1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-06 13:18:07 +03:00
samba-mirror/source4/dsdb/common/util.c
Andrew Bartlett 09ae48b415 dsdb: Prepare to handle smartcard password rollover
We do this by allowing the password change control to indicate
that the password is to be randomised, bypassing the quality
checks (as true random passwords often fail these) and
re-randomising with the same code as is used for the KDC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00

7037 lines
176 KiB
C
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
Unix SMB/CIFS implementation.
Samba utility functions
Copyright (C) Andrew Tridgell 2004
Copyright (C) Volker Lendecke 2004
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "ldb.h"
#include "ldb_module.h"
#include "ldb_errors.h"
#include "../lib/util/util_ldb.h"
#include "lib/crypto/gmsa.h"
#include "dsdb/samdb/samdb.h"
#include "librpc/gen_ndr/ndr_security.h"
#include "librpc/gen_ndr/ndr_misc.h"
#include "../libds/common/flags.h"
#include "dsdb/common/proto.h"
#include "libcli/ldap/ldap_ndr.h"
#include "param/param.h"
#include "librpc/gen_ndr/ndr_drsblobs.h"
#include "dsdb/common/util.h"
#include "dsdb/gmsa/gkdi.h"
#include "dsdb/gmsa/util.h"
#include "lib/socket/socket.h"
#include "librpc/gen_ndr/irpc.h"
#include "libds/common/flag_mapping.h"
#include "lib/util/access.h"
#include "lib/util/data_blob.h"
#include "lib/util/debug.h"
#include "lib/util/fault.h"
#include "lib/util/sys_rw_data.h"
#include "libcli/util/ntstatus.h"
#include "lib/util/smb_strtox.h"
#include "auth/auth.h"
#undef strncasecmp
#undef strcasecmp
/*
* This is included to allow us to handle DSDB_FLAG_REPLICATED_UPDATE in
* dsdb_request_add_controls()
*/
#include "dsdb/samdb/ldb_modules/util.h"
/* default is 30 minutes: -1e7 * 30 * 60 */
#define DEFAULT_OBSERVATION_WINDOW (-18000000000)
/*
search the sam for the specified attributes in a specific domain, filter on
objectSid being in domain_sid.
*/
int samdb_search_domain(struct ldb_context *sam_ldb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *basedn,
struct ldb_message ***res,
const char * const *attrs,
const struct dom_sid *domain_sid,
const char *format, ...) _PRINTF_ATTRIBUTE(7,8)
{
va_list ap;
int i, count;
va_start(ap, format);
count = gendb_search_v(sam_ldb, mem_ctx, basedn,
res, attrs, format, ap);
va_end(ap);
i=0;
while (i<count) {
struct dom_sid *entry_sid;
entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i], "objectSid");
if ((entry_sid == NULL) ||
(!dom_sid_in_domain(domain_sid, entry_sid))) {
/* Delete that entry from the result set */
(*res)[i] = (*res)[count-1];
count -= 1;
talloc_free(entry_sid);
continue;
}
talloc_free(entry_sid);
i += 1;
}
return count;
}
/*
search the sam for a single string attribute in exactly 1 record
*/
const char *samdb_search_string_v(struct ldb_context *sam_ldb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *basedn,
const char *attr_name,
const char *format, va_list ap) _PRINTF_ATTRIBUTE(5,0)
{
int count;
const char *attrs[2] = { NULL, NULL };
struct ldb_message **res = NULL;
attrs[0] = attr_name;
count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
if (count > 1) {
DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
attr_name, format, count));
}
if (count != 1) {
talloc_free(res);
return NULL;
}
return ldb_msg_find_attr_as_string(res[0], attr_name, NULL);
}
/*
search the sam for a single string attribute in exactly 1 record
*/
const char *samdb_search_string(struct ldb_context *sam_ldb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *basedn,
const char *attr_name,
const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
{
va_list ap;
const char *str;
va_start(ap, format);
str = samdb_search_string_v(sam_ldb, mem_ctx, basedn, attr_name, format, ap);
va_end(ap);
return str;
}
struct ldb_dn *samdb_search_dn(struct ldb_context *sam_ldb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *basedn,
const char *format, ...) _PRINTF_ATTRIBUTE(4,5)
{
va_list ap;
struct ldb_dn *ret;
struct ldb_message **res = NULL;
int count;
va_start(ap, format);
count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, NULL, format, ap);
va_end(ap);
if (count != 1) return NULL;
ret = talloc_steal(mem_ctx, res[0]->dn);
talloc_free(res);
return ret;
}
/*
search the sam for a dom_sid attribute in exactly 1 record
*/
struct dom_sid *samdb_search_dom_sid(struct ldb_context *sam_ldb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *basedn,
const char *attr_name,
const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
{
va_list ap;
int count;
struct ldb_message **res;
const char *attrs[2] = { NULL, NULL };
struct dom_sid *sid;
attrs[0] = attr_name;
va_start(ap, format);
count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
va_end(ap);
if (count > 1) {
DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
attr_name, format, count));
}
if (count != 1) {
talloc_free(res);
return NULL;
}
sid = samdb_result_dom_sid(mem_ctx, res[0], attr_name);
talloc_free(res);
return sid;
}
/*
search the sam for a single integer attribute in exactly 1 record
*/
unsigned int samdb_search_uint(struct ldb_context *sam_ldb,
TALLOC_CTX *mem_ctx,
unsigned int default_value,
struct ldb_dn *basedn,
const char *attr_name,
const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
{
va_list ap;
int count;
struct ldb_message **res;
const char *attrs[2] = { NULL, NULL };
attrs[0] = attr_name;
va_start(ap, format);
count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
va_end(ap);
if (count != 1) {
return default_value;
}
return ldb_msg_find_attr_as_uint(res[0], attr_name, default_value);
}
/*
search the sam for a single signed 64 bit integer attribute in exactly 1 record
*/
int64_t samdb_search_int64(struct ldb_context *sam_ldb,
TALLOC_CTX *mem_ctx,
int64_t default_value,
struct ldb_dn *basedn,
const char *attr_name,
const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
{
va_list ap;
int count;
struct ldb_message **res;
const char *attrs[2] = { NULL, NULL };
attrs[0] = attr_name;
va_start(ap, format);
count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
va_end(ap);
if (count != 1) {
return default_value;
}
return ldb_msg_find_attr_as_int64(res[0], attr_name, default_value);
}
/*
search the sam for multiple records each giving a single string attribute
return the number of matches, or -1 on error
*/
int samdb_search_string_multiple(struct ldb_context *sam_ldb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *basedn,
const char ***strs,
const char *attr_name,
const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
{
va_list ap;
int count, i;
const char *attrs[2] = { NULL, NULL };
struct ldb_message **res = NULL;
attrs[0] = attr_name;
va_start(ap, format);
count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
va_end(ap);
if (count <= 0) {
return count;
}
/* make sure its single valued */
for (i=0;i<count;i++) {
if (res[i]->num_elements != 1) {
DEBUG(1,("samdb: search for %s %s not single valued\n",
attr_name, format));
talloc_free(res);
return -1;
}
}
*strs = talloc_array(mem_ctx, const char *, count+1);
if (! *strs) {
talloc_free(res);
return -1;
}
for (i=0;i<count;i++) {
(*strs)[i] = ldb_msg_find_attr_as_string(res[i], attr_name, NULL);
}
(*strs)[count] = NULL;
return count;
}
struct ldb_dn *samdb_result_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
const char *attr, struct ldb_dn *default_value)
{
struct ldb_dn *ret_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, msg, attr);
if (!ret_dn) {
return default_value;
}
return ret_dn;
}
/*
pull a rid from a objectSid in a result set.
*/
uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
const char *attr, uint32_t default_value)
{
struct dom_sid *sid;
uint32_t rid;
sid = samdb_result_dom_sid(mem_ctx, msg, attr);
if (sid == NULL) {
return default_value;
}
rid = sid->sub_auths[sid->num_auths-1];
talloc_free(sid);
return rid;
}
/*
pull a dom_sid structure from a objectSid in a result set.
*/
struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
const char *attr)
{
ssize_t ret;
const struct ldb_val *v;
struct dom_sid *sid;
v = ldb_msg_find_ldb_val(msg, attr);
if (v == NULL) {
return NULL;
}
sid = talloc(mem_ctx, struct dom_sid);
if (sid == NULL) {
return NULL;
}
ret = sid_parse(v->data, v->length, sid);
if (ret == -1) {
talloc_free(sid);
return NULL;
}
return sid;
}
/**
* Makes an auth_SidAttr structure from a objectSid in a result set and a
* supplied attribute value.
*
* @param [in] mem_ctx Talloc memory context on which to allocate the auth_SidAttr.
* @param [in] msg The message from which to take the objectSid.
* @param [in] attr The attribute name, usually "objectSid".
* @param [in] attrs SE_GROUP_* flags to go with the SID.
* @returns A pointer to the auth_SidAttr structure, or NULL on failure.
*/
struct auth_SidAttr *samdb_result_dom_sid_attrs(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
const char *attr, uint32_t attrs)
{
ssize_t ret;
const struct ldb_val *v;
struct auth_SidAttr *sid;
v = ldb_msg_find_ldb_val(msg, attr);
if (v == NULL) {
return NULL;
}
sid = talloc(mem_ctx, struct auth_SidAttr);
if (sid == NULL) {
return NULL;
}
ret = sid_parse(v->data, v->length, &sid->sid);
if (ret == -1) {
talloc_free(sid);
return NULL;
}
sid->attrs = attrs;
return sid;
}
/*
pull a dom_sid structure from a objectSid in a result set.
*/
int samdb_result_dom_sid_buf(const struct ldb_message *msg,
const char *attr,
struct dom_sid *sid)
{
ssize_t ret;
const struct ldb_val *v = NULL;
v = ldb_msg_find_ldb_val(msg, attr);
if (v == NULL) {
return LDB_ERR_NO_SUCH_ATTRIBUTE;
}
ret = sid_parse(v->data, v->length, sid);
if (ret == -1) {
return LDB_ERR_OPERATIONS_ERROR;
}
return LDB_SUCCESS;
}
/*
pull a guid structure from a objectGUID in a result set.
*/
struct GUID samdb_result_guid(const struct ldb_message *msg, const char *attr)
{
const struct ldb_val *v;
struct GUID guid;
NTSTATUS status;
v = ldb_msg_find_ldb_val(msg, attr);
if (!v) return GUID_zero();
status = GUID_from_ndr_blob(v, &guid);
if (!NT_STATUS_IS_OK(status)) {
return GUID_zero();
}
return guid;
}
/*
pull a sid prefix from a objectSid in a result set.
this is used to find the domain sid for a user
*/
struct dom_sid *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
const char *attr)
{
struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg, attr);
if (!sid || sid->num_auths < 1) return NULL;
sid->num_auths--;
return sid;
}
/*
pull a NTTIME in a result set.
*/
NTTIME samdb_result_nttime(const struct ldb_message *msg, const char *attr,
NTTIME default_value)
{
return ldb_msg_find_attr_as_uint64(msg, attr, default_value);
}
/*
* Windows stores 0 for lastLogoff.
* But when a MS DC return the lastLogoff (as Logoff Time)
* it returns INT64_MAX, not returning this value in this case
* cause windows 2008 and newer version to fail for SMB requests
*/
NTTIME samdb_result_last_logoff(const struct ldb_message *msg)
{
NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "lastLogoff",0);
if (ret == 0)
ret = INT64_MAX;
return ret;
}
/*
* Windows uses both 0 and 9223372036854775807 (INT64_MAX) to
* indicate an account doesn't expire.
*
* When Windows initially creates an account, it sets
* accountExpires = 9223372036854775807 (INT64_MAX). However,
* when changing from an account having a specific expiration date to
* that account never expiring, it sets accountExpires = 0.
*
* Consolidate that logic here to allow clearer logic for account expiry in
* the rest of the code.
*/
NTTIME samdb_result_account_expires(const struct ldb_message *msg)
{
NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "accountExpires",
0);
if (ret == 0)
ret = INT64_MAX;
return ret;
}
/*
construct the allow_password_change field from the PwdLastSet attribute and the
domain password settings
*/
NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *domain_dn,
const struct ldb_message *msg,
const char *attr)
{
uint64_t attr_time = ldb_msg_find_attr_as_uint64(msg, attr, 0);
int64_t minPwdAge;
if (attr_time == 0) {
return 0;
}
minPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, "minPwdAge", NULL);
/* yes, this is a -= not a += as minPwdAge is stored as the negative
of the number of 100-nano-seconds */
attr_time -= minPwdAge;
return attr_time;
}
/*
pull a samr_Password structure from a result set.
*/
struct samr_Password *samdb_result_hash(TALLOC_CTX *mem_ctx, const struct ldb_message *msg, const char *attr)
{
struct samr_Password *hash = NULL;
const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
if (val && (val->length >= sizeof(hash->hash))) {
hash = talloc(mem_ctx, struct samr_Password);
if (hash == NULL) {
return NULL;
}
talloc_keep_secret(hash);
memcpy(hash->hash, val->data, MIN(val->length, sizeof(hash->hash)));
}
return hash;
}
/*
pull an array of samr_Password structures from a result set.
*/
unsigned int samdb_result_hashes(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
const char *attr, struct samr_Password **hashes)
{
unsigned int count, i;
const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
*hashes = NULL;
if (!val) {
return 0;
}
if (val->length % 16 != 0) {
/*
* The length is wrong. Dont try to read beyond the end of the
* buffer.
*/
return 0;
}
count = val->length / 16;
if (count == 0) {
return 0;
}
*hashes = talloc_array(mem_ctx, struct samr_Password, count);
if (! *hashes) {
return 0;
}
talloc_keep_secret(*hashes);
for (i=0;i<count;i++) {
memcpy((*hashes)[i].hash, (i*16)+(char *)val->data, 16);
}
return count;
}
NTSTATUS samdb_result_passwords_from_history(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
const struct ldb_message *msg,
unsigned int idx,
const struct samr_Password **lm_pwd,
const struct samr_Password **nt_pwd)
{
struct samr_Password *lmPwdHash, *ntPwdHash;
if (nt_pwd) {
unsigned int num_nt;
num_nt = samdb_result_hashes(mem_ctx, msg, "ntPwdHistory", &ntPwdHash);
if (num_nt <= idx) {
*nt_pwd = NULL;
} else {
*nt_pwd = &ntPwdHash[idx];
}
}
if (lm_pwd) {
/* Ensure that if we have turned off LM
* authentication, that we never use the LM hash, even
* if we store it */
if (lpcfg_lanman_auth(lp_ctx)) {
unsigned int num_lm;
num_lm = samdb_result_hashes(mem_ctx, msg, "lmPwdHistory", &lmPwdHash);
if (num_lm <= idx) {
*lm_pwd = NULL;
} else {
*lm_pwd = &lmPwdHash[idx];
}
} else {
*lm_pwd = NULL;
}
}
return NT_STATUS_OK;
}
NTSTATUS samdb_result_passwords_no_lockout(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
const struct ldb_message *msg,
struct samr_Password **nt_pwd)
{
struct samr_Password *ntPwdHash;
if (nt_pwd) {
unsigned int num_nt;
num_nt = samdb_result_hashes(mem_ctx, msg, "unicodePwd", &ntPwdHash);
if (num_nt == 0) {
*nt_pwd = NULL;
} else if (num_nt > 1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
*nt_pwd = &ntPwdHash[0];
}
}
return NT_STATUS_OK;
}
NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
const struct ldb_message *msg,
struct samr_Password **nt_pwd)
{
uint16_t acct_flags;
acct_flags = samdb_result_acct_flags(msg,
"msDS-User-Account-Control-Computed");
/* Quit if the account was locked out. */
if (acct_flags & ACB_AUTOLOCK) {
DEBUG(3,("samdb_result_passwords: Account for user %s was locked out.\n",
ldb_dn_get_linearized(msg->dn)));
return NT_STATUS_ACCOUNT_LOCKED_OUT;
}
return samdb_result_passwords_no_lockout(mem_ctx, lp_ctx, msg,
nt_pwd);
}
/*
pull a samr_LogonHours structure from a result set.
*/
struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr)
{
struct samr_LogonHours hours = {};
size_t units_per_week = 168;
const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
if (val) {
units_per_week = val->length * 8;
}
hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week/8);
if (!hours.bits) {
return hours;
}
hours.units_per_week = units_per_week;
memset(hours.bits, 0xFF, units_per_week/8);
if (val) {
memcpy(hours.bits, val->data, val->length);
}
return hours;
}
/*
pull a set of account_flags from a result set.
Naturally, this requires that userAccountControl and
(if not null) the attributes 'attr' be already
included in msg
*/
uint32_t samdb_result_acct_flags(const struct ldb_message *msg, const char *attr)
{
uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
uint32_t attr_flags = 0;
uint32_t acct_flags = ds_uf2acb(userAccountControl);
if (attr) {
attr_flags = ldb_msg_find_attr_as_uint(msg, attr, UF_ACCOUNTDISABLE);
if (attr_flags == UF_ACCOUNTDISABLE) {
DEBUG(0, ("Attribute %s not found, disabling account %s!\n", attr,
ldb_dn_get_linearized(msg->dn)));
}
acct_flags |= ds_uf2acb(attr_flags);
}
return acct_flags;
}
NTSTATUS samdb_result_parameters(TALLOC_CTX *mem_ctx,
struct ldb_message *msg,
const char *attr,
struct lsa_BinaryString *s)
{
int i;
const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
ZERO_STRUCTP(s);
if (!val) {
return NT_STATUS_OK;
}
if ((val->length % 2) != 0) {
/*
* If the on-disk data is not even in length, we know
* it is corrupt, and can not be safely pushed. We
* would either truncate, send an uninitialised
* byte or send a forced zero byte
*/
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
s->array = talloc_array(mem_ctx, uint16_t, val->length/2);
if (!s->array) {
return NT_STATUS_NO_MEMORY;
}
s->length = s->size = val->length;
/* The on-disk format is the 'network' format, being UTF16LE (sort of) */
for (i = 0; i < s->length / 2; i++) {
s->array[i] = SVAL(val->data, i * 2);
}
return NT_STATUS_OK;
}
/* Find an attribute, with a particular value */
/* The current callers of this function expect a very specific
* behaviour: In particular, objectClass subclass equivalence is not
* wanted. This means that we should not lookup the schema for the
* comparison function */
struct ldb_message_element *samdb_find_attribute(struct ldb_context *ldb,
const struct ldb_message *msg,
const char *name, const char *value)
{
unsigned int i;
struct ldb_message_element *el = ldb_msg_find_element(msg, name);
if (!el) {
return NULL;
}
for (i=0;i<el->num_values;i++) {
if (ldb_attr_cmp(value, (char *)el->values[i].data) == 0) {
return el;
}
}
return NULL;
}
static int samdb_find_or_add_attribute_ex(struct ldb_context *ldb,
struct ldb_message *msg,
const char *name,
const char *set_value,
unsigned attr_flags,
bool *added)
{
int ret;
struct ldb_message_element *el;
SMB_ASSERT(attr_flags != 0);
el = ldb_msg_find_element(msg, name);
if (el) {
if (added != NULL) {
*added = false;
}
return LDB_SUCCESS;
}
ret = ldb_msg_add_empty(msg, name,
attr_flags,
&el);
if (ret != LDB_SUCCESS) {
return ret;
}
if (set_value != NULL) {
ret = ldb_msg_add_string(msg, name, set_value);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (added != NULL) {
*added = true;
}
return LDB_SUCCESS;
}
int samdb_find_or_add_attribute(struct ldb_context *ldb, struct ldb_message *msg, const char *name, const char *set_value)
{
return samdb_find_or_add_attribute_ex(ldb, msg, name, set_value, LDB_FLAG_MOD_ADD, NULL);
}
/*
add a dom_sid element to a message
*/
int samdb_msg_add_dom_sid(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, const struct dom_sid *sid)
{
struct ldb_val v;
enum ndr_err_code ndr_err;
ndr_err = ndr_push_struct_blob(&v, mem_ctx,
sid,
(ndr_push_flags_fn_t)ndr_push_dom_sid);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
return ldb_operr(sam_ldb);
}
return ldb_msg_add_value(msg, attr_name, &v, NULL);
}
/*
add a delete element operation to a message
*/
int samdb_msg_add_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name)
{
/* we use an empty replace rather than a delete, as it allows for
dsdb_replace() to be used everywhere */
return ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_REPLACE, NULL);
}
/*
add an add attribute value to a message or enhance an existing attribute
which has the same name and the add flag set.
*/
int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
struct ldb_message *msg, const char *attr_name,
const char *value)
{
struct ldb_message_element *el;
struct ldb_val val;
char *v;
unsigned int i;
bool found = false;
int ret;
v = talloc_strdup(mem_ctx, value);
if (v == NULL) {
return ldb_oom(sam_ldb);
}
val.data = (uint8_t *) v;
val.length = strlen(v);
if (val.length == 0) {
/* allow empty strings as non-existent attributes */
return LDB_SUCCESS;
}
for (i = 0; i < msg->num_elements; i++) {
el = &msg->elements[i];
if ((ldb_attr_cmp(el->name, attr_name) == 0) &&
(LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_ADD)) {
found = true;
break;
}
}
if (!found) {
ret = ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_ADD,
&el);
if (ret != LDB_SUCCESS) {
return ret;
}
}
ret = ldb_msg_element_add_value(msg->elements, el, &val);
if (ret != LDB_SUCCESS) {
return ldb_oom(sam_ldb);
}
return LDB_SUCCESS;
}
/*
add a delete attribute value to a message or enhance an existing attribute
which has the same name and the delete flag set.
*/
int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
struct ldb_message *msg, const char *attr_name,
const char *value)
{
struct ldb_message_element *el;
struct ldb_val val;
char *v;
unsigned int i;
bool found = false;
int ret;
v = talloc_strdup(mem_ctx, value);
if (v == NULL) {
return ldb_oom(sam_ldb);
}
val.data = (uint8_t *) v;
val.length = strlen(v);
if (val.length == 0) {
/* allow empty strings as non-existent attributes */
return LDB_SUCCESS;
}
for (i = 0; i < msg->num_elements; i++) {
el = &msg->elements[i];
if ((ldb_attr_cmp(el->name, attr_name) == 0) &&
(LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE)) {
found = true;
break;
}
}
if (!found) {
ret = ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_DELETE,
&el);
if (ret != LDB_SUCCESS) {
return ret;
}
}
ret = ldb_msg_element_add_value(msg->elements, el, &val);
if (ret != LDB_SUCCESS) {
return ldb_oom(sam_ldb);
}
return LDB_SUCCESS;
}
/*
add a int element to a message
*/
int samdb_msg_add_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, int v)
{
const char *s = talloc_asprintf(mem_ctx, "%d", v);
if (s == NULL) {
return ldb_oom(sam_ldb);
}
return ldb_msg_add_string(msg, attr_name, s);
}
int samdb_msg_add_int_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, int v, int flags)
{
const char *s = talloc_asprintf(mem_ctx, "%d", v);
if (s == NULL) {
return ldb_oom(sam_ldb);
}
return ldb_msg_add_string_flags(msg, attr_name, s, flags);
}
/*
* Add an unsigned int element to a message
*
* The issue here is that we have not yet first cast to int32_t explicitly,
* before we cast to an signed int to printf() into the %d or cast to a
* int64_t before we then cast to a long long to printf into a %lld.
*
* There are *no* unsigned integers in Active Directory LDAP, even the RID
* allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
* (See the schema, and the syntax definitions in schema_syntax.c).
*
*/
int samdb_msg_add_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, unsigned int v)
{
return samdb_msg_add_int(sam_ldb, mem_ctx, msg, attr_name, (int)v);
}
int samdb_msg_add_uint_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, unsigned int v, int flags)
{
return samdb_msg_add_int_flags(sam_ldb, mem_ctx, msg, attr_name, (int)v, flags);
}
/*
add a (signed) int64_t element to a message
*/
int samdb_msg_add_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, int64_t v)
{
const char *s = talloc_asprintf(mem_ctx, "%lld", (long long)v);
if (s == NULL) {
return ldb_oom(sam_ldb);
}
return ldb_msg_add_string(msg, attr_name, s);
}
/*
* Add an unsigned int64_t (uint64_t) element to a message
*
* The issue here is that we have not yet first cast to int32_t explicitly,
* before we cast to an signed int to printf() into the %d or cast to a
* int64_t before we then cast to a long long to printf into a %lld.
*
* There are *no* unsigned integers in Active Directory LDAP, even the RID
* allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
* (See the schema, and the syntax definitions in schema_syntax.c).
*
*/
int samdb_msg_add_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, uint64_t v)
{
return samdb_msg_add_int64(sam_ldb, mem_ctx, msg, attr_name, (int64_t)v);
}
/*
append a int element to a message
*/
int samdb_msg_append_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, int v, int flags)
{
const char *s = talloc_asprintf(mem_ctx, "%d", v);
if (s == NULL) {
return ldb_oom(sam_ldb);
}
return ldb_msg_append_string(msg, attr_name, s, flags);
}
/*
* Append an unsigned int element to a message
*
* The issue here is that we have not yet first cast to int32_t explicitly,
* before we cast to an signed int to printf() into the %d or cast to a
* int64_t before we then cast to a long long to printf into a %lld.
*
* There are *no* unsigned integers in Active Directory LDAP, even the RID
* allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
* (See the schema, and the syntax definitions in schema_syntax.c).
*
*/
int samdb_msg_append_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, unsigned int v, int flags)
{
return samdb_msg_append_int(sam_ldb, mem_ctx, msg, attr_name, (int)v, flags);
}
/*
append a (signed) int64_t element to a message
*/
int samdb_msg_append_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, int64_t v, int flags)
{
const char *s = talloc_asprintf(mem_ctx, "%lld", (long long)v);
if (s == NULL) {
return ldb_oom(sam_ldb);
}
return ldb_msg_append_string(msg, attr_name, s, flags);
}
/*
* Append an unsigned int64_t (uint64_t) element to a message
*
* The issue here is that we have not yet first cast to int32_t explicitly,
* before we cast to an signed int to printf() into the %d or cast to a
* int64_t before we then cast to a long long to printf into a %lld.
*
* There are *no* unsigned integers in Active Directory LDAP, even the RID
* allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
* (See the schema, and the syntax definitions in schema_syntax.c).
*
*/
int samdb_msg_append_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, uint64_t v, int flags)
{
return samdb_msg_append_int64(sam_ldb, mem_ctx, msg, attr_name, (int64_t)v, flags);
}
/*
add a samr_Password element to a message
*/
int samdb_msg_add_hash(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, const struct samr_Password *hash)
{
struct ldb_val val;
val.data = talloc_memdup(mem_ctx, hash->hash, 16);
if (!val.data) {
return ldb_oom(sam_ldb);
}
val.length = 16;
return ldb_msg_add_value(msg, attr_name, &val, NULL);
}
/*
add a samr_Password array to a message
*/
int samdb_msg_add_hashes(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, struct samr_Password *hashes,
unsigned int count)
{
struct ldb_val val;
unsigned int i;
val.data = talloc_array_size(mem_ctx, 16, count);
val.length = count*16;
if (!val.data) {
return ldb_oom(ldb);
}
for (i=0;i<count;i++) {
memcpy(i*16 + (char *)val.data, hashes[i].hash, 16);
}
return ldb_msg_add_value(msg, attr_name, &val, NULL);
}
/*
add a acct_flags element to a message
*/
int samdb_msg_add_acct_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, uint32_t v)
{
return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, ds_acb2uf(v));
}
/*
add a logon_hours element to a message
*/
int samdb_msg_add_logon_hours(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, struct samr_LogonHours *hours)
{
struct ldb_val val;
val.length = hours->units_per_week / 8;
val.data = hours->bits;
return ldb_msg_add_value(msg, attr_name, &val, NULL);
}
/*
add a parameters element to a message
*/
int samdb_msg_add_parameters(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, struct lsa_BinaryString *parameters)
{
int i;
struct ldb_val val;
if ((parameters->length % 2) != 0) {
return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
}
val.data = talloc_array(mem_ctx, uint8_t, parameters->length);
if (val.data == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
val.length = parameters->length;
for (i = 0; i < parameters->length / 2; i++) {
/*
* The on-disk format needs to be in the 'network'
* format, parameters->array is a uint16_t array of
* length parameters->length / 2
*/
SSVAL(val.data, i * 2, parameters->array[i]);
}
return ldb_msg_add_steal_value(msg, attr_name, &val);
}
/*
* Sets an unsigned int element in a message
*
* The issue here is that we have not yet first cast to int32_t explicitly,
* before we cast to an signed int to printf() into the %d or cast to a
* int64_t before we then cast to a long long to printf into a %lld.
*
* There are *no* unsigned integers in Active Directory LDAP, even the RID
* allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
* (See the schema, and the syntax definitions in schema_syntax.c).
*
*/
int samdb_msg_set_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
struct ldb_message *msg, const char *attr_name,
unsigned int v)
{
struct ldb_message_element *el;
el = ldb_msg_find_element(msg, attr_name);
if (el) {
el->num_values = 0;
}
return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, v);
}
/*
* Handle ldb_request in transaction
*/
int dsdb_autotransaction_request(struct ldb_context *sam_ldb,
struct ldb_request *req)
{
int ret;
ret = ldb_transaction_start(sam_ldb);
if (ret != LDB_SUCCESS) {
return ret;
}
ret = ldb_request(sam_ldb, req);
if (ret == LDB_SUCCESS) {
ret = ldb_wait(req->handle, LDB_WAIT_ALL);
}
if (ret == LDB_SUCCESS) {
return ldb_transaction_commit(sam_ldb);
}
ldb_transaction_cancel(sam_ldb);
return ret;
}
/*
return a default security descriptor
*/
struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ctx)
{
struct security_descriptor *sd;
sd = security_descriptor_initialise(mem_ctx);
return sd;
}
struct ldb_dn *samdb_aggregate_schema_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
{
struct ldb_dn *schema_dn = ldb_get_schema_basedn(sam_ctx);
struct ldb_dn *aggregate_dn;
if (!schema_dn) {
return NULL;
}
aggregate_dn = ldb_dn_copy(mem_ctx, schema_dn);
if (!aggregate_dn) {
return NULL;
}
if (!ldb_dn_add_child_fmt(aggregate_dn, "CN=Aggregate")) {
return NULL;
}
return aggregate_dn;
}
struct ldb_dn *samdb_partitions_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
{
struct ldb_dn *new_dn;
new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx));
if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Partitions")) {
talloc_free(new_dn);
return NULL;
}
return new_dn;
}
struct ldb_dn *samdb_infrastructure_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
{
struct ldb_dn *new_dn;
new_dn = ldb_dn_copy(mem_ctx, ldb_get_default_basedn(sam_ctx));
if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Infrastructure")) {
talloc_free(new_dn);
return NULL;
}
return new_dn;
}
struct ldb_dn *samdb_system_container_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
{
struct ldb_dn *new_dn = NULL;
bool ok;
new_dn = ldb_dn_copy(mem_ctx, ldb_get_default_basedn(sam_ctx));
if (new_dn == NULL) {
return NULL;
}
ok = ldb_dn_add_child_fmt(new_dn, "CN=System");
if (!ok) {
TALLOC_FREE(new_dn);
return NULL;
}
return new_dn;
}
struct ldb_dn *samdb_sites_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
{
struct ldb_dn *new_dn;
new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx));
if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Sites")) {
talloc_free(new_dn);
return NULL;
}
return new_dn;
}
struct ldb_dn *samdb_extended_rights_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
{
struct ldb_dn *new_dn;
new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx));
if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Extended-Rights")) {
talloc_free(new_dn);
return NULL;
}
return new_dn;
}
struct ldb_dn *samdb_configuration_dn(struct ldb_context *sam_ctx,
TALLOC_CTX *mem_ctx,
const char *dn_str)
{
struct ldb_dn *config_dn = NULL;
struct ldb_dn *child_dn = NULL;
bool ok;
config_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx));
if (config_dn == NULL) {
return NULL;
}
child_dn = ldb_dn_new(mem_ctx, sam_ctx, dn_str);
if (child_dn == NULL) {
talloc_free(config_dn);
return NULL;
}
ok = ldb_dn_add_child(config_dn, child_dn);
talloc_free(child_dn);
if (!ok) {
talloc_free(config_dn);
return NULL;
}
return config_dn;
}
struct ldb_dn *samdb_gkdi_root_key_container_dn(struct ldb_context *sam_ctx,
TALLOC_CTX *mem_ctx)
{
/*
* [MS-GKDI] says the root key container is to be found in “CN=Sid Key
* Service,CN=Services”, but that is not correct.
*/
return samdb_configuration_dn(sam_ctx,
mem_ctx,
"CN=Master Root Keys,"
"CN=Group Key Distribution Service,"
"CN=Services");
}
struct ldb_dn *samdb_gkdi_root_key_dn(struct ldb_context *sam_ctx,
TALLOC_CTX *mem_ctx,
const struct GUID *root_key_id)
{
struct ldb_dn *root_key_dn = NULL;
struct ldb_dn *child_dn = NULL;
struct GUID_txt_buf guid_buf;
char *root_key_id_string = NULL;
bool ok;
root_key_id_string = GUID_buf_string(root_key_id, &guid_buf);
if (root_key_id_string == NULL) {
return NULL;
}
root_key_dn = samdb_gkdi_root_key_container_dn(sam_ctx, mem_ctx);
if (root_key_dn == NULL) {
return NULL;
}
child_dn = ldb_dn_new_fmt(mem_ctx,
sam_ctx,
"CN=%s",
root_key_id_string);
if (child_dn == NULL) {
talloc_free(root_key_dn);
return NULL;
}
ok = ldb_dn_add_child(root_key_dn, child_dn);
talloc_free(child_dn);
if (!ok) {
talloc_free(root_key_dn);
return NULL;
}
return root_key_dn;
}
/*
work out the domain sid for the current open ldb
*/
const struct dom_sid *samdb_domain_sid(struct ldb_context *ldb)
{
TALLOC_CTX *tmp_ctx;
const struct dom_sid *domain_sid;
const char *attrs[] = {
"objectSid",
NULL
};
struct ldb_result *res;
int ret;
/* see if we have a cached copy */
domain_sid = (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
if (domain_sid) {
return domain_sid;
}
tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) {
goto failed;
}
ret = ldb_search(ldb, tmp_ctx, &res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, attrs, "objectSid=*");
if (ret != LDB_SUCCESS) {
goto failed;
}
if (res->count != 1) {
goto failed;
}
domain_sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
if (domain_sid == NULL) {
goto failed;
}
/* cache the domain_sid in the ldb */
if (ldb_set_opaque(ldb, "cache.domain_sid", discard_const_p(struct dom_sid, domain_sid)) != LDB_SUCCESS) {
goto failed;
}
talloc_steal(ldb, domain_sid);
talloc_free(tmp_ctx);
return domain_sid;
failed:
talloc_free(tmp_ctx);
return NULL;
}
/*
get domain sid from cache
*/
const struct dom_sid *samdb_domain_sid_cache_only(struct ldb_context *ldb)
{
return (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
}
bool samdb_set_domain_sid(struct ldb_context *ldb, const struct dom_sid *dom_sid_in)
{
TALLOC_CTX *tmp_ctx;
struct dom_sid *dom_sid_new;
struct dom_sid *dom_sid_old;
/* see if we have a cached copy */
dom_sid_old = talloc_get_type(ldb_get_opaque(ldb,
"cache.domain_sid"), struct dom_sid);
tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) {
goto failed;
}
dom_sid_new = dom_sid_dup(tmp_ctx, dom_sid_in);
if (!dom_sid_new) {
goto failed;
}
/* cache the domain_sid in the ldb */
if (ldb_set_opaque(ldb, "cache.domain_sid", dom_sid_new) != LDB_SUCCESS) {
goto failed;
}
talloc_steal(ldb, dom_sid_new);
talloc_free(tmp_ctx);
talloc_free(dom_sid_old);
return true;
failed:
DEBUG(1,("Failed to set our own cached domain SID in the ldb!\n"));
talloc_free(tmp_ctx);
return false;
}
/*
work out the domain guid for the current open ldb
*/
const struct GUID *samdb_domain_guid(struct ldb_context *ldb)
{
TALLOC_CTX *tmp_ctx = NULL;
struct GUID *domain_guid = NULL;
const char *attrs[] = {
"objectGUID",
NULL
};
struct ldb_result *res = NULL;
int ret;
/* see if we have a cached copy */
domain_guid = (struct GUID *)ldb_get_opaque(ldb, "cache.domain_guid");
if (domain_guid) {
return domain_guid;
}
tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) {
goto failed;
}
ret = ldb_search(ldb, tmp_ctx, &res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, attrs, "objectGUID=*");
if (ret != LDB_SUCCESS) {
goto failed;
}
if (res->count != 1) {
goto failed;
}
domain_guid = talloc(tmp_ctx, struct GUID);
if (domain_guid == NULL) {
goto failed;
}
*domain_guid = samdb_result_guid(res->msgs[0], "objectGUID");
/* cache the domain_sid in the ldb */
if (ldb_set_opaque(ldb, "cache.domain_guid", domain_guid) != LDB_SUCCESS) {
goto failed;
}
talloc_steal(ldb, domain_guid);
talloc_free(tmp_ctx);
return domain_guid;
failed:
talloc_free(tmp_ctx);
return NULL;
}
bool samdb_set_ntds_settings_dn(struct ldb_context *ldb, struct ldb_dn *ntds_settings_dn_in)
{
TALLOC_CTX *tmp_ctx;
struct ldb_dn *ntds_settings_dn_new;
struct ldb_dn *ntds_settings_dn_old;
/* see if we have a forced copy from provision */
ntds_settings_dn_old = talloc_get_type(ldb_get_opaque(ldb,
"forced.ntds_settings_dn"), struct ldb_dn);
tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) {
goto failed;
}
ntds_settings_dn_new = ldb_dn_copy(tmp_ctx, ntds_settings_dn_in);
if (!ntds_settings_dn_new) {
goto failed;
}
/* set the DN in the ldb to avoid lookups during provision */
if (ldb_set_opaque(ldb, "forced.ntds_settings_dn", ntds_settings_dn_new) != LDB_SUCCESS) {
goto failed;
}
talloc_steal(ldb, ntds_settings_dn_new);
talloc_free(tmp_ctx);
talloc_free(ntds_settings_dn_old);
return true;
failed:
DEBUG(1,("Failed to set our NTDS Settings DN in the ldb!\n"));
talloc_free(tmp_ctx);
return false;
}
/*
work out the ntds settings dn for the current open ldb
*/
struct ldb_dn *samdb_ntds_settings_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
{
TALLOC_CTX *tmp_ctx;
const char *root_attrs[] = { "dsServiceName", NULL };
int ret;
struct ldb_result *root_res;
struct ldb_dn *settings_dn;
/* see if we have a cached copy */
settings_dn = (struct ldb_dn *)ldb_get_opaque(ldb, "forced.ntds_settings_dn");
if (settings_dn) {
return ldb_dn_copy(mem_ctx, settings_dn);
}
tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
goto failed;
}
ret = ldb_search(ldb, tmp_ctx, &root_res, ldb_dn_new(tmp_ctx, ldb, ""), LDB_SCOPE_BASE, root_attrs, NULL);
if (ret != LDB_SUCCESS) {
DEBUG(1,("Searching for dsServiceName in rootDSE failed: %s\n",
ldb_errstring(ldb)));
goto failed;
}
if (root_res->count != 1) {
goto failed;
}
settings_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, root_res->msgs[0], "dsServiceName");
/* note that we do not cache the DN here, as that would mean
* we could not handle server renames at runtime. Only
* provision sets up forced.ntds_settings_dn */
talloc_steal(mem_ctx, settings_dn);
talloc_free(tmp_ctx);
return settings_dn;
failed:
DEBUG(1,("Failed to find our own NTDS Settings DN in the ldb!\n"));
talloc_free(tmp_ctx);
return NULL;
}
/*
work out the ntds settings invocationID/objectGUID for the current open ldb
*/
static const struct GUID *samdb_ntds_GUID(struct ldb_context *ldb,
const char *attribute,
const char *cache_name)
{
TALLOC_CTX *tmp_ctx;
const char *attrs[] = { attribute, NULL };
int ret;
struct ldb_result *res;
struct GUID *ntds_guid;
struct ldb_dn *ntds_settings_dn = NULL;
const char *errstr = NULL;
/* see if we have a cached copy */
ntds_guid = (struct GUID *)ldb_get_opaque(ldb, cache_name);
if (ntds_guid != NULL) {
return ntds_guid;
}
tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) {
goto failed;
}
ntds_settings_dn = samdb_ntds_settings_dn(ldb, tmp_ctx);
if (ntds_settings_dn == NULL) {
errstr = "samdb_ntds_settings_dn() returned NULL";
goto failed;
}
ret = ldb_search(ldb, tmp_ctx, &res, ntds_settings_dn,
LDB_SCOPE_BASE, attrs, NULL);
if (ret) {
errstr = ldb_errstring(ldb);
goto failed;
}
if (res->count != 1) {
errstr = "incorrect number of results from base search";
goto failed;
}
ntds_guid = talloc(tmp_ctx, struct GUID);
if (ntds_guid == NULL) {
goto failed;
}
*ntds_guid = samdb_result_guid(res->msgs[0], attribute);
if (GUID_all_zero(ntds_guid)) {
if (ldb_msg_find_ldb_val(res->msgs[0], attribute)) {
errstr = "failed to find the GUID attribute";
} else {
errstr = "failed to parse the GUID";
}
goto failed;
}
/* cache the domain_sid in the ldb */
if (ldb_set_opaque(ldb, cache_name, ntds_guid) != LDB_SUCCESS) {
errstr = "ldb_set_opaque() failed";
goto failed;
}
talloc_steal(ldb, ntds_guid);
talloc_free(tmp_ctx);
return ntds_guid;
failed:
DBG_WARNING("Failed to find our own NTDS Settings %s in the ldb: %s!\n",
attribute, errstr);
talloc_free(tmp_ctx);
return NULL;
}
/*
work out the ntds settings objectGUID for the current open ldb
*/
const struct GUID *samdb_ntds_objectGUID(struct ldb_context *ldb)
{
return samdb_ntds_GUID(ldb, "objectGUID", "cache.ntds_guid");
}
/*
work out the ntds settings invocationId for the current open ldb
*/
const struct GUID *samdb_ntds_invocation_id(struct ldb_context *ldb)
{
return samdb_ntds_GUID(ldb, "invocationId", "cache.invocation_id");
}
static bool samdb_set_ntds_GUID(struct ldb_context *ldb,
const struct GUID *ntds_guid_in,
const char *attribute,
const char *cache_name)
{
TALLOC_CTX *tmp_ctx;
struct GUID *ntds_guid_new;
struct GUID *ntds_guid_old;
/* see if we have a cached copy */
ntds_guid_old = (struct GUID *)ldb_get_opaque(ldb, cache_name);
tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) {
goto failed;
}
ntds_guid_new = talloc(tmp_ctx, struct GUID);
if (!ntds_guid_new) {
goto failed;
}
*ntds_guid_new = *ntds_guid_in;
/* cache the domain_sid in the ldb */
if (ldb_set_opaque(ldb, cache_name, ntds_guid_new) != LDB_SUCCESS) {
goto failed;
}
talloc_steal(ldb, ntds_guid_new);
talloc_free(tmp_ctx);
talloc_free(ntds_guid_old);
return true;
failed:
DBG_WARNING("Failed to set our own cached %s in the ldb!\n",
attribute);
talloc_free(tmp_ctx);
return false;
}
bool samdb_set_ntds_objectGUID(struct ldb_context *ldb, const struct GUID *ntds_guid_in)
{
return samdb_set_ntds_GUID(ldb,
ntds_guid_in,
"objectGUID",
"cache.ntds_guid");
}
bool samdb_set_ntds_invocation_id(struct ldb_context *ldb, const struct GUID *invocation_id_in)
{
return samdb_set_ntds_GUID(ldb,
invocation_id_in,
"invocationId",
"cache.invocation_id");
}
/*
work out the server dn for the current open ldb
*/
struct ldb_dn *samdb_server_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
struct ldb_dn *dn;
if (!tmp_ctx) {
return NULL;
}
dn = ldb_dn_get_parent(mem_ctx, samdb_ntds_settings_dn(ldb, tmp_ctx));
talloc_free(tmp_ctx);
return dn;
}
/*
work out the server dn for the current open ldb
*/
struct ldb_dn *samdb_server_site_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
{
struct ldb_dn *server_dn;
struct ldb_dn *servers_dn;
struct ldb_dn *server_site_dn;
/* TODO: there must be a saner way to do this!! */
server_dn = samdb_server_dn(ldb, mem_ctx);
if (!server_dn) return NULL;
servers_dn = ldb_dn_get_parent(mem_ctx, server_dn);
talloc_free(server_dn);
if (!servers_dn) return NULL;
server_site_dn = ldb_dn_get_parent(mem_ctx, servers_dn);
talloc_free(servers_dn);
return server_site_dn;
}
/*
find the site name from a computers DN record
*/
int samdb_find_site_for_computer(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx, struct ldb_dn *computer_dn,
const char **site_name)
{
int ret;
struct ldb_dn *dn;
const struct ldb_val *rdn_val;
*site_name = NULL;
ret = samdb_reference_dn(ldb, mem_ctx, computer_dn, "serverReferenceBL", &dn);
if (ret != LDB_SUCCESS) {
return ret;
}
if (!ldb_dn_remove_child_components(dn, 2)) {
talloc_free(dn);
return LDB_ERR_INVALID_DN_SYNTAX;
}
rdn_val = ldb_dn_get_rdn_val(dn);
if (rdn_val == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
(*site_name) = talloc_strndup(mem_ctx, (const char *)rdn_val->data, rdn_val->length);
talloc_free(dn);
if (!*site_name) {
return LDB_ERR_OPERATIONS_ERROR;
}
return LDB_SUCCESS;
}
/*
find the NTDS GUID from a computers DN record
*/
int samdb_find_ntdsguid_for_computer(struct ldb_context *ldb, struct ldb_dn *computer_dn,
struct GUID *ntds_guid)
{
int ret;
struct ldb_dn *dn;
*ntds_guid = GUID_zero();
ret = samdb_reference_dn(ldb, ldb, computer_dn, "serverReferenceBL", &dn);
if (ret != LDB_SUCCESS) {
return ret;
}
if (!ldb_dn_add_child_fmt(dn, "CN=NTDS Settings")) {
talloc_free(dn);
return LDB_ERR_OPERATIONS_ERROR;
}
ret = dsdb_find_guid_by_dn(ldb, dn, ntds_guid);
talloc_free(dn);
return ret;
}
/*
find a 'reference' DN that points at another object
(eg. serverReference, rIDManagerReference etc)
*/
int samdb_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *base,
const char *attribute, struct ldb_dn **dn)
{
const char *attrs[2];
struct ldb_result *res;
int ret;
attrs[0] = attribute;
attrs[1] = NULL;
ret = dsdb_search(ldb, mem_ctx, &res, base, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_ONE_ONLY|DSDB_SEARCH_SHOW_EXTENDED_DN, NULL);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, "Cannot find DN %s to get attribute %s for reference dn: %s",
ldb_dn_get_linearized(base), attribute, ldb_errstring(ldb));
return ret;
}
*dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0], attribute);
if (!*dn) {
if (!ldb_msg_find_element(res->msgs[0], attribute)) {
ldb_asprintf_errstring(ldb, "Cannot find attribute %s of %s to calculate reference dn", attribute,
ldb_dn_get_linearized(base));
} else {
ldb_asprintf_errstring(ldb, "Cannot interpret attribute %s of %s as a dn", attribute,
ldb_dn_get_linearized(base));
}
talloc_free(res);
return LDB_ERR_NO_SUCH_ATTRIBUTE;
}
talloc_free(res);
return LDB_SUCCESS;
}
/*
find if a DN (must have GUID component!) is our ntdsDsa
*/
int samdb_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *dn, bool *is_ntdsa)
{
NTSTATUS status;
struct GUID dn_guid;
const struct GUID *our_ntds_guid;
status = dsdb_get_extended_dn_guid(dn, &dn_guid, "GUID");
if (!NT_STATUS_IS_OK(status)) {
return LDB_ERR_OPERATIONS_ERROR;
}
our_ntds_guid = samdb_ntds_objectGUID(ldb);
if (!our_ntds_guid) {
DEBUG(0, ("Failed to find our NTDS Settings GUID for comparison with %s - %s\n", ldb_dn_get_linearized(dn), ldb_errstring(ldb)));
return LDB_ERR_OPERATIONS_ERROR;
}
*is_ntdsa = GUID_equal(&dn_guid, our_ntds_guid);
return LDB_SUCCESS;
}
/*
find a 'reference' DN that points at another object and indicate if it is our ntdsDsa
*/
int samdb_reference_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *base,
const char *attribute, bool *is_ntdsa)
{
int ret;
struct ldb_dn *referenced_dn;
TALLOC_CTX *tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
ret = samdb_reference_dn(ldb, tmp_ctx, base, attribute, &referenced_dn);
if (ret != LDB_SUCCESS) {
DEBUG(0, ("Failed to find object %s for attribute %s - %s\n", ldb_dn_get_linearized(base), attribute, ldb_errstring(ldb)));
return ret;
}
ret = samdb_dn_is_our_ntdsa(ldb, referenced_dn, is_ntdsa);
talloc_free(tmp_ctx);
return ret;
}
/*
find our machine account via the serverReference attribute in the
server DN
*/
int samdb_server_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
{
struct ldb_dn *server_dn;
int ret;
server_dn = samdb_server_dn(ldb, mem_ctx);
if (server_dn == NULL) {
return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__);
}
ret = samdb_reference_dn(ldb, mem_ctx, server_dn, "serverReference", dn);
talloc_free(server_dn);
return ret;
}
/*
find the RID Manager$ DN via the rIDManagerReference attribute in the
base DN
*/
int samdb_rid_manager_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
{
return samdb_reference_dn(ldb, mem_ctx, ldb_get_default_basedn(ldb),
"rIDManagerReference", dn);
}
/*
find the RID Set DN via the rIDSetReferences attribute in our
machine account DN
*/
int samdb_rid_set_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
{
struct ldb_dn *server_ref_dn = NULL;
int ret;
ret = samdb_server_reference_dn(ldb, mem_ctx, &server_ref_dn);
if (ret != LDB_SUCCESS) {
return ret;
}
ret = samdb_reference_dn(ldb, mem_ctx, server_ref_dn, "rIDSetReferences", dn);
talloc_free(server_ref_dn);
return ret;
}
const char *samdb_server_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
{
const struct ldb_val *val = ldb_dn_get_rdn_val(samdb_server_site_dn(ldb,
mem_ctx));
if (val == NULL) {
return NULL;
}
return (const char *) val->data;
}
/*
* Finds the client site by using the client's IP address.
* The "subnet_name" returns the name of the subnet if parameter != NULL
*
* Has a Windows-based fallback to provide the only site available, or an empty
* string if there are multiple sites.
*/
const char *samdb_client_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
const char *ip_address, char **subnet_name,
bool fallback)
{
const char *attrs[] = { "cn", "siteObject", NULL };
struct ldb_dn *sites_container_dn = NULL;
struct ldb_dn *subnets_dn = NULL;
struct ldb_dn *sites_dn = NULL;
struct ldb_result *res = NULL;
const struct ldb_val *val = NULL;
const char *site_name = NULL;
const char *l_subnet_name = NULL;
const char *allow_list[2] = { NULL, NULL };
unsigned int i, count;
int ret;
/*
* if we don't have a client ip e.g. ncalrpc
* the server site is the client site
*/
if (ip_address == NULL) {
return samdb_server_site_name(ldb, mem_ctx);
}
sites_container_dn = samdb_sites_dn(ldb, mem_ctx);
if (sites_container_dn == NULL) {
goto exit;
}
subnets_dn = ldb_dn_copy(mem_ctx, sites_container_dn);
if ( ! ldb_dn_add_child_fmt(subnets_dn, "CN=Subnets")) {
goto exit;
}
ret = ldb_search(ldb, mem_ctx, &res, subnets_dn, LDB_SCOPE_ONELEVEL,
attrs, NULL);
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
count = 0;
} else if (ret != LDB_SUCCESS) {
goto exit;
} else {
count = res->count;
}
for (i = 0; i < count; i++) {
l_subnet_name = ldb_msg_find_attr_as_string(res->msgs[i], "cn",
NULL);
allow_list[0] = l_subnet_name;
if (allow_access_nolog(NULL, allow_list, "", ip_address)) {
sites_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx,
res->msgs[i],
"siteObject");
if (sites_dn == NULL) {
/* No reference, maybe another subnet matches */
continue;
}
/* "val" cannot be NULL here since "sites_dn" != NULL */
val = ldb_dn_get_rdn_val(sites_dn);
site_name = talloc_strdup(mem_ctx,
(const char *) val->data);
TALLOC_FREE(sites_dn);
break;
}
}
if (site_name == NULL && fallback) {
/* This is the Windows Server fallback rule: when no subnet
* exists and we have only one site available then use it (it
* is for sure the same as our server site). If more sites do
* exist then we don't know which one to use and set the site
* name to "". */
size_t cnt = 0;
ret = dsdb_domain_count(
ldb,
&cnt,
sites_container_dn,
NULL,
LDB_SCOPE_SUBTREE,
"(objectClass=site)");
if (ret != LDB_SUCCESS) {
goto exit;
}
if (cnt == 1) {
site_name = samdb_server_site_name(ldb, mem_ctx);
} else {
site_name = talloc_strdup(mem_ctx, "");
}
l_subnet_name = NULL;
}
if (subnet_name != NULL) {
*subnet_name = talloc_strdup(mem_ctx, l_subnet_name);
}
exit:
TALLOC_FREE(sites_container_dn);
TALLOC_FREE(subnets_dn);
TALLOC_FREE(res);
return site_name;
}
/*
work out if we are the PDC for the domain of the current open ldb
*/
bool samdb_is_pdc(struct ldb_context *ldb)
{
int ret;
bool is_pdc;
ret = samdb_reference_dn_is_our_ntdsa(ldb, ldb_get_default_basedn(ldb), "fsmoRoleOwner",
&is_pdc);
if (ret != LDB_SUCCESS) {
DEBUG(1,("Failed to find if we are the PDC for this ldb: Searching for fSMORoleOwner in %s failed: %s\n",
ldb_dn_get_linearized(ldb_get_default_basedn(ldb)),
ldb_errstring(ldb)));
return false;
}
return is_pdc;
}
/*
work out if we are a Global Catalog server for the domain of the current open ldb
*/
bool samdb_is_gc(struct ldb_context *ldb)
{
uint32_t options = 0;
if (samdb_ntds_options(ldb, &options) != LDB_SUCCESS) {
return false;
}
return (options & DS_NTDSDSA_OPT_IS_GC) != 0;
}
/* Find a domain object in the parents of a particular DN. */
int samdb_search_for_parent_domain(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
struct ldb_dn **parent_dn, const char **errstring)
{
TALLOC_CTX *local_ctx;
struct ldb_dn *sdn = dn;
struct ldb_result *res = NULL;
int ret = LDB_SUCCESS;
const char *attrs[] = { NULL };
local_ctx = talloc_new(mem_ctx);
if (local_ctx == NULL) return ldb_oom(ldb);
while ((sdn = ldb_dn_get_parent(local_ctx, sdn))) {
ret = ldb_search(ldb, local_ctx, &res, sdn, LDB_SCOPE_BASE, attrs,
"(|(objectClass=domain)(objectClass=builtinDomain))");
if (ret == LDB_SUCCESS) {
if (res->count == 1) {
break;
}
} else {
break;
}
}
if (ret != LDB_SUCCESS) {
*errstring = talloc_asprintf(mem_ctx, "Error searching for parent domain of %s, failed searching for %s: %s",
ldb_dn_get_linearized(dn),
ldb_dn_get_linearized(sdn),
ldb_errstring(ldb));
talloc_free(local_ctx);
return ret;
}
/* should never be true with 'ret=LDB_SUCCESS', here to satisfy clang */
if (res == NULL) {
talloc_free(local_ctx);
return LDB_ERR_OTHER;
}
if (res->count != 1) {
*errstring = talloc_asprintf(mem_ctx, "Invalid dn (%s), not child of a domain object",
ldb_dn_get_linearized(dn));
DEBUG(0,(__location__ ": %s\n", *errstring));
talloc_free(local_ctx);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
*parent_dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
talloc_free(local_ctx);
return ret;
}
static void pwd_timeout_debug(struct tevent_context *unused1,
struct tevent_timer *unused2,
struct timeval unused3,
void *unused4)
{
DEBUG(0, ("WARNING: check_password_complexity: password script "
"took more than 1 second to run\n"));
}
/*
* Performs checks on a user password (plaintext UNIX format - attribute
* "password"). The remaining parameters have to be extracted from the domain
* object in the AD.
*
* Result codes from "enum samr_ValidationStatus" (consider "samr.idl")
*/
enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
const char *account_name,
const char *user_principal_name,
const char *full_name,
const DATA_BLOB *utf8_blob,
const uint32_t pwdProperties,
const uint32_t minPwdLength)
{
const struct loadparm_substitution *lp_sub =
lpcfg_noop_substitution();
char *password_script = NULL;
const char *utf8_pw = (const char *)utf8_blob->data;
/*
* This looks strange because it is.
*
* The check for the number of characters in the password
* should clearly not be against the byte length, or else a
* single UTF8 character would count for more than one.
*
* We have chosen to use the number of 16-bit units that the
* password encodes to as the measure of length. This is not
* the same as the number of codepoints, if a password
* contains a character beyond the Basic Multilingual Plane
* (above 65535) it will count for more than one "character".
*/
size_t password_characters_roughly = strlen_m(utf8_pw);
/* checks if the "minPwdLength" property is satisfied */
if (minPwdLength > password_characters_roughly) {
return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
}
/* We might not be asked to check the password complexity */
if (!(pwdProperties & DOMAIN_PASSWORD_COMPLEX)) {
return SAMR_VALIDATION_STATUS_SUCCESS;
}
if (password_characters_roughly == 0) {
return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
}
password_script = lpcfg_check_password_script(lp_ctx, lp_sub, mem_ctx);
if (password_script != NULL && *password_script != '\0') {
int check_ret = 0;
int error = 0;
ssize_t nwritten = 0;
struct tevent_context *event_ctx = NULL;
struct tevent_req *req = NULL;
int cps_stdin = -1;
const char * const cmd[4] = {
"/bin/sh", "-c",
password_script,
NULL
};
event_ctx = tevent_context_init(mem_ctx);
if (event_ctx == NULL) {
TALLOC_FREE(password_script);
return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
}
/* Gives a warning after 1 second, terminates after 10 */
tevent_add_timer(event_ctx, event_ctx,
tevent_timeval_current_ofs(1, 0),
pwd_timeout_debug, NULL);
check_ret = setenv("SAMBA_CPS_ACCOUNT_NAME", account_name, 1);
if (check_ret != 0) {
TALLOC_FREE(password_script);
TALLOC_FREE(event_ctx);
return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
}
if (user_principal_name != NULL) {
check_ret = setenv("SAMBA_CPS_USER_PRINCIPAL_NAME",
user_principal_name, 1);
} else {
unsetenv("SAMBA_CPS_USER_PRINCIPAL_NAME");
}
if (check_ret != 0) {
TALLOC_FREE(password_script);
TALLOC_FREE(event_ctx);
return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
}
if (full_name != NULL) {
check_ret = setenv("SAMBA_CPS_FULL_NAME", full_name, 1);
} else {
unsetenv("SAMBA_CPS_FULL_NAME");
}
if (check_ret != 0) {
TALLOC_FREE(password_script);
TALLOC_FREE(event_ctx);
return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
}
req = samba_runcmd_send(event_ctx, event_ctx,
tevent_timeval_current_ofs(10, 0),
100, 100, cmd, NULL);
unsetenv("SAMBA_CPS_ACCOUNT_NAME");
unsetenv("SAMBA_CPS_USER_PRINCIPAL_NAME");
unsetenv("SAMBA_CPS_FULL_NAME");
if (req == NULL) {
TALLOC_FREE(password_script);
TALLOC_FREE(event_ctx);
return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
}
cps_stdin = samba_runcmd_export_stdin(req);
nwritten = write_data(
cps_stdin, utf8_blob->data, utf8_blob->length);
if (nwritten == -1) {
close(cps_stdin);
TALLOC_FREE(password_script);
TALLOC_FREE(event_ctx);
return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
}
close(cps_stdin);
if (!tevent_req_poll(req, event_ctx)) {
TALLOC_FREE(password_script);
TALLOC_FREE(event_ctx);
return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
}
check_ret = samba_runcmd_recv(req, &error);
TALLOC_FREE(event_ctx);
if (error == ETIMEDOUT) {
DEBUG(0, ("check_password_complexity: check password script took too long!\n"));
TALLOC_FREE(password_script);
return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR;
}
DEBUG(5,("check_password_complexity: check password script (%s) "
"returned [%d]\n", password_script, check_ret));
if (check_ret != 0) {
DEBUG(1,("check_password_complexity: "
"check password script said new password is not good "
"enough!\n"));
TALLOC_FREE(password_script);
return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
}
TALLOC_FREE(password_script);
return SAMR_VALIDATION_STATUS_SUCCESS;
}
TALLOC_FREE(password_script);
/*
* Here are the standard AD password quality rules, which we
* run after the script.
*/
if (!check_password_quality(utf8_pw)) {
return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
}
return SAMR_VALIDATION_STATUS_SUCCESS;
}
/*
* Callback for "samdb_set_password" password change
*/
int samdb_set_password_callback(struct ldb_request *req, struct ldb_reply *ares)
{
int ret;
if (!ares) {
return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
}
if (ares->error != LDB_SUCCESS) {
ret = ares->error;
req->context = talloc_steal(req,
ldb_reply_get_control(ares, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID));
talloc_free(ares);
return ldb_request_done(req, ret);
}
if (ares->type != LDB_REPLY_DONE) {
talloc_free(ares);
return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
}
req->context = talloc_steal(req,
ldb_reply_get_control(ares, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID));
talloc_free(ares);
return ldb_request_done(req, LDB_SUCCESS);
}
static NTSTATUS samdb_set_password_request(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
struct ldb_dn *user_dn,
const DATA_BLOB *new_password,
const struct samr_Password *ntNewHash,
enum dsdb_password_checked old_password_checked,
bool permit_interdomain_trust,
struct ldb_request **req_out)
{
struct ldb_message *msg;
struct ldb_message_element *el;
struct ldb_request *req;
int ret;
bool hash_values = false;
*req_out = NULL;
#define CHECK_RET(x) \
if (x != LDB_SUCCESS) { \
talloc_free(msg); \
return NT_STATUS_NO_MEMORY; \
}
msg = ldb_msg_new(mem_ctx);
if (msg == NULL) {
return NT_STATUS_NO_MEMORY;
}
msg->dn = user_dn;
if ((new_password != NULL)
&& ((ntNewHash == NULL))) {
/* we have the password as plaintext UTF16 */
CHECK_RET(ldb_msg_add_value(msg, "clearTextPassword",
new_password, NULL));
el = ldb_msg_find_element(msg, "clearTextPassword");
el->flags = LDB_FLAG_MOD_REPLACE;
} else if ((new_password == NULL)
&& ((ntNewHash != NULL))) {
/* we have a password as NT hash */
if (ntNewHash != NULL) {
CHECK_RET(samdb_msg_add_hash(ldb, msg, msg,
"unicodePwd", ntNewHash));
el = ldb_msg_find_element(msg, "unicodePwd");
el->flags = LDB_FLAG_MOD_REPLACE;
}
hash_values = true;
} else {
/* the password wasn't specified correctly */
talloc_free(msg);
return NT_STATUS_INVALID_PARAMETER;
}
#undef CHECK_RET
/* build modify request */
ret = ldb_build_mod_req(&req, ldb, mem_ctx, msg, NULL, NULL,
samdb_set_password_callback, NULL);
if (ret != LDB_SUCCESS) {
talloc_free(msg);
return NT_STATUS_NO_MEMORY;
}
/* Tie the lifetime of the message to that of the request. */
talloc_steal(req, msg);
/* A password change operation */
if (old_password_checked == DSDB_PASSWORD_CHECKED_AND_CORRECT) {
struct dsdb_control_password_change *change;
change = talloc(req, struct dsdb_control_password_change);
if (change == NULL) {
talloc_free(req);
return NT_STATUS_NO_MEMORY;
}
change->old_password_checked = old_password_checked;
ret = ldb_request_add_control(req,
DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID,
true, change);
if (ret != LDB_SUCCESS) {
talloc_free(req);
return NT_STATUS_NO_MEMORY;
}
/* a KDC-triggered smart card password rollover (ResetSmartCardAccountPassword) */
} else if (old_password_checked == DSDB_PASSWORD_KDC_RESET_SMARTCARD_ACCOUNT_PASSWORD) {
ret = ldb_request_add_control(req,
DSDB_CONTROL_PASSWORD_KDC_RESET_SMARTCARD_ACCOUNT_PASSWORD,
true, NULL);
if (ret != LDB_SUCCESS) {
talloc_free(req);
return NT_STATUS_NO_MEMORY;
}
}
if (hash_values) {
ret = ldb_request_add_control(req,
DSDB_CONTROL_PASSWORD_HASH_VALUES_OID,
true, NULL);
if (ret != LDB_SUCCESS) {
talloc_free(req);
return NT_STATUS_NO_MEMORY;
}
}
if (permit_interdomain_trust) {
ret = ldb_request_add_control(req,
DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID,
false, NULL);
if (ret != LDB_SUCCESS) {
talloc_free(req);
return NT_STATUS_NO_MEMORY;
}
}
ret = ldb_request_add_control(req,
DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID,
true, NULL);
if (ret != LDB_SUCCESS) {
talloc_free(req);
return NT_STATUS_NO_MEMORY;
}
*req_out = req;
return NT_STATUS_OK;
}
/*
* Sets the user password using plaintext UTF16 (attribute "new_password") or NT
* (attribute "ntNewHash") hash. Also pass the old LM and/or NT hash (attributes
* "lmOldHash"/"ntOldHash") if it is a user change or not. The "rejectReason"
* gives some more information if the change failed.
*
* Results: NT_STATUS_OK, NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
* NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION,
* NT_STATUS_ACCESS_DENIED, NT_STATUS_ACCOUNT_LOCKED_OUT, NT_STATUS_NO_MEMORY
*/
static NTSTATUS samdb_set_password_internal(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
struct ldb_dn *user_dn,
const DATA_BLOB *new_password,
const struct samr_Password *ntNewHash,
enum dsdb_password_checked old_password_checked,
enum samPwdChangeReason *reject_reason,
struct samr_DomInfo1 **_dominfo,
bool permit_interdomain_trust)
{
struct ldb_request *req;
struct dsdb_control_password_change_status *pwd_stat = NULL;
int ret;
NTSTATUS status = NT_STATUS_OK;
status = samdb_set_password_request(ldb,
mem_ctx,
user_dn,
new_password,
ntNewHash,
old_password_checked,
permit_interdomain_trust,
&req);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
ret = ldb_request(ldb, req);
if (ret == LDB_SUCCESS) {
ret = ldb_wait(req->handle, LDB_WAIT_ALL);
}
if (req->context != NULL) {
struct ldb_control *control = talloc_get_type_abort(req->context,
struct ldb_control);
pwd_stat = talloc_get_type_abort(control->data,
struct dsdb_control_password_change_status);
talloc_steal(mem_ctx, pwd_stat);
}
talloc_free(req);
/* Sets the domain info (if requested) */
if (_dominfo != NULL) {
struct samr_DomInfo1 *dominfo;
dominfo = talloc_zero(mem_ctx, struct samr_DomInfo1);
if (dominfo == NULL) {
return NT_STATUS_NO_MEMORY;
}
if (pwd_stat != NULL) {
dominfo->min_password_length = pwd_stat->domain_data.minPwdLength;
dominfo->password_properties = pwd_stat->domain_data.pwdProperties;
dominfo->password_history_length = pwd_stat->domain_data.pwdHistoryLength;
dominfo->max_password_age = pwd_stat->domain_data.maxPwdAge;
dominfo->min_password_age = pwd_stat->domain_data.minPwdAge;
}
*_dominfo = dominfo;
}
if (reject_reason != NULL) {
if (pwd_stat != NULL) {
*reject_reason = pwd_stat->reject_reason;
} else {
*reject_reason = SAM_PWD_CHANGE_NO_ERROR;
}
}
if (pwd_stat != NULL) {
talloc_free(pwd_stat);
}
if (ret == LDB_ERR_CONSTRAINT_VIOLATION) {
const char *errmsg = ldb_errstring(ldb);
char *endptr = NULL;
WERROR werr = WERR_GEN_FAILURE;
status = NT_STATUS_UNSUCCESSFUL;
if (errmsg != NULL) {
werr = W_ERROR(strtol(errmsg, &endptr, 16));
DBG_WARNING("%s\n", errmsg);
}
if (endptr != errmsg) {
if (W_ERROR_EQUAL(werr, WERR_INVALID_PASSWORD)) {
status = NT_STATUS_WRONG_PASSWORD;
}
if (W_ERROR_EQUAL(werr, WERR_PASSWORD_RESTRICTION)) {
status = NT_STATUS_PASSWORD_RESTRICTION;
}
if (W_ERROR_EQUAL(werr, WERR_ACCOUNT_LOCKED_OUT)) {
status = NT_STATUS_ACCOUNT_LOCKED_OUT;
}
}
} else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
/* don't let the caller know if an account doesn't exist */
status = NT_STATUS_WRONG_PASSWORD;
} else if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
status = NT_STATUS_ACCESS_DENIED;
} else if (ret != LDB_SUCCESS) {
DEBUG(1, ("Failed to set password on %s: %s\n",
ldb_dn_get_linearized(user_dn),
ldb_errstring(ldb)));
status = NT_STATUS_UNSUCCESSFUL;
}
return status;
}
NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
struct ldb_dn *user_dn,
const DATA_BLOB *new_password,
const struct samr_Password *ntNewHash,
enum dsdb_password_checked old_password_checked,
enum samPwdChangeReason *reject_reason,
struct samr_DomInfo1 **_dominfo)
{
return samdb_set_password_internal(ldb, mem_ctx,
user_dn,
new_password,
ntNewHash,
old_password_checked,
reject_reason, _dominfo,
false); /* reject trusts */
}
/*
* Sets the user password using plaintext UTF16 (attribute "new_password") or NT
* (attribute "ntNewHash") hash. Also pass the old LM and/or NT hash (attributes
* "lmOldHash"/"ntOldHash") if it is a user change or not. The "rejectReason"
* gives some more information if the change failed.
*
* This wrapper function for "samdb_set_password" takes a SID as input rather
* than a user DN.
*
* This call encapsulates a new LDB transaction for changing the password;
* therefore the user hasn't to start a new one.
*
* Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
* NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
* NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION,
* NT_STATUS_ACCESS_DENIED, NT_STATUS_ACCOUNT_LOCKED_OUT, NT_STATUS_NO_MEMORY
* NT_STATUS_TRANSACTION_ABORTED, NT_STATUS_NO_SUCH_USER
*/
NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
const struct dom_sid *user_sid,
const uint32_t *new_version, /* optional for trusts */
const DATA_BLOB *new_password,
const struct samr_Password *ntNewHash,
enum dsdb_password_checked old_password_checked,
enum samPwdChangeReason *reject_reason,
struct samr_DomInfo1 **_dominfo)
{
TALLOC_CTX *frame = talloc_stackframe();
NTSTATUS nt_status;
static const char * const attrs[] = {
"userAccountControl",
"sAMAccountName",
NULL
};
struct ldb_message *user_msg = NULL;
int ret;
uint32_t uac = 0;
ret = ldb_transaction_start(ldb);
if (ret != LDB_SUCCESS) {
DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(ldb)));
TALLOC_FREE(frame);
return NT_STATUS_TRANSACTION_ABORTED;
}
ret = dsdb_search_one(ldb, frame, &user_msg, ldb_get_default_basedn(ldb),
LDB_SCOPE_SUBTREE, attrs, 0,
"(&(objectSid=%s)(objectClass=user))",
ldap_encode_ndr_dom_sid(frame, user_sid));
if (ret != LDB_SUCCESS) {
ldb_transaction_cancel(ldb);
DEBUG(3, ("samdb_set_password_sid: SID[%s] not found in samdb %s - %s, "
"returning NO_SUCH_USER\n",
dom_sid_string(frame, user_sid),
ldb_strerror(ret), ldb_errstring(ldb)));
TALLOC_FREE(frame);
return NT_STATUS_NO_SUCH_USER;
}
uac = ldb_msg_find_attr_as_uint(user_msg, "userAccountControl", 0);
if (!(uac & UF_ACCOUNT_TYPE_MASK)) {
ldb_transaction_cancel(ldb);
DEBUG(1, ("samdb_set_password_sid: invalid "
"userAccountControl[0x%08X] for SID[%s] DN[%s], "
"returning NO_SUCH_USER\n",
(unsigned)uac, dom_sid_string(frame, user_sid),
ldb_dn_get_linearized(user_msg->dn)));
TALLOC_FREE(frame);
return NT_STATUS_NO_SUCH_USER;
}
if (uac & UF_INTERDOMAIN_TRUST_ACCOUNT) {
static const char * const tdo_attrs[] = {
"trustAuthIncoming",
"trustDirection",
NULL
};
struct ldb_message *tdo_msg = NULL;
const char *account_name = NULL;
uint32_t trust_direction;
uint32_t i;
const struct ldb_val *old_val = NULL;
struct trustAuthInOutBlob old_blob = {
.count = 0,
};
uint32_t old_version = 0;
struct AuthenticationInformation *old_version_a = NULL;
uint32_t _new_version = 0;
struct trustAuthInOutBlob new_blob = {
.count = 0,
};
struct ldb_val new_val = {
.length = 0,
};
struct timeval tv = timeval_current();
NTTIME now = timeval_to_nttime(&tv);
enum ndr_err_code ndr_err;
if (new_password == NULL && ntNewHash == NULL) {
ldb_transaction_cancel(ldb);
DEBUG(1, ("samdb_set_password_sid: "
"no new password provided "
"sAMAccountName for SID[%s] DN[%s], "
"returning INVALID_PARAMETER\n",
dom_sid_string(frame, user_sid),
ldb_dn_get_linearized(user_msg->dn)));
TALLOC_FREE(frame);
return NT_STATUS_INVALID_PARAMETER;
}
if (new_password != NULL && ntNewHash != NULL) {
ldb_transaction_cancel(ldb);
DEBUG(1, ("samdb_set_password_sid: "
"two new passwords provided "
"sAMAccountName for SID[%s] DN[%s], "
"returning INVALID_PARAMETER\n",
dom_sid_string(frame, user_sid),
ldb_dn_get_linearized(user_msg->dn)));
TALLOC_FREE(frame);
return NT_STATUS_INVALID_PARAMETER;
}
if (new_password != NULL && (new_password->length % 2)) {
ldb_transaction_cancel(ldb);
DEBUG(2, ("samdb_set_password_sid: "
"invalid utf16 length (%zu) "
"sAMAccountName for SID[%s] DN[%s], "
"returning WRONG_PASSWORD\n",
new_password->length,
dom_sid_string(frame, user_sid),
ldb_dn_get_linearized(user_msg->dn)));
TALLOC_FREE(frame);
return NT_STATUS_WRONG_PASSWORD;
}
if (new_password != NULL && new_password->length >= 500) {
ldb_transaction_cancel(ldb);
DEBUG(2, ("samdb_set_password_sid: "
"utf16 password too long (%zu) "
"sAMAccountName for SID[%s] DN[%s], "
"returning WRONG_PASSWORD\n",
new_password->length,
dom_sid_string(frame, user_sid),
ldb_dn_get_linearized(user_msg->dn)));
TALLOC_FREE(frame);
return NT_STATUS_WRONG_PASSWORD;
}
account_name = ldb_msg_find_attr_as_string(user_msg,
"sAMAccountName", NULL);
if (account_name == NULL) {
ldb_transaction_cancel(ldb);
DEBUG(1, ("samdb_set_password_sid: missing "
"sAMAccountName for SID[%s] DN[%s], "
"returning NO_SUCH_USER\n",
dom_sid_string(frame, user_sid),
ldb_dn_get_linearized(user_msg->dn)));
TALLOC_FREE(frame);
return NT_STATUS_NO_SUCH_USER;
}
nt_status = dsdb_trust_search_tdo_by_type(ldb,
SEC_CHAN_DOMAIN,
account_name,
tdo_attrs,
frame, &tdo_msg);
if (!NT_STATUS_IS_OK(nt_status)) {
ldb_transaction_cancel(ldb);
DEBUG(1, ("samdb_set_password_sid: dsdb_trust_search_tdo "
"failed(%s) for sAMAccountName[%s] SID[%s] DN[%s], "
"returning INTERNAL_DB_CORRUPTION\n",
nt_errstr(nt_status), account_name,
dom_sid_string(frame, user_sid),
ldb_dn_get_linearized(user_msg->dn)));
TALLOC_FREE(frame);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
trust_direction = ldb_msg_find_attr_as_int(tdo_msg,
"trustDirection", 0);
if (!(trust_direction & LSA_TRUST_DIRECTION_INBOUND)) {
ldb_transaction_cancel(ldb);
DEBUG(1, ("samdb_set_password_sid: direction[0x%08X] is "
"not inbound for sAMAccountName[%s] "
"DN[%s] TDO[%s], "
"returning INTERNAL_DB_CORRUPTION\n",
(unsigned)trust_direction,
account_name,
ldb_dn_get_linearized(user_msg->dn),
ldb_dn_get_linearized(tdo_msg->dn)));
TALLOC_FREE(frame);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
old_val = ldb_msg_find_ldb_val(tdo_msg, "trustAuthIncoming");
if (old_val != NULL) {
ndr_err = ndr_pull_struct_blob(old_val, frame, &old_blob,
(ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
ldb_transaction_cancel(ldb);
DEBUG(1, ("samdb_set_password_sid: "
"failed(%s) to parse "
"trustAuthOutgoing sAMAccountName[%s] "
"DN[%s] TDO[%s], "
"returning INTERNAL_DB_CORRUPTION\n",
ndr_map_error2string(ndr_err),
account_name,
ldb_dn_get_linearized(user_msg->dn),
ldb_dn_get_linearized(tdo_msg->dn)));
TALLOC_FREE(frame);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
}
for (i = old_blob.current.count; i > 0; i--) {
struct AuthenticationInformation *a =
&old_blob.current.array[i - 1];
switch (a->AuthType) {
case TRUST_AUTH_TYPE_NONE:
if (i == old_blob.current.count) {
/*
* remove TRUST_AUTH_TYPE_NONE at the
* end
*/
old_blob.current.count--;
}
break;
case TRUST_AUTH_TYPE_VERSION:
old_version_a = a;
old_version = a->AuthInfo.version.version;
break;
case TRUST_AUTH_TYPE_CLEAR:
break;
case TRUST_AUTH_TYPE_NT4OWF:
break;
}
}
if (new_version == NULL) {
_new_version = 0;
new_version = &_new_version;
}
if (old_version_a != NULL && *new_version != (old_version + 1)) {
old_version_a->LastUpdateTime = now;
old_version_a->AuthType = TRUST_AUTH_TYPE_NONE;
}
new_blob.count = MAX(old_blob.current.count, 2);
new_blob.current.array = talloc_zero_array(frame,
struct AuthenticationInformation,
new_blob.count);
if (new_blob.current.array == NULL) {
ldb_transaction_cancel(ldb);
TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
new_blob.previous.array = talloc_zero_array(frame,
struct AuthenticationInformation,
new_blob.count);
if (new_blob.current.array == NULL) {
ldb_transaction_cancel(ldb);
TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
for (i = 0; i < old_blob.current.count; i++) {
struct AuthenticationInformation *o =
&old_blob.current.array[i];
struct AuthenticationInformation *p =
&new_blob.previous.array[i];
*p = *o;
new_blob.previous.count++;
}
for (; i < new_blob.count; i++) {
struct AuthenticationInformation *pi =
&new_blob.previous.array[i];
if (i == 0) {
/*
* new_blob.previous is still empty so
* we'll do new_blob.previous = new_blob.current
* below.
*/
break;
}
pi->LastUpdateTime = now;
pi->AuthType = TRUST_AUTH_TYPE_NONE;
new_blob.previous.count++;
}
for (i = 0; i < new_blob.count; i++) {
struct AuthenticationInformation *ci =
&new_blob.current.array[i];
ci->LastUpdateTime = now;
switch (i) {
case 0:
if (ntNewHash != NULL) {
ci->AuthType = TRUST_AUTH_TYPE_NT4OWF;
ci->AuthInfo.nt4owf.password = *ntNewHash;
break;
}
ci->AuthType = TRUST_AUTH_TYPE_CLEAR;
ci->AuthInfo.clear.size = new_password->length;
ci->AuthInfo.clear.password = new_password->data;
break;
case 1:
ci->AuthType = TRUST_AUTH_TYPE_VERSION;
ci->AuthInfo.version.version = *new_version;
break;
default:
ci->AuthType = TRUST_AUTH_TYPE_NONE;
break;
}
new_blob.current.count++;
}
if (new_blob.previous.count == 0) {
TALLOC_FREE(new_blob.previous.array);
new_blob.previous = new_blob.current;
}
ndr_err = ndr_push_struct_blob(&new_val, frame, &new_blob,
(ndr_push_flags_fn_t)ndr_push_trustAuthInOutBlob);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
ldb_transaction_cancel(ldb);
DEBUG(1, ("samdb_set_password_sid: "
"failed(%s) to generate "
"trustAuthOutgoing sAMAccountName[%s] "
"DN[%s] TDO[%s], "
"returning UNSUCCESSFUL\n",
ndr_map_error2string(ndr_err),
account_name,
ldb_dn_get_linearized(user_msg->dn),
ldb_dn_get_linearized(tdo_msg->dn)));
TALLOC_FREE(frame);
return NT_STATUS_UNSUCCESSFUL;
}
tdo_msg->num_elements = 0;
TALLOC_FREE(tdo_msg->elements);
ret = ldb_msg_append_value(tdo_msg, "trustAuthIncoming",
&new_val, LDB_FLAG_MOD_REPLACE);
if (ret != LDB_SUCCESS) {
ldb_transaction_cancel(ldb);
TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
ret = ldb_modify(ldb, tdo_msg);
if (ret != LDB_SUCCESS) {
nt_status = dsdb_ldb_err_to_ntstatus(ret);
ldb_transaction_cancel(ldb);
DEBUG(1, ("samdb_set_password_sid: "
"failed to replace "
"trustAuthOutgoing sAMAccountName[%s] "
"DN[%s] TDO[%s], "
"%s - %s\n",
account_name,
ldb_dn_get_linearized(user_msg->dn),
ldb_dn_get_linearized(tdo_msg->dn),
nt_errstr(nt_status), ldb_errstring(ldb)));
TALLOC_FREE(frame);
return nt_status;
}
}
nt_status = samdb_set_password_internal(ldb, mem_ctx,
user_msg->dn,
new_password,
ntNewHash,
old_password_checked,
reject_reason, _dominfo,
true); /* permit trusts */
if (!NT_STATUS_IS_OK(nt_status)) {
ldb_transaction_cancel(ldb);
TALLOC_FREE(frame);
return nt_status;
}
ret = ldb_transaction_commit(ldb);
if (ret != LDB_SUCCESS) {
DEBUG(0,("Failed to commit transaction to change password on %s: %s\n",
ldb_dn_get_linearized(user_msg->dn),
ldb_errstring(ldb)));
TALLOC_FREE(frame);
return NT_STATUS_TRANSACTION_ABORTED;
}
TALLOC_FREE(frame);
return NT_STATUS_OK;
}
NTSTATUS samdb_create_foreign_security_principal(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
struct dom_sid *sid, struct ldb_dn **ret_dn)
{
struct ldb_message *msg;
struct ldb_dn *basedn = NULL;
char *sidstr;
int ret;
sidstr = dom_sid_string(mem_ctx, sid);
NT_STATUS_HAVE_NO_MEMORY(sidstr);
/* We might have to create a ForeignSecurityPrincipal, even if this user
* is in our own domain */
msg = ldb_msg_new(sidstr);
if (msg == NULL) {
talloc_free(sidstr);
return NT_STATUS_NO_MEMORY;
}
ret = dsdb_wellknown_dn(sam_ctx, sidstr,
ldb_get_default_basedn(sam_ctx),
DS_GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER,
&basedn);
if (ret != LDB_SUCCESS) {
DEBUG(0, ("Failed to find DN for "
"ForeignSecurityPrincipal container - %s\n", ldb_errstring(sam_ctx)));
talloc_free(sidstr);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
/* add core elements to the ldb_message for the alias */
msg->dn = basedn;
if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s", sidstr)) {
talloc_free(sidstr);
return NT_STATUS_NO_MEMORY;
}
ret = ldb_msg_add_string(msg, "objectClass",
"foreignSecurityPrincipal");
if (ret != LDB_SUCCESS) {
talloc_free(sidstr);
return NT_STATUS_NO_MEMORY;
}
/* create the alias */
ret = ldb_add(sam_ctx, msg);
if (ret != LDB_SUCCESS) {
DEBUG(0,("Failed to create foreignSecurityPrincipal "
"record %s: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(sam_ctx)));
talloc_free(sidstr);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
*ret_dn = talloc_steal(mem_ctx, msg->dn);
talloc_free(sidstr);
return NT_STATUS_OK;
}
/*
Find the DN of a domain, assuming it to be a dotted.dns name
*/
struct ldb_dn *samdb_dns_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const char *dns_domain)
{
unsigned int i;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
const char *binary_encoded;
const char * const *split_realm;
struct ldb_dn *dn;
if (!tmp_ctx) {
return NULL;
}
split_realm = (const char * const *)str_list_make(tmp_ctx, dns_domain, ".");
if (!split_realm) {
talloc_free(tmp_ctx);
return NULL;
}
dn = ldb_dn_new(mem_ctx, ldb, NULL);
for (i=0; split_realm[i]; i++) {
binary_encoded = ldb_binary_encode_string(tmp_ctx, split_realm[i]);
if (binary_encoded == NULL) {
DEBUG(2, ("Failed to add dc= element to DN %s\n",
ldb_dn_get_linearized(dn)));
talloc_free(tmp_ctx);
return NULL;
}
if (!ldb_dn_add_base_fmt(dn, "dc=%s", binary_encoded)) {
DEBUG(2, ("Failed to add dc=%s element to DN %s\n",
binary_encoded, ldb_dn_get_linearized(dn)));
talloc_free(tmp_ctx);
return NULL;
}
}
if (!ldb_dn_validate(dn)) {
DEBUG(2, ("Failed to validated DN %s\n",
ldb_dn_get_linearized(dn)));
talloc_free(tmp_ctx);
return NULL;
}
talloc_free(tmp_ctx);
return dn;
}
/*
Find the DNS equivalent of a DN, in dotted DNS form
*/
char *samdb_dn_to_dns_domain(TALLOC_CTX *mem_ctx, struct ldb_dn *dn)
{
int i, num_components = ldb_dn_get_comp_num(dn);
char *dns_name = talloc_strdup(mem_ctx, "");
if (dns_name == NULL) {
return NULL;
}
for (i=0; i<num_components; i++) {
const struct ldb_val *v = ldb_dn_get_component_val(dn, i);
char *s;
if (v == NULL) {
talloc_free(dns_name);
return NULL;
}
s = talloc_asprintf_append_buffer(dns_name, "%*.*s.",
(int)v->length, (int)v->length, (char *)v->data);
if (s == NULL) {
talloc_free(dns_name);
return NULL;
}
dns_name = s;
}
/* remove the last '.' */
if (dns_name[0] != 0) {
dns_name[strlen(dns_name)-1] = 0;
}
return dns_name;
}
/*
Find the DNS _msdcs name for a given NTDS GUID. The resulting DNS
name is based on the forest DNS name
*/
char *samdb_ntds_msdcs_dns_name(struct ldb_context *samdb,
TALLOC_CTX *mem_ctx,
const struct GUID *ntds_guid)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
const char *guid_str;
struct ldb_dn *forest_dn;
const char *dnsforest;
char *ret;
guid_str = GUID_string(tmp_ctx, ntds_guid);
if (guid_str == NULL) {
talloc_free(tmp_ctx);
return NULL;
}
forest_dn = ldb_get_root_basedn(samdb);
if (forest_dn == NULL) {
talloc_free(tmp_ctx);
return NULL;
}
dnsforest = samdb_dn_to_dns_domain(tmp_ctx, forest_dn);
if (dnsforest == NULL) {
talloc_free(tmp_ctx);
return NULL;
}
ret = talloc_asprintf(mem_ctx, "%s._msdcs.%s", guid_str, dnsforest);
talloc_free(tmp_ctx);
return ret;
}
/*
Find the DN of a domain, be it the netbios or DNS name
*/
struct ldb_dn *samdb_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
const char *domain_name)
{
const char * const domain_ref_attrs[] = {
"ncName", NULL
};
const char * const domain_ref2_attrs[] = {
NULL
};
struct ldb_result *res_domain_ref;
char *escaped_domain = ldb_binary_encode_string(mem_ctx, domain_name);
int ret_domain;
if (escaped_domain == NULL) {
return NULL;
}
/* find the domain's DN */
ret_domain = ldb_search(ldb, mem_ctx,
&res_domain_ref,
samdb_partitions_dn(ldb, mem_ctx),
LDB_SCOPE_ONELEVEL,
domain_ref_attrs,
"(&(nETBIOSName=%s)(objectclass=crossRef))",
escaped_domain);
if (ret_domain != LDB_SUCCESS) {
return NULL;
}
if (res_domain_ref->count == 0) {
ret_domain = ldb_search(ldb, mem_ctx,
&res_domain_ref,
samdb_dns_domain_to_dn(ldb, mem_ctx, domain_name),
LDB_SCOPE_BASE,
domain_ref2_attrs,
"(objectclass=domain)");
if (ret_domain != LDB_SUCCESS) {
return NULL;
}
if (res_domain_ref->count == 1) {
return res_domain_ref->msgs[0]->dn;
}
return NULL;
}
if (res_domain_ref->count > 1) {
DEBUG(0,("Found %d records matching domain [%s]\n",
ret_domain, domain_name));
return NULL;
}
return samdb_result_dn(ldb, mem_ctx, res_domain_ref->msgs[0], "nCName", NULL);
}
/*
use a GUID to find a DN
*/
int dsdb_find_dn_by_guid(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
const struct GUID *guid,
uint32_t dsdb_flags,
struct ldb_dn **dn)
{
int ret;
struct ldb_result *res;
const char *attrs[] = { NULL };
struct GUID_txt_buf buf;
char *guid_str = GUID_buf_string(guid, &buf);
ret = dsdb_search(ldb, mem_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs,
DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
DSDB_SEARCH_SHOW_EXTENDED_DN |
DSDB_SEARCH_ONE_ONLY | dsdb_flags,
"objectGUID=%s", guid_str);
if (ret != LDB_SUCCESS) {
return ret;
}
*dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
talloc_free(res);
return LDB_SUCCESS;
}
/*
use a DN to find a GUID with a given attribute name
*/
int dsdb_find_guid_attr_by_dn(struct ldb_context *ldb,
struct ldb_dn *dn, const char *attribute,
struct GUID *guid)
{
int ret;
struct ldb_result *res = NULL;
const char *attrs[2];
TALLOC_CTX *tmp_ctx = talloc_new(ldb);
attrs[0] = attribute;
attrs[1] = NULL;
ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs,
DSDB_SEARCH_SHOW_DELETED |
DSDB_SEARCH_SHOW_RECYCLED);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/* satisfy clang */
if (res == NULL) {
talloc_free(tmp_ctx);
return LDB_ERR_OTHER;
}
if (res->count < 1) {
talloc_free(tmp_ctx);
return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__);
}
*guid = samdb_result_guid(res->msgs[0], attribute);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/*
use a DN to find a GUID
*/
int dsdb_find_guid_by_dn(struct ldb_context *ldb,
struct ldb_dn *dn, struct GUID *guid)
{
return dsdb_find_guid_attr_by_dn(ldb, dn, "objectGUID", guid);
}
/*
adds the given GUID to the given ldb_message. This value is added
for the given attr_name (may be either "objectGUID" or "parentGUID").
This function is used in processing 'add' requests.
*/
int dsdb_msg_add_guid(struct ldb_message *msg,
struct GUID *guid,
const char *attr_name)
{
int ret;
struct ldb_val v;
NTSTATUS status;
TALLOC_CTX *tmp_ctx = talloc_init("dsdb_msg_add_guid");
status = GUID_to_ndr_blob(guid, tmp_ctx, &v);
if (!NT_STATUS_IS_OK(status)) {
ret = LDB_ERR_OPERATIONS_ERROR;
goto done;
}
ret = ldb_msg_add_steal_value(msg, attr_name, &v);
if (ret != LDB_SUCCESS) {
DEBUG(4,(__location__ ": Failed to add %s to the message\n",
attr_name));
goto done;
}
ret = LDB_SUCCESS;
done:
talloc_free(tmp_ctx);
return ret;
}
/*
use a DN to find a SID
*/
int dsdb_find_sid_by_dn(struct ldb_context *ldb,
struct ldb_dn *dn, struct dom_sid *sid)
{
int ret;
struct ldb_result *res = NULL;
const char *attrs[] = { "objectSid", NULL };
TALLOC_CTX *tmp_ctx = talloc_new(ldb);
struct dom_sid *s;
ZERO_STRUCTP(sid);
ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs,
DSDB_SEARCH_SHOW_DELETED |
DSDB_SEARCH_SHOW_RECYCLED);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
if (res == NULL) {
talloc_free(tmp_ctx);
return LDB_ERR_OTHER;
}
if (res->count < 1) {
talloc_free(tmp_ctx);
return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__);
}
s = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
if (s == NULL) {
talloc_free(tmp_ctx);
return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__);
}
*sid = *s;
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/*
use a SID to find a DN
*/
int dsdb_find_dn_by_sid(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
struct dom_sid *sid, struct ldb_dn **dn)
{
int ret;
struct ldb_result *res;
const char *attrs[] = { NULL };
char *sid_str = ldap_encode_ndr_dom_sid(mem_ctx, sid);
if (!sid_str) {
return ldb_operr(ldb);
}
ret = dsdb_search(ldb, mem_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs,
DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
DSDB_SEARCH_SHOW_EXTENDED_DN |
DSDB_SEARCH_ONE_ONLY,
"objectSid=%s", sid_str);
talloc_free(sid_str);
if (ret != LDB_SUCCESS) {
return ret;
}
*dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
talloc_free(res);
return LDB_SUCCESS;
}
/*
load a repsFromTo blob list for a given partition GUID
attr must be "repsFrom" or "repsTo"
*/
WERROR dsdb_loadreps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
const char *attr, struct repsFromToBlob **r, uint32_t *count)
{
const char *attrs[] = { attr, NULL };
struct ldb_result *res = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
unsigned int i;
struct ldb_message_element *el;
int ret;
*r = NULL;
*count = 0;
if (tmp_ctx == NULL) {
return WERR_NOT_ENOUGH_MEMORY;
}
ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs, 0);
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
/* partition hasn't been replicated yet */
talloc_free(tmp_ctx);
return WERR_OK;
}
if (ret != LDB_SUCCESS) {
DEBUG(0,("dsdb_loadreps: failed to read partition object: %s\n", ldb_errstring(sam_ctx)));
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
/* satisfy clang */
if (res == NULL) {
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
el = ldb_msg_find_element(res->msgs[0], attr);
if (el == NULL) {
/* it's OK to be empty */
talloc_free(tmp_ctx);
return WERR_OK;
}
*count = el->num_values;
*r = talloc_array(mem_ctx, struct repsFromToBlob, *count);
if (*r == NULL) {
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
for (i=0; i<(*count); i++) {
enum ndr_err_code ndr_err;
ndr_err = ndr_pull_struct_blob(&el->values[i],
mem_ctx,
&(*r)[i],
(ndr_pull_flags_fn_t)ndr_pull_repsFromToBlob);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
}
talloc_free(tmp_ctx);
return WERR_OK;
}
/*
save the repsFromTo blob list for a given partition GUID
attr must be "repsFrom" or "repsTo"
*/
WERROR dsdb_savereps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
const char *attr, struct repsFromToBlob *r, uint32_t count)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
struct ldb_message *msg;
struct ldb_message_element *el;
unsigned int i;
if (tmp_ctx == NULL) {
goto failed;
}
msg = ldb_msg_new(tmp_ctx);
if (msg == NULL) {
goto failed;
}
msg->dn = dn;
if (ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_REPLACE, &el) != LDB_SUCCESS) {
goto failed;
}
el->values = talloc_array(msg, struct ldb_val, count);
if (!el->values) {
goto failed;
}
for (i=0; i<count; i++) {
struct ldb_val v;
enum ndr_err_code ndr_err;
ndr_err = ndr_push_struct_blob(&v, tmp_ctx,
&r[i],
(ndr_push_flags_fn_t)ndr_push_repsFromToBlob);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
goto failed;
}
el->num_values++;
el->values[i] = v;
}
if (dsdb_modify(sam_ctx, msg, 0) != LDB_SUCCESS) {
DEBUG(0,("Failed to store %s - %s\n", attr, ldb_errstring(sam_ctx)));
goto failed;
}
talloc_free(tmp_ctx);
return WERR_OK;
failed:
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
/*
load the uSNHighest and the uSNUrgent attributes from the @REPLCHANGED
object for a partition
*/
int dsdb_load_partition_usn(struct ldb_context *ldb, struct ldb_dn *dn,
uint64_t *uSN, uint64_t *urgent_uSN)
{
struct ldb_request *req;
int ret;
TALLOC_CTX *tmp_ctx = talloc_new(ldb);
struct dsdb_control_current_partition *p_ctrl;
struct ldb_result *res;
if (tmp_ctx == NULL) {
return ldb_oom(ldb);
}
res = talloc_zero(tmp_ctx, struct ldb_result);
if (!res) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
ret = ldb_build_search_req(&req, ldb, tmp_ctx,
ldb_dn_new(tmp_ctx, ldb, "@REPLCHANGED"),
LDB_SCOPE_BASE,
NULL, NULL,
NULL,
res, ldb_search_default_callback,
NULL);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
p_ctrl = talloc(req, struct dsdb_control_current_partition);
if (p_ctrl == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
p_ctrl->version = DSDB_CONTROL_CURRENT_PARTITION_VERSION;
p_ctrl->dn = dn;
ret = ldb_request_add_control(req,
DSDB_CONTROL_CURRENT_PARTITION_OID,
false, p_ctrl);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/* Run the new request */
ret = ldb_request(ldb, req);
if (ret == LDB_SUCCESS) {
ret = ldb_wait(req->handle, LDB_WAIT_ALL);
}
if (ret == LDB_ERR_NO_SUCH_OBJECT || ret == LDB_ERR_INVALID_DN_SYNTAX) {
/* it hasn't been created yet, which means
an implicit value of zero */
*uSN = 0;
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
if (res->count < 1) {
*uSN = 0;
if (urgent_uSN) {
*urgent_uSN = 0;
}
} else {
*uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNHighest", 0);
if (urgent_uSN) {
*urgent_uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNUrgent", 0);
}
}
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
int drsuapi_DsReplicaCursor2_compare(const struct drsuapi_DsReplicaCursor2 *c1,
const struct drsuapi_DsReplicaCursor2 *c2)
{
return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
}
int drsuapi_DsReplicaCursor_compare(const struct drsuapi_DsReplicaCursor *c1,
const struct drsuapi_DsReplicaCursor *c2)
{
return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
}
/*
* Return the NTDS object for a GUID, confirming it is in the
* configuration partition and a nTDSDSA object
*/
int samdb_get_ntds_obj_by_guid(TALLOC_CTX *mem_ctx,
struct ldb_context *sam_ctx,
const struct GUID *objectGUID,
const char **attrs,
struct ldb_message **msg)
{
int ret;
struct ldb_result *res;
struct GUID_txt_buf guid_buf;
char *guid_str = GUID_buf_string(objectGUID, &guid_buf);
struct ldb_dn *config_dn = NULL;
config_dn = ldb_get_config_basedn(sam_ctx);
if (config_dn == NULL) {
return ldb_operr(sam_ctx);
}
ret = dsdb_search(sam_ctx,
mem_ctx,
&res,
config_dn,
LDB_SCOPE_SUBTREE,
attrs,
DSDB_SEARCH_ONE_ONLY,
"(&(objectGUID=%s)(objectClass=nTDSDSA))",
guid_str);
if (ret != LDB_SUCCESS) {
return ret;
}
if (msg) {
*msg = talloc_steal(mem_ctx, res->msgs[0]);
}
TALLOC_FREE(res);
return ret;
}
/*
see if a computer identified by its objectGUID is a RODC
*/
int samdb_is_rodc(struct ldb_context *sam_ctx, const struct GUID *objectGUID, bool *is_rodc)
{
/* 1) find the DN for this servers NTDSDSA object
2) search for the msDS-isRODC attribute
3) if not present then not a RODC
4) if present and TRUE then is a RODC
*/
const char *attrs[] = { "msDS-isRODC", NULL };
int ret;
struct ldb_message *msg;
TALLOC_CTX *tmp_ctx = talloc_new(sam_ctx);
if (tmp_ctx == NULL) {
return ldb_oom(sam_ctx);
}
ret = samdb_get_ntds_obj_by_guid(tmp_ctx,
sam_ctx,
objectGUID,
attrs, &msg);
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
*is_rodc = false;
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
if (ret != LDB_SUCCESS) {
DEBUG(1,("Failed to find our own NTDS Settings object by objectGUID=%s!\n",
GUID_string(tmp_ctx, objectGUID)));
*is_rodc = false;
talloc_free(tmp_ctx);
return ret;
}
ret = ldb_msg_find_attr_as_bool(msg, "msDS-isRODC", 0);
*is_rodc = (ret == 1);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/*
see if we are a RODC
*/
int samdb_rodc(struct ldb_context *sam_ctx, bool *am_rodc)
{
const struct GUID *objectGUID;
int ret;
bool *cached;
/* see if we have a cached copy */
cached = (bool *)ldb_get_opaque(sam_ctx, "cache.am_rodc");
if (cached) {
*am_rodc = *cached;
return LDB_SUCCESS;
}
objectGUID = samdb_ntds_objectGUID(sam_ctx);
if (!objectGUID) {
return ldb_operr(sam_ctx);
}
ret = samdb_is_rodc(sam_ctx, objectGUID, am_rodc);
if (ret != LDB_SUCCESS) {
return ret;
}
cached = talloc(sam_ctx, bool);
if (cached == NULL) {
return ldb_oom(sam_ctx);
}
*cached = *am_rodc;
ret = ldb_set_opaque(sam_ctx, "cache.am_rodc", cached);
if (ret != LDB_SUCCESS) {
talloc_free(cached);
return ldb_operr(sam_ctx);
}
return LDB_SUCCESS;
}
int samdb_dns_host_name(struct ldb_context *sam_ctx, const char **host_name)
{
const char *_host_name = NULL;
const char *attrs[] = { "dnsHostName", NULL };
TALLOC_CTX *tmp_ctx = NULL;
int ret;
struct ldb_result *res = NULL;
_host_name = (const char *)ldb_get_opaque(sam_ctx, "cache.dns_host_name");
if (_host_name != NULL) {
*host_name = _host_name;
return LDB_SUCCESS;
}
tmp_ctx = talloc_new(sam_ctx);
if (tmp_ctx == NULL) {
return ldb_oom(sam_ctx);
}
ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, NULL, attrs, 0);
if (res == NULL || res->count != 1 || ret != LDB_SUCCESS) {
DEBUG(0, ("Failed to get rootDSE for dnsHostName: %s\n",
ldb_errstring(sam_ctx)));
TALLOC_FREE(tmp_ctx);
return ret;
}
_host_name = ldb_msg_find_attr_as_string(res->msgs[0],
"dnsHostName",
NULL);
if (_host_name == NULL) {
DEBUG(0, ("Failed to get dnsHostName from rootDSE\n"));
TALLOC_FREE(tmp_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
ret = ldb_set_opaque(sam_ctx, "cache.dns_host_name",
discard_const_p(char *, _host_name));
if (ret != LDB_SUCCESS) {
TALLOC_FREE(tmp_ctx);
return ldb_operr(sam_ctx);
}
*host_name = talloc_steal(sam_ctx, _host_name);
TALLOC_FREE(tmp_ctx);
return LDB_SUCCESS;
}
bool samdb_set_am_rodc(struct ldb_context *ldb, bool am_rodc)
{
TALLOC_CTX *tmp_ctx;
bool *cached;
tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) {
goto failed;
}
cached = talloc(tmp_ctx, bool);
if (!cached) {
goto failed;
}
*cached = am_rodc;
if (ldb_set_opaque(ldb, "cache.am_rodc", cached) != LDB_SUCCESS) {
goto failed;
}
talloc_steal(ldb, cached);
talloc_free(tmp_ctx);
return true;
failed:
DEBUG(1,("Failed to set our own cached am_rodc in the ldb!\n"));
talloc_free(tmp_ctx);
return false;
}
/*
* return NTDSSiteSettings options. See MS-ADTS 7.1.1.2.2.1.1
* flags are DS_NTDSSETTINGS_OPT_*
*/
int samdb_ntds_site_settings_options(struct ldb_context *ldb_ctx,
uint32_t *options)
{
int rc;
TALLOC_CTX *tmp_ctx;
struct ldb_result *res;
struct ldb_dn *site_dn;
const char *attrs[] = { "options", NULL };
tmp_ctx = talloc_new(ldb_ctx);
if (tmp_ctx == NULL)
goto failed;
/* Retrieve the site dn for the ldb that we
* have open. This is our local site.
*/
site_dn = samdb_server_site_dn(ldb_ctx, tmp_ctx);
if (site_dn == NULL)
goto failed;
/* Perform a one level (child) search from the local
* site distinguished name. We're looking for the
* "options" attribute within the nTDSSiteSettings
* object
*/
rc = ldb_search(ldb_ctx, tmp_ctx, &res, site_dn,
LDB_SCOPE_ONELEVEL, attrs,
"objectClass=nTDSSiteSettings");
if (rc != LDB_SUCCESS || res->count != 1)
goto failed;
*options = ldb_msg_find_attr_as_uint(res->msgs[0], "options", 0);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
failed:
DEBUG(1,("Failed to find our NTDS Site Settings options in ldb!\n"));
talloc_free(tmp_ctx);
return ldb_error(ldb_ctx, LDB_ERR_NO_SUCH_OBJECT, __func__);
}
/*
return NTDS options flags. See MS-ADTS 7.1.1.2.2.1.2.1.1
flags are DS_NTDS_OPTION_*
*/
int samdb_ntds_options(struct ldb_context *ldb, uint32_t *options)
{
TALLOC_CTX *tmp_ctx;
const char *attrs[] = { "options", NULL };
int ret;
struct ldb_result *res;
tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) {
goto failed;
}
ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb, tmp_ctx), LDB_SCOPE_BASE, attrs, NULL);
if (ret != LDB_SUCCESS) {
goto failed;
}
if (res->count != 1) {
goto failed;
}
*options = ldb_msg_find_attr_as_uint(res->msgs[0], "options", 0);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
failed:
DEBUG(1,("Failed to find our own NTDS Settings options in the ldb!\n"));
talloc_free(tmp_ctx);
return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__);
}
const char* samdb_ntds_object_category(TALLOC_CTX *tmp_ctx, struct ldb_context *ldb)
{
const char *attrs[] = { "objectCategory", NULL };
int ret;
struct ldb_result *res;
ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb, tmp_ctx), LDB_SCOPE_BASE, attrs, NULL);
if (ret != LDB_SUCCESS) {
goto failed;
}
if (res->count != 1) {
goto failed;
}
return ldb_msg_find_attr_as_string(res->msgs[0], "objectCategory", NULL);
failed:
DEBUG(1,("Failed to find our own NTDS Settings objectCategory in the ldb!\n"));
return NULL;
}
/*
* Function which generates a "lDAPDisplayName" attribute from a "CN" one.
* Algorithm implemented according to MS-ADTS 3.1.1.2.3.4
*/
const char *samdb_cn_to_lDAPDisplayName(TALLOC_CTX *mem_ctx, const char *cn)
{
char **tokens, *ret;
size_t i;
tokens = str_list_make(mem_ctx, cn, " -_");
if (tokens == NULL || tokens[0] == NULL) {
return NULL;
}
/* "tolower()" and "toupper()" should also work properly on 0x00 */
tokens[0][0] = tolower(tokens[0][0]);
for (i = 1; tokens[i] != NULL; i++)
tokens[i][0] = toupper(tokens[i][0]);
ret = talloc_strdup(mem_ctx, tokens[0]);
if (ret == NULL) {
talloc_free(tokens);
return NULL;
}
for (i = 1; tokens[i] != NULL; i++) {
ret = talloc_asprintf_append_buffer(ret, "%s", tokens[i]);
if (ret == NULL) {
talloc_free(tokens);
return NULL;
}
}
talloc_free(tokens);
return ret;
}
/*
* This detects and returns the domain functional level (DS_DOMAIN_FUNCTION_*)
*/
int dsdb_functional_level(struct ldb_context *ldb)
{
unsigned long long *domainFunctionality =
talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), unsigned long long);
if (!domainFunctionality) {
/* this is expected during initial provision */
DEBUG(4,(__location__ ": WARNING: domainFunctionality not setup\n"));
return DS_DOMAIN_FUNCTION_2000;
}
return *domainFunctionality;
}
/*
* This detects and returns the forest functional level (DS_DOMAIN_FUNCTION_*)
*/
int dsdb_forest_functional_level(struct ldb_context *ldb)
{
unsigned long long *forestFunctionality =
talloc_get_type(ldb_get_opaque(ldb, "forestFunctionality"), unsigned long long);
if (!forestFunctionality) {
DEBUG(0,(__location__ ": WARNING: forestFunctionality not setup\n"));
return DS_DOMAIN_FUNCTION_2000;
}
return *forestFunctionality;
}
/*
* This detects and returns the DC functional level (DS_DOMAIN_FUNCTION_*)
*/
int dsdb_dc_functional_level(struct ldb_context *ldb)
{
unsigned long long *dcFunctionality =
talloc_get_type(ldb_get_opaque(ldb, "domainControllerFunctionality"), unsigned long long);
if (!dcFunctionality) {
/* this is expected during initial provision */
DEBUG(4,(__location__ ": WARNING: domainControllerFunctionality not setup\n"));
return DS_DOMAIN_FUNCTION_2008_R2;
}
return *dcFunctionality;
}
const char *dsdb_dc_operatingSystemVersion(int dc_functional_level)
{
const char *operatingSystemVersion = NULL;
/*
* While we are there also update
* operatingSystem and operatingSystemVersion
* as at least operatingSystemVersion is really
* important for some clients/applications (like exchange).
*/
if (dc_functional_level >= DS_DOMAIN_FUNCTION_2016) {
/* Pretend Windows 2016 */
operatingSystemVersion = "10.0 (14393)";
} else if (dc_functional_level >= DS_DOMAIN_FUNCTION_2012_R2) {
/* Pretend Windows 2012 R2 */
operatingSystemVersion = "6.3 (9600)";
} else if (dc_functional_level >= DS_DOMAIN_FUNCTION_2012) {
/* Pretend Windows 2012 */
operatingSystemVersion = "6.2 (9200)";
} else {
/* Pretend Windows 2008 R2 */
operatingSystemVersion = "6.1 (7600)";
}
return operatingSystemVersion;
}
int dsdb_check_and_update_fl(struct ldb_context *ldb_ctx, struct loadparm_context *lp_ctx)
{
TALLOC_CTX *frame = talloc_stackframe();
int ret;
int db_dc_functional_level;
int db_domain_functional_level;
int db_forest_functional_level;
int lp_dc_functional_level = lpcfg_ad_dc_functional_level(lp_ctx);
bool am_rodc;
struct ldb_message *msg = NULL;
struct ldb_dn *dc_ntds_settings_dn = NULL;
struct ldb_dn *dc_computer_dn = NULL;
const char *operatingSystem = NULL;
const char *operatingSystemVersion = NULL;
db_dc_functional_level = dsdb_dc_functional_level(ldb_ctx);
db_domain_functional_level = dsdb_functional_level(ldb_ctx);
db_forest_functional_level = dsdb_forest_functional_level(ldb_ctx);
if (lp_dc_functional_level < db_domain_functional_level) {
DBG_ERR("Refusing to start as smb.conf 'ad dc functional level' maps to %d, "
"which is less than the domain functional level of %d\n",
lp_dc_functional_level, db_domain_functional_level);
TALLOC_FREE(frame);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
if (lp_dc_functional_level < db_forest_functional_level) {
DBG_ERR("Refusing to start as smb.conf 'ad dc functional level' maps to %d, "
"which is less than the forest functional level of %d\n",
lp_dc_functional_level, db_forest_functional_level);
TALLOC_FREE(frame);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
/* Check if we need to update the DB */
if (db_dc_functional_level == lp_dc_functional_level) {
/*
* Note that this early return means
* we're not updating operatingSystem and
* operatingSystemVersion.
*
* But at least for now that's
* exactly what we want.
*/
TALLOC_FREE(frame);
return LDB_SUCCESS;
}
/* Confirm we are not an RODC before we try a modify */
ret = samdb_rodc(ldb_ctx, &am_rodc);
if (ret != LDB_SUCCESS) {
DBG_ERR("Failed to determine if this server is an RODC\n");
TALLOC_FREE(frame);
return ret;
}
if (am_rodc) {
DBG_WARNING("Unable to update DC's msDS-Behavior-Version "
"(from %d to %d) and operatingSystem[Version] "
"as we are an RODC\n",
db_dc_functional_level, lp_dc_functional_level);
TALLOC_FREE(frame);
return LDB_SUCCESS;
}
dc_ntds_settings_dn = samdb_ntds_settings_dn(ldb_ctx, frame);
if (dc_ntds_settings_dn == NULL) {
DBG_ERR("Failed to find own NTDS Settings DN\n");
TALLOC_FREE(frame);
return LDB_ERR_NO_SUCH_OBJECT;
}
/* Now update our msDS-Behavior-Version */
msg = ldb_msg_new(frame);
if (msg == NULL) {
DBG_ERR("Failed to allocate message to update msDS-Behavior-Version\n");
TALLOC_FREE(frame);
return LDB_ERR_OPERATIONS_ERROR;
}
msg->dn = dc_ntds_settings_dn;
ret = samdb_msg_add_int(ldb_ctx, frame, msg, "msDS-Behavior-Version", lp_dc_functional_level);
if (ret != LDB_SUCCESS) {
DBG_ERR("Failed to set new msDS-Behavior-Version on message\n");
TALLOC_FREE(frame);
return LDB_ERR_OPERATIONS_ERROR;
}
ret = dsdb_replace(ldb_ctx, msg, 0);
if (ret != LDB_SUCCESS) {
DBG_ERR("Failed to update DB with new msDS-Behavior-Version on %s: %s\n",
ldb_dn_get_linearized(dc_ntds_settings_dn),
ldb_errstring(ldb_ctx));
TALLOC_FREE(frame);
return ret;
}
/*
* We have to update the opaque because this particular ldb_context
* will not re-read the DB
*/
{
unsigned long long *val = talloc(ldb_ctx, unsigned long long);
if (!val) {
TALLOC_FREE(frame);
return LDB_ERR_OPERATIONS_ERROR;
}
*val = lp_dc_functional_level;
ret = ldb_set_opaque(ldb_ctx,
"domainControllerFunctionality", val);
if (ret != LDB_SUCCESS) {
DBG_ERR("Failed to re-set domainControllerFunctionality opaque\n");
TALLOC_FREE(val);
TALLOC_FREE(frame);
return ret;
}
}
/*
* While we are there also update
* operatingSystem and operatingSystemVersion
* as at least operatingSystemVersion is really
* important for some clients/applications (like exchange).
*/
operatingSystem = talloc_asprintf(frame, "Samba-%s",
samba_version_string());
if (operatingSystem == NULL) {
TALLOC_FREE(frame);
return ldb_oom(ldb_ctx);
}
operatingSystemVersion = dsdb_dc_operatingSystemVersion(db_dc_functional_level);
ret = samdb_server_reference_dn(ldb_ctx, frame, &dc_computer_dn);
if (ret != LDB_SUCCESS) {
DBG_ERR("Failed to get the dc_computer_dn: %s\n",
ldb_errstring(ldb_ctx));
TALLOC_FREE(frame);
return ret;
}
msg = ldb_msg_new(frame);
if (msg == NULL) {
DBG_ERR("Failed to allocate message to update msDS-Behavior-Version\n");
TALLOC_FREE(frame);
return LDB_ERR_OPERATIONS_ERROR;
}
msg->dn = dc_computer_dn;
ret = samdb_msg_add_addval(ldb_ctx, frame, msg,
"operatingSystem",
operatingSystem);
if (ret != LDB_SUCCESS) {
DBG_ERR("Failed to set new operatingSystem on message\n");
TALLOC_FREE(frame);
return ldb_operr(ldb_ctx);
}
ret = samdb_msg_add_addval(ldb_ctx, frame, msg,
"operatingSystemVersion",
operatingSystemVersion);
if (ret != LDB_SUCCESS) {
DBG_ERR("Failed to set new operatingSystemVersion on message\n");
TALLOC_FREE(frame);
return ldb_operr(ldb_ctx);
}
ret = dsdb_replace(ldb_ctx, msg, 0);
if (ret != LDB_SUCCESS) {
DBG_ERR("Failed to update DB with new operatingSystem[Version] on %s: %s\n",
ldb_dn_get_linearized(dc_computer_dn),
ldb_errstring(ldb_ctx));
TALLOC_FREE(frame);
return ret;
}
TALLOC_FREE(frame);
return LDB_SUCCESS;
}
/*
set a GUID in an extended DN structure
*/
int dsdb_set_extended_dn_guid(struct ldb_dn *dn, const struct GUID *guid, const char *component_name)
{
struct ldb_val v;
NTSTATUS status;
int ret;
status = GUID_to_ndr_blob(guid, dn, &v);
if (!NT_STATUS_IS_OK(status)) {
return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
}
ret = ldb_dn_set_extended_component(dn, component_name, &v);
data_blob_free(&v);
return ret;
}
/*
return a GUID from a extended DN structure
*/
NTSTATUS dsdb_get_extended_dn_guid(struct ldb_dn *dn, struct GUID *guid, const char *component_name)
{
const struct ldb_val *v;
v = ldb_dn_get_extended_component(dn, component_name);
if (v == NULL) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
return GUID_from_ndr_blob(v, guid);
}
/*
return a uint64_t from a extended DN structure
*/
NTSTATUS dsdb_get_extended_dn_uint64(struct ldb_dn *dn, uint64_t *val, const char *component_name)
{
const struct ldb_val *v;
int error = 0;
v = ldb_dn_get_extended_component(dn, component_name);
if (v == NULL) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
/* Just check we don't allow the caller to fill our stack */
if (v->length >= 64) {
return NT_STATUS_INVALID_PARAMETER;
} else {
char s[v->length+1];
memcpy(s, v->data, v->length);
s[v->length] = 0;
*val = smb_strtoull(s, NULL, 0, &error, SMB_STR_STANDARD);
if (error != 0) {
return NT_STATUS_INVALID_PARAMETER;
}
}
return NT_STATUS_OK;
}
/*
return a NTTIME from a extended DN structure
*/
NTSTATUS dsdb_get_extended_dn_nttime(struct ldb_dn *dn, NTTIME *nttime, const char *component_name)
{
return dsdb_get_extended_dn_uint64(dn, nttime, component_name);
}
/*
return a uint32_t from a extended DN structure
*/
NTSTATUS dsdb_get_extended_dn_uint32(struct ldb_dn *dn, uint32_t *val, const char *component_name)
{
const struct ldb_val *v;
int error = 0;
v = ldb_dn_get_extended_component(dn, component_name);
if (v == NULL) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
/* Just check we don't allow the caller to fill our stack */
if (v->length >= 32) {
return NT_STATUS_INVALID_PARAMETER;
} else {
char s[v->length + 1];
memcpy(s, v->data, v->length);
s[v->length] = 0;
*val = smb_strtoul(s, NULL, 0, &error, SMB_STR_STANDARD);
if (error != 0) {
return NT_STATUS_INVALID_PARAMETER;
}
}
return NT_STATUS_OK;
}
/*
return a dom_sid from a extended DN structure
*/
NTSTATUS dsdb_get_extended_dn_sid(struct ldb_dn *dn, struct dom_sid *sid, const char *component_name)
{
const struct ldb_val *sid_blob;
enum ndr_err_code ndr_err;
sid_blob = ldb_dn_get_extended_component(dn, component_name);
if (!sid_blob) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
ndr_err = ndr_pull_struct_blob_all_noalloc(sid_blob, sid,
(ndr_pull_flags_fn_t)ndr_pull_dom_sid);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
return status;
}
return NT_STATUS_OK;
}
/*
return RMD_FLAGS directly from a ldb_dn
returns 0 if not found
*/
uint32_t dsdb_dn_rmd_flags(struct ldb_dn *dn)
{
uint32_t rmd_flags = 0;
NTSTATUS status = dsdb_get_extended_dn_uint32(dn, &rmd_flags,
"RMD_FLAGS");
if (NT_STATUS_IS_OK(status)) {
return rmd_flags;
}
return 0;
}
/*
return RMD_FLAGS directly from a ldb_val for a DN
returns 0 if RMD_FLAGS is not found
*/
uint32_t dsdb_dn_val_rmd_flags(const struct ldb_val *val)
{
const char *p;
uint32_t flags;
char *end;
int error = 0;
if (val->length < 13) {
return 0;
}
p = memmem(val->data, val->length, "<RMD_FLAGS=", 11);
if (!p) {
return 0;
}
flags = smb_strtoul(p+11, &end, 10, &error, SMB_STR_STANDARD);
if (!end || *end != '>' || error != 0) {
/* it must end in a > */
return 0;
}
return flags;
}
/*
return true if a ldb_val containing a DN in storage form is deleted
*/
bool dsdb_dn_is_deleted_val(const struct ldb_val *val)
{
return (dsdb_dn_val_rmd_flags(val) & DSDB_RMD_FLAG_DELETED) != 0;
}
/*
return true if a ldb_val containing a DN in storage form is
in the upgraded w2k3 linked attribute format
*/
bool dsdb_dn_is_upgraded_link_val(const struct ldb_val *val)
{
return memmem(val->data, val->length, "<RMD_VERSION=", 13) != NULL;
}
/*
return a DN for a wellknown GUID
*/
int dsdb_wellknown_dn(struct ldb_context *samdb, TALLOC_CTX *mem_ctx,
struct ldb_dn *nc_root, const char *wk_guid,
struct ldb_dn **wkguid_dn)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
const char *attrs[] = { NULL };
int ret;
struct ldb_dn *dn;
struct ldb_result *res = NULL;
if (tmp_ctx == NULL) {
return ldb_oom(samdb);
}
/* construct the magic WKGUID DN */
dn = ldb_dn_new_fmt(tmp_ctx, samdb, "<WKGUID=%s,%s>",
wk_guid, ldb_dn_get_linearized(nc_root));
if (!wkguid_dn) {
talloc_free(tmp_ctx);
return ldb_operr(samdb);
}
ret = dsdb_search_dn(samdb, tmp_ctx, &res, dn, attrs,
DSDB_SEARCH_SHOW_DELETED |
DSDB_SEARCH_SHOW_RECYCLED);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
/* fix clang warning */
if (res == NULL){
talloc_free(tmp_ctx);
return LDB_ERR_OTHER;
}
(*wkguid_dn) = talloc_steal(mem_ctx, res->msgs[0]->dn);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
static int dsdb_dn_compare_ptrs(struct ldb_dn **dn1, struct ldb_dn **dn2)
{
return ldb_dn_compare(*dn1, *dn2);
}
/*
find a NC root given a DN within the NC by reading the rootDSE namingContexts
*/
static int dsdb_find_nc_root_string_based(struct ldb_context *samdb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *dn,
struct ldb_dn **nc_root)
{
const char *root_attrs[] = { "namingContexts", NULL };
TALLOC_CTX *tmp_ctx;
int ret;
struct ldb_message_element *el;
struct ldb_result *root_res;
unsigned int i;
struct ldb_dn **nc_dns;
tmp_ctx = talloc_new(samdb);
if (tmp_ctx == NULL) {
return ldb_oom(samdb);
}
ret = ldb_search(samdb, tmp_ctx, &root_res,
ldb_dn_new(tmp_ctx, samdb, ""), LDB_SCOPE_BASE, root_attrs, NULL);
if (ret != LDB_SUCCESS || root_res->count == 0) {
DEBUG(1,("Searching for namingContexts in rootDSE failed: %s\n", ldb_errstring(samdb)));
talloc_free(tmp_ctx);
return ret;
}
el = ldb_msg_find_element(root_res->msgs[0], "namingContexts");
if ((el == NULL) || (el->num_values < 3)) {
struct ldb_message *tmp_msg;
DEBUG(5,("dsdb_find_nc_root: Finding a valid 'namingContexts' element in the RootDSE failed. Using a temporary list.\n"));
/* This generates a temporary list of NCs in order to let the
* provisioning work. */
tmp_msg = ldb_msg_new(tmp_ctx);
if (tmp_msg == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(samdb);
}
ret = ldb_msg_add_steal_string(tmp_msg, "namingContexts",
ldb_dn_alloc_linearized(tmp_msg, ldb_get_schema_basedn(samdb)));
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = ldb_msg_add_steal_string(tmp_msg, "namingContexts",
ldb_dn_alloc_linearized(tmp_msg, ldb_get_config_basedn(samdb)));
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = ldb_msg_add_steal_string(tmp_msg, "namingContexts",
ldb_dn_alloc_linearized(tmp_msg, ldb_get_default_basedn(samdb)));
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
el = &tmp_msg->elements[0];
}
nc_dns = talloc_array(tmp_ctx, struct ldb_dn *, el->num_values);
if (!nc_dns) {
talloc_free(tmp_ctx);
return ldb_oom(samdb);
}
for (i=0; i<el->num_values; i++) {
nc_dns[i] = ldb_dn_from_ldb_val(nc_dns, samdb, &el->values[i]);
if (nc_dns[i] == NULL) {
talloc_free(tmp_ctx);
return ldb_operr(samdb);
}
}
TYPESAFE_QSORT(nc_dns, el->num_values, dsdb_dn_compare_ptrs);
for (i=0; i<el->num_values; i++) {
if (ldb_dn_compare_base(nc_dns[i], dn) == 0) {
(*nc_root) = talloc_steal(mem_ctx, nc_dns[i]);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
}
talloc_free(tmp_ctx);
return ldb_error(samdb, LDB_ERR_NO_SUCH_OBJECT, __func__);
}
struct dsdb_get_partition_and_dn {
TALLOC_CTX *mem_ctx;
unsigned int count;
struct ldb_dn *dn;
struct ldb_dn *partition_dn;
bool want_partition_dn;
};
static int dsdb_get_partition_and_dn(struct ldb_request *req,
struct ldb_reply *ares)
{
int ret;
struct dsdb_get_partition_and_dn *context = req->context;
struct ldb_control *partition_ctrl = NULL;
struct dsdb_control_current_partition *partition = NULL;
if (!ares) {
return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
}
if (ares->error != LDB_SUCCESS
&& ares->error != LDB_ERR_NO_SUCH_OBJECT) {
return ldb_request_done(req, ares->error);
}
switch (ares->type) {
case LDB_REPLY_ENTRY:
if (context->count != 0) {
return ldb_request_done(req,
LDB_ERR_CONSTRAINT_VIOLATION);
}
context->count++;
context->dn = talloc_steal(context->mem_ctx,
ares->message->dn);
break;
case LDB_REPLY_REFERRAL:
talloc_free(ares);
return ldb_request_done(req, LDB_SUCCESS);
case LDB_REPLY_DONE:
partition_ctrl
= ldb_reply_get_control(ares,
DSDB_CONTROL_CURRENT_PARTITION_OID);
if (!context->want_partition_dn ||
partition_ctrl == NULL) {
ret = ares->error;
talloc_free(ares);
return ldb_request_done(req, ret);
}
partition
= talloc_get_type_abort(partition_ctrl->data,
struct dsdb_control_current_partition);
context->partition_dn
= ldb_dn_copy(context->mem_ctx, partition->dn);
if (context->partition_dn == NULL) {
return ldb_request_done(req,
LDB_ERR_OPERATIONS_ERROR);
}
ret = ares->error;
talloc_free(ares);
return ldb_request_done(req, ret);
}
talloc_free(ares);
return LDB_SUCCESS;
}
/*
find a NC root given a DN within the NC
*/
int dsdb_normalise_dn_and_find_nc_root(struct ldb_context *samdb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *dn,
struct ldb_dn **normalised_dn,
struct ldb_dn **nc_root)
{
TALLOC_CTX *tmp_ctx;
int ret;
struct ldb_request *req;
struct ldb_result *res;
struct ldb_dn *search_dn = dn;
static const char * attrs[] = { NULL };
bool has_extended = ldb_dn_has_extended(dn);
bool has_normal_components = ldb_dn_get_comp_num(dn) >= 1;
struct dsdb_get_partition_and_dn context = {
.mem_ctx = mem_ctx,
.want_partition_dn = nc_root != NULL
};
if (!has_extended && !has_normal_components) {
return ldb_error(samdb, LDB_ERR_NO_SUCH_OBJECT,
"Request for NC root for rootDSE (\"\") denied.");
}
tmp_ctx = talloc_new(samdb);
if (tmp_ctx == NULL) {
return ldb_oom(samdb);
}
res = talloc_zero(tmp_ctx, struct ldb_result);
if (res == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(samdb);
}
if (has_extended && has_normal_components) {
bool minimise_ok;
search_dn = ldb_dn_copy(tmp_ctx, dn);
if (search_dn == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(samdb);
}
minimise_ok = ldb_dn_minimise(search_dn);
if (!minimise_ok) {
talloc_free(tmp_ctx);
return ldb_operr(samdb);
}
}
ret = ldb_build_search_req(&req, samdb, tmp_ctx,
search_dn,
LDB_SCOPE_BASE,
NULL,
attrs,
NULL,
&context,
dsdb_get_partition_and_dn,
NULL);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = ldb_request_add_control(req,
DSDB_CONTROL_CURRENT_PARTITION_OID,
false, NULL);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = dsdb_request_add_controls(req,
DSDB_SEARCH_SHOW_RECYCLED|
DSDB_SEARCH_SHOW_DELETED|
DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = ldb_request(samdb, req);
if (ret == LDB_SUCCESS) {
ret = ldb_wait(req->handle, LDB_WAIT_ALL);
}
/*
* This could be a new DN, not in the DB, which is OK. If we
* don't need the normalised DN, we can continue.
*
* We may be told the partition it would be in in the search
* reply control, or if not we can do a string-based match.
*/
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
if (normalised_dn != NULL) {
talloc_free(tmp_ctx);
return ret;
}
ret = LDB_SUCCESS;
ldb_reset_err_string(samdb);
} else if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
if (normalised_dn != NULL) {
if (context.count != 1) {
/* No results */
ldb_asprintf_errstring(samdb,
"Request for NC root for %s failed to return any results.",
ldb_dn_get_linearized(dn));
talloc_free(tmp_ctx);
return LDB_ERR_NO_SUCH_OBJECT;
}
*normalised_dn = context.dn;
}
/*
* If the user did not need to find the nc_root,
* we are done
*/
if (nc_root == NULL) {
talloc_free(tmp_ctx);
return ret;
}
/*
* When we are working locally, both for the case were
* we find the DN, and the case where we fail, we get
* back via controls the partition it was in or should
* have been in, to return to the client
*/
if (context.partition_dn != NULL) {
(*nc_root) = context.partition_dn;
talloc_free(tmp_ctx);
return ret;
}
/*
* This is a remote operation, which is a little harder as we
* have a work out the nc_root from the list of NCs. If we did
* at least resolve the DN to a string, get that now, it makes
* the string-based match below possible for a GUID-based
* input over remote LDAP.
*/
if (context.dn) {
dn = context.dn;
} else if (has_extended && !has_normal_components) {
ldb_asprintf_errstring(samdb,
"Cannot determine NC root "
"for a not-found bare extended DN %s.",
ldb_dn_get_extended_linearized(tmp_ctx, dn, 1));
talloc_free(tmp_ctx);
return LDB_ERR_NO_SUCH_OBJECT;
}
/*
* Either we are working against a remote LDAP
* server or the object doesn't exist locally.
*
* This means any GUID that was present in the DN
* therefore could not be evaluated, so do a
* string-based match instead.
*/
talloc_free(tmp_ctx);
return dsdb_find_nc_root_string_based(samdb,
mem_ctx,
dn,
nc_root);
}
/*
find a NC root given a DN within the NC
*/
int dsdb_find_nc_root(struct ldb_context *samdb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *dn,
struct ldb_dn **nc_root)
{
return dsdb_normalise_dn_and_find_nc_root(samdb,
mem_ctx,
dn,
NULL,
nc_root);
}
/*
find the deleted objects DN for any object, by looking for the NC
root, then looking up the wellknown GUID
*/
int dsdb_get_deleted_objects_dn(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx, struct ldb_dn *obj_dn,
struct ldb_dn **do_dn)
{
struct ldb_dn *nc_root;
int ret;
ret = dsdb_find_nc_root(ldb, mem_ctx, obj_dn, &nc_root);
if (ret != LDB_SUCCESS) {
return ret;
}
ret = dsdb_wellknown_dn(ldb, mem_ctx, nc_root, DS_GUID_DELETED_OBJECTS_CONTAINER, do_dn);
talloc_free(nc_root);
return ret;
}
/*
return the tombstoneLifetime, in days
*/
int dsdb_tombstone_lifetime(struct ldb_context *ldb, uint32_t *lifetime)
{
struct ldb_dn *dn;
dn = ldb_get_config_basedn(ldb);
if (!dn) {
return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__);
}
dn = ldb_dn_copy(ldb, dn);
if (!dn) {
return ldb_operr(ldb);
}
/* see MS-ADTS section 7.1.1.2.4.1.1. There doesn't appear to
be a wellknown GUID for this */
if (!ldb_dn_add_child_fmt(dn, "CN=Directory Service,CN=Windows NT,CN=Services")) {
talloc_free(dn);
return ldb_operr(ldb);
}
*lifetime = samdb_search_uint(ldb, dn, 180, dn, "tombstoneLifetime", "objectClass=nTDSService");
talloc_free(dn);
return LDB_SUCCESS;
}
/*
compare a ldb_val to a string case insensitively
*/
int samdb_ldb_val_case_cmp(const char *s, struct ldb_val *v)
{
size_t len = strlen(s);
int ret;
if (len > v->length) return 1;
ret = strncasecmp(s, (const char *)v->data, v->length);
if (ret != 0) return ret;
if (v->length > len && v->data[len] != 0) {
return -1;
}
return 0;
}
/*
load the UDV for a partition in v2 format
The list is returned sorted, and with our local cursor added
*/
int dsdb_load_udv_v2(struct ldb_context *samdb, struct ldb_dn *dn, TALLOC_CTX *mem_ctx,
struct drsuapi_DsReplicaCursor2 **cursors, uint32_t *count)
{
static const char *attrs[] = { "replUpToDateVector", NULL };
struct ldb_result *r = NULL;
const struct ldb_val *ouv_value;
unsigned int i;
int ret;
uint64_t highest_usn = 0;
const struct GUID *our_invocation_id;
static const struct timeval tv1970;
NTTIME nt1970 = timeval_to_nttime(&tv1970);
ret = dsdb_search_dn(samdb, mem_ctx, &r, dn, attrs, DSDB_SEARCH_SHOW_RECYCLED|DSDB_SEARCH_SHOW_DELETED);
if (ret != LDB_SUCCESS) {
return ret;
}
/* fix clang warning */
if (r == NULL) {
return LDB_ERR_OTHER;
}
ouv_value = ldb_msg_find_ldb_val(r->msgs[0], "replUpToDateVector");
if (ouv_value) {
enum ndr_err_code ndr_err;
struct replUpToDateVectorBlob ouv;
ndr_err = ndr_pull_struct_blob(ouv_value, r, &ouv,
(ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
talloc_free(r);
return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
}
if (ouv.version != 2) {
/* we always store as version 2, and
* replUpToDateVector is not replicated
*/
talloc_free(r);
return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
}
*count = ouv.ctr.ctr2.count;
*cursors = talloc_steal(mem_ctx, ouv.ctr.ctr2.cursors);
} else {
*count = 0;
*cursors = NULL;
}
talloc_free(r);
our_invocation_id = samdb_ntds_invocation_id(samdb);
if (!our_invocation_id) {
DEBUG(0,(__location__ ": No invocationID on samdb - %s\n", ldb_errstring(samdb)));
talloc_free(*cursors);
return ldb_operr(samdb);
}
ret = ldb_sequence_number(samdb, LDB_SEQ_HIGHEST_SEQ, &highest_usn);
if (ret != LDB_SUCCESS) {
/* nothing to add - this can happen after a vampire */
TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
return LDB_SUCCESS;
}
for (i=0; i<*count; i++) {
if (GUID_equal(our_invocation_id, &(*cursors)[i].source_dsa_invocation_id)) {
(*cursors)[i].highest_usn = highest_usn;
(*cursors)[i].last_sync_success = nt1970;
TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
return LDB_SUCCESS;
}
}
(*cursors) = talloc_realloc(mem_ctx, *cursors, struct drsuapi_DsReplicaCursor2, (*count)+1);
if (! *cursors) {
return ldb_oom(samdb);
}
(*cursors)[*count].source_dsa_invocation_id = *our_invocation_id;
(*cursors)[*count].highest_usn = highest_usn;
(*cursors)[*count].last_sync_success = nt1970;
(*count)++;
TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
return LDB_SUCCESS;
}
/*
load the UDV for a partition in version 1 format
The list is returned sorted, and with our local cursor added
*/
int dsdb_load_udv_v1(struct ldb_context *samdb, struct ldb_dn *dn, TALLOC_CTX *mem_ctx,
struct drsuapi_DsReplicaCursor **cursors, uint32_t *count)
{
struct drsuapi_DsReplicaCursor2 *v2 = NULL;
uint32_t i;
int ret;
ret = dsdb_load_udv_v2(samdb, dn, mem_ctx, &v2, count);
if (ret != LDB_SUCCESS) {
return ret;
}
if (*count == 0) {
talloc_free(v2);
*cursors = NULL;
return LDB_SUCCESS;
}
*cursors = talloc_array(mem_ctx, struct drsuapi_DsReplicaCursor, *count);
if (*cursors == NULL) {
talloc_free(v2);
return ldb_oom(samdb);
}
for (i=0; i<*count; i++) {
(*cursors)[i].source_dsa_invocation_id = v2[i].source_dsa_invocation_id;
(*cursors)[i].highest_usn = v2[i].highest_usn;
}
talloc_free(v2);
return LDB_SUCCESS;
}
/*
add a set of controls to a ldb_request structure based on a set of
flags. See util.h for a list of available flags
*/
int dsdb_request_add_controls(struct ldb_request *req, uint32_t dsdb_flags)
{
int ret;
if (dsdb_flags & DSDB_SEARCH_SEARCH_ALL_PARTITIONS) {
struct ldb_search_options_control *options;
/* Using the phantom root control allows us to search all partitions */
options = talloc(req, struct ldb_search_options_control);
if (options == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
ret = ldb_request_add_control(req,
LDB_CONTROL_SEARCH_OPTIONS_OID,
true, options);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_SEARCH_NO_GLOBAL_CATALOG) {
ret = ldb_request_add_control(req,
DSDB_CONTROL_NO_GLOBAL_CATALOG,
false, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_SEARCH_SHOW_DELETED) {
ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_DELETED_OID, true, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_SEARCH_SHOW_RECYCLED) {
ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_RECYCLED_OID, false, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT) {
ret = ldb_request_add_control(req, DSDB_CONTROL_DN_STORAGE_FORMAT_OID, false, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_SEARCH_SHOW_EXTENDED_DN) {
struct ldb_extended_dn_control *extended_ctrl = talloc(req, struct ldb_extended_dn_control);
if (!extended_ctrl) {
return LDB_ERR_OPERATIONS_ERROR;
}
extended_ctrl->type = 1;
ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, extended_ctrl);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_SEARCH_REVEAL_INTERNALS) {
ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_MODIFY_RELAX) {
ret = ldb_request_add_control(req, LDB_CONTROL_RELAX_OID, false, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_MODIFY_PERMISSIVE) {
ret = ldb_request_add_control(req, LDB_CONTROL_PERMISSIVE_MODIFY_OID, false, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_FLAG_AS_SYSTEM) {
ret = ldb_request_add_control(req, LDB_CONTROL_AS_SYSTEM_OID, false, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_TREE_DELETE) {
ret = ldb_request_add_control(req, LDB_CONTROL_TREE_DELETE_OID, false, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_PROVISION) {
ret = ldb_request_add_control(req, LDB_CONTROL_PROVISION_OID, false, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
/* This is a special control to bypass the password_hash module for use in pdb_samba4 for Samba3 upgrades */
if (dsdb_flags & DSDB_BYPASS_PASSWORD_HASH) {
ret = ldb_request_add_control(req, DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID, true, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_PASSWORD_BYPASS_LAST_SET) {
/*
* This must not be critical, as it will only be
* handled (and need to be handled) if the other
* attributes in the request bring password_hash into
* action
*/
ret = ldb_request_add_control(req, DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID, false, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_REPLMD_VANISH_LINKS) {
ret = ldb_request_add_control(req, DSDB_CONTROL_REPLMD_VANISH_LINKS, true, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_MODIFY_PARTIAL_REPLICA) {
ret = ldb_request_add_control(req, DSDB_CONTROL_PARTIAL_REPLICA, false, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_FLAG_REPLICATED_UPDATE) {
ret = ldb_request_add_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID, false, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_FLAG_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE) {
ret = ldb_request_add_control(req, DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID, true, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (dsdb_flags & DSDB_MARK_REQ_UNTRUSTED) {
ldb_req_mark_untrusted(req);
}
return LDB_SUCCESS;
}
/*
returns true if a control with the specified "oid" exists
*/
bool dsdb_request_has_control(struct ldb_request *req, const char *oid)
{
return (ldb_request_get_control(req, oid) != NULL);
}
/*
an add with a set of controls
*/
int dsdb_add(struct ldb_context *ldb, const struct ldb_message *message,
uint32_t dsdb_flags)
{
struct ldb_request *req;
int ret;
ret = ldb_build_add_req(&req, ldb, ldb,
message,
NULL,
NULL,
ldb_op_default_callback,
NULL);
if (ret != LDB_SUCCESS) return ret;
ret = dsdb_request_add_controls(req, dsdb_flags);
if (ret != LDB_SUCCESS) {
talloc_free(req);
return ret;
}
ret = dsdb_autotransaction_request(ldb, req);
talloc_free(req);
return ret;
}
/*
a modify with a set of controls
*/
int dsdb_modify(struct ldb_context *ldb, const struct ldb_message *message,
uint32_t dsdb_flags)
{
struct ldb_request *req;
int ret;
ret = ldb_build_mod_req(&req, ldb, ldb,
message,
NULL,
NULL,
ldb_op_default_callback,
NULL);
if (ret != LDB_SUCCESS) return ret;
ret = dsdb_request_add_controls(req, dsdb_flags);
if (ret != LDB_SUCCESS) {
talloc_free(req);
return ret;
}
ret = dsdb_autotransaction_request(ldb, req);
talloc_free(req);
return ret;
}
/*
a delete with a set of flags
*/
int dsdb_delete(struct ldb_context *ldb, struct ldb_dn *dn,
uint32_t dsdb_flags)
{
struct ldb_request *req;
int ret;
ret = ldb_build_del_req(&req, ldb, ldb,
dn,
NULL,
NULL,
ldb_op_default_callback,
NULL);
if (ret != LDB_SUCCESS) return ret;
ret = dsdb_request_add_controls(req, dsdb_flags);
if (ret != LDB_SUCCESS) {
talloc_free(req);
return ret;
}
ret = dsdb_autotransaction_request(ldb, req);
talloc_free(req);
return ret;
}
/*
like dsdb_modify() but set all the element flags to
LDB_FLAG_MOD_REPLACE
*/
int dsdb_replace(struct ldb_context *ldb, struct ldb_message *msg, uint32_t dsdb_flags)
{
unsigned int i;
/* mark all the message elements as LDB_FLAG_MOD_REPLACE */
for (i=0;i<msg->num_elements;i++) {
msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
}
return dsdb_modify(ldb, msg, dsdb_flags);
}
const char *dsdb_search_scope_as_string(enum ldb_scope scope)
{
const char *scope_str;
switch (scope) {
case LDB_SCOPE_BASE:
scope_str = "BASE";
break;
case LDB_SCOPE_ONELEVEL:
scope_str = "ONE";
break;
case LDB_SCOPE_SUBTREE:
scope_str = "SUB";
break;
default:
scope_str = "<Invalid scope>";
break;
}
return scope_str;
}
/*
search for attrs on one DN, allowing for dsdb_flags controls
*/
int dsdb_search_dn(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
struct ldb_result **_result,
struct ldb_dn *basedn,
const char * const *attrs,
uint32_t dsdb_flags)
{
int ret;
struct ldb_request *req;
struct ldb_result *res;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
return ldb_oom(ldb);
}
res = talloc_zero(tmp_ctx, struct ldb_result);
if (!res) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
ret = ldb_build_search_req(&req, ldb, res,
basedn,
LDB_SCOPE_BASE,
NULL,
attrs,
NULL,
res,
ldb_search_default_callback,
NULL);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = dsdb_request_add_controls(req, dsdb_flags);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = ldb_request(ldb, req);
if (ret == LDB_SUCCESS) {
ret = ldb_wait(req->handle, LDB_WAIT_ALL);
}
talloc_free(req);
if (ret != LDB_SUCCESS) {
DBG_INFO("flags=0x%08x %s -> %s (%s)\n",
dsdb_flags,
basedn?ldb_dn_get_extended_linearized(tmp_ctx,
basedn,
1):"NULL",
ldb_errstring(ldb), ldb_strerror(ret));
talloc_free(tmp_ctx);
return ret;
}
DBG_DEBUG("flags=0x%08x %s -> %d\n",
dsdb_flags,
basedn?ldb_dn_get_extended_linearized(tmp_ctx,
basedn,
1):"NULL",
res->count);
*_result = talloc_steal(mem_ctx, res);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/*
search for attrs on one DN, by the GUID of the DN, allowing for
dsdb_flags controls
*/
int dsdb_search_by_dn_guid(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
struct ldb_result **_result,
const struct GUID *guid,
const char * const *attrs,
uint32_t dsdb_flags)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
struct ldb_dn *dn;
int ret;
if (tmp_ctx == NULL) {
return ldb_oom(ldb);
}
dn = ldb_dn_new_fmt(tmp_ctx, ldb, "<GUID=%s>", GUID_string(tmp_ctx, guid));
if (dn == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
ret = dsdb_search_dn(ldb, mem_ctx, _result, dn, attrs, dsdb_flags);
talloc_free(tmp_ctx);
return ret;
}
NTSTATUS gmsa_system_password_update_request(
struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *dn,
const uint8_t
password_buf[static const GMSA_PASSWORD_NULL_TERMINATED_LEN],
struct ldb_request **request_out)
{
DATA_BLOB password_blob = {};
struct ldb_request *request = NULL;
NTSTATUS status;
int ret;
dn = ldb_dn_copy(mem_ctx, dn);
if (dn == NULL) {
return NT_STATUS_INTERNAL_ERROR;
}
/* Make a copy of the password. */
password_blob = data_blob_talloc(mem_ctx,
password_buf,
GMSA_PASSWORD_LEN);
if (password_blob.data == NULL) {
talloc_free(dn);
return NT_STATUS_NO_MEMORY;
}
status = samdb_set_password_request(ldb,
mem_ctx,
dn,
&password_blob,
NULL,
DSDB_PASSWORD_RESET,
false /* reject trusts */,
&request);
if (!NT_STATUS_IS_OK(status)) {
data_blob_free(&password_blob);
talloc_free(dn);
return status;
}
/* Tie the lifetime of the password to that of the request. */
talloc_steal(request, password_blob.data);
/* Tie the lifetime of the DN to that of the request. */
talloc_steal(request, dn);
/* Make sure the password update happens as System. */
ret = dsdb_request_add_controls(request, DSDB_FLAG_AS_SYSTEM);
if (ret) {
talloc_free(request);
return NT_STATUS_NO_MEMORY;
}
*request_out = request;
return NT_STATUS_OK;
}
/*
general search with dsdb_flags for controls
*/
int dsdb_search(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
struct ldb_result **_result,
struct ldb_dn *basedn,
enum ldb_scope scope,
const char * const *attrs,
uint32_t dsdb_flags,
const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(8, 9)
{
int ret;
struct ldb_request *req;
struct ldb_result *res;
va_list ap;
char *expression = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
int tries;
const int max_tries = 5;
/* cross-partitions searches with a basedn break multi-domain support */
SMB_ASSERT(basedn == NULL || (dsdb_flags & DSDB_SEARCH_SEARCH_ALL_PARTITIONS) == 0);
if (tmp_ctx == NULL) {
return ldb_oom(ldb);
}
res = talloc(tmp_ctx, struct ldb_result);
if (!res) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
if (exp_fmt) {
va_start(ap, exp_fmt);
expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
va_end(ap);
if (!expression) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
}
for (tries = 0; tries < max_tries; ++tries) {
bool retry = true;
*res = (struct ldb_result){};
ret = ldb_build_search_req(&req, ldb, tmp_ctx,
basedn,
scope,
expression,
attrs,
NULL,
res,
ldb_search_default_callback,
NULL);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = dsdb_request_add_controls(req, dsdb_flags);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
ldb_reset_err_string(ldb);
return ret;
}
ret = ldb_request(ldb, req);
if (ret == LDB_SUCCESS) {
ret = ldb_wait(req->handle, LDB_WAIT_ALL);
}
if (ret != LDB_SUCCESS) {
DBG_INFO("%s flags=0x%08x %s %s -> %s (%s)\n",
dsdb_search_scope_as_string(scope),
dsdb_flags,
basedn?ldb_dn_get_extended_linearized(tmp_ctx,
basedn,
1):"NULL",
expression?expression:"NULL",
ldb_errstring(ldb), ldb_strerror(ret));
talloc_free(tmp_ctx);
return ret;
}
if (dsdb_flags & DSDB_SEARCH_ONE_ONLY) {
if (res->count == 0) {
DBG_INFO("%s SEARCH_ONE_ONLY flags=0x%08x %s %s -> %u results\n",
dsdb_search_scope_as_string(scope),
dsdb_flags,
basedn?ldb_dn_get_extended_linearized(tmp_ctx,
basedn,
1):"NULL",
expression?expression:"NULL", res->count);
talloc_free(tmp_ctx);
ldb_reset_err_string(ldb);
return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__);
}
if (res->count != 1) {
DBG_INFO("%s SEARCH_ONE_ONLY flags=0x%08x %s %s -> %u (expected 1) results\n",
dsdb_search_scope_as_string(scope),
dsdb_flags,
basedn?ldb_dn_get_extended_linearized(tmp_ctx,
basedn,
1):"NULL",
expression?expression:"NULL", res->count);
talloc_free(tmp_ctx);
ldb_reset_err_string(ldb);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
}
if (!(dsdb_flags & DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS)) {
break;
}
/*
* If were searching for passwords, we must account for the
* possibility that one or more of the accounts are Group
* Managed Service Accounts with outofdate keys. In such a
* case, we must derive the new password(s), update the keys,
* and perform the search again to get the updated results.
*
* The following attributes are necessary in order for this to
* work properly:
*
* • msDS-ManagedPasswordId
* • msDS-ManagedPasswordInterval
* • objectClass
* • objectSid
* • whenCreated
*/
ret = dsdb_update_gmsa_keys(tmp_ctx, ldb, res, &retry);
if (ret) {
talloc_free(tmp_ctx);
return ret;
}
if (!retry) {
break;
}
}
if (tries == max_tries) {
talloc_free(tmp_ctx);
ldb_reset_err_string(ldb);
return ldb_operr(ldb);
}
*_result = talloc_steal(mem_ctx, res);
DBG_DEBUG("%s flags=0x%08x %s %s -> %d\n",
dsdb_search_scope_as_string(scope),
dsdb_flags,
basedn?ldb_dn_get_extended_linearized(tmp_ctx,
basedn,
1):"NULL",
expression?expression:"NULL",
res->count);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/*
general search with dsdb_flags for controls
returns exactly 1 record or an error
*/
int dsdb_search_one(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
struct ldb_message **msg,
struct ldb_dn *basedn,
enum ldb_scope scope,
const char * const *attrs,
uint32_t dsdb_flags,
const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(8, 9)
{
int ret;
struct ldb_result *res;
va_list ap;
char *expression = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
return ldb_oom(ldb);
}
dsdb_flags |= DSDB_SEARCH_ONE_ONLY;
res = talloc_zero(tmp_ctx, struct ldb_result);
if (!res) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
if (exp_fmt) {
va_start(ap, exp_fmt);
expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
va_end(ap);
if (!expression) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
ret = dsdb_search(ldb, tmp_ctx, &res, basedn, scope, attrs,
dsdb_flags, "%s", expression);
} else {
ret = dsdb_search(ldb, tmp_ctx, &res, basedn, scope, attrs,
dsdb_flags, NULL);
}
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
*msg = talloc_steal(mem_ctx, res->msgs[0]);
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/* returns back the forest DNS name */
const char *samdb_forest_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
{
const char *forest_name = ldb_dn_canonical_string(mem_ctx,
ldb_get_root_basedn(ldb));
char *p;
if (forest_name == NULL) {
return NULL;
}
p = strchr(forest_name, '/');
if (p) {
*p = '\0';
}
return forest_name;
}
/* returns back the default domain DNS name */
const char *samdb_default_domain_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
{
const char *domain_name = ldb_dn_canonical_string(mem_ctx,
ldb_get_default_basedn(ldb));
char *p;
if (domain_name == NULL) {
return NULL;
}
p = strchr(domain_name, '/');
if (p) {
*p = '\0';
}
return domain_name;
}
/*
validate that an DSA GUID belongs to the specified user sid.
The user SID must be a domain controller account (either RODC or
RWDC)
*/
int dsdb_validate_dsa_guid(struct ldb_context *ldb,
const struct GUID *dsa_guid,
const struct dom_sid *sid)
{
/* strategy:
- find DN of record with the DSA GUID in the
configuration partition (objectGUID)
- remove "NTDS Settings" component from DN
- do a base search on that DN for serverReference with
extended-dn enabled
- extract objectSid from resulting serverReference
attribute
- check this sid matches the sid argument
*/
struct ldb_dn *config_dn;
TALLOC_CTX *tmp_ctx = talloc_new(ldb);
struct ldb_message *msg;
const char *attrs1[] = { NULL };
const char *attrs2[] = { "serverReference", NULL };
int ret;
struct ldb_dn *dn, *account_dn;
struct dom_sid sid2;
NTSTATUS status;
if (tmp_ctx == NULL) {
return ldb_oom(ldb);
}
config_dn = ldb_get_config_basedn(ldb);
ret = dsdb_search_one(ldb, tmp_ctx, &msg, config_dn, LDB_SCOPE_SUBTREE,
attrs1, 0, "(&(objectGUID=%s)(objectClass=nTDSDSA))", GUID_string(tmp_ctx, dsa_guid));
if (ret != LDB_SUCCESS) {
DEBUG(1,(__location__ ": Failed to find DSA objectGUID %s for sid %s\n",
GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
dn = msg->dn;
if (!ldb_dn_remove_child_components(dn, 1)) {
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
ret = dsdb_search_one(ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE,
attrs2, DSDB_SEARCH_SHOW_EXTENDED_DN,
"(objectClass=server)");
if (ret != LDB_SUCCESS) {
DEBUG(1,(__location__ ": Failed to find server record for DSA with objectGUID %s, sid %s\n",
GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
account_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, msg, "serverReference");
if (account_dn == NULL) {
DEBUG(1,(__location__ ": Failed to find account dn "
"(serverReference) for %s, parent of DSA with "
"objectGUID %s, sid %s\n",
ldb_dn_get_linearized(msg->dn),
GUID_string(tmp_ctx, dsa_guid),
dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
status = dsdb_get_extended_dn_sid(account_dn, &sid2, "SID");
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,(__location__ ": Failed to find SID for DSA with objectGUID %s, sid %s\n",
GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
if (!dom_sid_equal(sid, &sid2)) {
/* someone is trying to spoof another account */
DEBUG(0,(__location__ ": Bad DSA objectGUID %s for sid %s - expected sid %s\n",
GUID_string(tmp_ctx, dsa_guid),
dom_sid_string(tmp_ctx, sid),
dom_sid_string(tmp_ctx, &sid2)));
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
static const char * const secret_attributes[] = {
DSDB_SECRET_ATTRIBUTES,
NULL
};
/*
check if the attribute belongs to the RODC filtered attribute set
Note that attributes that are in the filtered attribute set are the
ones that _are_ always sent to a RODC
*/
bool dsdb_attr_in_rodc_fas(const struct dsdb_attribute *sa)
{
/* they never get secret attributes */
if (ldb_attr_in_list(secret_attributes, sa->lDAPDisplayName)) {
return false;
}
/* they do get non-secret critical attributes */
if (sa->schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) {
return true;
}
/* they do get non-secret attributes marked as being in the FAS */
if (sa->searchFlags & SEARCH_FLAG_RODC_ATTRIBUTE) {
return true;
}
/* other attributes are denied */
return false;
}
/* return fsmo role dn and role owner dn for a particular role*/
WERROR dsdb_get_fsmo_role_info(TALLOC_CTX *tmp_ctx,
struct ldb_context *ldb,
uint32_t role,
struct ldb_dn **fsmo_role_dn,
struct ldb_dn **role_owner_dn)
{
int ret;
switch (role) {
case DREPL_NAMING_MASTER:
*fsmo_role_dn = samdb_partitions_dn(ldb, tmp_ctx);
ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Naming Master object - %s\n",
ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
break;
case DREPL_INFRASTRUCTURE_MASTER:
*fsmo_role_dn = samdb_infrastructure_dn(ldb, tmp_ctx);
ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Schema Master object - %s\n",
ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
break;
case DREPL_RID_MASTER:
ret = samdb_rid_manager_dn(ldb, tmp_ctx, fsmo_role_dn);
if (ret != LDB_SUCCESS) {
DEBUG(0, (__location__ ": Failed to find RID Manager object - %s\n", ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in RID Manager object - %s\n",
ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
break;
case DREPL_SCHEMA_MASTER:
*fsmo_role_dn = ldb_get_schema_basedn(ldb);
ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Schema Master object - %s\n",
ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
break;
case DREPL_PDC_MASTER:
*fsmo_role_dn = ldb_get_default_basedn(ldb);
ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Pd Master object - %s\n",
ldb_errstring(ldb)));
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
break;
default:
return WERR_DS_DRA_INTERNAL_ERROR;
}
return WERR_OK;
}
const char *samdb_dn_to_dnshostname(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *server_dn)
{
int ldb_ret;
struct ldb_result *res = NULL;
const char * const attrs[] = { "dNSHostName", NULL};
ldb_ret = ldb_search(ldb, mem_ctx, &res,
server_dn,
LDB_SCOPE_BASE,
attrs, NULL);
if (ldb_ret != LDB_SUCCESS) {
DEBUG(4, ("Failed to find dNSHostName for dn %s, ldb error: %s\n",
ldb_dn_get_linearized(server_dn), ldb_errstring(ldb)));
return NULL;
}
return ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
}
/*
returns true if an attribute is in the filter,
false otherwise, provided that attribute value is provided with the expression
*/
bool dsdb_attr_in_parse_tree(struct ldb_parse_tree *tree,
const char *attr)
{
unsigned int i;
switch (tree->operation) {
case LDB_OP_AND:
case LDB_OP_OR:
for (i=0;i<tree->u.list.num_elements;i++) {
if (dsdb_attr_in_parse_tree(tree->u.list.elements[i],
attr))
return true;
}
return false;
case LDB_OP_NOT:
return dsdb_attr_in_parse_tree(tree->u.isnot.child, attr);
case LDB_OP_EQUALITY:
if (ldb_attr_cmp(tree->u.equality.attr, attr) == 0) {
return true;
}
return false;
case LDB_OP_GREATER:
case LDB_OP_LESS:
case LDB_OP_APPROX:
if (ldb_attr_cmp(tree->u.comparison.attr, attr) == 0) {
return true;
}
return false;
case LDB_OP_SUBSTRING:
if (ldb_attr_cmp(tree->u.substring.attr, attr) == 0) {
return true;
}
return false;
case LDB_OP_PRESENT:
/* (attrname=*) is not filtered out */
return false;
case LDB_OP_EXTENDED:
if (tree->u.extended.attr &&
ldb_attr_cmp(tree->u.extended.attr, attr) == 0) {
return true;
}
return false;
}
return false;
}
int dsdb_werror_at(struct ldb_context *ldb, int ldb_ecode, WERROR werr,
const char *location, const char *func,
const char *reason)
{
if (reason == NULL) {
reason = win_errstr(werr);
}
ldb_asprintf_errstring(ldb, "%08X: %s at %s:%s",
W_ERROR_V(werr), reason, location, func);
return ldb_ecode;
}
/*
map an ldb error code to an approximate NTSTATUS code
*/
NTSTATUS dsdb_ldb_err_to_ntstatus(int err)
{
switch (err) {
case LDB_SUCCESS:
return NT_STATUS_OK;
case LDB_ERR_PROTOCOL_ERROR:
return NT_STATUS_DEVICE_PROTOCOL_ERROR;
case LDB_ERR_TIME_LIMIT_EXCEEDED:
return NT_STATUS_IO_TIMEOUT;
case LDB_ERR_SIZE_LIMIT_EXCEEDED:
return NT_STATUS_BUFFER_TOO_SMALL;
case LDB_ERR_COMPARE_FALSE:
case LDB_ERR_COMPARE_TRUE:
return NT_STATUS_REVISION_MISMATCH;
case LDB_ERR_AUTH_METHOD_NOT_SUPPORTED:
return NT_STATUS_NOT_SUPPORTED;
case LDB_ERR_STRONG_AUTH_REQUIRED:
case LDB_ERR_CONFIDENTIALITY_REQUIRED:
case LDB_ERR_SASL_BIND_IN_PROGRESS:
case LDB_ERR_INAPPROPRIATE_AUTHENTICATION:
case LDB_ERR_INVALID_CREDENTIALS:
case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
case LDB_ERR_UNWILLING_TO_PERFORM:
return NT_STATUS_ACCESS_DENIED;
case LDB_ERR_NO_SUCH_OBJECT:
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
case LDB_ERR_REFERRAL:
case LDB_ERR_NO_SUCH_ATTRIBUTE:
return NT_STATUS_NOT_FOUND;
case LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION:
return NT_STATUS_NOT_SUPPORTED;
case LDB_ERR_ADMIN_LIMIT_EXCEEDED:
return NT_STATUS_BUFFER_TOO_SMALL;
case LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE:
case LDB_ERR_INAPPROPRIATE_MATCHING:
case LDB_ERR_CONSTRAINT_VIOLATION:
case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX:
case LDB_ERR_INVALID_DN_SYNTAX:
case LDB_ERR_NAMING_VIOLATION:
case LDB_ERR_OBJECT_CLASS_VIOLATION:
case LDB_ERR_NOT_ALLOWED_ON_NON_LEAF:
case LDB_ERR_NOT_ALLOWED_ON_RDN:
return NT_STATUS_INVALID_PARAMETER;
case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS:
case LDB_ERR_ENTRY_ALREADY_EXISTS:
return NT_STATUS_ERROR_DS_OBJ_STRING_NAME_EXISTS;
case LDB_ERR_BUSY:
return NT_STATUS_NETWORK_BUSY;
case LDB_ERR_ALIAS_PROBLEM:
case LDB_ERR_ALIAS_DEREFERENCING_PROBLEM:
case LDB_ERR_UNAVAILABLE:
case LDB_ERR_LOOP_DETECT:
case LDB_ERR_OBJECT_CLASS_MODS_PROHIBITED:
case LDB_ERR_AFFECTS_MULTIPLE_DSAS:
case LDB_ERR_OTHER:
case LDB_ERR_OPERATIONS_ERROR:
break;
}
return NT_STATUS_UNSUCCESSFUL;
}
/*
create a new naming context that will hold a partial replica
*/
int dsdb_create_partial_replica_NC(struct ldb_context *ldb, struct ldb_dn *dn)
{
TALLOC_CTX *tmp_ctx = talloc_new(ldb);
struct ldb_message *msg;
int ret;
if (tmp_ctx == NULL) {
return ldb_oom(ldb);
}
msg = ldb_msg_new(tmp_ctx);
if (msg == NULL) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
msg->dn = dn;
ret = ldb_msg_add_string(msg, "objectClass", "top");
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
/* [MS-DRSR] implies that we should only add the 'top'
* objectclass, but that would cause lots of problems with our
* objectclass code as top is not structural, so we add
* 'domainDNS' as well to keep things sane. We're expecting
* this new NC to be of objectclass domainDNS after
* replication anyway
*/
ret = ldb_msg_add_string(msg, "objectClass", "domainDNS");
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
ret = ldb_msg_add_fmt(msg, "instanceType", "%u",
INSTANCE_TYPE_IS_NC_HEAD|
INSTANCE_TYPE_NC_ABOVE|
INSTANCE_TYPE_UNINSTANT);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
ret = dsdb_add(ldb, msg, DSDB_MODIFY_PARTIAL_REPLICA);
if (ret != LDB_SUCCESS && ret != LDB_ERR_ENTRY_ALREADY_EXISTS) {
DEBUG(0,("Failed to create new NC for %s - %s (%s)\n",
ldb_dn_get_linearized(dn),
ldb_errstring(ldb), ldb_strerror(ret)));
talloc_free(tmp_ctx);
return ret;
}
DEBUG(1,("Created new NC for %s\n", ldb_dn_get_linearized(dn)));
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/*
* Return the effective badPwdCount
*
* This requires that the user_msg have (if present):
* - badPasswordTime
* - badPwdCount
*
* This also requires that the domain_msg have (if present):
* - lockOutObservationWindow
*/
int dsdb_effective_badPwdCount(const struct ldb_message *user_msg,
int64_t lockOutObservationWindow,
NTTIME now)
{
int64_t badPasswordTime;
badPasswordTime = ldb_msg_find_attr_as_int64(user_msg, "badPasswordTime", 0);
if (badPasswordTime - lockOutObservationWindow >= now) {
return ldb_msg_find_attr_as_int(user_msg, "badPwdCount", 0);
} else {
return 0;
}
}
/*
* Returns a user's PSO, or NULL if none was found
*/
static struct ldb_result *lookup_user_pso(struct ldb_context *sam_ldb,
TALLOC_CTX *mem_ctx,
const struct ldb_message *user_msg,
const char * const *attrs)
{
struct ldb_result *res = NULL;
struct ldb_dn *pso_dn = NULL;
int ret;
/* if the user has a PSO that applies, then use the PSO's setting */
pso_dn = ldb_msg_find_attr_as_dn(sam_ldb, mem_ctx, user_msg,
"msDS-ResultantPSO");
if (pso_dn != NULL) {
ret = dsdb_search_dn(sam_ldb, mem_ctx, &res, pso_dn, attrs, 0);
if (ret != LDB_SUCCESS) {
/*
* log the error. The caller should fallback to using
* the default domain password settings
*/
DBG_ERR("Error retrieving msDS-ResultantPSO %s for %s\n",
ldb_dn_get_linearized(pso_dn),
ldb_dn_get_linearized(user_msg->dn));
}
talloc_free(pso_dn);
}
return res;
}
/*
* Return the msDS-LockoutObservationWindow for a user message
*
* This requires that the user_msg have (if present):
* - msDS-ResultantPSO
*/
int64_t samdb_result_msds_LockoutObservationWindow(
struct ldb_context *sam_ldb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *domain_dn,
const struct ldb_message *user_msg)
{
int64_t lockOutObservationWindow;
struct ldb_result *res = NULL;
const char *attrs[] = { "msDS-LockoutObservationWindow",
NULL };
if (domain_dn == NULL) {
smb_panic("domain dn is NULL");
}
res = lookup_user_pso(sam_ldb, mem_ctx, user_msg, attrs);
if (res != NULL) {
lockOutObservationWindow =
ldb_msg_find_attr_as_int64(res->msgs[0],
"msDS-LockoutObservationWindow",
DEFAULT_OBSERVATION_WINDOW);
talloc_free(res);
} else {
/* no PSO was found, lookup the default domain setting */
lockOutObservationWindow =
samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn,
"lockOutObservationWindow", NULL);
}
return lockOutObservationWindow;
}
/*
* Return the effective badPwdCount
*
* This requires that the user_msg have (if present):
* - badPasswordTime
* - badPwdCount
* - msDS-ResultantPSO
*/
int samdb_result_effective_badPwdCount(struct ldb_context *sam_ldb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *domain_dn,
const struct ldb_message *user_msg)
{
struct timeval tv_now = timeval_current();
NTTIME now = timeval_to_nttime(&tv_now);
int64_t lockOutObservationWindow =
samdb_result_msds_LockoutObservationWindow(
sam_ldb, mem_ctx, domain_dn, user_msg);
return dsdb_effective_badPwdCount(user_msg, lockOutObservationWindow, now);
}
/*
* Returns the lockoutThreshold that applies. If a PSO is specified, then that
* setting is used over the domain defaults
*/
static int64_t get_lockout_threshold(struct ldb_message *domain_msg,
struct ldb_message *pso_msg)
{
if (pso_msg != NULL) {
return ldb_msg_find_attr_as_int(pso_msg,
"msDS-LockoutThreshold", 0);
} else {
return ldb_msg_find_attr_as_int(domain_msg,
"lockoutThreshold", 0);
}
}
/*
* Returns the lockOutObservationWindow that applies. If a PSO is specified,
* then that setting is used over the domain defaults
*/
static int64_t get_lockout_observation_window(struct ldb_message *domain_msg,
struct ldb_message *pso_msg)
{
if (pso_msg != NULL) {
return ldb_msg_find_attr_as_int64(pso_msg,
"msDS-LockoutObservationWindow",
DEFAULT_OBSERVATION_WINDOW);
} else {
return ldb_msg_find_attr_as_int64(domain_msg,
"lockOutObservationWindow",
DEFAULT_OBSERVATION_WINDOW);
}
}
/*
* Prepare an update to the badPwdCount and associated attributes.
*
* This requires that the user_msg have (if present):
* - objectSid
* - badPasswordTime
* - badPwdCount
*
* This also requires that the domain_msg have (if present):
* - pwdProperties
* - lockoutThreshold
* - lockOutObservationWindow
*
* This also requires that the pso_msg have (if present):
* - msDS-LockoutThreshold
* - msDS-LockoutObservationWindow
*/
NTSTATUS dsdb_update_bad_pwd_count(TALLOC_CTX *mem_ctx,
struct ldb_context *sam_ctx,
struct ldb_message *user_msg,
struct ldb_message *domain_msg,
struct ldb_message *pso_msg,
struct ldb_message **_mod_msg)
{
int ret, badPwdCount;
unsigned int i;
int64_t lockoutThreshold, lockOutObservationWindow;
struct dom_sid *sid;
struct timeval tv_now = timeval_current();
NTTIME now = timeval_to_nttime(&tv_now);
NTSTATUS status;
uint32_t pwdProperties, rid = 0;
struct ldb_message *mod_msg;
sid = samdb_result_dom_sid(mem_ctx, user_msg, "objectSid");
pwdProperties = ldb_msg_find_attr_as_uint(domain_msg,
"pwdProperties", -1);
if (sid && !(pwdProperties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
status = dom_sid_split_rid(NULL, sid, NULL, &rid);
if (!NT_STATUS_IS_OK(status)) {
/*
* This can't happen anyway, but always try
* and update the badPwdCount on failure
*/
rid = 0;
}
}
TALLOC_FREE(sid);
/*
* Work out if we are doing password lockout on the domain.
* Also, the built in administrator account is exempt:
* http://msdn.microsoft.com/en-us/library/windows/desktop/aa375371%28v=vs.85%29.aspx
*/
lockoutThreshold = get_lockout_threshold(domain_msg, pso_msg);
if (lockoutThreshold == 0 || (rid == DOMAIN_RID_ADMINISTRATOR)) {
DEBUG(5, ("Not updating badPwdCount on %s after wrong password\n",
ldb_dn_get_linearized(user_msg->dn)));
return NT_STATUS_OK;
}
mod_msg = ldb_msg_new(mem_ctx);
if (mod_msg == NULL) {
return NT_STATUS_NO_MEMORY;
}
mod_msg->dn = ldb_dn_copy(mod_msg, user_msg->dn);
if (mod_msg->dn == NULL) {
TALLOC_FREE(mod_msg);
return NT_STATUS_NO_MEMORY;
}
lockOutObservationWindow = get_lockout_observation_window(domain_msg,
pso_msg);
badPwdCount = dsdb_effective_badPwdCount(user_msg, lockOutObservationWindow, now);
badPwdCount++;
ret = samdb_msg_add_int(sam_ctx, mod_msg, mod_msg, "badPwdCount", badPwdCount);
if (ret != LDB_SUCCESS) {
TALLOC_FREE(mod_msg);
return NT_STATUS_NO_MEMORY;
}
ret = samdb_msg_add_int64(sam_ctx, mod_msg, mod_msg, "badPasswordTime", now);
if (ret != LDB_SUCCESS) {
TALLOC_FREE(mod_msg);
return NT_STATUS_NO_MEMORY;
}
if (dsdb_account_is_trust(user_msg)) {
/* Trust accounts cannot be locked out. */
} else if (badPwdCount >= lockoutThreshold) {
ret = samdb_msg_add_int64(sam_ctx, mod_msg, mod_msg, "lockoutTime", now);
if (ret != LDB_SUCCESS) {
TALLOC_FREE(mod_msg);
return NT_STATUS_NO_MEMORY;
}
DEBUGC( DBGC_AUTH, 1, ("Locked out user %s after %d wrong passwords\n",
ldb_dn_get_linearized(user_msg->dn), badPwdCount));
} else {
DEBUGC( DBGC_AUTH, 5, ("Updated badPwdCount on %s after %d wrong passwords\n",
ldb_dn_get_linearized(user_msg->dn), badPwdCount));
}
/* mark all the message elements as LDB_FLAG_MOD_REPLACE */
for (i=0; i< mod_msg->num_elements; i++) {
mod_msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
}
*_mod_msg = mod_msg;
return NT_STATUS_OK;
}
/**
* Sets defaults for a User object
* List of default attributes set:
* accountExpires, badPasswordTime, badPwdCount,
* codePage, countryCode, lastLogoff, lastLogon
* logonCount, pwdLastSet
*/
int dsdb_user_obj_set_defaults(struct ldb_context *ldb,
struct ldb_message *usr_obj,
struct ldb_request *req)
{
size_t i;
int ret;
static const struct attribute_values {
const char *name;
const char *value;
const char *add_value;
const char *mod_value;
const char *control;
unsigned add_flags;
unsigned mod_flags;
} map[] = {
{
.name = "accountExpires",
.add_value = "9223372036854775807",
.mod_value = "0",
},
{
.name = "badPasswordTime",
.value = "0"
},
{
.name = "badPwdCount",
.value = "0"
},
{
.name = "codePage",
.value = "0"
},
{
.name = "countryCode",
.value = "0"
},
{
.name = "lastLogoff",
.value = "0"
},
{
.name = "lastLogon",
.value = "0"
},
{
.name = "logonCount",
.value = "0"
},
{
.name = "logonHours",
.add_flags = DSDB_FLAG_INTERNAL_FORCE_META_DATA,
},
{
.name = "pwdLastSet",
.value = "0",
.control = DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET_OID,
},
{
.name = "adminCount",
.mod_value = "0",
},
{
.name = "operatorCount",
.mod_value = "0",
},
};
for (i = 0; i < ARRAY_SIZE(map); i++) {
bool added = false;
const char *value = NULL;
unsigned flags = 0;
if (req != NULL && req->operation == LDB_ADD) {
value = map[i].add_value;
flags = map[i].add_flags;
} else {
value = map[i].mod_value;
flags = map[i].mod_flags;
}
if (value == NULL) {
value = map[i].value;
}
if (value != NULL) {
flags |= LDB_FLAG_MOD_ADD;
}
if (flags == 0) {
continue;
}
ret = samdb_find_or_add_attribute_ex(ldb, usr_obj,
map[i].name,
value, flags,
&added);
if (ret != LDB_SUCCESS) {
return ret;
}
if (req != NULL && added && map[i].control != NULL) {
ret = ldb_request_add_control(req,
map[i].control,
false, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
}
return LDB_SUCCESS;
}
/**
* Sets 'sAMAccountType on user object based on userAccountControl.
* This function is used in processing both 'add' and 'modify' requests.
* @param ldb Current ldb_context
* @param usr_obj ldb_message representing User object
* @param user_account_control Value for userAccountControl flags
* @param account_type_p Optional pointer to account_type to return
* @return LDB_SUCCESS or LDB_ERR* code on failure
*/
int dsdb_user_obj_set_account_type(struct ldb_context *ldb, struct ldb_message *usr_obj,
uint32_t user_account_control, uint32_t *account_type_p)
{
int ret;
uint32_t account_type;
account_type = ds_uf2atype(user_account_control);
if (account_type == 0) {
ldb_set_errstring(ldb, "dsdb: Unrecognized account type!");
return LDB_ERR_UNWILLING_TO_PERFORM;
}
ret = samdb_msg_add_uint_flags(ldb, usr_obj, usr_obj,
"sAMAccountType",
account_type,
LDB_FLAG_MOD_REPLACE);
if (ret != LDB_SUCCESS) {
return ret;
}
if (account_type_p) {
*account_type_p = account_type;
}
return LDB_SUCCESS;
}
/**
* Determine and set primaryGroupID based on userAccountControl value.
* This function is used in processing both 'add' and 'modify' requests.
* @param ldb Current ldb_context
* @param usr_obj ldb_message representing User object
* @param user_account_control Value for userAccountControl flags
* @param group_rid_p Optional pointer to group RID to return
* @return LDB_SUCCESS or LDB_ERR* code on failure
*/
int dsdb_user_obj_set_primary_group_id(struct ldb_context *ldb, struct ldb_message *usr_obj,
uint32_t user_account_control, uint32_t *group_rid_p)
{
int ret;
uint32_t rid;
rid = ds_uf2prim_group_rid(user_account_control);
ret = samdb_msg_add_uint_flags(ldb, usr_obj, usr_obj,
"primaryGroupID", rid,
LDB_FLAG_MOD_REPLACE);
if (ret != LDB_SUCCESS) {
return ret;
}
if (group_rid_p) {
*group_rid_p = rid;
}
return LDB_SUCCESS;
}
/**
* Returns True if the source and target DNs both have the same naming context,
* i.e. they're both in the same partition.
*/
bool dsdb_objects_have_same_nc(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *source_dn,
struct ldb_dn *target_dn)
{
TALLOC_CTX *tmp_ctx;
struct ldb_dn *source_nc = NULL;
struct ldb_dn *target_nc = NULL;
int ret;
bool same_nc = true;
tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
return ldb_oom(ldb);
}
ret = dsdb_find_nc_root(ldb, tmp_ctx, source_dn, &source_nc);
/* fix clang warning */
if (source_nc == NULL) {
ret = LDB_ERR_OTHER;
}
if (ret != LDB_SUCCESS) {
DBG_ERR("Failed to find base DN for source %s: %s\n",
ldb_dn_get_linearized(source_dn), ldb_errstring(ldb));
talloc_free(tmp_ctx);
return true;
}
ret = dsdb_find_nc_root(ldb, tmp_ctx, target_dn, &target_nc);
/* fix clang warning */
if (target_nc == NULL) {
ret = LDB_ERR_OTHER;
}
if (ret != LDB_SUCCESS) {
DBG_ERR("Failed to find base DN for target %s: %s\n",
ldb_dn_get_linearized(target_dn), ldb_errstring(ldb));
talloc_free(tmp_ctx);
return true;
}
same_nc = (ldb_dn_compare(source_nc, target_nc) == 0);
talloc_free(tmp_ctx);
return same_nc;
}
/*
* Context for dsdb_count_domain_callback
*/
struct dsdb_count_domain_context {
/*
* Number of matching records
*/
size_t count;
/*
* sid of the domain that the records must belong to.
* if NULL records can belong to any domain.
*/
struct dom_sid *dom_sid;
};
/*
* @brief ldb async callback for dsdb_domain_count.
*
* count the number of records in the database matching an LDAP query,
* optionally filtering for domain membership.
*
* @param [in,out] req the ldb request being processed
* req->context contains:
* count The number of matching records
* dom_sid The domain sid, if present records must belong
* to the domain to be counted.
*@param [in,out] ares The query result.
*
* @return an LDB error code
*
*/
static int dsdb_count_domain_callback(
struct ldb_request *req,
struct ldb_reply *ares)
{
if (ares == NULL) {
return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
}
if (ares->error != LDB_SUCCESS) {
int error = ares->error;
TALLOC_FREE(ares);
return ldb_request_done(req, error);
}
switch (ares->type) {
case LDB_REPLY_ENTRY:
{
struct dsdb_count_domain_context *context = NULL;
ssize_t ret;
bool in_domain;
struct dom_sid sid;
const struct ldb_val *v;
context = req->context;
if (context->dom_sid == NULL) {
context->count++;
break;
}
v = ldb_msg_find_ldb_val(ares->message, "objectSid");
if (v == NULL) {
break;
}
ret = sid_parse(v->data, v->length, &sid);
if (ret == -1) {
break;
}
in_domain = dom_sid_in_domain(context->dom_sid, &sid);
if (!in_domain) {
break;
}
context->count++;
break;
}
case LDB_REPLY_REFERRAL:
break;
case LDB_REPLY_DONE:
TALLOC_FREE(ares);
return ldb_request_done(req, LDB_SUCCESS);
}
TALLOC_FREE(ares);
return LDB_SUCCESS;
}
/*
* @brief Count the number of records matching a query.
*
* Count the number of entries in the database matching the supplied query,
* optionally filtering only those entries belonging to the supplied domain.
*
* @param ldb [in] Current ldb context
* @param count [out] Pointer to the count
* @param base [in] The base dn for the query
* @param dom_sid [in] The domain sid, if non NULL records that are not a member
* of the domain are ignored.
* @param scope [in] Search scope.
* @param exp_fmt [in] format string for the query.
*
* @return LDB_STATUS code.
*/
int PRINTF_ATTRIBUTE(6, 7) dsdb_domain_count(
struct ldb_context *ldb,
size_t *count,
struct ldb_dn *base,
struct dom_sid *dom_sid,
enum ldb_scope scope,
const char *exp_fmt, ...)
{
TALLOC_CTX *tmp_ctx = NULL;
struct ldb_request *req = NULL;
struct dsdb_count_domain_context *context = NULL;
char *expression = NULL;
const char *object_sid[] = {"objectSid", NULL};
const char *none[] = {NULL};
va_list ap;
int ret;
*count = 0;
tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) {
return ldb_oom(ldb);
}
context = talloc_zero(tmp_ctx, struct dsdb_count_domain_context);
if (context == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
context->dom_sid = dom_sid;
if (exp_fmt) {
va_start(ap, exp_fmt);
expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
va_end(ap);
if (expression == NULL) {
TALLOC_FREE(context);
TALLOC_FREE(tmp_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
}
ret = ldb_build_search_req(
&req,
ldb,
tmp_ctx,
base,
scope,
expression,
(dom_sid == NULL) ? none : object_sid,
NULL,
context,
dsdb_count_domain_callback,
NULL);
ldb_req_set_location(req, "dsdb_domain_count");
if (ret != LDB_SUCCESS) goto done;
ret = ldb_request(ldb, req);
if (ret == LDB_SUCCESS) {
ret = ldb_wait(req->handle, LDB_WAIT_ALL);
if (ret == LDB_SUCCESS) {
*count = context->count;
}
}
done:
TALLOC_FREE(expression);
TALLOC_FREE(req);
TALLOC_FREE(context);
TALLOC_FREE(tmp_ctx);
return ret;
}
/*
* Returns 1 if 'sids' contains the Protected Users group SID for the domain, 0
* if not. Returns a negative value on error.
*/
int dsdb_is_protected_user(struct ldb_context *ldb,
const struct auth_SidAttr *sids,
uint32_t num_sids)
{
const struct dom_sid *domain_sid = NULL;
struct dom_sid protected_users_sid;
uint32_t i;
domain_sid = samdb_domain_sid(ldb);
if (domain_sid == NULL) {
return -1;
}
protected_users_sid = *domain_sid;
if (!sid_append_rid(&protected_users_sid, DOMAIN_RID_PROTECTED_USERS)) {
return -1;
}
for (i = 0; i < num_sids; ++i) {
if (dom_sid_equal(&protected_users_sid, &sids[i].sid)) {
return 1;
}
}
return 0;
}
bool dsdb_account_is_trust(const struct ldb_message *msg)
{
uint32_t userAccountControl;
userAccountControl = ldb_msg_find_attr_as_uint(msg,
"userAccountControl",
0);
return userAccountControl & UF_TRUST_ACCOUNT_MASK;
}