search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
selftest/knownfail.d: move encrypted_secrets to expectedfail.d
[samba.git] / source4 / dsdb / samdb / samdb.c
blob42375a8437ba58154388581bfebde98dacb49724
1 /*
2 Unix SMB/CIFS implementation.
3
4 interface functions for the sam database
5
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Volker Lendecke 2004
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "librpc/gen_ndr/ndr_netlogon.h"
26 #include "librpc/gen_ndr/ndr_security.h"
27 #include "lib/events/events.h"
28 #include "lib/ldb-samba/ldb_wrap.h"
29 #include <ldb.h>
30 #include <ldb_errors.h>
31 #include "libcli/security/security.h"
32 #include "libcli/security/claims-conversions.h"
33 #include "libcli/auth/libcli_auth.h"
34 #include "libcli/ldap/ldap_ndr.h"
35 #include "system/time.h"
36 #include "system/filesys.h"
37 #include "ldb_wrap.h"
38 #include "../lib/util/util_ldb.h"
39 #include "dsdb/samdb/samdb.h"
40 #include "../libds/common/flags.h"
41 #include "param/param.h"
42 #include "lib/events/events.h"
43 #include "auth/credentials/credentials.h"
44 #include "param/secrets.h"
45 #include "auth/auth.h"
46 #include "lib/tsocket/tsocket.h"
47 #include "lib/param/loadparm.h"
48
49 /*
50 connect to the SAM database specified by URL
51 return an opaque context pointer on success, or NULL on failure
52 */
53 int samdb_connect_url(TALLOC_CTX *mem_ctx,
54 struct tevent_context *ev_ctx,
55 struct loadparm_context *lp_ctx,
56 struct auth_session_info *session_info,
57 unsigned int flags,
58 const char *url,
59 const struct tsocket_address *remote_address,
60 struct ldb_context **ldb_ret,
61 char **errstring)
62 {
63 struct ldb_context *ldb = NULL;
64 int ret;
65 *ldb_ret = NULL;
66 *errstring = NULL;
67
68 /* We create sam.ldb in provision, and never anywhere else */
69 flags |= LDB_FLG_DONT_CREATE_DB;
70
71 if (remote_address == NULL) {
72 ldb = ldb_wrap_find(url, ev_ctx, lp_ctx,
73 session_info, NULL, flags);
74 if (ldb != NULL) {
75 *ldb_ret = talloc_reference(mem_ctx, ldb);
76 if (*ldb_ret == NULL) {
77 return LDB_ERR_OPERATIONS_ERROR;
78 }
79 return LDB_SUCCESS;
80 }
81 }
82
83 ldb = samba_ldb_init(mem_ctx, ev_ctx, lp_ctx, session_info, NULL);
84
85 if (ldb == NULL) {
86 *errstring = talloc_asprintf(mem_ctx,
87 "Failed to set up Samba ldb "
88 "wrappers with samba_ldb_init() "
89 "to connect to %s",
90 url);
91 return LDB_ERR_OPERATIONS_ERROR;
92 }
93
94 dsdb_set_global_schema(ldb);
95
96 ret = samba_ldb_connect(ldb, lp_ctx, url, flags);
97 if (ret != LDB_SUCCESS) {
98 *errstring = talloc_asprintf(mem_ctx,
99 "Failed to connect to %s: %s",
100 url,
101 ldb_errstring(ldb));
102 talloc_free(ldb);
103 return LDB_ERR_OPERATIONS_ERROR;
104 }
105
106 /*
107 * If a remote_address was specified, then set it on the DB
108 * and do not add to the wrap list (as we need to keep the LDB
109 * pointer unique for the address).
110 *
111 * We use this for audit logging and for the "netlogon" attribute
112 */
113 if (remote_address != NULL) {
114 ldb_set_opaque(ldb, "remoteAddress",
115 discard_const(remote_address));
116 *ldb_ret = ldb;
117 return LDB_SUCCESS;
118 }
119
120 if (!ldb_wrap_add(url, ev_ctx, lp_ctx, session_info, NULL, flags, ldb)) {
121 *errstring = talloc_asprintf(mem_ctx,
122 "Failed to add cached DB reference"
123 " to %s",
124 url);
125 talloc_free(ldb);
126 return LDB_ERR_OPERATIONS_ERROR;
127 }
128
129 *ldb_ret = ldb;
130 return LDB_SUCCESS;
131 }
132
133
134 /*
135 connect to the SAM database
136 return an opaque context pointer on success, or NULL on failure
137 */
138 struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
139 struct tevent_context *ev_ctx,
140 struct loadparm_context *lp_ctx,
141 struct auth_session_info *session_info,
142 const struct tsocket_address *remote_address,
143 unsigned int flags)
144 {
145 char *errstring;
146 struct ldb_context *ldb;
147 int ret = samdb_connect_url(mem_ctx,
148 ev_ctx,
149 lp_ctx,
150 session_info,
151 flags,
152 "sam.ldb",
153 remote_address,
154 &ldb,
155 &errstring);
156 if (ret == LDB_SUCCESS) {
157 return ldb;
158 }
159 return NULL;
160 }
161
162 /****************************************************************************
163 Create the SID list for this user.
164 ****************************************************************************/
165 NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
166 struct loadparm_context *lp_ctx,
167 uint32_t num_sids,
168 const struct auth_SidAttr *sids,
169 uint32_t num_device_sids,
170 const struct auth_SidAttr *device_sids,
171 struct auth_claims auth_claims,
172 uint32_t session_info_flags,
173 struct security_token **token)
174 {
175 struct security_token *ptoken;
176 uint32_t i;
177 NTSTATUS status;
178 enum claims_evaluation_control evaluate_claims;
179 bool sids_are_valid = false;
180 bool device_sids_are_valid = false;
181 bool authentication_was_compounded = session_info_flags & AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION;
182
183 /*
184 * Some special-case callers can't supply the lp_ctx, but do
185 * not interact with claims or conditional ACEs
186 */
187 if (lp_ctx == NULL) {
188 evaluate_claims = CLAIMS_EVALUATION_INVALID_STATE;
189 } else {
190 enum acl_claims_evaluation claims_evaultion_setting
191 = lpcfg_acl_claims_evaluation(lp_ctx);
192
193 /*
194 * We are well inside the AD DC, so we do not need to check
195 * the server role etc
196 */
197 switch (claims_evaultion_setting) {
198 case ACL_CLAIMS_EVALUATION_AD_DC_ONLY:
199 evaluate_claims = CLAIMS_EVALUATION_ALWAYS;
200 break;
201 default:
202 evaluate_claims = CLAIMS_EVALUATION_NEVER;
203 }
204 }
205
206 ptoken = security_token_initialise(mem_ctx, evaluate_claims);
207 NT_STATUS_HAVE_NO_MEMORY(ptoken);
208
209 if (num_sids > UINT32_MAX - 6) {
210 talloc_free(ptoken);
211 return NT_STATUS_INVALID_PARAMETER;
212 }
213 ptoken->sids = talloc_array(ptoken, struct dom_sid, num_sids + 6 /* over-allocate */);
214 if (ptoken->sids == NULL) {
215 talloc_free(ptoken);
216 return NT_STATUS_NO_MEMORY;
217 }
218
219 ptoken->num_sids = 0;
220
221 for (i = 0; i < num_sids; i++) {
222 uint32_t check_sid_idx;
223 for (check_sid_idx = 0;
224 check_sid_idx < ptoken->num_sids;
225 check_sid_idx++) {
226 if (dom_sid_equal(&ptoken->sids[check_sid_idx], &sids[i].sid)) {
227 break;
228 }
229 }
230
231 if (check_sid_idx == ptoken->num_sids) {
232 const struct dom_sid *sid = &sids[i].sid;
233
234 sids_are_valid = sids_are_valid || dom_sid_equal(
235 sid, &global_sid_Claims_Valid);
236 authentication_was_compounded = authentication_was_compounded || dom_sid_equal(
237 sid, &global_sid_Compounded_Authentication);
238
239 ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
240 if (ptoken->sids == NULL) {
241 talloc_free(ptoken);
242 return NT_STATUS_NO_MEMORY;
243 }
244
245 ptoken->sids[ptoken->num_sids] = *sid;
246 ptoken->num_sids++;
247 }
248 }
249
250 if (authentication_was_compounded && num_device_sids) {
251 ptoken->device_sids = talloc_array(ptoken, struct dom_sid, num_device_sids);
252 if (ptoken->device_sids == NULL) {
253 talloc_free(ptoken);
254 return NT_STATUS_NO_MEMORY;
255 }
256 for (i = 0; i < num_device_sids; i++) {
257 uint32_t check_sid_idx;
258 for (check_sid_idx = 0;
259 check_sid_idx < ptoken->num_device_sids;
260 check_sid_idx++) {
261 if (dom_sid_equal(&ptoken->device_sids[check_sid_idx], &device_sids[i].sid)) {
262 break;
263 }
264 }
265
266 if (check_sid_idx == ptoken->num_device_sids) {
267 const struct dom_sid *device_sid = &device_sids[i].sid;
268
269 device_sids_are_valid = device_sids_are_valid || dom_sid_equal(
270 device_sid, &global_sid_Claims_Valid);
271
272 ptoken->device_sids = talloc_realloc(ptoken,
273 ptoken->device_sids,
274 struct dom_sid,
275 ptoken->num_device_sids + 1);
276 if (ptoken->device_sids == NULL) {
277 talloc_free(ptoken);
278 return NT_STATUS_NO_MEMORY;
279 }
280
281 ptoken->device_sids[ptoken->num_device_sids] = *device_sid;
282 ptoken->num_device_sids++;
283 }
284 }
285 }
286
287 /* The caller may have requested simple privileges, for example if there isn't a local DB */
288 if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
289 /* Shortcuts to prevent recursion and avoid lookups */
290 if (ptoken->sids == NULL) {
291 ptoken->privilege_mask = 0;
292 } else if (security_token_is_system(ptoken)) {
293 ptoken->privilege_mask = ~0;
294 } else if (security_token_is_anonymous(ptoken)) {
295 ptoken->privilege_mask = 0;
296 } else if (security_token_has_builtin_administrators(ptoken)) {
297 ptoken->privilege_mask = ~0;
298 } else {
299 /* All other 'users' get a empty priv set so far */
300 ptoken->privilege_mask = 0;
301 }
302 } else {
303 /* setup the privilege mask for this token */
304 status = samdb_privilege_setup(lp_ctx, ptoken);
305 if (!NT_STATUS_IS_OK(status)) {
306 talloc_free(ptoken);
307 DEBUG(1,("Unable to access privileges database\n"));
308 return status;
309 }
310 }
311
312 /*
313 * TODO: we might want to regard ‘session_info_flags’ for the device
314 * SIDs as well as for the client SIDs.
315 */
316
317 if (sids_are_valid) {
318 status = claims_data_security_claims(ptoken,
319 auth_claims.user_claims,
320 &ptoken->user_claims,
321 &ptoken->num_user_claims);
322 if (!NT_STATUS_IS_OK(status)) {
323 talloc_free(ptoken);
324 return status;
325 }
326 }
327
328 if (device_sids_are_valid && authentication_was_compounded) {
329 status = claims_data_security_claims(ptoken,
330 auth_claims.device_claims,
331 &ptoken->device_claims,
332 &ptoken->num_device_claims);
333 if (!NT_STATUS_IS_OK(status)) {
334 talloc_free(ptoken);
335 return status;
336 }
337 }
338
339 security_token_debug(0, 10, ptoken);
340
341 *token = ptoken;
342
343 return NT_STATUS_OK;
344 }
Samba git mirror