source4/winbind/wb_update_rodc_dns.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Do a netr_DsrUpdateReadOnlyServerDnsRecords to a remote DC
   5
   6    Copyright (C) Andrew Bartlett 2010
   7    Copyright (C) Andrew Tridgell 2010
   8
   9    based heavily on wb_sam_logon.c which is copyright:
  10
  11    Copyright (C) Volker Lendecke 2005
  12    Copyright (C) Andrew Bartlett 2005
  13    Copyright (C) Stefan Metzmacher 2006
  14
  15    This program is free software; you can redistribute it and/or modify
  16    it under the terms of the GNU General Public License as published by
  17    the Free Software Foundation; either version 3 of the License, or
  18    (at your option) any later version.
  19
  20    This program is distributed in the hope that it will be useful,
  21    but WITHOUT ANY WARRANTY; without even the implied warranty of
  22    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  23    GNU General Public License for more details.
  24
  25    You should have received a copy of the GNU General Public License
  26    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  27 */
  28
  29 #include "includes.h"
  30 #include <tevent.h>
  31 #include "../lib/util/tevent_ntstatus.h"
  32 #include "libcli/composite/composite.h"
  33 #include "winbind/wb_server.h"
  34 #include "smbd/service_task.h"
  35 #include "auth/credentials/credentials.h"
  36 #include "libcli/auth/libcli_auth.h"
  37 #include "librpc/gen_ndr/ndr_netlogon_c.h"
  38 #include "librpc/gen_ndr/winbind.h"
  39
  40 struct wb_update_rodc_dns_state {
  41         struct tevent_context *ev;
  42
  43         struct winbind_DsrUpdateReadOnlyServerDnsRecords *req;
  44
  45         struct wbsrv_domain *domain;
  46         struct tevent_queue_entry *queue_entry;
  47         struct netlogon_creds_CredentialState *creds_state;
  48         struct netr_Authenticator auth1, auth2;
  49
  50         TALLOC_CTX *r_mem_ctx;
  51         struct netr_DsrUpdateReadOnlyServerDnsRecords r;
  52 };
  53
  54 static void wb_update_rodc_dns_recv_domain(struct composite_context *csubreq);
  55 static void wb_sam_logon_queue_trigger(struct tevent_req *req, void *priv);
  56 static void wb_update_rodc_dns_recv_response(struct tevent_req *subreq);
  57
  58 /*
  59     Find the connection to the DC (or find an existing connection)
  60 */
  61 struct tevent_req *wb_update_rodc_dns_send(TALLOC_CTX *mem_ctx,
  62                                            struct tevent_context *ev,
  63                                            struct wbsrv_service *service,
  64                                            struct winbind_DsrUpdateReadOnlyServerDnsRecords *_req)
  65 {
  66         struct tevent_req *req;
  67         struct wb_update_rodc_dns_state *state;
  68         struct composite_context *csubreq;
  69
  70         req = tevent_req_create(mem_ctx, &state,
  71                                 struct wb_update_rodc_dns_state);
  72         if (req == NULL) {
  73                 return NULL;
  74         }
  75         state->ev = ev;
  76         state->req = _req;
  77
  78         csubreq = wb_sid2domain_send(state, service, service->primary_sid);
  79         if (tevent_req_nomem(csubreq, req)) {
  80                 return tevent_req_post(req, ev);
  81         }
  82         csubreq->async.fn = wb_update_rodc_dns_recv_domain;
  83         csubreq->async.private_data = req;
  84
  85         return req;
  86 }
  87
  88 /*
  89     Having finished making the connection to the DC
  90     Send of a DsrUpdateReadOnlyServerDnsRecords request to authenticate a user.
  91 */
  92 static void wb_update_rodc_dns_recv_domain(struct composite_context *csubreq)
  93 {
  94         struct tevent_req *req =
  95                 talloc_get_type_abort(csubreq->async.private_data,
  96                 struct tevent_req);
  97         struct wb_update_rodc_dns_state *state =
  98                 tevent_req_data(req,
  99                 struct wb_update_rodc_dns_state);
 100         NTSTATUS status;
 101         struct tevent_queue_entry *e;
 102
 103         status = wb_sid2domain_recv(csubreq, &state->domain);
 104         if (tevent_req_nterror(req, status)) {
 105                 return;
 106         }
 107
 108         /*
 109          * Because of the netlogon_creds behavior we have to
 110          * queue the netr_LogonSamLogon() calls
 111          */
 112         e = tevent_queue_add_entry(state->domain->netlogon_queue,
 113                                    state->ev,
 114                                    req,
 115                                    wb_sam_logon_queue_trigger,
 116                                    NULL);
 117         state->queue_entry = e;
 118 }
 119
 120 static void wb_sam_logon_queue_trigger(struct tevent_req *req, void *priv)
 121 {
 122         struct wb_update_rodc_dns_state *state =
 123                 tevent_req_data(req,
 124                 struct wb_update_rodc_dns_state);
 125         struct wbsrv_domain *domain = state->domain;
 126         struct tevent_req *subreq;
 127
 128         state->creds_state = cli_credentials_get_netlogon_creds(domain->libnet_ctx->cred);
 129         netlogon_creds_client_authenticator(state->creds_state, &state->auth1);
 130
 131         state->r.in.server_name = talloc_asprintf(state, "\\\\%s",
 132                               dcerpc_server_name(domain->netlogon_pipe));
 133         if (tevent_req_nomem(state->r.in.server_name, req)) {
 134                 return;
 135         }
 136
 137         state->r.in.computer_name = cli_credentials_get_workstation(domain->libnet_ctx->cred);
 138         state->r.in.credential = &state->auth1;
 139         state->r.out.return_authenticator = &state->auth2;
 140         state->r.in.site_name = state->req->in.site_name;
 141         state->r.in.dns_ttl = state->req->in.dns_ttl;
 142         state->r.in.dns_names = state->req->in.dns_names;
 143         state->r.out.dns_names = state->req->in.dns_names;
 144
 145         /*
 146          * use a new talloc context for the DsrUpdateReadOnlyServerDnsRecords call
 147          * because then we can just to a talloc_steal on this context
 148          * in the final _recv() function to give the caller all the content of
 149          * the s->r.out.dns_names
 150          */
 151         state->r_mem_ctx = talloc_new(state);
 152         if (tevent_req_nomem(state->r_mem_ctx, req)) {
 153                 return;
 154         }
 155
 156         subreq = dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords_r_send(state,
 157                                                 state->ev,
 158                                                 domain->netlogon_pipe->binding_handle,
 159                                                 &state->r);
 160         if (tevent_req_nomem(subreq, req)) {
 161                 return;
 162         }
 163         tevent_req_set_callback(subreq, wb_update_rodc_dns_recv_response, req);
 164 }
 165
 166 /*
 167    NTLM Authentication
 168
 169    Check the DsrUpdateReadOnlyServerDnsRecords reply and decrypt the session keys
 170 */
 171 static void wb_update_rodc_dns_recv_response(struct tevent_req *subreq)
 172 {
 173         struct tevent_req *req =
 174                 tevent_req_callback_data(subreq,
 175                 struct tevent_req);
 176         struct wb_update_rodc_dns_state *state =
 177                 tevent_req_data(req,
 178                 struct wb_update_rodc_dns_state);
 179         NTSTATUS status;
 180         bool ok;
 181
 182         status = dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords_r_recv(subreq,
 183                                                                 state->r_mem_ctx);
 184         TALLOC_FREE(subreq);
 185         if (tevent_req_nterror(req, status)) {
 186                 return;
 187         }
 188
 189         if (tevent_req_nterror(req, state->r.out.result)) {
 190                 return;
 191         }
 192
 193         if (state->r.out.return_authenticator == NULL) {
 194                 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
 195                 return;
 196         }
 197
 198         ok = netlogon_creds_client_check(state->creds_state,
 199                                 &state->r.out.return_authenticator->cred);
 200         if (!ok) {
 201                 DEBUG(0, ("Credentials check failed!\n"));
 202                 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
 203                 return;
 204         }
 205
 206         /*
 207          * we do not need the netlogon_creds lock anymore
 208          */
 209         TALLOC_FREE(state->queue_entry);
 210
 211         tevent_req_done(req);
 212 }
 213
 214 NTSTATUS wb_update_rodc_dns_recv(struct tevent_req *req,
 215                         TALLOC_CTX *mem_ctx,
 216                         struct winbind_DsrUpdateReadOnlyServerDnsRecords *_req)
 217 {
 218         struct wb_update_rodc_dns_state *state =
 219                 tevent_req_data(req,
 220                 struct wb_update_rodc_dns_state);
 221         NTSTATUS status;
 222
 223         if (tevent_req_is_nterror(req, &status)) {
 224                 tevent_req_received(req);
 225                 return status;
 226         }
 227
 228         talloc_steal(mem_ctx, state->r_mem_ctx);
 229         _req->out.dns_names = state->r.out.dns_names;
 230
 231         tevent_req_received(req);
 232         return NT_STATUS_OK;
 233 }