samldb.c

samba最新软件

/* 
   SAM ldb module

   Copyright (C) Simo Sorce  2004
   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005

   * NOTICE: this module is NOT released under the GNU LGPL license as
   * other ldb code. This module is release under the GNU GPL v3 or
   * later license.

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.
   
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   
   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

/*
 *  Name: ldb
 *
 *  Component: ldb samldb module
 *
 *  Description: add embedded user/group creation functionality
 *
 *  Author: Simo Sorce
 */

#include "includes.h"
#include "libcli/ldap/ldap_ndr.h"
#include "lib/ldb/include/ldb_errors.h"
#include "lib/ldb/include/ldb.h"
#include "lib/ldb/include/ldb_private.h"
#include "dsdb/samdb/samdb.h"
#include "libcli/security/security.h"
#include "librpc/gen_ndr/ndr_security.h"
#include "util/util_ldb.h"

int samldb_notice_sid(struct ldb_module *module, 
		      TALLOC_CTX *mem_ctx, const struct dom_sid *sid);

static bool samldb_msg_add_sid(struct ldb_module *module, struct ldb_message *msg, const char *name, const struct dom_sid *sid)
{
	struct ldb_val v;
	enum ndr_err_code ndr_err;

	ndr_err = ndr_push_struct_blob(&v, msg, NULL, sid,
				       (ndr_push_flags_fn_t)ndr_push_dom_sid);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		return false;
	}
	return (ldb_msg_add_value(msg, name, &v, NULL) == 0);
}

/*
  allocate a new id, attempting to do it atomically
  return 0 on failure, the id on success
*/
static int samldb_set_next_rid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
			       struct ldb_dn *dn, uint32_t old_id, uint32_t new_id)
{
	struct ldb_message msg;
	int ret;
	struct ldb_val vals[2];
	struct ldb_message_element els[2];

	if (new_id == 0) {
		/* out of IDs ! */
		ldb_set_errstring(ldb, "Are we out of valid IDs ?\n");
		return LDB_ERR_OPERATIONS_ERROR;
	}

	/* we do a delete and add as a single operation. That prevents
	   a race, in case we are not actually on a transaction db */
	ZERO_STRUCT(msg);
	msg.dn = ldb_dn_copy(mem_ctx, dn);
	if (!msg.dn) {
		ldb_oom(ldb);
		return LDB_ERR_OPERATIONS_ERROR;
	}
	msg.num_elements = 2;
	msg.elements = els;

	els[0].num_values = 1;
	els[0].values = &vals[0];
	els[0].flags = LDB_FLAG_MOD_DELETE;
	els[0].name = talloc_strdup(mem_ctx, "nextRid");
	if (!els[0].name) {
		ldb_oom(ldb);
		return LDB_ERR_OPERATIONS_ERROR;
	}

	els[1].num_values = 1;
	els[1].values = &vals[1];
	els[1].flags = LDB_FLAG_MOD_ADD;
	els[1].name = els[0].name;

	vals[0].data = (uint8_t *)talloc_asprintf(mem_ctx, "%u", old_id);
	if (!vals[0].data) {
		ldb_oom(ldb);
		return LDB_ERR_OPERATIONS_ERROR;
	}
	vals[0].length = strlen((char *)vals[0].data);

	vals[1].data = (uint8_t *)talloc_asprintf(mem_ctx, "%u", new_id);
	if (!vals[1].data) {
		ldb_oom(ldb);
		return LDB_ERR_OPERATIONS_ERROR;
	}
	vals[1].length = strlen((char *)vals[1].data);

	ret = ldb_modify(ldb, &msg);
	return ret;
}

/*
  allocate a new id, attempting to do it atomically
  return 0 on failure, the id on success
*/
static int samldb_find_next_rid(struct ldb_module *module, TALLOC_CTX *mem_ctx,
				struct ldb_dn *dn, uint32_t *old_rid)
{
	const char * const attrs[2] = { "nextRid", NULL };
	struct ldb_result *res = NULL;
	int ret;
	const char *str;

	ret = ldb_search(module->ldb, dn, LDB_SCOPE_BASE, "nextRid=*", attrs, &res);
	if (ret != LDB_SUCCESS) {
		return ret;
	}
	if (res->count != 1) {
		talloc_free(res);
		return LDB_ERR_OPERATIONS_ERROR;
	}

	str = ldb_msg_find_attr_as_string(res->msgs[0], "nextRid", NULL);
	if (str == NULL) {
		ldb_asprintf_errstring(module->ldb,
					"attribute nextRid not found in %s\n",
					ldb_dn_get_linearized(dn));
		talloc_free(res);
		return LDB_ERR_OPERATIONS_ERROR;
	}

	*old_rid = strtol(str, NULL, 0);
	talloc_free(res);
	return LDB_SUCCESS;
}

static int samldb_allocate_next_rid(struct ldb_module *module, TALLOC_CTX *mem_ctx,
				    struct ldb_dn *dn, const struct dom_sid *dom_sid, 
				    struct dom_sid **new_sid)
{
	struct dom_sid *obj_sid;
	uint32_t old_rid;
	int ret;
	
	ret = samldb_find_next_rid(module, mem_ctx, dn, &old_rid);	
	if (ret) {
		return ret;
	}
		
	/* return the new object sid */
	obj_sid = dom_sid_add_rid(mem_ctx, dom_sid, old_rid);
		
	*new_sid = dom_sid_add_rid(mem_ctx, dom_sid, old_rid + 1);
	if (!*new_sid) {
		return LDB_ERR_OPERATIONS_ERROR;
	}

	ret = samldb_notice_sid(module, mem_ctx, *new_sid);
	if (ret != 0) {
		/* gah, there are conflicting sids.
		 * This is a critical situation it means that someone messed up with
		 * the DB and nextRid is not returning free RIDs, report an error
		 * and refuse to create any user until the problem is fixed */
		ldb_asprintf_errstring(module->ldb,
					"Critical Error: unconsistent DB, unable to retireve an unique RID to generate a new SID: %s",
					ldb_errstring(module->ldb));
		return ret;
	}
	return ret;
}

/* search the domain related to the provided dn
   allocate a new RID for the domain
   return the new sid string
*/
static int samldb_get_new_sid(struct ldb_module *module, 
			      TALLOC_CTX *mem_ctx, struct ldb_dn *obj_dn,
			      struct ldb_dn *dom_dn, 
			      struct dom_sid **sid)
{
	const char * const attrs[2] = { "objectSid", NULL };
	struct ldb_result *res = NULL;
	int ret;
	struct dom_sid *dom_sid;

	/* get the domain component part of the provided dn */

	/* find the domain sid */

	ret = ldb_search(module->ldb, dom_dn, LDB_SCOPE_BASE, "objectSid=*", attrs, &res);
	if (ret != LDB_SUCCESS) {
		ldb_asprintf_errstring(module->ldb,
					"samldb_get_new_sid: error retrieving domain sid from %s: %s!\n",
					ldb_dn_get_linearized(dom_dn),
					ldb_errstring(module->ldb));
		talloc_free(res);
		return ret;
	}

	if (res->count != 1) {
		ldb_asprintf_errstring(module->ldb,
					"samldb_get_new_sid: error retrieving domain sid from %s: not found!\n",
					ldb_dn_get_linearized(dom_dn));
		talloc_free(res);
		return LDB_ERR_CONSTRAINT_VIOLATION;
	}

	dom_sid = samdb_result_dom_sid(res, res->msgs[0], "objectSid");
	if (dom_sid == NULL) {
		ldb_set_errstring(module->ldb, "samldb_get_new_sid: error parsing domain sid!\n");
		talloc_free(res);
		return LDB_ERR_CONSTRAINT_VIOLATION;
	}

	/* allocate a new Rid for the domain */
	ret = samldb_allocate_next_rid(module, mem_ctx, dom_dn, dom_sid, sid);
	if (ret != 0) {
		ldb_debug(module->ldb, LDB_DEBUG_FATAL, "Failed to increment nextRid of %s: %s\n", ldb_dn_get_linearized(dom_dn), ldb_errstring(module->ldb));
		talloc_free(res);
		return ret;
	}

	talloc_free(res);

	return ret;
}

/* If we are adding new users/groups, we need to update the nextRid
 * attribute to be 'above' all incoming users RIDs.  This tries to
 * avoid clashes in future */

int samldb_notice_sid(struct ldb_module *module, 
		      TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
{
	int ret;
	struct ldb_dn *dom_dn;
	struct dom_sid *dom_sid;
	const char *attrs[] = { NULL };
	struct ldb_result *dom_res;
	struct ldb_result *res;
	uint32_t old_rid;

	/* find if this SID already exists */
	ret = ldb_search_exp_fmt(module->ldb, mem_ctx, &res,
				 NULL, LDB_SCOPE_SUBTREE, attrs,
				 "(objectSid=%s)", ldap_encode_ndr_dom_sid(mem_ctx, sid));
	if (ret == LDB_SUCCESS) {
		if (res->count > 0) {
			talloc_free(res);
			ldb_asprintf_errstring(module->ldb,
						"Attempt to add record with SID %s rejected,"
						" because this SID is already in the database",
						dom_sid_string(mem_ctx, sid));
			/* We have a duplicate SID, we must reject the add */
			return LDB_ERR_CONSTRAINT_VIOLATION;
		}
		talloc_free(res);
	} else {
		ldb_asprintf_errstring(module->ldb,
					"samldb_notice_sid: error searching to see if sid %s is in use: %s\n", 
					dom_sid_string(mem_ctx, sid), 
					ldb_errstring(module->ldb));
		return ret;
	}

	dom_sid = dom_sid_dup(mem_ctx, sid);
	if (!dom_sid) {
		return LDB_ERR_OPERATIONS_ERROR;
	}
	/* get the domain component part of the provided SID */
	dom_sid->num_auths--;

	/* find the domain DN */
	ret = ldb_search_exp_fmt(module->ldb, mem_ctx, &dom_res,
				 NULL, LDB_SCOPE_SUBTREE, attrs,
				 "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", 
				 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
	if (ret == LDB_SUCCESS) {
		if (dom_res->count == 0) {
			talloc_free(dom_res);
			/* This isn't an operation on a domain we know about, so nothing to update */
			return LDB_SUCCESS;
		}

		if (dom_res->count > 1) {
			talloc_free(dom_res);
			ldb_asprintf_errstring(module->ldb,
					"samldb_notice_sid: error retrieving domain from sid: duplicate (found %d) domain: %s!\n", 
					dom_res->count, dom_sid_string(dom_res, dom_sid));
			return LDB_ERR_OPERATIONS_ERROR;
		}
	} else {
		ldb_asprintf_errstring(module->ldb,
					"samldb_notice_sid: error retrieving domain from sid: %s: %s\n", 
					dom_sid_string(dom_res, dom_sid), 
					ldb_errstring(module->ldb));
		return ret;
	}

	dom_dn = dom_res->msgs[0]->dn;

	ret = samldb_find_next_rid(module, mem_ctx, 
				   dom_dn, &old_rid);
	if (ret) {
		talloc_free(dom_res);
		return ret;
	}

	if (old_rid <= sid->sub_auths[sid->num_auths - 1]) {
		ret = samldb_set_next_rid(module->ldb, mem_ctx, dom_dn, old_rid, 
					  sid->sub_auths[sid->num_auths - 1] + 1);
	}
	talloc_free(dom_res);
	return ret;
}

static int samldb_handle_sid(struct ldb_module *module, 
			     TALLOC_CTX *mem_ctx, struct ldb_message *msg2,
			     struct ldb_dn *parent_dn)
{
	int ret;
	
	struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg2, "objectSid");
	if (sid == NULL) { 
		ret = samldb_get_new_sid(module, msg2, msg2->dn, parent_dn, &sid);
		if (ret != 0) {
			return ret;
		}

		if ( ! samldb_msg_add_sid(module, msg2, "objectSid", sid)) {
			talloc_free(sid);
			return LDB_ERR_OPERATIONS_ERROR;
		}
		talloc_free(sid);
		ret = LDB_SUCCESS;
	} else {
		ret = samldb_notice_sid(module, msg2, sid);
	}
	return ret;
}

static int samldb_generate_samAccountName(struct ldb_module *module, TALLOC_CTX *mem_ctx, 
					  struct ldb_dn *dom_dn, char **name) 
{
	const char *attrs[] = { NULL };
	struct ldb_result *res;
	int ret;
	
	/* Format: $000000-000000000000 */
	
	do {
		*name = talloc_asprintf(mem_ctx, "$%.6X-%.6X%.6X", (unsigned int)generate_random(), (unsigned int)generate_random(), (unsigned int)generate_random());
		/* TODO: Figure out exactly what this is meant to conflict with */
		ret = ldb_search_exp_fmt(module->ldb,
					 mem_ctx, &res, dom_dn, LDB_SCOPE_SUBTREE, attrs,
					 "samAccountName=%s",
					 ldb_binary_encode_string(mem_ctx, *name));
		if (ret != LDB_SUCCESS) {
			ldb_asprintf_errstring(module->ldb, "samldb: Failure searching to determine if samAccountName %s is unique: %s",
					       *name, ldb_errstring(module->ldb));
			return ret;
		}

		if (res->count == 0) {
			talloc_free(res);
			/* Great. There are no conflicting users/groups/etc */
			return LDB_SUCCESS;
		} else {
			talloc_free(*name);
                        /* gah, there is a conflicting name, lets move around the loop again... */
		}
	} while (1);
}

static int samldb_fill_group_object(struct ldb_module *module, const struct ldb_message *msg,
						    struct ldb_message **ret_msg)
{
	int ret;
	unsigned int group_type;
	char *name;
	struct ldb_message *msg2;
	struct ldb_dn *dom_dn;
	const char *rdn_name;
	TALLOC_CTX *mem_ctx = talloc_new(msg);
	const char *errstr;
	if (!mem_ctx) {
		return LDB_ERR_OPERATIONS_ERROR;
	}

	/* build the new msg */
	msg2 = ldb_msg_copy(mem_ctx, msg);