X-Git-Url: http://git.samba.org/?a=blobdiff_plain;f=source4%2Fdsdb%2Fsamdb%2Fldb_modules%2Fsamldb.c;h=9f5f2c988feecd7122d2525c5e40904d806f88c6;hb=562b50f92f8a1c521a581a6b986444d52843a9bc;hp=f4b7043e32e0ec844d28aec4c9e26046bc7c3bb4;hpb=771b10a421c287bb191192da632e73e5d1458cce;p=mat%2Fsamba.git diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index f4b7043e32..9f5f2c988f 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -3,7 +3,7 @@ Copyright (C) Andrew Bartlett 2005 Copyright (C) Simo Sorce 2004-2008 - Copyright (C) Matthias Dieter Wallnöfer 2009-2010 + Copyright (C) Matthias Dieter Wallnöfer 2009-2011 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -39,8 +39,15 @@ #include "librpc/gen_ndr/ndr_security.h" #include "ldb_wrap.h" #include "param/param.h" +#include "libds/common/flag_mapping.h" struct samldb_ctx; +enum samldb_add_type { + SAMLDB_TYPE_USER, + SAMLDB_TYPE_GROUP, + SAMLDB_TYPE_CLASS, + SAMLDB_TYPE_ATTRIBUTE +}; typedef int (*samldb_step_fn_t)(struct samldb_ctx *); @@ -54,7 +61,7 @@ struct samldb_ctx { struct ldb_request *req; /* used for add operations */ - const char *type; + enum samldb_add_type type; /* the resulting message */ struct ldb_message *msg; @@ -167,6 +174,8 @@ static int samldb_check_sAMAccountName(struct samldb_ctx *ac) struct ldb_context *ldb = ldb_module_get_ctx(ac->module); const char *name; int ret; + struct ldb_result *res; + const char *noattrs[] = { NULL }; if (ldb_msg_find_element(ac->msg, "sAMAccountName") == NULL) { ret = samldb_generate_sAMAccountName(ldb, ac->msg); @@ -177,17 +186,29 @@ static int samldb_check_sAMAccountName(struct samldb_ctx *ac) name = ldb_msg_find_attr_as_string(ac->msg, "sAMAccountName", NULL); if (name == NULL) { - return ldb_operr(ldb); + /* The "sAMAccountName" cannot be nothing */ + ldb_set_errstring(ldb, + "samldb: Empty account names aren't allowed!"); + return LDB_ERR_CONSTRAINT_VIOLATION; } - ret = samdb_search_count(ldb, ac, NULL, "(sAMAccountName=%s)", + ret = dsdb_module_search(ac->module, ac, &res, + ldb_get_default_basedn(ldb), LDB_SCOPE_SUBTREE, noattrs, + DSDB_FLAG_NEXT_MODULE, + ac->req, + "(sAMAccountName=%s)", ldb_binary_encode_string(ac, name)); - if ((ret < 0) || (ret > 1)) { - return ldb_operr(ldb); + if (ret != LDB_SUCCESS) { + return ret; } - if (ret == 1) { + if (res->count != 0) { + ldb_asprintf_errstring(ldb, + "samldb: Account name (sAMAccountName) '%s' already in use!", + name); + talloc_free(res); return LDB_ERR_ENTRY_ALREADY_EXISTS; } + talloc_free(res); return samldb_next_step(ac); } @@ -217,7 +238,7 @@ static int samldb_allocate_sid(struct samldb_ctx *ac) struct ldb_context *ldb = ldb_module_get_ctx(ac->module); int ret; - ret = ridalloc_allocate_rid(ac->module, &rid); + ret = ridalloc_allocate_rid(ac->module, &rid, ac->req); if (ret != LDB_SUCCESS) { return ret; } @@ -245,9 +266,11 @@ static bool samldb_krbtgtnumber_available(struct samldb_ctx *ac, const char *no_attrs[] = { NULL }; int ret; - ret = dsdb_module_search(ac->module, tmp_ctx, &res, NULL, + ret = dsdb_module_search(ac->module, tmp_ctx, &res, + ldb_get_default_basedn(ldb_module_get_ctx(ac->module)), LDB_SCOPE_SUBTREE, no_attrs, DSDB_FLAG_NEXT_MODULE, + ac->req, "(msDC-SecondaryKrbTgtNumber=%u)", krbtgt_number); if (ret == LDB_SUCCESS && res->count == 0) { @@ -265,6 +288,7 @@ static int samldb_rodc_add(struct samldb_ctx *ac) uint32_t krbtgt_number, i_start, i; int ret; char *newpass; + struct ldb_val newpass_utf16; /* find a unused msDC-SecondaryKrbTgtNumber */ i_start = generate_random() & 0xFFFF; @@ -314,7 +338,17 @@ found: return ldb_operr(ldb); } - ret = ldb_msg_add_steal_string(ac->msg, "clearTextPassword", newpass); + if (!convert_string_talloc(ac, + CH_UNIX, CH_UTF16, + newpass, strlen(newpass), + (void *)&newpass_utf16.data, + &newpass_utf16.length)) { + ldb_asprintf_errstring(ldb, + "samldb_rodc_add: " + "failed to generate UTF16 password from random password"); + return LDB_ERR_OPERATIONS_ERROR; + } + ret = ldb_msg_add_steal_value(ac->msg, "clearTextPassword", &newpass_utf16); if (ret != LDB_SUCCESS) { return ldb_operr(ldb); } @@ -335,6 +369,7 @@ static int samldb_find_for_defaultObjectCategory(struct samldb_ctx *ac) ac->dn, LDB_SCOPE_BASE, no_attrs, DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT | DSDB_FLAG_NEXT_MODULE, + ac->req, "(objectClass=classSchema)"); if (ret == LDB_ERR_NO_SUCH_OBJECT) { /* Don't be pricky when the DN doesn't exist if we have the */ @@ -351,6 +386,30 @@ static int samldb_find_for_defaultObjectCategory(struct samldb_ctx *ac) return ret; } + if (ret == LDB_SUCCESS) { + /* ensure the defaultObjectCategory has a full GUID */ + struct ldb_message *m; + m = ldb_msg_new(ac->msg); + if (m == NULL) { + return ldb_oom(ldb); + } + m->dn = ac->msg->dn; + if (ldb_msg_add_string(m, "defaultObjectCategory", + ldb_dn_get_extended_linearized(m, res->msgs[0]->dn, 1)) != + LDB_SUCCESS) { + return ldb_oom(ldb); + } + m->elements[0].flags = LDB_FLAG_MOD_REPLACE; + + ret = dsdb_module_modify(ac->module, m, + DSDB_FLAG_NEXT_MODULE, + ac->req); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + ac->res_dn = ac->dn; return samldb_next_step(ac); @@ -417,6 +476,7 @@ static int samldb_add_handle_msDS_IntId(struct samldb_ctx *ac) &ldb_res, schema_dn, LDB_SCOPE_ONELEVEL, NULL, DSDB_FLAG_NEXT_MODULE, + ac->req, "(msDS-IntId=%d)", msds_intid); if (ret != LDB_SUCCESS) { ldb_debug_set(ldb, LDB_DEBUG_ERROR, @@ -463,8 +523,7 @@ static int samldb_add_entry_callback(struct ldb_request *req, ares->response, ares->error); } if (ares->type != LDB_REPLY_DONE) { - ldb_set_errstring(ldb, - "Invalid reply type!\n"); + ldb_asprintf_errstring(ldb, "Invalid LDB reply type %d", ares->type); return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); } @@ -527,157 +586,173 @@ static int samldb_fill_object(struct samldb_ctx *ac) struct ldb_context *ldb = ldb_module_get_ctx(ac->module); int ret; - /* Add informations for the different account types */ - if (strcmp(ac->type, "user") == 0) { - struct ldb_control *rodc_control = ldb_request_get_control(ac->req, - LDB_CONTROL_RODC_DCPROMO_OID); - if (rodc_control != NULL) { - /* see [MS-ADTS] 3.1.1.3.4.1.23 LDAP_SERVER_RODC_DCPROMO_OID */ - rodc_control->critical = false; - ret = samldb_add_step(ac, samldb_rodc_add); - if (ret != LDB_SUCCESS) return ret; - } - - /* check if we have a valid sAMAccountName */ - ret = samldb_add_step(ac, samldb_check_sAMAccountName); - if (ret != LDB_SUCCESS) return ret; + /* Add information for the different account types */ + switch(ac->type) { + case SAMLDB_TYPE_USER: { + struct ldb_control *rodc_control = ldb_request_get_control(ac->req, + LDB_CONTROL_RODC_DCPROMO_OID); + if (rodc_control != NULL) { + /* see [MS-ADTS] 3.1.1.3.4.1.23 LDAP_SERVER_RODC_DCPROMO_OID */ + rodc_control->critical = false; + ret = samldb_add_step(ac, samldb_rodc_add); + if (ret != LDB_SUCCESS) return ret; + } - ret = samldb_add_step(ac, samldb_add_entry); - if (ret != LDB_SUCCESS) return ret; + /* check if we have a valid sAMAccountName */ + ret = samldb_add_step(ac, samldb_check_sAMAccountName); + if (ret != LDB_SUCCESS) return ret; - } else if (strcmp(ac->type, "group") == 0) { - /* check if we have a valid sAMAccountName */ - ret = samldb_add_step(ac, samldb_check_sAMAccountName); - if (ret != LDB_SUCCESS) return ret; + ret = samldb_add_step(ac, samldb_add_entry); + if (ret != LDB_SUCCESS) return ret; + break; + } - ret = samldb_add_step(ac, samldb_add_entry); - if (ret != LDB_SUCCESS) return ret; + case SAMLDB_TYPE_GROUP: { + /* check if we have a valid sAMAccountName */ + ret = samldb_add_step(ac, samldb_check_sAMAccountName); + if (ret != LDB_SUCCESS) return ret; - } else if (strcmp(ac->type, "classSchema") == 0) { - const struct ldb_val *rdn_value, *def_obj_cat_val; + ret = samldb_add_step(ac, samldb_add_entry); + if (ret != LDB_SUCCESS) return ret; + break; + } - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "rdnAttId", "cn"); - if (ret != LDB_SUCCESS) return ret; + case SAMLDB_TYPE_CLASS: { + const struct ldb_val *rdn_value, *def_obj_cat_val; - /* do not allow to mark an attributeSchema as RODC filtered if it - * is system-critical */ - if (check_rodc_critical_attribute(ac->msg)) { - ldb_asprintf_errstring(ldb, "Refusing schema add of %s - cannot combine critical class with RODC filtering", - ldb_dn_get_linearized(ac->msg->dn)); - return LDB_ERR_UNWILLING_TO_PERFORM; - } + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "rdnAttId", "cn"); + if (ret != LDB_SUCCESS) return ret; - rdn_value = ldb_dn_get_rdn_val(ac->msg->dn); - if (!ldb_msg_find_element(ac->msg, "lDAPDisplayName")) { - /* the RDN has prefix "CN" */ - ret = ldb_msg_add_string(ac->msg, "lDAPDisplayName", - samdb_cn_to_lDAPDisplayName(ac->msg, - (const char *) rdn_value->data)); - if (ret != LDB_SUCCESS) { - ldb_oom(ldb); - return ret; + /* do not allow to mark an attributeSchema as RODC filtered if it + * is system-critical */ + if (check_rodc_critical_attribute(ac->msg)) { + ldb_asprintf_errstring(ldb, "Refusing schema add of %s - cannot combine critical class with RODC filtering", + ldb_dn_get_linearized(ac->msg->dn)); + return LDB_ERR_UNWILLING_TO_PERFORM; } - } - if (!ldb_msg_find_element(ac->msg, "schemaIDGUID")) { - struct GUID guid; - /* a new GUID */ - guid = GUID_random(); - ret = dsdb_msg_add_guid(ac->msg, &guid, "schemaIDGUID"); - if (ret != LDB_SUCCESS) { - ldb_oom(ldb); - return ret; + rdn_value = ldb_dn_get_rdn_val(ac->msg->dn); + if (rdn_value == NULL) { + return ldb_operr(ldb); + } + if (!ldb_msg_find_element(ac->msg, "lDAPDisplayName")) { + /* the RDN has prefix "CN" */ + ret = ldb_msg_add_string(ac->msg, "lDAPDisplayName", + samdb_cn_to_lDAPDisplayName(ac->msg, + (const char *) rdn_value->data)); + if (ret != LDB_SUCCESS) { + ldb_oom(ldb); + return ret; + } } - } - def_obj_cat_val = ldb_msg_find_ldb_val(ac->msg, - "defaultObjectCategory"); - if (def_obj_cat_val != NULL) { - /* "defaultObjectCategory" has been set by the caller. - * Do some checks for consistency. - * NOTE: The real constraint check (that - * 'defaultObjectCategory' is the DN of the new - * objectclass or any parent of it) is still incomplete. - * For now we say that 'defaultObjectCategory' is valid - * if it exists and it is of objectclass "classSchema". - */ - ac->dn = ldb_dn_from_ldb_val(ac, ldb, def_obj_cat_val); - if (ac->dn == NULL) { - ldb_set_errstring(ldb, - "Invalid DN for 'defaultObjectCategory'!"); - return LDB_ERR_CONSTRAINT_VIOLATION; + if (!ldb_msg_find_element(ac->msg, "schemaIDGUID")) { + struct GUID guid; + /* a new GUID */ + guid = GUID_random(); + ret = dsdb_msg_add_guid(ac->msg, &guid, "schemaIDGUID"); + if (ret != LDB_SUCCESS) { + ldb_oom(ldb); + return ret; + } } - } else { - /* "defaultObjectCategory" has not been set by the - * caller. Use the entry DN for it. */ - ac->dn = ac->msg->dn; - ret = ldb_msg_add_string(ac->msg, "defaultObjectCategory", - ldb_dn_alloc_linearized(ac->msg, ac->dn)); - if (ret != LDB_SUCCESS) { - ldb_oom(ldb); - return ret; + def_obj_cat_val = ldb_msg_find_ldb_val(ac->msg, + "defaultObjectCategory"); + if (def_obj_cat_val != NULL) { + /* "defaultObjectCategory" has been set by the caller. + * Do some checks for consistency. + * NOTE: The real constraint check (that + * 'defaultObjectCategory' is the DN of the new + * objectclass or any parent of it) is still incomplete. + * For now we say that 'defaultObjectCategory' is valid + * if it exists and it is of objectclass "classSchema". + */ + ac->dn = ldb_dn_from_ldb_val(ac, ldb, def_obj_cat_val); + if (ac->dn == NULL) { + ldb_set_errstring(ldb, + "Invalid DN for 'defaultObjectCategory'!"); + return LDB_ERR_CONSTRAINT_VIOLATION; + } + } else { + /* "defaultObjectCategory" has not been set by the + * caller. Use the entry DN for it. */ + ac->dn = ac->msg->dn; + + ret = ldb_msg_add_string(ac->msg, "defaultObjectCategory", + ldb_dn_alloc_linearized(ac->msg, ac->dn)); + if (ret != LDB_SUCCESS) { + ldb_oom(ldb); + return ret; + } } - } - ret = samldb_add_step(ac, samldb_add_entry); - if (ret != LDB_SUCCESS) return ret; + ret = samldb_add_step(ac, samldb_add_entry); + if (ret != LDB_SUCCESS) return ret; - /* Now perform the checks for the 'defaultObjectCategory'. The - * lookup DN was already saved in "ac->dn" */ - ret = samldb_add_step(ac, samldb_find_for_defaultObjectCategory); - if (ret != LDB_SUCCESS) return ret; + /* Now perform the checks for the 'defaultObjectCategory'. The + * lookup DN was already saved in "ac->dn" */ + ret = samldb_add_step(ac, samldb_find_for_defaultObjectCategory); + if (ret != LDB_SUCCESS) return ret; + break; + } - } else if (strcmp(ac->type, "attributeSchema") == 0) { - const struct ldb_val *rdn_value; - rdn_value = ldb_dn_get_rdn_val(ac->msg->dn); - if (!ldb_msg_find_element(ac->msg, "lDAPDisplayName")) { - /* the RDN has prefix "CN" */ - ret = ldb_msg_add_string(ac->msg, "lDAPDisplayName", - samdb_cn_to_lDAPDisplayName(ac->msg, - (const char *) rdn_value->data)); - if (ret != LDB_SUCCESS) { - ldb_oom(ldb); - return ret; + case SAMLDB_TYPE_ATTRIBUTE: { + const struct ldb_val *rdn_value; + rdn_value = ldb_dn_get_rdn_val(ac->msg->dn); + if (rdn_value == NULL) { + return ldb_operr(ldb); + } + if (!ldb_msg_find_element(ac->msg, "lDAPDisplayName")) { + /* the RDN has prefix "CN" */ + ret = ldb_msg_add_string(ac->msg, "lDAPDisplayName", + samdb_cn_to_lDAPDisplayName(ac->msg, + (const char *) rdn_value->data)); + if (ret != LDB_SUCCESS) { + ldb_oom(ldb); + return ret; + } } - } - /* do not allow to mark an attributeSchema as RODC filtered if it - * is system-critical */ - if (check_rodc_critical_attribute(ac->msg)) { - ldb_asprintf_errstring(ldb, - "samldb: refusing schema add of %s - cannot combine critical attribute with RODC filtering", - ldb_dn_get_linearized(ac->msg->dn)); - return LDB_ERR_UNWILLING_TO_PERFORM; - } + /* do not allow to mark an attributeSchema as RODC filtered if it + * is system-critical */ + if (check_rodc_critical_attribute(ac->msg)) { + ldb_asprintf_errstring(ldb, + "samldb: refusing schema add of %s - cannot combine critical attribute with RODC filtering", + ldb_dn_get_linearized(ac->msg->dn)); + return LDB_ERR_UNWILLING_TO_PERFORM; + } - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "isSingleValued", "FALSE"); - if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "isSingleValued", "FALSE"); + if (ret != LDB_SUCCESS) return ret; - if (!ldb_msg_find_element(ac->msg, "schemaIDGUID")) { - struct GUID guid; - /* a new GUID */ - guid = GUID_random(); - ret = dsdb_msg_add_guid(ac->msg, &guid, "schemaIDGUID"); - if (ret != LDB_SUCCESS) { - ldb_oom(ldb); - return ret; + if (!ldb_msg_find_element(ac->msg, "schemaIDGUID")) { + struct GUID guid; + /* a new GUID */ + guid = GUID_random(); + ret = dsdb_msg_add_guid(ac->msg, &guid, "schemaIDGUID"); + if (ret != LDB_SUCCESS) { + ldb_oom(ldb); + return ret; + } } - } - /* handle msDS-IntID attribute */ - ret = samldb_add_handle_msDS_IntId(ac); - if (ret != LDB_SUCCESS) return ret; + /* handle msDS-IntID attribute */ + ret = samldb_add_handle_msDS_IntId(ac); + if (ret != LDB_SUCCESS) return ret; - ret = samldb_add_step(ac, samldb_add_entry); - if (ret != LDB_SUCCESS) return ret; + ret = samldb_add_step(ac, samldb_add_entry); + if (ret != LDB_SUCCESS) return ret; + break; + } - } else { - ldb_asprintf_errstring(ldb, - "Invalid entry type!"); - return LDB_ERR_OPERATIONS_ERROR; + default: + ldb_asprintf_errstring(ldb, + "Invalid entry type!"); + return LDB_ERR_OPERATIONS_ERROR; + break; } return samldb_first_step(ac); @@ -686,6 +761,7 @@ static int samldb_fill_object(struct samldb_ctx *ac) static int samldb_fill_foreignSecurityPrincipal_object(struct samldb_ctx *ac) { struct ldb_context *ldb; + const struct ldb_val *rdn_value; struct dom_sid *sid; int ret; @@ -693,8 +769,12 @@ static int samldb_fill_foreignSecurityPrincipal_object(struct samldb_ctx *ac) sid = samdb_result_dom_sid(ac->msg, ac->msg, "objectSid"); if (sid == NULL) { + rdn_value = ldb_dn_get_rdn_val(ac->msg->dn); + if (rdn_value == NULL) { + return ldb_operr(ldb); + } sid = dom_sid_parse_talloc(ac->msg, - (const char *)ldb_dn_get_rdn_val(ac->msg->dn)->data); + (const char *)rdn_value->data); if (sid == NULL) { ldb_set_errstring(ldb, "samldb: No valid SID found in ForeignSecurityPrincipal CN!"); @@ -739,7 +819,9 @@ static int samldb_schema_info_update(struct samldb_ctx *ac) } ret = dsdb_module_schema_info_update(ac->module, schema, - DSDB_FLAG_NEXT_MODULE); + DSDB_FLAG_NEXT_MODULE| + DSDB_FLAG_AS_SYSTEM, + ac->req); if (ret != LDB_SUCCESS) { ldb_asprintf_errstring(ldb, "samldb_schema_info_update: dsdb_module_schema_info_update failed with %s", @@ -750,52 +832,7 @@ static int samldb_schema_info_update(struct samldb_ctx *ac) return LDB_SUCCESS; } -/* - * Gets back a single-valued attribute by the rules of the SAM triggers when - * performing a modify operation - */ -static int samldb_get_single_valued_attr(struct samldb_ctx *ac, - const char *attr_name, - struct ldb_message_element **attr) -{ - struct ldb_context *ldb = ldb_module_get_ctx(ac->module); - struct ldb_message_element *el = NULL; - unsigned int i; - - /* We've to walk over all modification entries and consider the - * "attr_name" ones. - * - * 1.) Add operations aren't allowed and there is returned - * "ATTRIBUTE_OR_VALUE_EXISTS". - * 2.) Replace operations are allowed but the last one is taken - * 3.) Delete operations are also not allowed and there is returned - * "UNWILLING_TO_PERFORM". - * - * If "el" is afterwards NULL then that means we've nothing to do here. - */ - for (i = 0; i < ac->msg->num_elements; i++) { - if (ldb_attr_cmp(ac->msg->elements[i].name, attr_name) != 0) { - continue; - } - - el = &ac->msg->elements[i]; - if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_ADD) { - ldb_asprintf_errstring(ldb, - "samldb: attribute '%s' already exists!", - attr_name); - return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS; - } - if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE) { - ldb_asprintf_errstring(ldb, - "samldb: attribute '%s' cannot be deleted!", - attr_name); - return LDB_ERR_UNWILLING_TO_PERFORM; - } - } - - *attr = el; - return LDB_SUCCESS; -} +static int samldb_prim_group_tester(struct samldb_ctx *ac, uint32_t rid); /* * "Objectclass" trigger (MS-SAMR 3.1.1.8.1) @@ -808,12 +845,10 @@ static int samldb_get_single_valued_attr(struct samldb_ctx *ac, static int samldb_objectclass_trigger(struct samldb_ctx *ac) { struct ldb_context *ldb = ldb_module_get_ctx(ac->module); - struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb, - "loadparm"), struct loadparm_context); + void *skip_allocate_sids = ldb_get_opaque(ldb, + "skip_allocate_sids"); struct ldb_message_element *el, *el2; - enum sid_generator sid_generator; struct dom_sid *sid; - const char *tempstr; int ret; /* make sure that "sAMAccountType" is not specified */ @@ -832,165 +867,216 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) sid = samdb_result_dom_sid(ac, ac->msg, "objectSid"); if ((sid != NULL) && (!dsdb_module_am_system(ac->module)) && (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) { - ldb_asprintf_errstring(ldb, - "samldb: no SID may be specified in user/group modifications for %s", - ldb_dn_get_linearized(ac->msg->dn)); + ldb_set_errstring(ldb, + "samldb: objectSid must not be specified!"); return LDB_ERR_UNWILLING_TO_PERFORM; } /* but generate a new SID when we do have an add operations */ - if ((sid == NULL) && (ac->req->operation == LDB_ADD)) { - sid_generator = lpcfg_sid_generator(lp_ctx); - if (sid_generator == SID_GENERATOR_INTERNAL) { - ret = samldb_add_step(ac, samldb_allocate_sid); - if (ret != LDB_SUCCESS) return ret; - } - } - - if (strcmp(ac->type, "user") == 0) { - /* Step 1.2: Default values */ - tempstr = talloc_asprintf(ac->msg, "%d", UF_NORMAL_ACCOUNT); - if (tempstr == NULL) return ldb_operr(ldb); - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "userAccountControl", tempstr); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "badPwdCount", "0"); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "codePage", "0"); + if ((sid == NULL) && (ac->req->operation == LDB_ADD) && !skip_allocate_sids) { + ret = samldb_add_step(ac, samldb_allocate_sid); if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "countryCode", "0"); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "badPasswordTime", "0"); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "lastLogoff", "0"); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "lastLogon", "0"); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "pwdLastSet", "0"); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "accountExpires", "9223372036854775807"); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "logonCount", "0"); - if (ret != LDB_SUCCESS) return ret; - - el = ldb_msg_find_element(ac->msg, "userAccountControl"); - if (el != NULL) { - uint32_t user_account_control, account_type; + } - /* Step 1.3: "userAccountControl" -> "sAMAccountType" mapping */ - user_account_control = ldb_msg_find_attr_as_uint(ac->msg, - "userAccountControl", - 0); + switch(ac->type) { + case SAMLDB_TYPE_USER: { + bool uac_generated = false; - /* Temporary duplicate accounts aren't allowed */ - if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) { - return LDB_ERR_OTHER; - } + /* Step 1.2: Default values */ + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "accountExpires", "9223372036854775807"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "badPasswordTime", "0"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "badPwdCount", "0"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "codePage", "0"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "countryCode", "0"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "lastLogoff", "0"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "lastLogon", "0"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "logonCount", "0"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "pwdLastSet", "0"); + if (ret != LDB_SUCCESS) return ret; - account_type = ds_uf2atype(user_account_control); - if (account_type == 0) { - ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); - return LDB_ERR_UNWILLING_TO_PERFORM; - } - ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, - "sAMAccountType", - account_type); - if (ret != LDB_SUCCESS) { - return ret; - } - el2 = ldb_msg_find_element(ac->msg, "sAMAccountType"); - el2->flags = LDB_FLAG_MOD_REPLACE; - - if (user_account_control & - (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) { - ret = samdb_msg_set_string(ldb, ac->msg, ac->msg, - "isCriticalSystemObject", - "TRUE"); + /* On add operations we might need to generate a + * "userAccountControl" (if it isn't specified). */ + el = ldb_msg_find_element(ac->msg, "userAccountControl"); + if ((el == NULL) && (ac->req->operation == LDB_ADD)) { + ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg, + "userAccountControl", + UF_NORMAL_ACCOUNT); if (ret != LDB_SUCCESS) { return ret; } - el2 = ldb_msg_find_element(ac->msg, - "isCriticalSystemObject"); - el2->flags = LDB_FLAG_MOD_REPLACE; + uac_generated = true; } - /* Step 1.4: "userAccountControl" -> "primaryGroupID" mapping */ - if (!ldb_msg_find_element(ac->msg, "primaryGroupID")) { - uint32_t rid = ds_uf2prim_group_rid(user_account_control); + el = ldb_msg_find_element(ac->msg, "userAccountControl"); + if (el != NULL) { + uint32_t user_account_control, account_type; + + /* Step 1.3: "userAccountControl" -> "sAMAccountType" mapping */ + user_account_control = ldb_msg_find_attr_as_uint(ac->msg, + "userAccountControl", + 0); + + /* Temporary duplicate accounts aren't allowed */ + if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) { + return LDB_ERR_OTHER; + } + + /* Workstation and (read-only) DC objects do need objectclass "computer" */ + if ((samdb_find_attribute(ldb, ac->msg, + "objectclass", "computer") == NULL) && + (user_account_control & + (UF_SERVER_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT))) { + ldb_set_errstring(ldb, + "samldb: Requested account type does need objectclass 'computer'!"); + return LDB_ERR_OBJECT_CLASS_VIOLATION; + } + + account_type = ds_uf2atype(user_account_control); + if (account_type == 0) { + ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, - "primaryGroupID", rid); + "sAMAccountType", + account_type); if (ret != LDB_SUCCESS) { return ret; } - el2 = ldb_msg_find_element(ac->msg, - "primaryGroupID"); + el2 = ldb_msg_find_element(ac->msg, "sAMAccountType"); el2->flags = LDB_FLAG_MOD_REPLACE; - } - - /* Step 1.5: Add additional flags when needed */ - if ((user_account_control & UF_NORMAL_ACCOUNT) && - (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) { - user_account_control |= UF_ACCOUNTDISABLE; - user_account_control |= UF_PASSWD_NOTREQD; - ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg, - "userAccountControl", - user_account_control); - if (ret != LDB_SUCCESS) { - return ret; + /* "isCriticalSystemObject" might be set */ + if (user_account_control & + (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) { + ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject", + "TRUE"); + if (ret != LDB_SUCCESS) { + return ret; + } + el2 = ldb_msg_find_element(ac->msg, + "isCriticalSystemObject"); + el2->flags = LDB_FLAG_MOD_REPLACE; + } else if (user_account_control & UF_WORKSTATION_TRUST_ACCOUNT) { + ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject", + "FALSE"); + if (ret != LDB_SUCCESS) { + return ret; + } + el2 = ldb_msg_find_element(ac->msg, + "isCriticalSystemObject"); + el2->flags = LDB_FLAG_MOD_REPLACE; } - } - } - } else if (strcmp(ac->type, "group") == 0) { - /* Step 2.2: Default values */ - tempstr = talloc_asprintf(ac->msg, "%d", - GTYPE_SECURITY_GLOBAL_GROUP); - if (tempstr == NULL) return ldb_operr(ldb); - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "groupType", tempstr); - if (ret != LDB_SUCCESS) return ret; + /* Step 1.4: "userAccountControl" -> "primaryGroupID" mapping */ + if (!ldb_msg_find_element(ac->msg, "primaryGroupID")) { + uint32_t rid = ds_uf2prim_group_rid(user_account_control); + + /* + * Older AD deployments don't know about the + * RODC group + */ + if (rid == DOMAIN_RID_READONLY_DCS) { + ret = samldb_prim_group_tester(ac, rid); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, + "primaryGroupID", rid); + if (ret != LDB_SUCCESS) { + return ret; + } + el2 = ldb_msg_find_element(ac->msg, + "primaryGroupID"); + el2->flags = LDB_FLAG_MOD_REPLACE; + } - /* Step 2.3: "groupType" -> "sAMAccountType" */ - el = ldb_msg_find_element(ac->msg, "groupType"); - if (el != NULL) { - uint32_t group_type, account_type; + /* Step 1.5: Add additional flags when needed */ + /* Obviously this is done when the "userAccountControl" + * has been generated here (tested against Windows + * Server) */ + if (uac_generated) { + user_account_control |= UF_ACCOUNTDISABLE; + user_account_control |= UF_PASSWD_NOTREQD; + + ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg, + "userAccountControl", + user_account_control); + if (ret != LDB_SUCCESS) { + return ret; + } + } + } + break; + } + case SAMLDB_TYPE_GROUP: { + const char *tempstr; + + /* Step 2.2: Default values */ + tempstr = talloc_asprintf(ac->msg, "%d", + GTYPE_SECURITY_GLOBAL_GROUP); + if (tempstr == NULL) return ldb_operr(ldb); + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "groupType", tempstr); + if (ret != LDB_SUCCESS) return ret; - group_type = ldb_msg_find_attr_as_uint(ac->msg, - "groupType", 0); + /* Step 2.3: "groupType" -> "sAMAccountType" */ + el = ldb_msg_find_element(ac->msg, "groupType"); + if (el != NULL) { + uint32_t group_type, account_type; + + group_type = ldb_msg_find_attr_as_uint(ac->msg, + "groupType", 0); + + /* The creation of builtin groups requires the + * RELAX control */ + if (group_type == GTYPE_SECURITY_BUILTIN_LOCAL_GROUP) { + if (ldb_request_get_control(ac->req, + LDB_CONTROL_RELAX_OID) == NULL) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } + } - /* The creation of builtin groups requires the - * RELAX control */ - if (group_type == GTYPE_SECURITY_BUILTIN_LOCAL_GROUP) { - if (ldb_request_get_control(ac->req, - LDB_CONTROL_RELAX_OID) == NULL) { + account_type = ds_gtype2atype(group_type); + if (account_type == 0) { + ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); return LDB_ERR_UNWILLING_TO_PERFORM; } + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, + "sAMAccountType", + account_type); + if (ret != LDB_SUCCESS) { + return ret; + } + el2 = ldb_msg_find_element(ac->msg, "sAMAccountType"); + el2->flags = LDB_FLAG_MOD_REPLACE; } - - account_type = ds_gtype2atype(group_type); - if (account_type == 0) { - ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); - return LDB_ERR_UNWILLING_TO_PERFORM; - } - ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, - "sAMAccountType", - account_type); - if (ret != LDB_SUCCESS) { - return ret; + break; } - el2 = ldb_msg_find_element(ac->msg, "sAMAccountType"); - el2->flags = LDB_FLAG_MOD_REPLACE; - } + + default: + ldb_asprintf_errstring(ldb, + "Invalid entry type!"); + return LDB_ERR_OPERATIONS_ERROR; + break; } return LDB_SUCCESS; @@ -1004,91 +1090,101 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) * ac->msg contains the "add"/"modify" message */ -static int samldb_prim_group_set(struct samldb_ctx *ac) +static int samldb_prim_group_tester(struct samldb_ctx *ac, uint32_t rid) { struct ldb_context *ldb = ldb_module_get_ctx(ac->module); - struct ldb_dn *prim_group_dn; - uint32_t rid; struct dom_sid *sid; - - rid = ldb_msg_find_attr_as_uint(ac->msg, "primaryGroupID", (uint32_t) -1); - if (rid == (uint32_t) -1) { - /* we aren't affected of any primary group set */ - return LDB_SUCCESS; - - } else if (!ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) { - ldb_set_errstring(ldb, - "The primary group isn't settable on add operations!"); - return LDB_ERR_UNWILLING_TO_PERFORM; - } + struct ldb_result *res; + int ret; + const char *noattrs[] = { NULL }; sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid); if (sid == NULL) { return ldb_operr(ldb); } - prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)", - ldap_encode_ndr_dom_sid(ac, sid)); - if (prim_group_dn == NULL) { + ret = dsdb_module_search(ac->module, ac, &res, + ldb_get_default_basedn(ldb), + LDB_SCOPE_SUBTREE, + noattrs, DSDB_FLAG_NEXT_MODULE, + ac->req, + "(objectSid=%s)", + ldap_encode_ndr_dom_sid(ac, sid)); + if (ret != LDB_SUCCESS) { + return ret; + } + if (res->count != 1) { + talloc_free(res); ldb_asprintf_errstring(ldb, "Failed to find primary group with RID %u!", rid); return LDB_ERR_UNWILLING_TO_PERFORM; } + talloc_free(res); return LDB_SUCCESS; } +static int samldb_prim_group_set(struct samldb_ctx *ac) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + uint32_t rid; + + rid = ldb_msg_find_attr_as_uint(ac->msg, "primaryGroupID", (uint32_t) -1); + if (rid == (uint32_t) -1) { + /* we aren't affected of any primary group set */ + return LDB_SUCCESS; + + } else if (!ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) { + ldb_set_errstring(ldb, + "The primary group isn't settable on add operations!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + return samldb_prim_group_tester(ac, rid); +} + static int samldb_prim_group_change(struct samldb_ctx *ac) { struct ldb_context *ldb = ldb_module_get_ctx(ac->module); const char * attrs[] = { "primaryGroupID", "memberOf", NULL }; - struct ldb_result *res; + struct ldb_result *res, *group_res; struct ldb_message_element *el; struct ldb_message *msg; - uint32_t rid; - struct dom_sid *sid; + uint32_t prev_rid, new_rid; + struct dom_sid *prev_sid, *new_sid; struct ldb_dn *prev_prim_group_dn, *new_prim_group_dn; int ret; + const char *noattrs[] = { NULL }; - ret = samldb_get_single_valued_attr(ac, "primaryGroupID", &el); - if (ret != LDB_SUCCESS) { - return ret; - } + el = dsdb_get_single_valued_attr(ac->msg, "primaryGroupID", + ac->req->operation); if (el == NULL) { /* we are not affected */ return LDB_SUCCESS; } - /* Fetch informations from the existing object */ + /* Fetch information from the existing object */ - ret = ldb_search(ldb, ac, &res, ac->msg->dn, LDB_SCOPE_BASE, attrs, - NULL); + ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, attrs, + DSDB_FLAG_NEXT_MODULE, ac->req); if (ret != LDB_SUCCESS) { return ret; } - if (res->count != 1) { - return ldb_operr(ldb); - } /* Finds out the DN of the old primary group */ - rid = ldb_msg_find_attr_as_uint(res->msgs[0], "primaryGroupID", (uint32_t) -1); - if (rid == (uint32_t) -1) { + prev_rid = ldb_msg_find_attr_as_uint(res->msgs[0], "primaryGroupID", + (uint32_t) -1); + if (prev_rid == (uint32_t) -1) { /* User objects do always have a mandatory "primaryGroupID" * attribute. If this doesn't exist then the object is of the * wrong type. This is the exact Windows error code */ return LDB_ERR_OBJECT_CLASS_VIOLATION; } - sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid); - if (sid == NULL) { - return ldb_operr(ldb); - } - - prev_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)", - ldap_encode_ndr_dom_sid(ac, sid)); - if (prev_prim_group_dn == NULL) { + prev_sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), prev_rid); + if (prev_sid == NULL) { return ldb_operr(ldb); } @@ -1104,76 +1200,99 @@ static int samldb_prim_group_change(struct samldb_ctx *ac) if (ret != LDB_SUCCESS) { return ret; } - rid = ldb_msg_find_attr_as_uint(msg, "primaryGroupID", (uint32_t) -1); + new_rid = ldb_msg_find_attr_as_uint(msg, "primaryGroupID", (uint32_t) -1); talloc_free(msg); - if (rid == (uint32_t) -1) { + if (new_rid == (uint32_t) -1) { /* we aren't affected of any primary group change */ return LDB_SUCCESS; } - sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid); - if (sid == NULL) { - return ldb_operr(ldb); + if (prev_rid == new_rid) { + return LDB_SUCCESS; + } + + ret = dsdb_module_search(ac->module, ac, &group_res, + ldb_get_default_basedn(ldb), + LDB_SCOPE_SUBTREE, + noattrs, DSDB_FLAG_NEXT_MODULE, + ac->req, + "(objectSid=%s)", + ldap_encode_ndr_dom_sid(ac, prev_sid)); + if (ret != LDB_SUCCESS) { + return ret; + } + if (group_res->count != 1) { + return ldb_operr(ldb); + } + prev_prim_group_dn = group_res->msgs[0]->dn; + + new_sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), new_rid); + if (new_sid == NULL) { + return ldb_operr(ldb); } - new_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)", - ldap_encode_ndr_dom_sid(ac, sid)); - if (new_prim_group_dn == NULL) { + ret = dsdb_module_search(ac->module, ac, &group_res, + ldb_get_default_basedn(ldb), + LDB_SCOPE_SUBTREE, + noattrs, DSDB_FLAG_NEXT_MODULE, + ac->req, + "(objectSid=%s)", + ldap_encode_ndr_dom_sid(ac, new_sid)); + if (ret != LDB_SUCCESS) { + return ret; + } + if (group_res->count != 1) { /* Here we know if the specified new primary group candidate is * valid or not. */ return LDB_ERR_UNWILLING_TO_PERFORM; } + new_prim_group_dn = group_res->msgs[0]->dn; - /* Only update the "member" attributes when we really do have a change */ - if (ldb_dn_compare(new_prim_group_dn, prev_prim_group_dn) != 0) { - /* We need to be already a normal member of the new primary - * group in order to be successful. */ - el = samdb_find_attribute(ldb, res->msgs[0], "memberOf", - ldb_dn_get_linearized(new_prim_group_dn)); - if (el == NULL) { - return LDB_ERR_UNWILLING_TO_PERFORM; - } - - /* Remove the "member" attribute on the new primary group */ - msg = ldb_msg_new(ac->msg); - if (msg == NULL) { - return ldb_module_oom(ac->module); - } - msg->dn = new_prim_group_dn; + /* We need to be already a normal member of the new primary + * group in order to be successful. */ + el = samdb_find_attribute(ldb, res->msgs[0], "memberOf", + ldb_dn_get_linearized(new_prim_group_dn)); + if (el == NULL) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } - ret = samdb_msg_add_delval(ldb, msg, msg, "member", - ldb_dn_get_linearized(ac->msg->dn)); - if (ret != LDB_SUCCESS) { - return ret; - } + /* Remove the "member" attribute on the new primary group */ + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + msg->dn = new_prim_group_dn; - ret = dsdb_module_modify(ac->module, msg, DSDB_FLAG_NEXT_MODULE); - if (ret != LDB_SUCCESS) { - return ret; - } - talloc_free(msg); + ret = samdb_msg_add_delval(ldb, msg, msg, "member", + ldb_dn_get_linearized(ac->msg->dn)); + if (ret != LDB_SUCCESS) { + return ret; + } - /* Add a "member" attribute for the previous primary group */ - msg = ldb_msg_new(ac->msg); - if (msg == NULL) { - return ldb_module_oom(ac->module); - } - msg->dn = prev_prim_group_dn; + ret = dsdb_module_modify(ac->module, msg, DSDB_FLAG_NEXT_MODULE, ac->req); + if (ret != LDB_SUCCESS) { + return ret; + } + talloc_free(msg); - ret = samdb_msg_add_addval(ldb, msg, msg, "member", - ldb_dn_get_linearized(ac->msg->dn)); - if (ret != LDB_SUCCESS) { - return ret; - } + /* Add a "member" attribute for the previous primary group */ + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + msg->dn = prev_prim_group_dn; - ret = dsdb_module_modify(ac->module, msg, DSDB_FLAG_NEXT_MODULE); - if (ret != LDB_SUCCESS) { - return ret; - } - talloc_free(msg); + ret = samdb_msg_add_addval(ldb, msg, msg, "member", + ldb_dn_get_linearized(ac->msg->dn)); + if (ret != LDB_SUCCESS) { + return ret; } - talloc_free(res); + ret = dsdb_module_modify(ac->module, msg, DSDB_FLAG_NEXT_MODULE, ac->req); + if (ret != LDB_SUCCESS) { + return ret; + } + talloc_free(msg); return LDB_SUCCESS; } @@ -1191,18 +1310,25 @@ static int samldb_prim_group_trigger(struct samldb_ctx *ac) return ret; } + +/** + * This function is called on LDB modify operations. It performs some additions/ + * replaces on the current LDB message when "userAccountControl" changes. + */ static int samldb_user_account_control_change(struct samldb_ctx *ac) { struct ldb_context *ldb = ldb_module_get_ctx(ac->module); - uint32_t user_account_control, account_type; + uint32_t user_account_control, old_user_account_control, account_type; struct ldb_message_element *el; struct ldb_message *tmp_msg; int ret; + struct ldb_result *res; + const char *attrs[] = { "userAccountControl", "objectClass", NULL }; + unsigned int i; + bool is_computer = false; - ret = samldb_get_single_valued_attr(ac, "userAccountControl", &el); - if (ret != LDB_SUCCESS) { - return ret; - } + el = dsdb_get_single_valued_attr(ac->msg, "userAccountControl", + ac->req->operation); if (el == NULL) { /* we are not affected */ return LDB_SUCCESS; @@ -1227,6 +1353,49 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) return LDB_ERR_OTHER; } + /* Fetch the old "userAccountControl" and "objectClass" */ + ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, attrs, + DSDB_FLAG_NEXT_MODULE, ac->req); + if (ret != LDB_SUCCESS) { + return ret; + } + old_user_account_control = ldb_msg_find_attr_as_uint(res->msgs[0], "userAccountControl", 0); + if (old_user_account_control == 0) { + return ldb_operr(ldb); + } + el = ldb_msg_find_element(res->msgs[0], "objectClass"); + if (el == NULL) { + return ldb_operr(ldb); + } + + /* When we do not have objectclass "computer" we cannot switch to a (read-only) DC */ + for (i = 0; i < el->num_values; i++) { + if (ldb_attr_cmp((char *)el->values[i].data, "computer") == 0) { + is_computer = true; + break; + } + } + if (!is_computer && + (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT))) { + ldb_set_errstring(ldb, + "samldb: Requested account type does need objectclass 'computer'!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + /* + * The functions "ds_uf2atype" and "ds_uf2prim_group_rid" are used as + * detectors for account type changes. + * So if the account type does change then we need to adjust the + * "sAMAccountType", the "isCriticalSystemObject" and the + * "primaryGroupID" attribute. + */ + if ((ds_uf2atype(user_account_control) + == ds_uf2atype(old_user_account_control)) && + (ds_uf2prim_group_rid(user_account_control) + == ds_uf2prim_group_rid(old_user_account_control))) { + return LDB_SUCCESS; + } + account_type = ds_uf2atype(user_account_control); if (account_type == 0) { ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); @@ -1240,10 +1409,20 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) el = ldb_msg_find_element(ac->msg, "sAMAccountType"); el->flags = LDB_FLAG_MOD_REPLACE; + /* "isCriticalSystemObject" might be set/changed */ if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) { - ret = samdb_msg_add_string(ldb, ac->msg, ac->msg, - "isCriticalSystemObject", "TRUE"); + ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject", + "TRUE"); + if (ret != LDB_SUCCESS) { + return ret; + } + el = ldb_msg_find_element(ac->msg, + "isCriticalSystemObject"); + el->flags = LDB_FLAG_MOD_REPLACE; + } else if (user_account_control & UF_WORKSTATION_TRUST_ACCOUNT) { + ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject", + "FALSE"); if (ret != LDB_SUCCESS) { return ret; } @@ -1254,6 +1433,15 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) if (!ldb_msg_find_element(ac->msg, "primaryGroupID")) { uint32_t rid = ds_uf2prim_group_rid(user_account_control); + + /* Older AD deployments don't know about the RODC group */ + if (rid == DOMAIN_RID_READONLY_DCS) { + ret = samldb_prim_group_tester(ac, rid); + if (ret != LDB_SUCCESS) { + return ret; + } + } + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "primaryGroupID", rid); if (ret != LDB_SUCCESS) { @@ -1274,11 +1462,11 @@ static int samldb_group_type_change(struct samldb_ctx *ac) struct ldb_message_element *el; struct ldb_message *tmp_msg; int ret; + struct ldb_result *res; + const char *attrs[] = { "groupType", NULL }; - ret = samldb_get_single_valued_attr(ac, "groupType", &el); - if (ret != LDB_SUCCESS) { - return ret; - } + el = dsdb_get_single_valued_attr(ac->msg, "groupType", + ac->req->operation); if (el == NULL) { /* we are not affected */ return LDB_SUCCESS; @@ -1296,8 +1484,13 @@ static int samldb_group_type_change(struct samldb_ctx *ac) group_type = ldb_msg_find_attr_as_uint(tmp_msg, "groupType", 0); talloc_free(tmp_msg); - old_group_type = samdb_search_uint(ldb, ac, 0, ac->msg->dn, - "groupType", NULL); + ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, attrs, + DSDB_FLAG_NEXT_MODULE | + DSDB_SEARCH_SHOW_DELETED, ac->req); + if (ret != LDB_SUCCESS) { + return ret; + } + old_group_type = ldb_msg_find_attr_as_uint(res->msgs[0], "groupType", 0); if (old_group_type == 0) { return ldb_operr(ldb); } @@ -1307,35 +1500,40 @@ static int samldb_group_type_change(struct samldb_ctx *ac) * On each step also the group type itself * (security/distribution) is variable. */ - switch (group_type) { - case GTYPE_SECURITY_GLOBAL_GROUP: - case GTYPE_DISTRIBUTION_GLOBAL_GROUP: - /* change to "universal" allowed */ - if ((old_group_type == GTYPE_SECURITY_DOMAIN_LOCAL_GROUP) || - (old_group_type == GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)) { - return LDB_ERR_UNWILLING_TO_PERFORM; - } - break; - - case GTYPE_SECURITY_UNIVERSAL_GROUP: - case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP: - /* each change allowed */ - break; - - case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP: - case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP: - /* change to "universal" allowed */ - if ((old_group_type == GTYPE_SECURITY_GLOBAL_GROUP) || - (old_group_type == GTYPE_DISTRIBUTION_GLOBAL_GROUP)) { + if (ldb_request_get_control(ac->req, LDB_CONTROL_PROVISION_OID) == NULL) { + switch (group_type) { + case GTYPE_SECURITY_GLOBAL_GROUP: + case GTYPE_DISTRIBUTION_GLOBAL_GROUP: + /* change to "universal" allowed */ + if ((old_group_type == GTYPE_SECURITY_DOMAIN_LOCAL_GROUP) || + (old_group_type == GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)) { + ldb_set_errstring(ldb, + "samldb: Change from security/distribution local group forbidden!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + break; + + case GTYPE_SECURITY_UNIVERSAL_GROUP: + case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP: + /* each change allowed */ + break; + case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP: + case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP: + /* change to "universal" allowed */ + if ((old_group_type == GTYPE_SECURITY_GLOBAL_GROUP) || + (old_group_type == GTYPE_DISTRIBUTION_GLOBAL_GROUP)) { + ldb_set_errstring(ldb, + "samldb: Change from security/distribution global group forbidden!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + break; + + case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP: + default: + /* we don't allow this "groupType" values */ return LDB_ERR_UNWILLING_TO_PERFORM; + break; } - break; - - case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP: - default: - /* we don't allow this "groupType" values */ - return LDB_ERR_UNWILLING_TO_PERFORM; - break; } account_type = ds_gtype2atype(group_type); @@ -1354,15 +1552,100 @@ static int samldb_group_type_change(struct samldb_ctx *ac) return LDB_SUCCESS; } +static int samldb_sam_accountname_check(struct samldb_ctx *ac) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + const char *no_attrs[] = { NULL }; + struct ldb_result *res; + const char *sam_accountname, *enc_str; + struct ldb_message_element *el; + struct ldb_message *tmp_msg; + int ret; + + el = dsdb_get_single_valued_attr(ac->msg, "sAMAccountName", + ac->req->operation); + if (el == NULL) { + /* we are not affected */ + return LDB_SUCCESS; + } + + /* Create a temporary message for fetching the "sAMAccountName" */ + tmp_msg = ldb_msg_new(ac->msg); + if (tmp_msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(tmp_msg, el, 0); + if (ret != LDB_SUCCESS) { + return ret; + } + sam_accountname = talloc_steal(ac, + ldb_msg_find_attr_as_string(tmp_msg, "sAMAccountName", NULL)); + talloc_free(tmp_msg); + + if (sam_accountname == NULL) { + /* The "sAMAccountName" cannot be nothing */ + ldb_set_errstring(ldb, + "samldb: Empty account names aren't allowed!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + enc_str = ldb_binary_encode_string(ac, sam_accountname); + if (enc_str == NULL) { + return ldb_module_oom(ac->module); + } + + /* Make sure that a "sAMAccountName" is only used once */ + + ret = dsdb_module_search(ac->module, ac, &res, + ldb_get_default_basedn(ldb), + LDB_SCOPE_SUBTREE, no_attrs, + DSDB_FLAG_NEXT_MODULE, ac->req, + "(sAMAccountName=%s)", enc_str); + if (ret != LDB_SUCCESS) { + return ret; + } + if (res->count > 1) { + return ldb_operr(ldb); + } else if (res->count == 1) { + if (ldb_dn_compare(res->msgs[0]->dn, ac->msg->dn) != 0) { + ldb_asprintf_errstring(ldb, + "samldb: Account name (sAMAccountName) '%s' already in use!", + sam_accountname); + return LDB_ERR_ENTRY_ALREADY_EXISTS; + } + } + talloc_free(res); + + return LDB_SUCCESS; +} + static int samldb_member_check(struct samldb_ctx *ac) { + static const char * const attrs[] = { "objectSid", "member", NULL }; struct ldb_context *ldb = ldb_module_get_ctx(ac->module); struct ldb_message_element *el; - struct ldb_dn *member_dn, *group_dn; - uint32_t prim_group_rid; + struct ldb_dn *member_dn; struct dom_sid *sid; + struct ldb_result *res; + struct dom_sid *group_sid; unsigned int i, j; - int cnt; + int ret; + + /* Fetch information from the existing object */ + + ret = dsdb_module_search(ac->module, ac, &res, ac->msg->dn, LDB_SCOPE_BASE, attrs, + DSDB_FLAG_NEXT_MODULE, ac->req, NULL); + if (ret != LDB_SUCCESS) { + return ret; + } + if (res->count != 1) { + return ldb_operr(ldb); + } + + group_sid = samdb_result_dom_sid(res, res->msgs[0], "objectSid"); + if (group_sid == NULL) { + return ldb_operr(ldb); + } /* We've to walk over all modification entries and consider the "member" * ones. */ @@ -1373,49 +1656,40 @@ static int samldb_member_check(struct samldb_ctx *ac) el = &ac->msg->elements[i]; for (j = 0; j < el->num_values; j++) { + struct ldb_result *group_res; + const char *group_attrs[] = { "primaryGroupID" , NULL }; + uint32_t prim_group_rid; + + if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE) { + /* Deletes will be handled in + * repl_meta_data, and deletes not + * matching a member will return + * LDB_ERR_UNWILLING_TO_PERFORM + * there */ + continue; + } + member_dn = ldb_dn_from_ldb_val(ac, ldb, &el->values[j]); if (!ldb_dn_validate(member_dn)) { return ldb_operr(ldb); } - /* The "member" attribute can be modified with the - * following restrictions (beside a valid DN): - * - * - "add" operations can only be performed when the - * member still doesn't exist - if not then return - * ERR_ENTRY_ALREADY_EXISTS (not - * ERR_ATTRIBUTE_OR_VALUE_EXISTS!) - * - "delete" operations can only be performed when the - * member does exist - if not then return - * ERR_UNWILLING_TO_PERFORM (not - * ERR_NO_SUCH_ATTRIBUTE!) - * - primary group check - */ - cnt = samdb_search_count(ldb, ac, ac->msg->dn, - "(member=%s)", - ldb_dn_get_linearized(member_dn)); - if (cnt < 0) { - return ldb_operr(ldb); - } - if ((cnt > 0) && (LDB_FLAG_MOD_TYPE(el->flags) - == LDB_FLAG_MOD_ADD)) { - return LDB_ERR_ENTRY_ALREADY_EXISTS; - } - if ((cnt == 0) && LDB_FLAG_MOD_TYPE(el->flags) - == LDB_FLAG_MOD_DELETE) { - return LDB_ERR_UNWILLING_TO_PERFORM; - } - /* Denies to add "member"s to groups which are primary * ones for them - in this case return * ERR_ENTRY_ALREADY_EXISTS. */ - prim_group_rid = samdb_search_uint(ldb, ac, - (uint32_t) -1, - member_dn, - "primaryGroupID", - NULL); + ret = dsdb_module_search_dn(ac->module, ac, &group_res, + member_dn, group_attrs, + DSDB_FLAG_NEXT_MODULE, ac->req); + if (ret == LDB_ERR_NO_SUCH_OBJECT) { + /* member DN doesn't exist yet */ + continue; + } + if (ret != LDB_SUCCESS) { + return ret; + } + prim_group_rid = ldb_msg_find_attr_as_uint(group_res->msgs[0], "primaryGroupID", (uint32_t)-1); if (prim_group_rid == (uint32_t) -1) { /* the member hasn't to be a user account -> * therefore no check needed in this case. */ @@ -1428,18 +1702,261 @@ static int samldb_member_check(struct samldb_ctx *ac) return ldb_operr(ldb); } - group_dn = samdb_search_dn(ldb, ac, NULL, - "(objectSid=%s)", - ldap_encode_ndr_dom_sid(ac, sid)); - if (group_dn == NULL) { - return ldb_operr(ldb); + if (dom_sid_equal(group_sid, sid)) { + ldb_asprintf_errstring(ldb, + "samldb: member %s already set via primaryGroupID %u", + ldb_dn_get_linearized(member_dn), prim_group_rid); + return LDB_ERR_ENTRY_ALREADY_EXISTS; } + } + } - if (ldb_dn_compare(group_dn, ac->msg->dn) == 0) { - return LDB_ERR_ENTRY_ALREADY_EXISTS; + talloc_free(res); + + return LDB_SUCCESS; +} + +/* SAM objects have special rules regarding the "description" attribute on + * modify operations. */ +static int samldb_description_check(struct samldb_ctx *ac, bool *modified) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + const char * const attrs[] = { "objectClass", "description", NULL }; + struct ldb_result *res; + unsigned int i; + int ret; + + /* Fetch information from the existing object */ + ret = dsdb_module_search(ac->module, ac, &res, ac->msg->dn, LDB_SCOPE_BASE, attrs, + DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_DELETED, ac->req, + "(|(objectclass=user)(objectclass=group)(objectclass=samDomain)(objectclass=samServer))"); + if (ret != LDB_SUCCESS) { + /* don't treat it specially ... let normal error codes + happen from other places */ + ldb_reset_err_string(ldb); + return LDB_SUCCESS; + } + if (res->count == 0) { + /* we didn't match the filter */ + talloc_free(res); + return LDB_SUCCESS; + } + + /* We've to walk over all modification entries and consider the + * "description" ones. */ + for (i = 0; i < ac->msg->num_elements; i++) { + if (ldb_attr_cmp(ac->msg->elements[i].name, "description") == 0) { + ac->msg->elements[i].flags |= LDB_FLAG_INTERNAL_FORCE_SINGLE_VALUE_CHECK; + *modified = true; + } + } + + talloc_free(res); + + return LDB_SUCCESS; +} + +/* This trigger adapts the "servicePrincipalName" attributes if the + * "dNSHostName" and/or "sAMAccountName" attribute change(s) */ +static int samldb_service_principal_names_change(struct samldb_ctx *ac) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + struct ldb_message_element *el = NULL, *el2 = NULL; + struct ldb_message *msg; + const char *attrs[] = { "servicePrincipalName", NULL }; + struct ldb_result *res; + const char *dns_hostname = NULL, *old_dns_hostname = NULL, + *sam_accountname = NULL, *old_sam_accountname = NULL; + unsigned int i; + int ret; + + el = dsdb_get_single_valued_attr(ac->msg, "dNSHostName", + ac->req->operation); + el2 = dsdb_get_single_valued_attr(ac->msg, "sAMAccountName", + ac->req->operation); + if ((el == NULL) && (el2 == NULL)) { + /* we are not affected */ + return LDB_SUCCESS; + } + + /* Create a temporary message for fetching the "dNSHostName" */ + if (el != NULL) { + const char *dns_attrs[] = { "dNSHostName", NULL }; + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(msg, el, 0); + if (ret != LDB_SUCCESS) { + return ret; + } + dns_hostname = talloc_steal(ac, + ldb_msg_find_attr_as_string(msg, "dNSHostName", NULL)); + talloc_free(msg); + + ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, + dns_attrs, DSDB_FLAG_NEXT_MODULE, ac->req); + if (ret == LDB_SUCCESS) { + old_dns_hostname = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL); + } + } + + /* Create a temporary message for fetching the "sAMAccountName" */ + if (el2 != NULL) { + char *tempstr, *tempstr2; + const char *acct_attrs[] = { "sAMAccountName", NULL }; + + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(msg, el2, 0); + if (ret != LDB_SUCCESS) { + return ret; + } + tempstr = talloc_strdup(ac, + ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL)); + talloc_free(msg); + + ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, acct_attrs, + DSDB_FLAG_NEXT_MODULE, ac->req); + if (ret == LDB_SUCCESS) { + tempstr2 = talloc_strdup(ac, + ldb_msg_find_attr_as_string(res->msgs[0], + "sAMAccountName", NULL)); + } + + + /* The "sAMAccountName" needs some additional trimming: we need + * to remove the trailing "$"s if they exist. */ + if ((tempstr != NULL) && (tempstr[0] != '\0') && + (tempstr[strlen(tempstr) - 1] == '$')) { + tempstr[strlen(tempstr) - 1] = '\0'; + } + if ((tempstr2 != NULL) && (tempstr2[0] != '\0') && + (tempstr2[strlen(tempstr2) - 1] == '$')) { + tempstr2[strlen(tempstr2) - 1] = '\0'; + } + sam_accountname = tempstr; + old_sam_accountname = tempstr2; + } + + if (old_dns_hostname == NULL) { + /* we cannot change when the old name is unknown */ + dns_hostname = NULL; + } + if ((old_dns_hostname != NULL) && (dns_hostname != NULL) && + (strcasecmp(old_dns_hostname, dns_hostname) == 0)) { + /* The "dNSHostName" didn't change */ + dns_hostname = NULL; + } + + if (old_sam_accountname == NULL) { + /* we cannot change when the old name is unknown */ + sam_accountname = NULL; + } + if ((old_sam_accountname != NULL) && (sam_accountname != NULL) && + (strcasecmp(old_sam_accountname, sam_accountname) == 0)) { + /* The "sAMAccountName" didn't change */ + sam_accountname = NULL; + } + + if ((dns_hostname == NULL) && (sam_accountname == NULL)) { + /* Well, there are information missing (old name(s)) or the + * names didn't change. We've nothing to do and can exit here */ + return LDB_SUCCESS; + } + + /* Potential "servicePrincipalName" changes in the same request have to + * be handled before the update (Windows behaviour). */ + el = ldb_msg_find_element(ac->msg, "servicePrincipalName"); + if (el != NULL) { + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + msg->dn = ac->msg->dn; + + do { + ret = ldb_msg_add(msg, el, el->flags); + if (ret != LDB_SUCCESS) { + return ret; } + + ldb_msg_remove_element(ac->msg, el); + + el = ldb_msg_find_element(ac->msg, + "servicePrincipalName"); + } while (el != NULL); + + ret = dsdb_module_modify(ac->module, msg, + DSDB_FLAG_NEXT_MODULE, ac->req); + if (ret != LDB_SUCCESS) { + return ret; } + talloc_free(msg); + } + + /* Fetch the "servicePrincipalName"s if any */ + ret = dsdb_module_search(ac->module, ac, &res, ac->msg->dn, LDB_SCOPE_BASE, attrs, + DSDB_FLAG_NEXT_MODULE, ac->req, NULL); + if (ret != LDB_SUCCESS) { + return ret; } + if ((res->count != 1) || (res->msgs[0]->num_elements > 1)) { + return ldb_operr(ldb); + } + + if (res->msgs[0]->num_elements == 1) { + /* Yes, we do have "servicePrincipalName"s. First we update them + * locally, that means we do always substitute the current + * "dNSHostName" with the new one and/or "sAMAccountName" + * without "$" with the new one and then we append this to the + * modification request (Windows behaviour). */ + + for (i = 0; i < res->msgs[0]->elements[0].num_values; i++) { + char *old_str, *new_str, *pos; + const char *tok; + + old_str = (char *) + res->msgs[0]->elements[0].values[i].data; + + new_str = talloc_strdup(ac->msg, + strtok_r(old_str, "/", &pos)); + if (new_str == NULL) { + return ldb_module_oom(ac->module); + } + + while ((tok = strtok_r(NULL, "/", &pos)) != NULL) { + if ((dns_hostname != NULL) && + (strcasecmp(tok, old_dns_hostname) == 0)) { + tok = dns_hostname; + } + if ((sam_accountname != NULL) && + (strcasecmp(tok, old_sam_accountname) == 0)) { + tok = sam_accountname; + } + + new_str = talloc_asprintf(ac->msg, "%s/%s", + new_str, tok); + if (new_str == NULL) { + return ldb_module_oom(ac->module); + } + } + + ret = ldb_msg_add_string(ac->msg, + "servicePrincipalName", + new_str); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + el = ldb_msg_find_element(ac->msg, "servicePrincipalName"); + el->flags = LDB_FLAG_MOD_REPLACE; + } + + talloc_free(res); return LDB_SUCCESS; } @@ -1476,7 +1993,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req) if (samdb_find_attribute(ldb, ac->msg, "objectclass", "user") != NULL) { - ac->type = "user"; + ac->type = SAMLDB_TYPE_USER; ret = samldb_prim_group_trigger(ac); if (ret != LDB_SUCCESS) { @@ -1493,7 +2010,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req) if (samdb_find_attribute(ldb, ac->msg, "objectclass", "group") != NULL) { - ac->type = "group"; + ac->type = SAMLDB_TYPE_GROUP; ret = samldb_objectclass_trigger(ac); if (ret != LDB_SUCCESS) { @@ -1518,7 +2035,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req) return ret; } - ac->type = "classSchema"; + ac->type = SAMLDB_TYPE_CLASS; return samldb_fill_object(ac); } @@ -1530,7 +2047,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req) return ret; } - ac->type = "attributeSchema"; + ac->type = SAMLDB_TYPE_ATTRIBUTE; return samldb_fill_object(ac); } @@ -1545,7 +2062,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) { struct ldb_context *ldb; struct samldb_ctx *ac; - struct ldb_message_element *el; + struct ldb_message_element *el, *el2; bool modified = false; int ret; @@ -1556,6 +2073,15 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) ldb = ldb_module_get_ctx(module); + /* make sure that "objectSid" is not specified */ + el = ldb_msg_find_element(req->op.mod.message, "objectSid"); + if (el != NULL) { + if (ldb_request_get_control(req, LDB_CONTROL_PROVISION_OID) == NULL) { + ldb_set_errstring(ldb, + "samldb: objectSid must not be specified!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + } /* make sure that "sAMAccountType" is not specified */ el = ldb_msg_find_element(req->op.mod.message, "sAMAccountType"); if (el != NULL) { @@ -1598,7 +2124,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) el = ldb_msg_find_element(ac->msg, "primaryGroupID"); if (el != NULL) { - ret = samldb_prim_group_change(ac); + ret = samldb_prim_group_trigger(ac); if (ret != LDB_SUCCESS) { return ret; } @@ -1622,6 +2148,14 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) } } + el = ldb_msg_find_element(ac->msg, "sAMAccountName"); + if (el != NULL) { + ret = samldb_sam_accountname_check(ac); + if (ret != LDB_SUCCESS) { + return ret; + } + } + el = ldb_msg_find_element(ac->msg, "member"); if (el != NULL) { ret = samldb_member_check(ac); @@ -1630,6 +2164,24 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) } } + el = ldb_msg_find_element(ac->msg, "description"); + if (el != NULL) { + ret = samldb_description_check(ac, &modified); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + el = ldb_msg_find_element(ac->msg, "dNSHostName"); + el2 = ldb_msg_find_element(ac->msg, "sAMAccountName"); + if ((el != NULL) || (el2 != NULL)) { + modified = true; + ret = samldb_service_principal_names_change(ac); + if (ret != LDB_SUCCESS) { + return ret; + } + } + if (modified) { struct ldb_request *child_req; @@ -1661,13 +2213,27 @@ static int samldb_prim_group_users_check(struct samldb_ctx *ac) struct dom_sid *sid; uint32_t rid; NTSTATUS status; - int count; + int ret; + struct ldb_result *res; + const char *attrs[] = { "objectSid", "isDeleted", NULL }; + const char *noattrs[] = { NULL }; ldb = ldb_module_get_ctx(ac->module); /* Finds out the SID/RID of the SAM object */ - sid = samdb_search_dom_sid(ldb, ac, ac->req->op.del.dn, "objectSid", - NULL); + ret = dsdb_module_search_dn(ac->module, ac, &res, ac->req->op.del.dn, + attrs, + DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_DELETED, + ac->req); + if (ret != LDB_SUCCESS) { + return ret; + } + + if (ldb_msg_check_string_attribute(res->msgs[0], "isDeleted", "TRUE")) { + return LDB_SUCCESS; + } + + sid = samdb_result_dom_sid(ac, res->msgs[0], "objectSid"); if (sid == NULL) { /* No SID - it might not be a SAM object - therefore ok */ return LDB_SUCCESS; @@ -1682,13 +2248,16 @@ static int samldb_prim_group_users_check(struct samldb_ctx *ac) } /* Deny delete requests from groups which are primary ones */ - count = samdb_search_count(ldb, ac, NULL, - "(&(primaryGroupID=%u)(objectClass=user))", - rid); - if (count < 0) { - return ldb_operr(ldb); + ret = dsdb_module_search(ac->module, ac, &res, + ldb_get_default_basedn(ldb), + LDB_SCOPE_SUBTREE, noattrs, + DSDB_FLAG_NEXT_MODULE, + ac->req, + "(&(primaryGroupID=%u)(objectClass=user))", rid); + if (ret != LDB_SUCCESS) { + return ret; } - if (count > 0) { + if (res->count > 0) { return LDB_ERR_ENTRY_ALREADY_EXISTS; } @@ -1736,7 +2305,7 @@ static int samldb_extended_allocate_rid_pool(struct ldb_module *module, struct l return LDB_ERR_PROTOCOL_ERROR; } - ret = ridalloc_allocate_rid_pool_fsmo(module, exop); + ret = ridalloc_allocate_rid_pool_fsmo(module, exop, req); if (ret != LDB_SUCCESS) { return ret; } @@ -1754,7 +2323,7 @@ static int samldb_extended(struct ldb_module *module, struct ldb_request *req) } -_PUBLIC_ const struct ldb_module_ops ldb_samldb_module_ops = { +static const struct ldb_module_ops ldb_samldb_module_ops = { .name = "samldb", .add = samldb_add, .modify = samldb_modify, @@ -1762,3 +2331,9 @@ _PUBLIC_ const struct ldb_module_ops ldb_samldb_module_ops = { .extended = samldb_extended }; + +int ldb_samldb_module_init(const char *version) +{ + LDB_MODULE_CHECK_VERSION(version); + return ldb_register_module(&ldb_samldb_module_ops); +}