4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007
6 Copyright (C) Nadezhda Ivanova 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 * Component: DS Security descriptor module
28 * - Calculate the security descriptor of a newly created object
29 * - Perform sd recalculation on a move operation
30 * - Handle sd modification invariants
32 * Author: Nadezhda Ivanova
36 #include <ldb_module.h>
37 #include "util/dlinklist.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "librpc/ndr/libndr.h"
40 #include "librpc/gen_ndr/ndr_security.h"
41 #include "libcli/security/security.h"
42 #include "auth/auth.h"
43 #include "param/param.h"
44 #include "dsdb/samdb/ldb_modules/util.h"
45 #include "lib/util/util_tdb.h"
46 #include "lib/dbwrap/dbwrap.h"
47 #include "lib/dbwrap/dbwrap_rbt.h"
49 struct descriptor_changes {
50 struct descriptor_changes *prev, *next;
51 struct ldb_dn *nc_root;
53 struct GUID parent_guid;
56 struct ldb_dn *stopped_dn;
61 struct descriptor_transaction {
65 * We used to have a list of changes, appended with each
66 * DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID operation.
68 * But the main problem was that a replication
69 * cycle (mainly the initial replication) calls
70 * DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID for the
71 * same object[GUID] more than once. With
72 * DRSUAPI_DRS_GET_TGT we'll get the naming
73 * context head object and other top level
74 * containers, every often.
76 * It means we'll process objects more
77 * than once and waste a lot of time
78 * doing the same work again and again.
80 * We use an objectGUID based map in order to
81 * avoid registering objects more than once.
82 * In an domain with 22000 object it can
83 * reduce the work from 4 hours down to ~ 3.5 minutes.
85 struct descriptor_changes *list;
86 struct db_context *map;
87 size_t num_registrations;
88 size_t num_registered;
93 struct db_context *map;
99 struct descriptor_data {
100 struct descriptor_transaction transaction;
103 struct descriptor_context {
104 struct ldb_module *module;
105 struct ldb_request *req;
106 struct ldb_message *msg;
107 struct ldb_reply *search_res;
108 struct ldb_reply *search_oc_res;
109 struct ldb_val *parentsd_val;
110 struct ldb_message_element *sd_element;
111 struct ldb_val *sd_val;
113 int (*step_fn)(struct descriptor_context *);
116 static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
118 const struct security_token *token,
119 struct ldb_context *ldb)
121 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
122 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
123 struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
124 struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
125 struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
126 struct dom_sid *dag_sid;
127 struct ldb_dn *nc_root;
130 ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
131 if (ret != LDB_SUCCESS) {
132 talloc_free(tmp_ctx);
136 if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
137 if (security_token_has_sid(token, sa_sid)) {
138 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
139 } else if (security_token_has_sid(token, ea_sid)) {
140 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
141 } else if (security_token_has_sid(token, da_sid)) {
142 dag_sid = dom_sid_dup(mem_ctx, da_sid);
143 } else if (security_token_is_system(token)) {
144 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
148 } else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
149 if (security_token_has_sid(token, ea_sid)) {
150 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
151 } else if (security_token_has_sid(token, da_sid)) {
152 dag_sid = dom_sid_dup(mem_ctx, da_sid);
153 } else if (security_token_is_system(token)) {
154 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
158 } else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
159 if (security_token_has_sid(token, da_sid)) {
160 dag_sid = dom_sid_dup(mem_ctx, da_sid);
161 } else if (security_token_has_sid(token, ea_sid)) {
162 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
163 } else if (security_token_is_system(token)) {
164 dag_sid = dom_sid_dup(mem_ctx, da_sid);
172 talloc_free(tmp_ctx);
176 static struct security_descriptor *get_sd_unpacked(struct ldb_module *module, TALLOC_CTX *mem_ctx,
177 const struct dsdb_class *objectclass)
179 struct ldb_context *ldb = ldb_module_get_ctx(module);
180 struct security_descriptor *sd;
181 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
183 if (!objectclass->defaultSecurityDescriptor || !domain_sid) {
187 sd = sddl_decode(mem_ctx,
188 objectclass->defaultSecurityDescriptor,
193 static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx,
194 struct ldb_context *ldb,
198 * This depends on the function level of the DC
199 * which is 2008R2 in our case. Which means it is
200 * higher than 2003 and we should use the
201 * "default administrator group" also as owning group.
203 * This matches dcpromo for a 2003 domain
204 * on a Windows 2008R2 DC.
209 static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx,
210 struct security_descriptor *new_sd,
211 struct security_descriptor *old_sd,
214 struct security_descriptor *final_sd;
215 /* if there is no control or control == 0 modify everything */
220 final_sd = talloc_zero(mem_ctx, struct security_descriptor);
221 final_sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
222 final_sd->type = SEC_DESC_SELF_RELATIVE;
224 if (sd_flags & (SECINFO_OWNER)) {
225 if (new_sd->owner_sid) {
226 final_sd->owner_sid = talloc_memdup(mem_ctx, new_sd->owner_sid, sizeof(struct dom_sid));
228 final_sd->type |= new_sd->type & SEC_DESC_OWNER_DEFAULTED;
231 if (old_sd->owner_sid) {
232 final_sd->owner_sid = talloc_memdup(mem_ctx, old_sd->owner_sid, sizeof(struct dom_sid));
234 final_sd->type |= old_sd->type & SEC_DESC_OWNER_DEFAULTED;
237 if (sd_flags & (SECINFO_GROUP)) {
238 if (new_sd->group_sid) {
239 final_sd->group_sid = talloc_memdup(mem_ctx, new_sd->group_sid, sizeof(struct dom_sid));
241 final_sd->type |= new_sd->type & SEC_DESC_GROUP_DEFAULTED;
244 if (old_sd->group_sid) {
245 final_sd->group_sid = talloc_memdup(mem_ctx, old_sd->group_sid, sizeof(struct dom_sid));
247 final_sd->type |= old_sd->type & SEC_DESC_GROUP_DEFAULTED;
250 if (sd_flags & (SECINFO_SACL)) {
251 final_sd->sacl = security_acl_dup(mem_ctx,new_sd->sacl);
252 final_sd->type |= new_sd->type & (SEC_DESC_SACL_PRESENT |
253 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
254 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
255 SEC_DESC_SERVER_SECURITY);
257 else if (old_sd && old_sd->sacl) {
258 final_sd->sacl = security_acl_dup(mem_ctx,old_sd->sacl);
259 final_sd->type |= old_sd->type & (SEC_DESC_SACL_PRESENT |
260 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
261 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
262 SEC_DESC_SERVER_SECURITY);
265 if (sd_flags & (SECINFO_DACL)) {
266 final_sd->dacl = security_acl_dup(mem_ctx,new_sd->dacl);
267 final_sd->type |= new_sd->type & (SEC_DESC_DACL_PRESENT |
268 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
269 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
270 SEC_DESC_DACL_TRUSTED);
272 else if (old_sd && old_sd->dacl) {
273 final_sd->dacl = security_acl_dup(mem_ctx,old_sd->dacl);
274 final_sd->type |= old_sd->type & (SEC_DESC_DACL_PRESENT |
275 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
276 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
277 SEC_DESC_DACL_TRUSTED);
279 /* not so sure about this */
280 final_sd->type |= new_sd->type & SEC_DESC_RM_CONTROL_VALID;
284 static struct security_descriptor *get_new_descriptor_nonlinear(struct ldb_module *module,
287 const struct dsdb_class *objectclass,
288 const struct ldb_val *parent,
289 const struct ldb_val *object,
290 const struct ldb_val *old_sd,
293 struct security_descriptor *user_descriptor = NULL, *parent_descriptor = NULL;
294 struct security_descriptor *old_descriptor = NULL;
295 struct security_descriptor *new_sd, *final_sd;
296 enum ndr_err_code ndr_err;
297 struct ldb_context *ldb = ldb_module_get_ctx(module);
298 struct auth_session_info *session_info
299 = ldb_get_opaque(ldb, DSDB_SESSION_INFO);
300 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
301 struct dom_sid *default_owner;
302 struct dom_sid *default_group;
303 struct security_descriptor *default_descriptor = NULL;
304 struct GUID *object_list = NULL;
306 if (objectclass != NULL) {
307 default_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
308 object_list = talloc_zero_array(mem_ctx, struct GUID, 2);
309 if (object_list == NULL) {
312 object_list[0] = objectclass->schemaIDGUID;
316 user_descriptor = talloc(mem_ctx, struct security_descriptor);
317 if (!user_descriptor) {
320 ndr_err = ndr_pull_struct_blob(object, user_descriptor,
322 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
324 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
325 talloc_free(user_descriptor);
329 user_descriptor = default_descriptor;
333 old_descriptor = talloc(mem_ctx, struct security_descriptor);
334 if (!old_descriptor) {
337 ndr_err = ndr_pull_struct_blob(old_sd, old_descriptor,
339 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
341 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
342 talloc_free(old_descriptor);
348 parent_descriptor = talloc(mem_ctx, struct security_descriptor);
349 if (!parent_descriptor) {
352 ndr_err = ndr_pull_struct_blob(parent, parent_descriptor,
354 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
356 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
357 talloc_free(parent_descriptor);
362 if (user_descriptor && default_descriptor &&
363 (user_descriptor->dacl == NULL))
365 user_descriptor->dacl = default_descriptor->dacl;
366 user_descriptor->type |= default_descriptor->type & (
367 SEC_DESC_DACL_PRESENT |
368 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
369 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
370 SEC_DESC_DACL_TRUSTED);
373 if (user_descriptor && default_descriptor &&
374 (user_descriptor->sacl == NULL))
376 user_descriptor->sacl = default_descriptor->sacl;
377 user_descriptor->type |= default_descriptor->type & (
378 SEC_DESC_SACL_PRESENT |
379 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
380 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
381 SEC_DESC_SERVER_SECURITY);
385 if (!(sd_flags & SECINFO_OWNER) && user_descriptor) {
386 user_descriptor->owner_sid = NULL;
389 * We need the correct owner sid
390 * when calculating the DACL or SACL
392 if (old_descriptor) {
393 user_descriptor->owner_sid = old_descriptor->owner_sid;
396 if (!(sd_flags & SECINFO_GROUP) && user_descriptor) {
397 user_descriptor->group_sid = NULL;
400 * We need the correct group sid
401 * when calculating the DACL or SACL
403 if (old_descriptor) {
404 user_descriptor->group_sid = old_descriptor->group_sid;
407 if (!(sd_flags & SECINFO_DACL) && user_descriptor) {
408 user_descriptor->dacl = NULL;
411 * We add SEC_DESC_DACL_PROTECTED so that
412 * create_security_descriptor() skips
413 * the unused inheritance calculation
415 user_descriptor->type |= SEC_DESC_DACL_PROTECTED;
417 if (!(sd_flags & SECINFO_SACL) && user_descriptor) {
418 user_descriptor->sacl = NULL;
421 * We add SEC_DESC_SACL_PROTECTED so that
422 * create_security_descriptor() skips
423 * the unused inheritance calculation
425 user_descriptor->type |= SEC_DESC_SACL_PROTECTED;
428 default_owner = get_default_ag(mem_ctx, dn,
429 session_info->security_token, ldb);
430 default_group = get_default_group(mem_ctx, ldb, default_owner);
431 new_sd = create_security_descriptor(mem_ctx,
436 SEC_DACL_AUTO_INHERIT |
437 SEC_SACL_AUTO_INHERIT,
438 session_info->security_token,
439 default_owner, default_group,
440 map_generic_rights_ds);
444 final_sd = descr_handle_sd_flags(mem_ctx, new_sd, old_descriptor, sd_flags);
450 if (final_sd->dacl) {
451 final_sd->dacl->revision = SECURITY_ACL_REVISION_ADS;
453 if (final_sd->sacl) {
454 final_sd->sacl->revision = SECURITY_ACL_REVISION_ADS;
458 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
459 DBG_DEBUG("Object %s created with descriptor %s\n\n",
460 ldb_dn_get_linearized(dn),
461 sddl_encode(tmp_ctx, final_sd, domain_sid));
462 TALLOC_FREE(tmp_ctx);
468 static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
471 const struct dsdb_class *objectclass,
472 const struct ldb_val *parent,
473 const struct ldb_val *object,
474 const struct ldb_val *old_sd,
477 struct security_descriptor *final_sd = NULL;
478 enum ndr_err_code ndr_err;
479 DATA_BLOB *linear_sd = talloc(mem_ctx, DATA_BLOB);
485 final_sd = get_new_descriptor_nonlinear(module,
493 if (final_sd == NULL) {
497 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
499 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
500 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
507 static DATA_BLOB *descr_get_descriptor_to_show(struct ldb_module *module,
512 struct security_descriptor *old_sd, *final_sd;
513 DATA_BLOB *linear_sd;
514 enum ndr_err_code ndr_err;
516 old_sd = talloc(mem_ctx, struct security_descriptor);
520 ndr_err = ndr_pull_struct_blob(sd, old_sd,
522 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
524 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
529 final_sd = descr_handle_sd_flags(mem_ctx, old_sd, NULL, sd_flags);
535 linear_sd = talloc(mem_ctx, DATA_BLOB);
540 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
542 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
543 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
550 static struct descriptor_context *descriptor_init_context(struct ldb_module *module,
551 struct ldb_request *req)
553 struct ldb_context *ldb;
554 struct descriptor_context *ac;
556 ldb = ldb_module_get_ctx(module);
558 ac = talloc_zero(req, struct descriptor_context);
560 ldb_set_errstring(ldb, "Out of Memory");
569 static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply *ares)
571 struct descriptor_context *ac;
572 struct ldb_val *sd_val = NULL;
573 struct ldb_message_element *sd_el;
575 int ret = LDB_SUCCESS;
577 ac = talloc_get_type(req->context, struct descriptor_context);
580 ret = LDB_ERR_OPERATIONS_ERROR;
583 if (ares->error != LDB_SUCCESS) {
584 return ldb_module_done(ac->req, ares->controls,
585 ares->response, ares->error);
588 switch (ares->type) {
589 case LDB_REPLY_ENTRY:
590 sd_el = ldb_msg_find_element(ares->message, "nTSecurityDescriptor");
592 sd_val = sd_el->values;
596 show_sd = descr_get_descriptor_to_show(ac->module, ac->req,
597 sd_val, ac->sd_flags);
599 ret = LDB_ERR_OPERATIONS_ERROR;
602 ldb_msg_remove_attr(ares->message, "nTSecurityDescriptor");
603 ret = ldb_msg_add_steal_value(ares->message, "nTSecurityDescriptor", show_sd);
604 if (ret != LDB_SUCCESS) {
608 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
610 case LDB_REPLY_REFERRAL:
611 return ldb_module_send_referral(ac->req, ares->referral);
614 return ldb_module_done(ac->req, ares->controls,
615 ares->response, ares->error);
620 return ldb_module_done(ac->req, NULL, NULL, ret);
623 static bool can_write_owner(TALLOC_CTX *mem_ctx,
624 struct ldb_context *ldb,
626 const struct security_token *security_token,
627 const struct dom_sid *owner_sid)
629 const struct dom_sid *default_owner = NULL;
631 /* If the user possesses SE_RESTORE_PRIVILEGE, the write is allowed. */
632 bool ok = security_token_has_privilege(security_token, SEC_PRIV_RESTORE);
637 /* The user can write their own SID to a security descriptor. */
638 ok = security_token_is_sid(security_token, owner_sid);
644 * The user can write the SID of the "default administrators group" that
645 * they are a member of.
647 default_owner = get_default_ag(mem_ctx, dn,
648 security_token, ldb);
649 if (default_owner != NULL) {
650 ok = security_token_is_sid(security_token, owner_sid);
656 static int descriptor_add(struct ldb_module *module, struct ldb_request *req)
658 struct ldb_context *ldb = ldb_module_get_ctx(module);
659 struct ldb_request *add_req;
660 struct ldb_message *msg;
661 struct ldb_result *parent_res;
662 const struct ldb_val *parent_sd = NULL;
663 const struct ldb_val *user_sd = NULL;
664 struct ldb_dn *dn = req->op.add.message->dn;
665 struct ldb_dn *parent_dn, *nc_root;
666 struct ldb_message_element *objectclass_element, *sd_element;
668 const struct dsdb_schema *schema;
670 const struct dsdb_class *objectclass;
671 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
672 uint32_t instanceType;
674 enum ndr_err_code ndr_err;
675 struct dsdb_control_calculated_default_sd *control_sd = NULL;
676 uint32_t sd_flags = dsdb_request_sd_flags(req, NULL);
677 struct security_descriptor *user_descriptor = NULL;
679 /* do not manipulate our control entries */
680 if (ldb_dn_is_special(dn)) {
681 return ldb_next_request(module, req);
684 user_sd = ldb_msg_find_ldb_val(req->op.add.message, "nTSecurityDescriptor");
685 sd_element = ldb_msg_find_element(req->op.add.message, "nTSecurityDescriptor");
686 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
687 if (user_sd == NULL && sd_element) {
688 return ldb_next_request(module, req);
691 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: %s\n", ldb_dn_get_linearized(dn));
693 instanceType = ldb_msg_find_attr_as_uint(req->op.add.message, "instanceType", 0);
695 if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
700 ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
701 if (ret != LDB_SUCCESS) {
702 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find NC root for %s\n",
703 ldb_dn_get_linearized(dn));
707 if (ldb_dn_compare(dn, nc_root) == 0) {
708 DEBUG(0, ("Found DN %s being a NC by the old method\n", ldb_dn_get_linearized(dn)));
714 DEBUG(2, ("DN: %s is a NC\n", ldb_dn_get_linearized(dn)));
717 /* if the object has a parent, retrieve its SD to
718 * use for calculation. Unfortunately we do not yet have
719 * instanceType, so we use dsdb_find_nc_root. */
721 parent_dn = ldb_dn_get_parent(req, dn);
722 if (parent_dn == NULL) {
726 /* we aren't any NC */
727 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
729 DSDB_FLAG_NEXT_MODULE |
730 DSDB_FLAG_AS_SYSTEM |
731 DSDB_SEARCH_SHOW_RECYCLED,
733 if (ret != LDB_SUCCESS) {
734 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find SD for %s\n",
735 ldb_dn_get_linearized(parent_dn));
738 if (parent_res->count != 1) {
739 return ldb_operr(ldb);
741 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
744 schema = dsdb_get_schema(ldb, req);
746 objectclass_element = ldb_msg_find_element(req->op.add.message, "objectClass");
747 if (objectclass_element == NULL) {
748 return ldb_operr(ldb);
751 objectclass = dsdb_get_last_structural_class(schema,
752 objectclass_element);
753 if (objectclass == NULL) {
754 return ldb_operr(ldb);
758 * The SD_FLAG control is ignored on add
759 * and we default to all bits set.
761 sd_flags = SECINFO_OWNER|SECINFO_GROUP|SECINFO_SACL|SECINFO_DACL;
763 control_sd = talloc(req, struct dsdb_control_calculated_default_sd);
764 if (control_sd == NULL) {
765 return ldb_operr(ldb);
767 control_sd->specified_sd = false;
768 control_sd->specified_sacl = false;
769 if (user_sd != NULL) {
770 user_descriptor = talloc(req, struct security_descriptor);
771 if (user_descriptor == NULL) {
772 return ldb_operr(ldb);
774 ndr_err = ndr_pull_struct_blob(user_sd, user_descriptor,
776 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
778 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
779 talloc_free(user_descriptor);
780 return ldb_operr(ldb);
783 * calculate the permissions needed, since in acl we no longer have
784 * access to the original user descriptor
786 control_sd->specified_sd = true;
787 control_sd->specified_sacl = user_descriptor->sacl != NULL;
789 if (user_descriptor->owner_sid != NULL) {
790 /* Verify the owner of the security descriptor. */
792 const struct auth_session_info *session_info
793 = ldb_get_opaque(ldb, DSDB_SESSION_INFO);
795 bool ok = can_write_owner(req,
798 session_info->security_token,
799 user_descriptor->owner_sid);
800 talloc_free(user_descriptor);
802 return dsdb_module_werror(module,
803 LDB_ERR_CONSTRAINT_VIOLATION,
805 "invalid addition of owner SID");
810 sd = get_new_descriptor(module, dn, req,
811 objectclass, parent_sd,
812 user_sd, NULL, sd_flags);
814 return ldb_operr(ldb);
817 control_sd->default_sd = get_new_descriptor_nonlinear(module,
825 if (control_sd->default_sd == NULL) {
826 return ldb_operr(ldb);
829 msg = ldb_msg_copy_shallow(req, req->op.add.message);
833 if (sd_element != NULL) {
834 sd_element->values[0] = *sd;
836 ret = ldb_msg_add_steal_value(msg,
837 "nTSecurityDescriptor",
839 if (ret != LDB_SUCCESS) {
844 ret = ldb_build_add_req(&add_req, ldb, req,
847 req, dsdb_next_callback,
850 LDB_REQ_SET_LOCATION(add_req);
851 if (ret != LDB_SUCCESS) {
852 return ldb_error(ldb, ret,
853 "descriptor_add: Error creating new add request.");
856 *control_sd->default_sd->owner_sid = global_sid_NULL;
857 ret = ldb_request_add_control(add_req,
858 DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID,
859 false, (void *)control_sd);
860 if (ret != LDB_SUCCESS) {
861 return ldb_module_operr(module);
863 return ldb_next_request(module, add_req);
866 static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
868 struct ldb_context *ldb = ldb_module_get_ctx(module);
869 struct ldb_request *mod_req;
870 struct ldb_message *msg;
871 struct ldb_result *current_res, *parent_res;
872 const struct ldb_val *old_sd = NULL;
873 const struct ldb_val *parent_sd = NULL;
874 const struct ldb_val *user_sd = NULL;
875 struct ldb_dn *dn = req->op.mod.message->dn;
876 struct ldb_dn *parent_dn;
877 struct ldb_message_element *objectclass_element, *sd_element;
879 uint32_t instanceType;
880 bool explicit_sd_flags = false;
881 uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
882 const struct dsdb_schema *schema;
884 const struct dsdb_class *objectclass;
885 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
886 static const char * const current_attrs[] = { "nTSecurityDescriptor",
888 "objectClass", NULL };
889 struct GUID parent_guid = { .time_low = 0 };
890 struct ldb_control *sd_propagation_control;
893 /* do not manipulate our control entries */
894 if (ldb_dn_is_special(dn)) {
895 return ldb_next_request(module, req);
898 sd_propagation_control = ldb_request_get_control(req,
899 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
900 if (sd_propagation_control != NULL) {
901 if (sd_propagation_control->data != module) {
902 return ldb_operr(ldb);
904 if (req->op.mod.message->num_elements != 0) {
905 return ldb_operr(ldb);
907 if (explicit_sd_flags) {
908 return ldb_operr(ldb);
910 if (sd_flags != 0xF) {
911 return ldb_operr(ldb);
913 if (sd_propagation_control->critical == 0) {
914 return ldb_operr(ldb);
917 sd_propagation_control->critical = 0;
920 sd_element = ldb_msg_find_element(req->op.mod.message, "nTSecurityDescriptor");
921 if (sd_propagation_control == NULL && sd_element == NULL) {
922 return ldb_next_request(module, req);
926 * nTSecurityDescriptor with DELETE is not supported yet.
927 * TODO: handle this correctly.
929 if (sd_propagation_control == NULL &&
930 LDB_FLAG_MOD_TYPE(sd_element->flags) == LDB_FLAG_MOD_DELETE)
932 return ldb_module_error(module,
933 LDB_ERR_UNWILLING_TO_PERFORM,
934 "MOD_DELETE for nTSecurityDescriptor "
935 "not supported yet");
938 user_sd = ldb_msg_find_ldb_val(req->op.mod.message, "nTSecurityDescriptor");
939 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
940 if (sd_propagation_control == NULL && user_sd == NULL) {
941 return ldb_next_request(module, req);
944 if (sd_flags & SECINFO_OWNER && user_sd != NULL) {
945 /* Verify the new owner of the security descriptor. */
947 struct security_descriptor *user_descriptor = NULL;
948 enum ndr_err_code ndr_err;
949 const struct auth_session_info *session_info;
952 user_descriptor = talloc(req, struct security_descriptor);
954 if (user_descriptor == NULL) {
955 return ldb_operr(ldb);
957 ndr_err = ndr_pull_struct_blob(user_sd, user_descriptor,
959 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
961 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
962 talloc_free(user_descriptor);
963 return ldb_operr(ldb);
966 session_info = ldb_get_opaque(ldb, DSDB_SESSION_INFO);
968 ok = can_write_owner(req,
971 session_info->security_token,
972 user_descriptor->owner_sid);
973 talloc_free(user_descriptor);
975 return dsdb_module_werror(module,
976 LDB_ERR_CONSTRAINT_VIOLATION,
978 "invalid modification of owner SID");
982 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_modify: %s\n", ldb_dn_get_linearized(dn));
984 ret = dsdb_module_search_dn(module, req, ¤t_res, dn,
986 DSDB_FLAG_NEXT_MODULE |
987 DSDB_FLAG_AS_SYSTEM |
988 DSDB_SEARCH_SHOW_RECYCLED |
989 DSDB_SEARCH_SHOW_EXTENDED_DN,
991 if (ret != LDB_SUCCESS) {
992 ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n",
993 ldb_dn_get_linearized(dn));
997 instanceType = ldb_msg_find_attr_as_uint(current_res->msgs[0],
999 /* if the object has a parent, retrieve its SD to
1000 * use for calculation */
1001 if (!ldb_dn_is_null(current_res->msgs[0]->dn) &&
1002 !(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
1005 parent_dn = ldb_dn_get_parent(req, dn);
1006 if (parent_dn == NULL) {
1007 return ldb_oom(ldb);
1009 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
1011 DSDB_FLAG_NEXT_MODULE |
1012 DSDB_FLAG_AS_SYSTEM |
1013 DSDB_SEARCH_SHOW_RECYCLED |
1014 DSDB_SEARCH_SHOW_EXTENDED_DN,
1016 if (ret != LDB_SUCCESS) {
1017 ldb_debug(ldb, LDB_DEBUG_ERROR, "descriptor_modify: Could not find SD for %s\n",
1018 ldb_dn_get_linearized(parent_dn));
1021 if (parent_res->count != 1) {
1022 return ldb_operr(ldb);
1024 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
1026 status = dsdb_get_extended_dn_guid(parent_res->msgs[0]->dn,
1029 if (!NT_STATUS_IS_OK(status)) {
1030 return ldb_operr(ldb);
1034 schema = dsdb_get_schema(ldb, req);
1036 objectclass_element = ldb_msg_find_element(current_res->msgs[0], "objectClass");
1037 if (objectclass_element == NULL) {
1038 return ldb_operr(ldb);
1041 objectclass = dsdb_get_last_structural_class(schema,
1042 objectclass_element);
1043 if (objectclass == NULL) {
1044 return ldb_operr(ldb);
1047 old_sd = ldb_msg_find_ldb_val(current_res->msgs[0], "nTSecurityDescriptor");
1048 if (old_sd == NULL) {
1049 return ldb_operr(ldb);
1052 if (sd_propagation_control != NULL) {
1054 * This just triggers a recalculation of the
1060 sd = get_new_descriptor(module, current_res->msgs[0]->dn, req,
1061 objectclass, parent_sd,
1062 user_sd, old_sd, sd_flags);
1064 return ldb_operr(ldb);
1066 msg = ldb_msg_copy_shallow(req, req->op.mod.message);
1068 return ldb_oom(ldb);
1070 cmp_ret = data_blob_cmp(old_sd, sd);
1071 if (sd_propagation_control != NULL) {
1074 * The nTSecurityDescriptor is unchanged,
1075 * which means we can stop the processing.
1077 * We mark the control as critical again,
1078 * as we have not processed it, so the caller
1079 * can tell that the descriptor was unchanged.
1081 sd_propagation_control->critical = 1;
1082 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1085 ret = ldb_msg_append_value(msg, "nTSecurityDescriptor",
1086 sd, LDB_FLAG_MOD_REPLACE);
1087 if (ret != LDB_SUCCESS) {
1088 return ldb_oom(ldb);
1090 } else if (cmp_ret != 0) {
1092 struct ldb_dn *nc_root;
1095 ret = dsdb_find_nc_root(ldb,
1097 current_res->msgs[0]->dn,
1099 if (ret != LDB_SUCCESS) {
1100 return ldb_oom(ldb);
1103 status = dsdb_get_extended_dn_guid(current_res->msgs[0]->dn,
1106 if (!NT_STATUS_IS_OK(status)) {
1107 return ldb_operr(ldb);
1111 * Force SD propagation on children of this record
1113 ret = dsdb_module_schedule_sd_propagation(module,
1118 if (ret != LDB_SUCCESS) {
1119 return ldb_operr(ldb);
1121 sd_element->values[0] = *sd;
1123 sd_element->values[0] = *sd;
1126 ret = ldb_build_mod_req(&mod_req, ldb, req,
1132 LDB_REQ_SET_LOCATION(mod_req);
1133 if (ret != LDB_SUCCESS) {
1137 return ldb_next_request(module, mod_req);
1140 static int descriptor_search(struct ldb_module *module, struct ldb_request *req)
1143 struct ldb_context *ldb;
1144 struct ldb_request *down_req;
1145 struct descriptor_context *ac;
1146 bool explicit_sd_flags = false;
1147 uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
1148 bool show_sd = explicit_sd_flags;
1151 ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"))
1157 return ldb_next_request(module, req);
1160 ldb = ldb_module_get_ctx(module);
1161 ac = descriptor_init_context(module, req);
1163 return ldb_operr(ldb);
1165 ac->sd_flags = sd_flags;
1167 ret = ldb_build_search_req_ex(&down_req, ldb, ac,
1168 req->op.search.base,
1169 req->op.search.scope,
1170 req->op.search.tree,
1171 req->op.search.attrs,
1173 ac, descriptor_search_callback,
1175 LDB_REQ_SET_LOCATION(down_req);
1176 if (ret != LDB_SUCCESS) {
1180 return ldb_next_request(ac->module, down_req);
1183 static int descriptor_rename_callback(struct ldb_request *req,
1184 struct ldb_reply *ares)
1186 struct descriptor_context *ac = NULL;
1187 struct ldb_context *ldb = NULL;
1188 struct ldb_dn *newdn = req->op.rename.newdn;
1190 struct ldb_dn *nc_root;
1191 struct GUID parent_guid = { .time_low = 0 };
1194 ac = talloc_get_type_abort(req->context, struct descriptor_context);
1195 ldb = ldb_module_get_ctx(ac->module);
1198 return ldb_module_done(ac->req, NULL, NULL,
1199 LDB_ERR_OPERATIONS_ERROR);
1201 if (ares->error != LDB_SUCCESS) {
1202 return ldb_module_done(ac->req, ares->controls,
1203 ares->response, ares->error);
1206 if (ares->type != LDB_REPLY_DONE) {
1207 return ldb_module_done(ac->req, NULL, NULL,
1208 LDB_ERR_OPERATIONS_ERROR);
1211 ret = dsdb_module_guid_by_dn(ac->module,
1215 if (ret != LDB_SUCCESS) {
1216 return ldb_module_done(ac->req, NULL, NULL,
1219 ret = dsdb_find_nc_root(ldb, req, newdn, &nc_root);
1220 if (ret != LDB_SUCCESS) {
1221 return ldb_module_done(ac->req, NULL, NULL,
1226 * After a successful rename, force SD propagation on this
1227 * record (get a new inherited SD from the potentially new
1230 * We don't know the parent guid here (it is filled in as
1231 * all-zero in the initialiser above), but we're not in a hot
1232 * code path here, as the "descriptor" module is located above
1233 * the "repl_meta_data", only originating changes are handled
1236 * If it turns out to be a problem we may search for the new
1240 ret = dsdb_module_schedule_sd_propagation(ac->module,
1245 if (ret != LDB_SUCCESS) {
1246 ret = ldb_operr(ldb);
1247 return ldb_module_done(ac->req, NULL, NULL,
1251 return ldb_module_done(ac->req, ares->controls,
1252 ares->response, ares->error);
1258 static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
1260 struct descriptor_context *ac = NULL;
1261 struct ldb_context *ldb = ldb_module_get_ctx(module);
1262 struct ldb_dn *olddn = req->op.rename.olddn;
1263 struct ldb_dn *newdn = req->op.rename.newdn;
1264 struct ldb_request *down_req;
1267 /* do not manipulate our control entries */
1268 if (ldb_dn_is_special(req->op.rename.olddn)) {
1269 return ldb_next_request(module, req);
1272 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_rename: %s\n",
1273 ldb_dn_get_linearized(olddn));
1275 if (ldb_dn_compare(olddn, newdn) == 0) {
1276 /* No special work required for a case-only rename */
1277 return ldb_next_request(module, req);
1280 ac = descriptor_init_context(module, req);
1282 return ldb_operr(ldb);
1285 ret = ldb_build_rename_req(&down_req, ldb, ac,
1286 req->op.rename.olddn,
1287 req->op.rename.newdn,
1289 ac, descriptor_rename_callback,
1291 LDB_REQ_SET_LOCATION(down_req);
1292 if (ret != LDB_SUCCESS) {
1296 return ldb_next_request(module, down_req);
1299 static void descriptor_changes_parser(TDB_DATA key, TDB_DATA data, void *private_data)
1301 struct descriptor_changes **c_ptr = (struct descriptor_changes **)private_data;
1304 SMB_ASSERT(data.dsize == sizeof(ptr));
1306 memcpy(&ptr, data.dptr, data.dsize);
1308 *c_ptr = talloc_get_type_abort((void *)ptr, struct descriptor_changes);
1311 static void descriptor_object_parser(TDB_DATA key, TDB_DATA data, void *private_data)
1313 SMB_ASSERT(data.dsize == 0);
1316 static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
1317 struct ldb_request *req)
1319 struct descriptor_data *descriptor_private =
1320 talloc_get_type_abort(ldb_module_get_private(module),
1321 struct descriptor_data);
1322 struct descriptor_transaction *t = &descriptor_private->transaction;
1323 struct ldb_context *ldb = ldb_module_get_ctx(module);
1324 struct dsdb_extended_sec_desc_propagation_op *op;
1325 struct descriptor_changes *c = NULL;
1329 op = talloc_get_type(req->op.extended.data,
1330 struct dsdb_extended_sec_desc_propagation_op);
1332 ldb_debug(ldb, LDB_DEBUG_FATAL,
1333 "descriptor_extended_sec_desc_propagation: "
1334 "invalid extended data\n");
1335 return LDB_ERR_PROTOCOL_ERROR;
1338 if (t->mem == NULL) {
1339 return ldb_module_operr(module);
1342 if (GUID_equal(&op->parent_guid, &op->guid)) {
1344 * This is an unexpected situation,
1345 * it should never happen!
1347 DBG_ERR("ERROR: Object %s is its own parent (nc_root=%s)\n",
1348 GUID_string(t->mem, &op->guid),
1349 ldb_dn_get_extended_linearized(t->mem, op->nc_root, 1));
1350 return ldb_module_operr(module);
1354 * First we check if we already have an registration
1355 * for the given object.
1358 key = make_tdb_data((const void*)&op->guid, sizeof(op->guid));
1359 status = dbwrap_parse_record(t->changes.map, key,
1360 descriptor_changes_parser, &c);
1361 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
1363 status = NT_STATUS_OK;
1365 if (!NT_STATUS_IS_OK(status)) {
1366 ldb_debug(ldb, LDB_DEBUG_FATAL,
1367 "dbwrap_parse_record() - %s\n",
1369 return ldb_module_operr(module);
1374 * Create a new structure if we
1375 * don't know about the object yet.
1378 c = talloc_zero(t->mem, struct descriptor_changes);
1380 return ldb_module_oom(module);
1382 c->nc_root = ldb_dn_copy(c, op->nc_root);
1383 if (c->nc_root == NULL) {
1384 return ldb_module_oom(module);
1389 if (ldb_dn_compare(c->nc_root, op->nc_root) != 0) {
1391 * This is an unexpected situation,
1392 * we don't expect the nc root to change
1393 * during a replication cycle.
1395 DBG_ERR("ERROR: Object %s nc_root changed %s => %s\n",
1396 GUID_string(c, &c->guid),
1397 ldb_dn_get_extended_linearized(c, c->nc_root, 1),
1398 ldb_dn_get_extended_linearized(c, op->nc_root, 1));
1399 return ldb_module_operr(module);
1405 * always use the last known parent_guid.
1407 c->parent_guid = op->parent_guid;
1410 * Note that we only set, but don't clear values here,
1411 * it means c->force_self and c->force_children can
1412 * both be true in the end.
1414 if (op->include_self) {
1415 c->force_self = true;
1417 c->force_children = true;
1420 if (c->ref_count == 1) {
1421 struct TDB_DATA val = make_tdb_data((const void*)&c, sizeof(c));
1424 * Remember the change by objectGUID in order
1425 * to avoid processing it more than once.
1428 status = dbwrap_store(t->changes.map, key, val, TDB_INSERT);
1429 if (!NT_STATUS_IS_OK(status)) {
1430 ldb_debug(ldb, LDB_DEBUG_FATAL,
1431 "dbwrap_parse_record() - %s\n",
1433 return ldb_module_operr(module);
1436 DLIST_ADD_END(t->changes.list, c);
1437 t->changes.num_registered += 1;
1439 t->changes.num_registrations += 1;
1441 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1444 static int descriptor_extended(struct ldb_module *module, struct ldb_request *req)
1446 if (strcmp(req->op.extended.oid, DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID) == 0) {
1447 return descriptor_extended_sec_desc_propagation(module, req);
1450 return ldb_next_request(module, req);
1453 static int descriptor_init(struct ldb_module *module)
1455 struct ldb_context *ldb = ldb_module_get_ctx(module);
1457 struct descriptor_data *descriptor_private;
1459 ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
1460 if (ret != LDB_SUCCESS) {
1461 ldb_debug(ldb, LDB_DEBUG_ERROR,
1462 "descriptor: Unable to register control with rootdse!\n");
1463 return ldb_operr(ldb);
1466 descriptor_private = talloc_zero(module, struct descriptor_data);
1467 if (descriptor_private == NULL) {
1469 return LDB_ERR_OPERATIONS_ERROR;
1471 ldb_module_set_private(module, descriptor_private);
1473 return ldb_next_init(module);
1476 static int descriptor_sd_propagation_object(struct ldb_module *module,
1477 struct ldb_message *msg,
1480 struct descriptor_data *descriptor_private =
1481 talloc_get_type_abort(ldb_module_get_private(module),
1482 struct descriptor_data);
1483 struct descriptor_transaction *t = &descriptor_private->transaction;
1484 struct ldb_context *ldb = ldb_module_get_ctx(module);
1485 struct ldb_request *sub_req;
1486 struct ldb_result *mod_res;
1487 struct ldb_control *sd_propagation_control;
1491 TDB_DATA empty_val = { .dsize = 0, };
1493 struct descriptor_changes *c = NULL;
1498 * We get the GUID of the object
1499 * in order to have the cache key
1503 status = dsdb_get_extended_dn_guid(msg->dn, &guid, "GUID");
1504 if (!NT_STATUS_IS_OK(status)) {
1505 return ldb_operr(ldb);
1507 key = make_tdb_data((const void*)&guid, sizeof(guid));
1510 * Check if we already processed this object.
1512 status = dbwrap_parse_record(t->objects.map, key,
1513 descriptor_object_parser, NULL);
1514 if (NT_STATUS_IS_OK(status)) {
1516 * All work is already one
1518 t->objects.num_skipped += 1;
1522 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
1523 ldb_debug(ldb, LDB_DEBUG_FATAL,
1524 "dbwrap_parse_record() - %s\n",
1526 return ldb_module_operr(module);
1529 t->objects.num_processed += 1;
1532 * Remember that we're processing this object.
1534 status = dbwrap_store(t->objects.map, key, empty_val, TDB_INSERT);
1535 if (!NT_STATUS_IS_OK(status)) {
1536 ldb_debug(ldb, LDB_DEBUG_FATAL,
1537 "dbwrap_parse_record() - %s\n",
1539 return ldb_module_operr(module);
1543 * Check that if there's a descriptor_change in our list,
1544 * which we may be able to remove from the pending list
1545 * when we processed the object.
1548 status = dbwrap_parse_record(t->changes.map, key, descriptor_changes_parser, &c);
1549 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
1551 status = NT_STATUS_OK;
1553 if (!NT_STATUS_IS_OK(status)) {
1554 ldb_debug(ldb, LDB_DEBUG_FATAL,
1555 "dbwrap_parse_record() - %s\n",
1557 return ldb_module_operr(module);
1560 mod_res = talloc_zero(msg, struct ldb_result);
1561 if (mod_res == NULL) {
1562 return ldb_module_oom(module);
1565 ret = ldb_build_mod_req(&sub_req, ldb, mod_res,
1569 ldb_modify_default_callback,
1571 LDB_REQ_SET_LOCATION(sub_req);
1572 if (ret != LDB_SUCCESS) {
1573 return ldb_module_operr(module);
1576 ldb_req_mark_trusted(sub_req);
1578 ret = ldb_request_add_control(sub_req,
1579 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID,
1581 if (ret != LDB_SUCCESS) {
1582 return ldb_module_operr(module);
1585 sd_propagation_control = ldb_request_get_control(sub_req,
1586 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
1587 if (sd_propagation_control == NULL) {
1588 return ldb_module_operr(module);
1591 ret = dsdb_request_add_controls(sub_req,
1592 DSDB_FLAG_AS_SYSTEM |
1593 DSDB_SEARCH_SHOW_RECYCLED);
1594 if (ret != LDB_SUCCESS) {
1595 return ldb_module_operr(module);
1598 ret = descriptor_modify(module, sub_req);
1599 if (ret == LDB_SUCCESS) {
1600 ret = ldb_wait(sub_req->handle, LDB_WAIT_ALL);
1602 if (ret != LDB_SUCCESS) {
1603 ldb_asprintf_errstring(ldb_module_get_ctx(module),
1604 "descriptor_modify on %s failed: %s",
1605 ldb_dn_get_linearized(msg->dn),
1606 ldb_errstring(ldb_module_get_ctx(module)));
1607 return LDB_ERR_OPERATIONS_ERROR;
1610 if (sd_propagation_control->critical != 0) {
1613 * If we don't have a
1614 * descriptor_changes structure
1618 } else if (!c->force_children) {
1620 * If we don't need to
1621 * propagate to children,
1628 if (c != NULL && !c->force_children) {
1630 * Remove the pending change,
1631 * we already done all required work,
1632 * there's no need to do it again.
1634 * Note DLIST_REMOVE() is a noop
1635 * if the element is not part of
1638 DLIST_REMOVE(t->changes.list, c);
1641 talloc_free(mod_res);
1646 static int descriptor_sd_propagation_msg_sort(struct ldb_message **m1,
1647 struct ldb_message **m2)
1649 struct ldb_dn *dn1 = (*m1)->dn;
1650 struct ldb_dn *dn2 = (*m2)->dn;
1653 * This sorts in tree order, parents first
1655 return ldb_dn_compare(dn2, dn1);
1658 static int descriptor_sd_propagation_recursive(struct ldb_module *module,
1659 struct descriptor_changes *change)
1661 struct descriptor_data *descriptor_private =
1662 talloc_get_type_abort(ldb_module_get_private(module),
1663 struct descriptor_data);
1664 struct descriptor_transaction *t = &descriptor_private->transaction;
1665 struct ldb_result *guid_res = NULL;
1666 struct ldb_result *res = NULL;
1668 const char * const no_attrs[] = { "@__NONE__", NULL };
1669 struct ldb_dn *stopped_dn = NULL;
1670 struct GUID_txt_buf guid_buf;
1674 t->changes.num_processed += 1;
1677 * First confirm this object has children, or exists
1678 * (depending on change->force_self)
1680 * LDB_SCOPE_SUBTREE searches are expensive.
1682 * We know this is safe against a rename race as we are in the
1683 * prepare_commit(), so must be in a transaction.
1686 /* Find the DN by GUID, as this is stable under rename */
1687 ret = dsdb_module_search(module,
1693 DSDB_FLAG_NEXT_MODULE |
1694 DSDB_FLAG_AS_SYSTEM |
1695 DSDB_SEARCH_SHOW_DELETED |
1696 DSDB_SEARCH_SHOW_RECYCLED |
1697 DSDB_SEARCH_SHOW_EXTENDED_DN,
1698 NULL, /* parent_req */
1700 GUID_buf_string(&change->guid,
1703 if (ret != LDB_SUCCESS) {
1707 if (guid_res->count != 1) {
1709 * We were just given this GUID during the same
1710 * transaction, if it is missing this is a big
1713 * Cleanup of tombstones does not trigger this module
1714 * as it just does a delete.
1716 ldb_asprintf_errstring(ldb_module_get_ctx(module),
1717 "failed to find GUID %s under %s "
1718 "for transaction-end SD inheritance: %d results",
1719 GUID_buf_string(&change->guid,
1721 ldb_dn_get_linearized(change->nc_root),
1723 return LDB_ERR_OPERATIONS_ERROR;
1727 * OK, so there was a parent, are there children? Note: that
1728 * this time we do not search for deleted/recycled objects
1730 ret = dsdb_module_search(module,
1733 guid_res->msgs[0]->dn,
1736 DSDB_FLAG_NEXT_MODULE |
1737 DSDB_FLAG_AS_SYSTEM,
1738 NULL, /* parent_req */
1740 if (ret != LDB_SUCCESS) {
1742 * LDB_ERR_NO_SUCH_OBJECT, say if the DN was a deleted
1743 * object, is ignored by the caller
1748 if (res->count == 0 && !change->force_self) {
1749 /* All done, no children */
1755 * First, if we are in force_self mode (eg renamed under new
1756 * parent) then apply the SD to the top object
1758 if (change->force_self) {
1759 ret = descriptor_sd_propagation_object(module,
1762 if (ret != LDB_SUCCESS) {
1763 TALLOC_FREE(guid_res);
1767 if (stop == true && !change->force_children) {
1768 /* There was no change, nothing more to do */
1769 TALLOC_FREE(guid_res);
1773 if (res->count == 0) {
1775 TALLOC_FREE(guid_res);
1783 * Note: that we do not search for deleted/recycled objects
1785 ret = dsdb_module_search(module,
1788 guid_res->msgs[0]->dn,
1791 DSDB_FLAG_NEXT_MODULE |
1792 DSDB_FLAG_AS_SYSTEM |
1793 DSDB_SEARCH_SHOW_EXTENDED_DN,
1794 NULL, /* parent_req */
1796 if (ret != LDB_SUCCESS) {
1800 TYPESAFE_QSORT(res->msgs, res->count,
1801 descriptor_sd_propagation_msg_sort);
1803 /* We start from 1, the top object has been done */
1804 for (i = 1; i < res->count; i++) {
1806 * ldb_dn_compare_base() does not match for NULL but
1809 if (stopped_dn != NULL) {
1810 ret = ldb_dn_compare_base(stopped_dn,
1813 * Skip further processing of this
1820 ret = descriptor_sd_propagation_object(module,
1823 if (ret != LDB_SUCCESS) {
1829 * If this child didn't change, then nothing
1830 * under it needs to change
1832 * res has been sorted into tree order so the
1833 * next few entries can be skipped
1835 stopped_dn = res->msgs[i]->dn;
1843 static int descriptor_start_transaction(struct ldb_module *module)
1845 struct descriptor_data *descriptor_private =
1846 talloc_get_type_abort(ldb_module_get_private(module),
1847 struct descriptor_data);
1848 struct descriptor_transaction *t = &descriptor_private->transaction;
1850 if (t->mem != NULL) {
1851 return ldb_module_operr(module);
1854 *t = (struct descriptor_transaction) { .mem = NULL, };
1855 t->mem = talloc_new(descriptor_private);
1856 if (t->mem == NULL) {
1857 return ldb_module_oom(module);
1859 t->changes.map = db_open_rbt(t->mem);
1860 if (t->changes.map == NULL) {
1861 TALLOC_FREE(t->mem);
1862 *t = (struct descriptor_transaction) { .mem = NULL, };
1863 return ldb_module_oom(module);
1865 t->objects.map = db_open_rbt(t->mem);
1866 if (t->objects.map == NULL) {
1867 TALLOC_FREE(t->mem);
1868 *t = (struct descriptor_transaction) { .mem = NULL, };
1869 return ldb_module_oom(module);
1872 return ldb_next_start_trans(module);
1875 static int descriptor_prepare_commit(struct ldb_module *module)
1877 struct descriptor_data *descriptor_private =
1878 talloc_get_type_abort(ldb_module_get_private(module),
1879 struct descriptor_data);
1880 struct descriptor_transaction *t = &descriptor_private->transaction;
1881 struct ldb_context *ldb = ldb_module_get_ctx(module);
1882 struct descriptor_changes *c, *n;
1885 DBG_NOTICE("changes: num_registrations=%zu\n",
1886 t->changes.num_registrations);
1887 DBG_NOTICE("changes: num_registered=%zu\n",
1888 t->changes.num_registered);
1891 * The security descriptor propagation
1892 * needs to apply the inheritance from
1893 * an object to itself and/or all it's
1896 * In the initial replication during
1897 * a join, we have every object in our
1900 * In order to avoid useless work it's
1901 * better to start with toplevel objects and
1902 * move down to the leaf object from there.
1904 * So if the parent_guid is also in our list,
1905 * we better move the object behind its parent.
1907 * It allows that the recursive processing of
1908 * the parent already does the work needed
1911 * If we have a list for this directory tree:
1919 * The initial list would have the order D, E, B, A, C
1921 * By still processing from the front, we ensure that,
1922 * when D is found to be below C, that E follows because
1923 * we keep peeling items off the front for checking and
1924 * move them behind their parent.
1934 for (c = t->changes.list; c; c = n) {
1935 struct descriptor_changes *pc = NULL;
1938 if (c->sort_count >= t->changes.num_registered) {
1940 * This should never happen, but it's
1941 * a sanity check in order to avoid
1942 * endless loops. Just stop sorting.
1948 * Check if we have the parent also in the list.
1950 if (!GUID_all_zero((const void*)&c->parent_guid)) {
1954 pkey = make_tdb_data((const void*)&c->parent_guid,
1955 sizeof(c->parent_guid));
1957 status = dbwrap_parse_record(t->changes.map, pkey,
1958 descriptor_changes_parser, &pc);
1959 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
1961 status = NT_STATUS_OK;
1963 if (!NT_STATUS_IS_OK(status)) {
1964 ldb_debug(ldb, LDB_DEBUG_FATAL,
1965 "dbwrap_parse_record() - %s\n",
1967 return ldb_module_operr(module);
1973 * There is no parent in the list
1975 t->changes.num_toplevel += 1;
1980 * Move the child after the parent
1982 * Note that we do that multiple times
1983 * in case the parent already moved itself.
1985 * See the comment above the loop.
1987 DLIST_REMOVE(t->changes.list, c);
1988 DLIST_ADD_AFTER(t->changes.list, c, pc);
1991 * Remember how often we moved the object
1992 * in order to avoid endless loops.
1997 DBG_NOTICE("changes: num_toplevel=%zu\n", t->changes.num_toplevel);
1999 while (t->changes.list != NULL) {
2000 c = t->changes.list;
2002 DLIST_REMOVE(t->changes.list, c);
2005 * Note that descriptor_sd_propagation_recursive()
2006 * may also remove other elements of the list,
2007 * so we can't use a next pointer
2009 ret = descriptor_sd_propagation_recursive(module, c);
2010 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2013 if (ret != LDB_SUCCESS) {
2018 DBG_NOTICE("changes: num_processed=%zu\n", t->changes.num_processed);
2019 DBG_NOTICE("objects: num_processed=%zu\n", t->objects.num_processed);
2020 DBG_NOTICE("objects: num_skipped=%zu\n", t->objects.num_skipped);
2022 return ldb_next_prepare_commit(module);
2025 static int descriptor_end_transaction(struct ldb_module *module)
2027 struct descriptor_data *descriptor_private =
2028 talloc_get_type_abort(ldb_module_get_private(module),
2029 struct descriptor_data);
2030 struct descriptor_transaction *t = &descriptor_private->transaction;
2032 TALLOC_FREE(t->mem);
2033 *t = (struct descriptor_transaction) { .mem = NULL, };
2035 return ldb_next_end_trans(module);
2038 static int descriptor_del_transaction(struct ldb_module *module)
2040 struct descriptor_data *descriptor_private =
2041 talloc_get_type_abort(ldb_module_get_private(module),
2042 struct descriptor_data);
2043 struct descriptor_transaction *t = &descriptor_private->transaction;
2045 TALLOC_FREE(t->mem);
2046 *t = (struct descriptor_transaction) { .mem = NULL, };
2048 return ldb_next_del_trans(module);
2051 static const struct ldb_module_ops ldb_descriptor_module_ops = {
2052 .name = "descriptor",
2053 .search = descriptor_search,
2054 .add = descriptor_add,
2055 .modify = descriptor_modify,
2056 .rename = descriptor_rename,
2057 .init_context = descriptor_init,
2058 .extended = descriptor_extended,
2059 .start_transaction = descriptor_start_transaction,
2060 .prepare_commit = descriptor_prepare_commit,
2061 .end_transaction = descriptor_end_transaction,
2062 .del_transaction = descriptor_del_transaction,
2065 int ldb_descriptor_module_init(const char *version)
2067 LDB_MODULE_CHECK_VERSION(version);
2068 return ldb_register_module(&ldb_descriptor_module_ops);