2 Unix SMB/CIFS implementation.
4 implement the DRSUpdateRefs call
6 Copyright (C) Anatoliy Atanasov 2009
7 Copyright (C) Andrew Tridgell 2009
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "librpc/gen_ndr/ndr_drsuapi.h"
25 #include "rpc_server/dcerpc_server.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "param/param.h"
28 #include "librpc/gen_ndr/ndr_drsblobs.h"
29 #include "auth/auth.h"
30 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
31 #include "rpc_server/dcerpc_server_proto.h"
32 #include "../libcli/drsuapi/drsuapi.h"
33 #include "libcli/security/security.h"
36 drsuapi_DsGetNCChanges for one object
38 static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItemEx *obj,
39 struct ldb_message *msg,
40 struct ldb_context *sam_ctx,
41 struct ldb_dn *ncRoot_dn,
42 struct dsdb_schema *schema,
43 DATA_BLOB *session_key,
46 const struct ldb_val *md_value;
48 struct ldb_dn *obj_dn;
49 struct replPropertyMetaDataBlob md;
52 enum ndr_err_code ndr_err;
55 if (ldb_dn_compare(ncRoot_dn, msg->dn) == 0) {
56 obj->is_nc_prefix = true;
57 obj->parent_object_guid = NULL;
59 obj->is_nc_prefix = false;
60 obj->parent_object_guid = talloc(obj, struct GUID);
61 *obj->parent_object_guid = samdb_result_guid(msg, "parentGUID");
63 obj->next_object = NULL;
65 md_value = ldb_msg_find_ldb_val(msg, "replPropertyMetaData");
71 ndr_err = ndr_pull_struct_blob(md_value, obj,
72 lp_iconv_convenience(ldb_get_opaque(sam_ctx, "loadparm")), &md,
73 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
74 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
75 return WERR_DS_DRA_INTERNAL_ERROR;
78 if (md.version != 1) {
79 return WERR_DS_DRA_INTERNAL_ERROR;
82 obj->meta_data_ctr = talloc(obj, struct drsuapi_DsReplicaMetaDataCtr);
83 attids = talloc_array(obj, uint32_t, md.ctr.ctr1.count);
85 obj->meta_data_ctr->meta_data = talloc_array(obj, struct drsuapi_DsReplicaMetaData, md.ctr.ctr1.count);
86 for (n=i=0; i<md.ctr.ctr1.count; i++) {
87 if (md.ctr.ctr1.array[i].local_usn < highest_usn) continue;
88 obj->meta_data_ctr->meta_data[n].originating_change_time = md.ctr.ctr1.array[i].originating_change_time;
89 obj->meta_data_ctr->meta_data[n].version = md.ctr.ctr1.array[i].version;
90 obj->meta_data_ctr->meta_data[n].originating_invocation_id = md.ctr.ctr1.array[i].originating_invocation_id;
91 obj->meta_data_ctr->meta_data[n].originating_usn = md.ctr.ctr1.array[i].originating_usn;
92 attids[n] = md.ctr.ctr1.array[i].attid;
97 note that if n==0 we still need to send the change, as it
98 could be a rename, which changes the uSNChanged, but not any
99 of the replicated attributes
102 obj->meta_data_ctr->count = n;
104 obj->object.identifier = talloc(obj, struct drsuapi_DsReplicaObjectIdentifier);
105 obj_dn = ldb_msg_find_attr_as_dn(sam_ctx, obj, msg, "distinguishedName");
106 obj->object.identifier->dn = ldb_dn_get_linearized(obj_dn);
107 obj->object.identifier->guid = samdb_result_guid(msg, "objectGUID");
108 sid = samdb_result_dom_sid(obj, msg, "objectSid");
110 dom_sid_split_rid(NULL, sid, NULL, &rid);
111 obj->object.identifier->sid = *sid;
113 ZERO_STRUCT(obj->object.identifier->sid);
116 obj->object.attribute_ctr.num_attributes = obj->meta_data_ctr->count;
117 obj->object.attribute_ctr.attributes = talloc_array(obj, struct drsuapi_DsReplicaAttribute,
118 obj->object.attribute_ctr.num_attributes);
121 * Note that the meta_data array and the attributes array must
122 * be the same size and in the same order
124 for (i=0; i<obj->object.attribute_ctr.num_attributes; i++) {
125 const struct dsdb_attribute *sa;
126 struct ldb_message_element *el;
129 sa = dsdb_attribute_by_attributeID_id(schema, attids[i]);
131 DEBUG(0,("Unable to find attributeID %u in schema\n", attids[i]));
132 return WERR_DS_DRA_INTERNAL_ERROR;
135 el = ldb_msg_find_element(msg, sa->lDAPDisplayName);
137 DEBUG(0,("No element '%s' for attributeID %u in message\n",
138 sa->lDAPDisplayName, attids[i]));
139 ZERO_STRUCT(obj->object.attribute_ctr.attributes[i]);
140 obj->object.attribute_ctr.attributes[i].attid = attids[i];
142 werr = dsdb_attribute_ldb_to_drsuapi(sam_ctx, schema, el, obj,
143 &obj->object.attribute_ctr.attributes[i]);
144 if (!W_ERROR_IS_OK(werr)) {
145 DEBUG(0,("Unable to convert %s to DRS object - %s\n",
146 sa->lDAPDisplayName, win_errstr(werr)));
150 /* some attributes needs to be encrypted
152 werr = drsuapi_encrypt_attribute(obj, session_key, rid,
153 &obj->object.attribute_ctr.attributes[i]);
154 if (!W_ERROR_IS_OK(werr)) {
155 DEBUG(0,("Unable to encrypt %s in DRS object - %s\n",
156 sa->lDAPDisplayName, win_errstr(werr)));
165 static int replmd_drsuapi_DsReplicaCursor2_compare(const struct drsuapi_DsReplicaCursor2 *c1,
166 const struct drsuapi_DsReplicaCursor2 *c2)
168 return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
172 load replUpToDateVector from a DN
174 static WERROR load_udv(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
175 struct ldb_dn *dn, struct replUpToDateVectorBlob *ouv)
177 const char *attrs[] = { "replUpToDateVector", NULL };
178 struct ldb_result *res = NULL;
179 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
180 struct ldb_message_element *el;
181 enum ndr_err_code ndr_err;
185 if (ldb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, NULL) != LDB_SUCCESS ||
187 DEBUG(0,("load_udv: failed to read partition object\n"));
188 talloc_free(tmp_ctx);
189 return WERR_DS_DRA_INTERNAL_ERROR;
192 el = ldb_msg_find_element(res->msgs[0], "replUpToDateVector");
193 if (el == NULL || el->num_values < 1) {
194 talloc_free(tmp_ctx);
199 ndr_err = ndr_pull_struct_blob(&el->values[0],
200 mem_ctx, lp_iconv_convenience(ldb_get_opaque(sam_ctx, "loadparm")),
202 (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
203 talloc_free(tmp_ctx);
204 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
205 DEBUG(0,(__location__ ": Failed to parse replUpToDateVector for %s\n",
206 ldb_dn_get_linearized(dn)));
207 return WERR_DS_DRA_INTERNAL_ERROR;
215 fill in the cursors return based on the replUpToDateVector for the ncRoot_dn
217 static WERROR get_nc_changes_udv(struct ldb_context *sam_ctx,
218 struct ldb_dn *ncRoot_dn,
219 struct drsuapi_DsReplicaCursor2CtrEx *udv)
222 struct drsuapi_DsReplicaCursor2 *tmp_cursor;
223 uint64_t highest_commited_usn;
225 time_t t = time(NULL);
227 struct replUpToDateVectorBlob ouv;
229 werr = load_udv(sam_ctx, udv, ncRoot_dn, &ouv);
230 if (!W_ERROR_IS_OK(werr)) {
234 ret = ldb_sequence_number(sam_ctx, LDB_SEQ_HIGHEST_SEQ, &highest_commited_usn);
235 if (ret != LDB_SUCCESS) {
236 return WERR_DS_DRA_INTERNAL_ERROR;
239 tmp_cursor = talloc(udv, struct drsuapi_DsReplicaCursor2);
240 tmp_cursor->source_dsa_invocation_id = *(samdb_ntds_invocation_id(sam_ctx));
241 tmp_cursor->highest_usn = highest_commited_usn;
242 unix_to_nt_time(&now, t);
243 tmp_cursor->last_sync_success = now;
245 udv->count = ouv.ctr.ctr2.count + 1;
246 udv->cursors = talloc_steal(udv, ouv.ctr.ctr2.cursors);
247 udv->cursors = talloc_realloc(udv, udv->cursors, struct drsuapi_DsReplicaCursor2, udv->count);
249 return WERR_DS_DRA_INTERNAL_ERROR;
251 udv->cursors[udv->count - 1] = *tmp_cursor;
253 qsort(udv->cursors, udv->count,
254 sizeof(struct drsuapi_DsReplicaCursor2),
255 (comparison_fn_t)replmd_drsuapi_DsReplicaCursor2_compare);
261 drsuapi_DsGetNCChanges
263 WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
264 struct drsuapi_DsGetNCChanges *r)
266 struct ldb_result *site_res;
267 struct drsuapi_DsReplicaObjectIdentifier *ncRoot;
268 struct ldb_context *sam_ctx;
269 struct ldb_dn *ncRoot_dn;
272 struct dsdb_schema *schema;
273 struct drsuapi_DsReplicaOIDMapping_Ctr *ctr;
274 struct drsuapi_DsReplicaObjectListItemEx **currentObject;
276 DATA_BLOB session_key;
277 const char *attrs[] = { "*", "parentGUID", NULL };
280 *r->out.level_out = 6;
281 /* TODO: linked attributes*/
282 r->out.ctr->ctr6.linked_attributes_count = 0;
283 r->out.ctr->ctr6.linked_attributes = NULL;
285 r->out.ctr->ctr6.object_count = 0;
286 r->out.ctr->ctr6.more_data = false;
287 r->out.ctr->ctr6.uptodateness_vector = NULL;
289 /* Check request revision. */
290 if (r->in.level != 8) {
291 return WERR_REVISION_MISMATCH;
294 /* Perform access checks. */
295 if (r->in.req->req8.naming_context == NULL) {
296 return WERR_DS_DRA_INVALID_PARAMETER;
299 ncRoot = r->in.req->req8.naming_context;
300 if (ncRoot == NULL) {
301 return WERR_DS_DRA_BAD_NC;
304 if (security_session_user_level(dce_call->conn->auth_state.session_info) <
305 SECURITY_DOMAIN_CONTROLLER) {
306 DEBUG(0,("getncchanges refused for security token\n"));
307 return WERR_DS_DRA_ACCESS_DENIED;
311 * connect to the samdb. TODO: We need to check that the caller
312 * has the rights to do this. This exposes all attributes,
313 * including all passwords.
315 sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx,
316 system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
321 /* we need the session key for encrypting password attributes */
322 status = dcesrv_inherited_session_key(dce_call->conn, &session_key);
323 if (!NT_STATUS_IS_OK(status)) {
324 DEBUG(0,(__location__ ": Failed to get session key\n"));
325 return WERR_DS_DRA_INTERNAL_ERROR;
328 /* Construct response. */
329 ncRoot_dn = ldb_dn_new(mem_ctx, sam_ctx, ncRoot->dn);
330 ret = drsuapi_search_with_extended_dn(sam_ctx, mem_ctx, &site_res,
331 ncRoot_dn, LDB_SCOPE_SUBTREE, attrs,
332 "(uSNChanged>=%llu)",
333 (unsigned long long)(r->in.req->req8.highwatermark.highest_usn+1));
334 if (ret != LDB_SUCCESS) {
335 return WERR_DS_DRA_INTERNAL_ERROR;
340 schema = dsdb_get_schema(sam_ctx);
342 DEBUG(0,("No schema in sam_ctx\n"));
343 return WERR_DS_DRA_INTERNAL_ERROR;
346 r->out.ctr->ctr6.naming_context = talloc(mem_ctx, struct drsuapi_DsReplicaObjectIdentifier);
347 *r->out.ctr->ctr6.naming_context = *ncRoot;
349 dsdb_get_oid_mappings_drsuapi(schema, true, mem_ctx, &ctr);
350 r->out.ctr->ctr6.mapping_ctr = *ctr;
352 r->out.ctr->ctr6.source_dsa_guid = *(samdb_ntds_objectGUID(sam_ctx));
353 r->out.ctr->ctr6.source_dsa_invocation_id = *(samdb_ntds_invocation_id(sam_ctx));
355 r->out.ctr->ctr6.old_highwatermark = r->in.req->req8.highwatermark;
356 r->out.ctr->ctr6.new_highwatermark = r->in.req->req8.highwatermark;
358 r->out.ctr->ctr6.uptodateness_vector = talloc(mem_ctx, struct drsuapi_DsReplicaCursor2CtrEx);
359 r->out.ctr->ctr6.uptodateness_vector->version = 2;
360 r->out.ctr->ctr6.uptodateness_vector->reserved1 = 0;
361 r->out.ctr->ctr6.uptodateness_vector->reserved2 = 0;
363 r->out.ctr->ctr6.first_object = NULL;
364 currentObject = &r->out.ctr->ctr6.first_object;
366 for(i=0; i<site_res->count; i++) {
368 struct drsuapi_DsReplicaObjectListItemEx *obj;
369 obj = talloc_zero(mem_ctx, struct drsuapi_DsReplicaObjectListItemEx);
371 uSN = ldb_msg_find_attr_as_int(site_res->msgs[i], "uSNChanged", -1);
372 if (uSN > r->out.ctr->ctr6.new_highwatermark.highest_usn) {
373 r->out.ctr->ctr6.new_highwatermark.tmp_highest_usn = uSN;
374 r->out.ctr->ctr6.new_highwatermark.highest_usn = uSN;
377 werr = get_nc_changes_build_object(obj, site_res->msgs[i], sam_ctx, ncRoot_dn,
378 schema, &session_key, r->in.req->req8.highwatermark.highest_usn);
379 if (!W_ERROR_IS_OK(werr)) {
383 if (obj->meta_data_ctr == NULL) {
384 /* no attributes to send */
389 r->out.ctr->ctr6.object_count++;
391 *currentObject = obj;
392 currentObject = &obj->next_object;
395 werr = get_nc_changes_udv(sam_ctx, ncRoot_dn, r->out.ctr->ctr6.uptodateness_vector);
396 if (!W_ERROR_IS_OK(werr)) {
401 DEBUG(3,("DsGetNCChanges with uSNChanged >= %llu on %s gave %u objects\n",
402 (unsigned long long)(r->in.req->req8.highwatermark.highest_usn+1),
403 ncRoot->dn, r->out.ctr->ctr6.object_count));
405 if (r->out.ctr->ctr6.object_count <= 10 && DEBUGLVL(6)) {
406 NDR_PRINT_FUNCTION_DEBUG(drsuapi_DsGetNCChanges, NDR_IN|NDR_OUT, r);
git.samba.org / samba.git / blob