source: vendor/current/source4/dsdb/common/util_samr.c@ 740

Last change on this file since 740 was 740, checked in by Silvan Scherrer, 12 years ago

Samba Server: update vendor to 3.6.0
File size: 15.5 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3
4 Helpers to add users and groups to the DB
5
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2010
9 Copyright (C) Matthias Dieter Wallnöfer 2009
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23*/
24
25#include "includes.h"
26#include "dsdb/samdb/samdb.h"
27#include "dsdb/common/util.h"
28#include "../libds/common/flags.h"
29#include "libcli/security/security.h"
30
31#include "libds/common/flag_mapping.h"
32
33/* Add a user, SAMR style, including the correct transaction
34 * semantics. Used by the SAMR server and by pdb_samba4 */
35NTSTATUS dsdb_add_user(struct ldb_context *ldb,
36 TALLOC_CTX *mem_ctx,
37 const char *account_name,
38 uint32_t acct_flags,
39 struct dom_sid **sid,
40 struct ldb_dn **dn)
41{
42 const char *name;
43 struct ldb_message *msg;
44 int ret;
45 const char *container, *obj_class=NULL;
46 char *cn_name;
47 size_t cn_name_len;
48
49 const char *attrs[] = {
50 "objectSid",
51 "userAccountControl",
52 NULL
53 };
54
55 uint32_t user_account_control;
56 struct ldb_dn *account_dn;
57 struct dom_sid *account_sid;
58
59 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
60 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
61
62 /*
63 * Start a transaction, so we can query and do a subsequent atomic
64 * modify
65 */
66
67 ret = ldb_transaction_start(ldb);
68 if (ret != LDB_SUCCESS) {
69 DEBUG(0,("Failed to start a transaction for user creation: %s\n",
70 ldb_errstring(ldb)));
71 talloc_free(tmp_ctx);
72 return NT_STATUS_INTERNAL_DB_CORRUPTION;
73 }
74
75 /* check if the user already exists */
76 name = samdb_search_string(ldb, tmp_ctx, NULL,
77 "sAMAccountName",
78 "(&(sAMAccountName=%s)(objectclass=user))",
79 ldb_binary_encode_string(tmp_ctx, account_name));
80 if (name != NULL) {
81 ldb_transaction_cancel(ldb);
82 talloc_free(tmp_ctx);
83 return NT_STATUS_USER_EXISTS;
84 }
85
86 cn_name = talloc_strdup(tmp_ctx, account_name);
87 if (!cn_name) {
88 ldb_transaction_cancel(ldb);
89 talloc_free(tmp_ctx);
90 return NT_STATUS_NO_MEMORY;
91 }
92
93 cn_name_len = strlen(cn_name);
94 if (cn_name_len < 1) {
95 ldb_transaction_cancel(ldb);
96 talloc_free(tmp_ctx);
97 return NT_STATUS_INVALID_PARAMETER;
98 }
99
100 msg = ldb_msg_new(tmp_ctx);
101 if (msg == NULL) {
102 ldb_transaction_cancel(ldb);
103 talloc_free(tmp_ctx);
104 return NT_STATUS_NO_MEMORY;
105 }
106
107 /* This must be one of these values *only* */
108 if (acct_flags == ACB_NORMAL) {
109 container = "CN=Users";
110 obj_class = "user";
111
112 } else if (acct_flags == ACB_WSTRUST) {
113 if (cn_name[cn_name_len - 1] != '$') {
114 ldb_transaction_cancel(ldb);
115 return NT_STATUS_FOOBAR;
116 }
117 cn_name[cn_name_len - 1] = '\0';
118 container = "CN=Computers";
119 obj_class = "computer";
120
121 } else if (acct_flags == ACB_SVRTRUST) {
122 if (cn_name[cn_name_len - 1] != '$') {
123 ldb_transaction_cancel(ldb);
124 return NT_STATUS_FOOBAR;
125 }
126 cn_name[cn_name_len - 1] = '\0';
127 container = "OU=Domain Controllers";
128 obj_class = "computer";
129 } else {
130 ldb_transaction_cancel(ldb);
131 talloc_free(tmp_ctx);
132 return NT_STATUS_INVALID_PARAMETER;
133 }
134
135 /* add core elements to the ldb_message for the user */
136 msg->dn = ldb_dn_copy(msg, ldb_get_default_basedn(ldb));
137 if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s,%s", cn_name, container)) {
138 ldb_transaction_cancel(ldb);
139 talloc_free(tmp_ctx);
140 return NT_STATUS_FOOBAR;
141 }
142
143 ldb_msg_add_string(msg, "sAMAccountName", account_name);
144 ldb_msg_add_string(msg, "objectClass", obj_class);
145
146 /* create the user */
147 ret = ldb_add(ldb, msg);
148 switch (ret) {
149 case LDB_SUCCESS:
150 break;
151 case LDB_ERR_ENTRY_ALREADY_EXISTS:
152 ldb_transaction_cancel(ldb);
153 DEBUG(0,("Failed to create user record %s: %s\n",
154 ldb_dn_get_linearized(msg->dn),
155 ldb_errstring(ldb)));
156 talloc_free(tmp_ctx);
157 return NT_STATUS_USER_EXISTS;
158 case LDB_ERR_UNWILLING_TO_PERFORM:
159 case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
160 ldb_transaction_cancel(ldb);
161 DEBUG(0,("Failed to create user record %s: %s\n",
162 ldb_dn_get_linearized(msg->dn),
163 ldb_errstring(ldb)));
164 talloc_free(tmp_ctx);
165 return NT_STATUS_ACCESS_DENIED;
166 default:
167 ldb_transaction_cancel(ldb);
168 DEBUG(0,("Failed to create user record %s: %s\n",
169 ldb_dn_get_linearized(msg->dn),
170 ldb_errstring(ldb)));
171 talloc_free(tmp_ctx);
172 return NT_STATUS_INTERNAL_DB_CORRUPTION;
173 }
174
175 account_dn = msg->dn;
176
177 /* retrieve the sid and account control bits for the user just created */
178 ret = dsdb_search_one(ldb, tmp_ctx, &msg,
179 account_dn, LDB_SCOPE_BASE, attrs, 0, NULL);
180
181 if (ret != LDB_SUCCESS) {
182 ldb_transaction_cancel(ldb);
183 DEBUG(0,("Can't locate the account we just created %s: %s\n",
184 ldb_dn_get_linearized(account_dn), ldb_errstring(ldb)));
185 talloc_free(tmp_ctx);
186 return NT_STATUS_INTERNAL_DB_CORRUPTION;
187 }
188 account_sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
189 if (account_sid == NULL) {
190 ldb_transaction_cancel(ldb);
191 DEBUG(0,("Apparently we failed to get the objectSid of the just created account record %s\n",
192 ldb_dn_get_linearized(msg->dn)));
193 talloc_free(tmp_ctx);
194 return NT_STATUS_INTERNAL_DB_CORRUPTION;
195 }
196
197 /* Change the account control to be the correct account type.
198 * The default is for a workstation account */
199 user_account_control = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
200 user_account_control = (user_account_control &
201 ~(UF_NORMAL_ACCOUNT |
202 UF_INTERDOMAIN_TRUST_ACCOUNT |
203 UF_WORKSTATION_TRUST_ACCOUNT |
204 UF_SERVER_TRUST_ACCOUNT));
205 user_account_control |= ds_acb2uf(acct_flags);
206
207 talloc_free(msg);
208 msg = ldb_msg_new(tmp_ctx);
209 if (msg == NULL) {
210 ldb_transaction_cancel(ldb);
211 talloc_free(tmp_ctx);
212 return NT_STATUS_NO_MEMORY;
213 }
214
215 msg->dn = account_dn;
216
217 if (samdb_msg_add_uint(ldb, tmp_ctx, msg,
218 "userAccountControl",
219 user_account_control) != LDB_SUCCESS) {
220 ldb_transaction_cancel(ldb);
221 talloc_free(tmp_ctx);
222 return NT_STATUS_NO_MEMORY;
223 }
224
225 /* modify the samdb record */
226 ret = dsdb_replace(ldb, msg, 0);
227 if (ret != LDB_SUCCESS) {
228 DEBUG(0,("Failed to modify account record %s to set userAccountControl: %s\n",
229 ldb_dn_get_linearized(msg->dn),
230 ldb_errstring(ldb)));
231 ldb_transaction_cancel(ldb);
232 talloc_free(tmp_ctx);
233
234 /* we really need samdb.c to return NTSTATUS */
235 return NT_STATUS_UNSUCCESSFUL;
236 }
237
238 ret = ldb_transaction_commit(ldb);
239 if (ret != LDB_SUCCESS) {
240 DEBUG(0,("Failed to commit transaction to add and modify account record %s: %s\n",
241 ldb_dn_get_linearized(msg->dn),
242 ldb_errstring(ldb)));
243 talloc_free(tmp_ctx);
244 return NT_STATUS_INTERNAL_DB_CORRUPTION;
245 }
246 *dn = talloc_steal(mem_ctx, account_dn);
247 *sid = talloc_steal(mem_ctx, account_sid);
248 talloc_free(tmp_ctx);
249 return NT_STATUS_OK;
250}
251
252/*
253 called by samr_CreateDomainGroup and pdb_samba4
254*/
255NTSTATUS dsdb_add_domain_group(struct ldb_context *ldb,
256 TALLOC_CTX *mem_ctx,
257 const char *groupname,
258 struct dom_sid **sid,
259 struct ldb_dn **dn)
260{
261 const char *name;
262 struct ldb_message *msg;
263 struct dom_sid *group_sid;
264 int ret;
265
266 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
267 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
268
269 /* check if the group already exists */
270 name = samdb_search_string(ldb, tmp_ctx, NULL,
271 "sAMAccountName",
272 "(&(sAMAccountName=%s)(objectclass=group))",
273 ldb_binary_encode_string(tmp_ctx, groupname));
274 if (name != NULL) {
275 return NT_STATUS_GROUP_EXISTS;
276 }
277
278 msg = ldb_msg_new(tmp_ctx);
279 if (msg == NULL) {
280 return NT_STATUS_NO_MEMORY;
281 }
282
283 /* add core elements to the ldb_message for the user */
284 msg->dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(ldb));
285 ldb_dn_add_child_fmt(msg->dn, "CN=%s,CN=Users", groupname);
286 if (!msg->dn) {
287 talloc_free(tmp_ctx);
288 return NT_STATUS_NO_MEMORY;
289 }
290 ldb_msg_add_string(msg, "sAMAccountName", groupname);
291 ldb_msg_add_string(msg, "objectClass", "group");
292
293 /* create the group */
294 ret = ldb_add(ldb, msg);
295 switch (ret) {
296 case LDB_SUCCESS:
297 break;
298 case LDB_ERR_ENTRY_ALREADY_EXISTS:
299 DEBUG(0,("Failed to create group record %s: %s\n",
300 ldb_dn_get_linearized(msg->dn),
301 ldb_errstring(ldb)));
302 talloc_free(tmp_ctx);
303 return NT_STATUS_GROUP_EXISTS;
304 case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
305 DEBUG(0,("Failed to create group record %s: %s\n",
306 ldb_dn_get_linearized(msg->dn),
307 ldb_errstring(ldb)));
308 talloc_free(tmp_ctx);
309 return NT_STATUS_ACCESS_DENIED;
310 default:
311 DEBUG(0,("Failed to create group record %s: %s\n",
312 ldb_dn_get_linearized(msg->dn),
313 ldb_errstring(ldb)));
314 talloc_free(tmp_ctx);
315 return NT_STATUS_INTERNAL_DB_CORRUPTION;
316 }
317
318 /* retrieve the sid for the group just created */
319 group_sid = samdb_search_dom_sid(ldb, tmp_ctx,
320 msg->dn, "objectSid", NULL);
321 if (group_sid == NULL) {
322 return NT_STATUS_UNSUCCESSFUL;
323 }
324
325 *dn = talloc_steal(mem_ctx, msg->dn);
326 *sid = talloc_steal(mem_ctx, group_sid);
327 talloc_free(tmp_ctx);
328 return NT_STATUS_OK;
329}
330
331NTSTATUS dsdb_add_domain_alias(struct ldb_context *ldb,
332 TALLOC_CTX *mem_ctx,
333 const char *alias_name,
334 struct dom_sid **sid,
335 struct ldb_dn **dn)
336{
337 const char *name;
338 struct ldb_message *msg;
339 struct dom_sid *alias_sid;
340 int ret;
341
342 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
343 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
344
345 /* Check if alias already exists */
346 name = samdb_search_string(ldb, tmp_ctx, NULL,
347 "sAMAccountName",
348 "(sAMAccountName=%s)(objectclass=group))",
349 ldb_binary_encode_string(mem_ctx, alias_name));
350
351 if (name != NULL) {
352 talloc_free(tmp_ctx);
353 return NT_STATUS_ALIAS_EXISTS;
354 }
355
356 msg = ldb_msg_new(tmp_ctx);
357 if (msg == NULL) {
358 talloc_free(tmp_ctx);
359 return NT_STATUS_NO_MEMORY;
360 }
361
362 /* add core elements to the ldb_message for the alias */
363 msg->dn = ldb_dn_copy(mem_ctx, ldb_get_default_basedn(ldb));
364 ldb_dn_add_child_fmt(msg->dn, "CN=%s,CN=Users", alias_name);
365 if (!msg->dn) {
366 talloc_free(tmp_ctx);
367 return NT_STATUS_NO_MEMORY;
368 }
369
370 ldb_msg_add_string(msg, "sAMAccountName", alias_name);
371 ldb_msg_add_string(msg, "objectClass", "group");
372 samdb_msg_add_int(ldb, mem_ctx, msg, "groupType", GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
373
374 /* create the alias */
375 ret = ldb_add(ldb, msg);
376 switch (ret) {
377 case LDB_SUCCESS:
378 break;
379 case LDB_ERR_ENTRY_ALREADY_EXISTS:
380 talloc_free(tmp_ctx);
381 return NT_STATUS_ALIAS_EXISTS;
382 case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
383 talloc_free(tmp_ctx);
384 return NT_STATUS_ACCESS_DENIED;
385 default:
386 DEBUG(0,("Failed to create alias record %s: %s\n",
387 ldb_dn_get_linearized(msg->dn),
388 ldb_errstring(ldb)));
389 talloc_free(tmp_ctx);
390 return NT_STATUS_INTERNAL_DB_CORRUPTION;
391 }
392
393 /* retrieve the sid for the alias just created */
394 alias_sid = samdb_search_dom_sid(ldb, tmp_ctx,
395 msg->dn, "objectSid", NULL);
396
397 *dn = talloc_steal(mem_ctx, msg->dn);
398 *sid = talloc_steal(mem_ctx, alias_sid);
399 talloc_free(tmp_ctx);
400
401 return NT_STATUS_OK;
402}
403
404/* Return the members of this group (which may be a domain group or an alias) */
405NTSTATUS dsdb_enum_group_mem(struct ldb_context *ldb,
406 TALLOC_CTX *mem_ctx,
407 struct ldb_dn *dn,
408 struct dom_sid **members_out,
409 unsigned int *pnum_members)
410{
411 struct ldb_message *msg;
412 unsigned int i, j;
413 int ret;
414 struct dom_sid *members;
415 struct ldb_message_element *member_el;
416 const char *attrs[] = { "member", NULL };
417 NTSTATUS status;
418 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
419 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
420
421 ret = dsdb_search_one(ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE, attrs,
422 DSDB_SEARCH_SHOW_EXTENDED_DN, NULL);
423 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
424 talloc_free(tmp_ctx);
425 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
426 }
427 if (ret != LDB_SUCCESS) {
428 DEBUG(1, ("dsdb_enum_group_mem: dsdb_search for %s failed: %s\n",
429 ldb_dn_get_linearized(dn), ldb_errstring(ldb)));
430 return NT_STATUS_INTERNAL_DB_CORRUPTION;
431 }
432
433 member_el = ldb_msg_find_element(msg, "member");
434 if (!member_el) {
435 *members_out = NULL;
436 *pnum_members = 0;
437 talloc_free(tmp_ctx);
438 return NT_STATUS_OK;
439 }
440
441 members = talloc_array(mem_ctx, struct dom_sid, member_el->num_values);
442 if (members == NULL) {
443 return NT_STATUS_NO_MEMORY;
444 }
445
446 j = 0;
447 for (i=0; i <member_el->num_values; i++) {
448 struct ldb_dn *member_dn = ldb_dn_from_ldb_val(tmp_ctx, ldb,
449 &member_el->values[i]);
450 if (!member_dn || !ldb_dn_validate(member_dn)) {
451 DEBUG(1, ("Could not parse %*.*s as a DN\n",
452 (int)member_el->values[i].length,
453 (int)member_el->values[i].length,
454 (const char *)member_el->values[i].data));
455 talloc_free(tmp_ctx);
456 return NT_STATUS_INTERNAL_DB_CORRUPTION;
457 }
458
459 status = dsdb_get_extended_dn_sid(member_dn, &members[j],
460 "SID");
461 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
462 /* If we fail finding a SID then this is no error since
463 * it could be a non SAM object - e.g. a contact */
464 continue;
465 } else if (!NT_STATUS_IS_OK(status)) {
466 DEBUG(1, ("When parsing DN '%s' we failed to parse it's SID component, so we cannot fetch the membership: %s\n",
467 ldb_dn_get_extended_linearized(tmp_ctx, member_dn, 1),
468 nt_errstr(status)));
469 talloc_free(tmp_ctx);
470 return status;
471 }
472
473 ++j;
474 }
475
476 *members_out = talloc_steal(mem_ctx, members);
477 *pnum_members = j;
478 talloc_free(tmp_ctx);
479 return NT_STATUS_OK;
480}
481
482NTSTATUS dsdb_lookup_rids(struct ldb_context *ldb,
483 TALLOC_CTX *mem_ctx,
484 const struct dom_sid *domain_sid,
485 unsigned int num_rids,
486 uint32_t *rids,
487 const char **names,
488 enum lsa_SidType *lsa_attrs)
489{
490 const char *attrs[] = { "sAMAccountType", "sAMAccountName", NULL };
491 unsigned int i, num_mapped;
492
493 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
494 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
495
496 num_mapped = 0;
497
498 for (i=0; i<num_rids; i++) {
499 struct ldb_message *msg;
500 struct ldb_dn *dn;
501 uint32_t attr;
502 int rc;
503
504 lsa_attrs[i] = SID_NAME_UNKNOWN;
505
506 dn = ldb_dn_new_fmt(tmp_ctx, ldb, "<SID=%s>",
507 dom_sid_string(tmp_ctx,
508 dom_sid_add_rid(tmp_ctx, domain_sid,
509 rids[i])));
510 if (dn == NULL) {
511 talloc_free(tmp_ctx);
512 return NT_STATUS_NO_MEMORY;
513 }
514 rc = dsdb_search_one(ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE, attrs, 0, "samAccountName=*");
515 if (rc == LDB_ERR_NO_SUCH_OBJECT) {
516 continue;
517 } else if (rc != LDB_SUCCESS) {
518 talloc_free(tmp_ctx);
519 return NT_STATUS_INTERNAL_DB_CORRUPTION;
520 }
521
522 names[i] = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
523 if (names[i] == NULL) {
524 DEBUG(10, ("no samAccountName\n"));
525 continue;
526 }
527 talloc_steal(names, names[i]);
528 attr = ldb_msg_find_attr_as_uint(msg, "samAccountType", 0);
529 lsa_attrs[i] = ds_atype_map(attr);
530 if (lsa_attrs[i] == SID_NAME_UNKNOWN) {
531 continue;
532 }
533 num_mapped += 1;
534 }
535 talloc_free(tmp_ctx);
536
537 if (num_mapped == 0) {
538 return NT_STATUS_NONE_MAPPED;
539 }
540 if (num_mapped < num_rids) {
541 return STATUS_SOME_UNMAPPED;
542 }
543 return NT_STATUS_OK;
544}
545
Note: See TracBrowser for help on using the repository browser.