summaryrefslogtreecommitdiff
path: root/source4/dsdb
diff options
context:
space:
mode:
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/common/util.c17
-rw-r--r--source4/dsdb/repl/drepl_fsmo.c32
-rw-r--r--source4/dsdb/repl/drepl_ridalloc.c11
-rw-r--r--source4/dsdb/samdb/ldb_modules/ridalloc.c27
-rw-r--r--source4/dsdb/samdb/ldb_modules/rootdse.c11
5 files changed, 61 insertions, 37 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index fd8ba62aab..5d73df2ec3 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1658,21 +1658,10 @@ int samdb_reference_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *base
return ret;
}
- status = dsdb_get_extended_dn_guid(referenced_dn, &referenced_guid, "GUID");
+ ret = samdb_dn_is_our_ntdsa(ldb, referenced_dn, is_ntdsa);
+
talloc_free(tmp_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
-
-
- our_ntds_guid = samdb_ntds_objectGUID(ldb);
- if (!our_ntds_guid) {
- DEBUG(0, ("Failed to find our NTDS Settings GUID for comparison with %s on %s - %s\n", attribute, ldb_dn_get_linearized(base), ldb_errstring(ldb)));
- return LDB_ERR_OPERATIONS_ERROR;
- }
-
- *is_ntdsa = GUID_equal(&referenced_guid, our_ntds_guid);
- return LDB_SUCCESS;
+ return ret;
}
/*
diff --git a/source4/dsdb/repl/drepl_fsmo.c b/source4/dsdb/repl/drepl_fsmo.c
index 4a1d08ac1b..0e83982ab4 100644
--- a/source4/dsdb/repl/drepl_fsmo.c
+++ b/source4/dsdb/repl/drepl_fsmo.c
@@ -52,15 +52,6 @@ static void drepl_role_callback(struct dreplsrv_service *service,
irpc_send_reply(fsmo->msg, NT_STATUS_OK);
}
-static bool fsmo_master_equal(struct ldb_dn *ntds_dn, struct ldb_dn *role_owner_dn)
-{
- if (ldb_dn_compare(ntds_dn, role_owner_dn) == 0) {
- DEBUG(0,("\nWe are the FSMO master.\n"));
- return true;
- }
- return false;
-}
-
/*
see which role is we are asked to assume, initialize data and send request
*/
@@ -69,20 +60,15 @@ NTSTATUS drepl_take_FSMO_role(struct irpc_message *msg,
{
struct dreplsrv_service *service = talloc_get_type(msg->private_data,
struct dreplsrv_service);
- struct ldb_dn *role_owner_dn, *fsmo_role_dn, *ntds_dn;
+ struct ldb_dn *role_owner_dn, *fsmo_role_dn;
TALLOC_CTX *tmp_ctx = talloc_new(service);
uint64_t fsmo_info = 0;
enum drsuapi_DsExtendedOperation extended_op = DRSUAPI_EXOP_NONE;
WERROR werr;
enum drepl_role_master role = r->in.role;
struct fsmo_role_state *fsmo;
-
- ntds_dn = samdb_ntds_settings_dn(service->samdb, tmp_ctx);
- if (!ntds_dn) {
- talloc_free(tmp_ctx);
- r->out.result = WERR_DS_DRA_INTERNAL_ERROR;
- return NT_STATUS_OK;
- }
+ bool is_us;
+ int ret;
werr = dsdb_get_fsmo_role_info(tmp_ctx, service->samdb, role,
&fsmo_role_dn, &role_owner_dn);
@@ -112,7 +98,17 @@ NTSTATUS drepl_take_FSMO_role(struct irpc_message *msg,
return NT_STATUS_OK;
}
- if (fsmo_master_equal(ntds_dn, role_owner_dn) ||
+ ret = samdb_dn_is_our_ntdsa(service->samdb, role_owner_dn, &is_us);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,("FSMO role check failed (failed to confirm if our ntdsDsa) for DN %s and owner %s \n",
+ ldb_dn_get_linearized(fsmo_role_dn),
+ ldb_dn_get_linearized(role_owner_dn)));
+ talloc_free(tmp_ctx);
+ r->out.result = WERR_DS_DRA_INTERNAL_ERROR;
+ return NT_STATUS_OK;
+ }
+
+ if (is_us ||
(extended_op == DRSUAPI_EXOP_NONE)) {
DEBUG(0,("FSMO role check failed for DN %s and owner %s \n",
ldb_dn_get_linearized(fsmo_role_dn),
diff --git a/source4/dsdb/repl/drepl_ridalloc.c b/source4/dsdb/repl/drepl_ridalloc.c
index c817c319f2..bd3a62b14b 100644
--- a/source4/dsdb/repl/drepl_ridalloc.c
+++ b/source4/dsdb/repl/drepl_ridalloc.c
@@ -168,6 +168,7 @@ WERROR dreplsrv_ridalloc_check_rid_pool(struct dreplsrv_service *service)
WERROR werr;
int ret;
uint64_t alloc_pool;
+ bool is_us;
if (service->am_rodc) {
talloc_free(tmp_ctx);
@@ -208,7 +209,15 @@ WERROR dreplsrv_ridalloc_check_rid_pool(struct dreplsrv_service *service)
return WERR_DS_DRA_INTERNAL_ERROR;
}
- if (ldb_dn_compare(samdb_ntds_settings_dn(ldb, tmp_ctx), fsmo_role_dn) == 0) {
+ ret = samdb_dn_is_our_ntdsa(ldb, fsmo_role_dn, &is_us);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to find detrmine if %s is our ntdsDsa object - %s\n",
+ ldb_dn_get_linearized(fsmo_role_dn), ldb_errstring(ldb)));
+ talloc_free(tmp_ctx);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ if (is_us) {
/* we are the RID Manager - no need to do a
DRSUAPI_EXOP_FSMO_RID_ALLOC */
talloc_free(tmp_ctx);
diff --git a/source4/dsdb/samdb/ldb_modules/ridalloc.c b/source4/dsdb/samdb/ldb_modules/ridalloc.c
index 915248c440..d0266eda8a 100644
--- a/source4/dsdb/samdb/ldb_modules/ridalloc.c
+++ b/source4/dsdb/samdb/ldb_modules/ridalloc.c
@@ -388,6 +388,8 @@ static int ridalloc_create_own_rid_set(struct ldb_module *module, TALLOC_CTX *me
struct ldb_dn *rid_manager_dn, *fsmo_role_dn;
int ret;
struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct GUID fsmo_role_guid, *our_ntds_guid;
+ NTSTATUS status;
/* work out who is the RID Manager */
ret = dsdb_module_rid_manager_dn(module, tmp_ctx, &rid_manager_dn, parent);
@@ -407,7 +409,19 @@ static int ridalloc_create_own_rid_set(struct ldb_module *module, TALLOC_CTX *me
return ret;
}
- if (ldb_dn_compare(samdb_ntds_settings_dn(ldb, tmp_ctx), fsmo_role_dn) != 0) {
+ status = dsdb_get_extended_dn_guid(fsmo_role_dn, &fsmo_role_guid, "GUID");
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(tmp_ctx);
+ return ldb_operr(ldb_module_get_ctx(module));
+ }
+
+ our_ntds_guid = samdb_ntds_objectGUID(ldb_module_get_ctx(module));
+ if (!our_ntds_guid) {
+ talloc_free(tmp_ctx);
+ return ldb_operr(ldb_module_get_ctx(module));
+ }
+
+ if (!GUID_equal(&fsmo_role_guid, our_ntds_guid)) {
ridalloc_poke_rid_manager(module);
ldb_asprintf_errstring(ldb, "Remote RID Set allocation needs refresh");
talloc_free(tmp_ctx);
@@ -429,6 +443,7 @@ static int ridalloc_new_own_pool(struct ldb_module *module, uint64_t *new_pool,
struct ldb_dn *rid_manager_dn, *fsmo_role_dn;
int ret;
struct ldb_context *ldb = ldb_module_get_ctx(module);
+ bool is_us;
/* work out who is the RID Manager */
ret = dsdb_module_rid_manager_dn(module, tmp_ctx, &rid_manager_dn, parent);
@@ -448,7 +463,15 @@ static int ridalloc_new_own_pool(struct ldb_module *module, uint64_t *new_pool,
return ret;
}
- if (ldb_dn_compare(samdb_ntds_settings_dn(ldb, tmp_ctx), fsmo_role_dn) != 0) {
+ ret = samdb_dn_is_our_ntdsa(ldb, fsmo_role_dn, &is_us);
+ if (ret != LDB_SUCCESS) {
+ ldb_asprintf_errstring(ldb, "Failed to confirm if our ntdsDsa is %s: %s",
+ ldb_dn_get_linearized(fsmo_role_dn), ldb_errstring(ldb));
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+
+ if (!is_us) {
ridalloc_poke_rid_manager(module);
ldb_asprintf_errstring(ldb, "Remote RID Set allocation needs refresh");
talloc_free(tmp_ctx);
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 9ae5b20eb1..0668d1ad13 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -183,7 +183,7 @@ static int dsdb_module_we_are_master(struct ldb_module *module, struct ldb_dn *d
struct ldb_dn *owner_dn;
ret = dsdb_module_search_dn(module, tmp_ctx, &res,
- dn, attrs, DSDB_FLAG_NEXT_MODULE, parent);
+ dn, attrs, DSDB_FLAG_NEXT_MODULE|DSDB_SEARCH_SHOW_EXTENDED_DN, parent);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
@@ -197,7 +197,14 @@ static int dsdb_module_we_are_master(struct ldb_module *module, struct ldb_dn *d
return LDB_SUCCESS;
}
- *master = (ldb_dn_compare(owner_dn, samdb_ntds_settings_dn(ldb_module_get_ctx(module), tmp_ctx)) == 0);
+ ret = samdb_dn_is_our_ntdsa(ldb_module_get_ctx(module), dn, master);
+ if (ret != LDB_SUCCESS) {
+ ldb_asprintf_errstring(ldb_module_get_ctx(module), "Failed to confirm if our ntdsDsa is %s: %s",
+ ldb_dn_get_linearized(owner_dn), ldb_errstring(ldb_module_get_ctx(module)));
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}