search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r22944: fix bug #4618:
[Samba.git] / source / winbind / wb_init_domain.c
blob3f28c3137238e65309b8b1f59946c0c71342c089
1 /*
2 Unix SMB/CIFS implementation.
3
4 A composite API for initializing a domain
5
6 Copyright (C) Volker Lendecke 2005
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 #include "libcli/composite/composite.h"
25 #include "libcli/smb_composite/smb_composite.h"
26 #include "winbind/wb_server.h"
27 #include "winbind/wb_async_helpers.h"
28 #include "winbind/wb_helper.h"
29 #include "smbd/service_task.h"
30 #include "librpc/gen_ndr/ndr_netlogon.h"
31 #include "librpc/gen_ndr/ndr_lsa_c.h"
32
33 #include "libcli/auth/credentials.h"
34 #include "libcli/security/security.h"
35
36 #include "libcli/ldap/ldap_client.h"
37
38 #include "auth/credentials/credentials.h"
39
40 /*
41 * Initialize a domain:
42 *
43 * - With schannel credentials, try to open the SMB connection with the
44 * machine creds. This works against W2k3SP1 with an NTLMSSP session
45 * setup. Fall back to anonymous.
46 *
47 * - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
48 * pipe.
49 *
50 * - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
51 * to schannel and then to anon bind.
52 *
53 * - With queryinfopolicy, verify that we're talking to the right domain
54 *
55 * A bit complex, but with all the combinations I think it's the best we can
56 * get. NT4, W2k3 and W2k all have different combinations, but in the end we
57 * have a signed&sealed lsa connection on all of them.
58 *
59 * Not sure if it is overkill, but it seems to work.
60 */
61
62 struct init_domain_state {
63 struct composite_context *ctx;
64 struct wbsrv_domain *domain;
65 struct wbsrv_service *service;
66
67 struct smb_composite_connect conn;
68
69 struct lsa_QueryInfoPolicy queryinfo;
70 };
71
72 static void init_domain_recv_tree(struct composite_context *ctx);
73 static void init_domain_recv_netlogoncreds(struct composite_context *ctx);
74 static void init_domain_recv_netlogonpipe(struct composite_context *ctx);
75 static void init_domain_recv_schannel(struct composite_context *ctx);
76 static void init_domain_recv_lsa(struct composite_context *ctx);
77 static void init_domain_recv_queryinfo(struct rpc_request *req);
78 static void init_domain_recv_ldapconn(struct composite_context *ctx);
79 static void init_domain_recv_samr(struct composite_context *ctx);
80
81 struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx,
82 struct wbsrv_service *service,
83 struct wb_dom_info *dom_info)
84 {
85 struct composite_context *result, *ctx;
86 struct init_domain_state *state;
87
88 result = composite_create(mem_ctx, service->task->event_ctx);
89 if (result == NULL) goto failed;
90
91 state = talloc_zero(result, struct init_domain_state);
92 if (state == NULL) goto failed;
93 state->ctx = result;
94 result->private_data = state;
95
96 state->service = service;
97
98 state->domain = talloc(state, struct wbsrv_domain);
99 if (state->domain == NULL) goto failed;
100
101 state->domain->info = talloc_reference(state->domain, dom_info);
102 if (state->domain->info == NULL) goto failed;
103
104 state->domain->schannel_creds = cli_credentials_init(state->domain);
105 if (state->domain->schannel_creds == NULL) goto failed;
106
107 cli_credentials_set_conf(state->domain->schannel_creds);
108 state->ctx->status =
109 cli_credentials_set_machine_account(state->domain->
110 schannel_creds);
111 if (!NT_STATUS_IS_OK(state->ctx->status)) goto failed;
112
113 state->conn.in.dest_host = dom_info->dc_address;
114 state->conn.in.port = 0;
115 state->conn.in.called_name = dom_info->dc_name;
116 state->conn.in.service = "IPC$";
117 state->conn.in.service_type = "IPC";
118 state->conn.in.workgroup = dom_info->name;
119 state->conn.in.credentials = state->domain->schannel_creds;
120
121 state->conn.in.fallback_to_anonymous = True;
122
123 ctx = smb_composite_connect_send(&state->conn, state->domain,
124 result->event_ctx);
125 if (ctx == NULL) goto failed;
126
127 ctx->async.fn = init_domain_recv_tree;
128 ctx->async.private_data = state;
129 return result;
130
131 failed:
132 talloc_free(result);
133 return NULL;
134 }
135
136 static void init_domain_recv_tree(struct composite_context *ctx)
137 {
138 struct init_domain_state *state =
139 talloc_get_type(ctx->async.private_data,
140 struct init_domain_state);
141 state->ctx->status = smb_composite_connect_recv(ctx, state);
142 if (!composite_is_ok(state->ctx)) return;
143
144 if ((state->domain->schannel_creds != NULL) &&
145 (!cli_credentials_is_anonymous(state->domain->schannel_creds)) &&
146 ((lp_server_role() == ROLE_DOMAIN_MEMBER) &&
147 (dom_sid_equal(state->domain->info->sid,
148 state->service->primary_sid)))) {
149 ctx = wb_get_schannel_creds_send(state,
150 state->domain->schannel_creds,
151 state->conn.out.tree,
152 state->ctx->event_ctx);
153 composite_continue(state->ctx, ctx,
154 init_domain_recv_netlogoncreds, state);
155 return;
156 }
157
158 ctx = wb_connect_lsa_send(state, state->conn.out.tree, NULL);
159 composite_continue(state->ctx, ctx, init_domain_recv_lsa, state);
160 }
161
162 static void init_domain_recv_netlogoncreds(struct composite_context *ctx)
163 {
164 struct init_domain_state *state =
165 talloc_get_type(ctx->async.private_data,
166 struct init_domain_state);
167 struct dcerpc_pipe *auth2_pipe;
168 struct smbcli_tree *tree = NULL;
169
170 state->ctx->status =
171 wb_get_schannel_creds_recv(ctx, state, &auth2_pipe);
172 if (!composite_is_ok(state->ctx)) return;
173
174 if (!lp_winbind_sealed_pipes()) {
175 state->domain->netlogon_pipe = talloc_reference(state->domain,
176 auth2_pipe);
177 ctx = wb_connect_lsa_send(state, state->conn.out.tree, NULL);
178 composite_continue(state->ctx, ctx, init_domain_recv_lsa,
179 state);
180 return;
181 }
182
183 state->domain->netlogon_pipe =
184 dcerpc_pipe_init(state->domain, state->ctx->event_ctx);
185 if (composite_nomem(state->domain->netlogon_pipe, state->ctx)) return;
186
187 tree = dcerpc_smb_tree(auth2_pipe->conn);
188 if (tree == NULL) {
189 composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR);
190 return;
191 }
192
193 ctx = dcerpc_pipe_open_smb_send(state->domain->netlogon_pipe,
194 tree, "\\netlogon");
195 composite_continue(state->ctx, ctx, init_domain_recv_netlogonpipe,
196 state);
197 }
198
199 static void init_domain_recv_netlogonpipe(struct composite_context *ctx)
200 {
201 struct init_domain_state *state =
202 talloc_get_type(ctx->async.private_data,
203 struct init_domain_state);
204
205 state->ctx->status = dcerpc_pipe_open_smb_recv(ctx);
206 if (!composite_is_ok(state->ctx)) return;
207
208 state->domain->netlogon_pipe->conn->flags |=
209 (DCERPC_SIGN | DCERPC_SEAL);
210 ctx = dcerpc_bind_auth_send(state, state->domain->netlogon_pipe,
211 &dcerpc_table_netlogon,
212 state->domain->schannel_creds,
213 DCERPC_AUTH_TYPE_SCHANNEL,
214 DCERPC_AUTH_LEVEL_PRIVACY,
215 NULL);
216 composite_continue(state->ctx, ctx, init_domain_recv_schannel, state);
217 }
218
219 static void init_domain_recv_schannel(struct composite_context *ctx)
220 {
221 struct init_domain_state *state =
222 talloc_get_type(ctx->async.private_data,
223 struct init_domain_state);
224
225 state->ctx->status = dcerpc_bind_auth_recv(ctx);
226 if (!composite_is_ok(state->ctx)) return;
227
228 ctx = wb_connect_lsa_send(state, state->conn.out.tree,
229 state->domain->schannel_creds);
230 composite_continue(state->ctx, ctx, init_domain_recv_lsa, state);
231 }
232
233 static void init_domain_recv_lsa(struct composite_context *ctx)
234 {
235 struct init_domain_state *state =
236 talloc_get_type(ctx->async.private_data,
237 struct init_domain_state);
238
239 struct rpc_request *req;
240
241 state->ctx->status = wb_connect_lsa_recv(ctx, state->domain,
242 &state->domain->lsa_auth_type,
243 &state->domain->lsa_pipe,
244 &state->domain->lsa_policy);
245 if (!composite_is_ok(state->ctx)) return;
246
247 /* Give the tree to the pipes. */
248 talloc_unlink(state, state->conn.out.tree);
249
250 state->queryinfo.in.handle = state->domain->lsa_policy;
251 state->queryinfo.in.level = LSA_POLICY_INFO_ACCOUNT_DOMAIN;
252
253 req = dcerpc_lsa_QueryInfoPolicy_send(state->domain->lsa_pipe, state,
254 &state->queryinfo);
255 composite_continue_rpc(state->ctx, req,
256 init_domain_recv_queryinfo, state);
257 }
258
259 static void init_domain_recv_queryinfo(struct rpc_request *req)
260 {
261 struct init_domain_state *state =
262 talloc_get_type(req->async.private_data, struct init_domain_state);
263 struct lsa_DomainInfo *dominfo;
264 struct composite_context *ctx;
265 const char *ldap_url;
266
267 state->ctx->status = dcerpc_ndr_request_recv(req);
268 if (!composite_is_ok(state->ctx)) return;
269 state->ctx->status = state->queryinfo.out.result;
270 if (!composite_is_ok(state->ctx)) return;
271
272 dominfo = &state->queryinfo.out.info->account_domain;
273
274 if (strcasecmp(state->domain->info->name, dominfo->name.string) != 0) {
275 DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
276 state->domain->info->name,
277 dcerpc_server_name(state->domain->lsa_pipe),
278 dominfo->name.string));
279 composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
280 return;
281 }
282
283 if (!dom_sid_equal(state->domain->info->sid, dominfo->sid)) {
284 DEBUG(2, ("Expected domain sid %s, DC %s said %s\n",
285 dom_sid_string(state, state->domain->info->sid),
286 dcerpc_server_name(state->domain->lsa_pipe),
287 dom_sid_string(state, dominfo->sid)));
288 composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
289 return;
290 }
291
292 state->domain->ldap_conn =
293 ldap4_new_connection(state->domain, state->ctx->event_ctx);
294 composite_nomem(state->domain->ldap_conn, state->ctx);
295
296 ldap_url = talloc_asprintf(state, "ldap://%s/",
297 state->domain->info->dc_address);
298 composite_nomem(ldap_url, state->ctx);
299
300 ctx = ldap_connect_send(state->domain->ldap_conn, ldap_url);
301 composite_continue(state->ctx, ctx, init_domain_recv_ldapconn, state);
302 }
303
304 static void init_domain_recv_ldapconn(struct composite_context *ctx)
305 {
306 struct init_domain_state *state =
307 talloc_get_type(ctx->async.private_data,
308 struct init_domain_state);
309
310 state->ctx->status = ldap_connect_recv(ctx);
311 if (NT_STATUS_IS_OK(state->ctx->status)) {
312 state->domain->ldap_conn->host =
313 talloc_strdup(state->domain->ldap_conn,
314 state->domain->info->dc_name);
315 state->ctx->status =
316 ldap_bind_sasl(state->domain->ldap_conn,
317 state->domain->schannel_creds);
318 DEBUG(0, ("ldap_bind returned %s\n",
319 nt_errstr(state->ctx->status)));
320 }
321
322 state->domain->samr_pipe =
323 dcerpc_pipe_init(state->domain, state->ctx->event_ctx);
324 if (composite_nomem(state->domain->samr_pipe, state->ctx)) return;
325
326 ctx = wb_connect_sam_send(state, state->conn.out.tree,
327 state->domain->lsa_auth_type,
328 state->domain->schannel_creds,
329 state->domain->info->sid);
330 composite_continue(state->ctx, ctx, init_domain_recv_samr, state);
331 }
332
333 static void init_domain_recv_samr(struct composite_context *ctx)
334 {
335 struct init_domain_state *state =
336 talloc_get_type(ctx->async.private_data,
337 struct init_domain_state);
338
339 state->ctx->status = wb_connect_sam_recv(
340 ctx, state->domain, &state->domain->samr_pipe,
341 &state->domain->samr_handle, &state->domain->domain_handle);
342 if (!composite_is_ok(state->ctx)) return;
343
344 composite_done(state->ctx);
345 }
346
347 NTSTATUS wb_init_domain_recv(struct composite_context *c,
348 TALLOC_CTX *mem_ctx,
349 struct wbsrv_domain **result)
350 {
351 NTSTATUS status = composite_wait(c);
352 if (NT_STATUS_IS_OK(status)) {
353 struct init_domain_state *state =
354 talloc_get_type(c->private_data,
355 struct init_domain_state);
356 *result = talloc_steal(mem_ctx, state->domain);
357 }
358 talloc_free(c);
359 return status;
360 }
361
362 NTSTATUS wb_init_domain(TALLOC_CTX *mem_ctx, struct wbsrv_service *service,
363 struct wb_dom_info *dom_info,
364 struct wbsrv_domain **result)
365 {
366 struct composite_context *c =
367 wb_init_domain_send(mem_ctx, service, dom_info);
368 return wb_init_domain_recv(c, mem_ctx, result);
369 }
Samba GIT mirror