/*
Unix SMB/CIFS implementation.
- Extract the user/system database from a remote SamSync server
+ Extract the user/system database from a remote server
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+ Copyright (C) Stefan Metzmacher 2004-2006
+ Copyright (C) Brad Henry 2005
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2008
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "libnet/libnet.h"
-#include "libcli/auth/libcli_auth.h"
-#include "auth/gensec/gensec.h"
-#include "auth/gensec/schannel_proto.h"
-#include "librpc/gen_ndr/ndr_netlogon.h"
-#include "librpc/gen_ndr/ndr_netlogon_c.h"
-
-
-/**
- * Decrypt and extract the user's passwords.
- *
- * The writes decrypted (no longer 'RID encrypted' or arcfour encrypted) passwords back into the structure
- */
-static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
- struct creds_CredentialState *creds,
- enum netr_SamDatabaseID database,
- struct netr_DELTA_ENUM *delta,
- char **error_string)
+#include "lib/events/events.h"
+#include "dsdb/samdb/samdb.h"
+#include "../lib/util/dlinklist.h"
+#include <ldb.h>
+#include <ldb_errors.h>
+#include "librpc/ndr/libndr.h"
+#include "librpc/gen_ndr/ndr_drsuapi.h"
+#include "librpc/gen_ndr/ndr_drsblobs.h"
+#include "librpc/gen_ndr/ndr_misc.h"
+#include "system/time.h"
+#include "ldb_wrap.h"
+#include "auth/auth.h"
+#include "auth/credentials/credentials.h"
+#include "param/param.h"
+#include "param/provision.h"
+#include "libcli/security/security.h"
+#include "dsdb/common/util.h"
+
+/*
+List of tasks vampire.py must perform:
+- Domain Join
+ - but don't write the secrets.ldb
+ - results for this should be enough to handle the provision
+- if vampire method is samsync
+ - Provision using these results
+ - do we still want to support this NT4 technology?
+- Start samsync with libnet code
+ - provision in the callback
+- Write out the secrets database, using the code from libnet_Join
+
+*/
+struct libnet_vampire_cb_state {
+ const char *netbios_name;
+ const char *domain_name;
+ const char *realm;
+ struct cli_credentials *machine_account;
+
+ /* Schema loaded from local LDIF files */
+ struct dsdb_schema *provision_schema;
+
+ /* 1st pass, with some OIDs/attribute names/class names not
+ * converted, because we may not know them yet */
+ struct dsdb_schema *self_made_schema;
+
+ /* prefixMap in LDB format, from the remote DRS server */
+ DATA_BLOB prefixmap_blob;
+ const struct dsdb_schema *schema;
+
+ struct ldb_context *ldb;
+
+ struct {
+ uint32_t object_count;
+ struct drsuapi_DsReplicaObjectListItemEx *first_object;
+ struct drsuapi_DsReplicaObjectListItemEx *last_object;
+ } schema_part;
+
+ const char *targetdir;
+
+ struct loadparm_context *lp_ctx;
+ struct tevent_context *event_ctx;
+ unsigned total_objects;
+ char *last_partition;
+ const char *server_dn_str;
+};
+
+/* initialise a state structure ready for replication of chunks */
+void *libnet_vampire_replicate_init(TALLOC_CTX *mem_ctx,
+ struct ldb_context *samdb,
+ struct loadparm_context *lp_ctx)
{
+ struct libnet_vampire_cb_state *s = talloc_zero(mem_ctx, struct libnet_vampire_cb_state);
+ if (!s) {
+ return NULL;
+ }
- uint32_t rid = delta->delta_id_union.rid;
- struct netr_DELTA_USER *user = delta->delta_union.user;
- struct samr_Password lm_hash;
- struct samr_Password nt_hash;
- const char *username = user->account_name.string;
- NTSTATUS nt_status;
-
- if (user->lm_password_present) {
- sam_rid_crypt(rid, user->lmpassword.hash, lm_hash.hash, 0);
- user->lmpassword = lm_hash;
- }
-
- if (user->nt_password_present) {
- sam_rid_crypt(rid, user->ntpassword.hash, nt_hash.hash, 0);
- user->ntpassword = nt_hash;
- }
-
- if (user->user_private_info.SensitiveData) {
- DATA_BLOB data;
- struct netr_USER_KEYS keys;
- data.data = user->user_private_info.SensitiveData;
- data.length = user->user_private_info.DataLength;
- creds_arcfour_crypt(creds, data.data, data.length);
- user->user_private_info.SensitiveData = data.data;
- user->user_private_info.DataLength = data.length;
-
- nt_status = ndr_pull_struct_blob(&data, mem_ctx, &keys, (ndr_pull_flags_fn_t)ndr_pull_netr_USER_KEYS);
- if (NT_STATUS_IS_OK(nt_status)) {
- if (keys.keys.keys2.lmpassword.length == 16) {
- sam_rid_crypt(rid, keys.keys.keys2.lmpassword.pwd.hash, lm_hash.hash, 0);
- user->lmpassword = lm_hash;
- user->lm_password_present = True;
- }
- if (keys.keys.keys2.ntpassword.length == 16) {
- sam_rid_crypt(rid, keys.keys.keys2.ntpassword.pwd.hash, nt_hash.hash, 0);
- user->ntpassword = nt_hash;
- user->nt_password_present = True;
- }
- } else {
- *error_string = talloc_asprintf(mem_ctx, "Failed to parse Sensitive Data for %s:\n", username);
- dump_data(10, data.data, data.length);
- return nt_status;
- }
+ s->ldb = samdb;
+ s->lp_ctx = lp_ctx;
+ s->provision_schema = dsdb_get_schema(s->ldb, s);
+ s->schema = s->provision_schema;
+ s->netbios_name = lpcfg_netbios_name(lp_ctx);
+ s->domain_name = lpcfg_workgroup(lp_ctx);
+ s->realm = lpcfg_realm(lp_ctx);
+
+ return s;
+}
+
+/* Caller is expected to keep supplied pointers around for the lifetime of the structure */
+void *libnet_vampire_cb_state_init(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx, struct tevent_context *event_ctx,
+ const char *netbios_name, const char *domain_name, const char *realm,
+ const char *targetdir)
+{
+ struct libnet_vampire_cb_state *s = talloc_zero(mem_ctx, struct libnet_vampire_cb_state);
+ if (!s) {
+ return NULL;
}
- return NT_STATUS_OK;
+
+ s->lp_ctx = lp_ctx;
+ s->event_ctx = event_ctx;
+ s->netbios_name = netbios_name;
+ s->domain_name = domain_name;
+ s->realm = realm;
+ s->targetdir = targetdir;
+ return s;
}
-/**
- * Decrypt and extract the secrets
- *
- * The writes decrypted secrets back into the structure
- */
-static NTSTATUS fix_secret(TALLOC_CTX *mem_ctx,
- struct creds_CredentialState *creds,
- enum netr_SamDatabaseID database,
- struct netr_DELTA_ENUM *delta,
- char **error_string)
+struct ldb_context *libnet_vampire_cb_ldb(struct libnet_vampire_cb_state *state)
{
- struct netr_DELTA_SECRET *secret = delta->delta_union.secret;
- creds_arcfour_crypt(creds, secret->current_cipher.cipher_data,
- secret->current_cipher.maxlen);
+ state = talloc_get_type_abort(state, struct libnet_vampire_cb_state);
+ return state->ldb;
+}
+
+struct loadparm_context *libnet_vampire_cb_lp_ctx(struct libnet_vampire_cb_state *state)
+{
+ state = talloc_get_type_abort(state, struct libnet_vampire_cb_state);
+ return state->lp_ctx;
+}
+
+NTSTATUS libnet_vampire_cb_prepare_db(void *private_data,
+ const struct libnet_BecomeDC_PrepareDB *p)
+{
+ struct libnet_vampire_cb_state *s = talloc_get_type(private_data, struct libnet_vampire_cb_state);
+ struct provision_settings settings;
+ struct provision_result result;
+ NTSTATUS status;
+
+ ZERO_STRUCT(settings);
+ settings.site_name = p->dest_dsa->site_name;
+ settings.root_dn_str = p->forest->root_dn_str;
+ settings.domain_dn_str = p->domain->dn_str;
+ settings.config_dn_str = p->forest->config_dn_str;
+ settings.schema_dn_str = p->forest->schema_dn_str;
+ settings.netbios_name = p->dest_dsa->netbios_name;
+ settings.realm = s->realm;
+ settings.domain = s->domain_name;
+ settings.server_dn_str = p->dest_dsa->server_dn_str;
+ settings.machine_password = generate_random_password(s, 16, 255);
+ settings.targetdir = s->targetdir;
+ settings.use_ntvfs = true;
+ status = provision_bare(s, s->lp_ctx, &settings, &result);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ s->ldb = talloc_steal(s, result.samdb);
+ s->lp_ctx = talloc_reparent(talloc_parent(result.lp_ctx), s, result.lp_ctx);
+ s->provision_schema = dsdb_get_schema(s->ldb, s);
+ s->server_dn_str = talloc_steal(s, p->dest_dsa->server_dn_str);
+
+ /* wrap the entire vapire operation in a transaction. This
+ isn't just cosmetic - we use this to ensure that linked
+ attribute back links are added at the end by relying on a
+ transaction commit hook in the linked attributes module. We
+ need to do this as the order of objects coming from the
+ server is not sufficiently deterministic to know that the
+ record that a backlink needs to be created in has itself
+ been created before the object containing the forward link
+ has come over the wire */
+ if (ldb_transaction_start(s->ldb) != LDB_SUCCESS) {
+ return NT_STATUS_FOOBAR;
+ }
+
+ return NT_STATUS_OK;
- creds_arcfour_crypt(creds, secret->old_cipher.cipher_data,
- secret->old_cipher.maxlen);
- return NT_STATUS_OK;
}
-/**
- * Fix up the delta, dealing with encryption issues so that the final
- * callback need only do the printing or application logic
- */
+NTSTATUS libnet_vampire_cb_check_options(void *private_data,
+ const struct libnet_BecomeDC_CheckOptions *o)
+{
+ struct libnet_vampire_cb_state *s = talloc_get_type(private_data, struct libnet_vampire_cb_state);
+
+ DEBUG(0,("Become DC [%s] of Domain[%s]/[%s]\n",
+ s->netbios_name,
+ o->domain->netbios_name, o->domain->dns_name));
+
+ DEBUG(0,("Promotion Partner is Server[%s] from Site[%s]\n",
+ o->source_dsa->dns_name, o->source_dsa->site_name));
+
+ DEBUG(0,("Options:crossRef behavior_version[%u]\n"
+ "\tschema object_version[%u]\n"
+ "\tdomain behavior_version[%u]\n"
+ "\tdomain w2k3_update_revision[%u]\n",
+ o->forest->crossref_behavior_version,
+ o->forest->schema_object_version,
+ o->domain->behavior_version,
+ o->domain->w2k3_update_revision));
-static NTSTATUS fix_delta(TALLOC_CTX *mem_ctx,
- struct creds_CredentialState *creds,
- enum netr_SamDatabaseID database,
- struct netr_DELTA_ENUM *delta,
- char **error_string)
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS libnet_vampire_cb_apply_schema(struct libnet_vampire_cb_state *s,
+ const struct libnet_BecomeDC_StoreChunk *c)
{
- NTSTATUS nt_status = NT_STATUS_OK;
- *error_string = NULL;
- switch (delta->delta_type) {
- case NETR_DELTA_USER:
- {
- nt_status = fix_user(mem_ctx,
- creds,
- database,
- delta,
- error_string);
+ WERROR status;
+ struct dsdb_schema_prefixmap *pfm_remote;
+ const struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr;
+ struct dsdb_schema *provision_schema;
+ uint32_t object_count = 0;
+ struct drsuapi_DsReplicaObjectListItemEx *first_object;
+ uint32_t linked_attributes_count;
+ struct drsuapi_DsReplicaLinkedAttribute *linked_attributes;
+ const struct drsuapi_DsReplicaCursor2CtrEx *uptodateness_vector;
+ struct dsdb_extended_replicated_objects *schema_objs;
+ struct repsFromTo1 *s_dsa;
+ char *tmp_dns_name;
+ struct ldb_context *schema_ldb;
+ struct ldb_dn *partition_dn;
+ struct ldb_message *msg;
+ struct ldb_message_element *prefixMap_el;
+ uint32_t i;
+ int ret;
+ bool ok;
+ uint64_t seq_num = 0;
+ uint32_t cycle_before_switching;
+
+ DEBUG(0,("Analyze and apply schema objects\n"));
+
+ s_dsa = talloc_zero(s, struct repsFromTo1);
+ NT_STATUS_HAVE_NO_MEMORY(s_dsa);
+ s_dsa->other_info = talloc(s_dsa, struct repsFromTo1OtherInfo);
+ NT_STATUS_HAVE_NO_MEMORY(s_dsa->other_info);
+
+ switch (c->ctr_level) {
+ case 1:
+ mapping_ctr = &c->ctr1->mapping_ctr;
+ object_count = s->schema_part.object_count;
+ first_object = s->schema_part.first_object;
+ linked_attributes_count = 0;
+ linked_attributes = NULL;
+ s_dsa->highwatermark = c->ctr1->new_highwatermark;
+ s_dsa->source_dsa_obj_guid = c->ctr1->source_dsa_guid;
+ s_dsa->source_dsa_invocation_id = c->ctr1->source_dsa_invocation_id;
+ uptodateness_vector = NULL; /* TODO: map it */
break;
- }
- case NETR_DELTA_SECRET:
- {
- nt_status = fix_secret(mem_ctx,
- creds,
- database,
- delta,
- error_string);
+ case 6:
+ mapping_ctr = &c->ctr6->mapping_ctr;
+ object_count = s->schema_part.object_count;
+ first_object = s->schema_part.first_object;
+ linked_attributes_count = c->ctr6->linked_attributes_count;
+ linked_attributes = c->ctr6->linked_attributes;
+ s_dsa->highwatermark = c->ctr6->new_highwatermark;
+ s_dsa->source_dsa_obj_guid = c->ctr6->source_dsa_guid;
+ s_dsa->source_dsa_invocation_id = c->ctr6->source_dsa_invocation_id;
+ uptodateness_vector = c->ctr6->uptodateness_vector;
break;
- }
default:
- break;
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ /* We must set these up to ensure the replMetaData is written
+ * correctly, before our NTDS Settings entry is replicated */
+ ok = samdb_set_ntds_invocation_id(s->ldb, &c->dest_dsa->invocation_id);
+ if (!ok) {
+ DEBUG(0,("Failed to set cached ntds invocationId\n"));
+ return NT_STATUS_FOOBAR;
+ }
+ ok = samdb_set_ntds_objectGUID(s->ldb, &c->dest_dsa->ntds_guid);
+ if (!ok) {
+ DEBUG(0,("Failed to set cached ntds objectGUID\n"));
+ return NT_STATUS_FOOBAR;
+ }
+
+ status = dsdb_schema_pfm_from_drsuapi_pfm(mapping_ctr, true,
+ s, &pfm_remote, NULL);
+ if (!W_ERROR_IS_OK(status)) {
+ DEBUG(0,(__location__ ": Failed to decode remote prefixMap: %s",
+ win_errstr(status)));
+ return werror_to_ntstatus(status);
+ }
+
+ s_dsa->replica_flags = DRSUAPI_DRS_WRIT_REP
+ | DRSUAPI_DRS_INIT_SYNC
+ | DRSUAPI_DRS_PER_SYNC;
+ memset(s_dsa->schedule, 0x11, sizeof(s_dsa->schedule));
+
+ tmp_dns_name = GUID_string(s_dsa->other_info, &s_dsa->source_dsa_obj_guid);
+ NT_STATUS_HAVE_NO_MEMORY(tmp_dns_name);
+ tmp_dns_name = talloc_asprintf_append_buffer(tmp_dns_name, "._msdcs.%s", c->forest->dns_name);
+ NT_STATUS_HAVE_NO_MEMORY(tmp_dns_name);
+ s_dsa->other_info->dns_name = tmp_dns_name;
+
+ if (s->self_made_schema == NULL) {
+ DEBUG(0,("libnet_vampire_cb_apply_schema: called with out self_made_schema\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ schema_ldb = provision_get_schema(s, s->lp_ctx,
+ c->forest->schema_dn_str,
+ &s->prefixmap_blob);
+ if (!schema_ldb) {
+ DEBUG(0,("Failed to re-load from local provision using remote prefixMap. "
+ "Will continue with local prefixMap\n"));
+ provision_schema = dsdb_get_schema(s->ldb, s);
+ } else {
+ provision_schema = dsdb_get_schema(schema_ldb, s);
+ ret = dsdb_reference_schema(s->ldb, provision_schema, false);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,("Failed to attach schema from local provision using remote prefixMap."));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ talloc_free(schema_ldb);
}
- return nt_status;
+
+ cycle_before_switching = lpcfg_parm_long(s->lp_ctx, NULL,
+ "become dc",
+ "schema convert retrial", 1);
+
+ status = dsdb_repl_resolve_working_schema(s->ldb,
+ pfm_remote,
+ cycle_before_switching,
+ provision_schema,
+ s->self_made_schema,
+ object_count,
+ first_object);
+ if (!W_ERROR_IS_OK(status)) {
+ DEBUG(0, ("%s: dsdb_repl_resolve_working_schema() failed: %s",
+ __location__, win_errstr(status)));
+ return werror_to_ntstatus(status);
+ }
+
+ /* free temp objects for 1st conversion phase */
+ talloc_unlink(s, provision_schema);
+
+ /*
+ * attach the schema we just brought over DRS to the ldb,
+ * so we can use it in dsdb_convert_object_ex below
+ */
+ ret = dsdb_set_schema(s->ldb, s->self_made_schema);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,("Failed to attach working schema from DRS.\n"));
+ return NT_STATUS_FOOBAR;
+ }
+
+ /* we don't want to access the self made schema anymore */
+ s->schema = s->self_made_schema;
+ s->self_made_schema = NULL;
+
+ partition_dn = ldb_dn_new(s, s->ldb, c->partition->nc.dn);
+ if (partition_dn == NULL) {
+ DEBUG(0,("Failed to parse partition DN from DRS.\n"));
+ return NT_STATUS_FOOBAR;
+ }
+
+ /* Now convert the schema elements again, using the schema we finalised, ready to actually import */
+ status = dsdb_replicated_objects_convert(s->ldb,
+ s->schema,
+ partition_dn,
+ mapping_ctr,
+ object_count,
+ first_object,
+ linked_attributes_count,
+ linked_attributes,
+ s_dsa,
+ uptodateness_vector,
+ c->gensec_skey,
+ 0,
+ s, &schema_objs);
+ if (!W_ERROR_IS_OK(status)) {
+ DEBUG(0,("Failed to convert objects when trying to import over DRS (2nd pass, to store remote schema): %s\n", win_errstr(status)));
+ return werror_to_ntstatus(status);
+ }
+
+ if (lpcfg_parm_bool(s->lp_ctx, NULL, "become dc", "dump objects", false)) {
+ for (i=0; i < schema_objs->num_objects; i++) {
+ struct ldb_ldif ldif;
+ fprintf(stdout, "#\n");
+ ldif.changetype = LDB_CHANGETYPE_NONE;
+ ldif.msg = schema_objs->objects[i].msg;
+ ldb_ldif_write_file(s->ldb, stdout, &ldif);
+ NDR_PRINT_DEBUG(replPropertyMetaDataBlob, schema_objs->objects[i].meta_data);
+ }
+ }
+
+ status = dsdb_replicated_objects_commit(s->ldb, NULL, schema_objs, &seq_num);
+ if (!W_ERROR_IS_OK(status)) {
+ DEBUG(0,("Failed to commit objects: %s\n", win_errstr(status)));
+ return werror_to_ntstatus(status);
+ }
+
+ msg = ldb_msg_new(schema_objs);
+ NT_STATUS_HAVE_NO_MEMORY(msg);
+ msg->dn = schema_objs->partition_dn;
+
+ /* We must ensure a prefixMap has been written. Unlike other
+ * attributes (including schemaInfo), it is not replicated in
+ * the normal replication stream. We can use the one from
+ * s->prefixmap_blob because we operate with one, unchanging
+ * prefixMap for this entire operation. */
+ ret = ldb_msg_add_value(msg, "prefixMap", &s->prefixmap_blob, &prefixMap_el);
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_FOOBAR;
+ }
+ /* We want to know if a prefixMap was written already, as it
+ * would mean that the above comment was not true, and we have
+ * somehow updated the prefixMap during this transaction */
+ prefixMap_el->flags = LDB_FLAG_MOD_ADD;
+
+ ret = dsdb_modify(s->ldb, msg, DSDB_FLAG_AS_SYSTEM);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,("Failed to add prefixMap: %s\n", ldb_errstring(s->ldb)));
+ return NT_STATUS_FOOBAR;
+ }
+
+ talloc_free(s_dsa);
+ talloc_free(schema_objs);
+
+ s->schema = dsdb_get_schema(s->ldb, s);
+ if (!s->schema) {
+ DEBUG(0,("Failed to get loaded dsdb_schema\n"));
+ return NT_STATUS_FOOBAR;
+ }
+
+ return NT_STATUS_OK;
}
-NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_SamSync *r)
+NTSTATUS libnet_vampire_cb_schema_chunk(void *private_data,
+ const struct libnet_BecomeDC_StoreChunk *c)
{
- NTSTATUS nt_status, dbsync_nt_status;
- TALLOC_CTX *samsync_ctx, *loop_ctx, *delta_ctx;
- struct creds_CredentialState *creds;
- struct netr_DatabaseSync dbsync;
- struct cli_credentials *machine_account;
- struct dcerpc_pipe *p;
- struct libnet_context *machine_net_ctx;
- struct libnet_RpcConnectDCInfo *c;
- struct libnet_SamSync_state *state;
- const enum netr_SamDatabaseID database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
- int i;
-
- samsync_ctx = talloc_named(mem_ctx, 0, "SamSync top context");
-
- if (!r->in.machine_account) {
- machine_account = cli_credentials_init(samsync_ctx);
- if (!machine_account) {
- talloc_free(samsync_ctx);
- return NT_STATUS_NO_MEMORY;
+ struct libnet_vampire_cb_state *s = talloc_get_type(private_data, struct libnet_vampire_cb_state);
+ WERROR status;
+ const struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr;
+ uint32_t nc_object_count;
+ uint32_t nc_total_received = 0;
+ uint32_t object_count;
+ struct drsuapi_DsReplicaObjectListItemEx *first_object;
+ struct drsuapi_DsReplicaObjectListItemEx *cur;
+ uint32_t nc_linked_attributes_count;
+ uint32_t linked_attributes_count;
+
+ switch (c->ctr_level) {
+ case 1:
+ mapping_ctr = &c->ctr1->mapping_ctr;
+ nc_object_count = c->ctr1->extended_ret; /* maybe w2k send this unexpected? */
+ object_count = c->ctr1->object_count;
+ first_object = c->ctr1->first_object;
+ nc_linked_attributes_count = 0;
+ linked_attributes_count = 0;
+ break;
+ case 6:
+ mapping_ctr = &c->ctr6->mapping_ctr;
+ nc_object_count = c->ctr6->nc_object_count;
+ object_count = c->ctr6->object_count;
+ first_object = c->ctr6->first_object;
+ nc_linked_attributes_count = c->ctr6->nc_linked_attributes_count;
+ linked_attributes_count = c->ctr6->linked_attributes_count;
+ break;
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!s->schema_part.first_object) {
+ nc_total_received = object_count;
+ } else {
+ nc_total_received = s->schema_part.object_count + object_count;
+ }
+ if (nc_object_count) {
+ DEBUG(0,("Schema-DN[%s] objects[%u/%u] linked_values[%u/%u]\n",
+ c->partition->nc.dn, nc_total_received, nc_object_count,
+ linked_attributes_count, nc_linked_attributes_count));
+ } else {
+ DEBUG(0,("Schema-DN[%s] objects[%u] linked_values[%u]\n",
+ c->partition->nc.dn, nc_total_received, linked_attributes_count));
+ }
+
+ if (!s->self_made_schema) {
+ WERROR werr;
+ struct drsuapi_DsReplicaOIDMapping_Ctr mapping_ctr_without_schema_info;
+ /* Put the DRS prefixmap aside for the schema we are
+ * about to load in the provision, and into the one we
+ * are making with the help of DRS */
+
+ mapping_ctr_without_schema_info = *mapping_ctr;
+
+ /* This strips off the 0xFF schema info from the end,
+ * because we don't want it in the blob */
+ if (mapping_ctr_without_schema_info.num_mappings > 0) {
+ mapping_ctr_without_schema_info.num_mappings--;
+ }
+ werr = dsdb_get_drsuapi_prefixmap_as_blob(&mapping_ctr_without_schema_info, s, &s->prefixmap_blob);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werror_to_ntstatus(werr);
}
- cli_credentials_set_conf(machine_account);
- nt_status = cli_credentials_set_machine_account(machine_account);
- if (!NT_STATUS_IS_OK(nt_status)) {
- r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain machine account password - are we joined to the domain?");
- talloc_free(samsync_ctx);
- return nt_status;
+
+ /* Set up two manually-constructed schema - the local
+ * schema from the provision will be used to build
+ * one, which will then in turn be used to build the
+ * other. */
+ s->self_made_schema = dsdb_new_schema(s);
+ NT_STATUS_HAVE_NO_MEMORY(s->self_made_schema);
+
+ status = dsdb_load_prefixmap_from_drsuapi(s->self_made_schema, mapping_ctr);
+ if (!W_ERROR_IS_OK(status)) {
+ return werror_to_ntstatus(status);
}
} else {
- machine_account = r->in.machine_account;
+ status = dsdb_schema_pfm_contains_drsuapi_pfm(s->self_made_schema->prefixmap, mapping_ctr);
+ if (!W_ERROR_IS_OK(status)) {
+ return werror_to_ntstatus(status);
+ }
+ }
+
+ if (!s->schema_part.first_object) {
+ s->schema_part.object_count = object_count;
+ s->schema_part.first_object = talloc_steal(s, first_object);
+ } else {
+ s->schema_part.object_count += object_count;
+ s->schema_part.last_object->next_object = talloc_steal(s->schema_part.last_object,
+ first_object);
+ }
+ for (cur = first_object; cur->next_object; cur = cur->next_object) {}
+ s->schema_part.last_object = cur;
+
+ if (!c->partition->more_data) {
+ return libnet_vampire_cb_apply_schema(s, c);
+ }
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS libnet_vampire_cb_store_chunk(void *private_data,
+ const struct libnet_BecomeDC_StoreChunk *c)
+{
+ struct libnet_vampire_cb_state *s = talloc_get_type(private_data, struct libnet_vampire_cb_state);
+ WERROR status;
+ struct dsdb_schema *schema;
+ const struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr;
+ uint32_t nc_object_count;
+ uint32_t object_count;
+ struct drsuapi_DsReplicaObjectListItemEx *first_object;
+ uint32_t nc_linked_attributes_count;
+ uint32_t linked_attributes_count;
+ struct drsuapi_DsReplicaLinkedAttribute *linked_attributes;
+ const struct drsuapi_DsReplicaCursor2CtrEx *uptodateness_vector;
+ struct dsdb_extended_replicated_objects *objs;
+ uint32_t req_replica_flags;
+ uint32_t dsdb_repl_flags = 0;
+ struct repsFromTo1 *s_dsa;
+ char *tmp_dns_name;
+ uint32_t i;
+ uint64_t seq_num;
+ bool is_exop = false;
+ struct ldb_dn *partition_dn = NULL;
+ struct ldb_dn *nc_root = NULL;
+
+ s_dsa = talloc_zero(s, struct repsFromTo1);
+ NT_STATUS_HAVE_NO_MEMORY(s_dsa);
+ s_dsa->other_info = talloc(s_dsa, struct repsFromTo1OtherInfo);
+ NT_STATUS_HAVE_NO_MEMORY(s_dsa->other_info);
+
+ switch (c->ctr_level) {
+ case 1:
+ mapping_ctr = &c->ctr1->mapping_ctr;
+ nc_object_count = c->ctr1->extended_ret; /* maybe w2k send this unexpected? */
+ object_count = c->ctr1->object_count;
+ first_object = c->ctr1->first_object;
+ nc_linked_attributes_count = 0;
+ linked_attributes_count = 0;
+ linked_attributes = NULL;
+ s_dsa->highwatermark = c->ctr1->new_highwatermark;
+ s_dsa->source_dsa_obj_guid = c->ctr1->source_dsa_guid;
+ s_dsa->source_dsa_invocation_id = c->ctr1->source_dsa_invocation_id;
+ uptodateness_vector = NULL; /* TODO: map it */
+ break;
+ case 6:
+ mapping_ctr = &c->ctr6->mapping_ctr;
+ nc_object_count = c->ctr6->nc_object_count;
+ object_count = c->ctr6->object_count;
+ first_object = c->ctr6->first_object;
+ nc_linked_attributes_count = c->ctr6->nc_linked_attributes_count;
+ linked_attributes_count = c->ctr6->linked_attributes_count;
+ linked_attributes = c->ctr6->linked_attributes;
+ s_dsa->highwatermark = c->ctr6->new_highwatermark;
+ s_dsa->source_dsa_obj_guid = c->ctr6->source_dsa_guid;
+ s_dsa->source_dsa_invocation_id = c->ctr6->source_dsa_invocation_id;
+ uptodateness_vector = c->ctr6->uptodateness_vector;
+ break;
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ switch (c->req_level) {
+ case 0:
+ /* none */
+ req_replica_flags = 0;
+ break;
+ case 5:
+ if (c->req5->extended_op != DRSUAPI_EXOP_NONE) {
+ is_exop = true;
+ }
+ req_replica_flags = c->req5->replica_flags;
+ break;
+ case 8:
+ if (c->req8->extended_op != DRSUAPI_EXOP_NONE) {
+ is_exop = true;
+ }
+ req_replica_flags = c->req8->replica_flags;
+ break;
+ case 10:
+ if (c->req10->extended_op != DRSUAPI_EXOP_NONE) {
+ is_exop = true;
+ }
+ req_replica_flags = c->req10->replica_flags;
+ break;
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
}
- /* We cannot do this unless we are a BDC. Check, before we get odd errors later */
- if (cli_credentials_get_secure_channel_type(machine_account) != SEC_CHAN_BDC) {
- r->out.error_string
- = talloc_asprintf(mem_ctx,
- "Our join to domain %s is not as a BDC (%d), please rejoin as a BDC",
-
- cli_credentials_get_domain(machine_account),
- cli_credentials_get_secure_channel_type(machine_account));
- talloc_free(samsync_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ if (req_replica_flags & DRSUAPI_DRS_CRITICAL_ONLY) {
+ /*
+ * If we only replicate the critical objects
+ * we should not remember what we already
+ * got, as it is incomplete.
+ */
+ ZERO_STRUCT(s_dsa->highwatermark);
+ uptodateness_vector = NULL;
}
- c = talloc(samsync_ctx, struct libnet_RpcConnectDCInfo);
- if (!c) {
- r->out.error_string = NULL;
- talloc_free(samsync_ctx);
- return NT_STATUS_NO_MEMORY;
+ /* TODO: avoid hardcoded flags */
+ s_dsa->replica_flags = DRSUAPI_DRS_WRIT_REP
+ | DRSUAPI_DRS_INIT_SYNC
+ | DRSUAPI_DRS_PER_SYNC;
+ memset(s_dsa->schedule, 0x11, sizeof(s_dsa->schedule));
+
+ tmp_dns_name = GUID_string(s_dsa->other_info, &s_dsa->source_dsa_obj_guid);
+ NT_STATUS_HAVE_NO_MEMORY(tmp_dns_name);
+ tmp_dns_name = talloc_asprintf_append_buffer(tmp_dns_name, "._msdcs.%s", c->forest->dns_name);
+ NT_STATUS_HAVE_NO_MEMORY(tmp_dns_name);
+ s_dsa->other_info->dns_name = tmp_dns_name;
+
+ /* we want to show a count per partition */
+ if (!s->last_partition || strcmp(s->last_partition, c->partition->nc.dn) != 0) {
+ s->total_objects = 0;
+ talloc_free(s->last_partition);
+ s->last_partition = talloc_strdup(s, c->partition->nc.dn);
}
+ s->total_objects += object_count;
- if (r->in.binding_string) {
- c->level = LIBNET_RPC_CONNECT_BINDING;
- c->in.binding = r->in.binding_string;
+ partition_dn = ldb_dn_new(s, s->ldb, c->partition->nc.dn);
+ if (partition_dn == NULL) {
+ DEBUG(0,("Failed to parse partition DN from DRS.\n"));
+ return NT_STATUS_FOOBAR;
+ }
+
+ if (is_exop) {
+ int ret;
+ if (nc_object_count) {
+ DEBUG(0,("Exop on[%s] objects[%u/%u] linked_values[%u/%u]\n",
+ c->partition->nc.dn, s->total_objects, nc_object_count,
+ linked_attributes_count, nc_linked_attributes_count));
+ } else {
+ DEBUG(0,("Exop on[%s] objects[%u] linked_values[%u]\n",
+ c->partition->nc.dn, s->total_objects, linked_attributes_count));
+ }
+ ret = dsdb_find_nc_root(s->ldb, s,
+ partition_dn, &nc_root);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to find nc_root for %s\n",
+ ldb_dn_get_linearized(partition_dn)));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
} else {
- /* prepare connect to the NETLOGON pipe of PDC */
- c->level = LIBNET_RPC_CONNECT_PDC;
- c->in.name = cli_credentials_get_domain(machine_account);
- }
- c->in.dcerpc_iface = &dcerpc_table_netlogon;
-
- /* We must do this as the machine, not as any command-line
- * user. So we override the credentials in the
- * libnet_context */
- machine_net_ctx = talloc(samsync_ctx, struct libnet_context);
- if (!machine_net_ctx) {
- r->out.error_string = NULL;
- talloc_free(samsync_ctx);
- return NT_STATUS_NO_MEMORY;
- }
- *machine_net_ctx = *ctx;
- machine_net_ctx->cred = machine_account;
-
- /* connect to the NETLOGON pipe of the PDC */
- nt_status = libnet_RpcConnectDCInfo(machine_net_ctx, c);
- if (!NT_STATUS_IS_OK(nt_status)) {
- if (r->in.binding_string) {
- r->out.error_string = talloc_asprintf(mem_ctx,
- "Connection to NETLOGON pipe of DC %s failed: %s",
- r->in.binding_string, c->out.error_string);
+ if (nc_object_count) {
+ DEBUG(0,("Partition[%s] objects[%u/%u] linked_values[%u/%u]\n",
+ c->partition->nc.dn, s->total_objects, nc_object_count,
+ linked_attributes_count, nc_linked_attributes_count));
} else {
- r->out.error_string = talloc_asprintf(mem_ctx,
- "Connection to NETLOGON pipe of DC for %s failed: %s",
- c->in.name, c->out.error_string);
+ DEBUG(0,("Partition[%s] objects[%u] linked_values[%u]\n",
+ c->partition->nc.dn, s->total_objects, linked_attributes_count));
}
- talloc_free(samsync_ctx);
- return nt_status;
- }
-
- /* This makes a new pipe, on which we can do schannel. We
- * should do this in the RpcConnect code, but the abstaction
- * layers do not suit yet */
-
- nt_status = dcerpc_secondary_connection(c->out.dcerpc_pipe, &p,
- c->out.dcerpc_pipe->binding);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- r->out.error_string = talloc_asprintf(mem_ctx,
- "Secondary connection to NETLOGON pipe of DC %s failed: %s",
- dcerpc_server_name(p), nt_errstr(nt_status));
- talloc_free(samsync_ctx);
- return nt_status;
- }
-
- nt_status = dcerpc_bind_auth_schannel(samsync_ctx, p, &dcerpc_table_netlogon,
- machine_account, DCERPC_AUTH_LEVEL_PRIVACY);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- r->out.error_string = talloc_asprintf(mem_ctx,
- "SCHANNEL authentication to NETLOGON pipe of DC %s failed: %s",
- dcerpc_server_name(p), nt_errstr(nt_status));
- talloc_free(samsync_ctx);
- return nt_status;
- }
-
- state = talloc(samsync_ctx, struct libnet_SamSync_state);
- if (!state) {
- r->out.error_string = NULL;
- talloc_free(samsync_ctx);
- return nt_status;
- }
-
- state->domain_name = c->out.domain_name;
- state->domain_sid = c->out.domain_sid;
- state->realm = c->out.realm;
- state->domain_guid = c->out.guid;
- state->machine_net_ctx = machine_net_ctx;
- state->netlogon_pipe = p;
-
- /* initialise the callback layer. It may wish to contact the
- * server with ldap, now we know the name */
-
- if (r->in.init_fn) {
- char *error_string;
- nt_status = r->in.init_fn(samsync_ctx,
- r->in.fn_ctx,
- state,
- &error_string);
- if (!NT_STATUS_IS_OK(nt_status)) {
- r->out.error_string = talloc_steal(mem_ctx, error_string);
- talloc_free(samsync_ctx);
- return nt_status;
+ nc_root = partition_dn;
+ }
+
+
+ schema = dsdb_get_schema(s->ldb, NULL);
+ if (!schema) {
+ DEBUG(0,(__location__ ": Schema is not loaded yet!\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (req_replica_flags & DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS) {
+ dsdb_repl_flags |= DSDB_REPL_FLAG_PRIORITISE_INCOMING;
+ }
+
+ if (req_replica_flags & DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING) {
+ dsdb_repl_flags |= DSDB_REPL_FLAG_EXPECT_NO_SECRETS;
+ }
+
+ status = dsdb_replicated_objects_convert(s->ldb,
+ schema,
+ nc_root,
+ mapping_ctr,
+ object_count,
+ first_object,
+ linked_attributes_count,
+ linked_attributes,
+ s_dsa,
+ uptodateness_vector,
+ c->gensec_skey,
+ dsdb_repl_flags,
+ s, &objs);
+ if (!W_ERROR_IS_OK(status)) {
+ DEBUG(0,("Failed to convert objects: %s\n", win_errstr(status)));
+ return werror_to_ntstatus(status);
+ }
+
+ if (lpcfg_parm_bool(s->lp_ctx, NULL, "become dc", "dump objects", false)) {
+ for (i=0; i < objs->num_objects; i++) {
+ struct ldb_ldif ldif;
+ fprintf(stdout, "#\n");
+ ldif.changetype = LDB_CHANGETYPE_NONE;
+ ldif.msg = objs->objects[i].msg;
+ ldb_ldif_write_file(s->ldb, stdout, &ldif);
+ NDR_PRINT_DEBUG(replPropertyMetaDataBlob, objs->objects[i].meta_data);
}
}
+ status = dsdb_replicated_objects_commit(s->ldb, NULL, objs, &seq_num);
+ if (!W_ERROR_IS_OK(status)) {
+ DEBUG(0,("Failed to commit objects: %s\n", win_errstr(status)));
+ return werror_to_ntstatus(status);
+ }
+
+ talloc_free(s_dsa);
+ talloc_free(objs);
- /* get NETLOGON credentails */
-
- nt_status = dcerpc_schannel_creds(p->conn->security_state.generic_state, samsync_ctx, &creds);
- if (!NT_STATUS_IS_OK(nt_status)) {
- r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from DCERPC/GENSEC layer");
- talloc_free(samsync_ctx);
- return nt_status;
- }
-
- /* Setup details for the syncronisation */
- dbsync.in.logon_server = talloc_asprintf(samsync_ctx, "\\\\%s", dcerpc_server_name(p));
- dbsync.in.computername = cli_credentials_get_workstation(machine_account);
- dbsync.in.preferredmaximumlength = (uint32_t)-1;
- ZERO_STRUCT(dbsync.in.return_authenticator);
-
- for (i=0;i< ARRAY_SIZE(database_ids); i++) {
- dbsync.in.sync_context = 0;
- dbsync.in.database_id = database_ids[i];
-
- do {
- int d;
- loop_ctx = talloc_named(samsync_ctx, 0, "DatabaseSync loop context");
- creds_client_authenticator(creds, &dbsync.in.credential);
-
- dbsync_nt_status = dcerpc_netr_DatabaseSync(p, loop_ctx, &dbsync);
- if (!NT_STATUS_IS_OK(dbsync_nt_status) &&
- !NT_STATUS_EQUAL(dbsync_nt_status, STATUS_MORE_ENTRIES)) {
- r->out.error_string = talloc_asprintf(mem_ctx, "DatabaseSync failed - %s", nt_errstr(nt_status));
- talloc_free(samsync_ctx);
- return nt_status;
- }
-
- if (!creds_client_check(creds, &dbsync.out.return_authenticator.cred)) {
- r->out.error_string = talloc_strdup(mem_ctx, "Credential chaining on incoming DatabaseSync failed");
- talloc_free(samsync_ctx);
- return NT_STATUS_ACCESS_DENIED;
- }
-
- dbsync.in.sync_context = dbsync.out.sync_context;
-
- /* For every single remote 'delta' entry: */
- for (d=0; d < dbsync.out.delta_enum_array->num_deltas; d++) {
- char *error_string = NULL;
- delta_ctx = talloc_named(loop_ctx, 0, "DatabaseSync delta context");
- /* 'Fix' elements, by decrypting and
- * de-obfustiating the data */
- nt_status = fix_delta(delta_ctx,
- creds,
- dbsync.in.database_id,
- &dbsync.out.delta_enum_array->delta_enum[d],
- &error_string);
- if (!NT_STATUS_IS_OK(nt_status)) {
- r->out.error_string = talloc_steal(mem_ctx, error_string);
- talloc_free(samsync_ctx);
- return nt_status;
- }
-
- /* Now call the callback. This will
- * do something like print the data or
- * write to an ldb */
- nt_status = r->in.delta_fn(delta_ctx,
- r->in.fn_ctx,
- dbsync.in.database_id,
- &dbsync.out.delta_enum_array->delta_enum[d],
- &error_string);
- if (!NT_STATUS_IS_OK(nt_status)) {
- r->out.error_string = talloc_steal(mem_ctx, error_string);
- talloc_free(samsync_ctx);
- return nt_status;
- }
- talloc_free(delta_ctx);
- }
- talloc_free(loop_ctx);
- } while (NT_STATUS_EQUAL(dbsync_nt_status, STATUS_MORE_ENTRIES));
-
- if (!NT_STATUS_IS_OK(dbsync_nt_status)) {
- r->out.error_string = talloc_asprintf(mem_ctx, "libnet_SamSync_netlogon failed: unexpected inconsistancy. Should not get error %s here", nt_errstr(nt_status));
- talloc_free(samsync_ctx);
- return dbsync_nt_status;
+ for (i=0; i < linked_attributes_count; i++) {
+ const struct dsdb_attribute *sa;
+
+ if (!linked_attributes[i].identifier) {
+ DEBUG(0, ("No linked attribute identifier\n"));
+ return NT_STATUS_FOOBAR;
+ }
+
+ if (!linked_attributes[i].value.blob) {
+ DEBUG(0, ("No linked attribute value\n"));
+ return NT_STATUS_FOOBAR;
+ }
+
+ sa = dsdb_attribute_by_attributeID_id(s->schema,
+ linked_attributes[i].attid);
+ if (!sa) {
+ DEBUG(0, ("Unable to find attribute via attribute id %d\n", linked_attributes[i].attid));
+ return NT_STATUS_FOOBAR;
+ }
+
+ if (lpcfg_parm_bool(s->lp_ctx, NULL, "become dc", "dump objects", false)) {
+ DEBUG(0,("# %s\n", sa->lDAPDisplayName));
+ NDR_PRINT_DEBUG(drsuapi_DsReplicaLinkedAttribute, &linked_attributes[i]);
+ dump_data(0,
+ linked_attributes[i].value.blob->data,
+ linked_attributes[i].value.blob->length);
}
- nt_status = NT_STATUS_OK;
}
- talloc_free(samsync_ctx);
- return nt_status;
+
+ return NT_STATUS_OK;
}
git.samba.org / sfrench / samba-autobuild / .git / blobdiff