search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: Remove some references to smbd_messaging_context()
[Samba/gebeck_regimport.git] / source3 / rpc_server / srv_netlog_nt.c
blob300d2d4bf6f0f5c1b2897a809824c4cada0416a4
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997.
7 * Copyright (C) Jeremy Allison 1998-2001.
8 * Copyright (C) Andrew Bartlett 2001.
9 * Copyright (C) Guenther Deschner 2008-2009.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 */
24
25 /* This is the implementation of the netlogon pipe. */
26
27 #include "includes.h"
28 #include "../libcli/auth/schannel.h"
29 #include "../librpc/gen_ndr/srv_netlogon.h"
30 #include "../librpc/gen_ndr/srv_samr.h"
31 #include "../librpc/gen_ndr/srv_lsa.h"
32 #include "../librpc/gen_ndr/cli_samr.h"
33 #include "../librpc/gen_ndr/cli_lsa.h"
34 #include "rpc_client/cli_lsarpc.h"
35 #include "librpc/gen_ndr/messaging.h"
36 #include "../lib/crypto/md4.h"
37
38 extern userdom_struct current_user_info;
39
40 #undef DBGC_CLASS
41 #define DBGC_CLASS DBGC_RPC_SRV
42
43 struct netlogon_server_pipe_state {
44 struct netr_Credential client_challenge;
45 struct netr_Credential server_challenge;
46 };
47
48 /*************************************************************************
49 _netr_LogonControl
50 *************************************************************************/
51
52 WERROR _netr_LogonControl(struct pipes_struct *p,
53 struct netr_LogonControl *r)
54 {
55 struct netr_LogonControl2Ex l;
56
57 switch (r->in.level) {
58 case 1:
59 break;
60 case 2:
61 return WERR_NOT_SUPPORTED;
62 default:
63 return WERR_UNKNOWN_LEVEL;
64 }
65
66 l.in.logon_server = r->in.logon_server;
67 l.in.function_code = r->in.function_code;
68 l.in.level = r->in.level;
69 l.in.data = NULL;
70 l.out.query = r->out.query;
71
72 return _netr_LogonControl2Ex(p, &l);
73 }
74
75 /****************************************************************************
76 Send a message to smbd to do a sam synchronisation
77 **************************************************************************/
78
79 static void send_sync_message(struct messaging_context *msg_ctx)
80 {
81 DEBUG(3, ("sending sam synchronisation message\n"));
82 message_send_all(msg_ctx, MSG_SMB_SAM_SYNC, NULL, 0, NULL);
83 }
84
85 /*************************************************************************
86 _netr_LogonControl2
87 *************************************************************************/
88
89 WERROR _netr_LogonControl2(struct pipes_struct *p,
90 struct netr_LogonControl2 *r)
91 {
92 struct netr_LogonControl2Ex l;
93
94 l.in.logon_server = r->in.logon_server;
95 l.in.function_code = r->in.function_code;
96 l.in.level = r->in.level;
97 l.in.data = r->in.data;
98 l.out.query = r->out.query;
99
100 return _netr_LogonControl2Ex(p, &l);
101 }
102
103 /*************************************************************************
104 *************************************************************************/
105
106 static bool wb_change_trust_creds(const char *domain, WERROR *tc_status)
107 {
108 wbcErr result;
109 struct wbcAuthErrorInfo *error = NULL;
110
111 result = wbcChangeTrustCredentials(domain, &error);
112 switch (result) {
113 case WBC_ERR_WINBIND_NOT_AVAILABLE:
114 return false;
115 case WBC_ERR_DOMAIN_NOT_FOUND:
116 *tc_status = WERR_NO_SUCH_DOMAIN;
117 return true;
118 case WBC_ERR_SUCCESS:
119 *tc_status = WERR_OK;
120 return true;
121 default:
122 break;
123 }
124
125 if (error && error->nt_status != 0) {
126 *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
127 } else {
128 *tc_status = WERR_TRUST_FAILURE;
129 }
130 wbcFreeMemory(error);
131 return true;
132 }
133
134 /*************************************************************************
135 *************************************************************************/
136
137 static bool wb_check_trust_creds(const char *domain, WERROR *tc_status)
138 {
139 wbcErr result;
140 struct wbcAuthErrorInfo *error = NULL;
141
142 result = wbcCheckTrustCredentials(domain, &error);
143 switch (result) {
144 case WBC_ERR_WINBIND_NOT_AVAILABLE:
145 return false;
146 case WBC_ERR_DOMAIN_NOT_FOUND:
147 *tc_status = WERR_NO_SUCH_DOMAIN;
148 return true;
149 case WBC_ERR_SUCCESS:
150 *tc_status = WERR_OK;
151 return true;
152 default:
153 break;
154 }
155
156 if (error && error->nt_status != 0) {
157 *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
158 } else {
159 *tc_status = WERR_TRUST_FAILURE;
160 }
161 wbcFreeMemory(error);
162 return true;
163 }
164
165 /****************************************************************
166 _netr_LogonControl2Ex
167 ****************************************************************/
168
169 WERROR _netr_LogonControl2Ex(struct pipes_struct *p,
170 struct netr_LogonControl2Ex *r)
171 {
172 uint32_t flags = 0x0;
173 WERROR pdc_connection_status = WERR_OK;
174 uint32_t logon_attempts = 0x0;
175 WERROR tc_status;
176 fstring dc_name2;
177 const char *dc_name = NULL;
178 struct sockaddr_storage dc_ss;
179 const char *domain = NULL;
180 struct netr_NETLOGON_INFO_1 *info1;
181 struct netr_NETLOGON_INFO_2 *info2;
182 struct netr_NETLOGON_INFO_3 *info3;
183 struct netr_NETLOGON_INFO_4 *info4;
184 const char *fn;
185 uint32_t acct_ctrl;
186
187 switch (p->opnum) {
188 case NDR_NETR_LOGONCONTROL:
189 fn = "_netr_LogonControl";
190 break;
191 case NDR_NETR_LOGONCONTROL2:
192 fn = "_netr_LogonControl2";
193 break;
194 case NDR_NETR_LOGONCONTROL2EX:
195 fn = "_netr_LogonControl2Ex";
196 break;
197 default:
198 return WERR_INVALID_PARAM;
199 }
200
201 acct_ctrl = p->server_info->info3->base.acct_flags;
202
203 switch (r->in.function_code) {
204 case NETLOGON_CONTROL_TC_VERIFY:
205 case NETLOGON_CONTROL_CHANGE_PASSWORD:
206 case NETLOGON_CONTROL_REDISCOVER:
207 if ((geteuid() != sec_initial_uid()) &&
208 !nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_RID_ADMINS) &&
209 !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok) &&
210 !(acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST))) {
211 return WERR_ACCESS_DENIED;
212 }
213 break;
214 default:
215 break;
216 }
217
218 tc_status = WERR_NO_SUCH_DOMAIN;
219
220 switch (r->in.function_code) {
221 case NETLOGON_CONTROL_QUERY:
222 tc_status = WERR_OK;
223 break;
224 case NETLOGON_CONTROL_REPLICATE:
225 case NETLOGON_CONTROL_SYNCHRONIZE:
226 case NETLOGON_CONTROL_PDC_REPLICATE:
227 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
228 case NETLOGON_CONTROL_BREAKPOINT:
229 if (acct_ctrl & ACB_NORMAL) {
230 return WERR_NOT_SUPPORTED;
231 } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
232 return WERR_ACCESS_DENIED;
233 } else {
234 return WERR_ACCESS_DENIED;
235 }
236 case NETLOGON_CONTROL_TRUNCATE_LOG:
237 if (acct_ctrl & ACB_NORMAL) {
238 break;
239 } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
240 return WERR_ACCESS_DENIED;
241 } else {
242 return WERR_ACCESS_DENIED;
243 }
244
245 case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
246 case NETLOGON_CONTROL_FORCE_DNS_REG:
247 case NETLOGON_CONTROL_QUERY_DNS_REG:
248 return WERR_NOT_SUPPORTED;
249 case NETLOGON_CONTROL_FIND_USER:
250 if (!r->in.data || !r->in.data->user) {
251 return WERR_NOT_SUPPORTED;
252 }
253 break;
254 case NETLOGON_CONTROL_SET_DBFLAG:
255 if (!r->in.data) {
256 return WERR_NOT_SUPPORTED;
257 }
258 break;
259 case NETLOGON_CONTROL_TC_VERIFY:
260 if (!r->in.data || !r->in.data->domain) {
261 return WERR_NOT_SUPPORTED;
262 }
263
264 if (!wb_check_trust_creds(r->in.data->domain, &tc_status)) {
265 return WERR_NOT_SUPPORTED;
266 }
267 break;
268 case NETLOGON_CONTROL_TC_QUERY:
269 if (!r->in.data || !r->in.data->domain) {
270 return WERR_NOT_SUPPORTED;
271 }
272
273 domain = r->in.data->domain;
274
275 if (!is_trusted_domain(domain)) {
276 break;
277 }
278
279 if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
280 tc_status = WERR_NO_LOGON_SERVERS;
281 break;
282 }
283
284 dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
285 if (!dc_name) {
286 return WERR_NOMEM;
287 }
288
289 tc_status = WERR_OK;
290
291 break;
292
293 case NETLOGON_CONTROL_REDISCOVER:
294 if (!r->in.data || !r->in.data->domain) {
295 return WERR_NOT_SUPPORTED;
296 }
297
298 domain = r->in.data->domain;
299
300 if (!is_trusted_domain(domain)) {
301 break;
302 }
303
304 if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
305 tc_status = WERR_NO_LOGON_SERVERS;
306 break;
307 }
308
309 dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
310 if (!dc_name) {
311 return WERR_NOMEM;
312 }
313
314 tc_status = WERR_OK;
315
316 break;
317
318 case NETLOGON_CONTROL_CHANGE_PASSWORD:
319 if (!r->in.data || !r->in.data->domain) {
320 return WERR_NOT_SUPPORTED;
321 }
322
323 if (!wb_change_trust_creds(r->in.data->domain, &tc_status)) {
324 return WERR_NOT_SUPPORTED;
325 }
326 break;
327
328 default:
329 /* no idea what this should be */
330 DEBUG(0,("%s: unimplemented function level [%d]\n",
331 fn, r->in.function_code));
332 return WERR_UNKNOWN_LEVEL;
333 }
334
335 /* prepare the response */
336
337 switch (r->in.level) {
338 case 1:
339 info1 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_1);
340 W_ERROR_HAVE_NO_MEMORY(info1);
341
342 info1->flags = flags;
343 info1->pdc_connection_status = pdc_connection_status;
344
345 r->out.query->info1 = info1;
346 break;
347 case 2:
348 info2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_2);
349 W_ERROR_HAVE_NO_MEMORY(info2);
350
351 info2->flags = flags;
352 info2->pdc_connection_status = pdc_connection_status;
353 info2->trusted_dc_name = dc_name;
354 info2->tc_connection_status = tc_status;
355
356 r->out.query->info2 = info2;
357 break;
358 case 3:
359 info3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_3);
360 W_ERROR_HAVE_NO_MEMORY(info3);
361
362 info3->flags = flags;
363 info3->logon_attempts = logon_attempts;
364
365 r->out.query->info3 = info3;
366 break;
367 case 4:
368 info4 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_4);
369 W_ERROR_HAVE_NO_MEMORY(info4);
370
371 info4->trusted_dc_name = dc_name;
372 info4->trusted_domain_name = r->in.data->domain;
373
374 r->out.query->info4 = info4;
375 break;
376 default:
377 return WERR_UNKNOWN_LEVEL;
378 }
379
380 if (lp_server_role() == ROLE_DOMAIN_BDC) {
381 send_sync_message(p->msg_ctx);
382 }
383
384 return WERR_OK;
385 }
386
387 /*************************************************************************
388 _netr_NetrEnumerateTrustedDomains
389 *************************************************************************/
390
391 NTSTATUS _netr_NetrEnumerateTrustedDomains(struct pipes_struct *p,
392 struct netr_NetrEnumerateTrustedDomains *r)
393 {
394 NTSTATUS status;
395 DATA_BLOB blob;
396 int num_domains = 0;
397 const char **trusted_domains = NULL;
398 struct lsa_DomainList domain_list;
399 struct rpc_pipe_client *cli = NULL;
400 struct policy_handle pol;
401 uint32_t enum_ctx = 0;
402 int i;
403 uint32_t max_size = (uint32_t)-1;
404
405 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
406
407 status = rpc_pipe_open_internal(p->mem_ctx, &ndr_table_lsarpc.syntax_id,
408 p->server_info,
409 &cli);
410 if (!NT_STATUS_IS_OK(status)) {
411 return status;
412 }
413
414 status = rpccli_lsa_open_policy2(cli, p->mem_ctx,
415 true,
416 LSA_POLICY_VIEW_LOCAL_INFORMATION,
417 &pol);
418 if (!NT_STATUS_IS_OK(status)) {
419 goto out;
420 }
421
422 do {
423 /* Lookup list of trusted domains */
424
425 status = rpccli_lsa_EnumTrustDom(cli, p->mem_ctx,
426 &pol,
427 &enum_ctx,
428 &domain_list,
429 max_size);
430 if (!NT_STATUS_IS_OK(status) &&
431 !NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES) &&
432 !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
433 goto out;
434 }
435
436 for (i = 0; i < domain_list.count; i++) {
437 if (!add_string_to_array(p->mem_ctx, domain_list.domains[i].name.string,
438 &trusted_domains, &num_domains)) {
439 status = NT_STATUS_NO_MEMORY;
440 goto out;
441 }
442 }
443 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
444
445 if (num_domains > 0) {
446 /* multi sz terminate */
447 trusted_domains = talloc_realloc(p->mem_ctx, trusted_domains, const char *, num_domains + 1);
448 if (trusted_domains == NULL) {
449 status = NT_STATUS_NO_MEMORY;
450 goto out;
451 }
452
453 trusted_domains[num_domains] = NULL;
454 }
455
456 if (!push_reg_multi_sz(trusted_domains, &blob, trusted_domains)) {
457 TALLOC_FREE(trusted_domains);
458 status = NT_STATUS_NO_MEMORY;
459 goto out;
460 }
461
462 r->out.trusted_domains_blob->data = blob.data;
463 r->out.trusted_domains_blob->length = blob.length;
464
465 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
466
467 status = NT_STATUS_OK;
468
469 out:
470 if (cli && is_valid_policy_hnd(&pol)) {
471 rpccli_lsa_Close(cli, p->mem_ctx, &pol);
472 }
473
474 return status;
475 }
476
477 /*************************************************************************
478 *************************************************************************/
479
480 static NTSTATUS samr_find_machine_account(TALLOC_CTX *mem_ctx,
481 struct rpc_pipe_client *cli,
482 const char *account_name,
483 uint32_t access_mask,
484 struct dom_sid2 **domain_sid_p,
485 uint32_t *user_rid_p,
486 struct policy_handle *user_handle)
487 {
488 NTSTATUS status;
489 struct policy_handle connect_handle, domain_handle;
490 struct lsa_String domain_name;
491 struct dom_sid2 *domain_sid;
492 struct lsa_String names;
493 struct samr_Ids rids;
494 struct samr_Ids types;
495 uint32_t rid;
496
497 status = rpccli_samr_Connect2(cli, mem_ctx,
498 global_myname(),
499 SAMR_ACCESS_CONNECT_TO_SERVER |
500 SAMR_ACCESS_ENUM_DOMAINS |
501 SAMR_ACCESS_LOOKUP_DOMAIN,
502 &connect_handle);
503 if (!NT_STATUS_IS_OK(status)) {
504 goto out;
505 }
506
507 init_lsa_String(&domain_name, get_global_sam_name());
508
509 status = rpccli_samr_LookupDomain(cli, mem_ctx,
510 &connect_handle,
511 &domain_name,
512 &domain_sid);
513 if (!NT_STATUS_IS_OK(status)) {
514 goto out;
515 }
516
517 status = rpccli_samr_OpenDomain(cli, mem_ctx,
518 &connect_handle,
519 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
520 domain_sid,
521 &domain_handle);
522 if (!NT_STATUS_IS_OK(status)) {
523 goto out;
524 }
525
526 init_lsa_String(&names, account_name);
527
528 status = rpccli_samr_LookupNames(cli, mem_ctx,
529 &domain_handle,
530 1,
531 &names,
532 &rids,
533 &types);
534 if (!NT_STATUS_IS_OK(status)) {
535 goto out;
536 }
537
538 if (rids.count != 1) {
539 status = NT_STATUS_NO_SUCH_USER;
540 goto out;
541 }
542 if (rids.count != types.count) {
543 status = NT_STATUS_INVALID_PARAMETER;
544 goto out;
545 }
546 if (types.ids[0] != SID_NAME_USER) {
547 status = NT_STATUS_NO_SUCH_USER;
548 goto out;
549 }
550
551 rid = rids.ids[0];
552
553 status = rpccli_samr_OpenUser(cli, mem_ctx,
554 &domain_handle,
555 access_mask,
556 rid,
557 user_handle);
558 if (!NT_STATUS_IS_OK(status)) {
559 goto out;
560 }
561
562 if (user_rid_p) {
563 *user_rid_p = rid;
564 }
565
566 if (domain_sid_p) {
567 *domain_sid_p = domain_sid;
568 }
569
570 out:
571 if (cli && is_valid_policy_hnd(&domain_handle)) {
572 rpccli_samr_Close(cli, mem_ctx, &domain_handle);
573 }
574 if (cli && is_valid_policy_hnd(&connect_handle)) {
575 rpccli_samr_Close(cli, mem_ctx, &connect_handle);
576 }
577
578 return status;
579 }
580
581 /******************************************************************
582 gets a machine password entry. checks access rights of the host.
583 ******************************************************************/
584
585 static NTSTATUS get_md4pw(struct samr_Password *md4pw, const char *mach_acct,
586 enum netr_SchannelType sec_chan_type, struct dom_sid *sid)
587 {
588 NTSTATUS status;
589 TALLOC_CTX *mem_ctx;
590 struct rpc_pipe_client *cli = NULL;
591 struct policy_handle user_handle;
592 uint32_t user_rid;
593 struct dom_sid *domain_sid;
594 uint32_t acct_ctrl;
595 union samr_UserInfo *info;
596 struct auth_serversupplied_info *server_info;
597 #if 0
598 char addr[INET6_ADDRSTRLEN];
599
600 /*
601 * Currently this code is redundent as we already have a filter
602 * by hostname list. What this code really needs to do is to
603 * get a hosts allowed/hosts denied list from the SAM database
604 * on a per user basis, and make the access decision there.
605 * I will leave this code here for now as a reminder to implement
606 * this at a later date. JRA.
607 */
608
609 if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
610 client_name(get_client_fd()),
611 client_addr(get_client_fd(),addr,sizeof(addr)))) {
612 DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct));
613 return False;
614 }
615 #endif /* 0 */
616
617 mem_ctx = talloc_new(talloc_tos());
618 if (mem_ctx == NULL) {
619 status = NT_STATUS_NO_MEMORY;
620 goto out;
621 }
622
623 status = make_server_info_system(mem_ctx, &server_info);
624 if (!NT_STATUS_IS_OK(status)) {
625 goto out;
626 }
627
628 ZERO_STRUCT(user_handle);
629
630 status = rpc_pipe_open_internal(mem_ctx, &ndr_table_samr.syntax_id,
631 server_info,
632 &cli);
633 if (!NT_STATUS_IS_OK(status)) {
634 goto out;
635 }
636
637 become_root();
638 status = samr_find_machine_account(mem_ctx, cli, mach_acct,
639 SEC_FLAG_MAXIMUM_ALLOWED,
640 &domain_sid, &user_rid,
641 &user_handle);
642 unbecome_root();
643 if (!NT_STATUS_IS_OK(status)) {
644 goto out;
645 }
646
647 status = rpccli_samr_QueryUserInfo2(cli, mem_ctx,
648 &user_handle,
649 UserControlInformation,
650 &info);
651 if (!NT_STATUS_IS_OK(status)) {
652 goto out;
653 }
654
655 acct_ctrl = info->info16.acct_flags;
656
657 if (acct_ctrl & ACB_DISABLED) {
658 DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct));
659 status = NT_STATUS_ACCOUNT_DISABLED;
660 goto out;
661 }
662
663 if (!(acct_ctrl & ACB_SVRTRUST) &&
664 !(acct_ctrl & ACB_WSTRUST) &&
665 !(acct_ctrl & ACB_DOMTRUST))
666 {
667 DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct));
668 status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
669 goto out;
670 }
671
672 switch (sec_chan_type) {
673 case SEC_CHAN_BDC:
674 if (!(acct_ctrl & ACB_SVRTRUST)) {
675 DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
676 "but not a server trust account\n", mach_acct));
677 status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
678 goto out;
679 }
680 break;
681 case SEC_CHAN_WKSTA:
682 if (!(acct_ctrl & ACB_WSTRUST)) {
683 DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
684 "but not a workstation trust account\n", mach_acct));
685 status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
686 goto out;
687 }
688 break;
689 case SEC_CHAN_DOMAIN:
690 if (!(acct_ctrl & ACB_DOMTRUST)) {
691 DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
692 "but not a interdomain trust account\n", mach_acct));
693 status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
694 goto out;
695 }
696 break;
697 default:
698 break;
699 }
700
701 become_root();
702 status = rpccli_samr_QueryUserInfo2(cli, mem_ctx,
703 &user_handle,
704 UserInternal1Information,
705 &info);
706 unbecome_root();
707 if (!NT_STATUS_IS_OK(status)) {
708 goto out;
709 }
710 if (info->info18.nt_pwd_active == 0) {
711 DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct));
712 status = NT_STATUS_LOGON_FAILURE;
713 goto out;
714 }
715
716 /* samr gives out nthash unencrypted (!) */
717 memcpy(md4pw->hash, info->info18.nt_pwd.hash, 16);
718
719 sid_compose(sid, domain_sid, user_rid);
720
721 out:
722 if (cli && is_valid_policy_hnd(&user_handle)) {
723 rpccli_samr_Close(cli, mem_ctx, &user_handle);
724 }
725
726 talloc_free(mem_ctx);
727
728 return status;
729 }
730
731 /*************************************************************************
732 _netr_ServerReqChallenge
733 *************************************************************************/
734
735 NTSTATUS _netr_ServerReqChallenge(struct pipes_struct *p,
736 struct netr_ServerReqChallenge *r)
737 {
738 struct netlogon_server_pipe_state *pipe_state =
739 talloc_get_type(p->private_data, struct netlogon_server_pipe_state);
740
741 if (pipe_state) {
742 DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));
743 talloc_free(pipe_state);
744 p->private_data = NULL;
745 }
746
747 pipe_state = talloc(p, struct netlogon_server_pipe_state);
748 NT_STATUS_HAVE_NO_MEMORY(pipe_state);
749
750 pipe_state->client_challenge = *r->in.credentials;
751
752 generate_random_buffer(pipe_state->server_challenge.data,
753 sizeof(pipe_state->server_challenge.data));
754
755 *r->out.return_credentials = pipe_state->server_challenge;
756
757 p->private_data = pipe_state;
758
759 return NT_STATUS_OK;
760 }
761
762 /*************************************************************************
763 _netr_ServerAuthenticate
764 Create the initial credentials.
765 *************************************************************************/
766
767 NTSTATUS _netr_ServerAuthenticate(struct pipes_struct *p,
768 struct netr_ServerAuthenticate *r)
769 {
770 struct netr_ServerAuthenticate3 a;
771 uint32_t negotiate_flags = 0;
772 uint32_t rid;
773
774 a.in.server_name = r->in.server_name;
775 a.in.account_name = r->in.account_name;
776 a.in.secure_channel_type = r->in.secure_channel_type;
777 a.in.computer_name = r->in.computer_name;
778 a.in.credentials = r->in.credentials;
779 a.in.negotiate_flags = &negotiate_flags;
780
781 a.out.return_credentials = r->out.return_credentials;
782 a.out.rid = &rid;
783 a.out.negotiate_flags = &negotiate_flags;
784
785 return _netr_ServerAuthenticate3(p, &a);
786
787 }
788
789 /*************************************************************************
790 _netr_ServerAuthenticate3
791 *************************************************************************/
792
793 NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
794 struct netr_ServerAuthenticate3 *r)
795 {
796 NTSTATUS status;
797 uint32_t srv_flgs;
798 /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
799 * so use a copy to avoid destroying the client values. */
800 uint32_t in_neg_flags = *r->in.negotiate_flags;
801 const char *fn;
802 struct dom_sid sid;
803 struct samr_Password mach_pwd;
804 struct netlogon_creds_CredentialState *creds;
805 struct netlogon_server_pipe_state *pipe_state =
806 talloc_get_type(p->private_data, struct netlogon_server_pipe_state);
807
808 /* According to Microsoft (see bugid #6099)
809 * Windows 7 looks at the negotiate_flags
810 * returned in this structure *even if the
811 * call fails with access denied* ! So in order
812 * to allow Win7 to connect to a Samba NT style
813 * PDC we set the flags before we know if it's
814 * an error or not.
815 */
816
817 /* 0x000001ff */
818 srv_flgs = NETLOGON_NEG_ACCOUNT_LOCKOUT |
819 NETLOGON_NEG_PERSISTENT_SAMREPL |
820 NETLOGON_NEG_ARCFOUR |
821 NETLOGON_NEG_PROMOTION_COUNT |
822 NETLOGON_NEG_CHANGELOG_BDC |
823 NETLOGON_NEG_FULL_SYNC_REPL |
824 NETLOGON_NEG_MULTIPLE_SIDS |
825 NETLOGON_NEG_REDO |
826 NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
827 NETLOGON_NEG_PASSWORD_SET2;
828
829 /* Ensure we support strong (128-bit) keys. */
830 if (in_neg_flags & NETLOGON_NEG_STRONG_KEYS) {
831 srv_flgs |= NETLOGON_NEG_STRONG_KEYS;
832 }
833
834 if (lp_server_schannel() != false) {
835 srv_flgs |= NETLOGON_NEG_SCHANNEL;
836 }
837
838 switch (p->opnum) {
839 case NDR_NETR_SERVERAUTHENTICATE:
840 fn = "_netr_ServerAuthenticate";
841 break;
842 case NDR_NETR_SERVERAUTHENTICATE2:
843 fn = "_netr_ServerAuthenticate2";
844 break;
845 case NDR_NETR_SERVERAUTHENTICATE3:
846 fn = "_netr_ServerAuthenticate3";
847 break;
848 default:
849 return NT_STATUS_INTERNAL_ERROR;
850 }
851
852 /* We use this as the key to store the creds: */
853 /* r->in.computer_name */
854
855 if (!pipe_state) {
856 DEBUG(0,("%s: no challenge sent to client %s\n", fn,
857 r->in.computer_name));
858 status = NT_STATUS_ACCESS_DENIED;
859 goto out;
860 }
861
862 if ( (lp_server_schannel() == true) &&
863 ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
864
865 /* schannel must be used, but client did not offer it. */
866 DEBUG(0,("%s: schannel required but client failed "
867 "to offer it. Client was %s\n",
868 fn, r->in.account_name));
869 status = NT_STATUS_ACCESS_DENIED;
870 goto out;
871 }
872
873 status = get_md4pw(&mach_pwd,
874 r->in.account_name,
875 r->in.secure_channel_type,
876 &sid);
877 if (!NT_STATUS_IS_OK(status)) {
878 DEBUG(0,("%s: failed to get machine password for "
879 "account %s: %s\n",
880 fn, r->in.account_name, nt_errstr(status) ));
881 /* always return NT_STATUS_ACCESS_DENIED */
882 status = NT_STATUS_ACCESS_DENIED;
883 goto out;
884 }
885
886 /* From the client / server challenges and md4 password, generate sess key */
887 /* Check client credentials are valid. */
888 creds = netlogon_creds_server_init(p->mem_ctx,
889 r->in.account_name,
890 r->in.computer_name,
891 r->in.secure_channel_type,
892 &pipe_state->client_challenge,
893 &pipe_state->server_challenge,
894 &mach_pwd,
895 r->in.credentials,
896 r->out.return_credentials,
897 *r->in.negotiate_flags);
898 if (!creds) {
899 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
900 "request from client %s machine account %s\n",
901 fn, r->in.computer_name,
902 r->in.account_name));
903 status = NT_STATUS_ACCESS_DENIED;
904 goto out;
905 }
906
907 creds->sid = sid_dup_talloc(creds, &sid);
908 if (!creds->sid) {
909 status = NT_STATUS_NO_MEMORY;
910 goto out;
911 }
912
913 /* Store off the state so we can continue after client disconnect. */
914 become_root();
915 status = schannel_save_creds_state(p->mem_ctx, lp_private_dir(), creds);
916 unbecome_root();
917
918 if (!NT_STATUS_IS_OK(status)) {
919 goto out;
920 }
921
922 sid_peek_rid(&sid, r->out.rid);
923
924 status = NT_STATUS_OK;
925
926 out:
927
928 *r->out.negotiate_flags = srv_flgs;
929 return status;
930 }
931
932 /*************************************************************************
933 _netr_ServerAuthenticate2
934 *************************************************************************/
935
936 NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p,
937 struct netr_ServerAuthenticate2 *r)
938 {
939 struct netr_ServerAuthenticate3 a;
940 uint32_t rid;
941
942 a.in.server_name = r->in.server_name;
943 a.in.account_name = r->in.account_name;
944 a.in.secure_channel_type = r->in.secure_channel_type;
945 a.in.computer_name = r->in.computer_name;
946 a.in.credentials = r->in.credentials;
947 a.in.negotiate_flags = r->in.negotiate_flags;
948
949 a.out.return_credentials = r->out.return_credentials;
950 a.out.rid = &rid;
951 a.out.negotiate_flags = r->out.negotiate_flags;
952
953 return _netr_ServerAuthenticate3(p, &a);
954 }
955
956 /*************************************************************************
957 * If schannel is required for this call test that it actually is available.
958 *************************************************************************/
959 static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info,
960 const char *computer_name,
961 bool integrity, bool privacy)
962 {
963 if (auth_info && auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
964 if (!privacy && !integrity) {
965 return NT_STATUS_OK;
966 }
967
968 if ((!privacy && integrity) &&
969 auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
970 return NT_STATUS_OK;
971 }
972
973 if ((privacy || integrity) &&
974 auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
975 return NT_STATUS_OK;
976 }
977 }
978
979 /* test didn't pass */
980 DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
981 computer_name));
982
983 return NT_STATUS_ACCESS_DENIED;
984 }
985
986 /*************************************************************************
987 *************************************************************************/
988
989 static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
990 TALLOC_CTX *mem_ctx,
991 const char *computer_name,
992 struct netr_Authenticator *received_authenticator,
993 struct netr_Authenticator *return_authenticator,
994 struct netlogon_creds_CredentialState **creds_out)
995 {
996 NTSTATUS status;
997 bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
998
999 if (schannel_global_required) {
1000 status = schannel_check_required(&p->auth,
1001 computer_name,
1002 false, false);
1003 if (!NT_STATUS_IS_OK(status)) {
1004 return status;
1005 }
1006 }
1007
1008 status = schannel_check_creds_state(mem_ctx, lp_private_dir(),
1009 computer_name, received_authenticator,
1010 return_authenticator, creds_out);
1011
1012 return status;
1013 }
1014
1015 /*************************************************************************
1016 *************************************************************************/
1017
1018 static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
1019 struct auth_serversupplied_info *server_info,
1020 const char *account_name,
1021 struct samr_Password *nt_hash)
1022 {
1023 NTSTATUS status;
1024 struct rpc_pipe_client *cli = NULL;
1025 struct policy_handle user_handle;
1026 uint32_t acct_ctrl;
1027 union samr_UserInfo *info;
1028 struct samr_UserInfo18 info18;
1029 DATA_BLOB in,out;
1030
1031 ZERO_STRUCT(user_handle);
1032
1033 status = rpc_pipe_open_internal(mem_ctx, &ndr_table_samr.syntax_id,
1034 server_info,
1035 &cli);
1036 if (!NT_STATUS_IS_OK(status)) {
1037 goto out;
1038 }
1039
1040 status = samr_find_machine_account(mem_ctx, cli, account_name,
1041 SEC_FLAG_MAXIMUM_ALLOWED,
1042 NULL, NULL,
1043 &user_handle);
1044 if (!NT_STATUS_IS_OK(status)) {
1045 goto out;
1046 }
1047
1048 status = rpccli_samr_QueryUserInfo2(cli, mem_ctx,
1049 &user_handle,
1050 UserControlInformation,
1051 &info);
1052 if (!NT_STATUS_IS_OK(status)) {
1053 goto out;
1054 }
1055
1056 acct_ctrl = info->info16.acct_flags;
1057
1058 if (!(acct_ctrl & ACB_WSTRUST ||
1059 acct_ctrl & ACB_SVRTRUST ||
1060 acct_ctrl & ACB_DOMTRUST)) {
1061 status = NT_STATUS_NO_SUCH_USER;
1062 goto out;
1063 }
1064
1065 if (acct_ctrl & ACB_DISABLED) {
1066 status = NT_STATUS_ACCOUNT_DISABLED;
1067 goto out;
1068 }
1069
1070 ZERO_STRUCT(info18);
1071
1072 in = data_blob_const(nt_hash->hash, 16);
1073 out = data_blob_talloc_zero(mem_ctx, 16);
1074 sess_crypt_blob(&out, &in, &server_info->user_session_key, true);
1075 memcpy(info18.nt_pwd.hash, out.data, out.length);
1076
1077 info18.nt_pwd_active = true;
1078
1079 info->info18 = info18;
1080
1081 status = rpccli_samr_SetUserInfo2(cli, mem_ctx,
1082 &user_handle,
1083 UserInternal1Information,
1084 info);
1085 if (!NT_STATUS_IS_OK(status)) {
1086 goto out;
1087 }
1088
1089 out:
1090 if (cli && is_valid_policy_hnd(&user_handle)) {
1091 rpccli_samr_Close(cli, mem_ctx, &user_handle);
1092 }
1093
1094 return status;
1095 }
1096
1097 /*************************************************************************
1098 _netr_ServerPasswordSet
1099 *************************************************************************/
1100
1101 NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
1102 struct netr_ServerPasswordSet *r)
1103 {
1104 NTSTATUS status = NT_STATUS_OK;
1105 int i;
1106 struct netlogon_creds_CredentialState *creds;
1107
1108 DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
1109
1110 become_root();
1111 status = netr_creds_server_step_check(p, p->mem_ctx,
1112 r->in.computer_name,
1113 r->in.credential,
1114 r->out.return_authenticator,
1115 &creds);
1116 unbecome_root();
1117
1118 if (!NT_STATUS_IS_OK(status)) {
1119 DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
1120 "request from client %s machine account %s\n",
1121 r->in.computer_name, creds->computer_name));
1122 TALLOC_FREE(creds);
1123 return status;
1124 }
1125
1126 DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
1127 r->in.computer_name, creds->computer_name));
1128
1129 netlogon_creds_des_decrypt(creds, r->in.new_password);
1130
1131 DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
1132 for(i = 0; i < sizeof(r->in.new_password->hash); i++)
1133 DEBUG(100,("%02X ", r->in.new_password->hash[i]));
1134 DEBUG(100,("\n"));
1135
1136 status = netr_set_machine_account_password(p->mem_ctx,
1137 p->server_info,
1138 creds->account_name,
1139 r->in.new_password);
1140 return status;
1141 }
1142
1143 /****************************************************************
1144 _netr_ServerPasswordSet2
1145 ****************************************************************/
1146
1147 NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
1148 struct netr_ServerPasswordSet2 *r)
1149 {
1150 NTSTATUS status;
1151 struct netlogon_creds_CredentialState *creds;
1152 DATA_BLOB plaintext;
1153 struct samr_CryptPassword password_buf;
1154 struct samr_Password nt_hash;
1155
1156 become_root();
1157 status = netr_creds_server_step_check(p, p->mem_ctx,
1158 r->in.computer_name,
1159 r->in.credential,
1160 r->out.return_authenticator,
1161 &creds);
1162 unbecome_root();
1163
1164 if (!NT_STATUS_IS_OK(status)) {
1165 DEBUG(2,("_netr_ServerPasswordSet2: netlogon_creds_server_step "
1166 "failed. Rejecting auth request from client %s machine account %s\n",
1167 r->in.computer_name, creds->computer_name));
1168 TALLOC_FREE(creds);
1169 return status;
1170 }
1171
1172 memcpy(password_buf.data, r->in.new_password->data, 512);
1173 SIVAL(password_buf.data, 512, r->in.new_password->length);
1174 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
1175
1176 if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &plaintext)) {
1177 return NT_STATUS_WRONG_PASSWORD;
1178 }
1179
1180 mdfour(nt_hash.hash, plaintext.data, plaintext.length);
1181
1182 status = netr_set_machine_account_password(p->mem_ctx,
1183 p->server_info,
1184 creds->account_name,
1185 &nt_hash);
1186 return status;
1187 }
1188
1189 /*************************************************************************
1190 _netr_LogonSamLogoff
1191 *************************************************************************/
1192
1193 NTSTATUS _netr_LogonSamLogoff(struct pipes_struct *p,
1194 struct netr_LogonSamLogoff *r)
1195 {
1196 NTSTATUS status;
1197 struct netlogon_creds_CredentialState *creds;
1198
1199 become_root();
1200 status = netr_creds_server_step_check(p, p->mem_ctx,
1201 r->in.computer_name,
1202 r->in.credential,
1203 r->out.return_authenticator,
1204 &creds);
1205 unbecome_root();
1206
1207 return status;
1208 }
1209
1210 /*************************************************************************
1211 _netr_LogonSamLogon_base
1212 *************************************************************************/
1213
1214 static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
1215 struct netr_LogonSamLogonEx *r,
1216 struct netlogon_creds_CredentialState *creds)
1217 {
1218 NTSTATUS status = NT_STATUS_OK;
1219 union netr_LogonLevel *logon = r->in.logon;
1220 const char *nt_username, *nt_domain, *nt_workstation;
1221 struct auth_usersupplied_info *user_info = NULL;
1222 struct auth_serversupplied_info *server_info = NULL;
1223 struct auth_context *auth_context = NULL;
1224 uint8_t pipe_session_key[16];
1225 bool process_creds = true;
1226 const char *fn;
1227
1228 switch (p->opnum) {
1229 case NDR_NETR_LOGONSAMLOGON:
1230 process_creds = true;
1231 fn = "_netr_LogonSamLogon";
1232 break;
1233 case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
1234 process_creds = true;
1235 fn = "_netr_LogonSamLogonWithFlags";
1236 break;
1237 case NDR_NETR_LOGONSAMLOGONEX:
1238 process_creds = false;
1239 fn = "_netr_LogonSamLogonEx";
1240 break;
1241 default:
1242 return NT_STATUS_INTERNAL_ERROR;
1243 }
1244
1245 *r->out.authoritative = true; /* authoritative response */
1246
1247 switch (r->in.validation_level) {
1248 case 2:
1249 r->out.validation->sam2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo2);
1250 if (!r->out.validation->sam2) {
1251 return NT_STATUS_NO_MEMORY;
1252 }
1253 break;
1254 case 3:
1255 r->out.validation->sam3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo3);
1256 if (!r->out.validation->sam3) {
1257 return NT_STATUS_NO_MEMORY;
1258 }
1259 break;
1260 case 6:
1261 r->out.validation->sam6 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo6);
1262 if (!r->out.validation->sam6) {
1263 return NT_STATUS_NO_MEMORY;
1264 }
1265 break;
1266 default:
1267 DEBUG(0,("%s: bad validation_level value %d.\n",
1268 fn, (int)r->in.validation_level));
1269 return NT_STATUS_INVALID_INFO_CLASS;
1270 }
1271
1272 switch (r->in.logon_level) {
1273 case NetlogonInteractiveInformation:
1274 case NetlogonServiceInformation:
1275 case NetlogonInteractiveTransitiveInformation:
1276 case NetlogonServiceTransitiveInformation:
1277 nt_username = logon->password->identity_info.account_name.string ?
1278 logon->password->identity_info.account_name.string : "";
1279 nt_domain = logon->password->identity_info.domain_name.string ?
1280 logon->password->identity_info.domain_name.string : "";
1281 nt_workstation = logon->password->identity_info.workstation.string ?
1282 logon->password->identity_info.workstation.string : "";
1283
1284 DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
1285 break;
1286 case NetlogonNetworkInformation:
1287 case NetlogonNetworkTransitiveInformation:
1288 nt_username = logon->network->identity_info.account_name.string ?
1289 logon->network->identity_info.account_name.string : "";
1290 nt_domain = logon->network->identity_info.domain_name.string ?
1291 logon->network->identity_info.domain_name.string : "";
1292 nt_workstation = logon->network->identity_info.workstation.string ?
1293 logon->network->identity_info.workstation.string : "";
1294
1295 DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
1296 break;
1297 default:
1298 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1299 return NT_STATUS_INVALID_INFO_CLASS;
1300 } /* end switch */
1301
1302 DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username, nt_workstation, nt_domain));
1303 fstrcpy(current_user_info.smb_name, nt_username);
1304 sub_set_smb_name(nt_username);
1305
1306 DEBUG(5,("Attempting validation level %d for unmapped username %s.\n",
1307 r->in.validation_level, nt_username));
1308
1309 status = NT_STATUS_OK;
1310
1311 switch (r->in.logon_level) {
1312 case NetlogonNetworkInformation:
1313 case NetlogonNetworkTransitiveInformation:
1314 {
1315 const char *wksname = nt_workstation;
1316
1317 status = make_auth_context_fixed(&auth_context,
1318 logon->network->challenge);
1319 if (!NT_STATUS_IS_OK(status)) {
1320 return status;
1321 }
1322
1323 /* For a network logon, the workstation name comes in with two
1324 * backslashes in the front. Strip them if they are there. */
1325
1326 if (*wksname == '\\') wksname++;
1327 if (*wksname == '\\') wksname++;
1328
1329 /* Standard challenge/response authenticaion */
1330 if (!make_user_info_netlogon_network(&user_info,
1331 nt_username, nt_domain,
1332 wksname,
1333 logon->network->identity_info.parameter_control,
1334 logon->network->lm.data,
1335 logon->network->lm.length,
1336 logon->network->nt.data,
1337 logon->network->nt.length)) {
1338 status = NT_STATUS_NO_MEMORY;
1339 }
1340 break;
1341 }
1342 case NetlogonInteractiveInformation:
1343 case NetlogonServiceInformation:
1344 case NetlogonInteractiveTransitiveInformation:
1345 case NetlogonServiceTransitiveInformation:
1346
1347 /* 'Interactive' authentication, supplies the password in its
1348 MD4 form, encrypted with the session key. We will convert
1349 this to challenge/response for the auth subsystem to chew
1350 on */
1351 {
1352 uint8_t chal[8];
1353
1354 if (!NT_STATUS_IS_OK(status = make_auth_context_subsystem(&auth_context))) {
1355 return status;
1356 }
1357
1358 auth_context->get_ntlm_challenge(auth_context, chal);
1359
1360 if (!make_user_info_netlogon_interactive(&user_info,
1361 nt_username, nt_domain,
1362 nt_workstation,
1363 logon->password->identity_info.parameter_control,
1364 chal,
1365 logon->password->lmpassword.hash,
1366 logon->password->ntpassword.hash,
1367 creds->session_key)) {
1368 status = NT_STATUS_NO_MEMORY;
1369 }
1370 break;
1371 }
1372 default:
1373 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1374 return NT_STATUS_INVALID_INFO_CLASS;
1375 } /* end switch */
1376
1377 if ( NT_STATUS_IS_OK(status) ) {
1378 status = auth_context->check_ntlm_password(auth_context,
1379 user_info, &server_info);
1380 }
1381
1382 TALLOC_FREE(auth_context);
1383 free_user_info(&user_info);
1384
1385 DEBUG(5,("%s: check_password returned status %s\n",
1386 fn, nt_errstr(status)));
1387
1388 /* Check account and password */
1389
1390 if (!NT_STATUS_IS_OK(status)) {
1391 /* If we don't know what this domain is, we need to
1392 indicate that we are not authoritative. This
1393 allows the client to decide if it needs to try
1394 a local user. Fix by jpjanosi@us.ibm.com, #2976 */
1395 if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
1396 && !strequal(nt_domain, get_global_sam_name())
1397 && !is_trusted_domain(nt_domain) )
1398 *r->out.authoritative = false; /* We are not authoritative */
1399
1400 TALLOC_FREE(server_info);
1401 return status;
1402 }
1403
1404 if (server_info->guest) {
1405 /* We don't like guest domain logons... */
1406 DEBUG(5,("%s: Attempted domain logon as GUEST "
1407 "denied.\n", fn));
1408 TALLOC_FREE(server_info);
1409 return NT_STATUS_LOGON_FAILURE;
1410 }
1411
1412 /* This is the point at which, if the login was successful, that
1413 the SAM Local Security Authority should record that the user is
1414 logged in to the domain. */
1415
1416 if (process_creds) {
1417 /* Get the pipe session key from the creds. */
1418 memcpy(pipe_session_key, creds->session_key, 16);
1419 } else {
1420 /* Get the pipe session key from the schannel. */
1421 if ((p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL)
1422 || (p->auth.a_u.schannel_auth == NULL)) {
1423 return NT_STATUS_INVALID_HANDLE;
1424 }
1425 memcpy(pipe_session_key, p->auth.a_u.schannel_auth->creds->session_key, 16);
1426 }
1427
1428 switch (r->in.validation_level) {
1429 case 2:
1430 status = serverinfo_to_SamInfo2(server_info, pipe_session_key, 16,
1431 r->out.validation->sam2);
1432 break;
1433 case 3:
1434 status = serverinfo_to_SamInfo3(server_info, pipe_session_key, 16,
1435 r->out.validation->sam3);
1436 break;
1437 case 6:
1438 status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16,
1439 r->out.validation->sam6);
1440 break;
1441 }
1442
1443 TALLOC_FREE(server_info);
1444
1445 return status;
1446 }
1447
1448 /****************************************************************
1449 _netr_LogonSamLogonWithFlags
1450 ****************************************************************/
1451
1452 NTSTATUS _netr_LogonSamLogonWithFlags(struct pipes_struct *p,
1453 struct netr_LogonSamLogonWithFlags *r)
1454 {
1455 NTSTATUS status;
1456 struct netlogon_creds_CredentialState *creds;
1457 struct netr_LogonSamLogonEx r2;
1458 struct netr_Authenticator return_authenticator;
1459
1460 become_root();
1461 status = netr_creds_server_step_check(p, p->mem_ctx,
1462 r->in.computer_name,
1463 r->in.credential,
1464 &return_authenticator,
1465 &creds);
1466 unbecome_root();
1467 if (!NT_STATUS_IS_OK(status)) {
1468 return status;
1469 }
1470
1471 r2.in.server_name = r->in.server_name;
1472 r2.in.computer_name = r->in.computer_name;
1473 r2.in.logon_level = r->in.logon_level;
1474 r2.in.logon = r->in.logon;
1475 r2.in.validation_level = r->in.validation_level;
1476 r2.in.flags = r->in.flags;
1477 r2.out.validation = r->out.validation;
1478 r2.out.authoritative = r->out.authoritative;
1479 r2.out.flags = r->out.flags;
1480
1481 status = _netr_LogonSamLogon_base(p, &r2, creds);
1482
1483 *r->out.return_authenticator = return_authenticator;
1484
1485 return status;
1486 }
1487
1488 /*************************************************************************
1489 _netr_LogonSamLogon
1490 *************************************************************************/
1491
1492 NTSTATUS _netr_LogonSamLogon(struct pipes_struct *p,
1493 struct netr_LogonSamLogon *r)
1494 {
1495 NTSTATUS status;
1496 struct netr_LogonSamLogonWithFlags r2;
1497 uint32_t flags = 0;
1498
1499 r2.in.server_name = r->in.server_name;
1500 r2.in.computer_name = r->in.computer_name;
1501 r2.in.credential = r->in.credential;
1502 r2.in.logon_level = r->in.logon_level;
1503 r2.in.logon = r->in.logon;
1504 r2.in.validation_level = r->in.validation_level;
1505 r2.in.return_authenticator = r->in.return_authenticator;
1506 r2.in.flags = &flags;
1507 r2.out.validation = r->out.validation;
1508 r2.out.authoritative = r->out.authoritative;
1509 r2.out.flags = &flags;
1510 r2.out.return_authenticator = r->out.return_authenticator;
1511
1512 status = _netr_LogonSamLogonWithFlags(p, &r2);
1513
1514 return status;
1515 }
1516
1517 /*************************************************************************
1518 _netr_LogonSamLogonEx
1519 - no credential chaining. Map into net sam logon.
1520 *************************************************************************/
1521
1522 NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
1523 struct netr_LogonSamLogonEx *r)
1524 {
1525 NTSTATUS status;
1526 struct netlogon_creds_CredentialState *creds = NULL;
1527
1528 become_root();
1529 status = schannel_get_creds_state(p->mem_ctx, lp_private_dir(),
1530 r->in.computer_name, &creds);
1531 unbecome_root();
1532 if (!NT_STATUS_IS_OK(status)) {
1533 return status;
1534 }
1535
1536 /* Only allow this if the pipe is protected. */
1537 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1538 DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
1539 get_remote_machine_name() ));
1540 return NT_STATUS_INVALID_PARAMETER;
1541 }
1542
1543 status = _netr_LogonSamLogon_base(p, r, creds);
1544 TALLOC_FREE(creds);
1545
1546 return status;
1547 }
1548
1549 /*************************************************************************
1550 _ds_enum_dom_trusts
1551 *************************************************************************/
1552 #if 0 /* JERRY -- not correct */
1553 NTSTATUS _ds_enum_dom_trusts(struct pipes_struct *p, DS_Q_ENUM_DOM_TRUSTS *q_u,
1554 DS_R_ENUM_DOM_TRUSTS *r_u)
1555 {
1556 NTSTATUS status = NT_STATUS_OK;
1557
1558 /* TODO: According to MSDN, the can only be executed against a
1559 DC or domain member running Windows 2000 or later. Need
1560 to test against a standalone 2k server and see what it
1561 does. A windows 2000 DC includes its own domain in the
1562 list. --jerry */
1563
1564 return status;
1565 }
1566 #endif /* JERRY */
1567
1568
1569 /****************************************************************
1570 ****************************************************************/
1571
1572 WERROR _netr_LogonUasLogon(struct pipes_struct *p,
1573 struct netr_LogonUasLogon *r)
1574 {
1575 p->rng_fault_state = true;
1576 return WERR_NOT_SUPPORTED;
1577 }
1578
1579 /****************************************************************
1580 ****************************************************************/
1581
1582 WERROR _netr_LogonUasLogoff(struct pipes_struct *p,
1583 struct netr_LogonUasLogoff *r)
1584 {
1585 p->rng_fault_state = true;
1586 return WERR_NOT_SUPPORTED;
1587 }
1588
1589 /****************************************************************
1590 ****************************************************************/
1591
1592 NTSTATUS _netr_DatabaseDeltas(struct pipes_struct *p,
1593 struct netr_DatabaseDeltas *r)
1594 {
1595 p->rng_fault_state = true;
1596 return NT_STATUS_NOT_IMPLEMENTED;
1597 }
1598
1599 /****************************************************************
1600 ****************************************************************/
1601
1602 NTSTATUS _netr_DatabaseSync(struct pipes_struct *p,
1603 struct netr_DatabaseSync *r)
1604 {
1605 p->rng_fault_state = true;
1606 return NT_STATUS_NOT_IMPLEMENTED;
1607 }
1608
1609 /****************************************************************
1610 ****************************************************************/
1611
1612 NTSTATUS _netr_AccountDeltas(struct pipes_struct *p,
1613 struct netr_AccountDeltas *r)
1614 {
1615 p->rng_fault_state = true;
1616 return NT_STATUS_NOT_IMPLEMENTED;
1617 }
1618
1619 /****************************************************************
1620 ****************************************************************/
1621
1622 NTSTATUS _netr_AccountSync(struct pipes_struct *p,
1623 struct netr_AccountSync *r)
1624 {
1625 p->rng_fault_state = true;
1626 return NT_STATUS_NOT_IMPLEMENTED;
1627 }
1628
1629 /****************************************************************
1630 ****************************************************************/
1631
1632 static bool wb_getdcname(TALLOC_CTX *mem_ctx,
1633 const char *domain,
1634 const char **dcname,
1635 uint32_t flags,
1636 WERROR *werr)
1637 {
1638 wbcErr result;
1639 struct wbcDomainControllerInfo *dc_info = NULL;
1640
1641 result = wbcLookupDomainController(domain,
1642 flags,
1643 &dc_info);
1644 switch (result) {
1645 case WBC_ERR_SUCCESS:
1646 break;
1647 case WBC_ERR_WINBIND_NOT_AVAILABLE:
1648 return false;
1649 case WBC_ERR_DOMAIN_NOT_FOUND:
1650 *werr = WERR_NO_SUCH_DOMAIN;
1651 return true;
1652 default:
1653 *werr = WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1654 return true;
1655 }
1656
1657 *dcname = talloc_strdup(mem_ctx, dc_info->dc_name);
1658 wbcFreeMemory(dc_info);
1659 if (!*dcname) {
1660 *werr = WERR_NOMEM;
1661 return false;
1662 }
1663
1664 *werr = WERR_OK;
1665
1666 return true;
1667 }
1668
1669 /****************************************************************
1670 _netr_GetDcName
1671 ****************************************************************/
1672
1673 WERROR _netr_GetDcName(struct pipes_struct *p,
1674 struct netr_GetDcName *r)
1675 {
1676 NTSTATUS status;
1677 WERROR werr;
1678 uint32_t flags;
1679 struct netr_DsRGetDCNameInfo *info;
1680 bool ret;
1681
1682 ret = wb_getdcname(p->mem_ctx,
1683 r->in.domainname,
1684 r->out.dcname,
1685 WBC_LOOKUP_DC_IS_FLAT_NAME |
1686 WBC_LOOKUP_DC_RETURN_FLAT_NAME |
1687 WBC_LOOKUP_DC_PDC_REQUIRED,
1688 &werr);
1689 if (ret == true) {
1690 return werr;
1691 }
1692
1693 flags = DS_PDC_REQUIRED | DS_IS_FLAT_NAME | DS_RETURN_FLAT_NAME;
1694
1695 status = dsgetdcname(p->mem_ctx,
1696 p->msg_ctx,
1697 r->in.domainname,
1698 NULL,
1699 NULL,
1700 flags,
1701 &info);
1702 if (!NT_STATUS_IS_OK(status)) {
1703 return ntstatus_to_werror(status);
1704 }
1705
1706 *r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
1707 talloc_free(info);
1708 if (!*r->out.dcname) {
1709 return WERR_NOMEM;
1710 }
1711
1712 return WERR_OK;
1713 }
1714
1715 /****************************************************************
1716 _netr_GetAnyDCName
1717 ****************************************************************/
1718
1719 WERROR _netr_GetAnyDCName(struct pipes_struct *p,
1720 struct netr_GetAnyDCName *r)
1721 {
1722 NTSTATUS status;
1723 WERROR werr;
1724 uint32_t flags;
1725 struct netr_DsRGetDCNameInfo *info;
1726 bool ret;
1727
1728 ret = wb_getdcname(p->mem_ctx,
1729 r->in.domainname,
1730 r->out.dcname,
1731 WBC_LOOKUP_DC_IS_FLAT_NAME |
1732 WBC_LOOKUP_DC_RETURN_FLAT_NAME,
1733 &werr);
1734 if (ret == true) {
1735 return werr;
1736 }
1737
1738 flags = DS_IS_FLAT_NAME | DS_RETURN_FLAT_NAME;
1739
1740 status = dsgetdcname(p->mem_ctx,
1741 p->msg_ctx,
1742 r->in.domainname,
1743 NULL,
1744 NULL,
1745 flags,
1746 &info);
1747 if (!NT_STATUS_IS_OK(status)) {
1748 return ntstatus_to_werror(status);
1749 }
1750
1751 *r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
1752 talloc_free(info);
1753 if (!*r->out.dcname) {
1754 return WERR_NOMEM;
1755 }
1756
1757 return WERR_OK;
1758 }
1759
1760 /****************************************************************
1761 ****************************************************************/
1762
1763 NTSTATUS _netr_DatabaseSync2(struct pipes_struct *p,
1764 struct netr_DatabaseSync2 *r)
1765 {
1766 p->rng_fault_state = true;
1767 return NT_STATUS_NOT_IMPLEMENTED;
1768 }
1769
1770 /****************************************************************
1771 ****************************************************************/
1772
1773 NTSTATUS _netr_DatabaseRedo(struct pipes_struct *p,
1774 struct netr_DatabaseRedo *r)
1775 {
1776 p->rng_fault_state = true;
1777 return NT_STATUS_NOT_IMPLEMENTED;
1778 }
1779
1780 /****************************************************************
1781 ****************************************************************/
1782
1783 WERROR _netr_DsRGetDCName(struct pipes_struct *p,
1784 struct netr_DsRGetDCName *r)
1785 {
1786 p->rng_fault_state = true;
1787 return WERR_NOT_SUPPORTED;
1788 }
1789
1790 /****************************************************************
1791 ****************************************************************/
1792
1793 NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
1794 struct netr_LogonGetCapabilities *r)
1795 {
1796 return NT_STATUS_NOT_IMPLEMENTED;
1797 }
1798
1799 /****************************************************************
1800 ****************************************************************/
1801
1802 WERROR _netr_NETRLOGONSETSERVICEBITS(struct pipes_struct *p,
1803 struct netr_NETRLOGONSETSERVICEBITS *r)
1804 {
1805 p->rng_fault_state = true;
1806 return WERR_NOT_SUPPORTED;
1807 }
1808
1809 /****************************************************************
1810 ****************************************************************/
1811
1812 WERROR _netr_LogonGetTrustRid(struct pipes_struct *p,
1813 struct netr_LogonGetTrustRid *r)
1814 {
1815 p->rng_fault_state = true;
1816 return WERR_NOT_SUPPORTED;
1817 }
1818
1819 /****************************************************************
1820 ****************************************************************/
1821
1822 WERROR _netr_NETRLOGONCOMPUTESERVERDIGEST(struct pipes_struct *p,
1823 struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
1824 {
1825 p->rng_fault_state = true;
1826 return WERR_NOT_SUPPORTED;
1827 }
1828
1829 /****************************************************************
1830 ****************************************************************/
1831
1832 WERROR _netr_NETRLOGONCOMPUTECLIENTDIGEST(struct pipes_struct *p,
1833 struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
1834 {
1835 p->rng_fault_state = true;
1836 return WERR_NOT_SUPPORTED;
1837 }
1838
1839 /****************************************************************
1840 ****************************************************************/
1841
1842 WERROR _netr_DsRGetDCNameEx(struct pipes_struct *p,
1843 struct netr_DsRGetDCNameEx *r)
1844 {
1845 p->rng_fault_state = true;
1846 return WERR_NOT_SUPPORTED;
1847 }
1848
1849 /****************************************************************
1850 ****************************************************************/
1851
1852 WERROR _netr_DsRGetSiteName(struct pipes_struct *p,
1853 struct netr_DsRGetSiteName *r)
1854 {
1855 p->rng_fault_state = true;
1856 return WERR_NOT_SUPPORTED;
1857 }
1858
1859 /****************************************************************
1860 ****************************************************************/
1861
1862 NTSTATUS _netr_LogonGetDomainInfo(struct pipes_struct *p,
1863 struct netr_LogonGetDomainInfo *r)
1864 {
1865 p->rng_fault_state = true;
1866 return NT_STATUS_NOT_IMPLEMENTED;
1867 }
1868
1869 /****************************************************************
1870 ****************************************************************/
1871
1872 WERROR _netr_ServerPasswordGet(struct pipes_struct *p,
1873 struct netr_ServerPasswordGet *r)
1874 {
1875 p->rng_fault_state = true;
1876 return WERR_NOT_SUPPORTED;
1877 }
1878
1879 /****************************************************************
1880 ****************************************************************/
1881
1882 WERROR _netr_NETRLOGONSENDTOSAM(struct pipes_struct *p,
1883 struct netr_NETRLOGONSENDTOSAM *r)
1884 {
1885 p->rng_fault_state = true;
1886 return WERR_NOT_SUPPORTED;
1887 }
1888
1889 /****************************************************************
1890 ****************************************************************/
1891
1892 WERROR _netr_DsRAddressToSitenamesW(struct pipes_struct *p,
1893 struct netr_DsRAddressToSitenamesW *r)
1894 {
1895 p->rng_fault_state = true;
1896 return WERR_NOT_SUPPORTED;
1897 }
1898
1899 /****************************************************************
1900 ****************************************************************/
1901
1902 WERROR _netr_DsRGetDCNameEx2(struct pipes_struct *p,
1903 struct netr_DsRGetDCNameEx2 *r)
1904 {
1905 p->rng_fault_state = true;
1906 return WERR_NOT_SUPPORTED;
1907 }
1908
1909 /****************************************************************
1910 ****************************************************************/
1911
1912 WERROR _netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct pipes_struct *p,
1913 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
1914 {
1915 p->rng_fault_state = true;
1916 return WERR_NOT_SUPPORTED;
1917 }
1918
1919 /****************************************************************
1920 ****************************************************************/
1921
1922 WERROR _netr_NetrEnumerateTrustedDomainsEx(struct pipes_struct *p,
1923 struct netr_NetrEnumerateTrustedDomainsEx *r)
1924 {
1925 p->rng_fault_state = true;
1926 return WERR_NOT_SUPPORTED;
1927 }
1928
1929 /****************************************************************
1930 ****************************************************************/
1931
1932 WERROR _netr_DsRAddressToSitenamesExW(struct pipes_struct *p,
1933 struct netr_DsRAddressToSitenamesExW *r)
1934 {
1935 p->rng_fault_state = true;
1936 return WERR_NOT_SUPPORTED;
1937 }
1938
1939 /****************************************************************
1940 ****************************************************************/
1941
1942 WERROR _netr_DsrGetDcSiteCoverageW(struct pipes_struct *p,
1943 struct netr_DsrGetDcSiteCoverageW *r)
1944 {
1945 p->rng_fault_state = true;
1946 return WERR_NOT_SUPPORTED;
1947 }
1948
1949 /****************************************************************
1950 ****************************************************************/
1951
1952 WERROR _netr_DsrEnumerateDomainTrusts(struct pipes_struct *p,
1953 struct netr_DsrEnumerateDomainTrusts *r)
1954 {
1955 p->rng_fault_state = true;
1956 return WERR_NOT_SUPPORTED;
1957 }
1958
1959 /****************************************************************
1960 ****************************************************************/
1961
1962 WERROR _netr_DsrDeregisterDNSHostRecords(struct pipes_struct *p,
1963 struct netr_DsrDeregisterDNSHostRecords *r)
1964 {
1965 p->rng_fault_state = true;
1966 return WERR_NOT_SUPPORTED;
1967 }
1968
1969 /****************************************************************
1970 ****************************************************************/
1971
1972 NTSTATUS _netr_ServerTrustPasswordsGet(struct pipes_struct *p,
1973 struct netr_ServerTrustPasswordsGet *r)
1974 {
1975 p->rng_fault_state = true;
1976 return NT_STATUS_NOT_IMPLEMENTED;
1977 }
1978
1979 /****************************************************************
1980 ****************************************************************/
1981
1982 WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
1983 struct netr_DsRGetForestTrustInformation *r)
1984 {
1985 p->rng_fault_state = true;
1986 return WERR_NOT_SUPPORTED;
1987 }
1988
1989 /****************************************************************
1990 ****************************************************************/
1991
1992 NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p,
1993 struct netr_GetForestTrustInformation *r)
1994 {
1995 p->rng_fault_state = true;
1996 return NT_STATUS_NOT_IMPLEMENTED;
1997 }
1998
1999 /****************************************************************
2000 ****************************************************************/
2001
2002 NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p,
2003 struct netr_ServerGetTrustInfo *r)
2004 {
2005 p->rng_fault_state = true;
2006 return NT_STATUS_NOT_IMPLEMENTED;
2007 }
2008
reg import