source4/rpc_server/drsuapi/getncchanges.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    implement the DRSUpdateRefs call
   5
   6    Copyright (C) Anatoliy Atanasov 2009
   7    Copyright (C) Andrew Tridgell 2009
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "librpc/gen_ndr/ndr_drsuapi.h"
  25 #include "rpc_server/dcerpc_server.h"
  26 #include "rpc_server/common/common.h"
  27 #include "dsdb/samdb/samdb.h"
  28 #include "lib/ldb/include/ldb_errors.h"
  29 #include "param/param.h"
  30 #include "librpc/gen_ndr/ndr_drsblobs.h"
  31 #include "auth/auth.h"
  32 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
  33 #include "rpc_server/dcerpc_server_proto.h"
  34 #include "../libcli/drsuapi/drsuapi.h"
  35 #include "../libcli/security/dom_sid.h"
  36
  37 /*
  38   drsuapi_DsGetNCChanges for one object
  39 */
  40 static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItemEx *obj,
  41                                           struct ldb_message *msg,
  42                                           struct ldb_context *sam_ctx,
  43                                           struct ldb_dn *ncRoot_dn,
  44                                           struct dsdb_schema *schema,
  45                                           DATA_BLOB *session_key)
  46 {
  47         const struct ldb_val *md_value;
  48         int i;
  49         struct ldb_dn *obj_dn;
  50         struct replPropertyMetaDataBlob md;
  51         struct dom_sid *sid;
  52         uint32_t rid = 0;
  53
  54         if (ldb_dn_compare(ncRoot_dn, msg->dn) == 0) {
  55                 obj->is_nc_prefix = true;
  56                 obj->parent_object_guid = NULL;
  57         } else {
  58                 obj->is_nc_prefix = false;
  59                 obj->parent_object_guid = talloc(obj, struct GUID);
  60                 *obj->parent_object_guid = samdb_result_guid(msg, "parentGUID");
  61         }
  62         obj->next_object = NULL;
  63
  64         obj->meta_data_ctr = talloc(obj, struct drsuapi_DsReplicaMetaDataCtr);
  65         md_value = ldb_msg_find_ldb_val(msg, "replPropertyMetaData");
  66         if (md_value) {
  67                 enum ndr_err_code ndr_err;
  68                 ndr_err = ndr_pull_struct_blob(md_value, obj,
  69                                                lp_iconv_convenience(ldb_get_opaque(sam_ctx, "loadparm")), &md,
  70                                                (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
  71                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
  72                         return WERR_DS_DRA_INTERNAL_ERROR;
  73                 }
  74
  75                 if (md.version != 1) {
  76                         return WERR_DS_DRA_INTERNAL_ERROR;
  77                 }
  78
  79                 obj->meta_data_ctr->count = md.ctr.ctr1.count;
  80                 obj->meta_data_ctr->meta_data = talloc_array(obj, struct drsuapi_DsReplicaMetaData, md.ctr.ctr1.count);
  81                 for (i=0; i<md.ctr.ctr1.count; i++) {
  82                         obj->meta_data_ctr->meta_data[i].originating_change_time = md.ctr.ctr1.array[i].originating_change_time;
  83                         obj->meta_data_ctr->meta_data[i].version = md.ctr.ctr1.array[i].version;
  84                         obj->meta_data_ctr->meta_data[i].originating_invocation_id = md.ctr.ctr1.array[i].originating_invocation_id;
  85                         obj->meta_data_ctr->meta_data[i].originating_usn = md.ctr.ctr1.array[i].originating_usn;
  86                 }
  87         } else {
  88                 obj->meta_data_ctr->meta_data = talloc(obj, struct drsuapi_DsReplicaMetaData);
  89                 obj->meta_data_ctr->count = 0;
  90                 ZERO_STRUCT(md);
  91         }
  92         obj->object.identifier = talloc(obj, struct drsuapi_DsReplicaObjectIdentifier);
  93         obj_dn = ldb_msg_find_attr_as_dn(sam_ctx, obj, msg, "distinguishedName");
  94         obj->object.identifier->dn = ldb_dn_get_linearized(obj_dn);
  95         obj->object.identifier->guid = samdb_result_guid(msg, "objectGUID");
  96         sid = samdb_result_dom_sid(obj, msg, "objectSid");
  97         if (sid) {
  98                 dom_sid_split_rid(NULL, sid, NULL, &rid);
  99                 obj->object.identifier->sid = *sid;
 100         } else {
 101                 ZERO_STRUCT(obj->object.identifier->sid);
 102         }
 103
 104         obj->object.attribute_ctr.num_attributes = obj->meta_data_ctr->count;
 105         obj->object.attribute_ctr.attributes = talloc_array(obj, struct drsuapi_DsReplicaAttribute,
 106                                                             obj->object.attribute_ctr.num_attributes);
 107
 108         /*
 109          * Note that the meta_data array and the attributes array must
 110          * be the same size and in the same order
 111          */
 112         for (i=0; i<obj->object.attribute_ctr.num_attributes; i++) {
 113                 const struct dsdb_attribute *sa;
 114                 struct ldb_message_element *el;
 115                 WERROR werr;
 116
 117                 sa = dsdb_attribute_by_attributeID_id(schema, md.ctr.ctr1.array[i].attid);
 118                 if (!sa) {
 119                         DEBUG(0,("Unable to find attributeID %u in schema\n", md.ctr.ctr1.array[i].attid));
 120                         return WERR_DS_DRA_INTERNAL_ERROR;
 121                 }
 122
 123                 el = ldb_msg_find_element(msg, sa->lDAPDisplayName);
 124                 if (el == NULL) {
 125                         DEBUG(0,("No element '%s' for attributeID %u in message\n",
 126                                  sa->lDAPDisplayName, md.ctr.ctr1.array[i].attid));
 127                         ZERO_STRUCT(obj->object.attribute_ctr.attributes[i]);
 128                         obj->object.attribute_ctr.attributes[i].attid = md.ctr.ctr1.array[i].attid;
 129                 } else {
 130                         werr = dsdb_attribute_ldb_to_drsuapi(sam_ctx, schema, el, obj,
 131                                                              &obj->object.attribute_ctr.attributes[i]);
 132                         if (!W_ERROR_IS_OK(werr)) {
 133                                 DEBUG(0,("Unable to convert %s to DRS object - %s\n",
 134                                          sa->lDAPDisplayName, win_errstr(werr)));
 135                                 return werr;
 136                         }
 137
 138                         /* some attributes needs to be encrypted
 139                            before being sent */
 140                         werr = drsuapi_encrypt_attribute(obj, session_key, rid,
 141                                                          &obj->object.attribute_ctr.attributes[i]);
 142                         if (!W_ERROR_IS_OK(werr)) {
 143                                 DEBUG(0,("Unable to encrypt %s in DRS object - %s\n",
 144                                          sa->lDAPDisplayName, win_errstr(werr)));
 145                                 return werr;
 146                         }
 147                 }
 148         }
 149
 150         return WERR_OK;
 151 }
 152
 153 static int replmd_drsuapi_DsReplicaCursor2_compare(const struct drsuapi_DsReplicaCursor2 *c1,
 154                                                    const struct drsuapi_DsReplicaCursor2 *c2)
 155 {
 156         return GUID_compare(&c1->source_dsa_invocation_id, &c2->source_dsa_invocation_id);
 157 }
 158
 159 static WERROR get_nc_changes_udv(struct drsuapi_DsReplicaCursor2CtrEx *udv,
 160                                  struct ldb_message *msg,
 161                                  struct ldb_context *sam_ctx)
 162 {
 163         uint32_t it_value;
 164
 165         it_value = ldb_msg_find_attr_as_uint(msg, "instanceType", 0);
 166         if ((it_value & INSTANCE_TYPE_IS_NC_HEAD) == INSTANCE_TYPE_IS_NC_HEAD) {
 167                 const struct ldb_val *ouv_value;
 168                 struct drsuapi_DsReplicaCursor2 *tmp_cursor;
 169                 uint64_t highest_commited_usn;
 170                 NTTIME now;
 171                 time_t t = time(NULL);
 172
 173                 int ret = ldb_sequence_number(sam_ctx, LDB_SEQ_HIGHEST_SEQ, &highest_commited_usn);
 174                 if (ret != LDB_SUCCESS) {
 175                         return WERR_DS_DRA_INTERNAL_ERROR;
 176                 }
 177                 tmp_cursor = talloc(udv, struct drsuapi_DsReplicaCursor2);
 178                 tmp_cursor->source_dsa_invocation_id = *(samdb_ntds_invocation_id(sam_ctx));
 179                 tmp_cursor->highest_usn = highest_commited_usn;
 180                 unix_to_nt_time(&now, t);
 181                 tmp_cursor->last_sync_success = now;
 182
 183                 ouv_value = ldb_msg_find_ldb_val(msg, "replUpToDateVector");
 184                 if (ouv_value) {
 185                         struct replUpToDateVectorBlob ouv;
 186                         enum ndr_err_code ndr_err;
 187
 188                         ndr_err = ndr_pull_struct_blob(ouv_value, udv,
 189                                                        lp_iconv_convenience(ldb_get_opaque(sam_ctx, "loadparm")), &ouv,
 190                                                        (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
 191                         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 192                                 return WERR_DS_DRA_INTERNAL_ERROR;
 193                         }
 194                         if (ouv.version != 2) {
 195                                 return WERR_DS_DRA_INTERNAL_ERROR;
 196                         }
 197
 198                         udv->count = ouv.ctr.ctr2.count + 1;
 199                         udv->cursors = talloc_steal(udv, ouv.ctr.ctr2.cursors);
 200                         udv->cursors = talloc_realloc(udv, udv->cursors, struct drsuapi_DsReplicaCursor2, udv->count);
 201                         if (!udv->cursors) {
 202                                 return WERR_DS_DRA_INTERNAL_ERROR;
 203                         }
 204                         udv->cursors[udv->count - 1] = *tmp_cursor;
 205
 206                         qsort(udv->cursors, udv->count,
 207                               sizeof(struct drsuapi_DsReplicaCursor2),
 208                               (comparison_fn_t)replmd_drsuapi_DsReplicaCursor2_compare);
 209                 } else {
 210                         udv->count = 1;
 211                         udv->cursors = talloc_steal(udv, tmp_cursor);
 212                 }
 213         }
 214
 215         return WERR_OK;
 216 }
 217
 218 /*
 219   drsuapi_DsGetNCChanges
 220 */
 221 WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 222                                      struct drsuapi_DsGetNCChanges *r)
 223 {
 224         struct ldb_result *site_res;
 225         struct drsuapi_DsReplicaObjectIdentifier *ncRoot;
 226         struct ldb_context *sam_ctx;
 227         struct ldb_dn *ncRoot_dn;
 228         int ret;
 229         int i;
 230         struct dsdb_schema *schema;
 231         struct drsuapi_DsReplicaOIDMapping_Ctr *ctr;
 232         struct drsuapi_DsReplicaObjectListItemEx *currentObject;
 233         NTSTATUS status;
 234         DATA_BLOB session_key;
 235         const char *attrs[] = { "*", "parentGUID", NULL };
 236
 237         /*
 238          * connect to the samdb. TODO: We need to check that the caller
 239          * has the rights to do this. This exposes all attributes,
 240          * including all passwords.
 241          */
 242         sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx,
 243                                 system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
 244         if (!sam_ctx) {
 245                 return WERR_FOOBAR;
 246         }
 247
 248         /* Check request revision. */
 249         if (r->in.level != 8) {
 250                 return WERR_REVISION_MISMATCH;
 251         }
 252
 253         /* Perform access checks. */
 254         if (r->in.req->req8.naming_context == NULL) {
 255                 return WERR_DS_DRA_INVALID_PARAMETER;
 256         }
 257
 258         ncRoot = r->in.req->req8.naming_context;
 259         if (ncRoot == NULL) {
 260                 return WERR_DS_DRA_BAD_NC;
 261         }
 262
 263         DEBUG(4,("DsGetNSChanges with uSNChanged >= %llu\n",
 264                  (unsigned long long)r->in.req->req8.highwatermark.highest_usn));
 265
 266         /* we need the session key for encrypting password attributes */
 267         status = dcesrv_inherited_session_key(dce_call->conn, &session_key);
 268         if (!NT_STATUS_IS_OK(status)) {
 269                 DEBUG(0,(__location__ ": Failed to get session key\n"));
 270                 return WERR_DS_DRA_INTERNAL_ERROR;
 271         }
 272
 273         /* Construct response. */
 274         ncRoot_dn = ldb_dn_new(mem_ctx, sam_ctx, ncRoot->dn);
 275         ret = drsuapi_search_with_extended_dn(sam_ctx, mem_ctx, &site_res,
 276                                               ncRoot_dn, LDB_SCOPE_SUBTREE, attrs,
 277                                               "(&(uSNChanged>=%llu)(objectClass=*))",
 278                                               (unsigned long long)r->in.req->req8.highwatermark.highest_usn);
 279         if (ret != LDB_SUCCESS) {
 280                 return WERR_DS_DRA_INTERNAL_ERROR;
 281         }
 282
 283         *r->out.level_out = 6;
 284         r->out.ctr->ctr6.naming_context = talloc(mem_ctx, struct drsuapi_DsReplicaObjectIdentifier);
 285         *r->out.ctr->ctr6.naming_context = *ncRoot;
 286         /* TODO: linked attributes*/
 287         r->out.ctr->ctr6.linked_attributes_count = 0;
 288         r->out.ctr->ctr6.linked_attributes = NULL;
 289
 290         r->out.ctr->ctr6.object_count = 0;
 291         r->out.ctr->ctr6.more_data = false;
 292         r->out.ctr->ctr6.uptodateness_vector = NULL;
 293
 294         /* Prefix mapping */
 295         schema = dsdb_get_schema(sam_ctx);
 296         if (!schema) {
 297                 DEBUG(0,("No schema in sam_ctx\n"));
 298                 return WERR_DS_DRA_INTERNAL_ERROR;
 299         }
 300
 301         dsdb_get_oid_mappings_drsuapi(schema, true, mem_ctx, &ctr);
 302         r->out.ctr->ctr6.mapping_ctr = *ctr;
 303
 304         r->out.ctr->ctr6.source_dsa_guid = *(samdb_ntds_objectGUID(sam_ctx));
 305         r->out.ctr->ctr6.source_dsa_invocation_id = *(samdb_ntds_invocation_id(sam_ctx));
 306
 307         r->out.ctr->ctr6.old_highwatermark = r->in.req->req8.highwatermark;
 308         r->out.ctr->ctr6.new_highwatermark = r->in.req->req8.highwatermark;
 309
 310         r->out.ctr->ctr6.uptodateness_vector = talloc(mem_ctx, struct drsuapi_DsReplicaCursor2CtrEx);
 311         r->out.ctr->ctr6.uptodateness_vector->version = 2;
 312         r->out.ctr->ctr6.uptodateness_vector->reserved1 = 0;
 313         r->out.ctr->ctr6.uptodateness_vector->reserved2 = 0;
 314
 315         r->out.ctr->ctr6.first_object = talloc(mem_ctx, struct drsuapi_DsReplicaObjectListItemEx);
 316         currentObject = r->out.ctr->ctr6.first_object;
 317
 318         for(i=0; i<site_res->count; i++) {
 319                 int uSN;
 320                 WERROR werr;
 321
 322                 uSN = ldb_msg_find_attr_as_int(site_res->msgs[i], "uSNChanged", -1);
 323                 r->out.ctr->ctr6.object_count++;
 324                 if (uSN > r->out.ctr->ctr6.new_highwatermark.highest_usn) {
 325                         r->out.ctr->ctr6.new_highwatermark.highest_usn = uSN;
 326                 }
 327
 328                 werr = get_nc_changes_build_object(currentObject, site_res->msgs[i], sam_ctx, ncRoot_dn,
 329                                                    schema, &session_key);
 330                 if (!W_ERROR_IS_OK(werr)) {
 331                         r->out.ctr->ctr6.first_object = NULL;
 332                         return werr;
 333                 }
 334
 335                 werr = get_nc_changes_udv(r->out.ctr->ctr6.uptodateness_vector, site_res->msgs[i], sam_ctx);
 336                 if (!W_ERROR_IS_OK(werr)) {
 337                         return werr;
 338                 }
 339
 340                 if (i == (site_res->count-1)) {
 341                         break;
 342                 }
 343                 currentObject->next_object = talloc_zero(mem_ctx, struct drsuapi_DsReplicaObjectListItemEx);
 344                 currentObject = currentObject->next_object;
 345         }
 346
 347         return WERR_OK;
 348 }