r8790: Finish the migration of aliases and privilages with SamSync, by adding

templating support for foreignSecurityPrincipals to the samdb module.
This is an extension beyond what microsoft does, and has been very
useful :-)

The setup scripts have been modified to use the new template, as has
the SAMR and LSA code.

Other cleanups in LSA remove the assumption that the short domain name
is the first component of the realm.

Also add a lot of useful debug messages, to make it clear how/why the
SamSync may have gone wrong.  Many of these should perhaps be hooked
into an error string.

Andrew Bartlett
(This used to be commit 1f071b0609c5c83024db1d4a7d04334a932b8253)

2 files changed, 34 insertions, 48 deletions

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 78973776f1..85f94712ba 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -220,6 +220,9 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
 				     struct lsa_policy_state **_state)
 {
 	struct lsa_policy_state *state;
+	const char *domain_attrs[] =  {"nETBIOSName", "nCName", NULL};
+	int ret_domain;
+	struct ldb_message **msgs_domain;
 
 	state = talloc(mem_ctx, struct lsa_policy_state);
 	if (!state) {
@@ -237,36 +240,47 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
 
+	ret_domain = gendb_search(state->sam_ldb, mem_ctx, NULL, &msgs_domain, domain_attrs,
+				  "(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))", 
+				  lp_workgroup());
+	
+	if (ret_domain == -1) {
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+		
+	if (ret_domain != 1) {
+		return NT_STATUS_NO_SUCH_DOMAIN;		
+	}
+
 	/* work out the domain_dn - useful for so many calls its worth
 	   fetching here */
-	state->domain_dn = talloc_reference(state, 
-					    samdb_search_string(state->sam_ldb, mem_ctx, NULL,
-								"dn", "(&(objectClass=domain)(!(objectclass=builtinDomain)))"));
+	state->domain_dn = talloc_steal(state, samdb_result_string(msgs_domain[0], "nCName", NULL));
 	if (!state->domain_dn) {
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
 
 	/* work out the builtin_dn - useful for so many calls its worth
 	   fetching here */
-	state->builtin_dn = talloc_reference(state, 
-					     samdb_search_string(state->sam_ldb, mem_ctx, NULL,
-						"dn", "objectClass=builtinDomain"));
+	state->builtin_dn = talloc_steal(state, 
+					 samdb_search_string(state->sam_ldb, mem_ctx, NULL,
+							     "dn", "objectClass=builtinDomain"));
 	if (!state->builtin_dn) {
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
 
 	/* work out the system_dn - useful for so many calls its worth
 	   fetching here */
-	state->system_dn = talloc_reference(state, 
-					     samdb_search_string(state->sam_ldb, mem_ctx, state->domain_dn,
-					       "dn", "(&(objectClass=container)(cn=System))"));
+	state->system_dn = talloc_steal(state, 
+					samdb_search_string(state->sam_ldb, mem_ctx, state->domain_dn,
+							    "dn", "(&(objectClass=container)(cn=System))"));
 	if (!state->system_dn) {
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
 
-	state->domain_sid = samdb_search_dom_sid(state->sam_ldb, state,
-						 state->domain_dn, "objectSid", 
-						 "dn=%s", state->domain_dn);
+	state->domain_sid = talloc_steal(state, 
+					 samdb_search_dom_sid(state->sam_ldb, state,
+							      state->domain_dn, "objectSid", 
+							      "dn=%s", state->domain_dn));
 	if (!state->domain_sid) {
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
@@ -276,13 +290,9 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
 
-	state->domain_name = talloc_reference(state, 
-					      samdb_search_string(state->sam_ldb, mem_ctx,
-								  state->domain_dn, "name", 
-								  "dn=%s", state->domain_dn));
-	if (!state->domain_name) {
-		return NT_STATUS_NO_SUCH_DOMAIN;		
-	}
+	state->domain_name = talloc_strdup(state, 
+					   samdb_result_string(msgs_domain[0], "nETBIOSName", 
+							       lp_workgroup()));
 
 	*_state = state;
 
@@ -619,14 +629,6 @@ static NTSTATUS lsa_CreateTrustedDomain(struct dcesrv_call_state *dce_call, TALL
 		samdb_msg_add_string(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "securityIdentifier", sid_string);
 	}
 
-	/* pull in all the template attributes. */
-	ret = samdb_copy_template(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, 
-				  "(&(name=TemplateTrustedDomain)(objectclass=trustedDomainTemplate))");
-	if (ret != 0) {
-		DEBUG(0,("Failed to load TemplateTrustedDomain from samdb\n"));
-		return NT_STATUS_INTERNAL_DB_CORRUPTION;
-	}
-
 	samdb_msg_add_string(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "objectClass", "trustedDomain");
 	
 	trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msg->dn);
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 3cda88c04c..26593d1697 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -747,7 +747,7 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX
 	a_state->domain_state = talloc_reference(a_state, d_state);
 	a_state->account_dn = talloc_steal(a_state, msg->dn);
 
-	/* retrieve the sid for the group just created */
+	/* retrieve the sid for the user just created */
 	sid = samdb_search_dom_sid(d_state->sam_ctx, a_state,
 				   msg->dn, "objectSid", "dn=%s", msg->dn);
 	if (sid == NULL) {
@@ -907,7 +907,7 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C
 	/* Check if alias already exists */
 	name = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL,
 				   "sAMAccountName",
-				   "(&pAMAccountName=%s)(objectclass=group))",
+				   "(sAMAccountName=%s)(objectclass=group))",
 				   alias_name);
 
 	if (name != NULL) {
@@ -2040,17 +2040,6 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C
 			return NT_STATUS_NO_MEMORY;
 		}
 
-		/* pull in all the template attributes */
-		ret = samdb_copy_template(d_state->sam_ctx, mem_ctx, msg, 
-					  "(&(name=TemplateForeignSecurityPrincipal)"
-					  "(objectclass=foreignSecurityPrincipalTemplate))");
-		if (ret != 0) {
-			DEBUG(0,("Failed to load "
-				 "TemplateForeignSecurityPrincipal "
-				 "from samdb\n"));
-			return NT_STATUS_INTERNAL_DB_CORRUPTION;
-		}
-
 		/* TODO: Hmmm. This feels wrong. How do I find the base dn to
 		 * put the ForeignSecurityPrincipals? d_state->domain_dn does
 		 * not work, this is wrong for the Builtin domain, there's no
@@ -2076,13 +2065,9 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C
 		memberdn = msg->dn;
 
 		samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg,
-				     "name", sidstr);
-		samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg,
 				     "objectClass",
 				     "foreignSecurityPrincipal");
-		samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg,
-				     "objectSid", sidstr);
-		
+
 		/* create the alias */
 		ret = samdb_add(d_state->sam_ctx, mem_ctx, msg);
 		if (ret != 0) {
@@ -3256,7 +3241,7 @@ static NTSTATUS samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX
 	struct ldb_message **msgs;
 	int ret;
 	const char * const attrs[] = {"minPwdLength", "pwdProperties", NULL };
-	void *sam_ctx;
+	struct ldb_context *sam_ctx;
 
 	ZERO_STRUCT(r->out.info);
 
@@ -3267,8 +3252,7 @@ static NTSTATUS samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX
 
 	ret = gendb_search(sam_ctx, 
 			   mem_ctx, NULL, &msgs, attrs, 
-			   "(&(name=%s)(objectclass=domain))",
-			   lp_workgroup());
+			   "(&(!(objectClass=builtinDomain))(objectclass=domain))");
 	if (ret <= 0) {
 		return NT_STATUS_NO_SUCH_DOMAIN;
 	}