2 Unix SMB/CIFS implementation.
4 Do a netr_LogonSamLogon to a remote DC
6 Copyright (C) Volker Lendecke 2005
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
8 Copyright (C) Stefan Metzmacher 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/composite/composite.h"
26 #include "winbind/wb_server.h"
27 #include "smbd/service_task.h"
28 #include "auth/credentials/credentials.h"
29 #include "libcli/auth/libcli_auth.h"
30 #include "librpc/gen_ndr/ndr_netlogon.h"
31 #include "librpc/gen_ndr/ndr_netlogon_c.h"
32 #include "librpc/gen_ndr/winbind.h"
34 struct wb_sam_logon_state
{
35 struct composite_context
*ctx
;
37 struct winbind_SamLogon
*req
;
39 struct netlogon_creds_CredentialState
*creds_state
;
40 struct netr_Authenticator auth1
, auth2
;
42 TALLOC_CTX
*r_mem_ctx
;
43 struct netr_LogonSamLogon r
;
46 static void wb_sam_logon_recv_domain(struct composite_context
*ctx
);
47 static void wb_sam_logon_recv_samlogon(struct rpc_request
*req
);
50 Find the connection to the DC (or find an existing connection)
52 struct composite_context
*wb_sam_logon_send(TALLOC_CTX
*mem_ctx
,
53 struct wbsrv_service
*service
,
54 struct winbind_SamLogon
*req
)
56 struct composite_context
*c
, *creq
;
57 struct wb_sam_logon_state
*s
;
59 c
= composite_create(mem_ctx
, service
->task
->event_ctx
);
62 s
= talloc_zero(c
, struct wb_sam_logon_state
);
63 if (composite_nomem(s
, c
)) return c
;
69 creq
= wb_sid2domain_send(s
, service
, service
->primary_sid
);
70 composite_continue(c
, creq
, wb_sam_logon_recv_domain
, s
);
75 Having finished making the connection to the DC
76 Send of a SamLogon request to authenticate a user.
78 static void wb_sam_logon_recv_domain(struct composite_context
*creq
)
80 struct wb_sam_logon_state
*s
= talloc_get_type(creq
->async
.private_data
,
81 struct wb_sam_logon_state
);
82 struct rpc_request
*req
;
83 struct wbsrv_domain
*domain
;
85 s
->ctx
->status
= wb_sid2domain_recv(creq
, &domain
);
86 if (!composite_is_ok(s
->ctx
)) return;
88 s
->creds_state
= cli_credentials_get_netlogon_creds(domain
->libnet_ctx
->cred
);
89 netlogon_creds_client_authenticator(s
->creds_state
, &s
->auth1
);
91 s
->r
.in
.server_name
= talloc_asprintf(s
, "\\\\%s",
92 dcerpc_server_name(domain
->netlogon_pipe
));
93 if (composite_nomem(s
->r
.in
.server_name
, s
->ctx
)) return;
95 s
->r
.in
.computer_name
= cli_credentials_get_workstation(domain
->libnet_ctx
->cred
);
96 s
->r
.in
.credential
= &s
->auth1
;
97 s
->r
.in
.return_authenticator
= &s
->auth2
;
98 s
->r
.in
.logon_level
= s
->req
->in
.logon_level
;
99 s
->r
.in
.logon
= &s
->req
->in
.logon
;
100 s
->r
.in
.validation_level
= s
->req
->in
.validation_level
;
101 s
->r
.out
.return_authenticator
= NULL
;
102 s
->r
.out
.validation
= talloc(s
, union netr_Validation
);
103 if (composite_nomem(s
->r
.out
.validation
, s
->ctx
)) return;
104 s
->r
.out
.authoritative
= talloc(s
, uint8_t);
105 if (composite_nomem(s
->r
.out
.authoritative
, s
->ctx
)) return;
109 * use a new talloc context for the LogonSamLogon call
110 * because then we can just to a talloc_steal on this context
111 * in the final _recv() function to give the caller all the content of
112 * the s->r.out.validation
114 s
->r_mem_ctx
= talloc_new(s
);
115 if (composite_nomem(s
->r_mem_ctx
, s
->ctx
)) return;
117 req
= dcerpc_netr_LogonSamLogon_send(domain
->netlogon_pipe
, s
->r_mem_ctx
, &s
->r
);
118 composite_continue_rpc(s
->ctx
, req
, wb_sam_logon_recv_samlogon
, s
);
124 Check the SamLogon reply and decrypt the session keys
126 static void wb_sam_logon_recv_samlogon(struct rpc_request
*req
)
128 struct wb_sam_logon_state
*s
= talloc_get_type(req
->async
.private_data
,
129 struct wb_sam_logon_state
);
131 s
->ctx
->status
= dcerpc_ndr_request_recv(req
);
132 if (!composite_is_ok(s
->ctx
)) return;
134 s
->ctx
->status
= s
->r
.out
.result
;
135 if (!composite_is_ok(s
->ctx
)) return;
137 if ((s
->r
.out
.return_authenticator
== NULL
) ||
138 (!netlogon_creds_client_check(s
->creds_state
,
139 &s
->r
.out
.return_authenticator
->cred
))) {
140 DEBUG(0, ("Credentials check failed!\n"));
141 composite_error(s
->ctx
, NT_STATUS_ACCESS_DENIED
);
145 /* Decrypt the session keys before we reform the info3, so the
146 * person on the other end of winbindd pipe doesn't have to.
147 * They won't have the encryption key anyway */
148 netlogon_creds_decrypt_samlogon(s
->creds_state
,
149 s
->r
.in
.validation_level
,
150 s
->r
.out
.validation
);
152 composite_done(s
->ctx
);
155 NTSTATUS
wb_sam_logon_recv(struct composite_context
*c
,
157 struct winbind_SamLogon
*req
)
159 struct wb_sam_logon_state
*s
= talloc_get_type(c
->private_data
,
160 struct wb_sam_logon_state
);
161 NTSTATUS status
= composite_wait(c
);
163 if (NT_STATUS_IS_OK(status
)) {
164 talloc_steal(mem_ctx
, s
->r_mem_ctx
);
165 req
->out
.validation
= *s
->r
.out
.validation
;
166 req
->out
.authoritative
= 1;