diff options
author | Andrew Tridgell <tridge@samba.org> | 2010-04-22 16:48:01 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-04-22 19:36:16 +1000 |
commit | bb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e (patch) | |
tree | 8fd3704eb6819063b1916c78bb1893ba16c7fe72 /source4/rpc_server/drsuapi | |
parent | ec0bb2f46b855d44cccb71a5511c2acb7d8eae09 (diff) | |
download | samba-bb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e.tar.gz samba-bb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e.tar.bz2 samba-bb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e.zip |
s4-drs: added new SECURITY_RO_DOMAIN_CONTROLLER level
This is used for allowing operations by RODCs, and denying them
operations that should only be allowed for a full DC
This required a new domain_sid argument to
security_session_user_level()
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
Diffstat (limited to 'source4/rpc_server/drsuapi')
-rw-r--r-- | source4/rpc_server/drsuapi/addentry.c | 4 | ||||
-rw-r--r-- | source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 10 | ||||
-rw-r--r-- | source4/rpc_server/drsuapi/dcesrv_drsuapi.h | 3 | ||||
-rw-r--r-- | source4/rpc_server/drsuapi/drsutil.c | 8 | ||||
-rw-r--r-- | source4/rpc_server/drsuapi/updaterefs.c | 23 |
5 files changed, 34 insertions, 14 deletions
diff --git a/source4/rpc_server/drsuapi/addentry.c b/source4/rpc_server/drsuapi/addentry.c index cfddd80fe4..e87c940597 100644 --- a/source4/rpc_server/drsuapi/addentry.c +++ b/source4/rpc_server/drsuapi/addentry.c @@ -27,7 +27,7 @@ #include "param/param.h" #include "rpc_server/drsuapi/dcesrv_drsuapi.h" #include "librpc/gen_ndr/ndr_drsuapi.h" - +#include "libcli/security/security.h" /* add special SPNs needed for DRS replication to machine accounts when @@ -171,7 +171,7 @@ WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state *dce_call, TALLOC_CTX DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE); b_state = h->data; - status = drs_security_level_check(dce_call, "DsAddEntry"); + status = drs_security_level_check(dce_call, "DsAddEntry", SECURITY_DOMAIN_CONTROLLER); if (!W_ERROR_IS_OK(status)) { return status; } diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c index 270c716d46..5d3c513f3f 100644 --- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c +++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c @@ -65,7 +65,7 @@ static WERROR dcesrv_drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_C W_ERROR_HAVE_NO_MEMORY(b_state); /* if this is a DC connecting, give them system level access */ - werr = drs_security_level_check(dce_call, NULL); + werr = drs_security_level_check(dce_call, NULL, SECURITY_DOMAIN_CONTROLLER); if (W_ERROR_IS_OK(werr)) { DEBUG(3,(__location__ ": doing DsBind with system_session\n")); auth_info = system_session(dce_call->conn->dce_ctx->lp_ctx); @@ -247,7 +247,7 @@ static WERROR dcesrv_drsuapi_DsReplicaSync(struct dcesrv_call_state *dce_call, T { WERROR status; - status = drs_security_level_check(dce_call, "DsReplicaSync"); + status = drs_security_level_check(dce_call, "DsReplicaSync", SECURITY_DOMAIN_CONTROLLER); if (!W_ERROR_IS_OK(status)) { return status; } @@ -401,7 +401,7 @@ static WERROR dcesrv_drsuapi_DsRemoveDSServer(struct dcesrv_call_state *dce_call *r->out.level_out = 1; - status = drs_security_level_check(dce_call, "DsRemoveDSServer"); + status = drs_security_level_check(dce_call, "DsRemoveDSServer", SECURITY_DOMAIN_CONTROLLER); if (!W_ERROR_IS_OK(status)) { return status; } @@ -726,7 +726,7 @@ static WERROR dcesrv_drsuapi_DsExecuteKCC(struct dcesrv_call_state *dce_call, TA struct drsuapi_DsExecuteKCC *r) { WERROR status; - status = drs_security_level_check(dce_call, "DsExecuteKCC"); + status = drs_security_level_check(dce_call, "DsExecuteKCC", SECURITY_DOMAIN_CONTROLLER); if (!W_ERROR_IS_OK(status)) { return status; @@ -748,7 +748,7 @@ static WERROR dcesrv_drsuapi_DsReplicaGetInfo(struct dcesrv_call_state *dce_call if (!lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "disable_sec_check", false)) { - level = security_session_user_level(dce_call->conn->auth_state.session_info); + level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL); if (level < SECURITY_ADMINISTRATOR) { DEBUG(1,(__location__ ": Administrator access required for DsReplicaGetInfo\n")); security_token_debug(2, dce_call->conn->auth_state.session_info->security_token); diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h index ba6bb21145..3b733deec1 100644 --- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h +++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h @@ -61,8 +61,9 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb, const char * const *attrs, const char *filter); +enum security_user_level; WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, - const char* call); + const char* call, enum security_user_level minimum_level); void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr, struct drsuapi_DsReplicaMetaData *meta_data); diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c index 28ec7bb848..11eff25fab 100644 --- a/source4/rpc_server/drsuapi/drsutil.c +++ b/source4/rpc_server/drsuapi/drsutil.c @@ -101,7 +101,9 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb, return ret; } -WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call) +WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, + const char* call, + enum security_user_level minimum_level) { enum security_user_level level; @@ -110,8 +112,8 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* return WERR_OK; } - level = security_session_user_level(dce_call->conn->auth_state.session_info); - if (level < SECURITY_DOMAIN_CONTROLLER) { + level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL); + if (level < minimum_level) { if (call) { DEBUG(0,("%s refused for security token (level=%u)\n", call, (unsigned)level)); diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c index dd3a3342b5..0403db8f88 100644 --- a/source4/rpc_server/drsuapi/updaterefs.c +++ b/source4/rpc_server/drsuapi/updaterefs.c @@ -23,6 +23,8 @@ #include "rpc_server/dcerpc_server.h" #include "dsdb/samdb/samdb.h" #include "rpc_server/drsuapi/dcesrv_drsuapi.h" +#include "libcli/security/security.h" +#include "auth/session.h" struct repsTo { uint32_t count; @@ -189,11 +191,13 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA struct drsuapi_bind_state *b_state; struct drsuapi_DsReplicaUpdateRefsRequest1 *req; WERROR werr; + int ret; + enum security_user_level security_level; DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE); b_state = h->data; - werr = drs_security_level_check(dce_call, "DsReplicaUpdateRefs"); + werr = drs_security_level_check(dce_call, "DsReplicaUpdateRefs", SECURITY_RO_DOMAIN_CONTROLLER); if (!W_ERROR_IS_OK(werr)) { return werr; } @@ -205,7 +209,20 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA req = &r->in.req.req1; + security_level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL); + if (security_level < SECURITY_ADMINISTRATOR) { + /* check that they are using an invocationId that they own */ + ret = dsdb_validate_invocation_id(b_state->sam_ctx, + &req->dest_dsa_guid, + dce_call->conn->auth_state.session_info->security_token->user_sid); + if (ret != LDB_SUCCESS) { + DEBUG(0,(__location__ ": Refusing DsReplicaUpdateRefs for sid %s with GUID %s\n", + dom_sid_string(mem_ctx, + dce_call->conn->auth_state.session_info->security_token->user_sid), + GUID_string(mem_ctx, &req->dest_dsa_guid))); + return WERR_DS_DRA_ACCESS_DENIED; + } + } + return drsuapi_UpdateRefs(b_state, mem_ctx, req); } - - |