Line data Source code
1 : /*
2 : Unix SMB/CIFS Implementation.
3 :
4 : DSDB replication service - repl secret handling
5 :
6 : Copyright (C) Andrew Tridgell 2010
7 : Copyright (C) Andrew Bartlett 2010
8 :
9 : This program is free software; you can redistribute it and/or modify
10 : it under the terms of the GNU General Public License as published by
11 : the Free Software Foundation; either version 3 of the License, or
12 : (at your option) any later version.
13 :
14 : This program is distributed in the hope that it will be useful,
15 : but WITHOUT ANY WARRANTY; without even the implied warranty of
16 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 : GNU General Public License for more details.
18 :
19 : You should have received a copy of the GNU General Public License
20 : along with this program. If not, see <http://www.gnu.org/licenses/>.
21 :
22 : */
23 :
24 : #include "includes.h"
25 : #include "ldb_module.h"
26 : #include "dsdb/samdb/samdb.h"
27 : #include "samba/service.h"
28 : #include "dsdb/repl/drepl_service.h"
29 : #include "param/param.h"
30 :
31 : #undef DBGC_CLASS
32 : #define DBGC_CLASS DBGC_DRS_REPL
33 :
34 : struct repl_secret_state {
35 : const char *user_dn;
36 : };
37 :
38 : /*
39 : called when a repl secret has completed
40 : */
41 1850 : static void drepl_repl_secret_callback(struct dreplsrv_service *service,
42 : WERROR werr,
43 : enum drsuapi_DsExtendedError ext_err,
44 : void *cb_data)
45 : {
46 1850 : struct repl_secret_state *state = talloc_get_type_abort(cb_data, struct repl_secret_state);
47 1850 : if (!W_ERROR_IS_OK(werr)) {
48 1850 : if (W_ERROR_EQUAL(werr, WERR_DS_DRA_SECRETS_DENIED)) {
49 1305 : DEBUG(3,(__location__ ": repl secret disallowed for user "
50 : "%s - not in allowed replication group\n",
51 : state->user_dn));
52 : } else {
53 545 : DEBUG(3,(__location__ ": repl secret failed for user %s - %s: extended_ret[0x%X]\n",
54 : state->user_dn, win_errstr(werr), ext_err));
55 : }
56 : } else {
57 0 : DEBUG(3,(__location__ ": repl secret completed OK for '%s'\n", state->user_dn));
58 : }
59 1850 : talloc_free(state);
60 1850 : }
61 :
62 :
63 : /**
64 : * Called when the auth code wants us to try and replicate
65 : * a users secrets
66 : */
67 1850 : void drepl_repl_secret(struct dreplsrv_service *service,
68 : const char *user_dn)
69 : {
70 0 : WERROR werr;
71 0 : struct ldb_dn *nc_dn, *nc_root, *source_dsa_dn;
72 0 : struct dreplsrv_partition *p;
73 0 : struct GUID *source_dsa_guid;
74 0 : struct repl_secret_state *state;
75 0 : int ret;
76 :
77 1850 : state = talloc_zero(service, struct repl_secret_state);
78 1850 : if (state == NULL) {
79 : /* nothing to do, no return value */
80 0 : return;
81 : }
82 :
83 : /* keep a copy for logging in the callback */
84 1850 : state->user_dn = talloc_strdup(state, user_dn);
85 :
86 1850 : nc_dn = ldb_dn_new(state, service->samdb, user_dn);
87 1850 : if (!ldb_dn_validate(nc_dn)) {
88 0 : DEBUG(0,(__location__ ": Failed to parse user_dn '%s'\n", user_dn));
89 0 : talloc_free(state);
90 0 : return;
91 : }
92 :
93 : /* work out which partition this is in */
94 1850 : ret = dsdb_find_nc_root(service->samdb, state, nc_dn, &nc_root);
95 1850 : if (ret != LDB_SUCCESS) {
96 0 : DEBUG(0,(__location__ ": Failed to find nc_root for user_dn '%s'\n", user_dn));
97 0 : talloc_free(state);
98 0 : return;
99 : }
100 :
101 : /* find the partition in our list */
102 7400 : for (p=service->partitions; p; p=p->next) {
103 7400 : if (ldb_dn_compare(p->dn, nc_root) == 0) {
104 1850 : break;
105 : }
106 : }
107 1850 : if (p == NULL) {
108 0 : DEBUG(0,(__location__ ": Failed to find partition for nc_root '%s'\n", ldb_dn_get_linearized(nc_root)));
109 0 : talloc_free(state);
110 0 : return;
111 : }
112 :
113 1850 : if (p->sources == NULL) {
114 0 : DEBUG(0,(__location__ ": No sources for nc_root '%s' for user_dn '%s'\n",
115 : ldb_dn_get_linearized(nc_root), user_dn));
116 0 : talloc_free(state);
117 0 : return;
118 : }
119 :
120 : /* use the first source, for no particularly good reason */
121 1850 : source_dsa_guid = &p->sources->repsFrom1->source_dsa_obj_guid;
122 :
123 1850 : source_dsa_dn = ldb_dn_new(state, service->samdb,
124 1850 : talloc_asprintf(state, "<GUID=%s>",
125 : GUID_string(state, source_dsa_guid)));
126 1850 : if (!ldb_dn_validate(source_dsa_dn)) {
127 0 : DEBUG(0,(__location__ ": Invalid source DSA GUID '%s' for user_dn '%s'\n",
128 : GUID_string(state, source_dsa_guid), user_dn));
129 0 : talloc_free(state);
130 0 : return;
131 : }
132 :
133 1850 : werr = drepl_request_extended_op(service,
134 : nc_dn,
135 : source_dsa_dn,
136 : DRSUAPI_EXOP_REPL_SECRET,
137 : 0,
138 1850 : p->sources->repsFrom1->highwatermark.highest_usn,
139 : drepl_repl_secret_callback, state);
140 1850 : if (!W_ERROR_IS_OK(werr)) {
141 0 : DEBUG(2,(__location__ ": Failed to setup secret replication for user_dn '%s'\n", user_dn));
142 0 : talloc_free(state);
143 0 : return;
144 : }
145 1850 : DEBUG(3,(__location__ ": started secret replication for %s\n", user_dn));
146 : }
|