sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-14 00:58:38 +03:00
Code

s4-drs: validate RODC credentials via the user_sid

Browse Source 
This checks whether a replication client is a RODC by inclusion of the
the DOMAIN_RID_ENTERPRISE_READONLY_DCS sid in the users token

Pair-Programmed-With: Rusty Russell <rusty@samba.org>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Andrew Tridgell 2010-04-22 16:56:40 +10:00
parent bb1ba4ff76
commit e7262b51d1
1 changed files with 12 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
source4/rpc_server/drsuapi/getncchanges.c
View File

@ -751,31 +751,21 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
return WERR_DS_DRA_SOURCE_DISABLED;
}
/* for non-administrator replications, check that they have
given the correct source_dsa_invocation_id */
security_level = security_session_user_level(dce_call->conn->auth_state.session_info);
if (security_level < SECURITY_ADMINISTRATOR) {
/* validate their guid */
ret = dsdb_validate_invocation_id(b_state->sam_ctx,
&req8->source_dsa_invocation_id,
dce_call->conn->auth_state.session_info->security_token->user_sid);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Attempted replication with invalid invocationId %s\n",
GUID_string(mem_ctx, &req8->source_dsa_invocation_id)));
return WERR_DS_DRA_INVALID_PARAMETER;
}
werr = drs_security_level_check(dce_call, "DsGetNCChanges", SECURITY_RO_DOMAIN_CONTROLLER);
if (!W_ERROR_IS_OK(werr)) {
return werr;
}
if (security_level < SECURITY_ADMINISTRATOR &&
/* for non-administrator replications, check that they have
given the correct source_dsa_invocation_id */
security_level = security_session_user_level(dce_call->conn->auth_state.session_info,
samdb_domain_sid(b_state->sam_ctx));
if (security_level == SECURITY_RO_DOMAIN_CONTROLLER &&
(req8->replica_flags & DRSUAPI_DRS_WRIT_REP)) {
bool is_rodc;
ret = samdb_is_rodc(b_state->sam_ctx, &req8->source_dsa_invocation_id, &is_rodc);
if (ret != LDB_SUCCESS || is_rodc) {
DEBUG(0,(__location__ ": Attempt to do writeable replication by RODC %s\n",
GUID_string(mem_ctx, &req8->source_dsa_invocation_id)));
return WERR_DS_DRA_INVALID_PARAMETER;
}
DEBUG(0,(__location__ ": Attempt to do writeable replication by RODC %s\n",
dom_sid_string(mem_ctx,
dce_call->conn->auth_state.session_info->security_token->user_sid)));
return WERR_DS_DRA_INVALID_PARAMETER;
}
@ -784,11 +774,6 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
req8->uptodateness_vector = NULL;
}
werr = drs_security_level_check(dce_call, "DsGetNCChanges");
if (!W_ERROR_IS_OK(werr)) {
return werr;
}
/* we don't yet support extended operations */
switch (req8->extended_op) {
case DRSUAPI_EXOP_NONE: