4.2.1.3 Server Behavior of the IDL_DSAPrepareScript Method
Informative summary of behavior: The IDL_DSAPrepareScript method prepares for a subsequent call to IDL_DSAExecuteScript. The partitions container that is a child object of the root of the configuration NC is altered as follows:
The value of msDS-UpdateScript is validated.
If valid, a password is generated and stored in the value for msDS-ExecuteScriptPassword.
The password, a hash of the value stored in msDS-UpdateScript, and a hash of that same value with the GUID {0916C8E3-3431-4586-AF77-44BD3B16F961} appended are returned to the client. The returned password value is later passed back by the client in a call to IDL_DSAExecuteScript as a form of authorization.
-
ULONG IDL_DSAPrepareScript( [in] handle_t hRpc, [in] DWORD dwInVersion, [in, ref, switch_is(dwInVersion)] DSA_MSG_PREPARE_SCRIPT_REQ *pmsgIn, [out, ref] DWORD *pdwOutVersion, [out, ref, switch_is(*pdwOutVersion)] DSA_MSG_PREPARE_SCRIPT_REPLY *pmsgOut); pc: DSName msgIn: DSA_MSG_PREPARE_SCRIPT_REQ_V1 byteseq: sequence of BYTE /* Returned message will be version 1 */ pdwOutVersion^ := 1 pmsgOut^V1.dwOperationStatus := ERROR_DS_INTERNAL_FAILURE pmsgOut^V1.pwErrMessage := null pmsgOut^V1.cbPassword := 0 pmsgOut^V1.pbPassword := null pmsgOut^V1.cbHashBody := 0 pmsgOut^V1.pbHashBody := null pmsgOut^V1.cbHashSignature := 0 pmsgOut^V1.pbHashSignature := null /* Validate the version */ if dwInVersion ≠ 1 then return ERROR_INVALID_PARAMETER endif msgIn := pmsgIn^.V1 /* Validate input params */ if msgIn.Reserved ≠ 0 then return ERROR_INVALID_PARAMETER endif /* Only 1 instance of this call can be running. */ if PrepareScriptInProgress() then pmsgOut^.V1.dwOperationStatus := ERROR_ACCESS_DENIED pmsgOut^.V1.pwErrMessage := human-readable description of the error return 0 endif /* Locate the Partitions container directly beneath ConfigNC */ pc := DescendantObject(ConfigNC(), "CN=Partitions,") /* Forest functionality level must be Win2K3 or above */ if pc!msDS-Behavior-Version = null or pc!msDS-Behavior-Version < DS_BEHAVIOR_WIN2003 then return ERROR_DS_NOT_SUPPORTED endif /* Security checks */ if not AccessCheckAttr( pc, msDS-UpdateScript, RIGHT_DS_WRITE_PROPERTY) then pmsgOut^.V1.dwOperationStatus := ERROR_DS_AUTHORIZATION_FAILED pmsgOut^.V1.pwErrMessage := human-readable description of the error return 0 endif if not AccessCheckCAR(pc, DS-Execute-Intentions-Script) then pmsgOut^.V1.dwOperationStatus := ERROR_DS_AUTHORIZATION_FAILED pmsgOut^.V1.pwErrMessage := human-readable description of the error return 0 endif if GetKeyLengthHandleT(hRpc) < 128 then pmsgOut^.V1.dwOperationStatus := ERROR_DS_STRONG_AUTH_REQUIRED pmsgOut^.V1.pwErrMessage := human-readable description of the error return 0 endif /* Validate stored script */ if not PrepareScriptVerifyScript(pc) then pmsgOut^.V1.dwOperationStatus := ERROR_DS_INVALID_SCRIPT pmsgOut^.V1.pwErrMessage := human-readable description of the error return 0 endif /* Generate and return password for subsequent call to * IDL_DSAExecuteScript() */ pc!msDS-ExecuteScriptPassword := PrepareScriptGeneratePassword() /* Return password and hashes */ byteseq := pc!msDS-ExecuteScriptPassword pmsgOut^.V1.pbPassword := byteseq pmsgOut^.V1.cbPassword := byteseq.length byteseq := PrepareScriptHashBody(pc) pmsgOut^.V1.pbHashBody := byteseq pmsgOut^.V1.cbHashBody := byteseq.length byteseq := PrepareScriptHashSignature(pc) pmsgOut^.V1.pbHashSignature := byteseq pmsgOut^.V1.cbHashSignature := byteseq.length pmsgOut^.V1.dwOperationStatus := 0 return 0