2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997.
7 * Copyright (C) Jeremy Allison 1998-2001.
8 * Copyright (C) Andrew Bartlett 2001.
9 * Copyright (C) Guenther Deschner 2008-2009.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 /* This is the implementation of the netlogon pipe. */
28 #include "../libcli/auth/schannel.h"
29 #include "../librpc/gen_ndr/srv_netlogon.h"
30 #include "../librpc/gen_ndr/srv_samr.h"
31 #include "../librpc/gen_ndr/srv_lsa.h"
32 #include "../librpc/gen_ndr/cli_samr.h"
33 #include "../librpc/gen_ndr/cli_lsa.h"
34 #include "rpc_client/cli_lsarpc.h"
35 #include "librpc/gen_ndr/messaging.h"
36 #include "../lib/crypto/md4.h"
38 extern userdom_struct current_user_info
;
41 #define DBGC_CLASS DBGC_RPC_SRV
43 struct netlogon_server_pipe_state
{
44 struct netr_Credential client_challenge
;
45 struct netr_Credential server_challenge
;
48 /*************************************************************************
50 *************************************************************************/
52 WERROR
_netr_LogonControl(struct pipes_struct
*p
,
53 struct netr_LogonControl
*r
)
55 struct netr_LogonControl2Ex l
;
57 switch (r
->in
.level
) {
61 return WERR_NOT_SUPPORTED
;
63 return WERR_UNKNOWN_LEVEL
;
66 l
.in
.logon_server
= r
->in
.logon_server
;
67 l
.in
.function_code
= r
->in
.function_code
;
68 l
.in
.level
= r
->in
.level
;
70 l
.out
.query
= r
->out
.query
;
72 return _netr_LogonControl2Ex(p
, &l
);
75 /****************************************************************************
76 Send a message to smbd to do a sam synchronisation
77 **************************************************************************/
79 static void send_sync_message(void)
81 DEBUG(3, ("sending sam synchronisation message\n"));
82 message_send_all(smbd_messaging_context(), MSG_SMB_SAM_SYNC
, NULL
, 0,
86 /*************************************************************************
88 *************************************************************************/
90 WERROR
_netr_LogonControl2(struct pipes_struct
*p
,
91 struct netr_LogonControl2
*r
)
93 struct netr_LogonControl2Ex l
;
95 l
.in
.logon_server
= r
->in
.logon_server
;
96 l
.in
.function_code
= r
->in
.function_code
;
97 l
.in
.level
= r
->in
.level
;
98 l
.in
.data
= r
->in
.data
;
99 l
.out
.query
= r
->out
.query
;
101 return _netr_LogonControl2Ex(p
, &l
);
104 /*************************************************************************
105 *************************************************************************/
107 static bool wb_change_trust_creds(const char *domain
, WERROR
*tc_status
)
110 struct wbcAuthErrorInfo
*error
= NULL
;
112 result
= wbcChangeTrustCredentials(domain
, &error
);
114 case WBC_ERR_WINBIND_NOT_AVAILABLE
:
116 case WBC_ERR_DOMAIN_NOT_FOUND
:
117 *tc_status
= WERR_NO_SUCH_DOMAIN
;
119 case WBC_ERR_SUCCESS
:
120 *tc_status
= WERR_OK
;
126 if (error
&& error
->nt_status
!= 0) {
127 *tc_status
= ntstatus_to_werror(NT_STATUS(error
->nt_status
));
129 *tc_status
= WERR_TRUST_FAILURE
;
131 wbcFreeMemory(error
);
135 /*************************************************************************
136 *************************************************************************/
138 static bool wb_check_trust_creds(const char *domain
, WERROR
*tc_status
)
141 struct wbcAuthErrorInfo
*error
= NULL
;
143 result
= wbcCheckTrustCredentials(domain
, &error
);
145 case WBC_ERR_WINBIND_NOT_AVAILABLE
:
147 case WBC_ERR_DOMAIN_NOT_FOUND
:
148 *tc_status
= WERR_NO_SUCH_DOMAIN
;
150 case WBC_ERR_SUCCESS
:
151 *tc_status
= WERR_OK
;
157 if (error
&& error
->nt_status
!= 0) {
158 *tc_status
= ntstatus_to_werror(NT_STATUS(error
->nt_status
));
160 *tc_status
= WERR_TRUST_FAILURE
;
162 wbcFreeMemory(error
);
166 /****************************************************************
167 _netr_LogonControl2Ex
168 ****************************************************************/
170 WERROR
_netr_LogonControl2Ex(struct pipes_struct
*p
,
171 struct netr_LogonControl2Ex
*r
)
173 uint32_t flags
= 0x0;
174 WERROR pdc_connection_status
= WERR_OK
;
175 uint32_t logon_attempts
= 0x0;
178 const char *dc_name
= NULL
;
179 struct sockaddr_storage dc_ss
;
180 const char *domain
= NULL
;
181 struct netr_NETLOGON_INFO_1
*info1
;
182 struct netr_NETLOGON_INFO_2
*info2
;
183 struct netr_NETLOGON_INFO_3
*info3
;
184 struct netr_NETLOGON_INFO_4
*info4
;
189 case NDR_NETR_LOGONCONTROL
:
190 fn
= "_netr_LogonControl";
192 case NDR_NETR_LOGONCONTROL2
:
193 fn
= "_netr_LogonControl2";
195 case NDR_NETR_LOGONCONTROL2EX
:
196 fn
= "_netr_LogonControl2Ex";
199 return WERR_INVALID_PARAM
;
202 acct_ctrl
= p
->server_info
->info3
->base
.acct_flags
;
204 switch (r
->in
.function_code
) {
205 case NETLOGON_CONTROL_TC_VERIFY
:
206 case NETLOGON_CONTROL_CHANGE_PASSWORD
:
207 case NETLOGON_CONTROL_REDISCOVER
:
208 if ((geteuid() != sec_initial_uid()) &&
209 !nt_token_check_domain_rid(p
->server_info
->ptok
, DOMAIN_RID_ADMINS
) &&
210 !nt_token_check_sid(&global_sid_Builtin_Administrators
, p
->server_info
->ptok
) &&
211 !(acct_ctrl
& (ACB_WSTRUST
| ACB_SVRTRUST
))) {
212 return WERR_ACCESS_DENIED
;
219 tc_status
= WERR_NO_SUCH_DOMAIN
;
221 switch (r
->in
.function_code
) {
222 case NETLOGON_CONTROL_QUERY
:
225 case NETLOGON_CONTROL_REPLICATE
:
226 case NETLOGON_CONTROL_SYNCHRONIZE
:
227 case NETLOGON_CONTROL_PDC_REPLICATE
:
228 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG
:
229 case NETLOGON_CONTROL_BREAKPOINT
:
230 if (acct_ctrl
& ACB_NORMAL
) {
231 return WERR_NOT_SUPPORTED
;
232 } else if (acct_ctrl
& (ACB_WSTRUST
| ACB_SVRTRUST
)) {
233 return WERR_ACCESS_DENIED
;
235 return WERR_ACCESS_DENIED
;
237 case NETLOGON_CONTROL_TRUNCATE_LOG
:
238 if (acct_ctrl
& ACB_NORMAL
) {
240 } else if (acct_ctrl
& (ACB_WSTRUST
| ACB_SVRTRUST
)) {
241 return WERR_ACCESS_DENIED
;
243 return WERR_ACCESS_DENIED
;
246 case NETLOGON_CONTROL_TRANSPORT_NOTIFY
:
247 case NETLOGON_CONTROL_FORCE_DNS_REG
:
248 case NETLOGON_CONTROL_QUERY_DNS_REG
:
249 return WERR_NOT_SUPPORTED
;
250 case NETLOGON_CONTROL_FIND_USER
:
251 if (!r
->in
.data
|| !r
->in
.data
->user
) {
252 return WERR_NOT_SUPPORTED
;
255 case NETLOGON_CONTROL_SET_DBFLAG
:
257 return WERR_NOT_SUPPORTED
;
260 case NETLOGON_CONTROL_TC_VERIFY
:
261 if (!r
->in
.data
|| !r
->in
.data
->domain
) {
262 return WERR_NOT_SUPPORTED
;
265 if (!wb_check_trust_creds(r
->in
.data
->domain
, &tc_status
)) {
266 return WERR_NOT_SUPPORTED
;
269 case NETLOGON_CONTROL_TC_QUERY
:
270 if (!r
->in
.data
|| !r
->in
.data
->domain
) {
271 return WERR_NOT_SUPPORTED
;
274 domain
= r
->in
.data
->domain
;
276 if (!is_trusted_domain(domain
)) {
280 if (!get_dc_name(domain
, NULL
, dc_name2
, &dc_ss
)) {
281 tc_status
= WERR_NO_LOGON_SERVERS
;
285 dc_name
= talloc_asprintf(p
->mem_ctx
, "\\\\%s", dc_name2
);
294 case NETLOGON_CONTROL_REDISCOVER
:
295 if (!r
->in
.data
|| !r
->in
.data
->domain
) {
296 return WERR_NOT_SUPPORTED
;
299 domain
= r
->in
.data
->domain
;
301 if (!is_trusted_domain(domain
)) {
305 if (!get_dc_name(domain
, NULL
, dc_name2
, &dc_ss
)) {
306 tc_status
= WERR_NO_LOGON_SERVERS
;
310 dc_name
= talloc_asprintf(p
->mem_ctx
, "\\\\%s", dc_name2
);
319 case NETLOGON_CONTROL_CHANGE_PASSWORD
:
320 if (!r
->in
.data
|| !r
->in
.data
->domain
) {
321 return WERR_NOT_SUPPORTED
;
324 if (!wb_change_trust_creds(r
->in
.data
->domain
, &tc_status
)) {
325 return WERR_NOT_SUPPORTED
;
330 /* no idea what this should be */
331 DEBUG(0,("%s: unimplemented function level [%d]\n",
332 fn
, r
->in
.function_code
));
333 return WERR_UNKNOWN_LEVEL
;
336 /* prepare the response */
338 switch (r
->in
.level
) {
340 info1
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_1
);
341 W_ERROR_HAVE_NO_MEMORY(info1
);
343 info1
->flags
= flags
;
344 info1
->pdc_connection_status
= pdc_connection_status
;
346 r
->out
.query
->info1
= info1
;
349 info2
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_2
);
350 W_ERROR_HAVE_NO_MEMORY(info2
);
352 info2
->flags
= flags
;
353 info2
->pdc_connection_status
= pdc_connection_status
;
354 info2
->trusted_dc_name
= dc_name
;
355 info2
->tc_connection_status
= tc_status
;
357 r
->out
.query
->info2
= info2
;
360 info3
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_3
);
361 W_ERROR_HAVE_NO_MEMORY(info3
);
363 info3
->flags
= flags
;
364 info3
->logon_attempts
= logon_attempts
;
366 r
->out
.query
->info3
= info3
;
369 info4
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_4
);
370 W_ERROR_HAVE_NO_MEMORY(info4
);
372 info4
->trusted_dc_name
= dc_name
;
373 info4
->trusted_domain_name
= r
->in
.data
->domain
;
375 r
->out
.query
->info4
= info4
;
378 return WERR_UNKNOWN_LEVEL
;
381 if (lp_server_role() == ROLE_DOMAIN_BDC
) {
388 /*************************************************************************
389 _netr_NetrEnumerateTrustedDomains
390 *************************************************************************/
392 NTSTATUS
_netr_NetrEnumerateTrustedDomains(struct pipes_struct
*p
,
393 struct netr_NetrEnumerateTrustedDomains
*r
)
398 const char **trusted_domains
= NULL
;
399 struct lsa_DomainList domain_list
;
400 struct rpc_pipe_client
*cli
= NULL
;
401 struct policy_handle pol
;
402 uint32_t enum_ctx
= 0;
404 uint32_t max_size
= (uint32_t)-1;
406 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__
));
408 status
= rpc_pipe_open_internal(p
->mem_ctx
, &ndr_table_lsarpc
.syntax_id
,
411 if (!NT_STATUS_IS_OK(status
)) {
415 status
= rpccli_lsa_open_policy2(cli
, p
->mem_ctx
,
417 LSA_POLICY_VIEW_LOCAL_INFORMATION
,
419 if (!NT_STATUS_IS_OK(status
)) {
424 /* Lookup list of trusted domains */
426 status
= rpccli_lsa_EnumTrustDom(cli
, p
->mem_ctx
,
431 if (!NT_STATUS_IS_OK(status
) &&
432 !NT_STATUS_EQUAL(status
, NT_STATUS_NO_MORE_ENTRIES
) &&
433 !NT_STATUS_EQUAL(status
, STATUS_MORE_ENTRIES
)) {
437 for (i
= 0; i
< domain_list
.count
; i
++) {
438 if (!add_string_to_array(p
->mem_ctx
, domain_list
.domains
[i
].name
.string
,
439 &trusted_domains
, &num_domains
)) {
440 status
= NT_STATUS_NO_MEMORY
;
444 } while (NT_STATUS_EQUAL(status
, STATUS_MORE_ENTRIES
));
446 if (num_domains
> 0) {
447 /* multi sz terminate */
448 trusted_domains
= talloc_realloc(p
->mem_ctx
, trusted_domains
, const char *, num_domains
+ 1);
449 if (trusted_domains
== NULL
) {
450 status
= NT_STATUS_NO_MEMORY
;
454 trusted_domains
[num_domains
] = NULL
;
457 if (!push_reg_multi_sz(trusted_domains
, &blob
, trusted_domains
)) {
458 TALLOC_FREE(trusted_domains
);
459 status
= NT_STATUS_NO_MEMORY
;
463 r
->out
.trusted_domains_blob
->data
= blob
.data
;
464 r
->out
.trusted_domains_blob
->length
= blob
.length
;
466 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__
));
468 status
= NT_STATUS_OK
;
471 if (cli
&& is_valid_policy_hnd(&pol
)) {
472 rpccli_lsa_Close(cli
, p
->mem_ctx
, &pol
);
478 /*************************************************************************
479 *************************************************************************/
481 static NTSTATUS
samr_find_machine_account(TALLOC_CTX
*mem_ctx
,
482 struct rpc_pipe_client
*cli
,
483 const char *account_name
,
484 uint32_t access_mask
,
485 struct dom_sid2
**domain_sid_p
,
486 uint32_t *user_rid_p
,
487 struct policy_handle
*user_handle
)
490 struct policy_handle connect_handle
, domain_handle
;
491 struct lsa_String domain_name
;
492 struct dom_sid2
*domain_sid
;
493 struct lsa_String names
;
494 struct samr_Ids rids
;
495 struct samr_Ids types
;
498 status
= rpccli_samr_Connect2(cli
, mem_ctx
,
500 SAMR_ACCESS_CONNECT_TO_SERVER
|
501 SAMR_ACCESS_ENUM_DOMAINS
|
502 SAMR_ACCESS_LOOKUP_DOMAIN
,
504 if (!NT_STATUS_IS_OK(status
)) {
508 init_lsa_String(&domain_name
, get_global_sam_name());
510 status
= rpccli_samr_LookupDomain(cli
, mem_ctx
,
514 if (!NT_STATUS_IS_OK(status
)) {
518 status
= rpccli_samr_OpenDomain(cli
, mem_ctx
,
520 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
,
523 if (!NT_STATUS_IS_OK(status
)) {
527 init_lsa_String(&names
, account_name
);
529 status
= rpccli_samr_LookupNames(cli
, mem_ctx
,
535 if (!NT_STATUS_IS_OK(status
)) {
539 if (rids
.count
!= 1) {
540 status
= NT_STATUS_NO_SUCH_USER
;
543 if (rids
.count
!= types
.count
) {
544 status
= NT_STATUS_INVALID_PARAMETER
;
547 if (types
.ids
[0] != SID_NAME_USER
) {
548 status
= NT_STATUS_NO_SUCH_USER
;
554 status
= rpccli_samr_OpenUser(cli
, mem_ctx
,
559 if (!NT_STATUS_IS_OK(status
)) {
568 *domain_sid_p
= domain_sid
;
572 if (cli
&& is_valid_policy_hnd(&domain_handle
)) {
573 rpccli_samr_Close(cli
, mem_ctx
, &domain_handle
);
575 if (cli
&& is_valid_policy_hnd(&connect_handle
)) {
576 rpccli_samr_Close(cli
, mem_ctx
, &connect_handle
);
582 /******************************************************************
583 gets a machine password entry. checks access rights of the host.
584 ******************************************************************/
586 static NTSTATUS
get_md4pw(struct samr_Password
*md4pw
, const char *mach_acct
,
587 enum netr_SchannelType sec_chan_type
, struct dom_sid
*sid
)
591 struct rpc_pipe_client
*cli
= NULL
;
592 struct policy_handle user_handle
;
594 struct dom_sid
*domain_sid
;
596 union samr_UserInfo
*info
;
597 struct auth_serversupplied_info
*server_info
;
599 char addr
[INET6_ADDRSTRLEN
];
602 * Currently this code is redundent as we already have a filter
603 * by hostname list. What this code really needs to do is to
604 * get a hosts allowed/hosts denied list from the SAM database
605 * on a per user basis, and make the access decision there.
606 * I will leave this code here for now as a reminder to implement
607 * this at a later date. JRA.
610 if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
611 client_name(get_client_fd()),
612 client_addr(get_client_fd(),addr
,sizeof(addr
)))) {
613 DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct
));
618 mem_ctx
= talloc_new(talloc_tos());
619 if (mem_ctx
== NULL
) {
620 status
= NT_STATUS_NO_MEMORY
;
624 status
= make_server_info_system(mem_ctx
, &server_info
);
625 if (!NT_STATUS_IS_OK(status
)) {
629 ZERO_STRUCT(user_handle
);
631 status
= rpc_pipe_open_internal(mem_ctx
, &ndr_table_samr
.syntax_id
,
634 if (!NT_STATUS_IS_OK(status
)) {
639 status
= samr_find_machine_account(mem_ctx
, cli
, mach_acct
,
640 SEC_FLAG_MAXIMUM_ALLOWED
,
641 &domain_sid
, &user_rid
,
644 if (!NT_STATUS_IS_OK(status
)) {
648 status
= rpccli_samr_QueryUserInfo2(cli
, mem_ctx
,
650 UserControlInformation
,
652 if (!NT_STATUS_IS_OK(status
)) {
656 acct_ctrl
= info
->info16
.acct_flags
;
658 if (acct_ctrl
& ACB_DISABLED
) {
659 DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct
));
660 status
= NT_STATUS_ACCOUNT_DISABLED
;
664 if (!(acct_ctrl
& ACB_SVRTRUST
) &&
665 !(acct_ctrl
& ACB_WSTRUST
) &&
666 !(acct_ctrl
& ACB_DOMTRUST
))
668 DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct
));
669 status
= NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
673 switch (sec_chan_type
) {
675 if (!(acct_ctrl
& ACB_SVRTRUST
)) {
676 DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
677 "but not a server trust account\n", mach_acct
));
678 status
= NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
683 if (!(acct_ctrl
& ACB_WSTRUST
)) {
684 DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
685 "but not a workstation trust account\n", mach_acct
));
686 status
= NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
690 case SEC_CHAN_DOMAIN
:
691 if (!(acct_ctrl
& ACB_DOMTRUST
)) {
692 DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
693 "but not a interdomain trust account\n", mach_acct
));
694 status
= NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
703 status
= rpccli_samr_QueryUserInfo2(cli
, mem_ctx
,
705 UserInternal1Information
,
708 if (!NT_STATUS_IS_OK(status
)) {
711 if (info
->info18
.nt_pwd_active
== 0) {
712 DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct
));
713 status
= NT_STATUS_LOGON_FAILURE
;
717 /* samr gives out nthash unencrypted (!) */
718 memcpy(md4pw
->hash
, info
->info18
.nt_pwd
.hash
, 16);
720 sid_compose(sid
, domain_sid
, user_rid
);
723 if (cli
&& is_valid_policy_hnd(&user_handle
)) {
724 rpccli_samr_Close(cli
, mem_ctx
, &user_handle
);
727 talloc_free(mem_ctx
);
732 /*************************************************************************
733 _netr_ServerReqChallenge
734 *************************************************************************/
736 NTSTATUS
_netr_ServerReqChallenge(struct pipes_struct
*p
,
737 struct netr_ServerReqChallenge
*r
)
739 struct netlogon_server_pipe_state
*pipe_state
=
740 talloc_get_type(p
->private_data
, struct netlogon_server_pipe_state
);
743 DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));
744 talloc_free(pipe_state
);
745 p
->private_data
= NULL
;
748 pipe_state
= talloc(p
, struct netlogon_server_pipe_state
);
749 NT_STATUS_HAVE_NO_MEMORY(pipe_state
);
751 pipe_state
->client_challenge
= *r
->in
.credentials
;
753 generate_random_buffer(pipe_state
->server_challenge
.data
,
754 sizeof(pipe_state
->server_challenge
.data
));
756 *r
->out
.return_credentials
= pipe_state
->server_challenge
;
758 p
->private_data
= pipe_state
;
763 /*************************************************************************
764 _netr_ServerAuthenticate
765 Create the initial credentials.
766 *************************************************************************/
768 NTSTATUS
_netr_ServerAuthenticate(struct pipes_struct
*p
,
769 struct netr_ServerAuthenticate
*r
)
771 struct netr_ServerAuthenticate3 a
;
772 uint32_t negotiate_flags
= 0;
775 a
.in
.server_name
= r
->in
.server_name
;
776 a
.in
.account_name
= r
->in
.account_name
;
777 a
.in
.secure_channel_type
= r
->in
.secure_channel_type
;
778 a
.in
.computer_name
= r
->in
.computer_name
;
779 a
.in
.credentials
= r
->in
.credentials
;
780 a
.in
.negotiate_flags
= &negotiate_flags
;
782 a
.out
.return_credentials
= r
->out
.return_credentials
;
784 a
.out
.negotiate_flags
= &negotiate_flags
;
786 return _netr_ServerAuthenticate3(p
, &a
);
790 /*************************************************************************
791 _netr_ServerAuthenticate3
792 *************************************************************************/
794 NTSTATUS
_netr_ServerAuthenticate3(struct pipes_struct
*p
,
795 struct netr_ServerAuthenticate3
*r
)
799 /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
800 * so use a copy to avoid destroying the client values. */
801 uint32_t in_neg_flags
= *r
->in
.negotiate_flags
;
804 struct samr_Password mach_pwd
;
805 struct netlogon_creds_CredentialState
*creds
;
806 struct netlogon_server_pipe_state
*pipe_state
=
807 talloc_get_type(p
->private_data
, struct netlogon_server_pipe_state
);
809 /* According to Microsoft (see bugid #6099)
810 * Windows 7 looks at the negotiate_flags
811 * returned in this structure *even if the
812 * call fails with access denied* ! So in order
813 * to allow Win7 to connect to a Samba NT style
814 * PDC we set the flags before we know if it's
819 srv_flgs
= NETLOGON_NEG_ACCOUNT_LOCKOUT
|
820 NETLOGON_NEG_PERSISTENT_SAMREPL
|
821 NETLOGON_NEG_ARCFOUR
|
822 NETLOGON_NEG_PROMOTION_COUNT
|
823 NETLOGON_NEG_CHANGELOG_BDC
|
824 NETLOGON_NEG_FULL_SYNC_REPL
|
825 NETLOGON_NEG_MULTIPLE_SIDS
|
827 NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
|
828 NETLOGON_NEG_PASSWORD_SET2
;
830 /* Ensure we support strong (128-bit) keys. */
831 if (in_neg_flags
& NETLOGON_NEG_STRONG_KEYS
) {
832 srv_flgs
|= NETLOGON_NEG_STRONG_KEYS
;
835 if (lp_server_schannel() != false) {
836 srv_flgs
|= NETLOGON_NEG_SCHANNEL
;
840 case NDR_NETR_SERVERAUTHENTICATE
:
841 fn
= "_netr_ServerAuthenticate";
843 case NDR_NETR_SERVERAUTHENTICATE2
:
844 fn
= "_netr_ServerAuthenticate2";
846 case NDR_NETR_SERVERAUTHENTICATE3
:
847 fn
= "_netr_ServerAuthenticate3";
850 return NT_STATUS_INTERNAL_ERROR
;
853 /* We use this as the key to store the creds: */
854 /* r->in.computer_name */
857 DEBUG(0,("%s: no challenge sent to client %s\n", fn
,
858 r
->in
.computer_name
));
859 status
= NT_STATUS_ACCESS_DENIED
;
863 if ( (lp_server_schannel() == true) &&
864 ((in_neg_flags
& NETLOGON_NEG_SCHANNEL
) == 0) ) {
866 /* schannel must be used, but client did not offer it. */
867 DEBUG(0,("%s: schannel required but client failed "
868 "to offer it. Client was %s\n",
869 fn
, r
->in
.account_name
));
870 status
= NT_STATUS_ACCESS_DENIED
;
874 status
= get_md4pw(&mach_pwd
,
876 r
->in
.secure_channel_type
,
878 if (!NT_STATUS_IS_OK(status
)) {
879 DEBUG(0,("%s: failed to get machine password for "
881 fn
, r
->in
.account_name
, nt_errstr(status
) ));
882 /* always return NT_STATUS_ACCESS_DENIED */
883 status
= NT_STATUS_ACCESS_DENIED
;
887 /* From the client / server challenges and md4 password, generate sess key */
888 /* Check client credentials are valid. */
889 creds
= netlogon_creds_server_init(p
->mem_ctx
,
892 r
->in
.secure_channel_type
,
893 &pipe_state
->client_challenge
,
894 &pipe_state
->server_challenge
,
897 r
->out
.return_credentials
,
898 *r
->in
.negotiate_flags
);
900 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
901 "request from client %s machine account %s\n",
902 fn
, r
->in
.computer_name
,
903 r
->in
.account_name
));
904 status
= NT_STATUS_ACCESS_DENIED
;
908 creds
->sid
= sid_dup_talloc(creds
, &sid
);
910 status
= NT_STATUS_NO_MEMORY
;
914 /* Store off the state so we can continue after client disconnect. */
916 status
= schannel_save_creds_state(p
->mem_ctx
, lp_private_dir(), creds
);
919 if (!NT_STATUS_IS_OK(status
)) {
923 sid_peek_rid(&sid
, r
->out
.rid
);
925 status
= NT_STATUS_OK
;
929 *r
->out
.negotiate_flags
= srv_flgs
;
933 /*************************************************************************
934 _netr_ServerAuthenticate2
935 *************************************************************************/
937 NTSTATUS
_netr_ServerAuthenticate2(struct pipes_struct
*p
,
938 struct netr_ServerAuthenticate2
*r
)
940 struct netr_ServerAuthenticate3 a
;
943 a
.in
.server_name
= r
->in
.server_name
;
944 a
.in
.account_name
= r
->in
.account_name
;
945 a
.in
.secure_channel_type
= r
->in
.secure_channel_type
;
946 a
.in
.computer_name
= r
->in
.computer_name
;
947 a
.in
.credentials
= r
->in
.credentials
;
948 a
.in
.negotiate_flags
= r
->in
.negotiate_flags
;
950 a
.out
.return_credentials
= r
->out
.return_credentials
;
952 a
.out
.negotiate_flags
= r
->out
.negotiate_flags
;
954 return _netr_ServerAuthenticate3(p
, &a
);
957 /*************************************************************************
958 * If schannel is required for this call test that it actually is available.
959 *************************************************************************/
960 static NTSTATUS
schannel_check_required(struct pipe_auth_data
*auth_info
,
961 const char *computer_name
,
962 bool integrity
, bool privacy
)
964 if (auth_info
&& auth_info
->auth_type
== PIPE_AUTH_TYPE_SCHANNEL
) {
965 if (!privacy
&& !integrity
) {
969 if ((!privacy
&& integrity
) &&
970 auth_info
->auth_level
== DCERPC_AUTH_LEVEL_INTEGRITY
) {
974 if ((privacy
|| integrity
) &&
975 auth_info
->auth_level
== DCERPC_AUTH_LEVEL_PRIVACY
) {
980 /* test didn't pass */
981 DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
984 return NT_STATUS_ACCESS_DENIED
;
987 /*************************************************************************
988 *************************************************************************/
990 static NTSTATUS
netr_creds_server_step_check(struct pipes_struct
*p
,
992 const char *computer_name
,
993 struct netr_Authenticator
*received_authenticator
,
994 struct netr_Authenticator
*return_authenticator
,
995 struct netlogon_creds_CredentialState
**creds_out
)
998 bool schannel_global_required
= (lp_server_schannel() == true) ? true:false;
1000 if (schannel_global_required
) {
1001 status
= schannel_check_required(&p
->auth
,
1004 if (!NT_STATUS_IS_OK(status
)) {
1009 status
= schannel_check_creds_state(mem_ctx
, lp_private_dir(),
1010 computer_name
, received_authenticator
,
1011 return_authenticator
, creds_out
);
1016 /*************************************************************************
1017 *************************************************************************/
1019 static NTSTATUS
netr_set_machine_account_password(TALLOC_CTX
*mem_ctx
,
1020 struct auth_serversupplied_info
*server_info
,
1021 const char *account_name
,
1022 struct samr_Password
*nt_hash
)
1025 struct rpc_pipe_client
*cli
= NULL
;
1026 struct policy_handle user_handle
;
1028 union samr_UserInfo
*info
;
1029 struct samr_UserInfo18 info18
;
1032 ZERO_STRUCT(user_handle
);
1034 status
= rpc_pipe_open_internal(mem_ctx
, &ndr_table_samr
.syntax_id
,
1037 if (!NT_STATUS_IS_OK(status
)) {
1041 status
= samr_find_machine_account(mem_ctx
, cli
, account_name
,
1042 SEC_FLAG_MAXIMUM_ALLOWED
,
1045 if (!NT_STATUS_IS_OK(status
)) {
1049 status
= rpccli_samr_QueryUserInfo2(cli
, mem_ctx
,
1051 UserControlInformation
,
1053 if (!NT_STATUS_IS_OK(status
)) {
1057 acct_ctrl
= info
->info16
.acct_flags
;
1059 if (!(acct_ctrl
& ACB_WSTRUST
||
1060 acct_ctrl
& ACB_SVRTRUST
||
1061 acct_ctrl
& ACB_DOMTRUST
)) {
1062 status
= NT_STATUS_NO_SUCH_USER
;
1066 if (acct_ctrl
& ACB_DISABLED
) {
1067 status
= NT_STATUS_ACCOUNT_DISABLED
;
1071 ZERO_STRUCT(info18
);
1073 in
= data_blob_const(nt_hash
->hash
, 16);
1074 out
= data_blob_talloc_zero(mem_ctx
, 16);
1075 sess_crypt_blob(&out
, &in
, &server_info
->user_session_key
, true);
1076 memcpy(info18
.nt_pwd
.hash
, out
.data
, out
.length
);
1078 info18
.nt_pwd_active
= true;
1080 info
->info18
= info18
;
1082 status
= rpccli_samr_SetUserInfo2(cli
, mem_ctx
,
1084 UserInternal1Information
,
1086 if (!NT_STATUS_IS_OK(status
)) {
1091 if (cli
&& is_valid_policy_hnd(&user_handle
)) {
1092 rpccli_samr_Close(cli
, mem_ctx
, &user_handle
);
1098 /*************************************************************************
1099 _netr_ServerPasswordSet
1100 *************************************************************************/
1102 NTSTATUS
_netr_ServerPasswordSet(struct pipes_struct
*p
,
1103 struct netr_ServerPasswordSet
*r
)
1105 NTSTATUS status
= NT_STATUS_OK
;
1107 struct netlogon_creds_CredentialState
*creds
;
1109 DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__
));
1112 status
= netr_creds_server_step_check(p
, p
->mem_ctx
,
1113 r
->in
.computer_name
,
1115 r
->out
.return_authenticator
,
1119 if (!NT_STATUS_IS_OK(status
)) {
1120 DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
1121 "request from client %s machine account %s\n",
1122 r
->in
.computer_name
, creds
->computer_name
));
1127 DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
1128 r
->in
.computer_name
, creds
->computer_name
));
1130 netlogon_creds_des_decrypt(creds
, r
->in
.new_password
);
1132 DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
1133 for(i
= 0; i
< sizeof(r
->in
.new_password
->hash
); i
++)
1134 DEBUG(100,("%02X ", r
->in
.new_password
->hash
[i
]));
1137 status
= netr_set_machine_account_password(p
->mem_ctx
,
1139 creds
->account_name
,
1140 r
->in
.new_password
);
1144 /****************************************************************
1145 _netr_ServerPasswordSet2
1146 ****************************************************************/
1148 NTSTATUS
_netr_ServerPasswordSet2(struct pipes_struct
*p
,
1149 struct netr_ServerPasswordSet2
*r
)
1152 struct netlogon_creds_CredentialState
*creds
;
1153 DATA_BLOB plaintext
;
1154 struct samr_CryptPassword password_buf
;
1155 struct samr_Password nt_hash
;
1158 status
= netr_creds_server_step_check(p
, p
->mem_ctx
,
1159 r
->in
.computer_name
,
1161 r
->out
.return_authenticator
,
1165 if (!NT_STATUS_IS_OK(status
)) {
1166 DEBUG(2,("_netr_ServerPasswordSet2: netlogon_creds_server_step "
1167 "failed. Rejecting auth request from client %s machine account %s\n",
1168 r
->in
.computer_name
, creds
->computer_name
));
1173 memcpy(password_buf
.data
, r
->in
.new_password
->data
, 512);
1174 SIVAL(password_buf
.data
, 512, r
->in
.new_password
->length
);
1175 netlogon_creds_arcfour_crypt(creds
, password_buf
.data
, 516);
1177 if (!extract_pw_from_buffer(p
->mem_ctx
, password_buf
.data
, &plaintext
)) {
1178 return NT_STATUS_WRONG_PASSWORD
;
1181 mdfour(nt_hash
.hash
, plaintext
.data
, plaintext
.length
);
1183 status
= netr_set_machine_account_password(p
->mem_ctx
,
1185 creds
->account_name
,
1190 /*************************************************************************
1191 _netr_LogonSamLogoff
1192 *************************************************************************/
1194 NTSTATUS
_netr_LogonSamLogoff(struct pipes_struct
*p
,
1195 struct netr_LogonSamLogoff
*r
)
1198 struct netlogon_creds_CredentialState
*creds
;
1201 status
= netr_creds_server_step_check(p
, p
->mem_ctx
,
1202 r
->in
.computer_name
,
1204 r
->out
.return_authenticator
,
1211 /*************************************************************************
1212 _netr_LogonSamLogon_base
1213 *************************************************************************/
1215 static NTSTATUS
_netr_LogonSamLogon_base(struct pipes_struct
*p
,
1216 struct netr_LogonSamLogonEx
*r
,
1217 struct netlogon_creds_CredentialState
*creds
)
1219 NTSTATUS status
= NT_STATUS_OK
;
1220 union netr_LogonLevel
*logon
= r
->in
.logon
;
1221 const char *nt_username
, *nt_domain
, *nt_workstation
;
1222 struct auth_usersupplied_info
*user_info
= NULL
;
1223 struct auth_serversupplied_info
*server_info
= NULL
;
1224 struct auth_context
*auth_context
= NULL
;
1225 uint8_t pipe_session_key
[16];
1226 bool process_creds
= true;
1230 case NDR_NETR_LOGONSAMLOGON
:
1231 process_creds
= true;
1232 fn
= "_netr_LogonSamLogon";
1234 case NDR_NETR_LOGONSAMLOGONWITHFLAGS
:
1235 process_creds
= true;
1236 fn
= "_netr_LogonSamLogonWithFlags";
1238 case NDR_NETR_LOGONSAMLOGONEX
:
1239 process_creds
= false;
1240 fn
= "_netr_LogonSamLogonEx";
1243 return NT_STATUS_INTERNAL_ERROR
;
1246 *r
->out
.authoritative
= true; /* authoritative response */
1248 switch (r
->in
.validation_level
) {
1250 r
->out
.validation
->sam2
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_SamInfo2
);
1251 if (!r
->out
.validation
->sam2
) {
1252 return NT_STATUS_NO_MEMORY
;
1256 r
->out
.validation
->sam3
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_SamInfo3
);
1257 if (!r
->out
.validation
->sam3
) {
1258 return NT_STATUS_NO_MEMORY
;
1262 r
->out
.validation
->sam6
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_SamInfo6
);
1263 if (!r
->out
.validation
->sam6
) {
1264 return NT_STATUS_NO_MEMORY
;
1268 DEBUG(0,("%s: bad validation_level value %d.\n",
1269 fn
, (int)r
->in
.validation_level
));
1270 return NT_STATUS_INVALID_INFO_CLASS
;
1273 switch (r
->in
.logon_level
) {
1274 case NetlogonInteractiveInformation
:
1275 case NetlogonServiceInformation
:
1276 case NetlogonInteractiveTransitiveInformation
:
1277 case NetlogonServiceTransitiveInformation
:
1278 nt_username
= logon
->password
->identity_info
.account_name
.string
?
1279 logon
->password
->identity_info
.account_name
.string
: "";
1280 nt_domain
= logon
->password
->identity_info
.domain_name
.string
?
1281 logon
->password
->identity_info
.domain_name
.string
: "";
1282 nt_workstation
= logon
->password
->identity_info
.workstation
.string
?
1283 logon
->password
->identity_info
.workstation
.string
: "";
1285 DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
1287 case NetlogonNetworkInformation
:
1288 case NetlogonNetworkTransitiveInformation
:
1289 nt_username
= logon
->network
->identity_info
.account_name
.string
?
1290 logon
->network
->identity_info
.account_name
.string
: "";
1291 nt_domain
= logon
->network
->identity_info
.domain_name
.string
?
1292 logon
->network
->identity_info
.domain_name
.string
: "";
1293 nt_workstation
= logon
->network
->identity_info
.workstation
.string
?
1294 logon
->network
->identity_info
.workstation
.string
: "";
1296 DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
1299 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1300 return NT_STATUS_INVALID_INFO_CLASS
;
1303 DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username
, nt_workstation
, nt_domain
));
1304 fstrcpy(current_user_info
.smb_name
, nt_username
);
1305 sub_set_smb_name(nt_username
);
1307 DEBUG(5,("Attempting validation level %d for unmapped username %s.\n",
1308 r
->in
.validation_level
, nt_username
));
1310 status
= NT_STATUS_OK
;
1312 switch (r
->in
.logon_level
) {
1313 case NetlogonNetworkInformation
:
1314 case NetlogonNetworkTransitiveInformation
:
1316 const char *wksname
= nt_workstation
;
1318 status
= make_auth_context_fixed(&auth_context
,
1319 logon
->network
->challenge
);
1320 if (!NT_STATUS_IS_OK(status
)) {
1324 /* For a network logon, the workstation name comes in with two
1325 * backslashes in the front. Strip them if they are there. */
1327 if (*wksname
== '\\') wksname
++;
1328 if (*wksname
== '\\') wksname
++;
1330 /* Standard challenge/response authenticaion */
1331 if (!make_user_info_netlogon_network(&user_info
,
1332 nt_username
, nt_domain
,
1334 logon
->network
->identity_info
.parameter_control
,
1335 logon
->network
->lm
.data
,
1336 logon
->network
->lm
.length
,
1337 logon
->network
->nt
.data
,
1338 logon
->network
->nt
.length
)) {
1339 status
= NT_STATUS_NO_MEMORY
;
1343 case NetlogonInteractiveInformation
:
1344 case NetlogonServiceInformation
:
1345 case NetlogonInteractiveTransitiveInformation
:
1346 case NetlogonServiceTransitiveInformation
:
1348 /* 'Interactive' authentication, supplies the password in its
1349 MD4 form, encrypted with the session key. We will convert
1350 this to challenge/response for the auth subsystem to chew
1355 if (!NT_STATUS_IS_OK(status
= make_auth_context_subsystem(&auth_context
))) {
1359 auth_context
->get_ntlm_challenge(auth_context
, chal
);
1361 if (!make_user_info_netlogon_interactive(&user_info
,
1362 nt_username
, nt_domain
,
1364 logon
->password
->identity_info
.parameter_control
,
1366 logon
->password
->lmpassword
.hash
,
1367 logon
->password
->ntpassword
.hash
,
1368 creds
->session_key
)) {
1369 status
= NT_STATUS_NO_MEMORY
;
1374 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1375 return NT_STATUS_INVALID_INFO_CLASS
;
1378 if ( NT_STATUS_IS_OK(status
) ) {
1379 status
= auth_context
->check_ntlm_password(auth_context
,
1380 user_info
, &server_info
);
1383 TALLOC_FREE(auth_context
);
1384 free_user_info(&user_info
);
1386 DEBUG(5,("%s: check_password returned status %s\n",
1387 fn
, nt_errstr(status
)));
1389 /* Check account and password */
1391 if (!NT_STATUS_IS_OK(status
)) {
1392 /* If we don't know what this domain is, we need to
1393 indicate that we are not authoritative. This
1394 allows the client to decide if it needs to try
1395 a local user. Fix by jpjanosi@us.ibm.com, #2976 */
1396 if ( NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)
1397 && !strequal(nt_domain
, get_global_sam_name())
1398 && !is_trusted_domain(nt_domain
) )
1399 *r
->out
.authoritative
= false; /* We are not authoritative */
1401 TALLOC_FREE(server_info
);
1405 if (server_info
->guest
) {
1406 /* We don't like guest domain logons... */
1407 DEBUG(5,("%s: Attempted domain logon as GUEST "
1409 TALLOC_FREE(server_info
);
1410 return NT_STATUS_LOGON_FAILURE
;
1413 /* This is the point at which, if the login was successful, that
1414 the SAM Local Security Authority should record that the user is
1415 logged in to the domain. */
1417 if (process_creds
) {
1418 /* Get the pipe session key from the creds. */
1419 memcpy(pipe_session_key
, creds
->session_key
, 16);
1421 /* Get the pipe session key from the schannel. */
1422 if ((p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
)
1423 || (p
->auth
.a_u
.schannel_auth
== NULL
)) {
1424 return NT_STATUS_INVALID_HANDLE
;
1426 memcpy(pipe_session_key
, p
->auth
.a_u
.schannel_auth
->creds
->session_key
, 16);
1429 switch (r
->in
.validation_level
) {
1431 status
= serverinfo_to_SamInfo2(server_info
, pipe_session_key
, 16,
1432 r
->out
.validation
->sam2
);
1435 status
= serverinfo_to_SamInfo3(server_info
, pipe_session_key
, 16,
1436 r
->out
.validation
->sam3
);
1439 status
= serverinfo_to_SamInfo6(server_info
, pipe_session_key
, 16,
1440 r
->out
.validation
->sam6
);
1444 TALLOC_FREE(server_info
);
1449 /****************************************************************
1450 _netr_LogonSamLogonWithFlags
1451 ****************************************************************/
1453 NTSTATUS
_netr_LogonSamLogonWithFlags(struct pipes_struct
*p
,
1454 struct netr_LogonSamLogonWithFlags
*r
)
1457 struct netlogon_creds_CredentialState
*creds
;
1458 struct netr_LogonSamLogonEx r2
;
1459 struct netr_Authenticator return_authenticator
;
1462 status
= netr_creds_server_step_check(p
, p
->mem_ctx
,
1463 r
->in
.computer_name
,
1465 &return_authenticator
,
1468 if (!NT_STATUS_IS_OK(status
)) {
1472 r2
.in
.server_name
= r
->in
.server_name
;
1473 r2
.in
.computer_name
= r
->in
.computer_name
;
1474 r2
.in
.logon_level
= r
->in
.logon_level
;
1475 r2
.in
.logon
= r
->in
.logon
;
1476 r2
.in
.validation_level
= r
->in
.validation_level
;
1477 r2
.in
.flags
= r
->in
.flags
;
1478 r2
.out
.validation
= r
->out
.validation
;
1479 r2
.out
.authoritative
= r
->out
.authoritative
;
1480 r2
.out
.flags
= r
->out
.flags
;
1482 status
= _netr_LogonSamLogon_base(p
, &r2
, creds
);
1484 *r
->out
.return_authenticator
= return_authenticator
;
1489 /*************************************************************************
1491 *************************************************************************/
1493 NTSTATUS
_netr_LogonSamLogon(struct pipes_struct
*p
,
1494 struct netr_LogonSamLogon
*r
)
1497 struct netr_LogonSamLogonWithFlags r2
;
1500 r2
.in
.server_name
= r
->in
.server_name
;
1501 r2
.in
.computer_name
= r
->in
.computer_name
;
1502 r2
.in
.credential
= r
->in
.credential
;
1503 r2
.in
.logon_level
= r
->in
.logon_level
;
1504 r2
.in
.logon
= r
->in
.logon
;
1505 r2
.in
.validation_level
= r
->in
.validation_level
;
1506 r2
.in
.return_authenticator
= r
->in
.return_authenticator
;
1507 r2
.in
.flags
= &flags
;
1508 r2
.out
.validation
= r
->out
.validation
;
1509 r2
.out
.authoritative
= r
->out
.authoritative
;
1510 r2
.out
.flags
= &flags
;
1511 r2
.out
.return_authenticator
= r
->out
.return_authenticator
;
1513 status
= _netr_LogonSamLogonWithFlags(p
, &r2
);
1518 /*************************************************************************
1519 _netr_LogonSamLogonEx
1520 - no credential chaining. Map into net sam logon.
1521 *************************************************************************/
1523 NTSTATUS
_netr_LogonSamLogonEx(struct pipes_struct
*p
,
1524 struct netr_LogonSamLogonEx
*r
)
1527 struct netlogon_creds_CredentialState
*creds
= NULL
;
1530 status
= schannel_get_creds_state(p
->mem_ctx
, lp_private_dir(),
1531 r
->in
.computer_name
, &creds
);
1533 if (!NT_STATUS_IS_OK(status
)) {
1537 /* Only allow this if the pipe is protected. */
1538 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) {
1539 DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
1540 get_remote_machine_name() ));
1541 return NT_STATUS_INVALID_PARAMETER
;
1544 status
= _netr_LogonSamLogon_base(p
, r
, creds
);
1550 /*************************************************************************
1552 *************************************************************************/
1553 #if 0 /* JERRY -- not correct */
1554 NTSTATUS
_ds_enum_dom_trusts(struct pipes_struct
*p
, DS_Q_ENUM_DOM_TRUSTS
*q_u
,
1555 DS_R_ENUM_DOM_TRUSTS
*r_u
)
1557 NTSTATUS status
= NT_STATUS_OK
;
1559 /* TODO: According to MSDN, the can only be executed against a
1560 DC or domain member running Windows 2000 or later. Need
1561 to test against a standalone 2k server and see what it
1562 does. A windows 2000 DC includes its own domain in the
1570 /****************************************************************
1571 ****************************************************************/
1573 WERROR
_netr_LogonUasLogon(struct pipes_struct
*p
,
1574 struct netr_LogonUasLogon
*r
)
1576 p
->rng_fault_state
= true;
1577 return WERR_NOT_SUPPORTED
;
1580 /****************************************************************
1581 ****************************************************************/
1583 WERROR
_netr_LogonUasLogoff(struct pipes_struct
*p
,
1584 struct netr_LogonUasLogoff
*r
)
1586 p
->rng_fault_state
= true;
1587 return WERR_NOT_SUPPORTED
;
1590 /****************************************************************
1591 ****************************************************************/
1593 NTSTATUS
_netr_DatabaseDeltas(struct pipes_struct
*p
,
1594 struct netr_DatabaseDeltas
*r
)
1596 p
->rng_fault_state
= true;
1597 return NT_STATUS_NOT_IMPLEMENTED
;
1600 /****************************************************************
1601 ****************************************************************/
1603 NTSTATUS
_netr_DatabaseSync(struct pipes_struct
*p
,
1604 struct netr_DatabaseSync
*r
)
1606 p
->rng_fault_state
= true;
1607 return NT_STATUS_NOT_IMPLEMENTED
;
1610 /****************************************************************
1611 ****************************************************************/
1613 NTSTATUS
_netr_AccountDeltas(struct pipes_struct
*p
,
1614 struct netr_AccountDeltas
*r
)
1616 p
->rng_fault_state
= true;
1617 return NT_STATUS_NOT_IMPLEMENTED
;
1620 /****************************************************************
1621 ****************************************************************/
1623 NTSTATUS
_netr_AccountSync(struct pipes_struct
*p
,
1624 struct netr_AccountSync
*r
)
1626 p
->rng_fault_state
= true;
1627 return NT_STATUS_NOT_IMPLEMENTED
;
1630 /****************************************************************
1631 ****************************************************************/
1633 static bool wb_getdcname(TALLOC_CTX
*mem_ctx
,
1635 const char **dcname
,
1640 struct wbcDomainControllerInfo
*dc_info
= NULL
;
1642 result
= wbcLookupDomainController(domain
,
1646 case WBC_ERR_SUCCESS
:
1648 case WBC_ERR_WINBIND_NOT_AVAILABLE
:
1650 case WBC_ERR_DOMAIN_NOT_FOUND
:
1651 *werr
= WERR_NO_SUCH_DOMAIN
;
1654 *werr
= WERR_DOMAIN_CONTROLLER_NOT_FOUND
;
1658 *dcname
= talloc_strdup(mem_ctx
, dc_info
->dc_name
);
1659 wbcFreeMemory(dc_info
);
1670 /****************************************************************
1672 ****************************************************************/
1674 WERROR
_netr_GetDcName(struct pipes_struct
*p
,
1675 struct netr_GetDcName
*r
)
1680 struct netr_DsRGetDCNameInfo
*info
;
1683 ret
= wb_getdcname(p
->mem_ctx
,
1686 WBC_LOOKUP_DC_IS_FLAT_NAME
|
1687 WBC_LOOKUP_DC_RETURN_FLAT_NAME
|
1688 WBC_LOOKUP_DC_PDC_REQUIRED
,
1694 flags
= DS_PDC_REQUIRED
| DS_IS_FLAT_NAME
| DS_RETURN_FLAT_NAME
;
1696 status
= dsgetdcname(p
->mem_ctx
,
1697 smbd_messaging_context(),
1703 if (!NT_STATUS_IS_OK(status
)) {
1704 return ntstatus_to_werror(status
);
1707 *r
->out
.dcname
= talloc_strdup(p
->mem_ctx
, info
->dc_unc
);
1709 if (!*r
->out
.dcname
) {
1716 /****************************************************************
1718 ****************************************************************/
1720 WERROR
_netr_GetAnyDCName(struct pipes_struct
*p
,
1721 struct netr_GetAnyDCName
*r
)
1726 struct netr_DsRGetDCNameInfo
*info
;
1729 ret
= wb_getdcname(p
->mem_ctx
,
1732 WBC_LOOKUP_DC_IS_FLAT_NAME
|
1733 WBC_LOOKUP_DC_RETURN_FLAT_NAME
,
1739 flags
= DS_IS_FLAT_NAME
| DS_RETURN_FLAT_NAME
;
1741 status
= dsgetdcname(p
->mem_ctx
,
1742 smbd_messaging_context(),
1748 if (!NT_STATUS_IS_OK(status
)) {
1749 return ntstatus_to_werror(status
);
1752 *r
->out
.dcname
= talloc_strdup(p
->mem_ctx
, info
->dc_unc
);
1754 if (!*r
->out
.dcname
) {
1761 /****************************************************************
1762 ****************************************************************/
1764 NTSTATUS
_netr_DatabaseSync2(struct pipes_struct
*p
,
1765 struct netr_DatabaseSync2
*r
)
1767 p
->rng_fault_state
= true;
1768 return NT_STATUS_NOT_IMPLEMENTED
;
1771 /****************************************************************
1772 ****************************************************************/
1774 NTSTATUS
_netr_DatabaseRedo(struct pipes_struct
*p
,
1775 struct netr_DatabaseRedo
*r
)
1777 p
->rng_fault_state
= true;
1778 return NT_STATUS_NOT_IMPLEMENTED
;
1781 /****************************************************************
1782 ****************************************************************/
1784 WERROR
_netr_DsRGetDCName(struct pipes_struct
*p
,
1785 struct netr_DsRGetDCName
*r
)
1787 p
->rng_fault_state
= true;
1788 return WERR_NOT_SUPPORTED
;
1791 /****************************************************************
1792 ****************************************************************/
1794 NTSTATUS
_netr_LogonGetCapabilities(struct pipes_struct
*p
,
1795 struct netr_LogonGetCapabilities
*r
)
1797 return NT_STATUS_NOT_IMPLEMENTED
;
1800 /****************************************************************
1801 ****************************************************************/
1803 WERROR
_netr_NETRLOGONSETSERVICEBITS(struct pipes_struct
*p
,
1804 struct netr_NETRLOGONSETSERVICEBITS
*r
)
1806 p
->rng_fault_state
= true;
1807 return WERR_NOT_SUPPORTED
;
1810 /****************************************************************
1811 ****************************************************************/
1813 WERROR
_netr_LogonGetTrustRid(struct pipes_struct
*p
,
1814 struct netr_LogonGetTrustRid
*r
)
1816 p
->rng_fault_state
= true;
1817 return WERR_NOT_SUPPORTED
;
1820 /****************************************************************
1821 ****************************************************************/
1823 WERROR
_netr_NETRLOGONCOMPUTESERVERDIGEST(struct pipes_struct
*p
,
1824 struct netr_NETRLOGONCOMPUTESERVERDIGEST
*r
)
1826 p
->rng_fault_state
= true;
1827 return WERR_NOT_SUPPORTED
;
1830 /****************************************************************
1831 ****************************************************************/
1833 WERROR
_netr_NETRLOGONCOMPUTECLIENTDIGEST(struct pipes_struct
*p
,
1834 struct netr_NETRLOGONCOMPUTECLIENTDIGEST
*r
)
1836 p
->rng_fault_state
= true;
1837 return WERR_NOT_SUPPORTED
;
1840 /****************************************************************
1841 ****************************************************************/
1843 WERROR
_netr_DsRGetDCNameEx(struct pipes_struct
*p
,
1844 struct netr_DsRGetDCNameEx
*r
)
1846 p
->rng_fault_state
= true;
1847 return WERR_NOT_SUPPORTED
;
1850 /****************************************************************
1851 ****************************************************************/
1853 WERROR
_netr_DsRGetSiteName(struct pipes_struct
*p
,
1854 struct netr_DsRGetSiteName
*r
)
1856 p
->rng_fault_state
= true;
1857 return WERR_NOT_SUPPORTED
;
1860 /****************************************************************
1861 ****************************************************************/
1863 NTSTATUS
_netr_LogonGetDomainInfo(struct pipes_struct
*p
,
1864 struct netr_LogonGetDomainInfo
*r
)
1866 p
->rng_fault_state
= true;
1867 return NT_STATUS_NOT_IMPLEMENTED
;
1870 /****************************************************************
1871 ****************************************************************/
1873 WERROR
_netr_ServerPasswordGet(struct pipes_struct
*p
,
1874 struct netr_ServerPasswordGet
*r
)
1876 p
->rng_fault_state
= true;
1877 return WERR_NOT_SUPPORTED
;
1880 /****************************************************************
1881 ****************************************************************/
1883 WERROR
_netr_NETRLOGONSENDTOSAM(struct pipes_struct
*p
,
1884 struct netr_NETRLOGONSENDTOSAM
*r
)
1886 p
->rng_fault_state
= true;
1887 return WERR_NOT_SUPPORTED
;
1890 /****************************************************************
1891 ****************************************************************/
1893 WERROR
_netr_DsRAddressToSitenamesW(struct pipes_struct
*p
,
1894 struct netr_DsRAddressToSitenamesW
*r
)
1896 p
->rng_fault_state
= true;
1897 return WERR_NOT_SUPPORTED
;
1900 /****************************************************************
1901 ****************************************************************/
1903 WERROR
_netr_DsRGetDCNameEx2(struct pipes_struct
*p
,
1904 struct netr_DsRGetDCNameEx2
*r
)
1906 p
->rng_fault_state
= true;
1907 return WERR_NOT_SUPPORTED
;
1910 /****************************************************************
1911 ****************************************************************/
1913 WERROR
_netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct pipes_struct
*p
,
1914 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN
*r
)
1916 p
->rng_fault_state
= true;
1917 return WERR_NOT_SUPPORTED
;
1920 /****************************************************************
1921 ****************************************************************/
1923 WERROR
_netr_NetrEnumerateTrustedDomainsEx(struct pipes_struct
*p
,
1924 struct netr_NetrEnumerateTrustedDomainsEx
*r
)
1926 p
->rng_fault_state
= true;
1927 return WERR_NOT_SUPPORTED
;
1930 /****************************************************************
1931 ****************************************************************/
1933 WERROR
_netr_DsRAddressToSitenamesExW(struct pipes_struct
*p
,
1934 struct netr_DsRAddressToSitenamesExW
*r
)
1936 p
->rng_fault_state
= true;
1937 return WERR_NOT_SUPPORTED
;
1940 /****************************************************************
1941 ****************************************************************/
1943 WERROR
_netr_DsrGetDcSiteCoverageW(struct pipes_struct
*p
,
1944 struct netr_DsrGetDcSiteCoverageW
*r
)
1946 p
->rng_fault_state
= true;
1947 return WERR_NOT_SUPPORTED
;
1950 /****************************************************************
1951 ****************************************************************/
1953 WERROR
_netr_DsrEnumerateDomainTrusts(struct pipes_struct
*p
,
1954 struct netr_DsrEnumerateDomainTrusts
*r
)
1956 p
->rng_fault_state
= true;
1957 return WERR_NOT_SUPPORTED
;
1960 /****************************************************************
1961 ****************************************************************/
1963 WERROR
_netr_DsrDeregisterDNSHostRecords(struct pipes_struct
*p
,
1964 struct netr_DsrDeregisterDNSHostRecords
*r
)
1966 p
->rng_fault_state
= true;
1967 return WERR_NOT_SUPPORTED
;
1970 /****************************************************************
1971 ****************************************************************/
1973 NTSTATUS
_netr_ServerTrustPasswordsGet(struct pipes_struct
*p
,
1974 struct netr_ServerTrustPasswordsGet
*r
)
1976 p
->rng_fault_state
= true;
1977 return NT_STATUS_NOT_IMPLEMENTED
;
1980 /****************************************************************
1981 ****************************************************************/
1983 WERROR
_netr_DsRGetForestTrustInformation(struct pipes_struct
*p
,
1984 struct netr_DsRGetForestTrustInformation
*r
)
1986 p
->rng_fault_state
= true;
1987 return WERR_NOT_SUPPORTED
;
1990 /****************************************************************
1991 ****************************************************************/
1993 NTSTATUS
_netr_GetForestTrustInformation(struct pipes_struct
*p
,
1994 struct netr_GetForestTrustInformation
*r
)
1996 p
->rng_fault_state
= true;
1997 return NT_STATUS_NOT_IMPLEMENTED
;
2000 /****************************************************************
2001 ****************************************************************/
2003 NTSTATUS
_netr_ServerGetTrustInfo(struct pipes_struct
*p
,
2004 struct netr_ServerGetTrustInfo
*r
)
2006 p
->rng_fault_state
= true;
2007 return NT_STATUS_NOT_IMPLEMENTED
;