search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
VERSION: Disable GIT_SNAPSHOT for the 4.16.2 release.
[Samba.git] / source4 / dsdb / common / util.c
blob5da75f2d28f48018153d2f66cbdcbbecc9001bf1
1 /*
2 Unix SMB/CIFS implementation.
3 Samba utility functions
4
5 Copyright (C) Andrew Tridgell 2004
6 Copyright (C) Volker Lendecke 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
8 Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "events/events.h"
26 #include "ldb.h"
27 #include "ldb_module.h"
28 #include "ldb_errors.h"
29 #include "../lib/util/util_ldb.h"
30 #include "../lib/crypto/crypto.h"
31 #include "dsdb/samdb/samdb.h"
32 #include "libcli/security/security.h"
33 #include "librpc/gen_ndr/ndr_security.h"
34 #include "librpc/gen_ndr/ndr_misc.h"
35 #include "../libds/common/flags.h"
36 #include "dsdb/common/proto.h"
37 #include "libcli/ldap/ldap_ndr.h"
38 #include "param/param.h"
39 #include "libcli/auth/libcli_auth.h"
40 #include "librpc/gen_ndr/ndr_drsblobs.h"
41 #include "system/locale.h"
42 #include "system/filesys.h"
43 #include "lib/util/tsort.h"
44 #include "dsdb/common/util.h"
45 #include "lib/socket/socket.h"
46 #include "librpc/gen_ndr/irpc.h"
47 #include "libds/common/flag_mapping.h"
48 #include "lib/util/access.h"
49 #include "lib/util/sys_rw_data.h"
50 #include "libcli/util/ntstatus.h"
51 #include "lib/util/smb_strtox.h"
52
53 #undef strncasecmp
54 #undef strcasecmp
55
56 /*
57 * This included to allow us to handle DSDB_FLAG_REPLICATED_UPDATE in
58 * dsdb_request_add_controls()
59 */
60 #include "dsdb/samdb/ldb_modules/util.h"
61
62 /* default is 30 minutes: -1e7 * 30 * 60 */
63 #define DEFAULT_OBSERVATION_WINDOW -18000000000
64
65 /*
66 search the sam for the specified attributes in a specific domain, filter on
67 objectSid being in domain_sid.
68 */
69 int samdb_search_domain(struct ldb_context *sam_ldb,
70 TALLOC_CTX *mem_ctx,
71 struct ldb_dn *basedn,
72 struct ldb_message ***res,
73 const char * const *attrs,
74 const struct dom_sid *domain_sid,
75 const char *format, ...) _PRINTF_ATTRIBUTE(7,8)
76 {
77 va_list ap;
78 int i, count;
79
80 va_start(ap, format);
81 count = gendb_search_v(sam_ldb, mem_ctx, basedn,
82 res, attrs, format, ap);
83 va_end(ap);
84
85 i=0;
86
87 while (i<count) {
88 struct dom_sid *entry_sid;
89
90 entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i], "objectSid");
91
92 if ((entry_sid == NULL) ||
93 (!dom_sid_in_domain(domain_sid, entry_sid))) {
94 /* Delete that entry from the result set */
95 (*res)[i] = (*res)[count-1];
96 count -= 1;
97 talloc_free(entry_sid);
98 continue;
99 }
100 talloc_free(entry_sid);
101 i += 1;
102 }
103
104 return count;
105 }
106
107 /*
108 search the sam for a single string attribute in exactly 1 record
109 */
110 const char *samdb_search_string_v(struct ldb_context *sam_ldb,
111 TALLOC_CTX *mem_ctx,
112 struct ldb_dn *basedn,
113 const char *attr_name,
114 const char *format, va_list ap) _PRINTF_ATTRIBUTE(5,0)
115 {
116 int count;
117 const char *attrs[2] = { NULL, NULL };
118 struct ldb_message **res = NULL;
119
120 attrs[0] = attr_name;
121
122 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
123 if (count > 1) {
124 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
125 attr_name, format, count));
126 }
127 if (count != 1) {
128 talloc_free(res);
129 return NULL;
130 }
131
132 return ldb_msg_find_attr_as_string(res[0], attr_name, NULL);
133 }
134
135 /*
136 search the sam for a single string attribute in exactly 1 record
137 */
138 const char *samdb_search_string(struct ldb_context *sam_ldb,
139 TALLOC_CTX *mem_ctx,
140 struct ldb_dn *basedn,
141 const char *attr_name,
142 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
143 {
144 va_list ap;
145 const char *str;
146
147 va_start(ap, format);
148 str = samdb_search_string_v(sam_ldb, mem_ctx, basedn, attr_name, format, ap);
149 va_end(ap);
150
151 return str;
152 }
153
154 struct ldb_dn *samdb_search_dn(struct ldb_context *sam_ldb,
155 TALLOC_CTX *mem_ctx,
156 struct ldb_dn *basedn,
157 const char *format, ...) _PRINTF_ATTRIBUTE(4,5)
158 {
159 va_list ap;
160 struct ldb_dn *ret;
161 struct ldb_message **res = NULL;
162 int count;
163
164 va_start(ap, format);
165 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, NULL, format, ap);
166 va_end(ap);
167
168 if (count != 1) return NULL;
169
170 ret = talloc_steal(mem_ctx, res[0]->dn);
171 talloc_free(res);
172
173 return ret;
174 }
175
176 /*
177 search the sam for a dom_sid attribute in exactly 1 record
178 */
179 struct dom_sid *samdb_search_dom_sid(struct ldb_context *sam_ldb,
180 TALLOC_CTX *mem_ctx,
181 struct ldb_dn *basedn,
182 const char *attr_name,
183 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
184 {
185 va_list ap;
186 int count;
187 struct ldb_message **res;
188 const char *attrs[2] = { NULL, NULL };
189 struct dom_sid *sid;
190
191 attrs[0] = attr_name;
192
193 va_start(ap, format);
194 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
195 va_end(ap);
196 if (count > 1) {
197 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
198 attr_name, format, count));
199 }
200 if (count != 1) {
201 talloc_free(res);
202 return NULL;
203 }
204 sid = samdb_result_dom_sid(mem_ctx, res[0], attr_name);
205 talloc_free(res);
206 return sid;
207 }
208
209 /*
210 search the sam for a single integer attribute in exactly 1 record
211 */
212 unsigned int samdb_search_uint(struct ldb_context *sam_ldb,
213 TALLOC_CTX *mem_ctx,
214 unsigned int default_value,
215 struct ldb_dn *basedn,
216 const char *attr_name,
217 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
218 {
219 va_list ap;
220 int count;
221 struct ldb_message **res;
222 const char *attrs[2] = { NULL, NULL };
223
224 attrs[0] = attr_name;
225
226 va_start(ap, format);
227 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
228 va_end(ap);
229
230 if (count != 1) {
231 return default_value;
232 }
233
234 return ldb_msg_find_attr_as_uint(res[0], attr_name, default_value);
235 }
236
237 /*
238 search the sam for a single signed 64 bit integer attribute in exactly 1 record
239 */
240 int64_t samdb_search_int64(struct ldb_context *sam_ldb,
241 TALLOC_CTX *mem_ctx,
242 int64_t default_value,
243 struct ldb_dn *basedn,
244 const char *attr_name,
245 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
246 {
247 va_list ap;
248 int count;
249 struct ldb_message **res;
250 const char *attrs[2] = { NULL, NULL };
251
252 attrs[0] = attr_name;
253
254 va_start(ap, format);
255 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
256 va_end(ap);
257
258 if (count != 1) {
259 return default_value;
260 }
261
262 return ldb_msg_find_attr_as_int64(res[0], attr_name, default_value);
263 }
264
265 /*
266 search the sam for multipe records each giving a single string attribute
267 return the number of matches, or -1 on error
268 */
269 int samdb_search_string_multiple(struct ldb_context *sam_ldb,
270 TALLOC_CTX *mem_ctx,
271 struct ldb_dn *basedn,
272 const char ***strs,
273 const char *attr_name,
274 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
275 {
276 va_list ap;
277 int count, i;
278 const char *attrs[2] = { NULL, NULL };
279 struct ldb_message **res = NULL;
280
281 attrs[0] = attr_name;
282
283 va_start(ap, format);
284 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
285 va_end(ap);
286
287 if (count <= 0) {
288 return count;
289 }
290
291 /* make sure its single valued */
292 for (i=0;i<count;i++) {
293 if (res[i]->num_elements != 1) {
294 DEBUG(1,("samdb: search for %s %s not single valued\n",
295 attr_name, format));
296 talloc_free(res);
297 return -1;
298 }
299 }
300
301 *strs = talloc_array(mem_ctx, const char *, count+1);
302 if (! *strs) {
303 talloc_free(res);
304 return -1;
305 }
306
307 for (i=0;i<count;i++) {
308 (*strs)[i] = ldb_msg_find_attr_as_string(res[i], attr_name, NULL);
309 }
310 (*strs)[count] = NULL;
311
312 return count;
313 }
314
315 struct ldb_dn *samdb_result_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
316 const char *attr, struct ldb_dn *default_value)
317 {
318 struct ldb_dn *ret_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, msg, attr);
319 if (!ret_dn) {
320 return default_value;
321 }
322 return ret_dn;
323 }
324
325 /*
326 pull a rid from a objectSid in a result set.
327 */
328 uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
329 const char *attr, uint32_t default_value)
330 {
331 struct dom_sid *sid;
332 uint32_t rid;
333
334 sid = samdb_result_dom_sid(mem_ctx, msg, attr);
335 if (sid == NULL) {
336 return default_value;
337 }
338 rid = sid->sub_auths[sid->num_auths-1];
339 talloc_free(sid);
340 return rid;
341 }
342
343 /*
344 pull a dom_sid structure from a objectSid in a result set.
345 */
346 struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
347 const char *attr)
348 {
349 ssize_t ret;
350 const struct ldb_val *v;
351 struct dom_sid *sid;
352 v = ldb_msg_find_ldb_val(msg, attr);
353 if (v == NULL) {
354 return NULL;
355 }
356 sid = talloc(mem_ctx, struct dom_sid);
357 if (sid == NULL) {
358 return NULL;
359 }
360 ret = sid_parse(v->data, v->length, sid);
361 if (ret == -1) {
362 talloc_free(sid);
363 return NULL;
364 }
365 return sid;
366 }
367
368 /*
369 pull a guid structure from a objectGUID in a result set.
370 */
371 struct GUID samdb_result_guid(const struct ldb_message *msg, const char *attr)
372 {
373 const struct ldb_val *v;
374 struct GUID guid;
375 NTSTATUS status;
376
377 v = ldb_msg_find_ldb_val(msg, attr);
378 if (!v) return GUID_zero();
379
380 status = GUID_from_ndr_blob(v, &guid);
381 if (!NT_STATUS_IS_OK(status)) {
382 return GUID_zero();
383 }
384
385 return guid;
386 }
387
388 /*
389 pull a sid prefix from a objectSid in a result set.
390 this is used to find the domain sid for a user
391 */
392 struct dom_sid *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
393 const char *attr)
394 {
395 struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg, attr);
396 if (!sid || sid->num_auths < 1) return NULL;
397 sid->num_auths--;
398 return sid;
399 }
400
401 /*
402 pull a NTTIME in a result set.
403 */
404 NTTIME samdb_result_nttime(const struct ldb_message *msg, const char *attr,
405 NTTIME default_value)
406 {
407 return ldb_msg_find_attr_as_uint64(msg, attr, default_value);
408 }
409
410 /*
411 * Windows stores 0 for lastLogoff.
412 * But when a MS DC return the lastLogoff (as Logoff Time)
413 * it returns 0x7FFFFFFFFFFFFFFF, not returning this value in this case
414 * cause windows 2008 and newer version to fail for SMB requests
415 */
416 NTTIME samdb_result_last_logoff(const struct ldb_message *msg)
417 {
418 NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "lastLogoff",0);
419
420 if (ret == 0)
421 ret = 0x7FFFFFFFFFFFFFFFULL;
422
423 return ret;
424 }
425
426 /*
427 * Windows uses both 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFFULL) to
428 * indicate an account doesn't expire.
429 *
430 * When Windows initially creates an account, it sets
431 * accountExpires = 9223372036854775807 (0x7FFFFFFFFFFFFFFF). However,
432 * when changing from an account having a specific expiration date to
433 * that account never expiring, it sets accountExpires = 0.
434 *
435 * Consolidate that logic here to allow clearer logic for account expiry in
436 * the rest of the code.
437 */
438 NTTIME samdb_result_account_expires(const struct ldb_message *msg)
439 {
440 NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "accountExpires",
441 0);
442
443 if (ret == 0)
444 ret = 0x7FFFFFFFFFFFFFFFULL;
445
446 return ret;
447 }
448
449 /*
450 construct the allow_password_change field from the PwdLastSet attribute and the
451 domain password settings
452 */
453 NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb,
454 TALLOC_CTX *mem_ctx,
455 struct ldb_dn *domain_dn,
456 struct ldb_message *msg,
457 const char *attr)
458 {
459 uint64_t attr_time = ldb_msg_find_attr_as_uint64(msg, attr, 0);
460 int64_t minPwdAge;
461
462 if (attr_time == 0) {
463 return 0;
464 }
465
466 minPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, "minPwdAge", NULL);
467
468 /* yes, this is a -= not a += as minPwdAge is stored as the negative
469 of the number of 100-nano-seconds */
470 attr_time -= minPwdAge;
471
472 return attr_time;
473 }
474
475 /*
476 pull a samr_Password structutre from a result set.
477 */
478 struct samr_Password *samdb_result_hash(TALLOC_CTX *mem_ctx, const struct ldb_message *msg, const char *attr)
479 {
480 struct samr_Password *hash = NULL;
481 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
482 if (val && (val->length >= sizeof(hash->hash))) {
483 hash = talloc(mem_ctx, struct samr_Password);
484 memcpy(hash->hash, val->data, MIN(val->length, sizeof(hash->hash)));
485 }
486 return hash;
487 }
488
489 /*
490 pull an array of samr_Password structures from a result set.
491 */
492 unsigned int samdb_result_hashes(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
493 const char *attr, struct samr_Password **hashes)
494 {
495 unsigned int count, i;
496 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
497
498 *hashes = NULL;
499 if (!val) {
500 return 0;
501 }
502 count = val->length / 16;
503 if (count == 0) {
504 return 0;
505 }
506
507 *hashes = talloc_array(mem_ctx, struct samr_Password, count);
508 if (! *hashes) {
509 return 0;
510 }
511
512 for (i=0;i<count;i++) {
513 memcpy((*hashes)[i].hash, (i*16)+(char *)val->data, 16);
514 }
515
516 return count;
517 }
518
519 NTSTATUS samdb_result_passwords_from_history(TALLOC_CTX *mem_ctx,
520 struct loadparm_context *lp_ctx,
521 struct ldb_message *msg,
522 unsigned int idx,
523 struct samr_Password **lm_pwd,
524 struct samr_Password **nt_pwd)
525 {
526 struct samr_Password *lmPwdHash, *ntPwdHash;
527
528 if (nt_pwd) {
529 unsigned int num_nt;
530 num_nt = samdb_result_hashes(mem_ctx, msg, "ntPwdHistory", &ntPwdHash);
531 if (num_nt <= idx) {
532 *nt_pwd = NULL;
533 } else {
534 *nt_pwd = &ntPwdHash[idx];
535 }
536 }
537 if (lm_pwd) {
538 /* Ensure that if we have turned off LM
539 * authentication, that we never use the LM hash, even
540 * if we store it */
541 if (lpcfg_lanman_auth(lp_ctx)) {
542 unsigned int num_lm;
543 num_lm = samdb_result_hashes(mem_ctx, msg, "lmPwdHistory", &lmPwdHash);
544 if (num_lm <= idx) {
545 *lm_pwd = NULL;
546 } else {
547 *lm_pwd = &lmPwdHash[idx];
548 }
549 } else {
550 *lm_pwd = NULL;
551 }
552 }
553 return NT_STATUS_OK;
554 }
555
556 NTSTATUS samdb_result_passwords_no_lockout(TALLOC_CTX *mem_ctx,
557 struct loadparm_context *lp_ctx,
558 const struct ldb_message *msg,
559 struct samr_Password **lm_pwd,
560 struct samr_Password **nt_pwd)
561 {
562 struct samr_Password *lmPwdHash, *ntPwdHash;
563
564 if (nt_pwd) {
565 unsigned int num_nt;
566 num_nt = samdb_result_hashes(mem_ctx, msg, "unicodePwd", &ntPwdHash);
567 if (num_nt == 0) {
568 *nt_pwd = NULL;
569 } else if (num_nt > 1) {
570 return NT_STATUS_INTERNAL_DB_CORRUPTION;
571 } else {
572 *nt_pwd = &ntPwdHash[0];
573 }
574 }
575 if (lm_pwd) {
576 /* Ensure that if we have turned off LM
577 * authentication, that we never use the LM hash, even
578 * if we store it */
579 if (lpcfg_lanman_auth(lp_ctx)) {
580 unsigned int num_lm;
581 num_lm = samdb_result_hashes(mem_ctx, msg, "dBCSPwd", &lmPwdHash);
582 if (num_lm == 0) {
583 *lm_pwd = NULL;
584 } else if (num_lm > 1) {
585 return NT_STATUS_INTERNAL_DB_CORRUPTION;
586 } else {
587 *lm_pwd = &lmPwdHash[0];
588 }
589 } else {
590 *lm_pwd = NULL;
591 }
592 }
593 return NT_STATUS_OK;
594 }
595
596 NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx,
597 struct loadparm_context *lp_ctx,
598 const struct ldb_message *msg,
599 struct samr_Password **lm_pwd,
600 struct samr_Password **nt_pwd)
601 {
602 uint16_t acct_flags;
603
604 acct_flags = samdb_result_acct_flags(msg,
605 "msDS-User-Account-Control-Computed");
606 /* Quit if the account was locked out. */
607 if (acct_flags & ACB_AUTOLOCK) {
608 DEBUG(3,("samdb_result_passwords: Account for user %s was locked out.\n",
609 ldb_dn_get_linearized(msg->dn)));
610 return NT_STATUS_ACCOUNT_LOCKED_OUT;
611 }
612
613 return samdb_result_passwords_no_lockout(mem_ctx, lp_ctx, msg,
614 lm_pwd, nt_pwd);
615 }
616
617 /*
618 pull a samr_LogonHours structutre from a result set.
619 */
620 struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr)
621 {
622 struct samr_LogonHours hours;
623 size_t units_per_week = 168;
624 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
625
626 ZERO_STRUCT(hours);
627
628 if (val) {
629 units_per_week = val->length * 8;
630 }
631
632 hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week/8);
633 if (!hours.bits) {
634 return hours;
635 }
636 hours.units_per_week = units_per_week;
637 memset(hours.bits, 0xFF, units_per_week/8);
638 if (val) {
639 memcpy(hours.bits, val->data, val->length);
640 }
641
642 return hours;
643 }
644
645 /*
646 pull a set of account_flags from a result set.
647
648 Naturally, this requires that userAccountControl and
649 (if not null) the attributes 'attr' be already
650 included in msg
651 */
652 uint32_t samdb_result_acct_flags(const struct ldb_message *msg, const char *attr)
653 {
654 uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
655 uint32_t attr_flags = 0;
656 uint32_t acct_flags = ds_uf2acb(userAccountControl);
657 if (attr) {
658 attr_flags = ldb_msg_find_attr_as_uint(msg, attr, UF_ACCOUNTDISABLE);
659 if (attr_flags == UF_ACCOUNTDISABLE) {
660 DEBUG(0, ("Attribute %s not found, disabling account %s!\n", attr,
661 ldb_dn_get_linearized(msg->dn)));
662 }
663 acct_flags |= ds_uf2acb(attr_flags);
664 }
665
666 return acct_flags;
667 }
668
669 NTSTATUS samdb_result_parameters(TALLOC_CTX *mem_ctx,
670 struct ldb_message *msg,
671 const char *attr,
672 struct lsa_BinaryString *s)
673 {
674 int i;
675 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
676
677 ZERO_STRUCTP(s);
678
679 if (!val) {
680 return NT_STATUS_OK;
681 }
682
683 if ((val->length % 2) != 0) {
684 /*
685 * If the on-disk data is not even in length, we know
686 * it is corrupt, and can not be safely pushed. We
687 * would either truncate, send either a un-initilaised
688 * byte or send a forced zero byte
689 */
690 return NT_STATUS_INTERNAL_DB_CORRUPTION;
691 }
692
693 s->array = talloc_array(mem_ctx, uint16_t, val->length/2);
694 if (!s->array) {
695 return NT_STATUS_NO_MEMORY;
696 }
697 s->length = s->size = val->length;
698
699 /* The on-disk format is the 'network' format, being UTF16LE (sort of) */
700 for (i = 0; i < s->length / 2; i++) {
701 s->array[i] = SVAL(val->data, i * 2);
702 }
703
704 return NT_STATUS_OK;
705 }
706
707 /* Find an attribute, with a particular value */
708
709 /* The current callers of this function expect a very specific
710 * behaviour: In particular, objectClass subclass equivalence is not
711 * wanted. This means that we should not lookup the schema for the
712 * comparison function */
713 struct ldb_message_element *samdb_find_attribute(struct ldb_context *ldb,
714 const struct ldb_message *msg,
715 const char *name, const char *value)
716 {
717 unsigned int i;
718 struct ldb_message_element *el = ldb_msg_find_element(msg, name);
719
720 if (!el) {
721 return NULL;
722 }
723
724 for (i=0;i<el->num_values;i++) {
725 if (ldb_attr_cmp(value, (char *)el->values[i].data) == 0) {
726 return el;
727 }
728 }
729
730 return NULL;
731 }
732
733 static int samdb_find_or_add_attribute_ex(struct ldb_context *ldb,
734 struct ldb_message *msg,
735 const char *name,
736 const char *set_value,
737 unsigned attr_flags,
738 bool *added)
739 {
740 int ret;
741 struct ldb_message_element *el;
742
743 SMB_ASSERT(attr_flags != 0);
744
745 el = ldb_msg_find_element(msg, name);
746 if (el) {
747 if (added != NULL) {
748 *added = false;
749 }
750
751 return LDB_SUCCESS;
752 }
753
754 ret = ldb_msg_add_empty(msg, name,
755 attr_flags,
756 &el);
757 if (ret != LDB_SUCCESS) {
758 return ret;
759 }
760
761 if (set_value != NULL) {
762 ret = ldb_msg_add_string(msg, name, set_value);
763 if (ret != LDB_SUCCESS) {
764 return ret;
765 }
766 }
767
768 if (added != NULL) {
769 *added = true;
770 }
771 return LDB_SUCCESS;
772 }
773
774 int samdb_find_or_add_attribute(struct ldb_context *ldb, struct ldb_message *msg, const char *name, const char *set_value)
775 {
776 return samdb_find_or_add_attribute_ex(ldb, msg, name, set_value, LDB_FLAG_MOD_ADD, NULL);
777 }
778
779 /*
780 add a dom_sid element to a message
781 */
782 int samdb_msg_add_dom_sid(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
783 const char *attr_name, const struct dom_sid *sid)
784 {
785 struct ldb_val v;
786 enum ndr_err_code ndr_err;
787
788 ndr_err = ndr_push_struct_blob(&v, mem_ctx,
789 sid,
790 (ndr_push_flags_fn_t)ndr_push_dom_sid);
791 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
792 return ldb_operr(sam_ldb);
793 }
794 return ldb_msg_add_value(msg, attr_name, &v, NULL);
795 }
796
797
798 /*
799 add a delete element operation to a message
800 */
801 int samdb_msg_add_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
802 const char *attr_name)
803 {
804 /* we use an empty replace rather than a delete, as it allows for
805 dsdb_replace() to be used everywhere */
806 return ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_REPLACE, NULL);
807 }
808
809 /*
810 add an add attribute value to a message or enhance an existing attribute
811 which has the same name and the add flag set.
812 */
813 int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
814 struct ldb_message *msg, const char *attr_name,
815 const char *value)
816 {
817 struct ldb_message_element *el;
818 struct ldb_val val, *vals;
819 char *v;
820 unsigned int i;
821 bool found = false;
822 int ret;
823
824 v = talloc_strdup(mem_ctx, value);
825 if (v == NULL) {
826 return ldb_oom(sam_ldb);
827 }
828
829 val.data = (uint8_t *) v;
830 val.length = strlen(v);
831
832 if (val.length == 0) {
833 /* allow empty strings as non-existent attributes */
834 return LDB_SUCCESS;
835 }
836
837 for (i = 0; i < msg->num_elements; i++) {
838 el = &msg->elements[i];
839 if ((ldb_attr_cmp(el->name, attr_name) == 0) &&
840 (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_ADD)) {
841 found = true;
842 break;
843 }
844 }
845 if (!found) {
846 ret = ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_ADD,
847 &el);
848 if (ret != LDB_SUCCESS) {
849 return ret;
850 }
851 }
852
853 vals = talloc_realloc(msg->elements, el->values, struct ldb_val,
854 el->num_values + 1);
855 if (vals == NULL) {
856 return ldb_oom(sam_ldb);
857 }
858 el->values = vals;
859 el->values[el->num_values] = val;
860 ++(el->num_values);
861
862 return LDB_SUCCESS;
863 }
864
865 /*
866 add a delete attribute value to a message or enhance an existing attribute
867 which has the same name and the delete flag set.
868 */
869 int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
870 struct ldb_message *msg, const char *attr_name,
871 const char *value)
872 {
873 struct ldb_message_element *el;
874 struct ldb_val val, *vals;
875 char *v;
876 unsigned int i;
877 bool found = false;
878 int ret;
879
880 v = talloc_strdup(mem_ctx, value);
881 if (v == NULL) {
882 return ldb_oom(sam_ldb);
883 }
884
885 val.data = (uint8_t *) v;
886 val.length = strlen(v);
887
888 if (val.length == 0) {
889 /* allow empty strings as non-existent attributes */
890 return LDB_SUCCESS;
891 }
892
893 for (i = 0; i < msg->num_elements; i++) {
894 el = &msg->elements[i];
895 if ((ldb_attr_cmp(el->name, attr_name) == 0) &&
896 (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE)) {
897 found = true;
898 break;
899 }
900 }
901 if (!found) {
902 ret = ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_DELETE,
903 &el);
904 if (ret != LDB_SUCCESS) {
905 return ret;
906 }
907 }
908
909 vals = talloc_realloc(msg->elements, el->values, struct ldb_val,
910 el->num_values + 1);
911 if (vals == NULL) {
912 return ldb_oom(sam_ldb);
913 }
914 el->values = vals;
915 el->values[el->num_values] = val;
916 ++(el->num_values);
917
918 return LDB_SUCCESS;
919 }
920
921 /*
922 add a int element to a message
923 */
924 int samdb_msg_add_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
925 const char *attr_name, int v)
926 {
927 const char *s = talloc_asprintf(mem_ctx, "%d", v);
928 if (s == NULL) {
929 return ldb_oom(sam_ldb);
930 }
931 return ldb_msg_add_string(msg, attr_name, s);
932 }
933
934 /*
935 * Add an unsigned int element to a message
936 *
937 * The issue here is that we have not yet first cast to int32_t explicitly,
938 * before we cast to an signed int to printf() into the %d or cast to a
939 * int64_t before we then cast to a long long to printf into a %lld.
940 *
941 * There are *no* unsigned integers in Active Directory LDAP, even the RID
942 * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
943 * (See the schema, and the syntax definitions in schema_syntax.c).
944 *
945 */
946 int samdb_msg_add_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
947 const char *attr_name, unsigned int v)
948 {
949 return samdb_msg_add_int(sam_ldb, mem_ctx, msg, attr_name, (int)v);
950 }
951
952 /*
953 add a (signed) int64_t element to a message
954 */
955 int samdb_msg_add_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
956 const char *attr_name, int64_t v)
957 {
958 const char *s = talloc_asprintf(mem_ctx, "%lld", (long long)v);
959 if (s == NULL) {
960 return ldb_oom(sam_ldb);
961 }
962 return ldb_msg_add_string(msg, attr_name, s);
963 }
964
965 /*
966 * Add an unsigned int64_t (uint64_t) element to a message
967 *
968 * The issue here is that we have not yet first cast to int32_t explicitly,
969 * before we cast to an signed int to printf() into the %d or cast to a
970 * int64_t before we then cast to a long long to printf into a %lld.
971 *
972 * There are *no* unsigned integers in Active Directory LDAP, even the RID
973 * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
974 * (See the schema, and the syntax definitions in schema_syntax.c).
975 *
976 */
977 int samdb_msg_add_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
978 const char *attr_name, uint64_t v)
979 {
980 return samdb_msg_add_int64(sam_ldb, mem_ctx, msg, attr_name, (int64_t)v);
981 }
982
983 /*
984 add a samr_Password element to a message
985 */
986 int samdb_msg_add_hash(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
987 const char *attr_name, const struct samr_Password *hash)
988 {
989 struct ldb_val val;
990 val.data = talloc_memdup(mem_ctx, hash->hash, 16);
991 if (!val.data) {
992 return ldb_oom(sam_ldb);
993 }
994 val.length = 16;
995 return ldb_msg_add_value(msg, attr_name, &val, NULL);
996 }
997
998 /*
999 add a samr_Password array to a message
1000 */
1001 int samdb_msg_add_hashes(struct ldb_context *ldb,
1002 TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1003 const char *attr_name, struct samr_Password *hashes,
1004 unsigned int count)
1005 {
1006 struct ldb_val val;
1007 unsigned int i;
1008 val.data = talloc_array_size(mem_ctx, 16, count);
1009 val.length = count*16;
1010 if (!val.data) {
1011 return ldb_oom(ldb);
1012 }
1013 for (i=0;i<count;i++) {
1014 memcpy(i*16 + (char *)val.data, hashes[i].hash, 16);
1015 }
1016 return ldb_msg_add_value(msg, attr_name, &val, NULL);
1017 }
1018
1019 /*
1020 add a acct_flags element to a message
1021 */
1022 int samdb_msg_add_acct_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1023 const char *attr_name, uint32_t v)
1024 {
1025 return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, ds_acb2uf(v));
1026 }
1027
1028 /*
1029 add a logon_hours element to a message
1030 */
1031 int samdb_msg_add_logon_hours(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1032 const char *attr_name, struct samr_LogonHours *hours)
1033 {
1034 struct ldb_val val;
1035 val.length = hours->units_per_week / 8;
1036 val.data = hours->bits;
1037 return ldb_msg_add_value(msg, attr_name, &val, NULL);
1038 }
1039
1040 /*
1041 add a parameters element to a message
1042 */
1043 int samdb_msg_add_parameters(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1044 const char *attr_name, struct lsa_BinaryString *parameters)
1045 {
1046 int i;
1047 struct ldb_val val;
1048 if ((parameters->length % 2) != 0) {
1049 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
1050 }
1051
1052 val.data = talloc_array(mem_ctx, uint8_t, parameters->length);
1053 if (val.data == NULL) {
1054 return LDB_ERR_OPERATIONS_ERROR;
1055 }
1056 val.length = parameters->length;
1057 for (i = 0; i < parameters->length / 2; i++) {
1058 /*
1059 * The on-disk format needs to be in the 'network'
1060 * format, parmeters->array is a uint16_t array of
1061 * length parameters->length / 2
1062 */
1063 SSVAL(val.data, i * 2, parameters->array[i]);
1064 }
1065 return ldb_msg_add_steal_value(msg, attr_name, &val);
1066 }
1067
1068 /*
1069 * Sets an unsigned int element in a message
1070 *
1071 * The issue here is that we have not yet first cast to int32_t explicitly,
1072 * before we cast to an signed int to printf() into the %d or cast to a
1073 * int64_t before we then cast to a long long to printf into a %lld.
1074 *
1075 * There are *no* unsigned integers in Active Directory LDAP, even the RID
1076 * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
1077 * (See the schema, and the syntax definitions in schema_syntax.c).
1078 *
1079 */
1080 int samdb_msg_set_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
1081 struct ldb_message *msg, const char *attr_name,
1082 unsigned int v)
1083 {
1084 struct ldb_message_element *el;
1085
1086 el = ldb_msg_find_element(msg, attr_name);
1087 if (el) {
1088 el->num_values = 0;
1089 }
1090 return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, v);
1091 }
1092
1093 /*
1094 * Handle ldb_request in transaction
1095 */
1096 int dsdb_autotransaction_request(struct ldb_context *sam_ldb,
1097 struct ldb_request *req)
1098 {
1099 int ret;
1100
1101 ret = ldb_transaction_start(sam_ldb);
1102 if (ret != LDB_SUCCESS) {
1103 return ret;
1104 }
1105
1106 ret = ldb_request(sam_ldb, req);
1107 if (ret == LDB_SUCCESS) {
1108 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
1109 }
1110
1111 if (ret == LDB_SUCCESS) {
1112 return ldb_transaction_commit(sam_ldb);
1113 }
1114 ldb_transaction_cancel(sam_ldb);
1115
1116 return ret;
1117 }
1118
1119 /*
1120 return a default security descriptor
1121 */
1122 struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ctx)
1123 {
1124 struct security_descriptor *sd;
1125
1126 sd = security_descriptor_initialise(mem_ctx);
1127
1128 return sd;
1129 }
1130
1131 struct ldb_dn *samdb_aggregate_schema_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1132 {
1133 struct ldb_dn *schema_dn = ldb_get_schema_basedn(sam_ctx);
1134 struct ldb_dn *aggregate_dn;
1135 if (!schema_dn) {
1136 return NULL;
1137 }
1138
1139 aggregate_dn = ldb_dn_copy(mem_ctx, schema_dn);
1140 if (!aggregate_dn) {
1141 return NULL;
1142 }
1143 if (!ldb_dn_add_child_fmt(aggregate_dn, "CN=Aggregate")) {
1144 return NULL;
1145 }
1146 return aggregate_dn;
1147 }
1148
1149 struct ldb_dn *samdb_partitions_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1150 {
1151 struct ldb_dn *new_dn;
1152
1153 new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx));
1154 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Partitions")) {
1155 talloc_free(new_dn);
1156 return NULL;
1157 }
1158 return new_dn;
1159 }
1160
1161 struct ldb_dn *samdb_infrastructure_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1162 {
1163 struct ldb_dn *new_dn;
1164
1165 new_dn = ldb_dn_copy(mem_ctx, ldb_get_default_basedn(sam_ctx));
1166 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Infrastructure")) {
1167 talloc_free(new_dn);
1168 return NULL;
1169 }
1170 return new_dn;
1171 }
1172
1173 struct ldb_dn *samdb_sites_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1174 {
1175 struct ldb_dn *new_dn;
1176
1177 new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx));
1178 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Sites")) {
1179 talloc_free(new_dn);
1180 return NULL;
1181 }
1182 return new_dn;
1183 }
1184
1185 struct ldb_dn *samdb_extended_rights_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1186 {
1187 struct ldb_dn *new_dn;
1188
1189 new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx));
1190 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Extended-Rights")) {
1191 talloc_free(new_dn);
1192 return NULL;
1193 }
1194 return new_dn;
1195 }
1196 /*
1197 work out the domain sid for the current open ldb
1198 */
1199 const struct dom_sid *samdb_domain_sid(struct ldb_context *ldb)
1200 {
1201 TALLOC_CTX *tmp_ctx;
1202 const struct dom_sid *domain_sid;
1203 const char *attrs[] = {
1204 "objectSid",
1205 NULL
1206 };
1207 struct ldb_result *res;
1208 int ret;
1209
1210 /* see if we have a cached copy */
1211 domain_sid = (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
1212 if (domain_sid) {
1213 return domain_sid;
1214 }
1215
1216 tmp_ctx = talloc_new(ldb);
1217 if (tmp_ctx == NULL) {
1218 goto failed;
1219 }
1220
1221 ret = ldb_search(ldb, tmp_ctx, &res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, attrs, "objectSid=*");
1222
1223 if (ret != LDB_SUCCESS) {
1224 goto failed;
1225 }
1226
1227 if (res->count != 1) {
1228 goto failed;
1229 }
1230
1231 domain_sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
1232 if (domain_sid == NULL) {
1233 goto failed;
1234 }
1235
1236 /* cache the domain_sid in the ldb */
1237 if (ldb_set_opaque(ldb, "cache.domain_sid", discard_const_p(struct dom_sid, domain_sid)) != LDB_SUCCESS) {
1238 goto failed;
1239 }
1240
1241 talloc_steal(ldb, domain_sid);
1242 talloc_free(tmp_ctx);
1243
1244 return domain_sid;
1245
1246 failed:
1247 talloc_free(tmp_ctx);
1248 return NULL;
1249 }
1250
1251 /*
1252 get domain sid from cache
1253 */
1254 const struct dom_sid *samdb_domain_sid_cache_only(struct ldb_context *ldb)
1255 {
1256 return (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
1257 }
1258
1259 bool samdb_set_domain_sid(struct ldb_context *ldb, const struct dom_sid *dom_sid_in)
1260 {
1261 TALLOC_CTX *tmp_ctx;
1262 struct dom_sid *dom_sid_new;
1263 struct dom_sid *dom_sid_old;
1264
1265 /* see if we have a cached copy */
1266 dom_sid_old = talloc_get_type(ldb_get_opaque(ldb,
1267 "cache.domain_sid"), struct dom_sid);
1268
1269 tmp_ctx = talloc_new(ldb);
1270 if (tmp_ctx == NULL) {
1271 goto failed;
1272 }
1273
1274 dom_sid_new = dom_sid_dup(tmp_ctx, dom_sid_in);
1275 if (!dom_sid_new) {
1276 goto failed;
1277 }
1278
1279 /* cache the domain_sid in the ldb */
1280 if (ldb_set_opaque(ldb, "cache.domain_sid", dom_sid_new) != LDB_SUCCESS) {
1281 goto failed;
1282 }
1283
1284 talloc_steal(ldb, dom_sid_new);
1285 talloc_free(tmp_ctx);
1286 talloc_free(dom_sid_old);
1287
1288 return true;
1289
1290 failed:
1291 DEBUG(1,("Failed to set our own cached domain SID in the ldb!\n"));
1292 talloc_free(tmp_ctx);
1293 return false;
1294 }
1295
1296 /*
1297 work out the domain guid for the current open ldb
1298 */
1299 const struct GUID *samdb_domain_guid(struct ldb_context *ldb)
1300 {
1301 TALLOC_CTX *tmp_ctx = NULL;
1302 struct GUID *domain_guid = NULL;
1303 const char *attrs[] = {
1304 "objectGUID",
1305 NULL
1306 };
1307 struct ldb_result *res = NULL;
1308 int ret;
1309
1310 /* see if we have a cached copy */
1311 domain_guid = (struct GUID *)ldb_get_opaque(ldb, "cache.domain_guid");
1312 if (domain_guid) {
1313 return domain_guid;
1314 }
1315
1316 tmp_ctx = talloc_new(ldb);
1317 if (tmp_ctx == NULL) {
1318 goto failed;
1319 }
1320
1321 ret = ldb_search(ldb, tmp_ctx, &res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, attrs, "objectGUID=*");
1322 if (ret != LDB_SUCCESS) {
1323 goto failed;
1324 }
1325
1326 if (res->count != 1) {
1327 goto failed;
1328 }
1329
1330 domain_guid = talloc(tmp_ctx, struct GUID);
1331 if (domain_guid == NULL) {
1332 goto failed;
1333 }
1334 *domain_guid = samdb_result_guid(res->msgs[0], "objectGUID");
1335
1336 /* cache the domain_sid in the ldb */
1337 if (ldb_set_opaque(ldb, "cache.domain_guid", domain_guid) != LDB_SUCCESS) {
1338 goto failed;
1339 }
1340
1341 talloc_steal(ldb, domain_guid);
1342 talloc_free(tmp_ctx);
1343
1344 return domain_guid;
1345
1346 failed:
1347 talloc_free(tmp_ctx);
1348 return NULL;
1349 }
1350
1351 bool samdb_set_ntds_settings_dn(struct ldb_context *ldb, struct ldb_dn *ntds_settings_dn_in)
1352 {
1353 TALLOC_CTX *tmp_ctx;
1354 struct ldb_dn *ntds_settings_dn_new;
1355 struct ldb_dn *ntds_settings_dn_old;
1356
1357 /* see if we have a forced copy from provision */
1358 ntds_settings_dn_old = talloc_get_type(ldb_get_opaque(ldb,
1359 "forced.ntds_settings_dn"), struct ldb_dn);
1360
1361 tmp_ctx = talloc_new(ldb);
1362 if (tmp_ctx == NULL) {
1363 goto failed;
1364 }
1365
1366 ntds_settings_dn_new = ldb_dn_copy(tmp_ctx, ntds_settings_dn_in);
1367 if (!ntds_settings_dn_new) {
1368 goto failed;
1369 }
1370
1371 /* set the DN in the ldb to avoid lookups during provision */
1372 if (ldb_set_opaque(ldb, "forced.ntds_settings_dn", ntds_settings_dn_new) != LDB_SUCCESS) {
1373 goto failed;
1374 }
1375
1376 talloc_steal(ldb, ntds_settings_dn_new);
1377 talloc_free(tmp_ctx);
1378 talloc_free(ntds_settings_dn_old);
1379
1380 return true;
1381
1382 failed:
1383 DEBUG(1,("Failed to set our NTDS Settings DN in the ldb!\n"));
1384 talloc_free(tmp_ctx);
1385 return false;
1386 }
1387
1388 /*
1389 work out the ntds settings dn for the current open ldb
1390 */
1391 struct ldb_dn *samdb_ntds_settings_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1392 {
1393 TALLOC_CTX *tmp_ctx;
1394 const char *root_attrs[] = { "dsServiceName", NULL };
1395 int ret;
1396 struct ldb_result *root_res;
1397 struct ldb_dn *settings_dn;
1398
1399 /* see if we have a cached copy */
1400 settings_dn = (struct ldb_dn *)ldb_get_opaque(ldb, "forced.ntds_settings_dn");
1401 if (settings_dn) {
1402 return ldb_dn_copy(mem_ctx, settings_dn);
1403 }
1404
1405 tmp_ctx = talloc_new(mem_ctx);
1406 if (tmp_ctx == NULL) {
1407 goto failed;
1408 }
1409
1410 ret = ldb_search(ldb, tmp_ctx, &root_res, ldb_dn_new(tmp_ctx, ldb, ""), LDB_SCOPE_BASE, root_attrs, NULL);
1411 if (ret != LDB_SUCCESS) {
1412 DEBUG(1,("Searching for dsServiceName in rootDSE failed: %s\n",
1413 ldb_errstring(ldb)));
1414 goto failed;
1415 }
1416
1417 if (root_res->count != 1) {
1418 goto failed;
1419 }
1420
1421 settings_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, root_res->msgs[0], "dsServiceName");
1422
1423 /* note that we do not cache the DN here, as that would mean
1424 * we could not handle server renames at runtime. Only
1425 * provision sets up forced.ntds_settings_dn */
1426
1427 talloc_steal(mem_ctx, settings_dn);
1428 talloc_free(tmp_ctx);
1429
1430 return settings_dn;
1431
1432 failed:
1433 DEBUG(1,("Failed to find our own NTDS Settings DN in the ldb!\n"));
1434 talloc_free(tmp_ctx);
1435 return NULL;
1436 }
1437
1438 /*
1439 work out the ntds settings invocationID/objectGUID for the current open ldb
1440 */
1441 static const struct GUID *samdb_ntds_GUID(struct ldb_context *ldb,
1442 const char *attribute,
1443 const char *cache_name)
1444 {
1445 TALLOC_CTX *tmp_ctx;
1446 const char *attrs[] = { attribute, NULL };
1447 int ret;
1448 struct ldb_result *res;
1449 struct GUID *ntds_guid;
1450 struct ldb_dn *ntds_settings_dn = NULL;
1451 const char *errstr = NULL;
1452
1453 /* see if we have a cached copy */
1454 ntds_guid = (struct GUID *)ldb_get_opaque(ldb, cache_name);
1455 if (ntds_guid != NULL) {
1456 return ntds_guid;
1457 }
1458
1459 tmp_ctx = talloc_new(ldb);
1460 if (tmp_ctx == NULL) {
1461 goto failed;
1462 }
1463
1464 ntds_settings_dn = samdb_ntds_settings_dn(ldb, tmp_ctx);
1465 if (ntds_settings_dn == NULL) {
1466 errstr = "samdb_ntds_settings_dn() returned NULL";
1467 goto failed;
1468 }
1469
1470 ret = ldb_search(ldb, tmp_ctx, &res, ntds_settings_dn,
1471 LDB_SCOPE_BASE, attrs, NULL);
1472 if (ret) {
1473 errstr = ldb_errstring(ldb);
1474 goto failed;
1475 }
1476
1477 if (res->count != 1) {
1478 errstr = "incorrect number of results from base search";
1479 goto failed;
1480 }
1481
1482 ntds_guid = talloc(tmp_ctx, struct GUID);
1483 if (ntds_guid == NULL) {
1484 goto failed;
1485 }
1486
1487 *ntds_guid = samdb_result_guid(res->msgs[0], attribute);
1488
1489 if (GUID_all_zero(ntds_guid)) {
1490 if (ldb_msg_find_ldb_val(res->msgs[0], attribute)) {
1491 errstr = "failed to find the GUID attribute";
1492 } else {
1493 errstr = "failed to parse the GUID";
1494 }
1495 goto failed;
1496 }
1497
1498 /* cache the domain_sid in the ldb */
1499 if (ldb_set_opaque(ldb, cache_name, ntds_guid) != LDB_SUCCESS) {
1500 errstr = "ldb_set_opaque() failed";
1501 goto failed;
1502 }
1503
1504 talloc_steal(ldb, ntds_guid);
1505 talloc_free(tmp_ctx);
1506
1507 return ntds_guid;
1508
1509 failed:
1510 DBG_WARNING("Failed to find our own NTDS Settings %s in the ldb: %s!\n",
1511 attribute, errstr);
1512 talloc_free(tmp_ctx);
1513 return NULL;
1514 }
1515
1516 /*
1517 work out the ntds settings objectGUID for the current open ldb
1518 */
1519 const struct GUID *samdb_ntds_objectGUID(struct ldb_context *ldb)
1520 {
1521 return samdb_ntds_GUID(ldb, "objectGUID", "cache.ntds_guid");
1522 }
1523
1524 /*
1525 work out the ntds settings invocationId for the current open ldb
1526 */
1527 const struct GUID *samdb_ntds_invocation_id(struct ldb_context *ldb)
1528 {
1529 return samdb_ntds_GUID(ldb, "invocationId", "cache.invocation_id");
1530 }
1531
1532 static bool samdb_set_ntds_GUID(struct ldb_context *ldb,
1533 const struct GUID *ntds_guid_in,
1534 const char *attribute,
1535 const char *cache_name)
1536 {
1537 TALLOC_CTX *tmp_ctx;
1538 struct GUID *ntds_guid_new;
1539 struct GUID *ntds_guid_old;
1540
1541 /* see if we have a cached copy */
1542 ntds_guid_old = (struct GUID *)ldb_get_opaque(ldb, cache_name);
1543
1544 tmp_ctx = talloc_new(ldb);
1545 if (tmp_ctx == NULL) {
1546 goto failed;
1547 }
1548
1549 ntds_guid_new = talloc(tmp_ctx, struct GUID);
1550 if (!ntds_guid_new) {
1551 goto failed;
1552 }
1553
1554 *ntds_guid_new = *ntds_guid_in;
1555
1556 /* cache the domain_sid in the ldb */
1557 if (ldb_set_opaque(ldb, cache_name, ntds_guid_new) != LDB_SUCCESS) {
1558 goto failed;
1559 }
1560
1561 talloc_steal(ldb, ntds_guid_new);
1562 talloc_free(tmp_ctx);
1563 talloc_free(ntds_guid_old);
1564
1565 return true;
1566
1567 failed:
1568 DBG_WARNING("Failed to set our own cached %s in the ldb!\n",
1569 attribute);
1570 talloc_free(tmp_ctx);
1571 return false;
1572 }
1573
1574 bool samdb_set_ntds_objectGUID(struct ldb_context *ldb, const struct GUID *ntds_guid_in)
1575 {
1576 return samdb_set_ntds_GUID(ldb,
1577 ntds_guid_in,
1578 "objectGUID",
1579 "cache.ntds_guid");
1580 }
1581
1582 bool samdb_set_ntds_invocation_id(struct ldb_context *ldb, const struct GUID *invocation_id_in)
1583 {
1584 return samdb_set_ntds_GUID(ldb,
1585 invocation_id_in,
1586 "invocationId",
1587 "cache.invocation_id");
1588 }
1589
1590 /*
1591 work out the server dn for the current open ldb
1592 */
1593 struct ldb_dn *samdb_server_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1594 {
1595 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1596 struct ldb_dn *dn;
1597 if (!tmp_ctx) {
1598 return NULL;
1599 }
1600 dn = ldb_dn_get_parent(mem_ctx, samdb_ntds_settings_dn(ldb, tmp_ctx));
1601 talloc_free(tmp_ctx);
1602 return dn;
1603
1604 }
1605
1606 /*
1607 work out the server dn for the current open ldb
1608 */
1609 struct ldb_dn *samdb_server_site_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1610 {
1611 struct ldb_dn *server_dn;
1612 struct ldb_dn *servers_dn;
1613 struct ldb_dn *server_site_dn;
1614
1615 /* TODO: there must be a saner way to do this!! */
1616 server_dn = samdb_server_dn(ldb, mem_ctx);
1617 if (!server_dn) return NULL;
1618
1619 servers_dn = ldb_dn_get_parent(mem_ctx, server_dn);
1620 talloc_free(server_dn);
1621 if (!servers_dn) return NULL;
1622
1623 server_site_dn = ldb_dn_get_parent(mem_ctx, servers_dn);
1624 talloc_free(servers_dn);
1625
1626 return server_site_dn;
1627 }
1628
1629 /*
1630 find the site name from a computers DN record
1631 */
1632 int samdb_find_site_for_computer(struct ldb_context *ldb,
1633 TALLOC_CTX *mem_ctx, struct ldb_dn *computer_dn,
1634 const char **site_name)
1635 {
1636 int ret;
1637 struct ldb_dn *dn;
1638 const struct ldb_val *rdn_val;
1639
1640 *site_name = NULL;
1641
1642 ret = samdb_reference_dn(ldb, mem_ctx, computer_dn, "serverReferenceBL", &dn);
1643 if (ret != LDB_SUCCESS) {
1644 return ret;
1645 }
1646
1647 if (!ldb_dn_remove_child_components(dn, 2)) {
1648 talloc_free(dn);
1649 return LDB_ERR_INVALID_DN_SYNTAX;
1650 }
1651
1652 rdn_val = ldb_dn_get_rdn_val(dn);
1653 if (rdn_val == NULL) {
1654 return LDB_ERR_OPERATIONS_ERROR;
1655 }
1656
1657 (*site_name) = talloc_strndup(mem_ctx, (const char *)rdn_val->data, rdn_val->length);
1658 talloc_free(dn);
1659 if (!*site_name) {
1660 return LDB_ERR_OPERATIONS_ERROR;
1661 }
1662 return LDB_SUCCESS;
1663 }
1664
1665 /*
1666 find the NTDS GUID from a computers DN record
1667 */
1668 int samdb_find_ntdsguid_for_computer(struct ldb_context *ldb, struct ldb_dn *computer_dn,
1669 struct GUID *ntds_guid)
1670 {
1671 int ret;
1672 struct ldb_dn *dn;
1673
1674 *ntds_guid = GUID_zero();
1675
1676 ret = samdb_reference_dn(ldb, ldb, computer_dn, "serverReferenceBL", &dn);
1677 if (ret != LDB_SUCCESS) {
1678 return ret;
1679 }
1680
1681 if (!ldb_dn_add_child_fmt(dn, "CN=NTDS Settings")) {
1682 talloc_free(dn);
1683 return LDB_ERR_OPERATIONS_ERROR;
1684 }
1685
1686 ret = dsdb_find_guid_by_dn(ldb, dn, ntds_guid);
1687 talloc_free(dn);
1688 return ret;
1689 }
1690
1691 /*
1692 find a 'reference' DN that points at another object
1693 (eg. serverReference, rIDManagerReference etc)
1694 */
1695 int samdb_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *base,
1696 const char *attribute, struct ldb_dn **dn)
1697 {
1698 const char *attrs[2];
1699 struct ldb_result *res;
1700 int ret;
1701
1702 attrs[0] = attribute;
1703 attrs[1] = NULL;
1704
1705 ret = dsdb_search(ldb, mem_ctx, &res, base, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_ONE_ONLY|DSDB_SEARCH_SHOW_EXTENDED_DN, NULL);
1706 if (ret != LDB_SUCCESS) {
1707 ldb_asprintf_errstring(ldb, "Cannot find DN %s to get attribute %s for reference dn: %s",
1708 ldb_dn_get_linearized(base), attribute, ldb_errstring(ldb));
1709 return ret;
1710 }
1711
1712 *dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0], attribute);
1713 if (!*dn) {
1714 if (!ldb_msg_find_element(res->msgs[0], attribute)) {
1715 ldb_asprintf_errstring(ldb, "Cannot find attribute %s of %s to calculate reference dn", attribute,
1716 ldb_dn_get_linearized(base));
1717 } else {
1718 ldb_asprintf_errstring(ldb, "Cannot interpret attribute %s of %s as a dn", attribute,
1719 ldb_dn_get_linearized(base));
1720 }
1721 talloc_free(res);
1722 return LDB_ERR_NO_SUCH_ATTRIBUTE;
1723 }
1724
1725 talloc_free(res);
1726 return LDB_SUCCESS;
1727 }
1728
1729 /*
1730 find if a DN (must have GUID component!) is our ntdsDsa
1731 */
1732 int samdb_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *dn, bool *is_ntdsa)
1733 {
1734 NTSTATUS status;
1735 struct GUID dn_guid;
1736 const struct GUID *our_ntds_guid;
1737 status = dsdb_get_extended_dn_guid(dn, &dn_guid, "GUID");
1738 if (!NT_STATUS_IS_OK(status)) {
1739 return LDB_ERR_OPERATIONS_ERROR;
1740 }
1741
1742 our_ntds_guid = samdb_ntds_objectGUID(ldb);
1743 if (!our_ntds_guid) {
1744 DEBUG(0, ("Failed to find our NTDS Settings GUID for comparison with %s - %s\n", ldb_dn_get_linearized(dn), ldb_errstring(ldb)));
1745 return LDB_ERR_OPERATIONS_ERROR;
1746 }
1747
1748 *is_ntdsa = GUID_equal(&dn_guid, our_ntds_guid);
1749 return LDB_SUCCESS;
1750 }
1751
1752 /*
1753 find a 'reference' DN that points at another object and indicate if it is our ntdsDsa
1754 */
1755 int samdb_reference_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *base,
1756 const char *attribute, bool *is_ntdsa)
1757 {
1758 int ret;
1759 struct ldb_dn *referenced_dn;
1760 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
1761 if (tmp_ctx == NULL) {
1762 return LDB_ERR_OPERATIONS_ERROR;
1763 }
1764 ret = samdb_reference_dn(ldb, tmp_ctx, base, attribute, &referenced_dn);
1765 if (ret != LDB_SUCCESS) {
1766 DEBUG(0, ("Failed to find object %s for attribute %s - %s\n", ldb_dn_get_linearized(base), attribute, ldb_errstring(ldb)));
1767 return ret;
1768 }
1769
1770 ret = samdb_dn_is_our_ntdsa(ldb, referenced_dn, is_ntdsa);
1771
1772 talloc_free(tmp_ctx);
1773 return ret;
1774 }
1775
1776 /*
1777 find our machine account via the serverReference attribute in the
1778 server DN
1779 */
1780 int samdb_server_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1781 {
1782 struct ldb_dn *server_dn;
1783 int ret;
1784
1785 server_dn = samdb_server_dn(ldb, mem_ctx);
1786 if (server_dn == NULL) {
1787 return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__);
1788 }
1789
1790 ret = samdb_reference_dn(ldb, mem_ctx, server_dn, "serverReference", dn);
1791 talloc_free(server_dn);
1792
1793 return ret;
1794 }
1795
1796 /*
1797 find the RID Manager$ DN via the rIDManagerReference attribute in the
1798 base DN
1799 */
1800 int samdb_rid_manager_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1801 {
1802 return samdb_reference_dn(ldb, mem_ctx, ldb_get_default_basedn(ldb),
1803 "rIDManagerReference", dn);
1804 }
1805
1806 /*
1807 find the RID Set DN via the rIDSetReferences attribute in our
1808 machine account DN
1809 */
1810 int samdb_rid_set_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1811 {
1812 struct ldb_dn *server_ref_dn = NULL;
1813 int ret;
1814
1815 ret = samdb_server_reference_dn(ldb, mem_ctx, &server_ref_dn);
1816 if (ret != LDB_SUCCESS) {
1817 return ret;
1818 }
1819 ret = samdb_reference_dn(ldb, mem_ctx, server_ref_dn, "rIDSetReferences", dn);
1820 talloc_free(server_ref_dn);
1821 return ret;
1822 }
1823
1824 const char *samdb_server_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1825 {
1826 const struct ldb_val *val = ldb_dn_get_rdn_val(samdb_server_site_dn(ldb,
1827 mem_ctx));
1828
1829 if (val == NULL) {
1830 return NULL;
1831 }
1832
1833 return (const char *) val->data;
1834 }
1835
1836 /*
1837 * Finds the client site by using the client's IP address.
1838 * The "subnet_name" returns the name of the subnet if parameter != NULL
1839 *
1840 * Has a Windows-based fallback to provide the only site available, or an empty
1841 * string if there are multiple sites.
1842 */
1843 const char *samdb_client_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
1844 const char *ip_address, char **subnet_name,
1845 bool fallback)
1846 {
1847 const char *attrs[] = { "cn", "siteObject", NULL };
1848 struct ldb_dn *sites_container_dn = NULL;
1849 struct ldb_dn *subnets_dn = NULL;
1850 struct ldb_dn *sites_dn = NULL;
1851 struct ldb_result *res = NULL;
1852 const struct ldb_val *val = NULL;
1853 const char *site_name = NULL;
1854 const char *l_subnet_name = NULL;
1855 const char *allow_list[2] = { NULL, NULL };
1856 unsigned int i, count;
1857 int ret;
1858
1859 /*
1860 * if we don't have a client ip e.g. ncalrpc
1861 * the server site is the client site
1862 */
1863 if (ip_address == NULL) {
1864 return samdb_server_site_name(ldb, mem_ctx);
1865 }
1866
1867 sites_container_dn = samdb_sites_dn(ldb, mem_ctx);
1868 if (sites_container_dn == NULL) {
1869 goto exit;
1870 }
1871
1872 subnets_dn = ldb_dn_copy(mem_ctx, sites_container_dn);
1873 if ( ! ldb_dn_add_child_fmt(subnets_dn, "CN=Subnets")) {
1874 goto exit;
1875 }
1876
1877 ret = ldb_search(ldb, mem_ctx, &res, subnets_dn, LDB_SCOPE_ONELEVEL,
1878 attrs, NULL);
1879 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
1880 count = 0;
1881 } else if (ret != LDB_SUCCESS) {
1882 goto exit;
1883 } else {
1884 count = res->count;
1885 }
1886
1887 for (i = 0; i < count; i++) {
1888 l_subnet_name = ldb_msg_find_attr_as_string(res->msgs[i], "cn",
1889 NULL);
1890
1891 allow_list[0] = l_subnet_name;
1892
1893 if (allow_access_nolog(NULL, allow_list, "", ip_address)) {
1894 sites_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx,
1895 res->msgs[i],
1896 "siteObject");
1897 if (sites_dn == NULL) {
1898 /* No reference, maybe another subnet matches */
1899 continue;
1900 }
1901
1902 /* "val" cannot be NULL here since "sites_dn" != NULL */
1903 val = ldb_dn_get_rdn_val(sites_dn);
1904 site_name = talloc_strdup(mem_ctx,
1905 (const char *) val->data);
1906
1907 TALLOC_FREE(sites_dn);
1908
1909 break;
1910 }
1911 }
1912
1913 if (site_name == NULL && fallback) {
1914 /* This is the Windows Server fallback rule: when no subnet
1915 * exists and we have only one site available then use it (it
1916 * is for sure the same as our server site). If more sites do
1917 * exist then we don't know which one to use and set the site
1918 * name to "". */
1919 size_t cnt = 0;
1920 ret = dsdb_domain_count(
1921 ldb,
1922 &cnt,
1923 sites_container_dn,
1924 NULL,
1925 LDB_SCOPE_SUBTREE,
1926 "(objectClass=site)");
1927 if (ret != LDB_SUCCESS) {
1928 goto exit;
1929 }
1930 if (cnt == 1) {
1931 site_name = samdb_server_site_name(ldb, mem_ctx);
1932 } else {
1933 site_name = talloc_strdup(mem_ctx, "");
1934 }
1935 l_subnet_name = NULL;
1936 }
1937
1938 if (subnet_name != NULL) {
1939 *subnet_name = talloc_strdup(mem_ctx, l_subnet_name);
1940 }
1941
1942 exit:
1943 TALLOC_FREE(sites_container_dn);
1944 TALLOC_FREE(subnets_dn);
1945 TALLOC_FREE(res);
1946
1947 return site_name;
1948 }
1949
1950 /*
1951 work out if we are the PDC for the domain of the current open ldb
1952 */
1953 bool samdb_is_pdc(struct ldb_context *ldb)
1954 {
1955 int ret;
1956 bool is_pdc;
1957
1958 ret = samdb_reference_dn_is_our_ntdsa(ldb, ldb_get_default_basedn(ldb), "fsmoRoleOwner",
1959 &is_pdc);
1960 if (ret != LDB_SUCCESS) {
1961 DEBUG(1,("Failed to find if we are the PDC for this ldb: Searching for fSMORoleOwner in %s failed: %s\n",
1962 ldb_dn_get_linearized(ldb_get_default_basedn(ldb)),
1963 ldb_errstring(ldb)));
1964 return false;
1965 }
1966
1967 return is_pdc;
1968 }
1969
1970 /*
1971 work out if we are a Global Catalog server for the domain of the current open ldb
1972 */
1973 bool samdb_is_gc(struct ldb_context *ldb)
1974 {
1975 uint32_t options = 0;
1976 if (samdb_ntds_options(ldb, &options) != LDB_SUCCESS) {
1977 return false;
1978 }
1979 return (options & DS_NTDSDSA_OPT_IS_GC) != 0;
1980 }
1981
1982 /* Find a domain object in the parents of a particular DN. */
1983 int samdb_search_for_parent_domain(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
1984 struct ldb_dn **parent_dn, const char **errstring)
1985 {
1986 TALLOC_CTX *local_ctx;
1987 struct ldb_dn *sdn = dn;
1988 struct ldb_result *res = NULL;
1989 int ret = LDB_SUCCESS;
1990 const char *attrs[] = { NULL };
1991
1992 local_ctx = talloc_new(mem_ctx);
1993 if (local_ctx == NULL) return ldb_oom(ldb);
1994
1995 while ((sdn = ldb_dn_get_parent(local_ctx, sdn))) {
1996 ret = ldb_search(ldb, local_ctx, &res, sdn, LDB_SCOPE_BASE, attrs,
1997 "(|(objectClass=domain)(objectClass=builtinDomain))");
1998 if (ret == LDB_SUCCESS) {
1999 if (res->count == 1) {
2000 break;
2001 }
2002 } else {
2003 break;
2004 }
2005 }
2006
2007 if (ret != LDB_SUCCESS) {
2008 *errstring = talloc_asprintf(mem_ctx, "Error searching for parent domain of %s, failed searching for %s: %s",
2009 ldb_dn_get_linearized(dn),
2010 ldb_dn_get_linearized(sdn),
2011 ldb_errstring(ldb));
2012 talloc_free(local_ctx);
2013 return ret;
2014 }
2015 /* should never be true with 'ret=LDB_SUCCESS', here to satisfy clang */
2016 if (res == NULL) {
2017 talloc_free(local_ctx);
2018 return LDB_ERR_OTHER;
2019 }
2020 if (res->count != 1) {
2021 *errstring = talloc_asprintf(mem_ctx, "Invalid dn (%s), not child of a domain object",
2022 ldb_dn_get_linearized(dn));
2023 DEBUG(0,(__location__ ": %s\n", *errstring));
2024 talloc_free(local_ctx);
2025 return LDB_ERR_CONSTRAINT_VIOLATION;
2026 }
2027
2028 *parent_dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
2029 talloc_free(local_ctx);
2030 return ret;
2031 }
2032
2033 static void pwd_timeout_debug(struct tevent_context *unused1,
2034 struct tevent_timer *unused2,
2035 struct timeval unused3,
2036 void *unused4)
2037 {
2038 DEBUG(0, ("WARNING: check_password_complexity: password script "
2039 "took more than 1 second to run\n"));
2040 }
2041
2042
2043 /*
2044 * Performs checks on a user password (plaintext UNIX format - attribute
2045 * "password"). The remaining parameters have to be extracted from the domain
2046 * object in the AD.
2047 *
2048 * Result codes from "enum samr_ValidationStatus" (consider "samr.idl")
2049 */
2050 enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx,
2051 struct loadparm_context *lp_ctx,
2052 const char *account_name,
2053 const char *user_principal_name,
2054 const char *full_name,
2055 const DATA_BLOB *utf8_blob,
2056 const uint32_t pwdProperties,
2057 const uint32_t minPwdLength)
2058 {
2059 const struct loadparm_substitution *lp_sub =
2060 lpcfg_noop_substitution();
2061 char *password_script = NULL;
2062 const char *utf8_pw = (const char *)utf8_blob->data;
2063
2064 /*
2065 * This looks strange because it is.
2066 *
2067 * The check for the number of characters in the password
2068 * should clearly not be against the byte length, or else a
2069 * single UTF8 character would count for more than one.
2070 *
2071 * We have chosen to use the number of 16-bit units that the
2072 * password encodes to as the measure of length. This is not
2073 * the same as the number of codepoints, if a password
2074 * contains a character beyond the Basic Multilingual Plane
2075 * (above 65535) it will count for more than one "character".
2076 */
2077
2078 size_t password_characters_roughly = strlen_m(utf8_pw);
2079
2080 /* checks if the "minPwdLength" property is satisfied */
2081 if (minPwdLength > password_characters_roughly) {
2082 return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
2083 }
2084
2085 /* We might not be asked to check the password complexity */
2086 if (!(pwdProperties & DOMAIN_PASSWORD_COMPLEX)) {
2087 return SAMR_VALIDATION_STATUS_SUCCESS;
2088 }
2089
2090 if (password_characters_roughly == 0) {
2091 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
2092 }
2093
2094 password_script = lpcfg_check_password_script(lp_ctx, lp_sub, mem_ctx);
2095 if (password_script != NULL && *password_script != '\0') {
2096 int check_ret = 0;
2097 int error = 0;
2098 ssize_t nwritten = 0;
2099 struct tevent_context *event_ctx = NULL;
2100 struct tevent_req *req = NULL;
2101 int cps_stdin = -1;
2102 const char * const cmd[4] = {
2103 "/bin/sh", "-c",
2104 password_script,
2105 NULL
2106 };
2107
2108 event_ctx = tevent_context_init(mem_ctx);
2109 if (event_ctx == NULL) {
2110 TALLOC_FREE(password_script);
2111 return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
2112 }
2113
2114 /* Gives a warning after 1 second, terminates after 10 */
2115 tevent_add_timer(event_ctx, event_ctx,
2116 tevent_timeval_current_ofs(1, 0),
2117 pwd_timeout_debug, NULL);
2118
2119 check_ret = setenv("SAMBA_CPS_ACCOUNT_NAME", account_name, 1);
2120 if (check_ret != 0) {
2121 TALLOC_FREE(password_script);
2122 TALLOC_FREE(event_ctx);
2123 return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
2124 }
2125 if (user_principal_name != NULL) {
2126 check_ret = setenv("SAMBA_CPS_USER_PRINCIPAL_NAME",
2127 user_principal_name, 1);
2128 } else {
2129 unsetenv("SAMBA_CPS_USER_PRINCIPAL_NAME");
2130 }
2131 if (check_ret != 0) {
2132 TALLOC_FREE(password_script);
2133 TALLOC_FREE(event_ctx);
2134 return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
2135 }
2136 if (full_name != NULL) {
2137 check_ret = setenv("SAMBA_CPS_FULL_NAME", full_name, 1);
2138 } else {
2139 unsetenv("SAMBA_CPS_FULL_NAME");
2140 }
2141 if (check_ret != 0) {
2142 TALLOC_FREE(password_script);
2143 TALLOC_FREE(event_ctx);
2144 return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
2145 }
2146
2147 req = samba_runcmd_send(event_ctx, event_ctx,
2148 tevent_timeval_current_ofs(10, 0),
2149 100, 100, cmd, NULL);
2150 unsetenv("SAMBA_CPS_ACCOUNT_NAME");
2151 unsetenv("SAMBA_CPS_USER_PRINCIPAL_NAME");
2152 unsetenv("SAMBA_CPS_FULL_NAME");
2153 if (req == NULL) {
2154 TALLOC_FREE(password_script);
2155 TALLOC_FREE(event_ctx);
2156 return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
2157 }
2158
2159 cps_stdin = samba_runcmd_export_stdin(req);
2160
2161 nwritten = write_data(
2162 cps_stdin, utf8_blob->data, utf8_blob->length);
2163 if (nwritten == -1) {
2164 close(cps_stdin);
2165 TALLOC_FREE(password_script);
2166 TALLOC_FREE(event_ctx);
2167 return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
2168 }
2169
2170 close(cps_stdin);
2171
2172 if (!tevent_req_poll(req, event_ctx)) {
2173 TALLOC_FREE(password_script);
2174 TALLOC_FREE(event_ctx);
2175 return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
2176 }
2177
2178 check_ret = samba_runcmd_recv(req, &error);
2179 TALLOC_FREE(event_ctx);
2180
2181 if (error == ETIMEDOUT) {
2182 DEBUG(0, ("check_password_complexity: check password script took too long!\n"));
2183 TALLOC_FREE(password_script);
2184 return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
2185 }
2186 DEBUG(5,("check_password_complexity: check password script (%s) "
2187 "returned [%d]\n", password_script, check_ret));
2188
2189 if (check_ret != 0) {
2190 DEBUG(1,("check_password_complexity: "
2191 "check password script said new password is not good "
2192 "enough!\n"));
2193 TALLOC_FREE(password_script);
2194 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
2195 }
2196
2197 TALLOC_FREE(password_script);
2198 return SAMR_VALIDATION_STATUS_SUCCESS;
2199 }
2200
2201 TALLOC_FREE(password_script);
2202
2203 /*
2204 * Here are the standard AD password quality rules, which we
2205 * run after the script.
2206 */
2207
2208 if (!check_password_quality(utf8_pw)) {
2209 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
2210 }
2211
2212 return SAMR_VALIDATION_STATUS_SUCCESS;
2213 }
2214
2215 /*
2216 * Callback for "samdb_set_password" password change
2217 */
2218 int samdb_set_password_callback(struct ldb_request *req, struct ldb_reply *ares)
2219 {
2220 int ret;
2221
2222 if (!ares) {
2223 return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
2224 }
2225
2226 if (ares->error != LDB_SUCCESS) {
2227 ret = ares->error;
2228 req->context = talloc_steal(req,
2229 ldb_reply_get_control(ares, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID));
2230 talloc_free(ares);
2231 return ldb_request_done(req, ret);
2232 }
2233
2234 if (ares->type != LDB_REPLY_DONE) {
2235 talloc_free(ares);
2236 return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
2237 }
2238
2239 req->context = talloc_steal(req,
2240 ldb_reply_get_control(ares, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID));
2241 talloc_free(ares);
2242 return ldb_request_done(req, LDB_SUCCESS);
2243 }
2244
2245 /*
2246 * Sets the user password using plaintext UTF16 (attribute "new_password") or
2247 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
2248 * the old LM and/or NT hash (attributes "lmOldHash"/"ntOldHash") if it is a
2249 * user change or not. The "rejectReason" gives some more information if the
2250 * change failed.
2251 *
2252 * Results: NT_STATUS_OK, NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
2253 * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION
2254 */
2255 static NTSTATUS samdb_set_password_internal(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
2256 struct ldb_dn *user_dn, struct ldb_dn *domain_dn,
2257 const DATA_BLOB *new_password,
2258 const struct samr_Password *lmNewHash,
2259 const struct samr_Password *ntNewHash,
2260 const struct samr_Password *lmOldHash,
2261 const struct samr_Password *ntOldHash,
2262 enum samPwdChangeReason *reject_reason,
2263 struct samr_DomInfo1 **_dominfo,
2264 bool permit_interdomain_trust)
2265 {
2266 struct ldb_message *msg;
2267 struct ldb_message_element *el;
2268 struct ldb_request *req;
2269 struct dsdb_control_password_change_status *pwd_stat = NULL;
2270 int ret;
2271 bool hash_values = false;
2272 NTSTATUS status = NT_STATUS_OK;
2273
2274 #define CHECK_RET(x) \
2275 if (x != LDB_SUCCESS) { \
2276 talloc_free(msg); \
2277 return NT_STATUS_NO_MEMORY; \
2278 }
2279
2280 msg = ldb_msg_new(mem_ctx);
2281 if (msg == NULL) {
2282 return NT_STATUS_NO_MEMORY;
2283 }
2284 msg->dn = user_dn;
2285 if ((new_password != NULL)
2286 && ((lmNewHash == NULL) && (ntNewHash == NULL))) {
2287 /* we have the password as plaintext UTF16 */
2288 CHECK_RET(ldb_msg_add_value(msg, "clearTextPassword",
2289 new_password, NULL));
2290 el = ldb_msg_find_element(msg, "clearTextPassword");
2291 el->flags = LDB_FLAG_MOD_REPLACE;
2292 } else if ((new_password == NULL)
2293 && ((lmNewHash != NULL) || (ntNewHash != NULL))) {
2294 /* we have a password as LM and/or NT hash */
2295 if (lmNewHash != NULL) {
2296 CHECK_RET(samdb_msg_add_hash(ldb, mem_ctx, msg,
2297 "dBCSPwd", lmNewHash));
2298 el = ldb_msg_find_element(msg, "dBCSPwd");
2299 el->flags = LDB_FLAG_MOD_REPLACE;
2300 }
2301 if (ntNewHash != NULL) {
2302 CHECK_RET(samdb_msg_add_hash(ldb, mem_ctx, msg,
2303 "unicodePwd", ntNewHash));
2304 el = ldb_msg_find_element(msg, "unicodePwd");
2305 el->flags = LDB_FLAG_MOD_REPLACE;
2306 }
2307 hash_values = true;
2308 } else {
2309 /* the password wasn't specified correctly */
2310 talloc_free(msg);
2311 return NT_STATUS_INVALID_PARAMETER;
2312 }
2313
2314 /* build modify request */
2315 ret = ldb_build_mod_req(&req, ldb, mem_ctx, msg, NULL, NULL,
2316 samdb_set_password_callback, NULL);
2317 if (ret != LDB_SUCCESS) {
2318 talloc_free(msg);
2319 return NT_STATUS_NO_MEMORY;
2320 }
2321
2322 /* A password change operation */
2323 if ((ntOldHash != NULL) || (lmOldHash != NULL)) {
2324 struct dsdb_control_password_change *change;
2325
2326 change = talloc(req, struct dsdb_control_password_change);
2327 if (change == NULL) {
2328 talloc_free(req);
2329 talloc_free(msg);
2330 return NT_STATUS_NO_MEMORY;
2331 }
2332
2333 change->old_nt_pwd_hash = ntOldHash;
2334 change->old_lm_pwd_hash = lmOldHash;
2335
2336 ret = ldb_request_add_control(req,
2337 DSDB_CONTROL_PASSWORD_CHANGE_OID,
2338 true, change);
2339 if (ret != LDB_SUCCESS) {
2340 talloc_free(req);
2341 talloc_free(msg);
2342 return NT_STATUS_NO_MEMORY;
2343 }
2344 }
2345 if (hash_values) {
2346 ret = ldb_request_add_control(req,
2347 DSDB_CONTROL_PASSWORD_HASH_VALUES_OID,
2348 true, NULL);
2349 if (ret != LDB_SUCCESS) {
2350 talloc_free(req);
2351 talloc_free(msg);
2352 return NT_STATUS_NO_MEMORY;
2353 }
2354 }
2355 if (permit_interdomain_trust) {
2356 ret = ldb_request_add_control(req,
2357 DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID,
2358 false, NULL);
2359 if (ret != LDB_SUCCESS) {
2360 talloc_free(req);
2361 talloc_free(msg);
2362 return NT_STATUS_NO_MEMORY;
2363 }
2364 }
2365 ret = ldb_request_add_control(req,
2366 DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID,
2367 true, NULL);
2368 if (ret != LDB_SUCCESS) {
2369 talloc_free(req);
2370 talloc_free(msg);
2371 return NT_STATUS_NO_MEMORY;
2372 }
2373
2374 ret = dsdb_autotransaction_request(ldb, req);
2375
2376 if (req->context != NULL) {
2377 struct ldb_control *control = talloc_get_type_abort(req->context,
2378 struct ldb_control);
2379 pwd_stat = talloc_get_type_abort(control->data,
2380 struct dsdb_control_password_change_status);
2381 talloc_steal(mem_ctx, pwd_stat);
2382 }
2383
2384 talloc_free(req);
2385 talloc_free(msg);
2386
2387 /* Sets the domain info (if requested) */
2388 if (_dominfo != NULL) {
2389 struct samr_DomInfo1 *dominfo;
2390
2391 dominfo = talloc_zero(mem_ctx, struct samr_DomInfo1);
2392 if (dominfo == NULL) {
2393 return NT_STATUS_NO_MEMORY;
2394 }
2395
2396 if (pwd_stat != NULL) {
2397 dominfo->min_password_length = pwd_stat->domain_data.minPwdLength;
2398 dominfo->password_properties = pwd_stat->domain_data.pwdProperties;
2399 dominfo->password_history_length = pwd_stat->domain_data.pwdHistoryLength;
2400 dominfo->max_password_age = pwd_stat->domain_data.maxPwdAge;
2401 dominfo->min_password_age = pwd_stat->domain_data.minPwdAge;
2402 }
2403
2404 *_dominfo = dominfo;
2405 }
2406
2407 if (reject_reason != NULL) {
2408 if (pwd_stat != NULL) {
2409 *reject_reason = pwd_stat->reject_reason;
2410 } else {
2411 *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
2412 }
2413 }
2414
2415 if (pwd_stat != NULL) {
2416 talloc_free(pwd_stat);
2417 }
2418
2419 if (ret == LDB_ERR_CONSTRAINT_VIOLATION) {
2420 const char *errmsg = ldb_errstring(ldb);
2421 char *endptr = NULL;
2422 WERROR werr = WERR_GEN_FAILURE;
2423 status = NT_STATUS_UNSUCCESSFUL;
2424 if (errmsg != NULL) {
2425 werr = W_ERROR(strtol(errmsg, &endptr, 16));
2426 DBG_WARNING("%s\n", errmsg);
2427 }
2428 if (endptr != errmsg) {
2429 if (W_ERROR_EQUAL(werr, WERR_INVALID_PASSWORD)) {
2430 status = NT_STATUS_WRONG_PASSWORD;
2431 }
2432 if (W_ERROR_EQUAL(werr, WERR_PASSWORD_RESTRICTION)) {
2433 status = NT_STATUS_PASSWORD_RESTRICTION;
2434 }
2435 }
2436 } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2437 /* don't let the caller know if an account doesn't exist */
2438 status = NT_STATUS_WRONG_PASSWORD;
2439 } else if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
2440 status = NT_STATUS_ACCESS_DENIED;
2441 } else if (ret != LDB_SUCCESS) {
2442 DEBUG(1, ("Failed to set password on %s: %s\n",
2443 ldb_dn_get_linearized(user_dn),
2444 ldb_errstring(ldb)));
2445 status = NT_STATUS_UNSUCCESSFUL;
2446 }
2447
2448 return status;
2449 }
2450
2451 NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
2452 struct ldb_dn *user_dn, struct ldb_dn *domain_dn,
2453 const DATA_BLOB *new_password,
2454 const struct samr_Password *lmNewHash,
2455 const struct samr_Password *ntNewHash,
2456 const struct samr_Password *lmOldHash,
2457 const struct samr_Password *ntOldHash,
2458 enum samPwdChangeReason *reject_reason,
2459 struct samr_DomInfo1 **_dominfo)
2460 {
2461 return samdb_set_password_internal(ldb, mem_ctx,
2462 user_dn, domain_dn,
2463 new_password,
2464 lmNewHash, ntNewHash,
2465 lmOldHash, ntOldHash,
2466 reject_reason, _dominfo,
2467 false); /* reject trusts */
2468 }
2469
2470 /*
2471 * Sets the user password using plaintext UTF16 (attribute "new_password") or
2472 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
2473 * the old LM and/or NT hash (attributes "lmOldHash"/"ntOldHash") if it is a
2474 * user change or not. The "rejectReason" gives some more information if the
2475 * change failed.
2476 *
2477 * This wrapper function for "samdb_set_password" takes a SID as input rather
2478 * than a user DN.
2479 *
2480 * This call encapsulates a new LDB transaction for changing the password;
2481 * therefore the user hasn't to start a new one.
2482 *
2483 * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
2484 * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
2485 * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION,
2486 * NT_STATUS_TRANSACTION_ABORTED, NT_STATUS_NO_SUCH_USER
2487 */
2488 NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
2489 const struct dom_sid *user_sid,
2490 const uint32_t *new_version, /* optional for trusts */
2491 const DATA_BLOB *new_password,
2492 const struct samr_Password *lmNewHash,
2493 const struct samr_Password *ntNewHash,
2494 const struct samr_Password *lmOldHash,
2495 const struct samr_Password *ntOldHash,
2496 enum samPwdChangeReason *reject_reason,
2497 struct samr_DomInfo1 **_dominfo)
2498 {
2499 TALLOC_CTX *frame = talloc_stackframe();
2500 NTSTATUS nt_status;
2501 const char * const user_attrs[] = {
2502 "userAccountControl",
2503 "sAMAccountName",
2504 NULL
2505 };
2506 struct ldb_message *user_msg = NULL;
2507 int ret;
2508 uint32_t uac = 0;
2509
2510 ret = ldb_transaction_start(ldb);
2511 if (ret != LDB_SUCCESS) {
2512 DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(ldb)));
2513 TALLOC_FREE(frame);
2514 return NT_STATUS_TRANSACTION_ABORTED;
2515 }
2516
2517 ret = dsdb_search_one(ldb, frame, &user_msg, ldb_get_default_basedn(ldb),
2518 LDB_SCOPE_SUBTREE, user_attrs, 0,
2519 "(&(objectSid=%s)(objectClass=user))",
2520 ldap_encode_ndr_dom_sid(frame, user_sid));
2521 if (ret != LDB_SUCCESS) {
2522 ldb_transaction_cancel(ldb);
2523 DEBUG(3, ("samdb_set_password_sid: SID[%s] not found in samdb %s - %s, "
2524 "returning NO_SUCH_USER\n",
2525 dom_sid_string(frame, user_sid),
2526 ldb_strerror(ret), ldb_errstring(ldb)));
2527 TALLOC_FREE(frame);
2528 return NT_STATUS_NO_SUCH_USER;
2529 }
2530
2531 uac = ldb_msg_find_attr_as_uint(user_msg, "userAccountControl", 0);
2532 if (!(uac & UF_ACCOUNT_TYPE_MASK)) {
2533 ldb_transaction_cancel(ldb);
2534 DEBUG(1, ("samdb_set_password_sid: invalid "
2535 "userAccountControl[0x%08X] for SID[%s] DN[%s], "
2536 "returning NO_SUCH_USER\n",
2537 (unsigned)uac, dom_sid_string(frame, user_sid),
2538 ldb_dn_get_linearized(user_msg->dn)));
2539 TALLOC_FREE(frame);
2540 return NT_STATUS_NO_SUCH_USER;
2541 }
2542
2543 if (uac & UF_INTERDOMAIN_TRUST_ACCOUNT) {
2544 const char * const tdo_attrs[] = {
2545 "trustAuthIncoming",
2546 "trustDirection",
2547 NULL
2548 };
2549 struct ldb_message *tdo_msg = NULL;
2550 const char *account_name = NULL;
2551 uint32_t trust_direction;
2552 uint32_t i;
2553 const struct ldb_val *old_val = NULL;
2554 struct trustAuthInOutBlob old_blob = {
2555 .count = 0,
2556 };
2557 uint32_t old_version = 0;
2558 struct AuthenticationInformation *old_version_a = NULL;
2559 uint32_t _new_version = 0;
2560 struct trustAuthInOutBlob new_blob = {
2561 .count = 0,
2562 };
2563 struct ldb_val new_val = {
2564 .length = 0,
2565 };
2566 struct timeval tv = timeval_current();
2567 NTTIME now = timeval_to_nttime(&tv);
2568 enum ndr_err_code ndr_err;
2569
2570 if (new_password == NULL && ntNewHash == NULL) {
2571 ldb_transaction_cancel(ldb);
2572 DEBUG(1, ("samdb_set_password_sid: "
2573 "no new password provided "
2574 "sAMAccountName for SID[%s] DN[%s], "
2575 "returning INVALID_PARAMETER\n",
2576 dom_sid_string(frame, user_sid),
2577 ldb_dn_get_linearized(user_msg->dn)));
2578 TALLOC_FREE(frame);
2579 return NT_STATUS_INVALID_PARAMETER;
2580 }
2581
2582 if (new_password != NULL && ntNewHash != NULL) {
2583 ldb_transaction_cancel(ldb);
2584 DEBUG(1, ("samdb_set_password_sid: "
2585 "two new passwords provided "
2586 "sAMAccountName for SID[%s] DN[%s], "
2587 "returning INVALID_PARAMETER\n",
2588 dom_sid_string(frame, user_sid),
2589 ldb_dn_get_linearized(user_msg->dn)));
2590 TALLOC_FREE(frame);
2591 return NT_STATUS_INVALID_PARAMETER;
2592 }
2593
2594 if (new_password != NULL && (new_password->length % 2)) {
2595 ldb_transaction_cancel(ldb);
2596 DEBUG(2, ("samdb_set_password_sid: "
2597 "invalid utf16 length (%zu) "
2598 "sAMAccountName for SID[%s] DN[%s], "
2599 "returning WRONG_PASSWORD\n",
2600 new_password->length,
2601 dom_sid_string(frame, user_sid),
2602 ldb_dn_get_linearized(user_msg->dn)));
2603 TALLOC_FREE(frame);
2604 return NT_STATUS_WRONG_PASSWORD;
2605 }
2606
2607 if (new_password != NULL && new_password->length >= 500) {
2608 ldb_transaction_cancel(ldb);
2609 DEBUG(2, ("samdb_set_password_sid: "
2610 "utf16 password too long (%zu) "
2611 "sAMAccountName for SID[%s] DN[%s], "
2612 "returning WRONG_PASSWORD\n",
2613 new_password->length,
2614 dom_sid_string(frame, user_sid),
2615 ldb_dn_get_linearized(user_msg->dn)));
2616 TALLOC_FREE(frame);
2617 return NT_STATUS_WRONG_PASSWORD;
2618 }
2619
2620 account_name = ldb_msg_find_attr_as_string(user_msg,
2621 "sAMAccountName", NULL);
2622 if (account_name == NULL) {
2623 ldb_transaction_cancel(ldb);
2624 DEBUG(1, ("samdb_set_password_sid: missing "
2625 "sAMAccountName for SID[%s] DN[%s], "
2626 "returning NO_SUCH_USER\n",
2627 dom_sid_string(frame, user_sid),
2628 ldb_dn_get_linearized(user_msg->dn)));
2629 TALLOC_FREE(frame);
2630 return NT_STATUS_NO_SUCH_USER;
2631 }
2632
2633 nt_status = dsdb_trust_search_tdo_by_type(ldb,
2634 SEC_CHAN_DOMAIN,
2635 account_name,
2636 tdo_attrs,
2637 frame, &tdo_msg);
2638 if (!NT_STATUS_IS_OK(nt_status)) {
2639 ldb_transaction_cancel(ldb);
2640 DEBUG(1, ("samdb_set_password_sid: dsdb_trust_search_tdo "
2641 "failed(%s) for sAMAccountName[%s] SID[%s] DN[%s], "
2642 "returning INTERNAL_DB_CORRUPTION\n",
2643 nt_errstr(nt_status), account_name,
2644 dom_sid_string(frame, user_sid),
2645 ldb_dn_get_linearized(user_msg->dn)));
2646 TALLOC_FREE(frame);
2647 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2648 }
2649
2650 trust_direction = ldb_msg_find_attr_as_int(tdo_msg,
2651 "trustDirection", 0);
2652 if (!(trust_direction & LSA_TRUST_DIRECTION_INBOUND)) {
2653 ldb_transaction_cancel(ldb);
2654 DEBUG(1, ("samdb_set_password_sid: direction[0x%08X] is "
2655 "not inbound for sAMAccountName[%s] "
2656 "DN[%s] TDO[%s], "
2657 "returning INTERNAL_DB_CORRUPTION\n",
2658 (unsigned)trust_direction,
2659 account_name,
2660 ldb_dn_get_linearized(user_msg->dn),
2661 ldb_dn_get_linearized(tdo_msg->dn)));
2662 TALLOC_FREE(frame);
2663 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2664 }
2665
2666 old_val = ldb_msg_find_ldb_val(tdo_msg, "trustAuthIncoming");
2667 if (old_val != NULL) {
2668 ndr_err = ndr_pull_struct_blob(old_val, frame, &old_blob,
2669 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2670 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2671 ldb_transaction_cancel(ldb);
2672 DEBUG(1, ("samdb_set_password_sid: "
2673 "failed(%s) to parse "
2674 "trustAuthOutgoing sAMAccountName[%s] "
2675 "DN[%s] TDO[%s], "
2676 "returning INTERNAL_DB_CORRUPTION\n",
2677 ndr_map_error2string(ndr_err),
2678 account_name,
2679 ldb_dn_get_linearized(user_msg->dn),
2680 ldb_dn_get_linearized(tdo_msg->dn)));
2681
2682 TALLOC_FREE(frame);
2683 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2684 }
2685 }
2686
2687 for (i = old_blob.current.count; i > 0; i--) {
2688 struct AuthenticationInformation *a =
2689 &old_blob.current.array[i - 1];
2690
2691 switch (a->AuthType) {
2692 case TRUST_AUTH_TYPE_NONE:
2693 if (i == old_blob.current.count) {
2694 /*
2695 * remove TRUST_AUTH_TYPE_NONE at the
2696 * end
2697 */
2698 old_blob.current.count--;
2699 }
2700 break;
2701
2702 case TRUST_AUTH_TYPE_VERSION:
2703 old_version_a = a;
2704 old_version = a->AuthInfo.version.version;
2705 break;
2706
2707 case TRUST_AUTH_TYPE_CLEAR:
2708 break;
2709
2710 case TRUST_AUTH_TYPE_NT4OWF:
2711 break;
2712 }
2713 }
2714
2715 if (new_version == NULL) {
2716 _new_version = 0;
2717 new_version = &_new_version;
2718 }
2719
2720 if (old_version_a != NULL && *new_version != (old_version + 1)) {
2721 old_version_a->LastUpdateTime = now;
2722 old_version_a->AuthType = TRUST_AUTH_TYPE_NONE;
2723 }
2724
2725 new_blob.count = MAX(old_blob.current.count, 2);
2726 new_blob.current.array = talloc_zero_array(frame,
2727 struct AuthenticationInformation,
2728 new_blob.count);
2729 if (new_blob.current.array == NULL) {
2730 ldb_transaction_cancel(ldb);
2731 TALLOC_FREE(frame);
2732 return NT_STATUS_NO_MEMORY;
2733 }
2734 new_blob.previous.array = talloc_zero_array(frame,
2735 struct AuthenticationInformation,
2736 new_blob.count);
2737 if (new_blob.current.array == NULL) {
2738 ldb_transaction_cancel(ldb);
2739 TALLOC_FREE(frame);
2740 return NT_STATUS_NO_MEMORY;
2741 }
2742
2743 for (i = 0; i < old_blob.current.count; i++) {
2744 struct AuthenticationInformation *o =
2745 &old_blob.current.array[i];
2746 struct AuthenticationInformation *p =
2747 &new_blob.previous.array[i];
2748
2749 *p = *o;
2750 new_blob.previous.count++;
2751 }
2752 for (; i < new_blob.count; i++) {
2753 struct AuthenticationInformation *pi =
2754 &new_blob.previous.array[i];
2755
2756 if (i == 0) {
2757 /*
2758 * new_blob.previous is still empty so
2759 * we'll do new_blob.previous = new_blob.current
2760 * below.
2761 */
2762 break;
2763 }
2764
2765 pi->LastUpdateTime = now;
2766 pi->AuthType = TRUST_AUTH_TYPE_NONE;
2767 new_blob.previous.count++;
2768 }
2769
2770 for (i = 0; i < new_blob.count; i++) {
2771 struct AuthenticationInformation *ci =
2772 &new_blob.current.array[i];
2773
2774 ci->LastUpdateTime = now;
2775 switch (i) {
2776 case 0:
2777 if (ntNewHash != NULL) {
2778 ci->AuthType = TRUST_AUTH_TYPE_NT4OWF;
2779 ci->AuthInfo.nt4owf.password = *ntNewHash;
2780 break;
2781 }
2782
2783 ci->AuthType = TRUST_AUTH_TYPE_CLEAR;
2784 ci->AuthInfo.clear.size = new_password->length;
2785 ci->AuthInfo.clear.password = new_password->data;
2786 break;
2787 case 1:
2788 ci->AuthType = TRUST_AUTH_TYPE_VERSION;
2789 ci->AuthInfo.version.version = *new_version;
2790 break;
2791 default:
2792 ci->AuthType = TRUST_AUTH_TYPE_NONE;
2793 break;
2794 }
2795
2796 new_blob.current.count++;
2797 }
2798
2799 if (new_blob.previous.count == 0) {
2800 TALLOC_FREE(new_blob.previous.array);
2801 new_blob.previous = new_blob.current;
2802 }
2803
2804 ndr_err = ndr_push_struct_blob(&new_val, frame, &new_blob,
2805 (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
2806 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2807 ldb_transaction_cancel(ldb);
2808 DEBUG(1, ("samdb_set_password_sid: "
2809 "failed(%s) to generate "
2810 "trustAuthOutgoing sAMAccountName[%s] "
2811 "DN[%s] TDO[%s], "
2812 "returning UNSUCCESSFUL\n",
2813 ndr_map_error2string(ndr_err),
2814 account_name,
2815 ldb_dn_get_linearized(user_msg->dn),
2816 ldb_dn_get_linearized(tdo_msg->dn)));
2817 TALLOC_FREE(frame);
2818 return NT_STATUS_UNSUCCESSFUL;
2819 }
2820
2821 tdo_msg->num_elements = 0;
2822 TALLOC_FREE(tdo_msg->elements);
2823
2824 ret = ldb_msg_add_empty(tdo_msg, "trustAuthIncoming",
2825 LDB_FLAG_MOD_REPLACE, NULL);
2826 if (ret != LDB_SUCCESS) {
2827 ldb_transaction_cancel(ldb);
2828 TALLOC_FREE(frame);
2829 return NT_STATUS_NO_MEMORY;
2830 }
2831 ret = ldb_msg_add_value(tdo_msg, "trustAuthIncoming",
2832 &new_val, NULL);
2833 if (ret != LDB_SUCCESS) {
2834 ldb_transaction_cancel(ldb);
2835 TALLOC_FREE(frame);
2836 return NT_STATUS_NO_MEMORY;
2837 }
2838
2839 ret = ldb_modify(ldb, tdo_msg);
2840 if (ret != LDB_SUCCESS) {
2841 nt_status = dsdb_ldb_err_to_ntstatus(ret);
2842 ldb_transaction_cancel(ldb);
2843 DEBUG(1, ("samdb_set_password_sid: "
2844 "failed to replace "
2845 "trustAuthOutgoing sAMAccountName[%s] "
2846 "DN[%s] TDO[%s], "
2847 "%s - %s\n",
2848 account_name,
2849 ldb_dn_get_linearized(user_msg->dn),
2850 ldb_dn_get_linearized(tdo_msg->dn),
2851 nt_errstr(nt_status), ldb_errstring(ldb)));
2852 TALLOC_FREE(frame);
2853 return nt_status;
2854 }
2855 }
2856
2857 nt_status = samdb_set_password_internal(ldb, mem_ctx,
2858 user_msg->dn, NULL,
2859 new_password,
2860 lmNewHash, ntNewHash,
2861 lmOldHash, ntOldHash,
2862 reject_reason, _dominfo,
2863 true); /* permit trusts */
2864 if (!NT_STATUS_IS_OK(nt_status)) {
2865 ldb_transaction_cancel(ldb);
2866 TALLOC_FREE(frame);
2867 return nt_status;
2868 }
2869
2870 ret = ldb_transaction_commit(ldb);
2871 if (ret != LDB_SUCCESS) {
2872 DEBUG(0,("Failed to commit transaction to change password on %s: %s\n",
2873 ldb_dn_get_linearized(user_msg->dn),
2874 ldb_errstring(ldb)));
2875 TALLOC_FREE(frame);
2876 return NT_STATUS_TRANSACTION_ABORTED;
2877 }
2878
2879 TALLOC_FREE(frame);
2880 return NT_STATUS_OK;
2881 }
2882
2883
2884 NTSTATUS samdb_create_foreign_security_principal(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
2885 struct dom_sid *sid, struct ldb_dn **ret_dn)
2886 {
2887 struct ldb_message *msg;
2888 struct ldb_dn *basedn = NULL;
2889 char *sidstr;
2890 int ret;
2891
2892 sidstr = dom_sid_string(mem_ctx, sid);
2893 NT_STATUS_HAVE_NO_MEMORY(sidstr);
2894
2895 /* We might have to create a ForeignSecurityPrincipal, even if this user
2896 * is in our own domain */
2897
2898 msg = ldb_msg_new(sidstr);
2899 if (msg == NULL) {
2900 talloc_free(sidstr);
2901 return NT_STATUS_NO_MEMORY;
2902 }
2903
2904 ret = dsdb_wellknown_dn(sam_ctx, sidstr,
2905 ldb_get_default_basedn(sam_ctx),
2906 DS_GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER,
2907 &basedn);
2908 if (ret != LDB_SUCCESS) {
2909 DEBUG(0, ("Failed to find DN for "
2910 "ForeignSecurityPrincipal container - %s\n", ldb_errstring(sam_ctx)));
2911 talloc_free(sidstr);
2912 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2913 }
2914
2915 /* add core elements to the ldb_message for the alias */
2916 msg->dn = basedn;
2917 if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s", sidstr)) {
2918 talloc_free(sidstr);
2919 return NT_STATUS_NO_MEMORY;
2920 }
2921
2922 ret = ldb_msg_add_string(msg, "objectClass",
2923 "foreignSecurityPrincipal");
2924 if (ret != LDB_SUCCESS) {
2925 talloc_free(sidstr);
2926 return NT_STATUS_NO_MEMORY;
2927 }
2928
2929 /* create the alias */
2930 ret = ldb_add(sam_ctx, msg);
2931 if (ret != LDB_SUCCESS) {
2932 DEBUG(0,("Failed to create foreignSecurityPrincipal "
2933 "record %s: %s\n",
2934 ldb_dn_get_linearized(msg->dn),
2935 ldb_errstring(sam_ctx)));
2936 talloc_free(sidstr);
2937 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2938 }
2939
2940 *ret_dn = talloc_steal(mem_ctx, msg->dn);
2941 talloc_free(sidstr);
2942
2943 return NT_STATUS_OK;
2944 }
2945
2946
2947 /*
2948 Find the DN of a domain, assuming it to be a dotted.dns name
2949 */
2950
2951 struct ldb_dn *samdb_dns_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const char *dns_domain)
2952 {
2953 unsigned int i;
2954 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2955 const char *binary_encoded;
2956 const char * const *split_realm;
2957 struct ldb_dn *dn;
2958
2959 if (!tmp_ctx) {
2960 return NULL;
2961 }
2962
2963 split_realm = (const char * const *)str_list_make(tmp_ctx, dns_domain, ".");
2964 if (!split_realm) {
2965 talloc_free(tmp_ctx);
2966 return NULL;
2967 }
2968 dn = ldb_dn_new(mem_ctx, ldb, NULL);
2969 for (i=0; split_realm[i]; i++) {
2970 binary_encoded = ldb_binary_encode_string(tmp_ctx, split_realm[i]);
2971 if (!ldb_dn_add_base_fmt(dn, "dc=%s", binary_encoded)) {
2972 DEBUG(2, ("Failed to add dc=%s element to DN %s\n",
2973 binary_encoded, ldb_dn_get_linearized(dn)));
2974 talloc_free(tmp_ctx);
2975 return NULL;
2976 }
2977 }
2978 if (!ldb_dn_validate(dn)) {
2979 DEBUG(2, ("Failed to validated DN %s\n",
2980 ldb_dn_get_linearized(dn)));
2981 talloc_free(tmp_ctx);
2982 return NULL;
2983 }
2984 talloc_free(tmp_ctx);
2985 return dn;
2986 }
2987
2988
2989 /*
2990 Find the DNS equivalent of a DN, in dotted DNS form
2991 */
2992 char *samdb_dn_to_dns_domain(TALLOC_CTX *mem_ctx, struct ldb_dn *dn)
2993 {
2994 int i, num_components = ldb_dn_get_comp_num(dn);
2995 char *dns_name = talloc_strdup(mem_ctx, "");
2996 if (dns_name == NULL) {
2997 return NULL;
2998 }
2999
3000 for (i=0; i<num_components; i++) {
3001 const struct ldb_val *v = ldb_dn_get_component_val(dn, i);
3002 char *s;
3003 if (v == NULL) {
3004 talloc_free(dns_name);
3005 return NULL;
3006 }
3007 s = talloc_asprintf_append_buffer(dns_name, "%*.*s.",
3008 (int)v->length, (int)v->length, (char *)v->data);
3009 if (s == NULL) {
3010 talloc_free(dns_name);
3011 return NULL;
3012 }
3013 dns_name = s;
3014 }
3015
3016 /* remove the last '.' */
3017 if (dns_name[0] != 0) {
3018 dns_name[strlen(dns_name)-1] = 0;
3019 }
3020
3021 return dns_name;
3022 }
3023
3024 /*
3025 Find the DNS _msdcs name for a given NTDS GUID. The resulting DNS
3026 name is based on the forest DNS name
3027 */
3028 char *samdb_ntds_msdcs_dns_name(struct ldb_context *samdb,
3029 TALLOC_CTX *mem_ctx,
3030 const struct GUID *ntds_guid)
3031 {
3032 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3033 const char *guid_str;
3034 struct ldb_dn *forest_dn;
3035 const char *dnsforest;
3036 char *ret;
3037
3038 guid_str = GUID_string(tmp_ctx, ntds_guid);
3039 if (guid_str == NULL) {
3040 talloc_free(tmp_ctx);
3041 return NULL;
3042 }
3043 forest_dn = ldb_get_root_basedn(samdb);
3044 if (forest_dn == NULL) {
3045 talloc_free(tmp_ctx);
3046 return NULL;
3047 }
3048 dnsforest = samdb_dn_to_dns_domain(tmp_ctx, forest_dn);
3049 if (dnsforest == NULL) {
3050 talloc_free(tmp_ctx);
3051 return NULL;
3052 }
3053 ret = talloc_asprintf(mem_ctx, "%s._msdcs.%s", guid_str, dnsforest);
3054 talloc_free(tmp_ctx);
3055 return ret;
3056 }
3057
3058
3059 /*
3060 Find the DN of a domain, be it the netbios or DNS name
3061 */
3062 struct ldb_dn *samdb_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
3063 const char *domain_name)
3064 {
3065 const char * const domain_ref_attrs[] = {
3066 "ncName", NULL
3067 };
3068 const char * const domain_ref2_attrs[] = {
3069 NULL
3070 };
3071 struct ldb_result *res_domain_ref;
3072 char *escaped_domain = ldb_binary_encode_string(mem_ctx, domain_name);
3073 /* find the domain's DN */
3074 int ret_domain = ldb_search(ldb, mem_ctx,
3075 &res_domain_ref,
3076 samdb_partitions_dn(ldb, mem_ctx),
3077 LDB_SCOPE_ONELEVEL,
3078 domain_ref_attrs,
3079 "(&(nETBIOSName=%s)(objectclass=crossRef))",
3080 escaped_domain);
3081 if (ret_domain != LDB_SUCCESS) {
3082 return NULL;
3083 }
3084
3085 if (res_domain_ref->count == 0) {
3086 ret_domain = ldb_search(ldb, mem_ctx,
3087 &res_domain_ref,
3088 samdb_dns_domain_to_dn(ldb, mem_ctx, domain_name),
3089 LDB_SCOPE_BASE,
3090 domain_ref2_attrs,
3091 "(objectclass=domain)");
3092 if (ret_domain != LDB_SUCCESS) {
3093 return NULL;
3094 }
3095
3096 if (res_domain_ref->count == 1) {
3097 return res_domain_ref->msgs[0]->dn;
3098 }
3099 return NULL;
3100 }
3101
3102 if (res_domain_ref->count > 1) {
3103 DEBUG(0,("Found %d records matching domain [%s]\n",
3104 ret_domain, domain_name));
3105 return NULL;
3106 }
3107
3108 return samdb_result_dn(ldb, mem_ctx, res_domain_ref->msgs[0], "nCName", NULL);
3109
3110 }
3111
3112
3113 /*
3114 use a GUID to find a DN
3115 */
3116 int dsdb_find_dn_by_guid(struct ldb_context *ldb,
3117 TALLOC_CTX *mem_ctx,
3118 const struct GUID *guid,
3119 uint32_t dsdb_flags,
3120 struct ldb_dn **dn)
3121 {
3122 int ret;
3123 struct ldb_result *res;
3124 const char *attrs[] = { NULL };
3125 char *guid_str = GUID_string(mem_ctx, guid);
3126
3127 if (!guid_str) {
3128 return ldb_operr(ldb);
3129 }
3130
3131 ret = dsdb_search(ldb, mem_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs,
3132 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
3133 DSDB_SEARCH_SHOW_EXTENDED_DN |
3134 DSDB_SEARCH_ONE_ONLY | dsdb_flags,
3135 "objectGUID=%s", guid_str);
3136 talloc_free(guid_str);
3137 if (ret != LDB_SUCCESS) {
3138 return ret;
3139 }
3140
3141 *dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
3142 talloc_free(res);
3143
3144 return LDB_SUCCESS;
3145 }
3146
3147 /*
3148 use a DN to find a GUID with a given attribute name
3149 */
3150 int dsdb_find_guid_attr_by_dn(struct ldb_context *ldb,
3151 struct ldb_dn *dn, const char *attribute,
3152 struct GUID *guid)
3153 {
3154 int ret;
3155 struct ldb_result *res = NULL;
3156 const char *attrs[2];
3157 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
3158
3159 attrs[0] = attribute;
3160 attrs[1] = NULL;
3161
3162 ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs,
3163 DSDB_SEARCH_SHOW_DELETED |
3164 DSDB_SEARCH_SHOW_RECYCLED);
3165 if (ret != LDB_SUCCESS) {
3166 talloc_free(tmp_ctx);
3167 return ret;
3168 }
3169 /* satisfy clang */
3170 if (res == NULL) {
3171 talloc_free(tmp_ctx);
3172 return LDB_ERR_OTHER;
3173 }
3174 if (res->count < 1) {
3175 talloc_free(tmp_ctx);
3176 return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__);
3177 }
3178 *guid = samdb_result_guid(res->msgs[0], attribute);
3179 talloc_free(tmp_ctx);
3180 return LDB_SUCCESS;
3181 }
3182
3183 /*
3184 use a DN to find a GUID
3185 */
3186 int dsdb_find_guid_by_dn(struct ldb_context *ldb,
3187 struct ldb_dn *dn, struct GUID *guid)
3188 {
3189 return dsdb_find_guid_attr_by_dn(ldb, dn, "objectGUID", guid);
3190 }
3191
3192
3193
3194 /*
3195 adds the given GUID to the given ldb_message. This value is added
3196 for the given attr_name (may be either "objectGUID" or "parentGUID").
3197 */
3198 int dsdb_msg_add_guid(struct ldb_message *msg,
3199 struct GUID *guid,
3200 const char *attr_name)
3201 {
3202 int ret;
3203 struct ldb_val v;
3204 NTSTATUS status;
3205 TALLOC_CTX *tmp_ctx = talloc_init("dsdb_msg_add_guid");
3206
3207 status = GUID_to_ndr_blob(guid, tmp_ctx, &v);
3208 if (!NT_STATUS_IS_OK(status)) {
3209 ret = LDB_ERR_OPERATIONS_ERROR;
3210 goto done;
3211 }
3212
3213 ret = ldb_msg_add_steal_value(msg, attr_name, &v);
3214 if (ret != LDB_SUCCESS) {
3215 DEBUG(4,(__location__ ": Failed to add %s to the message\n",
3216 attr_name));
3217 goto done;
3218 }
3219
3220 ret = LDB_SUCCESS;
3221
3222 done:
3223 talloc_free(tmp_ctx);
3224 return ret;
3225
3226 }
3227
3228
3229 /*
3230 use a DN to find a SID
3231 */
3232 int dsdb_find_sid_by_dn(struct ldb_context *ldb,
3233 struct ldb_dn *dn, struct dom_sid *sid)
3234 {
3235 int ret;
3236 struct ldb_result *res = NULL;
3237 const char *attrs[] = { "objectSid", NULL };
3238 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
3239 struct dom_sid *s;
3240
3241 ZERO_STRUCTP(sid);
3242
3243 ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs,
3244 DSDB_SEARCH_SHOW_DELETED |
3245 DSDB_SEARCH_SHOW_RECYCLED);
3246 if (ret != LDB_SUCCESS) {
3247 talloc_free(tmp_ctx);
3248 return ret;
3249 }
3250 if (res == NULL) {
3251 talloc_free(tmp_ctx);
3252 return LDB_ERR_OTHER;
3253 }
3254 if (res->count < 1) {
3255 talloc_free(tmp_ctx);
3256 return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__);
3257 }
3258 s = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
3259 if (s == NULL) {
3260 talloc_free(tmp_ctx);
3261 return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__);
3262 }
3263 *sid = *s;
3264 talloc_free(tmp_ctx);
3265 return LDB_SUCCESS;
3266 }
3267
3268 /*
3269 use a SID to find a DN
3270 */
3271 int dsdb_find_dn_by_sid(struct ldb_context *ldb,
3272 TALLOC_CTX *mem_ctx,
3273 struct dom_sid *sid, struct ldb_dn **dn)
3274 {
3275 int ret;
3276 struct ldb_result *res;
3277 const char *attrs[] = { NULL };
3278 char *sid_str = ldap_encode_ndr_dom_sid(mem_ctx, sid);
3279
3280 if (!sid_str) {
3281 return ldb_operr(ldb);
3282 }
3283
3284 ret = dsdb_search(ldb, mem_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs,
3285 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
3286 DSDB_SEARCH_SHOW_EXTENDED_DN |
3287 DSDB_SEARCH_ONE_ONLY,
3288 "objectSid=%s", sid_str);
3289 talloc_free(sid_str);
3290 if (ret != LDB_SUCCESS) {
3291 return ret;
3292 }
3293
3294 *dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
3295 talloc_free(res);
3296
3297 return LDB_SUCCESS;
3298 }
3299
3300 /*
3301 load a repsFromTo blob list for a given partition GUID
3302 attr must be "repsFrom" or "repsTo"
3303 */
3304 WERROR dsdb_loadreps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
3305 const char *attr, struct repsFromToBlob **r, uint32_t *count)
3306 {
3307 const char *attrs[] = { attr, NULL };
3308 struct ldb_result *res = NULL;
3309 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3310 unsigned int i;
3311 struct ldb_message_element *el;
3312 int ret;
3313
3314 *r = NULL;
3315 *count = 0;
3316
3317 ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs, 0);
3318 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
3319 /* partition hasn't been replicated yet */
3320 return WERR_OK;
3321 }
3322 if (ret != LDB_SUCCESS) {
3323 DEBUG(0,("dsdb_loadreps: failed to read partition object: %s\n", ldb_errstring(sam_ctx)));
3324 talloc_free(tmp_ctx);
3325 return WERR_DS_DRA_INTERNAL_ERROR;
3326 }
3327
3328 /* satisfy clang */
3329 if (res == NULL) {
3330 talloc_free(tmp_ctx);
3331 return WERR_DS_DRA_INTERNAL_ERROR;
3332 }
3333 el = ldb_msg_find_element(res->msgs[0], attr);
3334 if (el == NULL) {
3335 /* it's OK to be empty */
3336 talloc_free(tmp_ctx);
3337 return WERR_OK;
3338 }
3339
3340 *count = el->num_values;
3341 *r = talloc_array(mem_ctx, struct repsFromToBlob, *count);
3342 if (*r == NULL) {
3343 talloc_free(tmp_ctx);
3344 return WERR_DS_DRA_INTERNAL_ERROR;
3345 }
3346
3347 for (i=0; i<(*count); i++) {
3348 enum ndr_err_code ndr_err;
3349 ndr_err = ndr_pull_struct_blob(&el->values[i],
3350 mem_ctx,
3351 &(*r)[i],
3352 (ndr_pull_flags_fn_t)ndr_pull_repsFromToBlob);
3353 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3354 talloc_free(tmp_ctx);
3355 return WERR_DS_DRA_INTERNAL_ERROR;
3356 }
3357 }
3358
3359 talloc_free(tmp_ctx);
3360
3361 return WERR_OK;
3362 }
3363
3364 /*
3365 save the repsFromTo blob list for a given partition GUID
3366 attr must be "repsFrom" or "repsTo"
3367 */
3368 WERROR dsdb_savereps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
3369 const char *attr, struct repsFromToBlob *r, uint32_t count)
3370 {
3371 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3372 struct ldb_message *msg;
3373 struct ldb_message_element *el;
3374 unsigned int i;
3375
3376 msg = ldb_msg_new(tmp_ctx);
3377 msg->dn = dn;
3378 if (ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_REPLACE, &el) != LDB_SUCCESS) {
3379 goto failed;
3380 }
3381
3382 el->values = talloc_array(msg, struct ldb_val, count);
3383 if (!el->values) {
3384 goto failed;
3385 }
3386
3387 for (i=0; i<count; i++) {
3388 struct ldb_val v;
3389 enum ndr_err_code ndr_err;
3390
3391 ndr_err = ndr_push_struct_blob(&v, tmp_ctx,
3392 &r[i],
3393 (ndr_push_flags_fn_t)ndr_push_repsFromToBlob);
3394 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3395 goto failed;
3396 }
3397
3398 el->num_values++;
3399 el->values[i] = v;
3400 }
3401
3402 if (dsdb_modify(sam_ctx, msg, 0) != LDB_SUCCESS) {
3403 DEBUG(0,("Failed to store %s - %s\n", attr, ldb_errstring(sam_ctx)));
3404 goto failed;
3405 }
3406
3407 talloc_free(tmp_ctx);
3408
3409 return WERR_OK;
3410
3411 failed:
3412 talloc_free(tmp_ctx);
3413 return WERR_DS_DRA_INTERNAL_ERROR;
3414 }
3415
3416
3417 /*
3418 load the uSNHighest and the uSNUrgent attributes from the @REPLCHANGED
3419 object for a partition
3420 */
3421 int dsdb_load_partition_usn(struct ldb_context *ldb, struct ldb_dn *dn,
3422 uint64_t *uSN, uint64_t *urgent_uSN)
3423 {
3424 struct ldb_request *req;
3425 int ret;
3426 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
3427 struct dsdb_control_current_partition *p_ctrl;
3428 struct ldb_result *res;
3429
3430 res = talloc_zero(tmp_ctx, struct ldb_result);
3431 if (!res) {
3432 talloc_free(tmp_ctx);
3433 return ldb_oom(ldb);
3434 }
3435
3436 ret = ldb_build_search_req(&req, ldb, tmp_ctx,
3437 ldb_dn_new(tmp_ctx, ldb, "@REPLCHANGED"),
3438 LDB_SCOPE_BASE,
3439 NULL, NULL,
3440 NULL,
3441 res, ldb_search_default_callback,
3442 NULL);
3443 if (ret != LDB_SUCCESS) {
3444 talloc_free(tmp_ctx);
3445 return ret;
3446 }
3447
3448 p_ctrl = talloc(req, struct dsdb_control_current_partition);
3449 if (p_ctrl == NULL) {
3450 talloc_free(tmp_ctx);
3451 return ldb_oom(ldb);
3452 }
3453 p_ctrl->version = DSDB_CONTROL_CURRENT_PARTITION_VERSION;
3454 p_ctrl->dn = dn;
3455
3456 ret = ldb_request_add_control(req,
3457 DSDB_CONTROL_CURRENT_PARTITION_OID,
3458 false, p_ctrl);
3459 if (ret != LDB_SUCCESS) {
3460 talloc_free(tmp_ctx);
3461 return ret;
3462 }
3463
3464 /* Run the new request */
3465 ret = ldb_request(ldb, req);
3466
3467 if (ret == LDB_SUCCESS) {
3468 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
3469 }
3470
3471 if (ret == LDB_ERR_NO_SUCH_OBJECT || ret == LDB_ERR_INVALID_DN_SYNTAX) {
3472 /* it hasn't been created yet, which means
3473 an implicit value of zero */
3474 *uSN = 0;
3475 talloc_free(tmp_ctx);
3476 return LDB_SUCCESS;
3477 }
3478
3479 if (ret != LDB_SUCCESS) {
3480 talloc_free(tmp_ctx);
3481 return ret;
3482 }
3483
3484 if (res->count < 1) {
3485 *uSN = 0;
3486 if (urgent_uSN) {
3487 *urgent_uSN = 0;
3488 }
3489 } else {
3490 *uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNHighest", 0);
3491 if (urgent_uSN) {
3492 *urgent_uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNUrgent", 0);
3493 }
3494 }
3495
3496 talloc_free(tmp_ctx);
3497
3498 return LDB_SUCCESS;
3499 }
3500
3501 int drsuapi_DsReplicaCursor2_compare(const struct drsuapi_DsReplicaCursor2 *c1,
3502 const struct drsuapi_DsReplicaCursor2 *c2)
3503 {
3504 return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
3505 }
3506
3507 int drsuapi_DsReplicaCursor_compare(const struct drsuapi_DsReplicaCursor *c1,
3508 const struct drsuapi_DsReplicaCursor *c2)
3509 {
3510 return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
3511 }
3512
3513
3514 /*
3515 see if a computer identified by its invocationId is a RODC
3516 */
3517 int samdb_is_rodc(struct ldb_context *sam_ctx, const struct GUID *objectGUID, bool *is_rodc)
3518 {
3519 /* 1) find the DN for this servers NTDSDSA object
3520 2) search for the msDS-isRODC attribute
3521 3) if not present then not a RODC
3522 4) if present and TRUE then is a RODC
3523 */
3524 struct ldb_dn *config_dn;
3525 const char *attrs[] = { "msDS-isRODC", NULL };
3526 int ret;
3527 struct ldb_result *res;
3528 TALLOC_CTX *tmp_ctx = talloc_new(sam_ctx);
3529
3530 config_dn = ldb_get_config_basedn(sam_ctx);
3531 if (!config_dn) {
3532 talloc_free(tmp_ctx);
3533 return ldb_operr(sam_ctx);
3534 }
3535
3536 ret = dsdb_search(sam_ctx, tmp_ctx, &res, config_dn, LDB_SCOPE_SUBTREE, attrs,
3537 DSDB_SEARCH_ONE_ONLY, "objectGUID=%s", GUID_string(tmp_ctx, objectGUID));
3538
3539 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
3540 *is_rodc = false;
3541 talloc_free(tmp_ctx);
3542 return LDB_SUCCESS;
3543 }
3544
3545 if (ret != LDB_SUCCESS) {
3546 DEBUG(1,(("Failed to find our own NTDS Settings object by objectGUID=%s!\n"),
3547 GUID_string(tmp_ctx, objectGUID)));
3548 *is_rodc = false;
3549 talloc_free(tmp_ctx);
3550 return ret;
3551 }
3552
3553 ret = ldb_msg_find_attr_as_bool(res->msgs[0], "msDS-isRODC", 0);
3554 *is_rodc = (ret == 1);
3555
3556 talloc_free(tmp_ctx);
3557 return LDB_SUCCESS;
3558 }
3559
3560
3561 /*
3562 see if we are a RODC
3563 */
3564 int samdb_rodc(struct ldb_context *sam_ctx, bool *am_rodc)
3565 {
3566 const struct GUID *objectGUID;
3567 int ret;
3568 bool *cached;
3569
3570 /* see if we have a cached copy */
3571 cached = (bool *)ldb_get_opaque(sam_ctx, "cache.am_rodc");
3572 if (cached) {
3573 *am_rodc = *cached;
3574 return LDB_SUCCESS;
3575 }
3576
3577 objectGUID = samdb_ntds_objectGUID(sam_ctx);
3578 if (!objectGUID) {
3579 return ldb_operr(sam_ctx);
3580 }
3581
3582 ret = samdb_is_rodc(sam_ctx, objectGUID, am_rodc);
3583 if (ret != LDB_SUCCESS) {
3584 return ret;
3585 }
3586
3587 cached = talloc(sam_ctx, bool);
3588 if (cached == NULL) {
3589 return ldb_oom(sam_ctx);
3590 }
3591 *cached = *am_rodc;
3592
3593 ret = ldb_set_opaque(sam_ctx, "cache.am_rodc", cached);
3594 if (ret != LDB_SUCCESS) {
3595 talloc_free(cached);
3596 return ldb_operr(sam_ctx);
3597 }
3598
3599 return LDB_SUCCESS;
3600 }
3601
3602 int samdb_dns_host_name(struct ldb_context *sam_ctx, const char **host_name)
3603 {
3604 const char *_host_name = NULL;
3605 const char *attrs[] = { "dnsHostName", NULL };
3606 TALLOC_CTX *tmp_ctx = NULL;
3607 int ret;
3608 struct ldb_result *res = NULL;
3609
3610 _host_name = (const char *)ldb_get_opaque(sam_ctx, "cache.dns_host_name");
3611 if (_host_name != NULL) {
3612 *host_name = _host_name;
3613 return LDB_SUCCESS;
3614 }
3615
3616 tmp_ctx = talloc_new(sam_ctx);
3617
3618 ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, NULL, attrs, 0);
3619
3620 if (res == NULL || res->count != 1 || ret != LDB_SUCCESS) {
3621 DEBUG(0, ("Failed to get rootDSE for dnsHostName: %s",
3622 ldb_errstring(sam_ctx)));
3623 TALLOC_FREE(tmp_ctx);
3624 return ret;
3625 }
3626
3627 _host_name = ldb_msg_find_attr_as_string(res->msgs[0],
3628 "dnsHostName",
3629 NULL);
3630 if (_host_name == NULL) {
3631 DEBUG(0, ("Failed to get dnsHostName from rootDSE"));
3632 TALLOC_FREE(tmp_ctx);
3633 return LDB_ERR_OPERATIONS_ERROR;
3634 }
3635 ret = ldb_set_opaque(sam_ctx, "cache.dns_host_name",
3636 discard_const_p(char *, _host_name));
3637 if (ret != LDB_SUCCESS) {
3638 TALLOC_FREE(tmp_ctx);
3639 return ldb_operr(sam_ctx);
3640 }
3641
3642 *host_name = talloc_steal(sam_ctx, _host_name);
3643
3644 TALLOC_FREE(tmp_ctx);
3645 return LDB_SUCCESS;
3646 }
3647
3648 bool samdb_set_am_rodc(struct ldb_context *ldb, bool am_rodc)
3649 {
3650 TALLOC_CTX *tmp_ctx;
3651 bool *cached;
3652
3653 tmp_ctx = talloc_new(ldb);
3654 if (tmp_ctx == NULL) {
3655 goto failed;
3656 }
3657
3658 cached = talloc(tmp_ctx, bool);
3659 if (!cached) {
3660 goto failed;
3661 }
3662
3663 *cached = am_rodc;
3664 if (ldb_set_opaque(ldb, "cache.am_rodc", cached) != LDB_SUCCESS) {
3665 goto failed;
3666 }
3667
3668 talloc_steal(ldb, cached);
3669 talloc_free(tmp_ctx);
3670 return true;
3671
3672 failed:
3673 DEBUG(1,("Failed to set our own cached am_rodc in the ldb!\n"));
3674 talloc_free(tmp_ctx);
3675 return false;
3676 }
3677
3678
3679 /*
3680 * return NTDSSiteSettings options. See MS-ADTS 7.1.1.2.2.1.1
3681 * flags are DS_NTDSSETTINGS_OPT_*
3682 */
3683 int samdb_ntds_site_settings_options(struct ldb_context *ldb_ctx,
3684 uint32_t *options)
3685 {
3686 int rc;
3687 TALLOC_CTX *tmp_ctx;
3688 struct ldb_result *res;
3689 struct ldb_dn *site_dn;
3690 const char *attrs[] = { "options", NULL };
3691
3692 tmp_ctx = talloc_new(ldb_ctx);
3693 if (tmp_ctx == NULL)
3694 goto failed;
3695
3696 /* Retrieve the site dn for the ldb that we
3697 * have open. This is our local site.
3698 */
3699 site_dn = samdb_server_site_dn(ldb_ctx, tmp_ctx);
3700 if (site_dn == NULL)
3701 goto failed;
3702
3703 /* Perform a one level (child) search from the local
3704 * site distinguided name. We're looking for the
3705 * "options" attribute within the nTDSSiteSettings
3706 * object
3707 */
3708 rc = ldb_search(ldb_ctx, tmp_ctx, &res, site_dn,
3709 LDB_SCOPE_ONELEVEL, attrs,
3710 "objectClass=nTDSSiteSettings");
3711
3712 if (rc != LDB_SUCCESS || res->count != 1)
3713 goto failed;
3714
3715 *options = ldb_msg_find_attr_as_uint(res->msgs[0], "options", 0);
3716
3717 talloc_free(tmp_ctx);
3718
3719 return LDB_SUCCESS;
3720
3721 failed:
3722 DEBUG(1,("Failed to find our NTDS Site Settings options in ldb!\n"));
3723 talloc_free(tmp_ctx);
3724 return ldb_error(ldb_ctx, LDB_ERR_NO_SUCH_OBJECT, __func__);
3725 }
3726
3727 /*
3728 return NTDS options flags. See MS-ADTS 7.1.1.2.2.1.2.1.1
3729
3730 flags are DS_NTDS_OPTION_*
3731 */
3732 int samdb_ntds_options(struct ldb_context *ldb, uint32_t *options)
3733 {
3734 TALLOC_CTX *tmp_ctx;
3735 const char *attrs[] = { "options", NULL };
3736 int ret;
3737 struct ldb_result *res;
3738
3739 tmp_ctx = talloc_new(ldb);
3740 if (tmp_ctx == NULL) {
3741 goto failed;
3742 }
3743
3744 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb, tmp_ctx), LDB_SCOPE_BASE, attrs, NULL);
3745 if (ret != LDB_SUCCESS) {
3746 goto failed;
3747 }
3748
3749 if (res->count != 1) {
3750 goto failed;
3751 }
3752
3753 *options = ldb_msg_find_attr_as_uint(res->msgs[0], "options", 0);
3754
3755 talloc_free(tmp_ctx);
3756
3757 return LDB_SUCCESS;
3758
3759 failed:
3760 DEBUG(1,("Failed to find our own NTDS Settings options in the ldb!\n"));
3761 talloc_free(tmp_ctx);
3762 return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__);
3763 }
3764
3765 const char* samdb_ntds_object_category(TALLOC_CTX *tmp_ctx, struct ldb_context *ldb)
3766 {
3767 const char *attrs[] = { "objectCategory", NULL };
3768 int ret;
3769 struct ldb_result *res;
3770
3771 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb, tmp_ctx), LDB_SCOPE_BASE, attrs, NULL);
3772 if (ret != LDB_SUCCESS) {
3773 goto failed;
3774 }
3775
3776 if (res->count != 1) {
3777 goto failed;
3778 }
3779
3780 return ldb_msg_find_attr_as_string(res->msgs[0], "objectCategory", NULL);
3781
3782 failed:
3783 DEBUG(1,("Failed to find our own NTDS Settings objectCategory in the ldb!\n"));
3784 return NULL;
3785 }
3786
3787 /*
3788 * Function which generates a "lDAPDisplayName" attribute from a "CN" one.
3789 * Algorithm implemented according to MS-ADTS 3.1.1.2.3.4
3790 */
3791 const char *samdb_cn_to_lDAPDisplayName(TALLOC_CTX *mem_ctx, const char *cn)
3792 {
3793 char **tokens, *ret;
3794 size_t i;
3795
3796 tokens = str_list_make(mem_ctx, cn, " -_");
3797 if (tokens == NULL || tokens[0] == NULL) {
3798 return NULL;
3799 }
3800
3801 /* "tolower()" and "toupper()" should also work properly on 0x00 */
3802 tokens[0][0] = tolower(tokens[0][0]);
3803 for (i = 1; tokens[i] != NULL; i++)
3804 tokens[i][0] = toupper(tokens[i][0]);
3805
3806 ret = talloc_strdup(mem_ctx, tokens[0]);
3807 for (i = 1; tokens[i] != NULL; i++)
3808 ret = talloc_asprintf_append_buffer(ret, "%s", tokens[i]);
3809
3810 talloc_free(tokens);
3811
3812 return ret;
3813 }
3814
3815 /*
3816 * This detects and returns the domain functional level (DS_DOMAIN_FUNCTION_*)
3817 */
3818 int dsdb_functional_level(struct ldb_context *ldb)
3819 {
3820 int *domainFunctionality =
3821 talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int);
3822 if (!domainFunctionality) {
3823 /* this is expected during initial provision */
3824 DEBUG(4,(__location__ ": WARNING: domainFunctionality not setup\n"));
3825 return DS_DOMAIN_FUNCTION_2000;
3826 }
3827 return *domainFunctionality;
3828 }
3829
3830 /*
3831 * This detects and returns the forest functional level (DS_DOMAIN_FUNCTION_*)
3832 */
3833 int dsdb_forest_functional_level(struct ldb_context *ldb)
3834 {
3835 int *forestFunctionality =
3836 talloc_get_type(ldb_get_opaque(ldb, "forestFunctionality"), int);
3837 if (!forestFunctionality) {
3838 DEBUG(0,(__location__ ": WARNING: forestFunctionality not setup\n"));
3839 return DS_DOMAIN_FUNCTION_2000;
3840 }
3841 return *forestFunctionality;
3842 }
3843
3844 /*
3845 * This detects and returns the DC functional level (DS_DOMAIN_FUNCTION_*)
3846 */
3847 int dsdb_dc_functional_level(struct ldb_context *ldb)
3848 {
3849 int *dcFunctionality =
3850 talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int);
3851 if (!dcFunctionality) {
3852 /* this is expected during initial provision */
3853 DEBUG(4,(__location__ ": WARNING: domainControllerFunctionality not setup\n"));
3854 return DS_DOMAIN_FUNCTION_2008_R2;
3855 }
3856 return *dcFunctionality;
3857 }
3858
3859 /*
3860 set a GUID in an extended DN structure
3861 */
3862 int dsdb_set_extended_dn_guid(struct ldb_dn *dn, const struct GUID *guid, const char *component_name)
3863 {
3864 struct ldb_val v;
3865 NTSTATUS status;
3866 int ret;
3867
3868 status = GUID_to_ndr_blob(guid, dn, &v);
3869 if (!NT_STATUS_IS_OK(status)) {
3870 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
3871 }
3872
3873 ret = ldb_dn_set_extended_component(dn, component_name, &v);
3874 data_blob_free(&v);
3875 return ret;
3876 }
3877
3878 /*
3879 return a GUID from a extended DN structure
3880 */
3881 NTSTATUS dsdb_get_extended_dn_guid(struct ldb_dn *dn, struct GUID *guid, const char *component_name)
3882 {
3883 const struct ldb_val *v;
3884
3885 v = ldb_dn_get_extended_component(dn, component_name);
3886 if (v == NULL) {
3887 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3888 }
3889
3890 return GUID_from_ndr_blob(v, guid);
3891 }
3892
3893 /*
3894 return a uint64_t from a extended DN structure
3895 */
3896 NTSTATUS dsdb_get_extended_dn_uint64(struct ldb_dn *dn, uint64_t *val, const char *component_name)
3897 {
3898 const struct ldb_val *v;
3899 int error = 0;
3900
3901 v = ldb_dn_get_extended_component(dn, component_name);
3902 if (v == NULL) {
3903 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3904 }
3905
3906 /* Just check we don't allow the caller to fill our stack */
3907 if (v->length >= 64) {
3908 return NT_STATUS_INVALID_PARAMETER;
3909 } else {
3910 char s[v->length+1];
3911 memcpy(s, v->data, v->length);
3912 s[v->length] = 0;
3913
3914 *val = smb_strtoull(s, NULL, 0, &error, SMB_STR_STANDARD);
3915 if (error != 0) {
3916 return NT_STATUS_INVALID_PARAMETER;
3917 }
3918 }
3919 return NT_STATUS_OK;
3920 }
3921
3922 /*
3923 return a NTTIME from a extended DN structure
3924 */
3925 NTSTATUS dsdb_get_extended_dn_nttime(struct ldb_dn *dn, NTTIME *nttime, const char *component_name)
3926 {
3927 return dsdb_get_extended_dn_uint64(dn, nttime, component_name);
3928 }
3929
3930 /*
3931 return a uint32_t from a extended DN structure
3932 */
3933 NTSTATUS dsdb_get_extended_dn_uint32(struct ldb_dn *dn, uint32_t *val, const char *component_name)
3934 {
3935 const struct ldb_val *v;
3936 int error = 0;
3937
3938 v = ldb_dn_get_extended_component(dn, component_name);
3939 if (v == NULL) {
3940 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3941 }
3942
3943 /* Just check we don't allow the caller to fill our stack */
3944 if (v->length >= 32) {
3945 return NT_STATUS_INVALID_PARAMETER;
3946 } else {
3947 char s[v->length + 1];
3948 memcpy(s, v->data, v->length);
3949 s[v->length] = 0;
3950 *val = smb_strtoul(s, NULL, 0, &error, SMB_STR_STANDARD);
3951 if (error != 0) {
3952 return NT_STATUS_INVALID_PARAMETER;
3953 }
3954 }
3955
3956 return NT_STATUS_OK;
3957 }
3958
3959 /*
3960 return a dom_sid from a extended DN structure
3961 */
3962 NTSTATUS dsdb_get_extended_dn_sid(struct ldb_dn *dn, struct dom_sid *sid, const char *component_name)
3963 {
3964 const struct ldb_val *sid_blob;
3965 enum ndr_err_code ndr_err;
3966
3967 sid_blob = ldb_dn_get_extended_component(dn, component_name);
3968 if (!sid_blob) {
3969 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3970 }
3971
3972 ndr_err = ndr_pull_struct_blob_all_noalloc(sid_blob, sid,
3973 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
3974 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3975 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
3976 return status;
3977 }
3978
3979 return NT_STATUS_OK;
3980 }
3981
3982
3983 /*
3984 return RMD_FLAGS directly from a ldb_dn
3985 returns 0 if not found
3986 */
3987 uint32_t dsdb_dn_rmd_flags(struct ldb_dn *dn)
3988 {
3989 uint32_t rmd_flags = 0;
3990 NTSTATUS status = dsdb_get_extended_dn_uint32(dn, &rmd_flags,
3991 "RMD_FLAGS");
3992 if (NT_STATUS_IS_OK(status)) {
3993 return rmd_flags;
3994 }
3995 return 0;
3996 }
3997
3998 /*
3999 return RMD_FLAGS directly from a ldb_val for a DN
4000 returns 0 if RMD_FLAGS is not found
4001 */
4002 uint32_t dsdb_dn_val_rmd_flags(const struct ldb_val *val)
4003 {
4004 const char *p;
4005 uint32_t flags;
4006 char *end;
4007 int error = 0;
4008
4009 if (val->length < 13) {
4010 return 0;
4011 }
4012 p = memmem(val->data, val->length, "<RMD_FLAGS=", 11);
4013 if (!p) {
4014 return 0;
4015 }
4016 flags = smb_strtoul(p+11, &end, 10, &error, SMB_STR_STANDARD);
4017 if (!end || *end != '>' || error != 0) {
4018 /* it must end in a > */
4019 return 0;
4020 }
4021 return flags;
4022 }
4023
4024 /*
4025 return true if a ldb_val containing a DN in storage form is deleted
4026 */
4027 bool dsdb_dn_is_deleted_val(const struct ldb_val *val)
4028 {
4029 return (dsdb_dn_val_rmd_flags(val) & DSDB_RMD_FLAG_DELETED) != 0;
4030 }
4031
4032 /*
4033 return true if a ldb_val containing a DN in storage form is
4034 in the upgraded w2k3 linked attribute format
4035 */
4036 bool dsdb_dn_is_upgraded_link_val(const struct ldb_val *val)
4037 {
4038 return memmem(val->data, val->length, "<RMD_VERSION=", 13) != NULL;
4039 }
4040
4041 /*
4042 return a DN for a wellknown GUID
4043 */
4044 int dsdb_wellknown_dn(struct ldb_context *samdb, TALLOC_CTX *mem_ctx,
4045 struct ldb_dn *nc_root, const char *wk_guid,
4046 struct ldb_dn **wkguid_dn)
4047 {
4048 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
4049 const char *attrs[] = { NULL };
4050 int ret;
4051 struct ldb_dn *dn;
4052 struct ldb_result *res = NULL;
4053
4054 /* construct the magic WKGUID DN */
4055 dn = ldb_dn_new_fmt(tmp_ctx, samdb, "<WKGUID=%s,%s>",
4056 wk_guid, ldb_dn_get_linearized(nc_root));
4057 if (!wkguid_dn) {
4058 talloc_free(tmp_ctx);
4059 return ldb_operr(samdb);
4060 }
4061
4062 ret = dsdb_search_dn(samdb, tmp_ctx, &res, dn, attrs,
4063 DSDB_SEARCH_SHOW_DELETED |
4064 DSDB_SEARCH_SHOW_RECYCLED);
4065 if (ret != LDB_SUCCESS) {
4066 talloc_free(tmp_ctx);
4067 return ret;
4068 }
4069 /* fix clang warning */
4070 if (res == NULL){
4071 talloc_free(tmp_ctx);
4072 return LDB_ERR_OTHER;
4073 }
4074
4075 (*wkguid_dn) = talloc_steal(mem_ctx, res->msgs[0]->dn);
4076 talloc_free(tmp_ctx);
4077 return LDB_SUCCESS;
4078 }
4079
4080
4081 static int dsdb_dn_compare_ptrs(struct ldb_dn **dn1, struct ldb_dn **dn2)
4082 {
4083 return ldb_dn_compare(*dn1, *dn2);
4084 }
4085
4086 /*
4087 find a NC root given a DN within the NC
4088 */
4089 int dsdb_find_nc_root(struct ldb_context *samdb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
4090 struct ldb_dn **nc_root)
4091 {
4092 const char *root_attrs[] = { "namingContexts", NULL };
4093 TALLOC_CTX *tmp_ctx;
4094 int ret;
4095 struct ldb_message_element *el;
4096 struct ldb_result *root_res;
4097 unsigned int i;
4098 struct ldb_dn **nc_dns;
4099
4100 tmp_ctx = talloc_new(samdb);
4101 if (tmp_ctx == NULL) {
4102 return ldb_oom(samdb);
4103 }
4104
4105 ret = ldb_search(samdb, tmp_ctx, &root_res,
4106 ldb_dn_new(tmp_ctx, samdb, ""), LDB_SCOPE_BASE, root_attrs, NULL);
4107 if (ret != LDB_SUCCESS || root_res->count == 0) {
4108 DEBUG(1,("Searching for namingContexts in rootDSE failed: %s\n", ldb_errstring(samdb)));
4109 talloc_free(tmp_ctx);
4110 return ret;
4111 }
4112
4113 el = ldb_msg_find_element(root_res->msgs[0], "namingContexts");
4114 if ((el == NULL) || (el->num_values < 3)) {
4115 struct ldb_message *tmp_msg;
4116
4117 DEBUG(5,("dsdb_find_nc_root: Finding a valid 'namingContexts' element in the RootDSE failed. Using a temporary list.\n"));
4118
4119 /* This generates a temporary list of NCs in order to let the
4120 * provisioning work. */
4121 tmp_msg = ldb_msg_new(tmp_ctx);
4122 if (tmp_msg == NULL) {
4123 talloc_free(tmp_ctx);
4124 return ldb_oom(samdb);
4125 }
4126 ret = ldb_msg_add_steal_string(tmp_msg, "namingContexts",
4127 ldb_dn_alloc_linearized(tmp_msg, ldb_get_schema_basedn(samdb)));
4128 if (ret != LDB_SUCCESS) {
4129 talloc_free(tmp_ctx);
4130 return ret;
4131 }
4132 ret = ldb_msg_add_steal_string(tmp_msg, "namingContexts",
4133 ldb_dn_alloc_linearized(tmp_msg, ldb_get_config_basedn(samdb)));
4134 if (ret != LDB_SUCCESS) {
4135 talloc_free(tmp_ctx);
4136 return ret;
4137 }
4138 ret = ldb_msg_add_steal_string(tmp_msg, "namingContexts",
4139 ldb_dn_alloc_linearized(tmp_msg, ldb_get_default_basedn(samdb)));
4140 if (ret != LDB_SUCCESS) {
4141 talloc_free(tmp_ctx);
4142 return ret;
4143 }
4144 el = &tmp_msg->elements[0];
4145 }
4146
4147 nc_dns = talloc_array(tmp_ctx, struct ldb_dn *, el->num_values);
4148 if (!nc_dns) {
4149 talloc_free(tmp_ctx);
4150 return ldb_oom(samdb);
4151 }
4152
4153 for (i=0; i<el->num_values; i++) {
4154 nc_dns[i] = ldb_dn_from_ldb_val(nc_dns, samdb, &el->values[i]);
4155 if (nc_dns[i] == NULL) {
4156 talloc_free(tmp_ctx);
4157 return ldb_operr(samdb);
4158 }
4159 }
4160
4161 TYPESAFE_QSORT(nc_dns, el->num_values, dsdb_dn_compare_ptrs);
4162
4163 for (i=0; i<el->num_values; i++) {
4164 if (ldb_dn_compare_base(nc_dns[i], dn) == 0) {
4165 (*nc_root) = talloc_steal(mem_ctx, nc_dns[i]);
4166 talloc_free(tmp_ctx);
4167 return LDB_SUCCESS;
4168 }
4169 }
4170
4171 talloc_free(tmp_ctx);
4172 return ldb_error(samdb, LDB_ERR_NO_SUCH_OBJECT, __func__);
4173 }
4174
4175
4176 /*
4177 find the deleted objects DN for any object, by looking for the NC
4178 root, then looking up the wellknown GUID
4179 */
4180 int dsdb_get_deleted_objects_dn(struct ldb_context *ldb,
4181 TALLOC_CTX *mem_ctx, struct ldb_dn *obj_dn,
4182 struct ldb_dn **do_dn)
4183 {
4184 struct ldb_dn *nc_root;
4185 int ret;
4186
4187 ret = dsdb_find_nc_root(ldb, mem_ctx, obj_dn, &nc_root);
4188 if (ret != LDB_SUCCESS) {
4189 return ret;
4190 }
4191
4192 ret = dsdb_wellknown_dn(ldb, mem_ctx, nc_root, DS_GUID_DELETED_OBJECTS_CONTAINER, do_dn);
4193 talloc_free(nc_root);
4194 return ret;
4195 }
4196
4197 /*
4198 return the tombstoneLifetime, in days
4199 */
4200 int dsdb_tombstone_lifetime(struct ldb_context *ldb, uint32_t *lifetime)
4201 {
4202 struct ldb_dn *dn;
4203 dn = ldb_get_config_basedn(ldb);
4204 if (!dn) {
4205 return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__);
4206 }
4207 dn = ldb_dn_copy(ldb, dn);
4208 if (!dn) {
4209 return ldb_operr(ldb);
4210 }
4211 /* see MS-ADTS section 7.1.1.2.4.1.1. There doesn't appear to
4212 be a wellknown GUID for this */
4213 if (!ldb_dn_add_child_fmt(dn, "CN=Directory Service,CN=Windows NT,CN=Services")) {
4214 talloc_free(dn);
4215 return ldb_operr(ldb);
4216 }
4217
4218 *lifetime = samdb_search_uint(ldb, dn, 180, dn, "tombstoneLifetime", "objectClass=nTDSService");
4219 talloc_free(dn);
4220 return LDB_SUCCESS;
4221 }
4222
4223 /*
4224 compare a ldb_val to a string case insensitively
4225 */
4226 int samdb_ldb_val_case_cmp(const char *s, struct ldb_val *v)
4227 {
4228 size_t len = strlen(s);
4229 int ret;
4230 if (len > v->length) return 1;
4231 ret = strncasecmp(s, (const char *)v->data, v->length);
4232 if (ret != 0) return ret;
4233 if (v->length > len && v->data[len] != 0) {
4234 return -1;
4235 }
4236 return 0;
4237 }
4238
4239
4240 /*
4241 load the UDV for a partition in v2 format
4242 The list is returned sorted, and with our local cursor added
4243 */
4244 int dsdb_load_udv_v2(struct ldb_context *samdb, struct ldb_dn *dn, TALLOC_CTX *mem_ctx,
4245 struct drsuapi_DsReplicaCursor2 **cursors, uint32_t *count)
4246 {
4247 static const char *attrs[] = { "replUpToDateVector", NULL };
4248 struct ldb_result *r = NULL;
4249 const struct ldb_val *ouv_value;
4250 unsigned int i;
4251 int ret;
4252 uint64_t highest_usn = 0;
4253 const struct GUID *our_invocation_id;
4254 static const struct timeval tv1970;
4255 NTTIME nt1970 = timeval_to_nttime(&tv1970);
4256
4257 ret = dsdb_search_dn(samdb, mem_ctx, &r, dn, attrs, DSDB_SEARCH_SHOW_RECYCLED|DSDB_SEARCH_SHOW_DELETED);
4258 if (ret != LDB_SUCCESS) {
4259 return ret;
4260 }
4261 /* fix clang warning */
4262 if (r == NULL) {
4263 return LDB_ERR_OTHER;
4264 }
4265 ouv_value = ldb_msg_find_ldb_val(r->msgs[0], "replUpToDateVector");
4266 if (ouv_value) {
4267 enum ndr_err_code ndr_err;
4268 struct replUpToDateVectorBlob ouv;
4269
4270 ndr_err = ndr_pull_struct_blob(ouv_value, r, &ouv,
4271 (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
4272 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4273 talloc_free(r);
4274 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
4275 }
4276 if (ouv.version != 2) {
4277 /* we always store as version 2, and
4278 * replUpToDateVector is not replicated
4279 */
4280 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
4281 }
4282
4283 *count = ouv.ctr.ctr2.count;
4284 *cursors = talloc_steal(mem_ctx, ouv.ctr.ctr2.cursors);
4285 } else {
4286 *count = 0;
4287 *cursors = NULL;
4288 }
4289
4290 talloc_free(r);
4291
4292 our_invocation_id = samdb_ntds_invocation_id(samdb);
4293 if (!our_invocation_id) {
4294 DEBUG(0,(__location__ ": No invocationID on samdb - %s\n", ldb_errstring(samdb)));
4295 talloc_free(*cursors);
4296 return ldb_operr(samdb);
4297 }
4298
4299 ret = ldb_sequence_number(samdb, LDB_SEQ_HIGHEST_SEQ, &highest_usn);
4300 if (ret != LDB_SUCCESS) {
4301 /* nothing to add - this can happen after a vampire */
4302 TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
4303 return LDB_SUCCESS;
4304 }
4305
4306 for (i=0; i<*count; i++) {
4307 if (GUID_equal(our_invocation_id, &(*cursors)[i].source_dsa_invocation_id)) {
4308 (*cursors)[i].highest_usn = highest_usn;
4309 (*cursors)[i].last_sync_success = nt1970;
4310 TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
4311 return LDB_SUCCESS;
4312 }
4313 }
4314
4315 (*cursors) = talloc_realloc(mem_ctx, *cursors, struct drsuapi_DsReplicaCursor2, (*count)+1);
4316 if (! *cursors) {
4317 return ldb_oom(samdb);
4318 }
4319
4320 (*cursors)[*count].source_dsa_invocation_id = *our_invocation_id;
4321 (*cursors)[*count].highest_usn = highest_usn;
4322 (*cursors)[*count].last_sync_success = nt1970;
4323 (*count)++;
4324
4325 TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
4326
4327 return LDB_SUCCESS;
4328 }
4329
4330 /*
4331 load the UDV for a partition in version 1 format
4332 The list is returned sorted, and with our local cursor added
4333 */
4334 int dsdb_load_udv_v1(struct ldb_context *samdb, struct ldb_dn *dn, TALLOC_CTX *mem_ctx,
4335 struct drsuapi_DsReplicaCursor **cursors, uint32_t *count)
4336 {
4337 struct drsuapi_DsReplicaCursor2 *v2 = NULL;
4338 uint32_t i;
4339 int ret;
4340
4341 ret = dsdb_load_udv_v2(samdb, dn, mem_ctx, &v2, count);
4342 if (ret != LDB_SUCCESS) {
4343 return ret;
4344 }
4345
4346 if (*count == 0) {
4347 talloc_free(v2);
4348 *cursors = NULL;
4349 return LDB_SUCCESS;
4350 }
4351
4352 *cursors = talloc_array(mem_ctx, struct drsuapi_DsReplicaCursor, *count);
4353 if (*cursors == NULL) {
4354 talloc_free(v2);
4355 return ldb_oom(samdb);
4356 }
4357
4358 for (i=0; i<*count; i++) {
4359 (*cursors)[i].source_dsa_invocation_id = v2[i].source_dsa_invocation_id;
4360 (*cursors)[i].highest_usn = v2[i].highest_usn;
4361 }
4362 talloc_free(v2);
4363 return LDB_SUCCESS;
4364 }
4365
4366 /*
4367 add a set of controls to a ldb_request structure based on a set of
4368 flags. See util.h for a list of available flags
4369 */
4370 int dsdb_request_add_controls(struct ldb_request *req, uint32_t dsdb_flags)
4371 {
4372 int ret;
4373 if (dsdb_flags & DSDB_SEARCH_SEARCH_ALL_PARTITIONS) {
4374 struct ldb_search_options_control *options;
4375 /* Using the phantom root control allows us to search all partitions */
4376 options = talloc(req, struct ldb_search_options_control);
4377 if (options == NULL) {
4378 return LDB_ERR_OPERATIONS_ERROR;
4379 }
4380 options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
4381
4382 ret = ldb_request_add_control(req,
4383 LDB_CONTROL_SEARCH_OPTIONS_OID,
4384 true, options);
4385 if (ret != LDB_SUCCESS) {
4386 return ret;
4387 }
4388 }
4389
4390 if (dsdb_flags & DSDB_SEARCH_NO_GLOBAL_CATALOG) {
4391 ret = ldb_request_add_control(req,
4392 DSDB_CONTROL_NO_GLOBAL_CATALOG,
4393 false, NULL);
4394 if (ret != LDB_SUCCESS) {
4395 return ret;
4396 }
4397 }
4398
4399 if (dsdb_flags & DSDB_SEARCH_SHOW_DELETED) {
4400 ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_DELETED_OID, true, NULL);
4401 if (ret != LDB_SUCCESS) {
4402 return ret;
4403 }
4404 }
4405
4406 if (dsdb_flags & DSDB_SEARCH_SHOW_RECYCLED) {
4407 ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_RECYCLED_OID, false, NULL);
4408 if (ret != LDB_SUCCESS) {
4409 return ret;
4410 }
4411 }
4412
4413 if (dsdb_flags & DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT) {
4414 ret = ldb_request_add_control(req, DSDB_CONTROL_DN_STORAGE_FORMAT_OID, false, NULL);
4415 if (ret != LDB_SUCCESS) {
4416 return ret;
4417 }
4418 }
4419
4420 if (dsdb_flags & DSDB_SEARCH_SHOW_EXTENDED_DN) {
4421 struct ldb_extended_dn_control *extended_ctrl = talloc(req, struct ldb_extended_dn_control);
4422 if (!extended_ctrl) {
4423 return LDB_ERR_OPERATIONS_ERROR;
4424 }
4425 extended_ctrl->type = 1;
4426
4427 ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, extended_ctrl);
4428 if (ret != LDB_SUCCESS) {
4429 return ret;
4430 }
4431 }
4432
4433 if (dsdb_flags & DSDB_SEARCH_REVEAL_INTERNALS) {
4434 ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
4435 if (ret != LDB_SUCCESS) {
4436 return ret;
4437 }
4438 }
4439
4440 if (dsdb_flags & DSDB_MODIFY_RELAX) {
4441 ret = ldb_request_add_control(req, LDB_CONTROL_RELAX_OID, false, NULL);
4442 if (ret != LDB_SUCCESS) {
4443 return ret;
4444 }
4445 }
4446
4447 if (dsdb_flags & DSDB_MODIFY_PERMISSIVE) {
4448 ret = ldb_request_add_control(req, LDB_CONTROL_PERMISSIVE_MODIFY_OID, false, NULL);
4449 if (ret != LDB_SUCCESS) {
4450 return ret;
4451 }
4452 }
4453
4454 if (dsdb_flags & DSDB_FLAG_AS_SYSTEM) {
4455 ret = ldb_request_add_control(req, LDB_CONTROL_AS_SYSTEM_OID, false, NULL);
4456 if (ret != LDB_SUCCESS) {
4457 return ret;
4458 }
4459 }
4460
4461 if (dsdb_flags & DSDB_TREE_DELETE) {
4462 ret = ldb_request_add_control(req, LDB_CONTROL_TREE_DELETE_OID, false, NULL);
4463 if (ret != LDB_SUCCESS) {
4464 return ret;
4465 }
4466 }
4467
4468 if (dsdb_flags & DSDB_PROVISION) {
4469 ret = ldb_request_add_control(req, LDB_CONTROL_PROVISION_OID, false, NULL);
4470 if (ret != LDB_SUCCESS) {
4471 return ret;
4472 }
4473 }
4474
4475 /* This is a special control to bypass the password_hash module for use in pdb_samba4 for Samba3 upgrades */
4476 if (dsdb_flags & DSDB_BYPASS_PASSWORD_HASH) {
4477 ret = ldb_request_add_control(req, DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID, true, NULL);
4478 if (ret != LDB_SUCCESS) {
4479 return ret;
4480 }
4481 }
4482
4483 if (dsdb_flags & DSDB_PASSWORD_BYPASS_LAST_SET) {
4484 /*
4485 * This must not be critical, as it will only be
4486 * handled (and need to be handled) if the other
4487 * attributes in the request bring password_hash into
4488 * action
4489 */
4490 ret = ldb_request_add_control(req, DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID, false, NULL);
4491 if (ret != LDB_SUCCESS) {
4492 return ret;
4493 }
4494 }
4495
4496 if (dsdb_flags & DSDB_REPLMD_VANISH_LINKS) {
4497 ret = ldb_request_add_control(req, DSDB_CONTROL_REPLMD_VANISH_LINKS, true, NULL);
4498 if (ret != LDB_SUCCESS) {
4499 return ret;
4500 }
4501 }
4502
4503 if (dsdb_flags & DSDB_MODIFY_PARTIAL_REPLICA) {
4504 ret = ldb_request_add_control(req, DSDB_CONTROL_PARTIAL_REPLICA, false, NULL);
4505 if (ret != LDB_SUCCESS) {
4506 return ret;
4507 }
4508 }
4509
4510 if (dsdb_flags & DSDB_FLAG_REPLICATED_UPDATE) {
4511 ret = ldb_request_add_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID, false, NULL);
4512 if (ret != LDB_SUCCESS) {
4513 return ret;
4514 }
4515 }
4516
4517 return LDB_SUCCESS;
4518 }
4519
4520 /*
4521 returns true if a control with the specified "oid" exists
4522 */
4523 bool dsdb_request_has_control(struct ldb_request *req, const char *oid)
4524 {
4525 return (ldb_request_get_control(req, oid) != NULL);
4526 }
4527
4528 /*
4529 an add with a set of controls
4530 */
4531 int dsdb_add(struct ldb_context *ldb, const struct ldb_message *message,
4532 uint32_t dsdb_flags)
4533 {
4534 struct ldb_request *req;
4535 int ret;
4536
4537 ret = ldb_build_add_req(&req, ldb, ldb,
4538 message,
4539 NULL,
4540 NULL,
4541 ldb_op_default_callback,
4542 NULL);
4543
4544 if (ret != LDB_SUCCESS) return ret;
4545
4546 ret = dsdb_request_add_controls(req, dsdb_flags);
4547 if (ret != LDB_SUCCESS) {
4548 talloc_free(req);
4549 return ret;
4550 }
4551
4552 ret = dsdb_autotransaction_request(ldb, req);
4553
4554 talloc_free(req);
4555 return ret;
4556 }
4557
4558 /*
4559 a modify with a set of controls
4560 */
4561 int dsdb_modify(struct ldb_context *ldb, const struct ldb_message *message,
4562 uint32_t dsdb_flags)
4563 {
4564 struct ldb_request *req;
4565 int ret;
4566
4567 ret = ldb_build_mod_req(&req, ldb, ldb,
4568 message,
4569 NULL,
4570 NULL,
4571 ldb_op_default_callback,
4572 NULL);
4573
4574 if (ret != LDB_SUCCESS) return ret;
4575
4576 ret = dsdb_request_add_controls(req, dsdb_flags);
4577 if (ret != LDB_SUCCESS) {
4578 talloc_free(req);
4579 return ret;
4580 }
4581
4582 ret = dsdb_autotransaction_request(ldb, req);
4583
4584 talloc_free(req);
4585 return ret;
4586 }
4587
4588 /*
4589 a delete with a set of flags
4590 */
4591 int dsdb_delete(struct ldb_context *ldb, struct ldb_dn *dn,
4592 uint32_t dsdb_flags)
4593 {
4594 struct ldb_request *req;
4595 int ret;
4596
4597 ret = ldb_build_del_req(&req, ldb, ldb,
4598 dn,
4599 NULL,
4600 NULL,
4601 ldb_op_default_callback,
4602 NULL);
4603
4604 if (ret != LDB_SUCCESS) return ret;
4605
4606 ret = dsdb_request_add_controls(req, dsdb_flags);
4607 if (ret != LDB_SUCCESS) {
4608 talloc_free(req);
4609 return ret;
4610 }
4611
4612 ret = dsdb_autotransaction_request(ldb, req);
4613
4614 talloc_free(req);
4615 return ret;
4616 }
4617
4618 /*
4619 like dsdb_modify() but set all the element flags to
4620 LDB_FLAG_MOD_REPLACE
4621 */
4622 int dsdb_replace(struct ldb_context *ldb, struct ldb_message *msg, uint32_t dsdb_flags)
4623 {
4624 unsigned int i;
4625
4626 /* mark all the message elements as LDB_FLAG_MOD_REPLACE */
4627 for (i=0;i<msg->num_elements;i++) {
4628 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
4629 }
4630
4631 return dsdb_modify(ldb, msg, dsdb_flags);
4632 }
4633
4634
4635 /*
4636 search for attrs on one DN, allowing for dsdb_flags controls
4637 */
4638 int dsdb_search_dn(struct ldb_context *ldb,
4639 TALLOC_CTX *mem_ctx,
4640 struct ldb_result **_result,
4641 struct ldb_dn *basedn,
4642 const char * const *attrs,
4643 uint32_t dsdb_flags)
4644 {
4645 int ret;
4646 struct ldb_request *req;
4647 struct ldb_result *res;
4648
4649 res = talloc_zero(mem_ctx, struct ldb_result);
4650 if (!res) {
4651 return ldb_oom(ldb);
4652 }
4653
4654 ret = ldb_build_search_req(&req, ldb, res,
4655 basedn,
4656 LDB_SCOPE_BASE,
4657 NULL,
4658 attrs,
4659 NULL,
4660 res,
4661 ldb_search_default_callback,
4662 NULL);
4663 if (ret != LDB_SUCCESS) {
4664 talloc_free(res);
4665 return ret;
4666 }
4667
4668 ret = dsdb_request_add_controls(req, dsdb_flags);
4669 if (ret != LDB_SUCCESS) {
4670 talloc_free(res);
4671 return ret;
4672 }
4673
4674 ret = ldb_request(ldb, req);
4675 if (ret == LDB_SUCCESS) {
4676 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
4677 }
4678
4679 talloc_free(req);
4680 if (ret != LDB_SUCCESS) {
4681 talloc_free(res);
4682 return ret;
4683 }
4684
4685 *_result = res;
4686 return LDB_SUCCESS;
4687 }
4688
4689 /*
4690 search for attrs on one DN, by the GUID of the DN, allowing for
4691 dsdb_flags controls
4692 */
4693 int dsdb_search_by_dn_guid(struct ldb_context *ldb,
4694 TALLOC_CTX *mem_ctx,
4695 struct ldb_result **_result,
4696 const struct GUID *guid,
4697 const char * const *attrs,
4698 uint32_t dsdb_flags)
4699 {
4700 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
4701 struct ldb_dn *dn;
4702 int ret;
4703
4704 dn = ldb_dn_new_fmt(tmp_ctx, ldb, "<GUID=%s>", GUID_string(tmp_ctx, guid));
4705 if (dn == NULL) {
4706 talloc_free(tmp_ctx);
4707 return ldb_oom(ldb);
4708 }
4709
4710 ret = dsdb_search_dn(ldb, mem_ctx, _result, dn, attrs, dsdb_flags);
4711 talloc_free(tmp_ctx);
4712 return ret;
4713 }
4714
4715 /*
4716 general search with dsdb_flags for controls
4717 */
4718 int dsdb_search(struct ldb_context *ldb,
4719 TALLOC_CTX *mem_ctx,
4720 struct ldb_result **_result,
4721 struct ldb_dn *basedn,
4722 enum ldb_scope scope,
4723 const char * const *attrs,
4724 uint32_t dsdb_flags,
4725 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(8, 9)
4726 {
4727 int ret;
4728 struct ldb_request *req;
4729 struct ldb_result *res;
4730 va_list ap;
4731 char *expression = NULL;
4732 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
4733
4734 /* cross-partitions searches with a basedn break multi-domain support */
4735 SMB_ASSERT(basedn == NULL || (dsdb_flags & DSDB_SEARCH_SEARCH_ALL_PARTITIONS) == 0);
4736
4737 res = talloc_zero(tmp_ctx, struct ldb_result);
4738 if (!res) {
4739 talloc_free(tmp_ctx);
4740 return ldb_oom(ldb);
4741 }
4742
4743 if (exp_fmt) {
4744 va_start(ap, exp_fmt);
4745 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
4746 va_end(ap);
4747
4748 if (!expression) {
4749 talloc_free(tmp_ctx);
4750 return ldb_oom(ldb);
4751 }
4752 }
4753
4754 ret = ldb_build_search_req(&req, ldb, tmp_ctx,
4755 basedn,
4756 scope,
4757 expression,
4758 attrs,
4759 NULL,
4760 res,
4761 ldb_search_default_callback,
4762 NULL);
4763 if (ret != LDB_SUCCESS) {
4764 talloc_free(tmp_ctx);
4765 return ret;
4766 }
4767
4768 ret = dsdb_request_add_controls(req, dsdb_flags);
4769 if (ret != LDB_SUCCESS) {
4770 talloc_free(tmp_ctx);
4771 ldb_reset_err_string(ldb);
4772 return ret;
4773 }
4774
4775 ret = ldb_request(ldb, req);
4776 if (ret == LDB_SUCCESS) {
4777 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
4778 }
4779
4780 if (ret != LDB_SUCCESS) {
4781 talloc_free(tmp_ctx);
4782 return ret;
4783 }
4784
4785 if (dsdb_flags & DSDB_SEARCH_ONE_ONLY) {
4786 if (res->count == 0) {
4787 talloc_free(tmp_ctx);
4788 ldb_reset_err_string(ldb);
4789 return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__);
4790 }
4791 if (res->count != 1) {
4792 talloc_free(tmp_ctx);
4793 ldb_reset_err_string(ldb);
4794 return LDB_ERR_CONSTRAINT_VIOLATION;
4795 }
4796 }
4797
4798 *_result = talloc_steal(mem_ctx, res);
4799 talloc_free(tmp_ctx);
4800
4801 return LDB_SUCCESS;
4802 }
4803
4804
4805 /*
4806 general search with dsdb_flags for controls
4807 returns exactly 1 record or an error
4808 */
4809 int dsdb_search_one(struct ldb_context *ldb,
4810 TALLOC_CTX *mem_ctx,
4811 struct ldb_message **msg,
4812 struct ldb_dn *basedn,
4813 enum ldb_scope scope,
4814 const char * const *attrs,
4815 uint32_t dsdb_flags,
4816 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(8, 9)
4817 {
4818 int ret;
4819 struct ldb_result *res;
4820 va_list ap;
4821 char *expression = NULL;
4822 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
4823
4824 dsdb_flags |= DSDB_SEARCH_ONE_ONLY;
4825
4826 res = talloc_zero(tmp_ctx, struct ldb_result);
4827 if (!res) {
4828 talloc_free(tmp_ctx);
4829 return ldb_oom(ldb);
4830 }
4831
4832 if (exp_fmt) {
4833 va_start(ap, exp_fmt);
4834 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
4835 va_end(ap);
4836
4837 if (!expression) {
4838 talloc_free(tmp_ctx);
4839 return ldb_oom(ldb);
4840 }
4841 ret = dsdb_search(ldb, tmp_ctx, &res, basedn, scope, attrs,
4842 dsdb_flags, "%s", expression);
4843 } else {
4844 ret = dsdb_search(ldb, tmp_ctx, &res, basedn, scope, attrs,
4845 dsdb_flags, NULL);
4846 }
4847
4848 if (ret != LDB_SUCCESS) {
4849 talloc_free(tmp_ctx);
4850 return ret;
4851 }
4852
4853 *msg = talloc_steal(mem_ctx, res->msgs[0]);
4854 talloc_free(tmp_ctx);
4855
4856 return LDB_SUCCESS;
4857 }
4858
4859 /* returns back the forest DNS name */
4860 const char *samdb_forest_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
4861 {
4862 const char *forest_name = ldb_dn_canonical_string(mem_ctx,
4863 ldb_get_root_basedn(ldb));
4864 char *p;
4865
4866 if (forest_name == NULL) {
4867 return NULL;
4868 }
4869
4870 p = strchr(forest_name, '/');
4871 if (p) {
4872 *p = '\0';
4873 }
4874
4875 return forest_name;
4876 }
4877
4878 /* returns back the default domain DNS name */
4879 const char *samdb_default_domain_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
4880 {
4881 const char *domain_name = ldb_dn_canonical_string(mem_ctx,
4882 ldb_get_default_basedn(ldb));
4883 char *p;
4884
4885 if (domain_name == NULL) {
4886 return NULL;
4887 }
4888
4889 p = strchr(domain_name, '/');
4890 if (p) {
4891 *p = '\0';
4892 }
4893
4894 return domain_name;
4895 }
4896
4897 /*
4898 validate that an DSA GUID belongs to the specified user sid.
4899 The user SID must be a domain controller account (either RODC or
4900 RWDC)
4901 */
4902 int dsdb_validate_dsa_guid(struct ldb_context *ldb,
4903 const struct GUID *dsa_guid,
4904 const struct dom_sid *sid)
4905 {
4906 /* strategy:
4907 - find DN of record with the DSA GUID in the
4908 configuration partition (objectGUID)
4909 - remove "NTDS Settings" component from DN
4910 - do a base search on that DN for serverReference with
4911 extended-dn enabled
4912 - extract objectSid from resulting serverReference
4913 attribute
4914 - check this sid matches the sid argument
4915 */
4916 struct ldb_dn *config_dn;
4917 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
4918 struct ldb_message *msg;
4919 const char *attrs1[] = { NULL };
4920 const char *attrs2[] = { "serverReference", NULL };
4921 int ret;
4922 struct ldb_dn *dn, *account_dn;
4923 struct dom_sid sid2;
4924 NTSTATUS status;
4925
4926 config_dn = ldb_get_config_basedn(ldb);
4927
4928 ret = dsdb_search_one(ldb, tmp_ctx, &msg, config_dn, LDB_SCOPE_SUBTREE,
4929 attrs1, 0, "(&(objectGUID=%s)(objectClass=nTDSDSA))", GUID_string(tmp_ctx, dsa_guid));
4930 if (ret != LDB_SUCCESS) {
4931 DEBUG(1,(__location__ ": Failed to find DSA objectGUID %s for sid %s\n",
4932 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
4933 talloc_free(tmp_ctx);
4934 return ldb_operr(ldb);
4935 }
4936 dn = msg->dn;
4937
4938 if (!ldb_dn_remove_child_components(dn, 1)) {
4939 talloc_free(tmp_ctx);
4940 return ldb_operr(ldb);
4941 }
4942
4943 ret = dsdb_search_one(ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE,
4944 attrs2, DSDB_SEARCH_SHOW_EXTENDED_DN,
4945 "(objectClass=server)");
4946 if (ret != LDB_SUCCESS) {
4947 DEBUG(1,(__location__ ": Failed to find server record for DSA with objectGUID %s, sid %s\n",
4948 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
4949 talloc_free(tmp_ctx);
4950 return ldb_operr(ldb);
4951 }
4952
4953 account_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, msg, "serverReference");
4954 if (account_dn == NULL) {
4955 DEBUG(1,(__location__ ": Failed to find account dn "
4956 "(serverReference) for %s, parent of DSA with "
4957 "objectGUID %s, sid %s\n",
4958 ldb_dn_get_linearized(msg->dn),
4959 GUID_string(tmp_ctx, dsa_guid),
4960 dom_sid_string(tmp_ctx, sid)));
4961 talloc_free(tmp_ctx);
4962 return ldb_operr(ldb);
4963 }
4964
4965 status = dsdb_get_extended_dn_sid(account_dn, &sid2, "SID");
4966 if (!NT_STATUS_IS_OK(status)) {
4967 DEBUG(1,(__location__ ": Failed to find SID for DSA with objectGUID %s, sid %s\n",
4968 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
4969 talloc_free(tmp_ctx);
4970 return ldb_operr(ldb);
4971 }
4972
4973 if (!dom_sid_equal(sid, &sid2)) {
4974 /* someone is trying to spoof another account */
4975 DEBUG(0,(__location__ ": Bad DSA objectGUID %s for sid %s - expected sid %s\n",
4976 GUID_string(tmp_ctx, dsa_guid),
4977 dom_sid_string(tmp_ctx, sid),
4978 dom_sid_string(tmp_ctx, &sid2)));
4979 talloc_free(tmp_ctx);
4980 return ldb_operr(ldb);
4981 }
4982
4983 talloc_free(tmp_ctx);
4984 return LDB_SUCCESS;
4985 }
4986
4987 static const char * const secret_attributes[] = {
4988 DSDB_SECRET_ATTRIBUTES,
4989 NULL
4990 };
4991
4992 /*
4993 check if the attribute belongs to the RODC filtered attribute set
4994 Note that attributes that are in the filtered attribute set are the
4995 ones that _are_ always sent to a RODC
4996 */
4997 bool dsdb_attr_in_rodc_fas(const struct dsdb_attribute *sa)
4998 {
4999 /* they never get secret attributes */
5000 if (is_attr_in_list(secret_attributes, sa->lDAPDisplayName)) {
5001 return false;
5002 }
5003
5004 /* they do get non-secret critical attributes */
5005 if (sa->schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) {
5006 return true;
5007 }
5008
5009 /* they do get non-secret attributes marked as being in the FAS */
5010 if (sa->searchFlags & SEARCH_FLAG_RODC_ATTRIBUTE) {
5011 return true;
5012 }
5013
5014 /* other attributes are denied */
5015 return false;
5016 }
5017
5018 /* return fsmo role dn and role owner dn for a particular role*/
5019 WERROR dsdb_get_fsmo_role_info(TALLOC_CTX *tmp_ctx,
5020 struct ldb_context *ldb,
5021 uint32_t role,
5022 struct ldb_dn **fsmo_role_dn,
5023 struct ldb_dn **role_owner_dn)
5024 {
5025 int ret;
5026 switch (role) {
5027 case DREPL_NAMING_MASTER:
5028 *fsmo_role_dn = samdb_partitions_dn(ldb, tmp_ctx);
5029 ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
5030 if (ret != LDB_SUCCESS) {
5031 DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Naming Master object - %s",
5032 ldb_errstring(ldb)));
5033 talloc_free(tmp_ctx);
5034 return WERR_DS_DRA_INTERNAL_ERROR;
5035 }
5036 break;
5037 case DREPL_INFRASTRUCTURE_MASTER:
5038 *fsmo_role_dn = samdb_infrastructure_dn(ldb, tmp_ctx);
5039 ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
5040 if (ret != LDB_SUCCESS) {
5041 DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Schema Master object - %s",
5042 ldb_errstring(ldb)));
5043 talloc_free(tmp_ctx);
5044 return WERR_DS_DRA_INTERNAL_ERROR;
5045 }
5046 break;
5047 case DREPL_RID_MASTER:
5048 ret = samdb_rid_manager_dn(ldb, tmp_ctx, fsmo_role_dn);
5049 if (ret != LDB_SUCCESS) {
5050 DEBUG(0, (__location__ ": Failed to find RID Manager object - %s", ldb_errstring(ldb)));
5051 talloc_free(tmp_ctx);
5052 return WERR_DS_DRA_INTERNAL_ERROR;
5053 }
5054
5055 ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
5056 if (ret != LDB_SUCCESS) {
5057 DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in RID Manager object - %s",
5058 ldb_errstring(ldb)));
5059 talloc_free(tmp_ctx);
5060 return WERR_DS_DRA_INTERNAL_ERROR;
5061 }
5062 break;
5063 case DREPL_SCHEMA_MASTER:
5064 *fsmo_role_dn = ldb_get_schema_basedn(ldb);
5065 ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
5066 if (ret != LDB_SUCCESS) {
5067 DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Schema Master object - %s",
5068 ldb_errstring(ldb)));
5069 talloc_free(tmp_ctx);
5070 return WERR_DS_DRA_INTERNAL_ERROR;
5071 }
5072 break;
5073 case DREPL_PDC_MASTER:
5074 *fsmo_role_dn = ldb_get_default_basedn(ldb);
5075 ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
5076 if (ret != LDB_SUCCESS) {
5077 DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Pd Master object - %s",
5078 ldb_errstring(ldb)));
5079 talloc_free(tmp_ctx);
5080 return WERR_DS_DRA_INTERNAL_ERROR;
5081 }
5082 break;
5083 default:
5084 return WERR_DS_DRA_INTERNAL_ERROR;
5085 }
5086 return WERR_OK;
5087 }
5088
5089 const char *samdb_dn_to_dnshostname(struct ldb_context *ldb,
5090 TALLOC_CTX *mem_ctx,
5091 struct ldb_dn *server_dn)
5092 {
5093 int ldb_ret;
5094 struct ldb_result *res = NULL;
5095 const char * const attrs[] = { "dNSHostName", NULL};
5096
5097 ldb_ret = ldb_search(ldb, mem_ctx, &res,
5098 server_dn,
5099 LDB_SCOPE_BASE,
5100 attrs, NULL);
5101 if (ldb_ret != LDB_SUCCESS) {
5102 DEBUG(4, ("Failed to find dNSHostName for dn %s, ldb error: %s",
5103 ldb_dn_get_linearized(server_dn), ldb_errstring(ldb)));
5104 return NULL;
5105 }
5106
5107 return ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
5108 }
5109
5110 /*
5111 returns true if an attribute is in the filter,
5112 false otherwise, provided that attribute value is provided with the expression
5113 */
5114 bool dsdb_attr_in_parse_tree(struct ldb_parse_tree *tree,
5115 const char *attr)
5116 {
5117 unsigned int i;
5118 switch (tree->operation) {
5119 case LDB_OP_AND:
5120 case LDB_OP_OR:
5121 for (i=0;i<tree->u.list.num_elements;i++) {
5122 if (dsdb_attr_in_parse_tree(tree->u.list.elements[i],
5123 attr))
5124 return true;
5125 }
5126 return false;
5127 case LDB_OP_NOT:
5128 return dsdb_attr_in_parse_tree(tree->u.isnot.child, attr);
5129 case LDB_OP_EQUALITY:
5130 case LDB_OP_GREATER:
5131 case LDB_OP_LESS:
5132 case LDB_OP_APPROX:
5133 if (ldb_attr_cmp(tree->u.equality.attr, attr) == 0) {
5134 return true;
5135 }
5136 return false;
5137 case LDB_OP_SUBSTRING:
5138 if (ldb_attr_cmp(tree->u.substring.attr, attr) == 0) {
5139 return true;
5140 }
5141 return false;
5142 case LDB_OP_PRESENT:
5143 /* (attrname=*) is not filtered out */
5144 return false;
5145 case LDB_OP_EXTENDED:
5146 if (tree->u.extended.attr &&
5147 ldb_attr_cmp(tree->u.extended.attr, attr) == 0) {
5148 return true;
5149 }
5150 return false;
5151 }
5152 return false;
5153 }
5154
5155 bool is_attr_in_list(const char * const * attrs, const char *attr)
5156 {
5157 unsigned int i;
5158
5159 for (i = 0; attrs[i]; i++) {
5160 if (ldb_attr_cmp(attrs[i], attr) == 0)
5161 return true;
5162 }
5163
5164 return false;
5165 }
5166
5167 int dsdb_werror_at(struct ldb_context *ldb, int ldb_ecode, WERROR werr,
5168 const char *location, const char *func,
5169 const char *reason)
5170 {
5171 if (reason == NULL) {
5172 reason = win_errstr(werr);
5173 }
5174 ldb_asprintf_errstring(ldb, "%08X: %s at %s:%s",
5175 W_ERROR_V(werr), reason, location, func);
5176 return ldb_ecode;
5177 }
5178
5179 /*
5180 map an ldb error code to an approximate NTSTATUS code
5181 */
5182 NTSTATUS dsdb_ldb_err_to_ntstatus(int err)
5183 {
5184 switch (err) {
5185 case LDB_SUCCESS:
5186 return NT_STATUS_OK;
5187
5188 case LDB_ERR_PROTOCOL_ERROR:
5189 return NT_STATUS_DEVICE_PROTOCOL_ERROR;
5190
5191 case LDB_ERR_TIME_LIMIT_EXCEEDED:
5192 return NT_STATUS_IO_TIMEOUT;
5193
5194 case LDB_ERR_SIZE_LIMIT_EXCEEDED:
5195 return NT_STATUS_BUFFER_TOO_SMALL;
5196
5197 case LDB_ERR_COMPARE_FALSE:
5198 case LDB_ERR_COMPARE_TRUE:
5199 return NT_STATUS_REVISION_MISMATCH;
5200
5201 case LDB_ERR_AUTH_METHOD_NOT_SUPPORTED:
5202 return NT_STATUS_NOT_SUPPORTED;
5203
5204 case LDB_ERR_STRONG_AUTH_REQUIRED:
5205 case LDB_ERR_CONFIDENTIALITY_REQUIRED:
5206 case LDB_ERR_SASL_BIND_IN_PROGRESS:
5207 case LDB_ERR_INAPPROPRIATE_AUTHENTICATION:
5208 case LDB_ERR_INVALID_CREDENTIALS:
5209 case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
5210 case LDB_ERR_UNWILLING_TO_PERFORM:
5211 return NT_STATUS_ACCESS_DENIED;
5212
5213 case LDB_ERR_NO_SUCH_OBJECT:
5214 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
5215
5216 case LDB_ERR_REFERRAL:
5217 case LDB_ERR_NO_SUCH_ATTRIBUTE:
5218 return NT_STATUS_NOT_FOUND;
5219
5220 case LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION:
5221 return NT_STATUS_NOT_SUPPORTED;
5222
5223 case LDB_ERR_ADMIN_LIMIT_EXCEEDED:
5224 return NT_STATUS_BUFFER_TOO_SMALL;
5225
5226 case LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE:
5227 case LDB_ERR_INAPPROPRIATE_MATCHING:
5228 case LDB_ERR_CONSTRAINT_VIOLATION:
5229 case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX:
5230 case LDB_ERR_INVALID_DN_SYNTAX:
5231 case LDB_ERR_NAMING_VIOLATION:
5232 case LDB_ERR_OBJECT_CLASS_VIOLATION:
5233 case LDB_ERR_NOT_ALLOWED_ON_NON_LEAF:
5234 case LDB_ERR_NOT_ALLOWED_ON_RDN:
5235 return NT_STATUS_INVALID_PARAMETER;
5236
5237 case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS:
5238 case LDB_ERR_ENTRY_ALREADY_EXISTS:
5239 return NT_STATUS_ERROR_DS_OBJ_STRING_NAME_EXISTS;
5240
5241 case LDB_ERR_BUSY:
5242 return NT_STATUS_NETWORK_BUSY;
5243
5244 case LDB_ERR_ALIAS_PROBLEM:
5245 case LDB_ERR_ALIAS_DEREFERENCING_PROBLEM:
5246 case LDB_ERR_UNAVAILABLE:
5247 case LDB_ERR_LOOP_DETECT:
5248 case LDB_ERR_OBJECT_CLASS_MODS_PROHIBITED:
5249 case LDB_ERR_AFFECTS_MULTIPLE_DSAS:
5250 case LDB_ERR_OTHER:
5251 case LDB_ERR_OPERATIONS_ERROR:
5252 break;
5253 }
5254 return NT_STATUS_UNSUCCESSFUL;
5255 }
5256
5257
5258 /*
5259 create a new naming context that will hold a partial replica
5260 */
5261 int dsdb_create_partial_replica_NC(struct ldb_context *ldb, struct ldb_dn *dn)
5262 {
5263 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
5264 struct ldb_message *msg;
5265 int ret;
5266
5267 msg = ldb_msg_new(tmp_ctx);
5268 if (msg == NULL) {
5269 talloc_free(tmp_ctx);
5270 return ldb_oom(ldb);
5271 }
5272
5273 msg->dn = dn;
5274 ret = ldb_msg_add_string(msg, "objectClass", "top");
5275 if (ret != LDB_SUCCESS) {
5276 talloc_free(tmp_ctx);
5277 return ldb_oom(ldb);
5278 }
5279
5280 /* [MS-DRSR] implies that we should only add the 'top'
5281 * objectclass, but that would cause lots of problems with our
5282 * objectclass code as top is not structural, so we add
5283 * 'domainDNS' as well to keep things sane. We're expecting
5284 * this new NC to be of objectclass domainDNS after
5285 * replication anyway
5286 */
5287 ret = ldb_msg_add_string(msg, "objectClass", "domainDNS");
5288 if (ret != LDB_SUCCESS) {
5289 talloc_free(tmp_ctx);
5290 return ldb_oom(ldb);
5291 }
5292
5293 ret = ldb_msg_add_fmt(msg, "instanceType", "%u",
5294 INSTANCE_TYPE_IS_NC_HEAD|
5295 INSTANCE_TYPE_NC_ABOVE|
5296 INSTANCE_TYPE_UNINSTANT);
5297 if (ret != LDB_SUCCESS) {
5298 talloc_free(tmp_ctx);
5299 return ldb_oom(ldb);
5300 }
5301
5302 ret = dsdb_add(ldb, msg, DSDB_MODIFY_PARTIAL_REPLICA);
5303 if (ret != LDB_SUCCESS && ret != LDB_ERR_ENTRY_ALREADY_EXISTS) {
5304 DEBUG(0,("Failed to create new NC for %s - %s (%s)\n",
5305 ldb_dn_get_linearized(dn),
5306 ldb_errstring(ldb), ldb_strerror(ret)));
5307 talloc_free(tmp_ctx);
5308 return ret;
5309 }
5310
5311 DEBUG(1,("Created new NC for %s\n", ldb_dn_get_linearized(dn)));
5312
5313 talloc_free(tmp_ctx);
5314 return LDB_SUCCESS;
5315 }
5316
5317 /*
5318 * Return the effective badPwdCount
5319 *
5320 * This requires that the user_msg have (if present):
5321 * - badPasswordTime
5322 * - badPwdCount
5323 *
5324 * This also requires that the domain_msg have (if present):
5325 * - lockOutObservationWindow
5326 */
5327 static int dsdb_effective_badPwdCount(const struct ldb_message *user_msg,
5328 int64_t lockOutObservationWindow,
5329 NTTIME now)
5330 {
5331 int64_t badPasswordTime;
5332 badPasswordTime = ldb_msg_find_attr_as_int64(user_msg, "badPasswordTime", 0);
5333
5334 if (badPasswordTime - lockOutObservationWindow >= now) {
5335 return ldb_msg_find_attr_as_int(user_msg, "badPwdCount", 0);
5336 } else {
5337 return 0;
5338 }
5339 }
5340
5341 /*
5342 * Returns a user's PSO, or NULL if none was found
5343 */
5344 static struct ldb_result *lookup_user_pso(struct ldb_context *sam_ldb,
5345 TALLOC_CTX *mem_ctx,
5346 const struct ldb_message *user_msg,
5347 const char * const *attrs)
5348 {
5349 struct ldb_result *res = NULL;
5350 struct ldb_dn *pso_dn = NULL;
5351 int ret;
5352
5353 /* if the user has a PSO that applies, then use the PSO's setting */
5354 pso_dn = ldb_msg_find_attr_as_dn(sam_ldb, mem_ctx, user_msg,
5355 "msDS-ResultantPSO");
5356
5357 if (pso_dn != NULL) {
5358
5359 ret = dsdb_search_dn(sam_ldb, mem_ctx, &res, pso_dn, attrs, 0);
5360 if (ret != LDB_SUCCESS) {
5361
5362 /*
5363 * log the error. The caller should fallback to using
5364 * the default domain password settings
5365 */
5366 DBG_ERR("Error retrieving msDS-ResultantPSO %s for %s",
5367 ldb_dn_get_linearized(pso_dn),
5368 ldb_dn_get_linearized(user_msg->dn));
5369 }
5370 talloc_free(pso_dn);
5371 }
5372 return res;
5373 }
5374
5375 /*
5376 * Return the effective badPwdCount
5377 *
5378 * This requires that the user_msg have (if present):
5379 * - badPasswordTime
5380 * - badPwdCount
5381 * - msDS-ResultantPSO
5382 */
5383 int samdb_result_effective_badPwdCount(struct ldb_context *sam_ldb,
5384 TALLOC_CTX *mem_ctx,
5385 struct ldb_dn *domain_dn,
5386 const struct ldb_message *user_msg)
5387 {
5388 struct timeval tv_now = timeval_current();
5389 NTTIME now = timeval_to_nttime(&tv_now);
5390 int64_t lockOutObservationWindow;
5391 struct ldb_result *res = NULL;
5392 const char *attrs[] = { "msDS-LockoutObservationWindow",
5393 NULL };
5394
5395 res = lookup_user_pso(sam_ldb, mem_ctx, user_msg, attrs);
5396
5397 if (res != NULL) {
5398 lockOutObservationWindow =
5399 ldb_msg_find_attr_as_int64(res->msgs[0],
5400 "msDS-LockoutObservationWindow",
5401 DEFAULT_OBSERVATION_WINDOW);
5402 talloc_free(res);
5403 } else {
5404
5405 /* no PSO was found, lookup the default domain setting */
5406 lockOutObservationWindow =
5407 samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn,
5408 "lockOutObservationWindow", NULL);
5409 }
5410
5411 return dsdb_effective_badPwdCount(user_msg, lockOutObservationWindow, now);
5412 }
5413
5414 /*
5415 * Returns the lockoutThreshold that applies. If a PSO is specified, then that
5416 * setting is used over the domain defaults
5417 */
5418 static int64_t get_lockout_threshold(struct ldb_message *domain_msg,
5419 struct ldb_message *pso_msg)
5420 {
5421 if (pso_msg != NULL) {
5422 return ldb_msg_find_attr_as_int(pso_msg,
5423 "msDS-LockoutThreshold", 0);
5424 } else {
5425 return ldb_msg_find_attr_as_int(domain_msg,
5426 "lockoutThreshold", 0);
5427 }
5428 }
5429
5430 /*
5431 * Returns the lockOutObservationWindow that applies. If a PSO is specified,
5432 * then that setting is used over the domain defaults
5433 */
5434 static int64_t get_lockout_observation_window(struct ldb_message *domain_msg,
5435 struct ldb_message *pso_msg)
5436 {
5437 if (pso_msg != NULL) {
5438 return ldb_msg_find_attr_as_int64(pso_msg,
5439 "msDS-LockoutObservationWindow",
5440 DEFAULT_OBSERVATION_WINDOW);
5441 } else {
5442 return ldb_msg_find_attr_as_int64(domain_msg,
5443 "lockOutObservationWindow",
5444 DEFAULT_OBSERVATION_WINDOW);
5445 }
5446 }
5447
5448 /*
5449 * Prepare an update to the badPwdCount and associated attributes.
5450 *
5451 * This requires that the user_msg have (if present):
5452 * - objectSid
5453 * - badPasswordTime
5454 * - badPwdCount
5455 *
5456 * This also requires that the domain_msg have (if present):
5457 * - pwdProperties
5458 * - lockoutThreshold
5459 * - lockOutObservationWindow
5460 *
5461 * This also requires that the pso_msg have (if present):
5462 * - msDS-LockoutThreshold
5463 * - msDS-LockoutObservationWindow
5464 */
5465 NTSTATUS dsdb_update_bad_pwd_count(TALLOC_CTX *mem_ctx,
5466 struct ldb_context *sam_ctx,
5467 struct ldb_message *user_msg,
5468 struct ldb_message *domain_msg,
5469 struct ldb_message *pso_msg,
5470 struct ldb_message **_mod_msg)
5471 {
5472 int ret, badPwdCount;
5473 unsigned int i;
5474 int64_t lockoutThreshold, lockOutObservationWindow;
5475 struct dom_sid *sid;
5476 struct timeval tv_now = timeval_current();
5477 NTTIME now = timeval_to_nttime(&tv_now);
5478 NTSTATUS status;
5479 uint32_t pwdProperties, rid = 0;
5480 struct ldb_message *mod_msg;
5481
5482 sid = samdb_result_dom_sid(mem_ctx, user_msg, "objectSid");
5483
5484 pwdProperties = ldb_msg_find_attr_as_uint(domain_msg,
5485 "pwdProperties", -1);
5486 if (sid && !(pwdProperties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
5487 status = dom_sid_split_rid(NULL, sid, NULL, &rid);
5488 if (!NT_STATUS_IS_OK(status)) {
5489 /*
5490 * This can't happen anyway, but always try
5491 * and update the badPwdCount on failure
5492 */
5493 rid = 0;
5494 }
5495 }
5496 TALLOC_FREE(sid);
5497
5498 /*
5499 * Work out if we are doing password lockout on the domain.
5500 * Also, the built in administrator account is exempt:
5501 * http://msdn.microsoft.com/en-us/library/windows/desktop/aa375371%28v=vs.85%29.aspx
5502 */
5503 lockoutThreshold = get_lockout_threshold(domain_msg, pso_msg);
5504 if (lockoutThreshold == 0 || (rid == DOMAIN_RID_ADMINISTRATOR)) {
5505 DEBUG(5, ("Not updating badPwdCount on %s after wrong password\n",
5506 ldb_dn_get_linearized(user_msg->dn)));
5507 return NT_STATUS_OK;
5508 }
5509
5510 mod_msg = ldb_msg_new(mem_ctx);
5511 if (mod_msg == NULL) {
5512 return NT_STATUS_NO_MEMORY;
5513 }
5514 mod_msg->dn = ldb_dn_copy(mod_msg, user_msg->dn);
5515 if (mod_msg->dn == NULL) {
5516 TALLOC_FREE(mod_msg);
5517 return NT_STATUS_NO_MEMORY;
5518 }
5519
5520 lockOutObservationWindow = get_lockout_observation_window(domain_msg,
5521 pso_msg);
5522
5523 badPwdCount = dsdb_effective_badPwdCount(user_msg, lockOutObservationWindow, now);
5524
5525 badPwdCount++;
5526
5527 ret = samdb_msg_add_int(sam_ctx, mod_msg, mod_msg, "badPwdCount", badPwdCount);
5528 if (ret != LDB_SUCCESS) {
5529 TALLOC_FREE(mod_msg);
5530 return NT_STATUS_NO_MEMORY;
5531 }
5532 ret = samdb_msg_add_int64(sam_ctx, mod_msg, mod_msg, "badPasswordTime", now);
5533 if (ret != LDB_SUCCESS) {
5534 TALLOC_FREE(mod_msg);
5535 return NT_STATUS_NO_MEMORY;
5536 }
5537
5538 if (badPwdCount >= lockoutThreshold) {
5539 ret = samdb_msg_add_int64(sam_ctx, mod_msg, mod_msg, "lockoutTime", now);
5540 if (ret != LDB_SUCCESS) {
5541 TALLOC_FREE(mod_msg);
5542 return NT_STATUS_NO_MEMORY;
5543 }
5544 DEBUGC( DBGC_AUTH, 1, ("Locked out user %s after %d wrong passwords\n",
5545 ldb_dn_get_linearized(user_msg->dn), badPwdCount));
5546 } else {
5547 DEBUGC( DBGC_AUTH, 5, ("Updated badPwdCount on %s after %d wrong passwords\n",
5548 ldb_dn_get_linearized(user_msg->dn), badPwdCount));
5549 }
5550
5551 /* mark all the message elements as LDB_FLAG_MOD_REPLACE */
5552 for (i=0; i< mod_msg->num_elements; i++) {
5553 mod_msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
5554 }
5555
5556 *_mod_msg = mod_msg;
5557 return NT_STATUS_OK;
5558 }
5559
5560 /**
5561 * Sets defaults for a User object
5562 * List of default attributes set:
5563 * accountExpires, badPasswordTime, badPwdCount,
5564 * codePage, countryCode, lastLogoff, lastLogon
5565 * logonCount, pwdLastSet
5566 */
5567 int dsdb_user_obj_set_defaults(struct ldb_context *ldb,
5568 struct ldb_message *usr_obj,
5569 struct ldb_request *req)
5570 {
5571 size_t i;
5572 int ret;
5573 const struct attribute_values {
5574 const char *name;
5575 const char *value;
5576 const char *add_value;
5577 const char *mod_value;
5578 const char *control;
5579 unsigned add_flags;
5580 unsigned mod_flags;
5581 } map[] = {
5582 {
5583 .name = "accountExpires",
5584 .add_value = "9223372036854775807",
5585 .mod_value = "0",
5586 },
5587 {
5588 .name = "badPasswordTime",
5589 .value = "0"
5590 },
5591 {
5592 .name = "badPwdCount",
5593 .value = "0"
5594 },
5595 {
5596 .name = "codePage",
5597 .value = "0"
5598 },
5599 {
5600 .name = "countryCode",
5601 .value = "0"
5602 },
5603 {
5604 .name = "lastLogoff",
5605 .value = "0"
5606 },
5607 {
5608 .name = "lastLogon",
5609 .value = "0"
5610 },
5611 {
5612 .name = "logonCount",
5613 .value = "0"
5614 },
5615 {
5616 .name = "logonHours",
5617 .add_flags = DSDB_FLAG_INTERNAL_FORCE_META_DATA,
5618 },
5619 {
5620 .name = "pwdLastSet",
5621 .value = "0",
5622 .control = DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET_OID,
5623 },
5624 {
5625 .name = "adminCount",
5626 .mod_value = "0",
5627 },
5628 {
5629 .name = "operatorCount",
5630 .mod_value = "0",
5631 },
5632 };
5633
5634 for (i = 0; i < ARRAY_SIZE(map); i++) {
5635 bool added = false;
5636 const char *value = NULL;
5637 unsigned flags = 0;
5638
5639 if (req != NULL && req->operation == LDB_ADD) {
5640 value = map[i].add_value;
5641 flags = map[i].add_flags;
5642 } else {
5643 value = map[i].mod_value;
5644 flags = map[i].mod_flags;
5645 }
5646
5647 if (value == NULL) {
5648 value = map[i].value;
5649 }
5650
5651 if (value != NULL) {
5652 flags |= LDB_FLAG_MOD_ADD;
5653 }
5654
5655 if (flags == 0) {
5656 continue;
5657 }
5658
5659 ret = samdb_find_or_add_attribute_ex(ldb, usr_obj,
5660 map[i].name,
5661 value, flags,
5662 &added);
5663 if (ret != LDB_SUCCESS) {
5664 return ret;
5665 }
5666
5667 if (req != NULL && added && map[i].control != NULL) {
5668 ret = ldb_request_add_control(req,
5669 map[i].control,
5670 false, NULL);
5671 if (ret != LDB_SUCCESS) {
5672 return ret;
5673 }
5674 }
5675 }
5676
5677 return LDB_SUCCESS;
5678 }
5679
5680 /**
5681 * Sets 'sAMAccountType on user object based on userAccountControl
5682 * @param ldb Current ldb_context
5683 * @param usr_obj ldb_message representing User object
5684 * @param user_account_control Value for userAccountControl flags
5685 * @param account_type_p Optional pointer to account_type to return
5686 * @return LDB_SUCCESS or LDB_ERR* code on failure
5687 */
5688 int dsdb_user_obj_set_account_type(struct ldb_context *ldb, struct ldb_message *usr_obj,
5689 uint32_t user_account_control, uint32_t *account_type_p)
5690 {
5691 int ret;
5692 uint32_t account_type;
5693 struct ldb_message_element *el;
5694
5695 account_type = ds_uf2atype(user_account_control);
5696 if (account_type == 0) {
5697 ldb_set_errstring(ldb, "dsdb: Unrecognized account type!");
5698 return LDB_ERR_UNWILLING_TO_PERFORM;
5699 }
5700 ret = samdb_msg_add_uint(ldb, usr_obj, usr_obj,
5701 "sAMAccountType",
5702 account_type);
5703 if (ret != LDB_SUCCESS) {
5704 return ret;
5705 }
5706 el = ldb_msg_find_element(usr_obj, "sAMAccountType");
5707 el->flags = LDB_FLAG_MOD_REPLACE;
5708
5709 if (account_type_p) {
5710 *account_type_p = account_type;
5711 }
5712
5713 return LDB_SUCCESS;
5714 }
5715
5716 /**
5717 * Determine and set primaryGroupID based on userAccountControl value
5718 * @param ldb Current ldb_context
5719 * @param usr_obj ldb_message representing User object
5720 * @param user_account_control Value for userAccountControl flags
5721 * @param group_rid_p Optional pointer to group RID to return
5722 * @return LDB_SUCCESS or LDB_ERR* code on failure
5723 */
5724 int dsdb_user_obj_set_primary_group_id(struct ldb_context *ldb, struct ldb_message *usr_obj,
5725 uint32_t user_account_control, uint32_t *group_rid_p)
5726 {
5727 int ret;
5728 uint32_t rid;
5729 struct ldb_message_element *el;
5730
5731 rid = ds_uf2prim_group_rid(user_account_control);
5732
5733 ret = samdb_msg_add_uint(ldb, usr_obj, usr_obj,
5734 "primaryGroupID", rid);
5735 if (ret != LDB_SUCCESS) {
5736 return ret;
5737 }
5738 el = ldb_msg_find_element(usr_obj, "primaryGroupID");
5739 el->flags = LDB_FLAG_MOD_REPLACE;
5740
5741 if (group_rid_p) {
5742 *group_rid_p = rid;
5743 }
5744
5745 return LDB_SUCCESS;
5746 }
5747
5748 /**
5749 * Returns True if the source and target DNs both have the same naming context,
5750 * i.e. they're both in the same partition.
5751 */
5752 bool dsdb_objects_have_same_nc(struct ldb_context *ldb,
5753 TALLOC_CTX *mem_ctx,
5754 struct ldb_dn *source_dn,
5755 struct ldb_dn *target_dn)
5756 {
5757 TALLOC_CTX *tmp_ctx;
5758 struct ldb_dn *source_nc = NULL;
5759 struct ldb_dn *target_nc = NULL;
5760 int ret;
5761 bool same_nc = true;
5762
5763 tmp_ctx = talloc_new(mem_ctx);
5764
5765 ret = dsdb_find_nc_root(ldb, tmp_ctx, source_dn, &source_nc);
5766 /* fix clang warning */
5767 if (source_nc == NULL) {
5768 ret = LDB_ERR_OTHER;
5769 }
5770 if (ret != LDB_SUCCESS) {
5771 DBG_ERR("Failed to find base DN for source %s\n",
5772 ldb_dn_get_linearized(source_dn));
5773 talloc_free(tmp_ctx);
5774 return true;
5775 }
5776
5777 ret = dsdb_find_nc_root(ldb, tmp_ctx, target_dn, &target_nc);
5778 /* fix clang warning */
5779 if (target_nc == NULL) {
5780 ret = LDB_ERR_OTHER;
5781 }
5782 if (ret != LDB_SUCCESS) {
5783 DBG_ERR("Failed to find base DN for target %s\n",
5784 ldb_dn_get_linearized(target_dn));
5785 talloc_free(tmp_ctx);
5786 return true;
5787 }
5788
5789 same_nc = (ldb_dn_compare(source_nc, target_nc) == 0);
5790
5791 talloc_free(tmp_ctx);
5792
5793 return same_nc;
5794 }
5795 /*
5796 * Context for dsdb_count_domain_callback
5797 */
5798 struct dsdb_count_domain_context {
5799 /*
5800 * Number of matching records
5801 */
5802 size_t count;
5803 /*
5804 * sid of the domain that the records must belong to.
5805 * if NULL records can belong to any domain.
5806 */
5807 struct dom_sid *dom_sid;
5808 };
5809
5810 /*
5811 * @brief ldb aysnc callback for dsdb_domain_count.
5812 *
5813 * count the number of records in the database matching an LDAP query,
5814 * optionally filtering for domain membership.
5815 *
5816 * @param [in,out] req the ldb request being processed
5817 * req->context contains:
5818 * count The number of matching records
5819 * dom_sid The domain sid, if present records must belong
5820 * to the domain to be counted.
5821 *@param [in,out] ares The query result.
5822 *
5823 * @return an LDB error code
5824 *
5825 */
5826 static int dsdb_count_domain_callback(
5827 struct ldb_request *req,
5828 struct ldb_reply *ares)
5829 {
5830
5831 if (ares == NULL) {
5832 return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
5833 }
5834 if (ares->error != LDB_SUCCESS) {
5835 int error = ares->error;
5836 TALLOC_FREE(ares);
5837 return ldb_request_done(req, error);
5838 }
5839
5840 switch (ares->type) {
5841 case LDB_REPLY_ENTRY:
5842 {
5843 struct dsdb_count_domain_context *context = NULL;
5844 ssize_t ret;
5845 bool in_domain;
5846 struct dom_sid sid;
5847 const struct ldb_val *v;
5848
5849 context = req->context;
5850 if (context->dom_sid == NULL) {
5851 context->count++;
5852 break;
5853 }
5854
5855 v = ldb_msg_find_ldb_val(ares->message, "objectSid");
5856 if (v == NULL) {
5857 break;
5858 }
5859
5860 ret = sid_parse(v->data, v->length, &sid);
5861 if (ret == -1) {
5862 break;
5863 }
5864
5865 in_domain = dom_sid_in_domain(context->dom_sid, &sid);
5866 if (!in_domain) {
5867 break;
5868 }
5869
5870 context->count++;
5871 break;
5872 }
5873 case LDB_REPLY_REFERRAL:
5874 break;
5875
5876 case LDB_REPLY_DONE:
5877 TALLOC_FREE(ares);
5878 return ldb_request_done(req, LDB_SUCCESS);
5879 }
5880
5881 TALLOC_FREE(ares);
5882
5883 return LDB_SUCCESS;
5884 }
5885
5886 /*
5887 * @brief Count the number of records matching a query.
5888 *
5889 * Count the number of entries in the database matching the supplied query,
5890 * optionally filtering only those entries belonging to the supplied domain.
5891 *
5892 * @param ldb [in] Current ldb context
5893 * @param count [out] Pointer to the count
5894 * @param base [in] The base dn for the quey
5895 * @param dom_sid [in] The domain sid, if non NULL records that are not a member
5896 * of the domain are ignored.
5897 * @param scope [in] Search scope.
5898 * @param exp_fmt [in] format string for the query.
5899 *
5900 * @return LDB_STATUS code.
5901 */
5902 int PRINTF_ATTRIBUTE(6, 7) dsdb_domain_count(
5903 struct ldb_context *ldb,
5904 size_t *count,
5905 struct ldb_dn *base,
5906 struct dom_sid *dom_sid,
5907 enum ldb_scope scope,
5908 const char *exp_fmt, ...)
5909 {
5910 TALLOC_CTX *tmp_ctx = NULL;
5911 struct ldb_request *req = NULL;
5912 struct dsdb_count_domain_context *context = NULL;
5913 char *expression = NULL;
5914 const char *object_sid[] = {"objectSid", NULL};
5915 const char *none[] = {NULL};
5916 va_list ap;
5917 int ret;
5918
5919 *count = 0;
5920 tmp_ctx = talloc_new(ldb);
5921
5922 context = talloc_zero(tmp_ctx, struct dsdb_count_domain_context);
5923 if (context == NULL) {
5924 return LDB_ERR_OPERATIONS_ERROR;
5925 }
5926 context->dom_sid = dom_sid;
5927
5928 if (exp_fmt) {
5929 va_start(ap, exp_fmt);
5930 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
5931 va_end(ap);
5932
5933 if (expression == NULL) {
5934 TALLOC_FREE(context);
5935 TALLOC_FREE(tmp_ctx);
5936 return LDB_ERR_OPERATIONS_ERROR;
5937 }
5938 }
5939
5940 ret = ldb_build_search_req(
5941 &req,
5942 ldb,
5943 tmp_ctx,
5944 base,
5945 scope,
5946 expression,
5947 (dom_sid == NULL) ? none : object_sid,
5948 NULL,
5949 context,
5950 dsdb_count_domain_callback,
5951 NULL);
5952 ldb_req_set_location(req, "dsdb_domain_count");
5953
5954 if (ret != LDB_SUCCESS) goto done;
5955
5956 ret = ldb_request(ldb, req);
5957
5958 if (ret == LDB_SUCCESS) {
5959 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
5960 if (ret == LDB_SUCCESS) {
5961 *count = context->count;
5962 }
5963 }
5964
5965
5966 done:
5967 TALLOC_FREE(expression);
5968 TALLOC_FREE(req);
5969 TALLOC_FREE(context);
5970 TALLOC_FREE(tmp_ctx);
5971
5972 return ret;
5973 }
Samba GIT mirror