search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3/torture: local_rbtree: avoid birthday collisions
[samba4-gss.git] / source4 / rpc_server / drsuapi / writespn.c
blobac9199946c834376caac52450f078ebabe1856b2
1 /*
2 Unix SMB/CIFS implementation.
3
4 implement the DsWriteAccountSpn call
5
6 Copyright (C) Stefan Metzmacher 2009
7 Copyright (C) Andrew Tridgell 2010
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "rpc_server/dcerpc_server.h"
25 #include "dsdb/samdb/samdb.h"
26 #include "dsdb/common/util.h"
27 #include "system/kerberos.h"
28 #include "auth/kerberos/kerberos.h"
29 #include "libcli/security/security.h"
30 #include "libcli/security/session.h"
31 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
32 #include "librpc/gen_ndr/ndr_drsuapi.h"
33 #include "auth/session.h"
34
35 #undef DBGC_CLASS
36 #define DBGC_CLASS DBGC_DRS_REPL
37
38 #undef strcasecmp
39
40 /*
41 check that the SPN update should be allowed as an override
42 via sam_ctx_system
43
44 This is only called if the client is not a domain controller or
45 administrator
46 */
47 static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
48 struct dcesrv_call_state *dce_call,
49 struct ldb_dn *dn,
50 const char *spn)
51 {
52 /*
53 * we only allow SPN updates if:
54 *
55 * 1) they are on the clients own account object
56 * 2) they are of the form SERVICE/dnshostname
57 */
58 struct auth_session_info *session_info =
59 dcesrv_call_session_info(dce_call);
60 struct dom_sid *user_sid, *sid;
61 TALLOC_CTX *tmp_ctx = talloc_new(dce_call);
62 struct ldb_result *res;
63 const char *attrs[] = { "objectSID", "dNSHostName", NULL };
64 int ret;
65 krb5_context krb_ctx;
66 krb5_error_code kerr;
67 krb5_principal principal;
68 krb5_data component;
69 const char *dns_name, *dnsHostName;
70
71 /* The service principal name shouldn't be NULL */
72 if (spn == NULL) {
73 talloc_free(tmp_ctx);
74 return false;
75 }
76
77 /*
78 get the objectSid of the DN that is being modified, and
79 check it matches the user_sid in their token
80 */
81
82 ret = dsdb_search_dn(b_state->sam_ctx, tmp_ctx, &res, dn, attrs,
83 DSDB_SEARCH_ONE_ONLY);
84 if (ret != LDB_SUCCESS) {
85 talloc_free(tmp_ctx);
86 return false;
87 }
88
89 user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
90 sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
91 if (sid == NULL) {
92 talloc_free(tmp_ctx);
93 return false;
94 }
95
96 dnsHostName = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName",
97 NULL);
98 if (dnsHostName == NULL) {
99 talloc_free(tmp_ctx);
100 return false;
101 }
102
103 if (!dom_sid_equal(sid, user_sid)) {
104 talloc_free(tmp_ctx);
105 return false;
106 }
107
108 kerr = smb_krb5_init_context_basic(tmp_ctx,
109 dce_call->conn->dce_ctx->lp_ctx,
110 &krb_ctx);
111 if (kerr != 0) {
112 talloc_free(tmp_ctx);
113 return false;
114 }
115
116 kerr = krb5_parse_name_flags(krb_ctx, spn, KRB5_PRINCIPAL_PARSE_NO_REALM,
117 &principal);
118 if (kerr != 0) {
119 krb5_free_context(krb_ctx);
120 talloc_free(tmp_ctx);
121 return false;
122 }
123
124 if (krb5_princ_size(krb_ctx, principal) != 2) {
125 krb5_free_principal(krb_ctx, principal);
126 krb5_free_context(krb_ctx);
127 talloc_free(tmp_ctx);
128 return false;
129 }
130
131 kerr = smb_krb5_princ_component(krb_ctx, principal, 1, &component);
132 if (kerr) {
133 krb5_free_principal(krb_ctx, principal);
134 krb5_free_context(krb_ctx);
135 talloc_free(tmp_ctx);
136 return false;
137 }
138 dns_name = (const char *)component.data;
139
140 if (strcasecmp(dns_name, dnsHostName) != 0) {
141 krb5_free_principal(krb_ctx, principal);
142 krb5_free_context(krb_ctx);
143 talloc_free(tmp_ctx);
144 return false;
145 }
146
147 /* its a simple update on their own account - allow it with
148 * permissions override */
149 krb5_free_principal(krb_ctx, principal);
150 krb5_free_context(krb_ctx);
151 talloc_free(tmp_ctx);
152
153 return true;
154 }
155
156 /*
157 drsuapi_DsWriteAccountSpn
158 */
159 WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
160 struct drsuapi_DsWriteAccountSpn *r)
161 {
162 struct drsuapi_bind_state *b_state;
163 struct dcesrv_handle *h;
164
165 *r->out.level_out = r->in.level;
166
167 DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
168 b_state = h->data;
169
170 r->out.res = talloc(mem_ctx, union drsuapi_DsWriteAccountSpnResult);
171 W_ERROR_HAVE_NO_MEMORY(r->out.res);
172
173 switch (r->in.level) {
174 case 1: {
175 struct drsuapi_DsWriteAccountSpnRequest1 *req;
176 struct ldb_message *msg;
177 uint32_t count;
178 unsigned int i;
179 int ret;
180 unsigned spn_count=0;
181 bool passed_checks = true;
182 struct ldb_context *sam_ctx;
183
184 req = &r->in.req->req1;
185 count = req->count;
186
187 msg = ldb_msg_new(mem_ctx);
188 if (msg == NULL) {
189 return WERR_NOT_ENOUGH_MEMORY;
190 }
191
192 msg->dn = ldb_dn_new(msg, b_state->sam_ctx,
193 req->object_dn);
194 if ( ! ldb_dn_validate(msg->dn)) {
195 r->out.res->res1.status = WERR_OK;
196 return WERR_OK;
197 }
198
199 /* construct mods */
200 for (i = 0; i < count; i++) {
201 if (!writespn_check_spn(b_state,
202 dce_call,
203 msg->dn,
204 req->spn_names[i].str)) {
205 passed_checks = false;
206 }
207 ret = ldb_msg_add_string(msg,
208 "servicePrincipalName",
209 req->spn_names[i].str);
210 if (ret != LDB_SUCCESS) {
211 return WERR_NOT_ENOUGH_MEMORY;
212 }
213 spn_count++;
214 }
215
216 if (msg->num_elements == 0) {
217 DEBUG(2,("No SPNs need changing on %s\n",
218 ldb_dn_get_linearized(msg->dn)));
219 r->out.res->res1.status = WERR_OK;
220 return WERR_OK;
221 }
222
223 for (i=0;i<msg->num_elements;i++) {
224 switch (req->operation) {
225 case DRSUAPI_DS_SPN_OPERATION_ADD:
226 msg->elements[i].flags = LDB_FLAG_MOD_ADD;
227 break;
228 case DRSUAPI_DS_SPN_OPERATION_REPLACE:
229 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
230 break;
231 case DRSUAPI_DS_SPN_OPERATION_DELETE:
232 msg->elements[i].flags = LDB_FLAG_MOD_DELETE;
233 break;
234 }
235 }
236
237 if (passed_checks && b_state->sam_ctx_system) {
238 sam_ctx = b_state->sam_ctx_system;
239 } else {
240 sam_ctx = b_state->sam_ctx;
241 }
242
243 /* Apply to database */
244 ret = dsdb_modify(sam_ctx, msg, DSDB_MODIFY_PERMISSIVE);
245 if (ret != LDB_SUCCESS) {
246 DEBUG(0,("Failed to modify SPNs on %s: %s\n",
247 ldb_dn_get_linearized(msg->dn),
248 ldb_errstring(b_state->sam_ctx)));
249 NDR_PRINT_IN_DEBUG(
250 drsuapi_DsWriteAccountSpn, r);
251 r->out.res->res1.status = WERR_ACCESS_DENIED;
252 } else {
253 DEBUG(2,("Modified %u SPNs on %s\n", spn_count,
254 ldb_dn_get_linearized(msg->dn)));
255 r->out.res->res1.status = WERR_OK;
256 }
257
258 return WERR_OK;
259 }
260 }
261
262 return WERR_INVALID_LEVEL;
263 }
GSS-enabled samba4