4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007
6 Copyright (C) Nadezhda Ivanova 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 * Component: DS Security descriptor module
28 * - Calculate the security descriptor of a newly created object
29 * - Perform sd recalculation on a move operation
30 * - Handle sd modification invariants
32 * Author: Nadezhda Ivanova
36 #include <ldb_module.h>
37 #include "util/dlinklist.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "librpc/ndr/libndr.h"
40 #include "librpc/gen_ndr/ndr_security.h"
41 #include "libcli/security/security.h"
42 #include "auth/auth.h"
43 #include "param/param.h"
44 #include "dsdb/samdb/ldb_modules/util.h"
45 #include "lib/util/util_tdb.h"
46 #include "lib/dbwrap/dbwrap.h"
47 #include "lib/dbwrap/dbwrap_rbt.h"
49 struct descriptor_changes {
50 struct descriptor_changes *prev, *next;
51 struct ldb_dn *nc_root;
53 struct GUID parent_guid;
56 struct ldb_dn *stopped_dn;
61 struct descriptor_transaction {
65 * We used to have a list of changes, appended with each
66 * DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID operation.
68 * But the main problem was that a replication
69 * cycle (mainly the initial replication) calls
70 * DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID for the
71 * same object[GUID] more than once. With
72 * DRSUAPI_DRS_GET_TGT we'll get the naming
73 * context head object and other top level
74 * containers, every often.
76 * It means we'll process objects more
77 * than once and waste a lot of time
78 * doing the same work again and again.
80 * We use an objectGUID based map in order to
81 * avoid registering objects more than once.
82 * In an domain with 22000 object it can
83 * reduce the work from 4 hours down to ~ 3.5 minutes.
85 struct descriptor_changes *list;
86 struct db_context *map;
87 size_t num_registrations;
88 size_t num_registered;
93 struct db_context *map;
99 struct descriptor_data {
100 struct descriptor_transaction transaction;
103 struct descriptor_context {
104 struct ldb_module *module;
105 struct ldb_request *req;
106 struct ldb_message *msg;
107 struct ldb_reply *search_res;
108 struct ldb_reply *search_oc_res;
109 struct ldb_val *parentsd_val;
110 struct ldb_message_element *sd_element;
111 struct ldb_val *sd_val;
113 int (*step_fn)(struct descriptor_context *);
116 static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
118 const struct security_token *token,
119 struct ldb_context *ldb)
121 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
122 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
123 struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
124 struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
125 struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
126 struct dom_sid *dag_sid;
127 struct ldb_dn *nc_root;
130 ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
131 if (ret != LDB_SUCCESS) {
132 talloc_free(tmp_ctx);
136 if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
137 if (security_token_has_sid(token, sa_sid)) {
138 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
139 } else if (security_token_has_sid(token, ea_sid)) {
140 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
141 } else if (security_token_has_sid(token, da_sid)) {
142 dag_sid = dom_sid_dup(mem_ctx, da_sid);
143 } else if (security_token_is_system(token)) {
144 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
148 } else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
149 if (security_token_has_sid(token, ea_sid)) {
150 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
151 } else if (security_token_has_sid(token, da_sid)) {
152 dag_sid = dom_sid_dup(mem_ctx, da_sid);
153 } else if (security_token_is_system(token)) {
154 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
158 } else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
159 if (security_token_has_sid(token, da_sid)) {
160 dag_sid = dom_sid_dup(mem_ctx, da_sid);
161 } else if (security_token_has_sid(token, ea_sid)) {
162 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
163 } else if (security_token_is_system(token)) {
164 dag_sid = dom_sid_dup(mem_ctx, da_sid);
172 talloc_free(tmp_ctx);
176 static struct security_descriptor *get_sd_unpacked(struct ldb_module *module, TALLOC_CTX *mem_ctx,
177 const struct dsdb_class *objectclass)
179 struct ldb_context *ldb = ldb_module_get_ctx(module);
180 struct security_descriptor *sd;
181 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
183 if (!objectclass->defaultSecurityDescriptor || !domain_sid) {
187 sd = sddl_decode(mem_ctx,
188 objectclass->defaultSecurityDescriptor,
193 static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx,
194 struct ldb_context *ldb,
198 * This depends on the function level of the DC
199 * which is 2008R2 in our case. Which means it is
200 * higher than 2003 and we should use the
201 * "default administrator group" also as owning group.
203 * This matches dcpromo for a 2003 domain
204 * on a Windows 2008R2 DC.
209 static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx,
210 struct security_descriptor *new_sd,
211 struct security_descriptor *old_sd,
214 struct security_descriptor *final_sd;
215 /* if there is no control or control == 0 modify everything */
220 final_sd = talloc_zero(mem_ctx, struct security_descriptor);
221 final_sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
222 final_sd->type = SEC_DESC_SELF_RELATIVE;
224 if (sd_flags & (SECINFO_OWNER)) {
225 if (new_sd->owner_sid) {
226 final_sd->owner_sid = talloc_memdup(mem_ctx, new_sd->owner_sid, sizeof(struct dom_sid));
228 final_sd->type |= new_sd->type & SEC_DESC_OWNER_DEFAULTED;
231 if (old_sd->owner_sid) {
232 final_sd->owner_sid = talloc_memdup(mem_ctx, old_sd->owner_sid, sizeof(struct dom_sid));
234 final_sd->type |= old_sd->type & SEC_DESC_OWNER_DEFAULTED;
237 if (sd_flags & (SECINFO_GROUP)) {
238 if (new_sd->group_sid) {
239 final_sd->group_sid = talloc_memdup(mem_ctx, new_sd->group_sid, sizeof(struct dom_sid));
241 final_sd->type |= new_sd->type & SEC_DESC_GROUP_DEFAULTED;
244 if (old_sd->group_sid) {
245 final_sd->group_sid = talloc_memdup(mem_ctx, old_sd->group_sid, sizeof(struct dom_sid));
247 final_sd->type |= old_sd->type & SEC_DESC_GROUP_DEFAULTED;
250 if (sd_flags & (SECINFO_SACL)) {
251 final_sd->sacl = security_acl_dup(mem_ctx,new_sd->sacl);
252 final_sd->type |= new_sd->type & (SEC_DESC_SACL_PRESENT |
253 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
254 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
255 SEC_DESC_SERVER_SECURITY);
257 else if (old_sd && old_sd->sacl) {
258 final_sd->sacl = security_acl_dup(mem_ctx,old_sd->sacl);
259 final_sd->type |= old_sd->type & (SEC_DESC_SACL_PRESENT |
260 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
261 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
262 SEC_DESC_SERVER_SECURITY);
265 if (sd_flags & (SECINFO_DACL)) {
266 final_sd->dacl = security_acl_dup(mem_ctx,new_sd->dacl);
267 final_sd->type |= new_sd->type & (SEC_DESC_DACL_PRESENT |
268 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
269 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
270 SEC_DESC_DACL_TRUSTED);
272 else if (old_sd && old_sd->dacl) {
273 final_sd->dacl = security_acl_dup(mem_ctx,old_sd->dacl);
274 final_sd->type |= old_sd->type & (SEC_DESC_DACL_PRESENT |
275 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
276 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
277 SEC_DESC_DACL_TRUSTED);
279 /* not so sure about this */
280 final_sd->type |= new_sd->type & SEC_DESC_RM_CONTROL_VALID;
284 static struct security_descriptor *get_new_descriptor_nonlinear(struct ldb_module *module,
287 const struct dsdb_class *objectclass,
288 const struct ldb_val *parent,
289 const struct ldb_val *object,
290 const struct ldb_val *old_sd,
293 struct security_descriptor *user_descriptor = NULL, *parent_descriptor = NULL;
294 struct security_descriptor *old_descriptor = NULL;
295 struct security_descriptor *new_sd, *final_sd;
296 enum ndr_err_code ndr_err;
297 struct ldb_context *ldb = ldb_module_get_ctx(module);
298 struct auth_session_info *session_info
299 = ldb_get_opaque(ldb, DSDB_SESSION_INFO);
300 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
301 struct dom_sid *default_owner;
302 struct dom_sid *default_group;
303 struct security_descriptor *default_descriptor = NULL;
304 struct GUID *object_list = NULL;
306 if (objectclass != NULL) {
307 default_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
308 object_list = talloc_zero_array(mem_ctx, struct GUID, 2);
309 if (object_list == NULL) {
312 object_list[0] = objectclass->schemaIDGUID;
316 user_descriptor = talloc(mem_ctx, struct security_descriptor);
317 if (!user_descriptor) {
320 ndr_err = ndr_pull_struct_blob(object, user_descriptor,
322 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
324 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
325 talloc_free(user_descriptor);
329 user_descriptor = default_descriptor;
333 old_descriptor = talloc(mem_ctx, struct security_descriptor);
334 if (!old_descriptor) {
337 ndr_err = ndr_pull_struct_blob(old_sd, old_descriptor,
339 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
341 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
342 talloc_free(old_descriptor);
348 parent_descriptor = talloc(mem_ctx, struct security_descriptor);
349 if (!parent_descriptor) {
352 ndr_err = ndr_pull_struct_blob(parent, parent_descriptor,
354 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
356 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
357 talloc_free(parent_descriptor);
362 if (user_descriptor && default_descriptor &&
363 (user_descriptor->dacl == NULL))
365 user_descriptor->dacl = default_descriptor->dacl;
366 user_descriptor->type |= default_descriptor->type & (
367 SEC_DESC_DACL_PRESENT |
368 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
369 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
370 SEC_DESC_DACL_TRUSTED);
373 if (user_descriptor && default_descriptor &&
374 (user_descriptor->sacl == NULL))
376 user_descriptor->sacl = default_descriptor->sacl;
377 user_descriptor->type |= default_descriptor->type & (
378 SEC_DESC_SACL_PRESENT |
379 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
380 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
381 SEC_DESC_SERVER_SECURITY);
385 if (!(sd_flags & SECINFO_OWNER) && user_descriptor) {
386 user_descriptor->owner_sid = NULL;
389 * We need the correct owner sid
390 * when calculating the DACL or SACL
392 if (old_descriptor) {
393 user_descriptor->owner_sid = old_descriptor->owner_sid;
396 if (!(sd_flags & SECINFO_GROUP) && user_descriptor) {
397 user_descriptor->group_sid = NULL;
400 * We need the correct group sid
401 * when calculating the DACL or SACL
403 if (old_descriptor) {
404 user_descriptor->group_sid = old_descriptor->group_sid;
407 if (!(sd_flags & SECINFO_DACL) && user_descriptor) {
408 user_descriptor->dacl = NULL;
411 * We add SEC_DESC_DACL_PROTECTED so that
412 * create_security_descriptor() skips
413 * the unused inheritance calculation
415 user_descriptor->type |= SEC_DESC_DACL_PROTECTED;
417 if (!(sd_flags & SECINFO_SACL) && user_descriptor) {
418 user_descriptor->sacl = NULL;
421 * We add SEC_DESC_SACL_PROTECTED so that
422 * create_security_descriptor() skips
423 * the unused inheritance calculation
425 user_descriptor->type |= SEC_DESC_SACL_PROTECTED;
428 default_owner = get_default_ag(mem_ctx, dn,
429 session_info->security_token, ldb);
430 default_group = get_default_group(mem_ctx, ldb, default_owner);
431 new_sd = create_security_descriptor(mem_ctx,
436 SEC_DACL_AUTO_INHERIT |
437 SEC_SACL_AUTO_INHERIT,
438 session_info->security_token,
439 default_owner, default_group,
440 map_generic_rights_ds);
444 final_sd = descr_handle_sd_flags(mem_ctx, new_sd, old_descriptor, sd_flags);
450 if (final_sd->dacl) {
451 final_sd->dacl->revision = SECURITY_ACL_REVISION_ADS;
453 if (final_sd->sacl) {
454 final_sd->sacl->revision = SECURITY_ACL_REVISION_ADS;
458 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
459 DBG_DEBUG("Object %s created with descriptor %s\n\n",
460 ldb_dn_get_linearized(dn),
461 sddl_encode(tmp_ctx, final_sd, domain_sid));
462 TALLOC_FREE(tmp_ctx);
468 static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
471 const struct dsdb_class *objectclass,
472 const struct ldb_val *parent,
473 const struct ldb_val *object,
474 const struct ldb_val *old_sd,
477 struct security_descriptor *final_sd = NULL;
478 enum ndr_err_code ndr_err;
479 DATA_BLOB *linear_sd = talloc(mem_ctx, DATA_BLOB);
485 final_sd = get_new_descriptor_nonlinear(module,
493 if (final_sd == NULL) {
497 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
499 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
500 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
507 static DATA_BLOB *descr_get_descriptor_to_show(struct ldb_module *module,
512 struct security_descriptor *old_sd, *final_sd;
513 DATA_BLOB *linear_sd;
514 enum ndr_err_code ndr_err;
516 old_sd = talloc(mem_ctx, struct security_descriptor);
520 ndr_err = ndr_pull_struct_blob(sd, old_sd,
522 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
524 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
529 final_sd = descr_handle_sd_flags(mem_ctx, old_sd, NULL, sd_flags);
535 linear_sd = talloc(mem_ctx, DATA_BLOB);
540 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
542 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
543 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
550 static struct descriptor_context *descriptor_init_context(struct ldb_module *module,
551 struct ldb_request *req)
553 struct ldb_context *ldb;
554 struct descriptor_context *ac;
556 ldb = ldb_module_get_ctx(module);
558 ac = talloc_zero(req, struct descriptor_context);
560 ldb_set_errstring(ldb, "Out of Memory");
569 static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply *ares)
571 struct descriptor_context *ac;
572 struct ldb_val *sd_val = NULL;
573 struct ldb_message_element *sd_el;
575 int ret = LDB_SUCCESS;
577 ac = talloc_get_type(req->context, struct descriptor_context);
580 ret = LDB_ERR_OPERATIONS_ERROR;
583 if (ares->error != LDB_SUCCESS) {
584 return ldb_module_done(ac->req, ares->controls,
585 ares->response, ares->error);
588 switch (ares->type) {
589 case LDB_REPLY_ENTRY:
590 sd_el = ldb_msg_find_element(ares->message, "nTSecurityDescriptor");
592 sd_val = sd_el->values;
596 show_sd = descr_get_descriptor_to_show(ac->module, ac->req,
597 sd_val, ac->sd_flags);
599 ret = LDB_ERR_OPERATIONS_ERROR;
602 ldb_msg_remove_attr(ares->message, "nTSecurityDescriptor");
603 ret = ldb_msg_add_steal_value(ares->message, "nTSecurityDescriptor", show_sd);
604 if (ret != LDB_SUCCESS) {
608 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
610 case LDB_REPLY_REFERRAL:
611 return ldb_module_send_referral(ac->req, ares->referral);
614 return ldb_module_done(ac->req, ares->controls,
615 ares->response, ares->error);
620 return ldb_module_done(ac->req, NULL, NULL, ret);
623 static bool can_write_owner(TALLOC_CTX *mem_ctx,
624 struct ldb_context *ldb,
626 const struct security_token *security_token,
627 const struct dom_sid *owner_sid)
629 const struct dom_sid *default_owner = NULL;
631 /* If the user possesses SE_RESTORE_PRIVILEGE, the write is allowed. */
632 bool ok = security_token_has_privilege(security_token, SEC_PRIV_RESTORE);
637 /* The user can write their own SID to a security descriptor. */
638 ok = security_token_is_sid(security_token, owner_sid);
644 * The user can write the SID of the "default administrators group" that
645 * they are a member of.
647 default_owner = get_default_ag(mem_ctx, dn,
648 security_token, ldb);
649 if (default_owner != NULL) {
650 ok = security_token_is_sid(security_token, owner_sid);
656 static int descriptor_add(struct ldb_module *module, struct ldb_request *req)
658 struct ldb_context *ldb = ldb_module_get_ctx(module);
659 struct ldb_request *add_req;
660 struct ldb_message *msg;
661 struct ldb_result *parent_res;
662 const struct ldb_val *parent_sd = NULL;
663 const struct ldb_val *user_sd = NULL;
664 struct ldb_dn *dn = req->op.add.message->dn;
665 struct ldb_dn *parent_dn, *nc_root;
666 struct ldb_message_element *objectclass_element, *sd_element;
668 const struct dsdb_schema *schema;
670 const struct dsdb_class *objectclass;
671 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
672 uint32_t instanceType;
674 enum ndr_err_code ndr_err;
675 struct dsdb_control_calculated_default_sd *control_sd = NULL;
676 uint32_t sd_flags = dsdb_request_sd_flags(req, NULL);
677 struct security_descriptor *user_descriptor = NULL;
679 /* do not manipulate our control entries */
680 if (ldb_dn_is_special(dn)) {
681 return ldb_next_request(module, req);
684 user_sd = ldb_msg_find_ldb_val(req->op.add.message, "nTSecurityDescriptor");
685 sd_element = ldb_msg_find_element(req->op.add.message, "nTSecurityDescriptor");
686 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
687 if (user_sd == NULL && sd_element) {
688 return ldb_next_request(module, req);
691 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: %s\n", ldb_dn_get_linearized(dn));
693 instanceType = ldb_msg_find_attr_as_uint(req->op.add.message, "instanceType", 0);
695 if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
700 ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
701 if (ret != LDB_SUCCESS) {
702 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find NC root for %s\n",
703 ldb_dn_get_linearized(dn));
707 if (ldb_dn_compare(dn, nc_root) == 0) {
708 DEBUG(0, ("Found DN %s being a NC by the old method\n", ldb_dn_get_linearized(dn)));
714 DEBUG(2, ("DN: %s is a NC\n", ldb_dn_get_linearized(dn)));
717 /* if the object has a parent, retrieve its SD to
718 * use for calculation. Unfortunately we do not yet have
719 * instanceType, so we use dsdb_find_nc_root. */
721 parent_dn = ldb_dn_get_parent(req, dn);
722 if (parent_dn == NULL) {
726 /* we aren't any NC */
727 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
729 DSDB_FLAG_NEXT_MODULE |
730 DSDB_FLAG_AS_SYSTEM |
731 DSDB_SEARCH_SHOW_RECYCLED,
733 if (ret != LDB_SUCCESS) {
734 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find SD for %s\n",
735 ldb_dn_get_linearized(parent_dn));
738 if (parent_res->count != 1) {
739 return ldb_operr(ldb);
741 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
744 schema = dsdb_get_schema(ldb, req);
746 objectclass_element = ldb_msg_find_element(req->op.add.message, "objectClass");
747 if (objectclass_element == NULL) {
748 return ldb_operr(ldb);
751 objectclass = dsdb_get_last_structural_class(schema,
752 objectclass_element);
753 if (objectclass == NULL) {
754 return ldb_operr(ldb);
758 * The SD_FLAG control is ignored on add
759 * and we default to all bits set.
761 sd_flags = SECINFO_OWNER|SECINFO_GROUP|SECINFO_SACL|SECINFO_DACL;
763 control_sd = talloc(req, struct dsdb_control_calculated_default_sd);
764 if (control_sd == NULL) {
765 return ldb_operr(ldb);
767 control_sd->specified_sd = false;
768 control_sd->specified_sacl = false;
769 if (user_sd != NULL) {
770 user_descriptor = talloc(req, struct security_descriptor);
771 if (user_descriptor == NULL) {
772 return ldb_operr(ldb);
774 ndr_err = ndr_pull_struct_blob(user_sd, user_descriptor,
776 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
778 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
779 talloc_free(user_descriptor);
780 return ldb_operr(ldb);
783 * calculate the permissions needed, since in acl we no longer have
784 * access to the original user descriptor
786 control_sd->specified_sd = true;
787 control_sd->specified_sacl = user_descriptor->sacl != NULL;
789 if (user_descriptor->owner_sid != NULL) {
790 /* Verify the owner of the security descriptor. */
792 const struct auth_session_info *session_info
793 = ldb_get_opaque(ldb, DSDB_SESSION_INFO);
795 bool ok = can_write_owner(req,
798 session_info->security_token,
799 user_descriptor->owner_sid);
800 talloc_free(user_descriptor);
802 return dsdb_module_werror(module,
803 LDB_ERR_CONSTRAINT_VIOLATION,
805 "invalid addition of owner SID");
810 sd = get_new_descriptor(module, dn, req,
811 objectclass, parent_sd,
812 user_sd, NULL, sd_flags);
814 return ldb_operr(ldb);
817 control_sd->default_sd = get_new_descriptor_nonlinear(module,
825 if (control_sd->default_sd == NULL) {
826 return ldb_operr(ldb);
829 msg = ldb_msg_copy_shallow(req, req->op.add.message);
833 if (sd_element != NULL) {
834 sd_element->values[0] = *sd;
836 ret = ldb_msg_add_steal_value(msg,
837 "nTSecurityDescriptor",
839 if (ret != LDB_SUCCESS) {
844 ret = ldb_build_add_req(&add_req, ldb, req,
847 req, dsdb_next_callback,
850 LDB_REQ_SET_LOCATION(add_req);
851 if (ret != LDB_SUCCESS) {
852 return ldb_error(ldb, ret,
853 "descriptor_add: Error creating new add request.");
856 dom_sid_parse("S-1-0-0", control_sd->default_sd->owner_sid);
857 ret = ldb_request_add_control(add_req,
858 DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID,
859 false, (void *)control_sd);
860 if (ret != LDB_SUCCESS) {
861 return ldb_module_operr(module);
863 return ldb_next_request(module, add_req);
866 static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
868 struct ldb_context *ldb = ldb_module_get_ctx(module);
869 struct ldb_request *mod_req;
870 struct ldb_message *msg;
871 struct ldb_result *current_res, *parent_res;
872 const struct ldb_val *old_sd = NULL;
873 const struct ldb_val *parent_sd = NULL;
874 const struct ldb_val *user_sd = NULL;
875 struct ldb_dn *dn = req->op.mod.message->dn;
876 struct ldb_dn *parent_dn;
877 struct ldb_message_element *objectclass_element, *sd_element;
879 uint32_t instanceType;
880 bool explicit_sd_flags = false;
881 uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
882 const struct dsdb_schema *schema;
884 const struct dsdb_class *objectclass;
885 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
886 static const char * const current_attrs[] = { "nTSecurityDescriptor",
888 "objectClass", NULL };
889 struct GUID parent_guid = { .time_low = 0 };
890 struct ldb_control *sd_propagation_control;
893 /* do not manipulate our control entries */
894 if (ldb_dn_is_special(dn)) {
895 return ldb_next_request(module, req);
898 sd_propagation_control = ldb_request_get_control(req,
899 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
900 if (sd_propagation_control != NULL) {
901 if (sd_propagation_control->data != module) {
902 return ldb_operr(ldb);
904 if (req->op.mod.message->num_elements != 0) {
905 return ldb_operr(ldb);
907 if (explicit_sd_flags) {
908 return ldb_operr(ldb);
910 if (sd_flags != 0xF) {
911 return ldb_operr(ldb);
913 if (sd_propagation_control->critical == 0) {
914 return ldb_operr(ldb);
917 sd_propagation_control->critical = 0;
920 sd_element = ldb_msg_find_element(req->op.mod.message, "nTSecurityDescriptor");
921 if (sd_propagation_control == NULL && sd_element == NULL) {
922 return ldb_next_request(module, req);
926 * nTSecurityDescriptor with DELETE is not supported yet.
927 * TODO: handle this correctly.
929 if (sd_propagation_control == NULL &&
930 LDB_FLAG_MOD_TYPE(sd_element->flags) == LDB_FLAG_MOD_DELETE)
932 return ldb_module_error(module,
933 LDB_ERR_UNWILLING_TO_PERFORM,
934 "MOD_DELETE for nTSecurityDescriptor "
935 "not supported yet");
938 user_sd = ldb_msg_find_ldb_val(req->op.mod.message, "nTSecurityDescriptor");
939 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
940 if (sd_propagation_control == NULL && user_sd == NULL) {
941 return ldb_next_request(module, req);
944 if (sd_flags & SECINFO_OWNER && user_sd != NULL) {
945 /* Verify the new owner of the security descriptor. */
947 struct security_descriptor *user_descriptor = NULL;
948 enum ndr_err_code ndr_err;
949 const struct auth_session_info *session_info;
952 user_descriptor = talloc(req, struct security_descriptor);
954 if (user_descriptor == NULL) {
955 return ldb_operr(ldb);
957 ndr_err = ndr_pull_struct_blob(user_sd, user_descriptor,
959 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
961 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
962 talloc_free(user_descriptor);
963 return ldb_operr(ldb);
966 session_info = ldb_get_opaque(ldb, DSDB_SESSION_INFO);
968 ok = can_write_owner(req,
971 session_info->security_token,
972 user_descriptor->owner_sid);
973 talloc_free(user_descriptor);
975 return dsdb_module_werror(module,
976 LDB_ERR_CONSTRAINT_VIOLATION,
978 "invalid modification of owner SID");
982 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_modify: %s\n", ldb_dn_get_linearized(dn));
984 ret = dsdb_module_search_dn(module, req, ¤t_res, dn,
986 DSDB_FLAG_NEXT_MODULE |
987 DSDB_FLAG_AS_SYSTEM |
988 DSDB_SEARCH_SHOW_RECYCLED |
989 DSDB_SEARCH_SHOW_EXTENDED_DN,
991 if (ret != LDB_SUCCESS) {
992 ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n",
993 ldb_dn_get_linearized(dn));
997 instanceType = ldb_msg_find_attr_as_uint(current_res->msgs[0],
999 /* if the object has a parent, retrieve its SD to
1000 * use for calculation */
1001 if (!ldb_dn_is_null(current_res->msgs[0]->dn) &&
1002 !(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
1005 parent_dn = ldb_dn_get_parent(req, dn);
1006 if (parent_dn == NULL) {
1007 return ldb_oom(ldb);
1009 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
1011 DSDB_FLAG_NEXT_MODULE |
1012 DSDB_FLAG_AS_SYSTEM |
1013 DSDB_SEARCH_SHOW_RECYCLED |
1014 DSDB_SEARCH_SHOW_EXTENDED_DN,
1016 if (ret != LDB_SUCCESS) {
1017 ldb_debug(ldb, LDB_DEBUG_ERROR, "descriptor_modify: Could not find SD for %s\n",
1018 ldb_dn_get_linearized(parent_dn));
1021 if (parent_res->count != 1) {
1022 return ldb_operr(ldb);
1024 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
1026 status = dsdb_get_extended_dn_guid(parent_res->msgs[0]->dn,
1029 if (!NT_STATUS_IS_OK(status)) {
1030 return ldb_operr(ldb);
1034 schema = dsdb_get_schema(ldb, req);
1036 objectclass_element = ldb_msg_find_element(current_res->msgs[0], "objectClass");
1037 if (objectclass_element == NULL) {
1038 return ldb_operr(ldb);
1041 objectclass = dsdb_get_last_structural_class(schema,
1042 objectclass_element);
1043 if (objectclass == NULL) {
1044 return ldb_operr(ldb);
1047 old_sd = ldb_msg_find_ldb_val(current_res->msgs[0], "nTSecurityDescriptor");
1048 if (old_sd == NULL) {
1049 return ldb_operr(ldb);
1052 if (sd_propagation_control != NULL) {
1054 * This just triggers a recalculation of the
1060 sd = get_new_descriptor(module, current_res->msgs[0]->dn, req,
1061 objectclass, parent_sd,
1062 user_sd, old_sd, sd_flags);
1064 return ldb_operr(ldb);
1066 msg = ldb_msg_copy_shallow(req, req->op.mod.message);
1068 return ldb_oom(ldb);
1070 cmp_ret = data_blob_cmp(old_sd, sd);
1071 if (sd_propagation_control != NULL) {
1074 * The nTSecurityDescriptor is unchanged,
1075 * which means we can stop the processing.
1077 * We mark the control as critical again,
1078 * as we have not processed it, so the caller
1079 * can tell that the descriptor was unchanged.
1081 sd_propagation_control->critical = 1;
1082 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1085 ret = ldb_msg_append_value(msg, "nTSecurityDescriptor",
1086 sd, LDB_FLAG_MOD_REPLACE);
1087 if (ret != LDB_SUCCESS) {
1088 return ldb_oom(ldb);
1090 } else if (cmp_ret != 0) {
1092 struct ldb_dn *nc_root;
1095 ret = dsdb_find_nc_root(ldb,
1097 current_res->msgs[0]->dn,
1099 if (ret != LDB_SUCCESS) {
1100 return ldb_oom(ldb);
1103 status = dsdb_get_extended_dn_guid(current_res->msgs[0]->dn,
1106 if (!NT_STATUS_IS_OK(status)) {
1107 return ldb_operr(ldb);
1111 * Force SD propagation on children of this record
1113 ret = dsdb_module_schedule_sd_propagation(module,
1118 if (ret != LDB_SUCCESS) {
1119 return ldb_operr(ldb);
1121 sd_element->values[0] = *sd;
1123 sd_element->values[0] = *sd;
1126 ret = ldb_build_mod_req(&mod_req, ldb, req,
1132 LDB_REQ_SET_LOCATION(mod_req);
1133 if (ret != LDB_SUCCESS) {
1137 return ldb_next_request(module, mod_req);
1140 static int descriptor_search(struct ldb_module *module, struct ldb_request *req)
1143 struct ldb_context *ldb;
1144 struct ldb_request *down_req;
1145 struct descriptor_context *ac;
1146 bool explicit_sd_flags = false;
1147 uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
1148 bool show_sd = explicit_sd_flags;
1151 ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"))
1157 return ldb_next_request(module, req);
1160 ldb = ldb_module_get_ctx(module);
1161 ac = descriptor_init_context(module, req);
1163 return ldb_operr(ldb);
1165 ac->sd_flags = sd_flags;
1167 ret = ldb_build_search_req_ex(&down_req, ldb, ac,
1168 req->op.search.base,
1169 req->op.search.scope,
1170 req->op.search.tree,
1171 req->op.search.attrs,
1173 ac, descriptor_search_callback,
1175 LDB_REQ_SET_LOCATION(down_req);
1176 if (ret != LDB_SUCCESS) {
1180 return ldb_next_request(ac->module, down_req);
1183 static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
1185 struct ldb_context *ldb = ldb_module_get_ctx(module);
1186 struct ldb_dn *olddn = req->op.rename.olddn;
1187 struct ldb_dn *newdn = req->op.rename.newdn;
1190 /* do not manipulate our control entries */
1191 if (ldb_dn_is_special(req->op.rename.olddn)) {
1192 return ldb_next_request(module, req);
1195 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_rename: %s\n",
1196 ldb_dn_get_linearized(olddn));
1198 if (ldb_dn_compare(olddn, newdn) != 0) {
1199 struct ldb_dn *nc_root;
1202 ret = dsdb_find_nc_root(ldb, req, newdn, &nc_root);
1203 if (ret != LDB_SUCCESS) {
1204 return ldb_oom(ldb);
1207 ret = dsdb_module_guid_by_dn(module,
1211 if (ret == LDB_SUCCESS) {
1213 * Without disturbing any errors if the olddn
1214 * does not exit, force SD propagation on
1215 * this record (get a new inherited SD from
1216 * the potentially new parent
1218 * We don't now the parent guid here,
1219 * but we're not in a hot code path here,
1220 * as the "descriptor" module is located
1221 * above the "repl_meta_data", only
1222 * originating changes are handled here.
1224 * If it turns out to be a problem we may
1225 * search for the new parent guid.
1227 struct GUID parent_guid = { .time_low = 0 };
1229 ret = dsdb_module_schedule_sd_propagation(module,
1234 if (ret != LDB_SUCCESS) {
1235 return ldb_operr(ldb);
1240 return ldb_next_request(module, req);
1243 static void descriptor_changes_parser(TDB_DATA key, TDB_DATA data, void *private_data)
1245 struct descriptor_changes **c_ptr = (struct descriptor_changes **)private_data;
1248 SMB_ASSERT(data.dsize == sizeof(ptr));
1250 memcpy(&ptr, data.dptr, data.dsize);
1252 *c_ptr = talloc_get_type_abort((void *)ptr, struct descriptor_changes);
1255 static void descriptor_object_parser(TDB_DATA key, TDB_DATA data, void *private_data)
1257 SMB_ASSERT(data.dsize == 0);
1260 static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
1261 struct ldb_request *req)
1263 struct descriptor_data *descriptor_private =
1264 talloc_get_type_abort(ldb_module_get_private(module),
1265 struct descriptor_data);
1266 struct descriptor_transaction *t = &descriptor_private->transaction;
1267 struct ldb_context *ldb = ldb_module_get_ctx(module);
1268 struct dsdb_extended_sec_desc_propagation_op *op;
1269 struct descriptor_changes *c = NULL;
1273 op = talloc_get_type(req->op.extended.data,
1274 struct dsdb_extended_sec_desc_propagation_op);
1276 ldb_debug(ldb, LDB_DEBUG_FATAL,
1277 "descriptor_extended_sec_desc_propagation: "
1278 "invalid extended data\n");
1279 return LDB_ERR_PROTOCOL_ERROR;
1282 if (t->mem == NULL) {
1283 return ldb_module_operr(module);
1286 if (GUID_equal(&op->parent_guid, &op->guid)) {
1288 * This is an unexpected situation,
1289 * it should never happen!
1291 DBG_ERR("ERROR: Object %s is its own parent (nc_root=%s)\n",
1292 GUID_string(t->mem, &op->guid),
1293 ldb_dn_get_extended_linearized(t->mem, op->nc_root, 1));
1294 return ldb_module_operr(module);
1298 * First we check if we already have an registration
1299 * for the given object.
1302 key = make_tdb_data((const void*)&op->guid, sizeof(op->guid));
1303 status = dbwrap_parse_record(t->changes.map, key,
1304 descriptor_changes_parser, &c);
1305 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
1307 status = NT_STATUS_OK;
1309 if (!NT_STATUS_IS_OK(status)) {
1310 ldb_debug(ldb, LDB_DEBUG_FATAL,
1311 "dbwrap_parse_record() - %s\n",
1313 return ldb_module_operr(module);
1318 * Create a new structure if we
1319 * don't know about the object yet.
1322 c = talloc_zero(t->mem, struct descriptor_changes);
1324 return ldb_module_oom(module);
1326 c->nc_root = ldb_dn_copy(c, op->nc_root);
1327 if (c->nc_root == NULL) {
1328 return ldb_module_oom(module);
1333 if (ldb_dn_compare(c->nc_root, op->nc_root) != 0) {
1335 * This is an unexpected situation,
1336 * we don't expect the nc root to change
1337 * during a replication cycle.
1339 DBG_ERR("ERROR: Object %s nc_root changed %s => %s\n",
1340 GUID_string(c, &c->guid),
1341 ldb_dn_get_extended_linearized(c, c->nc_root, 1),
1342 ldb_dn_get_extended_linearized(c, op->nc_root, 1));
1343 return ldb_module_operr(module);
1349 * always use the last known parent_guid.
1351 c->parent_guid = op->parent_guid;
1354 * Note that we only set, but don't clear values here,
1355 * it means c->force_self and c->force_children can
1356 * both be true in the end.
1358 if (op->include_self) {
1359 c->force_self = true;
1361 c->force_children = true;
1364 if (c->ref_count == 1) {
1365 struct TDB_DATA val = make_tdb_data((const void*)&c, sizeof(c));
1368 * Remember the change by objectGUID in order
1369 * to avoid processing it more than once.
1372 status = dbwrap_store(t->changes.map, key, val, TDB_INSERT);
1373 if (!NT_STATUS_IS_OK(status)) {
1374 ldb_debug(ldb, LDB_DEBUG_FATAL,
1375 "dbwrap_parse_record() - %s\n",
1377 return ldb_module_operr(module);
1380 DLIST_ADD_END(t->changes.list, c);
1381 t->changes.num_registered += 1;
1383 t->changes.num_registrations += 1;
1385 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1388 static int descriptor_extended(struct ldb_module *module, struct ldb_request *req)
1390 if (strcmp(req->op.extended.oid, DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID) == 0) {
1391 return descriptor_extended_sec_desc_propagation(module, req);
1394 return ldb_next_request(module, req);
1397 static int descriptor_init(struct ldb_module *module)
1399 struct ldb_context *ldb = ldb_module_get_ctx(module);
1401 struct descriptor_data *descriptor_private;
1403 ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
1404 if (ret != LDB_SUCCESS) {
1405 ldb_debug(ldb, LDB_DEBUG_ERROR,
1406 "descriptor: Unable to register control with rootdse!\n");
1407 return ldb_operr(ldb);
1410 descriptor_private = talloc_zero(module, struct descriptor_data);
1411 if (descriptor_private == NULL) {
1413 return LDB_ERR_OPERATIONS_ERROR;
1415 ldb_module_set_private(module, descriptor_private);
1417 return ldb_next_init(module);
1420 static int descriptor_sd_propagation_object(struct ldb_module *module,
1421 struct ldb_message *msg,
1424 struct descriptor_data *descriptor_private =
1425 talloc_get_type_abort(ldb_module_get_private(module),
1426 struct descriptor_data);
1427 struct descriptor_transaction *t = &descriptor_private->transaction;
1428 struct ldb_context *ldb = ldb_module_get_ctx(module);
1429 struct ldb_request *sub_req;
1430 struct ldb_result *mod_res;
1431 struct ldb_control *sd_propagation_control;
1435 TDB_DATA empty_val = { .dsize = 0, };
1437 struct descriptor_changes *c = NULL;
1442 * We get the GUID of the object
1443 * in order to have the cache key
1447 status = dsdb_get_extended_dn_guid(msg->dn, &guid, "GUID");
1448 if (!NT_STATUS_IS_OK(status)) {
1449 return ldb_operr(ldb);
1451 key = make_tdb_data((const void*)&guid, sizeof(guid));
1454 * Check if we already processed this object.
1456 status = dbwrap_parse_record(t->objects.map, key,
1457 descriptor_object_parser, NULL);
1458 if (NT_STATUS_IS_OK(status)) {
1460 * All work is already one
1462 t->objects.num_skipped += 1;
1466 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
1467 ldb_debug(ldb, LDB_DEBUG_FATAL,
1468 "dbwrap_parse_record() - %s\n",
1470 return ldb_module_operr(module);
1473 t->objects.num_processed += 1;
1476 * Remember that we're processing this object.
1478 status = dbwrap_store(t->objects.map, key, empty_val, TDB_INSERT);
1479 if (!NT_STATUS_IS_OK(status)) {
1480 ldb_debug(ldb, LDB_DEBUG_FATAL,
1481 "dbwrap_parse_record() - %s\n",
1483 return ldb_module_operr(module);
1487 * Check that if there's a descriptor_change in our list,
1488 * which we may be able to remove from the pending list
1489 * when we processed the object.
1492 status = dbwrap_parse_record(t->changes.map, key, descriptor_changes_parser, &c);
1493 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
1495 status = NT_STATUS_OK;
1497 if (!NT_STATUS_IS_OK(status)) {
1498 ldb_debug(ldb, LDB_DEBUG_FATAL,
1499 "dbwrap_parse_record() - %s\n",
1501 return ldb_module_operr(module);
1504 mod_res = talloc_zero(msg, struct ldb_result);
1505 if (mod_res == NULL) {
1506 return ldb_module_oom(module);
1509 ret = ldb_build_mod_req(&sub_req, ldb, mod_res,
1513 ldb_modify_default_callback,
1515 LDB_REQ_SET_LOCATION(sub_req);
1516 if (ret != LDB_SUCCESS) {
1517 return ldb_module_operr(module);
1520 ldb_req_mark_trusted(sub_req);
1522 ret = ldb_request_add_control(sub_req,
1523 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID,
1525 if (ret != LDB_SUCCESS) {
1526 return ldb_module_operr(module);
1529 sd_propagation_control = ldb_request_get_control(sub_req,
1530 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
1531 if (sd_propagation_control == NULL) {
1532 return ldb_module_operr(module);
1535 ret = dsdb_request_add_controls(sub_req,
1536 DSDB_FLAG_AS_SYSTEM |
1537 DSDB_SEARCH_SHOW_RECYCLED);
1538 if (ret != LDB_SUCCESS) {
1539 return ldb_module_operr(module);
1542 ret = descriptor_modify(module, sub_req);
1543 if (ret == LDB_SUCCESS) {
1544 ret = ldb_wait(sub_req->handle, LDB_WAIT_ALL);
1546 if (ret != LDB_SUCCESS) {
1547 ldb_asprintf_errstring(ldb_module_get_ctx(module),
1548 "descriptor_modify on %s failed: %s",
1549 ldb_dn_get_linearized(msg->dn),
1550 ldb_errstring(ldb_module_get_ctx(module)));
1551 return LDB_ERR_OPERATIONS_ERROR;
1554 if (sd_propagation_control->critical != 0) {
1557 * If we don't have a
1558 * descriptor_changes structure
1562 } else if (!c->force_children) {
1564 * If we don't need to
1565 * propagate to children,
1572 if (c != NULL && !c->force_children) {
1574 * Remove the pending change,
1575 * we already done all required work,
1576 * there's no need to do it again.
1578 * Note DLIST_REMOVE() is a noop
1579 * if the element is not part of
1582 DLIST_REMOVE(t->changes.list, c);
1585 talloc_free(mod_res);
1590 static int descriptor_sd_propagation_msg_sort(struct ldb_message **m1,
1591 struct ldb_message **m2)
1593 struct ldb_dn *dn1 = (*m1)->dn;
1594 struct ldb_dn *dn2 = (*m2)->dn;
1597 * This sorts in tree order, parents first
1599 return ldb_dn_compare(dn2, dn1);
1602 static int descriptor_sd_propagation_recursive(struct ldb_module *module,
1603 struct descriptor_changes *change)
1605 struct descriptor_data *descriptor_private =
1606 talloc_get_type_abort(ldb_module_get_private(module),
1607 struct descriptor_data);
1608 struct descriptor_transaction *t = &descriptor_private->transaction;
1609 struct ldb_result *guid_res = NULL;
1610 struct ldb_result *res = NULL;
1612 const char * const no_attrs[] = { "@__NONE__", NULL };
1613 struct ldb_dn *stopped_dn = NULL;
1614 struct GUID_txt_buf guid_buf;
1618 t->changes.num_processed += 1;
1621 * First confirm this object has children, or exists
1622 * (depending on change->force_self)
1624 * LDB_SCOPE_SUBTREE searches are expensive.
1626 * We know this is safe against a rename race as we are in the
1627 * prepare_commit(), so must be in a transaction.
1630 /* Find the DN by GUID, as this is stable under rename */
1631 ret = dsdb_module_search(module,
1637 DSDB_FLAG_NEXT_MODULE |
1638 DSDB_FLAG_AS_SYSTEM |
1639 DSDB_SEARCH_SHOW_DELETED |
1640 DSDB_SEARCH_SHOW_RECYCLED |
1641 DSDB_SEARCH_SHOW_EXTENDED_DN,
1642 NULL, /* parent_req */
1644 GUID_buf_string(&change->guid,
1647 if (ret != LDB_SUCCESS) {
1651 if (guid_res->count != 1) {
1653 * We were just given this GUID during the same
1654 * transaction, if it is missing this is a big
1657 * Cleanup of tombstones does not trigger this module
1658 * as it just does a delete.
1660 ldb_asprintf_errstring(ldb_module_get_ctx(module),
1661 "failed to find GUID %s under %s "
1662 "for transaction-end SD inheritance: %d results",
1663 GUID_buf_string(&change->guid,
1665 ldb_dn_get_linearized(change->nc_root),
1667 return LDB_ERR_OPERATIONS_ERROR;
1671 * OK, so there was a parent, are there children? Note: that
1672 * this time we do not search for deleted/recycled objects
1674 ret = dsdb_module_search(module,
1677 guid_res->msgs[0]->dn,
1680 DSDB_FLAG_NEXT_MODULE |
1681 DSDB_FLAG_AS_SYSTEM,
1682 NULL, /* parent_req */
1684 if (ret != LDB_SUCCESS) {
1686 * LDB_ERR_NO_SUCH_OBJECT, say if the DN was a deleted
1687 * object, is ignored by the caller
1692 if (res->count == 0 && !change->force_self) {
1693 /* All done, no children */
1699 * First, if we are in force_self mode (eg renamed under new
1700 * parent) then apply the SD to the top object
1702 if (change->force_self) {
1703 ret = descriptor_sd_propagation_object(module,
1706 if (ret != LDB_SUCCESS) {
1707 TALLOC_FREE(guid_res);
1711 if (stop == true && !change->force_children) {
1712 /* There was no change, nothing more to do */
1713 TALLOC_FREE(guid_res);
1717 if (res->count == 0) {
1719 TALLOC_FREE(guid_res);
1727 * Note: that we do not search for deleted/recycled objects
1729 ret = dsdb_module_search(module,
1732 guid_res->msgs[0]->dn,
1735 DSDB_FLAG_NEXT_MODULE |
1736 DSDB_FLAG_AS_SYSTEM |
1737 DSDB_SEARCH_SHOW_EXTENDED_DN,
1738 NULL, /* parent_req */
1740 if (ret != LDB_SUCCESS) {
1744 TYPESAFE_QSORT(res->msgs, res->count,
1745 descriptor_sd_propagation_msg_sort);
1747 /* We start from 1, the top object has been done */
1748 for (i = 1; i < res->count; i++) {
1750 * ldb_dn_compare_base() does not match for NULL but
1753 if (stopped_dn != NULL) {
1754 ret = ldb_dn_compare_base(stopped_dn,
1757 * Skip further processing of this
1764 ret = descriptor_sd_propagation_object(module,
1767 if (ret != LDB_SUCCESS) {
1773 * If this child didn't change, then nothing
1774 * under it needs to change
1776 * res has been sorted into tree order so the
1777 * next few entries can be skipped
1779 stopped_dn = res->msgs[i]->dn;
1787 static int descriptor_start_transaction(struct ldb_module *module)
1789 struct descriptor_data *descriptor_private =
1790 talloc_get_type_abort(ldb_module_get_private(module),
1791 struct descriptor_data);
1792 struct descriptor_transaction *t = &descriptor_private->transaction;
1794 if (t->mem != NULL) {
1795 return ldb_module_operr(module);
1798 *t = (struct descriptor_transaction) { .mem = NULL, };
1799 t->mem = talloc_new(descriptor_private);
1800 if (t->mem == NULL) {
1801 return ldb_module_oom(module);
1803 t->changes.map = db_open_rbt(t->mem);
1804 if (t->changes.map == NULL) {
1805 TALLOC_FREE(t->mem);
1806 *t = (struct descriptor_transaction) { .mem = NULL, };
1807 return ldb_module_oom(module);
1809 t->objects.map = db_open_rbt(t->mem);
1810 if (t->objects.map == NULL) {
1811 TALLOC_FREE(t->mem);
1812 *t = (struct descriptor_transaction) { .mem = NULL, };
1813 return ldb_module_oom(module);
1816 return ldb_next_start_trans(module);
1819 static int descriptor_prepare_commit(struct ldb_module *module)
1821 struct descriptor_data *descriptor_private =
1822 talloc_get_type_abort(ldb_module_get_private(module),
1823 struct descriptor_data);
1824 struct descriptor_transaction *t = &descriptor_private->transaction;
1825 struct ldb_context *ldb = ldb_module_get_ctx(module);
1826 struct descriptor_changes *c, *n;
1829 DBG_NOTICE("changes: num_registrations=%zu\n",
1830 t->changes.num_registrations);
1831 DBG_NOTICE("changes: num_registered=%zu\n",
1832 t->changes.num_registered);
1835 * The security descriptor propagation
1836 * needs to apply the inheritance from
1837 * an object to itself and/or all it's
1840 * In the initial replication during
1841 * a join, we have every object in our
1844 * In order to avoid useless work it's
1845 * better to start with toplevel objects and
1846 * move down to the leaf object from there.
1848 * So if the parent_guid is also in our list,
1849 * we better move the object behind its parent.
1851 * It allows that the recursive processing of
1852 * the parent already does the work needed
1855 * If we have a list for this directory tree:
1863 * The initial list would have the order D, E, B, A, C
1865 * By still processing from the front, we ensure that,
1866 * when D is found to be below C, that E follows because
1867 * we keep peeling items off the front for checking and
1868 * move them behind their parent.
1878 for (c = t->changes.list; c; c = n) {
1879 struct descriptor_changes *pc = NULL;
1882 if (c->sort_count >= t->changes.num_registered) {
1884 * This should never happen, but it's
1885 * a sanity check in order to avoid
1886 * endless loops. Just stop sorting.
1892 * Check if we have the parent also in the list.
1894 if (!GUID_all_zero((const void*)&c->parent_guid)) {
1898 pkey = make_tdb_data((const void*)&c->parent_guid,
1899 sizeof(c->parent_guid));
1901 status = dbwrap_parse_record(t->changes.map, pkey,
1902 descriptor_changes_parser, &pc);
1903 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
1905 status = NT_STATUS_OK;
1907 if (!NT_STATUS_IS_OK(status)) {
1908 ldb_debug(ldb, LDB_DEBUG_FATAL,
1909 "dbwrap_parse_record() - %s\n",
1911 return ldb_module_operr(module);
1917 * There is no parent in the list
1919 t->changes.num_toplevel += 1;
1924 * Move the child after the parent
1926 * Note that we do that multiple times
1927 * in case the parent already moved itself.
1929 * See the comment above the loop.
1931 DLIST_REMOVE(t->changes.list, c);
1932 DLIST_ADD_AFTER(t->changes.list, c, pc);
1935 * Remember how often we moved the object
1936 * in order to avoid endless loops.
1941 DBG_NOTICE("changes: num_toplevel=%zu\n", t->changes.num_toplevel);
1943 while (t->changes.list != NULL) {
1944 c = t->changes.list;
1946 DLIST_REMOVE(t->changes.list, c);
1949 * Note that descriptor_sd_propagation_recursive()
1950 * may also remove other elements of the list,
1951 * so we can't use a next pointer
1953 ret = descriptor_sd_propagation_recursive(module, c);
1954 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
1957 if (ret != LDB_SUCCESS) {
1962 DBG_NOTICE("changes: num_processed=%zu\n", t->changes.num_processed);
1963 DBG_NOTICE("objects: num_processed=%zu\n", t->objects.num_processed);
1964 DBG_NOTICE("objects: num_skipped=%zu\n", t->objects.num_skipped);
1966 return ldb_next_prepare_commit(module);
1969 static int descriptor_end_transaction(struct ldb_module *module)
1971 struct descriptor_data *descriptor_private =
1972 talloc_get_type_abort(ldb_module_get_private(module),
1973 struct descriptor_data);
1974 struct descriptor_transaction *t = &descriptor_private->transaction;
1976 TALLOC_FREE(t->mem);
1977 *t = (struct descriptor_transaction) { .mem = NULL, };
1979 return ldb_next_end_trans(module);
1982 static int descriptor_del_transaction(struct ldb_module *module)
1984 struct descriptor_data *descriptor_private =
1985 talloc_get_type_abort(ldb_module_get_private(module),
1986 struct descriptor_data);
1987 struct descriptor_transaction *t = &descriptor_private->transaction;
1989 TALLOC_FREE(t->mem);
1990 *t = (struct descriptor_transaction) { .mem = NULL, };
1992 return ldb_next_del_trans(module);
1995 static const struct ldb_module_ops ldb_descriptor_module_ops = {
1996 .name = "descriptor",
1997 .search = descriptor_search,
1998 .add = descriptor_add,
1999 .modify = descriptor_modify,
2000 .rename = descriptor_rename,
2001 .init_context = descriptor_init,
2002 .extended = descriptor_extended,
2003 .start_transaction = descriptor_start_transaction,
2004 .prepare_commit = descriptor_prepare_commit,
2005 .end_transaction = descriptor_end_transaction,
2006 .del_transaction = descriptor_del_transaction,
2009 int ldb_descriptor_module_init(const char *version)
2011 LDB_MODULE_CHECK_VERSION(version);
2012 return ldb_register_module(&ldb_descriptor_module_ops);