samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2025-01-07 17:18:11 +03:00

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

238 lines

6.0 KiB

C

Raw Normal View History

s4: implemented server side of DSUpdateRefs call This call is made by DCs to tell us we should notify them of directory changes 2009-09-08 05:49:28 +04:00			`/*`
			`Unix SMB/CIFS implementation.`

			`useful utilities for the DRS server`

			`Copyright (C) Andrew Tridgell 2009`

			`This program is free software; you can redistribute it and/or modify`
			`it under the terms of the GNU General Public License as published by`
			`the Free Software Foundation; either version 3 of the License, or`
			`(at your option) any later version.`

			`This program is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU General Public License for more details.`

			`You should have received a copy of the GNU General Public License`
			`along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`*/`

			`#include "includes.h"`
			`#include "rpc_server/dcerpc_server.h"`
			`#include "dsdb/samdb/samdb.h"`
Add drs_security_level_check for dcesrv calls security checks There is also an option to disable the security check by specifying in the smb.conf file: drs:disable_sec_check = true 2009-09-20 02:08:19 +04:00			`#include "libcli/security/security.h"`
s4-libcli/security Use seperate subsystem for session related functions The merged I plan in this area require spliting security.h into two header files, a common header and a session.h for the remaining source4-specific code. Andrew Bartlett 2010-09-20 08:49:39 +04:00			`#include "libcli/security/session.h"`
s4-repl: need param.h for lp_parm_bool 2009-09-20 02:53:22 +04:00			`#include "param/param.h"`
s4-drs: better debug info when security checks fail show the security token of the user at debug level 2 2010-01-16 02:36:40 +03:00			`#include "auth/session.h"`
source4/rpc_server: Fix prototypes for all functions. 2011-03-19 02:43:34 +03:00			`#include "rpc_server/drsuapi/dcesrv_drsuapi.h"`
s4: implemented server side of DSUpdateRefs call This call is made by DCs to tell us we should notify them of directory changes 2009-09-08 05:49:28 +04:00
debug: Add new debug class "drs_repl" for DRS replication processing This is used in the client and in the server Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 2017-09-06 07:37:34 +03:00			`#undef DBGC_CLASS`
			`#define DBGC_CLASS DBGC_DRS_REPL`

s4:drs split addentry and getncchanges into separate files These will get quite complex eventually, I think we are better separating them so the code is a bit easier to follow 2009-09-09 15:00:01 +04:00			`int drsuapi_search_with_extended_dn(struct ldb_context *ldb,`
s4-drsserver: sort by DN to give tree order This might help the windows client with ordered requests. Later we need to support the "ancestors" mode flag. 2009-09-23 04:07:33 +04:00			`TALLOC_CTX *mem_ctx,`
			`struct ldb_result **_res,`
			`struct ldb_dn *basedn,`
			`enum ldb_scope scope,`
			`const char * const *attrs,`
s4: Handle DRSUAPI_DS_REPLICA_NEIGHBOUR_CRITICAL_ONLY req in getncchanges 2009-09-24 02:47:14 +04:00			`const char *filter)`
s4:drs split addentry and getncchanges into separate files These will get quite complex eventually, I think we are better separating them so the code is a bit easier to follow 2009-09-09 15:00:01 +04:00			`{`
			`int ret;`
			`struct ldb_request *req;`
			`TALLOC_CTX *tmp_ctx;`
			`struct ldb_result *res;`

			`tmp_ctx = talloc_new(mem_ctx);`

			`res = talloc_zero(tmp_ctx, struct ldb_result);`
			`if (!res) {`
			`return LDB_ERR_OPERATIONS_ERROR;`
			`}`

			`ret = ldb_build_search_req(&req, ldb, tmp_ctx,`
			`basedn,`
			`scope,`
			`filter,`
			`attrs,`
			`NULL,`
			`res,`
			`ldb_search_default_callback,`
			`NULL);`
			`if (ret != LDB_SUCCESS) {`
			`talloc_free(tmp_ctx);`
			`return ret;`
			`}`

			`ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, NULL);`
			`if (ret != LDB_SUCCESS) {`
			`return ret;`
			`}`

s4:dsdb - substitute the "show_deleted" with the "show_recycled" control We intend to see always all objects with the "show_deleted" control specified. To see also recycled objects (beginning with 2008_R2 function level) we need to use the new "show_recycled" control. As far as I see this is only internal code and therefore we don't run into problems if we do substitute it. Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2010-09-20 00:20:08 +04:00			`ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_RECYCLED_OID, true, NULL);`
s4-drs: include deleted objects in getncchanges reply Even though we don't create deleted objects ourselves yet, we need to pass along deleted objects we receive from other replication partners 2009-09-24 18:12:14 +04:00			`if (ret != LDB_SUCCESS) {`
			`return ret;`
			`}`

s4-dsdb: ask for REVEAL_INTERNALS in getncchanges We need this for the linked attribute meta data 2009-12-19 04:24:09 +03:00			`ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);`
			`if (ret != LDB_SUCCESS) {`
			`return ret;`
			`}`

s4:drs split addentry and getncchanges into separate files These will get quite complex eventually, I think we are better separating them so the code is a bit easier to follow 2009-09-09 15:00:01 +04:00			`ret = ldb_request(ldb, req);`
			`if (ret == LDB_SUCCESS) {`
			`ret = ldb_wait(req->handle, LDB_WAIT_ALL);`
			`}`

			`talloc_free(req);`
s4-drs: include deleted objects in getncchanges reply Even though we don't create deleted objects ourselves yet, we need to pass along deleted objects we receive from other replication partners 2009-09-24 18:12:14 +04:00			`*_res = talloc_steal(mem_ctx, res);`
s4:drs split addentry and getncchanges into separate files These will get quite complex eventually, I think we are better separating them so the code is a bit easier to follow 2009-09-09 15:00:01 +04:00			`return ret;`
			`}`

s4-drs: added new SECURITY_RO_DOMAIN_CONTROLLER level This is used for allowing operations by RODCs, and denying them operations that should only be allowed for a full DC This required a new domain_sid argument to security_session_user_level() Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Rusty Russell <rusty@samba.org> 2010-04-22 10:48:01 +04:00			`WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,`
			`const char* call,`
s4-drs: added domain_sid to DRS security checks we need the domain_sid to determine if the account is a RODC for our domain Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> 2010-08-17 08:12:21 +04:00			`enum security_user_level minimum_level,`
			`const struct dom_sid *domain_sid)`
Add drs_security_level_check for dcesrv calls security checks There is also an option to disable the security check by specifying in the smb.conf file: drs:disable_sec_check = true 2009-09-20 02:08:19 +04:00			`{`
s4:rpc_server/drsuapi: make use dcesrv_call_session_info() BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 2018-11-03 03:19:51 +03:00			`struct auth_session_info *session_info =`
			`dcesrv_call_session_info(dce_call);`
s4-drs: better debug info when security checks fail show the security token of the user at debug level 2 2010-01-16 02:36:40 +03:00			`enum security_user_level level;`

s4-loadparm: 2nd half of lp_ to lpcfg_ conversion this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org> 2010-07-16 08:32:42 +04:00			`if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,`
s4-drs: security checking on DRS needs to default to on 2009-09-20 06:39:42 +04:00			`"drs", "disable_sec_check", false)) {`
Add drs_security_level_check for dcesrv calls security checks There is also an option to disable the security check by specifying in the smb.conf file: drs:disable_sec_check = true 2009-09-20 02:08:19 +04:00			`return WERR_OK;`
			`}`

s4:rpc_server/drsuapi: make use dcesrv_call_session_info() BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 2018-11-03 03:19:51 +03:00			`level = security_session_user_level(session_info, domain_sid);`
s4-drs: added new SECURITY_RO_DOMAIN_CONTROLLER level This is used for allowing operations by RODCs, and denying them operations that should only be allowed for a full DC This required a new domain_sid argument to security_session_user_level() Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Rusty Russell <rusty@samba.org> 2010-04-22 10:48:01 +04:00			`if (level < minimum_level) {`
s4-drs: fixed error message for drs_security_level_check 2009-10-06 11:58:41 +04:00			`if (call) {`
s4-drs: better debug info when security checks fail show the security token of the user at debug level 2 2010-01-16 02:36:40 +03:00			`DEBUG(0,("%s refused for security token (level=%u)\n",`
			`call, (unsigned)level));`
s4:rpc_server/drsuapi: make use dcesrv_call_session_info() BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 2018-11-03 03:19:51 +03:00			`security_token_debug(DBGC_DRS_REPL, 2, session_info->security_token);`
s4-drs: fixed error message for drs_security_level_check 2009-10-06 11:58:41 +04:00			`}`
Add drs_security_level_check for dcesrv calls security checks There is also an option to disable the security check by specifying in the smb.conf file: drs:disable_sec_check = true 2009-09-20 02:08:19 +04:00			`return WERR_DS_DRA_ACCESS_DENIED;`
			`}`

			`return WERR_OK;`
			`}`
s4: Handle DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING in getncchanges When this flag is specified in the request these attributes are treated as secret: currentValue, dBCSPwd, initialAuthIncoming, initialAuthOutgoing, lmPwdHistory, ntPwdHistory, priorValue, supplementalCredentials, trustAuthIncoming, trustAuthOutgoing, unicodePwd Their value is changed to NULL and the meta_data.originating_change_time to 0 2009-09-24 03:51:55 +04:00
			`void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,`
			`struct drsuapi_DsReplicaMetaData *meta_data)`
			`{`
			`if (attr->value_ctr.num_values == 0) {`
			`return;`
			`}`

			`switch (attr->attid) {`
idl: Use DRSUAPI_ATTID_ prefix instead of DRSUAPI_ATTRIBUTE_ for ATTID values Those values are actually ATTID values and such, they are used for ATTIDs for Attributes, Classes and Syntaxes. 2010-10-29 03:22:35 +04:00			`case DRSUAPI_ATTID_dBCSPwd:`
			`case DRSUAPI_ATTID_unicodePwd:`
			`case DRSUAPI_ATTID_ntPwdHistory:`
			`case DRSUAPI_ATTID_lmPwdHistory:`
			`case DRSUAPI_ATTID_supplementalCredentials:`
			`case DRSUAPI_ATTID_priorValue:`
			`case DRSUAPI_ATTID_currentValue:`
			`case DRSUAPI_ATTID_trustAuthOutgoing:`
			`case DRSUAPI_ATTID_trustAuthIncoming:`
			`case DRSUAPI_ATTID_initialAuthOutgoing:`
			`case DRSUAPI_ATTID_initialAuthIncoming:`
s4: Handle DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING in getncchanges When this flag is specified in the request these attributes are treated as secret: currentValue, dBCSPwd, initialAuthIncoming, initialAuthOutgoing, lmPwdHistory, ntPwdHistory, priorValue, supplementalCredentials, trustAuthIncoming, trustAuthOutgoing, unicodePwd Their value is changed to NULL and the meta_data.originating_change_time to 0 2009-09-24 03:51:55 +04:00			`/set value to null/`
			`attr->value_ctr.num_values = 0;`
			`talloc_free(attr->value_ctr.values);`
			`attr->value_ctr.values = NULL;`
			`meta_data->originating_change_time = 0;`
			`return;`
			`default:`
			`return;`
			`}`
			`}`
s4-drs: Added drs_security_access_check function It takes a security token, an ldb_context, and the desired CAR and checks if the principal has this CAR granted 2010-09-27 08:14:45 +04:00
s4-drs: added drs_security_access_check_nc_root() this checks securiity on the NC root of the specified naming context 2010-09-30 02:46:23 +04:00
			`/*`
			`check security on a DN, with logging of errors`
			`*/`
			`static WERROR drs_security_access_check_log(struct ldb_context *sam_ctx,`
			`TALLOC_CTX *mem_ctx,`
			`struct security_token *token,`
			`struct ldb_dn *dn,`
			`const char *ext_right)`
s4-drs: Added drs_security_access_check function It takes a security token, an ldb_context, and the desired CAR and checks if the principal has this CAR granted 2010-09-27 08:14:45 +04:00			`{`
			`int ret;`
			`if (!dn) {`
s4-drs: added drs_security_access_check_nc_root() this checks securiity on the NC root of the specified naming context 2010-09-30 02:46:23 +04:00			`DEBUG(3,("drs_security_access_check: Null dn provided, access is denied for %s\n",`
			`ext_right));`
s4-drs: Added drs_security_access_check function It takes a security token, an ldb_context, and the desired CAR and checks if the principal has this CAR granted 2010-09-27 08:14:45 +04:00			`return WERR_DS_DRA_ACCESS_DENIED;`
			`}`
			`ret = dsdb_check_access_on_dn(sam_ctx,`
			`mem_ctx,`
			`dn,`
			`token,`
			`SEC_ADS_CONTROL_ACCESS,`
			`ext_right);`
			`if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {`
s4-drs: added drs_security_access_check_nc_root() this checks securiity on the NC root of the specified naming context 2010-09-30 02:46:23 +04:00			`DEBUG(3,("%s refused for security token on %s\n",`
			`ext_right, ldb_dn_get_linearized(dn)));`
s4-drsuapi: Call security_token_debug() with DBGC_DRS_REPL and a proper log level Selftest logs are full of calls to security_token_debug() with no context and this is never a log level 0 event, so tidy it up. The RODC would trigger this each time there is an attempted preload of a user in the Denied RODC replication group. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 2018-05-21 04:53:01 +03:00			`security_token_debug(DBGC_DRS_REPL, 3, token);`
s4-drs: added drs_security_access_check_nc_root() this checks securiity on the NC root of the specified naming context 2010-09-30 02:46:23 +04:00			`return WERR_DS_DRA_ACCESS_DENIED;`
s4-drs: Added drs_security_access_check function It takes a security token, an ldb_context, and the desired CAR and checks if the principal has this CAR granted 2010-09-27 08:14:45 +04:00			`} else if (ret != LDB_SUCCESS) {`
s4-rpc_server/drsuapi: Print ldb error showing why we failed to perform the access check Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 2013-09-09 01:57:27 +04:00			`DEBUG(1,("Failed to perform access check on %s: %s\n", ldb_dn_get_linearized(dn), ldb_strerror(ret)));`
s4-drs: Added drs_security_access_check function It takes a security token, an ldb_context, and the desired CAR and checks if the principal has this CAR granted 2010-09-27 08:14:45 +04:00			`return WERR_DS_DRA_INTERNAL_ERROR;`
			`}`
			`return WERR_OK;`
			`}`
s4-drs: added drs_security_access_check_nc_root() this checks securiity on the NC root of the specified naming context 2010-09-30 02:46:23 +04:00

			`/*`
			`check security on a object identifier`
			`*/`
			`WERROR drs_security_access_check(struct ldb_context *sam_ctx,`
			`TALLOC_CTX *mem_ctx,`
			`struct security_token *token,`
			`struct drsuapi_DsReplicaObjectIdentifier *nc,`
			`const char *ext_right)`
			`{`
s4-dsdb: rework drs_ObjectIdentifier_to_dn() into drs_ObjectIdentifier_to_dn_and_nc_root() This make this funciton the gatekeeper between the wire format and the internal struct ldb_dn, checking if the DN exists and which NC it belongs to along the way, and presenting only a DB-returned DN for internal processing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 2022-12-11 23:47:36 +03:00			`struct ldb_dn *dn;`
s4-drs: added drs_security_access_check_nc_root() this checks securiity on the NC root of the specified naming context 2010-09-30 02:46:23 +04:00			`WERROR werr;`
s4-dsdb: rework drs_ObjectIdentifier_to_dn() into drs_ObjectIdentifier_to_dn_and_nc_root() This make this funciton the gatekeeper between the wire format and the internal struct ldb_dn, checking if the DN exists and which NC it belongs to along the way, and presenting only a DB-returned DN for internal processing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 2022-12-11 23:47:36 +03:00			`int ret;`

			`ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx,`
			`sam_ctx,`
			`nc,`
			`&dn,`
			`NULL);`
			`if (ret != LDB_SUCCESS) {`
			`return WERR_DS_DRA_BAD_DN;`
			`}`

s4-drs: added drs_security_access_check_nc_root() this checks securiity on the NC root of the specified naming context 2010-09-30 02:46:23 +04:00			`werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, dn, ext_right);`
			`talloc_free(dn);`
			`return werr;`
			`}`

			`/*`
			`check security on the NC root of a object identifier`
			`*/`
			`WERROR drs_security_access_check_nc_root(struct ldb_context *sam_ctx,`
			`TALLOC_CTX *mem_ctx,`
			`struct security_token *token,`
			`struct drsuapi_DsReplicaObjectIdentifier *nc,`
			`const char *ext_right)`
			`{`
s4-dsdb: rework drs_ObjectIdentifier_to_dn() into drs_ObjectIdentifier_to_dn_and_nc_root() This make this funciton the gatekeeper between the wire format and the internal struct ldb_dn, checking if the DN exists and which NC it belongs to along the way, and presenting only a DB-returned DN for internal processing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 2022-12-11 23:47:36 +03:00			`struct ldb_dn *nc_root;`
s4-drs: added drs_security_access_check_nc_root() this checks securiity on the NC root of the specified naming context 2010-09-30 02:46:23 +04:00			`WERROR werr;`
			`int ret;`

s4-dsdb: rework drs_ObjectIdentifier_to_dn() into drs_ObjectIdentifier_to_dn_and_nc_root() This make this funciton the gatekeeper between the wire format and the internal struct ldb_dn, checking if the DN exists and which NC it belongs to along the way, and presenting only a DB-returned DN for internal processing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 2022-12-11 23:47:36 +03:00			`ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx,`
			`sam_ctx,`
			`nc,`
			`NULL,`
			`&nc_root);`
s4-drs: added drs_security_access_check_nc_root() this checks securiity on the NC root of the specified naming context 2010-09-30 02:46:23 +04:00			`if (ret != LDB_SUCCESS) {`
s4-dsdb: rework drs_ObjectIdentifier_to_dn() into drs_ObjectIdentifier_to_dn_and_nc_root() This make this funciton the gatekeeper between the wire format and the internal struct ldb_dn, checking if the DN exists and which NC it belongs to along the way, and presenting only a DB-returned DN for internal processing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 2022-12-11 23:47:36 +03:00			`return WERR_DS_DRA_BAD_NC;`
s4-drs: added drs_security_access_check_nc_root() this checks securiity on the NC root of the specified naming context 2010-09-30 02:46:23 +04:00			`}`
s4-dsdb: rework drs_ObjectIdentifier_to_dn() into drs_ObjectIdentifier_to_dn_and_nc_root() This make this funciton the gatekeeper between the wire format and the internal struct ldb_dn, checking if the DN exists and which NC it belongs to along the way, and presenting only a DB-returned DN for internal processing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 2022-12-11 23:47:36 +03:00
s4-drs: added drs_security_access_check_nc_root() this checks securiity on the NC root of the specified naming context 2010-09-30 02:46:23 +04:00			`werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, nc_root, ext_right);`
s4-dsdb: rework drs_ObjectIdentifier_to_dn() into drs_ObjectIdentifier_to_dn_and_nc_root() This make this funciton the gatekeeper between the wire format and the internal struct ldb_dn, checking if the DN exists and which NC it belongs to along the way, and presenting only a DB-returned DN for internal processing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 2022-12-11 23:47:36 +03:00			`talloc_free(nc_root);`
s4-drs: added drs_security_access_check_nc_root() this checks securiity on the NC root of the specified naming context 2010-09-30 02:46:23 +04:00			`return werr;`
			`}`

238 lines 6.0 KiB C Raw Normal View History Unescape Escape

238 lines

6.0 KiB

C

Raw Normal View History