2 Unix SMB/CIFS implementation.
4 common sid helper functions
6 Copyright (C) Catalyst.NET Ltd 2017
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "rpc_server/dcerpc_server.h"
24 #include "librpc/gen_ndr/ndr_security.h"
25 #include "source4/dsdb/samdb/samdb.h"
26 #include "rpc_server/common/sid_helper.h"
27 #include "libcli/security/security.h"
30 see if any SIDs in list1 are in list2
32 bool sid_list_match(uint32_t num_sids1,
33 const struct dom_sid *list1,
35 const struct dom_sid *list2)
38 /* do we ever have enough SIDs here to worry about O(n^2) ? */
39 for (i=0; i < num_sids1; i++) {
40 for (j=0; j < num_sids2; j++) {
41 if (dom_sid_equal(&list1[i], &list2[j])) {
50 * Return an array of SIDs from a ldb_message given an attribute name assumes
51 * the SIDs are in NDR form (with additional sids applied on the end).
53 WERROR samdb_result_sid_array_ndr(struct ldb_context *sam_ctx,
54 struct ldb_message *msg,
58 struct dom_sid **sids,
59 const struct dom_sid *additional_sids,
60 unsigned int num_additional)
62 struct ldb_message_element *el;
65 el = ldb_msg_find_element(msg, attr);
71 /* Make array long enough for NULL and additional SID */
72 (*sids) = talloc_array(mem_ctx, struct dom_sid,
73 el->num_values + num_additional);
74 W_ERROR_HAVE_NO_MEMORY(*sids);
76 for (i=0; i<el->num_values; i++) {
77 enum ndr_err_code ndr_err;
79 ndr_err = ndr_pull_struct_blob_all_noalloc(&el->values[i], &(*sids)[i],
80 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
81 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
82 return WERR_INTERNAL_DB_CORRUPTION;
86 for (j = 0; j < num_additional; j++) {
87 (*sids)[i++] = additional_sids[j];
96 return an array of SIDs from a ldb_message given an attribute name
97 assumes the SIDs are in extended DN format
99 WERROR samdb_result_sid_array_dn(struct ldb_context *sam_ctx,
100 struct ldb_message *msg,
104 struct dom_sid **sids)
106 struct ldb_message_element *el;
109 el = ldb_msg_find_element(msg, attr);
115 (*sids) = talloc_array(mem_ctx, struct dom_sid, el->num_values + 1);
116 W_ERROR_HAVE_NO_MEMORY(*sids);
118 for (i=0; i<el->num_values; i++) {
119 struct ldb_dn *dn = ldb_dn_from_ldb_val(mem_ctx, sam_ctx, &el->values[i]);
121 struct dom_sid sid = { 0, };
123 status = dsdb_get_extended_dn_sid(dn, &sid, "SID");
124 if (!NT_STATUS_IS_OK(status)) {
125 return WERR_INTERNAL_DB_CORRUPTION;
134 WERROR samdb_confirm_rodc_allowed_to_repl_to_sid_list(struct ldb_context *sam_ctx,
135 struct ldb_message *rodc_msg,
136 uint32_t num_token_sids,
137 struct dom_sid *token_sids)
139 uint32_t num_never_reveal_sids, num_reveal_sids;
140 struct dom_sid *never_reveal_sids, *reveal_sids;
141 TALLOC_CTX *frame = talloc_stackframe();
142 WERROR werr = samdb_result_sid_array_dn(sam_ctx, rodc_msg,
143 frame, "msDS-NeverRevealGroup",
144 &num_never_reveal_sids,
146 if (!W_ERROR_IS_OK(werr)) {
148 return WERR_DS_DRA_SECRETS_DENIED;
151 werr = samdb_result_sid_array_dn(sam_ctx, rodc_msg,
152 frame, "msDS-RevealOnDemandGroup",
155 if (!W_ERROR_IS_OK(werr)) {
157 return WERR_DS_DRA_SECRETS_DENIED;
160 if (never_reveal_sids &&
161 sid_list_match(num_token_sids,
163 num_never_reveal_sids,
164 never_reveal_sids)) {
166 return WERR_DS_DRA_SECRETS_DENIED;
170 sid_list_match(num_token_sids,
179 return WERR_DS_DRA_SECRETS_DENIED;
git.samba.org / samba.git / blob