2 Unix SMB/CIFS implementation.
4 A composite API for initializing a domain
6 Copyright (C) Volker Lendecke 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "libcli/composite/composite.h"
25 #include "libcli/smb_composite/smb_composite.h"
26 #include "winbind/wb_server.h"
27 #include "winbind/wb_async_helpers.h"
28 #include "winbind/wb_helper.h"
29 #include "smbd/service_task.h"
30 #include "librpc/gen_ndr/ndr_netlogon.h"
31 #include "librpc/gen_ndr/ndr_lsa_c.h"
33 #include "libcli/auth/credentials.h"
34 #include "libcli/security/security.h"
36 #include "libcli/ldap/ldap_client.h"
38 #include "auth/credentials/credentials.h"
41 * Initialize a domain:
43 * - With schannel credentials, try to open the SMB connection with the
44 * machine creds. This works against W2k3SP1 with an NTLMSSP session
45 * setup. Fall back to anonymous.
47 * - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
50 * - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
51 * to schannel and then to anon bind.
53 * - With queryinfopolicy, verify that we're talking to the right domain
55 * A bit complex, but with all the combinations I think it's the best we can
56 * get. NT4, W2k3 and W2k all have different combinations, but in the end we
57 * have a signed&sealed lsa connection on all of them.
59 * Not sure if it is overkill, but it seems to work.
62 struct init_domain_state
{
63 struct composite_context
*ctx
;
64 struct wbsrv_domain
*domain
;
65 struct wbsrv_service
*service
;
67 struct smb_composite_connect conn
;
69 struct lsa_QueryInfoPolicy queryinfo
;
72 static void init_domain_recv_tree(struct composite_context
*ctx
);
73 static void init_domain_recv_netlogoncreds(struct composite_context
*ctx
);
74 static void init_domain_recv_netlogonpipe(struct composite_context
*ctx
);
75 static void init_domain_recv_schannel(struct composite_context
*ctx
);
76 static void init_domain_recv_lsa(struct composite_context
*ctx
);
77 static void init_domain_recv_queryinfo(struct rpc_request
*req
);
78 static void init_domain_recv_ldapconn(struct composite_context
*ctx
);
79 static void init_domain_recv_samr(struct composite_context
*ctx
);
81 struct composite_context
*wb_init_domain_send(TALLOC_CTX
*mem_ctx
,
82 struct wbsrv_service
*service
,
83 struct wb_dom_info
*dom_info
)
85 struct composite_context
*result
, *ctx
;
86 struct init_domain_state
*state
;
88 result
= composite_create(mem_ctx
, service
->task
->event_ctx
);
89 if (result
== NULL
) goto failed
;
91 state
= talloc_zero(result
, struct init_domain_state
);
92 if (state
== NULL
) goto failed
;
94 result
->private_data
= state
;
96 state
->service
= service
;
98 state
->domain
= talloc(state
, struct wbsrv_domain
);
99 if (state
->domain
== NULL
) goto failed
;
101 state
->domain
->info
= talloc_reference(state
->domain
, dom_info
);
102 if (state
->domain
->info
== NULL
) goto failed
;
104 state
->domain
->schannel_creds
= cli_credentials_init(state
->domain
);
105 if (state
->domain
->schannel_creds
== NULL
) goto failed
;
107 cli_credentials_set_conf(state
->domain
->schannel_creds
);
109 cli_credentials_set_machine_account(state
->domain
->
111 if (!NT_STATUS_IS_OK(state
->ctx
->status
)) goto failed
;
113 state
->conn
.in
.dest_host
= dom_info
->dc_address
;
114 state
->conn
.in
.port
= 0;
115 state
->conn
.in
.called_name
= dom_info
->dc_name
;
116 state
->conn
.in
.service
= "IPC$";
117 state
->conn
.in
.service_type
= "IPC";
118 state
->conn
.in
.workgroup
= dom_info
->name
;
119 state
->conn
.in
.credentials
= state
->domain
->schannel_creds
;
121 state
->conn
.in
.fallback_to_anonymous
= True
;
123 ctx
= smb_composite_connect_send(&state
->conn
, state
->domain
,
125 if (ctx
== NULL
) goto failed
;
127 ctx
->async
.fn
= init_domain_recv_tree
;
128 ctx
->async
.private_data
= state
;
136 static void init_domain_recv_tree(struct composite_context
*ctx
)
138 struct init_domain_state
*state
=
139 talloc_get_type(ctx
->async
.private_data
,
140 struct init_domain_state
);
141 state
->ctx
->status
= smb_composite_connect_recv(ctx
, state
);
142 if (!composite_is_ok(state
->ctx
)) return;
144 if ((state
->domain
->schannel_creds
!= NULL
) &&
145 (!cli_credentials_is_anonymous(state
->domain
->schannel_creds
)) &&
146 ((lp_server_role() == ROLE_DOMAIN_MEMBER
) &&
147 (dom_sid_equal(state
->domain
->info
->sid
,
148 state
->service
->primary_sid
)))) {
149 ctx
= wb_get_schannel_creds_send(state
,
150 state
->domain
->schannel_creds
,
151 state
->conn
.out
.tree
,
152 state
->ctx
->event_ctx
);
153 composite_continue(state
->ctx
, ctx
,
154 init_domain_recv_netlogoncreds
, state
);
158 ctx
= wb_connect_lsa_send(state
, state
->conn
.out
.tree
, NULL
);
159 composite_continue(state
->ctx
, ctx
, init_domain_recv_lsa
, state
);
162 static void init_domain_recv_netlogoncreds(struct composite_context
*ctx
)
164 struct init_domain_state
*state
=
165 talloc_get_type(ctx
->async
.private_data
,
166 struct init_domain_state
);
167 struct dcerpc_pipe
*auth2_pipe
;
168 struct smbcli_tree
*tree
= NULL
;
171 wb_get_schannel_creds_recv(ctx
, state
, &auth2_pipe
);
172 if (!composite_is_ok(state
->ctx
)) return;
174 if (!lp_winbind_sealed_pipes()) {
175 state
->domain
->netlogon_pipe
= talloc_reference(state
->domain
,
177 ctx
= wb_connect_lsa_send(state
, state
->conn
.out
.tree
, NULL
);
178 composite_continue(state
->ctx
, ctx
, init_domain_recv_lsa
,
183 state
->domain
->netlogon_pipe
=
184 dcerpc_pipe_init(state
->domain
, state
->ctx
->event_ctx
);
185 if (composite_nomem(state
->domain
->netlogon_pipe
, state
->ctx
)) return;
187 tree
= dcerpc_smb_tree(auth2_pipe
->conn
);
189 composite_error(state
->ctx
, NT_STATUS_INTERNAL_ERROR
);
193 ctx
= dcerpc_pipe_open_smb_send(state
->domain
->netlogon_pipe
,
195 composite_continue(state
->ctx
, ctx
, init_domain_recv_netlogonpipe
,
199 static void init_domain_recv_netlogonpipe(struct composite_context
*ctx
)
201 struct init_domain_state
*state
=
202 talloc_get_type(ctx
->async
.private_data
,
203 struct init_domain_state
);
205 state
->ctx
->status
= dcerpc_pipe_open_smb_recv(ctx
);
206 if (!composite_is_ok(state
->ctx
)) return;
208 state
->domain
->netlogon_pipe
->conn
->flags
|=
209 (DCERPC_SIGN
| DCERPC_SEAL
);
210 ctx
= dcerpc_bind_auth_send(state
, state
->domain
->netlogon_pipe
,
211 &dcerpc_table_netlogon
,
212 state
->domain
->schannel_creds
,
213 DCERPC_AUTH_TYPE_SCHANNEL
,
214 DCERPC_AUTH_LEVEL_PRIVACY
,
216 composite_continue(state
->ctx
, ctx
, init_domain_recv_schannel
, state
);
219 static void init_domain_recv_schannel(struct composite_context
*ctx
)
221 struct init_domain_state
*state
=
222 talloc_get_type(ctx
->async
.private_data
,
223 struct init_domain_state
);
225 state
->ctx
->status
= dcerpc_bind_auth_recv(ctx
);
226 if (!composite_is_ok(state
->ctx
)) return;
228 ctx
= wb_connect_lsa_send(state
, state
->conn
.out
.tree
,
229 state
->domain
->schannel_creds
);
230 composite_continue(state
->ctx
, ctx
, init_domain_recv_lsa
, state
);
233 static void init_domain_recv_lsa(struct composite_context
*ctx
)
235 struct init_domain_state
*state
=
236 talloc_get_type(ctx
->async
.private_data
,
237 struct init_domain_state
);
239 struct rpc_request
*req
;
241 state
->ctx
->status
= wb_connect_lsa_recv(ctx
, state
->domain
,
242 &state
->domain
->lsa_auth_type
,
243 &state
->domain
->lsa_pipe
,
244 &state
->domain
->lsa_policy
);
245 if (!composite_is_ok(state
->ctx
)) return;
247 /* Give the tree to the pipes. */
248 talloc_unlink(state
, state
->conn
.out
.tree
);
250 state
->queryinfo
.in
.handle
= state
->domain
->lsa_policy
;
251 state
->queryinfo
.in
.level
= LSA_POLICY_INFO_ACCOUNT_DOMAIN
;
253 req
= dcerpc_lsa_QueryInfoPolicy_send(state
->domain
->lsa_pipe
, state
,
255 composite_continue_rpc(state
->ctx
, req
,
256 init_domain_recv_queryinfo
, state
);
259 static void init_domain_recv_queryinfo(struct rpc_request
*req
)
261 struct init_domain_state
*state
=
262 talloc_get_type(req
->async
.private_data
, struct init_domain_state
);
263 struct lsa_DomainInfo
*dominfo
;
264 struct composite_context
*ctx
;
265 const char *ldap_url
;
267 state
->ctx
->status
= dcerpc_ndr_request_recv(req
);
268 if (!composite_is_ok(state
->ctx
)) return;
269 state
->ctx
->status
= state
->queryinfo
.out
.result
;
270 if (!composite_is_ok(state
->ctx
)) return;
272 dominfo
= &state
->queryinfo
.out
.info
->account_domain
;
274 if (strcasecmp(state
->domain
->info
->name
, dominfo
->name
.string
) != 0) {
275 DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
276 state
->domain
->info
->name
,
277 dcerpc_server_name(state
->domain
->lsa_pipe
),
278 dominfo
->name
.string
));
279 composite_error(state
->ctx
, NT_STATUS_INVALID_DOMAIN_STATE
);
283 if (!dom_sid_equal(state
->domain
->info
->sid
, dominfo
->sid
)) {
284 DEBUG(2, ("Expected domain sid %s, DC %s said %s\n",
285 dom_sid_string(state
, state
->domain
->info
->sid
),
286 dcerpc_server_name(state
->domain
->lsa_pipe
),
287 dom_sid_string(state
, dominfo
->sid
)));
288 composite_error(state
->ctx
, NT_STATUS_INVALID_DOMAIN_STATE
);
292 state
->domain
->ldap_conn
=
293 ldap4_new_connection(state
->domain
, state
->ctx
->event_ctx
);
294 composite_nomem(state
->domain
->ldap_conn
, state
->ctx
);
296 ldap_url
= talloc_asprintf(state
, "ldap://%s/",
297 state
->domain
->info
->dc_address
);
298 composite_nomem(ldap_url
, state
->ctx
);
300 ctx
= ldap_connect_send(state
->domain
->ldap_conn
, ldap_url
);
301 composite_continue(state
->ctx
, ctx
, init_domain_recv_ldapconn
, state
);
304 static void init_domain_recv_ldapconn(struct composite_context
*ctx
)
306 struct init_domain_state
*state
=
307 talloc_get_type(ctx
->async
.private_data
,
308 struct init_domain_state
);
310 state
->ctx
->status
= ldap_connect_recv(ctx
);
311 if (NT_STATUS_IS_OK(state
->ctx
->status
)) {
312 state
->domain
->ldap_conn
->host
=
313 talloc_strdup(state
->domain
->ldap_conn
,
314 state
->domain
->info
->dc_name
);
316 ldap_bind_sasl(state
->domain
->ldap_conn
,
317 state
->domain
->schannel_creds
);
318 DEBUG(0, ("ldap_bind returned %s\n",
319 nt_errstr(state
->ctx
->status
)));
322 state
->domain
->samr_pipe
=
323 dcerpc_pipe_init(state
->domain
, state
->ctx
->event_ctx
);
324 if (composite_nomem(state
->domain
->samr_pipe
, state
->ctx
)) return;
326 ctx
= wb_connect_sam_send(state
, state
->conn
.out
.tree
,
327 state
->domain
->lsa_auth_type
,
328 state
->domain
->schannel_creds
,
329 state
->domain
->info
->sid
);
330 composite_continue(state
->ctx
, ctx
, init_domain_recv_samr
, state
);
333 static void init_domain_recv_samr(struct composite_context
*ctx
)
335 struct init_domain_state
*state
=
336 talloc_get_type(ctx
->async
.private_data
,
337 struct init_domain_state
);
339 state
->ctx
->status
= wb_connect_sam_recv(
340 ctx
, state
->domain
, &state
->domain
->samr_pipe
,
341 &state
->domain
->samr_handle
, &state
->domain
->domain_handle
);
342 if (!composite_is_ok(state
->ctx
)) return;
344 composite_done(state
->ctx
);
347 NTSTATUS
wb_init_domain_recv(struct composite_context
*c
,
349 struct wbsrv_domain
**result
)
351 NTSTATUS status
= composite_wait(c
);
352 if (NT_STATUS_IS_OK(status
)) {
353 struct init_domain_state
*state
=
354 talloc_get_type(c
->private_data
,
355 struct init_domain_state
);
356 *result
= talloc_steal(mem_ctx
, state
->domain
);
362 NTSTATUS
wb_init_domain(TALLOC_CTX
*mem_ctx
, struct wbsrv_service
*service
,
363 struct wb_dom_info
*dom_info
,
364 struct wbsrv_domain
**result
)
366 struct composite_context
*c
=
367 wb_init_domain_send(mem_ctx
, service
, dom_info
);
368 return wb_init_domain_recv(c
, mem_ctx
, result
);