LCOV - code coverage report
Current view: top level - source4/dsdb/samdb - samdb.c (source / functions) Hit Total Coverage
Test: coverage report for support-claim-type-attributes 6b5c566e Lines: 108 132 81.8 %
Date: 2023-11-21 12:31:41 Functions: 3 3 100.0 %

          Line data    Source code
       1             : /* 
       2             :    Unix SMB/CIFS implementation.
       3             : 
       4             :    interface functions for the sam database
       5             : 
       6             :    Copyright (C) Andrew Tridgell 2004
       7             :    Copyright (C) Volker Lendecke 2004
       8             :    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
       9             : 
      10             :    This program is free software; you can redistribute it and/or modify
      11             :    it under the terms of the GNU General Public License as published by
      12             :    the Free Software Foundation; either version 3 of the License, or
      13             :    (at your option) any later version.
      14             :    
      15             :    This program is distributed in the hope that it will be useful,
      16             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      17             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      18             :    GNU General Public License for more details.
      19             :    
      20             :    You should have received a copy of the GNU General Public License
      21             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      22             : */
      23             : 
      24             : #include "includes.h"
      25             : #include "librpc/gen_ndr/ndr_netlogon.h"
      26             : #include "librpc/gen_ndr/ndr_security.h"
      27             : #include "lib/events/events.h"
      28             : #include "lib/ldb-samba/ldb_wrap.h"
      29             : #include <ldb.h>
      30             : #include <ldb_errors.h>
      31             : #include "libcli/security/security.h"
      32             : #include "libcli/security/claims-conversions.h"
      33             : #include "libcli/auth/libcli_auth.h"
      34             : #include "libcli/ldap/ldap_ndr.h"
      35             : #include "system/time.h"
      36             : #include "system/filesys.h"
      37             : #include "ldb_wrap.h"
      38             : #include "../lib/util/util_ldb.h"
      39             : #include "dsdb/samdb/samdb.h"
      40             : #include "../libds/common/flags.h"
      41             : #include "param/param.h"
      42             : #include "lib/events/events.h"
      43             : #include "auth/credentials/credentials.h"
      44             : #include "param/secrets.h"
      45             : #include "auth/auth.h"
      46             : #include "lib/tsocket/tsocket.h"
      47             : #include "lib/param/loadparm.h"
      48             : 
      49             : /*
      50             :   connect to the SAM database specified by URL
      51             :   return an opaque context pointer on success, or NULL on failure
      52             :  */
      53      253448 : int samdb_connect_url(TALLOC_CTX *mem_ctx,
      54             :                       struct tevent_context *ev_ctx,
      55             :                       struct loadparm_context *lp_ctx,
      56             :                       struct auth_session_info *session_info,
      57             :                       unsigned int flags,
      58             :                       const char *url,
      59             :                       const struct tsocket_address *remote_address,
      60             :                       struct ldb_context **ldb_ret,
      61             :                       char **errstring)
      62             : {
      63      253448 :         struct ldb_context *ldb = NULL;
      64        8285 :         int ret;
      65      253448 :         *ldb_ret = NULL;
      66      253448 :         *errstring = NULL;
      67             : 
      68             :         /* We create sam.ldb in provision, and never anywhere else */
      69      253448 :         flags |= LDB_FLG_DONT_CREATE_DB;
      70             : 
      71      253448 :         if (remote_address == NULL) {
      72      182199 :                 ldb = ldb_wrap_find(url, ev_ctx, lp_ctx,
      73             :                                     session_info, NULL, flags);
      74      182199 :                 if (ldb != NULL) {
      75       80835 :                         *ldb_ret = talloc_reference(mem_ctx, ldb);
      76       80835 :                         if (*ldb_ret == NULL) {
      77           0 :                                 return LDB_ERR_OPERATIONS_ERROR;
      78             :                         }
      79       80835 :                         return LDB_SUCCESS;
      80             :                 }
      81             :         }
      82             : 
      83      172613 :         ldb = samba_ldb_init(mem_ctx, ev_ctx, lp_ctx, session_info, NULL);
      84             : 
      85      172613 :         if (ldb == NULL) {
      86           0 :                 *errstring = talloc_asprintf(mem_ctx,
      87             :                                              "Failed to set up Samba ldb "
      88             :                                              "wrappers with samba_ldb_init() "
      89             :                                              "to connect to %s",
      90             :                                              url);
      91           0 :                 return LDB_ERR_OPERATIONS_ERROR;
      92             :         }
      93             : 
      94      172613 :         dsdb_set_global_schema(ldb);
      95             : 
      96      172613 :         ret = samba_ldb_connect(ldb, lp_ctx, url, flags);
      97      172613 :         if (ret != LDB_SUCCESS) {
      98           4 :                 *errstring = talloc_asprintf(mem_ctx,
      99             :                                              "Failed to connect to %s: %s",
     100             :                                              url,
     101             :                                              ldb_errstring(ldb));
     102           4 :                 talloc_free(ldb);
     103           4 :                 return LDB_ERR_OPERATIONS_ERROR;
     104             :         }
     105             : 
     106             :         /*
     107             :          * If a remote_address was specified, then set it on the DB
     108             :          * and do not add to the wrap list (as we need to keep the LDB
     109             :          * pointer unique for the address).
     110             :          *
     111             :          * We use this for audit logging and for the "netlogon" attribute
     112             :          */
     113      172609 :         if (remote_address != NULL) {
     114       71249 :                 ldb_set_opaque(ldb, "remoteAddress",
     115             :                                discard_const(remote_address));
     116       71249 :                 *ldb_ret = ldb;
     117       71249 :                 return LDB_SUCCESS;
     118             :         }
     119             :                 
     120      101360 :         if (!ldb_wrap_add(url, ev_ctx, lp_ctx, session_info, NULL, flags, ldb)) {
     121           0 :                 *errstring = talloc_asprintf(mem_ctx,
     122             :                                              "Failed to add cached DB reference"
     123             :                                              " to %s",
     124             :                                              url);
     125           0 :                 talloc_free(ldb);
     126           0 :                 return LDB_ERR_OPERATIONS_ERROR;
     127             :         }
     128             : 
     129      101360 :         *ldb_ret = ldb;
     130      101360 :         return LDB_SUCCESS;
     131             : }
     132             : 
     133             : 
     134             : /*
     135             :   connect to the SAM database
     136             :   return an opaque context pointer on success, or NULL on failure
     137             :  */
     138      190513 : struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
     139             :                                   struct tevent_context *ev_ctx,
     140             :                                   struct loadparm_context *lp_ctx,
     141             :                                   struct auth_session_info *session_info,
     142             :                                   const struct tsocket_address *remote_address,
     143             :                                   unsigned int flags)
     144             : {
     145        7181 :         char *errstring;
     146        7181 :         struct ldb_context *ldb;
     147      190513 :         int ret = samdb_connect_url(mem_ctx,
     148             :                                     ev_ctx,
     149             :                                     lp_ctx,
     150             :                                     session_info,
     151             :                                     flags,
     152             :                                     "sam.ldb",
     153             :                                     remote_address,
     154             :                                     &ldb,
     155             :                                     &errstring);
     156      190513 :         if (ret == LDB_SUCCESS) {
     157      190509 :                 return ldb;
     158             :         }
     159           4 :         return NULL;
     160             : }
     161             : 
     162             : /****************************************************************************
     163             :  Create the SID list for this user.
     164             : ****************************************************************************/
     165       94907 : NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, 
     166             :                                struct loadparm_context *lp_ctx,
     167             :                                uint32_t num_sids,
     168             :                                const struct auth_SidAttr *sids,
     169             :                                uint32_t num_device_sids,
     170             :                                const struct auth_SidAttr *device_sids,
     171             :                                struct auth_claims auth_claims,
     172             :                                uint32_t session_info_flags,
     173             :                                struct security_token **token)
     174             : {
     175        2164 :         struct security_token *ptoken;
     176        2164 :         uint32_t i;
     177        2164 :         NTSTATUS status;
     178        2164 :         enum claims_evaluation_control evaluate_claims;
     179       94907 :         bool sids_are_valid = false;
     180       94907 :         bool device_sids_are_valid = false;
     181       94907 :         bool authentication_was_compounded = session_info_flags & AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION;
     182             : 
     183             :         /*
     184             :          * Some special-case callers can't supply the lp_ctx, but do
     185             :          * not interact with claims or conditional ACEs
     186             :          */
     187       94907 :         if (lp_ctx == NULL) {
     188        1254 :                 evaluate_claims = CLAIMS_EVALUATION_INVALID_STATE;
     189             :         } else {
     190       95817 :                 enum acl_claims_evaluation claims_evaultion_setting
     191       93653 :                         = lpcfg_acl_claims_evaluation(lp_ctx);
     192             : 
     193             :                 /*
     194             :                  * We are well inside the AD DC, so we do not need to check
     195             :                  * the server role etc
     196             :                  */
     197       93653 :                 switch (claims_evaultion_setting) {
     198       91489 :                 case ACL_CLAIMS_EVALUATION_AD_DC_ONLY:
     199       91489 :                         evaluate_claims = CLAIMS_EVALUATION_ALWAYS;
     200       91489 :                         break;
     201           0 :                 default:
     202           0 :                         evaluate_claims = CLAIMS_EVALUATION_NEVER;
     203             :                 }
     204             :         }
     205             : 
     206       94907 :         ptoken = security_token_initialise(mem_ctx, evaluate_claims);
     207       94907 :         NT_STATUS_HAVE_NO_MEMORY(ptoken);
     208             : 
     209       94907 :         if (num_sids > UINT32_MAX - 6) {
     210           0 :                 talloc_free(ptoken);
     211           0 :                 return NT_STATUS_INVALID_PARAMETER;
     212             :         }
     213       94907 :         ptoken->sids = talloc_array(ptoken, struct dom_sid, num_sids + 6 /* over-allocate */);
     214       94907 :         if (ptoken->sids == NULL) {
     215           0 :                 talloc_free(ptoken);
     216           0 :                 return NT_STATUS_NO_MEMORY;
     217             :         }
     218             : 
     219       94907 :         ptoken->num_sids = 0;
     220             : 
     221      804468 :         for (i = 0; i < num_sids; i++) {
     222             :                 uint32_t check_sid_idx;
     223      692349 :                 for (check_sid_idx = 0;
     224     4718524 :                      check_sid_idx < ptoken->num_sids;
     225     4008963 :                      check_sid_idx++) {
     226     4055888 :                         if (dom_sid_equal(&ptoken->sids[check_sid_idx], &sids[i].sid)) {
     227       45794 :                                 break;
     228             :                         }
     229             :                 }
     230             : 
     231      709561 :                 if (check_sid_idx == ptoken->num_sids) {
     232      662636 :                         const struct dom_sid *sid = &sids[i].sid;
     233             : 
     234      662636 :                         sids_are_valid = sids_are_valid || dom_sid_equal(
     235             :                                 sid, &global_sid_Claims_Valid);
     236      662636 :                         authentication_was_compounded = authentication_was_compounded || dom_sid_equal(
     237             :                                 sid, &global_sid_Compounded_Authentication);
     238             : 
     239      662636 :                         ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
     240      662636 :                         if (ptoken->sids == NULL) {
     241           0 :                                 talloc_free(ptoken);
     242           0 :                                 return NT_STATUS_NO_MEMORY;
     243             :                         }
     244             : 
     245      662636 :                         ptoken->sids[ptoken->num_sids] = *sid;
     246      662636 :                         ptoken->num_sids++;
     247             :                 }
     248             :         }
     249             : 
     250       94907 :         if (authentication_was_compounded && num_device_sids) {
     251         227 :                 ptoken->device_sids = talloc_array(ptoken, struct dom_sid, num_device_sids);
     252         227 :                 if (ptoken->device_sids == NULL) {
     253           0 :                         talloc_free(ptoken);
     254           0 :                         return NT_STATUS_NO_MEMORY;
     255             :                 }
     256        2006 :                 for (i = 0; i < num_device_sids; i++) {
     257             :                         uint32_t check_sid_idx;
     258        1779 :                         for (check_sid_idx = 0;
     259        6575 :                              check_sid_idx < ptoken->num_device_sids;
     260        4796 :                              check_sid_idx++) {
     261        5023 :                                 if (dom_sid_equal(&ptoken->device_sids[check_sid_idx], &device_sids[i].sid)) {
     262         227 :                                         break;
     263             :                                 }
     264             :                         }
     265             : 
     266        1779 :                         if (check_sid_idx == ptoken->num_device_sids) {
     267        1552 :                                 const struct dom_sid *device_sid = &device_sids[i].sid;
     268             : 
     269        1552 :                                 device_sids_are_valid = device_sids_are_valid || dom_sid_equal(
     270             :                                         device_sid, &global_sid_Claims_Valid);
     271             : 
     272        1552 :                                 ptoken->device_sids = talloc_realloc(ptoken,
     273             :                                                                      ptoken->device_sids,
     274             :                                                                      struct dom_sid,
     275             :                                                                      ptoken->num_device_sids + 1);
     276        1552 :                                 if (ptoken->device_sids == NULL) {
     277           0 :                                         talloc_free(ptoken);
     278           0 :                                         return NT_STATUS_NO_MEMORY;
     279             :                                 }
     280             : 
     281        1552 :                                 ptoken->device_sids[ptoken->num_device_sids] = *device_sid;
     282        1552 :                                 ptoken->num_device_sids++;
     283             :                         }
     284             :                 }
     285             :         }
     286             : 
     287             :         /* The caller may have requested simple privileges, for example if there isn't a local DB */
     288       94907 :         if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
     289             :                 /* Shortcuts to prevent recursion and avoid lookups */
     290       50951 :                 if (ptoken->sids == NULL) {
     291           0 :                         ptoken->privilege_mask = 0;
     292       50951 :                 } else if (security_token_is_system(ptoken)) {
     293        5728 :                         ptoken->privilege_mask = ~0;
     294       45223 :                 } else if (security_token_is_anonymous(ptoken)) {
     295       41796 :                         ptoken->privilege_mask = 0;
     296        3427 :                 } else if (security_token_has_builtin_administrators(ptoken)) {
     297        1259 :                         ptoken->privilege_mask = ~0;
     298             :                 } else {
     299             :                         /* All other 'users' get a empty priv set so far */
     300        2168 :                         ptoken->privilege_mask = 0;
     301             :                 }
     302             :         } else {
     303             :                 /* setup the privilege mask for this token */
     304       43956 :                 status = samdb_privilege_setup(lp_ctx, ptoken);
     305       43956 :                 if (!NT_STATUS_IS_OK(status)) {
     306           0 :                         talloc_free(ptoken);
     307           0 :                         DEBUG(1,("Unable to access privileges database\n"));
     308           0 :                         return status;
     309             :                 }
     310             :         }
     311             : 
     312             :         /*
     313             :          * TODO: we might want to regard ‘session_info_flags’ for the device
     314             :          * SIDs as well as for the client SIDs.
     315             :          */
     316             : 
     317       94907 :         if (sids_are_valid) {
     318       33052 :                 status = claims_data_security_claims(ptoken,
     319             :                                                      auth_claims.user_claims,
     320             :                                                      &ptoken->user_claims,
     321             :                                                      &ptoken->num_user_claims);
     322       33052 :                 if (!NT_STATUS_IS_OK(status)) {
     323          16 :                         talloc_free(ptoken);
     324          16 :                         return status;
     325             :                 }
     326             :         }
     327             : 
     328       94891 :         if (device_sids_are_valid && authentication_was_compounded) {
     329         195 :                 status = claims_data_security_claims(ptoken,
     330             :                                                      auth_claims.device_claims,
     331             :                                                      &ptoken->device_claims,
     332             :                                                      &ptoken->num_device_claims);
     333         195 :                 if (!NT_STATUS_IS_OK(status)) {
     334           0 :                         talloc_free(ptoken);
     335           0 :                         return status;
     336             :                 }
     337             :         }
     338             : 
     339       94891 :         security_token_debug(0, 10, ptoken);
     340             : 
     341       94891 :         *token = ptoken;
     342             : 
     343       94891 :         return NT_STATUS_OK;
     344             : }

Generated by: LCOV version 1.14