From: Kamen Mazdrashki <kamenim@samba.org>
Date: Sun, 25 Apr 2010 21:22:53 +0000 (+0300)
Subject: s4/dsdb: dsdb_validate_invocation_id() should validate by objectGUID
X-Git-Url: http://git.samba.org/?p=kamenim%2Fsamba.git;a=commitdiff_plain;h=e9194af939aa47aea67c074853fd228acb3ac03b

s4/dsdb: dsdb_validate_invocation_id() should validate by objectGUID

This function is used in DRSUpdateRefs() implementation where we
get DSA's objectGUID rather than invocationId
---

diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 3a04797f82..31f3ad41c4 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -3570,18 +3570,18 @@ const char *samdb_forest_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
 }
 
 /*
-   validate that an invocationID belongs to the specified user sid.
+   validate that an DSA GUID belongs to the specified user sid.
    The user SID must be a domain controller account (either RODC or
    RWDC)
  */
-int dsdb_validate_invocation_id(struct ldb_context *ldb,
-				const struct GUID *invocation_id,
-				const struct dom_sid *sid)
+int dsdb_validate_dsa_guid(struct ldb_context *ldb,
+			   const struct GUID *dsa_guid,
+			   const struct dom_sid *sid)
 {
 	/* strategy:
-	    - find DN of record with the invocationID in the
-	      configuration partition
-            - remote "NTDS Settings" component from DN
+	    - find DN of record with the DSA GUID in the
+	      configuration partition (objectGUID)
+            - remove "NTDS Settings" component from DN
 	    - do a base search on that DN for serverReference with
 	      extended-dn enabled
             - extract objectSID from resulting serverReference
@@ -3601,10 +3601,10 @@ int dsdb_validate_invocation_id(struct ldb_context *ldb,
 	config_dn = ldb_get_config_basedn(ldb);
 
 	ret = dsdb_search_one(ldb, tmp_ctx, &msg, config_dn, LDB_SCOPE_SUBTREE,
-			      attrs1, 0, "(&(invocationID=%s)(objectClass=nTDSDSA))", GUID_string(tmp_ctx, invocation_id));
+			      attrs1, 0, "(&(objectGUID=%s)(objectClass=nTDSDSA))", GUID_string(tmp_ctx, dsa_guid));
 	if (ret != LDB_SUCCESS) {
-		DEBUG(1,(__location__ ": Failed to find invocationID %s for sid %s\n",
-			 GUID_string(tmp_ctx, invocation_id), dom_sid_string(tmp_ctx, sid)));
+		DEBUG(1,(__location__ ": Failed to find DSA objectGUID %s for sid %s\n",
+			 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
 		talloc_free(tmp_ctx);
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
@@ -3619,32 +3619,32 @@ int dsdb_validate_invocation_id(struct ldb_context *ldb,
 			      attrs2, DSDB_SEARCH_SHOW_EXTENDED_DN,
 			      "(objectClass=server)");
 	if (ret != LDB_SUCCESS) {
-		DEBUG(1,(__location__ ": Failed to find server record for invocationID %s, sid %s\n",
-			 GUID_string(tmp_ctx, invocation_id), dom_sid_string(tmp_ctx, sid)));
+		DEBUG(1,(__location__ ": Failed to find server record for DSA with objectGUID %s, sid %s\n",
+			 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
 		talloc_free(tmp_ctx);
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
 	account_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, msg, "serverReference");
 	if (account_dn == NULL) {
-		DEBUG(1,(__location__ ": Failed to find account_dn for invocationID %s, sid %s\n",
-			 GUID_string(tmp_ctx, invocation_id), dom_sid_string(tmp_ctx, sid)));
+		DEBUG(1,(__location__ ": Failed to find account_dn for DSA with objectGUID %s, sid %s\n",
+			 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
 		talloc_free(tmp_ctx);
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
 	status = dsdb_get_extended_dn_sid(account_dn, &sid2, "SID");
 	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(1,(__location__ ": Failed to find SID for invocationID %s, sid %s\n",
-			 GUID_string(tmp_ctx, invocation_id), dom_sid_string(tmp_ctx, sid)));
+		DEBUG(1,(__location__ ": Failed to find SID for DSA with objectGUID %s, sid %s\n",
+			 GUID_string(tmp_ctx, dsa_guid), dom_sid_string(tmp_ctx, sid)));
 		talloc_free(tmp_ctx);
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
 	if (!dom_sid_equal(sid, &sid2)) {
 		/* someone is trying to spoof another account */
-		DEBUG(0,(__location__ ": Bad invocationID invocationID %s for sid %s - expected sid %s\n",
-			 GUID_string(tmp_ctx, invocation_id),
+		DEBUG(0,(__location__ ": Bad DSA objectGUID %s for sid %s - expected sid %s\n",
+			 GUID_string(tmp_ctx, dsa_guid),
 			 dom_sid_string(tmp_ctx, sid),
 			 dom_sid_string(tmp_ctx, &sid2)));
 		talloc_free(tmp_ctx);
diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c
index 0403db8f88..d52a77959a 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -211,10 +211,10 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
 
 	security_level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
 	if (security_level < SECURITY_ADMINISTRATOR) {
-		/* check that they are using an invocationId that they own */
-		ret = dsdb_validate_invocation_id(b_state->sam_ctx,
-						  &req->dest_dsa_guid,
-						  dce_call->conn->auth_state.session_info->security_token->user_sid);
+		/* check that they are using an DSA objectGUID that they own */
+		ret = dsdb_validate_dsa_guid(b_state->sam_ctx,
+		                             &req->dest_dsa_guid,
+		                             dce_call->conn->auth_state.session_info->security_token->user_sid);
 		if (ret != LDB_SUCCESS) {
 			DEBUG(0,(__location__ ": Refusing DsReplicaUpdateRefs for sid %s with GUID %s\n",
 				 dom_sid_string(mem_ctx,