search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:dsdb:common: Fix code spelling
[Samba.git] / source4 / dsdb / common / rodc_helper.c
blobb4982aee9ed45f056594375a8afc7e33d96cf4df
1 /*
2 Unix SMB/CIFS implementation.
3
4 common sid helper functions
5
6 Copyright (C) Catalyst.NET Ltd 2017
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "rpc_server/dcerpc_server.h"
24 #include "librpc/gen_ndr/ndr_security.h"
25 #include "source4/dsdb/samdb/samdb.h"
26 #include "libcli/security/security.h"
27
28 /*
29 see if any SIDs in list1 are in list2
30 */
31 static bool sid_list_match(uint32_t num_sids1,
32 const struct dom_sid *list1,
33 uint32_t num_sids2,
34 const struct dom_sid *list2)
35 {
36 unsigned int i, j;
37 /* do we ever have enough SIDs here to worry about O(n^2) ? */
38 for (i=0; i < num_sids1; i++) {
39 for (j=0; j < num_sids2; j++) {
40 if (dom_sid_equal(&list1[i], &list2[j])) {
41 return true;
42 }
43 }
44 }
45 return false;
46 }
47
48 /*
49 * Return an array of SIDs from a ldb_message given an attribute name assumes
50 * the SIDs are in NDR form (with primary_sid applied on the start).
51 */
52 static WERROR samdb_result_sid_array_ndr(struct ldb_context *sam_ctx,
53 struct ldb_message *msg,
54 TALLOC_CTX *mem_ctx,
55 const char *attr,
56 uint32_t *num_sids,
57 struct dom_sid **sids,
58 const struct dom_sid *primary_sid)
59 {
60 struct ldb_message_element *el;
61 unsigned int i;
62
63 el = ldb_msg_find_element(msg, attr);
64 if (!el) {
65 *sids = NULL;
66 return WERR_OK;
67 }
68
69 /* Make array long enough for NULL and additional SID */
70 (*sids) = talloc_array(mem_ctx, struct dom_sid,
71 el->num_values + 1);
72 W_ERROR_HAVE_NO_MEMORY(*sids);
73
74 (*sids)[PRIMARY_USER_SID_INDEX] = *primary_sid;
75
76 for (i = 0; i<el->num_values; i++) {
77 enum ndr_err_code ndr_err;
78 struct dom_sid sid = { 0, };
79
80 ndr_err = ndr_pull_struct_blob_all_noalloc(&el->values[i], &sid,
81 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
82 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
83 return WERR_INTERNAL_DB_CORRUPTION;
84 }
85 /* Primary SID is already in position zero. */
86 (*sids)[i+1] = sid;
87 }
88
89 *num_sids = i+1;
90
91 return WERR_OK;
92 }
93
94 /*
95 return an array of SIDs from a ldb_message given an attribute name
96 assumes the SIDs are in extended DN format
97 */
98 WERROR samdb_result_sid_array_dn(struct ldb_context *sam_ctx,
99 const struct ldb_message *msg,
100 TALLOC_CTX *mem_ctx,
101 const char *attr,
102 uint32_t *num_sids,
103 struct dom_sid **sids)
104 {
105 struct ldb_message_element *el;
106 unsigned int i;
107
108 el = ldb_msg_find_element(msg, attr);
109 if (!el) {
110 *sids = NULL;
111 return WERR_OK;
112 }
113
114 (*sids) = talloc_array(mem_ctx, struct dom_sid, el->num_values + 1);
115 W_ERROR_HAVE_NO_MEMORY(*sids);
116
117 for (i=0; i<el->num_values; i++) {
118 struct ldb_dn *dn = ldb_dn_from_ldb_val(mem_ctx, sam_ctx, &el->values[i]);
119 NTSTATUS status;
120 struct dom_sid sid = { 0, };
121
122 status = dsdb_get_extended_dn_sid(dn, &sid, "SID");
123 if (!NT_STATUS_IS_OK(status)) {
124 return WERR_INTERNAL_DB_CORRUPTION;
125 }
126 (*sids)[i] = sid;
127 }
128 *num_sids = i;
129
130 return WERR_OK;
131 }
132
133 WERROR samdb_confirm_rodc_allowed_to_repl_to_sid_list(struct ldb_context *sam_ctx,
134 const struct dom_sid *rodc_machine_account_sid,
135 const struct ldb_message *rodc_msg,
136 const struct ldb_message *obj_msg,
137 uint32_t num_token_sids,
138 const struct dom_sid *token_sids)
139 {
140 uint32_t num_never_reveal_sids, num_reveal_sids;
141 struct dom_sid *never_reveal_sids, *reveal_sids;
142 TALLOC_CTX *frame = talloc_stackframe();
143 WERROR werr;
144 uint32_t rodc_uac;
145
146 /*
147 * We are not allowed to get anyone elses krbtgt secrets (and
148 * in callers that don't shortcut before this, the RODC should
149 * not deal with any krbtgt)
150 */
151 if (samdb_result_dn(sam_ctx, frame,
152 obj_msg, "msDS-KrbTgtLinkBL", NULL)) {
153 TALLOC_FREE(frame);
154 DBG_INFO("Denied attempt to replicate to/act as a RODC krbtgt trust account %s using RODC: %s\n",
155 ldb_dn_get_linearized(obj_msg->dn),
156 ldb_dn_get_linearized(rodc_msg->dn));
157 return WERR_DS_DRA_SECRETS_DENIED;
158 }
159
160 if (ldb_msg_find_attr_as_uint(obj_msg,
161 "userAccountControl", 0) &
162 UF_INTERDOMAIN_TRUST_ACCOUNT) {
163 DBG_INFO("Denied attempt to replicate to/act as a inter-domain trust account %s using RODC: %s\n",
164 ldb_dn_get_linearized(obj_msg->dn),
165 ldb_dn_get_linearized(rodc_msg->dn));
166 TALLOC_FREE(frame);
167 return WERR_DS_DRA_SECRETS_DENIED;
168 }
169
170 /* Be very sure the RODC is really an RODC */
171 rodc_uac = ldb_msg_find_attr_as_uint(rodc_msg,
172 "userAccountControl",
173 0);
174 if ((rodc_uac & UF_PARTIAL_SECRETS_ACCOUNT)
175 != UF_PARTIAL_SECRETS_ACCOUNT) {
176 DBG_ERR("Attempt to use an RODC account that is not an RODC: %s\n",
177 ldb_dn_get_linearized(rodc_msg->dn));
178 TALLOC_FREE(frame);
179 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
180 }
181
182 werr = samdb_result_sid_array_dn(sam_ctx, rodc_msg,
183 frame, "msDS-NeverRevealGroup",
184 &num_never_reveal_sids,
185 &never_reveal_sids);
186 if (!W_ERROR_IS_OK(werr)) {
187 DBG_ERR("Failed to parse msDS-NeverRevealGroup on %s: %s\n",
188 ldb_dn_get_linearized(rodc_msg->dn),
189 win_errstr(werr));
190 TALLOC_FREE(frame);
191 return WERR_DS_DRA_SECRETS_DENIED;
192 }
193
194 werr = samdb_result_sid_array_dn(sam_ctx, rodc_msg,
195 frame, "msDS-RevealOnDemandGroup",
196 &num_reveal_sids,
197 &reveal_sids);
198 if (!W_ERROR_IS_OK(werr)) {
199 DBG_ERR("Failed to parse msDS-RevealOnDemandGroup on %s: %s\n",
200 ldb_dn_get_linearized(rodc_msg->dn),
201 win_errstr(werr));
202 TALLOC_FREE(frame);
203 return WERR_DS_DRA_SECRETS_DENIED;
204 }
205
206 /* The RODC can replicate and print tickets for itself. */
207 if (dom_sid_equal(&token_sids[PRIMARY_USER_SID_INDEX], rodc_machine_account_sid)) {
208 TALLOC_FREE(frame);
209 return WERR_OK;
210 }
211
212 if (never_reveal_sids &&
213 sid_list_match(num_token_sids,
214 token_sids,
215 num_never_reveal_sids,
216 never_reveal_sids)) {
217 TALLOC_FREE(frame);
218 return WERR_DS_DRA_SECRETS_DENIED;
219 }
220
221 if (reveal_sids &&
222 sid_list_match(num_token_sids,
223 token_sids,
224 num_reveal_sids,
225 reveal_sids)) {
226 TALLOC_FREE(frame);
227 return WERR_OK;
228 }
229
230 TALLOC_FREE(frame);
231 return WERR_DS_DRA_SECRETS_DENIED;
232
233 }
234
235 /*
236 * This is a wrapper for the above that pulls in the tokenGroups
237 * rather than relying on the caller providing those
238 */
239 WERROR samdb_confirm_rodc_allowed_to_repl_to(struct ldb_context *sam_ctx,
240 struct dom_sid *rodc_machine_account_sid,
241 struct ldb_message *rodc_msg,
242 struct ldb_message *obj_msg)
243 {
244 TALLOC_CTX *frame = talloc_stackframe();
245 WERROR werr;
246 uint32_t num_token_sids;
247 struct dom_sid *token_sids;
248 const struct dom_sid *object_sid = NULL;
249
250 object_sid = samdb_result_dom_sid(frame,
251 obj_msg,
252 "objectSid");
253 if (object_sid == NULL) {
254 return WERR_DS_DRA_BAD_DN;
255 }
256
257 /*
258 * The SID list needs to include itself as well as the tokenGroups.
259 *
260 * TODO determine if sIDHistory is required for this check
261 */
262 werr = samdb_result_sid_array_ndr(sam_ctx,
263 obj_msg,
264 frame, "tokenGroups",
265 &num_token_sids,
266 &token_sids,
267 object_sid);
268 if (!W_ERROR_IS_OK(werr) || token_sids==NULL) {
269 DBG_ERR("Failed to get tokenGroups on %s to confirm access via RODC %s: %s\n",
270 ldb_dn_get_linearized(obj_msg->dn),
271 ldb_dn_get_linearized(rodc_msg->dn),
272 win_errstr(werr));
273 return WERR_DS_DRA_SECRETS_DENIED;
274 }
275
276 werr = samdb_confirm_rodc_allowed_to_repl_to_sid_list(sam_ctx,
277 rodc_machine_account_sid,
278 rodc_msg,
279 obj_msg,
280 num_token_sids,
281 token_sids);
282 TALLOC_FREE(frame);
283 return werr;
284 }
Samba GIT mirror