2 Unix SMB/CIFS implementation.
4 implement the DsAddEntry call
6 Copyright (C) Stefan Metzmacher 2009
7 Copyright (C) Andrew Tridgell 2009
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "rpc_server/dcerpc_server.h"
25 #include "dsdb/samdb/samdb.h"
26 #include "dsdb/common/util.h"
27 #include "param/param.h"
28 #include "libcli/security/security.h"
29 #include "libcli/security/session.h"
30 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
31 #include "librpc/gen_ndr/ndr_drsuapi.h"
34 #define DBGC_CLASS DBGC_DRS_REPL
37 add special SPNs needed for DRS replication to machine accounts when
38 an AddEntry is done to create a nTDSDSA object
40 static WERROR drsuapi_add_SPNs(struct drsuapi_bind_state *b_state,
41 struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
42 const struct drsuapi_DsReplicaObjectListItem *first_object)
45 const struct drsuapi_DsReplicaObjectListItem *obj;
46 const char *attrs[] = { "serverReference", "objectGUID", NULL };
48 for (obj = first_object; obj; obj=obj->next_object) {
49 const char *dn_string = obj->object.identifier->dn;
50 struct ldb_dn *dn = ldb_dn_new(mem_ctx, b_state->sam_ctx, dn_string);
51 struct ldb_result *res, *res2;
52 struct ldb_dn *ref_dn;
53 struct GUID ntds_guid;
54 struct ldb_message *msg;
55 struct ldb_message_element *el;
56 const char *ntds_guid_str;
57 const char *dom_string;
58 const char *attrs2[] = { "dNSHostName", "cn", NULL };
59 const char *dNSHostName, *cn;
61 DEBUG(6,(__location__ ": Adding SPNs for %s\n",
62 ldb_dn_get_linearized(dn)));
64 ret = ldb_search(b_state->sam_ctx, mem_ctx, &res,
65 dn, LDB_SCOPE_BASE, attrs,
66 "(objectClass=ntDSDSA)");
67 if (ret != LDB_SUCCESS) {
68 DEBUG(0,(__location__ ": Failed to find dn '%s'\n", dn_string));
69 return WERR_DS_DRA_INTERNAL_ERROR;
73 /* we only add SPNs for nTDSDSA objects */
77 ref_dn = samdb_result_dn(b_state->sam_ctx, mem_ctx, res->msgs[0], "serverReference", NULL);
79 /* we only add SPNs for objects with a
84 DEBUG(6,(__location__ ": serverReference %s\n",
85 ldb_dn_get_linearized(ref_dn)));
87 ntds_guid = samdb_result_guid(res->msgs[0], "objectGUID");
89 ntds_guid_str = GUID_string(res, &ntds_guid);
91 dom_string = lpcfg_dnsdomain(dce_call->conn->dce_ctx->lp_ctx);
93 /* get the dNSHostName and cn */
94 ret = ldb_search(b_state->sam_ctx, mem_ctx, &res2,
95 ref_dn, LDB_SCOPE_BASE, attrs2, NULL);
96 if (ret != LDB_SUCCESS) {
97 DEBUG(0,(__location__ ": Failed to find ref_dn '%s'\n",
98 ldb_dn_get_linearized(ref_dn)));
99 return WERR_DS_DRA_INTERNAL_ERROR;
102 dNSHostName = ldb_msg_find_attr_as_string(res2->msgs[0], "dNSHostName", NULL);
103 cn = ldb_msg_find_attr_as_string(res2->msgs[0], "cn", NULL);
106 * construct a modify request to add the new SPNs to
107 * the machine account
109 msg = ldb_msg_new(mem_ctx);
111 return WERR_NOT_ENOUGH_MEMORY;
115 ret = ldb_msg_add_empty(msg, "servicePrincipalName",
116 LDB_FLAG_MOD_ADD, &el);
117 if (ret != LDB_SUCCESS) {
118 return WERR_NOT_ENOUGH_MEMORY;
122 ldb_msg_add_steal_string(msg, "servicePrincipalName",
123 talloc_asprintf(el->values,
124 "E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s",
125 ntds_guid_str, dom_string));
126 ldb_msg_add_steal_string(msg, "servicePrincipalName",
127 talloc_asprintf(el->values, "ldap/%s._msdcs.%s",
128 ntds_guid_str, dom_string));
130 ldb_msg_add_steal_string(msg, "servicePrincipalName",
131 talloc_asprintf(el->values, "ldap/%s", cn));
134 ldb_msg_add_steal_string(msg, "servicePrincipalName",
135 talloc_asprintf(el->values, "ldap/%s", dNSHostName));
137 if (el->num_values < 2) {
138 return WERR_NOT_ENOUGH_MEMORY;
141 ret = dsdb_modify(b_state->sam_ctx, msg, DSDB_MODIFY_PERMISSIVE);
142 if (ret != LDB_SUCCESS) {
143 DEBUG(0,(__location__ ": Failed to add SPNs - %s\n",
144 ldb_errstring(b_state->sam_ctx)));
145 return WERR_DS_DRA_INTERNAL_ERROR;
158 WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
159 struct drsuapi_DsAddEntry *r)
162 struct drsuapi_bind_state *b_state;
163 struct dcesrv_handle *h;
165 struct drsuapi_DsReplicaObjectIdentifier2 *ids = NULL;
167 const struct drsuapi_DsReplicaObjectListItem *first_object;
170 NDR_PRINT_FUNCTION_DEBUG(drsuapi_DsAddEntry, NDR_IN, r);
173 /* TODO: check which out level the client supports */
175 ZERO_STRUCTP(r->out.ctr);
176 *r->out.level_out = 3;
177 r->out.ctr->ctr3.err_ver = 1;
178 r->out.ctr->ctr3.err_data = talloc_zero(mem_ctx, union drsuapi_DsAddEntry_ErrData);
180 DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
183 status = drs_security_level_check(dce_call, "DsAddEntry", SECURITY_DOMAIN_CONTROLLER, NULL);
184 if (!W_ERROR_IS_OK(status)) {
188 switch (r->in.level) {
190 ret = ldb_transaction_start(b_state->sam_ctx);
191 if (ret != LDB_SUCCESS) {
192 DBG_ERR("DsAddEntry start transaction failed: %s\n",
193 ldb_errstring(b_state->sam_ctx));
194 return WERR_DS_DRA_INTERNAL_ERROR;
198 first_object = &r->in.req->req2.first_object;
200 status = dsdb_origin_objects_commit(b_state->sam_ctx,
204 DSDB_REPL_FLAG_ADD_NCNAME,
206 if (!W_ERROR_IS_OK(status)) {
207 r->out.ctr->ctr3.err_data->v1.status = status;
208 ldb_transaction_cancel(b_state->sam_ctx);
209 DEBUG(0,(__location__ ": DsAddEntry failed - %s\n", win_errstr(status)));
213 r->out.ctr->ctr3.count = num;
214 r->out.ctr->ctr3.objects = ids;
221 /* if any of the added entries are nTDSDSA objects then we
222 * need to add the SPNs to the machine account
224 status = drsuapi_add_SPNs(b_state, dce_call, mem_ctx, first_object);
225 if (!W_ERROR_IS_OK(status)) {
226 r->out.ctr->ctr3.err_data->v1.status = status;
227 ldb_transaction_cancel(b_state->sam_ctx);
228 DEBUG(0,(__location__ ": DsAddEntry add SPNs failed - %s\n", win_errstr(status)));
232 ret = ldb_transaction_commit(b_state->sam_ctx);
233 if (ret != LDB_SUCCESS) {
234 DEBUG(0,(__location__ ": DsAddEntry commit failed: %s\n",
235 ldb_errstring(b_state->sam_ctx)));
236 return WERR_DS_DRA_INTERNAL_ERROR;