source4/rpc_server/lsa/lsa_init.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    endpoint server for the lsarpc pipe
   5
   6    Copyright (C) Andrew Tridgell 2004
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2007
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "rpc_server/lsa/lsa.h"
  24
  25 /*
  26  * This matches a Windows 2012R2 dc in
  27  * a domain with function level 2012R2.
  28  */
  29 #define DCESRV_LSA_POLICY_SD_SDDL \
  30         "O:BAG:SY" \
  31         "D:" \
  32         "(D;;0x00000800;;;AN)" \
  33         "(A;;0x000f1fff;;;BA)" \
  34         "(A;;0x00020801;;;WD)" \
  35         "(A;;0x00000801;;;AN)" \
  36         "(A;;0x00001000;;;LS)" \
  37         "(A;;0x00001000;;;NS)" \
  38         "(A;;0x00001000;;;S-1-5-17)" \
  39         "(A;;0x00000801;;;AC)" \
  40         "(A;;0x00000801;;;S-1-15-2-2)"
  41
  42 static const struct generic_mapping dcesrv_lsa_policy_mapping = {
  43         LSA_POLICY_READ,
  44         LSA_POLICY_WRITE,
  45         LSA_POLICY_EXECUTE,
  46         LSA_POLICY_ALL_ACCESS
  47 };
  48
  49 NTSTATUS dcesrv_lsa_get_policy_state(struct dcesrv_call_state *dce_call,
  50                                      TALLOC_CTX *mem_ctx,
  51                                      uint32_t access_desired,
  52                                      struct lsa_policy_state **_state)
  53 {
  54         struct auth_session_info *session_info =
  55                 dcesrv_call_session_info(dce_call);
  56         enum security_user_level security_level;
  57         struct lsa_policy_state *state;
  58         struct ldb_result *dom_res;
  59         const char *dom_attrs[] = {
  60                 "objectSid",
  61                 "objectGUID",
  62                 "nTMixedDomain",
  63                 "fSMORoleOwner",
  64                 NULL
  65         };
  66         char *p;
  67         int ret;
  68
  69         state = talloc_zero(mem_ctx, struct lsa_policy_state);
  70         if (!state) {
  71                 return NT_STATUS_NO_MEMORY;
  72         }
  73
  74         /* make sure the sam database is accessible */
  75         state->sam_ldb = dcesrv_samdb_connect_as_user(state, dce_call);
  76         if (state->sam_ldb == NULL) {
  77                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
  78         }
  79
  80         /* and the privilege database */
  81         state->pdb = privilege_connect(state, dce_call->conn->dce_ctx->lp_ctx);
  82         if (state->pdb == NULL) {
  83                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
  84         }
  85
  86         /* work out the domain_dn - useful for so many calls its worth
  87            fetching here */
  88         state->domain_dn = ldb_get_default_basedn(state->sam_ldb);
  89         if (!state->domain_dn) {
  90                 return NT_STATUS_NO_MEMORY;
  91         }
  92
  93         /* work out the forest root_dn - useful for so many calls its worth
  94            fetching here */
  95         state->forest_dn = ldb_get_root_basedn(state->sam_ldb);
  96         if (!state->forest_dn) {
  97                 return NT_STATUS_NO_MEMORY;
  98         }
  99
 100         ret = ldb_search(state->sam_ldb, mem_ctx, &dom_res,
 101                          state->domain_dn, LDB_SCOPE_BASE, dom_attrs, NULL);
 102         if (ret != LDB_SUCCESS) {
 103                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
 104         }
 105         if (dom_res->count != 1) {
 106                 return NT_STATUS_NO_SUCH_DOMAIN;
 107         }
 108
 109         state->domain_sid = samdb_result_dom_sid(state, dom_res->msgs[0], "objectSid");
 110         if (!state->domain_sid) {
 111                 return NT_STATUS_NO_SUCH_DOMAIN;
 112         }
 113
 114         state->domain_guid = samdb_result_guid(dom_res->msgs[0], "objectGUID");
 115
 116         state->mixed_domain = ldb_msg_find_attr_as_uint(dom_res->msgs[0], "nTMixedDomain", 0);
 117
 118         talloc_free(dom_res);
 119
 120         state->domain_name = lpcfg_sam_name(dce_call->conn->dce_ctx->lp_ctx);
 121
 122         state->domain_dns = ldb_dn_canonical_string(state, state->domain_dn);
 123         if (!state->domain_dns) {
 124                 return NT_STATUS_NO_SUCH_DOMAIN;
 125         }
 126         p = strchr(state->domain_dns, '/');
 127         if (p) {
 128                 *p = '\0';
 129         }
 130
 131         state->forest_dns = ldb_dn_canonical_string(state, state->forest_dn);
 132         if (!state->forest_dns) {
 133                 return NT_STATUS_NO_SUCH_DOMAIN;
 134         }
 135         p = strchr(state->forest_dns, '/');
 136         if (p) {
 137                 *p = '\0';
 138         }
 139
 140         /* work out the builtin_dn - useful for so many calls its worth
 141            fetching here */
 142         state->builtin_dn = samdb_search_dn(state->sam_ldb, state, state->domain_dn, "(objectClass=builtinDomain)");
 143         if (!state->builtin_dn) {
 144                 return NT_STATUS_NO_SUCH_DOMAIN;
 145         }
 146
 147         /* work out the system_dn - useful for so many calls its worth
 148            fetching here */
 149         state->system_dn = samdb_system_container_dn(state->sam_ldb, state);
 150         if (state->system_dn == NULL) {
 151                 return NT_STATUS_NO_MEMORY;
 152         }
 153
 154         state->builtin_sid = dom_sid_parse_talloc(state, SID_BUILTIN);
 155         if (!state->builtin_sid) {
 156                 return NT_STATUS_NO_SUCH_DOMAIN;
 157         }
 158
 159         state->nt_authority_sid = dom_sid_parse_talloc(state, SID_NT_AUTHORITY);
 160         if (!state->nt_authority_sid) {
 161                 return NT_STATUS_NO_SUCH_DOMAIN;
 162         }
 163
 164         state->creator_owner_domain_sid = dom_sid_parse_talloc(state, SID_CREATOR_OWNER_DOMAIN);
 165         if (!state->creator_owner_domain_sid) {
 166                 return NT_STATUS_NO_SUCH_DOMAIN;
 167         }
 168
 169         state->world_domain_sid = dom_sid_parse_talloc(state, SID_WORLD_DOMAIN);
 170         if (!state->world_domain_sid) {
 171                 return NT_STATUS_NO_SUCH_DOMAIN;
 172         }
 173
 174         state->sd = sddl_decode(state, DCESRV_LSA_POLICY_SD_SDDL,
 175                                 state->domain_sid);
 176         if (state->sd == NULL) {
 177                 return NT_STATUS_NO_MEMORY;
 178         }
 179         state->sd->dacl->revision = SECURITY_ACL_REVISION_NT4;
 180
 181         se_map_generic(&access_desired, &dcesrv_lsa_policy_mapping);
 182         security_acl_map_generic(state->sd->dacl, &dcesrv_lsa_policy_mapping);
 183
 184         security_level = security_session_user_level(session_info, NULL);
 185         if (security_level >= SECURITY_SYSTEM) {
 186                 /*
 187                  * The security descriptor doesn't allow system,
 188                  * but we want to allow system via ncalrpc as root.
 189                  */
 190                 state->access_mask = access_desired;
 191                 if (state->access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
 192                         state->access_mask &= ~SEC_FLAG_MAXIMUM_ALLOWED;
 193                         state->access_mask |= LSA_POLICY_ALL_ACCESS;
 194                 }
 195         } else {
 196                 NTSTATUS status;
 197
 198                 status = se_access_check(state->sd,
 199                                          session_info->security_token,
 200                                          access_desired,
 201                                          &state->access_mask);
 202                 if (!NT_STATUS_IS_OK(status)) {
 203                         DEBUG(2,("%s: access desired[0x%08X] rejected[0x%08X] - %s\n",
 204                                  __func__,
 205                                  (unsigned)access_desired,
 206                                  (unsigned)state->access_mask,
 207                                  nt_errstr(status)));
 208                         return status;
 209                 }
 210         }
 211
 212         DEBUG(10,("%s: access desired[0x%08X] granted[0x%08X] - success.\n",
 213                   __func__,
 214                  (unsigned)access_desired,
 215                  (unsigned)state->access_mask));
 216
 217         *_state = state;
 218
 219         return NT_STATUS_OK;
 220 }
 221
 222 /*
 223   lsa_OpenPolicy3
 224 */
 225 NTSTATUS dcesrv_lsa_OpenPolicy3(struct dcesrv_call_state *dce_call,
 226                                 TALLOC_CTX *mem_ctx,
 227                                 struct lsa_OpenPolicy3 *r)
 228 {
 229         enum dcerpc_transport_t transport =
 230                 dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
 231         struct lsa_policy_state *state = NULL;
 232         struct dcesrv_handle *handle = NULL;
 233         NTSTATUS status;
 234
 235         if (transport != NCACN_NP && transport != NCALRPC) {
 236                 DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
 237         }
 238
 239         ZERO_STRUCTP(r->out.handle);
 240
 241         /*
 242          * The attributes have no effect and MUST be ignored, except the
 243          * root_dir which MUST be NULL.
 244          */
 245         if (r->in.attr != NULL && r->in.attr->root_dir != NULL) {
 246                 return NT_STATUS_INVALID_PARAMETER;
 247         }
 248
 249         switch (r->in.in_version) {
 250         case 1:
 251                 *r->out.out_version = 1;
 252
 253                 r->out.out_revision_info->info1.revision = 1;
 254                 r->out.out_revision_info->info1.supported_features =
 255                                 LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER;
 256
 257                 break;
 258         default:
 259                 return NT_STATUS_NOT_SUPPORTED;
 260         }
 261
 262         status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx,
 263                                              r->in.access_mask,
 264                                              &state);
 265         if (!NT_STATUS_IS_OK(status)) {
 266                 return status;
 267         }
 268
 269         handle = dcesrv_handle_create(dce_call, LSA_HANDLE_POLICY);
 270         if (handle == NULL) {
 271                 return NT_STATUS_NO_MEMORY;
 272         }
 273         handle->data = talloc_steal(handle, state);
 274
 275         state->handle = handle;
 276         *r->out.handle = handle->wire_handle;
 277
 278         return NT_STATUS_OK;
 279 }
 280
 281 /*
 282   lsa_OpenPolicy2
 283 */
 284 NTSTATUS dcesrv_lsa_OpenPolicy2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 285                                 struct lsa_OpenPolicy2 *r)
 286 {
 287         enum dcerpc_transport_t transport =
 288                 dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
 289         NTSTATUS status;
 290         struct lsa_policy_state *state;
 291         struct dcesrv_handle *handle;
 292
 293         if (transport != NCACN_NP && transport != NCALRPC) {
 294                 DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
 295         }
 296
 297         ZERO_STRUCTP(r->out.handle);
 298
 299         if (r->in.attr != NULL &&
 300             r->in.attr->root_dir != NULL) {
 301                 /* MS-LSAD 3.1.4.4.1 */
 302                 return NT_STATUS_INVALID_PARAMETER;
 303         }
 304
 305         status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx,
 306                                              r->in.access_mask,
 307                                              &state);
 308         if (!NT_STATUS_IS_OK(status)) {
 309                 return status;
 310         }
 311
 312         handle = dcesrv_handle_create(dce_call, LSA_HANDLE_POLICY);
 313         if (!handle) {
 314                 return NT_STATUS_NO_MEMORY;
 315         }
 316
 317         handle->data = talloc_steal(handle, state);
 318
 319         state->handle = handle;
 320         *r->out.handle = handle->wire_handle;
 321
 322         /* note that we have completely ignored the attr element of
 323            the OpenPolicy. As far as I can tell, this is what w2k3
 324            does */
 325
 326         return NT_STATUS_OK;
 327 }
 328
 329 /*
 330   lsa_OpenPolicy
 331   a wrapper around lsa_OpenPolicy2
 332 */
 333 NTSTATUS dcesrv_lsa_OpenPolicy(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 334                                 struct lsa_OpenPolicy *r)
 335 {
 336         enum dcerpc_transport_t transport =
 337                 dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
 338         struct lsa_OpenPolicy2 r2;
 339
 340         if (transport != NCACN_NP && transport != NCALRPC) {
 341                 DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
 342         }
 343
 344         r2 = (struct lsa_OpenPolicy2) {
 345                 .in.attr = r->in.attr,
 346                 .in.access_mask = r->in.access_mask,
 347                 .out.handle = r->out.handle,
 348         };
 349
 350         return dcesrv_lsa_OpenPolicy2(dce_call, mem_ctx, &r2);
 351 }
 352
 353