Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : implement the DsWriteAccountSpn call
5 :
6 : Copyright (C) Stefan Metzmacher 2009
7 : Copyright (C) Andrew Tridgell 2010
8 :
9 : This program is free software; you can redistribute it and/or modify
10 : it under the terms of the GNU General Public License as published by
11 : the Free Software Foundation; either version 3 of the License, or
12 : (at your option) any later version.
13 :
14 : This program is distributed in the hope that it will be useful,
15 : but WITHOUT ANY WARRANTY; without even the implied warranty of
16 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 : GNU General Public License for more details.
18 :
19 : You should have received a copy of the GNU General Public License
20 : along with this program. If not, see <http://www.gnu.org/licenses/>.
21 : */
22 :
23 : #include "includes.h"
24 : #include "rpc_server/dcerpc_server.h"
25 : #include "dsdb/samdb/samdb.h"
26 : #include "dsdb/common/util.h"
27 : #include "system/kerberos.h"
28 : #include "auth/kerberos/kerberos.h"
29 : #include "libcli/security/security.h"
30 : #include "libcli/security/session.h"
31 : #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
32 : #include "librpc/gen_ndr/ndr_drsuapi.h"
33 : #include "auth/session.h"
34 :
35 : #undef DBGC_CLASS
36 : #define DBGC_CLASS DBGC_DRS_REPL
37 :
38 : #undef strcasecmp
39 :
40 : /*
41 : check that the SPN update should be allowed as an override
42 : via sam_ctx_system
43 :
44 : This is only called if the client is not a domain controller or
45 : administrator
46 : */
47 12 : static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
48 : struct dcesrv_call_state *dce_call,
49 : struct ldb_dn *dn,
50 : const char *spn)
51 : {
52 : /*
53 : * we only allow SPN updates if:
54 : *
55 : * 1) they are on the clients own account object
56 : * 2) they are of the form SERVICE/dnshostname
57 : */
58 0 : struct auth_session_info *session_info =
59 12 : dcesrv_call_session_info(dce_call);
60 0 : struct dom_sid *user_sid, *sid;
61 12 : TALLOC_CTX *tmp_ctx = talloc_new(dce_call);
62 0 : struct ldb_result *res;
63 12 : const char *attrs[] = { "objectSID", "dNSHostName", NULL };
64 0 : int ret;
65 0 : krb5_context krb_ctx;
66 0 : krb5_error_code kerr;
67 0 : krb5_principal principal;
68 0 : krb5_data component;
69 0 : const char *dns_name, *dnsHostName;
70 :
71 : /* The service principal name shouldn't be NULL */
72 12 : if (spn == NULL) {
73 0 : talloc_free(tmp_ctx);
74 0 : return false;
75 : }
76 :
77 : /*
78 : get the objectSid of the DN that is being modified, and
79 : check it matches the user_sid in their token
80 : */
81 :
82 12 : ret = dsdb_search_dn(b_state->sam_ctx, tmp_ctx, &res, dn, attrs,
83 : DSDB_SEARCH_ONE_ONLY);
84 12 : if (ret != LDB_SUCCESS) {
85 0 : talloc_free(tmp_ctx);
86 0 : return false;
87 : }
88 :
89 12 : user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
90 12 : sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
91 12 : if (sid == NULL) {
92 0 : talloc_free(tmp_ctx);
93 0 : return false;
94 : }
95 :
96 12 : dnsHostName = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName",
97 : NULL);
98 12 : if (dnsHostName == NULL) {
99 1 : talloc_free(tmp_ctx);
100 1 : return false;
101 : }
102 :
103 11 : if (!dom_sid_equal(sid, user_sid)) {
104 4 : talloc_free(tmp_ctx);
105 4 : return false;
106 : }
107 :
108 7 : kerr = smb_krb5_init_context_basic(tmp_ctx,
109 7 : dce_call->conn->dce_ctx->lp_ctx,
110 : &krb_ctx);
111 7 : if (kerr != 0) {
112 0 : talloc_free(tmp_ctx);
113 0 : return false;
114 : }
115 :
116 7 : kerr = krb5_parse_name_flags(krb_ctx, spn, KRB5_PRINCIPAL_PARSE_NO_REALM,
117 : &principal);
118 7 : if (kerr != 0) {
119 0 : krb5_free_context(krb_ctx);
120 0 : talloc_free(tmp_ctx);
121 0 : return false;
122 : }
123 :
124 7 : if (krb5_princ_size(krb_ctx, principal) != 2) {
125 4 : krb5_free_principal(krb_ctx, principal);
126 4 : krb5_free_context(krb_ctx);
127 4 : talloc_free(tmp_ctx);
128 4 : return false;
129 : }
130 :
131 3 : kerr = smb_krb5_princ_component(krb_ctx, principal, 1, &component);
132 3 : if (kerr) {
133 0 : krb5_free_principal(krb_ctx, principal);
134 0 : krb5_free_context(krb_ctx);
135 0 : talloc_free(tmp_ctx);
136 0 : return false;
137 : }
138 3 : dns_name = (const char *)component.data;
139 :
140 3 : if (strcasecmp(dns_name, dnsHostName) != 0) {
141 2 : krb5_free_principal(krb_ctx, principal);
142 2 : krb5_free_context(krb_ctx);
143 2 : talloc_free(tmp_ctx);
144 2 : return false;
145 : }
146 :
147 : /* its a simple update on their own account - allow it with
148 : * permissions override */
149 1 : krb5_free_principal(krb_ctx, principal);
150 1 : krb5_free_context(krb_ctx);
151 1 : talloc_free(tmp_ctx);
152 :
153 1 : return true;
154 : }
155 :
156 : /*
157 : drsuapi_DsWriteAccountSpn
158 : */
159 4 : WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
160 : struct drsuapi_DsWriteAccountSpn *r)
161 : {
162 0 : struct drsuapi_bind_state *b_state;
163 0 : struct dcesrv_handle *h;
164 :
165 4 : *r->out.level_out = r->in.level;
166 :
167 4 : DCESRV_PULL_HANDLE_WERR(h, r->in.bind_handle, DRSUAPI_BIND_HANDLE);
168 4 : b_state = h->data;
169 :
170 4 : r->out.res = talloc(mem_ctx, union drsuapi_DsWriteAccountSpnResult);
171 4 : W_ERROR_HAVE_NO_MEMORY(r->out.res);
172 :
173 4 : switch (r->in.level) {
174 4 : case 1: {
175 0 : struct drsuapi_DsWriteAccountSpnRequest1 *req;
176 0 : struct ldb_message *msg;
177 0 : uint32_t count;
178 0 : unsigned int i;
179 0 : int ret;
180 4 : unsigned spn_count=0;
181 4 : bool passed_checks = true;
182 0 : struct ldb_context *sam_ctx;
183 :
184 4 : req = &r->in.req->req1;
185 4 : count = req->count;
186 :
187 4 : msg = ldb_msg_new(mem_ctx);
188 4 : if (msg == NULL) {
189 0 : return WERR_NOT_ENOUGH_MEMORY;
190 : }
191 :
192 4 : msg->dn = ldb_dn_new(msg, b_state->sam_ctx,
193 : req->object_dn);
194 4 : if ( ! ldb_dn_validate(msg->dn)) {
195 0 : r->out.res->res1.status = WERR_OK;
196 0 : return WERR_OK;
197 : }
198 :
199 : /* construct mods */
200 16 : for (i = 0; i < count; i++) {
201 12 : if (!writespn_check_spn(b_state,
202 : dce_call,
203 : msg->dn,
204 12 : req->spn_names[i].str)) {
205 11 : passed_checks = false;
206 : }
207 12 : ret = ldb_msg_add_string(msg,
208 : "servicePrincipalName",
209 12 : req->spn_names[i].str);
210 12 : if (ret != LDB_SUCCESS) {
211 0 : return WERR_NOT_ENOUGH_MEMORY;
212 : }
213 12 : spn_count++;
214 : }
215 :
216 4 : if (msg->num_elements == 0) {
217 0 : DEBUG(2,("No SPNs need changing on %s\n",
218 : ldb_dn_get_linearized(msg->dn)));
219 0 : r->out.res->res1.status = WERR_OK;
220 0 : return WERR_OK;
221 : }
222 :
223 8 : for (i=0;i<msg->num_elements;i++) {
224 4 : switch (req->operation) {
225 2 : case DRSUAPI_DS_SPN_OPERATION_ADD:
226 2 : msg->elements[i].flags = LDB_FLAG_MOD_ADD;
227 2 : break;
228 1 : case DRSUAPI_DS_SPN_OPERATION_REPLACE:
229 1 : msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
230 1 : break;
231 1 : case DRSUAPI_DS_SPN_OPERATION_DELETE:
232 1 : msg->elements[i].flags = LDB_FLAG_MOD_DELETE;
233 1 : break;
234 : }
235 : }
236 :
237 4 : if (passed_checks && b_state->sam_ctx_system) {
238 0 : sam_ctx = b_state->sam_ctx_system;
239 : } else {
240 4 : sam_ctx = b_state->sam_ctx;
241 : }
242 :
243 : /* Apply to database */
244 4 : ret = dsdb_modify(sam_ctx, msg, DSDB_MODIFY_PERMISSIVE);
245 4 : if (ret != LDB_SUCCESS) {
246 0 : DEBUG(0,("Failed to modify SPNs on %s: %s\n",
247 : ldb_dn_get_linearized(msg->dn),
248 : ldb_errstring(b_state->sam_ctx)));
249 0 : NDR_PRINT_IN_DEBUG(
250 : drsuapi_DsWriteAccountSpn, r);
251 0 : r->out.res->res1.status = WERR_ACCESS_DENIED;
252 : } else {
253 4 : DEBUG(2,("Modified %u SPNs on %s\n", spn_count,
254 : ldb_dn_get_linearized(msg->dn)));
255 4 : r->out.res->res1.status = WERR_OK;
256 : }
257 :
258 4 : return WERR_OK;
259 : }
260 : }
261 :
262 0 : return WERR_INVALID_LEVEL;
263 : }
|
