mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
aee2039e63
This make this funciton the gatekeeper between the wire format and the internal struct ldb_dn, checking if the DN exists and which NC it belongs to along the way, and presenting only a DB-returned DN for internal processing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
238 lines
6.0 KiB
C
238 lines
6.0 KiB
C
/*
|
|
Unix SMB/CIFS implementation.
|
|
|
|
useful utilities for the DRS server
|
|
|
|
Copyright (C) Andrew Tridgell 2009
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include "rpc_server/dcerpc_server.h"
|
|
#include "dsdb/samdb/samdb.h"
|
|
#include "libcli/security/security.h"
|
|
#include "libcli/security/session.h"
|
|
#include "param/param.h"
|
|
#include "auth/session.h"
|
|
#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
|
|
|
|
#undef DBGC_CLASS
|
|
#define DBGC_CLASS DBGC_DRS_REPL
|
|
|
|
int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
|
|
TALLOC_CTX *mem_ctx,
|
|
struct ldb_result **_res,
|
|
struct ldb_dn *basedn,
|
|
enum ldb_scope scope,
|
|
const char * const *attrs,
|
|
const char *filter)
|
|
{
|
|
int ret;
|
|
struct ldb_request *req;
|
|
TALLOC_CTX *tmp_ctx;
|
|
struct ldb_result *res;
|
|
|
|
tmp_ctx = talloc_new(mem_ctx);
|
|
|
|
res = talloc_zero(tmp_ctx, struct ldb_result);
|
|
if (!res) {
|
|
return LDB_ERR_OPERATIONS_ERROR;
|
|
}
|
|
|
|
ret = ldb_build_search_req(&req, ldb, tmp_ctx,
|
|
basedn,
|
|
scope,
|
|
filter,
|
|
attrs,
|
|
NULL,
|
|
res,
|
|
ldb_search_default_callback,
|
|
NULL);
|
|
if (ret != LDB_SUCCESS) {
|
|
talloc_free(tmp_ctx);
|
|
return ret;
|
|
}
|
|
|
|
ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, NULL);
|
|
if (ret != LDB_SUCCESS) {
|
|
return ret;
|
|
}
|
|
|
|
ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_RECYCLED_OID, true, NULL);
|
|
if (ret != LDB_SUCCESS) {
|
|
return ret;
|
|
}
|
|
|
|
ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
|
|
if (ret != LDB_SUCCESS) {
|
|
return ret;
|
|
}
|
|
|
|
ret = ldb_request(ldb, req);
|
|
if (ret == LDB_SUCCESS) {
|
|
ret = ldb_wait(req->handle, LDB_WAIT_ALL);
|
|
}
|
|
|
|
talloc_free(req);
|
|
*_res = talloc_steal(mem_ctx, res);
|
|
return ret;
|
|
}
|
|
|
|
WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
|
|
const char* call,
|
|
enum security_user_level minimum_level,
|
|
const struct dom_sid *domain_sid)
|
|
{
|
|
struct auth_session_info *session_info =
|
|
dcesrv_call_session_info(dce_call);
|
|
enum security_user_level level;
|
|
|
|
if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
|
|
"drs", "disable_sec_check", false)) {
|
|
return WERR_OK;
|
|
}
|
|
|
|
level = security_session_user_level(session_info, domain_sid);
|
|
if (level < minimum_level) {
|
|
if (call) {
|
|
DEBUG(0,("%s refused for security token (level=%u)\n",
|
|
call, (unsigned)level));
|
|
security_token_debug(DBGC_DRS_REPL, 2, session_info->security_token);
|
|
}
|
|
return WERR_DS_DRA_ACCESS_DENIED;
|
|
}
|
|
|
|
return WERR_OK;
|
|
}
|
|
|
|
void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
|
|
struct drsuapi_DsReplicaMetaData *meta_data)
|
|
{
|
|
if (attr->value_ctr.num_values == 0) {
|
|
return;
|
|
}
|
|
|
|
switch (attr->attid) {
|
|
case DRSUAPI_ATTID_dBCSPwd:
|
|
case DRSUAPI_ATTID_unicodePwd:
|
|
case DRSUAPI_ATTID_ntPwdHistory:
|
|
case DRSUAPI_ATTID_lmPwdHistory:
|
|
case DRSUAPI_ATTID_supplementalCredentials:
|
|
case DRSUAPI_ATTID_priorValue:
|
|
case DRSUAPI_ATTID_currentValue:
|
|
case DRSUAPI_ATTID_trustAuthOutgoing:
|
|
case DRSUAPI_ATTID_trustAuthIncoming:
|
|
case DRSUAPI_ATTID_initialAuthOutgoing:
|
|
case DRSUAPI_ATTID_initialAuthIncoming:
|
|
/*set value to null*/
|
|
attr->value_ctr.num_values = 0;
|
|
talloc_free(attr->value_ctr.values);
|
|
attr->value_ctr.values = NULL;
|
|
meta_data->originating_change_time = 0;
|
|
return;
|
|
default:
|
|
return;
|
|
}
|
|
}
|
|
|
|
|
|
/*
|
|
check security on a DN, with logging of errors
|
|
*/
|
|
static WERROR drs_security_access_check_log(struct ldb_context *sam_ctx,
|
|
TALLOC_CTX *mem_ctx,
|
|
struct security_token *token,
|
|
struct ldb_dn *dn,
|
|
const char *ext_right)
|
|
{
|
|
int ret;
|
|
if (!dn) {
|
|
DEBUG(3,("drs_security_access_check: Null dn provided, access is denied for %s\n",
|
|
ext_right));
|
|
return WERR_DS_DRA_ACCESS_DENIED;
|
|
}
|
|
ret = dsdb_check_access_on_dn(sam_ctx,
|
|
mem_ctx,
|
|
dn,
|
|
token,
|
|
SEC_ADS_CONTROL_ACCESS,
|
|
ext_right);
|
|
if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
|
|
DEBUG(3,("%s refused for security token on %s\n",
|
|
ext_right, ldb_dn_get_linearized(dn)));
|
|
security_token_debug(DBGC_DRS_REPL, 3, token);
|
|
return WERR_DS_DRA_ACCESS_DENIED;
|
|
} else if (ret != LDB_SUCCESS) {
|
|
DEBUG(1,("Failed to perform access check on %s: %s\n", ldb_dn_get_linearized(dn), ldb_strerror(ret)));
|
|
return WERR_DS_DRA_INTERNAL_ERROR;
|
|
}
|
|
return WERR_OK;
|
|
}
|
|
|
|
|
|
/*
|
|
check security on a object identifier
|
|
*/
|
|
WERROR drs_security_access_check(struct ldb_context *sam_ctx,
|
|
TALLOC_CTX *mem_ctx,
|
|
struct security_token *token,
|
|
struct drsuapi_DsReplicaObjectIdentifier *nc,
|
|
const char *ext_right)
|
|
{
|
|
struct ldb_dn *dn;
|
|
WERROR werr;
|
|
int ret;
|
|
|
|
ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx,
|
|
sam_ctx,
|
|
nc,
|
|
&dn,
|
|
NULL);
|
|
if (ret != LDB_SUCCESS) {
|
|
return WERR_DS_DRA_BAD_DN;
|
|
}
|
|
|
|
werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, dn, ext_right);
|
|
talloc_free(dn);
|
|
return werr;
|
|
}
|
|
|
|
/*
|
|
check security on the NC root of a object identifier
|
|
*/
|
|
WERROR drs_security_access_check_nc_root(struct ldb_context *sam_ctx,
|
|
TALLOC_CTX *mem_ctx,
|
|
struct security_token *token,
|
|
struct drsuapi_DsReplicaObjectIdentifier *nc,
|
|
const char *ext_right)
|
|
{
|
|
struct ldb_dn *nc_root;
|
|
WERROR werr;
|
|
int ret;
|
|
|
|
ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx,
|
|
sam_ctx,
|
|
nc,
|
|
NULL,
|
|
&nc_root);
|
|
if (ret != LDB_SUCCESS) {
|
|
return WERR_DS_DRA_BAD_NC;
|
|
}
|
|
|
|
werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, nc_root, ext_right);
|
|
talloc_free(nc_root);
|
|
return werr;
|
|
}
|