mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
s4:rpc_server/drsuapi: make use dcesrv_call_session_info()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
parent
c989e35c63
commit
e1caa51146
@ -90,7 +90,7 @@ static WERROR dcesrv_drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_C
|
|||||||
auth_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
|
auth_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
|
||||||
connected_as_system = true;
|
connected_as_system = true;
|
||||||
} else {
|
} else {
|
||||||
auth_info = dce_call->conn->auth_state.session_info;
|
auth_info = dcesrv_call_session_info(dce_call);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -1011,15 +1011,17 @@ static WERROR dcesrv_drsuapi_DsExecuteKCC(struct dcesrv_call_state *dce_call, TA
|
|||||||
static WERROR dcesrv_drsuapi_DsReplicaGetInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
|
static WERROR dcesrv_drsuapi_DsReplicaGetInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
|
||||||
struct drsuapi_DsReplicaGetInfo *r)
|
struct drsuapi_DsReplicaGetInfo *r)
|
||||||
{
|
{
|
||||||
|
struct auth_session_info *session_info =
|
||||||
|
dcesrv_call_session_info(dce_call);
|
||||||
enum security_user_level level;
|
enum security_user_level level;
|
||||||
|
|
||||||
if (!lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
|
if (!lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
|
||||||
"drs", "disable_sec_check", false)) {
|
"drs", "disable_sec_check", false)) {
|
||||||
level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
|
level = security_session_user_level(session_info, NULL);
|
||||||
if (level < SECURITY_DOMAIN_CONTROLLER) {
|
if (level < SECURITY_DOMAIN_CONTROLLER) {
|
||||||
DEBUG(1,(__location__ ": Administrator access required for DsReplicaGetInfo\n"));
|
DEBUG(1,(__location__ ": Administrator access required for DsReplicaGetInfo\n"));
|
||||||
security_token_debug(DBGC_DRS_REPL, 2,
|
security_token_debug(DBGC_DRS_REPL, 2,
|
||||||
dce_call->conn->auth_state.session_info->security_token);
|
session_info->security_token);
|
||||||
return WERR_DS_DRA_ACCESS_DENIED;
|
return WERR_DS_DRA_ACCESS_DENIED;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -95,6 +95,8 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
|
|||||||
enum security_user_level minimum_level,
|
enum security_user_level minimum_level,
|
||||||
const struct dom_sid *domain_sid)
|
const struct dom_sid *domain_sid)
|
||||||
{
|
{
|
||||||
|
struct auth_session_info *session_info =
|
||||||
|
dcesrv_call_session_info(dce_call);
|
||||||
enum security_user_level level;
|
enum security_user_level level;
|
||||||
|
|
||||||
if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
|
if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
|
||||||
@ -102,12 +104,12 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
|
|||||||
return WERR_OK;
|
return WERR_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
level = security_session_user_level(dce_call->conn->auth_state.session_info, domain_sid);
|
level = security_session_user_level(session_info, domain_sid);
|
||||||
if (level < minimum_level) {
|
if (level < minimum_level) {
|
||||||
if (call) {
|
if (call) {
|
||||||
DEBUG(0,("%s refused for security token (level=%u)\n",
|
DEBUG(0,("%s refused for security token (level=%u)\n",
|
||||||
call, (unsigned)level));
|
call, (unsigned)level));
|
||||||
security_token_debug(DBGC_DRS_REPL, 2, dce_call->conn->auth_state.session_info->security_token);
|
security_token_debug(DBGC_DRS_REPL, 2, session_info->security_token);
|
||||||
}
|
}
|
||||||
return WERR_DS_DRA_ACCESS_DENIED;
|
return WERR_DS_DRA_ACCESS_DENIED;
|
||||||
}
|
}
|
||||||
|
@ -2698,6 +2698,8 @@ static struct getncchanges_repl_chunk * getncchanges_chunk_new(TALLOC_CTX *mem_c
|
|||||||
WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
|
WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
|
||||||
struct drsuapi_DsGetNCChanges *r)
|
struct drsuapi_DsGetNCChanges *r)
|
||||||
{
|
{
|
||||||
|
struct auth_session_info *session_info =
|
||||||
|
dcesrv_call_session_info(dce_call);
|
||||||
struct drsuapi_DsReplicaObjectIdentifier *ncRoot;
|
struct drsuapi_DsReplicaObjectIdentifier *ncRoot;
|
||||||
int ret;
|
int ret;
|
||||||
uint32_t i, k;
|
uint32_t i, k;
|
||||||
@ -2799,12 +2801,12 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
|
|||||||
return WERR_DS_DRA_SOURCE_DISABLED;
|
return WERR_DS_DRA_SOURCE_DISABLED;
|
||||||
}
|
}
|
||||||
|
|
||||||
user_sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
|
user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
|
||||||
|
|
||||||
/* all clients must have GUID_DRS_GET_CHANGES */
|
/* all clients must have GUID_DRS_GET_CHANGES */
|
||||||
werr = drs_security_access_check_nc_root(sam_ctx,
|
werr = drs_security_access_check_nc_root(sam_ctx,
|
||||||
mem_ctx,
|
mem_ctx,
|
||||||
dce_call->conn->auth_state.session_info->security_token,
|
session_info->security_token,
|
||||||
req10->naming_context,
|
req10->naming_context,
|
||||||
GUID_DRS_GET_CHANGES);
|
GUID_DRS_GET_CHANGES);
|
||||||
if (!W_ERROR_IS_OK(werr)) {
|
if (!W_ERROR_IS_OK(werr)) {
|
||||||
@ -2846,7 +2848,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
|
|||||||
if (is_gc_pas_request) {
|
if (is_gc_pas_request) {
|
||||||
werr = drs_security_access_check_nc_root(sam_ctx,
|
werr = drs_security_access_check_nc_root(sam_ctx,
|
||||||
mem_ctx,
|
mem_ctx,
|
||||||
dce_call->conn->auth_state.session_info->security_token,
|
session_info->security_token,
|
||||||
req10->naming_context,
|
req10->naming_context,
|
||||||
GUID_DRS_GET_FILTERED_ATTRIBUTES);
|
GUID_DRS_GET_FILTERED_ATTRIBUTES);
|
||||||
if (W_ERROR_IS_OK(werr)) {
|
if (W_ERROR_IS_OK(werr)) {
|
||||||
@ -2863,7 +2865,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
|
|||||||
if (is_secret_request) {
|
if (is_secret_request) {
|
||||||
werr = drs_security_access_check_nc_root(sam_ctx,
|
werr = drs_security_access_check_nc_root(sam_ctx,
|
||||||
mem_ctx,
|
mem_ctx,
|
||||||
dce_call->conn->auth_state.session_info->security_token,
|
session_info->security_token,
|
||||||
req10->naming_context,
|
req10->naming_context,
|
||||||
GUID_DRS_GET_ALL_CHANGES);
|
GUID_DRS_GET_ALL_CHANGES);
|
||||||
if (!W_ERROR_IS_OK(werr)) {
|
if (!W_ERROR_IS_OK(werr)) {
|
||||||
@ -2879,7 +2881,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
|
|||||||
allowed:
|
allowed:
|
||||||
/* for non-administrator replications, check that they have
|
/* for non-administrator replications, check that they have
|
||||||
given the correct source_dsa_invocation_id */
|
given the correct source_dsa_invocation_id */
|
||||||
security_level = security_session_user_level(dce_call->conn->auth_state.session_info,
|
security_level = security_session_user_level(session_info,
|
||||||
samdb_domain_sid(sam_ctx));
|
samdb_domain_sid(sam_ctx));
|
||||||
if (security_level == SECURITY_RO_DOMAIN_CONTROLLER) {
|
if (security_level == SECURITY_RO_DOMAIN_CONTROLLER) {
|
||||||
if (req10->replica_flags & DRSUAPI_DRS_WRIT_REP) {
|
if (req10->replica_flags & DRSUAPI_DRS_WRIT_REP) {
|
||||||
|
@ -336,6 +336,8 @@ failed:
|
|||||||
WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
|
WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
|
||||||
struct drsuapi_DsReplicaUpdateRefs *r)
|
struct drsuapi_DsReplicaUpdateRefs *r)
|
||||||
{
|
{
|
||||||
|
struct auth_session_info *session_info =
|
||||||
|
dcesrv_call_session_info(dce_call);
|
||||||
struct dcesrv_handle *h;
|
struct dcesrv_handle *h;
|
||||||
struct drsuapi_bind_state *b_state;
|
struct drsuapi_bind_state *b_state;
|
||||||
struct drsuapi_DsReplicaUpdateRefsRequest1 *req;
|
struct drsuapi_DsReplicaUpdateRefsRequest1 *req;
|
||||||
@ -353,7 +355,7 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
|
|||||||
req = &r->in.req.req1;
|
req = &r->in.req.req1;
|
||||||
werr = drs_security_access_check(b_state->sam_ctx,
|
werr = drs_security_access_check(b_state->sam_ctx,
|
||||||
mem_ctx,
|
mem_ctx,
|
||||||
dce_call->conn->auth_state.session_info->security_token,
|
session_info->security_token,
|
||||||
req->naming_context,
|
req->naming_context,
|
||||||
GUID_DRS_MANAGE_TOPOLOGY);
|
GUID_DRS_MANAGE_TOPOLOGY);
|
||||||
|
|
||||||
@ -361,16 +363,16 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
|
|||||||
return werr;
|
return werr;
|
||||||
}
|
}
|
||||||
|
|
||||||
security_level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
|
security_level = security_session_user_level(session_info, NULL);
|
||||||
if (security_level < SECURITY_ADMINISTRATOR) {
|
if (security_level < SECURITY_ADMINISTRATOR) {
|
||||||
/* check that they are using an DSA objectGUID that they own */
|
/* check that they are using an DSA objectGUID that they own */
|
||||||
ret = dsdb_validate_dsa_guid(b_state->sam_ctx,
|
ret = dsdb_validate_dsa_guid(b_state->sam_ctx,
|
||||||
&req->dest_dsa_guid,
|
&req->dest_dsa_guid,
|
||||||
&dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]);
|
&session_info->security_token->sids[PRIMARY_USER_SID_INDEX]);
|
||||||
if (ret != LDB_SUCCESS) {
|
if (ret != LDB_SUCCESS) {
|
||||||
DEBUG(0,(__location__ ": Refusing DsReplicaUpdateRefs for sid %s with GUID %s\n",
|
DEBUG(0,(__location__ ": Refusing DsReplicaUpdateRefs for sid %s with GUID %s\n",
|
||||||
dom_sid_string(mem_ctx,
|
dom_sid_string(mem_ctx,
|
||||||
&dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
|
&session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
|
||||||
GUID_string(mem_ctx, &req->dest_dsa_guid)));
|
GUID_string(mem_ctx, &req->dest_dsa_guid)));
|
||||||
return WERR_DS_DRA_ACCESS_DENIED;
|
return WERR_DS_DRA_ACCESS_DENIED;
|
||||||
}
|
}
|
||||||
|
@ -53,6 +53,8 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
|
|||||||
* 1) they are on the clients own account object
|
* 1) they are on the clients own account object
|
||||||
* 2) they are of the form SERVICE/dnshostname
|
* 2) they are of the form SERVICE/dnshostname
|
||||||
*/
|
*/
|
||||||
|
struct auth_session_info *session_info =
|
||||||
|
dcesrv_call_session_info(dce_call);
|
||||||
struct dom_sid *user_sid, *sid;
|
struct dom_sid *user_sid, *sid;
|
||||||
TALLOC_CTX *tmp_ctx = talloc_new(dce_call);
|
TALLOC_CTX *tmp_ctx = talloc_new(dce_call);
|
||||||
struct ldb_result *res;
|
struct ldb_result *res;
|
||||||
@ -82,7 +84,7 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
user_sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
|
user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
|
||||||
sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
|
sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
|
||||||
if (sid == NULL) {
|
if (sid == NULL) {
|
||||||
talloc_free(tmp_ctx);
|
talloc_free(tmp_ctx);
|
||||||
|
Loading…
Reference in New Issue
Block a user