/*
get the DN of the nTDSDSA object from the configuration partition
whose invocationId is 'invocation_id'
put the value on 'dn_str'
*/
static WERROR get_dn_from_invocation_id(TALLOC_CTX *mem_ctx,
struct ldb_context *samdb,
struct GUID *invocation_id,
const char **dn_str)
{
char *invocation_id_str;
const char *attrs_invocation[] = { NULL };
struct ldb_message *msg;
int ret;
invocation_id_str = GUID_string(mem_ctx, invocation_id);
W_ERROR_HAVE_NO_MEMORY(invocation_id_str);
ret = dsdb_search_one(samdb, invocation_id_str, &msg, ldb_get_config_basedn(samdb), LDB_SCOPE_SUBTREE,
attrs_invocation, 0, "(&(objectClass=nTDSDSA)(invocationId=%s))", invocation_id_str);
if (ret != LDB_SUCCESS) {
DEBUG(0, (__location__ ": Failed search for the object DN under %s whose invocationId is %s",
invocation_id_str, ldb_dn_get_linearized(ldb_get_config_basedn(samdb))));
talloc_free(invocation_id_str);
return WERR_INTERNAL_ERROR;
}
*dn_str = ldb_dn_alloc_linearized(mem_ctx, msg->dn);
talloc_free(invocation_id_str);
return WERR_OK;
}
/**
\details Get the organization name (like "First Organization") as a DN.
\param emsmdbp_ctx pointer to the EMSMDBP context
\param basedn pointer to the returned struct ldb_dn
\return MAPI_E_SUCCESS or an error if something happens
*/
_PUBLIC_ enum MAPISTATUS emsmdbp_get_org_dn(struct emsmdbp_context *emsmdbp_ctx, struct ldb_dn **basedn)
{
enum MAPISTATUS retval;
int ret;
struct ldb_result *res = NULL;
char *org_name;
OPENCHANGE_RETVAL_IF(!emsmdbp_ctx, MAPI_E_NOT_INITIALIZED, NULL);
OPENCHANGE_RETVAL_IF(!emsmdbp_ctx->samdb_ctx, MAPI_E_NOT_INITIALIZED, NULL);
OPENCHANGE_RETVAL_IF(!basedn, MAPI_E_INVALID_PARAMETER, NULL);
retval = emsmdbp_fetch_organizational_units(emsmdbp_ctx, emsmdbp_ctx, &org_name, NULL);
OPENCHANGE_RETVAL_IF(retval != MAPI_E_SUCCESS, retval, NULL);
ret = ldb_search(emsmdbp_ctx->samdb_ctx, emsmdbp_ctx, &res,
ldb_get_config_basedn(emsmdbp_ctx->samdb_ctx),
LDB_SCOPE_SUBTREE, NULL,
"(&(objectClass=msExchOrganizationContainer)(cn=%s))",
ldb_binary_encode_string(emsmdbp_ctx, org_name));
talloc_free(org_name);
/* If the search failed */
if (ret != LDB_SUCCESS) {
DEBUG(1, ("emsmdbp_get_org_dn ldb_search failure.\n"));
return MAPI_E_NOT_FOUND;
}
*basedn = ldb_dn_new(emsmdbp_ctx, emsmdbp_ctx->samdb_ctx,
ldb_msg_find_attr_as_string(res->msgs[0], "distinguishedName", NULL));
return MAPI_E_SUCCESS;
}
static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
struct ldb_dn *dn,
struct security_token *token,
struct ldb_context *ldb)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
struct dom_sid *dag_sid;
struct ldb_dn *nc_root;
int ret;
ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return NULL;
}
if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
if (security_token_has_sid(token, sa_sid)) {
dag_sid = dom_sid_dup(mem_ctx, sa_sid);
} else if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_is_system(token)) {
dag_sid = dom_sid_dup(mem_ctx, sa_sid);
} else {
dag_sid = NULL;
}
} else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_is_system(token)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else {
dag_sid = NULL;
}
} else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_is_system(token)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else {
dag_sid = NULL;
}
} else {
dag_sid = NULL;
}
talloc_free(tmp_ctx);
return dag_sid;
}
static int acl_add(struct ldb_module *module, struct ldb_request *req)
{
int ret;
struct ldb_dn *parent = ldb_dn_get_parent(req, req->op.add.message->dn);
struct ldb_context *ldb;
struct ldb_message_element *oc_el;
const struct GUID *guid;
struct object_tree *root = NULL;
struct object_tree *new_node = NULL;
if (what_is_user(module) == SECURITY_SYSTEM) {
return ldb_next_request(module, req);
}
if (ldb_dn_is_special(req->op.add.message->dn)) {
return ldb_next_request(module, req);
}
ldb = ldb_module_get_ctx(module);
/* Creating an NC. There is probably something we should do here,
* but we will establish that later */
if ((ldb_dn_compare(req->op.add.message->dn, (ldb_get_schema_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.add.message->dn, (ldb_get_config_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.add.message->dn, (ldb_get_root_basedn(ldb))) == 0)) {
return ldb_next_request(module, req);
}
oc_el = ldb_msg_find_element(req->op.add.message, "objectClass");
if (!oc_el || oc_el->num_values == 0) {
DEBUG(10,("acl:operation error %s\n", ldb_dn_get_linearized(req->op.add.message->dn)));
return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
}
guid = class_schemaid_guid_by_lDAPDisplayName(dsdb_get_schema(ldb),
(char *)oc_el->values[oc_el->num_values-1].data);
if (!insert_in_object_tree(req, guid, SEC_ADS_CREATE_CHILD, &root, &new_node)) {
return LDB_ERR_OPERATIONS_ERROR;
}
ret = check_access_on_dn(module, req, parent, SEC_ADS_CREATE_CHILD, root);
if (ret != LDB_SUCCESS) {
return ret;
}
return ldb_next_request(module, req);
}
/* similar to the modify for the time being.
* We need to concider the special delete tree case, though - TODO */
static int acl_delete(struct ldb_module *module, struct ldb_request *req)
{
int ret;
struct ldb_dn *parent = ldb_dn_get_parent(req, req->op.del.dn);
struct ldb_context *ldb;
DEBUG(10, ("ldb:acl_delete: %s\n", ldb_dn_get_linearized(req->op.del.dn)));
if (what_is_user(module) == SECURITY_SYSTEM) {
return ldb_next_request(module, req);
}
if (ldb_dn_is_special(req->op.del.dn)) {
return ldb_next_request(module, req);
}
ldb = ldb_module_get_ctx(module);
/* first check if we have delete object right */
ret = check_access_on_dn(module, req, req->op.del.dn, SEC_STD_DELETE, NULL);
if (ret == LDB_SUCCESS) {
return ldb_next_request(module, req);
}
/* Nope, we don't have delete object. Lets check if we have delete child on the parent */
/* No parent, so check fails */
if ((ldb_dn_compare(req->op.del.dn, (ldb_get_schema_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.del.dn, (ldb_get_config_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.del.dn, (ldb_get_root_basedn(ldb))) == 0)) {
DEBUG(10,("acl:deleting an NC\n"));
return ldb_module_done(req, NULL, NULL, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS);
}
ret = check_access_on_dn(module, req, parent, SEC_ADS_DELETE_CHILD, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
return ldb_next_request(module, req);
}
static int acl_rename(struct ldb_module *module, struct ldb_request *req)
{
int ret;
struct ldb_dn *oldparent = ldb_dn_get_parent(req, req->op.rename.olddn);
struct ldb_dn *newparent = ldb_dn_get_parent(req, req->op.rename.newdn);
struct ldb_context *ldb;
struct security_descriptor *sd = NULL;
struct dom_sid *sid = NULL;
struct ldb_result *acl_res;
const struct GUID *guid;
struct object_tree *root = NULL;
struct object_tree *new_node = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(req);
NTSTATUS status;
uint32_t access_granted;
static const char *acl_attrs[] = {
"nTSecurityDescriptor",
"objectClass",
"objectSid",
NULL
};
DEBUG(10, ("ldb:acl_rename: %s\n", ldb_dn_get_linearized(req->op.rename.olddn)));
if (what_is_user(module) == SECURITY_SYSTEM) {
return ldb_next_request(module, req);
}
if (ldb_dn_is_special(req->op.rename.olddn)) {
return ldb_next_request(module, req);
}
ldb = ldb_module_get_ctx(module);
/* TODO search to include deleted objects */
ret = ldb_search(ldb, req, &acl_res, req->op.rename.olddn,
LDB_SCOPE_BASE, acl_attrs, NULL);
/* we sould be able to find the parent */
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl: failed to find object %s\n",
ldb_dn_get_linearized(req->op.rename.olddn)));
return ret;
}
guid = get_oc_guid_from_message(module,acl_res->msgs[0]);
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&root, &new_node)) {
return LDB_ERR_OPERATIONS_ERROR;
};
guid = attribute_schemaid_guid_by_lDAPDisplayName(dsdb_get_schema(ldb),
"name");
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&new_node, &new_node)) {
return LDB_ERR_OPERATIONS_ERROR;
};
ret = get_sd_from_ldb_message(req, acl_res->msgs[0], &sd);
if (ret != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* Theoretically we pass the check if the object has no sd */
if (!sd) {
return LDB_SUCCESS;
}
ret = get_dom_sid_from_ldb_message(req, acl_res->msgs[0], &sid);
if (ret != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
status = sec_access_check_ds(sd, acl_user_token(module),
SEC_ADS_WRITE_PROP,
&access_granted,
root,
sid);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("Object %s nas no wp on name\n",
ldb_dn_get_linearized(req->op.rename.olddn)));
acl_debug(sd,
acl_user_token(module),
req->op.rename.olddn,
true,
10);
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
}
if (ldb_dn_compare(oldparent, newparent) == 0) {
/* regular rename, not move, nothing more to do */
return ldb_next_request(module, req);
}
/* What exactly to do in this case? It would fail anyway.. */
if ((ldb_dn_compare(req->op.rename.newdn, (ldb_get_schema_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.rename.newdn, (ldb_get_config_basedn(ldb))) == 0) ||
(ldb_dn_compare(req->op.rename.newdn, (ldb_get_root_basedn(ldb))) == 0)) {
DEBUG(10,("acl:moving as an NC\n"));
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
}
/* new parent should have create child */
talloc_free(tmp_ctx);
tmp_ctx = talloc_new(req);
root = NULL;
new_node = NULL;
guid = get_oc_guid_from_message(module,acl_res->msgs[0]);
if (!guid) {
DEBUG(10,("acl:renamed object has no object class\n"));
return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
}
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_CREATE_CHILD,
&root, &new_node)) {
return LDB_ERR_OPERATIONS_ERROR;
}
ret = check_access_on_dn(module, req, newparent, SEC_ADS_CREATE_CHILD, root);
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
return ret;
}
/* do we have delete object on the object? */
status = sec_access_check_ds(sd, acl_user_token(module),
SEC_STD_DELETE,
&access_granted,
NULL,
sid);
if (NT_STATUS_IS_OK(status)) {
return ldb_next_request(module, req);
}
/* what about delete child on the current parent */
ret = check_access_on_dn(module, req, oldparent, SEC_ADS_DELETE_CHILD, NULL);
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
return ldb_module_done(req, NULL, NULL, ret);
}
return ldb_next_request(module, req);
}
/*
work out the principal to use for DRS replication connections
*/
NTSTATUS dreplsrv_get_target_principal(struct dreplsrv_service *s,
TALLOC_CTX *mem_ctx,
const struct repsFromTo1 *rft,
const char **target_principal)
{
TALLOC_CTX *tmp_ctx;
struct ldb_result *res;
const char *attrs_server[] = { "dNSHostName", NULL };
const char *attrs_ntds[] = { "msDS-HasDomainNCs", "hasMasterNCs", NULL };
int ret;
const char *hostname, *dnsdomain=NULL;
struct ldb_dn *ntds_dn, *server_dn;
struct ldb_dn *forest_dn, *nc_dn;
*target_principal = NULL;
tmp_ctx = talloc_new(mem_ctx);
/* we need to find their hostname */
ret = dsdb_find_dn_by_guid(s->samdb, tmp_ctx, &rft->source_dsa_obj_guid, &ntds_dn);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
/* its OK for their NTDSDSA DN not to be in our database */
return NT_STATUS_OK;
}
server_dn = ldb_dn_copy(tmp_ctx, ntds_dn);
if (server_dn == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
/* strip off the NTDS Settings */
if (!ldb_dn_remove_child_components(server_dn, 1)) {
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
ret = dsdb_search_dn(s->samdb, tmp_ctx, &res, server_dn, attrs_server, 0);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
/* its OK for their server DN not to be in our database */
return NT_STATUS_OK;
}
forest_dn = ldb_get_root_basedn(s->samdb);
if (forest_dn == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
hostname = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
if (hostname != NULL) {
char *local_principal;
/*
if we have the dNSHostName attribute then we can use
the GC/hostname/realm SPN. All DCs should have this SPN
Windows DC may set up it's dNSHostName before setting up
GC/xx/xx SPN. So make sure it exists, before using it.
*/
local_principal = talloc_asprintf(mem_ctx, "GC/%s/%s",
hostname,
samdb_dn_to_dns_domain(tmp_ctx, forest_dn));
if (dreplsrv_spn_exists(s->samdb, ntds_dn, local_principal)) {
*target_principal = local_principal;
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
talloc_free(local_principal);
}
/*
if we can't find the dNSHostName then we will try for the
E3514235-4B06-11D1-AB04-00C04FC2DCD2/${NTDSGUID}/${DNSDOMAIN}
SPN. To use that we need the DNS domain name of the target
DC. We find that by first looking for the msDS-HasDomainNCs
in the NTDSDSA object of the DC, and if we don't find that,
then we look for the hasMasterNCs attribute, and eliminate
the known schema and configuruation DNs. Despite how
bizarre this seems, Hongwei tells us that this is in fact
what windows does to find the SPN!!
*/
ret = dsdb_search_dn(s->samdb, tmp_ctx, &res, ntds_dn, attrs_ntds, 0);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
nc_dn = ldb_msg_find_attr_as_dn(s->samdb, tmp_ctx, res->msgs[0], "msDS-HasDomainNCs");
if (nc_dn != NULL) {
dnsdomain = samdb_dn_to_dns_domain(tmp_ctx, nc_dn);
}
if (dnsdomain == NULL) {
struct ldb_message_element *el;
int i;
el = ldb_msg_find_element(res->msgs[0], "hasMasterNCs");
for (i=0; el && i<el->num_values; i++) {
nc_dn = ldb_dn_from_ldb_val(tmp_ctx, s->samdb, &el->values[i]);
if (nc_dn == NULL ||
ldb_dn_compare(ldb_get_config_basedn(s->samdb), nc_dn) == 0 ||
ldb_dn_compare(ldb_get_schema_basedn(s->samdb), nc_dn) == 0) {
continue;
}
/* it must be a domain DN, get the equivalent
DNS domain name */
dnsdomain = samdb_dn_to_dns_domain(tmp_ctx, nc_dn);
break;
}
}
if (dnsdomain != NULL) {
*target_principal = talloc_asprintf(mem_ctx,
"E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s",
GUID_string(tmp_ctx, &rft->source_dsa_obj_guid),
dnsdomain);
}
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
static enum drsuapi_DsNameStatus LDB_lookup_spn_alias(krb5_context context, struct ldb_context *ldb_ctx,
TALLOC_CTX *mem_ctx,
const char *alias_from,
char **alias_to)
{
unsigned int i;
int ret;
struct ldb_result *res;
struct ldb_message_element *spnmappings;
TALLOC_CTX *tmp_ctx;
struct ldb_dn *service_dn;
char *service_dn_str;
const char *directory_attrs[] = {
"sPNMappings",
NULL
};
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
}
service_dn = ldb_dn_new(tmp_ctx, ldb_ctx, "CN=Directory Service,CN=Windows NT,CN=Services");
if ( ! ldb_dn_add_base(service_dn, ldb_get_config_basedn(ldb_ctx))) {
return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
}
service_dn_str = ldb_dn_alloc_linearized(tmp_ctx, service_dn);
if ( ! service_dn_str) {
return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
}
ret = ldb_search(ldb_ctx, tmp_ctx, &res, service_dn, LDB_SCOPE_BASE,
directory_attrs, "(objectClass=nTDSService)");
if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_OBJECT) {
DEBUG(1, ("ldb_search: dn: %s not found: %s\n", service_dn_str, ldb_errstring(ldb_ctx)));
return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
} else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
DEBUG(1, ("ldb_search: dn: %s not found\n", service_dn_str));
return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
} else if (res->count != 1) {
talloc_free(res);
DEBUG(1, ("ldb_search: dn: %s not found\n", service_dn_str));
return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
}
spnmappings = ldb_msg_find_element(res->msgs[0], "sPNMappings");
if (!spnmappings || spnmappings->num_values == 0) {
DEBUG(1, ("ldb_search: dn: %s no sPNMappings attribute\n", service_dn_str));
talloc_free(tmp_ctx);
return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
}
for (i = 0; i < spnmappings->num_values; i++) {
char *mapping, *p, *str;
mapping = talloc_strdup(tmp_ctx,
(const char *)spnmappings->values[i].data);
if (!mapping) {
DEBUG(1, ("LDB_lookup_spn_alias: ldb_search: dn: %s did not have an sPNMapping\n", service_dn_str));
talloc_free(tmp_ctx);
return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
}
/* C string manipulation sucks */
p = strchr(mapping, '=');
if (!p) {
DEBUG(1, ("ldb_search: dn: %s sPNMapping malformed: %s\n",
service_dn_str, mapping));
talloc_free(tmp_ctx);
return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
}
p[0] = '\0';
p++;
do {
str = p;
p = strchr(p, ',');
if (p) {
p[0] = '\0';
p++;
}
if (strcasecmp(str, alias_from) == 0) {
*alias_to = mapping;
talloc_steal(mem_ctx, mapping);
talloc_free(tmp_ctx);
return DRSUAPI_DS_NAME_STATUS_OK;
}
} while (p);
}
DEBUG(4, ("LDB_lookup_spn_alias: no alias for service %s applicable\n", alias_from));
talloc_free(tmp_ctx);
return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
}
/*
check to see if any deleted objects need scavenging
*/
NTSTATUS kccsrv_check_deleted(struct kccsrv_service *s, TALLOC_CTX *mem_ctx)
{
struct kccsrv_partition *part;
int ret;
uint32_t tombstoneLifetime;
bool do_fs = false;
time_t interval = lpcfg_parm_int(s->task->lp_ctx, NULL, "kccsrv",
"check_deleted_full_scan_interval", 86400);
time_t t = time(NULL);
if (t - s->last_deleted_check < lpcfg_parm_int(s->task->lp_ctx, NULL, "kccsrv",
"check_deleted_interval", 600)) {
return NT_STATUS_OK;
}
s->last_deleted_check = t;
ret = dsdb_tombstone_lifetime(s->samdb, &tombstoneLifetime);
if (ret != LDB_SUCCESS) {
DEBUG(1,(__location__ ": Failed to get tombstone lifetime\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (s->last_full_scan_deleted_check > 0 && ((t - s->last_full_scan_deleted_check) > interval )) {
do_fs = true;
s->last_full_scan_deleted_check = t;
}
if (s->last_full_scan_deleted_check == 0) {
/*
* If we never made a full scan set the last full scan event to be in the past
* and that 9/10 of the full scan interval has already passed.
* This is done to avoid the full scan to fire just at the begining of samba
* or a couple of minutes after the start.
* With this "setup" and default values of interval, the full scan will fire
* 2.4 hours after the start of samba
*/
s->last_full_scan_deleted_check = t - ((9 * interval) / 10);
}
for (part=s->partitions; part; part=part->next) {
struct ldb_dn *do_dn;
struct ldb_result *res;
const char *attrs[] = { "whenChanged", NULL };
unsigned int i;
ret = dsdb_get_deleted_objects_dn(s->samdb, mem_ctx, part->dn, &do_dn);
if (ret != LDB_SUCCESS) {
/* some partitions have no Deleted Objects
container */
continue;
}
if (!do_fs && ldb_dn_compare(ldb_get_config_basedn(s->samdb), part->dn)) {
ret = dsdb_search(s->samdb, do_dn, &res, do_dn, LDB_SCOPE_ONELEVEL, attrs,
DSDB_SEARCH_SHOW_RECYCLED, NULL);
} else {
if (do_fs) {
DEBUG(1, ("Doing a full scan on %s and looking for deleted object\n",
ldb_dn_get_linearized(part->dn)));
}
ret = dsdb_search(s->samdb, part->dn, &res, part->dn, LDB_SCOPE_SUBTREE, attrs,
DSDB_SEARCH_SHOW_RECYCLED, "(isDeleted=TRUE)");
}
if (ret != LDB_SUCCESS) {
DEBUG(1,(__location__ ": Failed to search for deleted objects in %s\n",
ldb_dn_get_linearized(do_dn)));
talloc_free(do_dn);
continue;
}
for (i=0; i<res->count; i++) {
const char *tstring;
time_t whenChanged = 0;
if (ldb_dn_compare(do_dn, res->msgs[i]->dn) == 0) {
/* Skip the Deleted Object Container */
continue;
}
tstring = ldb_msg_find_attr_as_string(res->msgs[i], "whenChanged", NULL);
if (tstring) {
whenChanged = ldb_string_to_time(tstring);
}
if (t - whenChanged > tombstoneLifetime*60*60*24) {
ret = dsdb_delete(s->samdb, res->msgs[i]->dn, DSDB_SEARCH_SHOW_DELETED);
if (ret != LDB_SUCCESS) {
DEBUG(1,(__location__ ": Failed to remove deleted object %s\n",
ldb_dn_get_linearized(res->msgs[i]->dn)));
} else {
DEBUG(4,("Removed deleted object %s\n",
ldb_dn_get_linearized(res->msgs[i]->dn)));
}
}
}
talloc_free(do_dn);
}
return NT_STATUS_OK;
}
