source4/rpc_server/drsuapi/drsutil.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    useful utilities for the DRS server
   5
   6    Copyright (C) Andrew Tridgell 2009
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "rpc_server/dcerpc_server.h"
  24 #include "dsdb/samdb/samdb.h"
  25 #include "libcli/security/security.h"
  26 #include "libcli/security/session.h"
  27 #include "param/param.h"
  28 #include "auth/session.h"
  29 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
  30
  31 #undef DBGC_CLASS
  32 #define DBGC_CLASS            DBGC_DRS_REPL
  33
  34 int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
  35                                     TALLOC_CTX *mem_ctx,
  36                                     struct ldb_result **_res,
  37                                     struct ldb_dn *basedn,
  38                                     enum ldb_scope scope,
  39                                     const char * const *attrs,
  40                                     const char *filter)
  41 {
  42         int ret;
  43         struct ldb_request *req;
  44         TALLOC_CTX *tmp_ctx;
  45         struct ldb_result *res;
  46
  47         tmp_ctx = talloc_new(mem_ctx);
  48
  49         res = talloc_zero(tmp_ctx, struct ldb_result);
  50         if (!res) {
  51                 return LDB_ERR_OPERATIONS_ERROR;
  52         }
  53
  54         ret = ldb_build_search_req(&req, ldb, tmp_ctx,
  55                                    basedn,
  56                                    scope,
  57                                    filter,
  58                                    attrs,
  59                                    NULL,
  60                                    res,
  61                                    ldb_search_default_callback,
  62                                    NULL);
  63         if (ret != LDB_SUCCESS) {
  64                 talloc_free(tmp_ctx);
  65                 return ret;
  66         }
  67
  68         ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, NULL);
  69         if (ret != LDB_SUCCESS) {
  70                 return ret;
  71         }
  72
  73         ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_RECYCLED_OID, true, NULL);
  74         if (ret != LDB_SUCCESS) {
  75                 return ret;
  76         }
  77
  78         ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
  79         if (ret != LDB_SUCCESS) {
  80                 return ret;
  81         }
  82
  83         ret = ldb_request(ldb, req);
  84         if (ret == LDB_SUCCESS) {
  85                 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
  86         }
  87
  88         talloc_free(req);
  89         *_res = talloc_steal(mem_ctx, res);
  90         return ret;
  91 }
  92
  93 WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
  94                                 const char* call,
  95                                 enum security_user_level minimum_level,
  96                                 const struct dom_sid *domain_sid)
  97 {
  98         struct auth_session_info *session_info =
  99                 dcesrv_call_session_info(dce_call);
 100         enum security_user_level level;
 101
 102         if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
 103                          "drs", "disable_sec_check", false)) {
 104                 return WERR_OK;
 105         }
 106
 107         level = security_session_user_level(session_info, domain_sid);
 108         if (level < minimum_level) {
 109                 if (call) {
 110                         DEBUG(0,("%s refused for security token (level=%u)\n",
 111                                  call, (unsigned)level));
 112                         security_token_debug(DBGC_DRS_REPL, 2, session_info->security_token);
 113                 }
 114                 return WERR_DS_DRA_ACCESS_DENIED;
 115         }
 116
 117         return WERR_OK;
 118 }
 119
 120 void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
 121                                       struct drsuapi_DsReplicaMetaData *meta_data)
 122 {
 123         if (attr->value_ctr.num_values == 0) {
 124                 return;
 125         }
 126
 127         switch (attr->attid) {
 128         case DRSUAPI_ATTID_dBCSPwd:
 129         case DRSUAPI_ATTID_unicodePwd:
 130         case DRSUAPI_ATTID_ntPwdHistory:
 131         case DRSUAPI_ATTID_lmPwdHistory:
 132         case DRSUAPI_ATTID_supplementalCredentials:
 133         case DRSUAPI_ATTID_priorValue:
 134         case DRSUAPI_ATTID_currentValue:
 135         case DRSUAPI_ATTID_trustAuthOutgoing:
 136         case DRSUAPI_ATTID_trustAuthIncoming:
 137         case DRSUAPI_ATTID_initialAuthOutgoing:
 138         case DRSUAPI_ATTID_initialAuthIncoming:
 139                 /*set value to null*/
 140                 attr->value_ctr.num_values = 0;
 141                 talloc_free(attr->value_ctr.values);
 142                 attr->value_ctr.values = NULL;
 143                 meta_data->originating_change_time = 0;
 144                 return;
 145         default:
 146                 return;
 147         }
 148 }
 149
 150
 151 /*
 152   check security on a DN, with logging of errors
 153  */
 154 static WERROR drs_security_access_check_log(struct ldb_context *sam_ctx,
 155                                             TALLOC_CTX *mem_ctx,
 156                                             struct security_token *token,
 157                                             struct ldb_dn *dn,
 158                                             const char *ext_right)
 159 {
 160         int ret;
 161         if (!dn) {
 162                 DEBUG(3,("drs_security_access_check: Null dn provided, access is denied for %s\n",
 163                               ext_right));
 164                 return WERR_DS_DRA_ACCESS_DENIED;
 165         }
 166         ret = dsdb_check_access_on_dn(sam_ctx,
 167                                       mem_ctx,
 168                                       dn,
 169                                       token,
 170                                       SEC_ADS_CONTROL_ACCESS,
 171                                       ext_right);
 172         if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
 173                 DEBUG(3,("%s refused for security token on %s\n",
 174                          ext_right, ldb_dn_get_linearized(dn)));
 175                 security_token_debug(DBGC_DRS_REPL, 3, token);
 176                 return WERR_DS_DRA_ACCESS_DENIED;
 177         } else if (ret != LDB_SUCCESS) {
 178                 DEBUG(1,("Failed to perform access check on %s: %s\n", ldb_dn_get_linearized(dn), ldb_strerror(ret)));
 179                 return WERR_DS_DRA_INTERNAL_ERROR;
 180         }
 181         return WERR_OK;
 182 }
 183
 184
 185 /*
 186   check security on a object identifier
 187  */
 188 WERROR drs_security_access_check(struct ldb_context *sam_ctx,
 189                                  TALLOC_CTX *mem_ctx,
 190                                  struct security_token *token,
 191                                  struct drsuapi_DsReplicaObjectIdentifier *nc,
 192                                  const char *ext_right)
 193 {
 194         struct ldb_dn *dn;
 195         WERROR werr;
 196         int ret;
 197
 198         ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx,
 199                                                      sam_ctx,
 200                                                      nc,
 201                                                      &dn,
 202                                                      NULL);
 203         if (ret != LDB_SUCCESS) {
 204                 return WERR_DS_DRA_BAD_DN;
 205         }
 206
 207         werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, dn, ext_right);
 208         talloc_free(dn);
 209         return werr;
 210 }
 211
 212 /*
 213   check security on the NC root of a object identifier
 214  */
 215 WERROR drs_security_access_check_nc_root(struct ldb_context *sam_ctx,
 216                                          TALLOC_CTX *mem_ctx,
 217                                          struct security_token *token,
 218                                          struct drsuapi_DsReplicaObjectIdentifier *nc,
 219                                          const char *ext_right)
 220 {
 221         struct ldb_dn *nc_root;
 222         WERROR werr;
 223         int ret;
 224
 225         ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx,
 226                                                      sam_ctx,
 227                                                      nc,
 228                                                      NULL,
 229                                                      &nc_root);
 230         if (ret != LDB_SUCCESS) {
 231                 return WERR_DS_DRA_BAD_NC;
 232         }
 233
 234         werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, nc_root, ext_right);
 235         talloc_free(nc_root);
 236         return werr;
 237 }