diff options
Diffstat (limited to 'src/providers/ad/ad_gpo.c')
-rw-r--r-- | src/providers/ad/ad_gpo.c | 102 |
1 files changed, 77 insertions, 25 deletions
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c index ca8a5f66c..168ed2d7e 100644 --- a/src/providers/ad/ad_gpo.c +++ b/src/providers/ad/ad_gpo.c @@ -42,6 +42,8 @@ #include "providers/ldap/sdap_access.h" #include "providers/ldap/sdap_async.h" #include "providers/ldap/sdap.h" +#include "providers/ldap/sdap_idmap.h" +#include "util/util_sss_idmap.h" #include <ndr.h> #include <gen_ndr/security.h> @@ -63,7 +65,6 @@ #define UAC_WORKSTATION_TRUST_ACCOUNT 0x00001000 #define AD_AGP_GUID "edacfd8f-ffb3-11d1-b41d-00a0c968f939" #define AD_AUTHENTICATED_USERS_SID "S-1-5-11" -#define SID_MAX_LEN 1024 /* == common data structures and declarations ============================= */ @@ -123,6 +124,43 @@ int ad_gpo_process_gpo_recv(struct tevent_req *req, /* == ad_gpo_access_send/recv helpers =======================================*/ +static bool +ad_gpo_dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2) +{ + int i; + + if (sid1 == sid2) { + return true; + } + + if (!sid1 || !sid2) { + return false; + } + + if (sid1->sid_rev_num != sid2->sid_rev_num) { + return false; + } + + for (i = 0; i < 6; i++) { + if (sid1->id_auth[i] != sid2->id_auth[i]) { + return false; + } + } + + if (sid1->num_auths != sid2->num_auths) { + return false; + } + + for (i = 0; i < sid1->num_auths; i++) { + if (sid1->sub_auths[i] != sid2->sub_auths[i]) { + return false; + } + } + + return true; +} + + /* * This function retrieves the SIDs corresponding to the input user and returns * the user_sid, group_sids, and group_size in their respective output params. @@ -207,10 +245,6 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx, return ret; } -bool string_to_sid(struct dom_sid *sidout, const char *sidstr); -int dom_sid_string_buf(const struct dom_sid *sid, char *buf, int buflen); -bool dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2); - /* * This function determines whether the input ACE includes any of the * client's SIDs. The boolean result is assigned to the _included output param. @@ -220,34 +254,40 @@ ad_gpo_ace_includes_client_sid(const char *user_sid, const char **group_sids, int group_size, struct security_ace *ace, + struct sss_idmap_ctx *idmap_ctx, bool *_included) { int i = 0; struct dom_sid ace_dom_sid; - struct dom_sid user_dom_sid; - struct dom_sid group_dom_sid; - char buf[SID_MAX_LEN + 1]; + struct dom_sid *user_dom_sid; + struct dom_sid *group_dom_sid; + enum idmap_error_code err; + bool included = false; ace_dom_sid = ace->trustee; - dom_sid_string_buf(&ace_dom_sid, buf, SID_MAX_LEN); - - if (!string_to_sid(&user_dom_sid, user_sid)) { - DEBUG(SSSDBG_OP_FAILURE, "string_to_sid failed\n"); - return EINVAL; + err = sss_idmap_sid_to_smb_sid(idmap_ctx, user_sid, &user_dom_sid); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize idmap context.\n"); + return EFAULT; } - if (dom_sid_equal(&ace_dom_sid, &user_dom_sid)) { + included = ad_gpo_dom_sid_equal(&ace_dom_sid, user_dom_sid); + sss_idmap_free_smb_sid(idmap_ctx, user_dom_sid); + if (included) { *_included = true; return EOK; } for (i = 0; i < group_size; i++) { - if (!string_to_sid(&group_dom_sid, group_sids[i])) { - DEBUG(SSSDBG_OP_FAILURE, "string_to_sid failed\n"); - return EINVAL; + err = sss_idmap_sid_to_smb_sid(idmap_ctx, group_sids[i], &group_dom_sid); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize idmap context.\n"); + return EFAULT; } - if (dom_sid_equal(&ace_dom_sid, &group_dom_sid)) { + included = ad_gpo_dom_sid_equal(&ace_dom_sid, group_dom_sid); + sss_idmap_free_smb_sid(idmap_ctx, group_dom_sid); + if (included) { *_included = true; return EOK; } @@ -286,6 +326,7 @@ ad_gpo_ace_includes_client_sid(const char *user_sid, * AGP, then deny the requested control access right. Stop access checking. */ static enum ace_eval_status ad_gpo_evaluate_ace(struct security_ace *ace, + struct sss_idmap_ctx *idmap_ctx, const char *user_sid, const char **group_sids, int group_size) @@ -301,7 +342,7 @@ static enum ace_eval_status ad_gpo_evaluate_ace(struct security_ace *ace, } ret = ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size, ace, - &included); + idmap_ctx, &included); if (ret != EOK) { return AD_GPO_ACE_DENIED; } @@ -342,6 +383,7 @@ static enum ace_eval_status ad_gpo_evaluate_ace(struct security_ace *ace, * The boolean result is assigned to the _access_allowed output parameter. */ static errno_t ad_gpo_evaluate_dacl(struct security_acl *dacl, + struct sss_idmap_ctx *idmap_ctx, const char *user_sid, const char **group_sids, int group_size, @@ -367,7 +409,8 @@ static errno_t ad_gpo_evaluate_dacl(struct security_acl *dacl, for (i = 0; i < dacl->num_aces; i ++) { ace = &dacl->aces[i]; - ace_status = ad_gpo_evaluate_ace(ace, user_sid, group_sids, group_size); + ace_status = ad_gpo_evaluate_ace(ace, idmap_ctx, user_sid, + group_sids, group_size); switch (ace_status) { case AD_GPO_ACE_NEUTRAL: @@ -396,6 +439,7 @@ static errno_t ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx, const char *user, struct sss_domain_info *domain, + struct sss_idmap_ctx *idmap_ctx, struct gp_gpo **candidate_gpos, int num_candidate_gpos, struct gp_gpo ***_dacl_filtered_gpos, @@ -474,7 +518,7 @@ ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx, break; } - ad_gpo_evaluate_dacl(dacl, user_sid, group_sids, + ad_gpo_evaluate_dacl(dacl, idmap_ctx, user_sid, group_sids, group_size, &access_allowed); if (access_allowed) { DEBUG(SSSDBG_TRACE_ALL, @@ -707,7 +751,6 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq) ret, sss_strerror(ret)); goto done; } - state->target_dn = talloc_steal(state, target_dn); if (state->target_dn == NULL) { ret = ENOMEM; @@ -831,6 +874,7 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq) } ret = ad_gpo_filter_gpos_by_dacl(state, state->user, state->domain, + state->opts->idmap_ctx->map, candidate_gpos, num_candidate_gpos, &state->dacl_filtered_gpos, &state->num_dacl_filtered_gpos); @@ -1878,8 +1922,8 @@ ad_gpo_parse_machine_ext_names(TALLOC_CTX *mem_ctx, } enum ndr_err_code -ndr_pull_security_descriptor(struct ndr_pull *ndr, int ndr_flags, - struct security_descriptor *r); +ad_gpo_ndr_pull_security_descriptor(struct ndr_pull *ndr, int ndr_flags, + struct security_descriptor *r); /* * This function parses the input data blob and assigns the resulting @@ -1894,6 +1938,7 @@ static errno_t ad_gpo_parse_sd(TALLOC_CTX *mem_ctx, struct ndr_pull *ndr_pull = NULL; struct security_descriptor sd; DATA_BLOB blob; + enum ndr_err_code ndr_err; blob.data = data; blob.length = length; @@ -1904,7 +1949,14 @@ static errno_t ad_gpo_parse_sd(TALLOC_CTX *mem_ctx, return EINVAL; } - ndr_pull_security_descriptor(ndr_pull, NDR_SCALARS|NDR_BUFFERS, &sd); + ndr_err = ad_gpo_ndr_pull_security_descriptor(ndr_pull, + NDR_SCALARS|NDR_BUFFERS, + &sd); + + if (ndr_err != NDR_ERR_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to pull security descriptor\n"); + return EINVAL; + } *_gpo_sd = talloc_memdup(mem_ctx, &sd, sizeof(struct security_descriptor)); |