sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Code

s4:samr Split the guts of samr_CreateUser2 into a helper function

Browse Source 
This allows this logic to be shared, rather than copied, into a passdb
wrapper.

Andrew Bartlett
This commit is contained in:
Andrew Bartlett 2010-05-21 08:14:53 +10:00
parent e0d141bd46
commit 43c931b2d4
3 changed files with 258 additions and 187 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

249
source4/dsdb/common/util_samr.c Normal file
View File

@ -0,0 +1,249 @@
/*
Unix SMB/CIFS implementation.
Helpers to add users and groups to the DB
Copyright (C) Andrew Tridgell 2004
Copyright (C) Volker Lendecke 2004
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2010
Copyright (C) Matthias Dieter Wallnöfer 2009
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "dsdb/samdb/samdb.h"
#include "dsdb/common/util.h"
#include "../libds/common/flags.h"
/* Add a user, SAMR style, including the correct transaction
* semantics. Used by the SAMR server and by pdb_samba4 */
NTSTATUS dsdb_add_user(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
const char *account_name,
uint32_t acct_flags,
struct dom_sid **sid,
struct ldb_dn **dn)
{
const char *name;
struct ldb_message *msg;
int ret;
const char *container, *obj_class=NULL;
char *cn_name;
int cn_name_len;
const char *attrs[] = {
"objectSid",
"userAccountControl",
NULL
};
uint32_t user_account_control;
struct ldb_dn *account_dn;
struct dom_sid *account_sid;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
/*
* Start a transaction, so we can query and do a subsequent atomic
* modify
*/
ret = ldb_transaction_start(ldb);
if (ret != LDB_SUCCESS) {
DEBUG(0,("Failed to start a transaction for user creation: %s\n",
ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
/* check if the user already exists */
name = samdb_search_string(ldb, tmp_ctx, NULL,
"sAMAccountName",
"(&(sAMAccountName=%s)(objectclass=user))",
ldb_binary_encode_string(tmp_ctx, account_name));
if (name != NULL) {
ldb_transaction_cancel(ldb);
talloc_free(tmp_ctx);
return NT_STATUS_USER_EXISTS;
}
msg = ldb_msg_new(tmp_ctx);
if (msg == NULL) {
ldb_transaction_cancel(ldb);
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
cn_name = talloc_strdup(tmp_ctx, account_name);
if (!cn_name) {
ldb_transaction_cancel(ldb);
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
cn_name_len = strlen(cn_name);
/* This must be one of these values *only* */
if (acct_flags == ACB_NORMAL) {
container = "CN=Users";
obj_class = "user";
} else if (acct_flags == ACB_WSTRUST) {
if (cn_name[cn_name_len - 1] != '$') {
ldb_transaction_cancel(ldb);
return NT_STATUS_FOOBAR;
}
cn_name[cn_name_len - 1] = '\0';
container = "CN=Computers";
obj_class = "computer";
samdb_msg_add_int(ldb, tmp_ctx, msg,
"primaryGroupID", DOMAIN_RID_DOMAIN_MEMBERS);
} else if (acct_flags == ACB_SVRTRUST) {
if (cn_name[cn_name_len - 1] != '$') {
ldb_transaction_cancel(ldb);
return NT_STATUS_FOOBAR;
}
cn_name[cn_name_len - 1] = '\0';
container = "OU=Domain Controllers";
obj_class = "computer";
samdb_msg_add_int(ldb, tmp_ctx, msg,
"primaryGroupID", DOMAIN_RID_DCS);
} else {
ldb_transaction_cancel(ldb);
talloc_free(tmp_ctx);
return NT_STATUS_INVALID_PARAMETER;
}
/* add core elements to the ldb_message for the user */
msg->dn = ldb_dn_copy(msg, ldb_get_default_basedn(ldb));
if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s,%s", cn_name, container)) {
ldb_transaction_cancel(ldb);
talloc_free(tmp_ctx);
return NT_STATUS_FOOBAR;
}
samdb_msg_add_string(ldb, tmp_ctx, msg, "sAMAccountName",
account_name);
samdb_msg_add_string(ldb, tmp_ctx, msg, "objectClass",
obj_class);
/* create the user */
ret = ldb_add(ldb, msg);
switch (ret) {
case LDB_SUCCESS:
break;
case LDB_ERR_ENTRY_ALREADY_EXISTS:
ldb_transaction_cancel(ldb);
DEBUG(0,("Failed to create user record %s: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return NT_STATUS_USER_EXISTS;
case LDB_ERR_UNWILLING_TO_PERFORM:
case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
ldb_transaction_cancel(ldb);
DEBUG(0,("Failed to create user record %s: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return NT_STATUS_ACCESS_DENIED;
default:
ldb_transaction_cancel(ldb);
DEBUG(0,("Failed to create user record %s: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
account_dn = msg->dn;
/* retrieve the sid and account control bits for the user just created */
ret = dsdb_search_one(ldb, tmp_ctx, &msg,
account_dn, LDB_SCOPE_BASE, attrs, 0, NULL);
if (ret != LDB_SUCCESS) {
ldb_transaction_cancel(ldb);
DEBUG(0,("Can't locate the account we just created %s: %s\n",
ldb_dn_get_linearized(account_dn), ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
account_sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
if (account_sid == NULL) {
ldb_transaction_cancel(ldb);
DEBUG(0,("Apparently we failed to get the objectSid of the just created account record %s\n",
ldb_dn_get_linearized(msg->dn)));
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
/* Change the account control to be the correct account type.
* The default is for a workstation account */
user_account_control = samdb_result_uint(msg, "userAccountControl", 0);
user_account_control = (user_account_control &
~(UF_NORMAL_ACCOUNT |
UF_INTERDOMAIN_TRUST_ACCOUNT |
UF_WORKSTATION_TRUST_ACCOUNT |
UF_SERVER_TRUST_ACCOUNT));
user_account_control |= ds_acb2uf(acct_flags);
talloc_free(msg);
msg = ldb_msg_new(tmp_ctx);
if (msg == NULL) {
ldb_transaction_cancel(ldb);
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
msg->dn = account_dn;
if (samdb_msg_add_uint(ldb, tmp_ctx, msg,
"userAccountControl",
user_account_control) != 0) {
ldb_transaction_cancel(ldb);
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
/* modify the samdb record */
ret = dsdb_replace(ldb, msg, 0);
if (ret != LDB_SUCCESS) {
DEBUG(0,("Failed to modify account record %s to set userAccountControl: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb)));
ldb_transaction_cancel(ldb);
talloc_free(tmp_ctx);
/* we really need samdb.c to return NTSTATUS */
return NT_STATUS_UNSUCCESSFUL;
}
ret = ldb_transaction_commit(ldb);
if (ret != LDB_SUCCESS) {
DEBUG(0,("Failed to commit transaction to add and modify account record %s: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
*dn = talloc_steal(mem_ctx, account_dn);
*sid = talloc_steal(mem_ctx, account_sid);
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}

2
source4/dsdb/wscript_build
View File

@ -11,7 +11,7 @@ bld.SAMBA_SUBSYSTEM('SAMDB',
bld.SAMBA_SUBSYSTEM('SAMDB_COMMON',
source='common/util.c common/dsdb_dn.c common/dsdb_access.c ../../libds/common/flag_mapping.c',
source='common/util.c common/util_samr.c common/dsdb_dn.c common/dsdb_access.c ../../libds/common/flag_mapping.c',
autoproto='common/proto.h',
deps='ldb NDR_DRSBLOBS LIBCLI_LDAP_NDR UTIL_LDB LIBCLI_AUTH DSDB_MODULE_HELPERS'
)

194
source4/rpc_server/samr/dcesrv_samr.c
View File

@ -32,6 +32,7 @@
#include "lib/ldb/include/ldb_errors.h"
#include "../libds/common/flags.h"
#include "dsdb/samdb/samdb.h"
#include "dsdb/common/util.h"
#include "libcli/ldap/ldap_ndr.h"
#include "libcli/security/security.h"
#include "rpc_server/samr/proto.h"
@ -1213,28 +1214,14 @@ static NTSTATUS dcesrv_samr_EnumDomainGroups(struct dcesrv_call_state *dce_call,
static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct samr_CreateUser2 *r)
{
NTSTATUS status;
struct samr_domain_state *d_state;
struct samr_account_state *a_state;
struct dcesrv_handle *h;
const char *name;
struct ldb_message *msg;
struct ldb_dn *dn;
struct dom_sid *sid;
const char *account_name;
struct dcesrv_handle *u_handle;
int ret;
const char *container, *obj_class=NULL;
char *cn_name;
int cn_name_len;
const char *attrs[] = {
"objectSid",
"userAccountControl",
NULL
};
uint32_t user_account_control;
struct ldb_message **msgs;
const char *account_name;
ZERO_STRUCTP(r->out.user_handle);
*r->out.access_granted = 0;
@ -1257,111 +1244,10 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL
return NT_STATUS_INVALID_PARAMETER;
}
/*
* Start a transaction, so we can query and do a subsequent atomic
* modify
*/
ret = ldb_transaction_start(d_state->sam_ctx);
if (ret != LDB_SUCCESS) {
DEBUG(0,("Failed to start a transaction for user creation: %s\n",
ldb_errstring(d_state->sam_ctx)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
status = dsdb_add_user(d_state->sam_ctx, mem_ctx, account_name, r->in.acct_flags, &sid, &dn);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* check if the user already exists */
name = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL,
"sAMAccountName",
"(&(sAMAccountName=%s)(objectclass=user))",
ldb_binary_encode_string(mem_ctx, account_name));
if (name != NULL) {
ldb_transaction_cancel(d_state->sam_ctx);
return NT_STATUS_USER_EXISTS;
}
msg = ldb_msg_new(mem_ctx);
if (msg == NULL) {
ldb_transaction_cancel(d_state->sam_ctx);
return NT_STATUS_NO_MEMORY;
}
cn_name = talloc_strdup(mem_ctx, account_name);
if (!cn_name) {
ldb_transaction_cancel(d_state->sam_ctx);
return NT_STATUS_NO_MEMORY;
}
cn_name_len = strlen(cn_name);
/* This must be one of these values *only* */
if (r->in.acct_flags == ACB_NORMAL) {
container = "CN=Users";
obj_class = "user";
} else if (r->in.acct_flags == ACB_WSTRUST) {
if (cn_name[cn_name_len - 1] != '$') {
ldb_transaction_cancel(d_state->sam_ctx);
return NT_STATUS_FOOBAR;
}
cn_name[cn_name_len - 1] = '\0';
container = "CN=Computers";
obj_class = "computer";
samdb_msg_add_int(d_state->sam_ctx, mem_ctx, msg,
"primaryGroupID", DOMAIN_RID_DOMAIN_MEMBERS);
} else if (r->in.acct_flags == ACB_SVRTRUST) {
if (cn_name[cn_name_len - 1] != '$') {
ldb_transaction_cancel(d_state->sam_ctx);
return NT_STATUS_FOOBAR;
}
cn_name[cn_name_len - 1] = '\0';
container = "OU=Domain Controllers";
obj_class = "computer";
samdb_msg_add_int(d_state->sam_ctx, mem_ctx, msg,
"primaryGroupID", DOMAIN_RID_DCS);
} else {
ldb_transaction_cancel(d_state->sam_ctx);
return NT_STATUS_INVALID_PARAMETER;
}
/* add core elements to the ldb_message for the user */
msg->dn = ldb_dn_copy(msg, d_state->domain_dn);
if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s,%s", cn_name, container)) {
ldb_transaction_cancel(d_state->sam_ctx);
return NT_STATUS_FOOBAR;
}
samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "sAMAccountName",
account_name);
samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "objectClass",
obj_class);
/* create the user */
ret = ldb_add(d_state->sam_ctx, msg);
switch (ret) {
case LDB_SUCCESS:
break;
case LDB_ERR_ENTRY_ALREADY_EXISTS:
ldb_transaction_cancel(d_state->sam_ctx);
DEBUG(0,("Failed to create user record %s: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(d_state->sam_ctx)));
return NT_STATUS_USER_EXISTS;
case LDB_ERR_UNWILLING_TO_PERFORM:
case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
ldb_transaction_cancel(d_state->sam_ctx);
DEBUG(0,("Failed to create user record %s: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(d_state->sam_ctx)));
return NT_STATUS_ACCESS_DENIED;
default:
ldb_transaction_cancel(d_state->sam_ctx);
DEBUG(0,("Failed to create user record %s: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(d_state->sam_ctx)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
a_state = talloc(mem_ctx, struct samr_account_state);
if (!a_state) {
ldb_transaction_cancel(d_state->sam_ctx);
@ -1370,71 +1256,7 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL
a_state->sam_ctx = d_state->sam_ctx;
a_state->access_mask = r->in.access_mask;
a_state->domain_state = talloc_reference(a_state, d_state);
a_state->account_dn = talloc_steal(a_state, msg->dn);
/* retrieve the sid and account control bits for the user just created */
ret = gendb_search_dn(d_state->sam_ctx, mem_ctx,
msg->dn, &msgs, attrs);
if (ret != 1) {
ldb_transaction_cancel(d_state->sam_ctx);
DEBUG(0,("Apparently we failed to create an account record, as %s now doesn't exist\n",
ldb_dn_get_linearized(msg->dn)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
sid = samdb_result_dom_sid(mem_ctx, msgs[0], "objectSid");
if (sid == NULL) {
ldb_transaction_cancel(d_state->sam_ctx);
DEBUG(0,("Apparently we failed to get the objectSid of the just created account record %s\n",
ldb_dn_get_linearized(msg->dn)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
/* Change the account control to be the correct account type.
* The default is for a workstation account */
user_account_control = samdb_result_uint(msgs[0], "userAccountControl", 0);
user_account_control = (user_account_control &
~(UF_NORMAL_ACCOUNT |
UF_INTERDOMAIN_TRUST_ACCOUNT |
UF_WORKSTATION_TRUST_ACCOUNT |
UF_SERVER_TRUST_ACCOUNT));
user_account_control |= ds_acb2uf(r->in.acct_flags);
talloc_free(msg);
msg = ldb_msg_new(mem_ctx);
if (msg == NULL) {
ldb_transaction_cancel(d_state->sam_ctx);
return NT_STATUS_NO_MEMORY;
}
msg->dn = ldb_dn_copy(msg, a_state->account_dn);
if (samdb_msg_add_uint(a_state->sam_ctx, mem_ctx, msg,
"userAccountControl",
user_account_control) != 0) {
ldb_transaction_cancel(d_state->sam_ctx);
return NT_STATUS_NO_MEMORY;
}
/* modify the samdb record */
ret = dsdb_replace(a_state->sam_ctx, msg, 0);
if (ret != LDB_SUCCESS) {
DEBUG(0,("Failed to modify account record %s to set userAccountControl: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(d_state->sam_ctx)));
ldb_transaction_cancel(d_state->sam_ctx);
/* we really need samdb.c to return NTSTATUS */
return NT_STATUS_UNSUCCESSFUL;
}
ret = ldb_transaction_commit(d_state->sam_ctx);
if (ret != LDB_SUCCESS) {
DEBUG(0,("Failed to commit transaction to add and modify account record %s: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(d_state->sam_ctx)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
a_state->account_dn = talloc_steal(a_state, dn);
a_state->account_name = talloc_steal(a_state, account_name);
if (!a_state->account_name) {