#include "rpc_server/dcerpc_server.h"
#include "rpc_server/common/common.h"
#include "dsdb/samdb/samdb.h"
-#include "lib/ldb/include/ldb_errors.h"
-#include "param/param.h"
-#include "librpc/gen_ndr/ndr_drsblobs.h"
#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
#include "libcli/security/security.h"
+#include "auth/auth.h"
+#include "param/param.h"
+
+#define DRSUAPI_UNSUPPORTED(fname) do { \
+ DEBUG(1,(__location__ ": Unsupported DRS call %s\n", #fname)); \
+ if (DEBUGLVL(2)) NDR_PRINT_IN_DEBUG(fname, r); \
+ DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); \
+} while (0)
/*
drsuapi_DsBind
uint32_t pid;
uint32_t repl_epoch;
int ret;
+ struct auth_session_info *auth_info;
+ WERROR werr;
r->out.bind_info = NULL;
ZERO_STRUCTP(r->out.bind_handle);
b_state = talloc_zero(mem_ctx, struct drsuapi_bind_state);
W_ERROR_HAVE_NO_MEMORY(b_state);
+ /* if this is a DC connecting, give them system level access */
+ werr = drs_security_level_check(dce_call, NULL);
+ if (W_ERROR_IS_OK(werr)) {
+ DEBUG(3,(__location__ ": doing DsBind with system_session\n"));
+ auth_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
+ } else {
+ auth_info = dce_call->conn->auth_state.session_info;
+ }
+
/*
* connect to the samdb
*/
- b_state->sam_ctx = samdb_connect(b_state, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info);
+ b_state->sam_ctx = samdb_connect(b_state, dce_call->event_ctx,
+ dce_call->conn->dce_ctx->lp_ctx, auth_info);
if (!b_state->sam_ctx) {
return WERR_FOOBAR;
}
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2;
- if (0 /*domain.behavior_version == 2*/) {
- /* TODO: find out how this is really triggered! */
- b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION;
- }
+ b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND;
static WERROR dcesrv_drsuapi_DsReplicaSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsReplicaSync *r)
{
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsReplicaSync refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ WERROR status;
+
+ status = drs_security_level_check(dce_call, "DsReplicaSync");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
}
dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx, r, NDR_DRSUAPI_DSREPLICASYNC,
&ndr_table_drsuapi,
"dreplsrv", "DsReplicaSync");
+
return WERR_OK;
}
static WERROR dcesrv_drsuapi_DsReplicaAdd(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsReplicaAdd *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ DRSUAPI_UNSUPPORTED(drsuapi_DsReplicaAdd);
}
static WERROR dcesrv_drsuapi_DsReplicaDel(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsReplicaDel *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ DRSUAPI_UNSUPPORTED(drsuapi_DsReplicaDel);
}
static WERROR dcesrv_drsuapi_DsReplicaMod(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsReplicaMod *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ DRSUAPI_UNSUPPORTED(drsuapi_DsReplicaMod);
}
static WERROR dcesrv_DRSUAPI_VERIFY_NAMES(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct DRSUAPI_VERIFY_NAMES *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ DRSUAPI_UNSUPPORTED(DRSUAPI_VERIFY_NAMES);
}
static WERROR dcesrv_drsuapi_DsGetMemberships(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsGetMemberships *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ DRSUAPI_UNSUPPORTED(drsuapi_DsGetMemberships);
}
static WERROR dcesrv_DRSUAPI_INTER_DOMAIN_MOVE(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct DRSUAPI_INTER_DOMAIN_MOVE *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ DRSUAPI_UNSUPPORTED(DRSUAPI_INTER_DOMAIN_MOVE);
}
static WERROR dcesrv_drsuapi_DsGetNT4ChangeLog(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsGetNT4ChangeLog *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ DRSUAPI_UNSUPPORTED(drsuapi_DsGetNT4ChangeLog);
}
return WERR_UNKNOWN_LEVEL;
}
-/*
- drsuapi_DsWriteAccountSpn
-*/
-static WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct drsuapi_DsWriteAccountSpn *r)
-{
- struct drsuapi_bind_state *b_state;
- struct dcesrv_handle *h;
-
- *r->out.level_out = r->in.level;
-
- DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
- b_state = h->data;
-
- r->out.res = talloc(mem_ctx, union drsuapi_DsWriteAccountSpnResult);
- W_ERROR_HAVE_NO_MEMORY(r->out.res);
-
- switch (r->in.level) {
- case 1: {
- struct drsuapi_DsWriteAccountSpnRequest1 *req;
- struct ldb_message *msg;
- int count, i, ret;
- req = &r->in.req->req1;
- count = req->count;
-
- msg = ldb_msg_new(mem_ctx);
- if (msg == NULL) {
- return WERR_NOMEM;
- }
-
- msg->dn = ldb_dn_new(msg, b_state->sam_ctx, req->object_dn);
- if ( ! ldb_dn_validate(msg->dn)) {
- r->out.res->res1.status = WERR_OK;
- return WERR_OK;
- }
-
- /* construct mods */
- for (i = 0; i < count; i++) {
- samdb_msg_add_string(b_state->sam_ctx,
- msg, msg, "servicePrincipalName",
- req->spn_names[i].str);
- }
- for (i=0;i<msg->num_elements;i++) {
- switch (req->operation) {
- case DRSUAPI_DS_SPN_OPERATION_ADD:
- msg->elements[i].flags = LDB_FLAG_MOD_ADD;
- break;
- case DRSUAPI_DS_SPN_OPERATION_REPLACE:
- msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
- break;
- case DRSUAPI_DS_SPN_OPERATION_DELETE:
- msg->elements[i].flags = LDB_FLAG_MOD_DELETE;
- break;
- }
- }
-
- /* Apply to database */
-
- ret = ldb_modify(b_state->sam_ctx, msg);
- if (ret != 0) {
- DEBUG(0,("Failed to modify SPNs on %s: %s\n",
- ldb_dn_get_linearized(msg->dn),
- ldb_errstring(b_state->sam_ctx)));
- r->out.res->res1.status = WERR_ACCESS_DENIED;
- } else {
- r->out.res->res1.status = WERR_OK;
- }
-
- return WERR_OK;
- }
- }
-
- return WERR_UNKNOWN_LEVEL;
-}
-
/*
drsuapi_DsRemoveDSServer
struct ldb_dn *ntds_dn;
int ret;
bool ok;
+ WERROR status;
ZERO_STRUCT(r->out.res);
*r->out.level_out = 1;
- if (security_session_user_level(dce_call->conn->auth_state.session_info) <
- SECURITY_DOMAIN_CONTROLLER) {
- DEBUG(0,("DsRemoveDSServer refused for security token\n"));
- return WERR_DS_DRA_ACCESS_DENIED;
+ status = drs_security_level_check(dce_call, "DsRemoveDSServer");
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
}
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
static WERROR dcesrv_DRSUAPI_REMOVE_DS_DOMAIN(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct DRSUAPI_REMOVE_DS_DOMAIN *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ DRSUAPI_UNSUPPORTED(DRSUAPI_REMOVE_DS_DOMAIN);
}
/* Obtain the site name from a server DN */
static WERROR dcesrv_drsuapi_DsExecuteKCC(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsExecuteKCC *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ WERROR status;
+ status = drs_security_level_check(dce_call, "DsExecuteKCC");
+
+ if (!W_ERROR_IS_OK(status)) {
+ return status;
+ }
+
+ dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx, r, NDR_DRSUAPI_DSEXECUTEKCC,
+ &ndr_table_drsuapi, "kccsrv", "DsExecuteKCC");
+ return WERR_OK;
}
static WERROR dcesrv_drsuapi_DsReplicaGetInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsReplicaGetInfo *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ enum security_user_level level;
+
+ if (!lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
+ "drs", "disable_sec_check", false)) {
+ level = security_session_user_level(dce_call->conn->auth_state.session_info);
+ if (level < SECURITY_ADMINISTRATOR) {
+ DEBUG(1,(__location__ ": Administrator access required for DsReplicaGetInfo\n"));
+ security_token_debug(2, dce_call->conn->auth_state.session_info->security_token);
+ return WERR_DS_DRA_ACCESS_DENIED;
+ }
+ }
+
+ dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx, r, NDR_DRSUAPI_DSREPLICAGETINFO,
+ &ndr_table_drsuapi, "kccsrv", "DsReplicaGetInfo");
+
+ return WERR_OK;
}
static WERROR dcesrv_DRSUAPI_ADD_SID_HISTORY(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct DRSUAPI_ADD_SID_HISTORY *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ DRSUAPI_UNSUPPORTED(DRSUAPI_ADD_SID_HISTORY);
}
/*
static WERROR dcesrv_drsuapi_DsGetMemberships2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsGetMemberships2 *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ DRSUAPI_UNSUPPORTED(drsuapi_DsGetMemberships2);
}
/*
static WERROR dcesrv_DRSUAPI_REPLICA_VERIFY_OBJECTS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct DRSUAPI_REPLICA_VERIFY_OBJECTS *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ DRSUAPI_UNSUPPORTED(DRSUAPI_REPLICA_VERIFY_OBJECTS);
}
static WERROR dcesrv_DRSUAPI_GET_OBJECT_EXISTENCE(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct DRSUAPI_GET_OBJECT_EXISTENCE *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ DRSUAPI_UNSUPPORTED(DRSUAPI_GET_OBJECT_EXISTENCE);
}
static WERROR dcesrv_drsuapi_QuerySitesByCost(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_QuerySitesByCost *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ DRSUAPI_UNSUPPORTED(drsuapi_QuerySitesByCost);
}