search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-dsdb: added samdb_domain_sid_cache_only()
[Samba/nascimento.git] / source4 / dsdb / common / util.c
blob6147940e3b79905ce8f60c6a2f0f1ae9643ceef1
1 /*
2 Unix SMB/CIFS implementation.
3 Samba utility functions
4
5 Copyright (C) Andrew Tridgell 2004
6 Copyright (C) Volker Lendecke 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
8 Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "events/events.h"
26 #include "ldb.h"
27 #include "ldb_errors.h"
28 #include "../lib/util/util_ldb.h"
29 #include "../lib/crypto/crypto.h"
30 #include "dsdb/samdb/samdb.h"
31 #include "libcli/security/security.h"
32 #include "librpc/gen_ndr/ndr_security.h"
33 #include "librpc/gen_ndr/ndr_misc.h"
34 #include "../libds/common/flags.h"
35 #include "dsdb/common/proto.h"
36 #include "libcli/ldap/ldap_ndr.h"
37 #include "param/param.h"
38 #include "libcli/auth/libcli_auth.h"
39 #include "librpc/gen_ndr/ndr_drsblobs.h"
40 #include "system/locale.h"
41
42 /*
43 search the sam for the specified attributes in a specific domain, filter on
44 objectSid being in domain_sid.
45 */
46 int samdb_search_domain(struct ldb_context *sam_ldb,
47 TALLOC_CTX *mem_ctx,
48 struct ldb_dn *basedn,
49 struct ldb_message ***res,
50 const char * const *attrs,
51 const struct dom_sid *domain_sid,
52 const char *format, ...) _PRINTF_ATTRIBUTE(7,8)
53 {
54 va_list ap;
55 int i, count;
56
57 va_start(ap, format);
58 count = gendb_search_v(sam_ldb, mem_ctx, basedn,
59 res, attrs, format, ap);
60 va_end(ap);
61
62 i=0;
63
64 while (i<count) {
65 struct dom_sid *entry_sid;
66
67 entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i], "objectSid");
68
69 if ((entry_sid == NULL) ||
70 (!dom_sid_in_domain(domain_sid, entry_sid))) {
71 /* Delete that entry from the result set */
72 (*res)[i] = (*res)[count-1];
73 count -= 1;
74 talloc_free(entry_sid);
75 continue;
76 }
77 talloc_free(entry_sid);
78 i += 1;
79 }
80
81 return count;
82 }
83
84 /*
85 search the sam for a single string attribute in exactly 1 record
86 */
87 const char *samdb_search_string_v(struct ldb_context *sam_ldb,
88 TALLOC_CTX *mem_ctx,
89 struct ldb_dn *basedn,
90 const char *attr_name,
91 const char *format, va_list ap) _PRINTF_ATTRIBUTE(5,0)
92 {
93 int count;
94 const char *attrs[2] = { NULL, NULL };
95 struct ldb_message **res = NULL;
96
97 attrs[0] = attr_name;
98
99 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
100 if (count > 1) {
101 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
102 attr_name, format, count));
103 }
104 if (count != 1) {
105 talloc_free(res);
106 return NULL;
107 }
108
109 return samdb_result_string(res[0], attr_name, NULL);
110 }
111
112 /*
113 search the sam for a single string attribute in exactly 1 record
114 */
115 const char *samdb_search_string(struct ldb_context *sam_ldb,
116 TALLOC_CTX *mem_ctx,
117 struct ldb_dn *basedn,
118 const char *attr_name,
119 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
120 {
121 va_list ap;
122 const char *str;
123
124 va_start(ap, format);
125 str = samdb_search_string_v(sam_ldb, mem_ctx, basedn, attr_name, format, ap);
126 va_end(ap);
127
128 return str;
129 }
130
131 struct ldb_dn *samdb_search_dn(struct ldb_context *sam_ldb,
132 TALLOC_CTX *mem_ctx,
133 struct ldb_dn *basedn,
134 const char *format, ...) _PRINTF_ATTRIBUTE(4,5)
135 {
136 va_list ap;
137 struct ldb_dn *ret;
138 struct ldb_message **res = NULL;
139 int count;
140
141 va_start(ap, format);
142 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, NULL, format, ap);
143 va_end(ap);
144
145 if (count != 1) return NULL;
146
147 ret = talloc_steal(mem_ctx, res[0]->dn);
148 talloc_free(res);
149
150 return ret;
151 }
152
153 /*
154 search the sam for a dom_sid attribute in exactly 1 record
155 */
156 struct dom_sid *samdb_search_dom_sid(struct ldb_context *sam_ldb,
157 TALLOC_CTX *mem_ctx,
158 struct ldb_dn *basedn,
159 const char *attr_name,
160 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
161 {
162 va_list ap;
163 int count;
164 struct ldb_message **res;
165 const char *attrs[2] = { NULL, NULL };
166 struct dom_sid *sid;
167
168 attrs[0] = attr_name;
169
170 va_start(ap, format);
171 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
172 va_end(ap);
173 if (count > 1) {
174 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
175 attr_name, format, count));
176 }
177 if (count != 1) {
178 talloc_free(res);
179 return NULL;
180 }
181 sid = samdb_result_dom_sid(mem_ctx, res[0], attr_name);
182 talloc_free(res);
183 return sid;
184 }
185
186 /*
187 return the count of the number of records in the sam matching the query
188 */
189 int samdb_search_count(struct ldb_context *sam_ldb,
190 struct ldb_dn *basedn,
191 const char *format, ...) _PRINTF_ATTRIBUTE(3,4)
192 {
193 va_list ap;
194 struct ldb_message **res;
195 const char *attrs[] = { NULL };
196 int ret;
197 TALLOC_CTX *tmp_ctx = talloc_new(sam_ldb);
198
199 va_start(ap, format);
200 ret = gendb_search_v(sam_ldb, tmp_ctx, basedn, &res, attrs, format, ap);
201 va_end(ap);
202 talloc_free(tmp_ctx);
203
204 return ret;
205 }
206
207
208 /*
209 search the sam for a single integer attribute in exactly 1 record
210 */
211 uint_t samdb_search_uint(struct ldb_context *sam_ldb,
212 TALLOC_CTX *mem_ctx,
213 uint_t default_value,
214 struct ldb_dn *basedn,
215 const char *attr_name,
216 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
217 {
218 va_list ap;
219 int count;
220 struct ldb_message **res;
221 const char *attrs[2] = { NULL, NULL };
222
223 attrs[0] = attr_name;
224
225 va_start(ap, format);
226 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
227 va_end(ap);
228
229 if (count != 1) {
230 return default_value;
231 }
232
233 return samdb_result_uint(res[0], attr_name, default_value);
234 }
235
236 /*
237 search the sam for a single signed 64 bit integer attribute in exactly 1 record
238 */
239 int64_t samdb_search_int64(struct ldb_context *sam_ldb,
240 TALLOC_CTX *mem_ctx,
241 int64_t default_value,
242 struct ldb_dn *basedn,
243 const char *attr_name,
244 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
245 {
246 va_list ap;
247 int count;
248 struct ldb_message **res;
249 const char *attrs[2] = { NULL, NULL };
250
251 attrs[0] = attr_name;
252
253 va_start(ap, format);
254 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
255 va_end(ap);
256
257 if (count != 1) {
258 return default_value;
259 }
260
261 return samdb_result_int64(res[0], attr_name, default_value);
262 }
263
264 /*
265 search the sam for multipe records each giving a single string attribute
266 return the number of matches, or -1 on error
267 */
268 int samdb_search_string_multiple(struct ldb_context *sam_ldb,
269 TALLOC_CTX *mem_ctx,
270 struct ldb_dn *basedn,
271 const char ***strs,
272 const char *attr_name,
273 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
274 {
275 va_list ap;
276 int count, i;
277 const char *attrs[2] = { NULL, NULL };
278 struct ldb_message **res = NULL;
279
280 attrs[0] = attr_name;
281
282 va_start(ap, format);
283 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
284 va_end(ap);
285
286 if (count <= 0) {
287 return count;
288 }
289
290 /* make sure its single valued */
291 for (i=0;i<count;i++) {
292 if (res[i]->num_elements != 1) {
293 DEBUG(1,("samdb: search for %s %s not single valued\n",
294 attr_name, format));
295 talloc_free(res);
296 return -1;
297 }
298 }
299
300 *strs = talloc_array(mem_ctx, const char *, count+1);
301 if (! *strs) {
302 talloc_free(res);
303 return -1;
304 }
305
306 for (i=0;i<count;i++) {
307 (*strs)[i] = samdb_result_string(res[i], attr_name, NULL);
308 }
309 (*strs)[count] = NULL;
310
311 return count;
312 }
313
314 /*
315 pull a uint from a result set.
316 */
317 uint_t samdb_result_uint(const struct ldb_message *msg, const char *attr, uint_t default_value)
318 {
319 return ldb_msg_find_attr_as_uint(msg, attr, default_value);
320 }
321
322 /*
323 pull a (signed) int64 from a result set.
324 */
325 int64_t samdb_result_int64(const struct ldb_message *msg, const char *attr, int64_t default_value)
326 {
327 return ldb_msg_find_attr_as_int64(msg, attr, default_value);
328 }
329
330 /*
331 pull a string from a result set.
332 */
333 const char *samdb_result_string(const struct ldb_message *msg, const char *attr,
334 const char *default_value)
335 {
336 return ldb_msg_find_attr_as_string(msg, attr, default_value);
337 }
338
339 struct ldb_dn *samdb_result_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
340 const char *attr, struct ldb_dn *default_value)
341 {
342 struct ldb_dn *ret_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, msg, attr);
343 if (!ret_dn) {
344 return default_value;
345 }
346 return ret_dn;
347 }
348
349 /*
350 pull a rid from a objectSid in a result set.
351 */
352 uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
353 const char *attr, uint32_t default_value)
354 {
355 struct dom_sid *sid;
356 uint32_t rid;
357
358 sid = samdb_result_dom_sid(mem_ctx, msg, attr);
359 if (sid == NULL) {
360 return default_value;
361 }
362 rid = sid->sub_auths[sid->num_auths-1];
363 talloc_free(sid);
364 return rid;
365 }
366
367 /*
368 pull a dom_sid structure from a objectSid in a result set.
369 */
370 struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
371 const char *attr)
372 {
373 const struct ldb_val *v;
374 struct dom_sid *sid;
375 enum ndr_err_code ndr_err;
376 v = ldb_msg_find_ldb_val(msg, attr);
377 if (v == NULL) {
378 return NULL;
379 }
380 sid = talloc(mem_ctx, struct dom_sid);
381 if (sid == NULL) {
382 return NULL;
383 }
384 ndr_err = ndr_pull_struct_blob(v, sid, NULL, sid,
385 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
386 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
387 talloc_free(sid);
388 return NULL;
389 }
390 return sid;
391 }
392
393 /*
394 pull a guid structure from a objectGUID in a result set.
395 */
396 struct GUID samdb_result_guid(const struct ldb_message *msg, const char *attr)
397 {
398 const struct ldb_val *v;
399 struct GUID guid;
400 NTSTATUS status;
401
402 v = ldb_msg_find_ldb_val(msg, attr);
403 if (!v) return GUID_zero();
404
405 status = GUID_from_ndr_blob(v, &guid);
406 if (!NT_STATUS_IS_OK(status)) {
407 return GUID_zero();
408 }
409
410 return guid;
411 }
412
413 /*
414 pull a sid prefix from a objectSid in a result set.
415 this is used to find the domain sid for a user
416 */
417 struct dom_sid *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
418 const char *attr)
419 {
420 struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg, attr);
421 if (!sid || sid->num_auths < 1) return NULL;
422 sid->num_auths--;
423 return sid;
424 }
425
426 /*
427 pull a NTTIME in a result set.
428 */
429 NTTIME samdb_result_nttime(const struct ldb_message *msg, const char *attr,
430 NTTIME default_value)
431 {
432 return ldb_msg_find_attr_as_uint64(msg, attr, default_value);
433 }
434
435 /*
436 * Windows stores 0 for lastLogoff.
437 * But when a MS DC return the lastLogoff (as Logoff Time)
438 * it returns 0x7FFFFFFFFFFFFFFF, not returning this value in this case
439 * cause windows 2008 and newer version to fail for SMB requests
440 */
441 NTTIME samdb_result_last_logoff(const struct ldb_message *msg)
442 {
443 NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "lastLogoff",0);
444
445 if (ret == 0)
446 ret = 0x7FFFFFFFFFFFFFFFULL;
447
448 return ret;
449 }
450
451 /*
452 * Windows uses both 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFFULL) to
453 * indicate an account doesn't expire.
454 *
455 * When Windows initially creates an account, it sets
456 * accountExpires = 9223372036854775807 (0x7FFFFFFFFFFFFFFF). However,
457 * when changing from an account having a specific expiration date to
458 * that account never expiring, it sets accountExpires = 0.
459 *
460 * Consolidate that logic here to allow clearer logic for account expiry in
461 * the rest of the code.
462 */
463 NTTIME samdb_result_account_expires(const struct ldb_message *msg)
464 {
465 NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "accountExpires",
466 0);
467
468 if (ret == 0)
469 ret = 0x7FFFFFFFFFFFFFFFULL;
470
471 return ret;
472 }
473
474 /*
475 pull a uint64_t from a result set.
476 */
477 uint64_t samdb_result_uint64(const struct ldb_message *msg, const char *attr,
478 uint64_t default_value)
479 {
480 return ldb_msg_find_attr_as_uint64(msg, attr, default_value);
481 }
482
483
484 /*
485 construct the allow_password_change field from the PwdLastSet attribute and the
486 domain password settings
487 */
488 NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb,
489 TALLOC_CTX *mem_ctx,
490 struct ldb_dn *domain_dn,
491 struct ldb_message *msg,
492 const char *attr)
493 {
494 uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
495 int64_t minPwdAge;
496
497 if (attr_time == 0) {
498 return 0;
499 }
500
501 minPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, "minPwdAge", NULL);
502
503 /* yes, this is a -= not a += as minPwdAge is stored as the negative
504 of the number of 100-nano-seconds */
505 attr_time -= minPwdAge;
506
507 return attr_time;
508 }
509
510 /*
511 construct the force_password_change field from the PwdLastSet
512 attribute, the userAccountControl and the domain password settings
513 */
514 NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
515 TALLOC_CTX *mem_ctx,
516 struct ldb_dn *domain_dn,
517 struct ldb_message *msg)
518 {
519 uint64_t attr_time = samdb_result_uint64(msg, "pwdLastSet", 0);
520 uint32_t userAccountControl = samdb_result_uint64(msg, "userAccountControl", 0);
521 int64_t maxPwdAge;
522
523 /* Machine accounts don't expire, and there is a flag for 'no expiry' */
524 if (!(userAccountControl & UF_NORMAL_ACCOUNT)
525 || (userAccountControl & UF_DONT_EXPIRE_PASSWD)) {
526 return 0x7FFFFFFFFFFFFFFFULL;
527 }
528
529 if (attr_time == 0) {
530 return 0;
531 }
532
533 maxPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, "maxPwdAge", NULL);
534 if (maxPwdAge == 0) {
535 return 0x7FFFFFFFFFFFFFFFULL;
536 } else {
537 attr_time -= maxPwdAge;
538 }
539
540 return attr_time;
541 }
542
543 /*
544 pull a samr_Password structutre from a result set.
545 */
546 struct samr_Password *samdb_result_hash(TALLOC_CTX *mem_ctx, const struct ldb_message *msg, const char *attr)
547 {
548 struct samr_Password *hash = NULL;
549 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
550 if (val && (val->length >= sizeof(hash->hash))) {
551 hash = talloc(mem_ctx, struct samr_Password);
552 memcpy(hash->hash, val->data, MIN(val->length, sizeof(hash->hash)));
553 }
554 return hash;
555 }
556
557 /*
558 pull an array of samr_Password structutres from a result set.
559 */
560 uint_t samdb_result_hashes(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
561 const char *attr, struct samr_Password **hashes)
562 {
563 uint_t count, i;
564 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
565
566 *hashes = NULL;
567 if (!val) {
568 return 0;
569 }
570 count = val->length / 16;
571 if (count == 0) {
572 return 0;
573 }
574
575 *hashes = talloc_array(mem_ctx, struct samr_Password, count);
576 if (! *hashes) {
577 return 0;
578 }
579
580 for (i=0;i<count;i++) {
581 memcpy((*hashes)[i].hash, (i*16)+(char *)val->data, 16);
582 }
583
584 return count;
585 }
586
587 NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct ldb_message *msg,
588 struct samr_Password **lm_pwd, struct samr_Password **nt_pwd)
589 {
590 struct samr_Password *lmPwdHash, *ntPwdHash;
591 if (nt_pwd) {
592 int num_nt;
593 num_nt = samdb_result_hashes(mem_ctx, msg, "unicodePwd", &ntPwdHash);
594 if (num_nt == 0) {
595 *nt_pwd = NULL;
596 } else if (num_nt > 1) {
597 return NT_STATUS_INTERNAL_DB_CORRUPTION;
598 } else {
599 *nt_pwd = &ntPwdHash[0];
600 }
601 }
602 if (lm_pwd) {
603 /* Ensure that if we have turned off LM
604 * authentication, that we never use the LM hash, even
605 * if we store it */
606 if (lp_lanman_auth(lp_ctx)) {
607 int num_lm;
608 num_lm = samdb_result_hashes(mem_ctx, msg, "dBCSPwd", &lmPwdHash);
609 if (num_lm == 0) {
610 *lm_pwd = NULL;
611 } else if (num_lm > 1) {
612 return NT_STATUS_INTERNAL_DB_CORRUPTION;
613 } else {
614 *lm_pwd = &lmPwdHash[0];
615 }
616 } else {
617 *lm_pwd = NULL;
618 }
619 }
620 return NT_STATUS_OK;
621 }
622
623 /*
624 pull a samr_LogonHours structutre from a result set.
625 */
626 struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr)
627 {
628 struct samr_LogonHours hours;
629 const int units_per_week = 168;
630 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
631 ZERO_STRUCT(hours);
632 hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week);
633 if (!hours.bits) {
634 return hours;
635 }
636 hours.units_per_week = units_per_week;
637 memset(hours.bits, 0xFF, units_per_week);
638 if (val) {
639 memcpy(hours.bits, val->data, MIN(val->length, units_per_week));
640 }
641 return hours;
642 }
643
644 /*
645 pull a set of account_flags from a result set.
646
647 This requires that the attributes:
648 pwdLastSet
649 userAccountControl
650 be included in 'msg'
651 */
652 uint32_t samdb_result_acct_flags(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
653 struct ldb_message *msg, struct ldb_dn *domain_dn)
654 {
655 uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
656 uint32_t acct_flags = ds_uf2acb(userAccountControl);
657 NTTIME must_change_time;
658 NTTIME now;
659
660 must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
661 domain_dn, msg);
662
663 /* Test account expire time */
664 unix_to_nt_time(&now, time(NULL));
665 /* check for expired password */
666 if (must_change_time < now) {
667 acct_flags |= ACB_PW_EXPIRED;
668 }
669 return acct_flags;
670 }
671
672 struct lsa_BinaryString samdb_result_parameters(TALLOC_CTX *mem_ctx,
673 struct ldb_message *msg,
674 const char *attr)
675 {
676 struct lsa_BinaryString s;
677 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
678
679 ZERO_STRUCT(s);
680
681 if (!val) {
682 return s;
683 }
684
685 s.array = talloc_array(mem_ctx, uint16_t, val->length/2);
686 if (!s.array) {
687 return s;
688 }
689 s.length = s.size = val->length/2;
690 memcpy(s.array, val->data, val->length);
691
692 return s;
693 }
694
695 /* Find an attribute, with a particular value */
696
697 /* The current callers of this function expect a very specific
698 * behaviour: In particular, objectClass subclass equivilance is not
699 * wanted. This means that we should not lookup the schema for the
700 * comparison function */
701 struct ldb_message_element *samdb_find_attribute(struct ldb_context *ldb,
702 const struct ldb_message *msg,
703 const char *name, const char *value)
704 {
705 int i;
706 struct ldb_message_element *el = ldb_msg_find_element(msg, name);
707
708 if (!el) {
709 return NULL;
710 }
711
712 for (i=0;i<el->num_values;i++) {
713 if (ldb_attr_cmp(value, (char *)el->values[i].data) == 0) {
714 return el;
715 }
716 }
717
718 return NULL;
719 }
720
721 int samdb_find_or_add_value(struct ldb_context *ldb, struct ldb_message *msg, const char *name, const char *set_value)
722 {
723 if (samdb_find_attribute(ldb, msg, name, set_value) == NULL) {
724 return samdb_msg_add_string(ldb, msg, msg, name, set_value);
725 }
726 return LDB_SUCCESS;
727 }
728
729 int samdb_find_or_add_attribute(struct ldb_context *ldb, struct ldb_message *msg, const char *name, const char *set_value)
730 {
731 struct ldb_message_element *el;
732
733 el = ldb_msg_find_element(msg, name);
734 if (el) {
735 return LDB_SUCCESS;
736 }
737
738 return samdb_msg_add_string(ldb, msg, msg, name, set_value);
739 }
740
741
742
743 /*
744 add a string element to a message
745 */
746 int samdb_msg_add_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
747 const char *attr_name, const char *str)
748 {
749 char *s = talloc_strdup(mem_ctx, str);
750 char *a = talloc_strdup(mem_ctx, attr_name);
751 if (s == NULL || a == NULL) {
752 return LDB_ERR_OPERATIONS_ERROR;
753 }
754 return ldb_msg_add_string(msg, a, s);
755 }
756
757 /*
758 add a dom_sid element to a message
759 */
760 int samdb_msg_add_dom_sid(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
761 const char *attr_name, struct dom_sid *sid)
762 {
763 struct ldb_val v;
764 enum ndr_err_code ndr_err;
765
766 ndr_err = ndr_push_struct_blob(&v, mem_ctx,
767 lp_iconv_convenience(ldb_get_opaque(sam_ldb, "loadparm")),
768 sid,
769 (ndr_push_flags_fn_t)ndr_push_dom_sid);
770 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
771 return -1;
772 }
773 return ldb_msg_add_value(msg, attr_name, &v, NULL);
774 }
775
776
777 /*
778 add a delete element operation to a message
779 */
780 int samdb_msg_add_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
781 const char *attr_name)
782 {
783 /* we use an empty replace rather than a delete, as it allows for
784 samdb_replace() to be used everywhere */
785 return ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_REPLACE, NULL);
786 }
787
788 /*
789 add a add attribute value to a message
790 */
791 int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
792 const char *attr_name, const char *value)
793 {
794 struct ldb_message_element *el;
795 char *a, *v;
796 int ret;
797 a = talloc_strdup(mem_ctx, attr_name);
798 if (a == NULL)
799 return -1;
800 v = talloc_strdup(mem_ctx, value);
801 if (v == NULL)
802 return -1;
803 ret = ldb_msg_add_string(msg, a, v);
804 if (ret != 0)
805 return ret;
806 el = ldb_msg_find_element(msg, a);
807 if (el == NULL)
808 return -1;
809 el->flags = LDB_FLAG_MOD_ADD;
810 return 0;
811 }
812
813 /*
814 add a delete attribute value to a message
815 */
816 int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
817 const char *attr_name, const char *value)
818 {
819 struct ldb_message_element *el;
820 char *a, *v;
821 int ret;
822 a = talloc_strdup(mem_ctx, attr_name);
823 if (a == NULL)
824 return -1;
825 v = talloc_strdup(mem_ctx, value);
826 if (v == NULL)
827 return -1;
828 ret = ldb_msg_add_string(msg, a, v);
829 if (ret != 0)
830 return ret;
831 el = ldb_msg_find_element(msg, a);
832 if (el == NULL)
833 return -1;
834 el->flags = LDB_FLAG_MOD_DELETE;
835 return 0;
836 }
837
838 /*
839 add a int element to a message
840 */
841 int samdb_msg_add_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
842 const char *attr_name, int v)
843 {
844 const char *s = talloc_asprintf(mem_ctx, "%d", v);
845 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
846 }
847
848 /*
849 add a uint_t element to a message
850 */
851 int samdb_msg_add_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
852 const char *attr_name, uint_t v)
853 {
854 const char *s = talloc_asprintf(mem_ctx, "%u", v);
855 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
856 }
857
858 /*
859 add a (signed) int64_t element to a message
860 */
861 int samdb_msg_add_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
862 const char *attr_name, int64_t v)
863 {
864 const char *s = talloc_asprintf(mem_ctx, "%lld", (long long)v);
865 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
866 }
867
868 /*
869 add a uint64_t element to a message
870 */
871 int samdb_msg_add_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
872 const char *attr_name, uint64_t v)
873 {
874 const char *s = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)v);
875 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
876 }
877
878 /*
879 add a samr_Password element to a message
880 */
881 int samdb_msg_add_hash(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
882 const char *attr_name, struct samr_Password *hash)
883 {
884 struct ldb_val val;
885 val.data = talloc_memdup(mem_ctx, hash->hash, 16);
886 if (!val.data) {
887 return -1;
888 }
889 val.length = 16;
890 return ldb_msg_add_value(msg, attr_name, &val, NULL);
891 }
892
893 /*
894 add a samr_Password array to a message
895 */
896 int samdb_msg_add_hashes(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
897 const char *attr_name, struct samr_Password *hashes, uint_t count)
898 {
899 struct ldb_val val;
900 int i;
901 val.data = talloc_array_size(mem_ctx, 16, count);
902 val.length = count*16;
903 if (!val.data) {
904 return -1;
905 }
906 for (i=0;i<count;i++) {
907 memcpy(i*16 + (char *)val.data, hashes[i].hash, 16);
908 }
909 return ldb_msg_add_value(msg, attr_name, &val, NULL);
910 }
911
912 /*
913 add a acct_flags element to a message
914 */
915 int samdb_msg_add_acct_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
916 const char *attr_name, uint32_t v)
917 {
918 return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, ds_acb2uf(v));
919 }
920
921 /*
922 add a logon_hours element to a message
923 */
924 int samdb_msg_add_logon_hours(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
925 const char *attr_name, struct samr_LogonHours *hours)
926 {
927 struct ldb_val val;
928 val.length = hours->units_per_week / 8;
929 val.data = hours->bits;
930 return ldb_msg_add_value(msg, attr_name, &val, NULL);
931 }
932
933 /*
934 add a parameters element to a message
935 */
936 int samdb_msg_add_parameters(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
937 const char *attr_name, struct lsa_BinaryString *parameters)
938 {
939 struct ldb_val val;
940 val.length = parameters->length * 2;
941 val.data = (uint8_t *)parameters->array;
942 return ldb_msg_add_value(msg, attr_name, &val, NULL);
943 }
944 /*
945 add a general value element to a message
946 */
947 int samdb_msg_add_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
948 const char *attr_name, const struct ldb_val *val)
949 {
950 return ldb_msg_add_value(msg, attr_name, val, NULL);
951 }
952
953 /*
954 sets a general value element to a message
955 */
956 int samdb_msg_set_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
957 const char *attr_name, const struct ldb_val *val)
958 {
959 struct ldb_message_element *el;
960
961 el = ldb_msg_find_element(msg, attr_name);
962 if (el) {
963 el->num_values = 0;
964 }
965 return ldb_msg_add_value(msg, attr_name, val, NULL);
966 }
967
968 /*
969 set a string element in a message
970 */
971 int samdb_msg_set_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
972 const char *attr_name, const char *str)
973 {
974 struct ldb_message_element *el;
975
976 el = ldb_msg_find_element(msg, attr_name);
977 if (el) {
978 el->num_values = 0;
979 }
980 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, str);
981 }
982
983 /*
984 replace elements in a record
985 */
986 int samdb_replace(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg)
987 {
988 int i;
989
990 /* mark all the message elements as LDB_FLAG_MOD_REPLACE */
991 for (i=0;i<msg->num_elements;i++) {
992 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
993 }
994
995 /* modify the samdb record */
996 return ldb_modify(sam_ldb, msg);
997 }
998
999 /*
1000 * Handle ldb_request in transaction
1001 */
1002 static int dsdb_autotransaction_request(struct ldb_context *sam_ldb,
1003 struct ldb_request *req)
1004 {
1005 int ret;
1006
1007 ret = ldb_transaction_start(sam_ldb);
1008 if (ret != LDB_SUCCESS) {
1009 return ret;
1010 }
1011
1012 ret = ldb_request(sam_ldb, req);
1013 if (ret == LDB_SUCCESS) {
1014 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
1015 }
1016
1017 if (ret == LDB_SUCCESS) {
1018 return ldb_transaction_commit(sam_ldb);
1019 }
1020 ldb_transaction_cancel(sam_ldb);
1021
1022 return ret;
1023 }
1024
1025 /*
1026 * replace elements in a record using LDB_CONTROL_AS_SYSTEM
1027 * used to skip access checks on operations
1028 * that are performed by the system
1029 */
1030 int samdb_replace_as_system(struct ldb_context *sam_ldb,
1031 TALLOC_CTX *mem_ctx,
1032 struct ldb_message *msg)
1033 {
1034 int i;
1035 int ldb_ret;
1036 struct ldb_request *req = NULL;
1037
1038 /* mark all the message elements as LDB_FLAG_MOD_REPLACE */
1039 for (i=0;i<msg->num_elements;i++) {
1040 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
1041 }
1042
1043
1044 ldb_ret = ldb_msg_sanity_check(sam_ldb, msg);
1045 if (ldb_ret != LDB_SUCCESS) {
1046 return ldb_ret;
1047 }
1048
1049 ldb_ret = ldb_build_mod_req(&req, sam_ldb, mem_ctx,
1050 msg,
1051 NULL,
1052 NULL,
1053 ldb_op_default_callback,
1054 NULL);
1055
1056 if (ldb_ret != LDB_SUCCESS) {
1057 talloc_free(req);
1058 return ldb_ret;
1059 }
1060
1061 ldb_ret = ldb_request_add_control(req, LDB_CONTROL_AS_SYSTEM_OID, false, NULL);
1062 if (ldb_ret != LDB_SUCCESS) {
1063 talloc_free(req);
1064 return ldb_ret;
1065 }
1066
1067 /* do request and auto start a transaction */
1068 ldb_ret = dsdb_autotransaction_request(sam_ldb, req);
1069
1070 talloc_free(req);
1071 return ldb_ret;
1072 }
1073
1074 /*
1075 return a default security descriptor
1076 */
1077 struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ctx)
1078 {
1079 struct security_descriptor *sd;
1080
1081 sd = security_descriptor_initialise(mem_ctx);
1082
1083 return sd;
1084 }
1085
1086 struct ldb_dn *samdb_base_dn(struct ldb_context *sam_ctx)
1087 {
1088 return ldb_get_default_basedn(sam_ctx);
1089 }
1090
1091 struct ldb_dn *samdb_config_dn(struct ldb_context *sam_ctx)
1092 {
1093 return ldb_get_config_basedn(sam_ctx);
1094 }
1095
1096 struct ldb_dn *samdb_schema_dn(struct ldb_context *sam_ctx)
1097 {
1098 return ldb_get_schema_basedn(sam_ctx);
1099 }
1100
1101 struct ldb_dn *samdb_aggregate_schema_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1102 {
1103 struct ldb_dn *schema_dn = ldb_get_schema_basedn(sam_ctx);
1104 struct ldb_dn *aggregate_dn;
1105 if (!schema_dn) {
1106 return NULL;
1107 }
1108
1109 aggregate_dn = ldb_dn_copy(mem_ctx, schema_dn);
1110 if (!aggregate_dn) {
1111 return NULL;
1112 }
1113 if (!ldb_dn_add_child_fmt(aggregate_dn, "CN=Aggregate")) {
1114 return NULL;
1115 }
1116 return aggregate_dn;
1117 }
1118
1119 struct ldb_dn *samdb_root_dn(struct ldb_context *sam_ctx)
1120 {
1121 return ldb_get_root_basedn(sam_ctx);
1122 }
1123
1124 struct ldb_dn *samdb_partitions_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1125 {
1126 struct ldb_dn *new_dn;
1127
1128 new_dn = ldb_dn_copy(mem_ctx, samdb_config_dn(sam_ctx));
1129 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Partitions")) {
1130 talloc_free(new_dn);
1131 return NULL;
1132 }
1133 return new_dn;
1134 }
1135
1136 struct ldb_dn *samdb_sites_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1137 {
1138 struct ldb_dn *new_dn;
1139
1140 new_dn = ldb_dn_copy(mem_ctx, samdb_config_dn(sam_ctx));
1141 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Sites")) {
1142 talloc_free(new_dn);
1143 return NULL;
1144 }
1145 return new_dn;
1146 }
1147
1148 /*
1149 work out the domain sid for the current open ldb
1150 */
1151 const struct dom_sid *samdb_domain_sid(struct ldb_context *ldb)
1152 {
1153 TALLOC_CTX *tmp_ctx;
1154 const struct dom_sid *domain_sid;
1155 const char *attrs[] = {
1156 "objectSid",
1157 NULL
1158 };
1159 struct ldb_result *res;
1160 int ret;
1161
1162 /* see if we have a cached copy */
1163 domain_sid = (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
1164 if (domain_sid) {
1165 return domain_sid;
1166 }
1167
1168 tmp_ctx = talloc_new(ldb);
1169 if (tmp_ctx == NULL) {
1170 goto failed;
1171 }
1172
1173 ret = ldb_search(ldb, tmp_ctx, &res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, attrs, "objectSid=*");
1174
1175 if (ret != LDB_SUCCESS) {
1176 goto failed;
1177 }
1178
1179 if (res->count != 1) {
1180 goto failed;
1181 }
1182
1183 domain_sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
1184 if (domain_sid == NULL) {
1185 goto failed;
1186 }
1187
1188 /* cache the domain_sid in the ldb */
1189 if (ldb_set_opaque(ldb, "cache.domain_sid", discard_const_p(struct dom_sid, domain_sid)) != LDB_SUCCESS) {
1190 goto failed;
1191 }
1192
1193 talloc_steal(ldb, domain_sid);
1194 talloc_free(tmp_ctx);
1195
1196 return domain_sid;
1197
1198 failed:
1199 talloc_free(tmp_ctx);
1200 return NULL;
1201 }
1202
1203 /*
1204 get domain sid from cache
1205 */
1206 const struct dom_sid *samdb_domain_sid_cache_only(struct ldb_context *ldb)
1207 {
1208 return (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
1209 }
1210
1211 bool samdb_set_domain_sid(struct ldb_context *ldb, const struct dom_sid *dom_sid_in)
1212 {
1213 TALLOC_CTX *tmp_ctx;
1214 struct dom_sid *dom_sid_new;
1215 struct dom_sid *dom_sid_old;
1216
1217 /* see if we have a cached copy */
1218 dom_sid_old = talloc_get_type(ldb_get_opaque(ldb,
1219 "cache.domain_sid"), struct dom_sid);
1220
1221 tmp_ctx = talloc_new(ldb);
1222 if (tmp_ctx == NULL) {
1223 goto failed;
1224 }
1225
1226 dom_sid_new = dom_sid_dup(tmp_ctx, dom_sid_in);
1227 if (!dom_sid_new) {
1228 goto failed;
1229 }
1230
1231 /* cache the domain_sid in the ldb */
1232 if (ldb_set_opaque(ldb, "cache.domain_sid", dom_sid_new) != LDB_SUCCESS) {
1233 goto failed;
1234 }
1235
1236 talloc_steal(ldb, dom_sid_new);
1237 talloc_free(tmp_ctx);
1238 talloc_free(dom_sid_old);
1239
1240 return true;
1241
1242 failed:
1243 DEBUG(1,("Failed to set our own cached domain SID in the ldb!\n"));
1244 talloc_free(tmp_ctx);
1245 return false;
1246 }
1247
1248 /* Obtain the short name of the flexible single master operator
1249 * (FSMO), such as the PDC Emulator */
1250 const char *samdb_result_fsmo_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
1251 const char *attr)
1252 {
1253 /* Format is cn=NTDS Settings,cn=<NETBIOS name of FSMO>,.... */
1254 struct ldb_dn *fsmo_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, msg, attr);
1255 const struct ldb_val *val = ldb_dn_get_component_val(fsmo_dn, 1);
1256 const char *name = ldb_dn_get_component_name(fsmo_dn, 1);
1257
1258 if (!name || (ldb_attr_cmp(name, "cn") != 0)) {
1259 /* Ensure this matches the format. This gives us a
1260 * bit more confidence that a 'cn' value will be a
1261 * ascii string */
1262 return NULL;
1263 }
1264 if (val) {
1265 return (char *)val->data;
1266 }
1267 return NULL;
1268 }
1269
1270 /*
1271 work out the ntds settings dn for the current open ldb
1272 */
1273 struct ldb_dn *samdb_ntds_settings_dn(struct ldb_context *ldb)
1274 {
1275 TALLOC_CTX *tmp_ctx;
1276 const char *root_attrs[] = { "dsServiceName", NULL };
1277 int ret;
1278 struct ldb_result *root_res;
1279 struct ldb_dn *settings_dn;
1280
1281 /* see if we have a cached copy */
1282 settings_dn = (struct ldb_dn *)ldb_get_opaque(ldb, "cache.settings_dn");
1283 if (settings_dn) {
1284 return settings_dn;
1285 }
1286
1287 tmp_ctx = talloc_new(ldb);
1288 if (tmp_ctx == NULL) {
1289 goto failed;
1290 }
1291
1292 ret = ldb_search(ldb, tmp_ctx, &root_res, ldb_dn_new(tmp_ctx, ldb, ""), LDB_SCOPE_BASE, root_attrs, NULL);
1293 if (ret) {
1294 DEBUG(1,("Searching for dsServiceName in rootDSE failed: %s\n",
1295 ldb_errstring(ldb)));
1296 goto failed;
1297 }
1298
1299 if (root_res->count != 1) {
1300 goto failed;
1301 }
1302
1303 settings_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, root_res->msgs[0], "dsServiceName");
1304
1305 /* cache the domain_sid in the ldb */
1306 if (ldb_set_opaque(ldb, "cache.settings_dn", settings_dn) != LDB_SUCCESS) {
1307 goto failed;
1308 }
1309
1310 talloc_steal(ldb, settings_dn);
1311 talloc_free(tmp_ctx);
1312
1313 return settings_dn;
1314
1315 failed:
1316 DEBUG(1,("Failed to find our own NTDS Settings DN in the ldb!\n"));
1317 talloc_free(tmp_ctx);
1318 return NULL;
1319 }
1320
1321 /*
1322 work out the ntds settings invocationId for the current open ldb
1323 */
1324 const struct GUID *samdb_ntds_invocation_id(struct ldb_context *ldb)
1325 {
1326 TALLOC_CTX *tmp_ctx;
1327 const char *attrs[] = { "invocationId", NULL };
1328 int ret;
1329 struct ldb_result *res;
1330 struct GUID *invocation_id;
1331
1332 /* see if we have a cached copy */
1333 invocation_id = (struct GUID *)ldb_get_opaque(ldb, "cache.invocation_id");
1334 if (invocation_id) {
1335 return invocation_id;
1336 }
1337
1338 tmp_ctx = talloc_new(ldb);
1339 if (tmp_ctx == NULL) {
1340 goto failed;
1341 }
1342
1343 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
1344 if (ret) {
1345 goto failed;
1346 }
1347
1348 if (res->count != 1) {
1349 goto failed;
1350 }
1351
1352 invocation_id = talloc(tmp_ctx, struct GUID);
1353 if (!invocation_id) {
1354 goto failed;
1355 }
1356
1357 *invocation_id = samdb_result_guid(res->msgs[0], "invocationId");
1358
1359 /* cache the domain_sid in the ldb */
1360 if (ldb_set_opaque(ldb, "cache.invocation_id", invocation_id) != LDB_SUCCESS) {
1361 goto failed;
1362 }
1363
1364 talloc_steal(ldb, invocation_id);
1365 talloc_free(tmp_ctx);
1366
1367 return invocation_id;
1368
1369 failed:
1370 DEBUG(1,("Failed to find our own NTDS Settings invocationId in the ldb!\n"));
1371 talloc_free(tmp_ctx);
1372 return NULL;
1373 }
1374
1375 bool samdb_set_ntds_invocation_id(struct ldb_context *ldb, const struct GUID *invocation_id_in)
1376 {
1377 TALLOC_CTX *tmp_ctx;
1378 struct GUID *invocation_id_new;
1379 struct GUID *invocation_id_old;
1380
1381 /* see if we have a cached copy */
1382 invocation_id_old = (struct GUID *)ldb_get_opaque(ldb,
1383 "cache.invocation_id");
1384
1385 tmp_ctx = talloc_new(ldb);
1386 if (tmp_ctx == NULL) {
1387 goto failed;
1388 }
1389
1390 invocation_id_new = talloc(tmp_ctx, struct GUID);
1391 if (!invocation_id_new) {
1392 goto failed;
1393 }
1394
1395 *invocation_id_new = *invocation_id_in;
1396
1397 /* cache the domain_sid in the ldb */
1398 if (ldb_set_opaque(ldb, "cache.invocation_id", invocation_id_new) != LDB_SUCCESS) {
1399 goto failed;
1400 }
1401
1402 talloc_steal(ldb, invocation_id_new);
1403 talloc_free(tmp_ctx);
1404 talloc_free(invocation_id_old);
1405
1406 return true;
1407
1408 failed:
1409 DEBUG(1,("Failed to set our own cached invocationId in the ldb!\n"));
1410 talloc_free(tmp_ctx);
1411 return false;
1412 }
1413
1414 /*
1415 work out the ntds settings objectGUID for the current open ldb
1416 */
1417 const struct GUID *samdb_ntds_objectGUID(struct ldb_context *ldb)
1418 {
1419 TALLOC_CTX *tmp_ctx;
1420 const char *attrs[] = { "objectGUID", NULL };
1421 int ret;
1422 struct ldb_result *res;
1423 struct GUID *ntds_guid;
1424
1425 /* see if we have a cached copy */
1426 ntds_guid = (struct GUID *)ldb_get_opaque(ldb, "cache.ntds_guid");
1427 if (ntds_guid) {
1428 return ntds_guid;
1429 }
1430
1431 tmp_ctx = talloc_new(ldb);
1432 if (tmp_ctx == NULL) {
1433 goto failed;
1434 }
1435
1436 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
1437 if (ret) {
1438 goto failed;
1439 }
1440
1441 if (res->count != 1) {
1442 goto failed;
1443 }
1444
1445 ntds_guid = talloc(tmp_ctx, struct GUID);
1446 if (!ntds_guid) {
1447 goto failed;
1448 }
1449
1450 *ntds_guid = samdb_result_guid(res->msgs[0], "objectGUID");
1451
1452 /* cache the domain_sid in the ldb */
1453 if (ldb_set_opaque(ldb, "cache.ntds_guid", ntds_guid) != LDB_SUCCESS) {
1454 goto failed;
1455 }
1456
1457 talloc_steal(ldb, ntds_guid);
1458 talloc_free(tmp_ctx);
1459
1460 return ntds_guid;
1461
1462 failed:
1463 DEBUG(1,("Failed to find our own NTDS Settings objectGUID in the ldb!\n"));
1464 talloc_free(tmp_ctx);
1465 return NULL;
1466 }
1467
1468 bool samdb_set_ntds_objectGUID(struct ldb_context *ldb, const struct GUID *ntds_guid_in)
1469 {
1470 TALLOC_CTX *tmp_ctx;
1471 struct GUID *ntds_guid_new;
1472 struct GUID *ntds_guid_old;
1473
1474 /* see if we have a cached copy */
1475 ntds_guid_old = (struct GUID *)ldb_get_opaque(ldb, "cache.ntds_guid");
1476
1477 tmp_ctx = talloc_new(ldb);
1478 if (tmp_ctx == NULL) {
1479 goto failed;
1480 }
1481
1482 ntds_guid_new = talloc(tmp_ctx, struct GUID);
1483 if (!ntds_guid_new) {
1484 goto failed;
1485 }
1486
1487 *ntds_guid_new = *ntds_guid_in;
1488
1489 /* cache the domain_sid in the ldb */
1490 if (ldb_set_opaque(ldb, "cache.ntds_guid", ntds_guid_new) != LDB_SUCCESS) {
1491 goto failed;
1492 }
1493
1494 talloc_steal(ldb, ntds_guid_new);
1495 talloc_free(tmp_ctx);
1496 talloc_free(ntds_guid_old);
1497
1498 return true;
1499
1500 failed:
1501 DEBUG(1,("Failed to set our own cached invocationId in the ldb!\n"));
1502 talloc_free(tmp_ctx);
1503 return false;
1504 }
1505
1506 /*
1507 work out the server dn for the current open ldb
1508 */
1509 struct ldb_dn *samdb_server_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1510 {
1511 return ldb_dn_get_parent(mem_ctx, samdb_ntds_settings_dn(ldb));
1512 }
1513
1514 /*
1515 work out the server dn for the current open ldb
1516 */
1517 struct ldb_dn *samdb_server_site_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1518 {
1519 struct ldb_dn *server_dn;
1520 struct ldb_dn *server_site_dn;
1521
1522 server_dn = samdb_server_dn(ldb, mem_ctx);
1523 if (!server_dn) return NULL;
1524
1525 server_site_dn = ldb_dn_get_parent(mem_ctx, server_dn);
1526
1527 talloc_free(server_dn);
1528 return server_site_dn;
1529 }
1530
1531 /*
1532 find a 'reference' DN that points at another object
1533 (eg. serverReference, rIDManagerReference etc)
1534 */
1535 int samdb_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *base,
1536 const char *attribute, struct ldb_dn **dn)
1537 {
1538 const char *attrs[2];
1539 struct ldb_result *res;
1540 int ret;
1541
1542 attrs[0] = attribute;
1543 attrs[1] = NULL;
1544
1545 ret = ldb_search(ldb, mem_ctx, &res, base, LDB_SCOPE_BASE, attrs, NULL);
1546 if (ret != LDB_SUCCESS) {
1547 return ret;
1548 }
1549 if (res->count != 1) {
1550 talloc_free(res);
1551 return LDB_ERR_NO_SUCH_OBJECT;
1552 }
1553
1554 *dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0], attribute);
1555 if (!*dn) {
1556 talloc_free(res);
1557 return LDB_ERR_NO_SUCH_ATTRIBUTE;
1558 }
1559
1560 talloc_free(res);
1561 return LDB_SUCCESS;
1562 }
1563
1564 /*
1565 find our machine account via the serverReference attribute in the
1566 server DN
1567 */
1568 int samdb_server_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1569 {
1570 struct ldb_dn *server_dn;
1571 int ret;
1572
1573 server_dn = samdb_server_dn(ldb, mem_ctx);
1574 if (server_dn == NULL) {
1575 return LDB_ERR_NO_SUCH_OBJECT;
1576 }
1577
1578 ret = samdb_reference_dn(ldb, mem_ctx, server_dn, "serverReference", dn);
1579 talloc_free(server_dn);
1580
1581 return ret;
1582 }
1583
1584 /*
1585 find the RID Manager$ DN via the rIDManagerReference attribute in the
1586 base DN
1587 */
1588 int samdb_rid_manager_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1589 {
1590 return samdb_reference_dn(ldb, mem_ctx, samdb_base_dn(ldb), "rIDManagerReference", dn);
1591 }
1592
1593 /*
1594 find the RID Set DN via the rIDSetReferences attribute in our
1595 machine account DN
1596 */
1597 int samdb_rid_set_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1598 {
1599 struct ldb_dn *server_ref_dn;
1600 int ret;
1601
1602 ret = samdb_server_reference_dn(ldb, mem_ctx, &server_ref_dn);
1603 if (ret != LDB_SUCCESS) {
1604 return ret;
1605 }
1606 ret = samdb_reference_dn(ldb, mem_ctx, server_ref_dn, "rIDSetReferences", dn);
1607 talloc_free(server_ref_dn);
1608 return ret;
1609 }
1610
1611 const char *samdb_server_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1612 {
1613 const struct ldb_val *val = ldb_dn_get_rdn_val(samdb_server_site_dn(ldb, mem_ctx));
1614
1615 if (val != NULL)
1616 return (const char *) val->data;
1617 else
1618 return NULL;
1619 }
1620
1621 /*
1622 work out if we are the PDC for the domain of the current open ldb
1623 */
1624 bool samdb_is_pdc(struct ldb_context *ldb)
1625 {
1626 const char *dom_attrs[] = { "fSMORoleOwner", NULL };
1627 int ret;
1628 struct ldb_result *dom_res;
1629 TALLOC_CTX *tmp_ctx;
1630 bool is_pdc;
1631 struct ldb_dn *pdc;
1632
1633 tmp_ctx = talloc_new(ldb);
1634 if (tmp_ctx == NULL) {
1635 DEBUG(1, ("talloc_new failed in samdb_is_pdc"));
1636 return false;
1637 }
1638
1639 ret = ldb_search(ldb, tmp_ctx, &dom_res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, dom_attrs, NULL);
1640 if (ret) {
1641 DEBUG(1,("Searching for fSMORoleOwner in %s failed: %s\n",
1642 ldb_dn_get_linearized(ldb_get_default_basedn(ldb)),
1643 ldb_errstring(ldb)));
1644 goto failed;
1645 }
1646 if (dom_res->count != 1) {
1647 goto failed;
1648 }
1649
1650 pdc = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, dom_res->msgs[0], "fSMORoleOwner");
1651
1652 if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), pdc) == 0) {
1653 is_pdc = true;
1654 } else {
1655 is_pdc = false;
1656 }
1657
1658 talloc_free(tmp_ctx);
1659
1660 return is_pdc;
1661
1662 failed:
1663 DEBUG(1,("Failed to find if we are the PDC for this ldb\n"));
1664 talloc_free(tmp_ctx);
1665 return false;
1666 }
1667
1668 /*
1669 work out if we are a Global Catalog server for the domain of the current open ldb
1670 */
1671 bool samdb_is_gc(struct ldb_context *ldb)
1672 {
1673 const char *attrs[] = { "options", NULL };
1674 int ret, options;
1675 struct ldb_result *res;
1676 TALLOC_CTX *tmp_ctx;
1677
1678 tmp_ctx = talloc_new(ldb);
1679 if (tmp_ctx == NULL) {
1680 DEBUG(1, ("talloc_new failed in samdb_is_pdc"));
1681 return false;
1682 }
1683
1684 /* Query cn=ntds settings,.... */
1685 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
1686 if (ret) {
1687 talloc_free(tmp_ctx);
1688 return false;
1689 }
1690 if (res->count != 1) {
1691 talloc_free(tmp_ctx);
1692 return false;
1693 }
1694
1695 options = ldb_msg_find_attr_as_int(res->msgs[0], "options", 0);
1696 talloc_free(tmp_ctx);
1697
1698 /* if options attribute has the 0x00000001 flag set, then enable the global catlog */
1699 if (options & 0x000000001) {
1700 return true;
1701 }
1702 return false;
1703 }
1704
1705 /* Find a domain object in the parents of a particular DN. */
1706 int samdb_search_for_parent_domain(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
1707 struct ldb_dn **parent_dn, const char **errstring)
1708 {
1709 TALLOC_CTX *local_ctx;
1710 struct ldb_dn *sdn = dn;
1711 struct ldb_result *res = NULL;
1712 int ret = 0;
1713 const char *attrs[] = { NULL };
1714
1715 local_ctx = talloc_new(mem_ctx);
1716 if (local_ctx == NULL) return LDB_ERR_OPERATIONS_ERROR;
1717
1718 while ((sdn = ldb_dn_get_parent(local_ctx, sdn))) {
1719 ret = ldb_search(ldb, local_ctx, &res, sdn, LDB_SCOPE_BASE, attrs,
1720 "(|(objectClass=domain)(objectClass=builtinDomain))");
1721 if (ret == LDB_SUCCESS) {
1722 if (res->count == 1) {
1723 break;
1724 }
1725 } else {
1726 break;
1727 }
1728 }
1729
1730 if (ret != LDB_SUCCESS) {
1731 *errstring = talloc_asprintf(mem_ctx, "Error searching for parent domain of %s, failed searching for %s: %s",
1732 ldb_dn_get_linearized(dn),
1733 ldb_dn_get_linearized(sdn),
1734 ldb_errstring(ldb));
1735 talloc_free(local_ctx);
1736 return ret;
1737 }
1738 if (res->count != 1) {
1739 *errstring = talloc_asprintf(mem_ctx, "Invalid dn (%s), not child of a domain object",
1740 ldb_dn_get_linearized(dn));
1741 DEBUG(0,(__location__ ": %s\n", *errstring));
1742 talloc_free(local_ctx);
1743 return LDB_ERR_CONSTRAINT_VIOLATION;
1744 }
1745
1746 *parent_dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
1747 talloc_free(local_ctx);
1748 return ret;
1749 }
1750
1751
1752 /*
1753 * Performs checks on a user password (plaintext UNIX format - attribute
1754 * "password"). The remaining parameters have to be extracted from the domain
1755 * object in the AD.
1756 *
1757 * Result codes from "enum samr_ValidationStatus" (consider "samr.idl")
1758 */
1759 enum samr_ValidationStatus samdb_check_password(const DATA_BLOB *password,
1760 const uint32_t pwdProperties,
1761 const uint32_t minPwdLength)
1762 {
1763 /* checks if the "minPwdLength" property is satisfied */
1764 if (minPwdLength > password->length)
1765 return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
1766
1767 /* checks the password complexity */
1768 if (((pwdProperties & DOMAIN_PASSWORD_COMPLEX) != 0)
1769 && (password->data != NULL)
1770 && (!check_password_quality((const char *) password->data)))
1771 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
1772
1773 return SAMR_VALIDATION_STATUS_SUCCESS;
1774 }
1775
1776 /*
1777 * Sets the user password using plaintext UTF16 (attribute "new_password") or
1778 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
1779 * as parameter if it's a user change or not ("userChange"). The "rejectReason"
1780 * gives some more informations if the changed failed.
1781 *
1782 * The caller should have a LDB transaction wrapping this.
1783 *
1784 * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
1785 * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
1786 * NT_STATUS_PASSWORD_RESTRICTION
1787 */
1788 NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
1789 struct ldb_dn *user_dn, struct ldb_dn *domain_dn,
1790 struct ldb_message *mod,
1791 const DATA_BLOB *new_password,
1792 struct samr_Password *param_lmNewHash,
1793 struct samr_Password *param_ntNewHash,
1794 bool user_change,
1795 enum samPwdChangeReason *reject_reason,
1796 struct samr_DomInfo1 **_dominfo)
1797 {
1798 const char * const user_attrs[] = { "userAccountControl",
1799 "lmPwdHistory",
1800 "ntPwdHistory",
1801 "dBCSPwd", "unicodePwd",
1802 "objectSid",
1803 "pwdLastSet", NULL };
1804 const char * const domain_attrs[] = { "minPwdLength", "pwdProperties",
1805 "pwdHistoryLength",
1806 "maxPwdAge", "minPwdAge", NULL };
1807 NTTIME pwdLastSet;
1808 uint32_t minPwdLength, pwdProperties, pwdHistoryLength;
1809 int64_t maxPwdAge, minPwdAge;
1810 uint32_t userAccountControl;
1811 struct samr_Password *sambaLMPwdHistory, *sambaNTPwdHistory,
1812 *lmPwdHash, *ntPwdHash, *lmNewHash, *ntNewHash;
1813 struct samr_Password local_lmNewHash, local_ntNewHash;
1814 int sambaLMPwdHistory_len, sambaNTPwdHistory_len;
1815 struct dom_sid *domain_sid;
1816 struct ldb_message **res;
1817 bool restrictions;
1818 int count;
1819 time_t now = time(NULL);
1820 NTTIME now_nt;
1821 int i;
1822
1823 /* we need to know the time to compute password age */
1824 unix_to_nt_time(&now_nt, now);
1825
1826 /* pull all the user parameters */
1827 count = gendb_search_dn(ctx, mem_ctx, user_dn, &res, user_attrs);
1828 if (count != 1) {
1829 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1830 }
1831 userAccountControl = samdb_result_uint(res[0], "userAccountControl", 0);
1832 sambaLMPwdHistory_len = samdb_result_hashes(mem_ctx, res[0],
1833 "lmPwdHistory", &sambaLMPwdHistory);
1834 sambaNTPwdHistory_len = samdb_result_hashes(mem_ctx, res[0],
1835 "ntPwdHistory", &sambaNTPwdHistory);
1836 lmPwdHash = samdb_result_hash(mem_ctx, res[0], "dBCSPwd");
1837 ntPwdHash = samdb_result_hash(mem_ctx, res[0], "unicodePwd");
1838 pwdLastSet = samdb_result_uint64(res[0], "pwdLastSet", 0);
1839
1840 /* Copy parameters */
1841 lmNewHash = param_lmNewHash;
1842 ntNewHash = param_ntNewHash;
1843
1844 /* Only non-trust accounts have restrictions (possibly this
1845 * test is the wrong way around, but I like to be restrictive
1846 * if possible */
1847 restrictions = !(userAccountControl & (UF_INTERDOMAIN_TRUST_ACCOUNT
1848 |UF_WORKSTATION_TRUST_ACCOUNT
1849 |UF_SERVER_TRUST_ACCOUNT));
1850
1851 if (domain_dn != NULL) {
1852 /* pull the domain parameters */
1853 count = gendb_search_dn(ctx, mem_ctx, domain_dn, &res,
1854 domain_attrs);
1855 if (count != 1) {
1856 DEBUG(2, ("samdb_set_password: Domain DN %s is invalid, for user %s\n",
1857 ldb_dn_get_linearized(domain_dn),
1858 ldb_dn_get_linearized(user_dn)));
1859 return NT_STATUS_NO_SUCH_DOMAIN;
1860 }
1861 } else {
1862 /* work out the domain sid, and pull the domain from there */
1863 domain_sid = samdb_result_sid_prefix(mem_ctx, res[0],
1864 "objectSid");
1865 if (domain_sid == NULL) {
1866 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1867 }
1868
1869 count = gendb_search(ctx, mem_ctx, NULL, &res, domain_attrs,
1870 "(objectSid=%s)",
1871 ldap_encode_ndr_dom_sid(mem_ctx, domain_sid));
1872 if (count != 1) {
1873 DEBUG(2, ("samdb_set_password: Could not find domain to match SID: %s, for user %s\n",
1874 dom_sid_string(mem_ctx, domain_sid),
1875 ldb_dn_get_linearized(user_dn)));
1876 return NT_STATUS_NO_SUCH_DOMAIN;
1877 }
1878 }
1879
1880 minPwdLength = samdb_result_uint(res[0], "minPwdLength", 0);
1881 pwdProperties = samdb_result_uint(res[0], "pwdProperties", 0);
1882 pwdHistoryLength = samdb_result_uint(res[0], "pwdHistoryLength", 0);
1883 maxPwdAge = samdb_result_int64(res[0], "maxPwdAge", 0);
1884 minPwdAge = samdb_result_int64(res[0], "minPwdAge", 0);
1885
1886 if ((userAccountControl & UF_PASSWD_NOTREQD) != 0) {
1887 /* see [MS-ADTS] 2.2.15 */
1888 minPwdLength = 0;
1889 }
1890
1891 if (_dominfo != NULL) {
1892 struct samr_DomInfo1 *dominfo;
1893 /* on failure we need to fill in the reject reasons */
1894 dominfo = talloc(mem_ctx, struct samr_DomInfo1);
1895 if (dominfo == NULL) {
1896 return NT_STATUS_NO_MEMORY;
1897 }
1898 dominfo->min_password_length = minPwdLength;
1899 dominfo->password_properties = pwdProperties;
1900 dominfo->password_history_length = pwdHistoryLength;
1901 dominfo->max_password_age = maxPwdAge;
1902 dominfo->min_password_age = minPwdAge;
1903 *_dominfo = dominfo;
1904 }
1905
1906 if ((restrictions != 0) && (new_password != 0)) {
1907 char *new_pass;
1908
1909 /* checks if the "minPwdLength" property is satisfied */
1910 if ((restrictions != 0)
1911 && (minPwdLength > utf16_len_n(
1912 new_password->data, new_password->length)/2)) {
1913 if (reject_reason) {
1914 *reject_reason = SAM_PWD_CHANGE_PASSWORD_TOO_SHORT;
1915 }
1916 return NT_STATUS_PASSWORD_RESTRICTION;
1917 }
1918
1919 /* Create the NT hash */
1920 mdfour(local_ntNewHash.hash, new_password->data,
1921 new_password->length);
1922
1923 ntNewHash = &local_ntNewHash;
1924
1925 /* Only check complexity if we can convert it at all. Assuming unconvertable passwords are 'strong' */
1926 if (convert_string_talloc_convenience(mem_ctx,
1927 lp_iconv_convenience(ldb_get_opaque(ctx, "loadparm")),
1928 CH_UTF16, CH_UNIX,
1929 new_password->data, new_password->length,
1930 (void **)&new_pass, NULL, false)) {
1931
1932 /* checks the password complexity */
1933 if ((restrictions != 0)
1934 && ((pwdProperties
1935 & DOMAIN_PASSWORD_COMPLEX) != 0)
1936 && (!check_password_quality(new_pass))) {
1937 if (reject_reason) {
1938 *reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
1939 }
1940 return NT_STATUS_PASSWORD_RESTRICTION;
1941 }
1942
1943 /* compute the new lm hashes (for checking history - case insenitivly!) */
1944 if (E_deshash(new_pass, local_lmNewHash.hash)) {
1945 lmNewHash = &local_lmNewHash;
1946 }
1947 }
1948 }
1949
1950 if ((restrictions != 0) && user_change) {
1951 /* are all password changes disallowed? */
1952 if ((pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) != 0) {
1953 if (reject_reason) {
1954 *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
1955 }
1956 return NT_STATUS_PASSWORD_RESTRICTION;
1957 }
1958
1959 /* can this user change the password? */
1960 if ((userAccountControl & UF_PASSWD_CANT_CHANGE) != 0) {
1961 if (reject_reason) {
1962 *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
1963 }
1964 return NT_STATUS_PASSWORD_RESTRICTION;
1965 }
1966
1967 /* Password minimum age: yes, this is a minus. The ages are in negative 100nsec units! */
1968 if (pwdLastSet - minPwdAge > now_nt) {
1969 if (reject_reason) {
1970 *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
1971 }
1972 return NT_STATUS_PASSWORD_RESTRICTION;
1973 }
1974
1975 /* check the immediately past password */
1976 if (pwdHistoryLength > 0) {
1977 if (lmNewHash && lmPwdHash && memcmp(lmNewHash->hash,
1978 lmPwdHash->hash, 16) == 0) {
1979 if (reject_reason) {
1980 *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
1981 }
1982 return NT_STATUS_PASSWORD_RESTRICTION;
1983 }
1984 if (ntNewHash && ntPwdHash && memcmp(ntNewHash->hash,
1985 ntPwdHash->hash, 16) == 0) {
1986 if (reject_reason) {
1987 *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
1988 }
1989 return NT_STATUS_PASSWORD_RESTRICTION;
1990 }
1991 }
1992
1993 /* check the password history */
1994 sambaLMPwdHistory_len = MIN(sambaLMPwdHistory_len,
1995 pwdHistoryLength);
1996 sambaNTPwdHistory_len = MIN(sambaNTPwdHistory_len,
1997 pwdHistoryLength);
1998
1999 for (i=0; lmNewHash && i<sambaLMPwdHistory_len;i++) {
2000 if (memcmp(lmNewHash->hash, sambaLMPwdHistory[i].hash,
2001 16) == 0) {
2002 if (reject_reason) {
2003 *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
2004 }
2005 return NT_STATUS_PASSWORD_RESTRICTION;
2006 }
2007 }
2008 for (i=0; ntNewHash && i<sambaNTPwdHistory_len;i++) {
2009 if (memcmp(ntNewHash->hash, sambaNTPwdHistory[i].hash,
2010 16) == 0) {
2011 if (reject_reason) {
2012 *reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
2013 }
2014 return NT_STATUS_PASSWORD_RESTRICTION;
2015 }
2016 }
2017 }
2018
2019 #define CHECK_RET(x) do { if (x != 0) return NT_STATUS_NO_MEMORY; } while(0)
2020
2021 /* the password is acceptable. Start forming the new fields */
2022 if (new_password != NULL) {
2023 /* if we know the cleartext UTF16 password, then set it.
2024 * Modules in ldb will set all the appropriate
2025 * hashes */
2026 CHECK_RET(ldb_msg_add_value(mod, "clearTextPassword", new_password, NULL));
2027 } else {
2028 /* we don't have the cleartext, so set what we have of the
2029 * hashes */
2030
2031 if (lmNewHash) {
2032 CHECK_RET(samdb_msg_add_hash(ctx, mem_ctx, mod, "dBCSPwd", lmNewHash));
2033 }
2034
2035 if (ntNewHash) {
2036 CHECK_RET(samdb_msg_add_hash(ctx, mem_ctx, mod, "unicodePwd", ntNewHash));
2037 }
2038 }
2039
2040 if (reject_reason) {
2041 *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
2042 }
2043 return NT_STATUS_OK;
2044 }
2045
2046
2047 /*
2048 * Sets the user password using plaintext UTF16 (attribute "new_password") or
2049 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
2050 * as parameter if it's a user change or not ("userChange"). The "rejectReason"
2051 * gives some more informations if the changed failed.
2052 *
2053 * This wrapper function for "samdb_set_password" takes a SID as input rather
2054 * than a user DN.
2055 *
2056 * This call encapsulates a new LDB transaction for changing the password;
2057 * therefore the user hasn't to start a new one.
2058 *
2059 * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
2060 * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
2061 * NT_STATUS_PASSWORD_RESTRICTION
2062 */
2063 NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
2064 const struct dom_sid *user_sid,
2065 const DATA_BLOB *new_password,
2066 struct samr_Password *lmNewHash,
2067 struct samr_Password *ntNewHash,
2068 bool user_change,
2069 enum samPwdChangeReason *reject_reason,
2070 struct samr_DomInfo1 **_dominfo)
2071 {
2072 NTSTATUS nt_status;
2073 struct ldb_dn *user_dn;
2074 struct ldb_message *msg;
2075 int ret;
2076
2077 ret = ldb_transaction_start(ldb);
2078 if (ret != LDB_SUCCESS) {
2079 DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(ldb)));
2080 return NT_STATUS_TRANSACTION_ABORTED;
2081 }
2082
2083 user_dn = samdb_search_dn(ldb, mem_ctx, NULL,
2084 "(&(objectSid=%s)(objectClass=user))",
2085 ldap_encode_ndr_dom_sid(mem_ctx, user_sid));
2086 if (!user_dn) {
2087 ldb_transaction_cancel(ldb);
2088 DEBUG(3, ("samdb_set_password_sid: SID %s not found in samdb, returning NO_SUCH_USER\n",
2089 dom_sid_string(mem_ctx, user_sid)));
2090 return NT_STATUS_NO_SUCH_USER;
2091 }
2092
2093 msg = ldb_msg_new(mem_ctx);
2094 if (msg == NULL) {
2095 ldb_transaction_cancel(ldb);
2096 talloc_free(user_dn);
2097 return NT_STATUS_NO_MEMORY;
2098 }
2099
2100 msg->dn = ldb_dn_copy(msg, user_dn);
2101 if (!msg->dn) {
2102 ldb_transaction_cancel(ldb);
2103 talloc_free(user_dn);
2104 talloc_free(msg);
2105 return NT_STATUS_NO_MEMORY;
2106 }
2107
2108 nt_status = samdb_set_password(ldb, mem_ctx,
2109 user_dn, NULL,
2110 msg, new_password,
2111 lmNewHash, ntNewHash,
2112 user_change,
2113 reject_reason, _dominfo);
2114 if (!NT_STATUS_IS_OK(nt_status)) {
2115 ldb_transaction_cancel(ldb);
2116 talloc_free(user_dn);
2117 talloc_free(msg);
2118 return nt_status;
2119 }
2120
2121 /* modify the samdb record */
2122 ret = samdb_replace(ldb, mem_ctx, msg);
2123 if (ret != LDB_SUCCESS) {
2124 ldb_transaction_cancel(ldb);
2125 talloc_free(user_dn);
2126 talloc_free(msg);
2127 return NT_STATUS_ACCESS_DENIED;
2128 }
2129
2130 talloc_free(msg);
2131
2132 ret = ldb_transaction_commit(ldb);
2133 if (ret != LDB_SUCCESS) {
2134 DEBUG(0,("Failed to commit transaction to change password on %s: %s\n",
2135 ldb_dn_get_linearized(user_dn),
2136 ldb_errstring(ldb)));
2137 talloc_free(user_dn);
2138 return NT_STATUS_TRANSACTION_ABORTED;
2139 }
2140
2141 talloc_free(user_dn);
2142 return NT_STATUS_OK;
2143 }
2144
2145
2146 NTSTATUS samdb_create_foreign_security_principal(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
2147 struct dom_sid *sid, struct ldb_dn **ret_dn)
2148 {
2149 struct ldb_message *msg;
2150 struct ldb_dn *basedn;
2151 char *sidstr;
2152 int ret;
2153
2154 sidstr = dom_sid_string(mem_ctx, sid);
2155 NT_STATUS_HAVE_NO_MEMORY(sidstr);
2156
2157 /* We might have to create a ForeignSecurityPrincipal, even if this user
2158 * is in our own domain */
2159
2160 msg = ldb_msg_new(sidstr);
2161 if (msg == NULL) {
2162 talloc_free(sidstr);
2163 return NT_STATUS_NO_MEMORY;
2164 }
2165
2166 ret = dsdb_wellknown_dn(sam_ctx, sidstr, samdb_base_dn(sam_ctx),
2167 DS_GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER,
2168 &basedn);
2169 if (ret != LDB_SUCCESS) {
2170 DEBUG(0, ("Failed to find DN for "
2171 "ForeignSecurityPrincipal container - %s\n", ldb_errstring(sam_ctx)));
2172 talloc_free(sidstr);
2173 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2174 }
2175
2176 /* add core elements to the ldb_message for the alias */
2177 msg->dn = basedn;
2178 if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s", sidstr)) {
2179 talloc_free(sidstr);
2180 return NT_STATUS_NO_MEMORY;
2181 }
2182
2183 samdb_msg_add_string(sam_ctx, msg, msg,
2184 "objectClass",
2185 "foreignSecurityPrincipal");
2186
2187 /* create the alias */
2188 ret = ldb_add(sam_ctx, msg);
2189 if (ret != LDB_SUCCESS) {
2190 DEBUG(0,("Failed to create foreignSecurityPrincipal "
2191 "record %s: %s\n",
2192 ldb_dn_get_linearized(msg->dn),
2193 ldb_errstring(sam_ctx)));
2194 talloc_free(sidstr);
2195 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2196 }
2197
2198 *ret_dn = talloc_steal(mem_ctx, msg->dn);
2199 talloc_free(sidstr);
2200
2201 return NT_STATUS_OK;
2202 }
2203
2204
2205 /*
2206 Find the DN of a domain, assuming it to be a dotted.dns name
2207 */
2208
2209 struct ldb_dn *samdb_dns_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const char *dns_domain)
2210 {
2211 int i;
2212 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2213 const char *binary_encoded;
2214 const char **split_realm;
2215 struct ldb_dn *dn;
2216
2217 if (!tmp_ctx) {
2218 return NULL;
2219 }
2220
2221 split_realm = (const char **)str_list_make(tmp_ctx, dns_domain, ".");
2222 if (!split_realm) {
2223 talloc_free(tmp_ctx);
2224 return NULL;
2225 }
2226 dn = ldb_dn_new(mem_ctx, ldb, NULL);
2227 for (i=0; split_realm[i]; i++) {
2228 binary_encoded = ldb_binary_encode_string(tmp_ctx, split_realm[i]);
2229 if (!ldb_dn_add_base_fmt(dn, "dc=%s", binary_encoded)) {
2230 DEBUG(2, ("Failed to add dc=%s element to DN %s\n",
2231 binary_encoded, ldb_dn_get_linearized(dn)));
2232 talloc_free(tmp_ctx);
2233 return NULL;
2234 }
2235 }
2236 if (!ldb_dn_validate(dn)) {
2237 DEBUG(2, ("Failed to validated DN %s\n",
2238 ldb_dn_get_linearized(dn)));
2239 talloc_free(tmp_ctx);
2240 return NULL;
2241 }
2242 talloc_free(tmp_ctx);
2243 return dn;
2244 }
2245
2246 /*
2247 Find the DN of a domain, be it the netbios or DNS name
2248 */
2249 struct ldb_dn *samdb_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
2250 const char *domain_name)
2251 {
2252 const char * const domain_ref_attrs[] = {
2253 "ncName", NULL
2254 };
2255 const char * const domain_ref2_attrs[] = {
2256 NULL
2257 };
2258 struct ldb_result *res_domain_ref;
2259 char *escaped_domain = ldb_binary_encode_string(mem_ctx, domain_name);
2260 /* find the domain's DN */
2261 int ret_domain = ldb_search(ldb, mem_ctx,
2262 &res_domain_ref,
2263 samdb_partitions_dn(ldb, mem_ctx),
2264 LDB_SCOPE_ONELEVEL,
2265 domain_ref_attrs,
2266 "(&(nETBIOSName=%s)(objectclass=crossRef))",
2267 escaped_domain);
2268 if (ret_domain != 0) {
2269 return NULL;
2270 }
2271
2272 if (res_domain_ref->count == 0) {
2273 ret_domain = ldb_search(ldb, mem_ctx,
2274 &res_domain_ref,
2275 samdb_dns_domain_to_dn(ldb, mem_ctx, domain_name),
2276 LDB_SCOPE_BASE,
2277 domain_ref2_attrs,
2278 "(objectclass=domain)");
2279 if (ret_domain != 0) {
2280 return NULL;
2281 }
2282
2283 if (res_domain_ref->count == 1) {
2284 return res_domain_ref->msgs[0]->dn;
2285 }
2286 return NULL;
2287 }
2288
2289 if (res_domain_ref->count > 1) {
2290 DEBUG(0,("Found %d records matching domain [%s]\n",
2291 ret_domain, domain_name));
2292 return NULL;
2293 }
2294
2295 return samdb_result_dn(ldb, mem_ctx, res_domain_ref->msgs[0], "nCName", NULL);
2296
2297 }
2298
2299
2300 /*
2301 use a GUID to find a DN
2302 */
2303 int dsdb_find_dn_by_guid(struct ldb_context *ldb,
2304 TALLOC_CTX *mem_ctx,
2305 const char *guid_str, struct ldb_dn **dn)
2306 {
2307 int ret;
2308 struct ldb_result *res;
2309 const char *attrs[] = { NULL };
2310 struct ldb_request *search_req;
2311 char *expression;
2312 struct ldb_search_options_control *options;
2313
2314 expression = talloc_asprintf(mem_ctx, "objectGUID=%s", guid_str);
2315 if (!expression) {
2316 DEBUG(0, (__location__ ": out of memory\n"));
2317 return LDB_ERR_OPERATIONS_ERROR;
2318 }
2319
2320 res = talloc_zero(expression, struct ldb_result);
2321 if (!res) {
2322 DEBUG(0, (__location__ ": out of memory\n"));
2323 talloc_free(expression);
2324 return LDB_ERR_OPERATIONS_ERROR;
2325 }
2326
2327 ret = ldb_build_search_req(&search_req, ldb, expression,
2328 ldb_get_default_basedn(ldb),
2329 LDB_SCOPE_SUBTREE,
2330 expression, attrs,
2331 NULL,
2332 res, ldb_search_default_callback,
2333 NULL);
2334 if (ret != LDB_SUCCESS) {
2335 talloc_free(expression);
2336 return ret;
2337 }
2338
2339 /* we need to cope with cross-partition links, so search for
2340 the GUID over all partitions */
2341 options = talloc(search_req, struct ldb_search_options_control);
2342 if (options == NULL) {
2343 DEBUG(0, (__location__ ": out of memory\n"));
2344 talloc_free(expression);
2345 return LDB_ERR_OPERATIONS_ERROR;
2346 }
2347 options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
2348
2349 ret = ldb_request_add_control(search_req, LDB_CONTROL_EXTENDED_DN_OID, true, NULL);
2350 if (ret != LDB_SUCCESS) {
2351 talloc_free(expression);
2352 return ret;
2353 }
2354
2355 ret = ldb_request_add_control(search_req,
2356 LDB_CONTROL_SEARCH_OPTIONS_OID,
2357 true, options);
2358 if (ret != LDB_SUCCESS) {
2359 talloc_free(expression);
2360 return ret;
2361 }
2362
2363 ret = ldb_request(ldb, search_req);
2364 if (ret != LDB_SUCCESS) {
2365 talloc_free(expression);
2366 return ret;
2367 }
2368
2369 ret = ldb_wait(search_req->handle, LDB_WAIT_ALL);
2370 if (ret != LDB_SUCCESS) {
2371 talloc_free(expression);
2372 return ret;
2373 }
2374
2375 /* this really should be exactly 1, but there is a bug in the
2376 partitions module that can return two here with the
2377 search_options control set */
2378 if (res->count < 1) {
2379 talloc_free(expression);
2380 return LDB_ERR_NO_SUCH_OBJECT;
2381 }
2382
2383 *dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
2384 talloc_free(expression);
2385
2386 return LDB_SUCCESS;
2387 }
2388
2389 /*
2390 search for attrs on one DN, allowing for deleted objects
2391 */
2392 int dsdb_search_dn_with_deleted(struct ldb_context *ldb,
2393 TALLOC_CTX *mem_ctx,
2394 struct ldb_result **_res,
2395 struct ldb_dn *basedn,
2396 const char * const *attrs)
2397 {
2398 int ret;
2399 struct ldb_request *req;
2400 TALLOC_CTX *tmp_ctx;
2401 struct ldb_result *res;
2402
2403 tmp_ctx = talloc_new(mem_ctx);
2404
2405 res = talloc_zero(tmp_ctx, struct ldb_result);
2406 if (!res) {
2407 talloc_free(tmp_ctx);
2408 return LDB_ERR_OPERATIONS_ERROR;
2409 }
2410
2411 ret = ldb_build_search_req(&req, ldb, tmp_ctx,
2412 basedn,
2413 LDB_SCOPE_BASE,
2414 NULL,
2415 attrs,
2416 NULL,
2417 res,
2418 ldb_search_default_callback,
2419 NULL);
2420 if (ret != LDB_SUCCESS) {
2421 talloc_free(tmp_ctx);
2422 return ret;
2423 }
2424
2425 ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_DELETED_OID, true, NULL);
2426 if (ret != LDB_SUCCESS) {
2427 talloc_free(tmp_ctx);
2428 return ret;
2429 }
2430
2431 ret = ldb_request(ldb, req);
2432 if (ret == LDB_SUCCESS) {
2433 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
2434 }
2435
2436 *_res = talloc_steal(mem_ctx, res);
2437 talloc_free(tmp_ctx);
2438 return ret;
2439 }
2440
2441
2442 /*
2443 use a DN to find a GUID with a given attribute name
2444 */
2445 int dsdb_find_guid_attr_by_dn(struct ldb_context *ldb,
2446 struct ldb_dn *dn, const char *attribute,
2447 struct GUID *guid)
2448 {
2449 int ret;
2450 struct ldb_result *res;
2451 const char *attrs[2];
2452 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
2453
2454 attrs[0] = attribute;
2455 attrs[1] = NULL;
2456
2457 ret = dsdb_search_dn_with_deleted(ldb, tmp_ctx, &res, dn, attrs);
2458 if (ret != LDB_SUCCESS) {
2459 talloc_free(tmp_ctx);
2460 return ret;
2461 }
2462 if (res->count < 1) {
2463 talloc_free(tmp_ctx);
2464 return LDB_ERR_NO_SUCH_OBJECT;
2465 }
2466 *guid = samdb_result_guid(res->msgs[0], attribute);
2467 talloc_free(tmp_ctx);
2468 return LDB_SUCCESS;
2469 }
2470
2471 /*
2472 use a DN to find a GUID
2473 */
2474 int dsdb_find_guid_by_dn(struct ldb_context *ldb,
2475 struct ldb_dn *dn, struct GUID *guid)
2476 {
2477 return dsdb_find_guid_attr_by_dn(ldb, dn, "objectGUID", guid);
2478 }
2479
2480
2481
2482 /*
2483 adds the given GUID to the given ldb_message. This value is added
2484 for the given attr_name (may be either "objectGUID" or "parentGUID").
2485 */
2486 int dsdb_msg_add_guid(struct ldb_message *msg,
2487 struct GUID *guid,
2488 const char *attr_name)
2489 {
2490 int ret;
2491 struct ldb_val v;
2492 NTSTATUS status;
2493 TALLOC_CTX *tmp_ctx = talloc_init("dsdb_msg_add_guid");
2494
2495 status = GUID_to_ndr_blob(guid, tmp_ctx, &v);
2496 if (!NT_STATUS_IS_OK(status)) {
2497 ret = LDB_ERR_OPERATIONS_ERROR;
2498 goto done;
2499 }
2500
2501 ret = ldb_msg_add_steal_value(msg, attr_name, &v);
2502 if (ret != LDB_SUCCESS) {
2503 DEBUG(4,(__location__ ": Failed to add %s to the message\n",
2504 attr_name));
2505 goto done;
2506 }
2507
2508 ret = LDB_SUCCESS;
2509
2510 done:
2511 talloc_free(tmp_ctx);
2512 return ret;
2513
2514 }
2515
2516
2517 /*
2518 use a DN to find a SID
2519 */
2520 int dsdb_find_sid_by_dn(struct ldb_context *ldb,
2521 struct ldb_dn *dn, struct dom_sid *sid)
2522 {
2523 int ret;
2524 struct ldb_result *res;
2525 const char *attrs[] = { "objectSID", NULL };
2526 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
2527 struct dom_sid *s;
2528
2529 ZERO_STRUCTP(sid);
2530
2531 ret = dsdb_search_dn_with_deleted(ldb, tmp_ctx, &res, dn, attrs);
2532 if (ret != LDB_SUCCESS) {
2533 talloc_free(tmp_ctx);
2534 return ret;
2535 }
2536 if (res->count < 1) {
2537 talloc_free(tmp_ctx);
2538 return LDB_ERR_NO_SUCH_OBJECT;
2539 }
2540 s = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSID");
2541 if (s == NULL) {
2542 talloc_free(tmp_ctx);
2543 return LDB_ERR_NO_SUCH_OBJECT;
2544 }
2545 *sid = *s;
2546 talloc_free(tmp_ctx);
2547 return LDB_SUCCESS;
2548 }
2549
2550
2551
2552 /*
2553 load a repsFromTo blob list for a given partition GUID
2554 attr must be "repsFrom" or "repsTo"
2555 */
2556 WERROR dsdb_loadreps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
2557 const char *attr, struct repsFromToBlob **r, uint32_t *count)
2558 {
2559 const char *attrs[] = { attr, NULL };
2560 struct ldb_result *res = NULL;
2561 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2562 int i;
2563 struct ldb_message_element *el;
2564
2565 *r = NULL;
2566 *count = 0;
2567
2568 if (ldb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, NULL) != LDB_SUCCESS ||
2569 res->count < 1) {
2570 DEBUG(0,("dsdb_loadreps: failed to read partition object\n"));
2571 talloc_free(tmp_ctx);
2572 return WERR_DS_DRA_INTERNAL_ERROR;
2573 }
2574
2575 el = ldb_msg_find_element(res->msgs[0], attr);
2576 if (el == NULL) {
2577 /* it's OK to be empty */
2578 talloc_free(tmp_ctx);
2579 return WERR_OK;
2580 }
2581
2582 *count = el->num_values;
2583 *r = talloc_array(mem_ctx, struct repsFromToBlob, *count);
2584 if (*r == NULL) {
2585 talloc_free(tmp_ctx);
2586 return WERR_DS_DRA_INTERNAL_ERROR;
2587 }
2588
2589 for (i=0; i<(*count); i++) {
2590 enum ndr_err_code ndr_err;
2591 ndr_err = ndr_pull_struct_blob(&el->values[i],
2592 mem_ctx, lp_iconv_convenience(ldb_get_opaque(sam_ctx, "loadparm")),
2593 &(*r)[i],
2594 (ndr_pull_flags_fn_t)ndr_pull_repsFromToBlob);
2595 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2596 talloc_free(tmp_ctx);
2597 return WERR_DS_DRA_INTERNAL_ERROR;
2598 }
2599 }
2600
2601 talloc_free(tmp_ctx);
2602
2603 return WERR_OK;
2604 }
2605
2606 /*
2607 save the repsFromTo blob list for a given partition GUID
2608 attr must be "repsFrom" or "repsTo"
2609 */
2610 WERROR dsdb_savereps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
2611 const char *attr, struct repsFromToBlob *r, uint32_t count)
2612 {
2613 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2614 struct ldb_message *msg;
2615 struct ldb_message_element *el;
2616 int i;
2617
2618 msg = ldb_msg_new(tmp_ctx);
2619 msg->dn = dn;
2620 if (ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_REPLACE, &el) != LDB_SUCCESS) {
2621 goto failed;
2622 }
2623
2624 el->values = talloc_array(msg, struct ldb_val, count);
2625 if (!el->values) {
2626 goto failed;
2627 }
2628
2629 for (i=0; i<count; i++) {
2630 struct ldb_val v;
2631 enum ndr_err_code ndr_err;
2632
2633 ndr_err = ndr_push_struct_blob(&v, tmp_ctx, lp_iconv_convenience(ldb_get_opaque(sam_ctx, "loadparm")),
2634 &r[i],
2635 (ndr_push_flags_fn_t)ndr_push_repsFromToBlob);
2636 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2637 goto failed;
2638 }
2639
2640 el->num_values++;
2641 el->values[i] = v;
2642 }
2643
2644 if (ldb_modify(sam_ctx, msg) != LDB_SUCCESS) {
2645 DEBUG(0,("Failed to store %s - %s\n", attr, ldb_errstring(sam_ctx)));
2646 goto failed;
2647 }
2648
2649 talloc_free(tmp_ctx);
2650
2651 return WERR_OK;
2652
2653 failed:
2654 talloc_free(tmp_ctx);
2655 return WERR_DS_DRA_INTERNAL_ERROR;
2656 }
2657
2658
2659 /*
2660 load the uSNHighest attribute from the @REPLCHANGED object for a
2661 partition
2662 */
2663 int dsdb_load_partition_usn(struct ldb_context *ldb, struct ldb_dn *dn, uint64_t *uSN)
2664 {
2665 struct ldb_request *req;
2666 int ret;
2667 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
2668 struct dsdb_control_current_partition *p_ctrl;
2669 struct ldb_result *res;
2670
2671 res = talloc_zero(tmp_ctx, struct ldb_result);
2672 if (!res) {
2673 talloc_free(tmp_ctx);
2674 return LDB_ERR_OPERATIONS_ERROR;
2675 }
2676
2677 ret = ldb_build_search_req(&req, ldb, tmp_ctx,
2678 ldb_dn_new(tmp_ctx, ldb, "@REPLCHANGED"),
2679 LDB_SCOPE_BASE,
2680 NULL, NULL,
2681 NULL,
2682 res, ldb_search_default_callback,
2683 NULL);
2684 if (ret != LDB_SUCCESS) {
2685 talloc_free(tmp_ctx);
2686 return ret;
2687 }
2688
2689 p_ctrl = talloc(req, struct dsdb_control_current_partition);
2690 if (p_ctrl == NULL) {
2691 talloc_free(res);
2692 return LDB_ERR_OPERATIONS_ERROR;
2693 }
2694 p_ctrl->version = DSDB_CONTROL_CURRENT_PARTITION_VERSION;
2695 p_ctrl->dn = dn;
2696
2697
2698 ret = ldb_request_add_control(req,
2699 DSDB_CONTROL_CURRENT_PARTITION_OID,
2700 false, p_ctrl);
2701 if (ret != LDB_SUCCESS) {
2702 talloc_free(tmp_ctx);
2703 return ret;
2704 }
2705
2706 /* Run the new request */
2707 ret = ldb_request(ldb, req);
2708
2709 if (ret == LDB_SUCCESS) {
2710 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
2711 }
2712
2713 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2714 /* it hasn't been created yet, which means
2715 an implicit value of zero */
2716 *uSN = 0;
2717 talloc_free(tmp_ctx);
2718 return LDB_SUCCESS;
2719 }
2720
2721 if (ret != LDB_SUCCESS) {
2722 talloc_free(tmp_ctx);
2723 return ret;
2724 }
2725
2726 if (res->count < 1) {
2727 *uSN = 0;
2728 } else {
2729 *uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNHighest", 0);
2730 }
2731
2732 talloc_free(tmp_ctx);
2733
2734 return LDB_SUCCESS;
2735 }
2736
2737 /*
2738 save the uSNHighest attribute in the @REPLCHANGED object for a
2739 partition
2740 */
2741 int dsdb_save_partition_usn(struct ldb_context *ldb, struct ldb_dn *dn, uint64_t uSN)
2742 {
2743 struct ldb_request *req;
2744 struct ldb_message *msg;
2745 struct dsdb_control_current_partition *p_ctrl;
2746 int ret;
2747
2748 msg = ldb_msg_new(ldb);
2749 if (msg == NULL) {
2750 return LDB_ERR_OPERATIONS_ERROR;
2751 }
2752
2753 msg->dn = ldb_dn_new(msg, ldb, "@REPLCHANGED");
2754 if (msg->dn == NULL) {
2755 talloc_free(msg);
2756 return LDB_ERR_OPERATIONS_ERROR;
2757 }
2758
2759 ret = ldb_msg_add_fmt(msg, "uSNHighest", "%llu", (unsigned long long)uSN);
2760 if (ret != LDB_SUCCESS) {
2761 talloc_free(msg);
2762 return ret;
2763 }
2764 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
2765
2766
2767 p_ctrl = talloc(msg, struct dsdb_control_current_partition);
2768 if (p_ctrl == NULL) {
2769 talloc_free(msg);
2770 return LDB_ERR_OPERATIONS_ERROR;
2771 }
2772 p_ctrl->version = DSDB_CONTROL_CURRENT_PARTITION_VERSION;
2773 p_ctrl->dn = dn;
2774
2775 ret = ldb_build_mod_req(&req, ldb, msg,
2776 msg,
2777 NULL,
2778 NULL, ldb_op_default_callback,
2779 NULL);
2780 again:
2781 if (ret != LDB_SUCCESS) {
2782 talloc_free(msg);
2783 return ret;
2784 }
2785
2786 ret = ldb_request_add_control(req,
2787 DSDB_CONTROL_CURRENT_PARTITION_OID,
2788 false, p_ctrl);
2789 if (ret != LDB_SUCCESS) {
2790 talloc_free(msg);
2791 return ret;
2792 }
2793
2794 /* Run the new request */
2795 ret = ldb_request(ldb, req);
2796
2797 if (ret == LDB_SUCCESS) {
2798 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
2799 }
2800 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2801 ret = ldb_build_add_req(&req, ldb, msg,
2802 msg,
2803 NULL,
2804 NULL, ldb_op_default_callback,
2805 NULL);
2806 goto again;
2807 }
2808
2809 talloc_free(msg);
2810
2811 return ret;
2812 }
2813
2814 int drsuapi_DsReplicaCursor2_compare(const struct drsuapi_DsReplicaCursor2 *c1,
2815 const struct drsuapi_DsReplicaCursor2 *c2)
2816 {
2817 return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
2818 }
2819
2820 int drsuapi_DsReplicaCursor_compare(const struct drsuapi_DsReplicaCursor *c1,
2821 const struct drsuapi_DsReplicaCursor *c2)
2822 {
2823 return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
2824 }
2825
2826 /*
2827 see if we are a RODC
2828
2829 TODO: This should take a sam_ctx, and lookup the right object (with
2830 a cache)
2831 */
2832 bool samdb_rodc(struct loadparm_context *lp_ctx)
2833 {
2834 return lp_parm_bool(lp_ctx, NULL, "repl", "RODC", false);
2835 }
2836
2837
2838 /*
2839 return NTDS options flags. See MS-ADTS 7.1.1.2.2.1.2.1.1
2840
2841 flags are DS_NTDS_OPTION_*
2842 */
2843 int samdb_ntds_options(struct ldb_context *ldb, uint32_t *options)
2844 {
2845 TALLOC_CTX *tmp_ctx;
2846 const char *attrs[] = { "options", NULL };
2847 int ret;
2848 struct ldb_result *res;
2849
2850 tmp_ctx = talloc_new(ldb);
2851 if (tmp_ctx == NULL) {
2852 goto failed;
2853 }
2854
2855 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
2856 if (ret) {
2857 goto failed;
2858 }
2859
2860 if (res->count != 1) {
2861 goto failed;
2862 }
2863
2864 *options = samdb_result_uint(res->msgs[0], "options", 0);
2865
2866 talloc_free(tmp_ctx);
2867
2868 return LDB_SUCCESS;
2869
2870 failed:
2871 DEBUG(1,("Failed to find our own NTDS Settings objectGUID in the ldb!\n"));
2872 talloc_free(tmp_ctx);
2873 return LDB_ERR_NO_SUCH_OBJECT;
2874 }
2875
2876 /*
2877 * Function which generates a "lDAPDisplayName" attribute from a "CN" one.
2878 * Algorithm implemented according to MS-ADTS 3.1.1.2.3.4
2879 */
2880 const char *samdb_cn_to_lDAPDisplayName(TALLOC_CTX *mem_ctx, const char *cn)
2881 {
2882 char **tokens, *ret;
2883 size_t i;
2884
2885 tokens = str_list_make(mem_ctx, cn, " -_");
2886 if (tokens == NULL)
2887 return NULL;
2888
2889 /* "tolower()" and "toupper()" should also work properly on 0x00 */
2890 tokens[0][0] = tolower(tokens[0][0]);
2891 for (i = 1; i < str_list_length((const char **)tokens); i++)
2892 tokens[i][0] = toupper(tokens[i][0]);
2893
2894 ret = talloc_strdup(mem_ctx, tokens[0]);
2895 for (i = 1; i < str_list_length((const char **)tokens); i++)
2896 ret = talloc_asprintf_append_buffer(ret, "%s", tokens[i]);
2897
2898 talloc_free(tokens);
2899
2900 return ret;
2901 }
2902
2903 /*
2904 return domain functional level
2905 returns DS_DOMAIN_FUNCTION_*
2906 */
2907 int dsdb_functional_level(struct ldb_context *ldb)
2908 {
2909 int *domainFunctionality =
2910 talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int);
2911 if (!domainFunctionality) {
2912 DEBUG(0,(__location__ ": WARNING: domainFunctionality not setup\n"));
2913 return DS_DOMAIN_FUNCTION_2000;
2914 }
2915 return *domainFunctionality;
2916 }
2917
2918 /*
2919 set a GUID in an extended DN structure
2920 */
2921 int dsdb_set_extended_dn_guid(struct ldb_dn *dn, const struct GUID *guid, const char *component_name)
2922 {
2923 struct ldb_val v;
2924 NTSTATUS status;
2925 int ret;
2926
2927 status = GUID_to_ndr_blob(guid, dn, &v);
2928 if (!NT_STATUS_IS_OK(status)) {
2929 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
2930 }
2931
2932 ret = ldb_dn_set_extended_component(dn, component_name, &v);
2933 data_blob_free(&v);
2934 return ret;
2935 }
2936
2937 /*
2938 return a GUID from a extended DN structure
2939 */
2940 NTSTATUS dsdb_get_extended_dn_guid(struct ldb_dn *dn, struct GUID *guid, const char *component_name)
2941 {
2942 const struct ldb_val *v;
2943
2944 v = ldb_dn_get_extended_component(dn, component_name);
2945 if (v == NULL) {
2946 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2947 }
2948
2949 return GUID_from_ndr_blob(v, guid);
2950 }
2951
2952 /*
2953 return a uint64_t from a extended DN structure
2954 */
2955 NTSTATUS dsdb_get_extended_dn_uint64(struct ldb_dn *dn, uint64_t *val, const char *component_name)
2956 {
2957 const struct ldb_val *v;
2958 char *s;
2959
2960 v = ldb_dn_get_extended_component(dn, component_name);
2961 if (v == NULL) {
2962 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2963 }
2964 s = talloc_strndup(dn, (const char *)v->data, v->length);
2965 NT_STATUS_HAVE_NO_MEMORY(s);
2966
2967 *val = strtoull(s, NULL, 0);
2968
2969 talloc_free(s);
2970 return NT_STATUS_OK;
2971 }
2972
2973 /*
2974 return a NTTIME from a extended DN structure
2975 */
2976 NTSTATUS dsdb_get_extended_dn_nttime(struct ldb_dn *dn, NTTIME *nttime, const char *component_name)
2977 {
2978 return dsdb_get_extended_dn_uint64(dn, nttime, component_name);
2979 }
2980
2981 /*
2982 return a uint32_t from a extended DN structure
2983 */
2984 NTSTATUS dsdb_get_extended_dn_uint32(struct ldb_dn *dn, uint32_t *val, const char *component_name)
2985 {
2986 const struct ldb_val *v;
2987 char *s;
2988
2989 v = ldb_dn_get_extended_component(dn, component_name);
2990 if (v == NULL) {
2991 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2992 }
2993
2994 s = talloc_strndup(dn, (const char *)v->data, v->length);
2995 NT_STATUS_HAVE_NO_MEMORY(s);
2996
2997 *val = strtoul(s, NULL, 0);
2998
2999 talloc_free(s);
3000 return NT_STATUS_OK;
3001 }
3002
3003 /*
3004 return RMD_FLAGS directly from a ldb_dn
3005 returns 0 if not found
3006 */
3007 uint32_t dsdb_dn_rmd_flags(struct ldb_dn *dn)
3008 {
3009 const struct ldb_val *v;
3010 char buf[32];
3011 v = ldb_dn_get_extended_component(dn, "RMD_FLAGS");
3012 if (!v || v->length > sizeof(buf)-1) return 0;
3013 strncpy(buf, (const char *)v->data, v->length);
3014 buf[v->length] = 0;
3015 return strtoul(buf, NULL, 10);
3016 }
3017
3018 /*
3019 return RMD_FLAGS directly from a ldb_val for a DN
3020 returns 0 if RMD_FLAGS is not found
3021 */
3022 uint32_t dsdb_dn_val_rmd_flags(struct ldb_val *val)
3023 {
3024 const char *p;
3025 uint32_t flags;
3026 char *end;
3027
3028 if (val->length < 13) {
3029 return 0;
3030 }
3031 p = memmem(val->data, val->length-2, "<RMD_FLAGS=", 11);
3032 if (!p) {
3033 return 0;
3034 }
3035 flags = strtoul(p+11, &end, 10);
3036 if (!end || *end != '>') {
3037 /* it must end in a > */
3038 return 0;
3039 }
3040 return flags;
3041 }
3042
3043 /*
3044 return true if a ldb_val containing a DN in storage form is deleted
3045 */
3046 bool dsdb_dn_is_deleted_val(struct ldb_val *val)
3047 {
3048 return (dsdb_dn_val_rmd_flags(val) & DSDB_RMD_FLAG_DELETED) != 0;
3049 }
3050
3051 /*
3052 return true if a ldb_val containing a DN in storage form is
3053 in the upgraded w2k3 linked attribute format
3054 */
3055 bool dsdb_dn_is_upgraded_link_val(struct ldb_val *val)
3056 {
3057 return memmem(val->data, val->length, "<RMD_ADDTIME=", 13) != NULL;
3058 }
3059
3060 /*
3061 return a DN for a wellknown GUID
3062 */
3063 int dsdb_wellknown_dn(struct ldb_context *samdb, TALLOC_CTX *mem_ctx,
3064 struct ldb_dn *nc_root, const char *wk_guid,
3065 struct ldb_dn **wkguid_dn)
3066 {
3067 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3068 const char *attrs[] = { NULL };
3069 int ret;
3070 struct ldb_dn *dn;
3071 struct ldb_result *res;
3072
3073 /* construct the magic WKGUID DN */
3074 dn = ldb_dn_new_fmt(tmp_ctx, samdb, "<WKGUID=%s,%s>",
3075 wk_guid, ldb_dn_get_linearized(nc_root));
3076 if (!wkguid_dn) {
3077 talloc_free(tmp_ctx);
3078 return LDB_ERR_OPERATIONS_ERROR;
3079 }
3080
3081 ret = dsdb_search_dn_with_deleted(samdb, tmp_ctx, &res, dn, attrs);
3082 if (ret != LDB_SUCCESS) {
3083 talloc_free(tmp_ctx);
3084 return ret;
3085 }
3086
3087 (*wkguid_dn) = talloc_steal(mem_ctx, res->msgs[0]->dn);
3088 talloc_free(tmp_ctx);
3089 return LDB_SUCCESS;
3090 }
3091
3092
3093 static int dsdb_dn_compare_ptrs(struct ldb_dn **dn1, struct ldb_dn **dn2)
3094 {
3095 return ldb_dn_compare(*dn1, *dn2);
3096 }
3097
3098 /*
3099 find a NC root given a DN within the NC
3100 */
3101 int dsdb_find_nc_root(struct ldb_context *samdb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
3102 struct ldb_dn **nc_root)
3103 {
3104 const char *root_attrs[] = { "namingContexts", NULL };
3105 TALLOC_CTX *tmp_ctx;
3106 int ret;
3107 struct ldb_message_element *el;
3108 struct ldb_result *root_res;
3109 int i;
3110 struct ldb_dn **nc_dns;
3111
3112 tmp_ctx = talloc_new(samdb);
3113 if (tmp_ctx == NULL) {
3114 return LDB_ERR_OPERATIONS_ERROR;
3115 }
3116
3117 ret = ldb_search(samdb, tmp_ctx, &root_res,
3118 ldb_dn_new(tmp_ctx, samdb, ""), LDB_SCOPE_BASE, root_attrs, NULL);
3119 if (ret) {
3120 DEBUG(1,("Searching for namingContexts in rootDSE failed: %s\n", ldb_errstring(samdb)));
3121 talloc_free(tmp_ctx);
3122 return ret;
3123 }
3124
3125 el = ldb_msg_find_element(root_res->msgs[0], "namingContexts");
3126 if (!el) {
3127 DEBUG(1,("Finding namingContexts element in root_res failed: %s\n",
3128 ldb_errstring(samdb)));
3129 talloc_free(tmp_ctx);
3130 return LDB_ERR_NO_SUCH_ATTRIBUTE;
3131 }
3132
3133 nc_dns = talloc_array(tmp_ctx, struct ldb_dn *, el->num_values);
3134 if (!nc_dns) {
3135 talloc_free(tmp_ctx);
3136 return LDB_ERR_OPERATIONS_ERROR;
3137 }
3138
3139 for (i=0; i<el->num_values; i++) {
3140 nc_dns[i] = ldb_dn_from_ldb_val(nc_dns, samdb, &el->values[i]);
3141 if (nc_dns[i] == NULL) {
3142 talloc_free(tmp_ctx);
3143 return LDB_ERR_OPERATIONS_ERROR;
3144 }
3145 }
3146
3147 qsort(nc_dns, el->num_values, sizeof(nc_dns[0]), (comparison_fn_t)dsdb_dn_compare_ptrs);
3148
3149 for (i=0; i<el->num_values; i++) {
3150 if (ldb_dn_compare_base(nc_dns[i], dn) == 0) {
3151 (*nc_root) = talloc_steal(mem_ctx, nc_dns[i]);
3152 talloc_free(tmp_ctx);
3153 return LDB_SUCCESS;
3154 }
3155 }
3156
3157 talloc_free(tmp_ctx);
3158 return LDB_ERR_NO_SUCH_OBJECT;
3159 }
3160
3161
3162 /*
3163 find the deleted objects DN for any object, by looking for the NC
3164 root, then looking up the wellknown GUID
3165 */
3166 int dsdb_get_deleted_objects_dn(struct ldb_context *ldb,
3167 TALLOC_CTX *mem_ctx, struct ldb_dn *obj_dn,
3168 struct ldb_dn **do_dn)
3169 {
3170 struct ldb_dn *nc_root;
3171 int ret;
3172
3173 ret = dsdb_find_nc_root(ldb, mem_ctx, obj_dn, &nc_root);
3174 if (ret != LDB_SUCCESS) {
3175 return ret;
3176 }
3177
3178 ret = dsdb_wellknown_dn(ldb, mem_ctx, nc_root, DS_GUID_DELETED_OBJECTS_CONTAINER, do_dn);
3179 talloc_free(nc_root);
3180 return ret;
3181 }
3182
3183 /*
3184 return the tombstoneLifetime, in days
3185 */
3186 int dsdb_tombstone_lifetime(struct ldb_context *ldb, uint32_t *lifetime)
3187 {
3188 struct ldb_dn *dn;
3189 dn = samdb_config_dn(ldb);
3190 if (!dn) {
3191 return LDB_ERR_NO_SUCH_OBJECT;
3192 }
3193 dn = ldb_dn_copy(ldb, dn);
3194 if (!dn) {
3195 return LDB_ERR_OPERATIONS_ERROR;
3196 }
3197 /* see MS-ADTS section 7.1.1.2.4.1.1. There doesn't appear to
3198 be a wellknown GUID for this */
3199 if (!ldb_dn_add_child_fmt(dn, "CN=Directory Service,CN=Windows NT")) {
3200 talloc_free(dn);
3201 return LDB_ERR_OPERATIONS_ERROR;
3202 }
3203
3204 *lifetime = samdb_search_uint(ldb, dn, 180, dn, "tombstoneLifetime", "objectClass=nTDSService");
3205 talloc_free(dn);
3206 return LDB_SUCCESS;
3207 }
3208
3209 /*
3210 compare a ldb_val to a string case insensitively
3211 */
3212 int samdb_ldb_val_case_cmp(const char *s, struct ldb_val *v)
3213 {
3214 size_t len = strlen(s);
3215 int ret;
3216 if (len > v->length) return 1;
3217 ret = strncasecmp(s, (const char *)v->data, v->length);
3218 if (ret != 0) return ret;
3219 if (v->length > len && v->data[len] != 0) {
3220 return -1;
3221 }
3222 return 0;
3223 }