2 Unix SMB/CIFS implementation.
3 Samba utility functions
5 Copyright (C) Andrew Tridgell 2004
6 Copyright (C) Volker Lendecke 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
8 Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "events/events.h"
27 #include "ldb_module.h"
28 #include "ldb_errors.h"
29 #include "../lib/util/util_ldb.h"
30 #include "../lib/crypto/crypto.h"
31 #include "dsdb/samdb/samdb.h"
32 #include "libcli/security/security.h"
33 #include "librpc/gen_ndr/ndr_security.h"
34 #include "librpc/gen_ndr/ndr_misc.h"
35 #include "../libds/common/flags.h"
36 #include "dsdb/common/proto.h"
37 #include "libcli/ldap/ldap_ndr.h"
38 #include "param/param.h"
39 #include "libcli/auth/libcli_auth.h"
40 #include "librpc/gen_ndr/ndr_drsblobs.h"
41 #include "system/locale.h"
42 #include "lib/util/tsort.h"
43 #include "dsdb/common/util.h"
44 #include "lib/socket/socket.h"
45 #include "dsdb/samdb/ldb_modules/util.h"
48 search the sam for the specified attributes in a specific domain, filter on
49 objectSid being in domain_sid.
51 int samdb_search_domain(struct ldb_context *sam_ldb,
53 struct ldb_dn *basedn,
54 struct ldb_message ***res,
55 const char * const *attrs,
56 const struct dom_sid *domain_sid,
57 const char *format, ...) _PRINTF_ATTRIBUTE(7,8)
63 count = gendb_search_v(sam_ldb, mem_ctx, basedn,
64 res, attrs, format, ap);
70 struct dom_sid *entry_sid;
72 entry_sid = samdb_result_dom_sid(mem_ctx, (*res)[i], "objectSid");
74 if ((entry_sid == NULL) ||
75 (!dom_sid_in_domain(domain_sid, entry_sid))) {
76 /* Delete that entry from the result set */
77 (*res)[i] = (*res)[count-1];
79 talloc_free(entry_sid);
82 talloc_free(entry_sid);
90 search the sam for a single string attribute in exactly 1 record
92 const char *samdb_search_string_v(struct ldb_context *sam_ldb,
94 struct ldb_dn *basedn,
95 const char *attr_name,
96 const char *format, va_list ap) _PRINTF_ATTRIBUTE(5,0)
99 const char *attrs[2] = { NULL, NULL };
100 struct ldb_message **res = NULL;
102 attrs[0] = attr_name;
104 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
106 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
107 attr_name, format, count));
114 return samdb_result_string(res[0], attr_name, NULL);
118 search the sam for a single string attribute in exactly 1 record
120 const char *samdb_search_string(struct ldb_context *sam_ldb,
122 struct ldb_dn *basedn,
123 const char *attr_name,
124 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
129 va_start(ap, format);
130 str = samdb_search_string_v(sam_ldb, mem_ctx, basedn, attr_name, format, ap);
136 struct ldb_dn *samdb_search_dn(struct ldb_context *sam_ldb,
138 struct ldb_dn *basedn,
139 const char *format, ...) _PRINTF_ATTRIBUTE(4,5)
143 struct ldb_message **res = NULL;
146 va_start(ap, format);
147 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, NULL, format, ap);
150 if (count != 1) return NULL;
152 ret = talloc_steal(mem_ctx, res[0]->dn);
159 search the sam for a dom_sid attribute in exactly 1 record
161 struct dom_sid *samdb_search_dom_sid(struct ldb_context *sam_ldb,
163 struct ldb_dn *basedn,
164 const char *attr_name,
165 const char *format, ...) _PRINTF_ATTRIBUTE(5,6)
169 struct ldb_message **res;
170 const char *attrs[2] = { NULL, NULL };
173 attrs[0] = attr_name;
175 va_start(ap, format);
176 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
179 DEBUG(1,("samdb: search for %s %s not single valued (count=%d)\n",
180 attr_name, format, count));
186 sid = samdb_result_dom_sid(mem_ctx, res[0], attr_name);
192 return the count of the number of records in the sam matching the query
194 int samdb_search_count(struct ldb_context *sam_ldb,
195 struct ldb_dn *basedn,
196 const char *format, ...) _PRINTF_ATTRIBUTE(3,4)
199 struct ldb_message **res;
200 const char *attrs[] = { NULL };
202 TALLOC_CTX *tmp_ctx = talloc_new(sam_ldb);
204 va_start(ap, format);
205 ret = gendb_search_v(sam_ldb, tmp_ctx, basedn, &res, attrs, format, ap);
207 talloc_free(tmp_ctx);
214 search the sam for a single integer attribute in exactly 1 record
216 unsigned int samdb_search_uint(struct ldb_context *sam_ldb,
218 unsigned int default_value,
219 struct ldb_dn *basedn,
220 const char *attr_name,
221 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
225 struct ldb_message **res;
226 const char *attrs[2] = { NULL, NULL };
228 attrs[0] = attr_name;
230 va_start(ap, format);
231 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
235 return default_value;
238 return samdb_result_uint(res[0], attr_name, default_value);
242 search the sam for a single signed 64 bit integer attribute in exactly 1 record
244 int64_t samdb_search_int64(struct ldb_context *sam_ldb,
246 int64_t default_value,
247 struct ldb_dn *basedn,
248 const char *attr_name,
249 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
253 struct ldb_message **res;
254 const char *attrs[2] = { NULL, NULL };
256 attrs[0] = attr_name;
258 va_start(ap, format);
259 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
263 return default_value;
266 return samdb_result_int64(res[0], attr_name, default_value);
270 search the sam for multipe records each giving a single string attribute
271 return the number of matches, or -1 on error
273 int samdb_search_string_multiple(struct ldb_context *sam_ldb,
275 struct ldb_dn *basedn,
277 const char *attr_name,
278 const char *format, ...) _PRINTF_ATTRIBUTE(6,7)
282 const char *attrs[2] = { NULL, NULL };
283 struct ldb_message **res = NULL;
285 attrs[0] = attr_name;
287 va_start(ap, format);
288 count = gendb_search_v(sam_ldb, mem_ctx, basedn, &res, attrs, format, ap);
295 /* make sure its single valued */
296 for (i=0;i<count;i++) {
297 if (res[i]->num_elements != 1) {
298 DEBUG(1,("samdb: search for %s %s not single valued\n",
305 *strs = talloc_array(mem_ctx, const char *, count+1);
311 for (i=0;i<count;i++) {
312 (*strs)[i] = samdb_result_string(res[i], attr_name, NULL);
314 (*strs)[count] = NULL;
320 pull a uint from a result set.
322 unsigned int samdb_result_uint(const struct ldb_message *msg, const char *attr, unsigned int default_value)
324 return ldb_msg_find_attr_as_uint(msg, attr, default_value);
328 pull a (signed) int64 from a result set.
330 int64_t samdb_result_int64(const struct ldb_message *msg, const char *attr, int64_t default_value)
332 return ldb_msg_find_attr_as_int64(msg, attr, default_value);
336 pull a string from a result set.
338 const char *samdb_result_string(const struct ldb_message *msg, const char *attr,
339 const char *default_value)
341 return ldb_msg_find_attr_as_string(msg, attr, default_value);
344 struct ldb_dn *samdb_result_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
345 const char *attr, struct ldb_dn *default_value)
347 struct ldb_dn *ret_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, msg, attr);
349 return default_value;
355 pull a rid from a objectSid in a result set.
357 uint32_t samdb_result_rid_from_sid(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
358 const char *attr, uint32_t default_value)
363 sid = samdb_result_dom_sid(mem_ctx, msg, attr);
365 return default_value;
367 rid = sid->sub_auths[sid->num_auths-1];
373 pull a dom_sid structure from a objectSid in a result set.
375 struct dom_sid *samdb_result_dom_sid(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
378 const struct ldb_val *v;
380 enum ndr_err_code ndr_err;
381 v = ldb_msg_find_ldb_val(msg, attr);
385 sid = talloc(mem_ctx, struct dom_sid);
389 ndr_err = ndr_pull_struct_blob(v, sid, sid,
390 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
391 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
399 pull a guid structure from a objectGUID in a result set.
401 struct GUID samdb_result_guid(const struct ldb_message *msg, const char *attr)
403 const struct ldb_val *v;
407 v = ldb_msg_find_ldb_val(msg, attr);
408 if (!v) return GUID_zero();
410 status = GUID_from_ndr_blob(v, &guid);
411 if (!NT_STATUS_IS_OK(status)) {
419 pull a sid prefix from a objectSid in a result set.
420 this is used to find the domain sid for a user
422 struct dom_sid *samdb_result_sid_prefix(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
425 struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg, attr);
426 if (!sid || sid->num_auths < 1) return NULL;
432 pull a NTTIME in a result set.
434 NTTIME samdb_result_nttime(const struct ldb_message *msg, const char *attr,
435 NTTIME default_value)
437 return ldb_msg_find_attr_as_uint64(msg, attr, default_value);
441 * Windows stores 0 for lastLogoff.
442 * But when a MS DC return the lastLogoff (as Logoff Time)
443 * it returns 0x7FFFFFFFFFFFFFFF, not returning this value in this case
444 * cause windows 2008 and newer version to fail for SMB requests
446 NTTIME samdb_result_last_logoff(const struct ldb_message *msg)
448 NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "lastLogoff",0);
451 ret = 0x7FFFFFFFFFFFFFFFULL;
457 * Windows uses both 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFFULL) to
458 * indicate an account doesn't expire.
460 * When Windows initially creates an account, it sets
461 * accountExpires = 9223372036854775807 (0x7FFFFFFFFFFFFFFF). However,
462 * when changing from an account having a specific expiration date to
463 * that account never expiring, it sets accountExpires = 0.
465 * Consolidate that logic here to allow clearer logic for account expiry in
466 * the rest of the code.
468 NTTIME samdb_result_account_expires(const struct ldb_message *msg)
470 NTTIME ret = ldb_msg_find_attr_as_uint64(msg, "accountExpires",
474 ret = 0x7FFFFFFFFFFFFFFFULL;
480 pull a uint64_t from a result set.
482 uint64_t samdb_result_uint64(const struct ldb_message *msg, const char *attr,
483 uint64_t default_value)
485 return ldb_msg_find_attr_as_uint64(msg, attr, default_value);
490 construct the allow_password_change field from the PwdLastSet attribute and the
491 domain password settings
493 NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb,
495 struct ldb_dn *domain_dn,
496 struct ldb_message *msg,
499 uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
502 if (attr_time == 0) {
506 minPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, "minPwdAge", NULL);
508 /* yes, this is a -= not a += as minPwdAge is stored as the negative
509 of the number of 100-nano-seconds */
510 attr_time -= minPwdAge;
516 construct the force_password_change field from the PwdLastSet
517 attribute, the userAccountControl and the domain password settings
519 NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
521 struct ldb_dn *domain_dn,
522 struct ldb_message *msg)
524 int64_t attr_time = samdb_result_int64(msg, "pwdLastSet", 0);
525 uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg,
526 "userAccountControl",
530 /* Machine accounts don't expire, and there is a flag for 'no expiry' */
531 if (!(userAccountControl & UF_NORMAL_ACCOUNT)
532 || (userAccountControl & UF_DONT_EXPIRE_PASSWD)) {
533 return 0x7FFFFFFFFFFFFFFFULL;
536 if (attr_time == 0) {
539 if (attr_time == -1) {
540 return 0x7FFFFFFFFFFFFFFFULL;
543 maxPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn,
545 if (maxPwdAge == 0) {
546 return 0x7FFFFFFFFFFFFFFFULL;
548 attr_time -= maxPwdAge;
555 pull a samr_Password structutre from a result set.
557 struct samr_Password *samdb_result_hash(TALLOC_CTX *mem_ctx, const struct ldb_message *msg, const char *attr)
559 struct samr_Password *hash = NULL;
560 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
561 if (val && (val->length >= sizeof(hash->hash))) {
562 hash = talloc(mem_ctx, struct samr_Password);
563 memcpy(hash->hash, val->data, MIN(val->length, sizeof(hash->hash)));
569 pull an array of samr_Password structures from a result set.
571 unsigned int samdb_result_hashes(TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
572 const char *attr, struct samr_Password **hashes)
574 unsigned int count, i;
575 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
581 count = val->length / 16;
586 *hashes = talloc_array(mem_ctx, struct samr_Password, count);
591 for (i=0;i<count;i++) {
592 memcpy((*hashes)[i].hash, (i*16)+(char *)val->data, 16);
598 NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct ldb_message *msg,
599 struct samr_Password **lm_pwd, struct samr_Password **nt_pwd)
601 struct samr_Password *lmPwdHash, *ntPwdHash;
604 num_nt = samdb_result_hashes(mem_ctx, msg, "unicodePwd", &ntPwdHash);
607 } else if (num_nt > 1) {
608 return NT_STATUS_INTERNAL_DB_CORRUPTION;
610 *nt_pwd = &ntPwdHash[0];
614 /* Ensure that if we have turned off LM
615 * authentication, that we never use the LM hash, even
617 if (lpcfg_lanman_auth(lp_ctx)) {
619 num_lm = samdb_result_hashes(mem_ctx, msg, "dBCSPwd", &lmPwdHash);
622 } else if (num_lm > 1) {
623 return NT_STATUS_INTERNAL_DB_CORRUPTION;
625 *lm_pwd = &lmPwdHash[0];
635 pull a samr_LogonHours structutre from a result set.
637 struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr)
639 struct samr_LogonHours hours;
640 size_t units_per_week = 168;
641 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
646 units_per_week = val->length * 8;
649 hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week/8);
653 hours.units_per_week = units_per_week;
654 memset(hours.bits, 0xFF, units_per_week/8);
656 memcpy(hours.bits, val->data, val->length);
663 pull a set of account_flags from a result set.
665 This requires that the attributes:
670 uint32_t samdb_result_acct_flags(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
671 struct ldb_message *msg, struct ldb_dn *domain_dn)
673 uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
674 uint32_t acct_flags = ds_uf2acb(userAccountControl);
675 NTTIME must_change_time;
678 must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
681 /* Test account expire time */
682 unix_to_nt_time(&now, time(NULL));
683 /* check for expired password */
684 if (must_change_time < now) {
685 acct_flags |= ACB_PW_EXPIRED;
690 struct lsa_BinaryString samdb_result_parameters(TALLOC_CTX *mem_ctx,
691 struct ldb_message *msg,
694 struct lsa_BinaryString s;
695 const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
703 s.array = talloc_array(mem_ctx, uint16_t, val->length/2);
707 s.length = s.size = val->length;
708 memcpy(s.array, val->data, val->length);
713 /* Find an attribute, with a particular value */
715 /* The current callers of this function expect a very specific
716 * behaviour: In particular, objectClass subclass equivilance is not
717 * wanted. This means that we should not lookup the schema for the
718 * comparison function */
719 struct ldb_message_element *samdb_find_attribute(struct ldb_context *ldb,
720 const struct ldb_message *msg,
721 const char *name, const char *value)
724 struct ldb_message_element *el = ldb_msg_find_element(msg, name);
730 for (i=0;i<el->num_values;i++) {
731 if (ldb_attr_cmp(value, (char *)el->values[i].data) == 0) {
740 * This is intended for use by the "password hash" module since there
741 * password changes can be specified through one message element with the
742 * new password (to set) and another one with the old password (to unset).
744 * The first which sets a password (new value) can have flags
745 * (LDB_FLAG_MOD_ADD, LDB_FLAG_MOD_REPLACE) but also none (on "add" operations
746 * for entries). The latter (old value) has always specified
747 * LDB_FLAG_MOD_DELETE.
749 * Returns LDB_ERR_NO_SUCH_ATTRIBUTE if the attribute which should be deleted
750 * doesn't contain only one value (this is the Windows Server behaviour)
751 * otherwise LDB_SUCCESS.
753 int samdb_msg_find_old_and_new_ldb_val(const struct ldb_message *msg,
755 const struct ldb_val **new_val,
756 const struct ldb_val **old_val)
767 for (i = 0; i < msg->num_elements; i++) {
768 if (ldb_attr_cmp(msg->elements[i].name, name) == 0) {
769 if (msg->elements[i].flags == LDB_FLAG_MOD_DELETE) {
770 *old_val = &msg->elements[i].values[0];
772 *new_val = &msg->elements[i].values[0];
780 int samdb_find_or_add_value(struct ldb_context *ldb, struct ldb_message *msg, const char *name, const char *set_value)
782 if (samdb_find_attribute(ldb, msg, name, set_value) == NULL) {
783 return samdb_msg_add_string(ldb, msg, msg, name, set_value);
788 int samdb_find_or_add_attribute(struct ldb_context *ldb, struct ldb_message *msg, const char *name, const char *set_value)
790 struct ldb_message_element *el;
792 el = ldb_msg_find_element(msg, name);
797 return samdb_msg_add_string(ldb, msg, msg, name, set_value);
803 add a string element to a message
805 int samdb_msg_add_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
806 const char *attr_name, const char *str)
808 char *s = talloc_strdup(mem_ctx, str);
809 char *a = talloc_strdup(mem_ctx, attr_name);
810 if (s == NULL || a == NULL) {
811 return ldb_oom(sam_ldb);
813 return ldb_msg_add_string(msg, a, s);
817 add a dom_sid element to a message
819 int samdb_msg_add_dom_sid(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
820 const char *attr_name, struct dom_sid *sid)
823 enum ndr_err_code ndr_err;
825 ndr_err = ndr_push_struct_blob(&v, mem_ctx,
827 (ndr_push_flags_fn_t)ndr_push_dom_sid);
828 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
829 return ldb_operr(sam_ldb);
831 return ldb_msg_add_value(msg, attr_name, &v, NULL);
836 add a delete element operation to a message
838 int samdb_msg_add_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
839 const char *attr_name)
841 /* we use an empty replace rather than a delete, as it allows for
842 dsdb_replace() to be used everywhere */
843 return ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_REPLACE, NULL);
847 add an add attribute value to a message or enhance an existing attribute
848 which has the same name and the add flag set.
850 int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
851 struct ldb_message *msg, const char *attr_name,
854 struct ldb_message_element *el;
855 struct ldb_val val, *vals;
861 v = talloc_strdup(mem_ctx, value);
863 return ldb_oom(sam_ldb);
866 val.data = (uint8_t *) v;
867 val.length = strlen(v);
869 if (val.length == 0) {
870 /* allow empty strings as non-existent attributes */
874 for (i = 0; i < msg->num_elements; i++) {
875 el = &msg->elements[i];
876 if ((ldb_attr_cmp(el->name, attr_name) == 0) &&
877 (el->flags == LDB_FLAG_MOD_ADD)) {
883 ret = ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_ADD,
885 if (ret != LDB_SUCCESS) {
890 vals = talloc_realloc(msg, el->values, struct ldb_val,
893 return ldb_oom(sam_ldb);
896 el->values[el->num_values] = val;
903 add a delete attribute value to a message or enhance an existing attribute
904 which has the same name and the delete flag set.
906 int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
907 struct ldb_message *msg, const char *attr_name,
910 struct ldb_message_element *el;
911 struct ldb_val val, *vals;
917 v = talloc_strdup(mem_ctx, value);
919 return ldb_oom(sam_ldb);
922 val.data = (uint8_t *) v;
923 val.length = strlen(v);
925 if (val.length == 0) {
926 /* allow empty strings as non-existent attributes */
930 for (i = 0; i < msg->num_elements; i++) {
931 el = &msg->elements[i];
932 if ((ldb_attr_cmp(el->name, attr_name) == 0) &&
933 (el->flags == LDB_FLAG_MOD_DELETE)) {
939 ret = ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_DELETE,
941 if (ret != LDB_SUCCESS) {
946 vals = talloc_realloc(msg, el->values, struct ldb_val,
949 return ldb_oom(sam_ldb);
952 el->values[el->num_values] = val;
959 add a int element to a message
961 int samdb_msg_add_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
962 const char *attr_name, int v)
964 const char *s = talloc_asprintf(mem_ctx, "%d", v);
965 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
969 add a unsigned int element to a message
971 int samdb_msg_add_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
972 const char *attr_name, unsigned int v)
974 return samdb_msg_add_int(sam_ldb, mem_ctx, msg, attr_name, (int)v);
978 add a (signed) int64_t element to a message
980 int samdb_msg_add_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
981 const char *attr_name, int64_t v)
983 const char *s = talloc_asprintf(mem_ctx, "%lld", (long long)v);
984 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, s);
988 add a uint64_t element to a message
990 int samdb_msg_add_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
991 const char *attr_name, uint64_t v)
993 return samdb_msg_add_int64(sam_ldb, mem_ctx, msg, attr_name, (int64_t)v);
997 add a samr_Password element to a message
999 int samdb_msg_add_hash(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1000 const char *attr_name, struct samr_Password *hash)
1003 val.data = talloc_memdup(mem_ctx, hash->hash, 16);
1005 return ldb_oom(sam_ldb);
1008 return ldb_msg_add_value(msg, attr_name, &val, NULL);
1012 add a samr_Password array to a message
1014 int samdb_msg_add_hashes(struct ldb_context *ldb,
1015 TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1016 const char *attr_name, struct samr_Password *hashes,
1021 val.data = talloc_array_size(mem_ctx, 16, count);
1022 val.length = count*16;
1024 return ldb_oom(ldb);
1026 for (i=0;i<count;i++) {
1027 memcpy(i*16 + (char *)val.data, hashes[i].hash, 16);
1029 return ldb_msg_add_value(msg, attr_name, &val, NULL);
1033 add a acct_flags element to a message
1035 int samdb_msg_add_acct_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1036 const char *attr_name, uint32_t v)
1038 return samdb_msg_add_uint(sam_ldb, mem_ctx, msg, attr_name, ds_acb2uf(v));
1042 add a logon_hours element to a message
1044 int samdb_msg_add_logon_hours(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1045 const char *attr_name, struct samr_LogonHours *hours)
1048 val.length = hours->units_per_week / 8;
1049 val.data = hours->bits;
1050 return ldb_msg_add_value(msg, attr_name, &val, NULL);
1054 add a parameters element to a message
1056 int samdb_msg_add_parameters(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1057 const char *attr_name, struct lsa_BinaryString *parameters)
1060 val.length = parameters->length;
1061 val.data = (uint8_t *)parameters->array;
1062 return ldb_msg_add_value(msg, attr_name, &val, NULL);
1065 add a general value element to a message
1067 int samdb_msg_add_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1068 const char *attr_name, const struct ldb_val *val)
1070 return ldb_msg_add_value(msg, attr_name, val, NULL);
1074 sets a general value element to a message
1076 int samdb_msg_set_value(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1077 const char *attr_name, const struct ldb_val *val)
1079 struct ldb_message_element *el;
1081 el = ldb_msg_find_element(msg, attr_name);
1085 return ldb_msg_add_value(msg, attr_name, val, NULL);
1089 set a string element in a message
1091 int samdb_msg_set_string(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
1092 const char *attr_name, const char *str)
1094 struct ldb_message_element *el;
1096 el = ldb_msg_find_element(msg, attr_name);
1100 return samdb_msg_add_string(sam_ldb, mem_ctx, msg, attr_name, str);
1104 * Handle ldb_request in transaction
1106 static int dsdb_autotransaction_request(struct ldb_context *sam_ldb,
1107 struct ldb_request *req)
1111 ret = ldb_transaction_start(sam_ldb);
1112 if (ret != LDB_SUCCESS) {
1116 ret = ldb_request(sam_ldb, req);
1117 if (ret == LDB_SUCCESS) {
1118 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
1121 if (ret == LDB_SUCCESS) {
1122 return ldb_transaction_commit(sam_ldb);
1124 ldb_transaction_cancel(sam_ldb);
1130 return a default security descriptor
1132 struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ctx)
1134 struct security_descriptor *sd;
1136 sd = security_descriptor_initialise(mem_ctx);
1141 struct ldb_dn *samdb_aggregate_schema_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1143 struct ldb_dn *schema_dn = ldb_get_schema_basedn(sam_ctx);
1144 struct ldb_dn *aggregate_dn;
1149 aggregate_dn = ldb_dn_copy(mem_ctx, schema_dn);
1150 if (!aggregate_dn) {
1153 if (!ldb_dn_add_child_fmt(aggregate_dn, "CN=Aggregate")) {
1156 return aggregate_dn;
1159 struct ldb_dn *samdb_partitions_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1161 struct ldb_dn *new_dn;
1163 new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx));
1164 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Partitions")) {
1165 talloc_free(new_dn);
1171 struct ldb_dn *samdb_infrastructure_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1173 struct ldb_dn *new_dn;
1175 new_dn = ldb_dn_copy(mem_ctx, ldb_get_default_basedn(sam_ctx));
1176 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Infrastructure")) {
1177 talloc_free(new_dn);
1183 struct ldb_dn *samdb_sites_dn(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx)
1185 struct ldb_dn *new_dn;
1187 new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(sam_ctx));
1188 if ( ! ldb_dn_add_child_fmt(new_dn, "CN=Sites")) {
1189 talloc_free(new_dn);
1196 work out the domain sid for the current open ldb
1198 const struct dom_sid *samdb_domain_sid(struct ldb_context *ldb)
1200 TALLOC_CTX *tmp_ctx;
1201 const struct dom_sid *domain_sid;
1202 const char *attrs[] = {
1206 struct ldb_result *res;
1209 /* see if we have a cached copy */
1210 domain_sid = (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
1215 tmp_ctx = talloc_new(ldb);
1216 if (tmp_ctx == NULL) {
1220 ret = ldb_search(ldb, tmp_ctx, &res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, attrs, "objectSid=*");
1222 if (ret != LDB_SUCCESS) {
1226 if (res->count != 1) {
1230 domain_sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
1231 if (domain_sid == NULL) {
1235 /* cache the domain_sid in the ldb */
1236 if (ldb_set_opaque(ldb, "cache.domain_sid", discard_const_p(struct dom_sid, domain_sid)) != LDB_SUCCESS) {
1240 talloc_steal(ldb, domain_sid);
1241 talloc_free(tmp_ctx);
1246 talloc_free(tmp_ctx);
1251 get domain sid from cache
1253 const struct dom_sid *samdb_domain_sid_cache_only(struct ldb_context *ldb)
1255 return (struct dom_sid *)ldb_get_opaque(ldb, "cache.domain_sid");
1258 bool samdb_set_domain_sid(struct ldb_context *ldb, const struct dom_sid *dom_sid_in)
1260 TALLOC_CTX *tmp_ctx;
1261 struct dom_sid *dom_sid_new;
1262 struct dom_sid *dom_sid_old;
1264 /* see if we have a cached copy */
1265 dom_sid_old = talloc_get_type(ldb_get_opaque(ldb,
1266 "cache.domain_sid"), struct dom_sid);
1268 tmp_ctx = talloc_new(ldb);
1269 if (tmp_ctx == NULL) {
1273 dom_sid_new = dom_sid_dup(tmp_ctx, dom_sid_in);
1278 /* cache the domain_sid in the ldb */
1279 if (ldb_set_opaque(ldb, "cache.domain_sid", dom_sid_new) != LDB_SUCCESS) {
1283 talloc_steal(ldb, dom_sid_new);
1284 talloc_free(tmp_ctx);
1285 talloc_free(dom_sid_old);
1290 DEBUG(1,("Failed to set our own cached domain SID in the ldb!\n"));
1291 talloc_free(tmp_ctx);
1295 bool samdb_set_ntds_settings_dn(struct ldb_context *ldb, struct ldb_dn *ntds_settings_dn_in)
1297 TALLOC_CTX *tmp_ctx;
1298 struct ldb_dn *ntds_settings_dn_new;
1299 struct ldb_dn *ntds_settings_dn_old;
1301 /* see if we have a cached copy */
1302 ntds_settings_dn_old = talloc_get_type(ldb_get_opaque(ldb,
1303 "cache.ntds_settings_dn"), struct ldb_dn);
1305 tmp_ctx = talloc_new(ldb);
1306 if (tmp_ctx == NULL) {
1310 ntds_settings_dn_new = ldb_dn_copy(tmp_ctx, ntds_settings_dn_in);
1311 if (!ntds_settings_dn_new) {
1315 /* cache the domain_sid in the ldb */
1316 if (ldb_set_opaque(ldb, "cache.ntds_settings_dn", ntds_settings_dn_new) != LDB_SUCCESS) {
1320 talloc_steal(ldb, ntds_settings_dn_new);
1321 talloc_free(tmp_ctx);
1322 talloc_free(ntds_settings_dn_old);
1327 DEBUG(1,("Failed to set our NTDS Settings DN in the ldb!\n"));
1328 talloc_free(tmp_ctx);
1332 /* Obtain the short name of the flexible single master operator
1333 * (FSMO), such as the PDC Emulator */
1334 const char *samdb_result_fsmo_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
1337 /* Format is cn=NTDS Settings,cn=<NETBIOS name of FSMO>,.... */
1338 struct ldb_dn *fsmo_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, msg, attr);
1339 const struct ldb_val *val = ldb_dn_get_component_val(fsmo_dn, 1);
1340 const char *name = ldb_dn_get_component_name(fsmo_dn, 1);
1342 if (!name || (ldb_attr_cmp(name, "cn") != 0)) {
1343 /* Ensure this matches the format. This gives us a
1344 * bit more confidence that a 'cn' value will be a
1349 return (char *)val->data;
1355 work out the ntds settings dn for the current open ldb
1357 struct ldb_dn *samdb_ntds_settings_dn(struct ldb_context *ldb)
1359 TALLOC_CTX *tmp_ctx;
1360 const char *root_attrs[] = { "dsServiceName", NULL };
1362 struct ldb_result *root_res;
1363 struct ldb_dn *settings_dn;
1365 /* see if we have a cached copy */
1366 settings_dn = (struct ldb_dn *)ldb_get_opaque(ldb, "cache.ntds_settings_dn");
1371 tmp_ctx = talloc_new(ldb);
1372 if (tmp_ctx == NULL) {
1376 ret = ldb_search(ldb, tmp_ctx, &root_res, ldb_dn_new(tmp_ctx, ldb, ""), LDB_SCOPE_BASE, root_attrs, NULL);
1378 DEBUG(1,("Searching for dsServiceName in rootDSE failed: %s\n",
1379 ldb_errstring(ldb)));
1383 if (root_res->count != 1) {
1387 settings_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, root_res->msgs[0], "dsServiceName");
1389 /* cache the domain_sid in the ldb */
1390 if (ldb_set_opaque(ldb, "cache.settings_dn", settings_dn) != LDB_SUCCESS) {
1394 talloc_steal(ldb, settings_dn);
1395 talloc_free(tmp_ctx);
1400 DEBUG(1,("Failed to find our own NTDS Settings DN in the ldb!\n"));
1401 talloc_free(tmp_ctx);
1406 work out the ntds settings invocationId for the current open ldb
1408 const struct GUID *samdb_ntds_invocation_id(struct ldb_context *ldb)
1410 TALLOC_CTX *tmp_ctx;
1411 const char *attrs[] = { "invocationId", NULL };
1413 struct ldb_result *res;
1414 struct GUID *invocation_id;
1416 /* see if we have a cached copy */
1417 invocation_id = (struct GUID *)ldb_get_opaque(ldb, "cache.invocation_id");
1418 if (invocation_id) {
1419 return invocation_id;
1422 tmp_ctx = talloc_new(ldb);
1423 if (tmp_ctx == NULL) {
1427 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
1432 if (res->count != 1) {
1436 invocation_id = talloc(tmp_ctx, struct GUID);
1437 if (!invocation_id) {
1441 *invocation_id = samdb_result_guid(res->msgs[0], "invocationId");
1443 /* cache the domain_sid in the ldb */
1444 if (ldb_set_opaque(ldb, "cache.invocation_id", invocation_id) != LDB_SUCCESS) {
1448 talloc_steal(ldb, invocation_id);
1449 talloc_free(tmp_ctx);
1451 return invocation_id;
1454 DEBUG(1,("Failed to find our own NTDS Settings invocationId in the ldb!\n"));
1455 talloc_free(tmp_ctx);
1459 bool samdb_set_ntds_invocation_id(struct ldb_context *ldb, const struct GUID *invocation_id_in)
1461 TALLOC_CTX *tmp_ctx;
1462 struct GUID *invocation_id_new;
1463 struct GUID *invocation_id_old;
1465 /* see if we have a cached copy */
1466 invocation_id_old = (struct GUID *)ldb_get_opaque(ldb,
1467 "cache.invocation_id");
1469 tmp_ctx = talloc_new(ldb);
1470 if (tmp_ctx == NULL) {
1474 invocation_id_new = talloc(tmp_ctx, struct GUID);
1475 if (!invocation_id_new) {
1479 *invocation_id_new = *invocation_id_in;
1481 /* cache the domain_sid in the ldb */
1482 if (ldb_set_opaque(ldb, "cache.invocation_id", invocation_id_new) != LDB_SUCCESS) {
1486 talloc_steal(ldb, invocation_id_new);
1487 talloc_free(tmp_ctx);
1488 talloc_free(invocation_id_old);
1493 DEBUG(1,("Failed to set our own cached invocationId in the ldb!\n"));
1494 talloc_free(tmp_ctx);
1499 work out the ntds settings objectGUID for the current open ldb
1501 const struct GUID *samdb_ntds_objectGUID(struct ldb_context *ldb)
1503 TALLOC_CTX *tmp_ctx;
1504 const char *attrs[] = { "objectGUID", NULL };
1506 struct ldb_result *res;
1507 struct GUID *ntds_guid;
1509 /* see if we have a cached copy */
1510 ntds_guid = (struct GUID *)ldb_get_opaque(ldb, "cache.ntds_guid");
1515 tmp_ctx = talloc_new(ldb);
1516 if (tmp_ctx == NULL) {
1520 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
1525 if (res->count != 1) {
1529 ntds_guid = talloc(tmp_ctx, struct GUID);
1534 *ntds_guid = samdb_result_guid(res->msgs[0], "objectGUID");
1536 /* cache the domain_sid in the ldb */
1537 if (ldb_set_opaque(ldb, "cache.ntds_guid", ntds_guid) != LDB_SUCCESS) {
1541 talloc_steal(ldb, ntds_guid);
1542 talloc_free(tmp_ctx);
1547 DEBUG(1,("Failed to find our own NTDS Settings objectGUID in the ldb!\n"));
1548 talloc_free(tmp_ctx);
1552 bool samdb_set_ntds_objectGUID(struct ldb_context *ldb, const struct GUID *ntds_guid_in)
1554 TALLOC_CTX *tmp_ctx;
1555 struct GUID *ntds_guid_new;
1556 struct GUID *ntds_guid_old;
1558 /* see if we have a cached copy */
1559 ntds_guid_old = (struct GUID *)ldb_get_opaque(ldb, "cache.ntds_guid");
1561 tmp_ctx = talloc_new(ldb);
1562 if (tmp_ctx == NULL) {
1566 ntds_guid_new = talloc(tmp_ctx, struct GUID);
1567 if (!ntds_guid_new) {
1571 *ntds_guid_new = *ntds_guid_in;
1573 /* cache the domain_sid in the ldb */
1574 if (ldb_set_opaque(ldb, "cache.ntds_guid", ntds_guid_new) != LDB_SUCCESS) {
1578 talloc_steal(ldb, ntds_guid_new);
1579 talloc_free(tmp_ctx);
1580 talloc_free(ntds_guid_old);
1585 DEBUG(1,("Failed to set our own cached invocationId in the ldb!\n"));
1586 talloc_free(tmp_ctx);
1591 work out the server dn for the current open ldb
1593 struct ldb_dn *samdb_server_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1595 return ldb_dn_get_parent(mem_ctx, samdb_ntds_settings_dn(ldb));
1599 work out the server dn for the current open ldb
1601 struct ldb_dn *samdb_server_site_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1603 struct ldb_dn *server_dn;
1604 struct ldb_dn *servers_dn;
1605 struct ldb_dn *server_site_dn;
1607 /* TODO: there must be a saner way to do this!! */
1608 server_dn = samdb_server_dn(ldb, mem_ctx);
1609 if (!server_dn) return NULL;
1611 servers_dn = ldb_dn_get_parent(mem_ctx, server_dn);
1612 talloc_free(server_dn);
1613 if (!servers_dn) return NULL;
1615 server_site_dn = ldb_dn_get_parent(mem_ctx, servers_dn);
1616 talloc_free(servers_dn);
1618 return server_site_dn;
1622 find a 'reference' DN that points at another object
1623 (eg. serverReference, rIDManagerReference etc)
1625 int samdb_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *base,
1626 const char *attribute, struct ldb_dn **dn)
1628 const char *attrs[2];
1629 struct ldb_result *res;
1632 attrs[0] = attribute;
1635 ret = ldb_search(ldb, mem_ctx, &res, base, LDB_SCOPE_BASE, attrs, NULL);
1636 if (ret != LDB_SUCCESS) {
1639 if (res->count != 1) {
1641 return LDB_ERR_NO_SUCH_OBJECT;
1644 *dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0], attribute);
1647 return LDB_ERR_NO_SUCH_ATTRIBUTE;
1655 find our machine account via the serverReference attribute in the
1658 int samdb_server_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1660 struct ldb_dn *server_dn;
1663 server_dn = samdb_server_dn(ldb, mem_ctx);
1664 if (server_dn == NULL) {
1665 return LDB_ERR_NO_SUCH_OBJECT;
1668 ret = samdb_reference_dn(ldb, mem_ctx, server_dn, "serverReference", dn);
1669 talloc_free(server_dn);
1675 find the RID Manager$ DN via the rIDManagerReference attribute in the
1678 int samdb_rid_manager_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1680 return samdb_reference_dn(ldb, mem_ctx, ldb_get_default_basedn(ldb),
1681 "rIDManagerReference", dn);
1685 find the RID Set DN via the rIDSetReferences attribute in our
1688 int samdb_rid_set_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
1690 struct ldb_dn *server_ref_dn;
1693 ret = samdb_server_reference_dn(ldb, mem_ctx, &server_ref_dn);
1694 if (ret != LDB_SUCCESS) {
1697 ret = samdb_reference_dn(ldb, mem_ctx, server_ref_dn, "rIDSetReferences", dn);
1698 talloc_free(server_ref_dn);
1702 const char *samdb_server_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
1704 const struct ldb_val *val = ldb_dn_get_rdn_val(samdb_server_site_dn(ldb,
1711 return (const char *) val->data;
1715 * Finds the client site by using the client's IP address.
1716 * The "subnet_name" returns the name of the subnet if parameter != NULL
1718 const char *samdb_client_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
1719 const char *ip_address, char **subnet_name)
1721 const char *attrs[] = { "cn", "siteObject", NULL };
1722 struct ldb_dn *sites_container_dn, *subnets_dn, *sites_dn;
1723 struct ldb_result *res;
1724 const struct ldb_val *val;
1725 const char *site_name = NULL, *l_subnet_name = NULL;
1726 const char *allow_list[2] = { NULL, NULL };
1727 unsigned int i, count;
1731 * if we don't have a client ip e.g. ncalrpc
1732 * the server site is the client site
1734 if (ip_address == NULL) {
1735 return samdb_server_site_name(ldb, mem_ctx);
1738 sites_container_dn = samdb_sites_dn(ldb, mem_ctx);
1739 if (sites_container_dn == NULL) {
1743 subnets_dn = ldb_dn_copy(mem_ctx, sites_container_dn);
1744 if ( ! ldb_dn_add_child_fmt(subnets_dn, "CN=Subnets")) {
1745 talloc_free(sites_container_dn);
1746 talloc_free(subnets_dn);
1750 ret = ldb_search(ldb, mem_ctx, &res, subnets_dn, LDB_SCOPE_ONELEVEL,
1752 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
1754 } else if (ret != LDB_SUCCESS) {
1755 talloc_free(sites_container_dn);
1756 talloc_free(subnets_dn);
1762 for (i = 0; i < count; i++) {
1763 l_subnet_name = ldb_msg_find_attr_as_string(res->msgs[i], "cn",
1766 allow_list[0] = l_subnet_name;
1768 if (allow_access(mem_ctx, NULL, allow_list, "", ip_address)) {
1769 sites_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx,
1772 if (sites_dn == NULL) {
1773 /* No reference, maybe another subnet matches */
1777 /* "val" cannot be NULL here since "sites_dn" != NULL */
1778 val = ldb_dn_get_rdn_val(sites_dn);
1779 site_name = talloc_strdup(mem_ctx,
1780 (const char *) val->data);
1782 talloc_free(sites_dn);
1788 if (site_name == NULL) {
1789 /* This is the Windows Server fallback rule: when no subnet
1790 * exists and we have only one site available then use it (it
1791 * is for sure the same as our server site). If more sites do
1792 * exist then we don't know which one to use and set the site
1794 cnt = samdb_search_count(ldb, sites_container_dn,
1795 "(objectClass=site)");
1797 site_name = samdb_server_site_name(ldb, mem_ctx);
1799 site_name = talloc_strdup(mem_ctx, "");
1801 l_subnet_name = NULL;
1804 if (subnet_name != NULL) {
1805 *subnet_name = talloc_strdup(mem_ctx, l_subnet_name);
1808 talloc_free(sites_container_dn);
1809 talloc_free(subnets_dn);
1816 work out if we are the PDC for the domain of the current open ldb
1818 bool samdb_is_pdc(struct ldb_context *ldb)
1820 const char *dom_attrs[] = { "fSMORoleOwner", NULL };
1822 struct ldb_result *dom_res;
1823 TALLOC_CTX *tmp_ctx;
1827 tmp_ctx = talloc_new(ldb);
1828 if (tmp_ctx == NULL) {
1829 DEBUG(1, ("talloc_new failed in samdb_is_pdc"));
1833 ret = ldb_search(ldb, tmp_ctx, &dom_res, ldb_get_default_basedn(ldb), LDB_SCOPE_BASE, dom_attrs, NULL);
1834 if (ret != LDB_SUCCESS) {
1835 DEBUG(1,("Searching for fSMORoleOwner in %s failed: %s\n",
1836 ldb_dn_get_linearized(ldb_get_default_basedn(ldb)),
1837 ldb_errstring(ldb)));
1840 if (dom_res->count != 1) {
1844 pdc = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, dom_res->msgs[0], "fSMORoleOwner");
1846 if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), pdc) == 0) {
1852 talloc_free(tmp_ctx);
1857 DEBUG(1,("Failed to find if we are the PDC for this ldb\n"));
1858 talloc_free(tmp_ctx);
1863 work out if we are a Global Catalog server for the domain of the current open ldb
1865 bool samdb_is_gc(struct ldb_context *ldb)
1867 const char *attrs[] = { "options", NULL };
1869 struct ldb_result *res;
1870 TALLOC_CTX *tmp_ctx;
1872 tmp_ctx = talloc_new(ldb);
1873 if (tmp_ctx == NULL) {
1874 DEBUG(1, ("talloc_new failed in samdb_is_pdc"));
1878 /* Query cn=ntds settings,.... */
1879 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
1880 if (ret != LDB_SUCCESS) {
1881 talloc_free(tmp_ctx);
1884 if (res->count != 1) {
1885 talloc_free(tmp_ctx);
1889 options = ldb_msg_find_attr_as_int(res->msgs[0], "options", 0);
1890 talloc_free(tmp_ctx);
1892 /* if options attribute has the 0x00000001 flag set, then enable the global catlog */
1893 if (options & 0x000000001) {
1899 /* Find a domain object in the parents of a particular DN. */
1900 int samdb_search_for_parent_domain(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
1901 struct ldb_dn **parent_dn, const char **errstring)
1903 TALLOC_CTX *local_ctx;
1904 struct ldb_dn *sdn = dn;
1905 struct ldb_result *res = NULL;
1906 int ret = LDB_SUCCESS;
1907 const char *attrs[] = { NULL };
1909 local_ctx = talloc_new(mem_ctx);
1910 if (local_ctx == NULL) return ldb_oom(ldb);
1912 while ((sdn = ldb_dn_get_parent(local_ctx, sdn))) {
1913 ret = ldb_search(ldb, local_ctx, &res, sdn, LDB_SCOPE_BASE, attrs,
1914 "(|(objectClass=domain)(objectClass=builtinDomain))");
1915 if (ret == LDB_SUCCESS) {
1916 if (res->count == 1) {
1924 if (ret != LDB_SUCCESS) {
1925 *errstring = talloc_asprintf(mem_ctx, "Error searching for parent domain of %s, failed searching for %s: %s",
1926 ldb_dn_get_linearized(dn),
1927 ldb_dn_get_linearized(sdn),
1928 ldb_errstring(ldb));
1929 talloc_free(local_ctx);
1932 if (res->count != 1) {
1933 *errstring = talloc_asprintf(mem_ctx, "Invalid dn (%s), not child of a domain object",
1934 ldb_dn_get_linearized(dn));
1935 DEBUG(0,(__location__ ": %s\n", *errstring));
1936 talloc_free(local_ctx);
1937 return LDB_ERR_CONSTRAINT_VIOLATION;
1940 *parent_dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
1941 talloc_free(local_ctx);
1947 * Performs checks on a user password (plaintext UNIX format - attribute
1948 * "password"). The remaining parameters have to be extracted from the domain
1951 * Result codes from "enum samr_ValidationStatus" (consider "samr.idl")
1953 enum samr_ValidationStatus samdb_check_password(const DATA_BLOB *password,
1954 const uint32_t pwdProperties,
1955 const uint32_t minPwdLength)
1957 /* checks if the "minPwdLength" property is satisfied */
1958 if (minPwdLength > password->length)
1959 return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
1961 /* checks the password complexity */
1962 if (((pwdProperties & DOMAIN_PASSWORD_COMPLEX) != 0)
1963 && (password->data != NULL)
1964 && (!check_password_quality((const char *) password->data)))
1965 return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
1967 return SAMR_VALIDATION_STATUS_SUCCESS;
1971 * Callback for "samdb_set_password" password change
1973 int samdb_set_password_callback(struct ldb_request *req, struct ldb_reply *ares)
1978 return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
1981 if (ares->error != LDB_SUCCESS) {
1983 req->context = talloc_steal(req,
1984 ldb_reply_get_control(ares, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID));
1986 return ldb_request_done(req, ret);
1989 if (ares->type != LDB_REPLY_DONE) {
1991 return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
1994 req->context = talloc_steal(req,
1995 ldb_reply_get_control(ares, DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID));
1997 return ldb_request_done(req, LDB_SUCCESS);
2001 * Sets the user password using plaintext UTF16 (attribute "new_password") or
2002 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
2003 * as parameter if it's a user change or not ("userChange"). The "rejectReason"
2004 * gives some more informations if the changed failed.
2006 * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
2007 * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
2008 * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION
2010 NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
2011 struct ldb_dn *user_dn, struct ldb_dn *domain_dn,
2012 const DATA_BLOB *new_password,
2013 struct samr_Password *lmNewHash,
2014 struct samr_Password *ntNewHash,
2016 enum samPwdChangeReason *reject_reason,
2017 struct samr_DomInfo1 **_dominfo)
2019 struct ldb_message *msg;
2020 struct ldb_message_element *el;
2021 struct ldb_request *req;
2022 struct dsdb_control_password_change_status *pwd_stat = NULL;
2024 NTSTATUS status = NT_STATUS_OK;
2026 #define CHECK_RET(x) \
2027 if (x != LDB_SUCCESS) { \
2029 return NT_STATUS_NO_MEMORY; \
2032 msg = ldb_msg_new(mem_ctx);
2034 return NT_STATUS_NO_MEMORY;
2037 if ((new_password != NULL)
2038 && ((lmNewHash == NULL) && (ntNewHash == NULL))) {
2039 /* we have the password as plaintext UTF16 */
2040 CHECK_RET(samdb_msg_add_value(ldb, mem_ctx, msg,
2041 "clearTextPassword", new_password));
2042 el = ldb_msg_find_element(msg, "clearTextPassword");
2043 el->flags = LDB_FLAG_MOD_REPLACE;
2044 } else if ((new_password == NULL)
2045 && ((lmNewHash != NULL) || (ntNewHash != NULL))) {
2046 /* we have a password as LM and/or NT hash */
2047 if (lmNewHash != NULL) {
2048 CHECK_RET(samdb_msg_add_hash(ldb, mem_ctx, msg,
2049 "dBCSPwd", lmNewHash));
2050 el = ldb_msg_find_element(msg, "dBCSPwd");
2051 el->flags = LDB_FLAG_MOD_REPLACE;
2053 if (ntNewHash != NULL) {
2054 CHECK_RET(samdb_msg_add_hash(ldb, mem_ctx, msg,
2055 "unicodePwd", ntNewHash));
2056 el = ldb_msg_find_element(msg, "unicodePwd");
2057 el->flags = LDB_FLAG_MOD_REPLACE;
2060 /* the password wasn't specified correctly */
2062 return NT_STATUS_INVALID_PARAMETER;
2065 /* build modify request */
2066 ret = ldb_build_mod_req(&req, ldb, mem_ctx, msg, NULL, NULL,
2067 samdb_set_password_callback, NULL);
2068 if (ret != LDB_SUCCESS) {
2070 return NT_STATUS_NO_MEMORY;
2074 /* a user password change and we've checked already the old
2075 * password somewhere else (callers responsability) */
2076 ret = ldb_request_add_control(req,
2077 DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID,
2079 if (ret != LDB_SUCCESS) {
2082 return NT_STATUS_NO_MEMORY;
2085 ret = ldb_request_add_control(req,
2086 DSDB_CONTROL_PASSWORD_HASH_VALUES_OID,
2088 if (ret != LDB_SUCCESS) {
2091 return NT_STATUS_NO_MEMORY;
2093 ret = ldb_request_add_control(req,
2094 DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID,
2096 if (ret != LDB_SUCCESS) {
2099 return NT_STATUS_NO_MEMORY;
2102 ret = dsdb_autotransaction_request(ldb, req);
2104 if (req->context != NULL) {
2105 pwd_stat = talloc_steal(mem_ctx,
2106 ((struct ldb_control *)req->context)->data);
2112 /* Sets the domain info (if requested) */
2113 if (_dominfo != NULL) {
2114 struct samr_DomInfo1 *dominfo;
2116 dominfo = talloc_zero(mem_ctx, struct samr_DomInfo1);
2117 if (dominfo == NULL) {
2118 return NT_STATUS_NO_MEMORY;
2121 if (pwd_stat != NULL) {
2122 dominfo->min_password_length = pwd_stat->domain_data.minPwdLength;
2123 dominfo->password_properties = pwd_stat->domain_data.pwdProperties;
2124 dominfo->password_history_length = pwd_stat->domain_data.pwdHistoryLength;
2125 dominfo->max_password_age = pwd_stat->domain_data.maxPwdAge;
2126 dominfo->min_password_age = pwd_stat->domain_data.minPwdAge;
2129 *_dominfo = dominfo;
2132 if (reject_reason != NULL) {
2133 if (pwd_stat != NULL) {
2134 *reject_reason = pwd_stat->reject_reason;
2136 *reject_reason = SAM_PWD_CHANGE_NO_ERROR;
2140 if (pwd_stat != NULL) {
2141 talloc_free(pwd_stat);
2144 if (ret == LDB_ERR_CONSTRAINT_VIOLATION) {
2145 const char *errmsg = ldb_errstring(ldb);
2146 char *endptr = NULL;
2147 WERROR werr = WERR_GENERAL_FAILURE;
2148 status = NT_STATUS_UNSUCCESSFUL;
2149 if (errmsg != NULL) {
2150 werr = W_ERROR(strtol(errmsg, &endptr, 16));
2152 if (endptr != errmsg) {
2153 if (W_ERROR_EQUAL(werr, WERR_INVALID_PASSWORD)) {
2154 status = NT_STATUS_WRONG_PASSWORD;
2156 if (W_ERROR_EQUAL(werr, WERR_PASSWORD_RESTRICTION)) {
2157 status = NT_STATUS_PASSWORD_RESTRICTION;
2160 } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2161 /* don't let the caller know if an account doesn't exist */
2162 status = NT_STATUS_WRONG_PASSWORD;
2163 } else if (ret != LDB_SUCCESS) {
2164 status = NT_STATUS_UNSUCCESSFUL;
2171 * Sets the user password using plaintext UTF16 (attribute "new_password") or
2172 * LM (attribute "lmNewHash") or NT (attribute "ntNewHash") hash. Also pass
2173 * as parameter if it's a user change or not ("userChange"). The "rejectReason"
2174 * gives some more informations if the changed failed.
2176 * This wrapper function for "samdb_set_password" takes a SID as input rather
2179 * This call encapsulates a new LDB transaction for changing the password;
2180 * therefore the user hasn't to start a new one.
2182 * Results: NT_STATUS_OK, NT_STATUS_INTERNAL_DB_CORRUPTION,
2183 * NT_STATUS_INVALID_PARAMETER, NT_STATUS_UNSUCCESSFUL,
2184 * NT_STATUS_WRONG_PASSWORD, NT_STATUS_PASSWORD_RESTRICTION,
2185 * NT_STATUS_TRANSACTION_ABORTED, NT_STATUS_NO_SUCH_USER
2187 NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
2188 const struct dom_sid *user_sid,
2189 const DATA_BLOB *new_password,
2190 struct samr_Password *lmNewHash,
2191 struct samr_Password *ntNewHash,
2193 enum samPwdChangeReason *reject_reason,
2194 struct samr_DomInfo1 **_dominfo)
2197 struct ldb_dn *user_dn;
2200 ret = ldb_transaction_start(ldb);
2201 if (ret != LDB_SUCCESS) {
2202 DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(ldb)));
2203 return NT_STATUS_TRANSACTION_ABORTED;
2206 user_dn = samdb_search_dn(ldb, mem_ctx, NULL,
2207 "(&(objectSid=%s)(objectClass=user))",
2208 ldap_encode_ndr_dom_sid(mem_ctx, user_sid));
2210 ldb_transaction_cancel(ldb);
2211 DEBUG(3, ("samdb_set_password_sid: SID %s not found in samdb, returning NO_SUCH_USER\n",
2212 dom_sid_string(mem_ctx, user_sid)));
2213 return NT_STATUS_NO_SUCH_USER;
2216 nt_status = samdb_set_password(ldb, mem_ctx,
2219 lmNewHash, ntNewHash,
2221 reject_reason, _dominfo);
2222 if (!NT_STATUS_IS_OK(nt_status)) {
2223 ldb_transaction_cancel(ldb);
2224 talloc_free(user_dn);
2228 ret = ldb_transaction_commit(ldb);
2229 if (ret != LDB_SUCCESS) {
2230 DEBUG(0,("Failed to commit transaction to change password on %s: %s\n",
2231 ldb_dn_get_linearized(user_dn),
2232 ldb_errstring(ldb)));
2233 talloc_free(user_dn);
2234 return NT_STATUS_TRANSACTION_ABORTED;
2237 talloc_free(user_dn);
2238 return NT_STATUS_OK;
2242 NTSTATUS samdb_create_foreign_security_principal(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
2243 struct dom_sid *sid, struct ldb_dn **ret_dn)
2245 struct ldb_message *msg;
2246 struct ldb_dn *basedn;
2250 sidstr = dom_sid_string(mem_ctx, sid);
2251 NT_STATUS_HAVE_NO_MEMORY(sidstr);
2253 /* We might have to create a ForeignSecurityPrincipal, even if this user
2254 * is in our own domain */
2256 msg = ldb_msg_new(sidstr);
2258 talloc_free(sidstr);
2259 return NT_STATUS_NO_MEMORY;
2262 ret = dsdb_wellknown_dn(sam_ctx, sidstr,
2263 ldb_get_default_basedn(sam_ctx),
2264 DS_GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER,
2266 if (ret != LDB_SUCCESS) {
2267 DEBUG(0, ("Failed to find DN for "
2268 "ForeignSecurityPrincipal container - %s\n", ldb_errstring(sam_ctx)));
2269 talloc_free(sidstr);
2270 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2273 /* add core elements to the ldb_message for the alias */
2275 if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s", sidstr)) {
2276 talloc_free(sidstr);
2277 return NT_STATUS_NO_MEMORY;
2280 samdb_msg_add_string(sam_ctx, msg, msg,
2282 "foreignSecurityPrincipal");
2284 /* create the alias */
2285 ret = ldb_add(sam_ctx, msg);
2286 if (ret != LDB_SUCCESS) {
2287 DEBUG(0,("Failed to create foreignSecurityPrincipal "
2289 ldb_dn_get_linearized(msg->dn),
2290 ldb_errstring(sam_ctx)));
2291 talloc_free(sidstr);
2292 return NT_STATUS_INTERNAL_DB_CORRUPTION;
2295 *ret_dn = talloc_steal(mem_ctx, msg->dn);
2296 talloc_free(sidstr);
2298 return NT_STATUS_OK;
2303 Find the DN of a domain, assuming it to be a dotted.dns name
2306 struct ldb_dn *samdb_dns_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const char *dns_domain)
2309 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2310 const char *binary_encoded;
2311 const char **split_realm;
2318 split_realm = (const char **)str_list_make(tmp_ctx, dns_domain, ".");
2320 talloc_free(tmp_ctx);
2323 dn = ldb_dn_new(mem_ctx, ldb, NULL);
2324 for (i=0; split_realm[i]; i++) {
2325 binary_encoded = ldb_binary_encode_string(tmp_ctx, split_realm[i]);
2326 if (!ldb_dn_add_base_fmt(dn, "dc=%s", binary_encoded)) {
2327 DEBUG(2, ("Failed to add dc=%s element to DN %s\n",
2328 binary_encoded, ldb_dn_get_linearized(dn)));
2329 talloc_free(tmp_ctx);
2333 if (!ldb_dn_validate(dn)) {
2334 DEBUG(2, ("Failed to validated DN %s\n",
2335 ldb_dn_get_linearized(dn)));
2336 talloc_free(tmp_ctx);
2339 talloc_free(tmp_ctx);
2344 Find the DN of a domain, be it the netbios or DNS name
2346 struct ldb_dn *samdb_domain_to_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
2347 const char *domain_name)
2349 const char * const domain_ref_attrs[] = {
2352 const char * const domain_ref2_attrs[] = {
2355 struct ldb_result *res_domain_ref;
2356 char *escaped_domain = ldb_binary_encode_string(mem_ctx, domain_name);
2357 /* find the domain's DN */
2358 int ret_domain = ldb_search(ldb, mem_ctx,
2360 samdb_partitions_dn(ldb, mem_ctx),
2363 "(&(nETBIOSName=%s)(objectclass=crossRef))",
2365 if (ret_domain != LDB_SUCCESS) {
2369 if (res_domain_ref->count == 0) {
2370 ret_domain = ldb_search(ldb, mem_ctx,
2372 samdb_dns_domain_to_dn(ldb, mem_ctx, domain_name),
2375 "(objectclass=domain)");
2376 if (ret_domain != LDB_SUCCESS) {
2380 if (res_domain_ref->count == 1) {
2381 return res_domain_ref->msgs[0]->dn;
2386 if (res_domain_ref->count > 1) {
2387 DEBUG(0,("Found %d records matching domain [%s]\n",
2388 ret_domain, domain_name));
2392 return samdb_result_dn(ldb, mem_ctx, res_domain_ref->msgs[0], "nCName", NULL);
2398 use a GUID to find a DN
2400 int dsdb_find_dn_by_guid(struct ldb_context *ldb,
2401 TALLOC_CTX *mem_ctx,
2402 const struct GUID *guid, struct ldb_dn **dn)
2405 struct ldb_result *res;
2406 const char *attrs[] = { NULL };
2407 char *guid_str = GUID_string(mem_ctx, guid);
2410 return ldb_operr(ldb);
2413 ret = dsdb_search(ldb, mem_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs,
2414 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
2415 DSDB_SEARCH_SHOW_EXTENDED_DN |
2416 DSDB_SEARCH_ONE_ONLY,
2417 "objectGUID=%s", guid_str);
2418 talloc_free(guid_str);
2419 if (ret != LDB_SUCCESS) {
2423 *dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
2430 use a DN to find a GUID with a given attribute name
2432 int dsdb_find_guid_attr_by_dn(struct ldb_context *ldb,
2433 struct ldb_dn *dn, const char *attribute,
2437 struct ldb_result *res;
2438 const char *attrs[2];
2439 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
2441 attrs[0] = attribute;
2444 ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_DELETED);
2445 if (ret != LDB_SUCCESS) {
2446 talloc_free(tmp_ctx);
2449 if (res->count < 1) {
2450 talloc_free(tmp_ctx);
2451 return LDB_ERR_NO_SUCH_OBJECT;
2453 *guid = samdb_result_guid(res->msgs[0], attribute);
2454 talloc_free(tmp_ctx);
2459 use a DN to find a GUID
2461 int dsdb_find_guid_by_dn(struct ldb_context *ldb,
2462 struct ldb_dn *dn, struct GUID *guid)
2464 return dsdb_find_guid_attr_by_dn(ldb, dn, "objectGUID", guid);
2470 adds the given GUID to the given ldb_message. This value is added
2471 for the given attr_name (may be either "objectGUID" or "parentGUID").
2473 int dsdb_msg_add_guid(struct ldb_message *msg,
2475 const char *attr_name)
2480 TALLOC_CTX *tmp_ctx = talloc_init("dsdb_msg_add_guid");
2482 status = GUID_to_ndr_blob(guid, tmp_ctx, &v);
2483 if (!NT_STATUS_IS_OK(status)) {
2484 ret = LDB_ERR_OPERATIONS_ERROR;
2488 ret = ldb_msg_add_steal_value(msg, attr_name, &v);
2489 if (ret != LDB_SUCCESS) {
2490 DEBUG(4,(__location__ ": Failed to add %s to the message\n",
2498 talloc_free(tmp_ctx);
2505 use a DN to find a SID
2507 int dsdb_find_sid_by_dn(struct ldb_context *ldb,
2508 struct ldb_dn *dn, struct dom_sid *sid)
2511 struct ldb_result *res;
2512 const char *attrs[] = { "objectSID", NULL };
2513 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
2518 ret = dsdb_search_dn(ldb, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_DELETED);
2519 if (ret != LDB_SUCCESS) {
2520 talloc_free(tmp_ctx);
2523 if (res->count < 1) {
2524 talloc_free(tmp_ctx);
2525 return LDB_ERR_NO_SUCH_OBJECT;
2527 s = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSID");
2529 talloc_free(tmp_ctx);
2530 return LDB_ERR_NO_SUCH_OBJECT;
2533 talloc_free(tmp_ctx);
2538 use a SID to find a DN
2540 int dsdb_find_dn_by_sid(struct ldb_context *ldb,
2541 TALLOC_CTX *mem_ctx,
2542 struct dom_sid *sid, struct ldb_dn **dn)
2545 struct ldb_result *res;
2546 const char *attrs[] = { NULL };
2547 char *sid_str = dom_sid_string(mem_ctx, sid);
2550 return ldb_operr(ldb);
2553 ret = dsdb_search(ldb, mem_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs,
2554 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
2555 DSDB_SEARCH_SHOW_EXTENDED_DN |
2556 DSDB_SEARCH_ONE_ONLY,
2557 "objectSID=%s", sid_str);
2558 talloc_free(sid_str);
2559 if (ret != LDB_SUCCESS) {
2563 *dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
2570 load a repsFromTo blob list for a given partition GUID
2571 attr must be "repsFrom" or "repsTo"
2573 WERROR dsdb_loadreps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
2574 const char *attr, struct repsFromToBlob **r, uint32_t *count)
2576 const char *attrs[] = { attr, NULL };
2577 struct ldb_result *res = NULL;
2578 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2580 struct ldb_message_element *el;
2585 if (ldb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, NULL) != LDB_SUCCESS ||
2587 DEBUG(0,("dsdb_loadreps: failed to read partition object\n"));
2588 talloc_free(tmp_ctx);
2589 return WERR_DS_DRA_INTERNAL_ERROR;
2592 el = ldb_msg_find_element(res->msgs[0], attr);
2594 /* it's OK to be empty */
2595 talloc_free(tmp_ctx);
2599 *count = el->num_values;
2600 *r = talloc_array(mem_ctx, struct repsFromToBlob, *count);
2602 talloc_free(tmp_ctx);
2603 return WERR_DS_DRA_INTERNAL_ERROR;
2606 for (i=0; i<(*count); i++) {
2607 enum ndr_err_code ndr_err;
2608 ndr_err = ndr_pull_struct_blob(&el->values[i],
2611 (ndr_pull_flags_fn_t)ndr_pull_repsFromToBlob);
2612 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2613 talloc_free(tmp_ctx);
2614 return WERR_DS_DRA_INTERNAL_ERROR;
2618 talloc_free(tmp_ctx);
2624 save the repsFromTo blob list for a given partition GUID
2625 attr must be "repsFrom" or "repsTo"
2627 WERROR dsdb_savereps(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
2628 const char *attr, struct repsFromToBlob *r, uint32_t count)
2630 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
2631 struct ldb_message *msg;
2632 struct ldb_message_element *el;
2635 msg = ldb_msg_new(tmp_ctx);
2637 if (ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_REPLACE, &el) != LDB_SUCCESS) {
2641 el->values = talloc_array(msg, struct ldb_val, count);
2646 for (i=0; i<count; i++) {
2648 enum ndr_err_code ndr_err;
2650 ndr_err = ndr_push_struct_blob(&v, tmp_ctx,
2652 (ndr_push_flags_fn_t)ndr_push_repsFromToBlob);
2653 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2661 if (ldb_modify(sam_ctx, msg) != LDB_SUCCESS) {
2662 DEBUG(0,("Failed to store %s - %s\n", attr, ldb_errstring(sam_ctx)));
2666 talloc_free(tmp_ctx);
2671 talloc_free(tmp_ctx);
2672 return WERR_DS_DRA_INTERNAL_ERROR;
2677 load the uSNHighest and the uSNUrgent attributes from the @REPLCHANGED
2678 object for a partition
2680 int dsdb_load_partition_usn(struct ldb_context *ldb, struct ldb_dn *dn,
2681 uint64_t *uSN, uint64_t *urgent_uSN)
2683 struct ldb_request *req;
2685 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
2686 struct dsdb_control_current_partition *p_ctrl;
2687 struct ldb_result *res;
2689 res = talloc_zero(tmp_ctx, struct ldb_result);
2691 talloc_free(tmp_ctx);
2692 return ldb_oom(ldb);
2695 ret = ldb_build_search_req(&req, ldb, tmp_ctx,
2696 ldb_dn_new(tmp_ctx, ldb, "@REPLCHANGED"),
2700 res, ldb_search_default_callback,
2702 if (ret != LDB_SUCCESS) {
2703 talloc_free(tmp_ctx);
2707 p_ctrl = talloc(req, struct dsdb_control_current_partition);
2708 if (p_ctrl == NULL) {
2709 talloc_free(tmp_ctx);
2710 return ldb_oom(ldb);
2712 p_ctrl->version = DSDB_CONTROL_CURRENT_PARTITION_VERSION;
2715 ret = ldb_request_add_control(req,
2716 DSDB_CONTROL_CURRENT_PARTITION_OID,
2718 if (ret != LDB_SUCCESS) {
2719 talloc_free(tmp_ctx);
2723 /* Run the new request */
2724 ret = ldb_request(ldb, req);
2726 if (ret == LDB_SUCCESS) {
2727 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
2730 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2731 /* it hasn't been created yet, which means
2732 an implicit value of zero */
2734 talloc_free(tmp_ctx);
2738 if (ret != LDB_SUCCESS) {
2739 talloc_free(tmp_ctx);
2743 if (res->count < 1) {
2749 *uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNHighest", 0);
2751 *urgent_uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNUrgent", 0);
2755 talloc_free(tmp_ctx);
2760 int drsuapi_DsReplicaCursor2_compare(const struct drsuapi_DsReplicaCursor2 *c1,
2761 const struct drsuapi_DsReplicaCursor2 *c2)
2763 return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
2766 int drsuapi_DsReplicaCursor_compare(const struct drsuapi_DsReplicaCursor *c1,
2767 const struct drsuapi_DsReplicaCursor *c2)
2769 return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
2774 see if a computer identified by its invocationId is a RODC
2776 int samdb_is_rodc(struct ldb_context *sam_ctx, const struct GUID *objectGUID, bool *is_rodc)
2778 /* 1) find the DN for this servers NTDSDSA object
2779 2) search for the msDS-isRODC attribute
2780 3) if not present then not a RODC
2781 4) if present and TRUE then is a RODC
2783 struct ldb_dn *config_dn;
2784 const char *attrs[] = { "msDS-isRODC", NULL };
2786 struct ldb_result *res;
2787 TALLOC_CTX *tmp_ctx = talloc_new(sam_ctx);
2789 config_dn = ldb_get_config_basedn(sam_ctx);
2791 talloc_free(tmp_ctx);
2792 return ldb_operr(sam_ctx);
2795 ret = dsdb_search(sam_ctx, tmp_ctx, &res, config_dn, LDB_SCOPE_SUBTREE, attrs,
2796 DSDB_SEARCH_ONE_ONLY, "objectGUID=%s", GUID_string(tmp_ctx, objectGUID));
2798 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2800 talloc_free(tmp_ctx);
2804 if (ret != LDB_SUCCESS) {
2805 DEBUG(1,(("Failed to find our own NTDS Settings object by objectGUID=%s!\n"),
2806 GUID_string(tmp_ctx, objectGUID)));
2808 talloc_free(tmp_ctx);
2812 ret = ldb_msg_find_attr_as_bool(res->msgs[0], "msDS-isRODC", 0);
2813 *is_rodc = (ret == 1);
2815 talloc_free(tmp_ctx);
2821 see if we are a RODC
2823 int samdb_rodc(struct ldb_context *sam_ctx, bool *am_rodc)
2825 const struct GUID *objectGUID;
2829 /* see if we have a cached copy */
2830 cached = (bool *)ldb_get_opaque(sam_ctx, "cache.am_rodc");
2836 objectGUID = samdb_ntds_objectGUID(sam_ctx);
2838 return ldb_operr(sam_ctx);
2841 ret = samdb_is_rodc(sam_ctx, objectGUID, am_rodc);
2842 if (ret != LDB_SUCCESS) {
2846 cached = talloc(sam_ctx, bool);
2847 if (cached == NULL) {
2848 return ldb_oom(sam_ctx);
2852 ret = ldb_set_opaque(sam_ctx, "cache.am_rodc", cached);
2853 if (ret != LDB_SUCCESS) {
2854 talloc_free(cached);
2855 return ldb_operr(sam_ctx);
2861 bool samdb_set_am_rodc(struct ldb_context *ldb, bool am_rodc)
2863 TALLOC_CTX *tmp_ctx;
2866 tmp_ctx = talloc_new(ldb);
2867 if (tmp_ctx == NULL) {
2871 cached = talloc(tmp_ctx, bool);
2877 if (ldb_set_opaque(ldb, "cache.am_rodc", cached) != LDB_SUCCESS) {
2881 talloc_steal(ldb, cached);
2882 talloc_free(tmp_ctx);
2886 DEBUG(1,("Failed to set our own cached am_rodc in the ldb!\n"));
2887 talloc_free(tmp_ctx);
2893 return NTDS options flags. See MS-ADTS 7.1.1.2.2.1.2.1.1
2895 flags are DS_NTDS_OPTION_*
2897 int samdb_ntds_options(struct ldb_context *ldb, uint32_t *options)
2899 TALLOC_CTX *tmp_ctx;
2900 const char *attrs[] = { "options", NULL };
2902 struct ldb_result *res;
2904 tmp_ctx = talloc_new(ldb);
2905 if (tmp_ctx == NULL) {
2909 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
2910 if (ret != LDB_SUCCESS) {
2914 if (res->count != 1) {
2918 *options = samdb_result_uint(res->msgs[0], "options", 0);
2920 talloc_free(tmp_ctx);
2925 DEBUG(1,("Failed to find our own NTDS Settings options in the ldb!\n"));
2926 talloc_free(tmp_ctx);
2927 return LDB_ERR_NO_SUCH_OBJECT;
2930 const char* samdb_ntds_object_category(TALLOC_CTX *tmp_ctx, struct ldb_context *ldb)
2932 const char *attrs[] = { "objectCategory", NULL };
2934 struct ldb_result *res;
2936 ret = ldb_search(ldb, tmp_ctx, &res, samdb_ntds_settings_dn(ldb), LDB_SCOPE_BASE, attrs, NULL);
2937 if (ret != LDB_SUCCESS) {
2941 if (res->count != 1) {
2945 return samdb_result_string(res->msgs[0], "objectCategory", NULL);
2948 DEBUG(1,("Failed to find our own NTDS Settings objectCategory in the ldb!\n"));
2953 * Function which generates a "lDAPDisplayName" attribute from a "CN" one.
2954 * Algorithm implemented according to MS-ADTS 3.1.1.2.3.4
2956 const char *samdb_cn_to_lDAPDisplayName(TALLOC_CTX *mem_ctx, const char *cn)
2958 char **tokens, *ret;
2961 tokens = str_list_make(mem_ctx, cn, " -_");
2965 /* "tolower()" and "toupper()" should also work properly on 0x00 */
2966 tokens[0][0] = tolower(tokens[0][0]);
2967 for (i = 1; i < str_list_length((const char **)tokens); i++)
2968 tokens[i][0] = toupper(tokens[i][0]);
2970 ret = talloc_strdup(mem_ctx, tokens[0]);
2971 for (i = 1; i < str_list_length((const char **)tokens); i++)
2972 ret = talloc_asprintf_append_buffer(ret, "%s", tokens[i]);
2974 talloc_free(tokens);
2980 * This detects and returns the domain functional level (DS_DOMAIN_FUNCTION_*)
2982 int dsdb_functional_level(struct ldb_context *ldb)
2984 int *domainFunctionality =
2985 talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int);
2986 if (!domainFunctionality) {
2987 DEBUG(0,(__location__ ": WARNING: domainFunctionality not setup\n"));
2988 return DS_DOMAIN_FUNCTION_2000;
2990 return *domainFunctionality;
2994 * This detects and returns the forest functional level (DS_DOMAIN_FUNCTION_*)
2996 int dsdb_forest_functional_level(struct ldb_context *ldb)
2998 int *forestFunctionality =
2999 talloc_get_type(ldb_get_opaque(ldb, "forestFunctionality"), int);
3000 if (!forestFunctionality) {
3001 DEBUG(0,(__location__ ": WARNING: forestFunctionality not setup\n"));
3002 return DS_DOMAIN_FUNCTION_2000;
3004 return *forestFunctionality;
3008 set a GUID in an extended DN structure
3010 int dsdb_set_extended_dn_guid(struct ldb_dn *dn, const struct GUID *guid, const char *component_name)
3016 status = GUID_to_ndr_blob(guid, dn, &v);
3017 if (!NT_STATUS_IS_OK(status)) {
3018 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
3021 ret = ldb_dn_set_extended_component(dn, component_name, &v);
3027 return a GUID from a extended DN structure
3029 NTSTATUS dsdb_get_extended_dn_guid(struct ldb_dn *dn, struct GUID *guid, const char *component_name)
3031 const struct ldb_val *v;
3033 v = ldb_dn_get_extended_component(dn, component_name);
3035 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3038 return GUID_from_ndr_blob(v, guid);
3042 return a uint64_t from a extended DN structure
3044 NTSTATUS dsdb_get_extended_dn_uint64(struct ldb_dn *dn, uint64_t *val, const char *component_name)
3046 const struct ldb_val *v;
3049 v = ldb_dn_get_extended_component(dn, component_name);
3051 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3053 s = talloc_strndup(dn, (const char *)v->data, v->length);
3054 NT_STATUS_HAVE_NO_MEMORY(s);
3056 *val = strtoull(s, NULL, 0);
3059 return NT_STATUS_OK;
3063 return a NTTIME from a extended DN structure
3065 NTSTATUS dsdb_get_extended_dn_nttime(struct ldb_dn *dn, NTTIME *nttime, const char *component_name)
3067 return dsdb_get_extended_dn_uint64(dn, nttime, component_name);
3071 return a uint32_t from a extended DN structure
3073 NTSTATUS dsdb_get_extended_dn_uint32(struct ldb_dn *dn, uint32_t *val, const char *component_name)
3075 const struct ldb_val *v;
3078 v = ldb_dn_get_extended_component(dn, component_name);
3080 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3083 s = talloc_strndup(dn, (const char *)v->data, v->length);
3084 NT_STATUS_HAVE_NO_MEMORY(s);
3086 *val = strtoul(s, NULL, 0);
3089 return NT_STATUS_OK;
3093 return a dom_sid from a extended DN structure
3095 NTSTATUS dsdb_get_extended_dn_sid(struct ldb_dn *dn, struct dom_sid *sid, const char *component_name)
3097 const struct ldb_val *sid_blob;
3098 struct TALLOC_CTX *tmp_ctx;
3099 enum ndr_err_code ndr_err;
3101 sid_blob = ldb_dn_get_extended_component(dn, "SID");
3103 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3106 tmp_ctx = talloc_new(NULL);
3108 ndr_err = ndr_pull_struct_blob_all(sid_blob, tmp_ctx, sid,
3109 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
3110 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3111 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
3112 talloc_free(tmp_ctx);
3116 talloc_free(tmp_ctx);
3117 return NT_STATUS_OK;
3122 return RMD_FLAGS directly from a ldb_dn
3123 returns 0 if not found
3125 uint32_t dsdb_dn_rmd_flags(struct ldb_dn *dn)
3127 const struct ldb_val *v;
3129 v = ldb_dn_get_extended_component(dn, "RMD_FLAGS");
3130 if (!v || v->length > sizeof(buf)-1) return 0;
3131 strncpy(buf, (const char *)v->data, v->length);
3133 return strtoul(buf, NULL, 10);
3137 return RMD_FLAGS directly from a ldb_val for a DN
3138 returns 0 if RMD_FLAGS is not found
3140 uint32_t dsdb_dn_val_rmd_flags(const struct ldb_val *val)
3146 if (val->length < 13) {
3149 p = memmem(val->data, val->length-2, "<RMD_FLAGS=", 11);
3153 flags = strtoul(p+11, &end, 10);
3154 if (!end || *end != '>') {
3155 /* it must end in a > */
3162 return true if a ldb_val containing a DN in storage form is deleted
3164 bool dsdb_dn_is_deleted_val(const struct ldb_val *val)
3166 return (dsdb_dn_val_rmd_flags(val) & DSDB_RMD_FLAG_DELETED) != 0;
3170 return true if a ldb_val containing a DN in storage form is
3171 in the upgraded w2k3 linked attribute format
3173 bool dsdb_dn_is_upgraded_link_val(struct ldb_val *val)
3175 return memmem(val->data, val->length, "<RMD_ADDTIME=", 13) != NULL;
3179 return a DN for a wellknown GUID
3181 int dsdb_wellknown_dn(struct ldb_context *samdb, TALLOC_CTX *mem_ctx,
3182 struct ldb_dn *nc_root, const char *wk_guid,
3183 struct ldb_dn **wkguid_dn)
3185 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3186 const char *attrs[] = { NULL };
3189 struct ldb_result *res;
3191 /* construct the magic WKGUID DN */
3192 dn = ldb_dn_new_fmt(tmp_ctx, samdb, "<WKGUID=%s,%s>",
3193 wk_guid, ldb_dn_get_linearized(nc_root));
3195 talloc_free(tmp_ctx);
3196 return ldb_operr(samdb);
3199 ret = dsdb_search_dn(samdb, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_DELETED);
3200 if (ret != LDB_SUCCESS) {
3201 talloc_free(tmp_ctx);
3205 (*wkguid_dn) = talloc_steal(mem_ctx, res->msgs[0]->dn);
3206 talloc_free(tmp_ctx);
3211 static int dsdb_dn_compare_ptrs(struct ldb_dn **dn1, struct ldb_dn **dn2)
3213 return ldb_dn_compare(*dn1, *dn2);
3217 find a NC root given a DN within the NC
3219 int dsdb_find_nc_root(struct ldb_context *samdb, TALLOC_CTX *mem_ctx, struct ldb_dn *dn,
3220 struct ldb_dn **nc_root)
3222 const char *root_attrs[] = { "namingContexts", NULL };
3223 TALLOC_CTX *tmp_ctx;
3225 struct ldb_message_element *el;
3226 struct ldb_result *root_res;
3228 struct ldb_dn **nc_dns;
3230 tmp_ctx = talloc_new(samdb);
3231 if (tmp_ctx == NULL) {
3232 return ldb_oom(samdb);
3235 ret = ldb_search(samdb, tmp_ctx, &root_res,
3236 ldb_dn_new(tmp_ctx, samdb, ""), LDB_SCOPE_BASE, root_attrs, NULL);
3237 if (ret != LDB_SUCCESS) {
3238 DEBUG(1,("Searching for namingContexts in rootDSE failed: %s\n", ldb_errstring(samdb)));
3239 talloc_free(tmp_ctx);
3243 el = ldb_msg_find_element(root_res->msgs[0], "namingContexts");
3245 DEBUG(1,("Finding namingContexts element in root_res failed: %s\n",
3246 ldb_errstring(samdb)));
3247 talloc_free(tmp_ctx);
3248 return LDB_ERR_NO_SUCH_ATTRIBUTE;
3251 nc_dns = talloc_array(tmp_ctx, struct ldb_dn *, el->num_values);
3253 talloc_free(tmp_ctx);
3254 return ldb_oom(samdb);
3257 for (i=0; i<el->num_values; i++) {
3258 nc_dns[i] = ldb_dn_from_ldb_val(nc_dns, samdb, &el->values[i]);
3259 if (nc_dns[i] == NULL) {
3260 talloc_free(tmp_ctx);
3261 return ldb_operr(samdb);
3265 TYPESAFE_QSORT(nc_dns, el->num_values, dsdb_dn_compare_ptrs);
3267 for (i=0; i<el->num_values; i++) {
3268 if (ldb_dn_compare_base(nc_dns[i], dn) == 0) {
3269 (*nc_root) = talloc_steal(mem_ctx, nc_dns[i]);
3270 talloc_free(tmp_ctx);
3275 talloc_free(tmp_ctx);
3276 return LDB_ERR_NO_SUCH_OBJECT;
3281 find the deleted objects DN for any object, by looking for the NC
3282 root, then looking up the wellknown GUID
3284 int dsdb_get_deleted_objects_dn(struct ldb_context *ldb,
3285 TALLOC_CTX *mem_ctx, struct ldb_dn *obj_dn,
3286 struct ldb_dn **do_dn)
3288 struct ldb_dn *nc_root;
3291 ret = dsdb_find_nc_root(ldb, mem_ctx, obj_dn, &nc_root);
3292 if (ret != LDB_SUCCESS) {
3296 ret = dsdb_wellknown_dn(ldb, mem_ctx, nc_root, DS_GUID_DELETED_OBJECTS_CONTAINER, do_dn);
3297 talloc_free(nc_root);
3302 return the tombstoneLifetime, in days
3304 int dsdb_tombstone_lifetime(struct ldb_context *ldb, uint32_t *lifetime)
3307 dn = ldb_get_config_basedn(ldb);
3309 return LDB_ERR_NO_SUCH_OBJECT;
3311 dn = ldb_dn_copy(ldb, dn);
3313 return ldb_operr(ldb);
3315 /* see MS-ADTS section 7.1.1.2.4.1.1. There doesn't appear to
3316 be a wellknown GUID for this */
3317 if (!ldb_dn_add_child_fmt(dn, "CN=Directory Service,CN=Windows NT,CN=Services")) {
3319 return ldb_operr(ldb);
3322 *lifetime = samdb_search_uint(ldb, dn, 180, dn, "tombstoneLifetime", "objectClass=nTDSService");
3328 compare a ldb_val to a string case insensitively
3330 int samdb_ldb_val_case_cmp(const char *s, struct ldb_val *v)
3332 size_t len = strlen(s);
3334 if (len > v->length) return 1;
3335 ret = strncasecmp(s, (const char *)v->data, v->length);
3336 if (ret != 0) return ret;
3337 if (v->length > len && v->data[len] != 0) {
3345 load the UDV for a partition in v2 format
3346 The list is returned sorted, and with our local cursor added
3348 int dsdb_load_udv_v2(struct ldb_context *samdb, struct ldb_dn *dn, TALLOC_CTX *mem_ctx,
3349 struct drsuapi_DsReplicaCursor2 **cursors, uint32_t *count)
3351 static const char *attrs[] = { "replUpToDateVector", NULL };
3352 struct ldb_result *r;
3353 const struct ldb_val *ouv_value;
3356 uint64_t highest_usn;
3357 const struct GUID *our_invocation_id;
3358 struct timeval now = timeval_current();
3360 ret = ldb_search(samdb, mem_ctx, &r, dn, LDB_SCOPE_BASE, attrs, NULL);
3361 if (ret != LDB_SUCCESS) {
3365 ouv_value = ldb_msg_find_ldb_val(r->msgs[0], "replUpToDateVector");
3367 enum ndr_err_code ndr_err;
3368 struct replUpToDateVectorBlob ouv;
3370 ndr_err = ndr_pull_struct_blob(ouv_value, r, &ouv,
3371 (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
3372 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3374 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
3376 if (ouv.version != 2) {
3377 /* we always store as version 2, and
3378 * replUpToDateVector is not replicated
3380 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
3383 *count = ouv.ctr.ctr2.count;
3384 *cursors = talloc_steal(mem_ctx, ouv.ctr.ctr2.cursors);
3392 our_invocation_id = samdb_ntds_invocation_id(samdb);
3393 if (!our_invocation_id) {
3394 DEBUG(0,(__location__ ": No invocationID on samdb - %s\n", ldb_errstring(samdb)));
3395 talloc_free(*cursors);
3396 return ldb_operr(samdb);
3399 ret = dsdb_load_partition_usn(samdb, dn, &highest_usn, NULL);
3400 if (ret != LDB_SUCCESS) {
3401 /* nothing to add - this can happen after a vampire */
3402 TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
3406 for (i=0; i<*count; i++) {
3407 if (GUID_equal(our_invocation_id, &(*cursors)[i].source_dsa_invocation_id)) {
3408 (*cursors)[i].highest_usn = highest_usn;
3409 (*cursors)[i].last_sync_success = timeval_to_nttime(&now);
3410 TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
3415 (*cursors) = talloc_realloc(mem_ctx, *cursors, struct drsuapi_DsReplicaCursor2, (*count)+1);
3417 return ldb_oom(samdb);
3420 (*cursors)[*count].source_dsa_invocation_id = *our_invocation_id;
3421 (*cursors)[*count].highest_usn = highest_usn;
3422 (*cursors)[*count].last_sync_success = timeval_to_nttime(&now);
3425 TYPESAFE_QSORT(*cursors, *count, drsuapi_DsReplicaCursor2_compare);
3431 load the UDV for a partition in version 1 format
3432 The list is returned sorted, and with our local cursor added
3434 int dsdb_load_udv_v1(struct ldb_context *samdb, struct ldb_dn *dn, TALLOC_CTX *mem_ctx,
3435 struct drsuapi_DsReplicaCursor **cursors, uint32_t *count)
3437 struct drsuapi_DsReplicaCursor2 *v2;
3441 ret = dsdb_load_udv_v2(samdb, dn, mem_ctx, &v2, count);
3442 if (ret != LDB_SUCCESS) {
3452 *cursors = talloc_array(mem_ctx, struct drsuapi_DsReplicaCursor, *count);
3453 if (*cursors == NULL) {
3455 return ldb_oom(samdb);
3458 for (i=0; i<*count; i++) {
3459 (*cursors)[i].source_dsa_invocation_id = v2[i].source_dsa_invocation_id;
3460 (*cursors)[i].highest_usn = v2[i].highest_usn;
3467 add a set of controls to a ldb_request structure based on a set of
3468 flags. See util.h for a list of available flags
3470 int dsdb_request_add_controls(struct ldb_request *req, uint32_t dsdb_flags)
3473 if (dsdb_flags & DSDB_SEARCH_SEARCH_ALL_PARTITIONS) {
3474 struct ldb_search_options_control *options;
3475 /* Using the phantom root control allows us to search all partitions */
3476 options = talloc(req, struct ldb_search_options_control);
3477 if (options == NULL) {
3478 return LDB_ERR_OPERATIONS_ERROR;
3480 options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
3482 ret = ldb_request_add_control(req,
3483 LDB_CONTROL_SEARCH_OPTIONS_OID,
3485 if (ret != LDB_SUCCESS) {
3490 if (dsdb_flags & DSDB_SEARCH_SHOW_DELETED) {
3491 ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_DELETED_OID, true, NULL);
3492 if (ret != LDB_SUCCESS) {
3497 if (dsdb_flags & DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT) {
3498 ret = ldb_request_add_control(req, DSDB_CONTROL_DN_STORAGE_FORMAT_OID, true, NULL);
3499 if (ret != LDB_SUCCESS) {
3504 if (dsdb_flags & DSDB_SEARCH_SHOW_EXTENDED_DN) {
3505 struct ldb_extended_dn_control *extended_ctrl = talloc(req, struct ldb_extended_dn_control);
3506 if (!extended_ctrl) {
3507 return LDB_ERR_OPERATIONS_ERROR;
3509 extended_ctrl->type = 1;
3511 ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, extended_ctrl);
3512 if (ret != LDB_SUCCESS) {
3517 if (dsdb_flags & DSDB_SEARCH_REVEAL_INTERNALS) {
3518 ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
3519 if (ret != LDB_SUCCESS) {
3524 if (dsdb_flags & DSDB_MODIFY_RELAX) {
3525 ret = ldb_request_add_control(req, LDB_CONTROL_RELAX_OID, false, NULL);
3526 if (ret != LDB_SUCCESS) {
3531 if (dsdb_flags & DSDB_MODIFY_PERMISSIVE) {
3532 ret = ldb_request_add_control(req, LDB_CONTROL_PERMISSIVE_MODIFY_OID, false, NULL);
3533 if (ret != LDB_SUCCESS) {
3538 if (dsdb_flags & DSDB_FLAG_AS_SYSTEM) {
3539 ret = ldb_request_add_control(req, LDB_CONTROL_AS_SYSTEM_OID, false, NULL);
3540 if (ret != LDB_SUCCESS) {
3545 if (dsdb_flags & DSDB_TREE_DELETE) {
3546 ret = ldb_request_add_control(req, LDB_CONTROL_TREE_DELETE_OID, false, NULL);
3547 if (ret != LDB_SUCCESS) {
3556 an add with a set of controls
3558 int dsdb_add(struct ldb_context *ldb, const struct ldb_message *message,
3559 uint32_t dsdb_flags)
3561 struct ldb_request *req;
3564 ret = ldb_build_add_req(&req, ldb, ldb,
3568 ldb_op_default_callback,
3571 if (ret != LDB_SUCCESS) return ret;
3573 ret = dsdb_request_add_controls(req, dsdb_flags);
3574 if (ret != LDB_SUCCESS) {
3579 ret = dsdb_autotransaction_request(ldb, req);
3586 a modify with a set of controls
3588 int dsdb_modify(struct ldb_context *ldb, const struct ldb_message *message,
3589 uint32_t dsdb_flags)
3591 struct ldb_request *req;
3594 ret = ldb_build_mod_req(&req, ldb, ldb,
3598 ldb_op_default_callback,
3601 if (ret != LDB_SUCCESS) return ret;
3603 ret = dsdb_request_add_controls(req, dsdb_flags);
3604 if (ret != LDB_SUCCESS) {
3609 ret = dsdb_autotransaction_request(ldb, req);
3616 like dsdb_modify() but set all the element flags to
3617 LDB_FLAG_MOD_REPLACE
3619 int dsdb_replace(struct ldb_context *ldb, struct ldb_message *msg, uint32_t dsdb_flags)
3623 /* mark all the message elements as LDB_FLAG_MOD_REPLACE */
3624 for (i=0;i<msg->num_elements;i++) {
3625 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
3628 return dsdb_modify(ldb, msg, dsdb_flags);
3633 search for attrs on one DN, allowing for dsdb_flags controls
3635 int dsdb_search_dn(struct ldb_context *ldb,
3636 TALLOC_CTX *mem_ctx,
3637 struct ldb_result **_res,
3638 struct ldb_dn *basedn,
3639 const char * const *attrs,
3640 uint32_t dsdb_flags)
3643 struct ldb_request *req;
3644 struct ldb_result *res;
3646 res = talloc_zero(mem_ctx, struct ldb_result);
3648 return ldb_oom(ldb);
3651 ret = ldb_build_search_req(&req, ldb, res,
3658 ldb_search_default_callback,
3660 if (ret != LDB_SUCCESS) {
3665 ret = dsdb_request_add_controls(req, dsdb_flags);
3666 if (ret != LDB_SUCCESS) {
3671 ret = ldb_request(ldb, req);
3672 if (ret == LDB_SUCCESS) {
3673 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
3677 if (ret != LDB_SUCCESS) {
3687 general search with dsdb_flags for controls
3689 int dsdb_search(struct ldb_context *ldb,
3690 TALLOC_CTX *mem_ctx,
3691 struct ldb_result **_res,
3692 struct ldb_dn *basedn,
3693 enum ldb_scope scope,
3694 const char * const *attrs,
3695 uint32_t dsdb_flags,
3696 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(8, 9)
3699 struct ldb_request *req;
3700 struct ldb_result *res;
3702 char *expression = NULL;
3703 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3705 res = talloc_zero(tmp_ctx, struct ldb_result);
3707 talloc_free(tmp_ctx);
3708 return ldb_oom(ldb);
3712 va_start(ap, exp_fmt);
3713 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
3717 talloc_free(tmp_ctx);
3718 return ldb_oom(ldb);
3722 ret = ldb_build_search_req(&req, ldb, tmp_ctx,
3729 ldb_search_default_callback,
3731 if (ret != LDB_SUCCESS) {
3732 talloc_free(tmp_ctx);
3736 ret = dsdb_request_add_controls(req, dsdb_flags);
3737 if (ret != LDB_SUCCESS) {
3738 talloc_free(tmp_ctx);
3742 ret = ldb_request(ldb, req);
3743 if (ret == LDB_SUCCESS) {
3744 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
3747 if (ret != LDB_SUCCESS) {
3748 talloc_free(tmp_ctx);
3752 if (dsdb_flags & DSDB_SEARCH_ONE_ONLY) {
3753 if (res->count == 0) {
3754 talloc_free(tmp_ctx);
3755 return LDB_ERR_NO_SUCH_OBJECT;
3757 if (res->count != 1) {
3758 talloc_free(tmp_ctx);
3759 return LDB_ERR_CONSTRAINT_VIOLATION;
3763 *_res = talloc_steal(mem_ctx, res);
3764 talloc_free(tmp_ctx);
3771 general search with dsdb_flags for controls
3772 returns exactly 1 record or an error
3774 int dsdb_search_one(struct ldb_context *ldb,
3775 TALLOC_CTX *mem_ctx,
3776 struct ldb_message **msg,
3777 struct ldb_dn *basedn,
3778 enum ldb_scope scope,
3779 const char * const *attrs,
3780 uint32_t dsdb_flags,
3781 const char *exp_fmt, ...) _PRINTF_ATTRIBUTE(8, 9)
3784 struct ldb_result *res;
3786 char *expression = NULL;
3787 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3789 dsdb_flags |= DSDB_SEARCH_ONE_ONLY;
3791 res = talloc_zero(tmp_ctx, struct ldb_result);
3793 talloc_free(tmp_ctx);
3794 return ldb_oom(ldb);
3798 va_start(ap, exp_fmt);
3799 expression = talloc_vasprintf(tmp_ctx, exp_fmt, ap);
3803 talloc_free(tmp_ctx);
3804 return ldb_oom(ldb);
3806 ret = dsdb_search(ldb, tmp_ctx, &res, basedn, scope, attrs,
3807 dsdb_flags, "%s", expression);
3809 ret = dsdb_search(ldb, tmp_ctx, &res, basedn, scope, attrs,
3813 if (ret != LDB_SUCCESS) {
3814 talloc_free(tmp_ctx);
3818 *msg = talloc_steal(mem_ctx, res->msgs[0]);
3819 talloc_free(tmp_ctx);
3824 /* returns back the forest DNS name */
3825 const char *samdb_forest_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
3827 const char *forest_name = ldb_dn_canonical_string(mem_ctx,
3828 ldb_get_root_basedn(ldb));
3831 if (forest_name == NULL) {
3835 p = strchr(forest_name, '/');
3844 validate that an DSA GUID belongs to the specified user sid.
3845 The user SID must be a domain controller account (either RODC or
3848 int dsdb_validate_dsa_guid(struct ldb_context *ldb,
3849 const struct GUID *dsa_guid,
3850 const struct dom_sid *sid)
3853 - find DN of record with the DSA GUID in the
3854 configuration partition (objectGUID)
3855 - remove "NTDS Settings" component from DN
3856 - do a base search on that DN for serverReference with
3858 - extract objectSID from resulting serverReference
3860 - check this sid matches the sid argument
3862 struct ldb_dn *config_dn;
3863 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
3864 struct ldb_message *msg;
3865 const char *attrs1[] = { NULL };
3866 const char *attrs2[] = { "serverReference", NULL };
3868 struct ldb_dn *dn, *account_dn;
3869 struct dom_sid sid2;
3872 config_dn = ldb_get_config_basedn(ldb);
3874 ret = dsdb_search_one(ldb, tmp_ctx, &msg, config_dn, LDB_SCOPE_SUBTREE,
3875 attrs1, 0, "(&(objectGUID=%s)(objectClass=nTDSDSA))", GUID_string(tmp_ctx, dsa_guid));
3876 if (ret != LDB_SUCCESS) {
3877 DEBUG(1,(__location__ ": Failed to find DSA objectGUID %s for sid %s\n",
3878 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
3879 talloc_free(tmp_ctx);
3880 return ldb_operr(ldb);
3884 if (!ldb_dn_remove_child_components(dn, 1)) {
3885 talloc_free(tmp_ctx);
3886 return ldb_operr(ldb);
3889 ret = dsdb_search_one(ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE,
3890 attrs2, DSDB_SEARCH_SHOW_EXTENDED_DN,
3891 "(objectClass=server)");
3892 if (ret != LDB_SUCCESS) {
3893 DEBUG(1,(__location__ ": Failed to find server record for DSA with objectGUID %s, sid %s\n",
3894 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
3895 talloc_free(tmp_ctx);
3896 return ldb_operr(ldb);
3899 account_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, msg, "serverReference");
3900 if (account_dn == NULL) {
3901 DEBUG(1,(__location__ ": Failed to find account_dn for DSA with objectGUID %s, sid %s\n",
3902 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
3903 talloc_free(tmp_ctx);
3904 return ldb_operr(ldb);
3907 status = dsdb_get_extended_dn_sid(account_dn, &sid2, "SID");
3908 if (!NT_STATUS_IS_OK(status)) {
3909 DEBUG(1,(__location__ ": Failed to find SID for DSA with objectGUID %s, sid %s\n",
3910 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
3911 talloc_free(tmp_ctx);
3912 return ldb_operr(ldb);
3915 if (!dom_sid_equal(sid, &sid2)) {
3916 /* someone is trying to spoof another account */
3917 DEBUG(0,(__location__ ": Bad DSA objectGUID %s for sid %s - expected sid %s\n",
3918 GUID_string(tmp_ctx, dsa_guid),
3919 dom_sid_string(tmp_ctx, sid),
3920 dom_sid_string(tmp_ctx, &sid2)));
3921 talloc_free(tmp_ctx);
3922 return ldb_operr(ldb);
3925 talloc_free(tmp_ctx);
3929 const char *rodc_fas_list[] = {"ms-PKI-DPAPIMasterKeys",
3930 "ms-PKI-AccountCredentials",
3931 "ms-PKI-RoamingTimeStamp",
3932 "ms-FVE-KeyPackage",
3933 "ms-FVE-RecoveryGuid",
3934 "ms-FVE-RecoveryInformation",
3935 "ms-FVE-RecoveryPassword",
3936 "ms-FVE-VolumeGuid",
3937 "ms-TPM-OwnerInformation",
3940 check if the attribute belongs to the RODC filtered attribute set
3942 bool dsdb_attr_in_rodc_fas(uint32_t replica_flags, const struct dsdb_attribute *sa)
3944 int rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
3945 bool drs_write_replica = ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0);
3947 if (drs_write_replica && (sa->searchFlags & rodc_filtered_flags)) {
3950 if (drs_write_replica && is_attr_in_list(rodc_fas_list, sa->cn)) {