2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997.
7 * Copyright (C) Jeremy Allison 1998-2001.
8 * Copyright (C) Andrew Bartlett 2001.
9 * Copyright (C) Guenther Deschner 2008.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 /* This is the implementation of the netlogon pipe. */
28 #include "../libcli/auth/libcli_auth.h"
30 extern userdom_struct current_user_info
;
33 #define DBGC_CLASS DBGC_RPC_SRV
35 /*******************************************************************
36 Inits a netr_NETLOGON_INFO_1 structure.
37 ********************************************************************/
39 static void init_netlogon_info1(struct netr_NETLOGON_INFO_1
*r
,
41 uint32_t pdc_connection_status
)
44 r
->pdc_connection_status
= pdc_connection_status
;
47 /*******************************************************************
48 Inits a netr_NETLOGON_INFO_2 structure.
49 ********************************************************************/
51 static void init_netlogon_info2(struct netr_NETLOGON_INFO_2
*r
,
53 uint32_t pdc_connection_status
,
54 const char *trusted_dc_name
,
55 uint32_t tc_connection_status
)
58 r
->pdc_connection_status
= pdc_connection_status
;
59 r
->trusted_dc_name
= trusted_dc_name
;
60 r
->tc_connection_status
= tc_connection_status
;
63 /*******************************************************************
64 Inits a netr_NETLOGON_INFO_3 structure.
65 ********************************************************************/
67 static void init_netlogon_info3(struct netr_NETLOGON_INFO_3
*r
,
69 uint32_t logon_attempts
)
72 r
->logon_attempts
= logon_attempts
;
75 /*************************************************************************
77 *************************************************************************/
79 WERROR
_netr_LogonControl(pipes_struct
*p
,
80 struct netr_LogonControl
*r
)
82 struct netr_LogonControl2Ex l
;
84 switch (r
->in
.level
) {
88 return WERR_NOT_SUPPORTED
;
90 return WERR_UNKNOWN_LEVEL
;
93 l
.in
.logon_server
= r
->in
.logon_server
;
94 l
.in
.function_code
= r
->in
.function_code
;
95 l
.in
.level
= r
->in
.level
;
97 l
.out
.query
= r
->out
.query
;
99 return _netr_LogonControl2Ex(p
, &l
);
102 /****************************************************************************
103 Send a message to smbd to do a sam synchronisation
104 **************************************************************************/
106 static void send_sync_message(void)
108 DEBUG(3, ("sending sam synchronisation message\n"));
109 message_send_all(smbd_messaging_context(), MSG_SMB_SAM_SYNC
, NULL
, 0,
113 /*************************************************************************
115 *************************************************************************/
117 WERROR
_netr_LogonControl2(pipes_struct
*p
,
118 struct netr_LogonControl2
*r
)
120 struct netr_LogonControl2Ex l
;
122 l
.in
.logon_server
= r
->in
.logon_server
;
123 l
.in
.function_code
= r
->in
.function_code
;
124 l
.in
.level
= r
->in
.level
;
125 l
.in
.data
= r
->in
.data
;
126 l
.out
.query
= r
->out
.query
;
128 return _netr_LogonControl2Ex(p
, &l
);
131 /****************************************************************
132 _netr_LogonControl2Ex
133 ****************************************************************/
135 WERROR
_netr_LogonControl2Ex(pipes_struct
*p
,
136 struct netr_LogonControl2Ex
*r
)
139 uint32 pdc_connection_status
= 0x0;
140 uint32 logon_attempts
= 0x0;
143 const char *dc_name
= NULL
;
144 struct sockaddr_storage dc_ss
;
145 const char *domain
= NULL
;
146 struct netr_NETLOGON_INFO_1
*info1
;
147 struct netr_NETLOGON_INFO_2
*info2
;
148 struct netr_NETLOGON_INFO_3
*info3
;
151 switch (p
->hdr_req
.opnum
) {
152 case NDR_NETR_LOGONCONTROL
:
153 fn
= "_netr_LogonControl";
155 case NDR_NETR_LOGONCONTROL2
:
156 fn
= "_netr_LogonControl2";
158 case NDR_NETR_LOGONCONTROL2EX
:
159 fn
= "_netr_LogonControl2Ex";
162 return WERR_INVALID_PARAM
;
165 tc_status
= W_ERROR_V(WERR_NO_SUCH_DOMAIN
);
167 switch (r
->in
.function_code
) {
168 case NETLOGON_CONTROL_TC_QUERY
:
169 domain
= r
->in
.data
->domain
;
171 if ( !is_trusted_domain( domain
) )
174 if ( !get_dc_name( domain
, NULL
, dc_name2
, &dc_ss
) ) {
175 tc_status
= W_ERROR_V(WERR_NO_LOGON_SERVERS
);
179 dc_name
= talloc_asprintf(p
->mem_ctx
, "\\\\%s", dc_name2
);
184 tc_status
= W_ERROR_V(WERR_OK
);
188 case NETLOGON_CONTROL_REDISCOVER
:
189 domain
= r
->in
.data
->domain
;
191 if ( !is_trusted_domain( domain
) )
194 if ( !get_dc_name( domain
, NULL
, dc_name2
, &dc_ss
) ) {
195 tc_status
= W_ERROR_V(WERR_NO_LOGON_SERVERS
);
199 dc_name
= talloc_asprintf(p
->mem_ctx
, "\\\\%s", dc_name2
);
204 tc_status
= W_ERROR_V(WERR_OK
);
209 /* no idea what this should be */
210 DEBUG(0,("%s: unimplemented function level [%d]\n",
211 fn
, r
->in
.function_code
));
212 return WERR_UNKNOWN_LEVEL
;
215 /* prepare the response */
217 switch (r
->in
.level
) {
219 info1
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_1
);
220 W_ERROR_HAVE_NO_MEMORY(info1
);
222 init_netlogon_info1(info1
,
224 pdc_connection_status
);
225 r
->out
.query
->info1
= info1
;
228 info2
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_2
);
229 W_ERROR_HAVE_NO_MEMORY(info2
);
231 init_netlogon_info2(info2
,
233 pdc_connection_status
,
236 r
->out
.query
->info2
= info2
;
239 info3
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_3
);
240 W_ERROR_HAVE_NO_MEMORY(info3
);
242 init_netlogon_info3(info3
,
245 r
->out
.query
->info3
= info3
;
248 return WERR_UNKNOWN_LEVEL
;
251 if (lp_server_role() == ROLE_DOMAIN_BDC
) {
258 /*************************************************************************
259 _netr_NetrEnumerateTrustedDomains
260 *************************************************************************/
262 WERROR
_netr_NetrEnumerateTrustedDomains(pipes_struct
*p
,
263 struct netr_NetrEnumerateTrustedDomains
*r
)
265 struct netr_Blob trusted_domains_blob
;
268 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__
));
270 /* set up the Trusted Domain List response */
272 blob
= data_blob_talloc_zero(p
->mem_ctx
, 2);
273 trusted_domains_blob
.data
= blob
.data
;
274 trusted_domains_blob
.length
= blob
.length
;
276 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__
));
278 *r
->out
.trusted_domains_blob
= trusted_domains_blob
;
283 /******************************************************************
284 gets a machine password entry. checks access rights of the host.
285 ******************************************************************/
287 static NTSTATUS
get_md4pw(struct samr_Password
*md4pw
, const char *mach_acct
,
288 uint16_t sec_chan_type
, uint32_t *rid
)
290 struct samu
*sampass
= NULL
;
296 char addr
[INET6_ADDRSTRLEN
];
299 * Currently this code is redundent as we already have a filter
300 * by hostname list. What this code really needs to do is to
301 * get a hosts allowed/hosts denied list from the SAM database
302 * on a per user basis, and make the access decision there.
303 * I will leave this code here for now as a reminder to implement
304 * this at a later date. JRA.
307 if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
308 client_name(get_client_fd()),
309 client_addr(get_client_fd(),addr
,sizeof(addr
)))) {
310 DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct
));
315 if ( !(sampass
= samu_new( NULL
)) ) {
316 return NT_STATUS_NO_MEMORY
;
319 /* JRA. This is ok as it is only used for generating the challenge. */
321 ret
= pdb_getsampwnam(sampass
, mach_acct
);
325 DEBUG(0,("get_md4pw: Workstation %s: no account in domain\n", mach_acct
));
326 TALLOC_FREE(sampass
);
327 return NT_STATUS_ACCESS_DENIED
;
330 acct_ctrl
= pdb_get_acct_ctrl(sampass
);
331 if (acct_ctrl
& ACB_DISABLED
) {
332 DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct
));
333 TALLOC_FREE(sampass
);
334 return NT_STATUS_ACCOUNT_DISABLED
;
337 if (!(acct_ctrl
& ACB_SVRTRUST
) &&
338 !(acct_ctrl
& ACB_WSTRUST
) &&
339 !(acct_ctrl
& ACB_DOMTRUST
))
341 DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct
));
342 TALLOC_FREE(sampass
);
343 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
346 switch (sec_chan_type
) {
348 if (!(acct_ctrl
& ACB_SVRTRUST
)) {
349 DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
350 "but not a server trust account\n", mach_acct
));
351 TALLOC_FREE(sampass
);
352 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
356 if (!(acct_ctrl
& ACB_WSTRUST
)) {
357 DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
358 "but not a workstation trust account\n", mach_acct
));
359 TALLOC_FREE(sampass
);
360 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
363 case SEC_CHAN_DOMAIN
:
364 if (!(acct_ctrl
& ACB_DOMTRUST
)) {
365 DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
366 "but not a interdomain trust account\n", mach_acct
));
367 TALLOC_FREE(sampass
);
368 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
375 if ((pass
= pdb_get_nt_passwd(sampass
)) == NULL
) {
376 DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct
));
377 TALLOC_FREE(sampass
);
378 return NT_STATUS_LOGON_FAILURE
;
381 memcpy(md4pw
->hash
, pass
, 16);
382 dump_data(5, md4pw
->hash
, 16);
385 *rid
= pdb_get_user_rid(sampass
);
388 TALLOC_FREE(sampass
);
395 /*************************************************************************
396 _netr_ServerReqChallenge
397 *************************************************************************/
399 NTSTATUS
_netr_ServerReqChallenge(pipes_struct
*p
,
400 struct netr_ServerReqChallenge
*r
)
403 p
->dc
= TALLOC_ZERO_P(p
, struct dcinfo
);
405 return NT_STATUS_NO_MEMORY
;
408 DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));
412 fstrcpy(p
->dc
->remote_machine
, r
->in
.computer_name
);
414 /* Save the client challenge to the server. */
415 memcpy(p
->dc
->clnt_chal
.data
, r
->in
.credentials
->data
,
416 sizeof(r
->in
.credentials
->data
));
418 /* Create a server challenge for the client */
419 /* Set this to a random value. */
420 generate_random_buffer(p
->dc
->srv_chal
.data
, 8);
422 /* set up the LSA REQUEST CHALLENGE response */
423 *r
->out
.return_credentials
= p
->dc
->srv_chal
;
425 p
->dc
->challenge_sent
= True
;
430 /*************************************************************************
431 _netr_ServerAuthenticate
432 Create the initial credentials.
433 *************************************************************************/
435 NTSTATUS
_netr_ServerAuthenticate(pipes_struct
*p
,
436 struct netr_ServerAuthenticate
*r
)
438 struct netr_ServerAuthenticate3 a
;
439 uint32_t negotiate_flags
= 0;
442 a
.in
.server_name
= r
->in
.server_name
;
443 a
.in
.account_name
= r
->in
.account_name
;
444 a
.in
.secure_channel_type
= r
->in
.secure_channel_type
;
445 a
.in
.computer_name
= r
->in
.computer_name
;
446 a
.in
.credentials
= r
->in
.credentials
;
447 a
.in
.negotiate_flags
= &negotiate_flags
;
449 a
.out
.return_credentials
= r
->out
.return_credentials
;
451 a
.out
.negotiate_flags
= &negotiate_flags
;
453 return _netr_ServerAuthenticate3(p
, &a
);
457 /*************************************************************************
458 _netr_ServerAuthenticate3
459 *************************************************************************/
461 NTSTATUS
_netr_ServerAuthenticate3(pipes_struct
*p
,
462 struct netr_ServerAuthenticate3
*r
)
466 /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
467 * so use a copy to avoid destroying the client values. */
468 uint32_t in_neg_flags
= *r
->in
.negotiate_flags
;
469 struct netr_Credential srv_chal_out
;
472 struct samr_Password mach_pwd
;
474 /* According to Microsoft (see bugid #6099)
475 * Windows 7 looks at the negotiate_flags
476 * returned in this structure *even if the
477 * call fails with access denied* ! So in order
478 * to allow Win7 to connect to a Samba NT style
479 * PDC we set the flags before we know if it's
484 srv_flgs
= NETLOGON_NEG_ACCOUNT_LOCKOUT
|
485 NETLOGON_NEG_PERSISTENT_SAMREPL
|
486 NETLOGON_NEG_ARCFOUR
|
487 NETLOGON_NEG_PROMOTION_COUNT
|
488 NETLOGON_NEG_CHANGELOG_BDC
|
489 NETLOGON_NEG_FULL_SYNC_REPL
|
490 NETLOGON_NEG_MULTIPLE_SIDS
|
492 NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
;
494 /* Ensure we support strong (128-bit) keys. */
495 if (in_neg_flags
& NETLOGON_NEG_STRONG_KEYS
) {
496 srv_flgs
|= NETLOGON_NEG_STRONG_KEYS
;
499 if (lp_server_schannel() != false) {
500 srv_flgs
|= NETLOGON_NEG_SCHANNEL
;
503 switch (p
->hdr_req
.opnum
) {
504 case NDR_NETR_SERVERAUTHENTICATE
:
505 fn
= "_netr_ServerAuthenticate";
507 case NDR_NETR_SERVERAUTHENTICATE2
:
508 fn
= "_netr_ServerAuthenticate2";
510 case NDR_NETR_SERVERAUTHENTICATE3
:
511 fn
= "_netr_ServerAuthenticate3";
514 return NT_STATUS_INTERNAL_ERROR
;
517 /* We use this as the key to store the creds: */
518 /* r->in.computer_name */
520 if (!p
->dc
|| !p
->dc
->challenge_sent
) {
521 DEBUG(0,("%s: no challenge sent to client %s\n", fn
,
522 r
->in
.computer_name
));
523 status
= NT_STATUS_ACCESS_DENIED
;
527 if ( (lp_server_schannel() == true) &&
528 ((in_neg_flags
& NETLOGON_NEG_SCHANNEL
) == 0) ) {
530 /* schannel must be used, but client did not offer it. */
531 DEBUG(0,("%s: schannel required but client failed "
532 "to offer it. Client was %s\n",
533 fn
, r
->in
.account_name
));
534 status
= NT_STATUS_ACCESS_DENIED
;
538 status
= get_md4pw(&mach_pwd
,
540 r
->in
.secure_channel_type
,
542 if (!NT_STATUS_IS_OK(status
)) {
543 DEBUG(0,("%s: failed to get machine password for "
545 fn
, r
->in
.account_name
, nt_errstr(status
) ));
546 /* always return NT_STATUS_ACCESS_DENIED */
547 status
= NT_STATUS_ACCESS_DENIED
;
551 /* From the client / server challenges and md4 password, generate sess key */
552 creds_server_init(in_neg_flags
,
554 &p
->dc
->clnt_chal
, /* Stored client chal. */
555 &p
->dc
->srv_chal
, /* Stored server chal. */
559 /* Check client credentials are valid. */
560 if (!netlogon_creds_server_check(p
->dc
, r
->in
.credentials
)) {
561 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
562 "request from client %s machine account %s\n",
563 fn
, r
->in
.computer_name
,
564 r
->in
.account_name
));
565 status
= NT_STATUS_ACCESS_DENIED
;
568 /* set up the LSA AUTH 2 response */
569 memcpy(r
->out
.return_credentials
->data
, &srv_chal_out
.data
,
570 sizeof(r
->out
.return_credentials
->data
));
572 fstrcpy(p
->dc
->mach_acct
, r
->in
.account_name
);
573 fstrcpy(p
->dc
->remote_machine
, r
->in
.computer_name
);
574 fstrcpy(p
->dc
->domain
, lp_workgroup() );
576 p
->dc
->authenticated
= True
;
578 /* Store off the state so we can continue after client disconnect. */
580 secrets_store_schannel_session_info(p
->mem_ctx
,
587 status
= NT_STATUS_OK
;
591 *r
->out
.negotiate_flags
= srv_flgs
;
595 /*************************************************************************
596 _netr_ServerAuthenticate2
597 *************************************************************************/
599 NTSTATUS
_netr_ServerAuthenticate2(pipes_struct
*p
,
600 struct netr_ServerAuthenticate2
*r
)
602 struct netr_ServerAuthenticate3 a
;
605 a
.in
.server_name
= r
->in
.server_name
;
606 a
.in
.account_name
= r
->in
.account_name
;
607 a
.in
.secure_channel_type
= r
->in
.secure_channel_type
;
608 a
.in
.computer_name
= r
->in
.computer_name
;
609 a
.in
.credentials
= r
->in
.credentials
;
610 a
.in
.negotiate_flags
= r
->in
.negotiate_flags
;
612 a
.out
.return_credentials
= r
->out
.return_credentials
;
614 a
.out
.negotiate_flags
= r
->out
.negotiate_flags
;
616 return _netr_ServerAuthenticate3(p
, &a
);
619 /*************************************************************************
620 _netr_ServerPasswordSet
621 *************************************************************************/
623 NTSTATUS
_netr_ServerPasswordSet(pipes_struct
*p
,
624 struct netr_ServerPasswordSet
*r
)
626 NTSTATUS status
= NT_STATUS_OK
;
627 struct samu
*sampass
=NULL
;
629 unsigned char pwd
[16];
632 struct netr_Authenticator cred_out
;
635 DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__
));
637 if ( (lp_server_schannel() == True
) && (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) ) {
638 /* 'server schannel = yes' should enforce use of
639 schannel, the client did offer it in auth2, but
640 obviously did not use it. */
641 DEBUG(0,("_netr_ServerPasswordSet: client %s not using schannel for netlogon\n",
642 r
->in
.computer_name
));
643 return NT_STATUS_ACCESS_DENIED
;
647 /* Restore the saved state of the netlogon creds. */
649 ret
= secrets_restore_schannel_session_info(p
, r
->in
.computer_name
,
653 return NT_STATUS_INVALID_HANDLE
;
657 if (!p
->dc
|| !p
->dc
->authenticated
) {
658 return NT_STATUS_INVALID_HANDLE
;
661 DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
662 r
->in
.computer_name
, p
->dc
->mach_acct
));
664 /* Step the creds chain forward. */
665 if (!netlogon_creds_server_step(p
->dc
, r
->in
.credential
, &cred_out
)) {
666 DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
667 "request from client %s machine account %s\n",
668 r
->in
.computer_name
, p
->dc
->mach_acct
));
669 return NT_STATUS_INVALID_PARAMETER
;
672 /* We must store the creds state after an update. */
673 sampass
= samu_new( NULL
);
675 return NT_STATUS_NO_MEMORY
;
679 secrets_store_schannel_session_info(p
, r
->in
.computer_name
, p
->dc
);
680 ret
= pdb_getsampwnam(sampass
, p
->dc
->mach_acct
);
684 TALLOC_FREE(sampass
);
685 return NT_STATUS_ACCESS_DENIED
;
688 /* Ensure the account exists and is a machine account. */
690 acct_ctrl
= pdb_get_acct_ctrl(sampass
);
692 if (!(acct_ctrl
& ACB_WSTRUST
||
693 acct_ctrl
& ACB_SVRTRUST
||
694 acct_ctrl
& ACB_DOMTRUST
)) {
695 TALLOC_FREE(sampass
);
696 return NT_STATUS_NO_SUCH_USER
;
699 if (pdb_get_acct_ctrl(sampass
) & ACB_DISABLED
) {
700 TALLOC_FREE(sampass
);
701 return NT_STATUS_ACCOUNT_DISABLED
;
704 /* Woah - what does this to to the credential chain ? JRA */
705 cred_hash3(pwd
, r
->in
.new_password
->hash
, p
->dc
->sess_key
, 0);
707 DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
708 for(i
= 0; i
< sizeof(pwd
); i
++)
709 DEBUG(100,("%02X ", pwd
[i
]));
712 old_pw
= pdb_get_nt_passwd(sampass
);
714 if (old_pw
&& memcmp(pwd
, old_pw
, 16) == 0) {
715 /* Avoid backend modificiations and other fun if the
716 client changed the password to the *same thing* */
721 /* LM password should be NULL for machines */
722 if (!pdb_set_lanman_passwd(sampass
, NULL
, PDB_CHANGED
)) {
723 TALLOC_FREE(sampass
);
724 return NT_STATUS_NO_MEMORY
;
727 if (!pdb_set_nt_passwd(sampass
, pwd
, PDB_CHANGED
)) {
728 TALLOC_FREE(sampass
);
729 return NT_STATUS_NO_MEMORY
;
732 if (!pdb_set_pass_last_set_time(sampass
, time(NULL
), PDB_CHANGED
)) {
733 TALLOC_FREE(sampass
);
734 /* Not quite sure what this one qualifies as, but this will do */
735 return NT_STATUS_UNSUCCESSFUL
;
739 status
= pdb_update_sam_account(sampass
);
743 /* set up the LSA Server Password Set response */
745 memcpy(r
->out
.return_authenticator
, &cred_out
,
746 sizeof(*(r
->out
.return_authenticator
)));
748 TALLOC_FREE(sampass
);
752 /*************************************************************************
754 *************************************************************************/
756 NTSTATUS
_netr_LogonSamLogoff(pipes_struct
*p
,
757 struct netr_LogonSamLogoff
*r
)
759 if ( (lp_server_schannel() == True
) && (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) ) {
760 /* 'server schannel = yes' should enforce use of
761 schannel, the client did offer it in auth2, but
762 obviously did not use it. */
763 DEBUG(0,("_netr_LogonSamLogoff: client %s not using schannel for netlogon\n",
764 get_remote_machine_name() ));
765 return NT_STATUS_ACCESS_DENIED
;
769 /* Using the remote machine name for the creds store: */
770 /* r->in.computer_name */
773 /* Restore the saved state of the netlogon creds. */
777 ret
= secrets_restore_schannel_session_info(
778 p
, r
->in
.computer_name
, &p
->dc
);
781 return NT_STATUS_INVALID_HANDLE
;
785 if (!p
->dc
|| !p
->dc
->authenticated
) {
786 return NT_STATUS_INVALID_HANDLE
;
789 /* checks and updates credentials. creates reply credentials */
790 if (!netlogon_creds_server_step(p
->dc
, r
->in
.credential
, r
->out
.return_authenticator
)) {
791 DEBUG(2,("_netr_LogonSamLogoff: netlogon_creds_server_step failed. Rejecting auth "
792 "request from client %s machine account %s\n",
793 r
->in
.computer_name
, p
->dc
->mach_acct
));
794 return NT_STATUS_INVALID_PARAMETER
;
797 /* We must store the creds state after an update. */
799 secrets_store_schannel_session_info(p
, r
->in
.computer_name
, p
->dc
);
805 /*************************************************************************
807 *************************************************************************/
809 NTSTATUS
_netr_LogonSamLogon(pipes_struct
*p
,
810 struct netr_LogonSamLogon
*r
)
812 NTSTATUS status
= NT_STATUS_OK
;
813 union netr_LogonLevel
*logon
= r
->in
.logon
;
814 const char *nt_username
, *nt_domain
, *nt_workstation
;
815 auth_usersupplied_info
*user_info
= NULL
;
816 auth_serversupplied_info
*server_info
= NULL
;
817 struct auth_context
*auth_context
= NULL
;
818 uint8_t pipe_session_key
[16];
819 bool process_creds
= true;
822 switch (p
->hdr_req
.opnum
) {
823 case NDR_NETR_LOGONSAMLOGON
:
824 process_creds
= true;
825 fn
= "_netr_LogonSamLogon";
827 case NDR_NETR_LOGONSAMLOGONEX
:
828 fn
= "_netr_LogonSamLogonEx";
830 process_creds
= false;
833 if ( (lp_server_schannel() == True
) && (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) ) {
834 /* 'server schannel = yes' should enforce use of
835 schannel, the client did offer it in auth2, but
836 obviously did not use it. */
837 DEBUG(0,("%s: client %s not using schannel for netlogon\n",
838 fn
, get_remote_machine_name() ));
839 return NT_STATUS_ACCESS_DENIED
;
842 *r
->out
.authoritative
= true; /* authoritative response */
844 switch (r
->in
.validation_level
) {
846 r
->out
.validation
->sam2
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_SamInfo2
);
847 if (!r
->out
.validation
->sam2
) {
848 return NT_STATUS_NO_MEMORY
;
852 r
->out
.validation
->sam3
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_SamInfo3
);
853 if (!r
->out
.validation
->sam3
) {
854 return NT_STATUS_NO_MEMORY
;
858 DEBUG(0,("%s: bad validation_level value %d.\n",
859 fn
, (int)r
->in
.validation_level
));
860 return NT_STATUS_INVALID_INFO_CLASS
;
865 /* Get the remote machine name for the creds store. */
866 /* Note this is the remote machine this request is coming from (member server),
867 not neccessarily the workstation name the user is logging onto.
871 /* Restore the saved state of the netlogon creds. */
875 ret
= secrets_restore_schannel_session_info(
876 p
, r
->in
.computer_name
, &p
->dc
);
879 return NT_STATUS_INVALID_HANDLE
;
883 if (!p
->dc
|| !p
->dc
->authenticated
) {
884 return NT_STATUS_INVALID_HANDLE
;
887 /* checks and updates credentials. creates reply credentials */
888 if (!netlogon_creds_server_step(p
->dc
, r
->in
.credential
, r
->out
.return_authenticator
)) {
889 DEBUG(2,("%s: creds_server_step failed. Rejecting auth "
890 "request from client %s machine account %s\n",
891 fn
, r
->in
.computer_name
, p
->dc
->mach_acct
));
892 return NT_STATUS_INVALID_PARAMETER
;
895 /* We must store the creds state after an update. */
897 secrets_store_schannel_session_info(p
, r
->in
.computer_name
, p
->dc
);
901 switch (r
->in
.logon_level
) {
902 case NetlogonInteractiveInformation
:
903 nt_username
= logon
->password
->identity_info
.account_name
.string
;
904 nt_domain
= logon
->password
->identity_info
.domain_name
.string
;
905 nt_workstation
= logon
->password
->identity_info
.workstation
.string
;
907 DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
909 case NetlogonNetworkInformation
:
910 nt_username
= logon
->network
->identity_info
.account_name
.string
;
911 nt_domain
= logon
->network
->identity_info
.domain_name
.string
;
912 nt_workstation
= logon
->network
->identity_info
.workstation
.string
;
914 DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
917 DEBUG(2,("SAM Logon: unsupported switch value\n"));
918 return NT_STATUS_INVALID_INFO_CLASS
;
921 DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username
, nt_workstation
, nt_domain
));
922 fstrcpy(current_user_info
.smb_name
, nt_username
);
923 sub_set_smb_name(nt_username
);
925 DEBUG(5,("Attempting validation level %d for unmapped username %s.\n",
926 r
->in
.validation_level
, nt_username
));
928 status
= NT_STATUS_OK
;
930 switch (r
->in
.logon_level
) {
931 case NetlogonNetworkInformation
:
933 const char *wksname
= nt_workstation
;
935 status
= make_auth_context_fixed(&auth_context
,
936 logon
->network
->challenge
);
937 if (!NT_STATUS_IS_OK(status
)) {
941 /* For a network logon, the workstation name comes in with two
942 * backslashes in the front. Strip them if they are there. */
944 if (*wksname
== '\\') wksname
++;
945 if (*wksname
== '\\') wksname
++;
947 /* Standard challenge/response authenticaion */
948 if (!make_user_info_netlogon_network(&user_info
,
949 nt_username
, nt_domain
,
951 logon
->network
->identity_info
.parameter_control
,
952 logon
->network
->lm
.data
,
953 logon
->network
->lm
.length
,
954 logon
->network
->nt
.data
,
955 logon
->network
->nt
.length
)) {
956 status
= NT_STATUS_NO_MEMORY
;
960 case NetlogonInteractiveInformation
:
961 /* 'Interactive' authentication, supplies the password in its
962 MD4 form, encrypted with the session key. We will convert
963 this to challenge/response for the auth subsystem to chew
968 if (!NT_STATUS_IS_OK(status
= make_auth_context_subsystem(&auth_context
))) {
972 auth_context
->get_ntlm_challenge(auth_context
, chal
);
974 if (!make_user_info_netlogon_interactive(&user_info
,
975 nt_username
, nt_domain
,
977 logon
->password
->identity_info
.parameter_control
,
979 logon
->password
->lmpassword
.hash
,
980 logon
->password
->ntpassword
.hash
,
982 status
= NT_STATUS_NO_MEMORY
;
987 DEBUG(2,("SAM Logon: unsupported switch value\n"));
988 return NT_STATUS_INVALID_INFO_CLASS
;
991 if ( NT_STATUS_IS_OK(status
) ) {
992 status
= auth_context
->check_ntlm_password(auth_context
,
993 user_info
, &server_info
);
996 (auth_context
->free
)(&auth_context
);
997 free_user_info(&user_info
);
999 DEBUG(5,("%s: check_password returned status %s\n",
1000 fn
, nt_errstr(status
)));
1002 /* Check account and password */
1004 if (!NT_STATUS_IS_OK(status
)) {
1005 /* If we don't know what this domain is, we need to
1006 indicate that we are not authoritative. This
1007 allows the client to decide if it needs to try
1008 a local user. Fix by jpjanosi@us.ibm.com, #2976 */
1009 if ( NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)
1010 && !strequal(nt_domain
, get_global_sam_name())
1011 && !is_trusted_domain(nt_domain
) )
1012 *r
->out
.authoritative
= false; /* We are not authoritative */
1014 TALLOC_FREE(server_info
);
1018 if (server_info
->guest
) {
1019 /* We don't like guest domain logons... */
1020 DEBUG(5,("%s: Attempted domain logon as GUEST "
1022 TALLOC_FREE(server_info
);
1023 return NT_STATUS_LOGON_FAILURE
;
1026 /* This is the point at which, if the login was successful, that
1027 the SAM Local Security Authority should record that the user is
1028 logged in to the domain. */
1030 if (process_creds
) {
1031 /* Get the pipe session key from the creds. */
1032 memcpy(pipe_session_key
, p
->dc
->sess_key
, 16);
1034 /* Get the pipe session key from the schannel. */
1035 if ((p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
)
1036 || (p
->auth
.a_u
.schannel_auth
== NULL
)) {
1037 return NT_STATUS_INVALID_HANDLE
;
1039 memcpy(pipe_session_key
, p
->auth
.a_u
.schannel_auth
->sess_key
, 16);
1042 switch (r
->in
.validation_level
) {
1044 status
= serverinfo_to_SamInfo2(server_info
, pipe_session_key
, 16,
1045 r
->out
.validation
->sam2
);
1048 status
= serverinfo_to_SamInfo3(server_info
, pipe_session_key
, 16,
1049 r
->out
.validation
->sam3
);
1053 TALLOC_FREE(server_info
);
1058 /*************************************************************************
1059 _netr_LogonSamLogonEx
1060 - no credential chaining. Map into net sam logon.
1061 *************************************************************************/
1063 NTSTATUS
_netr_LogonSamLogonEx(pipes_struct
*p
,
1064 struct netr_LogonSamLogonEx
*r
)
1066 struct netr_LogonSamLogon q
;
1068 /* Only allow this if the pipe is protected. */
1069 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) {
1070 DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
1071 get_remote_machine_name() ));
1072 return NT_STATUS_INVALID_PARAMETER
;
1075 q
.in
.server_name
= r
->in
.server_name
;
1076 q
.in
.computer_name
= r
->in
.computer_name
;
1077 q
.in
.logon_level
= r
->in
.logon_level
;
1078 q
.in
.logon
= r
->in
.logon
;
1079 q
.in
.validation_level
= r
->in
.validation_level
;
1080 /* we do not handle the flags */
1081 /* = r->in.flags; */
1083 q
.out
.validation
= r
->out
.validation
;
1084 q
.out
.authoritative
= r
->out
.authoritative
;
1085 /* we do not handle the flags */
1086 /* = r->out.flags; */
1088 return _netr_LogonSamLogon(p
, &q
);
1091 /*************************************************************************
1093 *************************************************************************/
1094 #if 0 /* JERRY -- not correct */
1095 NTSTATUS
_ds_enum_dom_trusts(pipes_struct
*p
, DS_Q_ENUM_DOM_TRUSTS
*q_u
,
1096 DS_R_ENUM_DOM_TRUSTS
*r_u
)
1098 NTSTATUS status
= NT_STATUS_OK
;
1100 /* TODO: According to MSDN, the can only be executed against a
1101 DC or domain member running Windows 2000 or later. Need
1102 to test against a standalone 2k server and see what it
1103 does. A windows 2000 DC includes its own domain in the
1111 /****************************************************************
1112 ****************************************************************/
1114 WERROR
_netr_LogonUasLogon(pipes_struct
*p
,
1115 struct netr_LogonUasLogon
*r
)
1117 p
->rng_fault_state
= true;
1118 return WERR_NOT_SUPPORTED
;
1121 /****************************************************************
1122 ****************************************************************/
1124 WERROR
_netr_LogonUasLogoff(pipes_struct
*p
,
1125 struct netr_LogonUasLogoff
*r
)
1127 p
->rng_fault_state
= true;
1128 return WERR_NOT_SUPPORTED
;
1131 /****************************************************************
1132 ****************************************************************/
1134 NTSTATUS
_netr_DatabaseDeltas(pipes_struct
*p
,
1135 struct netr_DatabaseDeltas
*r
)
1137 p
->rng_fault_state
= true;
1138 return NT_STATUS_NOT_IMPLEMENTED
;
1141 /****************************************************************
1142 ****************************************************************/
1144 NTSTATUS
_netr_DatabaseSync(pipes_struct
*p
,
1145 struct netr_DatabaseSync
*r
)
1147 p
->rng_fault_state
= true;
1148 return NT_STATUS_NOT_IMPLEMENTED
;
1151 /****************************************************************
1152 ****************************************************************/
1154 NTSTATUS
_netr_AccountDeltas(pipes_struct
*p
,
1155 struct netr_AccountDeltas
*r
)
1157 p
->rng_fault_state
= true;
1158 return NT_STATUS_NOT_IMPLEMENTED
;
1161 /****************************************************************
1162 ****************************************************************/
1164 NTSTATUS
_netr_AccountSync(pipes_struct
*p
,
1165 struct netr_AccountSync
*r
)
1167 p
->rng_fault_state
= true;
1168 return NT_STATUS_NOT_IMPLEMENTED
;
1171 /****************************************************************
1172 ****************************************************************/
1174 WERROR
_netr_GetDcName(pipes_struct
*p
,
1175 struct netr_GetDcName
*r
)
1177 p
->rng_fault_state
= true;
1178 return WERR_NOT_SUPPORTED
;
1181 /****************************************************************
1182 ****************************************************************/
1184 WERROR
_netr_GetAnyDCName(pipes_struct
*p
,
1185 struct netr_GetAnyDCName
*r
)
1187 p
->rng_fault_state
= true;
1188 return WERR_NOT_SUPPORTED
;
1191 /****************************************************************
1192 ****************************************************************/
1194 NTSTATUS
_netr_DatabaseSync2(pipes_struct
*p
,
1195 struct netr_DatabaseSync2
*r
)
1197 p
->rng_fault_state
= true;
1198 return NT_STATUS_NOT_IMPLEMENTED
;
1201 /****************************************************************
1202 ****************************************************************/
1204 NTSTATUS
_netr_DatabaseRedo(pipes_struct
*p
,
1205 struct netr_DatabaseRedo
*r
)
1207 p
->rng_fault_state
= true;
1208 return NT_STATUS_NOT_IMPLEMENTED
;
1211 /****************************************************************
1212 ****************************************************************/
1214 WERROR
_netr_DsRGetDCName(pipes_struct
*p
,
1215 struct netr_DsRGetDCName
*r
)
1217 p
->rng_fault_state
= true;
1218 return WERR_NOT_SUPPORTED
;
1221 /****************************************************************
1222 ****************************************************************/
1224 NTSTATUS
_netr_LogonGetCapabilities(pipes_struct
*p
,
1225 struct netr_LogonGetCapabilities
*r
)
1227 return NT_STATUS_NOT_IMPLEMENTED
;
1230 /****************************************************************
1231 ****************************************************************/
1233 WERROR
_netr_NETRLOGONSETSERVICEBITS(pipes_struct
*p
,
1234 struct netr_NETRLOGONSETSERVICEBITS
*r
)
1236 p
->rng_fault_state
= true;
1237 return WERR_NOT_SUPPORTED
;
1240 /****************************************************************
1241 ****************************************************************/
1243 WERROR
_netr_LogonGetTrustRid(pipes_struct
*p
,
1244 struct netr_LogonGetTrustRid
*r
)
1246 p
->rng_fault_state
= true;
1247 return WERR_NOT_SUPPORTED
;
1250 /****************************************************************
1251 ****************************************************************/
1253 WERROR
_netr_NETRLOGONCOMPUTESERVERDIGEST(pipes_struct
*p
,
1254 struct netr_NETRLOGONCOMPUTESERVERDIGEST
*r
)
1256 p
->rng_fault_state
= true;
1257 return WERR_NOT_SUPPORTED
;
1260 /****************************************************************
1261 ****************************************************************/
1263 WERROR
_netr_NETRLOGONCOMPUTECLIENTDIGEST(pipes_struct
*p
,
1264 struct netr_NETRLOGONCOMPUTECLIENTDIGEST
*r
)
1266 p
->rng_fault_state
= true;
1267 return WERR_NOT_SUPPORTED
;
1270 /****************************************************************
1271 ****************************************************************/
1273 WERROR
_netr_DsRGetDCNameEx(pipes_struct
*p
,
1274 struct netr_DsRGetDCNameEx
*r
)
1276 p
->rng_fault_state
= true;
1277 return WERR_NOT_SUPPORTED
;
1280 /****************************************************************
1281 ****************************************************************/
1283 WERROR
_netr_DsRGetSiteName(pipes_struct
*p
,
1284 struct netr_DsRGetSiteName
*r
)
1286 p
->rng_fault_state
= true;
1287 return WERR_NOT_SUPPORTED
;
1290 /****************************************************************
1291 ****************************************************************/
1293 NTSTATUS
_netr_LogonGetDomainInfo(pipes_struct
*p
,
1294 struct netr_LogonGetDomainInfo
*r
)
1296 p
->rng_fault_state
= true;
1297 return NT_STATUS_NOT_IMPLEMENTED
;
1300 /****************************************************************
1301 ****************************************************************/
1303 NTSTATUS
_netr_ServerPasswordSet2(pipes_struct
*p
,
1304 struct netr_ServerPasswordSet2
*r
)
1306 p
->rng_fault_state
= true;
1307 return NT_STATUS_NOT_IMPLEMENTED
;
1310 /****************************************************************
1311 ****************************************************************/
1313 WERROR
_netr_ServerPasswordGet(pipes_struct
*p
,
1314 struct netr_ServerPasswordGet
*r
)
1316 p
->rng_fault_state
= true;
1317 return WERR_NOT_SUPPORTED
;
1320 /****************************************************************
1321 ****************************************************************/
1323 WERROR
_netr_NETRLOGONSENDTOSAM(pipes_struct
*p
,
1324 struct netr_NETRLOGONSENDTOSAM
*r
)
1326 p
->rng_fault_state
= true;
1327 return WERR_NOT_SUPPORTED
;
1330 /****************************************************************
1331 ****************************************************************/
1333 WERROR
_netr_DsRAddressToSitenamesW(pipes_struct
*p
,
1334 struct netr_DsRAddressToSitenamesW
*r
)
1336 p
->rng_fault_state
= true;
1337 return WERR_NOT_SUPPORTED
;
1340 /****************************************************************
1341 ****************************************************************/
1343 WERROR
_netr_DsRGetDCNameEx2(pipes_struct
*p
,
1344 struct netr_DsRGetDCNameEx2
*r
)
1346 p
->rng_fault_state
= true;
1347 return WERR_NOT_SUPPORTED
;
1350 /****************************************************************
1351 ****************************************************************/
1353 WERROR
_netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(pipes_struct
*p
,
1354 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN
*r
)
1356 p
->rng_fault_state
= true;
1357 return WERR_NOT_SUPPORTED
;
1360 /****************************************************************
1361 ****************************************************************/
1363 WERROR
_netr_NetrEnumerateTrustedDomainsEx(pipes_struct
*p
,
1364 struct netr_NetrEnumerateTrustedDomainsEx
*r
)
1366 p
->rng_fault_state
= true;
1367 return WERR_NOT_SUPPORTED
;
1370 /****************************************************************
1371 ****************************************************************/
1373 WERROR
_netr_DsRAddressToSitenamesExW(pipes_struct
*p
,
1374 struct netr_DsRAddressToSitenamesExW
*r
)
1376 p
->rng_fault_state
= true;
1377 return WERR_NOT_SUPPORTED
;
1380 /****************************************************************
1381 ****************************************************************/
1383 WERROR
_netr_DsrGetDcSiteCoverageW(pipes_struct
*p
,
1384 struct netr_DsrGetDcSiteCoverageW
*r
)
1386 p
->rng_fault_state
= true;
1387 return WERR_NOT_SUPPORTED
;
1390 /****************************************************************
1391 ****************************************************************/
1393 WERROR
_netr_DsrEnumerateDomainTrusts(pipes_struct
*p
,
1394 struct netr_DsrEnumerateDomainTrusts
*r
)
1396 p
->rng_fault_state
= true;
1397 return WERR_NOT_SUPPORTED
;
1400 /****************************************************************
1401 ****************************************************************/
1403 WERROR
_netr_DsrDeregisterDNSHostRecords(pipes_struct
*p
,
1404 struct netr_DsrDeregisterDNSHostRecords
*r
)
1406 p
->rng_fault_state
= true;
1407 return WERR_NOT_SUPPORTED
;
1410 /****************************************************************
1411 ****************************************************************/
1413 NTSTATUS
_netr_ServerTrustPasswordsGet(pipes_struct
*p
,
1414 struct netr_ServerTrustPasswordsGet
*r
)
1416 p
->rng_fault_state
= true;
1417 return NT_STATUS_NOT_IMPLEMENTED
;
1420 /****************************************************************
1421 ****************************************************************/
1423 WERROR
_netr_DsRGetForestTrustInformation(pipes_struct
*p
,
1424 struct netr_DsRGetForestTrustInformation
*r
)
1426 p
->rng_fault_state
= true;
1427 return WERR_NOT_SUPPORTED
;
1430 /****************************************************************
1431 ****************************************************************/
1433 WERROR
_netr_GetForestTrustInformation(pipes_struct
*p
,
1434 struct netr_GetForestTrustInformation
*r
)
1436 p
->rng_fault_state
= true;
1437 return WERR_NOT_SUPPORTED
;
1440 /****************************************************************
1441 ****************************************************************/
1443 NTSTATUS
_netr_LogonSamLogonWithFlags(pipes_struct
*p
,
1444 struct netr_LogonSamLogonWithFlags
*r
)
1446 p
->rng_fault_state
= true;
1447 return NT_STATUS_NOT_IMPLEMENTED
;
1450 /****************************************************************
1451 ****************************************************************/
1453 NTSTATUS
_netr_ServerGetTrustInfo(pipes_struct
*p
,
1454 struct netr_ServerGetTrustInfo
*r
)
1456 p
->rng_fault_state
= true;
1457 return NT_STATUS_NOT_IMPLEMENTED
;