summaryrefslogtreecommitdiffstats
path: root/source4/rpc_server/drsuapi
diff options
context:
space:
mode:
Diffstat (limited to 'source4/rpc_server/drsuapi')
-rw-r--r--source4/rpc_server/drsuapi/addentry.c240
-rw-r--r--source4/rpc_server/drsuapi/dcesrv_drsuapi.c1070
-rw-r--r--source4/rpc_server/drsuapi/dcesrv_drsuapi.h84
-rw-r--r--source4/rpc_server/drsuapi/drsutil.c237
-rw-r--r--source4/rpc_server/drsuapi/getncchanges.c3861
-rw-r--r--source4/rpc_server/drsuapi/updaterefs.c411
-rw-r--r--source4/rpc_server/drsuapi/writespn.c257
7 files changed, 6160 insertions, 0 deletions
diff --git a/source4/rpc_server/drsuapi/addentry.c b/source4/rpc_server/drsuapi/addentry.c
new file mode 100644
index 0000000..ff23c52
--- /dev/null
+++ b/source4/rpc_server/drsuapi/addentry.c
@@ -0,0 +1,240 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ implement the DsAddEntry call
+
+ Copyright (C) Stefan Metzmacher 2009
+ Copyright (C) Andrew Tridgell 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "rpc_server/dcerpc_server.h"
+#include "dsdb/samdb/samdb.h"
+#include "dsdb/common/util.h"
+#include "param/param.h"
+#include "libcli/security/security.h"
+#include "libcli/security/session.h"
+#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "librpc/gen_ndr/ndr_drsuapi.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_DRS_REPL
+
+/*
+ add special SPNs needed for DRS replication to machine accounts when
+ an AddEntry is done to create a nTDSDSA object
+ */
+static WERROR drsuapi_add_SPNs(struct drsuapi_bind_state *b_state,
+ struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ const struct drsuapi_DsReplicaObjectListItem *first_object)
+{
+ int ret;
+ const struct drsuapi_DsReplicaObjectListItem *obj;
+ const char *attrs[] = { "serverReference", "objectGUID", NULL };
+
+ for (obj = first_object; obj; obj=obj->next_object) {
+ const char *dn_string = obj->object.identifier->dn;
+ struct ldb_dn *dn = ldb_dn_new(mem_ctx, b_state->sam_ctx, dn_string);
+ struct ldb_result *res, *res2;
+ struct ldb_dn *ref_dn;
+ struct GUID ntds_guid;
+ struct ldb_message *msg;
+ struct ldb_message_element *el;
+ const char *ntds_guid_str;
+ const char *dom_string;
+ const char *attrs2[] = { "dNSHostName", "cn", NULL };
+ const char *dNSHostName, *cn;
+
+ DEBUG(6,(__location__ ": Adding SPNs for %s\n",
+ ldb_dn_get_linearized(dn)));
+
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &res,
+ dn, LDB_SCOPE_BASE, attrs,
+ "(objectClass=ntDSDSA)");
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to find dn '%s'\n", dn_string));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ if (res->count < 1) {
+ /* we only add SPNs for nTDSDSA objects */
+ continue;
+ }
+
+ ref_dn = samdb_result_dn(b_state->sam_ctx, mem_ctx, res->msgs[0], "serverReference", NULL);
+ if (ref_dn == NULL) {
+ /* we only add SPNs for objects with a
+ serverReference */
+ continue;
+ }
+
+ DEBUG(6,(__location__ ": serverReference %s\n",
+ ldb_dn_get_linearized(ref_dn)));
+
+ ntds_guid = samdb_result_guid(res->msgs[0], "objectGUID");
+
+ ntds_guid_str = GUID_string(res, &ntds_guid);
+
+ dom_string = lpcfg_dnsdomain(dce_call->conn->dce_ctx->lp_ctx);
+
+ /* get the dNSHostName and cn */
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &res2,
+ ref_dn, LDB_SCOPE_BASE, attrs2, NULL);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to find ref_dn '%s'\n",
+ ldb_dn_get_linearized(ref_dn)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ dNSHostName = ldb_msg_find_attr_as_string(res2->msgs[0], "dNSHostName", NULL);
+ cn = ldb_msg_find_attr_as_string(res2->msgs[0], "cn", NULL);
+
+ /*
+ * construct a modify request to add the new SPNs to
+ * the machine account
+ */
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ msg->dn = ref_dn;
+ ret = ldb_msg_add_empty(msg, "servicePrincipalName",
+ LDB_FLAG_MOD_ADD, &el);
+ if (ret != LDB_SUCCESS) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+
+ ldb_msg_add_steal_string(msg, "servicePrincipalName",
+ talloc_asprintf(el->values,
+ "E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s",
+ ntds_guid_str, dom_string));
+ ldb_msg_add_steal_string(msg, "servicePrincipalName",
+ talloc_asprintf(el->values, "ldap/%s._msdcs.%s",
+ ntds_guid_str, dom_string));
+ if (cn) {
+ ldb_msg_add_steal_string(msg, "servicePrincipalName",
+ talloc_asprintf(el->values, "ldap/%s", cn));
+ }
+ if (dNSHostName) {
+ ldb_msg_add_steal_string(msg, "servicePrincipalName",
+ talloc_asprintf(el->values, "ldap/%s", dNSHostName));
+ }
+ if (el->num_values < 2) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ ret = dsdb_modify(b_state->sam_ctx, msg, DSDB_MODIFY_PERMISSIVE);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to add SPNs - %s\n",
+ ldb_errstring(b_state->sam_ctx)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ }
+
+ return WERR_OK;
+}
+
+
+
+
+/*
+ drsuapi_DsAddEntry
+*/
+WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsAddEntry *r)
+{
+ WERROR status;
+ struct drsuapi_bind_state *b_state;
+ struct dcesrv_handle *h;
+ uint32_t num = 0;
+ struct drsuapi_DsReplicaObjectIdentifier2 *ids = NULL;
+ int ret;
+ const struct drsuapi_DsReplicaObjectListItem *first_object;
+
+ if (DEBUGLVL(4)) {
+ NDR_PRINT_FUNCTION_DEBUG(drsuapi_DsAddEntry, NDR_IN, r);
+ }
+
+ /* TODO: check which out level the client supports */
+
+ ZERO_STRUCTP(r->out.ctr);
+ *r->out.level_out = 3;
+ r->out.ctr->ctr3.err_ver = 1;
+ r->out.ctr->ctr3.err_data = talloc_zero(mem_ctx, union drsuapi_DsAddEntry_ErrData);
+
+ DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
+ b_state = h->data;
+
+ status = drs_security_level_check(dce_call, "DsAddEntry", SECURITY_DOMAIN_CONTROLLER, NULL);
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
+ }
+
+ switch (r->in.level) {
+ case 2:
+ ret = ldb_transaction_start(b_state->sam_ctx);
+ if (ret != LDB_SUCCESS) {
+ DBG_ERR("DsAddEntry start transaction failed: %s\n",
+ ldb_errstring(b_state->sam_ctx));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+
+ first_object = &r->in.req->req2.first_object;
+
+ status = dsdb_origin_objects_commit(b_state->sam_ctx,
+ mem_ctx,
+ first_object,
+ &num,
+ DSDB_REPL_FLAG_ADD_NCNAME,
+ &ids);
+ if (!W_ERROR_IS_OK(status)) {
+ r->out.ctr->ctr3.err_data->v1.status = status;
+ ldb_transaction_cancel(b_state->sam_ctx);
+ DEBUG(0,(__location__ ": DsAddEntry failed - %s\n", win_errstr(status)));
+ return status;
+ }
+
+ r->out.ctr->ctr3.count = num;
+ r->out.ctr->ctr3.objects = ids;
+
+ break;
+ default:
+ return WERR_FOOBAR;
+ }
+
+ /* if any of the added entries are nTDSDSA objects then we
+ * need to add the SPNs to the machine account
+ */
+ status = drsuapi_add_SPNs(b_state, dce_call, mem_ctx, first_object);
+ if (!W_ERROR_IS_OK(status)) {
+ r->out.ctr->ctr3.err_data->v1.status = status;
+ ldb_transaction_cancel(b_state->sam_ctx);
+ DEBUG(0,(__location__ ": DsAddEntry add SPNs failed - %s\n", win_errstr(status)));
+ return status;
+ }
+
+ ret = ldb_transaction_commit(b_state->sam_ctx);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": DsAddEntry commit failed: %s\n",
+ ldb_errstring(b_state->sam_ctx)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ return WERR_OK;
+}
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
new file mode 100644
index 0000000..8bb4fb2
--- /dev/null
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
@@ -0,0 +1,1070 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ endpoint server for the drsuapi pipe
+
+ Copyright (C) Stefan Metzmacher 2004
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "librpc/gen_ndr/ndr_drsuapi.h"
+#include "rpc_server/dcerpc_server.h"
+#include "rpc_server/common/common.h"
+#include "dsdb/samdb/samdb.h"
+#include "dsdb/common/util.h"
+#include "libcli/security/security.h"
+#include "libcli/security/session.h"
+#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "auth/auth.h"
+#include "param/param.h"
+#include "lib/messaging/irpc.h"
+
+#undef strcasecmp
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_DRS_REPL
+
+#define DRSUAPI_UNSUPPORTED(fname) do { \
+ DEBUG(1,(__location__ ": Unsupported DRS call %s\n", #fname)); \
+ if (DEBUGLVL(2)) NDR_PRINT_IN_DEBUG(fname, r); \
+ DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); \
+} while (0)
+
+#define DCESRV_INTERFACE_DRSUAPI_BIND(context, iface) \
+ dcesrv_interface_drsuapi_bind(context, iface)
+static NTSTATUS dcesrv_interface_drsuapi_bind(struct dcesrv_connection_context *context,
+ const struct dcesrv_interface *iface)
+{
+ return dcesrv_interface_bind_require_privacy(context, iface);
+}
+
+/*
+ drsuapi_DsBind
+*/
+static WERROR dcesrv_drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsBind *r)
+{
+ struct drsuapi_bind_state *b_state;
+ struct dcesrv_handle *handle;
+ struct drsuapi_DsBindInfoCtr *bind_info;
+ struct drsuapi_DsBindInfoCtr *local_info;
+ struct GUID site_guid, config_guid;
+ struct ldb_result *site_res, *config_res;
+ struct ldb_dn *server_site_dn, *config_dn;
+ static const char *site_attrs[] = { "objectGUID", NULL };
+ static const char *config_attrs[] = { "objectGUID", NULL };
+ struct ldb_result *ntds_res;
+ struct ldb_dn *ntds_dn;
+ static const char *ntds_attrs[] = { "ms-DS-ReplicationEpoch", NULL };
+ uint32_t pid;
+ uint32_t repl_epoch;
+ uint32_t supported_extensions;
+ uint32_t req_length;
+ int ret;
+ WERROR werr;
+
+ r->out.bind_info = NULL;
+ ZERO_STRUCTP(r->out.bind_handle);
+
+ b_state = talloc_zero(mem_ctx, struct drsuapi_bind_state);
+ W_ERROR_HAVE_NO_MEMORY(b_state);
+
+ /* if this is a DC connecting, give them system level access */
+ werr = drs_security_level_check(dce_call, NULL, SECURITY_DOMAIN_CONTROLLER, NULL);
+ if (W_ERROR_IS_OK(werr)) {
+ DBG_NOTICE("doing DsBind with system_session\n");
+ b_state->sam_ctx_system = dcesrv_samdb_connect_as_system(b_state, dce_call);
+ if (b_state->sam_ctx_system == NULL) {
+ return WERR_DS_UNAVAILABLE;
+ }
+ b_state->sam_ctx = b_state->sam_ctx_system;
+ } else {
+ b_state->sam_ctx = dcesrv_samdb_connect_as_user(b_state, dce_call);
+ if (b_state->sam_ctx == NULL) {
+ return WERR_DS_UNAVAILABLE;
+ }
+
+ /*
+ * an RODC also needs system samdb access for secret
+ * attribute replication
+ */
+ werr = drs_security_level_check(dce_call, NULL, SECURITY_RO_DOMAIN_CONTROLLER,
+ samdb_domain_sid(b_state->sam_ctx));
+ if (W_ERROR_IS_OK(werr)) {
+ DBG_NOTICE("doing DsBind as RODC\n");
+ b_state->sam_ctx_system =
+ dcesrv_samdb_connect_as_system(b_state, dce_call);
+ if (b_state->sam_ctx_system == NULL) {
+ return WERR_DS_UNAVAILABLE;
+ }
+ }
+ }
+
+ /*
+ * find out the guid of our own site
+ */
+ server_site_dn = samdb_server_site_dn(b_state->sam_ctx, mem_ctx);
+ W_ERROR_HAVE_NO_MEMORY(server_site_dn);
+
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &site_res,
+ server_site_dn, LDB_SCOPE_BASE, site_attrs,
+ "(objectClass=*)");
+ if (ret != LDB_SUCCESS) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ if (site_res->count != 1) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ site_guid = samdb_result_guid(site_res->msgs[0], "objectGUID");
+
+ /*
+ * lookup the local servers Replication Epoch
+ */
+ ntds_dn = samdb_ntds_settings_dn(b_state->sam_ctx, mem_ctx);
+ W_ERROR_HAVE_NO_MEMORY(ntds_dn);
+
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &ntds_res,
+ ntds_dn, LDB_SCOPE_BASE, ntds_attrs,
+ "(objectClass=*)");
+ if (ret != LDB_SUCCESS) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ if (ntds_res->count != 1) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ repl_epoch = ldb_msg_find_attr_as_uint(ntds_res->msgs[0],
+ "ms-DS-ReplicationEpoch", 0);
+
+ /*
+ * The "process identifier" of the client.
+ * According to the WSPP docs, sectin 5.35, this is
+ * for informational and debugging purposes only.
+ * The assignment is implementation specific.
+ */
+ pid = 0;
+
+ /*
+ * store the clients bind_guid
+ */
+ if (r->in.bind_guid) {
+ b_state->remote_bind_guid = *r->in.bind_guid;
+ }
+
+ /*
+ * store the clients bind_info
+ */
+ if (r->in.bind_info) {
+ b_state->remote_info = r->in.bind_info;
+ }
+
+ /*
+ * fill in our local bind info
+ */
+ local_info = talloc_zero(mem_ctx, struct drsuapi_DsBindInfoCtr);
+ W_ERROR_HAVE_NO_MEMORY(local_info);
+
+ /*
+ * Fill in supported extensions
+ */
+ supported_extensions = 0;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_BASE;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2;
+#if 0 /* we don't support MSZIP compression (only decompression) */
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS;
+#endif
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V5;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7;
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT;
+#if 0 /* we don't support XPRESS compression yet */
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS;
+#endif
+ supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10;
+
+ /*
+ * There is a chance for r->in.bind_info == NULL
+ * Currently we don't care, since it seems to be used nowhere else.
+ * But we need a request length. So use 28 as default.
+ */
+ req_length = 28;
+ if (r->in.bind_info) {
+ req_length = r->in.bind_info->length;
+ }
+
+ /*
+ * fill 28 or 48 info, depends on request
+ */
+ if (req_length < 48) {
+ local_info->length = 28;
+ local_info->info.info28.supported_extensions = supported_extensions;
+ local_info->info.info28.site_guid = site_guid;
+ local_info->info.info28.pid = pid;
+ local_info->info.info28.repl_epoch = repl_epoch;
+ } else {
+ local_info->length = 48;
+ local_info->info.info48.supported_extensions = supported_extensions;
+ local_info->info.info48.site_guid = site_guid;
+ local_info->info.info48.pid = pid;
+ local_info->info.info48.repl_epoch = repl_epoch;
+
+ local_info->info.info48.supported_extensions_ext = 0;
+ local_info->info.info48.supported_extensions_ext |= DRSUAPI_SUPPORTED_EXTENSION_LH_BETA2;
+
+ /*
+ * find out the guid of our own site
+ */
+ config_dn = ldb_get_config_basedn(b_state->sam_ctx);
+ W_ERROR_HAVE_NO_MEMORY(config_dn);
+
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &config_res,
+ config_dn, LDB_SCOPE_BASE, config_attrs,
+ "(objectClass=*)");
+ if (ret != LDB_SUCCESS) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ if (config_res->count != 1) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ config_guid = samdb_result_guid(config_res->msgs[0], "objectGUID");
+ local_info->info.info48.config_dn_guid = config_guid;
+ }
+
+ /*
+ * set local_info
+ */
+ b_state->local_info = local_info;
+
+ /*
+ * set bind_info
+ */
+ bind_info = local_info;
+
+ /*
+ * allocate a bind handle
+ */
+ handle = dcesrv_handle_create(dce_call, DRSUAPI_BIND_HANDLE);
+ W_ERROR_HAVE_NO_MEMORY(handle);
+ handle->data = talloc_steal(handle, b_state);
+
+ /*
+ * prepare reply
+ */
+ r->out.bind_info = bind_info;
+ *r->out.bind_handle = handle->wire_handle;
+
+ return WERR_OK;
+}
+
+
+/*
+ drsuapi_DsUnbind
+*/
+static WERROR dcesrv_drsuapi_DsUnbind(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsUnbind *r)
+{
+ struct dcesrv_handle *h;
+
+ *r->out.bind_handle = *r->in.bind_handle;
+
+ DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
+
+ talloc_free(h);
+
+ ZERO_STRUCTP(r->out.bind_handle);
+
+ return WERR_OK;
+}
+
+
+/*
+ drsuapi_DsReplicaSync
+*/
+static WERROR dcesrv_drsuapi_DsReplicaSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsReplicaSync *r)
+{
+ WERROR status;
+ uint32_t timeout;
+
+ status = drs_security_level_check(dce_call, "DsReplicaSync", SECURITY_DOMAIN_CONTROLLER, NULL);
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
+ }
+
+ if (r->in.level != 1) {
+ DEBUG(0,("DsReplicaSync called with unsupported level %d\n", r->in.level));
+ return WERR_DS_DRA_INVALID_PARAMETER;
+ }
+
+ if (r->in.req->req1.options & DRSUAPI_DRS_ASYNC_OP) {
+ timeout = IRPC_CALL_TIMEOUT;
+ } else {
+ /*
+ * use Infinite time for timeout in case
+ * the caller made a sync call
+ */
+ timeout = IRPC_CALL_TIMEOUT_INF;
+ }
+
+ dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx,
+ r, NDR_DRSUAPI_DSREPLICASYNC,
+ &ndr_table_drsuapi,
+ "dreplsrv", "DsReplicaSync",
+ timeout);
+
+ return WERR_OK;
+}
+
+
+/*
+ drsuapi_DsReplicaAdd
+*/
+static WERROR dcesrv_drsuapi_DsReplicaAdd(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsReplicaAdd *r)
+{
+ WERROR status;
+
+ status = drs_security_level_check(dce_call, "DsReplicaAdd", SECURITY_DOMAIN_CONTROLLER, NULL);
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
+ }
+
+ dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx,
+ r, NDR_DRSUAPI_DSREPLICAADD,
+ &ndr_table_drsuapi,
+ "dreplsrv", "DsReplicaAdd",
+ IRPC_CALL_TIMEOUT);
+
+ return WERR_OK;
+}
+
+
+/*
+ drsuapi_DsReplicaDel
+*/
+static WERROR dcesrv_drsuapi_DsReplicaDel(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsReplicaDel *r)
+{
+ WERROR status;
+
+ status = drs_security_level_check(dce_call, "DsReplicaDel", SECURITY_DOMAIN_CONTROLLER, NULL);
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
+ }
+
+ dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx,
+ r, NDR_DRSUAPI_DSREPLICADEL,
+ &ndr_table_drsuapi,
+ "dreplsrv", "DsReplicaDel",
+ IRPC_CALL_TIMEOUT);
+
+ return WERR_OK;
+}
+
+
+/*
+ drsuapi_DsReplicaModify
+*/
+static WERROR dcesrv_drsuapi_DsReplicaMod(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsReplicaMod *r)
+{
+ WERROR status;
+
+ status = drs_security_level_check(dce_call, "DsReplicaMod", SECURITY_DOMAIN_CONTROLLER, NULL);
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
+ }
+
+ dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx,
+ r, NDR_DRSUAPI_DSREPLICAMOD,
+ &ndr_table_drsuapi,
+ "dreplsrv", "DsReplicaMod",
+ IRPC_CALL_TIMEOUT);
+
+ return WERR_OK;
+}
+
+
+/*
+ DRSUAPI_VERIFY_NAMES
+*/
+static WERROR dcesrv_DRSUAPI_VERIFY_NAMES(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct DRSUAPI_VERIFY_NAMES *r)
+{
+ DRSUAPI_UNSUPPORTED(DRSUAPI_VERIFY_NAMES);
+}
+
+
+/*
+ drsuapi_DsGetMemberships
+*/
+static WERROR dcesrv_drsuapi_DsGetMemberships(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsGetMemberships *r)
+{
+ DRSUAPI_UNSUPPORTED(drsuapi_DsGetMemberships);
+}
+
+
+/*
+ DRSUAPI_INTER_DOMAIN_MOVE
+*/
+static WERROR dcesrv_DRSUAPI_INTER_DOMAIN_MOVE(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct DRSUAPI_INTER_DOMAIN_MOVE *r)
+{
+ DRSUAPI_UNSUPPORTED(DRSUAPI_INTER_DOMAIN_MOVE);
+}
+
+
+/*
+ drsuapi_DsGetNT4ChangeLog
+*/
+static WERROR dcesrv_drsuapi_DsGetNT4ChangeLog(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsGetNT4ChangeLog *r)
+{
+ DRSUAPI_UNSUPPORTED(drsuapi_DsGetNT4ChangeLog);
+}
+
+/*
+ drsuapi_DsCrackNames
+*/
+static WERROR dcesrv_drsuapi_DsCrackNames(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsCrackNames *r)
+{
+ struct drsuapi_bind_state *b_state;
+ struct dcesrv_handle *h;
+
+ *r->out.level_out = r->in.level;
+
+ DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
+ b_state = h->data;
+
+ r->out.ctr = talloc_zero(mem_ctx, union drsuapi_DsNameCtr);
+ W_ERROR_HAVE_NO_MEMORY(r->out.ctr);
+
+ switch (r->in.level) {
+ case 1: {
+ switch(r->in.req->req1.format_offered){
+ case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT_NAME_SANS_DOMAIN_EX:
+ case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT_NAME_SANS_DOMAIN:
+ case DRSUAPI_DS_NAME_FORMAT_STRING_SID_NAME:
+ case DRSUAPI_DS_NAME_FORMAT_ALT_SECURITY_IDENTITIES_NAME:
+ case DRSUAPI_DS_NAME_FORMAT_MAP_SCHEMA_GUID:
+ case DRSUAPI_DS_NAME_FORMAT_LIST_NCS:
+ case DRSUAPI_DS_NAME_FORMAT_LIST_DOMAINS:
+ case DRSUAPI_DS_NAME_FORMAT_LIST_GLOBAL_CATALOG_SERVERS:
+ case DRSUAPI_DS_NAME_FORMAT_LIST_SERVERS_WITH_DCS_IN_SITE:
+ case DRSUAPI_DS_NAME_FORMAT_LIST_SERVERS_FOR_DOMAIN_IN_SITE:
+ case DRSUAPI_DS_NAME_FORMAT_LIST_DOMAINS_IN_SITE:
+ case DRSUAPI_DS_NAME_FORMAT_LIST_SERVERS_IN_SITE:
+ case DRSUAPI_DS_NAME_FORMAT_LIST_SITES:
+ case DRSUAPI_DS_NAME_FORMAT_UPN_AND_ALTSECID:
+ case DRSUAPI_DS_NAME_FORMAT_UPN_FOR_LOGON:
+ DEBUG(0, ("DsCrackNames: Unsupported operation requested: %X",
+ r->in.req->req1.format_offered));
+ return WERR_OK;
+ case DRSUAPI_DS_NAME_FORMAT_LIST_INFO_FOR_SERVER:
+ return dcesrv_drsuapi_ListInfoServer(b_state->sam_ctx, mem_ctx, &r->in.req->req1, &r->out.ctr->ctr1);
+ case DRSUAPI_DS_NAME_FORMAT_LIST_ROLES:
+ return dcesrv_drsuapi_ListRoles(b_state->sam_ctx, mem_ctx,
+ &r->in.req->req1, &r->out.ctr->ctr1);
+ default:/* format_offered is in the enum drsuapi_DsNameFormat*/
+ return dcesrv_drsuapi_CrackNamesByNameFormat(b_state->sam_ctx, mem_ctx,
+ &r->in.req->req1, &r->out.ctr->ctr1);
+ }
+ }
+ }
+ return WERR_INVALID_LEVEL;
+}
+
+
+/*
+ drsuapi_DsRemoveDSServer
+*/
+static WERROR dcesrv_drsuapi_DsRemoveDSServer(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsRemoveDSServer *r)
+{
+ struct drsuapi_bind_state *b_state;
+ struct dcesrv_handle *h;
+ struct ldb_dn *ntds_dn;
+ int ret;
+ bool ok;
+ WERROR status;
+
+ *r->out.level_out = 1;
+
+ status = drs_security_level_check(dce_call, "DsRemoveDSServer", SECURITY_DOMAIN_CONTROLLER, NULL);
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
+ }
+
+ DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
+ b_state = h->data;
+
+ switch (r->in.level) {
+ case 1:
+ ntds_dn = ldb_dn_new(mem_ctx, b_state->sam_ctx, r->in.req->req1.server_dn);
+ W_ERROR_HAVE_NO_MEMORY(ntds_dn);
+
+ ok = ldb_dn_validate(ntds_dn);
+ if (!ok) {
+ return WERR_FOOBAR;
+ }
+
+ /* TODO: it's likely that we need more checks here */
+
+ ok = ldb_dn_add_child_fmt(ntds_dn, "CN=NTDS Settings");
+ if (!ok) {
+ return WERR_FOOBAR;
+ }
+
+ if (r->in.req->req1.commit) {
+ ret = dsdb_delete(b_state->sam_ctx, ntds_dn, DSDB_TREE_DELETE);
+ if (ret != LDB_SUCCESS) {
+ return WERR_FOOBAR;
+ }
+ }
+
+ return WERR_OK;
+ default:
+ break;
+ }
+
+ return WERR_FOOBAR;
+}
+
+
+/*
+ DRSUAPI_REMOVE_DS_DOMAIN
+*/
+static WERROR dcesrv_DRSUAPI_REMOVE_DS_DOMAIN(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct DRSUAPI_REMOVE_DS_DOMAIN *r)
+{
+ DRSUAPI_UNSUPPORTED(DRSUAPI_REMOVE_DS_DOMAIN);
+}
+
+/* Obtain the site name from a server DN */
+static const char *result_site_name(struct ldb_dn *server_dn)
+{
+ /* Format is cn=<NETBIOS name>,cn=Servers,cn=<site>,cn=sites.... */
+ const struct ldb_val *val = ldb_dn_get_component_val(server_dn, 2);
+ const char *name = ldb_dn_get_component_name(server_dn, 2);
+
+ if (!name || (ldb_attr_cmp(name, "cn") != 0)) {
+ /* Ensure this matches the format. This gives us a
+ * bit more confidence that a 'cn' value will be a
+ * ascii string */
+ return NULL;
+ }
+ if (val) {
+ return (char *)val->data;
+ }
+ return NULL;
+}
+
+/*
+ drsuapi_DsGetDomainControllerInfo
+*/
+static WERROR dcesrv_drsuapi_DsGetDomainControllerInfo_1(struct drsuapi_bind_state *b_state,
+ TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsGetDomainControllerInfo *r)
+{
+ struct ldb_dn *sites_dn;
+ struct ldb_result *res;
+
+ const char *attrs_account_1[] = { "cn", "dnsHostName", NULL };
+ const char *attrs_account_2[] = { "cn", "dnsHostName", "objectGUID", NULL };
+
+ const char *attrs_none[] = { NULL };
+
+ const char *attrs_site[] = { "objectGUID", NULL };
+
+ const char *attrs_ntds[] = { "options", "objectGUID", NULL };
+
+ const char *attrs_1[] = { "serverReference", "cn", "dnsHostName", NULL };
+ const char *attrs_2[] = { "serverReference", "cn", "dnsHostName", "objectGUID", NULL };
+ const char **attrs;
+
+ struct drsuapi_DsGetDCInfoCtr1 *ctr1;
+ struct drsuapi_DsGetDCInfoCtr2 *ctr2;
+ struct drsuapi_DsGetDCInfoCtr3 *ctr3;
+
+ int ret;
+ unsigned int i;
+
+ *r->out.level_out = r->in.req->req1.level;
+ r->out.ctr = talloc_zero(mem_ctx, union drsuapi_DsGetDCInfoCtr);
+ W_ERROR_HAVE_NO_MEMORY(r->out.ctr);
+
+ switch (*r->out.level_out) {
+ case -1:
+ /* this level is not like the others */
+ return WERR_INVALID_LEVEL;
+ case 1:
+ attrs = attrs_1;
+ break;
+ case 2:
+ case 3:
+ attrs = attrs_2;
+ break;
+ default:
+ return WERR_INVALID_LEVEL;
+ }
+
+ sites_dn = samdb_sites_dn(b_state->sam_ctx, mem_ctx);
+ if (!sites_dn) {
+ return WERR_DS_OBJ_NOT_FOUND;
+ }
+
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &res, sites_dn, LDB_SCOPE_SUBTREE, attrs,
+ "(&(objectClass=server)(serverReference=*))");
+
+ if (ret) {
+ DEBUG(1, ("searching for servers in sites DN %s failed: %s\n",
+ ldb_dn_get_linearized(sites_dn), ldb_errstring(b_state->sam_ctx)));
+ return WERR_GEN_FAILURE;
+ }
+
+ switch (*r->out.level_out) {
+ case 1:
+ ctr1 = &r->out.ctr->ctr1;
+ ctr1->count = res->count;
+ ctr1->array = talloc_zero_array(mem_ctx,
+ struct drsuapi_DsGetDCInfo1,
+ res->count);
+ for (i=0; i < res->count; i++) {
+ struct ldb_dn *domain_dn;
+ struct ldb_result *res_domain;
+ struct ldb_result *res_account;
+ struct ldb_dn *ntds_dn = ldb_dn_copy(mem_ctx, res->msgs[i]->dn);
+
+ struct ldb_dn *ref_dn
+ = ldb_msg_find_attr_as_dn(b_state->sam_ctx,
+ mem_ctx, res->msgs[i],
+ "serverReference");
+
+ if (!ntds_dn || !ldb_dn_add_child_fmt(ntds_dn, "CN=NTDS Settings")) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_account, ref_dn,
+ LDB_SCOPE_BASE, attrs_account_1,
+ "(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=%u))",
+ UF_SERVER_TRUST_ACCOUNT);
+ if (ret == LDB_SUCCESS && res_account->count == 1) {
+ const char *errstr;
+ ctr1->array[i].dns_name
+ = ldb_msg_find_attr_as_string(res_account->msgs[0], "dNSHostName", NULL);
+ ctr1->array[i].netbios_name
+ = ldb_msg_find_attr_as_string(res_account->msgs[0], "cn", NULL);
+ ctr1->array[i].computer_dn
+ = ldb_dn_get_linearized(res_account->msgs[0]->dn);
+
+ /* Determine if this is the PDC */
+ ret = samdb_search_for_parent_domain(b_state->sam_ctx,
+ mem_ctx, res_account->msgs[0]->dn,
+ &domain_dn, &errstr);
+
+ if (ret == LDB_SUCCESS) {
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_domain, domain_dn,
+ LDB_SCOPE_BASE, attrs_none, "fSMORoleOwner=%s",
+ ldb_dn_get_linearized(ntds_dn));
+ if (ret) {
+ return WERR_GEN_FAILURE;
+ }
+ if (res_domain->count == 1) {
+ ctr1->array[i].is_pdc = true;
+ }
+ }
+ }
+ if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
+ DEBUG(5, ("warning: searching for computer DN %s failed: %s\n",
+ ldb_dn_get_linearized(ref_dn), ldb_errstring(b_state->sam_ctx)));
+ }
+
+ /* Look at server DN and extract site component */
+ ctr1->array[i].site_name = result_site_name(res->msgs[i]->dn);
+ ctr1->array[i].server_dn = ldb_dn_get_linearized(res->msgs[i]->dn);
+
+
+ ctr1->array[i].is_enabled = true;
+
+ }
+ break;
+ case 2:
+ ctr2 = &r->out.ctr->ctr2;
+ ctr2->count = res->count;
+ ctr2->array = talloc_zero_array(mem_ctx,
+ struct drsuapi_DsGetDCInfo2,
+ res->count);
+ for (i=0; i < res->count; i++) {
+ struct ldb_dn *domain_dn;
+ struct ldb_result *res_domain;
+ struct ldb_result *res_account;
+ struct ldb_dn *ntds_dn = ldb_dn_copy(mem_ctx, res->msgs[i]->dn);
+ struct ldb_result *res_ntds;
+ struct ldb_dn *site_dn = ldb_dn_copy(mem_ctx, res->msgs[i]->dn);
+ struct ldb_result *res_site;
+ struct ldb_dn *ref_dn
+ = ldb_msg_find_attr_as_dn(b_state->sam_ctx,
+ mem_ctx, res->msgs[i],
+ "serverReference");
+
+ if (!ntds_dn || !ldb_dn_add_child_fmt(ntds_dn, "CN=NTDS Settings")) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ /* Format is cn=<NETBIOS name>,cn=Servers,cn=<site>,cn=sites.... */
+ if (!site_dn || !ldb_dn_remove_child_components(site_dn, 2)) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_ntds, ntds_dn,
+ LDB_SCOPE_BASE, attrs_ntds, "objectClass=nTDSDSA");
+ if (ret == LDB_SUCCESS && res_ntds->count == 1) {
+ ctr2->array[i].is_gc
+ = (ldb_msg_find_attr_as_uint(res_ntds->msgs[0], "options", 0) & DS_NTDSDSA_OPT_IS_GC);
+ ctr2->array[i].ntds_guid
+ = samdb_result_guid(res_ntds->msgs[0], "objectGUID");
+ ctr2->array[i].ntds_dn = ldb_dn_get_linearized(res_ntds->msgs[0]->dn);
+ }
+ if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
+ DEBUG(5, ("warning: searching for NTDS DN %s failed: %s\n",
+ ldb_dn_get_linearized(ntds_dn), ldb_errstring(b_state->sam_ctx)));
+ }
+
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_site, site_dn,
+ LDB_SCOPE_BASE, attrs_site, "objectClass=site");
+ if (ret == LDB_SUCCESS && res_site->count == 1) {
+ ctr2->array[i].site_guid
+ = samdb_result_guid(res_site->msgs[0], "objectGUID");
+ ctr2->array[i].site_dn = ldb_dn_get_linearized(res_site->msgs[0]->dn);
+ }
+ if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
+ DEBUG(5, ("warning: searching for site DN %s failed: %s\n",
+ ldb_dn_get_linearized(site_dn), ldb_errstring(b_state->sam_ctx)));
+ }
+
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_account, ref_dn,
+ LDB_SCOPE_BASE, attrs_account_2, "objectClass=computer");
+ if (ret == LDB_SUCCESS && res_account->count == 1) {
+ const char *errstr;
+ ctr2->array[i].dns_name
+ = ldb_msg_find_attr_as_string(res_account->msgs[0], "dNSHostName", NULL);
+ ctr2->array[i].netbios_name
+ = ldb_msg_find_attr_as_string(res_account->msgs[0], "cn", NULL);
+ ctr2->array[i].computer_dn = ldb_dn_get_linearized(res_account->msgs[0]->dn);
+ ctr2->array[i].computer_guid
+ = samdb_result_guid(res_account->msgs[0], "objectGUID");
+
+ /* Determine if this is the PDC */
+ ret = samdb_search_for_parent_domain(b_state->sam_ctx,
+ mem_ctx, res_account->msgs[0]->dn,
+ &domain_dn, &errstr);
+
+ if (ret == LDB_SUCCESS) {
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_domain, domain_dn,
+ LDB_SCOPE_BASE, attrs_none, "fSMORoleOwner=%s",
+ ldb_dn_get_linearized(ntds_dn));
+ if (ret == LDB_SUCCESS && res_domain->count == 1) {
+ ctr2->array[i].is_pdc = true;
+ }
+ if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
+ DEBUG(5, ("warning: searching for domain DN %s failed: %s\n",
+ ldb_dn_get_linearized(domain_dn), ldb_errstring(b_state->sam_ctx)));
+ }
+ }
+ }
+ if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
+ DEBUG(5, ("warning: searching for computer account DN %s failed: %s\n",
+ ldb_dn_get_linearized(ref_dn), ldb_errstring(b_state->sam_ctx)));
+ }
+
+ /* Look at server DN and extract site component */
+ ctr2->array[i].site_name = result_site_name(res->msgs[i]->dn);
+ ctr2->array[i].server_dn = ldb_dn_get_linearized(res->msgs[i]->dn);
+ ctr2->array[i].server_guid
+ = samdb_result_guid(res->msgs[i], "objectGUID");
+
+ ctr2->array[i].is_enabled = true;
+
+ }
+ break;
+ case 3:
+ ctr3 = &r->out.ctr->ctr3;
+ ctr3->count = res->count;
+ ctr3->array = talloc_zero_array(mem_ctx,
+ struct drsuapi_DsGetDCInfo3,
+ res->count);
+ for (i=0; i<res->count; i++) {
+ struct ldb_dn *domain_dn;
+ struct ldb_result *res_domain;
+ struct ldb_result *res_account;
+ struct ldb_dn *ntds_dn = ldb_dn_copy(mem_ctx, res->msgs[i]->dn);
+ struct ldb_result *res_ntds;
+ struct ldb_dn *site_dn = ldb_dn_copy(mem_ctx, res->msgs[i]->dn);
+ struct ldb_result *res_site;
+ bool is_rodc;
+ struct ldb_dn *ref_dn
+ = ldb_msg_find_attr_as_dn(b_state->sam_ctx,
+ mem_ctx, res->msgs[i],
+ "serverReference");
+
+ if (!ntds_dn || !ldb_dn_add_child_fmt(ntds_dn, "CN=NTDS Settings")) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ /* Format is cn=<NETBIOS name>,cn=Servers,cn=<site>,cn=sites.... */
+ if (!site_dn || !ldb_dn_remove_child_components(site_dn, 2)) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_ntds, ntds_dn,
+ LDB_SCOPE_BASE, attrs_ntds, "objectClass=nTDSDSA");
+ if (ret == LDB_SUCCESS && res_ntds->count == 1) {
+ ctr3->array[i].is_gc
+ = (ldb_msg_find_attr_as_uint(res_ntds->msgs[0], "options", 0) & DS_NTDSDSA_OPT_IS_GC);
+ ctr3->array[i].ntds_guid
+ = samdb_result_guid(res_ntds->msgs[0], "objectGUID");
+ ctr3->array[i].ntds_dn = ldb_dn_get_linearized(res_ntds->msgs[0]->dn);
+ }
+ if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
+ DEBUG(5, ("warning: searching for NTDS DN %s failed: %s\n",
+ ldb_dn_get_linearized(ntds_dn), ldb_errstring(b_state->sam_ctx)));
+ }
+
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_site, site_dn,
+ LDB_SCOPE_BASE, attrs_site, "objectClass=site");
+ if (ret == LDB_SUCCESS && res_site->count == 1) {
+ ctr3->array[i].site_guid
+ = samdb_result_guid(res_site->msgs[0], "objectGUID");
+ ctr3->array[i].site_dn = ldb_dn_get_linearized(res_site->msgs[0]->dn);
+ }
+ if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
+ DEBUG(5, ("warning: searching for site DN %s failed: %s\n",
+ ldb_dn_get_linearized(site_dn), ldb_errstring(b_state->sam_ctx)));
+ }
+
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_account, ref_dn,
+ LDB_SCOPE_BASE, attrs_account_2, "objectClass=computer");
+ if (ret == LDB_SUCCESS && res_account->count == 1) {
+ const char *errstr;
+ ctr3->array[i].dns_name
+ = ldb_msg_find_attr_as_string(res_account->msgs[0], "dNSHostName", NULL);
+ ctr3->array[i].netbios_name
+ = ldb_msg_find_attr_as_string(res_account->msgs[0], "cn", NULL);
+ ctr3->array[i].computer_dn = ldb_dn_get_linearized(res_account->msgs[0]->dn);
+ ctr3->array[i].computer_guid
+ = samdb_result_guid(res_account->msgs[0], "objectGUID");
+
+ /* Determine if this is the PDC */
+ ret = samdb_search_for_parent_domain(b_state->sam_ctx,
+ mem_ctx, res_account->msgs[0]->dn,
+ &domain_dn, &errstr);
+
+ if (ret == LDB_SUCCESS) {
+ ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_domain, domain_dn,
+ LDB_SCOPE_BASE, attrs_none, "fSMORoleOwner=%s",
+ ldb_dn_get_linearized(ntds_dn));
+ if (ret == LDB_SUCCESS && res_domain->count == 1) {
+ ctr3->array[i].is_pdc = true;
+ }
+ if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
+ DEBUG(5, ("warning: searching for domain DN %s failed: %s\n",
+ ldb_dn_get_linearized(domain_dn), ldb_errstring(b_state->sam_ctx)));
+ }
+ }
+ }
+ if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
+ DEBUG(5, ("warning: searching for computer account DN %s failed: %s\n",
+ ldb_dn_get_linearized(ref_dn), ldb_errstring(b_state->sam_ctx)));
+ }
+
+ /* Look at server DN and extract site component */
+ ctr3->array[i].site_name = result_site_name(res->msgs[i]->dn);
+ ctr3->array[i].server_dn = ldb_dn_get_linearized(res->msgs[i]->dn);
+ ctr3->array[i].server_guid
+ = samdb_result_guid(res->msgs[i], "objectGUID");
+
+ ctr3->array[i].is_enabled = true;
+
+ /* rodc? */
+ ret = samdb_is_rodc(b_state->sam_ctx, &ctr3->array[i].server_guid, &is_rodc);
+ if (ret == LDB_SUCCESS && is_rodc) {
+ ctr3->array[i].is_rodc = true;
+ }
+ }
+ break;
+ default:
+ return WERR_INVALID_LEVEL;
+ }
+ return WERR_OK;
+}
+
+/*
+ drsuapi_DsGetDomainControllerInfo
+*/
+static WERROR dcesrv_drsuapi_DsGetDomainControllerInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsGetDomainControllerInfo *r)
+{
+ struct dcesrv_handle *h;
+ struct drsuapi_bind_state *b_state;
+ DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
+ b_state = h->data;
+
+ switch (r->in.level) {
+ case 1:
+ return dcesrv_drsuapi_DsGetDomainControllerInfo_1(b_state, mem_ctx, r);
+ }
+
+ return WERR_INVALID_LEVEL;
+}
+
+
+
+/*
+ drsuapi_DsExecuteKCC
+*/
+static WERROR dcesrv_drsuapi_DsExecuteKCC(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsExecuteKCC *r)
+{
+ WERROR status;
+ uint32_t timeout;
+ status = drs_security_level_check(dce_call, "DsExecuteKCC", SECURITY_DOMAIN_CONTROLLER, NULL);
+
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
+ }
+ if (r->in.req->ctr1.taskID != 0) {
+ return WERR_INVALID_PARAMETER;
+ }
+ if (r->in.req->ctr1.flags & DRSUAPI_DS_EXECUTE_KCC_ASYNCHRONOUS_OPERATION) {
+ timeout = IRPC_CALL_TIMEOUT;
+ } else {
+ /*
+ * use Infinite time for timeout in case
+ * the caller made a sync call
+ */
+ timeout = IRPC_CALL_TIMEOUT_INF;
+ }
+
+ dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx, r, NDR_DRSUAPI_DSEXECUTEKCC,
+ &ndr_table_drsuapi, "kccsrv", "DsExecuteKCC",
+ timeout);
+ DEBUG(10, ("Forwarded the call to execute the KCC\n"));
+ return WERR_OK;
+}
+
+
+/*
+ drsuapi_DsReplicaGetInfo
+*/
+static WERROR dcesrv_drsuapi_DsReplicaGetInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsReplicaGetInfo *r)
+{
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
+ enum security_user_level level;
+
+ if (!lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
+ "drs", "disable_sec_check", false)) {
+ level = security_session_user_level(session_info, NULL);
+ if (level < SECURITY_DOMAIN_CONTROLLER) {
+ DEBUG(1,(__location__ ": Administrator access required for DsReplicaGetInfo\n"));
+ security_token_debug(DBGC_DRS_REPL, 2,
+ session_info->security_token);
+ return WERR_DS_DRA_ACCESS_DENIED;
+ }
+ }
+
+ dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx, r, NDR_DRSUAPI_DSREPLICAGETINFO,
+ &ndr_table_drsuapi, "kccsrv", "DsReplicaGetInfo",
+ IRPC_CALL_TIMEOUT);
+
+ return WERR_OK;
+}
+
+
+/*
+ DRSUAPI_ADD_SID_HISTORY
+*/
+static WERROR dcesrv_DRSUAPI_ADD_SID_HISTORY(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct DRSUAPI_ADD_SID_HISTORY *r)
+{
+ DRSUAPI_UNSUPPORTED(DRSUAPI_ADD_SID_HISTORY);
+}
+
+/*
+ drsuapi_DsGetMemberships2
+*/
+static WERROR dcesrv_drsuapi_DsGetMemberships2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsGetMemberships2 *r)
+{
+ DRSUAPI_UNSUPPORTED(drsuapi_DsGetMemberships2);
+}
+
+/*
+ DRSUAPI_REPLICA_VERIFY_OBJECTS
+*/
+static WERROR dcesrv_DRSUAPI_REPLICA_VERIFY_OBJECTS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct DRSUAPI_REPLICA_VERIFY_OBJECTS *r)
+{
+ DRSUAPI_UNSUPPORTED(DRSUAPI_REPLICA_VERIFY_OBJECTS);
+}
+
+
+/*
+ DRSUAPI_GET_OBJECT_EXISTENCE
+*/
+static WERROR dcesrv_DRSUAPI_GET_OBJECT_EXISTENCE(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct DRSUAPI_GET_OBJECT_EXISTENCE *r)
+{
+ DRSUAPI_UNSUPPORTED(DRSUAPI_GET_OBJECT_EXISTENCE);
+}
+
+
+/*
+ drsuapi_QuerySitesByCost
+*/
+static WERROR dcesrv_drsuapi_QuerySitesByCost(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_QuerySitesByCost *r)
+{
+ DRSUAPI_UNSUPPORTED(drsuapi_QuerySitesByCost);
+}
+
+
+/* include the generated boilerplate */
+#include "librpc/gen_ndr/ndr_drsuapi_s.c"
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
new file mode 100644
index 0000000..18ac997
--- /dev/null
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
@@ -0,0 +1,84 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ endpoint server for the drsuapi pipe
+
+ Copyright (C) Stefan Metzmacher 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ this type allows us to distinguish handle types
+*/
+enum drsuapi_handle {
+ DRSUAPI_BIND_HANDLE,
+};
+
+/*
+ state asscoiated with a drsuapi_DsBind*() operation
+*/
+struct drsuapi_bind_state {
+ struct ldb_context *sam_ctx;
+ struct ldb_context *sam_ctx_system;
+ struct GUID remote_bind_guid;
+ struct drsuapi_DsBindInfoCtr *remote_info;
+ struct drsuapi_DsBindInfoCtr *local_info;
+ struct drsuapi_getncchanges_state *getncchanges_full_repl_state;
+};
+
+
+/* prototypes of internal functions */
+WERROR drsuapi_UpdateRefs(struct imessaging_context *msg_ctx,
+ struct tevent_context *event_ctx,
+ struct drsuapi_bind_state *b_state, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsReplicaUpdateRefsRequest1 *req);
+WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsReplicaUpdateRefs *r);
+WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsGetNCChanges *r);
+WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsAddEntry *r);
+WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsWriteAccountSpn *r);
+
+char *drs_ObjectIdentifier_to_string(TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsReplicaObjectIdentifier *nc);
+
+int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
+ TALLOC_CTX *mem_ctx,
+ struct ldb_result **_res,
+ struct ldb_dn *basedn,
+ enum ldb_scope scope,
+ const char * const *attrs,
+ const char *filter);
+
+WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
+ const char* call, enum security_user_level minimum_level,
+ const struct dom_sid *domain_sid);
+
+void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
+ struct drsuapi_DsReplicaMetaData *meta_data);
+
+WERROR drs_security_access_check(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct security_token *token,
+ struct drsuapi_DsReplicaObjectIdentifier *nc,
+ const char *ext_right);
+
+WERROR drs_security_access_check_nc_root(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct security_token *token,
+ struct drsuapi_DsReplicaObjectIdentifier *nc,
+ const char *ext_right);
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
new file mode 100644
index 0000000..48423bb
--- /dev/null
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -0,0 +1,237 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ useful utilities for the DRS server
+
+ Copyright (C) Andrew Tridgell 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "rpc_server/dcerpc_server.h"
+#include "dsdb/samdb/samdb.h"
+#include "libcli/security/security.h"
+#include "libcli/security/session.h"
+#include "param/param.h"
+#include "auth/session.h"
+#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_DRS_REPL
+
+int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
+ TALLOC_CTX *mem_ctx,
+ struct ldb_result **_res,
+ struct ldb_dn *basedn,
+ enum ldb_scope scope,
+ const char * const *attrs,
+ const char *filter)
+{
+ int ret;
+ struct ldb_request *req;
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_result *res;
+
+ tmp_ctx = talloc_new(mem_ctx);
+
+ res = talloc_zero(tmp_ctx, struct ldb_result);
+ if (!res) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ ret = ldb_build_search_req(&req, ldb, tmp_ctx,
+ basedn,
+ scope,
+ filter,
+ attrs,
+ NULL,
+ res,
+ ldb_search_default_callback,
+ NULL);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+
+ ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_RECYCLED_OID, true, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = ldb_request(ldb, req);
+ if (ret == LDB_SUCCESS) {
+ ret = ldb_wait(req->handle, LDB_WAIT_ALL);
+ }
+
+ talloc_free(req);
+ *_res = talloc_steal(mem_ctx, res);
+ return ret;
+}
+
+WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
+ const char* call,
+ enum security_user_level minimum_level,
+ const struct dom_sid *domain_sid)
+{
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
+ enum security_user_level level;
+
+ if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
+ "drs", "disable_sec_check", false)) {
+ return WERR_OK;
+ }
+
+ level = security_session_user_level(session_info, domain_sid);
+ if (level < minimum_level) {
+ if (call) {
+ DEBUG(0,("%s refused for security token (level=%u)\n",
+ call, (unsigned)level));
+ security_token_debug(DBGC_DRS_REPL, 2, session_info->security_token);
+ }
+ return WERR_DS_DRA_ACCESS_DENIED;
+ }
+
+ return WERR_OK;
+}
+
+void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
+ struct drsuapi_DsReplicaMetaData *meta_data)
+{
+ if (attr->value_ctr.num_values == 0) {
+ return;
+ }
+
+ switch (attr->attid) {
+ case DRSUAPI_ATTID_dBCSPwd:
+ case DRSUAPI_ATTID_unicodePwd:
+ case DRSUAPI_ATTID_ntPwdHistory:
+ case DRSUAPI_ATTID_lmPwdHistory:
+ case DRSUAPI_ATTID_supplementalCredentials:
+ case DRSUAPI_ATTID_priorValue:
+ case DRSUAPI_ATTID_currentValue:
+ case DRSUAPI_ATTID_trustAuthOutgoing:
+ case DRSUAPI_ATTID_trustAuthIncoming:
+ case DRSUAPI_ATTID_initialAuthOutgoing:
+ case DRSUAPI_ATTID_initialAuthIncoming:
+ /*set value to null*/
+ attr->value_ctr.num_values = 0;
+ talloc_free(attr->value_ctr.values);
+ attr->value_ctr.values = NULL;
+ meta_data->originating_change_time = 0;
+ return;
+ default:
+ return;
+ }
+}
+
+
+/*
+ check security on a DN, with logging of errors
+ */
+static WERROR drs_security_access_check_log(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct security_token *token,
+ struct ldb_dn *dn,
+ const char *ext_right)
+{
+ int ret;
+ if (!dn) {
+ DEBUG(3,("drs_security_access_check: Null dn provided, access is denied for %s\n",
+ ext_right));
+ return WERR_DS_DRA_ACCESS_DENIED;
+ }
+ ret = dsdb_check_access_on_dn(sam_ctx,
+ mem_ctx,
+ dn,
+ token,
+ SEC_ADS_CONTROL_ACCESS,
+ ext_right);
+ if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
+ DEBUG(3,("%s refused for security token on %s\n",
+ ext_right, ldb_dn_get_linearized(dn)));
+ security_token_debug(DBGC_DRS_REPL, 3, token);
+ return WERR_DS_DRA_ACCESS_DENIED;
+ } else if (ret != LDB_SUCCESS) {
+ DEBUG(1,("Failed to perform access check on %s: %s\n", ldb_dn_get_linearized(dn), ldb_strerror(ret)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ return WERR_OK;
+}
+
+
+/*
+ check security on a object identifier
+ */
+WERROR drs_security_access_check(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct security_token *token,
+ struct drsuapi_DsReplicaObjectIdentifier *nc,
+ const char *ext_right)
+{
+ struct ldb_dn *dn;
+ WERROR werr;
+ int ret;
+
+ ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx,
+ sam_ctx,
+ nc,
+ &dn,
+ NULL);
+ if (ret != LDB_SUCCESS) {
+ return WERR_DS_DRA_BAD_DN;
+ }
+
+ werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, dn, ext_right);
+ talloc_free(dn);
+ return werr;
+}
+
+/*
+ check security on the NC root of a object identifier
+ */
+WERROR drs_security_access_check_nc_root(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct security_token *token,
+ struct drsuapi_DsReplicaObjectIdentifier *nc,
+ const char *ext_right)
+{
+ struct ldb_dn *nc_root;
+ WERROR werr;
+ int ret;
+
+ ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx,
+ sam_ctx,
+ nc,
+ NULL,
+ &nc_root);
+ if (ret != LDB_SUCCESS) {
+ return WERR_DS_DRA_BAD_NC;
+ }
+
+ werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, nc_root, ext_right);
+ talloc_free(nc_root);
+ return werr;
+}
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
new file mode 100644
index 0000000..8864e79
--- /dev/null
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -0,0 +1,3861 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ implement the DSGetNCChanges call
+
+ Copyright (C) Anatoliy Atanasov 2009
+ Copyright (C) Andrew Tridgell 2009-2010
+ Copyright (C) Andrew Bartlett 2010-2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "rpc_server/dcerpc_server.h"
+#include "dsdb/samdb/samdb.h"
+#include "param/param.h"
+#include "librpc/gen_ndr/ndr_drsblobs.h"
+#include "librpc/gen_ndr/ndr_drsuapi.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/security.h"
+#include "libcli/security/session.h"
+#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "../libcli/drsuapi/drsuapi.h"
+#include "lib/util/binsearch.h"
+#include "lib/util/tsort.h"
+#include "auth/session.h"
+#include "dsdb/common/util.h"
+#include "lib/dbwrap/dbwrap.h"
+#include "lib/dbwrap/dbwrap_rbt.h"
+#include "librpc/gen_ndr/ndr_misc.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_DRS_REPL
+
+#define DRS_GUID_SIZE 16
+#define DEFAULT_MAX_OBJECTS 1000
+#define DEFAULT_MAX_LINKS 1500
+
+/*
+ * state of a partially-completed replication cycle. This state persists
+ * over multiple calls to dcesrv_drsuapi_DsGetNCChanges()
+ */
+struct drsuapi_getncchanges_state {
+ struct db_context *obj_cache;
+ struct GUID *guids;
+ uint32_t num_records;
+ uint32_t num_processed;
+ struct ldb_dn *ncRoot_dn;
+ struct GUID ncRoot_guid;
+ bool is_schema_nc;
+ bool is_get_anc;
+ bool broken_samba_4_5_get_anc_emulation;
+ bool is_get_tgt;
+ bool send_nc_root_first;
+ uint64_t min_usn;
+ uint64_t max_usn;
+ struct drsuapi_DsReplicaHighWaterMark last_hwm;
+ struct ldb_dn *last_dn;
+ struct drsuapi_DsReplicaHighWaterMark final_hwm;
+ struct drsuapi_DsReplicaCursor2CtrEx *final_udv;
+ struct drsuapi_DsReplicaLinkedAttribute *la_list;
+ uint32_t la_count;
+ uint32_t la_idx;
+
+ /* these are just used for debugging the replication's progress */
+ uint32_t links_given;
+ uint32_t total_links;
+};
+
+/* We must keep the GUIDs in NDR form for sorting */
+struct la_for_sorting {
+ const struct drsuapi_DsReplicaLinkedAttribute *link;
+ uint8_t target_guid[DRS_GUID_SIZE];
+ uint8_t source_guid[DRS_GUID_SIZE];
+};
+
+/*
+ * stores the state for a chunk of replication data. This state information
+ * only exists for a single call to dcesrv_drsuapi_DsGetNCChanges()
+ */
+struct getncchanges_repl_chunk {
+ uint32_t max_objects;
+ uint32_t max_links;
+ uint32_t tgt_la_count;
+ bool immediate_link_sync;
+ time_t max_wait;
+ time_t start;
+
+ /* stores the objects to be sent in this chunk */
+ uint32_t object_count;
+ struct drsuapi_DsReplicaObjectListItemEx *object_list;
+
+ /* the last object added to this replication chunk */
+ struct drsuapi_DsReplicaObjectListItemEx *last_object;
+};
+
+static int drsuapi_DsReplicaHighWaterMark_cmp(const struct drsuapi_DsReplicaHighWaterMark *h1,
+ const struct drsuapi_DsReplicaHighWaterMark *h2)
+{
+ if (h1->highest_usn < h2->highest_usn) {
+ return -1;
+ } else if (h1->highest_usn > h2->highest_usn) {
+ return 1;
+ } else if (h1->tmp_highest_usn < h2->tmp_highest_usn) {
+ return -1;
+ } else if (h1->tmp_highest_usn > h2->tmp_highest_usn) {
+ return 1;
+ } else if (h1->reserved_usn < h2->reserved_usn) {
+ return -1;
+ } else if (h1->reserved_usn > h2->reserved_usn) {
+ return 1;
+ }
+
+ return 0;
+}
+
+/*
+ build a DsReplicaObjectIdentifier from a ldb msg
+ */
+static struct drsuapi_DsReplicaObjectIdentifier *get_object_identifier(TALLOC_CTX *mem_ctx,
+ const struct ldb_message *msg)
+{
+ struct drsuapi_DsReplicaObjectIdentifier *identifier;
+ struct dom_sid *sid;
+
+ identifier = talloc(mem_ctx, struct drsuapi_DsReplicaObjectIdentifier);
+ if (identifier == NULL) {
+ return NULL;
+ }
+
+ identifier->dn = ldb_dn_alloc_linearized(identifier, msg->dn);
+ identifier->guid = samdb_result_guid(msg, "objectGUID");
+
+ sid = samdb_result_dom_sid(identifier, msg, "objectSid");
+ if (sid) {
+ identifier->sid = *sid;
+ } else {
+ ZERO_STRUCT(identifier->sid);
+ }
+ return identifier;
+}
+
+static int udv_compare(const struct GUID *guid1, struct GUID guid2)
+{
+ return GUID_compare(guid1, &guid2);
+}
+
+/*
+ see if we can filter an attribute using the uptodateness_vector
+ */
+static bool udv_filter(const struct drsuapi_DsReplicaCursorCtrEx *udv,
+ const struct GUID *originating_invocation_id,
+ uint64_t originating_usn)
+{
+ const struct drsuapi_DsReplicaCursor *c;
+ if (udv == NULL) return false;
+ BINARY_ARRAY_SEARCH(udv->cursors, udv->count, source_dsa_invocation_id,
+ originating_invocation_id, udv_compare, c);
+ if (c && originating_usn <= c->highest_usn) {
+ return true;
+ }
+ return false;
+}
+
+static int uint32_t_cmp(uint32_t a1, uint32_t a2)
+{
+ if (a1 == a2) return 0;
+ return a1 > a2 ? 1 : -1;
+}
+
+static int uint32_t_ptr_cmp(uint32_t *a1, uint32_t *a2)
+{
+ if (*a1 == *a2) return 0;
+ return *a1 > *a2 ? 1 : -1;
+}
+
+static WERROR getncchanges_attid_remote_to_local(const struct dsdb_schema *schema,
+ const struct dsdb_syntax_ctx *ctx,
+ enum drsuapi_DsAttributeId remote_attid_as_enum,
+ enum drsuapi_DsAttributeId *local_attid_as_enum,
+ const struct dsdb_attribute **_sa)
+{
+ WERROR werr;
+ const struct dsdb_attribute *sa = NULL;
+
+ if (ctx->pfm_remote == NULL) {
+ DEBUG(7, ("No prefixMap supplied, falling back to local prefixMap.\n"));
+ goto fail;
+ }
+
+ werr = dsdb_attribute_drsuapi_remote_to_local(ctx,
+ remote_attid_as_enum,
+ local_attid_as_enum,
+ _sa);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(3, ("WARNING: Unable to resolve remote attid, falling back to local prefixMap.\n"));
+ goto fail;
+ }
+
+ return werr;
+fail:
+
+ sa = dsdb_attribute_by_attributeID_id(schema, remote_attid_as_enum);
+ if (sa == NULL) {
+ return WERR_DS_DRA_SCHEMA_MISMATCH;
+ } else {
+ if (local_attid_as_enum != NULL) {
+ *local_attid_as_enum = sa->attributeID_id;
+ }
+ if (_sa != NULL) {
+ *_sa = sa;
+ }
+ return WERR_OK;
+ }
+}
+
+static WERROR getncchanges_update_revealed_list(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct ldb_message **msg,
+ struct ldb_dn *object_dn,
+ const struct GUID *object_guid,
+ const struct dsdb_attribute *sa,
+ struct replPropertyMetaData1 *meta_data,
+ struct ldb_message *revealed_users)
+{
+ enum ndr_err_code ndr_err;
+ int ldb_err;
+ char *attr_str = NULL;
+ char *attr_hex = NULL;
+ DATA_BLOB attr_blob;
+ struct ldb_message_element *existing = NULL, *el_add = NULL, *el_del = NULL;
+ const char * const * secret_attributes = ldb_get_opaque(sam_ctx, "LDB_SECRET_ATTRIBUTE_LIST");
+
+ if (!ldb_attr_in_list(secret_attributes,
+ sa->lDAPDisplayName)) {
+ return WERR_OK;
+ }
+
+
+ ndr_err = ndr_push_struct_blob(&attr_blob, mem_ctx, meta_data, (ndr_push_flags_fn_t)ndr_push_replPropertyMetaData1);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ attr_hex = hex_encode_talloc(mem_ctx, attr_blob.data, attr_blob.length);
+ if (attr_hex == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ attr_str = talloc_asprintf(mem_ctx, "B:%zd:%s:%s", attr_blob.length*2, attr_hex, ldb_dn_get_linearized(object_dn));
+ if (attr_str == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ existing = ldb_msg_find_element(revealed_users, "msDS-RevealedUsers");
+ if (existing != NULL) {
+ /* Replace the old value (if one exists) with the current one */
+ struct parsed_dn *link_dns;
+ struct parsed_dn *exact = NULL, *unused = NULL;
+ uint8_t attid[4];
+ DATA_BLOB partial_meta;
+
+ ldb_err = get_parsed_dns_trusted(mem_ctx, existing, &link_dns);
+ if (ldb_err != LDB_SUCCESS) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ /* Construct a partial metadata blob to match on in the DB */
+ SIVAL(attid, 0, sa->attributeID_id);
+ partial_meta.length = 4;
+ partial_meta.data = attid;
+
+ /* Binary search using GUID and attribute id for uniqueness */
+ ldb_err = parsed_dn_find(sam_ctx, link_dns, existing->num_values,
+ object_guid, object_dn,
+ partial_meta, 4,
+ &exact, &unused,
+ DSDB_SYNTAX_BINARY_DN, true);
+
+ if (ldb_err != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed parsed DN find - %s\n",
+ ldb_errstring(sam_ctx)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ if (exact != NULL) {
+ /* Perform some verification of the blob */
+ struct replPropertyMetaData1 existing_meta_data;
+ ndr_err = ndr_pull_struct_blob_all_noalloc(&exact->dsdb_dn->extra_part,
+ &existing_meta_data,
+ (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaData1);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ if (existing_meta_data.attid == sa->attributeID_id) {
+ ldb_err = ldb_msg_add_empty(*msg, "msDS-RevealedUsers", LDB_FLAG_MOD_DELETE, &el_del);
+ if (ldb_err != LDB_SUCCESS) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ el_del->values = talloc_array((*msg)->elements, struct ldb_val, 1);
+ if (el_del->values == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ el_del->values[0] = *exact->v;
+ el_del->num_values = 1;
+ } else {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ }
+ }
+
+ ldb_err = ldb_msg_add_empty(*msg, "msDS-RevealedUsers", LDB_FLAG_MOD_ADD, &el_add);
+ if (ldb_err != LDB_SUCCESS) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ el_add->values = talloc_array((*msg)->elements, struct ldb_val, 1);
+ if (el_add->values == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+
+ }
+
+ el_add->values[0] = data_blob_string_const(attr_str);
+ el_add->num_values = 1;
+
+ return WERR_OK;
+}
+
+/*
+ * This function filter attributes for build_object based on the
+ * uptodatenessvector and partial attribute set.
+ *
+ * Any secret attributes are forced here for REPL_SECRET, and audited at this
+ * point with msDS-RevealedUsers.
+ */
+static WERROR get_nc_changes_filter_attrs(struct drsuapi_DsReplicaObjectListItemEx *obj,
+ struct replPropertyMetaDataBlob md,
+ struct ldb_context *sam_ctx,
+ const struct ldb_message *msg,
+ const struct GUID *guid,
+ uint32_t *count,
+ uint64_t highest_usn,
+ const struct dsdb_attribute *rdn_sa,
+ struct dsdb_schema *schema,
+ struct drsuapi_DsReplicaCursorCtrEx *uptodateness_vector,
+ struct drsuapi_DsPartialAttributeSet *partial_attribute_set,
+ uint32_t *local_pas,
+ uint32_t *attids,
+ bool exop_secret,
+ struct ldb_message **revealed_list_msg,
+ struct ldb_message *existing_revealed_list_msg)
+{
+ uint32_t i, n;
+ WERROR werr;
+ for (n=i=0; i<md.ctr.ctr1.count; i++) {
+ const struct dsdb_attribute *sa;
+ bool force_attribute = false;
+
+ /* if the attribute has not changed, and it is not the
+ instanceType then don't include it */
+ if (md.ctr.ctr1.array[i].local_usn < highest_usn &&
+ !exop_secret &&
+ md.ctr.ctr1.array[i].attid != DRSUAPI_ATTID_instanceType) continue;
+
+ /* don't include the rDN */
+ if (md.ctr.ctr1.array[i].attid == rdn_sa->attributeID_id) continue;
+
+ sa = dsdb_attribute_by_attributeID_id(schema, md.ctr.ctr1.array[i].attid);
+ if (!sa) {
+ DEBUG(0,(__location__ ": Failed to find attribute in schema for attrid %u mentioned in replPropertyMetaData of %s\n",
+ (unsigned int)md.ctr.ctr1.array[i].attid,
+ ldb_dn_get_linearized(msg->dn)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ if (sa->linkID) {
+ struct ldb_message_element *el;
+ el = ldb_msg_find_element(msg, sa->lDAPDisplayName);
+ if (el && el->num_values && dsdb_dn_is_upgraded_link_val(&el->values[0])) {
+ /* don't send upgraded links inline */
+ continue;
+ }
+ }
+
+ if (exop_secret &&
+ !dsdb_attr_in_rodc_fas(sa)) {
+ force_attribute = true;
+ DEBUG(4,("Forcing attribute %s in %s\n",
+ sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn)));
+ werr = getncchanges_update_revealed_list(sam_ctx, obj,
+ revealed_list_msg,
+ msg->dn, guid, sa,
+ &md.ctr.ctr1.array[i],
+ existing_revealed_list_msg);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+ }
+
+ /* filter by uptodateness_vector */
+ if (md.ctr.ctr1.array[i].attid != DRSUAPI_ATTID_instanceType &&
+ !force_attribute &&
+ udv_filter(uptodateness_vector,
+ &md.ctr.ctr1.array[i].originating_invocation_id,
+ md.ctr.ctr1.array[i].originating_usn)) {
+ continue;
+ }
+
+ /* filter by partial_attribute_set */
+ if (partial_attribute_set && !force_attribute) {
+ uint32_t *result = NULL;
+ BINARY_ARRAY_SEARCH_V(local_pas, partial_attribute_set->num_attids, sa->attributeID_id,
+ uint32_t_cmp, result);
+ if (result == NULL) {
+ continue;
+ }
+ }
+
+ obj->meta_data_ctr->meta_data[n].originating_change_time = md.ctr.ctr1.array[i].originating_change_time;
+ obj->meta_data_ctr->meta_data[n].version = md.ctr.ctr1.array[i].version;
+ obj->meta_data_ctr->meta_data[n].originating_invocation_id = md.ctr.ctr1.array[i].originating_invocation_id;
+ obj->meta_data_ctr->meta_data[n].originating_usn = md.ctr.ctr1.array[i].originating_usn;
+ attids[n] = md.ctr.ctr1.array[i].attid;
+
+ n++;
+ }
+
+ *count = n;
+
+ return WERR_OK;
+}
+
+/*
+ drsuapi_DsGetNCChanges for one object
+*/
+static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItemEx *obj,
+ const struct ldb_message *msg,
+ struct ldb_context *sam_ctx,
+ struct drsuapi_getncchanges_state *getnc_state,
+ struct dsdb_schema *schema,
+ DATA_BLOB *session_key,
+ struct drsuapi_DsGetNCChangesRequest10 *req10,
+ bool force_object_return,
+ uint32_t *local_pas,
+ struct ldb_dn *machine_dn,
+ const struct GUID *guid)
+{
+ const struct ldb_val *md_value;
+ uint32_t i, n;
+ struct replPropertyMetaDataBlob md;
+ uint32_t rid = 0;
+ int ldb_err;
+ enum ndr_err_code ndr_err;
+ uint32_t *attids;
+ const char *rdn;
+ const struct dsdb_attribute *rdn_sa;
+ uint64_t uSNChanged;
+ unsigned int instanceType;
+ struct dsdb_syntax_ctx syntax_ctx;
+ struct ldb_result *res = NULL;
+ WERROR werr;
+ int ret;
+ uint32_t replica_flags = req10->replica_flags;
+ struct drsuapi_DsPartialAttributeSet *partial_attribute_set =
+ req10->partial_attribute_set;
+ struct drsuapi_DsReplicaCursorCtrEx *uptodateness_vector =
+ req10->uptodateness_vector;
+ enum drsuapi_DsExtendedOperation extended_op = req10->extended_op;
+ bool is_schema_nc = getnc_state->is_schema_nc;
+ uint64_t highest_usn = getnc_state->min_usn;
+
+ /* make dsdb sytanx context for conversions */
+ dsdb_syntax_ctx_init(&syntax_ctx, sam_ctx, schema);
+ syntax_ctx.is_schema_nc = is_schema_nc;
+
+ uSNChanged = ldb_msg_find_attr_as_uint64(msg, "uSNChanged", 0);
+ instanceType = ldb_msg_find_attr_as_uint(msg, "instanceType", 0);
+ if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
+ obj->is_nc_prefix = true;
+ obj->parent_object_guid = NULL;
+ } else {
+ obj->is_nc_prefix = false;
+ obj->parent_object_guid = talloc(obj, struct GUID);
+ if (obj->parent_object_guid == NULL) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ *obj->parent_object_guid = samdb_result_guid(msg, "parentGUID");
+ if (GUID_all_zero(obj->parent_object_guid)) {
+ DEBUG(0,(__location__ ": missing parentGUID for %s\n",
+ ldb_dn_get_linearized(msg->dn)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ }
+ obj->next_object = NULL;
+
+ md_value = ldb_msg_find_ldb_val(msg, "replPropertyMetaData");
+ if (!md_value) {
+ /* nothing to send */
+ return WERR_OK;
+ }
+
+ if (instanceType & INSTANCE_TYPE_UNINSTANT) {
+ /* don't send uninstantiated objects */
+ return WERR_OK;
+ }
+
+ if (uSNChanged <= highest_usn) {
+ /* nothing to send */
+ return WERR_OK;
+ }
+
+ ndr_err = ndr_pull_struct_blob(md_value, obj, &md,
+ (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ if (md.version != 1) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ rdn = ldb_dn_get_rdn_name(msg->dn);
+ if (rdn == NULL) {
+ DEBUG(0,(__location__ ": No rDN for %s\n", ldb_dn_get_linearized(msg->dn)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ rdn_sa = dsdb_attribute_by_lDAPDisplayName(schema, rdn);
+ if (rdn_sa == NULL) {
+ DEBUG(0,(__location__ ": Can't find dsds_attribute for rDN %s in %s\n",
+ rdn, ldb_dn_get_linearized(msg->dn)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ obj->meta_data_ctr = talloc(obj, struct drsuapi_DsReplicaMetaDataCtr);
+ attids = talloc_array(obj, uint32_t, md.ctr.ctr1.count);
+
+ obj->object.identifier = get_object_identifier(obj, msg);
+ if (obj->object.identifier == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ dom_sid_split_rid(NULL, &obj->object.identifier->sid, NULL, &rid);
+
+ obj->meta_data_ctr->meta_data = talloc_array(obj, struct drsuapi_DsReplicaMetaData, md.ctr.ctr1.count);
+
+ if (extended_op == DRSUAPI_EXOP_REPL_SECRET) {
+ /* Get the existing revealed users for the destination */
+ struct ldb_message *revealed_list_msg = NULL;
+ struct ldb_message *existing_revealed_list_msg = NULL;
+ const char *machine_attrs[] = {
+ "msDS-RevealedUsers",
+ NULL
+ };
+
+ revealed_list_msg = ldb_msg_new(sam_ctx);
+ if (revealed_list_msg == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ revealed_list_msg->dn = machine_dn;
+
+ ret = ldb_transaction_start(sam_ctx);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed transaction start - %s\n",
+ ldb_errstring(sam_ctx)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ ldb_err = dsdb_search_dn(sam_ctx, obj, &res, machine_dn, machine_attrs, DSDB_SEARCH_SHOW_EXTENDED_DN);
+ if (ldb_err != LDB_SUCCESS || res->count != 1) {
+ ldb_transaction_cancel(sam_ctx);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ existing_revealed_list_msg = res->msgs[0];
+
+ werr = get_nc_changes_filter_attrs(obj, md, sam_ctx, msg,
+ guid, &n, highest_usn,
+ rdn_sa, schema,
+ uptodateness_vector,
+ partial_attribute_set, local_pas,
+ attids,
+ true,
+ &revealed_list_msg,
+ existing_revealed_list_msg);
+ if (!W_ERROR_IS_OK(werr)) {
+ ldb_transaction_cancel(sam_ctx);
+ return werr;
+ }
+
+ if (revealed_list_msg != NULL) {
+ ret = ldb_modify(sam_ctx, revealed_list_msg);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to alter revealed links - %s\n",
+ ldb_errstring(sam_ctx)));
+ ldb_transaction_cancel(sam_ctx);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ }
+
+ ret = ldb_transaction_commit(sam_ctx);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed transaction commit - %s\n",
+ ldb_errstring(sam_ctx)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ } else {
+ werr = get_nc_changes_filter_attrs(obj, md, sam_ctx, msg, guid,
+ &n, highest_usn, rdn_sa,
+ schema, uptodateness_vector,
+ partial_attribute_set, local_pas,
+ attids,
+ false,
+ NULL,
+ NULL);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+ }
+
+ /* ignore it if its an empty change. Note that renames always
+ * change the 'name' attribute, so they won't be ignored by
+ * this
+
+ * the force_object_return check is used to force an empty
+ * object return when we timeout in the getncchanges loop.
+ * This allows us to return an empty object, which keeps the
+ * client happy while preventing timeouts
+ */
+ if (n == 0 ||
+ (n == 1 &&
+ attids[0] == DRSUAPI_ATTID_instanceType &&
+ !force_object_return)) {
+ talloc_free(obj->meta_data_ctr);
+ obj->meta_data_ctr = NULL;
+ return WERR_OK;
+ }
+
+ obj->meta_data_ctr->count = n;
+
+ obj->object.flags = DRSUAPI_DS_REPLICA_OBJECT_FROM_MASTER;
+ obj->object.attribute_ctr.num_attributes = obj->meta_data_ctr->count;
+ obj->object.attribute_ctr.attributes = talloc_array(obj, struct drsuapi_DsReplicaAttribute,
+ obj->object.attribute_ctr.num_attributes);
+ if (obj->object.attribute_ctr.attributes == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ /*
+ * Note that the meta_data array and the attributes array must
+ * be the same size and in the same order
+ */
+ for (i=0; i<obj->object.attribute_ctr.num_attributes; i++) {
+ struct ldb_message_element *el;
+ const struct dsdb_attribute *sa;
+
+ sa = dsdb_attribute_by_attributeID_id(schema, attids[i]);
+ if (!sa) {
+ DEBUG(0,("Unable to find attributeID %u in schema\n", attids[i]));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ el = ldb_msg_find_element(msg, sa->lDAPDisplayName);
+ if (el == NULL) {
+ /* this happens for attributes that have been removed */
+ DEBUG(5,("No element '%s' for attributeID %u in message\n",
+ sa->lDAPDisplayName, attids[i]));
+ ZERO_STRUCT(obj->object.attribute_ctr.attributes[i]);
+ obj->object.attribute_ctr.attributes[i].attid =
+ dsdb_attribute_get_attid(sa, syntax_ctx.is_schema_nc);
+ } else {
+ werr = sa->syntax->ldb_to_drsuapi(&syntax_ctx, sa, el, obj,
+ &obj->object.attribute_ctr.attributes[i]);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("Unable to convert %s on %s to DRS object - %s\n",
+ sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn),
+ win_errstr(werr)));
+ return werr;
+ }
+ /* if DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING is set
+ * check if attribute is secret and send a null value
+ */
+ if (replica_flags & DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING) {
+ drsuapi_process_secret_attribute(&obj->object.attribute_ctr.attributes[i],
+ &obj->meta_data_ctr->meta_data[i]);
+ }
+ /* some attributes needs to be encrypted
+ before being sent */
+ werr = drsuapi_encrypt_attribute(obj, session_key, rid,
+ &obj->object.attribute_ctr.attributes[i]);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("Unable to encrypt %s on %s in DRS object - %s\n",
+ sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn),
+ win_errstr(werr)));
+ return werr;
+ }
+ }
+ if (attids[i] != obj->object.attribute_ctr.attributes[i].attid) {
+ DEBUG(0, ("Unable to replicate attribute %s on %s via DRS, incorrect attributeID: "
+ "0x%08x vs 0x%08x "
+ "Run dbcheck!\n",
+ sa->lDAPDisplayName,
+ ldb_dn_get_linearized(msg->dn),
+ attids[i],
+ obj->object.attribute_ctr.attributes[i].attid));
+ return WERR_DS_DATABASE_ERROR;
+ }
+ }
+
+ return WERR_OK;
+}
+
+/*
+ add one linked attribute from an object to the list of linked
+ attributes in a getncchanges request
+ */
+static WERROR get_nc_changes_add_la(TALLOC_CTX *mem_ctx,
+ struct ldb_context *sam_ctx,
+ const struct dsdb_schema *schema,
+ const struct dsdb_attribute *sa,
+ const struct ldb_message *msg,
+ struct dsdb_dn *dsdb_dn,
+ struct drsuapi_DsReplicaLinkedAttribute **la_list,
+ uint32_t *la_count,
+ bool is_schema_nc)
+{
+ struct drsuapi_DsReplicaLinkedAttribute *la;
+ bool active;
+ NTSTATUS status;
+ WERROR werr;
+
+ (*la_list) = talloc_realloc(mem_ctx, *la_list, struct drsuapi_DsReplicaLinkedAttribute, (*la_count)+1);
+ W_ERROR_HAVE_NO_MEMORY(*la_list);
+
+ la = &(*la_list)[*la_count];
+
+ la->identifier = get_object_identifier(*la_list, msg);
+ W_ERROR_HAVE_NO_MEMORY(la->identifier);
+
+ active = (dsdb_dn_rmd_flags(dsdb_dn->dn) & DSDB_RMD_FLAG_DELETED) == 0;
+
+ if (!active) {
+ /* We have to check that the inactive link still point to an existing object */
+ struct GUID guid;
+ struct ldb_dn *tdn;
+ int ret;
+ const char *v;
+
+ v = ldb_msg_find_attr_as_string(msg, "isDeleted", "FALSE");
+ if (strncmp(v, "TRUE", 4) == 0) {
+ /*
+ * Note: we skip the transmition of the deleted link even if the other part used to
+ * know about it because when we transmit the deletion of the object, the link will
+ * be deleted too due to deletion of object where link points and Windows do so.
+ */
+ if (dsdb_functional_level(sam_ctx) >= DS_DOMAIN_FUNCTION_2008_R2) {
+ v = ldb_msg_find_attr_as_string(msg, "isRecycled", "FALSE");
+ /*
+ * On Windows 2008R2 isRecycled is always present even if FL or DL are < FL 2K8R2
+ * if it join an existing domain with deleted objets, it firsts impose to have a
+ * schema with the is-Recycled object and for all deleted objects it adds the isRecycled
+ * either during initial replication or after the getNCChanges.
+ * Behavior of samba has been changed to always have this attribute if it's present in the schema.
+ *
+ * So if FL <2K8R2 isRecycled might be here or not but we don't care, it's meaning less.
+ * If FL >=2K8R2 we are sure that this attribute will be here.
+ * For this kind of forest level we do not return the link if the object is recycled
+ * (isRecycled = true).
+ */
+ if (strncmp(v, "TRUE", 4) == 0) {
+ DEBUG(2, (" object %s is recycled, not returning linked attribute !\n",
+ ldb_dn_get_linearized(msg->dn)));
+ return WERR_OK;
+ }
+ } else {
+ return WERR_OK;
+ }
+ }
+ status = dsdb_get_extended_dn_guid(dsdb_dn->dn, &guid, "GUID");
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,(__location__ " Unable to extract GUID in linked attribute '%s' in '%s'\n",
+ sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn)));
+ return ntstatus_to_werror(status);
+ }
+ ret = dsdb_find_dn_by_guid(sam_ctx, mem_ctx, &guid, 0, &tdn);
+ if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+ DEBUG(2, (" Search of guid %s returned 0 objects, skipping it !\n",
+ GUID_string(mem_ctx, &guid)));
+ return WERR_OK;
+ } else if (ret != LDB_SUCCESS) {
+ DEBUG(0, (__location__ " Search of guid %s failed with error code %d\n",
+ GUID_string(mem_ctx, &guid),
+ ret));
+ return WERR_OK;
+ }
+ }
+ la->attid = dsdb_attribute_get_attid(sa, is_schema_nc);
+ la->flags = active?DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE:0;
+
+ status = dsdb_get_extended_dn_uint32(dsdb_dn->dn, &la->meta_data.version, "RMD_VERSION");
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,(__location__ " No RMD_VERSION in linked attribute '%s' in '%s'\n",
+ sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn)));
+ return ntstatus_to_werror(status);
+ }
+ status = dsdb_get_extended_dn_nttime(dsdb_dn->dn, &la->meta_data.originating_change_time, "RMD_CHANGETIME");
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,(__location__ " No RMD_CHANGETIME in linked attribute '%s' in '%s'\n",
+ sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn)));
+ return ntstatus_to_werror(status);
+ }
+ status = dsdb_get_extended_dn_guid(dsdb_dn->dn, &la->meta_data.originating_invocation_id, "RMD_INVOCID");
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,(__location__ " No RMD_INVOCID in linked attribute '%s' in '%s'\n",
+ sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn)));
+ return ntstatus_to_werror(status);
+ }
+ status = dsdb_get_extended_dn_uint64(dsdb_dn->dn, &la->meta_data.originating_usn, "RMD_ORIGINATING_USN");
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,(__location__ " No RMD_ORIGINATING_USN in linked attribute '%s' in '%s'\n",
+ sa->lDAPDisplayName, ldb_dn_get_linearized(msg->dn)));
+ return ntstatus_to_werror(status);
+ }
+
+ status = dsdb_get_extended_dn_nttime(dsdb_dn->dn, &la->originating_add_time, "RMD_ADDTIME");
+ if (!NT_STATUS_IS_OK(status)) {
+ /* this is possible for upgraded links */
+ la->originating_add_time = la->meta_data.originating_change_time;
+ }
+
+ werr = dsdb_dn_la_to_blob(sam_ctx, sa, schema, *la_list, dsdb_dn, &la->value.blob);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ (*la_count)++;
+ return WERR_OK;
+}
+
+
+/*
+ add linked attributes from an object to the list of linked
+ attributes in a getncchanges request
+ */
+static WERROR get_nc_changes_add_links(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx,
+ bool is_schema_nc,
+ struct dsdb_schema *schema,
+ uint64_t highest_usn,
+ uint32_t replica_flags,
+ const struct ldb_message *msg,
+ struct drsuapi_DsReplicaLinkedAttribute **la_list,
+ uint32_t *la_count,
+ struct drsuapi_DsReplicaCursorCtrEx *uptodateness_vector)
+{
+ unsigned int i;
+ TALLOC_CTX *tmp_ctx = NULL;
+ uint64_t uSNChanged = ldb_msg_find_attr_as_uint64(msg, "uSNChanged", 0);
+ bool is_critical = ldb_msg_find_attr_as_bool(msg, "isCriticalSystemObject", false);
+
+ if (replica_flags & DRSUAPI_DRS_CRITICAL_ONLY) {
+ if (!is_critical) {
+ return WERR_OK;
+ }
+ }
+
+ if (uSNChanged <= highest_usn) {
+ return WERR_OK;
+ }
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ for (i=0; i<msg->num_elements; i++) {
+ struct ldb_message_element *el = &msg->elements[i];
+ const struct dsdb_attribute *sa;
+ unsigned int j;
+
+ sa = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
+
+ if (!sa || sa->linkID == 0 || (sa->linkID & 1)) {
+ /* we only want forward links */
+ continue;
+ }
+
+ if (el->num_values && !dsdb_dn_is_upgraded_link_val(&el->values[0])) {
+ /* its an old style link, it will have been
+ * sent in the main replication data */
+ continue;
+ }
+
+ for (j=0; j<el->num_values; j++) {
+ struct dsdb_dn *dsdb_dn;
+ uint64_t local_usn;
+ uint64_t originating_usn;
+ NTSTATUS status, status2;
+ WERROR werr;
+ struct GUID originating_invocation_id;
+
+ dsdb_dn = dsdb_dn_parse(tmp_ctx, sam_ctx, &el->values[j], sa->syntax->ldap_oid);
+ if (dsdb_dn == NULL) {
+ DEBUG(1,(__location__ ": Failed to parse DN for %s in %s\n",
+ el->name, ldb_dn_get_linearized(msg->dn)));
+ talloc_free(tmp_ctx);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ status = dsdb_get_extended_dn_uint64(dsdb_dn->dn, &local_usn, "RMD_LOCAL_USN");
+ if (!NT_STATUS_IS_OK(status)) {
+ /* this can happen for attributes
+ given to us with old style meta
+ data */
+ continue;
+ }
+
+ if (local_usn > uSNChanged) {
+ DEBUG(1,(__location__ ": uSNChanged less than RMD_LOCAL_USN for %s on %s\n",
+ el->name, ldb_dn_get_linearized(msg->dn)));
+ talloc_free(tmp_ctx);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ if (local_usn <= highest_usn) {
+ continue;
+ }
+
+ status = dsdb_get_extended_dn_guid(dsdb_dn->dn,
+ &originating_invocation_id,
+ "RMD_INVOCID");
+ status2 = dsdb_get_extended_dn_uint64(dsdb_dn->dn,
+ &originating_usn,
+ "RMD_ORIGINATING_USN");
+
+ if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(status2)) {
+ if (udv_filter(uptodateness_vector,
+ &originating_invocation_id,
+ originating_usn)) {
+ continue;
+ }
+ }
+
+ werr = get_nc_changes_add_la(mem_ctx, sam_ctx, schema,
+ sa, msg, dsdb_dn, la_list,
+ la_count, is_schema_nc);
+ if (!W_ERROR_IS_OK(werr)) {
+ talloc_free(tmp_ctx);
+ return werr;
+ }
+ }
+ }
+
+ talloc_free(tmp_ctx);
+ return WERR_OK;
+}
+
+/*
+ fill in the cursors return based on the replUpToDateVector for the ncRoot_dn
+ */
+static WERROR get_nc_changes_udv(struct ldb_context *sam_ctx,
+ struct ldb_dn *ncRoot_dn,
+ struct drsuapi_DsReplicaCursor2CtrEx *udv)
+{
+ int ret;
+
+ udv->version = 2;
+ udv->reserved1 = 0;
+ udv->reserved2 = 0;
+
+ ret = dsdb_load_udv_v2(sam_ctx, ncRoot_dn, udv, &udv->cursors, &udv->count);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to load UDV for %s - %s\n",
+ ldb_dn_get_linearized(ncRoot_dn), ldb_errstring(sam_ctx)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ return WERR_OK;
+}
+
+
+/* comparison function for linked attributes - see CompareLinks() in
+ * MS-DRSR section 4.1.10.5.17 */
+static int linked_attribute_compare(const struct la_for_sorting *la1,
+ const struct la_for_sorting *la2)
+{
+ int c;
+ c = memcmp(la1->source_guid,
+ la2->source_guid, sizeof(la2->source_guid));
+ if (c != 0) {
+ return c;
+ }
+
+ if (la1->link->attid != la2->link->attid) {
+ return la1->link->attid < la2->link->attid? -1:1;
+ }
+
+ if ((la1->link->flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE) !=
+ (la2->link->flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE)) {
+ return (la1->link->flags &
+ DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE)? 1:-1;
+ }
+
+ return memcmp(la1->target_guid,
+ la2->target_guid, sizeof(la2->target_guid));
+}
+
+struct drsuapi_changed_objects {
+ struct ldb_dn *dn;
+ struct GUID guid;
+ uint64_t usn;
+};
+
+
+/*
+ sort the objects we send by tree order (Samba 4.5 emulation)
+ */
+static int site_res_cmp_anc_order(struct drsuapi_changed_objects *m1,
+ struct drsuapi_changed_objects *m2,
+ struct drsuapi_getncchanges_state *getnc_state)
+{
+ return ldb_dn_compare(m2->dn, m1->dn);
+}
+
+/*
+ sort the objects we send first by uSNChanged
+ */
+static int site_res_cmp_usn_order(struct drsuapi_changed_objects *m1,
+ struct drsuapi_changed_objects *m2,
+ struct drsuapi_getncchanges_state *getnc_state)
+{
+ if (m1->usn == m2->usn) {
+ return ldb_dn_compare(m2->dn, m1->dn);
+ }
+
+ if (m1->usn < m2->usn) {
+ return -1;
+ }
+
+ return 1;
+}
+
+
+/*
+ handle a DRSUAPI_EXOP_FSMO_RID_ALLOC call
+ */
+static WERROR getncchanges_rid_alloc(struct drsuapi_bind_state *b_state,
+ TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsGetNCChangesRequest10 *req10,
+ struct drsuapi_DsGetNCChangesCtr6 *ctr6,
+ struct ldb_dn **rid_manager_dn)
+{
+ struct ldb_dn *req_dn, *ntds_dn = NULL;
+ int ret;
+ struct ldb_context *ldb = b_state->sam_ctx;
+ struct ldb_result *ext_res;
+ struct dsdb_fsmo_extended_op *exop;
+ bool is_us;
+
+ /*
+ steps:
+ - verify that the DN being asked for is the RID Manager DN
+ - verify that we are the RID Manager
+ */
+
+ /* work out who is the RID Manager, also return to caller */
+ ret = samdb_rid_manager_dn(ldb, mem_ctx, rid_manager_dn);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0, (__location__ ": Failed to find RID Manager object - %s\n", ldb_errstring(ldb)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx,
+ ldb,
+ req10->naming_context,
+ &req_dn,
+ NULL);
+ if (ret != LDB_SUCCESS) {
+ DBG_ERR("RID Alloc request for invalid DN %s: %s\n",
+ drs_ObjectIdentifier_to_debug_string(mem_ctx, req10->naming_context),
+ ldb_strerror(ret));
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_MISMATCH;
+ return WERR_OK;
+ }
+
+ if (ldb_dn_compare(req_dn, *rid_manager_dn) != 0) {
+ /* that isn't the RID Manager DN */
+ DBG_ERR("RID Alloc request for wrong DN %s\n",
+ drs_ObjectIdentifier_to_debug_string(mem_ctx,
+ req10->naming_context));
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_MISMATCH;
+ return WERR_OK;
+ }
+
+ /* TODO: make sure ntds_dn is a valid nTDSDSA object */
+ ret = dsdb_find_dn_by_guid(ldb, mem_ctx, &req10->destination_dsa_guid, 0, &ntds_dn);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0, (__location__ ": Unable to find NTDS object for guid %s - %s\n",
+ GUID_string(mem_ctx, &req10->destination_dsa_guid), ldb_errstring(ldb)));
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_UNKNOWN_CALLER;
+ return WERR_OK;
+ }
+
+ /* find the DN of the RID Manager */
+ ret = samdb_reference_dn_is_our_ntdsa(ldb, *rid_manager_dn, "fSMORoleOwner", &is_us);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,("Failed to find fSMORoleOwner in RID Manager object\n"));
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER;
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ if (!is_us) {
+ /* we're not the RID Manager - go away */
+ DEBUG(0,(__location__ ": RID Alloc request when not RID Manager\n"));
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER;
+ return WERR_OK;
+ }
+
+ exop = talloc(mem_ctx, struct dsdb_fsmo_extended_op);
+ W_ERROR_HAVE_NO_MEMORY(exop);
+
+ exop->fsmo_info = req10->fsmo_info;
+ exop->destination_dsa_guid = req10->destination_dsa_guid;
+
+ ret = ldb_transaction_start(ldb);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed transaction start - %s\n",
+ ldb_errstring(ldb)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ ret = ldb_extended(ldb, DSDB_EXTENDED_ALLOCATE_RID_POOL, exop, &ext_res);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed extended allocation RID pool operation - %s\n",
+ ldb_errstring(ldb)));
+ ldb_transaction_cancel(ldb);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ ret = ldb_transaction_commit(ldb);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed transaction commit - %s\n",
+ ldb_errstring(ldb)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ talloc_free(ext_res);
+
+ DEBUG(2,("Allocated RID pool for server %s\n",
+ GUID_string(mem_ctx, &req10->destination_dsa_guid)));
+
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_SUCCESS;
+
+ return WERR_OK;
+}
+
+/*
+ handle a DRSUAPI_EXOP_REPL_SECRET call
+ */
+static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
+ TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsGetNCChangesRequest10 *req10,
+ struct dom_sid *user_sid,
+ struct drsuapi_DsGetNCChangesCtr6 *ctr6,
+ bool has_get_all_changes,
+ struct ldb_dn **machine_dn)
+{
+ struct drsuapi_DsReplicaObjectIdentifier *ncRoot = req10->naming_context;
+ struct ldb_dn *obj_dn = NULL;
+ struct ldb_message *ntds_msg = NULL;
+ struct ldb_dn *ntds_dn = NULL, *server_dn = NULL;
+ struct ldb_dn *rodc_dn, *krbtgt_link_dn;
+ int ret;
+ const char *ntds_attrs[] = { NULL };
+ const char *rodc_attrs[] = { "msDS-KrbTgtLink",
+ "msDS-NeverRevealGroup",
+ "msDS-RevealOnDemandGroup",
+ "userAccountControl",
+ NULL };
+ const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL };
+ struct ldb_result *rodc_res = NULL, *obj_res = NULL;
+ WERROR werr;
+ struct GUID_txt_buf guid_buf;
+
+ DEBUG(3,(__location__ ": DRSUAPI_EXOP_REPL_SECRET extended op on %s\n",
+ drs_ObjectIdentifier_to_debug_string(mem_ctx, ncRoot)));
+
+ /*
+ * we need to work out if we will allow this DC to
+ * replicate the secrets for this object
+ *
+ * see 4.1.10.5.14 GetRevealSecretsPolicyForUser for details
+ * of this function
+ */
+
+ if (b_state->sam_ctx_system == NULL) {
+ /* this operation needs system level access */
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_ACCESS_DENIED;
+ return WERR_DS_DRA_ACCESS_DENIED;
+ }
+
+ /*
+ * Before we accept or deny, fetch the machine DN for the destination
+ * DSA GUID.
+ *
+ * If we are the RODC, we will check that this matches the SID.
+ */
+ ret = samdb_get_ntds_obj_by_guid(mem_ctx,
+ b_state->sam_ctx_system,
+ &req10->destination_dsa_guid,
+ ntds_attrs,
+ &ntds_msg);
+ if (ret != LDB_SUCCESS) {
+ goto dest_dsa_error;
+ }
+
+ ntds_dn = ntds_msg->dn;
+
+ server_dn = ldb_dn_get_parent(mem_ctx, ntds_dn);
+ if (server_dn == NULL) {
+ goto failed;
+ }
+
+ ret = samdb_reference_dn(b_state->sam_ctx_system, mem_ctx, server_dn,
+ "serverReference", machine_dn);
+
+ if (ret != LDB_SUCCESS) {
+ goto dest_dsa_error;
+ }
+
+ /*
+ * In MS-DRSR.pdf 5.99 IsGetNCChangesPermissionGranted
+ *
+ * The pseudo code indicate
+ * revealsecrets = true
+ * if IsRevealSecretRequest(msgIn) then
+ * if AccessCheckCAR(ncRoot, Ds-Replication-Get-Changes-All) = false
+ * then
+ * if (msgIn.ulExtendedOp = EXOP_REPL_SECRETS) then
+ * <... check if this account is ok to be replicated on this DC ...>
+ * <... and if not reveal secrets = no ...>
+ * else
+ * reveal secrets = false
+ * endif
+ * endif
+ * endif
+ *
+ * Which basically means that if you have GET_ALL_CHANGES rights (~== RWDC)
+ * then you can do EXOP_REPL_SECRETS
+ */
+ ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx,
+ b_state->sam_ctx_system,
+ ncRoot,
+ &obj_dn,
+ NULL);
+ if (ret != LDB_SUCCESS) {
+ DBG_ERR("RevealSecretRequest for for invalid DN %s\n",
+ drs_ObjectIdentifier_to_debug_string(mem_ctx, ncRoot));
+ goto failed;
+ }
+
+ if (!ldb_dn_validate(obj_dn)) goto failed;
+
+ if (has_get_all_changes) {
+ goto allowed;
+ }
+
+ rodc_dn = ldb_dn_new_fmt(mem_ctx, b_state->sam_ctx_system, "<SID=%s>",
+ dom_sid_string(mem_ctx, user_sid));
+ if (!ldb_dn_validate(rodc_dn)) goto failed;
+
+ /*
+ * do the two searches we need
+ * We need DSDB_SEARCH_SHOW_EXTENDED_DN as we get a SID lists
+ * out of the extended DNs
+ */
+ ret = dsdb_search_dn(b_state->sam_ctx_system, mem_ctx, &rodc_res, rodc_dn, rodc_attrs,
+ DSDB_SEARCH_SHOW_EXTENDED_DN);
+ if (ret != LDB_SUCCESS || rodc_res->count != 1) goto failed;
+
+ ret = dsdb_search_dn(b_state->sam_ctx_system, mem_ctx, &obj_res, obj_dn, obj_attrs, 0);
+ if (ret != LDB_SUCCESS || obj_res->count != 1) goto failed;
+
+ /*
+ * Must be an RODC account at this point, verify machine DN matches the
+ * SID account
+ */
+ if (ldb_dn_compare(rodc_res->msgs[0]->dn, *machine_dn) != 0) {
+ goto denied;
+ }
+
+ /* an RODC is allowed to get its own krbtgt account secrets */
+ krbtgt_link_dn = samdb_result_dn(b_state->sam_ctx_system, mem_ctx,
+ rodc_res->msgs[0], "msDS-KrbTgtLink", NULL);
+ if (krbtgt_link_dn != NULL &&
+ ldb_dn_compare(obj_dn, krbtgt_link_dn) == 0) {
+ goto allowed;
+ }
+
+ werr = samdb_confirm_rodc_allowed_to_repl_to(b_state->sam_ctx_system,
+ user_sid,
+ rodc_res->msgs[0],
+ obj_res->msgs[0]);
+
+ if (W_ERROR_IS_OK(werr)) {
+ goto allowed;
+ }
+
+ /* default deny */
+denied:
+ DEBUG(2,(__location__ ": Denied single object with secret replication for %s by RODC %s\n",
+ ldb_dn_get_linearized(obj_dn), ldb_dn_get_linearized(rodc_res->msgs[0]->dn)));
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_NONE;
+ return WERR_DS_DRA_SECRETS_DENIED;
+
+allowed:
+ DEBUG(2,(__location__ ": Allowed single object with secret replication for %s by %s %s\n",
+ ldb_dn_get_linearized(obj_dn), has_get_all_changes?"RWDC":"RODC",
+ ldb_dn_get_linearized(*machine_dn)));
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_SUCCESS;
+ req10->highwatermark.highest_usn = 0;
+ return WERR_OK;
+
+failed:
+ DEBUG(2,(__location__ ": Failed single secret replication for %s by RODC %s\n",
+ ldb_dn_get_linearized(obj_dn), dom_sid_string(mem_ctx, user_sid)));
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_NONE;
+ return WERR_DS_DRA_BAD_DN;
+
+dest_dsa_error:
+ DBG_WARNING("Failed secret replication for %s by RODC %s as dest_dsa_guid %s is invalid\n",
+ ldb_dn_get_linearized(obj_dn),
+ dom_sid_string(mem_ctx, user_sid),
+ GUID_buf_string(&req10->destination_dsa_guid,
+ &guid_buf));
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_NONE;
+ return WERR_DS_DRA_DB_ERROR;
+}
+
+/*
+ handle a DRSUAPI_EXOP_REPL_OBJ call
+ */
+static WERROR getncchanges_repl_obj(struct drsuapi_bind_state *b_state,
+ TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsGetNCChangesRequest10 *req10,
+ struct dom_sid *user_sid,
+ struct drsuapi_DsGetNCChangesCtr6 *ctr6)
+{
+ struct drsuapi_DsReplicaObjectIdentifier *ncRoot = req10->naming_context;
+
+ DEBUG(3,(__location__ ": DRSUAPI_EXOP_REPL_OBJ extended op on %s\n",
+ drs_ObjectIdentifier_to_debug_string(mem_ctx, ncRoot)));
+
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_SUCCESS;
+ return WERR_OK;
+}
+
+
+/*
+ handle DRSUAPI_EXOP_FSMO_REQ_ROLE,
+ DRSUAPI_EXOP_FSMO_RID_REQ_ROLE,
+ and DRSUAPI_EXOP_FSMO_REQ_PDC calls
+ */
+static WERROR getncchanges_change_master(struct drsuapi_bind_state *b_state,
+ TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsGetNCChangesRequest10 *req10,
+ struct drsuapi_DsGetNCChangesCtr6 *ctr6)
+{
+ struct ldb_dn *req_dn, *ntds_dn;
+ int ret;
+ unsigned int i;
+ struct ldb_context *ldb = b_state->sam_ctx;
+ struct ldb_message *msg;
+ bool is_us;
+
+ /*
+ steps:
+ - verify that the client dn exists
+ - verify that we are the current master
+ */
+
+ ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx, ldb, req10->naming_context,
+ &req_dn, NULL);
+ if (ret != LDB_SUCCESS) {
+ /* that is not a valid dn */
+ DBG_ERR("FSMO role transfer request for invalid DN %s: %s\n",
+ drs_ObjectIdentifier_to_debug_string(mem_ctx, req10->naming_context),
+ ldb_strerror(ret));
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_MISMATCH;
+ return WERR_OK;
+ }
+
+ /* find the DN of the current role owner */
+ ret = samdb_reference_dn_is_our_ntdsa(ldb, req_dn, "fSMORoleOwner", &is_us);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,("Failed to find fSMORoleOwner in RID Manager object\n"));
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER;
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ if (!is_us) {
+ /* we're not the RID Manager or role owner - go away */
+ DEBUG(0,(__location__ ": FSMO role or RID manager transfer owner request when not role owner\n"));
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER;
+ return WERR_OK;
+ }
+
+ /* change the current master */
+ msg = ldb_msg_new(ldb);
+ W_ERROR_HAVE_NO_MEMORY(msg);
+ ret = drs_ObjectIdentifier_to_dn_and_nc_root(msg, ldb, req10->naming_context,
+ &msg->dn, NULL);
+ if (ret != LDB_SUCCESS) {
+ /* that is not a valid dn */
+ DBG_ERR("FSMO role transfer request for invalid DN %s: %s\n",
+ drs_ObjectIdentifier_to_debug_string(mem_ctx, req10->naming_context),
+ ldb_strerror(ret));
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_MISMATCH;
+ return WERR_OK;
+ }
+
+ /* TODO: make sure ntds_dn is a valid nTDSDSA object */
+ ret = dsdb_find_dn_by_guid(ldb, msg, &req10->destination_dsa_guid, 0, &ntds_dn);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0, (__location__ ": Unable to find NTDS object for guid %s - %s\n",
+ GUID_string(mem_ctx, &req10->destination_dsa_guid), ldb_errstring(ldb)));
+ talloc_free(msg);
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_UNKNOWN_CALLER;
+ return WERR_OK;
+ }
+
+ ret = ldb_msg_add_string(msg, "fSMORoleOwner", ldb_dn_get_linearized(ntds_dn));
+ if (ret != 0) {
+ talloc_free(msg);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ for (i=0;i<msg->num_elements;i++) {
+ msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
+ }
+
+ ret = ldb_transaction_start(ldb);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed transaction start - %s\n",
+ ldb_errstring(ldb)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ ret = ldb_modify(ldb, msg);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to change current owner - %s\n",
+ ldb_errstring(ldb)));
+ ldb_transaction_cancel(ldb);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ ret = ldb_transaction_commit(ldb);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed transaction commit - %s\n",
+ ldb_errstring(ldb)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ ctr6->extended_ret = DRSUAPI_EXOP_ERR_SUCCESS;
+
+ return WERR_OK;
+}
+
+/*
+ see if this getncchanges request includes a request to reveal secret information
+ */
+static WERROR dcesrv_drsuapi_is_reveal_secrets_request(struct drsuapi_bind_state *b_state,
+ struct drsuapi_DsGetNCChangesRequest10 *req10,
+ struct dsdb_schema_prefixmap *pfm_remote,
+ bool *is_secret_request)
+{
+ enum drsuapi_DsExtendedOperation exop;
+ uint32_t i;
+ struct dsdb_schema *schema;
+ struct dsdb_syntax_ctx syntax_ctx;
+
+ *is_secret_request = true;
+
+ exop = req10->extended_op;
+
+ switch (exop) {
+ case DRSUAPI_EXOP_FSMO_REQ_ROLE:
+ case DRSUAPI_EXOP_FSMO_RID_ALLOC:
+ case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE:
+ case DRSUAPI_EXOP_FSMO_REQ_PDC:
+ case DRSUAPI_EXOP_FSMO_ABANDON_ROLE:
+ /* FSMO exops can reveal secrets */
+ *is_secret_request = true;
+ return WERR_OK;
+ case DRSUAPI_EXOP_REPL_SECRET:
+ case DRSUAPI_EXOP_REPL_OBJ:
+ case DRSUAPI_EXOP_NONE:
+ break;
+ }
+
+ if (req10->replica_flags & DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING) {
+ *is_secret_request = false;
+ return WERR_OK;
+ }
+
+ if (exop == DRSUAPI_EXOP_REPL_SECRET ||
+ req10->partial_attribute_set == NULL) {
+ /* they want secrets */
+ *is_secret_request = true;
+ return WERR_OK;
+ }
+
+ schema = dsdb_get_schema(b_state->sam_ctx, NULL);
+ dsdb_syntax_ctx_init(&syntax_ctx, b_state->sam_ctx, schema);
+ syntax_ctx.pfm_remote = pfm_remote;
+
+ /* check the attributes they asked for */
+ for (i=0; i<req10->partial_attribute_set->num_attids; i++) {
+ const struct dsdb_attribute *sa;
+ WERROR werr = getncchanges_attid_remote_to_local(schema,
+ &syntax_ctx,
+ req10->partial_attribute_set->attids[i],
+ NULL,
+ &sa);
+
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,(__location__": attid 0x%08X not found: %s\n",
+ req10->partial_attribute_set->attids[i], win_errstr(werr)));
+ return werr;
+ }
+
+ if (!dsdb_attr_in_rodc_fas(sa)) {
+ *is_secret_request = true;
+ return WERR_OK;
+ }
+ }
+
+ if (req10->partial_attribute_set_ex) {
+ /* check the extended attributes they asked for */
+ for (i=0; i<req10->partial_attribute_set_ex->num_attids; i++) {
+ const struct dsdb_attribute *sa;
+ WERROR werr = getncchanges_attid_remote_to_local(schema,
+ &syntax_ctx,
+ req10->partial_attribute_set_ex->attids[i],
+ NULL,
+ &sa);
+
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,(__location__": attid 0x%08X not found: %s\n",
+ req10->partial_attribute_set_ex->attids[i], win_errstr(werr)));
+ return werr;
+ }
+
+ if (!dsdb_attr_in_rodc_fas(sa)) {
+ *is_secret_request = true;
+ return WERR_OK;
+ }
+ }
+ }
+
+ *is_secret_request = false;
+ return WERR_OK;
+}
+
+/*
+ see if this getncchanges request is only for attributes in the GC
+ partial attribute set
+ */
+static WERROR dcesrv_drsuapi_is_gc_pas_request(struct drsuapi_bind_state *b_state,
+ struct drsuapi_DsGetNCChangesRequest10 *req10,
+ struct dsdb_schema_prefixmap *pfm_remote,
+ bool *is_gc_pas_request)
+{
+ enum drsuapi_DsExtendedOperation exop;
+ uint32_t i;
+ struct dsdb_schema *schema;
+ struct dsdb_syntax_ctx syntax_ctx;
+
+ exop = req10->extended_op;
+
+ switch (exop) {
+ case DRSUAPI_EXOP_FSMO_REQ_ROLE:
+ case DRSUAPI_EXOP_FSMO_RID_ALLOC:
+ case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE:
+ case DRSUAPI_EXOP_FSMO_REQ_PDC:
+ case DRSUAPI_EXOP_FSMO_ABANDON_ROLE:
+ case DRSUAPI_EXOP_REPL_SECRET:
+ *is_gc_pas_request = false;
+ return WERR_OK;
+ case DRSUAPI_EXOP_REPL_OBJ:
+ case DRSUAPI_EXOP_NONE:
+ break;
+ }
+
+ if (req10->partial_attribute_set == NULL) {
+ /* they want it all */
+ *is_gc_pas_request = false;
+ return WERR_OK;
+ }
+
+ schema = dsdb_get_schema(b_state->sam_ctx, NULL);
+ dsdb_syntax_ctx_init(&syntax_ctx, b_state->sam_ctx, schema);
+ syntax_ctx.pfm_remote = pfm_remote;
+
+ /* check the attributes they asked for */
+ for (i=0; i<req10->partial_attribute_set->num_attids; i++) {
+ const struct dsdb_attribute *sa;
+ WERROR werr = getncchanges_attid_remote_to_local(schema,
+ &syntax_ctx,
+ req10->partial_attribute_set->attids[i],
+ NULL,
+ &sa);
+
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,(__location__": attid 0x%08X not found: %s\n",
+ req10->partial_attribute_set->attids[i], win_errstr(werr)));
+ return werr;
+ }
+
+ if (!sa->isMemberOfPartialAttributeSet) {
+ *is_gc_pas_request = false;
+ return WERR_OK;
+ }
+ }
+
+ if (req10->partial_attribute_set_ex) {
+ /* check the extended attributes they asked for */
+ for (i=0; i<req10->partial_attribute_set_ex->num_attids; i++) {
+ const struct dsdb_attribute *sa;
+ WERROR werr = getncchanges_attid_remote_to_local(schema,
+ &syntax_ctx,
+ req10->partial_attribute_set_ex->attids[i],
+ NULL,
+ &sa);
+
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,(__location__": attid 0x%08X not found: %s\n",
+ req10->partial_attribute_set_ex->attids[i], win_errstr(werr)));
+ return werr;
+ }
+
+ if (!sa->isMemberOfPartialAttributeSet) {
+ *is_gc_pas_request = false;
+ return WERR_OK;
+ }
+ }
+ }
+
+ *is_gc_pas_request = true;
+ return WERR_OK;
+}
+
+
+/*
+ map from req8 to req10
+ */
+static struct drsuapi_DsGetNCChangesRequest10 *
+getncchanges_map_req8(TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsGetNCChangesRequest8 *req8)
+{
+ struct drsuapi_DsGetNCChangesRequest10 *req10 = talloc_zero(mem_ctx,
+ struct drsuapi_DsGetNCChangesRequest10);
+ if (req10 == NULL) {
+ return NULL;
+ }
+
+ req10->destination_dsa_guid = req8->destination_dsa_guid;
+ req10->source_dsa_invocation_id = req8->source_dsa_invocation_id;
+ req10->naming_context = req8->naming_context;
+ req10->highwatermark = req8->highwatermark;
+ req10->uptodateness_vector = req8->uptodateness_vector;
+ req10->replica_flags = req8->replica_flags;
+ req10->max_object_count = req8->max_object_count;
+ req10->max_ndr_size = req8->max_ndr_size;
+ req10->extended_op = req8->extended_op;
+ req10->fsmo_info = req8->fsmo_info;
+ req10->partial_attribute_set = req8->partial_attribute_set;
+ req10->partial_attribute_set_ex = req8->partial_attribute_set_ex;
+ req10->mapping_ctr = req8->mapping_ctr;
+
+ return req10;
+}
+
+static const char *collect_objects_attrs[] = { "uSNChanged",
+ "objectGUID" ,
+ NULL };
+
+/**
+ * Collects object for normal replication cycle.
+ */
+static WERROR getncchanges_collect_objects(struct drsuapi_bind_state *b_state,
+ TALLOC_CTX *mem_ctx,
+ struct drsuapi_getncchanges_state *getnc_state,
+ struct drsuapi_DsGetNCChangesRequest10 *req10,
+ struct ldb_dn *search_dn,
+ const char *extra_filter,
+ struct ldb_result **search_res)
+{
+ int ret;
+ char* search_filter;
+ enum ldb_scope scope = LDB_SCOPE_SUBTREE;
+ bool critical_only = false;
+
+ if (req10->replica_flags & DRSUAPI_DRS_CRITICAL_ONLY) {
+ critical_only = true;
+ }
+
+ if (req10->extended_op == DRSUAPI_EXOP_REPL_OBJ ||
+ req10->extended_op == DRSUAPI_EXOP_REPL_SECRET) {
+ scope = LDB_SCOPE_BASE;
+ critical_only = false;
+ }
+
+ /* Construct response. */
+ search_filter = talloc_asprintf(mem_ctx,
+ "(uSNChanged>=%llu)",
+ (unsigned long long)(getnc_state->min_usn+1));
+
+ if (extra_filter) {
+ search_filter = talloc_asprintf(mem_ctx, "(&%s(%s))", search_filter, extra_filter);
+ }
+
+ if (critical_only) {
+ search_filter = talloc_asprintf(mem_ctx,
+ "(&%s(isCriticalSystemObject=TRUE))",
+ search_filter);
+ }
+
+ if (req10->replica_flags & DRSUAPI_DRS_ASYNC_REP) {
+ scope = LDB_SCOPE_BASE;
+ }
+
+ if (!search_dn) {
+ search_dn = getnc_state->ncRoot_dn;
+ }
+
+ DEBUG(2,(__location__ ": getncchanges on %s using filter %s\n",
+ ldb_dn_get_linearized(getnc_state->ncRoot_dn), search_filter));
+ ret = drsuapi_search_with_extended_dn(b_state->sam_ctx, getnc_state, search_res,
+ search_dn, scope,
+ collect_objects_attrs,
+ search_filter);
+ if (ret != LDB_SUCCESS) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ return WERR_OK;
+}
+
+/**
+ * Collects object for normal replication cycle.
+ */
+static WERROR getncchanges_collect_objects_exop(struct drsuapi_bind_state *b_state,
+ TALLOC_CTX *mem_ctx,
+ struct drsuapi_getncchanges_state *getnc_state,
+ struct drsuapi_DsGetNCChangesRequest10 *req10,
+ struct drsuapi_DsGetNCChangesCtr6 *ctr6,
+ struct ldb_dn *search_dn,
+ const char *extra_filter,
+ struct ldb_result **search_res)
+{
+ /* we have nothing to do in case of ex-op failure */
+ if (ctr6->extended_ret != DRSUAPI_EXOP_ERR_SUCCESS) {
+ return WERR_OK;
+ }
+
+ switch (req10->extended_op) {
+ case DRSUAPI_EXOP_FSMO_RID_ALLOC:
+ {
+ int ret;
+ struct ldb_dn *ntds_dn = NULL;
+ struct ldb_dn *server_dn = NULL;
+ struct ldb_dn *machine_dn = NULL;
+ struct ldb_dn *rid_set_dn = NULL;
+ struct ldb_result *search_res2 = NULL;
+ struct ldb_result *search_res3 = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+ /* get RID manager, RID set and server DN (in that order) */
+
+ /* This first search will get the RID Manager */
+ ret = drsuapi_search_with_extended_dn(b_state->sam_ctx, frame,
+ search_res,
+ search_dn, LDB_SCOPE_BASE,
+ collect_objects_attrs,
+ NULL);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to get RID Manager object %s - %s",
+ ldb_dn_get_linearized(search_dn),
+ ldb_errstring(b_state->sam_ctx)));
+ TALLOC_FREE(frame);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ if ((*search_res)->count != 1) {
+ DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to get RID Manager object %s - %u objects returned",
+ ldb_dn_get_linearized(search_dn),
+ (*search_res)->count));
+ TALLOC_FREE(frame);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ /* Now extend it to the RID set */
+
+ /* Find the computer account DN for the destination
+ * dsa GUID specified */
+
+ ret = dsdb_find_dn_by_guid(b_state->sam_ctx, frame,
+ &req10->destination_dsa_guid, 0,
+ &ntds_dn);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Unable to find NTDS object for guid %s - %s\n",
+ GUID_string(frame,
+ &req10->destination_dsa_guid),
+ ldb_errstring(b_state->sam_ctx)));
+ TALLOC_FREE(frame);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ server_dn = ldb_dn_get_parent(frame, ntds_dn);
+ if (!server_dn) {
+ TALLOC_FREE(frame);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ ret = samdb_reference_dn(b_state->sam_ctx, frame, server_dn,
+ "serverReference", &machine_dn);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to find serverReference in %s - %s",
+ ldb_dn_get_linearized(server_dn),
+ ldb_errstring(b_state->sam_ctx)));
+ TALLOC_FREE(frame);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ ret = samdb_reference_dn(b_state->sam_ctx, frame, machine_dn,
+ "rIDSetReferences", &rid_set_dn);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to find rIDSetReferences in %s - %s",
+ ldb_dn_get_linearized(server_dn),
+ ldb_errstring(b_state->sam_ctx)));
+ TALLOC_FREE(frame);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+
+ /* This first search will get the RID Manager, now get the RID set */
+ ret = drsuapi_search_with_extended_dn(b_state->sam_ctx, frame,
+ &search_res2,
+ rid_set_dn, LDB_SCOPE_BASE,
+ collect_objects_attrs,
+ NULL);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to get RID Set object %s - %s",
+ ldb_dn_get_linearized(rid_set_dn),
+ ldb_errstring(b_state->sam_ctx)));
+ TALLOC_FREE(frame);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ if (search_res2->count != 1) {
+ DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to get RID Set object %s - %u objects returned",
+ ldb_dn_get_linearized(rid_set_dn),
+ search_res2->count));
+ TALLOC_FREE(frame);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ /* Finally get the server DN */
+ ret = drsuapi_search_with_extended_dn(b_state->sam_ctx, frame,
+ &search_res3,
+ machine_dn, LDB_SCOPE_BASE,
+ collect_objects_attrs,
+ NULL);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to get server object %s - %s",
+ ldb_dn_get_linearized(server_dn),
+ ldb_errstring(b_state->sam_ctx)));
+ TALLOC_FREE(frame);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ if (search_res3->count != 1) {
+ DEBUG(1, ("DRSUAPI_EXOP_FSMO_RID_ALLOC: Failed to get server object %s - %u objects returned",
+ ldb_dn_get_linearized(server_dn),
+ search_res3->count));
+ TALLOC_FREE(frame);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ /* Now extend the original search_res with these answers */
+ (*search_res)->count = 3;
+
+ (*search_res)->msgs = talloc_realloc(frame, (*search_res)->msgs,
+ struct ldb_message *,
+ (*search_res)->count);
+ if ((*search_res)->msgs == NULL) {
+ TALLOC_FREE(frame);
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+
+ talloc_steal(mem_ctx, *search_res);
+ (*search_res)->msgs[1] =
+ talloc_steal((*search_res)->msgs, search_res2->msgs[0]);
+ (*search_res)->msgs[2] =
+ talloc_steal((*search_res)->msgs, search_res3->msgs[0]);
+
+ TALLOC_FREE(frame);
+ return WERR_OK;
+ }
+ default:
+ /* TODO: implement extended op specific collection
+ * of objects. Right now we just normal procedure
+ * for collecting objects */
+ return getncchanges_collect_objects(b_state,
+ mem_ctx,
+ getnc_state,
+ req10,
+ search_dn,
+ extra_filter,
+ search_res);
+ }
+}
+
+static void dcesrv_drsuapi_update_highwatermark(const struct ldb_message *msg,
+ uint64_t max_usn,
+ struct drsuapi_DsReplicaHighWaterMark *hwm)
+{
+ uint64_t uSN = ldb_msg_find_attr_as_uint64(msg, "uSNChanged", 0);
+
+ if (uSN > max_usn) {
+ /*
+ * Only report the max_usn we had at the start
+ * of the replication cycle.
+ *
+ * If this object has changed lately we better
+ * let the destination dsa refetch the change.
+ * This is better than the risk of loosing some
+ * objects or linked attributes.
+ */
+ return;
+ }
+
+ if (uSN <= hwm->tmp_highest_usn) {
+ return;
+ }
+
+ hwm->tmp_highest_usn = uSN;
+ hwm->reserved_usn = 0;
+}
+
+/**
+ * Adds an object's GUID to the cache of objects already sent.
+ * This avoids us sending the same object multiple times when
+ * the GetNCChanges request uses a flag like GET_ANC.
+ */
+static WERROR dcesrv_drsuapi_obj_cache_add(struct db_context *obj_cache,
+ const struct GUID *guid)
+{
+ enum ndr_err_code ndr_err;
+ uint8_t guid_buf[DRS_GUID_SIZE] = { 0, };
+ DATA_BLOB b = {
+ .data = guid_buf,
+ .length = sizeof(guid_buf),
+ };
+ TDB_DATA key = {
+ .dptr = b.data,
+ .dsize = b.length,
+ };
+ TDB_DATA val = {
+ .dptr = NULL,
+ .dsize = 0,
+ };
+ NTSTATUS status;
+
+ ndr_err = ndr_push_struct_into_fixed_blob(&b, guid,
+ (ndr_push_flags_fn_t)ndr_push_GUID);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ status = dbwrap_store(obj_cache, key, val, TDB_REPLACE);
+ if (!NT_STATUS_IS_OK(status)) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ return WERR_OK;
+}
+
+/**
+ * Checks if the object with the GUID specified already exists in the
+ * object cache, i.e. it's already been sent in a GetNCChanges response.
+ */
+static WERROR dcesrv_drsuapi_obj_cache_exists(struct db_context *obj_cache,
+ const struct GUID *guid)
+{
+ enum ndr_err_code ndr_err;
+ uint8_t guid_buf[DRS_GUID_SIZE] = { 0, };
+ DATA_BLOB b = {
+ .data = guid_buf,
+ .length = sizeof(guid_buf),
+ };
+ TDB_DATA key = {
+ .dptr = b.data,
+ .dsize = b.length,
+ };
+ bool exists;
+
+ ndr_err = ndr_push_struct_into_fixed_blob(&b, guid,
+ (ndr_push_flags_fn_t)ndr_push_GUID);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ exists = dbwrap_exists(obj_cache, key);
+ if (!exists) {
+ return WERR_OBJECT_NOT_FOUND;
+ }
+
+ return WERR_OBJECT_NAME_EXISTS;
+}
+
+/**
+ * Copies the la_list specified into a sorted array, ready to be sent in a
+ * GetNCChanges response.
+ */
+static WERROR getncchanges_get_sorted_array(const struct drsuapi_DsReplicaLinkedAttribute *la_list,
+ const uint32_t link_count,
+ struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct dsdb_schema *schema,
+ struct la_for_sorting **ret_array)
+{
+ int j;
+ struct la_for_sorting *guid_array;
+ WERROR werr = WERR_OK;
+
+ *ret_array = NULL;
+ guid_array = talloc_array(mem_ctx, struct la_for_sorting, link_count);
+ if (guid_array == NULL) {
+ DEBUG(0, ("Out of memory allocating %u linked attributes for sorting", link_count));
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ for (j = 0; j < link_count; j++) {
+
+ /* we need to get the target GUIDs to compare */
+ struct dsdb_dn *dn;
+ const struct drsuapi_DsReplicaLinkedAttribute *la = &la_list[j];
+ const struct dsdb_attribute *schema_attrib;
+ const struct ldb_val *target_guid;
+ DATA_BLOB source_guid;
+ TALLOC_CTX *frame = talloc_stackframe();
+ NTSTATUS status;
+
+ schema_attrib = dsdb_attribute_by_attributeID_id(schema, la->attid);
+
+ werr = dsdb_dn_la_from_blob(sam_ctx, schema_attrib, schema, frame, la->value.blob, &dn);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,(__location__ ": Bad la blob in sort\n"));
+ TALLOC_FREE(frame);
+ return werr;
+ }
+
+ /* Extract the target GUID in NDR form */
+ target_guid = ldb_dn_get_extended_component(dn->dn, "GUID");
+ if (target_guid == NULL
+ || target_guid->length != sizeof(guid_array[0].target_guid)) {
+ status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ } else {
+ /* Repack the source GUID as NDR for sorting */
+ status = GUID_to_ndr_blob(&la->identifier->guid,
+ frame,
+ &source_guid);
+ }
+
+ if (!NT_STATUS_IS_OK(status)
+ || source_guid.length != sizeof(guid_array[0].source_guid)) {
+ DEBUG(0,(__location__ ": Bad la guid in sort\n"));
+ TALLOC_FREE(frame);
+ return ntstatus_to_werror(status);
+ }
+
+ guid_array[j].link = &la_list[j];
+ memcpy(guid_array[j].target_guid, target_guid->data,
+ sizeof(guid_array[j].target_guid));
+ memcpy(guid_array[j].source_guid, source_guid.data,
+ sizeof(guid_array[j].source_guid));
+ TALLOC_FREE(frame);
+ }
+
+ TYPESAFE_QSORT(guid_array, link_count, linked_attribute_compare);
+
+ *ret_array = guid_array;
+
+ return werr;
+}
+
+
+/**
+ * Adds any ancestor/parent objects of the child_obj specified.
+ * This is needed when the GET_ANC flag is specified in the request.
+ * @param new_objs if parents are added, this gets updated to point to a chain
+ * of parent objects (with the parents first and the child last)
+ */
+static WERROR getncchanges_add_ancestors(const struct GUID *parent_object_guid,
+ struct ldb_dn *child_dn,
+ TALLOC_CTX *mem_ctx,
+ struct ldb_context *sam_ctx,
+ struct drsuapi_getncchanges_state *getnc_state,
+ struct dsdb_schema *schema,
+ DATA_BLOB *session_key,
+ struct drsuapi_DsGetNCChangesRequest10 *req10,
+ uint32_t *local_pas,
+ struct ldb_dn *machine_dn,
+ struct drsuapi_DsReplicaObjectListItemEx **new_objs)
+{
+ int ret;
+ const struct GUID *next_anc_guid = NULL;
+ WERROR werr = WERR_OK;
+ static const char * const msg_attrs[] = {
+ "*",
+ "nTSecurityDescriptor",
+ "parentGUID",
+ "replPropertyMetaData",
+ DSDB_SECRET_ATTRIBUTES,
+ NULL };
+
+ next_anc_guid = parent_object_guid;
+
+ while (next_anc_guid != NULL) {
+ struct drsuapi_DsReplicaObjectListItemEx *anc_obj = NULL;
+ struct ldb_message *anc_msg = NULL;
+ struct ldb_result *anc_res = NULL;
+ struct ldb_dn *anc_dn = NULL;
+
+ /*
+ * For the GET_ANC case (but not the 'send NC root
+ * first' case), don't send an object twice.
+ *
+ * (If we've sent the object, then we've also sent all
+ * its parents as well)
+ */
+ if (getnc_state->obj_cache) {
+ werr = dcesrv_drsuapi_obj_cache_exists(getnc_state->obj_cache,
+ next_anc_guid);
+ if (W_ERROR_EQUAL(werr, WERR_OBJECT_NAME_EXISTS)) {
+ return WERR_OK;
+ }
+ if (W_ERROR_IS_OK(werr)) {
+ return WERR_INTERNAL_ERROR;
+ }
+ if (!W_ERROR_EQUAL(werr, WERR_OBJECT_NOT_FOUND)) {
+ return werr;
+ }
+ }
+
+ anc_obj = talloc_zero(mem_ctx,
+ struct drsuapi_DsReplicaObjectListItemEx);
+ if (anc_obj == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ anc_dn = ldb_dn_new_fmt(anc_obj, sam_ctx, "<GUID=%s>",
+ GUID_string(anc_obj, next_anc_guid));
+ if (anc_dn == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ ret = drsuapi_search_with_extended_dn(sam_ctx, anc_obj,
+ &anc_res, anc_dn,
+ LDB_SCOPE_BASE,
+ msg_attrs, NULL);
+ if (ret != LDB_SUCCESS) {
+ const char *anc_str = NULL;
+ const char *obj_str = NULL;
+
+ anc_str = ldb_dn_get_extended_linearized(anc_obj,
+ anc_dn,
+ 1);
+ obj_str = ldb_dn_get_extended_linearized(anc_obj,
+ child_dn,
+ 1);
+
+ DBG_ERR("getncchanges: failed to fetch ANC "
+ "DN %s for DN %s - %s\n",
+ anc_str, obj_str, ldb_errstring(sam_ctx));
+ return WERR_DS_DRA_INCONSISTENT_DIT;
+ }
+
+ anc_msg = anc_res->msgs[0];
+
+ werr = get_nc_changes_build_object(anc_obj, anc_msg,
+ sam_ctx,
+ getnc_state,
+ schema, session_key,
+ req10,
+ false, /* force_object_return */
+ local_pas,
+ machine_dn,
+ next_anc_guid);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ /*
+ * Regardless of whether we actually use it or not,
+ * we add it to the cache so we don't look at it again
+ *
+ * The only time we are here without
+ * getnc_state->obj_cache is for the forced addition
+ * of the NC root to the start of the reply, this we
+ * want to add each and every call..
+ */
+ if (getnc_state->obj_cache) {
+ werr = dcesrv_drsuapi_obj_cache_add(getnc_state->obj_cache,
+ next_anc_guid);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+ }
+
+ /*
+ * Any ancestors which are below the highwatermark
+ * or uptodateness_vector shouldn't be added,
+ * but we still look further up the
+ * tree for ones which have been changed recently.
+ */
+ if (anc_obj->meta_data_ctr != NULL) {
+
+ /*
+ * prepend the parent to the list so that the client-side
+ * adds the parent object before it adds the children
+ */
+ anc_obj->next_object = *new_objs;
+ *new_objs = anc_obj;
+ }
+
+ anc_msg = NULL;
+ TALLOC_FREE(anc_res);
+ TALLOC_FREE(anc_dn);
+
+ /*
+ * We may need to resolve more parents...
+ */
+ next_anc_guid = anc_obj->parent_object_guid;
+ }
+ return werr;
+}
+
+/**
+ * Adds a list of new objects into the current chunk of replication data to send
+ */
+static void getncchanges_chunk_add_objects(struct getncchanges_repl_chunk *repl_chunk,
+ struct drsuapi_DsReplicaObjectListItemEx *obj_list)
+{
+ struct drsuapi_DsReplicaObjectListItemEx *obj;
+
+ /*
+ * We track the last object added to the replication chunk, so just add
+ * the new object-list onto the end
+ */
+ if (repl_chunk->object_list == NULL) {
+ repl_chunk->object_list = obj_list;
+ } else {
+ repl_chunk->last_object->next_object = obj_list;
+ }
+
+ for (obj = obj_list; obj != NULL; obj = obj->next_object) {
+ repl_chunk->object_count += 1;
+
+ /*
+ * Remember the last object in the response - we'll use this to
+ * link the next object(s) processed onto the existing list
+ */
+ if (obj->next_object == NULL) {
+ repl_chunk->last_object = obj;
+ }
+ }
+}
+
+/**
+ * Gets the object to send, packed into an RPC struct ready to send. This also
+ * adds the object to the object cache, and adds any ancestors (if needed).
+ * @param msg - DB search result for the object to add
+ * @param guid - GUID of the object to add
+ * @param ret_obj_list - returns the object ready to be sent (in a list, along
+ * with any ancestors that might be needed). NULL if nothing to send.
+ */
+static WERROR getncchanges_get_obj_to_send(const struct ldb_message *msg,
+ TALLOC_CTX *mem_ctx,
+ struct ldb_context *sam_ctx,
+ struct drsuapi_getncchanges_state *getnc_state,
+ struct dsdb_schema *schema,
+ DATA_BLOB *session_key,
+ struct drsuapi_DsGetNCChangesRequest10 *req10,
+ bool force_object_return,
+ uint32_t *local_pas,
+ struct ldb_dn *machine_dn,
+ const struct GUID *guid,
+ struct drsuapi_DsReplicaObjectListItemEx **ret_obj_list)
+{
+ struct drsuapi_DsReplicaObjectListItemEx *obj;
+ WERROR werr;
+
+ *ret_obj_list = NULL;
+
+ obj = talloc_zero(mem_ctx, struct drsuapi_DsReplicaObjectListItemEx);
+ W_ERROR_HAVE_NO_MEMORY(obj);
+
+ werr = get_nc_changes_build_object(obj, msg, sam_ctx, getnc_state,
+ schema, session_key, req10,
+ force_object_return,
+ local_pas, machine_dn, guid);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ /*
+ * The object may get filtered out by the UTDV's USN and not actually
+ * sent, in which case there's nothing more to do here
+ */
+ if (obj->meta_data_ctr == NULL) {
+ TALLOC_FREE(obj);
+ return WERR_OK;
+ }
+
+ if (getnc_state->obj_cache != NULL) {
+ werr = dcesrv_drsuapi_obj_cache_add(getnc_state->obj_cache,
+ guid);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+ }
+
+ *ret_obj_list = obj;
+
+ /*
+ * If required, also add any ancestors that the client may need to know
+ * about before it can resolve this object. These get prepended to the
+ * ret_obj_list so the client adds them first.
+ *
+ * We allow this to be disabled to permit testing of a
+ * client-side fallback for the broken behaviour in Samba 4.5
+ * and earlier.
+ */
+ if (getnc_state->is_get_anc
+ && !getnc_state->broken_samba_4_5_get_anc_emulation) {
+ werr = getncchanges_add_ancestors(obj->parent_object_guid,
+ msg->dn, mem_ctx,
+ sam_ctx, getnc_state,
+ schema, session_key,
+ req10, local_pas,
+ machine_dn, ret_obj_list);
+ }
+
+ return werr;
+}
+
+/**
+ * Returns the number of links that are waiting to be sent
+ */
+static uint32_t getncchanges_chunk_links_pending(struct getncchanges_repl_chunk *repl_chunk,
+ struct drsuapi_getncchanges_state *getnc_state)
+{
+ uint32_t links_to_send = 0;
+
+ if (getnc_state->is_get_tgt) {
+
+ /*
+ * when the GET_TGT flag is set, only include the linked
+ * attributes whose target object has already been checked
+ * (i.e. they're ready to send).
+ */
+ if (repl_chunk->tgt_la_count > getnc_state->la_idx) {
+ links_to_send = (repl_chunk->tgt_la_count -
+ getnc_state->la_idx);
+ }
+ } else {
+ links_to_send = getnc_state->la_count - getnc_state->la_idx;
+ }
+
+ return links_to_send;
+}
+
+/**
+ * Returns the max number of links that will fit in the current replication chunk
+ */
+static uint32_t getncchanges_chunk_max_links(struct getncchanges_repl_chunk *repl_chunk)
+{
+ uint32_t max_links = 0;
+
+ if (repl_chunk->max_links != DEFAULT_MAX_LINKS ||
+ repl_chunk->max_objects != DEFAULT_MAX_OBJECTS) {
+
+ /*
+ * We're using non-default settings, so don't try to adjust
+ * them, just trust the user has configured decent values
+ */
+ max_links = repl_chunk->max_links;
+
+ } else if (repl_chunk->max_links > repl_chunk->object_count) {
+
+ /*
+ * This is just an approximate guess to avoid overfilling the
+ * replication chunk. It's the logic we've used historically.
+ * E.g. if we've already sent 1000 objects, then send 1000 fewer
+ * links. For comparison, the max that Windows seems to send is
+ * ~2700 links and ~250 objects (although this may vary based
+ * on timeouts)
+ */
+ max_links = repl_chunk->max_links - repl_chunk->object_count;
+ }
+
+ return max_links;
+}
+
+/**
+ * Returns true if the current GetNCChanges() call has taken longer than its
+ * allotted time. This prevents the client from timing out.
+ */
+static bool getncchanges_chunk_timed_out(struct getncchanges_repl_chunk *repl_chunk)
+{
+ return (time(NULL) - repl_chunk->start > repl_chunk->max_wait);
+}
+
+/**
+ * Returns true if the current chunk of replication data has reached the
+ * max_objects and/or max_links thresholds.
+ */
+static bool getncchanges_chunk_is_full(struct getncchanges_repl_chunk *repl_chunk,
+ struct drsuapi_getncchanges_state *getnc_state)
+{
+ bool chunk_full = false;
+ uint32_t links_to_send;
+ uint32_t chunk_limit;
+
+ /* check if the current chunk is already full with objects */
+ if (repl_chunk->object_count >= repl_chunk->max_objects) {
+ chunk_full = true;
+
+ } else if (repl_chunk->object_count > 0 &&
+ getncchanges_chunk_timed_out(repl_chunk)) {
+
+ /*
+ * We've exceeded our allotted time building this chunk,
+ * and we have at least one object to send back to the client
+ */
+ chunk_full = true;
+
+ } else if (repl_chunk->immediate_link_sync) {
+
+ /* check if the chunk is already full with links */
+ links_to_send = getncchanges_chunk_links_pending(repl_chunk,
+ getnc_state);
+
+ chunk_limit = getncchanges_chunk_max_links(repl_chunk);
+
+ /*
+ * The chunk is full if we've got more links to send than will
+ * fit in one chunk
+ */
+ if (links_to_send > 0 && chunk_limit <= links_to_send) {
+ chunk_full = true;
+ }
+ }
+
+ return chunk_full;
+}
+
+/**
+ * Goes through any new linked attributes and checks that the target object
+ * will be known to the client, i.e. we've already sent it in an replication
+ * chunk. If not, then it adds the target object to the current replication
+ * chunk. This is only done when the client specifies DRS_GET_TGT.
+ */
+static WERROR getncchanges_chunk_add_la_targets(struct getncchanges_repl_chunk *repl_chunk,
+ struct drsuapi_getncchanges_state *getnc_state,
+ uint32_t start_la_index,
+ TALLOC_CTX *mem_ctx,
+ struct ldb_context *sam_ctx,
+ struct dsdb_schema *schema,
+ DATA_BLOB *session_key,
+ struct drsuapi_DsGetNCChangesRequest10 *req10,
+ uint32_t *local_pas,
+ struct ldb_dn *machine_dn)
+{
+ int ret;
+ uint32_t i;
+ uint32_t max_la_index;
+ uint32_t max_links;
+ uint32_t target_count = 0;
+ WERROR werr = WERR_OK;
+ static const char * const msg_attrs[] = {
+ "*",
+ "nTSecurityDescriptor",
+ "parentGUID",
+ "replPropertyMetaData",
+ DSDB_SECRET_ATTRIBUTES,
+ NULL };
+
+ /*
+ * A object can potentially link to thousands of targets. Only bother
+ * checking as many targets as will fit into the current response
+ */
+ max_links = getncchanges_chunk_max_links(repl_chunk);
+ max_la_index = MIN(getnc_state->la_count,
+ start_la_index + max_links);
+
+ /* loop through any linked attributes to check */
+ for (i = start_la_index;
+ (i < max_la_index &&
+ !getncchanges_chunk_is_full(repl_chunk, getnc_state));
+ i++) {
+
+ struct GUID target_guid;
+ struct drsuapi_DsReplicaObjectListItemEx *new_objs = NULL;
+ const struct drsuapi_DsReplicaLinkedAttribute *la;
+ struct ldb_result *msg_res;
+ struct ldb_dn *search_dn;
+ TALLOC_CTX *tmp_ctx;
+ struct dsdb_dn *dn;
+ const struct dsdb_attribute *schema_attrib;
+ NTSTATUS status;
+ bool same_nc;
+
+ la = &getnc_state->la_list[i];
+ tmp_ctx = talloc_new(mem_ctx);
+
+ /*
+ * Track what linked attribute targets we've checked. We might
+ * not have time to check them all, so we should only send back
+ * the ones we've actually checked.
+ */
+ repl_chunk->tgt_la_count = i + 1;
+
+ /* get the GUID of the linked attribute's target object */
+ schema_attrib = dsdb_attribute_by_attributeID_id(schema,
+ la->attid);
+
+ werr = dsdb_dn_la_from_blob(sam_ctx, schema_attrib, schema,
+ tmp_ctx, la->value.blob, &dn);
+
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,(__location__ ": Bad la blob\n"));
+ return werr;
+ }
+
+ status = dsdb_get_extended_dn_guid(dn->dn, &target_guid, "GUID");
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return ntstatus_to_werror(status);
+ }
+
+ /*
+ * if the target isn't in the cache, then the client
+ * might not know about it, so send the target now
+ */
+ werr = dcesrv_drsuapi_obj_cache_exists(getnc_state->obj_cache,
+ &target_guid);
+
+ if (W_ERROR_EQUAL(werr, WERR_OBJECT_NAME_EXISTS)) {
+
+ /* target already sent, nothing to do */
+ TALLOC_FREE(tmp_ctx);
+ continue;
+ }
+
+ same_nc = dsdb_objects_have_same_nc(sam_ctx, tmp_ctx, dn->dn,
+ getnc_state->ncRoot_dn);
+
+ /* don't try to fetch target objects from another partition */
+ if (!same_nc) {
+ TALLOC_FREE(tmp_ctx);
+ continue;
+ }
+
+ search_dn = ldb_dn_new_fmt(tmp_ctx, sam_ctx, "<GUID=%s>",
+ GUID_string(tmp_ctx, &target_guid));
+ W_ERROR_HAVE_NO_MEMORY(search_dn);
+
+ ret = drsuapi_search_with_extended_dn(sam_ctx, tmp_ctx,
+ &msg_res, search_dn,
+ LDB_SCOPE_BASE,
+ msg_attrs, NULL);
+
+ /*
+ * Don't fail the replication if we can't find the target.
+ * This could happen for a one-way linked attribute, if the
+ * target is deleted and then later expunged (thus, the source
+ * object can be left with a hanging link). Continue to send
+ * the the link (the client-side has already tried once with
+ * GET_TGT, so it should just end up ignoring it).
+ */
+ if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+ DBG_WARNING("Encountered unknown link target DN %s\n",
+ ldb_dn_get_extended_linearized(tmp_ctx, dn->dn, 1));
+ TALLOC_FREE(tmp_ctx);
+ continue;
+
+ } else if (ret != LDB_SUCCESS) {
+ DBG_ERR("Failed to fetch link target DN %s - %s\n",
+ ldb_dn_get_extended_linearized(tmp_ctx, dn->dn, 1),
+ ldb_errstring(sam_ctx));
+ return WERR_DS_DRA_INCONSISTENT_DIT;
+ }
+
+ /*
+ * Construct an object, ready to send (this will include
+ * the object's ancestors as well, if GET_ANC is set)
+ */
+ werr = getncchanges_get_obj_to_send(msg_res->msgs[0], mem_ctx,
+ sam_ctx, getnc_state,
+ schema, session_key, req10,
+ false, local_pas,
+ machine_dn, &target_guid,
+ &new_objs);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ if (new_objs != NULL) {
+ target_count++;
+ getncchanges_chunk_add_objects(repl_chunk, new_objs);
+ }
+ TALLOC_FREE(tmp_ctx);
+ }
+
+ if (target_count > 0) {
+ DEBUG(3, ("GET_TGT: checked %u link-attrs, added %u target objs\n",
+ i - start_la_index, target_count));
+ }
+
+ return WERR_OK;
+}
+
+/**
+ * Creates a helper struct used for building a chunk of replication data,
+ * i.e. used over a single call to dcesrv_drsuapi_DsGetNCChanges().
+ */
+static struct getncchanges_repl_chunk * getncchanges_chunk_new(TALLOC_CTX *mem_ctx,
+ struct dcesrv_call_state *dce_call,
+ struct drsuapi_DsGetNCChangesRequest10 *req10)
+{
+ struct getncchanges_repl_chunk *repl_chunk;
+
+ repl_chunk = talloc_zero(mem_ctx, struct getncchanges_repl_chunk);
+
+ repl_chunk->start = time(NULL);
+
+ repl_chunk->max_objects = lpcfg_parm_int(dce_call->conn->dce_ctx->lp_ctx, NULL,
+ "drs", "max object sync",
+ DEFAULT_MAX_OBJECTS);
+
+ /*
+ * The client control here only applies in normal replication, not extended
+ * operations, which return a fixed set, even if the caller
+ * sets max_object_count == 0
+ */
+ if (req10->extended_op == DRSUAPI_EXOP_NONE) {
+
+ /*
+ * use this to force single objects at a time, which is useful
+ * for working out what object is giving problems
+ */
+ if (req10->max_object_count < repl_chunk->max_objects) {
+ repl_chunk->max_objects = req10->max_object_count;
+ }
+ }
+
+ repl_chunk->max_links =
+ lpcfg_parm_int(dce_call->conn->dce_ctx->lp_ctx, NULL,
+ "drs", "max link sync",
+ DEFAULT_MAX_LINKS);
+
+ repl_chunk->immediate_link_sync =
+ lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
+ "drs", "immediate link sync", false);
+
+ /*
+ * Maximum time that we can spend in a getncchanges
+ * in order to avoid timeout of the other part.
+ * 10 seconds by default.
+ */
+ repl_chunk->max_wait = lpcfg_parm_int(dce_call->conn->dce_ctx->lp_ctx,
+ NULL, "drs", "max work time", 10);
+
+ return repl_chunk;
+}
+
+/*
+ drsuapi_DsGetNCChanges
+
+ see MS-DRSR 4.1.10.5.2 for basic logic of this function
+*/
+WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsGetNCChanges *r)
+{
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
+ struct imessaging_context *imsg_ctx =
+ dcesrv_imessaging_context(dce_call->conn);
+ struct drsuapi_DsReplicaObjectIdentifier *untrusted_ncRoot;
+ int ret;
+ uint32_t i, k;
+ struct dsdb_schema *schema;
+ struct drsuapi_DsReplicaOIDMapping_Ctr *ctr;
+ struct getncchanges_repl_chunk *repl_chunk;
+ NTSTATUS status;
+ DATA_BLOB session_key;
+ WERROR werr;
+ struct dcesrv_handle *h;
+ struct drsuapi_bind_state *b_state;
+ struct drsuapi_getncchanges_state *getnc_state = NULL;
+ struct drsuapi_DsGetNCChangesRequest10 *req10;
+ uint32_t options;
+ uint32_t link_count = 0;
+ struct ldb_dn *search_dn = NULL;
+ bool am_rodc;
+ enum security_user_level security_level;
+ struct ldb_context *sam_ctx;
+ struct dom_sid *user_sid;
+ bool is_secret_request;
+ bool is_gc_pas_request;
+ struct drsuapi_changed_objects *changes;
+ bool has_get_all_changes = false;
+ struct GUID invocation_id;
+ static const struct drsuapi_DsReplicaLinkedAttribute no_linked_attr;
+ struct dsdb_schema_prefixmap *pfm_remote = NULL;
+ bool full = true;
+ uint32_t *local_pas = NULL;
+ struct ldb_dn *machine_dn = NULL; /* Only used for REPL SECRET EXOP */
+
+ DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
+ b_state = h->data;
+
+ /* sam_ctx_system is not present for non-administrator users */
+ sam_ctx = b_state->sam_ctx_system?b_state->sam_ctx_system:b_state->sam_ctx;
+
+ invocation_id = *(samdb_ntds_invocation_id(sam_ctx));
+
+ *r->out.level_out = 6;
+
+ r->out.ctr->ctr6.linked_attributes_count = 0;
+ r->out.ctr->ctr6.linked_attributes = discard_const_p(struct drsuapi_DsReplicaLinkedAttribute, &no_linked_attr);
+
+ r->out.ctr->ctr6.object_count = 0;
+ r->out.ctr->ctr6.nc_object_count = 0;
+ r->out.ctr->ctr6.more_data = false;
+ r->out.ctr->ctr6.uptodateness_vector = NULL;
+ r->out.ctr->ctr6.source_dsa_guid = *(samdb_ntds_objectGUID(sam_ctx));
+ r->out.ctr->ctr6.source_dsa_invocation_id = *(samdb_ntds_invocation_id(sam_ctx));
+ r->out.ctr->ctr6.first_object = NULL;
+
+ /* Check request revision.
+ */
+ switch (r->in.level) {
+ case 8:
+ req10 = getncchanges_map_req8(mem_ctx, &r->in.req->req8);
+ if (req10 == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ break;
+ case 10:
+ req10 = &r->in.req->req10;
+ break;
+ default:
+ DEBUG(0,(__location__ ": Request for DsGetNCChanges with unsupported level %u\n",
+ r->in.level));
+ return WERR_REVISION_MISMATCH;
+ }
+
+ repl_chunk = getncchanges_chunk_new(mem_ctx, dce_call, req10);
+
+ if (repl_chunk == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ /* a RODC doesn't allow for any replication */
+ ret = samdb_rodc(sam_ctx, &am_rodc);
+ if (ret == LDB_SUCCESS && am_rodc) {
+ DEBUG(0,(__location__ ": DsGetNCChanges attempt on RODC\n"));
+ return WERR_DS_DRA_SOURCE_DISABLED;
+ }
+
+ /*
+ * Help our tests pass by pre-checking the
+ * destination_dsa_guid before the NC permissions. Info on
+ * valid DSA GUIDs is not sensitive so this isn't a leak
+ */
+ switch (req10->extended_op) {
+ case DRSUAPI_EXOP_FSMO_REQ_ROLE:
+ case DRSUAPI_EXOP_FSMO_RID_ALLOC:
+ case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE:
+ case DRSUAPI_EXOP_FSMO_REQ_PDC:
+ case DRSUAPI_EXOP_FSMO_ABANDON_ROLE:
+ {
+ const char *attrs[] = { NULL };
+
+ ret = samdb_get_ntds_obj_by_guid(mem_ctx,
+ sam_ctx,
+ &req10->destination_dsa_guid,
+ attrs,
+ NULL);
+ if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+ /*
+ * Error out with an EXOP error but success at
+ * the top level return value
+ */
+ r->out.ctr->ctr6.extended_ret = DRSUAPI_EXOP_ERR_UNKNOWN_CALLER;
+ return WERR_OK;
+ } else if (ret != LDB_SUCCESS) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ break;
+ }
+ case DRSUAPI_EXOP_REPL_SECRET:
+ case DRSUAPI_EXOP_REPL_OBJ:
+ case DRSUAPI_EXOP_NONE:
+ break;
+ }
+
+ /* Perform access checks. */
+ untrusted_ncRoot = req10->naming_context;
+ if (untrusted_ncRoot == NULL) {
+ DEBUG(0,(__location__ ": Request for DsGetNCChanges with no NC\n"));
+ return WERR_DS_DRA_INVALID_PARAMETER;
+ }
+
+ if (samdb_ntds_options(sam_ctx, &options) != LDB_SUCCESS) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ if ((options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) &&
+ !(req10->replica_flags & DRSUAPI_DRS_SYNC_FORCED)) {
+ return WERR_DS_DRA_SOURCE_DISABLED;
+ }
+
+ user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
+
+ /*
+ * all clients must have GUID_DRS_GET_CHANGES. This finds the
+ * actual NC root of the given value and checks that, allowing
+ * REPL_OBJ to work safely
+ */
+ werr = drs_security_access_check_nc_root(sam_ctx,
+ mem_ctx,
+ session_info->security_token,
+ req10->naming_context,
+ GUID_DRS_GET_CHANGES);
+
+ if (W_ERROR_EQUAL(werr, WERR_DS_DRA_BAD_NC)) {
+ /*
+ * These extended operations need a different error if
+ * the supplied DN can't be found
+ */
+ switch (req10->extended_op) {
+ case DRSUAPI_EXOP_REPL_OBJ:
+ case DRSUAPI_EXOP_REPL_SECRET:
+ return WERR_DS_DRA_BAD_DN;
+ default:
+ return werr;
+ }
+ }
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ if (dsdb_functional_level(sam_ctx) >= DS_DOMAIN_FUNCTION_2008) {
+ full = req10->partial_attribute_set == NULL &&
+ req10->partial_attribute_set_ex == NULL;
+ } else {
+ full = (options & DRSUAPI_DRS_WRIT_REP) != 0;
+ }
+
+ werr = dsdb_schema_pfm_from_drsuapi_pfm(&req10->mapping_ctr, true,
+ mem_ctx, &pfm_remote, NULL);
+
+ /* We were supplied a partial attribute set, without the prefix map! */
+ if (!full && !W_ERROR_IS_OK(werr)) {
+ if (req10->mapping_ctr.num_mappings == 0) {
+ /*
+ * Despite the fact MS-DRSR specifies that this shouldn't
+ * happen, Windows RODCs will in fact not provide a prefixMap.
+ */
+ DEBUG(5,(__location__ ": Failed to provide a remote prefixMap,"
+ " falling back to local prefixMap\n"));
+ } else {
+ DEBUG(0,(__location__ ": Failed to decode remote prefixMap: %s\n",
+ win_errstr(werr)));
+ return werr;
+ }
+ }
+
+ /* allowed if the GC PAS and client has
+ GUID_DRS_GET_FILTERED_ATTRIBUTES */
+ werr = dcesrv_drsuapi_is_gc_pas_request(b_state, req10, pfm_remote, &is_gc_pas_request);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+ if (is_gc_pas_request) {
+ werr = drs_security_access_check_nc_root(sam_ctx,
+ mem_ctx,
+ session_info->security_token,
+ req10->naming_context,
+ GUID_DRS_GET_FILTERED_ATTRIBUTES);
+ if (W_ERROR_IS_OK(werr)) {
+ goto allowed;
+ }
+ }
+
+ werr = dcesrv_drsuapi_is_reveal_secrets_request(b_state, req10,
+ pfm_remote,
+ &is_secret_request);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+ if (is_secret_request) {
+ werr = drs_security_access_check_nc_root(sam_ctx,
+ mem_ctx,
+ session_info->security_token,
+ req10->naming_context,
+ GUID_DRS_GET_ALL_CHANGES);
+ if (!W_ERROR_IS_OK(werr)) {
+ /* Only bail if this is not a EXOP_REPL_SECRET */
+ if (req10->extended_op != DRSUAPI_EXOP_REPL_SECRET) {
+ return werr;
+ }
+ } else {
+ has_get_all_changes = true;
+ }
+ }
+
+allowed:
+ /* for non-administrator replications, check that they have
+ given the correct source_dsa_invocation_id */
+ security_level = security_session_user_level(session_info,
+ samdb_domain_sid(sam_ctx));
+ if (security_level == SECURITY_RO_DOMAIN_CONTROLLER) {
+ if (req10->replica_flags & DRSUAPI_DRS_WRIT_REP) {
+ /* we rely on this flag being unset for RODC requests */
+ req10->replica_flags &= ~DRSUAPI_DRS_WRIT_REP;
+ }
+ }
+
+ if (req10->replica_flags & DRSUAPI_DRS_FULL_SYNC_PACKET) {
+ /* Ignore the _in_ uptpdateness vector*/
+ req10->uptodateness_vector = NULL;
+ }
+
+ if (GUID_all_zero(&req10->source_dsa_invocation_id)) {
+ req10->source_dsa_invocation_id = invocation_id;
+ }
+
+ if (!GUID_equal(&req10->source_dsa_invocation_id, &invocation_id)) {
+ /*
+ * The given highwatermark is only valid relative to the
+ * specified source_dsa_invocation_id.
+ */
+ ZERO_STRUCT(req10->highwatermark);
+ }
+
+ /*
+ * An extended operation is "special single-response cycle"
+ * per MS-DRSR 4.1.10.1.1 "Start and Finish" so we don't need
+ * to guess if this is a continuation of any long-term
+ * state.
+ *
+ * Otherwise, maintain (including marking as stale, which is
+ * what the below is for) the replication state.
+ *
+ * Note that point 5 "The server implementation MAY declare
+ * the supplied values ... as too stale to use." would allow
+ * resetting the state at almost any point, Microsoft Azure AD
+ * Connect will switch back and forth between a REPL_OBJ and a
+ * full replication, so we must not reset the statue during
+ * extended operations.
+ */
+ if (req10->extended_op == DRSUAPI_EXOP_NONE &&
+ b_state->getncchanges_full_repl_state != NULL) {
+ /*
+ * Knowing that this is not an extended operation, we
+ * can access (and validate) the full replication
+ * state
+ */
+ getnc_state = b_state->getncchanges_full_repl_state;
+ }
+
+ /* see if a previous replication has been abandoned */
+ if (getnc_state != NULL) {
+ struct ldb_dn *new_dn;
+ ret = drs_ObjectIdentifier_to_dn_and_nc_root(getnc_state,
+ sam_ctx,
+ untrusted_ncRoot,
+ &new_dn,
+ NULL);
+ if (ret != LDB_SUCCESS) {
+ /*
+ * This can't fail as we have done this above
+ * implicitly but not got the DN out, but
+ * print a good error message regardless just
+ * in case.
+ */
+ DBG_ERR("Bad DN '%s' as Naming Context for GetNCChanges: %s\n",
+ drs_ObjectIdentifier_to_debug_string(mem_ctx, untrusted_ncRoot),
+ ldb_strerror(ret));
+ return WERR_DS_DRA_INVALID_PARAMETER;
+ }
+ if (ldb_dn_compare(new_dn, getnc_state->ncRoot_dn) != 0) {
+ DEBUG(0,(__location__ ": DsGetNCChanges 2nd replication on different DN %s %s (last_dn %s)\n",
+ ldb_dn_get_linearized(new_dn),
+ ldb_dn_get_linearized(getnc_state->ncRoot_dn),
+ ldb_dn_get_linearized(getnc_state->last_dn)));
+ TALLOC_FREE(getnc_state);
+ b_state->getncchanges_full_repl_state = NULL;
+ }
+ }
+
+ if (getnc_state != NULL) {
+ ret = drsuapi_DsReplicaHighWaterMark_cmp(&getnc_state->last_hwm,
+ &req10->highwatermark);
+ if (ret != 0) {
+ DEBUG(0,(__location__ ": DsGetNCChanges 2nd replication "
+ "on DN %s %s highwatermark (last_dn %s)\n",
+ ldb_dn_get_linearized(getnc_state->ncRoot_dn),
+ (ret > 0) ? "older" : "newer",
+ ldb_dn_get_linearized(getnc_state->last_dn)));
+ TALLOC_FREE(getnc_state);
+ b_state->getncchanges_full_repl_state = NULL;
+ }
+ }
+
+ /*
+ * This is either a new replication cycle, or an extended
+ * operation. A new cycle is triggered above by the
+ * TALLOC_FREE() which sets getnc_state to NULL.
+ */
+ if (getnc_state == NULL) {
+ struct ldb_result *res = NULL;
+ const char *attrs[] = {
+ "instanceType",
+ "objectGuID",
+ NULL
+ };
+ uint32_t nc_instanceType;
+ struct ldb_dn *ncRoot_dn;
+
+ ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx,
+ sam_ctx,
+ untrusted_ncRoot,
+ &ncRoot_dn,
+ NULL);
+ if (ret != LDB_SUCCESS) {
+ DBG_ERR("Bad DN '%s' as Naming Context or EXOP DN for GetNCChanges: %s\n",
+ drs_ObjectIdentifier_to_debug_string(mem_ctx, untrusted_ncRoot),
+ ldb_strerror(ret));
+ return WERR_DS_DRA_BAD_DN;
+ }
+
+ ret = dsdb_search_dn(sam_ctx, mem_ctx, &res,
+ ncRoot_dn, attrs,
+ DSDB_SEARCH_SHOW_DELETED |
+ DSDB_SEARCH_SHOW_RECYCLED);
+ if (ret != LDB_SUCCESS) {
+ DBG_WARNING("Failed to find ncRoot_dn %s\n",
+ ldb_dn_get_linearized(ncRoot_dn));
+ return WERR_DS_DRA_BAD_DN;
+ }
+ nc_instanceType = ldb_msg_find_attr_as_int(res->msgs[0],
+ "instanceType",
+ 0);
+
+ if (req10->extended_op != DRSUAPI_EXOP_NONE) {
+ r->out.ctr->ctr6.extended_ret = DRSUAPI_EXOP_ERR_SUCCESS;
+ }
+
+ /*
+ * This is the first replication cycle and it is
+ * a good place to handle extended operations
+ *
+ * FIXME: we don't fully support extended operations yet
+ */
+ switch (req10->extended_op) {
+ case DRSUAPI_EXOP_NONE:
+ if ((nc_instanceType & INSTANCE_TYPE_IS_NC_HEAD) == 0) {
+ const char *dn_str
+ = ldb_dn_get_linearized(ncRoot_dn);
+
+ DBG_NOTICE("Rejecting full replication on "
+ "not NC %s", dn_str);
+
+ return WERR_DS_CANT_FIND_EXPECTED_NC;
+ }
+
+ break;
+ case DRSUAPI_EXOP_FSMO_RID_ALLOC:
+ werr = getncchanges_rid_alloc(b_state, mem_ctx, req10, &r->out.ctr->ctr6, &search_dn);
+ W_ERROR_NOT_OK_RETURN(werr);
+ if (r->out.ctr->ctr6.extended_ret != DRSUAPI_EXOP_ERR_SUCCESS) {
+ return WERR_OK;
+ }
+ break;
+ case DRSUAPI_EXOP_REPL_SECRET:
+ werr = getncchanges_repl_secret(b_state, mem_ctx, req10,
+ user_sid,
+ &r->out.ctr->ctr6,
+ has_get_all_changes,
+ &machine_dn);
+ r->out.result = werr;
+ W_ERROR_NOT_OK_RETURN(werr);
+ break;
+ case DRSUAPI_EXOP_FSMO_REQ_ROLE:
+ werr = getncchanges_change_master(b_state, mem_ctx, req10, &r->out.ctr->ctr6);
+ W_ERROR_NOT_OK_RETURN(werr);
+ if (r->out.ctr->ctr6.extended_ret != DRSUAPI_EXOP_ERR_SUCCESS) {
+ return WERR_OK;
+ }
+ break;
+ case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE:
+ werr = getncchanges_change_master(b_state, mem_ctx, req10, &r->out.ctr->ctr6);
+ W_ERROR_NOT_OK_RETURN(werr);
+ if (r->out.ctr->ctr6.extended_ret != DRSUAPI_EXOP_ERR_SUCCESS) {
+ return WERR_OK;
+ }
+ break;
+ case DRSUAPI_EXOP_FSMO_REQ_PDC:
+ werr = getncchanges_change_master(b_state, mem_ctx, req10, &r->out.ctr->ctr6);
+ W_ERROR_NOT_OK_RETURN(werr);
+ if (r->out.ctr->ctr6.extended_ret != DRSUAPI_EXOP_ERR_SUCCESS) {
+ return WERR_OK;
+ }
+ break;
+ case DRSUAPI_EXOP_REPL_OBJ:
+ werr = getncchanges_repl_obj(b_state, mem_ctx, req10, user_sid, &r->out.ctr->ctr6);
+ r->out.result = werr;
+ W_ERROR_NOT_OK_RETURN(werr);
+ break;
+
+ case DRSUAPI_EXOP_FSMO_ABANDON_ROLE:
+
+ DEBUG(0,(__location__ ": Request for DsGetNCChanges unsupported extended op 0x%x\n",
+ (unsigned)req10->extended_op));
+ return WERR_DS_DRA_NOT_SUPPORTED;
+ }
+
+ /*
+ * Initialize the state, initially for the remainder
+ * of this call (EXOPs)
+ *
+ * An extended operation is a "special single-response
+ * cycle" per MS-DRSR 4.1.10.1.1 "Start and Finish"
+ *
+ */
+ getnc_state = talloc_zero(mem_ctx, struct drsuapi_getncchanges_state);
+ if (getnc_state == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ if (req10->extended_op == DRSUAPI_EXOP_NONE) {
+ /*
+ * Promote the memory to being a store of
+ * long-term state that we will use over the
+ * replication cycle for full replication
+ * requests
+ *
+ * Store the state in a clearly named location
+ * for pulling back only during full
+ * replications
+ */
+ b_state->getncchanges_full_repl_state
+ = talloc_steal(b_state, getnc_state);
+ }
+
+ getnc_state->ncRoot_dn = ncRoot_dn;
+ talloc_steal(getnc_state, ncRoot_dn);
+
+ getnc_state->ncRoot_guid = samdb_result_guid(res->msgs[0],
+ "objectGUID");
+
+ /* find out if we are to replicate Schema NC */
+ ret = ldb_dn_compare_base(ldb_get_schema_basedn(sam_ctx),
+ ncRoot_dn);
+ getnc_state->is_schema_nc = (0 == ret);
+
+ TALLOC_FREE(res);
+ }
+
+ /* we need the session key for encrypting password attributes */
+ status = dcesrv_auth_session_key(dce_call, &session_key);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,(__location__ ": Failed to get session key\n"));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ /*
+ TODO: MS-DRSR section 4.1.10.1.1
+ Work out if this is the start of a new cycle */
+
+ if (getnc_state->guids == NULL) {
+ const char *extra_filter;
+ struct ldb_result *search_res = NULL;
+ static const struct drsuapi_DsReplicaCursorCtrEx empty_udv;
+ const struct drsuapi_DsReplicaCursorCtrEx *udv = NULL;
+
+ extra_filter = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "object filter");
+
+ if (req10->extended_op == DRSUAPI_EXOP_NONE) {
+ if (req10->uptodateness_vector != NULL) {
+ udv = req10->uptodateness_vector;
+ } else {
+ udv = &empty_udv;
+ }
+
+ getnc_state->min_usn = req10->highwatermark.highest_usn;
+ for (i = 0; i < udv->count; i++) {
+ bool match;
+ const struct drsuapi_DsReplicaCursor *cur =
+ &udv->cursors[i];
+
+ match = GUID_equal(&invocation_id,
+ &cur->source_dsa_invocation_id);
+ if (!match) {
+ continue;
+ }
+ if (cur->highest_usn > getnc_state->min_usn) {
+ getnc_state->min_usn = cur->highest_usn;
+ }
+ break;
+ }
+ } else {
+ /* We do not want REPL_SECRETS or REPL_SINGLE to return empty-handed */
+ udv = &empty_udv;
+ getnc_state->min_usn = 0;
+ }
+
+ getnc_state->max_usn = getnc_state->min_usn;
+
+ getnc_state->final_udv = talloc_zero(getnc_state,
+ struct drsuapi_DsReplicaCursor2CtrEx);
+ if (getnc_state->final_udv == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ werr = get_nc_changes_udv(sam_ctx, getnc_state->ncRoot_dn,
+ getnc_state->final_udv);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ if (req10->extended_op == DRSUAPI_EXOP_NONE) {
+ werr = getncchanges_collect_objects(b_state, mem_ctx,
+ getnc_state, req10,
+ search_dn, extra_filter,
+ &search_res);
+ } else {
+ werr = getncchanges_collect_objects_exop(b_state, mem_ctx,
+ getnc_state, req10,
+ &r->out.ctr->ctr6,
+ search_dn, extra_filter,
+ &search_res);
+ }
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ /* extract out the GUIDs list */
+ getnc_state->num_records = search_res ? search_res->count : 0;
+ getnc_state->guids = talloc_array(getnc_state, struct GUID, getnc_state->num_records);
+ W_ERROR_HAVE_NO_MEMORY(getnc_state->guids);
+
+ changes = talloc_array(getnc_state,
+ struct drsuapi_changed_objects,
+ getnc_state->num_records);
+ W_ERROR_HAVE_NO_MEMORY(changes);
+
+ for (i=0; i<getnc_state->num_records; i++) {
+ changes[i].dn = search_res->msgs[i]->dn;
+ changes[i].guid = samdb_result_guid(search_res->msgs[i], "objectGUID");
+ changes[i].usn = ldb_msg_find_attr_as_uint64(search_res->msgs[i], "uSNChanged", 0);
+
+ if (changes[i].usn > getnc_state->max_usn) {
+ getnc_state->max_usn = changes[i].usn;
+ }
+
+ if (req10->extended_op == DRSUAPI_EXOP_NONE &&
+ GUID_equal(&changes[i].guid, &getnc_state->ncRoot_guid))
+ {
+ getnc_state->send_nc_root_first = true;
+ }
+ }
+
+ if (req10->extended_op == DRSUAPI_EXOP_NONE) {
+ getnc_state->is_get_anc =
+ ((req10->replica_flags & DRSUAPI_DRS_GET_ANC) != 0);
+ if (getnc_state->is_get_anc
+ && lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx,
+ NULL,
+ "drs",
+ "broken_samba_4.5_get_anc_emulation",
+ false)) {
+ getnc_state->broken_samba_4_5_get_anc_emulation = true;
+ }
+ if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx,
+ NULL,
+ "drs",
+ "get_tgt_support",
+ true)) {
+ getnc_state->is_get_tgt =
+ ((req10->more_flags & DRSUAPI_DRS_GET_TGT) != 0);
+ }
+ }
+
+ /* RID_ALLOC returns 3 objects in a fixed order */
+ if (req10->extended_op == DRSUAPI_EXOP_FSMO_RID_ALLOC) {
+ /* Do nothing */
+ } else if (getnc_state->broken_samba_4_5_get_anc_emulation) {
+ LDB_TYPESAFE_QSORT(changes,
+ getnc_state->num_records,
+ getnc_state,
+ site_res_cmp_anc_order);
+ } else {
+ LDB_TYPESAFE_QSORT(changes,
+ getnc_state->num_records,
+ getnc_state,
+ site_res_cmp_usn_order);
+ }
+
+ for (i=0; i < getnc_state->num_records; i++) {
+ getnc_state->guids[i] = changes[i].guid;
+ if (GUID_all_zero(&getnc_state->guids[i])) {
+ DEBUG(2,("getncchanges: bad objectGUID from %s\n",
+ ldb_dn_get_linearized(search_res->msgs[i]->dn)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ }
+
+ getnc_state->final_hwm.tmp_highest_usn = getnc_state->max_usn;
+ getnc_state->final_hwm.reserved_usn = 0;
+ getnc_state->final_hwm.highest_usn = getnc_state->max_usn;
+
+ talloc_free(search_res);
+ talloc_free(changes);
+
+ /*
+ * when using GET_ANC or GET_TGT, cache the objects that have
+ * been already sent, to avoid sending them multiple times
+ */
+ if (getnc_state->is_get_anc || getnc_state->is_get_tgt) {
+ DEBUG(3,("Using object cache, GET_ANC %u, GET_TGT %u\n",
+ getnc_state->is_get_anc,
+ getnc_state->is_get_tgt));
+
+ getnc_state->obj_cache = db_open_rbt(getnc_state);
+ if (getnc_state->obj_cache == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ }
+ }
+
+ if (req10->uptodateness_vector) {
+ /* make sure its sorted */
+ TYPESAFE_QSORT(req10->uptodateness_vector->cursors,
+ req10->uptodateness_vector->count,
+ drsuapi_DsReplicaCursor_compare);
+ }
+
+ /* Prefix mapping */
+ schema = dsdb_get_schema(sam_ctx, mem_ctx);
+ if (!schema) {
+ DEBUG(0,("No schema in sam_ctx\n"));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ r->out.ctr->ctr6.naming_context = talloc(mem_ctx, struct drsuapi_DsReplicaObjectIdentifier);
+ if (r->out.ctr->ctr6.naming_context == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ /*
+ * Match Windows and echo back the original values from the request, even if
+ * they say DummyDN for the string NC
+ */
+ *r->out.ctr->ctr6.naming_context = *untrusted_ncRoot;
+
+ /* find the SID if there is one */
+ dsdb_find_sid_by_dn(sam_ctx, getnc_state->ncRoot_dn, &r->out.ctr->ctr6.naming_context->sid);
+
+ /* Set GUID */
+ r->out.ctr->ctr6.naming_context->guid = getnc_state->ncRoot_guid;
+
+ dsdb_get_oid_mappings_drsuapi(schema, true, mem_ctx, &ctr);
+ r->out.ctr->ctr6.mapping_ctr = *ctr;
+
+ r->out.ctr->ctr6.source_dsa_guid = *(samdb_ntds_objectGUID(sam_ctx));
+ r->out.ctr->ctr6.source_dsa_invocation_id = *(samdb_ntds_invocation_id(sam_ctx));
+
+ r->out.ctr->ctr6.old_highwatermark = req10->highwatermark;
+ r->out.ctr->ctr6.new_highwatermark = req10->highwatermark;
+
+ /*
+ * If the client has already set GET_TGT then we know they can handle
+ * receiving the linked attributes interleaved with the source objects
+ */
+ if (getnc_state->is_get_tgt) {
+ repl_chunk->immediate_link_sync = true;
+ }
+
+ if (req10->partial_attribute_set != NULL) {
+ struct dsdb_syntax_ctx syntax_ctx;
+ uint32_t j = 0;
+
+ dsdb_syntax_ctx_init(&syntax_ctx, sam_ctx, schema);
+ syntax_ctx.pfm_remote = pfm_remote;
+
+ local_pas = talloc_array(b_state, uint32_t, req10->partial_attribute_set->num_attids);
+
+ for (j = 0; j < req10->partial_attribute_set->num_attids; j++) {
+ getncchanges_attid_remote_to_local(schema,
+ &syntax_ctx,
+ req10->partial_attribute_set->attids[j],
+ (enum drsuapi_DsAttributeId *)&local_pas[j],
+ NULL);
+ }
+
+ TYPESAFE_QSORT(local_pas,
+ req10->partial_attribute_set->num_attids,
+ uint32_t_ptr_cmp);
+ }
+
+ /*
+ * If we have the NC root in this replication, send it
+ * first regardless. However, don't bump the USN now,
+ * treat it as if it was sent early due to GET_ANC
+ *
+ * This is triggered for each call, so every page of responses
+ * gets the NC root as the first object, up to the point where
+ * it naturally occurs in the replication.
+ */
+
+ if (getnc_state->send_nc_root_first) {
+ struct drsuapi_DsReplicaObjectListItemEx *new_objs = NULL;
+
+ werr = getncchanges_add_ancestors(&getnc_state->ncRoot_guid,
+ NULL, mem_ctx,
+ sam_ctx, getnc_state,
+ schema, &session_key,
+ req10, local_pas,
+ machine_dn, &new_objs);
+
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ getncchanges_chunk_add_objects(repl_chunk, new_objs);
+
+ DEBUG(8,(__location__ ": replicating NC root %s\n",
+ ldb_dn_get_linearized(getnc_state->ncRoot_dn)));
+ }
+
+ /*
+ * Check in case we're still processing the links from an object in the
+ * previous chunk. We want to send the links (and any targets needed)
+ * before moving on to the next object.
+ */
+ if (getnc_state->is_get_tgt) {
+ werr = getncchanges_chunk_add_la_targets(repl_chunk,
+ getnc_state,
+ getnc_state->la_idx,
+ mem_ctx, sam_ctx,
+ schema, &session_key,
+ req10, local_pas,
+ machine_dn);
+
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+ }
+
+ for (i=getnc_state->num_processed;
+ i<getnc_state->num_records &&
+ !getncchanges_chunk_is_full(repl_chunk, getnc_state);
+ i++) {
+ struct drsuapi_DsReplicaObjectListItemEx *new_objs = NULL;
+ struct ldb_message *msg;
+ static const char * const msg_attrs[] = {
+ "*",
+ "nTSecurityDescriptor",
+ "parentGUID",
+ "replPropertyMetaData",
+ DSDB_SECRET_ATTRIBUTES,
+ NULL };
+ struct ldb_result *msg_res;
+ struct ldb_dn *msg_dn;
+ bool obj_already_sent = false;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ uint32_t old_la_index;
+
+ /*
+ * Once we get to the 'natural' place to send the NC
+ * root, stop sending it at the front of each reply
+ * and make sure to suppress sending it now
+ *
+ * We don't just 'continue' here as we must send links
+ * and unlike Windows we want to update the
+ * tmp_highest_usn
+ */
+
+ if (getnc_state->send_nc_root_first &&
+ GUID_equal(&getnc_state->guids[i], &getnc_state->ncRoot_guid))
+ {
+ getnc_state->send_nc_root_first = false;
+ obj_already_sent = true;
+ }
+
+ msg_dn = ldb_dn_new_fmt(tmp_ctx, sam_ctx, "<GUID=%s>",
+ GUID_string(tmp_ctx, &getnc_state->guids[i]));
+ W_ERROR_HAVE_NO_MEMORY(msg_dn);
+
+ /*
+ * by re-searching here we avoid having a lot of full
+ * records in memory between calls to getncchanges.
+ *
+ * We expect that we may get some objects that vanish
+ * (tombstone expunge) between the first and second
+ * check.
+ */
+ ret = drsuapi_search_with_extended_dn(sam_ctx, tmp_ctx, &msg_res,
+ msg_dn,
+ LDB_SCOPE_BASE, msg_attrs, NULL);
+ if (ret != LDB_SUCCESS) {
+ if (ret != LDB_ERR_NO_SUCH_OBJECT) {
+ DEBUG(1,("getncchanges: failed to fetch DN %s - %s\n",
+ ldb_dn_get_extended_linearized(tmp_ctx, msg_dn, 1),
+ ldb_errstring(sam_ctx)));
+ }
+ TALLOC_FREE(tmp_ctx);
+ continue;
+ }
+
+ if (msg_res->count == 0) {
+ DEBUG(1,("getncchanges: got LDB_SUCCESS but failed"
+ "to get any results in fetch of DN "
+ "%s (race with tombstone expunge?)\n",
+ ldb_dn_get_extended_linearized(tmp_ctx,
+ msg_dn, 1)));
+ TALLOC_FREE(tmp_ctx);
+ continue;
+ }
+
+ msg = msg_res->msgs[0];
+
+ /*
+ * Check if we've already sent the object as an ancestor of
+ * another object. If so, we don't need to send it again
+ */
+ if (getnc_state->obj_cache != NULL) {
+ werr = dcesrv_drsuapi_obj_cache_exists(getnc_state->obj_cache,
+ &getnc_state->guids[i]);
+ if (W_ERROR_EQUAL(werr, WERR_OBJECT_NAME_EXISTS)) {
+ obj_already_sent = true;
+ }
+ }
+
+ if (!obj_already_sent) {
+ bool max_wait_reached;
+
+ max_wait_reached = getncchanges_chunk_timed_out(repl_chunk);
+
+ /*
+ * Construct an object, ready to send (this will include
+ * the object's ancestors as well, if needed)
+ */
+ werr = getncchanges_get_obj_to_send(msg, mem_ctx, sam_ctx,
+ getnc_state, schema,
+ &session_key, req10,
+ max_wait_reached,
+ local_pas, machine_dn,
+ &getnc_state->guids[i],
+ &new_objs);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+ }
+
+ old_la_index = getnc_state->la_count;
+
+ /*
+ * We've reached the USN where this object naturally occurs.
+ * Regardless of whether we've already sent the object (as an
+ * ancestor), we add its links and update the HWM at this point
+ */
+ werr = get_nc_changes_add_links(sam_ctx, getnc_state,
+ getnc_state->is_schema_nc,
+ schema, getnc_state->min_usn,
+ req10->replica_flags,
+ msg,
+ &getnc_state->la_list,
+ &getnc_state->la_count,
+ req10->uptodateness_vector);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ dcesrv_drsuapi_update_highwatermark(msg,
+ getnc_state->max_usn,
+ &r->out.ctr->ctr6.new_highwatermark);
+
+ if (new_objs != NULL) {
+
+ /*
+ * Add the object (and, if GET_ANC, any parents it may
+ * have) into the current chunk of replication data
+ */
+ getncchanges_chunk_add_objects(repl_chunk, new_objs);
+
+ talloc_free(getnc_state->last_dn);
+ /*
+ * talloc_steal() as we still need msg->dn to
+ * be a valid pointer for the log on the next
+ * line.
+ *
+ * msg only remains in scope for the next 25
+ * lines or so anyway.
+ */
+ getnc_state->last_dn = talloc_steal(getnc_state, msg->dn);
+ }
+
+ DEBUG(8,(__location__ ": %s object %s new tmp_highest_usn=%" PRIu64 "\n",
+ new_objs ? "replicating" : "skipping send of",
+ ldb_dn_get_linearized(msg->dn),
+ r->out.ctr->ctr6.new_highwatermark.tmp_highest_usn));
+
+ getnc_state->total_links += (getnc_state->la_count - old_la_index);
+
+ /*
+ * If the GET_TGT flag was set, check any new links added to
+ * make sure the client knows about the link target object
+ */
+ if (getnc_state->is_get_tgt) {
+ werr = getncchanges_chunk_add_la_targets(repl_chunk,
+ getnc_state,
+ old_la_index,
+ mem_ctx, sam_ctx,
+ schema, &session_key,
+ req10, local_pas,
+ machine_dn);
+
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+ }
+
+ TALLOC_FREE(tmp_ctx);
+ }
+
+ /* copy the constructed object list into the response message */
+ r->out.ctr->ctr6.object_count = repl_chunk->object_count;
+ r->out.ctr->ctr6.first_object = repl_chunk->object_list;
+
+ getnc_state->num_processed = i;
+
+ if (i < getnc_state->num_records) {
+ r->out.ctr->ctr6.more_data = true;
+ }
+
+ /* the client can us to call UpdateRefs on its behalf to
+ re-establish monitoring of the NC */
+ if ((req10->replica_flags & (DRSUAPI_DRS_ADD_REF | DRSUAPI_DRS_REF_GCSPN)) &&
+ !GUID_all_zero(&req10->destination_dsa_guid)) {
+ struct drsuapi_DsReplicaUpdateRefsRequest1 ureq;
+ DEBUG(3,("UpdateRefs on getncchanges for %s\n",
+ GUID_string(mem_ctx, &req10->destination_dsa_guid)));
+
+ /*
+ * We pass the pre-validation NC root here as
+ * drsuapi_UpdateRefs() has to check its own input
+ * values due to being called from
+ * dcesrv_drsuapi_DsReplicaUpdateRefs()
+ */
+
+ ureq.naming_context = untrusted_ncRoot;
+ ureq.dest_dsa_dns_name = samdb_ntds_msdcs_dns_name(sam_ctx, mem_ctx,
+ &req10->destination_dsa_guid);
+ if (!ureq.dest_dsa_dns_name) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ ureq.dest_dsa_guid = req10->destination_dsa_guid;
+ ureq.options = DRSUAPI_DRS_ADD_REF |
+ DRSUAPI_DRS_ASYNC_OP |
+ DRSUAPI_DRS_GETCHG_CHECK;
+
+ /* we also need to pass through the
+ DRSUAPI_DRS_REF_GCSPN bit so that repsTo gets flagged
+ to send notifies using the GC SPN */
+ ureq.options |= (req10->replica_flags & DRSUAPI_DRS_REF_GCSPN);
+
+ werr = drsuapi_UpdateRefs(imsg_ctx,
+ dce_call->event_ctx,
+ b_state,
+ mem_ctx,
+ &ureq);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,(__location__ ": Failed UpdateRefs on %s for %s in DsGetNCChanges - %s\n",
+ drs_ObjectIdentifier_to_debug_string(mem_ctx, untrusted_ncRoot),
+ ureq.dest_dsa_dns_name,
+ win_errstr(werr)));
+ }
+ }
+
+ /*
+ * Work out how many links we can send in this chunk. The default is to
+ * send all the links last, but there is a config option to send them
+ * immediately, in the same chunk as their source object
+ */
+ if (!r->out.ctr->ctr6.more_data || repl_chunk->immediate_link_sync) {
+ link_count = getncchanges_chunk_links_pending(repl_chunk,
+ getnc_state);
+ link_count = MIN(link_count,
+ getncchanges_chunk_max_links(repl_chunk));
+ }
+
+ /* If we've got linked attributes to send, add them now */
+ if (link_count > 0) {
+ struct la_for_sorting *la_sorted;
+
+ /*
+ * Grab a chunk of linked attributes off the list and put them
+ * in sorted array, ready to send
+ */
+ werr = getncchanges_get_sorted_array(&getnc_state->la_list[getnc_state->la_idx],
+ link_count,
+ sam_ctx, getnc_state,
+ schema,
+ &la_sorted);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ r->out.ctr->ctr6.linked_attributes_count = link_count;
+ r->out.ctr->ctr6.linked_attributes = talloc_array(r->out.ctr, struct drsuapi_DsReplicaLinkedAttribute, link_count);
+ if (r->out.ctr->ctr6.linked_attributes == NULL) {
+ DEBUG(0, ("Out of memory allocating %u linked attributes for output", link_count));
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ for (k = 0; k < link_count; k++) {
+ r->out.ctr->ctr6.linked_attributes[k] = *la_sorted[k].link;
+ }
+
+ getnc_state->la_idx += link_count;
+ getnc_state->links_given += link_count;
+
+ if (getnc_state->la_idx < getnc_state->la_count) {
+ r->out.ctr->ctr6.more_data = true;
+ } else {
+
+ /*
+ * We've now sent all the links seen so far, so we can
+ * reset la_list back to an empty list again. Note that
+ * the steal means the linked attribute memory gets
+ * freed after this RPC message is sent on the wire.
+ */
+ talloc_steal(mem_ctx, getnc_state->la_list);
+ getnc_state->la_list = NULL;
+ getnc_state->la_idx = 0;
+ getnc_state->la_count = 0;
+ }
+
+ TALLOC_FREE(la_sorted);
+ }
+
+ if (req10->replica_flags & DRSUAPI_DRS_GET_NC_SIZE) {
+ /*
+ * TODO: This implementation is wrong
+ * we should find out the total number of
+ * objects and links in the whole naming context
+ * at the start of the cycle and return these
+ * values in each message.
+ *
+ * For now we keep our current strategy and return
+ * the number of objects for this cycle and the number
+ * of links we found so far during the cycle.
+ */
+ r->out.ctr->ctr6.nc_object_count = getnc_state->num_records;
+ r->out.ctr->ctr6.nc_linked_attributes_count = getnc_state->total_links;
+ }
+
+ if (req10->extended_op != DRSUAPI_EXOP_NONE) {
+ r->out.ctr->ctr6.uptodateness_vector = NULL;
+ r->out.ctr->ctr6.nc_object_count = 0;
+ ZERO_STRUCT(r->out.ctr->ctr6.new_highwatermark);
+ } else if (!r->out.ctr->ctr6.more_data) {
+
+ /* this is the last response in the replication cycle */
+ r->out.ctr->ctr6.new_highwatermark = getnc_state->final_hwm;
+ r->out.ctr->ctr6.uptodateness_vector = talloc_move(mem_ctx,
+ &getnc_state->final_udv);
+
+ /*
+ * Free the state info stored for the replication cycle. Note
+ * that the RPC message we're sending contains links stored in
+ * getnc_state. mem_ctx is local to this RPC call, so the memory
+ * will get freed after the RPC message is sent on the wire.
+ *
+ * We must not do this for an EXOP, as that should not
+ * end the replication state, which is why that is
+ * checked first above.
+ */
+ talloc_steal(mem_ctx, getnc_state);
+ b_state->getncchanges_full_repl_state = NULL;
+ } else {
+ ret = drsuapi_DsReplicaHighWaterMark_cmp(&r->out.ctr->ctr6.old_highwatermark,
+ &r->out.ctr->ctr6.new_highwatermark);
+ if (ret == 0) {
+ /*
+ * We need to make sure that we never return the
+ * same highwatermark within the same replication
+ * cycle more than once. Otherwise we cannot detect
+ * when the client uses an unexptected highwatermark.
+ *
+ * This is a HACK which is needed because our
+ * object ordering is wrong and set tmp_highest_usn
+ * to a value that is higher than what we already
+ * sent to the client (destination dsa).
+ */
+ r->out.ctr->ctr6.new_highwatermark.reserved_usn += 1;
+ }
+
+ getnc_state->last_hwm = r->out.ctr->ctr6.new_highwatermark;
+ }
+
+ TALLOC_FREE(repl_chunk);
+
+ DEBUG(r->out.ctr->ctr6.more_data?4:2,
+ ("DsGetNCChanges with uSNChanged >= %llu flags 0x%08x on %s gave %u objects (done %u/%u) %u links (done %u/%u (as %s))\n",
+ (unsigned long long)(req10->highwatermark.highest_usn+1),
+ req10->replica_flags,
+ drs_ObjectIdentifier_to_debug_string(mem_ctx, untrusted_ncRoot),
+ r->out.ctr->ctr6.object_count,
+ i, r->out.ctr->ctr6.more_data?getnc_state->num_records:i,
+ r->out.ctr->ctr6.linked_attributes_count,
+ getnc_state->links_given, getnc_state->total_links,
+ dom_sid_string(mem_ctx, user_sid)));
+
+#if 0
+ if (!r->out.ctr->ctr6.more_data && req10->extended_op != DRSUAPI_EXOP_NONE) {
+ NDR_PRINT_FUNCTION_DEBUG(drsuapi_DsGetNCChanges, NDR_BOTH, r);
+ }
+#endif
+
+ return WERR_OK;
+}
+
diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c
new file mode 100644
index 0000000..0be675f
--- /dev/null
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -0,0 +1,411 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ implement the DRSUpdateRefs call
+
+ Copyright (C) Andrew Tridgell 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "rpc_server/dcerpc_server.h"
+#include "dsdb/samdb/samdb.h"
+#include "libcli/security/security.h"
+#include "libcli/security/session.h"
+#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "auth/session.h"
+#include "librpc/gen_ndr/ndr_drsuapi.h"
+#include "librpc/gen_ndr/ndr_irpc_c.h"
+#include "lib/messaging/irpc.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_DRS_REPL
+
+struct repsTo {
+ uint32_t count;
+ struct repsFromToBlob *r;
+};
+
+static WERROR uref_check_dest(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
+ struct ldb_dn *dn, struct GUID *dest_guid,
+ uint32_t options)
+{
+ struct repsTo reps;
+ WERROR werr;
+ unsigned int i;
+ bool found = false;
+
+ werr = dsdb_loadreps(sam_ctx, mem_ctx, dn, "repsTo", &reps.r, &reps.count);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ for (i=0; i<reps.count; i++) {
+ if (GUID_equal(dest_guid,
+ &reps.r[i].ctr.ctr1.source_dsa_obj_guid)) {
+ found = true;
+ break;
+ }
+ }
+
+ if (options & DRSUAPI_DRS_ADD_REF) {
+ if (found && !(options & DRSUAPI_DRS_DEL_REF)) {
+ return WERR_DS_DRA_REF_ALREADY_EXISTS;
+ }
+ }
+
+ if (options & DRSUAPI_DRS_DEL_REF) {
+ if (!found && !(options & DRSUAPI_DRS_ADD_REF)) {
+ return WERR_DS_DRA_REF_NOT_FOUND;
+ }
+ }
+
+ return WERR_OK;
+}
+
+/*
+ add a replication destination for a given partition GUID
+ */
+static WERROR uref_add_dest(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
+ struct ldb_dn *dn, struct repsFromTo1 *dest,
+ uint32_t options)
+{
+ struct repsTo reps;
+ WERROR werr;
+ unsigned int i;
+
+ werr = dsdb_loadreps(sam_ctx, mem_ctx, dn, "repsTo", &reps.r, &reps.count);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ for (i=0; i<reps.count; i++) {
+ if (GUID_equal(&dest->source_dsa_obj_guid,
+ &reps.r[i].ctr.ctr1.source_dsa_obj_guid)) {
+ if (options & DRSUAPI_DRS_GETCHG_CHECK) {
+ return WERR_OK;
+ } else {
+ return WERR_DS_DRA_REF_ALREADY_EXISTS;
+ }
+ }
+ }
+
+ reps.r = talloc_realloc(mem_ctx, reps.r, struct repsFromToBlob, reps.count+1);
+ if (reps.r == NULL) {
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+ ZERO_STRUCT(reps.r[reps.count]);
+ reps.r[reps.count].version = 1;
+ reps.r[reps.count].ctr.ctr1 = *dest;
+ /* add the GCSPN flag if the client asked for it */
+ reps.r[reps.count].ctr.ctr1.replica_flags |= (options & DRSUAPI_DRS_REF_GCSPN);
+ reps.count++;
+
+ werr = dsdb_savereps(sam_ctx, mem_ctx, dn, "repsTo", reps.r, reps.count);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ return WERR_OK;
+}
+
+/*
+ delete a replication destination for a given partition GUID
+ */
+static WERROR uref_del_dest(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
+ struct ldb_dn *dn, struct GUID *dest_guid,
+ uint32_t options)
+{
+ struct repsTo reps;
+ WERROR werr;
+ unsigned int i;
+ bool found = false;
+
+ werr = dsdb_loadreps(sam_ctx, mem_ctx, dn, "repsTo", &reps.r, &reps.count);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ for (i=0; i<reps.count; i++) {
+ if (GUID_equal(dest_guid,
+ &reps.r[i].ctr.ctr1.source_dsa_obj_guid)) {
+ if (i+1 < reps.count) {
+ memmove(&reps.r[i], &reps.r[i+1], sizeof(reps.r[i])*(reps.count-(i+1)));
+ }
+ reps.count--;
+ found = true;
+ }
+ }
+
+ werr = dsdb_savereps(sam_ctx, mem_ctx, dn, "repsTo", reps.r, reps.count);
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ if (!found &&
+ !(options & DRSUAPI_DRS_GETCHG_CHECK) &&
+ !(options & DRSUAPI_DRS_ADD_REF)) {
+ return WERR_DS_DRA_REF_NOT_FOUND;
+ }
+
+ return WERR_OK;
+}
+
+struct drepl_refresh_state {
+ struct dreplsrv_refresh r;
+};
+
+/**
+ * @brief Update the references for the given NC and the destination DSA object
+ *
+ * This function is callable from non RPC functions (ie. getncchanges), it
+ * will validate the request to update reference and then will add/del a repsTo
+ * to the specified server referenced by its DSA GUID in the request.
+ *
+ * @param[in] msg_ctx Messaging context for sending partition
+ * refresh in dreplsrv
+ *
+ * @param[in] b_state A bind_state object
+ *
+ * @param[in] mem_ctx A talloc context for memory allocation
+ *
+ * @param[in] req A drsuapi_DsReplicaUpdateRefsRequest1
+ * object which NC, which server and which
+ * action (add/delete) should be performed
+ *
+ * @return WERR_OK is success, different error
+ * otherwise.
+ */
+WERROR drsuapi_UpdateRefs(struct imessaging_context *msg_ctx,
+ struct tevent_context *event_ctx,
+ struct drsuapi_bind_state *b_state, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsReplicaUpdateRefsRequest1 *req)
+{
+ WERROR werr;
+ int ret;
+ struct ldb_dn *dn_normalised;
+ struct ldb_dn *nc_root;
+ struct ldb_context *sam_ctx = b_state->sam_ctx_system?b_state->sam_ctx_system:b_state->sam_ctx;
+ struct dcerpc_binding_handle *irpc_handle;
+ struct tevent_req *subreq;
+ struct drepl_refresh_state *state;
+
+
+ DEBUG(4,("DsReplicaUpdateRefs for host '%s' with GUID %s options 0x%08x nc=%s\n",
+ req->dest_dsa_dns_name, GUID_string(mem_ctx, &req->dest_dsa_guid),
+ req->options,
+ drs_ObjectIdentifier_to_debug_string(mem_ctx, req->naming_context)));
+
+ /*
+ * 4.1.26.2 Server Behavior of the IDL_DRSUpdateRefs Method
+ * Implements the input validation checks
+ */
+ if (GUID_all_zero(&req->dest_dsa_guid)) {
+ return WERR_DS_DRA_INVALID_PARAMETER;
+ }
+
+ /* FIXME it seems that we should check the length of the stuff too*/
+ if (req->dest_dsa_dns_name == NULL) {
+ return WERR_DS_DRA_INVALID_PARAMETER;
+ }
+
+ if (!(req->options & (DRSUAPI_DRS_DEL_REF|DRSUAPI_DRS_ADD_REF))) {
+ return WERR_DS_DRA_INVALID_PARAMETER;
+ }
+
+ ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx, sam_ctx, req->naming_context,
+ &dn_normalised, &nc_root);
+ if (ret != LDB_SUCCESS) {
+ DBG_WARNING("Didn't find a nc for %s: %s\n",
+ drs_ObjectIdentifier_to_debug_string(mem_ctx,
+ req->naming_context),
+ ldb_errstring(sam_ctx));
+ return WERR_DS_DRA_BAD_NC;
+ }
+ if (ldb_dn_compare(dn_normalised, nc_root) != 0) {
+ DBG_NOTICE("dn %s is not equal to %s (from %s)\n",
+ ldb_dn_get_linearized(dn_normalised),
+ ldb_dn_get_linearized(nc_root),
+ drs_ObjectIdentifier_to_debug_string(mem_ctx,
+ req->naming_context));
+ return WERR_DS_DRA_BAD_NC;
+ }
+
+ /*
+ * First check without a transaction open.
+ *
+ * This means that in the usual case, it will never open it and never
+ * bother to refresh the dreplsrv.
+ */
+ werr = uref_check_dest(sam_ctx,
+ mem_ctx,
+ dn_normalised,
+ &req->dest_dsa_guid,
+ req->options);
+ if (W_ERROR_EQUAL(werr, WERR_DS_DRA_REF_ALREADY_EXISTS) ||
+ W_ERROR_EQUAL(werr, WERR_DS_DRA_REF_NOT_FOUND)) {
+ if (req->options & DRSUAPI_DRS_GETCHG_CHECK) {
+ return WERR_OK;
+ }
+ return werr;
+ }
+
+ if (ldb_transaction_start(sam_ctx) != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to start transaction on samdb: %s\n",
+ ldb_errstring(sam_ctx)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ if (req->options & DRSUAPI_DRS_DEL_REF) {
+ werr = uref_del_dest(sam_ctx,
+ mem_ctx,
+ dn_normalised,
+ &req->dest_dsa_guid,
+ req->options);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("Failed to delete repsTo for %s: %s\n",
+ GUID_string(mem_ctx, &req->dest_dsa_guid),
+ win_errstr(werr)));
+ goto failed;
+ }
+ }
+
+ if (req->options & DRSUAPI_DRS_ADD_REF) {
+ struct repsFromTo1 dest;
+ struct repsFromTo1OtherInfo oi;
+
+ ZERO_STRUCT(dest);
+ ZERO_STRUCT(oi);
+
+ oi.dns_name = req->dest_dsa_dns_name;
+ dest.other_info = &oi;
+ dest.source_dsa_obj_guid = req->dest_dsa_guid;
+ dest.replica_flags = req->options;
+
+ werr = uref_add_dest(sam_ctx,
+ mem_ctx,
+ dn_normalised,
+ &dest,
+ req->options);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("Failed to add repsTo for %s: %s\n",
+ GUID_string(mem_ctx, &dest.source_dsa_obj_guid),
+ win_errstr(werr)));
+ goto failed;
+ }
+ }
+
+ if (ldb_transaction_commit(sam_ctx) != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to commit transaction on samdb: %s\n",
+ ldb_errstring(sam_ctx)));
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ state = talloc_zero(mem_ctx, struct drepl_refresh_state);
+ if (state == NULL) {
+ return WERR_OK;
+ }
+
+ irpc_handle = irpc_binding_handle_by_name(mem_ctx, msg_ctx,
+ "dreplsrv", &ndr_table_irpc);
+ if (irpc_handle == NULL) {
+ /* dreplsrv is not running yet */
+ TALLOC_FREE(state);
+ return WERR_OK;
+ }
+
+ /*
+ * [Taken from auth_sam_trigger_repl_secret in auth_sam.c]
+ *
+ * This seem to rely on the current IRPC implementation,
+ * which delivers the message in the _send function.
+ *
+ * TODO: we need a ONE_WAY IRPC handle and register
+ * a callback and wait for it to be triggered!
+ */
+ subreq = dcerpc_dreplsrv_refresh_r_send(state, event_ctx,
+ irpc_handle, &state->r);
+ TALLOC_FREE(subreq);
+ TALLOC_FREE(state);
+
+ return WERR_OK;
+
+failed:
+ ldb_transaction_cancel(sam_ctx);
+ return werr;
+}
+
+/*
+ drsuapi_DsReplicaUpdateRefs
+*/
+WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsReplicaUpdateRefs *r)
+{
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
+ struct imessaging_context *imsg_ctx =
+ dcesrv_imessaging_context(dce_call->conn);
+ struct dcesrv_handle *h;
+ struct drsuapi_bind_state *b_state;
+ struct drsuapi_DsReplicaUpdateRefsRequest1 *req;
+ WERROR werr;
+ int ret;
+ enum security_user_level security_level;
+
+ DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
+ b_state = h->data;
+
+ if (r->in.level != 1) {
+ DEBUG(0,("DrReplicUpdateRefs - unsupported level %u\n", r->in.level));
+ return WERR_DS_DRA_INVALID_PARAMETER;
+ }
+ req = &r->in.req.req1;
+ werr = drs_security_access_check(b_state->sam_ctx,
+ mem_ctx,
+ session_info->security_token,
+ req->naming_context,
+ GUID_DRS_MANAGE_TOPOLOGY);
+
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ security_level = security_session_user_level(session_info, NULL);
+ if (security_level < SECURITY_ADMINISTRATOR) {
+ /* check that they are using an DSA objectGUID that they own */
+ ret = dsdb_validate_dsa_guid(b_state->sam_ctx,
+ &req->dest_dsa_guid,
+ &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Refusing DsReplicaUpdateRefs for sid %s with GUID %s\n",
+ dom_sid_string(mem_ctx,
+ &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
+ GUID_string(mem_ctx, &req->dest_dsa_guid)));
+ return WERR_DS_DRA_ACCESS_DENIED;
+ }
+ }
+
+ werr = drsuapi_UpdateRefs(imsg_ctx,
+ dce_call->event_ctx,
+ b_state,
+ mem_ctx,
+ req);
+
+#if 0
+ NDR_PRINT_FUNCTION_DEBUG(drsuapi_DsReplicaUpdateRefs, NDR_BOTH, r);
+#endif
+
+ return werr;
+}
diff --git a/source4/rpc_server/drsuapi/writespn.c b/source4/rpc_server/drsuapi/writespn.c
new file mode 100644
index 0000000..9e4b533
--- /dev/null
+++ b/source4/rpc_server/drsuapi/writespn.c
@@ -0,0 +1,257 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ implement the DsWriteAccountSpn call
+
+ Copyright (C) Stefan Metzmacher 2009
+ Copyright (C) Andrew Tridgell 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "rpc_server/dcerpc_server.h"
+#include "dsdb/samdb/samdb.h"
+#include "dsdb/common/util.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "libcli/security/security.h"
+#include "libcli/security/session.h"
+#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "librpc/gen_ndr/ndr_drsuapi.h"
+#include "auth/session.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_DRS_REPL
+
+#undef strcasecmp
+
+/*
+ check that the SPN update should be allowed as an override
+ via sam_ctx_system
+
+ This is only called if the client is not a domain controller or
+ administrator
+ */
+static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
+ struct dcesrv_call_state *dce_call,
+ struct ldb_dn *dn,
+ const char *spn)
+{
+ /*
+ * we only allow SPN updates if:
+ *
+ * 1) they are on the clients own account object
+ * 2) they are of the form SERVICE/dnshostname
+ */
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
+ struct dom_sid *user_sid, *sid;
+ TALLOC_CTX *tmp_ctx = talloc_new(dce_call);
+ struct ldb_result *res;
+ const char *attrs[] = { "objectSID", "dNSHostName", NULL };
+ int ret;
+ krb5_context krb_ctx;
+ krb5_error_code kerr;
+ krb5_principal principal;
+ const krb5_data *component;
+ const char *dns_name, *dnsHostName;
+
+ /* The service principal name shouldn't be NULL */
+ if (spn == NULL) {
+ talloc_free(tmp_ctx);
+ return false;
+ }
+
+ /*
+ get the objectSid of the DN that is being modified, and
+ check it matches the user_sid in their token
+ */
+
+ ret = dsdb_search_dn(b_state->sam_ctx, tmp_ctx, &res, dn, attrs,
+ DSDB_SEARCH_ONE_ONLY);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return false;
+ }
+
+ user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
+ sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
+ if (sid == NULL) {
+ talloc_free(tmp_ctx);
+ return false;
+ }
+
+ dnsHostName = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName",
+ NULL);
+ if (dnsHostName == NULL) {
+ talloc_free(tmp_ctx);
+ return false;
+ }
+
+ if (!dom_sid_equal(sid, user_sid)) {
+ talloc_free(tmp_ctx);
+ return false;
+ }
+
+ kerr = smb_krb5_init_context_basic(tmp_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ &krb_ctx);
+ if (kerr != 0) {
+ talloc_free(tmp_ctx);
+ return false;
+ }
+
+ kerr = krb5_parse_name_flags(krb_ctx, spn, KRB5_PRINCIPAL_PARSE_NO_REALM,
+ &principal);
+ if (kerr != 0) {
+ krb5_free_context(krb_ctx);
+ talloc_free(tmp_ctx);
+ return false;
+ }
+
+ if (krb5_princ_size(krb_ctx, principal) != 2) {
+ krb5_free_principal(krb_ctx, principal);
+ krb5_free_context(krb_ctx);
+ talloc_free(tmp_ctx);
+ return false;
+ }
+
+ component = krb5_princ_component(krb_ctx, principal, 1);
+ dns_name = (const char *)component->data;
+
+ if (strcasecmp(dns_name, dnsHostName) != 0) {
+ krb5_free_principal(krb_ctx, principal);
+ krb5_free_context(krb_ctx);
+ talloc_free(tmp_ctx);
+ return false;
+ }
+
+ /* its a simple update on their own account - allow it with
+ * permissions override */
+ krb5_free_principal(krb_ctx, principal);
+ krb5_free_context(krb_ctx);
+ talloc_free(tmp_ctx);
+
+ return true;
+}
+
+/*
+ drsuapi_DsWriteAccountSpn
+*/
+WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct drsuapi_DsWriteAccountSpn *r)
+{
+ struct drsuapi_bind_state *b_state;
+ struct dcesrv_handle *h;
+
+ *r->out.level_out = r->in.level;
+
+ DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
+ b_state = h->data;
+
+ r->out.res = talloc(mem_ctx, union drsuapi_DsWriteAccountSpnResult);
+ W_ERROR_HAVE_NO_MEMORY(r->out.res);
+
+ switch (r->in.level) {
+ case 1: {
+ struct drsuapi_DsWriteAccountSpnRequest1 *req;
+ struct ldb_message *msg;
+ uint32_t count;
+ unsigned int i;
+ int ret;
+ unsigned spn_count=0;
+ bool passed_checks = true;
+ struct ldb_context *sam_ctx;
+
+ req = &r->in.req->req1;
+ count = req->count;
+
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ msg->dn = ldb_dn_new(msg, b_state->sam_ctx,
+ req->object_dn);
+ if ( ! ldb_dn_validate(msg->dn)) {
+ r->out.res->res1.status = WERR_OK;
+ return WERR_OK;
+ }
+
+ /* construct mods */
+ for (i = 0; i < count; i++) {
+ if (!writespn_check_spn(b_state,
+ dce_call,
+ msg->dn,
+ req->spn_names[i].str)) {
+ passed_checks = false;
+ }
+ ret = ldb_msg_add_string(msg,
+ "servicePrincipalName",
+ req->spn_names[i].str);
+ if (ret != LDB_SUCCESS) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ spn_count++;
+ }
+
+ if (msg->num_elements == 0) {
+ DEBUG(2,("No SPNs need changing on %s\n",
+ ldb_dn_get_linearized(msg->dn)));
+ r->out.res->res1.status = WERR_OK;
+ return WERR_OK;
+ }
+
+ for (i=0;i<msg->num_elements;i++) {
+ switch (req->operation) {
+ case DRSUAPI_DS_SPN_OPERATION_ADD:
+ msg->elements[i].flags = LDB_FLAG_MOD_ADD;
+ break;
+ case DRSUAPI_DS_SPN_OPERATION_REPLACE:
+ msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
+ break;
+ case DRSUAPI_DS_SPN_OPERATION_DELETE:
+ msg->elements[i].flags = LDB_FLAG_MOD_DELETE;
+ break;
+ }
+ }
+
+ if (passed_checks && b_state->sam_ctx_system) {
+ sam_ctx = b_state->sam_ctx_system;
+ } else {
+ sam_ctx = b_state->sam_ctx;
+ }
+
+ /* Apply to database */
+ ret = dsdb_modify(sam_ctx, msg, DSDB_MODIFY_PERMISSIVE);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,("Failed to modify SPNs on %s: %s\n",
+ ldb_dn_get_linearized(msg->dn),
+ ldb_errstring(b_state->sam_ctx)));
+ NDR_PRINT_IN_DEBUG(
+ drsuapi_DsWriteAccountSpn, r);
+ r->out.res->res1.status = WERR_ACCESS_DENIED;
+ } else {
+ DEBUG(2,("Modified %u SPNs on %s\n", spn_count,
+ ldb_dn_get_linearized(msg->dn)));
+ r->out.res->res1.status = WERR_OK;
+ }
+
+ return WERR_OK;
+ }
+ }
+
+ return WERR_INVALID_LEVEL;
+}