search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log warnings about unsecure configu...
[Samba.git] / source3 / rpc_server / netlogon / srv_netlog_nt.c
blobc217fee9c43c75a4557e3fd97a0d37091efc8af9
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997.
7 * Copyright (C) Jeremy Allison 1998-2001.
8 * Copyright (C) Andrew Bartlett 2001.
9 * Copyright (C) Guenther Deschner 2008-2009.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 */
24
25 /* This is the implementation of the netlogon pipe. */
26
27 #include "includes.h"
28 #include "system/passwd.h" /* uid_wrapper */
29 #include "ntdomain.h"
30 #include "../libcli/auth/schannel.h"
31 #include "librpc/gen_ndr/ndr_netlogon.h"
32 #include "librpc/gen_ndr/ndr_netlogon_scompat.h"
33 #include "librpc/gen_ndr/ndr_samr_c.h"
34 #include "librpc/gen_ndr/ndr_lsa_c.h"
35 #include "rpc_client/cli_lsarpc.h"
36 #include "rpc_client/init_lsa.h"
37 #include "rpc_client/init_samr.h"
38 #include "rpc_server/rpc_ncacn_np.h"
39 #include "../libcli/security/security.h"
40 #include "../libcli/security/dom_sid.h"
41 #include "librpc/gen_ndr/ndr_drsblobs.h"
42 #include "lib/crypto/md4.h"
43 #include "nsswitch/libwbclient/wbclient.h"
44 #include "../libcli/registry/util_reg.h"
45 #include "passdb.h"
46 #include "auth.h"
47 #include "messages.h"
48 #include "../lib/tsocket/tsocket.h"
49 #include "lib/param/param.h"
50 #include "libsmb/dsgetdcname.h"
51 #include "lib/util/util_str_escape.h"
52
53 extern userdom_struct current_user_info;
54
55 #undef DBGC_CLASS
56 #define DBGC_CLASS DBGC_RPC_SRV
57
58 struct netlogon_server_pipe_state {
59 struct netr_Credential client_challenge;
60 struct netr_Credential server_challenge;
61 };
62
63 /*************************************************************************
64 _netr_LogonControl
65 *************************************************************************/
66
67 WERROR _netr_LogonControl(struct pipes_struct *p,
68 struct netr_LogonControl *r)
69 {
70 struct netr_LogonControl2Ex l;
71
72 switch (r->in.level) {
73 case 1:
74 break;
75 case 2:
76 return WERR_NOT_SUPPORTED;
77 default:
78 return WERR_INVALID_LEVEL;
79 }
80
81 switch (r->in.function_code) {
82 case NETLOGON_CONTROL_QUERY:
83 case NETLOGON_CONTROL_REPLICATE:
84 case NETLOGON_CONTROL_SYNCHRONIZE:
85 case NETLOGON_CONTROL_PDC_REPLICATE:
86 case NETLOGON_CONTROL_BREAKPOINT:
87 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
88 case NETLOGON_CONTROL_TRUNCATE_LOG:
89 break;
90 default:
91 return WERR_NOT_SUPPORTED;
92 }
93
94 l.in.logon_server = r->in.logon_server;
95 l.in.function_code = r->in.function_code;
96 l.in.level = r->in.level;
97 l.in.data = NULL;
98 l.out.query = r->out.query;
99
100 return _netr_LogonControl2Ex(p, &l);
101 }
102
103 /*************************************************************************
104 _netr_LogonControl2
105 *************************************************************************/
106
107 WERROR _netr_LogonControl2(struct pipes_struct *p,
108 struct netr_LogonControl2 *r)
109 {
110 struct netr_LogonControl2Ex l;
111
112 l.in.logon_server = r->in.logon_server;
113 l.in.function_code = r->in.function_code;
114 l.in.level = r->in.level;
115 l.in.data = r->in.data;
116 l.out.query = r->out.query;
117
118 return _netr_LogonControl2Ex(p, &l);
119 }
120
121 /*************************************************************************
122 *************************************************************************/
123
124 static bool wb_change_trust_creds(const char *domain, WERROR *tc_status)
125 {
126 wbcErr result;
127 struct wbcAuthErrorInfo *error = NULL;
128
129 result = wbcChangeTrustCredentials(domain, &error);
130 switch (result) {
131 case WBC_ERR_WINBIND_NOT_AVAILABLE:
132 return false;
133 case WBC_ERR_DOMAIN_NOT_FOUND:
134 *tc_status = WERR_NO_SUCH_DOMAIN;
135 return true;
136 case WBC_ERR_SUCCESS:
137 *tc_status = WERR_OK;
138 return true;
139 default:
140 break;
141 }
142
143 if (error && error->nt_status != 0) {
144 *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
145 } else {
146 *tc_status = WERR_TRUST_FAILURE;
147 }
148 wbcFreeMemory(error);
149 return true;
150 }
151
152 /*************************************************************************
153 *************************************************************************/
154
155 static bool wb_check_trust_creds(const char *domain, WERROR *tc_status)
156 {
157 wbcErr result;
158 struct wbcAuthErrorInfo *error = NULL;
159
160 result = wbcCheckTrustCredentials(domain, &error);
161 switch (result) {
162 case WBC_ERR_WINBIND_NOT_AVAILABLE:
163 return false;
164 case WBC_ERR_DOMAIN_NOT_FOUND:
165 *tc_status = WERR_NO_SUCH_DOMAIN;
166 return true;
167 case WBC_ERR_SUCCESS:
168 *tc_status = WERR_OK;
169 return true;
170 default:
171 break;
172 }
173
174 if (error && error->nt_status != 0) {
175 *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
176 } else {
177 *tc_status = WERR_TRUST_FAILURE;
178 }
179 wbcFreeMemory(error);
180 return true;
181 }
182
183 /****************************************************************
184 _netr_LogonControl2Ex
185 ****************************************************************/
186
187 WERROR _netr_LogonControl2Ex(struct pipes_struct *p,
188 struct netr_LogonControl2Ex *r)
189 {
190 uint32_t flags = 0x0;
191 WERROR pdc_connection_status = WERR_OK;
192 uint32_t logon_attempts = 0x0;
193 WERROR tc_status;
194 fstring dc_name2;
195 const char *dc_name = NULL;
196 struct sockaddr_storage dc_ss;
197 const char *domain = NULL;
198 struct netr_NETLOGON_INFO_1 *info1;
199 struct netr_NETLOGON_INFO_2 *info2;
200 struct netr_NETLOGON_INFO_3 *info3;
201 struct netr_NETLOGON_INFO_4 *info4;
202 const char *fn;
203 NTSTATUS status;
204 struct netr_DsRGetDCNameInfo *dc_info;
205
206 switch (p->opnum) {
207 case NDR_NETR_LOGONCONTROL:
208 fn = "_netr_LogonControl";
209 break;
210 case NDR_NETR_LOGONCONTROL2:
211 fn = "_netr_LogonControl2";
212 break;
213 case NDR_NETR_LOGONCONTROL2EX:
214 fn = "_netr_LogonControl2Ex";
215 break;
216 default:
217 return WERR_INVALID_PARAMETER;
218 }
219
220 switch (r->in.level) {
221 case 1:
222 case 2:
223 case 3:
224 case 4:
225 break;
226 default:
227 return WERR_INVALID_LEVEL;
228 }
229
230 switch (r->in.function_code) {
231 case NETLOGON_CONTROL_QUERY:
232 break;
233 default:
234 if ((geteuid() != sec_initial_uid()) &&
235 !nt_token_check_domain_rid(p->session_info->security_token, DOMAIN_RID_ADMINS) &&
236 !nt_token_check_sid(&global_sid_Builtin_Administrators, p->session_info->security_token))
237 {
238 return WERR_ACCESS_DENIED;
239 }
240 break;
241 }
242
243 tc_status = WERR_NO_SUCH_DOMAIN;
244
245 switch (r->in.function_code) {
246 case NETLOGON_CONTROL_QUERY:
247 switch (r->in.level) {
248 case 1:
249 case 3:
250 break;
251 default:
252 return WERR_INVALID_PARAMETER;
253 }
254
255 tc_status = WERR_OK;
256 break;
257 case NETLOGON_CONTROL_REPLICATE:
258 case NETLOGON_CONTROL_SYNCHRONIZE:
259 case NETLOGON_CONTROL_PDC_REPLICATE:
260 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
261 case NETLOGON_CONTROL_BREAKPOINT:
262 case NETLOGON_CONTROL_TRUNCATE_LOG:
263 case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
264 case NETLOGON_CONTROL_FORCE_DNS_REG:
265 case NETLOGON_CONTROL_QUERY_DNS_REG:
266 return WERR_NOT_SUPPORTED;
267
268 case NETLOGON_CONTROL_FIND_USER:
269 if (!r->in.data || !r->in.data->user) {
270 return WERR_NOT_SUPPORTED;
271 }
272 break;
273 case NETLOGON_CONTROL_SET_DBFLAG:
274 if (!r->in.data) {
275 return WERR_NOT_SUPPORTED;
276 }
277 break;
278 case NETLOGON_CONTROL_TC_VERIFY:
279 if (!r->in.data || !r->in.data->domain) {
280 return WERR_NOT_SUPPORTED;
281 }
282
283 if (!wb_check_trust_creds(r->in.data->domain, &tc_status)) {
284 return WERR_NOT_SUPPORTED;
285 }
286 break;
287 case NETLOGON_CONTROL_TC_QUERY:
288 if (!r->in.data || !r->in.data->domain) {
289 return WERR_NOT_SUPPORTED;
290 }
291
292 domain = r->in.data->domain;
293
294 if (!is_trusted_domain(domain)) {
295 break;
296 }
297
298 if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
299 tc_status = WERR_NO_LOGON_SERVERS;
300 break;
301 }
302
303 dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
304 if (!dc_name) {
305 return WERR_NOT_ENOUGH_MEMORY;
306 }
307
308 tc_status = WERR_OK;
309
310 break;
311
312 case NETLOGON_CONTROL_REDISCOVER:
313 if (!r->in.data || !r->in.data->domain) {
314 return WERR_NOT_SUPPORTED;
315 }
316
317 domain = r->in.data->domain;
318
319 if (!is_trusted_domain(domain)) {
320 break;
321 }
322
323 status = dsgetdcname(p->mem_ctx, p->msg_ctx, domain, NULL, NULL,
324 DS_FORCE_REDISCOVERY | DS_RETURN_FLAT_NAME,
325 &dc_info);
326 if (!NT_STATUS_IS_OK(status)) {
327 tc_status = WERR_NO_LOGON_SERVERS;
328 break;
329 }
330
331 dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_info->dc_unc);
332 if (!dc_name) {
333 return WERR_NOT_ENOUGH_MEMORY;
334 }
335
336 tc_status = WERR_OK;
337
338 break;
339
340 case NETLOGON_CONTROL_CHANGE_PASSWORD:
341 if (!r->in.data || !r->in.data->domain) {
342 return WERR_NOT_SUPPORTED;
343 }
344
345 if (!wb_change_trust_creds(r->in.data->domain, &tc_status)) {
346 return WERR_NOT_SUPPORTED;
347 }
348 break;
349
350 default:
351 /* no idea what this should be */
352 DEBUG(0,("%s: unimplemented function level [%d]\n",
353 fn, r->in.function_code));
354 return WERR_NOT_SUPPORTED;
355 }
356
357 /* prepare the response */
358
359 switch (r->in.level) {
360 case 1:
361 info1 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_1);
362 W_ERROR_HAVE_NO_MEMORY(info1);
363
364 info1->flags = flags;
365 info1->pdc_connection_status = pdc_connection_status;
366
367 r->out.query->info1 = info1;
368 break;
369 case 2:
370 info2 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_2);
371 W_ERROR_HAVE_NO_MEMORY(info2);
372
373 info2->flags = flags;
374 info2->pdc_connection_status = pdc_connection_status;
375 info2->trusted_dc_name = dc_name;
376 info2->tc_connection_status = tc_status;
377
378 r->out.query->info2 = info2;
379 break;
380 case 3:
381 info3 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_3);
382 W_ERROR_HAVE_NO_MEMORY(info3);
383
384 info3->flags = flags;
385 info3->logon_attempts = logon_attempts;
386
387 r->out.query->info3 = info3;
388 break;
389 case 4:
390 info4 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_4);
391 W_ERROR_HAVE_NO_MEMORY(info4);
392
393 info4->trusted_dc_name = dc_name;
394 info4->trusted_domain_name = r->in.data->domain;
395
396 r->out.query->info4 = info4;
397 break;
398 default:
399 return WERR_INVALID_LEVEL;
400 }
401
402 return WERR_OK;
403 }
404
405 /*************************************************************************
406 _netr_NetrEnumerateTrustedDomains
407 *************************************************************************/
408
409 NTSTATUS _netr_NetrEnumerateTrustedDomains(struct pipes_struct *p,
410 struct netr_NetrEnumerateTrustedDomains *r)
411 {
412 NTSTATUS status;
413 NTSTATUS result = NT_STATUS_OK;
414 DATA_BLOB blob;
415 size_t num_domains = 0;
416 const char **trusted_domains = NULL;
417 struct lsa_DomainList domain_list;
418 struct dcerpc_binding_handle *h = NULL;
419 struct policy_handle pol;
420 uint32_t enum_ctx = 0;
421 int i;
422 uint32_t max_size = (uint32_t)-1;
423
424 ZERO_STRUCT(pol);
425 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
426
427 status = rpcint_binding_handle(p->mem_ctx,
428 &ndr_table_lsarpc,
429 p->remote_address,
430 p->local_address,
431 p->session_info,
432 p->msg_ctx,
433 &h);
434 if (!NT_STATUS_IS_OK(status)) {
435 return status;
436 }
437
438 status = dcerpc_lsa_open_policy2(h,
439 p->mem_ctx,
440 NULL,
441 true,
442 LSA_POLICY_VIEW_LOCAL_INFORMATION,
443 &pol,
444 &result);
445 if (!NT_STATUS_IS_OK(status)) {
446 goto out;
447 }
448 if (!NT_STATUS_IS_OK(result)) {
449 status = result;
450 goto out;
451 }
452
453 do {
454 /* Lookup list of trusted domains */
455 status = dcerpc_lsa_EnumTrustDom(h,
456 p->mem_ctx,
457 &pol,
458 &enum_ctx,
459 &domain_list,
460 max_size,
461 &result);
462 if (!NT_STATUS_IS_OK(status)) {
463 goto out;
464 }
465 if (!NT_STATUS_IS_OK(result) &&
466 !NT_STATUS_EQUAL(result, NT_STATUS_NO_MORE_ENTRIES) &&
467 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
468 status = result;
469 goto out;
470 }
471
472 for (i = 0; i < domain_list.count; i++) {
473 if (!add_string_to_array(p->mem_ctx, domain_list.domains[i].name.string,
474 &trusted_domains, &num_domains)) {
475 status = NT_STATUS_NO_MEMORY;
476 goto out;
477 }
478 }
479 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
480
481 if (num_domains > 0) {
482 /* multi sz terminate */
483 trusted_domains = talloc_realloc(p->mem_ctx, trusted_domains, const char *, num_domains + 1);
484 if (trusted_domains == NULL) {
485 status = NT_STATUS_NO_MEMORY;
486 goto out;
487 }
488
489 trusted_domains[num_domains] = NULL;
490 }
491
492 if (!push_reg_multi_sz(trusted_domains, &blob, trusted_domains)) {
493 TALLOC_FREE(trusted_domains);
494 status = NT_STATUS_NO_MEMORY;
495 goto out;
496 }
497
498 r->out.trusted_domains_blob->data = blob.data;
499 r->out.trusted_domains_blob->length = blob.length;
500
501 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
502
503 status = NT_STATUS_OK;
504
505 out:
506 if (is_valid_policy_hnd(&pol)) {
507 dcerpc_lsa_Close(h, p->mem_ctx, &pol, &result);
508 }
509
510 return status;
511 }
512
513 /*************************************************************************
514 *************************************************************************/
515
516 static NTSTATUS samr_find_machine_account(TALLOC_CTX *mem_ctx,
517 struct dcerpc_binding_handle *b,
518 const char *account_name,
519 uint32_t access_mask,
520 struct dom_sid2 **domain_sid_p,
521 uint32_t *user_rid_p,
522 struct policy_handle *user_handle)
523 {
524 NTSTATUS status;
525 NTSTATUS result = NT_STATUS_OK;
526 struct policy_handle connect_handle;
527 struct policy_handle domain_handle = { 0, };
528 struct lsa_String domain_name;
529 struct dom_sid2 *domain_sid;
530 struct lsa_String names;
531 struct samr_Ids rids;
532 struct samr_Ids types;
533 uint32_t rid;
534
535 status = dcerpc_samr_Connect2(b, mem_ctx,
536 lp_netbios_name(),
537 SAMR_ACCESS_CONNECT_TO_SERVER |
538 SAMR_ACCESS_ENUM_DOMAINS |
539 SAMR_ACCESS_LOOKUP_DOMAIN,
540 &connect_handle,
541 &result);
542 if (!NT_STATUS_IS_OK(status)) {
543 goto out;
544 }
545 if (!NT_STATUS_IS_OK(result)) {
546 status = result;
547 goto out;
548 }
549
550 init_lsa_String(&domain_name, get_global_sam_name());
551
552 status = dcerpc_samr_LookupDomain(b, mem_ctx,
553 &connect_handle,
554 &domain_name,
555 &domain_sid,
556 &result);
557 if (!NT_STATUS_IS_OK(status)) {
558 goto out;
559 }
560 if (!NT_STATUS_IS_OK(result)) {
561 status = result;
562 goto out;
563 }
564
565 status = dcerpc_samr_OpenDomain(b, mem_ctx,
566 &connect_handle,
567 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
568 domain_sid,
569 &domain_handle,
570 &result);
571 if (!NT_STATUS_IS_OK(status)) {
572 goto out;
573 }
574 if (!NT_STATUS_IS_OK(result)) {
575 status = result;
576 goto out;
577 }
578
579 init_lsa_String(&names, account_name);
580
581 status = dcerpc_samr_LookupNames(b, mem_ctx,
582 &domain_handle,
583 1,
584 &names,
585 &rids,
586 &types,
587 &result);
588 if (!NT_STATUS_IS_OK(status)) {
589 goto out;
590 }
591 if (!NT_STATUS_IS_OK(result)) {
592 status = result;
593 goto out;
594 }
595
596 if (rids.count != 1) {
597 status = NT_STATUS_NO_SUCH_USER;
598 goto out;
599 }
600 if (types.count != 1) {
601 status = NT_STATUS_INVALID_PARAMETER;
602 goto out;
603 }
604 if (types.ids[0] != SID_NAME_USER) {
605 status = NT_STATUS_NO_SUCH_USER;
606 goto out;
607 }
608
609 rid = rids.ids[0];
610
611 status = dcerpc_samr_OpenUser(b, mem_ctx,
612 &domain_handle,
613 access_mask,
614 rid,
615 user_handle,
616 &result);
617 if (!NT_STATUS_IS_OK(status)) {
618 goto out;
619 }
620 if (!NT_STATUS_IS_OK(result)) {
621 status = result;
622 goto out;
623 }
624
625 if (user_rid_p) {
626 *user_rid_p = rid;
627 }
628
629 if (domain_sid_p) {
630 *domain_sid_p = domain_sid;
631 }
632
633 out:
634 if (is_valid_policy_hnd(&domain_handle)) {
635 dcerpc_samr_Close(b, mem_ctx, &domain_handle, &result);
636 }
637 if (is_valid_policy_hnd(&connect_handle)) {
638 dcerpc_samr_Close(b, mem_ctx, &connect_handle, &result);
639 }
640
641 return status;
642 }
643
644 /******************************************************************
645 gets a machine password entry. checks access rights of the host.
646 ******************************************************************/
647
648 static NTSTATUS get_md4pw(struct samr_Password *md4pw, const char *mach_acct,
649 enum netr_SchannelType sec_chan_type,
650 struct dom_sid *sid,
651 struct messaging_context *msg_ctx)
652 {
653 NTSTATUS status;
654 NTSTATUS result = NT_STATUS_OK;
655 TALLOC_CTX *mem_ctx;
656 struct dcerpc_binding_handle *h = NULL;
657 struct tsocket_address *local;
658 struct policy_handle user_handle;
659 uint32_t user_rid;
660 struct dom_sid *domain_sid;
661 uint32_t acct_ctrl;
662 union samr_UserInfo *info;
663 struct auth_session_info *session_info;
664 int rc;
665
666 #if 0
667
668 /*
669 * Currently this code is redundant as we already have a filter
670 * by hostname list. What this code really needs to do is to
671 * get a hosts allowed/hosts denied list from the SAM database
672 * on a per user basis, and make the access decision there.
673 * I will leave this code here for now as a reminder to implement
674 * this at a later date. JRA.
675 */
676
677 if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
678 p->client_id.name,
679 p->client_id.addr)) {
680 DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct));
681 return False;
682 }
683 #endif /* 0 */
684
685 mem_ctx = talloc_stackframe();
686 if (mem_ctx == NULL) {
687 status = NT_STATUS_NO_MEMORY;
688 goto out;
689 }
690
691 status = make_session_info_system(mem_ctx, &session_info);
692 if (!NT_STATUS_IS_OK(status)) {
693 goto out;
694 }
695
696 ZERO_STRUCT(user_handle);
697
698 rc = tsocket_address_inet_from_strings(mem_ctx,
699 "ip",
700 "127.0.0.1",
701 0,
702 &local);
703 if (rc < 0) {
704 status = NT_STATUS_NO_MEMORY;
705 goto out;
706 }
707
708 status = rpcint_binding_handle(mem_ctx,
709 &ndr_table_samr,
710 local,
711 NULL,
712 session_info,
713 msg_ctx,
714 &h);
715 if (!NT_STATUS_IS_OK(status)) {
716 goto out;
717 }
718
719 status = samr_find_machine_account(mem_ctx, h, mach_acct,
720 SEC_FLAG_MAXIMUM_ALLOWED,
721 &domain_sid, &user_rid,
722 &user_handle);
723 if (!NT_STATUS_IS_OK(status)) {
724 goto out;
725 }
726
727 status = dcerpc_samr_QueryUserInfo2(h,
728 mem_ctx,
729 &user_handle,
730 UserControlInformation,
731 &info,
732 &result);
733 if (!NT_STATUS_IS_OK(status)) {
734 goto out;
735 }
736 if (!NT_STATUS_IS_OK(result)) {
737 status = result;
738 goto out;
739 }
740
741 acct_ctrl = info->info16.acct_flags;
742
743 if (acct_ctrl & ACB_DISABLED) {
744 DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct));
745 status = NT_STATUS_ACCOUNT_DISABLED;
746 goto out;
747 }
748
749 if (!(acct_ctrl & ACB_SVRTRUST) &&
750 !(acct_ctrl & ACB_WSTRUST) &&
751 !(acct_ctrl & ACB_DOMTRUST))
752 {
753 DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct));
754 status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
755 goto out;
756 }
757
758 switch (sec_chan_type) {
759 case SEC_CHAN_BDC:
760 if (!(acct_ctrl & ACB_SVRTRUST)) {
761 DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
762 "but not a server trust account\n", mach_acct));
763 status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
764 goto out;
765 }
766 break;
767 case SEC_CHAN_WKSTA:
768 if (!(acct_ctrl & ACB_WSTRUST)) {
769 DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
770 "but not a workstation trust account\n", mach_acct));
771 status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
772 goto out;
773 }
774 break;
775 case SEC_CHAN_DOMAIN:
776 if (!(acct_ctrl & ACB_DOMTRUST)) {
777 DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
778 "but not a interdomain trust account\n", mach_acct));
779 status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
780 goto out;
781 }
782 break;
783 default:
784 break;
785 }
786
787 become_root();
788 status = dcerpc_samr_QueryUserInfo2(h,
789 mem_ctx,
790 &user_handle,
791 UserInternal1Information,
792 &info,
793 &result);
794 unbecome_root();
795 if (!NT_STATUS_IS_OK(status)) {
796 goto out;
797 }
798 if (!NT_STATUS_IS_OK(result)) {
799 status = result;
800 goto out;
801 }
802
803 if (info->info18.nt_pwd_active == 0) {
804 DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct));
805 status = NT_STATUS_LOGON_FAILURE;
806 goto out;
807 }
808
809 /* samr gives out nthash unencrypted (!) */
810 memcpy(md4pw->hash, info->info18.nt_pwd.hash, 16);
811
812 sid_compose(sid, domain_sid, user_rid);
813
814 out:
815 if (h && is_valid_policy_hnd(&user_handle)) {
816 dcerpc_samr_Close(h, mem_ctx, &user_handle, &result);
817 }
818
819 talloc_free(mem_ctx);
820
821 return status;
822 }
823
824 /*************************************************************************
825 _netr_ServerReqChallenge
826 *************************************************************************/
827
828 NTSTATUS _netr_ServerReqChallenge(struct pipes_struct *p,
829 struct netr_ServerReqChallenge *r)
830 {
831 struct netlogon_server_pipe_state *pipe_state =
832 talloc_get_type(p->private_data, struct netlogon_server_pipe_state);
833
834 if (pipe_state) {
835 DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));
836 talloc_free(pipe_state);
837 p->private_data = NULL;
838 }
839
840 pipe_state = talloc(p, struct netlogon_server_pipe_state);
841 NT_STATUS_HAVE_NO_MEMORY(pipe_state);
842
843 pipe_state->client_challenge = *r->in.credentials;
844
845 netlogon_creds_random_challenge(&pipe_state->server_challenge);
846
847 *r->out.return_credentials = pipe_state->server_challenge;
848
849 p->private_data = pipe_state;
850
851 return NT_STATUS_OK;
852 }
853
854 /*************************************************************************
855 _netr_ServerAuthenticate
856 Create the initial credentials.
857 *************************************************************************/
858
859 NTSTATUS _netr_ServerAuthenticate(struct pipes_struct *p,
860 struct netr_ServerAuthenticate *r)
861 {
862 struct netr_ServerAuthenticate3 a;
863 uint32_t negotiate_flags = 0;
864 uint32_t rid;
865
866 a.in.server_name = r->in.server_name;
867 a.in.account_name = r->in.account_name;
868 a.in.secure_channel_type = r->in.secure_channel_type;
869 a.in.computer_name = r->in.computer_name;
870 a.in.credentials = r->in.credentials;
871 a.in.negotiate_flags = &negotiate_flags;
872
873 a.out.return_credentials = r->out.return_credentials;
874 a.out.rid = &rid;
875 a.out.negotiate_flags = &negotiate_flags;
876
877 return _netr_ServerAuthenticate3(p, &a);
878
879 }
880
881 /*************************************************************************
882 _netr_ServerAuthenticate3
883 *************************************************************************/
884
885 NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
886 struct netr_ServerAuthenticate3 *r)
887 {
888 NTSTATUS status;
889 uint32_t srv_flgs;
890 /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
891 * so use a copy to avoid destroying the client values. */
892 uint32_t in_neg_flags = *r->in.negotiate_flags;
893 const char *fn;
894 struct loadparm_context *lp_ctx;
895 struct dom_sid sid;
896 struct samr_Password mach_pwd;
897 struct netlogon_creds_CredentialState *creds;
898 struct netlogon_server_pipe_state *pipe_state =
899 talloc_get_type(p->private_data, struct netlogon_server_pipe_state);
900
901 /* According to Microsoft (see bugid #6099)
902 * Windows 7 looks at the negotiate_flags
903 * returned in this structure *even if the
904 * call fails with access denied* ! So in order
905 * to allow Win7 to connect to a Samba NT style
906 * PDC we set the flags before we know if it's
907 * an error or not.
908 */
909
910 /* 0x000001ff */
911 srv_flgs = NETLOGON_NEG_ACCOUNT_LOCKOUT |
912 NETLOGON_NEG_PERSISTENT_SAMREPL |
913 NETLOGON_NEG_ARCFOUR |
914 NETLOGON_NEG_PROMOTION_COUNT |
915 NETLOGON_NEG_CHANGELOG_BDC |
916 NETLOGON_NEG_FULL_SYNC_REPL |
917 NETLOGON_NEG_MULTIPLE_SIDS |
918 NETLOGON_NEG_REDO |
919 NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
920 NETLOGON_NEG_PASSWORD_SET2;
921
922 /* Ensure we support strong (128-bit) keys. */
923 if (in_neg_flags & NETLOGON_NEG_STRONG_KEYS) {
924 srv_flgs |= NETLOGON_NEG_STRONG_KEYS;
925 }
926
927 if (in_neg_flags & NETLOGON_NEG_SUPPORTS_AES) {
928 srv_flgs |= NETLOGON_NEG_SUPPORTS_AES;
929 }
930
931 if (in_neg_flags & NETLOGON_NEG_SCHANNEL) {
932 srv_flgs |= NETLOGON_NEG_SCHANNEL;
933 }
934
935 /*
936 * Support authenticaten of trusted domains.
937 *
938 * These flags are the minimum required set which works with win2k3
939 * and win2k8.
940 */
941 if (pdb_capabilities() & PDB_CAP_TRUSTED_DOMAINS_EX) {
942 srv_flgs |= NETLOGON_NEG_TRANSITIVE_TRUSTS |
943 NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
944 NETLOGON_NEG_CROSS_FOREST_TRUSTS |
945 NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
946 }
947
948 switch (p->opnum) {
949 case NDR_NETR_SERVERAUTHENTICATE:
950 fn = "_netr_ServerAuthenticate";
951 break;
952 case NDR_NETR_SERVERAUTHENTICATE2:
953 fn = "_netr_ServerAuthenticate2";
954 break;
955 case NDR_NETR_SERVERAUTHENTICATE3:
956 fn = "_netr_ServerAuthenticate3";
957 break;
958 default:
959 return NT_STATUS_INTERNAL_ERROR;
960 }
961
962 /* We use this as the key to store the creds: */
963 /* r->in.computer_name */
964
965 if (!pipe_state) {
966 DEBUG(0,("%s: no challenge sent to client %s\n", fn,
967 r->in.computer_name));
968 status = NT_STATUS_ACCESS_DENIED;
969 goto out;
970 }
971
972 status = get_md4pw(&mach_pwd,
973 r->in.account_name,
974 r->in.secure_channel_type,
975 &sid, p->msg_ctx);
976 if (!NT_STATUS_IS_OK(status)) {
977 DEBUG(0,("%s: failed to get machine password for "
978 "account %s: %s\n",
979 fn, r->in.account_name, nt_errstr(status) ));
980 /* always return NT_STATUS_ACCESS_DENIED */
981 status = NT_STATUS_ACCESS_DENIED;
982 goto out;
983 }
984
985 /* From the client / server challenges and md4 password, generate sess key */
986 /* Check client credentials are valid. */
987 creds = netlogon_creds_server_init(p->mem_ctx,
988 r->in.account_name,
989 r->in.computer_name,
990 r->in.secure_channel_type,
991 &pipe_state->client_challenge,
992 &pipe_state->server_challenge,
993 &mach_pwd,
994 r->in.credentials,
995 r->out.return_credentials,
996 srv_flgs);
997 if (!creds) {
998 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
999 "request from client %s machine account %s\n",
1000 fn, r->in.computer_name,
1001 r->in.account_name));
1002 status = NT_STATUS_ACCESS_DENIED;
1003 goto out;
1004 }
1005
1006 creds->sid = dom_sid_dup(creds, &sid);
1007 if (!creds->sid) {
1008 status = NT_STATUS_NO_MEMORY;
1009 goto out;
1010 }
1011
1012 lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers());
1013 if (lp_ctx == NULL) {
1014 DEBUG(10, ("loadparm_init_s3 failed\n"));
1015 status = NT_STATUS_INTERNAL_ERROR;
1016 goto out;
1017 }
1018
1019 /* Store off the state so we can continue after client disconnect. */
1020 become_root();
1021 status = schannel_save_creds_state(p->mem_ctx, lp_ctx, creds);
1022 unbecome_root();
1023
1024 talloc_unlink(p->mem_ctx, lp_ctx);
1025
1026 if (!NT_STATUS_IS_OK(status)) {
1027 ZERO_STRUCTP(r->out.return_credentials);
1028 goto out;
1029 }
1030
1031 sid_peek_rid(&sid, r->out.rid);
1032
1033 status = NT_STATUS_OK;
1034
1035 out:
1036
1037 *r->out.negotiate_flags = srv_flgs;
1038 return status;
1039 }
1040
1041 /*************************************************************************
1042 _netr_ServerAuthenticate2
1043 *************************************************************************/
1044
1045 NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p,
1046 struct netr_ServerAuthenticate2 *r)
1047 {
1048 struct netr_ServerAuthenticate3 a;
1049 uint32_t rid;
1050
1051 a.in.server_name = r->in.server_name;
1052 a.in.account_name = r->in.account_name;
1053 a.in.secure_channel_type = r->in.secure_channel_type;
1054 a.in.computer_name = r->in.computer_name;
1055 a.in.credentials = r->in.credentials;
1056 a.in.negotiate_flags = r->in.negotiate_flags;
1057
1058 a.out.return_credentials = r->out.return_credentials;
1059 a.out.rid = &rid;
1060 a.out.negotiate_flags = r->out.negotiate_flags;
1061
1062 return _netr_ServerAuthenticate3(p, &a);
1063 }
1064
1065 /*************************************************************************
1066 *************************************************************************/
1067
1068 static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
1069 TALLOC_CTX *mem_ctx,
1070 const char *computer_name,
1071 struct netr_Authenticator *received_authenticator,
1072 struct netr_Authenticator *return_authenticator,
1073 struct netlogon_creds_CredentialState **creds_out)
1074 {
1075 NTSTATUS status;
1076 bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
1077 bool schannel_required = schannel_global_required;
1078 const char *explicit_opt = NULL;
1079 struct loadparm_context *lp_ctx;
1080 struct netlogon_creds_CredentialState *creds = NULL;
1081 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1082 uint16_t opnum = p->opnum;
1083 const char *opname = "<unknown>";
1084 static bool warned_global_once = false;
1085
1086 if (creds_out != NULL) {
1087 *creds_out = NULL;
1088 }
1089
1090 if (opnum < ndr_table_netlogon.num_calls) {
1091 opname = ndr_table_netlogon.calls[opnum].name;
1092 }
1093
1094 auth_type = p->auth.auth_type;
1095
1096 lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers());
1097 if (lp_ctx == NULL) {
1098 DEBUG(0, ("loadparm_init_s3 failed\n"));
1099 return NT_STATUS_INTERNAL_ERROR;
1100 }
1101
1102 status = schannel_check_creds_state(mem_ctx, lp_ctx,
1103 computer_name, received_authenticator,
1104 return_authenticator, &creds);
1105 talloc_unlink(mem_ctx, lp_ctx);
1106
1107 if (!NT_STATUS_IS_OK(status)) {
1108 ZERO_STRUCTP(return_authenticator);
1109 return status;
1110 }
1111
1112 /*
1113 * We don't use lp_parm_bool(), as we
1114 * need the explicit_opt pointer in order to
1115 * adjust the debug messages.
1116 */
1117
1118 explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM,
1119 "server require schannel",
1120 creds->account_name,
1121 NULL);
1122 if (explicit_opt != NULL) {
1123 schannel_required = lp_bool(explicit_opt);
1124 }
1125
1126 if (schannel_required) {
1127 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1128 *creds_out = creds;
1129 return NT_STATUS_OK;
1130 }
1131
1132 DBG_ERR("CVE-2020-1472(ZeroLogon): "
1133 "%s request (opnum[%u]) without schannel from "
1134 "client_account[%s] client_computer_name[%s]\n",
1135 opname, opnum,
1136 log_escape(mem_ctx, creds->account_name),
1137 log_escape(mem_ctx, creds->computer_name));
1138 DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
1139 "'server require schannel:%s = no' is needed! \n",
1140 log_escape(mem_ctx, creds->account_name));
1141 TALLOC_FREE(creds);
1142 ZERO_STRUCTP(return_authenticator);
1143 return NT_STATUS_ACCESS_DENIED;
1144 }
1145
1146 if (!schannel_global_required && !warned_global_once) {
1147 /*
1148 * We want admins to notice their misconfiguration!
1149 */
1150 DBG_ERR("CVE-2020-1472(ZeroLogon): "
1151 "Please configure 'server schannel = yes', "
1152 "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
1153 warned_global_once = true;
1154 }
1155
1156 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1157 DBG_ERR("CVE-2020-1472(ZeroLogon): "
1158 "%s request (opnum[%u]) WITH schannel from "
1159 "client_account[%s] client_computer_name[%s]\n",
1160 opname, opnum,
1161 log_escape(mem_ctx, creds->account_name),
1162 log_escape(mem_ctx, creds->computer_name));
1163 DBG_ERR("CVE-2020-1472(ZeroLogon): "
1164 "Option 'server require schannel:%s = no' not needed!?\n",
1165 log_escape(mem_ctx, creds->account_name));
1166
1167 *creds_out = creds;
1168 return NT_STATUS_OK;
1169 }
1170
1171 if (explicit_opt != NULL) {
1172 DBG_INFO("CVE-2020-1472(ZeroLogon): "
1173 "%s request (opnum[%u]) without schannel from "
1174 "client_account[%s] client_computer_name[%s]\n",
1175 opname, opnum,
1176 log_escape(mem_ctx, creds->account_name),
1177 log_escape(mem_ctx, creds->computer_name));
1178 DBG_INFO("CVE-2020-1472(ZeroLogon): "
1179 "Option 'server require schannel:%s = no' still needed!\n",
1180 log_escape(mem_ctx, creds->account_name));
1181 } else {
1182 DBG_ERR("CVE-2020-1472(ZeroLogon): "
1183 "%s request (opnum[%u]) without schannel from "
1184 "client_account[%s] client_computer_name[%s]\n",
1185 opname, opnum,
1186 log_escape(mem_ctx, creds->account_name),
1187 log_escape(mem_ctx, creds->computer_name));
1188 DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
1189 "'server require schannel:%s = no' might be needed!\n",
1190 log_escape(mem_ctx, creds->account_name));
1191 }
1192
1193 *creds_out = creds;
1194 return NT_STATUS_OK;
1195 }
1196
1197
1198 /*************************************************************************
1199 *************************************************************************/
1200
1201 struct _samr_Credentials_t {
1202 enum {
1203 CRED_TYPE_NT_HASH,
1204 CRED_TYPE_PLAIN_TEXT,
1205 } cred_type;
1206 union {
1207 struct samr_Password *nt_hash;
1208 const char *password;
1209 } creds;
1210 };
1211
1212
1213 static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
1214 struct auth_session_info *session_info,
1215 struct messaging_context *msg_ctx,
1216 const char *account_name,
1217 struct _samr_Credentials_t *cr)
1218 {
1219 NTSTATUS status;
1220 NTSTATUS result = NT_STATUS_OK;
1221 struct dcerpc_binding_handle *h = NULL;
1222 struct tsocket_address *local;
1223 struct policy_handle user_handle;
1224 uint32_t acct_ctrl;
1225 union samr_UserInfo *info;
1226 struct samr_UserInfo18 info18;
1227 struct samr_UserInfo26 info26;
1228 DATA_BLOB in,out;
1229 int rc;
1230 DATA_BLOB session_key;
1231 enum samr_UserInfoLevel infolevel;
1232 TALLOC_CTX *frame = talloc_stackframe();
1233
1234 ZERO_STRUCT(user_handle);
1235
1236 status = session_extract_session_key(session_info,
1237 &session_key,
1238 KEY_USE_16BYTES);
1239 if (!NT_STATUS_IS_OK(status)) {
1240 goto out;
1241 }
1242
1243 rc = tsocket_address_inet_from_strings(frame,
1244 "ip",
1245 "127.0.0.1",
1246 0,
1247 &local);
1248 if (rc < 0) {
1249 status = NT_STATUS_NO_MEMORY;
1250 goto out;
1251 }
1252
1253 status = rpcint_binding_handle(frame,
1254 &ndr_table_samr,
1255 local,
1256 NULL,
1257 session_info,
1258 msg_ctx,
1259 &h);
1260 if (!NT_STATUS_IS_OK(status)) {
1261 goto out;
1262 }
1263
1264 become_root();
1265 status = samr_find_machine_account(frame,
1266 h,
1267 account_name,
1268 SEC_FLAG_MAXIMUM_ALLOWED,
1269 NULL,
1270 NULL,
1271 &user_handle);
1272 unbecome_root();
1273 if (!NT_STATUS_IS_OK(status)) {
1274 goto out;
1275 }
1276
1277 status = dcerpc_samr_QueryUserInfo2(h,
1278 frame,
1279 &user_handle,
1280 UserControlInformation,
1281 &info,
1282 &result);
1283 if (!NT_STATUS_IS_OK(status)) {
1284 goto out;
1285 }
1286 if (!NT_STATUS_IS_OK(result)) {
1287 status = result;
1288 goto out;
1289 }
1290
1291 acct_ctrl = info->info16.acct_flags;
1292
1293 if (!(acct_ctrl & ACB_WSTRUST ||
1294 acct_ctrl & ACB_SVRTRUST ||
1295 acct_ctrl & ACB_DOMTRUST)) {
1296 status = NT_STATUS_NO_SUCH_USER;
1297 goto out;
1298 }
1299
1300 if (acct_ctrl & ACB_DISABLED) {
1301 status = NT_STATUS_ACCOUNT_DISABLED;
1302 goto out;
1303 }
1304
1305 switch(cr->cred_type) {
1306 case CRED_TYPE_NT_HASH:
1307 ZERO_STRUCT(info18);
1308
1309 infolevel = UserInternal1Information;
1310
1311 in = data_blob_const(cr->creds.nt_hash, 16);
1312 out = data_blob_talloc_zero(frame, 16);
1313 if (out.data == NULL) {
1314 status = NT_STATUS_NO_MEMORY;
1315 goto out;
1316 }
1317 rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
1318 if (rc != 0) {
1319 status = gnutls_error_to_ntstatus(rc,
1320 NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
1321 goto out;
1322 }
1323 memcpy(info18.nt_pwd.hash, out.data, out.length);
1324
1325 info18.nt_pwd_active = true;
1326
1327 info->info18 = info18;
1328 break;
1329 case CRED_TYPE_PLAIN_TEXT:
1330 ZERO_STRUCT(info26);
1331
1332 infolevel = UserInternal5InformationNew;
1333
1334 status = init_samr_CryptPasswordEx(cr->creds.password,
1335 &session_key,
1336 &info26.password);
1337 if (!NT_STATUS_IS_OK(status)) {
1338 goto out;
1339 }
1340
1341 info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
1342 info->info26 = info26;
1343 break;
1344 default:
1345 status = NT_STATUS_INTERNAL_ERROR;
1346 goto out;
1347 break;
1348 }
1349
1350 become_root();
1351 status = dcerpc_samr_SetUserInfo2(h,
1352 frame,
1353 &user_handle,
1354 infolevel,
1355 info,
1356 &result);
1357 unbecome_root();
1358 if (!NT_STATUS_IS_OK(status)) {
1359 goto out;
1360 }
1361 if (!NT_STATUS_IS_OK(result)) {
1362 status = result;
1363 goto out;
1364 }
1365
1366 out:
1367 if (h && is_valid_policy_hnd(&user_handle)) {
1368 dcerpc_samr_Close(h, frame, &user_handle, &result);
1369 }
1370 TALLOC_FREE(frame);
1371
1372 return status;
1373 }
1374
1375 /*************************************************************************
1376 _netr_ServerPasswordSet
1377 *************************************************************************/
1378
1379 NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
1380 struct netr_ServerPasswordSet *r)
1381 {
1382 NTSTATUS status = NT_STATUS_OK;
1383 int i;
1384 struct netlogon_creds_CredentialState *creds = NULL;
1385 struct _samr_Credentials_t cr = { CRED_TYPE_NT_HASH, {0}};
1386
1387 DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
1388
1389 become_root();
1390 status = netr_creds_server_step_check(p, p->mem_ctx,
1391 r->in.computer_name,
1392 r->in.credential,
1393 r->out.return_authenticator,
1394 &creds);
1395 unbecome_root();
1396
1397 if (!NT_STATUS_IS_OK(status)) {
1398 const char *computer_name = "<unknown>";
1399
1400 if (creds != NULL && creds->computer_name != NULL) {
1401 computer_name = creds->computer_name;
1402 }
1403 DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
1404 "request from client %s machine account %s\n",
1405 r->in.computer_name, computer_name));
1406 TALLOC_FREE(creds);
1407 return status;
1408 }
1409
1410 DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
1411 r->in.computer_name, creds->computer_name));
1412
1413 status = netlogon_creds_des_decrypt(creds, r->in.new_password);
1414 if (!NT_STATUS_IS_OK(status)) {
1415 return status;
1416 }
1417
1418 DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
1419 for(i = 0; i < sizeof(r->in.new_password->hash); i++)
1420 DEBUG(100,("%02X ", r->in.new_password->hash[i]));
1421 DEBUG(100,("\n"));
1422
1423 cr.creds.nt_hash = r->in.new_password;
1424 status = netr_set_machine_account_password(p->mem_ctx,
1425 p->session_info,
1426 p->msg_ctx,
1427 creds->account_name,
1428 &cr);
1429 return status;
1430 }
1431
1432 /****************************************************************
1433 _netr_ServerPasswordSet2
1434 ****************************************************************/
1435
1436 NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
1437 struct netr_ServerPasswordSet2 *r)
1438 {
1439 NTSTATUS status;
1440 struct netlogon_creds_CredentialState *creds = NULL;
1441 DATA_BLOB plaintext = data_blob_null;
1442 DATA_BLOB new_password = data_blob_null;
1443 size_t confounder_len;
1444 DATA_BLOB dec_blob = data_blob_null;
1445 DATA_BLOB enc_blob = data_blob_null;
1446 struct samr_CryptPassword password_buf;
1447 struct _samr_Credentials_t cr = { CRED_TYPE_PLAIN_TEXT, {0}};
1448 bool ok;
1449
1450 become_root();
1451 status = netr_creds_server_step_check(p, p->mem_ctx,
1452 r->in.computer_name,
1453 r->in.credential,
1454 r->out.return_authenticator,
1455 &creds);
1456 unbecome_root();
1457
1458 if (!NT_STATUS_IS_OK(status)) {
1459 const char *computer_name = "<unknown>";
1460
1461 if (creds && creds->computer_name) {
1462 computer_name = creds->computer_name;
1463 }
1464 DEBUG(2,("_netr_ServerPasswordSet2: netlogon_creds_server_step "
1465 "failed. Rejecting auth request from client %s machine account %s\n",
1466 r->in.computer_name, computer_name));
1467 TALLOC_FREE(creds);
1468 return status;
1469 }
1470
1471 DEBUG(3,("_netr_ServerPasswordSet2: Server Password Seti2 by remote "
1472 "machine:[%s] on account [%s]\n",
1473 r->in.computer_name, creds->computer_name));
1474
1475 memcpy(password_buf.data, r->in.new_password->data, 512);
1476 SIVAL(password_buf.data, 512, r->in.new_password->length);
1477
1478 if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
1479 status = netlogon_creds_aes_decrypt(creds,
1480 password_buf.data,
1481 516);
1482 } else {
1483 status = netlogon_creds_arcfour_crypt(creds,
1484 password_buf.data,
1485 516);
1486 }
1487 if (!NT_STATUS_IS_OK(status)) {
1488 TALLOC_FREE(creds);
1489 return status;
1490 }
1491
1492 if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &new_password)) {
1493 DEBUG(2,("_netr_ServerPasswordSet2: unable to extract password "
1494 "from a buffer. Rejecting auth request as a wrong password\n"));
1495 TALLOC_FREE(creds);
1496 return NT_STATUS_WRONG_PASSWORD;
1497 }
1498
1499 /*
1500 * Make sure the length field was encrypted,
1501 * otherwise we are under attack.
1502 */
1503 if (new_password.length == r->in.new_password->length) {
1504 DBG_WARNING("Length[%zu] field not encrypted\n",
1505 new_password.length);
1506 TALLOC_FREE(creds);
1507 return NT_STATUS_WRONG_PASSWORD;
1508 }
1509
1510 /*
1511 * We don't allow empty passwords for machine accounts.
1512 */
1513 if (new_password.length < 2) {
1514 DBG_WARNING("Empty password Length[%zu]\n",
1515 new_password.length);
1516 TALLOC_FREE(creds);
1517 return NT_STATUS_WRONG_PASSWORD;
1518 }
1519
1520 /*
1521 * Make sure the confounder part of CryptPassword
1522 * buffer was encrypted, otherwise we are under attack.
1523 */
1524 confounder_len = 512 - new_password.length;
1525 enc_blob = data_blob_const(r->in.new_password->data, confounder_len);
1526 dec_blob = data_blob_const(password_buf.data, confounder_len);
1527 if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
1528 DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n",
1529 confounder_len);
1530 TALLOC_FREE(creds);
1531 return NT_STATUS_WRONG_PASSWORD;
1532 }
1533
1534 /*
1535 * Check that the password part was actually encrypted,
1536 * otherwise we are under attack.
1537 */
1538 enc_blob = data_blob_const(r->in.new_password->data + confounder_len,
1539 new_password.length);
1540 dec_blob = data_blob_const(password_buf.data + confounder_len,
1541 new_password.length);
1542 if (data_blob_cmp(&dec_blob, &enc_blob) == 0) {
1543 DBG_WARNING("Password buffer not encrypted Length[%zu]\n",
1544 new_password.length);
1545 TALLOC_FREE(creds);
1546 return NT_STATUS_WRONG_PASSWORD;
1547 }
1548
1549 /*
1550 * don't allow zero buffers
1551 */
1552 if (all_zero(new_password.data, new_password.length)) {
1553 DBG_WARNING("Password zero buffer Length[%zu]\n",
1554 new_password.length);
1555 TALLOC_FREE(creds);
1556 return NT_STATUS_WRONG_PASSWORD;
1557 }
1558
1559 /* Convert from UTF16 -> plaintext. */
1560 ok = convert_string_talloc(p->mem_ctx,
1561 CH_UTF16,
1562 CH_UNIX,
1563 new_password.data,
1564 new_password.length,
1565 (void *)&plaintext.data,
1566 &plaintext.length);
1567 if (!ok) {
1568 DBG_WARNING("unable to extract password from a buffer. "
1569 "Rejecting auth request as a wrong password\n");
1570 TALLOC_FREE(creds);
1571 return NT_STATUS_WRONG_PASSWORD;
1572 }
1573
1574 /*
1575 * We don't allow empty passwords for machine accounts.
1576 */
1577
1578 cr.creds.password = (const char*) plaintext.data;
1579 if (strlen(cr.creds.password) == 0) {
1580 DBG_WARNING("Empty plaintext password\n");
1581 TALLOC_FREE(creds);
1582 return NT_STATUS_WRONG_PASSWORD;
1583 }
1584
1585 status = netr_set_machine_account_password(p->mem_ctx,
1586 p->session_info,
1587 p->msg_ctx,
1588 creds->account_name,
1589 &cr);
1590 TALLOC_FREE(creds);
1591 return status;
1592 }
1593
1594 /*************************************************************************
1595 _netr_LogonSamLogoff
1596 *************************************************************************/
1597
1598 NTSTATUS _netr_LogonSamLogoff(struct pipes_struct *p,
1599 struct netr_LogonSamLogoff *r)
1600 {
1601 NTSTATUS status;
1602 struct netlogon_creds_CredentialState *creds;
1603
1604 become_root();
1605 status = netr_creds_server_step_check(p, p->mem_ctx,
1606 r->in.computer_name,
1607 r->in.credential,
1608 r->out.return_authenticator,
1609 &creds);
1610 unbecome_root();
1611
1612 return status;
1613 }
1614
1615 static NTSTATUS _netr_LogonSamLogon_check(const struct netr_LogonSamLogonEx *r)
1616 {
1617 switch (r->in.logon_level) {
1618 case NetlogonInteractiveInformation:
1619 case NetlogonServiceInformation:
1620 case NetlogonInteractiveTransitiveInformation:
1621 case NetlogonServiceTransitiveInformation:
1622 if (r->in.logon->password == NULL) {
1623 return NT_STATUS_INVALID_PARAMETER;
1624 }
1625
1626 switch (r->in.validation_level) {
1627 case NetlogonValidationSamInfo: /* 2 */
1628 case NetlogonValidationSamInfo2: /* 3 */
1629 break;
1630 case NetlogonValidationSamInfo4: /* 6 */
1631 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
1632 DEBUG(10,("Not adding validation info level 6 "
1633 "without ADS passdb backend\n"));
1634 return NT_STATUS_INVALID_INFO_CLASS;
1635 }
1636 break;
1637 default:
1638 return NT_STATUS_INVALID_INFO_CLASS;
1639 }
1640
1641 break;
1642 case NetlogonNetworkInformation:
1643 case NetlogonNetworkTransitiveInformation:
1644 if (r->in.logon->network == NULL) {
1645 return NT_STATUS_INVALID_PARAMETER;
1646 }
1647
1648 switch (r->in.validation_level) {
1649 case NetlogonValidationSamInfo: /* 2 */
1650 case NetlogonValidationSamInfo2: /* 3 */
1651 break;
1652 case NetlogonValidationSamInfo4: /* 6 */
1653 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
1654 DEBUG(10,("Not adding validation info level 6 "
1655 "without ADS passdb backend\n"));
1656 return NT_STATUS_INVALID_INFO_CLASS;
1657 }
1658 break;
1659 default:
1660 return NT_STATUS_INVALID_INFO_CLASS;
1661 }
1662
1663 break;
1664
1665 case NetlogonGenericInformation:
1666 if (r->in.logon->generic == NULL) {
1667 return NT_STATUS_INVALID_PARAMETER;
1668 }
1669
1670 /* we don't support this here */
1671 return NT_STATUS_INVALID_PARAMETER;
1672 #if 0
1673 switch (r->in.validation_level) {
1674 /* TODO: case NetlogonValidationGenericInfo: 4 */
1675 case NetlogonValidationGenericInfo2: /* 5 */
1676 break;
1677 default:
1678 return NT_STATUS_INVALID_INFO_CLASS;
1679 }
1680
1681 break;
1682 #endif
1683 default:
1684 return NT_STATUS_INVALID_PARAMETER;
1685 }
1686
1687 return NT_STATUS_OK;
1688 }
1689
1690 /*************************************************************************
1691 _netr_LogonSamLogon_base
1692 *************************************************************************/
1693
1694 static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
1695 struct netr_LogonSamLogonEx *r,
1696 struct netlogon_creds_CredentialState *creds)
1697 {
1698 NTSTATUS status = NT_STATUS_OK;
1699 union netr_LogonLevel *logon = r->in.logon;
1700 const char *nt_username, *nt_domain, *nt_workstation;
1701 char *sanitized_username = NULL;
1702 struct auth_usersupplied_info *user_info = NULL;
1703 struct auth_serversupplied_info *server_info = NULL;
1704 struct auth_context *auth_context = NULL;
1705 const char *fn;
1706
1707 #ifdef DEBUG_PASSWORD
1708 logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
1709 r->in.logon_level,
1710 r->in.logon);
1711 if (logon == NULL) {
1712 logon = r->in.logon;
1713 }
1714 #endif
1715
1716 switch (p->opnum) {
1717 case NDR_NETR_LOGONSAMLOGON:
1718 fn = "_netr_LogonSamLogon";
1719 break;
1720 case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
1721 fn = "_netr_LogonSamLogonWithFlags";
1722 break;
1723 case NDR_NETR_LOGONSAMLOGONEX:
1724 fn = "_netr_LogonSamLogonEx";
1725 break;
1726 default:
1727 return NT_STATUS_INTERNAL_ERROR;
1728 }
1729
1730 *r->out.authoritative = 1; /* authoritative response */
1731
1732 switch (r->in.validation_level) {
1733 case 2:
1734 r->out.validation->sam2 = talloc_zero(p->mem_ctx, struct netr_SamInfo2);
1735 if (!r->out.validation->sam2) {
1736 return NT_STATUS_NO_MEMORY;
1737 }
1738 break;
1739 case 3:
1740 r->out.validation->sam3 = talloc_zero(p->mem_ctx, struct netr_SamInfo3);
1741 if (!r->out.validation->sam3) {
1742 return NT_STATUS_NO_MEMORY;
1743 }
1744 break;
1745 case 6:
1746 r->out.validation->sam6 = talloc_zero(p->mem_ctx, struct netr_SamInfo6);
1747 if (!r->out.validation->sam6) {
1748 return NT_STATUS_NO_MEMORY;
1749 }
1750 break;
1751 default:
1752 DEBUG(0,("%s: bad validation_level value %d.\n",
1753 fn, (int)r->in.validation_level));
1754 return NT_STATUS_INVALID_INFO_CLASS;
1755 }
1756
1757 switch (r->in.logon_level) {
1758 case NetlogonInteractiveInformation:
1759 case NetlogonServiceInformation:
1760 case NetlogonInteractiveTransitiveInformation:
1761 case NetlogonServiceTransitiveInformation:
1762 nt_username = logon->password->identity_info.account_name.string ?
1763 logon->password->identity_info.account_name.string : "";
1764 nt_domain = logon->password->identity_info.domain_name.string ?
1765 logon->password->identity_info.domain_name.string : "";
1766 nt_workstation = logon->password->identity_info.workstation.string ?
1767 logon->password->identity_info.workstation.string : "";
1768
1769 DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
1770 break;
1771 case NetlogonNetworkInformation:
1772 case NetlogonNetworkTransitiveInformation:
1773 nt_username = logon->network->identity_info.account_name.string ?
1774 logon->network->identity_info.account_name.string : "";
1775 nt_domain = logon->network->identity_info.domain_name.string ?
1776 logon->network->identity_info.domain_name.string : "";
1777 nt_workstation = logon->network->identity_info.workstation.string ?
1778 logon->network->identity_info.workstation.string : "";
1779
1780 DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
1781 break;
1782 default:
1783 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1784 return NT_STATUS_INVALID_INFO_CLASS;
1785 } /* end switch */
1786
1787 DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username, nt_workstation, nt_domain));
1788
1789 DEBUG(5,("Attempting validation level %d for unmapped username %s.\n",
1790 r->in.validation_level, nt_username));
1791
1792 status = netlogon_creds_decrypt_samlogon_logon(creds,
1793 r->in.logon_level,
1794 logon);
1795 if (!NT_STATUS_IS_OK(status)) {
1796 return status;
1797 }
1798
1799 status = make_auth3_context_for_netlogon(talloc_tos(), &auth_context);
1800 if (!NT_STATUS_IS_OK(status)) {
1801 return status;
1802 }
1803
1804 switch (r->in.logon_level) {
1805 case NetlogonNetworkInformation:
1806 case NetlogonNetworkTransitiveInformation:
1807 {
1808 const char *wksname = nt_workstation;
1809 const char *workgroup = lp_workgroup();
1810 bool ok;
1811
1812 ok = auth3_context_set_challenge(
1813 auth_context, logon->network->challenge, "fixed");
1814 if (!ok) {
1815 return NT_STATUS_NO_MEMORY;
1816 }
1817
1818 /* For a network logon, the workstation name comes in with two
1819 * backslashes in the front. Strip them if they are there. */
1820
1821 if (*wksname == '\\') wksname++;
1822 if (*wksname == '\\') wksname++;
1823
1824 /* Standard challenge/response authentication */
1825 if (!make_user_info_netlogon_network(talloc_tos(),
1826 &user_info,
1827 nt_username, nt_domain,
1828 wksname,
1829 p->remote_address,
1830 p->local_address,
1831 logon->network->identity_info.parameter_control,
1832 logon->network->lm.data,
1833 logon->network->lm.length,
1834 logon->network->nt.data,
1835 logon->network->nt.length)) {
1836 status = NT_STATUS_NO_MEMORY;
1837 }
1838
1839 if (NT_STATUS_IS_OK(status)) {
1840 status = NTLMv2_RESPONSE_verify_netlogon_creds(
1841 user_info->client.account_name,
1842 user_info->client.domain_name,
1843 user_info->password.response.nt,
1844 creds, workgroup);
1845 }
1846 break;
1847 }
1848 case NetlogonInteractiveInformation:
1849 case NetlogonServiceInformation:
1850 case NetlogonInteractiveTransitiveInformation:
1851 case NetlogonServiceTransitiveInformation:
1852
1853 /* 'Interactive' authentication, supplies the password in its
1854 MD4 form, encrypted with the session key. We will convert
1855 this to challenge/response for the auth subsystem to chew
1856 on */
1857 {
1858 uint8_t chal[8];
1859
1860 #ifdef DEBUG_PASSWORD
1861 if (logon != r->in.logon) {
1862 DEBUG(100,("lm owf password:"));
1863 dump_data(100,
1864 r->in.logon->password->lmpassword.hash, 16);
1865
1866 DEBUG(100,("nt owf password:"));
1867 dump_data(100,
1868 r->in.logon->password->ntpassword.hash, 16);
1869 }
1870
1871 DEBUG(100,("decrypt of lm owf password:"));
1872 dump_data(100, logon->password->lmpassword.hash, 16);
1873
1874 DEBUG(100,("decrypt of nt owf password:"));
1875 dump_data(100, logon->password->ntpassword.hash, 16);
1876 #endif
1877
1878 auth_get_ntlm_challenge(auth_context, chal);
1879
1880 if (!make_user_info_netlogon_interactive(talloc_tos(),
1881 &user_info,
1882 nt_username, nt_domain,
1883 nt_workstation,
1884 p->remote_address,
1885 p->local_address,
1886 logon->password->identity_info.parameter_control,
1887 chal,
1888 logon->password->lmpassword.hash,
1889 logon->password->ntpassword.hash)) {
1890 status = NT_STATUS_NO_MEMORY;
1891 }
1892 break;
1893 }
1894 default:
1895 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1896 return NT_STATUS_INVALID_INFO_CLASS;
1897 } /* end switch */
1898
1899 if ( NT_STATUS_IS_OK(status) ) {
1900 status = auth_check_ntlm_password(p->mem_ctx,
1901 auth_context,
1902 user_info,
1903 &server_info,
1904 r->out.authoritative);
1905 }
1906
1907 TALLOC_FREE(auth_context);
1908 TALLOC_FREE(user_info);
1909
1910 DEBUG(5,("%s: check_password returned status %s\n",
1911 fn, nt_errstr(status)));
1912
1913 /* Check account and password */
1914
1915 if (!NT_STATUS_IS_OK(status)) {
1916 TALLOC_FREE(server_info);
1917 return status;
1918 }
1919
1920 if (server_info->guest) {
1921 /* We don't like guest domain logons... */
1922 DEBUG(5,("%s: Attempted domain logon as GUEST "
1923 "denied.\n", fn));
1924 TALLOC_FREE(server_info);
1925 return NT_STATUS_LOGON_FAILURE;
1926 }
1927
1928 sanitized_username = talloc_alpha_strcpy(talloc_tos(),
1929 nt_username,
1930 SAFE_NETBIOS_CHARS "$");
1931 if (sanitized_username == NULL) {
1932 TALLOC_FREE(server_info);
1933 return NT_STATUS_NO_MEMORY;
1934 }
1935
1936 set_current_user_info(sanitized_username,
1937 server_info->unix_name,
1938 server_info->info3->base.logon_domain.string);
1939 TALLOC_FREE(sanitized_username);
1940
1941 /* This is the point at which, if the login was successful, that
1942 the SAM Local Security Authority should record that the user is
1943 logged in to the domain. */
1944
1945 switch (r->in.validation_level) {
1946 case 2:
1947 status = serverinfo_to_SamInfo2(server_info,
1948 r->out.validation->sam2);
1949 break;
1950 case 3:
1951 status = serverinfo_to_SamInfo3(server_info,
1952 r->out.validation->sam3);
1953 break;
1954 case 6:
1955 /* Only allow this if the pipe is protected. */
1956 if (p->auth.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
1957 DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n",
1958 get_remote_machine_name()));
1959 status = NT_STATUS_INVALID_PARAMETER;
1960 break;
1961 }
1962
1963 status = serverinfo_to_SamInfo6(server_info,
1964 r->out.validation->sam6);
1965 break;
1966 }
1967
1968 TALLOC_FREE(server_info);
1969
1970 if (!NT_STATUS_IS_OK(status)) {
1971 return status;
1972 }
1973
1974 status = netlogon_creds_encrypt_samlogon_validation(creds,
1975 r->in.validation_level,
1976 r->out.validation);
1977
1978 return status;
1979 }
1980
1981 /****************************************************************
1982 _netr_LogonSamLogonWithFlags
1983 ****************************************************************/
1984
1985 NTSTATUS _netr_LogonSamLogonWithFlags(struct pipes_struct *p,
1986 struct netr_LogonSamLogonWithFlags *r)
1987 {
1988 NTSTATUS status;
1989 struct netlogon_creds_CredentialState *creds;
1990 struct netr_LogonSamLogonEx r2;
1991 struct netr_Authenticator return_authenticator;
1992
1993 *r->out.authoritative = true;
1994
1995 r2.in.server_name = r->in.server_name;
1996 r2.in.computer_name = r->in.computer_name;
1997 r2.in.logon_level = r->in.logon_level;
1998 r2.in.logon = r->in.logon;
1999 r2.in.validation_level = r->in.validation_level;
2000 r2.in.flags = r->in.flags;
2001 r2.out.validation = r->out.validation;
2002 r2.out.authoritative = r->out.authoritative;
2003 r2.out.flags = r->out.flags;
2004
2005 status = _netr_LogonSamLogon_check(&r2);
2006 if (!NT_STATUS_IS_OK(status)) {
2007 return status;
2008 }
2009
2010 become_root();
2011 status = netr_creds_server_step_check(p, p->mem_ctx,
2012 r->in.computer_name,
2013 r->in.credential,
2014 &return_authenticator,
2015 &creds);
2016 unbecome_root();
2017 if (!NT_STATUS_IS_OK(status)) {
2018 return status;
2019 }
2020
2021 status = _netr_LogonSamLogon_base(p, &r2, creds);
2022
2023 *r->out.return_authenticator = return_authenticator;
2024
2025 return status;
2026 }
2027
2028 /*************************************************************************
2029 _netr_LogonSamLogon
2030 *************************************************************************/
2031
2032 NTSTATUS _netr_LogonSamLogon(struct pipes_struct *p,
2033 struct netr_LogonSamLogon *r)
2034 {
2035 NTSTATUS status;
2036 struct netr_LogonSamLogonWithFlags r2;
2037 uint32_t flags = 0;
2038
2039 r2.in.server_name = r->in.server_name;
2040 r2.in.computer_name = r->in.computer_name;
2041 r2.in.credential = r->in.credential;
2042 r2.in.logon_level = r->in.logon_level;
2043 r2.in.logon = r->in.logon;
2044 r2.in.validation_level = r->in.validation_level;
2045 r2.in.return_authenticator = r->in.return_authenticator;
2046 r2.in.flags = &flags;
2047 r2.out.validation = r->out.validation;
2048 r2.out.authoritative = r->out.authoritative;
2049 r2.out.flags = &flags;
2050 r2.out.return_authenticator = r->out.return_authenticator;
2051
2052 status = _netr_LogonSamLogonWithFlags(p, &r2);
2053
2054 return status;
2055 }
2056
2057 /*************************************************************************
2058 _netr_LogonSamLogonEx
2059 - no credential chaining. Map into net sam logon.
2060 *************************************************************************/
2061
2062 NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
2063 struct netr_LogonSamLogonEx *r)
2064 {
2065 NTSTATUS status;
2066 struct netlogon_creds_CredentialState *creds = NULL;
2067 struct loadparm_context *lp_ctx;
2068
2069 *r->out.authoritative = true;
2070
2071 status = _netr_LogonSamLogon_check(r);
2072 if (!NT_STATUS_IS_OK(status)) {
2073 return status;
2074 }
2075
2076 /* Only allow this if the pipe is protected. */
2077 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2078 DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
2079 get_remote_machine_name() ));
2080 return NT_STATUS_INVALID_PARAMETER;
2081 }
2082
2083 lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers());
2084 if (lp_ctx == NULL) {
2085 DEBUG(0, ("loadparm_init_s3 failed\n"));
2086 return NT_STATUS_INTERNAL_ERROR;
2087 }
2088
2089 become_root();
2090 status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
2091 r->in.computer_name, &creds);
2092 unbecome_root();
2093 talloc_unlink(p->mem_ctx, lp_ctx);
2094
2095 if (!NT_STATUS_IS_OK(status)) {
2096 return status;
2097 }
2098
2099 status = _netr_LogonSamLogon_base(p, r, creds);
2100 TALLOC_FREE(creds);
2101
2102 return status;
2103 }
2104
2105 /*************************************************************************
2106 _ds_enum_dom_trusts
2107 *************************************************************************/
2108 #if 0 /* JERRY -- not correct */
2109 NTSTATUS _ds_enum_dom_trusts(struct pipes_struct *p, DS_Q_ENUM_DOM_TRUSTS *q_u,
2110 DS_R_ENUM_DOM_TRUSTS *r_u)
2111 {
2112 NTSTATUS status = NT_STATUS_OK;
2113
2114 /* TODO: According to MSDN, the can only be executed against a
2115 DC or domain member running Windows 2000 or later. Need
2116 to test against a standalone 2k server and see what it
2117 does. A windows 2000 DC includes its own domain in the
2118 list. --jerry */
2119
2120 return status;
2121 }
2122 #endif /* JERRY */
2123
2124
2125 /****************************************************************
2126 ****************************************************************/
2127
2128 WERROR _netr_LogonUasLogon(struct pipes_struct *p,
2129 struct netr_LogonUasLogon *r)
2130 {
2131 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2132 return WERR_NOT_SUPPORTED;
2133 }
2134
2135 /****************************************************************
2136 ****************************************************************/
2137
2138 WERROR _netr_LogonUasLogoff(struct pipes_struct *p,
2139 struct netr_LogonUasLogoff *r)
2140 {
2141 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2142 return WERR_NOT_SUPPORTED;
2143 }
2144
2145 /****************************************************************
2146 ****************************************************************/
2147
2148 NTSTATUS _netr_DatabaseDeltas(struct pipes_struct *p,
2149 struct netr_DatabaseDeltas *r)
2150 {
2151 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2152 return NT_STATUS_NOT_IMPLEMENTED;
2153 }
2154
2155 /****************************************************************
2156 ****************************************************************/
2157
2158 NTSTATUS _netr_DatabaseSync(struct pipes_struct *p,
2159 struct netr_DatabaseSync *r)
2160 {
2161 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2162 return NT_STATUS_NOT_IMPLEMENTED;
2163 }
2164
2165 /****************************************************************
2166 ****************************************************************/
2167
2168 NTSTATUS _netr_AccountDeltas(struct pipes_struct *p,
2169 struct netr_AccountDeltas *r)
2170 {
2171 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2172 return NT_STATUS_NOT_IMPLEMENTED;
2173 }
2174
2175 /****************************************************************
2176 ****************************************************************/
2177
2178 NTSTATUS _netr_AccountSync(struct pipes_struct *p,
2179 struct netr_AccountSync *r)
2180 {
2181 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2182 return NT_STATUS_NOT_IMPLEMENTED;
2183 }
2184
2185 /****************************************************************
2186 ****************************************************************/
2187
2188 static bool wb_getdcname(TALLOC_CTX *mem_ctx,
2189 const char *domain,
2190 const char **dcname,
2191 uint32_t flags,
2192 WERROR *werr)
2193 {
2194 wbcErr result;
2195 struct wbcDomainControllerInfo *dc_info = NULL;
2196
2197 result = wbcLookupDomainController(domain,
2198 flags,
2199 &dc_info);
2200 switch (result) {
2201 case WBC_ERR_SUCCESS:
2202 break;
2203 case WBC_ERR_WINBIND_NOT_AVAILABLE:
2204 return false;
2205 case WBC_ERR_DOMAIN_NOT_FOUND:
2206 *werr = WERR_NO_SUCH_DOMAIN;
2207 return true;
2208 default:
2209 *werr = WERR_DOMAIN_CONTROLLER_NOT_FOUND;
2210 return true;
2211 }
2212
2213 *dcname = talloc_strdup(mem_ctx, dc_info->dc_name);
2214 wbcFreeMemory(dc_info);
2215 if (!*dcname) {
2216 *werr = WERR_NOT_ENOUGH_MEMORY;
2217 return false;
2218 }
2219
2220 *werr = WERR_OK;
2221
2222 return true;
2223 }
2224
2225 /****************************************************************
2226 _netr_GetDcName
2227 ****************************************************************/
2228
2229 WERROR _netr_GetDcName(struct pipes_struct *p,
2230 struct netr_GetDcName *r)
2231 {
2232 NTSTATUS status;
2233 WERROR werr;
2234 uint32_t flags;
2235 struct netr_DsRGetDCNameInfo *info;
2236 bool ret;
2237
2238 ret = wb_getdcname(p->mem_ctx,
2239 r->in.domainname,
2240 r->out.dcname,
2241 WBC_LOOKUP_DC_IS_FLAT_NAME |
2242 WBC_LOOKUP_DC_RETURN_FLAT_NAME |
2243 WBC_LOOKUP_DC_PDC_REQUIRED,
2244 &werr);
2245 if (ret == true) {
2246 return werr;
2247 }
2248
2249 flags = DS_PDC_REQUIRED | DS_IS_FLAT_NAME | DS_RETURN_FLAT_NAME;
2250
2251 status = dsgetdcname(p->mem_ctx,
2252 p->msg_ctx,
2253 r->in.domainname,
2254 NULL,
2255 NULL,
2256 flags,
2257 &info);
2258 if (!NT_STATUS_IS_OK(status)) {
2259 return ntstatus_to_werror(status);
2260 }
2261
2262 *r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
2263 talloc_free(info);
2264 if (!*r->out.dcname) {
2265 return WERR_NOT_ENOUGH_MEMORY;
2266 }
2267
2268 return WERR_OK;
2269 }
2270
2271 /****************************************************************
2272 _netr_GetAnyDCName
2273 ****************************************************************/
2274
2275 WERROR _netr_GetAnyDCName(struct pipes_struct *p,
2276 struct netr_GetAnyDCName *r)
2277 {
2278 NTSTATUS status;
2279 WERROR werr;
2280 uint32_t flags;
2281 struct netr_DsRGetDCNameInfo *info;
2282 bool ret;
2283
2284 ret = wb_getdcname(p->mem_ctx,
2285 r->in.domainname,
2286 r->out.dcname,
2287 WBC_LOOKUP_DC_IS_FLAT_NAME |
2288 WBC_LOOKUP_DC_RETURN_FLAT_NAME,
2289 &werr);
2290 if (ret == true) {
2291 return werr;
2292 }
2293
2294 flags = DS_IS_FLAT_NAME | DS_RETURN_FLAT_NAME;
2295
2296 status = dsgetdcname(p->mem_ctx,
2297 p->msg_ctx,
2298 r->in.domainname,
2299 NULL,
2300 NULL,
2301 flags,
2302 &info);
2303 if (!NT_STATUS_IS_OK(status)) {
2304 return ntstatus_to_werror(status);
2305 }
2306
2307 *r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
2308 talloc_free(info);
2309 if (!*r->out.dcname) {
2310 return WERR_NOT_ENOUGH_MEMORY;
2311 }
2312
2313 return WERR_OK;
2314 }
2315
2316 /****************************************************************
2317 ****************************************************************/
2318
2319 NTSTATUS _netr_DatabaseSync2(struct pipes_struct *p,
2320 struct netr_DatabaseSync2 *r)
2321 {
2322 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2323 return NT_STATUS_NOT_IMPLEMENTED;
2324 }
2325
2326 /****************************************************************
2327 ****************************************************************/
2328
2329 NTSTATUS _netr_DatabaseRedo(struct pipes_struct *p,
2330 struct netr_DatabaseRedo *r)
2331 {
2332 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2333 return NT_STATUS_NOT_IMPLEMENTED;
2334 }
2335
2336 /****************************************************************
2337 ****************************************************************/
2338
2339 WERROR _netr_DsRGetDCName(struct pipes_struct *p,
2340 struct netr_DsRGetDCName *r)
2341 {
2342 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2343 return WERR_NOT_SUPPORTED;
2344 }
2345
2346 /****************************************************************
2347 ****************************************************************/
2348
2349 NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
2350 struct netr_LogonGetCapabilities *r)
2351 {
2352 struct netlogon_creds_CredentialState *creds;
2353 NTSTATUS status;
2354
2355 become_root();
2356 status = netr_creds_server_step_check(p, p->mem_ctx,
2357 r->in.computer_name,
2358 r->in.credential,
2359 r->out.return_authenticator,
2360 &creds);
2361 unbecome_root();
2362 if (!NT_STATUS_IS_OK(status)) {
2363 return status;
2364 }
2365
2366 if (r->in.query_level != 1) {
2367 return NT_STATUS_NOT_SUPPORTED;
2368 }
2369
2370 r->out.capabilities->server_capabilities = creds->negotiate_flags;
2371
2372 return NT_STATUS_OK;
2373 }
2374
2375 /****************************************************************
2376 ****************************************************************/
2377
2378 WERROR _netr_NETRLOGONSETSERVICEBITS(struct pipes_struct *p,
2379 struct netr_NETRLOGONSETSERVICEBITS *r)
2380 {
2381 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2382 return WERR_NOT_SUPPORTED;
2383 }
2384
2385 /****************************************************************
2386 ****************************************************************/
2387
2388 WERROR _netr_LogonGetTrustRid(struct pipes_struct *p,
2389 struct netr_LogonGetTrustRid *r)
2390 {
2391 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2392 return WERR_NOT_SUPPORTED;
2393 }
2394
2395 /****************************************************************
2396 ****************************************************************/
2397
2398 WERROR _netr_NETRLOGONCOMPUTESERVERDIGEST(struct pipes_struct *p,
2399 struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
2400 {
2401 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2402 return WERR_NOT_SUPPORTED;
2403 }
2404
2405 /****************************************************************
2406 ****************************************************************/
2407
2408 WERROR _netr_NETRLOGONCOMPUTECLIENTDIGEST(struct pipes_struct *p,
2409 struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
2410 {
2411 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2412 return WERR_NOT_SUPPORTED;
2413 }
2414
2415 /****************************************************************
2416 ****************************************************************/
2417
2418 WERROR _netr_DsRGetDCNameEx(struct pipes_struct *p,
2419 struct netr_DsRGetDCNameEx *r)
2420 {
2421 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2422 return WERR_NOT_SUPPORTED;
2423 }
2424
2425 /****************************************************************
2426 ****************************************************************/
2427
2428 WERROR _netr_DsRGetSiteName(struct pipes_struct *p,
2429 struct netr_DsRGetSiteName *r)
2430 {
2431 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2432 return WERR_NOT_SUPPORTED;
2433 }
2434
2435 /****************************************************************
2436 ****************************************************************/
2437
2438 NTSTATUS _netr_LogonGetDomainInfo(struct pipes_struct *p,
2439 struct netr_LogonGetDomainInfo *r)
2440 {
2441 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2442 return NT_STATUS_NOT_IMPLEMENTED;
2443 }
2444
2445 /****************************************************************
2446 ****************************************************************/
2447
2448 NTSTATUS _netr_ServerPasswordGet(struct pipes_struct *p,
2449 struct netr_ServerPasswordGet *r)
2450 {
2451 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2452 return NT_STATUS_NOT_SUPPORTED;
2453 }
2454
2455 /****************************************************************
2456 ****************************************************************/
2457
2458 NTSTATUS _netr_NetrLogonSendToSam(struct pipes_struct *p,
2459 struct netr_NetrLogonSendToSam *r)
2460 {
2461 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2462 return NT_STATUS_NOT_IMPLEMENTED;
2463 }
2464
2465 /****************************************************************
2466 ****************************************************************/
2467
2468 WERROR _netr_DsRAddressToSitenamesW(struct pipes_struct *p,
2469 struct netr_DsRAddressToSitenamesW *r)
2470 {
2471 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2472 return WERR_NOT_SUPPORTED;
2473 }
2474
2475 /****************************************************************
2476 ****************************************************************/
2477
2478 WERROR _netr_DsRGetDCNameEx2(struct pipes_struct *p,
2479 struct netr_DsRGetDCNameEx2 *r)
2480 {
2481 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2482 return WERR_NOT_SUPPORTED;
2483 }
2484
2485 /****************************************************************
2486 ****************************************************************/
2487
2488 WERROR _netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct pipes_struct *p,
2489 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
2490 {
2491 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2492 return WERR_NOT_SUPPORTED;
2493 }
2494
2495 /****************************************************************
2496 ****************************************************************/
2497
2498 WERROR _netr_NetrEnumerateTrustedDomainsEx(struct pipes_struct *p,
2499 struct netr_NetrEnumerateTrustedDomainsEx *r)
2500 {
2501 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2502 return WERR_NOT_SUPPORTED;
2503 }
2504
2505 /****************************************************************
2506 ****************************************************************/
2507
2508 WERROR _netr_DsRAddressToSitenamesExW(struct pipes_struct *p,
2509 struct netr_DsRAddressToSitenamesExW *r)
2510 {
2511 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2512 return WERR_NOT_SUPPORTED;
2513 }
2514
2515 /****************************************************************
2516 ****************************************************************/
2517
2518 WERROR _netr_DsrGetDcSiteCoverageW(struct pipes_struct *p,
2519 struct netr_DsrGetDcSiteCoverageW *r)
2520 {
2521 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2522 return WERR_NOT_SUPPORTED;
2523 }
2524
2525 /****************************************************************
2526 ****************************************************************/
2527
2528 WERROR _netr_DsrEnumerateDomainTrusts(struct pipes_struct *p,
2529 struct netr_DsrEnumerateDomainTrusts *r)
2530 {
2531 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2532 return WERR_NOT_SUPPORTED;
2533 }
2534
2535 /****************************************************************
2536 ****************************************************************/
2537
2538 WERROR _netr_DsrDeregisterDNSHostRecords(struct pipes_struct *p,
2539 struct netr_DsrDeregisterDNSHostRecords *r)
2540 {
2541 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2542 return WERR_NOT_SUPPORTED;
2543 }
2544
2545 /****************************************************************
2546 ****************************************************************/
2547
2548 NTSTATUS _netr_ServerTrustPasswordsGet(struct pipes_struct *p,
2549 struct netr_ServerTrustPasswordsGet *r)
2550 {
2551 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2552 return NT_STATUS_NOT_IMPLEMENTED;
2553 }
2554
2555 /****************************************************************
2556 ****************************************************************/
2557
2558 static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx,
2559 struct lsa_ForestTrustInformation *info)
2560 {
2561 struct lsa_ForestTrustRecord *e;
2562 struct pdb_domain_info *dom_info;
2563 struct lsa_ForestTrustDomainInfo *domain_info;
2564 char **upn_suffixes = NULL;
2565 uint32_t num_suffixes = 0;
2566 uint32_t i = 0;
2567 NTSTATUS status;
2568
2569 dom_info = pdb_get_domain_info(mem_ctx);
2570 if (dom_info == NULL) {
2571 return NT_STATUS_NO_MEMORY;
2572 }
2573
2574 info->count = 2;
2575
2576 become_root();
2577 status = pdb_enum_upn_suffixes(info, &num_suffixes, &upn_suffixes);
2578 unbecome_root();
2579 if (NT_STATUS_IS_OK(status) && (num_suffixes > 0)) {
2580 info->count += num_suffixes;
2581 }
2582
2583 info->entries = talloc_array(info, struct lsa_ForestTrustRecord *, info->count);
2584 if (info->entries == NULL) {
2585 return NT_STATUS_NO_MEMORY;
2586 }
2587
2588 e = talloc(info, struct lsa_ForestTrustRecord);
2589 if (e == NULL) {
2590 return NT_STATUS_NO_MEMORY;
2591 }
2592
2593 e->flags = 0;
2594 e->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
2595 e->time = 0; /* so far always 0 in trces. */
2596 e->forest_trust_data.top_level_name.string = talloc_steal(info,
2597 dom_info->dns_forest);
2598
2599 info->entries[0] = e;
2600
2601 if (num_suffixes > 0) {
2602 for (i = 0; i < num_suffixes ; i++) {
2603 e = talloc(info, struct lsa_ForestTrustRecord);
2604 if (e == NULL) {
2605 return NT_STATUS_NO_MEMORY;
2606 }
2607
2608 e->flags = 0;
2609 e->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
2610 e->time = 0; /* so far always 0 in traces. */
2611 e->forest_trust_data.top_level_name.string = upn_suffixes[i];
2612 info->entries[1 + i] = e;
2613 }
2614 }
2615
2616 e = talloc(info, struct lsa_ForestTrustRecord);
2617 if (e == NULL) {
2618 return NT_STATUS_NO_MEMORY;
2619 }
2620
2621 /* TODO: check if disabled and set flags accordingly */
2622 e->flags = 0;
2623 e->type = LSA_FOREST_TRUST_DOMAIN_INFO;
2624 e->time = 0; /* so far always 0 in traces. */
2625
2626 domain_info = &e->forest_trust_data.domain_info;
2627 domain_info->domain_sid = dom_sid_dup(info, &dom_info->sid);
2628
2629 domain_info->dns_domain_name.string = talloc_steal(info,
2630 dom_info->dns_domain);
2631 domain_info->netbios_domain_name.string = talloc_steal(info,
2632 dom_info->name);
2633
2634 info->entries[info->count - 1] = e;
2635
2636 return NT_STATUS_OK;
2637 }
2638
2639 /****************************************************************
2640 ****************************************************************/
2641
2642 WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
2643 struct netr_DsRGetForestTrustInformation *r)
2644 {
2645 NTSTATUS status;
2646 struct lsa_ForestTrustInformation *info, **info_ptr;
2647 enum security_user_level security_level;
2648
2649 security_level = security_session_user_level(p->session_info, NULL);
2650 if (security_level < SECURITY_USER) {
2651 return WERR_ACCESS_DENIED;
2652 }
2653
2654 if (r->in.flags & (~DS_GFTI_UPDATE_TDO)) {
2655 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2656 return WERR_INVALID_FLAGS;
2657 }
2658
2659 if ((r->in.flags & DS_GFTI_UPDATE_TDO) && (lp_server_role() != ROLE_DOMAIN_PDC)) {
2660 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2661 return WERR_NERR_NOTPRIMARY;
2662 }
2663
2664 if ((r->in.trusted_domain_name == NULL) && (r->in.flags & DS_GFTI_UPDATE_TDO)) {
2665 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2666 return WERR_INVALID_PARAMETER;
2667 }
2668
2669 /* retrieve forest trust information and stop further processing */
2670 if (r->in.trusted_domain_name == NULL) {
2671 info_ptr = talloc(p->mem_ctx, struct lsa_ForestTrustInformation *);
2672 if (info_ptr == NULL) {
2673 p->fault_state = DCERPC_FAULT_CANT_PERFORM;
2674 return WERR_NOT_ENOUGH_MEMORY;
2675 }
2676 info = talloc_zero(info_ptr, struct lsa_ForestTrustInformation);
2677 if (info == NULL) {
2678 p->fault_state = DCERPC_FAULT_CANT_PERFORM;
2679 return WERR_NOT_ENOUGH_MEMORY;
2680 }
2681
2682 /* Fill forest trust information and expand UPN suffixes list */
2683 status = fill_forest_trust_array(p->mem_ctx, info);
2684 if (!NT_STATUS_IS_OK(status)) {
2685 p->fault_state = DCERPC_FAULT_CANT_PERFORM;
2686 return WERR_NOT_ENOUGH_MEMORY;
2687 }
2688
2689 *info_ptr = info;
2690 r->out.forest_trust_info = info_ptr;
2691
2692 return WERR_OK;
2693
2694 }
2695
2696 /* TODO: implement remaining parts of DsrGetForestTrustInformation (opnum 43)
2697 * when trusted_domain_name is not NULL */
2698
2699 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2700 return WERR_NOT_SUPPORTED;
2701 }
2702
2703 /****************************************************************
2704 _netr_GetForestTrustInformation
2705 ****************************************************************/
2706
2707 NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p,
2708 struct netr_GetForestTrustInformation *r)
2709 {
2710 NTSTATUS status;
2711 struct netlogon_creds_CredentialState *creds;
2712 struct lsa_ForestTrustInformation *info, **info_ptr;
2713
2714 /* TODO: check server name */
2715
2716 become_root();
2717 status = netr_creds_server_step_check(p, p->mem_ctx,
2718 r->in.computer_name,
2719 r->in.credential,
2720 r->out.return_authenticator,
2721 &creds);
2722 unbecome_root();
2723 if (!NT_STATUS_IS_OK(status)) {
2724 return status;
2725 }
2726
2727 if ((creds->secure_channel_type != SEC_CHAN_DNS_DOMAIN) &&
2728 (creds->secure_channel_type != SEC_CHAN_DOMAIN)) {
2729 return NT_STATUS_NOT_IMPLEMENTED;
2730 }
2731
2732 info_ptr = talloc(p->mem_ctx, struct lsa_ForestTrustInformation *);
2733 if (!info_ptr) {
2734 return NT_STATUS_NO_MEMORY;
2735 }
2736 info = talloc_zero(info_ptr, struct lsa_ForestTrustInformation);
2737 if (!info) {
2738 return NT_STATUS_NO_MEMORY;
2739 }
2740
2741 /* Fill forest trust information, do expand UPN suffixes list */
2742 status = fill_forest_trust_array(p->mem_ctx, info);
2743 if (!NT_STATUS_IS_OK(status)) {
2744 return status;
2745 }
2746
2747 *info_ptr = info;
2748 r->out.forest_trust_info = info_ptr;
2749
2750 return NT_STATUS_OK;
2751 }
2752
2753 /****************************************************************
2754 ****************************************************************/
2755
2756 static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx,
2757 const DATA_BLOB *trustAuth_blob,
2758 struct netlogon_creds_CredentialState *creds,
2759 struct samr_Password *current_pw_enc,
2760 struct samr_Password *previous_pw_enc)
2761 {
2762 enum ndr_err_code ndr_err;
2763 struct trustAuthInOutBlob trustAuth;
2764 NTSTATUS status;
2765
2766 ndr_err = ndr_pull_struct_blob_all(trustAuth_blob, mem_ctx, &trustAuth,
2767 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2768 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2769 return NT_STATUS_UNSUCCESSFUL;
2770 }
2771
2772 if (trustAuth.count != 0 && trustAuth.current.count != 0 &&
2773 trustAuth.current.array[0].AuthType == TRUST_AUTH_TYPE_CLEAR) {
2774 mdfour(current_pw_enc->hash,
2775 trustAuth.current.array[0].AuthInfo.clear.password,
2776 trustAuth.current.array[0].AuthInfo.clear.size);
2777 status = netlogon_creds_des_encrypt(creds, current_pw_enc);
2778 if (!NT_STATUS_IS_OK(status)) {
2779 return status;
2780 }
2781 } else {
2782 return NT_STATUS_UNSUCCESSFUL;
2783 }
2784
2785
2786 if (trustAuth.previous.count != 0 &&
2787 trustAuth.previous.array[0].AuthType == TRUST_AUTH_TYPE_CLEAR) {
2788 mdfour(previous_pw_enc->hash,
2789 trustAuth.previous.array[0].AuthInfo.clear.password,
2790 trustAuth.previous.array[0].AuthInfo.clear.size);
2791 status = netlogon_creds_des_encrypt(creds, previous_pw_enc);
2792 if (!NT_STATUS_IS_OK(status)) {
2793 return status;
2794 }
2795 } else {
2796 ZERO_STRUCTP(previous_pw_enc);
2797 }
2798
2799 return NT_STATUS_OK;
2800 }
2801
2802 /****************************************************************
2803 _netr_ServerGetTrustInfo
2804 ****************************************************************/
2805
2806 NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p,
2807 struct netr_ServerGetTrustInfo *r)
2808 {
2809 NTSTATUS status;
2810 struct netlogon_creds_CredentialState *creds;
2811 char *account_name;
2812 size_t account_name_last;
2813 bool trusted;
2814 struct netr_TrustInfo *trust_info;
2815 struct pdb_trusted_domain *td;
2816
2817 /* TODO: check server name */
2818
2819 become_root();
2820 status = netr_creds_server_step_check(p, p->mem_ctx,
2821 r->in.computer_name,
2822 r->in.credential,
2823 r->out.return_authenticator,
2824 &creds);
2825 unbecome_root();
2826 if (!NT_STATUS_IS_OK(status)) {
2827 return status;
2828 }
2829
2830 account_name = talloc_strdup(p->mem_ctx, r->in.account_name);
2831 if (account_name == NULL) {
2832 return NT_STATUS_NO_MEMORY;
2833 }
2834
2835 account_name_last = strlen(account_name);
2836 if (account_name_last == 0) {
2837 return NT_STATUS_INVALID_PARAMETER;
2838 }
2839 account_name_last--;
2840 if (account_name[account_name_last] == '.') {
2841 account_name[account_name_last] = '\0';
2842 }
2843
2844 if ((creds->secure_channel_type != SEC_CHAN_DNS_DOMAIN) &&
2845 (creds->secure_channel_type != SEC_CHAN_DOMAIN)) {
2846 trusted = false;
2847 } else {
2848 trusted = true;
2849 }
2850
2851
2852 if (trusted) {
2853 account_name_last = strlen(account_name);
2854 if (account_name_last == 0) {
2855 return NT_STATUS_INVALID_PARAMETER;
2856 }
2857 account_name_last--;
2858 if (account_name[account_name_last] == '$') {
2859 account_name[account_name_last] = '\0';
2860 }
2861
2862 status = pdb_get_trusted_domain(p->mem_ctx, account_name, &td);
2863 if (!NT_STATUS_IS_OK(status)) {
2864 return status;
2865 }
2866
2867 if (r->out.trust_info != NULL) {
2868 trust_info = talloc_zero(p->mem_ctx, struct netr_TrustInfo);
2869 if (trust_info == NULL) {
2870 return NT_STATUS_NO_MEMORY;
2871 }
2872 trust_info->count = 1;
2873
2874 trust_info->data = talloc_array(trust_info, uint32_t, 1);
2875 if (trust_info->data == NULL) {
2876 return NT_STATUS_NO_MEMORY;
2877 }
2878 trust_info->data[0] = td->trust_attributes;
2879
2880 *r->out.trust_info = trust_info;
2881 }
2882
2883 if (td->trust_auth_incoming.data == NULL) {
2884 return NT_STATUS_INVALID_PARAMETER;
2885 }
2886
2887 status = get_password_from_trustAuth(p->mem_ctx,
2888 &td->trust_auth_incoming,
2889 creds,
2890 r->out.new_owf_password,
2891 r->out.old_owf_password);
2892
2893 if (!NT_STATUS_IS_OK(status)) {
2894 return status;
2895 }
2896
2897 } else {
2898 /* TODO: look for machine password */
2899 ZERO_STRUCTP(r->out.new_owf_password);
2900 ZERO_STRUCTP(r->out.old_owf_password);
2901
2902 return NT_STATUS_NOT_IMPLEMENTED;
2903 }
2904
2905 return NT_STATUS_OK;
2906 }
2907
2908 /****************************************************************
2909 ****************************************************************/
2910
2911 NTSTATUS _netr_Unused47(struct pipes_struct *p,
2912 struct netr_Unused47 *r)
2913 {
2914 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2915 return NT_STATUS_NOT_IMPLEMENTED;
2916 }
2917
2918 /****************************************************************
2919 ****************************************************************/
2920
2921 NTSTATUS _netr_DsrUpdateReadOnlyServerDnsRecords(struct pipes_struct *p,
2922 struct netr_DsrUpdateReadOnlyServerDnsRecords *r)
2923 {
2924 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2925 return NT_STATUS_NOT_IMPLEMENTED;
2926 }
2927
2928 /* include the generated boilerplate */
2929 #include "librpc/gen_ndr/ndr_netlogon_scompat.c"
Samba GIT mirror