2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997.
7 * Copyright (C) Jeremy Allison 1998-2001.
8 * Copyright (C) Andrew Bartlett 2001.
9 * Copyright (C) Guenther Deschner 2008-2009.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 /* This is the implementation of the netlogon pipe. */
28 #include "../libcli/auth/schannel.h"
29 #include "../librpc/gen_ndr/srv_netlogon.h"
30 #include "../librpc/gen_ndr/srv_samr.h"
31 #include "../librpc/gen_ndr/srv_lsa.h"
32 #include "../librpc/gen_ndr/cli_samr.h"
33 #include "../librpc/gen_ndr/cli_lsa.h"
34 #include "rpc_client/cli_lsarpc.h"
35 #include "librpc/gen_ndr/messaging.h"
36 #include "../lib/crypto/md4.h"
37 #include "rpc_client/init_lsa.h"
39 extern userdom_struct current_user_info
;
42 #define DBGC_CLASS DBGC_RPC_SRV
44 struct netlogon_server_pipe_state
{
45 struct netr_Credential client_challenge
;
46 struct netr_Credential server_challenge
;
49 /*************************************************************************
51 *************************************************************************/
53 WERROR
_netr_LogonControl(struct pipes_struct
*p
,
54 struct netr_LogonControl
*r
)
56 struct netr_LogonControl2Ex l
;
58 switch (r
->in
.level
) {
62 return WERR_NOT_SUPPORTED
;
64 return WERR_UNKNOWN_LEVEL
;
67 l
.in
.logon_server
= r
->in
.logon_server
;
68 l
.in
.function_code
= r
->in
.function_code
;
69 l
.in
.level
= r
->in
.level
;
71 l
.out
.query
= r
->out
.query
;
73 return _netr_LogonControl2Ex(p
, &l
);
76 /****************************************************************************
77 Send a message to smbd to do a sam synchronisation
78 **************************************************************************/
80 static void send_sync_message(struct messaging_context
*msg_ctx
)
82 DEBUG(3, ("sending sam synchronisation message\n"));
83 message_send_all(msg_ctx
, MSG_SMB_SAM_SYNC
, NULL
, 0, NULL
);
86 /*************************************************************************
88 *************************************************************************/
90 WERROR
_netr_LogonControl2(struct pipes_struct
*p
,
91 struct netr_LogonControl2
*r
)
93 struct netr_LogonControl2Ex l
;
95 l
.in
.logon_server
= r
->in
.logon_server
;
96 l
.in
.function_code
= r
->in
.function_code
;
97 l
.in
.level
= r
->in
.level
;
98 l
.in
.data
= r
->in
.data
;
99 l
.out
.query
= r
->out
.query
;
101 return _netr_LogonControl2Ex(p
, &l
);
104 /*************************************************************************
105 *************************************************************************/
107 static bool wb_change_trust_creds(const char *domain
, WERROR
*tc_status
)
110 struct wbcAuthErrorInfo
*error
= NULL
;
112 result
= wbcChangeTrustCredentials(domain
, &error
);
114 case WBC_ERR_WINBIND_NOT_AVAILABLE
:
116 case WBC_ERR_DOMAIN_NOT_FOUND
:
117 *tc_status
= WERR_NO_SUCH_DOMAIN
;
119 case WBC_ERR_SUCCESS
:
120 *tc_status
= WERR_OK
;
126 if (error
&& error
->nt_status
!= 0) {
127 *tc_status
= ntstatus_to_werror(NT_STATUS(error
->nt_status
));
129 *tc_status
= WERR_TRUST_FAILURE
;
131 wbcFreeMemory(error
);
135 /*************************************************************************
136 *************************************************************************/
138 static bool wb_check_trust_creds(const char *domain
, WERROR
*tc_status
)
141 struct wbcAuthErrorInfo
*error
= NULL
;
143 result
= wbcCheckTrustCredentials(domain
, &error
);
145 case WBC_ERR_WINBIND_NOT_AVAILABLE
:
147 case WBC_ERR_DOMAIN_NOT_FOUND
:
148 *tc_status
= WERR_NO_SUCH_DOMAIN
;
150 case WBC_ERR_SUCCESS
:
151 *tc_status
= WERR_OK
;
157 if (error
&& error
->nt_status
!= 0) {
158 *tc_status
= ntstatus_to_werror(NT_STATUS(error
->nt_status
));
160 *tc_status
= WERR_TRUST_FAILURE
;
162 wbcFreeMemory(error
);
166 /****************************************************************
167 _netr_LogonControl2Ex
168 ****************************************************************/
170 WERROR
_netr_LogonControl2Ex(struct pipes_struct
*p
,
171 struct netr_LogonControl2Ex
*r
)
173 uint32_t flags
= 0x0;
174 WERROR pdc_connection_status
= WERR_OK
;
175 uint32_t logon_attempts
= 0x0;
178 const char *dc_name
= NULL
;
179 struct sockaddr_storage dc_ss
;
180 const char *domain
= NULL
;
181 struct netr_NETLOGON_INFO_1
*info1
;
182 struct netr_NETLOGON_INFO_2
*info2
;
183 struct netr_NETLOGON_INFO_3
*info3
;
184 struct netr_NETLOGON_INFO_4
*info4
;
189 case NDR_NETR_LOGONCONTROL
:
190 fn
= "_netr_LogonControl";
192 case NDR_NETR_LOGONCONTROL2
:
193 fn
= "_netr_LogonControl2";
195 case NDR_NETR_LOGONCONTROL2EX
:
196 fn
= "_netr_LogonControl2Ex";
199 return WERR_INVALID_PARAM
;
202 acct_ctrl
= p
->server_info
->info3
->base
.acct_flags
;
204 switch (r
->in
.function_code
) {
205 case NETLOGON_CONTROL_TC_VERIFY
:
206 case NETLOGON_CONTROL_CHANGE_PASSWORD
:
207 case NETLOGON_CONTROL_REDISCOVER
:
208 if ((geteuid() != sec_initial_uid()) &&
209 !nt_token_check_domain_rid(p
->server_info
->ptok
, DOMAIN_RID_ADMINS
) &&
210 !nt_token_check_sid(&global_sid_Builtin_Administrators
, p
->server_info
->ptok
) &&
211 !(acct_ctrl
& (ACB_WSTRUST
| ACB_SVRTRUST
))) {
212 return WERR_ACCESS_DENIED
;
219 tc_status
= WERR_NO_SUCH_DOMAIN
;
221 switch (r
->in
.function_code
) {
222 case NETLOGON_CONTROL_QUERY
:
225 case NETLOGON_CONTROL_REPLICATE
:
226 case NETLOGON_CONTROL_SYNCHRONIZE
:
227 case NETLOGON_CONTROL_PDC_REPLICATE
:
228 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG
:
229 case NETLOGON_CONTROL_BREAKPOINT
:
230 if (acct_ctrl
& ACB_NORMAL
) {
231 return WERR_NOT_SUPPORTED
;
232 } else if (acct_ctrl
& (ACB_WSTRUST
| ACB_SVRTRUST
)) {
233 return WERR_ACCESS_DENIED
;
235 return WERR_ACCESS_DENIED
;
237 case NETLOGON_CONTROL_TRUNCATE_LOG
:
238 if (acct_ctrl
& ACB_NORMAL
) {
240 } else if (acct_ctrl
& (ACB_WSTRUST
| ACB_SVRTRUST
)) {
241 return WERR_ACCESS_DENIED
;
243 return WERR_ACCESS_DENIED
;
246 case NETLOGON_CONTROL_TRANSPORT_NOTIFY
:
247 case NETLOGON_CONTROL_FORCE_DNS_REG
:
248 case NETLOGON_CONTROL_QUERY_DNS_REG
:
249 return WERR_NOT_SUPPORTED
;
250 case NETLOGON_CONTROL_FIND_USER
:
251 if (!r
->in
.data
|| !r
->in
.data
->user
) {
252 return WERR_NOT_SUPPORTED
;
255 case NETLOGON_CONTROL_SET_DBFLAG
:
257 return WERR_NOT_SUPPORTED
;
260 case NETLOGON_CONTROL_TC_VERIFY
:
261 if (!r
->in
.data
|| !r
->in
.data
->domain
) {
262 return WERR_NOT_SUPPORTED
;
265 if (!wb_check_trust_creds(r
->in
.data
->domain
, &tc_status
)) {
266 return WERR_NOT_SUPPORTED
;
269 case NETLOGON_CONTROL_TC_QUERY
:
270 if (!r
->in
.data
|| !r
->in
.data
->domain
) {
271 return WERR_NOT_SUPPORTED
;
274 domain
= r
->in
.data
->domain
;
276 if (!is_trusted_domain(domain
)) {
280 if (!get_dc_name(domain
, NULL
, dc_name2
, &dc_ss
)) {
281 tc_status
= WERR_NO_LOGON_SERVERS
;
285 dc_name
= talloc_asprintf(p
->mem_ctx
, "\\\\%s", dc_name2
);
294 case NETLOGON_CONTROL_REDISCOVER
:
295 if (!r
->in
.data
|| !r
->in
.data
->domain
) {
296 return WERR_NOT_SUPPORTED
;
299 domain
= r
->in
.data
->domain
;
301 if (!is_trusted_domain(domain
)) {
305 if (!get_dc_name(domain
, NULL
, dc_name2
, &dc_ss
)) {
306 tc_status
= WERR_NO_LOGON_SERVERS
;
310 dc_name
= talloc_asprintf(p
->mem_ctx
, "\\\\%s", dc_name2
);
319 case NETLOGON_CONTROL_CHANGE_PASSWORD
:
320 if (!r
->in
.data
|| !r
->in
.data
->domain
) {
321 return WERR_NOT_SUPPORTED
;
324 if (!wb_change_trust_creds(r
->in
.data
->domain
, &tc_status
)) {
325 return WERR_NOT_SUPPORTED
;
330 /* no idea what this should be */
331 DEBUG(0,("%s: unimplemented function level [%d]\n",
332 fn
, r
->in
.function_code
));
333 return WERR_UNKNOWN_LEVEL
;
336 /* prepare the response */
338 switch (r
->in
.level
) {
340 info1
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_1
);
341 W_ERROR_HAVE_NO_MEMORY(info1
);
343 info1
->flags
= flags
;
344 info1
->pdc_connection_status
= pdc_connection_status
;
346 r
->out
.query
->info1
= info1
;
349 info2
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_2
);
350 W_ERROR_HAVE_NO_MEMORY(info2
);
352 info2
->flags
= flags
;
353 info2
->pdc_connection_status
= pdc_connection_status
;
354 info2
->trusted_dc_name
= dc_name
;
355 info2
->tc_connection_status
= tc_status
;
357 r
->out
.query
->info2
= info2
;
360 info3
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_3
);
361 W_ERROR_HAVE_NO_MEMORY(info3
);
363 info3
->flags
= flags
;
364 info3
->logon_attempts
= logon_attempts
;
366 r
->out
.query
->info3
= info3
;
369 info4
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_4
);
370 W_ERROR_HAVE_NO_MEMORY(info4
);
372 info4
->trusted_dc_name
= dc_name
;
373 info4
->trusted_domain_name
= r
->in
.data
->domain
;
375 r
->out
.query
->info4
= info4
;
378 return WERR_UNKNOWN_LEVEL
;
381 if (lp_server_role() == ROLE_DOMAIN_BDC
) {
382 send_sync_message(p
->msg_ctx
);
388 /*************************************************************************
389 _netr_NetrEnumerateTrustedDomains
390 *************************************************************************/
392 NTSTATUS
_netr_NetrEnumerateTrustedDomains(struct pipes_struct
*p
,
393 struct netr_NetrEnumerateTrustedDomains
*r
)
398 const char **trusted_domains
= NULL
;
399 struct lsa_DomainList domain_list
;
400 struct rpc_pipe_client
*cli
= NULL
;
401 struct policy_handle pol
;
402 uint32_t enum_ctx
= 0;
404 uint32_t max_size
= (uint32_t)-1;
406 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__
));
408 status
= rpc_pipe_open_internal(p
->mem_ctx
, &ndr_table_lsarpc
.syntax_id
,
413 if (!NT_STATUS_IS_OK(status
)) {
417 status
= rpccli_lsa_open_policy2(cli
, p
->mem_ctx
,
419 LSA_POLICY_VIEW_LOCAL_INFORMATION
,
421 if (!NT_STATUS_IS_OK(status
)) {
426 /* Lookup list of trusted domains */
428 status
= rpccli_lsa_EnumTrustDom(cli
, p
->mem_ctx
,
433 if (!NT_STATUS_IS_OK(status
) &&
434 !NT_STATUS_EQUAL(status
, NT_STATUS_NO_MORE_ENTRIES
) &&
435 !NT_STATUS_EQUAL(status
, STATUS_MORE_ENTRIES
)) {
439 for (i
= 0; i
< domain_list
.count
; i
++) {
440 if (!add_string_to_array(p
->mem_ctx
, domain_list
.domains
[i
].name
.string
,
441 &trusted_domains
, &num_domains
)) {
442 status
= NT_STATUS_NO_MEMORY
;
446 } while (NT_STATUS_EQUAL(status
, STATUS_MORE_ENTRIES
));
448 if (num_domains
> 0) {
449 /* multi sz terminate */
450 trusted_domains
= talloc_realloc(p
->mem_ctx
, trusted_domains
, const char *, num_domains
+ 1);
451 if (trusted_domains
== NULL
) {
452 status
= NT_STATUS_NO_MEMORY
;
456 trusted_domains
[num_domains
] = NULL
;
459 if (!push_reg_multi_sz(trusted_domains
, &blob
, trusted_domains
)) {
460 TALLOC_FREE(trusted_domains
);
461 status
= NT_STATUS_NO_MEMORY
;
465 r
->out
.trusted_domains_blob
->data
= blob
.data
;
466 r
->out
.trusted_domains_blob
->length
= blob
.length
;
468 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__
));
470 status
= NT_STATUS_OK
;
473 if (cli
&& is_valid_policy_hnd(&pol
)) {
474 rpccli_lsa_Close(cli
, p
->mem_ctx
, &pol
);
480 /*************************************************************************
481 *************************************************************************/
483 static NTSTATUS
samr_find_machine_account(TALLOC_CTX
*mem_ctx
,
484 struct rpc_pipe_client
*cli
,
485 const char *account_name
,
486 uint32_t access_mask
,
487 struct dom_sid2
**domain_sid_p
,
488 uint32_t *user_rid_p
,
489 struct policy_handle
*user_handle
)
492 struct policy_handle connect_handle
, domain_handle
;
493 struct lsa_String domain_name
;
494 struct dom_sid2
*domain_sid
;
495 struct lsa_String names
;
496 struct samr_Ids rids
;
497 struct samr_Ids types
;
500 status
= rpccli_samr_Connect2(cli
, mem_ctx
,
502 SAMR_ACCESS_CONNECT_TO_SERVER
|
503 SAMR_ACCESS_ENUM_DOMAINS
|
504 SAMR_ACCESS_LOOKUP_DOMAIN
,
506 if (!NT_STATUS_IS_OK(status
)) {
510 init_lsa_String(&domain_name
, get_global_sam_name());
512 status
= rpccli_samr_LookupDomain(cli
, mem_ctx
,
516 if (!NT_STATUS_IS_OK(status
)) {
520 status
= rpccli_samr_OpenDomain(cli
, mem_ctx
,
522 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
,
525 if (!NT_STATUS_IS_OK(status
)) {
529 init_lsa_String(&names
, account_name
);
531 status
= rpccli_samr_LookupNames(cli
, mem_ctx
,
537 if (!NT_STATUS_IS_OK(status
)) {
541 if (rids
.count
!= 1) {
542 status
= NT_STATUS_NO_SUCH_USER
;
545 if (rids
.count
!= types
.count
) {
546 status
= NT_STATUS_INVALID_PARAMETER
;
549 if (types
.ids
[0] != SID_NAME_USER
) {
550 status
= NT_STATUS_NO_SUCH_USER
;
556 status
= rpccli_samr_OpenUser(cli
, mem_ctx
,
561 if (!NT_STATUS_IS_OK(status
)) {
570 *domain_sid_p
= domain_sid
;
574 if (cli
&& is_valid_policy_hnd(&domain_handle
)) {
575 rpccli_samr_Close(cli
, mem_ctx
, &domain_handle
);
577 if (cli
&& is_valid_policy_hnd(&connect_handle
)) {
578 rpccli_samr_Close(cli
, mem_ctx
, &connect_handle
);
584 /******************************************************************
585 gets a machine password entry. checks access rights of the host.
586 ******************************************************************/
588 static NTSTATUS
get_md4pw(struct samr_Password
*md4pw
, const char *mach_acct
,
589 enum netr_SchannelType sec_chan_type
,
591 struct messaging_context
*msg_ctx
)
595 struct rpc_pipe_client
*cli
= NULL
;
596 struct policy_handle user_handle
;
598 struct dom_sid
*domain_sid
;
600 union samr_UserInfo
*info
;
601 struct auth_serversupplied_info
*server_info
;
605 * Currently this code is redundent as we already have a filter
606 * by hostname list. What this code really needs to do is to
607 * get a hosts allowed/hosts denied list from the SAM database
608 * on a per user basis, and make the access decision there.
609 * I will leave this code here for now as a reminder to implement
610 * this at a later date. JRA.
613 if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
615 p
->client_id
.addr
)) {
616 DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct
));
621 mem_ctx
= talloc_new(talloc_tos());
622 if (mem_ctx
== NULL
) {
623 status
= NT_STATUS_NO_MEMORY
;
627 status
= make_server_info_system(mem_ctx
, &server_info
);
628 if (!NT_STATUS_IS_OK(status
)) {
632 ZERO_STRUCT(user_handle
);
634 status
= rpc_pipe_open_internal(mem_ctx
, &ndr_table_samr
.syntax_id
,
635 server_info
, NULL
, msg_ctx
,
637 if (!NT_STATUS_IS_OK(status
)) {
642 status
= samr_find_machine_account(mem_ctx
, cli
, mach_acct
,
643 SEC_FLAG_MAXIMUM_ALLOWED
,
644 &domain_sid
, &user_rid
,
647 if (!NT_STATUS_IS_OK(status
)) {
651 status
= rpccli_samr_QueryUserInfo2(cli
, mem_ctx
,
653 UserControlInformation
,
655 if (!NT_STATUS_IS_OK(status
)) {
659 acct_ctrl
= info
->info16
.acct_flags
;
661 if (acct_ctrl
& ACB_DISABLED
) {
662 DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct
));
663 status
= NT_STATUS_ACCOUNT_DISABLED
;
667 if (!(acct_ctrl
& ACB_SVRTRUST
) &&
668 !(acct_ctrl
& ACB_WSTRUST
) &&
669 !(acct_ctrl
& ACB_DOMTRUST
))
671 DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct
));
672 status
= NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
676 switch (sec_chan_type
) {
678 if (!(acct_ctrl
& ACB_SVRTRUST
)) {
679 DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
680 "but not a server trust account\n", mach_acct
));
681 status
= NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
686 if (!(acct_ctrl
& ACB_WSTRUST
)) {
687 DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
688 "but not a workstation trust account\n", mach_acct
));
689 status
= NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
693 case SEC_CHAN_DOMAIN
:
694 if (!(acct_ctrl
& ACB_DOMTRUST
)) {
695 DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
696 "but not a interdomain trust account\n", mach_acct
));
697 status
= NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
706 status
= rpccli_samr_QueryUserInfo2(cli
, mem_ctx
,
708 UserInternal1Information
,
711 if (!NT_STATUS_IS_OK(status
)) {
714 if (info
->info18
.nt_pwd_active
== 0) {
715 DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct
));
716 status
= NT_STATUS_LOGON_FAILURE
;
720 /* samr gives out nthash unencrypted (!) */
721 memcpy(md4pw
->hash
, info
->info18
.nt_pwd
.hash
, 16);
723 sid_compose(sid
, domain_sid
, user_rid
);
726 if (cli
&& is_valid_policy_hnd(&user_handle
)) {
727 rpccli_samr_Close(cli
, mem_ctx
, &user_handle
);
730 talloc_free(mem_ctx
);
735 /*************************************************************************
736 _netr_ServerReqChallenge
737 *************************************************************************/
739 NTSTATUS
_netr_ServerReqChallenge(struct pipes_struct
*p
,
740 struct netr_ServerReqChallenge
*r
)
742 struct netlogon_server_pipe_state
*pipe_state
=
743 talloc_get_type(p
->private_data
, struct netlogon_server_pipe_state
);
746 DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));
747 talloc_free(pipe_state
);
748 p
->private_data
= NULL
;
751 pipe_state
= talloc(p
, struct netlogon_server_pipe_state
);
752 NT_STATUS_HAVE_NO_MEMORY(pipe_state
);
754 pipe_state
->client_challenge
= *r
->in
.credentials
;
756 generate_random_buffer(pipe_state
->server_challenge
.data
,
757 sizeof(pipe_state
->server_challenge
.data
));
759 *r
->out
.return_credentials
= pipe_state
->server_challenge
;
761 p
->private_data
= pipe_state
;
766 /*************************************************************************
767 _netr_ServerAuthenticate
768 Create the initial credentials.
769 *************************************************************************/
771 NTSTATUS
_netr_ServerAuthenticate(struct pipes_struct
*p
,
772 struct netr_ServerAuthenticate
*r
)
774 struct netr_ServerAuthenticate3 a
;
775 uint32_t negotiate_flags
= 0;
778 a
.in
.server_name
= r
->in
.server_name
;
779 a
.in
.account_name
= r
->in
.account_name
;
780 a
.in
.secure_channel_type
= r
->in
.secure_channel_type
;
781 a
.in
.computer_name
= r
->in
.computer_name
;
782 a
.in
.credentials
= r
->in
.credentials
;
783 a
.in
.negotiate_flags
= &negotiate_flags
;
785 a
.out
.return_credentials
= r
->out
.return_credentials
;
787 a
.out
.negotiate_flags
= &negotiate_flags
;
789 return _netr_ServerAuthenticate3(p
, &a
);
793 /*************************************************************************
794 _netr_ServerAuthenticate3
795 *************************************************************************/
797 NTSTATUS
_netr_ServerAuthenticate3(struct pipes_struct
*p
,
798 struct netr_ServerAuthenticate3
*r
)
802 /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
803 * so use a copy to avoid destroying the client values. */
804 uint32_t in_neg_flags
= *r
->in
.negotiate_flags
;
807 struct samr_Password mach_pwd
;
808 struct netlogon_creds_CredentialState
*creds
;
809 struct netlogon_server_pipe_state
*pipe_state
=
810 talloc_get_type(p
->private_data
, struct netlogon_server_pipe_state
);
812 /* According to Microsoft (see bugid #6099)
813 * Windows 7 looks at the negotiate_flags
814 * returned in this structure *even if the
815 * call fails with access denied* ! So in order
816 * to allow Win7 to connect to a Samba NT style
817 * PDC we set the flags before we know if it's
822 srv_flgs
= NETLOGON_NEG_ACCOUNT_LOCKOUT
|
823 NETLOGON_NEG_PERSISTENT_SAMREPL
|
824 NETLOGON_NEG_ARCFOUR
|
825 NETLOGON_NEG_PROMOTION_COUNT
|
826 NETLOGON_NEG_CHANGELOG_BDC
|
827 NETLOGON_NEG_FULL_SYNC_REPL
|
828 NETLOGON_NEG_MULTIPLE_SIDS
|
830 NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
|
831 NETLOGON_NEG_PASSWORD_SET2
;
833 /* Ensure we support strong (128-bit) keys. */
834 if (in_neg_flags
& NETLOGON_NEG_STRONG_KEYS
) {
835 srv_flgs
|= NETLOGON_NEG_STRONG_KEYS
;
838 if (lp_server_schannel() != false) {
839 srv_flgs
|= NETLOGON_NEG_SCHANNEL
;
843 case NDR_NETR_SERVERAUTHENTICATE
:
844 fn
= "_netr_ServerAuthenticate";
846 case NDR_NETR_SERVERAUTHENTICATE2
:
847 fn
= "_netr_ServerAuthenticate2";
849 case NDR_NETR_SERVERAUTHENTICATE3
:
850 fn
= "_netr_ServerAuthenticate3";
853 return NT_STATUS_INTERNAL_ERROR
;
856 /* We use this as the key to store the creds: */
857 /* r->in.computer_name */
860 DEBUG(0,("%s: no challenge sent to client %s\n", fn
,
861 r
->in
.computer_name
));
862 status
= NT_STATUS_ACCESS_DENIED
;
866 if ( (lp_server_schannel() == true) &&
867 ((in_neg_flags
& NETLOGON_NEG_SCHANNEL
) == 0) ) {
869 /* schannel must be used, but client did not offer it. */
870 DEBUG(0,("%s: schannel required but client failed "
871 "to offer it. Client was %s\n",
872 fn
, r
->in
.account_name
));
873 status
= NT_STATUS_ACCESS_DENIED
;
877 status
= get_md4pw(&mach_pwd
,
879 r
->in
.secure_channel_type
,
881 if (!NT_STATUS_IS_OK(status
)) {
882 DEBUG(0,("%s: failed to get machine password for "
884 fn
, r
->in
.account_name
, nt_errstr(status
) ));
885 /* always return NT_STATUS_ACCESS_DENIED */
886 status
= NT_STATUS_ACCESS_DENIED
;
890 /* From the client / server challenges and md4 password, generate sess key */
891 /* Check client credentials are valid. */
892 creds
= netlogon_creds_server_init(p
->mem_ctx
,
895 r
->in
.secure_channel_type
,
896 &pipe_state
->client_challenge
,
897 &pipe_state
->server_challenge
,
900 r
->out
.return_credentials
,
901 *r
->in
.negotiate_flags
);
903 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
904 "request from client %s machine account %s\n",
905 fn
, r
->in
.computer_name
,
906 r
->in
.account_name
));
907 status
= NT_STATUS_ACCESS_DENIED
;
911 creds
->sid
= sid_dup_talloc(creds
, &sid
);
913 status
= NT_STATUS_NO_MEMORY
;
917 /* Store off the state so we can continue after client disconnect. */
919 status
= schannel_save_creds_state(p
->mem_ctx
, lp_private_dir(), creds
);
922 if (!NT_STATUS_IS_OK(status
)) {
926 sid_peek_rid(&sid
, r
->out
.rid
);
928 status
= NT_STATUS_OK
;
932 *r
->out
.negotiate_flags
= srv_flgs
;
936 /*************************************************************************
937 _netr_ServerAuthenticate2
938 *************************************************************************/
940 NTSTATUS
_netr_ServerAuthenticate2(struct pipes_struct
*p
,
941 struct netr_ServerAuthenticate2
*r
)
943 struct netr_ServerAuthenticate3 a
;
946 a
.in
.server_name
= r
->in
.server_name
;
947 a
.in
.account_name
= r
->in
.account_name
;
948 a
.in
.secure_channel_type
= r
->in
.secure_channel_type
;
949 a
.in
.computer_name
= r
->in
.computer_name
;
950 a
.in
.credentials
= r
->in
.credentials
;
951 a
.in
.negotiate_flags
= r
->in
.negotiate_flags
;
953 a
.out
.return_credentials
= r
->out
.return_credentials
;
955 a
.out
.negotiate_flags
= r
->out
.negotiate_flags
;
957 return _netr_ServerAuthenticate3(p
, &a
);
960 /*************************************************************************
961 * If schannel is required for this call test that it actually is available.
962 *************************************************************************/
963 static NTSTATUS
schannel_check_required(struct pipe_auth_data
*auth_info
,
964 const char *computer_name
,
965 bool integrity
, bool privacy
)
967 if (auth_info
&& auth_info
->auth_type
== DCERPC_AUTH_TYPE_SCHANNEL
) {
968 if (!privacy
&& !integrity
) {
972 if ((!privacy
&& integrity
) &&
973 auth_info
->auth_level
== DCERPC_AUTH_LEVEL_INTEGRITY
) {
977 if ((privacy
|| integrity
) &&
978 auth_info
->auth_level
== DCERPC_AUTH_LEVEL_PRIVACY
) {
983 /* test didn't pass */
984 DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
987 return NT_STATUS_ACCESS_DENIED
;
990 /*************************************************************************
991 *************************************************************************/
993 static NTSTATUS
netr_creds_server_step_check(struct pipes_struct
*p
,
995 const char *computer_name
,
996 struct netr_Authenticator
*received_authenticator
,
997 struct netr_Authenticator
*return_authenticator
,
998 struct netlogon_creds_CredentialState
**creds_out
)
1001 bool schannel_global_required
= (lp_server_schannel() == true) ? true:false;
1003 if (schannel_global_required
) {
1004 status
= schannel_check_required(&p
->auth
,
1007 if (!NT_STATUS_IS_OK(status
)) {
1012 status
= schannel_check_creds_state(mem_ctx
, lp_private_dir(),
1013 computer_name
, received_authenticator
,
1014 return_authenticator
, creds_out
);
1019 /*************************************************************************
1020 *************************************************************************/
1022 static NTSTATUS
netr_set_machine_account_password(TALLOC_CTX
*mem_ctx
,
1023 struct auth_serversupplied_info
*server_info
,
1024 struct messaging_context
*msg_ctx
,
1025 const char *account_name
,
1026 struct samr_Password
*nt_hash
)
1029 struct rpc_pipe_client
*cli
= NULL
;
1030 struct policy_handle user_handle
;
1032 union samr_UserInfo
*info
;
1033 struct samr_UserInfo18 info18
;
1036 ZERO_STRUCT(user_handle
);
1038 status
= rpc_pipe_open_internal(mem_ctx
, &ndr_table_samr
.syntax_id
,
1039 server_info
, NULL
, msg_ctx
,
1041 if (!NT_STATUS_IS_OK(status
)) {
1045 status
= samr_find_machine_account(mem_ctx
, cli
, account_name
,
1046 SEC_FLAG_MAXIMUM_ALLOWED
,
1049 if (!NT_STATUS_IS_OK(status
)) {
1053 status
= rpccli_samr_QueryUserInfo2(cli
, mem_ctx
,
1055 UserControlInformation
,
1057 if (!NT_STATUS_IS_OK(status
)) {
1061 acct_ctrl
= info
->info16
.acct_flags
;
1063 if (!(acct_ctrl
& ACB_WSTRUST
||
1064 acct_ctrl
& ACB_SVRTRUST
||
1065 acct_ctrl
& ACB_DOMTRUST
)) {
1066 status
= NT_STATUS_NO_SUCH_USER
;
1070 if (acct_ctrl
& ACB_DISABLED
) {
1071 status
= NT_STATUS_ACCOUNT_DISABLED
;
1075 ZERO_STRUCT(info18
);
1077 in
= data_blob_const(nt_hash
->hash
, 16);
1078 out
= data_blob_talloc_zero(mem_ctx
, 16);
1079 sess_crypt_blob(&out
, &in
, &server_info
->user_session_key
, true);
1080 memcpy(info18
.nt_pwd
.hash
, out
.data
, out
.length
);
1082 info18
.nt_pwd_active
= true;
1084 info
->info18
= info18
;
1086 status
= rpccli_samr_SetUserInfo2(cli
, mem_ctx
,
1088 UserInternal1Information
,
1090 if (!NT_STATUS_IS_OK(status
)) {
1095 if (cli
&& is_valid_policy_hnd(&user_handle
)) {
1096 rpccli_samr_Close(cli
, mem_ctx
, &user_handle
);
1102 /*************************************************************************
1103 _netr_ServerPasswordSet
1104 *************************************************************************/
1106 NTSTATUS
_netr_ServerPasswordSet(struct pipes_struct
*p
,
1107 struct netr_ServerPasswordSet
*r
)
1109 NTSTATUS status
= NT_STATUS_OK
;
1111 struct netlogon_creds_CredentialState
*creds
;
1113 DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__
));
1116 status
= netr_creds_server_step_check(p
, p
->mem_ctx
,
1117 r
->in
.computer_name
,
1119 r
->out
.return_authenticator
,
1123 if (!NT_STATUS_IS_OK(status
)) {
1124 DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
1125 "request from client %s machine account %s\n",
1126 r
->in
.computer_name
, creds
->computer_name
));
1131 DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
1132 r
->in
.computer_name
, creds
->computer_name
));
1134 netlogon_creds_des_decrypt(creds
, r
->in
.new_password
);
1136 DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
1137 for(i
= 0; i
< sizeof(r
->in
.new_password
->hash
); i
++)
1138 DEBUG(100,("%02X ", r
->in
.new_password
->hash
[i
]));
1141 status
= netr_set_machine_account_password(p
->mem_ctx
,
1144 creds
->account_name
,
1145 r
->in
.new_password
);
1149 /****************************************************************
1150 _netr_ServerPasswordSet2
1151 ****************************************************************/
1153 NTSTATUS
_netr_ServerPasswordSet2(struct pipes_struct
*p
,
1154 struct netr_ServerPasswordSet2
*r
)
1157 struct netlogon_creds_CredentialState
*creds
;
1158 DATA_BLOB plaintext
;
1159 struct samr_CryptPassword password_buf
;
1160 struct samr_Password nt_hash
;
1163 status
= netr_creds_server_step_check(p
, p
->mem_ctx
,
1164 r
->in
.computer_name
,
1166 r
->out
.return_authenticator
,
1170 if (!NT_STATUS_IS_OK(status
)) {
1171 DEBUG(2,("_netr_ServerPasswordSet2: netlogon_creds_server_step "
1172 "failed. Rejecting auth request from client %s machine account %s\n",
1173 r
->in
.computer_name
, creds
->computer_name
));
1178 memcpy(password_buf
.data
, r
->in
.new_password
->data
, 512);
1179 SIVAL(password_buf
.data
, 512, r
->in
.new_password
->length
);
1180 netlogon_creds_arcfour_crypt(creds
, password_buf
.data
, 516);
1182 if (!extract_pw_from_buffer(p
->mem_ctx
, password_buf
.data
, &plaintext
)) {
1183 return NT_STATUS_WRONG_PASSWORD
;
1186 mdfour(nt_hash
.hash
, plaintext
.data
, plaintext
.length
);
1188 status
= netr_set_machine_account_password(p
->mem_ctx
,
1191 creds
->account_name
,
1196 /*************************************************************************
1197 _netr_LogonSamLogoff
1198 *************************************************************************/
1200 NTSTATUS
_netr_LogonSamLogoff(struct pipes_struct
*p
,
1201 struct netr_LogonSamLogoff
*r
)
1204 struct netlogon_creds_CredentialState
*creds
;
1207 status
= netr_creds_server_step_check(p
, p
->mem_ctx
,
1208 r
->in
.computer_name
,
1210 r
->out
.return_authenticator
,
1217 /*************************************************************************
1218 _netr_LogonSamLogon_base
1219 *************************************************************************/
1221 static NTSTATUS
_netr_LogonSamLogon_base(struct pipes_struct
*p
,
1222 struct netr_LogonSamLogonEx
*r
,
1223 struct netlogon_creds_CredentialState
*creds
)
1225 NTSTATUS status
= NT_STATUS_OK
;
1226 union netr_LogonLevel
*logon
= r
->in
.logon
;
1227 const char *nt_username
, *nt_domain
, *nt_workstation
;
1228 struct auth_usersupplied_info
*user_info
= NULL
;
1229 struct auth_serversupplied_info
*server_info
= NULL
;
1230 struct auth_context
*auth_context
= NULL
;
1231 uint8_t pipe_session_key
[16];
1232 bool process_creds
= true;
1236 case NDR_NETR_LOGONSAMLOGON
:
1237 process_creds
= true;
1238 fn
= "_netr_LogonSamLogon";
1240 case NDR_NETR_LOGONSAMLOGONWITHFLAGS
:
1241 process_creds
= true;
1242 fn
= "_netr_LogonSamLogonWithFlags";
1244 case NDR_NETR_LOGONSAMLOGONEX
:
1245 process_creds
= false;
1246 fn
= "_netr_LogonSamLogonEx";
1249 return NT_STATUS_INTERNAL_ERROR
;
1252 *r
->out
.authoritative
= true; /* authoritative response */
1254 switch (r
->in
.validation_level
) {
1256 r
->out
.validation
->sam2
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_SamInfo2
);
1257 if (!r
->out
.validation
->sam2
) {
1258 return NT_STATUS_NO_MEMORY
;
1262 r
->out
.validation
->sam3
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_SamInfo3
);
1263 if (!r
->out
.validation
->sam3
) {
1264 return NT_STATUS_NO_MEMORY
;
1268 r
->out
.validation
->sam6
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_SamInfo6
);
1269 if (!r
->out
.validation
->sam6
) {
1270 return NT_STATUS_NO_MEMORY
;
1274 DEBUG(0,("%s: bad validation_level value %d.\n",
1275 fn
, (int)r
->in
.validation_level
));
1276 return NT_STATUS_INVALID_INFO_CLASS
;
1279 switch (r
->in
.logon_level
) {
1280 case NetlogonInteractiveInformation
:
1281 case NetlogonServiceInformation
:
1282 case NetlogonInteractiveTransitiveInformation
:
1283 case NetlogonServiceTransitiveInformation
:
1284 nt_username
= logon
->password
->identity_info
.account_name
.string
?
1285 logon
->password
->identity_info
.account_name
.string
: "";
1286 nt_domain
= logon
->password
->identity_info
.domain_name
.string
?
1287 logon
->password
->identity_info
.domain_name
.string
: "";
1288 nt_workstation
= logon
->password
->identity_info
.workstation
.string
?
1289 logon
->password
->identity_info
.workstation
.string
: "";
1291 DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
1293 case NetlogonNetworkInformation
:
1294 case NetlogonNetworkTransitiveInformation
:
1295 nt_username
= logon
->network
->identity_info
.account_name
.string
?
1296 logon
->network
->identity_info
.account_name
.string
: "";
1297 nt_domain
= logon
->network
->identity_info
.domain_name
.string
?
1298 logon
->network
->identity_info
.domain_name
.string
: "";
1299 nt_workstation
= logon
->network
->identity_info
.workstation
.string
?
1300 logon
->network
->identity_info
.workstation
.string
: "";
1302 DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
1305 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1306 return NT_STATUS_INVALID_INFO_CLASS
;
1309 DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username
, nt_workstation
, nt_domain
));
1310 fstrcpy(current_user_info
.smb_name
, nt_username
);
1311 sub_set_smb_name(nt_username
);
1313 DEBUG(5,("Attempting validation level %d for unmapped username %s.\n",
1314 r
->in
.validation_level
, nt_username
));
1316 status
= NT_STATUS_OK
;
1318 switch (r
->in
.logon_level
) {
1319 case NetlogonNetworkInformation
:
1320 case NetlogonNetworkTransitiveInformation
:
1322 const char *wksname
= nt_workstation
;
1324 status
= make_auth_context_fixed(&auth_context
,
1325 logon
->network
->challenge
);
1326 if (!NT_STATUS_IS_OK(status
)) {
1330 /* For a network logon, the workstation name comes in with two
1331 * backslashes in the front. Strip them if they are there. */
1333 if (*wksname
== '\\') wksname
++;
1334 if (*wksname
== '\\') wksname
++;
1336 /* Standard challenge/response authenticaion */
1337 if (!make_user_info_netlogon_network(&user_info
,
1338 nt_username
, nt_domain
,
1340 logon
->network
->identity_info
.parameter_control
,
1341 logon
->network
->lm
.data
,
1342 logon
->network
->lm
.length
,
1343 logon
->network
->nt
.data
,
1344 logon
->network
->nt
.length
)) {
1345 status
= NT_STATUS_NO_MEMORY
;
1349 case NetlogonInteractiveInformation
:
1350 case NetlogonServiceInformation
:
1351 case NetlogonInteractiveTransitiveInformation
:
1352 case NetlogonServiceTransitiveInformation
:
1354 /* 'Interactive' authentication, supplies the password in its
1355 MD4 form, encrypted with the session key. We will convert
1356 this to challenge/response for the auth subsystem to chew
1361 if (!NT_STATUS_IS_OK(status
= make_auth_context_subsystem(&auth_context
))) {
1365 auth_context
->get_ntlm_challenge(auth_context
, chal
);
1367 if (!make_user_info_netlogon_interactive(&user_info
,
1368 nt_username
, nt_domain
,
1370 logon
->password
->identity_info
.parameter_control
,
1372 logon
->password
->lmpassword
.hash
,
1373 logon
->password
->ntpassword
.hash
,
1374 creds
->session_key
)) {
1375 status
= NT_STATUS_NO_MEMORY
;
1380 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1381 return NT_STATUS_INVALID_INFO_CLASS
;
1384 if ( NT_STATUS_IS_OK(status
) ) {
1385 status
= auth_context
->check_ntlm_password(auth_context
,
1386 user_info
, &server_info
);
1389 TALLOC_FREE(auth_context
);
1390 free_user_info(&user_info
);
1392 DEBUG(5,("%s: check_password returned status %s\n",
1393 fn
, nt_errstr(status
)));
1395 /* Check account and password */
1397 if (!NT_STATUS_IS_OK(status
)) {
1398 /* If we don't know what this domain is, we need to
1399 indicate that we are not authoritative. This
1400 allows the client to decide if it needs to try
1401 a local user. Fix by jpjanosi@us.ibm.com, #2976 */
1402 if ( NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)
1403 && !strequal(nt_domain
, get_global_sam_name())
1404 && !is_trusted_domain(nt_domain
) )
1405 *r
->out
.authoritative
= false; /* We are not authoritative */
1407 TALLOC_FREE(server_info
);
1411 if (server_info
->guest
) {
1412 /* We don't like guest domain logons... */
1413 DEBUG(5,("%s: Attempted domain logon as GUEST "
1415 TALLOC_FREE(server_info
);
1416 return NT_STATUS_LOGON_FAILURE
;
1419 /* This is the point at which, if the login was successful, that
1420 the SAM Local Security Authority should record that the user is
1421 logged in to the domain. */
1423 if (process_creds
) {
1424 /* Get the pipe session key from the creds. */
1425 memcpy(pipe_session_key
, creds
->session_key
, 16);
1427 /* Get the pipe session key from the schannel. */
1428 if ((p
->auth
.auth_type
!= DCERPC_AUTH_TYPE_SCHANNEL
)
1429 || (p
->auth
.a_u
.schannel_auth
== NULL
)) {
1430 return NT_STATUS_INVALID_HANDLE
;
1432 memcpy(pipe_session_key
, p
->auth
.a_u
.schannel_auth
->creds
->session_key
, 16);
1435 switch (r
->in
.validation_level
) {
1437 status
= serverinfo_to_SamInfo2(server_info
, pipe_session_key
, 16,
1438 r
->out
.validation
->sam2
);
1441 status
= serverinfo_to_SamInfo3(server_info
, pipe_session_key
, 16,
1442 r
->out
.validation
->sam3
);
1445 status
= serverinfo_to_SamInfo6(server_info
, pipe_session_key
, 16,
1446 r
->out
.validation
->sam6
);
1450 TALLOC_FREE(server_info
);
1455 /****************************************************************
1456 _netr_LogonSamLogonWithFlags
1457 ****************************************************************/
1459 NTSTATUS
_netr_LogonSamLogonWithFlags(struct pipes_struct
*p
,
1460 struct netr_LogonSamLogonWithFlags
*r
)
1463 struct netlogon_creds_CredentialState
*creds
;
1464 struct netr_LogonSamLogonEx r2
;
1465 struct netr_Authenticator return_authenticator
;
1468 status
= netr_creds_server_step_check(p
, p
->mem_ctx
,
1469 r
->in
.computer_name
,
1471 &return_authenticator
,
1474 if (!NT_STATUS_IS_OK(status
)) {
1478 r2
.in
.server_name
= r
->in
.server_name
;
1479 r2
.in
.computer_name
= r
->in
.computer_name
;
1480 r2
.in
.logon_level
= r
->in
.logon_level
;
1481 r2
.in
.logon
= r
->in
.logon
;
1482 r2
.in
.validation_level
= r
->in
.validation_level
;
1483 r2
.in
.flags
= r
->in
.flags
;
1484 r2
.out
.validation
= r
->out
.validation
;
1485 r2
.out
.authoritative
= r
->out
.authoritative
;
1486 r2
.out
.flags
= r
->out
.flags
;
1488 status
= _netr_LogonSamLogon_base(p
, &r2
, creds
);
1490 *r
->out
.return_authenticator
= return_authenticator
;
1495 /*************************************************************************
1497 *************************************************************************/
1499 NTSTATUS
_netr_LogonSamLogon(struct pipes_struct
*p
,
1500 struct netr_LogonSamLogon
*r
)
1503 struct netr_LogonSamLogonWithFlags r2
;
1506 r2
.in
.server_name
= r
->in
.server_name
;
1507 r2
.in
.computer_name
= r
->in
.computer_name
;
1508 r2
.in
.credential
= r
->in
.credential
;
1509 r2
.in
.logon_level
= r
->in
.logon_level
;
1510 r2
.in
.logon
= r
->in
.logon
;
1511 r2
.in
.validation_level
= r
->in
.validation_level
;
1512 r2
.in
.return_authenticator
= r
->in
.return_authenticator
;
1513 r2
.in
.flags
= &flags
;
1514 r2
.out
.validation
= r
->out
.validation
;
1515 r2
.out
.authoritative
= r
->out
.authoritative
;
1516 r2
.out
.flags
= &flags
;
1517 r2
.out
.return_authenticator
= r
->out
.return_authenticator
;
1519 status
= _netr_LogonSamLogonWithFlags(p
, &r2
);
1524 /*************************************************************************
1525 _netr_LogonSamLogonEx
1526 - no credential chaining. Map into net sam logon.
1527 *************************************************************************/
1529 NTSTATUS
_netr_LogonSamLogonEx(struct pipes_struct
*p
,
1530 struct netr_LogonSamLogonEx
*r
)
1533 struct netlogon_creds_CredentialState
*creds
= NULL
;
1536 status
= schannel_get_creds_state(p
->mem_ctx
, lp_private_dir(),
1537 r
->in
.computer_name
, &creds
);
1539 if (!NT_STATUS_IS_OK(status
)) {
1543 /* Only allow this if the pipe is protected. */
1544 if (p
->auth
.auth_type
!= DCERPC_AUTH_TYPE_SCHANNEL
) {
1545 DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
1546 get_remote_machine_name() ));
1547 return NT_STATUS_INVALID_PARAMETER
;
1550 status
= _netr_LogonSamLogon_base(p
, r
, creds
);
1556 /*************************************************************************
1558 *************************************************************************/
1559 #if 0 /* JERRY -- not correct */
1560 NTSTATUS
_ds_enum_dom_trusts(struct pipes_struct
*p
, DS_Q_ENUM_DOM_TRUSTS
*q_u
,
1561 DS_R_ENUM_DOM_TRUSTS
*r_u
)
1563 NTSTATUS status
= NT_STATUS_OK
;
1565 /* TODO: According to MSDN, the can only be executed against a
1566 DC or domain member running Windows 2000 or later. Need
1567 to test against a standalone 2k server and see what it
1568 does. A windows 2000 DC includes its own domain in the
1576 /****************************************************************
1577 ****************************************************************/
1579 WERROR
_netr_LogonUasLogon(struct pipes_struct
*p
,
1580 struct netr_LogonUasLogon
*r
)
1582 p
->rng_fault_state
= true;
1583 return WERR_NOT_SUPPORTED
;
1586 /****************************************************************
1587 ****************************************************************/
1589 WERROR
_netr_LogonUasLogoff(struct pipes_struct
*p
,
1590 struct netr_LogonUasLogoff
*r
)
1592 p
->rng_fault_state
= true;
1593 return WERR_NOT_SUPPORTED
;
1596 /****************************************************************
1597 ****************************************************************/
1599 NTSTATUS
_netr_DatabaseDeltas(struct pipes_struct
*p
,
1600 struct netr_DatabaseDeltas
*r
)
1602 p
->rng_fault_state
= true;
1603 return NT_STATUS_NOT_IMPLEMENTED
;
1606 /****************************************************************
1607 ****************************************************************/
1609 NTSTATUS
_netr_DatabaseSync(struct pipes_struct
*p
,
1610 struct netr_DatabaseSync
*r
)
1612 p
->rng_fault_state
= true;
1613 return NT_STATUS_NOT_IMPLEMENTED
;
1616 /****************************************************************
1617 ****************************************************************/
1619 NTSTATUS
_netr_AccountDeltas(struct pipes_struct
*p
,
1620 struct netr_AccountDeltas
*r
)
1622 p
->rng_fault_state
= true;
1623 return NT_STATUS_NOT_IMPLEMENTED
;
1626 /****************************************************************
1627 ****************************************************************/
1629 NTSTATUS
_netr_AccountSync(struct pipes_struct
*p
,
1630 struct netr_AccountSync
*r
)
1632 p
->rng_fault_state
= true;
1633 return NT_STATUS_NOT_IMPLEMENTED
;
1636 /****************************************************************
1637 ****************************************************************/
1639 static bool wb_getdcname(TALLOC_CTX
*mem_ctx
,
1641 const char **dcname
,
1646 struct wbcDomainControllerInfo
*dc_info
= NULL
;
1648 result
= wbcLookupDomainController(domain
,
1652 case WBC_ERR_SUCCESS
:
1654 case WBC_ERR_WINBIND_NOT_AVAILABLE
:
1656 case WBC_ERR_DOMAIN_NOT_FOUND
:
1657 *werr
= WERR_NO_SUCH_DOMAIN
;
1660 *werr
= WERR_DOMAIN_CONTROLLER_NOT_FOUND
;
1664 *dcname
= talloc_strdup(mem_ctx
, dc_info
->dc_name
);
1665 wbcFreeMemory(dc_info
);
1676 /****************************************************************
1678 ****************************************************************/
1680 WERROR
_netr_GetDcName(struct pipes_struct
*p
,
1681 struct netr_GetDcName
*r
)
1686 struct netr_DsRGetDCNameInfo
*info
;
1689 ret
= wb_getdcname(p
->mem_ctx
,
1692 WBC_LOOKUP_DC_IS_FLAT_NAME
|
1693 WBC_LOOKUP_DC_RETURN_FLAT_NAME
|
1694 WBC_LOOKUP_DC_PDC_REQUIRED
,
1700 flags
= DS_PDC_REQUIRED
| DS_IS_FLAT_NAME
| DS_RETURN_FLAT_NAME
;
1702 status
= dsgetdcname(p
->mem_ctx
,
1709 if (!NT_STATUS_IS_OK(status
)) {
1710 return ntstatus_to_werror(status
);
1713 *r
->out
.dcname
= talloc_strdup(p
->mem_ctx
, info
->dc_unc
);
1715 if (!*r
->out
.dcname
) {
1722 /****************************************************************
1724 ****************************************************************/
1726 WERROR
_netr_GetAnyDCName(struct pipes_struct
*p
,
1727 struct netr_GetAnyDCName
*r
)
1732 struct netr_DsRGetDCNameInfo
*info
;
1735 ret
= wb_getdcname(p
->mem_ctx
,
1738 WBC_LOOKUP_DC_IS_FLAT_NAME
|
1739 WBC_LOOKUP_DC_RETURN_FLAT_NAME
,
1745 flags
= DS_IS_FLAT_NAME
| DS_RETURN_FLAT_NAME
;
1747 status
= dsgetdcname(p
->mem_ctx
,
1754 if (!NT_STATUS_IS_OK(status
)) {
1755 return ntstatus_to_werror(status
);
1758 *r
->out
.dcname
= talloc_strdup(p
->mem_ctx
, info
->dc_unc
);
1760 if (!*r
->out
.dcname
) {
1767 /****************************************************************
1768 ****************************************************************/
1770 NTSTATUS
_netr_DatabaseSync2(struct pipes_struct
*p
,
1771 struct netr_DatabaseSync2
*r
)
1773 p
->rng_fault_state
= true;
1774 return NT_STATUS_NOT_IMPLEMENTED
;
1777 /****************************************************************
1778 ****************************************************************/
1780 NTSTATUS
_netr_DatabaseRedo(struct pipes_struct
*p
,
1781 struct netr_DatabaseRedo
*r
)
1783 p
->rng_fault_state
= true;
1784 return NT_STATUS_NOT_IMPLEMENTED
;
1787 /****************************************************************
1788 ****************************************************************/
1790 WERROR
_netr_DsRGetDCName(struct pipes_struct
*p
,
1791 struct netr_DsRGetDCName
*r
)
1793 p
->rng_fault_state
= true;
1794 return WERR_NOT_SUPPORTED
;
1797 /****************************************************************
1798 ****************************************************************/
1800 NTSTATUS
_netr_LogonGetCapabilities(struct pipes_struct
*p
,
1801 struct netr_LogonGetCapabilities
*r
)
1803 return NT_STATUS_NOT_IMPLEMENTED
;
1806 /****************************************************************
1807 ****************************************************************/
1809 WERROR
_netr_NETRLOGONSETSERVICEBITS(struct pipes_struct
*p
,
1810 struct netr_NETRLOGONSETSERVICEBITS
*r
)
1812 p
->rng_fault_state
= true;
1813 return WERR_NOT_SUPPORTED
;
1816 /****************************************************************
1817 ****************************************************************/
1819 WERROR
_netr_LogonGetTrustRid(struct pipes_struct
*p
,
1820 struct netr_LogonGetTrustRid
*r
)
1822 p
->rng_fault_state
= true;
1823 return WERR_NOT_SUPPORTED
;
1826 /****************************************************************
1827 ****************************************************************/
1829 WERROR
_netr_NETRLOGONCOMPUTESERVERDIGEST(struct pipes_struct
*p
,
1830 struct netr_NETRLOGONCOMPUTESERVERDIGEST
*r
)
1832 p
->rng_fault_state
= true;
1833 return WERR_NOT_SUPPORTED
;
1836 /****************************************************************
1837 ****************************************************************/
1839 WERROR
_netr_NETRLOGONCOMPUTECLIENTDIGEST(struct pipes_struct
*p
,
1840 struct netr_NETRLOGONCOMPUTECLIENTDIGEST
*r
)
1842 p
->rng_fault_state
= true;
1843 return WERR_NOT_SUPPORTED
;
1846 /****************************************************************
1847 ****************************************************************/
1849 WERROR
_netr_DsRGetDCNameEx(struct pipes_struct
*p
,
1850 struct netr_DsRGetDCNameEx
*r
)
1852 p
->rng_fault_state
= true;
1853 return WERR_NOT_SUPPORTED
;
1856 /****************************************************************
1857 ****************************************************************/
1859 WERROR
_netr_DsRGetSiteName(struct pipes_struct
*p
,
1860 struct netr_DsRGetSiteName
*r
)
1862 p
->rng_fault_state
= true;
1863 return WERR_NOT_SUPPORTED
;
1866 /****************************************************************
1867 ****************************************************************/
1869 NTSTATUS
_netr_LogonGetDomainInfo(struct pipes_struct
*p
,
1870 struct netr_LogonGetDomainInfo
*r
)
1872 p
->rng_fault_state
= true;
1873 return NT_STATUS_NOT_IMPLEMENTED
;
1876 /****************************************************************
1877 ****************************************************************/
1879 WERROR
_netr_ServerPasswordGet(struct pipes_struct
*p
,
1880 struct netr_ServerPasswordGet
*r
)
1882 p
->rng_fault_state
= true;
1883 return WERR_NOT_SUPPORTED
;
1886 /****************************************************************
1887 ****************************************************************/
1889 WERROR
_netr_NETRLOGONSENDTOSAM(struct pipes_struct
*p
,
1890 struct netr_NETRLOGONSENDTOSAM
*r
)
1892 p
->rng_fault_state
= true;
1893 return WERR_NOT_SUPPORTED
;
1896 /****************************************************************
1897 ****************************************************************/
1899 WERROR
_netr_DsRAddressToSitenamesW(struct pipes_struct
*p
,
1900 struct netr_DsRAddressToSitenamesW
*r
)
1902 p
->rng_fault_state
= true;
1903 return WERR_NOT_SUPPORTED
;
1906 /****************************************************************
1907 ****************************************************************/
1909 WERROR
_netr_DsRGetDCNameEx2(struct pipes_struct
*p
,
1910 struct netr_DsRGetDCNameEx2
*r
)
1912 p
->rng_fault_state
= true;
1913 return WERR_NOT_SUPPORTED
;
1916 /****************************************************************
1917 ****************************************************************/
1919 WERROR
_netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct pipes_struct
*p
,
1920 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN
*r
)
1922 p
->rng_fault_state
= true;
1923 return WERR_NOT_SUPPORTED
;
1926 /****************************************************************
1927 ****************************************************************/
1929 WERROR
_netr_NetrEnumerateTrustedDomainsEx(struct pipes_struct
*p
,
1930 struct netr_NetrEnumerateTrustedDomainsEx
*r
)
1932 p
->rng_fault_state
= true;
1933 return WERR_NOT_SUPPORTED
;
1936 /****************************************************************
1937 ****************************************************************/
1939 WERROR
_netr_DsRAddressToSitenamesExW(struct pipes_struct
*p
,
1940 struct netr_DsRAddressToSitenamesExW
*r
)
1942 p
->rng_fault_state
= true;
1943 return WERR_NOT_SUPPORTED
;
1946 /****************************************************************
1947 ****************************************************************/
1949 WERROR
_netr_DsrGetDcSiteCoverageW(struct pipes_struct
*p
,
1950 struct netr_DsrGetDcSiteCoverageW
*r
)
1952 p
->rng_fault_state
= true;
1953 return WERR_NOT_SUPPORTED
;
1956 /****************************************************************
1957 ****************************************************************/
1959 WERROR
_netr_DsrEnumerateDomainTrusts(struct pipes_struct
*p
,
1960 struct netr_DsrEnumerateDomainTrusts
*r
)
1962 p
->rng_fault_state
= true;
1963 return WERR_NOT_SUPPORTED
;
1966 /****************************************************************
1967 ****************************************************************/
1969 WERROR
_netr_DsrDeregisterDNSHostRecords(struct pipes_struct
*p
,
1970 struct netr_DsrDeregisterDNSHostRecords
*r
)
1972 p
->rng_fault_state
= true;
1973 return WERR_NOT_SUPPORTED
;
1976 /****************************************************************
1977 ****************************************************************/
1979 NTSTATUS
_netr_ServerTrustPasswordsGet(struct pipes_struct
*p
,
1980 struct netr_ServerTrustPasswordsGet
*r
)
1982 p
->rng_fault_state
= true;
1983 return NT_STATUS_NOT_IMPLEMENTED
;
1986 /****************************************************************
1987 ****************************************************************/
1989 WERROR
_netr_DsRGetForestTrustInformation(struct pipes_struct
*p
,
1990 struct netr_DsRGetForestTrustInformation
*r
)
1992 p
->rng_fault_state
= true;
1993 return WERR_NOT_SUPPORTED
;
1996 /****************************************************************
1997 ****************************************************************/
1999 NTSTATUS
_netr_GetForestTrustInformation(struct pipes_struct
*p
,
2000 struct netr_GetForestTrustInformation
*r
)
2002 p
->rng_fault_state
= true;
2003 return NT_STATUS_NOT_IMPLEMENTED
;
2006 /****************************************************************
2007 ****************************************************************/
2009 NTSTATUS
_netr_ServerGetTrustInfo(struct pipes_struct
*p
,
2010 struct netr_ServerGetTrustInfo
*r
)
2012 p
->rng_fault_state
= true;
2013 return NT_STATUS_NOT_IMPLEMENTED
;