search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:dsdb/util - Change also here counters to "unsigned"
[Samba/ekacnet.git] / source4 / dsdb / common / util.c
blobf597c419cc210c5d5ce2462fe1899ae00785a12c
1 /*
2 Unix SMB/CIFS implementation.
3 Samba utility functions
4
5 Copyright (C) Andrew Tridgell 2004
6 Copyright (C) Volker Lendecke 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
8 Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "events/events.h"
26 #include "ldb.h"
27 #include "ldb_errors.h"
28 #include "../lib/util/util_ldb.h"
29 #include "../lib/crypto/crypto.h"
30 #include "dsdb/samdb/samdb.h"
31 #include "libcli/security/security.h"
32 #include "librpc/gen_ndr/ndr_security.h"
33 #include "librpc/gen_ndr/ndr_misc.h"
34 #include "../libds/common/flags.h"
35 #include "dsdb/common/proto.h"
36 #include "libcli/ldap/ldap_ndr.h"
37 #include "param/param.h"
38 #include "libcli/auth/libcli_auth.h"
39 #include "librpc/gen_ndr/ndr_drsblobs.h"
40 #include "system/locale.h"
41 #include "lib/util/tsort.h"
42 #include "dsdb/common/util.h"
43
44 /*
45 search the sam for the specified attributes in a specific domain, filter on
46 objectSid being in domain_sid.
47 */
48 int samdb_search_domain(struct ldb_context *sam_ldb,
49 TALLOC_CTX *mem_ctx,
50 struct ldb_dn *basedn,
51 struct ldb_message ***res,
52 const char * const *attrs,
53 const struct dom_sid *domain_sid,
54 const char *format, ...) _PRINTF_ATTRIBUTE(7,8)
55 {
56 va_list ap;
57 int i, count;
58
59 va_start(ap, format);
60 count = gendb_search_v(sam_ldb, mem_ctx, basedn,
61 res, attrs, format, ap);
62 va_end(ap);
63
64 i=0;
65
66 while (i<count) {
67 struct dom_sid *entry_sid;
68
69 entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i], "objectSid");
70
71 if ((entry_sid == NULL) ||
72 (!dom_sid_in_domain(domain_sid, entry_sid))) {
73 /* Delete that entry from the result set */
74 (*res)[i] = (*res)[count-1];
75 count -= 1;
76 talloc_free(entry_sid);
77 continue;
78 }
79 talloc_free(entry_sid);
80 i += 1;
81 }
82
83 return count;
84 }
85
86 /*
87 search the sam for a single string attribute in exactly 1 record
88 */
89 const char *samdb_search_string_v(struct ldb_context *sam_ldb,
90 TALLOC_CTX *mem_ctx,
91 struct ldb_dn *basedn,
92 const char *attr_name,
93 const char *format, va_list ap) _PRINTF_ATTRIBUTE(5,0)
94 {
95 int count;
96 const char *attrs[2] = { NULL, NULL };
97 struct ldb_message **res = NULL;
98
99 attrs[0] = attr_name;
100
101 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
102 if (count > 1) {
103 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
104 attr_name, format, count));
105 }
106 if (count != 1) {
107 talloc_free(res);
108 return NULL;
109 }
110
111 return samdb_result_string(res[0], attr_name, NULL);
112 }
113
114 /*
115 search the sam for a single string attribute in exactly 1 record
116 */
117 const char *samdb_search_string(struct ldb_context *sam_ldb,
118 TALLOC_CTX *mem_ctx,
119 struct ldb_dn *basedn,
120 const char *attr_name,
121 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
122 {
123 va_list ap;
124 const char *str;
125
126 va_start(ap, format);
127 str = samdb_search_string_v(sam_ldb, mem_ctx, basedn, attr_name, format, ap);
128 va_end(ap);
129
130 return str;
131 }
132
133 struct ldb_dn *samdb_search_dn(struct ldb_context *sam_ldb,
134 TALLOC_CTX *mem_ctx,
135 struct ldb_dn *basedn,
136 const char *format, ...) _PRINTF_ATTRIBUTE(4,5)
137 {
138 va_list ap;
139 struct ldb_dn *ret;
140 struct ldb_message **res = NULL;
141 int count;
142
143 va_start(ap, format);
144 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, NULL, format, ap);
145 va_end(ap);
146
147 if (count != 1) return NULL;
148
149 ret = talloc_steal(mem_ctx, res[0]->dn);
150 talloc_free(res);
151
152 return ret;
153 }
154
155 /*
156 search the sam for a dom_sid attribute in exactly 1 record
157 */
158 struct dom_sid *samdb_search_dom_sid(struct ldb_context *sam_ldb,
159 TALLOC_CTX *mem_ctx,
160 struct ldb_dn *basedn,
161 const char *attr_name,
162 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
163 {
164 va_list ap;
165 int count;
166 struct ldb_message **res;
167 const char *attrs[2] = { NULL, NULL };
168 struct dom_sid *sid;
169
170 attrs[0] = attr_name;
171
172 va_start(ap, format);
173 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
174 va_end(ap);
175 if (count > 1) {
176 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
177 attr_name, format, count));
178 }
179 if (count != 1) {
180 talloc_free(res);
181 return NULL;
182 }
183 sid = samdb_result_dom_sid(mem_ctx, res[0], attr_name);
184 talloc_free(res);
185 return sid;
186 }
187
188 /*
189 return the count of the number of records in the sam matching the query
190 */
191 int samdb_search_count(struct ldb_context *sam_ldb,
192 struct ldb_dn *basedn,
193 const char *format, ...) _PRINTF_ATTRIBUTE(3,4)
194 {
195 va_list ap;
196 struct ldb_message **res;
197 const char *attrs[] = { NULL };
198 int ret;
199 TALLOC_CTX *tmp_ctx = talloc_new(sam_ldb);
200
201 va_start(ap, format);
202 ret = gendb_search_v(sam_ldb, tmp_ctx, basedn, &res, attrs, format, ap);
203 va_end(ap);
204 talloc_free(tmp_ctx);
205
206 return ret;
207 }
208
209
210 /*
211 search the sam for a single integer attribute in exactly 1 record
212 */
213 unsigned int samdb_search_uint(struct ldb_context *sam_ldb,
214 TALLOC_CTX *mem_ctx,
215 unsigned int default_value,
216 struct ldb_dn *basedn,
217 const char *attr_name,
218 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
219 {
220 va_list ap;
221 int count;
222 struct ldb_message **res;
223 const char *attrs[2] = { NULL, NULL };
224
225 attrs[0] = attr_name;
226
227 va_start(ap, format);
228 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
229 va_end(ap);
230
231 if (count != 1) {
232 return default_value;
233 }
234
235 return samdb_result_uint(res[0], attr_name, default_value);
236 }
237
238 /*
239 search the sam for a single signed 64 bit integer attribute in exactly 1 record
240 */
241 int64_t samdb_search_int64(struct ldb_context *sam_ldb,
242 TALLOC_CTX *mem_ctx,
243 int64_t default_value,
244 struct ldb_dn *basedn,
245 const char *attr_name,
246 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
247 {
248 va_list ap;
249 int count;
250 struct ldb_message **res;
251 const char *attrs[2] = { NULL, NULL };
252
253 attrs[0] = attr_name;
254
255 va_start(ap, format);
256 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
257 va_end(ap);
258
259 if (count != 1) {
260 return default_value;
261 }
262
263 return samdb_result_int64(res[0], attr_name, default_value);
264 }
265
266 /*
267 search the sam for multipe records each giving a single string attribute
268 return the number of matches, or -1 on error
269 */
270 int samdb_search_string_multiple(struct ldb_context *sam_ldb,
271 TALLOC_CTX *mem_ctx,
272 struct ldb_dn *basedn,
273 const char ***strs,
274 const char *attr_name,
275 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
276 {
277 va_list ap;
278 int count, i;
279 const char *attrs[2] = { NULL, NULL };
280 struct ldb_message **res = NULL;
281
282 attrs[0] = attr_name;
283
284 va_start(ap, format);
285 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
286 va_end(ap);
287
288 if (count <= 0) {
289 return count;
290 }
291
292 /* make sure its single valued */
293 for (i=0;i<count;i++) {
294 if (res[i]->num_elements != 1) {
295 DEBUG(1,("samdb: search for %s %s not single valued\n",
296 attr_name, format));
297 talloc_free(res);
298 return -1;
299 }
300 }
301
302 *strs = talloc_array(mem_ctx, const char *, count+1);
303 if (! *strs) {
304 talloc_free(res);
305 return -1;
306 }
307
308 for (i=0;i<count;i++) {
309 (*strs)[i] = samdb_result_string(res[i], attr_name, NULL);
310 }
311 (*strs)[count] = NULL;
312
313 return count;
314 }
315
316 /*
317 pull a uint from a result set.
318 */
319 unsigned int samdb_result_uint(const struct ldb_message *msg, const char *attr, unsigned int default_value)
320 {
321 return ldb_msg_find_attr_as_uint(msg, attr, default_value);
322 }
323
324 /*
325 pull a (signed) int64 from a result set.
326 */
327 int64_t samdb_result_int64(const struct ldb_message *msg, const char *attr, int64_t default_value)
328 {
329 return ldb_msg_find_attr_as_int64(msg, attr, default_value);
330 }
331
332 /*
333 pull a string from a result set.
334 */
335 const char *samdb_result_string(const struct ldb_message *msg, const char *attr,
336 const char *default_value)
337 {
338 return ldb_msg_find_attr_as_string(msg, attr, default_value);
339 }
340
341 struct ldb_dn *samdb_result_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
342 const char *attr, struct ldb_dn *default_value)
343 {
344 struct ldb_dn *ret_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, msg, attr);
345 if (!ret_dn) {
346 return default_value;
347 }
348 return ret_dn;
349 }
350
351 /*
352 pull a rid from a objectSid in a result set.
353 */
354 uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
355 const char *attr, uint32_t default_value)
356 {
357 struct dom_sid *sid;
358 uint32_t rid;
359
360 sid = samdb_result_dom_sid(mem_ctx, msg, attr);
361 if (sid == NULL) {
362 return default_value;
363 }
364 rid = sid->sub_auths[sid->num_auths-1];
365 talloc_free(sid);
366 return rid;
367 }
368
369 /*
370 pull a dom_sid structure from a objectSid in a result set.
371 */
372 struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
373 const char *attr)
374 {
375 const struct ldb_val *v;
376 struct dom_sid *sid;
377 enum ndr_err_code ndr_err;
378 v = ldb_msg_find_ldb_val(msg, attr);
379 if (v == NULL) {
380 return NULL;
381 }
382 sid = talloc(mem_ctx, struct dom_sid);
383 if (sid == NULL) {
384 return NULL;
385 }
386 ndr_err = ndr_pull_struct_blob(v, sid, NULL, sid,
387 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
388 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
389 talloc_free(sid);
390 return NULL;
391 }
392 return sid;
393 }
394
395 /*
396 pull a guid structure from a objectGUID in a result set.
397 */
398 struct GUID samdb_result_guid(const struct ldb_message *msg, const char *attr)
399 {
400 const struct ldb_val *v;
401 struct GUID guid;
402 NTSTATUS status;
403
404 v = ldb_msg_find_ldb_val(msg, attr);
405 if (!v) return GUID_zero();
406
407 status = GUID_from_ndr_blob(v, &guid);
408 if (!NT_STATUS_IS_OK(status)) {
409 return GUID_zero();
410 }
411
412 return guid;
413 }
414
415 /*
416 pull a sid prefix from a objectSid in a result set.
417 this is used to find the domain sid for a user
418 */
419 struct dom_sid *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
420 const char *attr)
421 {
422 struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg, attr);
423 if (!sid || sid->num_auths < 1) return NULL;
424 sid->num_auths--;
425 return sid;
426 }
427
428 /*
429 pull a NTTIME in a result set.
430 */
431 NTTIME samdb_result_nttime(const struct ldb_message *msg, const char *attr,
432 NTTIME default_value)
433 {
434 return ldb_msg_find_attr_as_uint64(msg, attr, default_value);
435 }
436
437 /*
438 * Windows stores 0 for lastLogoff.
439 * But when a MS DC return the lastLogoff (as Logoff Time)
440 * it returns 0x7FFFFFFFFFFFFFFF, not returning this value in this case
441 * cause windows 2008 and newer version to fail for SMB requests
442 */
443 NTTIME samdb_result_last_logoff(const struct ldb_message *msg)
444 {
445 NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "lastLogoff",0);
446
447 if (ret == 0)
448 ret = 0x7FFFFFFFFFFFFFFFULL;
449
450 return ret;
451 }
452
453 /*
454 * Windows uses both 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFFULL) to
455 * indicate an account doesn't expire.
456 *
457 * When Windows initially creates an account, it sets
458 * accountExpires = 9223372036854775807 (0x7FFFFFFFFFFFFFFF). However,
459 * when changing from an account having a specific expiration date to
460 * that account never expiring, it sets accountExpires = 0.
461 *
462 * Consolidate that logic here to allow clearer logic for account expiry in
463 * the rest of the code.
464 */
465 NTTIME samdb_result_account_expires(const struct ldb_message *msg)
466 {
467 NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "accountExpires",
468 0);
469
470 if (ret == 0)
471 ret = 0x7FFFFFFFFFFFFFFFULL;
472
473 return ret;
474 }
475
476 /*
477 pull a uint64_t from a result set.
478 */
479 uint64_t samdb_result_uint64(const struct ldb_message *msg, const char *attr,
480 uint64_t default_value)
481 {
482 return ldb_msg_find_attr_as_uint64(msg, attr, default_value);
483 }
484
485
486 /*
487 construct the allow_password_change field from the PwdLastSet attribute and the
488 domain password settings
489 */
490 NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb,
491 TALLOC_CTX *mem_ctx,
492 struct ldb_dn *domain_dn,
493 struct ldb_message *msg,
494 const char *attr)
495 {
496 uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
497 int64_t minPwdAge;
498
499 if (attr_time == 0) {
500 return 0;
501 }
502
503 minPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, "minPwdAge", NULL);
504
505 /* yes, this is a -= not a += as minPwdAge is stored as the negative
506 of the number of 100-nano-seconds */
507 attr_time -= minPwdAge;
508
509 return attr_time;
510 }
511
512 /*
513 construct the force_password_change field from the PwdLastSet
514 attribute, the userAccountControl and the domain password settings
515 */
516 NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
517 TALLOC_CTX *mem_ctx,
518 struct ldb_dn *domain_dn,
519 struct ldb_message *msg)
520 {
521 uint64_t attr_time = samdb_result_uint64(msg, "pwdLastSet", 0);
522 uint32_t userAccountControl = samdb_result_uint64(msg, "userAccountControl", 0);
523 int64_t maxPwdAge;
524
525 /* Machine accounts don't expire, and there is a flag for 'no expiry' */
526 if (!(userAccountControl & UF_NORMAL_ACCOUNT)
527 || (userAccountControl & UF_DONT_EXPIRE_PASSWD)) {
528 return 0x7FFFFFFFFFFFFFFFULL;
529 }
530
531 if (attr_time == 0) {
532 return 0;
533 }
534
535 maxPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, "maxPwdAge", NULL);
536 if (maxPwdAge == 0) {
537 return 0x7FFFFFFFFFFFFFFFULL;
538 } else {
539 attr_time -= maxPwdAge;
540 }
541
542 return attr_time;
543 }
544
545 /*
546 pull a samr_Password structutre from a result set.
547 */
548 struct samr_Password *samdb_result_hash(TALLOC_CTX *mem_ctx, const struct ldb_message *msg, const char *attr)
549 {
550 struct samr_Password *hash = NULL;
551 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
552 if (val && (val->length >= sizeof(hash->hash))) {
553 hash = talloc(mem_ctx, struct samr_Password);
554 memcpy(hash->hash, val->data, MIN(val->length, sizeof(hash->hash)));
555 }
556 return hash;
557 }
558
559 /*
560 pull an array of samr_Password structures from a result set.
561 */
562 unsigned int samdb_result_hashes(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
563 const char *attr, struct samr_Password **hashes)
564 {
565 unsigned int count, i;
566 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
567
568 *hashes = NULL;
569 if (!val) {
570 return 0;
571 }
572 count = val->length / 16;
573 if (count == 0) {
574 return 0;
575 }
576
577 *hashes = talloc_array(mem_ctx, struct samr_Password, count);
578 if (! *hashes) {
579 return 0;
580 }
581
582 for (i=0;i<count;i++) {
583 memcpy((*hashes)[i].hash, (i*16)+(char *)val->data, 16);
584 }
585
586 return count;
587 }
588
589 NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct ldb_message *msg,
590 struct samr_Password **lm_pwd, struct samr_Password **nt_pwd)
591 {
592 struct samr_Password *lmPwdHash, *ntPwdHash;
593 if (nt_pwd) {
594 unsigned int num_nt;
595 num_nt = samdb_result_hashes(mem_ctx, msg, "unicodePwd", &ntPwdHash);
596 if (num_nt == 0) {
597 *nt_pwd = NULL;
598 } else if (num_nt > 1) {
599 return NT_STATUS_INTERNAL_DB_CORRUPTION;
600 } else {
601 *nt_pwd = &ntPwdHash[0];
602 }
603 }
604 if (lm_pwd) {
605 /* Ensure that if we have turned off LM
606 * authentication, that we never use the LM hash, even
607 * if we store it */
608 if (lp_lanman_auth(lp_ctx)) {
609 unsigned int num_lm;
610 num_lm = samdb_result_hashes(mem_ctx, msg, "dBCSPwd", &lmPwdHash);
611 if (num_lm == 0) {
612 *lm_pwd = NULL;
613 } else if (num_lm > 1) {
614 return NT_STATUS_INTERNAL_DB_CORRUPTION;
615 } else {
616 *lm_pwd = &lmPwdHash[0];
617 }
618 } else {
619 *lm_pwd = NULL;
620 }
621 }
622 return NT_STATUS_OK;
623 }
624
625 /*
626 pull a samr_LogonHours structutre from a result set.
627 */
628 struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr)
629 {
630 struct samr_LogonHours hours;
631 const int units_per_week = 168;
632 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
633 ZERO_STRUCT(hours);
634 hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week);
635 if (!hours.bits) {
636 return hours;
637 }
638 hours.units_per_week = units_per_week;
639 memset(hours.bits, 0xFF, units_per_week);
640 if (val) {
641 memcpy(hours.bits, val->data, MIN(val->length, units_per_week));
642 }
643 return hours;
644 }
645
646 /*
647 pull a set of account_flags from a result set.
648
649 This requires that the attributes:
650 pwdLastSet
651 userAccountControl
652 be included in 'msg'
653 */
654 uint32_t samdb_result_acct_flags(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
655 struct ldb_message *msg, struct ldb_dn *domain_dn)
656 {
657 uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
658 uint32_t acct_flags = ds_uf2acb(userAccountControl);
659 NTTIME must_change_time;
660 NTTIME now;
661
662 must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
663 domain_dn, msg);
664
665 /* Test account expire time */
666 unix_to_nt_time(&now, time(NULL));
667 /* check for expired password */
668 if (must_change_time < now) {
669 acct_flags |= ACB_PW_EXPIRED;
670 }
671 return acct_flags;
672 }
673
674 struct lsa_BinaryString samdb_result_parameters(TALLOC_CTX *mem_ctx,
675 struct ldb_message *msg,
676 const char *attr)
677 {
678 struct lsa_BinaryString s;
679 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
680
681 ZERO_STRUCT(s);
682
683 if (!val) {
684 return s;
685 }
686
687 s.array = talloc_array(mem_ctx, uint16_t, val->length/2);
688 if (!s.array) {
689 return s;
690 }
691 s.length = s.size = val->length;
692 memcpy(s.array, val->data, val->length);
693
694 return s;
695 }
696
697 /* Find an attribute, with a particular value */
698
699 /* The current callers of this function expect a very specific
700 * behaviour: In particular, objectClass subclass equivilance is not
701 * wanted. This means that we should not lookup the schema for the
702 * comparison function */
703 struct ldb_message_element *samdb_find_attribute(struct ldb_context *ldb,
704 const struct ldb_message *msg,
705 const char *name, const char *value)
706 {
707 unsigned int i;
708 struct ldb_message_element *el = ldb_msg_find_element(msg, name);
709
710 if (!el) {
711 return NULL;
712 }
713
714 for (i=0;i<el->num_values;i++) {
715 if (ldb_attr_cmp(value, (char *)el->values[i].data) == 0) {
716 return el;
717 }
718 }
719
720 return NULL;
721 }
722
723 int samdb_find_or_add_value(struct ldb_context *ldb, struct ldb_message *msg, const char *name, const char *set_value)
724 {
725 if (samdb_find_attribute(ldb, msg, name, set_value) == NULL) {
726 return samdb_msg_add_string(ldb, msg, msg, name, set_value);
727 }
728 return LDB_SUCCESS;
729 }
730
731 int samdb_find_or_add_attribute(struct ldb_context *ldb, struct ldb_message *msg, const char *name, const char *set_value)
732 {
733 struct ldb_message_element *el;
734
735 el = ldb_msg_find_element(msg, name);
736 if (el) {
737 return LDB_SUCCESS;
738 }
739
740 return samdb_msg_add_string(ldb, msg, msg, name, set_value);
741 }
742
743
744
745 /*
746 add a string element to a message
747 */
748 int samdb_msg_add_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
749 const char *attr_name, const char *str)
750 {
751 char *s = talloc_strdup(mem_ctx, str);
752 char *a = talloc_strdup(mem_ctx, attr_name);
753 if (s == NULL || a == NULL) {
754 return LDB_ERR_OPERATIONS_ERROR;
755 }
756 return ldb_msg_add_string(msg, a, s);
757 }
758
759 /*
760 add a dom_sid element to a message
761 */
762 int samdb_msg_add_dom_sid(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
763 const char *attr_name, struct dom_sid *sid)
764 {
765 struct ldb_val v;
766 enum ndr_err_code ndr_err;
767
768 ndr_err = ndr_push_struct_blob(&v, mem_ctx,
769 lp_iconv_convenience(ldb_get_opaque(sam_ldb, "loadparm")),
770 sid,
771 (ndr_push_flags_fn_t)ndr_push_dom_sid);
772 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
773 return LDB_ERR_OPERATIONS_ERROR;
774 }
775 return ldb_msg_add_value(msg, attr_name, &v, NULL);
776 }
777
778
779 /*
780 add a delete element operation to a message
781 */
782 int samdb_msg_add_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
783 const char *attr_name)
784 {
785 /* we use an empty replace rather than a delete, as it allows for
786 dsdb_replace() to be used everywhere */
787 return ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_REPLACE, NULL);
788 }
789
790 /*
791 add a add attribute value to a message
792 */
793 int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
794 const char *attr_name, const char *value)
795 {
796 struct ldb_message_element *el;
797 char *a, *v;
798 int ret;
799 a = talloc_strdup(mem_ctx, attr_name);
800 if (a == NULL)
801 return LDB_ERR_OPERATIONS_ERROR;
802 v = talloc_strdup(mem_ctx, value);
803 if (v == NULL)
804 return LDB_ERR_OPERATIONS_ERROR;
805 ret = ldb_msg_add_string(msg, a, v);
806 if (ret != 0)
807 return ret;
808 el = ldb_msg_find_element(msg, a);
809 if (el == NULL)
810 return LDB_ERR_OPERATIONS_ERROR;
811 el->flags = LDB_FLAG_MOD_ADD;
812 return LDB_SUCCESS;
813 }
814
815 /*
816 add a delete attribute value to a message
817 */
818 int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
819 const char *attr_name, const char *value)
820 {
821 struct ldb_message_element *el;
822 char *a, *v;
823 int ret;
824 a = talloc_strdup(mem_ctx, attr_name);
825 if (a == NULL)
826 return LDB_ERR_OPERATIONS_ERROR;
827 v = talloc_strdup(mem_ctx, value);
828 if (v == NULL)
829 return LDB_ERR_OPERATIONS_ERROR;
830 ret = ldb_msg_add_string(msg, a, v);
831 if (ret != 0)
832 return ret;
833 el = ldb_msg_find_element(msg, a);
834 if (el == NULL)
835 return LDB_ERR_OPERATIONS_ERROR;
836 el->flags = LDB_FLAG_MOD_DELETE;
837 return LDB_SUCCESS;
838 }
839
840 /*
841 add a int element to a message
842 */
843 int samdb_msg_add_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
844 const char *attr_name, int v)
845 {
846 const char *s = talloc_asprintf(mem_ctx, "%d", v);
847 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
848 }
849
850 /*
851 add a unsigned int element to a message
852 */
853 int samdb_msg_add_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
854 const char *attr_name, unsigned int v)
855 {
856 return samdb_msg_add_int(sam_ldb, mem_ctx, msg, attr_name, (int)v);
857 }
858
859 /*
860 add a (signed) int64_t element to a message
861 */
862 int samdb_msg_add_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
863 const char *attr_name, int64_t v)
864 {
865 const char *s = talloc_asprintf(mem_ctx, "%lld", (long long)v);
866 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
867 }
868
869 /*
870 add a uint64_t element to a message
871 */
872 int samdb_msg_add_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
873 const char *attr_name, uint64_t v)
874 {
875 return samdb_msg_add_int64(sam_ldb, mem_ctx, msg, attr_name, (int64_t)v);
876 }
877
878 /*
879 add a samr_Password element to a message
880 */
881 int samdb_msg_add_hash(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
882 const char *attr_name, struct samr_Password *hash)
883 {
884 struct ldb_val val;
885 val.data = talloc_memdup(mem_ctx, hash->hash, 16);
886 if (!val.data) {
887 return LDB_ERR_OPERATIONS_ERROR;
888 }
889 val.length = 16;
890 return ldb_msg_add_value(msg, attr_name, &val, NULL);
891 }
892
893 /*
894 add a samr_Password array to a message
895 */
896 int samdb_msg_add_hashes(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
897 const char *attr_name, struct samr_Password *hashes,
898 unsigned int count)
899 {
900 struct ldb_val val;
901 unsigned int i;
902 val.data = talloc_array_size(mem_ctx, 16, count);
903 val.length = count*16;
904 if (!val.data) {
905 return LDB_ERR_OPERATIONS_ERROR;
906 }
907 for (i=0;i<count;i++) {
908 memcpy(i*16 + (char *)val.data, hashes[i].hash, 16);
909 }
910 return ldb_msg_add_value(msg, attr_name, &val, NULL);
911 }
912
913 /*
914 add a acct_flags element to a message
915 */
916 int samdb_msg_add_acct_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
917 const char *attr_name, uint32_t v)
918 {
919 return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, ds_acb2uf(v));
920 }
921
922 /*
923 add a logon_hours element to a message
924 */
925 int samdb_msg_add_logon_hours(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
926 const char *attr_name, struct samr_LogonHours *hours)
927 {
928 struct ldb_val val;
929 val.length = hours->units_per_week / 8;
930 val.data = hours->bits;
931 return ldb_msg_add_value(msg, attr_name, &val, NULL);
932 }
933
934 /*
935 add a parameters element to a message
936 */
937 int samdb_msg_add_parameters(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
938 const char *attr_name, struct lsa_BinaryString *parameters)
939 {
940 struct ldb_val val;
941 val.length = parameters->length;
942 val.data = (uint8_t *)parameters->array;
943 return ldb_msg_add_value(msg, attr_name, &val, NULL);
944 }
945 /*
946 add a general value element to a message
947 */
948 int samdb_msg_add_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
949 const char *attr_name, const struct ldb_val *val)
950 {
951 return ldb_msg_add_value(msg, attr_name, val, NULL);
952 }
953
954 /*
955 sets a general value element to a message
956 */
957 int samdb_msg_set_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
958 const char *attr_name, const struct ldb_val *val)
959 {
960 struct ldb_message_element *el;
961
962 el = ldb_msg_find_element(msg, attr_name);
963 if (el) {
964 el->num_values = 0;
965 }
966 return ldb_msg_add_value(msg, attr_name, val, NULL);
967 }
968
969 /*
970 set a string element in a message
971 */
972 int samdb_msg_set_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
973 const char *attr_name, const char *str)
974 {
975 struct ldb_message_element *el;
976
977 el = ldb_msg_find_element(msg, attr_name);
978 if (el) {
979 el->num_values = 0;
980 }
981 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, str);
982 }
983
984 /*
985 * Handle ldb_request in transaction
986 */
987 static int dsdb_autotransaction_request(struct ldb_context *sam_ldb,
988 struct ldb_request *req)
989 {
990 int ret;
991
992 ret = ldb_transaction_start(sam_ldb);
993 if (ret != LDB_SUCCESS) {
994 return ret;
995 }
996
997 ret = ldb_request(sam_ldb, req);
998 if (ret == LDB_SUCCESS) {
999 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
1000 }
1001
1002 if (ret == LDB_SUCCESS) {
1003 return ldb_transaction_commit(sam_ldb);
1004 }
1005 ldb_transaction_cancel(sam_ldb);
1006
1007 return ret;
1008 }
1009
1010 /*
1011 return a default security descriptor
1012 */
1013 struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ctx)
1014 {
1015 struct security_descriptor *sd;
1016
1017 sd = security_descriptor_initialise(mem_ctx);
1018
1019 return sd;
1020 }
1021
1022 struct ldb_dn *samdb_base_dn(struct ldb_context *sam_ctx)
1023 {
1024 return ldb_get_default_basedn(sam_ctx);
1025 }
1026
1027 struct ldb_dn *samdb_config_dn(struct ldb_context *sam_ctx)
1028 {
1029 return ldb_get_config_basedn(sam_ctx);
1030 }
1031
1032 struct ldb_dn *samdb_schema_dn(struct ldb_context *sam_ctx)
1033 {
1034 return ldb_get_schema_basedn(sam_ctx);
1035 }
1036
1037 struct ldb_dn *samdb_aggregate_schema_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1038 {
1039 struct ldb_dn *schema_dn = ldb_get_schema_basedn(sam_ctx);
1040 struct ldb_dn *aggregate_dn;
1041 if (!schema_dn) {
1042 return NULL;
1043 }
1044
1045 aggregate_dn = ldb_dn_copy(mem_ctx, schema_dn);
1046 if (!aggregate_dn) {
1047 return NULL;
1048 }
1049 if (!ldb_dn_add_child_fmt(aggregate_dn, "CN=Aggregate")) {
1050 return NULL;
1051 }
1052 return aggregate_dn;
1053 }
1054
1055 struct ldb_dn *samdb_root_dn(struct ldb_context *sam_ctx)
1056 {
1057 return ldb_get_root_basedn(sam_ctx);
1058 }
1059
1060 struct ldb_dn *samdb_partitions_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1061 {
1062 struct ldb_dn *new_dn;
1063
1064 new_dn = ldb_dn_copy(mem_ctx, samdb_config_dn(sam_ctx));
1065 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Partitions")) {
1066 talloc_free(new_dn);
1067 return NULL;
1068 }
1069 return new_dn;
1070 }
1071
1072 struct ldb_dn *samdb_sites_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1073 {
1074 struct ldb_dn *new_dn;
1075
1076 new_dn = ldb_dn_copy(mem_ctx, samdb_config_dn(sam_ctx));
1077 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Sites")) {
1078 talloc_free(new_dn);
1079 return NULL;
1080 }
1081 return new_dn;
1082 }
1083
1084 /*
1085 work out the domain sid for the current open ldb
1086 */
1087 const struct dom_sid *samdb_domain_sid(struct ldb_context *ldb)
1088 {
1089 TALLOC_CTX *tmp_ctx;
1090 const struct dom_sid *domain_sid;
1091 const char *attrs[] = {
1092 "objectSid",
1093 NULL
1094 };
1095 struct ldb_result *res;
1096 int ret;
1097
1098 /* see if we have a cached copy */
1099 domain_sid = (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
1100 if (domain_sid) {
1101 return domain_sid;
1102 }
1103
1104 tmp_ctx = talloc_new(ldb);
1105 if (tmp_ctx == NULL) {
1106 goto failed;
1107 }
1108
1109 ret = ldb_search(ldb, tmp_ctx, &res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, attrs, "objectSid=*");
1110
1111 if (ret != LDB_SUCCESS) {
1112 goto failed;
1113 }
1114
1115 if (res->count != 1) {
1116 goto failed;
1117 }
1118
1119 domain_sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
1120 if (domain_sid == NULL) {
1121 goto failed;
1122 }
1123
1124 /* cache the domain_sid in the ldb */
1125 if (ldb_set_opaque(ldb, "cache.domain_sid", discard_const_p(struct dom_sid, domain_sid)) != LDB_SUCCESS) {
1126 goto failed;
1127 }
1128
1129 talloc_steal(ldb, domain_sid);
1130 talloc_free(tmp_ctx);
1131
1132 return domain_sid;
1133
1134 failed:
1135 talloc_free(tmp_ctx);
1136 return NULL;
1137 }
1138
1139 /*
1140 get domain sid from cache
1141 */
1142 const struct dom_sid *samdb_domain_sid_cache_only(struct ldb_context *ldb)
1143 {
1144 return (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
1145 }
1146
1147 bool samdb_set_domain_sid(struct ldb_context *ldb, const struct dom_sid *dom_sid_in)
1148 {
1149 TALLOC_CTX *tmp_ctx;
1150 struct dom_sid *dom_sid_new;
1151 struct dom_sid *dom_sid_old;
1152
1153 /* see if we have a cached copy */
1154 dom_sid_old = talloc_get_type(ldb_get_opaque(ldb,
1155 "cache.domain_sid"), struct dom_sid);
1156
1157 tmp_ctx = talloc_new(ldb);
1158 if (tmp_ctx == NULL) {
1159 goto failed;
1160 }
1161
1162 dom_sid_new = dom_sid_dup(tmp_ctx, dom_sid_in);
1163 if (!dom_sid_new) {
1164 goto failed;
1165 }
1166
1167 /* cache the domain_sid in the ldb */
1168 if (ldb_set_opaque(ldb, "cache.domain_sid", dom_sid_new) != LDB_SUCCESS) {
1169 goto failed;
1170 }
1171
1172 talloc_steal(ldb, dom_sid_new);
1173 talloc_free(tmp_ctx);
1174 talloc_free(dom_sid_old);
1175
1176 return true;
1177
1178 failed:
1179 DEBUG(1,("Failed to set our own cached domain SID in the ldb!\n"));
1180 talloc_free(tmp_ctx);
1181 return false;
1182 }
1183
1184 /* Obtain the short name of the flexible single master operator
1185 * (FSMO), such as the PDC Emulator */
1186 const char *samdb_result_fsmo_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
1187 const char *attr)
1188 {
1189 /* Format is cn=NTDS Settings,cn=<NETBIOS name of FSMO>,.... */
1190 struct ldb_dn *fsmo_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, msg, attr);
1191 const struct ldb_val *val = ldb_dn_get_component_val(fsmo_dn, 1);
1192 const char *name = ldb_dn_get_component_name(fsmo_dn, 1);
1193
1194 if (!name || (ldb_attr_cmp(name, "cn") != 0)) {
1195 /* Ensure this matches the format. This gives us a
1196 * bit more confidence that a 'cn' value will be a
1197 * ascii string */
1198 return NULL;
1199 }
1200 if (val) {
1201 return (char *)val->data;
1202 }
1203 return NULL;
1204 }
1205
1206 /*
1207 work out the ntds settings dn for the current open ldb
1208 */
1209 struct ldb_dn *samdb_ntds_settings_dn(struct ldb_context *ldb)
1210 {
1211 TALLOC_CTX *tmp_ctx;
1212 const char *root_attrs[] = { "dsServiceName", NULL };
1213 int ret;
1214 struct ldb_result *root_res;
1215 struct ldb_dn *settings_dn;
1216
1217 /* see if we have a cached copy */
1218 settings_dn = (struct ldb_dn *)ldb_get_opaque(ldb, "cache.settings_dn");
1219 if (settings_dn) {
1220 return settings_dn;
1221 }
1222
1223 tmp_ctx = talloc_new(ldb);
1224 if (tmp_ctx == NULL) {
1225 goto failed;
1226 }
1227
1228 ret = ldb_search(ldb, tmp_ctx, &root_res, ldb_dn_new(tmp_ctx, ldb, ""), LDB_SCOPE_BASE, root_attrs, NULL);
1229 if (ret) {
1230 DEBUG(1,("Searching for dsServiceName in rootDSE failed: %s\n",
1231 ldb_errstring(ldb)));
1232 goto failed;
1233 }
1234
1235 if (root_res->count != 1) {
1236 goto failed;
1237 }
1238
1239 settings_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, root_res->msgs[0], "dsServiceName");
1240
1241 /* cache the domain_sid in the ldb */
1242 if (ldb_set_opaque(ldb, "cache.settings_dn", settings_dn) != LDB_SUCCESS) {
1243 goto failed;
1244 }
1245
1246 talloc_steal(ldb, settings_dn);
1247 talloc_free(tmp_ctx);
1248
1249 return settings_dn;
1250
1251 failed:
1252 DEBUG(1,("Failed to find our own NTDS Settings DN in the ldb!\n"));
1253 talloc_free(tmp_ctx);
1254 return NULL;
1255 }
1256
1257 /*
1258 work out the ntds settings invocationId for the current open ldb
1259 */
1260 const struct GUID *samdb_ntds_invocation_id(struct ldb_context *ldb)
1261 {
1262 TALLOC_CTX *tmp_ctx;
1263 const char *attrs[] = { "invocationId", NULL };
1264 int ret;
1265 struct ldb_result *res;
1266 struct GUID *invocation_id;
1267
1268 /* see if we have a cached copy */
1269 invocation_id = (struct GUID *)ldb_get_opaque(ldb, "cache.invocation_id");
1270 if (invocation_id) {
1271 return invocation_id;
1272 }
1273
1274 tmp_ctx = talloc_new(ldb);
1275 if (tmp_ctx == NULL) {
1276 goto failed;
1277 }
1278
1279 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
1280 if (ret) {
1281 goto failed;
1282 }
1283
1284 if (res->count != 1) {
1285 goto failed;
1286 }
1287
1288 invocation_id = talloc(tmp_ctx, struct GUID);
1289 if (!invocation_id) {
1290 goto failed;
1291 }
1292
1293 *invocation_id = samdb_result_guid(res->msgs[0], "invocationId");
1294
1295 /* cache the domain_sid in the ldb */
1296 if (ldb_set_opaque(ldb, "cache.invocation_id", invocation_id) != LDB_SUCCESS) {
1297 goto failed;
1298 }
1299
1300 talloc_steal(ldb, invocation_id);
1301 talloc_free(tmp_ctx);
1302
1303 return invocation_id;
1304
1305 failed:
1306 DEBUG(1,("Failed to find our own NTDS Settings invocationId in the ldb!\n"));
1307 talloc_free(tmp_ctx);
1308 return NULL;
1309 }
1310
1311 bool samdb_set_ntds_invocation_id(struct ldb_context *ldb, const struct GUID *invocation_id_in)
1312 {
1313 TALLOC_CTX *tmp_ctx;
1314 struct GUID *invocation_id_new;
1315 struct GUID *invocation_id_old;
1316
1317 /* see if we have a cached copy */
1318 invocation_id_old = (struct GUID *)ldb_get_opaque(ldb,
1319 "cache.invocation_id");
1320
1321 tmp_ctx = talloc_new(ldb);
1322 if (tmp_ctx == NULL) {
1323 goto failed;
1324 }
1325
1326 invocation_id_new = talloc(tmp_ctx, struct GUID);
1327 if (!invocation_id_new) {
1328 goto failed;
1329 }
1330
1331 *invocation_id_new = *invocation_id_in;
1332
1333 /* cache the domain_sid in the ldb */
1334 if (ldb_set_opaque(ldb, "cache.invocation_id", invocation_id_new) != LDB_SUCCESS) {
1335 goto failed;
1336 }
1337
1338 talloc_steal(ldb, invocation_id_new);
1339 talloc_free(tmp_ctx);
1340 talloc_free(invocation_id_old);
1341
1342 return true;
1343
1344 failed:
1345 DEBUG(1,("Failed to set our own cached invocationId in the ldb!\n"));
1346 talloc_free(tmp_ctx);
1347 return false;
1348 }
1349
1350 /*
1351 work out the ntds settings objectGUID for the current open ldb
1352 */
1353 const struct GUID *samdb_ntds_objectGUID(struct ldb_context *ldb)
1354 {
1355 TALLOC_CTX *tmp_ctx;
1356 const char *attrs[] = { "objectGUID", NULL };
1357 int ret;
1358 struct ldb_result *res;
1359 struct GUID *ntds_guid;
1360
1361 /* see if we have a cached copy */
1362 ntds_guid = (struct GUID *)ldb_get_opaque(ldb, "cache.ntds_guid");
1363 if (ntds_guid) {
1364 return ntds_guid;
1365 }
1366
1367 tmp_ctx = talloc_new(ldb);
1368 if (tmp_ctx == NULL) {
1369 goto failed;
1370 }
1371
1372 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
1373 if (ret) {
1374 goto failed;
1375 }
1376
1377 if (res->count != 1) {
1378 goto failed;
1379 }
1380
1381 ntds_guid = talloc(tmp_ctx, struct GUID);
1382 if (!ntds_guid) {
1383 goto failed;
1384 }
1385
1386 *ntds_guid = samdb_result_guid(res->msgs[0], "objectGUID");
1387
1388 /* cache the domain_sid in the ldb */
1389 if (ldb_set_opaque(ldb, "cache.ntds_guid", ntds_guid) != LDB_SUCCESS) {
1390 goto failed;
1391 }
1392
1393 talloc_steal(ldb, ntds_guid);
1394 talloc_free(tmp_ctx);
1395
1396 return ntds_guid;
1397
1398 failed:
1399 DEBUG(1,("Failed to find our own NTDS Settings objectGUID in the ldb!\n"));
1400 talloc_free(tmp_ctx);
1401 return NULL;
1402 }
1403
1404 bool samdb_set_ntds_objectGUID(struct ldb_context *ldb, const struct GUID *ntds_guid_in)
1405 {
1406 TALLOC_CTX *tmp_ctx;
1407 struct GUID *ntds_guid_new;
1408 struct GUID *ntds_guid_old;
1409
1410 /* see if we have a cached copy */
1411 ntds_guid_old = (struct GUID *)ldb_get_opaque(ldb, "cache.ntds_guid");
1412
1413 tmp_ctx = talloc_new(ldb);
1414 if (tmp_ctx == NULL) {
1415 goto failed;
1416 }
1417
1418 ntds_guid_new = talloc(tmp_ctx, struct GUID);
1419 if (!ntds_guid_new) {
1420 goto failed;
1421 }
1422
1423 *ntds_guid_new = *ntds_guid_in;
1424
1425 /* cache the domain_sid in the ldb */
1426 if (ldb_set_opaque(ldb, "cache.ntds_guid", ntds_guid_new) != LDB_SUCCESS) {
1427 goto failed;
1428 }
1429
1430 talloc_steal(ldb, ntds_guid_new);
1431 talloc_free(tmp_ctx);
1432 talloc_free(ntds_guid_old);
1433
1434 return true;
1435
1436 failed:
1437 DEBUG(1,("Failed to set our own cached invocationId in the ldb!\n"));
1438 talloc_free(tmp_ctx);
1439 return false;
1440 }
1441
1442 /*
1443 work out the server dn for the current open ldb
1444 */
1445 struct ldb_dn *samdb_server_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1446 {
1447 return ldb_dn_get_parent(mem_ctx, samdb_ntds_settings_dn(ldb));
1448 }
1449
1450 /*
1451 work out the server dn for the current open ldb
1452 */
1453 struct ldb_dn *samdb_server_site_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1454 {
1455 struct ldb_dn *server_dn;
1456 struct ldb_dn *servers_dn;
1457 struct ldb_dn *server_site_dn;
1458
1459 /* TODO: there must be a saner way to do this!! */
1460
1461 server_dn = samdb_server_dn(ldb, mem_ctx);
1462 if (!server_dn) return NULL;
1463
1464 servers_dn = ldb_dn_get_parent(mem_ctx, server_dn);
1465 if (!servers_dn) return NULL;
1466
1467 server_site_dn = ldb_dn_get_parent(mem_ctx, servers_dn);
1468
1469 talloc_free(server_dn);
1470 return server_site_dn;
1471 }
1472
1473 /*
1474 find a 'reference' DN that points at another object
1475 (eg. serverReference, rIDManagerReference etc)
1476 */
1477 int samdb_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *base,
1478 const char *attribute, struct ldb_dn **dn)
1479 {
1480 const char *attrs[2];
1481 struct ldb_result *res;
1482 int ret;
1483
1484 attrs[0] = attribute;
1485 attrs[1] = NULL;
1486
1487 ret = ldb_search(ldb, mem_ctx, &res, base, LDB_SCOPE_BASE, attrs, NULL);
1488 if (ret != LDB_SUCCESS) {
1489 return ret;
1490 }
1491 if (res->count != 1) {
1492 talloc_free(res);
1493 return LDB_ERR_NO_SUCH_OBJECT;
1494 }
1495
1496 *dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0], attribute);
1497 if (!*dn) {
1498 talloc_free(res);
1499 return LDB_ERR_NO_SUCH_ATTRIBUTE;
1500 }
1501
1502 talloc_free(res);
1503 return LDB_SUCCESS;
1504 }
1505
1506 /*
1507 find our machine account via the serverReference attribute in the
1508 server DN
1509 */
1510 int samdb_server_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1511 {
1512 struct ldb_dn *server_dn;
1513 int ret;
1514
1515 server_dn = samdb_server_dn(ldb, mem_ctx);
1516 if (server_dn == NULL) {
1517 return LDB_ERR_NO_SUCH_OBJECT;
1518 }
1519
1520 ret = samdb_reference_dn(ldb, mem_ctx, server_dn, "serverReference", dn);
1521 talloc_free(server_dn);
1522
1523 return ret;
1524 }
1525
1526 /*
1527 find the RID Manager$ DN via the rIDManagerReference attribute in the
1528 base DN
1529 */
1530 int samdb_rid_manager_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1531 {
1532 return samdb_reference_dn(ldb, mem_ctx, samdb_base_dn(ldb), "rIDManagerReference", dn);
1533 }
1534
1535 /*
1536 find the RID Set DN via the rIDSetReferences attribute in our
1537 machine account DN
1538 */
1539 int samdb_rid_set_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1540 {
1541 struct ldb_dn *server_ref_dn;
1542 int ret;
1543
1544 ret = samdb_server_reference_dn(ldb, mem_ctx, &server_ref_dn);
1545 if (ret != LDB_SUCCESS) {
1546 return ret;
1547 }
1548 ret = samdb_reference_dn(ldb, mem_ctx, server_ref_dn, "rIDSetReferences", dn);
1549 talloc_free(server_ref_dn);
1550 return ret;
1551 }
1552
1553 const char *samdb_server_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1554 {
1555 const struct ldb_val *val = ldb_dn_get_rdn_val(samdb_server_site_dn(ldb, mem_ctx));
1556
1557 if (val != NULL)
1558 return (const char *) val->data;
1559 else
1560 return NULL;
1561 }
1562
1563 /*
1564 work out if we are the PDC for the domain of the current open ldb
1565 */
1566 bool samdb_is_pdc(struct ldb_context *ldb)
1567 {
1568 const char *dom_attrs[] = { "fSMORoleOwner", NULL };
1569 int ret;
1570 struct ldb_result *dom_res;
1571 TALLOC_CTX *tmp_ctx;
1572 bool is_pdc;
1573 struct ldb_dn *pdc;
1574
1575 tmp_ctx = talloc_new(ldb);
1576 if (tmp_ctx == NULL) {
1577 DEBUG(1, ("talloc_new failed in samdb_is_pdc"));
1578 return false;
1579 }
1580
1581 ret = ldb_search(ldb, tmp_ctx, &dom_res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, dom_attrs, NULL);
1582 if (ret) {
1583 DEBUG(1,("Searching for fSMORoleOwner in %s failed: %s\n",
1584 ldb_dn_get_linearized(ldb_get_default_basedn(ldb)),
1585 ldb_errstring(ldb)));
1586 goto failed;
1587 }
1588 if (dom_res->count != 1) {
1589 goto failed;
1590 }
1591
1592 pdc = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, dom_res->msgs[0], "fSMORoleOwner");
1593
1594 if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), pdc) == 0) {
1595 is_pdc = true;
1596 } else {
1597 is_pdc = false;
1598 }
1599
1600 talloc_free(tmp_ctx);
1601
1602 return is_pdc;
1603
1604 failed:
1605 DEBUG(1,("Failed to find if we are the PDC for this ldb\n"));
1606 talloc_free(tmp_ctx);
1607 return false;
1608 }
1609
1610 /*
1611 work out if we are a Global Catalog server for the domain of the current open ldb
1612 */
1613 bool samdb_is_gc(struct ldb_context *ldb)
1614 {
1615 const char *attrs[] = { "options", NULL };
1616 int ret, options;
1617 struct ldb_result *res;
1618 TALLOC_CTX *tmp_ctx;
1619
1620 tmp_ctx = talloc_new(ldb);
1621 if (tmp_ctx == NULL) {
1622 DEBUG(1, ("talloc_new failed in samdb_is_pdc"));
1623 return false;
1624 }
1625
1626 /* Query cn=ntds settings,.... */
1627 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
1628 if (ret) {
1629 talloc_free(tmp_ctx);
1630 return false;
1631 }
1632 if (res->count != 1) {
1633 talloc_free(tmp_ctx);
1634 return false;
1635 }
1636
1637 options = ldb_msg_find_attr_as_int(res->msgs[0], "options", 0);
1638 talloc_free(tmp_ctx);
1639
1640 /* if options attribute has the 0x00000001 flag set, then enable the global catlog */
1641 if (options & 0x000000001) {
1642 return true;
1643 }
1644 return false;
1645 }
1646
1647 /* Find a domain object in the parents of a particular DN. */
1648 int samdb_search_for_parent_domain(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
1649 struct ldb_dn **parent_dn, const char **errstring)
1650 {
1651 TALLOC_CTX *local_ctx;
1652 struct ldb_dn *sdn = dn;
1653 struct ldb_result *res = NULL;
1654 int ret = 0;
1655 const char *attrs[] = { NULL };
1656
1657 local_ctx = talloc_new(mem_ctx);
1658 if (local_ctx == NULL) return LDB_ERR_OPERATIONS_ERROR;
1659
1660 while ((sdn = ldb_dn_get_parent(local_ctx, sdn))) {
1661 ret = ldb_search(ldb, local_ctx, &res, sdn, LDB_SCOPE_BASE, attrs,
1662 "(|(objectClass=domain)(objectClass=builtinDomain))");
1663 if (ret == LDB_SUCCESS) {
1664 if (res->count == 1) {
1665 break;
1666 }
1667 } else {
1668 break;
1669 }
1670 }
1671
1672 if (ret != LDB_SUCCESS) {
1673 *errstring = talloc_asprintf(mem_ctx, "Error searching for parent domain of %s, failed searching for %s: %s",
1674 ldb_dn_get_linearized(dn),
1675 ldb_dn_get_linearized(sdn),
1676 ldb_errstring(ldb));
1677 talloc_free(local_ctx);
1678 return ret;
1679 }
1680 if (res->count != 1) {
1681 *errstring = talloc_asprintf(mem_ctx, "Invalid dn (%s), not child of a domain object",
1682 ldb_dn_get_linearized(dn));
1683 DEBUG(0,(__location__ ": %s\n", *errstring));
1684 talloc_free(local_ctx);
1685 return LDB_ERR_CONSTRAINT_VIOLATION;
1686 }
1687
1688 *parent_dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
1689 talloc_free(local_ctx);
1690 return ret;
1691 }
1692
1693
1694 /*
1695 * Performs checks on a user password (plaintext UNIX format - attribute
1696 * "password"). The remaining parameters have to be extracted from the domain
1697 * object in the AD.
1698 *
1699 * Result codes from "enum samr_ValidationStatus" (consider "samr.idl")
1700 */
1701 enum samr_ValidationStatus samdb_check_password(const DATA_BLOB *password,
1702 const uint32_t pwdProperties,
1703 const uint32_t minPwdLength)
1704 {
1705 /* checks if the "minPwdLength" property is satisfied */
1706 if (minPwdLength > password->length)
1707 return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
1708
1709 /* checks the password complexity */
1710 if (((pwdProperties & DOMAIN_PASSWORD_COMPLEX) != 0)
1711 && (password->data != NULL)
1712 && (!check_password_quality((const char *) password->data)))
1713 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
1714
1715 return SAMR_VALIDATION_STATUS_SUCCESS;
1716 }
1717
1718 /*
1719 * Sets the user password using plaintext UTF16 (attribute "new_password") or
1720 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
1721 * as parameter if it's a user change or not ("userChange"). The "rejectReason"
1722 * gives some more informations if the changed failed.
1723 *
1724 * The caller should have a LDB transaction wrapping this.
1725 *
1726 * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
1727 * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
1728 * NT_STATUS_PASSWORD_RESTRICTION
1729 */
1730 NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
1731 struct ldb_dn *user_dn, struct ldb_dn *domain_dn,
1732 struct ldb_message *mod,
1733 const DATA_BLOB *new_password,
1734 struct samr_Password *param_lmNewHash,
1735 struct samr_Password *param_ntNewHash,
1736 bool user_change,
1737 enum samPwdChangeReason *reject_reason,
1738 struct samr_DomInfo1 **_dominfo)
1739 {
1740 const char * const user_attrs[] = { "userAccountControl",
1741 "lmPwdHistory",
1742 "ntPwdHistory",
1743 "dBCSPwd", "unicodePwd",
1744 "objectSid",
1745 "pwdLastSet", NULL };
1746 const char * const domain_attrs[] = { "minPwdLength", "pwdProperties",
1747 "pwdHistoryLength",
1748 "maxPwdAge", "minPwdAge", NULL };
1749 NTTIME pwdLastSet;
1750 uint32_t minPwdLength, pwdProperties, pwdHistoryLength;
1751 int64_t maxPwdAge, minPwdAge;
1752 uint32_t userAccountControl;
1753 struct samr_Password *sambaLMPwdHistory, *sambaNTPwdHistory,
1754 *lmPwdHash, *ntPwdHash, *lmNewHash, *ntNewHash;
1755 struct samr_Password local_lmNewHash, local_ntNewHash;
1756 int sambaLMPwdHistory_len, sambaNTPwdHistory_len;
1757 struct dom_sid *domain_sid;
1758 struct ldb_message **res;
1759 bool restrictions;
1760 int count;
1761 time_t now = time(NULL);
1762 NTTIME now_nt;
1763 unsigned int i;
1764
1765 /* we need to know the time to compute password age */
1766 unix_to_nt_time(&now_nt, now);
1767
1768 /* pull all the user parameters */
1769 count = gendb_search_dn(ctx, mem_ctx, user_dn, &res, user_attrs);
1770 if (count != 1) {
1771 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1772 }
1773 userAccountControl = samdb_result_uint(res[0], "userAccountControl", 0);
1774 sambaLMPwdHistory_len = samdb_result_hashes(mem_ctx, res[0],
1775 "lmPwdHistory", &sambaLMPwdHistory);
1776 sambaNTPwdHistory_len = samdb_result_hashes(mem_ctx, res[0],
1777 "ntPwdHistory", &sambaNTPwdHistory);
1778 lmPwdHash = samdb_result_hash(mem_ctx, res[0], "dBCSPwd");
1779 ntPwdHash = samdb_result_hash(mem_ctx, res[0], "unicodePwd");
1780 pwdLastSet = samdb_result_uint64(res[0], "pwdLastSet", 0);
1781
1782 /* Copy parameters */
1783 lmNewHash = param_lmNewHash;
1784 ntNewHash = param_ntNewHash;
1785
1786 /* Only non-trust accounts have restrictions (possibly this
1787 * test is the wrong way around, but I like to be restrictive
1788 * if possible */
1789 restrictions = !(userAccountControl & (UF_INTERDOMAIN_TRUST_ACCOUNT
1790 |UF_WORKSTATION_TRUST_ACCOUNT
1791 |UF_SERVER_TRUST_ACCOUNT));
1792
1793 if (domain_dn != NULL) {
1794 /* pull the domain parameters */
1795 count = gendb_search_dn(ctx, mem_ctx, domain_dn, &res,
1796 domain_attrs);
1797 if (count != 1) {
1798 DEBUG(2, ("samdb_set_password: Domain DN %s is invalid, for user %s\n",
1799 ldb_dn_get_linearized(domain_dn),
1800 ldb_dn_get_linearized(user_dn)));
1801 return NT_STATUS_NO_SUCH_DOMAIN;
1802 }
1803 } else {
1804 /* work out the domain sid, and pull the domain from there */
1805 domain_sid = samdb_result_sid_prefix(mem_ctx, res[0],
1806 "objectSid");
1807 if (domain_sid == NULL) {
1808 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1809 }
1810
1811 count = gendb_search(ctx, mem_ctx, NULL, &res, domain_attrs,
1812 "(objectSid=%s)",
1813 ldap_encode_ndr_dom_sid(mem_ctx, domain_sid));
1814 if (count != 1) {
1815 DEBUG(2, ("samdb_set_password: Could not find domain to match SID: %s, for user %s\n",
1816 dom_sid_string(mem_ctx, domain_sid),
1817 ldb_dn_get_linearized(user_dn)));
1818 return NT_STATUS_NO_SUCH_DOMAIN;
1819 }
1820 }
1821
1822 minPwdLength = samdb_result_uint(res[0], "minPwdLength", 0);
1823 pwdProperties = samdb_result_uint(res[0], "pwdProperties", 0);
1824 pwdHistoryLength = samdb_result_uint(res[0], "pwdHistoryLength", 0);
1825 maxPwdAge = samdb_result_int64(res[0], "maxPwdAge", 0);
1826 minPwdAge = samdb_result_int64(res[0], "minPwdAge", 0);
1827
1828 if ((userAccountControl & UF_PASSWD_NOTREQD) != 0) {
1829 /* see [MS-ADTS] 2.2.15 */
1830 minPwdLength = 0;
1831 }
1832
1833 if (_dominfo != NULL) {
1834 struct samr_DomInfo1 *dominfo;
1835 /* on failure we need to fill in the reject reasons */
1836 dominfo = talloc(mem_ctx, struct samr_DomInfo1);
1837 if (dominfo == NULL) {
1838 return NT_STATUS_NO_MEMORY;
1839 }
1840 dominfo->min_password_length = minPwdLength;
1841 dominfo->password_properties = pwdProperties;
1842 dominfo->password_history_length = pwdHistoryLength;
1843 dominfo->max_password_age = maxPwdAge;
1844 dominfo->min_password_age = minPwdAge;
1845 *_dominfo = dominfo;
1846 }
1847
1848 if ((restrictions != 0) && (new_password != 0)) {
1849 char *new_pass;
1850
1851 /* checks if the "minPwdLength" property is satisfied */
1852 if ((restrictions != 0)
1853 && (minPwdLength > utf16_len_n(
1854 new_password->data, new_password->length)/2)) {
1855 if (reject_reason) {
1856 *reject_reason = SAM_PWD_CHANGE_PASSWORD_TOO_SHORT;
1857 }
1858 return NT_STATUS_PASSWORD_RESTRICTION;
1859 }
1860
1861 /* Create the NT hash */
1862 mdfour(local_ntNewHash.hash, new_password->data,
1863 new_password->length);
1864
1865 ntNewHash = &local_ntNewHash;
1866
1867 /* Only check complexity if we can convert it at all. Assuming unconvertable passwords are 'strong' */
1868 if (convert_string_talloc_convenience(mem_ctx,
1869 lp_iconv_convenience(ldb_get_opaque(ctx, "loadparm")),
1870 CH_UTF16, CH_UNIX,
1871 new_password->data, new_password->length,
1872 (void **)&new_pass, NULL, false)) {
1873
1874 /* checks the password complexity */
1875 if ((restrictions != 0)
1876 && ((pwdProperties
1877 & DOMAIN_PASSWORD_COMPLEX) != 0)
1878 && (!check_password_quality(new_pass))) {
1879 if (reject_reason) {
1880 *reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
1881 }
1882 return NT_STATUS_PASSWORD_RESTRICTION;
1883 }
1884
1885 /* compute the new lm hashes (for checking history - case insenitivly!) */
1886 if (E_deshash(new_pass, local_lmNewHash.hash)) {
1887 lmNewHash = &local_lmNewHash;
1888 }
1889 }
1890 }
1891
1892 if ((restrictions != 0) && user_change) {
1893 /* are all password changes disallowed? */
1894 if ((pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) != 0) {
1895 if (reject_reason) {
1896 *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
1897 }
1898 return NT_STATUS_PASSWORD_RESTRICTION;
1899 }
1900
1901 /* can this user change the password? */
1902 if ((userAccountControl & UF_PASSWD_CANT_CHANGE) != 0) {
1903 if (reject_reason) {
1904 *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
1905 }
1906 return NT_STATUS_PASSWORD_RESTRICTION;
1907 }
1908
1909 /* Password minimum age: yes, this is a minus. The ages are in negative 100nsec units! */
1910 if (pwdLastSet - minPwdAge > now_nt) {
1911 if (reject_reason) {
1912 *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
1913 }
1914 return NT_STATUS_PASSWORD_RESTRICTION;
1915 }
1916
1917 /* check the immediately past password */
1918 if (pwdHistoryLength > 0) {
1919 if (lmNewHash && lmPwdHash && memcmp(lmNewHash->hash,
1920 lmPwdHash->hash, 16) == 0) {
1921 if (reject_reason) {
1922 *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
1923 }
1924 return NT_STATUS_PASSWORD_RESTRICTION;
1925 }
1926 if (ntNewHash && ntPwdHash && memcmp(ntNewHash->hash,
1927 ntPwdHash->hash, 16) == 0) {
1928 if (reject_reason) {
1929 *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
1930 }
1931 return NT_STATUS_PASSWORD_RESTRICTION;
1932 }
1933 }
1934
1935 /* check the password history */
1936 sambaLMPwdHistory_len = MIN(sambaLMPwdHistory_len,
1937 pwdHistoryLength);
1938 sambaNTPwdHistory_len = MIN(sambaNTPwdHistory_len,
1939 pwdHistoryLength);
1940
1941 for (i=0; lmNewHash && i<sambaLMPwdHistory_len;i++) {
1942 if (memcmp(lmNewHash->hash, sambaLMPwdHistory[i].hash,
1943 16) == 0) {
1944 if (reject_reason) {
1945 *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
1946 }
1947 return NT_STATUS_PASSWORD_RESTRICTION;
1948 }
1949 }
1950 for (i=0; ntNewHash && i<sambaNTPwdHistory_len;i++) {
1951 if (memcmp(ntNewHash->hash, sambaNTPwdHistory[i].hash,
1952 16) == 0) {
1953 if (reject_reason) {
1954 *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
1955 }
1956 return NT_STATUS_PASSWORD_RESTRICTION;
1957 }
1958 }
1959 }
1960
1961 #define CHECK_RET(x) do { if (x != 0) return NT_STATUS_NO_MEMORY; } while(0)
1962
1963 /* the password is acceptable. Start forming the new fields */
1964 if (new_password != NULL) {
1965 /* if we know the cleartext UTF16 password, then set it.
1966 * Modules in ldb will set all the appropriate
1967 * hashes */
1968 CHECK_RET(ldb_msg_add_value(mod, "clearTextPassword", new_password, NULL));
1969 } else {
1970 /* we don't have the cleartext, so set what we have of the
1971 * hashes */
1972
1973 if (lmNewHash) {
1974 CHECK_RET(samdb_msg_add_hash(ctx, mem_ctx, mod, "dBCSPwd", lmNewHash));
1975 }
1976
1977 if (ntNewHash) {
1978 CHECK_RET(samdb_msg_add_hash(ctx, mem_ctx, mod, "unicodePwd", ntNewHash));
1979 }
1980 }
1981
1982 if (reject_reason) {
1983 *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
1984 }
1985 return NT_STATUS_OK;
1986 }
1987
1988
1989 /*
1990 * Sets the user password using plaintext UTF16 (attribute "new_password") or
1991 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
1992 * as parameter if it's a user change or not ("userChange"). The "rejectReason"
1993 * gives some more informations if the changed failed.
1994 *
1995 * This wrapper function for "samdb_set_password" takes a SID as input rather
1996 * than a user DN.
1997 *
1998 * This call encapsulates a new LDB transaction for changing the password;
1999 * therefore the user hasn't to start a new one.
2000 *
2001 * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
2002 * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
2003 * NT_STATUS_PASSWORD_RESTRICTION
2004 */
2005 NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
2006 const struct dom_sid *user_sid,
2007 const DATA_BLOB *new_password,
2008 struct samr_Password *lmNewHash,
2009 struct samr_Password *ntNewHash,
2010 bool user_change,
2011 enum samPwdChangeReason *reject_reason,
2012 struct samr_DomInfo1 **_dominfo)
2013 {
2014 NTSTATUS nt_status;
2015 struct ldb_dn *user_dn;
2016 struct ldb_message *msg;
2017 int ret;
2018
2019 ret = ldb_transaction_start(ldb);
2020 if (ret != LDB_SUCCESS) {
2021 DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(ldb)));
2022 return NT_STATUS_TRANSACTION_ABORTED;
2023 }
2024
2025 user_dn = samdb_search_dn(ldb, mem_ctx, NULL,
2026 "(&(objectSid=%s)(objectClass=user))",
2027 ldap_encode_ndr_dom_sid(mem_ctx, user_sid));
2028 if (!user_dn) {
2029 ldb_transaction_cancel(ldb);
2030 DEBUG(3, ("samdb_set_password_sid: SID %s not found in samdb, returning NO_SUCH_USER\n",
2031 dom_sid_string(mem_ctx, user_sid)));
2032 return NT_STATUS_NO_SUCH_USER;
2033 }
2034
2035 msg = ldb_msg_new(mem_ctx);
2036 if (msg == NULL) {
2037 ldb_transaction_cancel(ldb);
2038 talloc_free(user_dn);
2039 return NT_STATUS_NO_MEMORY;
2040 }
2041
2042 msg->dn = ldb_dn_copy(msg, user_dn);
2043 if (!msg->dn) {
2044 ldb_transaction_cancel(ldb);
2045 talloc_free(user_dn);
2046 talloc_free(msg);
2047 return NT_STATUS_NO_MEMORY;
2048 }
2049
2050 nt_status = samdb_set_password(ldb, mem_ctx,
2051 user_dn, NULL,
2052 msg, new_password,
2053 lmNewHash, ntNewHash,
2054 user_change,
2055 reject_reason, _dominfo);
2056 if (!NT_STATUS_IS_OK(nt_status)) {
2057 ldb_transaction_cancel(ldb);
2058 talloc_free(user_dn);
2059 talloc_free(msg);
2060 return nt_status;
2061 }
2062
2063 /* modify the samdb record */
2064 ret = dsdb_replace(ldb, msg, 0);
2065 if (ret != LDB_SUCCESS) {
2066 ldb_transaction_cancel(ldb);
2067 talloc_free(user_dn);
2068 talloc_free(msg);
2069 return NT_STATUS_ACCESS_DENIED;
2070 }
2071
2072 talloc_free(msg);
2073
2074 ret = ldb_transaction_commit(ldb);
2075 if (ret != LDB_SUCCESS) {
2076 DEBUG(0,("Failed to commit transaction to change password on %s: %s\n",
2077 ldb_dn_get_linearized(user_dn),
2078 ldb_errstring(ldb)));
2079 talloc_free(user_dn);
2080 return NT_STATUS_TRANSACTION_ABORTED;
2081 }
2082
2083 talloc_free(user_dn);
2084 return NT_STATUS_OK;
2085 }
2086
2087
2088 NTSTATUS samdb_create_foreign_security_principal(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
2089 struct dom_sid *sid, struct ldb_dn **ret_dn)
2090 {
2091 struct ldb_message *msg;
2092 struct ldb_dn *basedn;
2093 char *sidstr;
2094 int ret;
2095
2096 sidstr = dom_sid_string(mem_ctx, sid);
2097 NT_STATUS_HAVE_NO_MEMORY(sidstr);
2098
2099 /* We might have to create a ForeignSecurityPrincipal, even if this user
2100 * is in our own domain */
2101
2102 msg = ldb_msg_new(sidstr);
2103 if (msg == NULL) {
2104 talloc_free(sidstr);
2105 return NT_STATUS_NO_MEMORY;
2106 }
2107
2108 ret = dsdb_wellknown_dn(sam_ctx, sidstr, samdb_base_dn(sam_ctx),
2109 DS_GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER,
2110 &basedn);
2111 if (ret != LDB_SUCCESS) {
2112 DEBUG(0, ("Failed to find DN for "
2113 "ForeignSecurityPrincipal container - %s\n", ldb_errstring(sam_ctx)));
2114 talloc_free(sidstr);
2115 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2116 }
2117
2118 /* add core elements to the ldb_message for the alias */
2119 msg->dn = basedn;
2120 if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s", sidstr)) {
2121 talloc_free(sidstr);
2122 return NT_STATUS_NO_MEMORY;
2123 }
2124
2125 samdb_msg_add_string(sam_ctx, msg, msg,
2126 "objectClass",
2127 "foreignSecurityPrincipal");
2128
2129 /* create the alias */
2130 ret = ldb_add(sam_ctx, msg);
2131 if (ret != LDB_SUCCESS) {
2132 DEBUG(0,("Failed to create foreignSecurityPrincipal "
2133 "record %s: %s\n",
2134 ldb_dn_get_linearized(msg->dn),
2135 ldb_errstring(sam_ctx)));
2136 talloc_free(sidstr);
2137 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2138 }
2139
2140 *ret_dn = talloc_steal(mem_ctx, msg->dn);
2141 talloc_free(sidstr);
2142
2143 return NT_STATUS_OK;
2144 }
2145
2146
2147 /*
2148 Find the DN of a domain, assuming it to be a dotted.dns name
2149 */
2150
2151 struct ldb_dn *samdb_dns_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const char *dns_domain)
2152 {
2153 unsigned int i;
2154 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2155 const char *binary_encoded;
2156 const char **split_realm;
2157 struct ldb_dn *dn;
2158
2159 if (!tmp_ctx) {
2160 return NULL;
2161 }
2162
2163 split_realm = (const char **)str_list_make(tmp_ctx, dns_domain, ".");
2164 if (!split_realm) {
2165 talloc_free(tmp_ctx);
2166 return NULL;
2167 }
2168 dn = ldb_dn_new(mem_ctx, ldb, NULL);
2169 for (i=0; split_realm[i]; i++) {
2170 binary_encoded = ldb_binary_encode_string(tmp_ctx, split_realm[i]);
2171 if (!ldb_dn_add_base_fmt(dn, "dc=%s", binary_encoded)) {
2172 DEBUG(2, ("Failed to add dc=%s element to DN %s\n",
2173 binary_encoded, ldb_dn_get_linearized(dn)));
2174 talloc_free(tmp_ctx);
2175 return NULL;
2176 }
2177 }
2178 if (!ldb_dn_validate(dn)) {
2179 DEBUG(2, ("Failed to validated DN %s\n",
2180 ldb_dn_get_linearized(dn)));
2181 talloc_free(tmp_ctx);
2182 return NULL;
2183 }
2184 talloc_free(tmp_ctx);
2185 return dn;
2186 }
2187
2188 /*
2189 Find the DN of a domain, be it the netbios or DNS name
2190 */
2191 struct ldb_dn *samdb_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
2192 const char *domain_name)
2193 {
2194 const char * const domain_ref_attrs[] = {
2195 "ncName", NULL
2196 };
2197 const char * const domain_ref2_attrs[] = {
2198 NULL
2199 };
2200 struct ldb_result *res_domain_ref;
2201 char *escaped_domain = ldb_binary_encode_string(mem_ctx, domain_name);
2202 /* find the domain's DN */
2203 int ret_domain = ldb_search(ldb, mem_ctx,
2204 &res_domain_ref,
2205 samdb_partitions_dn(ldb, mem_ctx),
2206 LDB_SCOPE_ONELEVEL,
2207 domain_ref_attrs,
2208 "(&(nETBIOSName=%s)(objectclass=crossRef))",
2209 escaped_domain);
2210 if (ret_domain != 0) {
2211 return NULL;
2212 }
2213
2214 if (res_domain_ref->count == 0) {
2215 ret_domain = ldb_search(ldb, mem_ctx,
2216 &res_domain_ref,
2217 samdb_dns_domain_to_dn(ldb, mem_ctx, domain_name),
2218 LDB_SCOPE_BASE,
2219 domain_ref2_attrs,
2220 "(objectclass=domain)");
2221 if (ret_domain != 0) {
2222 return NULL;
2223 }
2224
2225 if (res_domain_ref->count == 1) {
2226 return res_domain_ref->msgs[0]->dn;
2227 }
2228 return NULL;
2229 }
2230
2231 if (res_domain_ref->count > 1) {
2232 DEBUG(0,("Found %d records matching domain [%s]\n",
2233 ret_domain, domain_name));
2234 return NULL;
2235 }
2236
2237 return samdb_result_dn(ldb, mem_ctx, res_domain_ref->msgs[0], "nCName", NULL);
2238
2239 }
2240
2241
2242 /*
2243 use a GUID to find a DN
2244 */
2245 int dsdb_find_dn_by_guid(struct ldb_context *ldb,
2246 TALLOC_CTX *mem_ctx,
2247 const struct GUID *guid, struct ldb_dn **dn)
2248 {
2249 int ret;
2250 struct ldb_result *res;
2251 const char *attrs[] = { NULL };
2252 char *guid_str = GUID_string(mem_ctx, guid);
2253
2254 if (!guid_str) {
2255 return LDB_ERR_OPERATIONS_ERROR;
2256 }
2257
2258 ret = dsdb_search(ldb, mem_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs,
2259 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
2260 DSDB_SEARCH_SHOW_EXTENDED_DN |
2261 DSDB_SEARCH_ONE_ONLY,
2262 "objectGUID=%s", guid_str);
2263 talloc_free(guid_str);
2264 if (ret != LDB_SUCCESS) {
2265 return ret;
2266 }
2267
2268 *dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
2269 talloc_free(res);
2270
2271 return LDB_SUCCESS;
2272 }
2273
2274 /*
2275 use a DN to find a GUID with a given attribute name
2276 */
2277 int dsdb_find_guid_attr_by_dn(struct ldb_context *ldb,
2278 struct ldb_dn *dn, const char *attribute,
2279 struct GUID *guid)
2280 {
2281 int ret;
2282 struct ldb_result *res;
2283 const char *attrs[2];
2284 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
2285
2286 attrs[0] = attribute;
2287 attrs[1] = NULL;
2288
2289 ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_DELETED);
2290 if (ret != LDB_SUCCESS) {
2291 talloc_free(tmp_ctx);
2292 return ret;
2293 }
2294 if (res->count < 1) {
2295 talloc_free(tmp_ctx);
2296 return LDB_ERR_NO_SUCH_OBJECT;
2297 }
2298 *guid = samdb_result_guid(res->msgs[0], attribute);
2299 talloc_free(tmp_ctx);
2300 return LDB_SUCCESS;
2301 }
2302
2303 /*
2304 use a DN to find a GUID
2305 */
2306 int dsdb_find_guid_by_dn(struct ldb_context *ldb,
2307 struct ldb_dn *dn, struct GUID *guid)
2308 {
2309 return dsdb_find_guid_attr_by_dn(ldb, dn, "objectGUID", guid);
2310 }
2311
2312
2313
2314 /*
2315 adds the given GUID to the given ldb_message. This value is added
2316 for the given attr_name (may be either "objectGUID" or "parentGUID").
2317 */
2318 int dsdb_msg_add_guid(struct ldb_message *msg,
2319 struct GUID *guid,
2320 const char *attr_name)
2321 {
2322 int ret;
2323 struct ldb_val v;
2324 NTSTATUS status;
2325 TALLOC_CTX *tmp_ctx = talloc_init("dsdb_msg_add_guid");
2326
2327 status = GUID_to_ndr_blob(guid, tmp_ctx, &v);
2328 if (!NT_STATUS_IS_OK(status)) {
2329 ret = LDB_ERR_OPERATIONS_ERROR;
2330 goto done;
2331 }
2332
2333 ret = ldb_msg_add_steal_value(msg, attr_name, &v);
2334 if (ret != LDB_SUCCESS) {
2335 DEBUG(4,(__location__ ": Failed to add %s to the message\n",
2336 attr_name));
2337 goto done;
2338 }
2339
2340 ret = LDB_SUCCESS;
2341
2342 done:
2343 talloc_free(tmp_ctx);
2344 return ret;
2345
2346 }
2347
2348
2349 /*
2350 use a DN to find a SID
2351 */
2352 int dsdb_find_sid_by_dn(struct ldb_context *ldb,
2353 struct ldb_dn *dn, struct dom_sid *sid)
2354 {
2355 int ret;
2356 struct ldb_result *res;
2357 const char *attrs[] = { "objectSID", NULL };
2358 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
2359 struct dom_sid *s;
2360
2361 ZERO_STRUCTP(sid);
2362
2363 ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_DELETED);
2364 if (ret != LDB_SUCCESS) {
2365 talloc_free(tmp_ctx);
2366 return ret;
2367 }
2368 if (res->count < 1) {
2369 talloc_free(tmp_ctx);
2370 return LDB_ERR_NO_SUCH_OBJECT;
2371 }
2372 s = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSID");
2373 if (s == NULL) {
2374 talloc_free(tmp_ctx);
2375 return LDB_ERR_NO_SUCH_OBJECT;
2376 }
2377 *sid = *s;
2378 talloc_free(tmp_ctx);
2379 return LDB_SUCCESS;
2380 }
2381
2382
2383
2384 /*
2385 load a repsFromTo blob list for a given partition GUID
2386 attr must be "repsFrom" or "repsTo"
2387 */
2388 WERROR dsdb_loadreps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
2389 const char *attr, struct repsFromToBlob **r, uint32_t *count)
2390 {
2391 const char *attrs[] = { attr, NULL };
2392 struct ldb_result *res = NULL;
2393 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2394 unsigned int i;
2395 struct ldb_message_element *el;
2396
2397 *r = NULL;
2398 *count = 0;
2399
2400 if (ldb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, NULL) != LDB_SUCCESS ||
2401 res->count < 1) {
2402 DEBUG(0,("dsdb_loadreps: failed to read partition object\n"));
2403 talloc_free(tmp_ctx);
2404 return WERR_DS_DRA_INTERNAL_ERROR;
2405 }
2406
2407 el = ldb_msg_find_element(res->msgs[0], attr);
2408 if (el == NULL) {
2409 /* it's OK to be empty */
2410 talloc_free(tmp_ctx);
2411 return WERR_OK;
2412 }
2413
2414 *count = el->num_values;
2415 *r = talloc_array(mem_ctx, struct repsFromToBlob, *count);
2416 if (*r == NULL) {
2417 talloc_free(tmp_ctx);
2418 return WERR_DS_DRA_INTERNAL_ERROR;
2419 }
2420
2421 for (i=0; i<(*count); i++) {
2422 enum ndr_err_code ndr_err;
2423 ndr_err = ndr_pull_struct_blob(&el->values[i],
2424 mem_ctx, lp_iconv_convenience(ldb_get_opaque(sam_ctx, "loadparm")),
2425 &(*r)[i],
2426 (ndr_pull_flags_fn_t)ndr_pull_repsFromToBlob);
2427 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2428 talloc_free(tmp_ctx);
2429 return WERR_DS_DRA_INTERNAL_ERROR;
2430 }
2431 }
2432
2433 talloc_free(tmp_ctx);
2434
2435 return WERR_OK;
2436 }
2437
2438 /*
2439 save the repsFromTo blob list for a given partition GUID
2440 attr must be "repsFrom" or "repsTo"
2441 */
2442 WERROR dsdb_savereps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
2443 const char *attr, struct repsFromToBlob *r, uint32_t count)
2444 {
2445 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2446 struct ldb_message *msg;
2447 struct ldb_message_element *el;
2448 unsigned int i;
2449
2450 msg = ldb_msg_new(tmp_ctx);
2451 msg->dn = dn;
2452 if (ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_REPLACE, &el) != LDB_SUCCESS) {
2453 goto failed;
2454 }
2455
2456 el->values = talloc_array(msg, struct ldb_val, count);
2457 if (!el->values) {
2458 goto failed;
2459 }
2460
2461 for (i=0; i<count; i++) {
2462 struct ldb_val v;
2463 enum ndr_err_code ndr_err;
2464
2465 ndr_err = ndr_push_struct_blob(&v, tmp_ctx, lp_iconv_convenience(ldb_get_opaque(sam_ctx, "loadparm")),
2466 &r[i],
2467 (ndr_push_flags_fn_t)ndr_push_repsFromToBlob);
2468 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2469 goto failed;
2470 }
2471
2472 el->num_values++;
2473 el->values[i] = v;
2474 }
2475
2476 if (ldb_modify(sam_ctx, msg) != LDB_SUCCESS) {
2477 DEBUG(0,("Failed to store %s - %s\n", attr, ldb_errstring(sam_ctx)));
2478 goto failed;
2479 }
2480
2481 talloc_free(tmp_ctx);
2482
2483 return WERR_OK;
2484
2485 failed:
2486 talloc_free(tmp_ctx);
2487 return WERR_DS_DRA_INTERNAL_ERROR;
2488 }
2489
2490
2491 /*
2492 load the uSNHighest and the uSNUrgent attributes from the @REPLCHANGED
2493 object for a partition
2494 */
2495 int dsdb_load_partition_usn(struct ldb_context *ldb, struct ldb_dn *dn,
2496 uint64_t *uSN, uint64_t *urgent_uSN)
2497 {
2498 struct ldb_request *req;
2499 int ret;
2500 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
2501 struct dsdb_control_current_partition *p_ctrl;
2502 struct ldb_result *res;
2503
2504 res = talloc_zero(tmp_ctx, struct ldb_result);
2505 if (!res) {
2506 talloc_free(tmp_ctx);
2507 return LDB_ERR_OPERATIONS_ERROR;
2508 }
2509
2510 ret = ldb_build_search_req(&req, ldb, tmp_ctx,
2511 ldb_dn_new(tmp_ctx, ldb, "@REPLCHANGED"),
2512 LDB_SCOPE_BASE,
2513 NULL, NULL,
2514 NULL,
2515 res, ldb_search_default_callback,
2516 NULL);
2517 if (ret != LDB_SUCCESS) {
2518 talloc_free(tmp_ctx);
2519 return ret;
2520 }
2521
2522 p_ctrl = talloc(req, struct dsdb_control_current_partition);
2523 if (p_ctrl == NULL) {
2524 talloc_free(res);
2525 return LDB_ERR_OPERATIONS_ERROR;
2526 }
2527 p_ctrl->version = DSDB_CONTROL_CURRENT_PARTITION_VERSION;
2528 p_ctrl->dn = dn;
2529
2530
2531 ret = ldb_request_add_control(req,
2532 DSDB_CONTROL_CURRENT_PARTITION_OID,
2533 false, p_ctrl);
2534 if (ret != LDB_SUCCESS) {
2535 talloc_free(tmp_ctx);
2536 return ret;
2537 }
2538
2539 /* Run the new request */
2540 ret = ldb_request(ldb, req);
2541
2542 if (ret == LDB_SUCCESS) {
2543 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
2544 }
2545
2546 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2547 /* it hasn't been created yet, which means
2548 an implicit value of zero */
2549 *uSN = 0;
2550 talloc_free(tmp_ctx);
2551 return LDB_SUCCESS;
2552 }
2553
2554 if (ret != LDB_SUCCESS) {
2555 talloc_free(tmp_ctx);
2556 return ret;
2557 }
2558
2559 if (res->count < 1) {
2560 *uSN = 0;
2561 if (urgent_uSN) {
2562 *urgent_uSN = 0;
2563 }
2564 } else {
2565 *uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNHighest", 0);
2566 if (urgent_uSN) {
2567 *urgent_uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNUrgent", 0);
2568 }
2569 }
2570
2571 talloc_free(tmp_ctx);
2572
2573 return LDB_SUCCESS;
2574 }
2575
2576 /*
2577 save uSNHighest and uSNUrgent attributes in the @REPLCHANGED object for a
2578 partition
2579 */
2580 int dsdb_save_partition_usn(struct ldb_context *ldb, struct ldb_dn *dn,
2581 uint64_t uSN, uint64_t urgent_uSN)
2582 {
2583 struct ldb_request *req;
2584 struct ldb_message *msg;
2585 struct dsdb_control_current_partition *p_ctrl;
2586 int ret;
2587
2588 msg = ldb_msg_new(ldb);
2589 if (msg == NULL) {
2590 return LDB_ERR_OPERATIONS_ERROR;
2591 }
2592
2593 msg->dn = ldb_dn_new(msg, ldb, "@REPLCHANGED");
2594 if (msg->dn == NULL) {
2595 talloc_free(msg);
2596 return LDB_ERR_OPERATIONS_ERROR;
2597 }
2598
2599 ret = ldb_msg_add_fmt(msg, "uSNHighest", "%llu", (unsigned long long)uSN);
2600 if (ret != LDB_SUCCESS) {
2601 talloc_free(msg);
2602 return ret;
2603 }
2604 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
2605
2606 /* urgent_uSN is optional so may not be stored */
2607 if (urgent_uSN) {
2608 ret = ldb_msg_add_fmt(msg, "uSNUrgent", "%llu", (unsigned long long)urgent_uSN);
2609 if (ret != LDB_SUCCESS) {
2610 talloc_free(msg);
2611 return ret;
2612 }
2613 msg->elements[1].flags = LDB_FLAG_MOD_REPLACE;
2614 }
2615
2616
2617 p_ctrl = talloc(msg, struct dsdb_control_current_partition);
2618 if (p_ctrl == NULL) {
2619 talloc_free(msg);
2620 return LDB_ERR_OPERATIONS_ERROR;
2621 }
2622 p_ctrl->version = DSDB_CONTROL_CURRENT_PARTITION_VERSION;
2623 p_ctrl->dn = dn;
2624
2625 ret = ldb_build_mod_req(&req, ldb, msg,
2626 msg,
2627 NULL,
2628 NULL, ldb_op_default_callback,
2629 NULL);
2630 again:
2631 if (ret != LDB_SUCCESS) {
2632 talloc_free(msg);
2633 return ret;
2634 }
2635
2636 ret = ldb_request_add_control(req,
2637 DSDB_CONTROL_CURRENT_PARTITION_OID,
2638 false, p_ctrl);
2639 if (ret != LDB_SUCCESS) {
2640 talloc_free(msg);
2641 return ret;
2642 }
2643
2644 /* Run the new request */
2645 ret = ldb_request(ldb, req);
2646
2647 if (ret == LDB_SUCCESS) {
2648 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
2649 }
2650 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2651 ret = ldb_build_add_req(&req, ldb, msg,
2652 msg,
2653 NULL,
2654 NULL, ldb_op_default_callback,
2655 NULL);
2656 goto again;
2657 }
2658
2659 talloc_free(msg);
2660
2661 return ret;
2662 }
2663
2664 int drsuapi_DsReplicaCursor2_compare(const struct drsuapi_DsReplicaCursor2 *c1,
2665 const struct drsuapi_DsReplicaCursor2 *c2)
2666 {
2667 return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
2668 }
2669
2670 int drsuapi_DsReplicaCursor_compare(const struct drsuapi_DsReplicaCursor *c1,
2671 const struct drsuapi_DsReplicaCursor *c2)
2672 {
2673 return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
2674 }
2675
2676 /*
2677 see if we are a RODC
2678 */
2679 bool samdb_rodc(struct ldb_context *sam_ctx)
2680 {
2681 TALLOC_CTX *tmp_ctx;
2682 const char *obj_category;
2683 struct ldb_dn *obj_category_dn;
2684 const struct ldb_val *obj_category_dn_rdn_val;
2685
2686 tmp_ctx = talloc_new(sam_ctx);
2687 if (tmp_ctx == NULL) {
2688 DEBUG(1,("samdb_rodc: Failed to talloc new context.\n"));
2689 goto failed;
2690 }
2691
2692 obj_category = samdb_ntds_object_category(tmp_ctx, sam_ctx);
2693 if (!obj_category) {
2694 DEBUG(1,("samdb_rodc: Failed to get object category.\n"));
2695 goto failed;
2696 }
2697
2698 obj_category_dn = ldb_dn_new(tmp_ctx, sam_ctx, obj_category);
2699 if (!obj_category_dn) {
2700 DEBUG(1,("samdb_rodc: Failed to create object category dn.\n"));
2701 goto failed;
2702 }
2703
2704 obj_category_dn_rdn_val = ldb_dn_get_rdn_val(obj_category_dn);
2705 if (!obj_category_dn_rdn_val) {
2706 DEBUG(1, ("samdb_rodc: Failed to get object category dn rdn value.\n"));
2707 goto failed;
2708 }
2709
2710 if (strequal((const char*)obj_category_dn_rdn_val->data, "NTDS-DSA-RO")) {
2711 talloc_free(tmp_ctx);
2712 return true;
2713 }
2714
2715 failed:
2716 talloc_free(tmp_ctx);
2717 return false;
2718 }
2719
2720 /*
2721 return NTDS options flags. See MS-ADTS 7.1.1.2.2.1.2.1.1
2722
2723 flags are DS_NTDS_OPTION_*
2724 */
2725 int samdb_ntds_options(struct ldb_context *ldb, uint32_t *options)
2726 {
2727 TALLOC_CTX *tmp_ctx;
2728 const char *attrs[] = { "options", NULL };
2729 int ret;
2730 struct ldb_result *res;
2731
2732 tmp_ctx = talloc_new(ldb);
2733 if (tmp_ctx == NULL) {
2734 goto failed;
2735 }
2736
2737 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
2738 if (ret) {
2739 goto failed;
2740 }
2741
2742 if (res->count != 1) {
2743 goto failed;
2744 }
2745
2746 *options = samdb_result_uint(res->msgs[0], "options", 0);
2747
2748 talloc_free(tmp_ctx);
2749
2750 return LDB_SUCCESS;
2751
2752 failed:
2753 DEBUG(1,("Failed to find our own NTDS Settings options in the ldb!\n"));
2754 talloc_free(tmp_ctx);
2755 return LDB_ERR_NO_SUCH_OBJECT;
2756 }
2757
2758 const char* samdb_ntds_object_category(TALLOC_CTX *tmp_ctx, struct ldb_context *ldb)
2759 {
2760 const char *attrs[] = { "objectCategory", NULL };
2761 int ret;
2762 struct ldb_result *res;
2763
2764 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
2765 if (ret) {
2766 goto failed;
2767 }
2768
2769 if (res->count != 1) {
2770 goto failed;
2771 }
2772
2773 return samdb_result_string(res->msgs[0], "objectCategory", NULL);
2774
2775 failed:
2776 DEBUG(1,("Failed to find our own NTDS Settings objectCategory in the ldb!\n"));
2777 return NULL;
2778 }
2779
2780 /*
2781 * Function which generates a "lDAPDisplayName" attribute from a "CN" one.
2782 * Algorithm implemented according to MS-ADTS 3.1.1.2.3.4
2783 */
2784 const char *samdb_cn_to_lDAPDisplayName(TALLOC_CTX *mem_ctx, const char *cn)
2785 {
2786 char **tokens, *ret;
2787 size_t i;
2788
2789 tokens = str_list_make(mem_ctx, cn, " -_");
2790 if (tokens == NULL)
2791 return NULL;
2792
2793 /* "tolower()" and "toupper()" should also work properly on 0x00 */
2794 tokens[0][0] = tolower(tokens[0][0]);
2795 for (i = 1; i < str_list_length((const char **)tokens); i++)
2796 tokens[i][0] = toupper(tokens[i][0]);
2797
2798 ret = talloc_strdup(mem_ctx, tokens[0]);
2799 for (i = 1; i < str_list_length((const char **)tokens); i++)
2800 ret = talloc_asprintf_append_buffer(ret, "%s", tokens[i]);
2801
2802 talloc_free(tokens);
2803
2804 return ret;
2805 }
2806
2807 /*
2808 return domain functional level
2809 returns DS_DOMAIN_FUNCTION_*
2810 */
2811 int dsdb_functional_level(struct ldb_context *ldb)
2812 {
2813 int *domainFunctionality =
2814 talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int);
2815 if (!domainFunctionality) {
2816 DEBUG(0,(__location__ ": WARNING: domainFunctionality not setup\n"));
2817 return DS_DOMAIN_FUNCTION_2000;
2818 }
2819 return *domainFunctionality;
2820 }
2821
2822 /*
2823 set a GUID in an extended DN structure
2824 */
2825 int dsdb_set_extended_dn_guid(struct ldb_dn *dn, const struct GUID *guid, const char *component_name)
2826 {
2827 struct ldb_val v;
2828 NTSTATUS status;
2829 int ret;
2830
2831 status = GUID_to_ndr_blob(guid, dn, &v);
2832 if (!NT_STATUS_IS_OK(status)) {
2833 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
2834 }
2835
2836 ret = ldb_dn_set_extended_component(dn, component_name, &v);
2837 data_blob_free(&v);
2838 return ret;
2839 }
2840
2841 /*
2842 return a GUID from a extended DN structure
2843 */
2844 NTSTATUS dsdb_get_extended_dn_guid(struct ldb_dn *dn, struct GUID *guid, const char *component_name)
2845 {
2846 const struct ldb_val *v;
2847
2848 v = ldb_dn_get_extended_component(dn, component_name);
2849 if (v == NULL) {
2850 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2851 }
2852
2853 return GUID_from_ndr_blob(v, guid);
2854 }
2855
2856 /*
2857 return a uint64_t from a extended DN structure
2858 */
2859 NTSTATUS dsdb_get_extended_dn_uint64(struct ldb_dn *dn, uint64_t *val, const char *component_name)
2860 {
2861 const struct ldb_val *v;
2862 char *s;
2863
2864 v = ldb_dn_get_extended_component(dn, component_name);
2865 if (v == NULL) {
2866 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2867 }
2868 s = talloc_strndup(dn, (const char *)v->data, v->length);
2869 NT_STATUS_HAVE_NO_MEMORY(s);
2870
2871 *val = strtoull(s, NULL, 0);
2872
2873 talloc_free(s);
2874 return NT_STATUS_OK;
2875 }
2876
2877 /*
2878 return a NTTIME from a extended DN structure
2879 */
2880 NTSTATUS dsdb_get_extended_dn_nttime(struct ldb_dn *dn, NTTIME *nttime, const char *component_name)
2881 {
2882 return dsdb_get_extended_dn_uint64(dn, nttime, component_name);
2883 }
2884
2885 /*
2886 return a uint32_t from a extended DN structure
2887 */
2888 NTSTATUS dsdb_get_extended_dn_uint32(struct ldb_dn *dn, uint32_t *val, const char *component_name)
2889 {
2890 const struct ldb_val *v;
2891 char *s;
2892
2893 v = ldb_dn_get_extended_component(dn, component_name);
2894 if (v == NULL) {
2895 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2896 }
2897
2898 s = talloc_strndup(dn, (const char *)v->data, v->length);
2899 NT_STATUS_HAVE_NO_MEMORY(s);
2900
2901 *val = strtoul(s, NULL, 0);
2902
2903 talloc_free(s);
2904 return NT_STATUS_OK;
2905 }
2906
2907 /*
2908 return RMD_FLAGS directly from a ldb_dn
2909 returns 0 if not found
2910 */
2911 uint32_t dsdb_dn_rmd_flags(struct ldb_dn *dn)
2912 {
2913 const struct ldb_val *v;
2914 char buf[32];
2915 v = ldb_dn_get_extended_component(dn, "RMD_FLAGS");
2916 if (!v || v->length > sizeof(buf)-1) return 0;
2917 strncpy(buf, (const char *)v->data, v->length);
2918 buf[v->length] = 0;
2919 return strtoul(buf, NULL, 10);
2920 }
2921
2922 /*
2923 return RMD_FLAGS directly from a ldb_val for a DN
2924 returns 0 if RMD_FLAGS is not found
2925 */
2926 uint32_t dsdb_dn_val_rmd_flags(struct ldb_val *val)
2927 {
2928 const char *p;
2929 uint32_t flags;
2930 char *end;
2931
2932 if (val->length < 13) {
2933 return 0;
2934 }
2935 p = memmem(val->data, val->length-2, "<RMD_FLAGS=", 11);
2936 if (!p) {
2937 return 0;
2938 }
2939 flags = strtoul(p+11, &end, 10);
2940 if (!end || *end != '>') {
2941 /* it must end in a > */
2942 return 0;
2943 }
2944 return flags;
2945 }
2946
2947 /*
2948 return true if a ldb_val containing a DN in storage form is deleted
2949 */
2950 bool dsdb_dn_is_deleted_val(struct ldb_val *val)
2951 {
2952 return (dsdb_dn_val_rmd_flags(val) & DSDB_RMD_FLAG_DELETED) != 0;
2953 }
2954
2955 /*
2956 return true if a ldb_val containing a DN in storage form is
2957 in the upgraded w2k3 linked attribute format
2958 */
2959 bool dsdb_dn_is_upgraded_link_val(struct ldb_val *val)
2960 {
2961 return memmem(val->data, val->length, "<RMD_ADDTIME=", 13) != NULL;
2962 }
2963
2964 /*
2965 return a DN for a wellknown GUID
2966 */
2967 int dsdb_wellknown_dn(struct ldb_context *samdb, TALLOC_CTX *mem_ctx,
2968 struct ldb_dn *nc_root, const char *wk_guid,
2969 struct ldb_dn **wkguid_dn)
2970 {
2971 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2972 const char *attrs[] = { NULL };
2973 int ret;
2974 struct ldb_dn *dn;
2975 struct ldb_result *res;
2976
2977 /* construct the magic WKGUID DN */
2978 dn = ldb_dn_new_fmt(tmp_ctx, samdb, "<WKGUID=%s,%s>",
2979 wk_guid, ldb_dn_get_linearized(nc_root));
2980 if (!wkguid_dn) {
2981 talloc_free(tmp_ctx);
2982 return LDB_ERR_OPERATIONS_ERROR;
2983 }
2984
2985 ret = dsdb_search_dn(samdb, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_DELETED);
2986 if (ret != LDB_SUCCESS) {
2987 talloc_free(tmp_ctx);
2988 return ret;
2989 }
2990
2991 (*wkguid_dn) = talloc_steal(mem_ctx, res->msgs[0]->dn);
2992 talloc_free(tmp_ctx);
2993 return LDB_SUCCESS;
2994 }
2995
2996
2997 static int dsdb_dn_compare_ptrs(struct ldb_dn **dn1, struct ldb_dn **dn2)
2998 {
2999 return ldb_dn_compare(*dn1, *dn2);
3000 }
3001
3002 /*
3003 find a NC root given a DN within the NC
3004 */
3005 int dsdb_find_nc_root(struct ldb_context *samdb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
3006 struct ldb_dn **nc_root)
3007 {
3008 const char *root_attrs[] = { "namingContexts", NULL };
3009 TALLOC_CTX *tmp_ctx;
3010 int ret;
3011 struct ldb_message_element *el;
3012 struct ldb_result *root_res;
3013 int i;
3014 struct ldb_dn **nc_dns;
3015
3016 tmp_ctx = talloc_new(samdb);
3017 if (tmp_ctx == NULL) {
3018 return LDB_ERR_OPERATIONS_ERROR;
3019 }
3020
3021 ret = ldb_search(samdb, tmp_ctx, &root_res,
3022 ldb_dn_new(tmp_ctx, samdb, ""), LDB_SCOPE_BASE, root_attrs, NULL);
3023 if (ret) {
3024 DEBUG(1,("Searching for namingContexts in rootDSE failed: %s\n", ldb_errstring(samdb)));
3025 talloc_free(tmp_ctx);
3026 return ret;
3027 }
3028
3029 el = ldb_msg_find_element(root_res->msgs[0], "namingContexts");
3030 if (!el) {
3031 DEBUG(1,("Finding namingContexts element in root_res failed: %s\n",
3032 ldb_errstring(samdb)));
3033 talloc_free(tmp_ctx);
3034 return LDB_ERR_NO_SUCH_ATTRIBUTE;
3035 }
3036
3037 nc_dns = talloc_array(tmp_ctx, struct ldb_dn *, el->num_values);
3038 if (!nc_dns) {
3039 talloc_free(tmp_ctx);
3040 return LDB_ERR_OPERATIONS_ERROR;
3041 }
3042
3043 for (i=0; i<el->num_values; i++) {
3044 nc_dns[i] = ldb_dn_from_ldb_val(nc_dns, samdb, &el->values[i]);
3045 if (nc_dns[i] == NULL) {
3046 talloc_free(tmp_ctx);
3047 return LDB_ERR_OPERATIONS_ERROR;
3048 }
3049 }
3050
3051 TYPESAFE_QSORT(nc_dns, el->num_values, dsdb_dn_compare_ptrs);
3052
3053 for (i=0; i<el->num_values; i++) {
3054 if (ldb_dn_compare_base(nc_dns[i], dn) == 0) {
3055 (*nc_root) = talloc_steal(mem_ctx, nc_dns[i]);
3056 talloc_free(tmp_ctx);
3057 return LDB_SUCCESS;
3058 }
3059 }
3060
3061 talloc_free(tmp_ctx);
3062 return LDB_ERR_NO_SUCH_OBJECT;
3063 }
3064
3065
3066 /*
3067 find the deleted objects DN for any object, by looking for the NC
3068 root, then looking up the wellknown GUID
3069 */
3070 int dsdb_get_deleted_objects_dn(struct ldb_context *ldb,
3071 TALLOC_CTX *mem_ctx, struct ldb_dn *obj_dn,
3072 struct ldb_dn **do_dn)
3073 {
3074 struct ldb_dn *nc_root;
3075 int ret;
3076
3077 ret = dsdb_find_nc_root(ldb, mem_ctx, obj_dn, &nc_root);
3078 if (ret != LDB_SUCCESS) {
3079 return ret;
3080 }
3081
3082 ret = dsdb_wellknown_dn(ldb, mem_ctx, nc_root, DS_GUID_DELETED_OBJECTS_CONTAINER, do_dn);
3083 talloc_free(nc_root);
3084 return ret;
3085 }
3086
3087 /*
3088 return the tombstoneLifetime, in days
3089 */
3090 int dsdb_tombstone_lifetime(struct ldb_context *ldb, uint32_t *lifetime)
3091 {
3092 struct ldb_dn *dn;
3093 dn = samdb_config_dn(ldb);
3094 if (!dn) {
3095 return LDB_ERR_NO_SUCH_OBJECT;
3096 }
3097 dn = ldb_dn_copy(ldb, dn);
3098 if (!dn) {
3099 return LDB_ERR_OPERATIONS_ERROR;
3100 }
3101 /* see MS-ADTS section 7.1.1.2.4.1.1. There doesn't appear to
3102 be a wellknown GUID for this */
3103 if (!ldb_dn_add_child_fmt(dn, "CN=Directory Service,CN=Windows NT,CN=Services")) {
3104 talloc_free(dn);
3105 return LDB_ERR_OPERATIONS_ERROR;
3106 }
3107
3108 *lifetime = samdb_search_uint(ldb, dn, 180, dn, "tombstoneLifetime", "objectClass=nTDSService");
3109 talloc_free(dn);
3110 return LDB_SUCCESS;
3111 }
3112
3113 /*
3114 compare a ldb_val to a string case insensitively
3115 */
3116 int samdb_ldb_val_case_cmp(const char *s, struct ldb_val *v)
3117 {
3118 size_t len = strlen(s);
3119 int ret;
3120 if (len > v->length) return 1;
3121 ret = strncasecmp(s, (const char *)v->data, v->length);
3122 if (ret != 0) return ret;
3123 if (v->length > len && v->data[len] != 0) {
3124 return -1;
3125 }
3126 return 0;
3127 }
3128
3129
3130 /*
3131 load the UDV for a partition in v2 format
3132 The list is returned sorted, and with our local cursor added
3133 */
3134 int dsdb_load_udv_v2(struct ldb_context *samdb, struct ldb_dn *dn, TALLOC_CTX *mem_ctx,
3135 struct drsuapi_DsReplicaCursor2 **cursors, uint32_t *count)
3136 {
3137 static const char *attrs[] = { "replUpToDateVector", NULL };
3138 struct ldb_result *r;
3139 const struct ldb_val *ouv_value;
3140 unsigned int i;
3141 int ret;
3142 uint64_t highest_usn;
3143 const struct GUID *our_invocation_id;
3144 struct timeval now = timeval_current();
3145
3146 ret = ldb_search(samdb, mem_ctx, &r, dn, LDB_SCOPE_BASE, attrs, NULL);
3147 if (ret != LDB_SUCCESS) {
3148 return ret;
3149 }
3150
3151 ouv_value = ldb_msg_find_ldb_val(r->msgs[0], "replUpToDateVector");
3152 if (ouv_value) {
3153 enum ndr_err_code ndr_err;
3154 struct replUpToDateVectorBlob ouv;
3155
3156 ndr_err = ndr_pull_struct_blob(ouv_value, r,
3157 lp_iconv_convenience(ldb_get_opaque(samdb, "loadparm")), &ouv,
3158 (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
3159 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3160 talloc_free(r);
3161 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
3162 }
3163 if (ouv.version != 2) {
3164 /* we always store as version 2, and
3165 * replUpToDateVector is not replicated
3166 */
3167 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
3168 }
3169
3170 *count = ouv.ctr.ctr2.count;
3171 *cursors = talloc_steal(mem_ctx, ouv.ctr.ctr2.cursors);
3172 } else {
3173 *count = 0;
3174 *cursors = NULL;
3175 }
3176
3177 talloc_free(r);
3178
3179 our_invocation_id = samdb_ntds_invocation_id(samdb);
3180 if (!our_invocation_id) {
3181 DEBUG(0,(__location__ ": No invocationID on samdb - %s\n", ldb_errstring(samdb)));
3182 talloc_free(*cursors);
3183 return LDB_ERR_OPERATIONS_ERROR;
3184 }
3185
3186 ret = dsdb_load_partition_usn(samdb, dn, &highest_usn, NULL);
3187 if (ret != LDB_SUCCESS) {
3188 /* nothing to add - this can happen after a vampire */
3189 TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
3190 return LDB_SUCCESS;
3191 }
3192
3193 for (i=0; i<*count; i++) {
3194 if (GUID_equal(our_invocation_id, &(*cursors)[i].source_dsa_invocation_id)) {
3195 (*cursors)[i].highest_usn = highest_usn;
3196 (*cursors)[i].last_sync_success = timeval_to_nttime(&now);
3197 TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
3198 return LDB_SUCCESS;
3199 }
3200 }
3201
3202 (*cursors) = talloc_realloc(mem_ctx, *cursors, struct drsuapi_DsReplicaCursor2, (*count)+1);
3203 if (! *cursors) {
3204 return LDB_ERR_OPERATIONS_ERROR;
3205 }
3206
3207 (*cursors)[*count].source_dsa_invocation_id = *our_invocation_id;
3208 (*cursors)[*count].highest_usn = highest_usn;
3209 (*cursors)[*count].last_sync_success = timeval_to_nttime(&now);
3210 (*count)++;
3211
3212 TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
3213
3214 return LDB_SUCCESS;
3215 }
3216
3217 /*
3218 load the UDV for a partition in version 1 format
3219 The list is returned sorted, and with our local cursor added
3220 */
3221 int dsdb_load_udv_v1(struct ldb_context *samdb, struct ldb_dn *dn, TALLOC_CTX *mem_ctx,
3222 struct drsuapi_DsReplicaCursor **cursors, uint32_t *count)
3223 {
3224 struct drsuapi_DsReplicaCursor2 *v2;
3225 unsigned int i;
3226 int ret;
3227
3228 ret = dsdb_load_udv_v2(samdb, dn, mem_ctx, &v2, count);
3229 if (ret != LDB_SUCCESS) {
3230 return ret;
3231 }
3232
3233 if (*count == 0) {
3234 talloc_free(v2);
3235 *cursors = NULL;
3236 return LDB_SUCCESS;
3237 }
3238
3239 *cursors = talloc_array(mem_ctx, struct drsuapi_DsReplicaCursor, *count);
3240 if (*cursors == NULL) {
3241 talloc_free(v2);
3242 return LDB_ERR_OPERATIONS_ERROR;
3243 }
3244
3245 for (i=0; i<*count; i++) {
3246 (*cursors)[i].source_dsa_invocation_id = v2[i].source_dsa_invocation_id;
3247 (*cursors)[i].highest_usn = v2[i].highest_usn;
3248 }
3249 talloc_free(v2);
3250 return LDB_SUCCESS;
3251 }
3252
3253 /*
3254 add a set of controls to a ldb_request structure based on a set of
3255 flags. See util.h for a list of available flags
3256 */
3257 int dsdb_request_add_controls(struct ldb_request *req, uint32_t dsdb_flags)
3258 {
3259 int ret;
3260 if (dsdb_flags & DSDB_SEARCH_SEARCH_ALL_PARTITIONS) {
3261 struct ldb_search_options_control *options;
3262 /* Using the phantom root control allows us to search all partitions */
3263 options = talloc(req, struct ldb_search_options_control);
3264 if (options == NULL) {
3265 return LDB_ERR_OPERATIONS_ERROR;
3266 }
3267 options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
3268
3269 ret = ldb_request_add_control(req,
3270 LDB_CONTROL_SEARCH_OPTIONS_OID,
3271 true, options);
3272 if (ret != LDB_SUCCESS) {
3273 return ret;
3274 }
3275 }
3276
3277 if (dsdb_flags & DSDB_SEARCH_SHOW_DELETED) {
3278 ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_DELETED_OID, true, NULL);
3279 if (ret != LDB_SUCCESS) {
3280 return ret;
3281 }
3282 }
3283
3284 if (dsdb_flags & DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT) {
3285 ret = ldb_request_add_control(req, DSDB_CONTROL_DN_STORAGE_FORMAT_OID, true, NULL);
3286 if (ret != LDB_SUCCESS) {
3287 return ret;
3288 }
3289 }
3290
3291 if (dsdb_flags & DSDB_SEARCH_SHOW_EXTENDED_DN) {
3292 struct ldb_extended_dn_control *extended_ctrl = talloc(req, struct ldb_extended_dn_control);
3293 if (!extended_ctrl) {
3294 return LDB_ERR_OPERATIONS_ERROR;
3295 }
3296 extended_ctrl->type = 1;
3297
3298 ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, extended_ctrl);
3299 if (ret != LDB_SUCCESS) {
3300 return ret;
3301 }
3302 }
3303
3304 if (dsdb_flags & DSDB_SEARCH_REVEAL_INTERNALS) {
3305 ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
3306 if (ret != LDB_SUCCESS) {
3307 return ret;
3308 }
3309 }
3310
3311 if (dsdb_flags & DSDB_MODIFY_RELAX) {
3312 ret = ldb_request_add_control(req, LDB_CONTROL_RELAX_OID, false, NULL);
3313 if (ret != LDB_SUCCESS) {
3314 return ret;
3315 }
3316 }
3317
3318 if (dsdb_flags & DSDB_MODIFY_PERMISSIVE) {
3319 ret = ldb_request_add_control(req, LDB_CONTROL_PERMISSIVE_MODIFY_OID, false, NULL);
3320 if (ret != LDB_SUCCESS) {
3321 return ret;
3322 }
3323 }
3324
3325 if (dsdb_flags & DSDB_FLAG_AS_SYSTEM) {
3326 ret = ldb_request_add_control(req, LDB_CONTROL_AS_SYSTEM_OID, false, NULL);
3327 if (ret != LDB_SUCCESS) {
3328 return ret;
3329 }
3330 }
3331
3332 return LDB_SUCCESS;
3333 }
3334
3335 /*
3336 a modify with a set of controls
3337 */
3338 int dsdb_modify(struct ldb_context *ldb, const struct ldb_message *message,
3339 uint32_t dsdb_flags)
3340 {
3341 struct ldb_request *req;
3342 int ret;
3343
3344 ret = ldb_build_mod_req(&req, ldb, ldb,
3345 message,
3346 NULL,
3347 NULL,
3348 ldb_op_default_callback,
3349 NULL);
3350
3351 if (ret != LDB_SUCCESS) return ret;
3352
3353 ret = dsdb_request_add_controls(req, dsdb_flags);
3354 if (ret != LDB_SUCCESS) {
3355 talloc_free(req);
3356 return ret;
3357 }
3358
3359 ret = dsdb_autotransaction_request(ldb, req);
3360
3361 talloc_free(req);
3362 return ret;
3363 }
3364
3365 /*
3366 like dsdb_modify() but set all the element flags to
3367 LDB_FLAG_MOD_REPLACE
3368 */
3369 int dsdb_replace(struct ldb_context *ldb, struct ldb_message *msg, uint32_t dsdb_flags)
3370 {
3371 unsigned int i;
3372
3373 /* mark all the message elements as LDB_FLAG_MOD_REPLACE */
3374 for (i=0;i<msg->num_elements;i++) {
3375 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
3376 }
3377
3378 return dsdb_modify(ldb, msg, dsdb_flags);
3379 }
3380
3381
3382 /*
3383 search for attrs on one DN, allowing for dsdb_flags controls
3384 */
3385 int dsdb_search_dn(struct ldb_context *ldb,
3386 TALLOC_CTX *mem_ctx,
3387 struct ldb_result **_res,
3388 struct ldb_dn *basedn,
3389 const char * const *attrs,
3390 uint32_t dsdb_flags)
3391 {
3392 int ret;
3393 struct ldb_request *req;
3394 struct ldb_result *res;
3395
3396 res = talloc_zero(mem_ctx, struct ldb_result);
3397 if (!res) {
3398 return LDB_ERR_OPERATIONS_ERROR;
3399 }
3400
3401 ret = ldb_build_search_req(&req, ldb, res,
3402 basedn,
3403 LDB_SCOPE_BASE,
3404 NULL,
3405 attrs,
3406 NULL,
3407 res,
3408 ldb_search_default_callback,
3409 NULL);
3410 if (ret != LDB_SUCCESS) {
3411 talloc_free(res);
3412 return ret;
3413 }
3414
3415 ret = dsdb_request_add_controls(req, dsdb_flags);
3416 if (ret != LDB_SUCCESS) {
3417 talloc_free(res);
3418 return ret;
3419 }
3420
3421 ret = ldb_request(ldb, req);
3422 if (ret == LDB_SUCCESS) {
3423 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
3424 }
3425
3426 talloc_free(req);
3427 if (ret != LDB_SUCCESS) {
3428 talloc_free(res);
3429 return ret;
3430 }
3431
3432 *_res = res;
3433 return LDB_SUCCESS;
3434 }
3435
3436 /*
3437 general search with dsdb_flags for controls
3438 */
3439 int dsdb_search(struct ldb_context *ldb,
3440 TALLOC_CTX *mem_ctx,
3441 struct ldb_result **_res,
3442 struct ldb_dn *basedn,
3443 enum ldb_scope scope,
3444 const char * const *attrs,
3445 uint32_t dsdb_flags,
3446 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(8, 9)
3447 {
3448 int ret;
3449 struct ldb_request *req;
3450 struct ldb_result *res;
3451 va_list ap;
3452 char *expression = NULL;
3453 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3454
3455 res = talloc_zero(tmp_ctx, struct ldb_result);
3456 if (!res) {
3457 talloc_free(tmp_ctx);
3458 return LDB_ERR_OPERATIONS_ERROR;
3459 }
3460
3461 if (exp_fmt) {
3462 va_start(ap, exp_fmt);
3463 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
3464 va_end(ap);
3465
3466 if (!expression) {
3467 talloc_free(tmp_ctx);
3468 return LDB_ERR_OPERATIONS_ERROR;
3469 }
3470 }
3471
3472 ret = ldb_build_search_req(&req, ldb, tmp_ctx,
3473 basedn,
3474 scope,
3475 expression,
3476 attrs,
3477 NULL,
3478 res,
3479 ldb_search_default_callback,
3480 NULL);
3481 if (ret != LDB_SUCCESS) {
3482 talloc_free(tmp_ctx);
3483 return ret;
3484 }
3485
3486 ret = dsdb_request_add_controls(req, dsdb_flags);
3487 if (ret != LDB_SUCCESS) {
3488 talloc_free(tmp_ctx);
3489 return ret;
3490 }
3491
3492 ret = ldb_request(ldb, req);
3493 if (ret == LDB_SUCCESS) {
3494 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
3495 }
3496
3497 if (ret != LDB_SUCCESS) {
3498 talloc_free(tmp_ctx);
3499 return ret;
3500 }
3501
3502 if (dsdb_flags & DSDB_SEARCH_ONE_ONLY) {
3503 if (res->count == 0) {
3504 talloc_free(tmp_ctx);
3505 return LDB_ERR_NO_SUCH_OBJECT;
3506 }
3507 if (res->count != 1) {
3508 talloc_free(tmp_ctx);
3509 return LDB_ERR_CONSTRAINT_VIOLATION;
3510 }
3511 }
3512
3513 *_res = talloc_steal(mem_ctx, res);
3514 talloc_free(tmp_ctx);
3515
3516 return LDB_SUCCESS;
3517 }
3518
3519
3520 /*
3521 general search with dsdb_flags for controls
3522 returns exactly 1 record or an error
3523 */
3524 int dsdb_search_one(struct ldb_context *ldb,
3525 TALLOC_CTX *mem_ctx,
3526 struct ldb_message **msg,
3527 struct ldb_dn *basedn,
3528 enum ldb_scope scope,
3529 const char * const *attrs,
3530 uint32_t dsdb_flags,
3531 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(8, 9)
3532 {
3533 int ret;
3534 struct ldb_result *res;
3535 va_list ap;
3536 char *expression = NULL;
3537 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3538
3539 dsdb_flags |= DSDB_SEARCH_ONE_ONLY;
3540
3541 res = talloc_zero(tmp_ctx, struct ldb_result);
3542 if (!res) {
3543 talloc_free(tmp_ctx);
3544 return LDB_ERR_OPERATIONS_ERROR;
3545 }
3546
3547 if (exp_fmt) {
3548 va_start(ap, exp_fmt);
3549 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
3550 va_end(ap);
3551
3552 if (!expression) {
3553 talloc_free(tmp_ctx);
3554 return LDB_ERR_OPERATIONS_ERROR;
3555 }
3556 }
3557
3558 ret = dsdb_search(ldb, tmp_ctx, &res, basedn, scope, attrs,
3559 dsdb_flags, "%s", expression);
3560 if (ret != LDB_SUCCESS) {
3561 talloc_free(tmp_ctx);
3562 return ret;
3563 }
3564
3565 *msg = talloc_steal(mem_ctx, res->msgs[0]);
3566 talloc_free(tmp_ctx);
3567
3568 return LDB_SUCCESS;
3569 }