Lines 63-68
struct dlz_bind9_data {
63 |
struct smb_krb5_context *smb_krb5_ctx; |
63 |
struct smb_krb5_context *smb_krb5_ctx; |
64 |
struct auth4_context *auth_context; |
64 |
struct auth4_context *auth_context; |
65 |
struct auth_session_info *session_info; |
65 |
struct auth_session_info *session_info; |
|
|
66 |
bool is_system_session; |
66 |
char *update_name; |
67 |
char *update_name; |
67 |
|
68 |
|
68 |
/* helper functions from the dlz_dlopen driver */ |
69 |
/* helper functions from the dlz_dlopen driver */ |
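Review bot: The new `is_system_session` member of `struct dlz_bind9_data` has no comment, yet it changes the ownership rule for the neighbouring `session_info` pointer: when it is set, `session_info` refers to a session this struct does not own and the destroy and ssumatch paths in this commit skip `talloc_free()` on it. Suggest documenting that on the field, e.g. `/* true when session_info is borrowed from system_session() and must not be freed via this struct */`, so a later maintainer does not add an unconditional free. The struct definition starts before this hunk.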
Lines 736-741
_PUBLIC_ void dlz_destroy(void *dbdata)
736 |
dlz_bind9_state_ref_count--; |
737 |
dlz_bind9_state_ref_count--; |
737 |
if (dlz_bind9_state_ref_count == 0) { |
738 |
if (dlz_bind9_state_ref_count == 0) { |
738 |
talloc_unlink(state, state->samdb); |
739 |
talloc_unlink(state, state->samdb); |
|
|
740 |
if (state->is_system_session) { |
741 |
state->session_info = NULL; |
742 |
} |
739 |
talloc_free(state); |
743 |
talloc_free(state); |
740 |
dlz_bind9_state = NULL; |
744 |
dlz_bind9_state = NULL; |
741 |
} |
745 |
} |
Lines 1268-1273
static bool b9_is_tombstoned(struct ldb_result *res) {
1268 |
return val != NULL; |
1272 |
return val != NULL; |
1269 |
} |
1273 |
} |
1270 |
|
1274 |
|
|
|
1275 |
static char *b9_dn_fqdn(TALLOC_CTX *mem_ctx, struct ldb_dn *dn) { |
1276 |
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); |
1277 |
unsigned int i; |
1278 |
char *fqdn = NULL; |
1279 |
|
1280 |
for (i = 0; i < ldb_dn_get_comp_num(dn); i++) { |
1281 |
const char *name = ldb_dn_get_component_name(dn, i); |
1282 |
const struct ldb_val *value = ldb_dn_get_component_val(dn, i); |
1283 |
if (ldb_attr_cmp(name, "dc") != 0) { |
1284 |
break; |
1285 |
} |
1286 |
if (fqdn) { |
1287 |
fqdn = talloc_asprintf(tmp_ctx, "%s.%s", fqdn, |
1288 |
ldb_dn_escape_value(tmp_ctx, |
1289 |
*value)); |
1290 |
} else { |
1291 |
fqdn = ldb_dn_escape_value(tmp_ctx, *value); |
1292 |
} |
1293 |
if (!fqdn) { |
1294 |
break; |
1295 |
} |
1296 |
} |
1297 |
|
1298 |
if (fqdn != NULL) { |
1299 |
talloc_steal(mem_ctx, fqdn); |
1300 |
} |
1301 |
|
1302 |
talloc_free(tmp_ctx); |
1303 |
return fqdn; |
1304 |
} |
1305 |
|
1271 |
/* |
1306 |
/* |
1272 |
authorize a zone update |
1307 |
authorize a zone update |
1273 |
*/ |
1308 |
*/ |
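Review bot: `b9_dn_fqdn` never checks the result of `talloc_new(mem_ctx)`; if it is NULL the subsequent `ldb_dn_escape_value(tmp_ctx, ...)` and `talloc_asprintf(tmp_ctx, ...)` calls allocate on the NULL context and the partial strings are never freed. Add `if (tmp_ctx == NULL) { return NULL; }` right after the allocation; the caller already treats NULL as "no match", so this fails closed. The function also lacks a header comment; suggest one stating that it joins the leading `dc=` components of `dn` with dots, stops at the first non-`dc` component, and returns NULL when there are none or on allocation failure. Note that `i` is `unsigned int` while it is compared against `ldb_dn_get_comp_num()`, which is worth checking against that function's return type.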
Lines 1285-1290
_PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
1285 |
NTSTATUS nt_status; |
1320 |
NTSTATUS nt_status; |
1286 |
struct gensec_security *gensec_ctx; |
1321 |
struct gensec_security *gensec_ctx; |
1287 |
struct auth_session_info *session_info; |
1322 |
struct auth_session_info *session_info; |
|
|
1323 |
bool is_system_session = false; |
1288 |
struct ldb_dn *dn; |
1324 |
struct ldb_dn *dn; |
1289 |
isc_result_t result; |
1325 |
isc_result_t result; |
1290 |
struct ldb_result *res; |
1326 |
struct ldb_result *res; |
Lines 1294-1300
_PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
1294 |
|
1330 |
|
1295 |
/* Remove cached credentials, if any */ |
1331 |
/* Remove cached credentials, if any */ |
1296 |
if (state->session_info) { |
1332 |
if (state->session_info) { |
1297 |
talloc_free(state->session_info); |
1333 |
if (!state->is_system_session) { |
|
|
1334 |
talloc_free(state->session_info); |
1335 |
} |
1336 |
state->is_system_session = false; |
1298 |
state->session_info = NULL; |
1337 |
state->session_info = NULL; |
1299 |
} |
1338 |
} |
1300 |
if (state->update_name) { |
1339 |
if (state->update_name) { |
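Review bot: `state->is_system_session = false;` is reset only inside `if (state->session_info)`, so a stale true flag would survive into the next request whenever `session_info` is already NULL; on the early-return paths later in this function the flag is not reassigned. Moving the reset outside the branch, `state->is_system_session = false;` after the closing brace, keeps the two fields consistent regardless of how the previous call ended. `dlz_ssumatch` starts and ends outside this hunk.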
Lines 1411-1416
_PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
1411 |
ldb_ret = dsdb_check_access_on_dn(state->samdb, tmp_ctx, dn, |
1450 |
ldb_ret = dsdb_check_access_on_dn(state->samdb, tmp_ctx, dn, |
1412 |
session_info->security_token, |
1451 |
session_info->security_token, |
1413 |
access_mask, NULL); |
1452 |
access_mask, NULL); |
|
|
1453 |
|
1454 |
/* Univention Specific: If a maschine tries to access a forward/zone |
1455 |
* without the proper access-rights, but the FQDN as computed from the |
1456 |
* DN and the actual FQDN of the requesting maschine match, a |
1457 |
* modification is allowed and the privileges for this operation are |
1458 |
* escalated to `SYSTEM`. |
1459 |
*/ |
1460 |
if (ldb_ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { |
1461 |
char *fqdn = b9_dn_fqdn(tmp_ctx, dn); |
1462 |
if (fqdn != NULL && strcmp(fqdn, name) == 0) { |
1463 |
session_info = system_session(state->lp); |
1464 |
is_system_session = true; |
1465 |
ldb_ret = LDB_SUCCESS; |
1466 |
} |
1414 |
} |
1467 |
} |
1415 |
if (ldb_ret != LDB_SUCCESS) { |
1468 |
if (ldb_ret != LDB_SUCCESS) { |
1416 |
state->log(ISC_LOG_INFO, |
1469 |
state->log(ISC_LOG_INFO, |
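Review bot: The escalation condition `if (fqdn != NULL && strcmp(fqdn, name) == 0)` compares the DN-derived FQDN only with `name`, the record being updated; neither `signer` nor the authenticated `session_info` takes part, so the visible code does not establish the "FQDN of the requesting machine" that the comment above it describes. If `dn` was resolved from `name` earlier in the function (not visible in this hunk), the two strings agree for any existing record, and the access failure on the preceding `dsdb_check_access_on_dn` call would be overridden with SYSTEM privileges for any authenticated signer; the check should be bound to the caller's identity (the machine account behind `session_info`/`signer`) and otherwise leave `ldb_ret` unchanged. `system_session(state->lp)` can return NULL and is not checked before `ldb_ret = LDB_SUCCESS`, so add `if (session_info == NULL) { ldb_ret = LDB_ERR_OPERATIONS_ERROR; }` or similar before granting. The grant itself is silent; a `state->log(ISC_LOG_INFO, ...)` line recording signer, name and the escalation would let operators distinguish these updates from ordinary ACL-authorised ones in the BIND log. The comment also misspells "machine" twice.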
Lines 1427-1433
_PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
1427 |
talloc_free(tmp_ctx); |
1480 |
talloc_free(tmp_ctx); |
1428 |
return ISC_FALSE; |
1481 |
return ISC_FALSE; |
1429 |
} |
1482 |
} |
1430 |
state->session_info = talloc_steal(state, session_info); |
1483 |
state->is_system_session = is_system_session; |
|
|
1484 |
if (is_system_session) { |
1485 |
state->session_info = session_info; |
1486 |
} else { |
1487 |
state->session_info = talloc_steal(state, session_info); |
1488 |
} |
1431 |
|
1489 |
|
1432 |
state->log(ISC_LOG_INFO, "samba_dlz: allowing update of signer=%s name=%s tcpaddr=%s type=%s key=%s", |
1490 |
state->log(ISC_LOG_INFO, "samba_dlz: allowing update of signer=%s name=%s tcpaddr=%s type=%s key=%s", |
1433 |
signer, name, tcpaddr, type, key); |
1491 |
signer, name, tcpaddr, type, key); |
1434 |
- |
|
|