2
Unix SMB/CIFS mplementation.
3
Helper functions for applying replicated objects
5
Copyright (C) Stefan Metzmacher <metze@samba.org> 2007
7
This program is free software; you can redistribute it and/or modify
8
it under the terms of the GNU General Public License as published by
9
the Free Software Foundation; either version 3 of the License, or
10
(at your option) any later version.
12
This program is distributed in the hope that it will be useful,
13
but WITHOUT ANY WARRANTY; without even the implied warranty of
14
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
GNU General Public License for more details.
17
You should have received a copy of the GNU General Public License
18
along with this program. If not, see <http://www.gnu.org/licenses/>.
23
#include "dsdb/samdb/samdb.h"
24
#include "lib/ldb/include/ldb_errors.h"
25
#include "../lib/util/dlinklist.h"
26
#include "librpc/gen_ndr/ndr_misc.h"
27
#include "librpc/gen_ndr/ndr_drsuapi.h"
28
#include "librpc/gen_ndr/ndr_drsblobs.h"
29
#include "../lib/crypto/crypto.h"
30
#include "libcli/auth/libcli_auth.h"
31
#include "param/param.h"
33
static WERROR dsdb_decrypt_attribute_value(TALLOC_CTX *mem_ctx,
34
const DATA_BLOB *gensec_skey,
43
struct MD5Context md5;
51
DATA_BLOB checked_buffer;
53
DATA_BLOB plain_buffer;
56
* users with rid == 0 should not exist
58
if (rid_crypt && rid == 0) {
59
return WERR_DS_DRA_INVALID_PARAMETER;
63
* the first 16 bytes at the beginning are the confounder
64
* followed by the 4 byte crc32 checksum
66
if (in->length < 20) {
67
return WERR_DS_DRA_INVALID_PARAMETER;
69
confounder = data_blob_const(in->data, 16);
70
enc_buffer = data_blob_const(in->data + 16, in->length - 16);
73
* build the encryption key md5 over the session key followed
76
* here the gensec session key is used and
77
* not the dcerpc ncacn_ip_tcp "SystemLibraryDTC" key!
79
enc_key = data_blob_const(_enc_key, sizeof(_enc_key));
81
MD5Update(&md5, gensec_skey->data, gensec_skey->length);
82
MD5Update(&md5, confounder.data, confounder.length);
83
MD5Final(enc_key.data, &md5);
86
* copy the encrypted buffer part and
87
* decrypt it using the created encryption key using arcfour
89
dec_buffer = data_blob_const(enc_buffer.data, enc_buffer.length);
90
arcfour_crypt_blob(dec_buffer.data, dec_buffer.length, &enc_key);
93
* the first 4 byte are the crc32 checksum
94
* of the remaining bytes
96
crc32_given = IVAL(dec_buffer.data, 0);
97
crc32_calc = crc32_calc_buffer(dec_buffer.data + 4 , dec_buffer.length - 4);
98
if (crc32_given != crc32_calc) {
99
return WERR_SEC_E_DECRYPT_FAILURE;
101
checked_buffer = data_blob_const(dec_buffer.data + 4, dec_buffer.length - 4);
103
plain_buffer = data_blob_talloc(mem_ctx, checked_buffer.data, checked_buffer.length);
104
W_ERROR_HAVE_NO_MEMORY(plain_buffer.data);
107
* The following rid_crypt obfuscation isn't session specific
108
* and not really needed here, because we allways know the rid of the
111
* But for the rest of samba it's easier when we remove this static
115
uint32_t i, num_hashes;
117
if ((checked_buffer.length % 16) != 0) {
118
return WERR_DS_DRA_INVALID_PARAMETER;
121
num_hashes = plain_buffer.length / 16;
122
for (i = 0; i < num_hashes; i++) {
123
uint32_t offset = i * 16;
124
sam_rid_crypt(rid, checked_buffer.data + offset, plain_buffer.data + offset, 0);
132
static WERROR dsdb_decrypt_attribute(const DATA_BLOB *gensec_skey,
134
struct drsuapi_DsReplicaAttribute *attr)
139
DATA_BLOB plain_data;
140
bool rid_crypt = false;
142
if (attr->value_ctr.num_values == 0) {
146
switch (attr->attid) {
147
case DRSUAPI_ATTRIBUTE_dBCSPwd:
148
case DRSUAPI_ATTRIBUTE_unicodePwd:
149
case DRSUAPI_ATTRIBUTE_ntPwdHistory:
150
case DRSUAPI_ATTRIBUTE_lmPwdHistory:
153
case DRSUAPI_ATTRIBUTE_supplementalCredentials:
154
case DRSUAPI_ATTRIBUTE_priorValue:
155
case DRSUAPI_ATTRIBUTE_currentValue:
156
case DRSUAPI_ATTRIBUTE_trustAuthOutgoing:
157
case DRSUAPI_ATTRIBUTE_trustAuthIncoming:
158
case DRSUAPI_ATTRIBUTE_initialAuthOutgoing:
159
case DRSUAPI_ATTRIBUTE_initialAuthIncoming:
165
if (attr->value_ctr.num_values > 1) {
166
return WERR_DS_DRA_INVALID_PARAMETER;
169
if (!attr->value_ctr.values[0].blob) {
170
return WERR_DS_DRA_INVALID_PARAMETER;
173
mem_ctx = attr->value_ctr.values[0].blob;
174
enc_data = attr->value_ctr.values[0].blob;
176
status = dsdb_decrypt_attribute_value(mem_ctx,
182
W_ERROR_NOT_OK_RETURN(status);
184
talloc_free(attr->value_ctr.values[0].blob->data);
185
*attr->value_ctr.values[0].blob = plain_data;
190
static WERROR dsdb_convert_object(struct ldb_context *ldb,
191
const struct dsdb_schema *schema,
192
struct dsdb_extended_replicated_objects *ctr,
193
const struct drsuapi_DsReplicaObjectListItemEx *in,
194
const DATA_BLOB *gensec_skey,
196
struct dsdb_extended_replicated_object *out)
199
enum ndr_err_code ndr_err;
202
struct ldb_message *msg;
203
struct replPropertyMetaDataBlob *md;
204
struct ldb_val guid_value;
205
NTTIME whenChanged = 0;
206
time_t whenChanged_t;
207
const char *whenChanged_s;
208
const char *rdn_name = NULL;
209
const struct ldb_val *rdn_value = NULL;
210
const struct dsdb_attribute *rdn_attr = NULL;
212
struct drsuapi_DsReplicaAttribute *name_a = NULL;
213
struct drsuapi_DsReplicaMetaData *name_d = NULL;
214
struct replPropertyMetaData1 *rdn_m = NULL;
215
struct dom_sid *sid = NULL;
219
if (!in->object.identifier) {
223
if (!in->object.identifier->dn || !in->object.identifier->dn[0]) {
227
if (in->object.attribute_ctr.num_attributes != 0 && !in->meta_data_ctr) {
231
if (in->object.attribute_ctr.num_attributes != in->meta_data_ctr->count) {
235
sid = &in->object.identifier->sid;
236
if (sid->num_auths > 0) {
237
rid = sid->sub_auths[sid->num_auths - 1];
240
msg = ldb_msg_new(mem_ctx);
241
W_ERROR_HAVE_NO_MEMORY(msg);
243
msg->dn = ldb_dn_new(msg, ldb, in->object.identifier->dn);
244
W_ERROR_HAVE_NO_MEMORY(msg->dn);
246
rdn_name = ldb_dn_get_rdn_name(msg->dn);
247
rdn_attr = dsdb_attribute_by_lDAPDisplayName(schema, rdn_name);
251
rdn_attid = rdn_attr->attributeID_id;
252
rdn_value = ldb_dn_get_rdn_val(msg->dn);
254
msg->num_elements = in->object.attribute_ctr.num_attributes;
255
msg->elements = talloc_array(msg, struct ldb_message_element,
257
W_ERROR_HAVE_NO_MEMORY(msg->elements);
259
md = talloc(mem_ctx, struct replPropertyMetaDataBlob);
260
W_ERROR_HAVE_NO_MEMORY(md);
264
md->ctr.ctr1.count = in->meta_data_ctr->count;
265
md->ctr.ctr1.reserved = 0;
266
md->ctr.ctr1.array = talloc_array(mem_ctx,
267
struct replPropertyMetaData1,
268
md->ctr.ctr1.count + 1); /* +1 because of the RDN attribute */
269
W_ERROR_HAVE_NO_MEMORY(md->ctr.ctr1.array);
271
for (i=0; i < in->meta_data_ctr->count; i++) {
272
struct drsuapi_DsReplicaAttribute *a;
273
struct drsuapi_DsReplicaMetaData *d;
274
struct replPropertyMetaData1 *m;
275
struct ldb_message_element *e;
277
a = &in->object.attribute_ctr.attributes[i];
278
d = &in->meta_data_ctr->meta_data[i];
279
m = &md->ctr.ctr1.array[i];
280
e = &msg->elements[i];
282
status = dsdb_decrypt_attribute(gensec_skey, rid, a);
283
W_ERROR_NOT_OK_RETURN(status);
285
status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, a, msg->elements, e);
286
W_ERROR_NOT_OK_RETURN(status);
289
m->version = d->version;
290
m->originating_change_time = d->originating_change_time;
291
m->originating_invocation_id = d->originating_invocation_id;
292
m->originating_usn = d->originating_usn;
295
if (d->originating_change_time > whenChanged) {
296
whenChanged = d->originating_change_time;
299
if (a->attid == DRSUAPI_ATTRIBUTE_name) {
302
rdn_m = &md->ctr.ctr1.array[md->ctr.ctr1.count];
307
ret = ldb_msg_add_value(msg, rdn_attr->lDAPDisplayName, rdn_value, NULL);
308
if (ret != LDB_SUCCESS) {
312
rdn_m->attid = rdn_attid;
313
rdn_m->version = name_d->version;
314
rdn_m->originating_change_time = name_d->originating_change_time;
315
rdn_m->originating_invocation_id = name_d->originating_invocation_id;
316
rdn_m->originating_usn = name_d->originating_usn;
317
rdn_m->local_usn = 0;
318
md->ctr.ctr1.count++;
322
whenChanged_t = nt_time_to_unix(whenChanged);
323
whenChanged_s = ldb_timestring(msg, whenChanged_t);
324
W_ERROR_HAVE_NO_MEMORY(whenChanged_s);
326
ndr_err = ndr_push_struct_blob(&guid_value, msg,
327
lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
328
&in->object.identifier->guid,
329
(ndr_push_flags_fn_t)ndr_push_GUID);
330
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
331
nt_status = ndr_map_error2ntstatus(ndr_err);
332
return ntstatus_to_werror(nt_status);
336
out->guid_value = guid_value;
337
out->when_changed = whenChanged_s;
342
WERROR dsdb_extended_replicated_objects_commit(struct ldb_context *ldb,
343
const char *partition_dn,
344
const struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr,
345
uint32_t object_count,
346
const struct drsuapi_DsReplicaObjectListItemEx *first_object,
347
uint32_t linked_attributes_count,
348
const struct drsuapi_DsReplicaLinkedAttribute *linked_attributes,
349
const struct repsFromTo1 *source_dsa,
350
const struct drsuapi_DsReplicaCursor2CtrEx *uptodateness_vector,
351
const DATA_BLOB *gensec_skey,
353
struct dsdb_extended_replicated_objects **_out)
356
const struct dsdb_schema *schema;
357
struct dsdb_extended_replicated_objects *out;
358
struct ldb_result *ext_res;
359
const struct drsuapi_DsReplicaObjectListItemEx *cur;
363
schema = dsdb_get_schema(ldb);
365
return WERR_DS_SCHEMA_NOT_LOADED;
368
status = dsdb_verify_oid_mappings_drsuapi(schema, mapping_ctr);
369
W_ERROR_NOT_OK_RETURN(status);
371
out = talloc_zero(mem_ctx, struct dsdb_extended_replicated_objects);
372
W_ERROR_HAVE_NO_MEMORY(out);
373
out->version = DSDB_EXTENDED_REPLICATED_OBJECTS_VERSION;
375
out->partition_dn = ldb_dn_new(out, ldb, partition_dn);
376
W_ERROR_HAVE_NO_MEMORY(out->partition_dn);
378
out->source_dsa = source_dsa;
379
out->uptodateness_vector= uptodateness_vector;
381
out->num_objects = object_count;
382
out->objects = talloc_array(out,
383
struct dsdb_extended_replicated_object,
385
W_ERROR_HAVE_NO_MEMORY(out->objects);
387
for (i=0, cur = first_object; cur; cur = cur->next_object, i++) {
388
if (i == out->num_objects) {
392
status = dsdb_convert_object(ldb, schema, out, cur, gensec_skey, out->objects, &out->objects[i]);
393
W_ERROR_NOT_OK_RETURN(status);
395
if (i != out->num_objects) {
399
/* TODO: handle linked attributes */
401
ret = ldb_extended(ldb, DSDB_EXTENDED_REPLICATED_OBJECTS_OID, out, &ext_res);
402
if (ret != LDB_SUCCESS) {
403
DEBUG(0,("Failed to apply records: %s: %s\n",
404
ldb_errstring(ldb), ldb_strerror(ret)));
408
talloc_free(ext_res);