/*
   Unix SMB/CIFS implementation.

   interface functions for the sam database

   Copyright (C) Andrew Tridgell 2004

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

/*
 * NOTE(review): identifiers beginning with a double underscore are
 * reserved for the implementation (C11 7.1.3).  Renaming this guard is
 * only safe if no other translation unit tests it, so it is left as is.
 */
#ifndef __SAMDB_H__
#define __SAMDB_H__

/*
 * Opaque forward declarations.  Only pointers to these are used by the
 * declarations below, so the full definitions are not needed here.
 */
struct auth_session_info;
struct dsdb_control_current_partition;
struct dsdb_extended_replicated_object;
struct dsdb_extended_replicated_objects;
struct loadparm_context;
struct tevent_context;
struct tsocket_address;
struct dsdb_trust_routing_table;

#include "librpc/gen_ndr/security.h"
#include <ldb.h>
#include "lib/ldb-samba/ldif_handlers.h"
#include "librpc/gen_ndr/samr.h"
#include "librpc/gen_ndr/drsuapi.h"
#include "librpc/gen_ndr/drsblobs.h"
#include "dsdb/schema/schema.h"
#include "dsdb/samdb/samdb_proto.h"
#include "dsdb/common/dsdb_dn.h"
#include "dsdb/common/util_links.h"
#include "dsdb/common/proto.h"
#include "../libds/common/flags.h"

/*
 * ---------------------------------------------------------------------
 * LDB controls (1.3.6.1.4.1.7165.4.3.*)
 *
 * The OIDs below identify request controls that are attached to ldb
 * requests so that one ldb module can pass state or intent to another.
 * Several of them deliberately relax checks (password hashing, password
 * policy, read-only replica protection).  Presumably they are meant for
 * in-process callers only and must not be honoured when supplied by a
 * remote LDAP client -- confirm against the LDAP server's control
 * filtering before adding a new one of the same kind.
 * ---------------------------------------------------------------------
 */

/* Carries the partition an operation applies to; data is the struct below. */
#define DSDB_CONTROL_CURRENT_PARTITION_OID "1.3.6.1.4.1.7165.4.3.2"
struct dsdb_control_current_partition {
	/*
	 * this is the version of the dsdb_control_current_partition
	 * version 0: initial implementation
	 * version 1: got rid of backend and module fields
	 */
#define DSDB_CONTROL_CURRENT_PARTITION_VERSION 1
	uint32_t version;	/* expected to equal DSDB_CONTROL_CURRENT_PARTITION_VERSION */
	struct ldb_dn *dn;	/* DN of the partition */
};


/*
  flags in dsdb_repl_flags to control replication logic

  These are OR-ed into dsdb_extended_replicated_objects.dsdb_repl_flags
  (see below).  Their individual semantics are not described in this
  header; see the replication code that consumes them.
*/
#define DSDB_REPL_FLAG_PRIORITISE_INCOMING 1
#define DSDB_REPL_FLAG_PARTIAL_REPLICA     2
#define DSDB_REPL_FLAG_ADD_NCNAME          4
#define DSDB_REPL_FLAG_EXPECT_NO_SECRETS   8
#define DSDB_REPL_FLAG_OBJECT_SUBSET      16
#define DSDB_REPL_FLAG_TARGETS_UPTODATE   32

/* Marks a request as originating from replication rather than a client. */
#define DSDB_CONTROL_REPLICATED_UPDATE_OID "1.3.6.1.4.1.7165.4.3.3"

#define DSDB_CONTROL_DN_STORAGE_FORMAT_OID "1.3.6.1.4.1.7165.4.3.4"
/* DSDB_CONTROL_DN_STORAGE_FORMAT_OID has NULL data and behaves very
 * much like LDB_CONTROL_EXTENDED_DN_OID when the DB stores an
 * extended DN, and otherwise returns normal DNs */

/*
 * Returned on a password change request; data is
 * struct dsdb_control_password_change_status below.
 */
#define DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID "1.3.6.1.4.1.7165.4.3.8"

/*
 * Effective domain password policy, as reported back to the caller of
 * a password change.  Field names mirror the AD domain attributes.
 */
struct dsdb_user_pwd_settings {
	uint32_t pwdProperties;		/* domain pwdProperties bit set */
	uint32_t pwdHistoryLength;	/* number of old hashes kept for history checks */
	int64_t maxPwdAge;		/* maximum password age */
	int64_t minPwdAge;		/* minimum password age */
	uint32_t minPwdLength;		/* minimum password length */
	/*
	 * When true the cleartext password is retained in the database.
	 * That widens the blast radius of any read of the database file,
	 * so it should only ever reflect an explicit domain setting --
	 * presumably the DOMAIN_PASSWORD_STORE_CLEARTEXT bit of
	 * pwdProperties; verify in the module that fills this in.
	 */
	bool store_cleartext;
	const char *netbios_domain;
	const char *dns_domain;
	const char *realm;
};

struct dsdb_control_password_change_status {
	struct dsdb_user_pwd_settings domain_data;	/* policy in force */
	enum samPwdChangeReason reject_reason;		/* why the change was refused, if it was */
};

/* Request control indicating the password is supplied as hash values. */
#define DSDB_CONTROL_PASSWORD_HASH_VALUES_OID "1.3.6.1.4.1.7165.4.3.9"

/*
 * Request control for a user-initiated password change; data is the
 * struct below, carrying the hashes of the *old* password that the
 * caller proved knowledge of.
 */
#define DSDB_CONTROL_PASSWORD_CHANGE_OID "1.3.6.1.4.1.7165.4.3.10"
struct dsdb_control_password_change {
	/*
	 * Both fields are credential material.  Never log or otherwise
	 * persist them outside the password_hash path.
	 */
	const struct samr_Password *old_nt_pwd_hash;
	const struct samr_Password *old_lm_pwd_hash;	/* may be NULL -- TODO confirm */
};

/**
 DSDB_CONTROL_APPLY_LINKS is internal to Samba4 - a token passed between repl_meta_data and linked_attributes modules
*/
#define DSDB_CONTROL_APPLY_LINKS "1.3.6.1.4.1.7165.4.3.11"

/*
 * this should only be used for importing users from Samba3
 *
 * It causes the password hashing step to be skipped, i.e. stored
 * hashes are accepted as-is.  Accepting this control from any
 * untrusted source would let a caller plant arbitrary credentials,
 * so it must stay restricted to the in-process import path.
 */
#define DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID "1.3.6.1.4.1.7165.4.3.12"

/**
 OID used to allow the replacement of replPropertyMetaData.
 It is used when the current replmetadata needs to be edited.
*/
#define DSDB_CONTROL_CHANGEREPLMETADATA_OID "1.3.6.1.4.1.7165.4.3.14"

/* passed when we want to get the behaviour of the non-global catalog port */
#define DSDB_CONTROL_NO_GLOBAL_CATALOG "1.3.6.1.4.1.7165.4.3.17"

/* passed when we want special behaviour for partial replicas */
#define DSDB_CONTROL_PARTIAL_REPLICA "1.3.6.1.4.1.7165.4.3.18"

/* passed when we want special behaviour for dbcheck */
#define DSDB_CONTROL_DBCHECK "1.3.6.1.4.1.7165.4.3.19"

/* passed when dbcheck wants to modify a read only replica (very special case) */
#define DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA "1.3.6.1.4.1.7165.4.3.19.1"

/* passed by dbcheck to fix duplicate linked attributes (bug #13095) */
#define DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS "1.3.6.1.4.1.7165.4.3.19.2"

/* passed by dbcheck to fix the DN string of a one-way-link (bug #13495) */
#define DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME "1.3.6.1.4.1.7165.4.3.19.3"

/* passed by dbcheck to fix the DN SID of a one-way-link (bug #13418) */
#define DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID "1.3.6.1.4.1.7165.4.3.19.4"

/*
 * passed when importing plain text password on upgrades
 *
 * Like DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID this sidesteps a normal
 * policy step (the pwdLastSet update), so it belongs to upgrade
 * tooling only.
 */
#define DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID "1.3.6.1.4.1.7165.4.3.20"

/*
 * passed from the descriptor module in order to
 * store the recalculated nTSecurityDescriptor without
 * modifying the replPropertyMetaData.
 */
#define DSDB_CONTROL_SEC_DESC_PROPAGATION_OID "1.3.6.1.4.1.7165.4.3.21"

/*
 * passed when creating an interdomain trust account through LSA
 * to relax constraints in the samldb ldb module.
 */
#define DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID "1.3.6.1.4.1.7165.4.3.23"

/*
 * Internal control to mark requests as being part of Tombstone restoring
 * procedure - it requires slightly special behavior like:
 *  - a bit different security checks
 *  - restoring certain attributes to their default values, etc
 */
#define DSDB_CONTROL_RESTORE_TOMBSTONE_OID "1.3.6.1.4.1.7165.4.3.24"

/**
 OID used to allow the replacement of replPropertyMetaData.
 It is used when the current replmetadata needs only to be re-sorted, but not edited.
*/
#define DSDB_CONTROL_CHANGEREPLMETADATA_RESORT_OID "1.3.6.1.4.1.7165.4.3.25"

/*
 * pass the default state of pwdLastSet between the "samldb" and "password_hash"
 * modules.
 */
#define DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET_OID "1.3.6.1.4.1.7165.4.3.26"

/*
 * pass the userAccountControl changes between the "samldb" and "password_hash"
 * modules.
 */
#define DSDB_CONTROL_PASSWORD_USER_ACCOUNT_CONTROL_OID "1.3.6.1.4.1.7165.4.3.27"
struct dsdb_control_password_user_account_control {
	uint32_t req_flags; /* the flags given by the client request */
	uint32_t old_flags; /* the old flags stored (0 on add) */
	uint32_t new_flags; /* the new flags stored */
};

/*
 * Ignores strict checking when adding objects to samldb.
 * This is used when provisioning, as checking all objects when added
 * was slow due to an unindexed search.
 */
#define DSDB_CONTROL_SKIP_DUPLICATES_CHECK_OID "1.3.6.1.4.1.7165.4.3.28"

/* passed when we want to thoroughly delete linked attributes */
#define DSDB_CONTROL_REPLMD_VANISH_LINKS "1.3.6.1.4.1.7165.4.3.29"

/*
 * lockoutTime is a replicated attribute, but must be modified before
 * connectivity occurs to allow password lockouts.
 *
 * This control lets an RODC write such an attribute locally even though
 * the replica is otherwise read-only.
 */
#define DSDB_CONTROL_FORCE_RODC_LOCAL_CHANGE "1.3.6.1.4.1.7165.4.3.31"

/*
 * No description in this header; the name suggests a control that is
 * recognised but deliberately unimplemented -- confirm with its users.
 */
#define DSDB_CONTROL_INVALID_NOT_IMPLEMENTED "1.3.6.1.4.1.7165.4.3.32"

/*
 * Used to pass "user password change" vs "password reset" from the ACL to the
 * password_hash module, ensuring both modules treat the request identically.
 */
#define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID "1.3.6.1.4.1.7165.4.3.33"
struct dsdb_control_password_acl_validation {
	/*
	 * true: administrative reset (presumably exempt from old-password
	 * knowledge and some policy checks); false: user-initiated change.
	 * The exact checks skipped live in password_hash -- verify there.
	 */
	bool pwd_reset;
};

/*
 * Used to pass the current transaction identifier from the audit_log
 * module to group membership auditing module
 */
#define DSDB_CONTROL_TRANSACTION_IDENTIFIER_OID "1.3.6.1.4.1.7165.4.3.34"
struct dsdb_control_transaction_identifier {
	struct GUID transaction_guid;	/* correlates audit records of one transaction */
};

/*
 * ---------------------------------------------------------------------
 * LDB extended operations (1.3.6.1.4.1.7165.4.4.*)
 * ---------------------------------------------------------------------
 */

/* Data is struct dsdb_extended_replicated_objects (below). */
#define DSDB_EXTENDED_REPLICATED_OBJECTS_OID "1.3.6.1.4.1.7165.4.4.1"

/* One object received from a replication partner, already decoded. */
struct dsdb_extended_replicated_object {
	struct ldb_message *msg;		/* the object's attributes as an ldb message */
	struct GUID object_guid;
	struct GUID *parent_guid;		/* may be NULL for NC heads -- TODO confirm */
	const char *when_changed;
	struct replPropertyMetaDataBlob *meta_data;

	/* Only used for internal processing in repl_meta_data */
	struct ldb_dn *last_known_parent;
	struct ldb_dn *local_parent_dn;
};

/*
 * the schema_dn is passed as struct ldb_dn in
 * req->op.extended.data
 */
#define DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID "1.3.6.1.4.1.7165.4.4.2"

/* A batch of replicated objects plus the replication state they came with. */
struct dsdb_extended_replicated_objects {
	/*
	 * this is the version of the dsdb_extended_replicated_objects
	 * version 0: initial implementation
	 *
	 * NOTE(review): the define below is 3 but the changelog stops at
	 * version 0, so the intermediate layout changes are undocumented
	 * here.  Check consumers before adding or reordering fields.
	 */
#define DSDB_EXTENDED_REPLICATED_OBJECTS_VERSION 3
	uint32_t version;

	/* DSDB_REPL_FLAG_* flags */
	uint32_t dsdb_repl_flags;

	struct ldb_dn *partition_dn;

	const struct repsFromTo1 *source_dsa;
	const struct drsuapi_DsReplicaCursor2CtrEx *uptodateness_vector;

	uint32_t num_objects;				/* length of objects[] */
	struct dsdb_extended_replicated_object *objects;

	uint32_t linked_attributes_count;		/* length of linked_attributes[] */
	struct drsuapi_DsReplicaLinkedAttribute *linked_attributes;

	WERROR error;		/* result reported back to the caller */

	bool originating_updates;
};

/* In ldb.h: LDB_EXTENDED_SEQUENCE_NUMBER 1.3.6.1.4.1.7165.4.4.3 */

/* Data is struct dsdb_create_partition_exop. */
#define DSDB_EXTENDED_CREATE_PARTITION_OID "1.3.6.1.4.1.7165.4.4.4"
struct dsdb_create_partition_exop {
	struct ldb_dn *new_dn;	/* DN of the partition to create */
};

/* this takes a struct dsdb_fsmo_extended_op */
#define DSDB_EXTENDED_ALLOCATE_RID_POOL "1.3.6.1.4.1.7165.4.4.5"

struct dsdb_fsmo_extended_op {
	uint64_t fsmo_info;
	struct GUID destination_dsa_guid;
};

#define DSDB_EXTENDED_SCHEMA_UPGRADE_IN_PROGRESS_OID "1.3.6.1.4.1.7165.4.4.6"

/*
 * passed from the descriptor module in order to
 * store the recalculated nTSecurityDescriptor without
 * modifying the replPropertyMetaData.
 */
#define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID "1.3.6.1.4.1.7165.4.4.7"
struct dsdb_extended_sec_desc_propagation_op {
	struct ldb_dn *nc_root;	/* naming context the propagation is scoped to */
	struct GUID guid;	/* object whose descriptor changed */
	bool include_self;	/* also rewrite the object itself, not just descendants -- TODO confirm */
};

/* this takes no data */
#define DSDB_EXTENDED_CREATE_OWN_RID_SET "1.3.6.1.4.1.7165.4.4.8"

/* this takes a struct dsdb_extended_allocate_rid */
#define DSDB_EXTENDED_ALLOCATE_RID "1.3.6.1.4.1.7165.4.4.9"

struct dsdb_extended_allocate_rid {
	uint32_t rid;	/* filled in with the allocated RID */
};

#define DSDB_EXTENDED_SCHEMA_LOAD "1.3.6.1.4.1.7165.4.4.10"

/*
 * ---------------------------------------------------------------------
 * OpenLDAP dereference control (1.3.6.1.4.1.4203.666.5.16) -- a
 * different OID arc, defined by OpenLDAP rather than Samba.
 * ---------------------------------------------------------------------
 */
#define DSDB_OPENLDAP_DEREFERENCE_CONTROL "1.3.6.1.4.1.4203.666.5.16"

/* Request side: which attribute to dereference and what to fetch from the target. */
struct dsdb_openldap_dereference {
	const char *source_attribute;
	const char **dereference_attribute;	/* NULL-terminated list -- TODO confirm */
};

struct dsdb_openldap_dereference_control {
	struct dsdb_openldap_dereference **dereference;	/* NULL-terminated list -- TODO confirm */
};

/* Response side: the attributes fetched from one dereferenced DN. */
struct dsdb_openldap_dereference_result {
	const char *source_attribute;
	const char *dereferenced_dn;
	int num_attributes;			/* length of attributes[] */
	struct ldb_message_element *attributes;
};

struct dsdb_openldap_dereference_result_control {
	struct dsdb_openldap_dereference_result **attributes;
};

/*
 * ---------------------------------------------------------------------
 * Opaque values and misc constants
 * ---------------------------------------------------------------------
 */

/* Value stored under the SAMLDB_MSDS_INTID_OPAQUE ldb opaque. */
struct samldb_msds_intid_persistant {
	uint32_t msds_intid;
};

#define SAMLDB_MSDS_INTID_OPAQUE "SAMLDB_MSDS_INTID_OPAQUE"

#define DSDB_PARTITION_DN "@PARTITION"
#define DSDB_PARTITION_ATTR "partition"

#define DSDB_EXTENDED_DN_STORE_FORMAT_OPAQUE_NAME "dsdb_extended_dn_store_format"
struct dsdb_extended_dn_store_format {
	bool store_extended_dn_in_ldb;	/* see DSDB_CONTROL_DN_STORAGE_FORMAT_OID above */
};

#define DSDB_OPAQUE_PARTITION_MODULE_MSG_OPAQUE_NAME "DSDB_OPAQUE_PARTITION_MODULE_MSG"

#define DSDB_ACL_CHECKS_DIRSYNC_FLAG 0x1
/* RIDs below this value are reserved (well-known accounts and groups). */
#define DSDB_SAMDB_MINIMUM_ALLOWED_RID 1000

#define DSDB_METADATA_SCHEMA_SEQ_NUM "SCHEMA_SEQ_NUM"

/*
 * must be in LDB_FLAG_INTERNAL_MASK
 * see also the values in lib/ldb/include/ldb_module.h
 */
#define DSDB_FLAG_INTERNAL_FORCE_META_DATA 0x10000

/*
 * Database feature flags.  The "required" list gates whether an older
 * Samba may open the database at all; the "compatible" list does not.
 */
#define SAMBA_COMPATIBLE_FEATURES_ATTR "compatibleFeatures"
#define SAMBA_REQUIRED_FEATURES_ATTR "requiredFeatures"
#define SAMBA_FEATURES_SUPPORTED_FLAG "@SAMBA_FEATURES_SUPPORTED"

#define SAMBA_SORTED_LINKS_FEATURE "sortedLinks"
#define SAMBA_ENCRYPTED_SECRETS_FEATURE "encryptedSecrets"
/*
 * lmdb level one feature is an experimental release with basic support
 * for lmdb database files, instead of tdb.
 * - Keys are limited to 511 bytes long so GUID indexes are required
 * - Currently only the:
 *     partition data files
 *   are in lmdb format.
 */
#define SAMBA_LMDB_LEVEL_ONE_FEATURE "lmdbLevelOne"

#endif /* __SAMDB_H__ */