search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: Remove a call to procid_self()
[Samba/gebeck_regimport.git] / source4 / dsdb / common / util.c
blob086f2a5a1cec616cb3b2989b86e47ad0af151143
1 /*
2 Unix SMB/CIFS implementation.
3 Samba utility functions
4
5 Copyright (C) Andrew Tridgell 2004
6 Copyright (C) Volker Lendecke 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
8 Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "events/events.h"
26 #include "ldb.h"
27 #include "ldb_module.h"
28 #include "ldb_errors.h"
29 #include "../lib/util/util_ldb.h"
30 #include "../lib/crypto/crypto.h"
31 #include "dsdb/samdb/samdb.h"
32 #include "libcli/security/security.h"
33 #include "librpc/gen_ndr/ndr_security.h"
34 #include "librpc/gen_ndr/ndr_misc.h"
35 #include "../libds/common/flags.h"
36 #include "dsdb/common/proto.h"
37 #include "libcli/ldap/ldap_ndr.h"
38 #include "param/param.h"
39 #include "libcli/auth/libcli_auth.h"
40 #include "librpc/gen_ndr/ndr_drsblobs.h"
41 #include "system/locale.h"
42 #include "lib/util/tsort.h"
43 #include "dsdb/common/util.h"
44 #include "lib/socket/socket.h"
45 #include "librpc/gen_ndr/irpc.h"
46 #include "libds/common/flag_mapping.h"
47
48 /*
49 search the sam for the specified attributes in a specific domain, filter on
50 objectSid being in domain_sid.
51 */
52 int samdb_search_domain(struct ldb_context *sam_ldb,
53 TALLOC_CTX *mem_ctx,
54 struct ldb_dn *basedn,
55 struct ldb_message ***res,
56 const char * const *attrs,
57 const struct dom_sid *domain_sid,
58 const char *format, ...) _PRINTF_ATTRIBUTE(7,8)
59 {
60 va_list ap;
61 int i, count;
62
63 va_start(ap, format);
64 count = gendb_search_v(sam_ldb, mem_ctx, basedn,
65 res, attrs, format, ap);
66 va_end(ap);
67
68 i=0;
69
70 while (i<count) {
71 struct dom_sid *entry_sid;
72
73 entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i], "objectSid");
74
75 if ((entry_sid == NULL) ||
76 (!dom_sid_in_domain(domain_sid, entry_sid))) {
77 /* Delete that entry from the result set */
78 (*res)[i] = (*res)[count-1];
79 count -= 1;
80 talloc_free(entry_sid);
81 continue;
82 }
83 talloc_free(entry_sid);
84 i += 1;
85 }
86
87 return count;
88 }
89
90 /*
91 search the sam for a single string attribute in exactly 1 record
92 */
93 const char *samdb_search_string_v(struct ldb_context *sam_ldb,
94 TALLOC_CTX *mem_ctx,
95 struct ldb_dn *basedn,
96 const char *attr_name,
97 const char *format, va_list ap) _PRINTF_ATTRIBUTE(5,0)
98 {
99 int count;
100 const char *attrs[2] = { NULL, NULL };
101 struct ldb_message **res = NULL;
102
103 attrs[0] = attr_name;
104
105 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
106 if (count > 1) {
107 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
108 attr_name, format, count));
109 }
110 if (count != 1) {
111 talloc_free(res);
112 return NULL;
113 }
114
115 return ldb_msg_find_attr_as_string(res[0], attr_name, NULL);
116 }
117
118 /*
119 search the sam for a single string attribute in exactly 1 record
120 */
121 const char *samdb_search_string(struct ldb_context *sam_ldb,
122 TALLOC_CTX *mem_ctx,
123 struct ldb_dn *basedn,
124 const char *attr_name,
125 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
126 {
127 va_list ap;
128 const char *str;
129
130 va_start(ap, format);
131 str = samdb_search_string_v(sam_ldb, mem_ctx, basedn, attr_name, format, ap);
132 va_end(ap);
133
134 return str;
135 }
136
137 struct ldb_dn *samdb_search_dn(struct ldb_context *sam_ldb,
138 TALLOC_CTX *mem_ctx,
139 struct ldb_dn *basedn,
140 const char *format, ...) _PRINTF_ATTRIBUTE(4,5)
141 {
142 va_list ap;
143 struct ldb_dn *ret;
144 struct ldb_message **res = NULL;
145 int count;
146
147 va_start(ap, format);
148 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, NULL, format, ap);
149 va_end(ap);
150
151 if (count != 1) return NULL;
152
153 ret = talloc_steal(mem_ctx, res[0]->dn);
154 talloc_free(res);
155
156 return ret;
157 }
158
159 /*
160 search the sam for a dom_sid attribute in exactly 1 record
161 */
162 struct dom_sid *samdb_search_dom_sid(struct ldb_context *sam_ldb,
163 TALLOC_CTX *mem_ctx,
164 struct ldb_dn *basedn,
165 const char *attr_name,
166 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
167 {
168 va_list ap;
169 int count;
170 struct ldb_message **res;
171 const char *attrs[2] = { NULL, NULL };
172 struct dom_sid *sid;
173
174 attrs[0] = attr_name;
175
176 va_start(ap, format);
177 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
178 va_end(ap);
179 if (count > 1) {
180 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
181 attr_name, format, count));
182 }
183 if (count != 1) {
184 talloc_free(res);
185 return NULL;
186 }
187 sid = samdb_result_dom_sid(mem_ctx, res[0], attr_name);
188 talloc_free(res);
189 return sid;
190 }
191
192 /*
193 return the count of the number of records in the sam matching the query
194 */
195 int samdb_search_count(struct ldb_context *sam_ldb,
196 TALLOC_CTX *mem_ctx,
197 struct ldb_dn *basedn,
198 const char *format, ...) _PRINTF_ATTRIBUTE(4,5)
199 {
200 va_list ap;
201 const char *attrs[] = { NULL };
202 int ret;
203
204 va_start(ap, format);
205 ret = gendb_search_v(sam_ldb, mem_ctx, basedn, NULL, attrs, format, ap);
206 va_end(ap);
207
208 return ret;
209 }
210
211
212 /*
213 search the sam for a single integer attribute in exactly 1 record
214 */
215 unsigned int samdb_search_uint(struct ldb_context *sam_ldb,
216 TALLOC_CTX *mem_ctx,
217 unsigned int default_value,
218 struct ldb_dn *basedn,
219 const char *attr_name,
220 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
221 {
222 va_list ap;
223 int count;
224 struct ldb_message **res;
225 const char *attrs[2] = { NULL, NULL };
226
227 attrs[0] = attr_name;
228
229 va_start(ap, format);
230 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
231 va_end(ap);
232
233 if (count != 1) {
234 return default_value;
235 }
236
237 return ldb_msg_find_attr_as_uint(res[0], attr_name, default_value);
238 }
239
240 /*
241 search the sam for a single signed 64 bit integer attribute in exactly 1 record
242 */
243 int64_t samdb_search_int64(struct ldb_context *sam_ldb,
244 TALLOC_CTX *mem_ctx,
245 int64_t default_value,
246 struct ldb_dn *basedn,
247 const char *attr_name,
248 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
249 {
250 va_list ap;
251 int count;
252 struct ldb_message **res;
253 const char *attrs[2] = { NULL, NULL };
254
255 attrs[0] = attr_name;
256
257 va_start(ap, format);
258 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
259 va_end(ap);
260
261 if (count != 1) {
262 return default_value;
263 }
264
265 return ldb_msg_find_attr_as_int64(res[0], attr_name, default_value);
266 }
267
268 /*
269 search the sam for multipe records each giving a single string attribute
270 return the number of matches, or -1 on error
271 */
272 int samdb_search_string_multiple(struct ldb_context *sam_ldb,
273 TALLOC_CTX *mem_ctx,
274 struct ldb_dn *basedn,
275 const char ***strs,
276 const char *attr_name,
277 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
278 {
279 va_list ap;
280 int count, i;
281 const char *attrs[2] = { NULL, NULL };
282 struct ldb_message **res = NULL;
283
284 attrs[0] = attr_name;
285
286 va_start(ap, format);
287 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
288 va_end(ap);
289
290 if (count <= 0) {
291 return count;
292 }
293
294 /* make sure its single valued */
295 for (i=0;i<count;i++) {
296 if (res[i]->num_elements != 1) {
297 DEBUG(1,("samdb: search for %s %s not single valued\n",
298 attr_name, format));
299 talloc_free(res);
300 return -1;
301 }
302 }
303
304 *strs = talloc_array(mem_ctx, const char *, count+1);
305 if (! *strs) {
306 talloc_free(res);
307 return -1;
308 }
309
310 for (i=0;i<count;i++) {
311 (*strs)[i] = ldb_msg_find_attr_as_string(res[i], attr_name, NULL);
312 }
313 (*strs)[count] = NULL;
314
315 return count;
316 }
317
318 struct ldb_dn *samdb_result_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
319 const char *attr, struct ldb_dn *default_value)
320 {
321 struct ldb_dn *ret_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, msg, attr);
322 if (!ret_dn) {
323 return default_value;
324 }
325 return ret_dn;
326 }
327
328 /*
329 pull a rid from a objectSid in a result set.
330 */
331 uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
332 const char *attr, uint32_t default_value)
333 {
334 struct dom_sid *sid;
335 uint32_t rid;
336
337 sid = samdb_result_dom_sid(mem_ctx, msg, attr);
338 if (sid == NULL) {
339 return default_value;
340 }
341 rid = sid->sub_auths[sid->num_auths-1];
342 talloc_free(sid);
343 return rid;
344 }
345
346 /*
347 pull a dom_sid structure from a objectSid in a result set.
348 */
349 struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
350 const char *attr)
351 {
352 bool ok;
353 const struct ldb_val *v;
354 struct dom_sid *sid;
355 v = ldb_msg_find_ldb_val(msg, attr);
356 if (v == NULL) {
357 return NULL;
358 }
359 sid = talloc(mem_ctx, struct dom_sid);
360 if (sid == NULL) {
361 return NULL;
362 }
363 ok = sid_blob_parse(*v, sid);
364 if (!ok) {
365 talloc_free(sid);
366 return NULL;
367 }
368 return sid;
369 }
370
371 /*
372 pull a guid structure from a objectGUID in a result set.
373 */
374 struct GUID samdb_result_guid(const struct ldb_message *msg, const char *attr)
375 {
376 const struct ldb_val *v;
377 struct GUID guid;
378 NTSTATUS status;
379
380 v = ldb_msg_find_ldb_val(msg, attr);
381 if (!v) return GUID_zero();
382
383 status = GUID_from_ndr_blob(v, &guid);
384 if (!NT_STATUS_IS_OK(status)) {
385 return GUID_zero();
386 }
387
388 return guid;
389 }
390
391 /*
392 pull a sid prefix from a objectSid in a result set.
393 this is used to find the domain sid for a user
394 */
395 struct dom_sid *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
396 const char *attr)
397 {
398 struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg, attr);
399 if (!sid || sid->num_auths < 1) return NULL;
400 sid->num_auths--;
401 return sid;
402 }
403
404 /*
405 pull a NTTIME in a result set.
406 */
407 NTTIME samdb_result_nttime(const struct ldb_message *msg, const char *attr,
408 NTTIME default_value)
409 {
410 return ldb_msg_find_attr_as_uint64(msg, attr, default_value);
411 }
412
413 /*
414 * Windows stores 0 for lastLogoff.
415 * But when a MS DC return the lastLogoff (as Logoff Time)
416 * it returns 0x7FFFFFFFFFFFFFFF, not returning this value in this case
417 * cause windows 2008 and newer version to fail for SMB requests
418 */
419 NTTIME samdb_result_last_logoff(const struct ldb_message *msg)
420 {
421 NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "lastLogoff",0);
422
423 if (ret == 0)
424 ret = 0x7FFFFFFFFFFFFFFFULL;
425
426 return ret;
427 }
428
429 /*
430 * Windows uses both 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFFULL) to
431 * indicate an account doesn't expire.
432 *
433 * When Windows initially creates an account, it sets
434 * accountExpires = 9223372036854775807 (0x7FFFFFFFFFFFFFFF). However,
435 * when changing from an account having a specific expiration date to
436 * that account never expiring, it sets accountExpires = 0.
437 *
438 * Consolidate that logic here to allow clearer logic for account expiry in
439 * the rest of the code.
440 */
441 NTTIME samdb_result_account_expires(const struct ldb_message *msg)
442 {
443 NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "accountExpires",
444 0);
445
446 if (ret == 0)
447 ret = 0x7FFFFFFFFFFFFFFFULL;
448
449 return ret;
450 }
451
452 /*
453 construct the allow_password_change field from the PwdLastSet attribute and the
454 domain password settings
455 */
456 NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb,
457 TALLOC_CTX *mem_ctx,
458 struct ldb_dn *domain_dn,
459 struct ldb_message *msg,
460 const char *attr)
461 {
462 uint64_t attr_time = ldb_msg_find_attr_as_uint64(msg, attr, 0);
463 int64_t minPwdAge;
464
465 if (attr_time == 0) {
466 return 0;
467 }
468
469 minPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, "minPwdAge", NULL);
470
471 /* yes, this is a -= not a += as minPwdAge is stored as the negative
472 of the number of 100-nano-seconds */
473 attr_time -= minPwdAge;
474
475 return attr_time;
476 }
477
478 /*
479 construct the force_password_change field from the PwdLastSet
480 attribute, the userAccountControl and the domain password settings
481 */
482 NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
483 TALLOC_CTX *mem_ctx,
484 struct ldb_dn *domain_dn,
485 struct ldb_message *msg)
486 {
487 int64_t attr_time = ldb_msg_find_attr_as_int64(msg, "pwdLastSet", 0);
488 uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg,
489 "userAccountControl",
490 0);
491 int64_t maxPwdAge;
492
493 /* Machine accounts don't expire, and there is a flag for 'no expiry' */
494 if (!(userAccountControl & UF_NORMAL_ACCOUNT)
495 || (userAccountControl & UF_DONT_EXPIRE_PASSWD)) {
496 return 0x7FFFFFFFFFFFFFFFULL;
497 }
498
499 if (attr_time == 0) {
500 return 0;
501 }
502 if (attr_time == -1) {
503 return 0x7FFFFFFFFFFFFFFFULL;
504 }
505
506 maxPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn,
507 "maxPwdAge", NULL);
508 if (maxPwdAge == 0 || maxPwdAge == -0x8000000000000000ULL) {
509 return 0x7FFFFFFFFFFFFFFFULL;
510 } else {
511 attr_time -= maxPwdAge;
512 }
513
514 return attr_time;
515 }
516
517 /*
518 pull a samr_Password structutre from a result set.
519 */
520 struct samr_Password *samdb_result_hash(TALLOC_CTX *mem_ctx, const struct ldb_message *msg, const char *attr)
521 {
522 struct samr_Password *hash = NULL;
523 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
524 if (val && (val->length >= sizeof(hash->hash))) {
525 hash = talloc(mem_ctx, struct samr_Password);
526 memcpy(hash->hash, val->data, MIN(val->length, sizeof(hash->hash)));
527 }
528 return hash;
529 }
530
531 /*
532 pull an array of samr_Password structures from a result set.
533 */
534 unsigned int samdb_result_hashes(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
535 const char *attr, struct samr_Password **hashes)
536 {
537 unsigned int count, i;
538 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
539
540 *hashes = NULL;
541 if (!val) {
542 return 0;
543 }
544 count = val->length / 16;
545 if (count == 0) {
546 return 0;
547 }
548
549 *hashes = talloc_array(mem_ctx, struct samr_Password, count);
550 if (! *hashes) {
551 return 0;
552 }
553
554 for (i=0;i<count;i++) {
555 memcpy((*hashes)[i].hash, (i*16)+(char *)val->data, 16);
556 }
557
558 return count;
559 }
560
561 NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct ldb_message *msg,
562 struct samr_Password **lm_pwd, struct samr_Password **nt_pwd)
563 {
564 struct samr_Password *lmPwdHash, *ntPwdHash;
565 if (nt_pwd) {
566 unsigned int num_nt;
567 num_nt = samdb_result_hashes(mem_ctx, msg, "unicodePwd", &ntPwdHash);
568 if (num_nt == 0) {
569 *nt_pwd = NULL;
570 } else if (num_nt > 1) {
571 return NT_STATUS_INTERNAL_DB_CORRUPTION;
572 } else {
573 *nt_pwd = &ntPwdHash[0];
574 }
575 }
576 if (lm_pwd) {
577 /* Ensure that if we have turned off LM
578 * authentication, that we never use the LM hash, even
579 * if we store it */
580 if (lpcfg_lanman_auth(lp_ctx)) {
581 unsigned int num_lm;
582 num_lm = samdb_result_hashes(mem_ctx, msg, "dBCSPwd", &lmPwdHash);
583 if (num_lm == 0) {
584 *lm_pwd = NULL;
585 } else if (num_lm > 1) {
586 return NT_STATUS_INTERNAL_DB_CORRUPTION;
587 } else {
588 *lm_pwd = &lmPwdHash[0];
589 }
590 } else {
591 *lm_pwd = NULL;
592 }
593 }
594 return NT_STATUS_OK;
595 }
596
597 /*
598 pull a samr_LogonHours structutre from a result set.
599 */
600 struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr)
601 {
602 struct samr_LogonHours hours;
603 size_t units_per_week = 168;
604 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
605
606 ZERO_STRUCT(hours);
607
608 if (val) {
609 units_per_week = val->length * 8;
610 }
611
612 hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week/8);
613 if (!hours.bits) {
614 return hours;
615 }
616 hours.units_per_week = units_per_week;
617 memset(hours.bits, 0xFF, units_per_week/8);
618 if (val) {
619 memcpy(hours.bits, val->data, val->length);
620 }
621
622 return hours;
623 }
624
625 /*
626 pull a set of account_flags from a result set.
627
628 This requires that the attributes:
629 pwdLastSet
630 userAccountControl
631 be included in 'msg'
632 */
633 uint32_t samdb_result_acct_flags(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
634 struct ldb_message *msg, struct ldb_dn *domain_dn)
635 {
636 uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
637 uint32_t acct_flags = ds_uf2acb(userAccountControl);
638 NTTIME must_change_time;
639 NTTIME now;
640
641 must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
642 domain_dn, msg);
643
644 /* Test account expire time */
645 unix_to_nt_time(&now, time(NULL));
646 /* check for expired password */
647 if (must_change_time < now) {
648 acct_flags |= ACB_PW_EXPIRED;
649 }
650 return acct_flags;
651 }
652
653 struct lsa_BinaryString samdb_result_parameters(TALLOC_CTX *mem_ctx,
654 struct ldb_message *msg,
655 const char *attr)
656 {
657 struct lsa_BinaryString s;
658 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
659
660 ZERO_STRUCT(s);
661
662 if (!val) {
663 return s;
664 }
665
666 s.array = talloc_array(mem_ctx, uint16_t, val->length/2);
667 if (!s.array) {
668 return s;
669 }
670 s.length = s.size = val->length;
671 memcpy(s.array, val->data, val->length);
672
673 return s;
674 }
675
676 /* Find an attribute, with a particular value */
677
678 /* The current callers of this function expect a very specific
679 * behaviour: In particular, objectClass subclass equivilance is not
680 * wanted. This means that we should not lookup the schema for the
681 * comparison function */
682 struct ldb_message_element *samdb_find_attribute(struct ldb_context *ldb,
683 const struct ldb_message *msg,
684 const char *name, const char *value)
685 {
686 unsigned int i;
687 struct ldb_message_element *el = ldb_msg_find_element(msg, name);
688
689 if (!el) {
690 return NULL;
691 }
692
693 for (i=0;i<el->num_values;i++) {
694 if (ldb_attr_cmp(value, (char *)el->values[i].data) == 0) {
695 return el;
696 }
697 }
698
699 return NULL;
700 }
701
702 int samdb_find_or_add_attribute(struct ldb_context *ldb, struct ldb_message *msg, const char *name, const char *set_value)
703 {
704 struct ldb_message_element *el;
705
706 el = ldb_msg_find_element(msg, name);
707 if (el) {
708 return LDB_SUCCESS;
709 }
710
711 return ldb_msg_add_string(msg, name, set_value);
712 }
713
714 /*
715 add a dom_sid element to a message
716 */
717 int samdb_msg_add_dom_sid(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
718 const char *attr_name, const struct dom_sid *sid)
719 {
720 struct ldb_val v;
721 enum ndr_err_code ndr_err;
722
723 ndr_err = ndr_push_struct_blob(&v, mem_ctx,
724 sid,
725 (ndr_push_flags_fn_t)ndr_push_dom_sid);
726 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
727 return ldb_operr(sam_ldb);
728 }
729 return ldb_msg_add_value(msg, attr_name, &v, NULL);
730 }
731
732
733 /*
734 add a delete element operation to a message
735 */
736 int samdb_msg_add_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
737 const char *attr_name)
738 {
739 /* we use an empty replace rather than a delete, as it allows for
740 dsdb_replace() to be used everywhere */
741 return ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_REPLACE, NULL);
742 }
743
744 /*
745 add an add attribute value to a message or enhance an existing attribute
746 which has the same name and the add flag set.
747 */
748 int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
749 struct ldb_message *msg, const char *attr_name,
750 const char *value)
751 {
752 struct ldb_message_element *el;
753 struct ldb_val val, *vals;
754 char *v;
755 unsigned int i;
756 bool found = false;
757 int ret;
758
759 v = talloc_strdup(mem_ctx, value);
760 if (v == NULL) {
761 return ldb_oom(sam_ldb);
762 }
763
764 val.data = (uint8_t *) v;
765 val.length = strlen(v);
766
767 if (val.length == 0) {
768 /* allow empty strings as non-existent attributes */
769 return LDB_SUCCESS;
770 }
771
772 for (i = 0; i < msg->num_elements; i++) {
773 el = &msg->elements[i];
774 if ((ldb_attr_cmp(el->name, attr_name) == 0) &&
775 (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_ADD)) {
776 found = true;
777 break;
778 }
779 }
780 if (!found) {
781 ret = ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_ADD,
782 &el);
783 if (ret != LDB_SUCCESS) {
784 return ret;
785 }
786 }
787
788 vals = talloc_realloc(msg->elements, el->values, struct ldb_val,
789 el->num_values + 1);
790 if (vals == NULL) {
791 return ldb_oom(sam_ldb);
792 }
793 el->values = vals;
794 el->values[el->num_values] = val;
795 ++(el->num_values);
796
797 return LDB_SUCCESS;
798 }
799
800 /*
801 add a delete attribute value to a message or enhance an existing attribute
802 which has the same name and the delete flag set.
803 */
804 int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
805 struct ldb_message *msg, const char *attr_name,
806 const char *value)
807 {
808 struct ldb_message_element *el;
809 struct ldb_val val, *vals;
810 char *v;
811 unsigned int i;
812 bool found = false;
813 int ret;
814
815 v = talloc_strdup(mem_ctx, value);
816 if (v == NULL) {
817 return ldb_oom(sam_ldb);
818 }
819
820 val.data = (uint8_t *) v;
821 val.length = strlen(v);
822
823 if (val.length == 0) {
824 /* allow empty strings as non-existent attributes */
825 return LDB_SUCCESS;
826 }
827
828 for (i = 0; i < msg->num_elements; i++) {
829 el = &msg->elements[i];
830 if ((ldb_attr_cmp(el->name, attr_name) == 0) &&
831 (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE)) {
832 found = true;
833 break;
834 }
835 }
836 if (!found) {
837 ret = ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_DELETE,
838 &el);
839 if (ret != LDB_SUCCESS) {
840 return ret;
841 }
842 }
843
844 vals = talloc_realloc(msg->elements, el->values, struct ldb_val,
845 el->num_values + 1);
846 if (vals == NULL) {
847 return ldb_oom(sam_ldb);
848 }
849 el->values = vals;
850 el->values[el->num_values] = val;
851 ++(el->num_values);
852
853 return LDB_SUCCESS;
854 }
855
856 /*
857 add a int element to a message
858 */
859 int samdb_msg_add_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
860 const char *attr_name, int v)
861 {
862 const char *s = talloc_asprintf(mem_ctx, "%d", v);
863 if (s == NULL) {
864 return ldb_oom(sam_ldb);
865 }
866 return ldb_msg_add_string(msg, attr_name, s);
867 }
868
869 /*
870 * Add an unsigned int element to a message
871 *
872 * The issue here is that we have not yet first cast to int32_t explicitly,
873 * before we cast to an signed int to printf() into the %d or cast to a
874 * int64_t before we then cast to a long long to printf into a %lld.
875 *
876 * There are *no* unsigned integers in Active Directory LDAP, even the RID
877 * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
878 * (See the schema, and the syntax definitions in schema_syntax.c).
879 *
880 */
881 int samdb_msg_add_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
882 const char *attr_name, unsigned int v)
883 {
884 return samdb_msg_add_int(sam_ldb, mem_ctx, msg, attr_name, (int)v);
885 }
886
887 /*
888 add a (signed) int64_t element to a message
889 */
890 int samdb_msg_add_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
891 const char *attr_name, int64_t v)
892 {
893 const char *s = talloc_asprintf(mem_ctx, "%lld", (long long)v);
894 if (s == NULL) {
895 return ldb_oom(sam_ldb);
896 }
897 return ldb_msg_add_string(msg, attr_name, s);
898 }
899
900 /*
901 * Add an unsigned int64_t (uint64_t) element to a message
902 *
903 * The issue here is that we have not yet first cast to int32_t explicitly,
904 * before we cast to an signed int to printf() into the %d or cast to a
905 * int64_t before we then cast to a long long to printf into a %lld.
906 *
907 * There are *no* unsigned integers in Active Directory LDAP, even the RID
908 * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
909 * (See the schema, and the syntax definitions in schema_syntax.c).
910 *
911 */
912 int samdb_msg_add_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
913 const char *attr_name, uint64_t v)
914 {
915 return samdb_msg_add_int64(sam_ldb, mem_ctx, msg, attr_name, (int64_t)v);
916 }
917
918 /*
919 add a samr_Password element to a message
920 */
921 int samdb_msg_add_hash(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
922 const char *attr_name, const struct samr_Password *hash)
923 {
924 struct ldb_val val;
925 val.data = talloc_memdup(mem_ctx, hash->hash, 16);
926 if (!val.data) {
927 return ldb_oom(sam_ldb);
928 }
929 val.length = 16;
930 return ldb_msg_add_value(msg, attr_name, &val, NULL);
931 }
932
933 /*
934 add a samr_Password array to a message
935 */
936 int samdb_msg_add_hashes(struct ldb_context *ldb,
937 TALLOC_CTX *mem_ctx, struct ldb_message *msg,
938 const char *attr_name, struct samr_Password *hashes,
939 unsigned int count)
940 {
941 struct ldb_val val;
942 unsigned int i;
943 val.data = talloc_array_size(mem_ctx, 16, count);
944 val.length = count*16;
945 if (!val.data) {
946 return ldb_oom(ldb);
947 }
948 for (i=0;i<count;i++) {
949 memcpy(i*16 + (char *)val.data, hashes[i].hash, 16);
950 }
951 return ldb_msg_add_value(msg, attr_name, &val, NULL);
952 }
953
954 /*
955 add a acct_flags element to a message
956 */
957 int samdb_msg_add_acct_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
958 const char *attr_name, uint32_t v)
959 {
960 return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, ds_acb2uf(v));
961 }
962
963 /*
964 add a logon_hours element to a message
965 */
966 int samdb_msg_add_logon_hours(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
967 const char *attr_name, struct samr_LogonHours *hours)
968 {
969 struct ldb_val val;
970 val.length = hours->units_per_week / 8;
971 val.data = hours->bits;
972 return ldb_msg_add_value(msg, attr_name, &val, NULL);
973 }
974
975 /*
976 add a parameters element to a message
977 */
978 int samdb_msg_add_parameters(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
979 const char *attr_name, struct lsa_BinaryString *parameters)
980 {
981 struct ldb_val val;
982 val.length = parameters->length;
983 val.data = (uint8_t *)parameters->array;
984 return ldb_msg_add_value(msg, attr_name, &val, NULL);
985 }
986
987 /*
988 * Sets an unsigned int element in a message
989 *
990 * The issue here is that we have not yet first cast to int32_t explicitly,
991 * before we cast to an signed int to printf() into the %d or cast to a
992 * int64_t before we then cast to a long long to printf into a %lld.
993 *
994 * There are *no* unsigned integers in Active Directory LDAP, even the RID
995 * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
996 * (See the schema, and the syntax definitions in schema_syntax.c).
997 *
998 */
999 int samdb_msg_set_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
1000 struct ldb_message *msg, const char *attr_name,
1001 unsigned int v)
1002 {
1003 struct ldb_message_element *el;
1004
1005 el = ldb_msg_find_element(msg, attr_name);
1006 if (el) {
1007 el->num_values = 0;
1008 }
1009 return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, v);
1010 }
1011
1012 /*
1013 * Handle ldb_request in transaction
1014 */
1015 static int dsdb_autotransaction_request(struct ldb_context *sam_ldb,
1016 struct ldb_request *req)
1017 {
1018 int ret;
1019
1020 ret = ldb_transaction_start(sam_ldb);
1021 if (ret != LDB_SUCCESS) {
1022 return ret;
1023 }
1024
1025 ret = ldb_request(sam_ldb, req);
1026 if (ret == LDB_SUCCESS) {
1027 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
1028 }
1029
1030 if (ret == LDB_SUCCESS) {
1031 return ldb_transaction_commit(sam_ldb);
1032 }
1033 ldb_transaction_cancel(sam_ldb);
1034
1035 return ret;
1036 }
1037
1038 /*
1039 return a default security descriptor
1040 */
1041 struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ctx)
1042 {
1043 struct security_descriptor *sd;
1044
1045 sd = security_descriptor_initialise(mem_ctx);
1046
1047 return sd;
1048 }
1049
1050 struct ldb_dn *samdb_aggregate_schema_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1051 {
1052 struct ldb_dn *schema_dn = ldb_get_schema_basedn(sam_ctx);
1053 struct ldb_dn *aggregate_dn;
1054 if (!schema_dn) {
1055 return NULL;
1056 }
1057
1058 aggregate_dn = ldb_dn_copy(mem_ctx, schema_dn);
1059 if (!aggregate_dn) {
1060 return NULL;
1061 }
1062 if (!ldb_dn_add_child_fmt(aggregate_dn, "CN=Aggregate")) {
1063 return NULL;
1064 }
1065 return aggregate_dn;
1066 }
1067
1068 struct ldb_dn *samdb_partitions_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1069 {
1070 struct ldb_dn *new_dn;
1071
1072 new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx));
1073 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Partitions")) {
1074 talloc_free(new_dn);
1075 return NULL;
1076 }
1077 return new_dn;
1078 }
1079
1080 struct ldb_dn *samdb_infrastructure_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1081 {
1082 struct ldb_dn *new_dn;
1083
1084 new_dn = ldb_dn_copy(mem_ctx, ldb_get_default_basedn(sam_ctx));
1085 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Infrastructure")) {
1086 talloc_free(new_dn);
1087 return NULL;
1088 }
1089 return new_dn;
1090 }
1091
1092 struct ldb_dn *samdb_sites_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1093 {
1094 struct ldb_dn *new_dn;
1095
1096 new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx));
1097 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Sites")) {
1098 talloc_free(new_dn);
1099 return NULL;
1100 }
1101 return new_dn;
1102 }
1103
1104 /*
1105 work out the domain sid for the current open ldb
1106 */
1107 const struct dom_sid *samdb_domain_sid(struct ldb_context *ldb)
1108 {
1109 TALLOC_CTX *tmp_ctx;
1110 const struct dom_sid *domain_sid;
1111 const char *attrs[] = {
1112 "objectSid",
1113 NULL
1114 };
1115 struct ldb_result *res;
1116 int ret;
1117
1118 /* see if we have a cached copy */
1119 domain_sid = (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
1120 if (domain_sid) {
1121 return domain_sid;
1122 }
1123
1124 tmp_ctx = talloc_new(ldb);
1125 if (tmp_ctx == NULL) {
1126 goto failed;
1127 }
1128
1129 ret = ldb_search(ldb, tmp_ctx, &res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, attrs, "objectSid=*");
1130
1131 if (ret != LDB_SUCCESS) {
1132 goto failed;
1133 }
1134
1135 if (res->count != 1) {
1136 goto failed;
1137 }
1138
1139 domain_sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
1140 if (domain_sid == NULL) {
1141 goto failed;
1142 }
1143
1144 /* cache the domain_sid in the ldb */
1145 if (ldb_set_opaque(ldb, "cache.domain_sid", discard_const_p(struct dom_sid, domain_sid)) != LDB_SUCCESS) {
1146 goto failed;
1147 }
1148
1149 talloc_steal(ldb, domain_sid);
1150 talloc_free(tmp_ctx);
1151
1152 return domain_sid;
1153
1154 failed:
1155 talloc_free(tmp_ctx);
1156 return NULL;
1157 }
1158
1159 /*
1160 get domain sid from cache
1161 */
1162 const struct dom_sid *samdb_domain_sid_cache_only(struct ldb_context *ldb)
1163 {
1164 return (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
1165 }
1166
1167 bool samdb_set_domain_sid(struct ldb_context *ldb, const struct dom_sid *dom_sid_in)
1168 {
1169 TALLOC_CTX *tmp_ctx;
1170 struct dom_sid *dom_sid_new;
1171 struct dom_sid *dom_sid_old;
1172
1173 /* see if we have a cached copy */
1174 dom_sid_old = talloc_get_type(ldb_get_opaque(ldb,
1175 "cache.domain_sid"), struct dom_sid);
1176
1177 tmp_ctx = talloc_new(ldb);
1178 if (tmp_ctx == NULL) {
1179 goto failed;
1180 }
1181
1182 dom_sid_new = dom_sid_dup(tmp_ctx, dom_sid_in);
1183 if (!dom_sid_new) {
1184 goto failed;
1185 }
1186
1187 /* cache the domain_sid in the ldb */
1188 if (ldb_set_opaque(ldb, "cache.domain_sid", dom_sid_new) != LDB_SUCCESS) {
1189 goto failed;
1190 }
1191
1192 talloc_steal(ldb, dom_sid_new);
1193 talloc_free(tmp_ctx);
1194 talloc_free(dom_sid_old);
1195
1196 return true;
1197
1198 failed:
1199 DEBUG(1,("Failed to set our own cached domain SID in the ldb!\n"));
1200 talloc_free(tmp_ctx);
1201 return false;
1202 }
1203
1204 bool samdb_set_ntds_settings_dn(struct ldb_context *ldb, struct ldb_dn *ntds_settings_dn_in)
1205 {
1206 TALLOC_CTX *tmp_ctx;
1207 struct ldb_dn *ntds_settings_dn_new;
1208 struct ldb_dn *ntds_settings_dn_old;
1209
1210 /* see if we have a forced copy from provision */
1211 ntds_settings_dn_old = talloc_get_type(ldb_get_opaque(ldb,
1212 "forced.ntds_settings_dn"), struct ldb_dn);
1213
1214 tmp_ctx = talloc_new(ldb);
1215 if (tmp_ctx == NULL) {
1216 goto failed;
1217 }
1218
1219 ntds_settings_dn_new = ldb_dn_copy(tmp_ctx, ntds_settings_dn_in);
1220 if (!ntds_settings_dn_new) {
1221 goto failed;
1222 }
1223
1224 /* set the DN in the ldb to avoid lookups during provision */
1225 if (ldb_set_opaque(ldb, "forced.ntds_settings_dn", ntds_settings_dn_new) != LDB_SUCCESS) {
1226 goto failed;
1227 }
1228
1229 talloc_steal(ldb, ntds_settings_dn_new);
1230 talloc_free(tmp_ctx);
1231 talloc_free(ntds_settings_dn_old);
1232
1233 return true;
1234
1235 failed:
1236 DEBUG(1,("Failed to set our NTDS Settings DN in the ldb!\n"));
1237 talloc_free(tmp_ctx);
1238 return false;
1239 }
1240
1241 /*
1242 work out the ntds settings dn for the current open ldb
1243 */
1244 struct ldb_dn *samdb_ntds_settings_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1245 {
1246 TALLOC_CTX *tmp_ctx;
1247 const char *root_attrs[] = { "dsServiceName", NULL };
1248 int ret;
1249 struct ldb_result *root_res;
1250 struct ldb_dn *settings_dn;
1251
1252 /* see if we have a cached copy */
1253 settings_dn = (struct ldb_dn *)ldb_get_opaque(ldb, "forced.ntds_settings_dn");
1254 if (settings_dn) {
1255 return ldb_dn_copy(mem_ctx, settings_dn);
1256 }
1257
1258 tmp_ctx = talloc_new(mem_ctx);
1259 if (tmp_ctx == NULL) {
1260 goto failed;
1261 }
1262
1263 ret = ldb_search(ldb, tmp_ctx, &root_res, ldb_dn_new(tmp_ctx, ldb, ""), LDB_SCOPE_BASE, root_attrs, NULL);
1264 if (ret != LDB_SUCCESS) {
1265 DEBUG(1,("Searching for dsServiceName in rootDSE failed: %s\n",
1266 ldb_errstring(ldb)));
1267 goto failed;
1268 }
1269
1270 if (root_res->count != 1) {
1271 goto failed;
1272 }
1273
1274 settings_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, root_res->msgs[0], "dsServiceName");
1275
1276 /* note that we do not cache the DN here, as that would mean
1277 * we could not handle server renames at runtime. Only
1278 * provision sets up forced.ntds_settings_dn */
1279
1280 talloc_steal(mem_ctx, settings_dn);
1281 talloc_free(tmp_ctx);
1282
1283 return settings_dn;
1284
1285 failed:
1286 DEBUG(1,("Failed to find our own NTDS Settings DN in the ldb!\n"));
1287 talloc_free(tmp_ctx);
1288 return NULL;
1289 }
1290
1291 /*
1292 work out the ntds settings invocationId for the current open ldb
1293 */
1294 const struct GUID *samdb_ntds_invocation_id(struct ldb_context *ldb)
1295 {
1296 TALLOC_CTX *tmp_ctx;
1297 const char *attrs[] = { "invocationId", NULL };
1298 int ret;
1299 struct ldb_result *res;
1300 struct GUID *invocation_id;
1301
1302 /* see if we have a cached copy */
1303 invocation_id = (struct GUID *)ldb_get_opaque(ldb, "cache.invocation_id");
1304 if (invocation_id) {
1305 return invocation_id;
1306 }
1307
1308 tmp_ctx = talloc_new(ldb);
1309 if (tmp_ctx == NULL) {
1310 goto failed;
1311 }
1312
1313 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb, tmp_ctx), LDB_SCOPE_BASE, attrs, NULL);
1314 if (ret) {
1315 goto failed;
1316 }
1317
1318 if (res->count != 1) {
1319 goto failed;
1320 }
1321
1322 invocation_id = talloc(tmp_ctx, struct GUID);
1323 if (!invocation_id) {
1324 goto failed;
1325 }
1326
1327 *invocation_id = samdb_result_guid(res->msgs[0], "invocationId");
1328
1329 /* cache the domain_sid in the ldb */
1330 if (ldb_set_opaque(ldb, "cache.invocation_id", invocation_id) != LDB_SUCCESS) {
1331 goto failed;
1332 }
1333
1334 talloc_steal(ldb, invocation_id);
1335 talloc_free(tmp_ctx);
1336
1337 return invocation_id;
1338
1339 failed:
1340 DEBUG(1,("Failed to find our own NTDS Settings invocationId in the ldb!\n"));
1341 talloc_free(tmp_ctx);
1342 return NULL;
1343 }
1344
1345 bool samdb_set_ntds_invocation_id(struct ldb_context *ldb, const struct GUID *invocation_id_in)
1346 {
1347 TALLOC_CTX *tmp_ctx;
1348 struct GUID *invocation_id_new;
1349 struct GUID *invocation_id_old;
1350
1351 /* see if we have a cached copy */
1352 invocation_id_old = (struct GUID *)ldb_get_opaque(ldb,
1353 "cache.invocation_id");
1354
1355 tmp_ctx = talloc_new(ldb);
1356 if (tmp_ctx == NULL) {
1357 goto failed;
1358 }
1359
1360 invocation_id_new = talloc(tmp_ctx, struct GUID);
1361 if (!invocation_id_new) {
1362 goto failed;
1363 }
1364
1365 *invocation_id_new = *invocation_id_in;
1366
1367 /* cache the domain_sid in the ldb */
1368 if (ldb_set_opaque(ldb, "cache.invocation_id", invocation_id_new) != LDB_SUCCESS) {
1369 goto failed;
1370 }
1371
1372 talloc_steal(ldb, invocation_id_new);
1373 talloc_free(tmp_ctx);
1374 talloc_free(invocation_id_old);
1375
1376 return true;
1377
1378 failed:
1379 DEBUG(1,("Failed to set our own cached invocationId in the ldb!\n"));
1380 talloc_free(tmp_ctx);
1381 return false;
1382 }
1383
1384 /*
1385 work out the ntds settings objectGUID for the current open ldb
1386 */
1387 const struct GUID *samdb_ntds_objectGUID(struct ldb_context *ldb)
1388 {
1389 TALLOC_CTX *tmp_ctx;
1390 const char *attrs[] = { "objectGUID", NULL };
1391 int ret;
1392 struct ldb_result *res;
1393 struct GUID *ntds_guid;
1394
1395 /* see if we have a cached copy */
1396 ntds_guid = (struct GUID *)ldb_get_opaque(ldb, "cache.ntds_guid");
1397 if (ntds_guid) {
1398 return ntds_guid;
1399 }
1400
1401 tmp_ctx = talloc_new(ldb);
1402 if (tmp_ctx == NULL) {
1403 goto failed;
1404 }
1405
1406 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb, tmp_ctx), LDB_SCOPE_BASE, attrs, NULL);
1407 if (ret) {
1408 goto failed;
1409 }
1410
1411 if (res->count != 1) {
1412 goto failed;
1413 }
1414
1415 ntds_guid = talloc(tmp_ctx, struct GUID);
1416 if (!ntds_guid) {
1417 goto failed;
1418 }
1419
1420 *ntds_guid = samdb_result_guid(res->msgs[0], "objectGUID");
1421
1422 /* cache the domain_sid in the ldb */
1423 if (ldb_set_opaque(ldb, "cache.ntds_guid", ntds_guid) != LDB_SUCCESS) {
1424 goto failed;
1425 }
1426
1427 talloc_steal(ldb, ntds_guid);
1428 talloc_free(tmp_ctx);
1429
1430 return ntds_guid;
1431
1432 failed:
1433 DEBUG(1,("Failed to find our own NTDS Settings objectGUID in the ldb!\n"));
1434 talloc_free(tmp_ctx);
1435 return NULL;
1436 }
1437
1438 bool samdb_set_ntds_objectGUID(struct ldb_context *ldb, const struct GUID *ntds_guid_in)
1439 {
1440 TALLOC_CTX *tmp_ctx;
1441 struct GUID *ntds_guid_new;
1442 struct GUID *ntds_guid_old;
1443
1444 /* see if we have a cached copy */
1445 ntds_guid_old = (struct GUID *)ldb_get_opaque(ldb, "cache.ntds_guid");
1446
1447 tmp_ctx = talloc_new(ldb);
1448 if (tmp_ctx == NULL) {
1449 goto failed;
1450 }
1451
1452 ntds_guid_new = talloc(tmp_ctx, struct GUID);
1453 if (!ntds_guid_new) {
1454 goto failed;
1455 }
1456
1457 *ntds_guid_new = *ntds_guid_in;
1458
1459 /* cache the domain_sid in the ldb */
1460 if (ldb_set_opaque(ldb, "cache.ntds_guid", ntds_guid_new) != LDB_SUCCESS) {
1461 goto failed;
1462 }
1463
1464 talloc_steal(ldb, ntds_guid_new);
1465 talloc_free(tmp_ctx);
1466 talloc_free(ntds_guid_old);
1467
1468 return true;
1469
1470 failed:
1471 DEBUG(1,("Failed to set our own cached invocationId in the ldb!\n"));
1472 talloc_free(tmp_ctx);
1473 return false;
1474 }
1475
1476 /*
1477 work out the server dn for the current open ldb
1478 */
1479 struct ldb_dn *samdb_server_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1480 {
1481 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1482 struct ldb_dn *dn;
1483 if (!tmp_ctx) {
1484 return NULL;
1485 }
1486 dn = ldb_dn_get_parent(mem_ctx, samdb_ntds_settings_dn(ldb, tmp_ctx));
1487 talloc_free(tmp_ctx);
1488 return dn;
1489
1490 }
1491
1492 /*
1493 work out the server dn for the current open ldb
1494 */
1495 struct ldb_dn *samdb_server_site_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1496 {
1497 struct ldb_dn *server_dn;
1498 struct ldb_dn *servers_dn;
1499 struct ldb_dn *server_site_dn;
1500
1501 /* TODO: there must be a saner way to do this!! */
1502 server_dn = samdb_server_dn(ldb, mem_ctx);
1503 if (!server_dn) return NULL;
1504
1505 servers_dn = ldb_dn_get_parent(mem_ctx, server_dn);
1506 talloc_free(server_dn);
1507 if (!servers_dn) return NULL;
1508
1509 server_site_dn = ldb_dn_get_parent(mem_ctx, servers_dn);
1510 talloc_free(servers_dn);
1511
1512 return server_site_dn;
1513 }
1514
1515 /*
1516 find the site name from a computers DN record
1517 */
1518 int samdb_find_site_for_computer(struct ldb_context *ldb,
1519 TALLOC_CTX *mem_ctx, struct ldb_dn *computer_dn,
1520 const char **site_name)
1521 {
1522 int ret;
1523 struct ldb_dn *dn;
1524 const struct ldb_val *rdn_val;
1525
1526 *site_name = NULL;
1527
1528 ret = samdb_reference_dn(ldb, mem_ctx, computer_dn, "serverReferenceBL", &dn);
1529 if (ret != LDB_SUCCESS) {
1530 return ret;
1531 }
1532
1533 if (!ldb_dn_remove_child_components(dn, 2)) {
1534 talloc_free(dn);
1535 return LDB_ERR_INVALID_DN_SYNTAX;
1536 }
1537
1538 rdn_val = ldb_dn_get_rdn_val(dn);
1539 if (rdn_val == NULL) {
1540 return LDB_ERR_OPERATIONS_ERROR;
1541 }
1542
1543 (*site_name) = talloc_strndup(mem_ctx, (const char *)rdn_val->data, rdn_val->length);
1544 talloc_free(dn);
1545 if (!*site_name) {
1546 return LDB_ERR_OPERATIONS_ERROR;
1547 }
1548 return LDB_SUCCESS;
1549 }
1550
1551 /*
1552 find the NTDS GUID from a computers DN record
1553 */
1554 int samdb_find_ntdsguid_for_computer(struct ldb_context *ldb, struct ldb_dn *computer_dn,
1555 struct GUID *ntds_guid)
1556 {
1557 int ret;
1558 struct ldb_dn *dn;
1559
1560 *ntds_guid = GUID_zero();
1561
1562 ret = samdb_reference_dn(ldb, ldb, computer_dn, "serverReferenceBL", &dn);
1563 if (ret != LDB_SUCCESS) {
1564 return ret;
1565 }
1566
1567 if (!ldb_dn_add_child_fmt(dn, "CN=NTDS Settings")) {
1568 talloc_free(dn);
1569 return LDB_ERR_OPERATIONS_ERROR;
1570 }
1571
1572 ret = dsdb_find_guid_by_dn(ldb, dn, ntds_guid);
1573 talloc_free(dn);
1574 return ret;
1575 }
1576
1577 /*
1578 find a 'reference' DN that points at another object
1579 (eg. serverReference, rIDManagerReference etc)
1580 */
1581 int samdb_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *base,
1582 const char *attribute, struct ldb_dn **dn)
1583 {
1584 const char *attrs[2];
1585 struct ldb_result *res;
1586 int ret;
1587
1588 attrs[0] = attribute;
1589 attrs[1] = NULL;
1590
1591 ret = dsdb_search(ldb, mem_ctx, &res, base, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_ONE_ONLY|DSDB_SEARCH_SHOW_EXTENDED_DN, NULL);
1592 if (ret != LDB_SUCCESS) {
1593 ldb_asprintf_errstring(ldb, "Cannot find DN %s to get attribute %s for reference dn: %s",
1594 ldb_dn_get_linearized(base), attribute, ldb_errstring(ldb));
1595 return ret;
1596 }
1597
1598 *dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0], attribute);
1599 if (!*dn) {
1600 if (!ldb_msg_find_element(res->msgs[0], attribute)) {
1601 ldb_asprintf_errstring(ldb, "Cannot find attribute %s of %s to calculate reference dn", attribute,
1602 ldb_dn_get_linearized(base));
1603 } else {
1604 ldb_asprintf_errstring(ldb, "Cannot interpret attribute %s of %s as a dn", attribute,
1605 ldb_dn_get_linearized(base));
1606 }
1607 talloc_free(res);
1608 return LDB_ERR_NO_SUCH_ATTRIBUTE;
1609 }
1610
1611 talloc_free(res);
1612 return LDB_SUCCESS;
1613 }
1614
1615 /*
1616 find if a DN (must have GUID component!) is our ntdsDsa
1617 */
1618 int samdb_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *dn, bool *is_ntdsa)
1619 {
1620 NTSTATUS status;
1621 struct GUID dn_guid;
1622 const struct GUID *our_ntds_guid;
1623 status = dsdb_get_extended_dn_guid(dn, &dn_guid, "GUID");
1624 if (!NT_STATUS_IS_OK(status)) {
1625 return LDB_ERR_OPERATIONS_ERROR;
1626 }
1627
1628 our_ntds_guid = samdb_ntds_objectGUID(ldb);
1629 if (!our_ntds_guid) {
1630 DEBUG(0, ("Failed to find our NTDS Settings GUID for comparison with %s - %s\n", ldb_dn_get_linearized(dn), ldb_errstring(ldb)));
1631 return LDB_ERR_OPERATIONS_ERROR;
1632 }
1633
1634 *is_ntdsa = GUID_equal(&dn_guid, our_ntds_guid);
1635 return LDB_SUCCESS;
1636 }
1637
1638 /*
1639 find a 'reference' DN that points at another object and indicate if it is our ntdsDsa
1640 */
1641 int samdb_reference_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *base,
1642 const char *attribute, bool *is_ntdsa)
1643 {
1644 int ret;
1645 struct ldb_dn *referenced_dn;
1646 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
1647 if (tmp_ctx == NULL) {
1648 return LDB_ERR_OPERATIONS_ERROR;
1649 }
1650 ret = samdb_reference_dn(ldb, tmp_ctx, base, attribute, &referenced_dn);
1651 if (ret != LDB_SUCCESS) {
1652 DEBUG(0, ("Failed to find object %s for attribute %s - %s\n", ldb_dn_get_linearized(base), attribute, ldb_errstring(ldb)));
1653 return ret;
1654 }
1655
1656 ret = samdb_dn_is_our_ntdsa(ldb, referenced_dn, is_ntdsa);
1657
1658 talloc_free(tmp_ctx);
1659 return ret;
1660 }
1661
1662 /*
1663 find our machine account via the serverReference attribute in the
1664 server DN
1665 */
1666 int samdb_server_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1667 {
1668 struct ldb_dn *server_dn;
1669 int ret;
1670
1671 server_dn = samdb_server_dn(ldb, mem_ctx);
1672 if (server_dn == NULL) {
1673 return LDB_ERR_NO_SUCH_OBJECT;
1674 }
1675
1676 ret = samdb_reference_dn(ldb, mem_ctx, server_dn, "serverReference", dn);
1677 talloc_free(server_dn);
1678
1679 return ret;
1680 }
1681
1682 /*
1683 find the RID Manager$ DN via the rIDManagerReference attribute in the
1684 base DN
1685 */
1686 int samdb_rid_manager_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1687 {
1688 return samdb_reference_dn(ldb, mem_ctx, ldb_get_default_basedn(ldb),
1689 "rIDManagerReference", dn);
1690 }
1691
1692 /*
1693 find the RID Set DN via the rIDSetReferences attribute in our
1694 machine account DN
1695 */
1696 int samdb_rid_set_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1697 {
1698 struct ldb_dn *server_ref_dn;
1699 int ret;
1700
1701 ret = samdb_server_reference_dn(ldb, mem_ctx, &server_ref_dn);
1702 if (ret != LDB_SUCCESS) {
1703 return ret;
1704 }
1705 ret = samdb_reference_dn(ldb, mem_ctx, server_ref_dn, "rIDSetReferences", dn);
1706 talloc_free(server_ref_dn);
1707 return ret;
1708 }
1709
1710 const char *samdb_server_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1711 {
1712 const struct ldb_val *val = ldb_dn_get_rdn_val(samdb_server_site_dn(ldb,
1713 mem_ctx));
1714
1715 if (val == NULL) {
1716 return NULL;
1717 }
1718
1719 return (const char *) val->data;
1720 }
1721
1722 /*
1723 * Finds the client site by using the client's IP address.
1724 * The "subnet_name" returns the name of the subnet if parameter != NULL
1725 */
1726 const char *samdb_client_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
1727 const char *ip_address, char **subnet_name)
1728 {
1729 const char *attrs[] = { "cn", "siteObject", NULL };
1730 struct ldb_dn *sites_container_dn, *subnets_dn, *sites_dn;
1731 struct ldb_result *res;
1732 const struct ldb_val *val;
1733 const char *site_name = NULL, *l_subnet_name = NULL;
1734 const char *allow_list[2] = { NULL, NULL };
1735 unsigned int i, count;
1736 int cnt, ret;
1737
1738 /*
1739 * if we don't have a client ip e.g. ncalrpc
1740 * the server site is the client site
1741 */
1742 if (ip_address == NULL) {
1743 return samdb_server_site_name(ldb, mem_ctx);
1744 }
1745
1746 sites_container_dn = samdb_sites_dn(ldb, mem_ctx);
1747 if (sites_container_dn == NULL) {
1748 return NULL;
1749 }
1750
1751 subnets_dn = ldb_dn_copy(mem_ctx, sites_container_dn);
1752 if ( ! ldb_dn_add_child_fmt(subnets_dn, "CN=Subnets")) {
1753 talloc_free(sites_container_dn);
1754 talloc_free(subnets_dn);
1755 return NULL;
1756 }
1757
1758 ret = ldb_search(ldb, mem_ctx, &res, subnets_dn, LDB_SCOPE_ONELEVEL,
1759 attrs, NULL);
1760 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
1761 count = 0;
1762 } else if (ret != LDB_SUCCESS) {
1763 talloc_free(sites_container_dn);
1764 talloc_free(subnets_dn);
1765 return NULL;
1766 } else {
1767 count = res->count;
1768 }
1769
1770 for (i = 0; i < count; i++) {
1771 l_subnet_name = ldb_msg_find_attr_as_string(res->msgs[i], "cn",
1772 NULL);
1773
1774 allow_list[0] = l_subnet_name;
1775
1776 if (socket_allow_access(mem_ctx, NULL, allow_list, "", ip_address)) {
1777 sites_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx,
1778 res->msgs[i],
1779 "siteObject");
1780 if (sites_dn == NULL) {
1781 /* No reference, maybe another subnet matches */
1782 continue;
1783 }
1784
1785 /* "val" cannot be NULL here since "sites_dn" != NULL */
1786 val = ldb_dn_get_rdn_val(sites_dn);
1787 site_name = talloc_strdup(mem_ctx,
1788 (const char *) val->data);
1789
1790 talloc_free(sites_dn);
1791
1792 break;
1793 }
1794 }
1795
1796 if (site_name == NULL) {
1797 /* This is the Windows Server fallback rule: when no subnet
1798 * exists and we have only one site available then use it (it
1799 * is for sure the same as our server site). If more sites do
1800 * exist then we don't know which one to use and set the site
1801 * name to "". */
1802 cnt = samdb_search_count(ldb, mem_ctx, sites_container_dn,
1803 "(objectClass=site)");
1804 if (cnt == 1) {
1805 site_name = samdb_server_site_name(ldb, mem_ctx);
1806 } else {
1807 site_name = talloc_strdup(mem_ctx, "");
1808 }
1809 l_subnet_name = NULL;
1810 }
1811
1812 if (subnet_name != NULL) {
1813 *subnet_name = talloc_strdup(mem_ctx, l_subnet_name);
1814 }
1815
1816 talloc_free(sites_container_dn);
1817 talloc_free(subnets_dn);
1818 talloc_free(res);
1819
1820 return site_name;
1821 }
1822
1823 /*
1824 work out if we are the PDC for the domain of the current open ldb
1825 */
1826 bool samdb_is_pdc(struct ldb_context *ldb)
1827 {
1828 int ret;
1829 bool is_pdc;
1830
1831 ret = samdb_reference_dn_is_our_ntdsa(ldb, ldb_get_default_basedn(ldb), "fsmoRoleOwner",
1832 &is_pdc);
1833 if (ret != LDB_SUCCESS) {
1834 DEBUG(1,("Failed to find if we are the PDC for this ldb: Searching for fSMORoleOwner in %s failed: %s\n",
1835 ldb_dn_get_linearized(ldb_get_default_basedn(ldb)),
1836 ldb_errstring(ldb)));
1837 return false;
1838 }
1839
1840 return is_pdc;
1841 }
1842
1843 /*
1844 work out if we are a Global Catalog server for the domain of the current open ldb
1845 */
1846 bool samdb_is_gc(struct ldb_context *ldb)
1847 {
1848 uint32_t options;
1849 if (samdb_ntds_options(ldb, &options) != LDB_SUCCESS) {
1850 return false;
1851 }
1852 return (options & DS_NTDSDSA_OPT_IS_GC) != 0;
1853 }
1854
1855 /* Find a domain object in the parents of a particular DN. */
1856 int samdb_search_for_parent_domain(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
1857 struct ldb_dn **parent_dn, const char **errstring)
1858 {
1859 TALLOC_CTX *local_ctx;
1860 struct ldb_dn *sdn = dn;
1861 struct ldb_result *res = NULL;
1862 int ret = LDB_SUCCESS;
1863 const char *attrs[] = { NULL };
1864
1865 local_ctx = talloc_new(mem_ctx);
1866 if (local_ctx == NULL) return ldb_oom(ldb);
1867
1868 while ((sdn = ldb_dn_get_parent(local_ctx, sdn))) {
1869 ret = ldb_search(ldb, local_ctx, &res, sdn, LDB_SCOPE_BASE, attrs,
1870 "(|(objectClass=domain)(objectClass=builtinDomain))");
1871 if (ret == LDB_SUCCESS) {
1872 if (res->count == 1) {
1873 break;
1874 }
1875 } else {
1876 break;
1877 }
1878 }
1879
1880 if (ret != LDB_SUCCESS) {
1881 *errstring = talloc_asprintf(mem_ctx, "Error searching for parent domain of %s, failed searching for %s: %s",
1882 ldb_dn_get_linearized(dn),
1883 ldb_dn_get_linearized(sdn),
1884 ldb_errstring(ldb));
1885 talloc_free(local_ctx);
1886 return ret;
1887 }
1888 if (res->count != 1) {
1889 *errstring = talloc_asprintf(mem_ctx, "Invalid dn (%s), not child of a domain object",
1890 ldb_dn_get_linearized(dn));
1891 DEBUG(0,(__location__ ": %s\n", *errstring));
1892 talloc_free(local_ctx);
1893 return LDB_ERR_CONSTRAINT_VIOLATION;
1894 }
1895
1896 *parent_dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
1897 talloc_free(local_ctx);
1898 return ret;
1899 }
1900
1901
1902 /*
1903 * Performs checks on a user password (plaintext UNIX format - attribute
1904 * "password"). The remaining parameters have to be extracted from the domain
1905 * object in the AD.
1906 *
1907 * Result codes from "enum samr_ValidationStatus" (consider "samr.idl")
1908 */
1909 enum samr_ValidationStatus samdb_check_password(const DATA_BLOB *password,
1910 const uint32_t pwdProperties,
1911 const uint32_t minPwdLength)
1912 {
1913 /* checks if the "minPwdLength" property is satisfied */
1914 if (minPwdLength > password->length)
1915 return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
1916
1917 /* checks the password complexity */
1918 if (((pwdProperties & DOMAIN_PASSWORD_COMPLEX) != 0)
1919 && (password->data != NULL)
1920 && (!check_password_quality((const char *) password->data)))
1921 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
1922
1923 return SAMR_VALIDATION_STATUS_SUCCESS;
1924 }
1925
1926 /*
1927 * Callback for "samdb_set_password" password change
1928 */
1929 int samdb_set_password_callback(struct ldb_request *req, struct ldb_reply *ares)
1930 {
1931 int ret;
1932
1933 if (!ares) {
1934 return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
1935 }
1936
1937 if (ares->error != LDB_SUCCESS) {
1938 ret = ares->error;
1939 req->context = talloc_steal(req,
1940 ldb_reply_get_control(ares, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID));
1941 talloc_free(ares);
1942 return ldb_request_done(req, ret);
1943 }
1944
1945 if (ares->type != LDB_REPLY_DONE) {
1946 talloc_free(ares);
1947 return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
1948 }
1949
1950 req->context = talloc_steal(req,
1951 ldb_reply_get_control(ares, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID));
1952 talloc_free(ares);
1953 return ldb_request_done(req, LDB_SUCCESS);
1954 }
1955
1956 /*
1957 * Sets the user password using plaintext UTF16 (attribute "new_password") or
1958 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
1959 * the old LM and/or NT hash (attributes "lmOldHash"/"ntOldHash") if it is a
1960 * user change or not. The "rejectReason" gives some more information if the
1961 * change failed.
1962 *
1963 * Results: NT_STATUS_OK, NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
1964 * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION
1965 */
1966 NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
1967 struct ldb_dn *user_dn, struct ldb_dn *domain_dn,
1968 const DATA_BLOB *new_password,
1969 const struct samr_Password *lmNewHash,
1970 const struct samr_Password *ntNewHash,
1971 const struct samr_Password *lmOldHash,
1972 const struct samr_Password *ntOldHash,
1973 enum samPwdChangeReason *reject_reason,
1974 struct samr_DomInfo1 **_dominfo)
1975 {
1976 struct ldb_message *msg;
1977 struct ldb_message_element *el;
1978 struct ldb_request *req;
1979 struct dsdb_control_password_change_status *pwd_stat = NULL;
1980 int ret;
1981 NTSTATUS status = NT_STATUS_OK;
1982
1983 #define CHECK_RET(x) \
1984 if (x != LDB_SUCCESS) { \
1985 talloc_free(msg); \
1986 return NT_STATUS_NO_MEMORY; \
1987 }
1988
1989 msg = ldb_msg_new(mem_ctx);
1990 if (msg == NULL) {
1991 return NT_STATUS_NO_MEMORY;
1992 }
1993 msg->dn = user_dn;
1994 if ((new_password != NULL)
1995 && ((lmNewHash == NULL) && (ntNewHash == NULL))) {
1996 /* we have the password as plaintext UTF16 */
1997 CHECK_RET(ldb_msg_add_value(msg, "clearTextPassword",
1998 new_password, NULL));
1999 el = ldb_msg_find_element(msg, "clearTextPassword");
2000 el->flags = LDB_FLAG_MOD_REPLACE;
2001 } else if ((new_password == NULL)
2002 && ((lmNewHash != NULL) || (ntNewHash != NULL))) {
2003 /* we have a password as LM and/or NT hash */
2004 if (lmNewHash != NULL) {
2005 CHECK_RET(samdb_msg_add_hash(ldb, mem_ctx, msg,
2006 "dBCSPwd", lmNewHash));
2007 el = ldb_msg_find_element(msg, "dBCSPwd");
2008 el->flags = LDB_FLAG_MOD_REPLACE;
2009 }
2010 if (ntNewHash != NULL) {
2011 CHECK_RET(samdb_msg_add_hash(ldb, mem_ctx, msg,
2012 "unicodePwd", ntNewHash));
2013 el = ldb_msg_find_element(msg, "unicodePwd");
2014 el->flags = LDB_FLAG_MOD_REPLACE;
2015 }
2016 } else {
2017 /* the password wasn't specified correctly */
2018 talloc_free(msg);
2019 return NT_STATUS_INVALID_PARAMETER;
2020 }
2021
2022 /* build modify request */
2023 ret = ldb_build_mod_req(&req, ldb, mem_ctx, msg, NULL, NULL,
2024 samdb_set_password_callback, NULL);
2025 if (ret != LDB_SUCCESS) {
2026 talloc_free(msg);
2027 return NT_STATUS_NO_MEMORY;
2028 }
2029
2030 /* A password change operation */
2031 if ((ntOldHash != NULL) || (lmOldHash != NULL)) {
2032 struct dsdb_control_password_change *change;
2033
2034 change = talloc(req, struct dsdb_control_password_change);
2035 if (change == NULL) {
2036 talloc_free(req);
2037 talloc_free(msg);
2038 return NT_STATUS_NO_MEMORY;
2039 }
2040
2041 change->old_nt_pwd_hash = ntOldHash;
2042 change->old_lm_pwd_hash = lmOldHash;
2043
2044 ret = ldb_request_add_control(req,
2045 DSDB_CONTROL_PASSWORD_CHANGE_OID,
2046 true, change);
2047 if (ret != LDB_SUCCESS) {
2048 talloc_free(req);
2049 talloc_free(msg);
2050 return NT_STATUS_NO_MEMORY;
2051 }
2052 }
2053 ret = ldb_request_add_control(req,
2054 DSDB_CONTROL_PASSWORD_HASH_VALUES_OID,
2055 true, NULL);
2056 if (ret != LDB_SUCCESS) {
2057 talloc_free(req);
2058 talloc_free(msg);
2059 return NT_STATUS_NO_MEMORY;
2060 }
2061 ret = ldb_request_add_control(req,
2062 DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID,
2063 true, NULL);
2064 if (ret != LDB_SUCCESS) {
2065 talloc_free(req);
2066 talloc_free(msg);
2067 return NT_STATUS_NO_MEMORY;
2068 }
2069
2070 ret = dsdb_autotransaction_request(ldb, req);
2071
2072 if (req->context != NULL) {
2073 pwd_stat = talloc_steal(mem_ctx,
2074 ((struct ldb_control *)req->context)->data);
2075 }
2076
2077 talloc_free(req);
2078 talloc_free(msg);
2079
2080 /* Sets the domain info (if requested) */
2081 if (_dominfo != NULL) {
2082 struct samr_DomInfo1 *dominfo;
2083
2084 dominfo = talloc_zero(mem_ctx, struct samr_DomInfo1);
2085 if (dominfo == NULL) {
2086 return NT_STATUS_NO_MEMORY;
2087 }
2088
2089 if (pwd_stat != NULL) {
2090 dominfo->min_password_length = pwd_stat->domain_data.minPwdLength;
2091 dominfo->password_properties = pwd_stat->domain_data.pwdProperties;
2092 dominfo->password_history_length = pwd_stat->domain_data.pwdHistoryLength;
2093 dominfo->max_password_age = pwd_stat->domain_data.maxPwdAge;
2094 dominfo->min_password_age = pwd_stat->domain_data.minPwdAge;
2095 }
2096
2097 *_dominfo = dominfo;
2098 }
2099
2100 if (reject_reason != NULL) {
2101 if (pwd_stat != NULL) {
2102 *reject_reason = pwd_stat->reject_reason;
2103 } else {
2104 *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
2105 }
2106 }
2107
2108 if (pwd_stat != NULL) {
2109 talloc_free(pwd_stat);
2110 }
2111
2112 if (ret == LDB_ERR_CONSTRAINT_VIOLATION) {
2113 const char *errmsg = ldb_errstring(ldb);
2114 char *endptr = NULL;
2115 WERROR werr = WERR_GENERAL_FAILURE;
2116 status = NT_STATUS_UNSUCCESSFUL;
2117 if (errmsg != NULL) {
2118 werr = W_ERROR(strtol(errmsg, &endptr, 16));
2119 }
2120 if (endptr != errmsg) {
2121 if (W_ERROR_EQUAL(werr, WERR_INVALID_PASSWORD)) {
2122 status = NT_STATUS_WRONG_PASSWORD;
2123 }
2124 if (W_ERROR_EQUAL(werr, WERR_PASSWORD_RESTRICTION)) {
2125 status = NT_STATUS_PASSWORD_RESTRICTION;
2126 }
2127 }
2128 } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2129 /* don't let the caller know if an account doesn't exist */
2130 status = NT_STATUS_WRONG_PASSWORD;
2131 } else if (ret != LDB_SUCCESS) {
2132 status = NT_STATUS_UNSUCCESSFUL;
2133 }
2134
2135 return status;
2136 }
2137
2138 /*
2139 * Sets the user password using plaintext UTF16 (attribute "new_password") or
2140 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
2141 * the old LM and/or NT hash (attributes "lmOldHash"/"ntOldHash") if it is a
2142 * user change or not. The "rejectReason" gives some more information if the
2143 * change failed.
2144 *
2145 * This wrapper function for "samdb_set_password" takes a SID as input rather
2146 * than a user DN.
2147 *
2148 * This call encapsulates a new LDB transaction for changing the password;
2149 * therefore the user hasn't to start a new one.
2150 *
2151 * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
2152 * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
2153 * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION,
2154 * NT_STATUS_TRANSACTION_ABORTED, NT_STATUS_NO_SUCH_USER
2155 */
2156 NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
2157 const struct dom_sid *user_sid,
2158 const DATA_BLOB *new_password,
2159 const struct samr_Password *lmNewHash,
2160 const struct samr_Password *ntNewHash,
2161 const struct samr_Password *lmOldHash,
2162 const struct samr_Password *ntOldHash,
2163 enum samPwdChangeReason *reject_reason,
2164 struct samr_DomInfo1 **_dominfo)
2165 {
2166 NTSTATUS nt_status;
2167 struct ldb_dn *user_dn;
2168 int ret;
2169
2170 ret = ldb_transaction_start(ldb);
2171 if (ret != LDB_SUCCESS) {
2172 DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(ldb)));
2173 return NT_STATUS_TRANSACTION_ABORTED;
2174 }
2175
2176 user_dn = samdb_search_dn(ldb, mem_ctx, NULL,
2177 "(&(objectSid=%s)(objectClass=user))",
2178 ldap_encode_ndr_dom_sid(mem_ctx, user_sid));
2179 if (!user_dn) {
2180 ldb_transaction_cancel(ldb);
2181 DEBUG(3, ("samdb_set_password_sid: SID %s not found in samdb, returning NO_SUCH_USER\n",
2182 dom_sid_string(mem_ctx, user_sid)));
2183 return NT_STATUS_NO_SUCH_USER;
2184 }
2185
2186 nt_status = samdb_set_password(ldb, mem_ctx,
2187 user_dn, NULL,
2188 new_password,
2189 lmNewHash, ntNewHash,
2190 lmOldHash, ntOldHash,
2191 reject_reason, _dominfo);
2192 if (!NT_STATUS_IS_OK(nt_status)) {
2193 ldb_transaction_cancel(ldb);
2194 talloc_free(user_dn);
2195 return nt_status;
2196 }
2197
2198 ret = ldb_transaction_commit(ldb);
2199 if (ret != LDB_SUCCESS) {
2200 DEBUG(0,("Failed to commit transaction to change password on %s: %s\n",
2201 ldb_dn_get_linearized(user_dn),
2202 ldb_errstring(ldb)));
2203 talloc_free(user_dn);
2204 return NT_STATUS_TRANSACTION_ABORTED;
2205 }
2206
2207 talloc_free(user_dn);
2208 return NT_STATUS_OK;
2209 }
2210
2211
2212 NTSTATUS samdb_create_foreign_security_principal(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
2213 struct dom_sid *sid, struct ldb_dn **ret_dn)
2214 {
2215 struct ldb_message *msg;
2216 struct ldb_dn *basedn;
2217 char *sidstr;
2218 int ret;
2219
2220 sidstr = dom_sid_string(mem_ctx, sid);
2221 NT_STATUS_HAVE_NO_MEMORY(sidstr);
2222
2223 /* We might have to create a ForeignSecurityPrincipal, even if this user
2224 * is in our own domain */
2225
2226 msg = ldb_msg_new(sidstr);
2227 if (msg == NULL) {
2228 talloc_free(sidstr);
2229 return NT_STATUS_NO_MEMORY;
2230 }
2231
2232 ret = dsdb_wellknown_dn(sam_ctx, sidstr,
2233 ldb_get_default_basedn(sam_ctx),
2234 DS_GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER,
2235 &basedn);
2236 if (ret != LDB_SUCCESS) {
2237 DEBUG(0, ("Failed to find DN for "
2238 "ForeignSecurityPrincipal container - %s\n", ldb_errstring(sam_ctx)));
2239 talloc_free(sidstr);
2240 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2241 }
2242
2243 /* add core elements to the ldb_message for the alias */
2244 msg->dn = basedn;
2245 if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s", sidstr)) {
2246 talloc_free(sidstr);
2247 return NT_STATUS_NO_MEMORY;
2248 }
2249
2250 ret = ldb_msg_add_string(msg, "objectClass",
2251 "foreignSecurityPrincipal");
2252 if (ret != LDB_SUCCESS) {
2253 talloc_free(sidstr);
2254 return NT_STATUS_NO_MEMORY;
2255 }
2256
2257 /* create the alias */
2258 ret = ldb_add(sam_ctx, msg);
2259 if (ret != LDB_SUCCESS) {
2260 DEBUG(0,("Failed to create foreignSecurityPrincipal "
2261 "record %s: %s\n",
2262 ldb_dn_get_linearized(msg->dn),
2263 ldb_errstring(sam_ctx)));
2264 talloc_free(sidstr);
2265 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2266 }
2267
2268 *ret_dn = talloc_steal(mem_ctx, msg->dn);
2269 talloc_free(sidstr);
2270
2271 return NT_STATUS_OK;
2272 }
2273
2274
2275 /*
2276 Find the DN of a domain, assuming it to be a dotted.dns name
2277 */
2278
2279 struct ldb_dn *samdb_dns_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const char *dns_domain)
2280 {
2281 unsigned int i;
2282 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2283 const char *binary_encoded;
2284 const char * const *split_realm;
2285 struct ldb_dn *dn;
2286
2287 if (!tmp_ctx) {
2288 return NULL;
2289 }
2290
2291 split_realm = (const char * const *)str_list_make(tmp_ctx, dns_domain, ".");
2292 if (!split_realm) {
2293 talloc_free(tmp_ctx);
2294 return NULL;
2295 }
2296 dn = ldb_dn_new(mem_ctx, ldb, NULL);
2297 for (i=0; split_realm[i]; i++) {
2298 binary_encoded = ldb_binary_encode_string(tmp_ctx, split_realm[i]);
2299 if (!ldb_dn_add_base_fmt(dn, "dc=%s", binary_encoded)) {
2300 DEBUG(2, ("Failed to add dc=%s element to DN %s\n",
2301 binary_encoded, ldb_dn_get_linearized(dn)));
2302 talloc_free(tmp_ctx);
2303 return NULL;
2304 }
2305 }
2306 if (!ldb_dn_validate(dn)) {
2307 DEBUG(2, ("Failed to validated DN %s\n",
2308 ldb_dn_get_linearized(dn)));
2309 talloc_free(tmp_ctx);
2310 return NULL;
2311 }
2312 talloc_free(tmp_ctx);
2313 return dn;
2314 }
2315
2316
2317 /*
2318 Find the DNS equivalent of a DN, in dotted DNS form
2319 */
2320 char *samdb_dn_to_dns_domain(TALLOC_CTX *mem_ctx, struct ldb_dn *dn)
2321 {
2322 int i, num_components = ldb_dn_get_comp_num(dn);
2323 char *dns_name = talloc_strdup(mem_ctx, "");
2324 if (dns_name == NULL) {
2325 return NULL;
2326 }
2327
2328 for (i=0; i<num_components; i++) {
2329 const struct ldb_val *v = ldb_dn_get_component_val(dn, i);
2330 char *s;
2331 if (v == NULL) {
2332 talloc_free(dns_name);
2333 return NULL;
2334 }
2335 s = talloc_asprintf_append_buffer(dns_name, "%*.*s.",
2336 (int)v->length, (int)v->length, (char *)v->data);
2337 if (s == NULL) {
2338 talloc_free(dns_name);
2339 return NULL;
2340 }
2341 dns_name = s;
2342 }
2343
2344 /* remove the last '.' */
2345 if (dns_name[0] != 0) {
2346 dns_name[strlen(dns_name)-1] = 0;
2347 }
2348
2349 return dns_name;
2350 }
2351
2352 /*
2353 Find the DNS _msdcs name for a given NTDS GUID. The resulting DNS
2354 name is based on the forest DNS name
2355 */
2356 char *samdb_ntds_msdcs_dns_name(struct ldb_context *samdb,
2357 TALLOC_CTX *mem_ctx,
2358 const struct GUID *ntds_guid)
2359 {
2360 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2361 const char *guid_str;
2362 struct ldb_dn *forest_dn;
2363 const char *dnsforest;
2364 char *ret;
2365
2366 guid_str = GUID_string(tmp_ctx, ntds_guid);
2367 if (guid_str == NULL) {
2368 talloc_free(tmp_ctx);
2369 return NULL;
2370 }
2371 forest_dn = ldb_get_root_basedn(samdb);
2372 if (forest_dn == NULL) {
2373 talloc_free(tmp_ctx);
2374 return NULL;
2375 }
2376 dnsforest = samdb_dn_to_dns_domain(tmp_ctx, forest_dn);
2377 if (dnsforest == NULL) {
2378 talloc_free(tmp_ctx);
2379 return NULL;
2380 }
2381 ret = talloc_asprintf(mem_ctx, "%s._msdcs.%s", guid_str, dnsforest);
2382 talloc_free(tmp_ctx);
2383 return ret;
2384 }
2385
2386
2387 /*
2388 Find the DN of a domain, be it the netbios or DNS name
2389 */
2390 struct ldb_dn *samdb_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
2391 const char *domain_name)
2392 {
2393 const char * const domain_ref_attrs[] = {
2394 "ncName", NULL
2395 };
2396 const char * const domain_ref2_attrs[] = {
2397 NULL
2398 };
2399 struct ldb_result *res_domain_ref;
2400 char *escaped_domain = ldb_binary_encode_string(mem_ctx, domain_name);
2401 /* find the domain's DN */
2402 int ret_domain = ldb_search(ldb, mem_ctx,
2403 &res_domain_ref,
2404 samdb_partitions_dn(ldb, mem_ctx),
2405 LDB_SCOPE_ONELEVEL,
2406 domain_ref_attrs,
2407 "(&(nETBIOSName=%s)(objectclass=crossRef))",
2408 escaped_domain);
2409 if (ret_domain != LDB_SUCCESS) {
2410 return NULL;
2411 }
2412
2413 if (res_domain_ref->count == 0) {
2414 ret_domain = ldb_search(ldb, mem_ctx,
2415 &res_domain_ref,
2416 samdb_dns_domain_to_dn(ldb, mem_ctx, domain_name),
2417 LDB_SCOPE_BASE,
2418 domain_ref2_attrs,
2419 "(objectclass=domain)");
2420 if (ret_domain != LDB_SUCCESS) {
2421 return NULL;
2422 }
2423
2424 if (res_domain_ref->count == 1) {
2425 return res_domain_ref->msgs[0]->dn;
2426 }
2427 return NULL;
2428 }
2429
2430 if (res_domain_ref->count > 1) {
2431 DEBUG(0,("Found %d records matching domain [%s]\n",
2432 ret_domain, domain_name));
2433 return NULL;
2434 }
2435
2436 return samdb_result_dn(ldb, mem_ctx, res_domain_ref->msgs[0], "nCName", NULL);
2437
2438 }
2439
2440
2441 /*
2442 use a GUID to find a DN
2443 */
2444 int dsdb_find_dn_by_guid(struct ldb_context *ldb,
2445 TALLOC_CTX *mem_ctx,
2446 const struct GUID *guid, struct ldb_dn **dn)
2447 {
2448 int ret;
2449 struct ldb_result *res;
2450 const char *attrs[] = { NULL };
2451 char *guid_str = GUID_string(mem_ctx, guid);
2452
2453 if (!guid_str) {
2454 return ldb_operr(ldb);
2455 }
2456
2457 ret = dsdb_search(ldb, mem_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs,
2458 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
2459 DSDB_SEARCH_SHOW_EXTENDED_DN |
2460 DSDB_SEARCH_ONE_ONLY,
2461 "objectGUID=%s", guid_str);
2462 talloc_free(guid_str);
2463 if (ret != LDB_SUCCESS) {
2464 return ret;
2465 }
2466
2467 *dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
2468 talloc_free(res);
2469
2470 return LDB_SUCCESS;
2471 }
2472
2473 /*
2474 use a DN to find a GUID with a given attribute name
2475 */
2476 int dsdb_find_guid_attr_by_dn(struct ldb_context *ldb,
2477 struct ldb_dn *dn, const char *attribute,
2478 struct GUID *guid)
2479 {
2480 int ret;
2481 struct ldb_result *res;
2482 const char *attrs[2];
2483 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
2484
2485 attrs[0] = attribute;
2486 attrs[1] = NULL;
2487
2488 ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs,
2489 DSDB_SEARCH_SHOW_DELETED |
2490 DSDB_SEARCH_SHOW_RECYCLED);
2491 if (ret != LDB_SUCCESS) {
2492 talloc_free(tmp_ctx);
2493 return ret;
2494 }
2495 if (res->count < 1) {
2496 talloc_free(tmp_ctx);
2497 return LDB_ERR_NO_SUCH_OBJECT;
2498 }
2499 *guid = samdb_result_guid(res->msgs[0], attribute);
2500 talloc_free(tmp_ctx);
2501 return LDB_SUCCESS;
2502 }
2503
2504 /*
2505 use a DN to find a GUID
2506 */
2507 int dsdb_find_guid_by_dn(struct ldb_context *ldb,
2508 struct ldb_dn *dn, struct GUID *guid)
2509 {
2510 return dsdb_find_guid_attr_by_dn(ldb, dn, "objectGUID", guid);
2511 }
2512
2513
2514
2515 /*
2516 adds the given GUID to the given ldb_message. This value is added
2517 for the given attr_name (may be either "objectGUID" or "parentGUID").
2518 */
2519 int dsdb_msg_add_guid(struct ldb_message *msg,
2520 struct GUID *guid,
2521 const char *attr_name)
2522 {
2523 int ret;
2524 struct ldb_val v;
2525 NTSTATUS status;
2526 TALLOC_CTX *tmp_ctx = talloc_init("dsdb_msg_add_guid");
2527
2528 status = GUID_to_ndr_blob(guid, tmp_ctx, &v);
2529 if (!NT_STATUS_IS_OK(status)) {
2530 ret = LDB_ERR_OPERATIONS_ERROR;
2531 goto done;
2532 }
2533
2534 ret = ldb_msg_add_steal_value(msg, attr_name, &v);
2535 if (ret != LDB_SUCCESS) {
2536 DEBUG(4,(__location__ ": Failed to add %s to the message\n",
2537 attr_name));
2538 goto done;
2539 }
2540
2541 ret = LDB_SUCCESS;
2542
2543 done:
2544 talloc_free(tmp_ctx);
2545 return ret;
2546
2547 }
2548
2549
2550 /*
2551 use a DN to find a SID
2552 */
2553 int dsdb_find_sid_by_dn(struct ldb_context *ldb,
2554 struct ldb_dn *dn, struct dom_sid *sid)
2555 {
2556 int ret;
2557 struct ldb_result *res;
2558 const char *attrs[] = { "objectSid", NULL };
2559 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
2560 struct dom_sid *s;
2561
2562 ZERO_STRUCTP(sid);
2563
2564 ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs,
2565 DSDB_SEARCH_SHOW_DELETED |
2566 DSDB_SEARCH_SHOW_RECYCLED);
2567 if (ret != LDB_SUCCESS) {
2568 talloc_free(tmp_ctx);
2569 return ret;
2570 }
2571 if (res->count < 1) {
2572 talloc_free(tmp_ctx);
2573 return LDB_ERR_NO_SUCH_OBJECT;
2574 }
2575 s = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
2576 if (s == NULL) {
2577 talloc_free(tmp_ctx);
2578 return LDB_ERR_NO_SUCH_OBJECT;
2579 }
2580 *sid = *s;
2581 talloc_free(tmp_ctx);
2582 return LDB_SUCCESS;
2583 }
2584
2585 /*
2586 use a SID to find a DN
2587 */
2588 int dsdb_find_dn_by_sid(struct ldb_context *ldb,
2589 TALLOC_CTX *mem_ctx,
2590 struct dom_sid *sid, struct ldb_dn **dn)
2591 {
2592 int ret;
2593 struct ldb_result *res;
2594 const char *attrs[] = { NULL };
2595 char *sid_str = ldap_encode_ndr_dom_sid(mem_ctx, sid);
2596
2597 if (!sid_str) {
2598 return ldb_operr(ldb);
2599 }
2600
2601 ret = dsdb_search(ldb, mem_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs,
2602 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
2603 DSDB_SEARCH_SHOW_EXTENDED_DN |
2604 DSDB_SEARCH_ONE_ONLY,
2605 "objectSid=%s", sid_str);
2606 talloc_free(sid_str);
2607 if (ret != LDB_SUCCESS) {
2608 return ret;
2609 }
2610
2611 *dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
2612 talloc_free(res);
2613
2614 return LDB_SUCCESS;
2615 }
2616
2617 /*
2618 load a repsFromTo blob list for a given partition GUID
2619 attr must be "repsFrom" or "repsTo"
2620 */
2621 WERROR dsdb_loadreps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
2622 const char *attr, struct repsFromToBlob **r, uint32_t *count)
2623 {
2624 const char *attrs[] = { attr, NULL };
2625 struct ldb_result *res = NULL;
2626 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2627 unsigned int i;
2628 struct ldb_message_element *el;
2629 int ret;
2630
2631 *r = NULL;
2632 *count = 0;
2633
2634 ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs, 0);
2635 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2636 /* partition hasn't been replicated yet */
2637 return WERR_OK;
2638 }
2639 if (ret != LDB_SUCCESS) {
2640 DEBUG(0,("dsdb_loadreps: failed to read partition object: %s\n", ldb_errstring(sam_ctx)));
2641 talloc_free(tmp_ctx);
2642 return WERR_DS_DRA_INTERNAL_ERROR;
2643 }
2644
2645 el = ldb_msg_find_element(res->msgs[0], attr);
2646 if (el == NULL) {
2647 /* it's OK to be empty */
2648 talloc_free(tmp_ctx);
2649 return WERR_OK;
2650 }
2651
2652 *count = el->num_values;
2653 *r = talloc_array(mem_ctx, struct repsFromToBlob, *count);
2654 if (*r == NULL) {
2655 talloc_free(tmp_ctx);
2656 return WERR_DS_DRA_INTERNAL_ERROR;
2657 }
2658
2659 for (i=0; i<(*count); i++) {
2660 enum ndr_err_code ndr_err;
2661 ndr_err = ndr_pull_struct_blob(&el->values[i],
2662 mem_ctx,
2663 &(*r)[i],
2664 (ndr_pull_flags_fn_t)ndr_pull_repsFromToBlob);
2665 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2666 talloc_free(tmp_ctx);
2667 return WERR_DS_DRA_INTERNAL_ERROR;
2668 }
2669 }
2670
2671 talloc_free(tmp_ctx);
2672
2673 return WERR_OK;
2674 }
2675
2676 /*
2677 save the repsFromTo blob list for a given partition GUID
2678 attr must be "repsFrom" or "repsTo"
2679 */
2680 WERROR dsdb_savereps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
2681 const char *attr, struct repsFromToBlob *r, uint32_t count)
2682 {
2683 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2684 struct ldb_message *msg;
2685 struct ldb_message_element *el;
2686 unsigned int i;
2687
2688 msg = ldb_msg_new(tmp_ctx);
2689 msg->dn = dn;
2690 if (ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_REPLACE, &el) != LDB_SUCCESS) {
2691 goto failed;
2692 }
2693
2694 el->values = talloc_array(msg, struct ldb_val, count);
2695 if (!el->values) {
2696 goto failed;
2697 }
2698
2699 for (i=0; i<count; i++) {
2700 struct ldb_val v;
2701 enum ndr_err_code ndr_err;
2702
2703 ndr_err = ndr_push_struct_blob(&v, tmp_ctx,
2704 &r[i],
2705 (ndr_push_flags_fn_t)ndr_push_repsFromToBlob);
2706 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2707 goto failed;
2708 }
2709
2710 el->num_values++;
2711 el->values[i] = v;
2712 }
2713
2714 if (dsdb_modify(sam_ctx, msg, 0) != LDB_SUCCESS) {
2715 DEBUG(0,("Failed to store %s - %s\n", attr, ldb_errstring(sam_ctx)));
2716 goto failed;
2717 }
2718
2719 talloc_free(tmp_ctx);
2720
2721 return WERR_OK;
2722
2723 failed:
2724 talloc_free(tmp_ctx);
2725 return WERR_DS_DRA_INTERNAL_ERROR;
2726 }
2727
2728
2729 /*
2730 load the uSNHighest and the uSNUrgent attributes from the @REPLCHANGED
2731 object for a partition
2732 */
2733 int dsdb_load_partition_usn(struct ldb_context *ldb, struct ldb_dn *dn,
2734 uint64_t *uSN, uint64_t *urgent_uSN)
2735 {
2736 struct ldb_request *req;
2737 int ret;
2738 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
2739 struct dsdb_control_current_partition *p_ctrl;
2740 struct ldb_result *res;
2741
2742 res = talloc_zero(tmp_ctx, struct ldb_result);
2743 if (!res) {
2744 talloc_free(tmp_ctx);
2745 return ldb_oom(ldb);
2746 }
2747
2748 ret = ldb_build_search_req(&req, ldb, tmp_ctx,
2749 ldb_dn_new(tmp_ctx, ldb, "@REPLCHANGED"),
2750 LDB_SCOPE_BASE,
2751 NULL, NULL,
2752 NULL,
2753 res, ldb_search_default_callback,
2754 NULL);
2755 if (ret != LDB_SUCCESS) {
2756 talloc_free(tmp_ctx);
2757 return ret;
2758 }
2759
2760 p_ctrl = talloc(req, struct dsdb_control_current_partition);
2761 if (p_ctrl == NULL) {
2762 talloc_free(tmp_ctx);
2763 return ldb_oom(ldb);
2764 }
2765 p_ctrl->version = DSDB_CONTROL_CURRENT_PARTITION_VERSION;
2766 p_ctrl->dn = dn;
2767
2768 ret = ldb_request_add_control(req,
2769 DSDB_CONTROL_CURRENT_PARTITION_OID,
2770 false, p_ctrl);
2771 if (ret != LDB_SUCCESS) {
2772 talloc_free(tmp_ctx);
2773 return ret;
2774 }
2775
2776 /* Run the new request */
2777 ret = ldb_request(ldb, req);
2778
2779 if (ret == LDB_SUCCESS) {
2780 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
2781 }
2782
2783 if (ret == LDB_ERR_NO_SUCH_OBJECT || ret == LDB_ERR_INVALID_DN_SYNTAX) {
2784 /* it hasn't been created yet, which means
2785 an implicit value of zero */
2786 *uSN = 0;
2787 talloc_free(tmp_ctx);
2788 return LDB_SUCCESS;
2789 }
2790
2791 if (ret != LDB_SUCCESS) {
2792 talloc_free(tmp_ctx);
2793 return ret;
2794 }
2795
2796 if (res->count < 1) {
2797 *uSN = 0;
2798 if (urgent_uSN) {
2799 *urgent_uSN = 0;
2800 }
2801 } else {
2802 *uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNHighest", 0);
2803 if (urgent_uSN) {
2804 *urgent_uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNUrgent", 0);
2805 }
2806 }
2807
2808 talloc_free(tmp_ctx);
2809
2810 return LDB_SUCCESS;
2811 }
2812
2813 int drsuapi_DsReplicaCursor2_compare(const struct drsuapi_DsReplicaCursor2 *c1,
2814 const struct drsuapi_DsReplicaCursor2 *c2)
2815 {
2816 return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
2817 }
2818
2819 int drsuapi_DsReplicaCursor_compare(const struct drsuapi_DsReplicaCursor *c1,
2820 const struct drsuapi_DsReplicaCursor *c2)
2821 {
2822 return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
2823 }
2824
2825
2826 /*
2827 see if a computer identified by its invocationId is a RODC
2828 */
2829 int samdb_is_rodc(struct ldb_context *sam_ctx, const struct GUID *objectGUID, bool *is_rodc)
2830 {
2831 /* 1) find the DN for this servers NTDSDSA object
2832 2) search for the msDS-isRODC attribute
2833 3) if not present then not a RODC
2834 4) if present and TRUE then is a RODC
2835 */
2836 struct ldb_dn *config_dn;
2837 const char *attrs[] = { "msDS-isRODC", NULL };
2838 int ret;
2839 struct ldb_result *res;
2840 TALLOC_CTX *tmp_ctx = talloc_new(sam_ctx);
2841
2842 config_dn = ldb_get_config_basedn(sam_ctx);
2843 if (!config_dn) {
2844 talloc_free(tmp_ctx);
2845 return ldb_operr(sam_ctx);
2846 }
2847
2848 ret = dsdb_search(sam_ctx, tmp_ctx, &res, config_dn, LDB_SCOPE_SUBTREE, attrs,
2849 DSDB_SEARCH_ONE_ONLY, "objectGUID=%s", GUID_string(tmp_ctx, objectGUID));
2850
2851 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2852 *is_rodc = false;
2853 talloc_free(tmp_ctx);
2854 return LDB_SUCCESS;
2855 }
2856
2857 if (ret != LDB_SUCCESS) {
2858 DEBUG(1,(("Failed to find our own NTDS Settings object by objectGUID=%s!\n"),
2859 GUID_string(tmp_ctx, objectGUID)));
2860 *is_rodc = false;
2861 talloc_free(tmp_ctx);
2862 return ret;
2863 }
2864
2865 ret = ldb_msg_find_attr_as_bool(res->msgs[0], "msDS-isRODC", 0);
2866 *is_rodc = (ret == 1);
2867
2868 talloc_free(tmp_ctx);
2869 return LDB_SUCCESS;
2870 }
2871
2872
2873 /*
2874 see if we are a RODC
2875 */
2876 int samdb_rodc(struct ldb_context *sam_ctx, bool *am_rodc)
2877 {
2878 const struct GUID *objectGUID;
2879 int ret;
2880 bool *cached;
2881
2882 /* see if we have a cached copy */
2883 cached = (bool *)ldb_get_opaque(sam_ctx, "cache.am_rodc");
2884 if (cached) {
2885 *am_rodc = *cached;
2886 return LDB_SUCCESS;
2887 }
2888
2889 objectGUID = samdb_ntds_objectGUID(sam_ctx);
2890 if (!objectGUID) {
2891 return ldb_operr(sam_ctx);
2892 }
2893
2894 ret = samdb_is_rodc(sam_ctx, objectGUID, am_rodc);
2895 if (ret != LDB_SUCCESS) {
2896 return ret;
2897 }
2898
2899 cached = talloc(sam_ctx, bool);
2900 if (cached == NULL) {
2901 return ldb_oom(sam_ctx);
2902 }
2903 *cached = *am_rodc;
2904
2905 ret = ldb_set_opaque(sam_ctx, "cache.am_rodc", cached);
2906 if (ret != LDB_SUCCESS) {
2907 talloc_free(cached);
2908 return ldb_operr(sam_ctx);
2909 }
2910
2911 return LDB_SUCCESS;
2912 }
2913
2914 bool samdb_set_am_rodc(struct ldb_context *ldb, bool am_rodc)
2915 {
2916 TALLOC_CTX *tmp_ctx;
2917 bool *cached;
2918
2919 tmp_ctx = talloc_new(ldb);
2920 if (tmp_ctx == NULL) {
2921 goto failed;
2922 }
2923
2924 cached = talloc(tmp_ctx, bool);
2925 if (!cached) {
2926 goto failed;
2927 }
2928
2929 *cached = am_rodc;
2930 if (ldb_set_opaque(ldb, "cache.am_rodc", cached) != LDB_SUCCESS) {
2931 goto failed;
2932 }
2933
2934 talloc_steal(ldb, cached);
2935 talloc_free(tmp_ctx);
2936 return true;
2937
2938 failed:
2939 DEBUG(1,("Failed to set our own cached am_rodc in the ldb!\n"));
2940 talloc_free(tmp_ctx);
2941 return false;
2942 }
2943
2944
2945 /*
2946 * return NTDSSiteSettings options. See MS-ADTS 7.1.1.2.2.1.1
2947 * flags are DS_NTDSSETTINGS_OPT_*
2948 */
2949 int samdb_ntds_site_settings_options(struct ldb_context *ldb_ctx,
2950 uint32_t *options)
2951 {
2952 int rc;
2953 TALLOC_CTX *tmp_ctx;
2954 struct ldb_result *res;
2955 struct ldb_dn *site_dn;
2956 const char *attrs[] = { "options", NULL };
2957
2958 tmp_ctx = talloc_new(ldb_ctx);
2959 if (tmp_ctx == NULL)
2960 goto failed;
2961
2962 /* Retrieve the site dn for the ldb that we
2963 * have open. This is our local site.
2964 */
2965 site_dn = samdb_server_site_dn(ldb_ctx, tmp_ctx);
2966 if (site_dn == NULL)
2967 goto failed;
2968
2969 /* Perform a one level (child) search from the local
2970 * site distinguided name. We're looking for the
2971 * "options" attribute within the nTDSSiteSettings
2972 * object
2973 */
2974 rc = ldb_search(ldb_ctx, tmp_ctx, &res, site_dn,
2975 LDB_SCOPE_ONELEVEL, attrs,
2976 "objectClass=nTDSSiteSettings");
2977
2978 if (rc != LDB_SUCCESS || res->count != 1)
2979 goto failed;
2980
2981 *options = ldb_msg_find_attr_as_uint(res->msgs[0], "options", 0);
2982
2983 talloc_free(tmp_ctx);
2984
2985 return LDB_SUCCESS;
2986
2987 failed:
2988 DEBUG(1,("Failed to find our NTDS Site Settings options in ldb!\n"));
2989 talloc_free(tmp_ctx);
2990 return LDB_ERR_NO_SUCH_OBJECT;
2991 }
2992
2993 /*
2994 return NTDS options flags. See MS-ADTS 7.1.1.2.2.1.2.1.1
2995
2996 flags are DS_NTDS_OPTION_*
2997 */
2998 int samdb_ntds_options(struct ldb_context *ldb, uint32_t *options)
2999 {
3000 TALLOC_CTX *tmp_ctx;
3001 const char *attrs[] = { "options", NULL };
3002 int ret;
3003 struct ldb_result *res;
3004
3005 tmp_ctx = talloc_new(ldb);
3006 if (tmp_ctx == NULL) {
3007 goto failed;
3008 }
3009
3010 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb, tmp_ctx), LDB_SCOPE_BASE, attrs, NULL);
3011 if (ret != LDB_SUCCESS) {
3012 goto failed;
3013 }
3014
3015 if (res->count != 1) {
3016 goto failed;
3017 }
3018
3019 *options = ldb_msg_find_attr_as_uint(res->msgs[0], "options", 0);
3020
3021 talloc_free(tmp_ctx);
3022
3023 return LDB_SUCCESS;
3024
3025 failed:
3026 DEBUG(1,("Failed to find our own NTDS Settings options in the ldb!\n"));
3027 talloc_free(tmp_ctx);
3028 return LDB_ERR_NO_SUCH_OBJECT;
3029 }
3030
3031 const char* samdb_ntds_object_category(TALLOC_CTX *tmp_ctx, struct ldb_context *ldb)
3032 {
3033 const char *attrs[] = { "objectCategory", NULL };
3034 int ret;
3035 struct ldb_result *res;
3036
3037 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb, tmp_ctx), LDB_SCOPE_BASE, attrs, NULL);
3038 if (ret != LDB_SUCCESS) {
3039 goto failed;
3040 }
3041
3042 if (res->count != 1) {
3043 goto failed;
3044 }
3045
3046 return ldb_msg_find_attr_as_string(res->msgs[0], "objectCategory", NULL);
3047
3048 failed:
3049 DEBUG(1,("Failed to find our own NTDS Settings objectCategory in the ldb!\n"));
3050 return NULL;
3051 }
3052
3053 /*
3054 * Function which generates a "lDAPDisplayName" attribute from a "CN" one.
3055 * Algorithm implemented according to MS-ADTS 3.1.1.2.3.4
3056 */
3057 const char *samdb_cn_to_lDAPDisplayName(TALLOC_CTX *mem_ctx, const char *cn)
3058 {
3059 char **tokens, *ret;
3060 size_t i;
3061
3062 tokens = str_list_make(mem_ctx, cn, " -_");
3063 if (tokens == NULL)
3064 return NULL;
3065
3066 /* "tolower()" and "toupper()" should also work properly on 0x00 */
3067 tokens[0][0] = tolower(tokens[0][0]);
3068 for (i = 1; i < str_list_length((const char * const *)tokens); i++)
3069 tokens[i][0] = toupper(tokens[i][0]);
3070
3071 ret = talloc_strdup(mem_ctx, tokens[0]);
3072 for (i = 1; i < str_list_length((const char * const *)tokens); i++)
3073 ret = talloc_asprintf_append_buffer(ret, "%s", tokens[i]);
3074
3075 talloc_free(tokens);
3076
3077 return ret;
3078 }
3079
3080 /*
3081 * This detects and returns the domain functional level (DS_DOMAIN_FUNCTION_*)
3082 */
3083 int dsdb_functional_level(struct ldb_context *ldb)
3084 {
3085 int *domainFunctionality =
3086 talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int);
3087 if (!domainFunctionality) {
3088 /* this is expected during initial provision */
3089 DEBUG(4,(__location__ ": WARNING: domainFunctionality not setup\n"));
3090 return DS_DOMAIN_FUNCTION_2000;
3091 }
3092 return *domainFunctionality;
3093 }
3094
3095 /*
3096 * This detects and returns the forest functional level (DS_DOMAIN_FUNCTION_*)
3097 */
3098 int dsdb_forest_functional_level(struct ldb_context *ldb)
3099 {
3100 int *forestFunctionality =
3101 talloc_get_type(ldb_get_opaque(ldb, "forestFunctionality"), int);
3102 if (!forestFunctionality) {
3103 DEBUG(0,(__location__ ": WARNING: forestFunctionality not setup\n"));
3104 return DS_DOMAIN_FUNCTION_2000;
3105 }
3106 return *forestFunctionality;
3107 }
3108
3109 /*
3110 set a GUID in an extended DN structure
3111 */
3112 int dsdb_set_extended_dn_guid(struct ldb_dn *dn, const struct GUID *guid, const char *component_name)
3113 {
3114 struct ldb_val v;
3115 NTSTATUS status;
3116 int ret;
3117
3118 status = GUID_to_ndr_blob(guid, dn, &v);
3119 if (!NT_STATUS_IS_OK(status)) {
3120 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
3121 }
3122
3123 ret = ldb_dn_set_extended_component(dn, component_name, &v);
3124 data_blob_free(&v);
3125 return ret;
3126 }
3127
3128 /*
3129 return a GUID from a extended DN structure
3130 */
3131 NTSTATUS dsdb_get_extended_dn_guid(struct ldb_dn *dn, struct GUID *guid, const char *component_name)
3132 {
3133 const struct ldb_val *v;
3134
3135 v = ldb_dn_get_extended_component(dn, component_name);
3136 if (v == NULL) {
3137 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3138 }
3139
3140 return GUID_from_ndr_blob(v, guid);
3141 }
3142
3143 /*
3144 return a uint64_t from a extended DN structure
3145 */
3146 NTSTATUS dsdb_get_extended_dn_uint64(struct ldb_dn *dn, uint64_t *val, const char *component_name)
3147 {
3148 const struct ldb_val *v;
3149 char *s;
3150
3151 v = ldb_dn_get_extended_component(dn, component_name);
3152 if (v == NULL) {
3153 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3154 }
3155 s = talloc_strndup(dn, (const char *)v->data, v->length);
3156 NT_STATUS_HAVE_NO_MEMORY(s);
3157
3158 *val = strtoull(s, NULL, 0);
3159
3160 talloc_free(s);
3161 return NT_STATUS_OK;
3162 }
3163
3164 /*
3165 return a NTTIME from a extended DN structure
3166 */
3167 NTSTATUS dsdb_get_extended_dn_nttime(struct ldb_dn *dn, NTTIME *nttime, const char *component_name)
3168 {
3169 return dsdb_get_extended_dn_uint64(dn, nttime, component_name);
3170 }
3171
3172 /*
3173 return a uint32_t from a extended DN structure
3174 */
3175 NTSTATUS dsdb_get_extended_dn_uint32(struct ldb_dn *dn, uint32_t *val, const char *component_name)
3176 {
3177 const struct ldb_val *v;
3178 char *s;
3179
3180 v = ldb_dn_get_extended_component(dn, component_name);
3181 if (v == NULL) {
3182 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3183 }
3184
3185 s = talloc_strndup(dn, (const char *)v->data, v->length);
3186 NT_STATUS_HAVE_NO_MEMORY(s);
3187
3188 *val = strtoul(s, NULL, 0);
3189
3190 talloc_free(s);
3191 return NT_STATUS_OK;
3192 }
3193
3194 /*
3195 return a dom_sid from a extended DN structure
3196 */
3197 NTSTATUS dsdb_get_extended_dn_sid(struct ldb_dn *dn, struct dom_sid *sid, const char *component_name)
3198 {
3199 const struct ldb_val *sid_blob;
3200 struct TALLOC_CTX *tmp_ctx;
3201 enum ndr_err_code ndr_err;
3202
3203 sid_blob = ldb_dn_get_extended_component(dn, component_name);
3204 if (!sid_blob) {
3205 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3206 }
3207
3208 tmp_ctx = talloc_new(NULL);
3209
3210 ndr_err = ndr_pull_struct_blob_all(sid_blob, tmp_ctx, sid,
3211 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
3212 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3213 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
3214 talloc_free(tmp_ctx);
3215 return status;
3216 }
3217
3218 talloc_free(tmp_ctx);
3219 return NT_STATUS_OK;
3220 }
3221
3222
3223 /*
3224 return RMD_FLAGS directly from a ldb_dn
3225 returns 0 if not found
3226 */
3227 uint32_t dsdb_dn_rmd_flags(struct ldb_dn *dn)
3228 {
3229 const struct ldb_val *v;
3230 char buf[32];
3231 v = ldb_dn_get_extended_component(dn, "RMD_FLAGS");
3232 if (!v || v->length > sizeof(buf)-1) return 0;
3233 strncpy(buf, (const char *)v->data, v->length);
3234 buf[v->length] = 0;
3235 return strtoul(buf, NULL, 10);
3236 }
3237
3238 /*
3239 return RMD_FLAGS directly from a ldb_val for a DN
3240 returns 0 if RMD_FLAGS is not found
3241 */
3242 uint32_t dsdb_dn_val_rmd_flags(const struct ldb_val *val)
3243 {
3244 const char *p;
3245 uint32_t flags;
3246 char *end;
3247
3248 if (val->length < 13) {
3249 return 0;
3250 }
3251 p = memmem(val->data, val->length, "<RMD_FLAGS=", 11);
3252 if (!p) {
3253 return 0;
3254 }
3255 flags = strtoul(p+11, &end, 10);
3256 if (!end || *end != '>') {
3257 /* it must end in a > */
3258 return 0;
3259 }
3260 return flags;
3261 }
3262
3263 /*
3264 return true if a ldb_val containing a DN in storage form is deleted
3265 */
3266 bool dsdb_dn_is_deleted_val(const struct ldb_val *val)
3267 {
3268 return (dsdb_dn_val_rmd_flags(val) & DSDB_RMD_FLAG_DELETED) != 0;
3269 }
3270
3271 /*
3272 return true if a ldb_val containing a DN in storage form is
3273 in the upgraded w2k3 linked attribute format
3274 */
3275 bool dsdb_dn_is_upgraded_link_val(struct ldb_val *val)
3276 {
3277 return memmem(val->data, val->length, "<RMD_VERSION=", 13) != NULL;
3278 }
3279
3280 /*
3281 return a DN for a wellknown GUID
3282 */
3283 int dsdb_wellknown_dn(struct ldb_context *samdb, TALLOC_CTX *mem_ctx,
3284 struct ldb_dn *nc_root, const char *wk_guid,
3285 struct ldb_dn **wkguid_dn)
3286 {
3287 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3288 const char *attrs[] = { NULL };
3289 int ret;
3290 struct ldb_dn *dn;
3291 struct ldb_result *res;
3292
3293 /* construct the magic WKGUID DN */
3294 dn = ldb_dn_new_fmt(tmp_ctx, samdb, "<WKGUID=%s,%s>",
3295 wk_guid, ldb_dn_get_linearized(nc_root));
3296 if (!wkguid_dn) {
3297 talloc_free(tmp_ctx);
3298 return ldb_operr(samdb);
3299 }
3300
3301 ret = dsdb_search_dn(samdb, tmp_ctx, &res, dn, attrs,
3302 DSDB_SEARCH_SHOW_DELETED |
3303 DSDB_SEARCH_SHOW_RECYCLED);
3304 if (ret != LDB_SUCCESS) {
3305 talloc_free(tmp_ctx);
3306 return ret;
3307 }
3308
3309 (*wkguid_dn) = talloc_steal(mem_ctx, res->msgs[0]->dn);
3310 talloc_free(tmp_ctx);
3311 return LDB_SUCCESS;
3312 }
3313
3314
3315 static int dsdb_dn_compare_ptrs(struct ldb_dn **dn1, struct ldb_dn **dn2)
3316 {
3317 return ldb_dn_compare(*dn1, *dn2);
3318 }
3319
3320 /*
3321 find a NC root given a DN within the NC
3322 */
3323 int dsdb_find_nc_root(struct ldb_context *samdb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
3324 struct ldb_dn **nc_root)
3325 {
3326 const char *root_attrs[] = { "namingContexts", NULL };
3327 TALLOC_CTX *tmp_ctx;
3328 int ret;
3329 struct ldb_message_element *el;
3330 struct ldb_result *root_res;
3331 unsigned int i;
3332 struct ldb_dn **nc_dns;
3333
3334 tmp_ctx = talloc_new(samdb);
3335 if (tmp_ctx == NULL) {
3336 return ldb_oom(samdb);
3337 }
3338
3339 ret = ldb_search(samdb, tmp_ctx, &root_res,
3340 ldb_dn_new(tmp_ctx, samdb, ""), LDB_SCOPE_BASE, root_attrs, NULL);
3341 if (ret != LDB_SUCCESS) {
3342 DEBUG(1,("Searching for namingContexts in rootDSE failed: %s\n", ldb_errstring(samdb)));
3343 talloc_free(tmp_ctx);
3344 return ret;
3345 }
3346
3347 el = ldb_msg_find_element(root_res->msgs[0], "namingContexts");
3348 if ((el == NULL) || (el->num_values < 3)) {
3349 struct ldb_message *tmp_msg;
3350
3351 DEBUG(5,("dsdb_find_nc_root: Finding a valid 'namingContexts' element in the RootDSE failed. Using a temporary list."));
3352
3353 /* This generates a temporary list of NCs in order to let the
3354 * provisioning work. */
3355 tmp_msg = ldb_msg_new(tmp_ctx);
3356 if (tmp_msg == NULL) {
3357 talloc_free(tmp_ctx);
3358 return ldb_oom(samdb);
3359 }
3360 ret = ldb_msg_add_steal_string(tmp_msg, "namingContexts",
3361 ldb_dn_alloc_linearized(tmp_msg, ldb_get_schema_basedn(samdb)));
3362 if (ret != LDB_SUCCESS) {
3363 talloc_free(tmp_ctx);
3364 return ret;
3365 }
3366 ret = ldb_msg_add_steal_string(tmp_msg, "namingContexts",
3367 ldb_dn_alloc_linearized(tmp_msg, ldb_get_config_basedn(samdb)));
3368 if (ret != LDB_SUCCESS) {
3369 talloc_free(tmp_ctx);
3370 return ret;
3371 }
3372 ret = ldb_msg_add_steal_string(tmp_msg, "namingContexts",
3373 ldb_dn_alloc_linearized(tmp_msg, ldb_get_default_basedn(samdb)));
3374 if (ret != LDB_SUCCESS) {
3375 talloc_free(tmp_ctx);
3376 return ret;
3377 }
3378 el = &tmp_msg->elements[0];
3379 }
3380
3381 nc_dns = talloc_array(tmp_ctx, struct ldb_dn *, el->num_values);
3382 if (!nc_dns) {
3383 talloc_free(tmp_ctx);
3384 return ldb_oom(samdb);
3385 }
3386
3387 for (i=0; i<el->num_values; i++) {
3388 nc_dns[i] = ldb_dn_from_ldb_val(nc_dns, samdb, &el->values[i]);
3389 if (nc_dns[i] == NULL) {
3390 talloc_free(tmp_ctx);
3391 return ldb_operr(samdb);
3392 }
3393 }
3394
3395 TYPESAFE_QSORT(nc_dns, el->num_values, dsdb_dn_compare_ptrs);
3396
3397 for (i=0; i<el->num_values; i++) {
3398 if (ldb_dn_compare_base(nc_dns[i], dn) == 0) {
3399 (*nc_root) = talloc_steal(mem_ctx, nc_dns[i]);
3400 talloc_free(tmp_ctx);
3401 return LDB_SUCCESS;
3402 }
3403 }
3404
3405 talloc_free(tmp_ctx);
3406 return LDB_ERR_NO_SUCH_OBJECT;
3407 }
3408
3409
3410 /*
3411 find the deleted objects DN for any object, by looking for the NC
3412 root, then looking up the wellknown GUID
3413 */
3414 int dsdb_get_deleted_objects_dn(struct ldb_context *ldb,
3415 TALLOC_CTX *mem_ctx, struct ldb_dn *obj_dn,
3416 struct ldb_dn **do_dn)
3417 {
3418 struct ldb_dn *nc_root;
3419 int ret;
3420
3421 ret = dsdb_find_nc_root(ldb, mem_ctx, obj_dn, &nc_root);
3422 if (ret != LDB_SUCCESS) {
3423 return ret;
3424 }
3425
3426 ret = dsdb_wellknown_dn(ldb, mem_ctx, nc_root, DS_GUID_DELETED_OBJECTS_CONTAINER, do_dn);
3427 talloc_free(nc_root);
3428 return ret;
3429 }
3430
3431 /*
3432 return the tombstoneLifetime, in days
3433 */
3434 int dsdb_tombstone_lifetime(struct ldb_context *ldb, uint32_t *lifetime)
3435 {
3436 struct ldb_dn *dn;
3437 dn = ldb_get_config_basedn(ldb);
3438 if (!dn) {
3439 return LDB_ERR_NO_SUCH_OBJECT;
3440 }
3441 dn = ldb_dn_copy(ldb, dn);
3442 if (!dn) {
3443 return ldb_operr(ldb);
3444 }
3445 /* see MS-ADTS section 7.1.1.2.4.1.1. There doesn't appear to
3446 be a wellknown GUID for this */
3447 if (!ldb_dn_add_child_fmt(dn, "CN=Directory Service,CN=Windows NT,CN=Services")) {
3448 talloc_free(dn);
3449 return ldb_operr(ldb);
3450 }
3451
3452 *lifetime = samdb_search_uint(ldb, dn, 180, dn, "tombstoneLifetime", "objectClass=nTDSService");
3453 talloc_free(dn);
3454 return LDB_SUCCESS;
3455 }
3456
3457 /*
3458 compare a ldb_val to a string case insensitively
3459 */
3460 int samdb_ldb_val_case_cmp(const char *s, struct ldb_val *v)
3461 {
3462 size_t len = strlen(s);
3463 int ret;
3464 if (len > v->length) return 1;
3465 ret = strncasecmp(s, (const char *)v->data, v->length);
3466 if (ret != 0) return ret;
3467 if (v->length > len && v->data[len] != 0) {
3468 return -1;
3469 }
3470 return 0;
3471 }
3472
3473
3474 /*
3475 load the UDV for a partition in v2 format
3476 The list is returned sorted, and with our local cursor added
3477 */
3478 int dsdb_load_udv_v2(struct ldb_context *samdb, struct ldb_dn *dn, TALLOC_CTX *mem_ctx,
3479 struct drsuapi_DsReplicaCursor2 **cursors, uint32_t *count)
3480 {
3481 static const char *attrs[] = { "replUpToDateVector", NULL };
3482 struct ldb_result *r;
3483 const struct ldb_val *ouv_value;
3484 unsigned int i;
3485 int ret;
3486 uint64_t highest_usn;
3487 const struct GUID *our_invocation_id;
3488 struct timeval now = timeval_current();
3489
3490 ret = ldb_search(samdb, mem_ctx, &r, dn, LDB_SCOPE_BASE, attrs, NULL);
3491 if (ret != LDB_SUCCESS) {
3492 return ret;
3493 }
3494
3495 ouv_value = ldb_msg_find_ldb_val(r->msgs[0], "replUpToDateVector");
3496 if (ouv_value) {
3497 enum ndr_err_code ndr_err;
3498 struct replUpToDateVectorBlob ouv;
3499
3500 ndr_err = ndr_pull_struct_blob(ouv_value, r, &ouv,
3501 (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
3502 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3503 talloc_free(r);
3504 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
3505 }
3506 if (ouv.version != 2) {
3507 /* we always store as version 2, and
3508 * replUpToDateVector is not replicated
3509 */
3510 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
3511 }
3512
3513 *count = ouv.ctr.ctr2.count;
3514 *cursors = talloc_steal(mem_ctx, ouv.ctr.ctr2.cursors);
3515 } else {
3516 *count = 0;
3517 *cursors = NULL;
3518 }
3519
3520 talloc_free(r);
3521
3522 our_invocation_id = samdb_ntds_invocation_id(samdb);
3523 if (!our_invocation_id) {
3524 DEBUG(0,(__location__ ": No invocationID on samdb - %s\n", ldb_errstring(samdb)));
3525 talloc_free(*cursors);
3526 return ldb_operr(samdb);
3527 }
3528
3529 ret = dsdb_load_partition_usn(samdb, dn, &highest_usn, NULL);
3530 if (ret != LDB_SUCCESS) {
3531 /* nothing to add - this can happen after a vampire */
3532 TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
3533 return LDB_SUCCESS;
3534 }
3535
3536 for (i=0; i<*count; i++) {
3537 if (GUID_equal(our_invocation_id, &(*cursors)[i].source_dsa_invocation_id)) {
3538 (*cursors)[i].highest_usn = highest_usn;
3539 (*cursors)[i].last_sync_success = timeval_to_nttime(&now);
3540 TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
3541 return LDB_SUCCESS;
3542 }
3543 }
3544
3545 (*cursors) = talloc_realloc(mem_ctx, *cursors, struct drsuapi_DsReplicaCursor2, (*count)+1);
3546 if (! *cursors) {
3547 return ldb_oom(samdb);
3548 }
3549
3550 (*cursors)[*count].source_dsa_invocation_id = *our_invocation_id;
3551 (*cursors)[*count].highest_usn = highest_usn;
3552 (*cursors)[*count].last_sync_success = timeval_to_nttime(&now);
3553 (*count)++;
3554
3555 TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
3556
3557 return LDB_SUCCESS;
3558 }
3559
3560 /*
3561 load the UDV for a partition in version 1 format
3562 The list is returned sorted, and with our local cursor added
3563 */
3564 int dsdb_load_udv_v1(struct ldb_context *samdb, struct ldb_dn *dn, TALLOC_CTX *mem_ctx,
3565 struct drsuapi_DsReplicaCursor **cursors, uint32_t *count)
3566 {
3567 struct drsuapi_DsReplicaCursor2 *v2;
3568 uint32_t i;
3569 int ret;
3570
3571 ret = dsdb_load_udv_v2(samdb, dn, mem_ctx, &v2, count);
3572 if (ret != LDB_SUCCESS) {
3573 return ret;
3574 }
3575
3576 if (*count == 0) {
3577 talloc_free(v2);
3578 *cursors = NULL;
3579 return LDB_SUCCESS;
3580 }
3581
3582 *cursors = talloc_array(mem_ctx, struct drsuapi_DsReplicaCursor, *count);
3583 if (*cursors == NULL) {
3584 talloc_free(v2);
3585 return ldb_oom(samdb);
3586 }
3587
3588 for (i=0; i<*count; i++) {
3589 (*cursors)[i].source_dsa_invocation_id = v2[i].source_dsa_invocation_id;
3590 (*cursors)[i].highest_usn = v2[i].highest_usn;
3591 }
3592 talloc_free(v2);
3593 return LDB_SUCCESS;
3594 }
3595
3596 /*
3597 add a set of controls to a ldb_request structure based on a set of
3598 flags. See util.h for a list of available flags
3599 */
3600 int dsdb_request_add_controls(struct ldb_request *req, uint32_t dsdb_flags)
3601 {
3602 int ret;
3603 if (dsdb_flags & DSDB_SEARCH_SEARCH_ALL_PARTITIONS) {
3604 struct ldb_search_options_control *options;
3605 /* Using the phantom root control allows us to search all partitions */
3606 options = talloc(req, struct ldb_search_options_control);
3607 if (options == NULL) {
3608 return LDB_ERR_OPERATIONS_ERROR;
3609 }
3610 options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
3611
3612 ret = ldb_request_add_control(req,
3613 LDB_CONTROL_SEARCH_OPTIONS_OID,
3614 true, options);
3615 if (ret != LDB_SUCCESS) {
3616 return ret;
3617 }
3618 }
3619
3620 if (dsdb_flags & DSDB_SEARCH_NO_GLOBAL_CATALOG) {
3621 ret = ldb_request_add_control(req,
3622 DSDB_CONTROL_NO_GLOBAL_CATALOG,
3623 false, NULL);
3624 if (ret != LDB_SUCCESS) {
3625 return ret;
3626 }
3627 }
3628
3629 if (dsdb_flags & DSDB_SEARCH_SHOW_DELETED) {
3630 ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_DELETED_OID, true, NULL);
3631 if (ret != LDB_SUCCESS) {
3632 return ret;
3633 }
3634 }
3635
3636 if (dsdb_flags & DSDB_SEARCH_SHOW_RECYCLED) {
3637 ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_RECYCLED_OID, false, NULL);
3638 if (ret != LDB_SUCCESS) {
3639 return ret;
3640 }
3641 }
3642
3643 if (dsdb_flags & DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT) {
3644 ret = ldb_request_add_control(req, DSDB_CONTROL_DN_STORAGE_FORMAT_OID, false, NULL);
3645 if (ret != LDB_SUCCESS) {
3646 return ret;
3647 }
3648 }
3649
3650 if (dsdb_flags & DSDB_SEARCH_SHOW_EXTENDED_DN) {
3651 struct ldb_extended_dn_control *extended_ctrl = talloc(req, struct ldb_extended_dn_control);
3652 if (!extended_ctrl) {
3653 return LDB_ERR_OPERATIONS_ERROR;
3654 }
3655 extended_ctrl->type = 1;
3656
3657 ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, extended_ctrl);
3658 if (ret != LDB_SUCCESS) {
3659 return ret;
3660 }
3661 }
3662
3663 if (dsdb_flags & DSDB_SEARCH_REVEAL_INTERNALS) {
3664 ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
3665 if (ret != LDB_SUCCESS) {
3666 return ret;
3667 }
3668 }
3669
3670 if (dsdb_flags & DSDB_MODIFY_RELAX) {
3671 ret = ldb_request_add_control(req, LDB_CONTROL_RELAX_OID, false, NULL);
3672 if (ret != LDB_SUCCESS) {
3673 return ret;
3674 }
3675 }
3676
3677 if (dsdb_flags & DSDB_MODIFY_PERMISSIVE) {
3678 ret = ldb_request_add_control(req, LDB_CONTROL_PERMISSIVE_MODIFY_OID, false, NULL);
3679 if (ret != LDB_SUCCESS) {
3680 return ret;
3681 }
3682 }
3683
3684 if (dsdb_flags & DSDB_FLAG_AS_SYSTEM) {
3685 ret = ldb_request_add_control(req, LDB_CONTROL_AS_SYSTEM_OID, false, NULL);
3686 if (ret != LDB_SUCCESS) {
3687 return ret;
3688 }
3689 }
3690
3691 if (dsdb_flags & DSDB_TREE_DELETE) {
3692 ret = ldb_request_add_control(req, LDB_CONTROL_TREE_DELETE_OID, false, NULL);
3693 if (ret != LDB_SUCCESS) {
3694 return ret;
3695 }
3696 }
3697
3698 if (dsdb_flags & DSDB_PROVISION) {
3699 ret = ldb_request_add_control(req, LDB_CONTROL_PROVISION_OID, false, NULL);
3700 if (ret != LDB_SUCCESS) {
3701 return ret;
3702 }
3703 }
3704
3705 /* This is a special control to bypass the password_hash module for use in pdb_samba4 for Samba3 upgrades */
3706 if (dsdb_flags & DSDB_BYPASS_PASSWORD_HASH) {
3707 ret = ldb_request_add_control(req, DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID, true, NULL);
3708 if (ret != LDB_SUCCESS) {
3709 return ret;
3710 }
3711 }
3712
3713 if (dsdb_flags & DSDB_PASSWORD_BYPASS_LAST_SET) {
3714 /*
3715 * This must not be critical, as it will only be
3716 * handled (and need to be handled) if the other
3717 * attributes in the request bring password_hash into
3718 * action
3719 */
3720 ret = ldb_request_add_control(req, DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID, false, NULL);
3721 if (ret != LDB_SUCCESS) {
3722 return ret;
3723 }
3724 }
3725
3726 if (dsdb_flags & DSDB_MODIFY_PARTIAL_REPLICA) {
3727 ret = ldb_request_add_control(req, DSDB_CONTROL_PARTIAL_REPLICA, false, NULL);
3728 if (ret != LDB_SUCCESS) {
3729 return ret;
3730 }
3731 }
3732
3733 return LDB_SUCCESS;
3734 }
3735
3736 /*
3737 an add with a set of controls
3738 */
3739 int dsdb_add(struct ldb_context *ldb, const struct ldb_message *message,
3740 uint32_t dsdb_flags)
3741 {
3742 struct ldb_request *req;
3743 int ret;
3744
3745 ret = ldb_build_add_req(&req, ldb, ldb,
3746 message,
3747 NULL,
3748 NULL,
3749 ldb_op_default_callback,
3750 NULL);
3751
3752 if (ret != LDB_SUCCESS) return ret;
3753
3754 ret = dsdb_request_add_controls(req, dsdb_flags);
3755 if (ret != LDB_SUCCESS) {
3756 talloc_free(req);
3757 return ret;
3758 }
3759
3760 ret = dsdb_autotransaction_request(ldb, req);
3761
3762 talloc_free(req);
3763 return ret;
3764 }
3765
3766 /*
3767 a modify with a set of controls
3768 */
3769 int dsdb_modify(struct ldb_context *ldb, const struct ldb_message *message,
3770 uint32_t dsdb_flags)
3771 {
3772 struct ldb_request *req;
3773 int ret;
3774
3775 ret = ldb_build_mod_req(&req, ldb, ldb,
3776 message,
3777 NULL,
3778 NULL,
3779 ldb_op_default_callback,
3780 NULL);
3781
3782 if (ret != LDB_SUCCESS) return ret;
3783
3784 ret = dsdb_request_add_controls(req, dsdb_flags);
3785 if (ret != LDB_SUCCESS) {
3786 talloc_free(req);
3787 return ret;
3788 }
3789
3790 ret = dsdb_autotransaction_request(ldb, req);
3791
3792 talloc_free(req);
3793 return ret;
3794 }
3795
3796 /*
3797 a delete with a set of flags
3798 */
3799 int dsdb_delete(struct ldb_context *ldb, struct ldb_dn *dn,
3800 uint32_t dsdb_flags)
3801 {
3802 struct ldb_request *req;
3803 int ret;
3804
3805 ret = ldb_build_del_req(&req, ldb, ldb,
3806 dn,
3807 NULL,
3808 NULL,
3809 ldb_op_default_callback,
3810 NULL);
3811
3812 if (ret != LDB_SUCCESS) return ret;
3813
3814 ret = dsdb_request_add_controls(req, dsdb_flags);
3815 if (ret != LDB_SUCCESS) {
3816 talloc_free(req);
3817 return ret;
3818 }
3819
3820 ret = dsdb_autotransaction_request(ldb, req);
3821
3822 talloc_free(req);
3823 return ret;
3824 }
3825
3826 /*
3827 like dsdb_modify() but set all the element flags to
3828 LDB_FLAG_MOD_REPLACE
3829 */
3830 int dsdb_replace(struct ldb_context *ldb, struct ldb_message *msg, uint32_t dsdb_flags)
3831 {
3832 unsigned int i;
3833
3834 /* mark all the message elements as LDB_FLAG_MOD_REPLACE */
3835 for (i=0;i<msg->num_elements;i++) {
3836 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
3837 }
3838
3839 return dsdb_modify(ldb, msg, dsdb_flags);
3840 }
3841
3842
3843 /*
3844 search for attrs on one DN, allowing for dsdb_flags controls
3845 */
3846 int dsdb_search_dn(struct ldb_context *ldb,
3847 TALLOC_CTX *mem_ctx,
3848 struct ldb_result **_res,
3849 struct ldb_dn *basedn,
3850 const char * const *attrs,
3851 uint32_t dsdb_flags)
3852 {
3853 int ret;
3854 struct ldb_request *req;
3855 struct ldb_result *res;
3856
3857 res = talloc_zero(mem_ctx, struct ldb_result);
3858 if (!res) {
3859 return ldb_oom(ldb);
3860 }
3861
3862 ret = ldb_build_search_req(&req, ldb, res,
3863 basedn,
3864 LDB_SCOPE_BASE,
3865 NULL,
3866 attrs,
3867 NULL,
3868 res,
3869 ldb_search_default_callback,
3870 NULL);
3871 if (ret != LDB_SUCCESS) {
3872 talloc_free(res);
3873 return ret;
3874 }
3875
3876 ret = dsdb_request_add_controls(req, dsdb_flags);
3877 if (ret != LDB_SUCCESS) {
3878 talloc_free(res);
3879 return ret;
3880 }
3881
3882 ret = ldb_request(ldb, req);
3883 if (ret == LDB_SUCCESS) {
3884 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
3885 }
3886
3887 talloc_free(req);
3888 if (ret != LDB_SUCCESS) {
3889 talloc_free(res);
3890 return ret;
3891 }
3892
3893 *_res = res;
3894 return LDB_SUCCESS;
3895 }
3896
3897 /*
3898 search for attrs on one DN, by the GUID of the DN, allowing for
3899 dsdb_flags controls
3900 */
3901 int dsdb_search_by_dn_guid(struct ldb_context *ldb,
3902 TALLOC_CTX *mem_ctx,
3903 struct ldb_result **_res,
3904 const struct GUID *guid,
3905 const char * const *attrs,
3906 uint32_t dsdb_flags)
3907 {
3908 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3909 struct ldb_dn *dn;
3910 int ret;
3911
3912 dn = ldb_dn_new_fmt(tmp_ctx, ldb, "<GUID=%s>", GUID_string(tmp_ctx, guid));
3913 if (dn == NULL) {
3914 talloc_free(tmp_ctx);
3915 return ldb_oom(ldb);
3916 }
3917
3918 ret = dsdb_search_dn(ldb, mem_ctx, _res, dn, attrs, dsdb_flags);
3919 talloc_free(tmp_ctx);
3920 return ret;
3921 }
3922
3923 /*
3924 general search with dsdb_flags for controls
3925 */
3926 int dsdb_search(struct ldb_context *ldb,
3927 TALLOC_CTX *mem_ctx,
3928 struct ldb_result **_res,
3929 struct ldb_dn *basedn,
3930 enum ldb_scope scope,
3931 const char * const *attrs,
3932 uint32_t dsdb_flags,
3933 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(8, 9)
3934 {
3935 int ret;
3936 struct ldb_request *req;
3937 struct ldb_result *res;
3938 va_list ap;
3939 char *expression = NULL;
3940 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3941
3942 /* cross-partitions searches with a basedn break multi-domain support */
3943 SMB_ASSERT(basedn == NULL || (dsdb_flags & DSDB_SEARCH_SEARCH_ALL_PARTITIONS) == 0);
3944
3945 res = talloc_zero(tmp_ctx, struct ldb_result);
3946 if (!res) {
3947 talloc_free(tmp_ctx);
3948 return ldb_oom(ldb);
3949 }
3950
3951 if (exp_fmt) {
3952 va_start(ap, exp_fmt);
3953 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
3954 va_end(ap);
3955
3956 if (!expression) {
3957 talloc_free(tmp_ctx);
3958 return ldb_oom(ldb);
3959 }
3960 }
3961
3962 ret = ldb_build_search_req(&req, ldb, tmp_ctx,
3963 basedn,
3964 scope,
3965 expression,
3966 attrs,
3967 NULL,
3968 res,
3969 ldb_search_default_callback,
3970 NULL);
3971 if (ret != LDB_SUCCESS) {
3972 talloc_free(tmp_ctx);
3973 return ret;
3974 }
3975
3976 ret = dsdb_request_add_controls(req, dsdb_flags);
3977 if (ret != LDB_SUCCESS) {
3978 talloc_free(tmp_ctx);
3979 ldb_reset_err_string(ldb);
3980 return ret;
3981 }
3982
3983 ret = ldb_request(ldb, req);
3984 if (ret == LDB_SUCCESS) {
3985 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
3986 }
3987
3988 if (ret != LDB_SUCCESS) {
3989 talloc_free(tmp_ctx);
3990 return ret;
3991 }
3992
3993 if (dsdb_flags & DSDB_SEARCH_ONE_ONLY) {
3994 if (res->count == 0) {
3995 talloc_free(tmp_ctx);
3996 ldb_reset_err_string(ldb);
3997 return LDB_ERR_NO_SUCH_OBJECT;
3998 }
3999 if (res->count != 1) {
4000 talloc_free(tmp_ctx);
4001 ldb_reset_err_string(ldb);
4002 return LDB_ERR_CONSTRAINT_VIOLATION;
4003 }
4004 }
4005
4006 *_res = talloc_steal(mem_ctx, res);
4007 talloc_free(tmp_ctx);
4008
4009 return LDB_SUCCESS;
4010 }
4011
4012
4013 /*
4014 general search with dsdb_flags for controls
4015 returns exactly 1 record or an error
4016 */
4017 int dsdb_search_one(struct ldb_context *ldb,
4018 TALLOC_CTX *mem_ctx,
4019 struct ldb_message **msg,
4020 struct ldb_dn *basedn,
4021 enum ldb_scope scope,
4022 const char * const *attrs,
4023 uint32_t dsdb_flags,
4024 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(8, 9)
4025 {
4026 int ret;
4027 struct ldb_result *res;
4028 va_list ap;
4029 char *expression = NULL;
4030 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
4031
4032 dsdb_flags |= DSDB_SEARCH_ONE_ONLY;
4033
4034 res = talloc_zero(tmp_ctx, struct ldb_result);
4035 if (!res) {
4036 talloc_free(tmp_ctx);
4037 return ldb_oom(ldb);
4038 }
4039
4040 if (exp_fmt) {
4041 va_start(ap, exp_fmt);
4042 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
4043 va_end(ap);
4044
4045 if (!expression) {
4046 talloc_free(tmp_ctx);
4047 return ldb_oom(ldb);
4048 }
4049 ret = dsdb_search(ldb, tmp_ctx, &res, basedn, scope, attrs,
4050 dsdb_flags, "%s", expression);
4051 } else {
4052 ret = dsdb_search(ldb, tmp_ctx, &res, basedn, scope, attrs,
4053 dsdb_flags, NULL);
4054 }
4055
4056 if (ret != LDB_SUCCESS) {
4057 talloc_free(tmp_ctx);
4058 return ret;
4059 }
4060
4061 *msg = talloc_steal(mem_ctx, res->msgs[0]);
4062 talloc_free(tmp_ctx);
4063
4064 return LDB_SUCCESS;
4065 }
4066
4067 /* returns back the forest DNS name */
4068 const char *samdb_forest_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
4069 {
4070 const char *forest_name = ldb_dn_canonical_string(mem_ctx,
4071 ldb_get_root_basedn(ldb));
4072 char *p;
4073
4074 if (forest_name == NULL) {
4075 return NULL;
4076 }
4077
4078 p = strchr(forest_name, '/');
4079 if (p) {
4080 *p = '\0';
4081 }
4082
4083 return forest_name;
4084 }
4085
4086 /* returns back the default domain DNS name */
4087 const char *samdb_default_domain_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
4088 {
4089 const char *domain_name = ldb_dn_canonical_string(mem_ctx,
4090 ldb_get_default_basedn(ldb));
4091 char *p;
4092
4093 if (domain_name == NULL) {
4094 return NULL;
4095 }
4096
4097 p = strchr(domain_name, '/');
4098 if (p) {
4099 *p = '\0';
4100 }
4101
4102 return domain_name;
4103 }
4104
4105 /*
4106 validate that an DSA GUID belongs to the specified user sid.
4107 The user SID must be a domain controller account (either RODC or
4108 RWDC)
4109 */
4110 int dsdb_validate_dsa_guid(struct ldb_context *ldb,
4111 const struct GUID *dsa_guid,
4112 const struct dom_sid *sid)
4113 {
4114 /* strategy:
4115 - find DN of record with the DSA GUID in the
4116 configuration partition (objectGUID)
4117 - remove "NTDS Settings" component from DN
4118 - do a base search on that DN for serverReference with
4119 extended-dn enabled
4120 - extract objectSid from resulting serverReference
4121 attribute
4122 - check this sid matches the sid argument
4123 */
4124 struct ldb_dn *config_dn;
4125 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
4126 struct ldb_message *msg;
4127 const char *attrs1[] = { NULL };
4128 const char *attrs2[] = { "serverReference", NULL };
4129 int ret;
4130 struct ldb_dn *dn, *account_dn;
4131 struct dom_sid sid2;
4132 NTSTATUS status;
4133
4134 config_dn = ldb_get_config_basedn(ldb);
4135
4136 ret = dsdb_search_one(ldb, tmp_ctx, &msg, config_dn, LDB_SCOPE_SUBTREE,
4137 attrs1, 0, "(&(objectGUID=%s)(objectClass=nTDSDSA))", GUID_string(tmp_ctx, dsa_guid));
4138 if (ret != LDB_SUCCESS) {
4139 DEBUG(1,(__location__ ": Failed to find DSA objectGUID %s for sid %s\n",
4140 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
4141 talloc_free(tmp_ctx);
4142 return ldb_operr(ldb);
4143 }
4144 dn = msg->dn;
4145
4146 if (!ldb_dn_remove_child_components(dn, 1)) {
4147 talloc_free(tmp_ctx);
4148 return ldb_operr(ldb);
4149 }
4150
4151 ret = dsdb_search_one(ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE,
4152 attrs2, DSDB_SEARCH_SHOW_EXTENDED_DN,
4153 "(objectClass=server)");
4154 if (ret != LDB_SUCCESS) {
4155 DEBUG(1,(__location__ ": Failed to find server record for DSA with objectGUID %s, sid %s\n",
4156 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
4157 talloc_free(tmp_ctx);
4158 return ldb_operr(ldb);
4159 }
4160
4161 account_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, msg, "serverReference");
4162 if (account_dn == NULL) {
4163 DEBUG(1,(__location__ ": Failed to find account_dn for DSA with objectGUID %s, sid %s\n",
4164 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
4165 talloc_free(tmp_ctx);
4166 return ldb_operr(ldb);
4167 }
4168
4169 status = dsdb_get_extended_dn_sid(account_dn, &sid2, "SID");
4170 if (!NT_STATUS_IS_OK(status)) {
4171 DEBUG(1,(__location__ ": Failed to find SID for DSA with objectGUID %s, sid %s\n",
4172 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
4173 talloc_free(tmp_ctx);
4174 return ldb_operr(ldb);
4175 }
4176
4177 if (!dom_sid_equal(sid, &sid2)) {
4178 /* someone is trying to spoof another account */
4179 DEBUG(0,(__location__ ": Bad DSA objectGUID %s for sid %s - expected sid %s\n",
4180 GUID_string(tmp_ctx, dsa_guid),
4181 dom_sid_string(tmp_ctx, sid),
4182 dom_sid_string(tmp_ctx, &sid2)));
4183 talloc_free(tmp_ctx);
4184 return ldb_operr(ldb);
4185 }
4186
4187 talloc_free(tmp_ctx);
4188 return LDB_SUCCESS;
4189 }
4190
4191 static const char * const secret_attributes[] = {
4192 DSDB_SECRET_ATTRIBUTES,
4193 NULL
4194 };
4195
4196 /*
4197 check if the attribute belongs to the RODC filtered attribute set
4198 Note that attributes that are in the filtered attribute set are the
4199 ones that _are_ always sent to a RODC
4200 */
4201 bool dsdb_attr_in_rodc_fas(const struct dsdb_attribute *sa)
4202 {
4203 /* they never get secret attributes */
4204 if (is_attr_in_list(secret_attributes, sa->lDAPDisplayName)) {
4205 return false;
4206 }
4207
4208 /* they do get non-secret critical attributes */
4209 if (sa->schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) {
4210 return true;
4211 }
4212
4213 /* they do get non-secret attributes marked as being in the FAS */
4214 if (sa->searchFlags & SEARCH_FLAG_RODC_ATTRIBUTE) {
4215 return true;
4216 }
4217
4218 /* other attributes are denied */
4219 return false;
4220 }
4221
4222 /* return fsmo role dn and role owner dn for a particular role*/
4223 WERROR dsdb_get_fsmo_role_info(TALLOC_CTX *tmp_ctx,
4224 struct ldb_context *ldb,
4225 uint32_t role,
4226 struct ldb_dn **fsmo_role_dn,
4227 struct ldb_dn **role_owner_dn)
4228 {
4229 int ret;
4230 switch (role) {
4231 case DREPL_NAMING_MASTER:
4232 *fsmo_role_dn = samdb_partitions_dn(ldb, tmp_ctx);
4233 ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
4234 if (ret != LDB_SUCCESS) {
4235 DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Naming Master object - %s",
4236 ldb_errstring(ldb)));
4237 talloc_free(tmp_ctx);
4238 return WERR_DS_DRA_INTERNAL_ERROR;
4239 }
4240 break;
4241 case DREPL_INFRASTRUCTURE_MASTER:
4242 *fsmo_role_dn = samdb_infrastructure_dn(ldb, tmp_ctx);
4243 ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
4244 if (ret != LDB_SUCCESS) {
4245 DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Schema Master object - %s",
4246 ldb_errstring(ldb)));
4247 talloc_free(tmp_ctx);
4248 return WERR_DS_DRA_INTERNAL_ERROR;
4249 }
4250 break;
4251 case DREPL_RID_MASTER:
4252 ret = samdb_rid_manager_dn(ldb, tmp_ctx, fsmo_role_dn);
4253 if (ret != LDB_SUCCESS) {
4254 DEBUG(0, (__location__ ": Failed to find RID Manager object - %s", ldb_errstring(ldb)));
4255 talloc_free(tmp_ctx);
4256 return WERR_DS_DRA_INTERNAL_ERROR;
4257 }
4258
4259 ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
4260 if (ret != LDB_SUCCESS) {
4261 DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in RID Manager object - %s",
4262 ldb_errstring(ldb)));
4263 talloc_free(tmp_ctx);
4264 return WERR_DS_DRA_INTERNAL_ERROR;
4265 }
4266 break;
4267 case DREPL_SCHEMA_MASTER:
4268 *fsmo_role_dn = ldb_get_schema_basedn(ldb);
4269 ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
4270 if (ret != LDB_SUCCESS) {
4271 DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Schema Master object - %s",
4272 ldb_errstring(ldb)));
4273 talloc_free(tmp_ctx);
4274 return WERR_DS_DRA_INTERNAL_ERROR;
4275 }
4276 break;
4277 case DREPL_PDC_MASTER:
4278 *fsmo_role_dn = ldb_get_default_basedn(ldb);
4279 ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
4280 if (ret != LDB_SUCCESS) {
4281 DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Pd Master object - %s",
4282 ldb_errstring(ldb)));
4283 talloc_free(tmp_ctx);
4284 return WERR_DS_DRA_INTERNAL_ERROR;
4285 }
4286 break;
4287 default:
4288 return WERR_DS_DRA_INTERNAL_ERROR;
4289 }
4290 return WERR_OK;
4291 }
4292
4293 const char *samdb_dn_to_dnshostname(struct ldb_context *ldb,
4294 TALLOC_CTX *mem_ctx,
4295 struct ldb_dn *server_dn)
4296 {
4297 int ldb_ret;
4298 struct ldb_result *res = NULL;
4299 const char * const attrs[] = { "dNSHostName", NULL};
4300
4301 ldb_ret = ldb_search(ldb, mem_ctx, &res,
4302 server_dn,
4303 LDB_SCOPE_BASE,
4304 attrs, NULL);
4305 if (ldb_ret != LDB_SUCCESS) {
4306 DEBUG(4, ("Failed to find dNSHostName for dn %s, ldb error: %s",
4307 ldb_dn_get_linearized(server_dn), ldb_errstring(ldb)));
4308 return NULL;
4309 }
4310
4311 return ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
4312 }
4313
4314 /*
4315 returns true if an attribute is in the filter,
4316 false otherwise, provided that attribute value is provided with the expression
4317 */
4318 bool dsdb_attr_in_parse_tree(struct ldb_parse_tree *tree,
4319 const char *attr)
4320 {
4321 unsigned int i;
4322 switch (tree->operation) {
4323 case LDB_OP_AND:
4324 case LDB_OP_OR:
4325 for (i=0;i<tree->u.list.num_elements;i++) {
4326 if (dsdb_attr_in_parse_tree(tree->u.list.elements[i],
4327 attr))
4328 return true;
4329 }
4330 return false;
4331 case LDB_OP_NOT:
4332 return dsdb_attr_in_parse_tree(tree->u.isnot.child, attr);
4333 case LDB_OP_EQUALITY:
4334 case LDB_OP_GREATER:
4335 case LDB_OP_LESS:
4336 case LDB_OP_APPROX:
4337 if (ldb_attr_cmp(tree->u.equality.attr, attr) == 0) {
4338 return true;
4339 }
4340 return false;
4341 case LDB_OP_SUBSTRING:
4342 if (ldb_attr_cmp(tree->u.substring.attr, attr) == 0) {
4343 return true;
4344 }
4345 return false;
4346 case LDB_OP_PRESENT:
4347 /* (attrname=*) is not filtered out */
4348 return false;
4349 case LDB_OP_EXTENDED:
4350 if (tree->u.extended.attr &&
4351 ldb_attr_cmp(tree->u.extended.attr, attr) == 0) {
4352 return true;
4353 }
4354 return false;
4355 }
4356 return false;
4357 }
4358
4359 bool is_attr_in_list(const char * const * attrs, const char *attr)
4360 {
4361 unsigned int i;
4362
4363 for (i = 0; attrs[i]; i++) {
4364 if (ldb_attr_cmp(attrs[i], attr) == 0)
4365 return true;
4366 }
4367
4368 return false;
4369 }
4370
4371
4372 /*
4373 map an ldb error code to an approximate NTSTATUS code
4374 */
4375 NTSTATUS dsdb_ldb_err_to_ntstatus(int err)
4376 {
4377 switch (err) {
4378 case LDB_SUCCESS:
4379 return NT_STATUS_OK;
4380
4381 case LDB_ERR_PROTOCOL_ERROR:
4382 return NT_STATUS_DEVICE_PROTOCOL_ERROR;
4383
4384 case LDB_ERR_TIME_LIMIT_EXCEEDED:
4385 return NT_STATUS_IO_TIMEOUT;
4386
4387 case LDB_ERR_SIZE_LIMIT_EXCEEDED:
4388 return NT_STATUS_BUFFER_TOO_SMALL;
4389
4390 case LDB_ERR_COMPARE_FALSE:
4391 case LDB_ERR_COMPARE_TRUE:
4392 return NT_STATUS_REVISION_MISMATCH;
4393
4394 case LDB_ERR_AUTH_METHOD_NOT_SUPPORTED:
4395 return NT_STATUS_NOT_SUPPORTED;
4396
4397 case LDB_ERR_STRONG_AUTH_REQUIRED:
4398 case LDB_ERR_CONFIDENTIALITY_REQUIRED:
4399 case LDB_ERR_SASL_BIND_IN_PROGRESS:
4400 case LDB_ERR_INAPPROPRIATE_AUTHENTICATION:
4401 case LDB_ERR_INVALID_CREDENTIALS:
4402 case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
4403 case LDB_ERR_UNWILLING_TO_PERFORM:
4404 return NT_STATUS_ACCESS_DENIED;
4405
4406 case LDB_ERR_NO_SUCH_OBJECT:
4407 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
4408
4409 case LDB_ERR_REFERRAL:
4410 case LDB_ERR_NO_SUCH_ATTRIBUTE:
4411 return NT_STATUS_NOT_FOUND;
4412
4413 case LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION:
4414 return NT_STATUS_NOT_SUPPORTED;
4415
4416 case LDB_ERR_ADMIN_LIMIT_EXCEEDED:
4417 return NT_STATUS_BUFFER_TOO_SMALL;
4418
4419 case LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE:
4420 case LDB_ERR_INAPPROPRIATE_MATCHING:
4421 case LDB_ERR_CONSTRAINT_VIOLATION:
4422 case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX:
4423 case LDB_ERR_INVALID_DN_SYNTAX:
4424 case LDB_ERR_NAMING_VIOLATION:
4425 case LDB_ERR_OBJECT_CLASS_VIOLATION:
4426 case LDB_ERR_NOT_ALLOWED_ON_NON_LEAF:
4427 case LDB_ERR_NOT_ALLOWED_ON_RDN:
4428 return NT_STATUS_INVALID_PARAMETER;
4429
4430 case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS:
4431 case LDB_ERR_ENTRY_ALREADY_EXISTS:
4432 return NT_STATUS_ERROR_DS_OBJ_STRING_NAME_EXISTS;
4433
4434 case LDB_ERR_BUSY:
4435 return NT_STATUS_NETWORK_BUSY;
4436
4437 case LDB_ERR_ALIAS_PROBLEM:
4438 case LDB_ERR_ALIAS_DEREFERENCING_PROBLEM:
4439 case LDB_ERR_UNAVAILABLE:
4440 case LDB_ERR_LOOP_DETECT:
4441 case LDB_ERR_OBJECT_CLASS_MODS_PROHIBITED:
4442 case LDB_ERR_AFFECTS_MULTIPLE_DSAS:
4443 case LDB_ERR_OTHER:
4444 case LDB_ERR_OPERATIONS_ERROR:
4445 break;
4446 }
4447 return NT_STATUS_UNSUCCESSFUL;
4448 }
4449
4450
4451 /*
4452 create a new naming context that will hold a partial replica
4453 */
4454 int dsdb_create_partial_replica_NC(struct ldb_context *ldb, struct ldb_dn *dn)
4455 {
4456 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
4457 struct ldb_message *msg;
4458 int ret;
4459
4460 msg = ldb_msg_new(tmp_ctx);
4461 if (msg == NULL) {
4462 talloc_free(tmp_ctx);
4463 return ldb_oom(ldb);
4464 }
4465
4466 msg->dn = dn;
4467 ret = ldb_msg_add_string(msg, "objectClass", "top");
4468 if (ret != LDB_SUCCESS) {
4469 talloc_free(tmp_ctx);
4470 return ldb_oom(ldb);
4471 }
4472
4473 /* [MS-DRSR] implies that we should only add the 'top'
4474 * objectclass, but that would cause lots of problems with our
4475 * objectclass code as top is not structural, so we add
4476 * 'domainDNS' as well to keep things sane. We're expecting
4477 * this new NC to be of objectclass domainDNS after
4478 * replication anyway
4479 */
4480 ret = ldb_msg_add_string(msg, "objectClass", "domainDNS");
4481 if (ret != LDB_SUCCESS) {
4482 talloc_free(tmp_ctx);
4483 return ldb_oom(ldb);
4484 }
4485
4486 ret = ldb_msg_add_fmt(msg, "instanceType", "%u",
4487 INSTANCE_TYPE_IS_NC_HEAD|
4488 INSTANCE_TYPE_NC_ABOVE|
4489 INSTANCE_TYPE_UNINSTANT);
4490 if (ret != LDB_SUCCESS) {
4491 talloc_free(tmp_ctx);
4492 return ldb_oom(ldb);
4493 }
4494
4495 ret = dsdb_add(ldb, msg, DSDB_MODIFY_PARTIAL_REPLICA);
4496 if (ret != LDB_SUCCESS && ret != LDB_ERR_ENTRY_ALREADY_EXISTS) {
4497 DEBUG(0,("Failed to create new NC for %s - %s (%s)\n",
4498 ldb_dn_get_linearized(dn),
4499 ldb_errstring(ldb), ldb_strerror(ret)));
4500 talloc_free(tmp_ctx);
4501 return ret;
4502 }
4503
4504 DEBUG(1,("Created new NC for %s\n", ldb_dn_get_linearized(dn)));
4505
4506 talloc_free(tmp_ctx);
4507 return LDB_SUCCESS;
4508 }
4509
4510 /**
4511 build a GUID from a string
4512 */
4513 _PUBLIC_ NTSTATUS NS_GUID_from_string(const char *s, struct GUID *guid)
4514 {
4515 NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
4516 uint32_t time_low;
4517 uint32_t time_mid, time_hi_and_version;
4518 uint32_t clock_seq[2];
4519 uint32_t node[6];
4520 int i;
4521
4522 if (s == NULL) {
4523 return NT_STATUS_INVALID_PARAMETER;
4524 }
4525
4526 if (11 == sscanf(s, "%08x-%04x%04x-%02x%02x%02x%02x-%02x%02x%02x%02x",
4527 &time_low, &time_mid, &time_hi_and_version,
4528 &clock_seq[0], &clock_seq[1],
4529 &node[0], &node[1], &node[2], &node[3], &node[4], &node[5])) {
4530 status = NT_STATUS_OK;
4531 }
4532
4533 if (!NT_STATUS_IS_OK(status)) {
4534 return status;
4535 }
4536
4537 guid->time_low = time_low;
4538 guid->time_mid = time_mid;
4539 guid->time_hi_and_version = time_hi_and_version;
4540 guid->clock_seq[0] = clock_seq[0];
4541 guid->clock_seq[1] = clock_seq[1];
4542 for (i=0;i<6;i++) {
4543 guid->node[i] = node[i];
4544 }
4545
4546 return NT_STATUS_OK;
4547 }
4548
4549 _PUBLIC_ char *NS_GUID_string(TALLOC_CTX *mem_ctx, const struct GUID *guid)
4550 {
4551 return talloc_asprintf(mem_ctx,
4552 "%08x-%04x%04x-%02x%02x%02x%02x-%02x%02x%02x%02x",
4553 guid->time_low, guid->time_mid,
4554 guid->time_hi_and_version,
4555 guid->clock_seq[0],
4556 guid->clock_seq[1],
4557 guid->node[0], guid->node[1],
4558 guid->node[2], guid->node[3],
4559 guid->node[4], guid->node[5]);
4560 }
reg import