libnet_become_dc.c

来自「samba最新软件」· C语言 代码 · 共 2,239 行 · 第 1/5 页

/*
   Unix SMB/CIFS implementation.

   Copyright (C) Stefan Metzmacher <metze@samba.org> 2006

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"
#include "libnet/libnet.h"
#include "libcli/composite/composite.h"
#include "libcli/cldap/cldap.h"
#include "lib/ldb/include/ldb.h"
#include "lib/ldb/include/ldb_errors.h"
#include "lib/ldb_wrap.h"
#include "dsdb/samdb/samdb.h"
#include "dsdb/common/flags.h"
#include "librpc/gen_ndr/ndr_drsuapi_c.h"
#include "libcli/security/security.h"
#include "librpc/gen_ndr/ndr_misc.h"
#include "librpc/gen_ndr/ndr_security.h"
#include "librpc/gen_ndr/ndr_nbt.h"
#include "librpc/gen_ndr/ndr_drsuapi.h"
#include "auth/gensec/gensec.h"
#include "param/param.h"

/*****************************************************************************
 * Windows 2003 (w2k3) does the following steps when changing the server role
 * from domain member to domain controller
 *
 * We mostly do the same.
 *****************************************************************************/

/*
 * lookup DC:
 * - using nbt name<1C> request and a samlogon mailslot request
 * or
 * - using a DNS SRV _ldap._tcp.dc._msdcs. request and a CLDAP netlogon request
 *
 * see: becomeDC_recv_cldap() and becomeDC_send_cldap()
 */

/*
 * Open 1st LDAP connection to the DC using admin credentials
 *
 * see: becomeDC_connect_ldap1() and becomeDC_ldap_connect()
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * see: becomeDC_ldap1_rootdse()
 *
 * Request:
 *	basedn:	""
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:	*
 * Result:
 *      ""
 *		currentTime:		20061202155100.0Z
 *		subschemaSubentry:	CN=Aggregate,CN=Schema,CN=Configuration,<domain_partition>
 *		dsServiceName:		CN=<netbios_name>,CN=Servers,CN=<site_name>,CN=Sites,CN=Configuration,<domain_partition>
 *		namingContexts:		<domain_partition>
 *					CN=Configuration,<domain_partition>
 *					CN=Schema,CN=Configuration,<domain_partition>
 *		defaultNamingContext:	<domain_partition>
 *		schemaNamingContext:	CN=Schema,CN=Configuration,<domain_partition>
 *		configurationNamingContext:CN=Configuration,<domain_partition>
 *		rootDomainNamingContext:<domain_partition>
 *		supportedControl:	...
 *		supportedLDAPVersion:	3
 *					2
 *		supportedLDAPPolicies:	...
 *		highestCommitedUSN:	...
 *		supportedSASLMechanisms:GSSAPI
 *					GSS-SPNEGO
 *					EXTERNAL
 *					DIGEST-MD5
 *		dnsHostName:		<dns_host_name>
 *		ldapServiceName:	<domain_dns_name>:<netbios_name>$@<REALM>
 *		serverName:		CN=Servers,CN=<site_name>,CN=Sites,CN=Configuration,<domain_partition>
 *		supportedCapabilities:	...
 *		isSyncronized:		TRUE
 *		isGlobalCatalogReady:	TRUE
 *		domainFunctionality:	0
 *		forestFunctionality:	0
 *		domainControllerFunctionality: 2
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * see: becomeDC_ldap1_crossref_behavior_version()
 *
 * Request:
 *	basedn:	CN=Configuration,<domain_partition>
 *	scope:	one
 *	filter:	(cn=Partitions)
 *	attrs:	msDS-Behavior-Version
 * Result:
 *      CN=Partitions,CN=Configuration,<domain_partition>
 *		msDS-Behavior-Version:	0
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * NOTE: this seems to be a bug! as the messageID of the LDAP message is corrupted!
 *
 * not implemented here
 * 
 * Request:
 *	basedn:	CN=Schema,CN=Configuration,<domain_partition>
 *	scope:	one
 *	filter:	(cn=Partitions)
 *	attrs:	msDS-Behavior-Version
 * Result:
 *	<none>
 *
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * see: becomeDC_ldap1_domain_behavior_version()
 * 
 * Request:
 *	basedn:	<domain_partition>
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:	msDS-Behavior-Version
 * Result:
 *	<domain_partition>
 *		msDS-Behavior-Version:	0
 */

/*
 * LDAP search 1st LDAP connection:
 * 
 * see: becomeDC_ldap1_schema_object_version()
 *
 * Request:
 *	basedn:	CN=Schema,CN=Configuration,<domain_partition>
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:	objectVersion
 * Result:
 *	CN=Schema,CN=Configuration,<domain_partition>
 *		objectVersion:	30
 */

/*
 * LDAP search 1st LDAP connection:
 * 
 * not implemented, because the information is already there
 *
 * Request:
 *	basedn:	""
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:	defaultNamingContext
 *		dnsHostName
 * Result:
 *	""
 *		defaultNamingContext:	<domain_partition>
 *		dnsHostName:		<dns_host_name>
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * see: becomeDC_ldap1_infrastructure_fsmo()
 * 
 * Request:
 *	basedn:	<WKGUID=2fbac1870ade11d297c400c04fd8d5cd,domain_partition>
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:	1.1
 * Result:
 *	CN=Infrastructure,<domain_partition>
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * see: becomeDC_ldap1_w2k3_update_revision()
 *
 * Request:
 *	basedn:	CN=Windows2003Update,CN=DomainUpdates,CN=System,<domain_partition>
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:	revision
 * Result:
 *      CN=Windows2003Update,CN=DomainUpdates,CN=System,<domain_partition>
 *		revision:	8
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * see: becomeDC_ldap1_infrastructure_fsmo()
 *
 * Request:
 *	basedn:	CN=Infrastructure,<domain_partition>
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:	fSMORoleOwner
 * Result:
 *      CN=Infrastructure,<domain_partition>
 *		fSMORoleOwner:	CN=NTDS Settings,<infrastructure_fsmo_server_object>
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * see: becomeDC_ldap1_infrastructure_fsmo()
 *
 * Request:
 *	basedn:	<infrastructure_fsmo_server_object>
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:	dnsHostName
 * Result:
 *      <infrastructure_fsmo_server_object>
 *		dnsHostName:	<dns_host_name>
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * see: becomeDC_ldap1_infrastructure_fsmo()
 *
 * Request:
 *	basedn:	CN=NTDS Settings,<infrastructure_fsmo_server_object>
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:	objectGUID
 * Result:
 *      CN=NTDS Settings,<infrastructure_fsmo_server_object>
 *		objectGUID:	<object_guid>
 */

/*
 * LDAP search 1st LDAP connection:
 * 
 * see: becomeDC_ldap1_rid_manager_fsmo()
 *
 * Request:
 *	basedn:	<domain_partition>
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:	rIDManagerReference
 * Result:
 *	<domain_partition>
 *		rIDManagerReference:	CN=RID Manager$,CN=System,<domain_partition>
 */

/*
 * LDAP search 1st LDAP connection:
 * 
 * see: becomeDC_ldap1_rid_manager_fsmo()
 *
 * Request:
 *	basedn:	CN=RID Manager$,CN=System,<domain_partition>
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:	fSMORoleOwner
 * Result:
 *      CN=Infrastructure,<domain_partition>
 *		fSMORoleOwner:	CN=NTDS Settings,<rid_manager_fsmo_server_object>
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * see: becomeDC_ldap1_rid_manager_fsmo()
 *
 * Request:
 *	basedn:	<rid_manager_fsmo_server_object>
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:	dnsHostName
 * Result:
 *      <rid_manager_fsmo_server_object>
 *		dnsHostName:	<dns_host_name>
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * see: becomeDC_ldap1_rid_manager_fsmo()
 *
 * Request:
 *	basedn:	CN=NTDS Settings,<rid_manager_fsmo_server_object>
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:	msDs-ReplicationEpoch
 * Result:
 *      CN=NTDS Settings,<rid_manager_fsmo_server_object>
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * see: becomeDC_ldap1_site_object()
 *
 * Request:
 *	basedn:	CN=<new_dc_site_name>,CN=Sites,CN=Configuration,<domain_partition>
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:
 * Result:
 *      CN=<new_dc_site_name>,CN=Sites,CN=Configuration,<domain_partition>
 *		objectClass:	top
 *				site
 *		cn:		<new_dc_site_name>
 *		distinguishedName:CN=<new_dc_site_name>,CN=Sites,CN=Configuration,<domain_partition>
 *		instanceType:	4
 *		whenCreated:	...
 *		whenChanged:	...
 *		uSNCreated:	...
 *		uSNChanged:	...
 *		showInAdvancedViewOnly:	TRUE
 *		name:		<new_dc_site_name>
 *		objectGUID:	<object_guid>
 *		systemFlags:	1107296256 <0x42000000>
 *		objectCategory:	CN=Site,C=Schema,CN=Configuration,<domain_partition>
 */

/***************************************************************
 * Add this stage we call the check_options() callback function
 * of the caller, to see if he wants us to continue
 *
 * see: becomeDC_check_options()
 ***************************************************************/

/*
 * LDAP search 1st LDAP connection:
 *
 * see: becomeDC_ldap1_computer_object()
 *
 * Request:
 *	basedn:	<domain_partition>
 *	scope:	sub
 *	filter:	(&(|(objectClass=user)(objectClass=computer))(sAMAccountName=<new_dc_account_name>))
 *	attrs:	distinguishedName
 *		userAccountControl
 * Result:
 *      CN=<new_dc_netbios_name>,CN=Computers,<domain_partition>
 *		distinguishedName:	CN=<new_dc_netbios_name>,CN=Computers,<domain_partition>
 *		userAccoountControl:	4096 <0x1000>
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * see: becomeDC_ldap1_server_object_1()
 *
 * Request:
 *	basedn:	CN=<new_dc_netbios_name>,CN=Servers,CN=<new_dc_site_name>,CN=Sites,CN=Configuration,<domain_partition>
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:
 * Result:
 *      <noSuchObject>
 *	<matchedDN:CN=Servers,CN=<new_dc_site_name>,CN=Sites,CN=Configuration,<domain_partition>>
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * see: becomeDC_ldap1_server_object_2()
 * 
 * Request:
 *	basedn:	CN=<new_dc_netbios_name>,CN=Computers,<domain_partition>
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:	serverReferenceBL
 *	typesOnly: TRUE!!!
 * Result:
 *      CN=<new_dc_netbios_name>,CN=Computers,<domain_partition>
 */

/*
 * LDAP add 1st LDAP connection:
 * 
 * see: becomeDC_ldap1_server_object_add()
 *
 * Request:
 *	CN=<new_dc_netbios_name>,CN=Computers,<domain_partition>
 *	objectClass:	server
 *	systemFlags:	50000000 <0x2FAF080>
 *	serverReference:CN=<new_dc_netbios_name>,CN=Computers,<domain_partition>
 * Result:
 *      <success>
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * not implemented, maybe we can add that later
 *
 * Request:
 *	basedn:	CN=NTDS Settings,CN=<new_dc_netbios_name>,CN=Servers,CN=<new_dc_site_name>,CN=Sites,CN=Configuration,<domain_partition>
 *	scope:	base
 *	filter:	(objectClass=*)
 *	attrs:
 * Result:
 *      <noSuchObject>
 *	<matchedDN:CN=<new_dc_netbios_name>,CN=Servers,CN=<new_dc_site_name>,CN=Sites,CN=Configuration,<domain_partition>>
 */

/*
 * LDAP search 1st LDAP connection:
 *
 * not implemented because it gives no new information
 * 
 * Request:
 *	basedn:	CN=Partitions,CN=Configuration,<domain_partition>
 *	scope:	sub
 *	filter:	(nCName=<domain_partition>)
 *	attrs:	nCName
 *		dnsRoot
 *	controls: LDAP_SERVER_EXTENDED_DN_OID:critical=false
 * Result:
 *      <GUID=<hex_guid>>;CN=<domain_netbios_name>,CN=Partitions,<domain_partition>>
 *		nCName:		<GUID=<hex_guid>>;<SID=<hex_sid>>;<domain_partition>>
 *		dnsRoot:	<domain_dns_name>
 */

/*
 * LDAP modify 1st LDAP connection:
 *
 * see: becomeDC_ldap1_server_object_modify()
 * 
 * Request (add):