git.samba.org / abartlet / samba.git / .git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
s4-dsdb: moved a bunch of fuctions from schema/schema_info_attr.c to samdb/ldb_module...
[abartlet/samba.git/.git] / source4 / dsdb / samdb / ldb_modules / samldb.c
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index bf804fd54c96987f3475a47b3615d8411972a631..21b6506fb9328c7d9abb98d8340859d83288117d 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -24,7 +24,7 @@
  *
  *  Component: ldb samldb module
  *
- *  Description: add embedded user/group creation functionality
+ *  Description: various internal DSDB triggers - most for SAM specific objects
  *
  *  Author: Simo Sorce
  */
@@ -37,7 +37,6 @@
 #include "dsdb/samdb/ldb_modules/ridalloc.h"
 #include "libcli/security/security.h"
 #include "librpc/gen_ndr/ndr_security.h"
-#include "../lib/util/util_ldb.h"
 #include "ldb_wrap.h"
 #include "param/param.h"
 
@@ -166,14 +165,14 @@ static int samldb_check_sAMAccountName(struct samldb_ctx *ac)
 {
        struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
        const char *name;
-        int ret;
+       int ret;
 
-        if (ldb_msg_find_element(ac->msg, "sAMAccountName") == NULL) {
-                ret = samldb_generate_sAMAccountName(ldb, ac->msg);
-                if (ret != LDB_SUCCESS) {
-                        return ret;
-                }
-        }
+       if (ldb_msg_find_element(ac->msg, "sAMAccountName") == NULL) {
+               ret = samldb_generate_sAMAccountName(ldb, ac->msg);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
+       }
 
        name = ldb_msg_find_attr_as_string(ac->msg, "sAMAccountName", NULL);
        if (name == NULL) {
@@ -192,107 +191,6 @@ static int samldb_check_sAMAccountName(struct samldb_ctx *ac)
        return samldb_next_step(ac);
 }
 
-/* sAMAccountType handling */
-
-static int samldb_check_sAMAccountType(struct samldb_ctx *ac)
-{
-       struct ldb_context *ldb;
-       unsigned int account_type;
-       unsigned int group_type;
-       unsigned int uac;
-       int ret;
-
-       ldb = ldb_module_get_ctx(ac->module);
-
-       /* make sure sAMAccountType is not specified */
-       if (ldb_msg_find_element(ac->msg, "sAMAccountType") != NULL) {
-               ldb_asprintf_errstring(ldb,
-                       "sAMAccountType must not be specified!");
-               return LDB_ERR_UNWILLING_TO_PERFORM;
-       }
-
-       if (strcmp("user", ac->type) == 0) {
-               uac = samdb_result_uint(ac->msg, "userAccountControl", 0);
-               if (uac == 0) {
-                       ldb_asprintf_errstring(ldb,
-                               "userAccountControl invalid!");
-                       return LDB_ERR_UNWILLING_TO_PERFORM;
-               } else {
-                       account_type = ds_uf2atype(uac);
-                       ret = samdb_msg_add_uint(ldb,
-                                                ac->msg, ac->msg,
-                                                "sAMAccountType",
-                                                account_type);
-                       if (ret != LDB_SUCCESS) {
-                               return ret;
-                       }
-               }
-       } else if (strcmp("group", ac->type) == 0) {
-               group_type = samdb_result_uint(ac->msg, "groupType", 0);
-               if (group_type == 0) {
-                       ldb_asprintf_errstring(ldb,
-                               "groupType invalid!\n");
-                       return LDB_ERR_UNWILLING_TO_PERFORM;
-               } else {
-                       account_type = ds_gtype2atype(group_type);
-                       ret = samdb_msg_add_uint(ldb,
-                                                ac->msg, ac->msg,
-                                                "sAMAccountType",
-                                                account_type);
-                       if (ret != LDB_SUCCESS) {
-                               return ret;
-                       }
-               }
-       }
-
-       return samldb_next_step(ac);
-}
-
-/* primaryGroupID handling */
-
-static int samldb_check_primaryGroupID(struct samldb_ctx *ac)
-{
-       struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
-       struct ldb_dn *prim_group_dn;
-       uint32_t rid;
-       struct dom_sid *sid;
-       int ret;
-
-       rid = samdb_result_uint(ac->msg, "primaryGroupID", (uint32_t) -1);
-       if (rid == (uint32_t) -1) {
-               uint32_t uac = samdb_result_uint(ac->msg, "userAccountControl",
-                                                0);
-
-               rid = ds_uf2prim_group_rid(uac);
-
-               ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg,
-                                        "primaryGroupID", rid);
-               if (ret != LDB_SUCCESS) {
-                       return ret;
-               }
-       } else if (!ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
-               ldb_set_errstring(ldb,
-                                 "The primary group isn't settable on add operations!");
-               return LDB_ERR_UNWILLING_TO_PERFORM;
-       }
-
-       sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid);
-       if (sid == NULL) {
-               return ldb_operr(ldb);
-       }
-
-       prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
-                                       ldap_encode_ndr_dom_sid(ac, sid));
-       if (prim_group_dn == NULL) {
-               ldb_asprintf_errstring(ldb,
-                                      "Failed to find primary group with RID %u!",
-                                      rid);
-               return LDB_ERR_UNWILLING_TO_PERFORM;
-       }
-
-       return samldb_next_step(ac);
-}
-
 
 static bool samldb_msg_add_sid(struct ldb_message *msg,
                                const char *name,
@@ -360,7 +258,7 @@ static bool samldb_krbtgtnumber_available(struct samldb_ctx *ac, unsigned krbtgt
 static int samldb_rodc_add(struct samldb_ctx *ac)
 {
        struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
-       unsigned krbtgt_number, i_start, i;
+       uint32_t krbtgt_number, i_start, i;
        int ret;
        char *newpass;
 
@@ -383,7 +281,7 @@ static int samldb_rodc_add(struct samldb_ctx *ac)
                }
        }
 
-       ldb_asprintf_errstring(ldb_module_get_ctx(ac->module),
+       ldb_asprintf_errstring(ldb,
                               "%08X: Unable to find available msDS-SecondaryKrbTgtNumber",
                               W_ERROR_V(WERR_NO_SYSTEM_RESOURCES));
        return LDB_ERR_OTHER;
@@ -394,7 +292,8 @@ found:
                return ldb_operr(ldb);
        }
 
-       ret = ldb_msg_add_fmt(ac->msg, "msDS-SecondaryKrbTgtNumber", "%u", krbtgt_number);
+       ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg,
+                                "msDS-SecondaryKrbTgtNumber", krbtgt_number);
        if (ret != LDB_SUCCESS) {
                return ldb_operr(ldb);
        }
@@ -422,7 +321,7 @@ static int samldb_find_for_defaultObjectCategory(struct samldb_ctx *ac)
        struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
        struct ldb_result *res;
        const char *no_attrs[] = { NULL };
-        int ret;
+       int ret;
 
        ac->res_dn = NULL;
 
@@ -459,7 +358,7 @@ static int samldb_add_handle_msDS_IntId(struct samldb_ctx *ac)
        int ret;
        bool id_exists;
        uint32_t msds_intid;
-       uint32_t system_flags;
+       int32_t system_flags;
        struct ldb_context *ldb;
        struct ldb_result *ldb_res;
        struct ldb_dn *schema_dn;
@@ -489,7 +388,7 @@ static int samldb_add_handle_msDS_IntId(struct samldb_ctx *ac)
        }
 
        /* check systemFlags for SCHEMA_BASE_OBJECT flag */
-       system_flags = ldb_msg_find_attr_as_uint(ac->msg, "systemFlags", 0);
+       system_flags = ldb_msg_find_attr_as_int(ac->msg, "systemFlags", 0);
        if (system_flags & SYSTEM_FLAG_SCHEMA_BASE_OBJECT) {
                return LDB_SUCCESS;
        }
@@ -523,7 +422,8 @@ static int samldb_add_handle_msDS_IntId(struct samldb_ctx *ac)
                talloc_free(ldb_res);
        } while(id_exists);
 
-       return ldb_msg_add_fmt(ac->msg, "msDS-IntId", "%d", msds_intid);
+       return samdb_msg_add_int(ldb, ac->msg, ac->msg, "msDS-IntId",
+                                msds_intid);
 }
 
 
@@ -615,51 +515,35 @@ static bool check_rodc_critical_attribute(struct ldb_message *msg)
 
 static int samldb_fill_object(struct samldb_ctx *ac)
 {
-       struct ldb_context *ldb;
-       struct loadparm_context *lp_ctx;
-       enum sid_generator sid_generator;
+       struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
        int ret;
-       struct ldb_control *rodc_control;
-       struct dom_sid *sid;
-
-       ldb = ldb_module_get_ctx(ac->module);
 
        /* Add informations for the different account types */
        if (strcmp(ac->type, "user") == 0) {
-               ret = samdb_find_or_add_attribute(ldb, ac->msg,
-                       "userAccountControl", "546");
-               if (ret != LDB_SUCCESS) return ret;
-               ret = samdb_find_or_add_attribute(ldb, ac->msg,
-                       "badPwdCount", "0");
-               if (ret != LDB_SUCCESS) return ret;
-               ret = samdb_find_or_add_attribute(ldb, ac->msg,
-                       "codePage", "0");
-               if (ret != LDB_SUCCESS) return ret;
-               ret = samdb_find_or_add_attribute(ldb, ac->msg,
-                       "countryCode", "0");
-               if (ret != LDB_SUCCESS) return ret;
-               ret = samdb_find_or_add_attribute(ldb, ac->msg,
-                       "badPasswordTime", "0");
-               if (ret != LDB_SUCCESS) return ret;
-               ret = samdb_find_or_add_attribute(ldb, ac->msg,
-                       "lastLogoff", "0");
-               if (ret != LDB_SUCCESS) return ret;
-               ret = samdb_find_or_add_attribute(ldb, ac->msg,
-                       "lastLogon", "0");
-               if (ret != LDB_SUCCESS) return ret;
-               ret = samdb_find_or_add_attribute(ldb, ac->msg,
-                       "pwdLastSet", "0");
-               if (ret != LDB_SUCCESS) return ret;
-               ret = samdb_find_or_add_attribute(ldb, ac->msg,
-                       "accountExpires", "9223372036854775807");
+               struct ldb_control *rodc_control = ldb_request_get_control(ac->req,
+                                                                          LDB_CONTROL_RODC_DCPROMO_OID);
+               if (rodc_control != NULL) {
+                       /* see [MS-ADTS] 3.1.1.3.4.1.23 LDAP_SERVER_RODC_DCPROMO_OID */
+                       rodc_control->critical = false;
+                       ret = samldb_add_step(ac, samldb_rodc_add);
+                       if (ret != LDB_SUCCESS) return ret;
+               }
+
+               /* check if we have a valid sAMAccountName */
+               ret = samldb_add_step(ac, samldb_check_sAMAccountName);
                if (ret != LDB_SUCCESS) return ret;
-               ret = samdb_find_or_add_attribute(ldb, ac->msg,
-                       "logonCount", "0");
+
+               ret = samldb_add_step(ac, samldb_add_entry);
                if (ret != LDB_SUCCESS) return ret;
+
        } else if (strcmp(ac->type, "group") == 0) {
-               ret = samdb_find_or_add_attribute(ldb, ac->msg,
-                       "groupType", "-2147483646");
+               /* check if we have a valid sAMAccountName */
+               ret = samldb_add_step(ac, samldb_check_sAMAccountName);
                if (ret != LDB_SUCCESS) return ret;
+
+               ret = samldb_add_step(ac, samldb_add_entry);
+               if (ret != LDB_SUCCESS) return ret;
+
        } else if (strcmp(ac->type, "classSchema") == 0) {
                const struct ldb_val *rdn_value, *def_obj_cat_val;
 
@@ -675,7 +559,6 @@ static int samldb_fill_object(struct samldb_ctx *ac)
                        return LDB_ERR_UNWILLING_TO_PERFORM;
                }
 
-
                rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
                if (!ldb_msg_find_element(ac->msg, "lDAPDisplayName")) {
                        /* the RDN has prefix "CN" */
@@ -738,7 +621,6 @@ static int samldb_fill_object(struct samldb_ctx *ac)
                ret = samldb_add_step(ac, samldb_find_for_defaultObjectCategory);
                if (ret != LDB_SUCCESS) return ret;
 
-               return samldb_first_step(ac);
        } else if (strcmp(ac->type, "attributeSchema") == 0) {
                const struct ldb_val *rdn_value;
                rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
@@ -783,59 +665,12 @@ static int samldb_fill_object(struct samldb_ctx *ac)
                ret = samldb_add_step(ac, samldb_add_entry);
                if (ret != LDB_SUCCESS) return ret;
 
-               return samldb_first_step(ac);
        } else {
                ldb_asprintf_errstring(ldb,
                        "Invalid entry type!");
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
-       rodc_control = ldb_request_get_control(ac->req, LDB_CONTROL_RODC_DCPROMO_OID);
-       if (rodc_control) {
-               /* see [MS-ADTS] 3.1.1.3.4.1.23 LDAP_SERVER_RODC_DCPROMO_OID */
-               rodc_control->critical = false;
-               ret = samldb_add_step(ac, samldb_rodc_add);
-               if (ret != LDB_SUCCESS) return ret;
-       }
-
-       /* check if we have a valid sAMAccountName */
-       ret = samldb_add_step(ac, samldb_check_sAMAccountName);
-       if (ret != LDB_SUCCESS) return ret;
-
-       /* check account_type/group_type */
-       ret = samldb_add_step(ac, samldb_check_sAMAccountType);
-       if (ret != LDB_SUCCESS) return ret;
-
-       /* check if we have a valid primary group ID */
-       if (strcmp(ac->type, "user") == 0) {
-               ret = samldb_add_step(ac, samldb_check_primaryGroupID);
-               if (ret != LDB_SUCCESS) return ret;
-       }
-
-       lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
-                struct loadparm_context);
-
-       /* don't allow objectSid to be specified without the RELAX control */
-       sid = samdb_result_dom_sid(ac, ac->msg, "objectSid");
-       if (sid && !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) &&
-           !dsdb_module_am_system(ac->module)) {
-               ldb_asprintf_errstring(ldb, "No SID may be specified in user/group creation for %s",
-                                      ldb_dn_get_linearized(ac->msg->dn));
-               return LDB_ERR_UNWILLING_TO_PERFORM;
-       }
-
-       if (sid == NULL) {
-               sid_generator = lpcfg_sid_generator(lp_ctx);
-               if (sid_generator == SID_GENERATOR_INTERNAL) {
-                       ret = samldb_add_step(ac, samldb_allocate_sid);
-                       if (ret != LDB_SUCCESS) return ret;
-               }
-       }
-
-       /* finally proceed with adding the entry */
-       ret = samldb_add_step(ac, samldb_add_entry);
-       if (ret != LDB_SUCCESS) return ret;
-
        return samldb_first_step(ac);
 }
 
@@ -871,7 +706,7 @@ static int samldb_fill_foreignSecurityPrincipal_object(struct samldb_ctx *ac)
 
 static int samldb_schema_info_update(struct samldb_ctx *ac)
 {
-       WERROR werr;
+       int ret;
        struct ldb_context *ldb;
        struct dsdb_schema *schema;
 
@@ -894,23 +729,260 @@ static int samldb_schema_info_update(struct samldb_ctx *ac)
                return ldb_operr(ldb);
        }
 
-       werr = dsdb_module_schema_info_update(ac->module, schema, DSDB_FLAG_NEXT_MODULE);
-       if (!W_ERROR_IS_OK(werr)) {
-               ldb_debug_set(ldb, LDB_DEBUG_FATAL,
-                             "samldb_schema_info_update: "
-                             "dsdb_module_schema_info_update failed with %s",
-                             win_errstr(werr));
-               DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
-               return ldb_operr(ldb);
+       ret = dsdb_module_schema_info_update(ac->module, schema, DSDB_FLAG_NEXT_MODULE);
+       if (ret != LDB_SUCCESS) {
+               ldb_asprintf_errstring(ldb, "samldb_schema_info_update: dsdb_module_schema_info_update failed with %s",
+                                      ldb_errstring(ldb));
+               return ret;
+       }
+
+       return LDB_SUCCESS;
+}
+
+/*
+ * "Objectclass" trigger (MS-SAMR 3.1.1.8.1)
+ *
+ * Has to be invoked on "add" and "modify" operations on "user", "computer" and
+ * "group" objects.
+ * ac->msg contains the "add"/"modify" message
+ * ac->type contains the object type (main objectclass)
+ */
+static int samldb_objectclass_trigger(struct samldb_ctx *ac)
+{
+       struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
+       struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb,
+                                        "loadparm"), struct loadparm_context);
+       struct ldb_message_element *el, *el2;
+       enum sid_generator sid_generator;
+       struct dom_sid *sid;
+       const char *tempstr;
+       int ret;
+
+       /* make sure that "sAMAccountType" is not specified */
+       el = ldb_msg_find_element(ac->msg, "sAMAccountType");
+       if (el != NULL) {
+               ldb_set_errstring(ldb,
+                       "samldb: sAMAccountType must not be specified!");
+               return LDB_ERR_UNWILLING_TO_PERFORM;
+       }
+
+       /* Step 1: objectSid assignment */
+
+       /* Don't allow the objectSid to be changed. But beside the RELAX
+        * control we have also to guarantee that it can always be set with
+        * SYSTEM permissions. This is needed for the "samba3sam" backend. */
+       sid = samdb_result_dom_sid(ac, ac->msg, "objectSid");
+       if ((sid != NULL) && (!dsdb_module_am_system(ac->module)) &&
+           (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) {
+               ldb_asprintf_errstring(ldb, "No SID may be specified in user/group modifications for %s",
+                                      ldb_dn_get_linearized(ac->msg->dn));
+               return LDB_ERR_UNWILLING_TO_PERFORM;
+       }
+
+       /* but generate a new SID when we do have an add operations */
+       if ((sid == NULL) && (ac->req->operation == LDB_ADD)) {
+               sid_generator = lpcfg_sid_generator(lp_ctx);
+               if (sid_generator == SID_GENERATOR_INTERNAL) {
+                       ret = samldb_add_step(ac, samldb_allocate_sid);
+                       if (ret != LDB_SUCCESS) return ret;
+               }
+       }
+
+       if (strcmp(ac->type, "user") == 0) {
+               /* Step 1.2: Default values */
+               tempstr = talloc_asprintf(ac->msg, "%d", UF_NORMAL_ACCOUNT);
+               if (tempstr == NULL) return ldb_operr(ldb);
+               ret = samdb_find_or_add_attribute(ldb, ac->msg,
+                       "userAccountControl", tempstr);
+               if (ret != LDB_SUCCESS) return ret;
+               ret = samdb_find_or_add_attribute(ldb, ac->msg,
+                       "badPwdCount", "0");
+               if (ret != LDB_SUCCESS) return ret;
+               ret = samdb_find_or_add_attribute(ldb, ac->msg,
+                       "codePage", "0");
+               if (ret != LDB_SUCCESS) return ret;
+               ret = samdb_find_or_add_attribute(ldb, ac->msg,
+                       "countryCode", "0");
+               if (ret != LDB_SUCCESS) return ret;
+               ret = samdb_find_or_add_attribute(ldb, ac->msg,
+                       "badPasswordTime", "0");
+               if (ret != LDB_SUCCESS) return ret;
+               ret = samdb_find_or_add_attribute(ldb, ac->msg,
+                       "lastLogoff", "0");
+               if (ret != LDB_SUCCESS) return ret;
+               ret = samdb_find_or_add_attribute(ldb, ac->msg,
+                       "lastLogon", "0");
+               if (ret != LDB_SUCCESS) return ret;
+               ret = samdb_find_or_add_attribute(ldb, ac->msg,
+                       "pwdLastSet", "0");
+               if (ret != LDB_SUCCESS) return ret;
+               ret = samdb_find_or_add_attribute(ldb, ac->msg,
+                       "accountExpires", "9223372036854775807");
+               if (ret != LDB_SUCCESS) return ret;
+               ret = samdb_find_or_add_attribute(ldb, ac->msg,
+                       "logonCount", "0");
+               if (ret != LDB_SUCCESS) return ret;
+
+               el = ldb_msg_find_element(ac->msg, "userAccountControl");
+               if (el != NULL) {
+                       uint32_t user_account_control, account_type;
+
+                       /* Step 1.3: "userAccountControl" -> "sAMAccountType" mapping */
+                       user_account_control = ldb_msg_find_attr_as_uint(ac->msg,
+                                                                        "userAccountControl",
+                                                                        0);
+
+                       /* Temporary duplicate accounts aren't allowed */
+                       if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) {
+                               return LDB_ERR_OTHER;
+                       }
+
+                       account_type = ds_uf2atype(user_account_control);
+                       if (account_type == 0) {
+                               ldb_set_errstring(ldb, "samldb: Unrecognized account type!");
+                               return LDB_ERR_UNWILLING_TO_PERFORM;
+                       }
+                       ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg,
+                                                "sAMAccountType",
+                                                account_type);
+                       if (ret != LDB_SUCCESS) {
+                               return ret;
+                       }
+                       el2 = ldb_msg_find_element(ac->msg, "sAMAccountType");
+                       el2->flags = LDB_FLAG_MOD_REPLACE;
+
+                       if (user_account_control &
+                           (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) {
+                               ret = samdb_msg_set_string(ldb, ac->msg, ac->msg,
+                                                          "isCriticalSystemObject",
+                                                          "TRUE");
+                               if (ret != LDB_SUCCESS) {
+                                       return ret;
+                               }
+                               el2 = ldb_msg_find_element(ac->msg,
+                                                          "isCriticalSystemObject");
+                               el2->flags = LDB_FLAG_MOD_REPLACE;
+                       }
+
+                       /* Step 1.4: "userAccountControl" -> "primaryGroupID" mapping */
+                       if (!ldb_msg_find_element(ac->msg, "primaryGroupID")) {
+                               uint32_t rid = ds_uf2prim_group_rid(user_account_control);
+                               ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg,
+                                                        "primaryGroupID", rid);
+                               if (ret != LDB_SUCCESS) {
+                                       return ret;
+                               }
+                               el2 = ldb_msg_find_element(ac->msg,
+                                                          "primaryGroupID");
+                               el2->flags = LDB_FLAG_MOD_REPLACE;
+                       }
+
+                       /* Step 1.5: Add additional flags when needed */
+                       if ((user_account_control & UF_NORMAL_ACCOUNT) &&
+                           (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) {
+                               user_account_control |= UF_ACCOUNTDISABLE;
+                               user_account_control |= UF_PASSWD_NOTREQD;
+
+                               ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg,
+                                                        "userAccountControl",
+                                                        user_account_control);
+                               if (ret != LDB_SUCCESS) {
+                                       return ret;
+                               }
+                       }
+               }
+
+       } else if (strcmp(ac->type, "group") == 0) {
+               /* Step 2.2: Default values */
+               tempstr = talloc_asprintf(ac->msg, "%d",
+                                         GTYPE_SECURITY_GLOBAL_GROUP);
+               if (tempstr == NULL) return ldb_operr(ldb);
+               ret = samdb_find_or_add_attribute(ldb, ac->msg,
+                       "groupType", tempstr);
+               if (ret != LDB_SUCCESS) return ret;
+
+               /* Step 2.3: "groupType" -> "sAMAccountType" */
+               el = ldb_msg_find_element(ac->msg, "groupType");
+               if (el != NULL) {
+                       uint32_t group_type, account_type;
+
+                       group_type = ldb_msg_find_attr_as_uint(ac->msg,
+                                                              "groupType", 0);
+
+                       /* The creation of builtin groups requires the
+                        * RELAX control */
+                       if (group_type == GTYPE_SECURITY_BUILTIN_LOCAL_GROUP) {
+                               if (ldb_request_get_control(ac->req,
+                                                           LDB_CONTROL_RELAX_OID) == NULL) {
+                                       return LDB_ERR_UNWILLING_TO_PERFORM;
+                               }
+                       }
+
+                       account_type = ds_gtype2atype(group_type);
+                       if (account_type == 0) {
+                               ldb_set_errstring(ldb, "samldb: Unrecognized account type!");
+                               return LDB_ERR_UNWILLING_TO_PERFORM;
+                       }
+                       ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg,
+                                                "sAMAccountType",
+                                                account_type);
+                       if (ret != LDB_SUCCESS) {
+                               return ret;
+                       }
+                       el2 = ldb_msg_find_element(ac->msg, "sAMAccountType");
+                       el2->flags = LDB_FLAG_MOD_REPLACE;
+               }
        }
 
        return LDB_SUCCESS;
 }
 
+/*
+ * "Primary group ID" trigger (MS-SAMR 3.1.1.8.2)
+ *
+ * Has to be invoked on "add" and "modify" operations on "user" and "computer"
+ * objects.
+ * ac->msg contains the "add"/"modify" message
+ */
+
+static int samldb_prim_group_set(struct samldb_ctx *ac)
+{
+       struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
+       struct ldb_dn *prim_group_dn;
+       uint32_t rid;
+       struct dom_sid *sid;
+
+       rid = ldb_msg_find_attr_as_uint(ac->msg, "primaryGroupID", (uint32_t) -1);
+       if (rid == (uint32_t) -1) {
+               /* we aren't affected of any primary group set */
+               return LDB_SUCCESS;
+
+       } else if (!ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
+               ldb_set_errstring(ldb,
+                                 "The primary group isn't settable on add operations!");
+               return LDB_ERR_UNWILLING_TO_PERFORM;
+       }
+
+       sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid);
+       if (sid == NULL) {
+               return ldb_operr(ldb);
+       }
+
+       prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)",
+                                       ldap_encode_ndr_dom_sid(ac, sid));
+       if (prim_group_dn == NULL) {
+               ldb_asprintf_errstring(ldb,
+                                      "Failed to find primary group with RID %u!",
+                                      rid);
+               return LDB_ERR_UNWILLING_TO_PERFORM;
+       }
+
+       return LDB_SUCCESS;
+}
 
 static int samldb_prim_group_change(struct samldb_ctx *ac)
 {
-       struct ldb_context *ldb;
+       struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
        const char * attrs[] = { "primaryGroupID", "memberOf", NULL };
        struct ldb_result *res;
        struct ldb_message_element *el;
@@ -920,8 +992,6 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
        struct ldb_dn *prev_prim_group_dn, *new_prim_group_dn;
        int ret;
 
-       ldb = ldb_module_get_ctx(ac->module);
-
        /* Fetch informations from the existing object */
 
        ret = ldb_search(ldb, ac, &res, ac->msg->dn, LDB_SCOPE_BASE, attrs,
@@ -932,7 +1002,7 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 
        /* Finds out the DN of the old primary group */
 
-       rid = samdb_result_uint(res->msgs[0], "primaryGroupID", (uint32_t) -1);
+       rid = ldb_msg_find_attr_as_uint(res->msgs[0], "primaryGroupID", (uint32_t) -1);
        if (rid == (uint32_t) -1) {
                /* User objects do always have a mandatory "primaryGroupID"
                 * attribute. If this doesn't exist then the object is of the
@@ -953,7 +1023,7 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 
        /* Finds out the DN of the new primary group */
 
-       rid = samdb_result_uint(ac->msg, "primaryGroupID", (uint32_t) -1);
+       rid = ldb_msg_find_attr_as_uint(ac->msg, "primaryGroupID", (uint32_t) -1);
        if (rid == (uint32_t) -1) {
                /* we aren't affected of any primary group change */
                return LDB_SUCCESS;
@@ -1016,6 +1086,18 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
        return LDB_SUCCESS;
 }
 
+static int samldb_prim_group_trigger(struct samldb_ctx *ac)
+{
+       int ret;
+
+       if (ac->req->operation == LDB_ADD) {
+               ret = samldb_prim_group_set(ac);
+       } else {
+               ret = samldb_prim_group_change(ac);
+       }
+
+       return ret;
+}
 
 static int samldb_member_check(struct samldb_ctx *ac)
 {
@@ -1104,12 +1186,29 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req)
        if (samdb_find_attribute(ldb, ac->msg,
                                 "objectclass", "user") != NULL) {
                ac->type = "user";
+
+               ret = samldb_prim_group_trigger(ac);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
+
+               ret = samldb_objectclass_trigger(ac);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
+
                return samldb_fill_object(ac);
        }
 
        if (samdb_find_attribute(ldb, ac->msg,
                                 "objectclass", "group") != NULL) {
                ac->type = "group";
+
+               ret = samldb_objectclass_trigger(ac);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
+
                return samldb_fill_object(ac);
        }
 
@@ -1167,11 +1266,22 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 
        ldb = ldb_module_get_ctx(module);
 
-       if (ldb_msg_find_element(req->op.mod.message, "sAMAccountType") != NULL) {
-               ldb_asprintf_errstring(ldb,
-                       "sAMAccountType must not be specified!");
+       /* make sure that "sAMAccountType" is not specified */
+       el = ldb_msg_find_element(req->op.mod.message, "sAMAccountType");
+       if (el != NULL) {
+               ldb_set_errstring(ldb,
+                       "samldb: sAMAccountType must not be specified!");
                return LDB_ERR_UNWILLING_TO_PERFORM;
        }
+       /* make sure that "isCriticalSystemObject" is not specified */
+       el = ldb_msg_find_element(req->op.mod.message, "isCriticalSystemObject");
+       if (el != NULL) {
+               if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) == NULL) {
+                       ldb_set_errstring(ldb,
+                               "samldb: isCriticalSystemObject must not be specified!");
+                       return LDB_ERR_UNWILLING_TO_PERFORM;
+               }
+       }
 
        /* msDS-IntId is not allowed to be modified
         * except when modification comes from replication */
@@ -1197,12 +1307,58 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 
        el = ldb_msg_find_element(ac->msg, "groupType");
        if (el && (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
-               uint32_t group_type;
+               uint32_t group_type, old_group_type;
 
                modified = true;
 
-               group_type = strtoul((const char *)el->values[0].data, NULL, 0);
+               group_type = ldb_msg_find_attr_as_uint(ac->msg, "groupType", 0);
+               old_group_type = samdb_search_uint(ldb, ac, 0, ac->msg->dn,
+                                                  "groupType", NULL);
+               if (old_group_type == 0) {
+                       return ldb_operr(ldb);
+               }
+
+               /* Group type switching isn't so easy as it seems: We can only
+                * change in this directions: global <-> universal <-> local
+                * On each step also the group type itself
+                * (security/distribution) is variable. */
+
+               switch (group_type) {
+               case GTYPE_SECURITY_GLOBAL_GROUP:
+               case GTYPE_DISTRIBUTION_GLOBAL_GROUP:
+                       /* change to "universal" allowed */
+                       if ((old_group_type == GTYPE_SECURITY_DOMAIN_LOCAL_GROUP) ||
+                           (old_group_type == GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)) {
+                               return LDB_ERR_UNWILLING_TO_PERFORM;
+                       }
+               break;
+
+               case GTYPE_SECURITY_UNIVERSAL_GROUP:
+               case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP:
+                       /* each change allowed */
+               break;
+
+               case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP:
+               case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP:
+                       /* change to "universal" allowed */
+                       if ((old_group_type == GTYPE_SECURITY_GLOBAL_GROUP) ||
+                           (old_group_type == GTYPE_DISTRIBUTION_GLOBAL_GROUP)) {
+                               return LDB_ERR_UNWILLING_TO_PERFORM;
+                       }
+               break;
+
+               case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP:
+               default:
+                       /* we don't allow this "groupType" values */
+                       return LDB_ERR_UNWILLING_TO_PERFORM;
+               break;
+               }
+
                account_type =  ds_gtype2atype(group_type);
+               if (account_type == 0) {
+                       ldb_set_errstring(ldb, "samldb: Unrecognized account type!");
+                       return LDB_ERR_UNWILLING_TO_PERFORM;
+               }
                ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg,
                                         "sAMAccountType",
                                         account_type);
@@ -1237,9 +1393,20 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 
                modified = true;
 
-               user_account_control = strtoul((const char *)el->values[0].data,
-                       NULL, 0);
+               user_account_control = ldb_msg_find_attr_as_uint(ac->msg,
+                                                                "userAccountControl",
+                                                                0);
+
+               /* Temporary duplicate accounts aren't allowed */
+               if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) {
+                       return LDB_ERR_OTHER;
+               }
+
                account_type = ds_uf2atype(user_account_control);
+               if (account_type == 0) {
+                       ldb_set_errstring(ldb, "samldb: Unrecognized account type!");
+                       return LDB_ERR_UNWILLING_TO_PERFORM;
+               }
                ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg,
                                         "sAMAccountType",
                                         account_type);
Unnamed repository; edit this file to name it for gitweb.