s4-drs: lock down key DRS calls
[Samba/aatanasov.git] / source4 / libnet / libnet_samsync_ldb.c
blob5bb75ca30d8fe1f651632a9f5bade8318c3ee52b
1 /*
2 Unix SMB/CIFS implementation.
4 Extract the user/system database from a remote SamSync server
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7 Copyright (C) Andrew Tridgell 2004
8 Copyright (C) Volker Lendecke 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "includes.h"
26 #include "libnet/libnet.h"
27 #include "libcli/ldap/ldap_ndr.h"
28 #include "dsdb/samdb/samdb.h"
29 #include "auth/auth.h"
30 #include "../lib/util/util_ldb.h"
31 #include "librpc/gen_ndr/ndr_misc.h"
32 #include "ldb_wrap.h"
33 #include "libcli/security/security.h"
34 #include "librpc/rpc/dcerpc.h"
35 #include "param/param.h"
37 struct samsync_ldb_secret {
38 struct samsync_ldb_secret *prev, *next;
39 DATA_BLOB secret;
40 char *name;
41 NTTIME mtime;
44 struct samsync_ldb_trusted_domain {
45 struct samsync_ldb_trusted_domain *prev, *next;
46 struct dom_sid *sid;
47 char *name;
50 struct samsync_ldb_state {
51 /* Values from the LSA lookup */
52 const struct libnet_SamSync_state *samsync_state;
54 struct dom_sid *dom_sid[3];
55 struct ldb_context *sam_ldb, *remote_ldb;
56 struct ldb_dn *base_dn[3];
57 struct samsync_ldb_secret *secrets;
58 struct samsync_ldb_trusted_domain *trusted_domains;
61 static NTSTATUS samsync_ldb_add_foreignSecurityPrincipal(TALLOC_CTX *mem_ctx,
62 struct samsync_ldb_state *state,
63 struct dom_sid *sid,
64 struct ldb_dn **fsp_dn,
65 char **error_string)
67 const char *sidstr = dom_sid_string(mem_ctx, sid);
68 /* We assume that ForeignSecurityPrincipals are under the BASEDN of the main domain */
69 struct ldb_dn *basedn = samdb_search_dn(state->sam_ldb, mem_ctx,
70 state->base_dn[SAM_DATABASE_DOMAIN],
71 "(&(objectClass=container)(cn=ForeignSecurityPrincipals))");
72 struct ldb_message *msg;
73 int ret;
75 if (!sidstr) {
76 return NT_STATUS_NO_MEMORY;
79 if (basedn == NULL) {
80 *error_string = talloc_asprintf(mem_ctx,
81 "Failed to find DN for "
82 "ForeignSecurityPrincipal container under %s",
83 ldb_dn_get_linearized(state->base_dn[SAM_DATABASE_DOMAIN]));
84 return NT_STATUS_INTERNAL_DB_CORRUPTION;
87 msg = ldb_msg_new(mem_ctx);
88 if (msg == NULL) {
89 return NT_STATUS_NO_MEMORY;
92 /* add core elements to the ldb_message for the alias */
93 msg->dn = basedn;
94 if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s", sidstr))
95 return NT_STATUS_UNSUCCESSFUL;
97 samdb_msg_add_string(state->sam_ldb, mem_ctx, msg,
98 "objectClass",
99 "foreignSecurityPrincipal");
101 *fsp_dn = msg->dn;
103 /* create the alias */
104 ret = ldb_add(state->sam_ldb, msg);
105 if (ret != 0) {
106 *error_string = talloc_asprintf(mem_ctx, "Failed to create foreignSecurityPrincipal "
107 "record %s: %s",
108 ldb_dn_get_linearized(msg->dn),
109 ldb_errstring(state->sam_ldb));
110 return NT_STATUS_INTERNAL_DB_CORRUPTION;
112 return NT_STATUS_OK;
115 static NTSTATUS samsync_ldb_handle_domain(TALLOC_CTX *mem_ctx,
116 struct samsync_ldb_state *state,
117 enum netr_SamDatabaseID database,
118 struct netr_DELTA_ENUM *delta,
119 char **error_string)
121 struct netr_DELTA_DOMAIN *domain = delta->delta_union.domain;
122 const char *domain_name = domain->domain_name.string;
123 struct ldb_message *msg;
124 int ret;
126 msg = ldb_msg_new(mem_ctx);
127 if (msg == NULL) {
128 return NT_STATUS_NO_MEMORY;
131 if (database == SAM_DATABASE_DOMAIN) {
132 struct ldb_dn *partitions_basedn;
133 const char *domain_attrs[] = {"nETBIOSName", "nCName", NULL};
134 struct ldb_message **msgs_domain;
135 int ret_domain;
137 partitions_basedn = samdb_partitions_dn(state->sam_ldb, mem_ctx);
139 ret_domain = gendb_search(state->sam_ldb, mem_ctx, partitions_basedn, &msgs_domain, domain_attrs,
140 "(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))",
141 domain_name);
142 if (ret_domain == -1) {
143 *error_string = talloc_asprintf(mem_ctx, "gendb_search for domain failed: %s", ldb_errstring(state->sam_ldb));
144 return NT_STATUS_INTERNAL_DB_CORRUPTION;
147 if (ret_domain != 1) {
148 *error_string = talloc_asprintf(mem_ctx, "Failed to find existing domain record for %s: %d results", domain_name,
149 ret_domain);
150 return NT_STATUS_NO_SUCH_DOMAIN;
153 state->base_dn[database] = samdb_result_dn(state->sam_ldb, state, msgs_domain[0], "nCName", NULL);
155 if (state->dom_sid[database]) {
156 /* Update the domain sid with the incoming
157 * domain (found on LSA pipe, database sid may
158 * be random) */
159 samdb_msg_add_dom_sid(state->sam_ldb, mem_ctx,
160 msg, "objectSid", state->dom_sid[database]);
161 } else {
162 /* Well, we will have to use the one from the database */
163 state->dom_sid[database] = samdb_search_dom_sid(state->sam_ldb, state,
164 state->base_dn[database],
165 "objectSid", NULL);
168 if (state->samsync_state->domain_guid) {
169 enum ndr_err_code ndr_err;
170 struct ldb_val v;
171 ndr_err = ndr_push_struct_blob(&v, msg, NULL,
172 state->samsync_state->domain_guid,
173 (ndr_push_flags_fn_t)ndr_push_GUID);
174 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
175 *error_string = talloc_asprintf(mem_ctx, "ndr_push of domain GUID failed!");
176 return ndr_map_error2ntstatus(ndr_err);
179 ldb_msg_add_value(msg, "objectGUID", &v, NULL);
181 } else if (database == SAM_DATABASE_BUILTIN) {
182 /* work out the builtin_dn - useful for so many calls its worth
183 fetching here */
184 const char *dnstring = samdb_search_string(state->sam_ldb, mem_ctx, NULL,
185 "distinguishedName", "objectClass=builtinDomain");
186 state->base_dn[database] = ldb_dn_new(state, state->sam_ldb, dnstring);
187 if ( ! ldb_dn_validate(state->base_dn[database])) {
188 return NT_STATUS_INTERNAL_ERROR;
190 } else {
191 /* PRIVs DB */
192 return NT_STATUS_INVALID_PARAMETER;
195 msg->dn = talloc_reference(mem_ctx, state->base_dn[database]);
196 if (!msg->dn) {
197 return NT_STATUS_NO_MEMORY;
200 samdb_msg_add_string(state->sam_ldb, mem_ctx,
201 msg, "oEMInformation", domain->oem_information.string);
203 samdb_msg_add_int64(state->sam_ldb, mem_ctx,
204 msg, "forceLogoff", domain->force_logoff_time);
206 samdb_msg_add_uint(state->sam_ldb, mem_ctx,
207 msg, "minPwdLen", domain->min_password_length);
209 samdb_msg_add_int64(state->sam_ldb, mem_ctx,
210 msg, "maxPwdAge", domain->max_password_age);
212 samdb_msg_add_int64(state->sam_ldb, mem_ctx,
213 msg, "minPwdAge", domain->min_password_age);
215 samdb_msg_add_uint(state->sam_ldb, mem_ctx,
216 msg, "pwdHistoryLength", domain->password_history_length);
218 samdb_msg_add_uint64(state->sam_ldb, mem_ctx,
219 msg, "modifiedCount",
220 domain->sequence_num);
222 samdb_msg_add_uint64(state->sam_ldb, mem_ctx,
223 msg, "creationTime", domain->domain_create_time);
225 /* TODO: Account lockout, password properties */
227 ret = samdb_replace(state->sam_ldb, mem_ctx, msg);
229 if (ret) {
230 return NT_STATUS_INTERNAL_ERROR;
232 return NT_STATUS_OK;
235 static NTSTATUS samsync_ldb_handle_user(TALLOC_CTX *mem_ctx,
236 struct samsync_ldb_state *state,
237 enum netr_SamDatabaseID database,
238 struct netr_DELTA_ENUM *delta,
239 char **error_string)
241 uint32_t rid = delta->delta_id_union.rid;
242 struct netr_DELTA_USER *user = delta->delta_union.user;
243 const char *container, *obj_class;
244 char *cn_name;
245 int cn_name_len;
246 const struct dom_sid *user_sid;
247 struct ldb_message *msg;
248 struct ldb_message **msgs;
249 struct ldb_message **remote_msgs = NULL;
250 int ret, i;
251 uint32_t acb;
252 bool add = false;
253 const char *attrs[] = { NULL };
254 /* we may change this to a global search, then fill in only the things not in ldap later */
255 const char *remote_attrs[] = { "userPrincipalName", "servicePrincipalName",
256 "msDS-KeyVersionNumber", "objectGUID", NULL};
258 user_sid = dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid);
259 if (!user_sid) {
260 return NT_STATUS_NO_MEMORY;
263 msg = ldb_msg_new(mem_ctx);
264 if (msg == NULL) {
265 return NT_STATUS_NO_MEMORY;
268 msg->dn = NULL;
269 /* search for the user, by rid */
270 ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database],
271 &msgs, attrs, "(&(objectClass=user)(objectSid=%s))",
272 ldap_encode_ndr_dom_sid(mem_ctx, user_sid));
274 if (ret == -1) {
275 *error_string = talloc_asprintf(mem_ctx, "LDB for user %s failed: %s",
276 dom_sid_string(mem_ctx, user_sid),
277 ldb_errstring(state->sam_ldb));
278 return NT_STATUS_INTERNAL_DB_CORRUPTION;
279 } else if (ret == 0) {
280 add = true;
281 } else if (ret > 1) {
282 *error_string = talloc_asprintf(mem_ctx, "More than one user with SID: %s in local LDB",
283 dom_sid_string(mem_ctx, user_sid));
284 return NT_STATUS_INTERNAL_DB_CORRUPTION;
285 } else {
286 msg->dn = msgs[0]->dn;
287 talloc_steal(msg, msgs[0]->dn);
290 /* and do the same on the remote database */
291 if (state->remote_ldb) {
292 ret = gendb_search(state->remote_ldb, mem_ctx, state->base_dn[database],
293 &remote_msgs, remote_attrs, "(&(objectClass=user)(objectSid=%s))",
294 ldap_encode_ndr_dom_sid(mem_ctx, user_sid));
296 if (ret == -1) {
297 *error_string = talloc_asprintf(mem_ctx, "remote LDAP for user %s failed: %s",
298 dom_sid_string(mem_ctx, user_sid),
299 ldb_errstring(state->remote_ldb));
300 return NT_STATUS_INTERNAL_DB_CORRUPTION;
301 } else if (ret == 0) {
302 *error_string = talloc_asprintf(mem_ctx, "User exists in samsync but not in remote LDAP domain! (base: %s, SID: %s)",
303 ldb_dn_get_linearized(state->base_dn[database]),
304 dom_sid_string(mem_ctx, user_sid));
305 return NT_STATUS_NO_SUCH_USER;
306 } else if (ret > 1) {
307 *error_string = talloc_asprintf(mem_ctx, "More than one user in remote LDAP domain with SID: %s",
308 dom_sid_string(mem_ctx, user_sid));
309 return NT_STATUS_INTERNAL_DB_CORRUPTION;
311 /* Try to put things in the same location as the remote server */
312 } else if (add) {
313 msg->dn = remote_msgs[0]->dn;
314 talloc_steal(msg, remote_msgs[0]->dn);
318 cn_name = talloc_strdup(mem_ctx, user->account_name.string);
319 NT_STATUS_HAVE_NO_MEMORY(cn_name);
320 cn_name_len = strlen(cn_name);
322 #define ADD_OR_DEL(type, attrib, field) do { \
323 if (user->field) { \
324 samdb_msg_add_ ## type(state->sam_ldb, mem_ctx, msg, \
325 attrib, user->field); \
326 } else if (!add) { \
327 samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg, \
328 attrib); \
330 } while (0);
332 ADD_OR_DEL(string, "samAccountName", account_name.string);
333 ADD_OR_DEL(string, "displayName", full_name.string);
335 if (samdb_msg_add_dom_sid(state->sam_ldb, mem_ctx, msg,
336 "objectSid", dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))) {
337 return NT_STATUS_NO_MEMORY;
340 ADD_OR_DEL(uint, "primaryGroupID", primary_gid);
341 ADD_OR_DEL(string, "homeDirectory", home_directory.string);
342 ADD_OR_DEL(string, "homeDrive", home_drive.string);
343 ADD_OR_DEL(string, "scriptPath", logon_script.string);
344 ADD_OR_DEL(string, "description", description.string);
345 ADD_OR_DEL(string, "userWorkstations", workstations.string);
347 ADD_OR_DEL(uint64, "lastLogon", last_logon);
348 ADD_OR_DEL(uint64, "lastLogoff", last_logoff);
350 if (samdb_msg_add_logon_hours(state->sam_ldb, mem_ctx, msg, "logonHours", &user->logon_hours) != 0) {
351 return NT_STATUS_NO_MEMORY;
354 ADD_OR_DEL(uint, "badPwdCount", bad_password_count);
355 ADD_OR_DEL(uint, "logonCount", logon_count);
357 ADD_OR_DEL(uint64, "pwdLastSet", last_password_change);
358 ADD_OR_DEL(uint64, "accountExpires", acct_expiry);
360 if (samdb_msg_add_acct_flags(state->sam_ldb, mem_ctx, msg,
361 "userAccountControl", user->acct_flags) != 0) {
362 return NT_STATUS_NO_MEMORY;
365 if (!add) {
366 /* Passwords. Ensure there is no plaintext stored against
367 * this entry, as we only have hashes */
368 samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg,
369 "userPassword");
371 if (user->lm_password_present) {
372 samdb_msg_add_hash(state->sam_ldb, mem_ctx, msg,
373 "dBCSPwd", &user->lmpassword);
374 } else if (!add) {
375 samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg,
376 "dBCSPwd");
378 if (user->nt_password_present) {
379 samdb_msg_add_hash(state->sam_ldb, mem_ctx, msg,
380 "unicodePwd", &user->ntpassword);
381 } else if (!add) {
382 samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg,
383 "unicodePwd");
386 ADD_OR_DEL(string, "comment", comment.string);
388 if (samdb_msg_add_parameters(state->sam_ldb, mem_ctx, msg, "userParameters", &user->parameters) != 0) {
389 return NT_STATUS_NO_MEMORY;
392 ADD_OR_DEL(uint, "countryCode", country_code);
393 ADD_OR_DEL(uint, "codePage", code_page);
395 ADD_OR_DEL(string, "profilePath", profile_path.string);
397 #undef ADD_OR_DEL
399 for (i=0; remote_attrs[i]; i++) {
400 struct ldb_message_element *el = ldb_msg_find_element(remote_msgs[0], remote_attrs[i]);
401 if (!el) {
402 samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg,
403 remote_attrs[i]);
404 } else {
405 ldb_msg_add(msg, el, LDB_FLAG_MOD_REPLACE);
409 acb = user->acct_flags;
410 if (acb & (ACB_WSTRUST)) {
411 cn_name[cn_name_len - 1] = '\0';
412 container = "Computers";
413 obj_class = "computer";
415 } else if (acb & ACB_SVRTRUST) {
416 if (cn_name[cn_name_len - 1] != '$') {
417 return NT_STATUS_FOOBAR;
419 cn_name[cn_name_len - 1] = '\0';
420 container = "Domain Controllers";
421 obj_class = "computer";
422 } else {
423 container = "Users";
424 obj_class = "user";
426 if (add) {
427 samdb_msg_add_string(state->sam_ldb, mem_ctx, msg,
428 "objectClass", obj_class);
429 if (!msg->dn) {
430 msg->dn = ldb_dn_copy(mem_ctx, state->base_dn[database]);
431 ldb_dn_add_child_fmt(msg->dn, "CN=%s,CN=%s", cn_name, container);
432 if (!msg->dn) {
433 return NT_STATUS_NO_MEMORY;
437 ret = ldb_add(state->sam_ldb, msg);
438 if (ret != 0) {
439 struct ldb_dn *first_try_dn = msg->dn;
440 /* Try again with the default DN */
441 if (!remote_msgs) {
442 *error_string = talloc_asprintf(mem_ctx, "Failed to create user record. Tried %s: %s",
443 ldb_dn_get_linearized(first_try_dn),
444 ldb_errstring(state->sam_ldb));
445 return NT_STATUS_INTERNAL_DB_CORRUPTION;
446 } else {
447 msg->dn = talloc_steal(msg, remote_msgs[0]->dn);
448 ret = ldb_add(state->sam_ldb, msg);
449 if (ret != 0) {
450 *error_string = talloc_asprintf(mem_ctx, "Failed to create user record. Tried both %s and %s: %s",
451 ldb_dn_get_linearized(first_try_dn),
452 ldb_dn_get_linearized(msg->dn),
453 ldb_errstring(state->sam_ldb));
454 return NT_STATUS_INTERNAL_DB_CORRUPTION;
458 } else {
459 ret = samdb_replace(state->sam_ldb, mem_ctx, msg);
460 if (ret != 0) {
461 *error_string = talloc_asprintf(mem_ctx, "Failed to modify user record %s: %s",
462 ldb_dn_get_linearized(msg->dn),
463 ldb_errstring(state->sam_ldb));
464 return NT_STATUS_INTERNAL_DB_CORRUPTION;
468 return NT_STATUS_OK;
471 static NTSTATUS samsync_ldb_delete_user(TALLOC_CTX *mem_ctx,
472 struct samsync_ldb_state *state,
473 enum netr_SamDatabaseID database,
474 struct netr_DELTA_ENUM *delta,
475 char **error_string)
477 uint32_t rid = delta->delta_id_union.rid;
478 struct ldb_message **msgs;
479 int ret;
480 const char *attrs[] = { NULL };
482 /* search for the user, by rid */
483 ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database],
484 &msgs, attrs, "(&(objectClass=user)(objectSid=%s))",
485 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
487 if (ret == -1) {
488 *error_string = talloc_asprintf(mem_ctx, "gendb_search failed: %s", ldb_errstring(state->sam_ldb));
489 return NT_STATUS_INTERNAL_DB_CORRUPTION;
490 } else if (ret == 0) {
491 return NT_STATUS_NO_SUCH_USER;
492 } else if (ret > 1) {
493 *error_string = talloc_asprintf(mem_ctx, "More than one user with SID: %s",
494 dom_sid_string(mem_ctx,
495 dom_sid_add_rid(mem_ctx,
496 state->dom_sid[database],
497 rid)));
498 return NT_STATUS_INTERNAL_DB_CORRUPTION;
501 ret = ldb_delete(state->sam_ldb, msgs[0]->dn);
502 if (ret != 0) {
503 *error_string = talloc_asprintf(mem_ctx, "Failed to delete user record %s: %s",
504 ldb_dn_get_linearized(msgs[0]->dn),
505 ldb_errstring(state->sam_ldb));
506 return NT_STATUS_INTERNAL_DB_CORRUPTION;
509 return NT_STATUS_OK;
512 static NTSTATUS samsync_ldb_handle_group(TALLOC_CTX *mem_ctx,
513 struct samsync_ldb_state *state,
514 enum netr_SamDatabaseID database,
515 struct netr_DELTA_ENUM *delta,
516 char **error_string)
518 uint32_t rid = delta->delta_id_union.rid;
519 struct netr_DELTA_GROUP *group = delta->delta_union.group;
520 const char *container, *obj_class;
521 const char *cn_name;
523 struct ldb_message *msg;
524 struct ldb_message **msgs;
525 int ret;
526 bool add = false;
527 const char *attrs[] = { NULL };
529 msg = ldb_msg_new(mem_ctx);
530 if (msg == NULL) {
531 return NT_STATUS_NO_MEMORY;
534 /* search for the group, by rid */
535 ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
536 "(&(objectClass=group)(objectSid=%s))",
537 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
539 if (ret == -1) {
540 *error_string = talloc_asprintf(mem_ctx, "gendb_search failed: %s", ldb_errstring(state->sam_ldb));
541 return NT_STATUS_INTERNAL_DB_CORRUPTION;
542 } else if (ret == 0) {
543 add = true;
544 } else if (ret > 1) {
545 *error_string = talloc_asprintf(mem_ctx, "More than one group/alias with SID: %s",
546 dom_sid_string(mem_ctx,
547 dom_sid_add_rid(mem_ctx,
548 state->dom_sid[database],
549 rid)));
550 return NT_STATUS_INTERNAL_DB_CORRUPTION;
551 } else {
552 msg->dn = talloc_steal(msg, msgs[0]->dn);
555 cn_name = group->group_name.string;
557 #define ADD_OR_DEL(type, attrib, field) do { \
558 if (group->field) { \
559 samdb_msg_add_ ## type(state->sam_ldb, mem_ctx, msg, \
560 attrib, group->field); \
561 } else if (!add) { \
562 samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg, \
563 attrib); \
565 } while (0);
567 ADD_OR_DEL(string, "samAccountName", group_name.string);
569 if (samdb_msg_add_dom_sid(state->sam_ldb, mem_ctx, msg,
570 "objectSid", dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))) {
571 return NT_STATUS_NO_MEMORY;
574 ADD_OR_DEL(string, "description", description.string);
576 #undef ADD_OR_DEL
578 container = "Users";
579 obj_class = "group";
581 if (add) {
582 samdb_msg_add_string(state->sam_ldb, mem_ctx, msg,
583 "objectClass", obj_class);
584 msg->dn = ldb_dn_copy(mem_ctx, state->base_dn[database]);
585 ldb_dn_add_child_fmt(msg->dn, "CN=%s,CN=%s", cn_name, container);
586 if (!msg->dn) {
587 return NT_STATUS_NO_MEMORY;
590 ret = ldb_add(state->sam_ldb, msg);
591 if (ret != 0) {
592 *error_string = talloc_asprintf(mem_ctx, "Failed to create group record %s: %s",
593 ldb_dn_get_linearized(msg->dn),
594 ldb_errstring(state->sam_ldb));
595 return NT_STATUS_INTERNAL_DB_CORRUPTION;
597 } else {
598 ret = samdb_replace(state->sam_ldb, mem_ctx, msg);
599 if (ret != 0) {
600 *error_string = talloc_asprintf(mem_ctx, "Failed to modify group record %s: %s",
601 ldb_dn_get_linearized(msg->dn),
602 ldb_errstring(state->sam_ldb));
603 return NT_STATUS_INTERNAL_DB_CORRUPTION;
607 return NT_STATUS_OK;
610 static NTSTATUS samsync_ldb_delete_group(TALLOC_CTX *mem_ctx,
611 struct samsync_ldb_state *state,
612 enum netr_SamDatabaseID database,
613 struct netr_DELTA_ENUM *delta,
614 char **error_string)
616 uint32_t rid = delta->delta_id_union.rid;
617 struct ldb_message **msgs;
618 int ret;
619 const char *attrs[] = { NULL };
621 /* search for the group, by rid */
622 ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
623 "(&(objectClass=group)(objectSid=%s))",
624 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
626 if (ret == -1) {
627 *error_string = talloc_asprintf(mem_ctx, "gendb_search failed: %s", ldb_errstring(state->sam_ldb));
628 return NT_STATUS_INTERNAL_DB_CORRUPTION;
629 } else if (ret == 0) {
630 return NT_STATUS_NO_SUCH_GROUP;
631 } else if (ret > 1) {
632 *error_string = talloc_asprintf(mem_ctx, "More than one group/alias with SID: %s",
633 dom_sid_string(mem_ctx,
634 dom_sid_add_rid(mem_ctx,
635 state->dom_sid[database],
636 rid)));
637 return NT_STATUS_INTERNAL_DB_CORRUPTION;
640 ret = ldb_delete(state->sam_ldb, msgs[0]->dn);
641 if (ret != 0) {
642 *error_string = talloc_asprintf(mem_ctx, "Failed to delete group record %s: %s",
643 ldb_dn_get_linearized(msgs[0]->dn),
644 ldb_errstring(state->sam_ldb));
645 return NT_STATUS_INTERNAL_DB_CORRUPTION;
648 return NT_STATUS_OK;
651 static NTSTATUS samsync_ldb_handle_group_member(TALLOC_CTX *mem_ctx,
652 struct samsync_ldb_state *state,
653 enum netr_SamDatabaseID database,
654 struct netr_DELTA_ENUM *delta,
655 char **error_string)
657 uint32_t rid = delta->delta_id_union.rid;
658 struct netr_DELTA_GROUP_MEMBER *group_member = delta->delta_union.group_member;
659 struct ldb_message *msg;
660 struct ldb_message **msgs;
661 int ret;
662 const char *attrs[] = { NULL };
663 int i;
665 msg = ldb_msg_new(mem_ctx);
666 if (msg == NULL) {
667 return NT_STATUS_NO_MEMORY;
670 /* search for the group, by rid */
671 ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
672 "(&(objectClass=group)(objectSid=%s))",
673 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
675 if (ret == -1) {
676 *error_string = talloc_asprintf(mem_ctx, "gendb_search failed: %s", ldb_errstring(state->sam_ldb));
677 return NT_STATUS_INTERNAL_DB_CORRUPTION;
678 } else if (ret == 0) {
679 return NT_STATUS_NO_SUCH_GROUP;
680 } else if (ret > 1) {
681 *error_string = talloc_asprintf(mem_ctx, "More than one group/alias with SID: %s",
682 dom_sid_string(mem_ctx,
683 dom_sid_add_rid(mem_ctx,
684 state->dom_sid[database],
685 rid)));
686 return NT_STATUS_INTERNAL_DB_CORRUPTION;
687 } else {
688 msg->dn = talloc_steal(msg, msgs[0]->dn);
691 talloc_free(msgs);
693 for (i=0; i<group_member->num_rids; i++) {
694 /* search for the group, by rid */
695 ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
696 "(&(objectClass=user)(objectSid=%s))",
697 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], group_member->rids[i])));
699 if (ret == -1) {
700 *error_string = talloc_asprintf(mem_ctx, "gendb_search failed: %s", ldb_errstring(state->sam_ldb));
701 return NT_STATUS_INTERNAL_DB_CORRUPTION;
702 } else if (ret == 0) {
703 return NT_STATUS_NO_SUCH_USER;
704 } else if (ret > 1) {
705 return NT_STATUS_INTERNAL_DB_CORRUPTION;
706 } else {
707 samdb_msg_add_string(state->sam_ldb, mem_ctx, msg, "member", ldb_dn_alloc_linearized(mem_ctx, msgs[0]->dn));
710 talloc_free(msgs);
713 ret = samdb_replace(state->sam_ldb, mem_ctx, msg);
714 if (ret != 0) {
715 *error_string = talloc_asprintf(mem_ctx, "Failed to modify group record %s: %s",
716 ldb_dn_get_linearized(msg->dn),
717 ldb_errstring(state->sam_ldb));
718 return NT_STATUS_INTERNAL_DB_CORRUPTION;
721 return NT_STATUS_OK;
724 static NTSTATUS samsync_ldb_handle_alias(TALLOC_CTX *mem_ctx,
725 struct samsync_ldb_state *state,
726 enum netr_SamDatabaseID database,
727 struct netr_DELTA_ENUM *delta,
728 char **error_string)
730 uint32_t rid = delta->delta_id_union.rid;
731 struct netr_DELTA_ALIAS *alias = delta->delta_union.alias;
732 const char *container, *obj_class;
733 const char *cn_name;
735 struct ldb_message *msg;
736 struct ldb_message **msgs;
737 int ret;
738 bool add = false;
739 const char *attrs[] = { NULL };
741 msg = ldb_msg_new(mem_ctx);
742 if (msg == NULL) {
743 return NT_STATUS_NO_MEMORY;
746 /* search for the alias, by rid */
747 ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
748 "(&(objectClass=group)(objectSid=%s))",
749 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
751 if (ret == -1) {
752 *error_string = talloc_asprintf(mem_ctx, "gendb_search failed: %s", ldb_errstring(state->sam_ldb));
753 return NT_STATUS_INTERNAL_DB_CORRUPTION;
754 } else if (ret == 0) {
755 add = true;
756 } else if (ret > 1) {
757 *error_string = talloc_asprintf(mem_ctx, "More than one group/alias with SID: %s",
758 dom_sid_string(mem_ctx,
759 dom_sid_add_rid(mem_ctx,
760 state->dom_sid[database],
761 rid)));
762 return NT_STATUS_INTERNAL_DB_CORRUPTION;
763 } else {
764 msg->dn = talloc_steal(mem_ctx, msgs[0]->dn);
767 cn_name = alias->alias_name.string;
769 #define ADD_OR_DEL(type, attrib, field) do { \
770 if (alias->field) { \
771 samdb_msg_add_ ## type(state->sam_ldb, mem_ctx, msg, \
772 attrib, alias->field); \
773 } else if (!add) { \
774 samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg, \
775 attrib); \
777 } while (0);
779 ADD_OR_DEL(string, "samAccountName", alias_name.string);
781 if (samdb_msg_add_dom_sid(state->sam_ldb, mem_ctx, msg,
782 "objectSid", dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))) {
783 return NT_STATUS_NO_MEMORY;
786 ADD_OR_DEL(string, "description", description.string);
788 #undef ADD_OR_DEL
790 samdb_msg_add_uint(state->sam_ldb, mem_ctx, msg, "groupType", 0x80000004);
792 container = "Users";
793 obj_class = "group";
795 if (add) {
796 samdb_msg_add_string(state->sam_ldb, mem_ctx, msg,
797 "objectClass", obj_class);
798 msg->dn = ldb_dn_copy(mem_ctx, state->base_dn[database]);
799 ldb_dn_add_child_fmt(msg->dn, "CN=%s,CN=%s", cn_name, container);
800 if (!msg->dn) {
801 return NT_STATUS_NO_MEMORY;
804 ret = ldb_add(state->sam_ldb, msg);
805 if (ret != 0) {
806 *error_string = talloc_asprintf(mem_ctx, "Failed to create alias record %s: %s",
807 ldb_dn_get_linearized(msg->dn),
808 ldb_errstring(state->sam_ldb));
809 return NT_STATUS_INTERNAL_DB_CORRUPTION;
811 } else {
812 ret = samdb_replace(state->sam_ldb, mem_ctx, msg);
813 if (ret != 0) {
814 *error_string = talloc_asprintf(mem_ctx, "Failed to modify alias record %s: %s",
815 ldb_dn_get_linearized(msg->dn),
816 ldb_errstring(state->sam_ldb));
817 return NT_STATUS_INTERNAL_DB_CORRUPTION;
821 return NT_STATUS_OK;
824 static NTSTATUS samsync_ldb_delete_alias(TALLOC_CTX *mem_ctx,
825 struct samsync_ldb_state *state,
826 enum netr_SamDatabaseID database,
827 struct netr_DELTA_ENUM *delta,
828 char **error_string)
830 uint32_t rid = delta->delta_id_union.rid;
831 struct ldb_message **msgs;
832 int ret;
833 const char *attrs[] = { NULL };
835 /* search for the alias, by rid */
836 ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
837 "(&(objectClass=group)(objectSid=%s))",
838 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
840 if (ret == -1) {
841 *error_string = talloc_asprintf(mem_ctx, "gendb_search failed: %s", ldb_errstring(state->sam_ldb));
842 return NT_STATUS_INTERNAL_DB_CORRUPTION;
843 } else if (ret == 0) {
844 return NT_STATUS_NO_SUCH_ALIAS;
845 } else if (ret > 1) {
846 return NT_STATUS_INTERNAL_DB_CORRUPTION;
849 ret = ldb_delete(state->sam_ldb, msgs[0]->dn);
850 if (ret != 0) {
851 *error_string = talloc_asprintf(mem_ctx, "Failed to delete alias record %s: %s",
852 ldb_dn_get_linearized(msgs[0]->dn),
853 ldb_errstring(state->sam_ldb));
854 return NT_STATUS_INTERNAL_DB_CORRUPTION;
857 return NT_STATUS_OK;
860 static NTSTATUS samsync_ldb_handle_alias_member(TALLOC_CTX *mem_ctx,
861 struct samsync_ldb_state *state,
862 enum netr_SamDatabaseID database,
863 struct netr_DELTA_ENUM *delta,
864 char **error_string)
866 uint32_t rid = delta->delta_id_union.rid;
867 struct netr_DELTA_ALIAS_MEMBER *alias_member = delta->delta_union.alias_member;
868 struct ldb_message *msg;
869 struct ldb_message **msgs;
870 int ret;
871 const char *attrs[] = { NULL };
872 int i;
874 msg = ldb_msg_new(mem_ctx);
875 if (msg == NULL) {
876 return NT_STATUS_NO_MEMORY;
879 /* search for the alias, by rid */
880 ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
881 "(&(objectClass=group)(objectSid=%s))",
882 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
884 if (ret == -1) {
885 *error_string = talloc_asprintf(mem_ctx, "gendb_search failed: %s", ldb_errstring(state->sam_ldb));
886 return NT_STATUS_INTERNAL_DB_CORRUPTION;
887 } else if (ret == 0) {
888 return NT_STATUS_NO_SUCH_GROUP;
889 } else if (ret > 1) {
890 *error_string = talloc_asprintf(mem_ctx, "More than one group/alias with SID: %s",
891 dom_sid_string(mem_ctx,
892 dom_sid_add_rid(mem_ctx,
893 state->dom_sid[database],
894 rid)));
895 return NT_STATUS_INTERNAL_DB_CORRUPTION;
896 } else {
897 msg->dn = talloc_steal(msg, msgs[0]->dn);
900 talloc_free(msgs);
902 for (i=0; i<alias_member->sids.num_sids; i++) {
903 struct ldb_dn *alias_member_dn;
904 /* search for members, in the top basedn (normal users are builtin aliases) */
905 ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN], &msgs, attrs,
906 "(objectSid=%s)",
907 ldap_encode_ndr_dom_sid(mem_ctx, alias_member->sids.sids[i].sid));
909 if (ret == -1) {
910 *error_string = talloc_asprintf(mem_ctx, "gendb_search failed: %s", ldb_errstring(state->sam_ldb));
911 return NT_STATUS_INTERNAL_DB_CORRUPTION;
912 } else if (ret == 0) {
913 NTSTATUS nt_status;
914 nt_status = samsync_ldb_add_foreignSecurityPrincipal(mem_ctx, state,
915 alias_member->sids.sids[i].sid,
916 &alias_member_dn,
917 error_string);
918 if (!NT_STATUS_IS_OK(nt_status)) {
919 return nt_status;
921 } else if (ret > 1) {
922 return NT_STATUS_INTERNAL_DB_CORRUPTION;
923 } else {
924 alias_member_dn = msgs[0]->dn;
926 samdb_msg_add_string(state->sam_ldb, mem_ctx, msg, "member", ldb_dn_alloc_linearized(mem_ctx, alias_member_dn));
928 talloc_free(msgs);
931 ret = samdb_replace(state->sam_ldb, mem_ctx, msg);
932 if (ret != 0) {
933 *error_string = talloc_asprintf(mem_ctx, "Failed to modify group record %s: %s",
934 ldb_dn_get_linearized(msg->dn),
935 ldb_errstring(state->sam_ldb));
936 return NT_STATUS_INTERNAL_DB_CORRUPTION;
939 return NT_STATUS_OK;
942 static NTSTATUS samsync_ldb_handle_account(TALLOC_CTX *mem_ctx,
943 struct samsync_ldb_state *state,
944 enum netr_SamDatabaseID database,
945 struct netr_DELTA_ENUM *delta,
946 char **error_string)
948 struct dom_sid *sid = delta->delta_id_union.sid;
949 struct netr_DELTA_ACCOUNT *account = delta->delta_union.account;
951 struct ldb_message *msg;
952 struct ldb_message **msgs;
953 struct ldb_dn *privilege_dn;
954 int ret;
955 const char *attrs[] = { NULL };
956 int i;
958 msg = ldb_msg_new(mem_ctx);
959 if (msg == NULL) {
960 return NT_STATUS_NO_MEMORY;
963 /* search for the account, by sid, in the top basedn */
964 ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN], &msgs, attrs,
965 "(objectSid=%s)", ldap_encode_ndr_dom_sid(mem_ctx, sid));
967 if (ret == -1) {
968 *error_string = talloc_asprintf(mem_ctx, "gendb_search failed: %s", ldb_errstring(state->sam_ldb));
969 return NT_STATUS_INTERNAL_DB_CORRUPTION;
970 } else if (ret == 0) {
971 NTSTATUS nt_status;
972 nt_status = samsync_ldb_add_foreignSecurityPrincipal(mem_ctx, state,
973 sid,
974 &privilege_dn,
975 error_string);
976 privilege_dn = talloc_steal(msg, privilege_dn);
977 if (!NT_STATUS_IS_OK(nt_status)) {
978 return nt_status;
980 } else if (ret > 1) {
981 *error_string = talloc_asprintf(mem_ctx, "More than one account with SID: %s",
982 dom_sid_string(mem_ctx, sid));
983 return NT_STATUS_INTERNAL_DB_CORRUPTION;
984 } else {
985 privilege_dn = talloc_steal(msg, msgs[0]->dn);
988 msg->dn = privilege_dn;
990 for (i=0; i< account->privilege_entries; i++) {
991 samdb_msg_add_string(state->sam_ldb, mem_ctx, msg, "privilege",
992 account->privilege_name[i].string);
995 ret = samdb_replace(state->sam_ldb, mem_ctx, msg);
996 if (ret != 0) {
997 *error_string = talloc_asprintf(mem_ctx, "Failed to modify privilege record %s",
998 ldb_dn_get_linearized(msg->dn));
999 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1002 return NT_STATUS_OK;
1005 static NTSTATUS samsync_ldb_delete_account(TALLOC_CTX *mem_ctx,
1006 struct samsync_ldb_state *state,
1007 enum netr_SamDatabaseID database,
1008 struct netr_DELTA_ENUM *delta,
1009 char **error_string)
1011 struct dom_sid *sid = delta->delta_id_union.sid;
1013 struct ldb_message *msg;
1014 struct ldb_message **msgs;
1015 int ret;
1016 const char *attrs[] = { NULL };
1018 msg = ldb_msg_new(mem_ctx);
1019 if (msg == NULL) {
1020 return NT_STATUS_NO_MEMORY;
1023 /* search for the account, by sid, in the top basedn */
1024 ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN], &msgs, attrs,
1025 "(objectSid=%s)",
1026 ldap_encode_ndr_dom_sid(mem_ctx, sid));
1028 if (ret == -1) {
1029 *error_string = talloc_asprintf(mem_ctx, "gendb_search failed: %s", ldb_errstring(state->sam_ldb));
1030 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1031 } else if (ret == 0) {
1032 return NT_STATUS_NO_SUCH_USER;
1033 } else if (ret > 1) {
1034 *error_string = talloc_asprintf(mem_ctx, "More than one account with SID: %s",
1035 dom_sid_string(mem_ctx, sid));
1036 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1037 } else {
1038 msg->dn = talloc_steal(msg, msgs[0]->dn);
1041 samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg,
1042 "privilage");
1044 ret = samdb_replace(state->sam_ldb, mem_ctx, msg);
1045 if (ret != 0) {
1046 *error_string = talloc_asprintf(mem_ctx, "Failed to modify privilege record %s",
1047 ldb_dn_get_linearized(msg->dn));
1048 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1051 return NT_STATUS_OK;
1054 static NTSTATUS libnet_samsync_ldb_fn(TALLOC_CTX *mem_ctx,
1055 void *private_data,
1056 enum netr_SamDatabaseID database,
1057 struct netr_DELTA_ENUM *delta,
1058 char **error_string)
1060 NTSTATUS nt_status = NT_STATUS_OK;
1061 struct samsync_ldb_state *state = talloc_get_type(private_data, struct samsync_ldb_state);
1063 *error_string = NULL;
1064 switch (delta->delta_type) {
1065 case NETR_DELTA_DOMAIN:
1067 nt_status = samsync_ldb_handle_domain(mem_ctx,
1068 state,
1069 database,
1070 delta,
1071 error_string);
1072 break;
1074 case NETR_DELTA_USER:
1076 nt_status = samsync_ldb_handle_user(mem_ctx,
1077 state,
1078 database,
1079 delta,
1080 error_string);
1081 break;
1083 case NETR_DELTA_DELETE_USER:
1085 nt_status = samsync_ldb_delete_user(mem_ctx,
1086 state,
1087 database,
1088 delta,
1089 error_string);
1090 break;
1092 case NETR_DELTA_GROUP:
1094 nt_status = samsync_ldb_handle_group(mem_ctx,
1095 state,
1096 database,
1097 delta,
1098 error_string);
1099 break;
1101 case NETR_DELTA_DELETE_GROUP:
1103 nt_status = samsync_ldb_delete_group(mem_ctx,
1104 state,
1105 database,
1106 delta,
1107 error_string);
1108 break;
1110 case NETR_DELTA_GROUP_MEMBER:
1112 nt_status = samsync_ldb_handle_group_member(mem_ctx,
1113 state,
1114 database,
1115 delta,
1116 error_string);
1117 break;
1119 case NETR_DELTA_ALIAS:
1121 nt_status = samsync_ldb_handle_alias(mem_ctx,
1122 state,
1123 database,
1124 delta,
1125 error_string);
1126 break;
1128 case NETR_DELTA_DELETE_ALIAS:
1130 nt_status = samsync_ldb_delete_alias(mem_ctx,
1131 state,
1132 database,
1133 delta,
1134 error_string);
1135 break;
1137 case NETR_DELTA_ALIAS_MEMBER:
1139 nt_status = samsync_ldb_handle_alias_member(mem_ctx,
1140 state,
1141 database,
1142 delta,
1143 error_string);
1144 break;
1146 case NETR_DELTA_ACCOUNT:
1148 nt_status = samsync_ldb_handle_account(mem_ctx,
1149 state,
1150 database,
1151 delta,
1152 error_string);
1153 break;
1155 case NETR_DELTA_DELETE_ACCOUNT:
1157 nt_status = samsync_ldb_delete_account(mem_ctx,
1158 state,
1159 database,
1160 delta,
1161 error_string);
1162 break;
1164 default:
1165 /* Can't dump them all right now */
1166 break;
1168 if (!NT_STATUS_IS_OK(nt_status) && !*error_string) {
1169 *error_string = talloc_asprintf(mem_ctx, "Failed to handle samsync delta: %s", nt_errstr(nt_status));
1171 return nt_status;
1174 static NTSTATUS libnet_samsync_ldb_init(TALLOC_CTX *mem_ctx,
1175 void *private_data,
1176 struct libnet_SamSync_state *samsync_state,
1177 char **error_string)
1179 struct samsync_ldb_state *state = talloc_get_type(private_data, struct samsync_ldb_state);
1180 const char *server = dcerpc_server_name(samsync_state->netlogon_pipe);
1181 char *ldap_url;
1183 state->samsync_state = samsync_state;
1185 ZERO_STRUCT(state->dom_sid);
1186 if (state->samsync_state->domain_sid) {
1187 state->dom_sid[SAM_DATABASE_DOMAIN] = dom_sid_dup(state, state->samsync_state->domain_sid);
1190 state->dom_sid[SAM_DATABASE_BUILTIN] = dom_sid_parse_talloc(state, SID_BUILTIN);
1192 if (state->samsync_state->realm) {
1193 if (!server || !*server) {
1194 /* huh? how do we not have a server name? */
1195 *error_string = talloc_strdup(mem_ctx, "No DCE/RPC server name available. How did we connect?");
1196 return NT_STATUS_INVALID_PARAMETER;
1198 ldap_url = talloc_asprintf(state, "ldap://%s", server);
1200 state->remote_ldb = ldb_wrap_connect(mem_ctx,
1201 state->samsync_state->machine_net_ctx->event_ctx,
1202 state->samsync_state->machine_net_ctx->lp_ctx,
1203 ldap_url,
1204 NULL, state->samsync_state->machine_net_ctx->cred,
1205 0, NULL);
1206 if (!state->remote_ldb) {
1207 *error_string = talloc_asprintf(mem_ctx, "Failed to connect to remote LDAP server at %s (used to extract additional data in SamSync replication)", ldap_url);
1208 return NT_STATUS_NO_LOGON_SERVERS;
1210 } else {
1211 state->remote_ldb = NULL;
1213 return NT_STATUS_OK;
1216 NTSTATUS libnet_samsync_ldb(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_samsync_ldb *r)
1218 NTSTATUS nt_status;
1219 struct libnet_SamSync r2;
1220 struct samsync_ldb_state *state = talloc(mem_ctx, struct samsync_ldb_state);
1222 if (!state) {
1223 return NT_STATUS_NO_MEMORY;
1226 state->secrets = NULL;
1227 state->trusted_domains = NULL;
1229 state->sam_ldb = samdb_connect(mem_ctx,
1230 ctx->event_ctx,
1231 ctx->lp_ctx,
1232 r->in.session_info);
1234 r2.out.error_string = NULL;
1235 r2.in.binding_string = r->in.binding_string;
1236 r2.in.init_fn = libnet_samsync_ldb_init;
1237 r2.in.delta_fn = libnet_samsync_ldb_fn;
1238 r2.in.fn_ctx = state;
1239 r2.in.machine_account = NULL; /* TODO: Create a machine account, fill this in, and the delete it */
1240 nt_status = libnet_SamSync_netlogon(ctx, state, &r2);
1241 r->out.error_string = r2.out.error_string;
1242 talloc_steal(mem_ctx, r->out.error_string);
1244 if (!NT_STATUS_IS_OK(nt_status)) {
1245 talloc_free(state);
1246 return nt_status;
1248 talloc_free(state);
1249 return nt_status;