authorAndrew Bartlett <abartlet@samba.org>2007-12-05 00:40:48 +0100
committerStefan Metzmacher <metze@samba.org>2007-12-21 05:48:15 +0100
commitf5860b5a853c40c9e48f5bb0a87c086d268c53bd (patch)
treecdfe5c94af464f22950118c85952fdf49371ae15
parent6d2f6f1aae2fd20dec9ed37019de26c7b33b7d2c (diff)
r26298: Use metze's schema loading code to pre-initialise the schema into the
samdb before we start writing entries into it. In doing so, I realised we still used 'dnsDomain', which is not part of the standard schema (now removed). We also set the 'wrong' side of the linked attributes for the masteredBy on each partition - this is now set in provision_self_join and backlinks via the linked attributes code. When we have the schema loaded, we must also have a valid domain SID loaded, so that the objectclass module works. This required some ejs glue. Andrew Bartlett (This used to be commit b0de08916e8cb59ce6a2ea94bbc9ac0679830ac1)
-rw-r--r--source4/dsdb/samdb/samdb.c37
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c11
-rw-r--r--source4/scripting/ejs/smbcalls_ldb.c51
-rw-r--r--source4/scripting/libjs/provision.js55
-rw-r--r--source4/setup/provision_basedn_modify.ldif8
-rw-r--r--source4/setup/provision_configuration_basedn_modify.ldif6
-rw-r--r--source4/setup/provision_schema_basedn_modify.ldif9
-rw-r--r--source4/setup/provision_self_join.ldif7
-rw-r--r--source4/setup/schema_samba4.ldif27
9 files changed, 159 insertions, 52 deletions
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index b3ed41a752..939de4b048 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -1136,6 +1136,43 @@ failed:
return NULL;
}
+bool samdb_set_domain_sid(struct ldb_context *ldb, const struct dom_sid *dom_sid_in)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct dom_sid *dom_sid_new;
+ struct dom_sid *dom_sid_old;
+
+ /* see if we have a cached copy */
+ dom_sid_old = talloc_get_type(ldb_get_opaque(ldb,
+ "cache.domain_sid"), struct dom_sid);
+
+ tmp_ctx = talloc_new(ldb);
+ if (tmp_ctx == NULL) {
+ goto failed;
+ }
+
+ dom_sid_new = dom_sid_dup(tmp_ctx, dom_sid_in);
+ if (!dom_sid_new) {
+ goto failed;
+ }
+
+ /* cache the domain_sid in the ldb */
+ if (ldb_set_opaque(ldb, "cache.domain_sid", dom_sid_new) != LDB_SUCCESS) {
+ goto failed;
+ }
+
+ talloc_steal(ldb, dom_sid_new);
+ talloc_free(tmp_ctx);
+ talloc_free(dom_sid_old);
+
+ return true;
+
+failed:
+ DEBUG(1,("Failed to set our own cached domain SID in the ldb!\n"));
+ talloc_free(tmp_ctx);
+ return false;
+}
+
/* Obtain the short name of the flexible single master operator
* (FSMO), such as the PDC Emulator */
const char *samdb_result_fsmo_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct ldb_message *msg,
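Review bot: `talloc_free(dom_sid_old)` at the end of samdb_set_domain_sid releases the SID previously stored under "cache.domain_sid", so any caller that fetched that pointer from the opaque earlier (if the lookup helper in this file hands out the cached object rather than a copy) is left holding a dangling reference, and since this SID feeds SID allocation in the objectclass module that is a use-after-free worth ruling out, either by documenting that the cached pointer must not be retained across this call or by leaving the old object attached to ldb. The function is new and externally visible but has no header comment; I would add `/* Replace the domain SID cached on this ldb. The previous cached SID is freed, so pointers obtained from the cache before this call become invalid. Returns false, leaving the old cache in place, on allocation or ldb_set_opaque failure. */` above it. The ordering itself is sound: the old value is released only after the new one is stored, so a failure leaves the previous SID usable.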
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index d51f9e218d..d7f9fdde3d 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -985,6 +985,7 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TA
const char * const attrs[] = { "dnsDomain", "objectGUID", NULL };
void *sam_ctx;
struct ldb_message **res;
+ struct ldb_dn *domain_dn;
int ret;
ZERO_STRUCT(r->out);
@@ -994,9 +995,13 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TA
return WERR_DS_SERVICE_UNAVAILABLE;
}
- ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs,
- "(&(objectClass=domainDNS)(dnsDomain=%s))",
- r->in.domain_name);
+ domain_dn = samdb_dns_domain_to_dn(sam_ctx, mem_ctx,
+ r->in.domain_name);
+ if (domain_dn == NULL) {
+ return WERR_DS_SERVICE_UNAVAILABLE;
+ }
+
+ ret = gendb_search_dn(sam_ctx, mem_ctx, domain_dn, &res, attrs);
if (ret != 1) {
return WERR_NO_SUCH_DOMAIN;
}
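Review bot: The `attrs[]` array in the previous hunk (context line `const char * const attrs[] = { "dnsDomain", "objectGUID", NULL };`) still requests `dnsDomain`, an attribute this same commit retires in schema_samba4.ldif and no longer filters on here, so the lookup asks for a value that will never be present; unless the rest of the function (outside the hunk) consumes it, change it to `const char * const attrs[] = { "objectGUID", NULL };`. Separately, `r->in.domain_name` is client-supplied, and a NULL from samdb_dns_domain_to_dn is reported as WERR_DS_SERVICE_UNAVAILABLE; if that helper returns NULL for a name that cannot be turned into a DN as well as on allocation failure, WERR_NO_SUCH_DOMAIN is the more accurate status for the malformed-input case and avoids presenting a bad request as a server outage. dcesrv_netr_DsRGetDCNameEx2 starts and ends outside the hunk.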
diff --git a/source4/scripting/ejs/smbcalls_ldb.c b/source4/scripting/ejs/smbcalls_ldb.c
index b8c35d267e..7599cbf443 100644
--- a/source4/scripting/ejs/smbcalls_ldb.c
+++ b/source4/scripting/ejs/smbcalls_ldb.c
@@ -28,6 +28,7 @@
#include "ldb_wrap.h"
#include "dsdb/samdb/samdb.h"
#include "librpc/ndr/libndr.h"
+#include "libcli/security/security.h"
/*
get the connected db
@@ -598,7 +599,7 @@ static int ejs_ldb_attach_dsdb_schema_from_ldif(MprVarHandle eid, int argc, char
}
/*
- commit a ldb attach a dsdb_schema from ldif files
+ set a particular invocationId against the running LDB
usage:
ok = ldb.set_ntds_invocationId("7729aa4b-f990-41ad-b81a-8b6a14090f41");
*/
@@ -640,9 +641,9 @@ static int ejs_ldb_set_ntds_invocationId(MprVarHandle eid, int argc, char **argv
}
/*
- commit a ldb attach a dsdb_schema from ldif files
+ attach a particular ntds objectGUID against the current ldb
usage:
- ok = ldb.get_ntds_objectGUID("7729aa4b-f990-41ad-b81a-8b6a14090f41");
+ ok = ldb.set_ntds_objectGUID("7729aa4b-f990-41ad-b81a-8b6a14090f41");
*/
static int ejs_ldb_set_ntds_objectGUID(MprVarHandle eid, int argc, char **argv)
{
@@ -682,6 +683,48 @@ static int ejs_ldb_set_ntds_objectGUID(MprVarHandle eid, int argc, char **argv)
}
/*
+ attach a particular domain SID against the current ldb
+ usage:
+ ok = ldb.set_domain_sid("S-S-1-5-21-3065342217-3567412576-2214182334");
+*/
+static int ejs_ldb_set_domain_sid(MprVarHandle eid, int argc, char **argv)
+{
+ struct ldb_context *ldb;
+ struct dom_sid *dom_sid;
+ char *dom_sid_str;
+ bool ok;
+
+ if (argc != 1) {
+ ejsSetErrorMsg(eid, "ldb.set_domain_sid invalid arguments");
+ return -1;
+ }
+
+ ldb = ejs_get_ldb_context(eid);
+ if (ldb == NULL) {
+ return -1;
+ }
+
+ dom_sid_str = argv[0];
+
+ dom_sid = dom_sid_parse_talloc(NULL, dom_sid_str);
+ if (!dom_sid) {
+ ejsSetErrorMsg(eid, "ldb.set_domain_sid - failed to parse domain sid '%s'\n",
+ dom_sid_str);
+ return -1;
+ }
+
+ ok = samdb_set_domain_sid(ldb, dom_sid);
+ talloc_free(dom_sid);
+ if (!ok) {
+ ejsSetErrorMsg(eid, "ldb.set_domain_sid - failed to set cached ntds invocationId\n");
+ return -1;
+ }
+
+ mpr_Return(eid, mprCreateBoolVar(ok));
+ return 0;
+}
+
+/*
initialise ldb ejs subsystem
*/
static int ejs_ldb_init(MprVarHandle eid, int argc, struct MprVar **argv)
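Review bot: The error string on the `samdb_set_domain_sid` failure path in ejs_ldb_set_domain_sid reads "failed to set cached ntds invocationId", a copy-paste from the invocationId binding above, which will point anyone debugging a provisioning failure at the wrong function; change it to `ejsSetErrorMsg(eid, "ldb.set_domain_sid - failed to set cached domain sid\n");`. The usage example in the new function's header comment has a doubled prefix, `S-S-1-5-21-...`, and should read `ok = ldb.set_domain_sid("S-1-5-21-3065342217-3567412576-2214182334");` so that a script author copying it gets a string dom_sid_parse_talloc will accept. The parse-failure and set-failure messages end in `\n` while the argument-count message does not; the neighbouring bindings in this file show which form the ejs error reporting expects, and the three should match.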
@@ -708,6 +751,8 @@ static int ejs_ldb_init(MprVarHandle eid, int argc, struct MprVar **argv)
ejs_ldb_set_ntds_invocationId);
mprSetStringCFunction(ldb, "set_ntds_objectGUID",
ejs_ldb_set_ntds_objectGUID);
+ mprSetStringCFunction(ldb, "set_domain_sid",
+ ejs_ldb_set_domain_sid);
mprSetVar(ldb, "SCOPE_BASE", mprCreateNumberVar(LDB_SCOPE_BASE));
mprSetVar(ldb, "SCOPE_ONE", mprCreateNumberVar(LDB_SCOPE_ONELEVEL));
mprSetVar(ldb, "SCOPE_SUBTREE", mprCreateNumberVar(LDB_SCOPE_SUBTREE));
diff --git a/source4/scripting/libjs/provision.js b/source4/scripting/libjs/provision.js
index 2dfc941a66..b42f3b2580 100644
--- a/source4/scripting/libjs/provision.js
+++ b/source4/scripting/libjs/provision.js
@@ -563,6 +563,44 @@ function provision_become_dc(subobj, message, erase, paths, session_info)
return true;
}
+function load_schema(subobj, message, samdb)
+{
+ var lp = loadparm_init();
+ var src = lp.get("setup directory") + "/" + "schema.ldif";
+
+ if (! sys.stat(src)) {
+ message("Template file not found: %s\n",src);
+ assert(0);
+ }
+
+ var schema_data = sys.file_load(src);
+
+ src = lp.get("setup directory") + "/" + "schema_samba4.ldif";
+
+ if (! sys.stat(src)) {
+ message("Template file not found: %s\n",src);
+ assert(0);
+ }
+
+ schema_data = schema_data + sys.file_load(src);
+
+ schema_data = substitute_var(schema_data, subobj);
+
+ src = lp.get("setup directory") + "/" + "provision_schema_basedn_modify.ldif";
+
+ if (! sys.stat(src)) {
+ message("Template file not found: %s\n",src);
+ assert(0);
+ }
+
+ var head_data = sys.file_load(src);
+ head_data = substitute_var(head_data, subobj);
+
+ var ok = samdb.attach_dsdb_schema_from_ldif(head_data, schema_data);
+ return ok;
+}
+
+
/*
provision samba4 - caution, this wipes all existing data!
*/
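Review bot: load_schema repeats the stat/load pattern three times with identical "Template file not found" handling, which makes the function long for what it does and lets the three copies drift; a small helper returning the loaded contents reduces it to three calls. The version below keeps the same messages, the same `assert(0)` on a missing file, and the same order of operations (substitution after the two schema files are concatenated, since schema_samba4.ldif carries `${SCHEMADN}` placeholders). Note that `message("Template file not found: %s\n", src)` relies on message() doing printf-style substitution, which this hunk does not show.
```javascript
function load_setup_file(lp, message, name)
{
	var src = lp.get("setup directory") + "/" + name;
	if (! sys.stat(src)) {
		message("Template file not found: %s\n", src);
		assert(0);
	}
	return sys.file_load(src);
}

function load_schema(subobj, message, samdb)
{
	var lp = loadparm_init();

	var schema_data = load_setup_file(lp, message, "schema.ldif")
		+ load_setup_file(lp, message, "schema_samba4.ldif");
	schema_data = substitute_var(schema_data, subobj);

	var head_data = load_setup_file(lp, message, "provision_schema_basedn_modify.ldif");
	head_data = substitute_var(head_data, subobj);

	return samdb.attach_dsdb_schema_from_ldif(head_data, schema_data);
}
```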
@@ -648,8 +686,15 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
}
samdb.close();
+ message("Pre-loading the Samba4 and AD schema\n");
+
samdb = open_ldb(info, paths.samdb, false);
+ samdb.set_domain_sid(subobj.DOMAINSID);
+
+ var load_schema_ok = load_schema(subobj, message, samdb);
+ assert(load_schema_ok.is_ok);
+
message("Adding DomainDN: " + subobj.DOMAINDN + " (permitted to fail)\n");
var add_ok = setup_add_ldif("provision_basedn.ldif", info, samdb, true);
message("Modifying DomainDN: " + subobj.DOMAINDN + "\n");
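Review bot: `samdb.set_domain_sid(subobj.DOMAINSID);` discards its result while the schema load directly after it is asserted on; if the binding's -1 return on an unparseable SID does not abort the script, provisioning continues without a cached domain SID and the objectclass module the commit message says depends on it fails later with a less obvious error. I would write `var sid_ok = samdb.set_domain_sid(subobj.DOMAINSID);` followed by `assert(sid_ok);`. The assert on `load_schema_ok.is_ok` also assumes attach_dsdb_schema_from_ldif returns an object with an is_ok member, which load_schema passes through unchanged; the binding is not in this hunk, so that is worth confirming. provision() starts and ends outside the hunk.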
@@ -692,16 +737,6 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
message("Setting up sam.ldb AD schema\n");
setup_add_ldif("schema.ldif", info, samdb, false);
- // (hack) Reload, now we have the schema loaded.
- var commit_ok = samdb.transaction_commit();
- if (!commit_ok) {
- info.message("samdb commit failed: " + samdb.errstring() + "\n");
- assert(commit_ok);
- }
- samdb.close();
-
- samdb = open_ldb(info, paths.samdb, false);
-
message("Setting up sam.ldb configuration data\n");
setup_add_ldif("provision_configuration.ldif", info, samdb, false);
diff --git a/source4/setup/provision_basedn_modify.ldif b/source4/setup/provision_basedn_modify.ldif
index 286ecdd49c..fa990599d9 100644
--- a/source4/setup/provision_basedn_modify.ldif
+++ b/source4/setup/provision_basedn_modify.ldif
@@ -3,8 +3,6 @@
###############################
dn: ${DOMAINDN}
changetype: modify
-replace: dnsDomain
-dnsDomain: ${DNSDOMAIN}
-
replace: dc
dc: ${RDN_DC}
@@ -79,12 +77,6 @@ replace: subRefs
subRefs: ${CONFIGDN}
subRefs: ${SCHEMADN}
-
-replace: masteredBy
-masteredBy: CN=NTDS Settings,CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
--
-replace: msDs-masteredBy
-msDs-masteredBy: CN=NTDS Settings,CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
--
replace: gPLink
gPLink: [LDAP://CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN};2]
-
diff --git a/source4/setup/provision_configuration_basedn_modify.ldif b/source4/setup/provision_configuration_basedn_modify.ldif
index 897499b163..46ba4e9649 100644
--- a/source4/setup/provision_configuration_basedn_modify.ldif
+++ b/source4/setup/provision_configuration_basedn_modify.ldif
@@ -14,9 +14,3 @@ objectCategory: CN=Configuration,${SCHEMADN}
-
replace: subRefs
subRefs: ${SCHEMADN}
--
-replace: masteredBy
-masteredBy: CN=NTDS Settings,CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
--
-replace: msDs-masteredBy
-msDs-masteredBy: CN=NTDS Settings,CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
diff --git a/source4/setup/provision_schema_basedn_modify.ldif b/source4/setup/provision_schema_basedn_modify.ldif
index a222a654f7..92c5cf1ace 100644
--- a/source4/setup/provision_schema_basedn_modify.ldif
+++ b/source4/setup/provision_schema_basedn_modify.ldif
@@ -9,15 +9,6 @@ instanceType: 13
replace: showInAdvancedViewOnly
showInAdvancedViewOnly: TRUE
-
-replace: objectCategory
-objectCategory: CN=DMD,${SCHEMADN}
--
-replace: masteredBy
-masteredBy: CN=NTDS Settings,CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
--
-replace: msDs-masteredBy
-msDs-masteredBy: CN=NTDS Settings,CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
--
replace: fSMORoleOwner
fSMORoleOwner: CN=NTDS Settings,CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
-
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index 8c6959dbaa..06230e8d00 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -61,4 +61,9 @@ systemFlags: 33554432
dMDLocation: ${SCHEMADN}
invocationId: ${INVOCATIONID}
msDS-Behavior-Version: 2
-
+msDS-hasMasterNCs: ${CONFIGDN}
+msDS-hasMasterNCs: ${SCHEMADN}
+msDS-hasMasterNCs: ${DOMAINDN}
+hasMasterNCs: ${CONFIGDN}
+hasMasterNCs: ${SCHEMADN}
+hasMasterNCs: ${DOMAINDN}
diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif
index 2967261758..a9f79f1635 100644
--- a/source4/setup/schema_samba4.ldif
+++ b/source4/setup/schema_samba4.ldif
@@ -96,18 +96,21 @@ attributeID: 1.3.6.1.4.1.7165.4.1.5
attributeSyntax: 2.5.5.5
oMSyntax: 22
-dn: cn=dnsDomain,${SCHEMADN}
-objectClass: top
-objectClass: attributeSchema
-lDAPDisplayName: dnsDomain
-isSingleValued: FALSE
-systemFlags: 17
-systemOnly: TRUE
-schemaIDGUID: A40165E6-5E45-44A7-A8FA-186C94333018
-adminDisplayName: DNS-Domain
-attributeID: 1.3.6.1.4.1.7165.4.1.6
-attributeSyntax: 2.5.5.4
-oMSyntax: 20
+#
+# Not used anymore
+#
+#dn: cn=dnsDomain,${SCHEMADN}
+#objectClass: top
+#objectClass: attributeSchema
+#lDAPDisplayName: dnsDomain
+#isSingleValued: FALSE
+#systemFlags: 17
+#systemOnly: TRUE
+#schemaIDGUID: A40165E6-5E45-44A7-A8FA-186C94333018
+#adminDisplayName: DNS-Domain
+#attributeID: 1.3.6.1.4.1.7165.4.1.6
+#attributeSyntax: 2.5.5.4
+#oMSyntax: 20
dn: cn=privilege,${SCHEMADN}
objectClass: top