2 Unix SMB/CIFS implementation.
4 A composite API for initializing a domain
6 Copyright (C) Volker Lendecke 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "libcli/composite/composite.h"
25 #include "libcli/smb_composite/smb_composite.h"
26 #include "winbind/wb_server.h"
27 #include "winbind/wb_async_helpers.h"
28 #include "winbind/wb_helper.h"
29 #include "smbd/service_task.h"
30 #include "librpc/gen_ndr/ndr_netlogon.h"
31 #include "librpc/gen_ndr/ndr_lsa_c.h"
33 #include "libcli/auth/credentials.h"
34 #include "libcli/security/security.h"
36 #include "libcli/ldap/ldap_client.h"
38 #include "auth/credentials/credentials.h"
41 * Initialize a domain:
43 * - With schannel credentials, try to open the SMB connection with the
44 * machine creds. This works against W2k3SP1 with an NTLMSSP session
45 * setup. Fall back to anonymous.
47 * - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
50 * - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
51 * to schannel and then to anon bind.
53 * - With queryinfopolicy, verify that we're talking to the right domain
55 * A bit complex, but with all the combinations I think it's the best we can
56 * get. NT4, W2k3 and W2k all have different combinations, but in the end we
57 * have a signed&sealed lsa connection on all of them.
59 * Not sure if it is overkill, but it seems to work.
62 struct init_domain_state
{
63 struct composite_context
*ctx
;
64 struct wbsrv_domain
*domain
;
65 struct wbsrv_service
*service
;
67 struct smb_composite_connect conn
;
69 struct lsa_QueryInfoPolicy queryinfo
;
72 static void init_domain_recv_tree(struct composite_context
*ctx
);
73 static void init_domain_recv_netlogoncreds(struct composite_context
*ctx
);
74 static void init_domain_recv_netlogonpipe(struct composite_context
*ctx
);
75 static void init_domain_recv_schannel(struct composite_context
*ctx
);
76 static void init_domain_recv_lsa(struct composite_context
*ctx
);
77 static void init_domain_recv_queryinfo(struct rpc_request
*req
);
78 static void init_domain_recv_ldapconn(struct composite_context
*ctx
);
79 static void init_domain_recv_samr(struct composite_context
*ctx
);
81 struct composite_context
*wb_init_domain_send(TALLOC_CTX
*mem_ctx
,
82 struct wbsrv_service
*service
,
83 struct wb_dom_info
*dom_info
)
85 struct composite_context
*result
, *ctx
;
86 struct init_domain_state
*state
;
88 result
= talloc(mem_ctx
, struct composite_context
);
89 if (result
== NULL
) goto failed
;
90 result
->state
= COMPOSITE_STATE_IN_PROGRESS
;
91 result
->async
.fn
= NULL
;
92 result
->event_ctx
= service
->task
->event_ctx
;
94 state
= talloc_zero(result
, struct init_domain_state
);
95 if (state
== NULL
) goto failed
;
97 result
->private_data
= state
;
99 state
->service
= service
;
101 state
->domain
= talloc(state
, struct wbsrv_domain
);
102 if (state
->domain
== NULL
) goto failed
;
104 state
->domain
->info
= talloc_reference(state
->domain
, dom_info
);
105 if (state
->domain
->info
== NULL
) goto failed
;
107 state
->domain
->schannel_creds
= cli_credentials_init(state
->domain
);
108 if (state
->domain
->schannel_creds
== NULL
) goto failed
;
110 cli_credentials_set_conf(state
->domain
->schannel_creds
);
112 cli_credentials_set_machine_account(state
->domain
->
114 if (!NT_STATUS_IS_OK(state
->ctx
->status
)) goto failed
;
116 state
->conn
.in
.dest_host
= dom_info
->dc_address
;
117 state
->conn
.in
.port
= 0;
118 state
->conn
.in
.called_name
= dom_info
->dc_name
;
119 state
->conn
.in
.service
= "IPC$";
120 state
->conn
.in
.service_type
= "IPC";
121 state
->conn
.in
.workgroup
= dom_info
->name
;
122 state
->conn
.in
.credentials
= state
->domain
->schannel_creds
;
124 state
->conn
.in
.fallback_to_anonymous
= True
;
126 ctx
= smb_composite_connect_send(&state
->conn
, state
->domain
,
128 if (ctx
== NULL
) goto failed
;
130 ctx
->async
.fn
= init_domain_recv_tree
;
131 ctx
->async
.private_data
= state
;
139 static void init_domain_recv_tree(struct composite_context
*ctx
)
141 struct init_domain_state
*state
=
142 talloc_get_type(ctx
->async
.private_data
,
143 struct init_domain_state
);
144 state
->ctx
->status
= smb_composite_connect_recv(ctx
, state
);
145 if (!composite_is_ok(state
->ctx
)) return;
147 if ((state
->domain
->schannel_creds
!= NULL
) &&
148 (!cli_credentials_is_anonymous(state
->domain
->schannel_creds
)) &&
149 ((lp_server_role() == ROLE_DOMAIN_MEMBER
) &&
150 (dom_sid_equal(state
->domain
->info
->sid
,
151 state
->service
->primary_sid
)))) {
152 ctx
= wb_get_schannel_creds_send(state
,
153 state
->domain
->schannel_creds
,
154 state
->conn
.out
.tree
,
155 state
->ctx
->event_ctx
);
156 composite_continue(state
->ctx
, ctx
,
157 init_domain_recv_netlogoncreds
, state
);
161 ctx
= wb_connect_lsa_send(state
, state
->conn
.out
.tree
, NULL
);
162 composite_continue(state
->ctx
, ctx
, init_domain_recv_lsa
, state
);
165 static void init_domain_recv_netlogoncreds(struct composite_context
*ctx
)
167 struct init_domain_state
*state
=
168 talloc_get_type(ctx
->async
.private_data
,
169 struct init_domain_state
);
170 struct dcerpc_pipe
*auth2_pipe
;
171 struct smbcli_tree
*tree
= NULL
;
174 wb_get_schannel_creds_recv(ctx
, state
, &auth2_pipe
);
175 if (!composite_is_ok(state
->ctx
)) return;
177 if (!lp_winbind_sealed_pipes()) {
178 state
->domain
->netlogon_pipe
= talloc_reference(state
->domain
,
180 ctx
= wb_connect_lsa_send(state
, state
->conn
.out
.tree
, NULL
);
181 composite_continue(state
->ctx
, ctx
, init_domain_recv_lsa
,
186 state
->domain
->netlogon_pipe
=
187 dcerpc_pipe_init(state
->domain
, state
->ctx
->event_ctx
);
188 if (composite_nomem(state
->domain
->netlogon_pipe
, state
->ctx
)) return;
190 tree
= dcerpc_smb_tree(auth2_pipe
->conn
);
192 composite_error(state
->ctx
, NT_STATUS_INTERNAL_ERROR
);
196 ctx
= dcerpc_pipe_open_smb_send(state
->domain
->netlogon_pipe
,
198 composite_continue(state
->ctx
, ctx
, init_domain_recv_netlogonpipe
,
202 static void init_domain_recv_netlogonpipe(struct composite_context
*ctx
)
204 struct init_domain_state
*state
=
205 talloc_get_type(ctx
->async
.private_data
,
206 struct init_domain_state
);
208 state
->ctx
->status
= dcerpc_pipe_open_smb_recv(ctx
);
209 if (!composite_is_ok(state
->ctx
)) return;
211 state
->domain
->netlogon_pipe
->conn
->flags
|=
212 (DCERPC_SIGN
| DCERPC_SEAL
);
213 ctx
= dcerpc_bind_auth_send(state
, state
->domain
->netlogon_pipe
,
214 &dcerpc_table_netlogon
,
215 state
->domain
->schannel_creds
,
216 DCERPC_AUTH_TYPE_SCHANNEL
,
217 DCERPC_AUTH_LEVEL_PRIVACY
,
219 composite_continue(state
->ctx
, ctx
, init_domain_recv_schannel
, state
);
222 static void init_domain_recv_schannel(struct composite_context
*ctx
)
224 struct init_domain_state
*state
=
225 talloc_get_type(ctx
->async
.private_data
,
226 struct init_domain_state
);
228 state
->ctx
->status
= dcerpc_bind_auth_recv(ctx
);
229 if (!composite_is_ok(state
->ctx
)) return;
231 ctx
= wb_connect_lsa_send(state
, state
->conn
.out
.tree
,
232 state
->domain
->schannel_creds
);
233 composite_continue(state
->ctx
, ctx
, init_domain_recv_lsa
, state
);
236 static void init_domain_recv_lsa(struct composite_context
*ctx
)
238 struct init_domain_state
*state
=
239 talloc_get_type(ctx
->async
.private_data
,
240 struct init_domain_state
);
242 struct rpc_request
*req
;
244 state
->ctx
->status
= wb_connect_lsa_recv(ctx
, state
->domain
,
245 &state
->domain
->lsa_auth_type
,
246 &state
->domain
->lsa_pipe
,
247 &state
->domain
->lsa_policy
);
248 if (!composite_is_ok(state
->ctx
)) return;
250 /* Give the tree to the pipes. */
251 talloc_unlink(state
, state
->conn
.out
.tree
);
253 state
->queryinfo
.in
.handle
= state
->domain
->lsa_policy
;
254 state
->queryinfo
.in
.level
= LSA_POLICY_INFO_ACCOUNT_DOMAIN
;
256 req
= dcerpc_lsa_QueryInfoPolicy_send(state
->domain
->lsa_pipe
, state
,
258 composite_continue_rpc(state
->ctx
, req
,
259 init_domain_recv_queryinfo
, state
);
262 static void init_domain_recv_queryinfo(struct rpc_request
*req
)
264 struct init_domain_state
*state
=
265 talloc_get_type(req
->async
.private, struct init_domain_state
);
266 struct lsa_DomainInfo
*dominfo
;
267 struct composite_context
*ctx
;
268 const char *ldap_url
;
270 state
->ctx
->status
= dcerpc_ndr_request_recv(req
);
271 if (!composite_is_ok(state
->ctx
)) return;
272 state
->ctx
->status
= state
->queryinfo
.out
.result
;
273 if (!composite_is_ok(state
->ctx
)) return;
275 dominfo
= &state
->queryinfo
.out
.info
->account_domain
;
277 if (strcasecmp(state
->domain
->info
->name
, dominfo
->name
.string
) != 0) {
278 DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
279 state
->domain
->info
->name
,
280 dcerpc_server_name(state
->domain
->lsa_pipe
),
281 dominfo
->name
.string
));
282 composite_error(state
->ctx
, NT_STATUS_INVALID_DOMAIN_STATE
);
286 if (!dom_sid_equal(state
->domain
->info
->sid
, dominfo
->sid
)) {
287 DEBUG(2, ("Expected domain sid %s, DC %s said %s\n",
288 dom_sid_string(state
, state
->domain
->info
->sid
),
289 dcerpc_server_name(state
->domain
->lsa_pipe
),
290 dom_sid_string(state
, dominfo
->sid
)));
291 composite_error(state
->ctx
, NT_STATUS_INVALID_DOMAIN_STATE
);
295 state
->domain
->ldap_conn
=
296 ldap4_new_connection(state
->domain
, state
->ctx
->event_ctx
);
297 composite_nomem(state
->domain
->ldap_conn
, state
->ctx
);
299 ldap_url
= talloc_asprintf(state
, "ldap://%s/",
300 state
->domain
->info
->dc_address
);
301 composite_nomem(ldap_url
, state
->ctx
);
303 ctx
= ldap_connect_send(state
->domain
->ldap_conn
, ldap_url
);
304 composite_continue(state
->ctx
, ctx
, init_domain_recv_ldapconn
, state
);
307 static void init_domain_recv_ldapconn(struct composite_context
*ctx
)
309 struct init_domain_state
*state
=
310 talloc_get_type(ctx
->async
.private_data
,
311 struct init_domain_state
);
313 state
->ctx
->status
= ldap_connect_recv(ctx
);
314 if (NT_STATUS_IS_OK(state
->ctx
->status
)) {
315 state
->domain
->ldap_conn
->host
=
316 talloc_strdup(state
->domain
->ldap_conn
,
317 state
->domain
->info
->dc_name
);
319 ldap_bind_sasl(state
->domain
->ldap_conn
,
320 state
->domain
->schannel_creds
);
321 DEBUG(0, ("ldap_bind returned %s\n",
322 nt_errstr(state
->ctx
->status
)));
325 state
->domain
->samr_pipe
=
326 dcerpc_pipe_init(state
->domain
, state
->ctx
->event_ctx
);
327 if (composite_nomem(state
->domain
->samr_pipe
, state
->ctx
)) return;
329 ctx
= wb_connect_sam_send(state
, state
->conn
.out
.tree
,
330 state
->domain
->lsa_auth_type
,
331 state
->domain
->schannel_creds
,
332 state
->domain
->info
->sid
);
333 composite_continue(state
->ctx
, ctx
, init_domain_recv_samr
, state
);
336 static void init_domain_recv_samr(struct composite_context
*ctx
)
338 struct init_domain_state
*state
=
339 talloc_get_type(ctx
->async
.private_data
,
340 struct init_domain_state
);
342 state
->ctx
->status
= wb_connect_sam_recv(
343 ctx
, state
->domain
, &state
->domain
->samr_pipe
,
344 &state
->domain
->samr_handle
, &state
->domain
->domain_handle
);
345 if (!composite_is_ok(state
->ctx
)) return;
347 composite_done(state
->ctx
);
350 NTSTATUS
wb_init_domain_recv(struct composite_context
*c
,
352 struct wbsrv_domain
**result
)
354 NTSTATUS status
= composite_wait(c
);
355 if (NT_STATUS_IS_OK(status
)) {
356 struct init_domain_state
*state
=
357 talloc_get_type(c
->private_data
,
358 struct init_domain_state
);
359 *result
= talloc_steal(mem_ctx
, state
->domain
);
365 NTSTATUS
wb_init_domain(TALLOC_CTX
*mem_ctx
, struct wbsrv_service
*service
,
366 struct wb_dom_info
*dom_info
,
367 struct wbsrv_domain
**result
)
369 struct composite_context
*c
=
370 wb_init_domain_send(mem_ctx
, service
, dom_info
);
371 return wb_init_domain_recv(c
, mem_ctx
, result
);