X-Git-Url: http://git.samba.org/?a=blobdiff_plain;f=source4%2Fdsdb%2Fsamdb%2Fldb_modules%2Fsamldb.c;h=cd13900bf5a9c0cdd89e07e475bdcc4420e3711b;hb=62ee2a5caf8b8e7750a650c7ebc9729beda48a89;hp=385be493b3fc1e46956a434e6914d12223073a32;hpb=9a3810fbb234c4c2a401e6940643ee161e83bb4f;p=obnox%2Fsamba%2Fsamba-obnox.git diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 385be493b3f..cd13900bf5a 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -3,7 +3,8 @@ Copyright (C) Andrew Bartlett 2005 Copyright (C) Simo Sorce 2004-2008 - Copyright (C) Matthias Dieter Wallnöfer 2009-2010 + Copyright (C) Matthias Dieter Wallnöfer 2009-2011 + Copyright (C) Matthieu Patou 2012 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -37,11 +38,17 @@ #include "dsdb/samdb/ldb_modules/ridalloc.h" #include "libcli/security/security.h" #include "librpc/gen_ndr/ndr_security.h" -#include "../lib/util/util_ldb.h" #include "ldb_wrap.h" #include "param/param.h" +#include "libds/common/flag_mapping.h" struct samldb_ctx; +enum samldb_add_type { + SAMLDB_TYPE_USER, + SAMLDB_TYPE_GROUP, + SAMLDB_TYPE_CLASS, + SAMLDB_TYPE_ATTRIBUTE +}; typedef int (*samldb_step_fn_t)(struct samldb_ctx *); @@ -55,7 +62,7 @@ struct samldb_ctx { struct ldb_request *req; /* used for add operations */ - const char *type; + enum samldb_add_type type; /* the resulting message */ struct ldb_message *msg; @@ -133,8 +140,8 @@ static int samldb_next_step(struct samldb_ctx *ac) return ac->curstep->fn(ac); } - /* we exit the samldb module here */ - /* If someone set an ares to forward controls and response back to the caller, use them */ + /* We exit the samldb module here. If someone set an "ares" to forward + * controls and response back to the caller, use them. */ if (ac->ares) { return ldb_module_done(ac->req, ac->ares->controls, ac->ares->response, LDB_SUCCESS); @@ -146,7 +153,8 @@ static int samldb_next_step(struct samldb_ctx *ac) /* sAMAccountName handling */ -static int samldb_generate_sAMAccountName(struct ldb_context *ldb, struct ldb_message *msg) +static int samldb_generate_sAMAccountName(struct ldb_context *ldb, + struct ldb_message *msg) { char *name; @@ -167,6 +175,8 @@ static int samldb_check_sAMAccountName(struct samldb_ctx *ac) struct ldb_context *ldb = ldb_module_get_ctx(ac->module); const char *name; int ret; + struct ldb_result *res; + const char * const noattrs[] = { NULL }; if (ldb_msg_find_element(ac->msg, "sAMAccountName") == NULL) { ret = samldb_generate_sAMAccountName(ldb, ac->msg); @@ -177,17 +187,29 @@ static int samldb_check_sAMAccountName(struct samldb_ctx *ac) name = ldb_msg_find_attr_as_string(ac->msg, "sAMAccountName", NULL); if (name == NULL) { - return ldb_operr(ldb); + /* The "sAMAccountName" cannot be nothing */ + ldb_set_errstring(ldb, + "samldb: Empty account names aren't allowed!"); + return LDB_ERR_CONSTRAINT_VIOLATION; } - ret = samdb_search_count(ldb, NULL, "(sAMAccountName=%s)", + ret = dsdb_module_search(ac->module, ac, &res, + ldb_get_default_basedn(ldb), LDB_SCOPE_SUBTREE, noattrs, + DSDB_FLAG_NEXT_MODULE, + ac->req, + "(sAMAccountName=%s)", ldb_binary_encode_string(ac, name)); - if ((ret < 0) || (ret > 1)) { - return ldb_operr(ldb); + if (ret != LDB_SUCCESS) { + return ret; } - if (ret == 1) { + if (res->count != 0) { + ldb_asprintf_errstring(ldb, + "samldb: Account name (sAMAccountName) '%s' already in use!", + name); + talloc_free(res); return LDB_ERR_ENTRY_ALREADY_EXISTS; } + talloc_free(res); return samldb_next_step(ac); } @@ -217,7 +239,7 @@ static int samldb_allocate_sid(struct samldb_ctx *ac) struct ldb_context *ldb = ldb_module_get_ctx(ac->module); int ret; - ret = ridalloc_allocate_rid(ac->module, &rid); + ret = ridalloc_allocate_rid(ac->module, &rid, ac->req); if (ret != LDB_SUCCESS) { return ret; } @@ -237,16 +259,21 @@ static int samldb_allocate_sid(struct samldb_ctx *ac) /* see if a krbtgt_number is available */ -static bool samldb_krbtgtnumber_available(struct samldb_ctx *ac, unsigned krbtgt_number) +static bool samldb_krbtgtnumber_available(struct samldb_ctx *ac, + uint32_t krbtgt_number) { TALLOC_CTX *tmp_ctx = talloc_new(ac); struct ldb_result *res; - const char *attrs[] = { NULL }; + const char * const no_attrs[] = { NULL }; int ret; - ret = dsdb_module_search(ac->module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE, - attrs, DSDB_FLAG_NEXT_MODULE, - "msDC-SecondaryKrbTgtNumber=%u", krbtgt_number); + ret = dsdb_module_search(ac->module, tmp_ctx, &res, + ldb_get_default_basedn(ldb_module_get_ctx(ac->module)), + LDB_SCOPE_SUBTREE, no_attrs, + DSDB_FLAG_NEXT_MODULE, + ac->req, + "(msDC-SecondaryKrbTgtNumber=%u)", + krbtgt_number); if (ret == LDB_SUCCESS && res->count == 0) { talloc_free(tmp_ctx); return true; @@ -259,9 +286,10 @@ static bool samldb_krbtgtnumber_available(struct samldb_ctx *ac, unsigned krbtgt static int samldb_rodc_add(struct samldb_ctx *ac) { struct ldb_context *ldb = ldb_module_get_ctx(ac->module); - unsigned krbtgt_number, i_start, i; + uint32_t krbtgt_number, i_start, i; int ret; char *newpass; + struct ldb_val newpass_utf16; /* find a unused msDC-SecondaryKrbTgtNumber */ i_start = generate_random() & 0xFFFF; @@ -282,33 +310,46 @@ static int samldb_rodc_add(struct samldb_ctx *ac) } } - ldb_asprintf_errstring(ldb_module_get_ctx(ac->module), + ldb_asprintf_errstring(ldb, "%08X: Unable to find available msDS-SecondaryKrbTgtNumber", W_ERROR_V(WERR_NO_SYSTEM_RESOURCES)); return LDB_ERR_OTHER; found: - ret = ldb_msg_add_empty(ac->msg, "msDS-SecondaryKrbTgtNumber", LDB_FLAG_INTERNAL_DISABLE_VALIDATION, NULL); + ret = ldb_msg_add_empty(ac->msg, "msDS-SecondaryKrbTgtNumber", + LDB_FLAG_INTERNAL_DISABLE_VALIDATION, NULL); if (ret != LDB_SUCCESS) { return ldb_operr(ldb); } - ret = ldb_msg_add_fmt(ac->msg, "msDS-SecondaryKrbTgtNumber", "%u", krbtgt_number); + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, + "msDS-SecondaryKrbTgtNumber", krbtgt_number); if (ret != LDB_SUCCESS) { return ldb_operr(ldb); } - ret = ldb_msg_add_fmt(ac->msg, "sAMAccountName", "krbtgt_%u", krbtgt_number); + ret = ldb_msg_add_fmt(ac->msg, "sAMAccountName", "krbtgt_%u", + krbtgt_number); if (ret != LDB_SUCCESS) { return ldb_operr(ldb); } - newpass = generate_random_password(ac, 128, 255); + newpass = generate_random_password(ac->msg, 128, 255); if (newpass == NULL) { return ldb_operr(ldb); } - ret = ldb_msg_add_steal_string(ac->msg, "clearTextPassword", newpass); + if (!convert_string_talloc(ac, + CH_UNIX, CH_UTF16, + newpass, strlen(newpass), + (void *)&newpass_utf16.data, + &newpass_utf16.length)) { + ldb_asprintf_errstring(ldb, + "samldb_rodc_add: " + "failed to generate UTF16 password from random password"); + return LDB_ERR_OPERATIONS_ERROR; + } + ret = ldb_msg_add_steal_value(ac->msg, "clearTextPassword", &newpass_utf16); if (ret != LDB_SUCCESS) { return ldb_operr(ldb); } @@ -320,14 +361,16 @@ static int samldb_find_for_defaultObjectCategory(struct samldb_ctx *ac) { struct ldb_context *ldb = ldb_module_get_ctx(ac->module); struct ldb_result *res; - const char *no_attrs[] = { NULL }; + const char * const no_attrs[] = { NULL }; int ret; ac->res_dn = NULL; ret = dsdb_module_search(ac->module, ac, &res, ac->dn, LDB_SCOPE_BASE, no_attrs, - DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT | DSDB_FLAG_NEXT_MODULE, + DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT + | DSDB_FLAG_NEXT_MODULE, + ac->req, "(objectClass=classSchema)"); if (ret == LDB_ERR_NO_SUCH_OBJECT) { /* Don't be pricky when the DN doesn't exist if we have the */ @@ -344,6 +387,30 @@ static int samldb_find_for_defaultObjectCategory(struct samldb_ctx *ac) return ret; } + if (ret == LDB_SUCCESS) { + /* ensure the defaultObjectCategory has a full GUID */ + struct ldb_message *m; + m = ldb_msg_new(ac->msg); + if (m == NULL) { + return ldb_oom(ldb); + } + m->dn = ac->msg->dn; + if (ldb_msg_add_string(m, "defaultObjectCategory", + ldb_dn_get_extended_linearized(m, res->msgs[0]->dn, 1)) != + LDB_SUCCESS) { + return ldb_oom(ldb); + } + m->elements[0].flags = LDB_FLAG_MOD_REPLACE; + + ret = dsdb_module_modify(ac->module, m, + DSDB_FLAG_NEXT_MODULE, + ac->req); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + ac->res_dn = ac->dn; return samldb_next_step(ac); @@ -358,16 +425,19 @@ static int samldb_add_handle_msDS_IntId(struct samldb_ctx *ac) int ret; bool id_exists; uint32_t msds_intid; - uint32_t system_flags; + int32_t system_flags; struct ldb_context *ldb; struct ldb_result *ldb_res; struct ldb_dn *schema_dn; + struct samldb_msds_intid_persistant *msds_intid_struct; + struct dsdb_schema *schema; ldb = ldb_module_get_ctx(ac->module); schema_dn = ldb_get_schema_basedn(ldb); /* replicated update should always go through */ - if (ldb_request_get_control(ac->req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) { + if (ldb_request_get_control(ac->req, + DSDB_CONTROL_REPLICATED_UPDATE_OID)) { return LDB_SUCCESS; } @@ -388,41 +458,102 @@ static int samldb_add_handle_msDS_IntId(struct samldb_ctx *ac) } /* check systemFlags for SCHEMA_BASE_OBJECT flag */ - system_flags = ldb_msg_find_attr_as_uint(ac->msg, "systemFlags", 0); + system_flags = ldb_msg_find_attr_as_int(ac->msg, "systemFlags", 0); if (system_flags & SYSTEM_FLAG_SCHEMA_BASE_OBJECT) { return LDB_SUCCESS; } + schema = dsdb_get_schema(ldb, NULL); + if (!schema) { + ldb_debug_set(ldb, LDB_DEBUG_FATAL, + "samldb_schema_info_update: no dsdb_schema loaded"); + DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb))); + return ldb_operr(ldb); + } - /* Generate new value for msDs-IntId - * Value should be in 0x80000000..0xBFFFFFFF range */ - msds_intid = generate_random() % 0X3FFFFFFF; - msds_intid += 0x80000000; + msds_intid_struct = (struct samldb_msds_intid_persistant*) ldb_get_opaque(ldb, SAMLDB_MSDS_INTID_OPAQUE); + if (!msds_intid_struct) { + msds_intid_struct = talloc(ldb, struct samldb_msds_intid_persistant); + /* Generate new value for msDs-IntId + * Value should be in 0x80000000..0xBFFFFFFF range */ + msds_intid = generate_random() % 0X3FFFFFFF; + msds_intid += 0x80000000; + msds_intid_struct->msds_intid = msds_intid; + msds_intid_struct->usn = schema->loaded_usn; + DEBUG(2, ("No samldb_msds_intid_persistant struct, allocating a new one\n")); + } else { + msds_intid = msds_intid_struct->msds_intid; + } /* probe id values until unique one is found */ do { + uint64_t current_usn; msds_intid++; if (msds_intid > 0xBFFFFFFF) { msds_intid = 0x80000001; } + /* + * Alternative strategy to a costly (even indexed search) to the + * database. + * We search in the schema if we have already this intid (using dsdb_attribute_by_attributeID_id because + * in the range 0x80000000 0xBFFFFFFFF, attributeID is a DSDB_ATTID_TYPE_INTID). + * If so generate another random value. + * If not check if the highest USN in the database for the schema partition is the + * one that we know. + * If so it means that's only this ldb context that is touching the schema in the database. + * If not it means that's someone else has modified the database while we are doing our changes too + * (this case should be very bery rare) in order to be sure do the search in the database. + */ + if (dsdb_attribute_by_attributeID_id(schema, msds_intid)) { + msds_intid = generate_random() % 0X3FFFFFFF; + msds_intid += 0x80000000; + continue; + } - ret = dsdb_module_search(ac->module, ac, - &ldb_res, - schema_dn, LDB_SCOPE_ONELEVEL, NULL, - DSDB_FLAG_NEXT_MODULE, - "(msDS-IntId=%d)", msds_intid); + ret = dsdb_module_load_partition_usn(ac->module, schema->base_dn, ¤t_usn, NULL, NULL); if (ret != LDB_SUCCESS) { ldb_debug_set(ldb, LDB_DEBUG_ERROR, - __location__": Searching for msDS-IntId=%d failed - %s\n", - msds_intid, + __location__": Searching for schema USN failed: %s\n", ldb_errstring(ldb)); return ldb_operr(ldb); } - id_exists = (ldb_res->count > 0); - talloc_free(ldb_res); + /* current_usn can be lesser than msds_intid_struct-> if there is + * uncommited changes. + */ + if (current_usn > msds_intid_struct->usn) { + /* oups something has changed, someone/something + * else is modifying or has modified the schema + * we'd better check this intid is the database directly + */ + + DEBUG(2, ("Schema has changed, searching the database for the unicity of %d\n", + msds_intid)); + + ret = dsdb_module_search(ac->module, ac, + &ldb_res, + schema_dn, LDB_SCOPE_ONELEVEL, NULL, + DSDB_FLAG_NEXT_MODULE, + ac->req, + "(msDS-IntId=%d)", msds_intid); + if (ret != LDB_SUCCESS) { + ldb_debug_set(ldb, LDB_DEBUG_ERROR, + __location__": Searching for msDS-IntId=%d failed - %s\n", + msds_intid, + ldb_errstring(ldb)); + return ldb_operr(ldb); + } + id_exists = (ldb_res->count > 0); + talloc_free(ldb_res); + } else { + id_exists = 0; + } + } while(id_exists); + msds_intid_struct->msds_intid = msds_intid; + ldb_set_opaque(ldb, SAMLDB_MSDS_INTID_OPAQUE, msds_intid_struct); - return ldb_msg_add_fmt(ac->msg, "msDS-IntId", "%d", msds_intid); + return samdb_msg_add_int(ldb, ac->msg, ac->msg, "msDS-IntId", + msds_intid); } @@ -454,8 +585,7 @@ static int samldb_add_entry_callback(struct ldb_request *req, ares->response, ares->error); } if (ares->type != LDB_REPLY_DONE) { - ldb_set_errstring(ldb, - "Invalid reply type!\n"); + ldb_asprintf_errstring(ldb, "Invalid LDB reply type %d", ares->type); return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); } @@ -501,7 +631,8 @@ static bool check_rodc_critical_attribute(struct ldb_message *msg) schemaFlagsEx = ldb_msg_find_attr_as_uint(msg, "schemaFlagsEx", 0); searchFlags = ldb_msg_find_attr_as_uint(msg, "searchFlags", 0); - rodc_filtered_flags = (SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL); + rodc_filtered_flags = (SEARCH_FLAG_RODC_ATTRIBUTE + | SEARCH_FLAG_CONFIDENTIAL); if ((schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) && ((searchFlags & rodc_filtered_flags) == rodc_filtered_flags)) { @@ -517,8 +648,9 @@ static int samldb_fill_object(struct samldb_ctx *ac) struct ldb_context *ldb = ldb_module_get_ctx(ac->module); int ret; - /* Add informations for the different account types */ - if (strcmp(ac->type, "user") == 0) { + /* Add information for the different account types */ + switch(ac->type) { + case SAMLDB_TYPE_USER: { struct ldb_control *rodc_control = ldb_request_get_control(ac->req, LDB_CONTROL_RODC_DCPROMO_OID); if (rodc_control != NULL) { @@ -534,17 +666,28 @@ static int samldb_fill_object(struct samldb_ctx *ac) ret = samldb_add_step(ac, samldb_add_entry); if (ret != LDB_SUCCESS) return ret; + break; + } - } else if (strcmp(ac->type, "group") == 0) { + case SAMLDB_TYPE_GROUP: { /* check if we have a valid sAMAccountName */ ret = samldb_add_step(ac, samldb_check_sAMAccountName); if (ret != LDB_SUCCESS) return ret; ret = samldb_add_step(ac, samldb_add_entry); if (ret != LDB_SUCCESS) return ret; + break; + } - } else if (strcmp(ac->type, "classSchema") == 0) { + case SAMLDB_TYPE_CLASS: { const struct ldb_val *rdn_value, *def_obj_cat_val; + unsigned int v = ldb_msg_find_attr_as_uint(ac->msg, "objectClassCategory", -2); + + /* As discussed with Microsoft through dochelp in April 2012 this is the behavior of windows*/ + if (!ldb_msg_find_element(ac->msg, "subClassOf")) { + ret = ldb_msg_add_string(ac->msg, "subClassOf", "top"); + if (ret != LDB_SUCCESS) return ret; + } ret = samdb_find_or_add_attribute(ldb, ac->msg, "rdnAttId", "cn"); @@ -559,11 +702,14 @@ static int samldb_fill_object(struct samldb_ctx *ac) } rdn_value = ldb_dn_get_rdn_val(ac->msg->dn); + if (rdn_value == NULL) { + return ldb_operr(ldb); + } if (!ldb_msg_find_element(ac->msg, "lDAPDisplayName")) { /* the RDN has prefix "CN" */ ret = ldb_msg_add_string(ac->msg, "lDAPDisplayName", - samdb_cn_to_lDAPDisplayName(ac, - (const char *) rdn_value->data)); + samdb_cn_to_lDAPDisplayName(ac->msg, + (const char *) rdn_value->data)); if (ret != LDB_SUCCESS) { ldb_oom(ldb); return ret; @@ -603,9 +749,8 @@ static int samldb_fill_object(struct samldb_ctx *ac) * caller. Use the entry DN for it. */ ac->dn = ac->msg->dn; - ret = samdb_msg_add_string(ldb, ac->msg, ac->msg, - "defaultObjectCategory", - ldb_dn_get_linearized(ac->dn)); + ret = ldb_msg_add_string(ac->msg, "defaultObjectCategory", + ldb_dn_alloc_linearized(ac->msg, ac->dn)); if (ret != LDB_SUCCESS) { ldb_oom(ldb); return ret; @@ -620,14 +765,29 @@ static int samldb_fill_object(struct samldb_ctx *ac) ret = samldb_add_step(ac, samldb_find_for_defaultObjectCategory); if (ret != LDB_SUCCESS) return ret; - } else if (strcmp(ac->type, "attributeSchema") == 0) { + /* -2 is not a valid objectClassCategory so it means the attribute wasn't present */ + if (v == -2) { + /* Windows 2003 does this*/ + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "objectClassCategory", 0); + if (ret != LDB_SUCCESS) { + return ret; + } + } + break; + } + + case SAMLDB_TYPE_ATTRIBUTE: { const struct ldb_val *rdn_value; + struct ldb_message_element *el; rdn_value = ldb_dn_get_rdn_val(ac->msg->dn); + if (rdn_value == NULL) { + return ldb_operr(ldb); + } if (!ldb_msg_find_element(ac->msg, "lDAPDisplayName")) { /* the RDN has prefix "CN" */ ret = ldb_msg_add_string(ac->msg, "lDAPDisplayName", samdb_cn_to_lDAPDisplayName(ac->msg, - (const char *) rdn_value->data)); + (const char *) rdn_value->data)); if (ret != LDB_SUCCESS) { ldb_oom(ldb); return ret; @@ -637,7 +797,8 @@ static int samldb_fill_object(struct samldb_ctx *ac) /* do not allow to mark an attributeSchema as RODC filtered if it * is system-critical */ if (check_rodc_critical_attribute(ac->msg)) { - ldb_asprintf_errstring(ldb, "Refusing schema add of %s - cannot combine critical attribute with RODC filtering", + ldb_asprintf_errstring(ldb, + "samldb: refusing schema add of %s - cannot combine critical attribute with RODC filtering", ldb_dn_get_linearized(ac->msg->dn)); return LDB_ERR_UNWILLING_TO_PERFORM; } @@ -657,17 +818,51 @@ static int samldb_fill_object(struct samldb_ctx *ac) } } + el = ldb_msg_find_element(ac->msg, "attributeSyntax"); + if (el) { + /* + * No need to scream if there isn't as we have code later on + * that will take care of it. + */ + const struct dsdb_syntax *syntax = find_syntax_map_by_ad_oid((const char *)el->values[0].data); + if (!syntax) { + DEBUG(9, ("Can't find dsdb_syntax object for attributeSyntax %s\n", + (const char *)el->values[0].data)); + } else { + unsigned int v = ldb_msg_find_attr_as_uint(ac->msg, "oMSyntax", 0); + const struct ldb_val *val = ldb_msg_find_ldb_val(ac->msg, "oMObjectClass"); + + if (v == 0) { + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "oMSyntax", syntax->oMSyntax); + if (ret != LDB_SUCCESS) { + return ret; + } + } + if (!val) { + struct ldb_val val2 = ldb_val_dup(ldb, &syntax->oMObjectClass); + if (val2.length > 0) { + ret = ldb_msg_add_value(ac->msg, "oMObjectClass", &val2, NULL); + if (ret != LDB_SUCCESS) { + return ret; + } + } + } + } + } + /* handle msDS-IntID attribute */ ret = samldb_add_handle_msDS_IntId(ac); if (ret != LDB_SUCCESS) return ret; ret = samldb_add_step(ac, samldb_add_entry); if (ret != LDB_SUCCESS) return ret; + break; + } - } else { - ldb_asprintf_errstring(ldb, - "Invalid entry type!"); + default: + ldb_asprintf_errstring(ldb, "Invalid entry type!"); return LDB_ERR_OPERATIONS_ERROR; + break; } return samldb_first_step(ac); @@ -676,6 +871,7 @@ static int samldb_fill_object(struct samldb_ctx *ac) static int samldb_fill_foreignSecurityPrincipal_object(struct samldb_ctx *ac) { struct ldb_context *ldb; + const struct ldb_val *rdn_value; struct dom_sid *sid; int ret; @@ -683,12 +879,15 @@ static int samldb_fill_foreignSecurityPrincipal_object(struct samldb_ctx *ac) sid = samdb_result_dom_sid(ac->msg, ac->msg, "objectSid"); if (sid == NULL) { + rdn_value = ldb_dn_get_rdn_val(ac->msg->dn); + if (rdn_value == NULL) { + return ldb_operr(ldb); + } sid = dom_sid_parse_talloc(ac->msg, - (const char *)ldb_dn_get_rdn_val(ac->msg->dn)->data); + (const char *)rdn_value->data); if (sid == NULL) { ldb_set_errstring(ldb, - "No valid SID found in " - "ForeignSecurityPrincipal CN!"); + "samldb: No valid SID found in ForeignSecurityPrincipal CN!"); return LDB_ERR_CONSTRAINT_VIOLATION; } if (! samldb_msg_add_sid(ac->msg, "objectSid", sid)) { @@ -705,12 +904,13 @@ static int samldb_fill_foreignSecurityPrincipal_object(struct samldb_ctx *ac) static int samldb_schema_info_update(struct samldb_ctx *ac) { - WERROR werr; + int ret; struct ldb_context *ldb; struct dsdb_schema *schema; /* replicated update should always go through */ - if (ldb_request_get_control(ac->req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) { + if (ldb_request_get_control(ac->req, + DSDB_CONTROL_REPLICATED_UPDATE_OID)) { return LDB_SUCCESS; } @@ -728,19 +928,22 @@ static int samldb_schema_info_update(struct samldb_ctx *ac) return ldb_operr(ldb); } - werr = dsdb_module_schema_info_update(ac->module, schema, DSDB_FLAG_NEXT_MODULE); - if (!W_ERROR_IS_OK(werr)) { - ldb_debug_set(ldb, LDB_DEBUG_FATAL, - "samldb_schema_info_update: " - "dsdb_module_schema_info_update failed with %s", - win_errstr(werr)); - DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb))); - return ldb_operr(ldb); + ret = dsdb_module_schema_info_update(ac->module, schema, + DSDB_FLAG_NEXT_MODULE| + DSDB_FLAG_AS_SYSTEM, + ac->req); + if (ret != LDB_SUCCESS) { + ldb_asprintf_errstring(ldb, + "samldb_schema_info_update: dsdb_module_schema_info_update failed with %s", + ldb_errstring(ldb)); + return ret; } return LDB_SUCCESS; } +static int samldb_prim_group_tester(struct samldb_ctx *ac, uint32_t rid); + /* * "Objectclass" trigger (MS-SAMR 3.1.1.8.1) * @@ -752,10 +955,9 @@ static int samldb_schema_info_update(struct samldb_ctx *ac) static int samldb_objectclass_trigger(struct samldb_ctx *ac) { struct ldb_context *ldb = ldb_module_get_ctx(ac->module); - struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb, - "loadparm"), struct loadparm_context); + void *skip_allocate_sids = ldb_get_opaque(ldb, + "skip_allocate_sids"); struct ldb_message_element *el, *el2; - enum sid_generator sid_generator; struct dom_sid *sid; int ret; @@ -763,7 +965,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) el = ldb_msg_find_element(ac->msg, "sAMAccountType"); if (el != NULL) { ldb_set_errstring(ldb, - "samldb: sAMAccountType must not be specified!"); + "samldb: sAMAccountType must not be specified!"); return LDB_ERR_UNWILLING_TO_PERFORM; } @@ -775,25 +977,27 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) sid = samdb_result_dom_sid(ac, ac->msg, "objectSid"); if ((sid != NULL) && (!dsdb_module_am_system(ac->module)) && (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) { - ldb_asprintf_errstring(ldb, "No SID may be specified in user/group modifications for %s", - ldb_dn_get_linearized(ac->msg->dn)); + ldb_set_errstring(ldb, + "samldb: objectSid must not be specified!"); return LDB_ERR_UNWILLING_TO_PERFORM; } /* but generate a new SID when we do have an add operations */ - if ((sid == NULL) && (ac->req->operation == LDB_ADD)) { - sid_generator = lpcfg_sid_generator(lp_ctx); - if (sid_generator == SID_GENERATOR_INTERNAL) { - ret = samldb_add_step(ac, samldb_allocate_sid); - if (ret != LDB_SUCCESS) return ret; - } + if ((sid == NULL) && (ac->req->operation == LDB_ADD) && !skip_allocate_sids) { + ret = samldb_add_step(ac, samldb_allocate_sid); + if (ret != LDB_SUCCESS) return ret; } - if (strcmp(ac->type, "user") == 0) { + switch(ac->type) { + case SAMLDB_TYPE_USER: { + bool uac_generated = false, uac_add_flags = false; + /* Step 1.2: Default values */ ret = samdb_find_or_add_attribute(ldb, ac->msg, - "userAccountControl", - talloc_asprintf(ac->msg, "%u", UF_NORMAL_ACCOUNT)); + "accountExpires", "9223372036854775807"); + if (ret != LDB_SUCCESS) return ret; + ret = samdb_find_or_add_attribute(ldb, ac->msg, + "badPasswordTime", "0"); if (ret != LDB_SUCCESS) return ret; ret = samdb_find_or_add_attribute(ldb, ac->msg, "badPwdCount", "0"); @@ -804,9 +1008,6 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) ret = samdb_find_or_add_attribute(ldb, ac->msg, "countryCode", "0"); if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "badPasswordTime", "0"); - if (ret != LDB_SUCCESS) return ret; ret = samdb_find_or_add_attribute(ldb, ac->msg, "lastLogoff", "0"); if (ret != LDB_SUCCESS) return ret; @@ -814,15 +1015,26 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) "lastLogon", "0"); if (ret != LDB_SUCCESS) return ret; ret = samdb_find_or_add_attribute(ldb, ac->msg, - "pwdLastSet", "0"); - if (ret != LDB_SUCCESS) return ret; - ret = samdb_find_or_add_attribute(ldb, ac->msg, - "accountExpires", "9223372036854775807"); + "logonCount", "0"); if (ret != LDB_SUCCESS) return ret; ret = samdb_find_or_add_attribute(ldb, ac->msg, - "logonCount", "0"); + "pwdLastSet", "0"); if (ret != LDB_SUCCESS) return ret; + /* On add operations we might need to generate a + * "userAccountControl" (if it isn't specified). */ + el = ldb_msg_find_element(ac->msg, "userAccountControl"); + if ((el == NULL) && (ac->req->operation == LDB_ADD)) { + ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg, + "userAccountControl", + UF_NORMAL_ACCOUNT); + if (ret != LDB_SUCCESS) { + return ret; + } + uac_generated = true; + uac_add_flags = true; + } + el = ldb_msg_find_element(ac->msg, "userAccountControl"); if (el != NULL) { uint32_t user_account_control, account_type; @@ -831,12 +1043,27 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) user_account_control = ldb_msg_find_attr_as_uint(ac->msg, "userAccountControl", 0); + /* "userAccountControl" = 0 means "UF_NORMAL_ACCOUNT" */ + if (user_account_control == 0) { + user_account_control = UF_NORMAL_ACCOUNT; + uac_generated = true; + } /* Temporary duplicate accounts aren't allowed */ if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) { return LDB_ERR_OTHER; } + /* Workstation and (read-only) DC objects do need objectclass "computer" */ + if ((samdb_find_attribute(ldb, ac->msg, + "objectclass", "computer") == NULL) && + (user_account_control & + (UF_SERVER_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT))) { + ldb_set_errstring(ldb, + "samldb: Requested account type does need objectclass 'computer'!"); + return LDB_ERR_OBJECT_CLASS_VIOLATION; + } + account_type = ds_uf2atype(user_account_control); if (account_type == 0) { ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); @@ -851,11 +1078,20 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) el2 = ldb_msg_find_element(ac->msg, "sAMAccountType"); el2->flags = LDB_FLAG_MOD_REPLACE; + /* "isCriticalSystemObject" might be set */ if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) { - ret = samdb_msg_set_string(ldb, ac->msg, ac->msg, - "isCriticalSystemObject", - "TRUE"); + ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject", + "TRUE"); + if (ret != LDB_SUCCESS) { + return ret; + } + el2 = ldb_msg_find_element(ac->msg, + "isCriticalSystemObject"); + el2->flags = LDB_FLAG_MOD_REPLACE; + } else if (user_account_control & UF_WORKSTATION_TRUST_ACCOUNT) { + ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject", + "FALSE"); if (ret != LDB_SUCCESS) { return ret; } @@ -867,6 +1103,18 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) /* Step 1.4: "userAccountControl" -> "primaryGroupID" mapping */ if (!ldb_msg_find_element(ac->msg, "primaryGroupID")) { uint32_t rid = ds_uf2prim_group_rid(user_account_control); + + /* + * Older AD deployments don't know about the + * RODC group + */ + if (rid == DOMAIN_RID_READONLY_DCS) { + ret = samldb_prim_group_tester(ac, rid); + if (ret != LDB_SUCCESS) { + return ret; + } + } + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "primaryGroupID", rid); if (ret != LDB_SUCCESS) { @@ -878,10 +1126,14 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) } /* Step 1.5: Add additional flags when needed */ - if ((user_account_control & UF_NORMAL_ACCOUNT) && - (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) == NULL)) { - user_account_control |= UF_ACCOUNTDISABLE; - user_account_control |= UF_PASSWD_NOTREQD; + /* Obviously this is done when the "userAccountControl" + * has been generated here (tested against Windows + * Server) */ + if (uac_generated) { + if (uac_add_flags) { + user_account_control |= UF_ACCOUNTDISABLE; + user_account_control |= UF_PASSWD_NOTREQD; + } ret = samdb_msg_set_uint(ldb, ac->msg, ac->msg, "userAccountControl", @@ -891,12 +1143,18 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) } } } + break; + } + + case SAMLDB_TYPE_GROUP: { + const char *tempstr; - } else if (strcmp(ac->type, "group") == 0) { /* Step 2.2: Default values */ + tempstr = talloc_asprintf(ac->msg, "%d", + GTYPE_SECURITY_GLOBAL_GROUP); + if (tempstr == NULL) return ldb_operr(ldb); ret = samdb_find_or_add_attribute(ldb, ac->msg, - "groupType", - talloc_asprintf(ac->msg, "%u", GTYPE_SECURITY_GLOBAL_GROUP)); + "groupType", tempstr); if (ret != LDB_SUCCESS) return ret; /* Step 2.3: "groupType" -> "sAMAccountType" */ @@ -930,6 +1188,14 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) el2 = ldb_msg_find_element(ac->msg, "sAMAccountType"); el2->flags = LDB_FLAG_MOD_REPLACE; } + break; + } + + default: + ldb_asprintf_errstring(ldb, + "Invalid entry type!"); + return LDB_ERR_OPERATIONS_ERROR; + break; } return LDB_SUCCESS; @@ -943,143 +1209,209 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) * ac->msg contains the "add"/"modify" message */ -static int samldb_prim_group_set(struct samldb_ctx *ac) +static int samldb_prim_group_tester(struct samldb_ctx *ac, uint32_t rid) { struct ldb_context *ldb = ldb_module_get_ctx(ac->module); - struct ldb_dn *prim_group_dn; - uint32_t rid; struct dom_sid *sid; - - rid = samdb_result_uint(ac->msg, "primaryGroupID", (uint32_t) -1); - if (rid == (uint32_t) -1) { - /* we aren't affected of any primary group set */ - return LDB_SUCCESS; - - } else if (!ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) { - ldb_set_errstring(ldb, - "The primary group isn't settable on add operations!"); - return LDB_ERR_UNWILLING_TO_PERFORM; - } + struct ldb_result *res; + int ret; + const char * const noattrs[] = { NULL }; sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid); if (sid == NULL) { return ldb_operr(ldb); } - prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)", - ldap_encode_ndr_dom_sid(ac, sid)); - if (prim_group_dn == NULL) { + ret = dsdb_module_search(ac->module, ac, &res, + ldb_get_default_basedn(ldb), + LDB_SCOPE_SUBTREE, + noattrs, DSDB_FLAG_NEXT_MODULE, + ac->req, + "(objectSid=%s)", + ldap_encode_ndr_dom_sid(ac, sid)); + if (ret != LDB_SUCCESS) { + return ret; + } + if (res->count != 1) { + talloc_free(res); ldb_asprintf_errstring(ldb, "Failed to find primary group with RID %u!", rid); return LDB_ERR_UNWILLING_TO_PERFORM; } + talloc_free(res); return LDB_SUCCESS; } +static int samldb_prim_group_set(struct samldb_ctx *ac) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + uint32_t rid; + + rid = ldb_msg_find_attr_as_uint(ac->msg, "primaryGroupID", (uint32_t) -1); + if (rid == (uint32_t) -1) { + /* we aren't affected of any primary group set */ + return LDB_SUCCESS; + + } else if (!ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) { + ldb_set_errstring(ldb, + "The primary group isn't settable on add operations!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + return samldb_prim_group_tester(ac, rid); +} + static int samldb_prim_group_change(struct samldb_ctx *ac) { struct ldb_context *ldb = ldb_module_get_ctx(ac->module); - const char * attrs[] = { "primaryGroupID", "memberOf", NULL }; - struct ldb_result *res; + const char * const attrs[] = { "primaryGroupID", "memberOf", NULL }; + struct ldb_result *res, *group_res; struct ldb_message_element *el; struct ldb_message *msg; - uint32_t rid; - struct dom_sid *sid; + uint32_t prev_rid, new_rid; + struct dom_sid *prev_sid, *new_sid; struct ldb_dn *prev_prim_group_dn, *new_prim_group_dn; int ret; + const char * const noattrs[] = { NULL }; + + el = dsdb_get_single_valued_attr(ac->msg, "primaryGroupID", + ac->req->operation); + if (el == NULL) { + /* we are not affected */ + return LDB_SUCCESS; + } - /* Fetch informations from the existing object */ + /* Fetch information from the existing object */ - ret = ldb_search(ldb, ac, &res, ac->msg->dn, LDB_SCOPE_BASE, attrs, - NULL); + ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, attrs, + DSDB_FLAG_NEXT_MODULE, ac->req); if (ret != LDB_SUCCESS) { return ret; } /* Finds out the DN of the old primary group */ - rid = samdb_result_uint(res->msgs[0], "primaryGroupID", (uint32_t) -1); - if (rid == (uint32_t) -1) { + prev_rid = ldb_msg_find_attr_as_uint(res->msgs[0], "primaryGroupID", + (uint32_t) -1); + if (prev_rid == (uint32_t) -1) { /* User objects do always have a mandatory "primaryGroupID" * attribute. If this doesn't exist then the object is of the * wrong type. This is the exact Windows error code */ return LDB_ERR_OBJECT_CLASS_VIOLATION; } - sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid); - if (sid == NULL) { - return ldb_operr(ldb); - } - - prev_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)", - ldap_encode_ndr_dom_sid(ac, sid)); - if (prev_prim_group_dn == NULL) { + prev_sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), prev_rid); + if (prev_sid == NULL) { return ldb_operr(ldb); } - /* Finds out the DN of the new primary group */ + /* Finds out the DN of the new primary group + * Notice: in order to parse the primary group ID correctly we create + * a temporary message here. */ - rid = samdb_result_uint(ac->msg, "primaryGroupID", (uint32_t) -1); - if (rid == (uint32_t) -1) { + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(msg, el, 0); + if (ret != LDB_SUCCESS) { + return ret; + } + new_rid = ldb_msg_find_attr_as_uint(msg, "primaryGroupID", (uint32_t) -1); + talloc_free(msg); + if (new_rid == (uint32_t) -1) { /* we aren't affected of any primary group change */ return LDB_SUCCESS; } - sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid); - if (sid == NULL) { + if (prev_rid == new_rid) { + return LDB_SUCCESS; + } + + ret = dsdb_module_search(ac->module, ac, &group_res, + ldb_get_default_basedn(ldb), + LDB_SCOPE_SUBTREE, + noattrs, DSDB_FLAG_NEXT_MODULE, + ac->req, + "(objectSid=%s)", + ldap_encode_ndr_dom_sid(ac, prev_sid)); + if (ret != LDB_SUCCESS) { + return ret; + } + if (group_res->count != 1) { + return ldb_operr(ldb); + } + prev_prim_group_dn = group_res->msgs[0]->dn; + + new_sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), new_rid); + if (new_sid == NULL) { return ldb_operr(ldb); } - new_prim_group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)", - ldap_encode_ndr_dom_sid(ac, sid)); - if (new_prim_group_dn == NULL) { + ret = dsdb_module_search(ac->module, ac, &group_res, + ldb_get_default_basedn(ldb), + LDB_SCOPE_SUBTREE, + noattrs, DSDB_FLAG_NEXT_MODULE, + ac->req, + "(objectSid=%s)", + ldap_encode_ndr_dom_sid(ac, new_sid)); + if (ret != LDB_SUCCESS) { + return ret; + } + if (group_res->count != 1) { /* Here we know if the specified new primary group candidate is * valid or not. */ return LDB_ERR_UNWILLING_TO_PERFORM; } + new_prim_group_dn = group_res->msgs[0]->dn; - /* Only update the "member" attributes when we really do have a change */ - if (ldb_dn_compare(new_prim_group_dn, prev_prim_group_dn) != 0) { - /* We need to be already a normal member of the new primary - * group in order to be successful. */ - el = samdb_find_attribute(ldb, res->msgs[0], "memberOf", - ldb_dn_get_linearized(new_prim_group_dn)); - if (el == NULL) { - return LDB_ERR_UNWILLING_TO_PERFORM; - } + /* We need to be already a normal member of the new primary + * group in order to be successful. */ + el = samdb_find_attribute(ldb, res->msgs[0], "memberOf", + ldb_dn_get_linearized(new_prim_group_dn)); + if (el == NULL) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } - /* Remove the "member" attribute on the new primary group */ - msg = talloc_zero(ac, struct ldb_message); - msg->dn = new_prim_group_dn; + /* Remove the "member" attribute on the new primary group */ + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + msg->dn = new_prim_group_dn; - ret = samdb_msg_add_delval(ldb, ac, msg, "member", - ldb_dn_get_linearized(ac->msg->dn)); - if (ret != LDB_SUCCESS) { - return ret; - } + ret = samdb_msg_add_delval(ldb, msg, msg, "member", + ldb_dn_get_linearized(ac->msg->dn)); + if (ret != LDB_SUCCESS) { + return ret; + } - ret = dsdb_module_modify(ac->module, msg, DSDB_FLAG_NEXT_MODULE); - if (ret != LDB_SUCCESS) { - return ret; - } + ret = dsdb_module_modify(ac->module, msg, DSDB_FLAG_NEXT_MODULE, ac->req); + if (ret != LDB_SUCCESS) { + return ret; + } + talloc_free(msg); - /* Add a "member" attribute for the previous primary group */ - msg = talloc_zero(ac, struct ldb_message); - msg->dn = prev_prim_group_dn; + /* Add a "member" attribute for the previous primary group */ + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + msg->dn = prev_prim_group_dn; - ret = samdb_msg_add_addval(ldb, ac, msg, "member", - ldb_dn_get_linearized(ac->msg->dn)); - if (ret != LDB_SUCCESS) { - return ret; - } + ret = samdb_msg_add_addval(ldb, msg, msg, "member", + ldb_dn_get_linearized(ac->msg->dn)); + if (ret != LDB_SUCCESS) { + return ret; + } - ret = dsdb_module_modify(ac->module, msg, DSDB_FLAG_NEXT_MODULE); - if (ret != LDB_SUCCESS) { - return ret; - } + ret = dsdb_module_modify(ac->module, msg, DSDB_FLAG_NEXT_MODULE, ac->req); + if (ret != LDB_SUCCESS) { + return ret; } + talloc_free(msg); return LDB_SUCCESS; } @@ -1097,56 +1429,749 @@ static int samldb_prim_group_trigger(struct samldb_ctx *ac) return ret; } -static int samldb_member_check(struct samldb_ctx *ac) + +/** + * This function is called on LDB modify operations. It performs some additions/ + * replaces on the current LDB message when "userAccountControl" changes. + */ +static int samldb_user_account_control_change(struct samldb_ctx *ac) { - struct ldb_context *ldb; + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + uint32_t user_account_control, old_user_account_control, account_type; struct ldb_message_element *el; - struct ldb_dn *member_dn, *group_dn; - uint32_t prim_group_rid; - struct dom_sid *sid; + struct ldb_message *tmp_msg; + int ret; + struct ldb_result *res; + const char * const attrs[] = { "userAccountControl", "objectClass", NULL }; unsigned int i; + bool is_computer = false; - ldb = ldb_module_get_ctx(ac->module); - - el = ldb_msg_find_element(ac->msg, "member"); + el = dsdb_get_single_valued_attr(ac->msg, "userAccountControl", + ac->req->operation); if (el == NULL) { - /* we aren't affected */ + /* we are not affected */ return LDB_SUCCESS; } - for (i = 0; i < el->num_values; i++) { - /* Denies to add "member"s to groups which are primary ones - * for them */ - member_dn = ldb_dn_from_ldb_val(ac, ldb, &el->values[i]); - if (!ldb_dn_validate(member_dn)) { - return ldb_operr(ldb); - } + /* Create a temporary message for fetching the "userAccountControl" */ + tmp_msg = ldb_msg_new(ac->msg); + if (tmp_msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(tmp_msg, el, 0); + if (ret != LDB_SUCCESS) { + return ret; + } + user_account_control = ldb_msg_find_attr_as_uint(tmp_msg, + "userAccountControl", + 0); + talloc_free(tmp_msg); - prim_group_rid = samdb_search_uint(ldb, ac, (uint32_t) -1, - member_dn, "primaryGroupID", - NULL); - if (prim_group_rid == (uint32_t) -1) { - /* the member hasn't to be a user account -> therefore - * no check needed in this case. */ - continue; - } + /* Temporary duplicate accounts aren't allowed */ + if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) { + return LDB_ERR_OTHER; + } - sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), - prim_group_rid); - if (sid == NULL) { - return ldb_operr(ldb); + /* Fetch the old "userAccountControl" and "objectClass" */ + ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, attrs, + DSDB_FLAG_NEXT_MODULE, ac->req); + if (ret != LDB_SUCCESS) { + return ret; + } + old_user_account_control = ldb_msg_find_attr_as_uint(res->msgs[0], "userAccountControl", 0); + if (old_user_account_control == 0) { + return ldb_operr(ldb); + } + el = ldb_msg_find_element(res->msgs[0], "objectClass"); + if (el == NULL) { + return ldb_operr(ldb); + } + + /* When we do not have objectclass "computer" we cannot switch to a (read-only) DC */ + for (i = 0; i < el->num_values; i++) { + if (ldb_attr_cmp((char *)el->values[i].data, "computer") == 0) { + is_computer = true; + break; } + } + if (!is_computer && + (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT))) { + ldb_set_errstring(ldb, + "samldb: Requested account type does need objectclass 'computer'!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } - group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSid=%s)", - ldap_encode_ndr_dom_sid(ac, sid)); - if (group_dn == NULL) { - return ldb_operr(ldb); + /* + * The functions "ds_uf2atype" and "ds_uf2prim_group_rid" are used as + * detectors for account type changes. + * So if the account type does change then we need to adjust the + * "sAMAccountType", the "isCriticalSystemObject" and the + * "primaryGroupID" attribute. + */ + if ((ds_uf2atype(user_account_control) + == ds_uf2atype(old_user_account_control)) && + (ds_uf2prim_group_rid(user_account_control) + == ds_uf2prim_group_rid(old_user_account_control))) { + return LDB_SUCCESS; + } + + account_type = ds_uf2atype(user_account_control); + if (account_type == 0) { + ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "sAMAccountType", + account_type); + if (ret != LDB_SUCCESS) { + return ret; + } + el = ldb_msg_find_element(ac->msg, "sAMAccountType"); + el->flags = LDB_FLAG_MOD_REPLACE; + + /* "isCriticalSystemObject" might be set/changed */ + if (user_account_control + & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) { + ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject", + "TRUE"); + if (ret != LDB_SUCCESS) { + return ret; } + el = ldb_msg_find_element(ac->msg, + "isCriticalSystemObject"); + el->flags = LDB_FLAG_MOD_REPLACE; + } else if (user_account_control & UF_WORKSTATION_TRUST_ACCOUNT) { + ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject", + "FALSE"); + if (ret != LDB_SUCCESS) { + return ret; + } + el = ldb_msg_find_element(ac->msg, + "isCriticalSystemObject"); + el->flags = LDB_FLAG_MOD_REPLACE; + } + + if (!ldb_msg_find_element(ac->msg, "primaryGroupID")) { + uint32_t rid = ds_uf2prim_group_rid(user_account_control); + + /* Older AD deployments don't know about the RODC group */ + if (rid == DOMAIN_RID_READONLY_DCS) { + ret = samldb_prim_group_tester(ac, rid); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, + "primaryGroupID", rid); + if (ret != LDB_SUCCESS) { + return ret; + } + el = ldb_msg_find_element(ac->msg, + "primaryGroupID"); + el->flags = LDB_FLAG_MOD_REPLACE; + } + + return LDB_SUCCESS; +} + +static int samldb_group_type_change(struct samldb_ctx *ac) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + uint32_t group_type, old_group_type, account_type; + struct ldb_message_element *el; + struct ldb_message *tmp_msg; + int ret; + struct ldb_result *res; + const char * const attrs[] = { "groupType", NULL }; + + el = dsdb_get_single_valued_attr(ac->msg, "groupType", + ac->req->operation); + if (el == NULL) { + /* we are not affected */ + return LDB_SUCCESS; + } - if (ldb_dn_compare(group_dn, ac->msg->dn) == 0) { + /* Create a temporary message for fetching the "groupType" */ + tmp_msg = ldb_msg_new(ac->msg); + if (tmp_msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(tmp_msg, el, 0); + if (ret != LDB_SUCCESS) { + return ret; + } + group_type = ldb_msg_find_attr_as_uint(tmp_msg, "groupType", 0); + talloc_free(tmp_msg); + + ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, attrs, + DSDB_FLAG_NEXT_MODULE | + DSDB_SEARCH_SHOW_DELETED, ac->req); + if (ret != LDB_SUCCESS) { + return ret; + } + old_group_type = ldb_msg_find_attr_as_uint(res->msgs[0], "groupType", 0); + if (old_group_type == 0) { + return ldb_operr(ldb); + } + + /* Group type switching isn't so easy as it seems: We can only + * change in this directions: global <-> universal <-> local + * On each step also the group type itself + * (security/distribution) is variable. */ + + if (ldb_request_get_control(ac->req, LDB_CONTROL_PROVISION_OID) == NULL) { + switch (group_type) { + case GTYPE_SECURITY_GLOBAL_GROUP: + case GTYPE_DISTRIBUTION_GLOBAL_GROUP: + /* change to "universal" allowed */ + if ((old_group_type == GTYPE_SECURITY_DOMAIN_LOCAL_GROUP) || + (old_group_type == GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)) { + ldb_set_errstring(ldb, + "samldb: Change from security/distribution local group forbidden!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + break; + + case GTYPE_SECURITY_UNIVERSAL_GROUP: + case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP: + /* each change allowed */ + break; + case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP: + case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP: + /* change to "universal" allowed */ + if ((old_group_type == GTYPE_SECURITY_GLOBAL_GROUP) || + (old_group_type == GTYPE_DISTRIBUTION_GLOBAL_GROUP)) { + ldb_set_errstring(ldb, + "samldb: Change from security/distribution global group forbidden!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + break; + + case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP: + default: + /* we don't allow this "groupType" values */ + return LDB_ERR_UNWILLING_TO_PERFORM; + break; + } + } + + account_type = ds_gtype2atype(group_type); + if (account_type == 0) { + ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "sAMAccountType", + account_type); + if (ret != LDB_SUCCESS) { + return ret; + } + el = ldb_msg_find_element(ac->msg, "sAMAccountType"); + el->flags = LDB_FLAG_MOD_REPLACE; + + return LDB_SUCCESS; +} + +static int samldb_sam_accountname_check(struct samldb_ctx *ac) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + const char * const no_attrs[] = { NULL }; + struct ldb_result *res; + const char *sam_accountname, *enc_str; + struct ldb_message_element *el; + struct ldb_message *tmp_msg; + int ret; + + el = dsdb_get_single_valued_attr(ac->msg, "sAMAccountName", + ac->req->operation); + if (el == NULL) { + /* we are not affected */ + return LDB_SUCCESS; + } + + /* Create a temporary message for fetching the "sAMAccountName" */ + tmp_msg = ldb_msg_new(ac->msg); + if (tmp_msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(tmp_msg, el, 0); + if (ret != LDB_SUCCESS) { + return ret; + } + + /* We must not steal the original string, it belongs to the caller! */ + sam_accountname = talloc_strdup(ac, + ldb_msg_find_attr_as_string(tmp_msg, "sAMAccountName", NULL)); + talloc_free(tmp_msg); + + if (sam_accountname == NULL) { + /* The "sAMAccountName" cannot be nothing */ + ldb_set_errstring(ldb, + "samldb: Empty account names aren't allowed!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + enc_str = ldb_binary_encode_string(ac, sam_accountname); + if (enc_str == NULL) { + return ldb_module_oom(ac->module); + } + + /* Make sure that a "sAMAccountName" is only used once */ + + ret = dsdb_module_search(ac->module, ac, &res, + ldb_get_default_basedn(ldb), + LDB_SCOPE_SUBTREE, no_attrs, + DSDB_FLAG_NEXT_MODULE, ac->req, + "(sAMAccountName=%s)", enc_str); + if (ret != LDB_SUCCESS) { + return ret; + } + if (res->count > 1) { + return ldb_operr(ldb); + } else if (res->count == 1) { + if (ldb_dn_compare(res->msgs[0]->dn, ac->msg->dn) != 0) { + ldb_asprintf_errstring(ldb, + "samldb: Account name (sAMAccountName) '%s' already in use!", + sam_accountname); return LDB_ERR_ENTRY_ALREADY_EXISTS; } } + talloc_free(res); + + return LDB_SUCCESS; +} + +static int samldb_member_check(struct samldb_ctx *ac) +{ + const char * const attrs[] = { "objectSid", NULL }; + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + struct ldb_message_element *el; + struct ldb_dn *member_dn; + struct dom_sid *sid; + struct ldb_result *res; + struct dom_sid *group_sid; + unsigned int i, j; + int ret; + + /* Fetch information from the existing object */ + + ret = dsdb_module_search(ac->module, ac, &res, ac->msg->dn, LDB_SCOPE_BASE, attrs, + DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_DELETED, ac->req, NULL); + if (ret != LDB_SUCCESS) { + return ret; + } + if (res->count != 1) { + return ldb_operr(ldb); + } + + group_sid = samdb_result_dom_sid(res, res->msgs[0], "objectSid"); + if (group_sid == NULL) { + return ldb_operr(ldb); + } + + /* We've to walk over all modification entries and consider the "member" + * ones. */ + for (i = 0; i < ac->msg->num_elements; i++) { + if (ldb_attr_cmp(ac->msg->elements[i].name, "member") != 0) { + continue; + } + + el = &ac->msg->elements[i]; + for (j = 0; j < el->num_values; j++) { + struct ldb_result *group_res; + const char *group_attrs[] = { "primaryGroupID" , NULL }; + uint32_t prim_group_rid; + + if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE) { + /* Deletes will be handled in + * repl_meta_data, and deletes not + * matching a member will return + * LDB_ERR_UNWILLING_TO_PERFORM + * there */ + continue; + } + + member_dn = ldb_dn_from_ldb_val(ac, ldb, + &el->values[j]); + if (!ldb_dn_validate(member_dn)) { + return ldb_operr(ldb); + } + + /* Denies to add "member"s to groups which are primary + * ones for them - in this case return + * ERR_ENTRY_ALREADY_EXISTS. */ + + ret = dsdb_module_search_dn(ac->module, ac, &group_res, + member_dn, group_attrs, + DSDB_FLAG_NEXT_MODULE, ac->req); + if (ret == LDB_ERR_NO_SUCH_OBJECT) { + /* member DN doesn't exist yet */ + continue; + } + if (ret != LDB_SUCCESS) { + return ret; + } + prim_group_rid = ldb_msg_find_attr_as_uint(group_res->msgs[0], "primaryGroupID", (uint32_t)-1); + if (prim_group_rid == (uint32_t) -1) { + /* the member hasn't to be a user account -> + * therefore no check needed in this case. */ + continue; + } + + sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), + prim_group_rid); + if (sid == NULL) { + return ldb_operr(ldb); + } + + if (dom_sid_equal(group_sid, sid)) { + ldb_asprintf_errstring(ldb, + "samldb: member %s already set via primaryGroupID %u", + ldb_dn_get_linearized(member_dn), prim_group_rid); + return LDB_ERR_ENTRY_ALREADY_EXISTS; + } + } + } + + talloc_free(res); + + return LDB_SUCCESS; +} + +/* SAM objects have special rules regarding the "description" attribute on + * modify operations. */ +static int samldb_description_check(struct samldb_ctx *ac, bool *modified) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + const char * const attrs[] = { "objectClass", "description", NULL }; + struct ldb_result *res; + unsigned int i; + int ret; + + /* Fetch information from the existing object */ + ret = dsdb_module_search(ac->module, ac, &res, ac->msg->dn, LDB_SCOPE_BASE, attrs, + DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_DELETED, ac->req, + "(|(objectclass=user)(objectclass=group)(objectclass=samDomain)(objectclass=samServer))"); + if (ret != LDB_SUCCESS) { + /* don't treat it specially ... let normal error codes + happen from other places */ + ldb_reset_err_string(ldb); + return LDB_SUCCESS; + } + if (res->count == 0) { + /* we didn't match the filter */ + talloc_free(res); + return LDB_SUCCESS; + } + + /* We've to walk over all modification entries and consider the + * "description" ones. */ + for (i = 0; i < ac->msg->num_elements; i++) { + if (ldb_attr_cmp(ac->msg->elements[i].name, "description") == 0) { + ac->msg->elements[i].flags |= LDB_FLAG_INTERNAL_FORCE_SINGLE_VALUE_CHECK; + *modified = true; + } + } + + talloc_free(res); + + return LDB_SUCCESS; +} + +/* This trigger adapts the "servicePrincipalName" attributes if the + * "dNSHostName" and/or "sAMAccountName" attribute change(s) */ +static int samldb_service_principal_names_change(struct samldb_ctx *ac) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + struct ldb_message_element *el = NULL, *el2 = NULL; + struct ldb_message *msg; + const char * const attrs[] = { "servicePrincipalName", NULL }; + struct ldb_result *res; + const char *dns_hostname = NULL, *old_dns_hostname = NULL, + *sam_accountname = NULL, *old_sam_accountname = NULL; + unsigned int i, j; + int ret; + + el = dsdb_get_single_valued_attr(ac->msg, "dNSHostName", + ac->req->operation); + el2 = dsdb_get_single_valued_attr(ac->msg, "sAMAccountName", + ac->req->operation); + if ((el == NULL) && (el2 == NULL)) { + /* we are not affected */ + return LDB_SUCCESS; + } + + /* Create a temporary message for fetching the "dNSHostName" */ + if (el != NULL) { + const char *dns_attrs[] = { "dNSHostName", NULL }; + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(msg, el, 0); + if (ret != LDB_SUCCESS) { + return ret; + } + dns_hostname = talloc_strdup(ac, + ldb_msg_find_attr_as_string(msg, "dNSHostName", NULL)); + if (dns_hostname == NULL) { + return ldb_module_oom(ac->module); + } + + talloc_free(msg); + + ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, + dns_attrs, DSDB_FLAG_NEXT_MODULE, ac->req); + if (ret == LDB_SUCCESS) { + old_dns_hostname = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL); + } + } + + /* Create a temporary message for fetching the "sAMAccountName" */ + if (el2 != NULL) { + char *tempstr, *tempstr2; + const char *acct_attrs[] = { "sAMAccountName", NULL }; + + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(msg, el2, 0); + if (ret != LDB_SUCCESS) { + return ret; + } + tempstr = talloc_strdup(ac, + ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL)); + talloc_free(msg); + + ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, acct_attrs, + DSDB_FLAG_NEXT_MODULE, ac->req); + if (ret == LDB_SUCCESS) { + tempstr2 = talloc_strdup(ac, + ldb_msg_find_attr_as_string(res->msgs[0], + "sAMAccountName", NULL)); + } + + + /* The "sAMAccountName" needs some additional trimming: we need + * to remove the trailing "$"s if they exist. */ + if ((tempstr != NULL) && (tempstr[0] != '\0') && + (tempstr[strlen(tempstr) - 1] == '$')) { + tempstr[strlen(tempstr) - 1] = '\0'; + } + if ((tempstr2 != NULL) && (tempstr2[0] != '\0') && + (tempstr2[strlen(tempstr2) - 1] == '$')) { + tempstr2[strlen(tempstr2) - 1] = '\0'; + } + sam_accountname = tempstr; + old_sam_accountname = tempstr2; + } + + if (old_dns_hostname == NULL) { + /* we cannot change when the old name is unknown */ + dns_hostname = NULL; + } + if ((old_dns_hostname != NULL) && (dns_hostname != NULL) && + (strcasecmp_m(old_dns_hostname, dns_hostname) == 0)) { + /* The "dNSHostName" didn't change */ + dns_hostname = NULL; + } + + if (old_sam_accountname == NULL) { + /* we cannot change when the old name is unknown */ + sam_accountname = NULL; + } + if ((old_sam_accountname != NULL) && (sam_accountname != NULL) && + (strcasecmp_m(old_sam_accountname, sam_accountname) == 0)) { + /* The "sAMAccountName" didn't change */ + sam_accountname = NULL; + } + + if ((dns_hostname == NULL) && (sam_accountname == NULL)) { + /* Well, there are information missing (old name(s)) or the + * names didn't change. We've nothing to do and can exit here */ + return LDB_SUCCESS; + } + + /* Potential "servicePrincipalName" changes in the same request have to + * be handled before the update (Windows behaviour). */ + el = ldb_msg_find_element(ac->msg, "servicePrincipalName"); + if (el != NULL) { + msg = ldb_msg_new(ac->msg); + if (msg == NULL) { + return ldb_module_oom(ac->module); + } + msg->dn = ac->msg->dn; + + do { + ret = ldb_msg_add(msg, el, el->flags); + if (ret != LDB_SUCCESS) { + return ret; + } + + ldb_msg_remove_element(ac->msg, el); + + el = ldb_msg_find_element(ac->msg, + "servicePrincipalName"); + } while (el != NULL); + + ret = dsdb_module_modify(ac->module, msg, + DSDB_FLAG_NEXT_MODULE, ac->req); + if (ret != LDB_SUCCESS) { + return ret; + } + talloc_free(msg); + } + + /* Fetch the "servicePrincipalName"s if any */ + ret = dsdb_module_search(ac->module, ac, &res, ac->msg->dn, LDB_SCOPE_BASE, attrs, + DSDB_FLAG_NEXT_MODULE, ac->req, NULL); + if (ret != LDB_SUCCESS) { + return ret; + } + if ((res->count != 1) || (res->msgs[0]->num_elements > 1)) { + return ldb_operr(ldb); + } + + if (res->msgs[0]->num_elements == 1) { + /* + * Yes, we do have "servicePrincipalName"s. First we update them + * locally, that means we do always substitute the current + * "dNSHostName" with the new one and/or "sAMAccountName" + * without "$" with the new one and then we append the + * modified "servicePrincipalName"s as a message element + * replace to the modification request (Windows behaviour). We + * need also to make sure that the values remain case- + * insensitively unique. + */ + + ret = ldb_msg_add_empty(ac->msg, "servicePrincipalName", + LDB_FLAG_MOD_REPLACE, &el); + if (ret != LDB_SUCCESS) { + return ret; + } + + for (i = 0; i < res->msgs[0]->elements[0].num_values; i++) { + char *old_str, *new_str, *pos; + const char *tok; + struct ldb_val *vals; + bool found = false; + + old_str = (char *) + res->msgs[0]->elements[0].values[i].data; + + new_str = talloc_strdup(ac->msg, + strtok_r(old_str, "/", &pos)); + if (new_str == NULL) { + return ldb_module_oom(ac->module); + } + + while ((tok = strtok_r(NULL, "/", &pos)) != NULL) { + if ((dns_hostname != NULL) && + (strcasecmp_m(tok, old_dns_hostname) == 0)) { + tok = dns_hostname; + } + if ((sam_accountname != NULL) && + (strcasecmp_m(tok, old_sam_accountname) == 0)) { + tok = sam_accountname; + } + + new_str = talloc_asprintf(ac->msg, "%s/%s", + new_str, tok); + if (new_str == NULL) { + return ldb_module_oom(ac->module); + } + } + + /* Uniqueness check */ + for (j = 0; (!found) && (j < el->num_values); j++) { + if (strcasecmp_m((char *)el->values[j].data, + new_str) == 0) { + found = true; + } + } + if (found) { + continue; + } + + /* + * append the new "servicePrincipalName" - + * code derived from ldb_msg_add_value(). + * + * Open coded to make it clear that we must + * append to the MOD_REPLACE el created above. + */ + vals = talloc_realloc(ac->msg, el->values, + struct ldb_val, + el->num_values + 1); + if (vals == NULL) { + return ldb_module_oom(ac->module); + } + el->values = vals; + el->values[el->num_values] = data_blob_string_const(new_str); + ++(el->num_values); + } + } + + talloc_free(res); + + return LDB_SUCCESS; +} + +/* This checks the "fSMORoleOwner" attributes */ +static int samldb_fsmo_role_owner_check(struct samldb_ctx *ac) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + const char * const no_attrs[] = { NULL }; + struct ldb_message_element *el; + struct ldb_message *tmp_msg; + struct ldb_dn *res_dn; + struct ldb_result *res; + int ret; + + el = dsdb_get_single_valued_attr(ac->msg, "fSMORoleOwner", + ac->req->operation); + if (el == NULL) { + /* we are not affected */ + return LDB_SUCCESS; + } + + /* Create a temporary message for fetching the "fSMORoleOwner" */ + tmp_msg = ldb_msg_new(ac->msg); + if (tmp_msg == NULL) { + return ldb_module_oom(ac->module); + } + ret = ldb_msg_add(tmp_msg, el, 0); + if (ret != LDB_SUCCESS) { + return ret; + } + res_dn = ldb_msg_find_attr_as_dn(ldb, ac, tmp_msg, "fSMORoleOwner"); + talloc_free(tmp_msg); + + if (res_dn == NULL) { + ldb_set_errstring(ldb, + "samldb: 'fSMORoleOwner' attributes have to reference 'nTDSDSA' entries!"); + if (ac->req->operation == LDB_ADD) { + return LDB_ERR_CONSTRAINT_VIOLATION; + } else { + return LDB_ERR_UNWILLING_TO_PERFORM; + } + } + + /* Fetched DN has to reference a "nTDSDSA" entry */ + ret = dsdb_module_search(ac->module, ac, &res, res_dn, LDB_SCOPE_BASE, + no_attrs, + DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_DELETED, + ac->req, "(objectClass=nTDSDSA)"); + if (ret != LDB_SUCCESS) { + return ret; + } + if (res->count != 1) { + ldb_set_errstring(ldb, + "samldb: 'fSMORoleOwner' attributes have to reference 'nTDSDSA' entries!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + talloc_free(res); return LDB_SUCCESS; } @@ -1157,6 +2182,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req) { struct ldb_context *ldb; struct samldb_ctx *ac; + struct ldb_message_element *el; int ret; ldb = ldb_module_get_ctx(module); @@ -1181,9 +2207,17 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req) return ldb_operr(ldb); } + el = ldb_msg_find_element(ac->msg, "fSMORoleOwner"); + if (el != NULL) { + ret = samldb_fsmo_role_owner_check(ac); + if (ret != LDB_SUCCESS) { + return ret; + } + } + if (samdb_find_attribute(ldb, ac->msg, "objectclass", "user") != NULL) { - ac->type = "user"; + ac->type = SAMLDB_TYPE_USER; ret = samldb_prim_group_trigger(ac); if (ret != LDB_SUCCESS) { @@ -1200,7 +2234,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req) if (samdb_find_attribute(ldb, ac->msg, "objectclass", "group") != NULL) { - ac->type = "group"; + ac->type = SAMLDB_TYPE_GROUP; ret = samldb_objectclass_trigger(ac); if (ret != LDB_SUCCESS) { @@ -1225,7 +2259,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req) return ret; } - ac->type = "classSchema"; + ac->type = SAMLDB_TYPE_CLASS; return samldb_fill_object(ac); } @@ -1237,7 +2271,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req) return ret; } - ac->type = "attributeSchema"; + ac->type = SAMLDB_TYPE_ATTRIBUTE; return samldb_fill_object(ac); } @@ -1255,7 +2289,6 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) struct ldb_message_element *el, *el2; bool modified = false; int ret; - uint32_t account_type; if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */ @@ -1264,11 +2297,20 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) ldb = ldb_module_get_ctx(module); + /* make sure that "objectSid" is not specified */ + el = ldb_msg_find_element(req->op.mod.message, "objectSid"); + if (el != NULL) { + if (ldb_request_get_control(req, LDB_CONTROL_PROVISION_OID) == NULL) { + ldb_set_errstring(ldb, + "samldb: objectSid must not be specified!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + } /* make sure that "sAMAccountType" is not specified */ el = ldb_msg_find_element(req->op.mod.message, "sAMAccountType"); if (el != NULL) { ldb_set_errstring(ldb, - "samldb: sAMAccountType must not be specified!"); + "samldb: sAMAccountType must not be specified!"); return LDB_ERR_UNWILLING_TO_PERFORM; } /* make sure that "isCriticalSystemObject" is not specified */ @@ -1276,7 +2318,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) if (el != NULL) { if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) == NULL) { ldb_set_errstring(ldb, - "samldb: isCriticalSystemObject must not be specified!"); + "samldb: isCriticalSystemObject must not be specified!"); return LDB_ERR_UNWILLING_TO_PERFORM; } } @@ -1284,7 +2326,8 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) /* msDS-IntId is not allowed to be modified * except when modification comes from replication */ if (ldb_msg_find_element(req->op.mod.message, "msDS-IntId")) { - if (!ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) { + if (!ldb_request_get_control(req, + DSDB_CONTROL_REPLICATED_UPDATE_OID)) { return LDB_ERR_CONSTRAINT_VIOLATION; } } @@ -1303,150 +2346,69 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) return ldb_operr(ldb); } - el = ldb_msg_find_element(ac->msg, "groupType"); - if (el && (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_REPLACE) && el->num_values == 1) { - uint32_t group_type, old_group_type; - - modified = true; - - group_type = ldb_msg_find_attr_as_uint(ac->msg, "groupType", 0); - old_group_type = samdb_search_uint(ldb, ac, 0, ac->msg->dn, - "groupType", NULL); - if (old_group_type == 0) { - return ldb_operr(ldb); - } - - /* Group type switching isn't so easy as it seems: We can only - * change in this directions: global <-> universal <-> local - * On each step also the group type itself - * (security/distribution) is variable. */ - - switch (group_type) { - case GTYPE_SECURITY_GLOBAL_GROUP: - case GTYPE_DISTRIBUTION_GLOBAL_GROUP: - /* change to "universal" allowed */ - if ((old_group_type == GTYPE_SECURITY_DOMAIN_LOCAL_GROUP) || - (old_group_type == GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)) { - return LDB_ERR_UNWILLING_TO_PERFORM; - } - break; - - case GTYPE_SECURITY_UNIVERSAL_GROUP: - case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP: - /* each change allowed */ - break; - - case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP: - case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP: - /* change to "universal" allowed */ - if ((old_group_type == GTYPE_SECURITY_GLOBAL_GROUP) || - (old_group_type == GTYPE_DISTRIBUTION_GLOBAL_GROUP)) { - return LDB_ERR_UNWILLING_TO_PERFORM; - } - break; - - case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP: - default: - /* we don't allow this "groupType" values */ - return LDB_ERR_UNWILLING_TO_PERFORM; - break; - } - - account_type = ds_gtype2atype(group_type); - if (account_type == 0) { - ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); - return LDB_ERR_UNWILLING_TO_PERFORM; - } - ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, - "sAMAccountType", - account_type); + el = ldb_msg_find_element(ac->msg, "primaryGroupID"); + if (el != NULL) { + ret = samldb_prim_group_trigger(ac); if (ret != LDB_SUCCESS) { return ret; } - el2 = ldb_msg_find_element(ac->msg, "sAMAccountType"); - el2->flags = LDB_FLAG_MOD_REPLACE; - } - el = ldb_msg_find_element(ac->msg, "groupType"); - if (el && (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE)) { - return LDB_ERR_UNWILLING_TO_PERFORM; } - el = ldb_msg_find_element(ac->msg, "primaryGroupID"); - if (el && (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_REPLACE) && el->num_values == 1) { + el = ldb_msg_find_element(ac->msg, "userAccountControl"); + if (el != NULL) { modified = true; - - ret = samldb_prim_group_change(ac); + ret = samldb_user_account_control_change(ac); if (ret != LDB_SUCCESS) { return ret; } } - el = ldb_msg_find_element(ac->msg, "primaryGroupID"); - if (el && (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE)) { - return LDB_ERR_UNWILLING_TO_PERFORM; - } - - el = ldb_msg_find_element(ac->msg, "userAccountControl"); - if (el && (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_REPLACE) && el->num_values == 1) { - uint32_t user_account_control; + el = ldb_msg_find_element(ac->msg, "groupType"); + if (el != NULL) { modified = true; - - user_account_control = ldb_msg_find_attr_as_uint(ac->msg, - "userAccountControl", - 0); - - /* Temporary duplicate accounts aren't allowed */ - if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) { - return LDB_ERR_OTHER; + ret = samldb_group_type_change(ac); + if (ret != LDB_SUCCESS) { + return ret; } + } - account_type = ds_uf2atype(user_account_control); - if (account_type == 0) { - ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); - return LDB_ERR_UNWILLING_TO_PERFORM; - } - ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, - "sAMAccountType", - account_type); + el = ldb_msg_find_element(ac->msg, "sAMAccountName"); + if (el != NULL) { + ret = samldb_sam_accountname_check(ac); if (ret != LDB_SUCCESS) { return ret; } - el2 = ldb_msg_find_element(ac->msg, "sAMAccountType"); - el2->flags = LDB_FLAG_MOD_REPLACE; + } - if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) { - ret = samdb_msg_add_string(ldb, ac->msg, ac->msg, - "isCriticalSystemObject", - "TRUE"); - if (ret != LDB_SUCCESS) { - return ret; - } - el2 = ldb_msg_find_element(ac->msg, - "isCriticalSystemObject"); - el2->flags = LDB_FLAG_MOD_REPLACE; + el = ldb_msg_find_element(ac->msg, "member"); + if (el != NULL) { + ret = samldb_member_check(ac); + if (ret != LDB_SUCCESS) { + return ret; } + } - if (!ldb_msg_find_element(ac->msg, "primaryGroupID")) { - uint32_t rid = ds_uf2prim_group_rid(user_account_control); - - ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, - "primaryGroupID", rid); - if (ret != LDB_SUCCESS) { - return ret; - } - el2 = ldb_msg_find_element(ac->msg, - "primaryGroupID"); - el2->flags = LDB_FLAG_MOD_REPLACE; + el = ldb_msg_find_element(ac->msg, "description"); + if (el != NULL) { + ret = samldb_description_check(ac, &modified); + if (ret != LDB_SUCCESS) { + return ret; } } - el = ldb_msg_find_element(ac->msg, "userAccountControl"); - if (el && (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE)) { - return LDB_ERR_UNWILLING_TO_PERFORM; + + el = ldb_msg_find_element(ac->msg, "dNSHostName"); + el2 = ldb_msg_find_element(ac->msg, "sAMAccountName"); + if ((el != NULL) || (el2 != NULL)) { + modified = true; + ret = samldb_service_principal_names_change(ac); + if (ret != LDB_SUCCESS) { + return ret; + } } - el = ldb_msg_find_element(ac->msg, "member"); - if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) { - ret = samldb_member_check(ac); + el = ldb_msg_find_element(ac->msg, "fSMORoleOwner"); + if (el != NULL) { + ret = samldb_fsmo_role_owner_check(ac); if (ret != LDB_SUCCESS) { return ret; } @@ -1483,13 +2445,27 @@ static int samldb_prim_group_users_check(struct samldb_ctx *ac) struct dom_sid *sid; uint32_t rid; NTSTATUS status; - int count; + int ret; + struct ldb_result *res; + const char * const attrs[] = { "objectSid", "isDeleted", NULL }; + const char * const noattrs[] = { NULL }; ldb = ldb_module_get_ctx(ac->module); /* Finds out the SID/RID of the SAM object */ - sid = samdb_search_dom_sid(ldb, ac, ac->req->op.del.dn, "objectSid", - NULL); + ret = dsdb_module_search_dn(ac->module, ac, &res, ac->req->op.del.dn, + attrs, + DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_DELETED, + ac->req); + if (ret != LDB_SUCCESS) { + return ret; + } + + if (ldb_msg_check_string_attribute(res->msgs[0], "isDeleted", "TRUE")) { + return LDB_SUCCESS; + } + + sid = samdb_result_dom_sid(ac, res->msgs[0], "objectSid"); if (sid == NULL) { /* No SID - it might not be a SAM object - therefore ok */ return LDB_SUCCESS; @@ -1504,13 +2480,16 @@ static int samldb_prim_group_users_check(struct samldb_ctx *ac) } /* Deny delete requests from groups which are primary ones */ - count = samdb_search_count(ldb, NULL, - "(&(primaryGroupID=%u)(objectClass=user))", - rid); - if (count < 0) { - return ldb_operr(ldb); + ret = dsdb_module_search(ac->module, ac, &res, + ldb_get_default_basedn(ldb), + LDB_SCOPE_SUBTREE, noattrs, + DSDB_FLAG_NEXT_MODULE, + ac->req, + "(&(primaryGroupID=%u)(objectClass=user))", rid); + if (ret != LDB_SUCCESS) { + return ret; } - if (count > 0) { + if (res->count > 0) { return LDB_ERR_ENTRY_ALREADY_EXISTS; } @@ -1550,13 +2529,15 @@ static int samldb_extended_allocate_rid_pool(struct ldb_module *module, struct l struct dsdb_fsmo_extended_op *exop; int ret; - exop = talloc_get_type(req->op.extended.data, struct dsdb_fsmo_extended_op); + exop = talloc_get_type(req->op.extended.data, + struct dsdb_fsmo_extended_op); if (!exop) { - ldb_debug(ldb, LDB_DEBUG_FATAL, "samldb_extended_allocate_rid_pool: invalid extended data\n"); + ldb_set_errstring(ldb, + "samldb_extended_allocate_rid_pool: invalid extended data"); return LDB_ERR_PROTOCOL_ERROR; } - ret = ridalloc_allocate_rid_pool_fsmo(module, exop); + ret = ridalloc_allocate_rid_pool_fsmo(module, exop, req); if (ret != LDB_SUCCESS) { return ret; } @@ -1574,7 +2555,7 @@ static int samldb_extended(struct ldb_module *module, struct ldb_request *req) } -_PUBLIC_ const struct ldb_module_ops ldb_samldb_module_ops = { +static const struct ldb_module_ops ldb_samldb_module_ops = { .name = "samldb", .add = samldb_add, .modify = samldb_modify, @@ -1582,3 +2563,9 @@ _PUBLIC_ const struct ldb_module_ops ldb_samldb_module_ops = { .extended = samldb_extended }; + +int ldb_samldb_module_init(const char *version) +{ + LDB_MODULE_CHECK_VERSION(version); + return ldb_register_module(&ldb_samldb_module_ops); +}