2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997.
7 * Copyright (C) Jeremy Allison 1998-2001.
8 * Copyright (C) Andrew Bartlett 2001.
9 * Copyright (C) Guenther Deschner 2008.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 /* This is the implementation of the netlogon pipe. */
29 extern userdom_struct current_user_info
;
32 #define DBGC_CLASS DBGC_RPC_SRV
34 /*************************************************************************
36 *************************************************************************/
38 static void init_net_r_req_chal(struct netr_Credential
*r
,
39 struct netr_Credential
*srv_chal
)
41 DEBUG(6,("init_net_r_req_chal: %d\n", __LINE__
));
43 memcpy(r
->data
, srv_chal
->data
, sizeof(r
->data
));
46 /*******************************************************************
47 Inits a netr_NETLOGON_INFO_1 structure.
48 ********************************************************************/
50 static void init_netlogon_info1(struct netr_NETLOGON_INFO_1
*r
,
52 uint32_t pdc_connection_status
)
55 r
->pdc_connection_status
= pdc_connection_status
;
58 /*******************************************************************
59 Inits a netr_NETLOGON_INFO_2 structure.
60 ********************************************************************/
62 static void init_netlogon_info2(struct netr_NETLOGON_INFO_2
*r
,
64 uint32_t pdc_connection_status
,
65 const char *trusted_dc_name
,
66 uint32_t tc_connection_status
)
69 r
->pdc_connection_status
= pdc_connection_status
;
70 r
->trusted_dc_name
= trusted_dc_name
;
71 r
->tc_connection_status
= tc_connection_status
;
74 /*******************************************************************
75 Inits a netr_NETLOGON_INFO_3 structure.
76 ********************************************************************/
78 static void init_netlogon_info3(struct netr_NETLOGON_INFO_3
*r
,
80 uint32_t logon_attempts
)
83 r
->logon_attempts
= logon_attempts
;
86 /*************************************************************************
88 *************************************************************************/
90 WERROR
_netr_LogonControl(pipes_struct
*p
,
91 struct netr_LogonControl
*r
)
93 struct netr_LogonControl2Ex l
;
95 switch (r
->in
.level
) {
99 return WERR_NOT_SUPPORTED
;
101 return WERR_UNKNOWN_LEVEL
;
104 l
.in
.logon_server
= r
->in
.logon_server
;
105 l
.in
.function_code
= r
->in
.function_code
;
106 l
.in
.level
= r
->in
.level
;
108 l
.out
.query
= r
->out
.info
;
110 return _netr_LogonControl2Ex(p
, &l
);
113 /****************************************************************************
114 Send a message to smbd to do a sam synchronisation
115 **************************************************************************/
117 static void send_sync_message(void)
119 DEBUG(3, ("sending sam synchronisation message\n"));
120 message_send_all(smbd_messaging_context(), MSG_SMB_SAM_SYNC
, NULL
, 0,
124 /*************************************************************************
126 *************************************************************************/
128 WERROR
_netr_LogonControl2(pipes_struct
*p
,
129 struct netr_LogonControl2
*r
)
131 struct netr_LogonControl2Ex l
;
133 l
.in
.logon_server
= r
->in
.logon_server
;
134 l
.in
.function_code
= r
->in
.function_code
;
135 l
.in
.level
= r
->in
.level
;
136 l
.in
.data
= r
->in
.data
;
137 l
.out
.query
= r
->out
.query
;
139 return _netr_LogonControl2Ex(p
, &l
);
142 /****************************************************************
143 _netr_LogonControl2Ex
144 ****************************************************************/
146 WERROR
_netr_LogonControl2Ex(pipes_struct
*p
,
147 struct netr_LogonControl2Ex
*r
)
150 uint32 pdc_connection_status
= 0x0;
151 uint32 logon_attempts
= 0x0;
154 const char *dc_name
= NULL
;
155 struct sockaddr_storage dc_ss
;
156 const char *domain
= NULL
;
157 struct netr_NETLOGON_INFO_1
*info1
;
158 struct netr_NETLOGON_INFO_2
*info2
;
159 struct netr_NETLOGON_INFO_3
*info3
;
162 switch (p
->hdr_req
.opnum
) {
163 case NDR_NETR_LOGONCONTROL
:
164 fn
= "_netr_LogonControl";
166 case NDR_NETR_LOGONCONTROL2
:
167 fn
= "_netr_LogonControl2";
169 case NDR_NETR_LOGONCONTROL2EX
:
170 fn
= "_netr_LogonControl2Ex";
173 return WERR_INVALID_PARAM
;
176 tc_status
= W_ERROR_V(WERR_NO_SUCH_DOMAIN
);
178 switch (r
->in
.function_code
) {
179 case NETLOGON_CONTROL_TC_QUERY
:
180 domain
= r
->in
.data
->domain
;
182 if ( !is_trusted_domain( domain
) )
185 if ( !get_dc_name( domain
, NULL
, dc_name2
, &dc_ss
) ) {
186 tc_status
= W_ERROR_V(WERR_NO_LOGON_SERVERS
);
190 dc_name
= talloc_asprintf(p
->mem_ctx
, "\\\\%s", dc_name2
);
195 tc_status
= W_ERROR_V(WERR_OK
);
199 case NETLOGON_CONTROL_REDISCOVER
:
200 domain
= r
->in
.data
->domain
;
202 if ( !is_trusted_domain( domain
) )
205 if ( !get_dc_name( domain
, NULL
, dc_name2
, &dc_ss
) ) {
206 tc_status
= W_ERROR_V(WERR_NO_LOGON_SERVERS
);
210 dc_name
= talloc_asprintf(p
->mem_ctx
, "\\\\%s", dc_name2
);
215 tc_status
= W_ERROR_V(WERR_OK
);
220 /* no idea what this should be */
221 DEBUG(0,("%s: unimplemented function level [%d]\n",
222 fn
, r
->in
.function_code
));
223 return WERR_UNKNOWN_LEVEL
;
226 /* prepare the response */
228 switch (r
->in
.level
) {
230 info1
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_1
);
231 W_ERROR_HAVE_NO_MEMORY(info1
);
233 init_netlogon_info1(info1
,
235 pdc_connection_status
);
236 r
->out
.query
->info1
= info1
;
239 info2
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_2
);
240 W_ERROR_HAVE_NO_MEMORY(info2
);
242 init_netlogon_info2(info2
,
244 pdc_connection_status
,
247 r
->out
.query
->info2
= info2
;
250 info3
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_3
);
251 W_ERROR_HAVE_NO_MEMORY(info3
);
253 init_netlogon_info3(info3
,
256 r
->out
.query
->info3
= info3
;
259 return WERR_UNKNOWN_LEVEL
;
262 if (lp_server_role() == ROLE_DOMAIN_BDC
) {
269 /*************************************************************************
270 _netr_NetrEnumerateTrustedDomains
271 *************************************************************************/
273 WERROR
_netr_NetrEnumerateTrustedDomains(pipes_struct
*p
,
274 struct netr_NetrEnumerateTrustedDomains
*r
)
276 struct netr_Blob trusted_domains_blob
;
279 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__
));
281 /* set up the Trusted Domain List response */
283 blob
= data_blob_talloc_zero(p
->mem_ctx
, 2);
284 trusted_domains_blob
.data
= blob
.data
;
285 trusted_domains_blob
.length
= blob
.length
;
287 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__
));
289 *r
->out
.trusted_domains_blob
= trusted_domains_blob
;
294 /******************************************************************
295 gets a machine password entry. checks access rights of the host.
296 ******************************************************************/
298 static NTSTATUS
get_md4pw(char *md4pw
, const char *mach_acct
,
299 uint16_t sec_chan_type
, uint32_t *rid
)
301 struct samu
*sampass
= NULL
;
307 char addr
[INET6_ADDRSTRLEN
];
310 * Currently this code is redundent as we already have a filter
311 * by hostname list. What this code really needs to do is to
312 * get a hosts allowed/hosts denied list from the SAM database
313 * on a per user basis, and make the access decision there.
314 * I will leave this code here for now as a reminder to implement
315 * this at a later date. JRA.
318 if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
319 client_name(get_client_fd()),
320 client_addr(get_client_fd(),addr
,sizeof(addr
)))) {
321 DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct
));
326 if ( !(sampass
= samu_new( NULL
)) ) {
327 return NT_STATUS_NO_MEMORY
;
330 /* JRA. This is ok as it is only used for generating the challenge. */
332 ret
= pdb_getsampwnam(sampass
, mach_acct
);
336 DEBUG(0,("get_md4pw: Workstation %s: no account in domain\n", mach_acct
));
337 TALLOC_FREE(sampass
);
338 return NT_STATUS_ACCESS_DENIED
;
341 acct_ctrl
= pdb_get_acct_ctrl(sampass
);
342 if (acct_ctrl
& ACB_DISABLED
) {
343 DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct
));
344 TALLOC_FREE(sampass
);
345 return NT_STATUS_ACCOUNT_DISABLED
;
348 if (!(acct_ctrl
& ACB_SVRTRUST
) &&
349 !(acct_ctrl
& ACB_WSTRUST
) &&
350 !(acct_ctrl
& ACB_DOMTRUST
))
352 DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct
));
353 TALLOC_FREE(sampass
);
354 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
357 switch (sec_chan_type
) {
359 if (!(acct_ctrl
& ACB_SVRTRUST
)) {
360 DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
361 "but not a server trust account\n", mach_acct
));
362 TALLOC_FREE(sampass
);
363 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
367 if (!(acct_ctrl
& ACB_WSTRUST
)) {
368 DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
369 "but not a workstation trust account\n", mach_acct
));
370 TALLOC_FREE(sampass
);
371 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
374 case SEC_CHAN_DOMAIN
:
375 if (!(acct_ctrl
& ACB_DOMTRUST
)) {
376 DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
377 "but not a interdomain trust account\n", mach_acct
));
378 TALLOC_FREE(sampass
);
379 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
386 if ((pass
= pdb_get_nt_passwd(sampass
)) == NULL
) {
387 DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct
));
388 TALLOC_FREE(sampass
);
389 return NT_STATUS_LOGON_FAILURE
;
392 memcpy(md4pw
, pass
, 16);
393 dump_data(5, (uint8
*)md4pw
, 16);
396 *rid
= pdb_get_user_rid(sampass
);
399 TALLOC_FREE(sampass
);
406 /*************************************************************************
407 _netr_ServerReqChallenge
408 *************************************************************************/
410 NTSTATUS
_netr_ServerReqChallenge(pipes_struct
*p
,
411 struct netr_ServerReqChallenge
*r
)
414 p
->dc
= TALLOC_ZERO_P(p
, struct dcinfo
);
416 return NT_STATUS_NO_MEMORY
;
419 DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));
423 fstrcpy(p
->dc
->remote_machine
, r
->in
.computer_name
);
425 /* Save the client challenge to the server. */
426 memcpy(p
->dc
->clnt_chal
.data
, r
->in
.credentials
->data
,
427 sizeof(r
->in
.credentials
->data
));
429 /* Create a server challenge for the client */
430 /* Set this to a random value. */
431 generate_random_buffer(p
->dc
->srv_chal
.data
, 8);
433 /* set up the LSA REQUEST CHALLENGE response */
434 init_net_r_req_chal(r
->out
.return_credentials
, &p
->dc
->srv_chal
);
436 p
->dc
->challenge_sent
= True
;
441 /*************************************************************************
442 _netr_ServerAuthenticate
443 Create the initial credentials.
444 *************************************************************************/
446 NTSTATUS
_netr_ServerAuthenticate(pipes_struct
*p
,
447 struct netr_ServerAuthenticate
*r
)
450 struct netr_Credential srv_chal_out
;
452 if (!p
->dc
|| !p
->dc
->challenge_sent
) {
453 return NT_STATUS_ACCESS_DENIED
;
456 status
= get_md4pw((char *)p
->dc
->mach_pw
,
458 r
->in
.secure_channel_type
,
460 if (!NT_STATUS_IS_OK(status
)) {
461 DEBUG(0,("_netr_ServerAuthenticate: get_md4pw failed. Failed to "
462 "get password for machine account %s "
463 "from client %s: %s\n",
466 nt_errstr(status
) ));
467 /* always return NT_STATUS_ACCESS_DENIED */
468 return NT_STATUS_ACCESS_DENIED
;
471 /* From the client / server challenges and md4 password, generate sess key */
472 creds_server_init(0, /* No neg flags. */
474 &p
->dc
->clnt_chal
, /* Stored client chal. */
475 &p
->dc
->srv_chal
, /* Stored server chal. */
479 /* Check client credentials are valid. */
480 if (!netlogon_creds_server_check(p
->dc
, r
->in
.credentials
)) {
481 DEBUG(0,("_netr_ServerAuthenticate: netlogon_creds_server_check failed. Rejecting auth "
482 "request from client %s machine account %s\n",
484 r
->in
.account_name
));
485 return NT_STATUS_ACCESS_DENIED
;
488 fstrcpy(p
->dc
->mach_acct
, r
->in
.account_name
);
489 fstrcpy(p
->dc
->remote_machine
, r
->in
.computer_name
);
490 p
->dc
->authenticated
= True
;
492 /* set up the LSA AUTH response */
493 /* Return the server credentials. */
495 memcpy(r
->out
.return_credentials
->data
, &srv_chal_out
.data
,
496 sizeof(r
->out
.return_credentials
->data
));
501 /*************************************************************************
502 _netr_ServerAuthenticate3
503 *************************************************************************/
505 NTSTATUS
_netr_ServerAuthenticate3(pipes_struct
*p
,
506 struct netr_ServerAuthenticate3
*r
)
510 /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
511 * so use a copy to avoid destroying the client values. */
512 uint32_t in_neg_flags
= *r
->in
.negotiate_flags
;
513 struct netr_Credential srv_chal_out
;
516 /* According to Microsoft (see bugid #6099)
517 * Windows 7 looks at the negotiate_flags
518 * returned in this structure *even if the
519 * call fails with access denied* ! So in order
520 * to allow Win7 to connect to a Samba NT style
521 * PDC we set the flags before we know if it's
526 srv_flgs
= NETLOGON_NEG_ACCOUNT_LOCKOUT
|
527 NETLOGON_NEG_PERSISTENT_SAMREPL
|
528 NETLOGON_NEG_ARCFOUR
|
529 NETLOGON_NEG_PROMOTION_COUNT
|
530 NETLOGON_NEG_CHANGELOG_BDC
|
531 NETLOGON_NEG_FULL_SYNC_REPL
|
532 NETLOGON_NEG_MULTIPLE_SIDS
|
534 NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
;
536 /* Ensure we support strong (128-bit) keys. */
537 if (in_neg_flags
& NETLOGON_NEG_STRONG_KEYS
) {
538 srv_flgs
|= NETLOGON_NEG_STRONG_KEYS
;
541 if (lp_server_schannel() != false) {
542 srv_flgs
|= NETLOGON_NEG_SCHANNEL
;
545 switch (p
->hdr_req
.opnum
) {
546 case NDR_NETR_SERVERAUTHENTICATE2
:
547 fn
= "_netr_ServerAuthenticate2";
549 case NDR_NETR_SERVERAUTHENTICATE3
:
550 fn
= "_netr_ServerAuthenticate3";
553 return NT_STATUS_INTERNAL_ERROR
;
556 /* We use this as the key to store the creds: */
557 /* r->in.computer_name */
559 if (!p
->dc
|| !p
->dc
->challenge_sent
) {
560 DEBUG(0,("%s: no challenge sent to client %s\n", fn
,
561 r
->in
.computer_name
));
562 status
= NT_STATUS_ACCESS_DENIED
;
566 if ( (lp_server_schannel() == true) &&
567 ((in_neg_flags
& NETLOGON_NEG_SCHANNEL
) == 0) ) {
569 /* schannel must be used, but client did not offer it. */
570 DEBUG(0,("%s: schannel required but client failed "
571 "to offer it. Client was %s\n",
572 fn
, r
->in
.account_name
));
573 status
= NT_STATUS_ACCESS_DENIED
;
577 status
= get_md4pw((char *)p
->dc
->mach_pw
,
579 r
->in
.secure_channel_type
,
581 if (!NT_STATUS_IS_OK(status
)) {
582 DEBUG(0,("%s: failed to get machine password for "
584 fn
, r
->in
.account_name
, nt_errstr(status
) ));
585 /* always return NT_STATUS_ACCESS_DENIED */
586 status
= NT_STATUS_ACCESS_DENIED
;
590 /* From the client / server challenges and md4 password, generate sess key */
591 creds_server_init(in_neg_flags
,
593 &p
->dc
->clnt_chal
, /* Stored client chal. */
594 &p
->dc
->srv_chal
, /* Stored server chal. */
598 /* Check client credentials are valid. */
599 if (!netlogon_creds_server_check(p
->dc
, r
->in
.credentials
)) {
600 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
601 "request from client %s machine account %s\n",
602 fn
, r
->in
.computer_name
,
603 r
->in
.account_name
));
604 status
= NT_STATUS_ACCESS_DENIED
;
607 /* set up the LSA AUTH 2 response */
608 memcpy(r
->out
.return_credentials
->data
, &srv_chal_out
.data
,
609 sizeof(r
->out
.return_credentials
->data
));
611 fstrcpy(p
->dc
->mach_acct
, r
->in
.account_name
);
612 fstrcpy(p
->dc
->remote_machine
, r
->in
.computer_name
);
613 fstrcpy(p
->dc
->domain
, lp_workgroup() );
615 p
->dc
->authenticated
= True
;
617 /* Store off the state so we can continue after client disconnect. */
619 secrets_store_schannel_session_info(p
->mem_ctx
,
623 status
= NT_STATUS_OK
;
627 *r
->out
.negotiate_flags
= srv_flgs
;
631 /*************************************************************************
632 _netr_ServerAuthenticate2
633 *************************************************************************/
635 NTSTATUS
_netr_ServerAuthenticate2(pipes_struct
*p
,
636 struct netr_ServerAuthenticate2
*r
)
638 struct netr_ServerAuthenticate3 a
;
641 a
.in
.server_name
= r
->in
.server_name
;
642 a
.in
.account_name
= r
->in
.account_name
;
643 a
.in
.secure_channel_type
= r
->in
.secure_channel_type
;
644 a
.in
.computer_name
= r
->in
.computer_name
;
645 a
.in
.credentials
= r
->in
.credentials
;
646 a
.in
.negotiate_flags
= r
->in
.negotiate_flags
;
648 a
.out
.return_credentials
= r
->out
.return_credentials
;
650 a
.out
.negotiate_flags
= r
->out
.negotiate_flags
;
652 return _netr_ServerAuthenticate3(p
, &a
);
655 /*************************************************************************
656 _netr_ServerPasswordSet
657 *************************************************************************/
659 NTSTATUS
_netr_ServerPasswordSet(pipes_struct
*p
,
660 struct netr_ServerPasswordSet
*r
)
662 NTSTATUS status
= NT_STATUS_OK
;
663 fstring remote_machine
;
664 struct samu
*sampass
=NULL
;
666 unsigned char pwd
[16];
669 struct netr_Authenticator cred_out
;
672 DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__
));
674 /* We need the remote machine name for the creds lookup. */
675 fstrcpy(remote_machine
, r
->in
.computer_name
);
677 if ( (lp_server_schannel() == True
) && (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) ) {
678 /* 'server schannel = yes' should enforce use of
679 schannel, the client did offer it in auth2, but
680 obviously did not use it. */
681 DEBUG(0,("_netr_ServerPasswordSet: client %s not using schannel for netlogon\n",
683 return NT_STATUS_ACCESS_DENIED
;
687 /* Restore the saved state of the netlogon creds. */
689 ret
= secrets_restore_schannel_session_info(p
, remote_machine
,
693 return NT_STATUS_INVALID_HANDLE
;
697 if (!p
->dc
|| !p
->dc
->authenticated
) {
698 return NT_STATUS_INVALID_HANDLE
;
701 DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
702 remote_machine
, p
->dc
->mach_acct
));
704 /* Step the creds chain forward. */
705 if (!netlogon_creds_server_step(p
->dc
, r
->in
.credential
, &cred_out
)) {
706 DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
707 "request from client %s machine account %s\n",
708 remote_machine
, p
->dc
->mach_acct
));
709 return NT_STATUS_INVALID_PARAMETER
;
712 /* We must store the creds state after an update. */
713 sampass
= samu_new( NULL
);
715 return NT_STATUS_NO_MEMORY
;
719 secrets_store_schannel_session_info(p
, remote_machine
, p
->dc
);
720 ret
= pdb_getsampwnam(sampass
, p
->dc
->mach_acct
);
724 TALLOC_FREE(sampass
);
725 return NT_STATUS_ACCESS_DENIED
;
728 /* Ensure the account exists and is a machine account. */
730 acct_ctrl
= pdb_get_acct_ctrl(sampass
);
732 if (!(acct_ctrl
& ACB_WSTRUST
||
733 acct_ctrl
& ACB_SVRTRUST
||
734 acct_ctrl
& ACB_DOMTRUST
)) {
735 TALLOC_FREE(sampass
);
736 return NT_STATUS_NO_SUCH_USER
;
739 if (pdb_get_acct_ctrl(sampass
) & ACB_DISABLED
) {
740 TALLOC_FREE(sampass
);
741 return NT_STATUS_ACCOUNT_DISABLED
;
744 des_crypt112_16(pwd
, r
->in
.new_password
->hash
, p
->dc
->sess_key
, 0);
746 DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
747 for(i
= 0; i
< sizeof(pwd
); i
++)
748 DEBUG(100,("%02X ", pwd
[i
]));
751 old_pw
= pdb_get_nt_passwd(sampass
);
753 if (old_pw
&& memcmp(pwd
, old_pw
, 16) == 0) {
754 /* Avoid backend modificiations and other fun if the
755 client changed the password to the *same thing* */
760 /* LM password should be NULL for machines */
761 if (!pdb_set_lanman_passwd(sampass
, NULL
, PDB_CHANGED
)) {
762 TALLOC_FREE(sampass
);
763 return NT_STATUS_NO_MEMORY
;
766 if (!pdb_set_nt_passwd(sampass
, pwd
, PDB_CHANGED
)) {
767 TALLOC_FREE(sampass
);
768 return NT_STATUS_NO_MEMORY
;
771 if (!pdb_set_pass_last_set_time(sampass
, time(NULL
), PDB_CHANGED
)) {
772 TALLOC_FREE(sampass
);
773 /* Not quite sure what this one qualifies as, but this will do */
774 return NT_STATUS_UNSUCCESSFUL
;
778 status
= pdb_update_sam_account(sampass
);
782 /* set up the LSA Server Password Set response */
784 memcpy(r
->out
.return_authenticator
, &cred_out
,
785 sizeof(*(r
->out
.return_authenticator
)));
787 TALLOC_FREE(sampass
);
791 /*************************************************************************
793 *************************************************************************/
795 NTSTATUS
_netr_LogonSamLogoff(pipes_struct
*p
,
796 struct netr_LogonSamLogoff
*r
)
798 if ( (lp_server_schannel() == True
) && (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) ) {
799 /* 'server schannel = yes' should enforce use of
800 schannel, the client did offer it in auth2, but
801 obviously did not use it. */
802 DEBUG(0,("_netr_LogonSamLogoff: client %s not using schannel for netlogon\n",
803 get_remote_machine_name() ));
804 return NT_STATUS_ACCESS_DENIED
;
808 /* Using the remote machine name for the creds store: */
809 /* r->in.computer_name */
812 /* Restore the saved state of the netlogon creds. */
816 ret
= secrets_restore_schannel_session_info(
817 p
, r
->in
.computer_name
, &p
->dc
);
820 return NT_STATUS_INVALID_HANDLE
;
824 if (!p
->dc
|| !p
->dc
->authenticated
) {
825 return NT_STATUS_INVALID_HANDLE
;
828 /* checks and updates credentials. creates reply credentials */
829 if (!netlogon_creds_server_step(p
->dc
, r
->in
.credential
, r
->out
.return_authenticator
)) {
830 DEBUG(2,("_netr_LogonSamLogoff: netlogon_creds_server_step failed. Rejecting auth "
831 "request from client %s machine account %s\n",
832 r
->in
.computer_name
, p
->dc
->mach_acct
));
833 return NT_STATUS_INVALID_PARAMETER
;
836 /* We must store the creds state after an update. */
838 secrets_store_schannel_session_info(p
, r
->in
.computer_name
, p
->dc
);
844 /*************************************************************************
846 *************************************************************************/
848 NTSTATUS
_netr_LogonSamLogon(pipes_struct
*p
,
849 struct netr_LogonSamLogon
*r
)
851 NTSTATUS status
= NT_STATUS_OK
;
852 struct netr_SamInfo3
*sam3
= NULL
;
853 union netr_LogonLevel
*logon
= r
->in
.logon
;
854 fstring nt_username
, nt_domain
, nt_workstation
;
855 auth_usersupplied_info
*user_info
= NULL
;
856 auth_serversupplied_info
*server_info
= NULL
;
857 struct auth_context
*auth_context
= NULL
;
858 uint8_t pipe_session_key
[16];
859 bool process_creds
= true;
862 switch (p
->hdr_req
.opnum
) {
863 case NDR_NETR_LOGONSAMLOGON
:
864 process_creds
= true;
865 fn
= "_netr_LogonSamLogon";
867 case NDR_NETR_LOGONSAMLOGONEX
:
868 fn
= "_netr_LogonSamLogonEx";
871 process_creds
= false;
874 if ( (lp_server_schannel() == True
) && (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) ) {
875 /* 'server schannel = yes' should enforce use of
876 schannel, the client did offer it in auth2, but
877 obviously did not use it. */
878 DEBUG(0,("%s: client %s not using schannel for netlogon\n",
879 fn
, get_remote_machine_name() ));
880 return NT_STATUS_ACCESS_DENIED
;
883 *r
->out
.authoritative
= true; /* authoritative response */
884 if (r
->in
.validation_level
!= 2 && r
->in
.validation_level
!= 3) {
885 DEBUG(0,("%s: bad validation_level value %d.\n",
886 fn
, (int)r
->in
.validation_level
));
887 return NT_STATUS_INVALID_INFO_CLASS
;
890 sam3
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_SamInfo3
);
892 return NT_STATUS_NO_MEMORY
;
895 /* store the user information, if there is any. */
896 r
->out
.validation
->sam3
= sam3
;
900 /* Get the remote machine name for the creds store. */
901 /* Note this is the remote machine this request is coming from (member server),
902 not neccessarily the workstation name the user is logging onto.
906 /* Restore the saved state of the netlogon creds. */
910 ret
= secrets_restore_schannel_session_info(
911 p
, r
->in
.computer_name
, &p
->dc
);
914 return NT_STATUS_INVALID_HANDLE
;
918 if (!p
->dc
|| !p
->dc
->authenticated
) {
919 return NT_STATUS_INVALID_HANDLE
;
922 /* checks and updates credentials. creates reply credentials */
923 if (!netlogon_creds_server_step(p
->dc
, r
->in
.credential
, r
->out
.return_authenticator
)) {
924 DEBUG(2,("%s: creds_server_step failed. Rejecting auth "
925 "request from client %s machine account %s\n",
926 fn
, r
->in
.computer_name
, p
->dc
->mach_acct
));
927 return NT_STATUS_INVALID_PARAMETER
;
930 /* We must store the creds state after an update. */
932 secrets_store_schannel_session_info(p
, r
->in
.computer_name
, p
->dc
);
936 switch (r
->in
.logon_level
) {
937 case NetlogonInteractiveInformation
:
939 logon
->password
->identity_info
.account_name
.string
);
941 logon
->password
->identity_info
.domain_name
.string
);
942 fstrcpy(nt_workstation
,
943 logon
->password
->identity_info
.workstation
.string
);
945 DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
947 case NetlogonNetworkInformation
:
949 logon
->network
->identity_info
.account_name
.string
);
951 logon
->network
->identity_info
.domain_name
.string
);
952 fstrcpy(nt_workstation
,
953 logon
->network
->identity_info
.workstation
.string
);
955 DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
958 DEBUG(2,("SAM Logon: unsupported switch value\n"));
959 return NT_STATUS_INVALID_INFO_CLASS
;
962 DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username
, nt_workstation
, nt_domain
));
963 fstrcpy(current_user_info
.smb_name
, nt_username
);
964 sub_set_smb_name(nt_username
);
966 DEBUG(5,("Attempting validation level %d for unmapped username %s.\n",
967 r
->in
.validation_level
, nt_username
));
969 status
= NT_STATUS_OK
;
971 switch (r
->in
.logon_level
) {
972 case NetlogonNetworkInformation
:
974 const char *wksname
= nt_workstation
;
976 status
= make_auth_context_fixed(&auth_context
,
977 logon
->network
->challenge
);
978 if (!NT_STATUS_IS_OK(status
)) {
982 /* For a network logon, the workstation name comes in with two
983 * backslashes in the front. Strip them if they are there. */
985 if (*wksname
== '\\') wksname
++;
986 if (*wksname
== '\\') wksname
++;
988 /* Standard challenge/response authenticaion */
989 if (!make_user_info_netlogon_network(&user_info
,
990 nt_username
, nt_domain
,
992 logon
->network
->identity_info
.parameter_control
,
993 logon
->network
->lm
.data
,
994 logon
->network
->lm
.length
,
995 logon
->network
->nt
.data
,
996 logon
->network
->nt
.length
)) {
997 status
= NT_STATUS_NO_MEMORY
;
1001 case NetlogonInteractiveInformation
:
1002 /* 'Interactive' authentication, supplies the password in its
1003 MD4 form, encrypted with the session key. We will convert
1004 this to challenge/response for the auth subsystem to chew
1009 if (!NT_STATUS_IS_OK(status
= make_auth_context_subsystem(&auth_context
))) {
1013 auth_context
->get_ntlm_challenge(auth_context
, chal
);
1015 if (!make_user_info_netlogon_interactive(&user_info
,
1016 nt_username
, nt_domain
,
1018 logon
->password
->identity_info
.parameter_control
,
1020 logon
->password
->lmpassword
.hash
,
1021 logon
->password
->ntpassword
.hash
,
1023 status
= NT_STATUS_NO_MEMORY
;
1028 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1029 return NT_STATUS_INVALID_INFO_CLASS
;
1032 if ( NT_STATUS_IS_OK(status
) ) {
1033 status
= auth_context
->check_ntlm_password(auth_context
,
1034 user_info
, &server_info
);
1037 (auth_context
->free
)(&auth_context
);
1038 free_user_info(&user_info
);
1040 DEBUG(5,("%s: check_password returned status %s\n",
1041 fn
, nt_errstr(status
)));
1043 /* Check account and password */
1045 if (!NT_STATUS_IS_OK(status
)) {
1046 /* If we don't know what this domain is, we need to
1047 indicate that we are not authoritative. This
1048 allows the client to decide if it needs to try
1049 a local user. Fix by jpjanosi@us.ibm.com, #2976 */
1050 if ( NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)
1051 && !strequal(nt_domain
, get_global_sam_name())
1052 && !is_trusted_domain(nt_domain
) )
1053 *r
->out
.authoritative
= false; /* We are not authoritative */
1055 TALLOC_FREE(server_info
);
1059 if (server_info
->guest
) {
1060 /* We don't like guest domain logons... */
1061 DEBUG(5,("%s: Attempted domain logon as GUEST "
1063 TALLOC_FREE(server_info
);
1064 return NT_STATUS_LOGON_FAILURE
;
1067 /* This is the point at which, if the login was successful, that
1068 the SAM Local Security Authority should record that the user is
1069 logged in to the domain. */
1071 if (process_creds
) {
1072 /* Get the pipe session key from the creds. */
1073 memcpy(pipe_session_key
, p
->dc
->sess_key
, 16);
1075 /* Get the pipe session key from the schannel. */
1076 if ((p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
)
1077 || (p
->auth
.a_u
.schannel_auth
== NULL
)) {
1078 return NT_STATUS_INVALID_HANDLE
;
1080 memcpy(pipe_session_key
, p
->auth
.a_u
.schannel_auth
->sess_key
, 16);
1083 status
= serverinfo_to_SamInfo3(server_info
, pipe_session_key
, 16, sam3
);
1084 TALLOC_FREE(server_info
);
1088 /*************************************************************************
1089 _netr_LogonSamLogonEx
1090 - no credential chaining. Map into net sam logon.
1091 *************************************************************************/
1093 NTSTATUS
_netr_LogonSamLogonEx(pipes_struct
*p
,
1094 struct netr_LogonSamLogonEx
*r
)
1096 struct netr_LogonSamLogon q
;
1098 /* Only allow this if the pipe is protected. */
1099 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) {
1100 DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
1101 get_remote_machine_name() ));
1102 return NT_STATUS_INVALID_PARAMETER
;
1105 q
.in
.server_name
= r
->in
.server_name
;
1106 q
.in
.computer_name
= r
->in
.computer_name
;
1107 q
.in
.logon_level
= r
->in
.logon_level
;
1108 q
.in
.logon
= r
->in
.logon
;
1109 q
.in
.validation_level
= r
->in
.validation_level
;
1110 /* we do not handle the flags */
1111 /* = r->in.flags; */
1113 q
.out
.validation
= r
->out
.validation
;
1114 q
.out
.authoritative
= r
->out
.authoritative
;
1115 /* we do not handle the flags */
1116 /* = r->out.flags; */
1118 return _netr_LogonSamLogon(p
, &q
);
1121 /*************************************************************************
1123 *************************************************************************/
1124 #if 0 /* JERRY -- not correct */
1125 NTSTATUS
_ds_enum_dom_trusts(pipes_struct
*p
, DS_Q_ENUM_DOM_TRUSTS
*q_u
,
1126 DS_R_ENUM_DOM_TRUSTS
*r_u
)
1128 NTSTATUS status
= NT_STATUS_OK
;
1130 /* TODO: According to MSDN, the can only be executed against a
1131 DC or domain member running Windows 2000 or later. Need
1132 to test against a standalone 2k server and see what it
1133 does. A windows 2000 DC includes its own domain in the
1141 /****************************************************************
1142 ****************************************************************/
1144 WERROR
_netr_LogonUasLogon(pipes_struct
*p
,
1145 struct netr_LogonUasLogon
*r
)
1147 p
->rng_fault_state
= true;
1148 return WERR_NOT_SUPPORTED
;
1151 /****************************************************************
1152 ****************************************************************/
1154 WERROR
_netr_LogonUasLogoff(pipes_struct
*p
,
1155 struct netr_LogonUasLogoff
*r
)
1157 p
->rng_fault_state
= true;
1158 return WERR_NOT_SUPPORTED
;
1161 /****************************************************************
1162 ****************************************************************/
1164 NTSTATUS
_netr_DatabaseDeltas(pipes_struct
*p
,
1165 struct netr_DatabaseDeltas
*r
)
1167 p
->rng_fault_state
= true;
1168 return NT_STATUS_NOT_IMPLEMENTED
;
1171 /****************************************************************
1172 ****************************************************************/
1174 NTSTATUS
_netr_DatabaseSync(pipes_struct
*p
,
1175 struct netr_DatabaseSync
*r
)
1177 p
->rng_fault_state
= true;
1178 return NT_STATUS_NOT_IMPLEMENTED
;
1181 /****************************************************************
1182 ****************************************************************/
1184 NTSTATUS
_netr_AccountDeltas(pipes_struct
*p
,
1185 struct netr_AccountDeltas
*r
)
1187 p
->rng_fault_state
= true;
1188 return NT_STATUS_NOT_IMPLEMENTED
;
1191 /****************************************************************
1192 ****************************************************************/
1194 NTSTATUS
_netr_AccountSync(pipes_struct
*p
,
1195 struct netr_AccountSync
*r
)
1197 p
->rng_fault_state
= true;
1198 return NT_STATUS_NOT_IMPLEMENTED
;
1201 /****************************************************************
1202 ****************************************************************/
1204 WERROR
_netr_GetDcName(pipes_struct
*p
,
1205 struct netr_GetDcName
*r
)
1207 p
->rng_fault_state
= true;
1208 return WERR_NOT_SUPPORTED
;
1211 /****************************************************************
1212 ****************************************************************/
1214 WERROR
_netr_GetAnyDCName(pipes_struct
*p
,
1215 struct netr_GetAnyDCName
*r
)
1217 p
->rng_fault_state
= true;
1218 return WERR_NOT_SUPPORTED
;
1221 /****************************************************************
1222 ****************************************************************/
1224 NTSTATUS
_netr_DatabaseSync2(pipes_struct
*p
,
1225 struct netr_DatabaseSync2
*r
)
1227 p
->rng_fault_state
= true;
1228 return NT_STATUS_NOT_IMPLEMENTED
;
1231 /****************************************************************
1232 ****************************************************************/
1234 NTSTATUS
_netr_DatabaseRedo(pipes_struct
*p
,
1235 struct netr_DatabaseRedo
*r
)
1237 p
->rng_fault_state
= true;
1238 return NT_STATUS_NOT_IMPLEMENTED
;
1241 /****************************************************************
1242 ****************************************************************/
1244 WERROR
_netr_DsRGetDCName(pipes_struct
*p
,
1245 struct netr_DsRGetDCName
*r
)
1247 p
->rng_fault_state
= true;
1248 return WERR_NOT_SUPPORTED
;
1251 /****************************************************************
1252 ****************************************************************/
1254 NTSTATUS
_netr_LogonGetCapabilities(pipes_struct
*p
,
1255 struct netr_LogonGetCapabilities
*r
)
1257 return NT_STATUS_NOT_IMPLEMENTED
;
1260 /****************************************************************
1261 ****************************************************************/
1263 WERROR
_netr_NETRLOGONSETSERVICEBITS(pipes_struct
*p
,
1264 struct netr_NETRLOGONSETSERVICEBITS
*r
)
1266 p
->rng_fault_state
= true;
1267 return WERR_NOT_SUPPORTED
;
1270 /****************************************************************
1271 ****************************************************************/
1273 WERROR
_netr_LogonGetTrustRid(pipes_struct
*p
,
1274 struct netr_LogonGetTrustRid
*r
)
1276 p
->rng_fault_state
= true;
1277 return WERR_NOT_SUPPORTED
;
1280 /****************************************************************
1281 ****************************************************************/
1283 WERROR
_netr_NETRLOGONCOMPUTESERVERDIGEST(pipes_struct
*p
,
1284 struct netr_NETRLOGONCOMPUTESERVERDIGEST
*r
)
1286 p
->rng_fault_state
= true;
1287 return WERR_NOT_SUPPORTED
;
1290 /****************************************************************
1291 ****************************************************************/
1293 WERROR
_netr_NETRLOGONCOMPUTECLIENTDIGEST(pipes_struct
*p
,
1294 struct netr_NETRLOGONCOMPUTECLIENTDIGEST
*r
)
1296 p
->rng_fault_state
= true;
1297 return WERR_NOT_SUPPORTED
;
1300 /****************************************************************
1301 ****************************************************************/
1303 WERROR
_netr_DsRGetDCNameEx(pipes_struct
*p
,
1304 struct netr_DsRGetDCNameEx
*r
)
1306 p
->rng_fault_state
= true;
1307 return WERR_NOT_SUPPORTED
;
1310 /****************************************************************
1311 ****************************************************************/
1313 WERROR
_netr_DsRGetSiteName(pipes_struct
*p
,
1314 struct netr_DsRGetSiteName
*r
)
1316 p
->rng_fault_state
= true;
1317 return WERR_NOT_SUPPORTED
;
1320 /****************************************************************
1321 ****************************************************************/
1323 NTSTATUS
_netr_LogonGetDomainInfo(pipes_struct
*p
,
1324 struct netr_LogonGetDomainInfo
*r
)
1326 p
->rng_fault_state
= true;
1327 return NT_STATUS_NOT_IMPLEMENTED
;
1330 /****************************************************************
1331 ****************************************************************/
1333 NTSTATUS
_netr_ServerPasswordSet2(pipes_struct
*p
,
1334 struct netr_ServerPasswordSet2
*r
)
1336 p
->rng_fault_state
= true;
1337 return NT_STATUS_NOT_IMPLEMENTED
;
1340 /****************************************************************
1341 ****************************************************************/
1343 WERROR
_netr_ServerPasswordGet(pipes_struct
*p
,
1344 struct netr_ServerPasswordGet
*r
)
1346 p
->rng_fault_state
= true;
1347 return WERR_NOT_SUPPORTED
;
1350 /****************************************************************
1351 ****************************************************************/
1353 WERROR
_netr_NETRLOGONSENDTOSAM(pipes_struct
*p
,
1354 struct netr_NETRLOGONSENDTOSAM
*r
)
1356 p
->rng_fault_state
= true;
1357 return WERR_NOT_SUPPORTED
;
1360 /****************************************************************
1361 ****************************************************************/
1363 WERROR
_netr_DsRAddressToSitenamesW(pipes_struct
*p
,
1364 struct netr_DsRAddressToSitenamesW
*r
)
1366 p
->rng_fault_state
= true;
1367 return WERR_NOT_SUPPORTED
;
1370 /****************************************************************
1371 ****************************************************************/
1373 WERROR
_netr_DsRGetDCNameEx2(pipes_struct
*p
,
1374 struct netr_DsRGetDCNameEx2
*r
)
1376 p
->rng_fault_state
= true;
1377 return WERR_NOT_SUPPORTED
;
1380 /****************************************************************
1381 ****************************************************************/
1383 WERROR
_netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(pipes_struct
*p
,
1384 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN
*r
)
1386 p
->rng_fault_state
= true;
1387 return WERR_NOT_SUPPORTED
;
1390 /****************************************************************
1391 ****************************************************************/
1393 WERROR
_netr_NetrEnumerateTrustedDomainsEx(pipes_struct
*p
,
1394 struct netr_NetrEnumerateTrustedDomainsEx
*r
)
1396 p
->rng_fault_state
= true;
1397 return WERR_NOT_SUPPORTED
;
1400 /****************************************************************
1401 ****************************************************************/
1403 WERROR
_netr_DsRAddressToSitenamesExW(pipes_struct
*p
,
1404 struct netr_DsRAddressToSitenamesExW
*r
)
1406 p
->rng_fault_state
= true;
1407 return WERR_NOT_SUPPORTED
;
1410 /****************************************************************
1411 ****************************************************************/
1413 WERROR
_netr_DsrGetDcSiteCoverageW(pipes_struct
*p
,
1414 struct netr_DsrGetDcSiteCoverageW
*r
)
1416 p
->rng_fault_state
= true;
1417 return WERR_NOT_SUPPORTED
;
1420 /****************************************************************
1421 ****************************************************************/
1423 WERROR
_netr_DsrEnumerateDomainTrusts(pipes_struct
*p
,
1424 struct netr_DsrEnumerateDomainTrusts
*r
)
1426 p
->rng_fault_state
= true;
1427 return WERR_NOT_SUPPORTED
;
1430 /****************************************************************
1431 ****************************************************************/
1433 WERROR
_netr_DsrDeregisterDNSHostRecords(pipes_struct
*p
,
1434 struct netr_DsrDeregisterDNSHostRecords
*r
)
1436 p
->rng_fault_state
= true;
1437 return WERR_NOT_SUPPORTED
;
1440 /****************************************************************
1441 ****************************************************************/
1443 NTSTATUS
_netr_ServerTrustPasswordsGet(pipes_struct
*p
,
1444 struct netr_ServerTrustPasswordsGet
*r
)
1446 p
->rng_fault_state
= true;
1447 return NT_STATUS_NOT_IMPLEMENTED
;
1450 /****************************************************************
1451 ****************************************************************/
1453 WERROR
_netr_DsRGetForestTrustInformation(pipes_struct
*p
,
1454 struct netr_DsRGetForestTrustInformation
*r
)
1456 p
->rng_fault_state
= true;
1457 return WERR_NOT_SUPPORTED
;
1460 /****************************************************************
1461 ****************************************************************/
1463 WERROR
_netr_GetForestTrustInformation(pipes_struct
*p
,
1464 struct netr_GetForestTrustInformation
*r
)
1466 p
->rng_fault_state
= true;
1467 return WERR_NOT_SUPPORTED
;
1470 /****************************************************************
1471 ****************************************************************/
1473 NTSTATUS
_netr_LogonSamLogonWithFlags(pipes_struct
*p
,
1474 struct netr_LogonSamLogonWithFlags
*r
)
1476 p
->rng_fault_state
= true;
1477 return NT_STATUS_NOT_IMPLEMENTED
;
1480 /****************************************************************
1481 ****************************************************************/
1483 NTSTATUS
_netr_ServerGetTrustInfo(pipes_struct
*p
,
1484 struct netr_ServerGetTrustInfo
*r
)
1486 p
->rng_fault_state
= true;
1487 return NT_STATUS_NOT_IMPLEMENTED
;