2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997.
7 * Copyright (C) Jeremy Allison 1998-2001.
8 * Copyright (C) Andrew Bartlett 2001.
9 * Copyright (C) Guenther Deschner 2008.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 /* This is the implementation of the netlogon pipe. */
29 extern userdom_struct current_user_info
;
32 #define DBGC_CLASS DBGC_RPC_SRV
34 /*************************************************************************
36 *************************************************************************/
38 static void init_net_r_req_chal(struct netr_Credential
*r
,
39 struct netr_Credential
*srv_chal
)
41 DEBUG(6,("init_net_r_req_chal: %d\n", __LINE__
));
43 memcpy(r
->data
, srv_chal
->data
, sizeof(r
->data
));
46 /*******************************************************************
47 Inits a netr_NETLOGON_INFO_1 structure.
48 ********************************************************************/
50 static void init_netlogon_info1(struct netr_NETLOGON_INFO_1
*r
,
52 uint32_t pdc_connection_status
)
55 r
->pdc_connection_status
= pdc_connection_status
;
58 /*******************************************************************
59 Inits a netr_NETLOGON_INFO_2 structure.
60 ********************************************************************/
62 static void init_netlogon_info2(struct netr_NETLOGON_INFO_2
*r
,
64 uint32_t pdc_connection_status
,
65 const char *trusted_dc_name
,
66 uint32_t tc_connection_status
)
69 r
->pdc_connection_status
= pdc_connection_status
;
70 r
->trusted_dc_name
= trusted_dc_name
;
71 r
->tc_connection_status
= tc_connection_status
;
74 /*******************************************************************
75 Inits a netr_NETLOGON_INFO_3 structure.
76 ********************************************************************/
78 static void init_netlogon_info3(struct netr_NETLOGON_INFO_3
*r
,
80 uint32_t logon_attempts
)
83 r
->logon_attempts
= logon_attempts
;
86 /*************************************************************************
88 *************************************************************************/
90 WERROR
_netr_LogonControl(pipes_struct
*p
,
91 struct netr_LogonControl
*r
)
93 struct netr_LogonControl2Ex l
;
95 switch (r
->in
.level
) {
99 return WERR_NOT_SUPPORTED
;
101 return WERR_UNKNOWN_LEVEL
;
104 l
.in
.logon_server
= r
->in
.logon_server
;
105 l
.in
.function_code
= r
->in
.function_code
;
106 l
.in
.level
= r
->in
.level
;
108 l
.out
.query
= r
->out
.info
;
110 return _netr_LogonControl2Ex(p
, &l
);
113 /****************************************************************************
114 Send a message to smbd to do a sam synchronisation
115 **************************************************************************/
117 static void send_sync_message(void)
119 DEBUG(3, ("sending sam synchronisation message\n"));
120 message_send_all(smbd_messaging_context(), MSG_SMB_SAM_SYNC
, NULL
, 0,
124 /*************************************************************************
126 *************************************************************************/
128 WERROR
_netr_LogonControl2(pipes_struct
*p
,
129 struct netr_LogonControl2
*r
)
131 struct netr_LogonControl2Ex l
;
133 l
.in
.logon_server
= r
->in
.logon_server
;
134 l
.in
.function_code
= r
->in
.function_code
;
135 l
.in
.level
= r
->in
.level
;
136 l
.in
.data
= r
->in
.data
;
137 l
.out
.query
= r
->out
.query
;
139 return _netr_LogonControl2Ex(p
, &l
);
142 /****************************************************************
143 _netr_LogonControl2Ex
144 ****************************************************************/
146 WERROR
_netr_LogonControl2Ex(pipes_struct
*p
,
147 struct netr_LogonControl2Ex
*r
)
150 uint32 pdc_connection_status
= 0x0;
151 uint32 logon_attempts
= 0x0;
154 const char *dc_name
= NULL
;
155 struct sockaddr_storage dc_ss
;
156 const char *domain
= NULL
;
157 struct netr_NETLOGON_INFO_1
*info1
;
158 struct netr_NETLOGON_INFO_2
*info2
;
159 struct netr_NETLOGON_INFO_3
*info3
;
162 switch (p
->hdr_req
.opnum
) {
163 case NDR_NETR_LOGONCONTROL
:
164 fn
= "_netr_LogonControl";
166 case NDR_NETR_LOGONCONTROL2
:
167 fn
= "_netr_LogonControl2";
169 case NDR_NETR_LOGONCONTROL2EX
:
170 fn
= "_netr_LogonControl2Ex";
173 return WERR_INVALID_PARAM
;
176 tc_status
= W_ERROR_V(WERR_NO_SUCH_DOMAIN
);
178 switch (r
->in
.function_code
) {
179 case NETLOGON_CONTROL_TC_QUERY
:
180 domain
= r
->in
.data
->domain
;
182 if ( !is_trusted_domain( domain
) )
185 if ( !get_dc_name( domain
, NULL
, dc_name2
, &dc_ss
) ) {
186 tc_status
= W_ERROR_V(WERR_NO_LOGON_SERVERS
);
190 dc_name
= talloc_asprintf(p
->mem_ctx
, "\\\\%s", dc_name2
);
195 tc_status
= W_ERROR_V(WERR_OK
);
199 case NETLOGON_CONTROL_REDISCOVER
:
200 domain
= r
->in
.data
->domain
;
202 if ( !is_trusted_domain( domain
) )
205 if ( !get_dc_name( domain
, NULL
, dc_name2
, &dc_ss
) ) {
206 tc_status
= W_ERROR_V(WERR_NO_LOGON_SERVERS
);
210 dc_name
= talloc_asprintf(p
->mem_ctx
, "\\\\%s", dc_name2
);
215 tc_status
= W_ERROR_V(WERR_OK
);
220 /* no idea what this should be */
221 DEBUG(0,("%s: unimplemented function level [%d]\n",
222 fn
, r
->in
.function_code
));
223 return WERR_UNKNOWN_LEVEL
;
226 /* prepare the response */
228 switch (r
->in
.level
) {
230 info1
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_1
);
231 W_ERROR_HAVE_NO_MEMORY(info1
);
233 init_netlogon_info1(info1
,
235 pdc_connection_status
);
236 r
->out
.query
->info1
= info1
;
239 info2
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_2
);
240 W_ERROR_HAVE_NO_MEMORY(info2
);
242 init_netlogon_info2(info2
,
244 pdc_connection_status
,
247 r
->out
.query
->info2
= info2
;
250 info3
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_3
);
251 W_ERROR_HAVE_NO_MEMORY(info3
);
253 init_netlogon_info3(info3
,
256 r
->out
.query
->info3
= info3
;
259 return WERR_UNKNOWN_LEVEL
;
262 if (lp_server_role() == ROLE_DOMAIN_BDC
) {
269 /*************************************************************************
270 _netr_NetrEnumerateTrustedDomains
271 *************************************************************************/
273 WERROR
_netr_NetrEnumerateTrustedDomains(pipes_struct
*p
,
274 struct netr_NetrEnumerateTrustedDomains
*r
)
276 struct netr_Blob trusted_domains_blob
;
279 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__
));
281 /* set up the Trusted Domain List response */
283 blob
= data_blob_talloc_zero(p
->mem_ctx
, 2);
284 trusted_domains_blob
.data
= blob
.data
;
285 trusted_domains_blob
.length
= blob
.length
;
287 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__
));
289 *r
->out
.trusted_domains_blob
= trusted_domains_blob
;
294 /******************************************************************
295 gets a machine password entry. checks access rights of the host.
296 ******************************************************************/
298 static NTSTATUS
get_md4pw(char *md4pw
, const char *mach_acct
,
299 uint16_t sec_chan_type
, uint32_t *rid
)
301 struct samu
*sampass
= NULL
;
307 char addr
[INET6_ADDRSTRLEN
];
310 * Currently this code is redundent as we already have a filter
311 * by hostname list. What this code really needs to do is to
312 * get a hosts allowed/hosts denied list from the SAM database
313 * on a per user basis, and make the access decision there.
314 * I will leave this code here for now as a reminder to implement
315 * this at a later date. JRA.
318 if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
319 client_name(get_client_fd()),
320 client_addr(get_client_fd(),addr
,sizeof(addr
)))) {
321 DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct
));
326 if ( !(sampass
= samu_new( NULL
)) ) {
327 return NT_STATUS_NO_MEMORY
;
330 /* JRA. This is ok as it is only used for generating the challenge. */
332 ret
= pdb_getsampwnam(sampass
, mach_acct
);
336 DEBUG(0,("get_md4pw: Workstation %s: no account in domain\n", mach_acct
));
337 TALLOC_FREE(sampass
);
338 return NT_STATUS_ACCESS_DENIED
;
341 acct_ctrl
= pdb_get_acct_ctrl(sampass
);
342 if (acct_ctrl
& ACB_DISABLED
) {
343 DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct
));
344 TALLOC_FREE(sampass
);
345 return NT_STATUS_ACCOUNT_DISABLED
;
348 if (!(acct_ctrl
& ACB_SVRTRUST
) &&
349 !(acct_ctrl
& ACB_WSTRUST
) &&
350 !(acct_ctrl
& ACB_DOMTRUST
))
352 DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct
));
353 TALLOC_FREE(sampass
);
354 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
357 switch (sec_chan_type
) {
359 if (!(acct_ctrl
& ACB_SVRTRUST
)) {
360 DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
361 "but not a server trust account\n", mach_acct
));
362 TALLOC_FREE(sampass
);
363 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
367 if (!(acct_ctrl
& ACB_WSTRUST
)) {
368 DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
369 "but not a workstation trust account\n", mach_acct
));
370 TALLOC_FREE(sampass
);
371 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
374 case SEC_CHAN_DOMAIN
:
375 if (!(acct_ctrl
& ACB_DOMTRUST
)) {
376 DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
377 "but not a interdomain trust account\n", mach_acct
));
378 TALLOC_FREE(sampass
);
379 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
386 if ((pass
= pdb_get_nt_passwd(sampass
)) == NULL
) {
387 DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct
));
388 TALLOC_FREE(sampass
);
389 return NT_STATUS_LOGON_FAILURE
;
392 memcpy(md4pw
, pass
, 16);
393 dump_data(5, (uint8
*)md4pw
, 16);
396 *rid
= pdb_get_user_rid(sampass
);
399 TALLOC_FREE(sampass
);
406 /*************************************************************************
407 _netr_ServerReqChallenge
408 *************************************************************************/
410 NTSTATUS
_netr_ServerReqChallenge(pipes_struct
*p
,
411 struct netr_ServerReqChallenge
*r
)
414 p
->dc
= TALLOC_ZERO_P(p
, struct dcinfo
);
416 return NT_STATUS_NO_MEMORY
;
419 DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));
423 fstrcpy(p
->dc
->remote_machine
, r
->in
.computer_name
);
425 /* Save the client challenge to the server. */
426 memcpy(p
->dc
->clnt_chal
.data
, r
->in
.credentials
->data
,
427 sizeof(r
->in
.credentials
->data
));
429 /* Create a server challenge for the client */
430 /* Set this to a random value. */
431 generate_random_buffer(p
->dc
->srv_chal
.data
, 8);
433 /* set up the LSA REQUEST CHALLENGE response */
434 init_net_r_req_chal(r
->out
.return_credentials
, &p
->dc
->srv_chal
);
436 p
->dc
->challenge_sent
= True
;
441 /*************************************************************************
442 _netr_ServerAuthenticate
443 Create the initial credentials.
444 *************************************************************************/
446 NTSTATUS
_netr_ServerAuthenticate(pipes_struct
*p
,
447 struct netr_ServerAuthenticate
*r
)
450 struct netr_Credential srv_chal_out
;
452 if (!p
->dc
|| !p
->dc
->challenge_sent
) {
453 return NT_STATUS_ACCESS_DENIED
;
456 status
= get_md4pw((char *)p
->dc
->mach_pw
,
458 r
->in
.secure_channel_type
,
460 if (!NT_STATUS_IS_OK(status
)) {
461 DEBUG(0,("_netr_ServerAuthenticate: get_md4pw failed. Failed to "
462 "get password for machine account %s "
463 "from client %s: %s\n",
466 nt_errstr(status
) ));
467 /* always return NT_STATUS_ACCESS_DENIED */
468 return NT_STATUS_ACCESS_DENIED
;
471 /* From the client / server challenges and md4 password, generate sess key */
472 creds_server_init(0, /* No neg flags. */
474 &p
->dc
->clnt_chal
, /* Stored client chal. */
475 &p
->dc
->srv_chal
, /* Stored server chal. */
479 /* Check client credentials are valid. */
480 if (!netlogon_creds_server_check(p
->dc
, r
->in
.credentials
)) {
481 DEBUG(0,("_netr_ServerAuthenticate: netlogon_creds_server_check failed. Rejecting auth "
482 "request from client %s machine account %s\n",
484 r
->in
.account_name
));
485 return NT_STATUS_ACCESS_DENIED
;
488 fstrcpy(p
->dc
->mach_acct
, r
->in
.account_name
);
489 fstrcpy(p
->dc
->remote_machine
, r
->in
.computer_name
);
490 p
->dc
->authenticated
= True
;
492 /* set up the LSA AUTH response */
493 /* Return the server credentials. */
495 memcpy(r
->out
.return_credentials
->data
, &srv_chal_out
.data
,
496 sizeof(r
->out
.return_credentials
->data
));
501 /*************************************************************************
502 _netr_ServerAuthenticate3
503 *************************************************************************/
505 NTSTATUS
_netr_ServerAuthenticate3(pipes_struct
*p
,
506 struct netr_ServerAuthenticate3
*r
)
510 struct netr_Credential srv_chal_out
;
513 /* According to Microsoft (see bugid #6099)
514 * Windows 7 looks at the negotiate_flags
515 * returned in this structure *even if the
516 * call fails with access denied ! So in order
517 * to allow Win7 to connect to a Samba NT style
518 * PDC we set the flags before we know if it's
523 srv_flgs
= NETLOGON_NEG_ACCOUNT_LOCKOUT
|
524 NETLOGON_NEG_PERSISTENT_SAMREPL
|
525 NETLOGON_NEG_ARCFOUR
|
526 NETLOGON_NEG_PROMOTION_COUNT
|
527 NETLOGON_NEG_CHANGELOG_BDC
|
528 NETLOGON_NEG_FULL_SYNC_REPL
|
529 NETLOGON_NEG_MULTIPLE_SIDS
|
531 NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
;
533 if (lp_server_schannel() != false) {
534 srv_flgs
|= NETLOGON_NEG_SCHANNEL
;
537 *r
->out
.negotiate_flags
= srv_flgs
;
539 switch (p
->hdr_req
.opnum
) {
540 case NDR_NETR_SERVERAUTHENTICATE2
:
541 fn
= "_netr_ServerAuthenticate2";
543 case NDR_NETR_SERVERAUTHENTICATE3
:
544 fn
= "_netr_ServerAuthenticate3";
547 return NT_STATUS_INTERNAL_ERROR
;
550 /* We use this as the key to store the creds: */
551 /* r->in.computer_name */
553 if (!p
->dc
|| !p
->dc
->challenge_sent
) {
554 DEBUG(0,("%s: no challenge sent to client %s\n", fn
,
555 r
->in
.computer_name
));
556 return NT_STATUS_ACCESS_DENIED
;
559 if ( (lp_server_schannel() == true) &&
560 ((*r
->in
.negotiate_flags
& NETLOGON_NEG_SCHANNEL
) == 0) ) {
562 /* schannel must be used, but client did not offer it. */
563 DEBUG(0,("%s: schannel required but client failed "
564 "to offer it. Client was %s\n",
565 fn
, r
->in
.account_name
));
566 return NT_STATUS_ACCESS_DENIED
;
569 status
= get_md4pw((char *)p
->dc
->mach_pw
,
571 r
->in
.secure_channel_type
,
573 if (!NT_STATUS_IS_OK(status
)) {
574 DEBUG(0,("%s: failed to get machine password for "
576 fn
, r
->in
.account_name
, nt_errstr(status
) ));
577 /* always return NT_STATUS_ACCESS_DENIED */
578 return NT_STATUS_ACCESS_DENIED
;
581 /* From the client / server challenges and md4 password, generate sess key */
582 creds_server_init(*r
->in
.negotiate_flags
,
584 &p
->dc
->clnt_chal
, /* Stored client chal. */
585 &p
->dc
->srv_chal
, /* Stored server chal. */
589 /* Check client credentials are valid. */
590 if (!netlogon_creds_server_check(p
->dc
, r
->in
.credentials
)) {
591 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
592 "request from client %s machine account %s\n",
593 fn
, r
->in
.computer_name
,
594 r
->in
.account_name
));
595 return NT_STATUS_ACCESS_DENIED
;
597 /* set up the LSA AUTH 2 response */
598 memcpy(r
->out
.return_credentials
->data
, &srv_chal_out
.data
,
599 sizeof(r
->out
.return_credentials
->data
));
601 fstrcpy(p
->dc
->mach_acct
, r
->in
.account_name
);
602 fstrcpy(p
->dc
->remote_machine
, r
->in
.computer_name
);
603 fstrcpy(p
->dc
->domain
, lp_workgroup() );
605 p
->dc
->authenticated
= True
;
607 /* Store off the state so we can continue after client disconnect. */
609 secrets_store_schannel_session_info(p
->mem_ctx
,
617 /*************************************************************************
618 _netr_ServerAuthenticate2
619 *************************************************************************/
621 NTSTATUS
_netr_ServerAuthenticate2(pipes_struct
*p
,
622 struct netr_ServerAuthenticate2
*r
)
624 struct netr_ServerAuthenticate3 a
;
627 a
.in
.server_name
= r
->in
.server_name
;
628 a
.in
.account_name
= r
->in
.account_name
;
629 a
.in
.secure_channel_type
= r
->in
.secure_channel_type
;
630 a
.in
.computer_name
= r
->in
.computer_name
;
631 a
.in
.credentials
= r
->in
.credentials
;
632 a
.in
.negotiate_flags
= r
->in
.negotiate_flags
;
634 a
.out
.return_credentials
= r
->out
.return_credentials
;
636 a
.out
.negotiate_flags
= r
->out
.negotiate_flags
;
638 return _netr_ServerAuthenticate3(p
, &a
);
641 /*************************************************************************
642 _netr_ServerPasswordSet
643 *************************************************************************/
645 NTSTATUS
_netr_ServerPasswordSet(pipes_struct
*p
,
646 struct netr_ServerPasswordSet
*r
)
648 NTSTATUS status
= NT_STATUS_OK
;
649 fstring remote_machine
;
650 struct samu
*sampass
=NULL
;
652 unsigned char pwd
[16];
655 struct netr_Authenticator cred_out
;
658 DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__
));
660 /* We need the remote machine name for the creds lookup. */
661 fstrcpy(remote_machine
, r
->in
.computer_name
);
663 if ( (lp_server_schannel() == True
) && (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) ) {
664 /* 'server schannel = yes' should enforce use of
665 schannel, the client did offer it in auth2, but
666 obviously did not use it. */
667 DEBUG(0,("_netr_ServerPasswordSet: client %s not using schannel for netlogon\n",
669 return NT_STATUS_ACCESS_DENIED
;
673 /* Restore the saved state of the netlogon creds. */
675 ret
= secrets_restore_schannel_session_info(p
, remote_machine
,
679 return NT_STATUS_INVALID_HANDLE
;
683 if (!p
->dc
|| !p
->dc
->authenticated
) {
684 return NT_STATUS_INVALID_HANDLE
;
687 DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
688 remote_machine
, p
->dc
->mach_acct
));
690 /* Step the creds chain forward. */
691 if (!netlogon_creds_server_step(p
->dc
, r
->in
.credential
, &cred_out
)) {
692 DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
693 "request from client %s machine account %s\n",
694 remote_machine
, p
->dc
->mach_acct
));
695 return NT_STATUS_INVALID_PARAMETER
;
698 /* We must store the creds state after an update. */
699 sampass
= samu_new( NULL
);
701 return NT_STATUS_NO_MEMORY
;
705 secrets_store_schannel_session_info(p
, remote_machine
, p
->dc
);
706 ret
= pdb_getsampwnam(sampass
, p
->dc
->mach_acct
);
710 TALLOC_FREE(sampass
);
711 return NT_STATUS_ACCESS_DENIED
;
714 /* Ensure the account exists and is a machine account. */
716 acct_ctrl
= pdb_get_acct_ctrl(sampass
);
718 if (!(acct_ctrl
& ACB_WSTRUST
||
719 acct_ctrl
& ACB_SVRTRUST
||
720 acct_ctrl
& ACB_DOMTRUST
)) {
721 TALLOC_FREE(sampass
);
722 return NT_STATUS_NO_SUCH_USER
;
725 if (pdb_get_acct_ctrl(sampass
) & ACB_DISABLED
) {
726 TALLOC_FREE(sampass
);
727 return NT_STATUS_ACCOUNT_DISABLED
;
730 /* Woah - what does this to to the credential chain ? JRA */
731 cred_hash3(pwd
, r
->in
.new_password
->hash
, p
->dc
->sess_key
, 0);
733 DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
734 for(i
= 0; i
< sizeof(pwd
); i
++)
735 DEBUG(100,("%02X ", pwd
[i
]));
738 old_pw
= pdb_get_nt_passwd(sampass
);
740 if (old_pw
&& memcmp(pwd
, old_pw
, 16) == 0) {
741 /* Avoid backend modificiations and other fun if the
742 client changed the password to the *same thing* */
747 /* LM password should be NULL for machines */
748 if (!pdb_set_lanman_passwd(sampass
, NULL
, PDB_CHANGED
)) {
749 TALLOC_FREE(sampass
);
750 return NT_STATUS_NO_MEMORY
;
753 if (!pdb_set_nt_passwd(sampass
, pwd
, PDB_CHANGED
)) {
754 TALLOC_FREE(sampass
);
755 return NT_STATUS_NO_MEMORY
;
758 if (!pdb_set_pass_last_set_time(sampass
, time(NULL
), PDB_CHANGED
)) {
759 TALLOC_FREE(sampass
);
760 /* Not quite sure what this one qualifies as, but this will do */
761 return NT_STATUS_UNSUCCESSFUL
;
765 status
= pdb_update_sam_account(sampass
);
769 /* set up the LSA Server Password Set response */
771 memcpy(r
->out
.return_authenticator
, &cred_out
,
772 sizeof(*(r
->out
.return_authenticator
)));
774 TALLOC_FREE(sampass
);
778 /*************************************************************************
780 *************************************************************************/
782 NTSTATUS
_netr_LogonSamLogoff(pipes_struct
*p
,
783 struct netr_LogonSamLogoff
*r
)
785 if ( (lp_server_schannel() == True
) && (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) ) {
786 /* 'server schannel = yes' should enforce use of
787 schannel, the client did offer it in auth2, but
788 obviously did not use it. */
789 DEBUG(0,("_netr_LogonSamLogoff: client %s not using schannel for netlogon\n",
790 get_remote_machine_name() ));
791 return NT_STATUS_ACCESS_DENIED
;
795 /* Using the remote machine name for the creds store: */
796 /* r->in.computer_name */
799 /* Restore the saved state of the netlogon creds. */
803 ret
= secrets_restore_schannel_session_info(
804 p
, r
->in
.computer_name
, &p
->dc
);
807 return NT_STATUS_INVALID_HANDLE
;
811 if (!p
->dc
|| !p
->dc
->authenticated
) {
812 return NT_STATUS_INVALID_HANDLE
;
815 /* checks and updates credentials. creates reply credentials */
816 if (!netlogon_creds_server_step(p
->dc
, r
->in
.credential
, r
->out
.return_authenticator
)) {
817 DEBUG(2,("_netr_LogonSamLogoff: netlogon_creds_server_step failed. Rejecting auth "
818 "request from client %s machine account %s\n",
819 r
->in
.computer_name
, p
->dc
->mach_acct
));
820 return NT_STATUS_INVALID_PARAMETER
;
823 /* We must store the creds state after an update. */
825 secrets_store_schannel_session_info(p
, r
->in
.computer_name
, p
->dc
);
831 /*************************************************************************
833 *************************************************************************/
835 NTSTATUS
_netr_LogonSamLogon(pipes_struct
*p
,
836 struct netr_LogonSamLogon
*r
)
838 NTSTATUS status
= NT_STATUS_OK
;
839 struct netr_SamInfo3
*sam3
= NULL
;
840 union netr_LogonLevel
*logon
= r
->in
.logon
;
841 fstring nt_username
, nt_domain
, nt_workstation
;
842 auth_usersupplied_info
*user_info
= NULL
;
843 auth_serversupplied_info
*server_info
= NULL
;
844 struct auth_context
*auth_context
= NULL
;
845 uint8_t pipe_session_key
[16];
846 bool process_creds
= true;
849 switch (p
->hdr_req
.opnum
) {
850 case NDR_NETR_LOGONSAMLOGON
:
851 process_creds
= true;
852 fn
= "_netr_LogonSamLogon";
854 case NDR_NETR_LOGONSAMLOGONEX
:
855 fn
= "_netr_LogonSamLogonEx";
858 process_creds
= false;
861 if ( (lp_server_schannel() == True
) && (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) ) {
862 /* 'server schannel = yes' should enforce use of
863 schannel, the client did offer it in auth2, but
864 obviously did not use it. */
865 DEBUG(0,("%s: client %s not using schannel for netlogon\n",
866 fn
, get_remote_machine_name() ));
867 return NT_STATUS_ACCESS_DENIED
;
870 sam3
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_SamInfo3
);
872 return NT_STATUS_NO_MEMORY
;
875 /* store the user information, if there is any. */
876 r
->out
.validation
->sam3
= sam3
;
877 *r
->out
.authoritative
= true; /* authoritative response */
878 if (r
->in
.validation_level
!= 2 && r
->in
.validation_level
!= 3) {
879 DEBUG(0,("%s: bad validation_level value %d.\n",
880 fn
, (int)r
->in
.validation_level
));
881 return NT_STATUS_ACCESS_DENIED
;
886 /* Get the remote machine name for the creds store. */
887 /* Note this is the remote machine this request is coming from (member server),
888 not neccessarily the workstation name the user is logging onto.
892 /* Restore the saved state of the netlogon creds. */
896 ret
= secrets_restore_schannel_session_info(
897 p
, r
->in
.computer_name
, &p
->dc
);
900 return NT_STATUS_INVALID_HANDLE
;
904 if (!p
->dc
|| !p
->dc
->authenticated
) {
905 return NT_STATUS_INVALID_HANDLE
;
908 /* checks and updates credentials. creates reply credentials */
909 if (!netlogon_creds_server_step(p
->dc
, r
->in
.credential
, r
->out
.return_authenticator
)) {
910 DEBUG(2,("%s: creds_server_step failed. Rejecting auth "
911 "request from client %s machine account %s\n",
912 fn
, r
->in
.computer_name
, p
->dc
->mach_acct
));
913 return NT_STATUS_INVALID_PARAMETER
;
916 /* We must store the creds state after an update. */
918 secrets_store_schannel_session_info(p
, r
->in
.computer_name
, p
->dc
);
922 switch (r
->in
.logon_level
) {
923 case NetlogonInteractiveInformation
:
925 logon
->password
->identity_info
.account_name
.string
);
927 logon
->password
->identity_info
.domain_name
.string
);
928 fstrcpy(nt_workstation
,
929 logon
->password
->identity_info
.workstation
.string
);
931 DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
933 case NetlogonNetworkInformation
:
935 logon
->network
->identity_info
.account_name
.string
);
937 logon
->network
->identity_info
.domain_name
.string
);
938 fstrcpy(nt_workstation
,
939 logon
->network
->identity_info
.workstation
.string
);
941 DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
944 DEBUG(2,("SAM Logon: unsupported switch value\n"));
945 return NT_STATUS_INVALID_INFO_CLASS
;
948 DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username
, nt_workstation
, nt_domain
));
949 fstrcpy(current_user_info
.smb_name
, nt_username
);
950 sub_set_smb_name(nt_username
);
952 DEBUG(5,("Attempting validation level %d for unmapped username %s.\n",
953 r
->in
.validation_level
, nt_username
));
955 status
= NT_STATUS_OK
;
957 switch (r
->in
.logon_level
) {
958 case NetlogonNetworkInformation
:
960 const char *wksname
= nt_workstation
;
962 status
= make_auth_context_fixed(&auth_context
,
963 logon
->network
->challenge
);
964 if (!NT_STATUS_IS_OK(status
)) {
968 /* For a network logon, the workstation name comes in with two
969 * backslashes in the front. Strip them if they are there. */
971 if (*wksname
== '\\') wksname
++;
972 if (*wksname
== '\\') wksname
++;
974 /* Standard challenge/response authenticaion */
975 if (!make_user_info_netlogon_network(&user_info
,
976 nt_username
, nt_domain
,
978 logon
->network
->identity_info
.parameter_control
,
979 logon
->network
->lm
.data
,
980 logon
->network
->lm
.length
,
981 logon
->network
->nt
.data
,
982 logon
->network
->nt
.length
)) {
983 status
= NT_STATUS_NO_MEMORY
;
987 case NetlogonInteractiveInformation
:
988 /* 'Interactive' authentication, supplies the password in its
989 MD4 form, encrypted with the session key. We will convert
990 this to challenge/response for the auth subsystem to chew
995 if (!NT_STATUS_IS_OK(status
= make_auth_context_subsystem(&auth_context
))) {
999 auth_context
->get_ntlm_challenge(auth_context
, chal
);
1001 if (!make_user_info_netlogon_interactive(&user_info
,
1002 nt_username
, nt_domain
,
1004 logon
->password
->identity_info
.parameter_control
,
1006 logon
->password
->lmpassword
.hash
,
1007 logon
->password
->ntpassword
.hash
,
1009 status
= NT_STATUS_NO_MEMORY
;
1014 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1015 return NT_STATUS_INVALID_INFO_CLASS
;
1018 if ( NT_STATUS_IS_OK(status
) ) {
1019 status
= auth_context
->check_ntlm_password(auth_context
,
1020 user_info
, &server_info
);
1023 (auth_context
->free
)(&auth_context
);
1024 free_user_info(&user_info
);
1026 DEBUG(5,("%s: check_password returned status %s\n",
1027 fn
, nt_errstr(status
)));
1029 /* Check account and password */
1031 if (!NT_STATUS_IS_OK(status
)) {
1032 /* If we don't know what this domain is, we need to
1033 indicate that we are not authoritative. This
1034 allows the client to decide if it needs to try
1035 a local user. Fix by jpjanosi@us.ibm.com, #2976 */
1036 if ( NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)
1037 && !strequal(nt_domain
, get_global_sam_name())
1038 && !is_trusted_domain(nt_domain
) )
1039 *r
->out
.authoritative
= false; /* We are not authoritative */
1041 TALLOC_FREE(server_info
);
1045 if (server_info
->guest
) {
1046 /* We don't like guest domain logons... */
1047 DEBUG(5,("%s: Attempted domain logon as GUEST "
1049 TALLOC_FREE(server_info
);
1050 return NT_STATUS_LOGON_FAILURE
;
1053 /* This is the point at which, if the login was successful, that
1054 the SAM Local Security Authority should record that the user is
1055 logged in to the domain. */
1057 if (process_creds
) {
1058 /* Get the pipe session key from the creds. */
1059 memcpy(pipe_session_key
, p
->dc
->sess_key
, 16);
1061 /* Get the pipe session key from the schannel. */
1062 if ((p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
)
1063 || (p
->auth
.a_u
.schannel_auth
== NULL
)) {
1064 return NT_STATUS_INVALID_HANDLE
;
1066 memcpy(pipe_session_key
, p
->auth
.a_u
.schannel_auth
->sess_key
, 16);
1069 status
= serverinfo_to_SamInfo3(server_info
, pipe_session_key
, 16, sam3
);
1070 TALLOC_FREE(server_info
);
1074 /*************************************************************************
1075 _netr_LogonSamLogonEx
1076 - no credential chaining. Map into net sam logon.
1077 *************************************************************************/
1079 NTSTATUS
_netr_LogonSamLogonEx(pipes_struct
*p
,
1080 struct netr_LogonSamLogonEx
*r
)
1082 struct netr_LogonSamLogon q
;
1084 /* Only allow this if the pipe is protected. */
1085 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) {
1086 DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
1087 get_remote_machine_name() ));
1088 return NT_STATUS_INVALID_PARAMETER
;
1091 q
.in
.server_name
= r
->in
.server_name
;
1092 q
.in
.computer_name
= r
->in
.computer_name
;
1093 q
.in
.logon_level
= r
->in
.logon_level
;
1094 q
.in
.logon
= r
->in
.logon
;
1095 q
.in
.validation_level
= r
->in
.validation_level
;
1096 /* we do not handle the flags */
1097 /* = r->in.flags; */
1099 q
.out
.validation
= r
->out
.validation
;
1100 q
.out
.authoritative
= r
->out
.authoritative
;
1101 /* we do not handle the flags */
1102 /* = r->out.flags; */
1104 return _netr_LogonSamLogon(p
, &q
);
1107 /*************************************************************************
1109 *************************************************************************/
1110 #if 0 /* JERRY -- not correct */
1111 NTSTATUS
_ds_enum_dom_trusts(pipes_struct
*p
, DS_Q_ENUM_DOM_TRUSTS
*q_u
,
1112 DS_R_ENUM_DOM_TRUSTS
*r_u
)
1114 NTSTATUS status
= NT_STATUS_OK
;
1116 /* TODO: According to MSDN, the can only be executed against a
1117 DC or domain member running Windows 2000 or later. Need
1118 to test against a standalone 2k server and see what it
1119 does. A windows 2000 DC includes its own domain in the
1127 /****************************************************************
1128 ****************************************************************/
1130 WERROR
_netr_LogonUasLogon(pipes_struct
*p
,
1131 struct netr_LogonUasLogon
*r
)
1133 p
->rng_fault_state
= true;
1134 return WERR_NOT_SUPPORTED
;
1137 /****************************************************************
1138 ****************************************************************/
1140 WERROR
_netr_LogonUasLogoff(pipes_struct
*p
,
1141 struct netr_LogonUasLogoff
*r
)
1143 p
->rng_fault_state
= true;
1144 return WERR_NOT_SUPPORTED
;
/****************************************************************
 _netr_DatabaseDeltas -- not implemented on this server.
 Raises p->rng_fault_state (presumably faulted by the generated
 dispatcher -- confirm) and returns NT_STATUS_NOT_IMPLEMENTED.
 The request r is never examined.
****************************************************************/

NTSTATUS _netr_DatabaseDeltas(pipes_struct *p,
			      struct netr_DatabaseDeltas *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r;		/* nothing from the request is used */

	/* fault the pipe so no reply body is marshalled */
	p->rng_fault_state = true;

	return status;
}
/****************************************************************
 _netr_DatabaseSync -- not implemented on this server.
 Marks the pipe via p->rng_fault_state (presumably reported to the
 client as a fault -- confirm in the generated dispatcher) and
 returns NT_STATUS_NOT_IMPLEMENTED. The request r is not read.
****************************************************************/

NTSTATUS _netr_DatabaseSync(pipes_struct *p,
			    struct netr_DatabaseSync *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r;

	/* refuse at the RPC layer; no database contents are exposed */
	p->rng_fault_state = true;

	return status;
}
/****************************************************************
 _netr_AccountDeltas -- not implemented on this server.
 Raises p->rng_fault_state (presumably a pipe fault -- confirm in
 the generated dispatcher) and returns NT_STATUS_NOT_IMPLEMENTED.
 The request r is never examined.
****************************************************************/

NTSTATUS _netr_AccountDeltas(pipes_struct *p,
			     struct netr_AccountDeltas *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r;		/* request is ignored */

	/* fault the pipe rather than marshal an empty reply */
	p->rng_fault_state = true;

	return status;
}
/****************************************************************
 _netr_AccountSync -- not implemented on this server.
 Sets p->rng_fault_state (presumably surfaced as a pipe fault --
 confirm in the generated dispatcher) and returns
 NT_STATUS_NOT_IMPLEMENTED. The request r is not read.
****************************************************************/

NTSTATUS _netr_AccountSync(pipes_struct *p,
			   struct netr_AccountSync *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r;

	/* refuse the opnum at the RPC layer */
	p->rng_fault_state = true;

	return status;
}
/****************************************************************
 _netr_GetDcName -- not implemented on this server.
 Raises p->rng_fault_state (presumably faulted by the generated
 dispatcher -- confirm) and reports WERR_NOT_SUPPORTED.
 The request r is never examined.
****************************************************************/

WERROR _netr_GetDcName(pipes_struct *p,
		       struct netr_GetDcName *r)
{
	WERROR result = WERR_NOT_SUPPORTED;

	(void)r;		/* request contents are never consulted */

	/* fault the pipe instead of marshalling a reply */
	p->rng_fault_state = true;

	return result;
}
/****************************************************************
 _netr_GetAnyDCName -- not implemented on this server.
 Sets p->rng_fault_state (presumably a pipe fault -- confirm in the
 generated dispatcher) and reports WERR_NOT_SUPPORTED.
 The request r is not read.
****************************************************************/

WERROR _netr_GetAnyDCName(pipes_struct *p,
			  struct netr_GetAnyDCName *r)
{
	WERROR werr = WERR_NOT_SUPPORTED;

	(void)r;

	/* refuse the opnum at the RPC layer */
	p->rng_fault_state = true;

	return werr;
}
/****************************************************************
 _netr_DatabaseSync2 -- not implemented on this server.
 Raises p->rng_fault_state (presumably faulted by the generated
 dispatcher -- confirm) and returns NT_STATUS_NOT_IMPLEMENTED.
 The request r is never examined.
****************************************************************/

NTSTATUS _netr_DatabaseSync2(pipes_struct *p,
			     struct netr_DatabaseSync2 *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r;		/* request is ignored */

	/* refuse at the RPC layer; no database contents are exposed */
	p->rng_fault_state = true;

	return status;
}
/****************************************************************
 _netr_DatabaseRedo -- not implemented on this server.
 Sets p->rng_fault_state (presumably a pipe fault -- confirm in the
 generated dispatcher) and returns NT_STATUS_NOT_IMPLEMENTED.
 The request r is not read.
****************************************************************/

NTSTATUS _netr_DatabaseRedo(pipes_struct *p,
			    struct netr_DatabaseRedo *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r;

	/* fault the pipe rather than marshal an empty reply */
	p->rng_fault_state = true;

	return status;
}
/****************************************************************
 _netr_DsRGetDCName -- not implemented on this server.
 Raises p->rng_fault_state (presumably faulted by the generated
 dispatcher -- confirm) and reports WERR_NOT_SUPPORTED.
 The request r is never examined.
****************************************************************/

WERROR _netr_DsRGetDCName(pipes_struct *p,
			  struct netr_DsRGetDCName *r)
{
	WERROR result = WERR_NOT_SUPPORTED;

	(void)r;		/* request contents are never consulted */

	/* refuse the opnum at the RPC layer */
	p->rng_fault_state = true;

	return result;
}
/****************************************************************
 _netr_LogonGetCapabilities -- not implemented on this server.
 NOTE(review): unlike every other stub in this file this one does NOT
 set p->rng_fault_state, so the reply is presumably marshalled
 normally with NT_STATUS_NOT_IMPLEMENTED as its result instead of
 being faulted. If that is deliberate, confirm that the generated
 dispatcher zero-initialises r->out before calling here so no
 uninitialised bytes are sent on the wire.
****************************************************************/

NTSTATUS _netr_LogonGetCapabilities(pipes_struct *p,
				    struct netr_LogonGetCapabilities *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)p;		/* pipe fault state intentionally untouched, see above */
	(void)r;

	return status;
}
/****************************************************************
 _netr_NETRLOGONSETSERVICEBITS -- not implemented on this server.
 Sets p->rng_fault_state (presumably a pipe fault -- confirm in the
 generated dispatcher) and reports WERR_NOT_SUPPORTED.
 The request r is not read.
****************************************************************/

WERROR _netr_NETRLOGONSETSERVICEBITS(pipes_struct *p,
				     struct netr_NETRLOGONSETSERVICEBITS *r)
{
	WERROR werr = WERR_NOT_SUPPORTED;

	(void)r;

	/* fault the pipe instead of marshalling a reply */
	p->rng_fault_state = true;

	return werr;
}
/****************************************************************
 _netr_LogonGetTrustRid -- not implemented on this server.
 Raises p->rng_fault_state (presumably faulted by the generated
 dispatcher -- confirm) and reports WERR_NOT_SUPPORTED.
 The request r is never examined.
****************************************************************/

WERROR _netr_LogonGetTrustRid(pipes_struct *p,
			      struct netr_LogonGetTrustRid *r)
{
	WERROR result = WERR_NOT_SUPPORTED;

	(void)r;		/* request contents are never consulted */

	/* refuse the opnum at the RPC layer */
	p->rng_fault_state = true;

	return result;
}
/****************************************************************
 _netr_NETRLOGONCOMPUTESERVERDIGEST -- not implemented on this server.
 Sets p->rng_fault_state (presumably a pipe fault -- confirm in the
 generated dispatcher) and reports WERR_NOT_SUPPORTED. The request r
 is not read, so no digest is ever computed or returned.
****************************************************************/

WERROR _netr_NETRLOGONCOMPUTESERVERDIGEST(pipes_struct *p,
					  struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
{
	WERROR werr = WERR_NOT_SUPPORTED;

	(void)r;

	/* fault the pipe rather than marshal an empty reply */
	p->rng_fault_state = true;

	return werr;
}
/****************************************************************
 _netr_NETRLOGONCOMPUTECLIENTDIGEST -- not implemented on this server.
 Raises p->rng_fault_state (presumably faulted by the generated
 dispatcher -- confirm) and reports WERR_NOT_SUPPORTED. The request
 r is never examined, so no digest is computed or returned.
****************************************************************/

WERROR _netr_NETRLOGONCOMPUTECLIENTDIGEST(pipes_struct *p,
					  struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
{
	WERROR result = WERR_NOT_SUPPORTED;

	(void)r;		/* request contents are never consulted */

	/* refuse the opnum at the RPC layer */
	p->rng_fault_state = true;

	return result;
}
/****************************************************************
 _netr_DsRGetDCNameEx -- not implemented on this server.
 Sets p->rng_fault_state (presumably a pipe fault -- confirm in the
 generated dispatcher) and reports WERR_NOT_SUPPORTED.
 The request r is not read.
****************************************************************/

WERROR _netr_DsRGetDCNameEx(pipes_struct *p,
			    struct netr_DsRGetDCNameEx *r)
{
	WERROR werr = WERR_NOT_SUPPORTED;

	(void)r;

	/* fault the pipe instead of marshalling a reply */
	p->rng_fault_state = true;

	return werr;
}
/****************************************************************
 _netr_DsRGetSiteName -- not implemented on this server.
 Raises p->rng_fault_state (presumably faulted by the generated
 dispatcher -- confirm) and reports WERR_NOT_SUPPORTED.
 The request r is never examined.
****************************************************************/

WERROR _netr_DsRGetSiteName(pipes_struct *p,
			    struct netr_DsRGetSiteName *r)
{
	WERROR result = WERR_NOT_SUPPORTED;

	(void)r;		/* request contents are never consulted */

	/* refuse the opnum at the RPC layer */
	p->rng_fault_state = true;

	return result;
}
/****************************************************************
 _netr_LogonGetDomainInfo -- not implemented on this server.
 Sets p->rng_fault_state (presumably a pipe fault -- confirm in the
 generated dispatcher) and returns NT_STATUS_NOT_IMPLEMENTED.
 The request r is not read.
****************************************************************/

NTSTATUS _netr_LogonGetDomainInfo(pipes_struct *p,
				  struct netr_LogonGetDomainInfo *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r;

	/* fault the pipe rather than marshal an empty reply */
	p->rng_fault_state = true;

	return status;
}
/****************************************************************
 _netr_ServerPasswordSet2 -- not implemented on this server.
 Raises p->rng_fault_state (presumably faulted by the generated
 dispatcher -- confirm) and returns NT_STATUS_NOT_IMPLEMENTED.
 The request r is never examined, so no password material is
 accepted here. NOTE(review): any future implementation must verify
 the caller's netlogon credential before touching the machine
 account password.
****************************************************************/

NTSTATUS _netr_ServerPasswordSet2(pipes_struct *p,
				  struct netr_ServerPasswordSet2 *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r;		/* request contents are never consulted */

	/* refuse the opnum at the RPC layer */
	p->rng_fault_state = true;

	return status;
}
/****************************************************************
 _netr_ServerPasswordGet -- not implemented on this server.
 Sets p->rng_fault_state (presumably a pipe fault -- confirm in the
 generated dispatcher) and reports WERR_NOT_SUPPORTED. The request r
 is not read, so no password material is ever returned from here.
****************************************************************/

WERROR _netr_ServerPasswordGet(pipes_struct *p,
			       struct netr_ServerPasswordGet *r)
{
	WERROR werr = WERR_NOT_SUPPORTED;

	(void)r;

	/* fault the pipe instead of marshalling a reply */
	p->rng_fault_state = true;

	return werr;
}
/****************************************************************
 _netr_NETRLOGONSENDTOSAM -- not implemented on this server.
 Raises p->rng_fault_state (presumably faulted by the generated
 dispatcher -- confirm) and reports WERR_NOT_SUPPORTED.
 The request r is never examined.
****************************************************************/

WERROR _netr_NETRLOGONSENDTOSAM(pipes_struct *p,
				struct netr_NETRLOGONSENDTOSAM *r)
{
	WERROR result = WERR_NOT_SUPPORTED;

	(void)r;		/* request contents are never consulted */

	/* refuse the opnum at the RPC layer */
	p->rng_fault_state = true;

	return result;
}
/****************************************************************
 _netr_DsRAddressToSitenamesW -- not implemented on this server.
 Sets p->rng_fault_state (presumably a pipe fault -- confirm in the
 generated dispatcher) and reports WERR_NOT_SUPPORTED.
 The request r is not read.
****************************************************************/

WERROR _netr_DsRAddressToSitenamesW(pipes_struct *p,
				    struct netr_DsRAddressToSitenamesW *r)
{
	WERROR werr = WERR_NOT_SUPPORTED;

	(void)r;

	/* fault the pipe rather than marshal an empty reply */
	p->rng_fault_state = true;

	return werr;
}
/****************************************************************
 _netr_DsRGetDCNameEx2 -- not implemented on this server.
 Raises p->rng_fault_state (presumably faulted by the generated
 dispatcher -- confirm) and reports WERR_NOT_SUPPORTED.
 The request r is never examined.
****************************************************************/

WERROR _netr_DsRGetDCNameEx2(pipes_struct *p,
			     struct netr_DsRGetDCNameEx2 *r)
{
	WERROR result = WERR_NOT_SUPPORTED;

	(void)r;		/* request contents are never consulted */

	/* refuse the opnum at the RPC layer */
	p->rng_fault_state = true;

	return result;
}
/****************************************************************
 _netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN -- not implemented on
 this server. Sets p->rng_fault_state (presumably a pipe fault --
 confirm in the generated dispatcher) and reports
 WERR_NOT_SUPPORTED. The request r is not read.
****************************************************************/

WERROR _netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(pipes_struct *p,
						 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
{
	WERROR werr = WERR_NOT_SUPPORTED;

	(void)r;

	/* fault the pipe instead of marshalling a reply */
	p->rng_fault_state = true;

	return werr;
}
/****************************************************************
 _netr_NetrEnumerateTrustedDomainsEx -- not implemented on this
 server. Raises p->rng_fault_state (presumably faulted by the
 generated dispatcher -- confirm) and reports WERR_NOT_SUPPORTED.
 The request r is never examined.
****************************************************************/

WERROR _netr_NetrEnumerateTrustedDomainsEx(pipes_struct *p,
					   struct netr_NetrEnumerateTrustedDomainsEx *r)
{
	WERROR result = WERR_NOT_SUPPORTED;

	(void)r;		/* request contents are never consulted */

	/* refuse the opnum at the RPC layer */
	p->rng_fault_state = true;

	return result;
}
/****************************************************************
 _netr_DsRAddressToSitenamesExW -- not implemented on this server.
 Sets p->rng_fault_state (presumably a pipe fault -- confirm in the
 generated dispatcher) and reports WERR_NOT_SUPPORTED.
 The request r is not read.
****************************************************************/

WERROR _netr_DsRAddressToSitenamesExW(pipes_struct *p,
				      struct netr_DsRAddressToSitenamesExW *r)
{
	WERROR werr = WERR_NOT_SUPPORTED;

	(void)r;

	/* fault the pipe rather than marshal an empty reply */
	p->rng_fault_state = true;

	return werr;
}
/****************************************************************
 _netr_DsrGetDcSiteCoverageW -- not implemented on this server.
 Raises p->rng_fault_state (presumably faulted by the generated
 dispatcher -- confirm) and reports WERR_NOT_SUPPORTED.
 The request r is never examined.
****************************************************************/

WERROR _netr_DsrGetDcSiteCoverageW(pipes_struct *p,
				   struct netr_DsrGetDcSiteCoverageW *r)
{
	WERROR result = WERR_NOT_SUPPORTED;

	(void)r;		/* request contents are never consulted */

	/* refuse the opnum at the RPC layer */
	p->rng_fault_state = true;

	return result;
}
/****************************************************************
 _netr_DsrEnumerateDomainTrusts -- not implemented on this server.
 Sets p->rng_fault_state (presumably a pipe fault -- confirm in the
 generated dispatcher) and reports WERR_NOT_SUPPORTED.
 The request r is not read.
****************************************************************/

WERROR _netr_DsrEnumerateDomainTrusts(pipes_struct *p,
				      struct netr_DsrEnumerateDomainTrusts *r)
{
	WERROR werr = WERR_NOT_SUPPORTED;

	(void)r;

	/* fault the pipe instead of marshalling a reply */
	p->rng_fault_state = true;

	return werr;
}
/****************************************************************
 _netr_DsrDeregisterDNSHostRecords -- not implemented on this server.
 Raises p->rng_fault_state (presumably faulted by the generated
 dispatcher -- confirm) and reports WERR_NOT_SUPPORTED. The request
 r is never examined, so no DNS records are touched from here.
****************************************************************/

WERROR _netr_DsrDeregisterDNSHostRecords(pipes_struct *p,
					 struct netr_DsrDeregisterDNSHostRecords *r)
{
	WERROR result = WERR_NOT_SUPPORTED;

	(void)r;		/* request contents are never consulted */

	/* refuse the opnum at the RPC layer */
	p->rng_fault_state = true;

	return result;
}
/****************************************************************
 _netr_ServerTrustPasswordsGet -- not implemented on this server.
 Sets p->rng_fault_state (presumably a pipe fault -- confirm in the
 generated dispatcher) and returns NT_STATUS_NOT_IMPLEMENTED. The
 request r is not read, so no trust password material leaves this
 function. NOTE(review): an implementation must validate the
 netlogon credential before returning any secret.
****************************************************************/

NTSTATUS _netr_ServerTrustPasswordsGet(pipes_struct *p,
				       struct netr_ServerTrustPasswordsGet *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r;

	/* fault the pipe rather than marshal an empty reply */
	p->rng_fault_state = true;

	return status;
}
/****************************************************************
 _netr_DsRGetForestTrustInformation -- not implemented on this
 server. Raises p->rng_fault_state (presumably faulted by the
 generated dispatcher -- confirm) and reports WERR_NOT_SUPPORTED.
 The request r is never examined.
****************************************************************/

WERROR _netr_DsRGetForestTrustInformation(pipes_struct *p,
					  struct netr_DsRGetForestTrustInformation *r)
{
	WERROR result = WERR_NOT_SUPPORTED;

	(void)r;		/* request contents are never consulted */

	/* refuse the opnum at the RPC layer */
	p->rng_fault_state = true;

	return result;
}
/****************************************************************
 _netr_GetForestTrustInformation -- not implemented on this server.
 Sets p->rng_fault_state (presumably a pipe fault -- confirm in the
 generated dispatcher) and reports WERR_NOT_SUPPORTED.
 The request r is not read.
****************************************************************/

WERROR _netr_GetForestTrustInformation(pipes_struct *p,
				       struct netr_GetForestTrustInformation *r)
{
	WERROR werr = WERR_NOT_SUPPORTED;

	(void)r;

	/* fault the pipe instead of marshalling a reply */
	p->rng_fault_state = true;

	return werr;
}
/****************************************************************
 _netr_LogonSamLogonWithFlags -- not implemented on this server.
 Raises p->rng_fault_state (presumably faulted by the generated
 dispatcher -- confirm) and returns NT_STATUS_NOT_IMPLEMENTED.
 NOTE(review): unlike _netr_LogonSamLogonEx earlier in this file,
 which forwards to _netr_LogonSamLogon, this flags variant is
 refused outright; the request r is never examined.
****************************************************************/

NTSTATUS _netr_LogonSamLogonWithFlags(pipes_struct *p,
				      struct netr_LogonSamLogonWithFlags *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r;		/* request contents are never consulted */

	/* refuse the opnum at the RPC layer */
	p->rng_fault_state = true;

	return status;
}
/****************************************************************
 _netr_ServerGetTrustInfo -- not implemented on this server.
 Sets p->rng_fault_state (presumably a pipe fault -- confirm in the
 generated dispatcher) and returns NT_STATUS_NOT_IMPLEMENTED. The
 request r is not read, so no trust secrets are handled here.
 NOTE(review): an implementation must validate the netlogon
 credential before returning any trust account data.
****************************************************************/

NTSTATUS _netr_ServerGetTrustInfo(pipes_struct *p,
				  struct netr_ServerGetTrustInfo *r)
{
	NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;

	(void)r;

	/* fault the pipe rather than marshal an empty reply */
	p->rng_fault_state = true;

	return status;
}