From bb1ba4ff76eb90d0d62dd3edbe288f45cf7a0a1e Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Thu, 22 Apr 2010 16:48:01 +1000
Subject: s4-drs: added new SECURITY_RO_DOMAIN_CONTROLLER level

This is used for allowing operations by RODCs, and denying them
operations that should only be allowed for a full DC

This required a new domain_sid argument to
security_session_user_level()

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
---
 source4/rpc_server/drsuapi/addentry.c       |  4 ++--
 source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 10 +++++-----
 source4/rpc_server/drsuapi/dcesrv_drsuapi.h |  3 ++-
 source4/rpc_server/drsuapi/drsutil.c        |  8 +++++---
 source4/rpc_server/drsuapi/updaterefs.c     | 23 ++++++++++++++++++++---
 5 files changed, 34 insertions(+), 14 deletions(-)

(limited to 'source4/rpc_server/drsuapi')

diff --git a/source4/rpc_server/drsuapi/addentry.c b/source4/rpc_server/drsuapi/addentry.c
index cfddd80fe4..e87c940597 100644
--- a/source4/rpc_server/drsuapi/addentry.c
+++ b/source4/rpc_server/drsuapi/addentry.c
@@ -27,7 +27,7 @@
 #include "param/param.h"
 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
 #include "librpc/gen_ndr/ndr_drsuapi.h"
-
+#include "libcli/security/security.h"
 
 /*
   add special SPNs needed for DRS replication to machine accounts when
@@ -171,7 +171,7 @@ WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state *dce_call, TALLOC_CTX
 	DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
 	b_state = h->data;
 
-	status = drs_security_level_check(dce_call, "DsAddEntry");
+	status = drs_security_level_check(dce_call, "DsAddEntry", SECURITY_DOMAIN_CONTROLLER);
 	if (!W_ERROR_IS_OK(status)) {
 		return status;
 	}
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
index 270c716d46..5d3c513f3f 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
@@ -65,7 +65,7 @@ static WERROR dcesrv_drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_C
 	W_ERROR_HAVE_NO_MEMORY(b_state);
 
 	/* if this is a DC connecting, give them system level access */
-	werr = drs_security_level_check(dce_call, NULL);
+	werr = drs_security_level_check(dce_call, NULL, SECURITY_DOMAIN_CONTROLLER);
 	if (W_ERROR_IS_OK(werr)) {
 		DEBUG(3,(__location__ ": doing DsBind with system_session\n"));
 		auth_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
@@ -247,7 +247,7 @@ static WERROR dcesrv_drsuapi_DsReplicaSync(struct dcesrv_call_state *dce_call, T
 {
 	WERROR status;
 
-	status = drs_security_level_check(dce_call, "DsReplicaSync");
+	status = drs_security_level_check(dce_call, "DsReplicaSync", SECURITY_DOMAIN_CONTROLLER);
 	if (!W_ERROR_IS_OK(status)) {
 		return status;
 	}
@@ -401,7 +401,7 @@ static WERROR dcesrv_drsuapi_DsRemoveDSServer(struct dcesrv_call_state *dce_call
 
 	*r->out.level_out = 1;
 
-	status = drs_security_level_check(dce_call, "DsRemoveDSServer");
+	status = drs_security_level_check(dce_call, "DsRemoveDSServer", SECURITY_DOMAIN_CONTROLLER);
 	if (!W_ERROR_IS_OK(status)) {
 		return status;
 	}
@@ -726,7 +726,7 @@ static WERROR dcesrv_drsuapi_DsExecuteKCC(struct dcesrv_call_state *dce_call, TA
 				  struct drsuapi_DsExecuteKCC *r)
 {
 	WERROR status;
-	status = drs_security_level_check(dce_call, "DsExecuteKCC");
+	status = drs_security_level_check(dce_call, "DsExecuteKCC", SECURITY_DOMAIN_CONTROLLER);
 
 	if (!W_ERROR_IS_OK(status)) {
 		return status;
@@ -748,7 +748,7 @@ static WERROR dcesrv_drsuapi_DsReplicaGetInfo(struct dcesrv_call_state *dce_call
 
 	if (!lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
 			 "drs", "disable_sec_check", false)) {
-		level = security_session_user_level(dce_call->conn->auth_state.session_info);
+		level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
 		if (level < SECURITY_ADMINISTRATOR) {
 			DEBUG(1,(__location__ ": Administrator access required for DsReplicaGetInfo\n"));
 			security_token_debug(2, dce_call->conn->auth_state.session_info->security_token);
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
index ba6bb21145..3b733deec1 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.h
@@ -61,8 +61,9 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
 				    const char * const *attrs,
 				    const char *filter);
 
+enum security_user_level;
 WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
-				const char* call);
+				const char* call, enum security_user_level minimum_level);
 
 void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
 				      struct drsuapi_DsReplicaMetaData *meta_data);
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index 28ec7bb848..11eff25fab 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -101,7 +101,9 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
 	return ret;
 }
 
-WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call)
+WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
+				const char* call,
+				enum security_user_level minimum_level)
 {
 	enum security_user_level level;
 
@@ -110,8 +112,8 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char*
 		return WERR_OK;
 	}
 
-	level = security_session_user_level(dce_call->conn->auth_state.session_info);
-	if (level < SECURITY_DOMAIN_CONTROLLER) {
+	level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
+	if (level < minimum_level) {
 		if (call) {
 			DEBUG(0,("%s refused for security token (level=%u)\n",
 				 call, (unsigned)level));
diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c
index dd3a3342b5..0403db8f88 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -23,6 +23,8 @@
 #include "rpc_server/dcerpc_server.h"
 #include "dsdb/samdb/samdb.h"
 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "libcli/security/security.h"
+#include "auth/session.h"
 
 struct repsTo {
 	uint32_t count;
@@ -189,11 +191,13 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
 	struct drsuapi_bind_state *b_state;
 	struct drsuapi_DsReplicaUpdateRefsRequest1 *req;
 	WERROR werr;
+	int ret;
+	enum security_user_level security_level;
 
 	DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
 	b_state = h->data;
 
-	werr = drs_security_level_check(dce_call, "DsReplicaUpdateRefs");
+	werr = drs_security_level_check(dce_call, "DsReplicaUpdateRefs", SECURITY_RO_DOMAIN_CONTROLLER);
 	if (!W_ERROR_IS_OK(werr)) {
 		return werr;
 	}
@@ -205,7 +209,20 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
 
 	req = &r->in.req.req1;
 
+	security_level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
+	if (security_level < SECURITY_ADMINISTRATOR) {
+		/* check that they are using an invocationId that they own */
+		ret = dsdb_validate_invocation_id(b_state->sam_ctx,
+						  &req->dest_dsa_guid,
+						  dce_call->conn->auth_state.session_info->security_token->user_sid);
+		if (ret != LDB_SUCCESS) {
+			DEBUG(0,(__location__ ": Refusing DsReplicaUpdateRefs for sid %s with GUID %s\n",
+				 dom_sid_string(mem_ctx,
+						dce_call->conn->auth_state.session_info->security_token->user_sid),
+				 GUID_string(mem_ctx, &req->dest_dsa_guid)));
+			return WERR_DS_DRA_ACCESS_DENIED;
+		}
+	}
+
 	return drsuapi_UpdateRefs(b_state, mem_ctx, req);
 }
-
-
-- 
cgit