diff options
45 files changed, 1452 insertions, 555 deletions
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-Group-Mapping.xml b/docs-xml/Samba3-HOWTO/TOSHARG-Group-Mapping.xml index 337ae3d794..e2a0abcfd8 100644 --- a/docs-xml/Samba3-HOWTO/TOSHARG-Group-Mapping.xml +++ b/docs-xml/Samba3-HOWTO/TOSHARG-Group-Mapping.xml @@ -810,7 +810,7 @@ net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d Versions of Samba-3 prior to 3.0.23 automatically create default group mapping for the <literal>Domain Admins, Domain Users</literal> and <literal>Domain Guests</literal> Windows groups, but do not map them to UNIX GIDs. This was a cause of administrative confusion and - trouble. Commencing with Samba-3.0.23 this annomaly has been fixed - thus all Windows groups + trouble. Commencing with Samba-3.0.23 this anomaly has been fixed - thus all Windows groups must now be manually and explicitly created and mapped to a valid UNIX GID by the Samba administrator. </para></note> diff --git a/examples/LDAP/samba.schema.at.IBM-DS b/examples/LDAP/samba.schema.at.IBM-DS index 4f4c0567a9..3730a92115 100644 --- a/examples/LDAP/samba.schema.at.IBM-DS +++ b/examples/LDAP/samba.schema.at.IBM-DS @@ -73,10 +73,6 @@ IBMAttributetypes=( 1.3.6.1.4.1.7165.2.1.54 DBNAME( 'sambaPasswordHistory' 'sam attributetypes=( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE ) -attributetypes=( 1.3.6.1.4.1.7165.2.1.56 NAME 'sambaAccountPolicyName' DESC 'Account Policy Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) - -attributetypes=( 1.3.6.1.4.1.7165.2.1.57 NAME 'sambaAccountPolicyValue' DESC 'Account Policy Value' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) - attributetypes=( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes=( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) diff --git a/examples/LDAP/samba.schema.oc.IBM-DS b/examples/LDAP/samba.schema.oc.IBM-DS index de3cfb6f71..736d586d92 100644 --- a/examples/LDAP/samba.schema.oc.IBM-DS +++ b/examples/LDAP/samba.schema.oc.IBM-DS @@ -19,5 +19,3 @@ objectclasses=( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL DES objectclasses=( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL DESC 'Samba Configuration Option' MUST ( sambaOptionName ) MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoption $ description ) ) objectclasses=( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL DESC 'Samba Trust Password' MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet )) - -objectclasses=( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaAccountPolicy' SUP top STRUCTURAL DESC 'Samba Account Policy' MUST ( sambaAccountPolicyName $ sambaAccountPolicyValue ) MAY ( description ) ) diff --git a/lib/replace/crypt.m4 b/lib/replace/crypt.m4 index 684c3519f2..fae2a58685 100644 --- a/lib/replace/crypt.m4 +++ b/lib/replace/crypt.m4 @@ -3,4 +3,4 @@ AC_CHECK_HEADERS(crypt.h) AC_SEARCH_LIBS_EXT(crypt, [crypt], CRYPT_LIBS, [ AC_DEFINE(HAVE_CRYPT,1,[Whether the system has the crypt() function]) ], - [ LIBREPLACEOBJ="${LIBREPLACEOBJ} crypt.o" ]) + [ LIBREPLACEOBJ="${LIBREPLACEOBJ} $libreplacedir/crypt.o" ]) diff --git a/lib/replace/dlfcn.m4 b/lib/replace/dlfcn.m4 index 42f56f26be..722e0246b7 100644 --- a/lib/replace/dlfcn.m4 +++ b/lib/replace/dlfcn.m4 @@ -23,7 +23,7 @@ AC_VERIFY_C_PROTOTYPE([void *dlopen(const char* filename, unsigned int flags)], ]) if test x"${libreplace_cv_dlfcn}" = x"yes";then - LIBREPLACEOBJ="${LIBREPLACEOBJ} dlfcn.o" + LIBREPLACEOBJ="${LIBREPLACEOBJ} $libreplacedir/dlfcn.o" fi LIBDL="$LIBS" diff --git a/lib/replace/libreplace.m4 b/lib/replace/libreplace.m4 index 7815901032..af8587938d 100644 --- a/lib/replace/libreplace.m4 +++ b/lib/replace/libreplace.m4 @@ -16,7 +16,7 @@ done if test x"$libreplacedir" = "x"; then AC_MSG_ERROR([cannot find libreplace in $libreplacepaths]) fi -LIBREPLACEOBJ="replace.o" +LIBREPLACEOBJ="$libreplacedir/replace.o" AC_SUBST(LIBREPLACEOBJ) AC_CANONICAL_BUILD diff --git a/lib/replace/libreplace_network.m4 b/lib/replace/libreplace_network.m4 index 2af02312ab..b7d15eaddb 100644 --- a/lib/replace/libreplace_network.m4 +++ b/lib/replace/libreplace_network.m4 @@ -173,7 +173,7 @@ LIBS="${LIBREPLACE_NETWORK_LIBS}" libreplace_SAVE_CPPFLAGS="$CPPFLAGS" CPPFLAGS="$CPPFLAGS -I$libreplacedir" -AC_CHECK_FUNCS(socketpair,[],[LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} socketpair.o"]) +AC_CHECK_FUNCS(socketpair,[],[LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} $libreplacedir/socketpair.o"]) AC_CACHE_CHECK([for broken inet_ntoa],libreplace_cv_REPLACE_INET_NTOA,[ AC_TRY_RUN([ @@ -193,14 +193,14 @@ exit(1);}], AC_CHECK_FUNCS(inet_ntoa,[],[libreplace_cv_REPLACE_INET_NTOA=yes]) if test x"$libreplace_cv_REPLACE_INET_NTOA" = x"yes"; then AC_DEFINE(REPLACE_INET_NTOA,1,[Whether inet_ntoa should be replaced]) - LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} inet_ntoa.o" + LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} $libreplacedir/inet_ntoa.o" fi -AC_CHECK_FUNCS(inet_aton,[],[LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} inet_aton.o"]) +AC_CHECK_FUNCS(inet_aton,[],[LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} $libreplacedir/inet_aton.o"]) -AC_CHECK_FUNCS(inet_ntop,[],[LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} inet_ntop.o"]) +AC_CHECK_FUNCS(inet_ntop,[],[LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} $libreplacedir/inet_ntop.o"]) -AC_CHECK_FUNCS(inet_pton,[],[LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} inet_pton.o"]) +AC_CHECK_FUNCS(inet_pton,[],[LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} $libreplacedir/inet_pton.o"]) dnl test for getaddrinfo/getnameinfo AC_CACHE_CHECK([for getaddrinfo],libreplace_cv_HAVE_GETADDRINFO,[ @@ -232,7 +232,7 @@ if test x"$libreplace_cv_HAVE_GETADDRINFO" = x"yes"; then AC_DEFINE(HAVE_FREEADDRINFO,1,[Whether the system has freeaddrinfo]) AC_DEFINE(HAVE_GAI_STRERROR,1,[Whether the system has gai_strerror]) else - LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} getaddrinfo.o" + LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} $libreplacedir/getaddrinfo.o" fi AC_CHECK_HEADERS([ifaddrs.h]) @@ -287,7 +287,7 @@ AC_TRY_RUN([ if test x"$libreplace_cv_HAVE_IFACE_GETIFADDRS" = x"yes"; then iface=yes;AC_DEFINE(HAVE_IFACE_GETIFADDRS,1,[Whether iface getifaddrs is available]) else - LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} getifaddrs.o" + LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} $libreplacedir/getifaddrs.o" fi diff --git a/lib/replace/repdir.m4 b/lib/replace/repdir.m4 index fb3f414c95..682ab44c56 100644 --- a/lib/replace/repdir.m4 +++ b/lib/replace/repdir.m4 @@ -45,7 +45,7 @@ fi if test x"$libreplace_cv_READDIR_GETDIRENTRIES" = x"yes"; then AC_DEFINE(REPLACE_READDIR,1,[replace readdir]) AC_DEFINE(REPLACE_READDIR_GETDIRENTRIES,1,[replace readdir using getdirentries()]) - LIBREPLACEOBJ="${LIBREPLACEOBJ} repdir_getdirentries.o" + LIBREPLACEOBJ="${LIBREPLACEOBJ} $libreplacedir/repdir_getdirentries.o" libreplace_cv_READDIR_NEEDED=no fi @@ -68,7 +68,7 @@ fi if test x"$libreplace_cv_READDIR_GETDENTS" = x"yes"; then AC_DEFINE(REPLACE_READDIR,1,[replace readdir]) AC_DEFINE(REPLACE_READDIR_GETDENTS,1,[replace readdir using getdents()]) - LIBREPLACEOBJ="${LIBREPLACEOBJ} repdir_getdents.o" + LIBREPLACEOBJ="${LIBREPLACEOBJ} $libreplacedir/repdir_getdents.o" libreplace_cv_READDIR_NEEDED=no fi diff --git a/lib/replace/strptime.m4 b/lib/replace/strptime.m4 index da22fc5a97..b1a56b4aab 100644 --- a/lib/replace/strptime.m4 +++ b/lib/replace/strptime.m4 @@ -9,5 +9,5 @@ AC_CACHE_CHECK([whether strptime is available and works],libreplace_cv_STRPTIME_ ]) if test x"$libreplace_cv_STRPTIME_OK" != x"yes"; then AC_DEFINE(REPLACE_STRPTIME,1,[Whether strptime should be replaced]) - LIBREPLACEOBJ="${LIBREPLACEOBJ} strptime.o" + LIBREPLACEOBJ="${LIBREPLACEOBJ} $libreplacedir/strptime.o" fi diff --git a/lib/replace/timegm.m4 b/lib/replace/timegm.m4 index 59f3ae0521..9b76d0c727 100644 --- a/lib/replace/timegm.m4 +++ b/lib/replace/timegm.m4 @@ -1 +1 @@ -AC_CHECK_FUNCS(timegm,[],[LIBREPLACEOBJ="${LIBREPLACEOBJ} timegm.o"]) +AC_CHECK_FUNCS(timegm,[],[LIBREPLACEOBJ="${LIBREPLACEOBJ} $libreplacedir/timegm.o"]) diff --git a/librpc/gen_ndr/ndr_schannel.c b/librpc/gen_ndr/ndr_schannel.c index 4bbb56a8b0..e9adcf619b 100644 --- a/librpc/gen_ndr/ndr_schannel.c +++ b/librpc/gen_ndr/ndr_schannel.c @@ -5,278 +5,6 @@ #include "librpc/gen_ndr/ndr_netlogon.h" #include "librpc/gen_ndr/ndr_nbt.h" -static enum ndr_err_code ndr_push_schannel_bind_3(struct ndr_push *ndr, int ndr_flags, const struct schannel_bind_3 *r) -{ - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_push_align(ndr, 4)); - { - uint32_t _flags_save_string = ndr->flags; - ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM); - NDR_CHECK(ndr_push_string(ndr, NDR_SCALARS, r->domain)); - ndr->flags = _flags_save_string; - } - { - uint32_t _flags_save_string = ndr->flags; - ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM); - NDR_CHECK(ndr_push_string(ndr, NDR_SCALARS, r->workstation)); - ndr->flags = _flags_save_string; - } - } - if (ndr_flags & NDR_BUFFERS) { - } - return NDR_ERR_SUCCESS; -} - -static enum ndr_err_code ndr_pull_schannel_bind_3(struct ndr_pull *ndr, int ndr_flags, struct schannel_bind_3 *r) -{ - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_align(ndr, 4)); - { - uint32_t _flags_save_string = ndr->flags; - ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM); - NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->domain)); - ndr->flags = _flags_save_string; - } - { - uint32_t _flags_save_string = ndr->flags; - ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM); - NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->workstation)); - ndr->flags = _flags_save_string; - } - } - if (ndr_flags & NDR_BUFFERS) { - } - return NDR_ERR_SUCCESS; -} - -_PUBLIC_ void ndr_print_schannel_bind_3(struct ndr_print *ndr, const char *name, const struct schannel_bind_3 *r) -{ - ndr_print_struct(ndr, name, "schannel_bind_3"); - ndr->depth++; - ndr_print_string(ndr, "domain", r->domain); - ndr_print_string(ndr, "workstation", r->workstation); - ndr->depth--; -} - -static enum ndr_err_code ndr_push_schannel_bind_23(struct ndr_push *ndr, int ndr_flags, const struct schannel_bind_23 *r) -{ - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_push_align(ndr, 4)); - { - uint32_t _flags_save_string = ndr->flags; - ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM); - NDR_CHECK(ndr_push_string(ndr, NDR_SCALARS, r->domain)); - ndr->flags = _flags_save_string; - } - { - uint32_t _flags_save_string = ndr->flags; - ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM); - NDR_CHECK(ndr_push_string(ndr, NDR_SCALARS, r->workstation)); - ndr->flags = _flags_save_string; - } - NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->dnsdomain)); - NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->dnsworkstation)); - } - if (ndr_flags & NDR_BUFFERS) { - } - return NDR_ERR_SUCCESS; -} - -static enum ndr_err_code ndr_pull_schannel_bind_23(struct ndr_pull *ndr, int ndr_flags, struct schannel_bind_23 *r) -{ - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_align(ndr, 4)); - { - uint32_t _flags_save_string = ndr->flags; - ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM); - NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->domain)); - ndr->flags = _flags_save_string; - } - { - uint32_t _flags_save_string = ndr->flags; - ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM); - NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->workstation)); - ndr->flags = _flags_save_string; - } - NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->dnsdomain)); - NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->dnsworkstation)); - } - if (ndr_flags & NDR_BUFFERS) { - } - return NDR_ERR_SUCCESS; -} - -_PUBLIC_ void ndr_print_schannel_bind_23(struct ndr_print *ndr, const char *name, const struct schannel_bind_23 *r) -{ - ndr_print_struct(ndr, name, "schannel_bind_23"); - ndr->depth++; - ndr_print_string(ndr, "domain", r->domain); - ndr_print_string(ndr, "workstation", r->workstation); - ndr_print_nbt_string(ndr, "dnsdomain", r->dnsdomain); - ndr_print_nbt_string(ndr, "dnsworkstation", r->dnsworkstation); - ndr->depth--; -} - -static enum ndr_err_code ndr_push_schannel_bind_info(struct ndr_push *ndr, int ndr_flags, const union schannel_bind_info *r) -{ - if (ndr_flags & NDR_SCALARS) { - int level = ndr_push_get_switch_value(ndr, r); - switch (level) { - case 3: { - NDR_CHECK(ndr_push_schannel_bind_3(ndr, NDR_SCALARS, &r->info3)); - break; } - - case 23: { - NDR_CHECK(ndr_push_schannel_bind_23(ndr, NDR_SCALARS, &r->info23)); - break; } - - default: - return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__); - } - } - if (ndr_flags & NDR_BUFFERS) { - int level = ndr_push_get_switch_value(ndr, r); - switch (level) { - case 3: - break; - - case 23: - break; - - default: - return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__); - } - } - return NDR_ERR_SUCCESS; -} - -static enum ndr_err_code ndr_pull_schannel_bind_info(struct ndr_pull *ndr, int ndr_flags, union schannel_bind_info *r) -{ - int level; - level = ndr_pull_get_switch_value(ndr, r); - if (ndr_flags & NDR_SCALARS) { - switch (level) { - case 3: { - NDR_CHECK(ndr_pull_schannel_bind_3(ndr, NDR_SCALARS, &r->info3)); - break; } - - case 23: { - NDR_CHECK(ndr_pull_schannel_bind_23(ndr, NDR_SCALARS, &r->info23)); - break; } - - default: - return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__); - } - } - if (ndr_flags & NDR_BUFFERS) { - switch (level) { - case 3: - break; - - case 23: - break; - - default: - return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__); - } - } - return NDR_ERR_SUCCESS; -} - -_PUBLIC_ void ndr_print_schannel_bind_info(struct ndr_print *ndr, const char *name, const union schannel_bind_info *r) -{ - int level; - level = ndr_print_get_switch_value(ndr, r); - ndr_print_union(ndr, name, level, "schannel_bind_info"); - switch (level) { - case 3: - ndr_print_schannel_bind_3(ndr, "info3", &r->info3); - break; - - case 23: - ndr_print_schannel_bind_23(ndr, "info23", &r->info23); - break; - - default: - ndr_print_bad_level(ndr, name, level); - } -} - -_PUBLIC_ enum ndr_err_code ndr_push_schannel_bind(struct ndr_push *ndr, int ndr_flags, const struct schannel_bind *r) -{ - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_push_align(ndr, 4)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->unknown1)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->bind_type)); - NDR_CHECK(ndr_push_set_switch_value(ndr, &r->u, r->bind_type)); - NDR_CHECK(ndr_push_schannel_bind_info(ndr, NDR_SCALARS, &r->u)); - } - if (ndr_flags & NDR_BUFFERS) { - } - return NDR_ERR_SUCCESS; -} - -_PUBLIC_ enum ndr_err_code ndr_pull_schannel_bind(struct ndr_pull *ndr, int ndr_flags, struct schannel_bind *r) -{ - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_align(ndr, 4)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown1)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->bind_type)); - NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->u, r->bind_type)); - NDR_CHECK(ndr_pull_schannel_bind_info(ndr, NDR_SCALARS, &r->u)); - } - if (ndr_flags & NDR_BUFFERS) { - } - return NDR_ERR_SUCCESS; -} - -_PUBLIC_ void ndr_print_schannel_bind(struct ndr_print *ndr, const char *name, const struct schannel_bind *r) -{ - ndr_print_struct(ndr, name, "schannel_bind"); - ndr->depth++; - ndr_print_uint32(ndr, "unknown1", r->unknown1); - ndr_print_uint32(ndr, "bind_type", r->bind_type); - ndr_print_set_switch_value(ndr, &r->u, r->bind_type); - ndr_print_schannel_bind_info(ndr, "u", &r->u); - ndr->depth--; -} - -_PUBLIC_ enum ndr_err_code ndr_push_schannel_bind_ack(struct ndr_push *ndr, int ndr_flags, const struct schannel_bind_ack *r) -{ - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_push_align(ndr, 4)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->unknown1)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->unknown2)); - NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->unknown3)); - } - if (ndr_flags & NDR_BUFFERS) { - } - return NDR_ERR_SUCCESS; -} - -_PUBLIC_ enum ndr_err_code ndr_pull_schannel_bind_ack(struct ndr_pull *ndr, int ndr_flags, struct schannel_bind_ack *r) -{ - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_align(ndr, 4)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown1)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown2)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->unknown3)); - } - if (ndr_flags & NDR_BUFFERS) { - } - return NDR_ERR_SUCCESS; -} - -_PUBLIC_ void ndr_print_schannel_bind_ack(struct ndr_print *ndr, const char *name, const struct schannel_bind_ack *r) -{ - ndr_print_struct(ndr, name, "schannel_bind_ack"); - ndr->depth++; - ndr_print_uint32(ndr, "unknown1", r->unknown1); - ndr_print_uint32(ndr, "unknown2", r->unknown2); - ndr_print_uint32(ndr, "unknown3", r->unknown3); - ndr->depth--; -} - _PUBLIC_ enum ndr_err_code ndr_push_netlogon_creds_CredentialState(struct ndr_push *ndr, int ndr_flags, const struct netlogon_creds_CredentialState *r) { { diff --git a/librpc/gen_ndr/ndr_schannel.h b/librpc/gen_ndr/ndr_schannel.h index ed4093366a..63ee1e4cc9 100644 --- a/librpc/gen_ndr/ndr_schannel.h +++ b/librpc/gen_ndr/ndr_schannel.h @@ -8,15 +8,6 @@ #include "../librpc/ndr/ndr_schannel.h" #define NDR_SCHANNEL_CALL_COUNT (0) -void ndr_print_schannel_bind_3(struct ndr_print *ndr, const char *name, const struct schannel_bind_3 *r); -void ndr_print_schannel_bind_23(struct ndr_print *ndr, const char *name, const struct schannel_bind_23 *r); -void ndr_print_schannel_bind_info(struct ndr_print *ndr, const char *name, const union schannel_bind_info *r); -enum ndr_err_code ndr_push_schannel_bind(struct ndr_push *ndr, int ndr_flags, const struct schannel_bind *r); -enum ndr_err_code ndr_pull_schannel_bind(struct ndr_pull *ndr, int ndr_flags, struct schannel_bind *r); -void ndr_print_schannel_bind(struct ndr_print *ndr, const char *name, const struct schannel_bind *r); -enum ndr_err_code ndr_push_schannel_bind_ack(struct ndr_push *ndr, int ndr_flags, const struct schannel_bind_ack *r); -enum ndr_err_code ndr_pull_schannel_bind_ack(struct ndr_pull *ndr, int ndr_flags, struct schannel_bind_ack *r); -void ndr_print_schannel_bind_ack(struct ndr_print *ndr, const char *name, const struct schannel_bind_ack *r); enum ndr_err_code ndr_push_netlogon_creds_CredentialState(struct ndr_push *ndr, int ndr_flags, const struct netlogon_creds_CredentialState *r); enum ndr_err_code ndr_pull_netlogon_creds_CredentialState(struct ndr_pull *ndr, int ndr_flags, struct netlogon_creds_CredentialState *r); void ndr_print_netlogon_creds_CredentialState(struct ndr_print *ndr, const char *name, const struct netlogon_creds_CredentialState *r); diff --git a/librpc/gen_ndr/schannel.h b/librpc/gen_ndr/schannel.h index 6a85af2f46..c07212fea6 100644 --- a/librpc/gen_ndr/schannel.h +++ b/librpc/gen_ndr/schannel.h @@ -9,35 +9,6 @@ #ifndef _HEADER_schannel #define _HEADER_schannel -struct schannel_bind_3 { - const char * domain;/* [flag(LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM)] */ - const char * workstation;/* [flag(LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM)] */ -}; - -struct schannel_bind_23 { - const char * domain;/* [flag(LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM)] */ - const char * workstation;/* [flag(LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM)] */ - const char * dnsdomain; - const char * dnsworkstation; -}; - -union schannel_bind_info { - struct schannel_bind_3 info3;/* [case(3)] */ - struct schannel_bind_23 info23;/* [case(23)] */ -}/* [nodiscriminant] */; - -struct schannel_bind { - uint32_t unknown1; - uint32_t bind_type; - union schannel_bind_info u;/* [switch_is(bind_type)] */ -}/* [public] */; - -struct schannel_bind_ack { - uint32_t unknown1; - uint32_t unknown2; - uint32_t unknown3; -}/* [public] */; - struct netlogon_creds_CredentialState { uint32_t negotiate_flags; uint8_t session_key[16]; diff --git a/librpc/idl/schannel.idl b/librpc/idl/schannel.idl index d9b230d70b..a30e2928e0 100644 --- a/librpc/idl/schannel.idl +++ b/librpc/idl/schannel.idl @@ -12,40 +12,6 @@ import "netlogon.idl", "nbt.idl"; ] interface schannel { - /* - a schannel bind blob - used in dcerpc auth_info - on a schannel - */ - typedef struct { - astring domain; - astring workstation; - } schannel_bind_3; - - typedef struct { - astring domain; - astring workstation; - nbt_string dnsdomain; - nbt_string dnsworkstation; - } schannel_bind_23; - - typedef [nodiscriminant] union { - [case (3)] schannel_bind_3 info3; - [case (23)] schannel_bind_23 info23; - } schannel_bind_info; - - typedef [public] struct { - uint32 unknown1; /* seems to need to be 0 */ - uint32 bind_type; - [switch_is(bind_type)] schannel_bind_info u; - } schannel_bind; - - /* a bind_ack blob */ - typedef [public] struct { - uint32 unknown1; /* 1 */ - uint32 unknown2; /* 0 */ - uint32 unknown3; /* 0x006c0000 */ - } schannel_bind_ack; - /* this structure is used internally in the NETLOGON server */ typedef [public,flag(NDR_PAHEX)] struct { diff --git a/pidl/tests/Util.pm b/pidl/tests/Util.pm index cfc5cf3a99..ff876ec039 100644 --- a/pidl/tests/Util.pm +++ b/pidl/tests/Util.pm @@ -77,7 +77,6 @@ SKIP: { my $main = " #define uint_t unsigned int -#define _GNU_SOURCE #include <stdint.h> #include <stdlib.h> #include <stdio.h> diff --git a/pidl/tests/ndr_string.pl b/pidl/tests/ndr_string.pl index faecbbf4c5..7b76c7b295 100755 --- a/pidl/tests/ndr_string.pl +++ b/pidl/tests/ndr_string.pl @@ -70,7 +70,7 @@ test_samba4_ndr("string-wchar-fixed-array-01", 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, \'f\', 0x00, \'o\', 0x00, - \'o\', 0x00, 0x00, 0x00 + \'o\', 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00 }; DATA_BLOB b = { data, sizeof(data) }; @@ -86,16 +86,16 @@ test_samba4_ndr("string-wchar-fixed-array-01", if (r.in.str == NULL) return 2; - if (r.in.str.l1 == 0x00000001) + if (r.in.str->l1 != 0x00000001) return 3; if (strncmp(str.str, "foo", 3) != 0) return 4; - if (r.in.str.str[4] != 0) + if (r.in.str->str[4] != 0) return 5; - if (r.in.str.l3 == 0x00000002) + if (r.in.str->l2 != 0x00000002) return 6; '); @@ -114,9 +114,9 @@ test_samba4_ndr("string-wchar-fixed-array-02", 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, \'f\', 0x00, \'o\', 0x00, - \'o\', 0x00, \'b\', 0x00 + \'o\', 0x00, \'b\', 0x00, \'a\', 0x00, \'r\', 0x00, - 0x00, 0x00, 0x00, 0x00 + 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00 }; DATA_BLOB b = { data, sizeof(data) }; @@ -146,9 +146,9 @@ test_samba4_ndr("string-wchar-fixed-array-03", 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, \'f\', 0x00, \'o\', 0x00, - \'o\', 0x00, \'b\', 0x00 + \'o\', 0x00, \'b\', 0x00, \'a\', 0x00, \'r\', 0x00, - 0x00, 0x00, 0x00, 0x00 + 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00 }; DATA_BLOB b = { data, sizeof(data) }; diff --git a/source3/include/proto.h b/source3/include/proto.h index abc76e8e02..5da13ca0d7 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -5203,6 +5203,14 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, char ***pdomains, char ***pnames, enum lsa_SidType **ptypes); +NTSTATUS rpccli_lsa_lookup_sids3(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const DOM_SID *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes); NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, struct policy_handle *pol, int num_names, @@ -5211,6 +5219,15 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, int level, DOM_SID **sids, enum lsa_SidType **types); +NTSTATUS rpccli_lsa_lookup_names4(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, int num_names, + const char **names, + const char ***dom_names, + int level, + DOM_SID **sids, + enum lsa_SidType **types); + bool fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid); /* The following definitions come from rpc_client/cli_netlogon.c */ diff --git a/source3/libsmb/clireadwrite.c b/source3/libsmb/clireadwrite.c index 27f9e4fd98..b6901961d0 100644 --- a/source3/libsmb/clireadwrite.c +++ b/source3/libsmb/clireadwrite.c @@ -230,6 +230,120 @@ NTSTATUS cli_read_andx_recv(struct tevent_req *req, ssize_t *received, return NT_STATUS_OK; } +struct cli_readall_state { + struct tevent_context *ev; + struct cli_state *cli; + uint16_t fnum; + off_t start_offset; + size_t size; + size_t received; + uint8_t *buf; +}; + +static void cli_readall_done(struct tevent_req *subreq); + +static struct tevent_req *cli_readall_send(TALLOC_CTX *mem_ctx, + struct event_context *ev, + struct cli_state *cli, + uint16_t fnum, + off_t offset, size_t size) +{ + struct tevent_req *req, *subreq; + struct cli_readall_state *state; + + req = tevent_req_create(mem_ctx, &state, struct cli_readall_state); + if (req == NULL) { + return NULL; + } + state->ev = ev; + state->cli = cli; + state->fnum = fnum; + state->start_offset = offset; + state->size = size; + state->received = 0; + state->buf = NULL; + + subreq = cli_read_andx_send(state, ev, cli, fnum, offset, size); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, cli_readall_done, req); + return req; +} + +static void cli_readall_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct cli_readall_state *state = tevent_req_data( + req, struct cli_readall_state); + ssize_t received; + uint8_t *buf; + NTSTATUS status; + + status = cli_read_andx_recv(subreq, &received, &buf); + if (!NT_STATUS_IS_OK(status)) { + tevent_req_nterror(req, status); + return; + } + + if ((state->received == 0) && (received == state->size)) { + /* Ideal case: Got it all in one run */ + state->buf = buf; + state->received += received; + tevent_req_done(req); + return; + } + + /* + * We got a short read, issue a read for the + * rest. Unfortunately we have to allocate the buffer + * ourselves now, as our caller expects to receive a single + * buffer. cli_read_andx does it from the buffer received from + * the net, but with a short read we have to put it together + * from several reads. + */ + + if (state->buf == NULL) { + state->buf = talloc_array(state, uint8_t, state->size); + if (tevent_req_nomem(state->buf, req)) { + return; + } + } + memcpy(state->buf + state->received, buf, received); + state->received += received; + + TALLOC_FREE(subreq); + + if (state->received >= state->size) { + tevent_req_done(req); + return; + } + + subreq = cli_read_andx_send(state, state->ev, state->cli, state->fnum, + state->start_offset + state->received, + state->size - state->received); + if (tevent_req_nomem(subreq, req)) { + return; + } + tevent_req_set_callback(subreq, cli_readall_done, req); +} + +static NTSTATUS cli_readall_recv(struct tevent_req *req, ssize_t *received, + uint8_t **rcvbuf) +{ + struct cli_readall_state *state = tevent_req_data( + req, struct cli_readall_state); + NTSTATUS status; + + if (tevent_req_is_nterror(req, &status)) { + return status; + } + *received = state->received; + *rcvbuf = state->buf; + return NT_STATUS_OK; +} + struct cli_pull_subreq { struct tevent_req *req; ssize_t received; @@ -368,7 +482,7 @@ struct tevent_req *cli_pull_send(TALLOC_CTX *mem_ctx, size_left = size - state->requested; request_thistime = MIN(size_left, state->chunk_size); - subreq->req = cli_read_andx_send( + subreq->req = cli_readall_send( state->reqs, ev, cli, fnum, state->start_offset + state->requested, request_thistime); @@ -413,8 +527,8 @@ static void cli_pull_read_done(struct tevent_req *subreq) return; } - status = cli_read_andx_recv(subreq, &pull_subreq->received, - &pull_subreq->buf); + status = cli_readall_recv(subreq, &pull_subreq->received, + &pull_subreq->buf); if (!NT_STATUS_IS_OK(status)) { tevent_req_nterror(state->req, status); return; @@ -472,7 +586,7 @@ static void cli_pull_read_done(struct tevent_req *subreq) + state->requested), state->top_req)); - new_req = cli_read_andx_send( + new_req = cli_readall_send( state->reqs, state->ev, state->cli, state->fnum, state->start_offset + state->requested, diff --git a/source3/libsmb/nterr.c b/source3/libsmb/nterr.c index e8d6621d1b..197d5bd730 100644 --- a/source3/libsmb/nterr.c +++ b/source3/libsmb/nterr.c @@ -543,6 +543,7 @@ static const nt_err_code_struct nt_errs[] = { "NT_STATUS_RPC_NT_CALL_FAILED", NT_STATUS_RPC_NT_CALL_FAILED }, { "NT_STATUS_RPC_NT_PROTOCOL_ERROR", NT_STATUS_RPC_NT_PROTOCOL_ERROR }, { "NT_STATUS_RPC_NT_PROCNUM_OUT_OF_RANGE", NT_STATUS_RPC_NT_PROCNUM_OUT_OF_RANGE }, + { "NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED", NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED }, { NULL, NT_STATUS(0) } }; diff --git a/source3/modules/vfs_aio_fork.c b/source3/modules/vfs_aio_fork.c index 4468fe097f..c725fa6b90 100644 --- a/source3/modules/vfs_aio_fork.c +++ b/source3/modules/vfs_aio_fork.c @@ -343,6 +343,9 @@ static void aio_child_loop(int sockfd, struct mmap_area *map) ret_struct.size = sys_pread( fd, (void *)map->ptr, cmd_struct.n, cmd_struct.offset); +#ifdef ENABLE_BUILD_FARM_HACKS + ret_struct.size = MAX(1, ret_struct.size * 0.9); +#endif } else { ret_struct.size = sys_pwrite( diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c index 68fd96faa8..aa883d3cf1 100644 --- a/source3/rpc_client/cli_lsarpc.c +++ b/source3/rpc_client/cli_lsarpc.c @@ -114,7 +114,8 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli, const DOM_SID *sids, char **domains, char **names, - enum lsa_SidType *types) + enum lsa_SidType *types, + bool use_lookupsids3) { NTSTATUS result = NT_STATUS_OK; TALLOC_CTX *tmp_ctx = NULL; @@ -147,13 +148,41 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli, } } - result = rpccli_lsa_LookupSids(cli, mem_ctx, - pol, - &sid_array, - &ref_domains, - &lsa_names, - level, - &count); + if (use_lookupsids3) { + struct lsa_TransNameArray2 lsa_names2; + uint32_t n; + + result = rpccli_lsa_LookupSids3(cli, mem_ctx, + &sid_array, + &ref_domains, + &lsa_names2, + level, + &count, + 0, + 0); + + if (!NT_STATUS_IS_ERR(result)) { + lsa_names.count = lsa_names2.count; + lsa_names.names = talloc_array(mem_ctx, struct lsa_TranslatedName, lsa_names.count); + if (!lsa_names.names) { + return NT_STATUS_NO_MEMORY; + } + for (n=0; n < lsa_names.count; n++) { + lsa_names.names[n].sid_type = lsa_names2.names[n].sid_type; + lsa_names.names[n].name = lsa_names2.names[n].name; + lsa_names.names[n].sid_index = lsa_names2.names[n].sid_index; + } + } + + } else { + result = rpccli_lsa_LookupSids(cli, mem_ctx, + pol, + &sid_array, + &ref_domains, + &lsa_names, + level, + &count); + } DEBUG(10, ("LSA_LOOKUPSIDS returned '%s', mapped count = %d'\n", nt_errstr(result), count)); @@ -233,14 +262,15 @@ done: * at 20480 for win2k3, but we keep it at a save 1000 for now. */ #define LOOKUP_SIDS_HUNK_SIZE 1000 -NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, - int num_sids, - const DOM_SID *sids, - char ***pdomains, - char ***pnames, - enum lsa_SidType **ptypes) +static NTSTATUS rpccli_lsa_lookup_sids_generic(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const DOM_SID *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes, + bool use_lookupsids3) { NTSTATUS result = NT_STATUS_OK; int sids_left = 0; @@ -299,7 +329,8 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, hunk_sids, hunk_domains, hunk_names, - hunk_types); + hunk_types, + use_lookupsids3); if (!NT_STATUS_IS_OK(hunk_result) && !NT_STATUS_EQUAL(hunk_result, STATUS_SOME_UNMAPPED) && @@ -340,25 +371,54 @@ fail: return result; } -/** Lookup a list of names */ +NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const DOM_SID *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes) +{ + return rpccli_lsa_lookup_sids_generic(cli, mem_ctx, pol, num_sids, sids, + pdomains, pnames, ptypes, false); +} -NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, +NTSTATUS rpccli_lsa_lookup_sids3(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, - struct policy_handle *pol, int num_names, - const char **names, - const char ***dom_names, - int level, - DOM_SID **sids, - enum lsa_SidType **types) + struct policy_handle *pol, + int num_sids, + const DOM_SID *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes) +{ + return rpccli_lsa_lookup_sids_generic(cli, mem_ctx, pol, num_sids, sids, + pdomains, pnames, ptypes, true); +} + +/** Lookup a list of names */ + +static NTSTATUS rpccli_lsa_lookup_names_generic(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, int num_names, + const char **names, + const char ***dom_names, + int level, + DOM_SID **sids, + enum lsa_SidType **types, + bool use_lookupnames4) { NTSTATUS result; int i; struct lsa_String *lsa_names = NULL; struct lsa_RefDomainList *domains = NULL; struct lsa_TransSidArray sid_array; + struct lsa_TransSidArray3 sid_array3; uint32_t count = 0; ZERO_STRUCT(sid_array); + ZERO_STRUCT(sid_array3); lsa_names = TALLOC_ARRAY(mem_ctx, struct lsa_String, num_names); if (!lsa_names) { @@ -369,14 +429,26 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, init_lsa_String(&lsa_names[i], names[i]); } - result = rpccli_lsa_LookupNames(cli, mem_ctx, - pol, - num_names, - lsa_names, - &domains, - &sid_array, - level, - &count); + if (use_lookupnames4) { + result = rpccli_lsa_LookupNames4(cli, mem_ctx, + num_names, + lsa_names, + &domains, + &sid_array3, + level, + &count, + 0, + 0); + } else { + result = rpccli_lsa_LookupNames(cli, mem_ctx, + pol, + num_names, + lsa_names, + &domains, + &sid_array, + level, + &count); + } if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) != NT_STATUS_V(STATUS_SOME_UNMAPPED)) { @@ -423,10 +495,17 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, } for (i = 0; i < num_names; i++) { - uint32_t dom_idx = sid_array.sids[i].sid_index; - uint32_t dom_rid = sid_array.sids[i].rid; + uint32_t dom_idx; DOM_SID *sid = &(*sids)[i]; + if (use_lookupnames4) { + dom_idx = sid_array3.sids[i].sid_index; + (*types)[i] = sid_array3.sids[i].sid_type; + } else { + dom_idx = sid_array.sids[i].sid_index; + (*types)[i] = sid_array.sids[i].sid_type; + } + /* Translate optimised sid through domain index array */ if (dom_idx == 0xffffffff) { @@ -436,14 +515,16 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, continue; } - sid_copy(sid, domains->domains[dom_idx].sid); + if (use_lookupnames4) { + sid_copy(sid, sid_array3.sids[i].sid); + } else { + sid_copy(sid, domains->domains[dom_idx].sid); - if (dom_rid != 0xffffffff) { - sid_append_rid(sid, dom_rid); + if (sid_array.sids[i].rid != 0xffffffff) { + sid_append_rid(sid, sid_array.sids[i].rid); + } } - (*types)[i] = sid_array.sids[i].sid_type; - if (dom_names == NULL) { continue; } @@ -455,3 +536,31 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, return result; } + +NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, int num_names, + const char **names, + const char ***dom_names, + int level, + DOM_SID **sids, + enum lsa_SidType **types) +{ + return rpccli_lsa_lookup_names_generic(cli, mem_ctx, pol, num_names, + names, dom_names, level, sids, + types, false); +} + +NTSTATUS rpccli_lsa_lookup_names4(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, int num_names, + const char **names, + const char ***dom_names, + int level, + DOM_SID **sids, + enum lsa_SidType **types) +{ + return rpccli_lsa_lookup_names_generic(cli, mem_ctx, pol, num_names, + names, dom_names, level, sids, + types, true); +} diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c index d428c3aa9e..c5c0c02090 100644 --- a/source3/rpc_parse/parse_prs.c +++ b/source3/rpc_parse/parse_prs.c @@ -1087,7 +1087,7 @@ static void schannel_digest(struct schannel_auth_struct *a, SSVAL(sig,0,verf->SignatureAlgorithm); SSVAL(sig,2,verf->SealAlgorithm); SSVAL(sig,4,verf->Pad); - SSVAL(sig,8,verf->Flags); + SSVAL(sig,6,verf->Flags); /* verfiy the signature on the packet by MD5 over various bits */ MD5Init(&ctx3); diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index f21c80e327..07a0b971a0 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -1150,7 +1150,7 @@ NTSTATUS _netr_LogonSamLogonEx(pipes_struct *p, struct netr_LogonSamLogonEx *r) { NTSTATUS status; - struct netlogon_creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds = NULL; become_root(); status = schannel_fetch_session_key(p->mem_ctx, r->in.computer_name, &creds); diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 7be0a0d2d2..ce7df63972 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -2199,11 +2199,13 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss return False; } - blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), data_len); + blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len); ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &schannel_chk, (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_SIGNATURE); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(0,("failed to pull NL_AUTH_SIGNATURE\n")); + dump_data(2, blob.data, blob.length); return false; } diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2d50280ac8..058bd12f61 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -773,7 +773,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p, struct samr_alias_info *ainfo; NTSTATUS status; SEC_DESC * psd = NULL; - size_t sd_size; + size_t sd_size = 0; cinfo = policy_handle_find(p, r->in.handle, STD_RIGHT_READ_CONTROL_ACCESS, NULL, diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index 8e56f671d7..15d64436e3 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. dcerpc schannel operations @@ -10,12 +10,12 @@ it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -36,24 +36,26 @@ static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t return 32; } -static NTSTATUS schannel_session_key(struct gensec_security *gensec_security, +static NTSTATUS schannel_session_key(struct gensec_security *gensec_security, DATA_BLOB *session_key) { return NT_STATUS_NOT_IMPLEMENTED; } -static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, - const DATA_BLOB in, DATA_BLOB *out) +static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, + const DATA_BLOB in, DATA_BLOB *out) { struct schannel_state *state = (struct schannel_state *)gensec_security->private_data; NTSTATUS status; enum ndr_err_code ndr_err; - struct schannel_bind bind_schannel; - struct schannel_bind_ack bind_schannel_ack; + struct NL_AUTH_MESSAGE bind_schannel; + struct NL_AUTH_MESSAGE bind_schannel_ack; struct netlogon_creds_CredentialState *creds; struct ldb_context *schannel_ldb; const char *workstation; const char *domain; + uint32_t required_flags; + *out = data_blob(NULL, 0); switch (gensec_security->gensec_role) { @@ -65,71 +67,78 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ state->creds = talloc_reference(state, cli_credentials_get_netlogon_creds(gensec_security->credentials)); - bind_schannel.unknown1 = 0; + bind_schannel.MessageType = NL_NEGOTIATE_REQUEST; #if 0 /* to support this we'd need to have access to the full domain name */ - bind_schannel.bind_type = 23; - bind_schannel.u.info23.domain = cli_credentials_get_domain(gensec_security->credentials); - bind_schannel.u.info23.workstation = cli_credentials_get_workstation(gensec_security->credentials); - bind_schannel.u.info23.dnsdomain = cli_credentials_get_realm(gensec_security->credentials); + /* 0x17, 23 */ + bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME | + NL_FLAG_OEM_NETBIOS_COMPUTER_NAME | + NL_FLAG_UTF8_DNS_DOMAIN_NAME | + NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME; + bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials); + bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials); + bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials); /* w2k3 refuses us if we use the full DNS workstation? why? perhaps because we don't fill in the dNSHostName attribute in the machine account? */ - bind_schannel.u.info23.dnsworkstation = cli_credentials_get_workstation(gensec_security->credentials); + bind_schannel.utf8_netbios_computer = cli_credentials_get_workstation(gensec_security->credentials); #else - bind_schannel.bind_type = 3; - bind_schannel.u.info3.domain = cli_credentials_get_domain(gensec_security->credentials); - bind_schannel.u.info3.workstation = cli_credentials_get_workstation(gensec_security->credentials); + bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME | + NL_FLAG_OEM_NETBIOS_COMPUTER_NAME; + bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials); + bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials); #endif - - ndr_err = ndr_push_struct_blob(out, out_mem_ctx, + + ndr_err = ndr_push_struct_blob(out, out_mem_ctx, gensec_security->settings->iconv_convenience, &bind_schannel, - (ndr_push_flags_fn_t)ndr_push_schannel_bind); + (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { status = ndr_map_error2ntstatus(ndr_err); DEBUG(3, ("Could not create schannel bind: %s\n", nt_errstr(status))); return status; } - + state->state = SCHANNEL_STATE_UPDATE_1; return NT_STATUS_MORE_PROCESSING_REQUIRED; case GENSEC_SERVER: - + + required_flags = NL_FLAG_OEM_NETBIOS_COMPUTER_NAME | + NL_FLAG_OEM_NETBIOS_DOMAIN_NAME; + if (state->state != SCHANNEL_STATE_START) { /* no third leg on this protocol */ return NT_STATUS_INVALID_PARAMETER; } - + /* parse the schannel startup blob */ ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, gensec_security->settings->iconv_convenience, - &bind_schannel, - (ndr_pull_flags_fn_t)ndr_pull_schannel_bind); + &bind_schannel, + (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { status = ndr_map_error2ntstatus(ndr_err); DEBUG(3, ("Could not parse incoming schannel bind: %s\n", nt_errstr(status))); return status; } - - if (bind_schannel.bind_type == 23) { - workstation = bind_schannel.u.info23.workstation; - domain = bind_schannel.u.info23.domain; - } else { - workstation = bind_schannel.u.info3.workstation; - domain = bind_schannel.u.info3.domain; + + if (!(required_flags == (bind_schannel.Flags & required_flags))) { + return NT_STATUS_INVALID_PARAMETER; } - + + workstation = bind_schannel.oem_netbios_computer.a; + domain = bind_schannel.oem_netbios_domain.a; + if (strcasecmp_m(domain, lp_workgroup(gensec_security->settings->lp_ctx)) != 0) { DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n", domain, lp_workgroup(gensec_security->settings->lp_ctx))); - + return NT_STATUS_LOGON_FAILURE; } - schannel_ldb = schannel_db_connect(out_mem_ctx, gensec_security->event_ctx, + schannel_ldb = schannel_db_connect(out_mem_ctx, gensec_security->event_ctx, gensec_security->settings->lp_ctx); if (!schannel_ldb) { return NT_STATUS_ACCESS_DENIED; @@ -149,13 +158,16 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ state->creds = talloc_reference(state, creds); - bind_schannel_ack.unknown1 = 1; - bind_schannel_ack.unknown2 = 0; - bind_schannel_ack.unknown3 = 0x6c0000; - - ndr_err = ndr_push_struct_blob(out, out_mem_ctx, + bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE; + bind_schannel_ack.Flags = 0; + bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think + * this does not have + * any meaning here + * - gd */ + + ndr_err = ndr_push_struct_blob(out, out_mem_ctx, gensec_security->settings->iconv_convenience, &bind_schannel_ack, - (ndr_push_flags_fn_t)ndr_push_schannel_bind_ack); + (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { status = ndr_map_error2ntstatus(ndr_err); DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n", @@ -181,7 +193,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ _PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, struct netlogon_creds_CredentialState **creds) -{ +{ struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state); *creds = talloc_reference(mem_ctx, state->creds); @@ -190,15 +202,15 @@ _PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security, } return NT_STATUS_OK; } - -/** + +/** * Returns anonymous credentials for schannel, matching Win2k3. * */ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security, - struct auth_session_info **_session_info) + struct auth_session_info **_session_info) { struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state); return auth_anonymous_session_info(state, gensec_security->event_ctx, gensec_security->settings->lp_ctx, _session_info); @@ -220,7 +232,7 @@ static NTSTATUS schannel_start(struct gensec_security *gensec_security) return NT_STATUS_OK; } -static NTSTATUS schannel_server_start(struct gensec_security *gensec_security) +static NTSTATUS schannel_server_start(struct gensec_security *gensec_security) { NTSTATUS status; struct schannel_state *state; @@ -232,7 +244,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security) state = (struct schannel_state *)gensec_security->private_data; state->initiator = false; - + return NT_STATUS_OK; } @@ -248,7 +260,7 @@ static NTSTATUS schannel_client_start(struct gensec_security *gensec_security) state = (struct schannel_state *)gensec_security->private_data; state->initiator = true; - + return NT_STATUS_OK; } @@ -256,7 +268,7 @@ static NTSTATUS schannel_client_start(struct gensec_security *gensec_security) static bool schannel_have_feature(struct gensec_security *gensec_security, uint32_t feature) { - if (feature & (GENSEC_FEATURE_SIGN | + if (feature & (GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL)) { return true; } diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index b5005444cc..c2636e127f 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -2257,3 +2257,149 @@ failed: } +/* + load the uSNHighest attribute from the @REPLCHANGED object for a + partition + */ +int dsdb_load_partition_usn(struct ldb_context *ldb, struct ldb_dn *dn, uint64_t *uSN) +{ + struct ldb_request *req; + int ret; + TALLOC_CTX *tmp_ctx = talloc_new(ldb); + struct dsdb_control_current_partition *p_ctrl; + struct ldb_result *res; + + res = talloc_zero(tmp_ctx, struct ldb_result); + if (!res) { + talloc_free(tmp_ctx); + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = ldb_build_search_req(&req, ldb, tmp_ctx, + ldb_dn_new(tmp_ctx, ldb, "@REPLCHANGED"), + LDB_SCOPE_BASE, + NULL, NULL, + NULL, + res, ldb_search_default_callback, + NULL); + if (ret != LDB_SUCCESS) { + talloc_free(tmp_ctx); + return ret; + } + + p_ctrl = talloc(req, struct dsdb_control_current_partition); + if (p_ctrl == NULL) { + talloc_free(res); + return LDB_ERR_OPERATIONS_ERROR; + } + p_ctrl->version = DSDB_CONTROL_CURRENT_PARTITION_VERSION; + p_ctrl->dn = dn; + + + ret = ldb_request_add_control(req, + DSDB_CONTROL_CURRENT_PARTITION_OID, + false, p_ctrl); + if (ret != LDB_SUCCESS) { + talloc_free(tmp_ctx); + return ret; + } + + /* Run the new request */ + ret = ldb_request(ldb, req); + + if (ret == LDB_SUCCESS) { + ret = ldb_wait(req->handle, LDB_WAIT_ALL); + } + + if (ret != LDB_SUCCESS) { + talloc_free(tmp_ctx); + return ret; + } + + if (res->count < 1) { + *uSN = 0; + } else { + *uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNHighest", 0); + } + + talloc_free(tmp_ctx); + + return LDB_SUCCESS; +} + +/* + save the uSNHighest attribute in the @REPLCHANGED object for a + partition + */ +int dsdb_save_partition_usn(struct ldb_context *ldb, struct ldb_dn *dn, uint64_t uSN) +{ + struct ldb_request *req; + struct ldb_message *msg; + struct dsdb_control_current_partition *p_ctrl; + int ret; + + msg = ldb_msg_new(ldb); + if (msg == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + + msg->dn = ldb_dn_new(msg, ldb, "@REPLCHANGED"); + if (msg->dn == NULL) { + talloc_free(msg); + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = ldb_msg_add_fmt(msg, "uSNHighest", "%llu", (unsigned long long)uSN); + if (ret != LDB_SUCCESS) { + talloc_free(msg); + return ret; + } + msg->elements[0].flags = LDB_FLAG_MOD_REPLACE; + + + p_ctrl = talloc(msg, struct dsdb_control_current_partition); + if (p_ctrl == NULL) { + talloc_free(msg); + return LDB_ERR_OPERATIONS_ERROR; + } + p_ctrl->version = DSDB_CONTROL_CURRENT_PARTITION_VERSION; + p_ctrl->dn = dn; + + ret = ldb_build_mod_req(&req, ldb, msg, + msg, + NULL, + NULL, ldb_op_default_callback, + NULL); +again: + if (ret != LDB_SUCCESS) { + talloc_free(msg); + return ret; + } + + ret = ldb_request_add_control(req, + DSDB_CONTROL_CURRENT_PARTITION_OID, + false, p_ctrl); + if (ret != LDB_SUCCESS) { + talloc_free(msg); + return ret; + } + + /* Run the new request */ + ret = ldb_request(ldb, req); + + if (ret == LDB_SUCCESS) { + ret = ldb_wait(req->handle, LDB_WAIT_ALL); + } + if (ret == LDB_ERR_NO_SUCH_OBJECT) { + ret = ldb_build_add_req(&req, ldb, msg, + msg, + NULL, + NULL, ldb_op_default_callback, + NULL); + goto again; + } + + talloc_free(msg); + + return ret; +} diff --git a/source4/dsdb/config.mk b/source4/dsdb/config.mk index eb26f5b433..4150ba0d54 100644 --- a/source4/dsdb/config.mk +++ b/source4/dsdb/config.mk @@ -62,7 +62,8 @@ DREPL_SRV_OBJ_FILES = $(addprefix $(dsdbsrcdir)/repl/, \ drepl_periodic.o \ drepl_partitions.o \ drepl_out_pull.o \ - drepl_out_helpers.o) + drepl_out_helpers.o \ + drepl_notify.o) $(eval $(call proto_header_template,$(dsdbsrcdir)/repl/drepl_service_proto.h,$(DREPL_SRV_OBJ_FILES:.o=.c))) diff --git a/source4/dsdb/repl/drepl_notify.c b/source4/dsdb/repl/drepl_notify.c new file mode 100644 index 0000000000..73280917c5 --- /dev/null +++ b/source4/dsdb/repl/drepl_notify.c @@ -0,0 +1,428 @@ +/* + Unix SMB/CIFS mplementation. + + DSDB replication service periodic notification handling + + Copyright (C) Andrew Tridgell 2009 + based on drepl_periodic + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. + +*/ + +#include "includes.h" +#include "lib/events/events.h" +#include "dsdb/samdb/samdb.h" +#include "auth/auth.h" +#include "smbd/service.h" +#include "lib/messaging/irpc.h" +#include "dsdb/repl/drepl_service.h" +#include "lib/ldb/include/ldb_errors.h" +#include "../lib/util/dlinklist.h" +#include "librpc/gen_ndr/ndr_misc.h" +#include "librpc/gen_ndr/ndr_drsuapi.h" +#include "librpc/gen_ndr/ndr_drsblobs.h" +#include "libcli/composite/composite.h" + + +struct dreplsrv_op_notify_state { + struct composite_context *creq; + + struct dreplsrv_out_connection *conn; + + struct dreplsrv_drsuapi_connection *drsuapi; + + struct drsuapi_DsBindInfoCtr bind_info_ctr; + struct drsuapi_DsBind bind_r; + struct dreplsrv_notify_operation *op; +}; + +/* + receive a DsReplicaSync reply + */ +static void dreplsrv_op_notify_replica_sync_recv(struct rpc_request *req) +{ + struct dreplsrv_op_notify_state *st = talloc_get_type(req->async.private_data, + struct dreplsrv_op_notify_state); + struct composite_context *c = st->creq; + struct drsuapi_DsReplicaSync *r = talloc_get_type(req->ndr.struct_ptr, + struct drsuapi_DsReplicaSync); + + c->status = dcerpc_ndr_request_recv(req); + if (!composite_is_ok(c)) return; + + if (!W_ERROR_IS_OK(r->out.result)) { + composite_error(c, werror_to_ntstatus(r->out.result)); + return; + } + + composite_done(c); +} + +/* + send a DsReplicaSync +*/ +static void dreplsrv_op_notify_replica_sync_send(struct dreplsrv_op_notify_state *st) +{ + struct composite_context *c = st->creq; + struct dreplsrv_partition *partition = st->op->source_dsa->partition; + struct dreplsrv_drsuapi_connection *drsuapi = st->op->source_dsa->conn->drsuapi; + struct rpc_request *req; + struct drsuapi_DsReplicaSync *r; + + r = talloc_zero(st, struct drsuapi_DsReplicaSync); + if (composite_nomem(r, c)) return; + + r->in.bind_handle = &drsuapi->bind_handle; + r->in.level = 1; + r->in.req.req1.naming_context = &partition->nc; + r->in.req.req1.source_dsa_guid = st->op->service->ntds_guid; + r->in.req.req1.options = + DRSUAPI_DS_REPLICA_SYNC_ASYNCHRONOUS_OPERATION | + DRSUAPI_DS_REPLICA_SYNC_WRITEABLE | + DRSUAPI_DS_REPLICA_SYNC_ALL_SOURCES; + + + req = dcerpc_drsuapi_DsReplicaSync_send(drsuapi->pipe, r, r); + composite_continue_rpc(c, req, dreplsrv_op_notify_replica_sync_recv, st); +} + +/* + called when we have an established connection + */ +static void dreplsrv_op_notify_connect_recv(struct composite_context *creq) +{ + struct dreplsrv_op_notify_state *st = talloc_get_type(creq->async.private_data, + struct dreplsrv_op_notify_state); + struct composite_context *c = st->creq; + + c->status = dreplsrv_out_drsuapi_recv(creq); + if (!composite_is_ok(c)) return; + + dreplsrv_op_notify_replica_sync_send(st); +} + +/* + start the ReplicaSync async call + */ +static struct composite_context *dreplsrv_op_notify_send(struct dreplsrv_notify_operation *op) +{ + struct composite_context *c; + struct composite_context *creq; + struct dreplsrv_op_notify_state *st; + + c = composite_create(op, op->service->task->event_ctx); + if (c == NULL) return NULL; + + st = talloc_zero(c, struct dreplsrv_op_notify_state); + if (composite_nomem(st, c)) return c; + + st->creq = c; + st->op = op; + + creq = dreplsrv_out_drsuapi_send(op->source_dsa->conn); + composite_continue(c, creq, dreplsrv_op_notify_connect_recv, st); + + return c; +} + +static void dreplsrv_notify_del_repsTo(struct dreplsrv_notify_operation *op) +{ + uint32_t count; + struct repsFromToBlob *reps; + WERROR werr; + struct dreplsrv_service *s = op->service; + int i; + + werr = dsdb_loadreps(s->samdb, op, op->source_dsa->partition->dn, "repsTo", &reps, &count); + if (!W_ERROR_IS_OK(werr)) { + DEBUG(0,(__location__ ": Failed to load repsTo for %s\n", + ldb_dn_get_linearized(op->source_dsa->partition->dn))); + return; + } + + for (i=0; i<count; i++) { + if (GUID_compare(&reps[i].ctr.ctr1.source_dsa_obj_guid, + &op->source_dsa->repsFrom1->source_dsa_obj_guid) == 0) { + memmove(&reps[i], &reps[i+1], + sizeof(reps[i])*(count-(i+1))); + count--; + } + } + + werr = dsdb_savereps(s->samdb, op, op->source_dsa->partition->dn, "repsTo", reps, count); + if (!W_ERROR_IS_OK(werr)) { + DEBUG(0,(__location__ ": Failed to save repsTo for %s\n", + ldb_dn_get_linearized(op->source_dsa->partition->dn))); + return; + } +} + +/* + called when a notify operation has completed + */ +static void dreplsrv_notify_op_callback(struct dreplsrv_notify_operation *op) +{ + NTSTATUS status; + struct dreplsrv_service *s = op->service; + + status = composite_wait(op->creq); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0,("dreplsrv_notify: Failed to send DsReplicaSync to %s - %s\n", + op->source_dsa->repsFrom1->other_info->dns_name, + nt_errstr(status))); + } else { + DEBUG(2,("dreplsrv_notify: DsReplicaSync OK for %s\n", + op->source_dsa->repsFrom1->other_info->dns_name)); + op->source_dsa->notify_uSN = op->uSN; + /* delete the repsTo for this replication partner in the + partition, as we have successfully told him to sync */ + dreplsrv_notify_del_repsTo(op); + } + talloc_free(op->creq); + + talloc_free(op); + s->ops.n_current = NULL; + dreplsrv_notify_run_ops(s); +} + + +static void dreplsrv_notify_op_callback_creq(struct composite_context *creq) +{ + struct dreplsrv_notify_operation *op = talloc_get_type(creq->async.private_data, + struct dreplsrv_notify_operation); + dreplsrv_notify_op_callback(op); +} + +/* + run any pending replica sync calls + */ +void dreplsrv_notify_run_ops(struct dreplsrv_service *s) +{ + struct dreplsrv_notify_operation *op; + + if (s->ops.n_current || s->ops.current) { + /* if there's still one running, we're done */ + return; + } + + if (!s->ops.notifies) { + /* if there're no pending operations, we're done */ + return; + } + + op = s->ops.notifies; + s->ops.n_current = op; + DLIST_REMOVE(s->ops.notifies, op); + + op->creq = dreplsrv_op_notify_send(op); + if (!op->creq) { + dreplsrv_notify_op_callback(op); + return; + } + + op->creq->async.fn = dreplsrv_notify_op_callback_creq; + op->creq->async.private_data = op; +} + + +/* + find a source_dsa for a given guid + */ +static struct dreplsrv_partition_source_dsa *dreplsrv_find_source_dsa(struct dreplsrv_partition *p, + struct GUID *guid) +{ + struct dreplsrv_partition_source_dsa *s; + + for (s=p->sources; s; s=s->next) { + if (GUID_compare(&s->repsFrom1->source_dsa_obj_guid, guid) == 0) { + return s; + } + } + return NULL; +} + + +/* + schedule a replicaSync message + */ +static WERROR dreplsrv_schedule_notify_sync(struct dreplsrv_service *service, + struct dreplsrv_partition *p, + struct repsFromToBlob *reps, + TALLOC_CTX *mem_ctx, + uint64_t uSN) +{ + struct dreplsrv_notify_operation *op; + struct dreplsrv_partition_source_dsa *s; + + s = dreplsrv_find_source_dsa(p, &reps->ctr.ctr1.source_dsa_obj_guid); + if (s == NULL) { + DEBUG(0,(__location__ ": Unable to find source_dsa for %s\n", + GUID_string(mem_ctx, &reps->ctr.ctr1.source_dsa_obj_guid))); + return WERR_DS_UNAVAILABLE; + } + + op = talloc_zero(mem_ctx, struct dreplsrv_notify_operation); + W_ERROR_HAVE_NO_MEMORY(op); + + op->service = service; + op->source_dsa = s; + op->uSN = uSN; + + DLIST_ADD_END(service->ops.notifies, op, struct dreplsrv_notify_operation *); + talloc_steal(service, op); + return WERR_OK; +} + +/* + see if a partition has a hugher uSN than what is in the repsTo and + if so then send a DsReplicaSync + */ +static WERROR dreplsrv_notify_check(struct dreplsrv_service *s, + struct dreplsrv_partition *p, + TALLOC_CTX *mem_ctx) +{ + uint32_t count=0; + struct repsFromToBlob *reps; + WERROR werr; + uint64_t uSN; + int ret, i; + + werr = dsdb_loadreps(s->samdb, mem_ctx, p->dn, "repsTo", &reps, &count); + if (count == 0) { + werr = dsdb_loadreps(s->samdb, mem_ctx, p->dn, "repsFrom", &reps, &count); + } + if (!W_ERROR_IS_OK(werr)) { + DEBUG(0,(__location__ ": Failed to load repsTo for %s\n", + ldb_dn_get_linearized(p->dn))); + return werr; + } + + /* loads the partition uSNHighest */ + ret = dsdb_load_partition_usn(s->samdb, p->dn, &uSN); + if (ret != LDB_SUCCESS || uSN == 0) { + /* nothing to do */ + return WERR_OK; + } + + /* see if any of our partners need some of our objects */ + for (i=0; i<count; i++) { + struct dreplsrv_partition_source_dsa *sdsa; + sdsa = dreplsrv_find_source_dsa(p, &reps[i].ctr.ctr1.source_dsa_obj_guid); + if (sdsa == NULL) continue; + if (sdsa->notify_uSN < uSN) { + /* we need to tell this partner to replicate + with us */ + werr = dreplsrv_schedule_notify_sync(s, p, &reps[i], mem_ctx, uSN); + if (!W_ERROR_IS_OK(werr)) { + DEBUG(0,(__location__ ": Failed to setup notify to %s for %s\n", + reps[i].ctr.ctr1.other_info->dns_name, + ldb_dn_get_linearized(p->dn))); + return werr; + } + } + } + + return WERR_OK; +} + +/* + see if any of the partitions have changed, and if so then send a + DsReplicaSync to all the replica partners in the repsTo object + */ +static WERROR dreplsrv_notify_check_all(struct dreplsrv_service *s, TALLOC_CTX *mem_ctx) +{ + WERROR status; + struct dreplsrv_partition *p; + + for (p = s->partitions; p; p = p->next) { + status = dreplsrv_notify_check(s, p, mem_ctx); + W_ERROR_NOT_OK_RETURN(status); + } + + return WERR_OK; +} + +static void dreplsrv_notify_run(struct dreplsrv_service *service); + +static void dreplsrv_notify_handler_te(struct tevent_context *ev, struct tevent_timer *te, + struct timeval t, void *ptr) +{ + struct dreplsrv_service *service = talloc_get_type(ptr, struct dreplsrv_service); + WERROR status; + + service->notify.te = NULL; + + dreplsrv_notify_run(service); + + status = dreplsrv_notify_schedule(service, service->notify.interval); + if (!W_ERROR_IS_OK(status)) { + task_server_terminate(service->task, win_errstr(status)); + return; + } +} + +WERROR dreplsrv_notify_schedule(struct dreplsrv_service *service, uint32_t next_interval) +{ + TALLOC_CTX *tmp_mem; + struct tevent_timer *new_te; + struct timeval next_time; + + /* prevent looping */ + if (next_interval == 0) next_interval = 1; + + next_time = timeval_current_ofs(next_interval, 50); + + if (service->notify.te) { + /* + * if the timestamp of the new event is higher, + * as current next we don't need to reschedule + */ + if (timeval_compare(&next_time, &service->notify.next_event) > 0) { + return WERR_OK; + } + } + + /* reset the next scheduled timestamp */ + service->notify.next_event = next_time; + + new_te = event_add_timed(service->task->event_ctx, service, + service->notify.next_event, + dreplsrv_notify_handler_te, service); + W_ERROR_HAVE_NO_MEMORY(new_te); + + tmp_mem = talloc_new(service); + DEBUG(2,("dreplsrv_notify_schedule(%u) %sscheduled for: %s\n", + next_interval, + (service->notify.te?"re":""), + nt_time_string(tmp_mem, timeval_to_nttime(&next_time)))); + talloc_free(tmp_mem); + + talloc_free(service->notify.te); + service->notify.te = new_te; + + return WERR_OK; +} + +static void dreplsrv_notify_run(struct dreplsrv_service *service) +{ + TALLOC_CTX *mem_ctx; + + mem_ctx = talloc_new(service); + dreplsrv_notify_check_all(service, mem_ctx); + talloc_free(mem_ctx); + + dreplsrv_run_pending_ops(service); + dreplsrv_notify_run_ops(service); +} diff --git a/source4/dsdb/repl/drepl_out_helpers.c b/source4/dsdb/repl/drepl_out_helpers.c index e90f2783b1..168aacdde9 100644 --- a/source4/dsdb/repl/drepl_out_helpers.c +++ b/source4/dsdb/repl/drepl_out_helpers.c @@ -48,7 +48,7 @@ struct dreplsrv_out_drsuapi_state { static void dreplsrv_out_drsuapi_connect_recv(struct composite_context *creq); -static struct composite_context *dreplsrv_out_drsuapi_send(struct dreplsrv_out_connection *conn) +struct composite_context *dreplsrv_out_drsuapi_send(struct dreplsrv_out_connection *conn) { struct composite_context *c; struct composite_context *creq; @@ -165,7 +165,7 @@ static void dreplsrv_out_drsuapi_bind_recv(struct rpc_request *req) composite_done(c); } -static NTSTATUS dreplsrv_out_drsuapi_recv(struct composite_context *c) +NTSTATUS dreplsrv_out_drsuapi_recv(struct composite_context *c) { NTSTATUS status; struct dreplsrv_out_drsuapi_state *st = talloc_get_type(c->private_data, diff --git a/source4/dsdb/repl/drepl_out_pull.c b/source4/dsdb/repl/drepl_out_pull.c index 54dbd29730..b073d265c3 100644 --- a/source4/dsdb/repl/drepl_out_pull.c +++ b/source4/dsdb/repl/drepl_out_pull.c @@ -125,6 +125,7 @@ done: talloc_free(op); s->ops.current = NULL; dreplsrv_run_pending_ops(s); + dreplsrv_notify_run_ops(s); } static void dreplsrv_pending_op_callback_creq(struct composite_context *creq) @@ -140,7 +141,7 @@ void dreplsrv_run_pending_ops(struct dreplsrv_service *s) time_t t; NTTIME now; - if (s->ops.current) { + if (s->ops.current || s->ops.n_current) { /* if there's still one running, we're done */ return; } diff --git a/source4/dsdb/repl/drepl_periodic.c b/source4/dsdb/repl/drepl_periodic.c index 2cfcb310dc..377cecbe99 100644 --- a/source4/dsdb/repl/drepl_periodic.c +++ b/source4/dsdb/repl/drepl_periodic.c @@ -110,4 +110,5 @@ static void dreplsrv_periodic_run(struct dreplsrv_service *service) dreplsrv_refresh_partitions(service); dreplsrv_run_pending_ops(service); + dreplsrv_notify_run_ops(service); } diff --git a/source4/dsdb/repl/drepl_service.c b/source4/dsdb/repl/drepl_service.c index eb49da3d41..cb415b65e6 100644 --- a/source4/dsdb/repl/drepl_service.c +++ b/source4/dsdb/repl/drepl_service.c @@ -196,6 +196,16 @@ static void dreplsrv_task_init(struct task_server *task) return; } + service->notify.interval = lp_parm_int(task->lp_ctx, NULL, "dreplsrv", + "notify_interval", 5); /* in seconds */ + status = dreplsrv_notify_schedule(service, service->notify.interval); + if (!W_ERROR_IS_OK(status)) { + task_server_terminate(task, talloc_asprintf(task, + "dreplsrv: Failed to setup notify schedule: %s\n", + win_errstr(status))); + return; + } + irpc_add_name(task->msg_ctx, "dreplsrv"); IRPC_REGISTER(task->msg_ctx, drsuapi, DRSUAPI_DSREPLICASYNC, drepl_replica_sync, service); diff --git a/source4/dsdb/repl/drepl_service.h b/source4/dsdb/repl/drepl_service.h index a9eea30719..0f9684fa78 100644 --- a/source4/dsdb/repl/drepl_service.h +++ b/source4/dsdb/repl/drepl_service.h @@ -69,6 +69,9 @@ struct dreplsrv_partition_source_dsa { struct repsFromToBlob _repsFromBlob; struct repsFromTo1 *repsFrom1; + /* the last uSN when we sent a notify */ + uint64_t notify_uSN; + /* the reference to the source_dsa and its outgoing connection */ struct dreplsrv_out_connection *conn; }; @@ -107,6 +110,17 @@ struct dreplsrv_out_operation { struct composite_context *creq; }; +struct dreplsrv_notify_operation { + struct dreplsrv_notify_operation *prev, *next; + + struct dreplsrv_service *service; + uint64_t uSN; + + struct dreplsrv_partition_source_dsa *source_dsa; + + struct composite_context *creq; +}; + struct dreplsrv_service { /* the whole drepl service is in one task */ struct task_server *task; @@ -150,6 +164,23 @@ struct dreplsrv_service { struct tevent_timer *te; } periodic; + /* some stuff for notify processing */ + struct { + /* + * the interval between notify runs + */ + uint32_t interval; + + /* + * the timestamp for the next event, + * this is the timstamp passed to event_add_timed() + */ + struct timeval next_event; + + /* here we have a reference to the timed event the schedules the notifies */ + struct tevent_timer *te; + } notify; + /* * the list of partitions we need to replicate */ @@ -166,6 +197,12 @@ struct dreplsrv_service { /* the list of pending operations */ struct dreplsrv_out_operation *pending; + + /* the list of pending notify operations */ + struct dreplsrv_notify_operation *notifies; + + /* an active notify operation */ + struct dreplsrv_notify_operation *n_current; } ops; }; diff --git a/source4/dsdb/samdb/ldb_modules/partition.c b/source4/dsdb/samdb/ldb_modules/partition.c index d4a69952e8..79d11fd958 100644 --- a/source4/dsdb/samdb/ldb_modules/partition.c +++ b/source4/dsdb/samdb/ldb_modules/partition.c @@ -161,6 +161,10 @@ static struct dsdb_partition *find_partition(struct partition_private_data *data } } + if (dn == NULL) { + return NULL; + } + /* Look at base DN */ /* Figure out which partition it is under */ /* Skip the lot if 'data' isn't here yet (initialisation) */ @@ -470,10 +474,10 @@ static int partition_replicate(struct ldb_module *module, struct ldb_request *re static int partition_search(struct ldb_module *module, struct ldb_request *req) { struct ldb_control **saved_controls; - /* Find backend */ struct partition_private_data *data = talloc_get_type(module->private_data, struct partition_private_data); + /* issue request */ /* (later) consider if we should be searching multiple @@ -483,6 +487,17 @@ static int partition_search(struct ldb_module *module, struct ldb_request *req) struct ldb_control *domain_scope_control = ldb_request_get_control(req, LDB_CONTROL_DOMAIN_SCOPE_OID); struct ldb_search_options_control *search_options = NULL; + struct dsdb_partition *p; + + p = find_partition(data, NULL, req); + if (p != NULL) { + /* the caller specified what partition they want the + * search - just pass it on + */ + return ldb_next_request(p->module, req); + } + + if (search_control) { search_options = talloc_get_type(search_control->data, struct ldb_search_options_control); } @@ -765,7 +780,7 @@ static int partition_sequence_number(struct ldb_module *module, struct ldb_reque struct ldb_result *res; struct dsdb_partition *p; - p = find_partition(NULL, NULL, req); + p = find_partition(data, NULL, req); if (p != NULL) { /* the caller specified what partition they want the * sequence number operation on - just pass it on diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c index 2a16c2bb82..f9411fe95f 100644 --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c @@ -47,7 +47,14 @@ #include "lib/util/dlinklist.h" struct replmd_private { + TALLOC_CTX *la_ctx; struct la_entry *la_list; + uint32_t num_ncs; + struct nc_entry { + struct ldb_dn *dn; + struct GUID guid; + uint64_t mod_usn; + } *ncs; }; struct la_entry { @@ -71,6 +78,188 @@ struct replmd_replicated_request { struct ldb_message *search_msg; }; + +/* + initialise the module + allocate the private structure and build the list + of partition DNs for use by replmd_notify() + */ +static int replmd_init(struct ldb_module *module) +{ + struct replmd_private *replmd_private; + struct ldb_context *ldb = ldb_module_get_ctx(module); + + replmd_private = talloc_zero(module, struct replmd_private); + if (replmd_private == NULL) { + ldb_oom(ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + ldb_module_set_private(module, replmd_private); + + return ldb_next_init(module); +} + + +static int nc_compare(struct nc_entry *n1, struct nc_entry *n2) +{ + return ldb_dn_compare(n1->dn, n2->dn); +} + +/* + build the list of partition DNs for use by replmd_notify() + */ +static int replmd_load_NCs(struct ldb_module *module) +{ + const char *attrs[] = { "namingContexts", NULL }; + struct ldb_result *res = NULL; + int i, ret; + TALLOC_CTX *tmp_ctx; + struct ldb_context *ldb; + struct ldb_message_element *el; + struct replmd_private *replmd_private = + talloc_get_type(ldb_module_get_private(module), struct replmd_private); + + if (replmd_private->ncs != NULL) { + return LDB_SUCCESS; + } + + ldb = ldb_module_get_ctx(module); + tmp_ctx = talloc_new(module); + + /* load the list of naming contexts */ + ret = ldb_search(ldb, tmp_ctx, &res, ldb_dn_new(tmp_ctx, ldb, ""), + LDB_SCOPE_BASE, attrs, NULL); + if (ret != LDB_SUCCESS || + res->count != 1) { + DEBUG(0,(__location__ ": Failed to load rootDSE\n")); + return LDB_ERR_OPERATIONS_ERROR; + } + + el = ldb_msg_find_element(res->msgs[0], "namingContexts"); + if (el == NULL) { + DEBUG(0,(__location__ ": Failed to load namingContexts\n")); + return LDB_ERR_OPERATIONS_ERROR; + } + + replmd_private->num_ncs = el->num_values; + replmd_private->ncs = talloc_array(replmd_private, struct nc_entry, + replmd_private->num_ncs); + if (replmd_private->ncs == NULL) { + ldb_oom(ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + for (i=0; i<replmd_private->num_ncs; i++) { + replmd_private->ncs[i].dn = + ldb_dn_from_ldb_val(replmd_private->ncs, + ldb, &el->values[i]); + replmd_private->ncs[i].mod_usn = 0; + } + + talloc_free(res); + + /* now find the GUIDs of each of those DNs */ + for (i=0; i<replmd_private->num_ncs; i++) { + const char *attrs2[] = { "objectGUID", NULL }; + ret = ldb_search(ldb, tmp_ctx, &res, replmd_private->ncs[i].dn, + LDB_SCOPE_BASE, attrs2, NULL); + if (ret != LDB_SUCCESS || + res->count != 1) { + /* this happens when the schema is first being + setup */ + talloc_free(replmd_private->ncs); + replmd_private->ncs = NULL; + replmd_private->num_ncs = 0; + talloc_free(tmp_ctx); + return LDB_SUCCESS; + } + replmd_private->ncs[i].guid = + samdb_result_guid(res->msgs[0], "objectGUID"); + talloc_free(res); + } + + /* sort the NCs into order, most to least specific */ + qsort(replmd_private->ncs, replmd_private->num_ncs, + sizeof(replmd_private->ncs[0]), QSORT_CAST nc_compare); + + + talloc_free(tmp_ctx); + + return LDB_SUCCESS; +} + + +/* + * notify the repl task that a object has changed. The notifies are + * gathered up in the replmd_private structure then written to the + * @REPLCHANGED object in each partition during the prepare_commit + */ +static int replmd_notify(struct ldb_module *module, struct ldb_dn *dn, uint64_t uSN) +{ + int ret, i; + struct replmd_private *replmd_private = + talloc_get_type(ldb_module_get_private(module), struct replmd_private); + + ret = replmd_load_NCs(module); + if (ret != LDB_SUCCESS) { + return ret; + } + if (replmd_private->num_ncs == 0) { + return LDB_SUCCESS; + } + + for (i=0; i<replmd_private->num_ncs; i++) { + if (ldb_dn_compare_base(replmd_private->ncs[i].dn, dn) == 0) { + break; + } + } + if (i == replmd_private->num_ncs) { + DEBUG(0,(__location__ ": DN not within known NCs '%s'\n", + ldb_dn_get_linearized(dn))); + return LDB_ERR_OPERATIONS_ERROR; + } + + if (uSN > replmd_private->ncs[i].mod_usn) { + replmd_private->ncs[i].mod_usn = uSN; + } + + return LDB_SUCCESS; +} + + +/* + * update a @REPLCHANGED record in each partition if there have been + * any writes of replicated data in the partition + */ +static int replmd_notify_store(struct ldb_module *module) +{ + int i; + struct replmd_private *replmd_private = + talloc_get_type(ldb_module_get_private(module), struct replmd_private); + struct ldb_context *ldb = ldb_module_get_ctx(module); + + for (i=0; i<replmd_private->num_ncs; i++) { + int ret; + + if (replmd_private->ncs[i].mod_usn == 0) { + /* this partition has not changed in this + transaction */ + continue; + } + + ret = dsdb_save_partition_usn(ldb, replmd_private->ncs[i].dn, + replmd_private->ncs[i].mod_usn); + if (ret != LDB_SUCCESS) { + DEBUG(0,(__location__ ": Failed to save partition uSN for %s\n", + ldb_dn_get_linearized(replmd_private->ncs[i].dn))); + return ret; + } + } + + return LDB_SUCCESS; +} + + /* created a replmd_replicated_request context */ @@ -458,6 +647,11 @@ static int replmd_add(struct ldb_module *module, struct ldb_request *req) return ret; } + ret = replmd_notify(module, msg->dn, seq_num); + if (ret != LDB_SUCCESS) { + return ret; + } + /* go on with the call chain */ return ldb_next_request(module, down_req); } @@ -505,6 +699,7 @@ static int replmd_update_rpmd_element(struct ldb_context *ldb, return LDB_ERR_OPERATIONS_ERROR; } omd->ctr.ctr1.count++; + ZERO_STRUCT(omd->ctr.ctr1.array[i]); } /* Get a new sequence number from the backend. We only do this @@ -519,7 +714,7 @@ static int replmd_update_rpmd_element(struct ldb_context *ldb, } md1 = &omd->ctr.ctr1.array[i]; - md1->version = 1; + md1->version++; md1->attid = a->attributeID_id; md1->originating_change_time = now; md1->originating_invocation_id = *our_invocation_id; @@ -534,8 +729,8 @@ static int replmd_update_rpmd_element(struct ldb_context *ldb, * object. This is needed for DRS replication, as the merge on the * client is based on this object */ -static int replmd_update_rpmd(struct ldb_context *ldb, struct ldb_message *msg, - uint64_t *seq_num) +static int replmd_update_rpmd(struct ldb_module *module, + struct ldb_message *msg, uint64_t *seq_num) { const struct ldb_val *omd_value; enum ndr_err_code ndr_err; @@ -548,6 +743,9 @@ static int replmd_update_rpmd(struct ldb_context *ldb, struct ldb_message *msg, int ret; const char *attrs[] = { "replPropertyMetaData" , NULL }; struct ldb_result *res; + struct ldb_context *ldb; + + ldb = ldb_module_get_ctx(module); our_invocation_id = samdb_ntds_invocation_id(ldb); if (!our_invocation_id) { @@ -631,6 +829,11 @@ static int replmd_update_rpmd(struct ldb_context *ldb, struct ldb_message *msg, return ret; } + ret = replmd_notify(module, msg->dn, *seq_num); + if (ret != LDB_SUCCESS) { + return ret; + } + el->num_values = 1; el->values = md_value; } @@ -691,7 +894,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req) * attribute was changed */ - ret = replmd_update_rpmd(ldb, msg, &seq_num); + ret = replmd_update_rpmd(module, msg, &seq_num); if (ret != LDB_SUCCESS) { return ret; } @@ -729,6 +932,102 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req) return ldb_next_request(module, down_req); } + +/* + handle a rename request + + On a rename we need to do an extra ldb_modify which sets the + whenChanged and uSNChanged attributes + */ +static int replmd_rename(struct ldb_module *module, struct ldb_request *req) +{ + struct ldb_context *ldb; + int ret, i; + time_t t = time(NULL); + uint64_t seq_num = 0; + struct ldb_message *msg; + struct replmd_private *replmd_private = + talloc_get_type(ldb_module_get_private(module), struct replmd_private); + + /* do not manipulate our control entries */ + if (ldb_dn_is_special(req->op.mod.message->dn)) { + return ldb_next_request(module, req); + } + + ldb = ldb_module_get_ctx(module); + + ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_rename\n"); + + /* Get a sequence number from the backend */ + ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &seq_num); + if (ret != LDB_SUCCESS) { + return ret; + } + + msg = ldb_msg_new(req); + if (msg == NULL) { + ldb_oom(ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + msg->dn = req->op.rename.olddn; + + if (add_time_element(msg, "whenChanged", t) != LDB_SUCCESS) { + talloc_free(msg); + return LDB_ERR_OPERATIONS_ERROR; + } + msg->elements[0].flags = LDB_FLAG_MOD_REPLACE; + + if (add_uint64_element(msg, "uSNChanged", seq_num) != LDB_SUCCESS) { + talloc_free(msg); + return LDB_ERR_OPERATIONS_ERROR; + } + msg->elements[1].flags = LDB_FLAG_MOD_REPLACE; + + ret = ldb_modify(ldb, msg); + talloc_free(msg); + if (ret != LDB_SUCCESS) { + return ret; + } + + ret = replmd_load_NCs(module); + if (ret != 0) { + return ret; + } + + /* now update the highest uSNs of the partitions that are + affected. Note that two partitions could be changing */ + for (i=0; i<replmd_private->num_ncs; i++) { + if (ldb_dn_compare_base(replmd_private->ncs[i].dn, + req->op.rename.olddn) == 0) { + break; + } + } + if (i == replmd_private->num_ncs) { + DEBUG(0,(__location__ ": rename olddn outside tree? %s\n", + ldb_dn_get_linearized(req->op.rename.olddn))); + return LDB_ERR_OPERATIONS_ERROR; + } + replmd_private->ncs[i].mod_usn = seq_num; + + for (i=0; i<replmd_private->num_ncs; i++) { + if (ldb_dn_compare_base(replmd_private->ncs[i].dn, + req->op.rename.newdn) == 0) { + break; + } + } + if (i == replmd_private->num_ncs) { + DEBUG(0,(__location__ ": rename newdn outside tree? %s\n", + ldb_dn_get_linearized(req->op.rename.newdn))); + return LDB_ERR_OPERATIONS_ERROR; + } + replmd_private->ncs[i].mod_usn = seq_num; + + /* go on with the call chain */ + return ldb_next_request(module, req); +} + + static int replmd_replicated_request_error(struct replmd_replicated_request *ar, int ret) { return ret; @@ -829,6 +1128,11 @@ static int replmd_replicated_apply_add(struct replmd_replicated_request *ar) return replmd_replicated_request_error(ar, ret); } + ret = replmd_notify(ar->module, msg->dn, seq_num); + if (ret != LDB_SUCCESS) { + return replmd_replicated_request_error(ar, ret); + } + /* * the meta data array is already sorted by the caller */ @@ -1105,6 +1409,11 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar) msg->elements[i].flags = LDB_FLAG_MOD_REPLACE; } + ret = replmd_notify(ar->module, msg->dn, seq_num); + if (ret != LDB_SUCCESS) { + return replmd_replicated_request_error(ar, ret); + } + if (DEBUGLVL(4)) { char *s = ldb_ldif_message_string(ldb, ar, LDB_CHANGETYPE_MODIFY, msg); DEBUG(4, ("DRS replication modify message:\n%s\n", s)); @@ -1684,18 +1993,17 @@ static int replmd_extended_replicated_objects(struct ldb_module *module, struct for (i=0; i<ar->objs->linked_attributes_count; i++) { struct la_entry *la_entry; - if (replmd_private == NULL) { - DEBUG(0,(__location__ ": repl_meta_data not called from within a transaction\n")); - return LDB_ERR_OPERATIONS_ERROR; + if (replmd_private->la_ctx == NULL) { + replmd_private->la_ctx = talloc_new(replmd_private); } - - la_entry = talloc(replmd_private, struct la_entry); + la_entry = talloc(replmd_private->la_ctx, struct la_entry); if (la_entry == NULL) { ldb_oom(ldb); return LDB_ERR_OPERATIONS_ERROR; } la_entry->la = talloc(la_entry, struct drsuapi_DsReplicaLinkedAttribute); if (la_entry->la == NULL) { + talloc_free(la_entry); ldb_oom(ldb); return LDB_ERR_OPERATIONS_ERROR; } @@ -1891,15 +2199,17 @@ static int replmd_extended(struct ldb_module *module, struct ldb_request *req) static int replmd_start_transaction(struct ldb_module *module) { /* create our private structure for this transaction */ + int i; struct replmd_private *replmd_private = talloc_get_type(ldb_module_get_private(module), struct replmd_private); - talloc_free(replmd_private); - replmd_private = talloc(module, struct replmd_private); - if (replmd_private == NULL) { - return LDB_ERR_OPERATIONS_ERROR; - } + talloc_free(replmd_private->la_ctx); replmd_private->la_list = NULL; - ldb_module_set_private(module, replmd_private); + replmd_private->la_ctx = NULL; + + for (i=0; i<replmd_private->num_ncs; i++) { + replmd_private->ncs[i].mod_usn = 0; + } + return ldb_next_start_trans(module); } @@ -1911,23 +2221,32 @@ static int replmd_prepare_commit(struct ldb_module *module) { struct replmd_private *replmd_private = talloc_get_type(ldb_module_get_private(module), struct replmd_private); - struct la_entry *la; + struct la_entry *la, *prev; + int ret; /* walk the list backwards, to do the first entry first, as we * added the entries with DLIST_ADD() which puts them at the * start of the list */ for (la = replmd_private->la_list; la && la->next; la=la->next) ; - for (; la; la=la->prev) { - int ret; + for (; la; la=prev) { + prev = la->prev; + DLIST_REMOVE(replmd_private->la_list, la); ret = replmd_process_linked_attribute(module, la); if (ret != LDB_SUCCESS) { return ret; } } - talloc_free(replmd_private); - ldb_module_set_private(module, NULL); + talloc_free(replmd_private->la_ctx); + replmd_private->la_list = NULL; + replmd_private->la_ctx = NULL; + + /* possibly change @REPLCHANGED */ + ret = replmd_notify_store(module); + if (ret != LDB_SUCCESS) { + return ret; + } return ldb_next_prepare_commit(module); } @@ -1936,17 +2255,20 @@ static int replmd_del_transaction(struct ldb_module *module) { struct replmd_private *replmd_private = talloc_get_type(ldb_module_get_private(module), struct replmd_private); - talloc_free(replmd_private); - ldb_module_set_private(module, NULL); + talloc_free(replmd_private->la_ctx); + replmd_private->la_list = NULL; + replmd_private->la_ctx = NULL; return ldb_next_del_trans(module); } _PUBLIC_ const struct ldb_module_ops ldb_repl_meta_data_module_ops = { .name = "repl_meta_data", - .add = replmd_add, - .modify = replmd_modify, - .extended = replmd_extended, + .init_context = replmd_init, + .add = replmd_add, + .modify = replmd_modify, + .rename = replmd_rename, + .extended = replmd_extended, .start_transaction = replmd_start_transaction, .prepare_commit = replmd_prepare_commit, .del_transaction = replmd_del_transaction, diff --git a/source4/dsdb/samdb/ldb_modules/samba3sam.c b/source4/dsdb/samdb/ldb_modules/samba3sam.c index 59cb9de717..f5ddff95ed 100644 --- a/source4/dsdb/samdb/ldb_modules/samba3sam.c +++ b/source4/dsdb/samdb/ldb_modules/samba3sam.c @@ -24,7 +24,6 @@ * sambaTrustPassword * sambaUnixIdPool * sambaIdmapEntry - * sambaAccountPolicy * sambaSidEntry * sambaAcctFlags -> systemFlags ? * sambaPasswordHistory -> ntPwdHistory*/ diff --git a/source4/heimdal_build/asn1_deps.pl b/source4/heimdal_build/asn1_deps.pl index 9da0787012..504f66d535 100755 --- a/source4/heimdal_build/asn1_deps.pl +++ b/source4/heimdal_build/asn1_deps.pl @@ -1,7 +1,7 @@ #!/usr/bin/perl # Generate make dependency rules for asn1 files # Jelmer Vernooij <jelmer@samba.org> 2005 -# Andrew Bartlett <abartlet@samba.org> 2006 +# Andrew Bartlett <abartlet@samba.org> 2006-2009 # Stefan Metzmacher <metze@samba.org> 2007 # GPL @@ -11,12 +11,6 @@ my $file = shift; my $prefix = shift; my $dirname = shift; my $options = join(' ', @ARGV); -my $x_file; -my @x_files = (); -my $c_file; -my @c_files = (); -my $o_file; -my @o_files = (); my $import; my @imports = (); my $dep; @@ -29,31 +23,27 @@ if (not defined $options) { my $header = "$dirname/$prefix.h"; my $headerx = "$dirname/$prefix.hx"; +my $o_file = "$dirname/asn1_$prefix.o"; +my $c_file = "$dirname/asn1_$prefix.c"; +my $x_file = "$dirname/asn1_$prefix.x"; +my $output_file = "$dirname/" . $prefix . "_asn1_files"; print "basics:: $header\n"; +print "$output_file: \$(heimdalsrcdir)/$file \$(ASN1C)\n"; +print "\t\@echo \"Compiling ASN1 file \$(heimdalsrcdir)/$file\"\n"; +print "\t\@\$(heimdalbuildsrcdir)/asn1_compile_wrapper.sh \$(builddir) $dirname \$(ASN1C) \$(call abspath,\$(heimdalsrcdir)/$file) $prefix $options --one-code-file\n\n"; +print "$headerx: $output_file\n"; print "$header: $headerx\n"; print "\t\@cp $headerx $header\n"; -print "$headerx: \$(heimdalsrcdir)/$file \$(ASN1C)\n"; -print "\t\@echo \"Compiling ASN1 file \$(heimdalsrcdir)/$file\"\n"; -print "\t\@\$(heimdalbuildsrcdir)/asn1_compile_wrapper.sh \$(builddir) $dirname \$(ASN1C) \$(call abspath,\$(heimdalsrcdir)/$file) $prefix $options\n\n"; +print "$x_file: $header\n"; +print "$c_file: $x_file\n"; +print "\t\@echo \"#include \\\"config.h\\\"\" > $c_file && cat $x_file >> $c_file\n\n"; open(IN,"heimdal/$file") or die("Can't open heimdal/$file: $!"); my @lines = <IN>; close(IN); foreach my $line (@lines) { - if ($line =~ /^([\w]+[\w\-]+)(\s+OBJECT IDENTIFIER)?\s*::=/) { - my $output = $1; - $output =~ s/-/_/g; - $c_file = "$dirname/asn1_$output.c"; - $x_file = "$dirname/asn1_$output.x"; - $o_file = "$dirname/asn1_$output.o"; - print "$x_file: $header\n"; - print "$c_file: $dirname/asn1_$output.x\n"; - print "\t\@echo \"#include \\\"config.h\\\"\" > $c_file && cat $x_file >> $c_file\n\n"; - push @x_files, $x_file; - push @c_files, $c_file; - push @o_files, $o_file; - } elsif ($line =~ /^(\s*IMPORT)([\w\,\s])*(\s+FROM\s+)([\w]+[\w\-]+);/) { + if ($line =~ /^(\s*IMPORT)([\w\,\s])*(\s+FROM\s+)([\w]+[\w\-]+);/) { $import = $line; chomp $import; push @imports, $import; @@ -94,21 +84,16 @@ print "CFLAGS = -Iheimdal_build -Iheimdal/lib/roken -I$dirname\n"; print "PUBLIC_DEPENDENCIES = $depstr\n\n"; print "HEIMDAL_".uc($prefix)."_OBJ_FILES = "; -foreach $o_file (@o_files) { - print "\\\n\t$o_file"; -} +print "\\\n\t$o_file"; print "\n\n"; print "clean:: \n"; print "\t\@echo \"Deleting ASN1 output files generated from $file\"\n"; +print "\t\@rm -f $output_file\n"; print "\t\@rm -f $header\n"; -foreach $c_file (@c_files) { - print "\t\@rm -f $c_file\n"; -} -foreach $x_file (@x_files) { - print "\t\@rm -f $x_file\n"; -} +print "\t\@rm -f $c_file\n"; +print "\t\@rm -f $x_file\n"; print "\t\@rm -f $dirname/$prefix\_files\n"; print "\t\@rm -f $dirname/$prefix\.h\n"; print "\n"; diff --git a/source4/heimdal_build/internal.mk b/source4/heimdal_build/internal.mk index 61159ab94e..a2b5df7257 100644 --- a/source4/heimdal_build/internal.mk +++ b/source4/heimdal_build/internal.mk @@ -114,7 +114,7 @@ $(eval $(call heimdal_proto_header_template, \ # Start SUBSYSTEM HEIMDAL_GSSAPI [SUBSYSTEM::HEIMDAL_GSSAPI] CFLAGS = -I$(heimdalbuildsrcdir) -I$(heimdalsrcdir)/lib/gssapi -I$(heimdalsrcdir)/lib/gssapi/gssapi -I$(heimdalsrcdir)/lib/gssapi/spnego -I$(heimdalsrcdir)/lib/gssapi/krb5 -I$(heimdalsrcdir)/lib/gssapi/mech -PRIVATE_DEPENDENCIES = HEIMDAL_HCRYPTO HEIMDAL_HEIM_ASN1 HEIMDAL_SPNEGO_ASN1 HEIMDAL_ROKEN HEIMDAL_KRB5 +PRIVATE_DEPENDENCIES = HEIMDAL_HCRYPTO HEIMDAL_HEIM_ASN1 HEIMDAL_SPNEGO_ASN1 HEIMDAL_GSSAPI_ASN1 HEIMDAL_ROKEN HEIMDAL_KRB5 # End SUBSYSTEM HEIMDAL_GSSAPI ####################### @@ -250,7 +250,6 @@ HEIMDAL_GSSAPI_OBJ_FILES = \ $(heimdalsrcdir)/lib/gssapi/mech/gss_release_name.o \ $(heimdalsrcdir)/lib/gssapi/mech/gss_set_cred_option.o \ $(heimdalsrcdir)/lib/gssapi/mech/gss_pseudo_random.o \ - $(heimdalsrcdir)/lib/gssapi/asn1_GSSAPIContextToken.o \ $(heimdalbuildsrcdir)/gssapi-glue.o ####################### diff --git a/source4/lib/ldb/pyldb.c b/source4/lib/ldb/pyldb.c index 3f7fa2f395..b4f03dc538 100644 --- a/source4/lib/ldb/pyldb.c +++ b/source4/lib/ldb/pyldb.c @@ -1758,8 +1758,13 @@ static PyObject *py_ldb_msg_keys(PyLdbMessageObject *self) static PyObject *py_ldb_msg_getitem_helper(PyLdbMessageObject *self, PyObject *py_name) { struct ldb_message_element *el; - char *name = PyString_AsString(py_name); + char *name; struct ldb_message *msg = PyLdbMessage_AsMessage(self); + if (!PyString_Check(py_name)) { + PyErr_SetNone(PyExc_TypeError); + return NULL; + } + name = PyString_AsString(py_name); if (!strcmp(name, "dn")) return PyLdbDn_FromDn(msg->dn); el = ldb_msg_find_element(msg, name); @@ -1786,8 +1791,11 @@ static PyObject *py_ldb_msg_get(PyLdbMessageObject *self, PyObject *args) return NULL; ret = py_ldb_msg_getitem_helper(self, name); - if (ret == NULL) + if (ret == NULL) { + if (PyErr_Occurred()) + return NULL; Py_RETURN_NONE; + } return ret; } diff --git a/source4/lib/ldb/tests/python/api.py b/source4/lib/ldb/tests/python/api.py index 88983ac738..133bd180c1 100755 --- a/source4/lib/ldb/tests/python/api.py +++ b/source4/lib/ldb/tests/python/api.py @@ -480,6 +480,10 @@ class LdbMsgTests(unittest.TestCase): self.msg.dn = ldb.Dn(ldb.Ldb("foo.tdb"), "@BASEINFO") self.assertEquals("@BASEINFO", self.msg.get("dn").__str__()) + def test_get_invalid(self): + self.msg.dn = ldb.Dn(ldb.Ldb("foo.tdb"), "@BASEINFO") + self.assertRaises(TypeError, self.msg.get, 42) + def test_get_other(self): self.msg["foo"] = ["bar"] self.assertEquals("bar", self.msg.get("foo")[0]) diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c index 6f7637a970..165e485d45 100644 --- a/source4/rpc_server/drsuapi/getncchanges.c +++ b/source4/rpc_server/drsuapi/getncchanges.c @@ -94,12 +94,13 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem attids[n] = md.ctr.ctr1.array[i].attid; n++; } - if (n == 0) { - /* nothing to send */ - talloc_free(obj->meta_data_ctr); - obj->meta_data_ctr = NULL; - return WERR_OK; - } + + /* + note that if n==0 we still need to send the change, as it + could be a rename, which changes the uSNChanged, but not any + of the replicated attributes + */ + obj->meta_data_ctr->count = n; obj->object.identifier = talloc(obj, struct drsuapi_DsReplicaObjectIdentifier); @@ -315,7 +316,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ ncRoot_dn = ldb_dn_new(mem_ctx, sam_ctx, ncRoot->dn); ret = drsuapi_search_with_extended_dn(sam_ctx, mem_ctx, &site_res, ncRoot_dn, LDB_SCOPE_SUBTREE, attrs, - "uSNChanged>=%llu", + "(uSNChanged>=%llu)", (unsigned long long)(r->in.req->req8.highwatermark.highest_usn+1)); if (ret != LDB_SUCCESS) { return WERR_DS_DRA_INTERNAL_ERROR; diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 19149e92e2..e21a3cbee1 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -1040,10 +1040,14 @@ def provision(setup_dir, message, session_info, if domainsid is None: domainsid = security.random_sid() + # create/adapt the group policy GUIDs if policyguid is None: policyguid = str(uuid.uuid4()) + policyguid = policyguid.upper() if policyguid_dc is None: policyguid_dc = str(uuid.uuid4()) + policyguid_dc = policyguid_dc.upper() + if adminpass is None: adminpass = glue.generate_random_str(12) if krbtgtpass is None: @@ -1191,16 +1195,16 @@ def provision(setup_dir, message, session_info, os.makedirs(policy_path, 0755) open(os.path.join(policy_path, "GPT.INI"), 'w').write( "[General]\r\nVersion=65544") - os.makedirs(os.path.join(policy_path, "Machine"), 0755) - os.makedirs(os.path.join(policy_path, "User"), 0755) + os.makedirs(os.path.join(policy_path, "MACHINE"), 0755) + os.makedirs(os.path.join(policy_path, "USER"), 0755) policy_path_dc = os.path.join(paths.sysvol, names.dnsdomain, "Policies", "{" + policyguid_dc + "}") os.makedirs(policy_path_dc, 0755) open(os.path.join(policy_path_dc, "GPT.INI"), 'w').write( "[General]\r\nVersion=2") - os.makedirs(os.path.join(policy_path_dc, "Machine"), 0755) - os.makedirs(os.path.join(policy_path_dc, "User"), 0755) + os.makedirs(os.path.join(policy_path_dc, "MACHINE"), 0755) + os.makedirs(os.path.join(policy_path_dc, "USER"), 0755) if not os.path.isdir(paths.netlogon): os.makedirs(paths.netlogon, 0755) diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif index 35faed84bb..71f9949f67 100644 --- a/source4/setup/provision_configuration.ldif +++ b/source4/setup/provision_configuration.ldif @@ -2,7 +2,8 @@ # Configuration Naming Context ############################### -# Display specifiers are in "display-specifiers/DisplaySpecifiers-Win2k8R2.txt" +# Display specifiers are located in +# display-specifiers/DisplaySpecifiers-Win2k8R2.txt" # This file is parsed during provision using the ms_display_specifiers.py # script. @@ -746,6 +747,32 @@ objectClass: top objectClass: applicationSiteSettings objectClass: licensingSiteSettings +dn: CN=Inter-Site Transports,CN=Sites,${CONFIGDN} +objectClass: top +objectClass: interSiteTransportContainer +systemFlags: -2147483648 + +dn: CN=IP,CN=Inter-Site Transports,CN=Sites,${CONFIGDN} +objectClass: top +objectClass: interSiteTransport +transportAddressAttribute: dNSHostName +transportDLLName: ismip.dll + +dn: CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,${CONFIGDN} +objectClass: top +objectClass: siteLink +cost: 100 +replInterval: 180 +siteList: CN=${DEFAULTSITE},CN=Sites,${CONFIGDN} +systemFlags: 1073741824 + +dn: CN=SMTP,CN=Inter-Site Transports,CN=Sites,${CONFIGDN} +objectClass: top +objectClass: interSiteTransport +transportAddressAttribute: mailAddress +transportDLLName: ismsmtp.dll +options: 1 + dn: CN=NTDS Site Settings,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN} objectClass: top objectClass: applicationSiteSettings @@ -756,7 +783,3 @@ objectClass: top objectClass: serversContainer systemFlags: 33554432 -dn: CN=Subnets,CN=Sites,${CONFIGDN} -objectClass: top -objectClass: subnetContainer -systemFlags: -1073741824 diff --git a/source4/setup/provision_group_policy.ldif b/source4/setup/provision_group_policy.ldif index 00f0bee4cc..6f58bd4a38 100644 --- a/source4/setup/provision_group_policy.ldif +++ b/source4/setup/provision_group_policy.ldif @@ -14,17 +14,20 @@ gPCMachineExtensionNames: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-248 gPCUserExtensionNames: [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-1 1D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E- 11D1-A7CC-0000F87571E3}] +isCriticalSystemObject: TRUE nTSecurityDescriptor: O:${DOMAINSID}-512G:${DOMAINSID}-512D:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-519)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) systemFlags: -1946157056 dn: CN=User,CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN} objectClass: top objectClass: container +isCriticalSystemObject: TRUE systemFlags: -1946157056 dn: CN=Machine,CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN} objectClass: top objectClass: container +isCriticalSystemObject: TRUE systemFlags: -1946157056 dn: CN={${POLICYGUID_DC}},CN=Policies,CN=System,${DOMAINDN} @@ -38,16 +41,19 @@ versionNumber: 2 flags: 0 gPCMachineExtensionNames: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4 FB-11D0-A0D0-00A0C90F574B}] +isCriticalSystemObject: TRUE nTSecurityDescriptor: O:${DOMAINSID}-512G:${DOMAINSID}-512D:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-519)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) systemFlags: -1946157056 dn: CN=User,CN={${POLICYGUID_DC}},CN=Policies,CN=System,${DOMAINDN} objectClass: top objectClass: container +isCriticalSystemObject: TRUE systemFlags: -1946157056 dn: CN=Machine,CN={${POLICYGUID_DC}},CN=Policies,CN=System,${DOMAINDN} objectClass: top objectClass: container +isCriticalSystemObject: TRUE systemFlags: -1946157056 |