#include "lib/util/tsort.h"
#include "dsdb/common/util.h"
#include "lib/socket/socket.h"
-#include "dsdb/samdb/ldb_modules/util.h"
+#include "librpc/gen_ndr/irpc.h"
/*
search the sam for the specified attributes in a specific domain, filter on
return NULL;
}
- return samdb_result_string(res[0], attr_name, NULL);
+ return ldb_msg_find_attr_as_string(res[0], attr_name, NULL);
}
/*
return default_value;
}
- return samdb_result_uint(res[0], attr_name, default_value);
+ return ldb_msg_find_attr_as_uint(res[0], attr_name, default_value);
}
/*
return default_value;
}
- return samdb_result_int64(res[0], attr_name, default_value);
+ return ldb_msg_find_attr_as_int64(res[0], attr_name, default_value);
}
/*
}
for (i=0;i<count;i++) {
- (*strs)[i] = samdb_result_string(res[i], attr_name, NULL);
+ (*strs)[i] = ldb_msg_find_attr_as_string(res[i], attr_name, NULL);
}
(*strs)[count] = NULL;
return count;
}
-/*
- pull a uint from a result set.
-*/
-unsigned int samdb_result_uint(const struct ldb_message *msg, const char *attr, unsigned int default_value)
-{
- return ldb_msg_find_attr_as_uint(msg, attr, default_value);
-}
-
-/*
- pull a (signed) int64 from a result set.
-*/
-int64_t samdb_result_int64(const struct ldb_message *msg, const char *attr, int64_t default_value)
-{
- return ldb_msg_find_attr_as_int64(msg, attr, default_value);
-}
-
-/*
- pull a string from a result set.
-*/
-const char *samdb_result_string(const struct ldb_message *msg, const char *attr,
- const char *default_value)
-{
- return ldb_msg_find_attr_as_string(msg, attr, default_value);
-}
-
struct ldb_dn *samdb_result_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
const char *attr, struct ldb_dn *default_value)
{
return ret;
}
-/*
- pull a uint64_t from a result set.
-*/
-uint64_t samdb_result_uint64(const struct ldb_message *msg, const char *attr,
- uint64_t default_value)
-{
- return ldb_msg_find_attr_as_uint64(msg, attr, default_value);
-}
-
-
/*
construct the allow_password_change field from the PwdLastSet attribute and the
domain password settings
struct ldb_message *msg,
const char *attr)
{
- uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
+ uint64_t attr_time = ldb_msg_find_attr_as_uint64(msg, attr, 0);
int64_t minPwdAge;
if (attr_time == 0) {
struct ldb_dn *domain_dn,
struct ldb_message *msg)
{
- int64_t attr_time = samdb_result_int64(msg, "pwdLastSet", 0);
+ int64_t attr_time = ldb_msg_find_attr_as_int64(msg, "pwdLastSet", 0);
uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg,
"userAccountControl",
0);
for (i = 0; i < msg->num_elements; i++) {
if (ldb_attr_cmp(msg->elements[i].name, name) == 0) {
- if (msg->elements[i].flags == LDB_FLAG_MOD_DELETE) {
+ if (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) == LDB_FLAG_MOD_DELETE) {
*old_val = &msg->elements[i].values[0];
} else {
*new_val = &msg->elements[i].values[0];
int samdb_msg_add_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, const char *str)
{
- char *s = talloc_strdup(mem_ctx, str);
- char *a = talloc_strdup(mem_ctx, attr_name);
- if (s == NULL || a == NULL) {
+ const char *s = talloc_strdup(mem_ctx, str);
+ if (s == NULL) {
return ldb_oom(sam_ldb);
}
- return ldb_msg_add_string(msg, a, s);
+ return ldb_msg_add_string(msg, attr_name, s);
}
/*
for (i = 0; i < msg->num_elements; i++) {
el = &msg->elements[i];
if ((ldb_attr_cmp(el->name, attr_name) == 0) &&
- (el->flags == LDB_FLAG_MOD_ADD)) {
+ (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_ADD)) {
found = true;
break;
}
for (i = 0; i < msg->num_elements; i++) {
el = &msg->elements[i];
if ((ldb_attr_cmp(el->name, attr_name) == 0) &&
- (el->flags == LDB_FLAG_MOD_DELETE)) {
+ (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE)) {
found = true;
break;
}
const char *attr_name, int v)
{
const char *s = talloc_asprintf(mem_ctx, "%d", v);
- return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
+ if (s == NULL) {
+ return ldb_oom(sam_ldb);
+ }
+ return ldb_msg_add_string(msg, attr_name, s);
}
/*
- add a unsigned int element to a message
-*/
+ * Add an unsigned int element to a message
+ *
+ * The issue here is that we have not yet first cast to int32_t explicitly,
+ * before we cast to an signed int to printf() into the %d or cast to a
+ * int64_t before we then cast to a long long to printf into a %lld.
+ *
+ * There are *no* unsigned integers in Active Directory LDAP, even the RID
+ * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
+ * (See the schema, and the syntax definitions in schema_syntax.c).
+ *
+ */
int samdb_msg_add_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, unsigned int v)
{
const char *attr_name, int64_t v)
{
const char *s = talloc_asprintf(mem_ctx, "%lld", (long long)v);
- return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
+ if (s == NULL) {
+ return ldb_oom(sam_ldb);
+ }
+ return ldb_msg_add_string(msg, attr_name, s);
}
/*
- add a uint64_t element to a message
-*/
+ * Add an unsigned int64_t (uint64_t) element to a message
+ *
+ * The issue here is that we have not yet first cast to int32_t explicitly,
+ * before we cast to an signed int to printf() into the %d or cast to a
+ * int64_t before we then cast to a long long to printf into a %lld.
+ *
+ * There are *no* unsigned integers in Active Directory LDAP, even the RID
+ * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
+ * (See the schema, and the syntax definitions in schema_syntax.c).
+ *
+ */
int samdb_msg_add_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name, uint64_t v)
{
add a samr_Password element to a message
*/
int samdb_msg_add_hash(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, struct samr_Password *hash)
+ const char *attr_name, const struct samr_Password *hash)
{
struct ldb_val val;
val.data = talloc_memdup(mem_ctx, hash->hash, 16);
val.data = (uint8_t *)parameters->array;
return ldb_msg_add_value(msg, attr_name, &val, NULL);
}
-/*
- add a general value element to a message
-*/
-int samdb_msg_add_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- const char *attr_name, const struct ldb_val *val)
-{
- return ldb_msg_add_value(msg, attr_name, val, NULL);
-}
/*
sets a general value element to a message
return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, str);
}
+/*
+ * sets a signed integer in a message
+ */
+int samdb_msg_set_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
+ struct ldb_message *msg, const char *attr_name, int v)
+{
+ struct ldb_message_element *el;
+
+ el = ldb_msg_find_element(msg, attr_name);
+ if (el) {
+ el->num_values = 0;
+ }
+ return samdb_msg_add_int(sam_ldb, mem_ctx, msg, attr_name, v);
+}
+
+/*
+ * Sets an unsigned int element in a message
+ *
+ * The issue here is that we have not yet first cast to int32_t explicitly,
+ * before we cast to an signed int to printf() into the %d or cast to a
+ * int64_t before we then cast to a long long to printf into a %lld.
+ *
+ * There are *no* unsigned integers in Active Directory LDAP, even the RID
+ * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
+ * (See the schema, and the syntax definitions in schema_syntax.c).
+ *
+ */
+int samdb_msg_set_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
+ struct ldb_message *msg, const char *attr_name,
+ unsigned int v)
+{
+ struct ldb_message_element *el;
+
+ el = ldb_msg_find_element(msg, attr_name);
+ if (el) {
+ el->num_values = 0;
+ }
+ return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, v);
+}
+
/*
* Handle ldb_request in transaction
*/
return server_site_dn;
}
+/*
+ find the site name from a computers DN record
+ */
+int samdb_find_site_for_computer(struct ldb_context *ldb,
+ TALLOC_CTX *mem_ctx, struct ldb_dn *computer_dn,
+ const char **site_name)
+{
+ int ret;
+ struct ldb_dn *dn;
+ const struct ldb_val *rdn_val;
+
+ *site_name = NULL;
+
+ ret = samdb_reference_dn(ldb, mem_ctx, computer_dn, "serverReferenceBL", &dn);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (!ldb_dn_remove_child_components(dn, 2)) {
+ talloc_free(dn);
+ return LDB_ERR_INVALID_DN_SYNTAX;
+ }
+ rdn_val = ldb_dn_get_rdn_val(dn);
+ (*site_name) = talloc_strndup(mem_ctx, (const char *)rdn_val->data, rdn_val->length);
+ talloc_free(dn);
+ if (!*site_name) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ return LDB_SUCCESS;
+}
+
+/*
+ find the NTDS GUID from a computers DN record
+ */
+int samdb_find_ntdsguid_for_computer(struct ldb_context *ldb, struct ldb_dn *computer_dn,
+ struct GUID *ntds_guid)
+{
+ int ret;
+ struct ldb_dn *dn;
+
+ *ntds_guid = GUID_zero();
+
+ ret = samdb_reference_dn(ldb, ldb, computer_dn, "serverReferenceBL", &dn);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (!ldb_dn_add_child_fmt(dn, "CN=NTDS Settings")) {
+ talloc_free(dn);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ ret = dsdb_find_guid_by_dn(ldb, dn, ntds_guid);
+ talloc_free(dn);
+ return ret;
+}
+
/*
find a 'reference' DN that points at another object
(eg. serverReference, rIDManagerReference etc)
attrs[0] = attribute;
attrs[1] = NULL;
- ret = ldb_search(ldb, mem_ctx, &res, base, LDB_SCOPE_BASE, attrs, NULL);
+ ret = dsdb_search(ldb, mem_ctx, &res, base, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_ONE_ONLY, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
- if (res->count != 1) {
- talloc_free(res);
- return LDB_ERR_NO_SUCH_OBJECT;
- }
*dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0], attribute);
if (!*dn) {
+ if (!ldb_msg_find_element(res->msgs[0], attribute)) {
+ ldb_asprintf_errstring(ldb, "Cannot find attribute %s of %s to calculate reference dn", attribute,
+ ldb_dn_get_linearized(base));
+ } else {
+ ldb_asprintf_errstring(ldb, "Cannot interpret attribute %s of %s as a dn", attribute,
+ ldb_dn_get_linearized(base));
+ }
talloc_free(res);
return LDB_ERR_NO_SUCH_ATTRIBUTE;
}
/*
* Sets the user password using plaintext UTF16 (attribute "new_password") or
* LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
- * as parameter if it's a user change or not ("userChange"). The "rejectReason"
- * gives some more informations if the changed failed.
+ * the old LM and/or NT hash (attributes "lmOldHash"/"ntOldHash") if it is a
+ * user change or not. The "rejectReason" gives some more informations if the
+ * change failed.
*
- * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
- * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
+ * Results: NT_STATUS_OK, NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
* NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION
*/
NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
struct ldb_dn *user_dn, struct ldb_dn *domain_dn,
const DATA_BLOB *new_password,
- struct samr_Password *lmNewHash,
- struct samr_Password *ntNewHash,
- bool user_change,
+ const struct samr_Password *lmNewHash,
+ const struct samr_Password *ntNewHash,
+ const struct samr_Password *lmOldHash,
+ const struct samr_Password *ntOldHash,
enum samPwdChangeReason *reject_reason,
struct samr_DomInfo1 **_dominfo)
{
if ((new_password != NULL)
&& ((lmNewHash == NULL) && (ntNewHash == NULL))) {
/* we have the password as plaintext UTF16 */
- CHECK_RET(samdb_msg_add_value(ldb, mem_ctx, msg,
- "clearTextPassword", new_password));
+ CHECK_RET(ldb_msg_add_value(msg, "clearTextPassword",
+ new_password, NULL));
el = ldb_msg_find_element(msg, "clearTextPassword");
el->flags = LDB_FLAG_MOD_REPLACE;
} else if ((new_password == NULL)
return NT_STATUS_NO_MEMORY;
}
- if (user_change) {
- /* a user password change and we've checked already the old
- * password somewhere else (callers responsability) */
+ /* A password change operation */
+ if ((ntOldHash != NULL) || (lmOldHash != NULL)) {
+ struct dsdb_control_password_change *change;
+
+ change = talloc(req, struct dsdb_control_password_change);
+ if (change == NULL) {
+ talloc_free(req);
+ talloc_free(msg);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ change->old_nt_pwd_hash = ntOldHash;
+ change->old_lm_pwd_hash = lmOldHash;
+
ret = ldb_request_add_control(req,
- DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID,
- true, NULL);
+ DSDB_CONTROL_PASSWORD_CHANGE_OID,
+ true, change);
if (ret != LDB_SUCCESS) {
talloc_free(req);
talloc_free(msg);
/*
* Sets the user password using plaintext UTF16 (attribute "new_password") or
* LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
- * as parameter if it's a user change or not ("userChange"). The "rejectReason"
- * gives some more informations if the changed failed.
+ * the old LM and/or NT hash (attributes "lmOldHash"/"ntOldHash") if it is a
+ * user change or not. The "rejectReason" gives some more informations if the
+ * change failed.
*
* This wrapper function for "samdb_set_password" takes a SID as input rather
* than a user DN.
*
* Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
* NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
- * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION
+ * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION,
+ * NT_STATUS_TRANSACTION_ABORTED, NT_STATUS_NO_SUCH_USER
*/
NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
const struct dom_sid *user_sid,
const DATA_BLOB *new_password,
- struct samr_Password *lmNewHash,
- struct samr_Password *ntNewHash,
- bool user_change,
+ const struct samr_Password *lmNewHash,
+ const struct samr_Password *ntNewHash,
+ const struct samr_Password *lmOldHash,
+ const struct samr_Password *ntOldHash,
enum samPwdChangeReason *reject_reason,
struct samr_DomInfo1 **_dominfo)
{
user_dn, NULL,
new_password,
lmNewHash, ntNewHash,
- user_change,
+ lmOldHash, ntOldHash,
reject_reason, _dominfo);
if (!NT_STATUS_IS_OK(nt_status)) {
ldb_transaction_cancel(ldb);
return NT_STATUS_NO_MEMORY;
}
- samdb_msg_add_string(sam_ctx, msg, msg,
- "objectClass",
- "foreignSecurityPrincipal");
+ ret = samdb_msg_add_string(sam_ctx, msg, msg,
+ "objectClass", "foreignSecurityPrincipal");
+ if (ret != LDB_SUCCESS) {
+ talloc_free(sidstr);
+ return NT_STATUS_NO_MEMORY;
+ }
/* create the alias */
ret = ldb_add(sam_ctx, msg);
attrs[0] = attribute;
attrs[1] = NULL;
- ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_DELETED);
+ ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs,
+ DSDB_SEARCH_SHOW_DELETED |
+ DSDB_SEARCH_SHOW_RECYCLED);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
{
int ret;
struct ldb_result *res;
- const char *attrs[] = { "objectSID", NULL };
+ const char *attrs[] = { "objectSid", NULL };
TALLOC_CTX *tmp_ctx = talloc_new(ldb);
struct dom_sid *s;
ZERO_STRUCTP(sid);
- ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_DELETED);
+ ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs,
+ DSDB_SEARCH_SHOW_DELETED |
+ DSDB_SEARCH_SHOW_RECYCLED);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
talloc_free(tmp_ctx);
return LDB_ERR_NO_SUCH_OBJECT;
}
- s = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSID");
+ s = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
if (s == NULL) {
talloc_free(tmp_ctx);
return LDB_ERR_NO_SUCH_OBJECT;
int ret;
struct ldb_result *res;
const char *attrs[] = { NULL };
- char *sid_str = dom_sid_string(mem_ctx, sid);
+ char *sid_str = ldap_encode_ndr_dom_sid(mem_ctx, sid);
if (!sid_str) {
return ldb_operr(ldb);
DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
DSDB_SEARCH_SHOW_EXTENDED_DN |
DSDB_SEARCH_ONE_ONLY,
- "objectSID=%s", sid_str);
+ "objectSid=%s", sid_str);
talloc_free(sid_str);
if (ret != LDB_SUCCESS) {
return ret;
ret = ldb_wait(req->handle, LDB_WAIT_ALL);
}
- if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+ if (ret == LDB_ERR_NO_SUCH_OBJECT || ret == LDB_ERR_INVALID_DN_SYNTAX) {
/* it hasn't been created yet, which means
an implicit value of zero */
*uSN = 0;
goto failed;
}
- *options = samdb_result_uint(res->msgs[0], "options", 0);
+ *options = ldb_msg_find_attr_as_uint(res->msgs[0], "options", 0);
talloc_free(tmp_ctx);
goto failed;
}
- return samdb_result_string(res->msgs[0], "objectCategory", NULL);
+ return ldb_msg_find_attr_as_string(res->msgs[0], "objectCategory", NULL);
failed:
DEBUG(1,("Failed to find our own NTDS Settings objectCategory in the ldb!\n"));
int *domainFunctionality =
talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int);
if (!domainFunctionality) {
- DEBUG(0,(__location__ ": WARNING: domainFunctionality not setup\n"));
+ /* this is expected during initial provision */
+ DEBUG(4,(__location__ ": WARNING: domainFunctionality not setup\n"));
return DS_DOMAIN_FUNCTION_2000;
}
return *domainFunctionality;
struct TALLOC_CTX *tmp_ctx;
enum ndr_err_code ndr_err;
- sid_blob = ldb_dn_get_extended_component(dn, "SID");
+ sid_blob = ldb_dn_get_extended_component(dn, component_name);
if (!sid_blob) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
if (val->length < 13) {
return 0;
}
- p = memmem(val->data, val->length-2, "<RMD_FLAGS=", 11);
+ p = memmem(val->data, val->length, "<RMD_FLAGS=", 11);
if (!p) {
return 0;
}
return ldb_operr(samdb);
}
- ret = dsdb_search_dn(samdb, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_DELETED);
+ ret = dsdb_search_dn(samdb, tmp_ctx, &res, dn, attrs,
+ DSDB_SEARCH_SHOW_DELETED |
+ DSDB_SEARCH_SHOW_RECYCLED);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
}
+ if (dsdb_flags & DSDB_SEARCH_SHOW_RECYCLED) {
+ ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_RECYCLED_OID, false, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
if (dsdb_flags & DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT) {
ret = ldb_request_add_control(req, DSDB_CONTROL_DN_STORAGE_FORMAT_OID, true, NULL);
if (ret != LDB_SUCCESS) {
}
}
+ if (dsdb_flags & DSDB_PROVISION) {
+ ret = ldb_request_add_control(req, LDB_CONTROL_PROVISION_OID, false, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
return LDB_SUCCESS;
}
return LDB_SUCCESS;
}
+/*
+ search for attrs on one DN, by the GUID of the DN, allowing for
+ dsdb_flags controls
+ */
+int dsdb_search_by_dn_guid(struct ldb_context *ldb,
+ TALLOC_CTX *mem_ctx,
+ struct ldb_result **_res,
+ const struct GUID *guid,
+ const char * const *attrs,
+ uint32_t dsdb_flags)
+{
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct ldb_dn *dn;
+ int ret;
+
+ dn = ldb_dn_new_fmt(tmp_ctx, ldb, "<GUID=%s>", GUID_string(tmp_ctx, guid));
+ if (!ldb_dn_validate(dn)) {
+ talloc_free(tmp_ctx);
+ return LDB_ERR_INVALID_DN_SYNTAX;
+ }
+
+ ret = dsdb_search_dn(ldb, mem_ctx, _res, dn, attrs, dsdb_flags);
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
/*
general search with dsdb_flags for controls
*/
ret = dsdb_request_add_controls(req, dsdb_flags);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
+ ldb_reset_err_string(ldb);
return ret;
}
if (dsdb_flags & DSDB_SEARCH_ONE_ONLY) {
if (res->count == 0) {
talloc_free(tmp_ctx);
+ ldb_reset_err_string(ldb);
return LDB_ERR_NO_SUCH_OBJECT;
}
if (res->count != 1) {
talloc_free(tmp_ctx);
+ ldb_reset_err_string(ldb);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
}
- remove "NTDS Settings" component from DN
- do a base search on that DN for serverReference with
extended-dn enabled
- - extract objectSID from resulting serverReference
+ - extract objectSid from resulting serverReference
attribute
- check this sid matches the sid argument
*/
return LDB_SUCCESS;
}
-const char *rodc_fas_list[] = {"ms-PKI-DPAPIMasterKeys",
- "ms-PKI-AccountCredentials",
- "ms-PKI-RoamingTimeStamp",
- "ms-FVE-KeyPackage",
- "ms-FVE-RecoveryGuid",
- "ms-FVE-RecoveryInformation",
- "ms-FVE-RecoveryPassword",
- "ms-FVE-VolumeGuid",
- "ms-TPM-OwnerInformation",
- NULL};
+static const char *secret_attributes[] = {
+ "currentValue",
+ "dBCSPwd",
+ "initialAuthIncoming",
+ "initialAuthOutgoing",
+ "lmPwdHistory",
+ "ntPwdHistory",
+ "priorValue",
+ "supplementalCredentials",
+ "trustAuthIncoming",
+ "trustAuthOutgoing",
+ "unicodePwd",
+ NULL
+};
+
/*
check if the attribute belongs to the RODC filtered attribute set
+ Note that attributes that are in the filtered attribute set are the
+ ones that _are_ always sent to a RODC
*/
-bool dsdb_attr_in_rodc_fas(uint32_t replica_flags, const struct dsdb_attribute *sa)
+bool dsdb_attr_in_rodc_fas(const struct dsdb_attribute *sa)
{
- int rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
- bool drs_write_replica = ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0);
+ /* they never get secret attributes */
+ if (is_attr_in_list(secret_attributes, sa->lDAPDisplayName)) {
+ return false;
+ }
- if (drs_write_replica && (sa->searchFlags & rodc_filtered_flags)) {
+ /* they do get non-secret critical attributes */
+ if (sa->schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) {
return true;
}
- if (drs_write_replica && is_attr_in_list(rodc_fas_list, sa->cn)) {
+
+ /* they do get non-secret attributes marked as being in the FAS */
+ if (sa->searchFlags & SEARCH_FLAG_RODC_ATTRIBUTE) {
return true;
}
+
+ /* other attributes are denied */
+ return false;
+}
+
+/* return fsmo role dn and role owner dn for a particular role*/
+WERROR dsdb_get_fsmo_role_info(TALLOC_CTX *tmp_ctx,
+ struct ldb_context *ldb,
+ uint32_t role,
+ struct ldb_dn **fsmo_role_dn,
+ struct ldb_dn **role_owner_dn)
+{
+ int ret;
+ switch (role) {
+ case DREPL_NAMING_MASTER:
+ *fsmo_role_dn = samdb_partitions_dn(ldb, tmp_ctx);
+ ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Naming Master object - %s",
+ ldb_errstring(ldb)));
+ talloc_free(tmp_ctx);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ break;
+ case DREPL_INFRASTRUCTURE_MASTER:
+ *fsmo_role_dn = samdb_infrastructure_dn(ldb, tmp_ctx);
+ ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Schema Master object - %s",
+ ldb_errstring(ldb)));
+ talloc_free(tmp_ctx);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ break;
+ case DREPL_RID_MASTER:
+ ret = samdb_rid_manager_dn(ldb, tmp_ctx, fsmo_role_dn);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0, (__location__ ": Failed to find RID Manager object - %s", ldb_errstring(ldb)));
+ talloc_free(tmp_ctx);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in RID Manager object - %s",
+ ldb_errstring(ldb)));
+ talloc_free(tmp_ctx);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ break;
+ case DREPL_SCHEMA_MASTER:
+ *fsmo_role_dn = ldb_get_schema_basedn(ldb);
+ ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Schema Master object - %s",
+ ldb_errstring(ldb)));
+ talloc_free(tmp_ctx);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ break;
+ case DREPL_PDC_MASTER:
+ *fsmo_role_dn = ldb_get_default_basedn(ldb);
+ ret = samdb_reference_dn(ldb, tmp_ctx, *fsmo_role_dn, "fSMORoleOwner", role_owner_dn);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to find fSMORoleOwner in Pd Master object - %s",
+ ldb_errstring(ldb)));
+ talloc_free(tmp_ctx);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ break;
+ default:
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ return WERR_OK;
+}
+
+const char *samdb_dn_to_dnshostname(struct ldb_context *ldb,
+ TALLOC_CTX *mem_ctx,
+ struct ldb_dn *server_dn)
+{
+ int ldb_ret;
+ struct ldb_result *res = NULL;
+ const char * const attrs[] = { "dNSHostName", NULL};
+
+ ldb_ret = ldb_search(ldb, mem_ctx, &res,
+ server_dn,
+ LDB_SCOPE_BASE,
+ attrs, NULL);
+ if (ldb_ret != LDB_SUCCESS) {
+ DEBUG(4, ("Failed to find dNSHostName for dn %s, ldb error: %s",
+ ldb_dn_get_linearized(server_dn), ldb_errstring(ldb)));
+ return NULL;
+ }
+
+ return ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
+}
+
+/*
+ returns true if an attribute is in the filter,
+ false otherwise, provided that attribute value is provided with the expression
+*/
+bool dsdb_attr_in_parse_tree(struct ldb_parse_tree *tree,
+ const char *attr)
+{
+ unsigned int i;
+ switch (tree->operation) {
+ case LDB_OP_AND:
+ case LDB_OP_OR:
+ for (i=0;i<tree->u.list.num_elements;i++) {
+ if (dsdb_attr_in_parse_tree(tree->u.list.elements[i],
+ attr))
+ return true;
+ }
+ return false;
+ case LDB_OP_NOT:
+ return dsdb_attr_in_parse_tree(tree->u.isnot.child, attr);
+ case LDB_OP_EQUALITY:
+ case LDB_OP_GREATER:
+ case LDB_OP_LESS:
+ case LDB_OP_APPROX:
+ if (ldb_attr_cmp(tree->u.equality.attr, attr) == 0) {
+ return true;
+ }
+ return false;
+ case LDB_OP_SUBSTRING:
+ if (ldb_attr_cmp(tree->u.substring.attr, attr) == 0) {
+ return true;
+ }
+ return false;
+ case LDB_OP_PRESENT:
+ /* (attrname=*) is not filtered out */
+ return false;
+ case LDB_OP_EXTENDED:
+ if (tree->u.extended.attr &&
+ ldb_attr_cmp(tree->u.extended.attr, attr) == 0) {
+ return true;
+ }
+ return false;
+ }
+ return false;
+}
+
+bool is_attr_in_list(const char * const * attrs, const char *attr)
+{
+ unsigned int i;
+
+ for (i = 0; attrs[i]; i++) {
+ if (ldb_attr_cmp(attrs[i], attr) == 0)
+ return true;
+ }
+
return false;
}
+