source4/dsdb/repl/drepl_secret.c

   1 /*
   2    Unix SMB/CIFS Implementation.
   3
   4    DSDB replication service - repl secret handling
   5
   6    Copyright (C) Andrew Tridgell 2010
   7    Copyright (C) Andrew Bartlett 2010
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21
  22 */
  23
  24 #include "includes.h"
  25 #include "ldb_module.h"
  26 #include "dsdb/samdb/samdb.h"
  27 #include "samba/service.h"
  28 #include "dsdb/repl/drepl_service.h"
  29 #include "param/param.h"
  30
  31 #undef DBGC_CLASS
  32 #define DBGC_CLASS            DBGC_DRS_REPL
  33
  34 struct repl_secret_state {
  35         const char *user_dn;
  36 };
  37
  38 /*
  39   called when a repl secret has completed
  40  */
  41 static void drepl_repl_secret_callback(struct dreplsrv_service *service,
  42                                        WERROR werr,
  43                                        enum drsuapi_DsExtendedError ext_err,
  44                                        void *cb_data)
  45 {
  46         struct repl_secret_state *state = talloc_get_type_abort(cb_data, struct repl_secret_state);
  47         if (!W_ERROR_IS_OK(werr)) {
  48                 if (W_ERROR_EQUAL(werr, WERR_DS_DRA_SECRETS_DENIED)) {
  49                         DEBUG(3,(__location__ ": repl secret disallowed for user "
  50                                  "%s - not in allowed replication group\n",
  51                                  state->user_dn));
  52                 } else {
  53                         DEBUG(3,(__location__ ": repl secret failed for user %s - %s: extended_ret[0x%X]\n",
  54                                  state->user_dn, win_errstr(werr), ext_err));
  55                 }
  56         } else {
  57                 DEBUG(3,(__location__ ": repl secret completed OK for '%s'\n", state->user_dn));
  58         }
  59         talloc_free(state);
  60 }
  61
  62
  63 /**
  64  * Called when the auth code wants us to try and replicate
  65  * a users secrets
  66  */
  67 void drepl_repl_secret(struct dreplsrv_service *service,
  68                        const char *user_dn)
  69 {
  70         WERROR werr;
  71         struct ldb_dn *nc_dn, *nc_root, *source_dsa_dn;
  72         struct dreplsrv_partition *p;
  73         struct GUID *source_dsa_guid;
  74         struct repl_secret_state *state;
  75         int ret;
  76
  77         state = talloc_zero(service, struct repl_secret_state);
  78         if (state == NULL) {
  79                 /* nothing to do, no return value */
  80                 return;
  81         }
  82
  83         /* keep a copy for logging in the callback */
  84         state->user_dn = talloc_strdup(state, user_dn);
  85
  86         nc_dn = ldb_dn_new(state, service->samdb, user_dn);
  87         if (!ldb_dn_validate(nc_dn)) {
  88                 DEBUG(0,(__location__ ": Failed to parse user_dn '%s'\n", user_dn));
  89                 talloc_free(state);
  90                 return;
  91         }
  92
  93         /* work out which partition this is in */
  94         ret = dsdb_find_nc_root(service->samdb, state, nc_dn, &nc_root);
  95         if (ret != LDB_SUCCESS) {
  96                 DEBUG(0,(__location__ ": Failed to find nc_root for user_dn '%s'\n", user_dn));
  97                 talloc_free(state);
  98                 return;
  99         }
 100
 101         /* find the partition in our list */
 102         for (p=service->partitions; p; p=p->next) {
 103                 if (ldb_dn_compare(p->dn, nc_root) == 0) {
 104                         break;
 105                 }
 106         }
 107         if (p == NULL) {
 108                 DEBUG(0,(__location__ ": Failed to find partition for nc_root '%s'\n", ldb_dn_get_linearized(nc_root)));
 109                 talloc_free(state);
 110                 return;
 111         }
 112
 113         if (p->sources == NULL) {
 114                 DEBUG(0,(__location__ ": No sources for nc_root '%s' for user_dn '%s'\n",
 115                          ldb_dn_get_linearized(nc_root), user_dn));
 116                 talloc_free(state);
 117                 return;
 118         }
 119
 120         /* use the first source, for no particularly good reason */
 121         source_dsa_guid = &p->sources->repsFrom1->source_dsa_obj_guid;
 122
 123         source_dsa_dn = ldb_dn_new(state, service->samdb,
 124                                    talloc_asprintf(state, "<GUID=%s>",
 125                                                    GUID_string(state, source_dsa_guid)));
 126         if (!ldb_dn_validate(source_dsa_dn)) {
 127                 DEBUG(0,(__location__ ": Invalid source DSA GUID '%s' for user_dn '%s'\n",
 128                          GUID_string(state, source_dsa_guid), user_dn));
 129                 talloc_free(state);
 130                 return;
 131         }
 132
 133         werr = drepl_request_extended_op(service,
 134                                          nc_dn,
 135                                          source_dsa_dn,
 136                                          DRSUAPI_EXOP_REPL_SECRET,
 137                                          0,
 138                                          p->sources->repsFrom1->highwatermark.highest_usn,
 139                                          drepl_repl_secret_callback, state);
 140         if (!W_ERROR_IS_OK(werr)) {
 141                 DEBUG(2,(__location__ ": Failed to setup secret replication for user_dn '%s'\n", user_dn));
 142                 talloc_free(state);
 143                 return;
 144         }
 145         DEBUG(3,(__location__ ": started secret replication for %s\n", user_dn));
 146 }