2 Unix SMB/CIFS implementation.
3 Samba utility functions
5 Copyright (C) Andrew Tridgell 2004
6 Copyright (C) Volker Lendecke 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
8 Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "events/events.h"
27 #include "ldb_errors.h"
28 #include "../lib/util/util_ldb.h"
29 #include "../lib/crypto/crypto.h"
30 #include "dsdb/samdb/samdb.h"
31 #include "libcli/security/security.h"
32 #include "librpc/gen_ndr/ndr_security.h"
33 #include "librpc/gen_ndr/ndr_misc.h"
34 #include "../libds/common/flags.h"
35 #include "dsdb/common/proto.h"
36 #include "libcli/ldap/ldap_ndr.h"
37 #include "param/param.h"
38 #include "libcli/auth/libcli_auth.h"
39 #include "librpc/gen_ndr/ndr_drsblobs.h"
40 #include "system/locale.h"
41 #include "lib/util/tsort.h"
42 #include "dsdb/common/util.h"
43 #include "lib/socket/socket.h"
44 #include "dsdb/samdb/ldb_modules/util.h"
47 search the sam for the specified attributes in a specific domain, filter on
48 objectSid being in domain_sid.
50 int samdb_search_domain(struct ldb_context
*sam_ldb
,
52 struct ldb_dn
*basedn
,
53 struct ldb_message
***res
,
54 const char * const *attrs
,
55 const struct dom_sid
*domain_sid
,
56 const char *format
, ...) _PRINTF_ATTRIBUTE(7,8)
62 count
= gendb_search_v(sam_ldb
, mem_ctx
, basedn
,
63 res
, attrs
, format
, ap
);
69 struct dom_sid
*entry_sid
;
71 entry_sid
= samdb_result_dom_sid(mem_ctx
, (*res
)[i
], "objectSid");
73 if ((entry_sid
== NULL
) ||
74 (!dom_sid_in_domain(domain_sid
, entry_sid
))) {
75 /* Delete that entry from the result set */
76 (*res
)[i
] = (*res
)[count
-1];
78 talloc_free(entry_sid
);
81 talloc_free(entry_sid
);
89 search the sam for a single string attribute in exactly 1 record
91 const char *samdb_search_string_v(struct ldb_context
*sam_ldb
,
93 struct ldb_dn
*basedn
,
94 const char *attr_name
,
95 const char *format
, va_list ap
) _PRINTF_ATTRIBUTE(5,0)
98 const char *attrs
[2] = { NULL
, NULL
};
99 struct ldb_message
**res
= NULL
;
101 attrs
[0] = attr_name
;
103 count
= gendb_search_v(sam_ldb
, mem_ctx
, basedn
, &res
, attrs
, format
, ap
);
105 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
106 attr_name
, format
, count
));
113 return samdb_result_string(res
[0], attr_name
, NULL
);
117 search the sam for a single string attribute in exactly 1 record
119 const char *samdb_search_string(struct ldb_context
*sam_ldb
,
121 struct ldb_dn
*basedn
,
122 const char *attr_name
,
123 const char *format
, ...) _PRINTF_ATTRIBUTE(5,6)
128 va_start(ap
, format
);
129 str
= samdb_search_string_v(sam_ldb
, mem_ctx
, basedn
, attr_name
, format
, ap
);
135 struct ldb_dn
*samdb_search_dn(struct ldb_context
*sam_ldb
,
137 struct ldb_dn
*basedn
,
138 const char *format
, ...) _PRINTF_ATTRIBUTE(4,5)
142 struct ldb_message
**res
= NULL
;
145 va_start(ap
, format
);
146 count
= gendb_search_v(sam_ldb
, mem_ctx
, basedn
, &res
, NULL
, format
, ap
);
149 if (count
!= 1) return NULL
;
151 ret
= talloc_steal(mem_ctx
, res
[0]->dn
);
158 search the sam for a dom_sid attribute in exactly 1 record
160 struct dom_sid
*samdb_search_dom_sid(struct ldb_context
*sam_ldb
,
162 struct ldb_dn
*basedn
,
163 const char *attr_name
,
164 const char *format
, ...) _PRINTF_ATTRIBUTE(5,6)
168 struct ldb_message
**res
;
169 const char *attrs
[2] = { NULL
, NULL
};
172 attrs
[0] = attr_name
;
174 va_start(ap
, format
);
175 count
= gendb_search_v(sam_ldb
, mem_ctx
, basedn
, &res
, attrs
, format
, ap
);
178 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
179 attr_name
, format
, count
));
185 sid
= samdb_result_dom_sid(mem_ctx
, res
[0], attr_name
);
191 return the count of the number of records in the sam matching the query
193 int samdb_search_count(struct ldb_context
*sam_ldb
,
194 struct ldb_dn
*basedn
,
195 const char *format
, ...) _PRINTF_ATTRIBUTE(3,4)
198 struct ldb_message
**res
;
199 const char *attrs
[] = { NULL
};
201 TALLOC_CTX
*tmp_ctx
= talloc_new(sam_ldb
);
203 va_start(ap
, format
);
204 ret
= gendb_search_v(sam_ldb
, tmp_ctx
, basedn
, &res
, attrs
, format
, ap
);
206 talloc_free(tmp_ctx
);
213 search the sam for a single integer attribute in exactly 1 record
215 unsigned int samdb_search_uint(struct ldb_context
*sam_ldb
,
217 unsigned int default_value
,
218 struct ldb_dn
*basedn
,
219 const char *attr_name
,
220 const char *format
, ...) _PRINTF_ATTRIBUTE(6,7)
224 struct ldb_message
**res
;
225 const char *attrs
[2] = { NULL
, NULL
};
227 attrs
[0] = attr_name
;
229 va_start(ap
, format
);
230 count
= gendb_search_v(sam_ldb
, mem_ctx
, basedn
, &res
, attrs
, format
, ap
);
234 return default_value
;
237 return samdb_result_uint(res
[0], attr_name
, default_value
);
241 search the sam for a single signed 64 bit integer attribute in exactly 1 record
243 int64_t samdb_search_int64(struct ldb_context
*sam_ldb
,
245 int64_t default_value
,
246 struct ldb_dn
*basedn
,
247 const char *attr_name
,
248 const char *format
, ...) _PRINTF_ATTRIBUTE(6,7)
252 struct ldb_message
**res
;
253 const char *attrs
[2] = { NULL
, NULL
};
255 attrs
[0] = attr_name
;
257 va_start(ap
, format
);
258 count
= gendb_search_v(sam_ldb
, mem_ctx
, basedn
, &res
, attrs
, format
, ap
);
262 return default_value
;
265 return samdb_result_int64(res
[0], attr_name
, default_value
);
269 search the sam for multipe records each giving a single string attribute
270 return the number of matches, or -1 on error
272 int samdb_search_string_multiple(struct ldb_context
*sam_ldb
,
274 struct ldb_dn
*basedn
,
276 const char *attr_name
,
277 const char *format
, ...) _PRINTF_ATTRIBUTE(6,7)
281 const char *attrs
[2] = { NULL
, NULL
};
282 struct ldb_message
**res
= NULL
;
284 attrs
[0] = attr_name
;
286 va_start(ap
, format
);
287 count
= gendb_search_v(sam_ldb
, mem_ctx
, basedn
, &res
, attrs
, format
, ap
);
294 /* make sure its single valued */
295 for (i
=0;i
<count
;i
++) {
296 if (res
[i
]->num_elements
!= 1) {
297 DEBUG(1,("samdb: search for %s %s not single valued\n",
304 *strs
= talloc_array(mem_ctx
, const char *, count
+1);
310 for (i
=0;i
<count
;i
++) {
311 (*strs
)[i
] = samdb_result_string(res
[i
], attr_name
, NULL
);
313 (*strs
)[count
] = NULL
;
319 pull a uint from a result set.
321 unsigned int samdb_result_uint(const struct ldb_message
*msg
, const char *attr
, unsigned int default_value
)
323 return ldb_msg_find_attr_as_uint(msg
, attr
, default_value
);
327 pull a (signed) int64 from a result set.
329 int64_t samdb_result_int64(const struct ldb_message
*msg
, const char *attr
, int64_t default_value
)
331 return ldb_msg_find_attr_as_int64(msg
, attr
, default_value
);
335 pull a string from a result set.
337 const char *samdb_result_string(const struct ldb_message
*msg
, const char *attr
,
338 const char *default_value
)
340 return ldb_msg_find_attr_as_string(msg
, attr
, default_value
);
343 struct ldb_dn
*samdb_result_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
, const struct ldb_message
*msg
,
344 const char *attr
, struct ldb_dn
*default_value
)
346 struct ldb_dn
*ret_dn
= ldb_msg_find_attr_as_dn(ldb
, mem_ctx
, msg
, attr
);
348 return default_value
;
354 pull a rid from a objectSid in a result set.
356 uint32_t samdb_result_rid_from_sid(TALLOC_CTX
*mem_ctx
, const struct ldb_message
*msg
,
357 const char *attr
, uint32_t default_value
)
362 sid
= samdb_result_dom_sid(mem_ctx
, msg
, attr
);
364 return default_value
;
366 rid
= sid
->sub_auths
[sid
->num_auths
-1];
372 pull a dom_sid structure from a objectSid in a result set.
374 struct dom_sid
*samdb_result_dom_sid(TALLOC_CTX
*mem_ctx
, const struct ldb_message
*msg
,
377 const struct ldb_val
*v
;
379 enum ndr_err_code ndr_err
;
380 v
= ldb_msg_find_ldb_val(msg
, attr
);
384 sid
= talloc(mem_ctx
, struct dom_sid
);
388 ndr_err
= ndr_pull_struct_blob(v
, sid
, NULL
, sid
,
389 (ndr_pull_flags_fn_t
)ndr_pull_dom_sid
);
390 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
398 pull a guid structure from a objectGUID in a result set.
400 struct GUID
samdb_result_guid(const struct ldb_message
*msg
, const char *attr
)
402 const struct ldb_val
*v
;
406 v
= ldb_msg_find_ldb_val(msg
, attr
);
407 if (!v
) return GUID_zero();
409 status
= GUID_from_ndr_blob(v
, &guid
);
410 if (!NT_STATUS_IS_OK(status
)) {
418 pull a sid prefix from a objectSid in a result set.
419 this is used to find the domain sid for a user
421 struct dom_sid
*samdb_result_sid_prefix(TALLOC_CTX
*mem_ctx
, const struct ldb_message
*msg
,
424 struct dom_sid
*sid
= samdb_result_dom_sid(mem_ctx
, msg
, attr
);
425 if (!sid
|| sid
->num_auths
< 1) return NULL
;
431 pull a NTTIME in a result set.
433 NTTIME
samdb_result_nttime(const struct ldb_message
*msg
, const char *attr
,
434 NTTIME default_value
)
436 return ldb_msg_find_attr_as_uint64(msg
, attr
, default_value
);
440 * Windows stores 0 for lastLogoff.
441 * But when a MS DC return the lastLogoff (as Logoff Time)
442 * it returns 0x7FFFFFFFFFFFFFFF, not returning this value in this case
443 * cause windows 2008 and newer version to fail for SMB requests
445 NTTIME
samdb_result_last_logoff(const struct ldb_message
*msg
)
447 NTTIME ret
= ldb_msg_find_attr_as_uint64(msg
, "lastLogoff",0);
450 ret
= 0x7FFFFFFFFFFFFFFFULL
;
456 * Windows uses both 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFFULL) to
457 * indicate an account doesn't expire.
459 * When Windows initially creates an account, it sets
460 * accountExpires = 9223372036854775807 (0x7FFFFFFFFFFFFFFF). However,
461 * when changing from an account having a specific expiration date to
462 * that account never expiring, it sets accountExpires = 0.
464 * Consolidate that logic here to allow clearer logic for account expiry in
465 * the rest of the code.
467 NTTIME
samdb_result_account_expires(const struct ldb_message
*msg
)
469 NTTIME ret
= ldb_msg_find_attr_as_uint64(msg
, "accountExpires",
473 ret
= 0x7FFFFFFFFFFFFFFFULL
;
479 pull a uint64_t from a result set.
481 uint64_t samdb_result_uint64(const struct ldb_message
*msg
, const char *attr
,
482 uint64_t default_value
)
484 return ldb_msg_find_attr_as_uint64(msg
, attr
, default_value
);
489 construct the allow_password_change field from the PwdLastSet attribute and the
490 domain password settings
492 NTTIME
samdb_result_allow_password_change(struct ldb_context
*sam_ldb
,
494 struct ldb_dn
*domain_dn
,
495 struct ldb_message
*msg
,
498 uint64_t attr_time
= samdb_result_uint64(msg
, attr
, 0);
501 if (attr_time
== 0) {
505 minPwdAge
= samdb_search_int64(sam_ldb
, mem_ctx
, 0, domain_dn
, "minPwdAge", NULL
);
507 /* yes, this is a -= not a += as minPwdAge is stored as the negative
508 of the number of 100-nano-seconds */
509 attr_time
-= minPwdAge
;
515 construct the force_password_change field from the PwdLastSet
516 attribute, the userAccountControl and the domain password settings
518 NTTIME
samdb_result_force_password_change(struct ldb_context
*sam_ldb
,
520 struct ldb_dn
*domain_dn
,
521 struct ldb_message
*msg
)
523 uint64_t attr_time
= samdb_result_uint64(msg
, "pwdLastSet", 0);
524 uint32_t userAccountControl
= samdb_result_uint64(msg
, "userAccountControl", 0);
527 /* Machine accounts don't expire, and there is a flag for 'no expiry' */
528 if (!(userAccountControl
& UF_NORMAL_ACCOUNT
)
529 || (userAccountControl
& UF_DONT_EXPIRE_PASSWD
)) {
530 return 0x7FFFFFFFFFFFFFFFULL
;
533 if (attr_time
== 0) {
537 maxPwdAge
= samdb_search_int64(sam_ldb
, mem_ctx
, 0, domain_dn
, "maxPwdAge", NULL
);
538 if (maxPwdAge
== 0) {
539 return 0x7FFFFFFFFFFFFFFFULL
;
541 attr_time
-= maxPwdAge
;
548 pull a samr_Password structutre from a result set.
550 struct samr_Password
*samdb_result_hash(TALLOC_CTX
*mem_ctx
, const struct ldb_message
*msg
, const char *attr
)
552 struct samr_Password
*hash
= NULL
;
553 const struct ldb_val
*val
= ldb_msg_find_ldb_val(msg
, attr
);
554 if (val
&& (val
->length
>= sizeof(hash
->hash
))) {
555 hash
= talloc(mem_ctx
, struct samr_Password
);
556 memcpy(hash
->hash
, val
->data
, MIN(val
->length
, sizeof(hash
->hash
)));
562 pull an array of samr_Password structures from a result set.
564 unsigned int samdb_result_hashes(TALLOC_CTX
*mem_ctx
, const struct ldb_message
*msg
,
565 const char *attr
, struct samr_Password
**hashes
)
567 unsigned int count
, i
;
568 const struct ldb_val
*val
= ldb_msg_find_ldb_val(msg
, attr
);
574 count
= val
->length
/ 16;
579 *hashes
= talloc_array(mem_ctx
, struct samr_Password
, count
);
584 for (i
=0;i
<count
;i
++) {
585 memcpy((*hashes
)[i
].hash
, (i
*16)+(char *)val
->data
, 16);
591 NTSTATUS
samdb_result_passwords(TALLOC_CTX
*mem_ctx
, struct loadparm_context
*lp_ctx
, struct ldb_message
*msg
,
592 struct samr_Password
**lm_pwd
, struct samr_Password
**nt_pwd
)
594 struct samr_Password
*lmPwdHash
, *ntPwdHash
;
597 num_nt
= samdb_result_hashes(mem_ctx
, msg
, "unicodePwd", &ntPwdHash
);
600 } else if (num_nt
> 1) {
601 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
603 *nt_pwd
= &ntPwdHash
[0];
607 /* Ensure that if we have turned off LM
608 * authentication, that we never use the LM hash, even
610 if (lp_lanman_auth(lp_ctx
)) {
612 num_lm
= samdb_result_hashes(mem_ctx
, msg
, "dBCSPwd", &lmPwdHash
);
615 } else if (num_lm
> 1) {
616 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
618 *lm_pwd
= &lmPwdHash
[0];
628 pull a samr_LogonHours structutre from a result set.
630 struct samr_LogonHours
samdb_result_logon_hours(TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
, const char *attr
)
632 struct samr_LogonHours hours
;
633 const int units_per_week
= 168;
634 const struct ldb_val
*val
= ldb_msg_find_ldb_val(msg
, attr
);
636 hours
.bits
= talloc_array(mem_ctx
, uint8_t, units_per_week
);
640 hours
.units_per_week
= units_per_week
;
641 memset(hours
.bits
, 0xFF, units_per_week
);
643 memcpy(hours
.bits
, val
->data
, MIN(val
->length
, units_per_week
));
649 pull a set of account_flags from a result set.
651 This requires that the attributes:
656 uint32_t samdb_result_acct_flags(struct ldb_context
*sam_ctx
, TALLOC_CTX
*mem_ctx
,
657 struct ldb_message
*msg
, struct ldb_dn
*domain_dn
)
659 uint32_t userAccountControl
= ldb_msg_find_attr_as_uint(msg
, "userAccountControl", 0);
660 uint32_t acct_flags
= ds_uf2acb(userAccountControl
);
661 NTTIME must_change_time
;
664 must_change_time
= samdb_result_force_password_change(sam_ctx
, mem_ctx
,
667 /* Test account expire time */
668 unix_to_nt_time(&now
, time(NULL
));
669 /* check for expired password */
670 if (must_change_time
< now
) {
671 acct_flags
|= ACB_PW_EXPIRED
;
676 struct lsa_BinaryString
samdb_result_parameters(TALLOC_CTX
*mem_ctx
,
677 struct ldb_message
*msg
,
680 struct lsa_BinaryString s
;
681 const struct ldb_val
*val
= ldb_msg_find_ldb_val(msg
, attr
);
689 s
.array
= talloc_array(mem_ctx
, uint16_t, val
->length
/2);
693 s
.length
= s
.size
= val
->length
;
694 memcpy(s
.array
, val
->data
, val
->length
);
699 /* Find an attribute, with a particular value */
701 /* The current callers of this function expect a very specific
702 * behaviour: In particular, objectClass subclass equivilance is not
703 * wanted. This means that we should not lookup the schema for the
704 * comparison function */
705 struct ldb_message_element
*samdb_find_attribute(struct ldb_context
*ldb
,
706 const struct ldb_message
*msg
,
707 const char *name
, const char *value
)
710 struct ldb_message_element
*el
= ldb_msg_find_element(msg
, name
);
716 for (i
=0;i
<el
->num_values
;i
++) {
717 if (ldb_attr_cmp(value
, (char *)el
->values
[i
].data
) == 0) {
726 * This is intended for use by the "password hash" module since there
727 * password changes can be specified through one message element with the
728 * new password (to set) and another one with the old password (to unset).
730 * The first which sets a password (new value) can have flags
731 * (LDB_FLAG_MOD_ADD, LDB_FLAG_MOD_REPLACE) but also none (on "add" operations
732 * for entries). The latter (old value) has always specified
733 * LDB_FLAG_MOD_DELETE.
735 * Returns LDB_ERR_NO_SUCH_ATTRIBUTE if the attribute which should be deleted
736 * doesn't contain only one value (this is the Windows Server behaviour)
737 * otherwise LDB_SUCCESS.
739 int samdb_msg_find_old_and_new_ldb_val(const struct ldb_message
*msg
,
741 const struct ldb_val
**new_val
,
742 const struct ldb_val
**old_val
)
753 for (i
= 0; i
< msg
->num_elements
; i
++) {
754 if (ldb_attr_cmp(msg
->elements
[i
].name
, name
) == 0) {
755 if (msg
->elements
[i
].flags
== LDB_FLAG_MOD_DELETE
) {
756 *old_val
= &msg
->elements
[i
].values
[0];
758 *new_val
= &msg
->elements
[i
].values
[0];
766 int samdb_find_or_add_value(struct ldb_context
*ldb
, struct ldb_message
*msg
, const char *name
, const char *set_value
)
768 if (samdb_find_attribute(ldb
, msg
, name
, set_value
) == NULL
) {
769 return samdb_msg_add_string(ldb
, msg
, msg
, name
, set_value
);
774 int samdb_find_or_add_attribute(struct ldb_context
*ldb
, struct ldb_message
*msg
, const char *name
, const char *set_value
)
776 struct ldb_message_element
*el
;
778 el
= ldb_msg_find_element(msg
, name
);
783 return samdb_msg_add_string(ldb
, msg
, msg
, name
, set_value
);
789 add a string element to a message
791 int samdb_msg_add_string(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
792 const char *attr_name
, const char *str
)
794 char *s
= talloc_strdup(mem_ctx
, str
);
795 char *a
= talloc_strdup(mem_ctx
, attr_name
);
796 if (s
== NULL
|| a
== NULL
) {
797 return LDB_ERR_OPERATIONS_ERROR
;
799 return ldb_msg_add_string(msg
, a
, s
);
803 add a dom_sid element to a message
805 int samdb_msg_add_dom_sid(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
806 const char *attr_name
, struct dom_sid
*sid
)
809 enum ndr_err_code ndr_err
;
811 ndr_err
= ndr_push_struct_blob(&v
, mem_ctx
,
812 lp_iconv_convenience(ldb_get_opaque(sam_ldb
, "loadparm")),
814 (ndr_push_flags_fn_t
)ndr_push_dom_sid
);
815 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
816 return LDB_ERR_OPERATIONS_ERROR
;
818 return ldb_msg_add_value(msg
, attr_name
, &v
, NULL
);
823 add a delete element operation to a message
825 int samdb_msg_add_delete(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
826 const char *attr_name
)
828 /* we use an empty replace rather than a delete, as it allows for
829 dsdb_replace() to be used everywhere */
830 return ldb_msg_add_empty(msg
, attr_name
, LDB_FLAG_MOD_REPLACE
, NULL
);
834 add a add attribute value to a message
836 int samdb_msg_add_addval(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
837 const char *attr_name
, const char *value
)
839 struct ldb_message_element
*el
;
842 a
= talloc_strdup(mem_ctx
, attr_name
);
844 return LDB_ERR_OPERATIONS_ERROR
;
845 v
= talloc_strdup(mem_ctx
, value
);
847 return LDB_ERR_OPERATIONS_ERROR
;
848 ret
= ldb_msg_add_string(msg
, a
, v
);
851 el
= ldb_msg_find_element(msg
, a
);
853 return LDB_ERR_OPERATIONS_ERROR
;
854 el
->flags
= LDB_FLAG_MOD_ADD
;
859 add a delete attribute value to a message
861 int samdb_msg_add_delval(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
862 const char *attr_name
, const char *value
)
864 struct ldb_message_element
*el
;
867 a
= talloc_strdup(mem_ctx
, attr_name
);
869 return LDB_ERR_OPERATIONS_ERROR
;
870 v
= talloc_strdup(mem_ctx
, value
);
872 return LDB_ERR_OPERATIONS_ERROR
;
873 ret
= ldb_msg_add_string(msg
, a
, v
);
876 el
= ldb_msg_find_element(msg
, a
);
878 return LDB_ERR_OPERATIONS_ERROR
;
879 el
->flags
= LDB_FLAG_MOD_DELETE
;
884 add a int element to a message
886 int samdb_msg_add_int(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
887 const char *attr_name
, int v
)
889 const char *s
= talloc_asprintf(mem_ctx
, "%d", v
);
890 return samdb_msg_add_string(sam_ldb
, mem_ctx
, msg
, attr_name
, s
);
894 add a unsigned int element to a message
896 int samdb_msg_add_uint(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
897 const char *attr_name
, unsigned int v
)
899 return samdb_msg_add_int(sam_ldb
, mem_ctx
, msg
, attr_name
, (int)v
);
903 add a (signed) int64_t element to a message
905 int samdb_msg_add_int64(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
906 const char *attr_name
, int64_t v
)
908 const char *s
= talloc_asprintf(mem_ctx
, "%lld", (long long)v
);
909 return samdb_msg_add_string(sam_ldb
, mem_ctx
, msg
, attr_name
, s
);
913 add a uint64_t element to a message
915 int samdb_msg_add_uint64(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
916 const char *attr_name
, uint64_t v
)
918 return samdb_msg_add_int64(sam_ldb
, mem_ctx
, msg
, attr_name
, (int64_t)v
);
922 add a samr_Password element to a message
924 int samdb_msg_add_hash(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
925 const char *attr_name
, struct samr_Password
*hash
)
928 val
.data
= talloc_memdup(mem_ctx
, hash
->hash
, 16);
930 return LDB_ERR_OPERATIONS_ERROR
;
933 return ldb_msg_add_value(msg
, attr_name
, &val
, NULL
);
937 add a samr_Password array to a message
939 int samdb_msg_add_hashes(TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
940 const char *attr_name
, struct samr_Password
*hashes
,
945 val
.data
= talloc_array_size(mem_ctx
, 16, count
);
946 val
.length
= count
*16;
948 return LDB_ERR_OPERATIONS_ERROR
;
950 for (i
=0;i
<count
;i
++) {
951 memcpy(i
*16 + (char *)val
.data
, hashes
[i
].hash
, 16);
953 return ldb_msg_add_value(msg
, attr_name
, &val
, NULL
);
957 add a acct_flags element to a message
959 int samdb_msg_add_acct_flags(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
960 const char *attr_name
, uint32_t v
)
962 return samdb_msg_add_uint(sam_ldb
, mem_ctx
, msg
, attr_name
, ds_acb2uf(v
));
966 add a logon_hours element to a message
968 int samdb_msg_add_logon_hours(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
969 const char *attr_name
, struct samr_LogonHours
*hours
)
972 val
.length
= hours
->units_per_week
/ 8;
973 val
.data
= hours
->bits
;
974 return ldb_msg_add_value(msg
, attr_name
, &val
, NULL
);
978 add a parameters element to a message
980 int samdb_msg_add_parameters(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
981 const char *attr_name
, struct lsa_BinaryString
*parameters
)
984 val
.length
= parameters
->length
;
985 val
.data
= (uint8_t *)parameters
->array
;
986 return ldb_msg_add_value(msg
, attr_name
, &val
, NULL
);
989 add a general value element to a message
991 int samdb_msg_add_value(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
992 const char *attr_name
, const struct ldb_val
*val
)
994 return ldb_msg_add_value(msg
, attr_name
, val
, NULL
);
998 sets a general value element to a message
1000 int samdb_msg_set_value(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
1001 const char *attr_name
, const struct ldb_val
*val
)
1003 struct ldb_message_element
*el
;
1005 el
= ldb_msg_find_element(msg
, attr_name
);
1009 return ldb_msg_add_value(msg
, attr_name
, val
, NULL
);
1013 set a string element in a message
1015 int samdb_msg_set_string(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
1016 const char *attr_name
, const char *str
)
1018 struct ldb_message_element
*el
;
1020 el
= ldb_msg_find_element(msg
, attr_name
);
1024 return samdb_msg_add_string(sam_ldb
, mem_ctx
, msg
, attr_name
, str
);
1028 * Handle ldb_request in transaction
1030 static int dsdb_autotransaction_request(struct ldb_context
*sam_ldb
,
1031 struct ldb_request
*req
)
1035 ret
= ldb_transaction_start(sam_ldb
);
1036 if (ret
!= LDB_SUCCESS
) {
1040 ret
= ldb_request(sam_ldb
, req
);
1041 if (ret
== LDB_SUCCESS
) {
1042 ret
= ldb_wait(req
->handle
, LDB_WAIT_ALL
);
1045 if (ret
== LDB_SUCCESS
) {
1046 return ldb_transaction_commit(sam_ldb
);
1048 ldb_transaction_cancel(sam_ldb
);
1054 return a default security descriptor
1056 struct security_descriptor
*samdb_default_security_descriptor(TALLOC_CTX
*mem_ctx
)
1058 struct security_descriptor
*sd
;
1060 sd
= security_descriptor_initialise(mem_ctx
);
1065 struct ldb_dn
*samdb_aggregate_schema_dn(struct ldb_context
*sam_ctx
, TALLOC_CTX
*mem_ctx
)
1067 struct ldb_dn
*schema_dn
= ldb_get_schema_basedn(sam_ctx
);
1068 struct ldb_dn
*aggregate_dn
;
1073 aggregate_dn
= ldb_dn_copy(mem_ctx
, schema_dn
);
1074 if (!aggregate_dn
) {
1077 if (!ldb_dn_add_child_fmt(aggregate_dn
, "CN=Aggregate")) {
1080 return aggregate_dn
;
1083 struct ldb_dn
*samdb_partitions_dn(struct ldb_context
*sam_ctx
, TALLOC_CTX
*mem_ctx
)
1085 struct ldb_dn
*new_dn
;
1087 new_dn
= ldb_dn_copy(mem_ctx
, ldb_get_config_basedn(sam_ctx
));
1088 if ( ! ldb_dn_add_child_fmt(new_dn
, "CN=Partitions")) {
1089 talloc_free(new_dn
);
1095 struct ldb_dn
*samdb_infrastructure_dn(struct ldb_context
*sam_ctx
, TALLOC_CTX
*mem_ctx
)
1097 struct ldb_dn
*new_dn
;
1099 new_dn
= ldb_dn_copy(mem_ctx
, ldb_get_default_basedn(sam_ctx
));
1100 if ( ! ldb_dn_add_child_fmt(new_dn
, "CN=Infrastructure")) {
1101 talloc_free(new_dn
);
1107 struct ldb_dn
*samdb_sites_dn(struct ldb_context
*sam_ctx
, TALLOC_CTX
*mem_ctx
)
1109 struct ldb_dn
*new_dn
;
1111 new_dn
= ldb_dn_copy(mem_ctx
, ldb_get_config_basedn(sam_ctx
));
1112 if ( ! ldb_dn_add_child_fmt(new_dn
, "CN=Sites")) {
1113 talloc_free(new_dn
);
1120 work out the domain sid for the current open ldb
1122 const struct dom_sid
*samdb_domain_sid(struct ldb_context
*ldb
)
1124 TALLOC_CTX
*tmp_ctx
;
1125 const struct dom_sid
*domain_sid
;
1126 const char *attrs
[] = {
1130 struct ldb_result
*res
;
1133 /* see if we have a cached copy */
1134 domain_sid
= (struct dom_sid
*)ldb_get_opaque(ldb
, "cache.domain_sid");
1139 tmp_ctx
= talloc_new(ldb
);
1140 if (tmp_ctx
== NULL
) {
1144 ret
= ldb_search(ldb
, tmp_ctx
, &res
, ldb_get_default_basedn(ldb
), LDB_SCOPE_BASE
, attrs
, "objectSid=*");
1146 if (ret
!= LDB_SUCCESS
) {
1150 if (res
->count
!= 1) {
1154 domain_sid
= samdb_result_dom_sid(tmp_ctx
, res
->msgs
[0], "objectSid");
1155 if (domain_sid
== NULL
) {
1159 /* cache the domain_sid in the ldb */
1160 if (ldb_set_opaque(ldb
, "cache.domain_sid", discard_const_p(struct dom_sid
, domain_sid
)) != LDB_SUCCESS
) {
1164 talloc_steal(ldb
, domain_sid
);
1165 talloc_free(tmp_ctx
);
1170 talloc_free(tmp_ctx
);
1175 get domain sid from cache
1177 const struct dom_sid
*samdb_domain_sid_cache_only(struct ldb_context
*ldb
)
1179 return (struct dom_sid
*)ldb_get_opaque(ldb
, "cache.domain_sid");
1182 bool samdb_set_domain_sid(struct ldb_context
*ldb
, const struct dom_sid
*dom_sid_in
)
1184 TALLOC_CTX
*tmp_ctx
;
1185 struct dom_sid
*dom_sid_new
;
1186 struct dom_sid
*dom_sid_old
;
1188 /* see if we have a cached copy */
1189 dom_sid_old
= talloc_get_type(ldb_get_opaque(ldb
,
1190 "cache.domain_sid"), struct dom_sid
);
1192 tmp_ctx
= talloc_new(ldb
);
1193 if (tmp_ctx
== NULL
) {
1197 dom_sid_new
= dom_sid_dup(tmp_ctx
, dom_sid_in
);
1202 /* cache the domain_sid in the ldb */
1203 if (ldb_set_opaque(ldb
, "cache.domain_sid", dom_sid_new
) != LDB_SUCCESS
) {
1207 talloc_steal(ldb
, dom_sid_new
);
1208 talloc_free(tmp_ctx
);
1209 talloc_free(dom_sid_old
);
1214 DEBUG(1,("Failed to set our own cached domain SID in the ldb!\n"));
1215 talloc_free(tmp_ctx
);
1219 bool samdb_set_ntds_settings_dn(struct ldb_context
*ldb
, struct ldb_dn
*ntds_settings_dn_in
)
1221 TALLOC_CTX
*tmp_ctx
;
1222 struct ldb_dn
*ntds_settings_dn_new
;
1223 struct ldb_dn
*ntds_settings_dn_old
;
1225 /* see if we have a cached copy */
1226 ntds_settings_dn_old
= talloc_get_type(ldb_get_opaque(ldb
,
1227 "cache.ntds_settings_dn"), struct ldb_dn
);
1229 tmp_ctx
= talloc_new(ldb
);
1230 if (tmp_ctx
== NULL
) {
1234 ntds_settings_dn_new
= ldb_dn_copy(tmp_ctx
, ntds_settings_dn_in
);
1235 if (!ntds_settings_dn_new
) {
1239 /* cache the domain_sid in the ldb */
1240 if (ldb_set_opaque(ldb
, "cache.ntds_settings_dn", ntds_settings_dn_new
) != LDB_SUCCESS
) {
1244 talloc_steal(ldb
, ntds_settings_dn_new
);
1245 talloc_free(tmp_ctx
);
1246 talloc_free(ntds_settings_dn_old
);
1251 DEBUG(1,("Failed to set our NTDS Settings DN in the ldb!\n"));
1252 talloc_free(tmp_ctx
);
1256 /* Obtain the short name of the flexible single master operator
1257 * (FSMO), such as the PDC Emulator */
1258 const char *samdb_result_fsmo_name(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
, const struct ldb_message
*msg
,
1261 /* Format is cn=NTDS Settings,cn=<NETBIOS name of FSMO>,.... */
1262 struct ldb_dn
*fsmo_dn
= ldb_msg_find_attr_as_dn(ldb
, mem_ctx
, msg
, attr
);
1263 const struct ldb_val
*val
= ldb_dn_get_component_val(fsmo_dn
, 1);
1264 const char *name
= ldb_dn_get_component_name(fsmo_dn
, 1);
1266 if (!name
|| (ldb_attr_cmp(name
, "cn") != 0)) {
1267 /* Ensure this matches the format. This gives us a
1268 * bit more confidence that a 'cn' value will be a
1273 return (char *)val
->data
;
1279 work out the ntds settings dn for the current open ldb
1281 struct ldb_dn
*samdb_ntds_settings_dn(struct ldb_context
*ldb
)
1283 TALLOC_CTX
*tmp_ctx
;
1284 const char *root_attrs
[] = { "dsServiceName", NULL
};
1286 struct ldb_result
*root_res
;
1287 struct ldb_dn
*settings_dn
;
1289 /* see if we have a cached copy */
1290 settings_dn
= (struct ldb_dn
*)ldb_get_opaque(ldb
, "cache.ntds_settings_dn");
1295 tmp_ctx
= talloc_new(ldb
);
1296 if (tmp_ctx
== NULL
) {
1300 ret
= ldb_search(ldb
, tmp_ctx
, &root_res
, ldb_dn_new(tmp_ctx
, ldb
, ""), LDB_SCOPE_BASE
, root_attrs
, NULL
);
1302 DEBUG(1,("Searching for dsServiceName in rootDSE failed: %s\n",
1303 ldb_errstring(ldb
)));
1307 if (root_res
->count
!= 1) {
1311 settings_dn
= ldb_msg_find_attr_as_dn(ldb
, tmp_ctx
, root_res
->msgs
[0], "dsServiceName");
1313 /* cache the domain_sid in the ldb */
1314 if (ldb_set_opaque(ldb
, "cache.settings_dn", settings_dn
) != LDB_SUCCESS
) {
1318 talloc_steal(ldb
, settings_dn
);
1319 talloc_free(tmp_ctx
);
1324 DEBUG(1,("Failed to find our own NTDS Settings DN in the ldb!\n"));
1325 talloc_free(tmp_ctx
);
1330 work out the ntds settings invocationId for the current open ldb
1332 const struct GUID
*samdb_ntds_invocation_id(struct ldb_context
*ldb
)
1334 TALLOC_CTX
*tmp_ctx
;
1335 const char *attrs
[] = { "invocationId", NULL
};
1337 struct ldb_result
*res
;
1338 struct GUID
*invocation_id
;
1340 /* see if we have a cached copy */
1341 invocation_id
= (struct GUID
*)ldb_get_opaque(ldb
, "cache.invocation_id");
1342 if (invocation_id
) {
1343 return invocation_id
;
1346 tmp_ctx
= talloc_new(ldb
);
1347 if (tmp_ctx
== NULL
) {
1351 ret
= ldb_search(ldb
, tmp_ctx
, &res
, samdb_ntds_settings_dn(ldb
), LDB_SCOPE_BASE
, attrs
, NULL
);
1356 if (res
->count
!= 1) {
1360 invocation_id
= talloc(tmp_ctx
, struct GUID
);
1361 if (!invocation_id
) {
1365 *invocation_id
= samdb_result_guid(res
->msgs
[0], "invocationId");
1367 /* cache the domain_sid in the ldb */
1368 if (ldb_set_opaque(ldb
, "cache.invocation_id", invocation_id
) != LDB_SUCCESS
) {
1372 talloc_steal(ldb
, invocation_id
);
1373 talloc_free(tmp_ctx
);
1375 return invocation_id
;
1378 DEBUG(1,("Failed to find our own NTDS Settings invocationId in the ldb!\n"));
1379 talloc_free(tmp_ctx
);
1383 bool samdb_set_ntds_invocation_id(struct ldb_context
*ldb
, const struct GUID
*invocation_id_in
)
1385 TALLOC_CTX
*tmp_ctx
;
1386 struct GUID
*invocation_id_new
;
1387 struct GUID
*invocation_id_old
;
1389 /* see if we have a cached copy */
1390 invocation_id_old
= (struct GUID
*)ldb_get_opaque(ldb
,
1391 "cache.invocation_id");
1393 tmp_ctx
= talloc_new(ldb
);
1394 if (tmp_ctx
== NULL
) {
1398 invocation_id_new
= talloc(tmp_ctx
, struct GUID
);
1399 if (!invocation_id_new
) {
1403 *invocation_id_new
= *invocation_id_in
;
1405 /* cache the domain_sid in the ldb */
1406 if (ldb_set_opaque(ldb
, "cache.invocation_id", invocation_id_new
) != LDB_SUCCESS
) {
1410 talloc_steal(ldb
, invocation_id_new
);
1411 talloc_free(tmp_ctx
);
1412 talloc_free(invocation_id_old
);
1417 DEBUG(1,("Failed to set our own cached invocationId in the ldb!\n"));
1418 talloc_free(tmp_ctx
);
1423 work out the ntds settings objectGUID for the current open ldb
1425 const struct GUID
*samdb_ntds_objectGUID(struct ldb_context
*ldb
)
1427 TALLOC_CTX
*tmp_ctx
;
1428 const char *attrs
[] = { "objectGUID", NULL
};
1430 struct ldb_result
*res
;
1431 struct GUID
*ntds_guid
;
1433 /* see if we have a cached copy */
1434 ntds_guid
= (struct GUID
*)ldb_get_opaque(ldb
, "cache.ntds_guid");
1439 tmp_ctx
= talloc_new(ldb
);
1440 if (tmp_ctx
== NULL
) {
1444 ret
= ldb_search(ldb
, tmp_ctx
, &res
, samdb_ntds_settings_dn(ldb
), LDB_SCOPE_BASE
, attrs
, NULL
);
1449 if (res
->count
!= 1) {
1453 ntds_guid
= talloc(tmp_ctx
, struct GUID
);
1458 *ntds_guid
= samdb_result_guid(res
->msgs
[0], "objectGUID");
1460 /* cache the domain_sid in the ldb */
1461 if (ldb_set_opaque(ldb
, "cache.ntds_guid", ntds_guid
) != LDB_SUCCESS
) {
1465 talloc_steal(ldb
, ntds_guid
);
1466 talloc_free(tmp_ctx
);
1471 DEBUG(1,("Failed to find our own NTDS Settings objectGUID in the ldb!\n"));
1472 talloc_free(tmp_ctx
);
1476 bool samdb_set_ntds_objectGUID(struct ldb_context
*ldb
, const struct GUID
*ntds_guid_in
)
1478 TALLOC_CTX
*tmp_ctx
;
1479 struct GUID
*ntds_guid_new
;
1480 struct GUID
*ntds_guid_old
;
1482 /* see if we have a cached copy */
1483 ntds_guid_old
= (struct GUID
*)ldb_get_opaque(ldb
, "cache.ntds_guid");
1485 tmp_ctx
= talloc_new(ldb
);
1486 if (tmp_ctx
== NULL
) {
1490 ntds_guid_new
= talloc(tmp_ctx
, struct GUID
);
1491 if (!ntds_guid_new
) {
1495 *ntds_guid_new
= *ntds_guid_in
;
1497 /* cache the domain_sid in the ldb */
1498 if (ldb_set_opaque(ldb
, "cache.ntds_guid", ntds_guid_new
) != LDB_SUCCESS
) {
1502 talloc_steal(ldb
, ntds_guid_new
);
1503 talloc_free(tmp_ctx
);
1504 talloc_free(ntds_guid_old
);
1509 DEBUG(1,("Failed to set our own cached invocationId in the ldb!\n"));
1510 talloc_free(tmp_ctx
);
1515 work out the server dn for the current open ldb
1517 struct ldb_dn
*samdb_server_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
)
1519 return ldb_dn_get_parent(mem_ctx
, samdb_ntds_settings_dn(ldb
));
1523 work out the server dn for the current open ldb
1525 struct ldb_dn
*samdb_server_site_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
)
1527 struct ldb_dn
*server_dn
;
1528 struct ldb_dn
*servers_dn
;
1529 struct ldb_dn
*server_site_dn
;
1531 /* TODO: there must be a saner way to do this!! */
1532 server_dn
= samdb_server_dn(ldb
, mem_ctx
);
1533 if (!server_dn
) return NULL
;
1535 servers_dn
= ldb_dn_get_parent(mem_ctx
, server_dn
);
1536 talloc_free(server_dn
);
1537 if (!servers_dn
) return NULL
;
1539 server_site_dn
= ldb_dn_get_parent(mem_ctx
, servers_dn
);
1540 talloc_free(servers_dn
);
1542 return server_site_dn
;
1546 find a 'reference' DN that points at another object
1547 (eg. serverReference, rIDManagerReference etc)
1549 int samdb_reference_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
*base
,
1550 const char *attribute
, struct ldb_dn
**dn
)
1552 const char *attrs
[2];
1553 struct ldb_result
*res
;
1556 attrs
[0] = attribute
;
1559 ret
= ldb_search(ldb
, mem_ctx
, &res
, base
, LDB_SCOPE_BASE
, attrs
, NULL
);
1560 if (ret
!= LDB_SUCCESS
) {
1563 if (res
->count
!= 1) {
1565 return LDB_ERR_NO_SUCH_OBJECT
;
1568 *dn
= ldb_msg_find_attr_as_dn(ldb
, mem_ctx
, res
->msgs
[0], attribute
);
1571 return LDB_ERR_NO_SUCH_ATTRIBUTE
;
1579 find our machine account via the serverReference attribute in the
1582 int samdb_server_reference_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
**dn
)
1584 struct ldb_dn
*server_dn
;
1587 server_dn
= samdb_server_dn(ldb
, mem_ctx
);
1588 if (server_dn
== NULL
) {
1589 return LDB_ERR_NO_SUCH_OBJECT
;
1592 ret
= samdb_reference_dn(ldb
, mem_ctx
, server_dn
, "serverReference", dn
);
1593 talloc_free(server_dn
);
1599 find the RID Manager$ DN via the rIDManagerReference attribute in the
1602 int samdb_rid_manager_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
**dn
)
1604 return samdb_reference_dn(ldb
, mem_ctx
, ldb_get_default_basedn(ldb
),
1605 "rIDManagerReference", dn
);
1609 find the RID Set DN via the rIDSetReferences attribute in our
1612 int samdb_rid_set_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
**dn
)
1614 struct ldb_dn
*server_ref_dn
;
1617 ret
= samdb_server_reference_dn(ldb
, mem_ctx
, &server_ref_dn
);
1618 if (ret
!= LDB_SUCCESS
) {
1621 ret
= samdb_reference_dn(ldb
, mem_ctx
, server_ref_dn
, "rIDSetReferences", dn
);
1622 talloc_free(server_ref_dn
);
1626 const char *samdb_server_site_name(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
)
1628 const struct ldb_val
*val
= ldb_dn_get_rdn_val(samdb_server_site_dn(ldb
,
1635 return (const char *) val
->data
;
1639 * Finds the client site by using the client's IP address.
1640 * The "subnet_name" returns the name of the subnet if parameter != NULL
1642 const char *samdb_client_site_name(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
,
1643 const char *ip_address
, char **subnet_name
)
1645 const char *attrs
[] = { "cn", "siteObject", NULL
};
1646 struct ldb_dn
*sites_container_dn
, *subnets_dn
, *sites_dn
;
1647 struct ldb_result
*res
;
1648 const struct ldb_val
*val
;
1649 const char *site_name
= NULL
, *l_subnet_name
= NULL
;
1650 const char *allow_list
[2] = { NULL
, NULL
};
1651 unsigned int i
, count
;
1655 * if we don't have a client ip e.g. ncalrpc
1656 * the server site is the client site
1658 if (ip_address
== NULL
) {
1659 return samdb_server_site_name(ldb
, mem_ctx
);
1662 sites_container_dn
= samdb_sites_dn(ldb
, mem_ctx
);
1663 if (sites_container_dn
== NULL
) {
1667 subnets_dn
= ldb_dn_copy(mem_ctx
, sites_container_dn
);
1668 if ( ! ldb_dn_add_child_fmt(subnets_dn
, "CN=Subnets")) {
1669 talloc_free(sites_container_dn
);
1670 talloc_free(subnets_dn
);
1674 ret
= ldb_search(ldb
, mem_ctx
, &res
, subnets_dn
, LDB_SCOPE_ONELEVEL
,
1676 if (ret
== LDB_ERR_NO_SUCH_OBJECT
) {
1678 } else if (ret
!= LDB_SUCCESS
) {
1679 talloc_free(sites_container_dn
);
1680 talloc_free(subnets_dn
);
1686 for (i
= 0; i
< count
; i
++) {
1687 l_subnet_name
= ldb_msg_find_attr_as_string(res
->msgs
[i
], "cn",
1690 allow_list
[0] = l_subnet_name
;
1692 if (allow_access(mem_ctx
, NULL
, allow_list
, "", ip_address
)) {
1693 sites_dn
= ldb_msg_find_attr_as_dn(ldb
, mem_ctx
,
1696 if (sites_dn
== NULL
) {
1697 /* No reference, maybe another subnet matches */
1701 /* "val" cannot be NULL here since "sites_dn" != NULL */
1702 val
= ldb_dn_get_rdn_val(sites_dn
);
1703 site_name
= talloc_strdup(mem_ctx
,
1704 (const char *) val
->data
);
1706 talloc_free(sites_dn
);
1712 if (site_name
== NULL
) {
1713 /* This is the Windows Server fallback rule: when no subnet
1714 * exists and we have only one site available then use it (it
1715 * is for sure the same as our server site). If more sites do
1716 * exist then we don't know which one to use and set the site
1718 cnt
= samdb_search_count(ldb
, sites_container_dn
,
1719 "(objectClass=site)");
1721 site_name
= samdb_server_site_name(ldb
, mem_ctx
);
1723 site_name
= talloc_strdup(mem_ctx
, "");
1725 l_subnet_name
= NULL
;
1728 if (subnet_name
!= NULL
) {
1729 *subnet_name
= talloc_strdup(mem_ctx
, l_subnet_name
);
1732 talloc_free(sites_container_dn
);
1733 talloc_free(subnets_dn
);
1740 work out if we are the PDC for the domain of the current open ldb
1742 bool samdb_is_pdc(struct ldb_context
*ldb
)
1744 const char *dom_attrs
[] = { "fSMORoleOwner", NULL
};
1746 struct ldb_result
*dom_res
;
1747 TALLOC_CTX
*tmp_ctx
;
1751 tmp_ctx
= talloc_new(ldb
);
1752 if (tmp_ctx
== NULL
) {
1753 DEBUG(1, ("talloc_new failed in samdb_is_pdc"));
1757 ret
= ldb_search(ldb
, tmp_ctx
, &dom_res
, ldb_get_default_basedn(ldb
), LDB_SCOPE_BASE
, dom_attrs
, NULL
);
1759 DEBUG(1,("Searching for fSMORoleOwner in %s failed: %s\n",
1760 ldb_dn_get_linearized(ldb_get_default_basedn(ldb
)),
1761 ldb_errstring(ldb
)));
1764 if (dom_res
->count
!= 1) {
1768 pdc
= ldb_msg_find_attr_as_dn(ldb
, tmp_ctx
, dom_res
->msgs
[0], "fSMORoleOwner");
1770 if (ldb_dn_compare(samdb_ntds_settings_dn(ldb
), pdc
) == 0) {
1776 talloc_free(tmp_ctx
);
1781 DEBUG(1,("Failed to find if we are the PDC for this ldb\n"));
1782 talloc_free(tmp_ctx
);
1787 work out if we are a Global Catalog server for the domain of the current open ldb
1789 bool samdb_is_gc(struct ldb_context
*ldb
)
1791 const char *attrs
[] = { "options", NULL
};
1793 struct ldb_result
*res
;
1794 TALLOC_CTX
*tmp_ctx
;
1796 tmp_ctx
= talloc_new(ldb
);
1797 if (tmp_ctx
== NULL
) {
1798 DEBUG(1, ("talloc_new failed in samdb_is_pdc"));
1802 /* Query cn=ntds settings,.... */
1803 ret
= ldb_search(ldb
, tmp_ctx
, &res
, samdb_ntds_settings_dn(ldb
), LDB_SCOPE_BASE
, attrs
, NULL
);
1805 talloc_free(tmp_ctx
);
1808 if (res
->count
!= 1) {
1809 talloc_free(tmp_ctx
);
1813 options
= ldb_msg_find_attr_as_int(res
->msgs
[0], "options", 0);
1814 talloc_free(tmp_ctx
);
1816 /* if options attribute has the 0x00000001 flag set, then enable the global catlog */
1817 if (options
& 0x000000001) {
1823 /* Find a domain object in the parents of a particular DN. */
1824 int samdb_search_for_parent_domain(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
*dn
,
1825 struct ldb_dn
**parent_dn
, const char **errstring
)
1827 TALLOC_CTX
*local_ctx
;
1828 struct ldb_dn
*sdn
= dn
;
1829 struct ldb_result
*res
= NULL
;
1831 const char *attrs
[] = { NULL
};
1833 local_ctx
= talloc_new(mem_ctx
);
1834 if (local_ctx
== NULL
) return LDB_ERR_OPERATIONS_ERROR
;
1836 while ((sdn
= ldb_dn_get_parent(local_ctx
, sdn
))) {
1837 ret
= ldb_search(ldb
, local_ctx
, &res
, sdn
, LDB_SCOPE_BASE
, attrs
,
1838 "(|(objectClass=domain)(objectClass=builtinDomain))");
1839 if (ret
== LDB_SUCCESS
) {
1840 if (res
->count
== 1) {
1848 if (ret
!= LDB_SUCCESS
) {
1849 *errstring
= talloc_asprintf(mem_ctx
, "Error searching for parent domain of %s, failed searching for %s: %s",
1850 ldb_dn_get_linearized(dn
),
1851 ldb_dn_get_linearized(sdn
),
1852 ldb_errstring(ldb
));
1853 talloc_free(local_ctx
);
1856 if (res
->count
!= 1) {
1857 *errstring
= talloc_asprintf(mem_ctx
, "Invalid dn (%s), not child of a domain object",
1858 ldb_dn_get_linearized(dn
));
1859 DEBUG(0,(__location__
": %s\n", *errstring
));
1860 talloc_free(local_ctx
);
1861 return LDB_ERR_CONSTRAINT_VIOLATION
;
1864 *parent_dn
= talloc_steal(mem_ctx
, res
->msgs
[0]->dn
);
1865 talloc_free(local_ctx
);
1871 * Performs checks on a user password (plaintext UNIX format - attribute
1872 * "password"). The remaining parameters have to be extracted from the domain
1875 * Result codes from "enum samr_ValidationStatus" (consider "samr.idl")
1877 enum samr_ValidationStatus
samdb_check_password(const DATA_BLOB
*password
,
1878 const uint32_t pwdProperties
,
1879 const uint32_t minPwdLength
)
1881 /* checks if the "minPwdLength" property is satisfied */
1882 if (minPwdLength
> password
->length
)
1883 return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT
;
1885 /* checks the password complexity */
1886 if (((pwdProperties
& DOMAIN_PASSWORD_COMPLEX
) != 0)
1887 && (password
->data
!= NULL
)
1888 && (!check_password_quality((const char *) password
->data
)))
1889 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH
;
1891 return SAMR_VALIDATION_STATUS_SUCCESS
;
1895 * Callback for "samdb_set_password" password change
1897 int samdb_set_password_callback(struct ldb_request
*req
, struct ldb_reply
*ares
)
1902 return ldb_request_done(req
, LDB_ERR_OPERATIONS_ERROR
);
1905 if (ares
->error
!= LDB_SUCCESS
) {
1907 req
->context
= talloc_steal(req
,
1908 ldb_reply_get_control(ares
, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID
));
1910 return ldb_request_done(req
, ret
);
1913 if (ares
->type
!= LDB_REPLY_DONE
) {
1915 return ldb_request_done(req
, LDB_ERR_OPERATIONS_ERROR
);
1918 req
->context
= talloc_steal(req
,
1919 ldb_reply_get_control(ares
, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID
));
1921 return ldb_request_done(req
, LDB_SUCCESS
);
1925 * Sets the user password using plaintext UTF16 (attribute "new_password") or
1926 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
1927 * as parameter if it's a user change or not ("userChange"). The "rejectReason"
1928 * gives some more informations if the changed failed.
1930 * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
1931 * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
1932 * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION
1934 NTSTATUS
samdb_set_password(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
,
1935 struct ldb_dn
*user_dn
, struct ldb_dn
*domain_dn
,
1936 const DATA_BLOB
*new_password
,
1937 struct samr_Password
*lmNewHash
,
1938 struct samr_Password
*ntNewHash
,
1940 enum samPwdChangeReason
*reject_reason
,
1941 struct samr_DomInfo1
**_dominfo
)
1943 struct ldb_message
*msg
;
1944 struct ldb_message_element
*el
;
1945 struct ldb_request
*req
;
1946 struct dsdb_control_password_change_status
*pwd_stat
= NULL
;
1950 #define CHECK_RET(x) \
1951 if (x != LDB_SUCCESS) { \
1953 return NT_STATUS_NO_MEMORY; \
1956 msg
= ldb_msg_new(mem_ctx
);
1958 return NT_STATUS_NO_MEMORY
;
1961 if ((new_password
!= NULL
)
1962 && ((lmNewHash
== NULL
) && (ntNewHash
== NULL
))) {
1963 /* we have the password as plaintext UTF16 */
1964 CHECK_RET(samdb_msg_add_value(ldb
, mem_ctx
, msg
,
1965 "clearTextPassword", new_password
));
1966 el
= ldb_msg_find_element(msg
, "clearTextPassword");
1967 el
->flags
= LDB_FLAG_MOD_REPLACE
;
1968 } else if ((new_password
== NULL
)
1969 && ((lmNewHash
!= NULL
) || (ntNewHash
!= NULL
))) {
1970 /* we have a password as LM and/or NT hash */
1971 if (lmNewHash
!= NULL
) {
1972 CHECK_RET(samdb_msg_add_hash(ldb
, mem_ctx
, msg
,
1973 "dBCSPwd", lmNewHash
));
1974 el
= ldb_msg_find_element(msg
, "dBCSPwd");
1975 el
->flags
= LDB_FLAG_MOD_REPLACE
;
1977 if (ntNewHash
!= NULL
) {
1978 CHECK_RET(samdb_msg_add_hash(ldb
, mem_ctx
, msg
,
1979 "unicodePwd", ntNewHash
));
1980 el
= ldb_msg_find_element(msg
, "unicodePwd");
1981 el
->flags
= LDB_FLAG_MOD_REPLACE
;
1984 /* the password wasn't specified correctly */
1986 return NT_STATUS_INVALID_PARAMETER
;
1989 /* build modify request */
1990 ret
= ldb_build_mod_req(&req
, ldb
, mem_ctx
, msg
, NULL
, NULL
,
1991 samdb_set_password_callback
, NULL
);
1992 if (ret
!= LDB_SUCCESS
) {
1994 return NT_STATUS_NO_MEMORY
;
1998 /* a user password change and we've checked already the old
1999 * password somewhere else (callers responsability) */
2000 ret
= ldb_request_add_control(req
,
2001 DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID
,
2003 if (ret
!= LDB_SUCCESS
) {
2006 return NT_STATUS_NO_MEMORY
;
2009 ret
= ldb_request_add_control(req
,
2010 DSDB_CONTROL_PASSWORD_HASH_VALUES_OID
,
2012 if (ret
!= LDB_SUCCESS
) {
2015 return NT_STATUS_NO_MEMORY
;
2017 ret
= ldb_request_add_control(req
,
2018 DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID
,
2020 if (ret
!= LDB_SUCCESS
) {
2023 return NT_STATUS_NO_MEMORY
;
2026 ret
= dsdb_autotransaction_request(ldb
, req
);
2028 if (req
->context
!= NULL
) {
2029 pwd_stat
= talloc_steal(mem_ctx
,
2030 ((struct ldb_control
*)req
->context
)->data
);
2036 /* Sets the domain info (if requested) */
2037 if (_dominfo
!= NULL
) {
2038 struct samr_DomInfo1
*dominfo
;
2040 dominfo
= talloc_zero(mem_ctx
, struct samr_DomInfo1
);
2041 if (dominfo
== NULL
) {
2042 return NT_STATUS_NO_MEMORY
;
2045 if (pwd_stat
!= NULL
) {
2046 dominfo
->min_password_length
= pwd_stat
->domain_data
.minPwdLength
;
2047 dominfo
->password_properties
= pwd_stat
->domain_data
.pwdProperties
;
2048 dominfo
->password_history_length
= pwd_stat
->domain_data
.pwdHistoryLength
;
2049 dominfo
->max_password_age
= pwd_stat
->domain_data
.maxPwdAge
;
2050 dominfo
->min_password_age
= pwd_stat
->domain_data
.minPwdAge
;
2053 *_dominfo
= dominfo
;
2056 if (reject_reason
!= NULL
) {
2057 if (pwd_stat
!= NULL
) {
2058 *reject_reason
= pwd_stat
->reject_reason
;
2060 *reject_reason
= SAM_PWD_CHANGE_NO_ERROR
;
2064 if (pwd_stat
!= NULL
) {
2065 talloc_free(pwd_stat
);
2068 /* TODO: Error results taken from "password_hash" module. Are they
2070 if (ret
== LDB_ERR_UNWILLING_TO_PERFORM
) {
2071 status
= NT_STATUS_WRONG_PASSWORD
;
2072 } else if (ret
== LDB_ERR_CONSTRAINT_VIOLATION
) {
2073 status
= NT_STATUS_PASSWORD_RESTRICTION
;
2074 } else if (ret
!= LDB_SUCCESS
) {
2075 status
= NT_STATUS_UNSUCCESSFUL
;
2077 status
= NT_STATUS_OK
;
2084 * Sets the user password using plaintext UTF16 (attribute "new_password") or
2085 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
2086 * as parameter if it's a user change or not ("userChange"). The "rejectReason"
2087 * gives some more informations if the changed failed.
2089 * This wrapper function for "samdb_set_password" takes a SID as input rather
2092 * This call encapsulates a new LDB transaction for changing the password;
2093 * therefore the user hasn't to start a new one.
2095 * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
2096 * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
2097 * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION
2099 NTSTATUS
samdb_set_password_sid(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
,
2100 const struct dom_sid
*user_sid
,
2101 const DATA_BLOB
*new_password
,
2102 struct samr_Password
*lmNewHash
,
2103 struct samr_Password
*ntNewHash
,
2105 enum samPwdChangeReason
*reject_reason
,
2106 struct samr_DomInfo1
**_dominfo
)
2109 struct ldb_dn
*user_dn
;
2112 ret
= ldb_transaction_start(ldb
);
2113 if (ret
!= LDB_SUCCESS
) {
2114 DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(ldb
)));
2115 return NT_STATUS_TRANSACTION_ABORTED
;
2118 user_dn
= samdb_search_dn(ldb
, mem_ctx
, NULL
,
2119 "(&(objectSid=%s)(objectClass=user))",
2120 ldap_encode_ndr_dom_sid(mem_ctx
, user_sid
));
2122 ldb_transaction_cancel(ldb
);
2123 DEBUG(3, ("samdb_set_password_sid: SID %s not found in samdb, returning NO_SUCH_USER\n",
2124 dom_sid_string(mem_ctx
, user_sid
)));
2125 return NT_STATUS_NO_SUCH_USER
;
2128 nt_status
= samdb_set_password(ldb
, mem_ctx
,
2131 lmNewHash
, ntNewHash
,
2133 reject_reason
, _dominfo
);
2134 if (!NT_STATUS_IS_OK(nt_status
)) {
2135 ldb_transaction_cancel(ldb
);
2136 talloc_free(user_dn
);
2140 ret
= ldb_transaction_commit(ldb
);
2141 if (ret
!= LDB_SUCCESS
) {
2142 DEBUG(0,("Failed to commit transaction to change password on %s: %s\n",
2143 ldb_dn_get_linearized(user_dn
),
2144 ldb_errstring(ldb
)));
2145 talloc_free(user_dn
);
2146 return NT_STATUS_TRANSACTION_ABORTED
;
2149 talloc_free(user_dn
);
2150 return NT_STATUS_OK
;
2154 NTSTATUS
samdb_create_foreign_security_principal(struct ldb_context
*sam_ctx
, TALLOC_CTX
*mem_ctx
,
2155 struct dom_sid
*sid
, struct ldb_dn
**ret_dn
)
2157 struct ldb_message
*msg
;
2158 struct ldb_dn
*basedn
;
2162 sidstr
= dom_sid_string(mem_ctx
, sid
);
2163 NT_STATUS_HAVE_NO_MEMORY(sidstr
);
2165 /* We might have to create a ForeignSecurityPrincipal, even if this user
2166 * is in our own domain */
2168 msg
= ldb_msg_new(sidstr
);
2170 talloc_free(sidstr
);
2171 return NT_STATUS_NO_MEMORY
;
2174 ret
= dsdb_wellknown_dn(sam_ctx
, sidstr
,
2175 ldb_get_default_basedn(sam_ctx
),
2176 DS_GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER
,
2178 if (ret
!= LDB_SUCCESS
) {
2179 DEBUG(0, ("Failed to find DN for "
2180 "ForeignSecurityPrincipal container - %s\n", ldb_errstring(sam_ctx
)));
2181 talloc_free(sidstr
);
2182 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
2185 /* add core elements to the ldb_message for the alias */
2187 if ( ! ldb_dn_add_child_fmt(msg
->dn
, "CN=%s", sidstr
)) {
2188 talloc_free(sidstr
);
2189 return NT_STATUS_NO_MEMORY
;
2192 samdb_msg_add_string(sam_ctx
, msg
, msg
,
2194 "foreignSecurityPrincipal");
2196 /* create the alias */
2197 ret
= ldb_add(sam_ctx
, msg
);
2198 if (ret
!= LDB_SUCCESS
) {
2199 DEBUG(0,("Failed to create foreignSecurityPrincipal "
2201 ldb_dn_get_linearized(msg
->dn
),
2202 ldb_errstring(sam_ctx
)));
2203 talloc_free(sidstr
);
2204 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
2207 *ret_dn
= talloc_steal(mem_ctx
, msg
->dn
);
2208 talloc_free(sidstr
);
2210 return NT_STATUS_OK
;
2215 Find the DN of a domain, assuming it to be a dotted.dns name
2218 struct ldb_dn
*samdb_dns_domain_to_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
, const char *dns_domain
)
2221 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
2222 const char *binary_encoded
;
2223 const char **split_realm
;
2230 split_realm
= (const char **)str_list_make(tmp_ctx
, dns_domain
, ".");
2232 talloc_free(tmp_ctx
);
2235 dn
= ldb_dn_new(mem_ctx
, ldb
, NULL
);
2236 for (i
=0; split_realm
[i
]; i
++) {
2237 binary_encoded
= ldb_binary_encode_string(tmp_ctx
, split_realm
[i
]);
2238 if (!ldb_dn_add_base_fmt(dn
, "dc=%s", binary_encoded
)) {
2239 DEBUG(2, ("Failed to add dc=%s element to DN %s\n",
2240 binary_encoded
, ldb_dn_get_linearized(dn
)));
2241 talloc_free(tmp_ctx
);
2245 if (!ldb_dn_validate(dn
)) {
2246 DEBUG(2, ("Failed to validated DN %s\n",
2247 ldb_dn_get_linearized(dn
)));
2248 talloc_free(tmp_ctx
);
2251 talloc_free(tmp_ctx
);
2256 Find the DN of a domain, be it the netbios or DNS name
2258 struct ldb_dn
*samdb_domain_to_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
,
2259 const char *domain_name
)
2261 const char * const domain_ref_attrs
[] = {
2264 const char * const domain_ref2_attrs
[] = {
2267 struct ldb_result
*res_domain_ref
;
2268 char *escaped_domain
= ldb_binary_encode_string(mem_ctx
, domain_name
);
2269 /* find the domain's DN */
2270 int ret_domain
= ldb_search(ldb
, mem_ctx
,
2272 samdb_partitions_dn(ldb
, mem_ctx
),
2275 "(&(nETBIOSName=%s)(objectclass=crossRef))",
2277 if (ret_domain
!= 0) {
2281 if (res_domain_ref
->count
== 0) {
2282 ret_domain
= ldb_search(ldb
, mem_ctx
,
2284 samdb_dns_domain_to_dn(ldb
, mem_ctx
, domain_name
),
2287 "(objectclass=domain)");
2288 if (ret_domain
!= 0) {
2292 if (res_domain_ref
->count
== 1) {
2293 return res_domain_ref
->msgs
[0]->dn
;
2298 if (res_domain_ref
->count
> 1) {
2299 DEBUG(0,("Found %d records matching domain [%s]\n",
2300 ret_domain
, domain_name
));
2304 return samdb_result_dn(ldb
, mem_ctx
, res_domain_ref
->msgs
[0], "nCName", NULL
);
2310 use a GUID to find a DN
2312 int dsdb_find_dn_by_guid(struct ldb_context
*ldb
,
2313 TALLOC_CTX
*mem_ctx
,
2314 const struct GUID
*guid
, struct ldb_dn
**dn
)
2317 struct ldb_result
*res
;
2318 const char *attrs
[] = { NULL
};
2319 char *guid_str
= GUID_string(mem_ctx
, guid
);
2322 return LDB_ERR_OPERATIONS_ERROR
;
2325 ret
= dsdb_search(ldb
, mem_ctx
, &res
, NULL
, LDB_SCOPE_SUBTREE
, attrs
,
2326 DSDB_SEARCH_SEARCH_ALL_PARTITIONS
|
2327 DSDB_SEARCH_SHOW_EXTENDED_DN
|
2328 DSDB_SEARCH_ONE_ONLY
,
2329 "objectGUID=%s", guid_str
);
2330 talloc_free(guid_str
);
2331 if (ret
!= LDB_SUCCESS
) {
2335 *dn
= talloc_steal(mem_ctx
, res
->msgs
[0]->dn
);
2342 use a DN to find a GUID with a given attribute name
2344 int dsdb_find_guid_attr_by_dn(struct ldb_context
*ldb
,
2345 struct ldb_dn
*dn
, const char *attribute
,
2349 struct ldb_result
*res
;
2350 const char *attrs
[2];
2351 TALLOC_CTX
*tmp_ctx
= talloc_new(ldb
);
2353 attrs
[0] = attribute
;
2356 ret
= dsdb_search_dn(ldb
, tmp_ctx
, &res
, dn
, attrs
, DSDB_SEARCH_SHOW_DELETED
);
2357 if (ret
!= LDB_SUCCESS
) {
2358 talloc_free(tmp_ctx
);
2361 if (res
->count
< 1) {
2362 talloc_free(tmp_ctx
);
2363 return LDB_ERR_NO_SUCH_OBJECT
;
2365 *guid
= samdb_result_guid(res
->msgs
[0], attribute
);
2366 talloc_free(tmp_ctx
);
2371 use a DN to find a GUID
2373 int dsdb_find_guid_by_dn(struct ldb_context
*ldb
,
2374 struct ldb_dn
*dn
, struct GUID
*guid
)
2376 return dsdb_find_guid_attr_by_dn(ldb
, dn
, "objectGUID", guid
);
2382 adds the given GUID to the given ldb_message. This value is added
2383 for the given attr_name (may be either "objectGUID" or "parentGUID").
2385 int dsdb_msg_add_guid(struct ldb_message
*msg
,
2387 const char *attr_name
)
2392 TALLOC_CTX
*tmp_ctx
= talloc_init("dsdb_msg_add_guid");
2394 status
= GUID_to_ndr_blob(guid
, tmp_ctx
, &v
);
2395 if (!NT_STATUS_IS_OK(status
)) {
2396 ret
= LDB_ERR_OPERATIONS_ERROR
;
2400 ret
= ldb_msg_add_steal_value(msg
, attr_name
, &v
);
2401 if (ret
!= LDB_SUCCESS
) {
2402 DEBUG(4,(__location__
": Failed to add %s to the message\n",
2410 talloc_free(tmp_ctx
);
2417 use a DN to find a SID
2419 int dsdb_find_sid_by_dn(struct ldb_context
*ldb
,
2420 struct ldb_dn
*dn
, struct dom_sid
*sid
)
2423 struct ldb_result
*res
;
2424 const char *attrs
[] = { "objectSID", NULL
};
2425 TALLOC_CTX
*tmp_ctx
= talloc_new(ldb
);
2430 ret
= dsdb_search_dn(ldb
, tmp_ctx
, &res
, dn
, attrs
, DSDB_SEARCH_SHOW_DELETED
);
2431 if (ret
!= LDB_SUCCESS
) {
2432 talloc_free(tmp_ctx
);
2435 if (res
->count
< 1) {
2436 talloc_free(tmp_ctx
);
2437 return LDB_ERR_NO_SUCH_OBJECT
;
2439 s
= samdb_result_dom_sid(tmp_ctx
, res
->msgs
[0], "objectSID");
2441 talloc_free(tmp_ctx
);
2442 return LDB_ERR_NO_SUCH_OBJECT
;
2445 talloc_free(tmp_ctx
);
2451 load a repsFromTo blob list for a given partition GUID
2452 attr must be "repsFrom" or "repsTo"
2454 WERROR
dsdb_loadreps(struct ldb_context
*sam_ctx
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
*dn
,
2455 const char *attr
, struct repsFromToBlob
**r
, uint32_t *count
)
2457 const char *attrs
[] = { attr
, NULL
};
2458 struct ldb_result
*res
= NULL
;
2459 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
2461 struct ldb_message_element
*el
;
2466 if (ldb_search(sam_ctx
, tmp_ctx
, &res
, dn
, LDB_SCOPE_BASE
, attrs
, NULL
) != LDB_SUCCESS
||
2468 DEBUG(0,("dsdb_loadreps: failed to read partition object\n"));
2469 talloc_free(tmp_ctx
);
2470 return WERR_DS_DRA_INTERNAL_ERROR
;
2473 el
= ldb_msg_find_element(res
->msgs
[0], attr
);
2475 /* it's OK to be empty */
2476 talloc_free(tmp_ctx
);
2480 *count
= el
->num_values
;
2481 *r
= talloc_array(mem_ctx
, struct repsFromToBlob
, *count
);
2483 talloc_free(tmp_ctx
);
2484 return WERR_DS_DRA_INTERNAL_ERROR
;
2487 for (i
=0; i
<(*count
); i
++) {
2488 enum ndr_err_code ndr_err
;
2489 ndr_err
= ndr_pull_struct_blob(&el
->values
[i
],
2490 mem_ctx
, lp_iconv_convenience(ldb_get_opaque(sam_ctx
, "loadparm")),
2492 (ndr_pull_flags_fn_t
)ndr_pull_repsFromToBlob
);
2493 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
2494 talloc_free(tmp_ctx
);
2495 return WERR_DS_DRA_INTERNAL_ERROR
;
2499 talloc_free(tmp_ctx
);
2505 save the repsFromTo blob list for a given partition GUID
2506 attr must be "repsFrom" or "repsTo"
2508 WERROR
dsdb_savereps(struct ldb_context
*sam_ctx
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
*dn
,
2509 const char *attr
, struct repsFromToBlob
*r
, uint32_t count
)
2511 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
2512 struct ldb_message
*msg
;
2513 struct ldb_message_element
*el
;
2516 msg
= ldb_msg_new(tmp_ctx
);
2518 if (ldb_msg_add_empty(msg
, attr
, LDB_FLAG_MOD_REPLACE
, &el
) != LDB_SUCCESS
) {
2522 el
->values
= talloc_array(msg
, struct ldb_val
, count
);
2527 for (i
=0; i
<count
; i
++) {
2529 enum ndr_err_code ndr_err
;
2531 ndr_err
= ndr_push_struct_blob(&v
, tmp_ctx
, lp_iconv_convenience(ldb_get_opaque(sam_ctx
, "loadparm")),
2533 (ndr_push_flags_fn_t
)ndr_push_repsFromToBlob
);
2534 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
2542 if (ldb_modify(sam_ctx
, msg
) != LDB_SUCCESS
) {
2543 DEBUG(0,("Failed to store %s - %s\n", attr
, ldb_errstring(sam_ctx
)));
2547 talloc_free(tmp_ctx
);
2552 talloc_free(tmp_ctx
);
2553 return WERR_DS_DRA_INTERNAL_ERROR
;
2558 load the uSNHighest and the uSNUrgent attributes from the @REPLCHANGED
2559 object for a partition
2561 int dsdb_load_partition_usn(struct ldb_context
*ldb
, struct ldb_dn
*dn
,
2562 uint64_t *uSN
, uint64_t *urgent_uSN
)
2564 struct ldb_request
*req
;
2566 TALLOC_CTX
*tmp_ctx
= talloc_new(ldb
);
2567 struct dsdb_control_current_partition
*p_ctrl
;
2568 struct ldb_result
*res
;
2570 res
= talloc_zero(tmp_ctx
, struct ldb_result
);
2572 talloc_free(tmp_ctx
);
2573 return LDB_ERR_OPERATIONS_ERROR
;
2576 ret
= ldb_build_search_req(&req
, ldb
, tmp_ctx
,
2577 ldb_dn_new(tmp_ctx
, ldb
, "@REPLCHANGED"),
2581 res
, ldb_search_default_callback
,
2583 if (ret
!= LDB_SUCCESS
) {
2584 talloc_free(tmp_ctx
);
2588 p_ctrl
= talloc(req
, struct dsdb_control_current_partition
);
2589 if (p_ctrl
== NULL
) {
2591 return LDB_ERR_OPERATIONS_ERROR
;
2593 p_ctrl
->version
= DSDB_CONTROL_CURRENT_PARTITION_VERSION
;
2597 ret
= ldb_request_add_control(req
,
2598 DSDB_CONTROL_CURRENT_PARTITION_OID
,
2600 if (ret
!= LDB_SUCCESS
) {
2601 talloc_free(tmp_ctx
);
2605 /* Run the new request */
2606 ret
= ldb_request(ldb
, req
);
2608 if (ret
== LDB_SUCCESS
) {
2609 ret
= ldb_wait(req
->handle
, LDB_WAIT_ALL
);
2612 if (ret
== LDB_ERR_NO_SUCH_OBJECT
) {
2613 /* it hasn't been created yet, which means
2614 an implicit value of zero */
2616 talloc_free(tmp_ctx
);
2620 if (ret
!= LDB_SUCCESS
) {
2621 talloc_free(tmp_ctx
);
2625 if (res
->count
< 1) {
2631 *uSN
= ldb_msg_find_attr_as_uint64(res
->msgs
[0], "uSNHighest", 0);
2633 *urgent_uSN
= ldb_msg_find_attr_as_uint64(res
->msgs
[0], "uSNUrgent", 0);
2637 talloc_free(tmp_ctx
);
2642 int drsuapi_DsReplicaCursor2_compare(const struct drsuapi_DsReplicaCursor2
*c1
,
2643 const struct drsuapi_DsReplicaCursor2
*c2
)
2645 return GUID_compare(&c1
->source_dsa_invocation_id
, &c2
->source_dsa_invocation_id
);
2648 int drsuapi_DsReplicaCursor_compare(const struct drsuapi_DsReplicaCursor
*c1
,
2649 const struct drsuapi_DsReplicaCursor
*c2
)
2651 return GUID_compare(&c1
->source_dsa_invocation_id
, &c2
->source_dsa_invocation_id
);
2656 see if a computer identified by its invocationId is a RODC
2658 int samdb_is_rodc(struct ldb_context
*sam_ctx
, const struct GUID
*objectGUID
, bool *is_rodc
)
2660 /* 1) find the DN for this servers NTDSDSA object
2661 2) search for the msDS-isRODC attribute
2662 3) if not present then not a RODC
2663 4) if present and TRUE then is a RODC
2665 struct ldb_dn
*config_dn
;
2666 const char *attrs
[] = { "msDS-isRODC", NULL
};
2668 struct ldb_result
*res
;
2669 TALLOC_CTX
*tmp_ctx
= talloc_new(sam_ctx
);
2671 config_dn
= ldb_get_config_basedn(sam_ctx
);
2673 talloc_free(tmp_ctx
);
2674 return LDB_ERR_OPERATIONS_ERROR
;
2677 ret
= dsdb_search(sam_ctx
, tmp_ctx
, &res
, config_dn
, LDB_SCOPE_SUBTREE
, attrs
,
2678 DSDB_SEARCH_ONE_ONLY
, "objectGUID=%s", GUID_string(tmp_ctx
, objectGUID
));
2680 if (ret
== LDB_ERR_NO_SUCH_OBJECT
) {
2682 talloc_free(tmp_ctx
);
2686 if (ret
!= LDB_SUCCESS
) {
2687 DEBUG(1,(("Failed to find our own NTDS Settings object by objectGUID=%s!\n"),
2688 GUID_string(tmp_ctx
, objectGUID
)));
2690 talloc_free(tmp_ctx
);
2694 ret
= ldb_msg_find_attr_as_bool(res
->msgs
[0], "msDS-isRODC", 0);
2695 *is_rodc
= (ret
== 1);
2697 talloc_free(tmp_ctx
);
2703 see if we are a RODC
2705 int samdb_rodc(struct ldb_context
*sam_ctx
, bool *am_rodc
)
2707 const struct GUID
*objectGUID
;
2708 objectGUID
= samdb_ntds_objectGUID(sam_ctx
);
2710 return LDB_ERR_OPERATIONS_ERROR
;
2712 return samdb_is_rodc(sam_ctx
, objectGUID
, am_rodc
);
2718 return NTDS options flags. See MS-ADTS 7.1.1.2.2.1.2.1.1
2720 flags are DS_NTDS_OPTION_*
2722 int samdb_ntds_options(struct ldb_context
*ldb
, uint32_t *options
)
2724 TALLOC_CTX
*tmp_ctx
;
2725 const char *attrs
[] = { "options", NULL
};
2727 struct ldb_result
*res
;
2729 tmp_ctx
= talloc_new(ldb
);
2730 if (tmp_ctx
== NULL
) {
2734 ret
= ldb_search(ldb
, tmp_ctx
, &res
, samdb_ntds_settings_dn(ldb
), LDB_SCOPE_BASE
, attrs
, NULL
);
2739 if (res
->count
!= 1) {
2743 *options
= samdb_result_uint(res
->msgs
[0], "options", 0);
2745 talloc_free(tmp_ctx
);
2750 DEBUG(1,("Failed to find our own NTDS Settings options in the ldb!\n"));
2751 talloc_free(tmp_ctx
);
2752 return LDB_ERR_NO_SUCH_OBJECT
;
2755 const char* samdb_ntds_object_category(TALLOC_CTX
*tmp_ctx
, struct ldb_context
*ldb
)
2757 const char *attrs
[] = { "objectCategory", NULL
};
2759 struct ldb_result
*res
;
2761 ret
= ldb_search(ldb
, tmp_ctx
, &res
, samdb_ntds_settings_dn(ldb
), LDB_SCOPE_BASE
, attrs
, NULL
);
2766 if (res
->count
!= 1) {
2770 return samdb_result_string(res
->msgs
[0], "objectCategory", NULL
);
2773 DEBUG(1,("Failed to find our own NTDS Settings objectCategory in the ldb!\n"));
2778 * Function which generates a "lDAPDisplayName" attribute from a "CN" one.
2779 * Algorithm implemented according to MS-ADTS 3.1.1.2.3.4
2781 const char *samdb_cn_to_lDAPDisplayName(TALLOC_CTX
*mem_ctx
, const char *cn
)
2783 char **tokens
, *ret
;
2786 tokens
= str_list_make(mem_ctx
, cn
, " -_");
2790 /* "tolower()" and "toupper()" should also work properly on 0x00 */
2791 tokens
[0][0] = tolower(tokens
[0][0]);
2792 for (i
= 1; i
< str_list_length((const char **)tokens
); i
++)
2793 tokens
[i
][0] = toupper(tokens
[i
][0]);
2795 ret
= talloc_strdup(mem_ctx
, tokens
[0]);
2796 for (i
= 1; i
< str_list_length((const char **)tokens
); i
++)
2797 ret
= talloc_asprintf_append_buffer(ret
, "%s", tokens
[i
]);
2799 talloc_free(tokens
);
2805 return domain functional level
2806 returns DS_DOMAIN_FUNCTION_*
2808 int dsdb_functional_level(struct ldb_context
*ldb
)
2810 int *domainFunctionality
=
2811 talloc_get_type(ldb_get_opaque(ldb
, "domainFunctionality"), int);
2812 if (!domainFunctionality
) {
2813 DEBUG(0,(__location__
": WARNING: domainFunctionality not setup\n"));
2814 return DS_DOMAIN_FUNCTION_2000
;
2816 return *domainFunctionality
;
2820 set a GUID in an extended DN structure
2822 int dsdb_set_extended_dn_guid(struct ldb_dn
*dn
, const struct GUID
*guid
, const char *component_name
)
2828 status
= GUID_to_ndr_blob(guid
, dn
, &v
);
2829 if (!NT_STATUS_IS_OK(status
)) {
2830 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
;
2833 ret
= ldb_dn_set_extended_component(dn
, component_name
, &v
);
2839 return a GUID from a extended DN structure
2841 NTSTATUS
dsdb_get_extended_dn_guid(struct ldb_dn
*dn
, struct GUID
*guid
, const char *component_name
)
2843 const struct ldb_val
*v
;
2845 v
= ldb_dn_get_extended_component(dn
, component_name
);
2847 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
2850 return GUID_from_ndr_blob(v
, guid
);
2854 return a uint64_t from a extended DN structure
2856 NTSTATUS
dsdb_get_extended_dn_uint64(struct ldb_dn
*dn
, uint64_t *val
, const char *component_name
)
2858 const struct ldb_val
*v
;
2861 v
= ldb_dn_get_extended_component(dn
, component_name
);
2863 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
2865 s
= talloc_strndup(dn
, (const char *)v
->data
, v
->length
);
2866 NT_STATUS_HAVE_NO_MEMORY(s
);
2868 *val
= strtoull(s
, NULL
, 0);
2871 return NT_STATUS_OK
;
2875 return a NTTIME from a extended DN structure
2877 NTSTATUS
dsdb_get_extended_dn_nttime(struct ldb_dn
*dn
, NTTIME
*nttime
, const char *component_name
)
2879 return dsdb_get_extended_dn_uint64(dn
, nttime
, component_name
);
2883 return a uint32_t from a extended DN structure
2885 NTSTATUS
dsdb_get_extended_dn_uint32(struct ldb_dn
*dn
, uint32_t *val
, const char *component_name
)
2887 const struct ldb_val
*v
;
2890 v
= ldb_dn_get_extended_component(dn
, component_name
);
2892 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
2895 s
= talloc_strndup(dn
, (const char *)v
->data
, v
->length
);
2896 NT_STATUS_HAVE_NO_MEMORY(s
);
2898 *val
= strtoul(s
, NULL
, 0);
2901 return NT_STATUS_OK
;
2905 return a dom_sid from a extended DN structure
2907 NTSTATUS
dsdb_get_extended_dn_sid(struct ldb_dn
*dn
, struct dom_sid
*sid
, const char *component_name
)
2909 const struct ldb_val
*sid_blob
;
2910 struct TALLOC_CTX
*tmp_ctx
;
2911 enum ndr_err_code ndr_err
;
2913 sid_blob
= ldb_dn_get_extended_component(dn
, "SID");
2915 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
2918 tmp_ctx
= talloc_new(NULL
);
2920 ndr_err
= ndr_pull_struct_blob_all(sid_blob
, tmp_ctx
, NULL
, sid
,
2921 (ndr_pull_flags_fn_t
)ndr_pull_dom_sid
);
2922 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
2923 NTSTATUS status
= ndr_map_error2ntstatus(ndr_err
);
2924 talloc_free(tmp_ctx
);
2928 talloc_free(tmp_ctx
);
2929 return NT_STATUS_OK
;
2934 return RMD_FLAGS directly from a ldb_dn
2935 returns 0 if not found
2937 uint32_t dsdb_dn_rmd_flags(struct ldb_dn
*dn
)
2939 const struct ldb_val
*v
;
2941 v
= ldb_dn_get_extended_component(dn
, "RMD_FLAGS");
2942 if (!v
|| v
->length
> sizeof(buf
)-1) return 0;
2943 strncpy(buf
, (const char *)v
->data
, v
->length
);
2945 return strtoul(buf
, NULL
, 10);
2949 return RMD_FLAGS directly from a ldb_val for a DN
2950 returns 0 if RMD_FLAGS is not found
2952 uint32_t dsdb_dn_val_rmd_flags(struct ldb_val
*val
)
2958 if (val
->length
< 13) {
2961 p
= memmem(val
->data
, val
->length
-2, "<RMD_FLAGS=", 11);
2965 flags
= strtoul(p
+11, &end
, 10);
2966 if (!end
|| *end
!= '>') {
2967 /* it must end in a > */
2974 return true if a ldb_val containing a DN in storage form is deleted
2976 bool dsdb_dn_is_deleted_val(struct ldb_val
*val
)
2978 return (dsdb_dn_val_rmd_flags(val
) & DSDB_RMD_FLAG_DELETED
) != 0;
2982 return true if a ldb_val containing a DN in storage form is
2983 in the upgraded w2k3 linked attribute format
2985 bool dsdb_dn_is_upgraded_link_val(struct ldb_val
*val
)
2987 return memmem(val
->data
, val
->length
, "<RMD_ADDTIME=", 13) != NULL
;
2991 return a DN for a wellknown GUID
2993 int dsdb_wellknown_dn(struct ldb_context
*samdb
, TALLOC_CTX
*mem_ctx
,
2994 struct ldb_dn
*nc_root
, const char *wk_guid
,
2995 struct ldb_dn
**wkguid_dn
)
2997 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
2998 const char *attrs
[] = { NULL
};
3001 struct ldb_result
*res
;
3003 /* construct the magic WKGUID DN */
3004 dn
= ldb_dn_new_fmt(tmp_ctx
, samdb
, "<WKGUID=%s,%s>",
3005 wk_guid
, ldb_dn_get_linearized(nc_root
));
3007 talloc_free(tmp_ctx
);
3008 return LDB_ERR_OPERATIONS_ERROR
;
3011 ret
= dsdb_search_dn(samdb
, tmp_ctx
, &res
, dn
, attrs
, DSDB_SEARCH_SHOW_DELETED
);
3012 if (ret
!= LDB_SUCCESS
) {
3013 talloc_free(tmp_ctx
);
3017 (*wkguid_dn
) = talloc_steal(mem_ctx
, res
->msgs
[0]->dn
);
3018 talloc_free(tmp_ctx
);
3023 static int dsdb_dn_compare_ptrs(struct ldb_dn
**dn1
, struct ldb_dn
**dn2
)
3025 return ldb_dn_compare(*dn1
, *dn2
);
3029 find a NC root given a DN within the NC
3031 int dsdb_find_nc_root(struct ldb_context
*samdb
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
*dn
,
3032 struct ldb_dn
**nc_root
)
3034 const char *root_attrs
[] = { "namingContexts", NULL
};
3035 TALLOC_CTX
*tmp_ctx
;
3037 struct ldb_message_element
*el
;
3038 struct ldb_result
*root_res
;
3040 struct ldb_dn
**nc_dns
;
3042 tmp_ctx
= talloc_new(samdb
);
3043 if (tmp_ctx
== NULL
) {
3044 return LDB_ERR_OPERATIONS_ERROR
;
3047 ret
= ldb_search(samdb
, tmp_ctx
, &root_res
,
3048 ldb_dn_new(tmp_ctx
, samdb
, ""), LDB_SCOPE_BASE
, root_attrs
, NULL
);
3050 DEBUG(1,("Searching for namingContexts in rootDSE failed: %s\n", ldb_errstring(samdb
)));
3051 talloc_free(tmp_ctx
);
3055 el
= ldb_msg_find_element(root_res
->msgs
[0], "namingContexts");
3057 DEBUG(1,("Finding namingContexts element in root_res failed: %s\n",
3058 ldb_errstring(samdb
)));
3059 talloc_free(tmp_ctx
);
3060 return LDB_ERR_NO_SUCH_ATTRIBUTE
;
3063 nc_dns
= talloc_array(tmp_ctx
, struct ldb_dn
*, el
->num_values
);
3065 talloc_free(tmp_ctx
);
3066 return LDB_ERR_OPERATIONS_ERROR
;
3069 for (i
=0; i
<el
->num_values
; i
++) {
3070 nc_dns
[i
] = ldb_dn_from_ldb_val(nc_dns
, samdb
, &el
->values
[i
]);
3071 if (nc_dns
[i
] == NULL
) {
3072 talloc_free(tmp_ctx
);
3073 return LDB_ERR_OPERATIONS_ERROR
;
3077 TYPESAFE_QSORT(nc_dns
, el
->num_values
, dsdb_dn_compare_ptrs
);
3079 for (i
=0; i
<el
->num_values
; i
++) {
3080 if (ldb_dn_compare_base(nc_dns
[i
], dn
) == 0) {
3081 (*nc_root
) = talloc_steal(mem_ctx
, nc_dns
[i
]);
3082 talloc_free(tmp_ctx
);
3087 talloc_free(tmp_ctx
);
3088 return LDB_ERR_NO_SUCH_OBJECT
;
3093 find the deleted objects DN for any object, by looking for the NC
3094 root, then looking up the wellknown GUID
3096 int dsdb_get_deleted_objects_dn(struct ldb_context
*ldb
,
3097 TALLOC_CTX
*mem_ctx
, struct ldb_dn
*obj_dn
,
3098 struct ldb_dn
**do_dn
)
3100 struct ldb_dn
*nc_root
;
3103 ret
= dsdb_find_nc_root(ldb
, mem_ctx
, obj_dn
, &nc_root
);
3104 if (ret
!= LDB_SUCCESS
) {
3108 ret
= dsdb_wellknown_dn(ldb
, mem_ctx
, nc_root
, DS_GUID_DELETED_OBJECTS_CONTAINER
, do_dn
);
3109 talloc_free(nc_root
);
3114 return the tombstoneLifetime, in days
3116 int dsdb_tombstone_lifetime(struct ldb_context
*ldb
, uint32_t *lifetime
)
3119 dn
= ldb_get_config_basedn(ldb
);
3121 return LDB_ERR_NO_SUCH_OBJECT
;
3123 dn
= ldb_dn_copy(ldb
, dn
);
3125 return LDB_ERR_OPERATIONS_ERROR
;
3127 /* see MS-ADTS section 7.1.1.2.4.1.1. There doesn't appear to
3128 be a wellknown GUID for this */
3129 if (!ldb_dn_add_child_fmt(dn
, "CN=Directory Service,CN=Windows NT,CN=Services")) {
3131 return LDB_ERR_OPERATIONS_ERROR
;
3134 *lifetime
= samdb_search_uint(ldb
, dn
, 180, dn
, "tombstoneLifetime", "objectClass=nTDSService");
3140 compare a ldb_val to a string case insensitively
3142 int samdb_ldb_val_case_cmp(const char *s
, struct ldb_val
*v
)
3144 size_t len
= strlen(s
);
3146 if (len
> v
->length
) return 1;
3147 ret
= strncasecmp(s
, (const char *)v
->data
, v
->length
);
3148 if (ret
!= 0) return ret
;
3149 if (v
->length
> len
&& v
->data
[len
] != 0) {
3157 load the UDV for a partition in v2 format
3158 The list is returned sorted, and with our local cursor added
3160 int dsdb_load_udv_v2(struct ldb_context
*samdb
, struct ldb_dn
*dn
, TALLOC_CTX
*mem_ctx
,
3161 struct drsuapi_DsReplicaCursor2
**cursors
, uint32_t *count
)
3163 static const char *attrs
[] = { "replUpToDateVector", NULL
};
3164 struct ldb_result
*r
;
3165 const struct ldb_val
*ouv_value
;
3168 uint64_t highest_usn
;
3169 const struct GUID
*our_invocation_id
;
3170 struct timeval now
= timeval_current();
3172 ret
= ldb_search(samdb
, mem_ctx
, &r
, dn
, LDB_SCOPE_BASE
, attrs
, NULL
);
3173 if (ret
!= LDB_SUCCESS
) {
3177 ouv_value
= ldb_msg_find_ldb_val(r
->msgs
[0], "replUpToDateVector");
3179 enum ndr_err_code ndr_err
;
3180 struct replUpToDateVectorBlob ouv
;
3182 ndr_err
= ndr_pull_struct_blob(ouv_value
, r
,
3183 lp_iconv_convenience(ldb_get_opaque(samdb
, "loadparm")), &ouv
,
3184 (ndr_pull_flags_fn_t
)ndr_pull_replUpToDateVectorBlob
);
3185 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
3187 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
;
3189 if (ouv
.version
!= 2) {
3190 /* we always store as version 2, and
3191 * replUpToDateVector is not replicated
3193 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
;
3196 *count
= ouv
.ctr
.ctr2
.count
;
3197 *cursors
= talloc_steal(mem_ctx
, ouv
.ctr
.ctr2
.cursors
);
3205 our_invocation_id
= samdb_ntds_invocation_id(samdb
);
3206 if (!our_invocation_id
) {
3207 DEBUG(0,(__location__
": No invocationID on samdb - %s\n", ldb_errstring(samdb
)));
3208 talloc_free(*cursors
);
3209 return LDB_ERR_OPERATIONS_ERROR
;
3212 ret
= dsdb_load_partition_usn(samdb
, dn
, &highest_usn
, NULL
);
3213 if (ret
!= LDB_SUCCESS
) {
3214 /* nothing to add - this can happen after a vampire */
3215 TYPESAFE_QSORT(*cursors
, *count
, drsuapi_DsReplicaCursor2_compare
);
3219 for (i
=0; i
<*count
; i
++) {
3220 if (GUID_equal(our_invocation_id
, &(*cursors
)[i
].source_dsa_invocation_id
)) {
3221 (*cursors
)[i
].highest_usn
= highest_usn
;
3222 (*cursors
)[i
].last_sync_success
= timeval_to_nttime(&now
);
3223 TYPESAFE_QSORT(*cursors
, *count
, drsuapi_DsReplicaCursor2_compare
);
3228 (*cursors
) = talloc_realloc(mem_ctx
, *cursors
, struct drsuapi_DsReplicaCursor2
, (*count
)+1);
3230 return LDB_ERR_OPERATIONS_ERROR
;
3233 (*cursors
)[*count
].source_dsa_invocation_id
= *our_invocation_id
;
3234 (*cursors
)[*count
].highest_usn
= highest_usn
;
3235 (*cursors
)[*count
].last_sync_success
= timeval_to_nttime(&now
);
3238 TYPESAFE_QSORT(*cursors
, *count
, drsuapi_DsReplicaCursor2_compare
);
3244 load the UDV for a partition in version 1 format
3245 The list is returned sorted, and with our local cursor added
3247 int dsdb_load_udv_v1(struct ldb_context
*samdb
, struct ldb_dn
*dn
, TALLOC_CTX
*mem_ctx
,
3248 struct drsuapi_DsReplicaCursor
**cursors
, uint32_t *count
)
3250 struct drsuapi_DsReplicaCursor2
*v2
;
3254 ret
= dsdb_load_udv_v2(samdb
, dn
, mem_ctx
, &v2
, count
);
3255 if (ret
!= LDB_SUCCESS
) {
3265 *cursors
= talloc_array(mem_ctx
, struct drsuapi_DsReplicaCursor
, *count
);
3266 if (*cursors
== NULL
) {
3268 return LDB_ERR_OPERATIONS_ERROR
;
3271 for (i
=0; i
<*count
; i
++) {
3272 (*cursors
)[i
].source_dsa_invocation_id
= v2
[i
].source_dsa_invocation_id
;
3273 (*cursors
)[i
].highest_usn
= v2
[i
].highest_usn
;
3280 add a set of controls to a ldb_request structure based on a set of
3281 flags. See util.h for a list of available flags
3283 int dsdb_request_add_controls(struct ldb_request
*req
, uint32_t dsdb_flags
)
3286 if (dsdb_flags
& DSDB_SEARCH_SEARCH_ALL_PARTITIONS
) {
3287 struct ldb_search_options_control
*options
;
3288 /* Using the phantom root control allows us to search all partitions */
3289 options
= talloc(req
, struct ldb_search_options_control
);
3290 if (options
== NULL
) {
3291 return LDB_ERR_OPERATIONS_ERROR
;
3293 options
->search_options
= LDB_SEARCH_OPTION_PHANTOM_ROOT
;
3295 ret
= ldb_request_add_control(req
,
3296 LDB_CONTROL_SEARCH_OPTIONS_OID
,
3298 if (ret
!= LDB_SUCCESS
) {
3303 if (dsdb_flags
& DSDB_SEARCH_SHOW_DELETED
) {
3304 ret
= ldb_request_add_control(req
, LDB_CONTROL_SHOW_DELETED_OID
, true, NULL
);
3305 if (ret
!= LDB_SUCCESS
) {
3310 if (dsdb_flags
& DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT
) {
3311 ret
= ldb_request_add_control(req
, DSDB_CONTROL_DN_STORAGE_FORMAT_OID
, true, NULL
);
3312 if (ret
!= LDB_SUCCESS
) {
3317 if (dsdb_flags
& DSDB_SEARCH_SHOW_EXTENDED_DN
) {
3318 struct ldb_extended_dn_control
*extended_ctrl
= talloc(req
, struct ldb_extended_dn_control
);
3319 if (!extended_ctrl
) {
3320 return LDB_ERR_OPERATIONS_ERROR
;
3322 extended_ctrl
->type
= 1;
3324 ret
= ldb_request_add_control(req
, LDB_CONTROL_EXTENDED_DN_OID
, true, extended_ctrl
);
3325 if (ret
!= LDB_SUCCESS
) {
3330 if (dsdb_flags
& DSDB_SEARCH_REVEAL_INTERNALS
) {
3331 ret
= ldb_request_add_control(req
, LDB_CONTROL_REVEAL_INTERNALS
, false, NULL
);
3332 if (ret
!= LDB_SUCCESS
) {
3337 if (dsdb_flags
& DSDB_MODIFY_RELAX
) {
3338 ret
= ldb_request_add_control(req
, LDB_CONTROL_RELAX_OID
, false, NULL
);
3339 if (ret
!= LDB_SUCCESS
) {
3344 if (dsdb_flags
& DSDB_MODIFY_PERMISSIVE
) {
3345 ret
= ldb_request_add_control(req
, LDB_CONTROL_PERMISSIVE_MODIFY_OID
, false, NULL
);
3346 if (ret
!= LDB_SUCCESS
) {
3351 if (dsdb_flags
& DSDB_FLAG_AS_SYSTEM
) {
3352 ret
= ldb_request_add_control(req
, LDB_CONTROL_AS_SYSTEM_OID
, false, NULL
);
3353 if (ret
!= LDB_SUCCESS
) {
3362 a modify with a set of controls
3364 int dsdb_modify(struct ldb_context
*ldb
, const struct ldb_message
*message
,
3365 uint32_t dsdb_flags
)
3367 struct ldb_request
*req
;
3370 ret
= ldb_build_mod_req(&req
, ldb
, ldb
,
3374 ldb_op_default_callback
,
3377 if (ret
!= LDB_SUCCESS
) return ret
;
3379 ret
= dsdb_request_add_controls(req
, dsdb_flags
);
3380 if (ret
!= LDB_SUCCESS
) {
3385 ret
= dsdb_autotransaction_request(ldb
, req
);
3392 like dsdb_modify() but set all the element flags to
3393 LDB_FLAG_MOD_REPLACE
3395 int dsdb_replace(struct ldb_context
*ldb
, struct ldb_message
*msg
, uint32_t dsdb_flags
)
3399 /* mark all the message elements as LDB_FLAG_MOD_REPLACE */
3400 for (i
=0;i
<msg
->num_elements
;i
++) {
3401 msg
->elements
[i
].flags
= LDB_FLAG_MOD_REPLACE
;
3404 return dsdb_modify(ldb
, msg
, dsdb_flags
);
3409 search for attrs on one DN, allowing for dsdb_flags controls
3411 int dsdb_search_dn(struct ldb_context
*ldb
,
3412 TALLOC_CTX
*mem_ctx
,
3413 struct ldb_result
**_res
,
3414 struct ldb_dn
*basedn
,
3415 const char * const *attrs
,
3416 uint32_t dsdb_flags
)
3419 struct ldb_request
*req
;
3420 struct ldb_result
*res
;
3422 res
= talloc_zero(mem_ctx
, struct ldb_result
);
3424 return LDB_ERR_OPERATIONS_ERROR
;
3427 ret
= ldb_build_search_req(&req
, ldb
, res
,
3434 ldb_search_default_callback
,
3436 if (ret
!= LDB_SUCCESS
) {
3441 ret
= dsdb_request_add_controls(req
, dsdb_flags
);
3442 if (ret
!= LDB_SUCCESS
) {
3447 ret
= ldb_request(ldb
, req
);
3448 if (ret
== LDB_SUCCESS
) {
3449 ret
= ldb_wait(req
->handle
, LDB_WAIT_ALL
);
3453 if (ret
!= LDB_SUCCESS
) {
3463 general search with dsdb_flags for controls
3465 int dsdb_search(struct ldb_context
*ldb
,
3466 TALLOC_CTX
*mem_ctx
,
3467 struct ldb_result
**_res
,
3468 struct ldb_dn
*basedn
,
3469 enum ldb_scope scope
,
3470 const char * const *attrs
,
3471 uint32_t dsdb_flags
,
3472 const char *exp_fmt
, ...) _PRINTF_ATTRIBUTE(8, 9)
3475 struct ldb_request
*req
;
3476 struct ldb_result
*res
;
3478 char *expression
= NULL
;
3479 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
3481 res
= talloc_zero(tmp_ctx
, struct ldb_result
);
3483 talloc_free(tmp_ctx
);
3484 return LDB_ERR_OPERATIONS_ERROR
;
3488 va_start(ap
, exp_fmt
);
3489 expression
= talloc_vasprintf(tmp_ctx
, exp_fmt
, ap
);
3493 talloc_free(tmp_ctx
);
3494 return LDB_ERR_OPERATIONS_ERROR
;
3498 ret
= ldb_build_search_req(&req
, ldb
, tmp_ctx
,
3505 ldb_search_default_callback
,
3507 if (ret
!= LDB_SUCCESS
) {
3508 talloc_free(tmp_ctx
);
3512 ret
= dsdb_request_add_controls(req
, dsdb_flags
);
3513 if (ret
!= LDB_SUCCESS
) {
3514 talloc_free(tmp_ctx
);
3518 ret
= ldb_request(ldb
, req
);
3519 if (ret
== LDB_SUCCESS
) {
3520 ret
= ldb_wait(req
->handle
, LDB_WAIT_ALL
);
3523 if (ret
!= LDB_SUCCESS
) {
3524 talloc_free(tmp_ctx
);
3528 if (dsdb_flags
& DSDB_SEARCH_ONE_ONLY
) {
3529 if (res
->count
== 0) {
3530 talloc_free(tmp_ctx
);
3531 return LDB_ERR_NO_SUCH_OBJECT
;
3533 if (res
->count
!= 1) {
3534 talloc_free(tmp_ctx
);
3535 return LDB_ERR_CONSTRAINT_VIOLATION
;
3539 *_res
= talloc_steal(mem_ctx
, res
);
3540 talloc_free(tmp_ctx
);
3547 general search with dsdb_flags for controls
3548 returns exactly 1 record or an error
3550 int dsdb_search_one(struct ldb_context
*ldb
,
3551 TALLOC_CTX
*mem_ctx
,
3552 struct ldb_message
**msg
,
3553 struct ldb_dn
*basedn
,
3554 enum ldb_scope scope
,
3555 const char * const *attrs
,
3556 uint32_t dsdb_flags
,
3557 const char *exp_fmt
, ...) _PRINTF_ATTRIBUTE(8, 9)
3560 struct ldb_result
*res
;
3562 char *expression
= NULL
;
3563 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
3565 dsdb_flags
|= DSDB_SEARCH_ONE_ONLY
;
3567 res
= talloc_zero(tmp_ctx
, struct ldb_result
);
3569 talloc_free(tmp_ctx
);
3570 return LDB_ERR_OPERATIONS_ERROR
;
3574 va_start(ap
, exp_fmt
);
3575 expression
= talloc_vasprintf(tmp_ctx
, exp_fmt
, ap
);
3579 talloc_free(tmp_ctx
);
3580 return LDB_ERR_OPERATIONS_ERROR
;
3584 ret
= dsdb_search(ldb
, tmp_ctx
, &res
, basedn
, scope
, attrs
,
3585 dsdb_flags
, "%s", expression
);
3586 if (ret
!= LDB_SUCCESS
) {
3587 talloc_free(tmp_ctx
);
3591 *msg
= talloc_steal(mem_ctx
, res
->msgs
[0]);
3592 talloc_free(tmp_ctx
);
3597 /* returns back the forest DNS name */
3598 const char *samdb_forest_name(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
)
3600 const char *forest_name
= ldb_dn_canonical_string(mem_ctx
,
3601 ldb_get_root_basedn(ldb
));
3604 if (forest_name
== NULL
) {
3608 p
= strchr(forest_name
, '/');
3617 validate that an DSA GUID belongs to the specified user sid.
3618 The user SID must be a domain controller account (either RODC or
3621 int dsdb_validate_dsa_guid(struct ldb_context
*ldb
,
3622 const struct GUID
*dsa_guid
,
3623 const struct dom_sid
*sid
)
3626 - find DN of record with the DSA GUID in the
3627 configuration partition (objectGUID)
3628 - remove "NTDS Settings" component from DN
3629 - do a base search on that DN for serverReference with
3631 - extract objectSID from resulting serverReference
3633 - check this sid matches the sid argument
3635 struct ldb_dn
*config_dn
;
3636 TALLOC_CTX
*tmp_ctx
= talloc_new(ldb
);
3637 struct ldb_message
*msg
;
3638 const char *attrs1
[] = { NULL
};
3639 const char *attrs2
[] = { "serverReference", NULL
};
3641 struct ldb_dn
*dn
, *account_dn
;
3642 struct dom_sid sid2
;
3645 config_dn
= ldb_get_config_basedn(ldb
);
3647 ret
= dsdb_search_one(ldb
, tmp_ctx
, &msg
, config_dn
, LDB_SCOPE_SUBTREE
,
3648 attrs1
, 0, "(&(objectGUID=%s)(objectClass=nTDSDSA))", GUID_string(tmp_ctx
, dsa_guid
));
3649 if (ret
!= LDB_SUCCESS
) {
3650 DEBUG(1,(__location__
": Failed to find DSA objectGUID %s for sid %s\n",
3651 GUID_string(tmp_ctx
, dsa_guid
), dom_sid_string(tmp_ctx
, sid
)));
3652 talloc_free(tmp_ctx
);
3653 return LDB_ERR_OPERATIONS_ERROR
;
3657 if (!ldb_dn_remove_child_components(dn
, 1)) {
3658 talloc_free(tmp_ctx
);
3659 return LDB_ERR_OPERATIONS_ERROR
;
3662 ret
= dsdb_search_one(ldb
, tmp_ctx
, &msg
, dn
, LDB_SCOPE_BASE
,
3663 attrs2
, DSDB_SEARCH_SHOW_EXTENDED_DN
,
3664 "(objectClass=server)");
3665 if (ret
!= LDB_SUCCESS
) {
3666 DEBUG(1,(__location__
": Failed to find server record for DSA with objectGUID %s, sid %s\n",
3667 GUID_string(tmp_ctx
, dsa_guid
), dom_sid_string(tmp_ctx
, sid
)));
3668 talloc_free(tmp_ctx
);
3669 return LDB_ERR_OPERATIONS_ERROR
;
3672 account_dn
= ldb_msg_find_attr_as_dn(ldb
, tmp_ctx
, msg
, "serverReference");
3673 if (account_dn
== NULL
) {
3674 DEBUG(1,(__location__
": Failed to find account_dn for DSA with objectGUID %s, sid %s\n",
3675 GUID_string(tmp_ctx
, dsa_guid
), dom_sid_string(tmp_ctx
, sid
)));
3676 talloc_free(tmp_ctx
);
3677 return LDB_ERR_OPERATIONS_ERROR
;
3680 status
= dsdb_get_extended_dn_sid(account_dn
, &sid2
, "SID");
3681 if (!NT_STATUS_IS_OK(status
)) {
3682 DEBUG(1,(__location__
": Failed to find SID for DSA with objectGUID %s, sid %s\n",
3683 GUID_string(tmp_ctx
, dsa_guid
), dom_sid_string(tmp_ctx
, sid
)));
3684 talloc_free(tmp_ctx
);
3685 return LDB_ERR_OPERATIONS_ERROR
;
3688 if (!dom_sid_equal(sid
, &sid2
)) {
3689 /* someone is trying to spoof another account */
3690 DEBUG(0,(__location__
": Bad DSA objectGUID %s for sid %s - expected sid %s\n",
3691 GUID_string(tmp_ctx
, dsa_guid
),
3692 dom_sid_string(tmp_ctx
, sid
),
3693 dom_sid_string(tmp_ctx
, &sid2
)));
3694 talloc_free(tmp_ctx
);
3695 return LDB_ERR_OPERATIONS_ERROR
;
3698 talloc_free(tmp_ctx
);
3702 const char *rodc_fas_list
[] = {"ms-PKI-DPAPIMasterKeys",
3703 "ms-PKI-AccountCredentials",
3704 "ms-PKI-RoamingTimeStamp",
3705 "ms-FVE-KeyPackage",
3706 "ms-FVE-RecoveryGuid",
3707 "ms-FVE-RecoveryInformation",
3708 "ms-FVE-RecoveryPassword",
3709 "ms-FVE-VolumeGuid",
3710 "ms-TPM-OwnerInformation",
3713 check if the attribute belongs to the RODC filtered attribute set
3715 bool dsdb_attr_in_rodc_fas(uint32_t replica_flags
, const struct dsdb_attribute
*sa
)
3717 int rodc_filtered_flags
= SEARCH_FLAG_RODC_ATTRIBUTE
| SEARCH_FLAG_CONFIDENTIAL
;
3718 bool drs_write_replica
= ((replica_flags
& DRSUAPI_DRS_WRIT_REP
) == 0);
3720 if (drs_write_replica
&& (sa
->searchFlags
& rodc_filtered_flags
)) {
3723 if (drs_write_replica
&& is_attr_in_list(rodc_fas_list
, sa
->cn
)) {