From 191d632e237761004fe0fe79a29a7274b7267d45 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 17 Aug 2010 09:59:18 +1000 Subject: s4-dsdb: added support for LDB_CONTROL_RODC_DCPROMO_OID this control adds a unique msDS-SecondaryKrbTgtNumber attribute to a user object. There is some 'interesting' interaction with the rangeLower and rangeUpper attributes and this add. We don't implementat rangeLower/rangeUpper yet, but when we do we'll need an override for this control (or be careful about module ordering). Pair-Programmed-With: Andrew Bartlett --- source4/dsdb/samdb/ldb_modules/samldb.c | 69 +++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) (limited to 'source4/dsdb/samdb/ldb_modules') diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 9ae308b9bc..8bb5f3d30d 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -347,6 +347,65 @@ static int samldb_allocate_sid(struct samldb_ctx *ac) return samldb_next_step(ac); } +/* + see if a krbtgt_number is available + */ +static bool samldb_krbtgtnumber_available(struct samldb_ctx *ac, unsigned krbtgt_number) +{ + TALLOC_CTX *tmp_ctx = talloc_new(ac); + struct ldb_result *res; + const char *attrs[] = { NULL }; + int ret; + + ret = dsdb_module_search(ac->module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE, + attrs, DSDB_FLAG_NEXT_MODULE, + "msDC-SecondaryKrbTgtNumber=%u", krbtgt_number); + if (ret == LDB_SUCCESS && res->count == 0) { + talloc_free(tmp_ctx); + return true; + } + talloc_free(tmp_ctx); + return false; +} + +/* special handling for add in RODC join */ +static int samldb_rodc_add(struct samldb_ctx *ac) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + unsigned krbtgt_number, i_start, i; + + /* find a unused msDC-SecondaryKrbTgtNumber */ + i_start = generate_random() & 0xFFFF; + if (i_start == 0) { + i_start = 1; + } + + for (i=i_start; i<=0xFFFF; i++) { + if (samldb_krbtgtnumber_available(ac, i)) { + krbtgt_number = i; + goto found; + } + } + for (i=1; imodule), + "%08X: Unable to find available msDS-SecondaryKrbTgtNumber", + W_ERROR_V(WERR_NO_SYSTEM_RESOURCES)); + return LDB_ERR_OTHER; + +found: + if ( ! ldb_msg_add_fmt(ac->msg, "msDS-SecondaryKrbTgtNumber", "%u", krbtgt_number)) { + return ldb_operr(ldb); + } + + return samldb_next_step(ac); +} + /* * samldb_dn_from_sid (async) */ @@ -744,6 +803,7 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type) struct loadparm_context *lp_ctx; enum sid_generator sid_generator; int ret; + struct ldb_control *rodc_control; ldb = ldb_module_get_ctx(ac->module); @@ -957,6 +1017,15 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type) } } + rodc_control = ldb_request_get_control(ac->req, LDB_CONTROL_RODC_DCPROMO_OID); + if (rodc_control) { + /* see [MS-ADTS] 3.1.1.3.4.1.23 LDAP_SERVER_RODC_DCPROMO_OID */ + rodc_control->critical = false; + ret = samldb_add_step(ac, samldb_rodc_add); + if (ret != LDB_SUCCESS) return ret; + } + + /* finally proceed with adding the entry */ ret = samldb_add_step(ac, samldb_add_entry); if (ret != LDB_SUCCESS) return ret; -- cgit