search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3/smbconf_reg: Fix typo.
[Samba/gbeck.git] / source4 / cldap_server / netlogon.c
blob33c0adc3b18b6d34a2f8abfe968d91124282cefb
1 /*
2 Unix SMB/CIFS implementation.
3
4 CLDAP server - netlogon handling
5
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "lib/ldb/include/ldb.h"
25 #include "lib/ldb/include/ldb_errors.h"
26 #include "lib/events/events.h"
27 #include "smbd/service_task.h"
28 #include "cldap_server/cldap_server.h"
29 #include "librpc/gen_ndr/ndr_misc.h"
30 #include "libcli/ldap/ldap_ndr.h"
31 #include "libcli/security/security.h"
32 #include "dsdb/samdb/samdb.h"
33 #include "auth/auth.h"
34 #include "ldb_wrap.h"
35 #include "system/network.h"
36 #include "lib/socket/netif.h"
37 #include "param/param.h"
38 #include "../lib/tsocket/tsocket.h"
39
40 /*
41 fill in the cldap netlogon union for a given version
42 */
43 NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
44 TALLOC_CTX *mem_ctx,
45 const char *domain,
46 const char *netbios_domain,
47 struct dom_sid *domain_sid,
48 const char *domain_guid,
49 const char *user,
50 uint32_t acct_control,
51 const char *src_address,
52 uint32_t version,
53 struct loadparm_context *lp_ctx,
54 struct netlogon_samlogon_response *netlogon)
55 {
56 const char *ref_attrs[] = {"nETBIOSName", "dnsRoot", "ncName", NULL};
57 const char *dom_attrs[] = {"objectGUID", NULL};
58 const char *none_attrs[] = {NULL};
59 struct ldb_result *ref_res = NULL, *dom_res = NULL, *user_res = NULL;
60 int ret;
61 const char **services = lp_server_services(lp_ctx);
62 uint32_t server_type;
63 const char *pdc_name;
64 struct GUID domain_uuid;
65 const char *realm;
66 const char *dns_domain;
67 const char *pdc_dns_name;
68 const char *flatname;
69 const char *server_site;
70 const char *client_site;
71 const char *pdc_ip;
72 struct ldb_dn *partitions_basedn;
73 struct interface *ifaces;
74 bool user_known;
75 NTSTATUS status;
76
77 partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx);
78
79 /* the domain has an optional trailing . */
80 if (domain && domain[strlen(domain)-1] == '.') {
81 domain = talloc_strndup(mem_ctx, domain, strlen(domain)-1);
82 }
83
84 if (domain) {
85 struct ldb_dn *dom_dn;
86 /* try and find the domain */
87
88 ret = ldb_search(sam_ctx, mem_ctx, &ref_res,
89 partitions_basedn, LDB_SCOPE_ONELEVEL,
90 ref_attrs,
91 "(&(&(objectClass=crossRef)(dnsRoot=%s))(nETBIOSName=*))",
92 ldb_binary_encode_string(mem_ctx, domain));
93
94 if (ret != LDB_SUCCESS) {
95 DEBUG(2,("Unable to find referece to '%s' in sam: %s\n",
96 domain,
97 ldb_errstring(sam_ctx)));
98 return NT_STATUS_NO_SUCH_DOMAIN;
99 } else if (ref_res->count == 1) {
100 dom_dn = ldb_msg_find_attr_as_dn(sam_ctx, mem_ctx, ref_res->msgs[0], "ncName");
101 if (!dom_dn) {
102 return NT_STATUS_NO_SUCH_DOMAIN;
103 }
104 ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
105 dom_dn, LDB_SCOPE_BASE, dom_attrs,
106 "objectClass=domain");
107 if (ret != LDB_SUCCESS) {
108 DEBUG(2,("Error finding domain '%s'/'%s' in sam: %s\n", domain, ldb_dn_get_linearized(dom_dn), ldb_errstring(sam_ctx)));
109 return NT_STATUS_NO_SUCH_DOMAIN;
110 }
111 if (dom_res->count != 1) {
112 DEBUG(2,("Error finding domain '%s'/'%s' in sam\n", domain, ldb_dn_get_linearized(dom_dn)));
113 return NT_STATUS_NO_SUCH_DOMAIN;
114 }
115 } else if (ref_res->count > 1) {
116 talloc_free(ref_res);
117 return NT_STATUS_NO_SUCH_DOMAIN;
118 }
119 }
120
121 if (netbios_domain) {
122 struct ldb_dn *dom_dn;
123 /* try and find the domain */
124
125 ret = ldb_search(sam_ctx, mem_ctx, &ref_res,
126 partitions_basedn, LDB_SCOPE_ONELEVEL,
127 ref_attrs,
128 "(&(objectClass=crossRef)(ncName=*)(nETBIOSName=%s))",
129 ldb_binary_encode_string(mem_ctx, netbios_domain));
130
131 if (ret != LDB_SUCCESS) {
132 DEBUG(2,("Unable to find referece to '%s' in sam: %s\n",
133 netbios_domain,
134 ldb_errstring(sam_ctx)));
135 return NT_STATUS_NO_SUCH_DOMAIN;
136 } else if (ref_res->count == 1) {
137 dom_dn = ldb_msg_find_attr_as_dn(sam_ctx, mem_ctx, ref_res->msgs[0], "ncName");
138 if (!dom_dn) {
139 return NT_STATUS_NO_SUCH_DOMAIN;
140 }
141 ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
142 dom_dn, LDB_SCOPE_BASE, dom_attrs,
143 "objectClass=domain");
144 if (ret != LDB_SUCCESS) {
145 DEBUG(2,("Error finding domain '%s'/'%s' in sam: %s\n", domain, ldb_dn_get_linearized(dom_dn), ldb_errstring(sam_ctx)));
146 return NT_STATUS_NO_SUCH_DOMAIN;
147 }
148 if (dom_res->count != 1) {
149 DEBUG(2,("Error finding domain '%s'/'%s' in sam\n", domain, ldb_dn_get_linearized(dom_dn)));
150 return NT_STATUS_NO_SUCH_DOMAIN;
151 }
152 } else if (ref_res->count > 1) {
153 talloc_free(ref_res);
154 return NT_STATUS_NO_SUCH_DOMAIN;
155 }
156 }
157
158 if ((dom_res == NULL || dom_res->count == 0) && (domain_guid || domain_sid)) {
159 ref_res = NULL;
160
161 if (domain_guid) {
162 struct GUID binary_guid;
163 struct ldb_val guid_val;
164 enum ndr_err_code ndr_err;
165
166 /* By this means, we ensure we don't have funny stuff in the GUID */
167
168 status = GUID_from_string(domain_guid, &binary_guid);
169 if (!NT_STATUS_IS_OK(status)) {
170 return status;
171 }
172
173 /* And this gets the result into the binary format we want anyway */
174 ndr_err = ndr_push_struct_blob(&guid_val, mem_ctx, NULL, &binary_guid,
175 (ndr_push_flags_fn_t)ndr_push_GUID);
176 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
177 return NT_STATUS_INVALID_PARAMETER;
178 }
179 ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
180 NULL, LDB_SCOPE_SUBTREE,
181 dom_attrs,
182 "(&(objectCategory=DomainDNS)(objectGUID=%s))",
183 ldb_binary_encode(mem_ctx, guid_val));
184 } else { /* domain_sid case */
185 struct dom_sid *sid;
186 struct ldb_val sid_val;
187 enum ndr_err_code ndr_err;
188
189 /* Rather than go via the string, just push into the NDR form */
190 ndr_err = ndr_push_struct_blob(&sid_val, mem_ctx, NULL, &sid,
191 (ndr_push_flags_fn_t)ndr_push_dom_sid);
192 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
193 return NT_STATUS_INVALID_PARAMETER;
194 }
195
196 ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
197 NULL, LDB_SCOPE_SUBTREE,
198 dom_attrs,
199 "(&(objectCategory=DomainDNS)(objectSID=%s))",
200 ldb_binary_encode(mem_ctx, sid_val));
201 }
202
203 if (ret != LDB_SUCCESS) {
204 DEBUG(2,("Unable to find referece to GUID '%s' or SID %s in sam: %s\n",
205 domain_guid, dom_sid_string(mem_ctx, domain_sid),
206 ldb_errstring(sam_ctx)));
207 return NT_STATUS_NO_SUCH_DOMAIN;
208 } else if (dom_res->count == 1) {
209 /* try and find the domain */
210 ret = ldb_search(sam_ctx, mem_ctx, &ref_res,
211 partitions_basedn, LDB_SCOPE_ONELEVEL,
212 ref_attrs,
213 "(&(objectClass=crossRef)(ncName=%s))",
214 ldb_dn_get_linearized(dom_res->msgs[0]->dn));
215
216 if (ret != LDB_SUCCESS) {
217 DEBUG(2,("Unable to find referece to '%s' in sam: %s\n",
218 ldb_dn_get_linearized(dom_res->msgs[0]->dn),
219 ldb_errstring(sam_ctx)));
220 return NT_STATUS_NO_SUCH_DOMAIN;
221
222 } else if (ref_res->count != 1) {
223 DEBUG(2,("Unable to find referece to '%s' in sam\n",
224 ldb_dn_get_linearized(dom_res->msgs[0]->dn)));
225 return NT_STATUS_NO_SUCH_DOMAIN;
226 }
227 } else if (dom_res->count > 1) {
228 talloc_free(ref_res);
229 return NT_STATUS_NO_SUCH_DOMAIN;
230 }
231 }
232
233
234 if ((ref_res == NULL || ref_res->count == 0)) {
235 DEBUG(2,("Unable to find domain reference with name %s or GUID {%s}\n", domain, domain_guid));
236 return NT_STATUS_NO_SUCH_DOMAIN;
237 }
238
239 if ((dom_res == NULL || dom_res->count == 0)) {
240 DEBUG(2,("Unable to find domain with name %s or GUID {%s}\n", domain, domain_guid));
241 return NT_STATUS_NO_SUCH_DOMAIN;
242 }
243
244 /* work around different inputs for not-specified users */
245 if (!user) {
246 user = "";
247 }
248
249 /* Enquire about any valid username with just a CLDAP packet -
250 * if kerberos didn't also do this, the security folks would
251 * scream... */
252 if (user[0]) { \
253 /* Only allow some bits to be enquired: [MS-ATDS] 7.3.3.2 */
254 if (acct_control == (uint32_t)-1) {
255 acct_control = 0;
256 }
257 acct_control = acct_control & (ACB_TEMPDUP | ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST);
258
259 /* We must exclude disabled accounts, but otherwise do the bitwise match the client asked for */
260 ret = ldb_search(sam_ctx, mem_ctx, &user_res,
261 dom_res->msgs[0]->dn, LDB_SCOPE_SUBTREE,
262 none_attrs,
263 "(&(objectClass=user)(samAccountName=%s)"
264 "(!(userAccountControl:" LDB_OID_COMPARATOR_AND ":=%u))"
265 "(userAccountControl:" LDB_OID_COMPARATOR_OR ":=%u))",
266 ldb_binary_encode_string(mem_ctx, user),
267 UF_ACCOUNTDISABLE, samdb_acb2uf(acct_control));
268 if (ret != LDB_SUCCESS) {
269 DEBUG(2,("Unable to find referece to user '%s' with ACB 0x%8x under %s: %s\n",
270 user, acct_control, ldb_dn_get_linearized(dom_res->msgs[0]->dn),
271 ldb_errstring(sam_ctx)));
272 return NT_STATUS_NO_SUCH_USER;
273 } else if (user_res->count == 1) {
274 user_known = true;
275 } else {
276 user_known = false;
277 }
278
279 } else {
280 user_known = true;
281 }
282
283 server_type =
284 NBT_SERVER_DS | NBT_SERVER_TIMESERV |
285 NBT_SERVER_CLOSEST | NBT_SERVER_WRITABLE |
286 NBT_SERVER_GOOD_TIMESERV | DS_DNS_CONTROLLER |
287 DS_DNS_DOMAIN;
288
289 if (samdb_is_pdc(sam_ctx)) {
290 server_type |= NBT_SERVER_PDC;
291 }
292
293 if (samdb_is_gc(sam_ctx)) {
294 server_type |= NBT_SERVER_GC;
295 }
296
297 if (str_list_check(services, "ldap")) {
298 server_type |= NBT_SERVER_LDAP;
299 }
300
301 if (str_list_check(services, "kdc")) {
302 server_type |= NBT_SERVER_KDC;
303 }
304
305 if (ldb_dn_compare(ldb_get_root_basedn(sam_ctx), ldb_get_default_basedn(sam_ctx)) == 0) {
306 server_type |= DS_DNS_FOREST;
307 }
308
309 pdc_name = talloc_asprintf(mem_ctx, "\\\\%s", lp_netbios_name(lp_ctx));
310 domain_uuid = samdb_result_guid(dom_res->msgs[0], "objectGUID");
311 realm = samdb_result_string(ref_res->msgs[0], "dnsRoot", lp_realm(lp_ctx));
312 dns_domain = samdb_result_string(ref_res->msgs[0], "dnsRoot", lp_realm(lp_ctx));
313 pdc_dns_name = talloc_asprintf(mem_ctx, "%s.%s",
314 strlower_talloc(mem_ctx,
315 lp_netbios_name(lp_ctx)),
316 dns_domain);
317
318 flatname = samdb_result_string(ref_res->msgs[0], "nETBIOSName",
319 lp_workgroup(lp_ctx));
320 /* FIXME: Hardcoded site names */
321 server_site = "Default-First-Site-Name";
322 client_site = "Default-First-Site-Name";
323 load_interfaces(mem_ctx, lp_interfaces(lp_ctx), &ifaces);
324 pdc_ip = iface_best_ip(ifaces, src_address);
325
326 ZERO_STRUCTP(netlogon);
327
328 /* check if either of these bits is present */
329 if (version & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP)) {
330 uint32_t extra_flags = 0;
331 netlogon->ntver = NETLOGON_NT_VERSION_5EX;
332
333 /* could check if the user exists */
334 if (user_known) {
335 netlogon->data.nt5_ex.command = LOGON_SAM_LOGON_RESPONSE_EX;
336 } else {
337 netlogon->data.nt5_ex.command = LOGON_SAM_LOGON_USER_UNKNOWN_EX;
338 }
339 netlogon->data.nt5_ex.server_type = server_type;
340 netlogon->data.nt5_ex.domain_uuid = domain_uuid;
341 netlogon->data.nt5_ex.forest = realm;
342 netlogon->data.nt5_ex.dns_domain = dns_domain;
343 netlogon->data.nt5_ex.pdc_dns_name = pdc_dns_name;
344 netlogon->data.nt5_ex.domain = flatname;
345 netlogon->data.nt5_ex.pdc_name = lp_netbios_name(lp_ctx);
346 netlogon->data.nt5_ex.user_name = user;
347 netlogon->data.nt5_ex.server_site = server_site;
348 netlogon->data.nt5_ex.client_site = client_site;
349
350 if (version & NETLOGON_NT_VERSION_5EX_WITH_IP) {
351 /* Clearly this needs to be fixed up for IPv6 */
352 extra_flags = NETLOGON_NT_VERSION_5EX_WITH_IP;
353 netlogon->data.nt5_ex.sockaddr.sockaddr_family = 2;
354 netlogon->data.nt5_ex.sockaddr.pdc_ip = pdc_ip;
355 netlogon->data.nt5_ex.sockaddr.remaining = data_blob_talloc_zero(mem_ctx, 8);
356 }
357 netlogon->data.nt5_ex.nt_version = NETLOGON_NT_VERSION_1|NETLOGON_NT_VERSION_5EX|extra_flags;
358 netlogon->data.nt5_ex.lmnt_token = 0xFFFF;
359 netlogon->data.nt5_ex.lm20_token = 0xFFFF;
360
361 } else if (version & NETLOGON_NT_VERSION_5) {
362 netlogon->ntver = NETLOGON_NT_VERSION_5;
363
364 /* could check if the user exists */
365 if (user_known) {
366 netlogon->data.nt5.command = LOGON_SAM_LOGON_RESPONSE;
367 } else {
368 netlogon->data.nt5.command = LOGON_SAM_LOGON_USER_UNKNOWN;
369 }
370 netlogon->data.nt5.pdc_name = pdc_name;
371 netlogon->data.nt5.user_name = user;
372 netlogon->data.nt5.domain_name = flatname;
373 netlogon->data.nt5.domain_uuid = domain_uuid;
374 netlogon->data.nt5.forest = realm;
375 netlogon->data.nt5.dns_domain = dns_domain;
376 netlogon->data.nt5.pdc_dns_name = pdc_dns_name;
377 netlogon->data.nt5.pdc_ip = pdc_ip;
378 netlogon->data.nt5.server_type = server_type;
379 netlogon->data.nt5.nt_version = NETLOGON_NT_VERSION_1|NETLOGON_NT_VERSION_5;
380 netlogon->data.nt5.lmnt_token = 0xFFFF;
381 netlogon->data.nt5.lm20_token = 0xFFFF;
382
383 } else /* (version & NETLOGON_NT_VERSION_1) and all other cases */ {
384 netlogon->ntver = NETLOGON_NT_VERSION_1;
385 /* could check if the user exists */
386 if (user_known) {
387 netlogon->data.nt4.command = LOGON_SAM_LOGON_RESPONSE;
388 } else {
389 netlogon->data.nt4.command = LOGON_SAM_LOGON_USER_UNKNOWN;
390 }
391 netlogon->data.nt4.server = pdc_name;
392 netlogon->data.nt4.user_name = user;
393 netlogon->data.nt4.domain = flatname;
394 netlogon->data.nt4.nt_version = NETLOGON_NT_VERSION_1;
395 netlogon->data.nt4.lmnt_token = 0xFFFF;
396 netlogon->data.nt4.lm20_token = 0xFFFF;
397 }
398
399 return NT_STATUS_OK;
400 }
401
402
403 /*
404 handle incoming cldap requests
405 */
406 void cldapd_netlogon_request(struct cldap_socket *cldap,
407 struct cldapd_server *cldapd,
408 TALLOC_CTX *tmp_ctx,
409 uint32_t message_id,
410 struct ldb_parse_tree *tree,
411 struct tsocket_address *src)
412 {
413 int i;
414 const char *domain = NULL;
415 const char *host = NULL;
416 const char *user = NULL;
417 const char *domain_guid = NULL;
418 const char *domain_sid = NULL;
419 int acct_control = -1;
420 int version = -1;
421 struct netlogon_samlogon_response netlogon;
422 NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
423
424 if (tree->operation != LDB_OP_AND) goto failed;
425
426 /* extract the query elements */
427 for (i=0;i<tree->u.list.num_elements;i++) {
428 struct ldb_parse_tree *t = tree->u.list.elements[i];
429 if (t->operation != LDB_OP_EQUALITY) goto failed;
430 if (strcasecmp(t->u.equality.attr, "DnsDomain") == 0) {
431 domain = talloc_strndup(tmp_ctx,
432 (const char *)t->u.equality.value.data,
433 t->u.equality.value.length);
434 }
435 if (strcasecmp(t->u.equality.attr, "Host") == 0) {
436 host = talloc_strndup(tmp_ctx,
437 (const char *)t->u.equality.value.data,
438 t->u.equality.value.length);
439 }
440 if (strcasecmp(t->u.equality.attr, "DomainGuid") == 0) {
441 NTSTATUS enc_status;
442 struct GUID guid;
443 enc_status = ldap_decode_ndr_GUID(tmp_ctx,
444 t->u.equality.value, &guid);
445 if (NT_STATUS_IS_OK(enc_status)) {
446 domain_guid = GUID_string(tmp_ctx, &guid);
447 }
448 }
449 if (strcasecmp(t->u.equality.attr, "DomainSid") == 0) {
450 domain_sid = talloc_strndup(tmp_ctx,
451 (const char *)t->u.equality.value.data,
452 t->u.equality.value.length);
453 }
454 if (strcasecmp(t->u.equality.attr, "User") == 0) {
455 user = talloc_strndup(tmp_ctx,
456 (const char *)t->u.equality.value.data,
457 t->u.equality.value.length);
458 }
459 if (strcasecmp(t->u.equality.attr, "NtVer") == 0 &&
460 t->u.equality.value.length == 4) {
461 version = IVAL(t->u.equality.value.data, 0);
462 }
463 if (strcasecmp(t->u.equality.attr, "AAC") == 0 &&
464 t->u.equality.value.length == 4) {
465 acct_control = IVAL(t->u.equality.value.data, 0);
466 }
467 }
468
469 if (domain_guid == NULL && domain == NULL) {
470 domain = lp_realm(cldapd->task->lp_ctx);
471 }
472
473 if (version == -1) {
474 goto failed;
475 }
476
477 DEBUG(5,("cldap netlogon query domain=%s host=%s user=%s version=%d guid=%s\n",
478 domain, host, user, version, domain_guid));
479
480 status = fill_netlogon_samlogon_response(cldapd->samctx, tmp_ctx, domain, NULL, NULL, domain_guid,
481 user, acct_control,
482 tsocket_address_inet_addr_string(src, tmp_ctx),
483 version, cldapd->task->lp_ctx, &netlogon);
484 if (!NT_STATUS_IS_OK(status)) {
485 goto failed;
486 }
487
488 status = cldap_netlogon_reply(cldap,
489 lp_iconv_convenience(cldapd->task->lp_ctx),
490 message_id, src, version,
491 &netlogon);
492 if (!NT_STATUS_IS_OK(status)) {
493 goto failed;
494 }
495
496 return;
497
498 failed:
499 DEBUG(2,("cldap netlogon query failed domain=%s host=%s version=%d - %s\n",
500 domain, host, version, nt_errstr(status)));
501 cldap_empty_reply(cldap, message_id, src);
502 }
WIP