diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
commit | 4f5791ebd03eaec1c7da0865a383175b05102712 (patch) | |
tree | 8ce7b00f7a76baa386372422adebbe64510812d4 /source4/dsdb/repl/drepl_secret.c | |
parent | Initial commit. (diff) | |
download | samba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip |
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | source4/dsdb/repl/drepl_secret.c | 146 |
1 files changed, 146 insertions, 0 deletions
diff --git a/source4/dsdb/repl/drepl_secret.c b/source4/dsdb/repl/drepl_secret.c new file mode 100644 index 0000000..47a8ca9 --- /dev/null +++ b/source4/dsdb/repl/drepl_secret.c @@ -0,0 +1,146 @@ +/* + Unix SMB/CIFS Implementation. + + DSDB replication service - repl secret handling + + Copyright (C) Andrew Tridgell 2010 + Copyright (C) Andrew Bartlett 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. + +*/ + +#include "includes.h" +#include "ldb_module.h" +#include "dsdb/samdb/samdb.h" +#include "samba/service.h" +#include "dsdb/repl/drepl_service.h" +#include "param/param.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_DRS_REPL + +struct repl_secret_state { + const char *user_dn; +}; + +/* + called when a repl secret has completed + */ +static void drepl_repl_secret_callback(struct dreplsrv_service *service, + WERROR werr, + enum drsuapi_DsExtendedError ext_err, + void *cb_data) +{ + struct repl_secret_state *state = talloc_get_type_abort(cb_data, struct repl_secret_state); + if (!W_ERROR_IS_OK(werr)) { + if (W_ERROR_EQUAL(werr, WERR_DS_DRA_SECRETS_DENIED)) { + DEBUG(3,(__location__ ": repl secret disallowed for user " + "%s - not in allowed replication group\n", + state->user_dn)); + } else { + DEBUG(3,(__location__ ": repl secret failed for user %s - %s: extended_ret[0x%X]\n", + state->user_dn, win_errstr(werr), ext_err)); + } + } else { + DEBUG(3,(__location__ ": repl secret completed OK for '%s'\n", state->user_dn)); + } + talloc_free(state); +} + + +/** + * Called when the auth code wants us to try and replicate + * a users secrets + */ +void drepl_repl_secret(struct dreplsrv_service *service, + const char *user_dn) +{ + WERROR werr; + struct ldb_dn *nc_dn, *nc_root, *source_dsa_dn; + struct dreplsrv_partition *p; + struct GUID *source_dsa_guid; + struct repl_secret_state *state; + int ret; + + state = talloc_zero(service, struct repl_secret_state); + if (state == NULL) { + /* nothing to do, no return value */ + return; + } + + /* keep a copy for logging in the callback */ + state->user_dn = talloc_strdup(state, user_dn); + + nc_dn = ldb_dn_new(state, service->samdb, user_dn); + if (!ldb_dn_validate(nc_dn)) { + DEBUG(0,(__location__ ": Failed to parse user_dn '%s'\n", user_dn)); + talloc_free(state); + return; + } + + /* work out which partition this is in */ + ret = dsdb_find_nc_root(service->samdb, state, nc_dn, &nc_root); + if (ret != LDB_SUCCESS) { + DEBUG(0,(__location__ ": Failed to find nc_root for user_dn '%s'\n", user_dn)); + talloc_free(state); + return; + } + + /* find the partition in our list */ + for (p=service->partitions; p; p=p->next) { + if (ldb_dn_compare(p->dn, nc_root) == 0) { + break; + } + } + if (p == NULL) { + DEBUG(0,(__location__ ": Failed to find partition for nc_root '%s'\n", ldb_dn_get_linearized(nc_root))); + talloc_free(state); + return; + } + + if (p->sources == NULL) { + DEBUG(0,(__location__ ": No sources for nc_root '%s' for user_dn '%s'\n", + ldb_dn_get_linearized(nc_root), user_dn)); + talloc_free(state); + return; + } + + /* use the first source, for no particularly good reason */ + source_dsa_guid = &p->sources->repsFrom1->source_dsa_obj_guid; + + source_dsa_dn = ldb_dn_new(state, service->samdb, + talloc_asprintf(state, "<GUID=%s>", + GUID_string(state, source_dsa_guid))); + if (!ldb_dn_validate(source_dsa_dn)) { + DEBUG(0,(__location__ ": Invalid source DSA GUID '%s' for user_dn '%s'\n", + GUID_string(state, source_dsa_guid), user_dn)); + talloc_free(state); + return; + } + + werr = drepl_request_extended_op(service, + nc_dn, + source_dsa_dn, + DRSUAPI_EXOP_REPL_SECRET, + 0, + p->sources->repsFrom1->highwatermark.highest_usn, + drepl_repl_secret_callback, state); + if (!W_ERROR_IS_OK(werr)) { + DEBUG(2,(__location__ ": Failed to setup secret replication for user_dn '%s'\n", user_dn)); + talloc_free(state); + return; + } + DEBUG(3,(__location__ ": started secret replication for %s\n", user_dn)); +} |