2 Unix SMB/CIFS implementation.
4 implement the DRSUpdateRefs call
6 Copyright (C) Anatoliy Atanasov 2009
7 Copyright (C) Andrew Tridgell 2009
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "librpc/gen_ndr/ndr_drsuapi.h"
25 #include "rpc_server/dcerpc_server.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "param/param.h"
28 #include "librpc/gen_ndr/ndr_drsblobs.h"
29 #include "auth/auth.h"
30 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
31 #include "rpc_server/dcerpc_server_proto.h"
32 #include "../libcli/drsuapi/drsuapi.h"
33 #include "libcli/security/security.h"
36 drsuapi_DsGetNCChanges for one object
38 static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItemEx *obj,
39 struct ldb_message *msg,
40 struct ldb_context *sam_ctx,
41 struct ldb_dn *ncRoot_dn,
42 struct dsdb_schema *schema,
43 DATA_BLOB *session_key,
46 const struct ldb_val *md_value;
48 struct ldb_dn *obj_dn;
49 struct replPropertyMetaDataBlob md;
52 enum ndr_err_code ndr_err;
55 if (ldb_dn_compare(ncRoot_dn, msg->dn) == 0) {
56 obj->is_nc_prefix = true;
57 obj->parent_object_guid = NULL;
59 obj->is_nc_prefix = false;
60 obj->parent_object_guid = talloc(obj, struct GUID);
61 *obj->parent_object_guid = samdb_result_guid(msg, "parentGUID");
63 obj->next_object = NULL;
65 md_value = ldb_msg_find_ldb_val(msg, "replPropertyMetaData");
71 ndr_err = ndr_pull_struct_blob(md_value, obj,
72 lp_iconv_convenience(ldb_get_opaque(sam_ctx, "loadparm")), &md,
73 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
74 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
75 return WERR_DS_DRA_INTERNAL_ERROR;
78 if (md.version != 1) {
79 return WERR_DS_DRA_INTERNAL_ERROR;
82 obj->meta_data_ctr = talloc(obj, struct drsuapi_DsReplicaMetaDataCtr);
83 attids = talloc_array(obj, uint32_t, md.ctr.ctr1.count);
85 obj->meta_data_ctr->meta_data = talloc_array(obj, struct drsuapi_DsReplicaMetaData, md.ctr.ctr1.count);
86 for (n=i=0; i<md.ctr.ctr1.count; i++) {
87 if (md.ctr.ctr1.array[i].local_usn < highest_usn) continue;
88 obj->meta_data_ctr->meta_data[n].originating_change_time = md.ctr.ctr1.array[i].originating_change_time;
89 obj->meta_data_ctr->meta_data[n].version = md.ctr.ctr1.array[i].version;
90 obj->meta_data_ctr->meta_data[n].originating_invocation_id = md.ctr.ctr1.array[i].originating_invocation_id;
91 obj->meta_data_ctr->meta_data[n].originating_usn = md.ctr.ctr1.array[i].originating_usn;
92 attids[n] = md.ctr.ctr1.array[i].attid;
97 note that if n==0 we still need to send the change, as it
98 could be a rename, which changes the uSNChanged, but not any
99 of the replicated attributes
102 obj->meta_data_ctr->count = n;
104 obj->object.identifier = talloc(obj, struct drsuapi_DsReplicaObjectIdentifier);
105 obj_dn = ldb_msg_find_attr_as_dn(sam_ctx, obj, msg, "distinguishedName");
106 obj->object.identifier->dn = ldb_dn_get_linearized(obj_dn);
107 obj->object.identifier->guid = samdb_result_guid(msg, "objectGUID");
108 sid = samdb_result_dom_sid(obj, msg, "objectSid");
110 dom_sid_split_rid(NULL, sid, NULL, &rid);
111 obj->object.identifier->sid = *sid;
113 ZERO_STRUCT(obj->object.identifier->sid);
116 obj->object.attribute_ctr.num_attributes = obj->meta_data_ctr->count;
117 obj->object.attribute_ctr.attributes = talloc_array(obj, struct drsuapi_DsReplicaAttribute,
118 obj->object.attribute_ctr.num_attributes);
121 * Note that the meta_data array and the attributes array must
122 * be the same size and in the same order
124 for (i=0; i<obj->object.attribute_ctr.num_attributes; i++) {
125 const struct dsdb_attribute *sa;
126 struct ldb_message_element *el;
129 sa = dsdb_attribute_by_attributeID_id(schema, attids[i]);
131 DEBUG(0,("Unable to find attributeID %u in schema\n", attids[i]));
132 return WERR_DS_DRA_INTERNAL_ERROR;
135 el = ldb_msg_find_element(msg, sa->lDAPDisplayName);
137 DEBUG(0,("No element '%s' for attributeID %u in message\n",
138 sa->lDAPDisplayName, attids[i]));
139 ZERO_STRUCT(obj->object.attribute_ctr.attributes[i]);
140 obj->object.attribute_ctr.attributes[i].attid = attids[i];
142 werr = dsdb_attribute_ldb_to_drsuapi(sam_ctx, schema, el, obj,
143 &obj->object.attribute_ctr.attributes[i]);
144 if (!W_ERROR_IS_OK(werr)) {
145 DEBUG(0,("Unable to convert %s to DRS object - %s\n",
146 sa->lDAPDisplayName, win_errstr(werr)));
150 /* some attributes needs to be encrypted
152 werr = drsuapi_encrypt_attribute(obj, session_key, rid,
153 &obj->object.attribute_ctr.attributes[i]);
154 if (!W_ERROR_IS_OK(werr)) {
155 DEBUG(0,("Unable to encrypt %s in DRS object - %s\n",
156 sa->lDAPDisplayName, win_errstr(werr)));
166 load replUpToDateVector from a DN
168 static WERROR load_udv(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
169 struct ldb_dn *dn, struct replUpToDateVectorBlob *ouv)
171 const char *attrs[] = { "replUpToDateVector", NULL };
172 struct ldb_result *res = NULL;
173 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
174 struct ldb_message_element *el;
175 enum ndr_err_code ndr_err;
179 if (ldb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, NULL) != LDB_SUCCESS ||
181 DEBUG(0,("load_udv: failed to read partition object\n"));
182 talloc_free(tmp_ctx);
183 return WERR_DS_DRA_INTERNAL_ERROR;
186 el = ldb_msg_find_element(res->msgs[0], "replUpToDateVector");
187 if (el == NULL || el->num_values < 1) {
188 talloc_free(tmp_ctx);
193 ndr_err = ndr_pull_struct_blob(&el->values[0],
194 mem_ctx, lp_iconv_convenience(ldb_get_opaque(sam_ctx, "loadparm")),
196 (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
197 talloc_free(tmp_ctx);
198 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
199 DEBUG(0,(__location__ ": Failed to parse replUpToDateVector for %s\n",
200 ldb_dn_get_linearized(dn)));
201 return WERR_DS_DRA_INTERNAL_ERROR;
209 fill in the cursors return based on the replUpToDateVector for the ncRoot_dn
211 static WERROR get_nc_changes_udv(struct ldb_context *sam_ctx,
212 struct ldb_dn *ncRoot_dn,
213 struct drsuapi_DsReplicaCursor2CtrEx *udv)
216 struct drsuapi_DsReplicaCursor2 *tmp_cursor;
217 uint64_t highest_commited_usn;
219 time_t t = time(NULL);
221 struct replUpToDateVectorBlob ouv;
223 werr = load_udv(sam_ctx, udv, ncRoot_dn, &ouv);
224 if (!W_ERROR_IS_OK(werr)) {
228 ret = ldb_sequence_number(sam_ctx, LDB_SEQ_HIGHEST_SEQ, &highest_commited_usn);
229 if (ret != LDB_SUCCESS) {
230 return WERR_DS_DRA_INTERNAL_ERROR;
233 tmp_cursor = talloc(udv, struct drsuapi_DsReplicaCursor2);
234 tmp_cursor->source_dsa_invocation_id = *(samdb_ntds_invocation_id(sam_ctx));
235 tmp_cursor->highest_usn = highest_commited_usn;
236 unix_to_nt_time(&now, t);
237 tmp_cursor->last_sync_success = now;
239 udv->count = ouv.ctr.ctr2.count + 1;
240 udv->cursors = talloc_steal(udv, ouv.ctr.ctr2.cursors);
241 udv->cursors = talloc_realloc(udv, udv->cursors, struct drsuapi_DsReplicaCursor2, udv->count);
243 return WERR_DS_DRA_INTERNAL_ERROR;
245 udv->cursors[udv->count - 1] = *tmp_cursor;
247 qsort(udv->cursors, udv->count,
248 sizeof(struct drsuapi_DsReplicaCursor2),
249 (comparison_fn_t)drsuapi_DsReplicaCursor2_compare);
255 drsuapi_DsGetNCChanges
257 WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
258 struct drsuapi_DsGetNCChanges *r)
260 struct ldb_result *site_res;
261 struct drsuapi_DsReplicaObjectIdentifier *ncRoot;
262 struct ldb_context *sam_ctx;
263 struct ldb_dn *ncRoot_dn;
266 struct dsdb_schema *schema;
267 struct drsuapi_DsReplicaOIDMapping_Ctr *ctr;
268 struct drsuapi_DsReplicaObjectListItemEx **currentObject;
270 DATA_BLOB session_key;
271 const char *attrs[] = { "*", "parentGUID", "distinguishedName", NULL };
274 *r->out.level_out = 6;
275 /* TODO: linked attributes*/
276 r->out.ctr->ctr6.linked_attributes_count = 0;
277 r->out.ctr->ctr6.linked_attributes = NULL;
279 r->out.ctr->ctr6.object_count = 0;
280 r->out.ctr->ctr6.more_data = false;
281 r->out.ctr->ctr6.uptodateness_vector = NULL;
283 /* Check request revision. */
284 if (r->in.level != 8) {
285 return WERR_REVISION_MISMATCH;
288 /* Perform access checks. */
289 if (r->in.req->req8.naming_context == NULL) {
290 return WERR_DS_DRA_INVALID_PARAMETER;
293 ncRoot = r->in.req->req8.naming_context;
294 if (ncRoot == NULL) {
295 return WERR_DS_DRA_BAD_NC;
298 werr = drs_security_level_check(dce_call, "DsGetNCChanges");
299 if (!W_ERROR_IS_OK(werr)) {
304 * connect to the samdb. TODO: We need to check that the caller
305 * has the rights to do this. This exposes all attributes,
306 * including all passwords.
308 sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx,
309 system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
314 /* we need the session key for encrypting password attributes */
315 status = dcesrv_inherited_session_key(dce_call->conn, &session_key);
316 if (!NT_STATUS_IS_OK(status)) {
317 DEBUG(0,(__location__ ": Failed to get session key\n"));
318 return WERR_DS_DRA_INTERNAL_ERROR;
321 /* Construct response. */
322 ncRoot_dn = ldb_dn_new(mem_ctx, sam_ctx, ncRoot->dn);
323 ret = drsuapi_search_with_extended_dn(sam_ctx, mem_ctx, &site_res,
324 ncRoot_dn, LDB_SCOPE_SUBTREE, attrs,
326 "(uSNChanged>=%llu)",
327 (unsigned long long)(r->in.req->req8.highwatermark.highest_usn+1));
328 if (ret != LDB_SUCCESS) {
329 return WERR_DS_DRA_INTERNAL_ERROR;
334 schema = dsdb_get_schema(sam_ctx);
336 DEBUG(0,("No schema in sam_ctx\n"));
337 return WERR_DS_DRA_INTERNAL_ERROR;
340 r->out.ctr->ctr6.naming_context = talloc(mem_ctx, struct drsuapi_DsReplicaObjectIdentifier);
341 *r->out.ctr->ctr6.naming_context = *ncRoot;
343 dsdb_get_oid_mappings_drsuapi(schema, true, mem_ctx, &ctr);
344 r->out.ctr->ctr6.mapping_ctr = *ctr;
346 r->out.ctr->ctr6.source_dsa_guid = *(samdb_ntds_objectGUID(sam_ctx));
347 r->out.ctr->ctr6.source_dsa_invocation_id = *(samdb_ntds_invocation_id(sam_ctx));
349 r->out.ctr->ctr6.old_highwatermark = r->in.req->req8.highwatermark;
350 r->out.ctr->ctr6.new_highwatermark = r->in.req->req8.highwatermark;
352 r->out.ctr->ctr6.uptodateness_vector = talloc(mem_ctx, struct drsuapi_DsReplicaCursor2CtrEx);
353 r->out.ctr->ctr6.uptodateness_vector->version = 2;
354 r->out.ctr->ctr6.uptodateness_vector->reserved1 = 0;
355 r->out.ctr->ctr6.uptodateness_vector->reserved2 = 0;
357 r->out.ctr->ctr6.first_object = NULL;
358 currentObject = &r->out.ctr->ctr6.first_object;
360 for(i=0; i<site_res->count; i++) {
362 struct drsuapi_DsReplicaObjectListItemEx *obj;
363 obj = talloc_zero(mem_ctx, struct drsuapi_DsReplicaObjectListItemEx);
365 uSN = ldb_msg_find_attr_as_int(site_res->msgs[i], "uSNChanged", -1);
366 if (uSN > r->out.ctr->ctr6.new_highwatermark.highest_usn) {
367 r->out.ctr->ctr6.new_highwatermark.tmp_highest_usn = uSN;
368 r->out.ctr->ctr6.new_highwatermark.highest_usn = uSN;
371 werr = get_nc_changes_build_object(obj, site_res->msgs[i], sam_ctx, ncRoot_dn,
372 schema, &session_key, r->in.req->req8.highwatermark.highest_usn);
373 if (!W_ERROR_IS_OK(werr)) {
377 if (obj->meta_data_ctr == NULL) {
378 /* no attributes to send */
383 r->out.ctr->ctr6.object_count++;
385 *currentObject = obj;
386 currentObject = &obj->next_object;
389 werr = get_nc_changes_udv(sam_ctx, ncRoot_dn, r->out.ctr->ctr6.uptodateness_vector);
390 if (!W_ERROR_IS_OK(werr)) {
395 DEBUG(3,("DsGetNCChanges with uSNChanged >= %llu on %s gave %u objects\n",
396 (unsigned long long)(r->in.req->req8.highwatermark.highest_usn+1),
397 ncRoot->dn, r->out.ctr->ctr6.object_count));
399 if (r->out.ctr->ctr6.object_count <= 10 && DEBUGLVL(6)) {
400 NDR_PRINT_FUNCTION_DEBUG(drsuapi_DsGetNCChanges, NDR_IN|NDR_OUT, r);