2 Unix SMB/CIFS implementation.
4 implement the DsWriteAccountSpn call
6 Copyright (C) Stefan Metzmacher 2009
7 Copyright (C) Andrew Tridgell 2010
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "rpc_server/dcerpc_server.h"
25 #include "dsdb/samdb/samdb.h"
26 #include "dsdb/common/util.h"
27 #include "system/kerberos.h"
28 #include "auth/kerberos/kerberos.h"
29 #include "libcli/security/security.h"
30 #include "libcli/security/session.h"
31 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
32 #include "auth/session.h"
35 check that the SPN update should be allowed as an override
38 This is only called if the client is not a domain controller or
41 static bool writespn_check_spn(struct drsuapi_bind_state
*b_state
,
42 struct dcesrv_call_state
*dce_call
,
47 * we only allow SPN updates if:
49 * 1) they are on the clients own account object
50 * 2) they are of the form SERVICE/dnshostname
52 struct dom_sid
*user_sid
, *sid
;
53 TALLOC_CTX
*tmp_ctx
= talloc_new(dce_call
);
54 struct ldb_result
*res
;
55 const char *attrs
[] = { "objectSID", "dNSHostName", NULL
};
59 krb5_principal principal
;
61 const char *dns_name
, *dnsHostName
;
63 /* The service principal name shouldn't be NULL */
70 get the objectSid of the DN that is being modified, and
71 check it matches the user_sid in their token
74 ret
= dsdb_search_dn(b_state
->sam_ctx
, tmp_ctx
, &res
, dn
, attrs
,
75 DSDB_SEARCH_ONE_ONLY
);
76 if (ret
!= LDB_SUCCESS
) {
81 user_sid
= &dce_call
->conn
->auth_state
.session_info
->security_token
->sids
[PRIMARY_USER_SID_INDEX
];
82 sid
= samdb_result_dom_sid(tmp_ctx
, res
->msgs
[0], "objectSid");
88 dnsHostName
= ldb_msg_find_attr_as_string(res
->msgs
[0], "dNSHostName",
90 if (dnsHostName
== NULL
) {
95 if (!dom_sid_equal(sid
, user_sid
)) {
100 kerr
= smb_krb5_init_context_basic(tmp_ctx
,
101 dce_call
->conn
->dce_ctx
->lp_ctx
,
104 talloc_free(tmp_ctx
);
108 ret
= krb5_parse_name_flags(krb_ctx
, spn
, KRB5_PRINCIPAL_PARSE_NO_REALM
,
111 krb5_free_context(krb_ctx
);
112 talloc_free(tmp_ctx
);
116 if (krb5_princ_size(krb_ctx
, principal
) != 2) {
117 krb5_free_principal(krb_ctx
, principal
);
118 krb5_free_context(krb_ctx
);
119 talloc_free(tmp_ctx
);
123 component
= krb5_princ_component(krb_ctx
, principal
, 1);
124 dns_name
= (const char *)component
->data
;
126 if (strcasecmp(dns_name
, dnsHostName
) != 0) {
127 krb5_free_principal(krb_ctx
, principal
);
128 krb5_free_context(krb_ctx
);
129 talloc_free(tmp_ctx
);
133 /* its a simple update on their own account - allow it with
134 * permissions override */
135 krb5_free_principal(krb_ctx
, principal
);
136 krb5_free_context(krb_ctx
);
137 talloc_free(tmp_ctx
);
143 drsuapi_DsWriteAccountSpn
145 WERROR
dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state
*dce_call
, TALLOC_CTX
*mem_ctx
,
146 struct drsuapi_DsWriteAccountSpn
*r
)
148 struct drsuapi_bind_state
*b_state
;
149 struct dcesrv_handle
*h
;
150 enum security_user_level level
;
152 *r
->out
.level_out
= r
->in
.level
;
154 DCESRV_PULL_HANDLE_WERR(h
, r
->in
.bind_handle
, DRSUAPI_BIND_HANDLE
);
157 r
->out
.res
= talloc(mem_ctx
, union drsuapi_DsWriteAccountSpnResult
);
158 W_ERROR_HAVE_NO_MEMORY(r
->out
.res
);
160 level
= security_session_user_level(dce_call
->conn
->auth_state
.session_info
, NULL
);
162 switch (r
->in
.level
) {
164 struct drsuapi_DsWriteAccountSpnRequest1
*req
;
165 struct ldb_message
*msg
;
169 unsigned spn_count
=0;
170 bool passed_checks
= true;
171 struct ldb_context
*sam_ctx
;
173 req
= &r
->in
.req
->req1
;
176 msg
= ldb_msg_new(mem_ctx
);
181 msg
->dn
= ldb_dn_new(msg
, b_state
->sam_ctx
,
183 if ( ! ldb_dn_validate(msg
->dn
)) {
184 r
->out
.res
->res1
.status
= WERR_OK
;
189 for (i
= 0; i
< count
; i
++) {
190 if (!writespn_check_spn(b_state
,
193 req
->spn_names
[i
].str
)) {
194 passed_checks
= false;
196 ret
= ldb_msg_add_string(msg
,
197 "servicePrincipalName",
198 req
->spn_names
[i
].str
);
199 if (ret
!= LDB_SUCCESS
) {
205 if (msg
->num_elements
== 0) {
206 DEBUG(2,("No SPNs need changing on %s\n",
207 ldb_dn_get_linearized(msg
->dn
)));
208 r
->out
.res
->res1
.status
= WERR_OK
;
212 for (i
=0;i
<msg
->num_elements
;i
++) {
213 switch (req
->operation
) {
214 case DRSUAPI_DS_SPN_OPERATION_ADD
:
215 msg
->elements
[i
].flags
= LDB_FLAG_MOD_ADD
;
217 case DRSUAPI_DS_SPN_OPERATION_REPLACE
:
218 msg
->elements
[i
].flags
= LDB_FLAG_MOD_REPLACE
;
220 case DRSUAPI_DS_SPN_OPERATION_DELETE
:
221 msg
->elements
[i
].flags
= LDB_FLAG_MOD_DELETE
;
226 if (passed_checks
&& b_state
->sam_ctx_system
) {
227 sam_ctx
= b_state
->sam_ctx_system
;
229 sam_ctx
= b_state
->sam_ctx
;
232 /* Apply to database */
233 ret
= dsdb_modify(sam_ctx
, msg
, DSDB_MODIFY_PERMISSIVE
);
234 if (ret
!= LDB_SUCCESS
) {
235 DEBUG(0,("Failed to modify SPNs on %s: %s\n",
236 ldb_dn_get_linearized(msg
->dn
),
237 ldb_errstring(b_state
->sam_ctx
)));
238 r
->out
.res
->res1
.status
= WERR_ACCESS_DENIED
;
240 DEBUG(2,("Modified %u SPNs on %s\n", spn_count
,
241 ldb_dn_get_linearized(msg
->dn
)));
242 r
->out
.res
->res1
.status
= WERR_OK
;
249 return WERR_UNKNOWN_LEVEL
;