summaryrefslogtreecommitdiffstats
path: root/source4/dsdb/repl/drepl_secret.c
blob: 47a8ca9c65ee29df3e9fb74f7e96a5f505eb4896 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
/*
   Unix SMB/CIFS Implementation.

   DSDB replication service - repl secret handling

   Copyright (C) Andrew Tridgell 2010
   Copyright (C) Andrew Bartlett 2010

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.

*/

#include "includes.h"
#include "ldb_module.h"
#include "dsdb/samdb/samdb.h"
#include "samba/service.h"
#include "dsdb/repl/drepl_service.h"
#include "param/param.h"

#undef DBGC_CLASS
#define DBGC_CLASS            DBGC_DRS_REPL

struct repl_secret_state {
	const char *user_dn;
};

/*
  called when a repl secret has completed
 */
static void drepl_repl_secret_callback(struct dreplsrv_service *service,
				       WERROR werr,
				       enum drsuapi_DsExtendedError ext_err,
				       void *cb_data)
{
	struct repl_secret_state *state = talloc_get_type_abort(cb_data, struct repl_secret_state);
	if (!W_ERROR_IS_OK(werr)) {
		if (W_ERROR_EQUAL(werr, WERR_DS_DRA_SECRETS_DENIED)) {
			DEBUG(3,(__location__ ": repl secret disallowed for user "
				 "%s - not in allowed replication group\n",
				 state->user_dn));
		} else {
			DEBUG(3,(__location__ ": repl secret failed for user %s - %s: extended_ret[0x%X]\n",
				 state->user_dn, win_errstr(werr), ext_err));
		}
	} else {
		DEBUG(3,(__location__ ": repl secret completed OK for '%s'\n", state->user_dn));
	}
	talloc_free(state);
}


/**
 * Called when the auth code wants us to try and replicate
 * a users secrets
 */
void drepl_repl_secret(struct dreplsrv_service *service,
		       const char *user_dn)
{
	WERROR werr;
	struct ldb_dn *nc_dn, *nc_root, *source_dsa_dn;
	struct dreplsrv_partition *p;
	struct GUID *source_dsa_guid;
	struct repl_secret_state *state;
	int ret;

	state = talloc_zero(service, struct repl_secret_state);
	if (state == NULL) {
		/* nothing to do, no return value */
		return;
	}

	/* keep a copy for logging in the callback */
	state->user_dn = talloc_strdup(state, user_dn);

	nc_dn = ldb_dn_new(state, service->samdb, user_dn);
	if (!ldb_dn_validate(nc_dn)) {
		DEBUG(0,(__location__ ": Failed to parse user_dn '%s'\n", user_dn));
		talloc_free(state);
		return;
	}

	/* work out which partition this is in */
	ret = dsdb_find_nc_root(service->samdb, state, nc_dn, &nc_root);
	if (ret != LDB_SUCCESS) {
		DEBUG(0,(__location__ ": Failed to find nc_root for user_dn '%s'\n", user_dn));
		talloc_free(state);
		return;
	}

	/* find the partition in our list */
	for (p=service->partitions; p; p=p->next) {
		if (ldb_dn_compare(p->dn, nc_root) == 0) {
			break;
		}
	}
	if (p == NULL) {
		DEBUG(0,(__location__ ": Failed to find partition for nc_root '%s'\n", ldb_dn_get_linearized(nc_root)));
		talloc_free(state);
		return;
	}

	if (p->sources == NULL) {
		DEBUG(0,(__location__ ": No sources for nc_root '%s' for user_dn '%s'\n",
			 ldb_dn_get_linearized(nc_root), user_dn));
		talloc_free(state);
		return;
	}

	/* use the first source, for no particularly good reason */
	source_dsa_guid = &p->sources->repsFrom1->source_dsa_obj_guid;

	source_dsa_dn = ldb_dn_new(state, service->samdb,
				   talloc_asprintf(state, "<GUID=%s>",
						   GUID_string(state, source_dsa_guid)));
	if (!ldb_dn_validate(source_dsa_dn)) {
		DEBUG(0,(__location__ ": Invalid source DSA GUID '%s' for user_dn '%s'\n",
			 GUID_string(state, source_dsa_guid), user_dn));
		talloc_free(state);
		return;
	}

	werr = drepl_request_extended_op(service,
					 nc_dn,
					 source_dsa_dn,
					 DRSUAPI_EXOP_REPL_SECRET,
					 0,
					 p->sources->repsFrom1->highwatermark.highest_usn,
					 drepl_repl_secret_callback, state);
	if (!W_ERROR_IS_OK(werr)) {
		DEBUG(2,(__location__ ": Failed to setup secret replication for user_dn '%s'\n", user_dn));
		talloc_free(state);
		return;
	}
	DEBUG(3,(__location__ ": started secret replication for %s\n", user_dn));
}