X-Git-Url: http://git.samba.org/?a=blobdiff_plain;f=source4%2Fdsdb%2Fsamdb%2Fldb_modules%2Fsamldb.c;h=ee43d84398f120d813cc896ce25c05c2ba77893d;hb=576e78571b65aa5a3e593;hp=a7bb0f6db85650ed970a2ec12819f3a26b844614;hpb=974279b67de6aa346f961b4546bfa556b4ab7ece;p=metze%2Fsamba%2Fwip.git diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index a7bb0f6db856..ee43d84398f1 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -24,7 +24,7 @@ * * Component: ldb samldb module * - * Description: add embedded user/group creation functionality + * Description: various internal DSDB triggers - most for SAM specific objects * * Author: Simo Sorce */ @@ -34,9 +34,9 @@ #include "ldb_module.h" #include "dsdb/samdb/samdb.h" #include "dsdb/samdb/ldb_modules/util.h" +#include "dsdb/samdb/ldb_modules/ridalloc.h" #include "libcli/security/security.h" #include "librpc/gen_ndr/ndr_security.h" -#include "../lib/util/util_ldb.h" #include "ldb_wrap.h" #include "param/param.h" @@ -59,15 +59,8 @@ struct samldb_ctx { /* the resulting message */ struct ldb_message *msg; - /* holds the entry SID */ - struct dom_sid *sid; - - /* holds a generic dn */ - struct ldb_dn *dn; - - /* used in conjunction with "sid" in "samldb_dn_from_sid" and - * "samldb_find_for_defaultObjectCategory" */ - struct ldb_dn *res_dn; + /* used in "samldb_find_for_defaultObjectCategory" */ + struct ldb_dn *dn, *res_dn; /* all the async steps necessary to complete the operation */ struct samldb_step *steps; @@ -139,8 +132,8 @@ static int samldb_next_step(struct samldb_ctx *ac) return ac->curstep->fn(ac); } - /* we exit the samldb module here */ - /* If someone set an ares to forward controls and response back to the caller, use them */ + /* We exit the samldb module here. If someone set an "ares" to forward + * controls and response back to the caller, use them. */ if (ac->ares) { return ldb_module_done(ac->req, ac->ares->controls, ac->ares->response, LDB_SUCCESS); @@ -149,7 +142,11 @@ static int samldb_next_step(struct samldb_ctx *ac) } } -static int samldb_generate_samAccountName(struct ldb_context *ldb, struct ldb_message *msg) + +/* sAMAccountName handling */ + +static int samldb_generate_sAMAccountName(struct ldb_context *ldb, + struct ldb_message *msg) { char *name; @@ -162,151 +159,46 @@ static int samldb_generate_samAccountName(struct ldb_context *ldb, struct ldb_me if (name == NULL) { return ldb_oom(ldb); } - return ldb_msg_add_steal_string(msg, "samAccountName", name); + return ldb_msg_add_steal_string(msg, "sAMAccountName", name); } -/* - * samldb_check_samAccountName (async) - */ - -static int samldb_check_samAccountName_callback(struct ldb_request *req, - struct ldb_reply *ares) +static int samldb_check_sAMAccountName(struct samldb_ctx *ac) { - struct samldb_ctx *ac; + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + const char *name; int ret; - ac = talloc_get_type(req->context, struct samldb_ctx); - - if (ares->error != LDB_SUCCESS) { - return ldb_module_done(ac->req, ares->controls, - ares->response, ares->error); - } - - switch (ares->type) { - case LDB_REPLY_ENTRY: - /* if we get an entry it means this samAccountName - * already exists */ - return ldb_module_done(ac->req, NULL, NULL, - LDB_ERR_ENTRY_ALREADY_EXISTS); - - case LDB_REPLY_REFERRAL: - /* ignore */ - talloc_free(ares); - ret = LDB_SUCCESS; - break; - - case LDB_REPLY_DONE: - /* not found, go on */ - talloc_free(ares); - ret = samldb_next_step(ac); - break; - } - - if (ret != LDB_SUCCESS) { - return ldb_module_done(ac->req, NULL, NULL, ret); + if (ldb_msg_find_element(ac->msg, "sAMAccountName") == NULL) { + ret = samldb_generate_sAMAccountName(ldb, ac->msg); + if (ret != LDB_SUCCESS) { + return ret; + } } - return LDB_SUCCESS; -} - -static int samldb_check_samAccountName(struct samldb_ctx *ac) -{ - struct ldb_context *ldb; - struct ldb_request *req; - const char *name; - char *filter; - int ret; - - ldb = ldb_module_get_ctx(ac->module); - - if (ldb_msg_find_element(ac->msg, "samAccountName") == NULL) { - ret = samldb_generate_samAccountName(ldb, ac->msg); - if (ret != LDB_SUCCESS) { - return ret; - } - } - - name = ldb_msg_find_attr_as_string(ac->msg, "samAccountName", NULL); + name = ldb_msg_find_attr_as_string(ac->msg, "sAMAccountName", NULL); if (name == NULL) { - return ldb_operr(ldb); + /* The "sAMAccountName" cannot be nothing */ + ldb_set_errstring(ldb, + "samldb: Empty account names aren't allowed!"); + return LDB_ERR_CONSTRAINT_VIOLATION; } - filter = talloc_asprintf(ac, "samAccountName=%s", + + ret = samdb_search_count(ldb, ac, NULL, "(sAMAccountName=%s)", ldb_binary_encode_string(ac, name)); - if (filter == NULL) { + if ((ret < 0) || (ret > 1)) { return ldb_operr(ldb); } - - ret = ldb_build_search_req(&req, ldb, ac, - ldb_get_default_basedn(ldb), - LDB_SCOPE_SUBTREE, - filter, NULL, - NULL, - ac, samldb_check_samAccountName_callback, - ac->req); - talloc_free(filter); - if (ret != LDB_SUCCESS) { - return ret; - } - return ldb_next_request(ac->module, req); -} - - -static int samldb_check_samAccountType(struct samldb_ctx *ac) -{ - struct ldb_context *ldb; - unsigned int account_type; - unsigned int group_type; - unsigned int uac; - int ret; - - ldb = ldb_module_get_ctx(ac->module); - - /* make sure sAMAccountType is not specified */ - if (ldb_msg_find_element(ac->msg, "sAMAccountType") != NULL) { + if (ret == 1) { ldb_asprintf_errstring(ldb, - "sAMAccountType must not be specified!"); - return LDB_ERR_UNWILLING_TO_PERFORM; - } - - if (strcmp("user", ac->type) == 0) { - uac = samdb_result_uint(ac->msg, "userAccountControl", 0); - if (uac == 0) { - ldb_asprintf_errstring(ldb, - "userAccountControl invalid!"); - return LDB_ERR_UNWILLING_TO_PERFORM; - } else { - account_type = ds_uf2atype(uac); - ret = samdb_msg_add_uint(ldb, - ac->msg, ac->msg, - "sAMAccountType", - account_type); - if (ret != LDB_SUCCESS) { - return ret; - } - } - } else - if (strcmp("group", ac->type) == 0) { - - group_type = samdb_result_uint(ac->msg, "groupType", 0); - if (group_type == 0) { - ldb_asprintf_errstring(ldb, - "groupType invalid!\n"); - return LDB_ERR_UNWILLING_TO_PERFORM; - } else { - account_type = ds_gtype2atype(group_type); - ret = samdb_msg_add_uint(ldb, - ac->msg, ac->msg, - "sAMAccountType", - account_type); - if (ret != LDB_SUCCESS) { - return ret; - } - } + "samldb: Account name (sAMAccountName) '%s' already in use!", + name); + return LDB_ERR_ENTRY_ALREADY_EXISTS; } return samldb_next_step(ac); } + static bool samldb_msg_add_sid(struct ldb_message *msg, const char *name, const struct dom_sid *sid) @@ -327,20 +219,21 @@ static bool samldb_msg_add_sid(struct ldb_message *msg, static int samldb_allocate_sid(struct samldb_ctx *ac) { uint32_t rid; - int ret; + struct dom_sid *sid; struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + int ret; ret = ridalloc_allocate_rid(ac->module, &rid); if (ret != LDB_SUCCESS) { return ret; } - ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid); - if (ac->sid == NULL) { + sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid); + if (sid == NULL) { return ldb_module_oom(ac->module); } - if ( ! samldb_msg_add_sid(ac->msg, "objectSid", ac->sid)) { + if ( ! samldb_msg_add_sid(ac->msg, "objectSid", sid)) { return ldb_operr(ldb); } @@ -350,16 +243,19 @@ static int samldb_allocate_sid(struct samldb_ctx *ac) /* see if a krbtgt_number is available */ -static bool samldb_krbtgtnumber_available(struct samldb_ctx *ac, unsigned krbtgt_number) +static bool samldb_krbtgtnumber_available(struct samldb_ctx *ac, + uint32_t krbtgt_number) { TALLOC_CTX *tmp_ctx = talloc_new(ac); struct ldb_result *res; - const char *attrs[] = { NULL }; + const char *no_attrs[] = { NULL }; int ret; - ret = dsdb_module_search(ac->module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE, - attrs, DSDB_FLAG_NEXT_MODULE, - "msDC-SecondaryKrbTgtNumber=%u", krbtgt_number); + ret = dsdb_module_search(ac->module, tmp_ctx, &res, NULL, + LDB_SCOPE_SUBTREE, no_attrs, + DSDB_FLAG_NEXT_MODULE, + "(msDC-SecondaryKrbTgtNumber=%u)", + krbtgt_number); if (ret == LDB_SUCCESS && res->count == 0) { talloc_free(tmp_ctx); return true; @@ -372,7 +268,9 @@ static bool samldb_krbtgtnumber_available(struct samldb_ctx *ac, unsigned krbtgt static int samldb_rodc_add(struct samldb_ctx *ac) { struct ldb_context *ldb = ldb_module_get_ctx(ac->module); - unsigned krbtgt_number, i_start, i; + uint32_t krbtgt_number, i_start, i; + int ret; + char *newpass; /* find a unused msDC-SecondaryKrbTgtNumber */ i_start = generate_random() & 0xFFFF; @@ -393,246 +291,75 @@ static int samldb_rodc_add(struct samldb_ctx *ac) } } - ldb_asprintf_errstring(ldb_module_get_ctx(ac->module), + ldb_asprintf_errstring(ldb, "%08X: Unable to find available msDS-SecondaryKrbTgtNumber", W_ERROR_V(WERR_NO_SYSTEM_RESOURCES)); return LDB_ERR_OTHER; found: - if (ldb_msg_add_fmt(ac->msg, "msDS-SecondaryKrbTgtNumber", "%u", krbtgt_number) != LDB_SUCCESS) { + ret = ldb_msg_add_empty(ac->msg, "msDS-SecondaryKrbTgtNumber", + LDB_FLAG_INTERNAL_DISABLE_VALIDATION, NULL); + if (ret != LDB_SUCCESS) { return ldb_operr(ldb); } - return samldb_next_step(ac); -} - -/* - * samldb_dn_from_sid (async) - */ - -static int samldb_dn_from_sid(struct samldb_ctx *ac); - -static int samldb_dn_from_sid_callback(struct ldb_request *req, - struct ldb_reply *ares) -{ - struct ldb_context *ldb; - struct samldb_ctx *ac; - int ret; - - ac = talloc_get_type(req->context, struct samldb_ctx); - ldb = ldb_module_get_ctx(ac->module); - - if (!ares) { - ret = LDB_ERR_OPERATIONS_ERROR; - goto done; - } - if (ares->error != LDB_SUCCESS) { - return ldb_module_done(ac->req, ares->controls, - ares->response, ares->error); - } - - switch (ares->type) { - case LDB_REPLY_ENTRY: - /* save entry */ - if (ac->res_dn != NULL) { - /* one too many! */ - ldb_set_errstring(ldb, - "Invalid number of results while searching " - "for domain objects!"); - ret = LDB_ERR_OPERATIONS_ERROR; - break; - } - ac->res_dn = ldb_dn_copy(ac, ares->message->dn); - - talloc_free(ares); - ret = LDB_SUCCESS; - break; - - case LDB_REPLY_REFERRAL: - /* ignore */ - talloc_free(ares); - ret = LDB_SUCCESS; - break; - - case LDB_REPLY_DONE: - talloc_free(ares); - - /* found or not found, go on */ - ret = samldb_next_step(ac); - break; + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, + "msDS-SecondaryKrbTgtNumber", krbtgt_number); + if (ret != LDB_SUCCESS) { + return ldb_operr(ldb); } -done: + ret = ldb_msg_add_fmt(ac->msg, "sAMAccountName", "krbtgt_%u", + krbtgt_number); if (ret != LDB_SUCCESS) { - return ldb_module_done(ac->req, NULL, NULL, ret); + return ldb_operr(ldb); } - return LDB_SUCCESS; -} - -/* Finds the DN "res_dn" of an object with a given SID "sid" */ -static int samldb_dn_from_sid(struct samldb_ctx *ac) -{ - struct ldb_context *ldb; - static const char * const attrs[] = { NULL }; - struct ldb_request *req; - char *filter; - int ret; - - ldb = ldb_module_get_ctx(ac->module); - - if (ac->sid == NULL) + newpass = generate_random_password(ac->msg, 128, 255); + if (newpass == NULL) { return ldb_operr(ldb); + } - filter = talloc_asprintf(ac, "(objectSid=%s)", - ldap_encode_ndr_dom_sid(ac, ac->sid)); - if (filter == NULL) - return ldb_oom(ldb); - - ret = ldb_build_search_req(&req, ldb, ac, - ldb_get_default_basedn(ldb), - LDB_SCOPE_SUBTREE, - filter, attrs, - NULL, - ac, samldb_dn_from_sid_callback, - ac->req); - if (ret != LDB_SUCCESS) - return ret; - - return ldb_next_request(ac->module, req); -} - - -static int samldb_check_primaryGroupID_1(struct samldb_ctx *ac) -{ - struct ldb_context *ldb; - uint32_t rid; - - ldb = ldb_module_get_ctx(ac->module); - - rid = samdb_result_uint(ac->msg, "primaryGroupID", ~0); - ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid); - if (ac->sid == NULL) + ret = ldb_msg_add_steal_string(ac->msg, "clearTextPassword", newpass); + if (ret != LDB_SUCCESS) { return ldb_operr(ldb); - ac->res_dn = NULL; - - return samldb_next_step(ac); -} - -static int samldb_check_primaryGroupID_2(struct samldb_ctx *ac) -{ - if (ac->res_dn == NULL) { - struct ldb_context *ldb; - ldb = ldb_module_get_ctx(ac->module); - ldb_asprintf_errstring(ldb, - "Failed to find group sid %s!", - dom_sid_string(ac->sid, ac->sid)); - return LDB_ERR_UNWILLING_TO_PERFORM; } return samldb_next_step(ac); } - -/* - * samldb_find_for_defaultObjectCategory (async) - */ - -static int samldb_find_for_defaultObjectCategory_callback(struct ldb_request *req, - struct ldb_reply *ares) +static int samldb_find_for_defaultObjectCategory(struct samldb_ctx *ac) { - struct ldb_context *ldb; - struct samldb_ctx *ac; + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + struct ldb_result *res; + const char *no_attrs[] = { NULL }; int ret; - ac = talloc_get_type(req->context, struct samldb_ctx); - ldb = ldb_module_get_ctx(ac->module); - - if (!ares) { - ret = LDB_ERR_OPERATIONS_ERROR; - goto done; - } - if (ares->error != LDB_SUCCESS) { - if (ares->error == LDB_ERR_NO_SUCH_OBJECT) { - if (ldb_request_get_control(ac->req, - LDB_CONTROL_RELAX_OID) != NULL) { - /* Don't be pricky when the DN doesn't exist */ - /* if we have the RELAX control specified */ - ac->res_dn = req->op.search.base; - return samldb_next_step(ac); - } else { - ldb_set_errstring(ldb, - "samldb_find_defaultObjectCategory: " - "Invalid DN for 'defaultObjectCategory'!"); - ares->error = LDB_ERR_CONSTRAINT_VIOLATION; - } - } - - return ldb_module_done(ac->req, ares->controls, - ares->response, ares->error); - } - - switch (ares->type) { - case LDB_REPLY_ENTRY: - ac->res_dn = talloc_steal(ac, ares->message->dn); - - ret = LDB_SUCCESS; - break; - - case LDB_REPLY_REFERRAL: - /* ignore */ - talloc_free(ares); - ret = LDB_SUCCESS; - break; - - case LDB_REPLY_DONE: - talloc_free(ares); + ac->res_dn = NULL; - if (ac->res_dn != NULL) { - /* when found go on */ - ret = samldb_next_step(ac); - } else { - ret = LDB_ERR_OPERATIONS_ERROR; + ret = dsdb_module_search(ac->module, ac, &res, + ac->dn, LDB_SCOPE_BASE, no_attrs, + DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT + | DSDB_FLAG_NEXT_MODULE, + "(objectClass=classSchema)"); + if (ret == LDB_ERR_NO_SUCH_OBJECT) { + /* Don't be pricky when the DN doesn't exist if we have the */ + /* RELAX control specified */ + if (ldb_request_get_control(ac->req, + LDB_CONTROL_RELAX_OID) == NULL) { + ldb_set_errstring(ldb, + "samldb_find_defaultObjectCategory: " + "Invalid DN for 'defaultObjectCategory'!"); + return LDB_ERR_CONSTRAINT_VIOLATION; } - break; } - -done: - if (ret != LDB_SUCCESS) { - return ldb_module_done(ac->req, NULL, NULL, ret); - } - - return LDB_SUCCESS; -} - -static int samldb_find_for_defaultObjectCategory(struct samldb_ctx *ac) -{ - struct ldb_context *ldb; - struct ldb_request *req; - static const char *no_attrs[] = { NULL }; - int ret; - - ldb = ldb_module_get_ctx(ac->module); - - ac->res_dn = NULL; - - ret = ldb_build_search_req(&req, ldb, ac, - ac->dn, LDB_SCOPE_BASE, - "(objectClass=classSchema)", no_attrs, - NULL, ac, - samldb_find_for_defaultObjectCategory_callback, - ac->req); - if (ret != LDB_SUCCESS) { + if ((ret != LDB_ERR_NO_SUCH_OBJECT) && (ret != LDB_SUCCESS)) { return ret; } - ret = dsdb_request_add_controls(req, - DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT); - if (ret != LDB_SUCCESS) { - return ret; - } + ac->res_dn = ac->dn; - return ldb_next_request(ac->module, req); + return samldb_next_step(ac); } /** @@ -644,7 +371,7 @@ static int samldb_add_handle_msDS_IntId(struct samldb_ctx *ac) int ret; bool id_exists; uint32_t msds_intid; - uint32_t system_flags; + int32_t system_flags; struct ldb_context *ldb; struct ldb_result *ldb_res; struct ldb_dn *schema_dn; @@ -653,7 +380,8 @@ static int samldb_add_handle_msDS_IntId(struct samldb_ctx *ac) schema_dn = ldb_get_schema_basedn(ldb); /* replicated update should always go through */ - if (ldb_request_get_control(ac->req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) { + if (ldb_request_get_control(ac->req, + DSDB_CONTROL_REPLICATED_UPDATE_OID)) { return LDB_SUCCESS; } @@ -674,7 +402,7 @@ static int samldb_add_handle_msDS_IntId(struct samldb_ctx *ac) } /* check systemFlags for SCHEMA_BASE_OBJECT flag */ - system_flags = ldb_msg_find_attr_as_uint(ac->msg, "systemFlags", 0); + system_flags = ldb_msg_find_attr_as_int(ac->msg, "systemFlags", 0); if (system_flags & SYSTEM_FLAG_SCHEMA_BASE_OBJECT) { return LDB_SUCCESS; } @@ -708,7 +436,8 @@ static int samldb_add_handle_msDS_IntId(struct samldb_ctx *ac) talloc_free(ldb_res); } while(id_exists); - return ldb_msg_add_fmt(ac->msg, "msDS-IntId", "%d", msds_intid); + return samdb_msg_add_int(ldb, ac->msg, ac->msg, "msDS-IntId", + msds_intid); } @@ -769,6 +498,7 @@ static int samldb_add_entry(struct samldb_ctx *ac) ac->req->controls, ac, samldb_add_entry_callback, ac->req); + LDB_REQ_SET_LOCATION(req); if (ret != LDB_SUCCESS) { return ret; } @@ -786,7 +516,8 @@ static bool check_rodc_critical_attribute(struct ldb_message *msg) schemaFlagsEx = ldb_msg_find_attr_as_uint(msg, "schemaFlagsEx", 0); searchFlags = ldb_msg_find_attr_as_uint(msg, "searchFlags", 0); - rodc_filtered_flags = (SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL); + rodc_filtered_flags = (SEARCH_FLAG_RODC_ATTRIBUTE + | SEARCH_FLAG_CONFIDENTIAL); if ((schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) && ((searchFlags & rodc_filtered_flags) == rodc_filtered_flags)) { @@ -797,58 +528,37 @@ static bool check_rodc_critical_attribute(struct ldb_message *msg) } -static int samldb_fill_object(struct samldb_ctx *ac, const char *type) +static int samldb_fill_object(struct samldb_ctx *ac) { - struct ldb_context *ldb; - struct loadparm_context *lp_ctx; - enum sid_generator sid_generator; + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); int ret; - struct ldb_control *rodc_control; - - ldb = ldb_module_get_ctx(ac->module); /* Add informations for the different account types */ - ac->type = type; if (strcmp(ac->type, "user") == 0) { - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "userAccountControl", "546"); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "badPwdCount", "0"); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "codePage", "0"); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "countryCode", "0"); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "badPasswordTime", "0"); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "lastLogoff", "0"); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "lastLogon", "0"); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "pwdLastSet", "0"); - if (ret != LDB_SUCCESS) return ret; - if (!ldb_msg_find_element(ac->msg, "primaryGroupID")) { - ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, - "primaryGroupID", DOMAIN_RID_USERS); + struct ldb_control *rodc_control = ldb_request_get_control(ac->req, + LDB_CONTROL_RODC_DCPROMO_OID); + if (rodc_control != NULL) { + /* see [MS-ADTS] 3.1.1.3.4.1.23 LDAP_SERVER_RODC_DCPROMO_OID */ + rodc_control->critical = false; + ret = samldb_add_step(ac, samldb_rodc_add); if (ret != LDB_SUCCESS) return ret; } - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "accountExpires", "9223372036854775807"); + + /* check if we have a valid sAMAccountName */ + ret = samldb_add_step(ac, samldb_check_sAMAccountName); if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "logonCount", "0"); + + ret = samldb_add_step(ac, samldb_add_entry); if (ret != LDB_SUCCESS) return ret; + } else if (strcmp(ac->type, "group") == 0) { - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "groupType", "-2147483646"); + /* check if we have a valid sAMAccountName */ + ret = samldb_add_step(ac, samldb_check_sAMAccountName); + if (ret != LDB_SUCCESS) return ret; + + ret = samldb_add_step(ac, samldb_add_entry); if (ret != LDB_SUCCESS) return ret; + } else if (strcmp(ac->type, "classSchema") == 0) { const struct ldb_val *rdn_value, *def_obj_cat_val; @@ -864,13 +574,12 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type) return LDB_ERR_UNWILLING_TO_PERFORM; } - rdn_value = ldb_dn_get_rdn_val(ac->msg->dn); if (!ldb_msg_find_element(ac->msg, "lDAPDisplayName")) { /* the RDN has prefix "CN" */ ret = ldb_msg_add_string(ac->msg, "lDAPDisplayName", - samdb_cn_to_lDAPDisplayName(ac, - (const char *) rdn_value->data)); + samdb_cn_to_lDAPDisplayName(ac->msg, + (const char *) rdn_value->data)); if (ret != LDB_SUCCESS) { ldb_oom(ldb); return ret; @@ -910,9 +619,8 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type) * caller. Use the entry DN for it. */ ac->dn = ac->msg->dn; - ret = samdb_msg_add_string(ldb, ac, ac->msg, - "defaultObjectCategory", - ldb_dn_get_linearized(ac->dn)); + ret = ldb_msg_add_string(ac->msg, "defaultObjectCategory", + ldb_dn_alloc_linearized(ac->msg, ac->dn)); if (ret != LDB_SUCCESS) { ldb_oom(ldb); return ret; @@ -927,15 +635,14 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type) ret = samldb_add_step(ac, samldb_find_for_defaultObjectCategory); if (ret != LDB_SUCCESS) return ret; - return samldb_first_step(ac); } else if (strcmp(ac->type, "attributeSchema") == 0) { const struct ldb_val *rdn_value; rdn_value = ldb_dn_get_rdn_val(ac->msg->dn); if (!ldb_msg_find_element(ac->msg, "lDAPDisplayName")) { /* the RDN has prefix "CN" */ ret = ldb_msg_add_string(ac->msg, "lDAPDisplayName", - samdb_cn_to_lDAPDisplayName(ac, - (const char *) rdn_value->data)); + samdb_cn_to_lDAPDisplayName(ac->msg, + (const char *) rdn_value->data)); if (ret != LDB_SUCCESS) { ldb_oom(ldb); return ret; @@ -945,7 +652,8 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type) /* do not allow to mark an attributeSchema as RODC filtered if it * is system-critical */ if (check_rodc_critical_attribute(ac->msg)) { - ldb_asprintf_errstring(ldb, "Refusing schema add of %s - cannot combine critical attribute with RODC filtering", + ldb_asprintf_errstring(ldb, + "samldb: refusing schema add of %s - cannot combine critical attribute with RODC filtering", ldb_dn_get_linearized(ac->msg->dn)); return LDB_ERR_UNWILLING_TO_PERFORM; } @@ -972,87 +680,33 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type) ret = samldb_add_step(ac, samldb_add_entry); if (ret != LDB_SUCCESS) return ret; - return samldb_first_step(ac); } else { ldb_asprintf_errstring(ldb, "Invalid entry type!"); return LDB_ERR_OPERATIONS_ERROR; } - /* check if we have a valid samAccountName */ - ret = samldb_add_step(ac, samldb_check_samAccountName); - if (ret != LDB_SUCCESS) return ret; - - /* check account_type/group_type */ - ret = samldb_add_step(ac, samldb_check_samAccountType); - if (ret != LDB_SUCCESS) return ret; - - /* check if we have a valid primary group ID */ - if (strcmp(ac->type, "user") == 0) { - ret = samldb_add_step(ac, samldb_check_primaryGroupID_1); - if (ret != LDB_SUCCESS) return ret; - ret = samldb_add_step(ac, samldb_dn_from_sid); - if (ret != LDB_SUCCESS) return ret; - ret = samldb_add_step(ac, samldb_check_primaryGroupID_2); - if (ret != LDB_SUCCESS) return ret; - } - - lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"), - struct loadparm_context); - - /* don't allow objectSID to be specified without the RELAX control */ - ac->sid = samdb_result_dom_sid(ac, ac->msg, "objectSid"); - if (ac->sid && !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) && - !dsdb_module_am_system(ac->module)) { - ldb_asprintf_errstring(ldb, "No SID may be specified in user/group creation for %s", - ldb_dn_get_linearized(ac->msg->dn)); - return LDB_ERR_UNWILLING_TO_PERFORM; - } - - if ( ! ac->sid) { - sid_generator = lpcfg_sid_generator(lp_ctx); - if (sid_generator == SID_GENERATOR_INTERNAL) { - ret = samldb_add_step(ac, samldb_allocate_sid); - if (ret != LDB_SUCCESS) return ret; - } - } - - rodc_control = ldb_request_get_control(ac->req, LDB_CONTROL_RODC_DCPROMO_OID); - if (rodc_control) { - /* see [MS-ADTS] 3.1.1.3.4.1.23 LDAP_SERVER_RODC_DCPROMO_OID */ - rodc_control->critical = false; - ret = samldb_add_step(ac, samldb_rodc_add); - if (ret != LDB_SUCCESS) return ret; - } - - - /* finally proceed with adding the entry */ - ret = samldb_add_step(ac, samldb_add_entry); - if (ret != LDB_SUCCESS) return ret; - - return samldb_first_step(ac); -} + return samldb_first_step(ac); +} static int samldb_fill_foreignSecurityPrincipal_object(struct samldb_ctx *ac) { struct ldb_context *ldb; + struct dom_sid *sid; int ret; ldb = ldb_module_get_ctx(ac->module); - ac->sid = samdb_result_dom_sid(ac->msg, ac->msg, "objectSid"); - if (ac->sid == NULL) { - ac->sid = dom_sid_parse_talloc(ac->msg, - (const char *)ldb_dn_get_rdn_val(ac->msg->dn)->data); - if (!ac->sid) { + sid = samdb_result_dom_sid(ac->msg, ac->msg, "objectSid"); + if (sid == NULL) { + sid = dom_sid_parse_talloc(ac->msg, + (const char *)ldb_dn_get_rdn_val(ac->msg->dn)->data); + if (sid == NULL) { ldb_set_errstring(ldb, - "No valid SID found in " - "ForeignSecurityPrincipal CN!"); - talloc_free(ac); + "samldb: No valid SID found in ForeignSecurityPrincipal CN!"); return LDB_ERR_CONSTRAINT_VIOLATION; } - if ( ! samldb_msg_add_sid(ac->msg, "objectSid", ac->sid)) { - talloc_free(ac); + if (! samldb_msg_add_sid(ac->msg, "objectSid", sid)) { return ldb_operr(ldb); } } @@ -1066,12 +720,13 @@ static int samldb_fill_foreignSecurityPrincipal_object(struct samldb_ctx *ac) static int samldb_schema_info_update(struct samldb_ctx *ac) { - WERROR werr; + int ret; struct ldb_context *ldb; struct dsdb_schema *schema; /* replicated update should always go through */ - if (ldb_request_get_control(ac->req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) { + if (ldb_request_get_control(ac->req, + DSDB_CONTROL_REPLICATED_UPDATE_OID)) { return LDB_SUCCESS; } @@ -1089,33 +744,276 @@ static int samldb_schema_info_update(struct samldb_ctx *ac) return ldb_operr(ldb); } - werr = dsdb_module_schema_info_update(ac->module, schema, DSDB_FLAG_NEXT_MODULE); - if (!W_ERROR_IS_OK(werr)) { - ldb_debug_set(ldb, LDB_DEBUG_FATAL, - "samldb_schema_info_update: " - "dsdb_module_schema_info_update failed with %s", - win_errstr(werr)); - DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb))); - return ldb_operr(ldb); + ret = dsdb_module_schema_info_update(ac->module, schema, + DSDB_FLAG_NEXT_MODULE); + if (ret != LDB_SUCCESS) { + ldb_asprintf_errstring(ldb, + "samldb_schema_info_update: dsdb_module_schema_info_update failed with %s", + ldb_errstring(ldb)); + return ret; } return LDB_SUCCESS; } +/* + * "Objectclass" trigger (MS-SAMR 3.1.1.8.1) + * + * Has to be invoked on "add" and "modify" operations on "user", "computer" and + * "group" objects. + * ac->msg contains the "add"/"modify" message + * ac->type contains the object type (main objectclass) + */ +static int samldb_objectclass_trigger(struct samldb_ctx *ac) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb, + "loadparm"), struct loadparm_context); + struct ldb_message_element *el, *el2; + enum sid_generator sid_generator; + struct dom_sid *sid; + const char *tempstr; + int ret; + + /* make sure that "sAMAccountType" is not specified */ + el = ldb_msg_find_element(ac->msg, "sAMAccountType"); + if (el != NULL) { + ldb_set_errstring(ldb, + "samldb: sAMAccountType must not be specified!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + /* Step 1: objectSid assignment */ + + /* Don't allow the objectSid to be changed. But beside the RELAX + * control we have also to guarantee that it can always be set with + * SYSTEM permissions. This is needed for the "samba3sam" backend. */ + sid = samdb_result_dom_sid(ac, ac->msg, "objectSid"); + if ((sid != NULL) && (!dsdb_module_am_system(ac->module)) && + (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) { + ldb_set_errstring(ldb, + "samldb: objectSid must not be specified!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + /* but generate a new SID when we do have an add operations */ + if ((sid == NULL) && (ac->req->operation == LDB_ADD)) { + sid_generator = lpcfg_sid_generator(lp_ctx); + if (sid_generator == SID_GENERATOR_INTERNAL) { + ret = samldb_add_step(ac, samldb_allocate_sid); + if (ret != LDB_SUCCESS) return ret; + } + } + + if (strcmp(ac->type, "user") == 0) { + /* Step 1.2: Default values */ + tempstr = talloc_asprintf(ac->msg, "%d", UF_NORMAL_ACCOUNT); + if (tempstr == NULL) return ldb_operr(ldb); + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "userAccountControl", tempstr); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "badPwdCount", "0"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "codePage", "0"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "countryCode", "0"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "badPasswordTime", "0"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "lastLogoff", "0"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "lastLogon", "0"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "pwdLastSet", "0"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "accountExpires", "9223372036854775807"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "logonCount", "0"); + if (ret != LDB_SUCCESS) return ret; + + el = ldb_msg_find_element(ac->msg, "userAccountControl"); + if (el != NULL) { + uint32_t user_account_control, account_type; + + /* Step 1.3: "userAccountControl" -> "sAMAccountType" mapping */ + user_account_control = ldb_msg_find_attr_as_uint(ac->msg, + "userAccountControl", + 0); + + /* Temporary duplicate accounts aren't allowed */ + if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) { + return LDB_ERR_OTHER; + } + + account_type = ds_uf2atype(user_account_control); + if (account_type == 0) { + ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, + "sAMAccountType", + account_type); + if (ret != LDB_SUCCESS) { + return ret; + } + el2 = ldb_msg_find_element(ac->msg, "sAMAccountType"); + el2->flags = LDB_FLAG_MOD_REPLACE; + + if (user_account_control & + (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) { + ret = samdb_msg_set_string(ldb, ac->msg, ac->msg, + "isCriticalSystemObject", + "TRUE"); + if (ret != LDB_SUCCESS) { + return ret; + } + el2 = ldb_msg_find_element(ac->msg, + "isCriticalSystemObject"); + el2->flags = LDB_FLAG_MOD_REPLACE; + } + + /* Step 1.4: "userAccountControl" -> "primaryGroupID" mapping */ + if (!ldb_msg_find_element(ac->msg, "primaryGroupID")) { + uint32_t rid = ds_uf2prim_group_rid(user_account_control); + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, + "primaryGroupID", rid); + if (ret != LDB_SUCCESS) { + return ret; + } + el2 = ldb_msg_find_element(ac->msg, + "primaryGroupID"); + el2->flags = LDB_FLAG_MOD_REPLACE; + } + + /* Step 1.5: Add additional flags when needed */ + if ((user_account_control & UF_NORMAL_ACCOUNT) && + (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) { + user_account_control |= UF_ACCOUNTDISABLE; + user_account_control |= UF_PASSWD_NOTREQD; + + ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg, + "userAccountControl", + user_account_control); + if (ret != LDB_SUCCESS) { + return ret; + } + } + } + + } else if (strcmp(ac->type, "group") == 0) { + /* Step 2.2: Default values */ + tempstr = talloc_asprintf(ac->msg, "%d", + GTYPE_SECURITY_GLOBAL_GROUP); + if (tempstr == NULL) return ldb_operr(ldb); + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "groupType", tempstr); + if (ret != LDB_SUCCESS) return ret; + + /* Step 2.3: "groupType" -> "sAMAccountType" */ + el = ldb_msg_find_element(ac->msg, "groupType"); + if (el != NULL) { + uint32_t group_type, account_type; + + group_type = ldb_msg_find_attr_as_uint(ac->msg, + "groupType", 0); + + /* The creation of builtin groups requires the + * RELAX control */ + if (group_type == GTYPE_SECURITY_BUILTIN_LOCAL_GROUP) { + if (ldb_request_get_control(ac->req, + LDB_CONTROL_RELAX_OID) == NULL) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } + } + + account_type = ds_gtype2atype(group_type); + if (account_type == 0) { + ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, + "sAMAccountType", + account_type); + if (ret != LDB_SUCCESS) { + return ret; + } + el2 = ldb_msg_find_element(ac->msg, "sAMAccountType"); + el2->flags = LDB_FLAG_MOD_REPLACE; + } + } + + return LDB_SUCCESS; +} + +/* + * "Primary group ID" trigger (MS-SAMR 3.1.1.8.2) + * + * Has to be invoked on "add" and "modify" operations on "user" and "computer" + * objects. + * ac->msg contains the "add"/"modify" message + */ + +static int samldb_prim_group_set(struct samldb_ctx *ac) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + struct ldb_dn *prim_group_dn; + uint32_t rid; + struct dom_sid *sid; + + rid = ldb_msg_find_attr_as_uint(ac->msg, "primaryGroupID", (uint32_t) -1); + if (rid == (uint32_t) -1) { + /* we aren't affected of any primary group set */ + return LDB_SUCCESS; + + } else if (!ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) { + ldb_set_errstring(ldb, + "The primary group isn't settable on add operations!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid); + if (sid == NULL) { + return ldb_operr(ldb); + } + + prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)", + ldap_encode_ndr_dom_sid(ac, sid)); + if (prim_group_dn == NULL) { + ldb_asprintf_errstring(ldb, + "Failed to find primary group with RID %u!", + rid); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + return LDB_SUCCESS; +} static int samldb_prim_group_change(struct samldb_ctx *ac) { - struct ldb_context *ldb; + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); const char * attrs[] = { "primaryGroupID", "memberOf", NULL }; struct ldb_result *res; struct ldb_message_element *el; struct ldb_message *msg; - uint32_t rid; - struct dom_sid *sid; + uint32_t prev_rid, new_rid; + struct dom_sid *prev_sid, *new_sid; struct ldb_dn *prev_prim_group_dn, *new_prim_group_dn; int ret; - ldb = ldb_module_get_ctx(ac->module); + el = dsdb_get_single_valued_attr(ac->msg, "primaryGroupID"); + if (el == NULL) { + /* we are not affected */ + return LDB_SUCCESS; + } /* Fetch informations from the existing object */ @@ -1124,186 +1022,646 @@ static int samldb_prim_group_change(struct samldb_ctx *ac) if (ret != LDB_SUCCESS) { return ret; } + if (res->count != 1) { + return ldb_operr(ldb); + } /* Finds out the DN of the old primary group */ - rid = samdb_result_uint(res->msgs[0], "primaryGroupID", (uint32_t) -1); - if (rid == (uint32_t) -1) { + prev_rid = ldb_msg_find_attr_as_uint(res->msgs[0], "primaryGroupID", + (uint32_t) -1); + if (prev_rid == (uint32_t) -1) { /* User objects do always have a mandatory "primaryGroupID" * attribute. If this doesn't exist then the object is of the * wrong type. This is the exact Windows error code */ return LDB_ERR_OBJECT_CLASS_VIOLATION; } - - sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid); - if (sid == NULL) { + + prev_sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), prev_rid); + if (prev_sid == NULL) { + return ldb_operr(ldb); + } + + /* Finds out the DN of the new primary group + * Notice: in order to parse the primary group ID correctly we create + * a temporary message here. */ + + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(msg, el, 0); + if (ret != LDB_SUCCESS) { + return ret; + } + new_rid = ldb_msg_find_attr_as_uint(msg, "primaryGroupID", (uint32_t) -1); + talloc_free(msg); + if (new_rid == (uint32_t) -1) { + /* we aren't affected of any primary group change */ + return LDB_SUCCESS; + } + + if (prev_rid == new_rid) { + return LDB_SUCCESS; + } + + prev_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)", + ldap_encode_ndr_dom_sid(ac, prev_sid)); + if (prev_prim_group_dn == NULL) { + return ldb_operr(ldb); + } + + new_sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), new_rid); + if (new_sid == NULL) { + return ldb_operr(ldb); + } + + new_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)", + ldap_encode_ndr_dom_sid(ac, new_sid)); + if (new_prim_group_dn == NULL) { + /* Here we know if the specified new primary group candidate is + * valid or not. */ + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + /* We need to be already a normal member of the new primary + * group in order to be successful. */ + el = samdb_find_attribute(ldb, res->msgs[0], "memberOf", + ldb_dn_get_linearized(new_prim_group_dn)); + if (el == NULL) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + /* Remove the "member" attribute on the new primary group */ + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + msg->dn = new_prim_group_dn; + + ret = samdb_msg_add_delval(ldb, msg, msg, "member", + ldb_dn_get_linearized(ac->msg->dn)); + if (ret != LDB_SUCCESS) { + return ret; + } + + ret = dsdb_module_modify(ac->module, msg, DSDB_FLAG_NEXT_MODULE); + if (ret != LDB_SUCCESS) { + return ret; + } + talloc_free(msg); + + /* Add a "member" attribute for the previous primary group */ + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + msg->dn = prev_prim_group_dn; + + ret = samdb_msg_add_addval(ldb, msg, msg, "member", + ldb_dn_get_linearized(ac->msg->dn)); + if (ret != LDB_SUCCESS) { + return ret; + } + + ret = dsdb_module_modify(ac->module, msg, DSDB_FLAG_NEXT_MODULE); + if (ret != LDB_SUCCESS) { + return ret; + } + talloc_free(msg); + + return LDB_SUCCESS; +} + +static int samldb_prim_group_trigger(struct samldb_ctx *ac) +{ + int ret; + + if (ac->req->operation == LDB_ADD) { + ret = samldb_prim_group_set(ac); + } else { + ret = samldb_prim_group_change(ac); + } + + return ret; +} + +static int samldb_user_account_control_change(struct samldb_ctx *ac) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + uint32_t user_account_control, account_type; + struct ldb_message_element *el; + struct ldb_message *tmp_msg; + int ret; + + el = dsdb_get_single_valued_attr(ac->msg, "userAccountControl"); + if (el == NULL) { + /* we are not affected */ + return LDB_SUCCESS; + } + + /* Create a temporary message for fetching the "userAccountControl" */ + tmp_msg = ldb_msg_new(ac->msg); + if (tmp_msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(tmp_msg, el, 0); + if (ret != LDB_SUCCESS) { + return ret; + } + user_account_control = ldb_msg_find_attr_as_uint(tmp_msg, + "userAccountControl", + 0); + talloc_free(tmp_msg); + + /* Temporary duplicate accounts aren't allowed */ + if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) { + return LDB_ERR_OTHER; + } + + account_type = ds_uf2atype(user_account_control); + if (account_type == 0) { + ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "sAMAccountType", + account_type); + if (ret != LDB_SUCCESS) { + return ret; + } + el = ldb_msg_find_element(ac->msg, "sAMAccountType"); + el->flags = LDB_FLAG_MOD_REPLACE; + + if (user_account_control + & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) { + ret = samdb_msg_add_string(ldb, ac->msg, ac->msg, + "isCriticalSystemObject", "TRUE"); + if (ret != LDB_SUCCESS) { + return ret; + } + el = ldb_msg_find_element(ac->msg, + "isCriticalSystemObject"); + el->flags = LDB_FLAG_MOD_REPLACE; + } + + if (!ldb_msg_find_element(ac->msg, "primaryGroupID")) { + uint32_t rid = ds_uf2prim_group_rid(user_account_control); + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, + "primaryGroupID", rid); + if (ret != LDB_SUCCESS) { + return ret; + } + el = ldb_msg_find_element(ac->msg, + "primaryGroupID"); + el->flags = LDB_FLAG_MOD_REPLACE; + } + + return LDB_SUCCESS; +} + +static int samldb_group_type_change(struct samldb_ctx *ac) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + uint32_t group_type, old_group_type, account_type; + struct ldb_message_element *el; + struct ldb_message *tmp_msg; + int ret; + + el = dsdb_get_single_valued_attr(ac->msg, "groupType"); + if (el == NULL) { + /* we are not affected */ + return LDB_SUCCESS; + } + + /* Create a temporary message for fetching the "groupType" */ + tmp_msg = ldb_msg_new(ac->msg); + if (tmp_msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(tmp_msg, el, 0); + if (ret != LDB_SUCCESS) { + return ret; + } + group_type = ldb_msg_find_attr_as_uint(tmp_msg, "groupType", 0); + talloc_free(tmp_msg); + + old_group_type = samdb_search_uint(ldb, ac, 0, ac->msg->dn, + "groupType", NULL); + if (old_group_type == 0) { + return ldb_operr(ldb); + } + + /* Group type switching isn't so easy as it seems: We can only + * change in this directions: global <-> universal <-> local + * On each step also the group type itself + * (security/distribution) is variable. */ + + switch (group_type) { + case GTYPE_SECURITY_GLOBAL_GROUP: + case GTYPE_DISTRIBUTION_GLOBAL_GROUP: + /* change to "universal" allowed */ + if ((old_group_type == GTYPE_SECURITY_DOMAIN_LOCAL_GROUP) || + (old_group_type == GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } + break; + + case GTYPE_SECURITY_UNIVERSAL_GROUP: + case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP: + /* each change allowed */ + break; + + case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP: + case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP: + /* change to "universal" allowed */ + if ((old_group_type == GTYPE_SECURITY_GLOBAL_GROUP) || + (old_group_type == GTYPE_DISTRIBUTION_GLOBAL_GROUP)) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } + break; + + case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP: + default: + /* we don't allow this "groupType" values */ + return LDB_ERR_UNWILLING_TO_PERFORM; + break; + } + + account_type = ds_gtype2atype(group_type); + if (account_type == 0) { + ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "sAMAccountType", + account_type); + if (ret != LDB_SUCCESS) { + return ret; + } + el = ldb_msg_find_element(ac->msg, "sAMAccountType"); + el->flags = LDB_FLAG_MOD_REPLACE; + + return LDB_SUCCESS; +} + +static int samldb_sam_accountname_check(struct samldb_ctx *ac) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + const char *no_attrs[] = { NULL }; + struct ldb_result *res; + const char *sam_accountname, *enc_str; + struct ldb_message_element *el; + struct ldb_message *tmp_msg; + int ret; + + el = dsdb_get_single_valued_attr(ac->msg, "sAMAccountName"); + if (el == NULL) { + /* we are not affected */ + return LDB_SUCCESS; + } + + /* Create a temporary message for fetching the "sAMAccountName" */ + tmp_msg = ldb_msg_new(ac->msg); + if (tmp_msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(tmp_msg, el, 0); + if (ret != LDB_SUCCESS) { + return ret; + } + sam_accountname = talloc_steal(ac, + ldb_msg_find_attr_as_string(tmp_msg, "sAMAccountName", NULL)); + talloc_free(tmp_msg); + + if (sam_accountname == NULL) { + /* The "sAMAccountName" cannot be nothing */ + ldb_set_errstring(ldb, + "samldb: Empty account names aren't allowed!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + enc_str = ldb_binary_encode_string(ac, sam_accountname); + if (enc_str == NULL) { + return ldb_module_oom(ac->module); + } + + /* Make sure that a "sAMAccountName" is only used once */ + + ret = ldb_search(ldb, ac, &res, NULL, LDB_SCOPE_SUBTREE, no_attrs, + "(sAMAccountName=%s)", enc_str); + if (ret != LDB_SUCCESS) { + return ret; + } + if (res->count > 1) { + return ldb_operr(ldb); + } else if (res->count == 1) { + if (ldb_dn_compare(res->msgs[0]->dn, ac->msg->dn) != 0) { + ldb_asprintf_errstring(ldb, + "samldb: Account name (sAMAccountName) '%s' already in use!", + sam_accountname); + return LDB_ERR_ENTRY_ALREADY_EXISTS; + } + } + talloc_free(res); + + return LDB_SUCCESS; +} + +static int samldb_member_check(struct samldb_ctx *ac) +{ + static const char * const attrs[] = { "objectSid", "member", NULL }; + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + struct ldb_message_element *el; + struct ldb_dn *member_dn; + uint32_t prim_group_rid; + struct dom_sid *sid; + struct ldb_result *res; + struct dom_sid *group_sid; + unsigned int i, j; + int cnt; + int ret; + + /* Fetch informations from the existing object */ + + ret = ldb_search(ldb, ac, &res, ac->msg->dn, LDB_SCOPE_BASE, attrs, + NULL); + if (ret != LDB_SUCCESS) { + return ret; + } + if (res->count != 1) { return ldb_operr(ldb); } - prev_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)", - dom_sid_string(ac, sid)); - if (prev_prim_group_dn == NULL) { + group_sid = samdb_result_dom_sid(res, res->msgs[0], "objectSid"); + if (group_sid == NULL) { return ldb_operr(ldb); } - /* Finds out the DN of the new primary group */ + /* We've to walk over all modification entries and consider the "member" + * ones. */ + for (i = 0; i < ac->msg->num_elements; i++) { + if (ldb_attr_cmp(ac->msg->elements[i].name, "member") != 0) { + continue; + } - rid = samdb_result_uint(ac->msg, "primaryGroupID", (uint32_t) -1); - if (rid == (uint32_t) -1) { - /* we aren't affected of any primary group change */ - return LDB_SUCCESS; - } + el = &ac->msg->elements[i]; + for (j = 0; j < el->num_values; j++) { + struct ldb_message_element *mo; - sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid); - if (sid == NULL) { - return ldb_operr(ldb); - } + member_dn = ldb_dn_from_ldb_val(ac, ldb, + &el->values[j]); + if (!ldb_dn_validate(member_dn)) { + return ldb_operr(ldb); + } - new_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)", - dom_sid_string(ac, sid)); - if (new_prim_group_dn == NULL) { - /* Here we know if the specified new primary group candidate is - * valid or not. */ - return LDB_ERR_UNWILLING_TO_PERFORM; - } + /* The "member" attribute can be modified with the + * following restrictions (beside a valid DN): + * + * - "add" operations can only be performed when the + * member still doesn't exist - if not then return + * ERR_ENTRY_ALREADY_EXISTS (not + * ERR_ATTRIBUTE_OR_VALUE_EXISTS!) + * - "delete" operations can only be performed when the + * member does exist - if not then return + * ERR_UNWILLING_TO_PERFORM (not + * ERR_NO_SUCH_ATTRIBUTE!) + * - primary group check + */ + mo = samdb_find_attribute(ldb, res->msgs[0], "member", + ldb_dn_get_linearized(member_dn)); + if (mo == NULL) { + cnt = 0; + } else { + cnt = 1; + } - /* Only update the "member" attributes when we really do have a change */ - if (ldb_dn_compare(new_prim_group_dn, prev_prim_group_dn) != 0) { - /* We need to be already a normal member of the new primary - * group in order to be successful. */ - el = samdb_find_attribute(ldb, res->msgs[0], "memberOf", - ldb_dn_get_linearized(new_prim_group_dn)); - if (el == NULL) { - return LDB_ERR_UNWILLING_TO_PERFORM; - } + if ((cnt > 0) && (LDB_FLAG_MOD_TYPE(el->flags) + == LDB_FLAG_MOD_ADD)) { + return LDB_ERR_ENTRY_ALREADY_EXISTS; + } + if ((cnt == 0) && LDB_FLAG_MOD_TYPE(el->flags) + == LDB_FLAG_MOD_DELETE) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } - /* Remove the "member" attribute on the new primary group */ - msg = talloc_zero(ac, struct ldb_message); - msg->dn = new_prim_group_dn; + /* Denies to add "member"s to groups which are primary + * ones for them - in this case return + * ERR_ENTRY_ALREADY_EXISTS. */ + + prim_group_rid = samdb_search_uint(ldb, ac, + (uint32_t) -1, + member_dn, + "primaryGroupID", + NULL); + if (prim_group_rid == (uint32_t) -1) { + /* the member hasn't to be a user account -> + * therefore no check needed in this case. */ + continue; + } - ret = samdb_msg_add_delval(ldb, ac, msg, "member", - ldb_dn_get_linearized(ac->msg->dn)); - if (ret != LDB_SUCCESS) { - return ret; - } + sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), + prim_group_rid); + if (sid == NULL) { + return ldb_operr(ldb); + } - ret = dsdb_module_modify(ac->module, msg, DSDB_FLAG_NEXT_MODULE); - if (ret != LDB_SUCCESS) { - return ret; + if (dom_sid_equal(group_sid, sid)) { + return LDB_ERR_ENTRY_ALREADY_EXISTS; + } } + } + + return LDB_SUCCESS; +} + +/* This trigger adapts the "servicePrincipalName" attributes if the + * "dNSHostName" and/or "sAMAccountName" attribute change(s) */ +static int samldb_service_principal_names_change(struct samldb_ctx *ac) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + struct ldb_message_element *el = NULL, *el2 = NULL; + struct ldb_message *msg; + const char *attrs[] = { "servicePrincipalName", NULL }; + struct ldb_result *res; + const char *dns_hostname = NULL, *old_dns_hostname = NULL, + *sam_accountname = NULL, *old_sam_accountname = NULL; + unsigned int i; + int ret; - /* Add a "member" attribute for the previous primary group */ - msg = talloc_zero(ac, struct ldb_message); - msg->dn = prev_prim_group_dn; + el = dsdb_get_single_valued_attr(ac->msg, "dNSHostName"); + el2 = dsdb_get_single_valued_attr(ac->msg, "sAMAccountName"); + if ((el == NULL) && (el2 == NULL)) { + /* we are not affected */ + return LDB_SUCCESS; + } - ret = samdb_msg_add_addval(ldb, ac, msg, "member", - ldb_dn_get_linearized(ac->msg->dn)); + /* Create a temporary message for fetching the "dNSHostName" */ + if (el != NULL) { + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(msg, el, 0); if (ret != LDB_SUCCESS) { return ret; } + dns_hostname = talloc_steal(ac, + ldb_msg_find_attr_as_string(msg, "dNSHostName", NULL)); + talloc_free(msg); + + old_dns_hostname = samdb_search_string(ldb, ac, ac->msg->dn, + "dNSHostName", NULL); + } + + /* Create a temporary message for fetching the "sAMAccountName" */ + if (el2 != NULL) { + char *tempstr, *tempstr2; - ret = dsdb_module_modify(ac->module, msg, DSDB_FLAG_NEXT_MODULE); + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(msg, el2, 0); if (ret != LDB_SUCCESS) { return ret; } + tempstr = talloc_strdup(ac, + ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL)); + talloc_free(msg); + + tempstr2 = talloc_strdup(ac, + samdb_search_string(ldb, ac, ac->msg->dn, "sAMAccountName", NULL)); + + /* The "sAMAccountName" needs some additional trimming: we need + * to remove the trailing "$"s if they exist. */ + if ((tempstr != NULL) && (tempstr[0] != '\0') && + (tempstr[strlen(tempstr) - 1] == '$')) { + tempstr[strlen(tempstr) - 1] = '\0'; + } + if ((tempstr2 != NULL) && (tempstr2[0] != '\0') && + (tempstr2[strlen(tempstr2) - 1] == '$')) { + tempstr2[strlen(tempstr2) - 1] = '\0'; + } + sam_accountname = tempstr; + old_sam_accountname = tempstr2; } - return LDB_SUCCESS; -} - - -static int samldb_member_check(struct samldb_ctx *ac) -{ - struct ldb_context *ldb; - struct ldb_message_element *el; - struct ldb_dn *member_dn, *group_dn; - uint32_t prim_group_rid; - struct dom_sid *sid; - unsigned int i; + if (old_dns_hostname == NULL) { + /* we cannot change when the old name is unknown */ + dns_hostname = NULL; + } + if ((old_dns_hostname != NULL) && (dns_hostname != NULL) && + (strcasecmp(old_dns_hostname, dns_hostname) == 0)) { + /* The "dNSHostName" didn't change */ + dns_hostname = NULL; + } - ldb = ldb_module_get_ctx(ac->module); + if (old_sam_accountname == NULL) { + /* we cannot change when the old name is unknown */ + sam_accountname = NULL; + } + if ((old_sam_accountname != NULL) && (sam_accountname != NULL) && + (strcasecmp(old_sam_accountname, sam_accountname) == 0)) { + /* The "sAMAccountName" didn't change */ + sam_accountname = NULL; + } - el = ldb_msg_find_element(ac->msg, "member"); - if (el == NULL) { - /* we aren't affected */ + if ((dns_hostname == NULL) && (sam_accountname == NULL)) { + /* Well, there are informations missing (old name(s)) or the + * names didn't change. We've nothing to do and can exit here */ return LDB_SUCCESS; } - for (i = 0; i < el->num_values; i++) { - /* Denies to add "member"s to groups which are primary ones - * for them */ - member_dn = ldb_dn_from_ldb_val(ac, ldb, &el->values[i]); - if (!ldb_dn_validate(member_dn)) { - return ldb_operr(ldb); + /* Potential "servicePrincipalName" changes in the same request have to + * be handled before the update (Windows behaviour). */ + el = ldb_msg_find_element(ac->msg, "servicePrincipalName"); + if (el != NULL) { + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); } + msg->dn = ac->msg->dn; - prim_group_rid = samdb_search_uint(ldb, ac, (uint32_t) -1, - member_dn, "primaryGroupID", - NULL); - if (prim_group_rid == (uint32_t) -1) { - /* the member hasn't to be a user account -> therefore - * no check needed in this case. */ - continue; - } + do { + ret = ldb_msg_add(msg, el, el->flags); + if (ret != LDB_SUCCESS) { + return ret; + } - sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), - prim_group_rid); - if (sid == NULL) { - return ldb_operr(ldb); - } + ldb_msg_remove_element(ac->msg, el); - group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)", - dom_sid_string(ac, sid)); - if (group_dn == NULL) { - return ldb_operr(ldb); - } + el = ldb_msg_find_element(ac->msg, + "servicePrincipalName"); + } while (el != NULL); - if (ldb_dn_compare(group_dn, ac->msg->dn) == 0) { - return LDB_ERR_ENTRY_ALREADY_EXISTS; + ret = dsdb_module_modify(ac->module, msg, + DSDB_FLAG_NEXT_MODULE); + if (ret != LDB_SUCCESS) { + return ret; } + talloc_free(msg); } - return LDB_SUCCESS; -} + /* Fetch the "servicePrincipalName"s if any */ + ret = ldb_search(ldb, ac, &res, ac->msg->dn, LDB_SCOPE_BASE, attrs, + NULL); + if (ret != LDB_SUCCESS) { + return ret; + } + if ((res->count != 1) || (res->msgs[0]->num_elements > 1)) { + return ldb_operr(ldb); + } + if (res->msgs[0]->num_elements == 1) { + /* Yes, we do have "servicePrincipalName"s. First we update them + * locally, that means we do always substitute the current + * "dNSHostName" with the new one and/or "sAMAccountName" + * without "$" with the new one and then we append this to the + * modification request (Windows behaviour). */ -static int samldb_prim_group_users_check(struct samldb_ctx *ac) -{ - struct ldb_context *ldb; - struct dom_sid *sid; - uint32_t rid; - NTSTATUS status; - int count; + for (i = 0; i < res->msgs[0]->elements[0].num_values; i++) { + char *old_str, *new_str, *pos; + const char *tok; - ldb = ldb_module_get_ctx(ac->module); + old_str = (char *) + res->msgs[0]->elements[0].values[i].data; - /* Finds out the SID/RID of the SAM object */ - sid = samdb_search_dom_sid(ldb, ac, ac->req->op.del.dn, "objectSID", - NULL); - if (sid == NULL) { - /* No SID - it might not be a SAM object - therefore ok */ - return LDB_SUCCESS; - } - status = dom_sid_split_rid(ac, sid, NULL, &rid); - if (!NT_STATUS_IS_OK(status)) { - return ldb_operr(ldb); - } - if (rid == 0) { - /* Special object (security principal?) */ - return LDB_SUCCESS; - } + new_str = talloc_strdup(ac->msg, + strtok_r(old_str, "/", &pos)); + if (new_str == NULL) { + return ldb_module_oom(ac->module); + } - /* Deny delete requests from groups which are primary ones */ - count = samdb_search_count(ldb, NULL, - "(&(primaryGroupID=%u)(objectClass=user))", - rid); - if (count < 0) { - return ldb_operr(ldb); - } - if (count > 0) { - return LDB_ERR_ENTRY_ALREADY_EXISTS; + while ((tok = strtok_r(NULL, "/", &pos)) != NULL) { + if ((dns_hostname != NULL) && + (strcasecmp(tok, old_dns_hostname) == 0)) { + tok = dns_hostname; + } + if ((sam_accountname != NULL) && + (strcasecmp(tok, old_sam_accountname) == 0)) { + tok = sam_accountname; + } + + new_str = talloc_asprintf(ac->msg, "%s/%s", + new_str, tok); + if (new_str == NULL) { + return ldb_module_oom(ac->module); + } + } + + ret = ldb_msg_add_string(ac->msg, + "servicePrincipalName", + new_str); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + el = ldb_msg_find_element(ac->msg, "servicePrincipalName"); + el->flags = LDB_FLAG_MOD_REPLACE; } + talloc_free(res); + return LDB_SUCCESS; } @@ -1329,22 +1687,41 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req) } /* build the new msg */ - ac->msg = ldb_msg_copy(ac, ac->req->op.add.message); - if (!ac->msg) { + ac->msg = ldb_msg_copy_shallow(ac, req->op.add.message); + if (ac->msg == NULL) { talloc_free(ac); ldb_debug(ldb, LDB_DEBUG_FATAL, - "samldb_add: ldb_msg_copy failed!\n"); + "samldb_add: ldb_msg_copy_shallow failed!\n"); return ldb_operr(ldb); } if (samdb_find_attribute(ldb, ac->msg, "objectclass", "user") != NULL) { - return samldb_fill_object(ac, "user"); + ac->type = "user"; + + ret = samldb_prim_group_trigger(ac); + if (ret != LDB_SUCCESS) { + return ret; + } + + ret = samldb_objectclass_trigger(ac); + if (ret != LDB_SUCCESS) { + return ret; + } + + return samldb_fill_object(ac); } if (samdb_find_attribute(ldb, ac->msg, "objectclass", "group") != NULL) { - return samldb_fill_object(ac, "group"); + ac->type = "group"; + + ret = samldb_objectclass_trigger(ac); + if (ret != LDB_SUCCESS) { + return ret; + } + + return samldb_fill_object(ac); } /* perhaps a foreignSecurityPrincipal? */ @@ -1362,7 +1739,8 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req) return ret; } - return samldb_fill_object(ac, "classSchema"); + ac->type = "classSchema"; + return samldb_fill_object(ac); } if (samdb_find_attribute(ldb, ac->msg, @@ -1373,7 +1751,8 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req) return ret; } - return samldb_fill_object(ac, "attributeSchema"); + ac->type = "attributeSchema"; + return samldb_fill_object(ac); } talloc_free(ac); @@ -1387,10 +1766,9 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) { struct ldb_context *ldb; struct samldb_ctx *ac; - struct ldb_message *msg; struct ldb_message_element *el, *el2; + bool modified = false; int ret; - uint32_t account_type; if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */ @@ -1399,16 +1777,35 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) ldb = ldb_module_get_ctx(module); - if (ldb_msg_find_element(req->op.mod.message, "sAMAccountType") != NULL) { - ldb_asprintf_errstring(ldb, - "sAMAccountType must not be specified!"); + /* make sure that "objectSid" is not specified */ + el = ldb_msg_find_element(req->op.mod.message, "objectSid"); + if (el != NULL) { + ldb_set_errstring(ldb, + "samldb: objectSid must not be specified!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + /* make sure that "sAMAccountType" is not specified */ + el = ldb_msg_find_element(req->op.mod.message, "sAMAccountType"); + if (el != NULL) { + ldb_set_errstring(ldb, + "samldb: sAMAccountType must not be specified!"); return LDB_ERR_UNWILLING_TO_PERFORM; } + /* make sure that "isCriticalSystemObject" is not specified */ + el = ldb_msg_find_element(req->op.mod.message, "isCriticalSystemObject"); + if (el != NULL) { + if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) == NULL) { + ldb_set_errstring(ldb, + "samldb: isCriticalSystemObject must not be specified!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + } /* msDS-IntId is not allowed to be modified * except when modification comes from replication */ if (ldb_msg_find_element(req->op.mod.message, "msDS-IntId")) { - if (!ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) { + if (!ldb_request_get_control(req, + DSDB_CONTROL_REPLICATED_UPDATE_OID)) { return LDB_ERR_CONSTRAINT_VIOLATION; } } @@ -1418,103 +1815,132 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) return ldb_operr(ldb); } - /* TODO: do not modify original request, create a new one */ - - el = ldb_msg_find_element(req->op.mod.message, "groupType"); - if (el && (el->flags == LDB_FLAG_MOD_REPLACE) && el->num_values == 1) { - uint32_t group_type; - - req->op.mod.message = msg = ldb_msg_copy_shallow(req, - req->op.mod.message); + /* build the new msg */ + ac->msg = ldb_msg_copy_shallow(ac, req->op.mod.message); + if (ac->msg == NULL) { + talloc_free(ac); + ldb_debug(ldb, LDB_DEBUG_FATAL, + "samldb_modify: ldb_msg_copy_shallow failed!\n"); + return ldb_operr(ldb); + } - group_type = strtoul((const char *)el->values[0].data, NULL, 0); - account_type = ds_gtype2atype(group_type); - ret = samdb_msg_add_uint(ldb, msg, msg, - "sAMAccountType", - account_type); + el = ldb_msg_find_element(ac->msg, "primaryGroupID"); + if (el != NULL) { + ret = samldb_prim_group_change(ac); if (ret != LDB_SUCCESS) { return ret; } - el2 = ldb_msg_find_element(msg, "sAMAccountType"); - el2->flags = LDB_FLAG_MOD_REPLACE; - } - if (el && (el->flags == LDB_FLAG_MOD_DELETE)) { - return LDB_ERR_UNWILLING_TO_PERFORM; } - el = ldb_msg_find_element(req->op.mod.message, "primaryGroupID"); - if (el && (el->flags == LDB_FLAG_MOD_REPLACE) && el->num_values == 1) { - req->op.mod.message = ac->msg = ldb_msg_copy_shallow(req, - req->op.mod.message); - - ret = samldb_prim_group_change(ac); + el = ldb_msg_find_element(ac->msg, "userAccountControl"); + if (el != NULL) { + modified = true; + ret = samldb_user_account_control_change(ac); if (ret != LDB_SUCCESS) { return ret; } } - if (el && (el->flags == LDB_FLAG_MOD_DELETE)) { - return LDB_ERR_UNWILLING_TO_PERFORM; - } - - el = ldb_msg_find_element(req->op.mod.message, "userAccountControl"); - if (el && (el->flags == LDB_FLAG_MOD_REPLACE) && el->num_values == 1) { - uint32_t user_account_control; - req->op.mod.message = msg = ldb_msg_copy_shallow(req, - req->op.mod.message); - - user_account_control = strtoul((const char *)el->values[0].data, - NULL, 0); - account_type = ds_uf2atype(user_account_control); - ret = samdb_msg_add_uint(ldb, msg, msg, - "sAMAccountType", - account_type); + el = ldb_msg_find_element(ac->msg, "groupType"); + if (el != NULL) { + modified = true; + ret = samldb_group_type_change(ac); if (ret != LDB_SUCCESS) { return ret; } - el2 = ldb_msg_find_element(msg, "sAMAccountType"); - el2->flags = LDB_FLAG_MOD_REPLACE; + } - if (user_account_control & UF_SERVER_TRUST_ACCOUNT) { - ret = samdb_msg_add_string(ldb, msg, msg, - "isCriticalSystemObject", "TRUE"); - if (ret != LDB_SUCCESS) { - return ret; - } - el2 = ldb_msg_find_element(msg, "isCriticalSystemObject"); - el2->flags = LDB_FLAG_MOD_REPLACE; + el = ldb_msg_find_element(ac->msg, "sAMAccountName"); + if (el != NULL) { + ret = samldb_sam_accountname_check(ac); + if (ret != LDB_SUCCESS) { + return ret; + } + } - /* DCs have primaryGroupID of DOMAIN_RID_DCS */ - if (!ldb_msg_find_element(msg, "primaryGroupID")) { - ret = samdb_msg_add_uint(ldb, msg, msg, - "primaryGroupID", DOMAIN_RID_DCS); - if (ret != LDB_SUCCESS) { - return ret; - } - el2 = ldb_msg_find_element(msg, "primaryGroupID"); - el2->flags = LDB_FLAG_MOD_REPLACE; - } + el = ldb_msg_find_element(ac->msg, "member"); + if (el != NULL) { + ret = samldb_member_check(ac); + if (ret != LDB_SUCCESS) { + return ret; } } - if (el && (el->flags == LDB_FLAG_MOD_DELETE)) { - return LDB_ERR_UNWILLING_TO_PERFORM; + + el = ldb_msg_find_element(ac->msg, "dNSHostName"); + el2 = ldb_msg_find_element(ac->msg, "sAMAccountName"); + if ((el != NULL) || (el2 != NULL)) { + modified = true; + ret = samldb_service_principal_names_change(ac); + if (ret != LDB_SUCCESS) { + return ret; + } } - el = ldb_msg_find_element(req->op.mod.message, "member"); - if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) { - req->op.mod.message = ac->msg = ldb_msg_copy_shallow(req, - req->op.mod.message); + if (modified) { + struct ldb_request *child_req; - ret = samldb_member_check(ac); + /* Now perform the real modifications as a child request */ + ret = ldb_build_mod_req(&child_req, ldb, ac, + ac->msg, + req->controls, + req, dsdb_next_callback, + req); + LDB_REQ_SET_LOCATION(child_req); if (ret != LDB_SUCCESS) { return ret; } + + return ldb_next_request(module, child_req); } + talloc_free(ac); + + /* no change which interests us, go on */ return ldb_next_request(module, req); } /* delete */ + +static int samldb_prim_group_users_check(struct samldb_ctx *ac) +{ + struct ldb_context *ldb; + struct dom_sid *sid; + uint32_t rid; + NTSTATUS status; + int count; + + ldb = ldb_module_get_ctx(ac->module); + + /* Finds out the SID/RID of the SAM object */ + sid = samdb_search_dom_sid(ldb, ac, ac->req->op.del.dn, "objectSid", + NULL); + if (sid == NULL) { + /* No SID - it might not be a SAM object - therefore ok */ + return LDB_SUCCESS; + } + status = dom_sid_split_rid(ac, sid, NULL, &rid); + if (!NT_STATUS_IS_OK(status)) { + return ldb_operr(ldb); + } + if (rid == 0) { + /* Special object (security principal?) */ + return LDB_SUCCESS; + } + + /* Deny delete requests from groups which are primary ones */ + count = samdb_search_count(ldb, ac, NULL, + "(&(primaryGroupID=%u)(objectClass=user))", + rid); + if (count < 0) { + return ldb_operr(ldb); + } + if (count > 0) { + return LDB_ERR_ENTRY_ALREADY_EXISTS; + } + + return LDB_SUCCESS; +} + static int samldb_delete(struct ldb_module *module, struct ldb_request *req) { struct samldb_ctx *ac; @@ -1526,26 +1952,33 @@ static int samldb_delete(struct ldb_module *module, struct ldb_request *req) } ac = samldb_ctx_init(module, req); - if (ac == NULL) + if (ac == NULL) { return ldb_operr(ldb_module_get_ctx(module)); + } ret = samldb_prim_group_users_check(ac); if (ret != LDB_SUCCESS) { return ret; } + talloc_free(ac); + return ldb_next_request(module, req); } +/* extended */ + static int samldb_extended_allocate_rid_pool(struct ldb_module *module, struct ldb_request *req) { struct ldb_context *ldb = ldb_module_get_ctx(module); struct dsdb_fsmo_extended_op *exop; int ret; - exop = talloc_get_type(req->op.extended.data, struct dsdb_fsmo_extended_op); + exop = talloc_get_type(req->op.extended.data, + struct dsdb_fsmo_extended_op); if (!exop) { - ldb_debug(ldb, LDB_DEBUG_FATAL, "samldb_extended_allocate_rid_pool: invalid extended data\n"); + ldb_set_errstring(ldb, + "samldb_extended_allocate_rid_pool: invalid extended data"); return LDB_ERR_PROTOCOL_ERROR; } @@ -1567,7 +2000,7 @@ static int samldb_extended(struct ldb_module *module, struct ldb_request *req) } -_PUBLIC_ const struct ldb_module_ops ldb_samldb_module_ops = { +static const struct ldb_module_ops ldb_samldb_module_ops = { .name = "samldb", .add = samldb_add, .modify = samldb_modify, @@ -1575,3 +2008,9 @@ _PUBLIC_ const struct ldb_module_ops ldb_samldb_module_ops = { .extended = samldb_extended }; + +int ldb_samldb_module_init(const char *version) +{ + LDB_MODULE_CHECK_VERSION(version); + return ldb_register_module(&ldb_samldb_module_ops); +}