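/*
   Unix SMB/CIFS implementation.

   useful utilities for the DRS server

   Copyright (C) Andrew Tridgell 2009

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"
#include "rpc_server/dcerpc_server.h"
#include "dsdb/samdb/samdb.h"
#include "libcli/security/dom_sid.h"
#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
#include "libcli/security/security.h"
#include "param/param.h"

/*
  format a drsuapi_DsReplicaObjectIdentifier naming context as a string

  The result has the form "<GUID=...>;<SID=...>;<dn>" and is allocated
  on mem_ctx; the caller owns it.  The temporary GUID and SID strings
  are released before returning.  Returns NULL if either temporary
  string or the final string could not be allocated (previously a
  NULL temporary was passed straight to "%s").
 */
char *drs_ObjectIdentifier_to_string(TALLOC_CTX *mem_ctx,
				     struct drsuapi_DsReplicaObjectIdentifier *nc)
{
	char *guid = GUID_string(mem_ctx, &nc->guid);
	char *sid = dom_sid_string(mem_ctx, &nc->sid);
	char *ret = NULL;

	if (guid != NULL && sid != NULL) {
		ret = talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
				      guid, sid, nc->dn);
	}
	/* talloc_free(NULL) is a no-op, so both may be freed unconditionally */
	talloc_free(guid);
	talloc_free(sid);
	return ret;
}

/*
  run an ldb search with the EXTENDED_DN and SHOW_DELETED controls
  attached.  If sort_attrib is non-NULL a SERVER_SORT control is added
  asking for a reverse (descending) ordering on that attribute.

  Every intermediate allocation hangs off a temporary context so that
  any failure releases all of it in one talloc_free().  Once the request
  has been issued, *_res is stolen onto mem_ctx and handed to the caller
  regardless of the request's outcome (matching the original behaviour);
  on failures before that point *_res is left untouched.

  Returns an LDB error code (LDB_SUCCESS on success).
 */
int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
				    TALLOC_CTX *mem_ctx,
				    struct ldb_result **_res,
				    struct ldb_dn *basedn,
				    enum ldb_scope scope,
				    const char * const *attrs,
				    const char *sort_attrib,
				    const char *filter)
{
	int ret;
	struct ldb_request *req;
	TALLOC_CTX *tmp_ctx;
	struct ldb_result *res;

	tmp_ctx = talloc_new(mem_ctx);
	if (tmp_ctx == NULL) {
		return LDB_ERR_OPERATIONS_ERROR;
	}

	res = talloc_zero(tmp_ctx, struct ldb_result);
	if (res == NULL) {
		talloc_free(tmp_ctx);
		return LDB_ERR_OPERATIONS_ERROR;
	}

	ret = ldb_build_search_req(&req, ldb, tmp_ctx,
				   basedn,
				   scope,
				   filter,
				   attrs,
				   NULL,
				   res,
				   ldb_search_default_callback,
				   NULL);
	if (ret != LDB_SUCCESS) {
		talloc_free(tmp_ctx);
		return ret;
	}

	/* req is a child of tmp_ctx, so the error paths below release it too
	 * (the original returned without freeing tmp_ctx on these paths) */
	ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, true, NULL);
	if (ret != LDB_SUCCESS) {
		talloc_free(tmp_ctx);
		return ret;
	}

	ret = ldb_request_add_control(req, LDB_CONTROL_SHOW_DELETED_OID, true, NULL);
	if (ret != LDB_SUCCESS) {
		talloc_free(tmp_ctx);
		return ret;
	}

	if (sort_attrib) {
		struct ldb_server_sort_control **sort_control;

		/* NULL-terminated array of one sort control */
		sort_control = talloc_array(req, struct ldb_server_sort_control *, 2);
		if (sort_control == NULL) {
			talloc_free(tmp_ctx);
			return LDB_ERR_OPERATIONS_ERROR;
		}
		sort_control[0] = talloc(req, struct ldb_server_sort_control);
		if (sort_control[0] == NULL) {
			talloc_free(tmp_ctx);
			return LDB_ERR_OPERATIONS_ERROR;
		}
		sort_control[0]->attributeName = sort_attrib;
		sort_control[0]->orderingRule = NULL;
		sort_control[0]->reverse = 1;
		sort_control[1] = NULL;

		ret = ldb_request_add_control(req, LDB_CONTROL_SERVER_SORT_OID, true, sort_control);
		if (ret != LDB_SUCCESS) {
			talloc_free(tmp_ctx);
			return ret;
		}
	}

	ret = ldb_request(ldb, req);
	if (ret == LDB_SUCCESS) {
		ret = ldb_wait(req->handle, LDB_WAIT_ALL);
	}

	/* hand the result to the caller, then drop the request and the
	 * now-empty temporary context */
	*_res = talloc_steal(mem_ctx, res);
	talloc_free(tmp_ctx);
	return ret;
}

/*
  check that the caller of a DRS operation has at least
  SECURITY_DOMAIN_CONTROLLER level on its session.

  `call` names the DRS operation and is used in the refusal log message
  (the original always logged "DsReplicaGetInfo" regardless of `call`).

  The smb.conf parameter "drs:disable_sec_check" makes this function
  return WERR_OK without looking at the session at all.
  NOTE(review): that knob disables the DC-level check for every DRS
  operation that relies on this function; presumably intended for test
  setups only — confirm it is not set on production DCs.

  Returns WERR_OK when access is allowed, WERR_DS_DRA_ACCESS_DENIED
  otherwise.
 */
WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call)
{
	if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
			 "drs", "disable_sec_check", false)) {
		return WERR_OK;
	}

	if (security_session_user_level(dce_call->conn->auth_state.session_info) <
	    SECURITY_DOMAIN_CONTROLLER) {
		DEBUG(0,("%s refused for security token\n", call));
		return WERR_DS_DRA_ACCESS_DENIED;
	}

	return WERR_OK;
}

/*
  blank out the values of secret attributes in a replicated attribute.

  For the password hashes, password histories, supplemental credentials,
  prior/current values and the trust / initial-auth secrets listed in
  the switch, the value array is freed, num_values is reset to 0 and
  meta_data->originating_change_time is cleared.  Any other attribute,
  and any attribute that already has no values, is left untouched.
  When this is applied (and to which callers) is decided by the caller,
  not here.
 */
void drsuapi_process_secret_attribute(struct drsuapi_DsReplicaAttribute *attr,
				      struct drsuapi_DsReplicaMetaData *meta_data)
{
	if (attr->value_ctr.num_values == 0) {
		return;
	}

	switch (attr->attid) {
	case DRSUAPI_ATTRIBUTE_dBCSPwd:
	case DRSUAPI_ATTRIBUTE_unicodePwd:
	case DRSUAPI_ATTRIBUTE_ntPwdHistory:
	case DRSUAPI_ATTRIBUTE_lmPwdHistory:
	case DRSUAPI_ATTRIBUTE_supplementalCredentials:
	case DRSUAPI_ATTRIBUTE_priorValue:
	case DRSUAPI_ATTRIBUTE_currentValue:
	case DRSUAPI_ATTRIBUTE_trustAuthOutgoing:
	case DRSUAPI_ATTRIBUTE_trustAuthIncoming:
	case DRSUAPI_ATTRIBUTE_initialAuthOutgoing:
	case DRSUAPI_ATTRIBUTE_initialAuthIncoming:
		/* set value to null */
		attr->value_ctr.num_values = 0;
		talloc_free(attr->value_ctr.values);
		attr->value_ctr.values = NULL;
		meta_data->originating_change_time = 0;
		return;
	default:
		return;
	}
}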