s4:samr Split the guts of samr_CreateUser2 into a helper function

author Andrew Bartlett <abartlet@samba.org>

Thu, 20 May 2010 22:14:53 +0000 (08:14 +1000)

committer Andrew Bartlett <abartlet@samba.org>

Mon, 24 May 2010 13:08:11 +0000 (23:08 +1000)
author Andrew Bartlett <abartlet@samba.org>
Thu, 20 May 2010 22:14:53 +0000 (08:14 +1000)
committer Andrew Bartlett <abartlet@samba.org>
Mon, 24 May 2010 13:08:11 +0000 (23:08 +1000)
diff --git a/source4/dsdb/common/util_samr.c b/source4/dsdb/common/util_samr.c

new file mode 100644 (file)

index 0000000..83329d2
--- /dev/null
+++ b/source4/dsdb/common/util_samr.c
@@ -0,0 +1,249 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Helpers to add users and groups to the DB
+
+   Copyright (C) Andrew Tridgell 2004
+   Copyright (C) Volker Lendecke 2004
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2010
+   Copyright (C) Matthias Dieter Wallnöfer 2009
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "dsdb/samdb/samdb.h"
+#include "dsdb/common/util.h"
+#include "../libds/common/flags.h"
+
+/* Add a user, SAMR style, including the correct transaction
+ * semantics.  Used by the SAMR server and by pdb_samba4 */
+NTSTATUS dsdb_add_user(struct ldb_context *ldb,
+                      TALLOC_CTX *mem_ctx,
+                      const char *account_name,
+                      uint32_t acct_flags,
+                      struct dom_sid **sid,
+                      struct ldb_dn **dn)
+{
+       const char *name;
+       struct ldb_message *msg;
+       int ret;
+       const char *container, *obj_class=NULL;
+       char *cn_name;
+       int cn_name_len;
+
+       const char *attrs[] = {
+               "objectSid",
+               "userAccountControl",
+               NULL
+       };
+
+       uint32_t user_account_control;
+       struct ldb_dn *account_dn;
+       struct dom_sid *account_sid;
+
+       TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+       NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
+
+       /*
+        * Start a transaction, so we can query and do a subsequent atomic
+        * modify
+        */
+
+       ret = ldb_transaction_start(ldb);
+       if (ret != LDB_SUCCESS) {
+               DEBUG(0,("Failed to start a transaction for user creation: %s\n",
+                        ldb_errstring(ldb)));
+               talloc_free(tmp_ctx);
+               return NT_STATUS_INTERNAL_DB_CORRUPTION;
+       }
+
+       /* check if the user already exists */
+       name = samdb_search_string(ldb, tmp_ctx, NULL,
+                                  "sAMAccountName",
+                                  "(&(sAMAccountName=%s)(objectclass=user))",
+                                  ldb_binary_encode_string(tmp_ctx, account_name));
+       if (name != NULL) {
+               ldb_transaction_cancel(ldb);
+               talloc_free(tmp_ctx);
+               return NT_STATUS_USER_EXISTS;
+       }
+
+       msg = ldb_msg_new(tmp_ctx);
+       if (msg == NULL) {
+               ldb_transaction_cancel(ldb);
+               talloc_free(tmp_ctx);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       cn_name   = talloc_strdup(tmp_ctx, account_name);
+       if (!cn_name) {
+               ldb_transaction_cancel(ldb);
+               talloc_free(tmp_ctx);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       cn_name_len = strlen(cn_name);
+
+       /* This must be one of these values *only* */
+       if (acct_flags == ACB_NORMAL) {
+               container = "CN=Users";
+               obj_class = "user";
+
+       } else if (acct_flags == ACB_WSTRUST) {
+               if (cn_name[cn_name_len - 1] != '$') {
+                       ldb_transaction_cancel(ldb);
+                       return NT_STATUS_FOOBAR;
+               }
+               cn_name[cn_name_len - 1] = '\0';
+               container = "CN=Computers";
+               obj_class = "computer";
+               samdb_msg_add_int(ldb, tmp_ctx, msg,
+                       "primaryGroupID", DOMAIN_RID_DOMAIN_MEMBERS);
+
+       } else if (acct_flags == ACB_SVRTRUST) {
+               if (cn_name[cn_name_len - 1] != '$') {
+                       ldb_transaction_cancel(ldb);
+                       return NT_STATUS_FOOBAR;
+               }
+               cn_name[cn_name_len - 1] = '\0';
+               container = "OU=Domain Controllers";
+               obj_class = "computer";
+               samdb_msg_add_int(ldb, tmp_ctx, msg,
+                       "primaryGroupID", DOMAIN_RID_DCS);
+       } else {
+               ldb_transaction_cancel(ldb);
+               talloc_free(tmp_ctx);
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       /* add core elements to the ldb_message for the user */
+       msg->dn = ldb_dn_copy(msg, ldb_get_default_basedn(ldb));
+       if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s,%s", cn_name, container)) {
+               ldb_transaction_cancel(ldb);
+               talloc_free(tmp_ctx);
+               return NT_STATUS_FOOBAR;
+       }
+
+       samdb_msg_add_string(ldb, tmp_ctx, msg, "sAMAccountName",
+               account_name);
+       samdb_msg_add_string(ldb, tmp_ctx, msg, "objectClass",
+               obj_class);
+
+       /* create the user */
+       ret = ldb_add(ldb, msg);
+       switch (ret) {
+       case LDB_SUCCESS:
+               break;
+       case LDB_ERR_ENTRY_ALREADY_EXISTS:
+               ldb_transaction_cancel(ldb);
+               DEBUG(0,("Failed to create user record %s: %s\n",
+                        ldb_dn_get_linearized(msg->dn),
+                        ldb_errstring(ldb)));
+               talloc_free(tmp_ctx);
+               return NT_STATUS_USER_EXISTS;
+       case LDB_ERR_UNWILLING_TO_PERFORM:
+       case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
+               ldb_transaction_cancel(ldb);
+               DEBUG(0,("Failed to create user record %s: %s\n",
+                        ldb_dn_get_linearized(msg->dn),
+                        ldb_errstring(ldb)));
+               talloc_free(tmp_ctx);
+               return NT_STATUS_ACCESS_DENIED;
+       default:
+               ldb_transaction_cancel(ldb);
+               DEBUG(0,("Failed to create user record %s: %s\n",
+                        ldb_dn_get_linearized(msg->dn),
+                        ldb_errstring(ldb)));
+               talloc_free(tmp_ctx);
+               return NT_STATUS_INTERNAL_DB_CORRUPTION;
+       }
+
+       account_dn = msg->dn;
+
+       /* retrieve the sid and account control bits for the user just created */
+       ret = dsdb_search_one(ldb, tmp_ctx, &msg,
+                             account_dn, LDB_SCOPE_BASE, attrs, 0, NULL);
+
+       if (ret != LDB_SUCCESS) {
+               ldb_transaction_cancel(ldb);
+               DEBUG(0,("Can't locate the account we just created %s: %s\n",
+                        ldb_dn_get_linearized(account_dn), ldb_errstring(ldb)));
+               talloc_free(tmp_ctx);
+               return NT_STATUS_INTERNAL_DB_CORRUPTION;
+       }
+       account_sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
+       if (account_sid == NULL) {
+               ldb_transaction_cancel(ldb);
+               DEBUG(0,("Apparently we failed to get the objectSid of the just created account record %s\n",
+                        ldb_dn_get_linearized(msg->dn)));
+               talloc_free(tmp_ctx);
+               return NT_STATUS_INTERNAL_DB_CORRUPTION;
+       }
+
+       /* Change the account control to be the correct account type.
+        * The default is for a workstation account */
+       user_account_control = samdb_result_uint(msg, "userAccountControl", 0);
+       user_account_control = (user_account_control &
+                               ~(UF_NORMAL_ACCOUNT |
+                                 UF_INTERDOMAIN_TRUST_ACCOUNT |
+                                 UF_WORKSTATION_TRUST_ACCOUNT |
+                                 UF_SERVER_TRUST_ACCOUNT));
+       user_account_control |= ds_acb2uf(acct_flags);
+
+       talloc_free(msg);
+       msg = ldb_msg_new(tmp_ctx);
+       if (msg == NULL) {
+               ldb_transaction_cancel(ldb);
+               talloc_free(tmp_ctx);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       msg->dn = account_dn;
+
+       if (samdb_msg_add_uint(ldb, tmp_ctx, msg,
+                              "userAccountControl",
+                              user_account_control) != 0) {
+               ldb_transaction_cancel(ldb);
+               talloc_free(tmp_ctx);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       /* modify the samdb record */
+       ret = dsdb_replace(ldb, msg, 0);
+       if (ret != LDB_SUCCESS) {
+               DEBUG(0,("Failed to modify account record %s to set userAccountControl: %s\n",
+                        ldb_dn_get_linearized(msg->dn),
+                        ldb_errstring(ldb)));
+               ldb_transaction_cancel(ldb);
+               talloc_free(tmp_ctx);
+
+               /* we really need samdb.c to return NTSTATUS */
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       ret = ldb_transaction_commit(ldb);
+       if (ret != LDB_SUCCESS) {
+               DEBUG(0,("Failed to commit transaction to add and modify account record %s: %s\n",
+                        ldb_dn_get_linearized(msg->dn),
+                        ldb_errstring(ldb)));
+               talloc_free(tmp_ctx);
+               return NT_STATUS_INTERNAL_DB_CORRUPTION;
+       }
+       *dn = talloc_steal(mem_ctx, account_dn);
+       *sid = talloc_steal(mem_ctx, account_sid);
+       talloc_free(tmp_ctx);
+       return NT_STATUS_OK;
+}
+
diff --git a/source4/dsdb/wscript_build b/source4/dsdb/wscript_build

index 92f056197b305543926bafaf7b906eb08bd51e21..1bf8413acc5d913b4673e163e4e026139e2aee28 100644 (file)
--- a/source4/dsdb/wscript_build
+++ b/source4/dsdb/wscript_build
@@ -11,7 +11,7 @@ bld.SAMBA_SUBSYSTEM('SAMDB',
  
  
  bld.SAMBA_SUBSYSTEM('SAMDB_COMMON',
-       source='common/util.c common/dsdb_dn.c common/dsdb_access.c ../../libds/common/flag_mapping.c',
+       source='common/util.c common/util_samr.c common/dsdb_dn.c common/dsdb_access.c ../../libds/common/flag_mapping.c',
         autoproto='common/proto.h',
         deps='ldb NDR_DRSBLOBS LIBCLI_LDAP_NDR UTIL_LDB LIBCLI_AUTH DSDB_MODULE_HELPERS'
         )
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c

index 5775b1410ff7461f4ddf72614683824c3100bb15..f13feb3aa9e6c6227ce8721d43ca316f3fbdbd7f 100644 (file)
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -32,6 +32,7 @@
  #include "lib/ldb/include/ldb_errors.h"
  #include "../libds/common/flags.h"
  #include "dsdb/samdb/samdb.h"
+#include "dsdb/common/util.h"
  #include "libcli/ldap/ldap_ndr.h"
  #include "libcli/security/security.h"
  #include "rpc_server/samr/proto.h"
@@ -1213,28 +1214,14 @@ static NTSTATUS dcesrv_samr_EnumDomainGroups(struct dcesrv_call_state *dce_call,
  static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
                                  struct samr_CreateUser2 *r)
  {
+       NTSTATUS status;
         struct samr_domain_state *d_state;
         struct samr_account_state *a_state;
         struct dcesrv_handle *h;
-       const char *name;
-       struct ldb_message *msg;
+       struct ldb_dn *dn;
         struct dom_sid *sid;
-       const char *account_name;
         struct dcesrv_handle *u_handle;
-       int ret;
-       const char *container, *obj_class=NULL;
-       char *cn_name;
-       int cn_name_len;
-
-       const char *attrs[] = {
-               "objectSid", 
-               "userAccountControl",
-               NULL
-       };
-
-       uint32_t user_account_control;
-
-       struct ldb_message **msgs;
+       const char *account_name;
  
         ZERO_STRUCTP(r->out.user_handle);
         *r->out.access_granted = 0;
@@ -1257,111 +1244,10 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL
                 return NT_STATUS_INVALID_PARAMETER;
         }
  
-       /*
-        * Start a transaction, so we can query and do a subsequent atomic
-        * modify
-        */
-
-       ret = ldb_transaction_start(d_state->sam_ctx);
-       if (ret != LDB_SUCCESS) {
-               DEBUG(0,("Failed to start a transaction for user creation: %s\n",
-                        ldb_errstring(d_state->sam_ctx)));
-               return NT_STATUS_INTERNAL_DB_CORRUPTION;
-       }
-
-       /* check if the user already exists */
-       name = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL, 
-                                  "sAMAccountName", 
-                                  "(&(sAMAccountName=%s)(objectclass=user))", 
-                                  ldb_binary_encode_string(mem_ctx, account_name));
-       if (name != NULL) {
-               ldb_transaction_cancel(d_state->sam_ctx);
-               return NT_STATUS_USER_EXISTS;
-       }
-
-       msg = ldb_msg_new(mem_ctx);
-       if (msg == NULL) {
-               ldb_transaction_cancel(d_state->sam_ctx);
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       cn_name   = talloc_strdup(mem_ctx, account_name);
-       if (!cn_name) {
-               ldb_transaction_cancel(d_state->sam_ctx);
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       cn_name_len = strlen(cn_name);
-
-       /* This must be one of these values *only* */
-       if (r->in.acct_flags == ACB_NORMAL) {
-               container = "CN=Users";
-               obj_class = "user";
-
-       } else if (r->in.acct_flags == ACB_WSTRUST) {
-               if (cn_name[cn_name_len - 1] != '$') {
-                       ldb_transaction_cancel(d_state->sam_ctx);
-                       return NT_STATUS_FOOBAR;
-               }
-               cn_name[cn_name_len - 1] = '\0';
-               container = "CN=Computers";
-               obj_class = "computer";
-               samdb_msg_add_int(d_state->sam_ctx, mem_ctx, msg,
-                       "primaryGroupID", DOMAIN_RID_DOMAIN_MEMBERS);
-
-       } else if (r->in.acct_flags == ACB_SVRTRUST) {
-               if (cn_name[cn_name_len - 1] != '$') {
-                       ldb_transaction_cancel(d_state->sam_ctx);
-                       return NT_STATUS_FOOBAR;                
-               }
-               cn_name[cn_name_len - 1] = '\0';
-               container = "OU=Domain Controllers";
-               obj_class = "computer";
-               samdb_msg_add_int(d_state->sam_ctx, mem_ctx, msg,
-                       "primaryGroupID", DOMAIN_RID_DCS);
-       } else {
-               ldb_transaction_cancel(d_state->sam_ctx);
-               return NT_STATUS_INVALID_PARAMETER;
-       }
-
-       /* add core elements to the ldb_message for the user */
-       msg->dn = ldb_dn_copy(msg, d_state->domain_dn);
-       if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s,%s", cn_name, container)) {
-               ldb_transaction_cancel(d_state->sam_ctx);
-               return NT_STATUS_FOOBAR;
-       }
-
-       samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "sAMAccountName",
-               account_name);
-       samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "objectClass",
-               obj_class);
-
-       /* create the user */
-       ret = ldb_add(d_state->sam_ctx, msg);
-       switch (ret) {
-       case LDB_SUCCESS:
-               break;
-       case LDB_ERR_ENTRY_ALREADY_EXISTS:
-               ldb_transaction_cancel(d_state->sam_ctx);
-               DEBUG(0,("Failed to create user record %s: %s\n",
-                        ldb_dn_get_linearized(msg->dn),
-                        ldb_errstring(d_state->sam_ctx)));
-               return NT_STATUS_USER_EXISTS;
-       case LDB_ERR_UNWILLING_TO_PERFORM:
-       case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
-               ldb_transaction_cancel(d_state->sam_ctx);
-               DEBUG(0,("Failed to create user record %s: %s\n",
-                        ldb_dn_get_linearized(msg->dn),
-                        ldb_errstring(d_state->sam_ctx)));
-               return NT_STATUS_ACCESS_DENIED;
-       default:
-               ldb_transaction_cancel(d_state->sam_ctx);
-               DEBUG(0,("Failed to create user record %s: %s\n",
-                        ldb_dn_get_linearized(msg->dn),
-                        ldb_errstring(d_state->sam_ctx)));
-               return NT_STATUS_INTERNAL_DB_CORRUPTION;
+       status = dsdb_add_user(d_state->sam_ctx, mem_ctx, account_name, r->in.acct_flags, &sid, &dn);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
         }
-
         a_state = talloc(mem_ctx, struct samr_account_state);
         if (!a_state) {
                 ldb_transaction_cancel(d_state->sam_ctx);
@@ -1370,71 +1256,7 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL
         a_state->sam_ctx = d_state->sam_ctx;
         a_state->access_mask = r->in.access_mask;
         a_state->domain_state = talloc_reference(a_state, d_state);
-       a_state->account_dn = talloc_steal(a_state, msg->dn);
-
-       /* retrieve the sid and account control bits for the user just created */
-       ret = gendb_search_dn(d_state->sam_ctx, mem_ctx,
-                             msg->dn, &msgs, attrs);
-
-       if (ret != 1) {
-               ldb_transaction_cancel(d_state->sam_ctx);
-               DEBUG(0,("Apparently we failed to create an account record, as %s now doesn't exist\n",
-                        ldb_dn_get_linearized(msg->dn)));
-               return NT_STATUS_INTERNAL_DB_CORRUPTION;
-       }
-       sid = samdb_result_dom_sid(mem_ctx, msgs[0], "objectSid");
-       if (sid == NULL) {
-               ldb_transaction_cancel(d_state->sam_ctx);
-               DEBUG(0,("Apparently we failed to get the objectSid of the just created account record %s\n",
-                        ldb_dn_get_linearized(msg->dn)));
-               return NT_STATUS_INTERNAL_DB_CORRUPTION;
-       }
-
-       /* Change the account control to be the correct account type.
-        * The default is for a workstation account */
-       user_account_control = samdb_result_uint(msgs[0], "userAccountControl", 0);
-       user_account_control = (user_account_control & 
-                               ~(UF_NORMAL_ACCOUNT |
-                                 UF_INTERDOMAIN_TRUST_ACCOUNT | 
-                                 UF_WORKSTATION_TRUST_ACCOUNT | 
-                                 UF_SERVER_TRUST_ACCOUNT));
-       user_account_control |= ds_acb2uf(r->in.acct_flags);
-
-       talloc_free(msg);
-       msg = ldb_msg_new(mem_ctx);
-       if (msg == NULL) {
-               ldb_transaction_cancel(d_state->sam_ctx);
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       msg->dn = ldb_dn_copy(msg, a_state->account_dn);
-
-       if (samdb_msg_add_uint(a_state->sam_ctx, mem_ctx, msg, 
-                              "userAccountControl", 
-                              user_account_control) != 0) { 
-               ldb_transaction_cancel(d_state->sam_ctx);
-               return NT_STATUS_NO_MEMORY; 
-       }
-
-       /* modify the samdb record */
-       ret = dsdb_replace(a_state->sam_ctx, msg, 0);
-       if (ret != LDB_SUCCESS) {
-               DEBUG(0,("Failed to modify account record %s to set userAccountControl: %s\n",
-                        ldb_dn_get_linearized(msg->dn),
-                        ldb_errstring(d_state->sam_ctx)));
-               ldb_transaction_cancel(d_state->sam_ctx);
-
-               /* we really need samdb.c to return NTSTATUS */
-               return NT_STATUS_UNSUCCESSFUL;
-       }
-
-       ret = ldb_transaction_commit(d_state->sam_ctx);
-       if (ret != LDB_SUCCESS) {
-               DEBUG(0,("Failed to commit transaction to add and modify account record %s: %s\n",
-                        ldb_dn_get_linearized(msg->dn),
-                        ldb_errstring(d_state->sam_ctx)));
-               return NT_STATUS_INTERNAL_DB_CORRUPTION;
-       }
+       a_state->account_dn = talloc_steal(a_state, dn);
  
         a_state->account_name = talloc_steal(a_state, account_name);
         if (!a_state->account_name) {
author	Andrew Bartlett <abartlet@samba.org>
	Thu, 20 May 2010 22:14:53 +0000 (08:14 +1000)
committer	Andrew Bartlett <abartlet@samba.org>
	Mon, 24 May 2010 13:08:11 +0000 (23:08 +1000)
source4/dsdb/common/util_samr.c	[new file with mode: 0644]	patch \| blob
source4/dsdb/wscript_build		patch \| blob \| history
source4/rpc_server/samr/dcesrv_samr.c		patch \| blob \| history