diff options
author | Nadezhda Ivanova <nivanova@samba.org> | 2010-09-26 21:14:45 -0700 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-09-28 11:36:40 -0700 |
commit | 440cee48b93936bfb9b1376e55e457a721bdcc19 (patch) | |
tree | a92f43383ac78254fe6db3c9fb655d81b856f2b2 | |
parent | 6caa5128150da5c585957b34e8a9c40396877452 (diff) | |
download | samba-440cee48b93936bfb9b1376e55e457a721bdcc19.tar.gz samba-440cee48b93936bfb9b1376e55e457a721bdcc19.tar.bz2 samba-440cee48b93936bfb9b1376e55e457a721bdcc19.zip |
s4-drs: Added drs_security_access_check function
It takes a security token, an ldb_context, and the desired CAR and checks
if the principal has this CAR granted
-rw-r--r-- | source4/rpc_server/drsuapi/dcesrv_drsuapi.h | 6 | ||||
-rw-r--r-- | source4/rpc_server/drsuapi/drsutil.c | 58 |
2 files changed, 64 insertions, 0 deletions
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h index 818813ed57..1de347f9f1 100644 --- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h +++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h @@ -69,3 +69,9 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr, struct drsuapi_DsReplicaMetaData *meta_data); + +WERROR drs_security_access_check(struct ldb_context *sam_ctx, + TALLOC_CTX *mem_ctx, + struct security_token *token, + struct drsuapi_DsReplicaObjectIdentifier *nc, + const char *ext_right); diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c index f20082f6bb..5b5e14aea4 100644 --- a/source4/rpc_server/drsuapi/drsutil.c +++ b/source4/rpc_server/drsuapi/drsutil.c @@ -42,6 +42,34 @@ char *drs_ObjectIdentifier_to_string(TALLOC_CTX *mem_ctx, return ret; } +struct ldb_dn *drs_ObjectIdentifier_to_dn(TALLOC_CTX *mem_ctx, + struct ldb_context *ldb, + struct drsuapi_DsReplicaObjectIdentifier *nc) +{ + char *guid = NULL, *sid = NULL, *ret = NULL; + struct ldb_dn *new_dn; + if (!GUID_all_zero(&nc->guid)) { + guid = GUID_string(mem_ctx, &nc->guid); + if (guid) { + ret = talloc_asprintf_append(mem_ctx, "<GUID=%s>;", guid); + } + } + if (nc->sid.sid_rev_num != 0) { + sid = dom_sid_string(mem_ctx, &nc->sid); + if (sid) { + ret = talloc_asprintf_append(ret, "<SID=%s>;", sid); + } + } + if (nc->dn) { + ret = talloc_asprintf_append(ret, "%s", nc->dn); + } + new_dn = ldb_dn_new(mem_ctx, ldb, ret); + talloc_free(guid); + talloc_free(sid); + talloc_free(ret); + return new_dn; +} + int drsuapi_search_with_extended_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_result **_res, @@ -155,3 +183,33 @@ void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr, return; } } + +WERROR drs_security_access_check(struct ldb_context *sam_ctx, + TALLOC_CTX *mem_ctx, + struct security_token *token, + struct drsuapi_DsReplicaObjectIdentifier *nc, + const char *ext_right) +{ + struct ldb_dn *dn = drs_ObjectIdentifier_to_dn(mem_ctx, sam_ctx, nc); + int ret; + if (!dn) { + DEBUG(3,("drs_security_access_check: Null dn provided, access is denied\n")); + return WERR_DS_DRA_ACCESS_DENIED; + } + ret = dsdb_check_access_on_dn(sam_ctx, + mem_ctx, + dn, + token, + SEC_ADS_CONTROL_ACCESS, + ext_right); + if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { + DEBUG(3,("%s refused for security token\n", ext_right)); + security_token_debug(2, token); + return WERR_DS_DRA_ACCESS_DENIED; + } else if (ret != LDB_SUCCESS) { + DEBUG(1,("Failed to perform access check on %s \n", ldb_dn_get_linearized(dn))); + return WERR_DS_DRA_ACCESS_DENIED; + return WERR_DS_DRA_INTERNAL_ERROR; + } + return WERR_OK; +} |