s4-dsdb: added support for LDB_CONTROL_RODC_DCPROMO_OID

this control adds a unique msDS-SecondaryKrbTgtNumber attribute to a
user object.

There is some 'interesting' interaction with the rangeLower and
rangeUpper attributes and this add. We don't implementat
rangeLower/rangeUpper yet, but when we do we'll need an override for
this control (or be careful about module ordering).

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 9ae308b9bc855a0f7f1a46038150d8ce9a84d3db..8bb5f3d30ddd1b217e8ed293856ed8168d3a50b3 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -347,6 +347,65 @@ static int samldb_allocate_sid(struct samldb_ctx *ac)
        return samldb_next_step(ac);
 }
 
+/*
+  see if a krbtgt_number is available
+ */
+static bool samldb_krbtgtnumber_available(struct samldb_ctx *ac, unsigned krbtgt_number)
+{
+       TALLOC_CTX *tmp_ctx = talloc_new(ac);
+       struct ldb_result *res;
+       const char *attrs[] = { NULL };
+       int ret;
+
+       ret = dsdb_module_search(ac->module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
+                                attrs, DSDB_FLAG_NEXT_MODULE,
+                                "msDC-SecondaryKrbTgtNumber=%u", krbtgt_number);
+       if (ret == LDB_SUCCESS && res->count == 0) {
+               talloc_free(tmp_ctx);
+               return true;
+       }
+       talloc_free(tmp_ctx);
+       return false;
+}
+
+/* special handling for add in RODC join */
+static int samldb_rodc_add(struct samldb_ctx *ac)
+{
+       struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
+       unsigned krbtgt_number, i_start, i;
+
+       /* find a unused msDC-SecondaryKrbTgtNumber */
+       i_start = generate_random() & 0xFFFF;
+       if (i_start == 0) {
+               i_start = 1;
+       }
+
+       for (i=i_start; i<=0xFFFF; i++) {
+               if (samldb_krbtgtnumber_available(ac, i)) {
+                       krbtgt_number = i;
+                       goto found;
+               }
+       }
+       for (i=1; i<i_start; i++) {
+               if (samldb_krbtgtnumber_available(ac, i)) {
+                       krbtgt_number = i;
+                       goto found;
+               }
+       }
+
+       ldb_asprintf_errstring(ldb_module_get_ctx(ac->module),
+                              "%08X: Unable to find available msDS-SecondaryKrbTgtNumber",
+                              W_ERROR_V(WERR_NO_SYSTEM_RESOURCES));
+       return LDB_ERR_OTHER;
+
+found:
+       if ( ! ldb_msg_add_fmt(ac->msg, "msDS-SecondaryKrbTgtNumber", "%u", krbtgt_number)) {
+               return ldb_operr(ldb);
+       }
+
+       return samldb_next_step(ac);
+}
+
 /*
  * samldb_dn_from_sid (async)
  */
@@ -744,6 +803,7 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
        struct loadparm_context *lp_ctx;
        enum sid_generator sid_generator;
        int ret;
+       struct ldb_control *rodc_control;
 
        ldb = ldb_module_get_ctx(ac->module);
 
@@ -957,6 +1017,15 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
                }
        }
 
+       rodc_control = ldb_request_get_control(ac->req, LDB_CONTROL_RODC_DCPROMO_OID);
+       if (rodc_control) {
+               /* see [MS-ADTS] 3.1.1.3.4.1.23 LDAP_SERVER_RODC_DCPROMO_OID */
+               rodc_control->critical = false;
+               ret = samldb_add_step(ac, samldb_rodc_add);
+               if (ret != LDB_SUCCESS) return ret;
+       }
+
+
        /* finally proceed with adding the entry */
        ret = samldb_add_step(ac, samldb_add_entry);
        if (ret != LDB_SUCCESS) return ret;

diff --git a/source4/lib/ldb/include/ldb.h b/source4/lib/ldb/include/ldb.h
index 53ae0e4c1887aab3272d229802e4f08cc19281b5..f3ec1ed606d47066eac74944648e82f47e754ea4 100644 (file)
--- a/source4/lib/ldb/include/ldb.h
+++ b/source4/lib/ldb/include/ldb.h
@@ -679,6 +679,12 @@ typedef int (*ldb_qsort_cmp_fn_t) (void *v1, void *v2, void *opaque);
 */
 #define LDB_CONTROL_RELAX_OID "1.3.6.1.4.1.4203.666.5.12"
 
+/**
+   control for RODC join
+   See [MS-ADTS] section 3.1.1.3.4.1.23
+*/
+#define LDB_CONTROL_RODC_DCPROMO_OID "1.2.840.113556.1.4.1341"
+
 /*
    OID for LDAP Extended Operation PASSWORD_CHANGE.
 

diff --git a/source4/libcli/ldap/ldap_controls.c b/source4/libcli/ldap/ldap_controls.c
index 0250c040129881fc3796ac1fe02f11c520f655d5..5244975dfc31bdcc53fc9e2adfc5a815e8778bac 100644 (file)
--- a/source4/libcli/ldap/ldap_controls.c
+++ b/source4/libcli/ldap/ldap_controls.c
@@ -1170,6 +1170,7 @@ static const struct ldap_control_handler ldap_known_controls[] = {
        { "1.3.6.1.4.1.7165.4.4.1", NULL, NULL },
        { DSDB_OPENLDAP_DEREFERENCE_CONTROL, decode_openldap_dereference, encode_openldap_dereference},
        { LDB_CONTROL_RELAX_OID, decode_flag_request, encode_flag_request },
+       { LDB_CONTROL_RODC_DCPROMO_OID, decode_flag_request, encode_flag_request },
        { NULL, NULL, NULL }
 };