diff options
author | Andrew Tridgell <tridge@samba.org> | 2009-09-15 19:26:33 -0700 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2009-09-15 19:52:25 -0700 |
commit | 5d2dfd12cf779c410e041a1815e5e3edf0ea38d8 (patch) | |
tree | 5f22b2c8eeb4159875f47055b50a2e5ee36e0143 /source4/rpc_server/drsuapi/getncchanges.c | |
parent | 7ded0741d9d5a4c2859769e4abfbc197aed0e5e1 (diff) | |
download | samba-5d2dfd12cf779c410e041a1815e5e3edf0ea38d8.tar.gz samba-5d2dfd12cf779c410e041a1815e5e3edf0ea38d8.tar.bz2 samba-5d2dfd12cf779c410e041a1815e5e3edf0ea38d8.zip |
s4-drs: lock down key DRS calls
The key DRS calls should only be allowed by administrators or domain
controllers
Diffstat (limited to 'source4/rpc_server/drsuapi/getncchanges.c')
-rw-r--r-- | source4/rpc_server/drsuapi/getncchanges.c | 49 |
1 files changed, 29 insertions, 20 deletions
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c index a05ddb9a5d..14d4f0d6d1 100644 --- a/source4/rpc_server/drsuapi/getncchanges.c +++ b/source4/rpc_server/drsuapi/getncchanges.c @@ -33,6 +33,7 @@ #include "rpc_server/dcerpc_server_proto.h" #include "../libcli/drsuapi/drsuapi.h" #include "../libcli/security/dom_sid.h" +#include "libcli/security/security.h" /* drsuapi_DsGetNCChanges for one object @@ -278,17 +279,15 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ DATA_BLOB session_key; const char *attrs[] = { "*", "parentGUID", NULL }; WERROR werr; + + *r->out.level_out = 6; + /* TODO: linked attributes*/ + r->out.ctr->ctr6.linked_attributes_count = 0; + r->out.ctr->ctr6.linked_attributes = NULL; - /* - * connect to the samdb. TODO: We need to check that the caller - * has the rights to do this. This exposes all attributes, - * including all passwords. - */ - sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, - system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx)); - if (!sam_ctx) { - return WERR_FOOBAR; - } + r->out.ctr->ctr6.object_count = 0; + r->out.ctr->ctr6.more_data = false; + r->out.ctr->ctr6.uptodateness_vector = NULL; /* Check request revision. */ if (r->in.level != 8) { @@ -305,6 +304,23 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ return WERR_DS_DRA_BAD_NC; } + if (security_session_user_level(dce_call->conn->auth_state.session_info) < + SECURITY_DOMAIN_CONTROLLER) { + DEBUG(0,("getncchanges refused for security token\n")); + return WERR_DS_DRA_ACCESS_DENIED; + } + + /* + * connect to the samdb. TODO: We need to check that the caller + * has the rights to do this. This exposes all attributes, + * including all passwords. + */ + sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, + system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx)); + if (!sam_ctx) { + return WERR_FOOBAR; + } + /* we need the session key for encrypting password attributes */ status = dcesrv_inherited_session_key(dce_call->conn, &session_key); if (!NT_STATUS_IS_OK(status)) { @@ -322,16 +338,6 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ return WERR_DS_DRA_INTERNAL_ERROR; } - *r->out.level_out = 6; - r->out.ctr->ctr6.naming_context = talloc(mem_ctx, struct drsuapi_DsReplicaObjectIdentifier); - *r->out.ctr->ctr6.naming_context = *ncRoot; - /* TODO: linked attributes*/ - r->out.ctr->ctr6.linked_attributes_count = 0; - r->out.ctr->ctr6.linked_attributes = NULL; - - r->out.ctr->ctr6.object_count = 0; - r->out.ctr->ctr6.more_data = false; - r->out.ctr->ctr6.uptodateness_vector = NULL; /* Prefix mapping */ schema = dsdb_get_schema(sam_ctx); @@ -340,6 +346,9 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ return WERR_DS_DRA_INTERNAL_ERROR; } + r->out.ctr->ctr6.naming_context = talloc(mem_ctx, struct drsuapi_DsReplicaObjectIdentifier); + *r->out.ctr->ctr6.naming_context = *ncRoot; + dsdb_get_oid_mappings_drsuapi(schema, true, mem_ctx, &ctr); r->out.ctr->ctr6.mapping_ctr = *ctr; |