CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper...
authorAndrew Bartlett <abartlet@samba.org>
Thu, 30 Sep 2021 22:38:16 +0000 (11:38 +1300)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:12 +0000 (10:52 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
source4/rpc_server/common/sid_helper.c
source4/rpc_server/drsuapi/getncchanges.c
source4/rpc_server/netlogon/dcerpc_netlogon.c

index 65d7e7c7271e7bc8685cfb0686cd270f29bfa363..eaeab236fc0111d41ef6c67db685d012df387e7f 100644 (file)
@@ -130,3 +130,52 @@ WERROR samdb_result_sid_array_dn(struct ldb_context *sam_ctx,
 
        return WERR_OK;
 }
+
+WERROR samdb_confirm_rodc_allowed_to_repl_to_sid_list(struct ldb_context *sam_ctx,
+                                                     struct ldb_message *rodc_msg,
+                                                     uint32_t num_token_sids,
+                                                     struct dom_sid *token_sids)
+{
+       uint32_t num_never_reveal_sids, num_reveal_sids;
+       struct dom_sid *never_reveal_sids, *reveal_sids;
+       TALLOC_CTX *frame = talloc_stackframe();
+       WERROR werr = samdb_result_sid_array_dn(sam_ctx, rodc_msg,
+                                               frame, "msDS-NeverRevealGroup",
+                                               &num_never_reveal_sids,
+                                               &never_reveal_sids);
+       if (!W_ERROR_IS_OK(werr)) {
+               TALLOC_FREE(frame);
+               return WERR_DS_DRA_SECRETS_DENIED;
+       }
+
+       werr = samdb_result_sid_array_dn(sam_ctx, rodc_msg,
+                                        frame, "msDS-RevealOnDemandGroup",
+                                        &num_reveal_sids,
+                                        &reveal_sids);
+       if (!W_ERROR_IS_OK(werr)) {
+               TALLOC_FREE(frame);
+               return WERR_DS_DRA_SECRETS_DENIED;
+       }
+
+       if (never_reveal_sids &&
+           sid_list_match(num_token_sids,
+                          token_sids,
+                          num_never_reveal_sids,
+                          never_reveal_sids)) {
+               TALLOC_FREE(frame);
+               return WERR_DS_DRA_SECRETS_DENIED;
+       }
+
+       if (reveal_sids &&
+           sid_list_match(num_token_sids,
+                          token_sids,
+                          num_reveal_sids,
+                          reveal_sids)) {
+               TALLOC_FREE(frame);
+               return WERR_OK;
+       }
+
+       TALLOC_FREE(frame);
+       return WERR_DS_DRA_SECRETS_DENIED;
+
+}
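Review bot: The new helper samdb_confirm_rodc_allowed_to_repl_to_sid_list is now the single security decision point for RODC secret replication, yet it carries no header comment stating its contract; a maintainer reordering the two checks or adding a third attribute would have nothing to tell them the evaluation order matters. I would add a comment above the definition saying that it returns WERR_OK only when token_sids intersects the RODC's msDS-RevealOnDemandGroup and does not intersect its msDS-NeverRevealGroup, that the never-reveal check is evaluated first and must stay first so that membership in a never-reveal group cannot be overridden by a reveal-on-demand match, and that every other outcome — including a failure of samdb_result_sid_array_dn, whose original error code is discarded — maps to WERR_DS_DRA_SECRETS_DENIED. The comment should also note that rodc_msg is expected to have been searched with both attributes present in the attribute list (the getncchanges caller's rodc_attrs shows this; the netlogon caller's list is not visible here), since a message lacking them presumably yields empty lists and therefore a denial. Minor style point: the blank line before the closing brace after `return WERR_DS_DRA_SECRETS_DENIED;` is stray.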
index bc30e73e06bf4c511a5a1105ed9cc66365c4274c..3b1d674573ff9ae71bdad86853d9d76724cda174 100644 (file)
@@ -1171,8 +1171,8 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
        const char *rodc_attrs[] = { "msDS-KrbTgtLink", "msDS-NeverRevealGroup", "msDS-RevealOnDemandGroup", "objectGUID", NULL };
        const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL };
        struct ldb_result *rodc_res = NULL, *obj_res = NULL;
-       uint32_t num_never_reveal_sids, num_reveal_sids, num_token_sids;
-       struct dom_sid *never_reveal_sids, *reveal_sids, *token_sids;
+       uint32_t num_token_sids;
+       struct dom_sid *token_sids;
        const struct dom_sid *object_sid = NULL;
        WERROR werr;
 
@@ -1308,35 +1308,12 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
                goto denied;
        }
 
-       werr = samdb_result_sid_array_dn(b_state->sam_ctx_system, rodc_res->msgs[0],
-                                        mem_ctx, "msDS-NeverRevealGroup",
-                                        &num_never_reveal_sids,
-                                        &never_reveal_sids);
-       if (!W_ERROR_IS_OK(werr)) {
-               goto denied;
-       }
-
-       werr = samdb_result_sid_array_dn(b_state->sam_ctx_system, rodc_res->msgs[0],
-                                        mem_ctx, "msDS-RevealOnDemandGroup",
-                                        &num_reveal_sids,
-                                        &reveal_sids);
-       if (!W_ERROR_IS_OK(werr)) {
-               goto denied;
-       }
-
-       if (never_reveal_sids &&
-           sid_list_match(num_token_sids,
-                          token_sids,
-                          num_never_reveal_sids,
-                          never_reveal_sids)) {
-               goto denied;
-       }
+       werr = samdb_confirm_rodc_allowed_to_repl_to_sid_list(b_state->sam_ctx_system,
+                                                             rodc_res->msgs[0],
+                                                             num_token_sids,
+                                                             token_sids);
 
-       if (reveal_sids &&
-           sid_list_match(num_token_sids,
-                          token_sids,
-                          num_reveal_sids,
-                          reveal_sids)) {
+       if (W_ERROR_IS_OK(werr)) {
                goto allowed;
        }
 
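Review bot: After the call to samdb_confirm_rodc_allowed_to_repl_to_sid_list the caller only tests `W_ERROR_IS_OK(werr)` and then falls through, so a genuine never-reveal match and a failure to read the RODC object's group attributes are indistinguishable here and nothing is recorded before the denial; the same shape appears in the sam_rodc_access_check hunk in dcerpc_netlogon.c. Since a denied secrets replication is exactly the event an operator wants to see when diagnosing a misconfigured RODC, I would log it on the non-OK path before falling through, e.g. `if (!W_ERROR_IS_OK(werr)) { DBG_WARNING("RODC %s denied secret replication: %s\n", ldb_dn_get_linearized(rodc_res->msgs[0]->dn), win_errstr(werr)); }`, assuming the function's existing debug conventions allow it. The remainder of getncchanges_repl_secret, including the denied: label this path presumably reaches, lies outside the hunk.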
index 51c6666a1649618e45f55e51767d9a49aca30b71..1aecd65bb618ad137038a412e19e7b7f62ec7aca 100644 (file)
@@ -2852,8 +2852,8 @@ static bool sam_rodc_access_check(struct ldb_context *sam_ctx,
        struct ldb_result *rodc_res = NULL, *obj_res = NULL;
        WERROR werr;
        struct dom_sid *object_sid;
-       uint32_t num_never_reveal_sids, num_reveal_sids, num_token_sids;
-       struct dom_sid *never_reveal_sids, *reveal_sids, *token_sids;
+       uint32_t num_token_sids;
+       struct dom_sid *token_sids;
 
        rodc_dn = ldb_dn_new_fmt(mem_ctx, sam_ctx, "<SID=%s>",
                                 dom_sid_string(mem_ctx, user_sid));
@@ -2886,38 +2886,14 @@ static bool sam_rodc_access_check(struct ldb_context *sam_ctx,
                goto denied;
        }
 
-       werr = samdb_result_sid_array_dn(sam_ctx, rodc_res->msgs[0],
-                                        mem_ctx, "msDS-NeverRevealGroup",
-                                        &num_never_reveal_sids,
-                                        &never_reveal_sids);
-       if (!W_ERROR_IS_OK(werr)) {
-               goto denied;
-       }
-
-       werr = samdb_result_sid_array_dn(sam_ctx, rodc_res->msgs[0],
-                                        mem_ctx, "msDS-RevealOnDemandGroup",
-                                        &num_reveal_sids,
-                                        &reveal_sids);
-       if (!W_ERROR_IS_OK(werr)) {
-               goto denied;
-       }
+       werr = samdb_confirm_rodc_allowed_to_repl_to_sid_list(sam_ctx,
+                                                             rodc_res->msgs[0],
+                                                             num_token_sids,
+                                                             token_sids);
 
-       if (never_reveal_sids &&
-           sid_list_match(num_token_sids,
-                          token_sids,
-                          num_never_reveal_sids,
-                          never_reveal_sids)) {
-               goto denied;
-       }
-
-       if (reveal_sids &&
-           sid_list_match(num_token_sids,
-                          token_sids,
-                          num_reveal_sids,
-                          reveal_sids)) {
+       if (W_ERROR_IS_OK(werr)) {
                goto allowed;
        }
-
 denied:
        return false;
 allowed: