diff options
-rw-r--r-- | source4/dsdb/common/util_samr.c | 249 | ||||
-rw-r--r-- | source4/dsdb/wscript_build | 2 | ||||
-rw-r--r-- | source4/rpc_server/samr/dcesrv_samr.c | 194 |
3 files changed, 258 insertions, 187 deletions
diff --git a/source4/dsdb/common/util_samr.c b/source4/dsdb/common/util_samr.c new file mode 100644 index 0000000000..83329d2afc --- /dev/null +++ b/source4/dsdb/common/util_samr.c @@ -0,0 +1,249 @@ +/* + Unix SMB/CIFS implementation. + + Helpers to add users and groups to the DB + + Copyright (C) Andrew Tridgell 2004 + Copyright (C) Volker Lendecke 2004 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2010 + Copyright (C) Matthias Dieter Wallnöfer 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "dsdb/samdb/samdb.h" +#include "dsdb/common/util.h" +#include "../libds/common/flags.h" + +/* Add a user, SAMR style, including the correct transaction + * semantics. Used by the SAMR server and by pdb_samba4 */ +NTSTATUS dsdb_add_user(struct ldb_context *ldb, + TALLOC_CTX *mem_ctx, + const char *account_name, + uint32_t acct_flags, + struct dom_sid **sid, + struct ldb_dn **dn) +{ + const char *name; + struct ldb_message *msg; + int ret; + const char *container, *obj_class=NULL; + char *cn_name; + int cn_name_len; + + const char *attrs[] = { + "objectSid", + "userAccountControl", + NULL + }; + + uint32_t user_account_control; + struct ldb_dn *account_dn; + struct dom_sid *account_sid; + + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); + + /* + * Start a transaction, so we can query and do a subsequent atomic + * modify + */ + + ret = ldb_transaction_start(ldb); + if (ret != LDB_SUCCESS) { + DEBUG(0,("Failed to start a transaction for user creation: %s\n", + ldb_errstring(ldb))); + talloc_free(tmp_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + /* check if the user already exists */ + name = samdb_search_string(ldb, tmp_ctx, NULL, + "sAMAccountName", + "(&(sAMAccountName=%s)(objectclass=user))", + ldb_binary_encode_string(tmp_ctx, account_name)); + if (name != NULL) { + ldb_transaction_cancel(ldb); + talloc_free(tmp_ctx); + return NT_STATUS_USER_EXISTS; + } + + msg = ldb_msg_new(tmp_ctx); + if (msg == NULL) { + ldb_transaction_cancel(ldb); + talloc_free(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + + cn_name = talloc_strdup(tmp_ctx, account_name); + if (!cn_name) { + ldb_transaction_cancel(ldb); + talloc_free(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + + cn_name_len = strlen(cn_name); + + /* This must be one of these values *only* */ + if (acct_flags == ACB_NORMAL) { + container = "CN=Users"; + obj_class = "user"; + + } else if (acct_flags == ACB_WSTRUST) { + if (cn_name[cn_name_len - 1] != '$') { + ldb_transaction_cancel(ldb); + return NT_STATUS_FOOBAR; + } + cn_name[cn_name_len - 1] = '\0'; + container = "CN=Computers"; + obj_class = "computer"; + samdb_msg_add_int(ldb, tmp_ctx, msg, + "primaryGroupID", DOMAIN_RID_DOMAIN_MEMBERS); + + } else if (acct_flags == ACB_SVRTRUST) { + if (cn_name[cn_name_len - 1] != '$') { + ldb_transaction_cancel(ldb); + return NT_STATUS_FOOBAR; + } + cn_name[cn_name_len - 1] = '\0'; + container = "OU=Domain Controllers"; + obj_class = "computer"; + samdb_msg_add_int(ldb, tmp_ctx, msg, + "primaryGroupID", DOMAIN_RID_DCS); + } else { + ldb_transaction_cancel(ldb); + talloc_free(tmp_ctx); + return NT_STATUS_INVALID_PARAMETER; + } + + /* add core elements to the ldb_message for the user */ + msg->dn = ldb_dn_copy(msg, ldb_get_default_basedn(ldb)); + if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s,%s", cn_name, container)) { + ldb_transaction_cancel(ldb); + talloc_free(tmp_ctx); + return NT_STATUS_FOOBAR; + } + + samdb_msg_add_string(ldb, tmp_ctx, msg, "sAMAccountName", + account_name); + samdb_msg_add_string(ldb, tmp_ctx, msg, "objectClass", + obj_class); + + /* create the user */ + ret = ldb_add(ldb, msg); + switch (ret) { + case LDB_SUCCESS: + break; + case LDB_ERR_ENTRY_ALREADY_EXISTS: + ldb_transaction_cancel(ldb); + DEBUG(0,("Failed to create user record %s: %s\n", + ldb_dn_get_linearized(msg->dn), + ldb_errstring(ldb))); + talloc_free(tmp_ctx); + return NT_STATUS_USER_EXISTS; + case LDB_ERR_UNWILLING_TO_PERFORM: + case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS: + ldb_transaction_cancel(ldb); + DEBUG(0,("Failed to create user record %s: %s\n", + ldb_dn_get_linearized(msg->dn), + ldb_errstring(ldb))); + talloc_free(tmp_ctx); + return NT_STATUS_ACCESS_DENIED; + default: + ldb_transaction_cancel(ldb); + DEBUG(0,("Failed to create user record %s: %s\n", + ldb_dn_get_linearized(msg->dn), + ldb_errstring(ldb))); + talloc_free(tmp_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + account_dn = msg->dn; + + /* retrieve the sid and account control bits for the user just created */ + ret = dsdb_search_one(ldb, tmp_ctx, &msg, + account_dn, LDB_SCOPE_BASE, attrs, 0, NULL); + + if (ret != LDB_SUCCESS) { + ldb_transaction_cancel(ldb); + DEBUG(0,("Can't locate the account we just created %s: %s\n", + ldb_dn_get_linearized(account_dn), ldb_errstring(ldb))); + talloc_free(tmp_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + account_sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid"); + if (account_sid == NULL) { + ldb_transaction_cancel(ldb); + DEBUG(0,("Apparently we failed to get the objectSid of the just created account record %s\n", + ldb_dn_get_linearized(msg->dn))); + talloc_free(tmp_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + /* Change the account control to be the correct account type. + * The default is for a workstation account */ + user_account_control = samdb_result_uint(msg, "userAccountControl", 0); + user_account_control = (user_account_control & + ~(UF_NORMAL_ACCOUNT | + UF_INTERDOMAIN_TRUST_ACCOUNT | + UF_WORKSTATION_TRUST_ACCOUNT | + UF_SERVER_TRUST_ACCOUNT)); + user_account_control |= ds_acb2uf(acct_flags); + + talloc_free(msg); + msg = ldb_msg_new(tmp_ctx); + if (msg == NULL) { + ldb_transaction_cancel(ldb); + talloc_free(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + + msg->dn = account_dn; + + if (samdb_msg_add_uint(ldb, tmp_ctx, msg, + "userAccountControl", + user_account_control) != 0) { + ldb_transaction_cancel(ldb); + talloc_free(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + + /* modify the samdb record */ + ret = dsdb_replace(ldb, msg, 0); + if (ret != LDB_SUCCESS) { + DEBUG(0,("Failed to modify account record %s to set userAccountControl: %s\n", + ldb_dn_get_linearized(msg->dn), + ldb_errstring(ldb))); + ldb_transaction_cancel(ldb); + talloc_free(tmp_ctx); + + /* we really need samdb.c to return NTSTATUS */ + return NT_STATUS_UNSUCCESSFUL; + } + + ret = ldb_transaction_commit(ldb); + if (ret != LDB_SUCCESS) { + DEBUG(0,("Failed to commit transaction to add and modify account record %s: %s\n", + ldb_dn_get_linearized(msg->dn), + ldb_errstring(ldb))); + talloc_free(tmp_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + *dn = talloc_steal(mem_ctx, account_dn); + *sid = talloc_steal(mem_ctx, account_sid); + talloc_free(tmp_ctx); + return NT_STATUS_OK; +} + diff --git a/source4/dsdb/wscript_build b/source4/dsdb/wscript_build index 92f056197b..1bf8413acc 100644 --- a/source4/dsdb/wscript_build +++ b/source4/dsdb/wscript_build @@ -11,7 +11,7 @@ bld.SAMBA_SUBSYSTEM('SAMDB', bld.SAMBA_SUBSYSTEM('SAMDB_COMMON', - source='common/util.c common/dsdb_dn.c common/dsdb_access.c ../../libds/common/flag_mapping.c', + source='common/util.c common/util_samr.c common/dsdb_dn.c common/dsdb_access.c ../../libds/common/flag_mapping.c', autoproto='common/proto.h', deps='ldb NDR_DRSBLOBS LIBCLI_LDAP_NDR UTIL_LDB LIBCLI_AUTH DSDB_MODULE_HELPERS' ) diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index 5775b1410f..f13feb3aa9 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c @@ -32,6 +32,7 @@ #include "lib/ldb/include/ldb_errors.h" #include "../libds/common/flags.h" #include "dsdb/samdb/samdb.h" +#include "dsdb/common/util.h" #include "libcli/ldap/ldap_ndr.h" #include "libcli/security/security.h" #include "rpc_server/samr/proto.h" @@ -1213,28 +1214,14 @@ static NTSTATUS dcesrv_samr_EnumDomainGroups(struct dcesrv_call_state *dce_call, static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct samr_CreateUser2 *r) { + NTSTATUS status; struct samr_domain_state *d_state; struct samr_account_state *a_state; struct dcesrv_handle *h; - const char *name; - struct ldb_message *msg; + struct ldb_dn *dn; struct dom_sid *sid; - const char *account_name; struct dcesrv_handle *u_handle; - int ret; - const char *container, *obj_class=NULL; - char *cn_name; - int cn_name_len; - - const char *attrs[] = { - "objectSid", - "userAccountControl", - NULL - }; - - uint32_t user_account_control; - - struct ldb_message **msgs; + const char *account_name; ZERO_STRUCTP(r->out.user_handle); *r->out.access_granted = 0; @@ -1257,111 +1244,10 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_INVALID_PARAMETER; } - /* - * Start a transaction, so we can query and do a subsequent atomic - * modify - */ - - ret = ldb_transaction_start(d_state->sam_ctx); - if (ret != LDB_SUCCESS) { - DEBUG(0,("Failed to start a transaction for user creation: %s\n", - ldb_errstring(d_state->sam_ctx))); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - /* check if the user already exists */ - name = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL, - "sAMAccountName", - "(&(sAMAccountName=%s)(objectclass=user))", - ldb_binary_encode_string(mem_ctx, account_name)); - if (name != NULL) { - ldb_transaction_cancel(d_state->sam_ctx); - return NT_STATUS_USER_EXISTS; - } - - msg = ldb_msg_new(mem_ctx); - if (msg == NULL) { - ldb_transaction_cancel(d_state->sam_ctx); - return NT_STATUS_NO_MEMORY; - } - - cn_name = talloc_strdup(mem_ctx, account_name); - if (!cn_name) { - ldb_transaction_cancel(d_state->sam_ctx); - return NT_STATUS_NO_MEMORY; - } - - cn_name_len = strlen(cn_name); - - /* This must be one of these values *only* */ - if (r->in.acct_flags == ACB_NORMAL) { - container = "CN=Users"; - obj_class = "user"; - - } else if (r->in.acct_flags == ACB_WSTRUST) { - if (cn_name[cn_name_len - 1] != '$') { - ldb_transaction_cancel(d_state->sam_ctx); - return NT_STATUS_FOOBAR; - } - cn_name[cn_name_len - 1] = '\0'; - container = "CN=Computers"; - obj_class = "computer"; - samdb_msg_add_int(d_state->sam_ctx, mem_ctx, msg, - "primaryGroupID", DOMAIN_RID_DOMAIN_MEMBERS); - - } else if (r->in.acct_flags == ACB_SVRTRUST) { - if (cn_name[cn_name_len - 1] != '$') { - ldb_transaction_cancel(d_state->sam_ctx); - return NT_STATUS_FOOBAR; - } - cn_name[cn_name_len - 1] = '\0'; - container = "OU=Domain Controllers"; - obj_class = "computer"; - samdb_msg_add_int(d_state->sam_ctx, mem_ctx, msg, - "primaryGroupID", DOMAIN_RID_DCS); - } else { - ldb_transaction_cancel(d_state->sam_ctx); - return NT_STATUS_INVALID_PARAMETER; - } - - /* add core elements to the ldb_message for the user */ - msg->dn = ldb_dn_copy(msg, d_state->domain_dn); - if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s,%s", cn_name, container)) { - ldb_transaction_cancel(d_state->sam_ctx); - return NT_STATUS_FOOBAR; - } - - samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "sAMAccountName", - account_name); - samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "objectClass", - obj_class); - - /* create the user */ - ret = ldb_add(d_state->sam_ctx, msg); - switch (ret) { - case LDB_SUCCESS: - break; - case LDB_ERR_ENTRY_ALREADY_EXISTS: - ldb_transaction_cancel(d_state->sam_ctx); - DEBUG(0,("Failed to create user record %s: %s\n", - ldb_dn_get_linearized(msg->dn), - ldb_errstring(d_state->sam_ctx))); - return NT_STATUS_USER_EXISTS; - case LDB_ERR_UNWILLING_TO_PERFORM: - case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS: - ldb_transaction_cancel(d_state->sam_ctx); - DEBUG(0,("Failed to create user record %s: %s\n", - ldb_dn_get_linearized(msg->dn), - ldb_errstring(d_state->sam_ctx))); - return NT_STATUS_ACCESS_DENIED; - default: - ldb_transaction_cancel(d_state->sam_ctx); - DEBUG(0,("Failed to create user record %s: %s\n", - ldb_dn_get_linearized(msg->dn), - ldb_errstring(d_state->sam_ctx))); - return NT_STATUS_INTERNAL_DB_CORRUPTION; + status = dsdb_add_user(d_state->sam_ctx, mem_ctx, account_name, r->in.acct_flags, &sid, &dn); + if (!NT_STATUS_IS_OK(status)) { + return status; } - a_state = talloc(mem_ctx, struct samr_account_state); if (!a_state) { ldb_transaction_cancel(d_state->sam_ctx); @@ -1370,71 +1256,7 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL a_state->sam_ctx = d_state->sam_ctx; a_state->access_mask = r->in.access_mask; a_state->domain_state = talloc_reference(a_state, d_state); - a_state->account_dn = talloc_steal(a_state, msg->dn); - - /* retrieve the sid and account control bits for the user just created */ - ret = gendb_search_dn(d_state->sam_ctx, mem_ctx, - msg->dn, &msgs, attrs); - - if (ret != 1) { - ldb_transaction_cancel(d_state->sam_ctx); - DEBUG(0,("Apparently we failed to create an account record, as %s now doesn't exist\n", - ldb_dn_get_linearized(msg->dn))); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - sid = samdb_result_dom_sid(mem_ctx, msgs[0], "objectSid"); - if (sid == NULL) { - ldb_transaction_cancel(d_state->sam_ctx); - DEBUG(0,("Apparently we failed to get the objectSid of the just created account record %s\n", - ldb_dn_get_linearized(msg->dn))); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - /* Change the account control to be the correct account type. - * The default is for a workstation account */ - user_account_control = samdb_result_uint(msgs[0], "userAccountControl", 0); - user_account_control = (user_account_control & - ~(UF_NORMAL_ACCOUNT | - UF_INTERDOMAIN_TRUST_ACCOUNT | - UF_WORKSTATION_TRUST_ACCOUNT | - UF_SERVER_TRUST_ACCOUNT)); - user_account_control |= ds_acb2uf(r->in.acct_flags); - - talloc_free(msg); - msg = ldb_msg_new(mem_ctx); - if (msg == NULL) { - ldb_transaction_cancel(d_state->sam_ctx); - return NT_STATUS_NO_MEMORY; - } - - msg->dn = ldb_dn_copy(msg, a_state->account_dn); - - if (samdb_msg_add_uint(a_state->sam_ctx, mem_ctx, msg, - "userAccountControl", - user_account_control) != 0) { - ldb_transaction_cancel(d_state->sam_ctx); - return NT_STATUS_NO_MEMORY; - } - - /* modify the samdb record */ - ret = dsdb_replace(a_state->sam_ctx, msg, 0); - if (ret != LDB_SUCCESS) { - DEBUG(0,("Failed to modify account record %s to set userAccountControl: %s\n", - ldb_dn_get_linearized(msg->dn), - ldb_errstring(d_state->sam_ctx))); - ldb_transaction_cancel(d_state->sam_ctx); - - /* we really need samdb.c to return NTSTATUS */ - return NT_STATUS_UNSUCCESSFUL; - } - - ret = ldb_transaction_commit(d_state->sam_ctx); - if (ret != LDB_SUCCESS) { - DEBUG(0,("Failed to commit transaction to add and modify account record %s: %s\n", - ldb_dn_get_linearized(msg->dn), - ldb_errstring(d_state->sam_ctx))); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } + a_state->account_dn = talloc_steal(a_state, dn); a_state->account_name = talloc_steal(a_state, account_name); if (!a_state->account_name) { |