authorKamen Mazdrashki <kamenim@samba.org>2015-01-18 23:58:13 +0200
committerAndrew Bartlett <abartlet@samba.org>2015-02-03 05:02:12 +0100
commit3fdda87120abfd296af5efbb79e22095609f62fe (patch)
treeea778e6bf255789f3b62ed0d3d097f22926c6648 /source4/dsdb
parentb37f7e619048593e267271f1b30af3f915fc422b (diff)
s4-dsdb: common helper to determine "primaryGroupID" attribute value
At the moment, the implementation does not check that the group RID refers to an existing group; that responsibility is left to the caller. Change-Id: I8c58dd23a7185d63fa2117be0617884eb78d13c1 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/common/util.c32
-rw-r--r--source4/dsdb/samdb/ldb_modules/samldb.c15
-rw-r--r--source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c22
3 files changed, 49 insertions, 20 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 821ea56d68..ac90cbc83b 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -4922,3 +4922,35 @@ int dsdb_user_obj_set_account_type(struct ldb_context *ldb, struct ldb_message *
return LDB_SUCCESS;
}
+
+/**
+ * Determine and set primaryGroupID based on userAccountControl value
+ * @param ldb Current ldb_context
+ * @param usr_obj ldb_message representing User object
+ * @param user_account_control Value for userAccountControl flags
+ * @param group_rid_p Optional pointer to group RID to return
+ * @return LDB_SUCCESS or LDB_ERR* code on failure
+ */
+int dsdb_user_obj_set_primary_group_id(struct ldb_context *ldb, struct ldb_message *usr_obj,
+ uint32_t user_account_control, uint32_t *group_rid_p)
+{
+ int ret;
+ uint32_t rid;
+ struct ldb_message_element *el;
+
+ rid = ds_uf2prim_group_rid(user_account_control);
+
+ ret = samdb_msg_add_uint(ldb, usr_obj, usr_obj,
+ "primaryGroupID", rid);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ el = ldb_msg_find_element(usr_obj, "primaryGroupID");
+ el->flags = LDB_FLAG_MOD_REPLACE;
+
+ if (group_rid_p) {
+ *group_rid_p = rid;
+ }
+
+ return LDB_SUCCESS;
+}
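Review bot: `el` is dereferenced on the `el->flags = LDB_FLAG_MOD_REPLACE;` line without a NULL check, and the helper silently assumes that usr_obj does not already hold a primaryGroupID element; neither precondition appears in the doc comment. ldb_msg_find_element() returns the first element with that name, so if a caller passes a message that already contains the attribute, the REPLACE flag may land on a different element than the value just added (how samdb_msg_add_uint treats an existing element is not visible in this hunk). Add `if (el == NULL) { return LDB_ERR_OPERATIONS_ERROR; }` before the flag assignment. The doc comment should also state that the caller must ensure the attribute is absent and must verify that the returned RID names an existing group, since primaryGroupID decides group membership and the helper does not validate it.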
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 8f61721464..664ace08f2 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1091,8 +1091,12 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
/* Step 1.4: "userAccountControl" -> "primaryGroupID" mapping */
if (!ldb_msg_find_element(ac->msg, "primaryGroupID")) {
- uint32_t rid = ds_uf2prim_group_rid(user_account_control);
+ uint32_t rid;
+ ret = dsdb_user_obj_set_primary_group_id(ldb, ac->msg, user_account_control, &rid);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
/*
* Older AD deployments don't know about the
* RODC group
@@ -1103,15 +1107,6 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
return ret;
}
}
-
- ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg,
- "primaryGroupID", rid);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
- el2 = ldb_msg_find_element(ac->msg,
- "primaryGroupID");
- el2->flags = LDB_FLAG_MOD_REPLACE;
}
/* Step 1.5: Add additional flags when needed */
diff --git a/source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c b/source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c
index bbcad631cb..fa24ca45f3 100644
--- a/source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c
+++ b/source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c
@@ -235,6 +235,7 @@ static int _tr_restore_attributes(struct ldb_context *ldb, struct ldb_message *c
/* objectClass is USER */
if (samdb_find_attribute(ldb, cur_msg, "objectclass", "user") != NULL) {
+ uint32_t primary_group_rid;
/* restoring 'user' instance attribute is heavily borrowed from samldb.c */
/* Default values */
@@ -263,17 +264,18 @@ static int _tr_restore_attributes(struct ldb_context *ldb, struct ldb_message *c
}
/* "userAccountControl" -> "primaryGroupID" mapping */
- if (!ldb_msg_find_element(new_msg, "primaryGroupID")) {
- uint32_t rid = ds_uf2prim_group_rid(user_account_control);
-
- ret = samdb_msg_add_uint(ldb, new_msg, new_msg,
- "primaryGroupID", rid);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
- el = ldb_msg_find_element(new_msg, "primaryGroupID");
- el->flags = LDB_FLAG_MOD_REPLACE;
+ ret = dsdb_user_obj_set_primary_group_id(ldb, new_msg, user_account_control, &primary_group_rid);
+ if (ret != LDB_SUCCESS) {
+ return ret;
}
+ /*
+ * Older AD deployments don't know about the
+ * RODC group
+ */
+ if (primary_group_rid == DOMAIN_RID_READONLY_DCS) {
+ /* TODO: check group exists */
+ }
+
}
/* objectClass is GROUP */
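Review bot: The `if (!ldb_msg_find_element(new_msg, "primaryGroupID"))` guard is removed, so the helper now runs on every user reanimation, even when new_msg already carries a primaryGroupID; the old code only filled in the default when the attribute was absent. Depending on how samdb_msg_add_uint handles an existing element (not visible here), this may add a second value or flag an earlier element as REPLACE, changing which primary group the restored account ends up in. Keep the guard around the call and initialise the local declared in the previous hunk, `uint32_t primary_group_rid = 0;`, so the RODC comparison stays defined when the helper is skipped. The `/* TODO: check group exists */` branch is also empty, so unlike the samldb.c path no existence check is made for DOMAIN_RID_READONLY_DCS here; until it is implemented, the comment should say that the restored object may reference a group that is missing on older deployments. _tr_restore_attributes starts and ends outside this hunk.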