2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997.
7 * Copyright (C) Jeremy Allison 1998-2001.
8 * Copyright (C) Andrew Bartlett 2001.
9 * Copyright (C) Guenther Deschner 2008-2009.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 /* This is the implementation of the netlogon pipe. */
28 #include "../libcli/auth/schannel.h"
29 #include "../librpc/gen_ndr/srv_netlogon.h"
30 #include "../librpc/gen_ndr/srv_samr.h"
31 #include "../librpc/gen_ndr/srv_lsa.h"
32 #include "../librpc/gen_ndr/cli_samr.h"
33 #include "../librpc/gen_ndr/cli_lsa.h"
34 #include "rpc_client/cli_lsarpc.h"
35 #include "librpc/gen_ndr/messaging.h"
36 #include "../lib/crypto/md4.h"
38 extern userdom_struct current_user_info
;
41 #define DBGC_CLASS DBGC_RPC_SRV
43 struct netlogon_server_pipe_state
{
44 struct netr_Credential client_challenge
;
45 struct netr_Credential server_challenge
;
48 /*************************************************************************
50 *************************************************************************/
52 WERROR
_netr_LogonControl(struct pipes_struct
*p
,
53 struct netr_LogonControl
*r
)
55 struct netr_LogonControl2Ex l
;
57 switch (r
->in
.level
) {
61 return WERR_NOT_SUPPORTED
;
63 return WERR_UNKNOWN_LEVEL
;
66 l
.in
.logon_server
= r
->in
.logon_server
;
67 l
.in
.function_code
= r
->in
.function_code
;
68 l
.in
.level
= r
->in
.level
;
70 l
.out
.query
= r
->out
.query
;
72 return _netr_LogonControl2Ex(p
, &l
);
75 /****************************************************************************
76 Send a message to smbd to do a sam synchronisation
77 **************************************************************************/
79 static void send_sync_message(struct messaging_context
*msg_ctx
)
81 DEBUG(3, ("sending sam synchronisation message\n"));
82 message_send_all(msg_ctx
, MSG_SMB_SAM_SYNC
, NULL
, 0, NULL
);
85 /*************************************************************************
87 *************************************************************************/
89 WERROR
_netr_LogonControl2(struct pipes_struct
*p
,
90 struct netr_LogonControl2
*r
)
92 struct netr_LogonControl2Ex l
;
94 l
.in
.logon_server
= r
->in
.logon_server
;
95 l
.in
.function_code
= r
->in
.function_code
;
96 l
.in
.level
= r
->in
.level
;
97 l
.in
.data
= r
->in
.data
;
98 l
.out
.query
= r
->out
.query
;
100 return _netr_LogonControl2Ex(p
, &l
);
103 /*************************************************************************
104 *************************************************************************/
106 static bool wb_change_trust_creds(const char *domain
, WERROR
*tc_status
)
109 struct wbcAuthErrorInfo
*error
= NULL
;
111 result
= wbcChangeTrustCredentials(domain
, &error
);
113 case WBC_ERR_WINBIND_NOT_AVAILABLE
:
115 case WBC_ERR_DOMAIN_NOT_FOUND
:
116 *tc_status
= WERR_NO_SUCH_DOMAIN
;
118 case WBC_ERR_SUCCESS
:
119 *tc_status
= WERR_OK
;
125 if (error
&& error
->nt_status
!= 0) {
126 *tc_status
= ntstatus_to_werror(NT_STATUS(error
->nt_status
));
128 *tc_status
= WERR_TRUST_FAILURE
;
130 wbcFreeMemory(error
);
134 /*************************************************************************
135 *************************************************************************/
137 static bool wb_check_trust_creds(const char *domain
, WERROR
*tc_status
)
140 struct wbcAuthErrorInfo
*error
= NULL
;
142 result
= wbcCheckTrustCredentials(domain
, &error
);
144 case WBC_ERR_WINBIND_NOT_AVAILABLE
:
146 case WBC_ERR_DOMAIN_NOT_FOUND
:
147 *tc_status
= WERR_NO_SUCH_DOMAIN
;
149 case WBC_ERR_SUCCESS
:
150 *tc_status
= WERR_OK
;
156 if (error
&& error
->nt_status
!= 0) {
157 *tc_status
= ntstatus_to_werror(NT_STATUS(error
->nt_status
));
159 *tc_status
= WERR_TRUST_FAILURE
;
161 wbcFreeMemory(error
);
165 /****************************************************************
166 _netr_LogonControl2Ex
167 ****************************************************************/
169 WERROR
_netr_LogonControl2Ex(struct pipes_struct
*p
,
170 struct netr_LogonControl2Ex
*r
)
172 uint32_t flags
= 0x0;
173 WERROR pdc_connection_status
= WERR_OK
;
174 uint32_t logon_attempts
= 0x0;
177 const char *dc_name
= NULL
;
178 struct sockaddr_storage dc_ss
;
179 const char *domain
= NULL
;
180 struct netr_NETLOGON_INFO_1
*info1
;
181 struct netr_NETLOGON_INFO_2
*info2
;
182 struct netr_NETLOGON_INFO_3
*info3
;
183 struct netr_NETLOGON_INFO_4
*info4
;
188 case NDR_NETR_LOGONCONTROL
:
189 fn
= "_netr_LogonControl";
191 case NDR_NETR_LOGONCONTROL2
:
192 fn
= "_netr_LogonControl2";
194 case NDR_NETR_LOGONCONTROL2EX
:
195 fn
= "_netr_LogonControl2Ex";
198 return WERR_INVALID_PARAM
;
201 acct_ctrl
= p
->server_info
->info3
->base
.acct_flags
;
203 switch (r
->in
.function_code
) {
204 case NETLOGON_CONTROL_TC_VERIFY
:
205 case NETLOGON_CONTROL_CHANGE_PASSWORD
:
206 case NETLOGON_CONTROL_REDISCOVER
:
207 if ((geteuid() != sec_initial_uid()) &&
208 !nt_token_check_domain_rid(p
->server_info
->ptok
, DOMAIN_RID_ADMINS
) &&
209 !nt_token_check_sid(&global_sid_Builtin_Administrators
, p
->server_info
->ptok
) &&
210 !(acct_ctrl
& (ACB_WSTRUST
| ACB_SVRTRUST
))) {
211 return WERR_ACCESS_DENIED
;
218 tc_status
= WERR_NO_SUCH_DOMAIN
;
220 switch (r
->in
.function_code
) {
221 case NETLOGON_CONTROL_QUERY
:
224 case NETLOGON_CONTROL_REPLICATE
:
225 case NETLOGON_CONTROL_SYNCHRONIZE
:
226 case NETLOGON_CONTROL_PDC_REPLICATE
:
227 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG
:
228 case NETLOGON_CONTROL_BREAKPOINT
:
229 if (acct_ctrl
& ACB_NORMAL
) {
230 return WERR_NOT_SUPPORTED
;
231 } else if (acct_ctrl
& (ACB_WSTRUST
| ACB_SVRTRUST
)) {
232 return WERR_ACCESS_DENIED
;
234 return WERR_ACCESS_DENIED
;
236 case NETLOGON_CONTROL_TRUNCATE_LOG
:
237 if (acct_ctrl
& ACB_NORMAL
) {
239 } else if (acct_ctrl
& (ACB_WSTRUST
| ACB_SVRTRUST
)) {
240 return WERR_ACCESS_DENIED
;
242 return WERR_ACCESS_DENIED
;
245 case NETLOGON_CONTROL_TRANSPORT_NOTIFY
:
246 case NETLOGON_CONTROL_FORCE_DNS_REG
:
247 case NETLOGON_CONTROL_QUERY_DNS_REG
:
248 return WERR_NOT_SUPPORTED
;
249 case NETLOGON_CONTROL_FIND_USER
:
250 if (!r
->in
.data
|| !r
->in
.data
->user
) {
251 return WERR_NOT_SUPPORTED
;
254 case NETLOGON_CONTROL_SET_DBFLAG
:
256 return WERR_NOT_SUPPORTED
;
259 case NETLOGON_CONTROL_TC_VERIFY
:
260 if (!r
->in
.data
|| !r
->in
.data
->domain
) {
261 return WERR_NOT_SUPPORTED
;
264 if (!wb_check_trust_creds(r
->in
.data
->domain
, &tc_status
)) {
265 return WERR_NOT_SUPPORTED
;
268 case NETLOGON_CONTROL_TC_QUERY
:
269 if (!r
->in
.data
|| !r
->in
.data
->domain
) {
270 return WERR_NOT_SUPPORTED
;
273 domain
= r
->in
.data
->domain
;
275 if (!is_trusted_domain(domain
)) {
279 if (!get_dc_name(domain
, NULL
, dc_name2
, &dc_ss
)) {
280 tc_status
= WERR_NO_LOGON_SERVERS
;
284 dc_name
= talloc_asprintf(p
->mem_ctx
, "\\\\%s", dc_name2
);
293 case NETLOGON_CONTROL_REDISCOVER
:
294 if (!r
->in
.data
|| !r
->in
.data
->domain
) {
295 return WERR_NOT_SUPPORTED
;
298 domain
= r
->in
.data
->domain
;
300 if (!is_trusted_domain(domain
)) {
304 if (!get_dc_name(domain
, NULL
, dc_name2
, &dc_ss
)) {
305 tc_status
= WERR_NO_LOGON_SERVERS
;
309 dc_name
= talloc_asprintf(p
->mem_ctx
, "\\\\%s", dc_name2
);
318 case NETLOGON_CONTROL_CHANGE_PASSWORD
:
319 if (!r
->in
.data
|| !r
->in
.data
->domain
) {
320 return WERR_NOT_SUPPORTED
;
323 if (!wb_change_trust_creds(r
->in
.data
->domain
, &tc_status
)) {
324 return WERR_NOT_SUPPORTED
;
329 /* no idea what this should be */
330 DEBUG(0,("%s: unimplemented function level [%d]\n",
331 fn
, r
->in
.function_code
));
332 return WERR_UNKNOWN_LEVEL
;
335 /* prepare the response */
337 switch (r
->in
.level
) {
339 info1
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_1
);
340 W_ERROR_HAVE_NO_MEMORY(info1
);
342 info1
->flags
= flags
;
343 info1
->pdc_connection_status
= pdc_connection_status
;
345 r
->out
.query
->info1
= info1
;
348 info2
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_2
);
349 W_ERROR_HAVE_NO_MEMORY(info2
);
351 info2
->flags
= flags
;
352 info2
->pdc_connection_status
= pdc_connection_status
;
353 info2
->trusted_dc_name
= dc_name
;
354 info2
->tc_connection_status
= tc_status
;
356 r
->out
.query
->info2
= info2
;
359 info3
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_3
);
360 W_ERROR_HAVE_NO_MEMORY(info3
);
362 info3
->flags
= flags
;
363 info3
->logon_attempts
= logon_attempts
;
365 r
->out
.query
->info3
= info3
;
368 info4
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_4
);
369 W_ERROR_HAVE_NO_MEMORY(info4
);
371 info4
->trusted_dc_name
= dc_name
;
372 info4
->trusted_domain_name
= r
->in
.data
->domain
;
374 r
->out
.query
->info4
= info4
;
377 return WERR_UNKNOWN_LEVEL
;
380 if (lp_server_role() == ROLE_DOMAIN_BDC
) {
381 send_sync_message(p
->msg_ctx
);
387 /*************************************************************************
388 _netr_NetrEnumerateTrustedDomains
389 *************************************************************************/
391 NTSTATUS
_netr_NetrEnumerateTrustedDomains(struct pipes_struct
*p
,
392 struct netr_NetrEnumerateTrustedDomains
*r
)
397 const char **trusted_domains
= NULL
;
398 struct lsa_DomainList domain_list
;
399 struct rpc_pipe_client
*cli
= NULL
;
400 struct policy_handle pol
;
401 uint32_t enum_ctx
= 0;
403 uint32_t max_size
= (uint32_t)-1;
405 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__
));
407 status
= rpc_pipe_open_internal(p
->mem_ctx
, &ndr_table_lsarpc
.syntax_id
,
410 if (!NT_STATUS_IS_OK(status
)) {
414 status
= rpccli_lsa_open_policy2(cli
, p
->mem_ctx
,
416 LSA_POLICY_VIEW_LOCAL_INFORMATION
,
418 if (!NT_STATUS_IS_OK(status
)) {
423 /* Lookup list of trusted domains */
425 status
= rpccli_lsa_EnumTrustDom(cli
, p
->mem_ctx
,
430 if (!NT_STATUS_IS_OK(status
) &&
431 !NT_STATUS_EQUAL(status
, NT_STATUS_NO_MORE_ENTRIES
) &&
432 !NT_STATUS_EQUAL(status
, STATUS_MORE_ENTRIES
)) {
436 for (i
= 0; i
< domain_list
.count
; i
++) {
437 if (!add_string_to_array(p
->mem_ctx
, domain_list
.domains
[i
].name
.string
,
438 &trusted_domains
, &num_domains
)) {
439 status
= NT_STATUS_NO_MEMORY
;
443 } while (NT_STATUS_EQUAL(status
, STATUS_MORE_ENTRIES
));
445 if (num_domains
> 0) {
446 /* multi sz terminate */
447 trusted_domains
= talloc_realloc(p
->mem_ctx
, trusted_domains
, const char *, num_domains
+ 1);
448 if (trusted_domains
== NULL
) {
449 status
= NT_STATUS_NO_MEMORY
;
453 trusted_domains
[num_domains
] = NULL
;
456 if (!push_reg_multi_sz(trusted_domains
, &blob
, trusted_domains
)) {
457 TALLOC_FREE(trusted_domains
);
458 status
= NT_STATUS_NO_MEMORY
;
462 r
->out
.trusted_domains_blob
->data
= blob
.data
;
463 r
->out
.trusted_domains_blob
->length
= blob
.length
;
465 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__
));
467 status
= NT_STATUS_OK
;
470 if (cli
&& is_valid_policy_hnd(&pol
)) {
471 rpccli_lsa_Close(cli
, p
->mem_ctx
, &pol
);
477 /*************************************************************************
478 *************************************************************************/
480 static NTSTATUS
samr_find_machine_account(TALLOC_CTX
*mem_ctx
,
481 struct rpc_pipe_client
*cli
,
482 const char *account_name
,
483 uint32_t access_mask
,
484 struct dom_sid2
**domain_sid_p
,
485 uint32_t *user_rid_p
,
486 struct policy_handle
*user_handle
)
489 struct policy_handle connect_handle
, domain_handle
;
490 struct lsa_String domain_name
;
491 struct dom_sid2
*domain_sid
;
492 struct lsa_String names
;
493 struct samr_Ids rids
;
494 struct samr_Ids types
;
497 status
= rpccli_samr_Connect2(cli
, mem_ctx
,
499 SAMR_ACCESS_CONNECT_TO_SERVER
|
500 SAMR_ACCESS_ENUM_DOMAINS
|
501 SAMR_ACCESS_LOOKUP_DOMAIN
,
503 if (!NT_STATUS_IS_OK(status
)) {
507 init_lsa_String(&domain_name
, get_global_sam_name());
509 status
= rpccli_samr_LookupDomain(cli
, mem_ctx
,
513 if (!NT_STATUS_IS_OK(status
)) {
517 status
= rpccli_samr_OpenDomain(cli
, mem_ctx
,
519 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
,
522 if (!NT_STATUS_IS_OK(status
)) {
526 init_lsa_String(&names
, account_name
);
528 status
= rpccli_samr_LookupNames(cli
, mem_ctx
,
534 if (!NT_STATUS_IS_OK(status
)) {
538 if (rids
.count
!= 1) {
539 status
= NT_STATUS_NO_SUCH_USER
;
542 if (rids
.count
!= types
.count
) {
543 status
= NT_STATUS_INVALID_PARAMETER
;
546 if (types
.ids
[0] != SID_NAME_USER
) {
547 status
= NT_STATUS_NO_SUCH_USER
;
553 status
= rpccli_samr_OpenUser(cli
, mem_ctx
,
558 if (!NT_STATUS_IS_OK(status
)) {
567 *domain_sid_p
= domain_sid
;
571 if (cli
&& is_valid_policy_hnd(&domain_handle
)) {
572 rpccli_samr_Close(cli
, mem_ctx
, &domain_handle
);
574 if (cli
&& is_valid_policy_hnd(&connect_handle
)) {
575 rpccli_samr_Close(cli
, mem_ctx
, &connect_handle
);
581 /******************************************************************
582 gets a machine password entry. checks access rights of the host.
583 ******************************************************************/
585 static NTSTATUS
get_md4pw(struct samr_Password
*md4pw
, const char *mach_acct
,
586 enum netr_SchannelType sec_chan_type
, struct dom_sid
*sid
)
590 struct rpc_pipe_client
*cli
= NULL
;
591 struct policy_handle user_handle
;
593 struct dom_sid
*domain_sid
;
595 union samr_UserInfo
*info
;
596 struct auth_serversupplied_info
*server_info
;
598 char addr
[INET6_ADDRSTRLEN
];
601 * Currently this code is redundent as we already have a filter
602 * by hostname list. What this code really needs to do is to
603 * get a hosts allowed/hosts denied list from the SAM database
604 * on a per user basis, and make the access decision there.
605 * I will leave this code here for now as a reminder to implement
606 * this at a later date. JRA.
609 if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
610 client_name(get_client_fd()),
611 client_addr(get_client_fd(),addr
,sizeof(addr
)))) {
612 DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct
));
617 mem_ctx
= talloc_new(talloc_tos());
618 if (mem_ctx
== NULL
) {
619 status
= NT_STATUS_NO_MEMORY
;
623 status
= make_server_info_system(mem_ctx
, &server_info
);
624 if (!NT_STATUS_IS_OK(status
)) {
628 ZERO_STRUCT(user_handle
);
630 status
= rpc_pipe_open_internal(mem_ctx
, &ndr_table_samr
.syntax_id
,
633 if (!NT_STATUS_IS_OK(status
)) {
638 status
= samr_find_machine_account(mem_ctx
, cli
, mach_acct
,
639 SEC_FLAG_MAXIMUM_ALLOWED
,
640 &domain_sid
, &user_rid
,
643 if (!NT_STATUS_IS_OK(status
)) {
647 status
= rpccli_samr_QueryUserInfo2(cli
, mem_ctx
,
649 UserControlInformation
,
651 if (!NT_STATUS_IS_OK(status
)) {
655 acct_ctrl
= info
->info16
.acct_flags
;
657 if (acct_ctrl
& ACB_DISABLED
) {
658 DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct
));
659 status
= NT_STATUS_ACCOUNT_DISABLED
;
663 if (!(acct_ctrl
& ACB_SVRTRUST
) &&
664 !(acct_ctrl
& ACB_WSTRUST
) &&
665 !(acct_ctrl
& ACB_DOMTRUST
))
667 DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct
));
668 status
= NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
672 switch (sec_chan_type
) {
674 if (!(acct_ctrl
& ACB_SVRTRUST
)) {
675 DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
676 "but not a server trust account\n", mach_acct
));
677 status
= NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
682 if (!(acct_ctrl
& ACB_WSTRUST
)) {
683 DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
684 "but not a workstation trust account\n", mach_acct
));
685 status
= NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
689 case SEC_CHAN_DOMAIN
:
690 if (!(acct_ctrl
& ACB_DOMTRUST
)) {
691 DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
692 "but not a interdomain trust account\n", mach_acct
));
693 status
= NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
702 status
= rpccli_samr_QueryUserInfo2(cli
, mem_ctx
,
704 UserInternal1Information
,
707 if (!NT_STATUS_IS_OK(status
)) {
710 if (info
->info18
.nt_pwd_active
== 0) {
711 DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct
));
712 status
= NT_STATUS_LOGON_FAILURE
;
716 /* samr gives out nthash unencrypted (!) */
717 memcpy(md4pw
->hash
, info
->info18
.nt_pwd
.hash
, 16);
719 sid_compose(sid
, domain_sid
, user_rid
);
722 if (cli
&& is_valid_policy_hnd(&user_handle
)) {
723 rpccli_samr_Close(cli
, mem_ctx
, &user_handle
);
726 talloc_free(mem_ctx
);
731 /*************************************************************************
732 _netr_ServerReqChallenge
733 *************************************************************************/
735 NTSTATUS
_netr_ServerReqChallenge(struct pipes_struct
*p
,
736 struct netr_ServerReqChallenge
*r
)
738 struct netlogon_server_pipe_state
*pipe_state
=
739 talloc_get_type(p
->private_data
, struct netlogon_server_pipe_state
);
742 DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));
743 talloc_free(pipe_state
);
744 p
->private_data
= NULL
;
747 pipe_state
= talloc(p
, struct netlogon_server_pipe_state
);
748 NT_STATUS_HAVE_NO_MEMORY(pipe_state
);
750 pipe_state
->client_challenge
= *r
->in
.credentials
;
752 generate_random_buffer(pipe_state
->server_challenge
.data
,
753 sizeof(pipe_state
->server_challenge
.data
));
755 *r
->out
.return_credentials
= pipe_state
->server_challenge
;
757 p
->private_data
= pipe_state
;
762 /*************************************************************************
763 _netr_ServerAuthenticate
764 Create the initial credentials.
765 *************************************************************************/
767 NTSTATUS
_netr_ServerAuthenticate(struct pipes_struct
*p
,
768 struct netr_ServerAuthenticate
*r
)
770 struct netr_ServerAuthenticate3 a
;
771 uint32_t negotiate_flags
= 0;
774 a
.in
.server_name
= r
->in
.server_name
;
775 a
.in
.account_name
= r
->in
.account_name
;
776 a
.in
.secure_channel_type
= r
->in
.secure_channel_type
;
777 a
.in
.computer_name
= r
->in
.computer_name
;
778 a
.in
.credentials
= r
->in
.credentials
;
779 a
.in
.negotiate_flags
= &negotiate_flags
;
781 a
.out
.return_credentials
= r
->out
.return_credentials
;
783 a
.out
.negotiate_flags
= &negotiate_flags
;
785 return _netr_ServerAuthenticate3(p
, &a
);
789 /*************************************************************************
790 _netr_ServerAuthenticate3
791 *************************************************************************/
793 NTSTATUS
_netr_ServerAuthenticate3(struct pipes_struct
*p
,
794 struct netr_ServerAuthenticate3
*r
)
798 /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
799 * so use a copy to avoid destroying the client values. */
800 uint32_t in_neg_flags
= *r
->in
.negotiate_flags
;
803 struct samr_Password mach_pwd
;
804 struct netlogon_creds_CredentialState
*creds
;
805 struct netlogon_server_pipe_state
*pipe_state
=
806 talloc_get_type(p
->private_data
, struct netlogon_server_pipe_state
);
808 /* According to Microsoft (see bugid #6099)
809 * Windows 7 looks at the negotiate_flags
810 * returned in this structure *even if the
811 * call fails with access denied* ! So in order
812 * to allow Win7 to connect to a Samba NT style
813 * PDC we set the flags before we know if it's
818 srv_flgs
= NETLOGON_NEG_ACCOUNT_LOCKOUT
|
819 NETLOGON_NEG_PERSISTENT_SAMREPL
|
820 NETLOGON_NEG_ARCFOUR
|
821 NETLOGON_NEG_PROMOTION_COUNT
|
822 NETLOGON_NEG_CHANGELOG_BDC
|
823 NETLOGON_NEG_FULL_SYNC_REPL
|
824 NETLOGON_NEG_MULTIPLE_SIDS
|
826 NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
|
827 NETLOGON_NEG_PASSWORD_SET2
;
829 /* Ensure we support strong (128-bit) keys. */
830 if (in_neg_flags
& NETLOGON_NEG_STRONG_KEYS
) {
831 srv_flgs
|= NETLOGON_NEG_STRONG_KEYS
;
834 if (lp_server_schannel() != false) {
835 srv_flgs
|= NETLOGON_NEG_SCHANNEL
;
839 case NDR_NETR_SERVERAUTHENTICATE
:
840 fn
= "_netr_ServerAuthenticate";
842 case NDR_NETR_SERVERAUTHENTICATE2
:
843 fn
= "_netr_ServerAuthenticate2";
845 case NDR_NETR_SERVERAUTHENTICATE3
:
846 fn
= "_netr_ServerAuthenticate3";
849 return NT_STATUS_INTERNAL_ERROR
;
852 /* We use this as the key to store the creds: */
853 /* r->in.computer_name */
856 DEBUG(0,("%s: no challenge sent to client %s\n", fn
,
857 r
->in
.computer_name
));
858 status
= NT_STATUS_ACCESS_DENIED
;
862 if ( (lp_server_schannel() == true) &&
863 ((in_neg_flags
& NETLOGON_NEG_SCHANNEL
) == 0) ) {
865 /* schannel must be used, but client did not offer it. */
866 DEBUG(0,("%s: schannel required but client failed "
867 "to offer it. Client was %s\n",
868 fn
, r
->in
.account_name
));
869 status
= NT_STATUS_ACCESS_DENIED
;
873 status
= get_md4pw(&mach_pwd
,
875 r
->in
.secure_channel_type
,
877 if (!NT_STATUS_IS_OK(status
)) {
878 DEBUG(0,("%s: failed to get machine password for "
880 fn
, r
->in
.account_name
, nt_errstr(status
) ));
881 /* always return NT_STATUS_ACCESS_DENIED */
882 status
= NT_STATUS_ACCESS_DENIED
;
886 /* From the client / server challenges and md4 password, generate sess key */
887 /* Check client credentials are valid. */
888 creds
= netlogon_creds_server_init(p
->mem_ctx
,
891 r
->in
.secure_channel_type
,
892 &pipe_state
->client_challenge
,
893 &pipe_state
->server_challenge
,
896 r
->out
.return_credentials
,
897 *r
->in
.negotiate_flags
);
899 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
900 "request from client %s machine account %s\n",
901 fn
, r
->in
.computer_name
,
902 r
->in
.account_name
));
903 status
= NT_STATUS_ACCESS_DENIED
;
907 creds
->sid
= sid_dup_talloc(creds
, &sid
);
909 status
= NT_STATUS_NO_MEMORY
;
913 /* Store off the state so we can continue after client disconnect. */
915 status
= schannel_save_creds_state(p
->mem_ctx
, lp_private_dir(), creds
);
918 if (!NT_STATUS_IS_OK(status
)) {
922 sid_peek_rid(&sid
, r
->out
.rid
);
924 status
= NT_STATUS_OK
;
928 *r
->out
.negotiate_flags
= srv_flgs
;
932 /*************************************************************************
933 _netr_ServerAuthenticate2
934 *************************************************************************/
936 NTSTATUS
_netr_ServerAuthenticate2(struct pipes_struct
*p
,
937 struct netr_ServerAuthenticate2
*r
)
939 struct netr_ServerAuthenticate3 a
;
942 a
.in
.server_name
= r
->in
.server_name
;
943 a
.in
.account_name
= r
->in
.account_name
;
944 a
.in
.secure_channel_type
= r
->in
.secure_channel_type
;
945 a
.in
.computer_name
= r
->in
.computer_name
;
946 a
.in
.credentials
= r
->in
.credentials
;
947 a
.in
.negotiate_flags
= r
->in
.negotiate_flags
;
949 a
.out
.return_credentials
= r
->out
.return_credentials
;
951 a
.out
.negotiate_flags
= r
->out
.negotiate_flags
;
953 return _netr_ServerAuthenticate3(p
, &a
);
956 /*************************************************************************
957 * If schannel is required for this call test that it actually is available.
958 *************************************************************************/
959 static NTSTATUS
schannel_check_required(struct pipe_auth_data
*auth_info
,
960 const char *computer_name
,
961 bool integrity
, bool privacy
)
963 if (auth_info
&& auth_info
->auth_type
== DCERPC_AUTH_TYPE_SCHANNEL
) {
964 if (!privacy
&& !integrity
) {
968 if ((!privacy
&& integrity
) &&
969 auth_info
->auth_level
== DCERPC_AUTH_LEVEL_INTEGRITY
) {
973 if ((privacy
|| integrity
) &&
974 auth_info
->auth_level
== DCERPC_AUTH_LEVEL_PRIVACY
) {
979 /* test didn't pass */
980 DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
983 return NT_STATUS_ACCESS_DENIED
;
986 /*************************************************************************
987 *************************************************************************/
989 static NTSTATUS
netr_creds_server_step_check(struct pipes_struct
*p
,
991 const char *computer_name
,
992 struct netr_Authenticator
*received_authenticator
,
993 struct netr_Authenticator
*return_authenticator
,
994 struct netlogon_creds_CredentialState
**creds_out
)
997 bool schannel_global_required
= (lp_server_schannel() == true) ? true:false;
999 if (schannel_global_required
) {
1000 status
= schannel_check_required(&p
->auth
,
1003 if (!NT_STATUS_IS_OK(status
)) {
1008 status
= schannel_check_creds_state(mem_ctx
, lp_private_dir(),
1009 computer_name
, received_authenticator
,
1010 return_authenticator
, creds_out
);
1015 /*************************************************************************
1016 *************************************************************************/
1018 static NTSTATUS
netr_set_machine_account_password(TALLOC_CTX
*mem_ctx
,
1019 struct auth_serversupplied_info
*server_info
,
1020 const char *account_name
,
1021 struct samr_Password
*nt_hash
)
1024 struct rpc_pipe_client
*cli
= NULL
;
1025 struct policy_handle user_handle
;
1027 union samr_UserInfo
*info
;
1028 struct samr_UserInfo18 info18
;
1031 ZERO_STRUCT(user_handle
);
1033 status
= rpc_pipe_open_internal(mem_ctx
, &ndr_table_samr
.syntax_id
,
1036 if (!NT_STATUS_IS_OK(status
)) {
1040 status
= samr_find_machine_account(mem_ctx
, cli
, account_name
,
1041 SEC_FLAG_MAXIMUM_ALLOWED
,
1044 if (!NT_STATUS_IS_OK(status
)) {
1048 status
= rpccli_samr_QueryUserInfo2(cli
, mem_ctx
,
1050 UserControlInformation
,
1052 if (!NT_STATUS_IS_OK(status
)) {
1056 acct_ctrl
= info
->info16
.acct_flags
;
1058 if (!(acct_ctrl
& ACB_WSTRUST
||
1059 acct_ctrl
& ACB_SVRTRUST
||
1060 acct_ctrl
& ACB_DOMTRUST
)) {
1061 status
= NT_STATUS_NO_SUCH_USER
;
1065 if (acct_ctrl
& ACB_DISABLED
) {
1066 status
= NT_STATUS_ACCOUNT_DISABLED
;
1070 ZERO_STRUCT(info18
);
1072 in
= data_blob_const(nt_hash
->hash
, 16);
1073 out
= data_blob_talloc_zero(mem_ctx
, 16);
1074 sess_crypt_blob(&out
, &in
, &server_info
->user_session_key
, true);
1075 memcpy(info18
.nt_pwd
.hash
, out
.data
, out
.length
);
1077 info18
.nt_pwd_active
= true;
1079 info
->info18
= info18
;
1081 status
= rpccli_samr_SetUserInfo2(cli
, mem_ctx
,
1083 UserInternal1Information
,
1085 if (!NT_STATUS_IS_OK(status
)) {
1090 if (cli
&& is_valid_policy_hnd(&user_handle
)) {
1091 rpccli_samr_Close(cli
, mem_ctx
, &user_handle
);
1097 /*************************************************************************
1098 _netr_ServerPasswordSet
1099 *************************************************************************/
1101 NTSTATUS
_netr_ServerPasswordSet(struct pipes_struct
*p
,
1102 struct netr_ServerPasswordSet
*r
)
1104 NTSTATUS status
= NT_STATUS_OK
;
1106 struct netlogon_creds_CredentialState
*creds
;
1108 DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__
));
1111 status
= netr_creds_server_step_check(p
, p
->mem_ctx
,
1112 r
->in
.computer_name
,
1114 r
->out
.return_authenticator
,
1118 if (!NT_STATUS_IS_OK(status
)) {
1119 DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
1120 "request from client %s machine account %s\n",
1121 r
->in
.computer_name
, creds
->computer_name
));
1126 DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
1127 r
->in
.computer_name
, creds
->computer_name
));
1129 netlogon_creds_des_decrypt(creds
, r
->in
.new_password
);
1131 DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
1132 for(i
= 0; i
< sizeof(r
->in
.new_password
->hash
); i
++)
1133 DEBUG(100,("%02X ", r
->in
.new_password
->hash
[i
]));
1136 status
= netr_set_machine_account_password(p
->mem_ctx
,
1138 creds
->account_name
,
1139 r
->in
.new_password
);
1143 /****************************************************************
1144 _netr_ServerPasswordSet2
1145 ****************************************************************/
1147 NTSTATUS
_netr_ServerPasswordSet2(struct pipes_struct
*p
,
1148 struct netr_ServerPasswordSet2
*r
)
1151 struct netlogon_creds_CredentialState
*creds
;
1152 DATA_BLOB plaintext
;
1153 struct samr_CryptPassword password_buf
;
1154 struct samr_Password nt_hash
;
1157 status
= netr_creds_server_step_check(p
, p
->mem_ctx
,
1158 r
->in
.computer_name
,
1160 r
->out
.return_authenticator
,
1164 if (!NT_STATUS_IS_OK(status
)) {
1165 DEBUG(2,("_netr_ServerPasswordSet2: netlogon_creds_server_step "
1166 "failed. Rejecting auth request from client %s machine account %s\n",
1167 r
->in
.computer_name
, creds
->computer_name
));
1172 memcpy(password_buf
.data
, r
->in
.new_password
->data
, 512);
1173 SIVAL(password_buf
.data
, 512, r
->in
.new_password
->length
);
1174 netlogon_creds_arcfour_crypt(creds
, password_buf
.data
, 516);
1176 if (!extract_pw_from_buffer(p
->mem_ctx
, password_buf
.data
, &plaintext
)) {
1177 return NT_STATUS_WRONG_PASSWORD
;
1180 mdfour(nt_hash
.hash
, plaintext
.data
, plaintext
.length
);
1182 status
= netr_set_machine_account_password(p
->mem_ctx
,
1184 creds
->account_name
,
1189 /*************************************************************************
1190 _netr_LogonSamLogoff
1191 *************************************************************************/
1193 NTSTATUS
_netr_LogonSamLogoff(struct pipes_struct
*p
,
1194 struct netr_LogonSamLogoff
*r
)
1197 struct netlogon_creds_CredentialState
*creds
;
1200 status
= netr_creds_server_step_check(p
, p
->mem_ctx
,
1201 r
->in
.computer_name
,
1203 r
->out
.return_authenticator
,
1210 /*************************************************************************
1211 _netr_LogonSamLogon_base
1212 *************************************************************************/
1214 static NTSTATUS
_netr_LogonSamLogon_base(struct pipes_struct
*p
,
1215 struct netr_LogonSamLogonEx
*r
,
1216 struct netlogon_creds_CredentialState
*creds
)
1218 NTSTATUS status
= NT_STATUS_OK
;
1219 union netr_LogonLevel
*logon
= r
->in
.logon
;
1220 const char *nt_username
, *nt_domain
, *nt_workstation
;
1221 struct auth_usersupplied_info
*user_info
= NULL
;
1222 struct auth_serversupplied_info
*server_info
= NULL
;
1223 struct auth_context
*auth_context
= NULL
;
1224 uint8_t pipe_session_key
[16];
1225 bool process_creds
= true;
1229 case NDR_NETR_LOGONSAMLOGON
:
1230 process_creds
= true;
1231 fn
= "_netr_LogonSamLogon";
1233 case NDR_NETR_LOGONSAMLOGONWITHFLAGS
:
1234 process_creds
= true;
1235 fn
= "_netr_LogonSamLogonWithFlags";
1237 case NDR_NETR_LOGONSAMLOGONEX
:
1238 process_creds
= false;
1239 fn
= "_netr_LogonSamLogonEx";
1242 return NT_STATUS_INTERNAL_ERROR
;
1245 *r
->out
.authoritative
= true; /* authoritative response */
1247 switch (r
->in
.validation_level
) {
1249 r
->out
.validation
->sam2
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_SamInfo2
);
1250 if (!r
->out
.validation
->sam2
) {
1251 return NT_STATUS_NO_MEMORY
;
1255 r
->out
.validation
->sam3
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_SamInfo3
);
1256 if (!r
->out
.validation
->sam3
) {
1257 return NT_STATUS_NO_MEMORY
;
1261 r
->out
.validation
->sam6
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_SamInfo6
);
1262 if (!r
->out
.validation
->sam6
) {
1263 return NT_STATUS_NO_MEMORY
;
1267 DEBUG(0,("%s: bad validation_level value %d.\n",
1268 fn
, (int)r
->in
.validation_level
));
1269 return NT_STATUS_INVALID_INFO_CLASS
;
1272 switch (r
->in
.logon_level
) {
1273 case NetlogonInteractiveInformation
:
1274 case NetlogonServiceInformation
:
1275 case NetlogonInteractiveTransitiveInformation
:
1276 case NetlogonServiceTransitiveInformation
:
1277 nt_username
= logon
->password
->identity_info
.account_name
.string
?
1278 logon
->password
->identity_info
.account_name
.string
: "";
1279 nt_domain
= logon
->password
->identity_info
.domain_name
.string
?
1280 logon
->password
->identity_info
.domain_name
.string
: "";
1281 nt_workstation
= logon
->password
->identity_info
.workstation
.string
?
1282 logon
->password
->identity_info
.workstation
.string
: "";
1284 DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
1286 case NetlogonNetworkInformation
:
1287 case NetlogonNetworkTransitiveInformation
:
1288 nt_username
= logon
->network
->identity_info
.account_name
.string
?
1289 logon
->network
->identity_info
.account_name
.string
: "";
1290 nt_domain
= logon
->network
->identity_info
.domain_name
.string
?
1291 logon
->network
->identity_info
.domain_name
.string
: "";
1292 nt_workstation
= logon
->network
->identity_info
.workstation
.string
?
1293 logon
->network
->identity_info
.workstation
.string
: "";
1295 DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
1298 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1299 return NT_STATUS_INVALID_INFO_CLASS
;
1302 DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username
, nt_workstation
, nt_domain
));
1303 fstrcpy(current_user_info
.smb_name
, nt_username
);
1304 sub_set_smb_name(nt_username
);
1306 DEBUG(5,("Attempting validation level %d for unmapped username %s.\n",
1307 r
->in
.validation_level
, nt_username
));
1309 status
= NT_STATUS_OK
;
1311 switch (r
->in
.logon_level
) {
1312 case NetlogonNetworkInformation
:
1313 case NetlogonNetworkTransitiveInformation
:
1315 const char *wksname
= nt_workstation
;
1317 status
= make_auth_context_fixed(&auth_context
,
1318 logon
->network
->challenge
);
1319 if (!NT_STATUS_IS_OK(status
)) {
1323 /* For a network logon, the workstation name comes in with two
1324 * backslashes in the front. Strip them if they are there. */
1326 if (*wksname
== '\\') wksname
++;
1327 if (*wksname
== '\\') wksname
++;
1329 /* Standard challenge/response authenticaion */
1330 if (!make_user_info_netlogon_network(&user_info
,
1331 nt_username
, nt_domain
,
1333 logon
->network
->identity_info
.parameter_control
,
1334 logon
->network
->lm
.data
,
1335 logon
->network
->lm
.length
,
1336 logon
->network
->nt
.data
,
1337 logon
->network
->nt
.length
)) {
1338 status
= NT_STATUS_NO_MEMORY
;
1342 case NetlogonInteractiveInformation
:
1343 case NetlogonServiceInformation
:
1344 case NetlogonInteractiveTransitiveInformation
:
1345 case NetlogonServiceTransitiveInformation
:
1347 /* 'Interactive' authentication, supplies the password in its
1348 MD4 form, encrypted with the session key. We will convert
1349 this to challenge/response for the auth subsystem to chew
1354 if (!NT_STATUS_IS_OK(status
= make_auth_context_subsystem(&auth_context
))) {
1358 auth_context
->get_ntlm_challenge(auth_context
, chal
);
1360 if (!make_user_info_netlogon_interactive(&user_info
,
1361 nt_username
, nt_domain
,
1363 logon
->password
->identity_info
.parameter_control
,
1365 logon
->password
->lmpassword
.hash
,
1366 logon
->password
->ntpassword
.hash
,
1367 creds
->session_key
)) {
1368 status
= NT_STATUS_NO_MEMORY
;
1373 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1374 return NT_STATUS_INVALID_INFO_CLASS
;
1377 if ( NT_STATUS_IS_OK(status
) ) {
1378 status
= auth_context
->check_ntlm_password(auth_context
,
1379 user_info
, &server_info
);
1382 TALLOC_FREE(auth_context
);
1383 free_user_info(&user_info
);
1385 DEBUG(5,("%s: check_password returned status %s\n",
1386 fn
, nt_errstr(status
)));
1388 /* Check account and password */
1390 if (!NT_STATUS_IS_OK(status
)) {
1391 /* If we don't know what this domain is, we need to
1392 indicate that we are not authoritative. This
1393 allows the client to decide if it needs to try
1394 a local user. Fix by jpjanosi@us.ibm.com, #2976 */
1395 if ( NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)
1396 && !strequal(nt_domain
, get_global_sam_name())
1397 && !is_trusted_domain(nt_domain
) )
1398 *r
->out
.authoritative
= false; /* We are not authoritative */
1400 TALLOC_FREE(server_info
);
1404 if (server_info
->guest
) {
1405 /* We don't like guest domain logons... */
1406 DEBUG(5,("%s: Attempted domain logon as GUEST "
1408 TALLOC_FREE(server_info
);
1409 return NT_STATUS_LOGON_FAILURE
;
1412 /* This is the point at which, if the login was successful, that
1413 the SAM Local Security Authority should record that the user is
1414 logged in to the domain. */
1416 if (process_creds
) {
1417 /* Get the pipe session key from the creds. */
1418 memcpy(pipe_session_key
, creds
->session_key
, 16);
1420 /* Get the pipe session key from the schannel. */
1421 if ((p
->auth
.auth_type
!= DCERPC_AUTH_TYPE_SCHANNEL
)
1422 || (p
->auth
.a_u
.schannel_auth
== NULL
)) {
1423 return NT_STATUS_INVALID_HANDLE
;
1425 memcpy(pipe_session_key
, p
->auth
.a_u
.schannel_auth
->creds
->session_key
, 16);
1428 switch (r
->in
.validation_level
) {
1430 status
= serverinfo_to_SamInfo2(server_info
, pipe_session_key
, 16,
1431 r
->out
.validation
->sam2
);
1434 status
= serverinfo_to_SamInfo3(server_info
, pipe_session_key
, 16,
1435 r
->out
.validation
->sam3
);
1438 status
= serverinfo_to_SamInfo6(server_info
, pipe_session_key
, 16,
1439 r
->out
.validation
->sam6
);
1443 TALLOC_FREE(server_info
);
1448 /****************************************************************
1449 _netr_LogonSamLogonWithFlags
1450 ****************************************************************/
1452 NTSTATUS
_netr_LogonSamLogonWithFlags(struct pipes_struct
*p
,
1453 struct netr_LogonSamLogonWithFlags
*r
)
1456 struct netlogon_creds_CredentialState
*creds
;
1457 struct netr_LogonSamLogonEx r2
;
1458 struct netr_Authenticator return_authenticator
;
1461 status
= netr_creds_server_step_check(p
, p
->mem_ctx
,
1462 r
->in
.computer_name
,
1464 &return_authenticator
,
1467 if (!NT_STATUS_IS_OK(status
)) {
1471 r2
.in
.server_name
= r
->in
.server_name
;
1472 r2
.in
.computer_name
= r
->in
.computer_name
;
1473 r2
.in
.logon_level
= r
->in
.logon_level
;
1474 r2
.in
.logon
= r
->in
.logon
;
1475 r2
.in
.validation_level
= r
->in
.validation_level
;
1476 r2
.in
.flags
= r
->in
.flags
;
1477 r2
.out
.validation
= r
->out
.validation
;
1478 r2
.out
.authoritative
= r
->out
.authoritative
;
1479 r2
.out
.flags
= r
->out
.flags
;
1481 status
= _netr_LogonSamLogon_base(p
, &r2
, creds
);
1483 *r
->out
.return_authenticator
= return_authenticator
;
1488 /*************************************************************************
1490 *************************************************************************/
1492 NTSTATUS
_netr_LogonSamLogon(struct pipes_struct
*p
,
1493 struct netr_LogonSamLogon
*r
)
1496 struct netr_LogonSamLogonWithFlags r2
;
1499 r2
.in
.server_name
= r
->in
.server_name
;
1500 r2
.in
.computer_name
= r
->in
.computer_name
;
1501 r2
.in
.credential
= r
->in
.credential
;
1502 r2
.in
.logon_level
= r
->in
.logon_level
;
1503 r2
.in
.logon
= r
->in
.logon
;
1504 r2
.in
.validation_level
= r
->in
.validation_level
;
1505 r2
.in
.return_authenticator
= r
->in
.return_authenticator
;
1506 r2
.in
.flags
= &flags
;
1507 r2
.out
.validation
= r
->out
.validation
;
1508 r2
.out
.authoritative
= r
->out
.authoritative
;
1509 r2
.out
.flags
= &flags
;
1510 r2
.out
.return_authenticator
= r
->out
.return_authenticator
;
1512 status
= _netr_LogonSamLogonWithFlags(p
, &r2
);
1517 /*************************************************************************
1518 _netr_LogonSamLogonEx
1519 - no credential chaining. Map into net sam logon.
1520 *************************************************************************/
1522 NTSTATUS
_netr_LogonSamLogonEx(struct pipes_struct
*p
,
1523 struct netr_LogonSamLogonEx
*r
)
1526 struct netlogon_creds_CredentialState
*creds
= NULL
;
1529 status
= schannel_get_creds_state(p
->mem_ctx
, lp_private_dir(),
1530 r
->in
.computer_name
, &creds
);
1532 if (!NT_STATUS_IS_OK(status
)) {
1536 /* Only allow this if the pipe is protected. */
1537 if (p
->auth
.auth_type
!= DCERPC_AUTH_TYPE_SCHANNEL
) {
1538 DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
1539 get_remote_machine_name() ));
1540 return NT_STATUS_INVALID_PARAMETER
;
1543 status
= _netr_LogonSamLogon_base(p
, r
, creds
);
1549 /*************************************************************************
1551 *************************************************************************/
1552 #if 0 /* JERRY -- not correct */
1553 NTSTATUS
_ds_enum_dom_trusts(struct pipes_struct
*p
, DS_Q_ENUM_DOM_TRUSTS
*q_u
,
1554 DS_R_ENUM_DOM_TRUSTS
*r_u
)
1556 NTSTATUS status
= NT_STATUS_OK
;
1558 /* TODO: According to MSDN, the can only be executed against a
1559 DC or domain member running Windows 2000 or later. Need
1560 to test against a standalone 2k server and see what it
1561 does. A windows 2000 DC includes its own domain in the
1569 /****************************************************************
1570 ****************************************************************/
1572 WERROR
_netr_LogonUasLogon(struct pipes_struct
*p
,
1573 struct netr_LogonUasLogon
*r
)
1575 p
->rng_fault_state
= true;
1576 return WERR_NOT_SUPPORTED
;
1579 /****************************************************************
1580 ****************************************************************/
1582 WERROR
_netr_LogonUasLogoff(struct pipes_struct
*p
,
1583 struct netr_LogonUasLogoff
*r
)
1585 p
->rng_fault_state
= true;
1586 return WERR_NOT_SUPPORTED
;
1589 /****************************************************************
1590 ****************************************************************/
1592 NTSTATUS
_netr_DatabaseDeltas(struct pipes_struct
*p
,
1593 struct netr_DatabaseDeltas
*r
)
1595 p
->rng_fault_state
= true;
1596 return NT_STATUS_NOT_IMPLEMENTED
;
1599 /****************************************************************
1600 ****************************************************************/
1602 NTSTATUS
_netr_DatabaseSync(struct pipes_struct
*p
,
1603 struct netr_DatabaseSync
*r
)
1605 p
->rng_fault_state
= true;
1606 return NT_STATUS_NOT_IMPLEMENTED
;
1609 /****************************************************************
1610 ****************************************************************/
1612 NTSTATUS
_netr_AccountDeltas(struct pipes_struct
*p
,
1613 struct netr_AccountDeltas
*r
)
1615 p
->rng_fault_state
= true;
1616 return NT_STATUS_NOT_IMPLEMENTED
;
1619 /****************************************************************
1620 ****************************************************************/
1622 NTSTATUS
_netr_AccountSync(struct pipes_struct
*p
,
1623 struct netr_AccountSync
*r
)
1625 p
->rng_fault_state
= true;
1626 return NT_STATUS_NOT_IMPLEMENTED
;
1629 /****************************************************************
1630 ****************************************************************/
1632 static bool wb_getdcname(TALLOC_CTX
*mem_ctx
,
1634 const char **dcname
,
1639 struct wbcDomainControllerInfo
*dc_info
= NULL
;
1641 result
= wbcLookupDomainController(domain
,
1645 case WBC_ERR_SUCCESS
:
1647 case WBC_ERR_WINBIND_NOT_AVAILABLE
:
1649 case WBC_ERR_DOMAIN_NOT_FOUND
:
1650 *werr
= WERR_NO_SUCH_DOMAIN
;
1653 *werr
= WERR_DOMAIN_CONTROLLER_NOT_FOUND
;
1657 *dcname
= talloc_strdup(mem_ctx
, dc_info
->dc_name
);
1658 wbcFreeMemory(dc_info
);
1669 /****************************************************************
1671 ****************************************************************/
1673 WERROR
_netr_GetDcName(struct pipes_struct
*p
,
1674 struct netr_GetDcName
*r
)
1679 struct netr_DsRGetDCNameInfo
*info
;
1682 ret
= wb_getdcname(p
->mem_ctx
,
1685 WBC_LOOKUP_DC_IS_FLAT_NAME
|
1686 WBC_LOOKUP_DC_RETURN_FLAT_NAME
|
1687 WBC_LOOKUP_DC_PDC_REQUIRED
,
1693 flags
= DS_PDC_REQUIRED
| DS_IS_FLAT_NAME
| DS_RETURN_FLAT_NAME
;
1695 status
= dsgetdcname(p
->mem_ctx
,
1702 if (!NT_STATUS_IS_OK(status
)) {
1703 return ntstatus_to_werror(status
);
1706 *r
->out
.dcname
= talloc_strdup(p
->mem_ctx
, info
->dc_unc
);
1708 if (!*r
->out
.dcname
) {
1715 /****************************************************************
1717 ****************************************************************/
1719 WERROR
_netr_GetAnyDCName(struct pipes_struct
*p
,
1720 struct netr_GetAnyDCName
*r
)
1725 struct netr_DsRGetDCNameInfo
*info
;
1728 ret
= wb_getdcname(p
->mem_ctx
,
1731 WBC_LOOKUP_DC_IS_FLAT_NAME
|
1732 WBC_LOOKUP_DC_RETURN_FLAT_NAME
,
1738 flags
= DS_IS_FLAT_NAME
| DS_RETURN_FLAT_NAME
;
1740 status
= dsgetdcname(p
->mem_ctx
,
1747 if (!NT_STATUS_IS_OK(status
)) {
1748 return ntstatus_to_werror(status
);
1751 *r
->out
.dcname
= talloc_strdup(p
->mem_ctx
, info
->dc_unc
);
1753 if (!*r
->out
.dcname
) {
1760 /****************************************************************
1761 ****************************************************************/
1763 NTSTATUS
_netr_DatabaseSync2(struct pipes_struct
*p
,
1764 struct netr_DatabaseSync2
*r
)
1766 p
->rng_fault_state
= true;
1767 return NT_STATUS_NOT_IMPLEMENTED
;
1770 /****************************************************************
1771 ****************************************************************/
1773 NTSTATUS
_netr_DatabaseRedo(struct pipes_struct
*p
,
1774 struct netr_DatabaseRedo
*r
)
1776 p
->rng_fault_state
= true;
1777 return NT_STATUS_NOT_IMPLEMENTED
;
1780 /****************************************************************
1781 ****************************************************************/
1783 WERROR
_netr_DsRGetDCName(struct pipes_struct
*p
,
1784 struct netr_DsRGetDCName
*r
)
1786 p
->rng_fault_state
= true;
1787 return WERR_NOT_SUPPORTED
;
1790 /****************************************************************
1791 ****************************************************************/
1793 NTSTATUS
_netr_LogonGetCapabilities(struct pipes_struct
*p
,
1794 struct netr_LogonGetCapabilities
*r
)
1796 return NT_STATUS_NOT_IMPLEMENTED
;
1799 /****************************************************************
1800 ****************************************************************/
1802 WERROR
_netr_NETRLOGONSETSERVICEBITS(struct pipes_struct
*p
,
1803 struct netr_NETRLOGONSETSERVICEBITS
*r
)
1805 p
->rng_fault_state
= true;
1806 return WERR_NOT_SUPPORTED
;
1809 /****************************************************************
1810 ****************************************************************/
1812 WERROR
_netr_LogonGetTrustRid(struct pipes_struct
*p
,
1813 struct netr_LogonGetTrustRid
*r
)
1815 p
->rng_fault_state
= true;
1816 return WERR_NOT_SUPPORTED
;
1819 /****************************************************************
1820 ****************************************************************/
1822 WERROR
_netr_NETRLOGONCOMPUTESERVERDIGEST(struct pipes_struct
*p
,
1823 struct netr_NETRLOGONCOMPUTESERVERDIGEST
*r
)
1825 p
->rng_fault_state
= true;
1826 return WERR_NOT_SUPPORTED
;
1829 /****************************************************************
1830 ****************************************************************/
1832 WERROR
_netr_NETRLOGONCOMPUTECLIENTDIGEST(struct pipes_struct
*p
,
1833 struct netr_NETRLOGONCOMPUTECLIENTDIGEST
*r
)
1835 p
->rng_fault_state
= true;
1836 return WERR_NOT_SUPPORTED
;
1839 /****************************************************************
1840 ****************************************************************/
1842 WERROR
_netr_DsRGetDCNameEx(struct pipes_struct
*p
,
1843 struct netr_DsRGetDCNameEx
*r
)
1845 p
->rng_fault_state
= true;
1846 return WERR_NOT_SUPPORTED
;
1849 /****************************************************************
1850 ****************************************************************/
1852 WERROR
_netr_DsRGetSiteName(struct pipes_struct
*p
,
1853 struct netr_DsRGetSiteName
*r
)
1855 p
->rng_fault_state
= true;
1856 return WERR_NOT_SUPPORTED
;
1859 /****************************************************************
1860 ****************************************************************/
1862 NTSTATUS
_netr_LogonGetDomainInfo(struct pipes_struct
*p
,
1863 struct netr_LogonGetDomainInfo
*r
)
1865 p
->rng_fault_state
= true;
1866 return NT_STATUS_NOT_IMPLEMENTED
;
1869 /****************************************************************
1870 ****************************************************************/
1872 WERROR
_netr_ServerPasswordGet(struct pipes_struct
*p
,
1873 struct netr_ServerPasswordGet
*r
)
1875 p
->rng_fault_state
= true;
1876 return WERR_NOT_SUPPORTED
;
1879 /****************************************************************
1880 ****************************************************************/
1882 WERROR
_netr_NETRLOGONSENDTOSAM(struct pipes_struct
*p
,
1883 struct netr_NETRLOGONSENDTOSAM
*r
)
1885 p
->rng_fault_state
= true;
1886 return WERR_NOT_SUPPORTED
;
1889 /****************************************************************
1890 ****************************************************************/
1892 WERROR
_netr_DsRAddressToSitenamesW(struct pipes_struct
*p
,
1893 struct netr_DsRAddressToSitenamesW
*r
)
1895 p
->rng_fault_state
= true;
1896 return WERR_NOT_SUPPORTED
;
1899 /****************************************************************
1900 ****************************************************************/
1902 WERROR
_netr_DsRGetDCNameEx2(struct pipes_struct
*p
,
1903 struct netr_DsRGetDCNameEx2
*r
)
1905 p
->rng_fault_state
= true;
1906 return WERR_NOT_SUPPORTED
;
1909 /****************************************************************
1910 ****************************************************************/
1912 WERROR
_netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct pipes_struct
*p
,
1913 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN
*r
)
1915 p
->rng_fault_state
= true;
1916 return WERR_NOT_SUPPORTED
;
1919 /****************************************************************
1920 ****************************************************************/
1922 WERROR
_netr_NetrEnumerateTrustedDomainsEx(struct pipes_struct
*p
,
1923 struct netr_NetrEnumerateTrustedDomainsEx
*r
)
1925 p
->rng_fault_state
= true;
1926 return WERR_NOT_SUPPORTED
;
1929 /****************************************************************
1930 ****************************************************************/
1932 WERROR
_netr_DsRAddressToSitenamesExW(struct pipes_struct
*p
,
1933 struct netr_DsRAddressToSitenamesExW
*r
)
1935 p
->rng_fault_state
= true;
1936 return WERR_NOT_SUPPORTED
;
1939 /****************************************************************
1940 ****************************************************************/
1942 WERROR
_netr_DsrGetDcSiteCoverageW(struct pipes_struct
*p
,
1943 struct netr_DsrGetDcSiteCoverageW
*r
)
1945 p
->rng_fault_state
= true;
1946 return WERR_NOT_SUPPORTED
;
1949 /****************************************************************
1950 ****************************************************************/
1952 WERROR
_netr_DsrEnumerateDomainTrusts(struct pipes_struct
*p
,
1953 struct netr_DsrEnumerateDomainTrusts
*r
)
1955 p
->rng_fault_state
= true;
1956 return WERR_NOT_SUPPORTED
;
1959 /****************************************************************
1960 ****************************************************************/
1962 WERROR
_netr_DsrDeregisterDNSHostRecords(struct pipes_struct
*p
,
1963 struct netr_DsrDeregisterDNSHostRecords
*r
)
1965 p
->rng_fault_state
= true;
1966 return WERR_NOT_SUPPORTED
;
1969 /****************************************************************
1970 ****************************************************************/
1972 NTSTATUS
_netr_ServerTrustPasswordsGet(struct pipes_struct
*p
,
1973 struct netr_ServerTrustPasswordsGet
*r
)
1975 p
->rng_fault_state
= true;
1976 return NT_STATUS_NOT_IMPLEMENTED
;
1979 /****************************************************************
1980 ****************************************************************/
1982 WERROR
_netr_DsRGetForestTrustInformation(struct pipes_struct
*p
,
1983 struct netr_DsRGetForestTrustInformation
*r
)
1985 p
->rng_fault_state
= true;
1986 return WERR_NOT_SUPPORTED
;
1989 /****************************************************************
1990 ****************************************************************/
1992 NTSTATUS
_netr_GetForestTrustInformation(struct pipes_struct
*p
,
1993 struct netr_GetForestTrustInformation
*r
)
1995 p
->rng_fault_state
= true;
1996 return NT_STATUS_NOT_IMPLEMENTED
;
1999 /****************************************************************
2000 ****************************************************************/
2002 NTSTATUS
_netr_ServerGetTrustInfo(struct pipes_struct
*p
,
2003 struct netr_ServerGetTrustInfo
*r
)
2005 p
->rng_fault_state
= true;
2006 return NT_STATUS_NOT_IMPLEMENTED
;