s4-drs: added domain_sid to DRS security checks
[nivanova/samba-autobuild/.git] / source4 / rpc_server / drsuapi / drsutil.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    useful utilities for the DRS server
5
6    Copyright (C) Andrew Tridgell 2009
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "rpc_server/dcerpc_server.h"
24 #include "dsdb/samdb/samdb.h"
25 #include "libcli/security/security.h"
26 #include "param/param.h"
27 #include "auth/session.h"
28
29 /*
30   format a drsuapi_DsReplicaObjectIdentifier naming context as a string
31  */
32 char *drs_ObjectIdentifier_to_string(TALLOC_CTX *mem_ctx,
33                                      struct drsuapi_DsReplicaObjectIdentifier *nc)
34 {
35         char *guid, *sid, *ret;
36         guid = GUID_string(mem_ctx, &nc->guid);
37         sid  = dom_sid_string(mem_ctx, &nc->sid);
38         ret = talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
39                               guid, sid, nc->dn);
40         talloc_free(guid);
41         talloc_free(sid);
42         return ret;
43 }
44
45 int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
46                                     TALLOC_CTX *mem_ctx,
47                                     struct ldb_result **_res,
48                                     struct ldb_dn *basedn,
49                                     enum ldb_scope scope,
50                                     const char * const *attrs,
51                                     const char *filter)
52 {
53         int ret;
54         struct ldb_request *req;
55         TALLOC_CTX *tmp_ctx;
56         struct ldb_result *res;
57
58         tmp_ctx = talloc_new(mem_ctx);
59
60         res = talloc_zero(tmp_ctx, struct ldb_result);
61         if (!res) {
62                 return LDB_ERR_OPERATIONS_ERROR;
63         }
64
65         ret = ldb_build_search_req(&req, ldb, tmp_ctx,
66                                    basedn,
67                                    scope,
68                                    filter,
69                                    attrs,
70                                    NULL,
71                                    res,
72                                    ldb_search_default_callback,
73                                    NULL);
74         if (ret != LDB_SUCCESS) {
75                 talloc_free(tmp_ctx);
76                 return ret;
77         }
78
79         ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, NULL);
80         if (ret != LDB_SUCCESS) {
81                 return ret;
82         }
83
84         ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_DELETED_OID, true, NULL);
85         if (ret != LDB_SUCCESS) {
86                 return ret;
87         }
88
89         ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
90         if (ret != LDB_SUCCESS) {
91                 return ret;
92         }
93
94         ret = ldb_request(ldb, req);
95         if (ret == LDB_SUCCESS) {
96                 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
97         }
98
99         talloc_free(req);
100         *_res = talloc_steal(mem_ctx, res);
101         return ret;
102 }
103
104 WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
105                                 const char* call,
106                                 enum security_user_level minimum_level,
107                                 const struct dom_sid *domain_sid)
108 {
109         enum security_user_level level;
110
111         if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
112                          "drs", "disable_sec_check", false)) {
113                 return WERR_OK;
114         }
115
116         level = security_session_user_level(dce_call->conn->auth_state.session_info, domain_sid);
117         if (level < minimum_level) {
118                 if (call) {
119                         DEBUG(0,("%s refused for security token (level=%u)\n",
120                                  call, (unsigned)level));
121                         security_token_debug(2, dce_call->conn->auth_state.session_info->security_token);
122                 }
123                 return WERR_DS_DRA_ACCESS_DENIED;
124         }
125
126         return WERR_OK;
127 }
128
129 void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
130                                       struct drsuapi_DsReplicaMetaData *meta_data)
131 {
132         if (attr->value_ctr.num_values == 0) {
133                 return;
134         }
135
136         switch (attr->attid) {
137         case DRSUAPI_ATTRIBUTE_dBCSPwd:
138         case DRSUAPI_ATTRIBUTE_unicodePwd:
139         case DRSUAPI_ATTRIBUTE_ntPwdHistory:
140         case DRSUAPI_ATTRIBUTE_lmPwdHistory:
141         case DRSUAPI_ATTRIBUTE_supplementalCredentials:
142         case DRSUAPI_ATTRIBUTE_priorValue:
143         case DRSUAPI_ATTRIBUTE_currentValue:
144         case DRSUAPI_ATTRIBUTE_trustAuthOutgoing:
145         case DRSUAPI_ATTRIBUTE_trustAuthIncoming:
146         case DRSUAPI_ATTRIBUTE_initialAuthOutgoing:
147         case DRSUAPI_ATTRIBUTE_initialAuthIncoming:
148                 /*set value to null*/
149                 attr->value_ctr.num_values = 0;
150                 talloc_free(attr->value_ctr.values);
151                 attr->value_ctr.values = NULL;
152                 meta_data->originating_change_time = 0;
153                 return;
154         default:
155                 return;
156         }
157 }