diff options
author | Andrew Tridgell <tridge@samba.org> | 2010-08-18 18:38:26 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-08-20 20:34:11 +1000 |
commit | 4cc6b5a69b1f94d96a73ac15d58ff71d2e4febfd (patch) | |
tree | dea77563408464b03ada123475e413427464848c | |
parent | 6eb34e69078630f1795a75d186eccf50e1f3c683 (diff) | |
download | samba-4cc6b5a69b1f94d96a73ac15d58ff71d2e4febfd.tar.gz samba-4cc6b5a69b1f94d96a73ac15d58ff71d2e4febfd.tar.bz2 samba-4cc6b5a69b1f94d96a73ac15d58ff71d2e4febfd.zip |
s4-drs: bring us much closer to the docs for DRS secret replication
The rules for when a RODC can replicate secrets are:
- it can always replicate its own acct
- it can also replicate its krbtgt acct
- it can't replicate other krbtgt accts
- it can't replicate interdomain trust accounts
- it can't replicate users in the denied group list
- it can replicate users in the allowed group list
otherwise it can't replicate
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source4/rpc_server/drsuapi/getncchanges.c | 250 |
1 files changed, 241 insertions, 9 deletions
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c index 779b7c78f9..796bc2dd62 100644 --- a/source4/rpc_server/drsuapi/getncchanges.c +++ b/source4/rpc_server/drsuapi/getncchanges.c @@ -26,6 +26,7 @@ #include "param/param.h" #include "librpc/gen_ndr/ndr_drsblobs.h" #include "librpc/gen_ndr/ndr_drsuapi.h" +#include "librpc/gen_ndr/ndr_security.h" #include "rpc_server/drsuapi/dcesrv_drsuapi.h" #include "rpc_server/dcerpc_server_proto.h" #include "../libcli/drsuapi/drsuapi.h" @@ -33,6 +34,7 @@ #include "lib/util/binsearch.h" #include "lib/util/tsort.h" #include "auth/session.h" +#include "dsdb/common/util.h" /* build a DsReplicaObjectIdentifier from a ldb msg @@ -677,6 +679,228 @@ static WERROR getncchanges_rid_alloc(struct drsuapi_bind_state *b_state, return WERR_OK; } +/* + return an array of SIDs from a ldb_message given an attribute name + assumes the SIDs are in extended DN format + */ +static WERROR samdb_result_sid_array_dn(struct ldb_context *sam_ctx, + struct ldb_message *msg, + TALLOC_CTX *mem_ctx, + const char *attr, + const struct dom_sid ***sids) +{ + struct ldb_message_element *el; + int i; + + el = ldb_msg_find_element(msg, attr); + if (!el) { + *sids = NULL; + return WERR_OK; + } + + (*sids) = talloc_array(mem_ctx, const struct dom_sid *, el->num_values + 1); + W_ERROR_HAVE_NO_MEMORY(*sids); + + for (i=0; i<el->num_values; i++) { + struct ldb_dn *dn = ldb_dn_from_ldb_val(mem_ctx, sam_ctx, &el->values[i]); + NTSTATUS status; + struct dom_sid *sid; + + sid = talloc(*sids, struct dom_sid); + W_ERROR_HAVE_NO_MEMORY(sid); + status = dsdb_get_extended_dn_sid(dn, sid, "SID"); + if (!NT_STATUS_IS_OK(status)) { + return WERR_INTERNAL_DB_CORRUPTION; + } + (*sids)[i] = sid; + } + (*sids)[i] = NULL; + + return WERR_OK; +} + + +/* + return an array of SIDs from a ldb_message given an attribute name + assumes the SIDs are in NDR form + */ +static WERROR samdb_result_sid_array_ndr(struct ldb_context *sam_ctx, + struct ldb_message *msg, + TALLOC_CTX *mem_ctx, + const char *attr, + const struct dom_sid ***sids) +{ + struct ldb_message_element *el; + int i; + + el = ldb_msg_find_element(msg, attr); + if (!el) { + *sids = NULL; + return WERR_OK; + } + + (*sids) = talloc_array(mem_ctx, const struct dom_sid *, el->num_values + 1); + W_ERROR_HAVE_NO_MEMORY(*sids); + + for (i=0; i<el->num_values; i++) { + enum ndr_err_code ndr_err; + struct dom_sid *sid; + + sid = talloc(*sids, struct dom_sid); + W_ERROR_HAVE_NO_MEMORY(sid); + + ndr_err = ndr_pull_struct_blob(&el->values[i], sid, sid, + (ndr_pull_flags_fn_t)ndr_pull_dom_sid); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return WERR_INTERNAL_DB_CORRUPTION; + } + (*sids)[i] = sid; + } + (*sids)[i] = NULL; + + return WERR_OK; +} + +/* + see if any SIDs in list1 are in list2 + */ +static bool sid_list_match(const struct dom_sid **list1, const struct dom_sid **list2) +{ + int i, j; + /* do we ever have enough SIDs here to worry about O(n^2) ? */ + for (i=0; list1[i]; i++) { + for (j=0; list2[j]; j++) { + if (dom_sid_equal(list1[i], list2[j])) { + return true; + } + } + } + return false; +} + +/* + handle a DRSUAPI_EXOP_REPL_SECRET call + */ +static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state, + TALLOC_CTX *mem_ctx, + struct drsuapi_DsGetNCChangesRequest8 *req8, + struct dom_sid *user_sid, + struct drsuapi_DsGetNCChangesCtr6 *ctr6) +{ + struct drsuapi_DsReplicaObjectIdentifier *ncRoot = req8->naming_context; + struct ldb_dn *obj_dn, *rodc_dn, *krbtgt_link_dn; + int ret; + const char *rodc_attrs[] = { "msDS-KrbTgtLink", "msDS-NeverRevealGroup", "msDS-RevealOnDemandGroup", NULL }; + const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL }; + struct ldb_result *rodc_res, *obj_res; + const struct dom_sid **never_reveal_sids, **reveal_sids, **token_sids; + WERROR werr; + + DEBUG(3,(__location__ ": DRSUAPI_EXOP_REPL_SECRET extended op on %s\n", ncRoot->dn)); + + /* + * we need to work out if we will allow this RODC to + * replicate the secrets for this object + * + * see 4.1.10.5.14 GetRevealSecretsPolicyForUser for details + * of this function + */ + + if (b_state->sam_ctx_system == NULL) { + /* this operation needs system level access */ + ctr6->extended_ret = DRSUAPI_EXOP_ERR_ACCESS_DENIED; + return WERR_DS_DRA_SOURCE_DISABLED; + } + + obj_dn = ldb_dn_new(mem_ctx, b_state->sam_ctx_system, ncRoot->dn); + if (!ldb_dn_validate(obj_dn)) goto failed; + + rodc_dn = ldb_dn_new_fmt(mem_ctx, b_state->sam_ctx_system, "<SID=%s>", + dom_sid_string(mem_ctx, user_sid)); + if (!ldb_dn_validate(rodc_dn)) goto failed; + + /* do the two searches we need */ + ret = dsdb_search_dn(b_state->sam_ctx_system, mem_ctx, &rodc_res, rodc_dn, rodc_attrs, + DSDB_SEARCH_SHOW_EXTENDED_DN); + if (ret != LDB_SUCCESS || rodc_res->count != 1) goto failed; + + ret = dsdb_search_dn(b_state->sam_ctx_system, mem_ctx, &obj_res, obj_dn, obj_attrs, 0); + if (ret != LDB_SUCCESS || obj_res->count != 1) goto failed; + + /* if the object SID is equal to the user_sid, allow */ + if (dom_sid_equal(user_sid, + samdb_result_dom_sid(mem_ctx, obj_res->msgs[0], "objectSid"))) { + goto allowed; + } + + /* an RODC is allowed to get its own krbtgt account secrets */ + krbtgt_link_dn = samdb_result_dn(b_state->sam_ctx_system, mem_ctx, + rodc_res->msgs[0], "msDS-KrbTgtLink", NULL); + if (krbtgt_link_dn != NULL && + ldb_dn_compare(obj_dn, krbtgt_link_dn) == 0) { + goto allowed; + } + + /* but it isn't allowed to get anyone elses krbtgt secrets */ + if (samdb_result_dn(b_state->sam_ctx_system, mem_ctx, + obj_res->msgs[0], "msDS-KrbTgtLinkBL", NULL)) { + goto denied; + } + + if (samdb_result_uint(obj_res->msgs[0], "UserAccountControl", 0) & + UF_INTERDOMAIN_TRUST_ACCOUNT) { + goto denied; + } + + werr = samdb_result_sid_array_dn(b_state->sam_ctx_system, rodc_res->msgs[0], + mem_ctx, "msDS-NeverRevealGroup", &never_reveal_sids); + if (!W_ERROR_IS_OK(werr)) { + goto denied; + } + + werr = samdb_result_sid_array_dn(b_state->sam_ctx_system, rodc_res->msgs[0], + mem_ctx, "msDS-RevealOnDemandGroup", &reveal_sids); + if (!W_ERROR_IS_OK(werr)) { + goto denied; + } + + werr = samdb_result_sid_array_ndr(b_state->sam_ctx_system, obj_res->msgs[0], + mem_ctx, "tokenGroups", &token_sids); + if (!W_ERROR_IS_OK(werr) || token_sids==NULL) { + goto denied; + } + + if (never_reveal_sids && + sid_list_match(token_sids, never_reveal_sids)) { + goto denied; + } + + if (reveal_sids && + sid_list_match(token_sids, reveal_sids)) { + goto allowed; + } + + /* default deny */ +denied: + DEBUG(2,(__location__ ": Denied RODC secret replication for %s by RODC %s\n", + ncRoot->dn, ldb_dn_get_linearized(rodc_res->msgs[0]->dn))); + ctr6->extended_ret = DRSUAPI_EXOP_ERR_ACCESS_DENIED; + return WERR_ACCESS_DENIED; + +allowed: + DEBUG(2,(__location__ ": Allowed RODC secret replication for %s by RODC %s\n", + ncRoot->dn, ldb_dn_get_linearized(rodc_res->msgs[0]->dn))); + ctr6->extended_ret = DRSUAPI_EXOP_ERR_SUCCESS; + req8->highwatermark.highest_usn = 0; + return WERR_OK; + +failed: + DEBUG(2,(__location__ ": Failed RODC secret replication for %s by RODC %s\n", + ncRoot->dn, dom_sid_string(mem_ctx, user_sid))); + ctr6->extended_ret = DRSUAPI_EXOP_ERR_DIR_ERROR; + return WERR_DS_DRA_SOURCE_DISABLED; +} + /* state of a partially completed getncchanges call */ @@ -733,9 +957,10 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ uint32_t link_total = 0; uint32_t link_given = 0; struct ldb_dn *search_dn = NULL; - bool am_rodc; + bool am_rodc, null_scope=false; enum security_user_level security_level; struct ldb_context *sam_ctx; + struct dom_sid *user_sid; DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE); b_state = h->data; @@ -794,6 +1019,9 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ return werr; } + user_sid = dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; + + /* for non-administrator replications, check that they have given the correct source_dsa_invocation_id */ security_level = security_session_user_level(dce_call->conn->auth_state.session_info, @@ -802,8 +1030,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ (req8->replica_flags & DRSUAPI_DRS_WRIT_REP) && req8->extended_op != DRSUAPI_EXOP_REPL_SECRET) { DEBUG(3,(__location__ ": Removing WRIT_REP flag for replication by RODC %s\n", - dom_sid_string(mem_ctx, - dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]))); + dom_sid_string(mem_ctx, user_sid))); req8->replica_flags &= ~DRSUAPI_DRS_WRIT_REP; } @@ -825,10 +1052,14 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ break; case DRSUAPI_EXOP_REPL_SECRET: - DEBUG(0,(__location__ ": DRSUAPI_EXOP_REPL_SECRET extended op\n")); - r->out.ctr->ctr6.extended_ret = DRSUAPI_EXOP_ERR_SUCCESS; - req8->highwatermark.highest_usn = 0; + werr = getncchanges_repl_secret(b_state, mem_ctx, req8, user_sid, &r->out.ctr->ctr6); + if (W_ERROR_EQUAL(werr, WERR_ACCESS_DENIED)) { + null_scope = true; + } else { + W_ERROR_NOT_OK_RETURN(werr); + } break; + case DRSUAPI_EXOP_FSMO_REQ_ROLE: case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE: case DRSUAPI_EXOP_FSMO_REQ_PDC: @@ -989,9 +1220,10 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ */ max_links = lpcfg_parm_int(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "max link sync", 1500); - for(i=getnc_state->num_sent; - i<getnc_state->site_res->count && - (r->out.ctr->ctr6.object_count < max_objects); + for (i=getnc_state->num_sent; + i<getnc_state->site_res->count && + !null_scope && + (r->out.ctr->ctr6.object_count < max_objects); i++) { int uSN; struct drsuapi_DsReplicaObjectListItemEx *obj; |