2 Unix SMB/CIFS implementation.
4 common sid helper functions
6 Copyright (C) Catalyst.NET Ltd 2017
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "rpc_server/dcerpc_server.h"
24 #include "librpc/gen_ndr/ndr_security.h"
25 #include "source4/dsdb/samdb/samdb.h"
26 #include "libcli/security/security.h"
29 see if any SIDs in list1 are in list2
31 static bool sid_list_match(uint32_t num_sids1
,
32 const struct dom_sid
*list1
,
34 const struct dom_sid
*list2
)
37 /* do we ever have enough SIDs here to worry about O(n^2) ? */
38 for (i
=0; i
< num_sids1
; i
++) {
39 for (j
=0; j
< num_sids2
; j
++) {
40 if (dom_sid_equal(&list1
[i
], &list2
[j
])) {
49 * Return an array of SIDs from a ldb_message given an attribute name assumes
50 * the SIDs are in NDR form (with primary_sid applied on the start).
52 static WERROR
samdb_result_sid_array_ndr(struct ldb_context
*sam_ctx
,
53 struct ldb_message
*msg
,
57 struct dom_sid
**sids
,
58 const struct dom_sid
*primary_sid
)
60 struct ldb_message_element
*el
;
63 el
= ldb_msg_find_element(msg
, attr
);
69 /* Make array long enough for NULL and additional SID */
70 (*sids
) = talloc_array(mem_ctx
, struct dom_sid
,
72 W_ERROR_HAVE_NO_MEMORY(*sids
);
74 (*sids
)[PRIMARY_USER_SID_INDEX
] = *primary_sid
;
76 for (i
= 0; i
<el
->num_values
; i
++) {
77 enum ndr_err_code ndr_err
;
78 struct dom_sid sid
= { 0, };
80 ndr_err
= ndr_pull_struct_blob_all_noalloc(&el
->values
[i
], &sid
,
81 (ndr_pull_flags_fn_t
)ndr_pull_dom_sid
);
82 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
83 return WERR_INTERNAL_DB_CORRUPTION
;
85 /* Primary SID is already in position zero. */
95 return an array of SIDs from a ldb_message given an attribute name
96 assumes the SIDs are in extended DN format
98 WERROR
samdb_result_sid_array_dn(struct ldb_context
*sam_ctx
,
99 const struct ldb_message
*msg
,
103 struct dom_sid
**sids
)
105 struct ldb_message_element
*el
;
108 el
= ldb_msg_find_element(msg
, attr
);
114 (*sids
) = talloc_array(mem_ctx
, struct dom_sid
, el
->num_values
+ 1);
115 W_ERROR_HAVE_NO_MEMORY(*sids
);
117 for (i
=0; i
<el
->num_values
; i
++) {
118 struct ldb_dn
*dn
= ldb_dn_from_ldb_val(mem_ctx
, sam_ctx
, &el
->values
[i
]);
120 struct dom_sid sid
= { 0, };
122 status
= dsdb_get_extended_dn_sid(dn
, &sid
, "SID");
123 if (!NT_STATUS_IS_OK(status
)) {
124 return WERR_INTERNAL_DB_CORRUPTION
;
133 WERROR
samdb_confirm_rodc_allowed_to_repl_to_sid_list(struct ldb_context
*sam_ctx
,
134 const struct dom_sid
*rodc_machine_account_sid
,
135 const struct ldb_message
*rodc_msg
,
136 const struct ldb_message
*obj_msg
,
137 uint32_t num_token_sids
,
138 const struct dom_sid
*token_sids
)
140 uint32_t num_never_reveal_sids
, num_reveal_sids
;
141 struct dom_sid
*never_reveal_sids
, *reveal_sids
;
142 TALLOC_CTX
*frame
= talloc_stackframe();
147 * We are not allowed to get anyone elses krbtgt secrets (and
148 * in callers that don't shortcut before this, the RODC should
149 * not deal with any krbtgt)
151 if (samdb_result_dn(sam_ctx
, frame
,
152 obj_msg
, "msDS-KrbTgtLinkBL", NULL
)) {
154 DBG_INFO("Denied attempt to replicate to/act as a RODC krbtgt trust account %s using RODC: %s\n",
155 ldb_dn_get_linearized(obj_msg
->dn
),
156 ldb_dn_get_linearized(rodc_msg
->dn
));
157 return WERR_DS_DRA_SECRETS_DENIED
;
160 if (ldb_msg_find_attr_as_uint(obj_msg
,
161 "userAccountControl", 0) &
162 UF_INTERDOMAIN_TRUST_ACCOUNT
) {
163 DBG_INFO("Denied attempt to replicate to/act as a inter-domain trust account %s using RODC: %s\n",
164 ldb_dn_get_linearized(obj_msg
->dn
),
165 ldb_dn_get_linearized(rodc_msg
->dn
));
167 return WERR_DS_DRA_SECRETS_DENIED
;
170 /* Be very sure the RODC is really an RODC */
171 rodc_uac
= ldb_msg_find_attr_as_uint(rodc_msg
,
172 "userAccountControl",
174 if ((rodc_uac
& UF_PARTIAL_SECRETS_ACCOUNT
)
175 != UF_PARTIAL_SECRETS_ACCOUNT
) {
176 DBG_ERR("Attempt to use an RODC account that is not an RODC: %s\n",
177 ldb_dn_get_linearized(rodc_msg
->dn
));
179 return WERR_DOMAIN_CONTROLLER_NOT_FOUND
;
182 werr
= samdb_result_sid_array_dn(sam_ctx
, rodc_msg
,
183 frame
, "msDS-NeverRevealGroup",
184 &num_never_reveal_sids
,
186 if (!W_ERROR_IS_OK(werr
)) {
187 DBG_ERR("Failed to parse msDS-NeverRevealGroup on %s: %s\n",
188 ldb_dn_get_linearized(rodc_msg
->dn
),
191 return WERR_DS_DRA_SECRETS_DENIED
;
194 werr
= samdb_result_sid_array_dn(sam_ctx
, rodc_msg
,
195 frame
, "msDS-RevealOnDemandGroup",
198 if (!W_ERROR_IS_OK(werr
)) {
199 DBG_ERR("Failed to parse msDS-RevealOnDemandGroup on %s: %s\n",
200 ldb_dn_get_linearized(rodc_msg
->dn
),
203 return WERR_DS_DRA_SECRETS_DENIED
;
206 /* The RODC can replicate and print tickets for itself. */
207 if (dom_sid_equal(&token_sids
[PRIMARY_USER_SID_INDEX
], rodc_machine_account_sid
)) {
212 if (never_reveal_sids
&&
213 sid_list_match(num_token_sids
,
215 num_never_reveal_sids
,
216 never_reveal_sids
)) {
218 return WERR_DS_DRA_SECRETS_DENIED
;
222 sid_list_match(num_token_sids
,
231 return WERR_DS_DRA_SECRETS_DENIED
;
236 * This is a wrapper for the above that pulls in the tokenGroups
237 * rather than relying on the caller providing those
239 WERROR
samdb_confirm_rodc_allowed_to_repl_to(struct ldb_context
*sam_ctx
,
240 struct dom_sid
*rodc_machine_account_sid
,
241 struct ldb_message
*rodc_msg
,
242 struct ldb_message
*obj_msg
)
244 TALLOC_CTX
*frame
= talloc_stackframe();
246 uint32_t num_token_sids
;
247 struct dom_sid
*token_sids
;
248 const struct dom_sid
*object_sid
= NULL
;
250 object_sid
= samdb_result_dom_sid(frame
,
253 if (object_sid
== NULL
) {
254 return WERR_DS_DRA_BAD_DN
;
258 * The SID list needs to include itself as well as the tokenGroups.
260 * TODO determine if sIDHistory is required for this check
262 werr
= samdb_result_sid_array_ndr(sam_ctx
,
264 frame
, "tokenGroups",
268 if (!W_ERROR_IS_OK(werr
) || token_sids
==NULL
) {
269 DBG_ERR("Failed to get tokenGroups on %s to confirm access via RODC %s: %s\n",
270 ldb_dn_get_linearized(obj_msg
->dn
),
271 ldb_dn_get_linearized(rodc_msg
->dn
),
273 return WERR_DS_DRA_SECRETS_DENIED
;
276 werr
= samdb_confirm_rodc_allowed_to_repl_to_sid_list(sam_ctx
,
277 rodc_machine_account_sid
,