search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:lib: remove unused connections_fetch_entry*() and connections_init()
[Samba/gebeck_regimport.git] / source4 / rpc_server / drsuapi / writespn.c
blobccf612be5683d7ffefa182270aa8c3d91399683c
1 /*
2 Unix SMB/CIFS implementation.
3
4 implement the DsWriteAccountSpn call
5
6 Copyright (C) Stefan Metzmacher 2009
7 Copyright (C) Andrew Tridgell 2010
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "rpc_server/dcerpc_server.h"
25 #include "dsdb/samdb/samdb.h"
26 #include "dsdb/common/util.h"
27 #include "system/kerberos.h"
28 #include "auth/kerberos/kerberos.h"
29 #include "libcli/security/security.h"
30 #include "libcli/security/session.h"
31 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
32 #include "auth/session.h"
33
34 /*
35 check that the SPN update should be allowed as an override
36 via sam_ctx_system
37
38 This is only called if the client is not a domain controller or
39 administrator
40 */
41 static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
42 struct dcesrv_call_state *dce_call,
43 struct ldb_dn *dn,
44 const char *spn)
45 {
46 /*
47 * we only allow SPN updates if:
48 *
49 * 1) they are on the clients own account object
50 * 2) they are of the form SERVICE/dnshostname
51 */
52 struct dom_sid *user_sid, *sid;
53 TALLOC_CTX *tmp_ctx = talloc_new(dce_call);
54 struct ldb_result *res;
55 const char *attrs[] = { "objectSID", "dNSHostName", NULL };
56 int ret;
57 krb5_context krb_ctx;
58 krb5_error_code kerr;
59 krb5_principal principal;
60 krb5_data *component;
61 const char *dns_name, *dnsHostName;
62
63 /* The service principal name shouldn't be NULL */
64 if (spn == NULL) {
65 talloc_free(tmp_ctx);
66 return false;
67 }
68
69 /*
70 get the objectSid of the DN that is being modified, and
71 check it matches the user_sid in their token
72 */
73
74 ret = dsdb_search_dn(b_state->sam_ctx, tmp_ctx, &res, dn, attrs,
75 DSDB_SEARCH_ONE_ONLY);
76 if (ret != LDB_SUCCESS) {
77 talloc_free(tmp_ctx);
78 return false;
79 }
80
81 user_sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
82 sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
83 if (sid == NULL) {
84 talloc_free(tmp_ctx);
85 return false;
86 }
87
88 dnsHostName = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName",
89 NULL);
90 if (dnsHostName == NULL) {
91 talloc_free(tmp_ctx);
92 return false;
93 }
94
95 if (!dom_sid_equal(sid, user_sid)) {
96 talloc_free(tmp_ctx);
97 return false;
98 }
99
100 kerr = smb_krb5_init_context_basic(tmp_ctx,
101 dce_call->conn->dce_ctx->lp_ctx,
102 &krb_ctx);
103 if (kerr != 0) {
104 talloc_free(tmp_ctx);
105 return false;
106 }
107
108 ret = krb5_parse_name_flags(krb_ctx, spn, KRB5_PRINCIPAL_PARSE_NO_REALM,
109 &principal);
110 if (kerr != 0) {
111 krb5_free_context(krb_ctx);
112 talloc_free(tmp_ctx);
113 return false;
114 }
115
116 if (krb5_princ_size(krb_ctx, principal) != 2) {
117 krb5_free_principal(krb_ctx, principal);
118 krb5_free_context(krb_ctx);
119 talloc_free(tmp_ctx);
120 return false;
121 }
122
123 component = krb5_princ_component(krb_ctx, principal, 1);
124 dns_name = (const char *)component->data;
125
126 if (strcasecmp(dns_name, dnsHostName) != 0) {
127 krb5_free_principal(krb_ctx, principal);
128 krb5_free_context(krb_ctx);
129 talloc_free(tmp_ctx);
130 return false;
131 }
132
133 /* its a simple update on their own account - allow it with
134 * permissions override */
135 krb5_free_principal(krb_ctx, principal);
136 krb5_free_context(krb_ctx);
137 talloc_free(tmp_ctx);
138
139 return true;
140 }
141
142 /*
143 drsuapi_DsWriteAccountSpn
144 */
145 WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
146 struct drsuapi_DsWriteAccountSpn *r)
147 {
148 struct drsuapi_bind_state *b_state;
149 struct dcesrv_handle *h;
150 enum security_user_level level;
151
152 *r->out.level_out = r->in.level;
153
154 DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
155 b_state = h->data;
156
157 r->out.res = talloc(mem_ctx, union drsuapi_DsWriteAccountSpnResult);
158 W_ERROR_HAVE_NO_MEMORY(r->out.res);
159
160 level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
161
162 switch (r->in.level) {
163 case 1: {
164 struct drsuapi_DsWriteAccountSpnRequest1 *req;
165 struct ldb_message *msg;
166 uint32_t count;
167 unsigned int i;
168 int ret;
169 unsigned spn_count=0;
170 bool passed_checks = true;
171 struct ldb_context *sam_ctx;
172
173 req = &r->in.req->req1;
174 count = req->count;
175
176 msg = ldb_msg_new(mem_ctx);
177 if (msg == NULL) {
178 return WERR_NOMEM;
179 }
180
181 msg->dn = ldb_dn_new(msg, b_state->sam_ctx,
182 req->object_dn);
183 if ( ! ldb_dn_validate(msg->dn)) {
184 r->out.res->res1.status = WERR_OK;
185 return WERR_OK;
186 }
187
188 /* construct mods */
189 for (i = 0; i < count; i++) {
190 if (!writespn_check_spn(b_state,
191 dce_call,
192 msg->dn,
193 req->spn_names[i].str)) {
194 passed_checks = false;
195 }
196 ret = ldb_msg_add_string(msg,
197 "servicePrincipalName",
198 req->spn_names[i].str);
199 if (ret != LDB_SUCCESS) {
200 return WERR_NOMEM;
201 }
202 spn_count++;
203 }
204
205 if (msg->num_elements == 0) {
206 DEBUG(2,("No SPNs need changing on %s\n",
207 ldb_dn_get_linearized(msg->dn)));
208 r->out.res->res1.status = WERR_OK;
209 return WERR_OK;
210 }
211
212 for (i=0;i<msg->num_elements;i++) {
213 switch (req->operation) {
214 case DRSUAPI_DS_SPN_OPERATION_ADD:
215 msg->elements[i].flags = LDB_FLAG_MOD_ADD;
216 break;
217 case DRSUAPI_DS_SPN_OPERATION_REPLACE:
218 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
219 break;
220 case DRSUAPI_DS_SPN_OPERATION_DELETE:
221 msg->elements[i].flags = LDB_FLAG_MOD_DELETE;
222 break;
223 }
224 }
225
226 if (passed_checks && b_state->sam_ctx_system) {
227 sam_ctx = b_state->sam_ctx_system;
228 } else {
229 sam_ctx = b_state->sam_ctx;
230 }
231
232 /* Apply to database */
233 ret = dsdb_modify(sam_ctx, msg, DSDB_MODIFY_PERMISSIVE);
234 if (ret != LDB_SUCCESS) {
235 DEBUG(0,("Failed to modify SPNs on %s: %s\n",
236 ldb_dn_get_linearized(msg->dn),
237 ldb_errstring(b_state->sam_ctx)));
238 r->out.res->res1.status = WERR_ACCESS_DENIED;
239 } else {
240 DEBUG(2,("Modified %u SPNs on %s\n", spn_count,
241 ldb_dn_get_linearized(msg->dn)));
242 r->out.res->res1.status = WERR_OK;
243 }
244
245 return WERR_OK;
246 }
247 }
248
249 return WERR_UNKNOWN_LEVEL;
250 }
reg import