#include "auth/auth.h"
#include "param/param.h"
#include "dsdb/samdb/ldb_modules/util.h"
+#include "lib/util/util_tdb.h"
+#include "lib/dbwrap/dbwrap.h"
+#include "lib/dbwrap/dbwrap_rbt.h"
+
+struct descriptor_changes {
+ struct descriptor_changes *prev, *next;
+ struct ldb_dn *nc_root;
+ struct GUID guid;
+ bool force_self;
+ bool force_children;
+ struct ldb_dn *stopped_dn;
+ size_t ref_count;
+};
+
+struct descriptor_transaction {
+ TALLOC_CTX *mem;
+ struct {
+ /*
+ * We used to have a list of changes, appended with each
+ * DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID operation.
+ *
+ * But the main problem was that a replication
+ * cycle (mainly the initial replication) calls
+ * DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID for the
+ * same object[GUID] more than once. With
+ * DRSUAPI_DRS_GET_TGT we'll get the naming
+ * context head object and other top level
+ * containers, every often.
+ *
+ * It means we'll process objects more
+ * than once and waste a lot of time
+ * doing the same work again and again.
+ *
+ * We use an objectGUID based map in order to
+ * avoid registering objects more than once.
+ * In an domain with 22000 object it can
+ * reduce the work from 4 hours down to ~ 3.5 minutes.
+ */
+ struct descriptor_changes *list;
+ struct db_context *map;
+ size_t num_registrations;
+ size_t num_registered;
+ size_t num_processed;
+ } changes;
+ struct {
+ size_t num_processed;
+ } objects;
+};
struct descriptor_data {
- int _dummy;
+ struct descriptor_transaction transaction;
};
struct descriptor_context {
struct ldb_val *parentsd_val;
struct ldb_message_element *sd_element;
struct ldb_val *sd_val;
+ uint32_t sd_flags;
int (*step_fn)(struct descriptor_context *);
};
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
+ } else if (security_token_is_system(token)) {
+ dag_sid = dom_sid_dup(mem_ctx, sa_sid);
} else {
dag_sid = NULL;
}
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else if (security_token_has_sid(token, da_sid)) {
dag_sid = dom_sid_dup(mem_ctx, da_sid);
+ } else if (security_token_is_system(token)) {
+ dag_sid = dom_sid_dup(mem_ctx, ea_sid);
} else {
dag_sid = NULL;
}
dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else if (security_token_has_sid(token, ea_sid)) {
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
+ } else if (security_token_is_system(token)) {
+ dag_sid = dom_sid_dup(mem_ctx, da_sid);
} else {
dag_sid = NULL;
}
struct ldb_context *ldb,
struct dom_sid *dag)
{
- if (dsdb_functional_level(ldb) >= DS_DOMAIN_FUNCTION_2008) {
- return dag;
- }
-
- return NULL;
+ /*
+ * This depends on the function level of the DC
+ * which is 2008R2 in our case. Which means it is
+ * higher than 2003 and we should use the
+ * "default administrator group" also as owning group.
+ *
+ * This matches dcpromo for a 2003 domain
+ * on a Windows 2008R2 DC.
+ */
+ return dag;
}
static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx,
final_sd->type = SEC_DESC_SELF_RELATIVE;
if (sd_flags & (SECINFO_OWNER)) {
- final_sd->owner_sid = talloc_memdup(mem_ctx, new_sd->owner_sid, sizeof(struct dom_sid));
+ if (new_sd->owner_sid) {
+ final_sd->owner_sid = talloc_memdup(mem_ctx, new_sd->owner_sid, sizeof(struct dom_sid));
+ }
final_sd->type |= new_sd->type & SEC_DESC_OWNER_DEFAULTED;
}
else if (old_sd) {
- final_sd->owner_sid = talloc_memdup(mem_ctx, old_sd->owner_sid, sizeof(struct dom_sid));
+ if (old_sd->owner_sid) {
+ final_sd->owner_sid = talloc_memdup(mem_ctx, old_sd->owner_sid, sizeof(struct dom_sid));
+ }
final_sd->type |= old_sd->type & SEC_DESC_OWNER_DEFAULTED;
}
if (sd_flags & (SECINFO_GROUP)) {
- final_sd->group_sid = talloc_memdup(mem_ctx, new_sd->group_sid, sizeof(struct dom_sid));
+ if (new_sd->group_sid) {
+ final_sd->group_sid = talloc_memdup(mem_ctx, new_sd->group_sid, sizeof(struct dom_sid));
+ }
final_sd->type |= new_sd->type & SEC_DESC_GROUP_DEFAULTED;
}
else if (old_sd) {
- final_sd->group_sid = talloc_memdup(mem_ctx, old_sd->group_sid, sizeof(struct dom_sid));
+ if (old_sd->group_sid) {
+ final_sd->group_sid = talloc_memdup(mem_ctx, old_sd->group_sid, sizeof(struct dom_sid));
+ }
final_sd->type |= old_sd->type & SEC_DESC_GROUP_DEFAULTED;
}
enum ndr_err_code ndr_err;
struct ldb_context *ldb = ldb_module_get_ctx(module);
struct auth_session_info *session_info
- = ldb_get_opaque(ldb, "sessionInfo");
+ = ldb_get_opaque(ldb, DSDB_SESSION_INFO);
const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
- char *sddl_sd;
struct dom_sid *default_owner;
struct dom_sid *default_group;
+ struct security_descriptor *default_descriptor = NULL;
+ struct GUID *object_list = NULL;
+
+ if (objectclass != NULL) {
+ default_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
+ object_list = talloc_zero_array(mem_ctx, struct GUID, 2);
+ if (object_list == NULL) {
+ return NULL;
+ }
+ object_list[0] = objectclass->schemaIDGUID;
+ }
if (object) {
user_descriptor = talloc(mem_ctx, struct security_descriptor);
return NULL;
}
} else {
- user_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
+ user_descriptor = default_descriptor;
}
if (old_sd) {
}
}
+ if (user_descriptor && default_descriptor &&
+ (user_descriptor->dacl == NULL))
+ {
+ user_descriptor->dacl = default_descriptor->dacl;
+ user_descriptor->type |= default_descriptor->type & (
+ SEC_DESC_DACL_PRESENT |
+ SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
+ SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
+ SEC_DESC_DACL_TRUSTED);
+ }
+
+ if (user_descriptor && default_descriptor &&
+ (user_descriptor->sacl == NULL))
+ {
+ user_descriptor->sacl = default_descriptor->sacl;
+ user_descriptor->type |= default_descriptor->type & (
+ SEC_DESC_SACL_PRESENT |
+ SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
+ SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
+ SEC_DESC_SERVER_SECURITY);
+ }
+
+
+ if (!(sd_flags & SECINFO_OWNER) && user_descriptor) {
+ user_descriptor->owner_sid = NULL;
+
+ /*
+ * We need the correct owner sid
+ * when calculating the DACL or SACL
+ */
+ if (old_descriptor) {
+ user_descriptor->owner_sid = old_descriptor->owner_sid;
+ }
+ }
+ if (!(sd_flags & SECINFO_GROUP) && user_descriptor) {
+ user_descriptor->group_sid = NULL;
+
+ /*
+ * We need the correct group sid
+ * when calculating the DACL or SACL
+ */
+ if (old_descriptor) {
+ user_descriptor->group_sid = old_descriptor->group_sid;
+ }
+ }
+ if (!(sd_flags & SECINFO_DACL) && user_descriptor) {
+ user_descriptor->dacl = NULL;
+
+ /*
+ * We add SEC_DESC_DACL_PROTECTED so that
+ * create_security_descriptor() skips
+ * the unused inheritance calculation
+ */
+ user_descriptor->type |= SEC_DESC_DACL_PROTECTED;
+ }
+ if (!(sd_flags & SECINFO_SACL) && user_descriptor) {
+ user_descriptor->sacl = NULL;
+
+ /*
+ * We add SEC_DESC_SACL_PROTECTED so that
+ * create_security_descriptor() skips
+ * the unused inheritance calculation
+ */
+ user_descriptor->type |= SEC_DESC_SACL_PROTECTED;
+ }
+
default_owner = get_default_ag(mem_ctx, dn,
session_info->security_token, ldb);
default_group = get_default_group(mem_ctx, ldb, default_owner);
- new_sd = create_security_descriptor(mem_ctx, parent_descriptor, user_descriptor, true,
- NULL, SEC_DACL_AUTO_INHERIT|SEC_SACL_AUTO_INHERIT,
+ new_sd = create_security_descriptor(mem_ctx,
+ parent_descriptor,
+ user_descriptor,
+ true,
+ object_list,
+ SEC_DACL_AUTO_INHERIT |
+ SEC_SACL_AUTO_INHERIT,
session_info->security_token,
default_owner, default_group,
map_generic_rights_ds);
final_sd->sacl->revision = SECURITY_ACL_REVISION_ADS;
}
- sddl_sd = sddl_encode(mem_ctx, final_sd, domain_sid);
- DEBUG(10, ("Object %s created with desriptor %s\n\n", ldb_dn_get_linearized(dn), sddl_sd));
+ {
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ DBG_DEBUG("Object %s created with descriptor %s\n\n",
+ ldb_dn_get_linearized(dn),
+ sddl_encode(tmp_ctx, final_sd, domain_sid));
+ TALLOC_FREE(tmp_ctx);
+ }
linear_sd = talloc(mem_ctx, DATA_BLOB);
if (!linear_sd) {
static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply *ares)
{
struct descriptor_context *ac;
- struct ldb_control *sd_control;
struct ldb_val *sd_val = NULL;
struct ldb_message_element *sd_el;
DATA_BLOB *show_sd;
- int ret;
- uint32_t sd_flags = 0;
+ int ret = LDB_SUCCESS;
ac = talloc_get_type(req->context, struct descriptor_context);
ares->response, ares->error);
}
- sd_control = ldb_request_get_control(ac->req, LDB_CONTROL_SD_FLAGS_OID);
- if (sd_control) {
- struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
- sd_flags = sdctr->secinfo_flags;
- /* we only care for the last 4 bits */
- sd_flags = sd_flags & 0x0000000F;
- if (sd_flags == 0) {
- /* MS-ADTS 3.1.1.3.4.1.11 says that no bits
- equals all 4 bits */
- sd_flags = 0xF;
- }
- }
-
switch (ares->type) {
case LDB_REPLY_ENTRY:
- if (sd_flags != 0) {
- sd_el = ldb_msg_find_element(ares->message, "nTSecurityDescriptor");
- if (sd_el) {
- sd_val = sd_el->values;
- }
+ sd_el = ldb_msg_find_element(ares->message, "nTSecurityDescriptor");
+ if (sd_el) {
+ sd_val = sd_el->values;
}
+
if (sd_val) {
show_sd = descr_get_descriptor_to_show(ac->module, ac->req,
- sd_val, sd_flags);
+ sd_val, ac->sd_flags);
if (!show_sd) {
ret = LDB_ERR_OPERATIONS_ERROR;
goto fail;
static int descriptor_add(struct ldb_module *module, struct ldb_request *req)
{
- struct ldb_context *ldb;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
struct ldb_request *add_req;
struct ldb_message *msg;
struct ldb_result *parent_res;
const struct ldb_val *parent_sd = NULL;
const struct ldb_val *user_sd;
- struct ldb_dn *parent_dn, *dn, *nc_root;
+ struct ldb_dn *dn = req->op.add.message->dn;
+ struct ldb_dn *parent_dn, *nc_root;
struct ldb_message_element *objectclass_element, *sd_element;
int ret;
const struct dsdb_schema *schema;
static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
uint32_t instanceType;
bool isNC = false;
+ uint32_t sd_flags = dsdb_request_sd_flags(req, NULL);
+
+ /* do not manipulate our control entries */
+ if (ldb_dn_is_special(dn)) {
+ return ldb_next_request(module, req);
+ }
- ldb = ldb_module_get_ctx(module);
- dn = req->op.add.message->dn;
user_sd = ldb_msg_find_ldb_val(req->op.add.message, "nTSecurityDescriptor");
sd_element = ldb_msg_find_element(req->op.add.message, "nTSecurityDescriptor");
/* nTSecurityDescriptor without a value is an error, letting through so it is handled */
ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: %s\n", ldb_dn_get_linearized(dn));
- /* do not manipulate our control entries */
- if (ldb_dn_is_special(dn)) {
- return ldb_next_request(module, req);
- }
-
instanceType = ldb_msg_find_attr_as_uint(req->op.add.message, "instanceType", 0);
if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
return ldb_operr(ldb);
}
+ /*
+ * The SD_FLAG control is ignored on add
+ * and we default to all bits set.
+ */
+ sd_flags = SECINFO_OWNER|SECINFO_GROUP|SECINFO_SACL|SECINFO_DACL;
+
sd = get_new_descriptor(module, dn, req,
objectclass, parent_sd,
- user_sd, NULL, 0);
+ user_sd, NULL, sd_flags);
+ if (sd == NULL) {
+ return ldb_operr(ldb);
+ }
msg = ldb_msg_copy_shallow(req, req->op.add.message);
- if (sd != NULL) {
- if (sd_element != NULL) {
- sd_element->values[0] = *sd;
- } else {
- ret = ldb_msg_add_steal_value(msg,
- "nTSecurityDescriptor",
- sd);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
+ if (msg == NULL) {
+ return ldb_oom(ldb);
+ }
+ if (sd_element != NULL) {
+ sd_element->values[0] = *sd;
+ } else {
+ ret = ldb_msg_add_steal_value(msg,
+ "nTSecurityDescriptor",
+ sd);
+ if (ret != LDB_SUCCESS) {
+ return ret;
}
}
static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
{
- struct ldb_context *ldb;
- struct ldb_control *sd_recalculate_control, *sd_flags_control;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
struct ldb_request *mod_req;
struct ldb_message *msg;
struct ldb_result *current_res, *parent_res;
const struct ldb_val *old_sd = NULL;
const struct ldb_val *parent_sd = NULL;
const struct ldb_val *user_sd;
- struct ldb_dn *parent_dn, *dn;
- struct ldb_message_element *objectclass_element;
+ struct ldb_dn *dn = req->op.mod.message->dn;
+ struct ldb_dn *parent_dn;
+ struct ldb_message_element *objectclass_element, *sd_element;
int ret;
- uint32_t instanceType, sd_flags = 0;
+ uint32_t instanceType;
+ bool explicit_sd_flags = false;
+ uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
const struct dsdb_schema *schema;
DATA_BLOB *sd;
const struct dsdb_class *objectclass;
static const char * const current_attrs[] = { "nTSecurityDescriptor",
"instanceType",
"objectClass", NULL };
- ldb = ldb_module_get_ctx(module);
- dn = req->op.mod.message->dn;
- user_sd = ldb_msg_find_ldb_val(req->op.mod.message, "nTSecurityDescriptor");
- /* This control forces the recalculation of the SD also when
- * no modification is performed. */
- sd_recalculate_control = ldb_request_get_control(req,
- LDB_CONTROL_RECALCULATE_SD_OID);
- if (!user_sd && !sd_recalculate_control) {
+ struct ldb_control *sd_propagation_control;
+ int cmp_ret = -1;
+
+ /* do not manipulate our control entries */
+ if (ldb_dn_is_special(dn)) {
return ldb_next_request(module, req);
}
- ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_modify: %s\n", ldb_dn_get_linearized(dn));
+ sd_propagation_control = ldb_request_get_control(req,
+ DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
+ if (sd_propagation_control != NULL) {
+ if (sd_propagation_control->data != module) {
+ return ldb_operr(ldb);
+ }
+ if (req->op.mod.message->num_elements != 0) {
+ return ldb_operr(ldb);
+ }
+ if (explicit_sd_flags) {
+ return ldb_operr(ldb);
+ }
+ if (sd_flags != 0xF) {
+ return ldb_operr(ldb);
+ }
+ if (sd_propagation_control->critical == 0) {
+ return ldb_operr(ldb);
+ }
- /* do not manipulate our control entries */
- if (ldb_dn_is_special(dn)) {
+ sd_propagation_control->critical = 0;
+ }
+
+ sd_element = ldb_msg_find_element(req->op.mod.message, "nTSecurityDescriptor");
+ if (sd_propagation_control == NULL && sd_element == NULL) {
return ldb_next_request(module, req);
}
+ /*
+ * nTSecurityDescriptor with DELETE is not supported yet.
+ * TODO: handle this correctly.
+ */
+ if (sd_propagation_control == NULL &&
+ LDB_FLAG_MOD_TYPE(sd_element->flags) == LDB_FLAG_MOD_DELETE)
+ {
+ return ldb_module_error(module,
+ LDB_ERR_UNWILLING_TO_PERFORM,
+ "MOD_DELETE for nTSecurityDescriptor "
+ "not supported yet");
+ }
+
+ user_sd = ldb_msg_find_ldb_val(req->op.mod.message, "nTSecurityDescriptor");
+ /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
+ if (sd_propagation_control == NULL && user_sd == NULL) {
+ return ldb_next_request(module, req);
+ }
+
+ ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_modify: %s\n", ldb_dn_get_linearized(dn));
+
ret = dsdb_module_search_dn(module, req, ¤t_res, dn,
current_attrs,
DSDB_FLAG_NEXT_MODULE |
DSDB_FLAG_AS_SYSTEM |
- DSDB_SEARCH_SHOW_RECYCLED,
+ DSDB_SEARCH_SHOW_RECYCLED |
+ DSDB_SEARCH_SHOW_EXTENDED_DN,
req);
if (ret != LDB_SUCCESS) {
ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n",
}
parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
}
- sd_flags_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
schema = dsdb_get_schema(ldb, req);
return ldb_operr(ldb);
}
- if (sd_flags_control) {
- struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_flags_control->data;
- sd_flags = sdctr->secinfo_flags;
- /* we only care for the last 4 bits */
- sd_flags = sd_flags & 0x0000000F;
+ old_sd = ldb_msg_find_ldb_val(current_res->msgs[0], "nTSecurityDescriptor");
+ if (old_sd == NULL) {
+ return ldb_operr(ldb);
}
- if (sd_flags != 0) {
- old_sd = ldb_msg_find_ldb_val(current_res->msgs[0], "nTSecurityDescriptor");
+
+ if (sd_propagation_control != NULL) {
+ /*
+ * This just triggers a recalculation of the
+ * inherited aces.
+ */
+ user_sd = old_sd;
}
- sd = get_new_descriptor(module, dn, req,
+ sd = get_new_descriptor(module, current_res->msgs[0]->dn, req,
objectclass, parent_sd,
user_sd, old_sd, sd_flags);
+ if (sd == NULL) {
+ return ldb_operr(ldb);
+ }
msg = ldb_msg_copy_shallow(req, req->op.mod.message);
- if (sd != NULL) {
- struct ldb_message_element *sd_element;
- if (user_sd != NULL) {
- sd_element = ldb_msg_find_element(msg,
- "nTSecurityDescriptor");
- sd_element->values[0] = *sd;
- } else if (sd_recalculate_control != NULL) {
- /* In this branch we really do force the recalculation
- * of the SD */
- ldb_msg_remove_attr(msg, "nTSecurityDescriptor");
-
- ret = ldb_msg_add_steal_value(msg,
- "nTSecurityDescriptor",
- sd);
- if (ret != LDB_SUCCESS) {
- return ldb_error(ldb, ret,
- "descriptor_modify: Could not replace SD value in message.");
- }
- sd_element = ldb_msg_find_element(msg,
- "nTSecurityDescriptor");
- sd_element->flags = LDB_FLAG_MOD_REPLACE;
- }
+ if (msg == NULL) {
+ return ldb_oom(ldb);
}
+ cmp_ret = data_blob_cmp(old_sd, sd);
+ if (sd_propagation_control != NULL) {
+ if (cmp_ret == 0) {
+ /*
+ * The nTSecurityDescriptor is unchanged,
+ * which means we can stop the processing.
+ *
+ * We mark the control as critical again,
+ * as we have not processed it, so the caller
+ * can tell that the descriptor was unchanged.
+ */
+ sd_propagation_control->critical = 1;
+ return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
+ }
- /* mark the controls as non-critical since we've handled them */
- if (sd_flags_control != NULL) {
- sd_flags_control->critical = 0;
- }
- if (sd_recalculate_control != NULL) {
- sd_recalculate_control->critical = 0;
+ ret = ldb_msg_add_empty(msg, "nTSecurityDescriptor",
+ LDB_FLAG_MOD_REPLACE,
+ &sd_element);
+ if (ret != LDB_SUCCESS) {
+ return ldb_oom(ldb);
+ }
+ ret = ldb_msg_add_value(msg, "nTSecurityDescriptor",
+ sd, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ldb_oom(ldb);
+ }
+ } else if (cmp_ret != 0) {
+ struct GUID guid;
+ struct ldb_dn *nc_root;
+ NTSTATUS status;
+
+ ret = dsdb_find_nc_root(ldb,
+ msg,
+ current_res->msgs[0]->dn,
+ &nc_root);
+ if (ret != LDB_SUCCESS) {
+ return ldb_oom(ldb);
+ }
+
+ status = dsdb_get_extended_dn_guid(current_res->msgs[0]->dn,
+ &guid,
+ "GUID");
+ if (!NT_STATUS_IS_OK(status)) {
+ return ldb_operr(ldb);
+ }
+
+ /*
+ * Force SD propagation on children of this record
+ */
+ ret = dsdb_module_schedule_sd_propagation(module,
+ nc_root,
+ guid,
+ false);
+ if (ret != LDB_SUCCESS) {
+ return ldb_operr(ldb);
+ }
+ sd_element->values[0] = *sd;
+ } else {
+ sd_element->values[0] = *sd;
}
ret = ldb_build_mod_req(&mod_req, ldb, req,
{
int ret;
struct ldb_context *ldb;
- struct ldb_control *sd_control;
struct ldb_request *down_req;
struct descriptor_context *ac;
+ bool explicit_sd_flags = false;
+ uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
+ bool show_sd = explicit_sd_flags;
+
+ if (!show_sd &&
+ ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"))
+ {
+ show_sd = true;
+ }
- sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
- if (!sd_control) {
+ if (!show_sd) {
return ldb_next_request(module, req);
}
if (ac == NULL) {
return ldb_operr(ldb);
}
+ ac->sd_flags = sd_flags;
ret = ldb_build_search_req_ex(&down_req, ldb, ac,
req->op.search.base,
if (ret != LDB_SUCCESS) {
return ret;
}
- /* mark it as handled */
- if (sd_control) {
- sd_control->critical = 0;
- }
return ldb_next_request(ac->module, down_req);
}
-/* TODO */
+
static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
{
struct ldb_context *ldb = ldb_module_get_ctx(module);
- ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_rename: %s\n", ldb_dn_get_linearized(req->op.rename.olddn));
+ struct ldb_dn *olddn = req->op.rename.olddn;
+ struct ldb_dn *newdn = req->op.rename.newdn;
+ int ret;
/* do not manipulate our control entries */
if (ldb_dn_is_special(req->op.rename.olddn)) {
return ldb_next_request(module, req);
}
+ ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_rename: %s\n",
+ ldb_dn_get_linearized(olddn));
+
+ if (ldb_dn_compare(olddn, newdn) != 0) {
+ struct ldb_dn *nc_root;
+ struct GUID guid;
+
+ ret = dsdb_find_nc_root(ldb, req, newdn, &nc_root);
+ if (ret != LDB_SUCCESS) {
+ return ldb_oom(ldb);
+ }
+
+ ret = dsdb_module_guid_by_dn(module,
+ olddn,
+ &guid,
+ req);
+ if (ret == LDB_SUCCESS) {
+ /*
+ * Without disturbing any errors if the olddn
+ * does not exit, force SD propagation on
+ * this record (get a new inherited SD from
+ * the potentially new parent
+ */
+ ret = dsdb_module_schedule_sd_propagation(module,
+ nc_root,
+ guid,
+ true);
+ if (ret != LDB_SUCCESS) {
+ return ldb_operr(ldb);
+ }
+ }
+ }
+
+ return ldb_next_request(module, req);
+}
+
+static void descriptor_changes_parser(TDB_DATA key, TDB_DATA data, void *private_data)
+{
+ struct descriptor_changes **c_ptr = (struct descriptor_changes **)private_data;
+ uintptr_t ptr = 0;
+
+ SMB_ASSERT(data.dsize == sizeof(ptr));
+
+ memcpy(&ptr, data.dptr, data.dsize);
+
+ *c_ptr = talloc_get_type_abort((void *)ptr, struct descriptor_changes);
+}
+
+static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
+ struct ldb_request *req)
+{
+ struct descriptor_data *descriptor_private =
+ talloc_get_type_abort(ldb_module_get_private(module),
+ struct descriptor_data);
+ struct descriptor_transaction *t = &descriptor_private->transaction;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct dsdb_extended_sec_desc_propagation_op *op;
+ struct descriptor_changes *c = NULL;
+ TDB_DATA key;
+ NTSTATUS status;
+
+ op = talloc_get_type(req->op.extended.data,
+ struct dsdb_extended_sec_desc_propagation_op);
+ if (op == NULL) {
+ ldb_debug(ldb, LDB_DEBUG_FATAL,
+ "descriptor_extended_sec_desc_propagation: "
+ "invalid extended data\n");
+ return LDB_ERR_PROTOCOL_ERROR;
+ }
+
+ if (t->mem == NULL) {
+ return ldb_module_operr(module);
+ }
+
+ /*
+ * First we check if we already have an registration
+ * for the given object.
+ */
+
+ key = make_tdb_data((const void*)&op->guid, sizeof(op->guid));
+ status = dbwrap_parse_record(t->changes.map, key,
+ descriptor_changes_parser, &c);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ c = NULL;
+ status = NT_STATUS_OK;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ ldb_debug(ldb, LDB_DEBUG_FATAL,
+ "dbwrap_parse_record() - %s\n",
+ nt_errstr(status));
+ return ldb_module_operr(module);
+ }
+
+ if (c == NULL) {
+ /*
+ * Create a new structure if we
+ * don't know about the object yet.
+ */
+
+ c = talloc_zero(t->mem, struct descriptor_changes);
+ if (c == NULL) {
+ return ldb_module_oom(module);
+ }
+ c->nc_root = ldb_dn_copy(c, op->nc_root);
+ if (c->nc_root == NULL) {
+ return ldb_module_oom(module);
+ }
+ c->guid = op->guid;
+ }
+
+ if (ldb_dn_compare(c->nc_root, op->nc_root) != 0) {
+ /*
+ * This is an unexpected situation,
+ * we don't expect the nc root to change
+ * during a replication cycle.
+ */
+ DBG_ERR("ERROR: Object %s nc_root changed %s => %s\n",
+ GUID_string(c, &c->guid),
+ ldb_dn_get_extended_linearized(c, c->nc_root, 1),
+ ldb_dn_get_extended_linearized(c, op->nc_root, 1));
+ return ldb_module_operr(module);
+ }
+
+ c->ref_count += 1;
+
+ /*
+ * Note that we only set, but don't clear values here,
+ * it means c->force_self and c->force_children can
+ * both be true in the end.
+ */
+ if (op->include_self) {
+ c->force_self = true;
+ } else {
+ c->force_children = true;
+ }
+
+ if (c->ref_count == 1) {
+ struct TDB_DATA val = make_tdb_data((const void*)&c, sizeof(c));
+
+ /*
+ * Remember the change by objectGUID in order
+ * to avoid processing it more than once.
+ */
+
+ status = dbwrap_store(t->changes.map, key, val, TDB_INSERT);
+ if (!NT_STATUS_IS_OK(status)) {
+ ldb_debug(ldb, LDB_DEBUG_FATAL,
+ "dbwrap_parse_record() - %s\n",
+ nt_errstr(status));
+ return ldb_module_operr(module);
+ }
+
+ DLIST_ADD_END(t->changes.list, c);
+ t->changes.num_registered += 1;
+ }
+ t->changes.num_registrations += 1;
+
+ return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
+}
+
+static int descriptor_extended(struct ldb_module *module, struct ldb_request *req)
+{
+ if (strcmp(req->op.extended.oid, DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID) == 0) {
+ return descriptor_extended_sec_desc_propagation(module, req);
+ }
+
return ldb_next_request(module, req);
}
static int descriptor_init(struct ldb_module *module)
{
- int ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
struct ldb_context *ldb = ldb_module_get_ctx(module);
+ int ret;
+ struct descriptor_data *descriptor_private;
+
+ ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
if (ret != LDB_SUCCESS) {
ldb_debug(ldb, LDB_DEBUG_ERROR,
"descriptor: Unable to register control with rootdse!\n");
return ldb_operr(ldb);
}
+
+ descriptor_private = talloc_zero(module, struct descriptor_data);
+ if (descriptor_private == NULL) {
+ ldb_oom(ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ ldb_module_set_private(module, descriptor_private);
+
return ldb_next_init(module);
}
+static int descriptor_sd_propagation_object(struct ldb_module *module,
+ struct ldb_message *msg,
+ bool *stop)
+{
+ struct descriptor_data *descriptor_private =
+ talloc_get_type_abort(ldb_module_get_private(module),
+ struct descriptor_data);
+ struct descriptor_transaction *t = &descriptor_private->transaction;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct ldb_request *sub_req;
+ struct ldb_result *mod_res;
+ struct ldb_control *sd_propagation_control;
+ int ret;
+
+ *stop = false;
+
+ t->objects.num_processed += 1;
+
+ mod_res = talloc_zero(msg, struct ldb_result);
+ if (mod_res == NULL) {
+ return ldb_module_oom(module);
+ }
+
+ ret = ldb_build_mod_req(&sub_req, ldb, mod_res,
+ msg,
+ NULL,
+ mod_res,
+ ldb_modify_default_callback,
+ NULL);
+ LDB_REQ_SET_LOCATION(sub_req);
+ if (ret != LDB_SUCCESS) {
+ return ldb_module_operr(module);
+ }
+
+ ldb_req_mark_trusted(sub_req);
+
+ ret = ldb_request_add_control(sub_req,
+ DSDB_CONTROL_SEC_DESC_PROPAGATION_OID,
+ true, module);
+ if (ret != LDB_SUCCESS) {
+ return ldb_module_operr(module);
+ }
+
+ sd_propagation_control = ldb_request_get_control(sub_req,
+ DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
+ if (sd_propagation_control == NULL) {
+ return ldb_module_operr(module);
+ }
+
+ ret = dsdb_request_add_controls(sub_req,
+ DSDB_FLAG_AS_SYSTEM |
+ DSDB_SEARCH_SHOW_RECYCLED);
+ if (ret != LDB_SUCCESS) {
+ return ldb_module_operr(module);
+ }
+
+ ret = descriptor_modify(module, sub_req);
+ if (ret == LDB_SUCCESS) {
+ ret = ldb_wait(sub_req->handle, LDB_WAIT_ALL);
+ }
+ if (ret != LDB_SUCCESS) {
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "descriptor_modify on %s failed: %s",
+ ldb_dn_get_linearized(msg->dn),
+ ldb_errstring(ldb_module_get_ctx(module)));
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ if (sd_propagation_control->critical != 0) {
+ *stop = true;
+ }
+
+ talloc_free(mod_res);
+
+ return LDB_SUCCESS;
+}
+
+static int descriptor_sd_propagation_msg_sort(struct ldb_message **m1,
+ struct ldb_message **m2)
+{
+ struct ldb_dn *dn1 = (*m1)->dn;
+ struct ldb_dn *dn2 = (*m2)->dn;
+
+ /*
+ * This sorts in tree order, parents first
+ */
+ return ldb_dn_compare(dn2, dn1);
+}
+
+static int descriptor_sd_propagation_recursive(struct ldb_module *module,
+ struct descriptor_changes *change)
+{
+ struct descriptor_data *descriptor_private =
+ talloc_get_type_abort(ldb_module_get_private(module),
+ struct descriptor_data);
+ struct descriptor_transaction *t = &descriptor_private->transaction;
+ struct ldb_result *guid_res = NULL;
+ struct ldb_result *res = NULL;
+ unsigned int i;
+ const char * const no_attrs[] = { "@__NONE__", NULL };
+ struct ldb_dn *stopped_dn = NULL;
+ struct GUID_txt_buf guid_buf;
+ int ret;
+ bool stop = false;
+
+ t->changes.num_processed += 1;
+
+ /*
+ * First confirm this object has children, or exists
+ * (depending on change->force_self)
+ *
+ * LDB_SCOPE_SUBTREE searches are expensive.
+ *
+ * We know this is safe against a rename race as we are in the
+ * prepare_commit(), so must be in a transaction.
+ */
+
+ /* Find the DN by GUID, as this is stable under rename */
+ ret = dsdb_module_search(module,
+ change,
+ &guid_res,
+ change->nc_root,
+ LDB_SCOPE_SUBTREE,
+ no_attrs,
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_AS_SYSTEM |
+ DSDB_SEARCH_SHOW_DELETED |
+ DSDB_SEARCH_SHOW_RECYCLED,
+ NULL, /* parent_req */
+ "(objectGUID=%s)",
+ GUID_buf_string(&change->guid,
+ &guid_buf));
+
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (guid_res->count != 1) {
+ /*
+ * We were just given this GUID during the same
+ * transaction, if it is missing this is a big
+ * problem.
+ *
+ * Cleanup of tombstones does not trigger this module
+ * as it just does a delete.
+ */
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "failed to find GUID %s under %s "
+ "for transaction-end SD inheritance: %d results",
+ GUID_buf_string(&change->guid,
+ &guid_buf),
+ ldb_dn_get_linearized(change->nc_root),
+ guid_res->count);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ /*
+ * OK, so there was a parent, are there children? Note: that
+ * this time we do not search for deleted/recycled objects
+ */
+ ret = dsdb_module_search(module,
+ change,
+ &res,
+ guid_res->msgs[0]->dn,
+ LDB_SCOPE_ONELEVEL,
+ no_attrs,
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_AS_SYSTEM,
+ NULL, /* parent_req */
+ "(objectClass=*)");
+ if (ret != LDB_SUCCESS) {
+ /*
+ * LDB_ERR_NO_SUCH_OBJECT, say if the DN was a deleted
+ * object, is ignored by the caller
+ */
+ return ret;
+ }
+
+ if (res->count == 0 && !change->force_self) {
+ /* All done, no children */
+ TALLOC_FREE(res);
+ return LDB_SUCCESS;
+ }
+
+ /*
+ * First, if we are in force_self mode (eg renamed under new
+ * parent) then apply the SD to the top object
+ */
+ if (change->force_self) {
+ ret = descriptor_sd_propagation_object(module,
+ guid_res->msgs[0],
+ &stop);
+ if (ret != LDB_SUCCESS) {
+ TALLOC_FREE(guid_res);
+ return ret;
+ }
+
+ if (stop == true && !change->force_children) {
+ /* There was no change, nothing more to do */
+ TALLOC_FREE(guid_res);
+ return LDB_SUCCESS;
+ }
+
+ if (res->count == 0) {
+ /* All done! */
+ TALLOC_FREE(guid_res);
+ return LDB_SUCCESS;
+ }
+ }
+
+ /*
+ * Look for children
+ *
+ * Note: that we do not search for deleted/recycled objects
+ */
+ ret = dsdb_module_search(module,
+ change,
+ &res,
+ guid_res->msgs[0]->dn,
+ LDB_SCOPE_SUBTREE,
+ no_attrs,
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_AS_SYSTEM,
+ NULL, /* parent_req */
+ "(objectClass=*)");
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ TYPESAFE_QSORT(res->msgs, res->count,
+ descriptor_sd_propagation_msg_sort);
+
+ /* We start from 1, the top object has been done */
+ for (i = 1; i < res->count; i++) {
+ /*
+ * ldb_dn_compare_base() does not match for NULL but
+ * this is clearer
+ */
+ if (stopped_dn != NULL) {
+ ret = ldb_dn_compare_base(stopped_dn,
+ res->msgs[i]->dn);
+ /*
+ * Skip further processing of this
+ * sub-subtree
+ */
+ if (ret == 0) {
+ continue;
+ }
+ }
+ ret = descriptor_sd_propagation_object(module,
+ res->msgs[i],
+ &stop);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (stop) {
+ /*
+ * If this child didn't change, then nothing
+ * under it needs to change
+ *
+ * res has been sorted into tree order so the
+ * next few entries can be skipped
+ */
+ stopped_dn = res->msgs[i]->dn;
+ }
+ }
+
+ TALLOC_FREE(res);
+ return LDB_SUCCESS;
+}
+
+static int descriptor_start_transaction(struct ldb_module *module)
+{
+ struct descriptor_data *descriptor_private =
+ talloc_get_type_abort(ldb_module_get_private(module),
+ struct descriptor_data);
+ struct descriptor_transaction *t = &descriptor_private->transaction;
+
+ if (t->mem != NULL) {
+ return ldb_module_operr(module);
+ }
+
+ *t = (struct descriptor_transaction) { .mem = NULL, };
+ t->mem = talloc_new(descriptor_private);
+ if (t->mem == NULL) {
+ return ldb_module_oom(module);
+ }
+ t->changes.map = db_open_rbt(t->mem);
+ if (t->changes.map == NULL) {
+ TALLOC_FREE(t->mem);
+ *t = (struct descriptor_transaction) { .mem = NULL, };
+ return ldb_module_oom(module);
+ }
+
+ return ldb_next_start_trans(module);
+}
+
+static int descriptor_prepare_commit(struct ldb_module *module)
+{
+ struct descriptor_data *descriptor_private =
+ talloc_get_type_abort(ldb_module_get_private(module),
+ struct descriptor_data);
+ struct descriptor_transaction *t = &descriptor_private->transaction;
+ struct descriptor_changes *c, *n;
+ int ret;
+
+ DBG_NOTICE("changes: num_registrations=%zu\n",
+ t->changes.num_registrations);
+ DBG_NOTICE("changes: num_registered=%zu\n",
+ t->changes.num_registered);
+
+ for (c = t->changes.list; c; c = n) {
+ n = c->next;
+
+ DLIST_REMOVE(t->changes.list, c);
+
+ ret = descriptor_sd_propagation_recursive(module, c);
+ if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+ continue;
+ }
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
+ DBG_NOTICE("changes: num_processed=%zu\n", t->changes.num_processed);
+ DBG_NOTICE("objects: num_processed=%zu\n", t->objects.num_processed);
+
+ return ldb_next_prepare_commit(module);
+}
+
+static int descriptor_end_transaction(struct ldb_module *module)
+{
+ struct descriptor_data *descriptor_private =
+ talloc_get_type_abort(ldb_module_get_private(module),
+ struct descriptor_data);
+ struct descriptor_transaction *t = &descriptor_private->transaction;
+
+ TALLOC_FREE(t->mem);
+ *t = (struct descriptor_transaction) { .mem = NULL, };
+
+ return ldb_next_end_trans(module);
+}
+
+static int descriptor_del_transaction(struct ldb_module *module)
+{
+ struct descriptor_data *descriptor_private =
+ talloc_get_type_abort(ldb_module_get_private(module),
+ struct descriptor_data);
+ struct descriptor_transaction *t = &descriptor_private->transaction;
+
+ TALLOC_FREE(t->mem);
+ *t = (struct descriptor_transaction) { .mem = NULL, };
+
+ return ldb_next_del_trans(module);
+}
static const struct ldb_module_ops ldb_descriptor_module_ops = {
- .name = "descriptor",
- .search = descriptor_search,
- .add = descriptor_add,
- .modify = descriptor_modify,
- .rename = descriptor_rename,
- .init_context = descriptor_init
+ .name = "descriptor",
+ .search = descriptor_search,
+ .add = descriptor_add,
+ .modify = descriptor_modify,
+ .rename = descriptor_rename,
+ .init_context = descriptor_init,
+ .extended = descriptor_extended,
+ .start_transaction = descriptor_start_transaction,
+ .prepare_commit = descriptor_prepare_commit,
+ .end_transaction = descriptor_end_transaction,
+ .del_transaction = descriptor_del_transaction,
};
int ldb_descriptor_module_init(const char *version)