s4:rpc_server/drsuapi: make use dcesrv_call_session_info()
[samba.git] / source4 / rpc_server / drsuapi / drsutil.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    useful utilities for the DRS server
5
6    Copyright (C) Andrew Tridgell 2009
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "rpc_server/dcerpc_server.h"
24 #include "dsdb/samdb/samdb.h"
25 #include "libcli/security/security.h"
26 #include "libcli/security/session.h"
27 #include "param/param.h"
28 #include "auth/session.h"
29 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
30
31 #undef DBGC_CLASS
32 #define DBGC_CLASS            DBGC_DRS_REPL
33
34 int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
35                                     TALLOC_CTX *mem_ctx,
36                                     struct ldb_result **_res,
37                                     struct ldb_dn *basedn,
38                                     enum ldb_scope scope,
39                                     const char * const *attrs,
40                                     const char *filter)
41 {
42         int ret;
43         struct ldb_request *req;
44         TALLOC_CTX *tmp_ctx;
45         struct ldb_result *res;
46
47         tmp_ctx = talloc_new(mem_ctx);
48
49         res = talloc_zero(tmp_ctx, struct ldb_result);
50         if (!res) {
51                 return LDB_ERR_OPERATIONS_ERROR;
52         }
53
54         ret = ldb_build_search_req(&req, ldb, tmp_ctx,
55                                    basedn,
56                                    scope,
57                                    filter,
58                                    attrs,
59                                    NULL,
60                                    res,
61                                    ldb_search_default_callback,
62                                    NULL);
63         if (ret != LDB_SUCCESS) {
64                 talloc_free(tmp_ctx);
65                 return ret;
66         }
67
68         ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, NULL);
69         if (ret != LDB_SUCCESS) {
70                 return ret;
71         }
72
73         ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_RECYCLED_OID, true, NULL);
74         if (ret != LDB_SUCCESS) {
75                 return ret;
76         }
77
78         ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
79         if (ret != LDB_SUCCESS) {
80                 return ret;
81         }
82
83         ret = ldb_request(ldb, req);
84         if (ret == LDB_SUCCESS) {
85                 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
86         }
87
88         talloc_free(req);
89         *_res = talloc_steal(mem_ctx, res);
90         return ret;
91 }
92
93 WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
94                                 const char* call,
95                                 enum security_user_level minimum_level,
96                                 const struct dom_sid *domain_sid)
97 {
98         struct auth_session_info *session_info =
99                 dcesrv_call_session_info(dce_call);
100         enum security_user_level level;
101
102         if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
103                          "drs", "disable_sec_check", false)) {
104                 return WERR_OK;
105         }
106
107         level = security_session_user_level(session_info, domain_sid);
108         if (level < minimum_level) {
109                 if (call) {
110                         DEBUG(0,("%s refused for security token (level=%u)\n",
111                                  call, (unsigned)level));
112                         security_token_debug(DBGC_DRS_REPL, 2, session_info->security_token);
113                 }
114                 return WERR_DS_DRA_ACCESS_DENIED;
115         }
116
117         return WERR_OK;
118 }
119
120 void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
121                                       struct drsuapi_DsReplicaMetaData *meta_data)
122 {
123         if (attr->value_ctr.num_values == 0) {
124                 return;
125         }
126
127         switch (attr->attid) {
128         case DRSUAPI_ATTID_dBCSPwd:
129         case DRSUAPI_ATTID_unicodePwd:
130         case DRSUAPI_ATTID_ntPwdHistory:
131         case DRSUAPI_ATTID_lmPwdHistory:
132         case DRSUAPI_ATTID_supplementalCredentials:
133         case DRSUAPI_ATTID_priorValue:
134         case DRSUAPI_ATTID_currentValue:
135         case DRSUAPI_ATTID_trustAuthOutgoing:
136         case DRSUAPI_ATTID_trustAuthIncoming:
137         case DRSUAPI_ATTID_initialAuthOutgoing:
138         case DRSUAPI_ATTID_initialAuthIncoming:
139                 /*set value to null*/
140                 attr->value_ctr.num_values = 0;
141                 talloc_free(attr->value_ctr.values);
142                 attr->value_ctr.values = NULL;
143                 meta_data->originating_change_time = 0;
144                 return;
145         default:
146                 return;
147         }
148 }
149
150
151 /*
152   check security on a DN, with logging of errors
153  */
154 static WERROR drs_security_access_check_log(struct ldb_context *sam_ctx,
155                                             TALLOC_CTX *mem_ctx,
156                                             struct security_token *token,
157                                             struct ldb_dn *dn,
158                                             const char *ext_right)
159 {
160         int ret;
161         if (!dn) {
162                 DEBUG(3,("drs_security_access_check: Null dn provided, access is denied for %s\n",
163                               ext_right));
164                 return WERR_DS_DRA_ACCESS_DENIED;
165         }
166         ret = dsdb_check_access_on_dn(sam_ctx,
167                                       mem_ctx,
168                                       dn,
169                                       token,
170                                       SEC_ADS_CONTROL_ACCESS,
171                                       ext_right);
172         if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
173                 DEBUG(3,("%s refused for security token on %s\n",
174                          ext_right, ldb_dn_get_linearized(dn)));
175                 security_token_debug(DBGC_DRS_REPL, 3, token);
176                 return WERR_DS_DRA_ACCESS_DENIED;
177         } else if (ret != LDB_SUCCESS) {
178                 DEBUG(1,("Failed to perform access check on %s: %s\n", ldb_dn_get_linearized(dn), ldb_strerror(ret)));
179                 return WERR_DS_DRA_INTERNAL_ERROR;
180         }
181         return WERR_OK;
182 }
183
184
185 /*
186   check security on a object identifier
187  */
188 WERROR drs_security_access_check(struct ldb_context *sam_ctx,
189                                  TALLOC_CTX *mem_ctx,
190                                  struct security_token *token,
191                                  struct drsuapi_DsReplicaObjectIdentifier *nc,
192                                  const char *ext_right)
193 {
194         struct ldb_dn *dn = drs_ObjectIdentifier_to_dn(mem_ctx, sam_ctx, nc);
195         WERROR werr;
196         werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, dn, ext_right);
197         talloc_free(dn);
198         return werr;
199 }
200
201 /*
202   check security on the NC root of a object identifier
203  */
204 WERROR drs_security_access_check_nc_root(struct ldb_context *sam_ctx,
205                                          TALLOC_CTX *mem_ctx,
206                                          struct security_token *token,
207                                          struct drsuapi_DsReplicaObjectIdentifier *nc,
208                                          const char *ext_right)
209 {
210         struct ldb_dn *dn, *nc_root;
211         WERROR werr;
212         int ret;
213
214         dn = drs_ObjectIdentifier_to_dn(mem_ctx, sam_ctx, nc);
215         W_ERROR_HAVE_NO_MEMORY(dn);
216         ret = dsdb_find_nc_root(sam_ctx, dn, dn, &nc_root);
217         if (ret != LDB_SUCCESS) {
218                 return WERR_DS_CANT_FIND_EXPECTED_NC;
219         }
220         werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, nc_root, ext_right);
221         talloc_free(dn);
222         return werr;
223 }