s4:drsuapi RPC server - fix "enum security_user_level" warning on Tru64
[nivanova/samba-autobuild/.git] / source4 / rpc_server / drsuapi / writespn.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    implement the DsWriteAccountSpn call
5
6    Copyright (C) Stefan Metzmacher 2009
7    Copyright (C) Andrew Tridgell   2010
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "rpc_server/dcerpc_server.h"
25 #include "dsdb/samdb/samdb.h"
26 #include "dsdb/common/util.h"
27 #include "system/kerberos.h"
28 #include "auth/kerberos/kerberos.h"
29 #include "libcli/security/security.h"
30 #include "libcli/security/session.h"
31 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
32 #include "auth/session.h"
33
34 /*
35   check that the SPN update should be allowed as an override
36   via sam_ctx_system
37
38   This is only called if the client is not a domain controller or
39   administrator
40  */
41 static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
42                                struct dcesrv_call_state *dce_call,
43                                struct ldb_dn *dn,
44                                const char *spn)
45 {
46         /*
47          * we only allow SPN updates if:
48          *
49          * 1) they are on the clients own account object
50          * 2) they are of the form SERVICE/dnshostname
51          */
52         struct dom_sid *user_sid, *sid;
53         TALLOC_CTX *tmp_ctx = talloc_new(dce_call);
54         struct ldb_result *res;
55         const char *attrs[] = { "objectSID", "dNSHostName", NULL };
56         int ret;
57         krb5_context krb_ctx;
58         krb5_error_code kerr;
59         krb5_principal principal;
60         const char *dns_name, *dnsHostName;
61
62         /*
63           get the objectSid of the DN that is being modified, and
64           check it matches the user_sid in their token
65          */
66
67         ret = dsdb_search_dn(b_state->sam_ctx, tmp_ctx, &res, dn, attrs,
68                              DSDB_SEARCH_ONE_ONLY);
69         if (ret != LDB_SUCCESS) {
70                 talloc_free(tmp_ctx);
71                 return false;
72         }
73
74         user_sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
75         sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
76         if (sid == NULL) {
77                 talloc_free(tmp_ctx);
78                 return false;
79         }
80
81         dnsHostName = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName",
82                                                   NULL);
83         if (dnsHostName == NULL) {
84                 talloc_free(tmp_ctx);
85                 return false;
86         }
87
88         if (!dom_sid_equal(sid, user_sid)) {
89                 talloc_free(tmp_ctx);
90                 return false;
91         }
92
93         kerr = smb_krb5_init_context_basic(tmp_ctx,
94                                            dce_call->conn->dce_ctx->lp_ctx,
95                                            &krb_ctx);
96         if (kerr != 0) {
97                 talloc_free(tmp_ctx);
98                 return false;
99         }
100
101         ret = krb5_parse_name_flags(krb_ctx, spn, KRB5_PRINCIPAL_PARSE_NO_REALM,
102                                     &principal);
103         if (kerr != 0) {
104                 krb5_free_context(krb_ctx);
105                 talloc_free(tmp_ctx);
106                 return false;
107         }
108
109         if (principal->name.name_string.len != 2) {
110                 krb5_free_principal(krb_ctx, principal);
111                 krb5_free_context(krb_ctx);
112                 talloc_free(tmp_ctx);
113                 return false;
114         }
115
116         dns_name = principal->name.name_string.val[1];
117
118         if (strcasecmp(dns_name, dnsHostName) != 0) {
119                 krb5_free_principal(krb_ctx, principal);
120                 krb5_free_context(krb_ctx);
121                 talloc_free(tmp_ctx);
122                 return false;
123         }
124
125         /* its a simple update on their own account - allow it with
126          * permissions override */
127         krb5_free_principal(krb_ctx, principal);
128         krb5_free_context(krb_ctx);
129         talloc_free(tmp_ctx);
130
131         return true;
132 }
133
134 /*
135   drsuapi_DsWriteAccountSpn
136 */
137 WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
138                                         struct drsuapi_DsWriteAccountSpn *r)
139 {
140         struct drsuapi_bind_state *b_state;
141         struct dcesrv_handle *h;
142         enum security_user_level level;
143
144         *r->out.level_out = r->in.level;
145
146         DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
147         b_state = h->data;
148
149         r->out.res = talloc(mem_ctx, union drsuapi_DsWriteAccountSpnResult);
150         W_ERROR_HAVE_NO_MEMORY(r->out.res);
151
152         level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
153
154         switch (r->in.level) {
155                 case 1: {
156                         struct drsuapi_DsWriteAccountSpnRequest1 *req;
157                         struct ldb_message *msg;
158                         uint32_t count;
159                         unsigned int i;
160                         int ret;
161                         unsigned spn_count=0;
162                         bool passed_checks = true;
163                         struct ldb_context *sam_ctx;
164
165                         req = &r->in.req->req1;
166                         count = req->count;
167
168                         msg = ldb_msg_new(mem_ctx);
169                         if (msg == NULL) {
170                                 return WERR_NOMEM;
171                         }
172
173                         msg->dn = ldb_dn_new(msg, b_state->sam_ctx,
174                                              req->object_dn);
175                         if ( ! ldb_dn_validate(msg->dn)) {
176                                 r->out.res->res1.status = WERR_OK;
177                                 return WERR_OK;
178                         }
179
180                         /* construct mods */
181                         for (i = 0; i < count; i++) {
182                                 if (!writespn_check_spn(b_state,
183                                                        dce_call,
184                                                        msg->dn,
185                                                        req->spn_names[i].str)) {
186                                         passed_checks = false;
187                                 }
188                                 ret = samdb_msg_add_string(b_state->sam_ctx,
189                                                            msg, msg,
190                                                            "servicePrincipalName",
191                                                            req->spn_names[i].str);
192                                 if (ret != LDB_SUCCESS) {
193                                         return WERR_NOMEM;
194                                 }
195                                 spn_count++;
196                         }
197
198                         if (msg->num_elements == 0) {
199                                 DEBUG(2,("No SPNs need changing on %s\n",
200                                          ldb_dn_get_linearized(msg->dn)));
201                                 r->out.res->res1.status = WERR_OK;
202                                 return WERR_OK;
203                         }
204
205                         for (i=0;i<msg->num_elements;i++) {
206                                 switch (req->operation) {
207                                 case DRSUAPI_DS_SPN_OPERATION_ADD:
208                                         msg->elements[i].flags = LDB_FLAG_MOD_ADD;
209                                         break;
210                                 case DRSUAPI_DS_SPN_OPERATION_REPLACE:
211                                         msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
212                                         break;
213                                 case DRSUAPI_DS_SPN_OPERATION_DELETE:
214                                         msg->elements[i].flags = LDB_FLAG_MOD_DELETE;
215                                         break;
216                                 }
217                         }
218
219                         if (passed_checks && b_state->sam_ctx_system) {
220                                 sam_ctx = b_state->sam_ctx_system;
221                         } else {
222                                 sam_ctx = b_state->sam_ctx;
223                         }
224
225                         /* Apply to database */
226                         ret = dsdb_modify(sam_ctx, msg, DSDB_MODIFY_PERMISSIVE);
227                         if (ret != LDB_SUCCESS) {
228                                 DEBUG(0,("Failed to modify SPNs on %s: %s\n",
229                                          ldb_dn_get_linearized(msg->dn),
230                                          ldb_errstring(b_state->sam_ctx)));
231                                 r->out.res->res1.status = WERR_ACCESS_DENIED;
232                         } else {
233                                 DEBUG(2,("Modified %u SPNs on %s\n", spn_count,
234                                          ldb_dn_get_linearized(msg->dn)));
235                                 r->out.res->res1.status = WERR_OK;
236                         }
237
238                         return WERR_OK;
239                 }
240         }
241
242         return WERR_UNKNOWN_LEVEL;
243 }