2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997.
7 * Copyright (C) Jeremy Allison 1998-2001.
8 * Copyright (C) Andrew Bartlett 2001.
9 * Copyright (C) Guenther Deschner 2008.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 /* This is the implementation of the netlogon pipe. */
28 #include "../libcli/auth/libcli_auth.h"
/* Process-wide "current user" context; _netr_LogonSamLogon below writes the
 * requested account name into current_user_info.smb_name. */
extern userdom_struct current_user_info;

/* Debug class under which this file's DEBUG() output is filed. */
#define DBGC_CLASS DBGC_RPC_SRV
/*************************************************************************
 Fill the ServerReqChallenge reply credential from the stored server
 challenge (called from _netr_ServerReqChallenge with
 r->out.return_credentials and &p->dc->srv_chal).

 NOTE(review): this listing drops lines that held only punctuation (the
 printed line numbers skip them, e.g. 41, 43, 45); the statements are
 reflowed as printed and nothing has been reconstructed.
 *************************************************************************/
static void init_net_r_req_chal(struct netr_Credential *r,
				struct netr_Credential *srv_chal)
	DEBUG(6,("init_net_r_req_chal: %d\n", __LINE__));

	/* Both sides are netr_Credential, so sizeof(r->data) bounds the copy
	 * to the credential size. */
	memcpy(r->data, srv_chal->data, sizeof(r->data));
/*******************************************************************
 Inits a netr_NETLOGON_INFO_1 structure.

 NOTE(review): the printed numbering skips a parameter line (52) and a
 body line (55), so this function has more than is printed; only the
 field visible below is documented here. Braces are dropped by the
 listing; statements are reflowed as printed.
 ********************************************************************/
static void init_netlogon_info1(struct netr_NETLOGON_INFO_1 *r,
				uint32_t pdc_connection_status)
	r->pdc_connection_status = pdc_connection_status;
/*******************************************************************
 Inits a netr_NETLOGON_INFO_2 structure.

 trusted_dc_name is stored by pointer, not copied, so it must stay valid
 for as long as *r is used. The caller in this file builds dc_name with
 talloc_asprintf(p->mem_ctx, ...) and *r with TALLOC_ZERO_P(p->mem_ctx,
 ...), which is presumably what is passed here (the argument lines of
 that call are not printed).

 NOTE(review): the printed numbering skips a parameter line (64) and a
 body line (69); only the fields visible below are documented here.
 Braces are dropped by the listing; statements are reflowed as printed.
 ********************************************************************/
static void init_netlogon_info2(struct netr_NETLOGON_INFO_2 *r,
				uint32_t pdc_connection_status,
				const char *trusted_dc_name,
				uint32_t tc_connection_status)
	r->pdc_connection_status = pdc_connection_status;
	r->trusted_dc_name = trusted_dc_name;
	r->tc_connection_status = tc_connection_status;
/*******************************************************************
 Inits a netr_NETLOGON_INFO_3 structure.

 NOTE(review): the printed numbering skips a parameter line (80) and a
 body line (83); only the field visible below is documented here.
 Braces are dropped by the listing; statements are reflowed as printed.
 ********************************************************************/
static void init_netlogon_info3(struct netr_NETLOGON_INFO_3 *r,
				uint32_t logon_attempts)
	r->logon_attempts = logon_attempts;
/*************************************************************************
 _netr_LogonControl

 Forwards a LogonControl call to _netr_LogonControl2Ex through a
 temporary netr_LogonControl2Ex request. The level switch refuses one
 level with WERR_NOT_SUPPORTED and unknown levels with WERR_UNKNOWN_LEVEL;
 the accepted level falls out of the switch and is forwarded.

 NOTE(review): the case labels, break lines and braces of this function
 are absent from the listing (the printed numbering is gappy around
 97-104), so the two returns below cannot be tied to specific levels.
 Nothing printed sets l.in.data (printed line 108 is absent); if the
 original leaves it unset, the TC_QUERY / REDISCOVER paths of
 _netr_LogonControl2Ex read r->in.data->domain through an indeterminate
 pointer -- confirm against the original source.
 *************************************************************************/
WERROR _netr_LogonControl(pipes_struct *p,
			  struct netr_LogonControl *r)
	struct netr_LogonControl2Ex l;

	switch (r->in.level) {
		return WERR_NOT_SUPPORTED;
		return WERR_UNKNOWN_LEVEL;

	/* netr_LogonControl carries no data member to forward; only these
	 * three inputs and the output pointer are copied. */
	l.in.logon_server = r->in.logon_server;
	l.in.function_code = r->in.function_code;
	l.in.level = r->in.level;

	l.out.query = r->out.info;

	return _netr_LogonControl2Ex(p, &l);
/****************************************************************************
 Send a message to smbd to do a sam synchronisation

 Payload is NULL/0; message_send_all() presumably broadcasts to every
 smbd process (the name suggests so -- confirm).

 NOTE(review): the closing argument line of the message_send_all() call
 (printed line 122) and the braces are absent from this listing.
 **************************************************************************/
static void send_sync_message(void)
	DEBUG(3, ("sending sam synchronisation message\n"));
	message_send_all(smbd_messaging_context(), MSG_SMB_SAM_SYNC, NULL, 0,
	/* [printed line 122, the last argument, absent] */
/*************************************************************************
 _netr_LogonControl2

 Maps a LogonControl2 request onto the LogonControl2Ex handler without
 any validation of its own: level and function_code are checked in
 _netr_LogonControl2Ex. Unlike _netr_LogonControl, the request's data
 member is forwarded, so the TC_QUERY / REDISCOVER paths have the domain
 name they read from r->in.data->domain.

 NOTE(review): braces are dropped by the listing; statements are
 reflowed as printed.
 *************************************************************************/
WERROR _netr_LogonControl2(pipes_struct *p,
			   struct netr_LogonControl2 *r)
	struct netr_LogonControl2Ex l;

	l.in.logon_server = r->in.logon_server;
	l.in.function_code = r->in.function_code;
	l.in.level = r->in.level;
	l.in.data = r->in.data;
	l.out.query = r->out.query;

	return _netr_LogonControl2Ex(p, &l);
/****************************************************************
 _netr_LogonControl2Ex

 Common handler behind LogonControl, LogonControl2 and LogonControl2Ex
 (the opnum switch picks the name used in log messages). For
 NETLOGON_CONTROL_TC_QUERY and NETLOGON_CONTROL_REDISCOVER it looks up a
 DC for the named domain, but only when that domain is trusted; any other
 function code is logged and refused with WERR_UNKNOWN_LEVEL. The reply
 is then built per requested level; pdc_connection_status and
 logon_attempts are always reported as 0.

 NOTE(review): this listing drops single-token lines (case labels, break,
 braces) and some declarations -- tc_status, dc_name2 and fn are used
 but never declared in what is printed. The apparent fall-through
 between the opnum cases and the missing NULL check after
 talloc_asprintf() fall exactly where the printed numbering has gaps
 (166, 169, 172, 192-195), so treat them as listing artefacts until
 confirmed against the original. The BDC branch body and the final
 return are not printed either.
 ****************************************************************/
WERROR _netr_LogonControl2Ex(pipes_struct *p,
			     struct netr_LogonControl2Ex *r)
	uint32 pdc_connection_status = 0x0;
	uint32 logon_attempts = 0x0;
	const char *dc_name = NULL;
	struct sockaddr_storage dc_ss;
	const char *domain = NULL;
	struct netr_NETLOGON_INFO_1 *info1;
	struct netr_NETLOGON_INFO_2 *info2;
	struct netr_NETLOGON_INFO_3 *info3;

	/* Pick the entry-point name for log output from the opnum. */
	switch (p->hdr_req.opnum) {
	case NDR_NETR_LOGONCONTROL:
		fn = "_netr_LogonControl";
	case NDR_NETR_LOGONCONTROL2:
		fn = "_netr_LogonControl2";
	case NDR_NETR_LOGONCONTROL2EX:
		fn = "_netr_LogonControl2Ex";
		/* [default label absent] */
		return WERR_INVALID_PARAM;

	/* Default until a DC lookup succeeds. */
	tc_status = W_ERROR_V(WERR_NO_SUCH_DOMAIN);

	switch (r->in.function_code) {
	case NETLOGON_CONTROL_TC_QUERY:
		/* NOTE(review): r->in.data is dereferenced without a NULL
		 * check; confirm the NDR layer guarantees it is non-NULL for
		 * this function code (see _netr_LogonControl, which does not
		 * visibly set it). */
		domain = r->in.data->domain;

		/* Only trusted domains are looked up; otherwise tc_status
		 * stays WERR_NO_SUCH_DOMAIN. */
		if ( !is_trusted_domain( domain ) )

		if ( !get_dc_name( domain, NULL, dc_name2, &dc_ss ) ) {
			tc_status = W_ERROR_V(WERR_NO_LOGON_SERVERS);

		/* Report the DC in UNC form (\\name). No NULL check of the
		 * result is printed (lines 192-195 absent). */
		dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);

		tc_status = W_ERROR_V(WERR_OK);

	case NETLOGON_CONTROL_REDISCOVER:
		/* Same lookup as TC_QUERY; nothing printed forces a fresh
		 * discovery. */
		domain = r->in.data->domain;

		if ( !is_trusted_domain( domain ) )

		if ( !get_dc_name( domain, NULL, dc_name2, &dc_ss ) ) {
			tc_status = W_ERROR_V(WERR_NO_LOGON_SERVERS);

		dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);

		tc_status = W_ERROR_V(WERR_OK);

		/* [default label absent] */
		/* no idea what this should be */
		DEBUG(0,("%s: unimplemented function level [%d]\n",
			 fn, r->in.function_code));
		return WERR_UNKNOWN_LEVEL;

	/* prepare the response */
	/* NOTE(review): the case labels of this switch and some of the
	 * init_netlogon_info2/3() argument lines (246-247, 255-256) are
	 * absent; the three branches are read in order as the levels
	 * carrying info1, info2 and info3. */
	switch (r->in.level) {
		info1 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_1);
		W_ERROR_HAVE_NO_MEMORY(info1);

		init_netlogon_info1(info1,
				    /* [printed line 235 absent] */
				    pdc_connection_status);
		r->out.query->info1 = info1;

		info2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_2);
		W_ERROR_HAVE_NO_MEMORY(info2);

		init_netlogon_info2(info2,
				    pdc_connection_status,
				    /* [printed lines 246-247 absent] */
		r->out.query->info2 = info2;

		info3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_3);
		W_ERROR_HAVE_NO_MEMORY(info3);

		init_netlogon_info3(info3,
				    /* [printed lines 255-256 absent] */
		r->out.query->info3 = info3;

		return WERR_UNKNOWN_LEVEL;

	/* On a BDC a SAM synchronisation is presumably kicked off here
	 * (send_sync_message() above); the body is not printed. */
	if (lp_server_role() == ROLE_DOMAIN_BDC) {
/*************************************************************************
 _netr_NetrEnumerateTrustedDomains

 Answers with a two-byte, zero-filled blob -- an empty trusted-domain
 list regardless of which trusts are configured -- so callers see no
 trusts from this server.

 NOTE(review): the declaration of `blob` (printed line 278) and the
 function's return are not printed, and no check of the
 data_blob_talloc_zero() result appears in what is printed; confirm
 against the original before relying on the allocation being checked.
 Braces are dropped by the listing.
 *************************************************************************/
WERROR _netr_NetrEnumerateTrustedDomains(pipes_struct *p,
					 struct netr_NetrEnumerateTrustedDomains *r)
	struct netr_Blob trusted_domains_blob;

	DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));

	/* set up the Trusted Domain List response */
	/* Two zero bytes: the list carries no domain names. */
	blob = data_blob_talloc_zero(p->mem_ctx, 2);
	trusted_domains_blob.data = blob.data;
	trusted_domains_blob.length = blob.length;

	DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));

	/* Struct copy into the caller-provided output. */
	*r->out.trusted_domains_blob = trusted_domains_blob;
/******************************************************************
 gets a machine password entry. checks access rights of the host.

 Looks up mach_acct in the passdb and, if it is an enabled trust account
 whose type matches sec_chan_type, copies its 16-byte NT hash into md4pw
 and its RID into *rid. Before touching the passdb the connecting host is
 checked against the domain hosts allow/deny lists.

 md4pw must point at a buffer of at least 16 bytes (both callers in this
 file pass p->dc->mach_pw).

 Distinct NTSTATUS values are returned for "no account", "disabled",
 "wrong trust type" and "no password"; both callers collapse them to
 NT_STATUS_ACCESS_DENIED on the wire, so the reason is only visible in
 the server log.

 NOTE(review): the declarations of ret, acct_ctrl and pass, the check of
 ret after pdb_getsampwnam(), the case labels of the sec_chan_type switch
 other than SEC_CHAN_DOMAIN, the early return after the access-denied
 log line (323-326) and the final return are absent from this listing.
 Braces are dropped; statements are reflowed as printed.
 ******************************************************************/
static NTSTATUS get_md4pw(char *md4pw, const char *mach_acct,
			  uint16_t sec_chan_type, uint32_t *rid)
	struct samu *sampass = NULL;
	char addr[INET6_ADDRSTRLEN];

	/*
	 * Currently this code is redundant as we already have a filter
	 * by hostname list. What this code really needs to do is to
	 * get a hosts allowed/hosts denied list from the SAM database
	 * on a per user basis, and make the access decision there.
	 * I will leave this code here for now as a reminder to implement
	 * this at a later date. JRA.
	 */

	/* Host-based gate; addr is filled by client_addr() under an explicit
	 * sizeof bound. */
	if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
			  client_name(get_client_fd()),
			  client_addr(get_client_fd(),addr,sizeof(addr)))) {
		DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct));
		/* [printed lines 323-326 absent] */

	if ( !(sampass = samu_new( NULL )) ) {
		return NT_STATUS_NO_MEMORY;

	/* JRA. This is ok as it is only used for generating the challenge. */
	ret = pdb_getsampwnam(sampass, mach_acct);
		/* [the check of ret, printed lines 334-336, absent] */
		DEBUG(0,("get_md4pw: Workstation %s: no account in domain\n", mach_acct));
		TALLOC_FREE(sampass);
		return NT_STATUS_ACCESS_DENIED;

	acct_ctrl = pdb_get_acct_ctrl(sampass);
	if (acct_ctrl & ACB_DISABLED) {
		DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct));
		TALLOC_FREE(sampass);
		return NT_STATUS_ACCOUNT_DISABLED;

	/* Only trust accounts (server, workstation or inter-domain) may
	 * establish a secure channel; ordinary user accounts are refused. */
	if (!(acct_ctrl & ACB_SVRTRUST) &&
	    !(acct_ctrl & ACB_WSTRUST) &&
	    !(acct_ctrl & ACB_DOMTRUST))
		DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct));
		TALLOC_FREE(sampass);
		return NT_STATUS_NO_TRUST_SAM_ACCOUNT;

	/* The requested channel type must match the account's trust flag,
	 * so e.g. a workstation account cannot claim to be a BDC or a
	 * trusted domain. Labels other than SEC_CHAN_DOMAIN are not
	 * printed; the log text of each branch names its type. */
	switch (sec_chan_type) {
		if (!(acct_ctrl & ACB_SVRTRUST)) {
			DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
				 "but not a server trust account\n", mach_acct));
			TALLOC_FREE(sampass);
			return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
		if (!(acct_ctrl & ACB_WSTRUST)) {
			DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
				 "but not a workstation trust account\n", mach_acct));
			TALLOC_FREE(sampass);
			return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
	case SEC_CHAN_DOMAIN:
		if (!(acct_ctrl & ACB_DOMTRUST)) {
			DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
				 "but not a interdomain trust account\n", mach_acct));
			TALLOC_FREE(sampass);
			return NT_STATUS_NO_TRUST_SAM_ACCOUNT;

	if ((pass = pdb_get_nt_passwd(sampass)) == NULL) {
		DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct));
		TALLOC_FREE(sampass);
		return NT_STATUS_LOGON_FAILURE;

	/* Hand the NT hash to the caller. */
	memcpy(md4pw, pass, 16);
	/* NOTE(review): this writes the machine account's NT hash -- a
	 * credential-equivalent secret -- into the debug log whenever the
	 * log level is 5 or higher. Logs at that level must be treated as
	 * sensitive, or this dump should go. */
	dump_data(5, (uint8 *)md4pw, 16);

	*rid = pdb_get_user_rid(sampass);

	TALLOC_FREE(sampass);
/*************************************************************************
 _netr_ServerReqChallenge

 First leg of the netlogon secure-channel handshake: records the client's
 challenge and computer name in p->dc, generates an 8-byte random server
 challenge, returns it to the client and marks the challenge as sent.
 _netr_ServerAuthenticate and _netr_ServerAuthenticate3 refuse to run
 until challenge_sent is set.

 NOTE(review): the if/else around the p->dc allocation (printed lines
 413-422) is only partly printed: the log line says old state is cleared
 on a repeated request, but the statement doing so is not in the
 listing. The final return is not printed either. Braces are dropped;
 statements are reflowed as printed.
 *************************************************************************/
NTSTATUS _netr_ServerReqChallenge(pipes_struct *p,
				  struct netr_ServerReqChallenge *r)
	/* Credential state is parented on the pipe (p), not the per-call
	 * p->mem_ctx, so it presumably lives for the pipe's lifetime. */
	p->dc = TALLOC_ZERO_P(p, struct dcinfo);
		return NT_STATUS_NO_MEMORY;

	DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));

	/* computer_name is client-supplied; fstrcpy() is Samba's
	 * fstring-bounded copy (truncation rather than overflow on an
	 * over-long name -- confirm that contract). */
	fstrcpy(p->dc->remote_machine, r->in.computer_name);

	/* Save the client challenge to the server. */
	memcpy(p->dc->clnt_chal.data, r->in.credentials->data,
	       sizeof(r->in.credentials->data));

	/* Create a server challenge for the client */
	/* Set this to a random value. */
	generate_random_buffer(p->dc->srv_chal.data, 8);

	/* set up the LSA REQUEST CHALLENGE response */
	init_net_r_req_chal(r->out.return_credentials, &p->dc->srv_chal);

	/* Gate checked by the ServerAuthenticate handlers. */
	p->dc->challenge_sent = True;
/*************************************************************************
 _netr_ServerAuthenticate
 Create the initial credentials.

 Second leg of the handshake for the original (un-numbered) opnum.
 Requires a prior ServerReqChallenge on this pipe, fetches the machine
 account's NT hash via get_md4pw(), derives the session key from the two
 challenges and the hash, verifies the client credential and, on success,
 binds the account and computer name to p->dc and returns the server
 credential.

 Compared with _netr_ServerAuthenticate3, note what this entry point does
 NOT do in what is printed: no 'server schannel' enforcement, no
 negotiate flags at all (creds_server_init() gets 0, so the strong
 128-bit key option is never applied), and no
 secrets_store_schannel_session_info() call, so the authenticated state
 is presumably not persisted beyond this pipe.

 NOTE(review): the status declaration, two get_md4pw() argument lines
 (458, 460), the remaining creds_server_init() arguments (474, 477-479;
 presumably including &srv_chal_out, which is otherwise never written in
 what is printed), the log arguments at 465-466 and 484, and the final
 return are absent from this listing. Braces are dropped.
 *************************************************************************/
NTSTATUS _netr_ServerAuthenticate(pipes_struct *p,
				  struct netr_ServerAuthenticate *r)
	struct netr_Credential srv_chal_out;

	/* Reject out-of-order calls: a challenge must have been issued on
	 * this pipe first. */
	if (!p->dc || !p->dc->challenge_sent) {
		return NT_STATUS_ACCESS_DENIED;

	status = get_md4pw((char *)p->dc->mach_pw,
			   /* [printed line 458 absent] */
			   r->in.secure_channel_type,
			   /* [printed line 460 absent] */
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0,("_netr_ServerAuthenticate: get_md4pw failed. Failed to "
			 "get password for machine account %s "
			 "from client %s: %s\n",
			 /* [printed lines 465-466 absent] */
			 nt_errstr(status) ));
		/* always return NT_STATUS_ACCESS_DENIED */
		/* One status for every get_md4pw() failure, so the wire does
		 * not reveal whether the account exists, is disabled or has
		 * the wrong trust type. */
		return NT_STATUS_ACCESS_DENIED;

	/* From the client / server challenges and md4 password, generate sess key */
	creds_server_init(0, /* No neg flags. */
			  /* [printed line 474 absent] */
			  &p->dc->clnt_chal, /* Stored client chal. */
			  &p->dc->srv_chal, /* Stored server chal. */
			  /* [printed lines 477-479 absent] */

	/* Check client credentials are valid. */
	/* This check is what actually authenticates the client; nothing is
	 * bound to the pipe before it passes. */
	if (!netlogon_creds_server_check(p->dc, r->in.credentials)) {
		DEBUG(0,("_netr_ServerAuthenticate: netlogon_creds_server_check failed. Rejecting auth "
			 "request from client %s machine account %s\n",
			 /* [printed line 484 absent] */
			 r->in.account_name));
		return NT_STATUS_ACCESS_DENIED;

	/* Bind the authenticated identity to the pipe state. */
	fstrcpy(p->dc->mach_acct, r->in.account_name);
	fstrcpy(p->dc->remote_machine, r->in.computer_name);
	p->dc->authenticated = True;

	/* set up the LSA AUTH response */
	/* Return the server credentials. */
	memcpy(r->out.return_credentials->data, &srv_chal_out.data,
	       sizeof(r->out.return_credentials->data));
/*************************************************************************
 _netr_ServerAuthenticate3

 Second leg of the handshake for ServerAuthenticate2 and
 ServerAuthenticate3 (the opnum switch picks the log name). Negotiates
 the capability flags, requires a prior ServerReqChallenge, optionally
 enforces schannel, fetches the machine account's NT hash, derives the
 session key with the negotiated flags, verifies the client credential,
 binds the account to p->dc and persists the credential state so later
 calls (and later connections) can restore it.

 Flag policy visible below: the server always offers ARCFOUR and the
 replication-related flags; NETLOGON_NEG_STRONG_KEYS only if the client
 asked for it; NETLOGON_NEG_SCHANNEL whenever 'server schannel' is not
 off. lp_server_schannel() is compared with both false and true, which
 suggests a third ("auto") value that advertises schannel without
 requiring it -- confirm.

 NOTE(review): the listing omits the declarations of srv_flgs, status
 and fn, the opnum switch's default label and break lines, the exit
 label the failure branches presumably jump to (each one sets status and
 then, in print, simply continues), the get_md4pw() and
 creds_server_init() argument lines (579, 581, 593, 596-598), one flag
 line at 534, part of the comment at 523-526, the
 secrets_store_schannel_session_info() arguments (621-623) and the final
 return. Whether the closing *r->out.negotiate_flags assignment is
 reached on failure, as the bug #6099 comment requires, cannot be
 confirmed from what is printed.
 *************************************************************************/
NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
				   struct netr_ServerAuthenticate3 *r)
	/* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
	 * so use a copy to avoid destroying the client values. */
	uint32_t in_neg_flags = *r->in.negotiate_flags;
	struct netr_Credential srv_chal_out;

	/* According to Microsoft (see bugid #6099)
	 * Windows 7 looks at the negotiate_flags
	 * returned in this structure *even if the
	 * call fails with access denied* ! So in order
	 * to allow Win7 to connect to a Samba NT style
	 * PDC we set the flags before we know if it's
	 * [rest of this comment, printed lines 523-526, absent] */
	srv_flgs = NETLOGON_NEG_ACCOUNT_LOCKOUT |
		   NETLOGON_NEG_PERSISTENT_SAMREPL |
		   NETLOGON_NEG_ARCFOUR |
		   NETLOGON_NEG_PROMOTION_COUNT |
		   NETLOGON_NEG_CHANGELOG_BDC |
		   NETLOGON_NEG_FULL_SYNC_REPL |
		   NETLOGON_NEG_MULTIPLE_SIDS |
		   /* [printed line 534 absent] */
		   NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL;

	/* Ensure we support strong (128-bit) keys. */
	/* Strong keys are opt-in by the client; a client that omits the
	 * flag gets the weaker derivation. */
	if (in_neg_flags & NETLOGON_NEG_STRONG_KEYS) {
		srv_flgs |= NETLOGON_NEG_STRONG_KEYS;

	if (lp_server_schannel() != false) {
		srv_flgs |= NETLOGON_NEG_SCHANNEL;

	switch (p->hdr_req.opnum) {
	case NDR_NETR_SERVERAUTHENTICATE2:
		fn = "_netr_ServerAuthenticate2";
	case NDR_NETR_SERVERAUTHENTICATE3:
		fn = "_netr_ServerAuthenticate3";
		/* [default label absent] */
		return NT_STATUS_INTERNAL_ERROR;

	/* We use this as the key to store the creds: */
	/* r->in.computer_name */

	if (!p->dc || !p->dc->challenge_sent) {
		DEBUG(0,("%s: no challenge sent to client %s\n", fn,
			 r->in.computer_name));
		status = NT_STATUS_ACCESS_DENIED;

	/* 'server schannel = yes': a client that did not offer schannel in
	 * its flags is refused here, before its credential is checked. */
	if ( (lp_server_schannel() == true) &&
	     ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {

		/* schannel must be used, but client did not offer it. */
		DEBUG(0,("%s: schannel required but client failed "
			 "to offer it. Client was %s\n",
			 fn, r->in.account_name));
		status = NT_STATUS_ACCESS_DENIED;

	status = get_md4pw((char *)p->dc->mach_pw,
			   /* [printed line 579 absent] */
			   r->in.secure_channel_type,
			   /* [printed line 581 absent] */
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0,("%s: failed to get machine password for "
			 /* [printed line 584, rest of the format string, absent] */
			 fn, r->in.account_name, nt_errstr(status) ));
		/* always return NT_STATUS_ACCESS_DENIED */
		/* Collapse every lookup failure to one status so the wire
		 * does not reveal which check failed. */
		status = NT_STATUS_ACCESS_DENIED;

	/* From the client / server challenges and md4 password, generate sess key */
	/* Unlike _netr_ServerAuthenticate, the negotiated flags (and so
	 * STRONG_KEYS, if offered) feed the key derivation. */
	creds_server_init(in_neg_flags,
			  /* [printed line 593 absent] */
			  &p->dc->clnt_chal, /* Stored client chal. */
			  &p->dc->srv_chal, /* Stored server chal. */
			  /* [printed lines 596-598 absent] */

	/* Check client credentials are valid. */
	if (!netlogon_creds_server_check(p->dc, r->in.credentials)) {
		DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
			 "request from client %s machine account %s\n",
			 fn, r->in.computer_name,
			 r->in.account_name));
		status = NT_STATUS_ACCESS_DENIED;

	/* set up the LSA AUTH 2 response */
	memcpy(r->out.return_credentials->data, &srv_chal_out.data,
	       sizeof(r->out.return_credentials->data));

	/* Bind the authenticated identity to the pipe state; all three are
	 * fstring-bounded copies. */
	fstrcpy(p->dc->mach_acct, r->in.account_name);
	fstrcpy(p->dc->remote_machine, r->in.computer_name);
	fstrcpy(p->dc->domain, lp_workgroup() );

	p->dc->authenticated = True;

	/* Store off the state so we can continue after client disconnect. */
	/* Keyed by computer_name (see above); the arguments are not printed. */
	secrets_store_schannel_session_info(p->mem_ctx,
					    /* [printed lines 621-623 absent] */

	status = NT_STATUS_OK;

	/* Reached on the success path in print; per the bug #6099 comment
	 * the failure paths are meant to end up here too. */
	*r->out.negotiate_flags = srv_flgs;
/*************************************************************************
 _netr_ServerAuthenticate2

 Thin adapter: copies every in/out member of the ServerAuthenticate2
 request into a netr_ServerAuthenticate3 request (the pointers are
 shared, not the data) and forwards it. _netr_ServerAuthenticate3 tells
 the two apart by p->hdr_req.opnum, so log messages still name this
 entry point.

 NOTE(review): braces are dropped by the listing; statements are
 reflowed as printed.
 *************************************************************************/
NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
				   struct netr_ServerAuthenticate2 *r)
	struct netr_ServerAuthenticate3 a;

	a.in.server_name = r->in.server_name;
	a.in.account_name = r->in.account_name;
	a.in.secure_channel_type = r->in.secure_channel_type;
	a.in.computer_name = r->in.computer_name;
	a.in.credentials = r->in.credentials;
	a.in.negotiate_flags = r->in.negotiate_flags;

	a.out.return_credentials = r->out.return_credentials;
	a.out.negotiate_flags = r->out.negotiate_flags;

	return _netr_ServerAuthenticate3(p, &a);
/*************************************************************************
 _netr_ServerPasswordSet

 Machine-account password change over the netlogon secure channel. The
 request is bound to the credential state restored for
 r->in.computer_name: the account that gets updated is p->dc->mach_acct
 (the one authenticated in ServerAuthenticate*), never a name taken from
 this request. The new NT hash arrives encrypted under the session key
 and is recovered with cred_hash3().

 Order of checks: schannel enforcement, restore of the saved credential
 state, authenticated flag, credential-chain step (per the log text a
 failed step rejects the request), then the account must exist, be a
 trust account and not be disabled. If the new hash equals the old one
 the passdb write is skipped.

 NOTE(review): the declarations of ret, old_pw, acct_ctrl and i, the
 checks of ret after secrets_restore_schannel_session_info() and
 pdb_getsampwnam() (691-693, 722-724), the other branch of the
 same-password comparison (758-761), the handling of the
 pdb_update_sam_account() status (781-783) and the final return are
 absent from this listing. Braces are dropped; statements are reflowed
 as printed.
 *************************************************************************/
NTSTATUS _netr_ServerPasswordSet(pipes_struct *p,
				 struct netr_ServerPasswordSet *r)
	NTSTATUS status = NT_STATUS_OK;
	fstring remote_machine;
	struct samu *sampass=NULL;
	/* Decrypted new NT hash. */
	unsigned char pwd[16];
	struct netr_Authenticator cred_out;

	DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));

	/* We need the remote machine name for the creds lookup. */
	fstrcpy(remote_machine, r->in.computer_name);

	if ( (lp_server_schannel() == True) && (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) ) {
		/* 'server schannel = yes' should enforce use of
		   schannel, the client did offer it in auth2, but
		   obviously did not use it. */
		DEBUG(0,("_netr_ServerPasswordSet: client %s not using schannel for netlogon\n",
			 /* [printed line 683 absent] */
		return NT_STATUS_ACCESS_DENIED;

	/* Restore the saved state of the netlogon creds. */
	ret = secrets_restore_schannel_session_info(p, remote_machine,
						    /* [printed lines 691-693 absent] */
		return NT_STATUS_INVALID_HANDLE;

	if (!p->dc || !p->dc->authenticated) {
		return NT_STATUS_INVALID_HANDLE;

	DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
		 remote_machine, p->dc->mach_acct));

	/* Step the creds chain forward. */
	/* Verifies r->in.credential against the chain and produces the
	 * reply authenticator in cred_out. */
	if (!netlogon_creds_server_step(p->dc, r->in.credential, &cred_out)) {
		DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
			 "request from client %s machine account %s\n",
			 remote_machine, p->dc->mach_acct));
		return NT_STATUS_INVALID_PARAMETER;

	/* We must store the creds state after an update. */
	sampass = samu_new( NULL );
		return NT_STATUS_NO_MEMORY;

	/* Stored before the passdb work; presumably so that a failure below
	 * still leaves the stepped chain on record. */
	secrets_store_schannel_session_info(p, remote_machine, p->dc);
	ret = pdb_getsampwnam(sampass, p->dc->mach_acct);
		/* [the check of ret, printed lines 722-724, absent] */
		TALLOC_FREE(sampass);
		return NT_STATUS_ACCESS_DENIED;

	/* Ensure the account exists and is a machine account. */
	acct_ctrl = pdb_get_acct_ctrl(sampass);

	if (!(acct_ctrl & ACB_WSTRUST ||
	      acct_ctrl & ACB_SVRTRUST ||
	      acct_ctrl & ACB_DOMTRUST)) {
		TALLOC_FREE(sampass);
		return NT_STATUS_NO_SUCH_USER;

	if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
		TALLOC_FREE(sampass);
		return NT_STATUS_ACCOUNT_DISABLED;

	/* Woah - what does this to to the credential chain ? JRA */
	/* Decrypt the client's new hash with the session key. */
	cred_hash3(pwd, r->in.new_password->hash, p->dc->sess_key, 0);

	/* NOTE(review): this hex-dumps the new machine password hash into
	 * the log at debug level 100. Credentials in log files are rarely
	 * worth the convenience; treat level-100 logs as secret or drop the
	 * dump. */
	DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
	for(i = 0; i < sizeof(pwd); i++)
		DEBUG(100,("%02X ", pwd[i]));

	old_pw = pdb_get_nt_passwd(sampass);

	if (old_pw && memcmp(pwd, old_pw, 16) == 0) {
		/* Avoid backend modifications and other fun if the
		   client changed the password to the *same thing* */

		/* [printed lines 758-761 absent: per the comment above, the
		 * writes below belong to the not-equal case] */

		/* LM password should be NULL for machines */
		if (!pdb_set_lanman_passwd(sampass, NULL, PDB_CHANGED)) {
			TALLOC_FREE(sampass);
			return NT_STATUS_NO_MEMORY;

		if (!pdb_set_nt_passwd(sampass, pwd, PDB_CHANGED)) {
			TALLOC_FREE(sampass);
			return NT_STATUS_NO_MEMORY;

		if (!pdb_set_pass_last_set_time(sampass, time(NULL), PDB_CHANGED)) {
			TALLOC_FREE(sampass);
			/* Not quite sure what this one qualifies as, but this will do */
			return NT_STATUS_UNSUCCESSFUL;

		status = pdb_update_sam_account(sampass);
		/* [handling of status, printed lines 781-783, absent] */

	/* set up the LSA Server Password Set response */
	/* Reply authenticator from the stepped chain. */
	memcpy(r->out.return_authenticator, &cred_out,
	       sizeof(*(r->out.return_authenticator)));

	TALLOC_FREE(sampass);
/*************************************************************************
 _netr_LogonSamLogoff

 Logoff notification from a member server. In what is printed it only
 enforces schannel, restores the credential state keyed by
 r->in.computer_name, checks it is authenticated, steps the credential
 chain (writing the reply authenticator straight into
 r->out.return_authenticator) and stores the state again; nothing
 printed acts on the logoff itself.

 NOTE(review): the declaration and check of ret (816-817, 820-821) and
 the final return are absent from this listing. Braces are dropped;
 statements are reflowed as printed.
 *************************************************************************/
NTSTATUS _netr_LogonSamLogoff(pipes_struct *p,
			      struct netr_LogonSamLogoff *r)
	if ( (lp_server_schannel() == True) && (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) ) {
		/* 'server schannel = yes' should enforce use of
		   schannel, the client did offer it in auth2, but
		   obviously did not use it. */
		DEBUG(0,("_netr_LogonSamLogoff: client %s not using schannel for netlogon\n",
			 get_remote_machine_name() ));
		return NT_STATUS_ACCESS_DENIED;

	/* Using the remote machine name for the creds store: */
	/* r->in.computer_name */

	/* Restore the saved state of the netlogon creds. */
	ret = secrets_restore_schannel_session_info(
		p, r->in.computer_name, &p->dc);
		/* [the check of ret, printed lines 820-821, absent] */
		return NT_STATUS_INVALID_HANDLE;

	if (!p->dc || !p->dc->authenticated) {
		return NT_STATUS_INVALID_HANDLE;

	/* checks and updates credentials. creates reply credentials */
	if (!netlogon_creds_server_step(p->dc, r->in.credential, r->out.return_authenticator)) {
		DEBUG(2,("_netr_LogonSamLogoff: netlogon_creds_server_step failed. Rejecting auth "
			 "request from client %s machine account %s\n",
			 r->in.computer_name, p->dc->mach_acct));
		return NT_STATUS_INVALID_PARAMETER;

	/* We must store the creds state after an update. */
	secrets_store_schannel_session_info(p, r->in.computer_name, p->dc);
/*************************************************************************
 _netr_LogonSamLogon

 Authenticates a user on behalf of a member server, for both the
 LogonSamLogon and LogonSamLogonEx opnums (process_creds tells them
 apart: only the former carries the netlogon credential chain). Two
 logon levels are supported: network (LM/NT responses against the
 client-supplied challenge) and interactive (LM/NT hashes encrypted
 under the session key, converted to a server-generated challenge/
 response for the auth subsystem). The result lands in
 r->out.validation->sam3 with *r->out.authoritative set.

 Security-relevant behaviour visible below:
  - 'server schannel = yes' refuses non-schannel p up front.
  - validation_level other than 2 or 3 is rejected.
  - the credential chain is restored by r->in.computer_name, stepped
    (rejecting a bad authenticator) and stored again.
  - an unknown user in a domain that is neither ours nor trusted turns
    the reply non-authoritative instead of failing, so the client can
    fall back to a local account (bug #2976).
  - guest logons are refused with NT_STATUS_LOGON_FAILURE.
  - the 16-byte pipe session key handed to serverinfo_to_SamInfo3()
    comes from the credential chain for LogonSamLogon and from the
    schannel binding for LogonSamLogonEx (which must therefore be on a
    schannel pipe); presumably it protects key material in the reply.

 NOTE(review): this listing omits the declarations of fn and chal, the
 `if (process_creds)` that presumably brackets the restore/step/store
 block (the printed numbering jumps 898-899 and 935-936 around it; the
 Ex adapter never sets a credential, so the chain must be skipped for
 it), the ret check (913-914), several fstrcpy()/argument lines in the
 logon-level switches (939, 941, 949, 951, 1018, 1020, 1023), the error
 returns at 980-982, 1011-1013 and 1057-1059, the `else` at 1075 and the
 final returns. Braces, labels and break lines are dropped; statements
 are reflowed as printed.
 *************************************************************************/
NTSTATUS _netr_LogonSamLogon(pipes_struct *p,
			     struct netr_LogonSamLogon *r)
	NTSTATUS status = NT_STATUS_OK;
	struct netr_SamInfo3 *sam3 = NULL;
	union netr_LogonLevel *logon = r->in.logon;
	fstring nt_username, nt_domain, nt_workstation;
	auth_usersupplied_info *user_info = NULL;
	auth_serversupplied_info *server_info = NULL;
	struct auth_context *auth_context = NULL;
	uint8_t pipe_session_key[16];
	/* true: netlogon credential chaining is in use (plain LogonSamLogon). */
	bool process_creds = true;

	switch (p->hdr_req.opnum) {
	case NDR_NETR_LOGONSAMLOGON:
		process_creds = true;
		fn = "_netr_LogonSamLogon";
	case NDR_NETR_LOGONSAMLOGONEX:
		fn = "_netr_LogonSamLogonEx";
		/* [default label absent] */
		process_creds = false;

	if ( (lp_server_schannel() == True) && (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) ) {
		/* 'server schannel = yes' should enforce use of
		   schannel, the client did offer it in auth2, but
		   obviously did not use it. */
		DEBUG(0,("%s: client %s not using schannel for netlogon\n",
			 fn, get_remote_machine_name() ));
		return NT_STATUS_ACCESS_DENIED;

	sam3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo3);
		return NT_STATUS_NO_MEMORY;

	/* store the user information, if there is any. */
	r->out.validation->sam3 = sam3;
	*r->out.authoritative = true; /* authoritative response */
	if (r->in.validation_level != 2 && r->in.validation_level != 3) {
		DEBUG(0,("%s: bad validation_level value %d.\n",
			 fn, (int)r->in.validation_level));
		return NT_STATUS_INVALID_INFO_CLASS;

	/* Get the remote machine name for the creds store. */
	/* Note this is the remote machine this request is coming from (member server),
	   not necessarily the workstation name the user is logging onto.
	   [rest of this comment, printed lines 904-906, absent] */

	/* Restore the saved state of the netlogon creds. */
	ret = secrets_restore_schannel_session_info(
		p, r->in.computer_name, &p->dc);
		/* [the check of ret, printed lines 913-914, absent] */
		return NT_STATUS_INVALID_HANDLE;

	if (!p->dc || !p->dc->authenticated) {
		return NT_STATUS_INVALID_HANDLE;

	/* checks and updates credentials. creates reply credentials */
	if (!netlogon_creds_server_step(p->dc, r->in.credential, r->out.return_authenticator)) {
		DEBUG(2,("%s: creds_server_step failed. Rejecting auth "
			 "request from client %s machine account %s\n",
			 fn, r->in.computer_name, p->dc->mach_acct));
		return NT_STATUS_INVALID_PARAMETER;

	/* We must store the creds state after an update. */
	secrets_store_schannel_session_info(p, r->in.computer_name, p->dc);

	/* Pull user, domain and workstation out of the level-specific
	 * identity_info. The fstrcpy(nt_username, / fstrcpy(nt_domain,
	 * heads (939, 941, 949, 951) are not printed. */
	switch (r->in.logon_level) {
	case NetlogonInteractiveInformation:
			logon->password->identity_info.account_name.string);
			logon->password->identity_info.domain_name.string);
		fstrcpy(nt_workstation,
			logon->password->identity_info.workstation.string);

		DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
	case NetlogonNetworkInformation:
			logon->network->identity_info.account_name.string);
			logon->network->identity_info.domain_name.string);
		fstrcpy(nt_workstation,
			logon->network->identity_info.workstation.string);

		DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
		/* [default label absent] */
		DEBUG(2,("SAM Logon: unsupported switch value\n"));
		return NT_STATUS_INVALID_INFO_CLASS;

	DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username, nt_workstation, nt_domain));
	/* Publish the (unmapped) name process-wide; sub_set_smb_name()
	 * presumably feeds the smb.conf substitution machinery -- confirm. */
	fstrcpy(current_user_info.smb_name, nt_username);
	sub_set_smb_name(nt_username);

	DEBUG(5,("Attempting validation level %d for unmapped username %s.\n",
		 r->in.validation_level, nt_username));

	status = NT_STATUS_OK;

	switch (r->in.logon_level) {
	case NetlogonNetworkInformation:
		const char *wksname = nt_workstation;

		/* logon->network->challenge is the challenge the responses
		 * were computed against; the auth context is built on it. */
		status = make_auth_context_fixed(&auth_context,
						 logon->network->challenge);
		if (!NT_STATUS_IS_OK(status)) {
			/* [printed lines 980-982 absent] */

		/* For a network logon, the workstation name comes in with two
		 * backslashes in the front. Strip them if they are there. */
		if (*wksname == '\\') wksname++;
		if (*wksname == '\\') wksname++;

		/* Standard challenge/response authentication */
		if (!make_user_info_netlogon_network(&user_info,
						     nt_username, nt_domain,
						     /* [printed line 992 absent] */
						     logon->network->identity_info.parameter_control,
						     logon->network->lm.data,
						     logon->network->lm.length,
						     logon->network->nt.data,
						     logon->network->nt.length)) {
			status = NT_STATUS_NO_MEMORY;
	case NetlogonInteractiveInformation:
		/* 'Interactive' authentication, supplies the password in its
		   MD4 form, encrypted with the session key. We will convert
		   this to challenge/response for the auth subsystem to chew
		   [rest of this comment, printed lines 1006-1009, absent] */
		if (!NT_STATUS_IS_OK(status = make_auth_context_subsystem(&auth_context))) {
			/* [printed lines 1011-1013 absent] */

		/* Server-generated challenge; chal's declaration is not printed. */
		auth_context->get_ntlm_challenge(auth_context, chal);

		if (!make_user_info_netlogon_interactive(&user_info,
							 nt_username, nt_domain,
							 /* [printed line 1018 absent] */
							 logon->password->identity_info.parameter_control,
							 /* [printed line 1020 absent] */
							 logon->password->lmpassword.hash,
							 logon->password->ntpassword.hash,
							 /* [printed line 1023 absent] */
			status = NT_STATUS_NO_MEMORY;
		/* [default label absent] */
		DEBUG(2,("SAM Logon: unsupported switch value\n"));
		return NT_STATUS_INVALID_INFO_CLASS;

	if ( NT_STATUS_IS_OK(status) ) {
		status = auth_context->check_ntlm_password(auth_context,
							   user_info, &server_info);

	/* Tear down the auth context and user info regardless of outcome. */
	(auth_context->free)(&auth_context);
	free_user_info(&user_info);

	DEBUG(5,("%s: check_password returned status %s\n",
		 fn, nt_errstr(status)));

	/* Check account and password */

	if (!NT_STATUS_IS_OK(status)) {
		/* If we don't know what this domain is, we need to
		   indicate that we are not authoritative. This
		   allows the client to decide if it needs to try
		   a local user. Fix by jpjanosi@us.ibm.com, #2976 */
		if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
		     && !strequal(nt_domain, get_global_sam_name())
		     && !is_trusted_domain(nt_domain) )
			*r->out.authoritative = false; /* We are not authoritative */

		TALLOC_FREE(server_info);
		/* [printed lines 1057-1059 absent] */

	if (server_info->guest) {
		/* We don't like guest domain logons... */
		DEBUG(5,("%s: Attempted domain logon as GUEST "
			 /* [printed line 1063 absent] */
		TALLOC_FREE(server_info);
		return NT_STATUS_LOGON_FAILURE;

	/* This is the point at which, if the login was successful, that
	   the SAM Local Security Authority should record that the user is
	   logged in to the domain. */

	if (process_creds) {
		/* Get the pipe session key from the creds. */
		memcpy(pipe_session_key, p->dc->sess_key, 16);
		/* [the `else`, printed line 1075, absent] */
		/* Get the pipe session key from the schannel. */
		if ((p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL)
		    || (p->auth.a_u.schannel_auth == NULL)) {
			return NT_STATUS_INVALID_HANDLE;
		memcpy(pipe_session_key, p->auth.a_u.schannel_auth->sess_key, 16);

	/* Build the SamInfo3 reply; the 16-byte pipe session key presumably
	 * protects the key material it carries -- confirm. */
	status = serverinfo_to_SamInfo3(server_info, pipe_session_key, 16, sam3);
	TALLOC_FREE(server_info);
/*************************************************************************
 _netr_LogonSamLogonEx
 - no credential chaining. Map into net sam logon.

 Only accepted on a schannel-protected pipe: no credential/authenticator
 is carried, so the pipe binding is the only thing authenticating the
 caller. The refusal is NT_STATUS_INVALID_PARAMETER rather than the
 ACCESS_DENIED the other handlers use for the same condition. Builds a
 netr_LogonSamLogon request sharing the caller's in/out pointers and
 forwards it; q.in.credential and q.out.return_authenticator are left
 unset and the flags are ignored. _netr_LogonSamLogon still sees
 NDR_NETR_LOGONSAMLOGONEX in p->hdr_req.opnum, which is how it knows to
 skip the credential chain.

 NOTE(review): braces are dropped by the listing; statements are
 reflowed as printed.
 *************************************************************************/
NTSTATUS _netr_LogonSamLogonEx(pipes_struct *p,
			       struct netr_LogonSamLogonEx *r)
	struct netr_LogonSamLogon q;

	/* Only allow this if the pipe is protected. */
	if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
		DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
			 get_remote_machine_name() ));
		return NT_STATUS_INVALID_PARAMETER;

	q.in.server_name = r->in.server_name;
	q.in.computer_name = r->in.computer_name;
	q.in.logon_level = r->in.logon_level;
	q.in.logon = r->in.logon;
	q.in.validation_level = r->in.validation_level;
	/* we do not handle the flags */
	/* = r->in.flags; */

	q.out.validation = r->out.validation;
	q.out.authoritative = r->out.authoritative;
	/* we do not handle the flags */
	/* = r->out.flags; */

	return _netr_LogonSamLogon(p, &q);
1122 /*************************************************************************
1124 *************************************************************************/
1125 #if 0 /* JERRY -- not correct */
1126 NTSTATUS
_ds_enum_dom_trusts(pipes_struct
*p
, DS_Q_ENUM_DOM_TRUSTS
*q_u
,
1127 DS_R_ENUM_DOM_TRUSTS
*r_u
)
1129 NTSTATUS status
= NT_STATUS_OK
;
1131 /* TODO: According to MSDN, the can only be executed against a
1132 DC or domain member running Windows 2000 or later. Need
1133 to test against a standalone 2k server and see what it
1134 does. A windows 2000 DC includes its own domain in the
/****************************************************************
 _netr_LogonUasLogon: not implemented. Sets the pipe's range-fault state
 (presumably so the RPC layer answers with an opnum-range fault --
 confirm) and reports WERR_NOT_SUPPORTED. Braces are dropped by the
 listing.
 ****************************************************************/
WERROR _netr_LogonUasLogon(pipes_struct *p,
			   struct netr_LogonUasLogon *r)
	p->rng_fault_state = true;
	return WERR_NOT_SUPPORTED;
1152 /****************************************************************
1153 ****************************************************************/
/****************************************************************
 _netr_LogonUasLogoff - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_LogonUasLogoff(pipes_struct *p,
			    struct netr_LogonUasLogoff *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1162 /****************************************************************
1163 ****************************************************************/
/****************************************************************
 _netr_DatabaseDeltas - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the NTSTATUS (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

NTSTATUS _netr_DatabaseDeltas(pipes_struct *p,
			      struct netr_DatabaseDeltas *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1172 /****************************************************************
1173 ****************************************************************/
/****************************************************************
 _netr_DatabaseSync - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the NTSTATUS (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

NTSTATUS _netr_DatabaseSync(pipes_struct *p,
			    struct netr_DatabaseSync *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1182 /****************************************************************
1183 ****************************************************************/
/****************************************************************
 _netr_AccountDeltas - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the NTSTATUS (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

NTSTATUS _netr_AccountDeltas(pipes_struct *p,
			     struct netr_AccountDeltas *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1192 /****************************************************************
1193 ****************************************************************/
/****************************************************************
 _netr_AccountSync - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the NTSTATUS (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

NTSTATUS _netr_AccountSync(pipes_struct *p,
			   struct netr_AccountSync *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1202 /****************************************************************
1203 ****************************************************************/
/****************************************************************
 _netr_GetDcName - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_GetDcName(pipes_struct *p,
		       struct netr_GetDcName *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1212 /****************************************************************
1213 ****************************************************************/
/****************************************************************
 _netr_GetAnyDCName - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_GetAnyDCName(pipes_struct *p,
			  struct netr_GetAnyDCName *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1222 /****************************************************************
1223 ****************************************************************/
/****************************************************************
 _netr_DatabaseSync2 - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the NTSTATUS (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

NTSTATUS _netr_DatabaseSync2(pipes_struct *p,
			     struct netr_DatabaseSync2 *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1232 /****************************************************************
1233 ****************************************************************/
/****************************************************************
 _netr_DatabaseRedo - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the NTSTATUS (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

NTSTATUS _netr_DatabaseRedo(pipes_struct *p,
			    struct netr_DatabaseRedo *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1242 /****************************************************************
1243 ****************************************************************/
/****************************************************************
 _netr_DsRGetDCName - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_DsRGetDCName(pipes_struct *p,
			  struct netr_DsRGetDCName *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1252 /****************************************************************
1253 ****************************************************************/
/****************************************************************
 _netr_LogonGetCapabilities - not implemented.
 NOTE(review): unlike the other stubs in this file this one does NOT
 set p->rng_fault_state, so the client gets a marshalled
 NT_STATUS_NOT_IMPLEMENTED reply rather than a DCERPC fault.  That looks
 deliberate (client compatibility) — keep it unless the difference has
 been verified against real clients.  Neither p nor r is read.
 ****************************************************************/

NTSTATUS _netr_LogonGetCapabilities(pipes_struct *p,
				    struct netr_LogonGetCapabilities *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)p; /* intentionally no rng_fault_state here */
	(void)r; /* no request fields are consumed */

	return status;
}
1261 /****************************************************************
1262 ****************************************************************/
/****************************************************************
 _netr_NETRLOGONSETSERVICEBITS - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_NETRLOGONSETSERVICEBITS(pipes_struct *p,
				     struct netr_NETRLOGONSETSERVICEBITS *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1271 /****************************************************************
1272 ****************************************************************/
/****************************************************************
 _netr_LogonGetTrustRid - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_LogonGetTrustRid(pipes_struct *p,
			      struct netr_LogonGetTrustRid *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1281 /****************************************************************
1282 ****************************************************************/
/****************************************************************
 _netr_NETRLOGONCOMPUTESERVERDIGEST - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_NETRLOGONCOMPUTESERVERDIGEST(pipes_struct *p,
					  struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1291 /****************************************************************
1292 ****************************************************************/
/****************************************************************
 _netr_NETRLOGONCOMPUTECLIENTDIGEST - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_NETRLOGONCOMPUTECLIENTDIGEST(pipes_struct *p,
					  struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1301 /****************************************************************
1302 ****************************************************************/
/****************************************************************
 _netr_DsRGetDCNameEx - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_DsRGetDCNameEx(pipes_struct *p,
			    struct netr_DsRGetDCNameEx *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1311 /****************************************************************
1312 ****************************************************************/
/****************************************************************
 _netr_DsRGetSiteName - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_DsRGetSiteName(pipes_struct *p,
			    struct netr_DsRGetSiteName *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1321 /****************************************************************
1322 ****************************************************************/
/****************************************************************
 _netr_LogonGetDomainInfo - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the NTSTATUS (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

NTSTATUS _netr_LogonGetDomainInfo(pipes_struct *p,
				  struct netr_LogonGetDomainInfo *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1331 /****************************************************************
1332 ****************************************************************/
/****************************************************************
 _netr_ServerPasswordSet2 - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the NTSTATUS (confirm in the pipe
 layer); r is not read, so no machine-password change can happen here.
 ****************************************************************/

NTSTATUS _netr_ServerPasswordSet2(pipes_struct *p,
				  struct netr_ServerPasswordSet2 *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1341 /****************************************************************
1342 ****************************************************************/
/****************************************************************
 _netr_ServerPasswordGet - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read, so no password material is ever returned.
 ****************************************************************/

WERROR _netr_ServerPasswordGet(pipes_struct *p,
			       struct netr_ServerPasswordGet *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1351 /****************************************************************
1352 ****************************************************************/
/****************************************************************
 _netr_NETRLOGONSENDTOSAM - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_NETRLOGONSENDTOSAM(pipes_struct *p,
				struct netr_NETRLOGONSENDTOSAM *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1361 /****************************************************************
1362 ****************************************************************/
/****************************************************************
 _netr_DsRAddressToSitenamesW - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_DsRAddressToSitenamesW(pipes_struct *p,
				    struct netr_DsRAddressToSitenamesW *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1371 /****************************************************************
1372 ****************************************************************/
/****************************************************************
 _netr_DsRGetDCNameEx2 - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_DsRGetDCNameEx2(pipes_struct *p,
			     struct netr_DsRGetDCNameEx2 *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1381 /****************************************************************
1382 ****************************************************************/
/****************************************************************
 _netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(pipes_struct *p,
						 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1391 /****************************************************************
1392 ****************************************************************/
/****************************************************************
 _netr_NetrEnumerateTrustedDomainsEx - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_NetrEnumerateTrustedDomainsEx(pipes_struct *p,
					   struct netr_NetrEnumerateTrustedDomainsEx *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1401 /****************************************************************
1402 ****************************************************************/
/****************************************************************
 _netr_DsRAddressToSitenamesExW - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_DsRAddressToSitenamesExW(pipes_struct *p,
				      struct netr_DsRAddressToSitenamesExW *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1411 /****************************************************************
1412 ****************************************************************/
/****************************************************************
 _netr_DsrGetDcSiteCoverageW - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_DsrGetDcSiteCoverageW(pipes_struct *p,
				   struct netr_DsrGetDcSiteCoverageW *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1421 /****************************************************************
1422 ****************************************************************/
/****************************************************************
 _netr_DsrEnumerateDomainTrusts - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_DsrEnumerateDomainTrusts(pipes_struct *p,
				      struct netr_DsrEnumerateDomainTrusts *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1431 /****************************************************************
1432 ****************************************************************/
/****************************************************************
 _netr_DsrDeregisterDNSHostRecords - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_DsrDeregisterDNSHostRecords(pipes_struct *p,
					 struct netr_DsrDeregisterDNSHostRecords *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1441 /****************************************************************
1442 ****************************************************************/
/****************************************************************
 _netr_ServerTrustPasswordsGet - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the NTSTATUS (confirm in the pipe
 layer); r is not read, so no trust-password material is returned.
 ****************************************************************/

NTSTATUS _netr_ServerTrustPasswordsGet(pipes_struct *p,
				       struct netr_ServerTrustPasswordsGet *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1451 /****************************************************************
1452 ****************************************************************/
/****************************************************************
 _netr_DsRGetForestTrustInformation - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_DsRGetForestTrustInformation(pipes_struct *p,
					  struct netr_DsRGetForestTrustInformation *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1461 /****************************************************************
1462 ****************************************************************/
/****************************************************************
 _netr_GetForestTrustInformation - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the WERROR (confirm in the pipe
 layer); r is not read.
 ****************************************************************/

WERROR _netr_GetForestTrustInformation(pipes_struct *p,
				       struct netr_GetForestTrustInformation *r)
{
	WERROR status = WERR_NOT_SUPPORTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1471 /****************************************************************
1472 ****************************************************************/
/****************************************************************
 _netr_LogonSamLogonWithFlags - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the NTSTATUS (confirm in the pipe
 layer); r is not read, so no logon validation is performed here.
 ****************************************************************/

NTSTATUS _netr_LogonSamLogonWithFlags(pipes_struct *p,
				      struct netr_LogonSamLogonWithFlags *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}
1481 /****************************************************************
1482 ****************************************************************/
/****************************************************************
 _netr_ServerGetTrustInfo - not implemented.
 Sets rng_fault_state so the pipe dispatcher presumably answers with a
 DCERPC fault instead of marshalling the NTSTATUS (confirm in the pipe
 layer); r is not read, so no trust secrets are returned.
 ****************************************************************/

NTSTATUS _netr_ServerGetTrustInfo(pipes_struct *p,
				  struct netr_ServerGetTrustInfo *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r; /* no request fields are consumed */

	p->rng_fault_state = true;

	return status;
}