From: Andrew Tridgell <tridge@samba.org>
Date: Mon, 16 Aug 2010 23:59:18 +0000 (+1000)
Subject: s4-dsdb: added support for LDB_CONTROL_RODC_DCPROMO_OID
X-Git-Tag: samba-4.0.0alpha13~1004
X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=191d632e237761004fe0fe79a29a7274b7267d45

s4-dsdb: added support for LDB_CONTROL_RODC_DCPROMO_OID

this control adds a unique msDS-SecondaryKrbTgtNumber attribute to a
user object.

There is some 'interesting' interaction with the rangeLower and
rangeUpper attributes and this add. We don't implementat
rangeLower/rangeUpper yet, but when we do we'll need an override for
this control (or be careful about module ordering).

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 9ae308b9bc8..8bb5f3d30dd 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -347,6 +347,65 @@ static int samldb_allocate_sid(struct samldb_ctx *ac)
 	return samldb_next_step(ac);
 }
 
+/*
+  see if a krbtgt_number is available
+ */
+static bool samldb_krbtgtnumber_available(struct samldb_ctx *ac, unsigned krbtgt_number)
+{
+	TALLOC_CTX *tmp_ctx = talloc_new(ac);
+	struct ldb_result *res;
+	const char *attrs[] = { NULL };
+	int ret;
+
+	ret = dsdb_module_search(ac->module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
+				 attrs, DSDB_FLAG_NEXT_MODULE,
+				 "msDC-SecondaryKrbTgtNumber=%u", krbtgt_number);
+	if (ret == LDB_SUCCESS && res->count == 0) {
+		talloc_free(tmp_ctx);
+		return true;
+	}
+	talloc_free(tmp_ctx);
+	return false;
+}
+
+/* special handling for add in RODC join */
+static int samldb_rodc_add(struct samldb_ctx *ac)
+{
+	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
+	unsigned krbtgt_number, i_start, i;
+
+	/* find a unused msDC-SecondaryKrbTgtNumber */
+	i_start = generate_random() & 0xFFFF;
+	if (i_start == 0) {
+		i_start = 1;
+	}
+
+	for (i=i_start; i<=0xFFFF; i++) {
+		if (samldb_krbtgtnumber_available(ac, i)) {
+			krbtgt_number = i;
+			goto found;
+		}
+	}
+	for (i=1; i<i_start; i++) {
+		if (samldb_krbtgtnumber_available(ac, i)) {
+			krbtgt_number = i;
+			goto found;
+		}
+	}
+
+	ldb_asprintf_errstring(ldb_module_get_ctx(ac->module),
+			       "%08X: Unable to find available msDS-SecondaryKrbTgtNumber",
+			       W_ERROR_V(WERR_NO_SYSTEM_RESOURCES));
+	return LDB_ERR_OTHER;
+
+found:
+	if ( ! ldb_msg_add_fmt(ac->msg, "msDS-SecondaryKrbTgtNumber", "%u", krbtgt_number)) {
+		return ldb_operr(ldb);
+	}
+
+	return samldb_next_step(ac);
+}
+
 /*
  * samldb_dn_from_sid (async)
  */
@@ -744,6 +803,7 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
 	struct loadparm_context *lp_ctx;
 	enum sid_generator sid_generator;
 	int ret;
+	struct ldb_control *rodc_control;
 
 	ldb = ldb_module_get_ctx(ac->module);
 
@@ -957,6 +1017,15 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
 		}
 	}
 
+	rodc_control = ldb_request_get_control(ac->req, LDB_CONTROL_RODC_DCPROMO_OID);
+	if (rodc_control) {
+		/* see [MS-ADTS] 3.1.1.3.4.1.23 LDAP_SERVER_RODC_DCPROMO_OID */
+		rodc_control->critical = false;
+		ret = samldb_add_step(ac, samldb_rodc_add);
+		if (ret != LDB_SUCCESS) return ret;
+	}
+
+
 	/* finally proceed with adding the entry */
 	ret = samldb_add_step(ac, samldb_add_entry);
 	if (ret != LDB_SUCCESS) return ret;
diff --git a/source4/lib/ldb/include/ldb.h b/source4/lib/ldb/include/ldb.h
index 53ae0e4c188..f3ec1ed606d 100644
--- a/source4/lib/ldb/include/ldb.h
+++ b/source4/lib/ldb/include/ldb.h
@@ -679,6 +679,12 @@ typedef int (*ldb_qsort_cmp_fn_t) (void *v1, void *v2, void *opaque);
 */
 #define LDB_CONTROL_RELAX_OID "1.3.6.1.4.1.4203.666.5.12"
 
+/**
+   control for RODC join
+   See [MS-ADTS] section 3.1.1.3.4.1.23
+*/
+#define LDB_CONTROL_RODC_DCPROMO_OID "1.2.840.113556.1.4.1341"
+
 /*
    OID for LDAP Extended Operation PASSWORD_CHANGE.
 
diff --git a/source4/libcli/ldap/ldap_controls.c b/source4/libcli/ldap/ldap_controls.c
index 0250c040129..5244975dfc3 100644
--- a/source4/libcli/ldap/ldap_controls.c
+++ b/source4/libcli/ldap/ldap_controls.c
@@ -1170,6 +1170,7 @@ static const struct ldap_control_handler ldap_known_controls[] = {
 	{ "1.3.6.1.4.1.7165.4.4.1", NULL, NULL },
 	{ DSDB_OPENLDAP_DEREFERENCE_CONTROL, decode_openldap_dereference, encode_openldap_dereference},
 	{ LDB_CONTROL_RELAX_OID, decode_flag_request, encode_flag_request },
+	{ LDB_CONTROL_RODC_DCPROMO_OID, decode_flag_request, encode_flag_request },
 	{ NULL, NULL, NULL }
 };