Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/common/util.c | 17 | ||||
-rw-r--r-- | source4/dsdb/repl/drepl_fsmo.c | 32 | ||||
-rw-r--r-- | source4/dsdb/repl/drepl_ridalloc.c | 11 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/ridalloc.c | 27 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/rootdse.c | 11 |
5 files changed, 61 insertions, 37 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index fd8ba62aab..5d73df2ec3 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1658,21 +1658,10 @@ int samdb_reference_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *base
  return ret;
  }
 
- status = dsdb_get_extended_dn_guid(referenced_dn, &referenced_guid, "GUID");
+ ret = samdb_dn_is_our_ntdsa(ldb, referenced_dn, is_ntdsa);
+ talloc_free(tmp_ctx);
 
- if (!NT_STATUS_IS_OK(status)) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
-
-
- our_ntds_guid = samdb_ntds_objectGUID(ldb);
- if (!our_ntds_guid) {
- DEBUG(0, ("Failed to find our NTDS Settings GUID for comparison with %s on %s - %s\n", attribute, ldb_dn_get_linearized(base), ldb_errstring(ldb)));
- return LDB_ERR_OPERATIONS_ERROR;
- }
-
- *is_ntdsa = GUID_equal(&referenced_guid, our_ntds_guid);
- return LDB_SUCCESS;
+ return ret;
 }
 
 /*
diff --git a/source4/dsdb/repl/drepl_fsmo.c b/source4/dsdb/repl/drepl_fsmo.c
index 4a1d08ac1b..0e83982ab4 100644
--- a/source4/dsdb/repl/drepl_fsmo.c
+++ b/source4/dsdb/repl/drepl_fsmo.c
@@ -52,15 +52,6 @@ static void drepl_role_callback(struct dreplsrv_service *service,
  irpc_send_reply(fsmo->msg, NT_STATUS_OK);
 }
 
-static bool fsmo_master_equal(struct ldb_dn *ntds_dn, struct ldb_dn *role_owner_dn)
-{
- if (ldb_dn_compare(ntds_dn, role_owner_dn) == 0) {
- DEBUG(0,("\nWe are the FSMO master.\n"));
- return true;
- }
- return false;
-}
-
 /*
   see which role is we are asked to assume, initialize data and send request
  */
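Review bot: The failure path of samdb_reference_dn_is_our_ntdsa now returns `ret` with no diagnostic, whereas the removed code logged the attribute, the base DN and ldb_errstring before returning; callers in this commit only surface ldb_errstring, so which reference on which object failed is lost. Consider `if (ret != LDB_SUCCESS) { DEBUG(0, ("Failed to determine if %s on %s is our ntdsDsa - %s\n", attribute, ldb_dn_get_linearized(base), ldb_errstring(ldb))); }` before the talloc_free. The rewrite also presumably relies on referenced_dn carrying a GUID extended component (the DSDB_SEARCH_SHOW_EXTENDED_DN flag added in rootdse.c in this commit suggests the helper compares GUIDs), which depends on samdb_reference_dn above the hunk returning an extended DN — not visible here. The locals status, referenced_guid and our_ntds_guid declared above the hunk appear to be unused now and will warn. The function's start is outside the hunk.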
@@ -69,20 +60,15 @@ NTSTATUS drepl_take_FSMO_role(struct irpc_message *msg,
 {
  struct dreplsrv_service *service = talloc_get_type(msg->private_data, struct dreplsrv_service);
- struct ldb_dn *role_owner_dn, *fsmo_role_dn, *ntds_dn;
+ struct ldb_dn *role_owner_dn, *fsmo_role_dn;
  TALLOC_CTX *tmp_ctx = talloc_new(service);
  uint64_t fsmo_info = 0;
  enum drsuapi_DsExtendedOperation extended_op = DRSUAPI_EXOP_NONE;
  WERROR werr;
  enum drepl_role_master role = r->in.role;
  struct fsmo_role_state *fsmo;
-
- ntds_dn = samdb_ntds_settings_dn(service->samdb, tmp_ctx);
- if (!ntds_dn) {
- talloc_free(tmp_ctx);
- r->out.result = WERR_DS_DRA_INTERNAL_ERROR;
- return NT_STATUS_OK;
- }
+ bool is_us;
+ int ret;
 
  werr = dsdb_get_fsmo_role_info(tmp_ctx, service->samdb, role, &fsmo_role_dn, &role_owner_dn);
@@ -112,7 +98,17 @@ NTSTATUS drepl_take_FSMO_role(struct irpc_message *msg,
  return NT_STATUS_OK;
  }
 
- if (fsmo_master_equal(ntds_dn, role_owner_dn) ||
+ ret = samdb_dn_is_our_ntdsa(service->samdb, role_owner_dn, &is_us);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,("FSMO role check failed (failed to confirm if our ntdsDsa) for DN %s and owner %s \n",
+ ldb_dn_get_linearized(fsmo_role_dn),
+ ldb_dn_get_linearized(role_owner_dn)));
+ talloc_free(tmp_ctx);
+ r->out.result = WERR_DS_DRA_INTERNAL_ERROR;
+ return NT_STATUS_OK;
+ }
+
+ if (is_us ||
  (extended_op == DRSUAPI_EXOP_NONE)) {
  DEBUG(0,("FSMO role check failed for DN %s and owner %s \n",
  ldb_dn_get_linearized(fsmo_role_dn),
diff --git a/source4/dsdb/repl/drepl_ridalloc.c b/source4/dsdb/repl/drepl_ridalloc.c
index c817c319f2..bd3a62b14b 100644
--- a/source4/dsdb/repl/drepl_ridalloc.c
+++ b/source4/dsdb/repl/drepl_ridalloc.c
@@ -168,6 +168,7 @@ WERROR dreplsrv_ridalloc_check_rid_pool(struct dreplsrv_service *service)
  WERROR werr;
  int ret;
  uint64_t alloc_pool;
+ bool is_us;
 
  if (service->am_rodc) {
  talloc_free(tmp_ctx);
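Review bot: The new failure DEBUG in drepl_take_FSMO_role reports the two DNs but not why samdb_dn_is_our_ntdsa failed, unlike the ridalloc callers in this commit which append ldb_errstring; add `ldb_errstring(service->samdb)` as a third argument with a matching `- %s` in the format so the log distinguishes the failure cause. The change also silently drops the "We are the FSMO master" DEBUG(0) that fsmo_master_equal printed; if that line is something operators look for, log it when is_us is true. drepl_take_FSMO_role continues outside the hunk.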
@@ -208,7 +209,15 @@ WERROR dreplsrv_ridalloc_check_rid_pool(struct dreplsrv_service *service)
  return WERR_DS_DRA_INTERNAL_ERROR;
  }
 
- if (ldb_dn_compare(samdb_ntds_settings_dn(ldb, tmp_ctx), fsmo_role_dn) == 0) {
+ ret = samdb_dn_is_our_ntdsa(ldb, fsmo_role_dn, &is_us);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(0,(__location__ ": Failed to find detrmine if %s is our ntdsDsa object - %s\n",
+ ldb_dn_get_linearized(fsmo_role_dn), ldb_errstring(ldb)));
+ talloc_free(tmp_ctx);
+ return WERR_DS_DRA_INTERNAL_ERROR;
+ }
+
+ if (is_us) {
  /* we are the RID Manager - no need to do a DRSUAPI_EXOP_FSMO_RID_ALLOC */
  talloc_free(tmp_ctx);
diff --git a/source4/dsdb/samdb/ldb_modules/ridalloc.c b/source4/dsdb/samdb/ldb_modules/ridalloc.c
index 915248c440..d0266eda8a 100644
--- a/source4/dsdb/samdb/ldb_modules/ridalloc.c
+++ b/source4/dsdb/samdb/ldb_modules/ridalloc.c
@@ -388,6 +388,8 @@ static int ridalloc_create_own_rid_set(struct ldb_module *module, TALLOC_CTX *me
  struct ldb_dn *rid_manager_dn, *fsmo_role_dn;
  int ret;
  struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct GUID fsmo_role_guid, *our_ntds_guid;
+ NTSTATUS status;
 
  /* work out who is the RID Manager */
  ret = dsdb_module_rid_manager_dn(module, tmp_ctx, &rid_manager_dn, parent);
@@ -407,7 +409,19 @@ static int ridalloc_create_own_rid_set(struct ldb_module *module, TALLOC_CTX *me
  return ret;
  }
 
- if (ldb_dn_compare(samdb_ntds_settings_dn(ldb, tmp_ctx), fsmo_role_dn) != 0) {
+ status = dsdb_get_extended_dn_guid(fsmo_role_dn, &fsmo_role_guid, "GUID");
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(tmp_ctx);
+ return ldb_operr(ldb_module_get_ctx(module));
+ }
+
+ our_ntds_guid = samdb_ntds_objectGUID(ldb_module_get_ctx(module));
+ if (!our_ntds_guid) {
+ talloc_free(tmp_ctx);
+ return ldb_operr(ldb_module_get_ctx(module));
+ }
+
+ if (!GUID_equal(&fsmo_role_guid, our_ntds_guid)) {
  ridalloc_poke_rid_manager(module);
  ldb_asprintf_errstring(ldb, "Remote RID Set allocation needs refresh");
  talloc_free(tmp_ctx);
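Review bot: The new DEBUG string in dreplsrv_ridalloc_check_rid_pool reads `"Failed to find detrmine if %s is our ntdsDsa object - %s\n"`, a typo plus a leftover word from an earlier wording; it should be `": Failed to determine if %s is our ntdsDsa object - %s\n"`. This is the message an operator will search for when RID pool allocation stalls, so it is worth correcting before it lands. The function continues outside the hunk.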
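Review bot: ridalloc_create_own_rid_set open-codes the ownership check (dsdb_get_extended_dn_guid, samdb_ntds_objectGUID, GUID_equal) while ridalloc_new_own_pool in the next hunk of the same file makes the identical decision through the new samdb_dn_is_our_ntdsa helper; the two copies can drift, and this one returns a bare ldb_operr with no errstring, so a failure here is indistinguishable from any other operations error. Unless there is a reason the helper cannot be used on this path (nothing visible here suggests one), the block could take the same shape as its sibling, with `bool is_us;` replacing the GUID and NTSTATUS declarations added in the earlier hunk. The local `ldb` already holds ldb_module_get_ctx(module), so the repeated calls are redundant as well. The function continues outside the hunk.
```c
	ret = samdb_dn_is_our_ntdsa(ldb, fsmo_role_dn, &is_us);
	if (ret != LDB_SUCCESS) {
		ldb_asprintf_errstring(ldb, "Failed to confirm if our ntdsDsa is %s: %s",
				       ldb_dn_get_linearized(fsmo_role_dn), ldb_errstring(ldb));
		talloc_free(tmp_ctx);
		return ret;
	}

	if (!is_us) {
		/* … unchanged: poke the RID manager, set errstring, free tmp_ctx … */
```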
@@ -429,6 +443,7 @@ static int ridalloc_new_own_pool(struct ldb_module *module, uint64_t *new_pool,
  struct ldb_dn *rid_manager_dn, *fsmo_role_dn;
  int ret;
  struct ldb_context *ldb = ldb_module_get_ctx(module);
+ bool is_us;
 
  /* work out who is the RID Manager */
  ret = dsdb_module_rid_manager_dn(module, tmp_ctx, &rid_manager_dn, parent);
@@ -448,7 +463,15 @@ static int ridalloc_new_own_pool(struct ldb_module *module, uint64_t *new_pool,
  return ret;
  }
 
- if (ldb_dn_compare(samdb_ntds_settings_dn(ldb, tmp_ctx), fsmo_role_dn) != 0) {
+ ret = samdb_dn_is_our_ntdsa(ldb, fsmo_role_dn, &is_us);
+ if (ret != LDB_SUCCESS) {
+ ldb_asprintf_errstring(ldb, "Failed to confirm if our ntdsDsa is %s: %s",
+ ldb_dn_get_linearized(fsmo_role_dn), ldb_errstring(ldb));
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+
+ if (!is_us) {
  ridalloc_poke_rid_manager(module);
  ldb_asprintf_errstring(ldb, "Remote RID Set allocation needs refresh");
  talloc_free(tmp_ctx);
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 9ae5b20eb1..0668d1ad13 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -183,7 +183,7 @@ static int dsdb_module_we_are_master(struct ldb_module *module, struct ldb_dn *d
  struct ldb_dn *owner_dn;
 
  ret = dsdb_module_search_dn(module, tmp_ctx, &res,
- dn, attrs, DSDB_FLAG_NEXT_MODULE, parent);
+ dn, attrs, DSDB_FLAG_NEXT_MODULE|DSDB_SEARCH_SHOW_EXTENDED_DN, parent);
  if (ret != LDB_SUCCESS) {
  talloc_free(tmp_ctx);
  return ret;
@@ -197,7 +197,14 @@ static int dsdb_module_we_are_master(struct ldb_module *module, struct ldb_dn *d
  return LDB_SUCCESS;
  }
 
- *master = (ldb_dn_compare(owner_dn, samdb_ntds_settings_dn(ldb_module_get_ctx(module), tmp_ctx)) == 0);
+ ret = samdb_dn_is_our_ntdsa(ldb_module_get_ctx(module), dn, master);
+ if (ret != LDB_SUCCESS) {
+ ldb_asprintf_errstring(ldb_module_get_ctx(module), "Failed to confirm if our ntdsDsa is %s: %s",
+ ldb_dn_get_linearized(owner_dn), ldb_errstring(ldb_module_get_ctx(module)));
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+
  talloc_free(tmp_ctx);
  return LDB_SUCCESS;
 }
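Review bot: The new call passes `dn` to samdb_dn_is_our_ntdsa, but the object whose identity matters is the fSMORoleOwner value the function extracted into owner_dn: the removed line compared owner_dn, and the error message two lines below still names owner_dn. As written, *master is evaluated against the role-holding object itself rather than its owner (or, presumably, the call fails because dn carries no GUID component), so whatever the rootdse module derives from *master would be wrong; the fix is `ret = samdb_dn_is_our_ntdsa(ldb_module_get_ctx(module), owner_dn, master);`. The DSDB_SEARCH_SHOW_EXTENDED_DN flag added in the previous hunk is what makes owner_dn carry the GUID the helper needs, which supports that reading of the intent. dsdb_module_we_are_master starts outside the hunk.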