search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
format-subunit: Hide reason if it is None.
[Samba/eduardoll.git] / source3 / rpc_server / srv_netlog_nt.c
blobb41b3d10709a65b4517fb431cfde52b9ef4d9774
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997.
7 * Copyright (C) Jeremy Allison 1998-2001.
8 * Copyright (C) Andrew Bartlett 2001.
9 * Copyright (C) Guenther Deschner 2008-2009.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 */
24
25 /* This is the implementation of the netlogon pipe. */
26
27 #include "includes.h"
28 #include "../libcli/auth/schannel.h"
29 #include "../librpc/gen_ndr/srv_netlogon.h"
30
31 extern userdom_struct current_user_info;
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_RPC_SRV
35
36 struct netlogon_server_pipe_state {
37 struct netr_Credential client_challenge;
38 struct netr_Credential server_challenge;
39 };
40
41 /*************************************************************************
42 _netr_LogonControl
43 *************************************************************************/
44
45 WERROR _netr_LogonControl(pipes_struct *p,
46 struct netr_LogonControl *r)
47 {
48 struct netr_LogonControl2Ex l;
49
50 switch (r->in.level) {
51 case 1:
52 break;
53 case 2:
54 return WERR_NOT_SUPPORTED;
55 default:
56 return WERR_UNKNOWN_LEVEL;
57 }
58
59 l.in.logon_server = r->in.logon_server;
60 l.in.function_code = r->in.function_code;
61 l.in.level = r->in.level;
62 l.in.data = NULL;
63 l.out.query = r->out.query;
64
65 return _netr_LogonControl2Ex(p, &l);
66 }
67
68 /****************************************************************************
69 Send a message to smbd to do a sam synchronisation
70 **************************************************************************/
71
72 static void send_sync_message(void)
73 {
74 DEBUG(3, ("sending sam synchronisation message\n"));
75 message_send_all(smbd_messaging_context(), MSG_SMB_SAM_SYNC, NULL, 0,
76 NULL);
77 }
78
79 /*************************************************************************
80 _netr_LogonControl2
81 *************************************************************************/
82
83 WERROR _netr_LogonControl2(pipes_struct *p,
84 struct netr_LogonControl2 *r)
85 {
86 struct netr_LogonControl2Ex l;
87
88 l.in.logon_server = r->in.logon_server;
89 l.in.function_code = r->in.function_code;
90 l.in.level = r->in.level;
91 l.in.data = r->in.data;
92 l.out.query = r->out.query;
93
94 return _netr_LogonControl2Ex(p, &l);
95 }
96
97 /*************************************************************************
98 *************************************************************************/
99
100 static bool wb_change_trust_creds(const char *domain, WERROR *tc_status)
101 {
102 wbcErr result;
103 struct wbcAuthErrorInfo *error = NULL;
104
105 result = wbcChangeTrustCredentials(domain, &error);
106 switch (result) {
107 case WBC_ERR_WINBIND_NOT_AVAILABLE:
108 return false;
109 case WBC_ERR_DOMAIN_NOT_FOUND:
110 *tc_status = WERR_NO_SUCH_DOMAIN;
111 return true;
112 case WBC_ERR_SUCCESS:
113 *tc_status = WERR_OK;
114 return true;
115 default:
116 break;
117 }
118
119 if (error && error->nt_status != 0) {
120 *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
121 } else {
122 *tc_status = WERR_TRUST_FAILURE;
123 }
124 wbcFreeMemory(error);
125 return true;
126 }
127
128 /*************************************************************************
129 *************************************************************************/
130
131 static bool wb_check_trust_creds(const char *domain, WERROR *tc_status)
132 {
133 wbcErr result;
134 struct wbcAuthErrorInfo *error = NULL;
135
136 result = wbcCheckTrustCredentials(domain, &error);
137 switch (result) {
138 case WBC_ERR_WINBIND_NOT_AVAILABLE:
139 return false;
140 case WBC_ERR_DOMAIN_NOT_FOUND:
141 *tc_status = WERR_NO_SUCH_DOMAIN;
142 return true;
143 case WBC_ERR_SUCCESS:
144 *tc_status = WERR_OK;
145 return true;
146 default:
147 break;
148 }
149
150 if (error && error->nt_status != 0) {
151 *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
152 } else {
153 *tc_status = WERR_TRUST_FAILURE;
154 }
155 wbcFreeMemory(error);
156 return true;
157 }
158
159 /****************************************************************
160 _netr_LogonControl2Ex
161 ****************************************************************/
162
163 WERROR _netr_LogonControl2Ex(pipes_struct *p,
164 struct netr_LogonControl2Ex *r)
165 {
166 uint32_t flags = 0x0;
167 WERROR pdc_connection_status = WERR_OK;
168 uint32_t logon_attempts = 0x0;
169 WERROR tc_status;
170 fstring dc_name2;
171 const char *dc_name = NULL;
172 struct sockaddr_storage dc_ss;
173 const char *domain = NULL;
174 struct netr_NETLOGON_INFO_1 *info1;
175 struct netr_NETLOGON_INFO_2 *info2;
176 struct netr_NETLOGON_INFO_3 *info3;
177 struct netr_NETLOGON_INFO_4 *info4;
178 const char *fn;
179 uint32_t acct_ctrl;
180
181 switch (p->hdr_req.opnum) {
182 case NDR_NETR_LOGONCONTROL:
183 fn = "_netr_LogonControl";
184 break;
185 case NDR_NETR_LOGONCONTROL2:
186 fn = "_netr_LogonControl2";
187 break;
188 case NDR_NETR_LOGONCONTROL2EX:
189 fn = "_netr_LogonControl2Ex";
190 break;
191 default:
192 return WERR_INVALID_PARAM;
193 }
194
195 acct_ctrl = pdb_get_acct_ctrl(p->server_info->sam_account);
196
197 switch (r->in.function_code) {
198 case NETLOGON_CONTROL_TC_VERIFY:
199 case NETLOGON_CONTROL_CHANGE_PASSWORD:
200 case NETLOGON_CONTROL_REDISCOVER:
201 if ((geteuid() != sec_initial_uid()) &&
202 !nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_RID_ADMINS) &&
203 !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok) &&
204 !(acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST))) {
205 return WERR_ACCESS_DENIED;
206 }
207 break;
208 default:
209 break;
210 }
211
212 tc_status = WERR_NO_SUCH_DOMAIN;
213
214 switch (r->in.function_code) {
215 case NETLOGON_CONTROL_QUERY:
216 tc_status = WERR_OK;
217 break;
218 case NETLOGON_CONTROL_REPLICATE:
219 case NETLOGON_CONTROL_SYNCHRONIZE:
220 case NETLOGON_CONTROL_PDC_REPLICATE:
221 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
222 case NETLOGON_CONTROL_BREAKPOINT:
223 if (acct_ctrl & ACB_NORMAL) {
224 return WERR_NOT_SUPPORTED;
225 } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
226 return WERR_ACCESS_DENIED;
227 } else {
228 return WERR_ACCESS_DENIED;
229 }
230 case NETLOGON_CONTROL_TRUNCATE_LOG:
231 if (acct_ctrl & ACB_NORMAL) {
232 break;
233 } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
234 return WERR_ACCESS_DENIED;
235 } else {
236 return WERR_ACCESS_DENIED;
237 }
238
239 case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
240 case NETLOGON_CONTROL_FORCE_DNS_REG:
241 case NETLOGON_CONTROL_QUERY_DNS_REG:
242 return WERR_NOT_SUPPORTED;
243 case NETLOGON_CONTROL_FIND_USER:
244 if (!r->in.data || !r->in.data->user) {
245 return WERR_NOT_SUPPORTED;
246 }
247 break;
248 case NETLOGON_CONTROL_SET_DBFLAG:
249 if (!r->in.data) {
250 return WERR_NOT_SUPPORTED;
251 }
252 break;
253 case NETLOGON_CONTROL_TC_VERIFY:
254 if (!r->in.data || !r->in.data->domain) {
255 return WERR_NOT_SUPPORTED;
256 }
257
258 if (!wb_check_trust_creds(r->in.data->domain, &tc_status)) {
259 return WERR_NOT_SUPPORTED;
260 }
261 break;
262 case NETLOGON_CONTROL_TC_QUERY:
263 if (!r->in.data || !r->in.data->domain) {
264 return WERR_NOT_SUPPORTED;
265 }
266
267 domain = r->in.data->domain;
268
269 if (!is_trusted_domain(domain)) {
270 break;
271 }
272
273 if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
274 tc_status = WERR_NO_LOGON_SERVERS;
275 break;
276 }
277
278 dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
279 if (!dc_name) {
280 return WERR_NOMEM;
281 }
282
283 tc_status = WERR_OK;
284
285 break;
286
287 case NETLOGON_CONTROL_REDISCOVER:
288 if (!r->in.data || !r->in.data->domain) {
289 return WERR_NOT_SUPPORTED;
290 }
291
292 domain = r->in.data->domain;
293
294 if (!is_trusted_domain(domain)) {
295 break;
296 }
297
298 if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
299 tc_status = WERR_NO_LOGON_SERVERS;
300 break;
301 }
302
303 dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
304 if (!dc_name) {
305 return WERR_NOMEM;
306 }
307
308 tc_status = WERR_OK;
309
310 break;
311
312 case NETLOGON_CONTROL_CHANGE_PASSWORD:
313 if (!r->in.data || !r->in.data->domain) {
314 return WERR_NOT_SUPPORTED;
315 }
316
317 if (!wb_change_trust_creds(r->in.data->domain, &tc_status)) {
318 return WERR_NOT_SUPPORTED;
319 }
320 break;
321
322 default:
323 /* no idea what this should be */
324 DEBUG(0,("%s: unimplemented function level [%d]\n",
325 fn, r->in.function_code));
326 return WERR_UNKNOWN_LEVEL;
327 }
328
329 /* prepare the response */
330
331 switch (r->in.level) {
332 case 1:
333 info1 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_1);
334 W_ERROR_HAVE_NO_MEMORY(info1);
335
336 info1->flags = flags;
337 info1->pdc_connection_status = pdc_connection_status;
338
339 r->out.query->info1 = info1;
340 break;
341 case 2:
342 info2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_2);
343 W_ERROR_HAVE_NO_MEMORY(info2);
344
345 info2->flags = flags;
346 info2->pdc_connection_status = pdc_connection_status;
347 info2->trusted_dc_name = dc_name;
348 info2->tc_connection_status = tc_status;
349
350 r->out.query->info2 = info2;
351 break;
352 case 3:
353 info3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_3);
354 W_ERROR_HAVE_NO_MEMORY(info3);
355
356 info3->flags = flags;
357 info3->logon_attempts = logon_attempts;
358
359 r->out.query->info3 = info3;
360 break;
361 case 4:
362 info4 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_4);
363 W_ERROR_HAVE_NO_MEMORY(info4);
364
365 info4->trusted_dc_name = dc_name;
366 info4->trusted_domain_name = r->in.data->domain;
367
368 r->out.query->info4 = info4;
369 break;
370 default:
371 return WERR_UNKNOWN_LEVEL;
372 }
373
374 if (lp_server_role() == ROLE_DOMAIN_BDC) {
375 send_sync_message();
376 }
377
378 return WERR_OK;
379 }
380
381 /*************************************************************************
382 _netr_NetrEnumerateTrustedDomains
383 *************************************************************************/
384
385 WERROR _netr_NetrEnumerateTrustedDomains(pipes_struct *p,
386 struct netr_NetrEnumerateTrustedDomains *r)
387 {
388 NTSTATUS status;
389 DATA_BLOB blob;
390 struct trustdom_info **domains;
391 uint32_t num_domains;
392 const char **trusted_domains;
393 int i;
394
395 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
396
397 /* set up the Trusted Domain List response */
398
399 become_root();
400 status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
401 unbecome_root();
402
403 if (!NT_STATUS_IS_OK(status)) {
404 return ntstatus_to_werror(status);
405 }
406
407 trusted_domains = talloc_zero_array(p->mem_ctx, const char *, num_domains + 1);
408 if (!trusted_domains) {
409 return WERR_NOMEM;
410 }
411
412 for (i = 0; i < num_domains; i++) {
413 trusted_domains[i] = talloc_strdup(trusted_domains, domains[i]->name);
414 if (!trusted_domains[i]) {
415 TALLOC_FREE(trusted_domains);
416 return WERR_NOMEM;
417 }
418 }
419
420 if (!push_reg_multi_sz(trusted_domains, &blob, trusted_domains)) {
421 TALLOC_FREE(trusted_domains);
422 return WERR_NOMEM;
423 }
424
425 r->out.trusted_domains_blob->data = blob.data;
426 r->out.trusted_domains_blob->length = blob.length;
427
428 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
429
430 return WERR_OK;
431 }
432
433 /******************************************************************
434 gets a machine password entry. checks access rights of the host.
435 ******************************************************************/
436
437 static NTSTATUS get_md4pw(struct samr_Password *md4pw, const char *mach_acct,
438 enum netr_SchannelType sec_chan_type, struct dom_sid *sid)
439 {
440 struct samu *sampass = NULL;
441 const uint8 *pass;
442 bool ret;
443 uint32 acct_ctrl;
444
445 #if 0
446 char addr[INET6_ADDRSTRLEN];
447
448 /*
449 * Currently this code is redundent as we already have a filter
450 * by hostname list. What this code really needs to do is to
451 * get a hosts allowed/hosts denied list from the SAM database
452 * on a per user basis, and make the access decision there.
453 * I will leave this code here for now as a reminder to implement
454 * this at a later date. JRA.
455 */
456
457 if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
458 client_name(get_client_fd()),
459 client_addr(get_client_fd(),addr,sizeof(addr)))) {
460 DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct));
461 return False;
462 }
463 #endif /* 0 */
464
465 if ( !(sampass = samu_new( NULL )) ) {
466 return NT_STATUS_NO_MEMORY;
467 }
468
469 /* JRA. This is ok as it is only used for generating the challenge. */
470 become_root();
471 ret = pdb_getsampwnam(sampass, mach_acct);
472 unbecome_root();
473
474 if (!ret) {
475 DEBUG(0,("get_md4pw: Workstation %s: no account in domain\n", mach_acct));
476 TALLOC_FREE(sampass);
477 return NT_STATUS_ACCESS_DENIED;
478 }
479
480 acct_ctrl = pdb_get_acct_ctrl(sampass);
481 if (acct_ctrl & ACB_DISABLED) {
482 DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct));
483 TALLOC_FREE(sampass);
484 return NT_STATUS_ACCOUNT_DISABLED;
485 }
486
487 if (!(acct_ctrl & ACB_SVRTRUST) &&
488 !(acct_ctrl & ACB_WSTRUST) &&
489 !(acct_ctrl & ACB_DOMTRUST))
490 {
491 DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct));
492 TALLOC_FREE(sampass);
493 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
494 }
495
496 switch (sec_chan_type) {
497 case SEC_CHAN_BDC:
498 if (!(acct_ctrl & ACB_SVRTRUST)) {
499 DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
500 "but not a server trust account\n", mach_acct));
501 TALLOC_FREE(sampass);
502 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
503 }
504 break;
505 case SEC_CHAN_WKSTA:
506 if (!(acct_ctrl & ACB_WSTRUST)) {
507 DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
508 "but not a workstation trust account\n", mach_acct));
509 TALLOC_FREE(sampass);
510 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
511 }
512 break;
513 case SEC_CHAN_DOMAIN:
514 if (!(acct_ctrl & ACB_DOMTRUST)) {
515 DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
516 "but not a interdomain trust account\n", mach_acct));
517 TALLOC_FREE(sampass);
518 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
519 }
520 break;
521 default:
522 break;
523 }
524
525 if ((pass = pdb_get_nt_passwd(sampass)) == NULL) {
526 DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct));
527 TALLOC_FREE(sampass);
528 return NT_STATUS_LOGON_FAILURE;
529 }
530
531 memcpy(md4pw->hash, pass, 16);
532 dump_data(5, md4pw->hash, 16);
533
534 sid_copy(sid, pdb_get_user_sid(sampass));
535
536 TALLOC_FREE(sampass);
537
538 return NT_STATUS_OK;
539
540
541 }
542
543 /*************************************************************************
544 _netr_ServerReqChallenge
545 *************************************************************************/
546
547 NTSTATUS _netr_ServerReqChallenge(pipes_struct *p,
548 struct netr_ServerReqChallenge *r)
549 {
550 struct netlogon_server_pipe_state *pipe_state =
551 talloc_get_type(p->private_data, struct netlogon_server_pipe_state);
552
553 if (pipe_state) {
554 DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));
555 talloc_free(pipe_state);
556 p->private_data = NULL;
557 }
558
559 pipe_state = talloc(p, struct netlogon_server_pipe_state);
560 NT_STATUS_HAVE_NO_MEMORY(pipe_state);
561
562 pipe_state->client_challenge = *r->in.credentials;
563
564 generate_random_buffer(pipe_state->server_challenge.data,
565 sizeof(pipe_state->server_challenge.data));
566
567 *r->out.return_credentials = pipe_state->server_challenge;
568
569 p->private_data = pipe_state;
570
571 return NT_STATUS_OK;
572 }
573
574 /*************************************************************************
575 _netr_ServerAuthenticate
576 Create the initial credentials.
577 *************************************************************************/
578
579 NTSTATUS _netr_ServerAuthenticate(pipes_struct *p,
580 struct netr_ServerAuthenticate *r)
581 {
582 struct netr_ServerAuthenticate3 a;
583 uint32_t negotiate_flags = 0;
584 uint32_t rid;
585
586 a.in.server_name = r->in.server_name;
587 a.in.account_name = r->in.account_name;
588 a.in.secure_channel_type = r->in.secure_channel_type;
589 a.in.computer_name = r->in.computer_name;
590 a.in.credentials = r->in.credentials;
591 a.in.negotiate_flags = &negotiate_flags;
592
593 a.out.return_credentials = r->out.return_credentials;
594 a.out.rid = &rid;
595 a.out.negotiate_flags = &negotiate_flags;
596
597 return _netr_ServerAuthenticate3(p, &a);
598
599 }
600
601 /*************************************************************************
602 _netr_ServerAuthenticate3
603 *************************************************************************/
604
605 NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
606 struct netr_ServerAuthenticate3 *r)
607 {
608 NTSTATUS status;
609 uint32_t srv_flgs;
610 /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
611 * so use a copy to avoid destroying the client values. */
612 uint32_t in_neg_flags = *r->in.negotiate_flags;
613 const char *fn;
614 struct dom_sid sid;
615 struct samr_Password mach_pwd;
616 struct netlogon_creds_CredentialState *creds;
617 struct netlogon_server_pipe_state *pipe_state =
618 talloc_get_type(p->private_data, struct netlogon_server_pipe_state);
619
620 /* According to Microsoft (see bugid #6099)
621 * Windows 7 looks at the negotiate_flags
622 * returned in this structure *even if the
623 * call fails with access denied* ! So in order
624 * to allow Win7 to connect to a Samba NT style
625 * PDC we set the flags before we know if it's
626 * an error or not.
627 */
628
629 /* 0x000001ff */
630 srv_flgs = NETLOGON_NEG_ACCOUNT_LOCKOUT |
631 NETLOGON_NEG_PERSISTENT_SAMREPL |
632 NETLOGON_NEG_ARCFOUR |
633 NETLOGON_NEG_PROMOTION_COUNT |
634 NETLOGON_NEG_CHANGELOG_BDC |
635 NETLOGON_NEG_FULL_SYNC_REPL |
636 NETLOGON_NEG_MULTIPLE_SIDS |
637 NETLOGON_NEG_REDO |
638 NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
639 NETLOGON_NEG_PASSWORD_SET2;
640
641 /* Ensure we support strong (128-bit) keys. */
642 if (in_neg_flags & NETLOGON_NEG_STRONG_KEYS) {
643 srv_flgs |= NETLOGON_NEG_STRONG_KEYS;
644 }
645
646 if (lp_server_schannel() != false) {
647 srv_flgs |= NETLOGON_NEG_SCHANNEL;
648 }
649
650 switch (p->hdr_req.opnum) {
651 case NDR_NETR_SERVERAUTHENTICATE:
652 fn = "_netr_ServerAuthenticate";
653 break;
654 case NDR_NETR_SERVERAUTHENTICATE2:
655 fn = "_netr_ServerAuthenticate2";
656 break;
657 case NDR_NETR_SERVERAUTHENTICATE3:
658 fn = "_netr_ServerAuthenticate3";
659 break;
660 default:
661 return NT_STATUS_INTERNAL_ERROR;
662 }
663
664 /* We use this as the key to store the creds: */
665 /* r->in.computer_name */
666
667 if (!pipe_state) {
668 DEBUG(0,("%s: no challenge sent to client %s\n", fn,
669 r->in.computer_name));
670 status = NT_STATUS_ACCESS_DENIED;
671 goto out;
672 }
673
674 if ( (lp_server_schannel() == true) &&
675 ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
676
677 /* schannel must be used, but client did not offer it. */
678 DEBUG(0,("%s: schannel required but client failed "
679 "to offer it. Client was %s\n",
680 fn, r->in.account_name));
681 status = NT_STATUS_ACCESS_DENIED;
682 goto out;
683 }
684
685 status = get_md4pw(&mach_pwd,
686 r->in.account_name,
687 r->in.secure_channel_type,
688 &sid);
689 if (!NT_STATUS_IS_OK(status)) {
690 DEBUG(0,("%s: failed to get machine password for "
691 "account %s: %s\n",
692 fn, r->in.account_name, nt_errstr(status) ));
693 /* always return NT_STATUS_ACCESS_DENIED */
694 status = NT_STATUS_ACCESS_DENIED;
695 goto out;
696 }
697
698 /* From the client / server challenges and md4 password, generate sess key */
699 /* Check client credentials are valid. */
700 creds = netlogon_creds_server_init(p->mem_ctx,
701 r->in.account_name,
702 r->in.computer_name,
703 r->in.secure_channel_type,
704 &pipe_state->client_challenge,
705 &pipe_state->server_challenge,
706 &mach_pwd,
707 r->in.credentials,
708 r->out.return_credentials,
709 *r->in.negotiate_flags);
710 if (!creds) {
711 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
712 "request from client %s machine account %s\n",
713 fn, r->in.computer_name,
714 r->in.account_name));
715 status = NT_STATUS_ACCESS_DENIED;
716 goto out;
717 }
718
719 creds->sid = sid_dup_talloc(creds, &sid);
720 if (!creds->sid) {
721 status = NT_STATUS_NO_MEMORY;
722 goto out;
723 }
724
725 /* Store off the state so we can continue after client disconnect. */
726 become_root();
727 status = schannel_save_creds_state(p->mem_ctx,
728 NULL, lp_private_dir(), creds);
729 unbecome_root();
730
731 if (!NT_STATUS_IS_OK(status)) {
732 goto out;
733 }
734
735 sid_peek_rid(&sid, r->out.rid);
736
737 status = NT_STATUS_OK;
738
739 out:
740
741 *r->out.negotiate_flags = srv_flgs;
742 return status;
743 }
744
745 /*************************************************************************
746 _netr_ServerAuthenticate2
747 *************************************************************************/
748
749 NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
750 struct netr_ServerAuthenticate2 *r)
751 {
752 struct netr_ServerAuthenticate3 a;
753 uint32_t rid;
754
755 a.in.server_name = r->in.server_name;
756 a.in.account_name = r->in.account_name;
757 a.in.secure_channel_type = r->in.secure_channel_type;
758 a.in.computer_name = r->in.computer_name;
759 a.in.credentials = r->in.credentials;
760 a.in.negotiate_flags = r->in.negotiate_flags;
761
762 a.out.return_credentials = r->out.return_credentials;
763 a.out.rid = &rid;
764 a.out.negotiate_flags = r->out.negotiate_flags;
765
766 return _netr_ServerAuthenticate3(p, &a);
767 }
768
769 /*************************************************************************
770 * If schannel is required for this call test that it actually is available.
771 *************************************************************************/
772 static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info,
773 const char *computer_name,
774 bool integrity, bool privacy)
775 {
776 if (auth_info && auth_info->auth_type == PIPE_AUTH_TYPE_SCHANNEL) {
777 if (!privacy && !integrity) {
778 return NT_STATUS_OK;
779 }
780
781 if ((!privacy && integrity) &&
782 auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
783 return NT_STATUS_OK;
784 }
785
786 if ((privacy || integrity) &&
787 auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
788 return NT_STATUS_OK;
789 }
790 }
791
792 /* test didn't pass */
793 DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
794 computer_name));
795
796 return NT_STATUS_ACCESS_DENIED;
797 }
798
799 /*************************************************************************
800 *************************************************************************/
801
802 static NTSTATUS netr_creds_server_step_check(pipes_struct *p,
803 TALLOC_CTX *mem_ctx,
804 const char *computer_name,
805 struct netr_Authenticator *received_authenticator,
806 struct netr_Authenticator *return_authenticator,
807 struct netlogon_creds_CredentialState **creds_out)
808 {
809 NTSTATUS status;
810 bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
811
812 if (schannel_global_required) {
813 status = schannel_check_required(&p->auth,
814 computer_name,
815 false, false);
816 if (!NT_STATUS_IS_OK(status)) {
817 return status;
818 }
819 }
820
821 status = schannel_check_creds_state(mem_ctx, NULL,
822 lp_private_dir(),
823 computer_name,
824 received_authenticator,
825 return_authenticator,
826 creds_out);
827
828 return status;
829 }
830
831 /*************************************************************************
832 *************************************************************************/
833
834 static NTSTATUS netr_find_machine_account(TALLOC_CTX *mem_ctx,
835 const char *account_name,
836 struct samu **sampassp)
837 {
838 struct samu *sampass;
839 bool ret = false;
840 uint32_t acct_ctrl;
841
842 sampass = samu_new(mem_ctx);
843 if (!sampass) {
844 return NT_STATUS_NO_MEMORY;
845 }
846
847 become_root();
848 ret = pdb_getsampwnam(sampass, account_name);
849 unbecome_root();
850
851 if (!ret) {
852 TALLOC_FREE(sampass);
853 return NT_STATUS_ACCESS_DENIED;
854 }
855
856 /* Ensure the account exists and is a machine account. */
857
858 acct_ctrl = pdb_get_acct_ctrl(sampass);
859
860 if (!(acct_ctrl & ACB_WSTRUST ||
861 acct_ctrl & ACB_SVRTRUST ||
862 acct_ctrl & ACB_DOMTRUST)) {
863 TALLOC_FREE(sampass);
864 return NT_STATUS_NO_SUCH_USER;
865 }
866
867 if (acct_ctrl & ACB_DISABLED) {
868 TALLOC_FREE(sampass);
869 return NT_STATUS_ACCOUNT_DISABLED;
870 }
871
872 *sampassp = sampass;
873
874 return NT_STATUS_OK;
875 }
876
877 /*************************************************************************
878 *************************************************************************/
879
880 static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
881 struct samu *sampass,
882 DATA_BLOB *plaintext_blob,
883 struct samr_Password *nt_hash,
884 struct samr_Password *lm_hash)
885 {
886 NTSTATUS status;
887 const uchar *old_pw;
888 const char *plaintext = NULL;
889 size_t plaintext_len;
890 struct samr_Password nt_hash_local;
891
892 if (!sampass) {
893 return NT_STATUS_INVALID_PARAMETER;
894 }
895
896 if (plaintext_blob) {
897 if (!convert_string_talloc(mem_ctx, CH_UTF16, CH_UNIX,
898 plaintext_blob->data, plaintext_blob->length,
899 &plaintext, &plaintext_len, false))
900 {
901 plaintext = NULL;
902 mdfour(nt_hash_local.hash, plaintext_blob->data, plaintext_blob->length);
903 nt_hash = &nt_hash_local;
904 }
905 }
906
907 if (plaintext) {
908 if (!pdb_set_plaintext_passwd(sampass, plaintext)) {
909 return NT_STATUS_ACCESS_DENIED;
910 }
911
912 goto done;
913 }
914
915 if (nt_hash) {
916 old_pw = pdb_get_nt_passwd(sampass);
917
918 if (old_pw && memcmp(nt_hash->hash, old_pw, 16) == 0) {
919 /* Avoid backend modificiations and other fun if the
920 client changed the password to the *same thing* */
921 } else {
922 /* LM password should be NULL for machines */
923 if (!pdb_set_lanman_passwd(sampass, NULL, PDB_CHANGED)) {
924 return NT_STATUS_NO_MEMORY;
925 }
926 if (!pdb_set_nt_passwd(sampass, nt_hash->hash, PDB_CHANGED)) {
927 return NT_STATUS_NO_MEMORY;
928 }
929
930 if (!pdb_set_pass_last_set_time(sampass, time(NULL), PDB_CHANGED)) {
931 /* Not quite sure what this one qualifies as, but this will do */
932 return NT_STATUS_UNSUCCESSFUL;
933 }
934 }
935 }
936
937 done:
938 become_root();
939 status = pdb_update_sam_account(sampass);
940 unbecome_root();
941
942 return status;
943 }
944
945 /*************************************************************************
946 _netr_ServerPasswordSet
947 *************************************************************************/
948
949 NTSTATUS _netr_ServerPasswordSet(pipes_struct *p,
950 struct netr_ServerPasswordSet *r)
951 {
952 NTSTATUS status = NT_STATUS_OK;
953 struct samu *sampass=NULL;
954 int i;
955 struct netlogon_creds_CredentialState *creds;
956
957 DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
958
959 become_root();
960 status = netr_creds_server_step_check(p, p->mem_ctx,
961 r->in.computer_name,
962 r->in.credential,
963 r->out.return_authenticator,
964 &creds);
965 unbecome_root();
966
967 if (!NT_STATUS_IS_OK(status)) {
968 DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
969 "request from client %s machine account %s\n",
970 r->in.computer_name, creds->computer_name));
971 TALLOC_FREE(creds);
972 return status;
973 }
974
975 DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
976 r->in.computer_name, creds->computer_name));
977
978 netlogon_creds_des_decrypt(creds, r->in.new_password);
979
980 DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
981 for(i = 0; i < sizeof(r->in.new_password->hash); i++)
982 DEBUG(100,("%02X ", r->in.new_password->hash[i]));
983 DEBUG(100,("\n"));
984
985 status = netr_find_machine_account(p->mem_ctx,
986 creds->account_name,
987 &sampass);
988 if (!NT_STATUS_IS_OK(status)) {
989 return status;
990 }
991
992 status = netr_set_machine_account_password(sampass,
993 sampass,
994 NULL,
995 r->in.new_password,
996 NULL);
997 TALLOC_FREE(sampass);
998 return status;
999 }
1000
1001 /****************************************************************
1002 _netr_ServerPasswordSet2
1003 ****************************************************************/
1004
1005 NTSTATUS _netr_ServerPasswordSet2(pipes_struct *p,
1006 struct netr_ServerPasswordSet2 *r)
1007 {
1008 NTSTATUS status;
1009 struct netlogon_creds_CredentialState *creds;
1010 struct samu *sampass;
1011 DATA_BLOB plaintext;
1012 struct samr_CryptPassword password_buf;
1013 struct samr_Password nt_hash;
1014
1015 become_root();
1016 status = netr_creds_server_step_check(p, p->mem_ctx,
1017 r->in.computer_name,
1018 r->in.credential,
1019 r->out.return_authenticator,
1020 &creds);
1021 unbecome_root();
1022
1023 if (!NT_STATUS_IS_OK(status)) {
1024 DEBUG(2,("_netr_ServerPasswordSet2: netlogon_creds_server_step "
1025 "failed. Rejecting auth request from client %s machine account %s\n",
1026 r->in.computer_name, creds->computer_name));
1027 TALLOC_FREE(creds);
1028 return status;
1029 }
1030
1031 memcpy(password_buf.data, r->in.new_password->data, 512);
1032 SIVAL(password_buf.data, 512, r->in.new_password->length);
1033 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
1034
1035 if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &plaintext)) {
1036 return NT_STATUS_WRONG_PASSWORD;
1037 }
1038
1039 mdfour(nt_hash.hash, plaintext.data, plaintext.length);
1040
1041 status = netr_find_machine_account(p->mem_ctx,
1042 creds->account_name,
1043 &sampass);
1044 if (!NT_STATUS_IS_OK(status)) {
1045 return status;
1046 }
1047
1048 status = netr_set_machine_account_password(sampass,
1049 sampass,
1050 NULL,
1051 &nt_hash,
1052 NULL);
1053 TALLOC_FREE(sampass);
1054 return status;
1055 }
1056
1057 /*************************************************************************
1058 _netr_LogonSamLogoff
1059 *************************************************************************/
1060
1061 NTSTATUS _netr_LogonSamLogoff(pipes_struct *p,
1062 struct netr_LogonSamLogoff *r)
1063 {
1064 NTSTATUS status;
1065 struct netlogon_creds_CredentialState *creds;
1066
1067 become_root();
1068 status = netr_creds_server_step_check(p, p->mem_ctx,
1069 r->in.computer_name,
1070 r->in.credential,
1071 r->out.return_authenticator,
1072 &creds);
1073 unbecome_root();
1074
1075 return status;
1076 }
1077
1078 /*************************************************************************
1079 _netr_LogonSamLogon_base
1080 *************************************************************************/
1081
1082 static NTSTATUS _netr_LogonSamLogon_base(pipes_struct *p,
1083 struct netr_LogonSamLogonEx *r,
1084 struct netlogon_creds_CredentialState *creds)
1085 {
1086 NTSTATUS status = NT_STATUS_OK;
1087 union netr_LogonLevel *logon = r->in.logon;
1088 const char *nt_username, *nt_domain, *nt_workstation;
1089 struct auth_usersupplied_info *user_info = NULL;
1090 struct auth_serversupplied_info *server_info = NULL;
1091 struct auth_context *auth_context = NULL;
1092 uint8_t pipe_session_key[16];
1093 bool process_creds = true;
1094 const char *fn;
1095
1096 switch (p->hdr_req.opnum) {
1097 case NDR_NETR_LOGONSAMLOGON:
1098 process_creds = true;
1099 fn = "_netr_LogonSamLogon";
1100 break;
1101 case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
1102 process_creds = true;
1103 fn = "_netr_LogonSamLogonWithFlags";
1104 break;
1105 case NDR_NETR_LOGONSAMLOGONEX:
1106 process_creds = false;
1107 fn = "_netr_LogonSamLogonEx";
1108 break;
1109 default:
1110 return NT_STATUS_INTERNAL_ERROR;
1111 }
1112
1113 *r->out.authoritative = true; /* authoritative response */
1114
1115 switch (r->in.validation_level) {
1116 case 2:
1117 r->out.validation->sam2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo2);
1118 if (!r->out.validation->sam2) {
1119 return NT_STATUS_NO_MEMORY;
1120 }
1121 break;
1122 case 3:
1123 r->out.validation->sam3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo3);
1124 if (!r->out.validation->sam3) {
1125 return NT_STATUS_NO_MEMORY;
1126 }
1127 break;
1128 case 6:
1129 r->out.validation->sam6 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo6);
1130 if (!r->out.validation->sam6) {
1131 return NT_STATUS_NO_MEMORY;
1132 }
1133 break;
1134 default:
1135 DEBUG(0,("%s: bad validation_level value %d.\n",
1136 fn, (int)r->in.validation_level));
1137 return NT_STATUS_INVALID_INFO_CLASS;
1138 }
1139
1140 switch (r->in.logon_level) {
1141 case NetlogonInteractiveInformation:
1142 case NetlogonServiceInformation:
1143 case NetlogonInteractiveTransitiveInformation:
1144 case NetlogonServiceTransitiveInformation:
1145 nt_username = logon->password->identity_info.account_name.string ?
1146 logon->password->identity_info.account_name.string : "";
1147 nt_domain = logon->password->identity_info.domain_name.string ?
1148 logon->password->identity_info.domain_name.string : "";
1149 nt_workstation = logon->password->identity_info.workstation.string ?
1150 logon->password->identity_info.workstation.string : "";
1151
1152 DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
1153 break;
1154 case NetlogonNetworkInformation:
1155 case NetlogonNetworkTransitiveInformation:
1156 nt_username = logon->network->identity_info.account_name.string ?
1157 logon->network->identity_info.account_name.string : "";
1158 nt_domain = logon->network->identity_info.domain_name.string ?
1159 logon->network->identity_info.domain_name.string : "";
1160 nt_workstation = logon->network->identity_info.workstation.string ?
1161 logon->network->identity_info.workstation.string : "";
1162
1163 DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
1164 break;
1165 default:
1166 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1167 return NT_STATUS_INVALID_INFO_CLASS;
1168 } /* end switch */
1169
1170 DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username, nt_workstation, nt_domain));
1171 fstrcpy(current_user_info.smb_name, nt_username);
1172 sub_set_smb_name(nt_username);
1173
1174 DEBUG(5,("Attempting validation level %d for unmapped username %s.\n",
1175 r->in.validation_level, nt_username));
1176
1177 status = NT_STATUS_OK;
1178
1179 switch (r->in.logon_level) {
1180 case NetlogonNetworkInformation:
1181 case NetlogonNetworkTransitiveInformation:
1182 {
1183 const char *wksname = nt_workstation;
1184
1185 status = make_auth_context_fixed(&auth_context,
1186 logon->network->challenge);
1187 if (!NT_STATUS_IS_OK(status)) {
1188 return status;
1189 }
1190
1191 /* For a network logon, the workstation name comes in with two
1192 * backslashes in the front. Strip them if they are there. */
1193
1194 if (*wksname == '\\') wksname++;
1195 if (*wksname == '\\') wksname++;
1196
1197 /* Standard challenge/response authenticaion */
1198 if (!make_user_info_netlogon_network(&user_info,
1199 nt_username, nt_domain,
1200 wksname,
1201 logon->network->identity_info.parameter_control,
1202 logon->network->lm.data,
1203 logon->network->lm.length,
1204 logon->network->nt.data,
1205 logon->network->nt.length)) {
1206 status = NT_STATUS_NO_MEMORY;
1207 }
1208 break;
1209 }
1210 case NetlogonInteractiveInformation:
1211 case NetlogonServiceInformation:
1212 case NetlogonInteractiveTransitiveInformation:
1213 case NetlogonServiceTransitiveInformation:
1214
1215 /* 'Interactive' authentication, supplies the password in its
1216 MD4 form, encrypted with the session key. We will convert
1217 this to challenge/response for the auth subsystem to chew
1218 on */
1219 {
1220 uint8_t chal[8];
1221
1222 if (!NT_STATUS_IS_OK(status = make_auth_context_subsystem(&auth_context))) {
1223 return status;
1224 }
1225
1226 auth_context->get_ntlm_challenge(auth_context, chal);
1227
1228 if (!make_user_info_netlogon_interactive(&user_info,
1229 nt_username, nt_domain,
1230 nt_workstation,
1231 logon->password->identity_info.parameter_control,
1232 chal,
1233 logon->password->lmpassword.hash,
1234 logon->password->ntpassword.hash,
1235 creds->session_key)) {
1236 status = NT_STATUS_NO_MEMORY;
1237 }
1238 break;
1239 }
1240 default:
1241 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1242 return NT_STATUS_INVALID_INFO_CLASS;
1243 } /* end switch */
1244
1245 if ( NT_STATUS_IS_OK(status) ) {
1246 status = auth_context->check_ntlm_password(auth_context,
1247 user_info, &server_info);
1248 }
1249
1250 (auth_context->free)(&auth_context);
1251 free_user_info(&user_info);
1252
1253 DEBUG(5,("%s: check_password returned status %s\n",
1254 fn, nt_errstr(status)));
1255
1256 /* Check account and password */
1257
1258 if (!NT_STATUS_IS_OK(status)) {
1259 /* If we don't know what this domain is, we need to
1260 indicate that we are not authoritative. This
1261 allows the client to decide if it needs to try
1262 a local user. Fix by jpjanosi@us.ibm.com, #2976 */
1263 if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
1264 && !strequal(nt_domain, get_global_sam_name())
1265 && !is_trusted_domain(nt_domain) )
1266 *r->out.authoritative = false; /* We are not authoritative */
1267
1268 TALLOC_FREE(server_info);
1269 return status;
1270 }
1271
1272 if (server_info->guest) {
1273 /* We don't like guest domain logons... */
1274 DEBUG(5,("%s: Attempted domain logon as GUEST "
1275 "denied.\n", fn));
1276 TALLOC_FREE(server_info);
1277 return NT_STATUS_LOGON_FAILURE;
1278 }
1279
1280 /* This is the point at which, if the login was successful, that
1281 the SAM Local Security Authority should record that the user is
1282 logged in to the domain. */
1283
1284 if (process_creds) {
1285 /* Get the pipe session key from the creds. */
1286 memcpy(pipe_session_key, creds->session_key, 16);
1287 } else {
1288 /* Get the pipe session key from the schannel. */
1289 if ((p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL)
1290 || (p->auth.a_u.schannel_auth == NULL)) {
1291 return NT_STATUS_INVALID_HANDLE;
1292 }
1293 memcpy(pipe_session_key, p->auth.a_u.schannel_auth->creds->session_key, 16);
1294 }
1295
1296 switch (r->in.validation_level) {
1297 case 2:
1298 status = serverinfo_to_SamInfo2(server_info, pipe_session_key, 16,
1299 r->out.validation->sam2);
1300 break;
1301 case 3:
1302 status = serverinfo_to_SamInfo3(server_info, pipe_session_key, 16,
1303 r->out.validation->sam3);
1304 break;
1305 case 6:
1306 status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16,
1307 r->out.validation->sam6);
1308 break;
1309 }
1310
1311 TALLOC_FREE(server_info);
1312
1313 return status;
1314 }
1315
1316 /****************************************************************
1317 _netr_LogonSamLogonWithFlags
1318 ****************************************************************/
1319
1320 NTSTATUS _netr_LogonSamLogonWithFlags(pipes_struct *p,
1321 struct netr_LogonSamLogonWithFlags *r)
1322 {
1323 NTSTATUS status;
1324 struct netlogon_creds_CredentialState *creds;
1325 struct netr_LogonSamLogonEx r2;
1326 struct netr_Authenticator return_authenticator;
1327
1328 become_root();
1329 status = netr_creds_server_step_check(p, p->mem_ctx,
1330 r->in.computer_name,
1331 r->in.credential,
1332 &return_authenticator,
1333 &creds);
1334 unbecome_root();
1335 if (!NT_STATUS_IS_OK(status)) {
1336 return status;
1337 }
1338
1339 r2.in.server_name = r->in.server_name;
1340 r2.in.computer_name = r->in.computer_name;
1341 r2.in.logon_level = r->in.logon_level;
1342 r2.in.logon = r->in.logon;
1343 r2.in.validation_level = r->in.validation_level;
1344 r2.in.flags = r->in.flags;
1345 r2.out.validation = r->out.validation;
1346 r2.out.authoritative = r->out.authoritative;
1347 r2.out.flags = r->out.flags;
1348
1349 status = _netr_LogonSamLogon_base(p, &r2, creds);
1350
1351 *r->out.return_authenticator = return_authenticator;
1352
1353 return status;
1354 }
1355
1356 /*************************************************************************
1357 _netr_LogonSamLogon
1358 *************************************************************************/
1359
1360 NTSTATUS _netr_LogonSamLogon(pipes_struct *p,
1361 struct netr_LogonSamLogon *r)
1362 {
1363 NTSTATUS status;
1364 struct netr_LogonSamLogonWithFlags r2;
1365 uint32_t flags = 0;
1366
1367 r2.in.server_name = r->in.server_name;
1368 r2.in.computer_name = r->in.computer_name;
1369 r2.in.credential = r->in.credential;
1370 r2.in.logon_level = r->in.logon_level;
1371 r2.in.logon = r->in.logon;
1372 r2.in.validation_level = r->in.validation_level;
1373 r2.in.return_authenticator = r->in.return_authenticator;
1374 r2.in.flags = &flags;
1375 r2.out.validation = r->out.validation;
1376 r2.out.authoritative = r->out.authoritative;
1377 r2.out.flags = &flags;
1378 r2.out.return_authenticator = r->out.return_authenticator;
1379
1380 status = _netr_LogonSamLogonWithFlags(p, &r2);
1381
1382 return status;
1383 }
1384
1385 /*************************************************************************
1386 _netr_LogonSamLogonEx
1387 - no credential chaining. Map into net sam logon.
1388 *************************************************************************/
1389
1390 NTSTATUS _netr_LogonSamLogonEx(pipes_struct *p,
1391 struct netr_LogonSamLogonEx *r)
1392 {
1393 NTSTATUS status;
1394 struct netlogon_creds_CredentialState *creds = NULL;
1395
1396 become_root();
1397 status = schannel_get_creds_state(p->mem_ctx,
1398 NULL, lp_private_dir(),
1399 r->in.computer_name, &creds);
1400 unbecome_root();
1401 if (!NT_STATUS_IS_OK(status)) {
1402 return status;
1403 }
1404
1405 /* Only allow this if the pipe is protected. */
1406 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1407 DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
1408 get_remote_machine_name() ));
1409 return NT_STATUS_INVALID_PARAMETER;
1410 }
1411
1412 status = _netr_LogonSamLogon_base(p, r, creds);
1413 TALLOC_FREE(creds);
1414
1415 return status;
1416 }
1417
1418 /*************************************************************************
1419 _ds_enum_dom_trusts
1420 *************************************************************************/
1421 #if 0 /* JERRY -- not correct */
1422 NTSTATUS _ds_enum_dom_trusts(pipes_struct *p, DS_Q_ENUM_DOM_TRUSTS *q_u,
1423 DS_R_ENUM_DOM_TRUSTS *r_u)
1424 {
1425 NTSTATUS status = NT_STATUS_OK;
1426
1427 /* TODO: According to MSDN, the can only be executed against a
1428 DC or domain member running Windows 2000 or later. Need
1429 to test against a standalone 2k server and see what it
1430 does. A windows 2000 DC includes its own domain in the
1431 list. --jerry */
1432
1433 return status;
1434 }
1435 #endif /* JERRY */
1436
1437
1438 /****************************************************************
1439 ****************************************************************/
1440
1441 WERROR _netr_LogonUasLogon(pipes_struct *p,
1442 struct netr_LogonUasLogon *r)
1443 {
1444 p->rng_fault_state = true;
1445 return WERR_NOT_SUPPORTED;
1446 }
1447
1448 /****************************************************************
1449 ****************************************************************/
1450
1451 WERROR _netr_LogonUasLogoff(pipes_struct *p,
1452 struct netr_LogonUasLogoff *r)
1453 {
1454 p->rng_fault_state = true;
1455 return WERR_NOT_SUPPORTED;
1456 }
1457
1458 /****************************************************************
1459 ****************************************************************/
1460
1461 NTSTATUS _netr_DatabaseDeltas(pipes_struct *p,
1462 struct netr_DatabaseDeltas *r)
1463 {
1464 p->rng_fault_state = true;
1465 return NT_STATUS_NOT_IMPLEMENTED;
1466 }
1467
1468 /****************************************************************
1469 ****************************************************************/
1470
1471 NTSTATUS _netr_DatabaseSync(pipes_struct *p,
1472 struct netr_DatabaseSync *r)
1473 {
1474 p->rng_fault_state = true;
1475 return NT_STATUS_NOT_IMPLEMENTED;
1476 }
1477
1478 /****************************************************************
1479 ****************************************************************/
1480
1481 NTSTATUS _netr_AccountDeltas(pipes_struct *p,
1482 struct netr_AccountDeltas *r)
1483 {
1484 p->rng_fault_state = true;
1485 return NT_STATUS_NOT_IMPLEMENTED;
1486 }
1487
1488 /****************************************************************
1489 ****************************************************************/
1490
1491 NTSTATUS _netr_AccountSync(pipes_struct *p,
1492 struct netr_AccountSync *r)
1493 {
1494 p->rng_fault_state = true;
1495 return NT_STATUS_NOT_IMPLEMENTED;
1496 }
1497
1498 /****************************************************************
1499 ****************************************************************/
1500
1501 static bool wb_getdcname(TALLOC_CTX *mem_ctx,
1502 const char *domain,
1503 const char **dcname,
1504 uint32_t flags,
1505 WERROR *werr)
1506 {
1507 wbcErr result;
1508 struct wbcDomainControllerInfo *dc_info = NULL;
1509
1510 result = wbcLookupDomainController(domain,
1511 flags,
1512 &dc_info);
1513 switch (result) {
1514 case WBC_ERR_SUCCESS:
1515 break;
1516 case WBC_ERR_WINBIND_NOT_AVAILABLE:
1517 return false;
1518 case WBC_ERR_DOMAIN_NOT_FOUND:
1519 *werr = WERR_NO_SUCH_DOMAIN;
1520 return true;
1521 default:
1522 *werr = WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1523 return true;
1524 }
1525
1526 *dcname = talloc_strdup(mem_ctx, dc_info->dc_name);
1527 wbcFreeMemory(dc_info);
1528 if (!*dcname) {
1529 *werr = WERR_NOMEM;
1530 return false;
1531 }
1532
1533 *werr = WERR_OK;
1534
1535 return true;
1536 }
1537
1538 /****************************************************************
1539 _netr_GetDcName
1540 ****************************************************************/
1541
1542 WERROR _netr_GetDcName(pipes_struct *p,
1543 struct netr_GetDcName *r)
1544 {
1545 NTSTATUS status;
1546 WERROR werr;
1547 uint32_t flags;
1548 struct netr_DsRGetDCNameInfo *info;
1549 bool ret;
1550
1551 ret = wb_getdcname(p->mem_ctx,
1552 r->in.domainname,
1553 r->out.dcname,
1554 WBC_LOOKUP_DC_IS_FLAT_NAME |
1555 WBC_LOOKUP_DC_RETURN_FLAT_NAME |
1556 WBC_LOOKUP_DC_PDC_REQUIRED,
1557 &werr);
1558 if (ret == true) {
1559 return werr;
1560 }
1561
1562 flags = DS_PDC_REQUIRED | DS_IS_FLAT_NAME | DS_RETURN_FLAT_NAME;
1563
1564 status = dsgetdcname(p->mem_ctx,
1565 smbd_messaging_context(),
1566 r->in.domainname,
1567 NULL,
1568 NULL,
1569 flags,
1570 &info);
1571 if (!NT_STATUS_IS_OK(status)) {
1572 return ntstatus_to_werror(status);
1573 }
1574
1575 *r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
1576 talloc_free(info);
1577 if (!*r->out.dcname) {
1578 return WERR_NOMEM;
1579 }
1580
1581 return WERR_OK;
1582 }
1583
1584 /****************************************************************
1585 _netr_GetAnyDCName
1586 ****************************************************************/
1587
1588 WERROR _netr_GetAnyDCName(pipes_struct *p,
1589 struct netr_GetAnyDCName *r)
1590 {
1591 NTSTATUS status;
1592 WERROR werr;
1593 uint32_t flags;
1594 struct netr_DsRGetDCNameInfo *info;
1595 bool ret;
1596
1597 ret = wb_getdcname(p->mem_ctx,
1598 r->in.domainname,
1599 r->out.dcname,
1600 WBC_LOOKUP_DC_IS_FLAT_NAME |
1601 WBC_LOOKUP_DC_RETURN_FLAT_NAME,
1602 &werr);
1603 if (ret == true) {
1604 return werr;
1605 }
1606
1607 flags = DS_IS_FLAT_NAME | DS_RETURN_FLAT_NAME;
1608
1609 status = dsgetdcname(p->mem_ctx,
1610 smbd_messaging_context(),
1611 r->in.domainname,
1612 NULL,
1613 NULL,
1614 flags,
1615 &info);
1616 if (!NT_STATUS_IS_OK(status)) {
1617 return ntstatus_to_werror(status);
1618 }
1619
1620 *r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
1621 talloc_free(info);
1622 if (!*r->out.dcname) {
1623 return WERR_NOMEM;
1624 }
1625
1626 return WERR_OK;
1627 }
1628
1629 /****************************************************************
1630 ****************************************************************/
1631
1632 NTSTATUS _netr_DatabaseSync2(pipes_struct *p,
1633 struct netr_DatabaseSync2 *r)
1634 {
1635 p->rng_fault_state = true;
1636 return NT_STATUS_NOT_IMPLEMENTED;
1637 }
1638
1639 /****************************************************************
1640 ****************************************************************/
1641
1642 NTSTATUS _netr_DatabaseRedo(pipes_struct *p,
1643 struct netr_DatabaseRedo *r)
1644 {
1645 p->rng_fault_state = true;
1646 return NT_STATUS_NOT_IMPLEMENTED;
1647 }
1648
1649 /****************************************************************
1650 ****************************************************************/
1651
1652 WERROR _netr_DsRGetDCName(pipes_struct *p,
1653 struct netr_DsRGetDCName *r)
1654 {
1655 p->rng_fault_state = true;
1656 return WERR_NOT_SUPPORTED;
1657 }
1658
1659 /****************************************************************
1660 ****************************************************************/
1661
1662 NTSTATUS _netr_LogonGetCapabilities(pipes_struct *p,
1663 struct netr_LogonGetCapabilities *r)
1664 {
1665 return NT_STATUS_NOT_IMPLEMENTED;
1666 }
1667
1668 /****************************************************************
1669 ****************************************************************/
1670
1671 WERROR _netr_NETRLOGONSETSERVICEBITS(pipes_struct *p,
1672 struct netr_NETRLOGONSETSERVICEBITS *r)
1673 {
1674 p->rng_fault_state = true;
1675 return WERR_NOT_SUPPORTED;
1676 }
1677
1678 /****************************************************************
1679 ****************************************************************/
1680
1681 WERROR _netr_LogonGetTrustRid(pipes_struct *p,
1682 struct netr_LogonGetTrustRid *r)
1683 {
1684 p->rng_fault_state = true;
1685 return WERR_NOT_SUPPORTED;
1686 }
1687
1688 /****************************************************************
1689 ****************************************************************/
1690
1691 WERROR _netr_NETRLOGONCOMPUTESERVERDIGEST(pipes_struct *p,
1692 struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
1693 {
1694 p->rng_fault_state = true;
1695 return WERR_NOT_SUPPORTED;
1696 }
1697
1698 /****************************************************************
1699 ****************************************************************/
1700
1701 WERROR _netr_NETRLOGONCOMPUTECLIENTDIGEST(pipes_struct *p,
1702 struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
1703 {
1704 p->rng_fault_state = true;
1705 return WERR_NOT_SUPPORTED;
1706 }
1707
1708 /****************************************************************
1709 ****************************************************************/
1710
1711 WERROR _netr_DsRGetDCNameEx(pipes_struct *p,
1712 struct netr_DsRGetDCNameEx *r)
1713 {
1714 p->rng_fault_state = true;
1715 return WERR_NOT_SUPPORTED;
1716 }
1717
1718 /****************************************************************
1719 ****************************************************************/
1720
1721 WERROR _netr_DsRGetSiteName(pipes_struct *p,
1722 struct netr_DsRGetSiteName *r)
1723 {
1724 p->rng_fault_state = true;
1725 return WERR_NOT_SUPPORTED;
1726 }
1727
1728 /****************************************************************
1729 ****************************************************************/
1730
1731 NTSTATUS _netr_LogonGetDomainInfo(pipes_struct *p,
1732 struct netr_LogonGetDomainInfo *r)
1733 {
1734 p->rng_fault_state = true;
1735 return NT_STATUS_NOT_IMPLEMENTED;
1736 }
1737
1738 /****************************************************************
1739 ****************************************************************/
1740
1741 WERROR _netr_ServerPasswordGet(pipes_struct *p,
1742 struct netr_ServerPasswordGet *r)
1743 {
1744 p->rng_fault_state = true;
1745 return WERR_NOT_SUPPORTED;
1746 }
1747
1748 /****************************************************************
1749 ****************************************************************/
1750
1751 WERROR _netr_NETRLOGONSENDTOSAM(pipes_struct *p,
1752 struct netr_NETRLOGONSENDTOSAM *r)
1753 {
1754 p->rng_fault_state = true;
1755 return WERR_NOT_SUPPORTED;
1756 }
1757
1758 /****************************************************************
1759 ****************************************************************/
1760
1761 WERROR _netr_DsRAddressToSitenamesW(pipes_struct *p,
1762 struct netr_DsRAddressToSitenamesW *r)
1763 {
1764 p->rng_fault_state = true;
1765 return WERR_NOT_SUPPORTED;
1766 }
1767
1768 /****************************************************************
1769 ****************************************************************/
1770
1771 WERROR _netr_DsRGetDCNameEx2(pipes_struct *p,
1772 struct netr_DsRGetDCNameEx2 *r)
1773 {
1774 p->rng_fault_state = true;
1775 return WERR_NOT_SUPPORTED;
1776 }
1777
1778 /****************************************************************
1779 ****************************************************************/
1780
1781 WERROR _netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(pipes_struct *p,
1782 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
1783 {
1784 p->rng_fault_state = true;
1785 return WERR_NOT_SUPPORTED;
1786 }
1787
1788 /****************************************************************
1789 ****************************************************************/
1790
1791 WERROR _netr_NetrEnumerateTrustedDomainsEx(pipes_struct *p,
1792 struct netr_NetrEnumerateTrustedDomainsEx *r)
1793 {
1794 p->rng_fault_state = true;
1795 return WERR_NOT_SUPPORTED;
1796 }
1797
1798 /****************************************************************
1799 ****************************************************************/
1800
1801 WERROR _netr_DsRAddressToSitenamesExW(pipes_struct *p,
1802 struct netr_DsRAddressToSitenamesExW *r)
1803 {
1804 p->rng_fault_state = true;
1805 return WERR_NOT_SUPPORTED;
1806 }
1807
1808 /****************************************************************
1809 ****************************************************************/
1810
1811 WERROR _netr_DsrGetDcSiteCoverageW(pipes_struct *p,
1812 struct netr_DsrGetDcSiteCoverageW *r)
1813 {
1814 p->rng_fault_state = true;
1815 return WERR_NOT_SUPPORTED;
1816 }
1817
1818 /****************************************************************
1819 ****************************************************************/
1820
1821 WERROR _netr_DsrEnumerateDomainTrusts(pipes_struct *p,
1822 struct netr_DsrEnumerateDomainTrusts *r)
1823 {
1824 p->rng_fault_state = true;
1825 return WERR_NOT_SUPPORTED;
1826 }
1827
1828 /****************************************************************
1829 ****************************************************************/
1830
1831 WERROR _netr_DsrDeregisterDNSHostRecords(pipes_struct *p,
1832 struct netr_DsrDeregisterDNSHostRecords *r)
1833 {
1834 p->rng_fault_state = true;
1835 return WERR_NOT_SUPPORTED;
1836 }
1837
1838 /****************************************************************
1839 ****************************************************************/
1840
1841 NTSTATUS _netr_ServerTrustPasswordsGet(pipes_struct *p,
1842 struct netr_ServerTrustPasswordsGet *r)
1843 {
1844 p->rng_fault_state = true;
1845 return NT_STATUS_NOT_IMPLEMENTED;
1846 }
1847
1848 /****************************************************************
1849 ****************************************************************/
1850
1851 WERROR _netr_DsRGetForestTrustInformation(pipes_struct *p,
1852 struct netr_DsRGetForestTrustInformation *r)
1853 {
1854 p->rng_fault_state = true;
1855 return WERR_NOT_SUPPORTED;
1856 }
1857
1858 /****************************************************************
1859 ****************************************************************/
1860
1861 NTSTATUS _netr_GetForestTrustInformation(pipes_struct *p,
1862 struct netr_GetForestTrustInformation *r)
1863 {
1864 p->rng_fault_state = true;
1865 return NT_STATUS_NOT_IMPLEMENTED;
1866 }
1867
1868 /****************************************************************
1869 ****************************************************************/
1870
1871 NTSTATUS _netr_ServerGetTrustInfo(pipes_struct *p,
1872 struct netr_ServerGetTrustInfo *r)
1873 {
1874 p->rng_fault_state = true;
1875 return NT_STATUS_NOT_IMPLEMENTED;
1876 }
1877
Eduardo's samba4 branches