Fix typo in warning message
[Samba/gebeck_regimport.git] / source4 / rpc_server / drsuapi / drsutil.c
blobd3b8d23b708d1240756275070115c1b5db5ac6e9
1 /*
2 Unix SMB/CIFS implementation.
4 useful utilities for the DRS server
6 Copyright (C) Andrew Tridgell 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "includes.h"
23 #include "rpc_server/dcerpc_server.h"
24 #include "dsdb/samdb/samdb.h"
25 #include "libcli/security/security.h"
26 #include "libcli/security/session.h"
27 #include "param/param.h"
28 #include "auth/session.h"
29 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
31 int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
32 TALLOC_CTX *mem_ctx,
33 struct ldb_result **_res,
34 struct ldb_dn *basedn,
35 enum ldb_scope scope,
36 const char * const *attrs,
37 const char *filter)
39 int ret;
40 struct ldb_request *req;
41 TALLOC_CTX *tmp_ctx;
42 struct ldb_result *res;
44 tmp_ctx = talloc_new(mem_ctx);
46 res = talloc_zero(tmp_ctx, struct ldb_result);
47 if (!res) {
48 return LDB_ERR_OPERATIONS_ERROR;
51 ret = ldb_build_search_req(&req, ldb, tmp_ctx,
52 basedn,
53 scope,
54 filter,
55 attrs,
56 NULL,
57 res,
58 ldb_search_default_callback,
59 NULL);
60 if (ret != LDB_SUCCESS) {
61 talloc_free(tmp_ctx);
62 return ret;
65 ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, NULL);
66 if (ret != LDB_SUCCESS) {
67 return ret;
70 ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_RECYCLED_OID, true, NULL);
71 if (ret != LDB_SUCCESS) {
72 return ret;
75 ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
76 if (ret != LDB_SUCCESS) {
77 return ret;
80 ret = ldb_request(ldb, req);
81 if (ret == LDB_SUCCESS) {
82 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
85 talloc_free(req);
86 *_res = talloc_steal(mem_ctx, res);
87 return ret;
90 WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
91 const char* call,
92 enum security_user_level minimum_level,
93 const struct dom_sid *domain_sid)
95 enum security_user_level level;
97 if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
98 "drs", "disable_sec_check", false)) {
99 return WERR_OK;
102 level = security_session_user_level(dce_call->conn->auth_state.session_info, domain_sid);
103 if (level < minimum_level) {
104 if (call) {
105 DEBUG(0,("%s refused for security token (level=%u)\n",
106 call, (unsigned)level));
107 security_token_debug(0, 2, dce_call->conn->auth_state.session_info->security_token);
109 return WERR_DS_DRA_ACCESS_DENIED;
112 return WERR_OK;
115 void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
116 struct drsuapi_DsReplicaMetaData *meta_data)
118 if (attr->value_ctr.num_values == 0) {
119 return;
122 switch (attr->attid) {
123 case DRSUAPI_ATTID_dBCSPwd:
124 case DRSUAPI_ATTID_unicodePwd:
125 case DRSUAPI_ATTID_ntPwdHistory:
126 case DRSUAPI_ATTID_lmPwdHistory:
127 case DRSUAPI_ATTID_supplementalCredentials:
128 case DRSUAPI_ATTID_priorValue:
129 case DRSUAPI_ATTID_currentValue:
130 case DRSUAPI_ATTID_trustAuthOutgoing:
131 case DRSUAPI_ATTID_trustAuthIncoming:
132 case DRSUAPI_ATTID_initialAuthOutgoing:
133 case DRSUAPI_ATTID_initialAuthIncoming:
134 /*set value to null*/
135 attr->value_ctr.num_values = 0;
136 talloc_free(attr->value_ctr.values);
137 attr->value_ctr.values = NULL;
138 meta_data->originating_change_time = 0;
139 return;
140 default:
141 return;
147 check security on a DN, with logging of errors
149 static WERROR drs_security_access_check_log(struct ldb_context *sam_ctx,
150 TALLOC_CTX *mem_ctx,
151 struct security_token *token,
152 struct ldb_dn *dn,
153 const char *ext_right)
155 int ret;
156 if (!dn) {
157 DEBUG(3,("drs_security_access_check: Null dn provided, access is denied for %s\n",
158 ext_right));
159 return WERR_DS_DRA_ACCESS_DENIED;
161 ret = dsdb_check_access_on_dn(sam_ctx,
162 mem_ctx,
164 token,
165 SEC_ADS_CONTROL_ACCESS,
166 ext_right);
167 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
168 DEBUG(3,("%s refused for security token on %s\n",
169 ext_right, ldb_dn_get_linearized(dn)));
170 security_token_debug(2, 0, token);
171 return WERR_DS_DRA_ACCESS_DENIED;
172 } else if (ret != LDB_SUCCESS) {
173 DEBUG(1,("Failed to perform access check on %s\n", ldb_dn_get_linearized(dn)));
174 return WERR_DS_DRA_INTERNAL_ERROR;
176 return WERR_OK;
181 check security on a object identifier
183 WERROR drs_security_access_check(struct ldb_context *sam_ctx,
184 TALLOC_CTX *mem_ctx,
185 struct security_token *token,
186 struct drsuapi_DsReplicaObjectIdentifier *nc,
187 const char *ext_right)
189 struct ldb_dn *dn = drs_ObjectIdentifier_to_dn(mem_ctx, sam_ctx, nc);
190 WERROR werr;
191 werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, dn, ext_right);
192 talloc_free(dn);
193 return werr;
197 check security on the NC root of a object identifier
199 WERROR drs_security_access_check_nc_root(struct ldb_context *sam_ctx,
200 TALLOC_CTX *mem_ctx,
201 struct security_token *token,
202 struct drsuapi_DsReplicaObjectIdentifier *nc,
203 const char *ext_right)
205 struct ldb_dn *dn, *nc_root;
206 WERROR werr;
207 int ret;
209 dn = drs_ObjectIdentifier_to_dn(mem_ctx, sam_ctx, nc);
210 W_ERROR_HAVE_NO_MEMORY(dn);
211 ret = dsdb_find_nc_root(sam_ctx, dn, dn, &nc_root);
212 if (ret != LDB_SUCCESS) {
213 return WERR_DS_CANT_FIND_EXPECTED_NC;
215 werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, nc_root, ext_right);
216 talloc_free(dn);
217 return werr;