2009-09-09 15:00:01 +04:00
/*
Unix SMB / CIFS implementation .
2010-09-27 08:12:02 +04:00
implement the DSGetNCChanges call
2009-09-09 15:00:01 +04:00
Copyright ( C ) Anatoliy Atanasov 2009
Copyright ( C ) Andrew Tridgell 2009
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
# include "includes.h"
# include "rpc_server/dcerpc_server.h"
# include "dsdb/samdb/samdb.h"
# include "param/param.h"
# include "librpc/gen_ndr/ndr_drsblobs.h"
2009-12-19 16:12:35 +03:00
# include "librpc/gen_ndr/ndr_drsuapi.h"
2010-08-18 12:38:26 +04:00
# include "librpc/gen_ndr/ndr_security.h"
2009-09-09 15:00:01 +04:00
# include "rpc_server/drsuapi/dcesrv_drsuapi.h"
2009-09-10 11:46:30 +04:00
# include "rpc_server/dcerpc_server_proto.h"
# include "../libcli/drsuapi/drsuapi.h"
2009-09-16 06:26:33 +04:00
# include "libcli/security/security.h"
2010-09-20 08:49:39 +04:00
# include "libcli/security/session.h"
2010-01-09 05:11:27 +03:00
# include "lib/util/binsearch.h"
2010-02-13 05:00:55 +03:00
# include "lib/util/tsort.h"
2010-04-22 08:56:19 +04:00
# include "auth/session.h"
2010-08-18 12:38:26 +04:00
# include "dsdb/common/util.h"
2009-09-09 15:00:01 +04:00
2009-12-19 04:25:09 +03:00
/*
build a DsReplicaObjectIdentifier from a ldb msg
*/
static struct drsuapi_DsReplicaObjectIdentifier * get_object_identifier ( TALLOC_CTX * mem_ctx ,
struct ldb_message * msg )
{
struct drsuapi_DsReplicaObjectIdentifier * identifier ;
struct dom_sid * sid ;
identifier = talloc ( mem_ctx , struct drsuapi_DsReplicaObjectIdentifier ) ;
if ( identifier = = NULL ) {
return NULL ;
}
identifier - > dn = ldb_dn_alloc_linearized ( identifier , msg - > dn ) ;
identifier - > guid = samdb_result_guid ( msg , " objectGUID " ) ;
sid = samdb_result_dom_sid ( identifier , msg , " objectSid " ) ;
if ( sid ) {
identifier - > sid = * sid ;
} else {
ZERO_STRUCT ( identifier - > sid ) ;
}
return identifier ;
}
2010-01-09 05:11:27 +03:00
static int udv_compare ( const struct GUID * guid1 , struct GUID guid2 )
{
return GUID_compare ( guid1 , & guid2 ) ;
}
/*
see if we can filter an attribute using the uptodateness_vector
*/
static bool udv_filter ( const struct drsuapi_DsReplicaCursorCtrEx * udv ,
const struct GUID * originating_invocation_id ,
uint64_t originating_usn )
{
const struct drsuapi_DsReplicaCursor * c ;
if ( udv = = NULL ) return false ;
BINARY_ARRAY_SEARCH ( udv - > cursors , udv - > count , source_dsa_invocation_id ,
originating_invocation_id , udv_compare , c ) ;
if ( c & & originating_usn < = c - > highest_usn ) {
return true ;
}
return false ;
}
2010-09-30 02:49:15 +04:00
static int attid_cmp ( enum drsuapi_DsAttributeId a1 , enum drsuapi_DsAttributeId a2 )
{
if ( a1 = = a2 ) return 0 ;
return ( ( uint32_t ) a1 ) > ( ( uint32_t ) a2 ) ? 1 : - 1 ;
}
/*
check if an attribute is in a partial_attribute_set
*/
static bool check_partial_attribute_set ( const struct dsdb_attribute * sa ,
struct drsuapi_DsPartialAttributeSet * pas )
{
enum drsuapi_DsAttributeId * result ;
BINARY_ARRAY_SEARCH_V ( pas - > attids , pas - > num_attids , ( enum drsuapi_DsAttributeId ) sa - > attributeID_id ,
attid_cmp , result ) ;
return result ! = NULL ;
}
2009-09-09 15:26:17 +04:00
/*
2009-09-10 11:46:30 +04:00
drsuapi_DsGetNCChanges for one object
2009-09-09 15:26:17 +04:00
*/
static WERROR get_nc_changes_build_object ( struct drsuapi_DsReplicaObjectListItemEx * obj ,
struct ldb_message * msg ,
struct ldb_context * sam_ctx ,
struct ldb_dn * ncRoot_dn ,
2010-08-18 04:52:48 +04:00
bool is_schema_nc ,
2009-09-10 11:46:30 +04:00
struct dsdb_schema * schema ,
2009-09-12 05:14:29 +04:00
DATA_BLOB * session_key ,
s4: Handle DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING in getncchanges
When this flag is specified in the request these attributes are treated as
secret: currentValue, dBCSPwd, initialAuthIncoming, initialAuthOutgoing,
lmPwdHistory, ntPwdHistory, priorValue, supplementalCredentials,
trustAuthIncoming, trustAuthOutgoing, unicodePwd
Their value is changed to NULL and the meta_data.originating_change_time to 0
2009-09-24 03:51:55 +04:00
uint64_t highest_usn ,
2010-01-09 05:11:27 +03:00
uint32_t replica_flags ,
2010-09-30 02:49:15 +04:00
struct drsuapi_DsPartialAttributeSet * partial_attribute_set ,
2010-08-18 08:31:05 +04:00
struct drsuapi_DsReplicaCursorCtrEx * uptodateness_vector ,
enum drsuapi_DsExtendedOperation extended_op )
2009-09-09 15:26:17 +04:00
{
const struct ldb_val * md_value ;
2010-09-30 10:47:24 +04:00
uint32_t i , n ;
2009-09-09 17:38:51 +04:00
struct replPropertyMetaDataBlob md ;
2009-09-10 11:46:30 +04:00
uint32_t rid = 0 ;
2009-09-12 05:14:29 +04:00
enum ndr_err_code ndr_err ;
uint32_t * attids ;
2009-09-24 00:56:10 +04:00
const char * rdn ;
const struct dsdb_attribute * rdn_sa ;
2010-01-09 10:50:30 +03:00
unsigned int instanceType ;
2010-08-18 04:52:48 +04:00
struct dsdb_syntax_ctx syntax_ctx ;
/* make dsdb sytanx context for conversions */
dsdb_syntax_ctx_init ( & syntax_ctx , sam_ctx , schema ) ;
syntax_ctx . is_schema_nc = is_schema_nc ;
2009-09-09 15:26:17 +04:00
2010-01-09 10:50:30 +03:00
instanceType = ldb_msg_find_attr_as_uint ( msg , " instanceType " , 0 ) ;
if ( instanceType & INSTANCE_TYPE_IS_NC_HEAD ) {
2009-09-09 15:26:17 +04:00
obj - > is_nc_prefix = true ;
obj - > parent_object_guid = NULL ;
} else {
2009-09-26 02:17:44 +04:00
obj - > is_nc_prefix = false ;
obj - > parent_object_guid = talloc ( obj , struct GUID ) ;
2009-12-09 06:38:25 +03:00
if ( obj - > parent_object_guid = = NULL ) {
2009-09-26 02:17:44 +04:00
return WERR_DS_DRA_INTERNAL_ERROR ;
2009-09-24 00:56:10 +04:00
}
2009-12-09 06:38:25 +03:00
* obj - > parent_object_guid = samdb_result_guid ( msg , " parentGUID " ) ;
if ( GUID_all_zero ( obj - > parent_object_guid ) ) {
DEBUG ( 0 , ( __location__ " : missing parentGUID for %s \n " ,
ldb_dn_get_linearized ( msg - > dn ) ) ) ;
2009-09-26 02:17:44 +04:00
return WERR_DS_DRA_INTERNAL_ERROR ;
}
2009-09-09 15:26:17 +04:00
}
obj - > next_object = NULL ;
md_value = ldb_msg_find_ldb_val ( msg , " replPropertyMetaData " ) ;
2009-09-12 05:14:29 +04:00
if ( ! md_value ) {
/* nothing to send */
return WERR_OK ;
}
2010-04-26 11:02:25 +04:00
if ( instanceType & INSTANCE_TYPE_UNINSTANT ) {
/* don't send uninstantiated objects */
return WERR_OK ;
}
2010-05-09 19:20:01 +04:00
ndr_err = ndr_pull_struct_blob ( md_value , obj , & md ,
2009-09-12 05:14:29 +04:00
( ndr_pull_flags_fn_t ) ndr_pull_replPropertyMetaDataBlob ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
return WERR_DS_DRA_INTERNAL_ERROR ;
}
if ( md . version ! = 1 ) {
return WERR_DS_DRA_INTERNAL_ERROR ;
2009-09-09 15:26:17 +04:00
}
2009-09-12 05:14:29 +04:00
2009-09-24 00:56:10 +04:00
rdn = ldb_dn_get_rdn_name ( msg - > dn ) ;
if ( rdn = = NULL ) {
DEBUG ( 0 , ( __location__ " : No rDN for %s \n " , ldb_dn_get_linearized ( msg - > dn ) ) ) ;
return WERR_DS_DRA_INTERNAL_ERROR ;
}
rdn_sa = dsdb_attribute_by_lDAPDisplayName ( schema , rdn ) ;
if ( rdn_sa = = NULL ) {
DEBUG ( 0 , ( __location__ " : Can't find dsds_attribute for rDN %s in %s \n " ,
rdn , ldb_dn_get_linearized ( msg - > dn ) ) ) ;
return WERR_DS_DRA_INTERNAL_ERROR ;
}
2009-09-12 05:14:29 +04:00
obj - > meta_data_ctr = talloc ( obj , struct drsuapi_DsReplicaMetaDataCtr ) ;
attids = talloc_array ( obj , uint32_t , md . ctr . ctr1 . count ) ;
2009-12-03 01:19:55 +03:00
2009-12-19 04:25:09 +03:00
obj - > object . identifier = get_object_identifier ( obj , msg ) ;
if ( obj - > object . identifier = = NULL ) {
return WERR_NOMEM ;
2009-12-03 01:19:55 +03:00
}
2009-12-19 04:25:09 +03:00
dom_sid_split_rid ( NULL , & obj - > object . identifier - > sid , NULL , & rid ) ;
2009-09-12 05:14:29 +04:00
obj - > meta_data_ctr - > meta_data = talloc_array ( obj , struct drsuapi_DsReplicaMetaData , md . ctr . ctr1 . count ) ;
for ( n = i = 0 ; i < md . ctr . ctr1 . count ; i + + ) {
2009-12-19 12:59:04 +03:00
const struct dsdb_attribute * sa ;
2010-08-18 08:31:05 +04:00
bool force_attribute = false ;
2009-09-24 00:56:10 +04:00
/* if the attribute has not changed, and it is not the
instanceType then don ' t include it */
if ( md . ctr . ctr1 . array [ i ] . local_usn < highest_usn & &
2010-08-18 08:31:05 +04:00
extended_op ! = DRSUAPI_EXOP_REPL_SECRET & &
2010-10-29 03:22:35 +04:00
md . ctr . ctr1 . array [ i ] . attid ! = DRSUAPI_ATTID_instanceType ) continue ;
2009-10-14 13:29:39 +04:00
2009-09-24 00:56:10 +04:00
/* don't include the rDN */
if ( md . ctr . ctr1 . array [ i ] . attid = = rdn_sa - > attributeID_id ) continue ;
2009-10-14 13:29:39 +04:00
2009-12-19 12:59:04 +03:00
sa = dsdb_attribute_by_attributeID_id ( schema , md . ctr . ctr1 . array [ i ] . attid ) ;
2010-03-11 02:42:18 +03:00
if ( ! sa ) {
DEBUG ( 0 , ( __location__ " : Failed to find attribute in schema for attrid %u mentioned in replPropertyMetaData of %s \n " ,
( unsigned int ) md . ctr . ctr1 . array [ i ] . attid ,
ldb_dn_get_linearized ( msg - > dn ) ) ) ;
return WERR_DS_DRA_INTERNAL_ERROR ;
}
2009-12-19 12:59:04 +03:00
if ( sa - > linkID ) {
struct ldb_message_element * el ;
el = ldb_msg_find_element ( msg , sa - > lDAPDisplayName ) ;
if ( el & & el - > num_values & & dsdb_dn_is_upgraded_link_val ( & el - > values [ 0 ] ) ) {
/* don't send upgraded links inline */
continue ;
}
}
2010-08-18 08:31:05 +04:00
if ( extended_op = = DRSUAPI_EXOP_REPL_SECRET & &
! dsdb_attr_in_rodc_fas ( sa ) ) {
force_attribute = true ;
DEBUG ( 4 , ( " Forcing attribute %s in %s \n " ,
sa - > lDAPDisplayName , ldb_dn_get_linearized ( msg - > dn ) ) ) ;
}
2010-01-09 05:11:27 +03:00
/* filter by uptodateness_vector */
2010-10-29 03:22:35 +04:00
if ( md . ctr . ctr1 . array [ i ] . attid ! = DRSUAPI_ATTID_instanceType & &
2010-08-18 08:31:05 +04:00
! force_attribute & &
2010-01-09 05:11:27 +03:00
udv_filter ( uptodateness_vector ,
& md . ctr . ctr1 . array [ i ] . originating_invocation_id ,
md . ctr . ctr1 . array [ i ] . originating_usn ) ) {
continue ;
}
2010-09-30 02:49:15 +04:00
/* filter by partial_attribute_set */
if ( partial_attribute_set & & ! check_partial_attribute_set ( sa , partial_attribute_set ) ) {
2010-04-16 00:42:08 +04:00
continue ;
}
2009-09-12 05:14:29 +04:00
obj - > meta_data_ctr - > meta_data [ n ] . originating_change_time = md . ctr . ctr1 . array [ i ] . originating_change_time ;
obj - > meta_data_ctr - > meta_data [ n ] . version = md . ctr . ctr1 . array [ i ] . version ;
obj - > meta_data_ctr - > meta_data [ n ] . originating_invocation_id = md . ctr . ctr1 . array [ i ] . originating_invocation_id ;
obj - > meta_data_ctr - > meta_data [ n ] . originating_usn = md . ctr . ctr1 . array [ i ] . originating_usn ;
attids [ n ] = md . ctr . ctr1 . array [ i ] . attid ;
n + + ;
}
2009-09-15 00:12:32 +04:00
2010-01-09 05:11:27 +03:00
/* ignore it if its an empty change. Note that renames always
* change the ' name ' attribute , so they won ' t be ignored by
* this */
if ( n = = 0 | |
2010-10-29 03:22:35 +04:00
( n = = 1 & & attids [ 0 ] = = DRSUAPI_ATTID_instanceType ) ) {
2010-01-09 05:11:27 +03:00
talloc_free ( obj - > meta_data_ctr ) ;
obj - > meta_data_ctr = NULL ;
return WERR_OK ;
}
2009-09-15 00:12:32 +04:00
2009-09-12 05:14:29 +04:00
obj - > meta_data_ctr - > count = n ;
2009-09-24 00:56:10 +04:00
obj - > object . flags = DRSUAPI_DS_REPLICA_OBJECT_FROM_MASTER ;
2009-09-09 17:38:51 +04:00
obj - > object . attribute_ctr . num_attributes = obj - > meta_data_ctr - > count ;
obj - > object . attribute_ctr . attributes = talloc_array ( obj , struct drsuapi_DsReplicaAttribute ,
obj - > object . attribute_ctr . num_attributes ) ;
/*
* Note that the meta_data array and the attributes array must
* be the same size and in the same order
*/
for ( i = 0 ; i < obj - > object . attribute_ctr . num_attributes ; i + + ) {
struct ldb_message_element * el ;
WERROR werr ;
2009-09-24 00:56:10 +04:00
const struct dsdb_attribute * sa ;
2009-09-12 05:14:29 +04:00
sa = dsdb_attribute_by_attributeID_id ( schema , attids [ i ] ) ;
2009-09-09 17:38:51 +04:00
if ( ! sa ) {
2009-09-12 05:14:29 +04:00
DEBUG ( 0 , ( " Unable to find attributeID %u in schema \n " , attids [ i ] ) ) ;
2009-09-09 17:38:51 +04:00
return WERR_DS_DRA_INTERNAL_ERROR ;
}
el = ldb_msg_find_element ( msg , sa - > lDAPDisplayName ) ;
if ( el = = NULL ) {
2009-12-03 01:19:55 +03:00
/* this happens for attributes that have been removed */
DEBUG ( 5 , ( " No element '%s' for attributeID %u in message \n " ,
2009-09-12 05:14:29 +04:00
sa - > lDAPDisplayName , attids [ i ] ) ) ;
2009-09-09 19:27:12 +04:00
ZERO_STRUCT ( obj - > object . attribute_ctr . attributes [ i ] ) ;
2010-08-19 04:17:36 +04:00
obj - > object . attribute_ctr . attributes [ i ] . attid =
dsdb_attribute_get_attid ( sa , syntax_ctx . is_schema_nc ) ;
2009-09-09 19:27:12 +04:00
} else {
2010-08-18 04:52:48 +04:00
werr = sa - > syntax - > ldb_to_drsuapi ( & syntax_ctx , sa , el , obj ,
& obj - > object . attribute_ctr . attributes [ i ] ) ;
2009-09-09 19:27:12 +04:00
if ( ! W_ERROR_IS_OK ( werr ) ) {
DEBUG ( 0 , ( " Unable to convert %s to DRS object - %s \n " ,
sa - > lDAPDisplayName , win_errstr ( werr ) ) ) ;
return werr ;
}
2009-10-14 13:29:39 +04:00
/* if DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING is set
s4: Handle DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING in getncchanges
When this flag is specified in the request these attributes are treated as
secret: currentValue, dBCSPwd, initialAuthIncoming, initialAuthOutgoing,
lmPwdHistory, ntPwdHistory, priorValue, supplementalCredentials,
trustAuthIncoming, trustAuthOutgoing, unicodePwd
Their value is changed to NULL and the meta_data.originating_change_time to 0
2009-09-24 03:51:55 +04:00
* check if attribute is secret and send a null value
*/
2009-10-14 13:29:39 +04:00
if ( replica_flags & DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING ) {
s4: Handle DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING in getncchanges
When this flag is specified in the request these attributes are treated as
secret: currentValue, dBCSPwd, initialAuthIncoming, initialAuthOutgoing,
lmPwdHistory, ntPwdHistory, priorValue, supplementalCredentials,
trustAuthIncoming, trustAuthOutgoing, unicodePwd
Their value is changed to NULL and the meta_data.originating_change_time to 0
2009-09-24 03:51:55 +04:00
drsuapi_process_secret_attribute ( & obj - > object . attribute_ctr . attributes [ i ] ,
& obj - > meta_data_ctr - > meta_data [ i ] ) ;
}
2009-09-10 11:46:30 +04:00
/* some attributes needs to be encrypted
before being sent */
werr = drsuapi_encrypt_attribute ( obj , session_key , rid ,
& obj - > object . attribute_ctr . attributes [ i ] ) ;
if ( ! W_ERROR_IS_OK ( werr ) ) {
DEBUG ( 0 , ( " Unable to encrypt %s in DRS object - %s \n " ,
sa - > lDAPDisplayName , win_errstr ( werr ) ) ) ;
return werr ;
}
2009-09-09 15:26:17 +04:00
}
}
return WERR_OK ;
}
2009-12-19 04:25:09 +03:00
/*
add one linked attribute from an object to the list of linked
attributes in a getncchanges request
*/
static WERROR get_nc_changes_add_la ( TALLOC_CTX * mem_ctx ,
struct ldb_context * sam_ctx ,
const struct dsdb_schema * schema ,
const struct dsdb_attribute * sa ,
struct ldb_message * msg ,
struct dsdb_dn * dsdb_dn ,
struct drsuapi_DsReplicaLinkedAttribute * * la_list ,
uint32_t * la_count )
{
struct drsuapi_DsReplicaLinkedAttribute * la ;
bool active ;
NTSTATUS status ;
WERROR werr ;
( * la_list ) = talloc_realloc ( mem_ctx , * la_list , struct drsuapi_DsReplicaLinkedAttribute , ( * la_count ) + 1 ) ;
W_ERROR_HAVE_NO_MEMORY ( * la_list ) ;
la = & ( * la_list ) [ * la_count ] ;
la - > identifier = get_object_identifier ( * la_list , msg ) ;
W_ERROR_HAVE_NO_MEMORY ( la - > identifier ) ;
2010-01-02 00:14:52 +03:00
active = ( dsdb_dn_rmd_flags ( dsdb_dn - > dn ) & DSDB_RMD_FLAG_DELETED ) = = 0 ;
2009-12-19 04:25:09 +03:00
la - > attid = sa - > attributeID_id ;
la - > flags = active ? DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE : 0 ;
status = dsdb_get_extended_dn_nttime ( dsdb_dn - > dn , & la - > originating_add_time , " RMD_ADDTIME " ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return ntstatus_to_werror ( status ) ;
}
status = dsdb_get_extended_dn_uint32 ( dsdb_dn - > dn , & la - > meta_data . version , " RMD_VERSION " ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return ntstatus_to_werror ( status ) ;
}
status = dsdb_get_extended_dn_nttime ( dsdb_dn - > dn , & la - > meta_data . originating_change_time , " RMD_CHANGETIME " ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return ntstatus_to_werror ( status ) ;
}
status = dsdb_get_extended_dn_guid ( dsdb_dn - > dn , & la - > meta_data . originating_invocation_id , " RMD_INVOCID " ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return ntstatus_to_werror ( status ) ;
}
status = dsdb_get_extended_dn_uint64 ( dsdb_dn - > dn , & la - > meta_data . originating_usn , " RMD_ORIGINATING_USN " ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return ntstatus_to_werror ( status ) ;
}
2009-12-28 09:19:29 +03:00
werr = dsdb_dn_la_to_blob ( sam_ctx , sa , schema , * la_list , dsdb_dn , & la - > value . blob ) ;
2009-12-19 04:25:09 +03:00
W_ERROR_NOT_OK_RETURN ( werr ) ;
( * la_count ) + + ;
return WERR_OK ;
}
/*
add linked attributes from an object to the list of linked
attributes in a getncchanges request
*/
static WERROR get_nc_changes_add_links ( struct ldb_context * sam_ctx ,
TALLOC_CTX * mem_ctx ,
struct ldb_dn * ncRoot_dn ,
struct dsdb_schema * schema ,
uint64_t highest_usn ,
uint32_t replica_flags ,
struct ldb_message * msg ,
struct drsuapi_DsReplicaLinkedAttribute * * la_list ,
2010-01-09 05:11:27 +03:00
uint32_t * la_count ,
struct drsuapi_DsReplicaCursorCtrEx * uptodateness_vector )
2009-12-19 04:25:09 +03:00
{
2009-11-21 20:57:24 +03:00
unsigned int i ;
2009-12-19 04:25:09 +03:00
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
2009-12-19 16:12:35 +03:00
uint64_t uSNChanged = ldb_msg_find_attr_as_int ( msg , " uSNChanged " , - 1 ) ;
2009-12-19 04:25:09 +03:00
for ( i = 0 ; i < msg - > num_elements ; i + + ) {
struct ldb_message_element * el = & msg - > elements [ i ] ;
const struct dsdb_attribute * sa ;
2009-11-21 20:57:24 +03:00
unsigned int j ;
2009-12-19 04:25:09 +03:00
sa = dsdb_attribute_by_lDAPDisplayName ( schema , el - > name ) ;
if ( ! sa | | sa - > linkID = = 0 | | ( sa - > linkID & 1 ) ) {
/* we only want forward links */
continue ;
}
2009-12-19 12:59:04 +03:00
if ( el - > num_values & & ! dsdb_dn_is_upgraded_link_val ( & el - > values [ 0 ] ) ) {
/* its an old style link, it will have been
* sent in the main replication data */
continue ;
}
2009-12-19 04:25:09 +03:00
for ( j = 0 ; j < el - > num_values ; j + + ) {
struct dsdb_dn * dsdb_dn ;
uint64_t local_usn ;
NTSTATUS status ;
WERROR werr ;
dsdb_dn = dsdb_dn_parse ( tmp_ctx , sam_ctx , & el - > values [ j ] , sa - > syntax - > ldap_oid ) ;
if ( dsdb_dn = = NULL ) {
DEBUG ( 1 , ( __location__ " : Failed to parse DN for %s in %s \n " ,
el - > name , ldb_dn_get_linearized ( msg - > dn ) ) ) ;
talloc_free ( tmp_ctx ) ;
return WERR_DS_DRA_INTERNAL_ERROR ;
}
status = dsdb_get_extended_dn_uint64 ( dsdb_dn - > dn , & local_usn , " RMD_LOCAL_USN " ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
/* this can happen for attributes
given to us with old style meta
data */
continue ;
}
2009-12-19 16:12:35 +03:00
if ( local_usn > uSNChanged ) {
DEBUG ( 1 , ( __location__ " : uSNChanged less than RMD_LOCAL_USN for %s on %s \n " ,
el - > name , ldb_dn_get_linearized ( msg - > dn ) ) ) ;
talloc_free ( tmp_ctx ) ;
return WERR_DS_DRA_INTERNAL_ERROR ;
}
2009-12-19 04:25:09 +03:00
if ( local_usn < highest_usn ) {
continue ;
}
werr = get_nc_changes_add_la ( mem_ctx , sam_ctx , schema , sa , msg ,
2009-12-21 13:12:19 +03:00
dsdb_dn , la_list , la_count ) ;
2009-12-19 04:25:09 +03:00
if ( ! W_ERROR_IS_OK ( werr ) ) {
talloc_free ( tmp_ctx ) ;
return werr ;
}
}
}
talloc_free ( tmp_ctx ) ;
return WERR_OK ;
}
2009-09-12 05:14:29 +04:00
/*
fill in the cursors return based on the replUpToDateVector for the ncRoot_dn
*/
static WERROR get_nc_changes_udv ( struct ldb_context * sam_ctx ,
struct ldb_dn * ncRoot_dn ,
2010-01-16 03:49:09 +03:00
struct drsuapi_DsReplicaCursor2CtrEx * udv )
2009-09-12 05:14:29 +04:00
{
2010-01-16 03:49:09 +03:00
int ret ;
2009-09-12 05:14:29 +04:00
2010-01-09 06:28:00 +03:00
udv - > version = 2 ;
udv - > reserved1 = 0 ;
udv - > reserved2 = 0 ;
2010-01-16 03:08:59 +03:00
ret = dsdb_load_udv_v2 ( sam_ctx , ncRoot_dn , udv , & udv - > cursors , & udv - > count ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( __location__ " : Failed to load UDV for %s - %s \n " ,
ldb_dn_get_linearized ( ncRoot_dn ) , ldb_errstring ( sam_ctx ) ) ) ;
return WERR_DS_DRA_INTERNAL_ERROR ;
2009-09-12 05:14:29 +04:00
}
2009-09-10 13:41:48 +04:00
return WERR_OK ;
}
2009-12-28 09:22:40 +03:00
/* comparison function for linked attributes - see CompareLinks() in
* MS - DRSR section 4.1 .10 .5 .17 */
static int linked_attribute_compare ( const struct drsuapi_DsReplicaLinkedAttribute * la1 ,
const struct drsuapi_DsReplicaLinkedAttribute * la2 ,
struct ldb_context * sam_ctx )
{
int c ;
WERROR werr ;
TALLOC_CTX * tmp_ctx ;
const struct dsdb_schema * schema ;
const struct dsdb_attribute * schema_attrib ;
struct dsdb_dn * dn1 , * dn2 ;
struct GUID guid1 , guid2 ;
NTSTATUS status ;
c = GUID_compare ( & la1 - > identifier - > guid ,
& la2 - > identifier - > guid ) ;
if ( c ! = 0 ) return c ;
if ( la1 - > attid ! = la2 - > attid ) {
return la1 - > attid < la2 - > attid ? - 1 : 1 ;
}
if ( ( la1 - > flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE ) ! =
( la2 - > flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE ) ) {
return ( la1 - > flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE ) ? 1 : - 1 ;
}
/* we need to get the target GUIDs to compare */
tmp_ctx = talloc_new ( sam_ctx ) ;
2010-03-16 06:52:39 +03:00
schema = dsdb_get_schema ( sam_ctx , tmp_ctx ) ;
2009-12-28 09:22:40 +03:00
schema_attrib = dsdb_attribute_by_attributeID_id ( schema , la1 - > attid ) ;
werr = dsdb_dn_la_from_blob ( sam_ctx , schema_attrib , schema , tmp_ctx , la1 - > value . blob , & dn1 ) ;
if ( ! W_ERROR_IS_OK ( werr ) ) {
DEBUG ( 0 , ( __location__ " : Bad la1 blob in sort \n " ) ) ;
talloc_free ( tmp_ctx ) ;
return 0 ;
}
werr = dsdb_dn_la_from_blob ( sam_ctx , schema_attrib , schema , tmp_ctx , la2 - > value . blob , & dn2 ) ;
if ( ! W_ERROR_IS_OK ( werr ) ) {
DEBUG ( 0 , ( __location__ " : Bad la2 blob in sort \n " ) ) ;
talloc_free ( tmp_ctx ) ;
return 0 ;
}
status = dsdb_get_extended_dn_guid ( dn1 - > dn , & guid1 , " GUID " ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( __location__ " : Bad la1 guid in sort \n " ) ) ;
talloc_free ( tmp_ctx ) ;
return 0 ;
}
status = dsdb_get_extended_dn_guid ( dn2 - > dn , & guid2 , " GUID " ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( __location__ " : Bad la2 guid in sort \n " ) ) ;
talloc_free ( tmp_ctx ) ;
return 0 ;
}
talloc_free ( tmp_ctx ) ;
return GUID_compare ( & guid1 , & guid2 ) ;
}
2009-12-21 13:10:41 +03:00
/*
sort the objects we send by tree order
*/
2010-02-13 05:00:55 +03:00
static int site_res_cmp_parent_order ( struct ldb_message * * m1 , struct ldb_message * * m2 )
2009-12-21 13:10:41 +03:00
{
return ldb_dn_compare ( ( * m2 ) - > dn , ( * m1 ) - > dn ) ;
}
/*
sort the objects we send first by uSNChanged
*/
2010-02-13 05:00:55 +03:00
static int site_res_cmp_usn_order ( struct ldb_message * * m1 , struct ldb_message * * m2 )
2009-12-21 13:10:41 +03:00
{
unsigned usnchanged1 , usnchanged2 ;
unsigned cn1 , cn2 ;
cn1 = ldb_dn_get_comp_num ( ( * m1 ) - > dn ) ;
cn2 = ldb_dn_get_comp_num ( ( * m2 ) - > dn ) ;
if ( cn1 ! = cn2 ) {
return cn1 > cn2 ? 1 : - 1 ;
}
usnchanged1 = ldb_msg_find_attr_as_uint ( * m1 , " uSNChanged " , 0 ) ;
usnchanged2 = ldb_msg_find_attr_as_uint ( * m2 , " uSNChanged " , 0 ) ;
if ( usnchanged1 = = usnchanged2 ) {
return 0 ;
}
return usnchanged1 > usnchanged2 ? 1 : - 1 ;
}
2010-01-06 11:35:05 +03:00
/*
handle a DRSUAPI_EXOP_FSMO_RID_ALLOC call
*/
static WERROR getncchanges_rid_alloc ( struct drsuapi_bind_state * b_state ,
TALLOC_CTX * mem_ctx ,
2010-09-30 10:30:18 +04:00
struct drsuapi_DsGetNCChangesRequest10 * req10 ,
2010-01-06 11:35:05 +03:00
struct drsuapi_DsGetNCChangesCtr6 * ctr6 )
{
struct ldb_dn * rid_manager_dn , * fsmo_role_dn , * req_dn ;
int ret ;
struct ldb_context * ldb = b_state - > sam_ctx ;
struct ldb_result * ext_res ;
struct ldb_dn * base_dn ;
struct dsdb_fsmo_extended_op * exop ;
/*
steps :
- verify that the DN being asked for is the RID Manager DN
- verify that we are the RID Manager
*/
/* work out who is the RID Manager */
ret = samdb_rid_manager_dn ( ldb , mem_ctx , & rid_manager_dn ) ;
if ( ret ! = LDB_SUCCESS ) {
2010-01-07 10:38:39 +03:00
DEBUG ( 0 , ( __location__ " : Failed to find RID Manager object - %s \n " , ldb_errstring ( ldb ) ) ) ;
2010-01-06 11:35:05 +03:00
return WERR_DS_DRA_INTERNAL_ERROR ;
}
2010-09-30 10:30:18 +04:00
req_dn = drs_ObjectIdentifier_to_dn ( mem_ctx , ldb , req10 - > naming_context ) ;
2010-01-06 11:35:05 +03:00
if ( ! req_dn | |
! ldb_dn_validate ( req_dn ) | |
2010-01-07 10:38:39 +03:00
ldb_dn_compare ( req_dn , rid_manager_dn ) ! = 0 ) {
2010-01-06 11:35:05 +03:00
/* that isn't the RID Manager DN */
2010-01-07 10:38:39 +03:00
DEBUG ( 0 , ( __location__ " : RID Alloc request for wrong DN %s \n " ,
2010-09-30 10:30:18 +04:00
drs_ObjectIdentifier_to_string ( mem_ctx , req10 - > naming_context ) ) ) ;
2010-01-06 11:35:05 +03:00
ctr6 - > extended_ret = DRSUAPI_EXOP_ERR_MISMATCH ;
return WERR_OK ;
}
/* find the DN of the RID Manager */
ret = samdb_reference_dn ( ldb , mem_ctx , rid_manager_dn , " fSMORoleOwner " , & fsmo_role_dn ) ;
if ( ret ! = LDB_SUCCESS ) {
2010-01-07 10:38:39 +03:00
DEBUG ( 0 , ( __location__ " : Failed to find fSMORoleOwner in RID Manager object - %s \n " ,
2010-01-06 11:35:05 +03:00
ldb_errstring ( ldb ) ) ) ;
2010-01-09 07:12:18 +03:00
ctr6 - > extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER ;
2010-01-06 11:35:05 +03:00
return WERR_DS_DRA_INTERNAL_ERROR ;
}
if ( ldb_dn_compare ( samdb_ntds_settings_dn ( ldb ) , fsmo_role_dn ) ! = 0 ) {
/* we're not the RID Manager - go away */
2010-01-07 10:38:39 +03:00
DEBUG ( 0 , ( __location__ " : RID Alloc request when not RID Manager \n " ) ) ;
2010-01-06 11:35:05 +03:00
ctr6 - > extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER ;
return WERR_OK ;
}
exop = talloc ( mem_ctx , struct dsdb_fsmo_extended_op ) ;
W_ERROR_HAVE_NO_MEMORY ( exop ) ;
2010-09-30 10:30:18 +04:00
exop - > fsmo_info = req10 - > fsmo_info ;
exop - > destination_dsa_guid = req10 - > destination_dsa_guid ;
2010-01-06 11:35:05 +03:00
2010-01-07 10:38:39 +03:00
ret = ldb_transaction_start ( ldb ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( __location__ " : Failed transaction start - %s \n " ,
ldb_errstring ( ldb ) ) ) ;
return WERR_DS_DRA_INTERNAL_ERROR ;
}
2010-09-03 07:20:49 +04:00
/*
* FIXME ( kim ) : this is a temp hack to return just few object ,
* but not the whole domain NC .
* We should remove this hack and implement a ' scope '
* building function to return just the set of object
* documented for DRSUAPI_EXOP_FSMO_RID_ALLOC extended_op
*/
2010-09-30 10:30:18 +04:00
ldb_sequence_number ( ldb , LDB_SEQ_HIGHEST_SEQ , & req10 - > highwatermark . highest_usn ) ;
2010-09-03 07:20:49 +04:00
2010-01-06 11:35:05 +03:00
ret = ldb_extended ( ldb , DSDB_EXTENDED_ALLOCATE_RID_POOL , exop , & ext_res ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( __location__ " : Failed extended allocation RID pool operation - %s \n " ,
ldb_errstring ( ldb ) ) ) ;
2010-01-07 10:38:39 +03:00
ldb_transaction_cancel ( ldb ) ;
2010-01-06 11:35:05 +03:00
return WERR_DS_DRA_INTERNAL_ERROR ;
}
2010-01-07 10:38:39 +03:00
ret = ldb_transaction_commit ( ldb ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( __location__ " : Failed transaction commit - %s \n " ,
ldb_errstring ( ldb ) ) ) ;
return WERR_DS_DRA_INTERNAL_ERROR ;
}
2010-01-06 11:35:05 +03:00
talloc_free ( ext_res ) ;
2010-04-13 10:41:10 +04:00
base_dn = ldb_get_default_basedn ( ldb ) ;
2010-01-06 11:35:05 +03:00
2010-01-06 12:56:19 +03:00
DEBUG ( 2 , ( " Allocated RID pool for server %s \n " ,
2010-09-30 10:30:18 +04:00
GUID_string ( mem_ctx , & req10 - > destination_dsa_guid ) ) ) ;
2010-01-06 12:56:19 +03:00
2010-01-09 07:12:18 +03:00
ctr6 - > extended_ret = DRSUAPI_EXOP_ERR_SUCCESS ;
2010-01-06 11:35:05 +03:00
return WERR_OK ;
}
2010-08-18 12:38:26 +04:00
/*
return an array of SIDs from a ldb_message given an attribute name
assumes the SIDs are in extended DN format
*/
static WERROR samdb_result_sid_array_dn ( struct ldb_context * sam_ctx ,
struct ldb_message * msg ,
TALLOC_CTX * mem_ctx ,
const char * attr ,
const struct dom_sid * * * sids )
{
struct ldb_message_element * el ;
2010-08-23 09:37:36 +04:00
unsigned int i ;
2010-08-18 12:38:26 +04:00
el = ldb_msg_find_element ( msg , attr ) ;
if ( ! el ) {
* sids = NULL ;
return WERR_OK ;
}
( * sids ) = talloc_array ( mem_ctx , const struct dom_sid * , el - > num_values + 1 ) ;
W_ERROR_HAVE_NO_MEMORY ( * sids ) ;
for ( i = 0 ; i < el - > num_values ; i + + ) {
struct ldb_dn * dn = ldb_dn_from_ldb_val ( mem_ctx , sam_ctx , & el - > values [ i ] ) ;
NTSTATUS status ;
struct dom_sid * sid ;
sid = talloc ( * sids , struct dom_sid ) ;
W_ERROR_HAVE_NO_MEMORY ( sid ) ;
status = dsdb_get_extended_dn_sid ( dn , sid , " SID " ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return WERR_INTERNAL_DB_CORRUPTION ;
}
( * sids ) [ i ] = sid ;
}
( * sids ) [ i ] = NULL ;
return WERR_OK ;
}
/*
return an array of SIDs from a ldb_message given an attribute name
assumes the SIDs are in NDR form
*/
static WERROR samdb_result_sid_array_ndr ( struct ldb_context * sam_ctx ,
struct ldb_message * msg ,
TALLOC_CTX * mem_ctx ,
const char * attr ,
const struct dom_sid * * * sids )
{
struct ldb_message_element * el ;
2010-08-23 09:37:36 +04:00
unsigned int i ;
2010-08-18 12:38:26 +04:00
el = ldb_msg_find_element ( msg , attr ) ;
if ( ! el ) {
* sids = NULL ;
return WERR_OK ;
}
( * sids ) = talloc_array ( mem_ctx , const struct dom_sid * , el - > num_values + 1 ) ;
W_ERROR_HAVE_NO_MEMORY ( * sids ) ;
for ( i = 0 ; i < el - > num_values ; i + + ) {
enum ndr_err_code ndr_err ;
struct dom_sid * sid ;
sid = talloc ( * sids , struct dom_sid ) ;
W_ERROR_HAVE_NO_MEMORY ( sid ) ;
ndr_err = ndr_pull_struct_blob ( & el - > values [ i ] , sid , sid ,
( ndr_pull_flags_fn_t ) ndr_pull_dom_sid ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
return WERR_INTERNAL_DB_CORRUPTION ;
}
( * sids ) [ i ] = sid ;
}
( * sids ) [ i ] = NULL ;
return WERR_OK ;
}
/*
see if any SIDs in list1 are in list2
*/
static bool sid_list_match ( const struct dom_sid * * list1 , const struct dom_sid * * list2 )
{
2010-08-23 09:37:36 +04:00
unsigned int i , j ;
2010-08-18 12:38:26 +04:00
/* do we ever have enough SIDs here to worry about O(n^2) ? */
for ( i = 0 ; list1 [ i ] ; i + + ) {
for ( j = 0 ; list2 [ j ] ; j + + ) {
if ( dom_sid_equal ( list1 [ i ] , list2 [ j ] ) ) {
return true ;
}
}
}
return false ;
}
/*
handle a DRSUAPI_EXOP_REPL_SECRET call
*/
static WERROR getncchanges_repl_secret ( struct drsuapi_bind_state * b_state ,
TALLOC_CTX * mem_ctx ,
2010-09-30 10:30:18 +04:00
struct drsuapi_DsGetNCChangesRequest10 * req10 ,
2010-08-18 12:38:26 +04:00
struct dom_sid * user_sid ,
struct drsuapi_DsGetNCChangesCtr6 * ctr6 )
{
2010-09-30 10:30:18 +04:00
struct drsuapi_DsReplicaObjectIdentifier * ncRoot = req10 - > naming_context ;
2010-08-18 12:38:26 +04:00
struct ldb_dn * obj_dn , * rodc_dn , * krbtgt_link_dn ;
int ret ;
const char * rodc_attrs [ ] = { " msDS-KrbTgtLink " , " msDS-NeverRevealGroup " , " msDS-RevealOnDemandGroup " , NULL } ;
const char * obj_attrs [ ] = { " tokenGroups " , " objectSid " , " UserAccountControl " , " msDS-KrbTgtLinkBL " , NULL } ;
struct ldb_result * rodc_res , * obj_res ;
const struct dom_sid * * never_reveal_sids , * * reveal_sids , * * token_sids ;
WERROR werr ;
2010-09-28 21:40:18 +04:00
DEBUG ( 3 , ( __location__ " : DRSUAPI_EXOP_REPL_SECRET extended op on %s \n " ,
drs_ObjectIdentifier_to_string ( mem_ctx , ncRoot ) ) ) ;
2010-08-18 12:38:26 +04:00
/*
* we need to work out if we will allow this RODC to
* replicate the secrets for this object
*
* see 4.1 .10 .5 .14 GetRevealSecretsPolicyForUser for details
* of this function
*/
if ( b_state - > sam_ctx_system = = NULL ) {
/* this operation needs system level access */
ctr6 - > extended_ret = DRSUAPI_EXOP_ERR_ACCESS_DENIED ;
return WERR_DS_DRA_SOURCE_DISABLED ;
}
2010-09-28 21:40:18 +04:00
obj_dn = drs_ObjectIdentifier_to_dn ( mem_ctx , b_state - > sam_ctx_system , ncRoot ) ;
2010-08-18 12:38:26 +04:00
if ( ! ldb_dn_validate ( obj_dn ) ) goto failed ;
rodc_dn = ldb_dn_new_fmt ( mem_ctx , b_state - > sam_ctx_system , " <SID=%s> " ,
dom_sid_string ( mem_ctx , user_sid ) ) ;
if ( ! ldb_dn_validate ( rodc_dn ) ) goto failed ;
/* do the two searches we need */
ret = dsdb_search_dn ( b_state - > sam_ctx_system , mem_ctx , & rodc_res , rodc_dn , rodc_attrs ,
DSDB_SEARCH_SHOW_EXTENDED_DN ) ;
if ( ret ! = LDB_SUCCESS | | rodc_res - > count ! = 1 ) goto failed ;
ret = dsdb_search_dn ( b_state - > sam_ctx_system , mem_ctx , & obj_res , obj_dn , obj_attrs , 0 ) ;
if ( ret ! = LDB_SUCCESS | | obj_res - > count ! = 1 ) goto failed ;
/* if the object SID is equal to the user_sid, allow */
if ( dom_sid_equal ( user_sid ,
samdb_result_dom_sid ( mem_ctx , obj_res - > msgs [ 0 ] , " objectSid " ) ) ) {
goto allowed ;
}
/* an RODC is allowed to get its own krbtgt account secrets */
krbtgt_link_dn = samdb_result_dn ( b_state - > sam_ctx_system , mem_ctx ,
rodc_res - > msgs [ 0 ] , " msDS-KrbTgtLink " , NULL ) ;
if ( krbtgt_link_dn ! = NULL & &
ldb_dn_compare ( obj_dn , krbtgt_link_dn ) = = 0 ) {
goto allowed ;
}
/* but it isn't allowed to get anyone elses krbtgt secrets */
if ( samdb_result_dn ( b_state - > sam_ctx_system , mem_ctx ,
obj_res - > msgs [ 0 ] , " msDS-KrbTgtLinkBL " , NULL ) ) {
goto denied ;
}
2010-10-14 11:41:42 +04:00
if ( ldb_msg_find_attr_as_uint ( obj_res - > msgs [ 0 ] ,
" userAccountControl " , 0 ) &
2010-08-18 12:38:26 +04:00
UF_INTERDOMAIN_TRUST_ACCOUNT ) {
goto denied ;
}
werr = samdb_result_sid_array_dn ( b_state - > sam_ctx_system , rodc_res - > msgs [ 0 ] ,
mem_ctx , " msDS-NeverRevealGroup " , & never_reveal_sids ) ;
if ( ! W_ERROR_IS_OK ( werr ) ) {
goto denied ;
}
werr = samdb_result_sid_array_dn ( b_state - > sam_ctx_system , rodc_res - > msgs [ 0 ] ,
mem_ctx , " msDS-RevealOnDemandGroup " , & reveal_sids ) ;
if ( ! W_ERROR_IS_OK ( werr ) ) {
goto denied ;
}
werr = samdb_result_sid_array_ndr ( b_state - > sam_ctx_system , obj_res - > msgs [ 0 ] ,
mem_ctx , " tokenGroups " , & token_sids ) ;
if ( ! W_ERROR_IS_OK ( werr ) | | token_sids = = NULL ) {
goto denied ;
}
if ( never_reveal_sids & &
sid_list_match ( token_sids , never_reveal_sids ) ) {
goto denied ;
}
if ( reveal_sids & &
sid_list_match ( token_sids , reveal_sids ) ) {
goto allowed ;
}
/* default deny */
denied :
DEBUG ( 2 , ( __location__ " : Denied RODC secret replication for %s by RODC %s \n " ,
2010-09-28 21:40:18 +04:00
ldb_dn_get_linearized ( obj_dn ) , ldb_dn_get_linearized ( rodc_res - > msgs [ 0 ] - > dn ) ) ) ;
2010-08-19 07:06:08 +04:00
ctr6 - > extended_ret = DRSUAPI_EXOP_ERR_NONE ;
return WERR_DS_DRA_ACCESS_DENIED ;
2010-08-18 12:38:26 +04:00
allowed :
DEBUG ( 2 , ( __location__ " : Allowed RODC secret replication for %s by RODC %s \n " ,
2010-09-28 21:40:18 +04:00
ldb_dn_get_linearized ( obj_dn ) , ldb_dn_get_linearized ( rodc_res - > msgs [ 0 ] - > dn ) ) ) ;
2010-08-18 12:38:26 +04:00
ctr6 - > extended_ret = DRSUAPI_EXOP_ERR_SUCCESS ;
2010-09-30 10:30:18 +04:00
req10 - > highwatermark . highest_usn = 0 ;
2010-08-18 12:38:26 +04:00
return WERR_OK ;
failed :
DEBUG ( 2 , ( __location__ " : Failed RODC secret replication for %s by RODC %s \n " ,
2010-09-28 21:40:18 +04:00
ldb_dn_get_linearized ( obj_dn ) , dom_sid_string ( mem_ctx , user_sid ) ) ) ;
2010-08-19 07:06:08 +04:00
ctr6 - > extended_ret = DRSUAPI_EXOP_ERR_NONE ;
return WERR_DS_DRA_BAD_DN ;
2010-08-18 12:38:26 +04:00
}
2010-09-28 21:48:38 +04:00
/*
handle a DRSUAPI_EXOP_REPL_OBJ call
*/
static WERROR getncchanges_repl_obj ( struct drsuapi_bind_state * b_state ,
TALLOC_CTX * mem_ctx ,
2010-09-30 10:30:18 +04:00
struct drsuapi_DsGetNCChangesRequest10 * req10 ,
2010-09-28 21:48:38 +04:00
struct dom_sid * user_sid ,
struct drsuapi_DsGetNCChangesCtr6 * ctr6 )
{
2010-09-30 10:30:18 +04:00
struct drsuapi_DsReplicaObjectIdentifier * ncRoot = req10 - > naming_context ;
2010-09-28 21:48:38 +04:00
DEBUG ( 3 , ( __location__ " : DRSUAPI_EXOP_REPL_OBJ extended op on %s \n " ,
drs_ObjectIdentifier_to_string ( mem_ctx , ncRoot ) ) ) ;
ctr6 - > extended_ret = DRSUAPI_EXOP_ERR_SUCCESS ;
2010-09-30 10:30:18 +04:00
req10 - > highwatermark . highest_usn = 0 ;
2010-09-28 21:48:38 +04:00
return WERR_OK ;
}
2010-08-26 11:59:02 +04:00
/*
handle DRSUAPI_EXOP_FSMO_REQ_ROLE ,
DRSUAPI_EXOP_FSMO_RID_REQ_ROLE ,
and DRSUAPI_EXOP_FSMO_REQ_PDC calls
*/
static WERROR getncchanges_change_master ( struct drsuapi_bind_state * b_state ,
TALLOC_CTX * mem_ctx ,
2010-09-30 10:30:18 +04:00
struct drsuapi_DsGetNCChangesRequest10 * req10 ,
2010-08-26 11:59:02 +04:00
struct drsuapi_DsGetNCChangesCtr6 * ctr6 )
{
struct ldb_dn * fsmo_role_dn , * req_dn , * ntds_dn ;
2010-09-10 21:17:25 +04:00
int ret ;
unsigned int i ;
2010-08-26 11:59:02 +04:00
struct ldb_context * ldb = b_state - > sam_ctx ;
struct ldb_message * msg ;
/*
steps :
- verify that the client dn exists
- verify that we are the current master
*/
2010-09-30 10:30:18 +04:00
req_dn = drs_ObjectIdentifier_to_dn ( mem_ctx , ldb , req10 - > naming_context ) ;
2010-08-26 11:59:02 +04:00
if ( ! req_dn | |
! ldb_dn_validate ( req_dn ) ) {
/* that is not a valid dn */
DEBUG ( 0 , ( __location__ " : FSMO role transfer request for invalid DN %s \n " ,
2010-09-30 10:30:18 +04:00
drs_ObjectIdentifier_to_string ( mem_ctx , req10 - > naming_context ) ) ) ;
2010-08-26 11:59:02 +04:00
ctr6 - > extended_ret = DRSUAPI_EXOP_ERR_MISMATCH ;
return WERR_OK ;
}
/* retrieve the current role owner */
ret = samdb_reference_dn ( ldb , mem_ctx , req_dn , " fSMORoleOwner " , & fsmo_role_dn ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( __location__ " : Failed to find fSMORoleOwner in context - %s \n " ,
ldb_errstring ( ldb ) ) ) ;
ctr6 - > extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER ;
return WERR_DS_DRA_INTERNAL_ERROR ;
}
if ( ldb_dn_compare ( samdb_ntds_settings_dn ( ldb ) , fsmo_role_dn ) ! = 0 ) {
/* we're not the current owner - go away */
DEBUG ( 0 , ( __location__ " : FSMO transfer request when not owner \n " ) ) ;
ctr6 - > extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER ;
return WERR_OK ;
}
/* change the current master */
msg = ldb_msg_new ( ldb ) ;
W_ERROR_HAVE_NO_MEMORY ( msg ) ;
2010-09-30 10:30:18 +04:00
msg - > dn = drs_ObjectIdentifier_to_dn ( msg , ldb , req10 - > naming_context ) ;
2010-08-26 11:59:02 +04:00
W_ERROR_HAVE_NO_MEMORY ( msg - > dn ) ;
2010-09-30 10:30:18 +04:00
ret = dsdb_find_dn_by_guid ( ldb , msg , & req10 - > destination_dsa_guid , & ntds_dn ) ;
2010-08-26 11:59:02 +04:00
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( __location__ " : Unable to find NTDS object for guid %s - %s \n " ,
2010-09-30 10:30:18 +04:00
GUID_string ( mem_ctx , & req10 - > destination_dsa_guid ) , ldb_errstring ( ldb ) ) ) ;
2010-08-26 11:59:02 +04:00
talloc_free ( msg ) ;
return WERR_DS_DRA_INTERNAL_ERROR ;
}
ret = ldb_msg_add_string ( msg , " fSMORoleOwner " , ldb_dn_get_linearized ( ntds_dn ) ) ;
if ( ret ! = 0 ) {
talloc_free ( msg ) ;
return WERR_DS_DRA_INTERNAL_ERROR ;
}
2010-01-06 11:35:05 +03:00
2010-08-26 11:59:02 +04:00
for ( i = 0 ; i < msg - > num_elements ; i + + ) {
msg - > elements [ i ] . flags = LDB_FLAG_MOD_REPLACE ;
}
ret = ldb_transaction_start ( ldb ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( __location__ " : Failed transaction start - %s \n " ,
ldb_errstring ( ldb ) ) ) ;
return WERR_DS_DRA_INTERNAL_ERROR ;
}
ret = ldb_modify ( ldb , msg ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( __location__ " : Failed to change current owner - %s \n " ,
ldb_errstring ( ldb ) ) ) ;
ldb_transaction_cancel ( ldb ) ;
return WERR_DS_DRA_INTERNAL_ERROR ;
}
ret = ldb_transaction_commit ( ldb ) ;
if ( ret ! = LDB_SUCCESS ) {
DEBUG ( 0 , ( __location__ " : Failed transaction commit - %s \n " ,
ldb_errstring ( ldb ) ) ) ;
return WERR_DS_DRA_INTERNAL_ERROR ;
}
ctr6 - > extended_ret = DRSUAPI_EXOP_ERR_SUCCESS ;
return WERR_OK ;
}
2010-01-06 11:35:05 +03:00
2009-09-26 02:17:44 +04:00
/* state of a partially completed getncchanges call */
struct drsuapi_getncchanges_state {
struct ldb_result * site_res ;
uint32_t num_sent ;
struct ldb_dn * ncRoot_dn ;
2010-08-18 04:52:48 +04:00
bool is_schema_nc ;
2009-12-03 01:19:55 +03:00
uint64_t min_usn ;
uint64_t highest_usn ;
2009-12-19 16:12:35 +03:00
struct ldb_dn * last_dn ;
2009-12-21 13:13:59 +03:00
struct drsuapi_DsReplicaLinkedAttribute * la_list ;
uint32_t la_count ;
2010-07-09 14:52:11 +04:00
bool la_sorted ;
uint32_t la_idx ;
2010-01-09 05:11:27 +03:00
struct drsuapi_DsReplicaCursorCtrEx * uptodateness_vector ;
2009-09-26 02:17:44 +04:00
} ;
2010-09-30 02:49:15 +04:00
/*
see if this getncchanges request includes a request to reveal secret information
*/
static WERROR dcesrv_drsuapi_is_reveal_secrets_request ( struct drsuapi_bind_state * b_state ,
2010-09-30 10:30:18 +04:00
struct drsuapi_DsGetNCChangesRequest10 * req10 ,
2010-09-30 02:49:15 +04:00
bool * is_secret_request )
{
enum drsuapi_DsExtendedOperation exop ;
2010-09-30 10:47:24 +04:00
uint32_t i ;
2010-09-30 02:49:15 +04:00
struct dsdb_schema * schema ;
* is_secret_request = true ;
2010-09-30 10:30:18 +04:00
exop = req10 - > extended_op ;
2010-09-30 02:49:15 +04:00
switch ( exop ) {
case DRSUAPI_EXOP_FSMO_REQ_ROLE :
case DRSUAPI_EXOP_FSMO_RID_ALLOC :
case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE :
case DRSUAPI_EXOP_FSMO_REQ_PDC :
case DRSUAPI_EXOP_FSMO_ABANDON_ROLE :
/* FSMO exops can reveal secrets */
* is_secret_request = true ;
return WERR_OK ;
case DRSUAPI_EXOP_REPL_SECRET :
case DRSUAPI_EXOP_REPL_OBJ :
case DRSUAPI_EXOP_NONE :
break ;
}
2010-09-30 10:30:18 +04:00
if ( req10 - > replica_flags & DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING ) {
2010-09-30 02:49:15 +04:00
* is_secret_request = false ;
return WERR_OK ;
}
if ( exop = = DRSUAPI_EXOP_REPL_SECRET | |
2010-09-30 10:30:18 +04:00
req10 - > partial_attribute_set = = NULL ) {
2010-09-30 02:49:15 +04:00
/* they want secrets */
* is_secret_request = true ;
return WERR_OK ;
}
schema = dsdb_get_schema ( b_state - > sam_ctx , NULL ) ;
/* check the attributes they asked for */
2010-09-30 10:30:18 +04:00
for ( i = 0 ; i < req10 - > partial_attribute_set - > num_attids ; i + + ) {
2010-09-30 02:49:15 +04:00
const struct dsdb_attribute * sa ;
2010-09-30 10:30:18 +04:00
sa = dsdb_attribute_by_attributeID_id ( schema , req10 - > partial_attribute_set - > attids [ i ] ) ;
2010-09-30 02:49:15 +04:00
if ( sa = = NULL ) {
return WERR_DS_DRA_SCHEMA_MISMATCH ;
}
if ( ! dsdb_attr_in_rodc_fas ( sa ) ) {
* is_secret_request = true ;
return WERR_OK ;
}
}
/* check the attributes they asked for */
2010-09-30 10:30:18 +04:00
for ( i = 0 ; i < req10 - > partial_attribute_set_ex - > num_attids ; i + + ) {
2010-09-30 02:49:15 +04:00
const struct dsdb_attribute * sa ;
2010-09-30 10:30:18 +04:00
sa = dsdb_attribute_by_attributeID_id ( schema , req10 - > partial_attribute_set_ex - > attids [ i ] ) ;
2010-09-30 02:49:15 +04:00
if ( sa = = NULL ) {
return WERR_DS_DRA_SCHEMA_MISMATCH ;
}
if ( ! dsdb_attr_in_rodc_fas ( sa ) ) {
* is_secret_request = true ;
return WERR_OK ;
}
}
* is_secret_request = false ;
return WERR_OK ;
}
2010-09-30 10:30:18 +04:00
/*
map from req8 to req10
*/
static struct drsuapi_DsGetNCChangesRequest10 *
getncchanges_map_req8 ( TALLOC_CTX * mem_ctx ,
struct drsuapi_DsGetNCChangesRequest8 * req8 )
{
struct drsuapi_DsGetNCChangesRequest10 * req10 = talloc_zero ( mem_ctx ,
struct drsuapi_DsGetNCChangesRequest10 ) ;
if ( req10 = = NULL ) {
return NULL ;
}
req10 - > destination_dsa_guid = req8 - > destination_dsa_guid ;
req10 - > source_dsa_invocation_id = req8 - > source_dsa_invocation_id ;
req10 - > naming_context = req8 - > naming_context ;
req10 - > highwatermark = req8 - > highwatermark ;
req10 - > uptodateness_vector = req8 - > uptodateness_vector ;
req10 - > replica_flags = req8 - > replica_flags ;
req10 - > max_object_count = req8 - > max_object_count ;
req10 - > max_ndr_size = req8 - > max_ndr_size ;
req10 - > extended_op = req8 - > extended_op ;
req10 - > fsmo_info = req8 - > fsmo_info ;
req10 - > partial_attribute_set = req8 - > partial_attribute_set ;
req10 - > partial_attribute_set_ex = req8 - > partial_attribute_set_ex ;
req10 - > mapping_ctr = req8 - > mapping_ctr ;
return req10 ;
}
2010-09-30 02:49:15 +04:00
2009-09-09 15:00:01 +04:00
/*
drsuapi_DsGetNCChanges
2009-10-13 12:49:08 +04:00
see MS - DRSR 4.1 .10 .5 .2 for basic logic of this function
2009-09-09 15:00:01 +04:00
*/
WERROR dcesrv_drsuapi_DsGetNCChanges ( struct dcesrv_call_state * dce_call , TALLOC_CTX * mem_ctx ,
struct drsuapi_DsGetNCChanges * r )
{
struct drsuapi_DsReplicaObjectIdentifier * ncRoot ;
int ret ;
2010-09-30 10:47:24 +04:00
uint32_t i ;
2009-09-09 15:00:01 +04:00
struct dsdb_schema * schema ;
struct drsuapi_DsReplicaOIDMapping_Ctr * ctr ;
2009-09-12 05:14:29 +04:00
struct drsuapi_DsReplicaObjectListItemEx * * currentObject ;
2009-09-10 11:46:30 +04:00
NTSTATUS status ;
DATA_BLOB session_key ;
2009-12-16 11:45:22 +03:00
const char * attrs [ ] = { " * " , " distinguishedName " ,
" nTSecurityDescriptor " ,
2009-12-09 06:38:25 +03:00
" parentGUID " ,
2009-12-16 11:45:22 +03:00
" replPropertyMetaData " ,
" unicodePwd " ,
" dBCSPwd " ,
" ntPwdHistory " ,
" lmPwdHistory " ,
" supplementalCredentials " ,
2009-11-20 07:19:35 +03:00
NULL } ;
2009-09-12 05:14:29 +04:00
WERROR werr ;
2009-09-26 02:17:44 +04:00
struct dcesrv_handle * h ;
struct drsuapi_bind_state * b_state ;
struct drsuapi_getncchanges_state * getnc_state ;
2010-09-30 10:30:18 +04:00
struct drsuapi_DsGetNCChangesRequest10 * req10 ;
2009-10-13 12:49:08 +04:00
uint32_t options ;
2009-12-19 16:12:35 +03:00
uint32_t max_objects ;
2010-07-09 14:52:11 +04:00
uint32_t max_links ;
uint32_t link_count = 0 ;
uint32_t link_total = 0 ;
uint32_t link_given = 0 ;
2010-01-09 02:12:54 +03:00
struct ldb_dn * search_dn = NULL ;
2010-08-18 12:38:26 +04:00
bool am_rodc , null_scope = false ;
2010-04-22 08:56:19 +04:00
enum security_user_level security_level ;
2010-08-18 08:31:05 +04:00
struct ldb_context * sam_ctx ;
2010-08-18 12:38:26 +04:00
struct dom_sid * user_sid ;
2010-09-30 02:49:15 +04:00
bool is_secret_request ;
2009-09-26 02:17:44 +04:00
DCESRV_PULL_HANDLE_WERR ( h , r - > in . bind_handle , DRSUAPI_BIND_HANDLE ) ;
b_state = h - > data ;
2009-09-24 02:47:14 +04:00
2010-08-18 08:31:05 +04:00
sam_ctx = b_state - > sam_ctx_system ? b_state - > sam_ctx_system : b_state - > sam_ctx ;
2009-09-16 06:26:33 +04:00
* r - > out . level_out = 6 ;
/* TODO: linked attributes*/
r - > out . ctr - > ctr6 . linked_attributes_count = 0 ;
r - > out . ctr - > ctr6 . linked_attributes = NULL ;
2009-09-09 15:26:17 +04:00
2009-09-16 06:26:33 +04:00
r - > out . ctr - > ctr6 . object_count = 0 ;
2009-09-26 02:17:44 +04:00
r - > out . ctr - > ctr6 . nc_object_count = 0 ;
2009-09-16 06:26:33 +04:00
r - > out . ctr - > ctr6 . more_data = false ;
r - > out . ctr - > ctr6 . uptodateness_vector = NULL ;
2009-09-09 15:00:01 +04:00
2009-10-13 12:49:08 +04:00
/* a RODC doesn't allow for any replication */
2010-08-18 08:31:05 +04:00
ret = samdb_rodc ( sam_ctx , & am_rodc ) ;
2010-04-16 00:37:40 +04:00
if ( ret = = LDB_SUCCESS & & am_rodc ) {
2009-10-13 12:49:08 +04:00
DEBUG ( 0 , ( __location__ " : DsGetNCChanges attempt on RODC \n " ) ) ;
return WERR_DS_DRA_SOURCE_DISABLED ;
}
/* Check request revision.
*/
2010-09-30 10:30:18 +04:00
switch ( r - > in . level ) {
case 8 :
req10 = getncchanges_map_req8 ( mem_ctx , & r - > in . req - > req8 ) ;
if ( req10 = = NULL ) {
return WERR_NOMEM ;
}
break ;
case 10 :
req10 = & r - > in . req - > req10 ;
break ;
default :
2009-10-13 12:49:08 +04:00
DEBUG ( 0 , ( __location__ " : Request for DsGetNCChanges with unsupported level %u \n " ,
r - > in . level ) ) ;
2009-09-09 15:00:01 +04:00
return WERR_REVISION_MISMATCH ;
}
2009-10-13 12:49:08 +04:00
2009-09-09 15:00:01 +04:00
/* Perform access checks. */
2009-12-03 01:19:55 +03:00
/* TODO: we need to support a sync on a specific non-root
* DN . We ' ll need to find the real partition root here */
2010-09-30 10:30:18 +04:00
ncRoot = req10 - > naming_context ;
2009-10-13 12:49:08 +04:00
if ( ncRoot = = NULL ) {
DEBUG ( 0 , ( __location__ " : Request for DsGetNCChanges with no NC \n " ) ) ;
2009-09-09 15:00:01 +04:00
return WERR_DS_DRA_INVALID_PARAMETER ;
}
2010-08-18 08:31:05 +04:00
if ( samdb_ntds_options ( sam_ctx , & options ) ! = LDB_SUCCESS ) {
2009-10-13 12:49:08 +04:00
return WERR_DS_DRA_INTERNAL_ERROR ;
}
if ( ( options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL ) & &
2010-09-30 10:30:18 +04:00
! ( req10 - > replica_flags & DRSUAPI_DRS_SYNC_FORCED ) ) {
2009-10-13 12:49:08 +04:00
return WERR_DS_DRA_SOURCE_DISABLED ;
2009-09-09 15:00:01 +04:00
}
2010-09-30 02:49:15 +04:00
user_sid = & dce_call - > conn - > auth_state . session_info - > security_token - > sids [ PRIMARY_USER_SID_INDEX ] ;
werr = drs_security_access_check_nc_root ( b_state - > sam_ctx ,
mem_ctx ,
dce_call - > conn - > auth_state . session_info - > security_token ,
2010-09-30 10:30:18 +04:00
req10 - > naming_context ,
2010-09-30 02:49:15 +04:00
GUID_DRS_GET_CHANGES ) ;
2010-04-22 10:56:40 +04:00
if ( ! W_ERROR_IS_OK ( werr ) ) {
return werr ;
2010-04-22 08:56:19 +04:00
}
2010-09-30 10:30:18 +04:00
werr = dcesrv_drsuapi_is_reveal_secrets_request ( b_state , req10 , & is_secret_request ) ;
2010-09-30 02:49:15 +04:00
if ( ! W_ERROR_IS_OK ( werr ) ) {
return werr ;
}
2010-09-30 10:30:18 +04:00
if ( is_secret_request & & req10 - > extended_op ! = DRSUAPI_EXOP_REPL_SECRET ) {
2010-09-30 02:49:15 +04:00
werr = drs_security_access_check_nc_root ( b_state - > sam_ctx ,
mem_ctx ,
dce_call - > conn - > auth_state . session_info - > security_token ,
2010-09-30 10:30:18 +04:00
req10 - > naming_context ,
2010-09-30 02:49:15 +04:00
GUID_DRS_GET_ALL_CHANGES ) ;
if ( ! W_ERROR_IS_OK ( werr ) ) {
return werr ;
}
}
2010-08-18 12:38:26 +04:00
2010-04-22 10:56:40 +04:00
/* for non-administrator replications, check that they have
given the correct source_dsa_invocation_id */
security_level = security_session_user_level ( dce_call - > conn - > auth_state . session_info ,
2010-08-18 08:31:05 +04:00
samdb_domain_sid ( sam_ctx ) ) ;
2010-09-30 02:49:15 +04:00
if ( security_level = = SECURITY_RO_DOMAIN_CONTROLLER ) {
2010-09-30 10:30:18 +04:00
if ( req10 - > replica_flags & DRSUAPI_DRS_WRIT_REP ) {
2010-09-30 02:49:15 +04:00
/* we rely on this flag being unset for RODC requests */
2010-09-30 10:30:18 +04:00
req10 - > replica_flags & = ~ DRSUAPI_DRS_WRIT_REP ;
2010-09-30 02:49:15 +04:00
}
2010-04-16 00:37:40 +04:00
}
2010-09-30 10:30:18 +04:00
if ( req10 - > replica_flags & DRSUAPI_DRS_FULL_SYNC_PACKET ) {
2009-09-24 03:58:58 +04:00
/* Ignore the _in_ uptpdateness vector*/
2010-09-30 10:30:18 +04:00
req10 - > uptodateness_vector = NULL ;
2009-09-24 03:58:58 +04:00
}
2009-09-26 02:17:44 +04:00
getnc_state = b_state - > getncchanges_state ;
2009-12-03 01:19:55 +03:00
/* see if a previous replication has been abandoned */
if ( getnc_state ) {
2010-09-28 21:40:18 +04:00
struct ldb_dn * new_dn = drs_ObjectIdentifier_to_dn ( getnc_state , sam_ctx , ncRoot ) ;
2009-12-03 01:19:55 +03:00
if ( ldb_dn_compare ( new_dn , getnc_state - > ncRoot_dn ) ! = 0 ) {
2009-12-19 16:12:35 +03:00
DEBUG ( 0 , ( __location__ " : DsGetNCChanges 2nd replication on different DN %s %s (last_dn %s) \n " ,
2009-12-03 01:19:55 +03:00
ldb_dn_get_linearized ( new_dn ) ,
2009-12-19 16:12:35 +03:00
ldb_dn_get_linearized ( getnc_state - > ncRoot_dn ) ,
ldb_dn_get_linearized ( getnc_state - > last_dn ) ) ) ;
2009-12-03 01:19:55 +03:00
talloc_free ( getnc_state ) ;
getnc_state = NULL ;
}
}
2009-09-26 02:17:44 +04:00
if ( getnc_state = = NULL ) {
getnc_state = talloc_zero ( b_state , struct drsuapi_getncchanges_state ) ;
if ( getnc_state = = NULL ) {
return WERR_NOMEM ;
}
b_state - > getncchanges_state = getnc_state ;
2010-09-28 21:40:18 +04:00
getnc_state - > ncRoot_dn = drs_ObjectIdentifier_to_dn ( getnc_state , sam_ctx , ncRoot ) ;
2010-08-18 04:52:48 +04:00
/* find out if we are to replicate Schema NC */
ret = ldb_dn_compare ( getnc_state - > ncRoot_dn ,
ldb_get_schema_basedn ( b_state - > sam_ctx ) ) ;
getnc_state - > is_schema_nc = ( 0 = = ret ) ;
2010-09-10 03:02:56 +04:00
/*
* This is the first replication cycle and it is
* a good place to handle extended operations
*
* FIXME : we don ' t fully support extended operations yet
*/
2010-09-30 10:30:18 +04:00
switch ( req10 - > extended_op ) {
2010-09-10 03:02:56 +04:00
case DRSUAPI_EXOP_NONE :
break ;
case DRSUAPI_EXOP_FSMO_RID_ALLOC :
2010-09-30 10:30:18 +04:00
werr = getncchanges_rid_alloc ( b_state , mem_ctx , req10 , & r - > out . ctr - > ctr6 ) ;
2010-09-10 03:02:56 +04:00
W_ERROR_NOT_OK_RETURN ( werr ) ;
search_dn = ldb_get_default_basedn ( sam_ctx ) ;
break ;
case DRSUAPI_EXOP_REPL_SECRET :
2010-09-30 10:30:18 +04:00
werr = getncchanges_repl_secret ( b_state , mem_ctx , req10 , user_sid , & r - > out . ctr - > ctr6 ) ;
2010-09-10 03:02:56 +04:00
r - > out . result = werr ;
W_ERROR_NOT_OK_RETURN ( werr ) ;
break ;
case DRSUAPI_EXOP_FSMO_REQ_ROLE :
2010-09-30 10:30:18 +04:00
werr = getncchanges_change_master ( b_state , mem_ctx , req10 , & r - > out . ctr - > ctr6 ) ;
2010-09-10 03:02:56 +04:00
W_ERROR_NOT_OK_RETURN ( werr ) ;
break ;
case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE :
2010-09-30 10:30:18 +04:00
werr = getncchanges_change_master ( b_state , mem_ctx , req10 , & r - > out . ctr - > ctr6 ) ;
2010-09-10 03:02:56 +04:00
W_ERROR_NOT_OK_RETURN ( werr ) ;
break ;
case DRSUAPI_EXOP_FSMO_REQ_PDC :
2010-09-30 10:30:18 +04:00
werr = getncchanges_change_master ( b_state , mem_ctx , req10 , & r - > out . ctr - > ctr6 ) ;
2010-09-10 03:02:56 +04:00
W_ERROR_NOT_OK_RETURN ( werr ) ;
break ;
case DRSUAPI_EXOP_REPL_OBJ :
2010-09-30 10:30:18 +04:00
werr = getncchanges_repl_obj ( b_state , mem_ctx , req10 , user_sid , & r - > out . ctr - > ctr6 ) ;
2010-09-28 21:48:38 +04:00
r - > out . result = werr ;
W_ERROR_NOT_OK_RETURN ( werr ) ;
break ;
case DRSUAPI_EXOP_FSMO_ABANDON_ROLE :
2010-09-10 03:02:56 +04:00
DEBUG ( 0 , ( __location__ " : Request for DsGetNCChanges unsupported extended op 0x%x \n " ,
2010-09-30 10:30:18 +04:00
( unsigned ) req10 - > extended_op ) ) ;
2010-09-10 03:02:56 +04:00
return WERR_DS_DRA_NOT_SUPPORTED ;
}
2009-12-09 06:39:05 +03:00
}
if ( ! ldb_dn_validate ( getnc_state - > ncRoot_dn ) | |
ldb_dn_is_null ( getnc_state - > ncRoot_dn ) ) {
2010-09-28 21:40:18 +04:00
DEBUG ( 0 , ( __location__ " : Bad DN '%s' \n " ,
drs_ObjectIdentifier_to_string ( mem_ctx , ncRoot ) ) ) ;
2009-12-09 06:39:05 +03:00
return WERR_DS_DRA_INVALID_PARAMETER ;
2009-09-16 06:26:33 +04:00
}
2009-09-10 11:46:30 +04:00
/* we need the session key for encrypting password attributes */
status = dcesrv_inherited_session_key ( dce_call - > conn , & session_key ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( __location__ " : Failed to get session key \n " ) ) ;
return WERR_DS_DRA_INTERNAL_ERROR ;
}
2009-10-13 12:49:08 +04:00
/*
TODO : MS - DRSR section 4.1 .10 .1 .1
Work out if this is the start of a new cycle */
2009-09-26 02:17:44 +04:00
if ( getnc_state - > site_res = = NULL ) {
char * search_filter ;
enum ldb_scope scope = LDB_SCOPE_SUBTREE ;
2009-12-19 16:12:35 +03:00
const char * extra_filter ;
2010-09-30 10:30:18 +04:00
if ( req10 - > extended_op = = DRSUAPI_EXOP_REPL_OBJ | |
req10 - > extended_op = = DRSUAPI_EXOP_REPL_SECRET ) {
2010-09-28 21:48:38 +04:00
scope = LDB_SCOPE_BASE ;
}
2010-07-16 08:32:42 +04:00
extra_filter = lpcfg_parm_string ( dce_call - > conn - > dce_ctx - > lp_ctx , NULL , " drs " , " object filter " ) ;
2009-09-24 02:47:14 +04:00
2010-09-30 10:30:18 +04:00
getnc_state - > min_usn = req10 - > highwatermark . highest_usn ;
2009-09-24 03:52:34 +04:00
2009-09-26 02:17:44 +04:00
/* Construct response. */
search_filter = talloc_asprintf ( mem_ctx ,
" (uSNChanged>=%llu) " ,
( unsigned long long ) ( getnc_state - > min_usn + 1 ) ) ;
2009-10-13 06:09:07 +04:00
2009-12-19 16:12:35 +03:00
if ( extra_filter ) {
search_filter = talloc_asprintf ( mem_ctx , " (&%s(%s)) " , search_filter , extra_filter ) ;
}
2010-09-30 10:30:18 +04:00
if ( req10 - > replica_flags & DRSUAPI_DRS_CRITICAL_ONLY ) {
2009-09-26 02:17:44 +04:00
search_filter = talloc_asprintf ( mem_ctx ,
" (&%s(isCriticalSystemObject=TRUE)) " ,
search_filter ) ;
}
2010-09-30 10:30:18 +04:00
if ( req10 - > replica_flags & DRSUAPI_DRS_ASYNC_REP ) {
2009-09-26 02:17:44 +04:00
scope = LDB_SCOPE_BASE ;
}
2010-01-09 02:12:54 +03:00
if ( ! search_dn ) {
search_dn = getnc_state - > ncRoot_dn ;
}
2010-09-28 01:42:13 +04:00
DEBUG ( 2 , ( __location__ " : getncchanges on %s using filter %s \n " ,
2009-09-26 02:17:44 +04:00
ldb_dn_get_linearized ( getnc_state - > ncRoot_dn ) , search_filter ) ) ;
2010-08-18 08:31:05 +04:00
ret = drsuapi_search_with_extended_dn ( sam_ctx , getnc_state , & getnc_state - > site_res ,
2010-01-09 02:12:54 +03:00
search_dn , scope , attrs ,
2009-09-26 02:17:44 +04:00
search_filter ) ;
if ( ret ! = LDB_SUCCESS ) {
return WERR_DS_DRA_INTERNAL_ERROR ;
}
2009-12-21 13:10:41 +03:00
2010-09-30 10:30:18 +04:00
if ( req10 - > replica_flags & DRSUAPI_DRS_GET_ANC ) {
2010-02-13 05:00:55 +03:00
TYPESAFE_QSORT ( getnc_state - > site_res - > msgs ,
getnc_state - > site_res - > count ,
site_res_cmp_parent_order ) ;
2009-12-21 13:10:41 +03:00
} else {
2010-02-13 05:00:55 +03:00
TYPESAFE_QSORT ( getnc_state - > site_res - > msgs ,
getnc_state - > site_res - > count ,
site_res_cmp_usn_order ) ;
2009-12-21 13:10:41 +03:00
}
2010-09-30 10:30:18 +04:00
getnc_state - > uptodateness_vector = talloc_steal ( getnc_state , req10 - > uptodateness_vector ) ;
2010-01-09 05:11:27 +03:00
if ( getnc_state - > uptodateness_vector ) {
/* make sure its sorted */
2010-02-13 05:00:55 +03:00
TYPESAFE_QSORT ( getnc_state - > uptodateness_vector - > cursors ,
getnc_state - > uptodateness_vector - > count ,
drsuapi_DsReplicaCursor_compare ) ;
2010-01-09 05:11:27 +03:00
}
2009-09-09 15:00:01 +04:00
}
/* Prefix mapping */
2010-08-18 08:31:05 +04:00
schema = dsdb_get_schema ( sam_ctx , mem_ctx ) ;
2009-09-09 15:00:01 +04:00
if ( ! schema ) {
2009-09-09 15:26:17 +04:00
DEBUG ( 0 , ( " No schema in sam_ctx \n " ) ) ;
return WERR_DS_DRA_INTERNAL_ERROR ;
2009-09-09 15:00:01 +04:00
}
2009-09-16 06:26:33 +04:00
r - > out . ctr - > ctr6 . naming_context = talloc ( mem_ctx , struct drsuapi_DsReplicaObjectIdentifier ) ;
* r - > out . ctr - > ctr6 . naming_context = * ncRoot ;
2010-08-18 08:31:05 +04:00
if ( dsdb_find_guid_by_dn ( sam_ctx , getnc_state - > ncRoot_dn ,
2009-09-26 02:17:44 +04:00
& r - > out . ctr - > ctr6 . naming_context - > guid ) ! = LDB_SUCCESS ) {
2009-09-24 00:56:10 +04:00
DEBUG ( 0 , ( __location__ " : Failed to find GUID of ncRoot_dn %s \n " ,
2009-09-26 02:17:44 +04:00
ldb_dn_get_linearized ( getnc_state - > ncRoot_dn ) ) ) ;
2009-09-24 00:56:10 +04:00
return WERR_DS_DRA_INTERNAL_ERROR ;
}
/* find the SID if there is one */
2010-08-18 08:31:05 +04:00
dsdb_find_sid_by_dn ( sam_ctx , getnc_state - > ncRoot_dn , & r - > out . ctr - > ctr6 . naming_context - > sid ) ;
2009-09-24 00:56:10 +04:00
2009-09-09 15:00:01 +04:00
dsdb_get_oid_mappings_drsuapi ( schema , true , mem_ctx , & ctr ) ;
r - > out . ctr - > ctr6 . mapping_ctr = * ctr ;
2010-08-18 08:31:05 +04:00
r - > out . ctr - > ctr6 . source_dsa_guid = * ( samdb_ntds_objectGUID ( sam_ctx ) ) ;
r - > out . ctr - > ctr6 . source_dsa_invocation_id = * ( samdb_ntds_invocation_id ( sam_ctx ) ) ;
2009-09-09 15:00:01 +04:00
2010-09-30 10:30:18 +04:00
r - > out . ctr - > ctr6 . old_highwatermark = req10 - > highwatermark ;
r - > out . ctr - > ctr6 . new_highwatermark = req10 - > highwatermark ;
2009-09-09 15:00:01 +04:00
2009-09-12 05:14:29 +04:00
r - > out . ctr - > ctr6 . first_object = NULL ;
currentObject = & r - > out . ctr - > ctr6 . first_object ;
2009-09-09 15:00:01 +04:00
2009-12-19 04:25:09 +03:00
/* use this to force single objects at a time, which is useful
* for working out what object is giving problems
*/
2010-07-16 08:32:42 +04:00
max_objects = lpcfg_parm_int ( dce_call - > conn - > dce_ctx - > lp_ctx , NULL , " drs " , " max object sync " , 1000 ) ;
2010-09-30 10:30:18 +04:00
if ( req10 - > max_object_count < max_objects ) {
max_objects = req10 - > max_object_count ;
2009-12-19 16:12:35 +03:00
}
2010-07-09 14:52:11 +04:00
/*
* TODO : work out how the maximum should be calculated
*/
2010-07-16 08:32:42 +04:00
max_links = lpcfg_parm_int ( dce_call - > conn - > dce_ctx - > lp_ctx , NULL , " drs " , " max link sync " , 1500 ) ;
2009-12-19 04:25:09 +03:00
2010-08-18 12:38:26 +04:00
for ( i = getnc_state - > num_sent ;
i < getnc_state - > site_res - > count & &
! null_scope & &
( r - > out . ctr - > ctr6 . object_count < max_objects ) ;
2009-09-26 02:17:44 +04:00
i + + ) {
2009-09-09 15:26:17 +04:00
int uSN ;
2009-09-12 05:14:29 +04:00
struct drsuapi_DsReplicaObjectListItemEx * obj ;
2009-12-19 04:25:09 +03:00
struct ldb_message * msg = getnc_state - > site_res - > msgs [ i ] ;
2009-09-12 05:14:29 +04:00
obj = talloc_zero ( mem_ctx , struct drsuapi_DsReplicaObjectListItemEx ) ;
2009-09-09 15:26:17 +04:00
2009-12-19 04:25:09 +03:00
werr = get_nc_changes_build_object ( obj , msg ,
2010-08-18 08:31:05 +04:00
sam_ctx , getnc_state - > ncRoot_dn ,
2010-08-18 04:52:48 +04:00
getnc_state - > is_schema_nc ,
2009-09-26 02:17:44 +04:00
schema , & session_key , getnc_state - > min_usn ,
2010-09-30 10:30:18 +04:00
req10 - > replica_flags ,
req10 - > partial_attribute_set ,
2010-09-30 02:49:15 +04:00
getnc_state - > uptodateness_vector ,
2010-09-30 10:30:18 +04:00
req10 - > extended_op ) ;
2009-09-09 15:26:17 +04:00
if ( ! W_ERROR_IS_OK ( werr ) ) {
return werr ;
2009-09-09 15:00:01 +04:00
}
2009-09-10 13:41:48 +04:00
2010-08-18 08:31:05 +04:00
werr = get_nc_changes_add_links ( sam_ctx , getnc_state ,
2009-12-19 04:25:09 +03:00
getnc_state - > ncRoot_dn ,
schema , getnc_state - > min_usn ,
2010-09-30 10:30:18 +04:00
req10 - > replica_flags ,
2009-12-19 04:25:09 +03:00
msg ,
2009-12-21 13:13:59 +03:00
& getnc_state - > la_list ,
2010-01-09 05:11:27 +03:00
& getnc_state - > la_count ,
getnc_state - > uptodateness_vector ) ;
2009-12-19 04:25:09 +03:00
if ( ! W_ERROR_IS_OK ( werr ) ) {
return werr ;
}
2009-12-21 13:16:35 +03:00
uSN = ldb_msg_find_attr_as_int ( msg , " uSNChanged " , - 1 ) ;
if ( uSN > r - > out . ctr - > ctr6 . new_highwatermark . tmp_highest_usn ) {
r - > out . ctr - > ctr6 . new_highwatermark . tmp_highest_usn = uSN ;
}
if ( uSN > getnc_state - > highest_usn ) {
getnc_state - > highest_usn = uSN ;
}
2009-09-12 05:14:29 +04:00
if ( obj - > meta_data_ctr = = NULL ) {
2010-01-09 06:28:00 +03:00
DEBUG ( 8 , ( __location__ " : getncchanges skipping send of object %s \n " ,
2009-12-19 04:25:09 +03:00
ldb_dn_get_linearized ( msg - > dn ) ) ) ;
2009-09-12 05:14:29 +04:00
/* no attributes to send */
talloc_free ( obj ) ;
continue ;
2009-09-10 13:41:48 +04:00
}
2009-09-12 05:14:29 +04:00
r - > out . ctr - > ctr6 . object_count + + ;
* currentObject = obj ;
currentObject = & obj - > next_object ;
2009-12-19 04:25:09 +03:00
2009-12-19 16:12:35 +03:00
talloc_free ( getnc_state - > last_dn ) ;
getnc_state - > last_dn = ldb_dn_copy ( getnc_state , msg - > dn ) ;
2009-12-19 04:25:09 +03:00
DEBUG ( 8 , ( __location__ " : replicating object %s \n " , ldb_dn_get_linearized ( msg - > dn ) ) ) ;
2009-09-09 15:00:01 +04:00
}
2009-09-26 02:17:44 +04:00
getnc_state - > num_sent + = r - > out . ctr - > ctr6 . object_count ;
2009-09-12 05:14:29 +04:00
2009-09-26 02:17:44 +04:00
r - > out . ctr - > ctr6 . nc_object_count = getnc_state - > site_res - > count ;
2009-10-14 13:29:39 +04:00
/* the client can us to call UpdateRefs on its behalf to
re - establish monitoring of the NC */
2010-09-30 10:30:18 +04:00
if ( ( req10 - > replica_flags & ( DRSUAPI_DRS_ADD_REF | DRSUAPI_DRS_REF_GCSPN ) ) & &
! GUID_all_zero ( & req10 - > destination_dsa_guid ) ) {
2009-10-14 13:29:39 +04:00
struct drsuapi_DsReplicaUpdateRefsRequest1 ureq ;
2010-04-26 15:49:37 +04:00
DEBUG ( 3 , ( " UpdateRefs on getncchanges for %s \n " ,
2010-09-30 10:30:18 +04:00
GUID_string ( mem_ctx , & req10 - > destination_dsa_guid ) ) ) ;
2009-10-14 13:29:39 +04:00
ureq . naming_context = ncRoot ;
ureq . dest_dsa_dns_name = talloc_asprintf ( mem_ctx , " %s._msdcs.%s " ,
2010-09-30 10:30:18 +04:00
GUID_string ( mem_ctx , & req10 - > destination_dsa_guid ) ,
2010-09-15 12:49:34 +04:00
lpcfg_dnsdomain ( dce_call - > conn - > dce_ctx - > lp_ctx ) ) ;
2009-10-14 13:29:39 +04:00
if ( ! ureq . dest_dsa_dns_name ) {
return WERR_NOMEM ;
}
2010-09-30 10:30:18 +04:00
ureq . dest_dsa_guid = req10 - > destination_dsa_guid ;
2010-01-14 06:38:00 +03:00
ureq . options = DRSUAPI_DRS_ADD_REF |
DRSUAPI_DRS_ASYNC_OP |
DRSUAPI_DRS_GETCHG_CHECK ;
2010-09-30 23:43:45 +04:00
/* we also need to pass through the
DRSUAPI_DRS_REF_GCSPN bit so that repsTo gets flagged
to send notifies using the GC SPN */
ureq . options | = ( req10 - > replica_flags & DRSUAPI_DRS_REF_GCSPN ) ;
2009-10-14 13:29:39 +04:00
werr = drsuapi_UpdateRefs ( b_state , mem_ctx , & ureq ) ;
if ( ! W_ERROR_IS_OK ( werr ) ) {
DEBUG ( 0 , ( __location__ " : Failed UpdateRefs in DsGetNCChanges - %s \n " ,
win_errstr ( werr ) ) ) ;
}
}
2010-07-09 14:52:11 +04:00
/*
* TODO :
* This is just a guess , how to calculate the
* number of linked attributes to send , we need to
* find out how to do this right .
*/
if ( r - > out . ctr - > ctr6 . object_count > = max_links ) {
max_links = 0 ;
} else {
max_links - = r - > out . ctr - > ctr6 . object_count ;
}
link_total = getnc_state - > la_count ;
2009-09-26 02:17:44 +04:00
if ( i < getnc_state - > site_res - > count ) {
r - > out . ctr - > ctr6 . more_data = true ;
} else {
2010-07-09 14:52:11 +04:00
/* sort the whole array the first time */
if ( ! getnc_state - > la_sorted ) {
LDB_TYPESAFE_QSORT ( getnc_state - > la_list , getnc_state - > la_count ,
2010-08-18 08:31:05 +04:00
sam_ctx , linked_attribute_compare ) ;
2010-07-09 14:52:11 +04:00
getnc_state - > la_sorted = true ;
}
link_count = getnc_state - > la_count - getnc_state - > la_idx ;
link_count = MIN ( max_links , link_count ) ;
r - > out . ctr - > ctr6 . linked_attributes_count = link_count ;
r - > out . ctr - > ctr6 . linked_attributes = getnc_state - > la_list + getnc_state - > la_idx ;
getnc_state - > la_idx + = link_count ;
link_given = getnc_state - > la_idx ;
2009-12-28 09:22:40 +03:00
2010-07-09 14:52:11 +04:00
if ( getnc_state - > la_idx < getnc_state - > la_count ) {
r - > out . ctr - > ctr6 . more_data = true ;
}
}
if ( ! r - > out . ctr - > ctr6 . more_data ) {
talloc_steal ( mem_ctx , getnc_state - > la_list ) ;
2009-12-28 09:22:40 +03:00
2009-09-26 02:17:44 +04:00
r - > out . ctr - > ctr6 . uptodateness_vector = talloc ( mem_ctx , struct drsuapi_DsReplicaCursor2CtrEx ) ;
r - > out . ctr - > ctr6 . new_highwatermark . highest_usn = r - > out . ctr - > ctr6 . new_highwatermark . tmp_highest_usn ;
2010-08-18 08:31:05 +04:00
werr = get_nc_changes_udv ( sam_ctx , getnc_state - > ncRoot_dn ,
2010-01-16 03:49:09 +03:00
r - > out . ctr - > ctr6 . uptodateness_vector ) ;
2009-09-26 02:17:44 +04:00
if ( ! W_ERROR_IS_OK ( werr ) ) {
return werr ;
}
talloc_free ( getnc_state ) ;
b_state - > getncchanges_state = NULL ;
}
2009-09-12 05:14:29 +04:00
2010-09-30 10:30:18 +04:00
if ( req10 - > extended_op ! = DRSUAPI_EXOP_NONE ) {
2010-01-09 02:12:54 +03:00
r - > out . ctr - > ctr6 . uptodateness_vector = NULL ;
r - > out . ctr - > ctr6 . nc_object_count = 0 ;
ZERO_STRUCT ( r - > out . ctr - > ctr6 . new_highwatermark ) ;
2010-09-10 03:05:27 +04:00
r - > out . ctr - > ctr6 . extended_ret = DRSUAPI_EXOP_ERR_SUCCESS ;
2010-01-09 02:12:54 +03:00
}
2010-09-24 21:05:07 +04:00
DEBUG ( r - > out . ctr - > ctr6 . more_data ? 4 : 2 ,
2010-08-23 05:33:19 +04:00
( " DsGetNCChanges with uSNChanged >= %llu flags 0x%08x on %s gave %u objects (done %u/%u) %u links (done %u/%u (as %s)) \n " ,
2010-09-30 10:30:18 +04:00
( unsigned long long ) ( req10 - > highwatermark . highest_usn + 1 ) ,
req10 - > replica_flags , drs_ObjectIdentifier_to_string ( mem_ctx , ncRoot ) ,
2010-07-09 14:52:11 +04:00
r - > out . ctr - > ctr6 . object_count ,
2009-12-19 16:12:35 +03:00
i , r - > out . ctr - > ctr6 . more_data ? getnc_state - > site_res - > count : i ,
2010-07-09 14:52:11 +04:00
r - > out . ctr - > ctr6 . linked_attributes_count ,
2010-08-23 05:33:19 +04:00
link_given , link_total ,
dom_sid_string ( mem_ctx , user_sid ) ) ) ;
2009-12-19 16:12:35 +03:00
#if 0
2010-09-30 10:30:18 +04:00
if ( ! r - > out . ctr - > ctr6 . more_data & & req10 - > extended_op ! = DRSUAPI_EXOP_NONE ) {
2009-12-19 16:12:35 +03:00
NDR_PRINT_FUNCTION_DEBUG ( drsuapi_DsGetNCChanges , NDR_BOTH , r ) ;
}
# endif
2009-09-12 05:14:29 +04:00
2009-09-09 15:00:01 +04:00
return WERR_OK ;
}