1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

s4-drs: bring us much closer to the docs for DRS secret replication

The rules for when a RODC can replicate secrets are:

 - it can always replicate its own acct
 - it can also replicate its krbtgt acct
 - it can't replicate other krbtgt accts
 - it can't replicate interdomain trust accounts
 - it can't replicate users in the denied group list
 - it can replicate users in the allowed group list

otherwise it can't replicate

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Andrew Tridgell 2010-08-18 18:38:26 +10:00
parent 6eb34e6907
commit 4cc6b5a69b

View File

@ -26,6 +26,7 @@
#include "param/param.h"
#include "librpc/gen_ndr/ndr_drsblobs.h"
#include "librpc/gen_ndr/ndr_drsuapi.h"
#include "librpc/gen_ndr/ndr_security.h"
#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
#include "rpc_server/dcerpc_server_proto.h"
#include "../libcli/drsuapi/drsuapi.h"
@ -33,6 +34,7 @@
#include "lib/util/binsearch.h"
#include "lib/util/tsort.h"
#include "auth/session.h"
#include "dsdb/common/util.h"
/*
build a DsReplicaObjectIdentifier from a ldb msg
@ -677,6 +679,228 @@ static WERROR getncchanges_rid_alloc(struct drsuapi_bind_state *b_state,
return WERR_OK;
}
/*
return an array of SIDs from a ldb_message given an attribute name
assumes the SIDs are in extended DN format
*/
static WERROR samdb_result_sid_array_dn(struct ldb_context *sam_ctx,
struct ldb_message *msg,
TALLOC_CTX *mem_ctx,
const char *attr,
const struct dom_sid ***sids)
{
struct ldb_message_element *el;
int i;
el = ldb_msg_find_element(msg, attr);
if (!el) {
*sids = NULL;
return WERR_OK;
}
(*sids) = talloc_array(mem_ctx, const struct dom_sid *, el->num_values + 1);
W_ERROR_HAVE_NO_MEMORY(*sids);
for (i=0; i<el->num_values; i++) {
struct ldb_dn *dn = ldb_dn_from_ldb_val(mem_ctx, sam_ctx, &el->values[i]);
NTSTATUS status;
struct dom_sid *sid;
sid = talloc(*sids, struct dom_sid);
W_ERROR_HAVE_NO_MEMORY(sid);
status = dsdb_get_extended_dn_sid(dn, sid, "SID");
if (!NT_STATUS_IS_OK(status)) {
return WERR_INTERNAL_DB_CORRUPTION;
}
(*sids)[i] = sid;
}
(*sids)[i] = NULL;
return WERR_OK;
}
/*
return an array of SIDs from a ldb_message given an attribute name
assumes the SIDs are in NDR form
*/
static WERROR samdb_result_sid_array_ndr(struct ldb_context *sam_ctx,
struct ldb_message *msg,
TALLOC_CTX *mem_ctx,
const char *attr,
const struct dom_sid ***sids)
{
struct ldb_message_element *el;
int i;
el = ldb_msg_find_element(msg, attr);
if (!el) {
*sids = NULL;
return WERR_OK;
}
(*sids) = talloc_array(mem_ctx, const struct dom_sid *, el->num_values + 1);
W_ERROR_HAVE_NO_MEMORY(*sids);
for (i=0; i<el->num_values; i++) {
enum ndr_err_code ndr_err;
struct dom_sid *sid;
sid = talloc(*sids, struct dom_sid);
W_ERROR_HAVE_NO_MEMORY(sid);
ndr_err = ndr_pull_struct_blob(&el->values[i], sid, sid,
(ndr_pull_flags_fn_t)ndr_pull_dom_sid);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
return WERR_INTERNAL_DB_CORRUPTION;
}
(*sids)[i] = sid;
}
(*sids)[i] = NULL;
return WERR_OK;
}
/*
see if any SIDs in list1 are in list2
*/
static bool sid_list_match(const struct dom_sid **list1, const struct dom_sid **list2)
{
int i, j;
/* do we ever have enough SIDs here to worry about O(n^2) ? */
for (i=0; list1[i]; i++) {
for (j=0; list2[j]; j++) {
if (dom_sid_equal(list1[i], list2[j])) {
return true;
}
}
}
return false;
}
/*
handle a DRSUAPI_EXOP_REPL_SECRET call
*/
static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
TALLOC_CTX *mem_ctx,
struct drsuapi_DsGetNCChangesRequest8 *req8,
struct dom_sid *user_sid,
struct drsuapi_DsGetNCChangesCtr6 *ctr6)
{
struct drsuapi_DsReplicaObjectIdentifier *ncRoot = req8->naming_context;
struct ldb_dn *obj_dn, *rodc_dn, *krbtgt_link_dn;
int ret;
const char *rodc_attrs[] = { "msDS-KrbTgtLink", "msDS-NeverRevealGroup", "msDS-RevealOnDemandGroup", NULL };
const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL };
struct ldb_result *rodc_res, *obj_res;
const struct dom_sid **never_reveal_sids, **reveal_sids, **token_sids;
WERROR werr;
DEBUG(3,(__location__ ": DRSUAPI_EXOP_REPL_SECRET extended op on %s\n", ncRoot->dn));
/*
* we need to work out if we will allow this RODC to
* replicate the secrets for this object
*
* see 4.1.10.5.14 GetRevealSecretsPolicyForUser for details
* of this function
*/
if (b_state->sam_ctx_system == NULL) {
/* this operation needs system level access */
ctr6->extended_ret = DRSUAPI_EXOP_ERR_ACCESS_DENIED;
return WERR_DS_DRA_SOURCE_DISABLED;
}
obj_dn = ldb_dn_new(mem_ctx, b_state->sam_ctx_system, ncRoot->dn);
if (!ldb_dn_validate(obj_dn)) goto failed;
rodc_dn = ldb_dn_new_fmt(mem_ctx, b_state->sam_ctx_system, "<SID=%s>",
dom_sid_string(mem_ctx, user_sid));
if (!ldb_dn_validate(rodc_dn)) goto failed;
/* do the two searches we need */
ret = dsdb_search_dn(b_state->sam_ctx_system, mem_ctx, &rodc_res, rodc_dn, rodc_attrs,
DSDB_SEARCH_SHOW_EXTENDED_DN);
if (ret != LDB_SUCCESS || rodc_res->count != 1) goto failed;
ret = dsdb_search_dn(b_state->sam_ctx_system, mem_ctx, &obj_res, obj_dn, obj_attrs, 0);
if (ret != LDB_SUCCESS || obj_res->count != 1) goto failed;
/* if the object SID is equal to the user_sid, allow */
if (dom_sid_equal(user_sid,
samdb_result_dom_sid(mem_ctx, obj_res->msgs[0], "objectSid"))) {
goto allowed;
}
/* an RODC is allowed to get its own krbtgt account secrets */
krbtgt_link_dn = samdb_result_dn(b_state->sam_ctx_system, mem_ctx,
rodc_res->msgs[0], "msDS-KrbTgtLink", NULL);
if (krbtgt_link_dn != NULL &&
ldb_dn_compare(obj_dn, krbtgt_link_dn) == 0) {
goto allowed;
}
/* but it isn't allowed to get anyone elses krbtgt secrets */
if (samdb_result_dn(b_state->sam_ctx_system, mem_ctx,
obj_res->msgs[0], "msDS-KrbTgtLinkBL", NULL)) {
goto denied;
}
if (samdb_result_uint(obj_res->msgs[0], "UserAccountControl", 0) &
UF_INTERDOMAIN_TRUST_ACCOUNT) {
goto denied;
}
werr = samdb_result_sid_array_dn(b_state->sam_ctx_system, rodc_res->msgs[0],
mem_ctx, "msDS-NeverRevealGroup", &never_reveal_sids);
if (!W_ERROR_IS_OK(werr)) {
goto denied;
}
werr = samdb_result_sid_array_dn(b_state->sam_ctx_system, rodc_res->msgs[0],
mem_ctx, "msDS-RevealOnDemandGroup", &reveal_sids);
if (!W_ERROR_IS_OK(werr)) {
goto denied;
}
werr = samdb_result_sid_array_ndr(b_state->sam_ctx_system, obj_res->msgs[0],
mem_ctx, "tokenGroups", &token_sids);
if (!W_ERROR_IS_OK(werr) || token_sids==NULL) {
goto denied;
}
if (never_reveal_sids &&
sid_list_match(token_sids, never_reveal_sids)) {
goto denied;
}
if (reveal_sids &&
sid_list_match(token_sids, reveal_sids)) {
goto allowed;
}
/* default deny */
denied:
DEBUG(2,(__location__ ": Denied RODC secret replication for %s by RODC %s\n",
ncRoot->dn, ldb_dn_get_linearized(rodc_res->msgs[0]->dn)));
ctr6->extended_ret = DRSUAPI_EXOP_ERR_ACCESS_DENIED;
return WERR_ACCESS_DENIED;
allowed:
DEBUG(2,(__location__ ": Allowed RODC secret replication for %s by RODC %s\n",
ncRoot->dn, ldb_dn_get_linearized(rodc_res->msgs[0]->dn)));
ctr6->extended_ret = DRSUAPI_EXOP_ERR_SUCCESS;
req8->highwatermark.highest_usn = 0;
return WERR_OK;
failed:
DEBUG(2,(__location__ ": Failed RODC secret replication for %s by RODC %s\n",
ncRoot->dn, dom_sid_string(mem_ctx, user_sid)));
ctr6->extended_ret = DRSUAPI_EXOP_ERR_DIR_ERROR;
return WERR_DS_DRA_SOURCE_DISABLED;
}
/* state of a partially completed getncchanges call */
@ -733,9 +957,10 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
uint32_t link_total = 0;
uint32_t link_given = 0;
struct ldb_dn *search_dn = NULL;
bool am_rodc;
bool am_rodc, null_scope=false;
enum security_user_level security_level;
struct ldb_context *sam_ctx;
struct dom_sid *user_sid;
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
b_state = h->data;
@ -794,6 +1019,9 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
return werr;
}
user_sid = dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
/* for non-administrator replications, check that they have
given the correct source_dsa_invocation_id */
security_level = security_session_user_level(dce_call->conn->auth_state.session_info,
@ -802,8 +1030,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
(req8->replica_flags & DRSUAPI_DRS_WRIT_REP) &&
req8->extended_op != DRSUAPI_EXOP_REPL_SECRET) {
DEBUG(3,(__location__ ": Removing WRIT_REP flag for replication by RODC %s\n",
dom_sid_string(mem_ctx,
dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX])));
dom_sid_string(mem_ctx, user_sid)));
req8->replica_flags &= ~DRSUAPI_DRS_WRIT_REP;
}
@ -825,10 +1052,14 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
break;
case DRSUAPI_EXOP_REPL_SECRET:
DEBUG(0,(__location__ ": DRSUAPI_EXOP_REPL_SECRET extended op\n"));
r->out.ctr->ctr6.extended_ret = DRSUAPI_EXOP_ERR_SUCCESS;
req8->highwatermark.highest_usn = 0;
werr = getncchanges_repl_secret(b_state, mem_ctx, req8, user_sid, &r->out.ctr->ctr6);
if (W_ERROR_EQUAL(werr, WERR_ACCESS_DENIED)) {
null_scope = true;
} else {
W_ERROR_NOT_OK_RETURN(werr);
}
break;
case DRSUAPI_EXOP_FSMO_REQ_ROLE:
case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE:
case DRSUAPI_EXOP_FSMO_REQ_PDC:
@ -989,9 +1220,10 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
*/
max_links = lpcfg_parm_int(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "max link sync", 1500);
for(i=getnc_state->num_sent;
i<getnc_state->site_res->count &&
(r->out.ctr->ctr6.object_count < max_objects);
for (i=getnc_state->num_sent;
i<getnc_state->site_res->count &&
!null_scope &&
(r->out.ctr->ctr6.object_count < max_objects);
i++) {
int uSN;
struct drsuapi_DsReplicaObjectListItemEx *obj;