search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r21729: Some more tests
[Samba/ekacnet.git] / source4 / winbind / wb_init_domain.c
blob8700dd637e5c0a3c670081c4063e69c27b733de9
1 /*
2 Unix SMB/CIFS implementation.
3
4 A composite API for initializing a domain
5
6 Copyright (C) Volker Lendecke 2005
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 #include "libcli/composite/composite.h"
25 #include "libcli/smb_composite/smb_composite.h"
26 #include "winbind/wb_server.h"
27 #include "winbind/wb_async_helpers.h"
28 #include "winbind/wb_helper.h"
29 #include "smbd/service_task.h"
30 #include "librpc/gen_ndr/ndr_netlogon.h"
31 #include "librpc/gen_ndr/ndr_lsa_c.h"
32
33 #include "libcli/auth/credentials.h"
34 #include "libcli/security/security.h"
35
36 #include "libcli/ldap/ldap_client.h"
37
38 #include "auth/credentials/credentials.h"
39
40 /*
41 * Initialize a domain:
42 *
43 * - With schannel credentials, try to open the SMB connection with the
44 * machine creds. This works against W2k3SP1 with an NTLMSSP session
45 * setup. Fall back to anonymous.
46 *
47 * - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
48 * pipe.
49 *
50 * - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
51 * to schannel and then to anon bind.
52 *
53 * - With queryinfopolicy, verify that we're talking to the right domain
54 *
55 * A bit complex, but with all the combinations I think it's the best we can
56 * get. NT4, W2k3 and W2k all have different combinations, but in the end we
57 * have a signed&sealed lsa connection on all of them.
58 *
59 * Not sure if it is overkill, but it seems to work.
60 */
61
62 struct init_domain_state {
63 struct composite_context *ctx;
64 struct wbsrv_domain *domain;
65 struct wbsrv_service *service;
66
67 struct smb_composite_connect conn;
68
69 struct lsa_QueryInfoPolicy queryinfo;
70 };
71
72 static void init_domain_recv_tree(struct composite_context *ctx);
73 static void init_domain_recv_netlogoncreds(struct composite_context *ctx);
74 static void init_domain_recv_netlogonpipe(struct composite_context *ctx);
75 static void init_domain_recv_schannel(struct composite_context *ctx);
76 static void init_domain_recv_lsa(struct composite_context *ctx);
77 static void init_domain_recv_queryinfo(struct rpc_request *req);
78 static void init_domain_recv_ldapconn(struct composite_context *ctx);
79 static void init_domain_recv_samr(struct composite_context *ctx);
80
81 struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx,
82 struct wbsrv_service *service,
83 struct wb_dom_info *dom_info)
84 {
85 struct composite_context *result, *ctx;
86 struct init_domain_state *state;
87
88 result = talloc(mem_ctx, struct composite_context);
89 if (result == NULL) goto failed;
90 result->state = COMPOSITE_STATE_IN_PROGRESS;
91 result->async.fn = NULL;
92 result->event_ctx = service->task->event_ctx;
93
94 state = talloc_zero(result, struct init_domain_state);
95 if (state == NULL) goto failed;
96 state->ctx = result;
97 result->private_data = state;
98
99 state->service = service;
100
101 state->domain = talloc(state, struct wbsrv_domain);
102 if (state->domain == NULL) goto failed;
103
104 state->domain->info = talloc_reference(state->domain, dom_info);
105 if (state->domain->info == NULL) goto failed;
106
107 state->domain->schannel_creds = cli_credentials_init(state->domain);
108 if (state->domain->schannel_creds == NULL) goto failed;
109
110 cli_credentials_set_conf(state->domain->schannel_creds);
111 state->ctx->status =
112 cli_credentials_set_machine_account(state->domain->
113 schannel_creds);
114 if (!NT_STATUS_IS_OK(state->ctx->status)) goto failed;
115
116 state->conn.in.dest_host = dom_info->dc_address;
117 state->conn.in.port = 0;
118 state->conn.in.called_name = dom_info->dc_name;
119 state->conn.in.service = "IPC$";
120 state->conn.in.service_type = "IPC";
121 state->conn.in.workgroup = dom_info->name;
122 state->conn.in.credentials = state->domain->schannel_creds;
123
124 state->conn.in.fallback_to_anonymous = True;
125
126 ctx = smb_composite_connect_send(&state->conn, state->domain,
127 result->event_ctx);
128 if (ctx == NULL) goto failed;
129
130 ctx->async.fn = init_domain_recv_tree;
131 ctx->async.private_data = state;
132 return result;
133
134 failed:
135 talloc_free(result);
136 return NULL;
137 }
138
139 static void init_domain_recv_tree(struct composite_context *ctx)
140 {
141 struct init_domain_state *state =
142 talloc_get_type(ctx->async.private_data,
143 struct init_domain_state);
144 state->ctx->status = smb_composite_connect_recv(ctx, state);
145 if (!composite_is_ok(state->ctx)) return;
146
147 if ((state->domain->schannel_creds != NULL) &&
148 (!cli_credentials_is_anonymous(state->domain->schannel_creds)) &&
149 ((lp_server_role() == ROLE_DOMAIN_MEMBER) &&
150 (dom_sid_equal(state->domain->info->sid,
151 state->service->primary_sid)))) {
152 ctx = wb_get_schannel_creds_send(state,
153 state->domain->schannel_creds,
154 state->conn.out.tree,
155 state->ctx->event_ctx);
156 composite_continue(state->ctx, ctx,
157 init_domain_recv_netlogoncreds, state);
158 return;
159 }
160
161 ctx = wb_connect_lsa_send(state, state->conn.out.tree, NULL);
162 composite_continue(state->ctx, ctx, init_domain_recv_lsa, state);
163 }
164
165 static void init_domain_recv_netlogoncreds(struct composite_context *ctx)
166 {
167 struct init_domain_state *state =
168 talloc_get_type(ctx->async.private_data,
169 struct init_domain_state);
170 struct dcerpc_pipe *auth2_pipe;
171 struct smbcli_tree *tree = NULL;
172
173 state->ctx->status =
174 wb_get_schannel_creds_recv(ctx, state, &auth2_pipe);
175 if (!composite_is_ok(state->ctx)) return;
176
177 if (!lp_winbind_sealed_pipes()) {
178 state->domain->netlogon_pipe = talloc_reference(state->domain,
179 auth2_pipe);
180 ctx = wb_connect_lsa_send(state, state->conn.out.tree, NULL);
181 composite_continue(state->ctx, ctx, init_domain_recv_lsa,
182 state);
183 return;
184 }
185
186 state->domain->netlogon_pipe =
187 dcerpc_pipe_init(state->domain, state->ctx->event_ctx);
188 if (composite_nomem(state->domain->netlogon_pipe, state->ctx)) return;
189
190 tree = dcerpc_smb_tree(auth2_pipe->conn);
191 if (tree == NULL) {
192 composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR);
193 return;
194 }
195
196 ctx = dcerpc_pipe_open_smb_send(state->domain->netlogon_pipe,
197 tree, "\\netlogon");
198 composite_continue(state->ctx, ctx, init_domain_recv_netlogonpipe,
199 state);
200 }
201
202 static void init_domain_recv_netlogonpipe(struct composite_context *ctx)
203 {
204 struct init_domain_state *state =
205 talloc_get_type(ctx->async.private_data,
206 struct init_domain_state);
207
208 state->ctx->status = dcerpc_pipe_open_smb_recv(ctx);
209 if (!composite_is_ok(state->ctx)) return;
210
211 state->domain->netlogon_pipe->conn->flags |=
212 (DCERPC_SIGN | DCERPC_SEAL);
213 ctx = dcerpc_bind_auth_send(state, state->domain->netlogon_pipe,
214 &dcerpc_table_netlogon,
215 state->domain->schannel_creds,
216 DCERPC_AUTH_TYPE_SCHANNEL,
217 DCERPC_AUTH_LEVEL_PRIVACY,
218 NULL);
219 composite_continue(state->ctx, ctx, init_domain_recv_schannel, state);
220 }
221
222 static void init_domain_recv_schannel(struct composite_context *ctx)
223 {
224 struct init_domain_state *state =
225 talloc_get_type(ctx->async.private_data,
226 struct init_domain_state);
227
228 state->ctx->status = dcerpc_bind_auth_recv(ctx);
229 if (!composite_is_ok(state->ctx)) return;
230
231 ctx = wb_connect_lsa_send(state, state->conn.out.tree,
232 state->domain->schannel_creds);
233 composite_continue(state->ctx, ctx, init_domain_recv_lsa, state);
234 }
235
236 static void init_domain_recv_lsa(struct composite_context *ctx)
237 {
238 struct init_domain_state *state =
239 talloc_get_type(ctx->async.private_data,
240 struct init_domain_state);
241
242 struct rpc_request *req;
243
244 state->ctx->status = wb_connect_lsa_recv(ctx, state->domain,
245 &state->domain->lsa_auth_type,
246 &state->domain->lsa_pipe,
247 &state->domain->lsa_policy);
248 if (!composite_is_ok(state->ctx)) return;
249
250 /* Give the tree to the pipes. */
251 talloc_unlink(state, state->conn.out.tree);
252
253 state->queryinfo.in.handle = state->domain->lsa_policy;
254 state->queryinfo.in.level = LSA_POLICY_INFO_ACCOUNT_DOMAIN;
255
256 req = dcerpc_lsa_QueryInfoPolicy_send(state->domain->lsa_pipe, state,
257 &state->queryinfo);
258 composite_continue_rpc(state->ctx, req,
259 init_domain_recv_queryinfo, state);
260 }
261
262 static void init_domain_recv_queryinfo(struct rpc_request *req)
263 {
264 struct init_domain_state *state =
265 talloc_get_type(req->async.private, struct init_domain_state);
266 struct lsa_DomainInfo *dominfo;
267 struct composite_context *ctx;
268 const char *ldap_url;
269
270 state->ctx->status = dcerpc_ndr_request_recv(req);
271 if (!composite_is_ok(state->ctx)) return;
272 state->ctx->status = state->queryinfo.out.result;
273 if (!composite_is_ok(state->ctx)) return;
274
275 dominfo = &state->queryinfo.out.info->account_domain;
276
277 if (strcasecmp(state->domain->info->name, dominfo->name.string) != 0) {
278 DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
279 state->domain->info->name,
280 dcerpc_server_name(state->domain->lsa_pipe),
281 dominfo->name.string));
282 composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
283 return;
284 }
285
286 if (!dom_sid_equal(state->domain->info->sid, dominfo->sid)) {
287 DEBUG(2, ("Expected domain sid %s, DC %s said %s\n",
288 dom_sid_string(state, state->domain->info->sid),
289 dcerpc_server_name(state->domain->lsa_pipe),
290 dom_sid_string(state, dominfo->sid)));
291 composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
292 return;
293 }
294
295 state->domain->ldap_conn =
296 ldap4_new_connection(state->domain, state->ctx->event_ctx);
297 composite_nomem(state->domain->ldap_conn, state->ctx);
298
299 ldap_url = talloc_asprintf(state, "ldap://%s/",
300 state->domain->info->dc_address);
301 composite_nomem(ldap_url, state->ctx);
302
303 ctx = ldap_connect_send(state->domain->ldap_conn, ldap_url);
304 composite_continue(state->ctx, ctx, init_domain_recv_ldapconn, state);
305 }
306
307 static void init_domain_recv_ldapconn(struct composite_context *ctx)
308 {
309 struct init_domain_state *state =
310 talloc_get_type(ctx->async.private_data,
311 struct init_domain_state);
312
313 state->ctx->status = ldap_connect_recv(ctx);
314 if (NT_STATUS_IS_OK(state->ctx->status)) {
315 state->domain->ldap_conn->host =
316 talloc_strdup(state->domain->ldap_conn,
317 state->domain->info->dc_name);
318 state->ctx->status =
319 ldap_bind_sasl(state->domain->ldap_conn,
320 state->domain->schannel_creds);
321 DEBUG(0, ("ldap_bind returned %s\n",
322 nt_errstr(state->ctx->status)));
323 }
324
325 state->domain->samr_pipe =
326 dcerpc_pipe_init(state->domain, state->ctx->event_ctx);
327 if (composite_nomem(state->domain->samr_pipe, state->ctx)) return;
328
329 ctx = wb_connect_sam_send(state, state->conn.out.tree,
330 state->domain->lsa_auth_type,
331 state->domain->schannel_creds,
332 state->domain->info->sid);
333 composite_continue(state->ctx, ctx, init_domain_recv_samr, state);
334 }
335
336 static void init_domain_recv_samr(struct composite_context *ctx)
337 {
338 struct init_domain_state *state =
339 talloc_get_type(ctx->async.private_data,
340 struct init_domain_state);
341
342 state->ctx->status = wb_connect_sam_recv(
343 ctx, state->domain, &state->domain->samr_pipe,
344 &state->domain->samr_handle, &state->domain->domain_handle);
345 if (!composite_is_ok(state->ctx)) return;
346
347 composite_done(state->ctx);
348 }
349
350 NTSTATUS wb_init_domain_recv(struct composite_context *c,
351 TALLOC_CTX *mem_ctx,
352 struct wbsrv_domain **result)
353 {
354 NTSTATUS status = composite_wait(c);
355 if (NT_STATUS_IS_OK(status)) {
356 struct init_domain_state *state =
357 talloc_get_type(c->private_data,
358 struct init_domain_state);
359 *result = talloc_steal(mem_ctx, state->domain);
360 }
361 talloc_free(c);
362 return status;
363 }
364
365 NTSTATUS wb_init_domain(TALLOC_CTX *mem_ctx, struct wbsrv_service *service,
366 struct wb_dom_info *dom_info,
367 struct wbsrv_domain **result)
368 {
369 struct composite_context *c =
370 wb_init_domain_send(mem_ctx, service, dom_info);
371 return wb_init_domain_recv(c, mem_ctx, result);
372 }