s\n",
ldb_dn_get_linearized(user_dn),
ldb_errstring(sam_ctx)));
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
/* And this confirms it in a transaction commit */
ret = ldb_transaction_commit(sam_ctx);
if (ret != 0) {
DEBUG(1,("Failed to commit transaction to change password on %s: %s\n",
ldb_dn_get_linearized(user_dn),
ldb_errstring(sam_ctx)));
return NT_STATUS_TRANSACTION_ABORTED;
}
return NT_STATUS_OK;
}
/* Map a DN into the local partition. */
struct ldb_dn *ldb_dn_map_remote(struct ldb_module *module, void *mem_ctx, const struct ldb_dn *dn)
{
const struct ldb_map_context *data = map_get_context(module);
struct ldb_dn *newdn;
const struct ldb_map_attribute *map;
enum ldb_map_attr_type map_type;
const char *name;
struct ldb_val value;
int i, ret;
if (dn == NULL) {
return NULL;
}
newdn = ldb_dn_copy(mem_ctx, dn);
if (newdn == NULL) {
map_oom(module);
return NULL;
}
/* For each RDN, map the component name and possibly the value */
for (i = 0; i < ldb_dn_get_comp_num(newdn); i++) {
map = map_attr_find_remote(data, ldb_dn_get_component_name(dn, i));
/* Unknown attribute - leave this RDN as is and hope the best... */
if (map == NULL) {
map_type = MAP_KEEP;
} else {
map_type = map->type;
}
switch (map_type) {
case MAP_IGNORE:
case MAP_GENERATE:
ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: "
"MAP_IGNORE/MAP_GENERATE attribute '%s' "
"used in DN!\n", ldb_dn_get_component_name(dn, i));
goto failed;
case MAP_CONVERT:
if (map->u.convert.convert_remote == NULL) {
ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: "
"'convert_remote' not set for attribute '%s' "
"used in DN!\n", ldb_dn_get_component_name(dn, i));
goto failed;
}
/* fall through */
case MAP_KEEP:
case MAP_RENAME:
name = map_attr_map_remote(newdn, map, ldb_dn_get_component_name(dn, i));
if (name == NULL) goto failed;
value = ldb_val_map_remote(module, newdn, map, ldb_dn_get_component_val(dn, i));
if (value.data == NULL) goto failed;
ret = ldb_dn_set_component(newdn, i, name, value);
if (ret != LDB_SUCCESS) {
goto failed;
}
break;
}
}
return newdn;
failed:
talloc_free(newdn);
return NULL;
}
/*
work out the principal to use for DRS replication connections
*/
NTSTATUS dreplsrv_get_target_principal(struct dreplsrv_service *s,
TALLOC_CTX *mem_ctx,
const struct repsFromTo1 *rft,
const char **target_principal)
{
TALLOC_CTX *tmp_ctx;
struct ldb_result *res;
const char *attrs_server[] = { "dNSHostName", NULL };
const char *attrs_ntds[] = { "msDS-HasDomainNCs", "hasMasterNCs", NULL };
int ret;
const char *hostname, *dnsdomain=NULL;
struct ldb_dn *ntds_dn, *server_dn;
struct ldb_dn *forest_dn, *nc_dn;
*target_principal = NULL;
tmp_ctx = talloc_new(mem_ctx);
/* we need to find their hostname */
ret = dsdb_find_dn_by_guid(s->samdb, tmp_ctx, &rft->source_dsa_obj_guid, &ntds_dn);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
/* its OK for their NTDSDSA DN not to be in our database */
return NT_STATUS_OK;
}
server_dn = ldb_dn_copy(tmp_ctx, ntds_dn);
if (server_dn == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
/* strip off the NTDS Settings */
if (!ldb_dn_remove_child_components(server_dn, 1)) {
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
ret = dsdb_search_dn(s->samdb, tmp_ctx, &res, server_dn, attrs_server, 0);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
/* its OK for their server DN not to be in our database */
return NT_STATUS_OK;
}
forest_dn = ldb_get_root_basedn(s->samdb);
if (forest_dn == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
hostname = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
if (hostname != NULL) {
char *local_principal;
/*
if we have the dNSHostName attribute then we can use
the GC/hostname/realm SPN. All DCs should have this SPN
Windows DC may set up it's dNSHostName before setting up
GC/xx/xx SPN. So make sure it exists, before using it.
*/
local_principal = talloc_asprintf(mem_ctx, "GC/%s/%s",
hostname,
samdb_dn_to_dns_domain(tmp_ctx, forest_dn));
if (dreplsrv_spn_exists(s->samdb, ntds_dn, local_principal)) {
*target_principal = local_principal;
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
talloc_free(local_principal);
}
/*
if we can't find the dNSHostName then we will try for the
E3514235-4B06-11D1-AB04-00C04FC2DCD2/${NTDSGUID}/${DNSDOMAIN}
SPN. To use that we need the DNS domain name of the target
DC. We find that by first looking for the msDS-HasDomainNCs
in the NTDSDSA object of the DC, and if we don't find that,
then we look for the hasMasterNCs attribute, and eliminate
the known schema and configuruation DNs. Despite how
bizarre this seems, Hongwei tells us that this is in fact
what windows does to find the SPN!!
*/
ret = dsdb_search_dn(s->samdb, tmp_ctx, &res, ntds_dn, attrs_ntds, 0);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
nc_dn = ldb_msg_find_attr_as_dn(s->samdb, tmp_ctx, res->msgs[0], "msDS-HasDomainNCs");
if (nc_dn != NULL) {
dnsdomain = samdb_dn_to_dns_domain(tmp_ctx, nc_dn);
}
if (dnsdomain == NULL) {
struct ldb_message_element *el;
int i;
el = ldb_msg_find_element(res->msgs[0], "hasMasterNCs");
for (i=0; el && i<el->num_values; i++) {
nc_dn = ldb_dn_from_ldb_val(tmp_ctx, s->samdb, &el->values[i]);
if (nc_dn == NULL ||
ldb_dn_compare(ldb_get_config_basedn(s->samdb), nc_dn) == 0 ||
ldb_dn_compare(ldb_get_schema_basedn(s->samdb), nc_dn) == 0) {
continue;
}
/* it must be a domain DN, get the equivalent
DNS domain name */
dnsdomain = samdb_dn_to_dns_domain(tmp_ctx, nc_dn);
break;
}
}
if (dnsdomain != NULL) {
*target_principal = talloc_asprintf(mem_ctx,
"E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s",
GUID_string(tmp_ctx, &rft->source_dsa_obj_guid),
dnsdomain);
}
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
/*
samr_ChangePasswordUser3
*/
NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
TALLOC_CTX *mem_ctx,
struct samr_ChangePasswordUser3 *r)
{
NTSTATUS status;
DATA_BLOB new_password;
struct ldb_context *sam_ctx = NULL;
struct ldb_dn *user_dn;
int ret;
struct ldb_message **res, *mod;
const char * const attrs[] = { "unicodePwd", "dBCSPwd", NULL };
struct samr_Password *nt_pwd, *lm_pwd;
DATA_BLOB nt_pwd_blob;
struct samr_DomInfo1 *dominfo = NULL;
struct samr_ChangeReject *reject = NULL;
enum samr_RejectReason reason = SAMR_REJECT_OTHER;
uint8_t new_nt_hash[16], new_lm_hash[16];
struct samr_Password nt_verifier, lm_verifier;
*r->out.dominfo = NULL;
*r->out.reject = NULL;
if (r->in.nt_password == NULL ||
r->in.nt_verifier == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
/* To change a password we need to open as system */
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
ret = ldb_transaction_start(sam_ctx);
if (ret) {
talloc_free(sam_ctx);
DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx)));
return NT_STATUS_TRANSACTION_ABORTED;
}
/* we need the users dn and the domain dn (derived from the
user SID). We also need the current lm and nt password hashes
in order to decrypt the incoming passwords */
ret = gendb_search(sam_ctx,
mem_ctx, NULL, &res, attrs,
"(&(sAMAccountName=%s)(objectclass=user))",
r->in.account->string);
if (ret != 1) {
/* Don't give the game away: (don't allow anonymous users to prove the existance of usernames) */
status = NT_STATUS_WRONG_PASSWORD;
goto failed;
}
user_dn = res[0]->dn;
status = samdb_result_passwords(mem_ctx, dce_call->conn->dce_ctx->lp_ctx,
res[0], &lm_pwd, &nt_pwd);
if (!NT_STATUS_IS_OK(status) ) {
goto failed;
}
if (!nt_pwd) {
status = NT_STATUS_WRONG_PASSWORD;
goto failed;
}
/* decrypt the password we have been given */
nt_pwd_blob = data_blob(nt_pwd->hash, sizeof(nt_pwd->hash));
arcfour_crypt_blob(r->in.nt_password->data, 516, &nt_pwd_blob);
data_blob_free(&nt_pwd_blob);
if (!extract_pw_from_buffer(mem_ctx, r->in.nt_password->data, &new_password)) {
ldb_transaction_cancel(sam_ctx);
DEBUG(3,("samr: failed to decode password buffer\n"));
return NT_STATUS_WRONG_PASSWORD;
}
if (r->in.nt_verifier == NULL) {
status = NT_STATUS_WRONG_PASSWORD;
goto failed;
}
/* check NT verifier */
mdfour(new_nt_hash, new_password.data, new_password.length);
E_old_pw_hash(new_nt_hash, nt_pwd->hash, nt_verifier.hash);
if (memcmp(nt_verifier.hash, r->in.nt_verifier->hash, 16) != 0) {
status = NT_STATUS_WRONG_PASSWORD;
goto failed;
}
/* check LM verifier (really not needed as we just checked the
* much stronger NT hash, but the RPC-SAMR test checks for
* this) */
if (lm_pwd && r->in.lm_verifier != NULL) {
char *new_pass;
if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx),
CH_UTF16, CH_UNIX,
(const char *)new_password.data,
new_password.length,
(void **)&new_pass, NULL, false)) {
E_deshash(new_pass, new_lm_hash);
E_old_pw_hash(new_nt_hash, lm_pwd->hash, lm_verifier.hash);
if (memcmp(lm_verifier.hash, r->in.lm_verifier->hash, 16) != 0) {
status = NT_STATUS_WRONG_PASSWORD;
goto failed;
}
}
}
mod = ldb_msg_new(mem_ctx);
if (mod == NULL) {
status = NT_STATUS_NO_MEMORY;
goto failed;
}
mod->dn = ldb_dn_copy(mod, user_dn);
if (!mod->dn) {
status = NT_STATUS_NO_MEMORY;
goto failed;
}
/* set the password on the user DN specified. This may fail
* due to password policies */
status = samdb_set_password(sam_ctx, mem_ctx,
user_dn, NULL,
mod, &new_password,
NULL, NULL,
true, /* this is a user password change */
&reason,
&dominfo);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
/* The above call only setup the modifications, this actually
* makes the write to the database. */
ret = samdb_replace(sam_ctx, mem_ctx, mod);
if (ret != 0) {
DEBUG(2,("samdb_replace failed to change password for %s: %s\n",
ldb_dn_get_linearized(user_dn),
ldb_errstring(sam_ctx)));
status = NT_STATUS_UNSUCCESSFUL;
goto failed;
}
/* And this confirms it in a transaction commit */
ret = ldb_transaction_commit(sam_ctx);
if (ret != 0) {
DEBUG(1,("Failed to commit transaction to change password on %s: %s\n",
ldb_dn_get_linearized(user_dn),
ldb_errstring(sam_ctx)));
status = NT_STATUS_TRANSACTION_ABORTED;
goto failed;
}
return NT_STATUS_OK;
failed:
ldb_transaction_cancel(sam_ctx);
talloc_free(sam_ctx);
reject = talloc(mem_ctx, struct samr_ChangeReject);
*r->out.dominfo = dominfo;
*r->out.reject = reject;
if (reject == NULL) {
return status;
}
ZERO_STRUCTP(reject);
reject->reason = reason;
return status;
}
static bool kpasswd_process_request(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
struct gensec_security *gensec_security,
uint16_t version,
DATA_BLOB *input,
DATA_BLOB *reply)
{
struct auth_session_info *session_info;
size_t pw_len;
if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security,
&session_info))) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
"gensec_session_info failed!",
reply);
}
switch (version) {
case KRB5_KPASSWD_VERS_CHANGEPW:
{
DATA_BLOB password;
if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx),
CH_UTF8, CH_UTF16,
(const char *)input->data,
input->length,
(void **)&password.data, &pw_len, false)) {
return false;
}
password.length = pw_len;
return kpasswdd_change_password(kdc, mem_ctx, session_info,
&password, reply);
break;
}
case KRB5_KPASSWD_VERS_SETPW:
{
NTSTATUS status;
enum samPwdChangeReason reject_reason = SAM_PWD_CHANGE_NO_ERROR;
struct samr_DomInfo1 *dominfo = NULL;
struct ldb_context *samdb;
struct ldb_message *msg;
krb5_context context = kdc->smb_krb5_context->krb5_context;
ChangePasswdDataMS chpw;
DATA_BLOB password;
krb5_principal principal;
char *set_password_on_princ;
struct ldb_dn *set_password_on_dn;
size_t len;
int ret;
msg = ldb_msg_new(mem_ctx);
if (!msg) {
return false;
}
ret = decode_ChangePasswdDataMS(input->data, input->length,
&chpw, &len);
if (ret) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"failed to decode password change structure",
reply);
}
if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx),
CH_UTF8, CH_UTF16,
(const char *)chpw.newpasswd.data,
chpw.newpasswd.length,
(void **)&password.data, &pw_len, false)) {
free_ChangePasswdDataMS(&chpw);
return false;
}
password.length = pw_len;
if ((chpw.targname && !chpw.targrealm)
|| (!chpw.targname && chpw.targrealm)) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"Realm and principal must be both present, or neither present",
reply);
}
if (chpw.targname && chpw.targrealm) {
#ifdef SAMBA4_INTERNAL_HEIMDAL
if (_krb5_principalname2krb5_principal(kdc->smb_krb5_context->krb5_context,
&principal, *chpw.targname,
*chpw.targrealm) != 0) {
free_ChangePasswdDataMS(&chpw);
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"failed to extract principal to set",
reply);
}
#else /* SAMBA4_INTERNAL_HEIMDAL */
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_BAD_VERSION,
"Operation Not Implemented",
reply);
#endif /* SAMBA4_INTERNAL_HEIMDAL */
} else {
free_ChangePasswdDataMS(&chpw);
return kpasswdd_change_password(kdc, mem_ctx, session_info,
&password, reply);
}
free_ChangePasswdDataMS(&chpw);
if (krb5_unparse_name(context, principal, &set_password_on_princ) != 0) {
krb5_free_principal(context, principal);
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"krb5_unparse_name failed!",
reply);
}
krb5_free_principal(context, principal);
samdb = samdb_connect(mem_ctx, kdc->task->event_ctx, kdc->task->lp_ctx, session_info);
if (!samdb) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
"Unable to open database!",
reply);
}
DEBUG(3, ("%s\\%s (%s) is changing password of %s\n",
session_info->server_info->domain_name,
session_info->server_info->account_name,
dom_sid_string(mem_ctx, session_info->security_token->user_sid),
set_password_on_princ));
ret = ldb_transaction_start(samdb);
if (ret) {
status = NT_STATUS_TRANSACTION_ABORTED;
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
SAM_PWD_CHANGE_NO_ERROR,
NULL,
reply);
}
status = crack_user_principal_name(samdb, mem_ctx,
set_password_on_princ,
&set_password_on_dn, NULL);
free(set_password_on_princ);
if (!NT_STATUS_IS_OK(status)) {
ldb_transaction_cancel(samdb);
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
SAM_PWD_CHANGE_NO_ERROR,
NULL,
reply);
}
msg = ldb_msg_new(mem_ctx);
if (msg == NULL) {
ldb_transaction_cancel(samdb);
status = NT_STATUS_NO_MEMORY;
} else {
msg->dn = ldb_dn_copy(msg, set_password_on_dn);
if (!msg->dn) {
status = NT_STATUS_NO_MEMORY;
}
}
if (NT_STATUS_IS_OK(status)) {
/* Admin password set */
status = samdb_set_password(samdb, mem_ctx,
set_password_on_dn, NULL,
msg, &password, NULL, NULL,
false, /* this is not a user password change */
&reject_reason, &dominfo);
}
if (NT_STATUS_IS_OK(status)) {
/* modify the samdb record */
ret = samdb_replace(samdb, mem_ctx, msg);
if (ret != 0) {
DEBUG(2,("Failed to modify record to set password on %s: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(samdb)));
status = NT_STATUS_ACCESS_DENIED;
}
}
if (NT_STATUS_IS_OK(status)) {
ret = ldb_transaction_commit(samdb);
if (ret != 0) {
DEBUG(1,("Failed to commit transaction to set password on %s: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(samdb)));
status = NT_STATUS_TRANSACTION_ABORTED;
}
} else {
ldb_transaction_cancel(samdb);
}
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
reject_reason,
dominfo,
reply);
}
default:
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_BAD_VERSION,
talloc_asprintf(mem_ctx,
"Protocol version %u not supported",
version),
reply);
}
return true;
}
struct dsdb_schema *dsdb_schema_copy_shallow(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
const struct dsdb_schema *schema)
{
int ret;
struct dsdb_class *cls;
struct dsdb_attribute *attr;
struct dsdb_schema *schema_copy;
schema_copy = dsdb_new_schema(mem_ctx);
if (!schema_copy) {
return NULL;
}
/* schema base_dn */
schema_copy->base_dn = ldb_dn_copy(schema_copy, schema->base_dn);
if (!schema_copy->base_dn) {
goto failed;
}
/* copy prexiMap & schemaInfo */
schema_copy->prefixmap = dsdb_schema_pfm_copy_shallow(schema_copy,
schema->prefixmap);
if (!schema_copy->prefixmap) {
goto failed;
}
schema_copy->schema_info = talloc_strdup(schema_copy, schema->schema_info);
/* copy classes and attributes*/
for (cls = schema->classes; cls; cls = cls->next) {
struct dsdb_class *class_copy = talloc_memdup(schema_copy,
cls, sizeof(*cls));
if (!class_copy) {
goto failed;
}
DLIST_ADD(schema_copy->classes, class_copy);
}
schema_copy->num_classes = schema->num_classes;
for (attr = schema->attributes; attr; attr = attr->next) {
struct dsdb_attribute *a_copy = talloc_memdup(schema_copy,
attr, sizeof(*attr));
if (!a_copy) {
goto failed;
}
DLIST_ADD(schema_copy->attributes, a_copy);
}
schema_copy->num_attributes = schema->num_attributes;
/* rebuild indexes */
ret = dsdb_setup_sorted_accessors(ldb, schema_copy);
if (ret != LDB_SUCCESS) {
goto failed;
}
/* leave reload_seq_number = 0 so it will be refresh ASAP */
schema_copy->refresh_fn = schema->refresh_fn;
schema_copy->loaded_from_module = schema->loaded_from_module;
return schema_copy;
failed:
talloc_free(schema_copy);
return NULL;
}
static int ldapsrv_load_limits(struct ldapsrv_connection *conn)
{
TALLOC_CTX *tmp_ctx;
const char *attrs[] = { "configurationNamingContext", NULL };
const char *attrs2[] = { "lDAPAdminLimits", NULL };
struct ldb_message_element *el;
struct ldb_result *res = NULL;
struct ldb_dn *basedn;
struct ldb_dn *conf_dn;
struct ldb_dn *policy_dn;
int i,ret;
/* set defaults limits in case of failure */
conn->limits.initial_timeout = 120;
conn->limits.conn_idle_time = 900;
conn->limits.max_page_size = 1000;
conn->limits.search_timeout = 120;
tmp_ctx = talloc_new(conn);
if (tmp_ctx == NULL) {
return -1;
}
basedn = ldb_dn_new(tmp_ctx, conn->ldb, NULL);
if ( ! ldb_dn_validate(basedn)) {
goto failed;
}
ret = ldb_search(conn->ldb, tmp_ctx, &res, basedn, LDB_SCOPE_BASE, attrs, NULL);
if (ret != LDB_SUCCESS) {
goto failed;
}
if (res->count != 1) {
goto failed;
}
conf_dn = ldb_msg_find_attr_as_dn(conn->ldb, tmp_ctx, res->msgs[0], "configurationNamingContext");
if (conf_dn == NULL) {
goto failed;
}
policy_dn = ldb_dn_copy(tmp_ctx, conf_dn);
ldb_dn_add_child_fmt(policy_dn, "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services");
if (policy_dn == NULL) {
goto failed;
}
ret = ldb_search(conn->ldb, tmp_ctx, &res, policy_dn, LDB_SCOPE_BASE, attrs2, NULL);
if (ret != LDB_SUCCESS) {
goto failed;
}
if (res->count != 1) {
goto failed;
}
el = ldb_msg_find_element(res->msgs[0], "lDAPAdminLimits");
if (el == NULL) {
goto failed;
}
for (i = 0; i < el->num_values; i++) {
char policy_name[256];
int policy_value, s;
s = sscanf((const char *)el->values[i].data, "%255[^=]=%d", policy_name, &policy_value);
if (ret != 2 || policy_value == 0)
continue;
if (strcasecmp("InitRecvTimeout", policy_name) == 0) {
conn->limits.initial_timeout = policy_value;
continue;
}
if (strcasecmp("MaxConnIdleTime", policy_name) == 0) {
conn->limits.conn_idle_time = policy_value;
continue;
}
if (strcasecmp("MaxPageSize", policy_name) == 0) {
conn->limits.max_page_size = policy_value;
continue;
}
if (strcasecmp("MaxQueryDuration", policy_name) == 0) {
conn->limits.search_timeout = policy_value;
continue;
}
}
return 0;
failed:
DEBUG(0, ("Failed to load ldap server query policies\n"));
talloc_free(tmp_ctx);
return -1;
}
/*
samr_ChangePasswordUser
*/
NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
TALLOC_CTX *mem_ctx,
struct samr_ChangePasswordUser *r)
{
struct dcesrv_handle *h;
struct samr_account_state *a_state;
struct ldb_context *sam_ctx;
struct ldb_message **res, *msg;
int ret;
struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
struct samr_Password *lm_pwd, *nt_pwd;
NTSTATUS status = NT_STATUS_OK;
const char * const attrs[] = { "dBCSPwd", "unicodePwd" , NULL };
DCESRV_PULL_HANDLE(h, r->in.user_handle, SAMR_HANDLE_USER);
a_state = h->data;
/* basic sanity checking on parameters. Do this before any database ops */
if (!r->in.lm_present || !r->in.nt_present ||
!r->in.old_lm_crypted || !r->in.new_lm_crypted ||
!r->in.old_nt_crypted || !r->in.new_nt_crypted) {
/* we should really handle a change with lm not
present */
return NT_STATUS_INVALID_PARAMETER_MIX;
}
/* To change a password we need to open as system */
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
ret = ldb_transaction_start(sam_ctx);
if (ret) {
DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx)));
return NT_STATUS_TRANSACTION_ABORTED;
}
/* fetch the old hashes */
ret = gendb_search_dn(sam_ctx, mem_ctx,
a_state->account_dn, &res, attrs);
if (ret != 1) {
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_WRONG_PASSWORD;
}
msg = res[0];
status = samdb_result_passwords(mem_ctx, dce_call->conn->dce_ctx->lp_ctx,
msg, &lm_pwd, &nt_pwd);
if (!NT_STATUS_IS_OK(status) || !lm_pwd || !nt_pwd) {
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_WRONG_PASSWORD;
}
/* decrypt and check the new lm hash */
D_P16(lm_pwd->hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
if (memcmp(checkHash.hash, lm_pwd, 16) != 0) {
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_WRONG_PASSWORD;
}
/* decrypt and check the new nt hash */
D_P16(nt_pwd->hash, r->in.new_nt_crypted->hash, new_ntPwdHash.hash);
D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash);
if (memcmp(checkHash.hash, nt_pwd, 16) != 0) {
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_WRONG_PASSWORD;
}
/* The NT Cross is not required by Win2k3 R2, but if present
check the nt cross hash */
if (r->in.cross1_present && r->in.nt_cross) {
D_P16(lm_pwd->hash, r->in.nt_cross->hash, checkHash.hash);
if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_WRONG_PASSWORD;
}
}
/* The LM Cross is not required by Win2k3 R2, but if present
check the lm cross hash */
if (r->in.cross2_present && r->in.lm_cross) {
D_P16(nt_pwd->hash, r->in.lm_cross->hash, checkHash.hash);
if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_WRONG_PASSWORD;
}
}
msg = ldb_msg_new(mem_ctx);
if (msg == NULL) {
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_NO_MEMORY;
}
msg->dn = ldb_dn_copy(msg, a_state->account_dn);
if (!msg->dn) {
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_NO_MEMORY;
}
/* setup password modify mods on the user DN specified. This may fail
* due to password policies. */
status = samdb_set_password(sam_ctx, mem_ctx,
a_state->account_dn, a_state->domain_state->domain_dn,
msg, NULL, &new_lmPwdHash, &new_ntPwdHash,
true, /* this is a user password change */
NULL,
NULL);
if (!NT_STATUS_IS_OK(status)) {
ldb_transaction_cancel(sam_ctx);
return status;
}
/* The above call only setup the modifications, this actually
* makes the write to the database. */
ret = samdb_replace(sam_ctx, mem_ctx, msg);
if (ret != 0) {
DEBUG(2,("Failed to modify record to change password on %s: %s\n",
ldb_dn_get_linearized(a_state->account_dn),
ldb_errstring(sam_ctx)));
ldb_transaction_cancel(sam_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
/* And this confirms it in a transaction commit */
ret = ldb_transaction_commit(sam_ctx);
if (ret != 0) {
DEBUG(1,("Failed to commit transaction to change password on %s: %s\n",
ldb_dn_get_linearized(a_state->account_dn),
ldb_errstring(sam_ctx)));
return NT_STATUS_TRANSACTION_ABORTED;
}
return NT_STATUS_OK;
}
/*
drsuapi_DsGetDomainControllerInfo
*/
static WERROR dcesrv_drsuapi_DsGetDomainControllerInfo_1(struct drsuapi_bind_state *b_state,
TALLOC_CTX *mem_ctx,
struct drsuapi_DsGetDomainControllerInfo *r)
{
struct ldb_dn *sites_dn;
struct ldb_result *res;
const char *attrs_account_1[] = { "cn", "dnsHostName", NULL };
const char *attrs_account_2[] = { "cn", "dnsHostName", "objectGUID", NULL };
const char *attrs_none[] = { NULL };
const char *attrs_site[] = { "objectGUID", NULL };
const char *attrs_ntds[] = { "options", "objectGUID", NULL };
const char *attrs_1[] = { "serverReference", "cn", "dnsHostName", NULL };
const char *attrs_2[] = { "serverReference", "cn", "dnsHostName", "objectGUID", NULL };
const char **attrs;
struct drsuapi_DsGetDCInfoCtr1 *ctr1;
struct drsuapi_DsGetDCInfoCtr2 *ctr2;
int ret, i;
*r->out.level_out = r->in.req->req1.level;
r->out.ctr = talloc(mem_ctx, union drsuapi_DsGetDCInfoCtr);
W_ERROR_HAVE_NO_MEMORY(r->out.ctr);
sites_dn = samdb_sites_dn(b_state->sam_ctx, mem_ctx);
if (!sites_dn) {
return WERR_DS_OBJ_NOT_FOUND;
}
switch (*r->out.level_out) {
case -1:
/* this level is not like the others */
return WERR_UNKNOWN_LEVEL;
case 1:
attrs = attrs_1;
break;
case 2:
attrs = attrs_2;
break;
default:
return WERR_UNKNOWN_LEVEL;
}
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res, sites_dn, LDB_SCOPE_SUBTREE, attrs,
"objectClass=server");
if (ret) {
DEBUG(1, ("searching for servers in sites DN %s failed: %s\n",
ldb_dn_get_linearized(sites_dn), ldb_errstring(b_state->sam_ctx)));
return WERR_GENERAL_FAILURE;
}
switch (*r->out.level_out) {
case 1:
ctr1 = &r->out.ctr->ctr1;
ctr1->count = res->count;
ctr1->array = talloc_zero_array(mem_ctx,
struct drsuapi_DsGetDCInfo1,
res->count);
for (i=0; i < res->count; i++) {
struct ldb_dn *domain_dn;
struct ldb_result *res_domain;
struct ldb_result *res_account;
struct ldb_dn *ntds_dn = ldb_dn_copy(mem_ctx, res->msgs[i]->dn);
struct ldb_dn *ref_dn
= ldb_msg_find_attr_as_dn(b_state->sam_ctx,
mem_ctx, res->msgs[i],
"serverReference");
if (!ntds_dn || !ldb_dn_add_child_fmt(ntds_dn, "CN=NTDS Settings")) {
return WERR_NOMEM;
}
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_account, ref_dn,
LDB_SCOPE_BASE, attrs_account_1, "objectClass=computer");
if (ret == LDB_SUCCESS && res_account->count == 1) {
const char *errstr;
ctr1->array[i].dns_name
= ldb_msg_find_attr_as_string(res_account->msgs[0], "dNSHostName", NULL);
ctr1->array[i].netbios_name
= ldb_msg_find_attr_as_string(res_account->msgs[0], "cn", NULL);
ctr1->array[i].computer_dn
= ldb_dn_get_linearized(res_account->msgs[0]->dn);
/* Determine if this is the PDC */
ret = samdb_search_for_parent_domain(b_state->sam_ctx,
mem_ctx, res_account->msgs[0]->dn,
&domain_dn, &errstr);
if (ret == LDB_SUCCESS) {
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_domain, domain_dn,
LDB_SCOPE_BASE, attrs_none, "fSMORoleOwner=%s",
ldb_dn_get_linearized(ntds_dn));
if (ret) {
return WERR_GENERAL_FAILURE;
}
if (res_domain->count == 1) {
ctr1->array[i].is_pdc = true;
}
}
}
if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
DEBUG(5, ("warning: searching for computer DN %s failed: %s\n",
ldb_dn_get_linearized(ref_dn), ldb_errstring(b_state->sam_ctx)));
}
/* Look at server DN and extract site component */
ctr1->array[i].site_name = result_site_name(res->msgs[i]->dn);
ctr1->array[i].server_dn = ldb_dn_get_linearized(res->msgs[i]->dn);
ctr1->array[i].is_enabled = true;
}
break;
case 2:
ctr2 = &r->out.ctr->ctr2;
ctr2->count = res->count;
ctr2->array = talloc_zero_array(mem_ctx,
struct drsuapi_DsGetDCInfo2,
res->count);
for (i=0; i < res->count; i++) {
struct ldb_dn *domain_dn;
struct ldb_result *res_domain;
struct ldb_result *res_account;
struct ldb_dn *ntds_dn = ldb_dn_copy(mem_ctx, res->msgs[i]->dn);
struct ldb_result *res_ntds;
struct ldb_dn *site_dn = ldb_dn_copy(mem_ctx, res->msgs[i]->dn);
struct ldb_result *res_site;
struct ldb_dn *ref_dn
= ldb_msg_find_attr_as_dn(b_state->sam_ctx,
mem_ctx, res->msgs[i],
"serverReference");
if (!ntds_dn || !ldb_dn_add_child_fmt(ntds_dn, "CN=NTDS Settings")) {
return WERR_NOMEM;
}
/* Format is cn=<NETBIOS name>,cn=Servers,cn=<site>,cn=sites.... */
if (!site_dn || !ldb_dn_remove_child_components(site_dn, 2)) {
return WERR_NOMEM;
}
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_ntds, ntds_dn,
LDB_SCOPE_BASE, attrs_ntds, "objectClass=nTDSDSA");
if (ret == LDB_SUCCESS && res_ntds->count == 1) {
ctr2->array[i].is_gc
= (ldb_msg_find_attr_as_int(res_ntds->msgs[0], "options", 0) == 1);
ctr2->array[i].ntds_guid
= samdb_result_guid(res_ntds->msgs[0], "objectGUID");
ctr2->array[i].ntds_dn = ldb_dn_get_linearized(res_ntds->msgs[0]->dn);
}
if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
DEBUG(5, ("warning: searching for NTDS DN %s failed: %s\n",
ldb_dn_get_linearized(ntds_dn), ldb_errstring(b_state->sam_ctx)));
}
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_site, site_dn,
LDB_SCOPE_BASE, attrs_site, "objectClass=site");
if (ret == LDB_SUCCESS && res_site->count == 1) {
ctr2->array[i].site_guid
= samdb_result_guid(res_site->msgs[0], "objectGUID");
ctr2->array[i].site_dn = ldb_dn_get_linearized(res_site->msgs[0]->dn);
}
if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
DEBUG(5, ("warning: searching for site DN %s failed: %s\n",
ldb_dn_get_linearized(site_dn), ldb_errstring(b_state->sam_ctx)));
}
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_account, ref_dn,
LDB_SCOPE_BASE, attrs_account_2, "objectClass=computer");
if (ret == LDB_SUCCESS && res_account->count == 1) {
const char *errstr;
ctr2->array[i].dns_name
= ldb_msg_find_attr_as_string(res_account->msgs[0], "dNSHostName", NULL);
ctr2->array[i].netbios_name
= ldb_msg_find_attr_as_string(res_account->msgs[0], "cn", NULL);
ctr2->array[i].computer_dn = ldb_dn_get_linearized(res_account->msgs[0]->dn);
ctr2->array[i].computer_guid
= samdb_result_guid(res_account->msgs[0], "objectGUID");
/* Determine if this is the PDC */
ret = samdb_search_for_parent_domain(b_state->sam_ctx,
mem_ctx, res_account->msgs[0]->dn,
&domain_dn, &errstr);
if (ret == LDB_SUCCESS) {
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_domain, domain_dn,
LDB_SCOPE_BASE, attrs_none, "fSMORoleOwner=%s",
ldb_dn_get_linearized(ntds_dn));
if (ret == LDB_SUCCESS && res_domain->count == 1) {
ctr2->array[i].is_pdc = true;
}
if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
DEBUG(5, ("warning: searching for domain DN %s failed: %s\n",
ldb_dn_get_linearized(domain_dn), ldb_errstring(b_state->sam_ctx)));
}
}
}
if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
DEBUG(5, ("warning: searching for computer account DN %s failed: %s\n",
ldb_dn_get_linearized(ref_dn), ldb_errstring(b_state->sam_ctx)));
}
/* Look at server DN and extract site component */
ctr2->array[i].site_name = result_site_name(res->msgs[i]->dn);
ctr2->array[i].server_dn = ldb_dn_get_linearized(res->msgs[i]->dn);
ctr2->array[i].server_guid
= samdb_result_guid(res->msgs[i], "objectGUID");
ctr2->array[i].is_enabled = true;
}
break;
}
return WERR_OK;
}
/**
\details Initialize and create a message object
\param mem_ctx pointer to the memory context to use for allocation
\param ldb_ctx pointer to the ldb context
\param messageID the identifier of the message to create
\param folderID the identifier of the folder where the message is created
\param message_object pointer on pointer to the message object to return
\return MAPI_E_SUCCESS on success, otherwise MAPI error
*/
_PUBLIC_ enum MAPISTATUS openchangedb_message_create(TALLOC_CTX *mem_ctx, struct ldb_context *ldb_ctx,
uint64_t messageID, uint64_t folderID, bool fai,
void **message_object)
{
enum MAPISTATUS retval;
struct openchangedb_message *msg;
struct ldb_dn *basedn;
char *dn;
char *parentDN;
char *mailboxDN;
int i;
/* Sanity checks */
OPENCHANGE_RETVAL_IF(!ldb_ctx, MAPI_E_NOT_INITIALIZED, NULL);
OPENCHANGE_RETVAL_IF(!message_object, MAPI_E_NOT_INITIALIZED, NULL);
/* Retrieve distinguishedName of parent folder */
retval = openchangedb_get_distinguishedName(mem_ctx, ldb_ctx, folderID, &parentDN);
OPENCHANGE_RETVAL_IF(retval, retval, NULL);
/* Retrieve mailboxDN of parent folder */
retval = openchangedb_get_mailboxDN(mem_ctx, ldb_ctx, folderID, &mailboxDN);
if (retval) {
mailboxDN = NULL;
}
dn = talloc_asprintf(mem_ctx, "CN=%"PRIu64",%s", messageID, parentDN);
OPENCHANGE_RETVAL_IF(!dn, MAPI_E_NOT_ENOUGH_MEMORY, NULL);
basedn = ldb_dn_new(mem_ctx, ldb_ctx, dn);
talloc_free(dn);
OPENCHANGE_RETVAL_IF(!ldb_dn_validate(basedn), MAPI_E_BAD_VALUE, NULL);
msg = talloc_zero(mem_ctx, struct openchangedb_message);
OPENCHANGE_RETVAL_IF(!msg, MAPI_E_NOT_ENOUGH_MEMORY, NULL);
msg->status = OPENCHANGEDB_MESSAGE_CREATE;
msg->folderID = folderID;
msg->messageID = messageID;
msg->ldb_ctx = ldb_ctx;
msg->msg = NULL;
msg->res = NULL;
msg->msg = ldb_msg_new((TALLOC_CTX *)msg);
OPENCHANGE_RETVAL_IF(!msg->msg, MAPI_E_NOT_ENOUGH_MEMORY, msg);
msg->msg->dn = ldb_dn_copy((TALLOC_CTX *)msg->msg, basedn);
/* Add openchangedb required attributes */
ldb_msg_add_string(msg->msg, "objectClass", fai ? "faiMessage" : "systemMessage");
ldb_msg_add_fmt(msg->msg, "cn", "%"PRIu64, messageID);
ldb_msg_add_fmt(msg->msg, "PidTagParentFolderId", "%"PRIu64, folderID);
ldb_msg_add_fmt(msg->msg, "PidTagMessageId", "%"PRIu64, messageID);
ldb_msg_add_fmt(msg->msg, "distinguishedName", "%s", ldb_dn_get_linearized(msg->msg->dn));
if (mailboxDN) {
ldb_msg_add_string(msg->msg, "mailboxDN", mailboxDN);
}
/* Add required properties as described in [MS_OXCMSG] 3.2.5.2 */
ldb_msg_add_string(msg->msg, "PidTagDisplayBcc", "");
ldb_msg_add_string(msg->msg, "PidTagDisplayCc", "");
ldb_msg_add_string(msg->msg, "PidTagDisplayTo", "");
/* PidTagMessageSize */
/* PidTagSecurityDescriptor */
/* ldb_msg_add_string(msg->msg, "PidTagCreationTime", ""); */
/* ldb_msg_add_string(msg->msg, "PidTagLastModificationTime", ""); */
/* PidTagSearchKey */
/* PidTagMessageLocalId */
/* PidTagCreatorName */
/* PidTagCreatorEntryId */
ldb_msg_add_fmt(msg->msg, "PidTagHasNamedProperties", "%d", 0x0);
/* PidTagLocaleId same as PidTagMessageLocaleId */
/* PidTagLocalCommitTime same as PidTagCreationTime */
/* Set LDB flag */
for (i = 0; i < msg->msg->num_elements; i++) {
msg->msg->elements[i].flags = LDB_FLAG_MOD_ADD;
}
*message_object = (void *)msg;
return MAPI_E_SUCCESS;
}
static int rdn_rename_callback(struct ldb_request *req, struct ldb_reply *ares)
{
struct ldb_context *ldb;
struct rename_context *ac;
struct ldb_request *mod_req;
const char *rdn_name;
struct ldb_val rdn_val;
struct ldb_message *msg;
int ret;
ac = talloc_get_type(req->context, struct rename_context);
ldb = ldb_module_get_ctx(ac->module);
if (!ares) {
goto error;
}
if (ares->error != LDB_SUCCESS) {
return ldb_module_done(ac->req, ares->controls,
ares->response, ares->error);
}
/* the only supported reply right now is a LDB_REPLY_DONE */
if (ares->type != LDB_REPLY_DONE) {
goto error;
}
/* save reply for caller */
ac->ares = talloc_steal(ac, ares);
msg = ldb_msg_new(ac);
if (msg == NULL) {
goto error;
}
msg->dn = ldb_dn_copy(msg, ac->req->op.rename.newdn);
if (msg->dn == NULL) {
goto error;
}
rdn_name = ldb_dn_get_rdn_name(ac->req->op.rename.newdn);
if (rdn_name == NULL) {
goto error;
}
rdn_val = ldb_val_dup(msg, ldb_dn_get_rdn_val(ac->req->op.rename.newdn));
if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
goto error;
}
if (ldb_msg_add_value(msg, rdn_name, &rdn_val, NULL) != 0) {
goto error;
}
if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
goto error;
}
if (ldb_msg_add_value(msg, "name", &rdn_val, NULL) != 0) {
goto error;
}
ret = ldb_build_mod_req(&mod_req, ldb,
ac, msg, NULL,
ac, rdn_modify_callback,
req);
if (ret != LDB_SUCCESS) {
return ldb_module_done(ac->req, NULL, NULL, ret);
}
talloc_steal(mod_req, msg);
/* go on with the call chain */
return ldb_next_request(ac->module, mod_req);
error:
return ldb_module_done(ac->req, NULL, NULL,
LDB_ERR_OPERATIONS_ERROR);
}
static bool torture_ldb_dn_extended(struct torture_context *torture)
{
TALLOC_CTX *mem_ctx = talloc_new(torture);
struct ldb_context *ldb;
struct ldb_dn *dn, *dn2;
DATA_BLOB sid_blob = strhex_to_data_blob(mem_ctx, hex_sid);
DATA_BLOB guid_blob = strhex_to_data_blob(mem_ctx, hex_guid);
const char *dn_str = "cn=admin,cn=users,dc=samba,dc=org";
torture_assert(torture,
ldb = ldb_init(mem_ctx, torture->ev),
"Failed to init ldb");
torture_assert_int_equal(torture,
ldb_register_samba_handlers(ldb), 0,
"Failed to register Samba handlers");
ldb_set_utf8_fns(ldb, NULL, wrap_casefold);
/* Check behaviour of a normal DN */
torture_assert(torture,
dn = ldb_dn_new(mem_ctx, ldb, dn_str),
"Failed to create a 'normal' DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'normal' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == false,
"Should not find plain DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL,
"Should not find an SID on plain DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL,
"Should not find an GUID on plain DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "WKGUID") == NULL,
"Should not find an WKGUID on plain DN");
/* Now make an extended DN */
torture_assert(torture,
dn = ldb_dn_new_fmt(mem_ctx, ldb, "<GUID=%s>;<SID=%s>;%s",
guid, sid, dn_str),
"Failed to create an 'extended' DN");
torture_assert(torture,
dn2 = ldb_dn_copy(mem_ctx, dn),
"Failed to copy the 'extended' DN");
talloc_free(dn);
dn = dn2;
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'extended' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == true,
"Should find extended DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") != NULL,
"Should find an SID on extended DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") != NULL,
"Should find an GUID on extended DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob,
"Extended DN SID incorect");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob,
"Extended DN GUID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), dn_str,
"linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_casefold(dn), strupper_talloc(mem_ctx, dn_str),
"casefolded DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_component_name(dn, 0), "cn",
"componet zero incorrect");
torture_assert_data_blob_equal(torture, *ldb_dn_get_component_val(dn, 0), data_blob_string_const("admin"),
"componet zero incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1),
talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
guid, sid, dn_str),
"Clear extended linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0),
talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
hex_guid, hex_sid, dn_str),
"HEX extended linearized DN incorrect");
torture_assert(torture, ldb_dn_remove_child_components(dn, 1) == true,
"Failed to remove DN child");
torture_assert(torture, ldb_dn_has_extended(dn) == false,
"Extended DN flag should be cleared after child element removal");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL,
"Should not find an SID on DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL,
"Should not find an GUID on DN");
/* TODO: test setting these in the other order, and ensure it still comes out 'GUID first' */
torture_assert_int_equal(torture, ldb_dn_set_extended_component(dn, "GUID", &guid_blob), 0,
"Failed to set a GUID on DN");
torture_assert_int_equal(torture, ldb_dn_set_extended_component(dn, "SID", &sid_blob), 0,
"Failed to set a SID on DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob,
"Extended DN SID incorect");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob,
"Extended DN GUID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "cn=users,dc=samba,dc=org",
"linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1),
talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
guid, sid, "cn=users,dc=samba,dc=org"),
"Clear extended linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0),
talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
hex_guid, hex_sid, "cn=users,dc=samba,dc=org"),
"HEX extended linearized DN incorrect");
/* Now check a 'just GUID' DN (clear format) */
torture_assert(torture,
dn = ldb_dn_new_fmt(mem_ctx, ldb, "<GUID=%s>",
guid),
"Failed to create an 'extended' DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'extended' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == true,
"Should find extended DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL,
"Should not find an SID on this DN");
torture_assert_int_equal(torture, ldb_dn_get_comp_num(dn), 0,
"Should not find an 'normal' componet on this DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") != NULL,
"Should find an GUID on this DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob,
"Extended DN GUID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "",
"linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1),
talloc_asprintf(mem_ctx, "<GUID=%s>",
guid),
"Clear extended linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0),
talloc_asprintf(mem_ctx, "<GUID=%s>",
hex_guid),
"HEX extended linearized DN incorrect");
/* Now check a 'just GUID' DN (HEX format) */
torture_assert(torture,
dn = ldb_dn_new_fmt(mem_ctx, ldb, "<GUID=%s>",
hex_guid),
"Failed to create an 'extended' DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'extended' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == true,
"Should find extended DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL,
"Should not find an SID on this DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") != NULL,
"Should find an GUID on this DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob,
"Extended DN GUID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "",
"linearized DN incorrect");
/* Now check a 'just SID' DN (clear format) */
torture_assert(torture,
dn = ldb_dn_new_fmt(mem_ctx, ldb, "<SID=%s>",
sid),
"Failed to create an 'extended' DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'extended' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == true,
"Should find extended DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL,
"Should not find an SID on this DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") != NULL,
"Should find an SID on this DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob,
"Extended DN SID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "",
"linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1),
talloc_asprintf(mem_ctx, "<SID=%s>",
sid),
"Clear extended linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0),
talloc_asprintf(mem_ctx, "<SID=%s>",
hex_sid),
"HEX extended linearized DN incorrect");
/* Now check a 'just SID' DN (HEX format) */
torture_assert(torture,
dn = ldb_dn_new_fmt(mem_ctx, ldb, "<SID=%s>",
hex_sid),
"Failed to create an 'extended' DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'extended' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == true,
"Should find extended DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL,
"Should not find an SID on this DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") != NULL,
"Should find an SID on this DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob,
"Extended DN SID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "",
"linearized DN incorrect");
talloc_free(mem_ctx);
return true;
}
static errno_t find_ipa_ext_memberships(TALLOC_CTX *mem_ctx,
const char *user_name,
struct sss_domain_info *user_dom,
hash_table_t *ext_group_hash,
struct ldb_dn **_user_dn,
char ***_groups)
{
int ret;
TALLOC_CTX *tmp_ctx = NULL;
struct ldb_result *result;
char **groups = NULL;
size_t c;
const char *sid;
hash_key_t key;
hash_value_t value;
hash_entry_t *entry;
struct hash_iter_context_t *iter;
hash_table_t *group_hash;
size_t g_count;
struct ldb_dn *user_dn = NULL;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
return ENOMEM;
}
ret = sysdb_initgroups(tmp_ctx, user_dom, user_name, &result);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_initgroups failed.\n");
goto done;
}
if (result->count == 0) {
DEBUG(SSSDBG_MINOR_FAILURE, "User [%s] not found in cache.\n",
user_name);
ret = EOK;
goto done;
}
ret = sss_hash_create(tmp_ctx, 10, &group_hash);
if (ret != HASH_SUCCESS) {
DEBUG(SSSDBG_OP_FAILURE, "sss_hash_create failed.\n");
goto done;
}
key.type = HASH_KEY_STRING;
/* The IPA external domains can have references to group and user SIDs.
* This means that we not only want to look up the group SIDs but the SID
* of the user (first element of result) as well. */
for (c = 0; c < result->count; c++) {
sid = ldb_msg_find_attr_as_string(result->msgs[c], SYSDB_SID_STR,
NULL);
if (sid == NULL) {
DEBUG(SSSDBG_MINOR_FAILURE, "Group [%s] does not have a SID.\n",
ldb_dn_get_linearized(result->msgs[c]->dn));
continue;
}
key.str = discard_const(sid);
ret = hash_lookup(ext_group_hash, &key, &value);
if (ret == HASH_ERROR_KEY_NOT_FOUND) {
DEBUG(SSSDBG_TRACE_ALL, "SID [%s] not found in ext group hash.\n",
sid);
} else if (ret == HASH_SUCCESS) {
iter = new_hash_iter_context(value.ptr);
if (iter == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "new_hash_iter_context failed.\n");
ret = EINVAL;
goto done;
}
while ((entry = iter->next(iter)) != NULL) {
ret = hash_enter(group_hash, &entry->key, &entry->value);
if (ret != HASH_SUCCESS) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to add group [%s].\n",
entry->key.str);
}
}
talloc_free(iter);
} else {
DEBUG(SSSDBG_OP_FAILURE, "hash_lookup failed for SID [%s].\n",
sid);
}
}
g_count = hash_count(group_hash);
if (g_count == 0) {
DEBUG(SSSDBG_TRACE_FUNC, "No external groupmemberships found.\n");
ret = EOK;
goto done;
}
groups = talloc_zero_array(mem_ctx, char *, g_count + 1);
if (groups == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
ret = ENOMEM;
goto done;
}
iter = new_hash_iter_context(group_hash);
if (iter == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "new_hash_iter_context failed.\n");
ret = EINVAL;
goto done;
}
c = 0;
while ((entry = iter->next(iter)) != NULL) {
groups[c] = talloc_strdup(groups, entry->key.str);
if (groups[c] == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
ret = ENOMEM;
goto done;
}
c++;
}
user_dn = ldb_dn_copy(mem_ctx, result->msgs[0]->dn);
if (user_dn == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n");
ret = ENOMEM;
goto done;
}
ret = EOK;
done:
*_user_dn = user_dn;
*_groups = groups;
talloc_free(tmp_ctx);
return ret;
}
