2 Unix SMB/CIFS implementation.
4 implement the DSGetNCChanges call
6 Copyright (C) Anatoliy Atanasov 2009
7 Copyright (C) Andrew Tridgell 2009-2010
8 Copyright (C) Andrew Bartlett 2010-2016
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "rpc_server/dcerpc_server.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "param/param.h"
28 #include "librpc/gen_ndr/ndr_drsblobs.h"
29 #include "librpc/gen_ndr/ndr_drsuapi.h"
30 #include "librpc/gen_ndr/ndr_security.h"
31 #include "libcli/security/security.h"
32 #include "libcli/security/session.h"
33 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
34 #include "rpc_server/dcerpc_server_proto.h"
35 #include "rpc_server/common/sid_helper.h"
36 #include "../libcli/drsuapi/drsuapi.h"
37 #include "lib/util/binsearch.h"
38 #include "lib/util/tsort.h"
39 #include "auth/session.h"
40 #include "dsdb/common/util.h"
41 #include "lib/dbwrap/dbwrap.h"
42 #include "lib/dbwrap/dbwrap_rbt.h"
43 #include "librpc/gen_ndr/ndr_misc.h"
46 #define DBGC_CLASS DBGC_DRS_REPL
48 #define DRS_GUID_SIZE 16
49 #define DEFAULT_MAX_OBJECTS 1000
50 #define DEFAULT_MAX_LINKS 1500
53 * state of a partially-completed replication cycle. This state persists
54 * over multiple calls to dcesrv_drsuapi_DsGetNCChanges()
56 struct drsuapi_getncchanges_state {
57 struct db_context *obj_cache;
60 uint32_t num_processed;
61 struct ldb_dn *ncRoot_dn;
62 struct GUID ncRoot_guid;
68 struct drsuapi_DsReplicaHighWaterMark last_hwm;
69 struct ldb_dn *last_dn;
70 struct drsuapi_DsReplicaHighWaterMark final_hwm;
71 struct drsuapi_DsReplicaCursor2CtrEx *final_udv;
72 struct drsuapi_DsReplicaLinkedAttribute *la_list;
76 /* these are just used for debugging the replication's progress */
81 /* We must keep the GUIDs in NDR form for sorting */
82 struct la_for_sorting {
83 const struct drsuapi_DsReplicaLinkedAttribute *link;
84 uint8_t target_guid[DRS_GUID_SIZE];
85 uint8_t source_guid[DRS_GUID_SIZE];
89 * stores the state for a chunk of replication data. This state information
90 * only exists for a single call to dcesrv_drsuapi_DsGetNCChanges()
92 struct getncchanges_repl_chunk {
95 uint32_t tgt_la_count;
96 bool immediate_link_sync;
100 /* stores the objects to be sent in this chunk */
101 uint32_t object_count;
102 struct drsuapi_DsReplicaObjectListItemEx *object_list;
104 /* the last object added to this replication chunk */
105 struct drsuapi_DsReplicaObjectListItemEx *last_object;
108 static int drsuapi_DsReplicaHighWaterMark_cmp(const struct drsuapi_DsReplicaHighWaterMark *h1,
109 const struct drsuapi_DsReplicaHighWaterMark *h2)
111 if (h1->highest_usn < h2->highest_usn) {
113 } else if (h1->highest_usn > h2->highest_usn) {
115 } else if (h1->tmp_highest_usn < h2->tmp_highest_usn) {
117 } else if (h1->tmp_highest_usn > h2->tmp_highest_usn) {
119 } else if (h1->reserved_usn < h2->reserved_usn) {
121 } else if (h1->reserved_usn > h2->reserved_usn) {
129 build a DsReplicaObjectIdentifier from a ldb msg
131 static struct drsuapi_DsReplicaObjectIdentifier *get_object_identifier(TALLOC_CTX *mem_ctx,
132 const struct ldb_message *msg)
134 struct drsuapi_DsReplicaObjectIdentifier *identifier;
137 identifier = talloc(mem_ctx, struct drsuapi_DsReplicaObjectIdentifier);
138 if (identifier == NULL) {
142 identifier->dn = ldb_dn_alloc_linearized(identifier, msg->dn);
143 identifier->guid = samdb_result_guid(msg, "objectGUID");
145 sid = samdb_result_dom_sid(identifier, msg, "objectSid");
147 identifier->sid = *sid;
149 ZERO_STRUCT(identifier->sid);
154 static int udv_compare(const struct GUID *guid1, struct GUID guid2)
156 return GUID_compare(guid1, &guid2);
160 see if we can filter an attribute using the uptodateness_vector
162 static bool udv_filter(const struct drsuapi_DsReplicaCursorCtrEx *udv,
163 const struct GUID *originating_invocation_id,
164 uint64_t originating_usn)
166 const struct drsuapi_DsReplicaCursor *c;
167 if (udv == NULL) return false;
168 BINARY_ARRAY_SEARCH(udv->cursors, udv->count, source_dsa_invocation_id,
169 originating_invocation_id, udv_compare, c);
170 if (c && originating_usn <= c->highest_usn) {
176 static int uint32_t_cmp(uint32_t a1, uint32_t a2)
178 if (a1 == a2) return 0;
179 return a1 > a2 ? 1 : -1;
182 static int uint32_t_ptr_cmp(uint32_t *a1, uint32_t *a2, void *unused)
184 if (*a1 == *a2) return 0;
185 return *a1 > *a2 ? 1 : -1;
188 static WERROR getncchanges_attid_remote_to_local(const struct dsdb_schema *schema,
189 const struct dsdb_syntax_ctx *ctx,
190 enum drsuapi_DsAttributeId remote_attid_as_enum,
191 enum drsuapi_DsAttributeId *local_attid_as_enum,
192 const struct dsdb_attribute **_sa)
195 const struct dsdb_attribute *sa = NULL;
197 if (ctx->pfm_remote == NULL) {
198 DEBUG(7, ("No prefixMap supplied, falling back to local prefixMap.\n"));
202 werr = dsdb_attribute_drsuapi_remote_to_local(ctx,
203 remote_attid_as_enum,
206 if (!W_ERROR_IS_OK(werr)) {
207 DEBUG(3, ("WARNING: Unable to resolve remote attid, falling back to local prefixMap.\n"));
214 sa = dsdb_attribute_by_attributeID_id(schema, remote_attid_as_enum);
216 return WERR_DS_DRA_SCHEMA_MISMATCH;
218 if (local_attid_as_enum != NULL) {
219 *local_attid_as_enum = sa->attributeID_id;
228 static WERROR getncchanges_update_revealed_list(struct ldb_context *sam_ctx,
230 struct ldb_message **msg,
231 struct ldb_dn *object_dn,
232 const struct GUID *object_guid,
233 const struct dsdb_attribute *sa,
234 struct replPropertyMetaData1 *meta_data,
235 struct ldb_message *revealed_users)
237 enum ndr_err_code ndr_err;
239 char *attr_str = NULL;
240 char *attr_hex = NULL;
242 struct ldb_message_element *existing = NULL, *el_add = NULL, *el_del = NULL;
243 const char * const * secret_attributes = ldb_get_opaque(sam_ctx, "LDB_SECRET_ATTRIBUTE_LIST");
245 if (!ldb_attr_in_list(secret_attributes,
246 sa->lDAPDisplayName)) {
251 ndr_err = ndr_push_struct_blob(&attr_blob, mem_ctx, meta_data, (ndr_push_flags_fn_t)ndr_push_replPropertyMetaData1);
252 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
253 return WERR_DS_DRA_INTERNAL_ERROR;
256 attr_hex = hex_encode_talloc(mem_ctx, attr_blob.data, attr_blob.length);
257 if (attr_hex == NULL) {
258 return WERR_NOT_ENOUGH_MEMORY;
261 attr_str = talloc_asprintf(mem_ctx, "B:%zd:%s:%s", attr_blob.length*2, attr_hex, ldb_dn_get_linearized(object_dn));
262 if (attr_str == NULL) {
263 return WERR_NOT_ENOUGH_MEMORY;
266 existing = ldb_msg_find_element(revealed_users, "msDS-RevealedUsers");
267 if (existing != NULL) {
268 /* Replace the old value (if one exists) with the current one */
269 struct parsed_dn *link_dns;
270 struct parsed_dn *exact = NULL, *unused = NULL;
272 DATA_BLOB partial_meta;
274 ldb_err = get_parsed_dns_trusted(mem_ctx, existing, &link_dns);
275 if (ldb_err != LDB_SUCCESS) {
276 return WERR_DS_DRA_INTERNAL_ERROR;
279 /* Construct a partial metadata blob to match on in the DB */
280 SIVAL(attid, 0, sa->attributeID_id);
281 partial_meta.length = 4;
282 partial_meta.data = attid;
284 /* Binary search using GUID and attribute id for uniqueness */
285 ldb_err = parsed_dn_find(sam_ctx, link_dns, existing->num_values,
286 object_guid, object_dn,
289 DSDB_SYNTAX_BINARY_DN, true);
291 if (ldb_err != LDB_SUCCESS) {
292 DEBUG(0,(__location__ ": Failed parsed DN find - %s\n",
293 ldb_errstring(sam_ctx)));
294 return WERR_DS_DRA_INTERNAL_ERROR;
298 /* Perform some verification of the blob */
299 struct replPropertyMetaData1 existing_meta_data;
300 ndr_err = ndr_pull_struct_blob_all_noalloc(&exact->dsdb_dn->extra_part,
302 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaData1);
303 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
304 return WERR_DS_DRA_INTERNAL_ERROR;
307 if (existing_meta_data.attid == sa->attributeID_id) {
308 ldb_err = ldb_msg_add_empty(*msg, "msDS-RevealedUsers", LDB_FLAG_MOD_DELETE, &el_del);
309 if (ldb_err != LDB_SUCCESS) {
310 return WERR_DS_DRA_INTERNAL_ERROR;
313 el_del->values = talloc_array((*msg)->elements, struct ldb_val, 1);
314 if (el_del->values == NULL) {
315 return WERR_NOT_ENOUGH_MEMORY;
317 el_del->values[0] = *exact->v;
318 el_del->num_values = 1;
320 return WERR_DS_DRA_INTERNAL_ERROR;
325 ldb_err = ldb_msg_add_empty(*msg, "msDS-RevealedUsers", LDB_FLAG_MOD_ADD, &el_add);
326 if (ldb_err != LDB_SUCCESS) {
327 return WERR_DS_DRA_INTERNAL_ERROR;
330 el_add->values = talloc_array((*msg)->elements, struct ldb_val, 1);
331 if (el_add->values == NULL) {
332 return WERR_NOT_ENOUGH_MEMORY;
336 el_add->values[0] = data_blob_string_const(attr_str);
337 el_add->num_values = 1;
343 * This function filter attributes for build_object based on the
344 * uptodatenessvector and partial attribute set.
346 * Any secret attributes are forced here for REPL_SECRET, and audited at this
347 * point with msDS-RevealedUsers.
349 static WERROR get_nc_changes_filter_attrs(struct drsuapi_DsReplicaObjectListItemEx *obj,
350 struct replPropertyMetaDataBlob md,
351 struct ldb_context *sam_ctx,
352 const struct ldb_message *msg,
353 const struct GUID *guid,
355 uint64_t highest_usn,
356 const struct dsdb_attribute *rdn_sa,
357 struct dsdb_schema *schema,
358 struct drsuapi_DsReplicaCursorCtrEx *uptodateness_vector,
359 struct drsuapi_DsPartialAttributeSet *partial_attribute_set,
363 struct ldb_message **revealed_list_msg,
364 struct ldb_message *existing_revealed_list_msg)
368 for (n=i=0; i<md.ctr.ctr1.count; i++) {
369 const struct dsdb_attribute *sa;
370 bool force_attribute = false;
372 /* if the attribute has not changed, and it is not the
373 instanceType then don't include it */
374 if (md.ctr.ctr1.array[i].local_usn < highest_usn &&
376 md.ctr.ctr1.array[i].attid != DRSUAPI_ATTID_instanceType) continue;
378 /* don't include the rDN */
379 if (md.ctr.ctr1.array[i].attid == rdn_sa->attributeID_id) continue;
381 sa = dsdb_attribute_by_attributeID_id(schema, md.ctr.ctr1.array[i].attid);
383 DEBUG(0,(__location__ ": Failed to find attribute in schema for attrid %u mentioned in replPropertyMetaData of %s\n",
384 (unsigned int)md.ctr.ctr1.array[i].attid,
385 ldb_dn_get_linearized(msg->dn)));
386 return WERR_DS_DRA_INTERNAL_ERROR;
390 struct ldb_message_element *el;
391 el = ldb_msg_find_element(msg, sa->lDAPDisplayName);
392 if (el && el->num_values && dsdb_dn_is_upgraded_link_val(&el->values[0])) {
393 /* don't send upgraded links inline */
399 !dsdb_attr_in_rodc_fas(sa)) {
400 force_attribute = true;
401 DEBUG(4,("Forcing attribute %s in %s\n",
402 sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn)));
403 werr = getncchanges_update_revealed_list(sam_ctx, obj,
406 &md.ctr.ctr1.array[i],
407 existing_revealed_list_msg);
408 if (!W_ERROR_IS_OK(werr)) {
413 /* filter by uptodateness_vector */
414 if (md.ctr.ctr1.array[i].attid != DRSUAPI_ATTID_instanceType &&
416 udv_filter(uptodateness_vector,
417 &md.ctr.ctr1.array[i].originating_invocation_id,
418 md.ctr.ctr1.array[i].originating_usn)) {
422 /* filter by partial_attribute_set */
423 if (partial_attribute_set && !force_attribute) {
424 uint32_t *result = NULL;
425 BINARY_ARRAY_SEARCH_V(local_pas, partial_attribute_set->num_attids, sa->attributeID_id,
426 uint32_t_cmp, result);
427 if (result == NULL) {
432 obj->meta_data_ctr->meta_data[n].originating_change_time = md.ctr.ctr1.array[i].originating_change_time;
433 obj->meta_data_ctr->meta_data[n].version = md.ctr.ctr1.array[i].version;
434 obj->meta_data_ctr->meta_data[n].originating_invocation_id = md.ctr.ctr1.array[i].originating_invocation_id;
435 obj->meta_data_ctr->meta_data[n].originating_usn = md.ctr.ctr1.array[i].originating_usn;
436 attids[n] = md.ctr.ctr1.array[i].attid;
447 drsuapi_DsGetNCChanges for one object
449 static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItemEx *obj,
450 const struct ldb_message *msg,
451 struct ldb_context *sam_ctx,
452 struct drsuapi_getncchanges_state *getnc_state,
453 struct dsdb_schema *schema,
454 DATA_BLOB *session_key,
455 struct drsuapi_DsGetNCChangesRequest10 *req10,
456 bool force_object_return,
458 struct ldb_dn *machine_dn,
459 const struct GUID *guid)
461 const struct ldb_val *md_value;
463 struct replPropertyMetaDataBlob md;
466 enum ndr_err_code ndr_err;
469 const struct dsdb_attribute *rdn_sa;
471 unsigned int instanceType;
472 struct dsdb_syntax_ctx syntax_ctx;
473 struct ldb_result *res = NULL;
476 uint32_t replica_flags = req10->replica_flags;
477 struct drsuapi_DsPartialAttributeSet *partial_attribute_set =
478 req10->partial_attribute_set;
479 struct drsuapi_DsReplicaCursorCtrEx *uptodateness_vector =
480 req10->uptodateness_vector;
481 enum drsuapi_DsExtendedOperation extended_op = req10->extended_op;
482 bool is_schema_nc = getnc_state->is_schema_nc;
483 uint64_t highest_usn = getnc_state->min_usn;
485 /* make dsdb sytanx context for conversions */
486 dsdb_syntax_ctx_init(&syntax_ctx, sam_ctx, schema);
487 syntax_ctx.is_schema_nc = is_schema_nc;
489 uSNChanged = ldb_msg_find_attr_as_uint64(msg, "uSNChanged", 0);
490 instanceType = ldb_msg_find_attr_as_uint(msg, "instanceType", 0);
491 if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
492 obj->is_nc_prefix = true;
493 obj->parent_object_guid = NULL;
495 obj->is_nc_prefix = false;
496 obj->parent_object_guid = talloc(obj, struct GUID);
497 if (obj->parent_object_guid == NULL) {
498 return WERR_DS_DRA_INTERNAL_ERROR;
500 *obj->parent_object_guid = samdb_result_guid(msg, "parentGUID");
501 if (GUID_all_zero(obj->parent_object_guid)) {
502 DEBUG(0,(__location__ ": missing parentGUID for %s\n",
503 ldb_dn_get_linearized(msg->dn)));
504 return WERR_DS_DRA_INTERNAL_ERROR;
507 obj->next_object = NULL;
509 md_value = ldb_msg_find_ldb_val(msg, "replPropertyMetaData");
511 /* nothing to send */
515 if (instanceType & INSTANCE_TYPE_UNINSTANT) {
516 /* don't send uninstantiated objects */
520 if (uSNChanged <= highest_usn) {
521 /* nothing to send */
525 ndr_err = ndr_pull_struct_blob(md_value, obj, &md,
526 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
527 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
528 return WERR_DS_DRA_INTERNAL_ERROR;
531 if (md.version != 1) {
532 return WERR_DS_DRA_INTERNAL_ERROR;
535 rdn = ldb_dn_get_rdn_name(msg->dn);
537 DEBUG(0,(__location__ ": No rDN for %s\n", ldb_dn_get_linearized(msg->dn)));
538 return WERR_DS_DRA_INTERNAL_ERROR;
541 rdn_sa = dsdb_attribute_by_lDAPDisplayName(schema, rdn);
542 if (rdn_sa == NULL) {
543 DEBUG(0,(__location__ ": Can't find dsds_attribute for rDN %s in %s\n",
544 rdn, ldb_dn_get_linearized(msg->dn)));
545 return WERR_DS_DRA_INTERNAL_ERROR;
548 obj->meta_data_ctr = talloc(obj, struct drsuapi_DsReplicaMetaDataCtr);
549 attids = talloc_array(obj, uint32_t, md.ctr.ctr1.count);
551 obj->object.identifier = get_object_identifier(obj, msg);
552 if (obj->object.identifier == NULL) {
553 return WERR_NOT_ENOUGH_MEMORY;
555 dom_sid_split_rid(NULL, &obj->object.identifier->sid, NULL, &rid);
557 obj->meta_data_ctr->meta_data = talloc_array(obj, struct drsuapi_DsReplicaMetaData, md.ctr.ctr1.count);
559 if (extended_op == DRSUAPI_EXOP_REPL_SECRET) {
560 /* Get the existing revealed users for the destination */
561 struct ldb_message *revealed_list_msg = NULL;
562 struct ldb_message *existing_revealed_list_msg = NULL;
563 const char *machine_attrs[] = {
564 "msDS-RevealedUsers",
568 revealed_list_msg = ldb_msg_new(sam_ctx);
569 if (revealed_list_msg == NULL) {
570 return WERR_NOT_ENOUGH_MEMORY;
572 revealed_list_msg->dn = machine_dn;
574 ret = ldb_transaction_start(sam_ctx);
575 if (ret != LDB_SUCCESS) {
576 DEBUG(0,(__location__ ": Failed transaction start - %s\n",
577 ldb_errstring(sam_ctx)));
578 return WERR_DS_DRA_INTERNAL_ERROR;
581 ldb_err = dsdb_search_dn(sam_ctx, obj, &res, machine_dn, machine_attrs, DSDB_SEARCH_SHOW_EXTENDED_DN);
582 if (ldb_err != LDB_SUCCESS || res->count != 1) {
583 ldb_transaction_cancel(sam_ctx);
584 return WERR_DS_DRA_INTERNAL_ERROR;
587 existing_revealed_list_msg = res->msgs[0];
589 werr = get_nc_changes_filter_attrs(obj, md, sam_ctx, msg,
590 guid, &n, highest_usn,
593 partial_attribute_set, local_pas,
597 existing_revealed_list_msg);
598 if (!W_ERROR_IS_OK(werr)) {
599 ldb_transaction_cancel(sam_ctx);
603 if (revealed_list_msg != NULL) {
604 ret = ldb_modify(sam_ctx, revealed_list_msg);
605 if (ret != LDB_SUCCESS) {
606 DEBUG(0,(__location__ ": Failed to alter revealed links - %s\n",
607 ldb_errstring(sam_ctx)));
608 ldb_transaction_cancel(sam_ctx);
609 return WERR_DS_DRA_INTERNAL_ERROR;
613 ret = ldb_transaction_commit(sam_ctx);
614 if (ret != LDB_SUCCESS) {
615 DEBUG(0,(__location__ ": Failed transaction commit - %s\n",
616 ldb_errstring(sam_ctx)));
617 return WERR_DS_DRA_INTERNAL_ERROR;
620 werr = get_nc_changes_filter_attrs(obj, md, sam_ctx, msg, guid,
621 &n, highest_usn, rdn_sa,
622 schema, uptodateness_vector,
623 partial_attribute_set, local_pas,
628 if (!W_ERROR_IS_OK(werr)) {
633 /* ignore it if its an empty change. Note that renames always
634 * change the 'name' attribute, so they won't be ignored by
637 * the force_object_return check is used to force an empty
638 * object return when we timeout in the getncchanges loop.
639 * This allows us to return an empty object, which keeps the
640 * client happy while preventing timeouts
644 attids[0] == DRSUAPI_ATTID_instanceType &&
645 !force_object_return)) {
646 talloc_free(obj->meta_data_ctr);
647 obj->meta_data_ctr = NULL;
651 obj->meta_data_ctr->count = n;
653 obj->object.flags = DRSUAPI_DS_REPLICA_OBJECT_FROM_MASTER;
654 obj->object.attribute_ctr.num_attributes = obj->meta_data_ctr->count;
655 obj->object.attribute_ctr.attributes = talloc_array(obj, struct drsuapi_DsReplicaAttribute,
656 obj->object.attribute_ctr.num_attributes);
657 if (obj->object.attribute_ctr.attributes == NULL) {
658 return WERR_NOT_ENOUGH_MEMORY;
662 * Note that the meta_data array and the attributes array must
663 * be the same size and in the same order
665 for (i=0; i<obj->object.attribute_ctr.num_attributes; i++) {
666 struct ldb_message_element *el;
667 const struct dsdb_attribute *sa;
669 sa = dsdb_attribute_by_attributeID_id(schema, attids[i]);
671 DEBUG(0,("Unable to find attributeID %u in schema\n", attids[i]));
672 return WERR_DS_DRA_INTERNAL_ERROR;
675 el = ldb_msg_find_element(msg, sa->lDAPDisplayName);
677 /* this happens for attributes that have been removed */
678 DEBUG(5,("No element '%s' for attributeID %u in message\n",
679 sa->lDAPDisplayName, attids[i]));
680 ZERO_STRUCT(obj->object.attribute_ctr.attributes[i]);
681 obj->object.attribute_ctr.attributes[i].attid =
682 dsdb_attribute_get_attid(sa, syntax_ctx.is_schema_nc);
684 werr = sa->syntax->ldb_to_drsuapi(&syntax_ctx, sa, el, obj,
685 &obj->object.attribute_ctr.attributes[i]);
686 if (!W_ERROR_IS_OK(werr)) {
687 DEBUG(0,("Unable to convert %s on %s to DRS object - %s\n",
688 sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn),
692 /* if DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING is set
693 * check if attribute is secret and send a null value
695 if (replica_flags & DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING) {
696 drsuapi_process_secret_attribute(&obj->object.attribute_ctr.attributes[i],
697 &obj->meta_data_ctr->meta_data[i]);
699 /* some attributes needs to be encrypted
701 werr = drsuapi_encrypt_attribute(obj, session_key, rid,
702 &obj->object.attribute_ctr.attributes[i]);
703 if (!W_ERROR_IS_OK(werr)) {
704 DEBUG(0,("Unable to encrypt %s on %s in DRS object - %s\n",
705 sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn),
710 if (attids[i] != obj->object.attribute_ctr.attributes[i].attid) {
711 DEBUG(0, ("Unable to replicate attribute %s on %s via DRS, incorrect attributeID: "
715 ldb_dn_get_linearized(msg->dn),
717 obj->object.attribute_ctr.attributes[i].attid));
718 return WERR_DS_DATABASE_ERROR;
726 add one linked attribute from an object to the list of linked
727 attributes in a getncchanges request
729 static WERROR get_nc_changes_add_la(TALLOC_CTX *mem_ctx,
730 struct ldb_context *sam_ctx,
731 const struct dsdb_schema *schema,
732 const struct dsdb_attribute *sa,
733 const struct ldb_message *msg,
734 struct dsdb_dn *dsdb_dn,
735 struct drsuapi_DsReplicaLinkedAttribute **la_list,
739 struct drsuapi_DsReplicaLinkedAttribute *la;
744 (*la_list) = talloc_realloc(mem_ctx, *la_list, struct drsuapi_DsReplicaLinkedAttribute, (*la_count)+1);
745 W_ERROR_HAVE_NO_MEMORY(*la_list);
747 la = &(*la_list)[*la_count];
749 la->identifier = get_object_identifier(*la_list, msg);
750 W_ERROR_HAVE_NO_MEMORY(la->identifier);
752 active = (dsdb_dn_rmd_flags(dsdb_dn->dn) & DSDB_RMD_FLAG_DELETED) == 0;
755 /* We have to check that the inactive link still point to an existing object */
761 v = ldb_msg_find_attr_as_string(msg, "isDeleted", "FALSE");
762 if (strncmp(v, "TRUE", 4) == 0) {
764 * Note: we skip the transmition of the deleted link even if the other part used to
765 * know about it because when we transmit the deletion of the object, the link will
766 * be deleted too due to deletion of object where link points and Windows do so.
768 if (dsdb_functional_level(sam_ctx) >= DS_DOMAIN_FUNCTION_2008_R2) {
769 v = ldb_msg_find_attr_as_string(msg, "isRecycled", "FALSE");
771 * On Windows 2008R2 isRecycled is always present even if FL or DL are < FL 2K8R2
772 * if it join an existing domain with deleted objets, it firsts impose to have a
773 * schema with the is-Recycled object and for all deleted objects it adds the isRecycled
774 * either during initial replication or after the getNCChanges.
775 * Behavior of samba has been changed to always have this attribute if it's present in the schema.
777 * So if FL <2K8R2 isRecycled might be here or not but we don't care, it's meaning less.
778 * If FL >=2K8R2 we are sure that this attribute will be here.
779 * For this kind of forest level we do not return the link if the object is recycled
780 * (isRecycled = true).
782 if (strncmp(v, "TRUE", 4) == 0) {
783 DEBUG(2, (" object %s is recycled, not returning linked attribute !\n",
784 ldb_dn_get_linearized(msg->dn)));
791 status = dsdb_get_extended_dn_guid(dsdb_dn->dn, &guid, "GUID");
792 if (!NT_STATUS_IS_OK(status)) {
793 DEBUG(0,(__location__ " Unable to extract GUID in linked attribute '%s' in '%s'\n",
794 sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn)));
795 return ntstatus_to_werror(status);
797 ret = dsdb_find_dn_by_guid(sam_ctx, mem_ctx, &guid, 0, &tdn);
798 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
799 DEBUG(2, (" Search of guid %s returned 0 objects, skipping it !\n",
800 GUID_string(mem_ctx, &guid)));
802 } else if (ret != LDB_SUCCESS) {
803 DEBUG(0, (__location__ " Search of guid %s failed with error code %d\n",
804 GUID_string(mem_ctx, &guid),
809 la->attid = dsdb_attribute_get_attid(sa, is_schema_nc);
810 la->flags = active?DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE:0;
812 status = dsdb_get_extended_dn_uint32(dsdb_dn->dn, &la->meta_data.version, "RMD_VERSION");
813 if (!NT_STATUS_IS_OK(status)) {
814 DEBUG(0,(__location__ " No RMD_VERSION in linked attribute '%s' in '%s'\n",
815 sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn)));
816 return ntstatus_to_werror(status);
818 status = dsdb_get_extended_dn_nttime(dsdb_dn->dn, &la->meta_data.originating_change_time, "RMD_CHANGETIME");
819 if (!NT_STATUS_IS_OK(status)) {
820 DEBUG(0,(__location__ " No RMD_CHANGETIME in linked attribute '%s' in '%s'\n",
821 sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn)));
822 return ntstatus_to_werror(status);
824 status = dsdb_get_extended_dn_guid(dsdb_dn->dn, &la->meta_data.originating_invocation_id, "RMD_INVOCID");
825 if (!NT_STATUS_IS_OK(status)) {
826 DEBUG(0,(__location__ " No RMD_INVOCID in linked attribute '%s' in '%s'\n",
827 sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn)));
828 return ntstatus_to_werror(status);
830 status = dsdb_get_extended_dn_uint64(dsdb_dn->dn, &la->meta_data.originating_usn, "RMD_ORIGINATING_USN");
831 if (!NT_STATUS_IS_OK(status)) {
832 DEBUG(0,(__location__ " No RMD_ORIGINATING_USN in linked attribute '%s' in '%s'\n",
833 sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn)));
834 return ntstatus_to_werror(status);
837 status = dsdb_get_extended_dn_nttime(dsdb_dn->dn, &la->originating_add_time, "RMD_ADDTIME");
838 if (!NT_STATUS_IS_OK(status)) {
839 /* this is possible for upgraded links */
840 la->originating_add_time = la->meta_data.originating_change_time;
843 werr = dsdb_dn_la_to_blob(sam_ctx, sa, schema, *la_list, dsdb_dn, &la->value.blob);
844 W_ERROR_NOT_OK_RETURN(werr);
852 add linked attributes from an object to the list of linked
853 attributes in a getncchanges request
855 static WERROR get_nc_changes_add_links(struct ldb_context *sam_ctx,
858 struct dsdb_schema *schema,
859 uint64_t highest_usn,
860 uint32_t replica_flags,
861 const struct ldb_message *msg,
862 struct drsuapi_DsReplicaLinkedAttribute **la_list,
864 struct drsuapi_DsReplicaCursorCtrEx *uptodateness_vector)
867 TALLOC_CTX *tmp_ctx = NULL;
868 uint64_t uSNChanged = ldb_msg_find_attr_as_uint64(msg, "uSNChanged", 0);
869 bool is_critical = ldb_msg_find_attr_as_bool(msg, "isCriticalSystemObject", false);
871 if (replica_flags & DRSUAPI_DRS_CRITICAL_ONLY) {
877 if (uSNChanged <= highest_usn) {
881 tmp_ctx = talloc_new(mem_ctx);
882 if (tmp_ctx == NULL) {
883 return WERR_NOT_ENOUGH_MEMORY;
886 for (i=0; i<msg->num_elements; i++) {
887 struct ldb_message_element *el = &msg->elements[i];
888 const struct dsdb_attribute *sa;
891 sa = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
893 if (!sa || sa->linkID == 0 || (sa->linkID & 1)) {
894 /* we only want forward links */
898 if (el->num_values && !dsdb_dn_is_upgraded_link_val(&el->values[0])) {
899 /* its an old style link, it will have been
900 * sent in the main replication data */
904 for (j=0; j<el->num_values; j++) {
905 struct dsdb_dn *dsdb_dn;
907 uint64_t originating_usn;
908 NTSTATUS status, status2;
910 struct GUID originating_invocation_id;
912 dsdb_dn = dsdb_dn_parse(tmp_ctx, sam_ctx, &el->values[j], sa->syntax->ldap_oid);
913 if (dsdb_dn == NULL) {
914 DEBUG(1,(__location__ ": Failed to parse DN for %s in %s\n",
915 el->name, ldb_dn_get_linearized(msg->dn)));
916 talloc_free(tmp_ctx);
917 return WERR_DS_DRA_INTERNAL_ERROR;
920 status = dsdb_get_extended_dn_uint64(dsdb_dn->dn, &local_usn, "RMD_LOCAL_USN");
921 if (!NT_STATUS_IS_OK(status)) {
922 /* this can happen for attributes
923 given to us with old style meta
928 if (local_usn > uSNChanged) {
929 DEBUG(1,(__location__ ": uSNChanged less than RMD_LOCAL_USN for %s on %s\n",
930 el->name, ldb_dn_get_linearized(msg->dn)));
931 talloc_free(tmp_ctx);
932 return WERR_DS_DRA_INTERNAL_ERROR;
935 if (local_usn <= highest_usn) {
939 status = dsdb_get_extended_dn_guid(dsdb_dn->dn,
940 &originating_invocation_id,
942 status2 = dsdb_get_extended_dn_uint64(dsdb_dn->dn,
944 "RMD_ORIGINATING_USN");
946 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(status2)) {
947 if (udv_filter(uptodateness_vector,
948 &originating_invocation_id,
954 werr = get_nc_changes_add_la(mem_ctx, sam_ctx, schema,
955 sa, msg, dsdb_dn, la_list,
956 la_count, is_schema_nc);
957 if (!W_ERROR_IS_OK(werr)) {
958 talloc_free(tmp_ctx);
964 talloc_free(tmp_ctx);
969 fill in the cursors return based on the replUpToDateVector for the ncRoot_dn
971 static WERROR get_nc_changes_udv(struct ldb_context *sam_ctx,
972 struct ldb_dn *ncRoot_dn,
973 struct drsuapi_DsReplicaCursor2CtrEx *udv)
981 ret = dsdb_load_udv_v2(sam_ctx, ncRoot_dn, udv, &udv->cursors, &udv->count);
982 if (ret != LDB_SUCCESS) {
983 DEBUG(0,(__location__ ": Failed to load UDV for %s - %s\n",
984 ldb_dn_get_linearized(ncRoot_dn), ldb_errstring(sam_ctx)));
985 return WERR_DS_DRA_INTERNAL_ERROR;
992 /* comparison function for linked attributes - see CompareLinks() in
993 * MS-DRSR section 4.1.10.5.17 */
994 static int linked_attribute_compare(const struct la_for_sorting *la1,
995 const struct la_for_sorting *la2,
999 c = memcmp(la1->source_guid,
1000 la2->source_guid, sizeof(la2->source_guid));
1005 if (la1->link->attid != la2->link->attid) {
1006 return la1->link->attid < la2->link->attid? -1:1;
1009 if ((la1->link->flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE) !=
1010 (la2->link->flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE)) {
1011 return (la1->link->flags &
1012 DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE)? 1:-1;
1015 return memcmp(la1->target_guid,
1016 la2->target_guid, sizeof(la2->target_guid));
1019 struct drsuapi_changed_objects {
1026 sort the objects we send first by uSNChanged
1028 static int site_res_cmp_usn_order(struct drsuapi_changed_objects *m1,
1029 struct drsuapi_changed_objects *m2,
1030 struct drsuapi_getncchanges_state *getnc_state)
1034 ret = ldb_dn_compare(getnc_state->ncRoot_dn, m1->dn);
1039 ret = ldb_dn_compare(getnc_state->ncRoot_dn, m2->dn);
1044 if (m1->usn == m2->usn) {
1045 return ldb_dn_compare(m2->dn, m1->dn);
1048 if (m1->usn < m2->usn) {
1057 handle a DRSUAPI_EXOP_FSMO_RID_ALLOC call
1059 static WERROR getncchanges_rid_alloc(struct drsuapi_bind_state *b_state,
1060 TALLOC_CTX *mem_ctx,
1061 struct drsuapi_DsGetNCChangesRequest10 *req10,
1062 struct drsuapi_DsGetNCChangesCtr6 *ctr6,
1063 struct ldb_dn **rid_manager_dn)
1065 struct ldb_dn *req_dn, *ntds_dn = NULL;
1067 struct ldb_context *ldb = b_state->sam_ctx;
1068 struct ldb_result *ext_res;
1069 struct dsdb_fsmo_extended_op *exop;
1074 - verify that the DN being asked for is the RID Manager DN
1075 - verify that we are the RID Manager
1078 /* work out who is the RID Manager, also return to caller */
1079 ret = samdb_rid_manager_dn(ldb, mem_ctx, rid_manager_dn);
1080 if (ret != LDB_SUCCESS) {
1081 DEBUG(0, (__location__ ": Failed to find RID Manager object - %s\n", ldb_errstring(ldb)));
1082 return WERR_DS_DRA_INTERNAL_ERROR;
1085 req_dn = drs_ObjectIdentifier_to_dn(mem_ctx, ldb, req10->naming_context);
1086 if (!ldb_dn_validate(req_dn) ||
1087 ldb_dn_compare(req_dn, *rid_manager_dn) != 0) {
1088 /* that isn't the RID Manager DN */
1089 DEBUG(0,(__location__ ": RID Alloc request for wrong DN %s\n",
1090 drs_ObjectIdentifier_to_string(mem_ctx, req10->naming_context)));
1091 ctr6->extended_ret = DRSUAPI_EXOP_ERR_MISMATCH;
1095 /* TODO: make sure ntds_dn is a valid nTDSDSA object */
1096 ret = dsdb_find_dn_by_guid(ldb, mem_ctx, &req10->destination_dsa_guid, 0, &ntds_dn);
1097 if (ret != LDB_SUCCESS) {
1098 DEBUG(0, (__location__ ": Unable to find NTDS object for guid %s - %s\n",
1099 GUID_string(mem_ctx, &req10->destination_dsa_guid), ldb_errstring(ldb)));
1100 ctr6->extended_ret = DRSUAPI_EXOP_ERR_UNKNOWN_CALLER;
1104 /* find the DN of the RID Manager */
1105 ret = samdb_reference_dn_is_our_ntdsa(ldb, *rid_manager_dn, "fSMORoleOwner", &is_us);
1106 if (ret != LDB_SUCCESS) {
1107 DEBUG(0,("Failed to find fSMORoleOwner in RID Manager object\n"));
1108 ctr6->extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER;
1109 return WERR_DS_DRA_INTERNAL_ERROR;
1113 /* we're not the RID Manager - go away */
1114 DEBUG(0,(__location__ ": RID Alloc request when not RID Manager\n"));
1115 ctr6->extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER;
1119 exop = talloc(mem_ctx, struct dsdb_fsmo_extended_op);
1120 W_ERROR_HAVE_NO_MEMORY(exop);
1122 exop->fsmo_info = req10->fsmo_info;
1123 exop->destination_dsa_guid = req10->destination_dsa_guid;
1125 ret = ldb_transaction_start(ldb);
1126 if (ret != LDB_SUCCESS) {
1127 DEBUG(0,(__location__ ": Failed transaction start - %s\n",
1128 ldb_errstring(ldb)));
1129 return WERR_DS_DRA_INTERNAL_ERROR;
1132 ret = ldb_extended(ldb, DSDB_EXTENDED_ALLOCATE_RID_POOL, exop, &ext_res);
1133 if (ret != LDB_SUCCESS) {
1134 DEBUG(0,(__location__ ": Failed extended allocation RID pool operation - %s\n",
1135 ldb_errstring(ldb)));
1136 ldb_transaction_cancel(ldb);
1137 return WERR_DS_DRA_INTERNAL_ERROR;
1140 ret = ldb_transaction_commit(ldb);
1141 if (ret != LDB_SUCCESS) {
1142 DEBUG(0,(__location__ ": Failed transaction commit - %s\n",
1143 ldb_errstring(ldb)));
1144 return WERR_DS_DRA_INTERNAL_ERROR;
1147 talloc_free(ext_res);
1149 DEBUG(2,("Allocated RID pool for server %s\n",
1150 GUID_string(mem_ctx, &req10->destination_dsa_guid)));
1152 ctr6->extended_ret = DRSUAPI_EXOP_ERR_SUCCESS;
1158 handle a DRSUAPI_EXOP_REPL_SECRET call
1160 static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
1161 TALLOC_CTX *mem_ctx,
1162 struct drsuapi_DsGetNCChangesRequest10 *req10,
1163 struct dom_sid *user_sid,
1164 struct drsuapi_DsGetNCChangesCtr6 *ctr6,
1165 bool has_get_all_changes,
1166 struct ldb_dn **machine_dn)
1168 struct drsuapi_DsReplicaObjectIdentifier *ncRoot = req10->naming_context;
1169 struct ldb_dn *obj_dn = NULL;
1170 struct ldb_dn *ntds_dn = NULL, *server_dn = NULL;
1171 struct ldb_dn *rodc_dn, *krbtgt_link_dn;
1173 const char *rodc_attrs[] = { "msDS-KrbTgtLink", "msDS-NeverRevealGroup", "msDS-RevealOnDemandGroup", "objectGUID", NULL };
1174 const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL };
1175 struct ldb_result *rodc_res = NULL, *obj_res = NULL;
1176 const struct dom_sid **never_reveal_sids, **reveal_sids, **token_sids;
1177 const struct dom_sid *object_sid = NULL;
1179 const struct dom_sid *additional_sids[] = { NULL, NULL };
1181 DEBUG(3,(__location__ ": DRSUAPI_EXOP_REPL_SECRET extended op on %s\n",
1182 drs_ObjectIdentifier_to_string(mem_ctx, ncRoot)));
1185 * we need to work out if we will allow this DC to
1186 * replicate the secrets for this object
1188 * see 4.1.10.5.14 GetRevealSecretsPolicyForUser for details
1192 if (b_state->sam_ctx_system == NULL) {
1193 /* this operation needs system level access */
1194 ctr6->extended_ret = DRSUAPI_EXOP_ERR_ACCESS_DENIED;
1195 return WERR_DS_DRA_ACCESS_DENIED;
1199 * Before we accept or deny, fetch the machine DN for the destination
1202 * If we are the RODC, we will check that this matches the SID.
1204 ret = dsdb_find_dn_by_guid(b_state->sam_ctx_system, mem_ctx,
1205 &req10->destination_dsa_guid, 0,
1207 if (ret != LDB_SUCCESS) {
1211 server_dn = ldb_dn_get_parent(mem_ctx, ntds_dn);
1212 if (server_dn == NULL) {
1216 ret = samdb_reference_dn(b_state->sam_ctx_system, mem_ctx, server_dn,
1217 "serverReference", machine_dn);
1219 if (ret != LDB_SUCCESS) {
1224 * In MS-DRSR.pdf 5.99 IsGetNCChangesPermissionGranted
1226 * The pseudo code indicate
1227 * revealsecrets = true
1228 * if IsRevealSecretRequest(msgIn) then
1229 * if AccessCheckCAR(ncRoot, Ds-Replication-Get-Changes-All) = false
1231 * if (msgIn.ulExtendedOp = EXOP_REPL_SECRETS) then
1232 * <... check if this account is ok to be replicated on this DC ...>
1233 * <... and if not reveal secrets = no ...>
1235 * reveal secrets = false
1240 * Which basically means that if you have GET_ALL_CHANGES rights (~== RWDC)
1241 * then you can do EXOP_REPL_SECRETS
1243 obj_dn = drs_ObjectIdentifier_to_dn(mem_ctx, b_state->sam_ctx_system, ncRoot);
1244 if (!ldb_dn_validate(obj_dn)) goto failed;
1246 if (has_get_all_changes) {
1250 rodc_dn = ldb_dn_new_fmt(mem_ctx, b_state->sam_ctx_system, "<SID=%s>",
1251 dom_sid_string(mem_ctx, user_sid));
1252 if (!ldb_dn_validate(rodc_dn)) goto failed;
1254 /* do the two searches we need */
1255 ret = dsdb_search_dn(b_state->sam_ctx_system, mem_ctx, &rodc_res, rodc_dn, rodc_attrs,
1256 DSDB_SEARCH_SHOW_EXTENDED_DN);
1257 if (ret != LDB_SUCCESS || rodc_res->count != 1) goto failed;
1259 ret = dsdb_search_dn(b_state->sam_ctx_system, mem_ctx, &obj_res, obj_dn, obj_attrs, 0);
1260 if (ret != LDB_SUCCESS || obj_res->count != 1) goto failed;
1262 /* if the object SID is equal to the user_sid, allow */
1263 object_sid = samdb_result_dom_sid(mem_ctx, obj_res->msgs[0], "objectSid");
1264 if (dom_sid_equal(user_sid, object_sid)) {
1268 additional_sids[0] = object_sid;
1271 * Must be an RODC account at this point, verify machine DN matches the
1274 if (ldb_dn_compare(rodc_res->msgs[0]->dn, *machine_dn) != 0) {
1278 /* an RODC is allowed to get its own krbtgt account secrets */
1279 krbtgt_link_dn = samdb_result_dn(b_state->sam_ctx_system, mem_ctx,
1280 rodc_res->msgs[0], "msDS-KrbTgtLink", NULL);
1281 if (krbtgt_link_dn != NULL &&
1282 ldb_dn_compare(obj_dn, krbtgt_link_dn) == 0) {
1286 /* but it isn't allowed to get anyone elses krbtgt secrets */
1287 if (samdb_result_dn(b_state->sam_ctx_system, mem_ctx,
1288 obj_res->msgs[0], "msDS-KrbTgtLinkBL", NULL)) {
1292 if (ldb_msg_find_attr_as_uint(obj_res->msgs[0],
1293 "userAccountControl", 0) &
1294 UF_INTERDOMAIN_TRUST_ACCOUNT) {
1298 werr = samdb_result_sid_array_dn(b_state->sam_ctx_system, rodc_res->msgs[0],
1299 mem_ctx, "msDS-NeverRevealGroup", &never_reveal_sids);
1300 if (!W_ERROR_IS_OK(werr)) {
1304 werr = samdb_result_sid_array_dn(b_state->sam_ctx_system, rodc_res->msgs[0],
1305 mem_ctx, "msDS-RevealOnDemandGroup", &reveal_sids);
1306 if (!W_ERROR_IS_OK(werr)) {
1311 * The SID list needs to include itself as well as the tokenGroups.
1313 * TODO determine if sIDHistory is required for this check
1315 werr = samdb_result_sid_array_ndr(b_state->sam_ctx_system, obj_res->msgs[0],
1316 mem_ctx, "tokenGroups", &token_sids,
1317 additional_sids, 1);
1318 if (!W_ERROR_IS_OK(werr) || token_sids==NULL) {
1322 if (never_reveal_sids &&
1323 sid_list_match(token_sids, never_reveal_sids)) {
1328 sid_list_match(token_sids, reveal_sids)) {
1334 DEBUG(2,(__location__ ": Denied single object with secret replication for %s by RODC %s\n",
1335 ldb_dn_get_linearized(obj_dn), ldb_dn_get_linearized(rodc_res->msgs[0]->dn)));
1336 ctr6->extended_ret = DRSUAPI_EXOP_ERR_NONE;
1337 return WERR_DS_DRA_SECRETS_DENIED;
1340 DEBUG(2,(__location__ ": Allowed single object with secret replication for %s by %s %s\n",
1341 ldb_dn_get_linearized(obj_dn), has_get_all_changes?"RWDC":"RODC",
1342 ldb_dn_get_linearized(*machine_dn)));
1343 ctr6->extended_ret = DRSUAPI_EXOP_ERR_SUCCESS;
1344 req10->highwatermark.highest_usn = 0;
1348 DEBUG(2,(__location__ ": Failed single secret replication for %s by RODC %s\n",
1349 ldb_dn_get_linearized(obj_dn), dom_sid_string(mem_ctx, user_sid)));
1350 ctr6->extended_ret = DRSUAPI_EXOP_ERR_NONE;
1351 return WERR_DS_DRA_BAD_DN;
1355 handle a DRSUAPI_EXOP_REPL_OBJ call
1357 static WERROR getncchanges_repl_obj(struct drsuapi_bind_state *b_state,
1358 TALLOC_CTX *mem_ctx,
1359 struct drsuapi_DsGetNCChangesRequest10 *req10,
1360 struct dom_sid *user_sid,
1361 struct drsuapi_DsGetNCChangesCtr6 *ctr6)
1363 struct drsuapi_DsReplicaObjectIdentifier *ncRoot = req10->naming_context;
1365 DEBUG(3,(__location__ ": DRSUAPI_EXOP_REPL_OBJ extended op on %s\n",
1366 drs_ObjectIdentifier_to_string(mem_ctx, ncRoot)));
1368 ctr6->extended_ret = DRSUAPI_EXOP_ERR_SUCCESS;
1374 handle DRSUAPI_EXOP_FSMO_REQ_ROLE,
1375 DRSUAPI_EXOP_FSMO_RID_REQ_ROLE,
1376 and DRSUAPI_EXOP_FSMO_REQ_PDC calls
1378 static WERROR getncchanges_change_master(struct drsuapi_bind_state *b_state,
1379 TALLOC_CTX *mem_ctx,
1380 struct drsuapi_DsGetNCChangesRequest10 *req10,
1381 struct drsuapi_DsGetNCChangesCtr6 *ctr6)
1383 struct ldb_dn *req_dn, *ntds_dn;
1386 struct ldb_context *ldb = b_state->sam_ctx;
1387 struct ldb_message *msg;
1392 - verify that the client dn exists
1393 - verify that we are the current master
1396 req_dn = drs_ObjectIdentifier_to_dn(mem_ctx, ldb, req10->naming_context);
1397 if (!ldb_dn_validate(req_dn)) {
1398 /* that is not a valid dn */
1399 DEBUG(0,(__location__ ": FSMO role transfer request for invalid DN %s\n",
1400 drs_ObjectIdentifier_to_string(mem_ctx, req10->naming_context)));
1401 ctr6->extended_ret = DRSUAPI_EXOP_ERR_MISMATCH;
1405 /* find the DN of the current role owner */
1406 ret = samdb_reference_dn_is_our_ntdsa(ldb, req_dn, "fSMORoleOwner", &is_us);
1407 if (ret != LDB_SUCCESS) {
1408 DEBUG(0,("Failed to find fSMORoleOwner in RID Manager object\n"));
1409 ctr6->extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER;
1410 return WERR_DS_DRA_INTERNAL_ERROR;
1414 /* we're not the RID Manager or role owner - go away */
1415 DEBUG(0,(__location__ ": FSMO role or RID manager transfer owner request when not role owner\n"));
1416 ctr6->extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER;
1420 /* change the current master */
1421 msg = ldb_msg_new(ldb);
1422 W_ERROR_HAVE_NO_MEMORY(msg);
1423 msg->dn = drs_ObjectIdentifier_to_dn(msg, ldb, req10->naming_context);
1424 W_ERROR_HAVE_NO_MEMORY(msg->dn);
1426 /* TODO: make sure ntds_dn is a valid nTDSDSA object */
1427 ret = dsdb_find_dn_by_guid(ldb, msg, &req10->destination_dsa_guid, 0, &ntds_dn);
1428 if (ret != LDB_SUCCESS) {
1429 DEBUG(0, (__location__ ": Unable to find NTDS object for guid %s - %s\n",
1430 GUID_string(mem_ctx, &req10->destination_dsa_guid), ldb_errstring(ldb)));
1432 ctr6->extended_ret = DRSUAPI_EXOP_ERR_UNKNOWN_CALLER;
1436 ret = ldb_msg_add_string(msg, "fSMORoleOwner", ldb_dn_get_linearized(ntds_dn));
1439 return WERR_DS_DRA_INTERNAL_ERROR;
1442 for (i=0;i<msg->num_elements;i++) {
1443 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
1446 ret = ldb_transaction_start(ldb);
1447 if (ret != LDB_SUCCESS) {
1448 DEBUG(0,(__location__ ": Failed transaction start - %s\n",
1449 ldb_errstring(ldb)));
1450 return WERR_DS_DRA_INTERNAL_ERROR;
1453 ret = ldb_modify(ldb, msg);
1454 if (ret != LDB_SUCCESS) {
1455 DEBUG(0,(__location__ ": Failed to change current owner - %s\n",
1456 ldb_errstring(ldb)));
1457 ldb_transaction_cancel(ldb);
1458 return WERR_DS_DRA_INTERNAL_ERROR;
1461 ret = ldb_transaction_commit(ldb);
1462 if (ret != LDB_SUCCESS) {
1463 DEBUG(0,(__location__ ": Failed transaction commit - %s\n",
1464 ldb_errstring(ldb)));
1465 return WERR_DS_DRA_INTERNAL_ERROR;
1468 ctr6->extended_ret = DRSUAPI_EXOP_ERR_SUCCESS;
1474 see if this getncchanges request includes a request to reveal secret information
1476 static WERROR dcesrv_drsuapi_is_reveal_secrets_request(struct drsuapi_bind_state *b_state,
1477 struct drsuapi_DsGetNCChangesRequest10 *req10,
1478 struct dsdb_schema_prefixmap *pfm_remote,
1479 bool *is_secret_request)
1481 enum drsuapi_DsExtendedOperation exop;
1483 struct dsdb_schema *schema;
1484 struct dsdb_syntax_ctx syntax_ctx;
1486 *is_secret_request = true;
1488 exop = req10->extended_op;
1491 case DRSUAPI_EXOP_FSMO_REQ_ROLE:
1492 case DRSUAPI_EXOP_FSMO_RID_ALLOC:
1493 case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE:
1494 case DRSUAPI_EXOP_FSMO_REQ_PDC:
1495 case DRSUAPI_EXOP_FSMO_ABANDON_ROLE:
1496 /* FSMO exops can reveal secrets */
1497 *is_secret_request = true;
1499 case DRSUAPI_EXOP_REPL_SECRET:
1500 case DRSUAPI_EXOP_REPL_OBJ:
1501 case DRSUAPI_EXOP_NONE:
1505 if (req10->replica_flags & DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING) {
1506 *is_secret_request = false;
1510 if (exop == DRSUAPI_EXOP_REPL_SECRET ||
1511 req10->partial_attribute_set == NULL) {
1512 /* they want secrets */
1513 *is_secret_request = true;
1517 schema = dsdb_get_schema(b_state->sam_ctx, NULL);
1518 dsdb_syntax_ctx_init(&syntax_ctx, b_state->sam_ctx, schema);
1519 syntax_ctx.pfm_remote = pfm_remote;
1521 /* check the attributes they asked for */
1522 for (i=0; i<req10->partial_attribute_set->num_attids; i++) {
1523 const struct dsdb_attribute *sa;
1524 WERROR werr = getncchanges_attid_remote_to_local(schema,
1526 req10->partial_attribute_set->attids[i],
1530 if (!W_ERROR_IS_OK(werr)) {
1531 DEBUG(0,(__location__": attid 0x%08X not found: %s\n",
1532 req10->partial_attribute_set->attids[i], win_errstr(werr)));
1536 if (!dsdb_attr_in_rodc_fas(sa)) {
1537 *is_secret_request = true;
1542 if (req10->partial_attribute_set_ex) {
1543 /* check the extended attributes they asked for */
1544 for (i=0; i<req10->partial_attribute_set_ex->num_attids; i++) {
1545 const struct dsdb_attribute *sa;
1546 WERROR werr = getncchanges_attid_remote_to_local(schema,
1548 req10->partial_attribute_set_ex->attids[i],
1552 if (!W_ERROR_IS_OK(werr)) {
1553 DEBUG(0,(__location__": attid 0x%08X not found: %s\n",
1554 req10->partial_attribute_set_ex->attids[i], win_errstr(werr)));
1558 if (!dsdb_attr_in_rodc_fas(sa)) {
1559 *is_secret_request = true;
1565 *is_secret_request = false;
1570 see if this getncchanges request is only for attributes in the GC
1571 partial attribute set
1573 static WERROR dcesrv_drsuapi_is_gc_pas_request(struct drsuapi_bind_state *b_state,
1574 struct drsuapi_DsGetNCChangesRequest10 *req10,
1575 struct dsdb_schema_prefixmap *pfm_remote,
1576 bool *is_gc_pas_request)
1578 enum drsuapi_DsExtendedOperation exop;
1580 struct dsdb_schema *schema;
1581 struct dsdb_syntax_ctx syntax_ctx;
1583 exop = req10->extended_op;
1586 case DRSUAPI_EXOP_FSMO_REQ_ROLE:
1587 case DRSUAPI_EXOP_FSMO_RID_ALLOC:
1588 case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE:
1589 case DRSUAPI_EXOP_FSMO_REQ_PDC:
1590 case DRSUAPI_EXOP_FSMO_ABANDON_ROLE:
1591 case DRSUAPI_EXOP_REPL_SECRET:
1592 *is_gc_pas_request = false;
1594 case DRSUAPI_EXOP_REPL_OBJ:
1595 case DRSUAPI_EXOP_NONE:
1599 if (req10->partial_attribute_set == NULL) {
1600 /* they want it all */
1601 *is_gc_pas_request = false;
1605 schema = dsdb_get_schema(b_state->sam_ctx, NULL);
1606 dsdb_syntax_ctx_init(&syntax_ctx, b_state->sam_ctx, schema);
1607 syntax_ctx.pfm_remote = pfm_remote;
1609 /* check the attributes they asked for */
1610 for (i=0; i<req10->partial_attribute_set->num_attids; i++) {
1611 const struct dsdb_attribute *sa;
1612 WERROR werr = getncchanges_attid_remote_to_local(schema,
1614 req10->partial_attribute_set->attids[i],
1618 if (!W_ERROR_IS_OK(werr)) {
1619 DEBUG(0,(__location__": attid 0x%08X not found: %s\n",
1620 req10->partial_attribute_set->attids[i], win_errstr(werr)));
1624 if (!sa->isMemberOfPartialAttributeSet) {
1625 *is_gc_pas_request = false;
1630 if (req10->partial_attribute_set_ex) {
1631 /* check the extended attributes they asked for */
1632 for (i=0; i<req10->partial_attribute_set_ex->num_attids; i++) {
1633 const struct dsdb_attribute *sa;
1634 WERROR werr = getncchanges_attid_remote_to_local(schema,
1636 req10->partial_attribute_set_ex->attids[i],
1640 if (!W_ERROR_IS_OK(werr)) {
1641 DEBUG(0,(__location__": attid 0x%08X not found: %s\n",
1642 req10->partial_attribute_set_ex->attids[i], win_errstr(werr)));
1646 if (!sa->isMemberOfPartialAttributeSet) {
1647 *is_gc_pas_request = false;
1653 *is_gc_pas_request = true;
1659 map from req8 to req10
1661 static struct drsuapi_DsGetNCChangesRequest10 *
1662 getncchanges_map_req8(TALLOC_CTX *mem_ctx,
1663 struct drsuapi_DsGetNCChangesRequest8 *req8)
1665 struct drsuapi_DsGetNCChangesRequest10 *req10 = talloc_zero(mem_ctx,
1666 struct drsuapi_DsGetNCChangesRequest10);
1667 if (req10 == NULL) {
1671 req10->destination_dsa_guid = req8->destination_dsa_guid;
1672 req10->source_dsa_invocation_id = req8->source_dsa_invocation_id;
1673 req10->naming_context = req8->naming_context;
1674 req10->highwatermark = req8->highwatermark;
1675 req10->uptodateness_vector = req8->uptodateness_vector;
1676 req10->replica_flags = req8->replica_flags;
1677 req10->max_object_count = req8->max_object_count;
1678 req10->max_ndr_size = req8->max_ndr_size;
1679 req10->extended_op = req8->extended_op;
1680 req10->fsmo_info = req8->fsmo_info;
1681 req10->partial_attribute_set = req8->partial_attribute_set;
1682 req10->partial_attribute_set_ex = req8->partial_attribute_set_ex;
1683 req10->mapping_ctr = req8->mapping_ctr;
1688 static const char *collect_objects_attrs[] = { "uSNChanged",
1693 * Collects object for normal replication cycle.
1695 static WERROR getncchanges_collect_objects(struct drsuapi_bind_state *b_state,
1696 TALLOC_CTX *mem_ctx,
1697 struct drsuapi_DsGetNCChangesRequest10 *req10,
1698 struct ldb_dn *search_dn,
1699 const char *extra_filter,
1700 struct ldb_result **search_res)
1703 char* search_filter;
1704 enum ldb_scope scope = LDB_SCOPE_SUBTREE;
1705 struct drsuapi_getncchanges_state *getnc_state = b_state->getncchanges_state;
1706 bool critical_only = false;
1708 if (req10->replica_flags & DRSUAPI_DRS_CRITICAL_ONLY) {
1709 critical_only = true;
1712 if (req10->extended_op == DRSUAPI_EXOP_REPL_OBJ ||
1713 req10->extended_op == DRSUAPI_EXOP_REPL_SECRET) {
1714 scope = LDB_SCOPE_BASE;
1715 critical_only = false;
1718 /* Construct response. */
1719 search_filter = talloc_asprintf(mem_ctx,
1720 "(uSNChanged>=%llu)",
1721 (unsigned long long)(getnc_state->min_usn+1));
1724 search_filter = talloc_asprintf(mem_ctx, "(&%s(%s))", search_filter, extra_filter);
1727 if (critical_only) {
1728 search_filter = talloc_asprintf(mem_ctx,
1729 "(&%s(isCriticalSystemObject=TRUE))",
1733 if (req10->replica_flags & DRSUAPI_DRS_ASYNC_REP) {
1734 scope = LDB_SCOPE_BASE;
1738 search_dn = getnc_state->ncRoot_dn;
1741 DEBUG(2,(__location__ ": getncchanges on %s using filter %s\n",
1742 ldb_dn_get_linearized(getnc_state->ncRoot_dn), search_filter));
1743 ret = drsuapi_search_with_extended_dn(b_state->sam_ctx, getnc_state, search_res,
1745 collect_objects_attrs,
1747 if (ret != LDB_SUCCESS) {
1748 return WERR_DS_DRA_INTERNAL_ERROR;
1755 * Collects object for normal replication cycle.
1757 static WERROR getncchanges_collect_objects_exop(struct drsuapi_bind_state *b_state,
1758 TALLOC_CTX *mem_ctx,
1759 struct drsuapi_DsGetNCChangesRequest10 *req10,
1760 struct drsuapi_DsGetNCChangesCtr6 *ctr6,
1761 struct ldb_dn *search_dn,
1762 const char *extra_filter,
1763 struct ldb_result **search_res)
1765 /* we have nothing to do in case of ex-op failure */
1766 if (ctr6->extended_ret != DRSUAPI_EXOP_ERR_SUCCESS) {
1770 switch (req10->extended_op) {
1771 case DRSUAPI_EXOP_FSMO_RID_ALLOC:
1774 struct ldb_dn *ntds_dn = NULL;
1775 struct ldb_dn *server_dn = NULL;
1776 struct ldb_dn *machine_dn = NULL;
1777 struct ldb_dn *rid_set_dn = NULL;
1778 struct ldb_result *search_res2 = NULL;
1779 struct ldb_result *search_res3 = NULL;
1780 TALLOC_CTX *frame = talloc_stackframe();
1781 /* get RID manager, RID set and server DN (in that order) */
1783 /* This first search will get the RID Manager */
1784 ret = drsuapi_search_with_extended_dn(b_state->sam_ctx, frame,
1786 search_dn, LDB_SCOPE_BASE,
1787 collect_objects_attrs,
1789 if (ret != LDB_SUCCESS) {
1790 DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to get RID Manager object %s - %s",
1791 ldb_dn_get_linearized(search_dn),
1792 ldb_errstring(b_state->sam_ctx)));
1794 return WERR_DS_DRA_INTERNAL_ERROR;
1797 if ((*search_res)->count != 1) {
1798 DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to get RID Manager object %s - %u objects returned",
1799 ldb_dn_get_linearized(search_dn),
1800 (*search_res)->count));
1802 return WERR_DS_DRA_INTERNAL_ERROR;
1805 /* Now extend it to the RID set */
1807 /* Find the computer account DN for the destination
1808 * dsa GUID specified */
1810 ret = dsdb_find_dn_by_guid(b_state->sam_ctx, frame,
1811 &req10->destination_dsa_guid, 0,
1813 if (ret != LDB_SUCCESS) {
1814 DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Unable to find NTDS object for guid %s - %s\n",
1816 &req10->destination_dsa_guid),
1817 ldb_errstring(b_state->sam_ctx)));
1819 return WERR_DS_DRA_INTERNAL_ERROR;
1822 server_dn = ldb_dn_get_parent(frame, ntds_dn);
1825 return WERR_DS_DRA_INTERNAL_ERROR;
1828 ret = samdb_reference_dn(b_state->sam_ctx, frame, server_dn,
1829 "serverReference", &machine_dn);
1830 if (ret != LDB_SUCCESS) {
1831 DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to find serverReference in %s - %s",
1832 ldb_dn_get_linearized(server_dn),
1833 ldb_errstring(b_state->sam_ctx)));
1835 return WERR_DS_DRA_INTERNAL_ERROR;
1838 ret = samdb_reference_dn(b_state->sam_ctx, frame, machine_dn,
1839 "rIDSetReferences", &rid_set_dn);
1840 if (ret != LDB_SUCCESS) {
1841 DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to find rIDSetReferences in %s - %s",
1842 ldb_dn_get_linearized(server_dn),
1843 ldb_errstring(b_state->sam_ctx)));
1845 return WERR_DS_DRA_INTERNAL_ERROR;
1849 /* This first search will get the RID Manager, now get the RID set */
1850 ret = drsuapi_search_with_extended_dn(b_state->sam_ctx, frame,
1852 rid_set_dn, LDB_SCOPE_BASE,
1853 collect_objects_attrs,
1855 if (ret != LDB_SUCCESS) {
1856 DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to get RID Set object %s - %s",
1857 ldb_dn_get_linearized(rid_set_dn),
1858 ldb_errstring(b_state->sam_ctx)));
1860 return WERR_DS_DRA_INTERNAL_ERROR;
1863 if (search_res2->count != 1) {
1864 DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to get RID Set object %s - %u objects returned",
1865 ldb_dn_get_linearized(rid_set_dn),
1866 search_res2->count));
1868 return WERR_DS_DRA_INTERNAL_ERROR;
1871 /* Finally get the server DN */
1872 ret = drsuapi_search_with_extended_dn(b_state->sam_ctx, frame,
1874 machine_dn, LDB_SCOPE_BASE,
1875 collect_objects_attrs,
1877 if (ret != LDB_SUCCESS) {
1878 DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to get server object %s - %s",
1879 ldb_dn_get_linearized(server_dn),
1880 ldb_errstring(b_state->sam_ctx)));
1882 return WERR_DS_DRA_INTERNAL_ERROR;
1885 if (search_res3->count != 1) {
1886 DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to get server object %s - %u objects returned",
1887 ldb_dn_get_linearized(server_dn),
1888 search_res3->count));
1890 return WERR_DS_DRA_INTERNAL_ERROR;
1893 /* Now extend the original search_res with these answers */
1894 (*search_res)->count = 3;
1896 (*search_res)->msgs = talloc_realloc(frame, (*search_res)->msgs,
1897 struct ldb_message *,
1898 (*search_res)->count);
1899 if ((*search_res)->msgs == NULL) {
1901 return WERR_NOT_ENOUGH_MEMORY;
1905 talloc_steal(mem_ctx, *search_res);
1906 (*search_res)->msgs[1] =
1907 talloc_steal((*search_res)->msgs, search_res2->msgs[0]);
1908 (*search_res)->msgs[2] =
1909 talloc_steal((*search_res)->msgs, search_res3->msgs[0]);
1915 /* TODO: implement extended op specific collection
1916 * of objects. Right now we just normal procedure
1917 * for collecting objects */
1918 return getncchanges_collect_objects(b_state, mem_ctx, req10, search_dn, extra_filter, search_res);
1922 static void dcesrv_drsuapi_update_highwatermark(const struct ldb_message *msg,
1924 struct drsuapi_DsReplicaHighWaterMark *hwm)
1926 uint64_t uSN = ldb_msg_find_attr_as_uint64(msg, "uSNChanged", 0);
1928 if (uSN > max_usn) {
1930 * Only report the max_usn we had at the start
1931 * of the replication cycle.
1933 * If this object has changed lately we better
1934 * let the destination dsa refetch the change.
1935 * This is better than the risk of loosing some
1936 * objects or linked attributes.
1941 if (uSN <= hwm->tmp_highest_usn) {
1945 hwm->tmp_highest_usn = uSN;
1946 hwm->reserved_usn = 0;
1950 * Adds an object's GUID to the cache of objects already sent.
1951 * This avoids us sending the same object multiple times when
1952 * the GetNCChanges request uses a flag like GET_ANC.
1954 static WERROR dcesrv_drsuapi_obj_cache_add(struct db_context *obj_cache,
1955 const struct GUID *guid)
1957 enum ndr_err_code ndr_err;
1958 uint8_t guid_buf[DRS_GUID_SIZE] = { 0, };
1961 .length = sizeof(guid_buf),
1973 ndr_err = ndr_push_struct_into_fixed_blob(&b, guid,
1974 (ndr_push_flags_fn_t)ndr_push_GUID);
1975 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1976 return WERR_DS_DRA_INTERNAL_ERROR;
1979 status = dbwrap_store(obj_cache, key, val, TDB_REPLACE);
1980 if (!NT_STATUS_IS_OK(status)) {
1981 return WERR_DS_DRA_INTERNAL_ERROR;
1988 * Checks if the object with the GUID specified already exists in the
1989 * object cache, i.e. it's already been sent in a GetNCChanges response.
1991 static WERROR dcesrv_drsuapi_obj_cache_exists(struct db_context *obj_cache,
1992 const struct GUID *guid)
1994 enum ndr_err_code ndr_err;
1995 uint8_t guid_buf[DRS_GUID_SIZE] = { 0, };
1998 .length = sizeof(guid_buf),
2006 ndr_err = ndr_push_struct_into_fixed_blob(&b, guid,
2007 (ndr_push_flags_fn_t)ndr_push_GUID);
2008 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2009 return WERR_DS_DRA_INTERNAL_ERROR;
2012 exists = dbwrap_exists(obj_cache, key);
2014 return WERR_OBJECT_NOT_FOUND;
2017 return WERR_OBJECT_NAME_EXISTS;
2021 * Copies the la_list specified into a sorted array, ready to be sent in a
2022 * GetNCChanges response.
2024 static WERROR getncchanges_get_sorted_array(const struct drsuapi_DsReplicaLinkedAttribute *la_list,
2025 const uint32_t link_count,
2026 struct ldb_context *sam_ctx,
2027 TALLOC_CTX *mem_ctx,
2028 const struct dsdb_schema *schema,
2029 struct la_for_sorting **ret_array)
2032 struct la_for_sorting *guid_array;
2033 WERROR werr = WERR_OK;
2036 guid_array = talloc_array(mem_ctx, struct la_for_sorting, link_count);
2037 if (guid_array == NULL) {
2038 DEBUG(0, ("Out of memory allocating %u linked attributes for sorting", link_count));
2039 return WERR_NOT_ENOUGH_MEMORY;
2042 for (j = 0; j < link_count; j++) {
2044 /* we need to get the target GUIDs to compare */
2046 const struct drsuapi_DsReplicaLinkedAttribute *la = &la_list[j];
2047 const struct dsdb_attribute *schema_attrib;
2048 const struct ldb_val *target_guid;
2049 DATA_BLOB source_guid;
2050 TALLOC_CTX *frame = talloc_stackframe();
2053 schema_attrib = dsdb_attribute_by_attributeID_id(schema, la->attid);
2055 werr = dsdb_dn_la_from_blob(sam_ctx, schema_attrib, schema, frame, la->value.blob, &dn);
2056 if (!W_ERROR_IS_OK(werr)) {
2057 DEBUG(0,(__location__ ": Bad la blob in sort\n"));
2062 /* Extract the target GUID in NDR form */
2063 target_guid = ldb_dn_get_extended_component(dn->dn, "GUID");
2064 if (target_guid == NULL
2065 || target_guid->length != sizeof(guid_array[0].target_guid)) {
2066 status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
2068 /* Repack the source GUID as NDR for sorting */
2069 status = GUID_to_ndr_blob(&la->identifier->guid,
2074 if (!NT_STATUS_IS_OK(status)
2075 || source_guid.length != sizeof(guid_array[0].source_guid)) {
2076 DEBUG(0,(__location__ ": Bad la guid in sort\n"));
2078 return ntstatus_to_werror(status);
2081 guid_array[j].link = &la_list[j];
2082 memcpy(guid_array[j].target_guid, target_guid->data,
2083 sizeof(guid_array[j].target_guid));
2084 memcpy(guid_array[j].source_guid, source_guid.data,
2085 sizeof(guid_array[j].source_guid));
2089 LDB_TYPESAFE_QSORT(guid_array, link_count, NULL, linked_attribute_compare);
2091 *ret_array = guid_array;
2098 * Adds any ancestor/parent objects of the child_obj specified.
2099 * This is needed when the GET_ANC flag is specified in the request.
2100 * @param new_objs if parents are added, this gets updated to point to a chain
2101 * of parent objects (with the parents first and the child last)
2103 static WERROR getncchanges_add_ancestors(struct drsuapi_DsReplicaObjectListItemEx *child_obj,
2104 struct ldb_dn *child_dn,
2105 TALLOC_CTX *mem_ctx,
2106 struct ldb_context *sam_ctx,
2107 struct drsuapi_getncchanges_state *getnc_state,
2108 struct dsdb_schema *schema,
2109 DATA_BLOB *session_key,
2110 struct drsuapi_DsGetNCChangesRequest10 *req10,
2111 uint32_t *local_pas,
2112 struct ldb_dn *machine_dn,
2113 struct drsuapi_DsReplicaObjectListItemEx **new_objs)
2116 const struct GUID *next_anc_guid = NULL;
2117 WERROR werr = WERR_OK;
2118 static const char * const msg_attrs[] = {
2120 "nTSecurityDescriptor",
2122 "replPropertyMetaData",
2123 DSDB_SECRET_ATTRIBUTES,
2126 next_anc_guid = child_obj->parent_object_guid;
2128 while (next_anc_guid != NULL) {
2129 struct drsuapi_DsReplicaObjectListItemEx *anc_obj = NULL;
2130 struct ldb_message *anc_msg = NULL;
2131 struct ldb_result *anc_res = NULL;
2132 struct ldb_dn *anc_dn = NULL;
2135 * Don't send an object twice. (If we've sent the object, then
2136 * we've also sent all its parents as well)
2138 werr = dcesrv_drsuapi_obj_cache_exists(getnc_state->obj_cache,
2140 if (W_ERROR_EQUAL(werr, WERR_OBJECT_NAME_EXISTS)) {
2143 if (W_ERROR_IS_OK(werr)) {
2144 return WERR_INTERNAL_ERROR;
2146 if (!W_ERROR_EQUAL(werr, WERR_OBJECT_NOT_FOUND)) {
2150 anc_obj = talloc_zero(mem_ctx,
2151 struct drsuapi_DsReplicaObjectListItemEx);
2152 if (anc_obj == NULL) {
2153 return WERR_NOT_ENOUGH_MEMORY;
2156 anc_dn = ldb_dn_new_fmt(anc_obj, sam_ctx, "<GUID=%s>",
2157 GUID_string(anc_obj, next_anc_guid));
2158 if (anc_dn == NULL) {
2159 return WERR_NOT_ENOUGH_MEMORY;
2162 ret = drsuapi_search_with_extended_dn(sam_ctx, anc_obj,
2166 if (ret != LDB_SUCCESS) {
2167 const char *anc_str = NULL;
2168 const char *obj_str = NULL;
2170 anc_str = ldb_dn_get_extended_linearized(anc_obj,
2173 obj_str = ldb_dn_get_extended_linearized(anc_obj,
2177 DBG_ERR("getncchanges: failed to fetch ANC "
2178 "DN %s for DN %s - %s\n",
2179 anc_str, obj_str, ldb_errstring(sam_ctx));
2180 return WERR_DS_DRA_INCONSISTENT_DIT;
2183 anc_msg = anc_res->msgs[0];
2185 werr = get_nc_changes_build_object(anc_obj, anc_msg,
2188 schema, session_key,
2190 false, /* force_object_return */
2194 if (!W_ERROR_IS_OK(werr)) {
2199 * Regardless of whether we actually use it or not,
2200 * we add it to the cache so we don't look at it again
2202 werr = dcesrv_drsuapi_obj_cache_add(getnc_state->obj_cache,
2204 if (!W_ERROR_IS_OK(werr)) {
2209 * Any ancestors which are below the highwatermark
2210 * or uptodateness_vector shouldn't be added,
2211 * but we still look further up the
2212 * tree for ones which have been changed recently.
2214 if (anc_obj->meta_data_ctr != NULL) {
2217 * prepend the parent to the list so that the client-side
2218 * adds the parent object before it adds the children
2220 anc_obj->next_object = *new_objs;
2221 *new_objs = anc_obj;
2225 TALLOC_FREE(anc_res);
2226 TALLOC_FREE(anc_dn);
2229 * We may need to resolve more parents...
2231 next_anc_guid = anc_obj->parent_object_guid;
2237 * Adds a list of new objects into the current chunk of replication data to send
2239 static void getncchanges_chunk_add_objects(struct getncchanges_repl_chunk *repl_chunk,
2240 struct drsuapi_DsReplicaObjectListItemEx *obj_list)
2242 struct drsuapi_DsReplicaObjectListItemEx *obj;
2245 * We track the last object added to the replication chunk, so just add
2246 * the new object-list onto the end
2248 if (repl_chunk->object_list == NULL) {
2249 repl_chunk->object_list = obj_list;
2251 repl_chunk->last_object->next_object = obj_list;
2254 for (obj = obj_list; obj != NULL; obj = obj->next_object) {
2255 repl_chunk->object_count += 1;
2258 * Remember the last object in the response - we'll use this to
2259 * link the next object(s) processed onto the existing list
2261 if (obj->next_object == NULL) {
2262 repl_chunk->last_object = obj;
2268 * Gets the object to send, packed into an RPC struct ready to send. This also
2269 * adds the object to the object cache, and adds any ancestors (if needed).
2270 * @param msg - DB search result for the object to add
2271 * @param guid - GUID of the object to add
2272 * @param ret_obj_list - returns the object ready to be sent (in a list, along
2273 * with any ancestors that might be needed). NULL if nothing to send.
2275 static WERROR getncchanges_get_obj_to_send(const struct ldb_message *msg,
2276 TALLOC_CTX *mem_ctx,
2277 struct ldb_context *sam_ctx,
2278 struct drsuapi_getncchanges_state *getnc_state,
2279 struct dsdb_schema *schema,
2280 DATA_BLOB *session_key,
2281 struct drsuapi_DsGetNCChangesRequest10 *req10,
2282 bool force_object_return,
2283 uint32_t *local_pas,
2284 struct ldb_dn *machine_dn,
2285 const struct GUID *guid,
2286 struct drsuapi_DsReplicaObjectListItemEx **ret_obj_list)
2288 struct drsuapi_DsReplicaObjectListItemEx *obj;
2291 *ret_obj_list = NULL;
2293 obj = talloc_zero(mem_ctx, struct drsuapi_DsReplicaObjectListItemEx);
2294 W_ERROR_HAVE_NO_MEMORY(obj);
2296 werr = get_nc_changes_build_object(obj, msg, sam_ctx, getnc_state,
2297 schema, session_key, req10,
2298 force_object_return,
2299 local_pas, machine_dn, guid);
2300 if (!W_ERROR_IS_OK(werr)) {
2305 * The object may get filtered out by the UTDV's USN and not actually
2306 * sent, in which case there's nothing more to do here
2308 if (obj->meta_data_ctr == NULL) {
2313 if (getnc_state->obj_cache != NULL) {
2314 werr = dcesrv_drsuapi_obj_cache_add(getnc_state->obj_cache,
2316 if (!W_ERROR_IS_OK(werr)) {
2321 *ret_obj_list = obj;
2324 * If required, also add any ancestors that the client may need to know
2325 * about before it can resolve this object. These get prepended to the
2326 * ret_obj_list so the client adds them first.
2328 if (getnc_state->is_get_anc) {
2329 werr = getncchanges_add_ancestors(obj, msg->dn, mem_ctx,
2330 sam_ctx, getnc_state,
2331 schema, session_key,
2333 machine_dn, ret_obj_list);
2340 * Returns the number of links that are waiting to be sent
2342 static uint32_t getncchanges_chunk_links_pending(struct getncchanges_repl_chunk *repl_chunk,
2343 struct drsuapi_getncchanges_state *getnc_state)
2345 uint32_t links_to_send = 0;
2347 if (getnc_state->is_get_tgt) {
2350 * when the GET_TGT flag is set, only include the linked
2351 * attributes whose target object has already been checked
2352 * (i.e. they're ready to send).
2354 if (repl_chunk->tgt_la_count > getnc_state->la_idx) {
2355 links_to_send = (repl_chunk->tgt_la_count -
2356 getnc_state->la_idx);
2359 links_to_send = getnc_state->la_count - getnc_state->la_idx;
2362 return links_to_send;
2366 * Returns the max number of links that will fit in the current replication chunk
2368 static uint32_t getncchanges_chunk_max_links(struct getncchanges_repl_chunk *repl_chunk)
2370 uint32_t max_links = 0;
2372 if (repl_chunk->max_links != DEFAULT_MAX_LINKS ||
2373 repl_chunk->max_objects != DEFAULT_MAX_OBJECTS) {
2376 * We're using non-default settings, so don't try to adjust
2377 * them, just trust the user has configured decent values
2379 max_links = repl_chunk->max_links;
2381 } else if (repl_chunk->max_links > repl_chunk->object_count) {
2384 * This is just an approximate guess to avoid overfilling the
2385 * replication chunk. It's the logic we've used historically.
2386 * E.g. if we've already sent 1000 objects, then send 1000 fewer
2387 * links. For comparison, the max that Windows seems to send is
2388 * ~2700 links and ~250 objects (although this may vary based
2391 max_links = repl_chunk->max_links - repl_chunk->object_count;
2398 * Returns true if the current GetNCChanges() call has taken longer than its
2399 * allotted time. This prevents the client from timing out.
2401 static bool getncchanges_chunk_timed_out(struct getncchanges_repl_chunk *repl_chunk)
2403 return (time(NULL) - repl_chunk->start > repl_chunk->max_wait);
2407 * Returns true if the current chunk of replication data has reached the
2408 * max_objects and/or max_links thresholds.
2410 static bool getncchanges_chunk_is_full(struct getncchanges_repl_chunk *repl_chunk,
2411 struct drsuapi_getncchanges_state *getnc_state)
2413 bool chunk_full = false;
2414 uint32_t links_to_send;
2415 uint32_t chunk_limit;
2417 /* check if the current chunk is already full with objects */
2418 if (repl_chunk->object_count >= repl_chunk->max_objects) {
2421 } else if (repl_chunk->object_count > 0 &&
2422 getncchanges_chunk_timed_out(repl_chunk)) {
2425 * We've exceeded our allotted time building this chunk,
2426 * and we have at least one object to send back to the client
2430 } else if (repl_chunk->immediate_link_sync) {
2432 /* check if the chunk is already full with links */
2433 links_to_send = getncchanges_chunk_links_pending(repl_chunk,
2436 chunk_limit = getncchanges_chunk_max_links(repl_chunk);
2439 * The chunk is full if we've got more links to send than will
2442 if (links_to_send > 0 && chunk_limit <= links_to_send) {
2451 * Goes through any new linked attributes and checks that the target object
2452 * will be known to the client, i.e. we've already sent it in an replication
2453 * chunk. If not, then it adds the target object to the current replication
2454 * chunk. This is only done when the client specifies DRS_GET_TGT.
2456 static WERROR getncchanges_chunk_add_la_targets(struct getncchanges_repl_chunk *repl_chunk,
2457 struct drsuapi_getncchanges_state *getnc_state,
2458 uint32_t start_la_index,
2459 TALLOC_CTX *mem_ctx,
2460 struct ldb_context *sam_ctx,
2461 struct dsdb_schema *schema,
2462 DATA_BLOB *session_key,
2463 struct drsuapi_DsGetNCChangesRequest10 *req10,
2464 uint32_t *local_pas,
2465 struct ldb_dn *machine_dn)
2469 uint32_t max_la_index;
2471 uint32_t target_count = 0;
2472 WERROR werr = WERR_OK;
2473 static const char * const msg_attrs[] = {
2475 "nTSecurityDescriptor",
2477 "replPropertyMetaData",
2478 DSDB_SECRET_ATTRIBUTES,
2482 * A object can potentially link to thousands of targets. Only bother
2483 * checking as many targets as will fit into the current response
2485 max_links = getncchanges_chunk_max_links(repl_chunk);
2486 max_la_index = MIN(getnc_state->la_count,
2487 start_la_index + max_links);
2489 /* loop through any linked attributes to check */
2490 for (i = start_la_index;
2491 (i < max_la_index &&
2492 !getncchanges_chunk_is_full(repl_chunk, getnc_state));
2495 struct GUID target_guid;
2496 struct drsuapi_DsReplicaObjectListItemEx *new_objs = NULL;
2497 const struct drsuapi_DsReplicaLinkedAttribute *la;
2498 struct ldb_result *msg_res;
2499 struct ldb_dn *search_dn;
2500 TALLOC_CTX *tmp_ctx;
2502 const struct dsdb_attribute *schema_attrib;
2506 la = &getnc_state->la_list[i];
2507 tmp_ctx = talloc_new(mem_ctx);
2510 * Track what linked attribute targets we've checked. We might
2511 * not have time to check them all, so we should only send back
2512 * the ones we've actually checked.
2514 repl_chunk->tgt_la_count = i + 1;
2516 /* get the GUID of the linked attribute's target object */
2517 schema_attrib = dsdb_attribute_by_attributeID_id(schema,
2520 werr = dsdb_dn_la_from_blob(sam_ctx, schema_attrib, schema,
2521 tmp_ctx, la->value.blob, &dn);
2523 if (!W_ERROR_IS_OK(werr)) {
2524 DEBUG(0,(__location__ ": Bad la blob\n"));
2528 status = dsdb_get_extended_dn_guid(dn->dn, &target_guid, "GUID");
2530 if (!NT_STATUS_IS_OK(status)) {
2531 return ntstatus_to_werror(status);
2535 * if the target isn't in the cache, then the client
2536 * might not know about it, so send the target now
2538 werr = dcesrv_drsuapi_obj_cache_exists(getnc_state->obj_cache,
2541 if (W_ERROR_EQUAL(werr, WERR_OBJECT_NAME_EXISTS)) {
2543 /* target already sent, nothing to do */
2544 TALLOC_FREE(tmp_ctx);
2548 same_nc = dsdb_objects_have_same_nc(sam_ctx, tmp_ctx, dn->dn,
2549 getnc_state->ncRoot_dn);
2551 /* don't try to fetch target objects from another partition */
2553 TALLOC_FREE(tmp_ctx);
2557 search_dn = ldb_dn_new_fmt(tmp_ctx, sam_ctx, "<GUID=%s>",
2558 GUID_string(tmp_ctx, &target_guid));
2559 W_ERROR_HAVE_NO_MEMORY(search_dn);
2561 ret = drsuapi_search_with_extended_dn(sam_ctx, tmp_ctx,
2562 &msg_res, search_dn,
2567 * Don't fail the replication if we can't find the target.
2568 * This could happen for a one-way linked attribute, if the
2569 * target is deleted and then later expunged (thus, the source
2570 * object can be left with a hanging link). Continue to send
2571 * the the link (the client-side has already tried once with
2572 * GET_TGT, so it should just end up ignoring it).
2574 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
2575 DBG_WARNING("Encountered unknown link target DN %s\n",
2576 ldb_dn_get_extended_linearized(tmp_ctx, dn->dn, 1));
2577 TALLOC_FREE(tmp_ctx);
2580 } else if (ret != LDB_SUCCESS) {
2581 DBG_ERR("Failed to fetch link target DN %s - %s\n",
2582 ldb_dn_get_extended_linearized(tmp_ctx, dn->dn, 1),
2583 ldb_errstring(sam_ctx));
2584 return WERR_DS_DRA_INCONSISTENT_DIT;
2588 * Construct an object, ready to send (this will include
2589 * the object's ancestors as well, if GET_ANC is set)
2591 werr = getncchanges_get_obj_to_send(msg_res->msgs[0], mem_ctx,
2592 sam_ctx, getnc_state,
2593 schema, session_key, req10,
2595 machine_dn, &target_guid,
2597 if (!W_ERROR_IS_OK(werr)) {
2601 if (new_objs != NULL) {
2603 getncchanges_chunk_add_objects(repl_chunk, new_objs);
2605 TALLOC_FREE(tmp_ctx);
2608 if (target_count > 0) {
2609 DEBUG(3, ("GET_TGT: checked %u link-attrs, added %u target objs\n",
2610 i - start_la_index, target_count));
2617 * Creates a helper struct used for building a chunk of replication data,
2618 * i.e. used over a single call to dcesrv_drsuapi_DsGetNCChanges().
2620 static struct getncchanges_repl_chunk * getncchanges_chunk_new(TALLOC_CTX *mem_ctx,
2621 struct dcesrv_call_state *dce_call,
2622 struct drsuapi_DsGetNCChangesRequest10 *req10)
2624 struct getncchanges_repl_chunk *repl_chunk;
2626 repl_chunk = talloc_zero(mem_ctx, struct getncchanges_repl_chunk);
2628 repl_chunk->start = time(NULL);
2630 repl_chunk->max_objects = lpcfg_parm_int(dce_call->conn->dce_ctx->lp_ctx, NULL,
2631 "drs", "max object sync",
2632 DEFAULT_MAX_OBJECTS);
2635 * The client control here only applies in normal replication, not extended
2636 * operations, which return a fixed set, even if the caller
2637 * sets max_object_count == 0
2639 if (req10->extended_op == DRSUAPI_EXOP_NONE) {
2642 * use this to force single objects at a time, which is useful
2643 * for working out what object is giving problems
2645 if (req10->max_object_count < repl_chunk->max_objects) {
2646 repl_chunk->max_objects = req10->max_object_count;
2650 repl_chunk->max_links =
2651 lpcfg_parm_int(dce_call->conn->dce_ctx->lp_ctx, NULL,
2652 "drs", "max link sync",
2655 repl_chunk->immediate_link_sync =
2656 lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
2657 "drs", "immediate link sync", false);
2660 * Maximum time that we can spend in a getncchanges
2661 * in order to avoid timeout of the other part.
2662 * 10 seconds by default.
2664 repl_chunk->max_wait = lpcfg_parm_int(dce_call->conn->dce_ctx->lp_ctx,
2665 NULL, "drs", "max work time", 10);
2671 drsuapi_DsGetNCChanges
2673 see MS-DRSR 4.1.10.5.2 for basic logic of this function
2675 WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
2676 struct drsuapi_DsGetNCChanges *r)
2678 struct auth_session_info *session_info =
2679 dcesrv_call_session_info(dce_call);
2680 struct drsuapi_DsReplicaObjectIdentifier *ncRoot;
2683 struct dsdb_schema *schema;
2684 struct drsuapi_DsReplicaOIDMapping_Ctr *ctr;
2685 struct getncchanges_repl_chunk *repl_chunk;
2687 DATA_BLOB session_key;
2689 struct dcesrv_handle *h;
2690 struct drsuapi_bind_state *b_state;
2691 struct drsuapi_getncchanges_state *getnc_state;
2692 struct drsuapi_DsGetNCChangesRequest10 *req10;
2694 uint32_t link_count = 0;
2695 struct ldb_dn *search_dn = NULL;
2697 enum security_user_level security_level;
2698 struct ldb_context *sam_ctx;
2699 struct dom_sid *user_sid;
2700 bool is_secret_request;
2701 bool is_gc_pas_request;
2702 struct drsuapi_changed_objects *changes;
2703 bool has_get_all_changes = false;
2704 struct GUID invocation_id;
2705 static const struct drsuapi_DsReplicaLinkedAttribute no_linked_attr;
2706 struct dsdb_schema_prefixmap *pfm_remote = NULL;
2708 uint32_t *local_pas = NULL;
2709 struct ldb_dn *machine_dn = NULL; /* Only used for REPL SECRET EXOP */
2711 DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
2714 /* sam_ctx_system is not present for non-administrator users */
2715 sam_ctx = b_state->sam_ctx_system?b_state->sam_ctx_system:b_state->sam_ctx;
2717 invocation_id = *(samdb_ntds_invocation_id(sam_ctx));
2719 *r->out.level_out = 6;
2721 r->out.ctr->ctr6.linked_attributes_count = 0;
2722 r->out.ctr->ctr6.linked_attributes = discard_const_p(struct drsuapi_DsReplicaLinkedAttribute, &no_linked_attr);
2724 r->out.ctr->ctr6.object_count = 0;
2725 r->out.ctr->ctr6.nc_object_count = 0;
2726 r->out.ctr->ctr6.more_data = false;
2727 r->out.ctr->ctr6.uptodateness_vector = NULL;
2728 r->out.ctr->ctr6.source_dsa_guid = *(samdb_ntds_objectGUID(sam_ctx));
2729 r->out.ctr->ctr6.source_dsa_invocation_id = *(samdb_ntds_invocation_id(sam_ctx));
2730 r->out.ctr->ctr6.first_object = NULL;
2732 /* Check request revision.
2734 switch (r->in.level) {
2736 req10 = getncchanges_map_req8(mem_ctx, &r->in.req->req8);
2737 if (req10 == NULL) {
2738 return WERR_NOT_ENOUGH_MEMORY;
2742 req10 = &r->in.req->req10;
2745 DEBUG(0,(__location__ ": Request for DsGetNCChanges with unsupported level %u\n",
2747 return WERR_REVISION_MISMATCH;
2750 repl_chunk = getncchanges_chunk_new(mem_ctx, dce_call, req10);
2752 if (repl_chunk == NULL) {
2753 return WERR_NOT_ENOUGH_MEMORY;
2756 /* a RODC doesn't allow for any replication */
2757 ret = samdb_rodc(sam_ctx, &am_rodc);
2758 if (ret == LDB_SUCCESS && am_rodc) {
2759 DEBUG(0,(__location__ ": DsGetNCChanges attempt on RODC\n"));
2760 return WERR_DS_DRA_SOURCE_DISABLED;
2763 /* Perform access checks. */
2764 /* TODO: we need to support a sync on a specific non-root
2765 * DN. We'll need to find the real partition root here */
2766 ncRoot = req10->naming_context;
2767 if (ncRoot == NULL) {
2768 DEBUG(0,(__location__ ": Request for DsGetNCChanges with no NC\n"));
2769 return WERR_DS_DRA_INVALID_PARAMETER;
2772 if (samdb_ntds_options(sam_ctx, &options) != LDB_SUCCESS) {
2773 return WERR_DS_DRA_INTERNAL_ERROR;
2776 if ((options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) &&
2777 !(req10->replica_flags & DRSUAPI_DRS_SYNC_FORCED)) {
2778 return WERR_DS_DRA_SOURCE_DISABLED;
2781 user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
2783 /* all clients must have GUID_DRS_GET_CHANGES */
2784 werr = drs_security_access_check_nc_root(sam_ctx,
2786 session_info->security_token,
2787 req10->naming_context,
2788 GUID_DRS_GET_CHANGES);
2789 if (!W_ERROR_IS_OK(werr)) {
2793 if (dsdb_functional_level(sam_ctx) >= DS_DOMAIN_FUNCTION_2008) {
2794 full = req10->partial_attribute_set == NULL &&
2795 req10->partial_attribute_set_ex == NULL;
2797 full = (options & DRSUAPI_DRS_WRIT_REP) != 0;
2800 werr = dsdb_schema_pfm_from_drsuapi_pfm(&req10->mapping_ctr, true,
2801 mem_ctx, &pfm_remote, NULL);
2803 /* We were supplied a partial attribute set, without the prefix map! */
2804 if (!full && !W_ERROR_IS_OK(werr)) {
2805 if (req10->mapping_ctr.num_mappings == 0) {
2807 * Despite the fact MS-DRSR specifies that this shouldn't
2808 * happen, Windows RODCs will in fact not provide a prefixMap.
2810 DEBUG(5,(__location__ ": Failed to provide a remote prefixMap,"
2811 " falling back to local prefixMap\n"));
2813 DEBUG(0,(__location__ ": Failed to decode remote prefixMap: %s\n",
2819 /* allowed if the GC PAS and client has
2820 GUID_DRS_GET_FILTERED_ATTRIBUTES */
2821 werr = dcesrv_drsuapi_is_gc_pas_request(b_state, req10, pfm_remote, &is_gc_pas_request);
2822 if (!W_ERROR_IS_OK(werr)) {
2825 if (is_gc_pas_request) {
2826 werr = drs_security_access_check_nc_root(sam_ctx,
2828 session_info->security_token,
2829 req10->naming_context,
2830 GUID_DRS_GET_FILTERED_ATTRIBUTES);
2831 if (W_ERROR_IS_OK(werr)) {
2836 werr = dcesrv_drsuapi_is_reveal_secrets_request(b_state, req10,
2838 &is_secret_request);
2839 if (!W_ERROR_IS_OK(werr)) {
2842 if (is_secret_request) {
2843 werr = drs_security_access_check_nc_root(sam_ctx,
2845 session_info->security_token,
2846 req10->naming_context,
2847 GUID_DRS_GET_ALL_CHANGES);
2848 if (!W_ERROR_IS_OK(werr)) {
2849 /* Only bail if this is not a EXOP_REPL_SECRET */
2850 if (req10->extended_op != DRSUAPI_EXOP_REPL_SECRET) {
2854 has_get_all_changes = true;
2859 /* for non-administrator replications, check that they have
2860 given the correct source_dsa_invocation_id */
2861 security_level = security_session_user_level(session_info,
2862 samdb_domain_sid(sam_ctx));
2863 if (security_level == SECURITY_RO_DOMAIN_CONTROLLER) {
2864 if (req10->replica_flags & DRSUAPI_DRS_WRIT_REP) {
2865 /* we rely on this flag being unset for RODC requests */
2866 req10->replica_flags &= ~DRSUAPI_DRS_WRIT_REP;
2870 if (req10->replica_flags & DRSUAPI_DRS_FULL_SYNC_PACKET) {
2871 /* Ignore the _in_ uptpdateness vector*/
2872 req10->uptodateness_vector = NULL;
2875 if (GUID_all_zero(&req10->source_dsa_invocation_id)) {
2876 req10->source_dsa_invocation_id = invocation_id;
2879 if (!GUID_equal(&req10->source_dsa_invocation_id, &invocation_id)) {
2881 * The given highwatermark is only valid relative to the
2882 * specified source_dsa_invocation_id.
2884 ZERO_STRUCT(req10->highwatermark);
2887 getnc_state = b_state->getncchanges_state;
2889 /* see if a previous replication has been abandoned */
2891 struct ldb_dn *new_dn = drs_ObjectIdentifier_to_dn(getnc_state, sam_ctx, ncRoot);
2892 if (ldb_dn_compare(new_dn, getnc_state->ncRoot_dn) != 0) {
2893 DEBUG(0,(__location__ ": DsGetNCChanges 2nd replication on different DN %s %s (last_dn %s)\n",
2894 ldb_dn_get_linearized(new_dn),
2895 ldb_dn_get_linearized(getnc_state->ncRoot_dn),
2896 ldb_dn_get_linearized(getnc_state->last_dn)));
2897 TALLOC_FREE(getnc_state);
2898 b_state->getncchanges_state = NULL;
2903 ret = drsuapi_DsReplicaHighWaterMark_cmp(&getnc_state->last_hwm,
2904 &req10->highwatermark);
2906 DEBUG(0,(__location__ ": DsGetNCChanges 2nd replication "
2907 "on DN %s %s highwatermark (last_dn %s)\n",
2908 ldb_dn_get_linearized(getnc_state->ncRoot_dn),
2909 (ret > 0) ? "older" : "newer",
2910 ldb_dn_get_linearized(getnc_state->last_dn)));
2911 TALLOC_FREE(getnc_state);
2912 b_state->getncchanges_state = NULL;
2916 if (getnc_state == NULL) {
2917 struct ldb_result *res = NULL;
2918 const char *attrs[] = {
2923 uint32_t nc_instanceType;
2924 struct ldb_dn *ncRoot_dn;
2926 ncRoot_dn = drs_ObjectIdentifier_to_dn(mem_ctx, sam_ctx, ncRoot);
2927 if (ncRoot_dn == NULL) {
2928 return WERR_NOT_ENOUGH_MEMORY;
2931 ret = dsdb_search_dn(sam_ctx, mem_ctx, &res,
2933 DSDB_SEARCH_SHOW_DELETED |
2934 DSDB_SEARCH_SHOW_RECYCLED);
2935 if (ret != LDB_SUCCESS) {
2936 DBG_WARNING("Failed to find ncRoot_dn %s\n",
2937 ldb_dn_get_linearized(ncRoot_dn));
2938 return WERR_DS_DRA_BAD_DN;
2940 nc_instanceType = ldb_msg_find_attr_as_int(res->msgs[0],
2944 if (req10->extended_op != DRSUAPI_EXOP_NONE) {
2945 r->out.ctr->ctr6.extended_ret = DRSUAPI_EXOP_ERR_SUCCESS;
2949 * This is the first replication cycle and it is
2950 * a good place to handle extended operations
2952 * FIXME: we don't fully support extended operations yet
2954 switch (req10->extended_op) {
2955 case DRSUAPI_EXOP_NONE:
2956 if ((nc_instanceType & INSTANCE_TYPE_IS_NC_HEAD) == 0) {
2958 = ldb_dn_get_linearized(ncRoot_dn);
2960 DBG_NOTICE("Rejecting full replication on "
2961 "not NC %s", dn_str);
2963 return WERR_DS_CANT_FIND_EXPECTED_NC;
2967 case DRSUAPI_EXOP_FSMO_RID_ALLOC:
2968 werr = getncchanges_rid_alloc(b_state, mem_ctx, req10, &r->out.ctr->ctr6, &search_dn);
2969 W_ERROR_NOT_OK_RETURN(werr);
2970 if (r->out.ctr->ctr6.extended_ret != DRSUAPI_EXOP_ERR_SUCCESS) {
2974 case DRSUAPI_EXOP_REPL_SECRET:
2975 werr = getncchanges_repl_secret(b_state, mem_ctx, req10,
2978 has_get_all_changes,
2980 r->out.result = werr;
2981 W_ERROR_NOT_OK_RETURN(werr);
2983 case DRSUAPI_EXOP_FSMO_REQ_ROLE:
2984 werr = getncchanges_change_master(b_state, mem_ctx, req10, &r->out.ctr->ctr6);
2985 W_ERROR_NOT_OK_RETURN(werr);
2986 if (r->out.ctr->ctr6.extended_ret != DRSUAPI_EXOP_ERR_SUCCESS) {
2990 case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE:
2991 werr = getncchanges_change_master(b_state, mem_ctx, req10, &r->out.ctr->ctr6);
2992 W_ERROR_NOT_OK_RETURN(werr);
2993 if (r->out.ctr->ctr6.extended_ret != DRSUAPI_EXOP_ERR_SUCCESS) {
2997 case DRSUAPI_EXOP_FSMO_REQ_PDC:
2998 werr = getncchanges_change_master(b_state, mem_ctx, req10, &r->out.ctr->ctr6);
2999 W_ERROR_NOT_OK_RETURN(werr);
3000 if (r->out.ctr->ctr6.extended_ret != DRSUAPI_EXOP_ERR_SUCCESS) {
3004 case DRSUAPI_EXOP_REPL_OBJ:
3005 werr = getncchanges_repl_obj(b_state, mem_ctx, req10, user_sid, &r->out.ctr->ctr6);
3006 r->out.result = werr;
3007 W_ERROR_NOT_OK_RETURN(werr);
3010 case DRSUAPI_EXOP_FSMO_ABANDON_ROLE:
3012 DEBUG(0,(__location__ ": Request for DsGetNCChanges unsupported extended op 0x%x\n",
3013 (unsigned)req10->extended_op));
3014 return WERR_DS_DRA_NOT_SUPPORTED;
3017 /* Initialize the state we'll store over the replication cycle */
3018 getnc_state = talloc_zero(b_state, struct drsuapi_getncchanges_state);
3019 if (getnc_state == NULL) {
3020 return WERR_NOT_ENOUGH_MEMORY;
3022 b_state->getncchanges_state = getnc_state;
3024 getnc_state->ncRoot_dn = ncRoot_dn;
3025 talloc_steal(getnc_state, ncRoot_dn);
3027 getnc_state->ncRoot_guid = samdb_result_guid(res->msgs[0],
3029 ncRoot->guid = getnc_state->ncRoot_guid;
3031 /* find out if we are to replicate Schema NC */
3032 ret = ldb_dn_compare_base(ldb_get_schema_basedn(sam_ctx),
3034 getnc_state->is_schema_nc = (0 == ret);
3039 if (!ldb_dn_validate(getnc_state->ncRoot_dn) ||
3040 ldb_dn_is_null(getnc_state->ncRoot_dn)) {
3041 DEBUG(0,(__location__ ": Bad DN '%s'\n",
3042 drs_ObjectIdentifier_to_string(mem_ctx, ncRoot)));
3043 return WERR_DS_DRA_INVALID_PARAMETER;
3046 ncRoot->guid = getnc_state->ncRoot_guid;
3048 /* we need the session key for encrypting password attributes */
3049 status = dcesrv_auth_session_key(dce_call, &session_key);
3050 if (!NT_STATUS_IS_OK(status)) {
3051 DEBUG(0,(__location__ ": Failed to get session key\n"));
3052 return WERR_DS_DRA_INTERNAL_ERROR;
3056 TODO: MS-DRSR section 4.1.10.1.1
3057 Work out if this is the start of a new cycle */
3059 if (getnc_state->guids == NULL) {
3060 const char *extra_filter;
3061 struct ldb_result *search_res = NULL;
3062 static const struct drsuapi_DsReplicaCursorCtrEx empty_udv;
3063 const struct drsuapi_DsReplicaCursorCtrEx *udv = NULL;
3065 extra_filter = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "object filter");
3067 if (req10->extended_op == DRSUAPI_EXOP_NONE) {
3068 if (req10->uptodateness_vector != NULL) {
3069 udv = req10->uptodateness_vector;
3074 getnc_state->min_usn = req10->highwatermark.highest_usn;
3075 for (i = 0; i < udv->count; i++) {
3077 const struct drsuapi_DsReplicaCursor *cur =
3080 match = GUID_equal(&invocation_id,
3081 &cur->source_dsa_invocation_id);
3085 if (cur->highest_usn > getnc_state->min_usn) {
3086 getnc_state->min_usn = cur->highest_usn;
3091 /* We do not want REPL_SECRETS or REPL_SINGLE to return empty-handed */
3093 getnc_state->min_usn = 0;
3096 getnc_state->max_usn = getnc_state->min_usn;
3098 getnc_state->final_udv = talloc_zero(getnc_state,
3099 struct drsuapi_DsReplicaCursor2CtrEx);
3100 if (getnc_state->final_udv == NULL) {
3101 return WERR_NOT_ENOUGH_MEMORY;
3103 werr = get_nc_changes_udv(sam_ctx, getnc_state->ncRoot_dn,
3104 getnc_state->final_udv);
3105 if (!W_ERROR_IS_OK(werr)) {
3109 if (req10->extended_op == DRSUAPI_EXOP_NONE) {
3110 werr = getncchanges_collect_objects(b_state, mem_ctx, req10,
3111 search_dn, extra_filter,
3114 werr = getncchanges_collect_objects_exop(b_state, mem_ctx, req10,
3116 search_dn, extra_filter,
3119 W_ERROR_NOT_OK_RETURN(werr);
3121 /* extract out the GUIDs list */
3122 getnc_state->num_records = search_res ? search_res->count : 0;
3123 getnc_state->guids = talloc_array(getnc_state, struct GUID, getnc_state->num_records);
3124 W_ERROR_HAVE_NO_MEMORY(getnc_state->guids);
3126 changes = talloc_array(getnc_state,
3127 struct drsuapi_changed_objects,
3128 getnc_state->num_records);
3129 W_ERROR_HAVE_NO_MEMORY(changes);
3131 for (i=0; i<getnc_state->num_records; i++) {
3132 changes[i].dn = search_res->msgs[i]->dn;
3133 changes[i].guid = samdb_result_guid(search_res->msgs[i], "objectGUID");
3134 changes[i].usn = ldb_msg_find_attr_as_uint64(search_res->msgs[i], "uSNChanged", 0);
3136 if (changes[i].usn > getnc_state->max_usn) {
3137 getnc_state->max_usn = changes[i].usn;
3141 /* RID_ALLOC returns 3 objects in a fixed order */
3142 if (req10->extended_op == DRSUAPI_EXOP_FSMO_RID_ALLOC) {
3145 LDB_TYPESAFE_QSORT(changes,
3146 getnc_state->num_records,
3148 site_res_cmp_usn_order);
3151 for (i=0; i < getnc_state->num_records; i++) {
3152 getnc_state->guids[i] = changes[i].guid;
3153 if (GUID_all_zero(&getnc_state->guids[i])) {
3154 DEBUG(2,("getncchanges: bad objectGUID from %s\n",
3155 ldb_dn_get_linearized(search_res->msgs[i]->dn)));
3156 return WERR_DS_DRA_INTERNAL_ERROR;
3160 getnc_state->final_hwm.tmp_highest_usn = getnc_state->max_usn;
3161 getnc_state->final_hwm.reserved_usn = 0;
3162 getnc_state->final_hwm.highest_usn = getnc_state->max_usn;
3164 talloc_free(search_res);
3165 talloc_free(changes);
3167 if (req10->extended_op == DRSUAPI_EXOP_NONE) {
3168 getnc_state->is_get_anc =
3169 ((req10->replica_flags & DRSUAPI_DRS_GET_ANC) != 0);
3170 getnc_state->is_get_tgt =
3171 ((req10->more_flags & DRSUAPI_DRS_GET_TGT) != 0);
3175 * when using GET_ANC or GET_TGT, cache the objects that have
3176 * been already sent, to avoid sending them multiple times
3178 if (getnc_state->is_get_anc || getnc_state->is_get_tgt) {
3179 DEBUG(3,("Using object cache, GET_ANC %u, GET_TGT %u\n",
3180 getnc_state->is_get_anc,
3181 getnc_state->is_get_tgt));
3183 getnc_state->obj_cache = db_open_rbt(getnc_state);
3184 if (getnc_state->obj_cache == NULL) {
3185 return WERR_NOT_ENOUGH_MEMORY;
3190 if (req10->uptodateness_vector) {
3191 /* make sure its sorted */
3192 TYPESAFE_QSORT(req10->uptodateness_vector->cursors,
3193 req10->uptodateness_vector->count,
3194 drsuapi_DsReplicaCursor_compare);
3197 /* Prefix mapping */
3198 schema = dsdb_get_schema(sam_ctx, mem_ctx);
3200 DEBUG(0,("No schema in sam_ctx\n"));
3201 return WERR_DS_DRA_INTERNAL_ERROR;
3204 r->out.ctr->ctr6.naming_context = talloc(mem_ctx, struct drsuapi_DsReplicaObjectIdentifier);
3205 if (r->out.ctr->ctr6.naming_context == NULL) {
3206 return WERR_NOT_ENOUGH_MEMORY;
3208 *r->out.ctr->ctr6.naming_context = *ncRoot;
3210 /* find the SID if there is one */
3211 dsdb_find_sid_by_dn(sam_ctx, getnc_state->ncRoot_dn, &r->out.ctr->ctr6.naming_context->sid);
3213 dsdb_get_oid_mappings_drsuapi(schema, true, mem_ctx, &ctr);
3214 r->out.ctr->ctr6.mapping_ctr = *ctr;
3216 r->out.ctr->ctr6.source_dsa_guid = *(samdb_ntds_objectGUID(sam_ctx));
3217 r->out.ctr->ctr6.source_dsa_invocation_id = *(samdb_ntds_invocation_id(sam_ctx));
3219 r->out.ctr->ctr6.old_highwatermark = req10->highwatermark;
3220 r->out.ctr->ctr6.new_highwatermark = req10->highwatermark;
3223 * If the client has already set GET_TGT then we know they can handle
3224 * receiving the linked attributes interleaved with the source objects
3226 if (getnc_state->is_get_tgt) {
3227 repl_chunk->immediate_link_sync = true;
3230 if (req10->partial_attribute_set != NULL) {
3231 struct dsdb_syntax_ctx syntax_ctx;
3234 dsdb_syntax_ctx_init(&syntax_ctx, sam_ctx, schema);
3235 syntax_ctx.pfm_remote = pfm_remote;
3237 local_pas = talloc_array(b_state, uint32_t, req10->partial_attribute_set->num_attids);
3239 for (j = 0; j < req10->partial_attribute_set->num_attids; j++) {
3240 getncchanges_attid_remote_to_local(schema,
3242 req10->partial_attribute_set->attids[j],
3243 (enum drsuapi_DsAttributeId *)&local_pas[j],
3247 LDB_TYPESAFE_QSORT(local_pas,
3248 req10->partial_attribute_set->num_attids,
3254 * Check in case we're still processing the links from an object in the
3255 * previous chunk. We want to send the links (and any targets needed)
3256 * before moving on to the next object.
3258 if (getnc_state->is_get_tgt) {
3259 werr = getncchanges_chunk_add_la_targets(repl_chunk,
3261 getnc_state->la_idx,
3263 schema, &session_key,
3267 if (!W_ERROR_IS_OK(werr)) {
3272 for (i=getnc_state->num_processed;
3273 i<getnc_state->num_records &&
3274 !getncchanges_chunk_is_full(repl_chunk, getnc_state);
3276 struct drsuapi_DsReplicaObjectListItemEx *new_objs = NULL;
3277 struct ldb_message *msg;
3278 static const char * const msg_attrs[] = {
3280 "nTSecurityDescriptor",
3282 "replPropertyMetaData",
3283 DSDB_SECRET_ATTRIBUTES,
3285 struct ldb_result *msg_res;
3286 struct ldb_dn *msg_dn;
3287 bool obj_already_sent = false;
3288 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
3289 uint32_t old_la_index;
3291 msg_dn = ldb_dn_new_fmt(tmp_ctx, sam_ctx, "<GUID=%s>",
3292 GUID_string(tmp_ctx, &getnc_state->guids[i]));
3293 W_ERROR_HAVE_NO_MEMORY(msg_dn);
3296 * by re-searching here we avoid having a lot of full
3297 * records in memory between calls to getncchanges.
3299 * We expect that we may get some objects that vanish
3300 * (tombstone expunge) between the first and second
3303 ret = drsuapi_search_with_extended_dn(sam_ctx, tmp_ctx, &msg_res,
3305 LDB_SCOPE_BASE, msg_attrs, NULL);
3306 if (ret != LDB_SUCCESS) {
3307 if (ret != LDB_ERR_NO_SUCH_OBJECT) {
3308 DEBUG(1,("getncchanges: failed to fetch DN %s - %s\n",
3309 ldb_dn_get_extended_linearized(tmp_ctx, msg_dn, 1),
3310 ldb_errstring(sam_ctx)));
3312 TALLOC_FREE(tmp_ctx);
3316 if (msg_res->count == 0) {
3317 DEBUG(1,("getncchanges: got LDB_SUCCESS but failed"
3318 "to get any results in fetch of DN "
3319 "%s (race with tombstone expunge?)\n",
3320 ldb_dn_get_extended_linearized(tmp_ctx,
3322 TALLOC_FREE(tmp_ctx);
3326 msg = msg_res->msgs[0];
3329 * Check if we've already sent the object as an ancestor of
3330 * another object. If so, we don't need to send it again
3332 if (getnc_state->obj_cache != NULL) {
3333 werr = dcesrv_drsuapi_obj_cache_exists(getnc_state->obj_cache,
3334 &getnc_state->guids[i]);
3335 if (W_ERROR_EQUAL(werr, WERR_OBJECT_NAME_EXISTS)) {
3336 obj_already_sent = true;
3340 if (!obj_already_sent) {
3341 bool max_wait_reached;
3343 max_wait_reached = getncchanges_chunk_timed_out(repl_chunk);
3346 * Construct an object, ready to send (this will include
3347 * the object's ancestors as well, if needed)
3349 werr = getncchanges_get_obj_to_send(msg, mem_ctx, sam_ctx,
3350 getnc_state, schema,
3351 &session_key, req10,
3353 local_pas, machine_dn,
3354 &getnc_state->guids[i],
3356 if (!W_ERROR_IS_OK(werr)) {
3361 old_la_index = getnc_state->la_count;
3364 * We've reached the USN where this object naturally occurs.
3365 * Regardless of whether we've already sent the object (as an
3366 * ancestor), we add its links and update the HWM at this point
3368 werr = get_nc_changes_add_links(sam_ctx, getnc_state,
3369 getnc_state->is_schema_nc,
3370 schema, getnc_state->min_usn,
3371 req10->replica_flags,
3373 &getnc_state->la_list,
3374 &getnc_state->la_count,
3375 req10->uptodateness_vector);
3376 if (!W_ERROR_IS_OK(werr)) {
3380 dcesrv_drsuapi_update_highwatermark(msg,
3381 getnc_state->max_usn,
3382 &r->out.ctr->ctr6.new_highwatermark);
3384 if (new_objs != NULL) {
3387 * Add the object (and, if GET_ANC, any parents it may
3388 * have) into the current chunk of replication data
3390 getncchanges_chunk_add_objects(repl_chunk, new_objs);
3392 talloc_free(getnc_state->last_dn);
3393 getnc_state->last_dn = talloc_move(getnc_state, &msg->dn);
3396 DEBUG(8,(__location__ ": %s object %s\n",
3397 new_objs ? "replicating" : "skipping send of",
3398 ldb_dn_get_linearized(msg->dn)));
3400 getnc_state->total_links += (getnc_state->la_count - old_la_index);
3403 * If the GET_TGT flag was set, check any new links added to
3404 * make sure the client knows about the link target object
3406 if (getnc_state->is_get_tgt) {
3407 werr = getncchanges_chunk_add_la_targets(repl_chunk,
3411 schema, &session_key,
3415 if (!W_ERROR_IS_OK(werr)) {
3420 TALLOC_FREE(tmp_ctx);
3423 /* copy the constructed object list into the response message */
3424 r->out.ctr->ctr6.object_count = repl_chunk->object_count;
3425 r->out.ctr->ctr6.first_object = repl_chunk->object_list;
3427 getnc_state->num_processed = i;
3429 if (i < getnc_state->num_records) {
3430 r->out.ctr->ctr6.more_data = true;
3433 /* the client can us to call UpdateRefs on its behalf to
3434 re-establish monitoring of the NC */
3435 if ((req10->replica_flags & (DRSUAPI_DRS_ADD_REF | DRSUAPI_DRS_REF_GCSPN)) &&
3436 !GUID_all_zero(&req10->destination_dsa_guid)) {
3437 struct drsuapi_DsReplicaUpdateRefsRequest1 ureq;
3438 DEBUG(3,("UpdateRefs on getncchanges for %s\n",
3439 GUID_string(mem_ctx, &req10->destination_dsa_guid)));
3440 ureq.naming_context = ncRoot;
3441 ureq.dest_dsa_dns_name = samdb_ntds_msdcs_dns_name(sam_ctx, mem_ctx,
3442 &req10->destination_dsa_guid);
3443 if (!ureq.dest_dsa_dns_name) {
3444 return WERR_NOT_ENOUGH_MEMORY;
3446 ureq.dest_dsa_guid = req10->destination_dsa_guid;
3447 ureq.options = DRSUAPI_DRS_ADD_REF |
3448 DRSUAPI_DRS_ASYNC_OP |
3449 DRSUAPI_DRS_GETCHG_CHECK;
3451 /* we also need to pass through the
3452 DRSUAPI_DRS_REF_GCSPN bit so that repsTo gets flagged
3453 to send notifies using the GC SPN */
3454 ureq.options |= (req10->replica_flags & DRSUAPI_DRS_REF_GCSPN);
3456 werr = drsuapi_UpdateRefs(dce_call->msg_ctx,
3457 dce_call->event_ctx, b_state,
3459 if (!W_ERROR_IS_OK(werr)) {
3460 DEBUG(0,(__location__ ": Failed UpdateRefs on %s for %s in DsGetNCChanges - %s\n",
3461 drs_ObjectIdentifier_to_string(mem_ctx, ncRoot), ureq.dest_dsa_dns_name,
3467 * Work out how many links we can send in this chunk. The default is to
3468 * send all the links last, but there is a config option to send them
3469 * immediately, in the same chunk as their source object
3471 if (!r->out.ctr->ctr6.more_data || repl_chunk->immediate_link_sync) {
3472 link_count = getncchanges_chunk_links_pending(repl_chunk,
3474 link_count = MIN(link_count,
3475 getncchanges_chunk_max_links(repl_chunk));
3478 /* If we've got linked attributes to send, add them now */
3479 if (link_count > 0) {
3480 struct la_for_sorting *la_sorted;
3483 * Grab a chunk of linked attributes off the list and put them
3484 * in sorted array, ready to send
3486 werr = getncchanges_get_sorted_array(&getnc_state->la_list[getnc_state->la_idx],
3488 sam_ctx, getnc_state,
3491 if (!W_ERROR_IS_OK(werr)) {
3495 r->out.ctr->ctr6.linked_attributes_count = link_count;
3496 r->out.ctr->ctr6.linked_attributes = talloc_array(r->out.ctr, struct drsuapi_DsReplicaLinkedAttribute, link_count);
3497 if (r->out.ctr->ctr6.linked_attributes == NULL) {
3498 DEBUG(0, ("Out of memory allocating %u linked attributes for output", link_count));
3499 return WERR_NOT_ENOUGH_MEMORY;
3502 for (k = 0; k < link_count; k++) {
3503 r->out.ctr->ctr6.linked_attributes[k] = *la_sorted[k].link;
3506 getnc_state->la_idx += link_count;
3507 getnc_state->links_given += link_count;
3509 if (getnc_state->la_idx < getnc_state->la_count) {
3510 r->out.ctr->ctr6.more_data = true;
3514 * We've now sent all the links seen so far, so we can
3515 * reset la_list back to an empty list again. Note that
3516 * the steal means the linked attribute memory gets
3517 * freed after this RPC message is sent on the wire.
3519 talloc_steal(mem_ctx, getnc_state->la_list);
3520 getnc_state->la_list = NULL;
3521 getnc_state->la_idx = 0;
3522 getnc_state->la_count = 0;
3525 TALLOC_FREE(la_sorted);
3528 if (req10->replica_flags & DRSUAPI_DRS_GET_NC_SIZE) {
3530 * TODO: This implementation is wrong
3531 * we should find out the total number of
3532 * objects and links in the whole naming context
3533 * at the start of the cycle and return these
3534 * values in each message.
3536 * For now we keep our current strategy and return
3537 * the number of objects for this cycle and the number
3538 * of links we found so far during the cycle.
3540 r->out.ctr->ctr6.nc_object_count = getnc_state->num_records;
3541 r->out.ctr->ctr6.nc_linked_attributes_count = getnc_state->total_links;
3544 if (!r->out.ctr->ctr6.more_data) {
3546 /* this is the last response in the replication cycle */
3547 r->out.ctr->ctr6.new_highwatermark = getnc_state->final_hwm;
3548 r->out.ctr->ctr6.uptodateness_vector = talloc_move(mem_ctx,
3549 &getnc_state->final_udv);
3552 * Free the state info stored for the replication cycle. Note
3553 * that the RPC message we're sending contains links stored in
3554 * getnc_state. mem_ctx is local to this RPC call, so the memory
3555 * will get freed after the RPC message is sent on the wire.
3557 talloc_steal(mem_ctx, getnc_state);
3558 b_state->getncchanges_state = NULL;
3560 ret = drsuapi_DsReplicaHighWaterMark_cmp(&r->out.ctr->ctr6.old_highwatermark,
3561 &r->out.ctr->ctr6.new_highwatermark);
3564 * We need to make sure that we never return the
3565 * same highwatermark within the same replication
3566 * cycle more than once. Otherwise we cannot detect
3567 * when the client uses an unexptected highwatermark.
3569 * This is a HACK which is needed because our
3570 * object ordering is wrong and set tmp_highest_usn
3571 * to a value that is higher than what we already
3572 * sent to the client (destination dsa).
3574 r->out.ctr->ctr6.new_highwatermark.reserved_usn += 1;
3577 getnc_state->last_hwm = r->out.ctr->ctr6.new_highwatermark;
3580 if (req10->extended_op != DRSUAPI_EXOP_NONE) {
3581 r->out.ctr->ctr6.uptodateness_vector = NULL;
3582 r->out.ctr->ctr6.nc_object_count = 0;
3583 ZERO_STRUCT(r->out.ctr->ctr6.new_highwatermark);
3586 TALLOC_FREE(repl_chunk);
3588 DEBUG(r->out.ctr->ctr6.more_data?4:2,
3589 ("DsGetNCChanges with uSNChanged >= %llu flags 0x%08x on %s gave %u objects (done %u/%u) %u links (done %u/%u (as %s))\n",
3590 (unsigned long long)(req10->highwatermark.highest_usn+1),
3591 req10->replica_flags, drs_ObjectIdentifier_to_string(mem_ctx, ncRoot),
3592 r->out.ctr->ctr6.object_count,
3593 i, r->out.ctr->ctr6.more_data?getnc_state->num_records:i,
3594 r->out.ctr->ctr6.linked_attributes_count,
3595 getnc_state->links_given, getnc_state->total_links,
3596 dom_sid_string(mem_ctx, user_sid)));
3599 if (!r->out.ctr->ctr6.more_data && req10->extended_op != DRSUAPI_EXOP_NONE) {
3600 NDR_PRINT_FUNCTION_DEBUG(drsuapi_DsGetNCChanges, NDR_BOTH, r);