2006-03-14 18:03:25 +03:00
/*
Unix SMB / CIFS implementation .
interface functions for the sam database
Copyright ( C ) Andrew Tridgell 2004
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2006-03-14 18:03:25 +03:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2006-03-14 18:03:25 +03:00
*/
# ifndef __SAMDB_H__
# define __SAMDB_H__
struct auth_session_info ;
2007-01-16 13:57:55 +03:00
struct dsdb_control_current_partition ;
2007-01-11 13:21:38 +03:00
struct dsdb_extended_replicated_object ;
struct dsdb_extended_replicated_objects ;
2007-12-02 19:09:52 +03:00
struct loadparm_context ;
2008-12-29 22:24:57 +03:00
struct tevent_context ;
2018-04-04 03:39:55 +03:00
struct tsocket_address ;
2015-02-02 15:12:36 +03:00
struct dsdb_trust_routing_table ;
2022-02-09 06:33:23 +03:00
enum dsdb_password_checked {
DSDB_PASSWORD_NOT_CHECKED = 0 , /* unused */
DSDB_PASSWORD_RESET ,
DSDB_PASSWORD_CHECKED_AND_CORRECT
} ;
2007-01-11 13:21:38 +03:00
# include "librpc/gen_ndr/security.h"
2011-02-10 06:12:51 +03:00
# include <ldb.h>
2008-08-18 14:30:27 +04:00
# include "lib/ldb-samba/ldif_handlers.h"
2007-01-11 13:21:38 +03:00
# include "librpc/gen_ndr/samr.h"
# include "librpc/gen_ndr/drsuapi.h"
# include "librpc/gen_ndr/drsblobs.h"
# include "dsdb/schema/schema.h"
# include "dsdb/samdb/samdb_proto.h"
2009-11-05 08:57:20 +03:00
# include "dsdb/common/dsdb_dn.h"
2017-03-13 02:14:23 +03:00
# include "dsdb/common/util_links.h"
2010-11-27 20:30:12 +03:00
# include "dsdb/common/proto.h"
2009-06-12 16:27:19 +04:00
# include "../libds/common/flags.h"
2006-03-14 18:03:25 +03:00
2007-01-16 13:57:55 +03:00
# define DSDB_CONTROL_CURRENT_PARTITION_OID "1.3.6.1.4.1.7165.4.3.2"
struct dsdb_control_current_partition {
/*
* this is the version of the dsdb_control_current_partition
* version 0 : initial implementation
2009-09-02 07:36:54 +04:00
* version 1 : got rid of backend and module fields
2007-01-16 13:57:55 +03:00
*/
2009-09-02 07:36:54 +04:00
# define DSDB_CONTROL_CURRENT_PARTITION_VERSION 1
2007-01-16 13:57:55 +03:00
uint32_t version ;
struct ldb_dn * dn ;
} ;
2011-09-23 11:27:40 +04:00
/*
flags in dsdb_repl_flags to control replication logic
*/
# define DSDB_REPL_FLAG_PRIORITISE_INCOMING 1
# define DSDB_REPL_FLAG_PARTIAL_REPLICA 2
2011-09-28 03:30:44 +04:00
# define DSDB_REPL_FLAG_ADD_NCNAME 4
2015-08-19 04:26:41 +03:00
# define DSDB_REPL_FLAG_EXPECT_NO_SECRETS 8
2017-06-14 02:35:36 +03:00
# define DSDB_REPL_FLAG_OBJECT_SUBSET 16
replmd: Don't fail cycle if we get link for deleted object with GET_TGT
We are going to end up supporting 2 different server schemes:
A. the old/default behaviour of sending all the linked attributes last,
at the end of the replication cycle.
B. the new/Microsoft way of sending the linked attributes interleaved
with the source/target objects.
Normally if we're talking to a server using the old scheme-A, we won't
ever use the GET_TGT flag. However, there are a couple of cases where
it can happen:
- A link to a new object was added during the replication cycle.
- An object was deleted while the replication was in progress (and
the linked attribute got queued before the object was deleted).
Talking to an Samba DC running the old scheme will just cause it to
start the replication cycle from scratch again, which is fairly
harmless. However, there is a chance that the same thing can happen
again, in which case the replication cycle will fail (because GET_TGT
was already set).
Even if we're using the new scheme (B), we could still potentially hit
this case, as we can still queue up linked attributes between requests
(group memberships can be larger than what can fit into a single
replication chunk).
If GET_TGT is set in the GetNcChanges request, then the local copy of
the target object should always be up-to-date when we process the linked
attribute. So if we still think the target object is deleted/recycled at
this point, then it's safe to ignore the linked attribute (because we
know our local copy is up-to-date). This logic matches the MS spec logic
in ProcessLinkValue().
Not failing the replication cycle may be beneficial if we're trying to
do a full-sync of a large database. Otherwise it might be time-consuming
and frustrating to repeat the sync unnecessarily.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12972
2017-07-20 02:14:27 +03:00
# define DSDB_REPL_FLAG_TARGETS_UPTODATE 32
2011-09-23 11:27:40 +04:00
2008-09-27 04:27:54 +04:00
# define DSDB_CONTROL_REPLICATED_UPDATE_OID "1.3.6.1.4.1.7165.4.3.3"
2008-12-16 11:21:55 +03:00
# define DSDB_CONTROL_DN_STORAGE_FORMAT_OID "1.3.6.1.4.1.7165.4.3.4"
/* DSDB_CONTROL_DN_STORAGE_FORMAT_OID has NULL data and behaves very
* much like LDB_CONTROL_EXTENDED_DN_OID when the DB stores an
* extended DN , and otherwise returns normal DNs */
2010-06-13 20:19:37 +04:00
# define DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID "1.3.6.1.4.1.7165.4.3.8"
2009-09-23 21:25:54 +04:00
2018-04-19 00:47:42 +03:00
struct dsdb_user_pwd_settings {
uint32_t pwdProperties ;
uint32_t pwdHistoryLength ;
int64_t maxPwdAge ;
int64_t minPwdAge ;
uint32_t minPwdLength ;
bool store_cleartext ;
const char * netbios_domain ;
const char * dns_domain ;
const char * realm ;
} ;
2009-09-23 21:25:54 +04:00
struct dsdb_control_password_change_status {
2018-04-19 00:47:42 +03:00
struct dsdb_user_pwd_settings domain_data ;
2009-09-23 21:25:54 +04:00
enum samPwdChangeReason reject_reason ;
} ;
2010-06-13 20:19:37 +04:00
# define DSDB_CONTROL_PASSWORD_HASH_VALUES_OID "1.3.6.1.4.1.7165.4.3.9"
2009-09-23 21:25:54 +04:00
2022-02-09 06:53:08 +03:00
# define DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID "1.3.6.1.4.1.7165.4.3.10"
2010-08-15 22:01:27 +04:00
struct dsdb_control_password_change {
2022-02-09 06:33:23 +03:00
enum dsdb_password_checked old_password_checked ;
2010-08-15 22:01:27 +04:00
} ;
2010-06-14 09:30:36 +04:00
/**
DSDB_CONTROL_APPLY_LINKS is internal to Samba4 - a token passed between repl_meta_data and linked_attributes modules
*/
# define DSDB_CONTROL_APPLY_LINKS "1.3.6.1.4.1.7165.4.3.11"
2010-06-30 10:24:35 +04:00
/*
* this should only be used for importing users from Samba3
*/
# define DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID "1.3.6.1.4.1.7165.4.3.12"
2010-06-22 19:56:37 +04:00
/**
OID used to allow the replacement of replPropertyMetaData .
It is used when the current replmetadata needs to be edited .
*/
# define DSDB_CONTROL_CHANGEREPLMETADATA_OID "1.3.6.1.4.1.7165.4.3.14"
2011-10-07 11:49:48 +04:00
/* passed when we want to get the behaviour of the non-global catalog port */
# define DSDB_CONTROL_NO_GLOBAL_CATALOG "1.3.6.1.4.1.7165.4.3.17"
/* passed when we want special behaviour for partial replicas */
# define DSDB_CONTROL_PARTIAL_REPLICA "1.3.6.1.4.1.7165.4.3.18"
/* passed when we want special behaviour for dbcheck */
# define DSDB_CONTROL_DBCHECK "1.3.6.1.4.1.7165.4.3.19"
2012-07-18 11:13:30 +04:00
/* passed when dbcheck wants to modify a read only replica (very special case) */
# define DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA "1.3.6.1.4.1.7165.4.3.19.1"
2017-10-25 17:47:36 +03:00
/* passed by dbcheck to fix duplicate linked attributes (bug #13095) */
# define DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS "1.3.6.1.4.1.7165.4.3.19.2"
2018-10-08 18:13:13 +03:00
/* passed by dbcheck to fix the DN string of a one-way-link (bug #13495) */
dbchecker: Fixing up incorrect DNs wasn't working
dbcheck would fail to fix up attributes where the extended DN's GUID is
correct, but the DN itself is incorrect. The code failed attempting to
remove the old/incorrect DN, e.g.
NOTE: old (due to rename or delete) DN string component for
objectCategory in object CN=alice,CN=Users,DC=samba,DC=example,DC=com -
<GUID=7bfdf9d8-62f9-420c-8a71-e3d3e931c91e>;
CN=Person,CN=Schema,CN=Configuration,DC=samba,DC=bad,DC=com
Change DN to <GUID=7bfdf9d8-62f9-420c-8a71-e3d3e931c91e>;
CN=Person,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com?
[y/N/all/none] y
Failed to fix old DN string on attribute objectCategory : (16,
"attribute 'objectCategory': no matching attribute value while deleting
attribute on 'CN=alice,CN=Users,DC=samba,DC=example,DC=com'")
The problem was the LDB message specified the value to delete with its
full DN, including the GUID. The LDB code then helpfully corrected this
value on the way through, so that the DN got updated to reflect the
correct DN (i.e. 'DC=example,DC=com') of the object matching that GUID,
rather than the incorrect DN (i.e. 'DC=bad,DC=com') that we were trying
to remove. Because the requested value and the existing DB value didn't
match, the operation failed.
We can avoid this problem by passing down just the DN (not the extended
DN) of the value we want to delete. Without the GUID portion of the DN,
the LDB code will no longer try to correct it on the way through, and
the dbcheck operation will succeed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13495
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
2018-05-25 05:05:27 +03:00
# define DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME "1.3.6.1.4.1.7165.4.3.19.3"
2018-10-08 18:13:52 +03:00
/* passed by dbcheck to fix the DN SID of a one-way-link (bug #13418) */
# define DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID "1.3.6.1.4.1.7165.4.3.19.4"
2011-10-05 16:59:59 +04:00
/* passed when importing plain text password on upgrades */
# define DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID "1.3.6.1.4.1.7165.4.3.20"
2012-11-22 20:42:32 +04:00
/*
* passed from the descriptor module in order to
* store the recalucated nTSecurityDescriptor without
* modifying the replPropertyMetaData .
*/
# define DSDB_CONTROL_SEC_DESC_PROPAGATION_OID "1.3.6.1.4.1.7165.4.3.21"
2014-12-04 07:23:29 +03:00
/*
* passed when creating a interdomain trust account through LSA
* to relax constraints in the samldb ldb module .
*/
# define DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID "1.3.6.1.4.1.7165.4.3.23"
2014-10-28 17:03:59 +03:00
/*
* Internal control to mark requests as being part of Tombstone restoring
* procedure - it requires slightly special behavior like :
* - a bit different security checks
* - restoring certain attributes to their default values , etc
*/
# define DSDB_CONTROL_RESTORE_TOMBSTONE_OID "1.3.6.1.4.1.7165.4.3.24"
2015-07-23 07:01:14 +03:00
/**
OID used to allow the replacement of replPropertyMetaData .
It is used when the current replmetadata needs only to be re - sorted , but not edited .
*/
# define DSDB_CONTROL_CHANGEREPLMETADATA_RESORT_OID "1.3.6.1.4.1.7165.4.3.25"
2016-02-11 10:31:46 +03:00
/*
* pass the default state of pwdLastSet between the " samldb " and " password_hash "
* modules .
*/
# define DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET_OID "1.3.6.1.4.1.7165.4.3.26"
2016-05-27 17:52:54 +03:00
/*
* pass the userAccountControl changes between the " samldb " and " password_hash "
* modules .
*/
# define DSDB_CONTROL_PASSWORD_USER_ACCOUNT_CONTROL_OID "1.3.6.1.4.1.7165.4.3.27"
struct dsdb_control_password_user_account_control {
uint32_t req_flags ; /* the flags given by the client request */
uint32_t old_flags ; /* the old flags stored (0 on add) */
uint32_t new_flags ; /* the new flags stored */
} ;
2016-06-30 06:03:39 +03:00
/*
* Ignores strict checking when adding objects to samldb .
* This is used when provisioning , as checking all objects when added
* was slow due to an unindexed search .
*/
# define DSDB_CONTROL_SKIP_DUPLICATES_CHECK_OID "1.3.6.1.4.1.7165.4.3.28"
2016-07-06 02:54:25 +03:00
/* passed when we want to thoroughly delete linked attributes */
# define DSDB_CONTROL_REPLMD_VANISH_LINKS "1.3.6.1.4.1.7165.4.3.29"
2017-03-24 00:24:21 +03:00
/*
* lockoutTime is a replicated attribute , but must be modified before
* connectivity occurs to allow password lockouts .
*/
# define DSDB_CONTROL_FORCE_RODC_LOCAL_CHANGE "1.3.6.1.4.1.7165.4.3.31"
2017-08-01 04:18:33 +03:00
# define DSDB_CONTROL_INVALID_NOT_IMPLEMENTED "1.3.6.1.4.1.7165.4.3.32"
2018-02-16 17:30:13 +03:00
/*
* Used to pass " user password change " vs " password reset " from the ACL to the
* password_hash module , ensuring both modules treat the request identical .
*/
# define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID "1.3.6.1.4.1.7165.4.3.33"
struct dsdb_control_password_acl_validation {
bool pwd_reset ;
} ;
2018-04-15 22:59:43 +03:00
/*
* Used to pass the current transaction identifier from the audit_log
* module to group membership auditing module
*/
# define DSDB_CONTROL_TRANSACTION_IDENTIFIER_OID "1.3.6.1.4.1.7165.4.3.34"
struct dsdb_control_transaction_identifier {
struct GUID transaction_guid ;
} ;
2007-01-06 13:15:02 +03:00
# define DSDB_EXTENDED_REPLICATED_OBJECTS_OID "1.3.6.1.4.1.7165.4.4.1"
2007-01-09 14:15:56 +03:00
struct dsdb_extended_replicated_object {
struct ldb_message * msg ;
2015-12-09 07:05:56 +03:00
struct GUID object_guid ;
struct GUID * parent_guid ;
2007-01-13 13:53:12 +03:00
const char * when_changed ;
2007-01-11 12:45:30 +03:00
struct replPropertyMetaDataBlob * meta_data ;
2012-07-28 09:27:26 +04:00
/* Only used for internal processing in repl_meta_data */
struct ldb_dn * last_known_parent ;
2015-12-09 07:05:56 +03:00
struct ldb_dn * local_parent_dn ;
2007-01-09 14:15:56 +03:00
} ;
2018-12-14 04:49:03 +03:00
/*
* the schema_dn is passed as struct ldb_dn in
* req - > op . extended . data
*/
# define DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID "1.3.6.1.4.1.7165.4.4.2"
2007-01-06 13:15:02 +03:00
struct dsdb_extended_replicated_objects {
2007-01-13 14:37:13 +03:00
/*
* this is the version of the dsdb_extended_replicated_objects
* version 0 : initial implementation
*/
2016-07-13 09:15:20 +03:00
# define DSDB_EXTENDED_REPLICATED_OBJECTS_VERSION 3
2007-01-13 14:37:13 +03:00
uint32_t version ;
2011-09-23 11:27:40 +04:00
/* DSDB_REPL_FLAG_* flags */
uint32_t dsdb_repl_flags ;
2007-01-07 22:11:27 +03:00
struct ldb_dn * partition_dn ;
2007-01-09 14:15:56 +03:00
2007-01-12 19:02:10 +03:00
const struct repsFromTo1 * source_dsa ;
2007-01-12 16:17:25 +03:00
const struct drsuapi_DsReplicaCursor2CtrEx * uptodateness_vector ;
2007-01-09 14:15:56 +03:00
uint32_t num_objects ;
struct dsdb_extended_replicated_object * objects ;
2009-09-03 06:52:31 +04:00
uint32_t linked_attributes_count ;
2016-08-08 10:10:48 +03:00
struct drsuapi_DsReplicaLinkedAttribute * linked_attributes ;
2015-12-09 07:05:56 +03:00
WERROR error ;
2016-07-13 09:15:20 +03:00
bool originating_updates ;
2007-01-06 13:15:02 +03:00
} ;
2018-12-14 04:49:03 +03:00
/* In ldb.h: LDB_EXTENDED_SEQUENCE_NUMBER 1.3.6.1.4.1.7165.4.4.3 */
2009-10-02 04:28:29 +04:00
# define DSDB_EXTENDED_CREATE_PARTITION_OID "1.3.6.1.4.1.7165.4.4.4"
struct dsdb_create_partition_exop {
struct ldb_dn * new_dn ;
} ;
2018-12-14 04:49:03 +03:00
/* this takes a struct dsdb_fsmo_extended_op */
# define DSDB_EXTENDED_ALLOCATE_RID_POOL "1.3.6.1.4.1.7165.4.4.5"
struct dsdb_fsmo_extended_op {
uint64_t fsmo_info ;
struct GUID destination_dsa_guid ;
} ;
# define DSDB_EXTENDED_SCHEMA_UPGRADE_IN_PROGRESS_OID "1.3.6.1.4.1.7165.4.4.6"
2008-07-24 12:00:20 +04:00
/*
2018-12-14 04:49:03 +03:00
* passed from the descriptor module in order to
* store the recalucated nTSecurityDescriptor without
* modifying the replPropertyMetaData .
2008-07-24 12:00:20 +04:00
*/
2018-12-14 04:49:03 +03:00
# define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID "1.3.6.1.4.1.7165.4.4.7"
struct dsdb_extended_sec_desc_propagation_op {
struct ldb_dn * nc_root ;
2019-12-12 04:44:57 +03:00
struct GUID guid ;
2018-12-14 04:49:03 +03:00
bool include_self ;
} ;
2008-07-23 10:59:17 +04:00
2018-12-14 04:49:03 +03:00
/* this takes no data */
# define DSDB_EXTENDED_CREATE_OWN_RID_SET "1.3.6.1.4.1.7165.4.4.8"
2018-11-21 03:55:53 +03:00
2018-12-14 04:49:03 +03:00
/* this takes a struct dsdb_extended_allocate_rid */
# define DSDB_EXTENDED_ALLOCATE_RID "1.3.6.1.4.1.7165.4.4.9"
struct dsdb_extended_allocate_rid {
uint32_t rid ;
} ;
# define DSDB_EXTENDED_SCHEMA_LOAD "1.3.6.1.4.1.7165.4.4.10"
2012-04-06 04:20:37 +04:00
2008-12-16 10:28:55 +03:00
# define DSDB_OPENLDAP_DEREFERENCE_CONTROL "1.3.6.1.4.1.4203.666.5.16"
struct dsdb_openldap_dereference {
const char * source_attribute ;
const char * * dereference_attribute ;
} ;
struct dsdb_openldap_dereference_control {
struct dsdb_openldap_dereference * * dereference ;
} ;
struct dsdb_openldap_dereference_result {
const char * source_attribute ;
const char * dereferenced_dn ;
int num_attributes ;
struct ldb_message_element * attributes ;
} ;
struct dsdb_openldap_dereference_result_control {
struct dsdb_openldap_dereference_result * * attributes ;
} ;
2012-05-12 13:13:42 +04:00
struct samldb_msds_intid_persistant {
uint32_t msds_intid ;
} ;
# define SAMLDB_MSDS_INTID_OPAQUE "SAMLDB_MSDS_INTID_OPAQUE"
2009-10-02 04:28:29 +04:00
# define DSDB_PARTITION_DN "@PARTITION"
# define DSDB_PARTITION_ATTR "partition"
2009-11-16 10:46:28 +03:00
# define DSDB_EXTENDED_DN_STORE_FORMAT_OPAQUE_NAME "dsdb_extended_dn_store_format"
struct dsdb_extended_dn_store_format {
bool store_extended_dn_in_ldb ;
} ;
2009-11-23 12:30:35 +03:00
# define DSDB_OPAQUE_PARTITION_MODULE_MSG_OPAQUE_NAME "DSDB_OPAQUE_PARTITION_MODULE_MSG"
2011-04-16 11:46:40 +04:00
# define DSDB_ACL_CHECKS_DIRSYNC_FLAG 0x1
2013-10-14 13:38:10 +04:00
# define DSDB_SAMDB_MINIMUM_ALLOWED_RID 1000
2012-05-30 21:43:27 +04:00
# define DSDB_METADATA_SCHEMA_SEQ_NUM "SCHEMA_SEQ_NUM"
2016-06-02 00:13:21 +03:00
/*
* must be in LDB_FLAG_INTERNAL_MASK
* see also the values in lib / ldb / include / ldb_module . h
*/
# define DSDB_FLAG_INTERNAL_FORCE_META_DATA 0x10000
2017-01-12 06:51:45 +03:00
# define SAMBA_COMPATIBLE_FEATURES_ATTR "compatibleFeatures"
# define SAMBA_REQUIRED_FEATURES_ATTR "requiredFeatures"
2017-02-03 06:13:43 +03:00
# define SAMBA_FEATURES_SUPPORTED_FLAG "@SAMBA_FEATURES_SUPPORTED"
2017-02-03 01:25:37 +03:00
# define SAMBA_SORTED_LINKS_FEATURE "sortedLinks"
2017-12-14 21:21:10 +03:00
# define SAMBA_ENCRYPTED_SECRETS_FEATURE "encryptedSecrets"
2018-02-07 01:10:34 +03:00
/*
* lmdb level one feature is an experimental release with basic support
* for lmdb database files , instead of tdb .
* - Keys are limited to 511 bytes long so GUID indexes are required
* - Currently only the :
* partition data files
* are in lmdb format .
*/
# define SAMBA_LMDB_LEVEL_ONE_FEATURE "lmdbLevelOne"
2017-02-03 01:25:37 +03:00
2006-03-14 18:03:25 +03:00
# endif /* __SAMDB_H__ */
