summaryrefslogtreecommitdiffstats
path: root/source4/dsdb/common/util_groups.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /source4/dsdb/common/util_groups.c
parentInitial commit. (diff)
downloadsamba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz
samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--source4/dsdb/common/util_groups.c199
1 files changed, 199 insertions, 0 deletions
diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c
new file mode 100644
index 0000000..c2075de
--- /dev/null
+++ b/source4/dsdb/common/util_groups.c
@@ -0,0 +1,199 @@
+/*
+ Unix SMB/CIFS implementation.
+ Password and authentication handling
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2010
+ Copyright (C) Stefan Metzmacher 2005
+ Copyright (C) Matthias Dieter Wallnöfer 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "auth/auth.h"
+#include <ldb.h>
+#include "dsdb/samdb/samdb.h"
+#include "libcli/security/security.h"
+#include "dsdb/common/util.h"
+
+/* This function tests if a SID structure "sids" contains the SID "sid" */
+static bool sids_contains_sid(const struct dom_sid *sids,
+ const unsigned int num_sids,
+ const struct dom_sid *sid)
+{
+ unsigned int i;
+
+ for (i = 0; i < num_sids; i++) {
+ if (dom_sid_equal(&sids[i], sid))
+ return true;
+ }
+ return false;
+}
+
+/*
+ * This function generates the transitive closure of a given SAM object "dn_val"
+ * (it basically expands nested memberships).
+ * If the object isn't located in the "res_sids" structure yet and the
+ * "only_childs" flag is false, we add it to "res_sids".
+ * Then we've always to consider the "memberOf" attributes. We invoke the
+ * function recursively on each of it with the "only_childs" flag set to
+ * "false".
+ * The "only_childs" flag is particularly useful if you have a user object and
+ * want to include all it's groups (referenced with "memberOf") but not itself
+ * or considering if that object matches the filter.
+ *
+ * At the beginning "res_sids" should reference to a NULL pointer.
+ */
+NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
+ struct ldb_val *dn_val, const bool only_childs, const char *filter,
+ TALLOC_CTX *res_sids_ctx, struct dom_sid **res_sids,
+ unsigned int *num_res_sids)
+{
+ const char * const attrs[] = { "memberOf", NULL };
+ unsigned int i;
+ int ret;
+ bool already_there;
+ struct ldb_dn *dn;
+ struct dom_sid sid;
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_result *res;
+ NTSTATUS status;
+ const struct ldb_message_element *el;
+
+ if (*res_sids == NULL) {
+ *num_res_sids = 0;
+ }
+
+ if (!sam_ctx) {
+ DEBUG(0, ("No SAM available, cannot determine local groups\n"));
+ return NT_STATUS_INVALID_SYSTEM_SERVICE;
+ }
+
+ tmp_ctx = talloc_new(res_sids_ctx);
+
+ dn = ldb_dn_from_ldb_val(tmp_ctx, sam_ctx, dn_val);
+ if (dn == NULL) {
+ talloc_free(tmp_ctx);
+ DEBUG(0, (__location__ ": we failed parsing DN %.*s, so we cannot calculate the group token\n",
+ (int)dn_val->length, dn_val->data));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ status = dsdb_get_extended_dn_sid(dn, &sid, "SID");
+ if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ /* If we fail finding a SID then this is no error since it could
+ * be a non SAM object - e.g. a group with object class
+ * "groupOfNames" */
+ talloc_free(tmp_ctx);
+ return NT_STATUS_OK;
+ } else if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, (__location__ ": when parsing DN '%s' we failed to parse it's SID component, so we cannot calculate the group token: %s\n",
+ ldb_dn_get_extended_linearized(tmp_ctx, dn, 1),
+ nt_errstr(status)));
+ talloc_free(tmp_ctx);
+ return status;
+ }
+
+ if (!ldb_dn_minimise(dn)) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ if (only_childs) {
+ ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs,
+ DSDB_SEARCH_SHOW_EXTENDED_DN);
+ } else {
+ /* This is an O(n^2) linear search */
+ already_there = sids_contains_sid(*res_sids,
+ *num_res_sids, &sid);
+ if (already_there) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_OK;
+ }
+
+ ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
+ attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "%s",
+ filter);
+ }
+
+ /*
+ * We have the problem with the caller creating a <SID=S-....>
+ * DN for ForeignSecurityPrincipals as they also have
+ * duplicate objects with the SAME SID under CN=Configuration.
+ * This causes a SID= DN to fail with NO_SUCH_OBJECT on Samba
+ * and on Windows. So, we allow this to fail, and
+ * double-check if we can find it with a search in the main
+ * domain partition.
+ */
+ if (ret == LDB_ERR_NO_SUCH_OBJECT && only_childs) {
+ char *sid_string = dom_sid_string(tmp_ctx,
+ &sid);
+ if (!sid_string) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_OK;
+ }
+
+ ret = dsdb_search(sam_ctx, tmp_ctx, &res,
+ ldb_get_default_basedn(sam_ctx),
+ LDB_SCOPE_SUBTREE,
+ attrs, DSDB_SEARCH_SHOW_EXTENDED_DN,
+ "(&(objectClass=foreignSecurityPrincipal)(objectSID=%s))",
+ sid_string);
+ }
+
+ if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_OK;
+ }
+
+ if (ret != LDB_SUCCESS) {
+ DEBUG(1, (__location__ ": dsdb_search for %s failed: %s\n",
+ ldb_dn_get_extended_linearized(tmp_ctx, dn, 1),
+ ldb_errstring(sam_ctx)));
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ /* We may get back 0 results, if the SID didn't match the filter - such as it wasn't a domain group, for example */
+ if (res->count != 1) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_OK;
+ }
+
+ /* We only apply this test once we know the SID matches the filter */
+ if (!only_childs) {
+ *res_sids = talloc_realloc(res_sids_ctx, *res_sids,
+ struct dom_sid, *num_res_sids + 1);
+ if (*res_sids == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ (*res_sids)[*num_res_sids] = sid;
+ ++(*num_res_sids);
+ }
+
+ el = ldb_msg_find_element(res->msgs[0], "memberOf");
+
+ for (i = 0; el && i < el->num_values; i++) {
+ status = dsdb_expand_nested_groups(sam_ctx, &el->values[i],
+ false, filter, res_sids_ctx, res_sids, num_res_sids);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(tmp_ctx);
+ return status;
+ }
+ }
+
+ talloc_free(tmp_ctx);
+
+ return NT_STATUS_OK;
+}