idl: Use DRSUAPI_ATTID_ prefix instead of DRSUAPI_ATTRIBUTE_ for ATTID values
[sfrench/samba-autobuild/.git] / source4 / rpc_server / drsuapi / drsutil.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    useful utilities for the DRS server
5
6    Copyright (C) Andrew Tridgell 2009
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "rpc_server/dcerpc_server.h"
24 #include "dsdb/samdb/samdb.h"
25 #include "libcli/security/security.h"
26 #include "libcli/security/session.h"
27 #include "param/param.h"
28 #include "auth/session.h"
29
30 int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
31                                     TALLOC_CTX *mem_ctx,
32                                     struct ldb_result **_res,
33                                     struct ldb_dn *basedn,
34                                     enum ldb_scope scope,
35                                     const char * const *attrs,
36                                     const char *filter)
37 {
38         int ret;
39         struct ldb_request *req;
40         TALLOC_CTX *tmp_ctx;
41         struct ldb_result *res;
42
43         tmp_ctx = talloc_new(mem_ctx);
44
45         res = talloc_zero(tmp_ctx, struct ldb_result);
46         if (!res) {
47                 return LDB_ERR_OPERATIONS_ERROR;
48         }
49
50         ret = ldb_build_search_req(&req, ldb, tmp_ctx,
51                                    basedn,
52                                    scope,
53                                    filter,
54                                    attrs,
55                                    NULL,
56                                    res,
57                                    ldb_search_default_callback,
58                                    NULL);
59         if (ret != LDB_SUCCESS) {
60                 talloc_free(tmp_ctx);
61                 return ret;
62         }
63
64         ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, NULL);
65         if (ret != LDB_SUCCESS) {
66                 return ret;
67         }
68
69         ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_RECYCLED_OID, true, NULL);
70         if (ret != LDB_SUCCESS) {
71                 return ret;
72         }
73
74         ret = ldb_request_add_control(req, LDB_CONTROL_REVEAL_INTERNALS, false, NULL);
75         if (ret != LDB_SUCCESS) {
76                 return ret;
77         }
78
79         ret = ldb_request(ldb, req);
80         if (ret == LDB_SUCCESS) {
81                 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
82         }
83
84         talloc_free(req);
85         *_res = talloc_steal(mem_ctx, res);
86         return ret;
87 }
88
89 WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
90                                 const char* call,
91                                 enum security_user_level minimum_level,
92                                 const struct dom_sid *domain_sid)
93 {
94         enum security_user_level level;
95
96         if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
97                          "drs", "disable_sec_check", false)) {
98                 return WERR_OK;
99         }
100
101         level = security_session_user_level(dce_call->conn->auth_state.session_info, domain_sid);
102         if (level < minimum_level) {
103                 if (call) {
104                         DEBUG(0,("%s refused for security token (level=%u)\n",
105                                  call, (unsigned)level));
106                         security_token_debug(0, 2, dce_call->conn->auth_state.session_info->security_token);
107                 }
108                 return WERR_DS_DRA_ACCESS_DENIED;
109         }
110
111         return WERR_OK;
112 }
113
114 void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
115                                       struct drsuapi_DsReplicaMetaData *meta_data)
116 {
117         if (attr->value_ctr.num_values == 0) {
118                 return;
119         }
120
121         switch (attr->attid) {
122         case DRSUAPI_ATTID_dBCSPwd:
123         case DRSUAPI_ATTID_unicodePwd:
124         case DRSUAPI_ATTID_ntPwdHistory:
125         case DRSUAPI_ATTID_lmPwdHistory:
126         case DRSUAPI_ATTID_supplementalCredentials:
127         case DRSUAPI_ATTID_priorValue:
128         case DRSUAPI_ATTID_currentValue:
129         case DRSUAPI_ATTID_trustAuthOutgoing:
130         case DRSUAPI_ATTID_trustAuthIncoming:
131         case DRSUAPI_ATTID_initialAuthOutgoing:
132         case DRSUAPI_ATTID_initialAuthIncoming:
133                 /*set value to null*/
134                 attr->value_ctr.num_values = 0;
135                 talloc_free(attr->value_ctr.values);
136                 attr->value_ctr.values = NULL;
137                 meta_data->originating_change_time = 0;
138                 return;
139         default:
140                 return;
141         }
142 }
143
144
145 /*
146   check security on a DN, with logging of errors
147  */
148 static WERROR drs_security_access_check_log(struct ldb_context *sam_ctx,
149                                             TALLOC_CTX *mem_ctx,
150                                             struct security_token *token,
151                                             struct ldb_dn *dn,
152                                             const char *ext_right)
153 {
154         int ret;
155         if (!dn) {
156                 DEBUG(3,("drs_security_access_check: Null dn provided, access is denied for %s\n",
157                               ext_right));
158                 return WERR_DS_DRA_ACCESS_DENIED;
159         }
160         ret = dsdb_check_access_on_dn(sam_ctx,
161                                       mem_ctx,
162                                       dn,
163                                       token,
164                                       SEC_ADS_CONTROL_ACCESS,
165                                       ext_right);
166         if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
167                 DEBUG(3,("%s refused for security token on %s\n",
168                          ext_right, ldb_dn_get_linearized(dn)));
169                 security_token_debug(2, 0, token);
170                 return WERR_DS_DRA_ACCESS_DENIED;
171         } else if (ret != LDB_SUCCESS) {
172                 DEBUG(1,("Failed to perform access check on %s\n", ldb_dn_get_linearized(dn)));
173                 return WERR_DS_DRA_INTERNAL_ERROR;
174         }
175         return WERR_OK;
176 }
177
178
179 /*
180   check security on a object identifier
181  */
182 WERROR drs_security_access_check(struct ldb_context *sam_ctx,
183                                  TALLOC_CTX *mem_ctx,
184                                  struct security_token *token,
185                                  struct drsuapi_DsReplicaObjectIdentifier *nc,
186                                  const char *ext_right)
187 {
188         struct ldb_dn *dn = drs_ObjectIdentifier_to_dn(mem_ctx, sam_ctx, nc);
189         WERROR werr;
190         werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, dn, ext_right);
191         talloc_free(dn);
192         return werr;
193 }
194
195 /*
196   check security on the NC root of a object identifier
197  */
198 WERROR drs_security_access_check_nc_root(struct ldb_context *sam_ctx,
199                                          TALLOC_CTX *mem_ctx,
200                                          struct security_token *token,
201                                          struct drsuapi_DsReplicaObjectIdentifier *nc,
202                                          const char *ext_right)
203 {
204         struct ldb_dn *dn, *nc_root;
205         WERROR werr;
206         int ret;
207
208         dn = drs_ObjectIdentifier_to_dn(mem_ctx, sam_ctx, nc);
209         W_ERROR_HAVE_NO_MEMORY(dn);
210         ret = dsdb_find_nc_root(sam_ctx, dn, dn, &nc_root);
211         if (ret != LDB_SUCCESS) {
212                 return WERR_DS_CANT_FIND_EXPECTED_NC;
213         }
214         werr = drs_security_access_check_log(sam_ctx, mem_ctx, token, nc_root, ext_right);
215         talloc_free(dn);
216         return werr;
217 }