4 Copyright (C) Simo Sorce 2004-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2013
6 Copyright (C) Andrew Tridgell 2005-2009
7 Copyright (C) Stefan Metzmacher <metze@samba.org> 2007
8 Copyright (C) Matthieu Patou <mat@samba.org> 2010-2011
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 * Component: ldb repl_meta_data module
29 * Description: - add a unique objectGUID onto every new record,
30 * - handle whenCreated, whenChanged timestamps
31 * - handle uSNCreated, uSNChanged numbers
32 * - handle replPropertyMetaData attribute
35 * Author: Stefan Metzmacher
39 #include "ldb_module.h"
40 #include "dsdb/samdb/samdb.h"
41 #include "dsdb/common/proto.h"
42 #include "../libds/common/flags.h"
43 #include "librpc/gen_ndr/ndr_misc.h"
44 #include "librpc/gen_ndr/ndr_drsuapi.h"
45 #include "librpc/gen_ndr/ndr_drsblobs.h"
46 #include "param/param.h"
47 #include "libcli/security/security.h"
48 #include "lib/util/dlinklist.h"
49 #include "dsdb/samdb/ldb_modules/util.h"
50 #include "lib/util/binsearch.h"
51 #include "lib/util/tsort.h"
54 * It's 29/12/9999 at 23:59:59 UTC as specified in MS-ADTS 7.1.1.4.2
55 * Deleted Objects Container
57 static const NTTIME DELETED_OBJECT_CONTAINER_CHANGE_TIME = 2650466015990000000ULL;
59 struct replmd_private {
61 struct la_entry *la_list;
63 struct la_backlink *la_backlinks;
65 struct nc_entry *prev, *next;
68 uint64_t mod_usn_urgent;
70 struct ldb_dn *schema_dn;
74 struct la_entry *next, *prev;
75 struct drsuapi_DsReplicaLinkedAttribute *la;
78 struct replmd_replicated_request {
79 struct ldb_module *module;
80 struct ldb_request *req;
82 const struct dsdb_schema *schema;
83 struct GUID our_invocation_id;
85 /* the controls we pass down */
86 struct ldb_control **controls;
88 /* details for the mode where we apply a bunch of inbound replication meessages */
90 uint32_t index_current;
91 struct dsdb_extended_replicated_objects *objs;
93 struct ldb_message *search_msg;
94 struct GUID local_parent_guid;
102 static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar);
103 static int replmd_delete_internals(struct ldb_module *module, struct ldb_request *req, bool re_delete);
105 enum urgent_situation {
106 REPL_URGENT_ON_CREATE = 1,
107 REPL_URGENT_ON_UPDATE = 2,
108 REPL_URGENT_ON_DELETE = 4
111 enum deletion_state {
112 OBJECT_NOT_DELETED=1,
119 static void replmd_deletion_state(struct ldb_module *module,
120 const struct ldb_message *msg,
121 enum deletion_state *current_state,
122 enum deletion_state *next_state)
125 bool enabled = false;
128 *current_state = OBJECT_REMOVED;
129 if (next_state != NULL) {
130 *next_state = OBJECT_REMOVED;
135 ret = dsdb_recyclebin_enabled(module, &enabled);
136 if (ret != LDB_SUCCESS) {
140 if (ldb_msg_check_string_attribute(msg, "isDeleted", "TRUE")) {
142 *current_state = OBJECT_TOMBSTONE;
143 if (next_state != NULL) {
144 *next_state = OBJECT_REMOVED;
149 if (ldb_msg_check_string_attribute(msg, "isRecycled", "TRUE")) {
150 *current_state = OBJECT_RECYCLED;
151 if (next_state != NULL) {
152 *next_state = OBJECT_REMOVED;
157 *current_state = OBJECT_DELETED;
158 if (next_state != NULL) {
159 *next_state = OBJECT_RECYCLED;
164 *current_state = OBJECT_NOT_DELETED;
165 if (next_state == NULL) {
170 *next_state = OBJECT_DELETED;
172 *next_state = OBJECT_TOMBSTONE;
176 static const struct {
177 const char *update_name;
178 enum urgent_situation repl_situation;
179 } urgent_objects[] = {
180 {"nTDSDSA", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_DELETE)},
181 {"crossRef", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_DELETE)},
182 {"attributeSchema", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
183 {"classSchema", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
184 {"secret", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
185 {"rIDManager", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
189 /* Attributes looked for when updating or deleting, to check for a urgent replication needed */
190 static const char *urgent_attrs[] = {
193 "userAccountControl",
198 static bool replmd_check_urgent_objectclass(const struct ldb_message_element *objectclass_el,
199 enum urgent_situation situation)
202 for (i=0; urgent_objects[i].update_name; i++) {
204 if ((situation & urgent_objects[i].repl_situation) == 0) {
208 for (j=0; j<objectclass_el->num_values; j++) {
209 const struct ldb_val *v = &objectclass_el->values[j];
210 if (ldb_attr_cmp((const char *)v->data, urgent_objects[i].update_name) == 0) {
218 static bool replmd_check_urgent_attribute(const struct ldb_message_element *el)
220 if (ldb_attr_in_list(urgent_attrs, el->name)) {
227 static int replmd_replicated_apply_isDeleted(struct replmd_replicated_request *ar);
230 initialise the module
231 allocate the private structure and build the list
232 of partition DNs for use by replmd_notify()
234 static int replmd_init(struct ldb_module *module)
236 struct replmd_private *replmd_private;
237 struct ldb_context *ldb = ldb_module_get_ctx(module);
239 replmd_private = talloc_zero(module, struct replmd_private);
240 if (replmd_private == NULL) {
242 return LDB_ERR_OPERATIONS_ERROR;
244 ldb_module_set_private(module, replmd_private);
246 replmd_private->schema_dn = ldb_get_schema_basedn(ldb);
248 return ldb_next_init(module);
252 cleanup our per-transaction contexts
254 static void replmd_txn_cleanup(struct replmd_private *replmd_private)
256 talloc_free(replmd_private->la_ctx);
257 replmd_private->la_list = NULL;
258 replmd_private->la_ctx = NULL;
260 talloc_free(replmd_private->bl_ctx);
261 replmd_private->la_backlinks = NULL;
262 replmd_private->bl_ctx = NULL;
267 struct la_backlink *next, *prev;
268 const char *attr_name;
269 struct GUID forward_guid, target_guid;
274 process a backlinks we accumulated during a transaction, adding and
275 deleting the backlinks from the target objects
277 static int replmd_process_backlink(struct ldb_module *module, struct la_backlink *bl, struct ldb_request *parent)
279 struct ldb_dn *target_dn, *source_dn;
281 struct ldb_context *ldb = ldb_module_get_ctx(module);
282 struct ldb_message *msg;
283 TALLOC_CTX *tmp_ctx = talloc_new(bl);
289 - construct ldb_message
290 - either an add or a delete
292 ret = dsdb_module_dn_by_guid(module, tmp_ctx, &bl->target_guid, &target_dn, parent);
293 if (ret != LDB_SUCCESS) {
294 DEBUG(2,(__location__ ": WARNING: Failed to find target DN for linked attribute with GUID %s\n",
295 GUID_string(bl, &bl->target_guid)));
299 ret = dsdb_module_dn_by_guid(module, tmp_ctx, &bl->forward_guid, &source_dn, parent);
300 if (ret != LDB_SUCCESS) {
301 ldb_asprintf_errstring(ldb, "Failed to find source DN for linked attribute with GUID %s\n",
302 GUID_string(bl, &bl->forward_guid));
303 talloc_free(tmp_ctx);
307 msg = ldb_msg_new(tmp_ctx);
309 ldb_module_oom(module);
310 talloc_free(tmp_ctx);
311 return LDB_ERR_OPERATIONS_ERROR;
314 /* construct a ldb_message for adding/deleting the backlink */
316 dn_string = ldb_dn_get_extended_linearized(tmp_ctx, source_dn, 1);
318 ldb_module_oom(module);
319 talloc_free(tmp_ctx);
320 return LDB_ERR_OPERATIONS_ERROR;
322 ret = ldb_msg_add_steal_string(msg, bl->attr_name, dn_string);
323 if (ret != LDB_SUCCESS) {
324 talloc_free(tmp_ctx);
327 msg->elements[0].flags = bl->active?LDB_FLAG_MOD_ADD:LDB_FLAG_MOD_DELETE;
329 /* a backlink should never be single valued. Unfortunately the
330 exchange schema has a attribute
331 msExchBridgeheadedLocalConnectorsDNBL which is single
332 valued and a backlink. We need to cope with that by
333 ignoring the single value flag */
334 msg->elements[0].flags |= LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK;
336 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
337 if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE && !bl->active) {
338 /* we allow LDB_ERR_NO_SUCH_ATTRIBUTE as success to
339 cope with possible corruption where the backlink has
340 already been removed */
341 DEBUG(3,("WARNING: backlink from %s already removed from %s - %s\n",
342 ldb_dn_get_linearized(target_dn),
343 ldb_dn_get_linearized(source_dn),
344 ldb_errstring(ldb)));
346 } else if (ret != LDB_SUCCESS) {
347 ldb_asprintf_errstring(ldb, "Failed to %s backlink from %s to %s - %s",
348 bl->active?"add":"remove",
349 ldb_dn_get_linearized(source_dn),
350 ldb_dn_get_linearized(target_dn),
352 talloc_free(tmp_ctx);
355 talloc_free(tmp_ctx);
360 add a backlink to the list of backlinks to add/delete in the prepare
363 static int replmd_add_backlink(struct ldb_module *module, const struct dsdb_schema *schema,
364 struct GUID *forward_guid, struct GUID *target_guid,
365 bool active, const struct dsdb_attribute *schema_attr, bool immediate)
367 const struct dsdb_attribute *target_attr;
368 struct la_backlink *bl;
369 struct replmd_private *replmd_private =
370 talloc_get_type_abort(ldb_module_get_private(module), struct replmd_private);
372 target_attr = dsdb_attribute_by_linkID(schema, schema_attr->linkID ^ 1);
375 * windows 2003 has a broken schema where the
376 * definition of msDS-IsDomainFor is missing (which is
377 * supposed to be the backlink of the
378 * msDS-HasDomainNCs attribute
383 /* see if its already in the list */
384 for (bl=replmd_private->la_backlinks; bl; bl=bl->next) {
385 if (GUID_equal(forward_guid, &bl->forward_guid) &&
386 GUID_equal(target_guid, &bl->target_guid) &&
387 (target_attr->lDAPDisplayName == bl->attr_name ||
388 strcmp(target_attr->lDAPDisplayName, bl->attr_name) == 0)) {
394 /* we found an existing one */
395 if (bl->active == active) {
398 DLIST_REMOVE(replmd_private->la_backlinks, bl);
403 if (replmd_private->bl_ctx == NULL) {
404 replmd_private->bl_ctx = talloc_new(replmd_private);
405 if (replmd_private->bl_ctx == NULL) {
406 ldb_module_oom(module);
407 return LDB_ERR_OPERATIONS_ERROR;
412 bl = talloc(replmd_private->bl_ctx, struct la_backlink);
414 ldb_module_oom(module);
415 return LDB_ERR_OPERATIONS_ERROR;
418 /* Ensure the schema does not go away before the bl->attr_name is used */
419 if (!talloc_reference(bl, schema)) {
421 ldb_module_oom(module);
422 return LDB_ERR_OPERATIONS_ERROR;
425 bl->attr_name = target_attr->lDAPDisplayName;
426 bl->forward_guid = *forward_guid;
427 bl->target_guid = *target_guid;
430 /* the caller may ask for this backlink to be processed
433 int ret = replmd_process_backlink(module, bl, NULL);
438 DLIST_ADD(replmd_private->la_backlinks, bl);
445 * Callback for most write operations in this module:
447 * notify the repl task that a object has changed. The notifies are
448 * gathered up in the replmd_private structure then written to the
449 * @REPLCHANGED object in each partition during the prepare_commit
451 static int replmd_op_callback(struct ldb_request *req, struct ldb_reply *ares)
454 struct replmd_replicated_request *ac =
455 talloc_get_type_abort(req->context, struct replmd_replicated_request);
456 struct replmd_private *replmd_private =
457 talloc_get_type_abort(ldb_module_get_private(ac->module), struct replmd_private);
458 struct nc_entry *modified_partition;
459 struct ldb_control *partition_ctrl;
460 const struct dsdb_control_current_partition *partition;
462 struct ldb_control **controls;
464 partition_ctrl = ldb_reply_get_control(ares, DSDB_CONTROL_CURRENT_PARTITION_OID);
466 controls = ares->controls;
467 if (ldb_request_get_control(ac->req,
468 DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
470 * Remove the current partition control from what we pass up
471 * the chain if it hasn't been requested manually.
473 controls = ldb_controls_except_specified(ares->controls, ares,
477 if (ares->error != LDB_SUCCESS) {
478 DEBUG(5,("%s failure. Error is: %s\n", __FUNCTION__, ldb_strerror(ares->error)));
479 return ldb_module_done(ac->req, controls,
480 ares->response, ares->error);
483 if (ares->type != LDB_REPLY_DONE) {
484 ldb_set_errstring(ldb_module_get_ctx(ac->module), "Invalid reply type for notify\n!");
485 return ldb_module_done(ac->req, NULL,
486 NULL, LDB_ERR_OPERATIONS_ERROR);
489 if (!partition_ctrl) {
490 ldb_set_errstring(ldb_module_get_ctx(ac->module),"No partition control on reply");
491 return ldb_module_done(ac->req, NULL,
492 NULL, LDB_ERR_OPERATIONS_ERROR);
495 partition = talloc_get_type_abort(partition_ctrl->data,
496 struct dsdb_control_current_partition);
498 if (ac->seq_num > 0) {
499 for (modified_partition = replmd_private->ncs; modified_partition;
500 modified_partition = modified_partition->next) {
501 if (ldb_dn_compare(modified_partition->dn, partition->dn) == 0) {
506 if (modified_partition == NULL) {
507 modified_partition = talloc_zero(replmd_private, struct nc_entry);
508 if (!modified_partition) {
509 ldb_oom(ldb_module_get_ctx(ac->module));
510 return ldb_module_done(ac->req, NULL,
511 NULL, LDB_ERR_OPERATIONS_ERROR);
513 modified_partition->dn = ldb_dn_copy(modified_partition, partition->dn);
514 if (!modified_partition->dn) {
515 ldb_oom(ldb_module_get_ctx(ac->module));
516 return ldb_module_done(ac->req, NULL,
517 NULL, LDB_ERR_OPERATIONS_ERROR);
519 DLIST_ADD(replmd_private->ncs, modified_partition);
522 if (ac->seq_num > modified_partition->mod_usn) {
523 modified_partition->mod_usn = ac->seq_num;
525 modified_partition->mod_usn_urgent = ac->seq_num;
530 if (ac->apply_mode) {
531 ret = replmd_replicated_apply_isDeleted(ac);
532 if (ret != LDB_SUCCESS) {
533 return ldb_module_done(ac->req, NULL, NULL, ret);
537 /* free the partition control container here, for the
538 * common path. Other cases will have it cleaned up
539 * eventually with the ares */
540 talloc_free(partition_ctrl);
541 return ldb_module_done(ac->req, controls,
542 ares->response, LDB_SUCCESS);
548 * update a @REPLCHANGED record in each partition if there have been
549 * any writes of replicated data in the partition
551 static int replmd_notify_store(struct ldb_module *module, struct ldb_request *parent)
553 struct replmd_private *replmd_private =
554 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
556 while (replmd_private->ncs) {
558 struct nc_entry *modified_partition = replmd_private->ncs;
560 ret = dsdb_module_save_partition_usn(module, modified_partition->dn,
561 modified_partition->mod_usn,
562 modified_partition->mod_usn_urgent, parent);
563 if (ret != LDB_SUCCESS) {
564 DEBUG(0,(__location__ ": Failed to save partition uSN for %s\n",
565 ldb_dn_get_linearized(modified_partition->dn)));
568 DLIST_REMOVE(replmd_private->ncs, modified_partition);
569 talloc_free(modified_partition);
577 created a replmd_replicated_request context
579 static struct replmd_replicated_request *replmd_ctx_init(struct ldb_module *module,
580 struct ldb_request *req)
582 struct ldb_context *ldb;
583 struct replmd_replicated_request *ac;
584 const struct GUID *our_invocation_id;
586 ldb = ldb_module_get_ctx(module);
588 ac = talloc_zero(req, struct replmd_replicated_request);
597 ac->schema = dsdb_get_schema(ldb, ac);
599 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
600 "replmd_modify: no dsdb_schema loaded");
601 DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
606 /* get our invocationId */
607 our_invocation_id = samdb_ntds_invocation_id(ldb);
608 if (!our_invocation_id) {
609 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
610 "replmd_add: unable to find invocationId\n");
614 ac->our_invocation_id = *our_invocation_id;
620 add a time element to a record
622 static int add_time_element(struct ldb_message *msg, const char *attr, time_t t)
624 struct ldb_message_element *el;
628 if (ldb_msg_find_element(msg, attr) != NULL) {
632 s = ldb_timestring(msg, t);
634 return LDB_ERR_OPERATIONS_ERROR;
637 ret = ldb_msg_add_string(msg, attr, s);
638 if (ret != LDB_SUCCESS) {
642 el = ldb_msg_find_element(msg, attr);
643 /* always set as replace. This works because on add ops, the flag
645 el->flags = LDB_FLAG_MOD_REPLACE;
651 add a uint64_t element to a record
653 static int add_uint64_element(struct ldb_context *ldb, struct ldb_message *msg,
654 const char *attr, uint64_t v)
656 struct ldb_message_element *el;
659 if (ldb_msg_find_element(msg, attr) != NULL) {
663 ret = samdb_msg_add_uint64(ldb, msg, msg, attr, v);
664 if (ret != LDB_SUCCESS) {
668 el = ldb_msg_find_element(msg, attr);
669 /* always set as replace. This works because on add ops, the flag
671 el->flags = LDB_FLAG_MOD_REPLACE;
676 static int replmd_replPropertyMetaData1_attid_sort(const struct replPropertyMetaData1 *m1,
677 const struct replPropertyMetaData1 *m2,
678 const uint32_t *rdn_attid)
681 * This assignment seems inoccous, but it is critical for the
682 * system, as we need to do the comparisons as a unsigned
683 * quantity, not signed (enums are signed integers)
685 uint32_t attid_1 = m1->attid;
686 uint32_t attid_2 = m2->attid;
688 if (attid_1 == attid_2) {
693 * See above regarding this being an unsigned comparison.
694 * Otherwise when the high bit is set on non-standard
695 * attributes, they would end up first, before objectClass
698 return attid_1 > attid_2 ? 1 : -1;
701 static int replmd_replPropertyMetaDataCtr1_verify(struct ldb_context *ldb,
702 struct replPropertyMetaDataCtr1 *ctr1,
705 if (ctr1->count == 0) {
706 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
707 "No elements found in replPropertyMetaData for %s!\n",
708 ldb_dn_get_linearized(dn));
709 return LDB_ERR_CONSTRAINT_VIOLATION;
712 /* the objectClass attribute is value 0x00000000, so must be first */
713 if (ctr1->array[0].attid != DRSUAPI_ATTID_objectClass) {
714 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
715 "No objectClass found in replPropertyMetaData for %s!\n",
716 ldb_dn_get_linearized(dn));
717 return LDB_ERR_OBJECT_CLASS_VIOLATION;
723 static int replmd_replPropertyMetaDataCtr1_sort_and_verify(struct ldb_context *ldb,
724 struct replPropertyMetaDataCtr1 *ctr1,
727 /* Note this is O(n^2) for the almost-sorted case, which this is */
728 LDB_TYPESAFE_QSORT(ctr1->array, ctr1->count, NULL,
729 replmd_replPropertyMetaData1_attid_sort);
730 return replmd_replPropertyMetaDataCtr1_verify(ldb, ctr1, dn);
733 static int replmd_ldb_message_element_attid_sort(const struct ldb_message_element *e1,
734 const struct ldb_message_element *e2,
735 const struct dsdb_schema *schema)
737 const struct dsdb_attribute *a1;
738 const struct dsdb_attribute *a2;
741 * TODO: make this faster by caching the dsdb_attribute pointer
742 * on the ldb_messag_element
745 a1 = dsdb_attribute_by_lDAPDisplayName(schema, e1->name);
746 a2 = dsdb_attribute_by_lDAPDisplayName(schema, e2->name);
749 * TODO: remove this check, we should rely on e1 and e2 having valid attribute names
753 return strcasecmp(e1->name, e2->name);
755 if (a1->attributeID_id == a2->attributeID_id) {
758 return a1->attributeID_id > a2->attributeID_id ? 1 : -1;
761 static void replmd_ldb_message_sort(struct ldb_message *msg,
762 const struct dsdb_schema *schema)
764 LDB_TYPESAFE_QSORT(msg->elements, msg->num_elements, schema, replmd_ldb_message_element_attid_sort);
767 static int replmd_build_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
768 const struct GUID *invocation_id, uint64_t seq_num,
769 uint64_t local_usn, NTTIME nttime, uint32_t version, bool deleted);
773 fix up linked attributes in replmd_add.
774 This involves setting up the right meta-data in extended DN
775 components, and creating backlinks to the object
777 static int replmd_add_fix_la(struct ldb_module *module, struct ldb_message_element *el,
778 uint64_t seq_num, const struct GUID *invocationId, time_t t,
779 struct GUID *guid, const struct dsdb_attribute *sa, struct ldb_request *parent)
782 TALLOC_CTX *tmp_ctx = talloc_new(el->values);
783 struct ldb_context *ldb = ldb_module_get_ctx(module);
785 /* We will take a reference to the schema in replmd_add_backlink */
786 const struct dsdb_schema *schema = dsdb_get_schema(ldb, NULL);
789 unix_to_nt_time(&now, t);
791 for (i=0; i<el->num_values; i++) {
792 struct ldb_val *v = &el->values[i];
793 struct dsdb_dn *dsdb_dn = dsdb_dn_parse(tmp_ctx, ldb, v, sa->syntax->ldap_oid);
794 struct GUID target_guid;
798 /* note that the DN already has the extended
799 components from the extended_dn_store module */
800 status = dsdb_get_extended_dn_guid(dsdb_dn->dn, &target_guid, "GUID");
801 if (!NT_STATUS_IS_OK(status) || GUID_all_zero(&target_guid)) {
802 ret = dsdb_module_guid_by_dn(module, dsdb_dn->dn, &target_guid, parent);
803 if (ret != LDB_SUCCESS) {
804 talloc_free(tmp_ctx);
807 ret = dsdb_set_extended_dn_guid(dsdb_dn->dn, &target_guid, "GUID");
808 if (ret != LDB_SUCCESS) {
809 talloc_free(tmp_ctx);
814 ret = replmd_build_la_val(el->values, v, dsdb_dn, invocationId,
815 seq_num, seq_num, now, 0, false);
816 if (ret != LDB_SUCCESS) {
817 talloc_free(tmp_ctx);
821 ret = replmd_add_backlink(module, schema, guid, &target_guid, true, sa, false);
822 if (ret != LDB_SUCCESS) {
823 talloc_free(tmp_ctx);
828 talloc_free(tmp_ctx);
834 intercept add requests
836 static int replmd_add(struct ldb_module *module, struct ldb_request *req)
838 struct samldb_msds_intid_persistant *msds_intid_struct;
839 struct ldb_context *ldb;
840 struct ldb_control *control;
841 struct replmd_replicated_request *ac;
842 enum ndr_err_code ndr_err;
843 struct ldb_request *down_req;
844 struct ldb_message *msg;
845 const DATA_BLOB *guid_blob;
847 struct replPropertyMetaDataBlob nmd;
848 struct ldb_val nmd_value;
851 * The use of a time_t here seems odd, but as the NTTIME
852 * elements are actually declared as NTTIME_1sec in the IDL,
853 * getting a higher resolution timestamp is not required.
855 time_t t = time(NULL);
860 unsigned int functional_level;
862 bool allow_add_guid = false;
863 bool remove_current_guid = false;
864 bool is_urgent = false;
865 bool is_schema_nc = false;
866 struct ldb_message_element *objectclass_el;
867 struct replmd_private *replmd_private =
868 talloc_get_type_abort(ldb_module_get_private(module), struct replmd_private);
870 /* check if there's a show relax control (used by provision to say 'I know what I'm doing') */
871 control = ldb_request_get_control(req, LDB_CONTROL_RELAX_OID);
873 allow_add_guid = true;
876 /* do not manipulate our control entries */
877 if (ldb_dn_is_special(req->op.add.message->dn)) {
878 return ldb_next_request(module, req);
881 ldb = ldb_module_get_ctx(module);
883 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_add\n");
885 guid_blob = ldb_msg_find_ldb_val(req->op.add.message, "objectGUID");
886 if (guid_blob != NULL) {
887 if (!allow_add_guid) {
888 ldb_set_errstring(ldb,
889 "replmd_add: it's not allowed to add an object with objectGUID!");
890 return LDB_ERR_UNWILLING_TO_PERFORM;
892 NTSTATUS status = GUID_from_data_blob(guid_blob,&guid);
893 if (!NT_STATUS_IS_OK(status)) {
894 ldb_set_errstring(ldb,
895 "replmd_add: Unable to parse the 'objectGUID' as a GUID!");
896 return LDB_ERR_UNWILLING_TO_PERFORM;
898 /* we remove this attribute as it can be a string and
899 * will not be treated correctly and then we will re-add
900 * it later on in the good format */
901 remove_current_guid = true;
905 guid = GUID_random();
908 ac = replmd_ctx_init(module, req);
910 return ldb_module_oom(module);
913 functional_level = dsdb_functional_level(ldb);
915 /* Get a sequence number from the backend */
916 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ac->seq_num);
917 if (ret != LDB_SUCCESS) {
922 /* we have to copy the message as the caller might have it as a const */
923 msg = ldb_msg_copy_shallow(ac, req->op.add.message);
927 return LDB_ERR_OPERATIONS_ERROR;
930 /* generated times */
931 unix_to_nt_time(&now, t);
932 time_str = ldb_timestring(msg, t);
936 return LDB_ERR_OPERATIONS_ERROR;
938 if (remove_current_guid) {
939 ldb_msg_remove_attr(msg,"objectGUID");
943 * remove autogenerated attributes
945 ldb_msg_remove_attr(msg, "whenCreated");
946 ldb_msg_remove_attr(msg, "whenChanged");
947 ldb_msg_remove_attr(msg, "uSNCreated");
948 ldb_msg_remove_attr(msg, "uSNChanged");
949 ldb_msg_remove_attr(msg, "replPropertyMetaData");
952 * readd replicated attributes
954 ret = ldb_msg_add_string(msg, "whenCreated", time_str);
955 if (ret != LDB_SUCCESS) {
961 /* build the replication meta_data */
964 nmd.ctr.ctr1.count = msg->num_elements;
965 nmd.ctr.ctr1.array = talloc_array(msg,
966 struct replPropertyMetaData1,
968 if (!nmd.ctr.ctr1.array) {
971 return LDB_ERR_OPERATIONS_ERROR;
974 is_schema_nc = ldb_dn_compare_base(replmd_private->schema_dn, msg->dn) == 0;
976 for (i=0; i < msg->num_elements; i++) {
977 struct ldb_message_element *e = &msg->elements[i];
978 struct replPropertyMetaData1 *m = &nmd.ctr.ctr1.array[ni];
979 const struct dsdb_attribute *sa;
981 if (e->name[0] == '@') continue;
983 sa = dsdb_attribute_by_lDAPDisplayName(ac->schema, e->name);
985 ldb_debug_set(ldb, LDB_DEBUG_ERROR,
986 "replmd_add: attribute '%s' not defined in schema\n",
989 return LDB_ERR_NO_SUCH_ATTRIBUTE;
992 if ((sa->systemFlags & DS_FLAG_ATTR_NOT_REPLICATED) || (sa->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED)) {
993 /* if the attribute is not replicated (0x00000001)
994 * or constructed (0x00000004) it has no metadata
999 if (sa->linkID != 0 && functional_level > DS_DOMAIN_FUNCTION_2000) {
1000 ret = replmd_add_fix_la(module, e, ac->seq_num, &ac->our_invocation_id, t, &guid, sa, req);
1001 if (ret != LDB_SUCCESS) {
1005 /* linked attributes are not stored in
1006 replPropertyMetaData in FL above w2k */
1010 m->attid = dsdb_attribute_get_attid(sa, is_schema_nc);
1012 if (m->attid == DRSUAPI_ATTID_isDeleted) {
1013 const struct ldb_val *rdn_val = ldb_dn_get_rdn_val(msg->dn);
1016 if (rdn_val == NULL) {
1019 return LDB_ERR_OPERATIONS_ERROR;
1022 rdn = (const char*)rdn_val->data;
1023 if (strcmp(rdn, "Deleted Objects") == 0) {
1025 * Set the originating_change_time to 29/12/9999 at 23:59:59
1026 * as specified in MS-ADTS 7.1.1.4.2 Deleted Objects Container
1028 m->originating_change_time = DELETED_OBJECT_CONTAINER_CHANGE_TIME;
1030 m->originating_change_time = now;
1033 m->originating_change_time = now;
1035 m->originating_invocation_id = ac->our_invocation_id;
1036 m->originating_usn = ac->seq_num;
1037 m->local_usn = ac->seq_num;
1041 /* fix meta data count */
1042 nmd.ctr.ctr1.count = ni;
1045 * sort meta data array
1047 ret = replmd_replPropertyMetaDataCtr1_sort_and_verify(ldb, &nmd.ctr.ctr1, msg->dn);
1048 if (ret != LDB_SUCCESS) {
1049 ldb_asprintf_errstring(ldb, "%s: error during direct ADD: %s", __func__, ldb_errstring(ldb));
1054 /* generated NDR encoded values */
1055 ndr_err = ndr_push_struct_blob(&nmd_value, msg,
1057 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
1058 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1061 return LDB_ERR_OPERATIONS_ERROR;
1065 * add the autogenerated values
1067 ret = dsdb_msg_add_guid(msg, &guid, "objectGUID");
1068 if (ret != LDB_SUCCESS) {
1073 ret = ldb_msg_add_string(msg, "whenChanged", time_str);
1074 if (ret != LDB_SUCCESS) {
1079 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNCreated", ac->seq_num);
1080 if (ret != LDB_SUCCESS) {
1085 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNChanged", ac->seq_num);
1086 if (ret != LDB_SUCCESS) {
1091 ret = ldb_msg_add_value(msg, "replPropertyMetaData", &nmd_value, NULL);
1092 if (ret != LDB_SUCCESS) {
1099 * sort the attributes by attid before storing the object
1101 replmd_ldb_message_sort(msg, ac->schema);
1104 * Assert that we do have an objectClass
1106 objectclass_el = ldb_msg_find_element(msg, "objectClass");
1107 if (objectclass_el == NULL) {
1108 ldb_asprintf_errstring(ldb, __location__
1109 ": objectClass missing on %s\n",
1110 ldb_dn_get_linearized(msg->dn));
1112 return LDB_ERR_OBJECT_CLASS_VIOLATION;
1114 is_urgent = replmd_check_urgent_objectclass(objectclass_el,
1115 REPL_URGENT_ON_CREATE);
1117 ac->is_urgent = is_urgent;
1118 ret = ldb_build_add_req(&down_req, ldb, ac,
1121 ac, replmd_op_callback,
1124 LDB_REQ_SET_LOCATION(down_req);
1125 if (ret != LDB_SUCCESS) {
1130 /* current partition control is needed by "replmd_op_callback" */
1131 if (ldb_request_get_control(req, DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
1132 ret = ldb_request_add_control(down_req,
1133 DSDB_CONTROL_CURRENT_PARTITION_OID,
1135 if (ret != LDB_SUCCESS) {
1141 if (functional_level == DS_DOMAIN_FUNCTION_2000) {
1142 ret = ldb_request_add_control(down_req, DSDB_CONTROL_APPLY_LINKS, false, NULL);
1143 if (ret != LDB_SUCCESS) {
1149 /* mark the control done */
1151 control->critical = 0;
1153 if (ldb_dn_compare_base(replmd_private->schema_dn, req->op.add.message->dn) != 0) {
1155 /* Update the usn in the SAMLDB_MSDS_INTID_OPAQUE opaque */
1156 msds_intid_struct = (struct samldb_msds_intid_persistant *) ldb_get_opaque(ldb, SAMLDB_MSDS_INTID_OPAQUE);
1157 if (msds_intid_struct) {
1158 msds_intid_struct->usn = ac->seq_num;
1161 /* go on with the call chain */
1162 return ldb_next_request(module, down_req);
1167 * update the replPropertyMetaData for one element
1169 static int replmd_update_rpmd_element(struct ldb_context *ldb,
1170 struct ldb_message *msg,
1171 struct ldb_message_element *el,
1172 struct ldb_message_element *old_el,
1173 struct replPropertyMetaDataBlob *omd,
1174 const struct dsdb_schema *schema,
1176 const struct GUID *our_invocation_id,
1179 struct ldb_request *req)
1182 const struct dsdb_attribute *a;
1183 struct replPropertyMetaData1 *md1;
1184 bool may_skip = false;
1187 a = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
1189 if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID)) {
1190 /* allow this to make it possible for dbcheck
1191 to remove bad attributes */
1195 DEBUG(0,(__location__ ": Unable to find attribute %s in schema\n",
1197 return LDB_ERR_OPERATIONS_ERROR;
1200 attid = dsdb_attribute_get_attid(a, is_schema_nc);
1202 if ((a->systemFlags & DS_FLAG_ATTR_NOT_REPLICATED) || (a->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED)) {
1207 * if the attribute's value haven't changed, and this isn't
1208 * just a delete of everything then return LDB_SUCCESS Unless
1209 * we have the provision control or if the attribute is
1210 * interSiteTopologyGenerator as this page explain:
1211 * http://support.microsoft.com/kb/224815 this attribute is
1212 * periodicaly written by the DC responsible for the intersite
1213 * generation in a given site
1215 * Unchanged could be deleting or replacing an already-gone
1216 * thing with an unconstrained delete/empty replace or a
1217 * replace with the same value, but not an add with the same
1218 * value because that could be about adding a duplicate (which
1219 * is for someone else to error out on).
1221 if (old_el != NULL && ldb_msg_element_equal_ordered(el, old_el)) {
1222 if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_REPLACE) {
1225 } else if (old_el == NULL && el->num_values == 0) {
1226 if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_REPLACE) {
1228 } else if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE) {
1234 if (strcmp(el->name, "interSiteTopologyGenerator") != 0 &&
1235 !ldb_request_get_control(req, LDB_CONTROL_PROVISION_OID)) {
1237 * allow this to make it possible for dbcheck
1238 * to rebuild broken metadata
1244 for (i=0; i<omd->ctr.ctr1.count; i++) {
1246 * First check if we find it under the msDS-IntID,
1247 * then check if we find it under the OID and
1250 * This allows the administrator to simply re-write
1251 * the attributes and so restore replication, which is
1252 * likely what they will try to do.
1254 if (attid == omd->ctr.ctr1.array[i].attid) {
1258 if (a->attributeID_id == omd->ctr.ctr1.array[i].attid) {
1263 if (a->linkID != 0 && dsdb_functional_level(ldb) > DS_DOMAIN_FUNCTION_2000) {
1264 /* linked attributes are not stored in
1265 replPropertyMetaData in FL above w2k, but we do
1266 raise the seqnum for the object */
1267 if (*seq_num == 0 &&
1268 ldb_sequence_number(ldb, LDB_SEQ_NEXT, seq_num) != LDB_SUCCESS) {
1269 return LDB_ERR_OPERATIONS_ERROR;
1274 if (i == omd->ctr.ctr1.count) {
1275 /* we need to add a new one */
1276 omd->ctr.ctr1.array = talloc_realloc(msg, omd->ctr.ctr1.array,
1277 struct replPropertyMetaData1, omd->ctr.ctr1.count+1);
1278 if (omd->ctr.ctr1.array == NULL) {
1280 return LDB_ERR_OPERATIONS_ERROR;
1282 omd->ctr.ctr1.count++;
1283 ZERO_STRUCT(omd->ctr.ctr1.array[i]);
1286 /* Get a new sequence number from the backend. We only do this
1287 * if we have a change that requires a new
1288 * replPropertyMetaData element
1290 if (*seq_num == 0) {
1291 int ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, seq_num);
1292 if (ret != LDB_SUCCESS) {
1293 return LDB_ERR_OPERATIONS_ERROR;
1297 md1 = &omd->ctr.ctr1.array[i];
1300 if (md1->attid == DRSUAPI_ATTID_isDeleted) {
1301 const struct ldb_val *rdn_val = ldb_dn_get_rdn_val(msg->dn);
1304 if (rdn_val == NULL) {
1306 return LDB_ERR_OPERATIONS_ERROR;
1309 rdn = (const char*)rdn_val->data;
1310 if (strcmp(rdn, "Deleted Objects") == 0) {
1312 * Set the originating_change_time to 29/12/9999 at 23:59:59
1313 * as specified in MS-ADTS 7.1.1.4.2 Deleted Objects Container
1315 md1->originating_change_time = DELETED_OBJECT_CONTAINER_CHANGE_TIME;
1317 md1->originating_change_time = now;
1320 md1->originating_change_time = now;
1322 md1->originating_invocation_id = *our_invocation_id;
1323 md1->originating_usn = *seq_num;
1324 md1->local_usn = *seq_num;
1330 * Bump the replPropertyMetaData version on an attribute, and if it
1331 * has changed (or forced by leaving rdn_old NULL), update the value
1334 * This is important, as calling a modify operation may not change the
1335 * version number if the values appear unchanged, but a rename between
1336 * parents bumps this value.
1339 static int replmd_update_rpmd_rdn_attr(struct ldb_context *ldb,
1340 struct ldb_message *msg,
1341 const struct ldb_val *rdn_new,
1342 const struct ldb_val *rdn_old,
1343 struct replPropertyMetaDataBlob *omd,
1344 struct replmd_replicated_request *ar,
1348 struct ldb_message_element new_el = {
1349 .flags = LDB_FLAG_MOD_REPLACE,
1350 .name = ldb_dn_get_rdn_name(msg->dn),
1352 .values = discard_const_p(struct ldb_val, rdn_new)
1354 struct ldb_message_element old_el = {
1355 .flags = LDB_FLAG_MOD_REPLACE,
1356 .name = ldb_dn_get_rdn_name(msg->dn),
1357 .num_values = rdn_old ? 1 : 0,
1358 .values = discard_const_p(struct ldb_val, rdn_old)
1361 if (ldb_msg_element_equal_ordered(&new_el, &old_el) == false) {
1362 int ret = ldb_msg_add(msg, &new_el, LDB_FLAG_MOD_REPLACE);
1363 if (ret != LDB_SUCCESS) {
1364 return ldb_oom(ldb);
1368 return replmd_update_rpmd_element(ldb, msg, &new_el, NULL,
1369 omd, ar->schema, &ar->seq_num,
1370 &ar->our_invocation_id,
1371 now, is_schema_nc, ar->req);
1375 static uint64_t find_max_local_usn(struct replPropertyMetaDataBlob omd)
1377 uint32_t count = omd.ctr.ctr1.count;
1380 for (i=0; i < count; i++) {
1381 struct replPropertyMetaData1 m = omd.ctr.ctr1.array[i];
1382 if (max < m.local_usn) {
1390 * update the replPropertyMetaData object each time we modify an
1391 * object. This is needed for DRS replication, as the merge on the
1392 * client is based on this object
1394 static int replmd_update_rpmd(struct ldb_module *module,
1395 const struct dsdb_schema *schema,
1396 struct ldb_request *req,
1397 const char * const *rename_attrs,
1398 struct ldb_message *msg, uint64_t *seq_num,
1399 time_t t, bool is_schema_nc,
1400 bool *is_urgent, bool *rodc)
1402 const struct ldb_val *omd_value;
1403 enum ndr_err_code ndr_err;
1404 struct replPropertyMetaDataBlob omd;
1407 const struct GUID *our_invocation_id;
1409 const char * const *attrs = NULL;
1410 const char * const attrs2[] = { "uSNChanged", "objectClass", "instanceType", NULL };
1411 struct ldb_result *res;
1412 struct ldb_context *ldb;
1413 struct ldb_message_element *objectclass_el;
1414 enum urgent_situation situation;
1415 bool rmd_is_provided;
1416 bool rmd_is_just_resorted = false;
1417 const char *not_rename_attrs[4 + msg->num_elements];
1420 attrs = rename_attrs;
1422 for (i = 0; i < msg->num_elements; i++) {
1423 not_rename_attrs[i] = msg->elements[i].name;
1425 not_rename_attrs[i] = "replPropertyMetaData";
1426 not_rename_attrs[i+1] = "objectClass";
1427 not_rename_attrs[i+2] = "instanceType";
1428 not_rename_attrs[i+3] = NULL;
1429 attrs = not_rename_attrs;
1432 ldb = ldb_module_get_ctx(module);
1434 our_invocation_id = samdb_ntds_invocation_id(ldb);
1435 if (!our_invocation_id) {
1436 /* this happens during an initial vampire while
1437 updating the schema */
1438 DEBUG(5,("No invocationID - skipping replPropertyMetaData update\n"));
1442 unix_to_nt_time(&now, t);
1444 if (ldb_request_get_control(req, DSDB_CONTROL_CHANGEREPLMETADATA_OID)) {
1445 rmd_is_provided = true;
1446 if (ldb_request_get_control(req, DSDB_CONTROL_CHANGEREPLMETADATA_RESORT_OID)) {
1447 rmd_is_just_resorted = true;
1450 rmd_is_provided = false;
1453 /* if isDeleted is present and is TRUE, then we consider we are deleting,
1454 * otherwise we consider we are updating */
1455 if (ldb_msg_check_string_attribute(msg, "isDeleted", "TRUE")) {
1456 situation = REPL_URGENT_ON_DELETE;
1457 } else if (rename_attrs) {
1458 situation = REPL_URGENT_ON_CREATE | REPL_URGENT_ON_DELETE;
1460 situation = REPL_URGENT_ON_UPDATE;
1463 if (rmd_is_provided) {
1464 /* In this case the change_replmetadata control was supplied */
1465 /* We check that it's the only attribute that is provided
1466 * (it's a rare case so it's better to keep the code simplier)
1467 * We also check that the highest local_usn is bigger or the same as
1470 if( msg->num_elements != 1 ||
1471 strncmp(msg->elements[0].name,
1472 "replPropertyMetaData", 20) ) {
1473 DEBUG(0,(__location__ ": changereplmetada control called without "\
1474 "a specified replPropertyMetaData attribute or with others\n"));
1475 return LDB_ERR_OPERATIONS_ERROR;
1477 if (situation != REPL_URGENT_ON_UPDATE) {
1478 DEBUG(0,(__location__ ": changereplmetada control can't be called when deleting an object\n"));
1479 return LDB_ERR_OPERATIONS_ERROR;
1481 omd_value = ldb_msg_find_ldb_val(msg, "replPropertyMetaData");
1483 DEBUG(0,(__location__ ": replPropertyMetaData was not specified for Object %s\n",
1484 ldb_dn_get_linearized(msg->dn)));
1485 return LDB_ERR_OPERATIONS_ERROR;
1487 ndr_err = ndr_pull_struct_blob(omd_value, msg, &omd,
1488 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
1489 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1490 DEBUG(0,(__location__ ": Failed to parse replPropertyMetaData for %s\n",
1491 ldb_dn_get_linearized(msg->dn)));
1492 return LDB_ERR_OPERATIONS_ERROR;
1495 ret = dsdb_module_search_dn(module, msg, &res, msg->dn, attrs2,
1496 DSDB_FLAG_NEXT_MODULE |
1497 DSDB_SEARCH_SHOW_RECYCLED |
1498 DSDB_SEARCH_SHOW_EXTENDED_DN |
1499 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
1500 DSDB_SEARCH_REVEAL_INTERNALS, req);
1502 if (ret != LDB_SUCCESS) {
1506 if (rmd_is_just_resorted == false) {
1507 *seq_num = find_max_local_usn(omd);
1509 db_seq = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNChanged", 0);
1512 * The test here now allows for a new
1513 * replPropertyMetaData with no change, if was
1514 * just dbcheck re-sorting the values.
1516 if (*seq_num <= db_seq) {
1517 DEBUG(0,(__location__ ": changereplmetada control provided but max(local_usn)" \
1518 " is less than uSNChanged (max = %lld uSNChanged = %lld)\n",
1519 (long long)*seq_num, (long long)db_seq));
1520 return LDB_ERR_OPERATIONS_ERROR;
1525 /* search for the existing replPropertyMetaDataBlob. We need
1526 * to use REVEAL and ask for DNs in storage format to support
1527 * the check for values being the same in
1528 * replmd_update_rpmd_element()
1530 ret = dsdb_module_search_dn(module, msg, &res, msg->dn, attrs,
1531 DSDB_FLAG_NEXT_MODULE |
1532 DSDB_SEARCH_SHOW_RECYCLED |
1533 DSDB_SEARCH_SHOW_EXTENDED_DN |
1534 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
1535 DSDB_SEARCH_REVEAL_INTERNALS, req);
1536 if (ret != LDB_SUCCESS) {
1540 omd_value = ldb_msg_find_ldb_val(res->msgs[0], "replPropertyMetaData");
1542 DEBUG(0,(__location__ ": Object %s does not have a replPropertyMetaData attribute\n",
1543 ldb_dn_get_linearized(msg->dn)));
1544 return LDB_ERR_OPERATIONS_ERROR;
1547 ndr_err = ndr_pull_struct_blob(omd_value, msg, &omd,
1548 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
1549 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1550 DEBUG(0,(__location__ ": Failed to parse replPropertyMetaData for %s\n",
1551 ldb_dn_get_linearized(msg->dn)));
1552 return LDB_ERR_OPERATIONS_ERROR;
1555 if (omd.version != 1) {
1556 DEBUG(0,(__location__ ": bad version %u in replPropertyMetaData for %s\n",
1557 omd.version, ldb_dn_get_linearized(msg->dn)));
1558 return LDB_ERR_OPERATIONS_ERROR;
1561 for (i=0; i<msg->num_elements; i++) {
1562 struct ldb_message_element *old_el;
1563 old_el = ldb_msg_find_element(res->msgs[0], msg->elements[i].name);
1564 ret = replmd_update_rpmd_element(ldb, msg, &msg->elements[i], old_el, &omd, schema, seq_num,
1568 if (ret != LDB_SUCCESS) {
1572 if (!*is_urgent && (situation == REPL_URGENT_ON_UPDATE)) {
1573 *is_urgent = replmd_check_urgent_attribute(&msg->elements[i]);
1580 * Assert that we have an objectClass attribute - this is major
1581 * corruption if we don't have this!
1583 objectclass_el = ldb_msg_find_element(res->msgs[0], "objectClass");
1584 if (objectclass_el != NULL) {
1586 * Now check if this objectClass means we need to do urgent replication
1588 if (!*is_urgent && replmd_check_urgent_objectclass(objectclass_el,
1592 } else if (!ldb_request_get_control(req, DSDB_CONTROL_DBCHECK)) {
1593 ldb_asprintf_errstring(ldb, __location__
1594 ": objectClass missing on %s\n",
1595 ldb_dn_get_linearized(msg->dn));
1596 return LDB_ERR_OBJECT_CLASS_VIOLATION;
1600 * replmd_update_rpmd_element has done an update if the
1603 if (*seq_num != 0 || rmd_is_just_resorted == true) {
1604 struct ldb_val *md_value;
1605 struct ldb_message_element *el;
1607 /*if we are RODC and this is a DRSR update then its ok*/
1608 if (!ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)
1609 && !ldb_request_get_control(req, DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA)) {
1610 unsigned instanceType;
1612 ret = samdb_rodc(ldb, rodc);
1613 if (ret != LDB_SUCCESS) {
1614 DEBUG(4, (__location__ ": unable to tell if we are an RODC\n"));
1616 ldb_set_errstring(ldb, "RODC modify is forbidden!");
1617 return LDB_ERR_REFERRAL;
1620 instanceType = ldb_msg_find_attr_as_uint(res->msgs[0], "instanceType", INSTANCE_TYPE_WRITE);
1621 if (!(instanceType & INSTANCE_TYPE_WRITE)) {
1622 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM,
1623 "cannot change replicated attribute on partial replica");
1627 md_value = talloc(msg, struct ldb_val);
1628 if (md_value == NULL) {
1630 return LDB_ERR_OPERATIONS_ERROR;
1633 ret = replmd_replPropertyMetaDataCtr1_sort_and_verify(ldb, &omd.ctr.ctr1, msg->dn);
1634 if (ret != LDB_SUCCESS) {
1635 ldb_asprintf_errstring(ldb, "%s: %s", __func__, ldb_errstring(ldb));
1639 ndr_err = ndr_push_struct_blob(md_value, msg, &omd,
1640 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
1641 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1642 DEBUG(0,(__location__ ": Failed to marshall replPropertyMetaData for %s\n",
1643 ldb_dn_get_linearized(msg->dn)));
1644 return LDB_ERR_OPERATIONS_ERROR;
1647 ret = ldb_msg_add_empty(msg, "replPropertyMetaData", LDB_FLAG_MOD_REPLACE, &el);
1648 if (ret != LDB_SUCCESS) {
1649 DEBUG(0,(__location__ ": Failed to add updated replPropertyMetaData %s\n",
1650 ldb_dn_get_linearized(msg->dn)));
1655 el->values = md_value;
1662 struct dsdb_dn *dsdb_dn;
1667 static int parsed_dn_compare(struct parsed_dn *pdn1, struct parsed_dn *pdn2)
1669 return GUID_compare(&pdn1->guid, &pdn2->guid);
1672 static int GUID_compare_struct(struct GUID *g1, struct GUID g2)
1674 return GUID_compare(g1, &g2);
1677 static struct parsed_dn *parsed_dn_find(struct parsed_dn *pdn,
1678 unsigned int count, struct GUID *guid,
1681 struct parsed_dn *ret;
1683 if (dn && GUID_all_zero(guid)) {
1684 /* when updating a link using DRS, we sometimes get a
1685 NULL GUID. We then need to try and match by DN */
1686 for (i=0; i<count; i++) {
1687 if (ldb_dn_compare(pdn[i].dsdb_dn->dn, dn) == 0) {
1688 dsdb_get_extended_dn_guid(pdn[i].dsdb_dn->dn, guid, "GUID");
1694 BINARY_ARRAY_SEARCH(pdn, count, guid, guid, GUID_compare_struct, ret);
1699 get a series of message element values as an array of DNs and GUIDs
1700 the result is sorted by GUID
1702 static int get_parsed_dns(struct ldb_module *module, TALLOC_CTX *mem_ctx,
1703 struct ldb_message_element *el, struct parsed_dn **pdn,
1704 const char *ldap_oid, struct ldb_request *parent)
1707 struct ldb_context *ldb = ldb_module_get_ctx(module);
1714 (*pdn) = talloc_array(mem_ctx, struct parsed_dn, el->num_values);
1716 ldb_module_oom(module);
1717 return LDB_ERR_OPERATIONS_ERROR;
1720 for (i=0; i<el->num_values; i++) {
1721 struct ldb_val *v = &el->values[i];
1724 struct parsed_dn *p;
1728 p->dsdb_dn = dsdb_dn_parse(*pdn, ldb, v, ldap_oid);
1729 if (p->dsdb_dn == NULL) {
1730 return LDB_ERR_INVALID_DN_SYNTAX;
1733 dn = p->dsdb_dn->dn;
1735 status = dsdb_get_extended_dn_guid(dn, &p->guid, "GUID");
1736 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
1737 /* we got a DN without a GUID - go find the GUID */
1738 int ret = dsdb_module_guid_by_dn(module, dn, &p->guid, parent);
1739 if (ret != LDB_SUCCESS) {
1740 ldb_asprintf_errstring(ldb, "Unable to find GUID for DN %s\n",
1741 ldb_dn_get_linearized(dn));
1742 if (ret == LDB_ERR_NO_SUCH_OBJECT &&
1743 LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE &&
1744 ldb_attr_cmp(el->name, "member") == 0) {
1745 return LDB_ERR_UNWILLING_TO_PERFORM;
1749 ret = dsdb_set_extended_dn_guid(dn, &p->guid, "GUID");
1750 if (ret != LDB_SUCCESS) {
1753 } else if (!NT_STATUS_IS_OK(status)) {
1754 return LDB_ERR_OPERATIONS_ERROR;
1757 /* keep a pointer to the original ldb_val */
1761 TYPESAFE_QSORT(*pdn, el->num_values, parsed_dn_compare);
1767 build a new extended DN, including all meta data fields
1769 RMD_FLAGS = DSDB_RMD_FLAG_* bits
1770 RMD_ADDTIME = originating_add_time
1771 RMD_INVOCID = originating_invocation_id
1772 RMD_CHANGETIME = originating_change_time
1773 RMD_ORIGINATING_USN = originating_usn
1774 RMD_LOCAL_USN = local_usn
1775 RMD_VERSION = version
1777 static int replmd_build_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
1778 const struct GUID *invocation_id, uint64_t seq_num,
1779 uint64_t local_usn, NTTIME nttime, uint32_t version, bool deleted)
1781 struct ldb_dn *dn = dsdb_dn->dn;
1782 const char *tstring, *usn_string, *flags_string;
1783 struct ldb_val tval;
1785 struct ldb_val usnv, local_usnv;
1786 struct ldb_val vers, flagsv;
1789 const char *dnstring;
1791 uint32_t rmd_flags = deleted?DSDB_RMD_FLAG_DELETED:0;
1793 tstring = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)nttime);
1795 return LDB_ERR_OPERATIONS_ERROR;
1797 tval = data_blob_string_const(tstring);
1799 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)seq_num);
1801 return LDB_ERR_OPERATIONS_ERROR;
1803 usnv = data_blob_string_const(usn_string);
1805 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)local_usn);
1807 return LDB_ERR_OPERATIONS_ERROR;
1809 local_usnv = data_blob_string_const(usn_string);
1811 vstring = talloc_asprintf(mem_ctx, "%lu", (unsigned long)version);
1813 return LDB_ERR_OPERATIONS_ERROR;
1815 vers = data_blob_string_const(vstring);
1817 status = GUID_to_ndr_blob(invocation_id, dn, &iid);
1818 if (!NT_STATUS_IS_OK(status)) {
1819 return LDB_ERR_OPERATIONS_ERROR;
1822 flags_string = talloc_asprintf(mem_ctx, "%u", rmd_flags);
1823 if (!flags_string) {
1824 return LDB_ERR_OPERATIONS_ERROR;
1826 flagsv = data_blob_string_const(flags_string);
1828 ret = ldb_dn_set_extended_component(dn, "RMD_FLAGS", &flagsv);
1829 if (ret != LDB_SUCCESS) return ret;
1830 ret = ldb_dn_set_extended_component(dn, "RMD_ADDTIME", &tval);
1831 if (ret != LDB_SUCCESS) return ret;
1832 ret = ldb_dn_set_extended_component(dn, "RMD_INVOCID", &iid);
1833 if (ret != LDB_SUCCESS) return ret;
1834 ret = ldb_dn_set_extended_component(dn, "RMD_CHANGETIME", &tval);
1835 if (ret != LDB_SUCCESS) return ret;
1836 ret = ldb_dn_set_extended_component(dn, "RMD_LOCAL_USN", &local_usnv);
1837 if (ret != LDB_SUCCESS) return ret;
1838 ret = ldb_dn_set_extended_component(dn, "RMD_ORIGINATING_USN", &usnv);
1839 if (ret != LDB_SUCCESS) return ret;
1840 ret = ldb_dn_set_extended_component(dn, "RMD_VERSION", &vers);
1841 if (ret != LDB_SUCCESS) return ret;
1843 dnstring = dsdb_dn_get_extended_linearized(mem_ctx, dsdb_dn, 1);
1844 if (dnstring == NULL) {
1845 return LDB_ERR_OPERATIONS_ERROR;
1847 *v = data_blob_string_const(dnstring);
1852 static int replmd_update_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
1853 struct dsdb_dn *old_dsdb_dn, const struct GUID *invocation_id,
1854 uint64_t seq_num, uint64_t local_usn, NTTIME nttime,
1855 uint32_t version, bool deleted);
1858 check if any links need upgrading from w2k format
1860 The parent_ctx is the ldb_message_element which contains the values array that dns[i].v points at, and which should be used for allocating any new value.
1862 static int replmd_check_upgrade_links(struct parsed_dn *dns, uint32_t count, struct ldb_message_element *parent_ctx, const struct GUID *invocation_id)
1865 for (i=0; i<count; i++) {
1870 status = dsdb_get_extended_dn_uint32(dns[i].dsdb_dn->dn, &version, "RMD_VERSION");
1871 if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
1875 /* it's an old one that needs upgrading */
1876 ret = replmd_update_la_val(parent_ctx->values, dns[i].v, dns[i].dsdb_dn, dns[i].dsdb_dn, invocation_id,
1878 if (ret != LDB_SUCCESS) {
1886 update an extended DN, including all meta data fields
1888 see replmd_build_la_val for value names
1890 static int replmd_update_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
1891 struct dsdb_dn *old_dsdb_dn, const struct GUID *invocation_id,
1892 uint64_t usn, uint64_t local_usn, NTTIME nttime,
1893 uint32_t version, bool deleted)
1895 struct ldb_dn *dn = dsdb_dn->dn;
1896 const char *tstring, *usn_string, *flags_string;
1897 struct ldb_val tval;
1899 struct ldb_val usnv, local_usnv;
1900 struct ldb_val vers, flagsv;
1901 const struct ldb_val *old_addtime;
1902 uint32_t old_version;
1905 const char *dnstring;
1907 uint32_t rmd_flags = deleted?DSDB_RMD_FLAG_DELETED:0;
1909 tstring = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)nttime);
1911 return LDB_ERR_OPERATIONS_ERROR;
1913 tval = data_blob_string_const(tstring);
1915 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)usn);
1917 return LDB_ERR_OPERATIONS_ERROR;
1919 usnv = data_blob_string_const(usn_string);
1921 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)local_usn);
1923 return LDB_ERR_OPERATIONS_ERROR;
1925 local_usnv = data_blob_string_const(usn_string);
1927 status = GUID_to_ndr_blob(invocation_id, dn, &iid);
1928 if (!NT_STATUS_IS_OK(status)) {
1929 return LDB_ERR_OPERATIONS_ERROR;
1932 flags_string = talloc_asprintf(mem_ctx, "%u", rmd_flags);
1933 if (!flags_string) {
1934 return LDB_ERR_OPERATIONS_ERROR;
1936 flagsv = data_blob_string_const(flags_string);
1938 ret = ldb_dn_set_extended_component(dn, "RMD_FLAGS", &flagsv);
1939 if (ret != LDB_SUCCESS) return ret;
1941 /* get the ADDTIME from the original */
1942 old_addtime = ldb_dn_get_extended_component(old_dsdb_dn->dn, "RMD_ADDTIME");
1943 if (old_addtime == NULL) {
1944 old_addtime = &tval;
1946 if (dsdb_dn != old_dsdb_dn ||
1947 ldb_dn_get_extended_component(dn, "RMD_ADDTIME") == NULL) {
1948 ret = ldb_dn_set_extended_component(dn, "RMD_ADDTIME", old_addtime);
1949 if (ret != LDB_SUCCESS) return ret;
1952 /* use our invocation id */
1953 ret = ldb_dn_set_extended_component(dn, "RMD_INVOCID", &iid);
1954 if (ret != LDB_SUCCESS) return ret;
1956 /* changetime is the current time */
1957 ret = ldb_dn_set_extended_component(dn, "RMD_CHANGETIME", &tval);
1958 if (ret != LDB_SUCCESS) return ret;
1960 /* update the USN */
1961 ret = ldb_dn_set_extended_component(dn, "RMD_ORIGINATING_USN", &usnv);
1962 if (ret != LDB_SUCCESS) return ret;
1964 ret = ldb_dn_set_extended_component(dn, "RMD_LOCAL_USN", &local_usnv);
1965 if (ret != LDB_SUCCESS) return ret;
1967 /* increase the version by 1 */
1968 status = dsdb_get_extended_dn_uint32(old_dsdb_dn->dn, &old_version, "RMD_VERSION");
1969 if (NT_STATUS_IS_OK(status) && old_version >= version) {
1970 version = old_version+1;
1972 vstring = talloc_asprintf(dn, "%lu", (unsigned long)version);
1973 vers = data_blob_string_const(vstring);
1974 ret = ldb_dn_set_extended_component(dn, "RMD_VERSION", &vers);
1975 if (ret != LDB_SUCCESS) return ret;
1977 dnstring = dsdb_dn_get_extended_linearized(mem_ctx, dsdb_dn, 1);
1978 if (dnstring == NULL) {
1979 return LDB_ERR_OPERATIONS_ERROR;
1981 *v = data_blob_string_const(dnstring);
1987 handle adding a linked attribute
1989 static int replmd_modify_la_add(struct ldb_module *module,
1990 const struct dsdb_schema *schema,
1991 struct ldb_message *msg,
1992 struct ldb_message_element *el,
1993 struct ldb_message_element *old_el,
1994 const struct dsdb_attribute *schema_attr,
1997 struct GUID *msg_guid,
1998 struct ldb_request *parent)
2001 struct parsed_dn *dns, *old_dns;
2002 TALLOC_CTX *tmp_ctx = talloc_new(msg);
2004 struct ldb_val *new_values = NULL;
2005 unsigned int num_new_values = 0;
2006 unsigned old_num_values = old_el?old_el->num_values:0;
2007 const struct GUID *invocation_id;
2008 struct ldb_context *ldb = ldb_module_get_ctx(module);
2011 unix_to_nt_time(&now, t);
2013 ret = get_parsed_dns(module, tmp_ctx, el, &dns, schema_attr->syntax->ldap_oid, parent);
2014 if (ret != LDB_SUCCESS) {
2015 talloc_free(tmp_ctx);
2019 ret = get_parsed_dns(module, tmp_ctx, old_el, &old_dns, schema_attr->syntax->ldap_oid, parent);
2020 if (ret != LDB_SUCCESS) {
2021 talloc_free(tmp_ctx);
2025 invocation_id = samdb_ntds_invocation_id(ldb);
2026 if (!invocation_id) {
2027 talloc_free(tmp_ctx);
2028 return LDB_ERR_OPERATIONS_ERROR;
2031 ret = replmd_check_upgrade_links(old_dns, old_num_values, old_el, invocation_id);
2032 if (ret != LDB_SUCCESS) {
2033 talloc_free(tmp_ctx);
2037 /* for each new value, see if it exists already with the same GUID */
2038 for (i=0; i<el->num_values; i++) {
2039 struct parsed_dn *p = parsed_dn_find(old_dns, old_num_values, &dns[i].guid, NULL);
2041 /* this is a new linked attribute value */
2042 new_values = talloc_realloc(tmp_ctx, new_values, struct ldb_val, num_new_values+1);
2043 if (new_values == NULL) {
2044 ldb_module_oom(module);
2045 talloc_free(tmp_ctx);
2046 return LDB_ERR_OPERATIONS_ERROR;
2048 ret = replmd_build_la_val(new_values, &new_values[num_new_values], dns[i].dsdb_dn,
2049 invocation_id, seq_num, seq_num, now, 0, false);
2050 if (ret != LDB_SUCCESS) {
2051 talloc_free(tmp_ctx);
2056 /* this is only allowed if the GUID was
2057 previously deleted. */
2058 uint32_t rmd_flags = dsdb_dn_rmd_flags(p->dsdb_dn->dn);
2060 if (!(rmd_flags & DSDB_RMD_FLAG_DELETED)) {
2061 struct GUID_txt_buf guid_str;
2062 ldb_asprintf_errstring(ldb, "Attribute %s already exists for target GUID %s",
2063 el->name, GUID_buf_string(&p->guid, &guid_str));
2064 talloc_free(tmp_ctx);
2065 /* error codes for 'member' need to be
2067 if (ldb_attr_cmp(el->name, "member") == 0) {
2068 return LDB_ERR_ENTRY_ALREADY_EXISTS;
2070 return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
2073 ret = replmd_update_la_val(old_el->values, p->v, dns[i].dsdb_dn, p->dsdb_dn,
2074 invocation_id, seq_num, seq_num, now, 0, false);
2075 if (ret != LDB_SUCCESS) {
2076 talloc_free(tmp_ctx);
2081 ret = replmd_add_backlink(module, schema, msg_guid, &dns[i].guid, true, schema_attr, true);
2082 if (ret != LDB_SUCCESS) {
2083 talloc_free(tmp_ctx);
2088 /* add the new ones on to the end of the old values, constructing a new el->values */
2089 el->values = talloc_realloc(msg->elements, old_el?old_el->values:NULL,
2091 old_num_values+num_new_values);
2092 if (el->values == NULL) {
2093 ldb_module_oom(module);
2094 return LDB_ERR_OPERATIONS_ERROR;
2097 memcpy(&el->values[old_num_values], new_values, num_new_values*sizeof(struct ldb_val));
2098 el->num_values = old_num_values + num_new_values;
2100 talloc_steal(msg->elements, el->values);
2101 talloc_steal(el->values, new_values);
2103 talloc_free(tmp_ctx);
2105 /* we now tell the backend to replace all existing values
2106 with the one we have constructed */
2107 el->flags = LDB_FLAG_MOD_REPLACE;
2114 handle deleting all active linked attributes
2116 static int replmd_modify_la_delete(struct ldb_module *module,
2117 const struct dsdb_schema *schema,
2118 struct ldb_message *msg,
2119 struct ldb_message_element *el,
2120 struct ldb_message_element *old_el,
2121 const struct dsdb_attribute *schema_attr,
2124 struct GUID *msg_guid,
2125 struct ldb_request *parent)
2128 struct parsed_dn *dns, *old_dns;
2129 TALLOC_CTX *tmp_ctx = talloc_new(msg);
2131 const struct GUID *invocation_id;
2132 struct ldb_context *ldb = ldb_module_get_ctx(module);
2135 unix_to_nt_time(&now, t);
2137 /* check if there is nothing to delete */
2138 if ((!old_el || old_el->num_values == 0) &&
2139 el->num_values == 0) {
2143 if (!old_el || old_el->num_values == 0) {
2144 return LDB_ERR_NO_SUCH_ATTRIBUTE;
2147 ret = get_parsed_dns(module, tmp_ctx, el, &dns, schema_attr->syntax->ldap_oid, parent);
2148 if (ret != LDB_SUCCESS) {
2149 talloc_free(tmp_ctx);
2153 ret = get_parsed_dns(module, tmp_ctx, old_el, &old_dns, schema_attr->syntax->ldap_oid, parent);
2154 if (ret != LDB_SUCCESS) {
2155 talloc_free(tmp_ctx);
2159 invocation_id = samdb_ntds_invocation_id(ldb);
2160 if (!invocation_id) {
2161 return LDB_ERR_OPERATIONS_ERROR;
2164 ret = replmd_check_upgrade_links(old_dns, old_el->num_values, old_el, invocation_id);
2165 if (ret != LDB_SUCCESS) {
2166 talloc_free(tmp_ctx);
2172 /* see if we are being asked to delete any links that
2173 don't exist or are already deleted */
2174 for (i=0; i<el->num_values; i++) {
2175 struct parsed_dn *p = &dns[i];
2176 struct parsed_dn *p2;
2179 p2 = parsed_dn_find(old_dns, old_el->num_values, &p->guid, NULL);
2181 struct GUID_txt_buf buf;
2182 ldb_asprintf_errstring(ldb, "Attribute %s doesn't exist for target GUID %s",
2183 el->name, GUID_buf_string(&p->guid, &buf));
2184 if (ldb_attr_cmp(el->name, "member") == 0) {
2185 return LDB_ERR_UNWILLING_TO_PERFORM;
2187 return LDB_ERR_NO_SUCH_ATTRIBUTE;
2190 rmd_flags = dsdb_dn_rmd_flags(p2->dsdb_dn->dn);
2191 if (rmd_flags & DSDB_RMD_FLAG_DELETED) {
2192 struct GUID_txt_buf buf;
2193 ldb_asprintf_errstring(ldb, "Attribute %s already deleted for target GUID %s",
2194 el->name, GUID_buf_string(&p->guid, &buf));
2195 if (ldb_attr_cmp(el->name, "member") == 0) {
2196 return LDB_ERR_UNWILLING_TO_PERFORM;
2198 return LDB_ERR_NO_SUCH_ATTRIBUTE;
2203 /* for each new value, see if it exists already with the same GUID
2204 if it is not already deleted and matches the delete list then delete it
2206 for (i=0; i<old_el->num_values; i++) {
2207 struct parsed_dn *p = &old_dns[i];
2210 if (el->num_values && parsed_dn_find(dns, el->num_values, &p->guid, NULL) == NULL) {
2214 rmd_flags = dsdb_dn_rmd_flags(p->dsdb_dn->dn);
2215 if (rmd_flags & DSDB_RMD_FLAG_DELETED) continue;
2217 ret = replmd_update_la_val(old_el->values, p->v, p->dsdb_dn, p->dsdb_dn,
2218 invocation_id, seq_num, seq_num, now, 0, true);
2219 if (ret != LDB_SUCCESS) {
2220 talloc_free(tmp_ctx);
2224 ret = replmd_add_backlink(module, schema, msg_guid, &old_dns[i].guid, false, schema_attr, true);
2225 if (ret != LDB_SUCCESS) {
2226 talloc_free(tmp_ctx);
2231 el->values = talloc_steal(msg->elements, old_el->values);
2232 el->num_values = old_el->num_values;
2234 talloc_free(tmp_ctx);
2236 /* we now tell the backend to replace all existing values
2237 with the one we have constructed */
2238 el->flags = LDB_FLAG_MOD_REPLACE;
2244 handle replacing a linked attribute
2246 static int replmd_modify_la_replace(struct ldb_module *module,
2247 const struct dsdb_schema *schema,
2248 struct ldb_message *msg,
2249 struct ldb_message_element *el,
2250 struct ldb_message_element *old_el,
2251 const struct dsdb_attribute *schema_attr,
2254 struct GUID *msg_guid,
2255 struct ldb_request *parent)
2258 struct parsed_dn *dns, *old_dns;
2259 TALLOC_CTX *tmp_ctx = talloc_new(msg);
2261 const struct GUID *invocation_id;
2262 struct ldb_context *ldb = ldb_module_get_ctx(module);
2263 struct ldb_val *new_values = NULL;
2264 unsigned int num_new_values = 0;
2265 unsigned int old_num_values = old_el?old_el->num_values:0;
2268 unix_to_nt_time(&now, t);
2270 /* check if there is nothing to replace */
2271 if ((!old_el || old_el->num_values == 0) &&
2272 el->num_values == 0) {
2276 ret = get_parsed_dns(module, tmp_ctx, el, &dns, schema_attr->syntax->ldap_oid, parent);
2277 if (ret != LDB_SUCCESS) {
2278 talloc_free(tmp_ctx);
2282 ret = get_parsed_dns(module, tmp_ctx, old_el, &old_dns, schema_attr->syntax->ldap_oid, parent);
2283 if (ret != LDB_SUCCESS) {
2284 talloc_free(tmp_ctx);
2288 invocation_id = samdb_ntds_invocation_id(ldb);
2289 if (!invocation_id) {
2290 return LDB_ERR_OPERATIONS_ERROR;
2293 ret = replmd_check_upgrade_links(old_dns, old_num_values, old_el, invocation_id);
2294 if (ret != LDB_SUCCESS) {
2295 talloc_free(tmp_ctx);
2299 /* mark all the old ones as deleted */
2300 for (i=0; i<old_num_values; i++) {
2301 struct parsed_dn *old_p = &old_dns[i];
2302 struct parsed_dn *p;
2303 uint32_t rmd_flags = dsdb_dn_rmd_flags(old_p->dsdb_dn->dn);
2305 if (rmd_flags & DSDB_RMD_FLAG_DELETED) continue;
2307 ret = replmd_add_backlink(module, schema, msg_guid, &old_dns[i].guid, false, schema_attr, false);
2308 if (ret != LDB_SUCCESS) {
2309 talloc_free(tmp_ctx);
2313 p = parsed_dn_find(dns, el->num_values, &old_p->guid, NULL);
2315 /* we don't delete it if we are re-adding it */
2319 ret = replmd_update_la_val(old_el->values, old_p->v, old_p->dsdb_dn, old_p->dsdb_dn,
2320 invocation_id, seq_num, seq_num, now, 0, true);
2321 if (ret != LDB_SUCCESS) {
2322 talloc_free(tmp_ctx);
2327 /* for each new value, either update its meta-data, or add it
2330 for (i=0; i<el->num_values; i++) {
2331 struct parsed_dn *p = &dns[i], *old_p;
2334 (old_p = parsed_dn_find(old_dns,
2335 old_num_values, &p->guid, NULL)) != NULL) {
2336 /* update in place */
2337 ret = replmd_update_la_val(old_el->values, old_p->v, p->dsdb_dn,
2338 old_p->dsdb_dn, invocation_id,
2339 seq_num, seq_num, now, 0, false);
2340 if (ret != LDB_SUCCESS) {
2341 talloc_free(tmp_ctx);
2346 new_values = talloc_realloc(tmp_ctx, new_values, struct ldb_val,
2348 if (new_values == NULL) {
2349 ldb_module_oom(module);
2350 talloc_free(tmp_ctx);
2351 return LDB_ERR_OPERATIONS_ERROR;
2353 ret = replmd_build_la_val(new_values, &new_values[num_new_values], dns[i].dsdb_dn,
2354 invocation_id, seq_num, seq_num, now, 0, false);
2355 if (ret != LDB_SUCCESS) {
2356 talloc_free(tmp_ctx);
2362 ret = replmd_add_backlink(module, schema, msg_guid, &dns[i].guid, true, schema_attr, false);
2363 if (ret != LDB_SUCCESS) {
2364 talloc_free(tmp_ctx);
2369 /* add the new values to the end of old_el */
2370 if (num_new_values != 0) {
2371 el->values = talloc_realloc(msg->elements, old_el?old_el->values:NULL,
2372 struct ldb_val, old_num_values+num_new_values);
2373 if (el->values == NULL) {
2374 ldb_module_oom(module);
2375 return LDB_ERR_OPERATIONS_ERROR;
2377 memcpy(&el->values[old_num_values], &new_values[0],
2378 sizeof(struct ldb_val)*num_new_values);
2379 el->num_values = old_num_values + num_new_values;
2380 talloc_steal(msg->elements, new_values);
2382 el->values = old_el->values;
2383 el->num_values = old_el->num_values;
2384 talloc_steal(msg->elements, el->values);
2387 talloc_free(tmp_ctx);
2389 /* we now tell the backend to replace all existing values
2390 with the one we have constructed */
2391 el->flags = LDB_FLAG_MOD_REPLACE;
2398 handle linked attributes in modify requests
2400 static int replmd_modify_handle_linked_attribs(struct ldb_module *module,
2401 struct ldb_message *msg,
2402 uint64_t seq_num, time_t t,
2403 struct ldb_request *parent)
2405 struct ldb_result *res;
2408 struct ldb_context *ldb = ldb_module_get_ctx(module);
2409 struct ldb_message *old_msg;
2411 const struct dsdb_schema *schema;
2412 struct GUID old_guid;
2415 /* there the replmd_update_rpmd code has already
2416 * checked and saw that there are no linked
2421 if (dsdb_functional_level(ldb) == DS_DOMAIN_FUNCTION_2000) {
2422 /* don't do anything special for linked attributes */
2426 ret = dsdb_module_search_dn(module, msg, &res, msg->dn, NULL,
2427 DSDB_FLAG_NEXT_MODULE |
2428 DSDB_SEARCH_SHOW_RECYCLED |
2429 DSDB_SEARCH_REVEAL_INTERNALS |
2430 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT,
2432 if (ret != LDB_SUCCESS) {
2435 schema = dsdb_get_schema(ldb, res);
2437 return LDB_ERR_OPERATIONS_ERROR;
2440 old_msg = res->msgs[0];
2442 old_guid = samdb_result_guid(old_msg, "objectGUID");
2444 for (i=0; i<msg->num_elements; i++) {
2445 struct ldb_message_element *el = &msg->elements[i];
2446 struct ldb_message_element *old_el, *new_el;
2447 const struct dsdb_attribute *schema_attr
2448 = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
2450 ldb_asprintf_errstring(ldb,
2451 "%s: attribute %s is not a valid attribute in schema",
2452 __FUNCTION__, el->name);
2453 return LDB_ERR_OBJECT_CLASS_VIOLATION;
2455 if (schema_attr->linkID == 0) {
2458 if ((schema_attr->linkID & 1) == 1) {
2459 if (parent && ldb_request_get_control(parent, DSDB_CONTROL_DBCHECK)) {
2462 /* Odd is for the target. Illegal to modify */
2463 ldb_asprintf_errstring(ldb,
2464 "attribute %s must not be modified directly, it is a linked attribute", el->name);
2465 return LDB_ERR_UNWILLING_TO_PERFORM;
2467 old_el = ldb_msg_find_element(old_msg, el->name);
2468 switch (el->flags & LDB_FLAG_MOD_MASK) {
2469 case LDB_FLAG_MOD_REPLACE:
2470 ret = replmd_modify_la_replace(module, schema, msg, el, old_el, schema_attr, seq_num, t, &old_guid, parent);
2472 case LDB_FLAG_MOD_DELETE:
2473 ret = replmd_modify_la_delete(module, schema, msg, el, old_el, schema_attr, seq_num, t, &old_guid, parent);
2475 case LDB_FLAG_MOD_ADD:
2476 ret = replmd_modify_la_add(module, schema, msg, el, old_el, schema_attr, seq_num, t, &old_guid, parent);
2479 ldb_asprintf_errstring(ldb,
2480 "invalid flags 0x%x for %s linked attribute",
2481 el->flags, el->name);
2482 return LDB_ERR_UNWILLING_TO_PERFORM;
2484 if (dsdb_check_single_valued_link(schema_attr, el) != LDB_SUCCESS) {
2485 ldb_asprintf_errstring(ldb,
2486 "Attribute %s is single valued but more than one value has been supplied",
2488 return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
2490 el->flags |= LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK;
2495 if (ret != LDB_SUCCESS) {
2499 ldb_msg_remove_attr(old_msg, el->name);
2501 ldb_msg_add_empty(old_msg, el->name, 0, &new_el);
2502 new_el->num_values = el->num_values;
2503 new_el->values = talloc_steal(msg->elements, el->values);
2505 /* TODO: this relises a bit too heavily on the exact
2506 behaviour of ldb_msg_find_element and
2507 ldb_msg_remove_element */
2508 old_el = ldb_msg_find_element(msg, el->name);
2510 ldb_msg_remove_element(msg, old_el);
2521 static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
2523 struct samldb_msds_intid_persistant *msds_intid_struct;
2524 struct ldb_context *ldb;
2525 struct replmd_replicated_request *ac;
2526 struct ldb_request *down_req;
2527 struct ldb_message *msg;
2528 time_t t = time(NULL);
2530 bool is_urgent = false, rodc = false;
2531 bool is_schema_nc = false;
2532 unsigned int functional_level;
2533 const struct ldb_message_element *guid_el = NULL;
2534 struct ldb_control *sd_propagation_control;
2535 struct replmd_private *replmd_private =
2536 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
2538 /* do not manipulate our control entries */
2539 if (ldb_dn_is_special(req->op.mod.message->dn)) {
2540 return ldb_next_request(module, req);
2543 sd_propagation_control = ldb_request_get_control(req,
2544 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
2545 if (sd_propagation_control != NULL) {
2546 if (req->op.mod.message->num_elements != 1) {
2547 return ldb_module_operr(module);
2549 ret = strcmp(req->op.mod.message->elements[0].name,
2550 "nTSecurityDescriptor");
2552 return ldb_module_operr(module);
2555 return ldb_next_request(module, req);
2558 ldb = ldb_module_get_ctx(module);
2560 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_modify\n");
2562 guid_el = ldb_msg_find_element(req->op.mod.message, "objectGUID");
2563 if (guid_el != NULL) {
2564 ldb_set_errstring(ldb,
2565 "replmd_modify: it's not allowed to change the objectGUID!");
2566 return LDB_ERR_CONSTRAINT_VIOLATION;
2569 ac = replmd_ctx_init(module, req);
2571 return ldb_module_oom(module);
2574 functional_level = dsdb_functional_level(ldb);
2576 /* we have to copy the message as the caller might have it as a const */
2577 msg = ldb_msg_copy_shallow(ac, req->op.mod.message);
2581 return LDB_ERR_OPERATIONS_ERROR;
2584 ldb_msg_remove_attr(msg, "whenChanged");
2585 ldb_msg_remove_attr(msg, "uSNChanged");
2587 is_schema_nc = ldb_dn_compare_base(replmd_private->schema_dn, msg->dn) == 0;
2589 ret = replmd_update_rpmd(module, ac->schema, req, NULL,
2590 msg, &ac->seq_num, t, is_schema_nc,
2592 if (rodc && (ret == LDB_ERR_REFERRAL)) {
2593 struct loadparm_context *lp_ctx;
2596 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
2597 struct loadparm_context);
2599 referral = talloc_asprintf(req,
2601 lpcfg_dnsdomain(lp_ctx),
2602 ldb_dn_get_linearized(msg->dn));
2603 ret = ldb_module_send_referral(req, referral);
2608 if (ret != LDB_SUCCESS) {
2613 ret = replmd_modify_handle_linked_attribs(module, msg, ac->seq_num, t, req);
2614 if (ret != LDB_SUCCESS) {
2620 * - replace the old object with the newly constructed one
2623 ac->is_urgent = is_urgent;
2625 ret = ldb_build_mod_req(&down_req, ldb, ac,
2628 ac, replmd_op_callback,
2630 LDB_REQ_SET_LOCATION(down_req);
2631 if (ret != LDB_SUCCESS) {
2636 /* current partition control is needed by "replmd_op_callback" */
2637 if (ldb_request_get_control(req, DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
2638 ret = ldb_request_add_control(down_req,
2639 DSDB_CONTROL_CURRENT_PARTITION_OID,
2641 if (ret != LDB_SUCCESS) {
2647 /* If we are in functional level 2000, then
2648 * replmd_modify_handle_linked_attribs will have done
2650 if (functional_level == DS_DOMAIN_FUNCTION_2000) {
2651 ret = ldb_request_add_control(down_req, DSDB_CONTROL_APPLY_LINKS, false, NULL);
2652 if (ret != LDB_SUCCESS) {
2658 talloc_steal(down_req, msg);
2660 /* we only change whenChanged and uSNChanged if the seq_num
2662 if (ac->seq_num != 0) {
2663 ret = add_time_element(msg, "whenChanged", t);
2664 if (ret != LDB_SUCCESS) {
2670 ret = add_uint64_element(ldb, msg, "uSNChanged", ac->seq_num);
2671 if (ret != LDB_SUCCESS) {
2678 if (!ldb_dn_compare_base(replmd_private->schema_dn, msg->dn)) {
2679 /* Update the usn in the SAMLDB_MSDS_INTID_OPAQUE opaque */
2680 msds_intid_struct = (struct samldb_msds_intid_persistant *) ldb_get_opaque(ldb, SAMLDB_MSDS_INTID_OPAQUE);
2681 if (msds_intid_struct) {
2682 msds_intid_struct->usn = ac->seq_num;
2686 /* go on with the call chain */
2687 return ldb_next_request(module, down_req);
2690 static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *ares);
2693 handle a rename request
2695 On a rename we need to do an extra ldb_modify which sets the
2696 whenChanged and uSNChanged attributes. We do this in a callback after the success.
2698 static int replmd_rename(struct ldb_module *module, struct ldb_request *req)
2700 struct ldb_context *ldb;
2701 struct replmd_replicated_request *ac;
2703 struct ldb_request *down_req;
2705 /* do not manipulate our control entries */
2706 if (ldb_dn_is_special(req->op.mod.message->dn)) {
2707 return ldb_next_request(module, req);
2710 ldb = ldb_module_get_ctx(module);
2712 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_rename\n");
2714 ac = replmd_ctx_init(module, req);
2716 return ldb_module_oom(module);
2719 ret = ldb_build_rename_req(&down_req, ldb, ac,
2720 ac->req->op.rename.olddn,
2721 ac->req->op.rename.newdn,
2723 ac, replmd_rename_callback,
2725 LDB_REQ_SET_LOCATION(down_req);
2726 if (ret != LDB_SUCCESS) {
2731 /* go on with the call chain */
2732 return ldb_next_request(module, down_req);
2735 /* After the rename is compleated, update the whenchanged etc */
2736 static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *ares)
2738 struct ldb_context *ldb;
2739 struct ldb_request *down_req;
2740 struct ldb_message *msg;
2741 const struct dsdb_attribute *rdn_attr;
2742 const char *rdn_name;
2743 const struct ldb_val *rdn_val;
2744 const char *attrs[5] = { NULL, };
2745 time_t t = time(NULL);
2747 bool is_urgent = false, rodc = false;
2749 struct replmd_replicated_request *ac =
2750 talloc_get_type(req->context, struct replmd_replicated_request);
2751 struct replmd_private *replmd_private =
2752 talloc_get_type(ldb_module_get_private(ac->module),
2753 struct replmd_private);
2755 ldb = ldb_module_get_ctx(ac->module);
2757 if (ares->error != LDB_SUCCESS) {
2758 return ldb_module_done(ac->req, ares->controls,
2759 ares->response, ares->error);
2762 if (ares->type != LDB_REPLY_DONE) {
2763 ldb_set_errstring(ldb,
2764 "invalid ldb_reply_type in callback");
2766 return ldb_module_done(ac->req, NULL, NULL,
2767 LDB_ERR_OPERATIONS_ERROR);
2771 * - replace the old object with the newly constructed one
2774 msg = ldb_msg_new(ac);
2777 return LDB_ERR_OPERATIONS_ERROR;
2780 msg->dn = ac->req->op.rename.newdn;
2782 is_schema_nc = ldb_dn_compare_base(replmd_private->schema_dn, msg->dn) == 0;
2784 rdn_name = ldb_dn_get_rdn_name(msg->dn);
2785 if (rdn_name == NULL) {
2787 return ldb_module_done(ac->req, NULL, NULL,
2791 /* normalize the rdn attribute name */
2792 rdn_attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, rdn_name);
2793 if (rdn_attr == NULL) {
2795 return ldb_module_done(ac->req, NULL, NULL,
2798 rdn_name = rdn_attr->lDAPDisplayName;
2800 rdn_val = ldb_dn_get_rdn_val(msg->dn);
2801 if (rdn_val == NULL) {
2803 return ldb_module_done(ac->req, NULL, NULL,
2807 if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
2809 return ldb_module_done(ac->req, NULL, NULL,
2812 if (ldb_msg_add_value(msg, rdn_name, rdn_val, NULL) != 0) {
2814 return ldb_module_done(ac->req, NULL, NULL,
2817 if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
2819 return ldb_module_done(ac->req, NULL, NULL,
2822 if (ldb_msg_add_value(msg, "name", rdn_val, NULL) != 0) {
2824 return ldb_module_done(ac->req, NULL, NULL,
2829 * here we let replmd_update_rpmd() only search for
2830 * the existing "replPropertyMetaData" and rdn_name attributes.
2832 * We do not want the existing "name" attribute as
2833 * the "name" attribute needs to get the version
2834 * updated on rename even if the rdn value hasn't changed.
2836 * This is the diff of the meta data, for a moved user
2837 * on a w2k8r2 server:
2840 * -dn: CN=sdf df,CN=Users,DC=bla,DC=base
2841 * +dn: CN=sdf df,OU=TestOU,DC=bla,DC=base
2842 * replPropertyMetaData: NDR: struct replPropertyMetaDataBlob
2843 * version : 0x00000001 (1)
2844 * reserved : 0x00000000 (0)
2845 * @@ -66,11 +66,11 @@ replPropertyMetaData: NDR: struct re
2846 * local_usn : 0x00000000000037a5 (14245)
2847 * array: struct replPropertyMetaData1
2848 * attid : DRSUAPI_ATTID_name (0x90001)
2849 * - version : 0x00000001 (1)
2850 * - originating_change_time : Wed Feb 9 17:20:49 2011 CET
2851 * + version : 0x00000002 (2)
2852 * + originating_change_time : Wed Apr 6 15:21:01 2011 CEST
2853 * originating_invocation_id: 0d36ca05-5507-4e62-aca3-354bab0d39e1
2854 * - originating_usn : 0x00000000000037a5 (14245)
2855 * - local_usn : 0x00000000000037a5 (14245)
2856 * + originating_usn : 0x0000000000003834 (14388)
2857 * + local_usn : 0x0000000000003834 (14388)
2858 * array: struct replPropertyMetaData1
2859 * attid : DRSUAPI_ATTID_userAccountControl (0x90008)
2860 * version : 0x00000004 (4)
2862 attrs[0] = "replPropertyMetaData";
2863 attrs[1] = "objectClass";
2864 attrs[2] = "instanceType";
2865 attrs[3] = rdn_name;
2868 ret = replmd_update_rpmd(ac->module, ac->schema, req, attrs,
2869 msg, &ac->seq_num, t,
2870 is_schema_nc, &is_urgent, &rodc);
2871 if (rodc && (ret == LDB_ERR_REFERRAL)) {
2872 struct ldb_dn *olddn = ac->req->op.rename.olddn;
2873 struct loadparm_context *lp_ctx;
2876 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
2877 struct loadparm_context);
2879 referral = talloc_asprintf(req,
2881 lpcfg_dnsdomain(lp_ctx),
2882 ldb_dn_get_linearized(olddn));
2883 ret = ldb_module_send_referral(req, referral);
2885 return ldb_module_done(req, NULL, NULL, ret);
2888 if (ret != LDB_SUCCESS) {
2890 return ldb_module_done(ac->req, NULL, NULL, ret);
2893 if (ac->seq_num == 0) {
2895 return ldb_module_done(ac->req, NULL, NULL,
2897 "internal error seq_num == 0"));
2899 ac->is_urgent = is_urgent;
2901 ret = ldb_build_mod_req(&down_req, ldb, ac,
2904 ac, replmd_op_callback,
2906 LDB_REQ_SET_LOCATION(down_req);
2907 if (ret != LDB_SUCCESS) {
2912 /* current partition control is needed by "replmd_op_callback" */
2913 if (ldb_request_get_control(req, DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
2914 ret = ldb_request_add_control(down_req,
2915 DSDB_CONTROL_CURRENT_PARTITION_OID,
2917 if (ret != LDB_SUCCESS) {
2923 talloc_steal(down_req, msg);
2925 ret = add_time_element(msg, "whenChanged", t);
2926 if (ret != LDB_SUCCESS) {
2932 ret = add_uint64_element(ldb, msg, "uSNChanged", ac->seq_num);
2933 if (ret != LDB_SUCCESS) {
2939 /* go on with the call chain - do the modify after the rename */
2940 return ldb_next_request(ac->module, down_req);
2944 * remove links from objects that point at this object when an object
2945 * is deleted. We remove it from the NEXT module per MS-DRSR 5.160
2946 * RemoveObj which states that link removal due to the object being
2947 * deleted is NOT an originating update - they just go away!
2950 static int replmd_delete_remove_link(struct ldb_module *module,
2951 const struct dsdb_schema *schema,
2953 struct ldb_message_element *el,
2954 const struct dsdb_attribute *sa,
2955 struct ldb_request *parent)
2958 TALLOC_CTX *tmp_ctx = talloc_new(module);
2959 struct ldb_context *ldb = ldb_module_get_ctx(module);
2961 for (i=0; i<el->num_values; i++) {
2962 struct dsdb_dn *dsdb_dn;
2966 struct ldb_message *msg;
2967 const struct dsdb_attribute *target_attr;
2968 struct ldb_message_element *el2;
2969 struct ldb_val dn_val;
2971 if (dsdb_dn_is_deleted_val(&el->values[i])) {
2975 dsdb_dn = dsdb_dn_parse(tmp_ctx, ldb, &el->values[i], sa->syntax->ldap_oid);
2977 talloc_free(tmp_ctx);
2978 return LDB_ERR_OPERATIONS_ERROR;
2981 status = dsdb_get_extended_dn_guid(dsdb_dn->dn, &guid2, "GUID");
2982 if (!NT_STATUS_IS_OK(status)) {
2983 talloc_free(tmp_ctx);
2984 return LDB_ERR_OPERATIONS_ERROR;
2987 /* remove the link */
2988 msg = ldb_msg_new(tmp_ctx);
2990 ldb_module_oom(module);
2991 talloc_free(tmp_ctx);
2992 return LDB_ERR_OPERATIONS_ERROR;
2996 msg->dn = dsdb_dn->dn;
2998 target_attr = dsdb_attribute_by_linkID(schema, sa->linkID ^ 1);
2999 if (target_attr == NULL) {
3003 ret = ldb_msg_add_empty(msg, target_attr->lDAPDisplayName, LDB_FLAG_MOD_DELETE, &el2);
3004 if (ret != LDB_SUCCESS) {
3005 ldb_module_oom(module);
3006 talloc_free(tmp_ctx);
3007 return LDB_ERR_OPERATIONS_ERROR;
3009 dn_val = data_blob_string_const(ldb_dn_get_linearized(dn));
3010 el2->values = &dn_val;
3011 el2->num_values = 1;
3013 ret = dsdb_module_modify(module, msg, DSDB_FLAG_OWN_MODULE, parent);
3014 if (ret != LDB_SUCCESS) {
3015 talloc_free(tmp_ctx);
3019 talloc_free(tmp_ctx);
3025 handle update of replication meta data for deletion of objects
3027 This also handles the mapping of delete to a rename operation
3028 to allow deletes to be replicated.
3030 It also handles the incoming deleted objects, to ensure they are
3031 fully deleted here. In that case re_delete is true, and we do not
3032 use this as a signal to change the deleted state, just reinforce it.
3035 static int replmd_delete_internals(struct ldb_module *module, struct ldb_request *req, bool re_delete)
3037 int ret = LDB_ERR_OTHER;
3038 bool retb, disallow_move_on_delete;
3039 struct ldb_dn *old_dn, *new_dn;
3040 const char *rdn_name;
3041 const struct ldb_val *rdn_value, *new_rdn_value;
3043 struct ldb_context *ldb = ldb_module_get_ctx(module);
3044 const struct dsdb_schema *schema;
3045 struct ldb_message *msg, *old_msg;
3046 struct ldb_message_element *el;
3047 TALLOC_CTX *tmp_ctx;
3048 struct ldb_result *res, *parent_res;
3049 const char *preserved_attrs[] = {
3050 /* yes, this really is a hard coded list. See MS-ADTS
3051 section 3.1.1.5.5.1.1 */
3052 "nTSecurityDescriptor", "attributeID", "attributeSyntax", "dNReferenceUpdate", "dNSHostName",
3053 "flatName", "governsID", "groupType", "instanceType", "lDAPDisplayName", "legacyExchangeDN",
3054 "isDeleted", "isRecycled", "lastKnownParent", "msDS-LastKnownRDN", "mS-DS-CreatorSID",
3055 "mSMQOwnerID", "nCName", "objectClass", "distinguishedName", "objectGUID", "objectSid",
3056 "oMSyntax", "proxiedObjectName", "name", "replPropertyMetaData", "sAMAccountName",
3057 "securityIdentifier", "sIDHistory", "subClassOf", "systemFlags", "trustPartner", "trustDirection",
3058 "trustType", "trustAttributes", "userAccountControl", "uSNChanged", "uSNCreated", "whenCreated",
3059 "whenChanged", NULL};
3060 unsigned int i, el_count = 0;
3061 enum deletion_state deletion_state, next_deletion_state;
3063 if (ldb_dn_is_special(req->op.del.dn)) {
3064 return ldb_next_request(module, req);
3068 * We have to allow dbcheck to remove an object that
3069 * is beyond repair, and to do so totally. This could
3070 * mean we we can get a partial object from the other
3071 * DC, causing havoc, so dbcheck suggests
3072 * re-replication first. dbcheck sets both DBCHECK
3073 * and RELAX in this situation.
3075 if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID)
3076 && ldb_request_get_control(req, DSDB_CONTROL_DBCHECK)) {
3077 /* really, really remove it */
3078 return ldb_next_request(module, req);
3081 tmp_ctx = talloc_new(ldb);
3084 return LDB_ERR_OPERATIONS_ERROR;
3087 schema = dsdb_get_schema(ldb, tmp_ctx);
3089 talloc_free(tmp_ctx);
3090 return LDB_ERR_OPERATIONS_ERROR;
3093 old_dn = ldb_dn_copy(tmp_ctx, req->op.del.dn);
3095 /* we need the complete msg off disk, so we can work out which
3096 attributes need to be removed */
3097 ret = dsdb_module_search_dn(module, tmp_ctx, &res, old_dn, NULL,
3098 DSDB_FLAG_NEXT_MODULE |
3099 DSDB_SEARCH_SHOW_RECYCLED |
3100 DSDB_SEARCH_REVEAL_INTERNALS |
3101 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT, req);
3102 if (ret != LDB_SUCCESS) {
3103 ldb_asprintf_errstring(ldb_module_get_ctx(module),
3104 "repmd_delete: Failed to %s %s, because we failed to find it: %s",
3105 re_delete ? "re-delete" : "delete",
3106 ldb_dn_get_linearized(old_dn),
3107 ldb_errstring(ldb_module_get_ctx(module)));
3108 talloc_free(tmp_ctx);
3111 old_msg = res->msgs[0];
3113 replmd_deletion_state(module, old_msg,
3115 &next_deletion_state);
3117 /* This supports us noticing an incoming isDeleted and acting on it */
3119 SMB_ASSERT(deletion_state > OBJECT_NOT_DELETED);
3120 next_deletion_state = deletion_state;
3123 if (next_deletion_state == OBJECT_REMOVED) {
3125 * We have to prevent objects being deleted, even if
3126 * the administrator really wants them gone, as
3127 * without the tombstone, we can get a partial object
3128 * from the other DC, causing havoc.
3130 * The only other valid case is when the 180 day
3131 * timeout has expired, when relax is specified.
3133 if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID)) {
3134 /* it is already deleted - really remove it this time */
3135 talloc_free(tmp_ctx);
3136 return ldb_next_request(module, req);
3139 ldb_asprintf_errstring(ldb, "Refusing to delete tombstone object %s. "
3140 "This check is to prevent corruption of the replicated state.",
3141 ldb_dn_get_linearized(old_msg->dn));
3142 return LDB_ERR_UNWILLING_TO_PERFORM;
3145 rdn_name = ldb_dn_get_rdn_name(old_dn);
3146 rdn_value = ldb_dn_get_rdn_val(old_dn);
3147 if ((rdn_name == NULL) || (rdn_value == NULL)) {
3148 talloc_free(tmp_ctx);
3149 return ldb_operr(ldb);
3152 msg = ldb_msg_new(tmp_ctx);
3154 ldb_module_oom(module);
3155 talloc_free(tmp_ctx);
3156 return LDB_ERR_OPERATIONS_ERROR;
3161 /* consider the SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE flag */
3162 disallow_move_on_delete =
3163 (ldb_msg_find_attr_as_int(old_msg, "systemFlags", 0)
3164 & SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE);
3166 /* work out where we will be renaming this object to */
3167 if (!disallow_move_on_delete) {
3168 struct ldb_dn *deleted_objects_dn;
3169 ret = dsdb_get_deleted_objects_dn(ldb, tmp_ctx, old_dn,
3170 &deleted_objects_dn);
3173 * We should not move objects if we can't find the
3174 * deleted objects DN. Not moving (or otherwise
3175 * harming) the Deleted Objects DN itself is handled
3178 if (re_delete && (ret != LDB_SUCCESS)) {
3179 new_dn = ldb_dn_get_parent(tmp_ctx, old_dn);
3180 if (new_dn == NULL) {
3181 ldb_module_oom(module);
3182 talloc_free(tmp_ctx);
3183 return LDB_ERR_OPERATIONS_ERROR;
3185 } else if (ret != LDB_SUCCESS) {
3186 /* this is probably an attempted delete on a partition
3187 * that doesn't allow delete operations, such as the
3188 * schema partition */
3189 ldb_asprintf_errstring(ldb, "No Deleted Objects container for DN %s",
3190 ldb_dn_get_linearized(old_dn));
3191 talloc_free(tmp_ctx);
3192 return LDB_ERR_UNWILLING_TO_PERFORM;
3194 new_dn = deleted_objects_dn;
3197 new_dn = ldb_dn_get_parent(tmp_ctx, old_dn);
3198 if (new_dn == NULL) {
3199 ldb_module_oom(module);
3200 talloc_free(tmp_ctx);
3201 return LDB_ERR_OPERATIONS_ERROR;
3205 if (deletion_state == OBJECT_NOT_DELETED) {
3206 /* get the objects GUID from the search we just did */
3207 guid = samdb_result_guid(old_msg, "objectGUID");
3209 /* Add a formatted child */
3210 retb = ldb_dn_add_child_fmt(new_dn, "%s=%s\\0ADEL:%s",
3212 ldb_dn_escape_value(tmp_ctx, *rdn_value),
3213 GUID_string(tmp_ctx, &guid));
3215 ldb_asprintf_errstring(ldb, __location__
3216 ": Unable to add a formatted child to dn: %s",
3217 ldb_dn_get_linearized(new_dn));
3218 talloc_free(tmp_ctx);
3219 return LDB_ERR_OPERATIONS_ERROR;
3222 ret = ldb_msg_add_string(msg, "isDeleted", "TRUE");
3223 if (ret != LDB_SUCCESS) {
3224 ldb_asprintf_errstring(ldb, __location__
3225 ": Failed to add isDeleted string to the msg");
3226 talloc_free(tmp_ctx);
3229 msg->elements[el_count++].flags = LDB_FLAG_MOD_REPLACE;
3232 * No matter what has happened with other renames etc, try again to
3233 * get this to be under the deleted DN. See MS-DRSR 5.160 RemoveObj
3236 struct ldb_dn *rdn = ldb_dn_copy(tmp_ctx, old_dn);
3237 retb = ldb_dn_remove_base_components(rdn, ldb_dn_get_comp_num(rdn) - 1);
3239 ldb_asprintf_errstring(ldb, __location__
3240 ": Unable to add a prepare rdn of %s",
3241 ldb_dn_get_linearized(rdn));
3242 talloc_free(tmp_ctx);
3243 return LDB_ERR_OPERATIONS_ERROR;
3245 SMB_ASSERT(ldb_dn_get_comp_num(rdn) == 1);
3247 retb = ldb_dn_add_child(new_dn, rdn);
3249 ldb_asprintf_errstring(ldb, __location__
3250 ": Unable to add rdn %s to base dn: %s",
3251 ldb_dn_get_linearized(rdn),
3252 ldb_dn_get_linearized(new_dn));
3253 talloc_free(tmp_ctx);
3254 return LDB_ERR_OPERATIONS_ERROR;
3259 now we need to modify the object in the following ways:
3261 - add isDeleted=TRUE
3262 - update rDN and name, with new rDN
3263 - remove linked attributes
3264 - remove objectCategory and sAMAccountType
3265 - remove attribs not on the preserved list
3266 - preserved if in above list, or is rDN
3267 - remove all linked attribs from this object
3268 - remove all links from other objects to this object
3269 - add lastKnownParent
3270 - update replPropertyMetaData?
3272 see MS-ADTS "Tombstone Requirements" section 3.1.1.5.5.1.1
3275 if (deletion_state == OBJECT_NOT_DELETED) {
3276 struct ldb_dn *parent_dn = ldb_dn_get_parent(tmp_ctx, old_dn);
3277 char *parent_dn_str = NULL;
3279 /* we need the storage form of the parent GUID */
3280 ret = dsdb_module_search_dn(module, tmp_ctx, &parent_res,
3282 DSDB_FLAG_NEXT_MODULE |
3283 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
3284 DSDB_SEARCH_REVEAL_INTERNALS|
3285 DSDB_SEARCH_SHOW_RECYCLED, req);
3286 if (ret != LDB_SUCCESS) {
3287 ldb_asprintf_errstring(ldb_module_get_ctx(module),
3288 "repmd_delete: Failed to %s %s, "
3289 "because we failed to find it's parent (%s): %s",
3290 re_delete ? "re-delete" : "delete",
3291 ldb_dn_get_linearized(old_dn),
3292 ldb_dn_get_linearized(parent_dn),
3293 ldb_errstring(ldb_module_get_ctx(module)));
3294 talloc_free(tmp_ctx);
3299 * Now we can use the DB version,
3300 * it will have the extended DN info in it
3302 parent_dn = parent_res->msgs[0]->dn;
3303 parent_dn_str = ldb_dn_get_extended_linearized(tmp_ctx,
3306 if (parent_dn_str == NULL) {
3307 talloc_free(tmp_ctx);
3308 return ldb_module_oom(module);
3311 ret = ldb_msg_add_steal_string(msg, "lastKnownParent",
3313 if (ret != LDB_SUCCESS) {
3314 ldb_asprintf_errstring(ldb, __location__
3315 ": Failed to add lastKnownParent "
3316 "string when deleting %s",
3317 ldb_dn_get_linearized(old_dn));
3318 talloc_free(tmp_ctx);
3321 msg->elements[el_count++].flags = LDB_FLAG_MOD_REPLACE;
3323 if (next_deletion_state == OBJECT_DELETED) {
3324 ret = ldb_msg_add_value(msg, "msDS-LastKnownRDN", rdn_value, NULL);
3325 if (ret != LDB_SUCCESS) {
3326 ldb_asprintf_errstring(ldb, __location__
3327 ": Failed to add msDS-LastKnownRDN "
3328 "string when deleting %s",
3329 ldb_dn_get_linearized(old_dn));
3330 talloc_free(tmp_ctx);
3333 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
3337 switch (next_deletion_state) {
3339 case OBJECT_RECYCLED:
3340 case OBJECT_TOMBSTONE:
3343 * MS-ADTS 3.1.1.5.5.1.1 Tombstone Requirements
3344 * describes what must be removed from a tombstone
3347 * MS-ADTS 3.1.1.5.5.1.3 Recycled-Object Requirements
3348 * describes what must be removed from a recycled
3354 * we also mark it as recycled, meaning this object can't be
3355 * recovered (we are stripping its attributes).
3356 * This is done only if we have this schema object of course ...
3357 * This behavior is identical to the one of Windows 2008R2 which
3358 * always set the isRecycled attribute, even if the recycle-bin is
3359 * not activated and what ever the forest level is.
3361 if (dsdb_attribute_by_lDAPDisplayName(schema, "isRecycled") != NULL) {
3362 ret = ldb_msg_add_string(msg, "isRecycled", "TRUE");
3363 if (ret != LDB_SUCCESS) {
3364 DEBUG(0,(__location__ ": Failed to add isRecycled string to the msg\n"));
3365 ldb_module_oom(module);
3366 talloc_free(tmp_ctx);
3369 msg->elements[el_count++].flags = LDB_FLAG_MOD_REPLACE;
3372 /* work out which of the old attributes we will be removing */
3373 for (i=0; i<old_msg->num_elements; i++) {
3374 const struct dsdb_attribute *sa;
3375 el = &old_msg->elements[i];
3376 sa = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
3378 talloc_free(tmp_ctx);
3379 return LDB_ERR_OPERATIONS_ERROR;
3381 if (ldb_attr_cmp(el->name, rdn_name) == 0) {
3382 /* don't remove the rDN */
3385 if (sa->linkID && (sa->linkID & 1)) {
3387 we have a backlink in this object
3388 that needs to be removed. We're not
3389 allowed to remove it directly
3390 however, so we instead setup a
3391 modify to delete the corresponding
3394 ret = replmd_delete_remove_link(module, schema, old_dn, el, sa, req);
3395 if (ret != LDB_SUCCESS) {
3396 const char *old_dn_str
3397 = ldb_dn_get_linearized(old_dn);
3398 ldb_asprintf_errstring(ldb,
3400 ": Failed to remove backlink of "
3401 "%s when deleting %s",
3404 talloc_free(tmp_ctx);
3405 return LDB_ERR_OPERATIONS_ERROR;
3407 /* now we continue, which means we
3408 won't remove this backlink
3414 if (ldb_attr_in_list(preserved_attrs, el->name)) {
3417 if (sa->searchFlags & SEARCH_FLAG_PRESERVEONDELETE) {
3421 ret = ldb_msg_add_empty(msg, el->name, LDB_FLAG_MOD_DELETE, &el);
3422 if (ret != LDB_SUCCESS) {
3423 talloc_free(tmp_ctx);
3424 ldb_module_oom(module);
3431 case OBJECT_DELETED:
3433 * MS-ADTS 3.1.1.5.5.1.2 Deleted-Object Requirements
3434 * describes what must be removed from a deleted
3438 ret = ldb_msg_add_empty(msg, "objectCategory", LDB_FLAG_MOD_REPLACE, NULL);
3439 if (ret != LDB_SUCCESS) {
3440 talloc_free(tmp_ctx);
3441 ldb_module_oom(module);
3445 ret = ldb_msg_add_empty(msg, "sAMAccountType", LDB_FLAG_MOD_REPLACE, NULL);
3446 if (ret != LDB_SUCCESS) {
3447 talloc_free(tmp_ctx);
3448 ldb_module_oom(module);
3458 if (deletion_state == OBJECT_NOT_DELETED) {
3459 const struct dsdb_attribute *sa;
3461 /* work out what the new rdn value is, for updating the
3462 rDN and name fields */
3463 new_rdn_value = ldb_dn_get_rdn_val(new_dn);
3464 if (new_rdn_value == NULL) {
3465 talloc_free(tmp_ctx);
3466 return ldb_operr(ldb);
3469 sa = dsdb_attribute_by_lDAPDisplayName(schema, rdn_name);
3471 talloc_free(tmp_ctx);
3472 return LDB_ERR_OPERATIONS_ERROR;
3475 ret = ldb_msg_add_value(msg, sa->lDAPDisplayName, new_rdn_value,
3477 if (ret != LDB_SUCCESS) {
3478 talloc_free(tmp_ctx);
3481 el->flags = LDB_FLAG_MOD_REPLACE;
3483 el = ldb_msg_find_element(old_msg, "name");
3485 ret = ldb_msg_add_value(msg, "name", new_rdn_value, &el);
3486 if (ret != LDB_SUCCESS) {
3487 talloc_free(tmp_ctx);
3490 el->flags = LDB_FLAG_MOD_REPLACE;
3495 * TODO: Per MS-DRSR 5.160 RemoveObj we should remove links directly, not as an originating update!
3500 * No matter what has happned with other renames, try again to
3501 * get this to be under the deleted DN.
3503 if (strcmp(ldb_dn_get_linearized(old_dn), ldb_dn_get_linearized(new_dn)) != 0) {
3504 /* now rename onto the new DN */
3505 ret = dsdb_module_rename(module, old_dn, new_dn, DSDB_FLAG_NEXT_MODULE, req);
3506 if (ret != LDB_SUCCESS){
3507 DEBUG(0,(__location__ ": Failed to rename object from '%s' to '%s' - %s\n",
3508 ldb_dn_get_linearized(old_dn),
3509 ldb_dn_get_linearized(new_dn),
3510 ldb_errstring(ldb)));
3511 talloc_free(tmp_ctx);
3517 ret = dsdb_module_modify(module, msg, DSDB_FLAG_OWN_MODULE, req);
3518 if (ret != LDB_SUCCESS) {
3519 ldb_asprintf_errstring(ldb, "replmd_delete: Failed to modify object %s in delete - %s",
3520 ldb_dn_get_linearized(old_dn), ldb_errstring(ldb));
3521 talloc_free(tmp_ctx);
3525 talloc_free(tmp_ctx);
3527 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
3530 static int replmd_delete(struct ldb_module *module, struct ldb_request *req)
3532 return replmd_delete_internals(module, req, false);
3536 static int replmd_replicated_request_error(struct replmd_replicated_request *ar, int ret)
3541 static int replmd_replicated_request_werror(struct replmd_replicated_request *ar, WERROR status)
3543 int ret = LDB_ERR_OTHER;
3544 /* TODO: do some error mapping */
3546 /* Let the caller know the full WERROR */
3547 ar->objs->error = status;
3553 static struct replPropertyMetaData1 *
3554 replmd_replPropertyMetaData1_find_attid(struct replPropertyMetaDataBlob *md_blob,
3555 enum drsuapi_DsAttributeId attid)
3558 struct replPropertyMetaDataCtr1 *rpmd_ctr = &md_blob->ctr.ctr1;
3560 for (i = 0; i < rpmd_ctr->count; i++) {
3561 if (rpmd_ctr->array[i].attid == attid) {
3562 return &rpmd_ctr->array[i];
3570 return true if an update is newer than an existing entry
3571 see section 5.11 of MS-ADTS
3573 static bool replmd_update_is_newer(const struct GUID *current_invocation_id,
3574 const struct GUID *update_invocation_id,
3575 uint32_t current_version,
3576 uint32_t update_version,
3577 NTTIME current_change_time,
3578 NTTIME update_change_time)
3580 if (update_version != current_version) {
3581 return update_version > current_version;
3583 if (update_change_time != current_change_time) {
3584 return update_change_time > current_change_time;
3586 return GUID_compare(update_invocation_id, current_invocation_id) > 0;
3589 static bool replmd_replPropertyMetaData1_is_newer(struct replPropertyMetaData1 *cur_m,
3590 struct replPropertyMetaData1 *new_m)
3592 return replmd_update_is_newer(&cur_m->originating_invocation_id,
3593 &new_m->originating_invocation_id,
3596 cur_m->originating_change_time,
3597 new_m->originating_change_time);
3600 static bool replmd_replPropertyMetaData1_new_should_be_taken(uint32_t dsdb_repl_flags,
3601 struct replPropertyMetaData1 *cur_m,
3602 struct replPropertyMetaData1 *new_m)
3607 * If the new replPropertyMetaData entry for this attribute is
3608 * not provided (this happens in the case where we look for
3609 * ATTID_name, but the name was not changed), then the local
3610 * state is clearly still current, as the remote
3611 * server didn't send it due to being older the high watermark
3614 if (new_m == NULL) {
3618 if (dsdb_repl_flags & DSDB_REPL_FLAG_PRIORITISE_INCOMING) {
3620 * if we compare equal then do an
3621 * update. This is used when a client
3622 * asks for a FULL_SYNC, and can be
3623 * used to recover a corrupt
3626 * This call is a bit tricky, what we
3627 * are doing it turning the 'is_newer'
3628 * call into a 'not is older' by
3629 * swapping cur_m and new_m, and negating the
3632 cmp = !replmd_replPropertyMetaData1_is_newer(new_m,
3635 cmp = replmd_replPropertyMetaData1_is_newer(cur_m,
3645 static struct ldb_dn *replmd_conflict_dn(TALLOC_CTX *mem_ctx, struct ldb_dn *dn, struct GUID *guid)
3647 const struct ldb_val *rdn_val;
3648 const char *rdn_name;
3649 struct ldb_dn *new_dn;
3651 rdn_val = ldb_dn_get_rdn_val(dn);
3652 rdn_name = ldb_dn_get_rdn_name(dn);
3653 if (!rdn_val || !rdn_name) {
3657 new_dn = ldb_dn_copy(mem_ctx, dn);
3662 if (!ldb_dn_remove_child_components(new_dn, 1)) {
3666 if (!ldb_dn_add_child_fmt(new_dn, "%s=%s\\0ACNF:%s",
3668 ldb_dn_escape_value(new_dn, *rdn_val),
3669 GUID_string(new_dn, guid))) {
3678 perform a modify operation which sets the rDN and name attributes to
3679 their current values. This has the effect of changing these
3680 attributes to have been last updated by the current DC. This is
3681 needed to ensure that renames performed as part of conflict
3682 resolution are propogated to other DCs
3684 static int replmd_name_modify(struct replmd_replicated_request *ar,
3685 struct ldb_request *req, struct ldb_dn *dn)
3687 struct ldb_message *msg;
3688 const char *rdn_name;
3689 const struct ldb_val *rdn_val;
3690 const struct dsdb_attribute *rdn_attr;
3693 msg = ldb_msg_new(req);
3699 rdn_name = ldb_dn_get_rdn_name(dn);
3700 if (rdn_name == NULL) {
3704 /* normalize the rdn attribute name */
3705 rdn_attr = dsdb_attribute_by_lDAPDisplayName(ar->schema, rdn_name);
3706 if (rdn_attr == NULL) {
3709 rdn_name = rdn_attr->lDAPDisplayName;
3711 rdn_val = ldb_dn_get_rdn_val(dn);
3712 if (rdn_val == NULL) {
3716 if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
3719 if (ldb_msg_add_value(msg, rdn_name, rdn_val, NULL) != 0) {
3722 if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
3725 if (ldb_msg_add_value(msg, "name", rdn_val, NULL) != 0) {
3729 ret = dsdb_module_modify(ar->module, msg, DSDB_FLAG_OWN_MODULE, req);
3730 if (ret != LDB_SUCCESS) {
3731 DEBUG(0,(__location__ ": Failed to modify rDN/name of conflict DN '%s' - %s",
3732 ldb_dn_get_linearized(dn),
3733 ldb_errstring(ldb_module_get_ctx(ar->module))));
3743 DEBUG(0,(__location__ ": Failed to setup modify rDN/name of conflict DN '%s'",
3744 ldb_dn_get_linearized(dn)));
3745 return LDB_ERR_OPERATIONS_ERROR;
3750 callback for conflict DN handling where we have renamed the incoming
3751 record. After renaming it, we need to ensure the change of name and
3752 rDN for the incoming record is seen as an originating update by this DC.
3754 This also handles updating lastKnownParent for entries sent to lostAndFound
3756 static int replmd_op_name_modify_callback(struct ldb_request *req, struct ldb_reply *ares)
3758 struct replmd_replicated_request *ar =
3759 talloc_get_type_abort(req->context, struct replmd_replicated_request);
3760 struct ldb_dn *conflict_dn = NULL;
3763 if (ares->error != LDB_SUCCESS) {
3764 /* call the normal callback for everything except success */
3765 return replmd_op_callback(req, ares);
3768 switch (req->operation) {
3770 conflict_dn = req->op.add.message->dn;
3773 conflict_dn = req->op.mod.message->dn;
3776 smb_panic("replmd_op_name_modify_callback called in unknown circumstances");
3779 /* perform a modify of the rDN and name of the record */
3780 ret = replmd_name_modify(ar, req, conflict_dn);
3781 if (ret != LDB_SUCCESS) {
3783 return replmd_op_callback(req, ares);
3786 if (ar->objs->objects[ar->index_current].last_known_parent) {
3787 struct ldb_message *msg = ldb_msg_new(req);
3789 ldb_module_oom(ar->module);
3790 return LDB_ERR_OPERATIONS_ERROR;
3793 msg->dn = req->op.add.message->dn;
3795 ret = ldb_msg_add_steal_string(msg, "lastKnownParent",
3796 ldb_dn_get_extended_linearized(msg, ar->objs->objects[ar->index_current].last_known_parent, 1));
3797 if (ret != LDB_SUCCESS) {
3798 DEBUG(0,(__location__ ": Failed to add lastKnownParent string to the msg\n"));
3799 ldb_module_oom(ar->module);
3802 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
3804 ret = dsdb_module_modify(ar->module, msg, DSDB_FLAG_OWN_MODULE, req);
3805 if (ret != LDB_SUCCESS) {
3806 DEBUG(0,(__location__ ": Failed to modify lastKnownParent of lostAndFound DN '%s' - %s",
3807 ldb_dn_get_linearized(msg->dn),
3808 ldb_errstring(ldb_module_get_ctx(ar->module))));
3814 return replmd_op_callback(req, ares);
3818 callback for replmd_replicated_apply_add()
3819 This copes with the creation of conflict records in the case where
3820 the DN exists, but with a different objectGUID
3822 static int replmd_op_possible_conflict_callback(struct ldb_request *req, struct ldb_reply *ares, int (*callback)(struct ldb_request *req, struct ldb_reply *ares))
3824 struct ldb_dn *conflict_dn;
3825 struct replmd_replicated_request *ar =
3826 talloc_get_type_abort(req->context, struct replmd_replicated_request);
3827 struct ldb_result *res;
3828 const char *attrs[] = { "replPropertyMetaData", "objectGUID", NULL };
3830 const struct ldb_val *omd_value;
3831 struct replPropertyMetaDataBlob omd, *rmd;
3832 enum ndr_err_code ndr_err;
3833 bool rename_incoming_record, rodc;
3834 struct replPropertyMetaData1 *rmd_name, *omd_name;
3835 struct ldb_message *msg;
3836 struct ldb_request *down_req = NULL;
3838 /* call the normal callback for success */
3839 if (ares->error == LDB_SUCCESS) {
3840 return callback(req, ares);
3844 * we have a conflict, and need to decide if we will keep the
3845 * new record or the old record
3848 msg = ar->objs->objects[ar->index_current].msg;
3849 conflict_dn = msg->dn;
3851 /* For failures other than conflicts, fail the whole operation here */
3852 if (ares->error != LDB_ERR_ENTRY_ALREADY_EXISTS) {
3853 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module), "Failed to locally apply remote add of %s: %s",
3854 ldb_dn_get_linearized(conflict_dn),
3855 ldb_errstring(ldb_module_get_ctx(ar->module)));
3857 return ldb_module_done(ar->req, NULL, NULL,
3858 LDB_ERR_OPERATIONS_ERROR);
3861 ret = samdb_rodc(ldb_module_get_ctx(ar->module), &rodc);
3862 if (ret != LDB_SUCCESS) {
3863 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module), "Failed to determine if we are an RODC when attempting to form conflict DN: %s", ldb_errstring(ldb_module_get_ctx(ar->module)));
3864 return ldb_module_done(ar->req, NULL, NULL,
3865 LDB_ERR_OPERATIONS_ERROR);
3871 * We are on an RODC, or were a GC for this
3872 * partition, so we have to fail this until
3873 * someone who owns the partition sorts it
3876 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
3877 "Conflict adding object '%s' from incoming replication as we are read only for the partition. \n"
3878 " - We must fail the operation until a master for this partition resolves the conflict",
3879 ldb_dn_get_linearized(conflict_dn));
3884 * first we need the replPropertyMetaData attribute from the
3885 * local, conflicting record
3887 ret = dsdb_module_search_dn(ar->module, req, &res, conflict_dn,
3889 DSDB_FLAG_NEXT_MODULE |
3890 DSDB_SEARCH_SHOW_DELETED |
3891 DSDB_SEARCH_SHOW_RECYCLED, req);
3892 if (ret != LDB_SUCCESS) {
3893 DEBUG(0,(__location__ ": Unable to find object for conflicting record '%s'\n",
3894 ldb_dn_get_linearized(conflict_dn)));
3898 omd_value = ldb_msg_find_ldb_val(res->msgs[0], "replPropertyMetaData");
3899 if (omd_value == NULL) {
3900 DEBUG(0,(__location__ ": Unable to find replPropertyMetaData for conflicting record '%s'\n",
3901 ldb_dn_get_linearized(conflict_dn)));
3905 ndr_err = ndr_pull_struct_blob(omd_value, res->msgs[0], &omd,
3906 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
3907 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3908 DEBUG(0,(__location__ ": Failed to parse old replPropertyMetaData for %s\n",
3909 ldb_dn_get_linearized(conflict_dn)));
3913 rmd = ar->objs->objects[ar->index_current].meta_data;
3916 * we decide which is newer based on the RPMD on the name
3917 * attribute. See [MS-DRSR] ResolveNameConflict.
3919 * We expect omd_name to be present, as this is from a local
3920 * search, but while rmd_name should have been given to us by
3921 * the remote server, if it is missing we just prefer the
3923 * replmd_replPropertyMetaData1_new_should_be_taken()
3925 rmd_name = replmd_replPropertyMetaData1_find_attid(rmd, DRSUAPI_ATTID_name);
3926 omd_name = replmd_replPropertyMetaData1_find_attid(&omd, DRSUAPI_ATTID_name);
3928 DEBUG(0,(__location__ ": Failed to find name attribute in local LDB replPropertyMetaData for %s\n",
3929 ldb_dn_get_linearized(conflict_dn)));
3934 * Should we preserve the current record, and so rename the
3935 * incoming record to be a conflict?
3937 rename_incoming_record
3938 = !replmd_replPropertyMetaData1_new_should_be_taken(ar->objs->dsdb_repl_flags & DSDB_REPL_FLAG_PRIORITISE_INCOMING,
3939 omd_name, rmd_name);
3941 if (rename_incoming_record) {
3943 struct ldb_dn *new_dn;
3945 guid = samdb_result_guid(msg, "objectGUID");
3946 if (GUID_all_zero(&guid)) {
3947 DEBUG(0,(__location__ ": Failed to find objectGUID for conflicting incoming record %s\n",
3948 ldb_dn_get_linearized(conflict_dn)));
3951 new_dn = replmd_conflict_dn(req, conflict_dn, &guid);
3952 if (new_dn == NULL) {
3953 DEBUG(0,(__location__ ": Failed to form conflict DN for %s\n",
3954 ldb_dn_get_linearized(conflict_dn)));
3958 DEBUG(2,(__location__ ": Resolving conflict record via incoming rename '%s' -> '%s'\n",
3959 ldb_dn_get_linearized(conflict_dn), ldb_dn_get_linearized(new_dn)));
3961 /* re-submit the request, but with the new DN */
3962 callback = replmd_op_name_modify_callback;
3965 /* we are renaming the existing record */
3967 struct ldb_dn *new_dn;
3969 guid = samdb_result_guid(res->msgs[0], "objectGUID");
3970 if (GUID_all_zero(&guid)) {
3971 DEBUG(0,(__location__ ": Failed to find objectGUID for existing conflict record %s\n",
3972 ldb_dn_get_linearized(conflict_dn)));
3976 new_dn = replmd_conflict_dn(req, conflict_dn, &guid);
3977 if (new_dn == NULL) {
3978 DEBUG(0,(__location__ ": Failed to form conflict DN for %s\n",
3979 ldb_dn_get_linearized(conflict_dn)));
3983 DEBUG(2,(__location__ ": Resolving conflict record via existing-record rename '%s' -> '%s'\n",
3984 ldb_dn_get_linearized(conflict_dn), ldb_dn_get_linearized(new_dn)));
3986 ret = dsdb_module_rename(ar->module, conflict_dn, new_dn,
3987 DSDB_FLAG_OWN_MODULE, req);
3988 if (ret != LDB_SUCCESS) {
3989 DEBUG(0,(__location__ ": Failed to rename conflict dn '%s' to '%s' - %s\n",
3990 ldb_dn_get_linearized(conflict_dn),
3991 ldb_dn_get_linearized(new_dn),
3992 ldb_errstring(ldb_module_get_ctx(ar->module))));
3997 * now we need to ensure that the rename is seen as an
3998 * originating update. We do that with a modify.
4000 ret = replmd_name_modify(ar, req, new_dn);
4001 if (ret != LDB_SUCCESS) {
4005 DEBUG(2,(__location__ ": With conflicting record renamed, re-apply replicated creation of '%s'\n",
4006 ldb_dn_get_linearized(req->op.add.message->dn)));
4009 ret = ldb_build_add_req(&down_req,
4010 ldb_module_get_ctx(ar->module),
4017 if (ret != LDB_SUCCESS) {
4020 LDB_REQ_SET_LOCATION(down_req);
4022 /* current partition control needed by "repmd_op_callback" */
4023 ret = ldb_request_add_control(down_req,
4024 DSDB_CONTROL_CURRENT_PARTITION_OID,
4026 if (ret != LDB_SUCCESS) {
4027 return replmd_replicated_request_error(ar, ret);
4030 if (ar->objs->dsdb_repl_flags & DSDB_REPL_FLAG_PARTIAL_REPLICA) {
4031 /* this tells the partition module to make it a
4032 partial replica if creating an NC */
4033 ret = ldb_request_add_control(down_req,
4034 DSDB_CONTROL_PARTIAL_REPLICA,
4036 if (ret != LDB_SUCCESS) {
4037 return replmd_replicated_request_error(ar, ret);
4042 * Finally we re-run the add, otherwise the new record won't
4043 * exist, as we are here because of that exact failure!
4045 return ldb_next_request(ar->module, down_req);
4048 /* on failure make the caller get the error. This means
4049 * replication will stop with an error, but there is not much
4052 return ldb_module_done(ar->req, NULL, NULL,
4057 callback for replmd_replicated_apply_add()
4058 This copes with the creation of conflict records in the case where
4059 the DN exists, but with a different objectGUID
4061 static int replmd_op_add_callback(struct ldb_request *req, struct ldb_reply *ares)
4063 struct replmd_replicated_request *ar =
4064 talloc_get_type_abort(req->context, struct replmd_replicated_request);
4066 if (ar->objs->objects[ar->index_current].last_known_parent) {
4067 /* This is like a conflict DN, where we put the object in LostAndFound
4068 see MS-DRSR 4.1.10.6.10 FindBestParentObject */
4069 return replmd_op_possible_conflict_callback(req, ares, replmd_op_name_modify_callback);
4072 return replmd_op_possible_conflict_callback(req, ares, replmd_op_callback);
4076 this is called when a new object comes in over DRS
4078 static int replmd_replicated_apply_add(struct replmd_replicated_request *ar)
4080 struct ldb_context *ldb;
4081 struct ldb_request *change_req;
4082 enum ndr_err_code ndr_err;
4083 struct ldb_message *msg;
4084 struct replPropertyMetaDataBlob *md;
4085 struct ldb_val md_value;
4088 bool remote_isDeleted = false;
4091 time_t t = time(NULL);
4092 const struct ldb_val *rdn_val;
4093 struct replmd_private *replmd_private =
4094 talloc_get_type(ldb_module_get_private(ar->module),
4095 struct replmd_private);
4096 unix_to_nt_time(&now, t);
4098 ldb = ldb_module_get_ctx(ar->module);
4099 msg = ar->objs->objects[ar->index_current].msg;
4100 md = ar->objs->objects[ar->index_current].meta_data;
4101 is_schema_nc = ldb_dn_compare_base(replmd_private->schema_dn, msg->dn) == 0;
4103 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ar->seq_num);
4104 if (ret != LDB_SUCCESS) {
4105 return replmd_replicated_request_error(ar, ret);
4108 ret = dsdb_msg_add_guid(msg,
4109 &ar->objs->objects[ar->index_current].object_guid,
4111 if (ret != LDB_SUCCESS) {
4112 return replmd_replicated_request_error(ar, ret);
4115 ret = ldb_msg_add_string(msg, "whenChanged", ar->objs->objects[ar->index_current].when_changed);
4116 if (ret != LDB_SUCCESS) {
4117 return replmd_replicated_request_error(ar, ret);
4120 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNCreated", ar->seq_num);
4121 if (ret != LDB_SUCCESS) {
4122 return replmd_replicated_request_error(ar, ret);
4125 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNChanged", ar->seq_num);
4126 if (ret != LDB_SUCCESS) {
4127 return replmd_replicated_request_error(ar, ret);
4130 /* remove any message elements that have zero values */
4131 for (i=0; i<msg->num_elements; i++) {
4132 struct ldb_message_element *el = &msg->elements[i];
4134 if (el->num_values == 0) {
4135 if (ldb_attr_cmp(msg->elements[i].name, "objectClass") == 0) {
4136 ldb_asprintf_errstring(ldb, __location__
4137 ": empty objectClass sent on %s, aborting replication\n",
4138 ldb_dn_get_linearized(msg->dn));
4139 return replmd_replicated_request_error(ar, LDB_ERR_OBJECT_CLASS_VIOLATION);
4142 DEBUG(4,(__location__ ": Removing attribute %s with num_values==0\n",
4144 memmove(el, el+1, sizeof(*el)*(msg->num_elements - (i+1)));
4145 msg->num_elements--;
4152 struct GUID_txt_buf guid_txt;
4154 char *s = ldb_ldif_message_string(ldb, ar, LDB_CHANGETYPE_ADD, msg);
4155 DEBUG(4, ("DRS replication add message of %s:\n%s\n",
4156 GUID_buf_string(&ar->objs->objects[ar->index_current].object_guid, &guid_txt),
4161 remote_isDeleted = ldb_msg_find_attr_as_bool(msg,
4162 "isDeleted", false);
4165 * the meta data array is already sorted by the caller, except
4166 * for the RDN, which needs to be added.
4170 rdn_val = ldb_dn_get_rdn_val(msg->dn);
4171 ret = replmd_update_rpmd_rdn_attr(ldb, msg, rdn_val, NULL,
4172 md, ar, now, is_schema_nc);
4173 if (ret != LDB_SUCCESS) {
4174 ldb_asprintf_errstring(ldb, "%s: error during DRS repl ADD: %s", __func__, ldb_errstring(ldb));
4175 return replmd_replicated_request_error(ar, ret);
4178 ret = replmd_replPropertyMetaDataCtr1_sort_and_verify(ldb, &md->ctr.ctr1, msg->dn);
4179 if (ret != LDB_SUCCESS) {
4180 ldb_asprintf_errstring(ldb, "%s: error during DRS repl ADD: %s", __func__, ldb_errstring(ldb));
4181 return replmd_replicated_request_error(ar, ret);
4184 for (i=0; i < md->ctr.ctr1.count; i++) {
4185 md->ctr.ctr1.array[i].local_usn = ar->seq_num;
4187 ndr_err = ndr_push_struct_blob(&md_value, msg, md,
4188 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
4189 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4190 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
4191 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4193 ret = ldb_msg_add_value(msg, "replPropertyMetaData", &md_value, NULL);
4194 if (ret != LDB_SUCCESS) {
4195 return replmd_replicated_request_error(ar, ret);
4198 replmd_ldb_message_sort(msg, ar->schema);
4200 if (!remote_isDeleted) {
4201 ret = dsdb_module_schedule_sd_propagation(ar->module,
4202 ar->objs->partition_dn,
4204 if (ret != LDB_SUCCESS) {
4205 return replmd_replicated_request_error(ar, ret);
4209 ar->isDeleted = remote_isDeleted;
4211 ret = ldb_build_add_req(&change_req,
4217 replmd_op_add_callback,
4219 LDB_REQ_SET_LOCATION(change_req);
4220 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4222 /* current partition control needed by "repmd_op_callback" */
4223 ret = ldb_request_add_control(change_req,
4224 DSDB_CONTROL_CURRENT_PARTITION_OID,
4226 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4228 if (ar->objs->dsdb_repl_flags & DSDB_REPL_FLAG_PARTIAL_REPLICA) {
4229 /* this tells the partition module to make it a
4230 partial replica if creating an NC */
4231 ret = ldb_request_add_control(change_req,
4232 DSDB_CONTROL_PARTIAL_REPLICA,
4234 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4237 return ldb_next_request(ar->module, change_req);
4240 static int replmd_replicated_apply_search_for_parent_callback(struct ldb_request *req,
4241 struct ldb_reply *ares)
4243 struct replmd_replicated_request *ar = talloc_get_type(req->context,
4244 struct replmd_replicated_request);
4248 return ldb_module_done(ar->req, NULL, NULL,
4249 LDB_ERR_OPERATIONS_ERROR);
4253 * The error NO_SUCH_OBJECT is not expected, unless the search
4254 * base is the partition DN, and that case doesn't happen here
4255 * because then we wouldn't get a parent_guid_value in any
4258 if (ares->error != LDB_SUCCESS) {
4259 return ldb_module_done(ar->req, ares->controls,
4260 ares->response, ares->error);
4263 switch (ares->type) {
4264 case LDB_REPLY_ENTRY:
4266 struct ldb_message *parent_msg = ares->message;
4267 struct ldb_message *msg = ar->objs->objects[ar->index_current].msg;
4268 struct ldb_dn *parent_dn;
4271 if (!ldb_msg_check_string_attribute(msg, "isDeleted", "TRUE")
4272 && ldb_msg_check_string_attribute(parent_msg, "isDeleted", "TRUE")) {
4273 /* Per MS-DRSR 4.1.10.6.10
4274 * FindBestParentObject we need to move this
4275 * new object under a deleted object to
4277 struct ldb_dn *nc_root;
4279 ret = dsdb_find_nc_root(ldb_module_get_ctx(ar->module), msg, msg->dn, &nc_root);
4280 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
4281 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
4282 "No suitable NC root found for %s. "
4283 "We need to move this object because parent object %s "
4284 "is deleted, but this object is not.",
4285 ldb_dn_get_linearized(msg->dn),
4286 ldb_dn_get_linearized(parent_msg->dn));
4287 return ldb_module_done(ar->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
4288 } else if (ret != LDB_SUCCESS) {
4289 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
4290 "Unable to find NC root for %s: %s. "
4291 "We need to move this object because parent object %s "
4292 "is deleted, but this object is not.",
4293 ldb_dn_get_linearized(msg->dn),
4294 ldb_errstring(ldb_module_get_ctx(ar->module)),
4295 ldb_dn_get_linearized(parent_msg->dn));
4296 return ldb_module_done(ar->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
4299 ret = dsdb_wellknown_dn(ldb_module_get_ctx(ar->module), msg,
4301 DS_GUID_LOSTANDFOUND_CONTAINER,
4303 if (ret != LDB_SUCCESS) {
4304 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
4305 "Unable to find LostAndFound Container for %s "
4306 "in partition %s: %s. "
4307 "We need to move this object because parent object %s "
4308 "is deleted, but this object is not.",
4309 ldb_dn_get_linearized(msg->dn), ldb_dn_get_linearized(nc_root),
4310 ldb_errstring(ldb_module_get_ctx(ar->module)),
4311 ldb_dn_get_linearized(parent_msg->dn));
4312 return ldb_module_done(ar->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
4314 ar->objs->objects[ar->index_current].last_known_parent
4315 = talloc_steal(ar->objs->objects[ar->index_current].msg, parent_msg->dn);
4319 = talloc_steal(ar->objs->objects[ar->index_current].msg, parent_msg->dn);
4322 ar->objs->objects[ar->index_current].local_parent_dn = parent_dn;
4324 comp_num = ldb_dn_get_comp_num(msg->dn);
4326 if (!ldb_dn_remove_base_components(msg->dn, comp_num - 1)) {
4328 return ldb_module_done(ar->req, NULL, NULL, ldb_module_operr(ar->module));
4331 if (!ldb_dn_add_base(msg->dn, parent_dn)) {
4333 return ldb_module_done(ar->req, NULL, NULL, ldb_module_operr(ar->module));
4337 case LDB_REPLY_REFERRAL:
4338 /* we ignore referrals */
4341 case LDB_REPLY_DONE:
4343 if (ar->objs->objects[ar->index_current].local_parent_dn == NULL) {
4344 struct GUID_txt_buf str_buf;
4345 if (ar->search_msg != NULL) {
4346 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
4347 "No parent with GUID %s found for object locally known as %s",
4348 GUID_buf_string(ar->objs->objects[ar->index_current].parent_guid, &str_buf),
4349 ldb_dn_get_linearized(ar->search_msg->dn));
4351 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
4352 "No parent with GUID %s found for object remotely known as %s",
4353 GUID_buf_string(ar->objs->objects[ar->index_current].parent_guid, &str_buf),
4354 ldb_dn_get_linearized(ar->objs->objects[ar->index_current].msg->dn));
4358 * This error code is really important, as it
4359 * is the flag back to the callers to retry
4360 * this with DRSUAPI_DRS_GET_ANC, and so get
4361 * the parent objects before the child
4364 return ldb_module_done(ar->req, NULL, NULL,
4365 replmd_replicated_request_werror(ar, WERR_DS_DRA_MISSING_PARENT));
4368 if (ar->search_msg != NULL) {
4369 ret = replmd_replicated_apply_merge(ar);
4371 ret = replmd_replicated_apply_add(ar);
4373 if (ret != LDB_SUCCESS) {
4374 return ldb_module_done(ar->req, NULL, NULL, ret);
4383 * Look for the parent object, so we put the new object in the right
4384 * place This is akin to NameObject in MS-DRSR - this routine and the
4385 * callbacks find the right parent name, and correct name for this
4389 static int replmd_replicated_apply_search_for_parent(struct replmd_replicated_request *ar)
4391 struct ldb_context *ldb;
4395 struct ldb_request *search_req;
4396 static const char *attrs[] = {"isDeleted", NULL};
4397 struct GUID_txt_buf guid_str_buf;
4399 ldb = ldb_module_get_ctx(ar->module);
4401 if (ar->objs->objects[ar->index_current].parent_guid == NULL) {
4402 if (ar->search_msg != NULL) {
4403 return replmd_replicated_apply_merge(ar);
4405 return replmd_replicated_apply_add(ar);
4409 tmp_str = GUID_buf_string(ar->objs->objects[ar->index_current].parent_guid,
4412 filter = talloc_asprintf(ar, "(objectGUID=%s)", tmp_str);
4413 if (!filter) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4415 ret = ldb_build_search_req(&search_req,
4418 ar->objs->partition_dn,
4424 replmd_replicated_apply_search_for_parent_callback,
4426 LDB_REQ_SET_LOCATION(search_req);
4428 ret = dsdb_request_add_controls(search_req,
4429 DSDB_SEARCH_SHOW_RECYCLED|
4430 DSDB_SEARCH_SHOW_DELETED|
4431 DSDB_SEARCH_SHOW_EXTENDED_DN);
4432 if (ret != LDB_SUCCESS) {
4436 return ldb_next_request(ar->module, search_req);
4440 handle renames that come in over DRS replication
4442 static int replmd_replicated_handle_rename(struct replmd_replicated_request *ar,
4443 struct ldb_message *msg,
4444 struct ldb_request *parent,
4448 TALLOC_CTX *tmp_ctx = talloc_new(msg);
4449 struct ldb_result *res;
4450 struct ldb_dn *conflict_dn;
4451 const char *attrs[] = { "replPropertyMetaData", "objectGUID", NULL };
4452 const struct ldb_val *omd_value;
4453 struct replPropertyMetaDataBlob omd, *rmd;
4454 enum ndr_err_code ndr_err;
4455 bool rename_incoming_record, rodc;
4456 struct replPropertyMetaData1 *rmd_name, *omd_name;
4457 struct ldb_dn *new_dn;
4460 DEBUG(4,("replmd_replicated_request rename %s => %s\n",
4461 ldb_dn_get_linearized(ar->search_msg->dn),
4462 ldb_dn_get_linearized(msg->dn)));
4465 ret = dsdb_module_rename(ar->module, ar->search_msg->dn, msg->dn,
4466 DSDB_FLAG_NEXT_MODULE, ar->req);
4467 if (ret == LDB_SUCCESS) {
4468 talloc_free(tmp_ctx);
4473 if (ret != LDB_ERR_ENTRY_ALREADY_EXISTS) {
4474 talloc_free(tmp_ctx);
4475 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module), "Failed to locally apply remote rename from %s to %s: %s",
4476 ldb_dn_get_linearized(ar->search_msg->dn),
4477 ldb_dn_get_linearized(msg->dn),
4478 ldb_errstring(ldb_module_get_ctx(ar->module)));
4482 ret = samdb_rodc(ldb_module_get_ctx(ar->module), &rodc);
4483 if (ret != LDB_SUCCESS) {
4484 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
4485 "Failed to determine if we are an RODC when attempting to form conflict DN: %s",
4486 ldb_errstring(ldb_module_get_ctx(ar->module)));
4487 return LDB_ERR_OPERATIONS_ERROR;
4490 * we have a conflict, and need to decide if we will keep the
4491 * new record or the old record
4494 conflict_dn = msg->dn;
4498 * We are on an RODC, or were a GC for this
4499 * partition, so we have to fail this until
4500 * someone who owns the partition sorts it
4503 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
4504 "Conflict adding object '%s' from incoming replication but we are read only for the partition. \n"
4505 " - We must fail the operation until a master for this partition resolves the conflict",
4506 ldb_dn_get_linearized(conflict_dn));
4511 * first we need the replPropertyMetaData attribute from the
4514 ret = dsdb_module_search_dn(ar->module, tmp_ctx, &res, conflict_dn,
4516 DSDB_FLAG_NEXT_MODULE |
4517 DSDB_SEARCH_SHOW_DELETED |
4518 DSDB_SEARCH_SHOW_RECYCLED, ar->req);
4519 if (ret != LDB_SUCCESS) {
4520 DEBUG(0,(__location__ ": Unable to find object for conflicting record '%s'\n",
4521 ldb_dn_get_linearized(conflict_dn)));
4525 omd_value = ldb_msg_find_ldb_val(res->msgs[0], "replPropertyMetaData");
4526 if (omd_value == NULL) {
4527 DEBUG(0,(__location__ ": Unable to find replPropertyMetaData for conflicting record '%s'\n",
4528 ldb_dn_get_linearized(conflict_dn)));
4532 ndr_err = ndr_pull_struct_blob(omd_value, res->msgs[0], &omd,
4533 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
4534 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4535 DEBUG(0,(__location__ ": Failed to parse old replPropertyMetaData for %s\n",
4536 ldb_dn_get_linearized(conflict_dn)));
4540 rmd = ar->objs->objects[ar->index_current].meta_data;
4543 * we decide which is newer based on the RPMD on the name
4544 * attribute. See [MS-DRSR] ResolveNameConflict.
4546 * We expect omd_name to be present, as this is from a local
4547 * search, but while rmd_name should have been given to us by
4548 * the remote server, if it is missing we just prefer the
4550 * replmd_replPropertyMetaData1_new_should_be_taken()
4552 rmd_name = replmd_replPropertyMetaData1_find_attid(rmd, DRSUAPI_ATTID_name);
4553 omd_name = replmd_replPropertyMetaData1_find_attid(&omd, DRSUAPI_ATTID_name);
4555 DEBUG(0,(__location__ ": Failed to find name attribute in local LDB replPropertyMetaData for %s\n",
4556 ldb_dn_get_linearized(conflict_dn)));
4561 * Should we preserve the current record, and so rename the
4562 * incoming record to be a conflict?
4564 rename_incoming_record =
4565 !replmd_replPropertyMetaData1_new_should_be_taken(
4566 ar->objs->dsdb_repl_flags & DSDB_REPL_FLAG_PRIORITISE_INCOMING,
4567 omd_name, rmd_name);
4569 if (rename_incoming_record) {
4571 new_dn = replmd_conflict_dn(msg, msg->dn,
4572 &ar->objs->objects[ar->index_current].object_guid);
4573 if (new_dn == NULL) {
4574 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
4575 "Failed to form conflict DN for %s\n",
4576 ldb_dn_get_linearized(msg->dn));
4578 return replmd_replicated_request_werror(ar, WERR_NOMEM);
4581 ret = dsdb_module_rename(ar->module, ar->search_msg->dn, new_dn,
4582 DSDB_FLAG_NEXT_MODULE, ar->req);
4583 if (ret != LDB_SUCCESS) {
4584 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
4585 "Failed to rename incoming conflicting dn '%s' (was '%s') to '%s' - %s\n",
4586 ldb_dn_get_linearized(conflict_dn),
4587 ldb_dn_get_linearized(ar->search_msg->dn),
4588 ldb_dn_get_linearized(new_dn),
4589 ldb_errstring(ldb_module_get_ctx(ar->module)));
4590 return replmd_replicated_request_werror(ar, WERR_DS_DRA_DB_ERROR);
4598 /* we are renaming the existing record */
4600 guid = samdb_result_guid(res->msgs[0], "objectGUID");
4601 if (GUID_all_zero(&guid)) {
4602 DEBUG(0,(__location__ ": Failed to find objectGUID for existing conflict record %s\n",
4603 ldb_dn_get_linearized(conflict_dn)));
4607 new_dn = replmd_conflict_dn(tmp_ctx, conflict_dn, &guid);
4608 if (new_dn == NULL) {
4609 DEBUG(0,(__location__ ": Failed to form conflict DN for %s\n",
4610 ldb_dn_get_linearized(conflict_dn)));
4614 DEBUG(2,(__location__ ": Resolving conflict record via existing-record rename '%s' -> '%s'\n",
4615 ldb_dn_get_linearized(conflict_dn), ldb_dn_get_linearized(new_dn)));
4617 ret = dsdb_module_rename(ar->module, conflict_dn, new_dn,
4618 DSDB_FLAG_OWN_MODULE, ar->req);
4619 if (ret != LDB_SUCCESS) {
4620 DEBUG(0,(__location__ ": Failed to rename conflict dn '%s' to '%s' - %s\n",
4621 ldb_dn_get_linearized(conflict_dn),
4622 ldb_dn_get_linearized(new_dn),
4623 ldb_errstring(ldb_module_get_ctx(ar->module))));
4628 * now we need to ensure that the rename is seen as an
4629 * originating update. We do that with a modify.
4631 ret = replmd_name_modify(ar, ar->req, new_dn);
4632 if (ret != LDB_SUCCESS) {
4636 DEBUG(2,(__location__ ": With conflicting record renamed, re-apply replicated rename '%s' -> '%s'\n",
4637 ldb_dn_get_linearized(ar->search_msg->dn),
4638 ldb_dn_get_linearized(msg->dn)));
4641 ret = dsdb_module_rename(ar->module, ar->search_msg->dn, msg->dn,
4642 DSDB_FLAG_NEXT_MODULE, ar->req);
4643 if (ret != LDB_SUCCESS) {
4644 DEBUG(0,(__location__ ": After conflict resolution, failed to rename dn '%s' to '%s' - %s\n",
4645 ldb_dn_get_linearized(ar->search_msg->dn),
4646 ldb_dn_get_linearized(msg->dn),
4647 ldb_errstring(ldb_module_get_ctx(ar->module))));
4653 * On failure make the caller get the error
4654 * This means replication will stop with an error,
4655 * but there is not much else we can do. In the
4656 * LDB_ERR_ENTRY_ALREADY_EXISTS case this is exactly what is
4660 talloc_free(tmp_ctx);
4665 static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
4667 struct ldb_context *ldb;
4668 struct ldb_request *change_req;
4669 enum ndr_err_code ndr_err;
4670 struct ldb_message *msg;
4671 struct replPropertyMetaDataBlob *rmd;
4672 struct replPropertyMetaDataBlob omd;
4673 const struct ldb_val *omd_value;
4674 struct replPropertyMetaDataBlob nmd;
4675 struct ldb_val nmd_value;
4676 struct GUID remote_parent_guid;
4679 unsigned int removed_attrs = 0;
4681 int (*callback)(struct ldb_request *req, struct ldb_reply *ares) = replmd_op_callback;
4682 bool isDeleted = false;
4683 bool local_isDeleted = false;
4684 bool remote_isDeleted = false;
4685 bool take_remote_isDeleted = false;
4686 bool sd_updated = false;
4687 bool renamed = false;
4688 bool is_schema_nc = false;
4690 const struct ldb_val *old_rdn, *new_rdn;
4691 struct replmd_private *replmd_private =
4692 talloc_get_type(ldb_module_get_private(ar->module),
4693 struct replmd_private);
4695 time_t t = time(NULL);
4696 unix_to_nt_time(&now, t);
4698 ldb = ldb_module_get_ctx(ar->module);
4699 msg = ar->objs->objects[ar->index_current].msg;
4701 is_schema_nc = ldb_dn_compare_base(replmd_private->schema_dn, msg->dn) == 0;
4703 rmd = ar->objs->objects[ar->index_current].meta_data;
4707 /* find existing meta data */
4708 omd_value = ldb_msg_find_ldb_val(ar->search_msg, "replPropertyMetaData");
4710 ndr_err = ndr_pull_struct_blob(omd_value, ar, &omd,
4711 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
4712 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4713 nt_status = ndr_map_error2ntstatus(ndr_err);
4714 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4717 if (omd.version != 1) {
4718 return replmd_replicated_request_werror(ar, WERR_DS_DRA_INTERNAL_ERROR);
4723 struct GUID_txt_buf guid_txt;
4725 char *s = ldb_ldif_message_string(ldb, ar, LDB_CHANGETYPE_MODIFY, msg);
4726 DEBUG(5, ("Initial DRS replication modify message of %s is:\n%s\n"
4729 GUID_buf_string(&ar->objs->objects[ar->index_current].object_guid, &guid_txt),
4731 ndr_print_struct_string(s,
4732 (ndr_print_fn_t)ndr_print_replPropertyMetaDataBlob,
4733 "existing replPropertyMetaData",
4735 ndr_print_struct_string(s,
4736 (ndr_print_fn_t)ndr_print_replPropertyMetaDataBlob,
4737 "incoming replPropertyMetaData",
4742 local_isDeleted = ldb_msg_find_attr_as_bool(ar->search_msg,
4743 "isDeleted", false);
4744 remote_isDeleted = ldb_msg_find_attr_as_bool(msg,
4745 "isDeleted", false);
4748 * Fill in the remote_parent_guid with the GUID or an all-zero
4751 if (ar->objs->objects[ar->index_current].parent_guid != NULL) {
4752 remote_parent_guid = *ar->objs->objects[ar->index_current].parent_guid;
4754 remote_parent_guid = GUID_zero();
4758 * To ensure we follow a complex rename chain around, we have
4759 * to confirm that the DN is the same (mostly to confirm the
4760 * RDN) and the parentGUID is the same.
4762 * This ensures we keep things under the correct parent, which
4763 * replmd_replicated_handle_rename() will do.
4766 if (strcmp(ldb_dn_get_linearized(msg->dn), ldb_dn_get_linearized(ar->search_msg->dn)) == 0
4767 && GUID_equal(&remote_parent_guid, &ar->local_parent_guid)) {
4771 * handle renames, even just by case that come in over
4772 * DRS. Changes in the parent DN don't hit us here,
4773 * because the search for a parent will clean up those
4776 * We also have already filtered out the case where
4777 * the peer has an older name to what we have (see
4778 * replmd_replicated_apply_search_callback())
4780 ret = replmd_replicated_handle_rename(ar, msg, ar->req, &renamed);
4783 if (ret != LDB_SUCCESS) {
4784 ldb_debug(ldb, LDB_DEBUG_FATAL,
4785 "replmd_replicated_request rename %s => %s failed - %s\n",
4786 ldb_dn_get_linearized(ar->search_msg->dn),
4787 ldb_dn_get_linearized(msg->dn),
4788 ldb_errstring(ldb));
4789 return replmd_replicated_request_werror(ar, WERR_DS_DRA_DB_ERROR);
4792 if (renamed == true) {
4794 * Set the callback to one that will fix up the name
4795 * metadata on the new conflict DN
4797 callback = replmd_op_name_modify_callback;
4802 nmd.ctr.ctr1.count = omd.ctr.ctr1.count + rmd->ctr.ctr1.count;
4803 nmd.ctr.ctr1.array = talloc_array(ar,
4804 struct replPropertyMetaData1,
4805 nmd.ctr.ctr1.count);
4806 if (!nmd.ctr.ctr1.array) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4808 /* first copy the old meta data */
4809 for (i=0; i < omd.ctr.ctr1.count; i++) {
4810 nmd.ctr.ctr1.array[ni] = omd.ctr.ctr1.array[i];
4815 /* now merge in the new meta data */
4816 for (i=0; i < rmd->ctr.ctr1.count; i++) {
4819 for (j=0; j < ni; j++) {
4822 if (rmd->ctr.ctr1.array[i].attid != nmd.ctr.ctr1.array[j].attid) {
4826 cmp = replmd_replPropertyMetaData1_new_should_be_taken(
4827 ar->objs->dsdb_repl_flags,
4828 &nmd.ctr.ctr1.array[j],
4829 &rmd->ctr.ctr1.array[i]);
4831 /* replace the entry */
4832 nmd.ctr.ctr1.array[j] = rmd->ctr.ctr1.array[i];
4833 if (ar->seq_num == 0) {
4834 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ar->seq_num);
4835 if (ret != LDB_SUCCESS) {
4836 return replmd_replicated_request_error(ar, ret);
4839 nmd.ctr.ctr1.array[j].local_usn = ar->seq_num;
4840 switch (nmd.ctr.ctr1.array[j].attid) {
4841 case DRSUAPI_ATTID_ntSecurityDescriptor:
4844 case DRSUAPI_ATTID_isDeleted:
4845 take_remote_isDeleted = true;
4854 if (rmd->ctr.ctr1.array[i].attid != DRSUAPI_ATTID_instanceType) {
4855 DEBUG(3,("Discarding older DRS attribute update to %s on %s from %s\n",
4856 msg->elements[i-removed_attrs].name,
4857 ldb_dn_get_linearized(msg->dn),
4858 GUID_string(ar, &rmd->ctr.ctr1.array[i].originating_invocation_id)));
4861 /* we don't want to apply this change so remove the attribute */
4862 ldb_msg_remove_element(msg, &msg->elements[i-removed_attrs]);
4869 if (found) continue;
4871 nmd.ctr.ctr1.array[ni] = rmd->ctr.ctr1.array[i];
4872 if (ar->seq_num == 0) {
4873 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ar->seq_num);
4874 if (ret != LDB_SUCCESS) {
4875 return replmd_replicated_request_error(ar, ret);
4878 nmd.ctr.ctr1.array[ni].local_usn = ar->seq_num;
4879 switch (nmd.ctr.ctr1.array[ni].attid) {
4880 case DRSUAPI_ATTID_ntSecurityDescriptor:
4883 case DRSUAPI_ATTID_isDeleted:
4884 take_remote_isDeleted = true;
4893 * finally correct the size of the meta_data array
4895 nmd.ctr.ctr1.count = ni;
4897 new_rdn = ldb_dn_get_rdn_val(msg->dn);
4898 old_rdn = ldb_dn_get_rdn_val(ar->search_msg->dn);
4901 ret = replmd_update_rpmd_rdn_attr(ldb, msg, new_rdn, old_rdn,
4902 &nmd, ar, now, is_schema_nc);
4903 if (ret != LDB_SUCCESS) {
4904 ldb_asprintf_errstring(ldb, "%s: error during DRS repl merge: %s", __func__, ldb_errstring(ldb));
4905 return replmd_replicated_request_error(ar, ret);
4909 * sort the new meta data array
4911 ret = replmd_replPropertyMetaDataCtr1_sort_and_verify(ldb, &nmd.ctr.ctr1, msg->dn);
4912 if (ret != LDB_SUCCESS) {
4913 ldb_asprintf_errstring(ldb, "%s: error during DRS repl merge: %s", __func__, ldb_errstring(ldb));
4918 * Work out if this object is deleted, so we can prune any extra attributes. See MS-DRSR 4.1.10.6.9
4921 * This also controls SD propagation below
4923 if (take_remote_isDeleted) {
4924 isDeleted = remote_isDeleted;
4926 isDeleted = local_isDeleted;
4929 ar->isDeleted = isDeleted;
4932 * check if some replicated attributes left, otherwise skip the ldb_modify() call
4934 if (msg->num_elements == 0) {
4935 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_replicated_apply_merge[%u]: skip replace\n",
4938 return replmd_replicated_apply_isDeleted(ar);
4941 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_replicated_apply_merge[%u]: replace %u attributes\n",
4942 ar->index_current, msg->num_elements);
4948 if (sd_updated && !isDeleted) {
4949 ret = dsdb_module_schedule_sd_propagation(ar->module,
4950 ar->objs->partition_dn,
4952 if (ret != LDB_SUCCESS) {
4953 return ldb_operr(ldb);
4957 /* create the meta data value */
4958 ndr_err = ndr_push_struct_blob(&nmd_value, msg, &nmd,
4959 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
4960 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4961 nt_status = ndr_map_error2ntstatus(ndr_err);
4962 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4966 * when we know that we'll modify the record, add the whenChanged, uSNChanged
4967 * and replPopertyMetaData attributes
4969 ret = ldb_msg_add_string(msg, "whenChanged", ar->objs->objects[ar->index_current].when_changed);
4970 if (ret != LDB_SUCCESS) {
4971 return replmd_replicated_request_error(ar, ret);
4973 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNChanged", ar->seq_num);
4974 if (ret != LDB_SUCCESS) {
4975 return replmd_replicated_request_error(ar, ret);
4977 ret = ldb_msg_add_value(msg, "replPropertyMetaData", &nmd_value, NULL);
4978 if (ret != LDB_SUCCESS) {
4979 return replmd_replicated_request_error(ar, ret);
4982 replmd_ldb_message_sort(msg, ar->schema);
4984 /* we want to replace the old values */
4985 for (i=0; i < msg->num_elements; i++) {
4986 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
4987 if (ldb_attr_cmp(msg->elements[i].name, "objectClass") == 0) {
4988 if (msg->elements[i].num_values == 0) {
4989 ldb_asprintf_errstring(ldb, __location__
4990 ": objectClass removed on %s, aborting replication\n",
4991 ldb_dn_get_linearized(msg->dn));
4992 return replmd_replicated_request_error(ar, LDB_ERR_OBJECT_CLASS_VIOLATION);
4998 struct GUID_txt_buf guid_txt;
5000 char *s = ldb_ldif_message_string(ldb, ar, LDB_CHANGETYPE_MODIFY, msg);
5001 DEBUG(4, ("Final DRS replication modify message of %s:\n%s\n",
5002 GUID_buf_string(&ar->objs->objects[ar->index_current].object_guid, &guid_txt),
5007 ret = ldb_build_mod_req(&change_req,
5015 LDB_REQ_SET_LOCATION(change_req);
5016 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
5018 /* current partition control needed by "repmd_op_callback" */
5019 ret = ldb_request_add_control(change_req,
5020 DSDB_CONTROL_CURRENT_PARTITION_OID,
5022 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
5024 return ldb_next_request(ar->module, change_req);
5027 static int replmd_replicated_apply_search_callback(struct ldb_request *req,
5028 struct ldb_reply *ares)
5030 struct replmd_replicated_request *ar = talloc_get_type(req->context,
5031 struct replmd_replicated_request);
5035 return ldb_module_done(ar->req, NULL, NULL,
5036 LDB_ERR_OPERATIONS_ERROR);
5038 if (ares->error != LDB_SUCCESS &&
5039 ares->error != LDB_ERR_NO_SUCH_OBJECT) {
5040 return ldb_module_done(ar->req, ares->controls,
5041 ares->response, ares->error);
5044 switch (ares->type) {
5045 case LDB_REPLY_ENTRY:
5046 ar->search_msg = talloc_steal(ar, ares->message);
5049 case LDB_REPLY_REFERRAL:
5050 /* we ignore referrals */
5053 case LDB_REPLY_DONE:
5055 struct replPropertyMetaData1 *md_remote;
5056 struct replPropertyMetaData1 *md_local;
5058 struct replPropertyMetaDataBlob omd;
5059 const struct ldb_val *omd_value;
5060 struct replPropertyMetaDataBlob *rmd;
5061 struct ldb_message *msg;
5063 ar->objs->objects[ar->index_current].local_parent_dn = NULL;
5064 ar->objs->objects[ar->index_current].last_known_parent = NULL;
5067 * This is the ADD case, find the appropriate parent,
5068 * as this object doesn't exist locally:
5070 if (ar->search_msg == NULL) {
5071 ret = replmd_replicated_apply_search_for_parent(ar);
5072 if (ret != LDB_SUCCESS) {
5073 return ldb_module_done(ar->req, NULL, NULL, ret);
5080 * Otherwise, in the MERGE case, work out if we are
5081 * attempting a rename, and if so find the parent the
5082 * newly renamed object wants to belong under (which
5083 * may not be the parent in it's attached string DN
5085 rmd = ar->objs->objects[ar->index_current].meta_data;
5089 /* find existing meta data */
5090 omd_value = ldb_msg_find_ldb_val(ar->search_msg, "replPropertyMetaData");
5092 enum ndr_err_code ndr_err;
5093 ndr_err = ndr_pull_struct_blob(omd_value, ar, &omd,
5094 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
5095 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
5096 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
5097 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
5100 if (omd.version != 1) {
5101 return replmd_replicated_request_werror(ar, WERR_DS_DRA_INTERNAL_ERROR);
5105 ar->local_parent_guid = samdb_result_guid(ar->search_msg, "parentGUID");
5107 instanceType = ldb_msg_find_attr_as_int(ar->search_msg, "instanceType", 0);
5108 if (((instanceType & INSTANCE_TYPE_IS_NC_HEAD) == 0)
5109 && GUID_all_zero(&ar->local_parent_guid)) {
5110 DEBUG(0, ("Refusing to replicate new version of %s "
5111 "as local object has an all-zero parentGUID attribute, "
5112 "despite not being an NC root\n",
5113 ldb_dn_get_linearized(ar->search_msg->dn)));
5114 return replmd_replicated_request_werror(ar, WERR_DS_DRA_INTERNAL_ERROR);
5118 * now we need to check for double renames. We could have a
5119 * local rename pending which our replication partner hasn't
5120 * received yet. We choose which one wins by looking at the
5121 * attribute stamps on the two objects, the newer one wins.
5123 * This also simply applies the correct algorithms for
5124 * determining if a change was made to name at all, or
5125 * if the object has just been renamed under the same
5128 md_remote = replmd_replPropertyMetaData1_find_attid(rmd, DRSUAPI_ATTID_name);
5129 md_local = replmd_replPropertyMetaData1_find_attid(&omd, DRSUAPI_ATTID_name);
5131 DEBUG(0,(__location__ ": Failed to find name attribute in local LDB replPropertyMetaData for %s\n",
5132 ldb_dn_get_linearized(ar->search_msg->dn)));
5133 return replmd_replicated_request_werror(ar, WERR_DS_DRA_DB_ERROR);
5137 * if there is no name attribute given then we have to assume the
5138 * object we've received has the older name
5140 if (replmd_replPropertyMetaData1_new_should_be_taken(
5141 ar->objs->dsdb_repl_flags & DSDB_REPL_FLAG_PRIORITISE_INCOMING,
5142 md_local, md_remote)) {
5143 struct GUID_txt_buf p_guid_local;
5144 struct GUID_txt_buf p_guid_remote;
5145 msg = ar->objs->objects[ar->index_current].msg;
5147 /* Merge on the existing object, with rename */
5149 DEBUG(4,(__location__ ": Looking for new parent for object %s currently under %s "
5150 "as incoming object changing to %s under %s\n",
5151 ldb_dn_get_linearized(ar->search_msg->dn),
5152 GUID_buf_string(&ar->local_parent_guid, &p_guid_local),
5153 ldb_dn_get_linearized(msg->dn),
5154 GUID_buf_string(ar->objs->objects[ar->index_current].parent_guid,
5156 ret = replmd_replicated_apply_search_for_parent(ar);
5158 struct GUID_txt_buf p_guid_local;
5159 struct GUID_txt_buf p_guid_remote;
5160 msg = ar->objs->objects[ar->index_current].msg;
5163 * Merge on the existing object, force no
5164 * rename (code below just to explain why in
5168 if (strcmp(ldb_dn_get_linearized(ar->search_msg->dn),
5169 ldb_dn_get_linearized(msg->dn)) == 0) {
5170 if (ar->objs->objects[ar->index_current].parent_guid != NULL &&
5171 GUID_equal(&ar->local_parent_guid,
5172 ar->objs->objects[ar->index_current].parent_guid)
5174 DEBUG(4,(__location__ ": Keeping object %s at under %s "
5175 "despite incoming object changing parent to %s\n",
5176 ldb_dn_get_linearized(ar->search_msg->dn),
5177 GUID_buf_string(&ar->local_parent_guid, &p_guid_local),
5178 GUID_buf_string(ar->objs->objects[ar->index_current].parent_guid,
5182 DEBUG(4,(__location__ ": Keeping object %s at under %s "
5183 " and rejecting older rename to %s under %s\n",
5184 ldb_dn_get_linearized(ar->search_msg->dn),
5185 GUID_buf_string(&ar->local_parent_guid, &p_guid_local),
5186 ldb_dn_get_linearized(msg->dn),
5187 GUID_buf_string(ar->objs->objects[ar->index_current].parent_guid,
5191 * This assignment ensures that the strcmp()
5192 * and GUID_equal() calls in
5193 * replmd_replicated_apply_merge() avoids the
5196 ar->objs->objects[ar->index_current].parent_guid =
5197 &ar->local_parent_guid;
5199 msg->dn = ar->search_msg->dn;
5200 ret = replmd_replicated_apply_merge(ar);
5202 if (ret != LDB_SUCCESS) {
5203 return ldb_module_done(ar->req, NULL, NULL, ret);
5212 static int replmd_replicated_uptodate_vector(struct replmd_replicated_request *ar);
5214 static int replmd_replicated_apply_next(struct replmd_replicated_request *ar)
5216 struct ldb_context *ldb;
5220 struct ldb_request *search_req;
5221 static const char *attrs[] = { "*", "parentGUID", "instanceType",
5222 "replPropertyMetaData", "nTSecurityDescriptor",
5224 struct GUID_txt_buf guid_str_buf;
5226 if (ar->index_current >= ar->objs->num_objects) {
5227 /* done with it, go to next stage */
5228 return replmd_replicated_uptodate_vector(ar);
5231 ldb = ldb_module_get_ctx(ar->module);
5232 ar->search_msg = NULL;
5233 ar->isDeleted = false;
5235 tmp_str = GUID_buf_string(&ar->objs->objects[ar->index_current].object_guid,
5238 filter = talloc_asprintf(ar, "(objectGUID=%s)", tmp_str);
5239 if (!filter) return replmd_replicated_request_werror(ar, WERR_NOMEM);
5241 ret = ldb_build_search_req(&search_req,
5244 ar->objs->partition_dn,
5250 replmd_replicated_apply_search_callback,
5252 LDB_REQ_SET_LOCATION(search_req);
5254 ret = dsdb_request_add_controls(search_req, DSDB_SEARCH_SHOW_RECYCLED);
5256 if (ret != LDB_SUCCESS) {
5260 return ldb_next_request(ar->module, search_req);
5264 * This is essentially a wrapper for replmd_replicated_apply_next()
5266 * This is needed to ensure that both codepaths call this handler.
5268 static int replmd_replicated_apply_isDeleted(struct replmd_replicated_request *ar)
5270 struct ldb_dn *deleted_objects_dn;
5271 struct ldb_message *msg = ar->objs->objects[ar->index_current].msg;
5272 int ret = dsdb_get_deleted_objects_dn(ldb_module_get_ctx(ar->module), msg, msg->dn,
5273 &deleted_objects_dn);
5274 if (ar->isDeleted && (ret != LDB_SUCCESS || ldb_dn_compare(msg->dn, deleted_objects_dn) != 0)) {
5276 * Do a delete here again, so that if there is
5277 * anything local that conflicts with this
5278 * object being deleted, it is removed. This
5279 * includes links. See MS-DRSR 4.1.10.6.9
5282 * If the object is already deleted, and there
5283 * is no more work required, it doesn't do
5287 /* This has been updated to point to the DN we eventually did the modify on */
5289 struct ldb_request *del_req;
5290 struct ldb_result *res;
5292 TALLOC_CTX *tmp_ctx = talloc_new(ar);
5294 ret = ldb_oom(ldb_module_get_ctx(ar->module));
5298 res = talloc_zero(tmp_ctx, struct ldb_result);
5300 ret = ldb_oom(ldb_module_get_ctx(ar->module));
5301 talloc_free(tmp_ctx);
5305 /* Build a delete request, which hopefully will artually turn into nothing */
5306 ret = ldb_build_del_req(&del_req, ldb_module_get_ctx(ar->module), tmp_ctx,
5310 ldb_modify_default_callback,
5312 LDB_REQ_SET_LOCATION(del_req);
5313 if (ret != LDB_SUCCESS) {
5314 talloc_free(tmp_ctx);
5319 * This is the guts of the call, call back
5320 * into our delete code, but setting the
5321 * re_delete flag so we delete anything that
5322 * shouldn't be there on a deleted or recycled
5325 ret = replmd_delete_internals(ar->module, del_req, true);
5326 if (ret == LDB_SUCCESS) {
5327 ret = ldb_wait(del_req->handle, LDB_WAIT_ALL);
5330 talloc_free(tmp_ctx);
5331 if (ret != LDB_SUCCESS) {
5336 ar->index_current++;
5337 return replmd_replicated_apply_next(ar);
5340 static int replmd_replicated_uptodate_modify_callback(struct ldb_request *req,
5341 struct ldb_reply *ares)
5343 struct ldb_context *ldb;
5344 struct replmd_replicated_request *ar = talloc_get_type(req->context,
5345 struct replmd_replicated_request);
5346 ldb = ldb_module_get_ctx(ar->module);
5349 return ldb_module_done(ar->req, NULL, NULL,
5350 LDB_ERR_OPERATIONS_ERROR);
5352 if (ares->error != LDB_SUCCESS) {
5353 return ldb_module_done(ar->req, ares->controls,
5354 ares->response, ares->error);
5357 if (ares->type != LDB_REPLY_DONE) {
5358 ldb_asprintf_errstring(ldb, "Invalid LDB reply type %d", ares->type);
5359 return ldb_module_done(ar->req, NULL, NULL,
5360 LDB_ERR_OPERATIONS_ERROR);
5365 return ldb_module_done(ar->req, NULL, NULL, LDB_SUCCESS);
5368 static int replmd_replicated_uptodate_modify(struct replmd_replicated_request *ar)
5370 struct ldb_context *ldb;
5371 struct ldb_request *change_req;
5372 enum ndr_err_code ndr_err;
5373 struct ldb_message *msg;
5374 struct replUpToDateVectorBlob ouv;
5375 const struct ldb_val *ouv_value;
5376 const struct drsuapi_DsReplicaCursor2CtrEx *ruv;
5377 struct replUpToDateVectorBlob nuv;
5378 struct ldb_val nuv_value;
5379 struct ldb_message_element *nuv_el = NULL;
5380 struct ldb_message_element *orf_el = NULL;
5381 struct repsFromToBlob nrf;
5382 struct ldb_val *nrf_value = NULL;
5383 struct ldb_message_element *nrf_el = NULL;
5387 time_t t = time(NULL);
5390 uint32_t instanceType;
5392 ldb = ldb_module_get_ctx(ar->module);
5393 ruv = ar->objs->uptodateness_vector;
5399 unix_to_nt_time(&now, t);
5401 if (ar->search_msg == NULL) {
5402 /* this happens for a REPL_OBJ call where we are
5403 creating the target object by replicating it. The
5404 subdomain join code does this for the partition DN
5406 DEBUG(4,(__location__ ": Skipping UDV and repsFrom update as no target DN\n"));
5407 return ldb_module_done(ar->req, NULL, NULL, LDB_SUCCESS);
5410 instanceType = ldb_msg_find_attr_as_uint(ar->search_msg, "instanceType", 0);
5411 if (! (instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
5412 DEBUG(4,(__location__ ": Skipping UDV and repsFrom update as not NC root: %s\n",
5413 ldb_dn_get_linearized(ar->search_msg->dn)));
5414 return ldb_module_done(ar->req, NULL, NULL, LDB_SUCCESS);
5418 * first create the new replUpToDateVector
5420 ouv_value = ldb_msg_find_ldb_val(ar->search_msg, "replUpToDateVector");
5422 ndr_err = ndr_pull_struct_blob(ouv_value, ar, &ouv,
5423 (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
5424 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
5425 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
5426 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
5429 if (ouv.version != 2) {
5430 return replmd_replicated_request_werror(ar, WERR_DS_DRA_INTERNAL_ERROR);
5435 * the new uptodateness vector will at least
5436 * contain 1 entry, one for the source_dsa
5438 * plus optional values from our old vector and the one from the source_dsa
5440 nuv.ctr.ctr2.count = ouv.ctr.ctr2.count;
5441 if (ruv) nuv.ctr.ctr2.count += ruv->count;
5442 nuv.ctr.ctr2.cursors = talloc_array(ar,
5443 struct drsuapi_DsReplicaCursor2,
5444 nuv.ctr.ctr2.count);
5445 if (!nuv.ctr.ctr2.cursors) return replmd_replicated_request_werror(ar, WERR_NOMEM);
5447 /* first copy the old vector */
5448 for (i=0; i < ouv.ctr.ctr2.count; i++) {
5449 nuv.ctr.ctr2.cursors[ni] = ouv.ctr.ctr2.cursors[i];
5453 /* merge in the source_dsa vector is available */
5454 for (i=0; (ruv && i < ruv->count); i++) {
5457 if (GUID_equal(&ruv->cursors[i].source_dsa_invocation_id,
5458 &ar->our_invocation_id)) {
5462 for (j=0; j < ni; j++) {
5463 if (!GUID_equal(&ruv->cursors[i].source_dsa_invocation_id,
5464 &nuv.ctr.ctr2.cursors[j].source_dsa_invocation_id)) {
5470 if (ruv->cursors[i].highest_usn > nuv.ctr.ctr2.cursors[j].highest_usn) {
5471 nuv.ctr.ctr2.cursors[j] = ruv->cursors[i];
5476 if (found) continue;
5478 /* if it's not there yet, add it */
5479 nuv.ctr.ctr2.cursors[ni] = ruv->cursors[i];
5484 * finally correct the size of the cursors array
5486 nuv.ctr.ctr2.count = ni;
5491 TYPESAFE_QSORT(nuv.ctr.ctr2.cursors, nuv.ctr.ctr2.count, drsuapi_DsReplicaCursor2_compare);
5494 * create the change ldb_message
5496 msg = ldb_msg_new(ar);
5497 if (!msg) return replmd_replicated_request_werror(ar, WERR_NOMEM);
5498 msg->dn = ar->search_msg->dn;
5500 ndr_err = ndr_push_struct_blob(&nuv_value, msg, &nuv,
5501 (ndr_push_flags_fn_t)ndr_push_replUpToDateVectorBlob);
5502 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
5503 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
5504 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
5506 ret = ldb_msg_add_value(msg, "replUpToDateVector", &nuv_value, &nuv_el);
5507 if (ret != LDB_SUCCESS) {
5508 return replmd_replicated_request_error(ar, ret);
5510 nuv_el->flags = LDB_FLAG_MOD_REPLACE;
5513 * now create the new repsFrom value from the given repsFromTo1 structure
5517 nrf.ctr.ctr1 = *ar->objs->source_dsa;
5518 nrf.ctr.ctr1.last_attempt = now;
5519 nrf.ctr.ctr1.last_success = now;
5520 nrf.ctr.ctr1.result_last_attempt = WERR_OK;
5523 * first see if we already have a repsFrom value for the current source dsa
5524 * if so we'll later replace this value
5526 orf_el = ldb_msg_find_element(ar->search_msg, "repsFrom");
5528 for (i=0; i < orf_el->num_values; i++) {
5529 struct repsFromToBlob *trf;
5531 trf = talloc(ar, struct repsFromToBlob);
5532 if (!trf) return replmd_replicated_request_werror(ar, WERR_NOMEM);
5534 ndr_err = ndr_pull_struct_blob(&orf_el->values[i], trf, trf,
5535 (ndr_pull_flags_fn_t)ndr_pull_repsFromToBlob);
5536 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
5537 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
5538 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
5541 if (trf->version != 1) {
5542 return replmd_replicated_request_werror(ar, WERR_DS_DRA_INTERNAL_ERROR);
5546 * we compare the source dsa objectGUID not the invocation_id
5547 * because we want only one repsFrom value per source dsa
5548 * and when the invocation_id of the source dsa has changed we don't need
5549 * the old repsFrom with the old invocation_id
5551 if (!GUID_equal(&trf->ctr.ctr1.source_dsa_obj_guid,
5552 &ar->objs->source_dsa->source_dsa_obj_guid)) {
5558 nrf_value = &orf_el->values[i];
5563 * copy over all old values to the new ldb_message
5565 ret = ldb_msg_add_empty(msg, "repsFrom", 0, &nrf_el);
5566 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
5571 * if we haven't found an old repsFrom value for the current source dsa
5572 * we'll add a new value
5575 struct ldb_val zero_value;
5576 ZERO_STRUCT(zero_value);
5577 ret = ldb_msg_add_value(msg, "repsFrom", &zero_value, &nrf_el);
5578 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
5580 nrf_value = &nrf_el->values[nrf_el->num_values - 1];
5583 /* we now fill the value which is already attached to ldb_message */
5584 ndr_err = ndr_push_struct_blob(nrf_value, msg,
5586 (ndr_push_flags_fn_t)ndr_push_repsFromToBlob);
5587 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
5588 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
5589 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
5593 * the ldb_message_element for the attribute, has all the old values and the new one
5594 * so we'll replace the whole attribute with all values
5596 nrf_el->flags = LDB_FLAG_MOD_REPLACE;
5598 if (CHECK_DEBUGLVL(4)) {
5599 char *s = ldb_ldif_message_string(ldb, ar, LDB_CHANGETYPE_MODIFY, msg);
5600 DEBUG(4, ("DRS replication uptodate modify message:\n%s\n", s));
5604 /* prepare the ldb_modify() request */
5605 ret = ldb_build_mod_req(&change_req,
5611 replmd_replicated_uptodate_modify_callback,
5613 LDB_REQ_SET_LOCATION(change_req);
5614 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
5616 return ldb_next_request(ar->module, change_req);
5619 static int replmd_replicated_uptodate_search_callback(struct ldb_request *req,
5620 struct ldb_reply *ares)
5622 struct replmd_replicated_request *ar = talloc_get_type(req->context,
5623 struct replmd_replicated_request);
5627 return ldb_module_done(ar->req, NULL, NULL,
5628 LDB_ERR_OPERATIONS_ERROR);
5630 if (ares->error != LDB_SUCCESS &&
5631 ares->error != LDB_ERR_NO_SUCH_OBJECT) {
5632 return ldb_module_done(ar->req, ares->controls,
5633 ares->response, ares->error);
5636 switch (ares->type) {
5637 case LDB_REPLY_ENTRY:
5638 ar->search_msg = talloc_steal(ar, ares->message);
5641 case LDB_REPLY_REFERRAL:
5642 /* we ignore referrals */
5645 case LDB_REPLY_DONE:
5646 ret = replmd_replicated_uptodate_modify(ar);
5647 if (ret != LDB_SUCCESS) {
5648 return ldb_module_done(ar->req, NULL, NULL, ret);
5657 static int replmd_replicated_uptodate_vector(struct replmd_replicated_request *ar)
5659 struct ldb_context *ldb;
5661 static const char *attrs[] = {
5662 "replUpToDateVector",
5667 struct ldb_request *search_req;
5669 ldb = ldb_module_get_ctx(ar->module);
5670 ar->search_msg = NULL;
5672 ret = ldb_build_search_req(&search_req,
5675 ar->objs->partition_dn,
5681 replmd_replicated_uptodate_search_callback,
5683 LDB_REQ_SET_LOCATION(search_req);
5684 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
5686 return ldb_next_request(ar->module, search_req);
5691 static int replmd_extended_replicated_objects(struct ldb_module *module, struct ldb_request *req)
5693 struct ldb_context *ldb;
5694 struct dsdb_extended_replicated_objects *objs;
5695 struct replmd_replicated_request *ar;
5696 struct ldb_control **ctrls;
5699 struct replmd_private *replmd_private =
5700 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
5701 struct dsdb_control_replicated_update *rep_update;
5703 ldb = ldb_module_get_ctx(module);
5705 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_extended_replicated_objects\n");
5707 objs = talloc_get_type(req->op.extended.data, struct dsdb_extended_replicated_objects);
5709 ldb_debug(ldb, LDB_DEBUG_FATAL, "replmd_extended_replicated_objects: invalid extended data\n");
5710 return LDB_ERR_PROTOCOL_ERROR;
5713 if (objs->version != DSDB_EXTENDED_REPLICATED_OBJECTS_VERSION) {
5714 ldb_debug(ldb, LDB_DEBUG_FATAL, "replmd_extended_replicated_objects: extended data invalid version [%u != %u]\n",
5715 objs->version, DSDB_EXTENDED_REPLICATED_OBJECTS_VERSION);
5716 return LDB_ERR_PROTOCOL_ERROR;
5719 ar = replmd_ctx_init(module, req);
5721 return LDB_ERR_OPERATIONS_ERROR;
5723 /* Set the flags to have the replmd_op_callback run over the full set of objects */
5724 ar->apply_mode = true;
5726 ar->schema = dsdb_get_schema(ldb, ar);
5728 ldb_debug_set(ldb, LDB_DEBUG_FATAL, "replmd_ctx_init: no loaded schema found\n");
5730 DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
5731 return LDB_ERR_CONSTRAINT_VIOLATION;
5734 ctrls = req->controls;
5736 if (req->controls) {
5737 req->controls = talloc_memdup(ar, req->controls,
5738 talloc_get_size(req->controls));
5739 if (!req->controls) return replmd_replicated_request_werror(ar, WERR_NOMEM);
5742 /* This allows layers further down to know if a change came in
5743 over replication and what the replication flags were */
5744 rep_update = talloc_zero(ar, struct dsdb_control_replicated_update);
5745 if (rep_update == NULL) {
5746 return ldb_module_oom(module);
5748 rep_update->dsdb_repl_flags = objs->dsdb_repl_flags;
5750 ret = ldb_request_add_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID, false, rep_update);
5751 if (ret != LDB_SUCCESS) {
5755 /* If this change contained linked attributes in the body
5756 * (rather than in the links section) we need to update
5757 * backlinks in linked_attributes */
5758 ret = ldb_request_add_control(req, DSDB_CONTROL_APPLY_LINKS, false, NULL);
5759 if (ret != LDB_SUCCESS) {
5763 ar->controls = req->controls;
5764 req->controls = ctrls;
5766 DEBUG(4,("linked_attributes_count=%u\n", objs->linked_attributes_count));
5768 /* save away the linked attributes for the end of the
5770 for (i=0; i<ar->objs->linked_attributes_count; i++) {
5771 struct la_entry *la_entry;
5773 if (replmd_private->la_ctx == NULL) {
5774 replmd_private->la_ctx = talloc_new(replmd_private);
5776 la_entry = talloc(replmd_private->la_ctx, struct la_entry);
5777 if (la_entry == NULL) {
5779 return LDB_ERR_OPERATIONS_ERROR;
5781 la_entry->la = talloc(la_entry, struct drsuapi_DsReplicaLinkedAttribute);
5782 if (la_entry->la == NULL) {
5783 talloc_free(la_entry);
5785 return LDB_ERR_OPERATIONS_ERROR;
5787 *la_entry->la = ar->objs->linked_attributes[i];
5789 /* we need to steal the non-scalars so they stay
5790 around until the end of the transaction */
5791 talloc_steal(la_entry->la, la_entry->la->identifier);
5792 talloc_steal(la_entry->la, la_entry->la->value.blob);
5794 DLIST_ADD(replmd_private->la_list, la_entry);
5797 return replmd_replicated_apply_next(ar);
5801 process one linked attribute structure
5803 static int replmd_process_linked_attribute(struct ldb_module *module,
5804 struct la_entry *la_entry,
5805 struct ldb_request *parent)
5807 struct drsuapi_DsReplicaLinkedAttribute *la = la_entry->la;
5808 struct ldb_context *ldb = ldb_module_get_ctx(module);
5809 struct ldb_message *msg;
5810 struct ldb_message *target_msg = NULL;
5811 TALLOC_CTX *tmp_ctx = talloc_new(la_entry);
5812 const struct dsdb_schema *schema = dsdb_get_schema(ldb, tmp_ctx);
5814 const struct dsdb_attribute *attr;
5815 struct dsdb_dn *dsdb_dn;
5816 uint64_t seq_num = 0;
5817 struct ldb_message_element *old_el;
5819 time_t t = time(NULL);
5820 struct ldb_result *res;
5821 struct ldb_result *target_res;
5822 const char *attrs[4];
5823 const char *attrs2[] = { "isDeleted", "isRecycled", NULL };
5824 struct parsed_dn *pdn_list, *pdn;
5825 struct GUID guid = GUID_zero();
5827 bool active = (la->flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE)?true:false;
5828 const struct GUID *our_invocation_id;
5830 enum deletion_state deletion_state = OBJECT_NOT_DELETED;
5831 enum deletion_state target_deletion_state = OBJECT_NOT_DELETED;
5834 linked_attributes[0]:
5835 &objs->linked_attributes[i]: struct drsuapi_DsReplicaLinkedAttribute
5837 identifier: struct drsuapi_DsReplicaObjectIdentifier
5838 __ndr_size : 0x0000003a (58)
5839 __ndr_size_sid : 0x00000000 (0)
5840 guid : 8e95b6a9-13dd-4158-89db-3220a5be5cc7
5842 __ndr_size_dn : 0x00000000 (0)
5844 attid : DRSUAPI_ATTID_member (0x1F)
5845 value: struct drsuapi_DsAttributeValue
5846 __ndr_size : 0x0000007e (126)
5848 blob : DATA_BLOB length=126
5849 flags : 0x00000001 (1)
5850 1: DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE
5851 originating_add_time : Wed Sep 2 22:20:01 2009 EST
5852 meta_data: struct drsuapi_DsReplicaMetaData
5853 version : 0x00000015 (21)
5854 originating_change_time : Wed Sep 2 23:39:07 2009 EST
5855 originating_invocation_id: 794640f3-18cf-40ee-a211-a93992b67a64
5856 originating_usn : 0x000000000001e19c (123292)
5858 (for cases where the link is to a normal DN)
5859 &target: struct drsuapi_DsReplicaObjectIdentifier3
5860 __ndr_size : 0x0000007e (126)
5861 __ndr_size_sid : 0x0000001c (28)
5862 guid : 7639e594-db75-4086-b0d4-67890ae46031
5863 sid : S-1-5-21-2848215498-2472035911-1947525656-19924
5864 __ndr_size_dn : 0x00000022 (34)
5865 dn : 'CN=UOne,OU=TestOU,DC=vsofs8,DC=com'
5868 /* find the attribute being modified */
5869 attr = dsdb_attribute_by_attributeID_id(schema, la->attid);
5871 DEBUG(0, (__location__ ": Unable to find attributeID 0x%x\n", la->attid));
5872 talloc_free(tmp_ctx);
5873 return LDB_ERR_OPERATIONS_ERROR;
5876 attrs[0] = attr->lDAPDisplayName;
5877 attrs[1] = "isDeleted";
5878 attrs[2] = "isRecycled";
5881 /* get the existing message from the db for the object with
5882 this GUID, returning attribute being modified. We will then
5883 use this msg as the basis for a modify call */
5884 ret = dsdb_module_search(module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs,
5885 DSDB_FLAG_NEXT_MODULE |
5886 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
5887 DSDB_SEARCH_SHOW_RECYCLED |
5888 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
5889 DSDB_SEARCH_REVEAL_INTERNALS,
5891 "objectGUID=%s", GUID_string(tmp_ctx, &la->identifier->guid));
5892 if (ret != LDB_SUCCESS) {
5893 talloc_free(tmp_ctx);
5896 if (res->count != 1) {
5897 ldb_asprintf_errstring(ldb, "DRS linked attribute for GUID %s - DN not found",
5898 GUID_string(tmp_ctx, &la->identifier->guid));
5899 talloc_free(tmp_ctx);
5900 return LDB_ERR_NO_SUCH_OBJECT;
5905 * Check for deleted objects per MS-DRSR 4.1.10.6.13
5906 * ProcessLinkValue, because link updates are not applied to
5907 * recycled and tombstone objects. We don't have to delete
5908 * any existing link, that should have happened when the
5909 * object deletion was replicated or initiated.
5912 replmd_deletion_state(module, msg, &deletion_state, NULL);
5914 if (deletion_state >= OBJECT_RECYCLED) {
5915 talloc_free(tmp_ctx);
5919 old_el = ldb_msg_find_element(msg, attr->lDAPDisplayName);
5920 if (old_el == NULL) {
5921 ret = ldb_msg_add_empty(msg, attr->lDAPDisplayName, LDB_FLAG_MOD_REPLACE, &old_el);
5922 if (ret != LDB_SUCCESS) {
5923 ldb_module_oom(module);
5924 talloc_free(tmp_ctx);
5925 return LDB_ERR_OPERATIONS_ERROR;
5928 old_el->flags = LDB_FLAG_MOD_REPLACE;
5931 /* parse the existing links */
5932 ret = get_parsed_dns(module, tmp_ctx, old_el, &pdn_list, attr->syntax->ldap_oid, parent);
5933 if (ret != LDB_SUCCESS) {
5934 talloc_free(tmp_ctx);
5938 /* get our invocationId */
5939 our_invocation_id = samdb_ntds_invocation_id(ldb);
5940 if (!our_invocation_id) {
5941 ldb_debug_set(ldb, LDB_DEBUG_ERROR, __location__ ": unable to find invocationId\n");
5942 talloc_free(tmp_ctx);
5943 return LDB_ERR_OPERATIONS_ERROR;
5946 ret = replmd_check_upgrade_links(pdn_list, old_el->num_values, old_el, our_invocation_id);
5947 if (ret != LDB_SUCCESS) {
5948 talloc_free(tmp_ctx);
5952 status = dsdb_dn_la_from_blob(ldb, attr, schema, tmp_ctx, la->value.blob, &dsdb_dn);
5953 if (!W_ERROR_IS_OK(status)) {
5954 ldb_asprintf_errstring(ldb, "Failed to parsed linked attribute blob for %s on %s - %s\n",
5955 old_el->name, ldb_dn_get_linearized(msg->dn), win_errstr(status));
5956 talloc_free(tmp_ctx);
5957 return LDB_ERR_OPERATIONS_ERROR;
5960 ntstatus = dsdb_get_extended_dn_guid(dsdb_dn->dn, &guid, "GUID");
5961 if (!NT_STATUS_IS_OK(ntstatus) && !active) {
5963 * This strange behaviour (allowing a NULL/missing
5964 * GUID) originally comes from:
5966 * commit e3054ce0fe0f8f62d2f5b2a77893e7a1479128bd
5967 * Author: Andrew Tridgell <tridge@samba.org>
5968 * Date: Mon Dec 21 21:21:55 2009 +1100
5970 * s4-drs: cope better with NULL GUIDS from DRS
5972 * It is valid to get a NULL GUID over DRS for a deleted forward link. We
5973 * need to match by DN if possible when seeing if we should update an
5976 * Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
5979 ret = dsdb_module_search_dn(module, tmp_ctx, &target_res,
5980 dsdb_dn->dn, attrs2,
5981 DSDB_FLAG_NEXT_MODULE |
5982 DSDB_SEARCH_SHOW_RECYCLED |
5983 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
5984 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT,
5986 } else if (!NT_STATUS_IS_OK(ntstatus)) {
5987 ldb_asprintf_errstring(ldb, "Failed to find GUID in linked attribute blob for %s on %s from %s",
5989 ldb_dn_get_linearized(dsdb_dn->dn),
5990 ldb_dn_get_linearized(msg->dn));
5991 talloc_free(tmp_ctx);
5992 return LDB_ERR_OPERATIONS_ERROR;
5994 ret = dsdb_module_search(module, tmp_ctx, &target_res,
5995 NULL, LDB_SCOPE_SUBTREE,
5997 DSDB_FLAG_NEXT_MODULE |
5998 DSDB_SEARCH_SHOW_RECYCLED |
5999 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
6000 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT,
6003 GUID_string(tmp_ctx, &guid));
6006 if (ret != LDB_SUCCESS) {
6007 ldb_asprintf_errstring(ldb_module_get_ctx(module), "Failed to re-resolve GUID %s: %s\n",
6008 GUID_string(tmp_ctx, &guid),
6009 ldb_errstring(ldb_module_get_ctx(module)));
6010 talloc_free(tmp_ctx);
6014 if (target_res->count == 0) {
6015 DEBUG(2,(__location__ ": WARNING: Failed to re-resolve GUID %s - using %s\n",
6016 GUID_string(tmp_ctx, &guid),
6017 ldb_dn_get_linearized(dsdb_dn->dn)));
6018 } else if (target_res->count != 1) {
6019 ldb_asprintf_errstring(ldb_module_get_ctx(module), "More than one object found matching objectGUID %s\n",
6020 GUID_string(tmp_ctx, &guid));
6021 talloc_free(tmp_ctx);
6022 return LDB_ERR_OPERATIONS_ERROR;
6024 target_msg = target_res->msgs[0];
6025 dsdb_dn->dn = talloc_steal(dsdb_dn, target_msg->dn);
6029 * Check for deleted objects per MS-DRSR 4.1.10.6.13
6030 * ProcessLinkValue, because link updates are not applied to
6031 * recycled and tombstone objects. We don't have to delete
6032 * any existing link, that should have happened when the
6033 * object deletion was replicated or initiated.
6035 replmd_deletion_state(module, target_msg,
6036 &target_deletion_state, NULL);
6038 if (target_deletion_state >= OBJECT_RECYCLED) {
6039 talloc_free(tmp_ctx);
6043 /* see if this link already exists */
6044 pdn = parsed_dn_find(pdn_list, old_el->num_values, &guid, dsdb_dn->dn);
6046 /* see if this update is newer than what we have already */
6047 struct GUID invocation_id = GUID_zero();
6048 uint32_t version = 0;
6049 uint32_t originating_usn = 0;
6050 NTTIME change_time = 0;
6051 uint32_t rmd_flags = dsdb_dn_rmd_flags(pdn->dsdb_dn->dn);
6053 dsdb_get_extended_dn_guid(pdn->dsdb_dn->dn, &invocation_id, "RMD_INVOCID");
6054 dsdb_get_extended_dn_uint32(pdn->dsdb_dn->dn, &version, "RMD_VERSION");
6055 dsdb_get_extended_dn_uint32(pdn->dsdb_dn->dn, &originating_usn, "RMD_ORIGINATING_USN");
6056 dsdb_get_extended_dn_nttime(pdn->dsdb_dn->dn, &change_time, "RMD_CHANGETIME");
6058 if (!replmd_update_is_newer(&invocation_id,
6059 &la->meta_data.originating_invocation_id,
6061 la->meta_data.version,
6063 la->meta_data.originating_change_time)) {
6064 DEBUG(3,("Discarding older DRS linked attribute update to %s on %s from %s\n",
6065 old_el->name, ldb_dn_get_linearized(msg->dn),
6066 GUID_string(tmp_ctx, &la->meta_data.originating_invocation_id)));
6067 talloc_free(tmp_ctx);
6071 /* get a seq_num for this change */
6072 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &seq_num);
6073 if (ret != LDB_SUCCESS) {
6074 talloc_free(tmp_ctx);
6078 if (!(rmd_flags & DSDB_RMD_FLAG_DELETED)) {
6079 /* remove the existing backlink */
6080 ret = replmd_add_backlink(module, schema, &la->identifier->guid, &guid, false, attr, true);
6081 if (ret != LDB_SUCCESS) {
6082 talloc_free(tmp_ctx);
6087 ret = replmd_update_la_val(tmp_ctx, pdn->v, dsdb_dn, pdn->dsdb_dn,
6088 &la->meta_data.originating_invocation_id,
6089 la->meta_data.originating_usn, seq_num,
6090 la->meta_data.originating_change_time,
6091 la->meta_data.version,
6093 if (ret != LDB_SUCCESS) {
6094 talloc_free(tmp_ctx);
6099 /* add the new backlink */
6100 ret = replmd_add_backlink(module, schema, &la->identifier->guid, &guid, true, attr, true);
6101 if (ret != LDB_SUCCESS) {
6102 talloc_free(tmp_ctx);
6107 /* get a seq_num for this change */
6108 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &seq_num);
6109 if (ret != LDB_SUCCESS) {
6110 talloc_free(tmp_ctx);
6114 old_el->values = talloc_realloc(msg->elements, old_el->values,
6115 struct ldb_val, old_el->num_values+1);
6116 if (!old_el->values) {
6117 ldb_module_oom(module);
6118 return LDB_ERR_OPERATIONS_ERROR;
6120 old_el->num_values++;
6122 ret = replmd_build_la_val(tmp_ctx, &old_el->values[old_el->num_values-1], dsdb_dn,
6123 &la->meta_data.originating_invocation_id,
6124 la->meta_data.originating_usn, seq_num,
6125 la->meta_data.originating_change_time,
6126 la->meta_data.version,
6127 (la->flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE)?false:true);
6128 if (ret != LDB_SUCCESS) {
6129 talloc_free(tmp_ctx);
6134 ret = replmd_add_backlink(module, schema, &la->identifier->guid, &guid,
6136 if (ret != LDB_SUCCESS) {
6137 talloc_free(tmp_ctx);
6143 /* we only change whenChanged and uSNChanged if the seq_num
6145 ret = add_time_element(msg, "whenChanged", t);
6146 if (ret != LDB_SUCCESS) {
6147 talloc_free(tmp_ctx);
6152 ret = add_uint64_element(ldb, msg, "uSNChanged", seq_num);
6153 if (ret != LDB_SUCCESS) {
6154 talloc_free(tmp_ctx);
6159 old_el = ldb_msg_find_element(msg, attr->lDAPDisplayName);
6160 if (old_el == NULL) {
6161 talloc_free(tmp_ctx);
6162 return ldb_operr(ldb);
6165 ret = dsdb_check_single_valued_link(attr, old_el);
6166 if (ret != LDB_SUCCESS) {
6167 talloc_free(tmp_ctx);
6171 old_el->flags |= LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK;
6173 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
6174 if (ret != LDB_SUCCESS) {
6175 ldb_debug(ldb, LDB_DEBUG_WARNING, "Failed to apply linked attribute change '%s'\n%s\n",
6177 ldb_ldif_message_string(ldb, tmp_ctx, LDB_CHANGETYPE_MODIFY, msg));
6178 talloc_free(tmp_ctx);
6182 talloc_free(tmp_ctx);
6187 static int replmd_extended(struct ldb_module *module, struct ldb_request *req)
6189 if (strcmp(req->op.extended.oid, DSDB_EXTENDED_REPLICATED_OBJECTS_OID) == 0) {
6190 return replmd_extended_replicated_objects(module, req);
6193 return ldb_next_request(module, req);
6198 we hook into the transaction operations to allow us to
6199 perform the linked attribute updates at the end of the whole
6200 transaction. This allows a forward linked attribute to be created
6201 before the object is created. During a vampire, w2k8 sends us linked
6202 attributes before the objects they are part of.
6204 static int replmd_start_transaction(struct ldb_module *module)
6206 /* create our private structure for this transaction */
6207 struct replmd_private *replmd_private = talloc_get_type(ldb_module_get_private(module),
6208 struct replmd_private);
6209 replmd_txn_cleanup(replmd_private);
6211 /* free any leftover mod_usn records from cancelled
6213 while (replmd_private->ncs) {
6214 struct nc_entry *e = replmd_private->ncs;
6215 DLIST_REMOVE(replmd_private->ncs, e);
6219 return ldb_next_start_trans(module);
6223 on prepare commit we loop over our queued la_context structures and
6226 static int replmd_prepare_commit(struct ldb_module *module)
6228 struct replmd_private *replmd_private =
6229 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
6230 struct la_entry *la, *prev;
6231 struct la_backlink *bl;
6234 /* walk the list backwards, to do the first entry first, as we
6235 * added the entries with DLIST_ADD() which puts them at the
6236 * start of the list */
6237 for (la = DLIST_TAIL(replmd_private->la_list); la; la=prev) {
6238 prev = DLIST_PREV(la);
6239 DLIST_REMOVE(replmd_private->la_list, la);
6240 ret = replmd_process_linked_attribute(module, la, NULL);
6241 if (ret != LDB_SUCCESS) {
6242 replmd_txn_cleanup(replmd_private);
6247 /* process our backlink list, creating and deleting backlinks
6249 for (bl=replmd_private->la_backlinks; bl; bl=bl->next) {
6250 ret = replmd_process_backlink(module, bl, NULL);
6251 if (ret != LDB_SUCCESS) {
6252 replmd_txn_cleanup(replmd_private);
6257 replmd_txn_cleanup(replmd_private);
6259 /* possibly change @REPLCHANGED */
6260 ret = replmd_notify_store(module, NULL);
6261 if (ret != LDB_SUCCESS) {
6265 return ldb_next_prepare_commit(module);
6268 static int replmd_del_transaction(struct ldb_module *module)
6270 struct replmd_private *replmd_private =
6271 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
6272 replmd_txn_cleanup(replmd_private);
6274 return ldb_next_del_trans(module);
6278 static const struct ldb_module_ops ldb_repl_meta_data_module_ops = {
6279 .name = "repl_meta_data",
6280 .init_context = replmd_init,
6282 .modify = replmd_modify,
6283 .rename = replmd_rename,
6284 .del = replmd_delete,
6285 .extended = replmd_extended,
6286 .start_transaction = replmd_start_transaction,
6287 .prepare_commit = replmd_prepare_commit,
6288 .del_transaction = replmd_del_transaction,
6291 int ldb_repl_meta_data_module_init(const char *version)
6293 LDB_MODULE_CHECK_VERSION(version);
6294 return ldb_register_module(&ldb_repl_meta_data_module_ops);