search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-ldb: allow for unescaped '=' in a index DN
[Samba/cd1.git] / source3 / libnet / libnet_samsync.c
blobdf7e875ab64d6161609fc244cde6679fb5d8fee0
1 /*
2 Unix SMB/CIFS implementation.
3
4 Extract the user/system database from a remote SamSync server
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7 Copyright (C) Guenther Deschner <gd@samba.org> 2008
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23
24 #include "includes.h"
25 #include "libnet/libnet.h"
26 #include "../lib/crypto/crypto.h"
27 #include "../libcli/samsync/samsync.h"
28 #include "../libcli/auth/libcli_auth.h"
29
30 /**
31 * Fix up the delta, dealing with encryption issues so that the final
32 * callback need only do the printing or application logic
33 */
34
35 static NTSTATUS samsync_fix_delta_array(TALLOC_CTX *mem_ctx,
36 struct netlogon_creds_CredentialState *creds,
37 enum netr_SamDatabaseID database_id,
38 struct netr_DELTA_ENUM_ARRAY *r)
39 {
40 NTSTATUS status;
41 int i;
42
43 for (i = 0; i < r->num_deltas; i++) {
44
45 status = samsync_fix_delta(mem_ctx,
46 creds,
47 database_id,
48 &r->delta_enum[i]);
49 if (!NT_STATUS_IS_OK(status)) {
50 return status;
51 }
52 }
53
54 return NT_STATUS_OK;
55 }
56
57 /**
58 * libnet_samsync_init_context
59 */
60
61 NTSTATUS libnet_samsync_init_context(TALLOC_CTX *mem_ctx,
62 const struct dom_sid *domain_sid,
63 struct samsync_context **ctx_p)
64 {
65 struct samsync_context *ctx;
66
67 *ctx_p = NULL;
68
69 ctx = TALLOC_ZERO_P(mem_ctx, struct samsync_context);
70 NT_STATUS_HAVE_NO_MEMORY(ctx);
71
72 if (domain_sid) {
73 ctx->domain_sid = sid_dup_talloc(mem_ctx, domain_sid);
74 NT_STATUS_HAVE_NO_MEMORY(ctx->domain_sid);
75
76 ctx->domain_sid_str = sid_string_talloc(mem_ctx, ctx->domain_sid);
77 NT_STATUS_HAVE_NO_MEMORY(ctx->domain_sid_str);
78 }
79
80 *ctx_p = ctx;
81
82 return NT_STATUS_OK;
83 }
84
85 /**
86 * samsync_database_str
87 */
88
89 static const char *samsync_database_str(enum netr_SamDatabaseID database_id)
90 {
91
92 switch (database_id) {
93 case SAM_DATABASE_DOMAIN:
94 return "DOMAIN";
95 case SAM_DATABASE_BUILTIN:
96 return "BUILTIN";
97 case SAM_DATABASE_PRIVS:
98 return "PRIVS";
99 default:
100 return "unknown";
101 }
102 }
103
104 /**
105 * samsync_debug_str
106 */
107
108 static const char *samsync_debug_str(TALLOC_CTX *mem_ctx,
109 enum net_samsync_mode mode,
110 enum netr_SamDatabaseID database_id)
111 {
112 const char *action = NULL;
113
114 switch (mode) {
115 case NET_SAMSYNC_MODE_DUMP:
116 action = "Dumping (to stdout)";
117 break;
118 case NET_SAMSYNC_MODE_FETCH_PASSDB:
119 action = "Fetching (to passdb)";
120 break;
121 case NET_SAMSYNC_MODE_FETCH_LDIF:
122 action = "Fetching (to ldif)";
123 break;
124 case NET_SAMSYNC_MODE_FETCH_KEYTAB:
125 action = "Fetching (to keytab)";
126 break;
127 default:
128 action = "Unknown";
129 break;
130 }
131
132 return talloc_asprintf(mem_ctx, "%s %s database",
133 action, samsync_database_str(database_id));
134 }
135
136 /**
137 * libnet_samsync
138 */
139
140 static void libnet_init_netr_ChangeLogEntry(struct samsync_object *o,
141 struct netr_ChangeLogEntry *e)
142 {
143 ZERO_STRUCTP(e);
144
145 e->db_index = o->database_id;
146 e->delta_type = o->object_type;
147
148 switch (e->delta_type) {
149 case NETR_DELTA_DOMAIN:
150 case NETR_DELTA_DELETE_GROUP:
151 case NETR_DELTA_RENAME_GROUP:
152 case NETR_DELTA_DELETE_USER:
153 case NETR_DELTA_RENAME_USER:
154 case NETR_DELTA_DELETE_ALIAS:
155 case NETR_DELTA_RENAME_ALIAS:
156 case NETR_DELTA_DELETE_TRUST:
157 case NETR_DELTA_DELETE_ACCOUNT:
158 case NETR_DELTA_DELETE_SECRET:
159 case NETR_DELTA_DELETE_GROUP2:
160 case NETR_DELTA_DELETE_USER2:
161 case NETR_DELTA_MODIFY_COUNT:
162 break;
163 case NETR_DELTA_USER:
164 case NETR_DELTA_GROUP:
165 case NETR_DELTA_GROUP_MEMBER:
166 case NETR_DELTA_ALIAS:
167 case NETR_DELTA_ALIAS_MEMBER:
168 e->object_rid = o->object_identifier.rid;
169 break;
170 case NETR_DELTA_SECRET:
171 e->object.object_name = o->object_identifier.name;
172 e->flags = NETR_CHANGELOG_NAME_INCLUDED;
173 break;
174 case NETR_DELTA_TRUSTED_DOMAIN:
175 case NETR_DELTA_ACCOUNT:
176 case NETR_DELTA_POLICY:
177 e->object.object_sid = o->object_identifier.sid;
178 e->flags = NETR_CHANGELOG_SID_INCLUDED;
179 break;
180 default:
181 break;
182 }
183 }
184
185 /**
186 * libnet_samsync_delta
187 */
188
189 static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
190 enum netr_SamDatabaseID database_id,
191 uint64_t *sequence_num,
192 struct samsync_context *ctx,
193 struct netr_ChangeLogEntry *e)
194 {
195 NTSTATUS result;
196 NTSTATUS callback_status;
197 const char *logon_server = ctx->cli->desthost;
198 const char *computername = global_myname();
199 struct netr_Authenticator credential;
200 struct netr_Authenticator return_authenticator;
201 uint16_t restart_state = 0;
202 uint32_t sync_context = 0;
203
204 ZERO_STRUCT(return_authenticator);
205
206 do {
207 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
208
209 netlogon_creds_client_authenticator(ctx->cli->dc, &credential);
210
211 if (ctx->single_object_replication &&
212 !ctx->force_full_replication) {
213 result = rpccli_netr_DatabaseRedo(ctx->cli, mem_ctx,
214 logon_server,
215 computername,
216 &credential,
217 &return_authenticator,
218 *e,
219 0,
220 &delta_enum_array);
221 } else if (!ctx->force_full_replication &&
222 sequence_num && (*sequence_num > 0)) {
223 result = rpccli_netr_DatabaseDeltas(ctx->cli, mem_ctx,
224 logon_server,
225 computername,
226 &credential,
227 &return_authenticator,
228 database_id,
229 sequence_num,
230 &delta_enum_array,
231 0xffff);
232 } else {
233 result = rpccli_netr_DatabaseSync2(ctx->cli, mem_ctx,
234 logon_server,
235 computername,
236 &credential,
237 &return_authenticator,
238 database_id,
239 restart_state,
240 &sync_context,
241 &delta_enum_array,
242 0xffff);
243 }
244
245 if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
246 return result;
247 }
248
249 /* Check returned credentials. */
250 if (!netlogon_creds_client_check(ctx->cli->dc,
251 &return_authenticator.cred)) {
252 DEBUG(0,("credentials chain check failed\n"));
253 return NT_STATUS_ACCESS_DENIED;
254 }
255
256 if (NT_STATUS_IS_ERR(result)) {
257 break;
258 }
259
260 samsync_fix_delta_array(mem_ctx,
261 ctx->cli->dc,
262 database_id,
263 delta_enum_array);
264
265 /* Process results */
266 callback_status = ctx->ops->process_objects(mem_ctx, database_id,
267 delta_enum_array,
268 sequence_num,
269 ctx);
270 if (!NT_STATUS_IS_OK(callback_status)) {
271 result = callback_status;
272 goto out;
273 }
274
275 TALLOC_FREE(delta_enum_array);
276
277 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
278
279 out:
280
281 return result;
282 }
283
284 /**
285 * libnet_samsync
286 */
287
288 NTSTATUS libnet_samsync(enum netr_SamDatabaseID database_id,
289 struct samsync_context *ctx)
290 {
291 NTSTATUS status = NT_STATUS_OK;
292 NTSTATUS callback_status;
293 TALLOC_CTX *mem_ctx;
294 const char *debug_str;
295 uint64_t sequence_num = 0;
296 int i = 0;
297
298 if (!(mem_ctx = talloc_new(ctx))) {
299 return NT_STATUS_NO_MEMORY;
300 }
301
302 if (!ctx->ops) {
303 return NT_STATUS_INVALID_PARAMETER;
304 }
305
306 if (ctx->ops->startup) {
307 status = ctx->ops->startup(mem_ctx, ctx,
308 database_id, &sequence_num);
309 if (!NT_STATUS_IS_OK(status)) {
310 goto done;
311 }
312 }
313
314 debug_str = samsync_debug_str(mem_ctx, ctx->mode, database_id);
315 if (debug_str) {
316 d_fprintf(stderr, "%s\n", debug_str);
317 }
318
319 if (!ctx->single_object_replication) {
320 status = libnet_samsync_delta(mem_ctx, database_id,
321 &sequence_num, ctx, NULL);
322 goto done;
323 }
324
325 for (i=0; i<ctx->num_objects; i++) {
326
327 struct netr_ChangeLogEntry e;
328
329 if (ctx->objects[i].database_id != database_id) {
330 continue;
331 }
332
333 libnet_init_netr_ChangeLogEntry(&ctx->objects[i], &e);
334
335 status = libnet_samsync_delta(mem_ctx, database_id,
336 &sequence_num, ctx, &e);
337 if (!NT_STATUS_IS_OK(status)) {
338 goto done;
339 }
340 }
341
342 done:
343
344 if (NT_STATUS_IS_OK(status) && ctx->ops->finish) {
345 callback_status = ctx->ops->finish(mem_ctx, ctx,
346 database_id, sequence_num);
347 if (!NT_STATUS_IS_OK(callback_status)) {
348 status = callback_status;
349 }
350 }
351
352 if (NT_STATUS_IS_ERR(status) && !ctx->error_message) {
353
354 ctx->error_message = talloc_asprintf(ctx,
355 "Failed to fetch %s database: %s",
356 samsync_database_str(database_id),
357 nt_errstr(status));
358
359 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
360
361 ctx->error_message =
362 talloc_asprintf_append(ctx->error_message,
363 "\nPerhaps %s is a Windows native mode domain?",
364 ctx->domain_name);
365 }
366 }
367
368 talloc_destroy(mem_ctx);
369
370 return status;
371 }
372
373 /**
374 * pull_netr_AcctLockStr
375 */
376
377 NTSTATUS pull_netr_AcctLockStr(TALLOC_CTX *mem_ctx,
378 struct lsa_BinaryString *r,
379 struct netr_AcctLockStr **str_p)
380 {
381 struct netr_AcctLockStr *str;
382 enum ndr_err_code ndr_err;
383 DATA_BLOB blob;
384
385 if (!mem_ctx || !r || !str_p) {
386 return NT_STATUS_INVALID_PARAMETER;
387 }
388
389 *str_p = NULL;
390
391 str = TALLOC_ZERO_P(mem_ctx, struct netr_AcctLockStr);
392 if (!str) {
393 return NT_STATUS_NO_MEMORY;
394 }
395
396 blob = data_blob_const(r->array, r->length);
397
398 ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, NULL, str,
399 (ndr_pull_flags_fn_t)ndr_pull_netr_AcctLockStr);
400
401 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
402 return ndr_map_error2ntstatus(ndr_err);
403 }
404
405 *str_p = str;
406
407 return NT_STATUS_OK;
408 }
409
Crístian's Samba branch