Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : useful utilities for the DRS server
5 :
6 : Copyright (C) Andrew Tridgell 2009
7 :
8 : This program is free software; you can redistribute it and/or modify
9 : it under the terms of the GNU General Public License as published by
10 : the Free Software Foundation; either version 3 of the License, or
11 : (at your option) any later version.
12 :
13 : This program is distributed in the hope that it will be useful,
14 : but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : GNU General Public License for more details.
17 :
18 : You should have received a copy of the GNU General Public License
19 : along with this program. If not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include "includes.h"
23 : #include "rpc_server/dcerpc_server.h"
24 : #include "dsdb/samdb/samdb.h"
25 : #include "libcli/security/security.h"
26 : #include "libcli/security/session.h"
27 : #include "param/param.h"
28 : #include "auth/session.h"
29 : #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
30 :
31 : #undef DBGC_CLASS
32 : #define DBGC_CLASS DBGC_DRS_REPL
33 :
34 687654 : int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
35 : TALLOC_CTX *mem_ctx,
36 : struct ldb_result **_res,
37 : struct ldb_dn *basedn,
38 : enum ldb_scope scope,
39 : const char * const *attrs,
40 : const char *filter)
41 : {
42 0 : int ret;
43 0 : struct ldb_request *req;
44 0 : TALLOC_CTX *tmp_ctx;
45 0 : struct ldb_result *res;
46 :
47 687654 : tmp_ctx = talloc_new(mem_ctx);
48 :
49 687654 : res = talloc_zero(tmp_ctx, struct ldb_result);
50 687654 : if (!res) {
51 0 : return LDB_ERR_OPERATIONS_ERROR;
52 : }
53 :
54 687654 : ret = ldb_build_search_req(&req, ldb, tmp_ctx,
55 : basedn,
56 : scope,
57 : filter,
58 : attrs,
59 : NULL,
60 : res,
61 : ldb_search_default_callback,
62 : NULL);
63 687654 : if (ret != LDB_SUCCESS) {
64 0 : talloc_free(tmp_ctx);
65 0 : return ret;
66 : }
67 :
68 687654 : ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, NULL);
69 687654 : if (ret != LDB_SUCCESS) {
70 0 : return ret;
71 : }
72 :
73 687654 : ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_RECYCLED_OID, true, NULL);
74 687654 : if (ret != LDB_SUCCESS) {
75 0 : return ret;
76 : }
77 :
78 687654 : ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
79 687654 : if (ret != LDB_SUCCESS) {
80 0 : return ret;
81 : }
82 :
83 687654 : ret = ldb_request(ldb, req);
84 687654 : if (ret == LDB_SUCCESS) {
85 687654 : ret = ldb_wait(req->handle, LDB_WAIT_ALL);
86 : }
87 :
88 687654 : talloc_free(req);
89 687654 : *_res = talloc_steal(mem_ctx, res);
90 687654 : return ret;
91 : }
92 :
93 4492 : WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
94 : const char* call,
95 : enum security_user_level minimum_level,
96 : const struct dom_sid *domain_sid)
97 : {
98 73 : struct auth_session_info *session_info =
99 4492 : dcesrv_call_session_info(dce_call);
100 73 : enum security_user_level level;
101 :
102 4492 : if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
103 : "drs", "disable_sec_check", false)) {
104 0 : return WERR_OK;
105 : }
106 :
107 4492 : level = security_session_user_level(session_info, domain_sid);
108 4492 : if (level < minimum_level) {
109 78 : if (call) {
110 0 : DEBUG(0,("%s refused for security token (level=%u)\n",
111 : call, (unsigned)level));
112 0 : security_token_debug(DBGC_DRS_REPL, 2, session_info->security_token);
113 : }
114 78 : return WERR_DS_DRA_ACCESS_DENIED;
115 : }
116 :
117 4414 : return WERR_OK;
118 : }
119 :
120 1213168 : void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
121 : struct drsuapi_DsReplicaMetaData *meta_data)
122 : {
123 1213168 : if (attr->value_ctr.num_values == 0) {
124 0 : return;
125 : }
126 :
127 1213168 : switch (attr->attid) {
128 1059 : case DRSUAPI_ATTID_dBCSPwd:
129 : case DRSUAPI_ATTID_unicodePwd:
130 : case DRSUAPI_ATTID_ntPwdHistory:
131 : case DRSUAPI_ATTID_lmPwdHistory:
132 : case DRSUAPI_ATTID_supplementalCredentials:
133 : case DRSUAPI_ATTID_priorValue:
134 : case DRSUAPI_ATTID_currentValue:
135 : case DRSUAPI_ATTID_trustAuthOutgoing:
136 : case DRSUAPI_ATTID_trustAuthIncoming:
137 : case DRSUAPI_ATTID_initialAuthOutgoing:
138 : case DRSUAPI_ATTID_initialAuthIncoming:
139 : /*set value to null*/
140 1059 : attr->value_ctr.num_values = 0;
141 1059 : talloc_free(attr->value_ctr.values);
142 1059 : attr->value_ctr.values = NULL;
143 1059 : meta_data->originating_change_time = 0;
144 1059 : return;
145 1212109 : default:
146 1212109 : return;
147 : }
148 : }
149 :
150 :
151 : /*
152 : check security on a DN, with logging of errors
153 : */
154 19756 : static WERROR drs_security_access_check_log(struct ldb_context *sam_ctx,
155 : TALLOC_CTX *mem_ctx,
156 : struct security_token *token,
157 : struct ldb_dn *dn,
158 : const char *ext_right)
159 : {
160 0 : int ret;
161 19756 : if (!dn) {
162 0 : DEBUG(3,("drs_security_access_check: Null dn provided, access is denied for %s\n",
163 : ext_right));
164 0 : return WERR_DS_DRA_ACCESS_DENIED;
165 : }
166 19756 : ret = dsdb_check_access_on_dn(sam_ctx,
167 : mem_ctx,
168 : dn,
169 : token,
170 : SEC_ADS_CONTROL_ACCESS,
171 : ext_right);
172 19756 : if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
173 1415 : DEBUG(3,("%s refused for security token on %s\n",
174 : ext_right, ldb_dn_get_linearized(dn)));
175 1415 : security_token_debug(DBGC_DRS_REPL, 3, token);
176 1415 : return WERR_DS_DRA_ACCESS_DENIED;
177 18341 : } else if (ret != LDB_SUCCESS) {
178 0 : DEBUG(1,("Failed to perform access check on %s: %s\n", ldb_dn_get_linearized(dn), ldb_strerror(ret)));
179 0 : return WERR_DS_DRA_INTERNAL_ERROR;
180 : }
181 18341 : return WERR_OK;
182 : }
183 :
184 :
185 : /*
186 : check security on a object identifier
187 : */
188 1669 : WERROR drs_security_access_check(struct ldb_context *sam_ctx,
189 : TALLOC_CTX *mem_ctx,
190 : struct security_token *token,
191 : struct drsuapi_DsReplicaObjectIdentifier *nc,
192 : const char *ext_right)
193 : {
194 0 : struct ldb_dn *dn;
195 0 : WERROR werr;
196 0 : int ret;
197 :
198 1669 : ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx,
199 : sam_ctx,
200 : nc,
201 : &dn,
202 : NULL);
203 1669 : if (ret != LDB_SUCCESS) {
204 0 : return WERR_DS_DRA_BAD_DN;
205 : }
206 :
207 1669 : werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, dn, ext_right);
208 1669 : talloc_free(dn);
209 1669 : return werr;
210 : }
211 :
212 : /*
213 : check security on the NC root of a object identifier
214 : */
215 18095 : WERROR drs_security_access_check_nc_root(struct ldb_context *sam_ctx,
216 : TALLOC_CTX *mem_ctx,
217 : struct security_token *token,
218 : struct drsuapi_DsReplicaObjectIdentifier *nc,
219 : const char *ext_right)
220 : {
221 0 : struct ldb_dn *nc_root;
222 0 : WERROR werr;
223 0 : int ret;
224 :
225 18095 : ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx,
226 : sam_ctx,
227 : nc,
228 : NULL,
229 : &nc_root);
230 18095 : if (ret != LDB_SUCCESS) {
231 8 : return WERR_DS_DRA_BAD_NC;
232 : }
233 :
234 18087 : werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, nc_root, ext_right);
235 18087 : talloc_free(nc_root);
236 18087 : return werr;
237 : }
|
