sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-08 04:58:40 +03:00
Code

Add drs_security_level_check for dcesrv calls security checks

Browse Source 
There is also an option to disable the security check
by specifying in the smb.conf file:
drs:disable_sec_check = true
This commit is contained in:
Anatoliy Atanasov 2009-09-19 15:08:19 -07:00 committed by Andrew Tridgell
parent 2b5d1dfe6b
commit 6e56261eb7
6 changed files with 36 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
source4/rpc_server/drsuapi/addentry.c
View File

@ -151,10 +151,9 @@ WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state *dce_call, TALLOC_CTX
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
b_state = h->data;
if (security_session_user_level(dce_call->conn->auth_state.session_info) <
SECURITY_DOMAIN_CONTROLLER) {
DEBUG(0,("DsAddEntry refused for security token\n"));
return WERR_DS_DRA_ACCESS_DENIED;
status = drs_security_level_check(dce_call, "DsAddEntry");
if (!W_ERROR_IS_OK(status)) {
return status;
}
switch (r->in.level) {

18
source4/rpc_server/drsuapi/dcesrv_drsuapi.c
View File

@ -228,15 +228,17 @@ static WERROR dcesrv_drsuapi_DsUnbind(struct dcesrv_call_state *dce_call, TALLOC
static WERROR dcesrv_drsuapi_DsReplicaSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsReplicaSync *r)
{
if (security_session_user_level(dce_call->conn->auth_state.session_info) <
SECURITY_DOMAIN_CONTROLLER) {
DEBUG(0,("DsReplicaSync refused for security token\n"));
return WERR_DS_DRA_ACCESS_DENIED;
WERROR status;
status = drs_security_level_check(dce_call, "DsReplicaSync");
if (!W_ERROR_IS_OK(status)) {
return status;
}
dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx, r, NDR_DRSUAPI_DSREPLICASYNC,
&ndr_table_drsuapi,
"dreplsrv", "DsReplicaSync");
return WERR_OK;
}
@ -453,14 +455,14 @@ static WERROR dcesrv_drsuapi_DsRemoveDSServer(struct dcesrv_call_state *dce_call
struct ldb_dn *ntds_dn;
int ret;
bool ok;
WERROR status;
ZERO_STRUCT(r->out.res);
*r->out.level_out = 1;
if (security_session_user_level(dce_call->conn->auth_state.session_info) <
SECURITY_DOMAIN_CONTROLLER) {
DEBUG(0,("DsRemoveDSServer refused for security token\n"));
return WERR_DS_DRA_ACCESS_DENIED;
status = drs_security_level_check(dce_call, "DsRemoveDSServer");
if (!W_ERROR_IS_OK(status)) {
return status;
}
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);

2
source4/rpc_server/drsuapi/dcesrv_drsuapi.h
View File

@ -56,3 +56,5 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
const char * const *attrs,
const char *format, ...) PRINTF_ATTRIBUTE(7,8);
WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
const char* call);

15
source4/rpc_server/drsuapi/drsutil.c
View File

@ -24,6 +24,7 @@
#include "dsdb/samdb/samdb.h"
#include "libcli/security/dom_sid.h"
#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
#include "libcli/security/security.h"
/*
format a drsuapi_DsReplicaObjectIdentifier naming context as a string
@ -101,3 +102,17 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
return ret;
}
WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call)
{
if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "disable_sec_check", true)) {
return WERR_OK;
}
if (security_session_user_level(dce_call->conn->auth_state.session_info) <
SECURITY_DOMAIN_CONTROLLER) {
DEBUG(0,("DsReplicaGetInfo refused for security token\n"));
return WERR_DS_DRA_ACCESS_DENIED;
}
return WERR_OK;
}

7
source4/rpc_server/drsuapi/getncchanges.c
View File

@ -301,10 +301,9 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
return WERR_DS_DRA_BAD_NC;
}
if (security_session_user_level(dce_call->conn->auth_state.session_info) <
SECURITY_DOMAIN_CONTROLLER) {
DEBUG(0,("getncchanges refused for security token\n"));
return WERR_DS_DRA_ACCESS_DENIED;
werr = drs_security_level_check(dce_call, "DsGetNCChanges");
if (!W_ERROR_IS_OK(werr)) {
return werr;
}
/*

7
source4/rpc_server/drsuapi/updaterefs.c
View File

@ -105,10 +105,9 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
WERROR werr;
struct ldb_dn *dn;
if (security_session_user_level(dce_call->conn->auth_state.session_info) <
SECURITY_DOMAIN_CONTROLLER) {
DEBUG(0,("DsReplicaUpdateRefs refused for security token\n"));
return WERR_DS_DRA_ACCESS_DENIED;
werr = drs_security_level_check(dce_call, "DsReplicaUpdateRefs");
if (!W_ERROR_IS_OK(werr)) {
return werr;
}
if (r->in.level != 1) {