2 Unix SMB/CIFS implementation.
4 common sid helper functions
6 Copyright (C) Catalyst.NET Ltd 2017
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "rpc_server/dcerpc_server.h"
24 #include "librpc/gen_ndr/ndr_security.h"
25 #include "source4/dsdb/samdb/samdb.h"
26 #include "libcli/security/security.h"
29 see if any SIDs in list1 are in list2
31 bool sid_list_match(uint32_t num_sids1,
32 const struct dom_sid *list1,
34 const struct dom_sid *list2)
37 /* do we ever have enough SIDs here to worry about O(n^2) ? */
38 for (i=0; i < num_sids1; i++) {
39 for (j=0; j < num_sids2; j++) {
40 if (dom_sid_equal(&list1[i], &list2[j])) {
49 * Return an array of SIDs from a ldb_message given an attribute name assumes
50 * the SIDs are in NDR form (with additional sids applied on the end).
52 WERROR samdb_result_sid_array_ndr(struct ldb_context *sam_ctx,
53 struct ldb_message *msg,
57 struct dom_sid **sids,
58 const struct dom_sid *additional_sids,
59 unsigned int num_additional)
61 struct ldb_message_element *el;
64 el = ldb_msg_find_element(msg, attr);
70 /* Make array long enough for NULL and additional SID */
71 (*sids) = talloc_array(mem_ctx, struct dom_sid,
72 el->num_values + num_additional);
73 W_ERROR_HAVE_NO_MEMORY(*sids);
75 for (i=0; i<el->num_values; i++) {
76 enum ndr_err_code ndr_err;
78 ndr_err = ndr_pull_struct_blob_all_noalloc(&el->values[i], &(*sids)[i],
79 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
80 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
81 return WERR_INTERNAL_DB_CORRUPTION;
85 for (j = 0; j < num_additional; j++) {
86 (*sids)[i++] = additional_sids[j];
95 return an array of SIDs from a ldb_message given an attribute name
96 assumes the SIDs are in extended DN format
98 WERROR samdb_result_sid_array_dn(struct ldb_context *sam_ctx,
99 struct ldb_message *msg,
103 struct dom_sid **sids)
105 struct ldb_message_element *el;
108 el = ldb_msg_find_element(msg, attr);
114 (*sids) = talloc_array(mem_ctx, struct dom_sid, el->num_values + 1);
115 W_ERROR_HAVE_NO_MEMORY(*sids);
117 for (i=0; i<el->num_values; i++) {
118 struct ldb_dn *dn = ldb_dn_from_ldb_val(mem_ctx, sam_ctx, &el->values[i]);
120 struct dom_sid sid = { 0, };
122 status = dsdb_get_extended_dn_sid(dn, &sid, "SID");
123 if (!NT_STATUS_IS_OK(status)) {
124 return WERR_INTERNAL_DB_CORRUPTION;
133 WERROR samdb_confirm_rodc_allowed_to_repl_to_sid_list(struct ldb_context *sam_ctx,
134 struct ldb_message *rodc_msg,
135 struct ldb_message *obj_msg,
136 uint32_t num_token_sids,
137 struct dom_sid *token_sids)
139 uint32_t num_never_reveal_sids, num_reveal_sids;
140 struct dom_sid *never_reveal_sids, *reveal_sids;
141 TALLOC_CTX *frame = talloc_stackframe();
146 * We are not allowed to get anyone elses krbtgt secrets (and
147 * in callers that don't shortcut before this, the RODC should
148 * not deal with any krbtgt)
150 if (samdb_result_dn(sam_ctx, frame,
151 obj_msg, "msDS-KrbTgtLinkBL", NULL)) {
153 DBG_INFO("Denied attempt to replicate to/act as a RODC krbtgt trust account %s using RODC: %s\n",
154 ldb_dn_get_linearized(obj_msg->dn),
155 ldb_dn_get_linearized(rodc_msg->dn));
156 return WERR_DS_DRA_SECRETS_DENIED;
159 if (ldb_msg_find_attr_as_uint(obj_msg,
160 "userAccountControl", 0) &
161 UF_INTERDOMAIN_TRUST_ACCOUNT) {
162 DBG_INFO("Denied attempt to replicate to/act as a inter-domain trust account %s using RODC: %s\n",
163 ldb_dn_get_linearized(obj_msg->dn),
164 ldb_dn_get_linearized(rodc_msg->dn));
166 return WERR_DS_DRA_SECRETS_DENIED;
169 /* Be very sure the RODC is really an RODC */
170 rodc_uac = ldb_msg_find_attr_as_uint(rodc_msg,
171 "userAccountControl",
173 if ((rodc_uac & UF_PARTIAL_SECRETS_ACCOUNT)
174 != UF_PARTIAL_SECRETS_ACCOUNT) {
175 DBG_ERR("Attempt to use an RODC account that is not an RODC: %s\n",
176 ldb_dn_get_linearized(rodc_msg->dn));
178 return WERR_DS_DRA_SECRETS_DENIED;
181 werr = samdb_result_sid_array_dn(sam_ctx, rodc_msg,
182 frame, "msDS-NeverRevealGroup",
183 &num_never_reveal_sids,
185 if (!W_ERROR_IS_OK(werr)) {
186 DBG_ERR("Failed to parse msDS-NeverRevealGroup on %s: %s\n",
187 ldb_dn_get_linearized(rodc_msg->dn),
190 return WERR_DS_DRA_SECRETS_DENIED;
193 werr = samdb_result_sid_array_dn(sam_ctx, rodc_msg,
194 frame, "msDS-RevealOnDemandGroup",
197 if (!W_ERROR_IS_OK(werr)) {
198 DBG_ERR("Failed to parse msDS-RevealOnDemandGroup on %s: %s\n",
199 ldb_dn_get_linearized(rodc_msg->dn),
202 return WERR_DS_DRA_SECRETS_DENIED;
205 if (never_reveal_sids &&
206 sid_list_match(num_token_sids,
208 num_never_reveal_sids,
209 never_reveal_sids)) {
211 return WERR_DS_DRA_SECRETS_DENIED;
215 sid_list_match(num_token_sids,
224 return WERR_DS_DRA_SECRETS_DENIED;
229 * This is a wrapper for the above that pulls in the tokenGroups
230 * rather than relying on the caller providing those
232 WERROR samdb_confirm_rodc_allowed_to_repl_to(struct ldb_context *sam_ctx,
233 struct ldb_message *rodc_msg,
234 struct ldb_message *obj_msg)
236 TALLOC_CTX *frame = talloc_stackframe();
238 uint32_t num_token_sids;
239 struct dom_sid *token_sids;
240 const struct dom_sid *object_sid = NULL;
242 object_sid = samdb_result_dom_sid(frame,
245 if (object_sid == NULL) {
246 return WERR_DS_DRA_BAD_DN;
250 * The SID list needs to include itself as well as the tokenGroups.
252 * TODO determine if sIDHistory is required for this check
254 werr = samdb_result_sid_array_ndr(sam_ctx,
256 frame, "tokenGroups",
260 if (!W_ERROR_IS_OK(werr) || token_sids==NULL) {
261 DBG_ERR("Failed to get tokenGroups on %s to confirm access via RODC %s: %s\n",
262 ldb_dn_get_linearized(obj_msg->dn),
263 ldb_dn_get_linearized(rodc_msg->dn),
265 return WERR_DS_DRA_SECRETS_DENIED;
268 werr = samdb_confirm_rodc_allowed_to_repl_to_sid_list(sam_ctx,