source4/rpc_server/drsuapi/drsutil.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    useful utilities for the DRS server
   5
   6    Copyright (C) Andrew Tridgell 2009
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "rpc_server/dcerpc_server.h"
  24 #include "dsdb/samdb/samdb.h"
  25 #include "libcli/security/security.h"
  26 #include "libcli/security/session.h"
  27 #include "param/param.h"
  28 #include "auth/session.h"
  29 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
  30
  31 int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
  32                                     TALLOC_CTX *mem_ctx,
  33                                     struct ldb_result **_res,
  34                                     struct ldb_dn *basedn,
  35                                     enum ldb_scope scope,
  36                                     const char * const *attrs,
  37                                     const char *filter)
  38 {
  39         int ret;
  40         struct ldb_request *req;
  41         TALLOC_CTX *tmp_ctx;
  42         struct ldb_result *res;
  43
  44         tmp_ctx = talloc_new(mem_ctx);
  45
  46         res = talloc_zero(tmp_ctx, struct ldb_result);
  47         if (!res) {
  48                 return LDB_ERR_OPERATIONS_ERROR;
  49         }
  50
  51         ret = ldb_build_search_req(&req, ldb, tmp_ctx,
  52                                    basedn,
  53                                    scope,
  54                                    filter,
  55                                    attrs,
  56                                    NULL,
  57                                    res,
  58                                    ldb_search_default_callback,
  59                                    NULL);
  60         if (ret != LDB_SUCCESS) {
  61                 talloc_free(tmp_ctx);
  62                 return ret;
  63         }
  64
  65         ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, NULL);
  66         if (ret != LDB_SUCCESS) {
  67                 return ret;
  68         }
  69
  70         ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_RECYCLED_OID, true, NULL);
  71         if (ret != LDB_SUCCESS) {
  72                 return ret;
  73         }
  74
  75         ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
  76         if (ret != LDB_SUCCESS) {
  77                 return ret;
  78         }
  79
  80         ret = ldb_request(ldb, req);
  81         if (ret == LDB_SUCCESS) {
  82                 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
  83         }
  84
  85         talloc_free(req);
  86         *_res = talloc_steal(mem_ctx, res);
  87         return ret;
  88 }
  89
  90 WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
  91                                 const char* call,
  92                                 enum security_user_level minimum_level,
  93                                 const struct dom_sid *domain_sid)
  94 {
  95         enum security_user_level level;
  96
  97         if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
  98                          "drs", "disable_sec_check", false)) {
  99                 return WERR_OK;
 100         }
 101
 102         level = security_session_user_level(dce_call->conn->auth_state.session_info, domain_sid);
 103         if (level < minimum_level) {
 104                 if (call) {
 105                         DEBUG(0,("%s refused for security token (level=%u)\n",
 106                                  call, (unsigned)level));
 107                         security_token_debug(0, 2, dce_call->conn->auth_state.session_info->security_token);
 108                 }
 109                 return WERR_DS_DRA_ACCESS_DENIED;
 110         }
 111
 112         return WERR_OK;
 113 }
 114
 115 void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
 116                                       struct drsuapi_DsReplicaMetaData *meta_data)
 117 {
 118         if (attr->value_ctr.num_values == 0) {
 119                 return;
 120         }
 121
 122         switch (attr->attid) {
 123         case DRSUAPI_ATTID_dBCSPwd:
 124         case DRSUAPI_ATTID_unicodePwd:
 125         case DRSUAPI_ATTID_ntPwdHistory:
 126         case DRSUAPI_ATTID_lmPwdHistory:
 127         case DRSUAPI_ATTID_supplementalCredentials:
 128         case DRSUAPI_ATTID_priorValue:
 129         case DRSUAPI_ATTID_currentValue:
 130         case DRSUAPI_ATTID_trustAuthOutgoing:
 131         case DRSUAPI_ATTID_trustAuthIncoming:
 132         case DRSUAPI_ATTID_initialAuthOutgoing:
 133         case DRSUAPI_ATTID_initialAuthIncoming:
 134                 /*set value to null*/
 135                 attr->value_ctr.num_values = 0;
 136                 talloc_free(attr->value_ctr.values);
 137                 attr->value_ctr.values = NULL;
 138                 meta_data->originating_change_time = 0;
 139                 return;
 140         default:
 141                 return;
 142         }
 143 }
 144
 145
 146 /*
 147   check security on a DN, with logging of errors
 148  */
 149 static WERROR drs_security_access_check_log(struct ldb_context *sam_ctx,
 150                                             TALLOC_CTX *mem_ctx,
 151                                             struct security_token *token,
 152                                             struct ldb_dn *dn,
 153                                             const char *ext_right)
 154 {
 155         int ret;
 156         if (!dn) {
 157                 DEBUG(3,("drs_security_access_check: Null dn provided, access is denied for %s\n",
 158                               ext_right));
 159                 return WERR_DS_DRA_ACCESS_DENIED;
 160         }
 161         ret = dsdb_check_access_on_dn(sam_ctx,
 162                                       mem_ctx,
 163                                       dn,
 164                                       token,
 165                                       SEC_ADS_CONTROL_ACCESS,
 166                                       ext_right);
 167         if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
 168                 DEBUG(3,("%s refused for security token on %s\n",
 169                          ext_right, ldb_dn_get_linearized(dn)));
 170                 security_token_debug(2, 0, token);
 171                 return WERR_DS_DRA_ACCESS_DENIED;
 172         } else if (ret != LDB_SUCCESS) {
 173                 DEBUG(1,("Failed to perform access check on %s: %s\n", ldb_dn_get_linearized(dn), ldb_strerror(ret)));
 174                 return WERR_DS_DRA_INTERNAL_ERROR;
 175         }
 176         return WERR_OK;
 177 }
 178
 179
 180 /*
 181   check security on a object identifier
 182  */
 183 WERROR drs_security_access_check(struct ldb_context *sam_ctx,
 184                                  TALLOC_CTX *mem_ctx,
 185                                  struct security_token *token,
 186                                  struct drsuapi_DsReplicaObjectIdentifier *nc,
 187                                  const char *ext_right)
 188 {
 189         struct ldb_dn *dn = drs_ObjectIdentifier_to_dn(mem_ctx, sam_ctx, nc);
 190         WERROR werr;
 191         werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, dn, ext_right);
 192         talloc_free(dn);
 193         return werr;
 194 }
 195
 196 /*
 197   check security on the NC root of a object identifier
 198  */
 199 WERROR drs_security_access_check_nc_root(struct ldb_context *sam_ctx,
 200                                          TALLOC_CTX *mem_ctx,
 201                                          struct security_token *token,
 202                                          struct drsuapi_DsReplicaObjectIdentifier *nc,
 203                                          const char *ext_right)
 204 {
 205         struct ldb_dn *dn, *nc_root;
 206         WERROR werr;
 207         int ret;
 208
 209         dn = drs_ObjectIdentifier_to_dn(mem_ctx, sam_ctx, nc);
 210         W_ERROR_HAVE_NO_MEMORY(dn);
 211         ret = dsdb_find_nc_root(sam_ctx, dn, dn, &nc_root);
 212         if (ret != LDB_SUCCESS) {
 213                 return WERR_DS_CANT_FIND_EXPECTED_NC;
 214         }
 215         werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, nc_root, ext_right);
 216         talloc_free(dn);
 217         return werr;
 218 }