2 Unix SMB/CIFS implementation.
3 Samba utility functions
5 Copyright (C) Andrew Tridgell 2004
6 Copyright (C) Volker Lendecke 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
8 Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "events/events.h"
27 #include "ldb_module.h"
28 #include "ldb_errors.h"
29 #include "../lib/util/util_ldb.h"
30 #include "../lib/crypto/crypto.h"
31 #include "dsdb/samdb/samdb.h"
32 #include "libcli/security/security.h"
33 #include "librpc/gen_ndr/ndr_security.h"
34 #include "librpc/gen_ndr/ndr_misc.h"
35 #include "../libds/common/flags.h"
36 #include "dsdb/common/proto.h"
37 #include "libcli/ldap/ldap_ndr.h"
38 #include "param/param.h"
39 #include "libcli/auth/libcli_auth.h"
40 #include "librpc/gen_ndr/ndr_drsblobs.h"
41 #include "system/locale.h"
42 #include "lib/util/tsort.h"
43 #include "dsdb/common/util.h"
44 #include "lib/socket/socket.h"
45 #include "dsdb/samdb/ldb_modules/util.h"
48 search the sam for the specified attributes in a specific domain, filter on
49 objectSid being in domain_sid.
51 int samdb_search_domain(struct ldb_context *sam_ldb,
53 struct ldb_dn *basedn,
54 struct ldb_message ***res,
55 const char * const *attrs,
56 const struct dom_sid *domain_sid,
57 const char *format, ...) _PRINTF_ATTRIBUTE(7,8)
63 count = gendb_search_v(sam_ldb, mem_ctx, basedn,
64 res, attrs, format, ap);
70 struct dom_sid *entry_sid;
72 entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i], "objectSid");
74 if ((entry_sid == NULL) ||
75 (!dom_sid_in_domain(domain_sid, entry_sid))) {
76 /* Delete that entry from the result set */
77 (*res)[i] = (*res)[count-1];
79 talloc_free(entry_sid);
82 talloc_free(entry_sid);
90 search the sam for a single string attribute in exactly 1 record
92 const char *samdb_search_string_v(struct ldb_context *sam_ldb,
94 struct ldb_dn *basedn,
95 const char *attr_name,
96 const char *format, va_list ap) _PRINTF_ATTRIBUTE(5,0)
99 const char *attrs[2] = { NULL, NULL };
100 struct ldb_message **res = NULL;
102 attrs[0] = attr_name;
104 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
106 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
107 attr_name, format, count));
114 return samdb_result_string(res[0], attr_name, NULL);
118 search the sam for a single string attribute in exactly 1 record
120 const char *samdb_search_string(struct ldb_context *sam_ldb,
122 struct ldb_dn *basedn,
123 const char *attr_name,
124 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
129 va_start(ap, format);
130 str = samdb_search_string_v(sam_ldb, mem_ctx, basedn, attr_name, format, ap);
136 struct ldb_dn *samdb_search_dn(struct ldb_context *sam_ldb,
138 struct ldb_dn *basedn,
139 const char *format, ...) _PRINTF_ATTRIBUTE(4,5)
143 struct ldb_message **res = NULL;
146 va_start(ap, format);
147 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, NULL, format, ap);
150 if (count != 1) return NULL;
152 ret = talloc_steal(mem_ctx, res[0]->dn);
159 search the sam for a dom_sid attribute in exactly 1 record
161 struct dom_sid *samdb_search_dom_sid(struct ldb_context *sam_ldb,
163 struct ldb_dn *basedn,
164 const char *attr_name,
165 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
169 struct ldb_message **res;
170 const char *attrs[2] = { NULL, NULL };
173 attrs[0] = attr_name;
175 va_start(ap, format);
176 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
179 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
180 attr_name, format, count));
186 sid = samdb_result_dom_sid(mem_ctx, res[0], attr_name);
192 return the count of the number of records in the sam matching the query
194 int samdb_search_count(struct ldb_context *sam_ldb,
195 struct ldb_dn *basedn,
196 const char *format, ...) _PRINTF_ATTRIBUTE(3,4)
199 struct ldb_message **res;
200 const char *attrs[] = { NULL };
202 TALLOC_CTX *tmp_ctx = talloc_new(sam_ldb);
204 va_start(ap, format);
205 ret = gendb_search_v(sam_ldb, tmp_ctx, basedn, &res, attrs, format, ap);
207 talloc_free(tmp_ctx);
214 search the sam for a single integer attribute in exactly 1 record
216 unsigned int samdb_search_uint(struct ldb_context *sam_ldb,
218 unsigned int default_value,
219 struct ldb_dn *basedn,
220 const char *attr_name,
221 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
225 struct ldb_message **res;
226 const char *attrs[2] = { NULL, NULL };
228 attrs[0] = attr_name;
230 va_start(ap, format);
231 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
235 return default_value;
238 return samdb_result_uint(res[0], attr_name, default_value);
242 search the sam for a single signed 64 bit integer attribute in exactly 1 record
244 int64_t samdb_search_int64(struct ldb_context *sam_ldb,
246 int64_t default_value,
247 struct ldb_dn *basedn,
248 const char *attr_name,
249 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
253 struct ldb_message **res;
254 const char *attrs[2] = { NULL, NULL };
256 attrs[0] = attr_name;
258 va_start(ap, format);
259 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
263 return default_value;
266 return samdb_result_int64(res[0], attr_name, default_value);
270 search the sam for multipe records each giving a single string attribute
271 return the number of matches, or -1 on error
273 int samdb_search_string_multiple(struct ldb_context *sam_ldb,
275 struct ldb_dn *basedn,
277 const char *attr_name,
278 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
282 const char *attrs[2] = { NULL, NULL };
283 struct ldb_message **res = NULL;
285 attrs[0] = attr_name;
287 va_start(ap, format);
288 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
295 /* make sure its single valued */
296 for (i=0;i<count;i++) {
297 if (res[i]->num_elements != 1) {
298 DEBUG(1,("samdb: search for %s %s not single valued\n",
305 *strs = talloc_array(mem_ctx, const char *, count+1);
311 for (i=0;i<count;i++) {
312 (*strs)[i] = samdb_result_string(res[i], attr_name, NULL);
314 (*strs)[count] = NULL;
320 pull a uint from a result set.
322 unsigned int samdb_result_uint(const struct ldb_message *msg, const char *attr, unsigned int default_value)
324 return ldb_msg_find_attr_as_uint(msg, attr, default_value);
328 pull a (signed) int64 from a result set.
330 int64_t samdb_result_int64(const struct ldb_message *msg, const char *attr, int64_t default_value)
332 return ldb_msg_find_attr_as_int64(msg, attr, default_value);
336 pull a string from a result set.
338 const char *samdb_result_string(const struct ldb_message *msg, const char *attr,
339 const char *default_value)
341 return ldb_msg_find_attr_as_string(msg, attr, default_value);
344 struct ldb_dn *samdb_result_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
345 const char *attr, struct ldb_dn *default_value)
347 struct ldb_dn *ret_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, msg, attr);
349 return default_value;
355 pull a rid from a objectSid in a result set.
357 uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
358 const char *attr, uint32_t default_value)
363 sid = samdb_result_dom_sid(mem_ctx, msg, attr);
365 return default_value;
367 rid = sid->sub_auths[sid->num_auths-1];
373 pull a dom_sid structure from a objectSid in a result set.
375 struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
378 const struct ldb_val *v;
380 enum ndr_err_code ndr_err;
381 v = ldb_msg_find_ldb_val(msg, attr);
385 sid = talloc(mem_ctx, struct dom_sid);
389 ndr_err = ndr_pull_struct_blob(v, sid, sid,
390 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
391 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
399 pull a guid structure from a objectGUID in a result set.
401 struct GUID samdb_result_guid(const struct ldb_message *msg, const char *attr)
403 const struct ldb_val *v;
407 v = ldb_msg_find_ldb_val(msg, attr);
408 if (!v) return GUID_zero();
410 status = GUID_from_ndr_blob(v, &guid);
411 if (!NT_STATUS_IS_OK(status)) {
419 pull a sid prefix from a objectSid in a result set.
420 this is used to find the domain sid for a user
422 struct dom_sid *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
425 struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg, attr);
426 if (!sid || sid->num_auths < 1) return NULL;
432 pull a NTTIME in a result set.
434 NTTIME samdb_result_nttime(const struct ldb_message *msg, const char *attr,
435 NTTIME default_value)
437 return ldb_msg_find_attr_as_uint64(msg, attr, default_value);
441 * Windows stores 0 for lastLogoff.
442 * But when a MS DC return the lastLogoff (as Logoff Time)
443 * it returns 0x7FFFFFFFFFFFFFFF, not returning this value in this case
444 * cause windows 2008 and newer version to fail for SMB requests
446 NTTIME samdb_result_last_logoff(const struct ldb_message *msg)
448 NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "lastLogoff",0);
451 ret = 0x7FFFFFFFFFFFFFFFULL;
457 * Windows uses both 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFFULL) to
458 * indicate an account doesn't expire.
460 * When Windows initially creates an account, it sets
461 * accountExpires = 9223372036854775807 (0x7FFFFFFFFFFFFFFF). However,
462 * when changing from an account having a specific expiration date to
463 * that account never expiring, it sets accountExpires = 0.
465 * Consolidate that logic here to allow clearer logic for account expiry in
466 * the rest of the code.
468 NTTIME samdb_result_account_expires(const struct ldb_message *msg)
470 NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "accountExpires",
474 ret = 0x7FFFFFFFFFFFFFFFULL;
480 pull a uint64_t from a result set.
482 uint64_t samdb_result_uint64(const struct ldb_message *msg, const char *attr,
483 uint64_t default_value)
485 return ldb_msg_find_attr_as_uint64(msg, attr, default_value);
490 construct the allow_password_change field from the PwdLastSet attribute and the
491 domain password settings
493 NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb,
495 struct ldb_dn *domain_dn,
496 struct ldb_message *msg,
499 uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
502 if (attr_time == 0) {
506 minPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, "minPwdAge", NULL);
508 /* yes, this is a -= not a += as minPwdAge is stored as the negative
509 of the number of 100-nano-seconds */
510 attr_time -= minPwdAge;
516 construct the force_password_change field from the PwdLastSet
517 attribute, the userAccountControl and the domain password settings
519 NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
521 struct ldb_dn *domain_dn,
522 struct ldb_message *msg)
524 int64_t attr_time = samdb_result_int64(msg, "pwdLastSet", 0);
525 uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg,
526 "userAccountControl",
530 /* Machine accounts don't expire, and there is a flag for 'no expiry' */
531 if (!(userAccountControl & UF_NORMAL_ACCOUNT)
532 || (userAccountControl & UF_DONT_EXPIRE_PASSWD)) {
533 return 0x7FFFFFFFFFFFFFFFULL;
536 if (attr_time == 0) {
539 if (attr_time == -1) {
540 return 0x7FFFFFFFFFFFFFFFULL;
543 maxPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn,
545 if (maxPwdAge == 0) {
546 return 0x7FFFFFFFFFFFFFFFULL;
548 attr_time -= maxPwdAge;
555 pull a samr_Password structutre from a result set.
557 struct samr_Password *samdb_result_hash(TALLOC_CTX *mem_ctx, const struct ldb_message *msg, const char *attr)
559 struct samr_Password *hash = NULL;
560 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
561 if (val && (val->length >= sizeof(hash->hash))) {
562 hash = talloc(mem_ctx, struct samr_Password);
563 memcpy(hash->hash, val->data, MIN(val->length, sizeof(hash->hash)));
569 pull an array of samr_Password structures from a result set.
571 unsigned int samdb_result_hashes(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
572 const char *attr, struct samr_Password **hashes)
574 unsigned int count, i;
575 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
581 count = val->length / 16;
586 *hashes = talloc_array(mem_ctx, struct samr_Password, count);
591 for (i=0;i<count;i++) {
592 memcpy((*hashes)[i].hash, (i*16)+(char *)val->data, 16);
598 NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct ldb_message *msg,
599 struct samr_Password **lm_pwd, struct samr_Password **nt_pwd)
601 struct samr_Password *lmPwdHash, *ntPwdHash;
604 num_nt = samdb_result_hashes(mem_ctx, msg, "unicodePwd", &ntPwdHash);
607 } else if (num_nt > 1) {
608 return NT_STATUS_INTERNAL_DB_CORRUPTION;
610 *nt_pwd = &ntPwdHash[0];
614 /* Ensure that if we have turned off LM
615 * authentication, that we never use the LM hash, even
617 if (lpcfg_lanman_auth(lp_ctx)) {
619 num_lm = samdb_result_hashes(mem_ctx, msg, "dBCSPwd", &lmPwdHash);
622 } else if (num_lm > 1) {
623 return NT_STATUS_INTERNAL_DB_CORRUPTION;
625 *lm_pwd = &lmPwdHash[0];
635 pull a samr_LogonHours structutre from a result set.
637 struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr)
639 struct samr_LogonHours hours;
640 size_t units_per_week = 168;
641 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
646 units_per_week = val->length * 8;
649 hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week/8);
653 hours.units_per_week = units_per_week;
654 memset(hours.bits, 0xFF, units_per_week/8);
656 memcpy(hours.bits, val->data, val->length);
663 pull a set of account_flags from a result set.
665 This requires that the attributes:
670 uint32_t samdb_result_acct_flags(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
671 struct ldb_message *msg, struct ldb_dn *domain_dn)
673 uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
674 uint32_t acct_flags = ds_uf2acb(userAccountControl);
675 NTTIME must_change_time;
678 must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
681 /* Test account expire time */
682 unix_to_nt_time(&now, time(NULL));
683 /* check for expired password */
684 if (must_change_time < now) {
685 acct_flags |= ACB_PW_EXPIRED;
690 struct lsa_BinaryString samdb_result_parameters(TALLOC_CTX *mem_ctx,
691 struct ldb_message *msg,
694 struct lsa_BinaryString s;
695 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
703 s.array = talloc_array(mem_ctx, uint16_t, val->length/2);
707 s.length = s.size = val->length;
708 memcpy(s.array, val->data, val->length);
713 /* Find an attribute, with a particular value */
715 /* The current callers of this function expect a very specific
716 * behaviour: In particular, objectClass subclass equivilance is not
717 * wanted. This means that we should not lookup the schema for the
718 * comparison function */
719 struct ldb_message_element *samdb_find_attribute(struct ldb_context *ldb,
720 const struct ldb_message *msg,
721 const char *name, const char *value)
724 struct ldb_message_element *el = ldb_msg_find_element(msg, name);
730 for (i=0;i<el->num_values;i++) {
731 if (ldb_attr_cmp(value, (char *)el->values[i].data) == 0) {
740 * This is intended for use by the "password hash" module since there
741 * password changes can be specified through one message element with the
742 * new password (to set) and another one with the old password (to unset).
744 * The first which sets a password (new value) can have flags
745 * (LDB_FLAG_MOD_ADD, LDB_FLAG_MOD_REPLACE) but also none (on "add" operations
746 * for entries). The latter (old value) has always specified
747 * LDB_FLAG_MOD_DELETE.
749 * Returns LDB_ERR_NO_SUCH_ATTRIBUTE if the attribute which should be deleted
750 * doesn't contain only one value (this is the Windows Server behaviour)
751 * otherwise LDB_SUCCESS.
753 int samdb_msg_find_old_and_new_ldb_val(const struct ldb_message *msg,
755 const struct ldb_val **new_val,
756 const struct ldb_val **old_val)
767 for (i = 0; i < msg->num_elements; i++) {
768 if (ldb_attr_cmp(msg->elements[i].name, name) == 0) {
769 if (msg->elements[i].flags == LDB_FLAG_MOD_DELETE) {
770 *old_val = &msg->elements[i].values[0];
772 *new_val = &msg->elements[i].values[0];
780 int samdb_find_or_add_value(struct ldb_context *ldb, struct ldb_message *msg, const char *name, const char *set_value)
782 if (samdb_find_attribute(ldb, msg, name, set_value) == NULL) {
783 return samdb_msg_add_string(ldb, msg, msg, name, set_value);
788 int samdb_find_or_add_attribute(struct ldb_context *ldb, struct ldb_message *msg, const char *name, const char *set_value)
790 struct ldb_message_element *el;
792 el = ldb_msg_find_element(msg, name);
797 return samdb_msg_add_string(ldb, msg, msg, name, set_value);
803 add a string element to a message
805 int samdb_msg_add_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
806 const char *attr_name, const char *str)
808 char *s = talloc_strdup(mem_ctx, str);
809 char *a = talloc_strdup(mem_ctx, attr_name);
810 if (s == NULL || a == NULL) {
811 return ldb_oom(sam_ldb);
813 return ldb_msg_add_string(msg, a, s);
817 add a dom_sid element to a message
819 int samdb_msg_add_dom_sid(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
820 const char *attr_name, struct dom_sid *sid)
823 enum ndr_err_code ndr_err;
825 ndr_err = ndr_push_struct_blob(&v, mem_ctx,
827 (ndr_push_flags_fn_t)ndr_push_dom_sid);
828 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
829 return ldb_operr(sam_ldb);
831 return ldb_msg_add_value(msg, attr_name, &v, NULL);
836 add a delete element operation to a message
838 int samdb_msg_add_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
839 const char *attr_name)
841 /* we use an empty replace rather than a delete, as it allows for
842 dsdb_replace() to be used everywhere */
843 return ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_REPLACE, NULL);
847 add an add attribute value to a message or enhance an existing attribute
848 which has the same name and the add flag set.
850 int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
851 struct ldb_message *msg, const char *attr_name,
854 struct ldb_message_element *el;
855 struct ldb_val val, *vals;
861 v = talloc_strdup(mem_ctx, value);
863 return ldb_oom(sam_ldb);
866 val.data = (uint8_t *) v;
867 val.length = strlen(v);
869 if (val.length == 0) {
870 /* allow empty strings as non-existent attributes */
874 for (i = 0; i < msg->num_elements; i++) {
875 el = &msg->elements[i];
876 if ((ldb_attr_cmp(el->name, attr_name) == 0) &&
877 (el->flags == LDB_FLAG_MOD_ADD)) {
883 ret = ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_ADD,
885 if (ret != LDB_SUCCESS) {
890 vals = talloc_realloc(msg, el->values, struct ldb_val,
893 return ldb_oom(sam_ldb);
896 el->values[el->num_values] = val;
903 add a delete attribute value to a message or enhance an existing attribute
904 which has the same name and the delete flag set.
906 int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
907 struct ldb_message *msg, const char *attr_name,
910 struct ldb_message_element *el;
911 struct ldb_val val, *vals;
917 v = talloc_strdup(mem_ctx, value);
919 return ldb_oom(sam_ldb);
922 val.data = (uint8_t *) v;
923 val.length = strlen(v);
925 if (val.length == 0) {
926 /* allow empty strings as non-existent attributes */
930 for (i = 0; i < msg->num_elements; i++) {
931 el = &msg->elements[i];
932 if ((ldb_attr_cmp(el->name, attr_name) == 0) &&
933 (el->flags == LDB_FLAG_MOD_DELETE)) {
939 ret = ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_DELETE,
941 if (ret != LDB_SUCCESS) {
946 vals = talloc_realloc(msg, el->values, struct ldb_val,
949 return ldb_oom(sam_ldb);
952 el->values[el->num_values] = val;
959 add a int element to a message
961 int samdb_msg_add_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
962 const char *attr_name, int v)
964 const char *s = talloc_asprintf(mem_ctx, "%d", v);
965 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
969 add a unsigned int element to a message
971 int samdb_msg_add_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
972 const char *attr_name, unsigned int v)
974 return samdb_msg_add_int(sam_ldb, mem_ctx, msg, attr_name, (int)v);
978 add a (signed) int64_t element to a message
980 int samdb_msg_add_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
981 const char *attr_name, int64_t v)
983 const char *s = talloc_asprintf(mem_ctx, "%lld", (long long)v);
984 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
988 add a uint64_t element to a message
990 int samdb_msg_add_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
991 const char *attr_name, uint64_t v)
993 return samdb_msg_add_int64(sam_ldb, mem_ctx, msg, attr_name, (int64_t)v);
997 add a samr_Password element to a message
999 int samdb_msg_add_hash(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1000 const char *attr_name, struct samr_Password *hash)
1003 val.data = talloc_memdup(mem_ctx, hash->hash, 16);
1005 return ldb_oom(sam_ldb);
1008 return ldb_msg_add_value(msg, attr_name, &val, NULL);
1012 add a samr_Password array to a message
1014 int samdb_msg_add_hashes(struct ldb_context *ldb,
1015 TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1016 const char *attr_name, struct samr_Password *hashes,
1021 val.data = talloc_array_size(mem_ctx, 16, count);
1022 val.length = count*16;
1024 return ldb_oom(ldb);
1026 for (i=0;i<count;i++) {
1027 memcpy(i*16 + (char *)val.data, hashes[i].hash, 16);
1029 return ldb_msg_add_value(msg, attr_name, &val, NULL);
1033 add a acct_flags element to a message
1035 int samdb_msg_add_acct_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1036 const char *attr_name, uint32_t v)
1038 return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, ds_acb2uf(v));
1042 add a logon_hours element to a message
1044 int samdb_msg_add_logon_hours(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1045 const char *attr_name, struct samr_LogonHours *hours)
1048 val.length = hours->units_per_week / 8;
1049 val.data = hours->bits;
1050 return ldb_msg_add_value(msg, attr_name, &val, NULL);
1054 add a parameters element to a message
1056 int samdb_msg_add_parameters(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1057 const char *attr_name, struct lsa_BinaryString *parameters)
1060 val.length = parameters->length;
1061 val.data = (uint8_t *)parameters->array;
1062 return ldb_msg_add_value(msg, attr_name, &val, NULL);
1065 add a general value element to a message
1067 int samdb_msg_add_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1068 const char *attr_name, const struct ldb_val *val)
1070 return ldb_msg_add_value(msg, attr_name, val, NULL);
1074 sets a general value element to a message
1076 int samdb_msg_set_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1077 const char *attr_name, const struct ldb_val *val)
1079 struct ldb_message_element *el;
1081 el = ldb_msg_find_element(msg, attr_name);
1085 return ldb_msg_add_value(msg, attr_name, val, NULL);
1089 set a string element in a message
1091 int samdb_msg_set_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1092 const char *attr_name, const char *str)
1094 struct ldb_message_element *el;
1096 el = ldb_msg_find_element(msg, attr_name);
1100 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, str);
1104 * Handle ldb_request in transaction
1106 static int dsdb_autotransaction_request(struct ldb_context *sam_ldb,
1107 struct ldb_request *req)
1111 ret = ldb_transaction_start(sam_ldb);
1112 if (ret != LDB_SUCCESS) {
1116 ret = ldb_request(sam_ldb, req);
1117 if (ret == LDB_SUCCESS) {
1118 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
1121 if (ret == LDB_SUCCESS) {
1122 return ldb_transaction_commit(sam_ldb);
1124 ldb_transaction_cancel(sam_ldb);
1130 return a default security descriptor
1132 struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ctx)
1134 struct security_descriptor *sd;
1136 sd = security_descriptor_initialise(mem_ctx);
1141 struct ldb_dn *samdb_aggregate_schema_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1143 struct ldb_dn *schema_dn = ldb_get_schema_basedn(sam_ctx);
1144 struct ldb_dn *aggregate_dn;
1149 aggregate_dn = ldb_dn_copy(mem_ctx, schema_dn);
1150 if (!aggregate_dn) {
1153 if (!ldb_dn_add_child_fmt(aggregate_dn, "CN=Aggregate")) {
1156 return aggregate_dn;
1159 struct ldb_dn *samdb_partitions_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1161 struct ldb_dn *new_dn;
1163 new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx));
1164 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Partitions")) {
1165 talloc_free(new_dn);
1171 struct ldb_dn *samdb_infrastructure_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1173 struct ldb_dn *new_dn;
1175 new_dn = ldb_dn_copy(mem_ctx, ldb_get_default_basedn(sam_ctx));
1176 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Infrastructure")) {
1177 talloc_free(new_dn);
1183 struct ldb_dn *samdb_sites_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1185 struct ldb_dn *new_dn;
1187 new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx));
1188 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Sites")) {
1189 talloc_free(new_dn);
1196 work out the domain sid for the current open ldb
1198 const struct dom_sid *samdb_domain_sid(struct ldb_context *ldb)
1200 TALLOC_CTX *tmp_ctx;
1201 const struct dom_sid *domain_sid;
1202 const char *attrs[] = {
1206 struct ldb_result *res;
1209 /* see if we have a cached copy */
1210 domain_sid = (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
1215 tmp_ctx = talloc_new(ldb);
1216 if (tmp_ctx == NULL) {
1220 ret = ldb_search(ldb, tmp_ctx, &res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, attrs, "objectSid=*");
1222 if (ret != LDB_SUCCESS) {
1226 if (res->count != 1) {
1230 domain_sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
1231 if (domain_sid == NULL) {
1235 /* cache the domain_sid in the ldb */
1236 if (ldb_set_opaque(ldb, "cache.domain_sid", discard_const_p(struct dom_sid, domain_sid)) != LDB_SUCCESS) {
1240 talloc_steal(ldb, domain_sid);
1241 talloc_free(tmp_ctx);
1246 talloc_free(tmp_ctx);
1251 get domain sid from cache
1253 const struct dom_sid *samdb_domain_sid_cache_only(struct ldb_context *ldb)
1255 return (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
1258 bool samdb_set_domain_sid(struct ldb_context *ldb, const struct dom_sid *dom_sid_in)
1260 TALLOC_CTX *tmp_ctx;
1261 struct dom_sid *dom_sid_new;
1262 struct dom_sid *dom_sid_old;
1264 /* see if we have a cached copy */
1265 dom_sid_old = talloc_get_type(ldb_get_opaque(ldb,
1266 "cache.domain_sid"), struct dom_sid);
1268 tmp_ctx = talloc_new(ldb);
1269 if (tmp_ctx == NULL) {
1273 dom_sid_new = dom_sid_dup(tmp_ctx, dom_sid_in);
1278 /* cache the domain_sid in the ldb */
1279 if (ldb_set_opaque(ldb, "cache.domain_sid", dom_sid_new) != LDB_SUCCESS) {
1283 talloc_steal(ldb, dom_sid_new);
1284 talloc_free(tmp_ctx);
1285 talloc_free(dom_sid_old);
1290 DEBUG(1,("Failed to set our own cached domain SID in the ldb!\n"));
1291 talloc_free(tmp_ctx);
1295 bool samdb_set_ntds_settings_dn(struct ldb_context *ldb, struct ldb_dn *ntds_settings_dn_in)
1297 TALLOC_CTX *tmp_ctx;
1298 struct ldb_dn *ntds_settings_dn_new;
1299 struct ldb_dn *ntds_settings_dn_old;
1301 /* see if we have a cached copy */
1302 ntds_settings_dn_old = talloc_get_type(ldb_get_opaque(ldb,
1303 "cache.ntds_settings_dn"), struct ldb_dn);
1305 tmp_ctx = talloc_new(ldb);
1306 if (tmp_ctx == NULL) {
1310 ntds_settings_dn_new = ldb_dn_copy(tmp_ctx, ntds_settings_dn_in);
1311 if (!ntds_settings_dn_new) {
1315 /* cache the domain_sid in the ldb */
1316 if (ldb_set_opaque(ldb, "cache.ntds_settings_dn", ntds_settings_dn_new) != LDB_SUCCESS) {
1320 talloc_steal(ldb, ntds_settings_dn_new);
1321 talloc_free(tmp_ctx);
1322 talloc_free(ntds_settings_dn_old);
1327 DEBUG(1,("Failed to set our NTDS Settings DN in the ldb!\n"));
1328 talloc_free(tmp_ctx);
1332 /* Obtain the short name of the flexible single master operator
1333 * (FSMO), such as the PDC Emulator */
1334 const char *samdb_result_fsmo_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
1337 /* Format is cn=NTDS Settings,cn=<NETBIOS name of FSMO>,.... */
1338 struct ldb_dn *fsmo_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, msg, attr);
1339 const struct ldb_val *val = ldb_dn_get_component_val(fsmo_dn, 1);
1340 const char *name = ldb_dn_get_component_name(fsmo_dn, 1);
1342 if (!name || (ldb_attr_cmp(name, "cn") != 0)) {
1343 /* Ensure this matches the format. This gives us a
1344 * bit more confidence that a 'cn' value will be a
1349 return (char *)val->data;
1355 work out the ntds settings dn for the current open ldb
1357 struct ldb_dn *samdb_ntds_settings_dn(struct ldb_context *ldb)
1359 TALLOC_CTX *tmp_ctx;
1360 const char *root_attrs[] = { "dsServiceName", NULL };
1362 struct ldb_result *root_res;
1363 struct ldb_dn *settings_dn;
1365 /* see if we have a cached copy */
1366 settings_dn = (struct ldb_dn *)ldb_get_opaque(ldb, "cache.ntds_settings_dn");
1371 tmp_ctx = talloc_new(ldb);
1372 if (tmp_ctx == NULL) {
1376 ret = ldb_search(ldb, tmp_ctx, &root_res, ldb_dn_new(tmp_ctx, ldb, ""), LDB_SCOPE_BASE, root_attrs, NULL);
1378 DEBUG(1,("Searching for dsServiceName in rootDSE failed: %s\n",
1379 ldb_errstring(ldb)));
1383 if (root_res->count != 1) {
1387 settings_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, root_res->msgs[0], "dsServiceName");
1389 /* cache the domain_sid in the ldb */
1390 if (ldb_set_opaque(ldb, "cache.settings_dn", settings_dn) != LDB_SUCCESS) {
1394 talloc_steal(ldb, settings_dn);
1395 talloc_free(tmp_ctx);
1400 DEBUG(1,("Failed to find our own NTDS Settings DN in the ldb!\n"));
1401 talloc_free(tmp_ctx);
1406 work out the ntds settings invocationId for the current open ldb
1408 const struct GUID *samdb_ntds_invocation_id(struct ldb_context *ldb)
1410 TALLOC_CTX *tmp_ctx;
1411 const char *attrs[] = { "invocationId", NULL };
1413 struct ldb_result *res;
1414 struct GUID *invocation_id;
1416 /* see if we have a cached copy */
1417 invocation_id = (struct GUID *)ldb_get_opaque(ldb, "cache.invocation_id");
1418 if (invocation_id) {
1419 return invocation_id;
1422 tmp_ctx = talloc_new(ldb);
1423 if (tmp_ctx == NULL) {
1427 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
1432 if (res->count != 1) {
1436 invocation_id = talloc(tmp_ctx, struct GUID);
1437 if (!invocation_id) {
1441 *invocation_id = samdb_result_guid(res->msgs[0], "invocationId");
1443 /* cache the domain_sid in the ldb */
1444 if (ldb_set_opaque(ldb, "cache.invocation_id", invocation_id) != LDB_SUCCESS) {
1448 talloc_steal(ldb, invocation_id);
1449 talloc_free(tmp_ctx);
1451 return invocation_id;
1454 DEBUG(1,("Failed to find our own NTDS Settings invocationId in the ldb!\n"));
1455 talloc_free(tmp_ctx);
1459 bool samdb_set_ntds_invocation_id(struct ldb_context *ldb, const struct GUID *invocation_id_in)
1461 TALLOC_CTX *tmp_ctx;
1462 struct GUID *invocation_id_new;
1463 struct GUID *invocation_id_old;
1465 /* see if we have a cached copy */
1466 invocation_id_old = (struct GUID *)ldb_get_opaque(ldb,
1467 "cache.invocation_id");
1469 tmp_ctx = talloc_new(ldb);
1470 if (tmp_ctx == NULL) {
1474 invocation_id_new = talloc(tmp_ctx, struct GUID);
1475 if (!invocation_id_new) {
1479 *invocation_id_new = *invocation_id_in;
1481 /* cache the domain_sid in the ldb */
1482 if (ldb_set_opaque(ldb, "cache.invocation_id", invocation_id_new) != LDB_SUCCESS) {
1486 talloc_steal(ldb, invocation_id_new);
1487 talloc_free(tmp_ctx);
1488 talloc_free(invocation_id_old);
1493 DEBUG(1,("Failed to set our own cached invocationId in the ldb!\n"));
1494 talloc_free(tmp_ctx);
1499 work out the ntds settings objectGUID for the current open ldb
1501 const struct GUID *samdb_ntds_objectGUID(struct ldb_context *ldb)
1503 TALLOC_CTX *tmp_ctx;
1504 const char *attrs[] = { "objectGUID", NULL };
1506 struct ldb_result *res;
1507 struct GUID *ntds_guid;
1509 /* see if we have a cached copy */
1510 ntds_guid = (struct GUID *)ldb_get_opaque(ldb, "cache.ntds_guid");
1515 tmp_ctx = talloc_new(ldb);
1516 if (tmp_ctx == NULL) {
1520 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
1525 if (res->count != 1) {
1529 ntds_guid = talloc(tmp_ctx, struct GUID);
1534 *ntds_guid = samdb_result_guid(res->msgs[0], "objectGUID");
1536 /* cache the domain_sid in the ldb */
1537 if (ldb_set_opaque(ldb, "cache.ntds_guid", ntds_guid) != LDB_SUCCESS) {
1541 talloc_steal(ldb, ntds_guid);
1542 talloc_free(tmp_ctx);
1547 DEBUG(1,("Failed to find our own NTDS Settings objectGUID in the ldb!\n"));
1548 talloc_free(tmp_ctx);
1552 bool samdb_set_ntds_objectGUID(struct ldb_context *ldb, const struct GUID *ntds_guid_in)
1554 TALLOC_CTX *tmp_ctx;
1555 struct GUID *ntds_guid_new;
1556 struct GUID *ntds_guid_old;
1558 /* see if we have a cached copy */
1559 ntds_guid_old = (struct GUID *)ldb_get_opaque(ldb, "cache.ntds_guid");
1561 tmp_ctx = talloc_new(ldb);
1562 if (tmp_ctx == NULL) {
1566 ntds_guid_new = talloc(tmp_ctx, struct GUID);
1567 if (!ntds_guid_new) {
1571 *ntds_guid_new = *ntds_guid_in;
1573 /* cache the domain_sid in the ldb */
1574 if (ldb_set_opaque(ldb, "cache.ntds_guid", ntds_guid_new) != LDB_SUCCESS) {
1578 talloc_steal(ldb, ntds_guid_new);
1579 talloc_free(tmp_ctx);
1580 talloc_free(ntds_guid_old);
1585 DEBUG(1,("Failed to set our own cached invocationId in the ldb!\n"));
1586 talloc_free(tmp_ctx);
1591 work out the server dn for the current open ldb
1593 struct ldb_dn *samdb_server_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1595 return ldb_dn_get_parent(mem_ctx, samdb_ntds_settings_dn(ldb));
1599 work out the server dn for the current open ldb
1601 struct ldb_dn *samdb_server_site_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1603 struct ldb_dn *server_dn;
1604 struct ldb_dn *servers_dn;
1605 struct ldb_dn *server_site_dn;
1607 /* TODO: there must be a saner way to do this!! */
1608 server_dn = samdb_server_dn(ldb, mem_ctx);
1609 if (!server_dn) return NULL;
1611 servers_dn = ldb_dn_get_parent(mem_ctx, server_dn);
1612 talloc_free(server_dn);
1613 if (!servers_dn) return NULL;
1615 server_site_dn = ldb_dn_get_parent(mem_ctx, servers_dn);
1616 talloc_free(servers_dn);
1618 return server_site_dn;
1622 find a 'reference' DN that points at another object
1623 (eg. serverReference, rIDManagerReference etc)
1625 int samdb_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *base,
1626 const char *attribute, struct ldb_dn **dn)
1628 const char *attrs[2];
1629 struct ldb_result *res;
1632 attrs[0] = attribute;
1635 ret = ldb_search(ldb, mem_ctx, &res, base, LDB_SCOPE_BASE, attrs, NULL);
1636 if (ret != LDB_SUCCESS) {
1639 if (res->count != 1) {
1641 return LDB_ERR_NO_SUCH_OBJECT;
1644 *dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0], attribute);
1647 return LDB_ERR_NO_SUCH_ATTRIBUTE;
1655 find our machine account via the serverReference attribute in the
1658 int samdb_server_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1660 struct ldb_dn *server_dn;
1663 server_dn = samdb_server_dn(ldb, mem_ctx);
1664 if (server_dn == NULL) {
1665 return LDB_ERR_NO_SUCH_OBJECT;
1668 ret = samdb_reference_dn(ldb, mem_ctx, server_dn, "serverReference", dn);
1669 talloc_free(server_dn);
1675 find the RID Manager$ DN via the rIDManagerReference attribute in the
1678 int samdb_rid_manager_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1680 return samdb_reference_dn(ldb, mem_ctx, ldb_get_default_basedn(ldb),
1681 "rIDManagerReference", dn);
1685 find the RID Set DN via the rIDSetReferences attribute in our
1688 int samdb_rid_set_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1690 struct ldb_dn *server_ref_dn;
1693 ret = samdb_server_reference_dn(ldb, mem_ctx, &server_ref_dn);
1694 if (ret != LDB_SUCCESS) {
1697 ret = samdb_reference_dn(ldb, mem_ctx, server_ref_dn, "rIDSetReferences", dn);
1698 talloc_free(server_ref_dn);
1702 const char *samdb_server_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1704 const struct ldb_val *val = ldb_dn_get_rdn_val(samdb_server_site_dn(ldb,
1711 return (const char *) val->data;
1715 * Finds the client site by using the client's IP address.
1716 * The "subnet_name" returns the name of the subnet if parameter != NULL
1718 const char *samdb_client_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
1719 const char *ip_address, char **subnet_name)
1721 const char *attrs[] = { "cn", "siteObject", NULL };
1722 struct ldb_dn *sites_container_dn, *subnets_dn, *sites_dn;
1723 struct ldb_result *res;
1724 const struct ldb_val *val;
1725 const char *site_name = NULL, *l_subnet_name = NULL;
1726 const char *allow_list[2] = { NULL, NULL };
1727 unsigned int i, count;
1731 * if we don't have a client ip e.g. ncalrpc
1732 * the server site is the client site
1734 if (ip_address == NULL) {
1735 return samdb_server_site_name(ldb, mem_ctx);
1738 sites_container_dn = samdb_sites_dn(ldb, mem_ctx);
1739 if (sites_container_dn == NULL) {
1743 subnets_dn = ldb_dn_copy(mem_ctx, sites_container_dn);
1744 if ( ! ldb_dn_add_child_fmt(subnets_dn, "CN=Subnets")) {
1745 talloc_free(sites_container_dn);
1746 talloc_free(subnets_dn);
1750 ret = ldb_search(ldb, mem_ctx, &res, subnets_dn, LDB_SCOPE_ONELEVEL,
1752 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
1754 } else if (ret != LDB_SUCCESS) {
1755 talloc_free(sites_container_dn);
1756 talloc_free(subnets_dn);
1762 for (i = 0; i < count; i++) {
1763 l_subnet_name = ldb_msg_find_attr_as_string(res->msgs[i], "cn",
1766 allow_list[0] = l_subnet_name;
1768 if (allow_access(mem_ctx, NULL, allow_list, "", ip_address)) {
1769 sites_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx,
1772 if (sites_dn == NULL) {
1773 /* No reference, maybe another subnet matches */
1777 /* "val" cannot be NULL here since "sites_dn" != NULL */
1778 val = ldb_dn_get_rdn_val(sites_dn);
1779 site_name = talloc_strdup(mem_ctx,
1780 (const char *) val->data);
1782 talloc_free(sites_dn);
1788 if (site_name == NULL) {
1789 /* This is the Windows Server fallback rule: when no subnet
1790 * exists and we have only one site available then use it (it
1791 * is for sure the same as our server site). If more sites do
1792 * exist then we don't know which one to use and set the site
1794 cnt = samdb_search_count(ldb, sites_container_dn,
1795 "(objectClass=site)");
1797 site_name = samdb_server_site_name(ldb, mem_ctx);
1799 site_name = talloc_strdup(mem_ctx, "");
1801 l_subnet_name = NULL;
1804 if (subnet_name != NULL) {
1805 *subnet_name = talloc_strdup(mem_ctx, l_subnet_name);
1808 talloc_free(sites_container_dn);
1809 talloc_free(subnets_dn);
1816 work out if we are the PDC for the domain of the current open ldb
1818 bool samdb_is_pdc(struct ldb_context *ldb)
1820 const char *dom_attrs[] = { "fSMORoleOwner", NULL };
1822 struct ldb_result *dom_res;
1823 TALLOC_CTX *tmp_ctx;
1827 tmp_ctx = talloc_new(ldb);
1828 if (tmp_ctx == NULL) {
1829 DEBUG(1, ("talloc_new failed in samdb_is_pdc"));
1833 ret = ldb_search(ldb, tmp_ctx, &dom_res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, dom_attrs, NULL);
1834 if (ret != LDB_SUCCESS) {
1835 DEBUG(1,("Searching for fSMORoleOwner in %s failed: %s\n",
1836 ldb_dn_get_linearized(ldb_get_default_basedn(ldb)),
1837 ldb_errstring(ldb)));
1840 if (dom_res->count != 1) {
1844 pdc = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, dom_res->msgs[0], "fSMORoleOwner");
1846 if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), pdc) == 0) {
1852 talloc_free(tmp_ctx);
1857 DEBUG(1,("Failed to find if we are the PDC for this ldb\n"));
1858 talloc_free(tmp_ctx);
1863 work out if we are a Global Catalog server for the domain of the current open ldb
1865 bool samdb_is_gc(struct ldb_context *ldb)
1867 const char *attrs[] = { "options", NULL };
1869 struct ldb_result *res;
1870 TALLOC_CTX *tmp_ctx;
1872 tmp_ctx = talloc_new(ldb);
1873 if (tmp_ctx == NULL) {
1874 DEBUG(1, ("talloc_new failed in samdb_is_pdc"));
1878 /* Query cn=ntds settings,.... */
1879 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
1880 if (ret != LDB_SUCCESS) {
1881 talloc_free(tmp_ctx);
1884 if (res->count != 1) {
1885 talloc_free(tmp_ctx);
1889 options = ldb_msg_find_attr_as_int(res->msgs[0], "options", 0);
1890 talloc_free(tmp_ctx);
1892 /* if options attribute has the 0x00000001 flag set, then enable the global catlog */
1893 if (options & 0x000000001) {
1899 /* Find a domain object in the parents of a particular DN. */
1900 int samdb_search_for_parent_domain(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
1901 struct ldb_dn **parent_dn, const char **errstring)
1903 TALLOC_CTX *local_ctx;
1904 struct ldb_dn *sdn = dn;
1905 struct ldb_result *res = NULL;
1906 int ret = LDB_SUCCESS;
1907 const char *attrs[] = { NULL };
1909 local_ctx = talloc_new(mem_ctx);
1910 if (local_ctx == NULL) return ldb_oom(ldb);
1912 while ((sdn = ldb_dn_get_parent(local_ctx, sdn))) {
1913 ret = ldb_search(ldb, local_ctx, &res, sdn, LDB_SCOPE_BASE, attrs,
1914 "(|(objectClass=domain)(objectClass=builtinDomain))");
1915 if (ret == LDB_SUCCESS) {
1916 if (res->count == 1) {
1924 if (ret != LDB_SUCCESS) {
1925 *errstring = talloc_asprintf(mem_ctx, "Error searching for parent domain of %s, failed searching for %s: %s",
1926 ldb_dn_get_linearized(dn),
1927 ldb_dn_get_linearized(sdn),
1928 ldb_errstring(ldb));
1929 talloc_free(local_ctx);
1932 if (res->count != 1) {
1933 *errstring = talloc_asprintf(mem_ctx, "Invalid dn (%s), not child of a domain object",
1934 ldb_dn_get_linearized(dn));
1935 DEBUG(0,(__location__ ": %s\n", *errstring));
1936 talloc_free(local_ctx);
1937 return LDB_ERR_CONSTRAINT_VIOLATION;
1940 *parent_dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
1941 talloc_free(local_ctx);
1947 * Performs checks on a user password (plaintext UNIX format - attribute
1948 * "password"). The remaining parameters have to be extracted from the domain
1951 * Result codes from "enum samr_ValidationStatus" (consider "samr.idl")
1953 enum samr_ValidationStatus samdb_check_password(const DATA_BLOB *password,
1954 const uint32_t pwdProperties,
1955 const uint32_t minPwdLength)
1957 /* checks if the "minPwdLength" property is satisfied */
1958 if (minPwdLength > password->length)
1959 return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
1961 /* checks the password complexity */
1962 if (((pwdProperties & DOMAIN_PASSWORD_COMPLEX) != 0)
1963 && (password->data != NULL)
1964 && (!check_password_quality((const char *) password->data)))
1965 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
1967 return SAMR_VALIDATION_STATUS_SUCCESS;
1971 * Callback for "samdb_set_password" password change
1973 int samdb_set_password_callback(struct ldb_request *req, struct ldb_reply *ares)
1978 return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
1981 if (ares->error != LDB_SUCCESS) {
1983 req->context = talloc_steal(req,
1984 ldb_reply_get_control(ares, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID));
1986 return ldb_request_done(req, ret);
1989 if (ares->type != LDB_REPLY_DONE) {
1991 return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
1994 req->context = talloc_steal(req,
1995 ldb_reply_get_control(ares, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID));
1997 return ldb_request_done(req, LDB_SUCCESS);
2001 * Sets the user password using plaintext UTF16 (attribute "new_password") or
2002 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
2003 * as parameter if it's a user change or not ("userChange"). The "rejectReason"
2004 * gives some more informations if the changed failed.
2006 * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
2007 * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
2008 * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION
2010 NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
2011 struct ldb_dn *user_dn, struct ldb_dn *domain_dn,
2012 const DATA_BLOB *new_password,
2013 struct samr_Password *lmNewHash,
2014 struct samr_Password *ntNewHash,
2016 enum samPwdChangeReason *reject_reason,
2017 struct samr_DomInfo1 **_dominfo)
2019 struct ldb_message *msg;
2020 struct ldb_message_element *el;
2021 struct ldb_request *req;
2022 struct dsdb_control_password_change_status *pwd_stat = NULL;
2024 NTSTATUS status = NT_STATUS_OK;
2026 #define CHECK_RET(x) \
2027 if (x != LDB_SUCCESS) { \
2029 return NT_STATUS_NO_MEMORY; \
2032 msg = ldb_msg_new(mem_ctx);
2034 return NT_STATUS_NO_MEMORY;
2037 if ((new_password != NULL)
2038 && ((lmNewHash == NULL) && (ntNewHash == NULL))) {
2039 /* we have the password as plaintext UTF16 */
2040 CHECK_RET(samdb_msg_add_value(ldb, mem_ctx, msg,
2041 "clearTextPassword", new_password));
2042 el = ldb_msg_find_element(msg, "clearTextPassword");
2043 el->flags = LDB_FLAG_MOD_REPLACE;
2044 } else if ((new_password == NULL)
2045 && ((lmNewHash != NULL) || (ntNewHash != NULL))) {
2046 /* we have a password as LM and/or NT hash */
2047 if (lmNewHash != NULL) {
2048 CHECK_RET(samdb_msg_add_hash(ldb, mem_ctx, msg,
2049 "dBCSPwd", lmNewHash));
2050 el = ldb_msg_find_element(msg, "dBCSPwd");
2051 el->flags = LDB_FLAG_MOD_REPLACE;
2053 if (ntNewHash != NULL) {
2054 CHECK_RET(samdb_msg_add_hash(ldb, mem_ctx, msg,
2055 "unicodePwd", ntNewHash));
2056 el = ldb_msg_find_element(msg, "unicodePwd");
2057 el->flags = LDB_FLAG_MOD_REPLACE;
2060 /* the password wasn't specified correctly */
2062 return NT_STATUS_INVALID_PARAMETER;
2065 /* build modify request */
2066 ret = ldb_build_mod_req(&req, ldb, mem_ctx, msg, NULL, NULL,
2067 samdb_set_password_callback, NULL);
2068 if (ret != LDB_SUCCESS) {
2070 return NT_STATUS_NO_MEMORY;
2074 /* a user password change and we've checked already the old
2075 * password somewhere else (callers responsability) */
2076 ret = ldb_request_add_control(req,
2077 DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID,
2079 if (ret != LDB_SUCCESS) {
2082 return NT_STATUS_NO_MEMORY;
2085 ret = ldb_request_add_control(req,
2086 DSDB_CONTROL_PASSWORD_HASH_VALUES_OID,
2088 if (ret != LDB_SUCCESS) {
2091 return NT_STATUS_NO_MEMORY;
2093 ret = ldb_request_add_control(req,
2094 DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID,
2096 if (ret != LDB_SUCCESS) {
2099 return NT_STATUS_NO_MEMORY;
2102 ret = dsdb_autotransaction_request(ldb, req);
2104 if (req->context != NULL) {
2105 pwd_stat = talloc_steal(mem_ctx,
2106 ((struct ldb_control *)req->context)->data);
2112 /* Sets the domain info (if requested) */
2113 if (_dominfo != NULL) {
2114 struct samr_DomInfo1 *dominfo;
2116 dominfo = talloc_zero(mem_ctx, struct samr_DomInfo1);
2117 if (dominfo == NULL) {
2118 return NT_STATUS_NO_MEMORY;
2121 if (pwd_stat != NULL) {
2122 dominfo->min_password_length = pwd_stat->domain_data.minPwdLength;
2123 dominfo->password_properties = pwd_stat->domain_data.pwdProperties;
2124 dominfo->password_history_length = pwd_stat->domain_data.pwdHistoryLength;
2125 dominfo->max_password_age = pwd_stat->domain_data.maxPwdAge;
2126 dominfo->min_password_age = pwd_stat->domain_data.minPwdAge;
2129 *_dominfo = dominfo;
2132 if (reject_reason != NULL) {
2133 if (pwd_stat != NULL) {
2134 *reject_reason = pwd_stat->reject_reason;
2136 *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
2140 if (pwd_stat != NULL) {
2141 talloc_free(pwd_stat);
2144 if (ret == LDB_ERR_CONSTRAINT_VIOLATION) {
2145 const char *errmsg = ldb_errstring(ldb);
2146 char *endptr = NULL;
2147 WERROR werr = WERR_GENERAL_FAILURE;
2148 status = NT_STATUS_UNSUCCESSFUL;
2149 if (errmsg != NULL) {
2150 werr = W_ERROR(strtol(errmsg, &endptr, 16));
2152 if (endptr != errmsg) {
2153 if (W_ERROR_EQUAL(werr, WERR_INVALID_PASSWORD)) {
2154 status = NT_STATUS_WRONG_PASSWORD;
2156 if (W_ERROR_EQUAL(werr, WERR_PASSWORD_RESTRICTION)) {
2157 status = NT_STATUS_PASSWORD_RESTRICTION;
2160 } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2161 /* don't let the caller know if an account doesn't exist */
2162 status = NT_STATUS_WRONG_PASSWORD;
2163 } else if (ret != LDB_SUCCESS) {
2164 status = NT_STATUS_UNSUCCESSFUL;
2171 * Sets the user password using plaintext UTF16 (attribute "new_password") or
2172 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
2173 * as parameter if it's a user change or not ("userChange"). The "rejectReason"
2174 * gives some more informations if the changed failed.
2176 * This wrapper function for "samdb_set_password" takes a SID as input rather
2179 * This call encapsulates a new LDB transaction for changing the password;
2180 * therefore the user hasn't to start a new one.
2182 * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
2183 * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
2184 * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION
2186 NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
2187 const struct dom_sid *user_sid,
2188 const DATA_BLOB *new_password,
2189 struct samr_Password *lmNewHash,
2190 struct samr_Password *ntNewHash,
2192 enum samPwdChangeReason *reject_reason,
2193 struct samr_DomInfo1 **_dominfo)
2196 struct ldb_dn *user_dn;
2199 ret = ldb_transaction_start(ldb);
2200 if (ret != LDB_SUCCESS) {
2201 DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(ldb)));
2202 return NT_STATUS_TRANSACTION_ABORTED;
2205 user_dn = samdb_search_dn(ldb, mem_ctx, NULL,
2206 "(&(objectSid=%s)(objectClass=user))",
2207 ldap_encode_ndr_dom_sid(mem_ctx, user_sid));
2209 ldb_transaction_cancel(ldb);
2210 DEBUG(3, ("samdb_set_password_sid: SID %s not found in samdb, returning NO_SUCH_USER\n",
2211 dom_sid_string(mem_ctx, user_sid)));
2212 return NT_STATUS_NO_SUCH_USER;
2215 nt_status = samdb_set_password(ldb, mem_ctx,
2218 lmNewHash, ntNewHash,
2220 reject_reason, _dominfo);
2221 if (!NT_STATUS_IS_OK(nt_status)) {
2222 ldb_transaction_cancel(ldb);
2223 talloc_free(user_dn);
2227 ret = ldb_transaction_commit(ldb);
2228 if (ret != LDB_SUCCESS) {
2229 DEBUG(0,("Failed to commit transaction to change password on %s: %s\n",
2230 ldb_dn_get_linearized(user_dn),
2231 ldb_errstring(ldb)));
2232 talloc_free(user_dn);
2233 return NT_STATUS_TRANSACTION_ABORTED;
2236 talloc_free(user_dn);
2237 return NT_STATUS_OK;
2241 NTSTATUS samdb_create_foreign_security_principal(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
2242 struct dom_sid *sid, struct ldb_dn **ret_dn)
2244 struct ldb_message *msg;
2245 struct ldb_dn *basedn;
2249 sidstr = dom_sid_string(mem_ctx, sid);
2250 NT_STATUS_HAVE_NO_MEMORY(sidstr);
2252 /* We might have to create a ForeignSecurityPrincipal, even if this user
2253 * is in our own domain */
2255 msg = ldb_msg_new(sidstr);
2257 talloc_free(sidstr);
2258 return NT_STATUS_NO_MEMORY;
2261 ret = dsdb_wellknown_dn(sam_ctx, sidstr,
2262 ldb_get_default_basedn(sam_ctx),
2263 DS_GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER,
2265 if (ret != LDB_SUCCESS) {
2266 DEBUG(0, ("Failed to find DN for "
2267 "ForeignSecurityPrincipal container - %s\n", ldb_errstring(sam_ctx)));
2268 talloc_free(sidstr);
2269 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2272 /* add core elements to the ldb_message for the alias */
2274 if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s", sidstr)) {
2275 talloc_free(sidstr);
2276 return NT_STATUS_NO_MEMORY;
2279 samdb_msg_add_string(sam_ctx, msg, msg,
2281 "foreignSecurityPrincipal");
2283 /* create the alias */
2284 ret = ldb_add(sam_ctx, msg);
2285 if (ret != LDB_SUCCESS) {
2286 DEBUG(0,("Failed to create foreignSecurityPrincipal "
2288 ldb_dn_get_linearized(msg->dn),
2289 ldb_errstring(sam_ctx)));
2290 talloc_free(sidstr);
2291 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2294 *ret_dn = talloc_steal(mem_ctx, msg->dn);
2295 talloc_free(sidstr);
2297 return NT_STATUS_OK;
2302 Find the DN of a domain, assuming it to be a dotted.dns name
2305 struct ldb_dn *samdb_dns_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const char *dns_domain)
2308 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2309 const char *binary_encoded;
2310 const char **split_realm;
2317 split_realm = (const char **)str_list_make(tmp_ctx, dns_domain, ".");
2319 talloc_free(tmp_ctx);
2322 dn = ldb_dn_new(mem_ctx, ldb, NULL);
2323 for (i=0; split_realm[i]; i++) {
2324 binary_encoded = ldb_binary_encode_string(tmp_ctx, split_realm[i]);
2325 if (!ldb_dn_add_base_fmt(dn, "dc=%s", binary_encoded)) {
2326 DEBUG(2, ("Failed to add dc=%s element to DN %s\n",
2327 binary_encoded, ldb_dn_get_linearized(dn)));
2328 talloc_free(tmp_ctx);
2332 if (!ldb_dn_validate(dn)) {
2333 DEBUG(2, ("Failed to validated DN %s\n",
2334 ldb_dn_get_linearized(dn)));
2335 talloc_free(tmp_ctx);
2338 talloc_free(tmp_ctx);
2343 Find the DN of a domain, be it the netbios or DNS name
2345 struct ldb_dn *samdb_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
2346 const char *domain_name)
2348 const char * const domain_ref_attrs[] = {
2351 const char * const domain_ref2_attrs[] = {
2354 struct ldb_result *res_domain_ref;
2355 char *escaped_domain = ldb_binary_encode_string(mem_ctx, domain_name);
2356 /* find the domain's DN */
2357 int ret_domain = ldb_search(ldb, mem_ctx,
2359 samdb_partitions_dn(ldb, mem_ctx),
2362 "(&(nETBIOSName=%s)(objectclass=crossRef))",
2364 if (ret_domain != LDB_SUCCESS) {
2368 if (res_domain_ref->count == 0) {
2369 ret_domain = ldb_search(ldb, mem_ctx,
2371 samdb_dns_domain_to_dn(ldb, mem_ctx, domain_name),
2374 "(objectclass=domain)");
2375 if (ret_domain != LDB_SUCCESS) {
2379 if (res_domain_ref->count == 1) {
2380 return res_domain_ref->msgs[0]->dn;
2385 if (res_domain_ref->count > 1) {
2386 DEBUG(0,("Found %d records matching domain [%s]\n",
2387 ret_domain, domain_name));
2391 return samdb_result_dn(ldb, mem_ctx, res_domain_ref->msgs[0], "nCName", NULL);
2397 use a GUID to find a DN
2399 int dsdb_find_dn_by_guid(struct ldb_context *ldb,
2400 TALLOC_CTX *mem_ctx,
2401 const struct GUID *guid, struct ldb_dn **dn)
2404 struct ldb_result *res;
2405 const char *attrs[] = { NULL };
2406 char *guid_str = GUID_string(mem_ctx, guid);
2409 return ldb_operr(ldb);
2412 ret = dsdb_search(ldb, mem_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs,
2413 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
2414 DSDB_SEARCH_SHOW_EXTENDED_DN |
2415 DSDB_SEARCH_ONE_ONLY,
2416 "objectGUID=%s", guid_str);
2417 talloc_free(guid_str);
2418 if (ret != LDB_SUCCESS) {
2422 *dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
2429 use a DN to find a GUID with a given attribute name
2431 int dsdb_find_guid_attr_by_dn(struct ldb_context *ldb,
2432 struct ldb_dn *dn, const char *attribute,
2436 struct ldb_result *res;
2437 const char *attrs[2];
2438 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
2440 attrs[0] = attribute;
2443 ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_DELETED);
2444 if (ret != LDB_SUCCESS) {
2445 talloc_free(tmp_ctx);
2448 if (res->count < 1) {
2449 talloc_free(tmp_ctx);
2450 return LDB_ERR_NO_SUCH_OBJECT;
2452 *guid = samdb_result_guid(res->msgs[0], attribute);
2453 talloc_free(tmp_ctx);
2458 use a DN to find a GUID
2460 int dsdb_find_guid_by_dn(struct ldb_context *ldb,
2461 struct ldb_dn *dn, struct GUID *guid)
2463 return dsdb_find_guid_attr_by_dn(ldb, dn, "objectGUID", guid);
2469 adds the given GUID to the given ldb_message. This value is added
2470 for the given attr_name (may be either "objectGUID" or "parentGUID").
2472 int dsdb_msg_add_guid(struct ldb_message *msg,
2474 const char *attr_name)
2479 TALLOC_CTX *tmp_ctx = talloc_init("dsdb_msg_add_guid");
2481 status = GUID_to_ndr_blob(guid, tmp_ctx, &v);
2482 if (!NT_STATUS_IS_OK(status)) {
2483 ret = LDB_ERR_OPERATIONS_ERROR;
2487 ret = ldb_msg_add_steal_value(msg, attr_name, &v);
2488 if (ret != LDB_SUCCESS) {
2489 DEBUG(4,(__location__ ": Failed to add %s to the message\n",
2497 talloc_free(tmp_ctx);
2504 use a DN to find a SID
2506 int dsdb_find_sid_by_dn(struct ldb_context *ldb,
2507 struct ldb_dn *dn, struct dom_sid *sid)
2510 struct ldb_result *res;
2511 const char *attrs[] = { "objectSID", NULL };
2512 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
2517 ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_DELETED);
2518 if (ret != LDB_SUCCESS) {
2519 talloc_free(tmp_ctx);
2522 if (res->count < 1) {
2523 talloc_free(tmp_ctx);
2524 return LDB_ERR_NO_SUCH_OBJECT;
2526 s = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSID");
2528 talloc_free(tmp_ctx);
2529 return LDB_ERR_NO_SUCH_OBJECT;
2532 talloc_free(tmp_ctx);
2537 use a SID to find a DN
2539 int dsdb_find_dn_by_sid(struct ldb_context *ldb,
2540 TALLOC_CTX *mem_ctx,
2541 struct dom_sid *sid, struct ldb_dn **dn)
2544 struct ldb_result *res;
2545 const char *attrs[] = { NULL };
2546 char *sid_str = dom_sid_string(mem_ctx, sid);
2549 return ldb_operr(ldb);
2552 ret = dsdb_search(ldb, mem_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs,
2553 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
2554 DSDB_SEARCH_SHOW_EXTENDED_DN |
2555 DSDB_SEARCH_ONE_ONLY,
2556 "objectSID=%s", sid_str);
2557 talloc_free(sid_str);
2558 if (ret != LDB_SUCCESS) {
2562 *dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
2569 load a repsFromTo blob list for a given partition GUID
2570 attr must be "repsFrom" or "repsTo"
2572 WERROR dsdb_loadreps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
2573 const char *attr, struct repsFromToBlob **r, uint32_t *count)
2575 const char *attrs[] = { attr, NULL };
2576 struct ldb_result *res = NULL;
2577 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2579 struct ldb_message_element *el;
2584 if (ldb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, NULL) != LDB_SUCCESS ||
2586 DEBUG(0,("dsdb_loadreps: failed to read partition object\n"));
2587 talloc_free(tmp_ctx);
2588 return WERR_DS_DRA_INTERNAL_ERROR;
2591 el = ldb_msg_find_element(res->msgs[0], attr);
2593 /* it's OK to be empty */
2594 talloc_free(tmp_ctx);
2598 *count = el->num_values;
2599 *r = talloc_array(mem_ctx, struct repsFromToBlob, *count);
2601 talloc_free(tmp_ctx);
2602 return WERR_DS_DRA_INTERNAL_ERROR;
2605 for (i=0; i<(*count); i++) {
2606 enum ndr_err_code ndr_err;
2607 ndr_err = ndr_pull_struct_blob(&el->values[i],
2610 (ndr_pull_flags_fn_t)ndr_pull_repsFromToBlob);
2611 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2612 talloc_free(tmp_ctx);
2613 return WERR_DS_DRA_INTERNAL_ERROR;
2617 talloc_free(tmp_ctx);
2623 save the repsFromTo blob list for a given partition GUID
2624 attr must be "repsFrom" or "repsTo"
2626 WERROR dsdb_savereps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
2627 const char *attr, struct repsFromToBlob *r, uint32_t count)
2629 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2630 struct ldb_message *msg;
2631 struct ldb_message_element *el;
2634 msg = ldb_msg_new(tmp_ctx);
2636 if (ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_REPLACE, &el) != LDB_SUCCESS) {
2640 el->values = talloc_array(msg, struct ldb_val, count);
2645 for (i=0; i<count; i++) {
2647 enum ndr_err_code ndr_err;
2649 ndr_err = ndr_push_struct_blob(&v, tmp_ctx,
2651 (ndr_push_flags_fn_t)ndr_push_repsFromToBlob);
2652 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2660 if (ldb_modify(sam_ctx, msg) != LDB_SUCCESS) {
2661 DEBUG(0,("Failed to store %s - %s\n", attr, ldb_errstring(sam_ctx)));
2665 talloc_free(tmp_ctx);
2670 talloc_free(tmp_ctx);
2671 return WERR_DS_DRA_INTERNAL_ERROR;
2676 load the uSNHighest and the uSNUrgent attributes from the @REPLCHANGED
2677 object for a partition
2679 int dsdb_load_partition_usn(struct ldb_context *ldb, struct ldb_dn *dn,
2680 uint64_t *uSN, uint64_t *urgent_uSN)
2682 struct ldb_request *req;
2684 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
2685 struct dsdb_control_current_partition *p_ctrl;
2686 struct ldb_result *res;
2688 res = talloc_zero(tmp_ctx, struct ldb_result);
2690 talloc_free(tmp_ctx);
2691 return ldb_oom(ldb);
2694 ret = ldb_build_search_req(&req, ldb, tmp_ctx,
2695 ldb_dn_new(tmp_ctx, ldb, "@REPLCHANGED"),
2699 res, ldb_search_default_callback,
2701 if (ret != LDB_SUCCESS) {
2702 talloc_free(tmp_ctx);
2706 p_ctrl = talloc(req, struct dsdb_control_current_partition);
2707 if (p_ctrl == NULL) {
2708 talloc_free(tmp_ctx);
2709 return ldb_oom(ldb);
2711 p_ctrl->version = DSDB_CONTROL_CURRENT_PARTITION_VERSION;
2714 ret = ldb_request_add_control(req,
2715 DSDB_CONTROL_CURRENT_PARTITION_OID,
2717 if (ret != LDB_SUCCESS) {
2718 talloc_free(tmp_ctx);
2722 /* Run the new request */
2723 ret = ldb_request(ldb, req);
2725 if (ret == LDB_SUCCESS) {
2726 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
2729 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2730 /* it hasn't been created yet, which means
2731 an implicit value of zero */
2733 talloc_free(tmp_ctx);
2737 if (ret != LDB_SUCCESS) {
2738 talloc_free(tmp_ctx);
2742 if (res->count < 1) {
2748 *uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNHighest", 0);
2750 *urgent_uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNUrgent", 0);
2754 talloc_free(tmp_ctx);
2759 int drsuapi_DsReplicaCursor2_compare(const struct drsuapi_DsReplicaCursor2 *c1,
2760 const struct drsuapi_DsReplicaCursor2 *c2)
2762 return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
2765 int drsuapi_DsReplicaCursor_compare(const struct drsuapi_DsReplicaCursor *c1,
2766 const struct drsuapi_DsReplicaCursor *c2)
2768 return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
2773 see if a computer identified by its invocationId is a RODC
2775 int samdb_is_rodc(struct ldb_context *sam_ctx, const struct GUID *objectGUID, bool *is_rodc)
2777 /* 1) find the DN for this servers NTDSDSA object
2778 2) search for the msDS-isRODC attribute
2779 3) if not present then not a RODC
2780 4) if present and TRUE then is a RODC
2782 struct ldb_dn *config_dn;
2783 const char *attrs[] = { "msDS-isRODC", NULL };
2785 struct ldb_result *res;
2786 TALLOC_CTX *tmp_ctx = talloc_new(sam_ctx);
2788 config_dn = ldb_get_config_basedn(sam_ctx);
2790 talloc_free(tmp_ctx);
2791 return ldb_operr(sam_ctx);
2794 ret = dsdb_search(sam_ctx, tmp_ctx, &res, config_dn, LDB_SCOPE_SUBTREE, attrs,
2795 DSDB_SEARCH_ONE_ONLY, "objectGUID=%s", GUID_string(tmp_ctx, objectGUID));
2797 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2799 talloc_free(tmp_ctx);
2803 if (ret != LDB_SUCCESS) {
2804 DEBUG(1,(("Failed to find our own NTDS Settings object by objectGUID=%s!\n"),
2805 GUID_string(tmp_ctx, objectGUID)));
2807 talloc_free(tmp_ctx);
2811 ret = ldb_msg_find_attr_as_bool(res->msgs[0], "msDS-isRODC", 0);
2812 *is_rodc = (ret == 1);
2814 talloc_free(tmp_ctx);
2820 see if we are a RODC
2822 int samdb_rodc(struct ldb_context *sam_ctx, bool *am_rodc)
2824 const struct GUID *objectGUID;
2828 /* see if we have a cached copy */
2829 cached = (bool *)ldb_get_opaque(sam_ctx, "cache.am_rodc");
2835 objectGUID = samdb_ntds_objectGUID(sam_ctx);
2837 return ldb_operr(sam_ctx);
2840 ret = samdb_is_rodc(sam_ctx, objectGUID, am_rodc);
2841 if (ret != LDB_SUCCESS) {
2845 cached = talloc(sam_ctx, bool);
2846 if (cached == NULL) {
2847 return ldb_oom(sam_ctx);
2851 ret = ldb_set_opaque(sam_ctx, "cache.am_rodc", cached);
2852 if (ret != LDB_SUCCESS) {
2853 talloc_free(cached);
2854 return ldb_operr(sam_ctx);
2860 bool samdb_set_am_rodc(struct ldb_context *ldb, bool am_rodc)
2862 TALLOC_CTX *tmp_ctx;
2865 tmp_ctx = talloc_new(ldb);
2866 if (tmp_ctx == NULL) {
2870 cached = talloc(tmp_ctx, bool);
2876 if (ldb_set_opaque(ldb, "cache.am_rodc", cached) != LDB_SUCCESS) {
2880 talloc_steal(ldb, cached);
2881 talloc_free(tmp_ctx);
2885 DEBUG(1,("Failed to set our own cached am_rodc in the ldb!\n"));
2886 talloc_free(tmp_ctx);
2892 return NTDS options flags. See MS-ADTS 7.1.1.2.2.1.2.1.1
2894 flags are DS_NTDS_OPTION_*
2896 int samdb_ntds_options(struct ldb_context *ldb, uint32_t *options)
2898 TALLOC_CTX *tmp_ctx;
2899 const char *attrs[] = { "options", NULL };
2901 struct ldb_result *res;
2903 tmp_ctx = talloc_new(ldb);
2904 if (tmp_ctx == NULL) {
2908 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
2909 if (ret != LDB_SUCCESS) {
2913 if (res->count != 1) {
2917 *options = samdb_result_uint(res->msgs[0], "options", 0);
2919 talloc_free(tmp_ctx);
2924 DEBUG(1,("Failed to find our own NTDS Settings options in the ldb!\n"));
2925 talloc_free(tmp_ctx);
2926 return LDB_ERR_NO_SUCH_OBJECT;
2929 const char* samdb_ntds_object_category(TALLOC_CTX *tmp_ctx, struct ldb_context *ldb)
2931 const char *attrs[] = { "objectCategory", NULL };
2933 struct ldb_result *res;
2935 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
2936 if (ret != LDB_SUCCESS) {
2940 if (res->count != 1) {
2944 return samdb_result_string(res->msgs[0], "objectCategory", NULL);
2947 DEBUG(1,("Failed to find our own NTDS Settings objectCategory in the ldb!\n"));
2952 * Function which generates a "lDAPDisplayName" attribute from a "CN" one.
2953 * Algorithm implemented according to MS-ADTS 3.1.1.2.3.4
2955 const char *samdb_cn_to_lDAPDisplayName(TALLOC_CTX *mem_ctx, const char *cn)
2957 char **tokens, *ret;
2960 tokens = str_list_make(mem_ctx, cn, " -_");
2964 /* "tolower()" and "toupper()" should also work properly on 0x00 */
2965 tokens[0][0] = tolower(tokens[0][0]);
2966 for (i = 1; i < str_list_length((const char **)tokens); i++)
2967 tokens[i][0] = toupper(tokens[i][0]);
2969 ret = talloc_strdup(mem_ctx, tokens[0]);
2970 for (i = 1; i < str_list_length((const char **)tokens); i++)
2971 ret = talloc_asprintf_append_buffer(ret, "%s", tokens[i]);
2973 talloc_free(tokens);
2979 * This detects and returns the domain functional level (DS_DOMAIN_FUNCTION_*)
2981 int dsdb_functional_level(struct ldb_context *ldb)
2983 int *domainFunctionality =
2984 talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int);
2985 if (!domainFunctionality) {
2986 DEBUG(0,(__location__ ": WARNING: domainFunctionality not setup\n"));
2987 return DS_DOMAIN_FUNCTION_2000;
2989 return *domainFunctionality;
2993 * This detects and returns the forest functional level (DS_DOMAIN_FUNCTION_*)
2995 int dsdb_forest_functional_level(struct ldb_context *ldb)
2997 int *forestFunctionality =
2998 talloc_get_type(ldb_get_opaque(ldb, "forestFunctionality"), int);
2999 if (!forestFunctionality) {
3000 DEBUG(0,(__location__ ": WARNING: forestFunctionality not setup\n"));
3001 return DS_DOMAIN_FUNCTION_2000;
3003 return *forestFunctionality;
3007 set a GUID in an extended DN structure
3009 int dsdb_set_extended_dn_guid(struct ldb_dn *dn, const struct GUID *guid, const char *component_name)
3015 status = GUID_to_ndr_blob(guid, dn, &v);
3016 if (!NT_STATUS_IS_OK(status)) {
3017 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
3020 ret = ldb_dn_set_extended_component(dn, component_name, &v);
3026 return a GUID from a extended DN structure
3028 NTSTATUS dsdb_get_extended_dn_guid(struct ldb_dn *dn, struct GUID *guid, const char *component_name)
3030 const struct ldb_val *v;
3032 v = ldb_dn_get_extended_component(dn, component_name);
3034 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3037 return GUID_from_ndr_blob(v, guid);
3041 return a uint64_t from a extended DN structure
3043 NTSTATUS dsdb_get_extended_dn_uint64(struct ldb_dn *dn, uint64_t *val, const char *component_name)
3045 const struct ldb_val *v;
3048 v = ldb_dn_get_extended_component(dn, component_name);
3050 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3052 s = talloc_strndup(dn, (const char *)v->data, v->length);
3053 NT_STATUS_HAVE_NO_MEMORY(s);
3055 *val = strtoull(s, NULL, 0);
3058 return NT_STATUS_OK;
3062 return a NTTIME from a extended DN structure
3064 NTSTATUS dsdb_get_extended_dn_nttime(struct ldb_dn *dn, NTTIME *nttime, const char *component_name)
3066 return dsdb_get_extended_dn_uint64(dn, nttime, component_name);
3070 return a uint32_t from a extended DN structure
3072 NTSTATUS dsdb_get_extended_dn_uint32(struct ldb_dn *dn, uint32_t *val, const char *component_name)
3074 const struct ldb_val *v;
3077 v = ldb_dn_get_extended_component(dn, component_name);
3079 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3082 s = talloc_strndup(dn, (const char *)v->data, v->length);
3083 NT_STATUS_HAVE_NO_MEMORY(s);
3085 *val = strtoul(s, NULL, 0);
3088 return NT_STATUS_OK;
3092 return a dom_sid from a extended DN structure
3094 NTSTATUS dsdb_get_extended_dn_sid(struct ldb_dn *dn, struct dom_sid *sid, const char *component_name)
3096 const struct ldb_val *sid_blob;
3097 struct TALLOC_CTX *tmp_ctx;
3098 enum ndr_err_code ndr_err;
3100 sid_blob = ldb_dn_get_extended_component(dn, "SID");
3102 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3105 tmp_ctx = talloc_new(NULL);
3107 ndr_err = ndr_pull_struct_blob_all(sid_blob, tmp_ctx, sid,
3108 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
3109 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3110 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
3111 talloc_free(tmp_ctx);
3115 talloc_free(tmp_ctx);
3116 return NT_STATUS_OK;
3121 return RMD_FLAGS directly from a ldb_dn
3122 returns 0 if not found
3124 uint32_t dsdb_dn_rmd_flags(struct ldb_dn *dn)
3126 const struct ldb_val *v;
3128 v = ldb_dn_get_extended_component(dn, "RMD_FLAGS");
3129 if (!v || v->length > sizeof(buf)-1) return 0;
3130 strncpy(buf, (const char *)v->data, v->length);
3132 return strtoul(buf, NULL, 10);
3136 return RMD_FLAGS directly from a ldb_val for a DN
3137 returns 0 if RMD_FLAGS is not found
3139 uint32_t dsdb_dn_val_rmd_flags(const struct ldb_val *val)
3145 if (val->length < 13) {
3148 p = memmem(val->data, val->length-2, "<RMD_FLAGS=", 11);
3152 flags = strtoul(p+11, &end, 10);
3153 if (!end || *end != '>') {
3154 /* it must end in a > */
3161 return true if a ldb_val containing a DN in storage form is deleted
3163 bool dsdb_dn_is_deleted_val(const struct ldb_val *val)
3165 return (dsdb_dn_val_rmd_flags(val) & DSDB_RMD_FLAG_DELETED) != 0;
3169 return true if a ldb_val containing a DN in storage form is
3170 in the upgraded w2k3 linked attribute format
3172 bool dsdb_dn_is_upgraded_link_val(struct ldb_val *val)
3174 return memmem(val->data, val->length, "<RMD_ADDTIME=", 13) != NULL;
3178 return a DN for a wellknown GUID
3180 int dsdb_wellknown_dn(struct ldb_context *samdb, TALLOC_CTX *mem_ctx,
3181 struct ldb_dn *nc_root, const char *wk_guid,
3182 struct ldb_dn **wkguid_dn)
3184 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3185 const char *attrs[] = { NULL };
3188 struct ldb_result *res;
3190 /* construct the magic WKGUID DN */
3191 dn = ldb_dn_new_fmt(tmp_ctx, samdb, "<WKGUID=%s,%s>",
3192 wk_guid, ldb_dn_get_linearized(nc_root));
3194 talloc_free(tmp_ctx);
3195 return ldb_operr(samdb);
3198 ret = dsdb_search_dn(samdb, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_DELETED);
3199 if (ret != LDB_SUCCESS) {
3200 talloc_free(tmp_ctx);
3204 (*wkguid_dn) = talloc_steal(mem_ctx, res->msgs[0]->dn);
3205 talloc_free(tmp_ctx);
3210 static int dsdb_dn_compare_ptrs(struct ldb_dn **dn1, struct ldb_dn **dn2)
3212 return ldb_dn_compare(*dn1, *dn2);
3216 find a NC root given a DN within the NC
3218 int dsdb_find_nc_root(struct ldb_context *samdb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
3219 struct ldb_dn **nc_root)
3221 const char *root_attrs[] = { "namingContexts", NULL };
3222 TALLOC_CTX *tmp_ctx;
3224 struct ldb_message_element *el;
3225 struct ldb_result *root_res;
3227 struct ldb_dn **nc_dns;
3229 tmp_ctx = talloc_new(samdb);
3230 if (tmp_ctx == NULL) {
3231 return ldb_oom(samdb);
3234 ret = ldb_search(samdb, tmp_ctx, &root_res,
3235 ldb_dn_new(tmp_ctx, samdb, ""), LDB_SCOPE_BASE, root_attrs, NULL);
3236 if (ret != LDB_SUCCESS) {
3237 DEBUG(1,("Searching for namingContexts in rootDSE failed: %s\n", ldb_errstring(samdb)));
3238 talloc_free(tmp_ctx);
3242 el = ldb_msg_find_element(root_res->msgs[0], "namingContexts");
3244 DEBUG(1,("Finding namingContexts element in root_res failed: %s\n",
3245 ldb_errstring(samdb)));
3246 talloc_free(tmp_ctx);
3247 return LDB_ERR_NO_SUCH_ATTRIBUTE;
3250 nc_dns = talloc_array(tmp_ctx, struct ldb_dn *, el->num_values);
3252 talloc_free(tmp_ctx);
3253 return ldb_oom(samdb);
3256 for (i=0; i<el->num_values; i++) {
3257 nc_dns[i] = ldb_dn_from_ldb_val(nc_dns, samdb, &el->values[i]);
3258 if (nc_dns[i] == NULL) {
3259 talloc_free(tmp_ctx);
3260 return ldb_operr(samdb);
3264 TYPESAFE_QSORT(nc_dns, el->num_values, dsdb_dn_compare_ptrs);
3266 for (i=0; i<el->num_values; i++) {
3267 if (ldb_dn_compare_base(nc_dns[i], dn) == 0) {
3268 (*nc_root) = talloc_steal(mem_ctx, nc_dns[i]);
3269 talloc_free(tmp_ctx);
3274 talloc_free(tmp_ctx);
3275 return LDB_ERR_NO_SUCH_OBJECT;
3280 find the deleted objects DN for any object, by looking for the NC
3281 root, then looking up the wellknown GUID
3283 int dsdb_get_deleted_objects_dn(struct ldb_context *ldb,
3284 TALLOC_CTX *mem_ctx, struct ldb_dn *obj_dn,
3285 struct ldb_dn **do_dn)
3287 struct ldb_dn *nc_root;
3290 ret = dsdb_find_nc_root(ldb, mem_ctx, obj_dn, &nc_root);
3291 if (ret != LDB_SUCCESS) {
3295 ret = dsdb_wellknown_dn(ldb, mem_ctx, nc_root, DS_GUID_DELETED_OBJECTS_CONTAINER, do_dn);
3296 talloc_free(nc_root);
3301 return the tombstoneLifetime, in days
3303 int dsdb_tombstone_lifetime(struct ldb_context *ldb, uint32_t *lifetime)
3306 dn = ldb_get_config_basedn(ldb);
3308 return LDB_ERR_NO_SUCH_OBJECT;
3310 dn = ldb_dn_copy(ldb, dn);
3312 return ldb_operr(ldb);
3314 /* see MS-ADTS section 7.1.1.2.4.1.1. There doesn't appear to
3315 be a wellknown GUID for this */
3316 if (!ldb_dn_add_child_fmt(dn, "CN=Directory Service,CN=Windows NT,CN=Services")) {
3318 return ldb_operr(ldb);
3321 *lifetime = samdb_search_uint(ldb, dn, 180, dn, "tombstoneLifetime", "objectClass=nTDSService");
3327 compare a ldb_val to a string case insensitively
3329 int samdb_ldb_val_case_cmp(const char *s, struct ldb_val *v)
3331 size_t len = strlen(s);
3333 if (len > v->length) return 1;
3334 ret = strncasecmp(s, (const char *)v->data, v->length);
3335 if (ret != 0) return ret;
3336 if (v->length > len && v->data[len] != 0) {
3344 load the UDV for a partition in v2 format
3345 The list is returned sorted, and with our local cursor added
3347 int dsdb_load_udv_v2(struct ldb_context *samdb, struct ldb_dn *dn, TALLOC_CTX *mem_ctx,
3348 struct drsuapi_DsReplicaCursor2 **cursors, uint32_t *count)
3350 static const char *attrs[] = { "replUpToDateVector", NULL };
3351 struct ldb_result *r;
3352 const struct ldb_val *ouv_value;
3355 uint64_t highest_usn;
3356 const struct GUID *our_invocation_id;
3357 struct timeval now = timeval_current();
3359 ret = ldb_search(samdb, mem_ctx, &r, dn, LDB_SCOPE_BASE, attrs, NULL);
3360 if (ret != LDB_SUCCESS) {
3364 ouv_value = ldb_msg_find_ldb_val(r->msgs[0], "replUpToDateVector");
3366 enum ndr_err_code ndr_err;
3367 struct replUpToDateVectorBlob ouv;
3369 ndr_err = ndr_pull_struct_blob(ouv_value, r, &ouv,
3370 (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
3371 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3373 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
3375 if (ouv.version != 2) {
3376 /* we always store as version 2, and
3377 * replUpToDateVector is not replicated
3379 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
3382 *count = ouv.ctr.ctr2.count;
3383 *cursors = talloc_steal(mem_ctx, ouv.ctr.ctr2.cursors);
3391 our_invocation_id = samdb_ntds_invocation_id(samdb);
3392 if (!our_invocation_id) {
3393 DEBUG(0,(__location__ ": No invocationID on samdb - %s\n", ldb_errstring(samdb)));
3394 talloc_free(*cursors);
3395 return ldb_operr(samdb);
3398 ret = dsdb_load_partition_usn(samdb, dn, &highest_usn, NULL);
3399 if (ret != LDB_SUCCESS) {
3400 /* nothing to add - this can happen after a vampire */
3401 TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
3405 for (i=0; i<*count; i++) {
3406 if (GUID_equal(our_invocation_id, &(*cursors)[i].source_dsa_invocation_id)) {
3407 (*cursors)[i].highest_usn = highest_usn;
3408 (*cursors)[i].last_sync_success = timeval_to_nttime(&now);
3409 TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
3414 (*cursors) = talloc_realloc(mem_ctx, *cursors, struct drsuapi_DsReplicaCursor2, (*count)+1);
3416 return ldb_oom(samdb);
3419 (*cursors)[*count].source_dsa_invocation_id = *our_invocation_id;
3420 (*cursors)[*count].highest_usn = highest_usn;
3421 (*cursors)[*count].last_sync_success = timeval_to_nttime(&now);
3424 TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
3430 load the UDV for a partition in version 1 format
3431 The list is returned sorted, and with our local cursor added
3433 int dsdb_load_udv_v1(struct ldb_context *samdb, struct ldb_dn *dn, TALLOC_CTX *mem_ctx,
3434 struct drsuapi_DsReplicaCursor **cursors, uint32_t *count)
3436 struct drsuapi_DsReplicaCursor2 *v2;
3440 ret = dsdb_load_udv_v2(samdb, dn, mem_ctx, &v2, count);
3441 if (ret != LDB_SUCCESS) {
3451 *cursors = talloc_array(mem_ctx, struct drsuapi_DsReplicaCursor, *count);
3452 if (*cursors == NULL) {
3454 return ldb_oom(samdb);
3457 for (i=0; i<*count; i++) {
3458 (*cursors)[i].source_dsa_invocation_id = v2[i].source_dsa_invocation_id;
3459 (*cursors)[i].highest_usn = v2[i].highest_usn;
3466 add a set of controls to a ldb_request structure based on a set of
3467 flags. See util.h for a list of available flags
3469 int dsdb_request_add_controls(struct ldb_request *req, uint32_t dsdb_flags)
3472 if (dsdb_flags & DSDB_SEARCH_SEARCH_ALL_PARTITIONS) {
3473 struct ldb_search_options_control *options;
3474 /* Using the phantom root control allows us to search all partitions */
3475 options = talloc(req, struct ldb_search_options_control);
3476 if (options == NULL) {
3477 return LDB_ERR_OPERATIONS_ERROR;
3479 options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
3481 ret = ldb_request_add_control(req,
3482 LDB_CONTROL_SEARCH_OPTIONS_OID,
3484 if (ret != LDB_SUCCESS) {
3489 if (dsdb_flags & DSDB_SEARCH_SHOW_DELETED) {
3490 ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_DELETED_OID, true, NULL);
3491 if (ret != LDB_SUCCESS) {
3496 if (dsdb_flags & DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT) {
3497 ret = ldb_request_add_control(req, DSDB_CONTROL_DN_STORAGE_FORMAT_OID, true, NULL);
3498 if (ret != LDB_SUCCESS) {
3503 if (dsdb_flags & DSDB_SEARCH_SHOW_EXTENDED_DN) {
3504 struct ldb_extended_dn_control *extended_ctrl = talloc(req, struct ldb_extended_dn_control);
3505 if (!extended_ctrl) {
3506 return LDB_ERR_OPERATIONS_ERROR;
3508 extended_ctrl->type = 1;
3510 ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, extended_ctrl);
3511 if (ret != LDB_SUCCESS) {
3516 if (dsdb_flags & DSDB_SEARCH_REVEAL_INTERNALS) {
3517 ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
3518 if (ret != LDB_SUCCESS) {
3523 if (dsdb_flags & DSDB_MODIFY_RELAX) {
3524 ret = ldb_request_add_control(req, LDB_CONTROL_RELAX_OID, false, NULL);
3525 if (ret != LDB_SUCCESS) {
3530 if (dsdb_flags & DSDB_MODIFY_PERMISSIVE) {
3531 ret = ldb_request_add_control(req, LDB_CONTROL_PERMISSIVE_MODIFY_OID, false, NULL);
3532 if (ret != LDB_SUCCESS) {
3537 if (dsdb_flags & DSDB_FLAG_AS_SYSTEM) {
3538 ret = ldb_request_add_control(req, LDB_CONTROL_AS_SYSTEM_OID, false, NULL);
3539 if (ret != LDB_SUCCESS) {
3544 if (dsdb_flags & DSDB_TREE_DELETE) {
3545 ret = ldb_request_add_control(req, LDB_CONTROL_TREE_DELETE_OID, false, NULL);
3546 if (ret != LDB_SUCCESS) {
3555 an add with a set of controls
3557 int dsdb_add(struct ldb_context *ldb, const struct ldb_message *message,
3558 uint32_t dsdb_flags)
3560 struct ldb_request *req;
3563 ret = ldb_build_add_req(&req, ldb, ldb,
3567 ldb_op_default_callback,
3570 if (ret != LDB_SUCCESS) return ret;
3572 ret = dsdb_request_add_controls(req, dsdb_flags);
3573 if (ret != LDB_SUCCESS) {
3578 ret = dsdb_autotransaction_request(ldb, req);
3585 a modify with a set of controls
3587 int dsdb_modify(struct ldb_context *ldb, const struct ldb_message *message,
3588 uint32_t dsdb_flags)
3590 struct ldb_request *req;
3593 ret = ldb_build_mod_req(&req, ldb, ldb,
3597 ldb_op_default_callback,
3600 if (ret != LDB_SUCCESS) return ret;
3602 ret = dsdb_request_add_controls(req, dsdb_flags);
3603 if (ret != LDB_SUCCESS) {
3608 ret = dsdb_autotransaction_request(ldb, req);
3615 like dsdb_modify() but set all the element flags to
3616 LDB_FLAG_MOD_REPLACE
3618 int dsdb_replace(struct ldb_context *ldb, struct ldb_message *msg, uint32_t dsdb_flags)
3622 /* mark all the message elements as LDB_FLAG_MOD_REPLACE */
3623 for (i=0;i<msg->num_elements;i++) {
3624 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
3627 return dsdb_modify(ldb, msg, dsdb_flags);
3632 search for attrs on one DN, allowing for dsdb_flags controls
3634 int dsdb_search_dn(struct ldb_context *ldb,
3635 TALLOC_CTX *mem_ctx,
3636 struct ldb_result **_res,
3637 struct ldb_dn *basedn,
3638 const char * const *attrs,
3639 uint32_t dsdb_flags)
3642 struct ldb_request *req;
3643 struct ldb_result *res;
3645 res = talloc_zero(mem_ctx, struct ldb_result);
3647 return ldb_oom(ldb);
3650 ret = ldb_build_search_req(&req, ldb, res,
3657 ldb_search_default_callback,
3659 if (ret != LDB_SUCCESS) {
3664 ret = dsdb_request_add_controls(req, dsdb_flags);
3665 if (ret != LDB_SUCCESS) {
3670 ret = ldb_request(ldb, req);
3671 if (ret == LDB_SUCCESS) {
3672 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
3676 if (ret != LDB_SUCCESS) {
3686 general search with dsdb_flags for controls
3688 int dsdb_search(struct ldb_context *ldb,
3689 TALLOC_CTX *mem_ctx,
3690 struct ldb_result **_res,
3691 struct ldb_dn *basedn,
3692 enum ldb_scope scope,
3693 const char * const *attrs,
3694 uint32_t dsdb_flags,
3695 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(8, 9)
3698 struct ldb_request *req;
3699 struct ldb_result *res;
3701 char *expression = NULL;
3702 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3704 res = talloc_zero(tmp_ctx, struct ldb_result);
3706 talloc_free(tmp_ctx);
3707 return ldb_oom(ldb);
3711 va_start(ap, exp_fmt);
3712 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
3716 talloc_free(tmp_ctx);
3717 return ldb_oom(ldb);
3721 ret = ldb_build_search_req(&req, ldb, tmp_ctx,
3728 ldb_search_default_callback,
3730 if (ret != LDB_SUCCESS) {
3731 talloc_free(tmp_ctx);
3735 ret = dsdb_request_add_controls(req, dsdb_flags);
3736 if (ret != LDB_SUCCESS) {
3737 talloc_free(tmp_ctx);
3741 ret = ldb_request(ldb, req);
3742 if (ret == LDB_SUCCESS) {
3743 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
3746 if (ret != LDB_SUCCESS) {
3747 talloc_free(tmp_ctx);
3751 if (dsdb_flags & DSDB_SEARCH_ONE_ONLY) {
3752 if (res->count == 0) {
3753 talloc_free(tmp_ctx);
3754 return LDB_ERR_NO_SUCH_OBJECT;
3756 if (res->count != 1) {
3757 talloc_free(tmp_ctx);
3758 return LDB_ERR_CONSTRAINT_VIOLATION;
3762 *_res = talloc_steal(mem_ctx, res);
3763 talloc_free(tmp_ctx);
3770 general search with dsdb_flags for controls
3771 returns exactly 1 record or an error
3773 int dsdb_search_one(struct ldb_context *ldb,
3774 TALLOC_CTX *mem_ctx,
3775 struct ldb_message **msg,
3776 struct ldb_dn *basedn,
3777 enum ldb_scope scope,
3778 const char * const *attrs,
3779 uint32_t dsdb_flags,
3780 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(8, 9)
3783 struct ldb_result *res;
3785 char *expression = NULL;
3786 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3788 dsdb_flags |= DSDB_SEARCH_ONE_ONLY;
3790 res = talloc_zero(tmp_ctx, struct ldb_result);
3792 talloc_free(tmp_ctx);
3793 return ldb_oom(ldb);
3797 va_start(ap, exp_fmt);
3798 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
3802 talloc_free(tmp_ctx);
3803 return ldb_oom(ldb);
3805 ret = dsdb_search(ldb, tmp_ctx, &res, basedn, scope, attrs,
3806 dsdb_flags, "%s", expression);
3808 ret = dsdb_search(ldb, tmp_ctx, &res, basedn, scope, attrs,
3812 if (ret != LDB_SUCCESS) {
3813 talloc_free(tmp_ctx);
3817 *msg = talloc_steal(mem_ctx, res->msgs[0]);
3818 talloc_free(tmp_ctx);
3823 /* returns back the forest DNS name */
3824 const char *samdb_forest_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
3826 const char *forest_name = ldb_dn_canonical_string(mem_ctx,
3827 ldb_get_root_basedn(ldb));
3830 if (forest_name == NULL) {
3834 p = strchr(forest_name, '/');
3843 validate that an DSA GUID belongs to the specified user sid.
3844 The user SID must be a domain controller account (either RODC or
3847 int dsdb_validate_dsa_guid(struct ldb_context *ldb,
3848 const struct GUID *dsa_guid,
3849 const struct dom_sid *sid)
3852 - find DN of record with the DSA GUID in the
3853 configuration partition (objectGUID)
3854 - remove "NTDS Settings" component from DN
3855 - do a base search on that DN for serverReference with
3857 - extract objectSID from resulting serverReference
3859 - check this sid matches the sid argument
3861 struct ldb_dn *config_dn;
3862 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
3863 struct ldb_message *msg;
3864 const char *attrs1[] = { NULL };
3865 const char *attrs2[] = { "serverReference", NULL };
3867 struct ldb_dn *dn, *account_dn;
3868 struct dom_sid sid2;
3871 config_dn = ldb_get_config_basedn(ldb);
3873 ret = dsdb_search_one(ldb, tmp_ctx, &msg, config_dn, LDB_SCOPE_SUBTREE,
3874 attrs1, 0, "(&(objectGUID=%s)(objectClass=nTDSDSA))", GUID_string(tmp_ctx, dsa_guid));
3875 if (ret != LDB_SUCCESS) {
3876 DEBUG(1,(__location__ ": Failed to find DSA objectGUID %s for sid %s\n",
3877 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
3878 talloc_free(tmp_ctx);
3879 return ldb_operr(ldb);
3883 if (!ldb_dn_remove_child_components(dn, 1)) {
3884 talloc_free(tmp_ctx);
3885 return ldb_operr(ldb);
3888 ret = dsdb_search_one(ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE,
3889 attrs2, DSDB_SEARCH_SHOW_EXTENDED_DN,
3890 "(objectClass=server)");
3891 if (ret != LDB_SUCCESS) {
3892 DEBUG(1,(__location__ ": Failed to find server record for DSA with objectGUID %s, sid %s\n",
3893 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
3894 talloc_free(tmp_ctx);
3895 return ldb_operr(ldb);
3898 account_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, msg, "serverReference");
3899 if (account_dn == NULL) {
3900 DEBUG(1,(__location__ ": Failed to find account_dn for DSA with objectGUID %s, sid %s\n",
3901 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
3902 talloc_free(tmp_ctx);
3903 return ldb_operr(ldb);
3906 status = dsdb_get_extended_dn_sid(account_dn, &sid2, "SID");
3907 if (!NT_STATUS_IS_OK(status)) {
3908 DEBUG(1,(__location__ ": Failed to find SID for DSA with objectGUID %s, sid %s\n",
3909 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
3910 talloc_free(tmp_ctx);
3911 return ldb_operr(ldb);
3914 if (!dom_sid_equal(sid, &sid2)) {
3915 /* someone is trying to spoof another account */
3916 DEBUG(0,(__location__ ": Bad DSA objectGUID %s for sid %s - expected sid %s\n",
3917 GUID_string(tmp_ctx, dsa_guid),
3918 dom_sid_string(tmp_ctx, sid),
3919 dom_sid_string(tmp_ctx, &sid2)));
3920 talloc_free(tmp_ctx);
3921 return ldb_operr(ldb);
3924 talloc_free(tmp_ctx);
3928 const char *rodc_fas_list[] = {"ms-PKI-DPAPIMasterKeys",
3929 "ms-PKI-AccountCredentials",
3930 "ms-PKI-RoamingTimeStamp",
3931 "ms-FVE-KeyPackage",
3932 "ms-FVE-RecoveryGuid",
3933 "ms-FVE-RecoveryInformation",
3934 "ms-FVE-RecoveryPassword",
3935 "ms-FVE-VolumeGuid",
3936 "ms-TPM-OwnerInformation",
3939 check if the attribute belongs to the RODC filtered attribute set
3941 bool dsdb_attr_in_rodc_fas(uint32_t replica_flags, const struct dsdb_attribute *sa)
3943 int rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
3944 bool drs_write_replica = ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0);
3946 if (drs_write_replica && (sa->searchFlags & rodc_filtered_flags)) {
3949 if (drs_write_replica && is_attr_in_list(rodc_fas_list, sa->cn)) {