static int construct_msds_isrodc_with_dn(struct ldb_module *module,
struct ldb_message *msg,
struct ldb_message_element *object_category)
{
struct ldb_context *ldb;
struct ldb_dn *dn;
const struct ldb_val *val;
ldb = ldb_module_get_ctx(module);
if (!ldb) {
DEBUG(4, (__location__ ": Failed to get ldb \n"));
return ldb_operr(ldb);
}
dn = ldb_dn_new(msg, ldb, (const char *)object_category->values[0].data);
if (!dn) {
DEBUG(4, (__location__ ": Failed to create dn from %s \n",
(const char *)object_category->values[0].data));
return ldb_operr(ldb);
}
val = ldb_dn_get_rdn_val(dn);
if (!val) {
DEBUG(4, (__location__ ": Failed to get rdn val from %s \n",
ldb_dn_get_linearized(dn)));
return ldb_operr(ldb);
}
if (strequal((const char *)val->data, "NTDS-DSA")) {
ldb_msg_add_string(msg, "msDS-isRODC", "FALSE");
} else {
ldb_msg_add_string(msg, "msDS-isRODC", "TRUE");
}
return LDB_SUCCESS;
}
int dsdb_get_sd_from_ldb_message(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
struct ldb_message *acl_res,
struct security_descriptor **sd)
{
struct ldb_message_element *sd_element;
enum ndr_err_code ndr_err;
sd_element = ldb_msg_find_element(acl_res, "nTSecurityDescriptor");
if (sd_element == NULL) {
return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS,
"nTSecurityDescriptor is missing");
}
*sd = talloc(mem_ctx, struct security_descriptor);
if(!*sd) {
return ldb_oom(ldb);
}
ndr_err = ndr_pull_struct_blob(&sd_element->values[0], *sd, *sd,
(ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
return ldb_operr(ldb);
}
return LDB_SUCCESS;
}
/**
* Writes schema_info structure into schemaInfo
* attribute on SCHEMA partition
*
* @param dsdb_flags DSDB_FLAG_... flag of 0
*/
static int dsdb_module_schema_info_write(struct ldb_module *ldb_module,
uint32_t dsdb_flags,
const struct dsdb_schema_info *schema_info,
struct ldb_request *parent)
{
WERROR werr;
int ret;
DATA_BLOB ndr_blob;
TALLOC_CTX *temp_ctx;
temp_ctx = talloc_new(ldb_module);
if (temp_ctx == NULL) {
return ldb_module_oom(temp_ctx);
}
/* convert schema_info to a blob */
werr = dsdb_blob_from_schema_info(schema_info, temp_ctx, &ndr_blob);
if (!W_ERROR_IS_OK(werr)) {
talloc_free(temp_ctx);
ldb_asprintf_errstring(ldb_module_get_ctx(ldb_module), __location__ ": failed to get schema_info");
return ldb_operr(ldb_module_get_ctx(ldb_module));
}
/* write serialized schemaInfo into LDB */
ret = dsdb_module_schema_info_blob_write(ldb_module, dsdb_flags, &ndr_blob, parent);
talloc_free(temp_ctx);
return ret;
}
int dsdb_check_access_on_dn_internal(struct ldb_context *ldb,
struct ldb_result *acl_res,
TALLOC_CTX *mem_ctx,
struct security_token *token,
struct ldb_dn *dn,
uint32_t access_mask,
const struct GUID *guid)
{
struct security_descriptor *sd = NULL;
struct dom_sid *sid = NULL;
struct object_tree *root = NULL;
NTSTATUS status;
uint32_t access_granted;
int ret;
ret = dsdb_get_sd_from_ldb_message(ldb, mem_ctx, acl_res->msgs[0], &sd);
if (ret != LDB_SUCCESS) {
return ldb_operr(ldb);
}
sid = samdb_result_dom_sid(mem_ctx, acl_res->msgs[0], "objectSid");
if (guid) {
if (!insert_in_object_tree(mem_ctx, guid, access_mask, NULL,
&root)) {
return ldb_operr(ldb);
}
}
status = sec_access_check_ds(sd, token,
access_mask,
&access_granted,
root,
sid);
if (!NT_STATUS_IS_OK(status)) {
dsdb_acl_debug(sd,
token,
dn,
true,
10);
ldb_asprintf_errstring(ldb,
"dsdb_access: Access check failed on %s",
ldb_dn_get_linearized(dn));
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
}
return LDB_SUCCESS;
}
/*
construct msDS-keyVersionNumber attr
TODO: Make this based on the 'win2k' DS huristics bit...
*/
static int construct_msds_keyversionnumber(struct ldb_module *module,
struct ldb_message *msg,
enum ldb_scope scope,
struct ldb_request *parent)
{
uint32_t i;
enum ndr_err_code ndr_err;
const struct ldb_val *omd_value;
struct replPropertyMetaDataBlob *omd;
int ret;
omd_value = ldb_msg_find_ldb_val(msg, "replPropertyMetaData");
if (!omd_value) {
/* We can't make up a key version number without meta data */
return LDB_SUCCESS;
}
if (!omd_value) {
return LDB_SUCCESS;
}
omd = talloc(msg, struct replPropertyMetaDataBlob);
if (!omd) {
ldb_module_oom(module);
return LDB_SUCCESS;
}
ndr_err = ndr_pull_struct_blob(omd_value, omd, omd,
(ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DEBUG(0,(__location__ ": Failed to parse replPropertyMetaData for %s when trying to add msDS-KeyVersionNumber\n",
ldb_dn_get_linearized(msg->dn)));
return ldb_operr(ldb_module_get_ctx(module));
}
if (omd->version != 1) {
DEBUG(0,(__location__ ": bad version %u in replPropertyMetaData for %s when trying to add msDS-KeyVersionNumber\n",
omd->version, ldb_dn_get_linearized(msg->dn)));
talloc_free(omd);
return LDB_SUCCESS;
}
for (i=0; i<omd->ctr.ctr1.count; i++) {
if (omd->ctr.ctr1.array[i].attid == DRSUAPI_ATTID_unicodePwd) {
ret = samdb_msg_add_uint(ldb_module_get_ctx(module),
msg, msg,
"msDS-KeyVersionNumber",
omd->ctr.ctr1.array[i].version);
if (ret != LDB_SUCCESS) {
talloc_free(omd);
return ret;
}
break;
}
}
return LDB_SUCCESS;
}
/*
construct a canonical name from a message
*/
static int construct_canonical_name(struct ldb_module *module,
struct ldb_message *msg, enum ldb_scope scope,
struct ldb_request *parent)
{
char *canonicalName;
canonicalName = ldb_dn_canonical_string(msg, msg->dn);
if (canonicalName == NULL) {
return ldb_operr(ldb_module_get_ctx(module));
}
return ldb_msg_add_steal_string(msg, "canonicalName", canonicalName);
}
/**
* Reads schema_info structure from schemaInfo
* attribute on SCHEMA partition
*
* @param dsdb_flags DSDB_FLAG_... flag of 0
*/
int dsdb_module_schema_info_blob_read(struct ldb_module *ldb_module,
uint32_t dsdb_flags,
TALLOC_CTX *mem_ctx,
struct ldb_val *schema_info_blob,
struct ldb_request *parent)
{
int ldb_err;
const struct ldb_val *blob_val;
struct ldb_dn *schema_dn;
struct ldb_result *schema_res = NULL;
static const char *schema_attrs[] = {
"schemaInfo",
NULL
};
schema_dn = ldb_get_schema_basedn(ldb_module_get_ctx(ldb_module));
if (!schema_dn) {
DEBUG(0,("dsdb_module_schema_info_blob_read: no schema dn present!\n"));
return ldb_operr(ldb_module_get_ctx(ldb_module));
}
ldb_err = dsdb_module_search(ldb_module, mem_ctx, &schema_res, schema_dn,
LDB_SCOPE_BASE, schema_attrs, dsdb_flags, parent,
NULL);
if (ldb_err == LDB_ERR_NO_SUCH_OBJECT) {
DEBUG(0,("dsdb_module_schema_info_blob_read: Schema DN not found!\n"));
talloc_free(schema_res);
return ldb_err;
} else if (ldb_err != LDB_SUCCESS) {
DEBUG(0,("dsdb_module_schema_info_blob_read: failed to find schemaInfo attribute\n"));
talloc_free(schema_res);
return ldb_err;
}
blob_val = ldb_msg_find_ldb_val(schema_res->msgs[0], "schemaInfo");
if (!blob_val) {
ldb_asprintf_errstring(ldb_module_get_ctx(ldb_module),
"dsdb_module_schema_info_blob_read: no schemaInfo attribute found");
talloc_free(schema_res);
return LDB_ERR_NO_SUCH_ATTRIBUTE;
}
/* transfer .data ownership to mem_ctx */
schema_info_blob->length = blob_val->length;
schema_info_blob->data = talloc_steal(mem_ctx, blob_val->data);
talloc_free(schema_res);
return LDB_SUCCESS;
}
static int subtree_delete_init(struct ldb_module *module)
{
struct ldb_context *ldb;
int ret;
ldb = ldb_module_get_ctx(module);
ret = ldb_mod_register_control(module, LDB_CONTROL_TREE_DELETE_OID);
if (ret != LDB_SUCCESS) {
ldb_debug(ldb, LDB_DEBUG_ERROR,
"subtree_delete: Unable to register control with rootdse!\n");
return ldb_operr(ldb);
}
return ldb_next_init(module);
}
/*
construct msDS-isRODC attr
*/
static int construct_msds_isrodc(struct ldb_module *module,
struct ldb_message *msg, enum ldb_scope scope,
struct ldb_request *parent)
{
struct ldb_message_element * object_class;
struct ldb_message_element * object_category;
unsigned int i;
object_class = ldb_msg_find_element(msg, "objectClass");
if (!object_class) {
DEBUG(4,(__location__ ": Can't get objectClass for %s \n",
ldb_dn_get_linearized(msg->dn)));
return ldb_operr(ldb_module_get_ctx(module));
}
for (i=0; i<object_class->num_values; i++) {
if (strequal((const char*)object_class->values[i].data, "nTDSDSA")) {
/* If TO!objectCategory equals the DN of the classSchema object for the nTDSDSA
* object class, then TO!msDS-isRODC is false. Otherwise, TO!msDS-isRODC is true.
*/
object_category = ldb_msg_find_element(msg, "objectCategory");
if (!object_category) {
DEBUG(4,(__location__ ": Can't get objectCategory for %s \n",
ldb_dn_get_linearized(msg->dn)));
return LDB_SUCCESS;
}
return construct_msds_isrodc_with_dn(module, msg, object_category);
}
if (strequal((const char*)object_class->values[i].data, "server")) {
/* Let TN be the nTDSDSA object whose DN is "CN=NTDS Settings," prepended to
* the DN of TO. Apply the previous rule for the "TO is an nTDSDSA object" case,
* substituting TN for TO.
*/
return construct_msds_isrodc_with_server_dn(module, msg, msg->dn, parent);
}
if (strequal((const char*)object_class->values[i].data, "computer")) {
/* Let TS be the server object named by TO!serverReferenceBL. Apply the previous
* rule for the "TO is a server object" case, substituting TS for TO.
*/
return construct_msds_isrodc_with_computer_dn(module, msg, parent);
}
}
return LDB_SUCCESS;
}
int acl_check_access_on_class(struct ldb_module *module,
const struct dsdb_schema *schema,
TALLOC_CTX *mem_ctx,
struct security_descriptor *sd,
struct dom_sid *rp_sid,
uint32_t access_mask,
const char *class_name)
{
int ret;
NTSTATUS status;
uint32_t access_granted;
struct object_tree *root = NULL;
struct object_tree *new_node = NULL;
const struct GUID *guid;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
struct security_token *token = acl_user_token(module);
if (class_name) {
guid = class_schemaid_guid_by_lDAPDisplayName(schema, class_name);
if (!guid) {
DEBUG(10, ("acl_search: cannot find class %s\n",
class_name));
goto fail;
}
if (!insert_in_object_tree(tmp_ctx,
guid, access_mask,
&root, &new_node)) {
DEBUG(10, ("acl_search: cannot add to object tree guid\n"));
goto fail;
}
}
status = sec_access_check_ds(sd, token,
access_mask,
&access_granted,
root,
rp_sid);
if (!NT_STATUS_IS_OK(status)) {
ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
}
else {
ret = LDB_SUCCESS;
}
return ret;
fail:
return ldb_operr(ldb_module_get_ctx(module));
}
/*
setup the ldb_schema_attribute field for a dsdb_attribute
*/
static int dsdb_schema_setup_ldb_schema_attribute(struct ldb_context *ldb,
struct dsdb_attribute *attr)
{
const char *syntax = attr->syntax->ldb_syntax;
const struct ldb_schema_syntax *s;
struct ldb_schema_attribute *a;
if (!syntax) {
syntax = attr->syntax->ldap_oid;
}
s = ldb_samba_syntax_by_lDAPDisplayName(ldb, attr->lDAPDisplayName);
if (s == NULL) {
s = ldb_samba_syntax_by_name(ldb, syntax);
}
if (s == NULL) {
s = ldb_standard_syntax_by_name(ldb, syntax);
}
if (s == NULL) {
return ldb_operr(ldb);
}
attr->ldb_schema_attribute = a = talloc(attr, struct ldb_schema_attribute);
if (attr->ldb_schema_attribute == NULL) {
return ldb_oom(ldb);
}
a->name = attr->lDAPDisplayName;
a->flags = 0;
a->syntax = s;
if (dsdb_schema_unique_attribute(a->name)) {
a->flags |= LDB_ATTR_FLAG_UNIQUE_INDEX;
}
if (attr->isSingleValued) {
a->flags |= LDB_ATTR_FLAG_SINGLE_VALUE;
}
return LDB_SUCCESS;
}
/**
* Reads schema_info structure from schemaInfo
* attribute on SCHEMA partition
*/
static int dsdb_module_schema_info_read(struct ldb_module *ldb_module,
uint32_t dsdb_flags,
TALLOC_CTX *mem_ctx,
struct dsdb_schema_info **_schema_info,
struct ldb_request *parent)
{
int ret;
DATA_BLOB ndr_blob;
TALLOC_CTX *temp_ctx;
WERROR werr;
temp_ctx = talloc_new(mem_ctx);
if (temp_ctx == NULL) {
return ldb_module_oom(ldb_module);
}
/* read serialized schemaInfo from LDB */
ret = dsdb_module_schema_info_blob_read(ldb_module, dsdb_flags, temp_ctx, &ndr_blob, parent);
if (ret != LDB_SUCCESS) {
talloc_free(temp_ctx);
return ret;
}
/* convert NDR blob to dsdb_schema_info object */
werr = dsdb_schema_info_from_blob(&ndr_blob,
mem_ctx,
_schema_info);
talloc_free(temp_ctx);
if (W_ERROR_EQUAL(werr, WERR_DS_NO_ATTRIBUTE_OR_VALUE)) {
return LDB_ERR_NO_SUCH_ATTRIBUTE;
}
if (!W_ERROR_IS_OK(werr)) {
ldb_asprintf_errstring(ldb_module_get_ctx(ldb_module), __location__ ": failed to get schema_info");
return ldb_operr(ldb_module_get_ctx(ldb_module));
}
return LDB_SUCCESS;
}
/**
* Prepares ldb_msg to be used for updating schemaInfo value in DB
*/
static int dsdb_schema_info_write_prepare(struct ldb_context *ldb,
struct ldb_val *schema_info_blob,
TALLOC_CTX *mem_ctx,
struct ldb_message **_msg)
{
int ldb_err;
struct ldb_message *msg;
struct ldb_dn *schema_dn;
struct ldb_message_element *return_el;
schema_dn = ldb_get_schema_basedn(ldb);
if (!schema_dn) {
DEBUG(0,("dsdb_schema_info_write_prepare: no schema dn present\n"));
return ldb_operr(ldb);
}
/* prepare ldb_msg to update schemaInfo */
msg = ldb_msg_new(mem_ctx);
if (msg == NULL) {
return ldb_oom(ldb);
}
msg->dn = schema_dn;
ldb_err = ldb_msg_add_value(msg, "schemaInfo", schema_info_blob, &return_el);
if (ldb_err != 0) {
ldb_asprintf_errstring(ldb, "dsdb_schema_info_write_prepare: ldb_msg_add_value failed - %s\n",
ldb_strerror(ldb_err));
talloc_free(msg);
return ldb_err;
}
/* mark schemaInfo element for replacement */
return_el->flags = LDB_FLAG_MOD_REPLACE;
*_msg = msg;
return LDB_SUCCESS;
}
/**
* When loading the schema from LDIF files, we don't get the extended DNs.
*
* We need to set these up, so that from the moment we start the provision,
* the defaultObjectCategory links are set up correctly.
*/
int dsdb_schema_fill_extended_dn(struct ldb_context *ldb, struct dsdb_schema *schema)
{
struct dsdb_class *cur;
const struct dsdb_class *target_class;
for (cur = schema->classes; cur; cur = cur->next) {
const struct ldb_val *rdn;
struct ldb_val guid;
NTSTATUS status;
struct ldb_dn *dn = ldb_dn_new(NULL, ldb, cur->defaultObjectCategory);
if (!dn) {
return LDB_ERR_INVALID_DN_SYNTAX;
}
rdn = ldb_dn_get_component_val(dn, 0);
if (!rdn) {
talloc_free(dn);
return LDB_ERR_INVALID_DN_SYNTAX;
}
target_class = dsdb_class_by_cn_ldb_val(schema, rdn);
if (!target_class) {
talloc_free(dn);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
status = GUID_to_ndr_blob(&target_class->objectGUID, dn, &guid);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(dn);
return ldb_operr(ldb);
}
ldb_dn_set_extended_component(dn, "GUID", &guid);
cur->defaultObjectCategory = ldb_dn_get_extended_linearized(cur, dn, 1);
talloc_free(dn);
}
return LDB_SUCCESS;
}
static int construct_msds_isrodc_with_server_dn(struct ldb_module *module,
struct ldb_message *msg,
struct ldb_dn *dn,
struct ldb_request *parent)
{
struct ldb_dn *server_dn;
const char *attr_obj_cat[] = { "objectCategory", NULL };
struct ldb_result *res;
struct ldb_message_element *object_category;
int ret;
server_dn = ldb_dn_copy(msg, dn);
if (!ldb_dn_add_child_fmt(server_dn, "CN=NTDS Settings")) {
DEBUG(4, (__location__ ": Failed to add child to %s \n",
ldb_dn_get_linearized(server_dn)));
return ldb_operr(ldb_module_get_ctx(module));
}
ret = dsdb_module_search_dn(module, msg, &res, server_dn, attr_obj_cat,
DSDB_FLAG_NEXT_MODULE, parent);
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
DEBUG(4,(__location__ ": Can't get objectCategory for %s \n",
ldb_dn_get_linearized(server_dn)));
return LDB_SUCCESS;
} else if (ret != LDB_SUCCESS) {
return ret;
}
object_category = ldb_msg_find_element(res->msgs[0], "objectCategory");
if (!object_category) {
DEBUG(4,(__location__ ": Can't find objectCategory for %s \n",
ldb_dn_get_linearized(res->msgs[0]->dn)));
return LDB_SUCCESS;
}
return construct_msds_isrodc_with_dn(module, msg, object_category);
}
/*
* Open sam.ldb.d/metadata.tdb.
*/
static int partition_metadata_open(struct ldb_module *module, bool create)
{
struct ldb_context *ldb = ldb_module_get_ctx(module);
TALLOC_CTX *tmp_ctx;
struct partition_private_data *data;
struct loadparm_context *lp_ctx;
const char *sam_name;
char *filename, *dirname;
int open_flags;
struct stat statbuf;
data = talloc_get_type_abort(ldb_module_get_private(module),
struct partition_private_data);
if (!data || !data->metadata) {
return ldb_module_error(module, LDB_ERR_OPERATIONS_ERROR,
"partition_metadata: metadata not initialized");
}
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
return ldb_module_oom(module);
}
sam_name = (const char *)ldb_get_opaque(ldb, "ldb_url");
if (!sam_name) {
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
if (strncmp("tdb://", sam_name, 6) == 0) {
sam_name += 6;
}
filename = talloc_asprintf(tmp_ctx, "%s.d/metadata.tdb", sam_name);
if (!filename) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
open_flags = O_RDWR;
if (create) {
open_flags |= O_CREAT;
/* While provisioning, sam.ldb.d directory may not exist,
* so create it. Ignore errors, if it already exists. */
dirname = talloc_asprintf(tmp_ctx, "%s.d", sam_name);
if (!dirname) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
mkdir(dirname, 0700);
talloc_free(dirname);
} else {
if (stat(filename, &statbuf) != 0) {
talloc_free(tmp_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
}
lp_ctx = talloc_get_type_abort(ldb_get_opaque(ldb, "loadparm"),
struct loadparm_context);
data->metadata->db = tdb_wrap_open(
data->metadata, filename, 10,
lpcfg_tdb_flags(lp_ctx, TDB_DEFAULT), open_flags, 0660);
if (data->metadata->db == NULL) {
talloc_free(tmp_ctx);
if (create) {
ldb_asprintf_errstring(ldb, "partition_metadata: Unable to create %s: %s",
filename, strerror(errno));
} else {
ldb_asprintf_errstring(ldb, "partition_metadata: Unable to open %s: %s",
filename, strerror(errno));
}
if (errno == EACCES || errno == EPERM) {
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
}
return LDB_ERR_OPERATIONS_ERROR;
}
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
static int dsdb_schema_set_attributes(struct ldb_context *ldb, struct dsdb_schema *schema, bool write_attributes)
{
int ret = LDB_SUCCESS;
struct ldb_result *res;
struct ldb_result *res_idx;
struct dsdb_attribute *attr;
struct ldb_message *mod_msg;
TALLOC_CTX *mem_ctx;
struct ldb_message *msg;
struct ldb_message *msg_idx;
/* setup our own attribute name to schema handler */
ldb_schema_attribute_set_override_handler(ldb, dsdb_attribute_handler_override, schema);
if (!write_attributes) {
return ret;
}
mem_ctx = talloc_new(ldb);
if (!mem_ctx) {
return ldb_oom(ldb);
}
msg = ldb_msg_new(mem_ctx);
if (!msg) {
ldb_oom(ldb);
goto op_error;
}
msg_idx = ldb_msg_new(mem_ctx);
if (!msg_idx) {
ldb_oom(ldb);
goto op_error;
}
msg->dn = ldb_dn_new(msg, ldb, "@ATTRIBUTES");
if (!msg->dn) {
ldb_oom(ldb);
goto op_error;
}
msg_idx->dn = ldb_dn_new(msg_idx, ldb, "@INDEXLIST");
if (!msg_idx->dn) {
ldb_oom(ldb);
goto op_error;
}
ret = ldb_msg_add_string(msg_idx, "@IDXONE", "1");
if (ret != LDB_SUCCESS) {
goto op_error;
}
ret = ldb_msg_add_string(msg_idx, "@IDXVERSION", SAMDB_INDEXING_VERSION);
if (ret != LDB_SUCCESS) {
goto op_error;
}
for (attr = schema->attributes; attr; attr = attr->next) {
const char *syntax = attr->syntax->ldb_syntax;
if (!syntax) {
syntax = attr->syntax->ldap_oid;
}
/*
* Write out a rough approximation of the schema
* as an @ATTRIBUTES value, for bootstrapping
*/
if (strcmp(syntax, LDB_SYNTAX_INTEGER) == 0) {
ret = ldb_msg_add_string(msg, attr->lDAPDisplayName, "INTEGER");
} else if (strcmp(syntax, LDB_SYNTAX_DIRECTORY_STRING) == 0) {
ret = ldb_msg_add_string(msg, attr->lDAPDisplayName, "CASE_INSENSITIVE");
}
if (ret != LDB_SUCCESS) {
break;
}
if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) {
ret = ldb_msg_add_string(msg_idx, "@IDXATTR", attr->lDAPDisplayName);
if (ret != LDB_SUCCESS) {
break;
}
}
}
if (ret != LDB_SUCCESS) {
talloc_free(mem_ctx);
return ret;
}
/*
* Try to avoid churning the attributes too much,
* we only want to do this if they have changed
*/
ret = ldb_search(ldb, mem_ctx, &res, msg->dn, LDB_SCOPE_BASE, NULL,
NULL);
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
ret = ldb_add(ldb, msg);
} else if (ret != LDB_SUCCESS) {
} else if (res->count != 1) {
ret = ldb_add(ldb, msg);
} else {
ret = LDB_SUCCESS;
/* Annoyingly added to our search results */
ldb_msg_remove_attr(res->msgs[0], "distinguishedName");
ret = ldb_msg_difference(ldb, mem_ctx,
res->msgs[0], msg, &mod_msg);
if (ret != LDB_SUCCESS) {
goto op_error;
}
if (mod_msg->num_elements > 0) {
ret = dsdb_replace(ldb, mod_msg, 0);
}
talloc_free(mod_msg);
}
if (ret == LDB_ERR_OPERATIONS_ERROR || ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS || ret == LDB_ERR_INVALID_DN_SYNTAX) {
/* We might be on a read-only DB or LDAP */
ret = LDB_SUCCESS;
}
if (ret != LDB_SUCCESS) {
talloc_free(mem_ctx);
return ret;
}
/* Now write out the indexes, as found in the schema (if they have changed) */
ret = ldb_search(ldb, mem_ctx, &res_idx, msg_idx->dn, LDB_SCOPE_BASE,
NULL, NULL);
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
ret = ldb_add(ldb, msg_idx);
} else if (ret != LDB_SUCCESS) {
} else if (res_idx->count != 1) {
ret = ldb_add(ldb, msg_idx);
} else {
ret = LDB_SUCCESS;
/* Annoyingly added to our search results */
ldb_msg_remove_attr(res_idx->msgs[0], "distinguishedName");
ret = ldb_msg_difference(ldb, mem_ctx,
res_idx->msgs[0], msg_idx, &mod_msg);
if (ret != LDB_SUCCESS) {
goto op_error;
}
if (mod_msg->num_elements > 0) {
ret = dsdb_replace(ldb, mod_msg, 0);
}
talloc_free(mod_msg);
}
if (ret == LDB_ERR_OPERATIONS_ERROR || ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS || ret == LDB_ERR_INVALID_DN_SYNTAX) {
/* We might be on a read-only DB */
ret = LDB_SUCCESS;
}
talloc_free(mem_ctx);
return ret;
op_error:
talloc_free(mem_ctx);
return ldb_operr(ldb);
}
/*
see if we are on the last pool we have
*/
static int drepl_ridalloc_pool_exhausted(struct ldb_context *ldb,
bool *exhausted,
uint64_t *_alloc_pool)
{
struct ldb_dn *server_dn, *machine_dn, *rid_set_dn;
TALLOC_CTX *tmp_ctx = talloc_new(ldb);
uint64_t alloc_pool;
uint64_t prev_pool;
uint32_t prev_pool_lo, prev_pool_hi;
uint32_t next_rid;
static const char * const attrs[] = {
"rIDAllocationPool",
"rIDPreviousAllocationPool",
"rIDNextRid",
NULL
};
int ret;
struct ldb_result *res;
*exhausted = false;
*_alloc_pool = UINT64_MAX;
server_dn = ldb_dn_get_parent(tmp_ctx, samdb_ntds_settings_dn(ldb));
if (!server_dn) {
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
ret = samdb_reference_dn(ldb, tmp_ctx, server_dn, "serverReference", &machine_dn);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to find serverReference in %s - %s\n",
ldb_dn_get_linearized(server_dn), ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return ret;
}
ret = samdb_reference_dn(ldb, tmp_ctx, machine_dn, "rIDSetReferences", &rid_set_dn);
if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
*exhausted = true;
*_alloc_pool = 0;
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to find rIDSetReferences in %s - %s\n",
ldb_dn_get_linearized(machine_dn), ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return ret;
}
ret = ldb_search(ldb, tmp_ctx, &res, rid_set_dn, LDB_SCOPE_BASE, attrs, NULL);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to load RID Set attrs from %s - %s\n",
ldb_dn_get_linearized(rid_set_dn), ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return ret;
}
alloc_pool = ldb_msg_find_attr_as_uint64(res->msgs[0], "rIDAllocationPool", 0);
prev_pool = ldb_msg_find_attr_as_uint64(res->msgs[0], "rIDPreviousAllocationPool", 0);
prev_pool_lo = prev_pool & 0xFFFFFFFF;
prev_pool_hi = prev_pool >> 32;
next_rid = ldb_msg_find_attr_as_uint(res->msgs[0], "rIDNextRid", 0);
if (alloc_pool != prev_pool) {
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
if (next_rid < (prev_pool_hi + prev_pool_lo)/2) {
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
*exhausted = true;
*_alloc_pool = alloc_pool;
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
static int set_ldap_credentials(struct ldb_context *ldb, bool use_external)
{
const char *secrets_ldb_path, *sam_ldb_path;
char *private_dir, *p, *error_string;
struct ldb_context *secrets_ldb;
struct cli_credentials *cred;
struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
TALLOC_CTX *tmp_ctx = talloc_new(ldb);
if (!tmp_ctx) {
return ldb_oom(ldb);
}
cred = cli_credentials_init(ldb);
if (!cred) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
cli_credentials_set_anonymous(cred);
if (use_external) {
cli_credentials_set_forced_sasl_mech(cred, "EXTERNAL");
} else {
cli_credentials_set_forced_sasl_mech(cred, "DIGEST-MD5");
/*
* We don't want to use krb5 to talk to our samdb - recursion
* here would be bad, and this account isn't in the KDC
* anyway
*/
cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
/*
* Work out where *our* secrets.ldb is. It must be in
* the same directory as sam.ldb
*/
sam_ldb_path = (const char *)ldb_get_opaque(ldb, "ldb_url");
if (!sam_ldb_path) {
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
if (strncmp("tdb://", sam_ldb_path, 6) == 0) {
sam_ldb_path += 6;
}
private_dir = talloc_strdup(tmp_ctx, sam_ldb_path);
p = strrchr(private_dir, '/');
if (p) {
*p = '\0';
} else {
private_dir = talloc_strdup(tmp_ctx, ".");
}
secrets_ldb_path = talloc_asprintf(private_dir, "tdb://%s/secrets.ldb",
private_dir);
if (!secrets_ldb_path) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
/*
* Now that we have found the location, connect to
* secrets.ldb so we can read the SamDB Credentials
* record
*/
secrets_ldb = ldb_wrap_connect(tmp_ctx, NULL, lp_ctx, secrets_ldb_path,
NULL, NULL, 0);
if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, NULL, secrets_ldb, NULL,
SECRETS_LDAP_FILTER, &error_string))) {
ldb_asprintf_errstring(ldb, "Failed to read LDAP backend password from %s", secrets_ldb_path);
talloc_free(tmp_ctx);
return LDB_ERR_STRONG_AUTH_REQUIRED;
}
}
/*
* Finally overwrite any supplied credentials with
* these ones, as only secrets.ldb contains the magic
* credentials to talk on the ldapi socket
*/
if (ldb_set_opaque(ldb, "credentials", cred)) {
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
int dsdb_schema_from_ldb_results(TALLOC_CTX *mem_ctx, struct ldb_context *ldb,
struct ldb_result *schema_res,
struct ldb_result *attrs_class_res,
struct dsdb_schema **schema_out,
char **error_string)
{
WERROR status;
const struct ldb_val *prefix_val;
const struct ldb_val *info_val;
struct ldb_val info_val_default;
struct dsdb_schema *schema;
struct loadparm_context *lp_ctx = NULL;
int ret;
schema = dsdb_new_schema(mem_ctx);
if (!schema) {
dsdb_oom(error_string, mem_ctx);
return ldb_operr(ldb);
}
schema->base_dn = talloc_steal(schema, schema_res->msgs[0]->dn);
prefix_val = ldb_msg_find_ldb_val(schema_res->msgs[0], "prefixMap");
if (!prefix_val) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: no prefixMap attribute found");
DEBUG(0,(__location__ ": %s\n", *error_string));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
info_val = ldb_msg_find_ldb_val(schema_res->msgs[0], "schemaInfo");
if (!info_val) {
status = dsdb_schema_info_blob_new(mem_ctx, &info_val_default);
if (!W_ERROR_IS_OK(status)) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: dsdb_schema_info_blob_new() failed - %s",
win_errstr(status));
DEBUG(0,(__location__ ": %s\n", *error_string));
return ldb_operr(ldb);
}
info_val = &info_val_default;
}
status = dsdb_load_oid_mappings_ldb(schema, prefix_val, info_val);
if (!W_ERROR_IS_OK(status)) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: failed to load oid mappings: %s",
win_errstr(status));
DEBUG(0,(__location__ ": %s\n", *error_string));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
ret = dsdb_load_ldb_results_into_schema(mem_ctx, ldb, schema, attrs_class_res, error_string);
if (ret != LDB_SUCCESS) {
return ret;
}
schema->fsmo.master_dn = ldb_msg_find_attr_as_dn(ldb, schema, schema_res->msgs[0], "fSMORoleOwner");
if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), schema->fsmo.master_dn) == 0) {
schema->fsmo.we_are_master = true;
} else {
schema->fsmo.we_are_master = false;
}
lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
struct loadparm_context);
if (lp_ctx) {
bool allowed = lpcfg_parm_bool(lp_ctx, NULL,
"dsdb", "schema update allowed",
false);
schema->fsmo.update_allowed = allowed;
} else {
schema->fsmo.update_allowed = false;
}
DEBUG(5, ("schema_fsmo_init: we are master[%s] updates allowed[%s]\n",
(schema->fsmo.we_are_master?"yes":"no"),
(schema->fsmo.update_allowed?"yes":"no")));
*schema_out = schema;
return LDB_SUCCESS;
}
int dsdb_schema_from_ldb_results(TALLOC_CTX *mem_ctx, struct ldb_context *ldb,
struct ldb_result *schema_res,
struct ldb_result *attrs_res, struct ldb_result *objectclass_res,
struct dsdb_schema **schema_out,
char **error_string)
{
WERROR status;
unsigned int i;
const struct ldb_val *prefix_val;
const struct ldb_val *info_val;
struct ldb_val info_val_default;
struct dsdb_schema *schema;
schema = dsdb_new_schema(mem_ctx);
if (!schema) {
dsdb_oom(error_string, mem_ctx);
return ldb_operr(ldb);
}
schema->base_dn = talloc_steal(schema, schema_res->msgs[0]->dn);
prefix_val = ldb_msg_find_ldb_val(schema_res->msgs[0], "prefixMap");
if (!prefix_val) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: no prefixMap attribute found");
DEBUG(0,(__location__ ": %s\n", *error_string));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
info_val = ldb_msg_find_ldb_val(schema_res->msgs[0], "schemaInfo");
if (!info_val) {
status = dsdb_schema_info_blob_new(mem_ctx, &info_val_default);
if (!W_ERROR_IS_OK(status)) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: dsdb_schema_info_blob_new() failed - %s",
win_errstr(status));
DEBUG(0,(__location__ ": %s\n", *error_string));
return ldb_operr(ldb);
}
info_val = &info_val_default;
}
status = dsdb_load_oid_mappings_ldb(schema, prefix_val, info_val);
if (!W_ERROR_IS_OK(status)) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: failed to load oid mappings: %s",
win_errstr(status));
DEBUG(0,(__location__ ": %s\n", *error_string));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
for (i=0; i < attrs_res->count; i++) {
status = dsdb_attribute_from_ldb(ldb, schema, attrs_res->msgs[i]);
if (!W_ERROR_IS_OK(status)) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: failed to load attribute definition: %s:%s",
ldb_dn_get_linearized(attrs_res->msgs[i]->dn),
win_errstr(status));
DEBUG(0,(__location__ ": %s\n", *error_string));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
}
for (i=0; i < objectclass_res->count; i++) {
status = dsdb_class_from_ldb(schema, objectclass_res->msgs[i]);
if (!W_ERROR_IS_OK(status)) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: failed to load class definition: %s:%s",
ldb_dn_get_linearized(objectclass_res->msgs[i]->dn),
win_errstr(status));
DEBUG(0,(__location__ ": %s\n", *error_string));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
}
schema->fsmo.master_dn = ldb_msg_find_attr_as_dn(ldb, schema, schema_res->msgs[0], "fSMORoleOwner");
if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), schema->fsmo.master_dn) == 0) {
schema->fsmo.we_are_master = true;
} else {
schema->fsmo.we_are_master = false;
}
DEBUG(5, ("schema_fsmo_init: we are master: %s\n",
(schema->fsmo.we_are_master?"yes":"no")));
*schema_out = schema;
return LDB_SUCCESS;
}
/*
construct the parent GUID for an entry from a message
*/
static int construct_parent_guid(struct ldb_module *module,
struct ldb_message *msg, enum ldb_scope scope,
struct ldb_request *parent)
{
struct ldb_result *res, *parent_res;
const struct ldb_val *parent_guid;
const char *attrs[] = { "instanceType", NULL };
const char *attrs2[] = { "objectGUID", NULL };
uint32_t instanceType;
int ret;
struct ldb_dn *parent_dn;
struct ldb_val v;
/* determine if the object is NC by instance type */
ret = dsdb_module_search_dn(module, msg, &res, msg->dn, attrs,
DSDB_FLAG_NEXT_MODULE |
DSDB_SEARCH_SHOW_RECYCLED, parent);
if (ret != LDB_SUCCESS) {
return ret;
}
instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
"instanceType", 0);
talloc_free(res);
if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
DEBUG(4,(__location__ ": Object %s is NC\n",
ldb_dn_get_linearized(msg->dn)));
return LDB_SUCCESS;
}
parent_dn = ldb_dn_get_parent(msg, msg->dn);
if (parent_dn == NULL) {
DEBUG(4,(__location__ ": Failed to find parent for dn %s\n",
ldb_dn_get_linearized(msg->dn)));
return LDB_SUCCESS;
}
ret = dsdb_module_search_dn(module, msg, &parent_res, parent_dn, attrs2,
DSDB_FLAG_NEXT_MODULE |
DSDB_SEARCH_SHOW_RECYCLED, parent);
talloc_free(parent_dn);
/* not NC, so the object should have a parent*/
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
DEBUG(4,(__location__ ": Parent dn for %s does not exist \n",
ldb_dn_get_linearized(msg->dn)));
return ldb_operr(ldb_module_get_ctx(module));
} else if (ret != LDB_SUCCESS) {
return ret;
}
parent_guid = ldb_msg_find_ldb_val(parent_res->msgs[0], "objectGUID");
if (!parent_guid) {
talloc_free(parent_res);
return LDB_SUCCESS;
}
v = data_blob_dup_talloc(parent_res, parent_guid);
if (!v.data) {
talloc_free(parent_res);
return ldb_oom(ldb_module_get_ctx(module));
}
ret = ldb_msg_add_steal_value(msg, "parentGUID", &v);
talloc_free(parent_res);
return ret;
}
/**
* Increments schemaInfo revision and save it to DB
* setting our invocationID in the process
* NOTE: this function should be called in a transaction
* much in the same way prefixMap update function is called
*
* @param ldb_module current module
* @param schema schema cache
* @param dsdb_flags DSDB_FLAG_... flag of 0
*/
int dsdb_module_schema_info_update(struct ldb_module *ldb_module,
struct dsdb_schema *schema,
int dsdb_flags, struct ldb_request *parent)
{
int ret;
const struct GUID *invocation_id;
DATA_BLOB ndr_blob;
struct dsdb_schema_info *schema_info;
const char *schema_info_str;
WERROR werr;
TALLOC_CTX *temp_ctx = talloc_new(schema);
if (temp_ctx == NULL) {
return ldb_module_oom(ldb_module);
}
invocation_id = samdb_ntds_invocation_id(ldb_module_get_ctx(ldb_module));
if (!invocation_id) {
talloc_free(temp_ctx);
return ldb_operr(ldb_module_get_ctx(ldb_module));
}
/* read serialized schemaInfo from LDB */
ret = dsdb_module_schema_info_read(ldb_module, dsdb_flags, temp_ctx, &schema_info, parent);
if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
/* make default value in case
* we have no schemaInfo value yet */
werr = dsdb_schema_info_new(temp_ctx, &schema_info);
if (!W_ERROR_IS_OK(werr)) {
talloc_free(temp_ctx);
return ldb_module_oom(ldb_module);
}
ret = LDB_SUCCESS;
}
if (ret != LDB_SUCCESS) {
talloc_free(temp_ctx);
return ret;
}
/* update schemaInfo */
schema_info->revision++;
schema_info->invocation_id = *invocation_id;
ret = dsdb_module_schema_info_write(ldb_module, dsdb_flags, schema_info, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb_module_get_ctx(ldb_module),
"dsdb_module_schema_info_update: failed to save schemaInfo - %s\n",
ldb_strerror(ret));
talloc_free(temp_ctx);
return ret;
}
/* finally, update schema_info in the cache */
werr = dsdb_blob_from_schema_info(schema_info, temp_ctx, &ndr_blob);
if (!W_ERROR_IS_OK(werr)) {
ldb_asprintf_errstring(ldb_module_get_ctx(ldb_module), "Failed to get schema info");
talloc_free(temp_ctx);
return ldb_operr(ldb_module_get_ctx(ldb_module));
}
schema_info_str = hex_encode_talloc(schema, ndr_blob.data, ndr_blob.length);
if (!schema_info_str) {
talloc_free(temp_ctx);
return ldb_module_oom(ldb_module);
}
talloc_unlink(schema, discard_const(schema->schema_info));
schema->schema_info = schema_info_str;
talloc_free(temp_ctx);
return LDB_SUCCESS;
}
/*
create a RID Set object for the specified DC
*/
static int ridalloc_create_rid_set_ntds(struct ldb_module *module, TALLOC_CTX *mem_ctx,
struct ldb_dn *rid_manager_dn,
struct ldb_dn *ntds_dn, struct ldb_dn **dn,
struct ldb_request *parent)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
struct ldb_dn *server_dn, *machine_dn, *rid_set_dn;
int ret;
struct ldb_message *msg;
struct ldb_context *ldb = ldb_module_get_ctx(module);
static const struct ridalloc_ridset_values o = {
.alloc_pool = UINT64_MAX,
.prev_pool = UINT64_MAX,
.next_rid = UINT32_MAX,
.used_pool = UINT32_MAX,
};
struct ridalloc_ridset_values n = {
.alloc_pool = 0,
.prev_pool = 0,
.next_rid = 0,
.used_pool = 0,
};
const char *no_attrs[] = { NULL };
struct ldb_result *res;
/*
steps:
find the machine object for the DC
construct the RID Set DN
load rIDAvailablePool to find next available set
modify RID Manager object to update rIDAvailablePool
add the RID Set object
link to the RID Set object in machine object
*/
server_dn = ldb_dn_get_parent(tmp_ctx, ntds_dn);
if (!server_dn) {
talloc_free(tmp_ctx);
return ldb_module_oom(module);
}
ret = dsdb_module_reference_dn(module, tmp_ctx, server_dn, "serverReference", &machine_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find serverReference in %s - %s",
ldb_dn_get_linearized(server_dn), ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
rid_set_dn = ldb_dn_copy(tmp_ctx, machine_dn);
if (rid_set_dn == NULL) {
talloc_free(tmp_ctx);
return ldb_module_oom(module);
}
if (! ldb_dn_add_child_fmt(rid_set_dn, "CN=RID Set")) {
talloc_free(tmp_ctx);
return ldb_module_oom(module);
}
/* grab a pool from the RID Manager object */
ret = ridalloc_rid_manager_allocate(module, rid_manager_dn, &n.alloc_pool, parent);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/* create the RID Set object */
msg = ldb_msg_new(tmp_ctx);
msg->dn = rid_set_dn;
ret = ldb_msg_add_string(msg, "objectClass", "rIDSet");
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = ridalloc_set_ridset_values(module, msg, &o, &n);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/* we need this to go all the way to the top of the module
* stack, as we need all the extra attributes added (including
* complex ones like ntsecuritydescriptor). We must do this
* as system, otherwise a user might end up owning the RID
* set, and that would be bad... */
ret = dsdb_module_add(module, msg,
DSDB_FLAG_TOP_MODULE | DSDB_FLAG_AS_SYSTEM
| DSDB_MODIFY_RELAX, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to add RID Set %s - %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
/* add the rIDSetReferences link */
msg = ldb_msg_new(tmp_ctx);
msg->dn = machine_dn;
/* we need the extended DN of the RID Set object for
* rIDSetReferences */
ret = dsdb_module_search_dn(module, msg, &res, rid_set_dn, no_attrs,
DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find extended DN of RID Set %s - %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
rid_set_dn = res->msgs[0]->dn;
ret = ldb_msg_add_string(msg, "rIDSetReferences", ldb_dn_get_extended_linearized(msg, rid_set_dn, 1));
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
msg->elements[0].flags = LDB_FLAG_MOD_ADD;
ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to add rIDSetReferences to %s - %s",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
(*dn) = talloc_steal(mem_ctx, rid_set_dn);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/*
create a RID Set object for this DC
*/
int ridalloc_create_own_rid_set(struct ldb_module *module, TALLOC_CTX *mem_ctx,
struct ldb_dn **dn, struct ldb_request *parent)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
struct ldb_dn *rid_manager_dn, *fsmo_role_dn;
int ret;
struct ldb_context *ldb = ldb_module_get_ctx(module);
struct GUID fsmo_role_guid;
const struct GUID *our_ntds_guid;
NTSTATUS status;
/* work out who is the RID Manager */
ret = dsdb_module_rid_manager_dn(module, tmp_ctx, &rid_manager_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find RID Manager object - %s",
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
/* find the DN of the RID Manager */
ret = dsdb_module_reference_dn(module, tmp_ctx, rid_manager_dn, "fSMORoleOwner", &fsmo_role_dn, parent);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Failed to find fSMORoleOwner in RID Manager object - %s",
ldb_errstring(ldb));
talloc_free(tmp_ctx);
return ret;
}
status = dsdb_get_extended_dn_guid(fsmo_role_dn, &fsmo_role_guid, "GUID");
if (!NT_STATUS_IS_OK(status)) {
talloc_free(tmp_ctx);
return ldb_operr(ldb_module_get_ctx(module));
}
our_ntds_guid = samdb_ntds_objectGUID(ldb_module_get_ctx(module));
if (!our_ntds_guid) {
talloc_free(tmp_ctx);
return ldb_operr(ldb_module_get_ctx(module));
}
if (!GUID_equal(&fsmo_role_guid, our_ntds_guid)) {
ret = ridalloc_poke_rid_manager(module);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb,
"Request for remote creation of "
"RID Set for this DC failed: %s",
ldb_errstring(ldb));
} else {
ldb_asprintf_errstring(ldb,
"Remote RID Set creation needed");
}
talloc_free(tmp_ctx);
return LDB_ERR_UNWILLING_TO_PERFORM;
}
ret = ridalloc_create_rid_set_ntds(module, mem_ctx, rid_manager_dn, fsmo_role_dn, dn, parent);
talloc_free(tmp_ctx);
return ret;
}
