diff options
author | Andrew Bartlett <abartlet@samba.org> | 2015-08-19 13:26:41 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2015-10-26 05:11:21 +0100 |
commit | 4b25650577cd5c20729f3405c64c20ddf71b0ae3 (patch) | |
tree | cd8dfc1d539815b66268bd059be3896a02b828da | |
parent | 6d301ad1c9ff0f1ccd4f97bd5f234b10707a15bf (diff) | |
download | samba-4b25650577cd5c20729f3405c64c20ddf71b0ae3.tar.gz |
repl: Give an error if we get a secret when not expecting one
We should never get a secret from a server when we specify DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
This asserts that this is the case.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
-rw-r--r-- | libcli/drsuapi/drsuapi.h | 1 | ||||
-rw-r--r-- | libcli/drsuapi/repl_decrypt.c | 6 | ||||
-rw-r--r-- | source3/libnet/libnet_dssync.c | 1 | ||||
-rw-r--r-- | source4/dsdb/repl/drepl_out_helpers.c | 3 | ||||
-rw-r--r-- | source4/dsdb/repl/replicated_objects.c | 23 | ||||
-rw-r--r-- | source4/dsdb/samdb/samdb.h | 1 | ||||
-rw-r--r-- | source4/libnet/libnet_vampire.c | 7 |
7 files changed, 38 insertions, 4 deletions
diff --git a/libcli/drsuapi/drsuapi.h b/libcli/drsuapi/drsuapi.h index a4fb15fa49d..7c6cf2f69fb 100644 --- a/libcli/drsuapi/drsuapi.h +++ b/libcli/drsuapi/drsuapi.h @@ -29,6 +29,7 @@ WERROR drsuapi_decrypt_attribute_value(TALLOC_CTX *mem_ctx, WERROR drsuapi_decrypt_attribute(TALLOC_CTX *mem_ctx, const DATA_BLOB *gensec_skey, uint32_t rid, + uint32_t dsdb_repl_flags, struct drsuapi_DsReplicaAttribute *attr); diff --git a/libcli/drsuapi/repl_decrypt.c b/libcli/drsuapi/repl_decrypt.c index 00b8db8abc0..4a2a28f27ff 100644 --- a/libcli/drsuapi/repl_decrypt.c +++ b/libcli/drsuapi/repl_decrypt.c @@ -28,6 +28,7 @@ #include "../lib/crypto/crypto.h" #include "../libcli/drsuapi/drsuapi.h" #include "libcli/auth/libcli_auth.h" +#include "dsdb/samdb/samdb.h" WERROR drsuapi_decrypt_attribute_value(TALLOC_CTX *mem_ctx, const DATA_BLOB *gensec_skey, @@ -134,6 +135,7 @@ WERROR drsuapi_decrypt_attribute_value(TALLOC_CTX *mem_ctx, WERROR drsuapi_decrypt_attribute(TALLOC_CTX *mem_ctx, const DATA_BLOB *gensec_skey, uint32_t rid, + uint32_t dsdb_repl_flags, struct drsuapi_DsReplicaAttribute *attr) { WERROR status; @@ -164,6 +166,10 @@ WERROR drsuapi_decrypt_attribute(TALLOC_CTX *mem_ctx, return WERR_OK; } + if (dsdb_repl_flags & DSDB_REPL_FLAG_EXPECT_NO_SECRETS) { + return WERR_TOO_MANY_SECRETS; + } + if (attr->value_ctr.num_values > 1) { return WERR_DS_DRA_INVALID_PARAMETER; } diff --git a/source3/libnet/libnet_dssync.c b/source3/libnet/libnet_dssync.c index 94f06285a89..267709e3c11 100644 --- a/source3/libnet/libnet_dssync.c +++ b/source3/libnet/libnet_dssync.c @@ -113,6 +113,7 @@ static void libnet_dssync_decrypt_attributes(TALLOC_CTX *mem_ctx, drsuapi_decrypt_attribute(mem_ctx, session_key, rid, + 0, attr); } } diff --git a/source4/dsdb/repl/drepl_out_helpers.c b/source4/dsdb/repl/drepl_out_helpers.c index a0478813681..a1e8dcbb244 100644 --- a/source4/dsdb/repl/drepl_out_helpers.c +++ b/source4/dsdb/repl/drepl_out_helpers.c @@ -740,6 +740,9 @@ static void dreplsrv_op_pull_source_apply_changes_trigger(struct tevent_req *req if (state->op->options & DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS) { dsdb_repl_flags |= DSDB_REPL_FLAG_PRIORITISE_INCOMING; } + if (state->op->options & DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING) { + dsdb_repl_flags |= DSDB_REPL_FLAG_EXPECT_NO_SECRETS; + } status = dsdb_replicated_objects_convert(service->samdb, working_schema ? working_schema : schema, diff --git a/source4/dsdb/repl/replicated_objects.c b/source4/dsdb/repl/replicated_objects.c index df880ad7373..1afdb36f70d 100644 --- a/source4/dsdb/repl/replicated_objects.c +++ b/source4/dsdb/repl/replicated_objects.c @@ -347,7 +347,7 @@ WERROR dsdb_convert_object_ex(struct ldb_context *ldb, struct dsdb_extended_replicated_object *out) { NTSTATUS nt_status; - WERROR status; + WERROR status = WERR_OK; uint32_t i; struct ldb_message *msg; struct replPropertyMetaDataBlob *md; @@ -444,8 +444,25 @@ WERROR dsdb_convert_object_ex(struct ldb_context *ldb, } for (j=0; j<a->value_ctr.num_values; j++) { - status = drsuapi_decrypt_attribute(a->value_ctr.values[j].blob, gensec_skey, rid, a); - W_ERROR_NOT_OK_RETURN(status); + status = drsuapi_decrypt_attribute(a->value_ctr.values[j].blob, + gensec_skey, rid, + dsdb_repl_flags, a); + if (!W_ERROR_IS_OK(status)) { + break; + } + } + if (W_ERROR_EQUAL(status, WERR_TOO_MANY_SECRETS)) { + WERROR get_name_status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, pfm_remote, + a, msg->elements, e); + if (W_ERROR_IS_OK(get_name_status)) { + DEBUG(0, ("Unxpectedly got secret value %s on %s from DRS server\n", + e->name, ldb_dn_get_linearized(msg->dn))); + } else { + DEBUG(0, ("Unxpectedly got secret value on %s from DRS server", + ldb_dn_get_linearized(msg->dn))); + } + } else if (!W_ERROR_IS_OK(status)) { + return status; } status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, pfm_remote, diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h index 324045a9329..0a1d90d8b40 100644 --- a/source4/dsdb/samdb/samdb.h +++ b/source4/dsdb/samdb/samdb.h @@ -62,6 +62,7 @@ struct dsdb_control_current_partition { #define DSDB_REPL_FLAG_PRIORITISE_INCOMING 1 #define DSDB_REPL_FLAG_PARTIAL_REPLICA 2 #define DSDB_REPL_FLAG_ADD_NCNAME 4 +#define DSDB_REPL_FLAG_EXPECT_NO_SECRETS 8 #define DSDB_CONTROL_REPLICATED_UPDATE_OID "1.3.6.1.4.1.7165.4.3.3" diff --git a/source4/libnet/libnet_vampire.c b/source4/libnet/libnet_vampire.c index 1c3403fdb1c..1d649fc33d0 100644 --- a/source4/libnet/libnet_vampire.c +++ b/source4/libnet/libnet_vampire.c @@ -553,6 +553,7 @@ NTSTATUS libnet_vampire_cb_store_chunk(void *private_data, const struct drsuapi_DsReplicaCursor2CtrEx *uptodateness_vector; struct dsdb_extended_replicated_objects *objs; uint32_t req_replica_flags; + uint32_t dsdb_repl_flags = 0; struct repsFromTo1 *s_dsa; char *tmp_dns_name; uint32_t i; @@ -679,6 +680,10 @@ NTSTATUS libnet_vampire_cb_store_chunk(void *private_data, return NT_STATUS_INTERNAL_ERROR; } + if (req_replica_flags & DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING) { + dsdb_repl_flags |= DSDB_REPL_FLAG_EXPECT_NO_SECRETS; + } + status = dsdb_replicated_objects_convert(s->ldb, schema, c->partition->nc.dn, @@ -690,7 +695,7 @@ NTSTATUS libnet_vampire_cb_store_chunk(void *private_data, s_dsa, uptodateness_vector, c->gensec_skey, - 0, + dsdb_repl_flags, s, &objs); if (!W_ERROR_IS_OK(status)) { DEBUG(0,("Failed to convert objects: %s\n", win_errstr(status))); |