The branch, master has been updated
via 5d2dfd12cf779c410e041a1815e5e3edf0ea38d8 (commit)
via 7ded0741d9d5a4c2859769e4abfbc197aed0e5e1 (commit)
from 10e25fc5e90e9eaabedc2f3477ac1e8947c88c77 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 5d2dfd12cf779c410e041a1815e5e3edf0ea38d8
Author: Andrew Tridgell <tri...@samba.org>
Date: Tue Sep 15 19:26:33 2009 -0700
s4-drs: lock down key DRS calls
The key DRS calls should only be allowed by administrators or domain
controllers
commit 7ded0741d9d5a4c2859769e4abfbc197aed0e5e1
Author: Andrew Tridgell <tri...@samba.org>
Date: Tue Sep 15 19:25:45 2009 -0700
s4-security: added a new security level SECURITY_DOMAIN_CONTROLLER
This will be used as a simple way to lock down DRS replication to
administrators and domain controllers
-----------------------------------------------------------------------
Summary of changes:
source4/libcli/security/security.h | 1 +
source4/libcli/security/security_token.c | 9 +++++
source4/rpc_server/drsuapi/addentry.c | 7 ++++
source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 13 ++++++-
source4/rpc_server/drsuapi/getncchanges.c | 49 ++++++++++++++++-----------
source4/rpc_server/drsuapi/updaterefs.c | 7 ++++
6 files changed, 64 insertions(+), 22 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/libcli/security/security.h
b/source4/libcli/security/security.h
index 6dbbe01..3cfa484 100644
--- a/source4/libcli/security/security.h
+++ b/source4/libcli/security/security.h
@@ -22,6 +22,7 @@
enum security_user_level {
SECURITY_ANONYMOUS,
SECURITY_USER,
+ SECURITY_DOMAIN_CONTROLLER,
SECURITY_ADMINISTRATOR,
SECURITY_SYSTEM
};
diff --git a/source4/libcli/security/security_token.c
b/source4/libcli/security/security_token.c
index 0764dfe..d3eff93 100644
--- a/source4/libcli/security/security_token.c
+++ b/source4/libcli/security/security_token.c
@@ -142,6 +142,11 @@ bool security_token_has_nt_authenticated_users(const
struct security_token *toke
return security_token_has_sid_string(token, SID_NT_AUTHENTICATED_USERS);
}
+bool security_token_has_enterprise_dcs(const struct security_token *token)
+{
+ return security_token_has_sid_string(token, SID_NT_ENTERPRISE_DCS);
+}
+
enum security_user_level security_session_user_level(struct auth_session_info
*session_info)
{
if (!session_info) {
@@ -160,6 +165,10 @@ enum security_user_level
security_session_user_level(struct auth_session_info *s
return SECURITY_ADMINISTRATOR;
}
+ if (security_token_has_enterprise_dcs(session_info->security_token)) {
+ return SECURITY_DOMAIN_CONTROLLER;
+ }
+
if
(security_token_has_nt_authenticated_users(session_info->security_token)) {
return SECURITY_USER;
}
diff --git a/source4/rpc_server/drsuapi/addentry.c
b/source4/rpc_server/drsuapi/addentry.c
index ae47802..edf46aa 100644
--- a/source4/rpc_server/drsuapi/addentry.c
+++ b/source4/rpc_server/drsuapi/addentry.c
@@ -30,6 +30,7 @@
#include "librpc/gen_ndr/ndr_drsblobs.h"
#include "auth/auth.h"
#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "libcli/security/security.h"
/*
@@ -149,6 +150,12 @@ WERROR dcesrv_drsuapi_DsAddEntry(struct dcesrv_call_state
*dce_call, TALLOC_CTX
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
b_state = h->data;
+ if
(security_session_user_level(dce_call->conn->auth_state.session_info) <
+ SECURITY_DOMAIN_CONTROLLER) {
+ DEBUG(0,("DsAddEntry refused for security token\n"));
+ return WERR_DS_DRA_ACCESS_DENIED;
+ }
+
switch (r->in.level) {
case 2:
ret = ldb_transaction_start(b_state->sam_ctx);
diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
index a5418a1..c01711d 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
@@ -30,6 +30,7 @@
#include "librpc/gen_ndr/ndr_drsblobs.h"
#include "messaging/irpc.h"
#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "libcli/security/security.h"
/*
drsuapi_DsBind
@@ -234,8 +235,10 @@ static WERROR dcesrv_drsuapi_DsReplicaSync(struct
dcesrv_call_state *dce_call, T
struct server_id *repld;
struct irpc_request *ireq;
- if (DEBUGLVL(4)) {
- NDR_PRINT_IN_DEBUG(drsuapi_DsReplicaSync, r);
+ if
(security_session_user_level(dce_call->conn->auth_state.session_info) <
+ SECURITY_DOMAIN_CONTROLLER) {
+ DEBUG(0,("DsReplicaSync refused for security token\n"));
+ return WERR_DS_DRA_ACCESS_DENIED;
}
repld = irpc_servers_byname(dce_call->msg_ctx, mem_ctx, "dreplsrv");
@@ -474,6 +477,12 @@ static WERROR dcesrv_drsuapi_DsRemoveDSServer(struct
dcesrv_call_state *dce_call
ZERO_STRUCT(r->out.res);
*r->out.level_out = 1;
+ if
(security_session_user_level(dce_call->conn->auth_state.session_info) <
+ SECURITY_DOMAIN_CONTROLLER) {
+ DEBUG(0,("DsRemoveDSServer refused for security token\n"));
+ return WERR_DS_DRA_ACCESS_DENIED;
+ }
+
DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
b_state = h->data;
diff --git a/source4/rpc_server/drsuapi/getncchanges.c
b/source4/rpc_server/drsuapi/getncchanges.c
index a05ddb9..14d4f0d 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -33,6 +33,7 @@
#include "rpc_server/dcerpc_server_proto.h"
#include "../libcli/drsuapi/drsuapi.h"
#include "../libcli/security/dom_sid.h"
+#include "libcli/security/security.h"
/*
drsuapi_DsGetNCChanges for one object
@@ -278,17 +279,15 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct
dcesrv_call_state *dce_call, TALLOC_
DATA_BLOB session_key;
const char *attrs[] = { "*", "parentGUID", NULL };
WERROR werr;
+
+ *r->out.level_out = 6;
+ /* TODO: linked attributes*/
+ r->out.ctr->ctr6.linked_attributes_count = 0;
+ r->out.ctr->ctr6.linked_attributes = NULL;
- /*
- * connect to the samdb. TODO: We need to check that the caller
- * has the rights to do this. This exposes all attributes,
- * including all passwords.
- */
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
dce_call->conn->dce_ctx->lp_ctx,
- system_session(mem_ctx,
dce_call->conn->dce_ctx->lp_ctx));
- if (!sam_ctx) {
- return WERR_FOOBAR;
- }
+ r->out.ctr->ctr6.object_count = 0;
+ r->out.ctr->ctr6.more_data = false;
+ r->out.ctr->ctr6.uptodateness_vector = NULL;
/* Check request revision. */
if (r->in.level != 8) {
@@ -305,6 +304,23 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct
dcesrv_call_state *dce_call, TALLOC_
return WERR_DS_DRA_BAD_NC;
}
+ if
(security_session_user_level(dce_call->conn->auth_state.session_info) <
+ SECURITY_DOMAIN_CONTROLLER) {
+ DEBUG(0,("getncchanges refused for security token\n"));
+ return WERR_DS_DRA_ACCESS_DENIED;
+ }
+
+ /*
+ * connect to the samdb. TODO: We need to check that the caller
+ * has the rights to do this. This exposes all attributes,
+ * including all passwords.
+ */
+ sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
dce_call->conn->dce_ctx->lp_ctx,
+ system_session(mem_ctx,
dce_call->conn->dce_ctx->lp_ctx));
+ if (!sam_ctx) {
+ return WERR_FOOBAR;
+ }
+
/* we need the session key for encrypting password attributes */
status = dcesrv_inherited_session_key(dce_call->conn, &session_key);
if (!NT_STATUS_IS_OK(status)) {
@@ -322,16 +338,6 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct
dcesrv_call_state *dce_call, TALLOC_
return WERR_DS_DRA_INTERNAL_ERROR;
}
- *r->out.level_out = 6;
- r->out.ctr->ctr6.naming_context = talloc(mem_ctx, struct
drsuapi_DsReplicaObjectIdentifier);
- *r->out.ctr->ctr6.naming_context = *ncRoot;
- /* TODO: linked attributes*/
- r->out.ctr->ctr6.linked_attributes_count = 0;
- r->out.ctr->ctr6.linked_attributes = NULL;
-
- r->out.ctr->ctr6.object_count = 0;
- r->out.ctr->ctr6.more_data = false;
- r->out.ctr->ctr6.uptodateness_vector = NULL;
/* Prefix mapping */
schema = dsdb_get_schema(sam_ctx);
@@ -340,6 +346,9 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct
dcesrv_call_state *dce_call, TALLOC_
return WERR_DS_DRA_INTERNAL_ERROR;
}
+ r->out.ctr->ctr6.naming_context = talloc(mem_ctx, struct
drsuapi_DsReplicaObjectIdentifier);
+ *r->out.ctr->ctr6.naming_context = *ncRoot;
+
dsdb_get_oid_mappings_drsuapi(schema, true, mem_ctx, &ctr);
r->out.ctr->ctr6.mapping_ctr = *ctr;
diff --git a/source4/rpc_server/drsuapi/updaterefs.c
b/source4/rpc_server/drsuapi/updaterefs.c
index 45244c7..34ff0ca 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -29,6 +29,7 @@
#include "librpc/gen_ndr/ndr_drsblobs.h"
#include "auth/auth.h"
#include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "libcli/security/security.h"
struct repsTo {
uint32_t count;
@@ -109,6 +110,12 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct
dcesrv_call_state *dce_call, TA
WERROR werr;
struct ldb_dn *dn;
+ if
(security_session_user_level(dce_call->conn->auth_state.session_info) <
+ SECURITY_DOMAIN_CONTROLLER) {
+ DEBUG(0,("DsReplicaUpdateRefs refused for security token\n"));
+ return WERR_DS_DRA_ACCESS_DENIED;
+ }
+
if (r->in.level != 1) {
DEBUG(0,("DrReplicUpdateRefs - unsupported level %u\n",
r->in.level));
return WERR_DS_DRA_INVALID_PARAMETER;
--
Samba Shared Repository
