2 Unix SMB/CIFS implementation.
4 useful utilities for the DRS server
6 Copyright (C) Andrew Tridgell 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "rpc_server/dcerpc_server.h"
24 #include "dsdb/samdb/samdb.h"
25 #include "libcli/security/security.h"
26 #include "param/param.h"
27 #include "auth/session.h"
30 format a drsuapi_DsReplicaObjectIdentifier naming context as a string
32 char *drs_ObjectIdentifier_to_string(TALLOC_CTX *mem_ctx,
33 struct drsuapi_DsReplicaObjectIdentifier *nc)
35 char *guid, *sid, *ret;
36 guid = GUID_string(mem_ctx, &nc->guid);
37 sid = dom_sid_string(mem_ctx, &nc->sid);
38 ret = talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
45 int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
47 struct ldb_result **_res,
48 struct ldb_dn *basedn,
50 const char * const *attrs,
54 struct ldb_request *req;
56 struct ldb_result *res;
58 tmp_ctx = talloc_new(mem_ctx);
60 res = talloc_zero(tmp_ctx, struct ldb_result);
62 return LDB_ERR_OPERATIONS_ERROR;
65 ret = ldb_build_search_req(&req, ldb, tmp_ctx,
72 ldb_search_default_callback,
74 if (ret != LDB_SUCCESS) {
79 ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, NULL);
80 if (ret != LDB_SUCCESS) {
84 ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_DELETED_OID, true, NULL);
85 if (ret != LDB_SUCCESS) {
89 ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
90 if (ret != LDB_SUCCESS) {
94 ret = ldb_request(ldb, req);
95 if (ret == LDB_SUCCESS) {
96 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
100 *_res = talloc_steal(mem_ctx, res);
104 WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
106 enum security_user_level minimum_level,
107 const struct dom_sid *domain_sid)
109 enum security_user_level level;
111 if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
112 "drs", "disable_sec_check", false)) {
116 level = security_session_user_level(dce_call->conn->auth_state.session_info, domain_sid);
117 if (level < minimum_level) {
119 DEBUG(0,("%s refused for security token (level=%u)\n",
120 call, (unsigned)level));
121 security_token_debug(2, dce_call->conn->auth_state.session_info->security_token);
123 return WERR_DS_DRA_ACCESS_DENIED;
129 void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
130 struct drsuapi_DsReplicaMetaData *meta_data)
132 if (attr->value_ctr.num_values == 0) {
136 switch (attr->attid) {
137 case DRSUAPI_ATTRIBUTE_dBCSPwd:
138 case DRSUAPI_ATTRIBUTE_unicodePwd:
139 case DRSUAPI_ATTRIBUTE_ntPwdHistory:
140 case DRSUAPI_ATTRIBUTE_lmPwdHistory:
141 case DRSUAPI_ATTRIBUTE_supplementalCredentials:
142 case DRSUAPI_ATTRIBUTE_priorValue:
143 case DRSUAPI_ATTRIBUTE_currentValue:
144 case DRSUAPI_ATTRIBUTE_trustAuthOutgoing:
145 case DRSUAPI_ATTRIBUTE_trustAuthIncoming:
146 case DRSUAPI_ATTRIBUTE_initialAuthOutgoing:
147 case DRSUAPI_ATTRIBUTE_initialAuthIncoming:
148 /*set value to null*/
149 attr->value_ctr.num_values = 0;
150 talloc_free(attr->value_ctr.values);
151 attr->value_ctr.values = NULL;
152 meta_data->originating_change_time = 0;