/* Unix SMB/CIFS implementation. Samba utility functions Copyright (C) Andrew Tridgell 2004 Copyright (C) Volker Lendecke 2004 Copyright (C) Andrew Bartlett 2006 Copyright (C) Jelmer Vernooij 2007 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ #include "includes.h" #include "events/events.h" #include "ldb.h" #include "ldb_module.h" #include "ldb_errors.h" #include "../lib/util/util_ldb.h" #include "../lib/crypto/crypto.h" #include "dsdb/samdb/samdb.h" #include "libcli/security/security.h" #include "librpc/gen_ndr/ndr_security.h" #include "librpc/gen_ndr/ndr_misc.h" #include "../libds/common/flags.h" #include "dsdb/common/proto.h" #include "libcli/ldap/ldap_ndr.h" #include "param/param.h" #include "libcli/auth/libcli_auth.h" #include "librpc/gen_ndr/ndr_drsblobs.h" #include "system/locale.h" #include "system/filesys.h" #include "lib/util/tsort.h" #include "dsdb/common/util.h" #include "lib/socket/socket.h" #include "librpc/gen_ndr/irpc.h" #include "libds/common/flag_mapping.h" #include "lib/util/access.h" #include "lib/util/sys_rw_data.h" #include "libcli/util/ntstatus.h" #include "lib/util/smb_strtox.h" #include "auth/auth.h" #undef strncasecmp #undef strcasecmp /* * This included to allow us to handle DSDB_FLAG_REPLICATED_UPDATE in * dsdb_request_add_controls() */ #include "dsdb/samdb/ldb_modules/util.h" /* default is 30 minutes: -1e7 * 30 * 60 */ #define DEFAULT_OBSERVATION_WINDOW (-18000000000) /* search the sam for the specified attributes in a specific domain, filter on objectSid being in domain_sid. */ int samdb_search_domain(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *basedn, struct ldb_message ***res, const char * const *attrs, const struct dom_sid *domain_sid, const char *format, ...) _PRINTF_ATTRIBUTE(7,8) { va_list ap; int i, count; va_start(ap, format); count = gendb_search_v(sam_ldb, mem_ctx, basedn, res, attrs, format, ap); va_end(ap); i=0; while (i 1) { DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n", attr_name, format, count)); } if (count != 1) { talloc_free(res); return NULL; } return ldb_msg_find_attr_as_string(res[0], attr_name, NULL); } /* search the sam for a single string attribute in exactly 1 record */ const char *samdb_search_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *basedn, const char *attr_name, const char *format, ...) _PRINTF_ATTRIBUTE(5,6) { va_list ap; const char *str; va_start(ap, format); str = samdb_search_string_v(sam_ldb, mem_ctx, basedn, attr_name, format, ap); va_end(ap); return str; } struct ldb_dn *samdb_search_dn(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *basedn, const char *format, ...) _PRINTF_ATTRIBUTE(4,5) { va_list ap; struct ldb_dn *ret; struct ldb_message **res = NULL; int count; va_start(ap, format); count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, NULL, format, ap); va_end(ap); if (count != 1) return NULL; ret = talloc_steal(mem_ctx, res[0]->dn); talloc_free(res); return ret; } /* search the sam for a dom_sid attribute in exactly 1 record */ struct dom_sid *samdb_search_dom_sid(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *basedn, const char *attr_name, const char *format, ...) _PRINTF_ATTRIBUTE(5,6) { va_list ap; int count; struct ldb_message **res; const char *attrs[2] = { NULL, NULL }; struct dom_sid *sid; attrs[0] = attr_name; va_start(ap, format); count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap); va_end(ap); if (count > 1) { DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n", attr_name, format, count)); } if (count != 1) { talloc_free(res); return NULL; } sid = samdb_result_dom_sid(mem_ctx, res[0], attr_name); talloc_free(res); return sid; } /* search the sam for a single integer attribute in exactly 1 record */ unsigned int samdb_search_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, unsigned int default_value, struct ldb_dn *basedn, const char *attr_name, const char *format, ...) _PRINTF_ATTRIBUTE(6,7) { va_list ap; int count; struct ldb_message **res; const char *attrs[2] = { NULL, NULL }; attrs[0] = attr_name; va_start(ap, format); count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap); va_end(ap); if (count != 1) { return default_value; } return ldb_msg_find_attr_as_uint(res[0], attr_name, default_value); } /* search the sam for a single signed 64 bit integer attribute in exactly 1 record */ int64_t samdb_search_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, int64_t default_value, struct ldb_dn *basedn, const char *attr_name, const char *format, ...) _PRINTF_ATTRIBUTE(6,7) { va_list ap; int count; struct ldb_message **res; const char *attrs[2] = { NULL, NULL }; attrs[0] = attr_name; va_start(ap, format); count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap); va_end(ap); if (count != 1) { return default_value; } return ldb_msg_find_attr_as_int64(res[0], attr_name, default_value); } /* search the sam for multiple records each giving a single string attribute return the number of matches, or -1 on error */ int samdb_search_string_multiple(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *basedn, const char ***strs, const char *attr_name, const char *format, ...) _PRINTF_ATTRIBUTE(6,7) { va_list ap; int count, i; const char *attrs[2] = { NULL, NULL }; struct ldb_message **res = NULL; attrs[0] = attr_name; va_start(ap, format); count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap); va_end(ap); if (count <= 0) { return count; } /* make sure its single valued */ for (i=0;inum_elements != 1) { DEBUG(1,("samdb: search for %s %s not single valued\n", attr_name, format)); talloc_free(res); return -1; } } *strs = talloc_array(mem_ctx, const char *, count+1); if (! *strs) { talloc_free(res); return -1; } for (i=0;isub_auths[sid->num_auths-1]; talloc_free(sid); return rid; } /* pull a dom_sid structure from a objectSid in a result set. */ struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, const struct ldb_message *msg, const char *attr) { ssize_t ret; const struct ldb_val *v; struct dom_sid *sid; v = ldb_msg_find_ldb_val(msg, attr); if (v == NULL) { return NULL; } sid = talloc(mem_ctx, struct dom_sid); if (sid == NULL) { return NULL; } ret = sid_parse(v->data, v->length, sid); if (ret == -1) { talloc_free(sid); return NULL; } return sid; } /** * Makes an auth_SidAttr structure from a objectSid in a result set and a * supplied attribute value. * * @param [in] mem_ctx Talloc memory context on which to allocate the auth_SidAttr. * @param [in] msg The message from which to take the objectSid. * @param [in] attr The attribute name, usually "objectSid". * @param [in] attrs SE_GROUP_* flags to go with the SID. * @returns A pointer to the auth_SidAttr structure, or NULL on failure. */ struct auth_SidAttr *samdb_result_dom_sid_attrs(TALLOC_CTX *mem_ctx, const struct ldb_message *msg, const char *attr, uint32_t attrs) { ssize_t ret; const struct ldb_val *v; struct auth_SidAttr *sid; v = ldb_msg_find_ldb_val(msg, attr); if (v == NULL) { return NULL; } sid = talloc(mem_ctx, struct auth_SidAttr); if (sid == NULL) { return NULL; } ret = sid_parse(v->data, v->length, &sid->sid); if (ret == -1) { talloc_free(sid); return NULL; } sid->attrs = attrs; return sid; } /* pull a dom_sid structure from a objectSid in a result set. */ int samdb_result_dom_sid_buf(const struct ldb_message *msg, const char *attr, struct dom_sid *sid) { ssize_t ret; const struct ldb_val *v = NULL; v = ldb_msg_find_ldb_val(msg, attr); if (v == NULL) { return LDB_ERR_NO_SUCH_ATTRIBUTE; } ret = sid_parse(v->data, v->length, sid); if (ret == -1) { return LDB_ERR_OPERATIONS_ERROR; } return LDB_SUCCESS; } /* pull a guid structure from a objectGUID in a result set. */ struct GUID samdb_result_guid(const struct ldb_message *msg, const char *attr) { const struct ldb_val *v; struct GUID guid; NTSTATUS status; v = ldb_msg_find_ldb_val(msg, attr); if (!v) return GUID_zero(); status = GUID_from_ndr_blob(v, &guid); if (!NT_STATUS_IS_OK(status)) { return GUID_zero(); } return guid; } /* pull a sid prefix from a objectSid in a result set. this is used to find the domain sid for a user */ struct dom_sid *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, const struct ldb_message *msg, const char *attr) { struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg, attr); if (!sid || sid->num_auths < 1) return NULL; sid->num_auths--; return sid; } /* pull a NTTIME in a result set. */ NTTIME samdb_result_nttime(const struct ldb_message *msg, const char *attr, NTTIME default_value) { return ldb_msg_find_attr_as_uint64(msg, attr, default_value); } /* * Windows stores 0 for lastLogoff. * But when a MS DC return the lastLogoff (as Logoff Time) * it returns INT64_MAX, not returning this value in this case * cause windows 2008 and newer version to fail for SMB requests */ NTTIME samdb_result_last_logoff(const struct ldb_message *msg) { NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "lastLogoff",0); if (ret == 0) ret = INT64_MAX; return ret; } /* * Windows uses both 0 and 9223372036854775807 (INT64_MAX) to * indicate an account doesn't expire. * * When Windows initially creates an account, it sets * accountExpires = 9223372036854775807 (INT64_MAX). However, * when changing from an account having a specific expiration date to * that account never expiring, it sets accountExpires = 0. * * Consolidate that logic here to allow clearer logic for account expiry in * the rest of the code. */ NTTIME samdb_result_account_expires(const struct ldb_message *msg) { NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "accountExpires", 0); if (ret == 0) ret = INT64_MAX; return ret; } /* construct the allow_password_change field from the PwdLastSet attribute and the domain password settings */ NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *domain_dn, const struct ldb_message *msg, const char *attr) { uint64_t attr_time = ldb_msg_find_attr_as_uint64(msg, attr, 0); int64_t minPwdAge; if (attr_time == 0) { return 0; } minPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, "minPwdAge", NULL); /* yes, this is a -= not a += as minPwdAge is stored as the negative of the number of 100-nano-seconds */ attr_time -= minPwdAge; return attr_time; } /* pull a samr_Password structure from a result set. */ struct samr_Password *samdb_result_hash(TALLOC_CTX *mem_ctx, const struct ldb_message *msg, const char *attr) { struct samr_Password *hash = NULL; const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr); if (val && (val->length >= sizeof(hash->hash))) { hash = talloc(mem_ctx, struct samr_Password); if (hash == NULL) { return NULL; } talloc_keep_secret(hash); memcpy(hash->hash, val->data, MIN(val->length, sizeof(hash->hash))); } return hash; } /* pull an array of samr_Password structures from a result set. */ unsigned int samdb_result_hashes(TALLOC_CTX *mem_ctx, const struct ldb_message *msg, const char *attr, struct samr_Password **hashes) { unsigned int count, i; const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr); *hashes = NULL; if (!val) { return 0; } if (val->length % 16 != 0) { /* * The length is wrong. Don’t try to read beyond the end of the * buffer. */ return 0; } count = val->length / 16; if (count == 0) { return 0; } *hashes = talloc_array(mem_ctx, struct samr_Password, count); if (! *hashes) { return 0; } talloc_keep_secret(*hashes); for (i=0;idata, 16); } return count; } NTSTATUS samdb_result_passwords_from_history(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, const struct ldb_message *msg, unsigned int idx, const struct samr_Password **lm_pwd, const struct samr_Password **nt_pwd) { struct samr_Password *lmPwdHash, *ntPwdHash; if (nt_pwd) { unsigned int num_nt; num_nt = samdb_result_hashes(mem_ctx, msg, "ntPwdHistory", &ntPwdHash); if (num_nt <= idx) { *nt_pwd = NULL; } else { *nt_pwd = &ntPwdHash[idx]; } } if (lm_pwd) { /* Ensure that if we have turned off LM * authentication, that we never use the LM hash, even * if we store it */ if (lpcfg_lanman_auth(lp_ctx)) { unsigned int num_lm; num_lm = samdb_result_hashes(mem_ctx, msg, "lmPwdHistory", &lmPwdHash); if (num_lm <= idx) { *lm_pwd = NULL; } else { *lm_pwd = &lmPwdHash[idx]; } } else { *lm_pwd = NULL; } } return NT_STATUS_OK; } NTSTATUS samdb_result_passwords_no_lockout(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, const struct ldb_message *msg, struct samr_Password **nt_pwd) { struct samr_Password *ntPwdHash; if (nt_pwd) { unsigned int num_nt; num_nt = samdb_result_hashes(mem_ctx, msg, "unicodePwd", &ntPwdHash); if (num_nt == 0) { *nt_pwd = NULL; } else if (num_nt > 1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } else { *nt_pwd = &ntPwdHash[0]; } } return NT_STATUS_OK; } NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, const struct ldb_message *msg, struct samr_Password **nt_pwd) { uint16_t acct_flags; acct_flags = samdb_result_acct_flags(msg, "msDS-User-Account-Control-Computed"); /* Quit if the account was locked out. */ if (acct_flags & ACB_AUTOLOCK) { DEBUG(3,("samdb_result_passwords: Account for user %s was locked out.\n", ldb_dn_get_linearized(msg->dn))); return NT_STATUS_ACCOUNT_LOCKED_OUT; } return samdb_result_passwords_no_lockout(mem_ctx, lp_ctx, msg, nt_pwd); } /* pull a samr_LogonHours structure from a result set. */ struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr) { struct samr_LogonHours hours = {}; size_t units_per_week = 168; const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr); if (val) { units_per_week = val->length * 8; } hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week/8); if (!hours.bits) { return hours; } hours.units_per_week = units_per_week; memset(hours.bits, 0xFF, units_per_week/8); if (val) { memcpy(hours.bits, val->data, val->length); } return hours; } /* pull a set of account_flags from a result set. Naturally, this requires that userAccountControl and (if not null) the attributes 'attr' be already included in msg */ uint32_t samdb_result_acct_flags(const struct ldb_message *msg, const char *attr) { uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0); uint32_t attr_flags = 0; uint32_t acct_flags = ds_uf2acb(userAccountControl); if (attr) { attr_flags = ldb_msg_find_attr_as_uint(msg, attr, UF_ACCOUNTDISABLE); if (attr_flags == UF_ACCOUNTDISABLE) { DEBUG(0, ("Attribute %s not found, disabling account %s!\n", attr, ldb_dn_get_linearized(msg->dn))); } acct_flags |= ds_uf2acb(attr_flags); } return acct_flags; } NTSTATUS samdb_result_parameters(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr, struct lsa_BinaryString *s) { int i; const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr); ZERO_STRUCTP(s); if (!val) { return NT_STATUS_OK; } if ((val->length % 2) != 0) { /* * If the on-disk data is not even in length, we know * it is corrupt, and can not be safely pushed. We * would either truncate, send an uninitialised * byte or send a forced zero byte */ return NT_STATUS_INTERNAL_DB_CORRUPTION; } s->array = talloc_array(mem_ctx, uint16_t, val->length/2); if (!s->array) { return NT_STATUS_NO_MEMORY; } s->length = s->size = val->length; /* The on-disk format is the 'network' format, being UTF16LE (sort of) */ for (i = 0; i < s->length / 2; i++) { s->array[i] = SVAL(val->data, i * 2); } return NT_STATUS_OK; } /* Find an attribute, with a particular value */ /* The current callers of this function expect a very specific * behaviour: In particular, objectClass subclass equivalence is not * wanted. This means that we should not lookup the schema for the * comparison function */ struct ldb_message_element *samdb_find_attribute(struct ldb_context *ldb, const struct ldb_message *msg, const char *name, const char *value) { unsigned int i; struct ldb_message_element *el = ldb_msg_find_element(msg, name); if (!el) { return NULL; } for (i=0;inum_values;i++) { if (ldb_attr_cmp(value, (char *)el->values[i].data) == 0) { return el; } } return NULL; } static int samdb_find_or_add_attribute_ex(struct ldb_context *ldb, struct ldb_message *msg, const char *name, const char *set_value, unsigned attr_flags, bool *added) { int ret; struct ldb_message_element *el; SMB_ASSERT(attr_flags != 0); el = ldb_msg_find_element(msg, name); if (el) { if (added != NULL) { *added = false; } return LDB_SUCCESS; } ret = ldb_msg_add_empty(msg, name, attr_flags, &el); if (ret != LDB_SUCCESS) { return ret; } if (set_value != NULL) { ret = ldb_msg_add_string(msg, name, set_value); if (ret != LDB_SUCCESS) { return ret; } } if (added != NULL) { *added = true; } return LDB_SUCCESS; } int samdb_find_or_add_attribute(struct ldb_context *ldb, struct ldb_message *msg, const char *name, const char *set_value) { return samdb_find_or_add_attribute_ex(ldb, msg, name, set_value, LDB_FLAG_MOD_ADD, NULL); } /* add a dom_sid element to a message */ int samdb_msg_add_dom_sid(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, const struct dom_sid *sid) { struct ldb_val v; enum ndr_err_code ndr_err; ndr_err = ndr_push_struct_blob(&v, mem_ctx, sid, (ndr_push_flags_fn_t)ndr_push_dom_sid); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return ldb_operr(sam_ldb); } return ldb_msg_add_value(msg, attr_name, &v, NULL); } /* add a delete element operation to a message */ int samdb_msg_add_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name) { /* we use an empty replace rather than a delete, as it allows for dsdb_replace() to be used everywhere */ return ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_REPLACE, NULL); } /* add an add attribute value to a message or enhance an existing attribute which has the same name and the add flag set. */ int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, const char *value) { struct ldb_message_element *el; struct ldb_val val; char *v; unsigned int i; bool found = false; int ret; v = talloc_strdup(mem_ctx, value); if (v == NULL) { return ldb_oom(sam_ldb); } val.data = (uint8_t *) v; val.length = strlen(v); if (val.length == 0) { /* allow empty strings as non-existent attributes */ return LDB_SUCCESS; } for (i = 0; i < msg->num_elements; i++) { el = &msg->elements[i]; if ((ldb_attr_cmp(el->name, attr_name) == 0) && (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_ADD)) { found = true; break; } } if (!found) { ret = ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_ADD, &el); if (ret != LDB_SUCCESS) { return ret; } } ret = ldb_msg_element_add_value(msg->elements, el, &val); if (ret != LDB_SUCCESS) { return ldb_oom(sam_ldb); } return LDB_SUCCESS; } /* add a delete attribute value to a message or enhance an existing attribute which has the same name and the delete flag set. */ int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, const char *value) { struct ldb_message_element *el; struct ldb_val val; char *v; unsigned int i; bool found = false; int ret; v = talloc_strdup(mem_ctx, value); if (v == NULL) { return ldb_oom(sam_ldb); } val.data = (uint8_t *) v; val.length = strlen(v); if (val.length == 0) { /* allow empty strings as non-existent attributes */ return LDB_SUCCESS; } for (i = 0; i < msg->num_elements; i++) { el = &msg->elements[i]; if ((ldb_attr_cmp(el->name, attr_name) == 0) && (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE)) { found = true; break; } } if (!found) { ret = ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_DELETE, &el); if (ret != LDB_SUCCESS) { return ret; } } ret = ldb_msg_element_add_value(msg->elements, el, &val); if (ret != LDB_SUCCESS) { return ldb_oom(sam_ldb); } return LDB_SUCCESS; } /* add a int element to a message */ int samdb_msg_add_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, int v) { const char *s = talloc_asprintf(mem_ctx, "%d", v); if (s == NULL) { return ldb_oom(sam_ldb); } return ldb_msg_add_string(msg, attr_name, s); } int samdb_msg_add_int_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, int v, int flags) { const char *s = talloc_asprintf(mem_ctx, "%d", v); if (s == NULL) { return ldb_oom(sam_ldb); } return ldb_msg_add_string_flags(msg, attr_name, s, flags); } /* * Add an unsigned int element to a message * * The issue here is that we have not yet first cast to int32_t explicitly, * before we cast to an signed int to printf() into the %d or cast to a * int64_t before we then cast to a long long to printf into a %lld. * * There are *no* unsigned integers in Active Directory LDAP, even the RID * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities. * (See the schema, and the syntax definitions in schema_syntax.c). * */ int samdb_msg_add_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, unsigned int v) { return samdb_msg_add_int(sam_ldb, mem_ctx, msg, attr_name, (int)v); } int samdb_msg_add_uint_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, unsigned int v, int flags) { return samdb_msg_add_int_flags(sam_ldb, mem_ctx, msg, attr_name, (int)v, flags); } /* add a (signed) int64_t element to a message */ int samdb_msg_add_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, int64_t v) { const char *s = talloc_asprintf(mem_ctx, "%lld", (long long)v); if (s == NULL) { return ldb_oom(sam_ldb); } return ldb_msg_add_string(msg, attr_name, s); } /* * Add an unsigned int64_t (uint64_t) element to a message * * The issue here is that we have not yet first cast to int32_t explicitly, * before we cast to an signed int to printf() into the %d or cast to a * int64_t before we then cast to a long long to printf into a %lld. * * There are *no* unsigned integers in Active Directory LDAP, even the RID * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities. * (See the schema, and the syntax definitions in schema_syntax.c). * */ int samdb_msg_add_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, uint64_t v) { return samdb_msg_add_int64(sam_ldb, mem_ctx, msg, attr_name, (int64_t)v); } /* append a int element to a message */ int samdb_msg_append_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, int v, int flags) { const char *s = talloc_asprintf(mem_ctx, "%d", v); if (s == NULL) { return ldb_oom(sam_ldb); } return ldb_msg_append_string(msg, attr_name, s, flags); } /* * Append an unsigned int element to a message * * The issue here is that we have not yet first cast to int32_t explicitly, * before we cast to an signed int to printf() into the %d or cast to a * int64_t before we then cast to a long long to printf into a %lld. * * There are *no* unsigned integers in Active Directory LDAP, even the RID * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities. * (See the schema, and the syntax definitions in schema_syntax.c). * */ int samdb_msg_append_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, unsigned int v, int flags) { return samdb_msg_append_int(sam_ldb, mem_ctx, msg, attr_name, (int)v, flags); } /* append a (signed) int64_t element to a message */ int samdb_msg_append_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, int64_t v, int flags) { const char *s = talloc_asprintf(mem_ctx, "%lld", (long long)v); if (s == NULL) { return ldb_oom(sam_ldb); } return ldb_msg_append_string(msg, attr_name, s, flags); } /* * Append an unsigned int64_t (uint64_t) element to a message * * The issue here is that we have not yet first cast to int32_t explicitly, * before we cast to an signed int to printf() into the %d or cast to a * int64_t before we then cast to a long long to printf into a %lld. * * There are *no* unsigned integers in Active Directory LDAP, even the RID * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities. * (See the schema, and the syntax definitions in schema_syntax.c). * */ int samdb_msg_append_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, uint64_t v, int flags) { return samdb_msg_append_int64(sam_ldb, mem_ctx, msg, attr_name, (int64_t)v, flags); } /* add a samr_Password element to a message */ int samdb_msg_add_hash(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, const struct samr_Password *hash) { struct ldb_val val; val.data = talloc_memdup(mem_ctx, hash->hash, 16); if (!val.data) { return ldb_oom(sam_ldb); } val.length = 16; return ldb_msg_add_value(msg, attr_name, &val, NULL); } /* add a samr_Password array to a message */ int samdb_msg_add_hashes(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, struct samr_Password *hashes, unsigned int count) { struct ldb_val val; unsigned int i; val.data = talloc_array_size(mem_ctx, 16, count); val.length = count*16; if (!val.data) { return ldb_oom(ldb); } for (i=0;iunits_per_week / 8; val.data = hours->bits; return ldb_msg_add_value(msg, attr_name, &val, NULL); } /* add a parameters element to a message */ int samdb_msg_add_parameters(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, struct lsa_BinaryString *parameters) { int i; struct ldb_val val; if ((parameters->length % 2) != 0) { return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; } val.data = talloc_array(mem_ctx, uint8_t, parameters->length); if (val.data == NULL) { return LDB_ERR_OPERATIONS_ERROR; } val.length = parameters->length; for (i = 0; i < parameters->length / 2; i++) { /* * The on-disk format needs to be in the 'network' * format, parameters->array is a uint16_t array of * length parameters->length / 2 */ SSVAL(val.data, i * 2, parameters->array[i]); } return ldb_msg_add_steal_value(msg, attr_name, &val); } /* * Sets an unsigned int element in a message * * The issue here is that we have not yet first cast to int32_t explicitly, * before we cast to an signed int to printf() into the %d or cast to a * int64_t before we then cast to a long long to printf into a %lld. * * There are *no* unsigned integers in Active Directory LDAP, even the RID * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities. * (See the schema, and the syntax definitions in schema_syntax.c). * */ int samdb_msg_set_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr_name, unsigned int v) { struct ldb_message_element *el; el = ldb_msg_find_element(msg, attr_name); if (el) { el->num_values = 0; } return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, v); } /* * Handle ldb_request in transaction */ int dsdb_autotransaction_request(struct ldb_context *sam_ldb, struct ldb_request *req) { int ret; ret = ldb_transaction_start(sam_ldb); if (ret != LDB_SUCCESS) { return ret; } ret = ldb_request(sam_ldb, req); if (ret == LDB_SUCCESS) { ret = ldb_wait(req->handle, LDB_WAIT_ALL); } if (ret == LDB_SUCCESS) { return ldb_transaction_commit(sam_ldb); } ldb_transaction_cancel(sam_ldb); return ret; } /* return a default security descriptor */ struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ctx) { struct security_descriptor *sd; sd = security_descriptor_initialise(mem_ctx); return sd; } struct ldb_dn *samdb_aggregate_schema_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx) { struct ldb_dn *schema_dn = ldb_get_schema_basedn(sam_ctx); struct ldb_dn *aggregate_dn; if (!schema_dn) { return NULL; } aggregate_dn = ldb_dn_copy(mem_ctx, schema_dn); if (!aggregate_dn) { return NULL; } if (!ldb_dn_add_child_fmt(aggregate_dn, "CN=Aggregate")) { return NULL; } return aggregate_dn; } struct ldb_dn *samdb_partitions_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx) { struct ldb_dn *new_dn; new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx)); if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Partitions")) { talloc_free(new_dn); return NULL; } return new_dn; } struct ldb_dn *samdb_infrastructure_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx) { struct ldb_dn *new_dn; new_dn = ldb_dn_copy(mem_ctx, ldb_get_default_basedn(sam_ctx)); if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Infrastructure")) { talloc_free(new_dn); return NULL; } return new_dn; } struct ldb_dn *samdb_system_container_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx) { struct ldb_dn *new_dn = NULL; bool ok; new_dn = ldb_dn_copy(mem_ctx, ldb_get_default_basedn(sam_ctx)); if (new_dn == NULL) { return NULL; } ok = ldb_dn_add_child_fmt(new_dn, "CN=System"); if (!ok) { TALLOC_FREE(new_dn); return NULL; } return new_dn; } struct ldb_dn *samdb_sites_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx) { struct ldb_dn *new_dn; new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx)); if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Sites")) { talloc_free(new_dn); return NULL; } return new_dn; } struct ldb_dn *samdb_extended_rights_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx) { struct ldb_dn *new_dn; new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx)); if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Extended-Rights")) { talloc_free(new_dn); return NULL; } return new_dn; } static struct ldb_dn *samdb_configuration_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, const char *dn_str) { struct ldb_dn *config_dn = NULL; struct ldb_dn *child_dn = NULL; bool ok; config_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx)); if (config_dn == NULL) { return NULL; } child_dn = ldb_dn_new(mem_ctx, sam_ctx, dn_str); if (child_dn == NULL) { talloc_free(config_dn); return NULL; } ok = ldb_dn_add_child(config_dn, child_dn); talloc_free(child_dn); if (!ok) { talloc_free(config_dn); return NULL; } return config_dn; } struct ldb_dn *samdb_gkdi_root_key_container_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx) { /* * [MS-GKDI] says the root key container is to be found in “CN=Sid Key * Service,CN=Services”, but that is not correct. */ return samdb_configuration_dn(sam_ctx, mem_ctx, "CN=Master Root Keys," "CN=Group Key Distribution Service," "CN=Services"); } struct ldb_dn *samdb_gkdi_root_key_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, const struct GUID *root_key_id) { struct ldb_dn *root_key_dn = NULL; struct ldb_dn *child_dn = NULL; struct GUID_txt_buf guid_buf; char *root_key_id_string = NULL; bool ok; root_key_id_string = GUID_buf_string(root_key_id, &guid_buf); if (root_key_id_string == NULL) { return NULL; } root_key_dn = samdb_gkdi_root_key_container_dn(sam_ctx, mem_ctx); if (root_key_dn == NULL) { return NULL; } child_dn = ldb_dn_new_fmt(mem_ctx, sam_ctx, "CN=%s", root_key_id_string); if (child_dn == NULL) { talloc_free(root_key_dn); return NULL; } ok = ldb_dn_add_child(root_key_dn, child_dn); talloc_free(child_dn); if (!ok) { talloc_free(root_key_dn); return NULL; } return root_key_dn; } /* work out the domain sid for the current open ldb */ const struct dom_sid *samdb_domain_sid(struct ldb_context *ldb) { TALLOC_CTX *tmp_ctx; const struct dom_sid *domain_sid; const char *attrs[] = { "objectSid", NULL }; struct ldb_result *res; int ret; /* see if we have a cached copy */ domain_sid = (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid"); if (domain_sid) { return domain_sid; } tmp_ctx = talloc_new(ldb); if (tmp_ctx == NULL) { goto failed; } ret = ldb_search(ldb, tmp_ctx, &res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, attrs, "objectSid=*"); if (ret != LDB_SUCCESS) { goto failed; } if (res->count != 1) { goto failed; } domain_sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid"); if (domain_sid == NULL) { goto failed; } /* cache the domain_sid in the ldb */ if (ldb_set_opaque(ldb, "cache.domain_sid", discard_const_p(struct dom_sid, domain_sid)) != LDB_SUCCESS) { goto failed; } talloc_steal(ldb, domain_sid); talloc_free(tmp_ctx); return domain_sid; failed: talloc_free(tmp_ctx); return NULL; } /* get domain sid from cache */ const struct dom_sid *samdb_domain_sid_cache_only(struct ldb_context *ldb) { return (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid"); } bool samdb_set_domain_sid(struct ldb_context *ldb, const struct dom_sid *dom_sid_in) { TALLOC_CTX *tmp_ctx; struct dom_sid *dom_sid_new; struct dom_sid *dom_sid_old; /* see if we have a cached copy */ dom_sid_old = talloc_get_type(ldb_get_opaque(ldb, "cache.domain_sid"), struct dom_sid); tmp_ctx = talloc_new(ldb); if (tmp_ctx == NULL) { goto failed; } dom_sid_new = dom_sid_dup(tmp_ctx, dom_sid_in); if (!dom_sid_new) { goto failed; } /* cache the domain_sid in the ldb */ if (ldb_set_opaque(ldb, "cache.domain_sid", dom_sid_new) != LDB_SUCCESS) { goto failed; } talloc_steal(ldb, dom_sid_new); talloc_free(tmp_ctx); talloc_free(dom_sid_old); return true; failed: DEBUG(1,("Failed to set our own cached domain SID in the ldb!\n")); talloc_free(tmp_ctx); return false; } /* work out the domain guid for the current open ldb */ const struct GUID *samdb_domain_guid(struct ldb_context *ldb) { TALLOC_CTX *tmp_ctx = NULL; struct GUID *domain_guid = NULL; const char *attrs[] = { "objectGUID", NULL }; struct ldb_result *res = NULL; int ret; /* see if we have a cached copy */ domain_guid = (struct GUID *)ldb_get_opaque(ldb, "cache.domain_guid"); if (domain_guid) { return domain_guid; } tmp_ctx = talloc_new(ldb); if (tmp_ctx == NULL) { goto failed; } ret = ldb_search(ldb, tmp_ctx, &res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, attrs, "objectGUID=*"); if (ret != LDB_SUCCESS) { goto failed; } if (res->count != 1) { goto failed; } domain_guid = talloc(tmp_ctx, struct GUID); if (domain_guid == NULL) { goto failed; } *domain_guid = samdb_result_guid(res->msgs[0], "objectGUID"); /* cache the domain_sid in the ldb */ if (ldb_set_opaque(ldb, "cache.domain_guid", domain_guid) != LDB_SUCCESS) { goto failed; } talloc_steal(ldb, domain_guid); talloc_free(tmp_ctx); return domain_guid; failed: talloc_free(tmp_ctx); return NULL; } bool samdb_set_ntds_settings_dn(struct ldb_context *ldb, struct ldb_dn *ntds_settings_dn_in) { TALLOC_CTX *tmp_ctx; struct ldb_dn *ntds_settings_dn_new; struct ldb_dn *ntds_settings_dn_old; /* see if we have a forced copy from provision */ ntds_settings_dn_old = talloc_get_type(ldb_get_opaque(ldb, "forced.ntds_settings_dn"), struct ldb_dn); tmp_ctx = talloc_new(ldb); if (tmp_ctx == NULL) { goto failed; } ntds_settings_dn_new = ldb_dn_copy(tmp_ctx, ntds_settings_dn_in); if (!ntds_settings_dn_new) { goto failed; } /* set the DN in the ldb to avoid lookups during provision */ if (ldb_set_opaque(ldb, "forced.ntds_settings_dn", ntds_settings_dn_new) != LDB_SUCCESS) { goto failed; } talloc_steal(ldb, ntds_settings_dn_new); talloc_free(tmp_ctx); talloc_free(ntds_settings_dn_old); return true; failed: DEBUG(1,("Failed to set our NTDS Settings DN in the ldb!\n")); talloc_free(tmp_ctx); return false; } /* work out the ntds settings dn for the current open ldb */ struct ldb_dn *samdb_ntds_settings_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx) { TALLOC_CTX *tmp_ctx; const char *root_attrs[] = { "dsServiceName", NULL }; int ret; struct ldb_result *root_res; struct ldb_dn *settings_dn; /* see if we have a cached copy */ settings_dn = (struct ldb_dn *)ldb_get_opaque(ldb, "forced.ntds_settings_dn"); if (settings_dn) { return ldb_dn_copy(mem_ctx, settings_dn); } tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) { goto failed; } ret = ldb_search(ldb, tmp_ctx, &root_res, ldb_dn_new(tmp_ctx, ldb, ""), LDB_SCOPE_BASE, root_attrs, NULL); if (ret != LDB_SUCCESS) { DEBUG(1,("Searching for dsServiceName in rootDSE failed: %s\n", ldb_errstring(ldb))); goto failed; } if (root_res->count != 1) { goto failed; } settings_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, root_res->msgs[0], "dsServiceName"); /* note that we do not cache the DN here, as that would mean * we could not handle server renames at runtime. Only * provision sets up forced.ntds_settings_dn */ talloc_steal(mem_ctx, settings_dn); talloc_free(tmp_ctx); return settings_dn; failed: DEBUG(1,("Failed to find our own NTDS Settings DN in the ldb!\n")); talloc_free(tmp_ctx); return NULL; } /* work out the ntds settings invocationID/objectGUID for the current open ldb */ static const struct GUID *samdb_ntds_GUID(struct ldb_context *ldb, const char *attribute, const char *cache_name) { TALLOC_CTX *tmp_ctx; const char *attrs[] = { attribute, NULL }; int ret; struct ldb_result *res; struct GUID *ntds_guid; struct ldb_dn *ntds_settings_dn = NULL; const char *errstr = NULL; /* see if we have a cached copy */ ntds_guid = (struct GUID *)ldb_get_opaque(ldb, cache_name); if (ntds_guid != NULL) { return ntds_guid; } tmp_ctx = talloc_new(ldb); if (tmp_ctx == NULL) { goto failed; } ntds_settings_dn = samdb_ntds_settings_dn(ldb, tmp_ctx); if (ntds_settings_dn == NULL) { errstr = "samdb_ntds_settings_dn() returned NULL"; goto failed; } ret = ldb_search(ldb, tmp_ctx, &res, ntds_settings_dn, LDB_SCOPE_BASE, attrs, NULL); if (ret) { errstr = ldb_errstring(ldb); goto failed; } if (res->count != 1) { errstr = "incorrect number of results from base search"; goto failed; } ntds_guid = talloc(tmp_ctx, struct GUID); if (ntds_guid == NULL) { goto failed; } *ntds_guid = samdb_result_guid(res->msgs[0], attribute); if (GUID_all_zero(ntds_guid)) { if (ldb_msg_find_ldb_val(res->msgs[0], attribute)) { errstr = "failed to find the GUID attribute"; } else { errstr = "failed to parse the GUID"; } goto failed; } /* cache the domain_sid in the ldb */ if (ldb_set_opaque(ldb, cache_name, ntds_guid) != LDB_SUCCESS) { errstr = "ldb_set_opaque() failed"; goto failed; } talloc_steal(ldb, ntds_guid); talloc_free(tmp_ctx); return ntds_guid; failed: DBG_WARNING("Failed to find our own NTDS Settings %s in the ldb: %s!\n", attribute, errstr); talloc_free(tmp_ctx); return NULL; } /* work out the ntds settings objectGUID for the current open ldb */ const struct GUID *samdb_ntds_objectGUID(struct ldb_context *ldb) { return samdb_ntds_GUID(ldb, "objectGUID", "cache.ntds_guid"); } /* work out the ntds settings invocationId for the current open ldb */ const struct GUID *samdb_ntds_invocation_id(struct ldb_context *ldb) { return samdb_ntds_GUID(ldb, "invocationId", "cache.invocation_id"); } static bool samdb_set_ntds_GUID(struct ldb_context *ldb, const struct GUID *ntds_guid_in, const char *attribute, const char *cache_name) { TALLOC_CTX *tmp_ctx; struct GUID *ntds_guid_new; struct GUID *ntds_guid_old; /* see if we have a cached copy */ ntds_guid_old = (struct GUID *)ldb_get_opaque(ldb, cache_name); tmp_ctx = talloc_new(ldb); if (tmp_ctx == NULL) { goto failed; } ntds_guid_new = talloc(tmp_ctx, struct GUID); if (!ntds_guid_new) { goto failed; } *ntds_guid_new = *ntds_guid_in; /* cache the domain_sid in the ldb */ if (ldb_set_opaque(ldb, cache_name, ntds_guid_new) != LDB_SUCCESS) { goto failed; } talloc_steal(ldb, ntds_guid_new); talloc_free(tmp_ctx); talloc_free(ntds_guid_old); return true; failed: DBG_WARNING("Failed to set our own cached %s in the ldb!\n", attribute); talloc_free(tmp_ctx); return false; } bool samdb_set_ntds_objectGUID(struct ldb_context *ldb, const struct GUID *ntds_guid_in) { return samdb_set_ntds_GUID(ldb, ntds_guid_in, "objectGUID", "cache.ntds_guid"); } bool samdb_set_ntds_invocation_id(struct ldb_context *ldb, const struct GUID *invocation_id_in) { return samdb_set_ntds_GUID(ldb, invocation_id_in, "invocationId", "cache.invocation_id"); } /* work out the server dn for the current open ldb */ struct ldb_dn *samdb_server_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx) { TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); struct ldb_dn *dn; if (!tmp_ctx) { return NULL; } dn = ldb_dn_get_parent(mem_ctx, samdb_ntds_settings_dn(ldb, tmp_ctx)); talloc_free(tmp_ctx); return dn; } /* work out the server dn for the current open ldb */ struct ldb_dn *samdb_server_site_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx) { struct ldb_dn *server_dn; struct ldb_dn *servers_dn; struct ldb_dn *server_site_dn; /* TODO: there must be a saner way to do this!! */ server_dn = samdb_server_dn(ldb, mem_ctx); if (!server_dn) return NULL; servers_dn = ldb_dn_get_parent(mem_ctx, server_dn); talloc_free(server_dn); if (!servers_dn) return NULL; server_site_dn = ldb_dn_get_parent(mem_ctx, servers_dn); talloc_free(servers_dn); return server_site_dn; } /* find the site name from a computers DN record */ int samdb_find_site_for_computer(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *computer_dn, const char **site_name) { int ret; struct ldb_dn *dn; const struct ldb_val *rdn_val; *site_name = NULL; ret = samdb_reference_dn(ldb, mem_ctx, computer_dn, "serverReferenceBL", &dn); if (ret != LDB_SUCCESS) { return ret; } if (!ldb_dn_remove_child_components(dn, 2)) { talloc_free(dn); return LDB_ERR_INVALID_DN_SYNTAX; } rdn_val = ldb_dn_get_rdn_val(dn); if (rdn_val == NULL) { return LDB_ERR_OPERATIONS_ERROR; } (*site_name) = talloc_strndup(mem_ctx, (const char *)rdn_val->data, rdn_val->length); talloc_free(dn); if (!*site_name) { return LDB_ERR_OPERATIONS_ERROR; } return LDB_SUCCESS; } /* find the NTDS GUID from a computers DN record */ int samdb_find_ntdsguid_for_computer(struct ldb_context *ldb, struct ldb_dn *computer_dn, struct GUID *ntds_guid) { int ret; struct ldb_dn *dn; *ntds_guid = GUID_zero(); ret = samdb_reference_dn(ldb, ldb, computer_dn, "serverReferenceBL", &dn); if (ret != LDB_SUCCESS) { return ret; } if (!ldb_dn_add_child_fmt(dn, "CN=NTDS Settings")) { talloc_free(dn); return LDB_ERR_OPERATIONS_ERROR; } ret = dsdb_find_guid_by_dn(ldb, dn, ntds_guid); talloc_free(dn); return ret; } /* find a 'reference' DN that points at another object (eg. serverReference, rIDManagerReference etc) */ int samdb_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *base, const char *attribute, struct ldb_dn **dn) { const char *attrs[2]; struct ldb_result *res; int ret; attrs[0] = attribute; attrs[1] = NULL; ret = dsdb_search(ldb, mem_ctx, &res, base, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_ONE_ONLY|DSDB_SEARCH_SHOW_EXTENDED_DN, NULL); if (ret != LDB_SUCCESS) { ldb_asprintf_errstring(ldb, "Cannot find DN %s to get attribute %s for reference dn: %s", ldb_dn_get_linearized(base), attribute, ldb_errstring(ldb)); return ret; } *dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0], attribute); if (!*dn) { if (!ldb_msg_find_element(res->msgs[0], attribute)) { ldb_asprintf_errstring(ldb, "Cannot find attribute %s of %s to calculate reference dn", attribute, ldb_dn_get_linearized(base)); } else { ldb_asprintf_errstring(ldb, "Cannot interpret attribute %s of %s as a dn", attribute, ldb_dn_get_linearized(base)); } talloc_free(res); return LDB_ERR_NO_SUCH_ATTRIBUTE; } talloc_free(res); return LDB_SUCCESS; } /* find if a DN (must have GUID component!) is our ntdsDsa */ int samdb_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *dn, bool *is_ntdsa) { NTSTATUS status; struct GUID dn_guid; const struct GUID *our_ntds_guid; status = dsdb_get_extended_dn_guid(dn, &dn_guid, "GUID"); if (!NT_STATUS_IS_OK(status)) { return LDB_ERR_OPERATIONS_ERROR; } our_ntds_guid = samdb_ntds_objectGUID(ldb); if (!our_ntds_guid) { DEBUG(0, ("Failed to find our NTDS Settings GUID for comparison with %s - %s\n", ldb_dn_get_linearized(dn), ldb_errstring(ldb))); return LDB_ERR_OPERATIONS_ERROR; } *is_ntdsa = GUID_equal(&dn_guid, our_ntds_guid); return LDB_SUCCESS; } /* find a 'reference' DN that points at another object and indicate if it is our ntdsDsa */ int samdb_reference_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *base, const char *attribute, bool *is_ntdsa) { int ret; struct ldb_dn *referenced_dn; TALLOC_CTX *tmp_ctx = talloc_new(ldb); if (tmp_ctx == NULL) { return LDB_ERR_OPERATIONS_ERROR; } ret = samdb_reference_dn(ldb, tmp_ctx, base, attribute, &referenced_dn); if (ret != LDB_SUCCESS) { DEBUG(0, ("Failed to find object %s for attribute %s - %s\n", ldb_dn_get_linearized(base), attribute, ldb_errstring(ldb))); return ret; } ret = samdb_dn_is_our_ntdsa(ldb, referenced_dn, is_ntdsa); talloc_free(tmp_ctx); return ret; } /* find our machine account via the serverReference attribute in the server DN */ int samdb_server_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn) { struct ldb_dn *server_dn; int ret; server_dn = samdb_server_dn(ldb, mem_ctx); if (server_dn == NULL) { return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__); } ret = samdb_reference_dn(ldb, mem_ctx, server_dn, "serverReference", dn); talloc_free(server_dn); return ret; } /* find the RID Manager$ DN via the rIDManagerReference attribute in the base DN */ int samdb_rid_manager_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn) { return samdb_reference_dn(ldb, mem_ctx, ldb_get_default_basedn(ldb), "rIDManagerReference", dn); } /* find the RID Set DN via the rIDSetReferences attribute in our machine account DN */ int samdb_rid_set_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn) { struct ldb_dn *server_ref_dn = NULL; int ret; ret = samdb_server_reference_dn(ldb, mem_ctx, &server_ref_dn); if (ret != LDB_SUCCESS) { return ret; } ret = samdb_reference_dn(ldb, mem_ctx, server_ref_dn, "rIDSetReferences", dn); talloc_free(server_ref_dn); return ret; } const char *samdb_server_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx) { const struct ldb_val *val = ldb_dn_get_rdn_val(samdb_server_site_dn(ldb, mem_ctx)); if (val == NULL) { return NULL; } return (const char *) val->data; } /* * Finds the client site by using the client's IP address. * The "subnet_name" returns the name of the subnet if parameter != NULL * * Has a Windows-based fallback to provide the only site available, or an empty * string if there are multiple sites. */ const char *samdb_client_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const char *ip_address, char **subnet_name, bool fallback) { const char *attrs[] = { "cn", "siteObject", NULL }; struct ldb_dn *sites_container_dn = NULL; struct ldb_dn *subnets_dn = NULL; struct ldb_dn *sites_dn = NULL; struct ldb_result *res = NULL; const struct ldb_val *val = NULL; const char *site_name = NULL; const char *l_subnet_name = NULL; const char *allow_list[2] = { NULL, NULL }; unsigned int i, count; int ret; /* * if we don't have a client ip e.g. ncalrpc * the server site is the client site */ if (ip_address == NULL) { return samdb_server_site_name(ldb, mem_ctx); } sites_container_dn = samdb_sites_dn(ldb, mem_ctx); if (sites_container_dn == NULL) { goto exit; } subnets_dn = ldb_dn_copy(mem_ctx, sites_container_dn); if ( ! ldb_dn_add_child_fmt(subnets_dn, "CN=Subnets")) { goto exit; } ret = ldb_search(ldb, mem_ctx, &res, subnets_dn, LDB_SCOPE_ONELEVEL, attrs, NULL); if (ret == LDB_ERR_NO_SUCH_OBJECT) { count = 0; } else if (ret != LDB_SUCCESS) { goto exit; } else { count = res->count; } for (i = 0; i < count; i++) { l_subnet_name = ldb_msg_find_attr_as_string(res->msgs[i], "cn", NULL); allow_list[0] = l_subnet_name; if (allow_access_nolog(NULL, allow_list, "", ip_address)) { sites_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[i], "siteObject"); if (sites_dn == NULL) { /* No reference, maybe another subnet matches */ continue; } /* "val" cannot be NULL here since "sites_dn" != NULL */ val = ldb_dn_get_rdn_val(sites_dn); site_name = talloc_strdup(mem_ctx, (const char *) val->data); TALLOC_FREE(sites_dn); break; } } if (site_name == NULL && fallback) { /* This is the Windows Server fallback rule: when no subnet * exists and we have only one site available then use it (it * is for sure the same as our server site). If more sites do * exist then we don't know which one to use and set the site * name to "". */ size_t cnt = 0; ret = dsdb_domain_count( ldb, &cnt, sites_container_dn, NULL, LDB_SCOPE_SUBTREE, "(objectClass=site)"); if (ret != LDB_SUCCESS) { goto exit; } if (cnt == 1) { site_name = samdb_server_site_name(ldb, mem_ctx); } else { site_name = talloc_strdup(mem_ctx, ""); } l_subnet_name = NULL; } if (subnet_name != NULL) { *subnet_name = talloc_strdup(mem_ctx, l_subnet_name); } exit: TALLOC_FREE(sites_container_dn); TALLOC_FREE(subnets_dn); TALLOC_FREE(res); return site_name; } /* work out if we are the PDC for the domain of the current open ldb */ bool samdb_is_pdc(struct ldb_context *ldb) { int ret; bool is_pdc; ret = samdb_reference_dn_is_our_ntdsa(ldb, ldb_get_default_basedn(ldb), "fsmoRoleOwner", &is_pdc); if (ret != LDB_SUCCESS) { DEBUG(1,("Failed to find if we are the PDC for this ldb: Searching for fSMORoleOwner in %s failed: %s\n", ldb_dn_get_linearized(ldb_get_default_basedn(ldb)), ldb_errstring(ldb))); return false; } return is_pdc; } /* work out if we are a Global Catalog server for the domain of the current open ldb */ bool samdb_is_gc(struct ldb_context *ldb) { uint32_t options = 0; if (samdb_ntds_options(ldb, &options) != LDB_SUCCESS) { return false; } return (options & DS_NTDSDSA_OPT_IS_GC) != 0; } /* Find a domain object in the parents of a particular DN. */ int samdb_search_for_parent_domain(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn, struct ldb_dn **parent_dn, const char **errstring) { TALLOC_CTX *local_ctx; struct ldb_dn *sdn = dn; struct ldb_result *res = NULL; int ret = LDB_SUCCESS; const char *attrs[] = { NULL }; local_ctx = talloc_new(mem_ctx); if (local_ctx == NULL) return ldb_oom(ldb); while ((sdn = ldb_dn_get_parent(local_ctx, sdn))) { ret = ldb_search(ldb, local_ctx, &res, sdn, LDB_SCOPE_BASE, attrs, "(|(objectClass=domain)(objectClass=builtinDomain))"); if (ret == LDB_SUCCESS) { if (res->count == 1) { break; } } else { break; } } if (ret != LDB_SUCCESS) { *errstring = talloc_asprintf(mem_ctx, "Error searching for parent domain of %s, failed searching for %s: %s", ldb_dn_get_linearized(dn), ldb_dn_get_linearized(sdn), ldb_errstring(ldb)); talloc_free(local_ctx); return ret; } /* should never be true with 'ret=LDB_SUCCESS', here to satisfy clang */ if (res == NULL) { talloc_free(local_ctx); return LDB_ERR_OTHER; } if (res->count != 1) { *errstring = talloc_asprintf(mem_ctx, "Invalid dn (%s), not child of a domain object", ldb_dn_get_linearized(dn)); DEBUG(0,(__location__ ": %s\n", *errstring)); talloc_free(local_ctx); return LDB_ERR_CONSTRAINT_VIOLATION; } *parent_dn = talloc_steal(mem_ctx, res->msgs[0]->dn); talloc_free(local_ctx); return ret; } static void pwd_timeout_debug(struct tevent_context *unused1, struct tevent_timer *unused2, struct timeval unused3, void *unused4) { DEBUG(0, ("WARNING: check_password_complexity: password script " "took more than 1 second to run\n")); } /* * Performs checks on a user password (plaintext UNIX format - attribute * "password"). The remaining parameters have to be extracted from the domain * object in the AD. * * Result codes from "enum samr_ValidationStatus" (consider "samr.idl") */ enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, const char *account_name, const char *user_principal_name, const char *full_name, const DATA_BLOB *utf8_blob, const uint32_t pwdProperties, const uint32_t minPwdLength) { const struct loadparm_substitution *lp_sub = lpcfg_noop_substitution(); char *password_script = NULL; const char *utf8_pw = (const char *)utf8_blob->data; /* * This looks strange because it is. * * The check for the number of characters in the password * should clearly not be against the byte length, or else a * single UTF8 character would count for more than one. * * We have chosen to use the number of 16-bit units that the * password encodes to as the measure of length. This is not * the same as the number of codepoints, if a password * contains a character beyond the Basic Multilingual Plane * (above 65535) it will count for more than one "character". */ size_t password_characters_roughly = strlen_m(utf8_pw); /* checks if the "minPwdLength" property is satisfied */ if (minPwdLength > password_characters_roughly) { return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT; } /* We might not be asked to check the password complexity */ if (!(pwdProperties & DOMAIN_PASSWORD_COMPLEX)) { return SAMR_VALIDATION_STATUS_SUCCESS; } if (password_characters_roughly == 0) { return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH; } password_script = lpcfg_check_password_script(lp_ctx, lp_sub, mem_ctx); if (password_script != NULL && *password_script != '\0') { int check_ret = 0; int error = 0; ssize_t nwritten = 0; struct tevent_context *event_ctx = NULL; struct tevent_req *req = NULL; int cps_stdin = -1; const char * const cmd[4] = { "/bin/sh", "-c", password_script, NULL }; event_ctx = tevent_context_init(mem_ctx); if (event_ctx == NULL) { TALLOC_FREE(password_script); return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR; } /* Gives a warning after 1 second, terminates after 10 */ tevent_add_timer(event_ctx, event_ctx, tevent_timeval_current_ofs(1, 0), pwd_timeout_debug, NULL); check_ret = setenv("SAMBA_CPS_ACCOUNT_NAME", account_name, 1); if (check_ret != 0) { TALLOC_FREE(password_script); TALLOC_FREE(event_ctx); return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR; } if (user_principal_name != NULL) { check_ret = setenv("SAMBA_CPS_USER_PRINCIPAL_NAME", user_principal_name, 1); } else { unsetenv("SAMBA_CPS_USER_PRINCIPAL_NAME"); } if (check_ret != 0) { TALLOC_FREE(password_script); TALLOC_FREE(event_ctx); return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR; } if (full_name != NULL) { check_ret = setenv("SAMBA_CPS_FULL_NAME", full_name, 1); } else { unsetenv("SAMBA_CPS_FULL_NAME"); } if (check_ret != 0) { TALLOC_FREE(password_script); TALLOC_FREE(event_ctx); return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR; } req = samba_runcmd_send(event_ctx, event_ctx, tevent_timeval_current_ofs(10, 0), 100, 100, cmd, NULL); unsetenv("SAMBA_CPS_ACCOUNT_NAME"); unsetenv("SAMBA_CPS_USER_PRINCIPAL_NAME"); unsetenv("SAMBA_CPS_FULL_NAME"); if (req == NULL) { TALLOC_FREE(password_script); TALLOC_FREE(event_ctx); return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR; } cps_stdin = samba_runcmd_export_stdin(req); nwritten = write_data( cps_stdin, utf8_blob->data, utf8_blob->length); if (nwritten == -1) { close(cps_stdin); TALLOC_FREE(password_script); TALLOC_FREE(event_ctx); return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR; } close(cps_stdin); if (!tevent_req_poll(req, event_ctx)) { TALLOC_FREE(password_script); TALLOC_FREE(event_ctx); return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR; } check_ret = samba_runcmd_recv(req, &error); TALLOC_FREE(event_ctx); if (error == ETIMEDOUT) { DEBUG(0, ("check_password_complexity: check password script took too long!\n")); TALLOC_FREE(password_script); return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR; } DEBUG(5,("check_password_complexity: check password script (%s) " "returned [%d]\n", password_script, check_ret)); if (check_ret != 0) { DEBUG(1,("check_password_complexity: " "check password script said new password is not good " "enough!\n")); TALLOC_FREE(password_script); return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH; } TALLOC_FREE(password_script); return SAMR_VALIDATION_STATUS_SUCCESS; } TALLOC_FREE(password_script); /* * Here are the standard AD password quality rules, which we * run after the script. */ if (!check_password_quality(utf8_pw)) { return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH; } return SAMR_VALIDATION_STATUS_SUCCESS; } /* * Callback for "samdb_set_password" password change */ int samdb_set_password_callback(struct ldb_request *req, struct ldb_reply *ares) { int ret; if (!ares) { return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR); } if (ares->error != LDB_SUCCESS) { ret = ares->error; req->context = talloc_steal(req, ldb_reply_get_control(ares, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID)); talloc_free(ares); return ldb_request_done(req, ret); } if (ares->type != LDB_REPLY_DONE) { talloc_free(ares); return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR); } req->context = talloc_steal(req, ldb_reply_get_control(ares, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID)); talloc_free(ares); return ldb_request_done(req, LDB_SUCCESS); } /* * Sets the user password using plaintext UTF16 (attribute "new_password") or * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass * the old LM and/or NT hash (attributes "lmOldHash"/"ntOldHash") if it is a * user change or not. The "rejectReason" gives some more information if the * change failed. * * Results: NT_STATUS_OK, NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL, * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION, * NT_STATUS_ACCESS_DENIED, NT_STATUS_ACCOUNT_LOCKED_OUT, NT_STATUS_NO_MEMORY */ static NTSTATUS samdb_set_password_internal(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *user_dn, struct ldb_dn *domain_dn, const DATA_BLOB *new_password, const struct samr_Password *ntNewHash, enum dsdb_password_checked old_password_checked, enum samPwdChangeReason *reject_reason, struct samr_DomInfo1 **_dominfo, bool permit_interdomain_trust) { struct ldb_message *msg; struct ldb_message_element *el; struct ldb_request *req; struct dsdb_control_password_change_status *pwd_stat = NULL; int ret; bool hash_values = false; NTSTATUS status = NT_STATUS_OK; #define CHECK_RET(x) \ if (x != LDB_SUCCESS) { \ talloc_free(msg); \ return NT_STATUS_NO_MEMORY; \ } msg = ldb_msg_new(mem_ctx); if (msg == NULL) { return NT_STATUS_NO_MEMORY; } msg->dn = user_dn; if ((new_password != NULL) && ((ntNewHash == NULL))) { /* we have the password as plaintext UTF16 */ CHECK_RET(ldb_msg_add_value(msg, "clearTextPassword", new_password, NULL)); el = ldb_msg_find_element(msg, "clearTextPassword"); el->flags = LDB_FLAG_MOD_REPLACE; } else if ((new_password == NULL) && ((ntNewHash != NULL))) { /* we have a password as NT hash */ if (ntNewHash != NULL) { CHECK_RET(samdb_msg_add_hash(ldb, msg, msg, "unicodePwd", ntNewHash)); el = ldb_msg_find_element(msg, "unicodePwd"); el->flags = LDB_FLAG_MOD_REPLACE; } hash_values = true; } else { /* the password wasn't specified correctly */ talloc_free(msg); return NT_STATUS_INVALID_PARAMETER; } #undef CHECK_RET /* build modify request */ ret = ldb_build_mod_req(&req, ldb, mem_ctx, msg, NULL, NULL, samdb_set_password_callback, NULL); if (ret != LDB_SUCCESS) { talloc_free(msg); return NT_STATUS_NO_MEMORY; } /* A password change operation */ if (old_password_checked == DSDB_PASSWORD_CHECKED_AND_CORRECT) { struct dsdb_control_password_change *change; change = talloc(req, struct dsdb_control_password_change); if (change == NULL) { talloc_free(req); talloc_free(msg); return NT_STATUS_NO_MEMORY; } change->old_password_checked = old_password_checked; ret = ldb_request_add_control(req, DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID, true, change); if (ret != LDB_SUCCESS) { talloc_free(req); talloc_free(msg); return NT_STATUS_NO_MEMORY; } } if (hash_values) { ret = ldb_request_add_control(req, DSDB_CONTROL_PASSWORD_HASH_VALUES_OID, true, NULL); if (ret != LDB_SUCCESS) { talloc_free(req); talloc_free(msg); return NT_STATUS_NO_MEMORY; } } if (permit_interdomain_trust) { ret = ldb_request_add_control(req, DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID, false, NULL); if (ret != LDB_SUCCESS) { talloc_free(req); talloc_free(msg); return NT_STATUS_NO_MEMORY; } } ret = ldb_request_add_control(req, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID, true, NULL); if (ret != LDB_SUCCESS) { talloc_free(req); talloc_free(msg); return NT_STATUS_NO_MEMORY; } ret = ldb_request(ldb, req); if (ret == LDB_SUCCESS) { ret = ldb_wait(req->handle, LDB_WAIT_ALL); } if (req->context != NULL) { struct ldb_control *control = talloc_get_type_abort(req->context, struct ldb_control); pwd_stat = talloc_get_type_abort(control->data, struct dsdb_control_password_change_status); talloc_steal(mem_ctx, pwd_stat); } talloc_free(req); talloc_free(msg); /* Sets the domain info (if requested) */ if (_dominfo != NULL) { struct samr_DomInfo1 *dominfo; dominfo = talloc_zero(mem_ctx, struct samr_DomInfo1); if (dominfo == NULL) { return NT_STATUS_NO_MEMORY; } if (pwd_stat != NULL) { dominfo->min_password_length = pwd_stat->domain_data.minPwdLength; dominfo->password_properties = pwd_stat->domain_data.pwdProperties; dominfo->password_history_length = pwd_stat->domain_data.pwdHistoryLength; dominfo->max_password_age = pwd_stat->domain_data.maxPwdAge; dominfo->min_password_age = pwd_stat->domain_data.minPwdAge; } *_dominfo = dominfo; } if (reject_reason != NULL) { if (pwd_stat != NULL) { *reject_reason = pwd_stat->reject_reason; } else { *reject_reason = SAM_PWD_CHANGE_NO_ERROR; } } if (pwd_stat != NULL) { talloc_free(pwd_stat); } if (ret == LDB_ERR_CONSTRAINT_VIOLATION) { const char *errmsg = ldb_errstring(ldb); char *endptr = NULL; WERROR werr = WERR_GEN_FAILURE; status = NT_STATUS_UNSUCCESSFUL; if (errmsg != NULL) { werr = W_ERROR(strtol(errmsg, &endptr, 16)); DBG_WARNING("%s\n", errmsg); } if (endptr != errmsg) { if (W_ERROR_EQUAL(werr, WERR_INVALID_PASSWORD)) { status = NT_STATUS_WRONG_PASSWORD; } if (W_ERROR_EQUAL(werr, WERR_PASSWORD_RESTRICTION)) { status = NT_STATUS_PASSWORD_RESTRICTION; } if (W_ERROR_EQUAL(werr, WERR_ACCOUNT_LOCKED_OUT)) { status = NT_STATUS_ACCOUNT_LOCKED_OUT; } } } else if (ret == LDB_ERR_NO_SUCH_OBJECT) { /* don't let the caller know if an account doesn't exist */ status = NT_STATUS_WRONG_PASSWORD; } else if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { status = NT_STATUS_ACCESS_DENIED; } else if (ret != LDB_SUCCESS) { DEBUG(1, ("Failed to set password on %s: %s\n", ldb_dn_get_linearized(user_dn), ldb_errstring(ldb))); status = NT_STATUS_UNSUCCESSFUL; } return status; } NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *user_dn, struct ldb_dn *domain_dn, const DATA_BLOB *new_password, const struct samr_Password *ntNewHash, enum dsdb_password_checked old_password_checked, enum samPwdChangeReason *reject_reason, struct samr_DomInfo1 **_dominfo) { return samdb_set_password_internal(ldb, mem_ctx, user_dn, domain_dn, new_password, ntNewHash, old_password_checked, reject_reason, _dominfo, false); /* reject trusts */ } /* * Sets the user password using plaintext UTF16 (attribute "new_password") or * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass * the old LM and/or NT hash (attributes "lmOldHash"/"ntOldHash") if it is a * user change or not. The "rejectReason" gives some more information if the * change failed. * * This wrapper function for "samdb_set_password" takes a SID as input rather * than a user DN. * * This call encapsulates a new LDB transaction for changing the password; * therefore the user hasn't to start a new one. * * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION, * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL, * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION, * NT_STATUS_ACCESS_DENIED, NT_STATUS_ACCOUNT_LOCKED_OUT, NT_STATUS_NO_MEMORY * NT_STATUS_TRANSACTION_ABORTED, NT_STATUS_NO_SUCH_USER */ NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct dom_sid *user_sid, const uint32_t *new_version, /* optional for trusts */ const DATA_BLOB *new_password, const struct samr_Password *ntNewHash, enum dsdb_password_checked old_password_checked, enum samPwdChangeReason *reject_reason, struct samr_DomInfo1 **_dominfo) { TALLOC_CTX *frame = talloc_stackframe(); NTSTATUS nt_status; static const char * const attrs[] = { "userAccountControl", "sAMAccountName", NULL }; struct ldb_message *user_msg = NULL; int ret; uint32_t uac = 0; ret = ldb_transaction_start(ldb); if (ret != LDB_SUCCESS) { DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(ldb))); TALLOC_FREE(frame); return NT_STATUS_TRANSACTION_ABORTED; } ret = dsdb_search_one(ldb, frame, &user_msg, ldb_get_default_basedn(ldb), LDB_SCOPE_SUBTREE, attrs, 0, "(&(objectSid=%s)(objectClass=user))", ldap_encode_ndr_dom_sid(frame, user_sid)); if (ret != LDB_SUCCESS) { ldb_transaction_cancel(ldb); DEBUG(3, ("samdb_set_password_sid: SID[%s] not found in samdb %s - %s, " "returning NO_SUCH_USER\n", dom_sid_string(frame, user_sid), ldb_strerror(ret), ldb_errstring(ldb))); TALLOC_FREE(frame); return NT_STATUS_NO_SUCH_USER; } uac = ldb_msg_find_attr_as_uint(user_msg, "userAccountControl", 0); if (!(uac & UF_ACCOUNT_TYPE_MASK)) { ldb_transaction_cancel(ldb); DEBUG(1, ("samdb_set_password_sid: invalid " "userAccountControl[0x%08X] for SID[%s] DN[%s], " "returning NO_SUCH_USER\n", (unsigned)uac, dom_sid_string(frame, user_sid), ldb_dn_get_linearized(user_msg->dn))); TALLOC_FREE(frame); return NT_STATUS_NO_SUCH_USER; } if (uac & UF_INTERDOMAIN_TRUST_ACCOUNT) { static const char * const tdo_attrs[] = { "trustAuthIncoming", "trustDirection", NULL }; struct ldb_message *tdo_msg = NULL; const char *account_name = NULL; uint32_t trust_direction; uint32_t i; const struct ldb_val *old_val = NULL; struct trustAuthInOutBlob old_blob = { .count = 0, }; uint32_t old_version = 0; struct AuthenticationInformation *old_version_a = NULL; uint32_t _new_version = 0; struct trustAuthInOutBlob new_blob = { .count = 0, }; struct ldb_val new_val = { .length = 0, }; struct timeval tv = timeval_current(); NTTIME now = timeval_to_nttime(&tv); enum ndr_err_code ndr_err; if (new_password == NULL && ntNewHash == NULL) { ldb_transaction_cancel(ldb); DEBUG(1, ("samdb_set_password_sid: " "no new password provided " "sAMAccountName for SID[%s] DN[%s], " "returning INVALID_PARAMETER\n", dom_sid_string(frame, user_sid), ldb_dn_get_linearized(user_msg->dn))); TALLOC_FREE(frame); return NT_STATUS_INVALID_PARAMETER; } if (new_password != NULL && ntNewHash != NULL) { ldb_transaction_cancel(ldb); DEBUG(1, ("samdb_set_password_sid: " "two new passwords provided " "sAMAccountName for SID[%s] DN[%s], " "returning INVALID_PARAMETER\n", dom_sid_string(frame, user_sid), ldb_dn_get_linearized(user_msg->dn))); TALLOC_FREE(frame); return NT_STATUS_INVALID_PARAMETER; } if (new_password != NULL && (new_password->length % 2)) { ldb_transaction_cancel(ldb); DEBUG(2, ("samdb_set_password_sid: " "invalid utf16 length (%zu) " "sAMAccountName for SID[%s] DN[%s], " "returning WRONG_PASSWORD\n", new_password->length, dom_sid_string(frame, user_sid), ldb_dn_get_linearized(user_msg->dn))); TALLOC_FREE(frame); return NT_STATUS_WRONG_PASSWORD; } if (new_password != NULL && new_password->length >= 500) { ldb_transaction_cancel(ldb); DEBUG(2, ("samdb_set_password_sid: " "utf16 password too long (%zu) " "sAMAccountName for SID[%s] DN[%s], " "returning WRONG_PASSWORD\n", new_password->length, dom_sid_string(frame, user_sid), ldb_dn_get_linearized(user_msg->dn))); TALLOC_FREE(frame); return NT_STATUS_WRONG_PASSWORD; } account_name = ldb_msg_find_attr_as_string(user_msg, "sAMAccountName", NULL); if (account_name == NULL) { ldb_transaction_cancel(ldb); DEBUG(1, ("samdb_set_password_sid: missing " "sAMAccountName for SID[%s] DN[%s], " "returning NO_SUCH_USER\n", dom_sid_string(frame, user_sid), ldb_dn_get_linearized(user_msg->dn))); TALLOC_FREE(frame); return NT_STATUS_NO_SUCH_USER; } nt_status = dsdb_trust_search_tdo_by_type(ldb, SEC_CHAN_DOMAIN, account_name, tdo_attrs, frame, &tdo_msg); if (!NT_STATUS_IS_OK(nt_status)) { ldb_transaction_cancel(ldb); DEBUG(1, ("samdb_set_password_sid: dsdb_trust_search_tdo " "failed(%s) for sAMAccountName[%s] SID[%s] DN[%s], " "returning INTERNAL_DB_CORRUPTION\n", nt_errstr(nt_status), account_name, dom_sid_string(frame, user_sid), ldb_dn_get_linearized(user_msg->dn))); TALLOC_FREE(frame); return NT_STATUS_INTERNAL_DB_CORRUPTION; } trust_direction = ldb_msg_find_attr_as_int(tdo_msg, "trustDirection", 0); if (!(trust_direction & LSA_TRUST_DIRECTION_INBOUND)) { ldb_transaction_cancel(ldb); DEBUG(1, ("samdb_set_password_sid: direction[0x%08X] is " "not inbound for sAMAccountName[%s] " "DN[%s] TDO[%s], " "returning INTERNAL_DB_CORRUPTION\n", (unsigned)trust_direction, account_name, ldb_dn_get_linearized(user_msg->dn), ldb_dn_get_linearized(tdo_msg->dn))); TALLOC_FREE(frame); return NT_STATUS_INTERNAL_DB_CORRUPTION; } old_val = ldb_msg_find_ldb_val(tdo_msg, "trustAuthIncoming"); if (old_val != NULL) { ndr_err = ndr_pull_struct_blob(old_val, frame, &old_blob, (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { ldb_transaction_cancel(ldb); DEBUG(1, ("samdb_set_password_sid: " "failed(%s) to parse " "trustAuthOutgoing sAMAccountName[%s] " "DN[%s] TDO[%s], " "returning INTERNAL_DB_CORRUPTION\n", ndr_map_error2string(ndr_err), account_name, ldb_dn_get_linearized(user_msg->dn), ldb_dn_get_linearized(tdo_msg->dn))); TALLOC_FREE(frame); return NT_STATUS_INTERNAL_DB_CORRUPTION; } } for (i = old_blob.current.count; i > 0; i--) { struct AuthenticationInformation *a = &old_blob.current.array[i - 1]; switch (a->AuthType) { case TRUST_AUTH_TYPE_NONE: if (i == old_blob.current.count) { /* * remove TRUST_AUTH_TYPE_NONE at the * end */ old_blob.current.count--; } break; case TRUST_AUTH_TYPE_VERSION: old_version_a = a; old_version = a->AuthInfo.version.version; break; case TRUST_AUTH_TYPE_CLEAR: break; case TRUST_AUTH_TYPE_NT4OWF: break; } } if (new_version == NULL) { _new_version = 0; new_version = &_new_version; } if (old_version_a != NULL && *new_version != (old_version + 1)) { old_version_a->LastUpdateTime = now; old_version_a->AuthType = TRUST_AUTH_TYPE_NONE; } new_blob.count = MAX(old_blob.current.count, 2); new_blob.current.array = talloc_zero_array(frame, struct AuthenticationInformation, new_blob.count); if (new_blob.current.array == NULL) { ldb_transaction_cancel(ldb); TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } new_blob.previous.array = talloc_zero_array(frame, struct AuthenticationInformation, new_blob.count); if (new_blob.current.array == NULL) { ldb_transaction_cancel(ldb); TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } for (i = 0; i < old_blob.current.count; i++) { struct AuthenticationInformation *o = &old_blob.current.array[i]; struct AuthenticationInformation *p = &new_blob.previous.array[i]; *p = *o; new_blob.previous.count++; } for (; i < new_blob.count; i++) { struct AuthenticationInformation *pi = &new_blob.previous.array[i]; if (i == 0) { /* * new_blob.previous is still empty so * we'll do new_blob.previous = new_blob.current * below. */ break; } pi->LastUpdateTime = now; pi->AuthType = TRUST_AUTH_TYPE_NONE; new_blob.previous.count++; } for (i = 0; i < new_blob.count; i++) { struct AuthenticationInformation *ci = &new_blob.current.array[i]; ci->LastUpdateTime = now; switch (i) { case 0: if (ntNewHash != NULL) { ci->AuthType = TRUST_AUTH_TYPE_NT4OWF; ci->AuthInfo.nt4owf.password = *ntNewHash; break; } ci->AuthType = TRUST_AUTH_TYPE_CLEAR; ci->AuthInfo.clear.size = new_password->length; ci->AuthInfo.clear.password = new_password->data; break; case 1: ci->AuthType = TRUST_AUTH_TYPE_VERSION; ci->AuthInfo.version.version = *new_version; break; default: ci->AuthType = TRUST_AUTH_TYPE_NONE; break; } new_blob.current.count++; } if (new_blob.previous.count == 0) { TALLOC_FREE(new_blob.previous.array); new_blob.previous = new_blob.current; } ndr_err = ndr_push_struct_blob(&new_val, frame, &new_blob, (ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { ldb_transaction_cancel(ldb); DEBUG(1, ("samdb_set_password_sid: " "failed(%s) to generate " "trustAuthOutgoing sAMAccountName[%s] " "DN[%s] TDO[%s], " "returning UNSUCCESSFUL\n", ndr_map_error2string(ndr_err), account_name, ldb_dn_get_linearized(user_msg->dn), ldb_dn_get_linearized(tdo_msg->dn))); TALLOC_FREE(frame); return NT_STATUS_UNSUCCESSFUL; } tdo_msg->num_elements = 0; TALLOC_FREE(tdo_msg->elements); ret = ldb_msg_append_value(tdo_msg, "trustAuthIncoming", &new_val, LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { ldb_transaction_cancel(ldb); TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } ret = ldb_modify(ldb, tdo_msg); if (ret != LDB_SUCCESS) { nt_status = dsdb_ldb_err_to_ntstatus(ret); ldb_transaction_cancel(ldb); DEBUG(1, ("samdb_set_password_sid: " "failed to replace " "trustAuthOutgoing sAMAccountName[%s] " "DN[%s] TDO[%s], " "%s - %s\n", account_name, ldb_dn_get_linearized(user_msg->dn), ldb_dn_get_linearized(tdo_msg->dn), nt_errstr(nt_status), ldb_errstring(ldb))); TALLOC_FREE(frame); return nt_status; } } nt_status = samdb_set_password_internal(ldb, mem_ctx, user_msg->dn, NULL, new_password, ntNewHash, old_password_checked, reject_reason, _dominfo, true); /* permit trusts */ if (!NT_STATUS_IS_OK(nt_status)) { ldb_transaction_cancel(ldb); TALLOC_FREE(frame); return nt_status; } ret = ldb_transaction_commit(ldb); if (ret != LDB_SUCCESS) { DEBUG(0,("Failed to commit transaction to change password on %s: %s\n", ldb_dn_get_linearized(user_msg->dn), ldb_errstring(ldb))); TALLOC_FREE(frame); return NT_STATUS_TRANSACTION_ABORTED; } TALLOC_FREE(frame); return NT_STATUS_OK; } NTSTATUS samdb_create_foreign_security_principal(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct dom_sid *sid, struct ldb_dn **ret_dn) { struct ldb_message *msg; struct ldb_dn *basedn = NULL; char *sidstr; int ret; sidstr = dom_sid_string(mem_ctx, sid); NT_STATUS_HAVE_NO_MEMORY(sidstr); /* We might have to create a ForeignSecurityPrincipal, even if this user * is in our own domain */ msg = ldb_msg_new(sidstr); if (msg == NULL) { talloc_free(sidstr); return NT_STATUS_NO_MEMORY; } ret = dsdb_wellknown_dn(sam_ctx, sidstr, ldb_get_default_basedn(sam_ctx), DS_GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER, &basedn); if (ret != LDB_SUCCESS) { DEBUG(0, ("Failed to find DN for " "ForeignSecurityPrincipal container - %s\n", ldb_errstring(sam_ctx))); talloc_free(sidstr); return NT_STATUS_INTERNAL_DB_CORRUPTION; } /* add core elements to the ldb_message for the alias */ msg->dn = basedn; if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s", sidstr)) { talloc_free(sidstr); return NT_STATUS_NO_MEMORY; } ret = ldb_msg_add_string(msg, "objectClass", "foreignSecurityPrincipal"); if (ret != LDB_SUCCESS) { talloc_free(sidstr); return NT_STATUS_NO_MEMORY; } /* create the alias */ ret = ldb_add(sam_ctx, msg); if (ret != LDB_SUCCESS) { DEBUG(0,("Failed to create foreignSecurityPrincipal " "record %s: %s\n", ldb_dn_get_linearized(msg->dn), ldb_errstring(sam_ctx))); talloc_free(sidstr); return NT_STATUS_INTERNAL_DB_CORRUPTION; } *ret_dn = talloc_steal(mem_ctx, msg->dn); talloc_free(sidstr); return NT_STATUS_OK; } /* Find the DN of a domain, assuming it to be a dotted.dns name */ struct ldb_dn *samdb_dns_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const char *dns_domain) { unsigned int i; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); const char *binary_encoded; const char * const *split_realm; struct ldb_dn *dn; if (!tmp_ctx) { return NULL; } split_realm = (const char * const *)str_list_make(tmp_ctx, dns_domain, "."); if (!split_realm) { talloc_free(tmp_ctx); return NULL; } dn = ldb_dn_new(mem_ctx, ldb, NULL); for (i=0; split_realm[i]; i++) { binary_encoded = ldb_binary_encode_string(tmp_ctx, split_realm[i]); if (binary_encoded == NULL) { DEBUG(2, ("Failed to add dc= element to DN %s\n", ldb_dn_get_linearized(dn))); talloc_free(tmp_ctx); return NULL; } if (!ldb_dn_add_base_fmt(dn, "dc=%s", binary_encoded)) { DEBUG(2, ("Failed to add dc=%s element to DN %s\n", binary_encoded, ldb_dn_get_linearized(dn))); talloc_free(tmp_ctx); return NULL; } } if (!ldb_dn_validate(dn)) { DEBUG(2, ("Failed to validated DN %s\n", ldb_dn_get_linearized(dn))); talloc_free(tmp_ctx); return NULL; } talloc_free(tmp_ctx); return dn; } /* Find the DNS equivalent of a DN, in dotted DNS form */ char *samdb_dn_to_dns_domain(TALLOC_CTX *mem_ctx, struct ldb_dn *dn) { int i, num_components = ldb_dn_get_comp_num(dn); char *dns_name = talloc_strdup(mem_ctx, ""); if (dns_name == NULL) { return NULL; } for (i=0; ilength, (int)v->length, (char *)v->data); if (s == NULL) { talloc_free(dns_name); return NULL; } dns_name = s; } /* remove the last '.' */ if (dns_name[0] != 0) { dns_name[strlen(dns_name)-1] = 0; } return dns_name; } /* Find the DNS _msdcs name for a given NTDS GUID. The resulting DNS name is based on the forest DNS name */ char *samdb_ntds_msdcs_dns_name(struct ldb_context *samdb, TALLOC_CTX *mem_ctx, const struct GUID *ntds_guid) { TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); const char *guid_str; struct ldb_dn *forest_dn; const char *dnsforest; char *ret; guid_str = GUID_string(tmp_ctx, ntds_guid); if (guid_str == NULL) { talloc_free(tmp_ctx); return NULL; } forest_dn = ldb_get_root_basedn(samdb); if (forest_dn == NULL) { talloc_free(tmp_ctx); return NULL; } dnsforest = samdb_dn_to_dns_domain(tmp_ctx, forest_dn); if (dnsforest == NULL) { talloc_free(tmp_ctx); return NULL; } ret = talloc_asprintf(mem_ctx, "%s._msdcs.%s", guid_str, dnsforest); talloc_free(tmp_ctx); return ret; } /* Find the DN of a domain, be it the netbios or DNS name */ struct ldb_dn *samdb_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const char *domain_name) { const char * const domain_ref_attrs[] = { "ncName", NULL }; const char * const domain_ref2_attrs[] = { NULL }; struct ldb_result *res_domain_ref; char *escaped_domain = ldb_binary_encode_string(mem_ctx, domain_name); int ret_domain; if (escaped_domain == NULL) { return NULL; } /* find the domain's DN */ ret_domain = ldb_search(ldb, mem_ctx, &res_domain_ref, samdb_partitions_dn(ldb, mem_ctx), LDB_SCOPE_ONELEVEL, domain_ref_attrs, "(&(nETBIOSName=%s)(objectclass=crossRef))", escaped_domain); if (ret_domain != LDB_SUCCESS) { return NULL; } if (res_domain_ref->count == 0) { ret_domain = ldb_search(ldb, mem_ctx, &res_domain_ref, samdb_dns_domain_to_dn(ldb, mem_ctx, domain_name), LDB_SCOPE_BASE, domain_ref2_attrs, "(objectclass=domain)"); if (ret_domain != LDB_SUCCESS) { return NULL; } if (res_domain_ref->count == 1) { return res_domain_ref->msgs[0]->dn; } return NULL; } if (res_domain_ref->count > 1) { DEBUG(0,("Found %d records matching domain [%s]\n", ret_domain, domain_name)); return NULL; } return samdb_result_dn(ldb, mem_ctx, res_domain_ref->msgs[0], "nCName", NULL); } /* use a GUID to find a DN */ int dsdb_find_dn_by_guid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct GUID *guid, uint32_t dsdb_flags, struct ldb_dn **dn) { int ret; struct ldb_result *res; const char *attrs[] = { NULL }; struct GUID_txt_buf buf; char *guid_str = GUID_buf_string(guid, &buf); ret = dsdb_search(ldb, mem_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs, DSDB_SEARCH_SEARCH_ALL_PARTITIONS | DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_ONE_ONLY | dsdb_flags, "objectGUID=%s", guid_str); if (ret != LDB_SUCCESS) { return ret; } *dn = talloc_steal(mem_ctx, res->msgs[0]->dn); talloc_free(res); return LDB_SUCCESS; } /* use a DN to find a GUID with a given attribute name */ int dsdb_find_guid_attr_by_dn(struct ldb_context *ldb, struct ldb_dn *dn, const char *attribute, struct GUID *guid) { int ret; struct ldb_result *res = NULL; const char *attrs[2]; TALLOC_CTX *tmp_ctx = talloc_new(ldb); attrs[0] = attribute; attrs[1] = NULL; ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_DELETED | DSDB_SEARCH_SHOW_RECYCLED); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } /* satisfy clang */ if (res == NULL) { talloc_free(tmp_ctx); return LDB_ERR_OTHER; } if (res->count < 1) { talloc_free(tmp_ctx); return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__); } *guid = samdb_result_guid(res->msgs[0], attribute); talloc_free(tmp_ctx); return LDB_SUCCESS; } /* use a DN to find a GUID */ int dsdb_find_guid_by_dn(struct ldb_context *ldb, struct ldb_dn *dn, struct GUID *guid) { return dsdb_find_guid_attr_by_dn(ldb, dn, "objectGUID", guid); } /* adds the given GUID to the given ldb_message. This value is added for the given attr_name (may be either "objectGUID" or "parentGUID"). This function is used in processing 'add' requests. */ int dsdb_msg_add_guid(struct ldb_message *msg, struct GUID *guid, const char *attr_name) { int ret; struct ldb_val v; NTSTATUS status; TALLOC_CTX *tmp_ctx = talloc_init("dsdb_msg_add_guid"); status = GUID_to_ndr_blob(guid, tmp_ctx, &v); if (!NT_STATUS_IS_OK(status)) { ret = LDB_ERR_OPERATIONS_ERROR; goto done; } ret = ldb_msg_add_steal_value(msg, attr_name, &v); if (ret != LDB_SUCCESS) { DEBUG(4,(__location__ ": Failed to add %s to the message\n", attr_name)); goto done; } ret = LDB_SUCCESS; done: talloc_free(tmp_ctx); return ret; } /* use a DN to find a SID */ int dsdb_find_sid_by_dn(struct ldb_context *ldb, struct ldb_dn *dn, struct dom_sid *sid) { int ret; struct ldb_result *res = NULL; const char *attrs[] = { "objectSid", NULL }; TALLOC_CTX *tmp_ctx = talloc_new(ldb); struct dom_sid *s; ZERO_STRUCTP(sid); ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_DELETED | DSDB_SEARCH_SHOW_RECYCLED); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } if (res == NULL) { talloc_free(tmp_ctx); return LDB_ERR_OTHER; } if (res->count < 1) { talloc_free(tmp_ctx); return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__); } s = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid"); if (s == NULL) { talloc_free(tmp_ctx); return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__); } *sid = *s; talloc_free(tmp_ctx); return LDB_SUCCESS; } /* use a SID to find a DN */ int dsdb_find_dn_by_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct dom_sid *sid, struct ldb_dn **dn) { int ret; struct ldb_result *res; const char *attrs[] = { NULL }; char *sid_str = ldap_encode_ndr_dom_sid(mem_ctx, sid); if (!sid_str) { return ldb_operr(ldb); } ret = dsdb_search(ldb, mem_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs, DSDB_SEARCH_SEARCH_ALL_PARTITIONS | DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_ONE_ONLY, "objectSid=%s", sid_str); talloc_free(sid_str); if (ret != LDB_SUCCESS) { return ret; } *dn = talloc_steal(mem_ctx, res->msgs[0]->dn); talloc_free(res); return LDB_SUCCESS; } /* load a repsFromTo blob list for a given partition GUID attr must be "repsFrom" or "repsTo" */ WERROR dsdb_loadreps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn, const char *attr, struct repsFromToBlob **r, uint32_t *count) { const char *attrs[] = { attr, NULL }; struct ldb_result *res = NULL; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); unsigned int i; struct ldb_message_element *el; int ret; *r = NULL; *count = 0; if (tmp_ctx == NULL) { return WERR_NOT_ENOUGH_MEMORY; } ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs, 0); if (ret == LDB_ERR_NO_SUCH_OBJECT) { /* partition hasn't been replicated yet */ talloc_free(tmp_ctx); return WERR_OK; } if (ret != LDB_SUCCESS) { DEBUG(0,("dsdb_loadreps: failed to read partition object: %s\n", ldb_errstring(sam_ctx))); talloc_free(tmp_ctx); return WERR_DS_DRA_INTERNAL_ERROR; } /* satisfy clang */ if (res == NULL) { talloc_free(tmp_ctx); return WERR_DS_DRA_INTERNAL_ERROR; } el = ldb_msg_find_element(res->msgs[0], attr); if (el == NULL) { /* it's OK to be empty */ talloc_free(tmp_ctx); return WERR_OK; } *count = el->num_values; *r = talloc_array(mem_ctx, struct repsFromToBlob, *count); if (*r == NULL) { talloc_free(tmp_ctx); return WERR_DS_DRA_INTERNAL_ERROR; } for (i=0; i<(*count); i++) { enum ndr_err_code ndr_err; ndr_err = ndr_pull_struct_blob(&el->values[i], mem_ctx, &(*r)[i], (ndr_pull_flags_fn_t)ndr_pull_repsFromToBlob); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { talloc_free(tmp_ctx); return WERR_DS_DRA_INTERNAL_ERROR; } } talloc_free(tmp_ctx); return WERR_OK; } /* save the repsFromTo blob list for a given partition GUID attr must be "repsFrom" or "repsTo" */ WERROR dsdb_savereps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn, const char *attr, struct repsFromToBlob *r, uint32_t count) { TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); struct ldb_message *msg; struct ldb_message_element *el; unsigned int i; if (tmp_ctx == NULL) { goto failed; } msg = ldb_msg_new(tmp_ctx); if (msg == NULL) { goto failed; } msg->dn = dn; if (ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_REPLACE, &el) != LDB_SUCCESS) { goto failed; } el->values = talloc_array(msg, struct ldb_val, count); if (!el->values) { goto failed; } for (i=0; inum_values++; el->values[i] = v; } if (dsdb_modify(sam_ctx, msg, 0) != LDB_SUCCESS) { DEBUG(0,("Failed to store %s - %s\n", attr, ldb_errstring(sam_ctx))); goto failed; } talloc_free(tmp_ctx); return WERR_OK; failed: talloc_free(tmp_ctx); return WERR_DS_DRA_INTERNAL_ERROR; } /* load the uSNHighest and the uSNUrgent attributes from the @REPLCHANGED object for a partition */ int dsdb_load_partition_usn(struct ldb_context *ldb, struct ldb_dn *dn, uint64_t *uSN, uint64_t *urgent_uSN) { struct ldb_request *req; int ret; TALLOC_CTX *tmp_ctx = talloc_new(ldb); struct dsdb_control_current_partition *p_ctrl; struct ldb_result *res; if (tmp_ctx == NULL) { return ldb_oom(ldb); } res = talloc_zero(tmp_ctx, struct ldb_result); if (!res) { talloc_free(tmp_ctx); return ldb_oom(ldb); } ret = ldb_build_search_req(&req, ldb, tmp_ctx, ldb_dn_new(tmp_ctx, ldb, "@REPLCHANGED"), LDB_SCOPE_BASE, NULL, NULL, NULL, res, ldb_search_default_callback, NULL); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } p_ctrl = talloc(req, struct dsdb_control_current_partition); if (p_ctrl == NULL) { talloc_free(tmp_ctx); return ldb_oom(ldb); } p_ctrl->version = DSDB_CONTROL_CURRENT_PARTITION_VERSION; p_ctrl->dn = dn; ret = ldb_request_add_control(req, DSDB_CONTROL_CURRENT_PARTITION_OID, false, p_ctrl); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } /* Run the new request */ ret = ldb_request(ldb, req); if (ret == LDB_SUCCESS) { ret = ldb_wait(req->handle, LDB_WAIT_ALL); } if (ret == LDB_ERR_NO_SUCH_OBJECT || ret == LDB_ERR_INVALID_DN_SYNTAX) { /* it hasn't been created yet, which means an implicit value of zero */ *uSN = 0; talloc_free(tmp_ctx); return LDB_SUCCESS; } if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } if (res->count < 1) { *uSN = 0; if (urgent_uSN) { *urgent_uSN = 0; } } else { *uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNHighest", 0); if (urgent_uSN) { *urgent_uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNUrgent", 0); } } talloc_free(tmp_ctx); return LDB_SUCCESS; } int drsuapi_DsReplicaCursor2_compare(const struct drsuapi_DsReplicaCursor2 *c1, const struct drsuapi_DsReplicaCursor2 *c2) { return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id); } int drsuapi_DsReplicaCursor_compare(const struct drsuapi_DsReplicaCursor *c1, const struct drsuapi_DsReplicaCursor *c2) { return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id); } /* * Return the NTDS object for a GUID, confirming it is in the * configuration partition and a nTDSDSA object */ int samdb_get_ntds_obj_by_guid(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, const struct GUID *objectGUID, const char **attrs, struct ldb_message **msg) { int ret; struct ldb_result *res; struct GUID_txt_buf guid_buf; char *guid_str = GUID_buf_string(objectGUID, &guid_buf); struct ldb_dn *config_dn = NULL; config_dn = ldb_get_config_basedn(sam_ctx); if (config_dn == NULL) { return ldb_operr(sam_ctx); } ret = dsdb_search(sam_ctx, mem_ctx, &res, config_dn, LDB_SCOPE_SUBTREE, attrs, DSDB_SEARCH_ONE_ONLY, "(&(objectGUID=%s)(objectClass=nTDSDSA))", guid_str); if (ret != LDB_SUCCESS) { return ret; } if (msg) { *msg = talloc_steal(mem_ctx, res->msgs[0]); } TALLOC_FREE(res); return ret; } /* see if a computer identified by its objectGUID is a RODC */ int samdb_is_rodc(struct ldb_context *sam_ctx, const struct GUID *objectGUID, bool *is_rodc) { /* 1) find the DN for this servers NTDSDSA object 2) search for the msDS-isRODC attribute 3) if not present then not a RODC 4) if present and TRUE then is a RODC */ const char *attrs[] = { "msDS-isRODC", NULL }; int ret; struct ldb_message *msg; TALLOC_CTX *tmp_ctx = talloc_new(sam_ctx); if (tmp_ctx == NULL) { return ldb_oom(sam_ctx); } ret = samdb_get_ntds_obj_by_guid(tmp_ctx, sam_ctx, objectGUID, attrs, &msg); if (ret == LDB_ERR_NO_SUCH_OBJECT) { *is_rodc = false; talloc_free(tmp_ctx); return LDB_SUCCESS; } if (ret != LDB_SUCCESS) { DEBUG(1,("Failed to find our own NTDS Settings object by objectGUID=%s!\n", GUID_string(tmp_ctx, objectGUID))); *is_rodc = false; talloc_free(tmp_ctx); return ret; } ret = ldb_msg_find_attr_as_bool(msg, "msDS-isRODC", 0); *is_rodc = (ret == 1); talloc_free(tmp_ctx); return LDB_SUCCESS; } /* see if we are a RODC */ int samdb_rodc(struct ldb_context *sam_ctx, bool *am_rodc) { const struct GUID *objectGUID; int ret; bool *cached; /* see if we have a cached copy */ cached = (bool *)ldb_get_opaque(sam_ctx, "cache.am_rodc"); if (cached) { *am_rodc = *cached; return LDB_SUCCESS; } objectGUID = samdb_ntds_objectGUID(sam_ctx); if (!objectGUID) { return ldb_operr(sam_ctx); } ret = samdb_is_rodc(sam_ctx, objectGUID, am_rodc); if (ret != LDB_SUCCESS) { return ret; } cached = talloc(sam_ctx, bool); if (cached == NULL) { return ldb_oom(sam_ctx); } *cached = *am_rodc; ret = ldb_set_opaque(sam_ctx, "cache.am_rodc", cached); if (ret != LDB_SUCCESS) { talloc_free(cached); return ldb_operr(sam_ctx); } return LDB_SUCCESS; } int samdb_dns_host_name(struct ldb_context *sam_ctx, const char **host_name) { const char *_host_name = NULL; const char *attrs[] = { "dnsHostName", NULL }; TALLOC_CTX *tmp_ctx = NULL; int ret; struct ldb_result *res = NULL; _host_name = (const char *)ldb_get_opaque(sam_ctx, "cache.dns_host_name"); if (_host_name != NULL) { *host_name = _host_name; return LDB_SUCCESS; } tmp_ctx = talloc_new(sam_ctx); if (tmp_ctx == NULL) { return ldb_oom(sam_ctx); } ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, NULL, attrs, 0); if (res == NULL || res->count != 1 || ret != LDB_SUCCESS) { DEBUG(0, ("Failed to get rootDSE for dnsHostName: %s\n", ldb_errstring(sam_ctx))); TALLOC_FREE(tmp_ctx); return ret; } _host_name = ldb_msg_find_attr_as_string(res->msgs[0], "dnsHostName", NULL); if (_host_name == NULL) { DEBUG(0, ("Failed to get dnsHostName from rootDSE\n")); TALLOC_FREE(tmp_ctx); return LDB_ERR_OPERATIONS_ERROR; } ret = ldb_set_opaque(sam_ctx, "cache.dns_host_name", discard_const_p(char *, _host_name)); if (ret != LDB_SUCCESS) { TALLOC_FREE(tmp_ctx); return ldb_operr(sam_ctx); } *host_name = talloc_steal(sam_ctx, _host_name); TALLOC_FREE(tmp_ctx); return LDB_SUCCESS; } bool samdb_set_am_rodc(struct ldb_context *ldb, bool am_rodc) { TALLOC_CTX *tmp_ctx; bool *cached; tmp_ctx = talloc_new(ldb); if (tmp_ctx == NULL) { goto failed; } cached = talloc(tmp_ctx, bool); if (!cached) { goto failed; } *cached = am_rodc; if (ldb_set_opaque(ldb, "cache.am_rodc", cached) != LDB_SUCCESS) { goto failed; } talloc_steal(ldb, cached); talloc_free(tmp_ctx); return true; failed: DEBUG(1,("Failed to set our own cached am_rodc in the ldb!\n")); talloc_free(tmp_ctx); return false; } /* * return NTDSSiteSettings options. See MS-ADTS 7.1.1.2.2.1.1 * flags are DS_NTDSSETTINGS_OPT_* */ int samdb_ntds_site_settings_options(struct ldb_context *ldb_ctx, uint32_t *options) { int rc; TALLOC_CTX *tmp_ctx; struct ldb_result *res; struct ldb_dn *site_dn; const char *attrs[] = { "options", NULL }; tmp_ctx = talloc_new(ldb_ctx); if (tmp_ctx == NULL) goto failed; /* Retrieve the site dn for the ldb that we * have open. This is our local site. */ site_dn = samdb_server_site_dn(ldb_ctx, tmp_ctx); if (site_dn == NULL) goto failed; /* Perform a one level (child) search from the local * site distinguished name. We're looking for the * "options" attribute within the nTDSSiteSettings * object */ rc = ldb_search(ldb_ctx, tmp_ctx, &res, site_dn, LDB_SCOPE_ONELEVEL, attrs, "objectClass=nTDSSiteSettings"); if (rc != LDB_SUCCESS || res->count != 1) goto failed; *options = ldb_msg_find_attr_as_uint(res->msgs[0], "options", 0); talloc_free(tmp_ctx); return LDB_SUCCESS; failed: DEBUG(1,("Failed to find our NTDS Site Settings options in ldb!\n")); talloc_free(tmp_ctx); return ldb_error(ldb_ctx, LDB_ERR_NO_SUCH_OBJECT, __func__); } /* return NTDS options flags. See MS-ADTS 7.1.1.2.2.1.2.1.1 flags are DS_NTDS_OPTION_* */ int samdb_ntds_options(struct ldb_context *ldb, uint32_t *options) { TALLOC_CTX *tmp_ctx; const char *attrs[] = { "options", NULL }; int ret; struct ldb_result *res; tmp_ctx = talloc_new(ldb); if (tmp_ctx == NULL) { goto failed; } ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb, tmp_ctx), LDB_SCOPE_BASE, attrs, NULL); if (ret != LDB_SUCCESS) { goto failed; } if (res->count != 1) { goto failed; } *options = ldb_msg_find_attr_as_uint(res->msgs[0], "options", 0); talloc_free(tmp_ctx); return LDB_SUCCESS; failed: DEBUG(1,("Failed to find our own NTDS Settings options in the ldb!\n")); talloc_free(tmp_ctx); return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__); } const char* samdb_ntds_object_category(TALLOC_CTX *tmp_ctx, struct ldb_context *ldb) { const char *attrs[] = { "objectCategory", NULL }; int ret; struct ldb_result *res; ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb, tmp_ctx), LDB_SCOPE_BASE, attrs, NULL); if (ret != LDB_SUCCESS) { goto failed; } if (res->count != 1) { goto failed; } return ldb_msg_find_attr_as_string(res->msgs[0], "objectCategory", NULL); failed: DEBUG(1,("Failed to find our own NTDS Settings objectCategory in the ldb!\n")); return NULL; } /* * Function which generates a "lDAPDisplayName" attribute from a "CN" one. * Algorithm implemented according to MS-ADTS 3.1.1.2.3.4 */ const char *samdb_cn_to_lDAPDisplayName(TALLOC_CTX *mem_ctx, const char *cn) { char **tokens, *ret; size_t i; tokens = str_list_make(mem_ctx, cn, " -_"); if (tokens == NULL || tokens[0] == NULL) { return NULL; } /* "tolower()" and "toupper()" should also work properly on 0x00 */ tokens[0][0] = tolower(tokens[0][0]); for (i = 1; tokens[i] != NULL; i++) tokens[i][0] = toupper(tokens[i][0]); ret = talloc_strdup(mem_ctx, tokens[0]); if (ret == NULL) { talloc_free(tokens); return NULL; } for (i = 1; tokens[i] != NULL; i++) { ret = talloc_asprintf_append_buffer(ret, "%s", tokens[i]); if (ret == NULL) { talloc_free(tokens); return NULL; } } talloc_free(tokens); return ret; } /* * This detects and returns the domain functional level (DS_DOMAIN_FUNCTION_*) */ int dsdb_functional_level(struct ldb_context *ldb) { int *domainFunctionality = talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int); if (!domainFunctionality) { /* this is expected during initial provision */ DEBUG(4,(__location__ ": WARNING: domainFunctionality not setup\n")); return DS_DOMAIN_FUNCTION_2000; } return *domainFunctionality; } /* * This detects and returns the forest functional level (DS_DOMAIN_FUNCTION_*) */ int dsdb_forest_functional_level(struct ldb_context *ldb) { int *forestFunctionality = talloc_get_type(ldb_get_opaque(ldb, "forestFunctionality"), int); if (!forestFunctionality) { DEBUG(0,(__location__ ": WARNING: forestFunctionality not setup\n")); return DS_DOMAIN_FUNCTION_2000; } return *forestFunctionality; } /* * This detects and returns the DC functional level (DS_DOMAIN_FUNCTION_*) */ int dsdb_dc_functional_level(struct ldb_context *ldb) { int *dcFunctionality = talloc_get_type(ldb_get_opaque(ldb, "domainControllerFunctionality"), int); if (!dcFunctionality) { /* this is expected during initial provision */ DEBUG(4,(__location__ ": WARNING: domainControllerFunctionality not setup\n")); return DS_DOMAIN_FUNCTION_2008_R2; } return *dcFunctionality; } const char *dsdb_dc_operatingSystemVersion(int dc_functional_level) { const char *operatingSystemVersion = NULL; /* * While we are there also update * operatingSystem and operatingSystemVersion * as at least operatingSystemVersion is really * important for some clients/applications (like exchange). */ if (dc_functional_level >= DS_DOMAIN_FUNCTION_2016) { /* Pretend Windows 2016 */ operatingSystemVersion = "10.0 (14393)"; } else if (dc_functional_level >= DS_DOMAIN_FUNCTION_2012_R2) { /* Pretend Windows 2012 R2 */ operatingSystemVersion = "6.3 (9600)"; } else if (dc_functional_level >= DS_DOMAIN_FUNCTION_2012) { /* Pretend Windows 2012 */ operatingSystemVersion = "6.2 (9200)"; } else { /* Pretend Windows 2008 R2 */ operatingSystemVersion = "6.1 (7600)"; } return operatingSystemVersion; } int dsdb_check_and_update_fl(struct ldb_context *ldb_ctx, struct loadparm_context *lp_ctx) { TALLOC_CTX *frame = talloc_stackframe(); int ret; int db_dc_functional_level; int db_domain_functional_level; int db_forest_functional_level; int lp_dc_functional_level = lpcfg_ad_dc_functional_level(lp_ctx); bool am_rodc; struct ldb_message *msg = NULL; struct ldb_dn *dc_ntds_settings_dn = NULL; struct ldb_dn *dc_computer_dn = NULL; const char *operatingSystem = NULL; const char *operatingSystemVersion = NULL; db_dc_functional_level = dsdb_dc_functional_level(ldb_ctx); db_domain_functional_level = dsdb_functional_level(ldb_ctx); db_forest_functional_level = dsdb_forest_functional_level(ldb_ctx); if (lp_dc_functional_level < db_domain_functional_level) { DBG_ERR("Refusing to start as smb.conf 'ad dc functional level' maps to %d, " "which is less than the domain functional level of %d\n", lp_dc_functional_level, db_domain_functional_level); TALLOC_FREE(frame); return LDB_ERR_CONSTRAINT_VIOLATION; } if (lp_dc_functional_level < db_forest_functional_level) { DBG_ERR("Refusing to start as smb.conf 'ad dc functional level' maps to %d, " "which is less than the forest functional level of %d\n", lp_dc_functional_level, db_forest_functional_level); TALLOC_FREE(frame); return LDB_ERR_CONSTRAINT_VIOLATION; } /* Check if we need to update the DB */ if (db_dc_functional_level == lp_dc_functional_level) { /* * Note that this early return means * we're not updating operatingSystem and * operatingSystemVersion. * * But at least for now that's * exactly what we want. */ TALLOC_FREE(frame); return LDB_SUCCESS; } /* Confirm we are not an RODC before we try a modify */ ret = samdb_rodc(ldb_ctx, &am_rodc); if (ret != LDB_SUCCESS) { DBG_ERR("Failed to determine if this server is an RODC\n"); TALLOC_FREE(frame); return ret; } if (am_rodc) { DBG_WARNING("Unable to update DC's msDS-Behavior-Version " "(from %d to %d) and operatingSystem[Version] " "as we are an RODC\n", db_dc_functional_level, lp_dc_functional_level); TALLOC_FREE(frame); return LDB_SUCCESS; } dc_ntds_settings_dn = samdb_ntds_settings_dn(ldb_ctx, frame); if (dc_ntds_settings_dn == NULL) { DBG_ERR("Failed to find own NTDS Settings DN\n"); TALLOC_FREE(frame); return LDB_ERR_NO_SUCH_OBJECT; } /* Now update our msDS-Behavior-Version */ msg = ldb_msg_new(frame); if (msg == NULL) { DBG_ERR("Failed to allocate message to update msDS-Behavior-Version\n"); TALLOC_FREE(frame); return LDB_ERR_OPERATIONS_ERROR; } msg->dn = dc_ntds_settings_dn; ret = samdb_msg_add_int(ldb_ctx, frame, msg, "msDS-Behavior-Version", lp_dc_functional_level); if (ret != LDB_SUCCESS) { DBG_ERR("Failed to set new msDS-Behavior-Version on message\n"); TALLOC_FREE(frame); return LDB_ERR_OPERATIONS_ERROR; } ret = dsdb_replace(ldb_ctx, msg, 0); if (ret != LDB_SUCCESS) { DBG_ERR("Failed to update DB with new msDS-Behavior-Version on %s: %s\n", ldb_dn_get_linearized(dc_ntds_settings_dn), ldb_errstring(ldb_ctx)); TALLOC_FREE(frame); return ret; } /* * We have to update the opaque because this particular ldb_context * will not re-read the DB */ { int *val = talloc(ldb_ctx, int); if (!val) { TALLOC_FREE(frame); return LDB_ERR_OPERATIONS_ERROR; } *val = lp_dc_functional_level; ret = ldb_set_opaque(ldb_ctx, "domainControllerFunctionality", val); if (ret != LDB_SUCCESS) { DBG_ERR("Failed to re-set domainControllerFunctionality opaque\n"); TALLOC_FREE(val); TALLOC_FREE(frame); return ret; } } /* * While we are there also update * operatingSystem and operatingSystemVersion * as at least operatingSystemVersion is really * important for some clients/applications (like exchange). */ operatingSystem = talloc_asprintf(frame, "Samba-%s", samba_version_string()); if (operatingSystem == NULL) { TALLOC_FREE(frame); return ldb_oom(ldb_ctx); } operatingSystemVersion = dsdb_dc_operatingSystemVersion(db_dc_functional_level); ret = samdb_server_reference_dn(ldb_ctx, frame, &dc_computer_dn); if (ret != LDB_SUCCESS) { DBG_ERR("Failed to get the dc_computer_dn: %s\n", ldb_errstring(ldb_ctx)); TALLOC_FREE(frame); return ret; } msg = ldb_msg_new(frame); if (msg == NULL) { DBG_ERR("Failed to allocate message to update msDS-Behavior-Version\n"); TALLOC_FREE(frame); return LDB_ERR_OPERATIONS_ERROR; } msg->dn = dc_computer_dn; ret = samdb_msg_add_addval(ldb_ctx, frame, msg, "operatingSystem", operatingSystem); if (ret != LDB_SUCCESS) { DBG_ERR("Failed to set new operatingSystem on message\n"); TALLOC_FREE(frame); return ldb_operr(ldb_ctx); } ret = samdb_msg_add_addval(ldb_ctx, frame, msg, "operatingSystemVersion", operatingSystemVersion); if (ret != LDB_SUCCESS) { DBG_ERR("Failed to set new operatingSystemVersion on message\n"); TALLOC_FREE(frame); return ldb_operr(ldb_ctx); } ret = dsdb_replace(ldb_ctx, msg, 0); if (ret != LDB_SUCCESS) { DBG_ERR("Failed to update DB with new operatingSystem[Version] on %s: %s\n", ldb_dn_get_linearized(dc_computer_dn), ldb_errstring(ldb_ctx)); TALLOC_FREE(frame); return ret; } TALLOC_FREE(frame); return LDB_SUCCESS; } /* set a GUID in an extended DN structure */ int dsdb_set_extended_dn_guid(struct ldb_dn *dn, const struct GUID *guid, const char *component_name) { struct ldb_val v; NTSTATUS status; int ret; status = GUID_to_ndr_blob(guid, dn, &v); if (!NT_STATUS_IS_OK(status)) { return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; } ret = ldb_dn_set_extended_component(dn, component_name, &v); data_blob_free(&v); return ret; } /* return a GUID from a extended DN structure */ NTSTATUS dsdb_get_extended_dn_guid(struct ldb_dn *dn, struct GUID *guid, const char *component_name) { const struct ldb_val *v; v = ldb_dn_get_extended_component(dn, component_name); if (v == NULL) { return NT_STATUS_OBJECT_NAME_NOT_FOUND; } return GUID_from_ndr_blob(v, guid); } /* return a uint64_t from a extended DN structure */ NTSTATUS dsdb_get_extended_dn_uint64(struct ldb_dn *dn, uint64_t *val, const char *component_name) { const struct ldb_val *v; int error = 0; v = ldb_dn_get_extended_component(dn, component_name); if (v == NULL) { return NT_STATUS_OBJECT_NAME_NOT_FOUND; } /* Just check we don't allow the caller to fill our stack */ if (v->length >= 64) { return NT_STATUS_INVALID_PARAMETER; } else { char s[v->length+1]; memcpy(s, v->data, v->length); s[v->length] = 0; *val = smb_strtoull(s, NULL, 0, &error, SMB_STR_STANDARD); if (error != 0) { return NT_STATUS_INVALID_PARAMETER; } } return NT_STATUS_OK; } /* return a NTTIME from a extended DN structure */ NTSTATUS dsdb_get_extended_dn_nttime(struct ldb_dn *dn, NTTIME *nttime, const char *component_name) { return dsdb_get_extended_dn_uint64(dn, nttime, component_name); } /* return a uint32_t from a extended DN structure */ NTSTATUS dsdb_get_extended_dn_uint32(struct ldb_dn *dn, uint32_t *val, const char *component_name) { const struct ldb_val *v; int error = 0; v = ldb_dn_get_extended_component(dn, component_name); if (v == NULL) { return NT_STATUS_OBJECT_NAME_NOT_FOUND; } /* Just check we don't allow the caller to fill our stack */ if (v->length >= 32) { return NT_STATUS_INVALID_PARAMETER; } else { char s[v->length + 1]; memcpy(s, v->data, v->length); s[v->length] = 0; *val = smb_strtoul(s, NULL, 0, &error, SMB_STR_STANDARD); if (error != 0) { return NT_STATUS_INVALID_PARAMETER; } } return NT_STATUS_OK; } /* return a dom_sid from a extended DN structure */ NTSTATUS dsdb_get_extended_dn_sid(struct ldb_dn *dn, struct dom_sid *sid, const char *component_name) { const struct ldb_val *sid_blob; enum ndr_err_code ndr_err; sid_blob = ldb_dn_get_extended_component(dn, component_name); if (!sid_blob) { return NT_STATUS_OBJECT_NAME_NOT_FOUND; } ndr_err = ndr_pull_struct_blob_all_noalloc(sid_blob, sid, (ndr_pull_flags_fn_t)ndr_pull_dom_sid); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { NTSTATUS status = ndr_map_error2ntstatus(ndr_err); return status; } return NT_STATUS_OK; } /* return RMD_FLAGS directly from a ldb_dn returns 0 if not found */ uint32_t dsdb_dn_rmd_flags(struct ldb_dn *dn) { uint32_t rmd_flags = 0; NTSTATUS status = dsdb_get_extended_dn_uint32(dn, &rmd_flags, "RMD_FLAGS"); if (NT_STATUS_IS_OK(status)) { return rmd_flags; } return 0; } /* return RMD_FLAGS directly from a ldb_val for a DN returns 0 if RMD_FLAGS is not found */ uint32_t dsdb_dn_val_rmd_flags(const struct ldb_val *val) { const char *p; uint32_t flags; char *end; int error = 0; if (val->length < 13) { return 0; } p = memmem(val->data, val->length, " */ return 0; } return flags; } /* return true if a ldb_val containing a DN in storage form is deleted */ bool dsdb_dn_is_deleted_val(const struct ldb_val *val) { return (dsdb_dn_val_rmd_flags(val) & DSDB_RMD_FLAG_DELETED) != 0; } /* return true if a ldb_val containing a DN in storage form is in the upgraded w2k3 linked attribute format */ bool dsdb_dn_is_upgraded_link_val(const struct ldb_val *val) { return memmem(val->data, val->length, "", wk_guid, ldb_dn_get_linearized(nc_root)); if (!wkguid_dn) { talloc_free(tmp_ctx); return ldb_operr(samdb); } ret = dsdb_search_dn(samdb, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_DELETED | DSDB_SEARCH_SHOW_RECYCLED); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } /* fix clang warning */ if (res == NULL){ talloc_free(tmp_ctx); return LDB_ERR_OTHER; } (*wkguid_dn) = talloc_steal(mem_ctx, res->msgs[0]->dn); talloc_free(tmp_ctx); return LDB_SUCCESS; } static int dsdb_dn_compare_ptrs(struct ldb_dn **dn1, struct ldb_dn **dn2) { return ldb_dn_compare(*dn1, *dn2); } /* find a NC root given a DN within the NC by reading the rootDSE namingContexts */ static int dsdb_find_nc_root_string_based(struct ldb_context *samdb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn, struct ldb_dn **nc_root) { const char *root_attrs[] = { "namingContexts", NULL }; TALLOC_CTX *tmp_ctx; int ret; struct ldb_message_element *el; struct ldb_result *root_res; unsigned int i; struct ldb_dn **nc_dns; tmp_ctx = talloc_new(samdb); if (tmp_ctx == NULL) { return ldb_oom(samdb); } ret = ldb_search(samdb, tmp_ctx, &root_res, ldb_dn_new(tmp_ctx, samdb, ""), LDB_SCOPE_BASE, root_attrs, NULL); if (ret != LDB_SUCCESS || root_res->count == 0) { DEBUG(1,("Searching for namingContexts in rootDSE failed: %s\n", ldb_errstring(samdb))); talloc_free(tmp_ctx); return ret; } el = ldb_msg_find_element(root_res->msgs[0], "namingContexts"); if ((el == NULL) || (el->num_values < 3)) { struct ldb_message *tmp_msg; DEBUG(5,("dsdb_find_nc_root: Finding a valid 'namingContexts' element in the RootDSE failed. Using a temporary list.\n")); /* This generates a temporary list of NCs in order to let the * provisioning work. */ tmp_msg = ldb_msg_new(tmp_ctx); if (tmp_msg == NULL) { talloc_free(tmp_ctx); return ldb_oom(samdb); } ret = ldb_msg_add_steal_string(tmp_msg, "namingContexts", ldb_dn_alloc_linearized(tmp_msg, ldb_get_schema_basedn(samdb))); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } ret = ldb_msg_add_steal_string(tmp_msg, "namingContexts", ldb_dn_alloc_linearized(tmp_msg, ldb_get_config_basedn(samdb))); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } ret = ldb_msg_add_steal_string(tmp_msg, "namingContexts", ldb_dn_alloc_linearized(tmp_msg, ldb_get_default_basedn(samdb))); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } el = &tmp_msg->elements[0]; } nc_dns = talloc_array(tmp_ctx, struct ldb_dn *, el->num_values); if (!nc_dns) { talloc_free(tmp_ctx); return ldb_oom(samdb); } for (i=0; inum_values; i++) { nc_dns[i] = ldb_dn_from_ldb_val(nc_dns, samdb, &el->values[i]); if (nc_dns[i] == NULL) { talloc_free(tmp_ctx); return ldb_operr(samdb); } } TYPESAFE_QSORT(nc_dns, el->num_values, dsdb_dn_compare_ptrs); for (i=0; inum_values; i++) { if (ldb_dn_compare_base(nc_dns[i], dn) == 0) { (*nc_root) = talloc_steal(mem_ctx, nc_dns[i]); talloc_free(tmp_ctx); return LDB_SUCCESS; } } talloc_free(tmp_ctx); return ldb_error(samdb, LDB_ERR_NO_SUCH_OBJECT, __func__); } struct dsdb_get_partition_and_dn { TALLOC_CTX *mem_ctx; unsigned int count; struct ldb_dn *dn; struct ldb_dn *partition_dn; bool want_partition_dn; }; static int dsdb_get_partition_and_dn(struct ldb_request *req, struct ldb_reply *ares) { int ret; struct dsdb_get_partition_and_dn *context = req->context; struct ldb_control *partition_ctrl = NULL; struct dsdb_control_current_partition *partition = NULL; if (!ares) { return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR); } if (ares->error != LDB_SUCCESS && ares->error != LDB_ERR_NO_SUCH_OBJECT) { return ldb_request_done(req, ares->error); } switch (ares->type) { case LDB_REPLY_ENTRY: if (context->count != 0) { return ldb_request_done(req, LDB_ERR_CONSTRAINT_VIOLATION); } context->count++; context->dn = talloc_steal(context->mem_ctx, ares->message->dn); break; case LDB_REPLY_REFERRAL: talloc_free(ares); return ldb_request_done(req, LDB_SUCCESS); case LDB_REPLY_DONE: partition_ctrl = ldb_reply_get_control(ares, DSDB_CONTROL_CURRENT_PARTITION_OID); if (!context->want_partition_dn || partition_ctrl == NULL) { ret = ares->error; talloc_free(ares); return ldb_request_done(req, ret); } partition = talloc_get_type_abort(partition_ctrl->data, struct dsdb_control_current_partition); context->partition_dn = ldb_dn_copy(context->mem_ctx, partition->dn); if (context->partition_dn == NULL) { return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR); } ret = ares->error; talloc_free(ares); return ldb_request_done(req, ret); } talloc_free(ares); return LDB_SUCCESS; } /* find a NC root given a DN within the NC */ int dsdb_normalise_dn_and_find_nc_root(struct ldb_context *samdb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn, struct ldb_dn **normalised_dn, struct ldb_dn **nc_root) { TALLOC_CTX *tmp_ctx; int ret; struct ldb_request *req; struct ldb_result *res; struct ldb_dn *search_dn = dn; static const char * attrs[] = { NULL }; bool has_extended = ldb_dn_has_extended(dn); bool has_normal_components = ldb_dn_get_comp_num(dn) >= 1; struct dsdb_get_partition_and_dn context = { .mem_ctx = mem_ctx, .want_partition_dn = nc_root != NULL }; if (!has_extended && !has_normal_components) { return ldb_error(samdb, LDB_ERR_NO_SUCH_OBJECT, "Request for NC root for rootDSE (\"\") denied."); } tmp_ctx = talloc_new(samdb); if (tmp_ctx == NULL) { return ldb_oom(samdb); } res = talloc_zero(tmp_ctx, struct ldb_result); if (res == NULL) { talloc_free(tmp_ctx); return ldb_oom(samdb); } if (has_extended && has_normal_components) { bool minimise_ok; search_dn = ldb_dn_copy(tmp_ctx, dn); if (search_dn == NULL) { talloc_free(tmp_ctx); return ldb_oom(samdb); } minimise_ok = ldb_dn_minimise(search_dn); if (!minimise_ok) { talloc_free(tmp_ctx); return ldb_operr(samdb); } } ret = ldb_build_search_req(&req, samdb, tmp_ctx, search_dn, LDB_SCOPE_BASE, NULL, attrs, NULL, &context, dsdb_get_partition_and_dn, NULL); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } ret = ldb_request_add_control(req, DSDB_CONTROL_CURRENT_PARTITION_OID, false, NULL); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } ret = dsdb_request_add_controls(req, DSDB_SEARCH_SHOW_RECYCLED| DSDB_SEARCH_SHOW_DELETED| DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } ret = ldb_request(samdb, req); if (ret == LDB_SUCCESS) { ret = ldb_wait(req->handle, LDB_WAIT_ALL); } /* * This could be a new DN, not in the DB, which is OK. If we * don't need the normalised DN, we can continue. * * We may be told the partition it would be in in the search * reply control, or if not we can do a string-based match. */ if (ret == LDB_ERR_NO_SUCH_OBJECT) { if (normalised_dn != NULL) { talloc_free(tmp_ctx); return ret; } ret = LDB_SUCCESS; ldb_reset_err_string(samdb); } else if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } if (normalised_dn != NULL) { if (context.count != 1) { /* No results */ ldb_asprintf_errstring(samdb, "Request for NC root for %s failed to return any results.", ldb_dn_get_linearized(dn)); talloc_free(tmp_ctx); return LDB_ERR_NO_SUCH_OBJECT; } *normalised_dn = context.dn; } /* * If the user did not need to find the nc_root, * we are done */ if (nc_root == NULL) { talloc_free(tmp_ctx); return ret; } /* * When we are working locally, both for the case were * we find the DN, and the case where we fail, we get * back via controls the partition it was in or should * have been in, to return to the client */ if (context.partition_dn != NULL) { (*nc_root) = context.partition_dn; talloc_free(tmp_ctx); return ret; } /* * This is a remote operation, which is a little harder as we * have a work out the nc_root from the list of NCs. If we did * at least resolve the DN to a string, get that now, it makes * the string-based match below possible for a GUID-based * input over remote LDAP. */ if (context.dn) { dn = context.dn; } else if (has_extended && !has_normal_components) { ldb_asprintf_errstring(samdb, "Cannot determine NC root " "for a not-found bare extended DN %s.", ldb_dn_get_extended_linearized(tmp_ctx, dn, 1)); talloc_free(tmp_ctx); return LDB_ERR_NO_SUCH_OBJECT; } /* * Either we are working against a remote LDAP * server or the object doesn't exist locally. * * This means any GUID that was present in the DN * therefore could not be evaluated, so do a * string-based match instead. */ talloc_free(tmp_ctx); return dsdb_find_nc_root_string_based(samdb, mem_ctx, dn, nc_root); } /* find a NC root given a DN within the NC */ int dsdb_find_nc_root(struct ldb_context *samdb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn, struct ldb_dn **nc_root) { return dsdb_normalise_dn_and_find_nc_root(samdb, mem_ctx, dn, NULL, nc_root); } /* find the deleted objects DN for any object, by looking for the NC root, then looking up the wellknown GUID */ int dsdb_get_deleted_objects_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *obj_dn, struct ldb_dn **do_dn) { struct ldb_dn *nc_root; int ret; ret = dsdb_find_nc_root(ldb, mem_ctx, obj_dn, &nc_root); if (ret != LDB_SUCCESS) { return ret; } ret = dsdb_wellknown_dn(ldb, mem_ctx, nc_root, DS_GUID_DELETED_OBJECTS_CONTAINER, do_dn); talloc_free(nc_root); return ret; } /* return the tombstoneLifetime, in days */ int dsdb_tombstone_lifetime(struct ldb_context *ldb, uint32_t *lifetime) { struct ldb_dn *dn; dn = ldb_get_config_basedn(ldb); if (!dn) { return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__); } dn = ldb_dn_copy(ldb, dn); if (!dn) { return ldb_operr(ldb); } /* see MS-ADTS section 7.1.1.2.4.1.1. There doesn't appear to be a wellknown GUID for this */ if (!ldb_dn_add_child_fmt(dn, "CN=Directory Service,CN=Windows NT,CN=Services")) { talloc_free(dn); return ldb_operr(ldb); } *lifetime = samdb_search_uint(ldb, dn, 180, dn, "tombstoneLifetime", "objectClass=nTDSService"); talloc_free(dn); return LDB_SUCCESS; } /* compare a ldb_val to a string case insensitively */ int samdb_ldb_val_case_cmp(const char *s, struct ldb_val *v) { size_t len = strlen(s); int ret; if (len > v->length) return 1; ret = strncasecmp(s, (const char *)v->data, v->length); if (ret != 0) return ret; if (v->length > len && v->data[len] != 0) { return -1; } return 0; } /* load the UDV for a partition in v2 format The list is returned sorted, and with our local cursor added */ int dsdb_load_udv_v2(struct ldb_context *samdb, struct ldb_dn *dn, TALLOC_CTX *mem_ctx, struct drsuapi_DsReplicaCursor2 **cursors, uint32_t *count) { static const char *attrs[] = { "replUpToDateVector", NULL }; struct ldb_result *r = NULL; const struct ldb_val *ouv_value; unsigned int i; int ret; uint64_t highest_usn = 0; const struct GUID *our_invocation_id; static const struct timeval tv1970; NTTIME nt1970 = timeval_to_nttime(&tv1970); ret = dsdb_search_dn(samdb, mem_ctx, &r, dn, attrs, DSDB_SEARCH_SHOW_RECYCLED|DSDB_SEARCH_SHOW_DELETED); if (ret != LDB_SUCCESS) { return ret; } /* fix clang warning */ if (r == NULL) { return LDB_ERR_OTHER; } ouv_value = ldb_msg_find_ldb_val(r->msgs[0], "replUpToDateVector"); if (ouv_value) { enum ndr_err_code ndr_err; struct replUpToDateVectorBlob ouv; ndr_err = ndr_pull_struct_blob(ouv_value, r, &ouv, (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { talloc_free(r); return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; } if (ouv.version != 2) { /* we always store as version 2, and * replUpToDateVector is not replicated */ talloc_free(r); return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; } *count = ouv.ctr.ctr2.count; *cursors = talloc_steal(mem_ctx, ouv.ctr.ctr2.cursors); } else { *count = 0; *cursors = NULL; } talloc_free(r); our_invocation_id = samdb_ntds_invocation_id(samdb); if (!our_invocation_id) { DEBUG(0,(__location__ ": No invocationID on samdb - %s\n", ldb_errstring(samdb))); talloc_free(*cursors); return ldb_operr(samdb); } ret = ldb_sequence_number(samdb, LDB_SEQ_HIGHEST_SEQ, &highest_usn); if (ret != LDB_SUCCESS) { /* nothing to add - this can happen after a vampire */ TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare); return LDB_SUCCESS; } for (i=0; i<*count; i++) { if (GUID_equal(our_invocation_id, &(*cursors)[i].source_dsa_invocation_id)) { (*cursors)[i].highest_usn = highest_usn; (*cursors)[i].last_sync_success = nt1970; TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare); return LDB_SUCCESS; } } (*cursors) = talloc_realloc(mem_ctx, *cursors, struct drsuapi_DsReplicaCursor2, (*count)+1); if (! *cursors) { return ldb_oom(samdb); } (*cursors)[*count].source_dsa_invocation_id = *our_invocation_id; (*cursors)[*count].highest_usn = highest_usn; (*cursors)[*count].last_sync_success = nt1970; (*count)++; TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare); return LDB_SUCCESS; } /* load the UDV for a partition in version 1 format The list is returned sorted, and with our local cursor added */ int dsdb_load_udv_v1(struct ldb_context *samdb, struct ldb_dn *dn, TALLOC_CTX *mem_ctx, struct drsuapi_DsReplicaCursor **cursors, uint32_t *count) { struct drsuapi_DsReplicaCursor2 *v2 = NULL; uint32_t i; int ret; ret = dsdb_load_udv_v2(samdb, dn, mem_ctx, &v2, count); if (ret != LDB_SUCCESS) { return ret; } if (*count == 0) { talloc_free(v2); *cursors = NULL; return LDB_SUCCESS; } *cursors = talloc_array(mem_ctx, struct drsuapi_DsReplicaCursor, *count); if (*cursors == NULL) { talloc_free(v2); return ldb_oom(samdb); } for (i=0; i<*count; i++) { (*cursors)[i].source_dsa_invocation_id = v2[i].source_dsa_invocation_id; (*cursors)[i].highest_usn = v2[i].highest_usn; } talloc_free(v2); return LDB_SUCCESS; } /* add a set of controls to a ldb_request structure based on a set of flags. See util.h for a list of available flags */ int dsdb_request_add_controls(struct ldb_request *req, uint32_t dsdb_flags) { int ret; if (dsdb_flags & DSDB_SEARCH_SEARCH_ALL_PARTITIONS) { struct ldb_search_options_control *options; /* Using the phantom root control allows us to search all partitions */ options = talloc(req, struct ldb_search_options_control); if (options == NULL) { return LDB_ERR_OPERATIONS_ERROR; } options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT; ret = ldb_request_add_control(req, LDB_CONTROL_SEARCH_OPTIONS_OID, true, options); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_SEARCH_NO_GLOBAL_CATALOG) { ret = ldb_request_add_control(req, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_SEARCH_SHOW_DELETED) { ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_DELETED_OID, true, NULL); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_SEARCH_SHOW_RECYCLED) { ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_RECYCLED_OID, false, NULL); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT) { ret = ldb_request_add_control(req, DSDB_CONTROL_DN_STORAGE_FORMAT_OID, false, NULL); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_SEARCH_SHOW_EXTENDED_DN) { struct ldb_extended_dn_control *extended_ctrl = talloc(req, struct ldb_extended_dn_control); if (!extended_ctrl) { return LDB_ERR_OPERATIONS_ERROR; } extended_ctrl->type = 1; ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, extended_ctrl); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_SEARCH_REVEAL_INTERNALS) { ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_MODIFY_RELAX) { ret = ldb_request_add_control(req, LDB_CONTROL_RELAX_OID, false, NULL); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_MODIFY_PERMISSIVE) { ret = ldb_request_add_control(req, LDB_CONTROL_PERMISSIVE_MODIFY_OID, false, NULL); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_FLAG_AS_SYSTEM) { ret = ldb_request_add_control(req, LDB_CONTROL_AS_SYSTEM_OID, false, NULL); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_TREE_DELETE) { ret = ldb_request_add_control(req, LDB_CONTROL_TREE_DELETE_OID, false, NULL); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_PROVISION) { ret = ldb_request_add_control(req, LDB_CONTROL_PROVISION_OID, false, NULL); if (ret != LDB_SUCCESS) { return ret; } } /* This is a special control to bypass the password_hash module for use in pdb_samba4 for Samba3 upgrades */ if (dsdb_flags & DSDB_BYPASS_PASSWORD_HASH) { ret = ldb_request_add_control(req, DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID, true, NULL); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_PASSWORD_BYPASS_LAST_SET) { /* * This must not be critical, as it will only be * handled (and need to be handled) if the other * attributes in the request bring password_hash into * action */ ret = ldb_request_add_control(req, DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID, false, NULL); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_REPLMD_VANISH_LINKS) { ret = ldb_request_add_control(req, DSDB_CONTROL_REPLMD_VANISH_LINKS, true, NULL); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_MODIFY_PARTIAL_REPLICA) { ret = ldb_request_add_control(req, DSDB_CONTROL_PARTIAL_REPLICA, false, NULL); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_FLAG_REPLICATED_UPDATE) { ret = ldb_request_add_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID, false, NULL); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_FLAG_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE) { ret = ldb_request_add_control(req, DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID, true, NULL); if (ret != LDB_SUCCESS) { return ret; } } if (dsdb_flags & DSDB_MARK_REQ_UNTRUSTED) { ldb_req_mark_untrusted(req); } return LDB_SUCCESS; } /* returns true if a control with the specified "oid" exists */ bool dsdb_request_has_control(struct ldb_request *req, const char *oid) { return (ldb_request_get_control(req, oid) != NULL); } /* an add with a set of controls */ int dsdb_add(struct ldb_context *ldb, const struct ldb_message *message, uint32_t dsdb_flags) { struct ldb_request *req; int ret; ret = ldb_build_add_req(&req, ldb, ldb, message, NULL, NULL, ldb_op_default_callback, NULL); if (ret != LDB_SUCCESS) return ret; ret = dsdb_request_add_controls(req, dsdb_flags); if (ret != LDB_SUCCESS) { talloc_free(req); return ret; } ret = dsdb_autotransaction_request(ldb, req); talloc_free(req); return ret; } /* a modify with a set of controls */ int dsdb_modify(struct ldb_context *ldb, const struct ldb_message *message, uint32_t dsdb_flags) { struct ldb_request *req; int ret; ret = ldb_build_mod_req(&req, ldb, ldb, message, NULL, NULL, ldb_op_default_callback, NULL); if (ret != LDB_SUCCESS) return ret; ret = dsdb_request_add_controls(req, dsdb_flags); if (ret != LDB_SUCCESS) { talloc_free(req); return ret; } ret = dsdb_autotransaction_request(ldb, req); talloc_free(req); return ret; } /* a delete with a set of flags */ int dsdb_delete(struct ldb_context *ldb, struct ldb_dn *dn, uint32_t dsdb_flags) { struct ldb_request *req; int ret; ret = ldb_build_del_req(&req, ldb, ldb, dn, NULL, NULL, ldb_op_default_callback, NULL); if (ret != LDB_SUCCESS) return ret; ret = dsdb_request_add_controls(req, dsdb_flags); if (ret != LDB_SUCCESS) { talloc_free(req); return ret; } ret = dsdb_autotransaction_request(ldb, req); talloc_free(req); return ret; } /* like dsdb_modify() but set all the element flags to LDB_FLAG_MOD_REPLACE */ int dsdb_replace(struct ldb_context *ldb, struct ldb_message *msg, uint32_t dsdb_flags) { unsigned int i; /* mark all the message elements as LDB_FLAG_MOD_REPLACE */ for (i=0;inum_elements;i++) { msg->elements[i].flags = LDB_FLAG_MOD_REPLACE; } return dsdb_modify(ldb, msg, dsdb_flags); } const char *dsdb_search_scope_as_string(enum ldb_scope scope) { const char *scope_str; switch (scope) { case LDB_SCOPE_BASE: scope_str = "BASE"; break; case LDB_SCOPE_ONELEVEL: scope_str = "ONE"; break; case LDB_SCOPE_SUBTREE: scope_str = "SUB"; break; default: scope_str = ""; break; } return scope_str; } /* search for attrs on one DN, allowing for dsdb_flags controls */ int dsdb_search_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_result **_result, struct ldb_dn *basedn, const char * const *attrs, uint32_t dsdb_flags) { int ret; struct ldb_request *req; struct ldb_result *res; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) { return ldb_oom(ldb); } res = talloc_zero(tmp_ctx, struct ldb_result); if (!res) { talloc_free(tmp_ctx); return ldb_oom(ldb); } ret = ldb_build_search_req(&req, ldb, res, basedn, LDB_SCOPE_BASE, NULL, attrs, NULL, res, ldb_search_default_callback, NULL); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } ret = dsdb_request_add_controls(req, dsdb_flags); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } ret = ldb_request(ldb, req); if (ret == LDB_SUCCESS) { ret = ldb_wait(req->handle, LDB_WAIT_ALL); } talloc_free(req); if (ret != LDB_SUCCESS) { DBG_INFO("flags=0x%08x %s -> %s (%s)\n", dsdb_flags, basedn?ldb_dn_get_extended_linearized(tmp_ctx, basedn, 1):"NULL", ldb_errstring(ldb), ldb_strerror(ret)); talloc_free(tmp_ctx); return ret; } DBG_DEBUG("flags=0x%08x %s -> %d\n", dsdb_flags, basedn?ldb_dn_get_extended_linearized(tmp_ctx, basedn, 1):"NULL", res->count); *_result = talloc_steal(mem_ctx, res); talloc_free(tmp_ctx); return LDB_SUCCESS; } /* search for attrs on one DN, by the GUID of the DN, allowing for dsdb_flags controls */ int dsdb_search_by_dn_guid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_result **_result, const struct GUID *guid, const char * const *attrs, uint32_t dsdb_flags) { TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); struct ldb_dn *dn; int ret; if (tmp_ctx == NULL) { return ldb_oom(ldb); } dn = ldb_dn_new_fmt(tmp_ctx, ldb, "", GUID_string(tmp_ctx, guid)); if (dn == NULL) { talloc_free(tmp_ctx); return ldb_oom(ldb); } ret = dsdb_search_dn(ldb, mem_ctx, _result, dn, attrs, dsdb_flags); talloc_free(tmp_ctx); return ret; } /* general search with dsdb_flags for controls */ int dsdb_search(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_result **_result, struct ldb_dn *basedn, enum ldb_scope scope, const char * const *attrs, uint32_t dsdb_flags, const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(8, 9) { int ret; struct ldb_request *req; struct ldb_result *res; va_list ap; char *expression = NULL; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); /* cross-partitions searches with a basedn break multi-domain support */ SMB_ASSERT(basedn == NULL || (dsdb_flags & DSDB_SEARCH_SEARCH_ALL_PARTITIONS) == 0); if (tmp_ctx == NULL) { return ldb_oom(ldb); } res = talloc_zero(tmp_ctx, struct ldb_result); if (!res) { talloc_free(tmp_ctx); return ldb_oom(ldb); } if (exp_fmt) { va_start(ap, exp_fmt); expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap); va_end(ap); if (!expression) { talloc_free(tmp_ctx); return ldb_oom(ldb); } } ret = ldb_build_search_req(&req, ldb, tmp_ctx, basedn, scope, expression, attrs, NULL, res, ldb_search_default_callback, NULL); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } ret = dsdb_request_add_controls(req, dsdb_flags); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); ldb_reset_err_string(ldb); return ret; } ret = ldb_request(ldb, req); if (ret == LDB_SUCCESS) { ret = ldb_wait(req->handle, LDB_WAIT_ALL); } if (ret != LDB_SUCCESS) { DBG_INFO("%s flags=0x%08x %s %s -> %s (%s)\n", dsdb_search_scope_as_string(scope), dsdb_flags, basedn?ldb_dn_get_extended_linearized(tmp_ctx, basedn, 1):"NULL", expression?expression:"NULL", ldb_errstring(ldb), ldb_strerror(ret)); talloc_free(tmp_ctx); return ret; } if (dsdb_flags & DSDB_SEARCH_ONE_ONLY) { if (res->count == 0) { DBG_INFO("%s SEARCH_ONE_ONLY flags=0x%08x %s %s -> %u results\n", dsdb_search_scope_as_string(scope), dsdb_flags, basedn?ldb_dn_get_extended_linearized(tmp_ctx, basedn, 1):"NULL", expression?expression:"NULL", res->count); talloc_free(tmp_ctx); ldb_reset_err_string(ldb); return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__); } if (res->count != 1) { DBG_INFO("%s SEARCH_ONE_ONLY flags=0x%08x %s %s -> %u (expected 1) results\n", dsdb_search_scope_as_string(scope), dsdb_flags, basedn?ldb_dn_get_extended_linearized(tmp_ctx, basedn, 1):"NULL", expression?expression:"NULL", res->count); talloc_free(tmp_ctx); ldb_reset_err_string(ldb); return LDB_ERR_CONSTRAINT_VIOLATION; } } *_result = talloc_steal(mem_ctx, res); DBG_DEBUG("%s flags=0x%08x %s %s -> %d\n", dsdb_search_scope_as_string(scope), dsdb_flags, basedn?ldb_dn_get_extended_linearized(tmp_ctx, basedn, 1):"NULL", expression?expression:"NULL", res->count); talloc_free(tmp_ctx); return LDB_SUCCESS; } /* general search with dsdb_flags for controls returns exactly 1 record or an error */ int dsdb_search_one(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_message **msg, struct ldb_dn *basedn, enum ldb_scope scope, const char * const *attrs, uint32_t dsdb_flags, const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(8, 9) { int ret; struct ldb_result *res; va_list ap; char *expression = NULL; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) { return ldb_oom(ldb); } dsdb_flags |= DSDB_SEARCH_ONE_ONLY; res = talloc_zero(tmp_ctx, struct ldb_result); if (!res) { talloc_free(tmp_ctx); return ldb_oom(ldb); } if (exp_fmt) { va_start(ap, exp_fmt); expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap); va_end(ap); if (!expression) { talloc_free(tmp_ctx); return ldb_oom(ldb); } ret = dsdb_search(ldb, tmp_ctx, &res, basedn, scope, attrs, dsdb_flags, "%s", expression); } else { ret = dsdb_search(ldb, tmp_ctx, &res, basedn, scope, attrs, dsdb_flags, NULL); } if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; } *msg = talloc_steal(mem_ctx, res->msgs[0]); talloc_free(tmp_ctx); return LDB_SUCCESS; } /* returns back the forest DNS name */ const char *samdb_forest_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx) { const char *forest_name = ldb_dn_canonical_string(mem_ctx, ldb_get_root_basedn(ldb)); char *p; if (forest_name == NULL) { return NULL; } p = strchr(forest_name, '/'); if (p) { *p = '\0'; } return forest_name; } /* returns back the default domain DNS name */ const char *samdb_default_domain_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx) { const char *domain_name = ldb_dn_canonical_string(mem_ctx, ldb_get_default_basedn(ldb)); char *p; if (domain_name == NULL) { return NULL; } p = strchr(domain_name, '/'); if (p) { *p = '\0'; } return domain_name; } /* validate that an DSA GUID belongs to the specified user sid. The user SID must be a domain controller account (either RODC or RWDC) */ int dsdb_validate_dsa_guid(struct ldb_context *ldb, const struct GUID *dsa_guid, const struct dom_sid *sid) { /* strategy: - find DN of record with the DSA GUID in the configuration partition (objectGUID) - remove "NTDS Settings" component from DN - do a base search on that DN for serverReference with extended-dn enabled - extract objectSid from resulting serverReference attribute - check this sid matches the sid argument */ struct ldb_dn *config_dn; TALLOC_CTX *tmp_ctx = talloc_new(ldb); struct ldb_message *msg; const char *attrs1[] = { NULL }; const char *attrs2[] = { "serverReference", NULL }; int ret; struct ldb_dn *dn, *account_dn; struct dom_sid sid2; NTSTATUS status; if (tmp_ctx == NULL) { return ldb_oom(ldb); } config_dn = ldb_get_config_basedn(ldb); ret = dsdb_search_one(ldb, tmp_ctx, &msg, config_dn, LDB_SCOPE_SUBTREE, attrs1, 0, "(&(objectGUID=%s)(objectClass=nTDSDSA))", GUID_string(tmp_ctx, dsa_guid)); if (ret != LDB_SUCCESS) { DEBUG(1,(__location__ ": Failed to find DSA objectGUID %s for sid %s\n", GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid))); talloc_free(tmp_ctx); return ldb_operr(ldb); } dn = msg->dn; if (!ldb_dn_remove_child_components(dn, 1)) { talloc_free(tmp_ctx); return ldb_operr(ldb); } ret = dsdb_search_one(ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE, attrs2, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=server)"); if (ret != LDB_SUCCESS) { DEBUG(1,(__location__ ": Failed to find server record for DSA with objectGUID %s, sid %s\n", GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid))); talloc_free(tmp_ctx); return ldb_operr(ldb); } account_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, msg, "serverReference"); if (account_dn == NULL) { DEBUG(1,(__location__ ": Failed to find account dn " "(serverReference) for %s, parent of DSA with " "objectGUID %s, sid %s\n", ldb_dn_get_linearized(msg->dn), GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid))); talloc_free(tmp_ctx); return ldb_operr(ldb); } status = dsdb_get_extended_dn_sid(account_dn, &sid2, "SID"); if (!NT_STATUS_IS_OK(status)) { DEBUG(1,(__location__ ": Failed to find SID for DSA with objectGUID %s, sid %s\n", GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid))); talloc_free(tmp_ctx); return ldb_operr(ldb); } if (!dom_sid_equal(sid, &sid2)) { /* someone is trying to spoof another account */ DEBUG(0,(__location__ ": Bad DSA objectGUID %s for sid %s - expected sid %s\n", GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid), dom_sid_string(tmp_ctx, &sid2))); talloc_free(tmp_ctx); return ldb_operr(ldb); } talloc_free(tmp_ctx); return LDB_SUCCESS; } static const char * const secret_attributes[] = { DSDB_SECRET_ATTRIBUTES, NULL }; /* check if the attribute belongs to the RODC filtered attribute set Note that attributes that are in the filtered attribute set are the ones that _are_ always sent to a RODC */ bool dsdb_attr_in_rodc_fas(const struct dsdb_attribute *sa) { /* they never get secret attributes */ if (ldb_attr_in_list(secret_attributes, sa->lDAPDisplayName)) { return false; } /* they do get non-secret critical attributes */ if (sa->schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) { return true; } /* they do get non-secret attributes marked as being in the FAS */ if (sa->searchFlags & SEARCH_FLAG_RODC_ATTRIBUTE) { return true; } /* other attributes are denied */ return false; } /* return fsmo role dn and role owner dn for a particular role*/ WERROR dsdb_get_fsmo_role_info(TALLOC_CTX *tmp_ctx, struct ldb_context *ldb, uint32_t role, struct ldb_dn **fsmo_role_dn, struct ldb_dn **role_owner_dn) { int ret; switch (role) { case DREPL_NAMING_MASTER: *fsmo_role_dn = samdb_partitions_dn(ldb, tmp_ctx); ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn); if (ret != LDB_SUCCESS) { DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Naming Master object - %s\n", ldb_errstring(ldb))); talloc_free(tmp_ctx); return WERR_DS_DRA_INTERNAL_ERROR; } break; case DREPL_INFRASTRUCTURE_MASTER: *fsmo_role_dn = samdb_infrastructure_dn(ldb, tmp_ctx); ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn); if (ret != LDB_SUCCESS) { DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Schema Master object - %s\n", ldb_errstring(ldb))); talloc_free(tmp_ctx); return WERR_DS_DRA_INTERNAL_ERROR; } break; case DREPL_RID_MASTER: ret = samdb_rid_manager_dn(ldb, tmp_ctx, fsmo_role_dn); if (ret != LDB_SUCCESS) { DEBUG(0, (__location__ ": Failed to find RID Manager object - %s\n", ldb_errstring(ldb))); talloc_free(tmp_ctx); return WERR_DS_DRA_INTERNAL_ERROR; } ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn); if (ret != LDB_SUCCESS) { DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in RID Manager object - %s\n", ldb_errstring(ldb))); talloc_free(tmp_ctx); return WERR_DS_DRA_INTERNAL_ERROR; } break; case DREPL_SCHEMA_MASTER: *fsmo_role_dn = ldb_get_schema_basedn(ldb); ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn); if (ret != LDB_SUCCESS) { DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Schema Master object - %s\n", ldb_errstring(ldb))); talloc_free(tmp_ctx); return WERR_DS_DRA_INTERNAL_ERROR; } break; case DREPL_PDC_MASTER: *fsmo_role_dn = ldb_get_default_basedn(ldb); ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn); if (ret != LDB_SUCCESS) { DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Pd Master object - %s\n", ldb_errstring(ldb))); talloc_free(tmp_ctx); return WERR_DS_DRA_INTERNAL_ERROR; } break; default: return WERR_DS_DRA_INTERNAL_ERROR; } return WERR_OK; } const char *samdb_dn_to_dnshostname(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *server_dn) { int ldb_ret; struct ldb_result *res = NULL; const char * const attrs[] = { "dNSHostName", NULL}; ldb_ret = ldb_search(ldb, mem_ctx, &res, server_dn, LDB_SCOPE_BASE, attrs, NULL); if (ldb_ret != LDB_SUCCESS) { DEBUG(4, ("Failed to find dNSHostName for dn %s, ldb error: %s\n", ldb_dn_get_linearized(server_dn), ldb_errstring(ldb))); return NULL; } return ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL); } /* returns true if an attribute is in the filter, false otherwise, provided that attribute value is provided with the expression */ bool dsdb_attr_in_parse_tree(struct ldb_parse_tree *tree, const char *attr) { unsigned int i; switch (tree->operation) { case LDB_OP_AND: case LDB_OP_OR: for (i=0;iu.list.num_elements;i++) { if (dsdb_attr_in_parse_tree(tree->u.list.elements[i], attr)) return true; } return false; case LDB_OP_NOT: return dsdb_attr_in_parse_tree(tree->u.isnot.child, attr); case LDB_OP_EQUALITY: if (ldb_attr_cmp(tree->u.equality.attr, attr) == 0) { return true; } return false; case LDB_OP_GREATER: case LDB_OP_LESS: case LDB_OP_APPROX: if (ldb_attr_cmp(tree->u.comparison.attr, attr) == 0) { return true; } return false; case LDB_OP_SUBSTRING: if (ldb_attr_cmp(tree->u.substring.attr, attr) == 0) { return true; } return false; case LDB_OP_PRESENT: /* (attrname=*) is not filtered out */ return false; case LDB_OP_EXTENDED: if (tree->u.extended.attr && ldb_attr_cmp(tree->u.extended.attr, attr) == 0) { return true; } return false; } return false; } int dsdb_werror_at(struct ldb_context *ldb, int ldb_ecode, WERROR werr, const char *location, const char *func, const char *reason) { if (reason == NULL) { reason = win_errstr(werr); } ldb_asprintf_errstring(ldb, "%08X: %s at %s:%s", W_ERROR_V(werr), reason, location, func); return ldb_ecode; } /* map an ldb error code to an approximate NTSTATUS code */ NTSTATUS dsdb_ldb_err_to_ntstatus(int err) { switch (err) { case LDB_SUCCESS: return NT_STATUS_OK; case LDB_ERR_PROTOCOL_ERROR: return NT_STATUS_DEVICE_PROTOCOL_ERROR; case LDB_ERR_TIME_LIMIT_EXCEEDED: return NT_STATUS_IO_TIMEOUT; case LDB_ERR_SIZE_LIMIT_EXCEEDED: return NT_STATUS_BUFFER_TOO_SMALL; case LDB_ERR_COMPARE_FALSE: case LDB_ERR_COMPARE_TRUE: return NT_STATUS_REVISION_MISMATCH; case LDB_ERR_AUTH_METHOD_NOT_SUPPORTED: return NT_STATUS_NOT_SUPPORTED; case LDB_ERR_STRONG_AUTH_REQUIRED: case LDB_ERR_CONFIDENTIALITY_REQUIRED: case LDB_ERR_SASL_BIND_IN_PROGRESS: case LDB_ERR_INAPPROPRIATE_AUTHENTICATION: case LDB_ERR_INVALID_CREDENTIALS: case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS: case LDB_ERR_UNWILLING_TO_PERFORM: return NT_STATUS_ACCESS_DENIED; case LDB_ERR_NO_SUCH_OBJECT: return NT_STATUS_OBJECT_NAME_NOT_FOUND; case LDB_ERR_REFERRAL: case LDB_ERR_NO_SUCH_ATTRIBUTE: return NT_STATUS_NOT_FOUND; case LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION: return NT_STATUS_NOT_SUPPORTED; case LDB_ERR_ADMIN_LIMIT_EXCEEDED: return NT_STATUS_BUFFER_TOO_SMALL; case LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE: case LDB_ERR_INAPPROPRIATE_MATCHING: case LDB_ERR_CONSTRAINT_VIOLATION: case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX: case LDB_ERR_INVALID_DN_SYNTAX: case LDB_ERR_NAMING_VIOLATION: case LDB_ERR_OBJECT_CLASS_VIOLATION: case LDB_ERR_NOT_ALLOWED_ON_NON_LEAF: case LDB_ERR_NOT_ALLOWED_ON_RDN: return NT_STATUS_INVALID_PARAMETER; case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS: case LDB_ERR_ENTRY_ALREADY_EXISTS: return NT_STATUS_ERROR_DS_OBJ_STRING_NAME_EXISTS; case LDB_ERR_BUSY: return NT_STATUS_NETWORK_BUSY; case LDB_ERR_ALIAS_PROBLEM: case LDB_ERR_ALIAS_DEREFERENCING_PROBLEM: case LDB_ERR_UNAVAILABLE: case LDB_ERR_LOOP_DETECT: case LDB_ERR_OBJECT_CLASS_MODS_PROHIBITED: case LDB_ERR_AFFECTS_MULTIPLE_DSAS: case LDB_ERR_OTHER: case LDB_ERR_OPERATIONS_ERROR: break; } return NT_STATUS_UNSUCCESSFUL; } /* create a new naming context that will hold a partial replica */ int dsdb_create_partial_replica_NC(struct ldb_context *ldb, struct ldb_dn *dn) { TALLOC_CTX *tmp_ctx = talloc_new(ldb); struct ldb_message *msg; int ret; if (tmp_ctx == NULL) { return ldb_oom(ldb); } msg = ldb_msg_new(tmp_ctx); if (msg == NULL) { talloc_free(tmp_ctx); return ldb_oom(ldb); } msg->dn = dn; ret = ldb_msg_add_string(msg, "objectClass", "top"); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ldb_oom(ldb); } /* [MS-DRSR] implies that we should only add the 'top' * objectclass, but that would cause lots of problems with our * objectclass code as top is not structural, so we add * 'domainDNS' as well to keep things sane. We're expecting * this new NC to be of objectclass domainDNS after * replication anyway */ ret = ldb_msg_add_string(msg, "objectClass", "domainDNS"); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ldb_oom(ldb); } ret = ldb_msg_add_fmt(msg, "instanceType", "%u", INSTANCE_TYPE_IS_NC_HEAD| INSTANCE_TYPE_NC_ABOVE| INSTANCE_TYPE_UNINSTANT); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ldb_oom(ldb); } ret = dsdb_add(ldb, msg, DSDB_MODIFY_PARTIAL_REPLICA); if (ret != LDB_SUCCESS && ret != LDB_ERR_ENTRY_ALREADY_EXISTS) { DEBUG(0,("Failed to create new NC for %s - %s (%s)\n", ldb_dn_get_linearized(dn), ldb_errstring(ldb), ldb_strerror(ret))); talloc_free(tmp_ctx); return ret; } DEBUG(1,("Created new NC for %s\n", ldb_dn_get_linearized(dn))); talloc_free(tmp_ctx); return LDB_SUCCESS; } /* * Return the effective badPwdCount * * This requires that the user_msg have (if present): * - badPasswordTime * - badPwdCount * * This also requires that the domain_msg have (if present): * - lockOutObservationWindow */ int dsdb_effective_badPwdCount(const struct ldb_message *user_msg, int64_t lockOutObservationWindow, NTTIME now) { int64_t badPasswordTime; badPasswordTime = ldb_msg_find_attr_as_int64(user_msg, "badPasswordTime", 0); if (badPasswordTime - lockOutObservationWindow >= now) { return ldb_msg_find_attr_as_int(user_msg, "badPwdCount", 0); } else { return 0; } } /* * Returns a user's PSO, or NULL if none was found */ static struct ldb_result *lookup_user_pso(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, const struct ldb_message *user_msg, const char * const *attrs) { struct ldb_result *res = NULL; struct ldb_dn *pso_dn = NULL; int ret; /* if the user has a PSO that applies, then use the PSO's setting */ pso_dn = ldb_msg_find_attr_as_dn(sam_ldb, mem_ctx, user_msg, "msDS-ResultantPSO"); if (pso_dn != NULL) { ret = dsdb_search_dn(sam_ldb, mem_ctx, &res, pso_dn, attrs, 0); if (ret != LDB_SUCCESS) { /* * log the error. The caller should fallback to using * the default domain password settings */ DBG_ERR("Error retrieving msDS-ResultantPSO %s for %s\n", ldb_dn_get_linearized(pso_dn), ldb_dn_get_linearized(user_msg->dn)); } talloc_free(pso_dn); } return res; } /* * Return the msDS-LockoutObservationWindow for a user message * * This requires that the user_msg have (if present): * - msDS-ResultantPSO */ int64_t samdb_result_msds_LockoutObservationWindow( struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *domain_dn, const struct ldb_message *user_msg) { int64_t lockOutObservationWindow; struct ldb_result *res = NULL; const char *attrs[] = { "msDS-LockoutObservationWindow", NULL }; if (domain_dn == NULL) { smb_panic("domain dn is NULL"); } res = lookup_user_pso(sam_ldb, mem_ctx, user_msg, attrs); if (res != NULL) { lockOutObservationWindow = ldb_msg_find_attr_as_int64(res->msgs[0], "msDS-LockoutObservationWindow", DEFAULT_OBSERVATION_WINDOW); talloc_free(res); } else { /* no PSO was found, lookup the default domain setting */ lockOutObservationWindow = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, "lockOutObservationWindow", NULL); } return lockOutObservationWindow; } /* * Return the effective badPwdCount * * This requires that the user_msg have (if present): * - badPasswordTime * - badPwdCount * - msDS-ResultantPSO */ int samdb_result_effective_badPwdCount(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *domain_dn, const struct ldb_message *user_msg) { struct timeval tv_now = timeval_current(); NTTIME now = timeval_to_nttime(&tv_now); int64_t lockOutObservationWindow = samdb_result_msds_LockoutObservationWindow( sam_ldb, mem_ctx, domain_dn, user_msg); return dsdb_effective_badPwdCount(user_msg, lockOutObservationWindow, now); } /* * Returns the lockoutThreshold that applies. If a PSO is specified, then that * setting is used over the domain defaults */ static int64_t get_lockout_threshold(struct ldb_message *domain_msg, struct ldb_message *pso_msg) { if (pso_msg != NULL) { return ldb_msg_find_attr_as_int(pso_msg, "msDS-LockoutThreshold", 0); } else { return ldb_msg_find_attr_as_int(domain_msg, "lockoutThreshold", 0); } } /* * Returns the lockOutObservationWindow that applies. If a PSO is specified, * then that setting is used over the domain defaults */ static int64_t get_lockout_observation_window(struct ldb_message *domain_msg, struct ldb_message *pso_msg) { if (pso_msg != NULL) { return ldb_msg_find_attr_as_int64(pso_msg, "msDS-LockoutObservationWindow", DEFAULT_OBSERVATION_WINDOW); } else { return ldb_msg_find_attr_as_int64(domain_msg, "lockOutObservationWindow", DEFAULT_OBSERVATION_WINDOW); } } /* * Prepare an update to the badPwdCount and associated attributes. * * This requires that the user_msg have (if present): * - objectSid * - badPasswordTime * - badPwdCount * * This also requires that the domain_msg have (if present): * - pwdProperties * - lockoutThreshold * - lockOutObservationWindow * * This also requires that the pso_msg have (if present): * - msDS-LockoutThreshold * - msDS-LockoutObservationWindow */ NTSTATUS dsdb_update_bad_pwd_count(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, struct ldb_message *user_msg, struct ldb_message *domain_msg, struct ldb_message *pso_msg, struct ldb_message **_mod_msg) { int ret, badPwdCount; unsigned int i; int64_t lockoutThreshold, lockOutObservationWindow; struct dom_sid *sid; struct timeval tv_now = timeval_current(); NTTIME now = timeval_to_nttime(&tv_now); NTSTATUS status; uint32_t pwdProperties, rid = 0; struct ldb_message *mod_msg; sid = samdb_result_dom_sid(mem_ctx, user_msg, "objectSid"); pwdProperties = ldb_msg_find_attr_as_uint(domain_msg, "pwdProperties", -1); if (sid && !(pwdProperties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) { status = dom_sid_split_rid(NULL, sid, NULL, &rid); if (!NT_STATUS_IS_OK(status)) { /* * This can't happen anyway, but always try * and update the badPwdCount on failure */ rid = 0; } } TALLOC_FREE(sid); /* * Work out if we are doing password lockout on the domain. * Also, the built in administrator account is exempt: * http://msdn.microsoft.com/en-us/library/windows/desktop/aa375371%28v=vs.85%29.aspx */ lockoutThreshold = get_lockout_threshold(domain_msg, pso_msg); if (lockoutThreshold == 0 || (rid == DOMAIN_RID_ADMINISTRATOR)) { DEBUG(5, ("Not updating badPwdCount on %s after wrong password\n", ldb_dn_get_linearized(user_msg->dn))); return NT_STATUS_OK; } mod_msg = ldb_msg_new(mem_ctx); if (mod_msg == NULL) { return NT_STATUS_NO_MEMORY; } mod_msg->dn = ldb_dn_copy(mod_msg, user_msg->dn); if (mod_msg->dn == NULL) { TALLOC_FREE(mod_msg); return NT_STATUS_NO_MEMORY; } lockOutObservationWindow = get_lockout_observation_window(domain_msg, pso_msg); badPwdCount = dsdb_effective_badPwdCount(user_msg, lockOutObservationWindow, now); badPwdCount++; ret = samdb_msg_add_int(sam_ctx, mod_msg, mod_msg, "badPwdCount", badPwdCount); if (ret != LDB_SUCCESS) { TALLOC_FREE(mod_msg); return NT_STATUS_NO_MEMORY; } ret = samdb_msg_add_int64(sam_ctx, mod_msg, mod_msg, "badPasswordTime", now); if (ret != LDB_SUCCESS) { TALLOC_FREE(mod_msg); return NT_STATUS_NO_MEMORY; } if (badPwdCount >= lockoutThreshold) { ret = samdb_msg_add_int64(sam_ctx, mod_msg, mod_msg, "lockoutTime", now); if (ret != LDB_SUCCESS) { TALLOC_FREE(mod_msg); return NT_STATUS_NO_MEMORY; } DEBUGC( DBGC_AUTH, 1, ("Locked out user %s after %d wrong passwords\n", ldb_dn_get_linearized(user_msg->dn), badPwdCount)); } else { DEBUGC( DBGC_AUTH, 5, ("Updated badPwdCount on %s after %d wrong passwords\n", ldb_dn_get_linearized(user_msg->dn), badPwdCount)); } /* mark all the message elements as LDB_FLAG_MOD_REPLACE */ for (i=0; i< mod_msg->num_elements; i++) { mod_msg->elements[i].flags = LDB_FLAG_MOD_REPLACE; } *_mod_msg = mod_msg; return NT_STATUS_OK; } /** * Sets defaults for a User object * List of default attributes set: * accountExpires, badPasswordTime, badPwdCount, * codePage, countryCode, lastLogoff, lastLogon * logonCount, pwdLastSet */ int dsdb_user_obj_set_defaults(struct ldb_context *ldb, struct ldb_message *usr_obj, struct ldb_request *req) { size_t i; int ret; const struct attribute_values { const char *name; const char *value; const char *add_value; const char *mod_value; const char *control; unsigned add_flags; unsigned mod_flags; } map[] = { { .name = "accountExpires", .add_value = "9223372036854775807", .mod_value = "0", }, { .name = "badPasswordTime", .value = "0" }, { .name = "badPwdCount", .value = "0" }, { .name = "codePage", .value = "0" }, { .name = "countryCode", .value = "0" }, { .name = "lastLogoff", .value = "0" }, { .name = "lastLogon", .value = "0" }, { .name = "logonCount", .value = "0" }, { .name = "logonHours", .add_flags = DSDB_FLAG_INTERNAL_FORCE_META_DATA, }, { .name = "pwdLastSet", .value = "0", .control = DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET_OID, }, { .name = "adminCount", .mod_value = "0", }, { .name = "operatorCount", .mod_value = "0", }, }; for (i = 0; i < ARRAY_SIZE(map); i++) { bool added = false; const char *value = NULL; unsigned flags = 0; if (req != NULL && req->operation == LDB_ADD) { value = map[i].add_value; flags = map[i].add_flags; } else { value = map[i].mod_value; flags = map[i].mod_flags; } if (value == NULL) { value = map[i].value; } if (value != NULL) { flags |= LDB_FLAG_MOD_ADD; } if (flags == 0) { continue; } ret = samdb_find_or_add_attribute_ex(ldb, usr_obj, map[i].name, value, flags, &added); if (ret != LDB_SUCCESS) { return ret; } if (req != NULL && added && map[i].control != NULL) { ret = ldb_request_add_control(req, map[i].control, false, NULL); if (ret != LDB_SUCCESS) { return ret; } } } return LDB_SUCCESS; } /** * Sets 'sAMAccountType on user object based on userAccountControl. * This function is used in processing both 'add' and 'modify' requests. * @param ldb Current ldb_context * @param usr_obj ldb_message representing User object * @param user_account_control Value for userAccountControl flags * @param account_type_p Optional pointer to account_type to return * @return LDB_SUCCESS or LDB_ERR* code on failure */ int dsdb_user_obj_set_account_type(struct ldb_context *ldb, struct ldb_message *usr_obj, uint32_t user_account_control, uint32_t *account_type_p) { int ret; uint32_t account_type; account_type = ds_uf2atype(user_account_control); if (account_type == 0) { ldb_set_errstring(ldb, "dsdb: Unrecognized account type!"); return LDB_ERR_UNWILLING_TO_PERFORM; } ret = samdb_msg_add_uint_flags(ldb, usr_obj, usr_obj, "sAMAccountType", account_type, LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ret; } if (account_type_p) { *account_type_p = account_type; } return LDB_SUCCESS; } /** * Determine and set primaryGroupID based on userAccountControl value. * This function is used in processing both 'add' and 'modify' requests. * @param ldb Current ldb_context * @param usr_obj ldb_message representing User object * @param user_account_control Value for userAccountControl flags * @param group_rid_p Optional pointer to group RID to return * @return LDB_SUCCESS or LDB_ERR* code on failure */ int dsdb_user_obj_set_primary_group_id(struct ldb_context *ldb, struct ldb_message *usr_obj, uint32_t user_account_control, uint32_t *group_rid_p) { int ret; uint32_t rid; rid = ds_uf2prim_group_rid(user_account_control); ret = samdb_msg_add_uint_flags(ldb, usr_obj, usr_obj, "primaryGroupID", rid, LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ret; } if (group_rid_p) { *group_rid_p = rid; } return LDB_SUCCESS; } /** * Returns True if the source and target DNs both have the same naming context, * i.e. they're both in the same partition. */ bool dsdb_objects_have_same_nc(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *source_dn, struct ldb_dn *target_dn) { TALLOC_CTX *tmp_ctx; struct ldb_dn *source_nc = NULL; struct ldb_dn *target_nc = NULL; int ret; bool same_nc = true; tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) { return ldb_oom(ldb); } ret = dsdb_find_nc_root(ldb, tmp_ctx, source_dn, &source_nc); /* fix clang warning */ if (source_nc == NULL) { ret = LDB_ERR_OTHER; } if (ret != LDB_SUCCESS) { DBG_ERR("Failed to find base DN for source %s: %s\n", ldb_dn_get_linearized(source_dn), ldb_errstring(ldb)); talloc_free(tmp_ctx); return true; } ret = dsdb_find_nc_root(ldb, tmp_ctx, target_dn, &target_nc); /* fix clang warning */ if (target_nc == NULL) { ret = LDB_ERR_OTHER; } if (ret != LDB_SUCCESS) { DBG_ERR("Failed to find base DN for target %s: %s\n", ldb_dn_get_linearized(target_dn), ldb_errstring(ldb)); talloc_free(tmp_ctx); return true; } same_nc = (ldb_dn_compare(source_nc, target_nc) == 0); talloc_free(tmp_ctx); return same_nc; } /* * Context for dsdb_count_domain_callback */ struct dsdb_count_domain_context { /* * Number of matching records */ size_t count; /* * sid of the domain that the records must belong to. * if NULL records can belong to any domain. */ struct dom_sid *dom_sid; }; /* * @brief ldb async callback for dsdb_domain_count. * * count the number of records in the database matching an LDAP query, * optionally filtering for domain membership. * * @param [in,out] req the ldb request being processed * req->context contains: * count The number of matching records * dom_sid The domain sid, if present records must belong * to the domain to be counted. *@param [in,out] ares The query result. * * @return an LDB error code * */ static int dsdb_count_domain_callback( struct ldb_request *req, struct ldb_reply *ares) { if (ares == NULL) { return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR); } if (ares->error != LDB_SUCCESS) { int error = ares->error; TALLOC_FREE(ares); return ldb_request_done(req, error); } switch (ares->type) { case LDB_REPLY_ENTRY: { struct dsdb_count_domain_context *context = NULL; ssize_t ret; bool in_domain; struct dom_sid sid; const struct ldb_val *v; context = req->context; if (context->dom_sid == NULL) { context->count++; break; } v = ldb_msg_find_ldb_val(ares->message, "objectSid"); if (v == NULL) { break; } ret = sid_parse(v->data, v->length, &sid); if (ret == -1) { break; } in_domain = dom_sid_in_domain(context->dom_sid, &sid); if (!in_domain) { break; } context->count++; break; } case LDB_REPLY_REFERRAL: break; case LDB_REPLY_DONE: TALLOC_FREE(ares); return ldb_request_done(req, LDB_SUCCESS); } TALLOC_FREE(ares); return LDB_SUCCESS; } /* * @brief Count the number of records matching a query. * * Count the number of entries in the database matching the supplied query, * optionally filtering only those entries belonging to the supplied domain. * * @param ldb [in] Current ldb context * @param count [out] Pointer to the count * @param base [in] The base dn for the query * @param dom_sid [in] The domain sid, if non NULL records that are not a member * of the domain are ignored. * @param scope [in] Search scope. * @param exp_fmt [in] format string for the query. * * @return LDB_STATUS code. */ int PRINTF_ATTRIBUTE(6, 7) dsdb_domain_count( struct ldb_context *ldb, size_t *count, struct ldb_dn *base, struct dom_sid *dom_sid, enum ldb_scope scope, const char *exp_fmt, ...) { TALLOC_CTX *tmp_ctx = NULL; struct ldb_request *req = NULL; struct dsdb_count_domain_context *context = NULL; char *expression = NULL; const char *object_sid[] = {"objectSid", NULL}; const char *none[] = {NULL}; va_list ap; int ret; *count = 0; tmp_ctx = talloc_new(ldb); if (tmp_ctx == NULL) { return ldb_oom(ldb); } context = talloc_zero(tmp_ctx, struct dsdb_count_domain_context); if (context == NULL) { return LDB_ERR_OPERATIONS_ERROR; } context->dom_sid = dom_sid; if (exp_fmt) { va_start(ap, exp_fmt); expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap); va_end(ap); if (expression == NULL) { TALLOC_FREE(context); TALLOC_FREE(tmp_ctx); return LDB_ERR_OPERATIONS_ERROR; } } ret = ldb_build_search_req( &req, ldb, tmp_ctx, base, scope, expression, (dom_sid == NULL) ? none : object_sid, NULL, context, dsdb_count_domain_callback, NULL); ldb_req_set_location(req, "dsdb_domain_count"); if (ret != LDB_SUCCESS) goto done; ret = ldb_request(ldb, req); if (ret == LDB_SUCCESS) { ret = ldb_wait(req->handle, LDB_WAIT_ALL); if (ret == LDB_SUCCESS) { *count = context->count; } } done: TALLOC_FREE(expression); TALLOC_FREE(req); TALLOC_FREE(context); TALLOC_FREE(tmp_ctx); return ret; } /* * Returns 1 if 'sids' contains the Protected Users group SID for the domain, 0 * if not. Returns a negative value on error. */ int dsdb_is_protected_user(struct ldb_context *ldb, const struct auth_SidAttr *sids, uint32_t num_sids) { const struct dom_sid *domain_sid = NULL; struct dom_sid protected_users_sid; uint32_t i; domain_sid = samdb_domain_sid(ldb); if (domain_sid == NULL) { return -1; } protected_users_sid = *domain_sid; if (!sid_append_rid(&protected_users_sid, DOMAIN_RID_PROTECTED_USERS)) { return -1; } for (i = 0; i < num_sids; ++i) { if (dom_sid_equal(&protected_users_sid, &sids[i].sid)) { return 1; } } return 0; }