2 Unix SMB/CIFS implementation.
4 Do a netr_LogonSamLogon to a remote DC
6 Copyright (C) Volker Lendecke 2005
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
8 Copyright (C) Stefan Metzmacher 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "libcli/composite/composite.h"
27 #include "winbind/wb_server.h"
28 #include "smbd/service_task.h"
29 #include "auth/credentials/credentials.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon.h"
32 #include "librpc/gen_ndr/ndr_netlogon_c.h"
33 #include "librpc/gen_ndr/winbind.h"
35 struct wb_sam_logon_state
{
36 struct composite_context
*ctx
;
38 struct winbind_SamLogon
*req
;
40 struct creds_CredentialState
*creds_state
;
41 struct netr_Authenticator auth1
, auth2
;
43 TALLOC_CTX
*r_mem_ctx
;
44 struct netr_LogonSamLogon r
;
47 static void wb_sam_logon_recv_domain(struct composite_context
*ctx
);
48 static void wb_sam_logon_recv_samlogon(struct rpc_request
*req
);
51 Find the connection to the DC (or find an existing connection)
53 struct composite_context
*wb_sam_logon_send(TALLOC_CTX
*mem_ctx
,
54 struct wbsrv_service
*service
,
55 struct winbind_SamLogon
*req
)
57 struct composite_context
*c
, *creq
;
58 struct wb_sam_logon_state
*s
;
60 c
= composite_create(mem_ctx
, service
->task
->event_ctx
);
63 s
= talloc_zero(c
, struct wb_sam_logon_state
);
64 if (composite_nomem(s
, c
)) return c
;
70 creq
= wb_sid2domain_send(s
, service
, service
->primary_sid
);
71 composite_continue(c
, creq
, wb_sam_logon_recv_domain
, s
);
76 Finish the connection to the DC
77 Send of a SamLogon request to authenticate a user.
79 static void wb_sam_logon_recv_domain(struct composite_context
*creq
)
81 struct wb_sam_logon_state
*s
= talloc_get_type(creq
->async
.private_data
,
82 struct wb_sam_logon_state
);
83 struct rpc_request
*req
;
84 struct wbsrv_domain
*domain
;
86 s
->ctx
->status
= wb_sid2domain_recv(creq
, &domain
);
87 if (!composite_is_ok(s
->ctx
)) return;
89 s
->creds_state
= cli_credentials_get_netlogon_creds(domain
->schannel_creds
);
90 creds_client_authenticator(s
->creds_state
, &s
->auth1
);
92 s
->r
.in
.server_name
= talloc_asprintf(s
, "\\\\%s",
93 dcerpc_server_name(domain
->netlogon_pipe
));
94 if (composite_nomem(s
->r
.in
.server_name
, s
->ctx
)) return;
96 s
->r
.in
.computer_name
= cli_credentials_get_workstation(domain
->schannel_creds
);
97 s
->r
.in
.credential
= &s
->auth1
;
98 s
->r
.in
.return_authenticator
= &s
->auth2
;
99 s
->r
.in
.logon_level
= s
->req
->in
.logon_level
;
100 s
->r
.in
.logon
= s
->req
->in
.logon
;
101 s
->r
.in
.validation_level
= s
->req
->in
.validation_level
;
102 s
->r
.out
.return_authenticator
= NULL
;
105 * use a new talloc context for the LogonSamLogon call
106 * because then we can just to a talloc_steal on this context
107 * in the final _recv() function to give the caller all the content of
108 * the s->r.out.validation
110 s
->r_mem_ctx
= talloc_new(s
);
111 if (composite_nomem(s
->r_mem_ctx
, s
->ctx
)) return;
113 req
= dcerpc_netr_LogonSamLogon_send(domain
->netlogon_pipe
, s
->r_mem_ctx
, &s
->r
);
114 composite_continue_rpc(s
->ctx
, req
, wb_sam_logon_recv_samlogon
, s
);
120 Check the SamLogon reply and decrypt the session keys
122 static void wb_sam_logon_recv_samlogon(struct rpc_request
*req
)
124 struct wb_sam_logon_state
*s
= talloc_get_type(req
->async
.private,
125 struct wb_sam_logon_state
);
127 s
->ctx
->status
= dcerpc_ndr_request_recv(req
);
128 if (!composite_is_ok(s
->ctx
)) return;
130 s
->ctx
->status
= s
->r
.out
.result
;
131 if (!composite_is_ok(s
->ctx
)) return;
133 if ((s
->r
.out
.return_authenticator
== NULL
) ||
134 (!creds_client_check(s
->creds_state
,
135 &s
->r
.out
.return_authenticator
->cred
))) {
136 DEBUG(0, ("Credentials check failed!\n"));
137 composite_error(s
->ctx
, NT_STATUS_ACCESS_DENIED
);
141 /* Decrypt the session keys before we reform the info3, so the
142 * person on the other end of winbindd pipe doesn't have to.
143 * They won't have the encryption key anyway */
144 creds_decrypt_samlogon(s
->creds_state
,
145 s
->r
.in
.validation_level
,
146 &s
->r
.out
.validation
);
148 composite_done(s
->ctx
);
151 NTSTATUS
wb_sam_logon_recv(struct composite_context
*c
,
153 struct winbind_SamLogon
*req
)
155 struct wb_sam_logon_state
*s
= talloc_get_type(c
->private_data
,
156 struct wb_sam_logon_state
);
157 NTSTATUS status
= composite_wait(c
);
159 if (NT_STATUS_IS_OK(status
)) {
160 talloc_steal(mem_ctx
, s
->r_mem_ctx
);
161 req
->out
.validation
= s
->r
.out
.validation
;
162 req
->out
.authoritative
= 1;