diff options
-rw-r--r-- | source4/libcli/security/security.h | 1 | ||||
-rw-r--r-- | source4/libcli/security/security_token.c | 9 | ||||
-rw-r--r-- | source4/rpc_server/drsuapi/addentry.c | 7 | ||||
-rw-r--r-- | source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 13 | ||||
-rw-r--r-- | source4/rpc_server/drsuapi/getncchanges.c | 49 | ||||
-rw-r--r-- | source4/rpc_server/drsuapi/updaterefs.c | 7 |
6 files changed, 64 insertions, 22 deletions
diff --git a/source4/libcli/security/security.h b/source4/libcli/security/security.h index 6dbbe014e7..3cfa484816 100644 --- a/source4/libcli/security/security.h +++ b/source4/libcli/security/security.h @@ -22,6 +22,7 @@ enum security_user_level { SECURITY_ANONYMOUS, SECURITY_USER, + SECURITY_DOMAIN_CONTROLLER, SECURITY_ADMINISTRATOR, SECURITY_SYSTEM }; diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c index 0764dfeb8f..d3eff93ddb 100644 --- a/source4/libcli/security/security_token.c +++ b/source4/libcli/security/security_token.c @@ -142,6 +142,11 @@ bool security_token_has_nt_authenticated_users(const struct security_token *toke return security_token_has_sid_string(token, SID_NT_AUTHENTICATED_USERS); } +bool security_token_has_enterprise_dcs(const struct security_token *token) +{ + return security_token_has_sid_string(token, SID_NT_ENTERPRISE_DCS); +} + enum security_user_level security_session_user_level(struct auth_session_info *session_info) { if (!session_info) { @@ -160,6 +165,10 @@ enum security_user_level security_session_user_level(struct auth_session_info *s return SECURITY_ADMINISTRATOR; } + if (security_token_has_enterprise_dcs(session_info->security_token)) { + return SECURITY_DOMAIN_CONTROLLER; + } + if (security_token_has_nt_authenticated_users(session_info->security_token)) { return SECURITY_USER; } diff --git a/source4/rpc_server/drsuapi/addentry.c b/source4/rpc_server/drsuapi/addentry.c index ae478027a6..edf46aa5fb 100644 --- a/source4/rpc_server/drsuapi/addentry.c +++ b/source4/rpc_server/drsuapi/addentry.c @@ -30,6 +30,7 @@ #include "librpc/gen_ndr/ndr_drsblobs.h" #include "auth/auth.h" #include "rpc_server/drsuapi/dcesrv_drsuapi.h" +#include "libcli/security/security.h" /* @@ -149,6 +150,12 @@ WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state *dce_call, TALLOC_CTX DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE); b_state = h->data; + if (security_session_user_level(dce_call->conn->auth_state.session_info) < + SECURITY_DOMAIN_CONTROLLER) { + DEBUG(0,("DsAddEntry refused for security token\n")); + return WERR_DS_DRA_ACCESS_DENIED; + } + switch (r->in.level) { case 2: ret = ldb_transaction_start(b_state->sam_ctx); diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c index a5418a1a93..c01711d2d9 100644 --- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c +++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c @@ -30,6 +30,7 @@ #include "librpc/gen_ndr/ndr_drsblobs.h" #include "messaging/irpc.h" #include "rpc_server/drsuapi/dcesrv_drsuapi.h" +#include "libcli/security/security.h" /* drsuapi_DsBind @@ -234,8 +235,10 @@ static WERROR dcesrv_drsuapi_DsReplicaSync(struct dcesrv_call_state *dce_call, T struct server_id *repld; struct irpc_request *ireq; - if (DEBUGLVL(4)) { - NDR_PRINT_IN_DEBUG(drsuapi_DsReplicaSync, r); + if (security_session_user_level(dce_call->conn->auth_state.session_info) < + SECURITY_DOMAIN_CONTROLLER) { + DEBUG(0,("DsReplicaSync refused for security token\n")); + return WERR_DS_DRA_ACCESS_DENIED; } repld = irpc_servers_byname(dce_call->msg_ctx, mem_ctx, "dreplsrv"); @@ -474,6 +477,12 @@ static WERROR dcesrv_drsuapi_DsRemoveDSServer(struct dcesrv_call_state *dce_call ZERO_STRUCT(r->out.res); *r->out.level_out = 1; + if (security_session_user_level(dce_call->conn->auth_state.session_info) < + SECURITY_DOMAIN_CONTROLLER) { + DEBUG(0,("DsRemoveDSServer refused for security token\n")); + return WERR_DS_DRA_ACCESS_DENIED; + } + DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE); b_state = h->data; diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c index a05ddb9a5d..14d4f0d6d1 100644 --- a/source4/rpc_server/drsuapi/getncchanges.c +++ b/source4/rpc_server/drsuapi/getncchanges.c @@ -33,6 +33,7 @@ #include "rpc_server/dcerpc_server_proto.h" #include "../libcli/drsuapi/drsuapi.h" #include "../libcli/security/dom_sid.h" +#include "libcli/security/security.h" /* drsuapi_DsGetNCChanges for one object @@ -278,17 +279,15 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ DATA_BLOB session_key; const char *attrs[] = { "*", "parentGUID", NULL }; WERROR werr; + + *r->out.level_out = 6; + /* TODO: linked attributes*/ + r->out.ctr->ctr6.linked_attributes_count = 0; + r->out.ctr->ctr6.linked_attributes = NULL; - /* - * connect to the samdb. TODO: We need to check that the caller - * has the rights to do this. This exposes all attributes, - * including all passwords. - */ - sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, - system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx)); - if (!sam_ctx) { - return WERR_FOOBAR; - } + r->out.ctr->ctr6.object_count = 0; + r->out.ctr->ctr6.more_data = false; + r->out.ctr->ctr6.uptodateness_vector = NULL; /* Check request revision. */ if (r->in.level != 8) { @@ -305,6 +304,23 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ return WERR_DS_DRA_BAD_NC; } + if (security_session_user_level(dce_call->conn->auth_state.session_info) < + SECURITY_DOMAIN_CONTROLLER) { + DEBUG(0,("getncchanges refused for security token\n")); + return WERR_DS_DRA_ACCESS_DENIED; + } + + /* + * connect to the samdb. TODO: We need to check that the caller + * has the rights to do this. This exposes all attributes, + * including all passwords. + */ + sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, + system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx)); + if (!sam_ctx) { + return WERR_FOOBAR; + } + /* we need the session key for encrypting password attributes */ status = dcesrv_inherited_session_key(dce_call->conn, &session_key); if (!NT_STATUS_IS_OK(status)) { @@ -322,16 +338,6 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ return WERR_DS_DRA_INTERNAL_ERROR; } - *r->out.level_out = 6; - r->out.ctr->ctr6.naming_context = talloc(mem_ctx, struct drsuapi_DsReplicaObjectIdentifier); - *r->out.ctr->ctr6.naming_context = *ncRoot; - /* TODO: linked attributes*/ - r->out.ctr->ctr6.linked_attributes_count = 0; - r->out.ctr->ctr6.linked_attributes = NULL; - - r->out.ctr->ctr6.object_count = 0; - r->out.ctr->ctr6.more_data = false; - r->out.ctr->ctr6.uptodateness_vector = NULL; /* Prefix mapping */ schema = dsdb_get_schema(sam_ctx); @@ -340,6 +346,9 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ return WERR_DS_DRA_INTERNAL_ERROR; } + r->out.ctr->ctr6.naming_context = talloc(mem_ctx, struct drsuapi_DsReplicaObjectIdentifier); + *r->out.ctr->ctr6.naming_context = *ncRoot; + dsdb_get_oid_mappings_drsuapi(schema, true, mem_ctx, &ctr); r->out.ctr->ctr6.mapping_ctr = *ctr; diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c index 45244c7801..34ff0caa14 100644 --- a/source4/rpc_server/drsuapi/updaterefs.c +++ b/source4/rpc_server/drsuapi/updaterefs.c @@ -29,6 +29,7 @@ #include "librpc/gen_ndr/ndr_drsblobs.h" #include "auth/auth.h" #include "rpc_server/drsuapi/dcesrv_drsuapi.h" +#include "libcli/security/security.h" struct repsTo { uint32_t count; @@ -109,6 +110,12 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA WERROR werr; struct ldb_dn *dn; + if (security_session_user_level(dce_call->conn->auth_state.session_info) < + SECURITY_DOMAIN_CONTROLLER) { + DEBUG(0,("DsReplicaUpdateRefs refused for security token\n")); + return WERR_DS_DRA_ACCESS_DENIED; + } + if (r->in.level != 1) { DEBUG(0,("DrReplicUpdateRefs - unsupported level %u\n", r->in.level)); return WERR_DS_DRA_INVALID_PARAMETER; |