2 Unix SMB/CIFS implementation.
3 Samba utility functions
5 Copyright (C) Andrew Tridgell 2004
6 Copyright (C) Volker Lendecke 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
8 Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "events/events.h"
27 #include "ldb_module.h"
28 #include "ldb_errors.h"
29 #include "../lib/util/util_ldb.h"
30 #include "../lib/crypto/crypto.h"
31 #include "dsdb/samdb/samdb.h"
32 #include "libcli/security/security.h"
33 #include "librpc/gen_ndr/ndr_security.h"
34 #include "librpc/gen_ndr/ndr_misc.h"
35 #include "../libds/common/flags.h"
36 #include "dsdb/common/proto.h"
37 #include "libcli/ldap/ldap_ndr.h"
38 #include "param/param.h"
39 #include "libcli/auth/libcli_auth.h"
40 #include "librpc/gen_ndr/ndr_drsblobs.h"
41 #include "system/locale.h"
42 #include "lib/util/tsort.h"
43 #include "dsdb/common/util.h"
44 #include "lib/socket/socket.h"
45 #include "librpc/gen_ndr/irpc.h"
46 #include "libds/common/flag_mapping.h"
49 search the sam for the specified attributes in a specific domain, filter on
50 objectSid being in domain_sid.
52 int samdb_search_domain(struct ldb_context
*sam_ldb
,
54 struct ldb_dn
*basedn
,
55 struct ldb_message
***res
,
56 const char * const *attrs
,
57 const struct dom_sid
*domain_sid
,
58 const char *format
, ...) _PRINTF_ATTRIBUTE(7,8)
64 count
= gendb_search_v(sam_ldb
, mem_ctx
, basedn
,
65 res
, attrs
, format
, ap
);
71 struct dom_sid
*entry_sid
;
73 entry_sid
= samdb_result_dom_sid(mem_ctx
, (*res
)[i
], "objectSid");
75 if ((entry_sid
== NULL
) ||
76 (!dom_sid_in_domain(domain_sid
, entry_sid
))) {
77 /* Delete that entry from the result set */
78 (*res
)[i
] = (*res
)[count
-1];
80 talloc_free(entry_sid
);
83 talloc_free(entry_sid
);
91 search the sam for a single string attribute in exactly 1 record
93 const char *samdb_search_string_v(struct ldb_context
*sam_ldb
,
95 struct ldb_dn
*basedn
,
96 const char *attr_name
,
97 const char *format
, va_list ap
) _PRINTF_ATTRIBUTE(5,0)
100 const char *attrs
[2] = { NULL
, NULL
};
101 struct ldb_message
**res
= NULL
;
103 attrs
[0] = attr_name
;
105 count
= gendb_search_v(sam_ldb
, mem_ctx
, basedn
, &res
, attrs
, format
, ap
);
107 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
108 attr_name
, format
, count
));
115 return ldb_msg_find_attr_as_string(res
[0], attr_name
, NULL
);
119 search the sam for a single string attribute in exactly 1 record
121 const char *samdb_search_string(struct ldb_context
*sam_ldb
,
123 struct ldb_dn
*basedn
,
124 const char *attr_name
,
125 const char *format
, ...) _PRINTF_ATTRIBUTE(5,6)
130 va_start(ap
, format
);
131 str
= samdb_search_string_v(sam_ldb
, mem_ctx
, basedn
, attr_name
, format
, ap
);
137 struct ldb_dn
*samdb_search_dn(struct ldb_context
*sam_ldb
,
139 struct ldb_dn
*basedn
,
140 const char *format
, ...) _PRINTF_ATTRIBUTE(4,5)
144 struct ldb_message
**res
= NULL
;
147 va_start(ap
, format
);
148 count
= gendb_search_v(sam_ldb
, mem_ctx
, basedn
, &res
, NULL
, format
, ap
);
151 if (count
!= 1) return NULL
;
153 ret
= talloc_steal(mem_ctx
, res
[0]->dn
);
160 search the sam for a dom_sid attribute in exactly 1 record
162 struct dom_sid
*samdb_search_dom_sid(struct ldb_context
*sam_ldb
,
164 struct ldb_dn
*basedn
,
165 const char *attr_name
,
166 const char *format
, ...) _PRINTF_ATTRIBUTE(5,6)
170 struct ldb_message
**res
;
171 const char *attrs
[2] = { NULL
, NULL
};
174 attrs
[0] = attr_name
;
176 va_start(ap
, format
);
177 count
= gendb_search_v(sam_ldb
, mem_ctx
, basedn
, &res
, attrs
, format
, ap
);
180 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
181 attr_name
, format
, count
));
187 sid
= samdb_result_dom_sid(mem_ctx
, res
[0], attr_name
);
193 return the count of the number of records in the sam matching the query
195 int samdb_search_count(struct ldb_context
*sam_ldb
,
197 struct ldb_dn
*basedn
,
198 const char *format
, ...) _PRINTF_ATTRIBUTE(4,5)
201 const char *attrs
[] = { NULL
};
204 va_start(ap
, format
);
205 ret
= gendb_search_v(sam_ldb
, mem_ctx
, basedn
, NULL
, attrs
, format
, ap
);
213 search the sam for a single integer attribute in exactly 1 record
215 unsigned int samdb_search_uint(struct ldb_context
*sam_ldb
,
217 unsigned int default_value
,
218 struct ldb_dn
*basedn
,
219 const char *attr_name
,
220 const char *format
, ...) _PRINTF_ATTRIBUTE(6,7)
224 struct ldb_message
**res
;
225 const char *attrs
[2] = { NULL
, NULL
};
227 attrs
[0] = attr_name
;
229 va_start(ap
, format
);
230 count
= gendb_search_v(sam_ldb
, mem_ctx
, basedn
, &res
, attrs
, format
, ap
);
234 return default_value
;
237 return ldb_msg_find_attr_as_uint(res
[0], attr_name
, default_value
);
241 search the sam for a single signed 64 bit integer attribute in exactly 1 record
243 int64_t samdb_search_int64(struct ldb_context
*sam_ldb
,
245 int64_t default_value
,
246 struct ldb_dn
*basedn
,
247 const char *attr_name
,
248 const char *format
, ...) _PRINTF_ATTRIBUTE(6,7)
252 struct ldb_message
**res
;
253 const char *attrs
[2] = { NULL
, NULL
};
255 attrs
[0] = attr_name
;
257 va_start(ap
, format
);
258 count
= gendb_search_v(sam_ldb
, mem_ctx
, basedn
, &res
, attrs
, format
, ap
);
262 return default_value
;
265 return ldb_msg_find_attr_as_int64(res
[0], attr_name
, default_value
);
269 search the sam for multipe records each giving a single string attribute
270 return the number of matches, or -1 on error
272 int samdb_search_string_multiple(struct ldb_context
*sam_ldb
,
274 struct ldb_dn
*basedn
,
276 const char *attr_name
,
277 const char *format
, ...) _PRINTF_ATTRIBUTE(6,7)
281 const char *attrs
[2] = { NULL
, NULL
};
282 struct ldb_message
**res
= NULL
;
284 attrs
[0] = attr_name
;
286 va_start(ap
, format
);
287 count
= gendb_search_v(sam_ldb
, mem_ctx
, basedn
, &res
, attrs
, format
, ap
);
294 /* make sure its single valued */
295 for (i
=0;i
<count
;i
++) {
296 if (res
[i
]->num_elements
!= 1) {
297 DEBUG(1,("samdb: search for %s %s not single valued\n",
304 *strs
= talloc_array(mem_ctx
, const char *, count
+1);
310 for (i
=0;i
<count
;i
++) {
311 (*strs
)[i
] = ldb_msg_find_attr_as_string(res
[i
], attr_name
, NULL
);
313 (*strs
)[count
] = NULL
;
318 struct ldb_dn
*samdb_result_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
, const struct ldb_message
*msg
,
319 const char *attr
, struct ldb_dn
*default_value
)
321 struct ldb_dn
*ret_dn
= ldb_msg_find_attr_as_dn(ldb
, mem_ctx
, msg
, attr
);
323 return default_value
;
329 pull a rid from a objectSid in a result set.
331 uint32_t samdb_result_rid_from_sid(TALLOC_CTX
*mem_ctx
, const struct ldb_message
*msg
,
332 const char *attr
, uint32_t default_value
)
337 sid
= samdb_result_dom_sid(mem_ctx
, msg
, attr
);
339 return default_value
;
341 rid
= sid
->sub_auths
[sid
->num_auths
-1];
347 pull a dom_sid structure from a objectSid in a result set.
349 struct dom_sid
*samdb_result_dom_sid(TALLOC_CTX
*mem_ctx
, const struct ldb_message
*msg
,
353 const struct ldb_val
*v
;
355 v
= ldb_msg_find_ldb_val(msg
, attr
);
359 sid
= talloc(mem_ctx
, struct dom_sid
);
363 ok
= sid_blob_parse(*v
, sid
);
372 pull a guid structure from a objectGUID in a result set.
374 struct GUID
samdb_result_guid(const struct ldb_message
*msg
, const char *attr
)
376 const struct ldb_val
*v
;
380 v
= ldb_msg_find_ldb_val(msg
, attr
);
381 if (!v
) return GUID_zero();
383 status
= GUID_from_ndr_blob(v
, &guid
);
384 if (!NT_STATUS_IS_OK(status
)) {
392 pull a sid prefix from a objectSid in a result set.
393 this is used to find the domain sid for a user
395 struct dom_sid
*samdb_result_sid_prefix(TALLOC_CTX
*mem_ctx
, const struct ldb_message
*msg
,
398 struct dom_sid
*sid
= samdb_result_dom_sid(mem_ctx
, msg
, attr
);
399 if (!sid
|| sid
->num_auths
< 1) return NULL
;
405 pull a NTTIME in a result set.
407 NTTIME
samdb_result_nttime(const struct ldb_message
*msg
, const char *attr
,
408 NTTIME default_value
)
410 return ldb_msg_find_attr_as_uint64(msg
, attr
, default_value
);
414 * Windows stores 0 for lastLogoff.
415 * But when a MS DC return the lastLogoff (as Logoff Time)
416 * it returns 0x7FFFFFFFFFFFFFFF, not returning this value in this case
417 * cause windows 2008 and newer version to fail for SMB requests
419 NTTIME
samdb_result_last_logoff(const struct ldb_message
*msg
)
421 NTTIME ret
= ldb_msg_find_attr_as_uint64(msg
, "lastLogoff",0);
424 ret
= 0x7FFFFFFFFFFFFFFFULL
;
430 * Windows uses both 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFFULL) to
431 * indicate an account doesn't expire.
433 * When Windows initially creates an account, it sets
434 * accountExpires = 9223372036854775807 (0x7FFFFFFFFFFFFFFF). However,
435 * when changing from an account having a specific expiration date to
436 * that account never expiring, it sets accountExpires = 0.
438 * Consolidate that logic here to allow clearer logic for account expiry in
439 * the rest of the code.
441 NTTIME
samdb_result_account_expires(const struct ldb_message
*msg
)
443 NTTIME ret
= ldb_msg_find_attr_as_uint64(msg
, "accountExpires",
447 ret
= 0x7FFFFFFFFFFFFFFFULL
;
453 construct the allow_password_change field from the PwdLastSet attribute and the
454 domain password settings
456 NTTIME
samdb_result_allow_password_change(struct ldb_context
*sam_ldb
,
458 struct ldb_dn
*domain_dn
,
459 struct ldb_message
*msg
,
462 uint64_t attr_time
= ldb_msg_find_attr_as_uint64(msg
, attr
, 0);
465 if (attr_time
== 0) {
469 minPwdAge
= samdb_search_int64(sam_ldb
, mem_ctx
, 0, domain_dn
, "minPwdAge", NULL
);
471 /* yes, this is a -= not a += as minPwdAge is stored as the negative
472 of the number of 100-nano-seconds */
473 attr_time
-= minPwdAge
;
479 construct the force_password_change field from the PwdLastSet
480 attribute, the userAccountControl and the domain password settings
482 NTTIME
samdb_result_force_password_change(struct ldb_context
*sam_ldb
,
484 struct ldb_dn
*domain_dn
,
485 struct ldb_message
*msg
)
487 int64_t attr_time
= ldb_msg_find_attr_as_int64(msg
, "pwdLastSet", 0);
488 uint32_t userAccountControl
= ldb_msg_find_attr_as_uint(msg
,
489 "userAccountControl",
493 /* Machine accounts don't expire, and there is a flag for 'no expiry' */
494 if (!(userAccountControl
& UF_NORMAL_ACCOUNT
)
495 || (userAccountControl
& UF_DONT_EXPIRE_PASSWD
)) {
496 return 0x7FFFFFFFFFFFFFFFULL
;
499 if (attr_time
== 0) {
502 if (attr_time
== -1) {
503 return 0x7FFFFFFFFFFFFFFFULL
;
506 maxPwdAge
= samdb_search_int64(sam_ldb
, mem_ctx
, 0, domain_dn
,
508 if (maxPwdAge
== 0 || maxPwdAge
== -0x8000000000000000ULL
) {
509 return 0x7FFFFFFFFFFFFFFFULL
;
511 attr_time
-= maxPwdAge
;
518 pull a samr_Password structutre from a result set.
520 struct samr_Password
*samdb_result_hash(TALLOC_CTX
*mem_ctx
, const struct ldb_message
*msg
, const char *attr
)
522 struct samr_Password
*hash
= NULL
;
523 const struct ldb_val
*val
= ldb_msg_find_ldb_val(msg
, attr
);
524 if (val
&& (val
->length
>= sizeof(hash
->hash
))) {
525 hash
= talloc(mem_ctx
, struct samr_Password
);
526 memcpy(hash
->hash
, val
->data
, MIN(val
->length
, sizeof(hash
->hash
)));
532 pull an array of samr_Password structures from a result set.
534 unsigned int samdb_result_hashes(TALLOC_CTX
*mem_ctx
, const struct ldb_message
*msg
,
535 const char *attr
, struct samr_Password
**hashes
)
537 unsigned int count
, i
;
538 const struct ldb_val
*val
= ldb_msg_find_ldb_val(msg
, attr
);
544 count
= val
->length
/ 16;
549 *hashes
= talloc_array(mem_ctx
, struct samr_Password
, count
);
554 for (i
=0;i
<count
;i
++) {
555 memcpy((*hashes
)[i
].hash
, (i
*16)+(char *)val
->data
, 16);
561 NTSTATUS
samdb_result_passwords(TALLOC_CTX
*mem_ctx
, struct loadparm_context
*lp_ctx
, struct ldb_message
*msg
,
562 struct samr_Password
**lm_pwd
, struct samr_Password
**nt_pwd
)
564 struct samr_Password
*lmPwdHash
, *ntPwdHash
;
567 num_nt
= samdb_result_hashes(mem_ctx
, msg
, "unicodePwd", &ntPwdHash
);
570 } else if (num_nt
> 1) {
571 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
573 *nt_pwd
= &ntPwdHash
[0];
577 /* Ensure that if we have turned off LM
578 * authentication, that we never use the LM hash, even
580 if (lpcfg_lanman_auth(lp_ctx
)) {
582 num_lm
= samdb_result_hashes(mem_ctx
, msg
, "dBCSPwd", &lmPwdHash
);
585 } else if (num_lm
> 1) {
586 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
588 *lm_pwd
= &lmPwdHash
[0];
598 pull a samr_LogonHours structutre from a result set.
600 struct samr_LogonHours
samdb_result_logon_hours(TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
, const char *attr
)
602 struct samr_LogonHours hours
;
603 size_t units_per_week
= 168;
604 const struct ldb_val
*val
= ldb_msg_find_ldb_val(msg
, attr
);
609 units_per_week
= val
->length
* 8;
612 hours
.bits
= talloc_array(mem_ctx
, uint8_t, units_per_week
/8);
616 hours
.units_per_week
= units_per_week
;
617 memset(hours
.bits
, 0xFF, units_per_week
/8);
619 memcpy(hours
.bits
, val
->data
, val
->length
);
626 pull a set of account_flags from a result set.
628 Naturally, this requires that userAccountControl and
629 (if not null) the attributes 'attr' be already
632 uint32_t samdb_result_acct_flags(struct ldb_message
*msg
, const char *attr
)
634 uint32_t userAccountControl
= ldb_msg_find_attr_as_uint(msg
, "userAccountControl", 0);
635 uint32_t attr_flags
= 0;
636 uint32_t acct_flags
= ds_uf2acb(userAccountControl
);
638 attr_flags
= ldb_msg_find_attr_as_uint(msg
, attr
, UF_ACCOUNTDISABLE
);
639 if (attr_flags
== UF_ACCOUNTDISABLE
) {
640 DEBUG(0, ("Attribute %s not found, disabling account %s!\n", attr
,
641 ldb_dn_get_linearized(msg
->dn
)));
643 acct_flags
|= ds_uf2acb(attr_flags
);
649 struct lsa_BinaryString
samdb_result_parameters(TALLOC_CTX
*mem_ctx
,
650 struct ldb_message
*msg
,
653 struct lsa_BinaryString s
;
654 const struct ldb_val
*val
= ldb_msg_find_ldb_val(msg
, attr
);
662 s
.array
= talloc_array(mem_ctx
, uint16_t, val
->length
/2);
666 s
.length
= s
.size
= val
->length
;
667 memcpy(s
.array
, val
->data
, val
->length
);
672 /* Find an attribute, with a particular value */
674 /* The current callers of this function expect a very specific
675 * behaviour: In particular, objectClass subclass equivilance is not
676 * wanted. This means that we should not lookup the schema for the
677 * comparison function */
678 struct ldb_message_element
*samdb_find_attribute(struct ldb_context
*ldb
,
679 const struct ldb_message
*msg
,
680 const char *name
, const char *value
)
683 struct ldb_message_element
*el
= ldb_msg_find_element(msg
, name
);
689 for (i
=0;i
<el
->num_values
;i
++) {
690 if (ldb_attr_cmp(value
, (char *)el
->values
[i
].data
) == 0) {
698 int samdb_find_or_add_attribute(struct ldb_context
*ldb
, struct ldb_message
*msg
, const char *name
, const char *set_value
)
700 struct ldb_message_element
*el
;
702 el
= ldb_msg_find_element(msg
, name
);
707 return ldb_msg_add_string(msg
, name
, set_value
);
711 add a dom_sid element to a message
713 int samdb_msg_add_dom_sid(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
714 const char *attr_name
, const struct dom_sid
*sid
)
717 enum ndr_err_code ndr_err
;
719 ndr_err
= ndr_push_struct_blob(&v
, mem_ctx
,
721 (ndr_push_flags_fn_t
)ndr_push_dom_sid
);
722 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
723 return ldb_operr(sam_ldb
);
725 return ldb_msg_add_value(msg
, attr_name
, &v
, NULL
);
730 add a delete element operation to a message
732 int samdb_msg_add_delete(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
733 const char *attr_name
)
735 /* we use an empty replace rather than a delete, as it allows for
736 dsdb_replace() to be used everywhere */
737 return ldb_msg_add_empty(msg
, attr_name
, LDB_FLAG_MOD_REPLACE
, NULL
);
741 add an add attribute value to a message or enhance an existing attribute
742 which has the same name and the add flag set.
744 int samdb_msg_add_addval(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
,
745 struct ldb_message
*msg
, const char *attr_name
,
748 struct ldb_message_element
*el
;
749 struct ldb_val val
, *vals
;
755 v
= talloc_strdup(mem_ctx
, value
);
757 return ldb_oom(sam_ldb
);
760 val
.data
= (uint8_t *) v
;
761 val
.length
= strlen(v
);
763 if (val
.length
== 0) {
764 /* allow empty strings as non-existent attributes */
768 for (i
= 0; i
< msg
->num_elements
; i
++) {
769 el
= &msg
->elements
[i
];
770 if ((ldb_attr_cmp(el
->name
, attr_name
) == 0) &&
771 (LDB_FLAG_MOD_TYPE(el
->flags
) == LDB_FLAG_MOD_ADD
)) {
777 ret
= ldb_msg_add_empty(msg
, attr_name
, LDB_FLAG_MOD_ADD
,
779 if (ret
!= LDB_SUCCESS
) {
784 vals
= talloc_realloc(msg
->elements
, el
->values
, struct ldb_val
,
787 return ldb_oom(sam_ldb
);
790 el
->values
[el
->num_values
] = val
;
797 add a delete attribute value to a message or enhance an existing attribute
798 which has the same name and the delete flag set.
800 int samdb_msg_add_delval(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
,
801 struct ldb_message
*msg
, const char *attr_name
,
804 struct ldb_message_element
*el
;
805 struct ldb_val val
, *vals
;
811 v
= talloc_strdup(mem_ctx
, value
);
813 return ldb_oom(sam_ldb
);
816 val
.data
= (uint8_t *) v
;
817 val
.length
= strlen(v
);
819 if (val
.length
== 0) {
820 /* allow empty strings as non-existent attributes */
824 for (i
= 0; i
< msg
->num_elements
; i
++) {
825 el
= &msg
->elements
[i
];
826 if ((ldb_attr_cmp(el
->name
, attr_name
) == 0) &&
827 (LDB_FLAG_MOD_TYPE(el
->flags
) == LDB_FLAG_MOD_DELETE
)) {
833 ret
= ldb_msg_add_empty(msg
, attr_name
, LDB_FLAG_MOD_DELETE
,
835 if (ret
!= LDB_SUCCESS
) {
840 vals
= talloc_realloc(msg
->elements
, el
->values
, struct ldb_val
,
843 return ldb_oom(sam_ldb
);
846 el
->values
[el
->num_values
] = val
;
853 add a int element to a message
855 int samdb_msg_add_int(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
856 const char *attr_name
, int v
)
858 const char *s
= talloc_asprintf(mem_ctx
, "%d", v
);
860 return ldb_oom(sam_ldb
);
862 return ldb_msg_add_string(msg
, attr_name
, s
);
866 * Add an unsigned int element to a message
868 * The issue here is that we have not yet first cast to int32_t explicitly,
869 * before we cast to an signed int to printf() into the %d or cast to a
870 * int64_t before we then cast to a long long to printf into a %lld.
872 * There are *no* unsigned integers in Active Directory LDAP, even the RID
873 * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
874 * (See the schema, and the syntax definitions in schema_syntax.c).
877 int samdb_msg_add_uint(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
878 const char *attr_name
, unsigned int v
)
880 return samdb_msg_add_int(sam_ldb
, mem_ctx
, msg
, attr_name
, (int)v
);
884 add a (signed) int64_t element to a message
886 int samdb_msg_add_int64(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
887 const char *attr_name
, int64_t v
)
889 const char *s
= talloc_asprintf(mem_ctx
, "%lld", (long long)v
);
891 return ldb_oom(sam_ldb
);
893 return ldb_msg_add_string(msg
, attr_name
, s
);
897 * Add an unsigned int64_t (uint64_t) element to a message
899 * The issue here is that we have not yet first cast to int32_t explicitly,
900 * before we cast to an signed int to printf() into the %d or cast to a
901 * int64_t before we then cast to a long long to printf into a %lld.
903 * There are *no* unsigned integers in Active Directory LDAP, even the RID
904 * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
905 * (See the schema, and the syntax definitions in schema_syntax.c).
908 int samdb_msg_add_uint64(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
909 const char *attr_name
, uint64_t v
)
911 return samdb_msg_add_int64(sam_ldb
, mem_ctx
, msg
, attr_name
, (int64_t)v
);
915 add a samr_Password element to a message
917 int samdb_msg_add_hash(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
918 const char *attr_name
, const struct samr_Password
*hash
)
921 val
.data
= talloc_memdup(mem_ctx
, hash
->hash
, 16);
923 return ldb_oom(sam_ldb
);
926 return ldb_msg_add_value(msg
, attr_name
, &val
, NULL
);
930 add a samr_Password array to a message
932 int samdb_msg_add_hashes(struct ldb_context
*ldb
,
933 TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
934 const char *attr_name
, struct samr_Password
*hashes
,
939 val
.data
= talloc_array_size(mem_ctx
, 16, count
);
940 val
.length
= count
*16;
944 for (i
=0;i
<count
;i
++) {
945 memcpy(i
*16 + (char *)val
.data
, hashes
[i
].hash
, 16);
947 return ldb_msg_add_value(msg
, attr_name
, &val
, NULL
);
951 add a acct_flags element to a message
953 int samdb_msg_add_acct_flags(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
954 const char *attr_name
, uint32_t v
)
956 return samdb_msg_add_uint(sam_ldb
, mem_ctx
, msg
, attr_name
, ds_acb2uf(v
));
960 add a logon_hours element to a message
962 int samdb_msg_add_logon_hours(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
963 const char *attr_name
, struct samr_LogonHours
*hours
)
966 val
.length
= hours
->units_per_week
/ 8;
967 val
.data
= hours
->bits
;
968 return ldb_msg_add_value(msg
, attr_name
, &val
, NULL
);
972 add a parameters element to a message
974 int samdb_msg_add_parameters(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
975 const char *attr_name
, struct lsa_BinaryString
*parameters
)
978 val
.length
= parameters
->length
;
979 val
.data
= (uint8_t *)parameters
->array
;
980 return ldb_msg_add_value(msg
, attr_name
, &val
, NULL
);
984 * Sets an unsigned int element in a message
986 * The issue here is that we have not yet first cast to int32_t explicitly,
987 * before we cast to an signed int to printf() into the %d or cast to a
988 * int64_t before we then cast to a long long to printf into a %lld.
990 * There are *no* unsigned integers in Active Directory LDAP, even the RID
991 * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
992 * (See the schema, and the syntax definitions in schema_syntax.c).
995 int samdb_msg_set_uint(struct ldb_context
*sam_ldb
, TALLOC_CTX
*mem_ctx
,
996 struct ldb_message
*msg
, const char *attr_name
,
999 struct ldb_message_element
*el
;
1001 el
= ldb_msg_find_element(msg
, attr_name
);
1005 return samdb_msg_add_uint(sam_ldb
, mem_ctx
, msg
, attr_name
, v
);
1009 * Handle ldb_request in transaction
1011 static int dsdb_autotransaction_request(struct ldb_context
*sam_ldb
,
1012 struct ldb_request
*req
)
1016 ret
= ldb_transaction_start(sam_ldb
);
1017 if (ret
!= LDB_SUCCESS
) {
1021 ret
= ldb_request(sam_ldb
, req
);
1022 if (ret
== LDB_SUCCESS
) {
1023 ret
= ldb_wait(req
->handle
, LDB_WAIT_ALL
);
1026 if (ret
== LDB_SUCCESS
) {
1027 return ldb_transaction_commit(sam_ldb
);
1029 ldb_transaction_cancel(sam_ldb
);
1035 return a default security descriptor
1037 struct security_descriptor
*samdb_default_security_descriptor(TALLOC_CTX
*mem_ctx
)
1039 struct security_descriptor
*sd
;
1041 sd
= security_descriptor_initialise(mem_ctx
);
1046 struct ldb_dn
*samdb_aggregate_schema_dn(struct ldb_context
*sam_ctx
, TALLOC_CTX
*mem_ctx
)
1048 struct ldb_dn
*schema_dn
= ldb_get_schema_basedn(sam_ctx
);
1049 struct ldb_dn
*aggregate_dn
;
1054 aggregate_dn
= ldb_dn_copy(mem_ctx
, schema_dn
);
1055 if (!aggregate_dn
) {
1058 if (!ldb_dn_add_child_fmt(aggregate_dn
, "CN=Aggregate")) {
1061 return aggregate_dn
;
1064 struct ldb_dn
*samdb_partitions_dn(struct ldb_context
*sam_ctx
, TALLOC_CTX
*mem_ctx
)
1066 struct ldb_dn
*new_dn
;
1068 new_dn
= ldb_dn_copy(mem_ctx
, ldb_get_config_basedn(sam_ctx
));
1069 if ( ! ldb_dn_add_child_fmt(new_dn
, "CN=Partitions")) {
1070 talloc_free(new_dn
);
1076 struct ldb_dn
*samdb_infrastructure_dn(struct ldb_context
*sam_ctx
, TALLOC_CTX
*mem_ctx
)
1078 struct ldb_dn
*new_dn
;
1080 new_dn
= ldb_dn_copy(mem_ctx
, ldb_get_default_basedn(sam_ctx
));
1081 if ( ! ldb_dn_add_child_fmt(new_dn
, "CN=Infrastructure")) {
1082 talloc_free(new_dn
);
1088 struct ldb_dn
*samdb_sites_dn(struct ldb_context
*sam_ctx
, TALLOC_CTX
*mem_ctx
)
1090 struct ldb_dn
*new_dn
;
1092 new_dn
= ldb_dn_copy(mem_ctx
, ldb_get_config_basedn(sam_ctx
));
1093 if ( ! ldb_dn_add_child_fmt(new_dn
, "CN=Sites")) {
1094 talloc_free(new_dn
);
1101 work out the domain sid for the current open ldb
1103 const struct dom_sid
*samdb_domain_sid(struct ldb_context
*ldb
)
1105 TALLOC_CTX
*tmp_ctx
;
1106 const struct dom_sid
*domain_sid
;
1107 const char *attrs
[] = {
1111 struct ldb_result
*res
;
1114 /* see if we have a cached copy */
1115 domain_sid
= (struct dom_sid
*)ldb_get_opaque(ldb
, "cache.domain_sid");
1120 tmp_ctx
= talloc_new(ldb
);
1121 if (tmp_ctx
== NULL
) {
1125 ret
= ldb_search(ldb
, tmp_ctx
, &res
, ldb_get_default_basedn(ldb
), LDB_SCOPE_BASE
, attrs
, "objectSid=*");
1127 if (ret
!= LDB_SUCCESS
) {
1131 if (res
->count
!= 1) {
1135 domain_sid
= samdb_result_dom_sid(tmp_ctx
, res
->msgs
[0], "objectSid");
1136 if (domain_sid
== NULL
) {
1140 /* cache the domain_sid in the ldb */
1141 if (ldb_set_opaque(ldb
, "cache.domain_sid", discard_const_p(struct dom_sid
, domain_sid
)) != LDB_SUCCESS
) {
1145 talloc_steal(ldb
, domain_sid
);
1146 talloc_free(tmp_ctx
);
1151 talloc_free(tmp_ctx
);
1156 get domain sid from cache
1158 const struct dom_sid
*samdb_domain_sid_cache_only(struct ldb_context
*ldb
)
1160 return (struct dom_sid
*)ldb_get_opaque(ldb
, "cache.domain_sid");
1163 bool samdb_set_domain_sid(struct ldb_context
*ldb
, const struct dom_sid
*dom_sid_in
)
1165 TALLOC_CTX
*tmp_ctx
;
1166 struct dom_sid
*dom_sid_new
;
1167 struct dom_sid
*dom_sid_old
;
1169 /* see if we have a cached copy */
1170 dom_sid_old
= talloc_get_type(ldb_get_opaque(ldb
,
1171 "cache.domain_sid"), struct dom_sid
);
1173 tmp_ctx
= talloc_new(ldb
);
1174 if (tmp_ctx
== NULL
) {
1178 dom_sid_new
= dom_sid_dup(tmp_ctx
, dom_sid_in
);
1183 /* cache the domain_sid in the ldb */
1184 if (ldb_set_opaque(ldb
, "cache.domain_sid", dom_sid_new
) != LDB_SUCCESS
) {
1188 talloc_steal(ldb
, dom_sid_new
);
1189 talloc_free(tmp_ctx
);
1190 talloc_free(dom_sid_old
);
1195 DEBUG(1,("Failed to set our own cached domain SID in the ldb!\n"));
1196 talloc_free(tmp_ctx
);
1200 bool samdb_set_ntds_settings_dn(struct ldb_context
*ldb
, struct ldb_dn
*ntds_settings_dn_in
)
1202 TALLOC_CTX
*tmp_ctx
;
1203 struct ldb_dn
*ntds_settings_dn_new
;
1204 struct ldb_dn
*ntds_settings_dn_old
;
1206 /* see if we have a forced copy from provision */
1207 ntds_settings_dn_old
= talloc_get_type(ldb_get_opaque(ldb
,
1208 "forced.ntds_settings_dn"), struct ldb_dn
);
1210 tmp_ctx
= talloc_new(ldb
);
1211 if (tmp_ctx
== NULL
) {
1215 ntds_settings_dn_new
= ldb_dn_copy(tmp_ctx
, ntds_settings_dn_in
);
1216 if (!ntds_settings_dn_new
) {
1220 /* set the DN in the ldb to avoid lookups during provision */
1221 if (ldb_set_opaque(ldb
, "forced.ntds_settings_dn", ntds_settings_dn_new
) != LDB_SUCCESS
) {
1225 talloc_steal(ldb
, ntds_settings_dn_new
);
1226 talloc_free(tmp_ctx
);
1227 talloc_free(ntds_settings_dn_old
);
1232 DEBUG(1,("Failed to set our NTDS Settings DN in the ldb!\n"));
1233 talloc_free(tmp_ctx
);
1238 work out the ntds settings dn for the current open ldb
1240 struct ldb_dn
*samdb_ntds_settings_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
)
1242 TALLOC_CTX
*tmp_ctx
;
1243 const char *root_attrs
[] = { "dsServiceName", NULL
};
1245 struct ldb_result
*root_res
;
1246 struct ldb_dn
*settings_dn
;
1248 /* see if we have a cached copy */
1249 settings_dn
= (struct ldb_dn
*)ldb_get_opaque(ldb
, "forced.ntds_settings_dn");
1251 return ldb_dn_copy(mem_ctx
, settings_dn
);
1254 tmp_ctx
= talloc_new(mem_ctx
);
1255 if (tmp_ctx
== NULL
) {
1259 ret
= ldb_search(ldb
, tmp_ctx
, &root_res
, ldb_dn_new(tmp_ctx
, ldb
, ""), LDB_SCOPE_BASE
, root_attrs
, NULL
);
1260 if (ret
!= LDB_SUCCESS
) {
1261 DEBUG(1,("Searching for dsServiceName in rootDSE failed: %s\n",
1262 ldb_errstring(ldb
)));
1266 if (root_res
->count
!= 1) {
1270 settings_dn
= ldb_msg_find_attr_as_dn(ldb
, tmp_ctx
, root_res
->msgs
[0], "dsServiceName");
1272 /* note that we do not cache the DN here, as that would mean
1273 * we could not handle server renames at runtime. Only
1274 * provision sets up forced.ntds_settings_dn */
1276 talloc_steal(mem_ctx
, settings_dn
);
1277 talloc_free(tmp_ctx
);
1282 DEBUG(1,("Failed to find our own NTDS Settings DN in the ldb!\n"));
1283 talloc_free(tmp_ctx
);
1288 work out the ntds settings invocationId for the current open ldb
1290 const struct GUID
*samdb_ntds_invocation_id(struct ldb_context
*ldb
)
1292 TALLOC_CTX
*tmp_ctx
;
1293 const char *attrs
[] = { "invocationId", NULL
};
1295 struct ldb_result
*res
;
1296 struct GUID
*invocation_id
;
1298 /* see if we have a cached copy */
1299 invocation_id
= (struct GUID
*)ldb_get_opaque(ldb
, "cache.invocation_id");
1300 if (invocation_id
) {
1301 SMB_ASSERT(!GUID_all_zero(invocation_id
));
1302 return invocation_id
;
1305 tmp_ctx
= talloc_new(ldb
);
1306 if (tmp_ctx
== NULL
) {
1310 ret
= ldb_search(ldb
, tmp_ctx
, &res
, samdb_ntds_settings_dn(ldb
, tmp_ctx
), LDB_SCOPE_BASE
, attrs
, NULL
);
1315 if (res
->count
!= 1) {
1319 invocation_id
= talloc(tmp_ctx
, struct GUID
);
1320 if (!invocation_id
) {
1324 *invocation_id
= samdb_result_guid(res
->msgs
[0], "invocationId");
1325 if (GUID_all_zero(invocation_id
)) {
1326 if (ldb_msg_find_ldb_val(res
->msgs
[0], "invocationId")) {
1327 DEBUG(0, ("Failed to find our own NTDS Settings invocationId in the ldb!\n"));
1329 DEBUG(0, ("Failed to find parse own NTDS Settings invocationId from the ldb!\n"));
1334 /* cache the domain_sid in the ldb */
1335 if (ldb_set_opaque(ldb
, "cache.invocation_id", invocation_id
) != LDB_SUCCESS
) {
1339 talloc_steal(ldb
, invocation_id
);
1340 talloc_free(tmp_ctx
);
1342 return invocation_id
;
1345 DEBUG(1,("Failed to find our own NTDS Settings invocationId in the ldb!\n"));
1346 talloc_free(tmp_ctx
);
1350 bool samdb_set_ntds_invocation_id(struct ldb_context
*ldb
, const struct GUID
*invocation_id_in
)
1352 TALLOC_CTX
*tmp_ctx
;
1353 struct GUID
*invocation_id_new
;
1354 struct GUID
*invocation_id_old
;
1356 /* see if we have a cached copy */
1357 invocation_id_old
= (struct GUID
*)ldb_get_opaque(ldb
,
1358 "cache.invocation_id");
1360 tmp_ctx
= talloc_new(ldb
);
1361 if (tmp_ctx
== NULL
) {
1365 invocation_id_new
= talloc(tmp_ctx
, struct GUID
);
1366 if (!invocation_id_new
) {
1370 SMB_ASSERT(!GUID_all_zero(invocation_id_in
));
1371 *invocation_id_new
= *invocation_id_in
;
1373 /* cache the domain_sid in the ldb */
1374 if (ldb_set_opaque(ldb
, "cache.invocation_id", invocation_id_new
) != LDB_SUCCESS
) {
1378 talloc_steal(ldb
, invocation_id_new
);
1379 talloc_free(tmp_ctx
);
1380 talloc_free(invocation_id_old
);
1385 DEBUG(1,("Failed to set our own cached invocationId in the ldb!\n"));
1386 talloc_free(tmp_ctx
);
1391 work out the ntds settings objectGUID for the current open ldb
1393 const struct GUID
*samdb_ntds_objectGUID(struct ldb_context
*ldb
)
1395 TALLOC_CTX
*tmp_ctx
;
1396 const char *attrs
[] = { "objectGUID", NULL
};
1398 struct ldb_result
*res
;
1399 struct GUID
*ntds_guid
;
1401 /* see if we have a cached copy */
1402 ntds_guid
= (struct GUID
*)ldb_get_opaque(ldb
, "cache.ntds_guid");
1407 tmp_ctx
= talloc_new(ldb
);
1408 if (tmp_ctx
== NULL
) {
1412 ret
= ldb_search(ldb
, tmp_ctx
, &res
, samdb_ntds_settings_dn(ldb
, tmp_ctx
), LDB_SCOPE_BASE
, attrs
, NULL
);
1417 if (res
->count
!= 1) {
1421 ntds_guid
= talloc(tmp_ctx
, struct GUID
);
1426 *ntds_guid
= samdb_result_guid(res
->msgs
[0], "objectGUID");
1428 /* cache the domain_sid in the ldb */
1429 if (ldb_set_opaque(ldb
, "cache.ntds_guid", ntds_guid
) != LDB_SUCCESS
) {
1433 talloc_steal(ldb
, ntds_guid
);
1434 talloc_free(tmp_ctx
);
1439 DEBUG(1,("Failed to find our own NTDS Settings objectGUID in the ldb!\n"));
1440 talloc_free(tmp_ctx
);
1444 bool samdb_set_ntds_objectGUID(struct ldb_context
*ldb
, const struct GUID
*ntds_guid_in
)
1446 TALLOC_CTX
*tmp_ctx
;
1447 struct GUID
*ntds_guid_new
;
1448 struct GUID
*ntds_guid_old
;
1450 /* see if we have a cached copy */
1451 ntds_guid_old
= (struct GUID
*)ldb_get_opaque(ldb
, "cache.ntds_guid");
1453 tmp_ctx
= talloc_new(ldb
);
1454 if (tmp_ctx
== NULL
) {
1458 ntds_guid_new
= talloc(tmp_ctx
, struct GUID
);
1459 if (!ntds_guid_new
) {
1463 *ntds_guid_new
= *ntds_guid_in
;
1465 /* cache the domain_sid in the ldb */
1466 if (ldb_set_opaque(ldb
, "cache.ntds_guid", ntds_guid_new
) != LDB_SUCCESS
) {
1470 talloc_steal(ldb
, ntds_guid_new
);
1471 talloc_free(tmp_ctx
);
1472 talloc_free(ntds_guid_old
);
1477 DEBUG(1,("Failed to set our own cached invocationId in the ldb!\n"));
1478 talloc_free(tmp_ctx
);
1483 work out the server dn for the current open ldb
1485 struct ldb_dn
*samdb_server_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
)
1487 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
1492 dn
= ldb_dn_get_parent(mem_ctx
, samdb_ntds_settings_dn(ldb
, tmp_ctx
));
1493 talloc_free(tmp_ctx
);
1499 work out the server dn for the current open ldb
1501 struct ldb_dn
*samdb_server_site_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
)
1503 struct ldb_dn
*server_dn
;
1504 struct ldb_dn
*servers_dn
;
1505 struct ldb_dn
*server_site_dn
;
1507 /* TODO: there must be a saner way to do this!! */
1508 server_dn
= samdb_server_dn(ldb
, mem_ctx
);
1509 if (!server_dn
) return NULL
;
1511 servers_dn
= ldb_dn_get_parent(mem_ctx
, server_dn
);
1512 talloc_free(server_dn
);
1513 if (!servers_dn
) return NULL
;
1515 server_site_dn
= ldb_dn_get_parent(mem_ctx
, servers_dn
);
1516 talloc_free(servers_dn
);
1518 return server_site_dn
;
1522 find the site name from a computers DN record
1524 int samdb_find_site_for_computer(struct ldb_context
*ldb
,
1525 TALLOC_CTX
*mem_ctx
, struct ldb_dn
*computer_dn
,
1526 const char **site_name
)
1530 const struct ldb_val
*rdn_val
;
1534 ret
= samdb_reference_dn(ldb
, mem_ctx
, computer_dn
, "serverReferenceBL", &dn
);
1535 if (ret
!= LDB_SUCCESS
) {
1539 if (!ldb_dn_remove_child_components(dn
, 2)) {
1541 return LDB_ERR_INVALID_DN_SYNTAX
;
1544 rdn_val
= ldb_dn_get_rdn_val(dn
);
1545 if (rdn_val
== NULL
) {
1546 return LDB_ERR_OPERATIONS_ERROR
;
1549 (*site_name
) = talloc_strndup(mem_ctx
, (const char *)rdn_val
->data
, rdn_val
->length
);
1552 return LDB_ERR_OPERATIONS_ERROR
;
1558 find the NTDS GUID from a computers DN record
1560 int samdb_find_ntdsguid_for_computer(struct ldb_context
*ldb
, struct ldb_dn
*computer_dn
,
1561 struct GUID
*ntds_guid
)
1566 *ntds_guid
= GUID_zero();
1568 ret
= samdb_reference_dn(ldb
, ldb
, computer_dn
, "serverReferenceBL", &dn
);
1569 if (ret
!= LDB_SUCCESS
) {
1573 if (!ldb_dn_add_child_fmt(dn
, "CN=NTDS Settings")) {
1575 return LDB_ERR_OPERATIONS_ERROR
;
1578 ret
= dsdb_find_guid_by_dn(ldb
, dn
, ntds_guid
);
1584 find a 'reference' DN that points at another object
1585 (eg. serverReference, rIDManagerReference etc)
1587 int samdb_reference_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
*base
,
1588 const char *attribute
, struct ldb_dn
**dn
)
1590 const char *attrs
[2];
1591 struct ldb_result
*res
;
1594 attrs
[0] = attribute
;
1597 ret
= dsdb_search(ldb
, mem_ctx
, &res
, base
, LDB_SCOPE_BASE
, attrs
, DSDB_SEARCH_ONE_ONLY
|DSDB_SEARCH_SHOW_EXTENDED_DN
, NULL
);
1598 if (ret
!= LDB_SUCCESS
) {
1599 ldb_asprintf_errstring(ldb
, "Cannot find DN %s to get attribute %s for reference dn: %s",
1600 ldb_dn_get_linearized(base
), attribute
, ldb_errstring(ldb
));
1604 *dn
= ldb_msg_find_attr_as_dn(ldb
, mem_ctx
, res
->msgs
[0], attribute
);
1606 if (!ldb_msg_find_element(res
->msgs
[0], attribute
)) {
1607 ldb_asprintf_errstring(ldb
, "Cannot find attribute %s of %s to calculate reference dn", attribute
,
1608 ldb_dn_get_linearized(base
));
1610 ldb_asprintf_errstring(ldb
, "Cannot interpret attribute %s of %s as a dn", attribute
,
1611 ldb_dn_get_linearized(base
));
1614 return LDB_ERR_NO_SUCH_ATTRIBUTE
;
1622 find if a DN (must have GUID component!) is our ntdsDsa
1624 int samdb_dn_is_our_ntdsa(struct ldb_context
*ldb
, struct ldb_dn
*dn
, bool *is_ntdsa
)
1627 struct GUID dn_guid
;
1628 const struct GUID
*our_ntds_guid
;
1629 status
= dsdb_get_extended_dn_guid(dn
, &dn_guid
, "GUID");
1630 if (!NT_STATUS_IS_OK(status
)) {
1631 return LDB_ERR_OPERATIONS_ERROR
;
1634 our_ntds_guid
= samdb_ntds_objectGUID(ldb
);
1635 if (!our_ntds_guid
) {
1636 DEBUG(0, ("Failed to find our NTDS Settings GUID for comparison with %s - %s\n", ldb_dn_get_linearized(dn
), ldb_errstring(ldb
)));
1637 return LDB_ERR_OPERATIONS_ERROR
;
1640 *is_ntdsa
= GUID_equal(&dn_guid
, our_ntds_guid
);
1645 find a 'reference' DN that points at another object and indicate if it is our ntdsDsa
1647 int samdb_reference_dn_is_our_ntdsa(struct ldb_context
*ldb
, struct ldb_dn
*base
,
1648 const char *attribute
, bool *is_ntdsa
)
1651 struct ldb_dn
*referenced_dn
;
1652 TALLOC_CTX
*tmp_ctx
= talloc_new(ldb
);
1653 if (tmp_ctx
== NULL
) {
1654 return LDB_ERR_OPERATIONS_ERROR
;
1656 ret
= samdb_reference_dn(ldb
, tmp_ctx
, base
, attribute
, &referenced_dn
);
1657 if (ret
!= LDB_SUCCESS
) {
1658 DEBUG(0, ("Failed to find object %s for attribute %s - %s\n", ldb_dn_get_linearized(base
), attribute
, ldb_errstring(ldb
)));
1662 ret
= samdb_dn_is_our_ntdsa(ldb
, referenced_dn
, is_ntdsa
);
1664 talloc_free(tmp_ctx
);
1669 find our machine account via the serverReference attribute in the
1672 int samdb_server_reference_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
**dn
)
1674 struct ldb_dn
*server_dn
;
1677 server_dn
= samdb_server_dn(ldb
, mem_ctx
);
1678 if (server_dn
== NULL
) {
1679 return LDB_ERR_NO_SUCH_OBJECT
;
1682 ret
= samdb_reference_dn(ldb
, mem_ctx
, server_dn
, "serverReference", dn
);
1683 talloc_free(server_dn
);
1689 find the RID Manager$ DN via the rIDManagerReference attribute in the
1692 int samdb_rid_manager_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
**dn
)
1694 return samdb_reference_dn(ldb
, mem_ctx
, ldb_get_default_basedn(ldb
),
1695 "rIDManagerReference", dn
);
1699 find the RID Set DN via the rIDSetReferences attribute in our
1702 int samdb_rid_set_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
**dn
)
1704 struct ldb_dn
*server_ref_dn
;
1707 ret
= samdb_server_reference_dn(ldb
, mem_ctx
, &server_ref_dn
);
1708 if (ret
!= LDB_SUCCESS
) {
1711 ret
= samdb_reference_dn(ldb
, mem_ctx
, server_ref_dn
, "rIDSetReferences", dn
);
1712 talloc_free(server_ref_dn
);
1716 const char *samdb_server_site_name(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
)
1718 const struct ldb_val
*val
= ldb_dn_get_rdn_val(samdb_server_site_dn(ldb
,
1725 return (const char *) val
->data
;
1729 * Finds the client site by using the client's IP address.
1730 * The "subnet_name" returns the name of the subnet if parameter != NULL
1732 const char *samdb_client_site_name(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
,
1733 const char *ip_address
, char **subnet_name
)
1735 const char *attrs
[] = { "cn", "siteObject", NULL
};
1736 struct ldb_dn
*sites_container_dn
, *subnets_dn
, *sites_dn
;
1737 struct ldb_result
*res
;
1738 const struct ldb_val
*val
;
1739 const char *site_name
= NULL
, *l_subnet_name
= NULL
;
1740 const char *allow_list
[2] = { NULL
, NULL
};
1741 unsigned int i
, count
;
1745 * if we don't have a client ip e.g. ncalrpc
1746 * the server site is the client site
1748 if (ip_address
== NULL
) {
1749 return samdb_server_site_name(ldb
, mem_ctx
);
1752 sites_container_dn
= samdb_sites_dn(ldb
, mem_ctx
);
1753 if (sites_container_dn
== NULL
) {
1757 subnets_dn
= ldb_dn_copy(mem_ctx
, sites_container_dn
);
1758 if ( ! ldb_dn_add_child_fmt(subnets_dn
, "CN=Subnets")) {
1759 talloc_free(sites_container_dn
);
1760 talloc_free(subnets_dn
);
1764 ret
= ldb_search(ldb
, mem_ctx
, &res
, subnets_dn
, LDB_SCOPE_ONELEVEL
,
1766 if (ret
== LDB_ERR_NO_SUCH_OBJECT
) {
1768 } else if (ret
!= LDB_SUCCESS
) {
1769 talloc_free(sites_container_dn
);
1770 talloc_free(subnets_dn
);
1776 for (i
= 0; i
< count
; i
++) {
1777 l_subnet_name
= ldb_msg_find_attr_as_string(res
->msgs
[i
], "cn",
1780 allow_list
[0] = l_subnet_name
;
1782 if (socket_allow_access(mem_ctx
, NULL
, allow_list
, "", ip_address
)) {
1783 sites_dn
= ldb_msg_find_attr_as_dn(ldb
, mem_ctx
,
1786 if (sites_dn
== NULL
) {
1787 /* No reference, maybe another subnet matches */
1791 /* "val" cannot be NULL here since "sites_dn" != NULL */
1792 val
= ldb_dn_get_rdn_val(sites_dn
);
1793 site_name
= talloc_strdup(mem_ctx
,
1794 (const char *) val
->data
);
1796 talloc_free(sites_dn
);
1802 if (site_name
== NULL
) {
1803 /* This is the Windows Server fallback rule: when no subnet
1804 * exists and we have only one site available then use it (it
1805 * is for sure the same as our server site). If more sites do
1806 * exist then we don't know which one to use and set the site
1808 cnt
= samdb_search_count(ldb
, mem_ctx
, sites_container_dn
,
1809 "(objectClass=site)");
1811 site_name
= samdb_server_site_name(ldb
, mem_ctx
);
1813 site_name
= talloc_strdup(mem_ctx
, "");
1815 l_subnet_name
= NULL
;
1818 if (subnet_name
!= NULL
) {
1819 *subnet_name
= talloc_strdup(mem_ctx
, l_subnet_name
);
1822 talloc_free(sites_container_dn
);
1823 talloc_free(subnets_dn
);
1830 work out if we are the PDC for the domain of the current open ldb
1832 bool samdb_is_pdc(struct ldb_context
*ldb
)
1837 ret
= samdb_reference_dn_is_our_ntdsa(ldb
, ldb_get_default_basedn(ldb
), "fsmoRoleOwner",
1839 if (ret
!= LDB_SUCCESS
) {
1840 DEBUG(1,("Failed to find if we are the PDC for this ldb: Searching for fSMORoleOwner in %s failed: %s\n",
1841 ldb_dn_get_linearized(ldb_get_default_basedn(ldb
)),
1842 ldb_errstring(ldb
)));
1850 work out if we are a Global Catalog server for the domain of the current open ldb
1852 bool samdb_is_gc(struct ldb_context
*ldb
)
1855 if (samdb_ntds_options(ldb
, &options
) != LDB_SUCCESS
) {
1858 return (options
& DS_NTDSDSA_OPT_IS_GC
) != 0;
1861 /* Find a domain object in the parents of a particular DN. */
1862 int samdb_search_for_parent_domain(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
*dn
,
1863 struct ldb_dn
**parent_dn
, const char **errstring
)
1865 TALLOC_CTX
*local_ctx
;
1866 struct ldb_dn
*sdn
= dn
;
1867 struct ldb_result
*res
= NULL
;
1868 int ret
= LDB_SUCCESS
;
1869 const char *attrs
[] = { NULL
};
1871 local_ctx
= talloc_new(mem_ctx
);
1872 if (local_ctx
== NULL
) return ldb_oom(ldb
);
1874 while ((sdn
= ldb_dn_get_parent(local_ctx
, sdn
))) {
1875 ret
= ldb_search(ldb
, local_ctx
, &res
, sdn
, LDB_SCOPE_BASE
, attrs
,
1876 "(|(objectClass=domain)(objectClass=builtinDomain))");
1877 if (ret
== LDB_SUCCESS
) {
1878 if (res
->count
== 1) {
1886 if (ret
!= LDB_SUCCESS
) {
1887 *errstring
= talloc_asprintf(mem_ctx
, "Error searching for parent domain of %s, failed searching for %s: %s",
1888 ldb_dn_get_linearized(dn
),
1889 ldb_dn_get_linearized(sdn
),
1890 ldb_errstring(ldb
));
1891 talloc_free(local_ctx
);
1894 if (res
->count
!= 1) {
1895 *errstring
= talloc_asprintf(mem_ctx
, "Invalid dn (%s), not child of a domain object",
1896 ldb_dn_get_linearized(dn
));
1897 DEBUG(0,(__location__
": %s\n", *errstring
));
1898 talloc_free(local_ctx
);
1899 return LDB_ERR_CONSTRAINT_VIOLATION
;
1902 *parent_dn
= talloc_steal(mem_ctx
, res
->msgs
[0]->dn
);
1903 talloc_free(local_ctx
);
1909 * Performs checks on a user password (plaintext UNIX format - attribute
1910 * "password"). The remaining parameters have to be extracted from the domain
1913 * Result codes from "enum samr_ValidationStatus" (consider "samr.idl")
1915 enum samr_ValidationStatus
samdb_check_password(const DATA_BLOB
*utf8_blob
,
1916 const uint32_t pwdProperties
,
1917 const uint32_t minPwdLength
)
1919 const char *utf8_pw
= (const char *)utf8_blob
->data
;
1920 size_t utf8_len
= strlen_m(utf8_pw
);
1922 /* checks if the "minPwdLength" property is satisfied */
1923 if (minPwdLength
> utf8_len
) {
1924 return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT
;
1927 /* checks the password complexity */
1928 if (!(pwdProperties
& DOMAIN_PASSWORD_COMPLEX
)) {
1929 return SAMR_VALIDATION_STATUS_SUCCESS
;
1932 if (utf8_len
== 0) {
1933 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH
;
1936 if (!check_password_quality(utf8_pw
)) {
1937 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH
;
1940 return SAMR_VALIDATION_STATUS_SUCCESS
;
1944 * Callback for "samdb_set_password" password change
1946 int samdb_set_password_callback(struct ldb_request
*req
, struct ldb_reply
*ares
)
1951 return ldb_request_done(req
, LDB_ERR_OPERATIONS_ERROR
);
1954 if (ares
->error
!= LDB_SUCCESS
) {
1956 req
->context
= talloc_steal(req
,
1957 ldb_reply_get_control(ares
, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID
));
1959 return ldb_request_done(req
, ret
);
1962 if (ares
->type
!= LDB_REPLY_DONE
) {
1964 return ldb_request_done(req
, LDB_ERR_OPERATIONS_ERROR
);
1967 req
->context
= talloc_steal(req
,
1968 ldb_reply_get_control(ares
, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID
));
1970 return ldb_request_done(req
, LDB_SUCCESS
);
1974 * Sets the user password using plaintext UTF16 (attribute "new_password") or
1975 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
1976 * the old LM and/or NT hash (attributes "lmOldHash"/"ntOldHash") if it is a
1977 * user change or not. The "rejectReason" gives some more information if the
1980 * Results: NT_STATUS_OK, NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
1981 * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION
1983 NTSTATUS
samdb_set_password(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
,
1984 struct ldb_dn
*user_dn
, struct ldb_dn
*domain_dn
,
1985 const DATA_BLOB
*new_password
,
1986 const struct samr_Password
*lmNewHash
,
1987 const struct samr_Password
*ntNewHash
,
1988 const struct samr_Password
*lmOldHash
,
1989 const struct samr_Password
*ntOldHash
,
1990 enum samPwdChangeReason
*reject_reason
,
1991 struct samr_DomInfo1
**_dominfo
)
1993 struct ldb_message
*msg
;
1994 struct ldb_message_element
*el
;
1995 struct ldb_request
*req
;
1996 struct dsdb_control_password_change_status
*pwd_stat
= NULL
;
1998 bool hash_values
= false;
1999 NTSTATUS status
= NT_STATUS_OK
;
2001 #define CHECK_RET(x) \
2002 if (x != LDB_SUCCESS) { \
2004 return NT_STATUS_NO_MEMORY; \
2007 msg
= ldb_msg_new(mem_ctx
);
2009 return NT_STATUS_NO_MEMORY
;
2012 if ((new_password
!= NULL
)
2013 && ((lmNewHash
== NULL
) && (ntNewHash
== NULL
))) {
2014 /* we have the password as plaintext UTF16 */
2015 CHECK_RET(ldb_msg_add_value(msg
, "clearTextPassword",
2016 new_password
, NULL
));
2017 el
= ldb_msg_find_element(msg
, "clearTextPassword");
2018 el
->flags
= LDB_FLAG_MOD_REPLACE
;
2019 } else if ((new_password
== NULL
)
2020 && ((lmNewHash
!= NULL
) || (ntNewHash
!= NULL
))) {
2021 /* we have a password as LM and/or NT hash */
2022 if (lmNewHash
!= NULL
) {
2023 CHECK_RET(samdb_msg_add_hash(ldb
, mem_ctx
, msg
,
2024 "dBCSPwd", lmNewHash
));
2025 el
= ldb_msg_find_element(msg
, "dBCSPwd");
2026 el
->flags
= LDB_FLAG_MOD_REPLACE
;
2028 if (ntNewHash
!= NULL
) {
2029 CHECK_RET(samdb_msg_add_hash(ldb
, mem_ctx
, msg
,
2030 "unicodePwd", ntNewHash
));
2031 el
= ldb_msg_find_element(msg
, "unicodePwd");
2032 el
->flags
= LDB_FLAG_MOD_REPLACE
;
2036 /* the password wasn't specified correctly */
2038 return NT_STATUS_INVALID_PARAMETER
;
2041 /* build modify request */
2042 ret
= ldb_build_mod_req(&req
, ldb
, mem_ctx
, msg
, NULL
, NULL
,
2043 samdb_set_password_callback
, NULL
);
2044 if (ret
!= LDB_SUCCESS
) {
2046 return NT_STATUS_NO_MEMORY
;
2049 /* A password change operation */
2050 if ((ntOldHash
!= NULL
) || (lmOldHash
!= NULL
)) {
2051 struct dsdb_control_password_change
*change
;
2053 change
= talloc(req
, struct dsdb_control_password_change
);
2054 if (change
== NULL
) {
2057 return NT_STATUS_NO_MEMORY
;
2060 change
->old_nt_pwd_hash
= ntOldHash
;
2061 change
->old_lm_pwd_hash
= lmOldHash
;
2063 ret
= ldb_request_add_control(req
,
2064 DSDB_CONTROL_PASSWORD_CHANGE_OID
,
2066 if (ret
!= LDB_SUCCESS
) {
2069 return NT_STATUS_NO_MEMORY
;
2073 ret
= ldb_request_add_control(req
,
2074 DSDB_CONTROL_PASSWORD_HASH_VALUES_OID
,
2076 if (ret
!= LDB_SUCCESS
) {
2079 return NT_STATUS_NO_MEMORY
;
2082 ret
= ldb_request_add_control(req
,
2083 DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID
,
2085 if (ret
!= LDB_SUCCESS
) {
2088 return NT_STATUS_NO_MEMORY
;
2091 ret
= dsdb_autotransaction_request(ldb
, req
);
2093 if (req
->context
!= NULL
) {
2094 pwd_stat
= talloc_steal(mem_ctx
,
2095 ((struct ldb_control
*)req
->context
)->data
);
2101 /* Sets the domain info (if requested) */
2102 if (_dominfo
!= NULL
) {
2103 struct samr_DomInfo1
*dominfo
;
2105 dominfo
= talloc_zero(mem_ctx
, struct samr_DomInfo1
);
2106 if (dominfo
== NULL
) {
2107 return NT_STATUS_NO_MEMORY
;
2110 if (pwd_stat
!= NULL
) {
2111 dominfo
->min_password_length
= pwd_stat
->domain_data
.minPwdLength
;
2112 dominfo
->password_properties
= pwd_stat
->domain_data
.pwdProperties
;
2113 dominfo
->password_history_length
= pwd_stat
->domain_data
.pwdHistoryLength
;
2114 dominfo
->max_password_age
= pwd_stat
->domain_data
.maxPwdAge
;
2115 dominfo
->min_password_age
= pwd_stat
->domain_data
.minPwdAge
;
2118 *_dominfo
= dominfo
;
2121 if (reject_reason
!= NULL
) {
2122 if (pwd_stat
!= NULL
) {
2123 *reject_reason
= pwd_stat
->reject_reason
;
2125 *reject_reason
= SAM_PWD_CHANGE_NO_ERROR
;
2129 if (pwd_stat
!= NULL
) {
2130 talloc_free(pwd_stat
);
2133 if (ret
== LDB_ERR_CONSTRAINT_VIOLATION
) {
2134 const char *errmsg
= ldb_errstring(ldb
);
2135 char *endptr
= NULL
;
2136 WERROR werr
= WERR_GENERAL_FAILURE
;
2137 status
= NT_STATUS_UNSUCCESSFUL
;
2138 if (errmsg
!= NULL
) {
2139 werr
= W_ERROR(strtol(errmsg
, &endptr
, 16));
2141 if (endptr
!= errmsg
) {
2142 if (W_ERROR_EQUAL(werr
, WERR_INVALID_PASSWORD
)) {
2143 status
= NT_STATUS_WRONG_PASSWORD
;
2145 if (W_ERROR_EQUAL(werr
, WERR_PASSWORD_RESTRICTION
)) {
2146 status
= NT_STATUS_PASSWORD_RESTRICTION
;
2149 } else if (ret
== LDB_ERR_NO_SUCH_OBJECT
) {
2150 /* don't let the caller know if an account doesn't exist */
2151 status
= NT_STATUS_WRONG_PASSWORD
;
2152 } else if (ret
!= LDB_SUCCESS
) {
2153 status
= NT_STATUS_UNSUCCESSFUL
;
2160 * Sets the user password using plaintext UTF16 (attribute "new_password") or
2161 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
2162 * the old LM and/or NT hash (attributes "lmOldHash"/"ntOldHash") if it is a
2163 * user change or not. The "rejectReason" gives some more information if the
2166 * This wrapper function for "samdb_set_password" takes a SID as input rather
2169 * This call encapsulates a new LDB transaction for changing the password;
2170 * therefore the user hasn't to start a new one.
2172 * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
2173 * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
2174 * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION,
2175 * NT_STATUS_TRANSACTION_ABORTED, NT_STATUS_NO_SUCH_USER
2177 NTSTATUS
samdb_set_password_sid(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
,
2178 const struct dom_sid
*user_sid
,
2179 const DATA_BLOB
*new_password
,
2180 const struct samr_Password
*lmNewHash
,
2181 const struct samr_Password
*ntNewHash
,
2182 const struct samr_Password
*lmOldHash
,
2183 const struct samr_Password
*ntOldHash
,
2184 enum samPwdChangeReason
*reject_reason
,
2185 struct samr_DomInfo1
**_dominfo
)
2188 struct ldb_dn
*user_dn
;
2191 ret
= ldb_transaction_start(ldb
);
2192 if (ret
!= LDB_SUCCESS
) {
2193 DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(ldb
)));
2194 return NT_STATUS_TRANSACTION_ABORTED
;
2197 user_dn
= samdb_search_dn(ldb
, mem_ctx
, NULL
,
2198 "(&(objectSid=%s)(objectClass=user))",
2199 ldap_encode_ndr_dom_sid(mem_ctx
, user_sid
));
2201 ldb_transaction_cancel(ldb
);
2202 DEBUG(3, ("samdb_set_password_sid: SID %s not found in samdb, returning NO_SUCH_USER\n",
2203 dom_sid_string(mem_ctx
, user_sid
)));
2204 return NT_STATUS_NO_SUCH_USER
;
2207 nt_status
= samdb_set_password(ldb
, mem_ctx
,
2210 lmNewHash
, ntNewHash
,
2211 lmOldHash
, ntOldHash
,
2212 reject_reason
, _dominfo
);
2213 if (!NT_STATUS_IS_OK(nt_status
)) {
2214 ldb_transaction_cancel(ldb
);
2215 talloc_free(user_dn
);
2219 ret
= ldb_transaction_commit(ldb
);
2220 if (ret
!= LDB_SUCCESS
) {
2221 DEBUG(0,("Failed to commit transaction to change password on %s: %s\n",
2222 ldb_dn_get_linearized(user_dn
),
2223 ldb_errstring(ldb
)));
2224 talloc_free(user_dn
);
2225 return NT_STATUS_TRANSACTION_ABORTED
;
2228 talloc_free(user_dn
);
2229 return NT_STATUS_OK
;
2233 NTSTATUS
samdb_create_foreign_security_principal(struct ldb_context
*sam_ctx
, TALLOC_CTX
*mem_ctx
,
2234 struct dom_sid
*sid
, struct ldb_dn
**ret_dn
)
2236 struct ldb_message
*msg
;
2237 struct ldb_dn
*basedn
;
2241 sidstr
= dom_sid_string(mem_ctx
, sid
);
2242 NT_STATUS_HAVE_NO_MEMORY(sidstr
);
2244 /* We might have to create a ForeignSecurityPrincipal, even if this user
2245 * is in our own domain */
2247 msg
= ldb_msg_new(sidstr
);
2249 talloc_free(sidstr
);
2250 return NT_STATUS_NO_MEMORY
;
2253 ret
= dsdb_wellknown_dn(sam_ctx
, sidstr
,
2254 ldb_get_default_basedn(sam_ctx
),
2255 DS_GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER
,
2257 if (ret
!= LDB_SUCCESS
) {
2258 DEBUG(0, ("Failed to find DN for "
2259 "ForeignSecurityPrincipal container - %s\n", ldb_errstring(sam_ctx
)));
2260 talloc_free(sidstr
);
2261 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
2264 /* add core elements to the ldb_message for the alias */
2266 if ( ! ldb_dn_add_child_fmt(msg
->dn
, "CN=%s", sidstr
)) {
2267 talloc_free(sidstr
);
2268 return NT_STATUS_NO_MEMORY
;
2271 ret
= ldb_msg_add_string(msg
, "objectClass",
2272 "foreignSecurityPrincipal");
2273 if (ret
!= LDB_SUCCESS
) {
2274 talloc_free(sidstr
);
2275 return NT_STATUS_NO_MEMORY
;
2278 /* create the alias */
2279 ret
= ldb_add(sam_ctx
, msg
);
2280 if (ret
!= LDB_SUCCESS
) {
2281 DEBUG(0,("Failed to create foreignSecurityPrincipal "
2283 ldb_dn_get_linearized(msg
->dn
),
2284 ldb_errstring(sam_ctx
)));
2285 talloc_free(sidstr
);
2286 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
2289 *ret_dn
= talloc_steal(mem_ctx
, msg
->dn
);
2290 talloc_free(sidstr
);
2292 return NT_STATUS_OK
;
2297 Find the DN of a domain, assuming it to be a dotted.dns name
2300 struct ldb_dn
*samdb_dns_domain_to_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
, const char *dns_domain
)
2303 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
2304 const char *binary_encoded
;
2305 const char * const *split_realm
;
2312 split_realm
= (const char * const *)str_list_make(tmp_ctx
, dns_domain
, ".");
2314 talloc_free(tmp_ctx
);
2317 dn
= ldb_dn_new(mem_ctx
, ldb
, NULL
);
2318 for (i
=0; split_realm
[i
]; i
++) {
2319 binary_encoded
= ldb_binary_encode_string(tmp_ctx
, split_realm
[i
]);
2320 if (!ldb_dn_add_base_fmt(dn
, "dc=%s", binary_encoded
)) {
2321 DEBUG(2, ("Failed to add dc=%s element to DN %s\n",
2322 binary_encoded
, ldb_dn_get_linearized(dn
)));
2323 talloc_free(tmp_ctx
);
2327 if (!ldb_dn_validate(dn
)) {
2328 DEBUG(2, ("Failed to validated DN %s\n",
2329 ldb_dn_get_linearized(dn
)));
2330 talloc_free(tmp_ctx
);
2333 talloc_free(tmp_ctx
);
2339 Find the DNS equivalent of a DN, in dotted DNS form
2341 char *samdb_dn_to_dns_domain(TALLOC_CTX
*mem_ctx
, struct ldb_dn
*dn
)
2343 int i
, num_components
= ldb_dn_get_comp_num(dn
);
2344 char *dns_name
= talloc_strdup(mem_ctx
, "");
2345 if (dns_name
== NULL
) {
2349 for (i
=0; i
<num_components
; i
++) {
2350 const struct ldb_val
*v
= ldb_dn_get_component_val(dn
, i
);
2353 talloc_free(dns_name
);
2356 s
= talloc_asprintf_append_buffer(dns_name
, "%*.*s.",
2357 (int)v
->length
, (int)v
->length
, (char *)v
->data
);
2359 talloc_free(dns_name
);
2365 /* remove the last '.' */
2366 if (dns_name
[0] != 0) {
2367 dns_name
[strlen(dns_name
)-1] = 0;
2374 Find the DNS _msdcs name for a given NTDS GUID. The resulting DNS
2375 name is based on the forest DNS name
2377 char *samdb_ntds_msdcs_dns_name(struct ldb_context
*samdb
,
2378 TALLOC_CTX
*mem_ctx
,
2379 const struct GUID
*ntds_guid
)
2381 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
2382 const char *guid_str
;
2383 struct ldb_dn
*forest_dn
;
2384 const char *dnsforest
;
2387 guid_str
= GUID_string(tmp_ctx
, ntds_guid
);
2388 if (guid_str
== NULL
) {
2389 talloc_free(tmp_ctx
);
2392 forest_dn
= ldb_get_root_basedn(samdb
);
2393 if (forest_dn
== NULL
) {
2394 talloc_free(tmp_ctx
);
2397 dnsforest
= samdb_dn_to_dns_domain(tmp_ctx
, forest_dn
);
2398 if (dnsforest
== NULL
) {
2399 talloc_free(tmp_ctx
);
2402 ret
= talloc_asprintf(mem_ctx
, "%s._msdcs.%s", guid_str
, dnsforest
);
2403 talloc_free(tmp_ctx
);
2409 Find the DN of a domain, be it the netbios or DNS name
2411 struct ldb_dn
*samdb_domain_to_dn(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
,
2412 const char *domain_name
)
2414 const char * const domain_ref_attrs
[] = {
2417 const char * const domain_ref2_attrs
[] = {
2420 struct ldb_result
*res_domain_ref
;
2421 char *escaped_domain
= ldb_binary_encode_string(mem_ctx
, domain_name
);
2422 /* find the domain's DN */
2423 int ret_domain
= ldb_search(ldb
, mem_ctx
,
2425 samdb_partitions_dn(ldb
, mem_ctx
),
2428 "(&(nETBIOSName=%s)(objectclass=crossRef))",
2430 if (ret_domain
!= LDB_SUCCESS
) {
2434 if (res_domain_ref
->count
== 0) {
2435 ret_domain
= ldb_search(ldb
, mem_ctx
,
2437 samdb_dns_domain_to_dn(ldb
, mem_ctx
, domain_name
),
2440 "(objectclass=domain)");
2441 if (ret_domain
!= LDB_SUCCESS
) {
2445 if (res_domain_ref
->count
== 1) {
2446 return res_domain_ref
->msgs
[0]->dn
;
2451 if (res_domain_ref
->count
> 1) {
2452 DEBUG(0,("Found %d records matching domain [%s]\n",
2453 ret_domain
, domain_name
));
2457 return samdb_result_dn(ldb
, mem_ctx
, res_domain_ref
->msgs
[0], "nCName", NULL
);
2463 use a GUID to find a DN
2465 int dsdb_find_dn_by_guid(struct ldb_context
*ldb
,
2466 TALLOC_CTX
*mem_ctx
,
2467 const struct GUID
*guid
,
2468 uint32_t dsdb_flags
,
2472 struct ldb_result
*res
;
2473 const char *attrs
[] = { NULL
};
2474 char *guid_str
= GUID_string(mem_ctx
, guid
);
2477 return ldb_operr(ldb
);
2480 ret
= dsdb_search(ldb
, mem_ctx
, &res
, NULL
, LDB_SCOPE_SUBTREE
, attrs
,
2481 DSDB_SEARCH_SEARCH_ALL_PARTITIONS
|
2482 DSDB_SEARCH_SHOW_EXTENDED_DN
|
2483 DSDB_SEARCH_ONE_ONLY
| dsdb_flags
,
2484 "objectGUID=%s", guid_str
);
2485 talloc_free(guid_str
);
2486 if (ret
!= LDB_SUCCESS
) {
2490 *dn
= talloc_steal(mem_ctx
, res
->msgs
[0]->dn
);
2497 use a DN to find a GUID with a given attribute name
2499 int dsdb_find_guid_attr_by_dn(struct ldb_context
*ldb
,
2500 struct ldb_dn
*dn
, const char *attribute
,
2504 struct ldb_result
*res
;
2505 const char *attrs
[2];
2506 TALLOC_CTX
*tmp_ctx
= talloc_new(ldb
);
2508 attrs
[0] = attribute
;
2511 ret
= dsdb_search_dn(ldb
, tmp_ctx
, &res
, dn
, attrs
,
2512 DSDB_SEARCH_SHOW_DELETED
|
2513 DSDB_SEARCH_SHOW_RECYCLED
);
2514 if (ret
!= LDB_SUCCESS
) {
2515 talloc_free(tmp_ctx
);
2518 if (res
->count
< 1) {
2519 talloc_free(tmp_ctx
);
2520 return LDB_ERR_NO_SUCH_OBJECT
;
2522 *guid
= samdb_result_guid(res
->msgs
[0], attribute
);
2523 talloc_free(tmp_ctx
);
2528 use a DN to find a GUID
2530 int dsdb_find_guid_by_dn(struct ldb_context
*ldb
,
2531 struct ldb_dn
*dn
, struct GUID
*guid
)
2533 return dsdb_find_guid_attr_by_dn(ldb
, dn
, "objectGUID", guid
);
2539 adds the given GUID to the given ldb_message. This value is added
2540 for the given attr_name (may be either "objectGUID" or "parentGUID").
2542 int dsdb_msg_add_guid(struct ldb_message
*msg
,
2544 const char *attr_name
)
2549 TALLOC_CTX
*tmp_ctx
= talloc_init("dsdb_msg_add_guid");
2551 status
= GUID_to_ndr_blob(guid
, tmp_ctx
, &v
);
2552 if (!NT_STATUS_IS_OK(status
)) {
2553 ret
= LDB_ERR_OPERATIONS_ERROR
;
2557 ret
= ldb_msg_add_steal_value(msg
, attr_name
, &v
);
2558 if (ret
!= LDB_SUCCESS
) {
2559 DEBUG(4,(__location__
": Failed to add %s to the message\n",
2567 talloc_free(tmp_ctx
);
2574 use a DN to find a SID
2576 int dsdb_find_sid_by_dn(struct ldb_context
*ldb
,
2577 struct ldb_dn
*dn
, struct dom_sid
*sid
)
2580 struct ldb_result
*res
;
2581 const char *attrs
[] = { "objectSid", NULL
};
2582 TALLOC_CTX
*tmp_ctx
= talloc_new(ldb
);
2587 ret
= dsdb_search_dn(ldb
, tmp_ctx
, &res
, dn
, attrs
,
2588 DSDB_SEARCH_SHOW_DELETED
|
2589 DSDB_SEARCH_SHOW_RECYCLED
);
2590 if (ret
!= LDB_SUCCESS
) {
2591 talloc_free(tmp_ctx
);
2594 if (res
->count
< 1) {
2595 talloc_free(tmp_ctx
);
2596 return LDB_ERR_NO_SUCH_OBJECT
;
2598 s
= samdb_result_dom_sid(tmp_ctx
, res
->msgs
[0], "objectSid");
2600 talloc_free(tmp_ctx
);
2601 return LDB_ERR_NO_SUCH_OBJECT
;
2604 talloc_free(tmp_ctx
);
2609 use a SID to find a DN
2611 int dsdb_find_dn_by_sid(struct ldb_context
*ldb
,
2612 TALLOC_CTX
*mem_ctx
,
2613 struct dom_sid
*sid
, struct ldb_dn
**dn
)
2616 struct ldb_result
*res
;
2617 const char *attrs
[] = { NULL
};
2618 char *sid_str
= ldap_encode_ndr_dom_sid(mem_ctx
, sid
);
2621 return ldb_operr(ldb
);
2624 ret
= dsdb_search(ldb
, mem_ctx
, &res
, NULL
, LDB_SCOPE_SUBTREE
, attrs
,
2625 DSDB_SEARCH_SEARCH_ALL_PARTITIONS
|
2626 DSDB_SEARCH_SHOW_EXTENDED_DN
|
2627 DSDB_SEARCH_ONE_ONLY
,
2628 "objectSid=%s", sid_str
);
2629 talloc_free(sid_str
);
2630 if (ret
!= LDB_SUCCESS
) {
2634 *dn
= talloc_steal(mem_ctx
, res
->msgs
[0]->dn
);
2641 load a repsFromTo blob list for a given partition GUID
2642 attr must be "repsFrom" or "repsTo"
2644 WERROR
dsdb_loadreps(struct ldb_context
*sam_ctx
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
*dn
,
2645 const char *attr
, struct repsFromToBlob
**r
, uint32_t *count
)
2647 const char *attrs
[] = { attr
, NULL
};
2648 struct ldb_result
*res
= NULL
;
2649 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
2651 struct ldb_message_element
*el
;
2657 ret
= dsdb_search_dn(sam_ctx
, tmp_ctx
, &res
, dn
, attrs
, 0);
2658 if (ret
== LDB_ERR_NO_SUCH_OBJECT
) {
2659 /* partition hasn't been replicated yet */
2662 if (ret
!= LDB_SUCCESS
) {
2663 DEBUG(0,("dsdb_loadreps: failed to read partition object: %s\n", ldb_errstring(sam_ctx
)));
2664 talloc_free(tmp_ctx
);
2665 return WERR_DS_DRA_INTERNAL_ERROR
;
2668 el
= ldb_msg_find_element(res
->msgs
[0], attr
);
2670 /* it's OK to be empty */
2671 talloc_free(tmp_ctx
);
2675 *count
= el
->num_values
;
2676 *r
= talloc_array(mem_ctx
, struct repsFromToBlob
, *count
);
2678 talloc_free(tmp_ctx
);
2679 return WERR_DS_DRA_INTERNAL_ERROR
;
2682 for (i
=0; i
<(*count
); i
++) {
2683 enum ndr_err_code ndr_err
;
2684 ndr_err
= ndr_pull_struct_blob(&el
->values
[i
],
2687 (ndr_pull_flags_fn_t
)ndr_pull_repsFromToBlob
);
2688 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
2689 talloc_free(tmp_ctx
);
2690 return WERR_DS_DRA_INTERNAL_ERROR
;
2694 talloc_free(tmp_ctx
);
2700 save the repsFromTo blob list for a given partition GUID
2701 attr must be "repsFrom" or "repsTo"
2703 WERROR
dsdb_savereps(struct ldb_context
*sam_ctx
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
*dn
,
2704 const char *attr
, struct repsFromToBlob
*r
, uint32_t count
)
2706 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
2707 struct ldb_message
*msg
;
2708 struct ldb_message_element
*el
;
2711 msg
= ldb_msg_new(tmp_ctx
);
2713 if (ldb_msg_add_empty(msg
, attr
, LDB_FLAG_MOD_REPLACE
, &el
) != LDB_SUCCESS
) {
2717 el
->values
= talloc_array(msg
, struct ldb_val
, count
);
2722 for (i
=0; i
<count
; i
++) {
2724 enum ndr_err_code ndr_err
;
2726 ndr_err
= ndr_push_struct_blob(&v
, tmp_ctx
,
2728 (ndr_push_flags_fn_t
)ndr_push_repsFromToBlob
);
2729 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
2737 if (dsdb_modify(sam_ctx
, msg
, 0) != LDB_SUCCESS
) {
2738 DEBUG(0,("Failed to store %s - %s\n", attr
, ldb_errstring(sam_ctx
)));
2742 talloc_free(tmp_ctx
);
2747 talloc_free(tmp_ctx
);
2748 return WERR_DS_DRA_INTERNAL_ERROR
;
2753 load the uSNHighest and the uSNUrgent attributes from the @REPLCHANGED
2754 object for a partition
2756 int dsdb_load_partition_usn(struct ldb_context
*ldb
, struct ldb_dn
*dn
,
2757 uint64_t *uSN
, uint64_t *urgent_uSN
)
2759 struct ldb_request
*req
;
2761 TALLOC_CTX
*tmp_ctx
= talloc_new(ldb
);
2762 struct dsdb_control_current_partition
*p_ctrl
;
2763 struct ldb_result
*res
;
2765 res
= talloc_zero(tmp_ctx
, struct ldb_result
);
2767 talloc_free(tmp_ctx
);
2768 return ldb_oom(ldb
);
2771 ret
= ldb_build_search_req(&req
, ldb
, tmp_ctx
,
2772 ldb_dn_new(tmp_ctx
, ldb
, "@REPLCHANGED"),
2776 res
, ldb_search_default_callback
,
2778 if (ret
!= LDB_SUCCESS
) {
2779 talloc_free(tmp_ctx
);
2783 p_ctrl
= talloc(req
, struct dsdb_control_current_partition
);
2784 if (p_ctrl
== NULL
) {
2785 talloc_free(tmp_ctx
);
2786 return ldb_oom(ldb
);
2788 p_ctrl
->version
= DSDB_CONTROL_CURRENT_PARTITION_VERSION
;
2791 ret
= ldb_request_add_control(req
,
2792 DSDB_CONTROL_CURRENT_PARTITION_OID
,
2794 if (ret
!= LDB_SUCCESS
) {
2795 talloc_free(tmp_ctx
);
2799 /* Run the new request */
2800 ret
= ldb_request(ldb
, req
);
2802 if (ret
== LDB_SUCCESS
) {
2803 ret
= ldb_wait(req
->handle
, LDB_WAIT_ALL
);
2806 if (ret
== LDB_ERR_NO_SUCH_OBJECT
|| ret
== LDB_ERR_INVALID_DN_SYNTAX
) {
2807 /* it hasn't been created yet, which means
2808 an implicit value of zero */
2810 talloc_free(tmp_ctx
);
2814 if (ret
!= LDB_SUCCESS
) {
2815 talloc_free(tmp_ctx
);
2819 if (res
->count
< 1) {
2825 *uSN
= ldb_msg_find_attr_as_uint64(res
->msgs
[0], "uSNHighest", 0);
2827 *urgent_uSN
= ldb_msg_find_attr_as_uint64(res
->msgs
[0], "uSNUrgent", 0);
2831 talloc_free(tmp_ctx
);
2836 int drsuapi_DsReplicaCursor2_compare(const struct drsuapi_DsReplicaCursor2
*c1
,
2837 const struct drsuapi_DsReplicaCursor2
*c2
)
2839 return GUID_compare(&c1
->source_dsa_invocation_id
, &c2
->source_dsa_invocation_id
);
2842 int drsuapi_DsReplicaCursor_compare(const struct drsuapi_DsReplicaCursor
*c1
,
2843 const struct drsuapi_DsReplicaCursor
*c2
)
2845 return GUID_compare(&c1
->source_dsa_invocation_id
, &c2
->source_dsa_invocation_id
);
2850 see if a computer identified by its invocationId is a RODC
2852 int samdb_is_rodc(struct ldb_context
*sam_ctx
, const struct GUID
*objectGUID
, bool *is_rodc
)
2854 /* 1) find the DN for this servers NTDSDSA object
2855 2) search for the msDS-isRODC attribute
2856 3) if not present then not a RODC
2857 4) if present and TRUE then is a RODC
2859 struct ldb_dn
*config_dn
;
2860 const char *attrs
[] = { "msDS-isRODC", NULL
};
2862 struct ldb_result
*res
;
2863 TALLOC_CTX
*tmp_ctx
= talloc_new(sam_ctx
);
2865 config_dn
= ldb_get_config_basedn(sam_ctx
);
2867 talloc_free(tmp_ctx
);
2868 return ldb_operr(sam_ctx
);
2871 ret
= dsdb_search(sam_ctx
, tmp_ctx
, &res
, config_dn
, LDB_SCOPE_SUBTREE
, attrs
,
2872 DSDB_SEARCH_ONE_ONLY
, "objectGUID=%s", GUID_string(tmp_ctx
, objectGUID
));
2874 if (ret
== LDB_ERR_NO_SUCH_OBJECT
) {
2876 talloc_free(tmp_ctx
);
2880 if (ret
!= LDB_SUCCESS
) {
2881 DEBUG(1,(("Failed to find our own NTDS Settings object by objectGUID=%s!\n"),
2882 GUID_string(tmp_ctx
, objectGUID
)));
2884 talloc_free(tmp_ctx
);
2888 ret
= ldb_msg_find_attr_as_bool(res
->msgs
[0], "msDS-isRODC", 0);
2889 *is_rodc
= (ret
== 1);
2891 talloc_free(tmp_ctx
);
2897 see if we are a RODC
2899 int samdb_rodc(struct ldb_context
*sam_ctx
, bool *am_rodc
)
2901 const struct GUID
*objectGUID
;
2905 /* see if we have a cached copy */
2906 cached
= (bool *)ldb_get_opaque(sam_ctx
, "cache.am_rodc");
2912 objectGUID
= samdb_ntds_objectGUID(sam_ctx
);
2914 return ldb_operr(sam_ctx
);
2917 ret
= samdb_is_rodc(sam_ctx
, objectGUID
, am_rodc
);
2918 if (ret
!= LDB_SUCCESS
) {
2922 cached
= talloc(sam_ctx
, bool);
2923 if (cached
== NULL
) {
2924 return ldb_oom(sam_ctx
);
2928 ret
= ldb_set_opaque(sam_ctx
, "cache.am_rodc", cached
);
2929 if (ret
!= LDB_SUCCESS
) {
2930 talloc_free(cached
);
2931 return ldb_operr(sam_ctx
);
2937 bool samdb_set_am_rodc(struct ldb_context
*ldb
, bool am_rodc
)
2939 TALLOC_CTX
*tmp_ctx
;
2942 tmp_ctx
= talloc_new(ldb
);
2943 if (tmp_ctx
== NULL
) {
2947 cached
= talloc(tmp_ctx
, bool);
2953 if (ldb_set_opaque(ldb
, "cache.am_rodc", cached
) != LDB_SUCCESS
) {
2957 talloc_steal(ldb
, cached
);
2958 talloc_free(tmp_ctx
);
2962 DEBUG(1,("Failed to set our own cached am_rodc in the ldb!\n"));
2963 talloc_free(tmp_ctx
);
2969 * return NTDSSiteSettings options. See MS-ADTS 7.1.1.2.2.1.1
2970 * flags are DS_NTDSSETTINGS_OPT_*
2972 int samdb_ntds_site_settings_options(struct ldb_context
*ldb_ctx
,
2976 TALLOC_CTX
*tmp_ctx
;
2977 struct ldb_result
*res
;
2978 struct ldb_dn
*site_dn
;
2979 const char *attrs
[] = { "options", NULL
};
2981 tmp_ctx
= talloc_new(ldb_ctx
);
2982 if (tmp_ctx
== NULL
)
2985 /* Retrieve the site dn for the ldb that we
2986 * have open. This is our local site.
2988 site_dn
= samdb_server_site_dn(ldb_ctx
, tmp_ctx
);
2989 if (site_dn
== NULL
)
2992 /* Perform a one level (child) search from the local
2993 * site distinguided name. We're looking for the
2994 * "options" attribute within the nTDSSiteSettings
2997 rc
= ldb_search(ldb_ctx
, tmp_ctx
, &res
, site_dn
,
2998 LDB_SCOPE_ONELEVEL
, attrs
,
2999 "objectClass=nTDSSiteSettings");
3001 if (rc
!= LDB_SUCCESS
|| res
->count
!= 1)
3004 *options
= ldb_msg_find_attr_as_uint(res
->msgs
[0], "options", 0);
3006 talloc_free(tmp_ctx
);
3011 DEBUG(1,("Failed to find our NTDS Site Settings options in ldb!\n"));
3012 talloc_free(tmp_ctx
);
3013 return LDB_ERR_NO_SUCH_OBJECT
;
3017 return NTDS options flags. See MS-ADTS 7.1.1.2.2.1.2.1.1
3019 flags are DS_NTDS_OPTION_*
3021 int samdb_ntds_options(struct ldb_context
*ldb
, uint32_t *options
)
3023 TALLOC_CTX
*tmp_ctx
;
3024 const char *attrs
[] = { "options", NULL
};
3026 struct ldb_result
*res
;
3028 tmp_ctx
= talloc_new(ldb
);
3029 if (tmp_ctx
== NULL
) {
3033 ret
= ldb_search(ldb
, tmp_ctx
, &res
, samdb_ntds_settings_dn(ldb
, tmp_ctx
), LDB_SCOPE_BASE
, attrs
, NULL
);
3034 if (ret
!= LDB_SUCCESS
) {
3038 if (res
->count
!= 1) {
3042 *options
= ldb_msg_find_attr_as_uint(res
->msgs
[0], "options", 0);
3044 talloc_free(tmp_ctx
);
3049 DEBUG(1,("Failed to find our own NTDS Settings options in the ldb!\n"));
3050 talloc_free(tmp_ctx
);
3051 return LDB_ERR_NO_SUCH_OBJECT
;
3054 const char* samdb_ntds_object_category(TALLOC_CTX
*tmp_ctx
, struct ldb_context
*ldb
)
3056 const char *attrs
[] = { "objectCategory", NULL
};
3058 struct ldb_result
*res
;
3060 ret
= ldb_search(ldb
, tmp_ctx
, &res
, samdb_ntds_settings_dn(ldb
, tmp_ctx
), LDB_SCOPE_BASE
, attrs
, NULL
);
3061 if (ret
!= LDB_SUCCESS
) {
3065 if (res
->count
!= 1) {
3069 return ldb_msg_find_attr_as_string(res
->msgs
[0], "objectCategory", NULL
);
3072 DEBUG(1,("Failed to find our own NTDS Settings objectCategory in the ldb!\n"));
3077 * Function which generates a "lDAPDisplayName" attribute from a "CN" one.
3078 * Algorithm implemented according to MS-ADTS 3.1.1.2.3.4
3080 const char *samdb_cn_to_lDAPDisplayName(TALLOC_CTX
*mem_ctx
, const char *cn
)
3082 char **tokens
, *ret
;
3085 tokens
= str_list_make(mem_ctx
, cn
, " -_");
3089 /* "tolower()" and "toupper()" should also work properly on 0x00 */
3090 tokens
[0][0] = tolower(tokens
[0][0]);
3091 for (i
= 1; i
< str_list_length((const char * const *)tokens
); i
++)
3092 tokens
[i
][0] = toupper(tokens
[i
][0]);
3094 ret
= talloc_strdup(mem_ctx
, tokens
[0]);
3095 for (i
= 1; i
< str_list_length((const char * const *)tokens
); i
++)
3096 ret
= talloc_asprintf_append_buffer(ret
, "%s", tokens
[i
]);
3098 talloc_free(tokens
);
3104 * This detects and returns the domain functional level (DS_DOMAIN_FUNCTION_*)
3106 int dsdb_functional_level(struct ldb_context
*ldb
)
3108 int *domainFunctionality
=
3109 talloc_get_type(ldb_get_opaque(ldb
, "domainFunctionality"), int);
3110 if (!domainFunctionality
) {
3111 /* this is expected during initial provision */
3112 DEBUG(4,(__location__
": WARNING: domainFunctionality not setup\n"));
3113 return DS_DOMAIN_FUNCTION_2000
;
3115 return *domainFunctionality
;
3119 * This detects and returns the forest functional level (DS_DOMAIN_FUNCTION_*)
3121 int dsdb_forest_functional_level(struct ldb_context
*ldb
)
3123 int *forestFunctionality
=
3124 talloc_get_type(ldb_get_opaque(ldb
, "forestFunctionality"), int);
3125 if (!forestFunctionality
) {
3126 DEBUG(0,(__location__
": WARNING: forestFunctionality not setup\n"));
3127 return DS_DOMAIN_FUNCTION_2000
;
3129 return *forestFunctionality
;
3133 set a GUID in an extended DN structure
3135 int dsdb_set_extended_dn_guid(struct ldb_dn
*dn
, const struct GUID
*guid
, const char *component_name
)
3141 status
= GUID_to_ndr_blob(guid
, dn
, &v
);
3142 if (!NT_STATUS_IS_OK(status
)) {
3143 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
;
3146 ret
= ldb_dn_set_extended_component(dn
, component_name
, &v
);
3152 return a GUID from a extended DN structure
3154 NTSTATUS
dsdb_get_extended_dn_guid(struct ldb_dn
*dn
, struct GUID
*guid
, const char *component_name
)
3156 const struct ldb_val
*v
;
3158 v
= ldb_dn_get_extended_component(dn
, component_name
);
3160 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
3163 return GUID_from_ndr_blob(v
, guid
);
3167 return a uint64_t from a extended DN structure
3169 NTSTATUS
dsdb_get_extended_dn_uint64(struct ldb_dn
*dn
, uint64_t *val
, const char *component_name
)
3171 const struct ldb_val
*v
;
3174 v
= ldb_dn_get_extended_component(dn
, component_name
);
3176 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
3178 s
= talloc_strndup(dn
, (const char *)v
->data
, v
->length
);
3179 NT_STATUS_HAVE_NO_MEMORY(s
);
3181 *val
= strtoull(s
, NULL
, 0);
3184 return NT_STATUS_OK
;
3188 return a NTTIME from a extended DN structure
3190 NTSTATUS
dsdb_get_extended_dn_nttime(struct ldb_dn
*dn
, NTTIME
*nttime
, const char *component_name
)
3192 return dsdb_get_extended_dn_uint64(dn
, nttime
, component_name
);
3196 return a uint32_t from a extended DN structure
3198 NTSTATUS
dsdb_get_extended_dn_uint32(struct ldb_dn
*dn
, uint32_t *val
, const char *component_name
)
3200 const struct ldb_val
*v
;
3203 v
= ldb_dn_get_extended_component(dn
, component_name
);
3205 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
3208 s
= talloc_strndup(dn
, (const char *)v
->data
, v
->length
);
3209 NT_STATUS_HAVE_NO_MEMORY(s
);
3211 *val
= strtoul(s
, NULL
, 0);
3214 return NT_STATUS_OK
;
3218 return a dom_sid from a extended DN structure
3220 NTSTATUS
dsdb_get_extended_dn_sid(struct ldb_dn
*dn
, struct dom_sid
*sid
, const char *component_name
)
3222 const struct ldb_val
*sid_blob
;
3223 struct TALLOC_CTX
*tmp_ctx
;
3224 enum ndr_err_code ndr_err
;
3226 sid_blob
= ldb_dn_get_extended_component(dn
, component_name
);
3228 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
3231 tmp_ctx
= talloc_new(NULL
);
3233 ndr_err
= ndr_pull_struct_blob_all(sid_blob
, tmp_ctx
, sid
,
3234 (ndr_pull_flags_fn_t
)ndr_pull_dom_sid
);
3235 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
3236 NTSTATUS status
= ndr_map_error2ntstatus(ndr_err
);
3237 talloc_free(tmp_ctx
);
3241 talloc_free(tmp_ctx
);
3242 return NT_STATUS_OK
;
3247 return RMD_FLAGS directly from a ldb_dn
3248 returns 0 if not found
3250 uint32_t dsdb_dn_rmd_flags(struct ldb_dn
*dn
)
3252 const struct ldb_val
*v
;
3254 v
= ldb_dn_get_extended_component(dn
, "RMD_FLAGS");
3255 if (!v
|| v
->length
> sizeof(buf
)-1) return 0;
3256 strncpy(buf
, (const char *)v
->data
, v
->length
);
3258 return strtoul(buf
, NULL
, 10);
3262 return RMD_FLAGS directly from a ldb_val for a DN
3263 returns 0 if RMD_FLAGS is not found
3265 uint32_t dsdb_dn_val_rmd_flags(const struct ldb_val
*val
)
3271 if (val
->length
< 13) {
3274 p
= memmem(val
->data
, val
->length
, "<RMD_FLAGS=", 11);
3278 flags
= strtoul(p
+11, &end
, 10);
3279 if (!end
|| *end
!= '>') {
3280 /* it must end in a > */
3287 return true if a ldb_val containing a DN in storage form is deleted
3289 bool dsdb_dn_is_deleted_val(const struct ldb_val
*val
)
3291 return (dsdb_dn_val_rmd_flags(val
) & DSDB_RMD_FLAG_DELETED
) != 0;
3295 return true if a ldb_val containing a DN in storage form is
3296 in the upgraded w2k3 linked attribute format
3298 bool dsdb_dn_is_upgraded_link_val(struct ldb_val
*val
)
3300 return memmem(val
->data
, val
->length
, "<RMD_VERSION=", 13) != NULL
;
3304 return a DN for a wellknown GUID
3306 int dsdb_wellknown_dn(struct ldb_context
*samdb
, TALLOC_CTX
*mem_ctx
,
3307 struct ldb_dn
*nc_root
, const char *wk_guid
,
3308 struct ldb_dn
**wkguid_dn
)
3310 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
3311 const char *attrs
[] = { NULL
};
3314 struct ldb_result
*res
;
3316 /* construct the magic WKGUID DN */
3317 dn
= ldb_dn_new_fmt(tmp_ctx
, samdb
, "<WKGUID=%s,%s>",
3318 wk_guid
, ldb_dn_get_linearized(nc_root
));
3320 talloc_free(tmp_ctx
);
3321 return ldb_operr(samdb
);
3324 ret
= dsdb_search_dn(samdb
, tmp_ctx
, &res
, dn
, attrs
,
3325 DSDB_SEARCH_SHOW_DELETED
|
3326 DSDB_SEARCH_SHOW_RECYCLED
);
3327 if (ret
!= LDB_SUCCESS
) {
3328 talloc_free(tmp_ctx
);
3332 (*wkguid_dn
) = talloc_steal(mem_ctx
, res
->msgs
[0]->dn
);
3333 talloc_free(tmp_ctx
);
3338 static int dsdb_dn_compare_ptrs(struct ldb_dn
**dn1
, struct ldb_dn
**dn2
)
3340 return ldb_dn_compare(*dn1
, *dn2
);
3344 find a NC root given a DN within the NC
3346 int dsdb_find_nc_root(struct ldb_context
*samdb
, TALLOC_CTX
*mem_ctx
, struct ldb_dn
*dn
,
3347 struct ldb_dn
**nc_root
)
3349 const char *root_attrs
[] = { "namingContexts", NULL
};
3350 TALLOC_CTX
*tmp_ctx
;
3352 struct ldb_message_element
*el
;
3353 struct ldb_result
*root_res
;
3355 struct ldb_dn
**nc_dns
;
3357 tmp_ctx
= talloc_new(samdb
);
3358 if (tmp_ctx
== NULL
) {
3359 return ldb_oom(samdb
);
3362 ret
= ldb_search(samdb
, tmp_ctx
, &root_res
,
3363 ldb_dn_new(tmp_ctx
, samdb
, ""), LDB_SCOPE_BASE
, root_attrs
, NULL
);
3364 if (ret
!= LDB_SUCCESS
) {
3365 DEBUG(1,("Searching for namingContexts in rootDSE failed: %s\n", ldb_errstring(samdb
)));
3366 talloc_free(tmp_ctx
);
3370 el
= ldb_msg_find_element(root_res
->msgs
[0], "namingContexts");
3371 if ((el
== NULL
) || (el
->num_values
< 3)) {
3372 struct ldb_message
*tmp_msg
;
3374 DEBUG(5,("dsdb_find_nc_root: Finding a valid 'namingContexts' element in the RootDSE failed. Using a temporary list."));
3376 /* This generates a temporary list of NCs in order to let the
3377 * provisioning work. */
3378 tmp_msg
= ldb_msg_new(tmp_ctx
);
3379 if (tmp_msg
== NULL
) {
3380 talloc_free(tmp_ctx
);
3381 return ldb_oom(samdb
);
3383 ret
= ldb_msg_add_steal_string(tmp_msg
, "namingContexts",
3384 ldb_dn_alloc_linearized(tmp_msg
, ldb_get_schema_basedn(samdb
)));
3385 if (ret
!= LDB_SUCCESS
) {
3386 talloc_free(tmp_ctx
);
3389 ret
= ldb_msg_add_steal_string(tmp_msg
, "namingContexts",
3390 ldb_dn_alloc_linearized(tmp_msg
, ldb_get_config_basedn(samdb
)));
3391 if (ret
!= LDB_SUCCESS
) {
3392 talloc_free(tmp_ctx
);
3395 ret
= ldb_msg_add_steal_string(tmp_msg
, "namingContexts",
3396 ldb_dn_alloc_linearized(tmp_msg
, ldb_get_default_basedn(samdb
)));
3397 if (ret
!= LDB_SUCCESS
) {
3398 talloc_free(tmp_ctx
);
3401 el
= &tmp_msg
->elements
[0];
3404 nc_dns
= talloc_array(tmp_ctx
, struct ldb_dn
*, el
->num_values
);
3406 talloc_free(tmp_ctx
);
3407 return ldb_oom(samdb
);
3410 for (i
=0; i
<el
->num_values
; i
++) {
3411 nc_dns
[i
] = ldb_dn_from_ldb_val(nc_dns
, samdb
, &el
->values
[i
]);
3412 if (nc_dns
[i
] == NULL
) {
3413 talloc_free(tmp_ctx
);
3414 return ldb_operr(samdb
);
3418 TYPESAFE_QSORT(nc_dns
, el
->num_values
, dsdb_dn_compare_ptrs
);
3420 for (i
=0; i
<el
->num_values
; i
++) {
3421 if (ldb_dn_compare_base(nc_dns
[i
], dn
) == 0) {
3422 (*nc_root
) = talloc_steal(mem_ctx
, nc_dns
[i
]);
3423 talloc_free(tmp_ctx
);
3428 talloc_free(tmp_ctx
);
3429 return LDB_ERR_NO_SUCH_OBJECT
;
3434 find the deleted objects DN for any object, by looking for the NC
3435 root, then looking up the wellknown GUID
3437 int dsdb_get_deleted_objects_dn(struct ldb_context
*ldb
,
3438 TALLOC_CTX
*mem_ctx
, struct ldb_dn
*obj_dn
,
3439 struct ldb_dn
**do_dn
)
3441 struct ldb_dn
*nc_root
;
3444 ret
= dsdb_find_nc_root(ldb
, mem_ctx
, obj_dn
, &nc_root
);
3445 if (ret
!= LDB_SUCCESS
) {
3449 ret
= dsdb_wellknown_dn(ldb
, mem_ctx
, nc_root
, DS_GUID_DELETED_OBJECTS_CONTAINER
, do_dn
);
3450 talloc_free(nc_root
);
3455 return the tombstoneLifetime, in days
3457 int dsdb_tombstone_lifetime(struct ldb_context
*ldb
, uint32_t *lifetime
)
3460 dn
= ldb_get_config_basedn(ldb
);
3462 return LDB_ERR_NO_SUCH_OBJECT
;
3464 dn
= ldb_dn_copy(ldb
, dn
);
3466 return ldb_operr(ldb
);
3468 /* see MS-ADTS section 7.1.1.2.4.1.1. There doesn't appear to
3469 be a wellknown GUID for this */
3470 if (!ldb_dn_add_child_fmt(dn
, "CN=Directory Service,CN=Windows NT,CN=Services")) {
3472 return ldb_operr(ldb
);
3475 *lifetime
= samdb_search_uint(ldb
, dn
, 180, dn
, "tombstoneLifetime", "objectClass=nTDSService");
3481 compare a ldb_val to a string case insensitively
3483 int samdb_ldb_val_case_cmp(const char *s
, struct ldb_val
*v
)
3485 size_t len
= strlen(s
);
3487 if (len
> v
->length
) return 1;
3488 ret
= strncasecmp(s
, (const char *)v
->data
, v
->length
);
3489 if (ret
!= 0) return ret
;
3490 if (v
->length
> len
&& v
->data
[len
] != 0) {
3498 load the UDV for a partition in v2 format
3499 The list is returned sorted, and with our local cursor added
3501 int dsdb_load_udv_v2(struct ldb_context
*samdb
, struct ldb_dn
*dn
, TALLOC_CTX
*mem_ctx
,
3502 struct drsuapi_DsReplicaCursor2
**cursors
, uint32_t *count
)
3504 static const char *attrs
[] = { "replUpToDateVector", NULL
};
3505 struct ldb_result
*r
;
3506 const struct ldb_val
*ouv_value
;
3509 uint64_t highest_usn
= 0;
3510 const struct GUID
*our_invocation_id
;
3511 static const struct timeval tv1970
;
3512 NTTIME nt1970
= timeval_to_nttime(&tv1970
);
3514 ret
= ldb_search(samdb
, mem_ctx
, &r
, dn
, LDB_SCOPE_BASE
, attrs
, NULL
);
3515 if (ret
!= LDB_SUCCESS
) {
3519 ouv_value
= ldb_msg_find_ldb_val(r
->msgs
[0], "replUpToDateVector");
3521 enum ndr_err_code ndr_err
;
3522 struct replUpToDateVectorBlob ouv
;
3524 ndr_err
= ndr_pull_struct_blob(ouv_value
, r
, &ouv
,
3525 (ndr_pull_flags_fn_t
)ndr_pull_replUpToDateVectorBlob
);
3526 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
3528 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
;
3530 if (ouv
.version
!= 2) {
3531 /* we always store as version 2, and
3532 * replUpToDateVector is not replicated
3534 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
;
3537 *count
= ouv
.ctr
.ctr2
.count
;
3538 *cursors
= talloc_steal(mem_ctx
, ouv
.ctr
.ctr2
.cursors
);
3546 our_invocation_id
= samdb_ntds_invocation_id(samdb
);
3547 if (!our_invocation_id
) {
3548 DEBUG(0,(__location__
": No invocationID on samdb - %s\n", ldb_errstring(samdb
)));
3549 talloc_free(*cursors
);
3550 return ldb_operr(samdb
);
3553 ret
= ldb_sequence_number(samdb
, LDB_SEQ_HIGHEST_SEQ
, &highest_usn
);
3554 if (ret
!= LDB_SUCCESS
) {
3555 /* nothing to add - this can happen after a vampire */
3556 TYPESAFE_QSORT(*cursors
, *count
, drsuapi_DsReplicaCursor2_compare
);
3560 for (i
=0; i
<*count
; i
++) {
3561 if (GUID_equal(our_invocation_id
, &(*cursors
)[i
].source_dsa_invocation_id
)) {
3562 (*cursors
)[i
].highest_usn
= highest_usn
;
3563 (*cursors
)[i
].last_sync_success
= nt1970
;
3564 TYPESAFE_QSORT(*cursors
, *count
, drsuapi_DsReplicaCursor2_compare
);
3569 (*cursors
) = talloc_realloc(mem_ctx
, *cursors
, struct drsuapi_DsReplicaCursor2
, (*count
)+1);
3571 return ldb_oom(samdb
);
3574 (*cursors
)[*count
].source_dsa_invocation_id
= *our_invocation_id
;
3575 (*cursors
)[*count
].highest_usn
= highest_usn
;
3576 (*cursors
)[*count
].last_sync_success
= nt1970
;
3579 TYPESAFE_QSORT(*cursors
, *count
, drsuapi_DsReplicaCursor2_compare
);
3585 load the UDV for a partition in version 1 format
3586 The list is returned sorted, and with our local cursor added
3588 int dsdb_load_udv_v1(struct ldb_context
*samdb
, struct ldb_dn
*dn
, TALLOC_CTX
*mem_ctx
,
3589 struct drsuapi_DsReplicaCursor
**cursors
, uint32_t *count
)
3591 struct drsuapi_DsReplicaCursor2
*v2
;
3595 ret
= dsdb_load_udv_v2(samdb
, dn
, mem_ctx
, &v2
, count
);
3596 if (ret
!= LDB_SUCCESS
) {
3606 *cursors
= talloc_array(mem_ctx
, struct drsuapi_DsReplicaCursor
, *count
);
3607 if (*cursors
== NULL
) {
3609 return ldb_oom(samdb
);
3612 for (i
=0; i
<*count
; i
++) {
3613 (*cursors
)[i
].source_dsa_invocation_id
= v2
[i
].source_dsa_invocation_id
;
3614 (*cursors
)[i
].highest_usn
= v2
[i
].highest_usn
;
3621 add a set of controls to a ldb_request structure based on a set of
3622 flags. See util.h for a list of available flags
3624 int dsdb_request_add_controls(struct ldb_request
*req
, uint32_t dsdb_flags
)
3627 if (dsdb_flags
& DSDB_SEARCH_SEARCH_ALL_PARTITIONS
) {
3628 struct ldb_search_options_control
*options
;
3629 /* Using the phantom root control allows us to search all partitions */
3630 options
= talloc(req
, struct ldb_search_options_control
);
3631 if (options
== NULL
) {
3632 return LDB_ERR_OPERATIONS_ERROR
;
3634 options
->search_options
= LDB_SEARCH_OPTION_PHANTOM_ROOT
;
3636 ret
= ldb_request_add_control(req
,
3637 LDB_CONTROL_SEARCH_OPTIONS_OID
,
3639 if (ret
!= LDB_SUCCESS
) {
3644 if (dsdb_flags
& DSDB_SEARCH_NO_GLOBAL_CATALOG
) {
3645 ret
= ldb_request_add_control(req
,
3646 DSDB_CONTROL_NO_GLOBAL_CATALOG
,
3648 if (ret
!= LDB_SUCCESS
) {
3653 if (dsdb_flags
& DSDB_SEARCH_SHOW_DELETED
) {
3654 ret
= ldb_request_add_control(req
, LDB_CONTROL_SHOW_DELETED_OID
, true, NULL
);
3655 if (ret
!= LDB_SUCCESS
) {
3660 if (dsdb_flags
& DSDB_SEARCH_SHOW_RECYCLED
) {
3661 ret
= ldb_request_add_control(req
, LDB_CONTROL_SHOW_RECYCLED_OID
, false, NULL
);
3662 if (ret
!= LDB_SUCCESS
) {
3667 if (dsdb_flags
& DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT
) {
3668 ret
= ldb_request_add_control(req
, DSDB_CONTROL_DN_STORAGE_FORMAT_OID
, false, NULL
);
3669 if (ret
!= LDB_SUCCESS
) {
3674 if (dsdb_flags
& DSDB_SEARCH_SHOW_EXTENDED_DN
) {
3675 struct ldb_extended_dn_control
*extended_ctrl
= talloc(req
, struct ldb_extended_dn_control
);
3676 if (!extended_ctrl
) {
3677 return LDB_ERR_OPERATIONS_ERROR
;
3679 extended_ctrl
->type
= 1;
3681 ret
= ldb_request_add_control(req
, LDB_CONTROL_EXTENDED_DN_OID
, true, extended_ctrl
);
3682 if (ret
!= LDB_SUCCESS
) {
3687 if (dsdb_flags
& DSDB_SEARCH_REVEAL_INTERNALS
) {
3688 ret
= ldb_request_add_control(req
, LDB_CONTROL_REVEAL_INTERNALS
, false, NULL
);
3689 if (ret
!= LDB_SUCCESS
) {
3694 if (dsdb_flags
& DSDB_MODIFY_RELAX
) {
3695 ret
= ldb_request_add_control(req
, LDB_CONTROL_RELAX_OID
, false, NULL
);
3696 if (ret
!= LDB_SUCCESS
) {
3701 if (dsdb_flags
& DSDB_MODIFY_PERMISSIVE
) {
3702 ret
= ldb_request_add_control(req
, LDB_CONTROL_PERMISSIVE_MODIFY_OID
, false, NULL
);
3703 if (ret
!= LDB_SUCCESS
) {
3708 if (dsdb_flags
& DSDB_FLAG_AS_SYSTEM
) {
3709 ret
= ldb_request_add_control(req
, LDB_CONTROL_AS_SYSTEM_OID
, false, NULL
);
3710 if (ret
!= LDB_SUCCESS
) {
3715 if (dsdb_flags
& DSDB_TREE_DELETE
) {
3716 ret
= ldb_request_add_control(req
, LDB_CONTROL_TREE_DELETE_OID
, false, NULL
);
3717 if (ret
!= LDB_SUCCESS
) {
3722 if (dsdb_flags
& DSDB_PROVISION
) {
3723 ret
= ldb_request_add_control(req
, LDB_CONTROL_PROVISION_OID
, false, NULL
);
3724 if (ret
!= LDB_SUCCESS
) {
3729 /* This is a special control to bypass the password_hash module for use in pdb_samba4 for Samba3 upgrades */
3730 if (dsdb_flags
& DSDB_BYPASS_PASSWORD_HASH
) {
3731 ret
= ldb_request_add_control(req
, DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID
, true, NULL
);
3732 if (ret
!= LDB_SUCCESS
) {
3737 if (dsdb_flags
& DSDB_PASSWORD_BYPASS_LAST_SET
) {
3739 * This must not be critical, as it will only be
3740 * handled (and need to be handled) if the other
3741 * attributes in the request bring password_hash into
3744 ret
= ldb_request_add_control(req
, DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID
, false, NULL
);
3745 if (ret
!= LDB_SUCCESS
) {
3750 if (dsdb_flags
& DSDB_MODIFY_PARTIAL_REPLICA
) {
3751 ret
= ldb_request_add_control(req
, DSDB_CONTROL_PARTIAL_REPLICA
, false, NULL
);
3752 if (ret
!= LDB_SUCCESS
) {
3761 an add with a set of controls
3763 int dsdb_add(struct ldb_context
*ldb
, const struct ldb_message
*message
,
3764 uint32_t dsdb_flags
)
3766 struct ldb_request
*req
;
3769 ret
= ldb_build_add_req(&req
, ldb
, ldb
,
3773 ldb_op_default_callback
,
3776 if (ret
!= LDB_SUCCESS
) return ret
;
3778 ret
= dsdb_request_add_controls(req
, dsdb_flags
);
3779 if (ret
!= LDB_SUCCESS
) {
3784 ret
= dsdb_autotransaction_request(ldb
, req
);
3791 a modify with a set of controls
3793 int dsdb_modify(struct ldb_context
*ldb
, const struct ldb_message
*message
,
3794 uint32_t dsdb_flags
)
3796 struct ldb_request
*req
;
3799 ret
= ldb_build_mod_req(&req
, ldb
, ldb
,
3803 ldb_op_default_callback
,
3806 if (ret
!= LDB_SUCCESS
) return ret
;
3808 ret
= dsdb_request_add_controls(req
, dsdb_flags
);
3809 if (ret
!= LDB_SUCCESS
) {
3814 ret
= dsdb_autotransaction_request(ldb
, req
);
3821 a delete with a set of flags
3823 int dsdb_delete(struct ldb_context
*ldb
, struct ldb_dn
*dn
,
3824 uint32_t dsdb_flags
)
3826 struct ldb_request
*req
;
3829 ret
= ldb_build_del_req(&req
, ldb
, ldb
,
3833 ldb_op_default_callback
,
3836 if (ret
!= LDB_SUCCESS
) return ret
;
3838 ret
= dsdb_request_add_controls(req
, dsdb_flags
);
3839 if (ret
!= LDB_SUCCESS
) {
3844 ret
= dsdb_autotransaction_request(ldb
, req
);
3851 like dsdb_modify() but set all the element flags to
3852 LDB_FLAG_MOD_REPLACE
3854 int dsdb_replace(struct ldb_context
*ldb
, struct ldb_message
*msg
, uint32_t dsdb_flags
)
3858 /* mark all the message elements as LDB_FLAG_MOD_REPLACE */
3859 for (i
=0;i
<msg
->num_elements
;i
++) {
3860 msg
->elements
[i
].flags
= LDB_FLAG_MOD_REPLACE
;
3863 return dsdb_modify(ldb
, msg
, dsdb_flags
);
3868 search for attrs on one DN, allowing for dsdb_flags controls
3870 int dsdb_search_dn(struct ldb_context
*ldb
,
3871 TALLOC_CTX
*mem_ctx
,
3872 struct ldb_result
**_result
,
3873 struct ldb_dn
*basedn
,
3874 const char * const *attrs
,
3875 uint32_t dsdb_flags
)
3878 struct ldb_request
*req
;
3879 struct ldb_result
*res
;
3881 res
= talloc_zero(mem_ctx
, struct ldb_result
);
3883 return ldb_oom(ldb
);
3886 ret
= ldb_build_search_req(&req
, ldb
, res
,
3893 ldb_search_default_callback
,
3895 if (ret
!= LDB_SUCCESS
) {
3900 ret
= dsdb_request_add_controls(req
, dsdb_flags
);
3901 if (ret
!= LDB_SUCCESS
) {
3906 ret
= ldb_request(ldb
, req
);
3907 if (ret
== LDB_SUCCESS
) {
3908 ret
= ldb_wait(req
->handle
, LDB_WAIT_ALL
);
3912 if (ret
!= LDB_SUCCESS
) {
3922 search for attrs on one DN, by the GUID of the DN, allowing for
3925 int dsdb_search_by_dn_guid(struct ldb_context
*ldb
,
3926 TALLOC_CTX
*mem_ctx
,
3927 struct ldb_result
**_result
,
3928 const struct GUID
*guid
,
3929 const char * const *attrs
,
3930 uint32_t dsdb_flags
)
3932 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
3936 dn
= ldb_dn_new_fmt(tmp_ctx
, ldb
, "<GUID=%s>", GUID_string(tmp_ctx
, guid
));
3938 talloc_free(tmp_ctx
);
3939 return ldb_oom(ldb
);
3942 ret
= dsdb_search_dn(ldb
, mem_ctx
, _result
, dn
, attrs
, dsdb_flags
);
3943 talloc_free(tmp_ctx
);
3948 general search with dsdb_flags for controls
3950 int dsdb_search(struct ldb_context
*ldb
,
3951 TALLOC_CTX
*mem_ctx
,
3952 struct ldb_result
**_result
,
3953 struct ldb_dn
*basedn
,
3954 enum ldb_scope scope
,
3955 const char * const *attrs
,
3956 uint32_t dsdb_flags
,
3957 const char *exp_fmt
, ...) _PRINTF_ATTRIBUTE(8, 9)
3960 struct ldb_request
*req
;
3961 struct ldb_result
*res
;
3963 char *expression
= NULL
;
3964 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
3966 /* cross-partitions searches with a basedn break multi-domain support */
3967 SMB_ASSERT(basedn
== NULL
|| (dsdb_flags
& DSDB_SEARCH_SEARCH_ALL_PARTITIONS
) == 0);
3969 res
= talloc_zero(tmp_ctx
, struct ldb_result
);
3971 talloc_free(tmp_ctx
);
3972 return ldb_oom(ldb
);
3976 va_start(ap
, exp_fmt
);
3977 expression
= talloc_vasprintf(tmp_ctx
, exp_fmt
, ap
);
3981 talloc_free(tmp_ctx
);
3982 return ldb_oom(ldb
);
3986 ret
= ldb_build_search_req(&req
, ldb
, tmp_ctx
,
3993 ldb_search_default_callback
,
3995 if (ret
!= LDB_SUCCESS
) {
3996 talloc_free(tmp_ctx
);
4000 ret
= dsdb_request_add_controls(req
, dsdb_flags
);
4001 if (ret
!= LDB_SUCCESS
) {
4002 talloc_free(tmp_ctx
);
4003 ldb_reset_err_string(ldb
);
4007 ret
= ldb_request(ldb
, req
);
4008 if (ret
== LDB_SUCCESS
) {
4009 ret
= ldb_wait(req
->handle
, LDB_WAIT_ALL
);
4012 if (ret
!= LDB_SUCCESS
) {
4013 talloc_free(tmp_ctx
);
4017 if (dsdb_flags
& DSDB_SEARCH_ONE_ONLY
) {
4018 if (res
->count
== 0) {
4019 talloc_free(tmp_ctx
);
4020 ldb_reset_err_string(ldb
);
4021 return LDB_ERR_NO_SUCH_OBJECT
;
4023 if (res
->count
!= 1) {
4024 talloc_free(tmp_ctx
);
4025 ldb_reset_err_string(ldb
);
4026 return LDB_ERR_CONSTRAINT_VIOLATION
;
4030 *_result
= talloc_steal(mem_ctx
, res
);
4031 talloc_free(tmp_ctx
);
4038 general search with dsdb_flags for controls
4039 returns exactly 1 record or an error
4041 int dsdb_search_one(struct ldb_context
*ldb
,
4042 TALLOC_CTX
*mem_ctx
,
4043 struct ldb_message
**msg
,
4044 struct ldb_dn
*basedn
,
4045 enum ldb_scope scope
,
4046 const char * const *attrs
,
4047 uint32_t dsdb_flags
,
4048 const char *exp_fmt
, ...) _PRINTF_ATTRIBUTE(8, 9)
4051 struct ldb_result
*res
;
4053 char *expression
= NULL
;
4054 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
4056 dsdb_flags
|= DSDB_SEARCH_ONE_ONLY
;
4058 res
= talloc_zero(tmp_ctx
, struct ldb_result
);
4060 talloc_free(tmp_ctx
);
4061 return ldb_oom(ldb
);
4065 va_start(ap
, exp_fmt
);
4066 expression
= talloc_vasprintf(tmp_ctx
, exp_fmt
, ap
);
4070 talloc_free(tmp_ctx
);
4071 return ldb_oom(ldb
);
4073 ret
= dsdb_search(ldb
, tmp_ctx
, &res
, basedn
, scope
, attrs
,
4074 dsdb_flags
, "%s", expression
);
4076 ret
= dsdb_search(ldb
, tmp_ctx
, &res
, basedn
, scope
, attrs
,
4080 if (ret
!= LDB_SUCCESS
) {
4081 talloc_free(tmp_ctx
);
4085 *msg
= talloc_steal(mem_ctx
, res
->msgs
[0]);
4086 talloc_free(tmp_ctx
);
4091 /* returns back the forest DNS name */
4092 const char *samdb_forest_name(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
)
4094 const char *forest_name
= ldb_dn_canonical_string(mem_ctx
,
4095 ldb_get_root_basedn(ldb
));
4098 if (forest_name
== NULL
) {
4102 p
= strchr(forest_name
, '/');
4110 /* returns back the default domain DNS name */
4111 const char *samdb_default_domain_name(struct ldb_context
*ldb
, TALLOC_CTX
*mem_ctx
)
4113 const char *domain_name
= ldb_dn_canonical_string(mem_ctx
,
4114 ldb_get_default_basedn(ldb
));
4117 if (domain_name
== NULL
) {
4121 p
= strchr(domain_name
, '/');
4130 validate that an DSA GUID belongs to the specified user sid.
4131 The user SID must be a domain controller account (either RODC or
4134 int dsdb_validate_dsa_guid(struct ldb_context
*ldb
,
4135 const struct GUID
*dsa_guid
,
4136 const struct dom_sid
*sid
)
4139 - find DN of record with the DSA GUID in the
4140 configuration partition (objectGUID)
4141 - remove "NTDS Settings" component from DN
4142 - do a base search on that DN for serverReference with
4144 - extract objectSid from resulting serverReference
4146 - check this sid matches the sid argument
4148 struct ldb_dn
*config_dn
;
4149 TALLOC_CTX
*tmp_ctx
= talloc_new(ldb
);
4150 struct ldb_message
*msg
;
4151 const char *attrs1
[] = { NULL
};
4152 const char *attrs2
[] = { "serverReference", NULL
};
4154 struct ldb_dn
*dn
, *account_dn
;
4155 struct dom_sid sid2
;
4158 config_dn
= ldb_get_config_basedn(ldb
);
4160 ret
= dsdb_search_one(ldb
, tmp_ctx
, &msg
, config_dn
, LDB_SCOPE_SUBTREE
,
4161 attrs1
, 0, "(&(objectGUID=%s)(objectClass=nTDSDSA))", GUID_string(tmp_ctx
, dsa_guid
));
4162 if (ret
!= LDB_SUCCESS
) {
4163 DEBUG(1,(__location__
": Failed to find DSA objectGUID %s for sid %s\n",
4164 GUID_string(tmp_ctx
, dsa_guid
), dom_sid_string(tmp_ctx
, sid
)));
4165 talloc_free(tmp_ctx
);
4166 return ldb_operr(ldb
);
4170 if (!ldb_dn_remove_child_components(dn
, 1)) {
4171 talloc_free(tmp_ctx
);
4172 return ldb_operr(ldb
);
4175 ret
= dsdb_search_one(ldb
, tmp_ctx
, &msg
, dn
, LDB_SCOPE_BASE
,
4176 attrs2
, DSDB_SEARCH_SHOW_EXTENDED_DN
,
4177 "(objectClass=server)");
4178 if (ret
!= LDB_SUCCESS
) {
4179 DEBUG(1,(__location__
": Failed to find server record for DSA with objectGUID %s, sid %s\n",
4180 GUID_string(tmp_ctx
, dsa_guid
), dom_sid_string(tmp_ctx
, sid
)));
4181 talloc_free(tmp_ctx
);
4182 return ldb_operr(ldb
);
4185 account_dn
= ldb_msg_find_attr_as_dn(ldb
, tmp_ctx
, msg
, "serverReference");
4186 if (account_dn
== NULL
) {
4187 DEBUG(1,(__location__
": Failed to find account_dn for DSA with objectGUID %s, sid %s\n",
4188 GUID_string(tmp_ctx
, dsa_guid
), dom_sid_string(tmp_ctx
, sid
)));
4189 talloc_free(tmp_ctx
);
4190 return ldb_operr(ldb
);
4193 status
= dsdb_get_extended_dn_sid(account_dn
, &sid2
, "SID");
4194 if (!NT_STATUS_IS_OK(status
)) {
4195 DEBUG(1,(__location__
": Failed to find SID for DSA with objectGUID %s, sid %s\n",
4196 GUID_string(tmp_ctx
, dsa_guid
), dom_sid_string(tmp_ctx
, sid
)));
4197 talloc_free(tmp_ctx
);
4198 return ldb_operr(ldb
);
4201 if (!dom_sid_equal(sid
, &sid2
)) {
4202 /* someone is trying to spoof another account */
4203 DEBUG(0,(__location__
": Bad DSA objectGUID %s for sid %s - expected sid %s\n",
4204 GUID_string(tmp_ctx
, dsa_guid
),
4205 dom_sid_string(tmp_ctx
, sid
),
4206 dom_sid_string(tmp_ctx
, &sid2
)));
4207 talloc_free(tmp_ctx
);
4208 return ldb_operr(ldb
);
4211 talloc_free(tmp_ctx
);
4215 static const char * const secret_attributes
[] = {
4216 DSDB_SECRET_ATTRIBUTES
,
4221 check if the attribute belongs to the RODC filtered attribute set
4222 Note that attributes that are in the filtered attribute set are the
4223 ones that _are_ always sent to a RODC
4225 bool dsdb_attr_in_rodc_fas(const struct dsdb_attribute
*sa
)
4227 /* they never get secret attributes */
4228 if (is_attr_in_list(secret_attributes
, sa
->lDAPDisplayName
)) {
4232 /* they do get non-secret critical attributes */
4233 if (sa
->schemaFlagsEx
& SCHEMA_FLAG_ATTR_IS_CRITICAL
) {
4237 /* they do get non-secret attributes marked as being in the FAS */
4238 if (sa
->searchFlags
& SEARCH_FLAG_RODC_ATTRIBUTE
) {
4242 /* other attributes are denied */
4246 /* return fsmo role dn and role owner dn for a particular role*/
4247 WERROR
dsdb_get_fsmo_role_info(TALLOC_CTX
*tmp_ctx
,
4248 struct ldb_context
*ldb
,
4250 struct ldb_dn
**fsmo_role_dn
,
4251 struct ldb_dn
**role_owner_dn
)
4255 case DREPL_NAMING_MASTER
:
4256 *fsmo_role_dn
= samdb_partitions_dn(ldb
, tmp_ctx
);
4257 ret
= samdb_reference_dn(ldb
, tmp_ctx
, *fsmo_role_dn
, "fSMORoleOwner", role_owner_dn
);
4258 if (ret
!= LDB_SUCCESS
) {
4259 DEBUG(0,(__location__
": Failed to find fSMORoleOwner in Naming Master object - %s",
4260 ldb_errstring(ldb
)));
4261 talloc_free(tmp_ctx
);
4262 return WERR_DS_DRA_INTERNAL_ERROR
;
4265 case DREPL_INFRASTRUCTURE_MASTER
:
4266 *fsmo_role_dn
= samdb_infrastructure_dn(ldb
, tmp_ctx
);
4267 ret
= samdb_reference_dn(ldb
, tmp_ctx
, *fsmo_role_dn
, "fSMORoleOwner", role_owner_dn
);
4268 if (ret
!= LDB_SUCCESS
) {
4269 DEBUG(0,(__location__
": Failed to find fSMORoleOwner in Schema Master object - %s",
4270 ldb_errstring(ldb
)));
4271 talloc_free(tmp_ctx
);
4272 return WERR_DS_DRA_INTERNAL_ERROR
;
4275 case DREPL_RID_MASTER
:
4276 ret
= samdb_rid_manager_dn(ldb
, tmp_ctx
, fsmo_role_dn
);
4277 if (ret
!= LDB_SUCCESS
) {
4278 DEBUG(0, (__location__
": Failed to find RID Manager object - %s", ldb_errstring(ldb
)));
4279 talloc_free(tmp_ctx
);
4280 return WERR_DS_DRA_INTERNAL_ERROR
;
4283 ret
= samdb_reference_dn(ldb
, tmp_ctx
, *fsmo_role_dn
, "fSMORoleOwner", role_owner_dn
);
4284 if (ret
!= LDB_SUCCESS
) {
4285 DEBUG(0,(__location__
": Failed to find fSMORoleOwner in RID Manager object - %s",
4286 ldb_errstring(ldb
)));
4287 talloc_free(tmp_ctx
);
4288 return WERR_DS_DRA_INTERNAL_ERROR
;
4291 case DREPL_SCHEMA_MASTER
:
4292 *fsmo_role_dn
= ldb_get_schema_basedn(ldb
);
4293 ret
= samdb_reference_dn(ldb
, tmp_ctx
, *fsmo_role_dn
, "fSMORoleOwner", role_owner_dn
);
4294 if (ret
!= LDB_SUCCESS
) {
4295 DEBUG(0,(__location__
": Failed to find fSMORoleOwner in Schema Master object - %s",
4296 ldb_errstring(ldb
)));
4297 talloc_free(tmp_ctx
);
4298 return WERR_DS_DRA_INTERNAL_ERROR
;
4301 case DREPL_PDC_MASTER
:
4302 *fsmo_role_dn
= ldb_get_default_basedn(ldb
);
4303 ret
= samdb_reference_dn(ldb
, tmp_ctx
, *fsmo_role_dn
, "fSMORoleOwner", role_owner_dn
);
4304 if (ret
!= LDB_SUCCESS
) {
4305 DEBUG(0,(__location__
": Failed to find fSMORoleOwner in Pd Master object - %s",
4306 ldb_errstring(ldb
)));
4307 talloc_free(tmp_ctx
);
4308 return WERR_DS_DRA_INTERNAL_ERROR
;
4312 return WERR_DS_DRA_INTERNAL_ERROR
;
4317 const char *samdb_dn_to_dnshostname(struct ldb_context
*ldb
,
4318 TALLOC_CTX
*mem_ctx
,
4319 struct ldb_dn
*server_dn
)
4322 struct ldb_result
*res
= NULL
;
4323 const char * const attrs
[] = { "dNSHostName", NULL
};
4325 ldb_ret
= ldb_search(ldb
, mem_ctx
, &res
,
4329 if (ldb_ret
!= LDB_SUCCESS
) {
4330 DEBUG(4, ("Failed to find dNSHostName for dn %s, ldb error: %s",
4331 ldb_dn_get_linearized(server_dn
), ldb_errstring(ldb
)));
4335 return ldb_msg_find_attr_as_string(res
->msgs
[0], "dNSHostName", NULL
);
4339 returns true if an attribute is in the filter,
4340 false otherwise, provided that attribute value is provided with the expression
4342 bool dsdb_attr_in_parse_tree(struct ldb_parse_tree
*tree
,
4346 switch (tree
->operation
) {
4349 for (i
=0;i
<tree
->u
.list
.num_elements
;i
++) {
4350 if (dsdb_attr_in_parse_tree(tree
->u
.list
.elements
[i
],
4356 return dsdb_attr_in_parse_tree(tree
->u
.isnot
.child
, attr
);
4357 case LDB_OP_EQUALITY
:
4358 case LDB_OP_GREATER
:
4361 if (ldb_attr_cmp(tree
->u
.equality
.attr
, attr
) == 0) {
4365 case LDB_OP_SUBSTRING
:
4366 if (ldb_attr_cmp(tree
->u
.substring
.attr
, attr
) == 0) {
4370 case LDB_OP_PRESENT
:
4371 /* (attrname=*) is not filtered out */
4373 case LDB_OP_EXTENDED
:
4374 if (tree
->u
.extended
.attr
&&
4375 ldb_attr_cmp(tree
->u
.extended
.attr
, attr
) == 0) {
4383 bool is_attr_in_list(const char * const * attrs
, const char *attr
)
4387 for (i
= 0; attrs
[i
]; i
++) {
4388 if (ldb_attr_cmp(attrs
[i
], attr
) == 0)
4397 map an ldb error code to an approximate NTSTATUS code
4399 NTSTATUS
dsdb_ldb_err_to_ntstatus(int err
)
4403 return NT_STATUS_OK
;
4405 case LDB_ERR_PROTOCOL_ERROR
:
4406 return NT_STATUS_DEVICE_PROTOCOL_ERROR
;
4408 case LDB_ERR_TIME_LIMIT_EXCEEDED
:
4409 return NT_STATUS_IO_TIMEOUT
;
4411 case LDB_ERR_SIZE_LIMIT_EXCEEDED
:
4412 return NT_STATUS_BUFFER_TOO_SMALL
;
4414 case LDB_ERR_COMPARE_FALSE
:
4415 case LDB_ERR_COMPARE_TRUE
:
4416 return NT_STATUS_REVISION_MISMATCH
;
4418 case LDB_ERR_AUTH_METHOD_NOT_SUPPORTED
:
4419 return NT_STATUS_NOT_SUPPORTED
;
4421 case LDB_ERR_STRONG_AUTH_REQUIRED
:
4422 case LDB_ERR_CONFIDENTIALITY_REQUIRED
:
4423 case LDB_ERR_SASL_BIND_IN_PROGRESS
:
4424 case LDB_ERR_INAPPROPRIATE_AUTHENTICATION
:
4425 case LDB_ERR_INVALID_CREDENTIALS
:
4426 case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
:
4427 case LDB_ERR_UNWILLING_TO_PERFORM
:
4428 return NT_STATUS_ACCESS_DENIED
;
4430 case LDB_ERR_NO_SUCH_OBJECT
:
4431 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
4433 case LDB_ERR_REFERRAL
:
4434 case LDB_ERR_NO_SUCH_ATTRIBUTE
:
4435 return NT_STATUS_NOT_FOUND
;
4437 case LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION
:
4438 return NT_STATUS_NOT_SUPPORTED
;
4440 case LDB_ERR_ADMIN_LIMIT_EXCEEDED
:
4441 return NT_STATUS_BUFFER_TOO_SMALL
;
4443 case LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE
:
4444 case LDB_ERR_INAPPROPRIATE_MATCHING
:
4445 case LDB_ERR_CONSTRAINT_VIOLATION
:
4446 case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
:
4447 case LDB_ERR_INVALID_DN_SYNTAX
:
4448 case LDB_ERR_NAMING_VIOLATION
:
4449 case LDB_ERR_OBJECT_CLASS_VIOLATION
:
4450 case LDB_ERR_NOT_ALLOWED_ON_NON_LEAF
:
4451 case LDB_ERR_NOT_ALLOWED_ON_RDN
:
4452 return NT_STATUS_INVALID_PARAMETER
;
4454 case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS
:
4455 case LDB_ERR_ENTRY_ALREADY_EXISTS
:
4456 return NT_STATUS_ERROR_DS_OBJ_STRING_NAME_EXISTS
;
4459 return NT_STATUS_NETWORK_BUSY
;
4461 case LDB_ERR_ALIAS_PROBLEM
:
4462 case LDB_ERR_ALIAS_DEREFERENCING_PROBLEM
:
4463 case LDB_ERR_UNAVAILABLE
:
4464 case LDB_ERR_LOOP_DETECT
:
4465 case LDB_ERR_OBJECT_CLASS_MODS_PROHIBITED
:
4466 case LDB_ERR_AFFECTS_MULTIPLE_DSAS
:
4468 case LDB_ERR_OPERATIONS_ERROR
:
4471 return NT_STATUS_UNSUCCESSFUL
;
4476 create a new naming context that will hold a partial replica
4478 int dsdb_create_partial_replica_NC(struct ldb_context
*ldb
, struct ldb_dn
*dn
)
4480 TALLOC_CTX
*tmp_ctx
= talloc_new(ldb
);
4481 struct ldb_message
*msg
;
4484 msg
= ldb_msg_new(tmp_ctx
);
4486 talloc_free(tmp_ctx
);
4487 return ldb_oom(ldb
);
4491 ret
= ldb_msg_add_string(msg
, "objectClass", "top");
4492 if (ret
!= LDB_SUCCESS
) {
4493 talloc_free(tmp_ctx
);
4494 return ldb_oom(ldb
);
4497 /* [MS-DRSR] implies that we should only add the 'top'
4498 * objectclass, but that would cause lots of problems with our
4499 * objectclass code as top is not structural, so we add
4500 * 'domainDNS' as well to keep things sane. We're expecting
4501 * this new NC to be of objectclass domainDNS after
4502 * replication anyway
4504 ret
= ldb_msg_add_string(msg
, "objectClass", "domainDNS");
4505 if (ret
!= LDB_SUCCESS
) {
4506 talloc_free(tmp_ctx
);
4507 return ldb_oom(ldb
);
4510 ret
= ldb_msg_add_fmt(msg
, "instanceType", "%u",
4511 INSTANCE_TYPE_IS_NC_HEAD
|
4512 INSTANCE_TYPE_NC_ABOVE
|
4513 INSTANCE_TYPE_UNINSTANT
);
4514 if (ret
!= LDB_SUCCESS
) {
4515 talloc_free(tmp_ctx
);
4516 return ldb_oom(ldb
);
4519 ret
= dsdb_add(ldb
, msg
, DSDB_MODIFY_PARTIAL_REPLICA
);
4520 if (ret
!= LDB_SUCCESS
&& ret
!= LDB_ERR_ENTRY_ALREADY_EXISTS
) {
4521 DEBUG(0,("Failed to create new NC for %s - %s (%s)\n",
4522 ldb_dn_get_linearized(dn
),
4523 ldb_errstring(ldb
), ldb_strerror(ret
)));
4524 talloc_free(tmp_ctx
);
4528 DEBUG(1,("Created new NC for %s\n", ldb_dn_get_linearized(dn
)));
4530 talloc_free(tmp_ctx
);
4535 build a GUID from a string
4537 _PUBLIC_ NTSTATUS
NS_GUID_from_string(const char *s
, struct GUID
*guid
)
4539 NTSTATUS status
= NT_STATUS_INVALID_PARAMETER
;
4541 uint32_t time_mid
, time_hi_and_version
;
4542 uint32_t clock_seq
[2];
4547 return NT_STATUS_INVALID_PARAMETER
;
4550 if (11 == sscanf(s
, "%08x-%04x%04x-%02x%02x%02x%02x-%02x%02x%02x%02x",
4551 &time_low
, &time_mid
, &time_hi_and_version
,
4552 &clock_seq
[0], &clock_seq
[1],
4553 &node
[0], &node
[1], &node
[2], &node
[3], &node
[4], &node
[5])) {
4554 status
= NT_STATUS_OK
;
4557 if (!NT_STATUS_IS_OK(status
)) {
4561 guid
->time_low
= time_low
;
4562 guid
->time_mid
= time_mid
;
4563 guid
->time_hi_and_version
= time_hi_and_version
;
4564 guid
->clock_seq
[0] = clock_seq
[0];
4565 guid
->clock_seq
[1] = clock_seq
[1];
4567 guid
->node
[i
] = node
[i
];
4570 return NT_STATUS_OK
;
4573 _PUBLIC_
char *NS_GUID_string(TALLOC_CTX
*mem_ctx
, const struct GUID
*guid
)
4575 return talloc_asprintf(mem_ctx
,
4576 "%08x-%04x%04x-%02x%02x%02x%02x-%02x%02x%02x%02x",
4577 guid
->time_low
, guid
->time_mid
,
4578 guid
->time_hi_and_version
,
4581 guid
->node
[0], guid
->node
[1],
4582 guid
->node
[2], guid
->node
[3],
4583 guid
->node
[4], guid
->node
[5]);