Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 : Password and authentication handling
4 : Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2010
5 : Copyright (C) Stefan Metzmacher 2005
6 : Copyright (C) Matthias Dieter Wallnöfer 2009
7 :
8 : This program is free software; you can redistribute it and/or modify
9 : it under the terms of the GNU General Public License as published by
10 : the Free Software Foundation; either version 3 of the License, or
11 : (at your option) any later version.
12 :
13 : This program is distributed in the hope that it will be useful,
14 : but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : GNU General Public License for more details.
17 :
18 : You should have received a copy of the GNU General Public License
19 : along with this program. If not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include "includes.h"
23 : #include "auth/auth.h"
24 : #include <ldb.h>
25 : #include "dsdb/samdb/samdb.h"
26 : #include "libcli/security/security.h"
27 : #include "dsdb/common/util.h"
28 :
29 : /*
30 : * This function generates the transitive closure of a given SAM object "dn_val"
31 : * (it basically expands nested memberships).
32 : * If the object isn't located in the "res_sids" structure yet and the
33 : * "only_childs" flag is false, we add it to "res_sids".
34 : * Then we've always to consider the "memberOf" attributes. We invoke the
35 : * function recursively on each of it with the "only_childs" flag set to
36 : * "false".
37 : * The "only_childs" flag is particularly useful if you have a user object and
38 : * want to include all it's groups (referenced with "memberOf") but not itself
39 : * or considering if that object matches the filter.
40 : *
41 : * At the beginning "res_sids" should reference to a NULL pointer.
42 : */
43 2912417 : NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
44 : struct ldb_val *dn_val, const bool only_childs, const char *filter,
45 : TALLOC_CTX *res_sids_ctx, struct auth_SidAttr **res_sids,
46 : uint32_t *num_res_sids)
47 : {
48 101123 : static const char * const attrs[] = { "groupType", "memberOf", NULL };
49 101123 : unsigned int i;
50 101123 : int ret;
51 101123 : struct ldb_dn *dn;
52 101123 : struct dom_sid sid;
53 101123 : TALLOC_CTX *tmp_ctx;
54 101123 : struct ldb_result *res;
55 101123 : NTSTATUS status;
56 101123 : const struct ldb_message_element *el;
57 :
58 2912417 : if (*res_sids == NULL) {
59 27820 : *num_res_sids = 0;
60 : }
61 :
62 2912417 : if (!sam_ctx) {
63 0 : DEBUG(0, ("No SAM available, cannot determine local groups\n"));
64 0 : return NT_STATUS_INVALID_SYSTEM_SERVICE;
65 : }
66 :
67 2912417 : tmp_ctx = talloc_new(res_sids_ctx);
68 2912417 : if (tmp_ctx == NULL) {
69 0 : return NT_STATUS_NO_MEMORY;
70 : }
71 :
72 2912417 : dn = ldb_dn_from_ldb_val(tmp_ctx, sam_ctx, dn_val);
73 2912417 : if (dn == NULL) {
74 0 : talloc_free(tmp_ctx);
75 0 : DEBUG(0, (__location__ ": we failed parsing DN %.*s, so we cannot calculate the group token\n",
76 : (int)dn_val->length, dn_val->data));
77 0 : return NT_STATUS_INTERNAL_DB_CORRUPTION;
78 : }
79 :
80 2912417 : status = dsdb_get_extended_dn_sid(dn, &sid, "SID");
81 2912417 : if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
82 : /* If we fail finding a SID then this is no error since it could
83 : * be a non SAM object - e.g. a group with object class
84 : * "groupOfNames" */
85 0 : talloc_free(tmp_ctx);
86 0 : return NT_STATUS_OK;
87 2912417 : } else if (!NT_STATUS_IS_OK(status)) {
88 0 : DEBUG(0, (__location__ ": when parsing DN '%s' we failed to parse it's SID component, so we cannot calculate the group token: %s\n",
89 : ldb_dn_get_extended_linearized(tmp_ctx, dn, 1),
90 : nt_errstr(status)));
91 0 : talloc_free(tmp_ctx);
92 0 : return status;
93 : }
94 :
95 2912417 : if (!ldb_dn_minimise(dn)) {
96 0 : talloc_free(tmp_ctx);
97 0 : return NT_STATUS_INTERNAL_DB_CORRUPTION;
98 : }
99 :
100 2912417 : if (only_childs) {
101 1172475 : ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs,
102 : DSDB_SEARCH_SHOW_EXTENDED_DN);
103 : } else {
104 1739942 : ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
105 : attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "%s",
106 : filter);
107 : }
108 :
109 : /*
110 : * We have the problem with the caller creating a <SID=S-....>
111 : * DN for ForeignSecurityPrincipals as they also have
112 : * duplicate objects with the SAME SID under CN=Configuration.
113 : * This causes a SID= DN to fail with NO_SUCH_OBJECT on Samba
114 : * and on Windows. So, we allow this to fail, and
115 : * double-check if we can find it with a search in the main
116 : * domain partition.
117 : */
118 2912417 : if (ret == LDB_ERR_NO_SUCH_OBJECT && only_childs) {
119 240190 : char *sid_string = dom_sid_string(tmp_ctx,
120 : &sid);
121 240190 : if (!sid_string) {
122 0 : talloc_free(tmp_ctx);
123 0 : return NT_STATUS_OK;
124 : }
125 :
126 240190 : ret = dsdb_search(sam_ctx, tmp_ctx, &res,
127 : ldb_get_default_basedn(sam_ctx),
128 : LDB_SCOPE_SUBTREE,
129 : attrs, DSDB_SEARCH_SHOW_EXTENDED_DN,
130 : "(&(objectClass=foreignSecurityPrincipal)(objectSID=%s))",
131 : sid_string);
132 : }
133 :
134 2912417 : if (ret == LDB_ERR_NO_SUCH_OBJECT) {
135 0 : talloc_free(tmp_ctx);
136 0 : return NT_STATUS_OK;
137 : }
138 :
139 2912417 : if (ret != LDB_SUCCESS) {
140 0 : DEBUG(1, (__location__ ": dsdb_search for %s failed: %s\n",
141 : ldb_dn_get_extended_linearized(tmp_ctx, dn, 1),
142 : ldb_errstring(sam_ctx)));
143 0 : talloc_free(tmp_ctx);
144 0 : return NT_STATUS_INTERNAL_DB_CORRUPTION;
145 : }
146 :
147 : /* We may get back 0 results, if the SID didn't match the filter - such as it wasn't a domain group, for example */
148 2912417 : if (res->count != 1) {
149 878293 : talloc_free(tmp_ctx);
150 878293 : return NT_STATUS_OK;
151 : }
152 :
153 : /* We only apply this test once we know the SID matches the filter */
154 2034124 : if (!only_childs) {
155 43893 : unsigned group_type;
156 43893 : uint32_t sid_attrs;
157 43893 : bool already_there;
158 :
159 1048093 : sid_attrs = SE_GROUP_DEFAULT_FLAGS;
160 1048093 : group_type = ldb_msg_find_attr_as_uint(res->msgs[0], "groupType", 0);
161 1048093 : if (group_type & GROUP_TYPE_RESOURCE_GROUP) {
162 677156 : sid_attrs |= SE_GROUP_RESOURCE;
163 : }
164 :
165 : /* This is an O(n^2) linear search */
166 1048093 : already_there = sids_contains_sid_attrs(*res_sids, *num_res_sids,
167 : &sid, sid_attrs);
168 1048093 : if (already_there) {
169 570627 : talloc_free(tmp_ctx);
170 570627 : return NT_STATUS_OK;
171 : }
172 :
173 477466 : *res_sids = talloc_realloc(res_sids_ctx, *res_sids,
174 : struct auth_SidAttr, *num_res_sids + 1);
175 477466 : if (*res_sids == NULL) {
176 0 : TALLOC_FREE(tmp_ctx);
177 0 : return NT_STATUS_NO_MEMORY;
178 : }
179 :
180 477466 : (*res_sids)[*num_res_sids].sid = sid;
181 477466 : (*res_sids)[*num_res_sids].attrs = sid_attrs;
182 :
183 477466 : ++(*num_res_sids);
184 : }
185 :
186 1463497 : el = ldb_msg_find_element(res->msgs[0], "memberOf");
187 :
188 2995997 : for (i = 0; el && i < el->num_values; i++) {
189 1483720 : status = dsdb_expand_nested_groups(sam_ctx, &el->values[i],
190 : false, filter, res_sids_ctx, res_sids, num_res_sids);
191 1483720 : if (!NT_STATUS_IS_OK(status)) {
192 0 : talloc_free(tmp_ctx);
193 0 : return status;
194 : }
195 : }
196 :
197 1463497 : talloc_free(tmp_ctx);
198 :
199 1463497 : return NT_STATUS_OK;
200 : }
|
