search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:"dns_update_list" file: install it properly into the private directory
[Samba/cd1.git] / source3 / rpc_server / srv_netlog_nt.c
blobb9bfda9a83bbbaa6c062f28a9825d088a7be2760
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997.
7 * Copyright (C) Jeremy Allison 1998-2001.
8 * Copyright (C) Andrew Bartlett 2001.
9 * Copyright (C) Guenther Deschner 2008-2009.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 */
24
25 /* This is the implementation of the netlogon pipe. */
26
27 #include "includes.h"
28 #include "../libcli/auth/schannel.h"
29 #include "../librpc/gen_ndr/srv_netlogon.h"
30
31 extern userdom_struct current_user_info;
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_RPC_SRV
35
36 struct netlogon_server_pipe_state {
37 struct netr_Credential client_challenge;
38 struct netr_Credential server_challenge;
39 };
40
41 /*************************************************************************
42 _netr_LogonControl
43 *************************************************************************/
44
45 WERROR _netr_LogonControl(pipes_struct *p,
46 struct netr_LogonControl *r)
47 {
48 struct netr_LogonControl2Ex l;
49
50 switch (r->in.level) {
51 case 1:
52 break;
53 case 2:
54 return WERR_NOT_SUPPORTED;
55 default:
56 return WERR_UNKNOWN_LEVEL;
57 }
58
59 l.in.logon_server = r->in.logon_server;
60 l.in.function_code = r->in.function_code;
61 l.in.level = r->in.level;
62 l.in.data = NULL;
63 l.out.query = r->out.query;
64
65 return _netr_LogonControl2Ex(p, &l);
66 }
67
68 /****************************************************************************
69 Send a message to smbd to do a sam synchronisation
70 **************************************************************************/
71
72 static void send_sync_message(void)
73 {
74 DEBUG(3, ("sending sam synchronisation message\n"));
75 message_send_all(smbd_messaging_context(), MSG_SMB_SAM_SYNC, NULL, 0,
76 NULL);
77 }
78
79 /*************************************************************************
80 _netr_LogonControl2
81 *************************************************************************/
82
83 WERROR _netr_LogonControl2(pipes_struct *p,
84 struct netr_LogonControl2 *r)
85 {
86 struct netr_LogonControl2Ex l;
87
88 l.in.logon_server = r->in.logon_server;
89 l.in.function_code = r->in.function_code;
90 l.in.level = r->in.level;
91 l.in.data = r->in.data;
92 l.out.query = r->out.query;
93
94 return _netr_LogonControl2Ex(p, &l);
95 }
96
97 /*************************************************************************
98 *************************************************************************/
99
100 static bool wb_change_trust_creds(const char *domain, WERROR *tc_status)
101 {
102 wbcErr result;
103 struct wbcAuthErrorInfo *error = NULL;
104
105 result = wbcChangeTrustCredentials(domain, &error);
106 switch (result) {
107 case WBC_ERR_WINBIND_NOT_AVAILABLE:
108 return false;
109 case WBC_ERR_DOMAIN_NOT_FOUND:
110 *tc_status = WERR_NO_SUCH_DOMAIN;
111 return true;
112 case WBC_ERR_SUCCESS:
113 *tc_status = WERR_OK;
114 return true;
115 default:
116 break;
117 }
118
119 if (error && error->nt_status != 0) {
120 *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
121 } else {
122 *tc_status = WERR_TRUST_FAILURE;
123 }
124 wbcFreeMemory(error);
125 return true;
126 }
127
128 /*************************************************************************
129 *************************************************************************/
130
131 static bool wb_check_trust_creds(const char *domain, WERROR *tc_status)
132 {
133 wbcErr result;
134 struct wbcAuthErrorInfo *error = NULL;
135
136 result = wbcCheckTrustCredentials(domain, &error);
137 switch (result) {
138 case WBC_ERR_WINBIND_NOT_AVAILABLE:
139 return false;
140 case WBC_ERR_DOMAIN_NOT_FOUND:
141 *tc_status = WERR_NO_SUCH_DOMAIN;
142 return true;
143 case WBC_ERR_SUCCESS:
144 *tc_status = WERR_OK;
145 return true;
146 default:
147 break;
148 }
149
150 if (error && error->nt_status != 0) {
151 *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
152 } else {
153 *tc_status = WERR_TRUST_FAILURE;
154 }
155 wbcFreeMemory(error);
156 return true;
157 }
158
159 /****************************************************************
160 _netr_LogonControl2Ex
161 ****************************************************************/
162
163 WERROR _netr_LogonControl2Ex(pipes_struct *p,
164 struct netr_LogonControl2Ex *r)
165 {
166 uint32_t flags = 0x0;
167 WERROR pdc_connection_status = WERR_OK;
168 uint32_t logon_attempts = 0x0;
169 WERROR tc_status;
170 fstring dc_name2;
171 const char *dc_name = NULL;
172 struct sockaddr_storage dc_ss;
173 const char *domain = NULL;
174 struct netr_NETLOGON_INFO_1 *info1;
175 struct netr_NETLOGON_INFO_2 *info2;
176 struct netr_NETLOGON_INFO_3 *info3;
177 struct netr_NETLOGON_INFO_4 *info4;
178 const char *fn;
179 uint32_t acct_ctrl;
180
181 switch (p->hdr_req.opnum) {
182 case NDR_NETR_LOGONCONTROL:
183 fn = "_netr_LogonControl";
184 break;
185 case NDR_NETR_LOGONCONTROL2:
186 fn = "_netr_LogonControl2";
187 break;
188 case NDR_NETR_LOGONCONTROL2EX:
189 fn = "_netr_LogonControl2Ex";
190 break;
191 default:
192 return WERR_INVALID_PARAM;
193 }
194
195 acct_ctrl = pdb_get_acct_ctrl(p->server_info->sam_account);
196
197 switch (r->in.function_code) {
198 case NETLOGON_CONTROL_TC_VERIFY:
199 case NETLOGON_CONTROL_CHANGE_PASSWORD:
200 case NETLOGON_CONTROL_REDISCOVER:
201 if ((geteuid() != sec_initial_uid()) &&
202 !nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_RID_ADMINS) &&
203 !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok) &&
204 !(acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST))) {
205 return WERR_ACCESS_DENIED;
206 }
207 break;
208 default:
209 break;
210 }
211
212 tc_status = WERR_NO_SUCH_DOMAIN;
213
214 switch (r->in.function_code) {
215 case NETLOGON_CONTROL_QUERY:
216 tc_status = WERR_OK;
217 break;
218 case NETLOGON_CONTROL_REPLICATE:
219 case NETLOGON_CONTROL_SYNCHRONIZE:
220 case NETLOGON_CONTROL_PDC_REPLICATE:
221 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
222 case NETLOGON_CONTROL_BREAKPOINT:
223 if (acct_ctrl & ACB_NORMAL) {
224 return WERR_NOT_SUPPORTED;
225 } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
226 return WERR_ACCESS_DENIED;
227 } else {
228 return WERR_ACCESS_DENIED;
229 }
230 case NETLOGON_CONTROL_TRUNCATE_LOG:
231 if (acct_ctrl & ACB_NORMAL) {
232 break;
233 } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
234 return WERR_ACCESS_DENIED;
235 } else {
236 return WERR_ACCESS_DENIED;
237 }
238
239 case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
240 case NETLOGON_CONTROL_FORCE_DNS_REG:
241 case NETLOGON_CONTROL_QUERY_DNS_REG:
242 return WERR_NOT_SUPPORTED;
243 case NETLOGON_CONTROL_FIND_USER:
244 if (!r->in.data || !r->in.data->user) {
245 return WERR_NOT_SUPPORTED;
246 }
247 break;
248 case NETLOGON_CONTROL_SET_DBFLAG:
249 if (!r->in.data) {
250 return WERR_NOT_SUPPORTED;
251 }
252 break;
253 case NETLOGON_CONTROL_TC_VERIFY:
254 if (!r->in.data || !r->in.data->domain) {
255 return WERR_NOT_SUPPORTED;
256 }
257
258 if (!wb_check_trust_creds(r->in.data->domain, &tc_status)) {
259 return WERR_NOT_SUPPORTED;
260 }
261 break;
262 case NETLOGON_CONTROL_TC_QUERY:
263 if (!r->in.data || !r->in.data->domain) {
264 return WERR_NOT_SUPPORTED;
265 }
266
267 domain = r->in.data->domain;
268
269 if (!is_trusted_domain(domain)) {
270 break;
271 }
272
273 if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
274 tc_status = WERR_NO_LOGON_SERVERS;
275 break;
276 }
277
278 dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
279 if (!dc_name) {
280 return WERR_NOMEM;
281 }
282
283 tc_status = WERR_OK;
284
285 break;
286
287 case NETLOGON_CONTROL_REDISCOVER:
288 if (!r->in.data || !r->in.data->domain) {
289 return WERR_NOT_SUPPORTED;
290 }
291
292 domain = r->in.data->domain;
293
294 if (!is_trusted_domain(domain)) {
295 break;
296 }
297
298 if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
299 tc_status = WERR_NO_LOGON_SERVERS;
300 break;
301 }
302
303 dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
304 if (!dc_name) {
305 return WERR_NOMEM;
306 }
307
308 tc_status = WERR_OK;
309
310 break;
311
312 case NETLOGON_CONTROL_CHANGE_PASSWORD:
313 if (!r->in.data || !r->in.data->domain) {
314 return WERR_NOT_SUPPORTED;
315 }
316
317 if (!wb_change_trust_creds(r->in.data->domain, &tc_status)) {
318 return WERR_NOT_SUPPORTED;
319 }
320 break;
321
322 default:
323 /* no idea what this should be */
324 DEBUG(0,("%s: unimplemented function level [%d]\n",
325 fn, r->in.function_code));
326 return WERR_UNKNOWN_LEVEL;
327 }
328
329 /* prepare the response */
330
331 switch (r->in.level) {
332 case 1:
333 info1 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_1);
334 W_ERROR_HAVE_NO_MEMORY(info1);
335
336 info1->flags = flags;
337 info1->pdc_connection_status = pdc_connection_status;
338
339 r->out.query->info1 = info1;
340 break;
341 case 2:
342 info2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_2);
343 W_ERROR_HAVE_NO_MEMORY(info2);
344
345 info2->flags = flags;
346 info2->pdc_connection_status = pdc_connection_status;
347 info2->trusted_dc_name = dc_name;
348 info2->tc_connection_status = tc_status;
349
350 r->out.query->info2 = info2;
351 break;
352 case 3:
353 info3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_3);
354 W_ERROR_HAVE_NO_MEMORY(info3);
355
356 info3->flags = flags;
357 info3->logon_attempts = logon_attempts;
358
359 r->out.query->info3 = info3;
360 break;
361 case 4:
362 info4 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_4);
363 W_ERROR_HAVE_NO_MEMORY(info4);
364
365 info4->trusted_dc_name = dc_name;
366 info4->trusted_domain_name = r->in.data->domain;
367
368 r->out.query->info4 = info4;
369 break;
370 default:
371 return WERR_UNKNOWN_LEVEL;
372 }
373
374 if (lp_server_role() == ROLE_DOMAIN_BDC) {
375 send_sync_message();
376 }
377
378 return WERR_OK;
379 }
380
381 /*************************************************************************
382 _netr_NetrEnumerateTrustedDomains
383 *************************************************************************/
384
385 WERROR _netr_NetrEnumerateTrustedDomains(pipes_struct *p,
386 struct netr_NetrEnumerateTrustedDomains *r)
387 {
388 NTSTATUS status;
389 DATA_BLOB blob;
390 struct trustdom_info **domains;
391 uint32_t num_domains;
392 const char **trusted_domains;
393 int i;
394
395 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
396
397 /* set up the Trusted Domain List response */
398
399 become_root();
400 status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
401 unbecome_root();
402
403 if (!NT_STATUS_IS_OK(status)) {
404 return ntstatus_to_werror(status);
405 }
406
407 trusted_domains = talloc_zero_array(p->mem_ctx, const char *, num_domains + 1);
408 if (!trusted_domains) {
409 return WERR_NOMEM;
410 }
411
412 for (i = 0; i < num_domains; i++) {
413 trusted_domains[i] = talloc_strdup(trusted_domains, domains[i]->name);
414 if (!trusted_domains[i]) {
415 TALLOC_FREE(trusted_domains);
416 return WERR_NOMEM;
417 }
418 }
419
420 if (!push_reg_multi_sz(trusted_domains, &blob, trusted_domains)) {
421 TALLOC_FREE(trusted_domains);
422 return WERR_NOMEM;
423 }
424
425 r->out.trusted_domains_blob->data = blob.data;
426 r->out.trusted_domains_blob->length = blob.length;
427
428 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
429
430 return WERR_OK;
431 }
432
433 /******************************************************************
434 gets a machine password entry. checks access rights of the host.
435 ******************************************************************/
436
437 static NTSTATUS get_md4pw(struct samr_Password *md4pw, const char *mach_acct,
438 enum netr_SchannelType sec_chan_type, struct dom_sid *sid)
439 {
440 struct samu *sampass = NULL;
441 const uint8 *pass;
442 bool ret;
443 uint32 acct_ctrl;
444
445 #if 0
446 char addr[INET6_ADDRSTRLEN];
447
448 /*
449 * Currently this code is redundent as we already have a filter
450 * by hostname list. What this code really needs to do is to
451 * get a hosts allowed/hosts denied list from the SAM database
452 * on a per user basis, and make the access decision there.
453 * I will leave this code here for now as a reminder to implement
454 * this at a later date. JRA.
455 */
456
457 if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
458 client_name(get_client_fd()),
459 client_addr(get_client_fd(),addr,sizeof(addr)))) {
460 DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct));
461 return False;
462 }
463 #endif /* 0 */
464
465 if ( !(sampass = samu_new( NULL )) ) {
466 return NT_STATUS_NO_MEMORY;
467 }
468
469 /* JRA. This is ok as it is only used for generating the challenge. */
470 become_root();
471 ret = pdb_getsampwnam(sampass, mach_acct);
472 unbecome_root();
473
474 if (!ret) {
475 DEBUG(0,("get_md4pw: Workstation %s: no account in domain\n", mach_acct));
476 TALLOC_FREE(sampass);
477 return NT_STATUS_ACCESS_DENIED;
478 }
479
480 acct_ctrl = pdb_get_acct_ctrl(sampass);
481 if (acct_ctrl & ACB_DISABLED) {
482 DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct));
483 TALLOC_FREE(sampass);
484 return NT_STATUS_ACCOUNT_DISABLED;
485 }
486
487 if (!(acct_ctrl & ACB_SVRTRUST) &&
488 !(acct_ctrl & ACB_WSTRUST) &&
489 !(acct_ctrl & ACB_DOMTRUST))
490 {
491 DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct));
492 TALLOC_FREE(sampass);
493 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
494 }
495
496 switch (sec_chan_type) {
497 case SEC_CHAN_BDC:
498 if (!(acct_ctrl & ACB_SVRTRUST)) {
499 DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
500 "but not a server trust account\n", mach_acct));
501 TALLOC_FREE(sampass);
502 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
503 }
504 break;
505 case SEC_CHAN_WKSTA:
506 if (!(acct_ctrl & ACB_WSTRUST)) {
507 DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
508 "but not a workstation trust account\n", mach_acct));
509 TALLOC_FREE(sampass);
510 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
511 }
512 break;
513 case SEC_CHAN_DOMAIN:
514 if (!(acct_ctrl & ACB_DOMTRUST)) {
515 DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
516 "but not a interdomain trust account\n", mach_acct));
517 TALLOC_FREE(sampass);
518 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
519 }
520 break;
521 default:
522 break;
523 }
524
525 if ((pass = pdb_get_nt_passwd(sampass)) == NULL) {
526 DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct));
527 TALLOC_FREE(sampass);
528 return NT_STATUS_LOGON_FAILURE;
529 }
530
531 memcpy(md4pw->hash, pass, 16);
532 dump_data(5, md4pw->hash, 16);
533
534 sid_copy(sid, pdb_get_user_sid(sampass));
535
536 TALLOC_FREE(sampass);
537
538 return NT_STATUS_OK;
539
540
541 }
542
543 /*************************************************************************
544 _netr_ServerReqChallenge
545 *************************************************************************/
546
547 NTSTATUS _netr_ServerReqChallenge(pipes_struct *p,
548 struct netr_ServerReqChallenge *r)
549 {
550 struct netlogon_server_pipe_state *pipe_state =
551 talloc_get_type(p->private_data, struct netlogon_server_pipe_state);
552
553 if (pipe_state) {
554 DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));
555 talloc_free(pipe_state);
556 p->private_data = NULL;
557 }
558
559 pipe_state = talloc(p, struct netlogon_server_pipe_state);
560 NT_STATUS_HAVE_NO_MEMORY(pipe_state);
561
562 pipe_state->client_challenge = *r->in.credentials;
563
564 generate_random_buffer(pipe_state->server_challenge.data,
565 sizeof(pipe_state->server_challenge.data));
566
567 *r->out.return_credentials = pipe_state->server_challenge;
568
569 p->private_data = pipe_state;
570
571 return NT_STATUS_OK;
572 }
573
574 /*************************************************************************
575 _netr_ServerAuthenticate
576 Create the initial credentials.
577 *************************************************************************/
578
579 NTSTATUS _netr_ServerAuthenticate(pipes_struct *p,
580 struct netr_ServerAuthenticate *r)
581 {
582 struct netr_ServerAuthenticate3 a;
583 uint32_t negotiate_flags = 0;
584 uint32_t rid;
585
586 a.in.server_name = r->in.server_name;
587 a.in.account_name = r->in.account_name;
588 a.in.secure_channel_type = r->in.secure_channel_type;
589 a.in.computer_name = r->in.computer_name;
590 a.in.credentials = r->in.credentials;
591 a.in.negotiate_flags = &negotiate_flags;
592
593 a.out.return_credentials = r->out.return_credentials;
594 a.out.rid = &rid;
595 a.out.negotiate_flags = &negotiate_flags;
596
597 return _netr_ServerAuthenticate3(p, &a);
598
599 }
600
601 /*************************************************************************
602 _netr_ServerAuthenticate3
603 *************************************************************************/
604
605 NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
606 struct netr_ServerAuthenticate3 *r)
607 {
608 NTSTATUS status;
609 uint32_t srv_flgs;
610 /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
611 * so use a copy to avoid destroying the client values. */
612 uint32_t in_neg_flags = *r->in.negotiate_flags;
613 const char *fn;
614 struct dom_sid sid;
615 struct samr_Password mach_pwd;
616 struct netlogon_creds_CredentialState *creds;
617 struct netlogon_server_pipe_state *pipe_state =
618 talloc_get_type(p->private_data, struct netlogon_server_pipe_state);
619
620 /* According to Microsoft (see bugid #6099)
621 * Windows 7 looks at the negotiate_flags
622 * returned in this structure *even if the
623 * call fails with access denied* ! So in order
624 * to allow Win7 to connect to a Samba NT style
625 * PDC we set the flags before we know if it's
626 * an error or not.
627 */
628
629 /* 0x000001ff */
630 srv_flgs = NETLOGON_NEG_ACCOUNT_LOCKOUT |
631 NETLOGON_NEG_PERSISTENT_SAMREPL |
632 NETLOGON_NEG_ARCFOUR |
633 NETLOGON_NEG_PROMOTION_COUNT |
634 NETLOGON_NEG_CHANGELOG_BDC |
635 NETLOGON_NEG_FULL_SYNC_REPL |
636 NETLOGON_NEG_MULTIPLE_SIDS |
637 NETLOGON_NEG_REDO |
638 NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
639 NETLOGON_NEG_PASSWORD_SET2;
640
641 /* Ensure we support strong (128-bit) keys. */
642 if (in_neg_flags & NETLOGON_NEG_STRONG_KEYS) {
643 srv_flgs |= NETLOGON_NEG_STRONG_KEYS;
644 }
645
646 if (lp_server_schannel() != false) {
647 srv_flgs |= NETLOGON_NEG_SCHANNEL;
648 }
649
650 switch (p->hdr_req.opnum) {
651 case NDR_NETR_SERVERAUTHENTICATE:
652 fn = "_netr_ServerAuthenticate";
653 break;
654 case NDR_NETR_SERVERAUTHENTICATE2:
655 fn = "_netr_ServerAuthenticate2";
656 break;
657 case NDR_NETR_SERVERAUTHENTICATE3:
658 fn = "_netr_ServerAuthenticate3";
659 break;
660 default:
661 return NT_STATUS_INTERNAL_ERROR;
662 }
663
664 /* We use this as the key to store the creds: */
665 /* r->in.computer_name */
666
667 if (!pipe_state) {
668 DEBUG(0,("%s: no challenge sent to client %s\n", fn,
669 r->in.computer_name));
670 status = NT_STATUS_ACCESS_DENIED;
671 goto out;
672 }
673
674 if ( (lp_server_schannel() == true) &&
675 ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
676
677 /* schannel must be used, but client did not offer it. */
678 DEBUG(0,("%s: schannel required but client failed "
679 "to offer it. Client was %s\n",
680 fn, r->in.account_name));
681 status = NT_STATUS_ACCESS_DENIED;
682 goto out;
683 }
684
685 status = get_md4pw(&mach_pwd,
686 r->in.account_name,
687 r->in.secure_channel_type,
688 &sid);
689 if (!NT_STATUS_IS_OK(status)) {
690 DEBUG(0,("%s: failed to get machine password for "
691 "account %s: %s\n",
692 fn, r->in.account_name, nt_errstr(status) ));
693 /* always return NT_STATUS_ACCESS_DENIED */
694 status = NT_STATUS_ACCESS_DENIED;
695 goto out;
696 }
697
698 /* From the client / server challenges and md4 password, generate sess key */
699 /* Check client credentials are valid. */
700 creds = netlogon_creds_server_init(p->mem_ctx,
701 r->in.account_name,
702 r->in.computer_name,
703 r->in.secure_channel_type,
704 &pipe_state->client_challenge,
705 &pipe_state->server_challenge,
706 &mach_pwd,
707 r->in.credentials,
708 r->out.return_credentials,
709 *r->in.negotiate_flags);
710 if (!creds) {
711 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
712 "request from client %s machine account %s\n",
713 fn, r->in.computer_name,
714 r->in.account_name));
715 status = NT_STATUS_ACCESS_DENIED;
716 goto out;
717 }
718
719 creds->sid = sid_dup_talloc(creds, &sid);
720 if (!creds->sid) {
721 status = NT_STATUS_NO_MEMORY;
722 goto out;
723 }
724
725 /* Store off the state so we can continue after client disconnect. */
726 become_root();
727 status = schannel_save_creds_state(p->mem_ctx,
728 NULL, lp_private_dir(), creds);
729 unbecome_root();
730
731 if (!NT_STATUS_IS_OK(status)) {
732 goto out;
733 }
734
735 sid_peek_rid(&sid, r->out.rid);
736
737 status = NT_STATUS_OK;
738
739 out:
740
741 *r->out.negotiate_flags = srv_flgs;
742 return status;
743 }
744
745 /*************************************************************************
746 _netr_ServerAuthenticate2
747 *************************************************************************/
748
749 NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
750 struct netr_ServerAuthenticate2 *r)
751 {
752 struct netr_ServerAuthenticate3 a;
753 uint32_t rid;
754
755 a.in.server_name = r->in.server_name;
756 a.in.account_name = r->in.account_name;
757 a.in.secure_channel_type = r->in.secure_channel_type;
758 a.in.computer_name = r->in.computer_name;
759 a.in.credentials = r->in.credentials;
760 a.in.negotiate_flags = r->in.negotiate_flags;
761
762 a.out.return_credentials = r->out.return_credentials;
763 a.out.rid = &rid;
764 a.out.negotiate_flags = r->out.negotiate_flags;
765
766 return _netr_ServerAuthenticate3(p, &a);
767 }
768
769 /*************************************************************************
770 * If schannel is required for this call test that it actually is available.
771 *************************************************************************/
772 static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info,
773 const char *computer_name,
774 bool integrity, bool privacy)
775 {
776 if (auth_info && auth_info->auth_type == PIPE_AUTH_TYPE_SCHANNEL) {
777 if (!privacy && !integrity) {
778 return NT_STATUS_OK;
779 }
780
781 if ((!privacy && integrity) &&
782 auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
783 return NT_STATUS_OK;
784 }
785
786 if ((privacy || integrity) &&
787 auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
788 return NT_STATUS_OK;
789 }
790 }
791
792 /* test didn't pass */
793 DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
794 computer_name));
795
796 return NT_STATUS_ACCESS_DENIED;
797 }
798
799 /*************************************************************************
800 *************************************************************************/
801
802 static NTSTATUS netr_creds_server_step_check(pipes_struct *p,
803 TALLOC_CTX *mem_ctx,
804 const char *computer_name,
805 struct netr_Authenticator *received_authenticator,
806 struct netr_Authenticator *return_authenticator,
807 struct netlogon_creds_CredentialState **creds_out)
808 {
809 NTSTATUS status;
810 bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
811
812 if (schannel_global_required) {
813 status = schannel_check_required(&p->auth,
814 computer_name,
815 false, false);
816 if (!NT_STATUS_IS_OK(status)) {
817 return status;
818 }
819 }
820
821 status = schannel_check_creds_state(mem_ctx, NULL,
822 lp_private_dir(),
823 computer_name,
824 received_authenticator,
825 return_authenticator,
826 creds_out);
827
828 return status;
829 }
830
831 /*************************************************************************
832 *************************************************************************/
833
834 static NTSTATUS netr_find_machine_account(TALLOC_CTX *mem_ctx,
835 const char *account_name,
836 struct samu **sampassp)
837 {
838 struct samu *sampass;
839 bool ret = false;
840 uint32_t acct_ctrl;
841
842 sampass = samu_new(mem_ctx);
843 if (!sampass) {
844 return NT_STATUS_NO_MEMORY;
845 }
846
847 become_root();
848 ret = pdb_getsampwnam(sampass, account_name);
849 unbecome_root();
850
851 if (!ret) {
852 TALLOC_FREE(sampass);
853 return NT_STATUS_ACCESS_DENIED;
854 }
855
856 /* Ensure the account exists and is a machine account. */
857
858 acct_ctrl = pdb_get_acct_ctrl(sampass);
859
860 if (!(acct_ctrl & ACB_WSTRUST ||
861 acct_ctrl & ACB_SVRTRUST ||
862 acct_ctrl & ACB_DOMTRUST)) {
863 TALLOC_FREE(sampass);
864 return NT_STATUS_NO_SUCH_USER;
865 }
866
867 if (acct_ctrl & ACB_DISABLED) {
868 TALLOC_FREE(sampass);
869 return NT_STATUS_ACCOUNT_DISABLED;
870 }
871
872 *sampassp = sampass;
873
874 return NT_STATUS_OK;
875 }
876
877 /*************************************************************************
878 *************************************************************************/
879
880 static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
881 struct samu *sampass,
882 DATA_BLOB *plaintext_blob,
883 struct samr_Password *nt_hash,
884 struct samr_Password *lm_hash)
885 {
886 NTSTATUS status;
887 const uchar *old_pw;
888 const char *plaintext = NULL;
889 size_t plaintext_len;
890 struct samr_Password nt_hash_local;
891
892 if (!sampass) {
893 return NT_STATUS_INVALID_PARAMETER;
894 }
895
896 if (plaintext_blob) {
897 if (!convert_string_talloc(mem_ctx, CH_UTF16, CH_UNIX,
898 plaintext_blob->data, plaintext_blob->length,
899 &plaintext, &plaintext_len, false))
900 {
901 plaintext = NULL;
902 mdfour(nt_hash_local.hash, plaintext_blob->data, plaintext_blob->length);
903 nt_hash = &nt_hash_local;
904 }
905 }
906
907 if (plaintext) {
908 if (!pdb_set_plaintext_passwd(sampass, plaintext)) {
909 return NT_STATUS_ACCESS_DENIED;
910 }
911
912 goto done;
913 }
914
915 if (nt_hash) {
916 old_pw = pdb_get_nt_passwd(sampass);
917
918 if (old_pw && memcmp(nt_hash->hash, old_pw, 16) == 0) {
919 /* Avoid backend modificiations and other fun if the
920 client changed the password to the *same thing* */
921 } else {
922 /* LM password should be NULL for machines */
923 if (!pdb_set_lanman_passwd(sampass, NULL, PDB_CHANGED)) {
924 return NT_STATUS_NO_MEMORY;
925 }
926 if (!pdb_set_nt_passwd(sampass, nt_hash->hash, PDB_CHANGED)) {
927 return NT_STATUS_NO_MEMORY;
928 }
929
930 if (!pdb_set_pass_last_set_time(sampass, time(NULL), PDB_CHANGED)) {
931 /* Not quite sure what this one qualifies as, but this will do */
932 return NT_STATUS_UNSUCCESSFUL;
933 }
934 }
935 }
936
937 done:
938 become_root();
939 status = pdb_update_sam_account(sampass);
940 unbecome_root();
941
942 return status;
943 }
944
945 /*************************************************************************
946 _netr_ServerPasswordSet
947 *************************************************************************/
948
949 NTSTATUS _netr_ServerPasswordSet(pipes_struct *p,
950 struct netr_ServerPasswordSet *r)
951 {
952 NTSTATUS status = NT_STATUS_OK;
953 struct samu *sampass=NULL;
954 int i;
955 struct netlogon_creds_CredentialState *creds;
956
957 DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
958
959 become_root();
960 status = netr_creds_server_step_check(p, p->mem_ctx,
961 r->in.computer_name,
962 r->in.credential,
963 r->out.return_authenticator,
964 &creds);
965 unbecome_root();
966
967 if (!NT_STATUS_IS_OK(status)) {
968 DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
969 "request from client %s machine account %s\n",
970 r->in.computer_name, creds->computer_name));
971 TALLOC_FREE(creds);
972 return status;
973 }
974
975 DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
976 r->in.computer_name, creds->computer_name));
977
978 netlogon_creds_des_decrypt(creds, r->in.new_password);
979
980 DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
981 for(i = 0; i < sizeof(r->in.new_password->hash); i++)
982 DEBUG(100,("%02X ", r->in.new_password->hash[i]));
983 DEBUG(100,("\n"));
984
985 status = netr_find_machine_account(p->mem_ctx,
986 creds->account_name,
987 &sampass);
988 if (!NT_STATUS_IS_OK(status)) {
989 return status;
990 }
991
992 status = netr_set_machine_account_password(sampass,
993 sampass,
994 NULL,
995 r->in.new_password,
996 NULL);
997 TALLOC_FREE(sampass);
998 return status;
999 }
1000
1001 /****************************************************************
1002 _netr_ServerPasswordSet2
1003 ****************************************************************/
1004
1005 NTSTATUS _netr_ServerPasswordSet2(pipes_struct *p,
1006 struct netr_ServerPasswordSet2 *r)
1007 {
1008 NTSTATUS status;
1009 struct netlogon_creds_CredentialState *creds;
1010 struct samu *sampass;
1011 DATA_BLOB plaintext;
1012 struct samr_CryptPassword password_buf;
1013 struct samr_Password nt_hash;
1014
1015 become_root();
1016 status = netr_creds_server_step_check(p, p->mem_ctx,
1017 r->in.computer_name,
1018 r->in.credential,
1019 r->out.return_authenticator,
1020 &creds);
1021 unbecome_root();
1022
1023 if (!NT_STATUS_IS_OK(status)) {
1024 DEBUG(2,("_netr_ServerPasswordSet2: netlogon_creds_server_step "
1025 "failed. Rejecting auth request from client %s machine account %s\n",
1026 r->in.computer_name, creds->computer_name));
1027 TALLOC_FREE(creds);
1028 return status;
1029 }
1030
1031 memcpy(password_buf.data, r->in.new_password->data, 512);
1032 SIVAL(password_buf.data, 512, r->in.new_password->length);
1033 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
1034
1035 if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &plaintext)) {
1036 return NT_STATUS_WRONG_PASSWORD;
1037 }
1038
1039 mdfour(nt_hash.hash, plaintext.data, plaintext.length);
1040
1041 status = netr_find_machine_account(p->mem_ctx,
1042 creds->account_name,
1043 &sampass);
1044 if (!NT_STATUS_IS_OK(status)) {
1045 return status;
1046 }
1047
1048 status = netr_set_machine_account_password(sampass,
1049 sampass,
1050 NULL,
1051 &nt_hash,
1052 NULL);
1053 TALLOC_FREE(sampass);
1054 return status;
1055 }
1056
1057 /*************************************************************************
1058 _netr_LogonSamLogoff
1059 *************************************************************************/
1060
1061 NTSTATUS _netr_LogonSamLogoff(pipes_struct *p,
1062 struct netr_LogonSamLogoff *r)
1063 {
1064 NTSTATUS status;
1065 struct netlogon_creds_CredentialState *creds;
1066
1067 become_root();
1068 status = netr_creds_server_step_check(p, p->mem_ctx,
1069 r->in.computer_name,
1070 r->in.credential,
1071 r->out.return_authenticator,
1072 &creds);
1073 unbecome_root();
1074
1075 return status;
1076 }
1077
1078 /*************************************************************************
1079 _netr_LogonSamLogon_base
1080 *************************************************************************/
1081
1082 static NTSTATUS _netr_LogonSamLogon_base(pipes_struct *p,
1083 struct netr_LogonSamLogonEx *r,
1084 struct netlogon_creds_CredentialState *creds)
1085 {
1086 NTSTATUS status = NT_STATUS_OK;
1087 union netr_LogonLevel *logon = r->in.logon;
1088 const char *nt_username, *nt_domain, *nt_workstation;
1089 struct auth_usersupplied_info *user_info = NULL;
1090 struct auth_serversupplied_info *server_info = NULL;
1091 struct auth_context *auth_context = NULL;
1092 uint8_t pipe_session_key[16];
1093 bool process_creds = true;
1094 const char *fn;
1095
1096 switch (p->hdr_req.opnum) {
1097 case NDR_NETR_LOGONSAMLOGON:
1098 process_creds = true;
1099 fn = "_netr_LogonSamLogon";
1100 break;
1101 case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
1102 process_creds = true;
1103 fn = "_netr_LogonSamLogonWithFlags";
1104 break;
1105 case NDR_NETR_LOGONSAMLOGONEX:
1106 process_creds = false;
1107 fn = "_netr_LogonSamLogonEx";
1108 break;
1109 default:
1110 return NT_STATUS_INTERNAL_ERROR;
1111 }
1112
1113 *r->out.authoritative = true; /* authoritative response */
1114
1115 switch (r->in.validation_level) {
1116 case 2:
1117 r->out.validation->sam2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo2);
1118 if (!r->out.validation->sam2) {
1119 return NT_STATUS_NO_MEMORY;
1120 }
1121 break;
1122 case 3:
1123 r->out.validation->sam3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo3);
1124 if (!r->out.validation->sam3) {
1125 return NT_STATUS_NO_MEMORY;
1126 }
1127 break;
1128 case 6:
1129 r->out.validation->sam6 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo6);
1130 if (!r->out.validation->sam6) {
1131 return NT_STATUS_NO_MEMORY;
1132 }
1133 break;
1134 default:
1135 DEBUG(0,("%s: bad validation_level value %d.\n",
1136 fn, (int)r->in.validation_level));
1137 return NT_STATUS_INVALID_INFO_CLASS;
1138 }
1139
1140 switch (r->in.logon_level) {
1141 case NetlogonInteractiveInformation:
1142 case NetlogonServiceInformation:
1143 case NetlogonInteractiveTransitiveInformation:
1144 case NetlogonServiceTransitiveInformation:
1145 nt_username = logon->password->identity_info.account_name.string;
1146 nt_domain = logon->password->identity_info.domain_name.string;
1147 nt_workstation = logon->password->identity_info.workstation.string;
1148
1149 DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
1150 break;
1151 case NetlogonNetworkInformation:
1152 case NetlogonNetworkTransitiveInformation:
1153 nt_username = logon->network->identity_info.account_name.string;
1154 nt_domain = logon->network->identity_info.domain_name.string;
1155 nt_workstation = logon->network->identity_info.workstation.string;
1156
1157 DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
1158 break;
1159 default:
1160 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1161 return NT_STATUS_INVALID_INFO_CLASS;
1162 } /* end switch */
1163
1164 DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username, nt_workstation, nt_domain));
1165 fstrcpy(current_user_info.smb_name, nt_username);
1166 sub_set_smb_name(nt_username);
1167
1168 DEBUG(5,("Attempting validation level %d for unmapped username %s.\n",
1169 r->in.validation_level, nt_username));
1170
1171 status = NT_STATUS_OK;
1172
1173 switch (r->in.logon_level) {
1174 case NetlogonNetworkInformation:
1175 case NetlogonNetworkTransitiveInformation:
1176 {
1177 const char *wksname = nt_workstation;
1178
1179 status = make_auth_context_fixed(&auth_context,
1180 logon->network->challenge);
1181 if (!NT_STATUS_IS_OK(status)) {
1182 return status;
1183 }
1184
1185 /* For a network logon, the workstation name comes in with two
1186 * backslashes in the front. Strip them if they are there. */
1187
1188 if (*wksname == '\\') wksname++;
1189 if (*wksname == '\\') wksname++;
1190
1191 /* Standard challenge/response authenticaion */
1192 if (!make_user_info_netlogon_network(&user_info,
1193 nt_username, nt_domain,
1194 wksname,
1195 logon->network->identity_info.parameter_control,
1196 logon->network->lm.data,
1197 logon->network->lm.length,
1198 logon->network->nt.data,
1199 logon->network->nt.length)) {
1200 status = NT_STATUS_NO_MEMORY;
1201 }
1202 break;
1203 }
1204 case NetlogonInteractiveInformation:
1205 case NetlogonServiceInformation:
1206 case NetlogonInteractiveTransitiveInformation:
1207 case NetlogonServiceTransitiveInformation:
1208
1209 /* 'Interactive' authentication, supplies the password in its
1210 MD4 form, encrypted with the session key. We will convert
1211 this to challenge/response for the auth subsystem to chew
1212 on */
1213 {
1214 uint8_t chal[8];
1215
1216 if (!NT_STATUS_IS_OK(status = make_auth_context_subsystem(&auth_context))) {
1217 return status;
1218 }
1219
1220 auth_context->get_ntlm_challenge(auth_context, chal);
1221
1222 if (!make_user_info_netlogon_interactive(&user_info,
1223 nt_username, nt_domain,
1224 nt_workstation,
1225 logon->password->identity_info.parameter_control,
1226 chal,
1227 logon->password->lmpassword.hash,
1228 logon->password->ntpassword.hash,
1229 creds->session_key)) {
1230 status = NT_STATUS_NO_MEMORY;
1231 }
1232 break;
1233 }
1234 default:
1235 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1236 return NT_STATUS_INVALID_INFO_CLASS;
1237 } /* end switch */
1238
1239 if ( NT_STATUS_IS_OK(status) ) {
1240 status = auth_context->check_ntlm_password(auth_context,
1241 user_info, &server_info);
1242 }
1243
1244 (auth_context->free)(&auth_context);
1245 free_user_info(&user_info);
1246
1247 DEBUG(5,("%s: check_password returned status %s\n",
1248 fn, nt_errstr(status)));
1249
1250 /* Check account and password */
1251
1252 if (!NT_STATUS_IS_OK(status)) {
1253 /* If we don't know what this domain is, we need to
1254 indicate that we are not authoritative. This
1255 allows the client to decide if it needs to try
1256 a local user. Fix by jpjanosi@us.ibm.com, #2976 */
1257 if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
1258 && !strequal(nt_domain, get_global_sam_name())
1259 && !is_trusted_domain(nt_domain) )
1260 *r->out.authoritative = false; /* We are not authoritative */
1261
1262 TALLOC_FREE(server_info);
1263 return status;
1264 }
1265
1266 if (server_info->guest) {
1267 /* We don't like guest domain logons... */
1268 DEBUG(5,("%s: Attempted domain logon as GUEST "
1269 "denied.\n", fn));
1270 TALLOC_FREE(server_info);
1271 return NT_STATUS_LOGON_FAILURE;
1272 }
1273
1274 /* This is the point at which, if the login was successful, that
1275 the SAM Local Security Authority should record that the user is
1276 logged in to the domain. */
1277
1278 if (process_creds) {
1279 /* Get the pipe session key from the creds. */
1280 memcpy(pipe_session_key, creds->session_key, 16);
1281 } else {
1282 /* Get the pipe session key from the schannel. */
1283 if ((p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL)
1284 || (p->auth.a_u.schannel_auth == NULL)) {
1285 return NT_STATUS_INVALID_HANDLE;
1286 }
1287 memcpy(pipe_session_key, p->auth.a_u.schannel_auth->creds->session_key, 16);
1288 }
1289
1290 switch (r->in.validation_level) {
1291 case 2:
1292 status = serverinfo_to_SamInfo2(server_info, pipe_session_key, 16,
1293 r->out.validation->sam2);
1294 break;
1295 case 3:
1296 status = serverinfo_to_SamInfo3(server_info, pipe_session_key, 16,
1297 r->out.validation->sam3);
1298 break;
1299 case 6:
1300 status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16,
1301 r->out.validation->sam6);
1302 break;
1303 }
1304
1305 TALLOC_FREE(server_info);
1306
1307 return status;
1308 }
1309
1310 /****************************************************************
1311 _netr_LogonSamLogonWithFlags
1312 ****************************************************************/
1313
1314 NTSTATUS _netr_LogonSamLogonWithFlags(pipes_struct *p,
1315 struct netr_LogonSamLogonWithFlags *r)
1316 {
1317 NTSTATUS status;
1318 struct netlogon_creds_CredentialState *creds;
1319 struct netr_LogonSamLogonEx r2;
1320 struct netr_Authenticator return_authenticator;
1321
1322 become_root();
1323 status = netr_creds_server_step_check(p, p->mem_ctx,
1324 r->in.computer_name,
1325 r->in.credential,
1326 &return_authenticator,
1327 &creds);
1328 unbecome_root();
1329 if (!NT_STATUS_IS_OK(status)) {
1330 return status;
1331 }
1332
1333 r2.in.server_name = r->in.server_name;
1334 r2.in.computer_name = r->in.computer_name;
1335 r2.in.logon_level = r->in.logon_level;
1336 r2.in.logon = r->in.logon;
1337 r2.in.validation_level = r->in.validation_level;
1338 r2.in.flags = r->in.flags;
1339 r2.out.validation = r->out.validation;
1340 r2.out.authoritative = r->out.authoritative;
1341 r2.out.flags = r->out.flags;
1342
1343 status = _netr_LogonSamLogon_base(p, &r2, creds);
1344
1345 *r->out.return_authenticator = return_authenticator;
1346
1347 return status;
1348 }
1349
1350 /*************************************************************************
1351 _netr_LogonSamLogon
1352 *************************************************************************/
1353
1354 NTSTATUS _netr_LogonSamLogon(pipes_struct *p,
1355 struct netr_LogonSamLogon *r)
1356 {
1357 NTSTATUS status;
1358 struct netr_LogonSamLogonWithFlags r2;
1359 uint32_t flags = 0;
1360
1361 r2.in.server_name = r->in.server_name;
1362 r2.in.computer_name = r->in.computer_name;
1363 r2.in.credential = r->in.credential;
1364 r2.in.logon_level = r->in.logon_level;
1365 r2.in.logon = r->in.logon;
1366 r2.in.validation_level = r->in.validation_level;
1367 r2.in.return_authenticator = r->in.return_authenticator;
1368 r2.in.flags = &flags;
1369 r2.out.validation = r->out.validation;
1370 r2.out.authoritative = r->out.authoritative;
1371 r2.out.flags = &flags;
1372 r2.out.return_authenticator = r->out.return_authenticator;
1373
1374 status = _netr_LogonSamLogonWithFlags(p, &r2);
1375
1376 return status;
1377 }
1378
1379 /*************************************************************************
1380 _netr_LogonSamLogonEx
1381 - no credential chaining. Map into net sam logon.
1382 *************************************************************************/
1383
1384 NTSTATUS _netr_LogonSamLogonEx(pipes_struct *p,
1385 struct netr_LogonSamLogonEx *r)
1386 {
1387 NTSTATUS status;
1388 struct netlogon_creds_CredentialState *creds = NULL;
1389
1390 become_root();
1391 status = schannel_get_creds_state(p->mem_ctx,
1392 NULL, lp_private_dir(),
1393 r->in.computer_name, &creds);
1394 unbecome_root();
1395 if (!NT_STATUS_IS_OK(status)) {
1396 return status;
1397 }
1398
1399 /* Only allow this if the pipe is protected. */
1400 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1401 DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
1402 get_remote_machine_name() ));
1403 return NT_STATUS_INVALID_PARAMETER;
1404 }
1405
1406 status = _netr_LogonSamLogon_base(p, r, creds);
1407 TALLOC_FREE(creds);
1408
1409 return status;
1410 }
1411
1412 /*************************************************************************
1413 _ds_enum_dom_trusts
1414 *************************************************************************/
1415 #if 0 /* JERRY -- not correct */
1416 NTSTATUS _ds_enum_dom_trusts(pipes_struct *p, DS_Q_ENUM_DOM_TRUSTS *q_u,
1417 DS_R_ENUM_DOM_TRUSTS *r_u)
1418 {
1419 NTSTATUS status = NT_STATUS_OK;
1420
1421 /* TODO: According to MSDN, the can only be executed against a
1422 DC or domain member running Windows 2000 or later. Need
1423 to test against a standalone 2k server and see what it
1424 does. A windows 2000 DC includes its own domain in the
1425 list. --jerry */
1426
1427 return status;
1428 }
1429 #endif /* JERRY */
1430
1431
1432 /****************************************************************
1433 ****************************************************************/
1434
1435 WERROR _netr_LogonUasLogon(pipes_struct *p,
1436 struct netr_LogonUasLogon *r)
1437 {
1438 p->rng_fault_state = true;
1439 return WERR_NOT_SUPPORTED;
1440 }
1441
1442 /****************************************************************
1443 ****************************************************************/
1444
1445 WERROR _netr_LogonUasLogoff(pipes_struct *p,
1446 struct netr_LogonUasLogoff *r)
1447 {
1448 p->rng_fault_state = true;
1449 return WERR_NOT_SUPPORTED;
1450 }
1451
1452 /****************************************************************
1453 ****************************************************************/
1454
1455 NTSTATUS _netr_DatabaseDeltas(pipes_struct *p,
1456 struct netr_DatabaseDeltas *r)
1457 {
1458 p->rng_fault_state = true;
1459 return NT_STATUS_NOT_IMPLEMENTED;
1460 }
1461
1462 /****************************************************************
1463 ****************************************************************/
1464
1465 NTSTATUS _netr_DatabaseSync(pipes_struct *p,
1466 struct netr_DatabaseSync *r)
1467 {
1468 p->rng_fault_state = true;
1469 return NT_STATUS_NOT_IMPLEMENTED;
1470 }
1471
1472 /****************************************************************
1473 ****************************************************************/
1474
1475 NTSTATUS _netr_AccountDeltas(pipes_struct *p,
1476 struct netr_AccountDeltas *r)
1477 {
1478 p->rng_fault_state = true;
1479 return NT_STATUS_NOT_IMPLEMENTED;
1480 }
1481
1482 /****************************************************************
1483 ****************************************************************/
1484
1485 NTSTATUS _netr_AccountSync(pipes_struct *p,
1486 struct netr_AccountSync *r)
1487 {
1488 p->rng_fault_state = true;
1489 return NT_STATUS_NOT_IMPLEMENTED;
1490 }
1491
1492 /****************************************************************
1493 ****************************************************************/
1494
1495 static bool wb_getdcname(TALLOC_CTX *mem_ctx,
1496 const char *domain,
1497 const char **dcname,
1498 uint32_t flags,
1499 WERROR *werr)
1500 {
1501 wbcErr result;
1502 struct wbcDomainControllerInfo *dc_info = NULL;
1503
1504 result = wbcLookupDomainController(domain,
1505 flags,
1506 &dc_info);
1507 switch (result) {
1508 case WBC_ERR_SUCCESS:
1509 break;
1510 case WBC_ERR_WINBIND_NOT_AVAILABLE:
1511 return false;
1512 case WBC_ERR_DOMAIN_NOT_FOUND:
1513 *werr = WERR_NO_SUCH_DOMAIN;
1514 return true;
1515 default:
1516 *werr = WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1517 return true;
1518 }
1519
1520 *dcname = talloc_strdup(mem_ctx, dc_info->dc_name);
1521 wbcFreeMemory(dc_info);
1522 if (!*dcname) {
1523 *werr = WERR_NOMEM;
1524 return false;
1525 }
1526
1527 *werr = WERR_OK;
1528
1529 return true;
1530 }
1531
1532 /****************************************************************
1533 _netr_GetDcName
1534 ****************************************************************/
1535
1536 WERROR _netr_GetDcName(pipes_struct *p,
1537 struct netr_GetDcName *r)
1538 {
1539 NTSTATUS status;
1540 WERROR werr;
1541 uint32_t flags;
1542 struct netr_DsRGetDCNameInfo *info;
1543 bool ret;
1544
1545 ret = wb_getdcname(p->mem_ctx,
1546 r->in.domainname,
1547 r->out.dcname,
1548 WBC_LOOKUP_DC_IS_FLAT_NAME |
1549 WBC_LOOKUP_DC_RETURN_FLAT_NAME |
1550 WBC_LOOKUP_DC_PDC_REQUIRED,
1551 &werr);
1552 if (ret == true) {
1553 return werr;
1554 }
1555
1556 flags = DS_PDC_REQUIRED | DS_IS_FLAT_NAME | DS_RETURN_FLAT_NAME;
1557
1558 status = dsgetdcname(p->mem_ctx,
1559 smbd_messaging_context(),
1560 r->in.domainname,
1561 NULL,
1562 NULL,
1563 flags,
1564 &info);
1565 if (!NT_STATUS_IS_OK(status)) {
1566 return ntstatus_to_werror(status);
1567 }
1568
1569 *r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
1570 talloc_free(info);
1571 if (!*r->out.dcname) {
1572 return WERR_NOMEM;
1573 }
1574
1575 return WERR_OK;
1576 }
1577
1578 /****************************************************************
1579 _netr_GetAnyDCName
1580 ****************************************************************/
1581
1582 WERROR _netr_GetAnyDCName(pipes_struct *p,
1583 struct netr_GetAnyDCName *r)
1584 {
1585 NTSTATUS status;
1586 WERROR werr;
1587 uint32_t flags;
1588 struct netr_DsRGetDCNameInfo *info;
1589 bool ret;
1590
1591 ret = wb_getdcname(p->mem_ctx,
1592 r->in.domainname,
1593 r->out.dcname,
1594 WBC_LOOKUP_DC_IS_FLAT_NAME |
1595 WBC_LOOKUP_DC_RETURN_FLAT_NAME,
1596 &werr);
1597 if (ret == true) {
1598 return werr;
1599 }
1600
1601 flags = DS_IS_FLAT_NAME | DS_RETURN_FLAT_NAME;
1602
1603 status = dsgetdcname(p->mem_ctx,
1604 smbd_messaging_context(),
1605 r->in.domainname,
1606 NULL,
1607 NULL,
1608 flags,
1609 &info);
1610 if (!NT_STATUS_IS_OK(status)) {
1611 return ntstatus_to_werror(status);
1612 }
1613
1614 *r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
1615 talloc_free(info);
1616 if (!*r->out.dcname) {
1617 return WERR_NOMEM;
1618 }
1619
1620 return WERR_OK;
1621 }
1622
1623 /****************************************************************
1624 ****************************************************************/
1625
1626 NTSTATUS _netr_DatabaseSync2(pipes_struct *p,
1627 struct netr_DatabaseSync2 *r)
1628 {
1629 p->rng_fault_state = true;
1630 return NT_STATUS_NOT_IMPLEMENTED;
1631 }
1632
1633 /****************************************************************
1634 ****************************************************************/
1635
1636 NTSTATUS _netr_DatabaseRedo(pipes_struct *p,
1637 struct netr_DatabaseRedo *r)
1638 {
1639 p->rng_fault_state = true;
1640 return NT_STATUS_NOT_IMPLEMENTED;
1641 }
1642
1643 /****************************************************************
1644 ****************************************************************/
1645
1646 WERROR _netr_DsRGetDCName(pipes_struct *p,
1647 struct netr_DsRGetDCName *r)
1648 {
1649 p->rng_fault_state = true;
1650 return WERR_NOT_SUPPORTED;
1651 }
1652
1653 /****************************************************************
1654 ****************************************************************/
1655
1656 NTSTATUS _netr_LogonGetCapabilities(pipes_struct *p,
1657 struct netr_LogonGetCapabilities *r)
1658 {
1659 return NT_STATUS_NOT_IMPLEMENTED;
1660 }
1661
1662 /****************************************************************
1663 ****************************************************************/
1664
1665 WERROR _netr_NETRLOGONSETSERVICEBITS(pipes_struct *p,
1666 struct netr_NETRLOGONSETSERVICEBITS *r)
1667 {
1668 p->rng_fault_state = true;
1669 return WERR_NOT_SUPPORTED;
1670 }
1671
1672 /****************************************************************
1673 ****************************************************************/
1674
1675 WERROR _netr_LogonGetTrustRid(pipes_struct *p,
1676 struct netr_LogonGetTrustRid *r)
1677 {
1678 p->rng_fault_state = true;
1679 return WERR_NOT_SUPPORTED;
1680 }
1681
1682 /****************************************************************
1683 ****************************************************************/
1684
1685 WERROR _netr_NETRLOGONCOMPUTESERVERDIGEST(pipes_struct *p,
1686 struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
1687 {
1688 p->rng_fault_state = true;
1689 return WERR_NOT_SUPPORTED;
1690 }
1691
1692 /****************************************************************
1693 ****************************************************************/
1694
1695 WERROR _netr_NETRLOGONCOMPUTECLIENTDIGEST(pipes_struct *p,
1696 struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
1697 {
1698 p->rng_fault_state = true;
1699 return WERR_NOT_SUPPORTED;
1700 }
1701
1702 /****************************************************************
1703 ****************************************************************/
1704
1705 WERROR _netr_DsRGetDCNameEx(pipes_struct *p,
1706 struct netr_DsRGetDCNameEx *r)
1707 {
1708 p->rng_fault_state = true;
1709 return WERR_NOT_SUPPORTED;
1710 }
1711
1712 /****************************************************************
1713 ****************************************************************/
1714
1715 WERROR _netr_DsRGetSiteName(pipes_struct *p,
1716 struct netr_DsRGetSiteName *r)
1717 {
1718 p->rng_fault_state = true;
1719 return WERR_NOT_SUPPORTED;
1720 }
1721
1722 /****************************************************************
1723 ****************************************************************/
1724
1725 NTSTATUS _netr_LogonGetDomainInfo(pipes_struct *p,
1726 struct netr_LogonGetDomainInfo *r)
1727 {
1728 p->rng_fault_state = true;
1729 return NT_STATUS_NOT_IMPLEMENTED;
1730 }
1731
1732 /****************************************************************
1733 ****************************************************************/
1734
1735 WERROR _netr_ServerPasswordGet(pipes_struct *p,
1736 struct netr_ServerPasswordGet *r)
1737 {
1738 p->rng_fault_state = true;
1739 return WERR_NOT_SUPPORTED;
1740 }
1741
1742 /****************************************************************
1743 ****************************************************************/
1744
1745 WERROR _netr_NETRLOGONSENDTOSAM(pipes_struct *p,
1746 struct netr_NETRLOGONSENDTOSAM *r)
1747 {
1748 p->rng_fault_state = true;
1749 return WERR_NOT_SUPPORTED;
1750 }
1751
1752 /****************************************************************
1753 ****************************************************************/
1754
1755 WERROR _netr_DsRAddressToSitenamesW(pipes_struct *p,
1756 struct netr_DsRAddressToSitenamesW *r)
1757 {
1758 p->rng_fault_state = true;
1759 return WERR_NOT_SUPPORTED;
1760 }
1761
1762 /****************************************************************
1763 ****************************************************************/
1764
1765 WERROR _netr_DsRGetDCNameEx2(pipes_struct *p,
1766 struct netr_DsRGetDCNameEx2 *r)
1767 {
1768 p->rng_fault_state = true;
1769 return WERR_NOT_SUPPORTED;
1770 }
1771
1772 /****************************************************************
1773 ****************************************************************/
1774
1775 WERROR _netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(pipes_struct *p,
1776 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
1777 {
1778 p->rng_fault_state = true;
1779 return WERR_NOT_SUPPORTED;
1780 }
1781
1782 /****************************************************************
1783 ****************************************************************/
1784
1785 WERROR _netr_NetrEnumerateTrustedDomainsEx(pipes_struct *p,
1786 struct netr_NetrEnumerateTrustedDomainsEx *r)
1787 {
1788 p->rng_fault_state = true;
1789 return WERR_NOT_SUPPORTED;
1790 }
1791
1792 /****************************************************************
1793 ****************************************************************/
1794
1795 WERROR _netr_DsRAddressToSitenamesExW(pipes_struct *p,
1796 struct netr_DsRAddressToSitenamesExW *r)
1797 {
1798 p->rng_fault_state = true;
1799 return WERR_NOT_SUPPORTED;
1800 }
1801
1802 /****************************************************************
1803 ****************************************************************/
1804
1805 WERROR _netr_DsrGetDcSiteCoverageW(pipes_struct *p,
1806 struct netr_DsrGetDcSiteCoverageW *r)
1807 {
1808 p->rng_fault_state = true;
1809 return WERR_NOT_SUPPORTED;
1810 }
1811
1812 /****************************************************************
1813 ****************************************************************/
1814
1815 WERROR _netr_DsrEnumerateDomainTrusts(pipes_struct *p,
1816 struct netr_DsrEnumerateDomainTrusts *r)
1817 {
1818 p->rng_fault_state = true;
1819 return WERR_NOT_SUPPORTED;
1820 }
1821
1822 /****************************************************************
1823 ****************************************************************/
1824
1825 WERROR _netr_DsrDeregisterDNSHostRecords(pipes_struct *p,
1826 struct netr_DsrDeregisterDNSHostRecords *r)
1827 {
1828 p->rng_fault_state = true;
1829 return WERR_NOT_SUPPORTED;
1830 }
1831
1832 /****************************************************************
1833 ****************************************************************/
1834
1835 NTSTATUS _netr_ServerTrustPasswordsGet(pipes_struct *p,
1836 struct netr_ServerTrustPasswordsGet *r)
1837 {
1838 p->rng_fault_state = true;
1839 return NT_STATUS_NOT_IMPLEMENTED;
1840 }
1841
1842 /****************************************************************
1843 ****************************************************************/
1844
1845 WERROR _netr_DsRGetForestTrustInformation(pipes_struct *p,
1846 struct netr_DsRGetForestTrustInformation *r)
1847 {
1848 p->rng_fault_state = true;
1849 return WERR_NOT_SUPPORTED;
1850 }
1851
1852 /****************************************************************
1853 ****************************************************************/
1854
1855 NTSTATUS _netr_GetForestTrustInformation(pipes_struct *p,
1856 struct netr_GetForestTrustInformation *r)
1857 {
1858 p->rng_fault_state = true;
1859 return NT_STATUS_NOT_IMPLEMENTED;
1860 }
1861
1862 /****************************************************************
1863 ****************************************************************/
1864
1865 NTSTATUS _netr_ServerGetTrustInfo(pipes_struct *p,
1866 struct netr_ServerGetTrustInfo *r)
1867 {
1868 p->rng_fault_state = true;
1869 return NT_STATUS_NOT_IMPLEMENTED;
1870 }
1871
Crístian's Samba branch