| 1 | /*
|
|---|
| 2 | Unix SMB/CIFS mplementation.
|
|---|
| 3 |
|
|---|
| 4 | DSDB replication service - repl secret handling
|
|---|
| 5 |
|
|---|
| 6 | Copyright (C) Andrew Tridgell 2010
|
|---|
| 7 | Copyright (C) Andrew Bartlett 2010
|
|---|
| 8 |
|
|---|
| 9 | This program is free software; you can redistribute it and/or modify
|
|---|
| 10 | it under the terms of the GNU General Public License as published by
|
|---|
| 11 | the Free Software Foundation; either version 3 of the License, or
|
|---|
| 12 | (at your option) any later version.
|
|---|
| 13 |
|
|---|
| 14 | This program is distributed in the hope that it will be useful,
|
|---|
| 15 | but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|---|
| 16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|---|
| 17 | GNU General Public License for more details.
|
|---|
| 18 |
|
|---|
| 19 | You should have received a copy of the GNU General Public License
|
|---|
| 20 | along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|---|
| 21 |
|
|---|
| 22 | */
|
|---|
| 23 |
|
|---|
| 24 | #include "includes.h"
|
|---|
| 25 | #include "ldb_module.h"
|
|---|
| 26 | #include "dsdb/samdb/samdb.h"
|
|---|
| 27 | #include "smbd/service.h"
|
|---|
| 28 | #include "dsdb/repl/drepl_service.h"
|
|---|
| 29 | #include "param/param.h"
|
|---|
| 30 |
|
|---|
| 31 | struct repl_secret_state {
|
|---|
| 32 | const char *user_dn;
|
|---|
| 33 | };
|
|---|
| 34 |
|
|---|
| 35 | /*
|
|---|
| 36 | called when a repl secret has completed
|
|---|
| 37 | */
|
|---|
| 38 | static void drepl_repl_secret_callback(struct dreplsrv_service *service,
|
|---|
| 39 | WERROR werr,
|
|---|
| 40 | enum drsuapi_DsExtendedError ext_err,
|
|---|
| 41 | void *cb_data)
|
|---|
| 42 | {
|
|---|
| 43 | struct repl_secret_state *state = talloc_get_type_abort(cb_data, struct repl_secret_state);
|
|---|
| 44 | if (!W_ERROR_IS_OK(werr)) {
|
|---|
| 45 | DEBUG(3,(__location__ ": repl secret failed for user %s - %s: extended_ret[0x%X]\n",
|
|---|
| 46 | state->user_dn, win_errstr(werr), ext_err));
|
|---|
| 47 | } else {
|
|---|
| 48 | DEBUG(3,(__location__ ": repl secret completed OK for '%s'\n", state->user_dn));
|
|---|
| 49 | }
|
|---|
| 50 | talloc_free(state);
|
|---|
| 51 | }
|
|---|
| 52 |
|
|---|
| 53 |
|
|---|
| 54 | /**
|
|---|
| 55 | * Called when the auth code wants us to try and replicate
|
|---|
| 56 | * a users secrets
|
|---|
| 57 | */
|
|---|
| 58 | void drepl_repl_secret(struct dreplsrv_service *service,
|
|---|
| 59 | const char *user_dn)
|
|---|
| 60 | {
|
|---|
| 61 | WERROR werr;
|
|---|
| 62 | struct ldb_dn *nc_dn, *nc_root, *source_dsa_dn;
|
|---|
| 63 | struct dreplsrv_partition *p;
|
|---|
| 64 | struct GUID *source_dsa_guid;
|
|---|
| 65 | struct repl_secret_state *state;
|
|---|
| 66 | int ret;
|
|---|
| 67 |
|
|---|
| 68 | state = talloc_zero(service, struct repl_secret_state);
|
|---|
| 69 | if (state == NULL) {
|
|---|
| 70 | /* nothing to do, no return value */
|
|---|
| 71 | return;
|
|---|
| 72 | }
|
|---|
| 73 |
|
|---|
| 74 | /* keep a copy for logging in the callback */
|
|---|
| 75 | state->user_dn = talloc_strdup(state, user_dn);
|
|---|
| 76 |
|
|---|
| 77 | nc_dn = ldb_dn_new(state, service->samdb, user_dn);
|
|---|
| 78 | if (!ldb_dn_validate(nc_dn)) {
|
|---|
| 79 | DEBUG(0,(__location__ ": Failed to parse user_dn '%s'\n", user_dn));
|
|---|
| 80 | talloc_free(state);
|
|---|
| 81 | return;
|
|---|
| 82 | }
|
|---|
| 83 |
|
|---|
| 84 | /* work out which partition this is in */
|
|---|
| 85 | ret = dsdb_find_nc_root(service->samdb, state, nc_dn, &nc_root);
|
|---|
| 86 | if (ret != LDB_SUCCESS) {
|
|---|
| 87 | DEBUG(0,(__location__ ": Failed to find nc_root for user_dn '%s'\n", user_dn));
|
|---|
| 88 | talloc_free(state);
|
|---|
| 89 | return;
|
|---|
| 90 | }
|
|---|
| 91 |
|
|---|
| 92 | /* find the partition in our list */
|
|---|
| 93 | for (p=service->partitions; p; p=p->next) {
|
|---|
| 94 | if (ldb_dn_compare(p->dn, nc_root) == 0) {
|
|---|
| 95 | break;
|
|---|
| 96 | }
|
|---|
| 97 | }
|
|---|
| 98 | if (p == NULL) {
|
|---|
| 99 | DEBUG(0,(__location__ ": Failed to find partition for nc_root '%s'\n", ldb_dn_get_linearized(nc_root)));
|
|---|
| 100 | talloc_free(state);
|
|---|
| 101 | return;
|
|---|
| 102 | }
|
|---|
| 103 |
|
|---|
| 104 | if (p->sources == NULL) {
|
|---|
| 105 | DEBUG(0,(__location__ ": No sources for nc_root '%s' for user_dn '%s'\n",
|
|---|
| 106 | ldb_dn_get_linearized(nc_root), user_dn));
|
|---|
| 107 | talloc_free(state);
|
|---|
| 108 | return;
|
|---|
| 109 | }
|
|---|
| 110 |
|
|---|
| 111 | /* use the first source, for no particularly good reason */
|
|---|
| 112 | source_dsa_guid = &p->sources->repsFrom1->source_dsa_obj_guid;
|
|---|
| 113 |
|
|---|
| 114 | source_dsa_dn = ldb_dn_new(state, service->samdb,
|
|---|
| 115 | talloc_asprintf(state, "<GUID=%s>",
|
|---|
| 116 | GUID_string(state, source_dsa_guid)));
|
|---|
| 117 | if (!ldb_dn_validate(source_dsa_dn)) {
|
|---|
| 118 | DEBUG(0,(__location__ ": Invalid source DSA GUID '%s' for user_dn '%s'\n",
|
|---|
| 119 | GUID_string(state, source_dsa_guid), user_dn));
|
|---|
| 120 | talloc_free(state);
|
|---|
| 121 | return;
|
|---|
| 122 | }
|
|---|
| 123 |
|
|---|
| 124 | werr = drepl_request_extended_op(service,
|
|---|
| 125 | nc_dn,
|
|---|
| 126 | source_dsa_dn,
|
|---|
| 127 | DRSUAPI_EXOP_REPL_SECRET,
|
|---|
| 128 | 0,
|
|---|
| 129 | p->sources->repsFrom1->highwatermark.highest_usn,
|
|---|
| 130 | drepl_repl_secret_callback, state);
|
|---|
| 131 | if (!W_ERROR_IS_OK(werr)) {
|
|---|
| 132 | DEBUG(2,(__location__ ": Failed to setup secret replication for user_dn '%s'\n", user_dn));
|
|---|
| 133 | talloc_free(state);
|
|---|
| 134 | return;
|
|---|
| 135 | }
|
|---|
| 136 | DEBUG(3,(__location__ ": started secret replication for %s\n", user_dn));
|
|---|
| 137 | }
|
|---|
