|
Lines 63-68
struct dlz_bind9_data {
|
| 63 |
struct smb_krb5_context *smb_krb5_ctx; |
63 |
struct smb_krb5_context *smb_krb5_ctx; |
| 64 |
struct auth4_context *auth_context; |
64 |
struct auth4_context *auth_context; |
| 65 |
struct auth_session_info *session_info; |
65 |
struct auth_session_info *session_info; |
|
|
66 |
bool is_system_session; |
| 66 |
char *update_name; |
67 |
char *update_name; |
| 67 |
|
68 |
|
| 68 |
/* helper functions from the dlz_dlopen driver */ |
69 |
/* helper functions from the dlz_dlopen driver */ |
|
Lines 736-741
_PUBLIC_ void dlz_destroy(void *dbdata)
|
| 736 |
dlz_bind9_state_ref_count--; |
737 |
dlz_bind9_state_ref_count--; |
| 737 |
if (dlz_bind9_state_ref_count == 0) { |
738 |
if (dlz_bind9_state_ref_count == 0) { |
| 738 |
talloc_unlink(state, state->samdb); |
739 |
talloc_unlink(state, state->samdb); |
|
|
740 |
if (state->is_system_session) { |
| 741 |
state->session_info = NULL; |
| 742 |
} |
| 739 |
talloc_free(state); |
743 |
talloc_free(state); |
| 740 |
dlz_bind9_state = NULL; |
744 |
dlz_bind9_state = NULL; |
| 741 |
} |
745 |
} |
|
Lines 1268-1273
static bool b9_is_tombstoned(struct ldb_result *res) {
|
| 1268 |
return val != NULL; |
1272 |
return val != NULL; |
| 1269 |
} |
1273 |
} |
| 1270 |
|
1274 |
|
|
|
1275 |
static char *b9_dn_fqdn(TALLOC_CTX *mem_ctx, struct ldb_dn *dn) { |
| 1276 |
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); |
| 1277 |
unsigned int i; |
| 1278 |
char *fqdn = NULL; |
| 1279 |
|
| 1280 |
for (i = 0; i < ldb_dn_get_comp_num(dn); i++) { |
| 1281 |
const char *name = ldb_dn_get_component_name(dn, i); |
| 1282 |
const struct ldb_val *value = ldb_dn_get_component_val(dn, i); |
| 1283 |
if (ldb_attr_cmp(name, "dc") != 0) { |
| 1284 |
break; |
| 1285 |
} |
| 1286 |
if (fqdn) { |
| 1287 |
fqdn = talloc_asprintf(tmp_ctx, "%s.%s", fqdn, |
| 1288 |
ldb_dn_escape_value(tmp_ctx, |
| 1289 |
*value)); |
| 1290 |
} else { |
| 1291 |
fqdn = ldb_dn_escape_value(tmp_ctx, *value); |
| 1292 |
} |
| 1293 |
if (!fqdn) { |
| 1294 |
break; |
| 1295 |
} |
| 1296 |
} |
| 1297 |
|
| 1298 |
if (fqdn != NULL) { |
| 1299 |
talloc_steal(mem_ctx, fqdn); |
| 1300 |
} |
| 1301 |
|
| 1302 |
talloc_free(tmp_ctx); |
| 1303 |
return fqdn; |
| 1304 |
} |
| 1305 |
|
| 1271 |
/* |
1306 |
/* |
| 1272 |
authorize a zone update |
1307 |
authorize a zone update |
| 1273 |
*/ |
1308 |
*/ |
|
Lines 1285-1290
_PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
|
| 1285 |
NTSTATUS nt_status; |
1320 |
NTSTATUS nt_status; |
| 1286 |
struct gensec_security *gensec_ctx; |
1321 |
struct gensec_security *gensec_ctx; |
| 1287 |
struct auth_session_info *session_info; |
1322 |
struct auth_session_info *session_info; |
|
|
1323 |
bool is_system_session = false; |
| 1288 |
struct ldb_dn *dn; |
1324 |
struct ldb_dn *dn; |
| 1289 |
isc_result_t result; |
1325 |
isc_result_t result; |
| 1290 |
struct ldb_result *res; |
1326 |
struct ldb_result *res; |
|
Lines 1294-1300
_PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
|
| 1294 |
|
1330 |
|
| 1295 |
/* Remove cached credentials, if any */ |
1331 |
/* Remove cached credentials, if any */ |
| 1296 |
if (state->session_info) { |
1332 |
if (state->session_info) { |
| 1297 |
talloc_free(state->session_info); |
1333 |
if (!state->is_system_session) { |
|
|
1334 |
talloc_free(state->session_info); |
| 1335 |
} |
| 1336 |
state->is_system_session = false; |
| 1298 |
state->session_info = NULL; |
1337 |
state->session_info = NULL; |
| 1299 |
} |
1338 |
} |
| 1300 |
if (state->update_name) { |
1339 |
if (state->update_name) { |
|
Lines 1411-1416
_PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
|
| 1411 |
ldb_ret = dsdb_check_access_on_dn(state->samdb, tmp_ctx, dn, |
1450 |
ldb_ret = dsdb_check_access_on_dn(state->samdb, tmp_ctx, dn, |
| 1412 |
session_info->security_token, |
1451 |
session_info->security_token, |
| 1413 |
access_mask, NULL); |
1452 |
access_mask, NULL); |
|
|
1453 |
|
| 1454 |
/* Univention Specific: If a maschine tries to access a forward/zone |
| 1455 |
* without the proper access-rights, but the FQDN as computed from the |
| 1456 |
* DN and the actual FQDN of the requesting maschine match, a |
| 1457 |
* modification is allowed and the privileges for this operation are |
| 1458 |
* escalated to `SYSTEM`. |
| 1459 |
*/ |
| 1460 |
if (ldb_ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { |
| 1461 |
char *fqdn = b9_dn_fqdn(tmp_ctx, dn); |
| 1462 |
if (fqdn != NULL && strcmp(fqdn, name) == 0) { |
| 1463 |
session_info = system_session(state->lp); |
| 1464 |
is_system_session = true; |
| 1465 |
ldb_ret = LDB_SUCCESS; |
| 1466 |
} |
| 1414 |
} |
1467 |
} |
| 1415 |
if (ldb_ret != LDB_SUCCESS) { |
1468 |
if (ldb_ret != LDB_SUCCESS) { |
| 1416 |
state->log(ISC_LOG_INFO, |
1469 |
state->log(ISC_LOG_INFO, |
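Review bot: The escalation branch at new lines 1460-1466 decides to upgrade to `system_session(state->lp)` by comparing the FQDN rebuilt from the record's DN with `name`, the update target, while the only identity inputs in view (`signer` and `session_info->security_token`) are not consulted at all. If `dn` is looked up from `name` earlier in dlz_ssumatch (outside this hunk, which is how the upstream function obtains it), `strcmp(fqdn, name) == 0` holds for essentially every record the caller was just denied on, so any authenticated signer would receive a SYSTEM token for that update rather than only "the requesting machine" the comment describes. To match the stated intent, the requester's own host name has to be derived from `signer` or `session_info` and compared with `fqdn` before `is_system_session = true` is set; I would also log the bypass at that point, since the later "allowing update" message does not record that the access check was overridden. The enclosing function continues outside the hunk.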
|
Lines 1427-1433
_PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
|
| 1427 |
talloc_free(tmp_ctx); |
1480 |
talloc_free(tmp_ctx); |
| 1428 |
return ISC_FALSE; |
1481 |
return ISC_FALSE; |
| 1429 |
} |
1482 |
} |
| 1430 |
state->session_info = talloc_steal(state, session_info); |
1483 |
state->is_system_session = is_system_session; |
|
|
1484 |
if (is_system_session) { |
| 1485 |
state->session_info = session_info; |
| 1486 |
} else { |
| 1487 |
state->session_info = talloc_steal(state, session_info); |
| 1488 |
} |
| 1431 |
|
1489 |
|
| 1432 |
state->log(ISC_LOG_INFO, "samba_dlz: allowing update of signer=%s name=%s tcpaddr=%s type=%s key=%s", |
1490 |
state->log(ISC_LOG_INFO, "samba_dlz: allowing update of signer=%s name=%s tcpaddr=%s type=%s key=%s", |
| 1433 |
signer, name, tcpaddr, type, key); |
1491 |
signer, name, tcpaddr, type, key); |
| 1434 |
- |
|
|