2 Unix SMB/CIFS implementation.
4 CLDAP server - netlogon handling
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "lib/ldb/include/ldb.h"
25 #include "lib/ldb/include/ldb_errors.h"
26 #include "lib/events/events.h"
27 #include "smbd/service_task.h"
28 #include "cldap_server/cldap_server.h"
29 #include "librpc/gen_ndr/ndr_misc.h"
30 #include "libcli/ldap/ldap_ndr.h"
31 #include "libcli/security/security.h"
32 #include "dsdb/samdb/samdb.h"
33 #include "auth/auth.h"
35 #include "system/network.h"
36 #include "lib/socket/netif.h"
37 #include "param/param.h"
38 #include "../lib/tsocket/tsocket.h"
41 fill in the cldap netlogon union for a given version
43 NTSTATUS
fill_netlogon_samlogon_response(struct ldb_context
*sam_ctx
,
46 const char *netbios_domain
,
47 struct dom_sid
*domain_sid
,
48 const char *domain_guid
,
50 uint32_t acct_control
,
51 const char *src_address
,
53 struct loadparm_context
*lp_ctx
,
54 struct netlogon_samlogon_response
*netlogon
,
55 bool fill_on_blank_request
)
57 const char *dom_attrs
[] = {"objectGUID", NULL
};
58 const char *none_attrs
[] = {NULL
};
59 struct ldb_result
*dom_res
= NULL
, *user_res
= NULL
;
61 const char **services
= lpcfg_server_services(lp_ctx
);
64 struct GUID domain_uuid
;
65 const char *dns_domain
;
66 const char *forest_domain
;
67 const char *pdc_dns_name
;
69 const char *server_site
;
70 const char *client_site
;
72 struct ldb_dn
*domain_dn
= NULL
;
73 struct interface
*ifaces
;
74 bool user_known
, am_rodc
;
77 /* the domain parameter could have an optional trailing "." */
78 if (domain
&& domain
[strlen(domain
)-1] == '.') {
79 domain
= talloc_strndup(mem_ctx
, domain
, strlen(domain
)-1);
80 NT_STATUS_HAVE_NO_MEMORY(domain
);
83 /* Lookup using long or short domainname */
84 if (domain
&& (strcasecmp_m(domain
, lpcfg_dnsdomain(lp_ctx
)) == 0)) {
85 domain_dn
= ldb_get_default_basedn(sam_ctx
);
87 if (netbios_domain
&& (strcasecmp_m(netbios_domain
, lpcfg_sam_name(lp_ctx
)) == 0)) {
88 domain_dn
= ldb_get_default_basedn(sam_ctx
);
91 const char *domain_identifier
= domain
!= NULL
? domain
93 ret
= ldb_search(sam_ctx
, mem_ctx
, &dom_res
,
94 domain_dn
, LDB_SCOPE_BASE
, dom_attrs
,
95 "objectClass=domain");
96 if (ret
!= LDB_SUCCESS
) {
97 DEBUG(2,("Error finding domain '%s'/'%s' in sam: %s\n",
99 ldb_dn_get_linearized(domain_dn
),
100 ldb_errstring(sam_ctx
)));
101 return NT_STATUS_NO_SUCH_DOMAIN
;
103 if (dom_res
->count
!= 1) {
104 DEBUG(2,("Error finding domain '%s'/'%s' in sam\n",
106 ldb_dn_get_linearized(domain_dn
)));
107 return NT_STATUS_NO_SUCH_DOMAIN
;
111 /* Lookup using GUID or SID */
112 if ((dom_res
== NULL
) && (domain_guid
|| domain_sid
)) {
114 struct GUID binary_guid
;
115 struct ldb_val guid_val
;
117 /* By this means, we ensure we don't have funny stuff in the GUID */
119 status
= GUID_from_string(domain_guid
, &binary_guid
);
120 if (!NT_STATUS_IS_OK(status
)) {
124 /* And this gets the result into the binary format we want anyway */
125 status
= GUID_to_ndr_blob(&binary_guid
, mem_ctx
, &guid_val
);
126 if (!NT_STATUS_IS_OK(status
)) {
129 ret
= ldb_search(sam_ctx
, mem_ctx
, &dom_res
,
130 NULL
, LDB_SCOPE_SUBTREE
,
132 "(&(objectCategory=DomainDNS)(objectGUID=%s))",
133 ldb_binary_encode(mem_ctx
, guid_val
));
134 } else { /* domain_sid case */
136 struct ldb_val sid_val
;
137 enum ndr_err_code ndr_err
;
139 /* Rather than go via the string, just push into the NDR form */
140 ndr_err
= ndr_push_struct_blob(&sid_val
, mem_ctx
, &sid
,
141 (ndr_push_flags_fn_t
)ndr_push_dom_sid
);
142 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
143 return NT_STATUS_INVALID_PARAMETER
;
146 ret
= ldb_search(sam_ctx
, mem_ctx
, &dom_res
,
147 NULL
, LDB_SCOPE_SUBTREE
,
149 "(&(objectCategory=DomainDNS)(objectSid=%s))",
150 ldb_binary_encode(mem_ctx
, sid_val
));
153 if (ret
!= LDB_SUCCESS
) {
154 DEBUG(2,("Unable to find a correct reference to GUID '%s' or SID '%s' in sam: %s\n",
155 domain_guid
, dom_sid_string(mem_ctx
, domain_sid
),
156 ldb_errstring(sam_ctx
)));
157 return NT_STATUS_NO_SUCH_DOMAIN
;
158 } else if (dom_res
->count
== 1) {
159 /* Ok, now just check it is our domain */
160 if (ldb_dn_compare(ldb_get_default_basedn(sam_ctx
),
161 dom_res
->msgs
[0]->dn
) != 0) {
162 DEBUG(2,("The GUID '%s' or SID '%s' doesn't identify our domain\n",
164 dom_sid_string(mem_ctx
, domain_sid
)));
165 return NT_STATUS_NO_SUCH_DOMAIN
;
168 DEBUG(2,("Unable to find a correct reference to GUID '%s' or SID '%s' in sam\n",
169 domain_guid
, dom_sid_string(mem_ctx
, domain_sid
)));
170 return NT_STATUS_NO_SUCH_DOMAIN
;
174 if (dom_res
== NULL
&& fill_on_blank_request
) {
175 /* blank inputs gives our domain - tested against
176 w2k8r2. Without this ADUC on Win7 won't start */
177 domain_dn
= ldb_get_default_basedn(sam_ctx
);
178 ret
= ldb_search(sam_ctx
, mem_ctx
, &dom_res
,
179 domain_dn
, LDB_SCOPE_BASE
, dom_attrs
,
180 "objectClass=domain");
181 if (ret
!= LDB_SUCCESS
) {
182 DEBUG(2,("Error finding domain '%s'/'%s' in sam: %s\n",
183 lpcfg_dnsdomain(lp_ctx
),
184 ldb_dn_get_linearized(domain_dn
),
185 ldb_errstring(sam_ctx
)));
186 return NT_STATUS_NO_SUCH_DOMAIN
;
190 if (dom_res
== NULL
) {
191 DEBUG(2,(__location__
": Unable to get domain informations with no inputs\n"));
192 return NT_STATUS_NO_SUCH_DOMAIN
;
195 /* work around different inputs for not-specified users */
200 /* Enquire about any valid username with just a CLDAP packet -
201 * if kerberos didn't also do this, the security folks would
204 /* Only allow some bits to be enquired: [MS-ATDS] 7.3.3.2 */
205 if (acct_control
== (uint32_t)-1) {
208 acct_control
= acct_control
& (ACB_TEMPDUP
| ACB_NORMAL
| ACB_DOMTRUST
| ACB_WSTRUST
| ACB_SVRTRUST
);
210 /* We must exclude disabled accounts, but otherwise do the bitwise match the client asked for */
211 ret
= ldb_search(sam_ctx
, mem_ctx
, &user_res
,
212 dom_res
->msgs
[0]->dn
, LDB_SCOPE_SUBTREE
,
214 "(&(objectClass=user)(samAccountName=%s)"
215 "(!(userAccountControl:" LDB_OID_COMPARATOR_AND
":=%u))"
216 "(userAccountControl:" LDB_OID_COMPARATOR_OR
":=%u))",
217 ldb_binary_encode_string(mem_ctx
, user
),
218 UF_ACCOUNTDISABLE
, ds_acb2uf(acct_control
));
219 if (ret
!= LDB_SUCCESS
) {
220 DEBUG(2,("Unable to find reference to user '%s' with ACB 0x%8x under %s: %s\n",
221 user
, acct_control
, ldb_dn_get_linearized(dom_res
->msgs
[0]->dn
),
222 ldb_errstring(sam_ctx
)));
223 return NT_STATUS_NO_SUCH_USER
;
224 } else if (user_res
->count
== 1) {
235 DS_SERVER_DS
| DS_SERVER_TIMESERV
|
237 DS_SERVER_GOOD_TIMESERV
;
240 /* w2k8-r2 as a DC does not claim these */
241 server_type
|= DS_DNS_CONTROLLER
| DS_DNS_DOMAIN
;
244 if (samdb_is_pdc(sam_ctx
)) {
245 server_type
|= DS_SERVER_PDC
;
248 if (dsdb_functional_level(sam_ctx
) >= DS_DOMAIN_FUNCTION_2008
) {
249 server_type
|= DS_SERVER_FULL_SECRET_DOMAIN_6
;
252 if (samdb_is_gc(sam_ctx
)) {
253 server_type
|= DS_SERVER_GC
;
256 if (str_list_check(services
, "ldap")) {
257 server_type
|= DS_SERVER_LDAP
;
260 if (str_list_check(services
, "kdc")) {
261 server_type
|= DS_SERVER_KDC
;
264 if (samdb_rodc(sam_ctx
, &am_rodc
) == LDB_SUCCESS
&& !am_rodc
) {
265 server_type
|= DS_SERVER_WRITABLE
;
269 /* w2k8-r2 as a sole DC does not claim this */
270 if (ldb_dn_compare(ldb_get_root_basedn(sam_ctx
), ldb_get_default_basedn(sam_ctx
)) == 0) {
271 server_type
|= DS_DNS_FOREST_ROOT
;
275 pdc_name
= talloc_asprintf(mem_ctx
, "\\\\%s",
276 lpcfg_netbios_name(lp_ctx
));
277 NT_STATUS_HAVE_NO_MEMORY(pdc_name
);
278 domain_uuid
= samdb_result_guid(dom_res
->msgs
[0], "objectGUID");
279 dns_domain
= lpcfg_dnsdomain(lp_ctx
);
280 forest_domain
= samdb_forest_name(sam_ctx
, mem_ctx
);
281 NT_STATUS_HAVE_NO_MEMORY(forest_domain
);
282 pdc_dns_name
= talloc_asprintf(mem_ctx
, "%s.%s",
283 strlower_talloc(mem_ctx
,
284 lpcfg_netbios_name(lp_ctx
)),
286 NT_STATUS_HAVE_NO_MEMORY(pdc_dns_name
);
287 flatname
= lpcfg_workgroup(lp_ctx
);
288 server_site
= samdb_server_site_name(sam_ctx
, mem_ctx
);
289 NT_STATUS_HAVE_NO_MEMORY(server_site
);
290 client_site
= samdb_client_site_name(sam_ctx
, mem_ctx
,
292 NT_STATUS_HAVE_NO_MEMORY(client_site
);
293 load_interfaces(mem_ctx
, lpcfg_interfaces(lp_ctx
), &ifaces
);
295 * TODO: the caller should pass the address which the client
296 * used to trigger this call, as the client is able to reach
300 pdc_ip
= iface_best_ip(ifaces
, src_address
);
302 pdc_ip
= iface_n_ip(ifaces
, 0);
304 ZERO_STRUCTP(netlogon
);
306 /* check if either of these bits is present */
307 if (version
& (NETLOGON_NT_VERSION_5EX
|NETLOGON_NT_VERSION_5EX_WITH_IP
)) {
308 uint32_t extra_flags
= 0;
309 netlogon
->ntver
= NETLOGON_NT_VERSION_5EX
;
311 /* could check if the user exists */
313 netlogon
->data
.nt5_ex
.command
= LOGON_SAM_LOGON_RESPONSE_EX
;
315 netlogon
->data
.nt5_ex
.command
= LOGON_SAM_LOGON_USER_UNKNOWN_EX
;
317 netlogon
->data
.nt5_ex
.pdc_name
= pdc_name
;
318 netlogon
->data
.nt5_ex
.user_name
= user
;
319 netlogon
->data
.nt5_ex
.domain_name
= flatname
;
320 netlogon
->data
.nt5_ex
.domain_uuid
= domain_uuid
;
321 netlogon
->data
.nt5_ex
.forest
= forest_domain
;
322 netlogon
->data
.nt5_ex
.dns_domain
= dns_domain
;
323 netlogon
->data
.nt5_ex
.pdc_dns_name
= pdc_dns_name
;
324 netlogon
->data
.nt5_ex
.server_site
= server_site
;
325 netlogon
->data
.nt5_ex
.client_site
= client_site
;
326 if (version
& NETLOGON_NT_VERSION_5EX_WITH_IP
) {
327 /* Clearly this needs to be fixed up for IPv6 */
328 extra_flags
= NETLOGON_NT_VERSION_5EX_WITH_IP
;
329 netlogon
->data
.nt5_ex
.sockaddr
.sockaddr_family
= 2;
330 netlogon
->data
.nt5_ex
.sockaddr
.pdc_ip
= pdc_ip
;
331 netlogon
->data
.nt5_ex
.sockaddr
.remaining
= data_blob_talloc_zero(mem_ctx
, 8);
333 netlogon
->data
.nt5_ex
.server_type
= server_type
;
334 netlogon
->data
.nt5_ex
.nt_version
= NETLOGON_NT_VERSION_1
|NETLOGON_NT_VERSION_5EX
|extra_flags
;
335 netlogon
->data
.nt5_ex
.lmnt_token
= 0xFFFF;
336 netlogon
->data
.nt5_ex
.lm20_token
= 0xFFFF;
338 } else if (version
& NETLOGON_NT_VERSION_5
) {
339 netlogon
->ntver
= NETLOGON_NT_VERSION_5
;
341 /* could check if the user exists */
343 netlogon
->data
.nt5
.command
= LOGON_SAM_LOGON_RESPONSE
;
345 netlogon
->data
.nt5
.command
= LOGON_SAM_LOGON_USER_UNKNOWN
;
347 netlogon
->data
.nt5
.pdc_name
= pdc_name
;
348 netlogon
->data
.nt5
.user_name
= user
;
349 netlogon
->data
.nt5
.domain_name
= flatname
;
350 netlogon
->data
.nt5
.domain_uuid
= domain_uuid
;
351 netlogon
->data
.nt5
.forest
= forest_domain
;
352 netlogon
->data
.nt5
.dns_domain
= dns_domain
;
353 netlogon
->data
.nt5
.pdc_dns_name
= pdc_dns_name
;
354 netlogon
->data
.nt5
.pdc_ip
= pdc_ip
;
355 netlogon
->data
.nt5
.server_type
= server_type
;
356 netlogon
->data
.nt5
.nt_version
= NETLOGON_NT_VERSION_1
|NETLOGON_NT_VERSION_5
;
357 netlogon
->data
.nt5
.lmnt_token
= 0xFFFF;
358 netlogon
->data
.nt5
.lm20_token
= 0xFFFF;
360 } else /* (version & NETLOGON_NT_VERSION_1) and all other cases */ {
361 netlogon
->ntver
= NETLOGON_NT_VERSION_1
;
362 /* could check if the user exists */
364 netlogon
->data
.nt4
.command
= LOGON_SAM_LOGON_RESPONSE
;
366 netlogon
->data
.nt4
.command
= LOGON_SAM_LOGON_USER_UNKNOWN
;
368 netlogon
->data
.nt4
.pdc_name
= pdc_name
;
369 netlogon
->data
.nt4
.user_name
= user
;
370 netlogon
->data
.nt4
.domain_name
= flatname
;
371 netlogon
->data
.nt4
.nt_version
= NETLOGON_NT_VERSION_1
;
372 netlogon
->data
.nt4
.lmnt_token
= 0xFFFF;
373 netlogon
->data
.nt4
.lm20_token
= 0xFFFF;
381 handle incoming cldap requests
383 void cldapd_netlogon_request(struct cldap_socket
*cldap
,
384 struct cldapd_server
*cldapd
,
387 struct ldb_parse_tree
*tree
,
388 struct tsocket_address
*src
)
391 const char *domain
= NULL
;
392 const char *host
= NULL
;
393 const char *user
= NULL
;
394 const char *domain_guid
= NULL
;
395 struct dom_sid
*domain_sid
= NULL
;
396 int acct_control
= -1;
398 struct netlogon_samlogon_response netlogon
;
399 NTSTATUS status
= NT_STATUS_INVALID_PARAMETER
;
401 if (tree
->operation
!= LDB_OP_AND
) goto failed
;
403 /* extract the query elements */
404 for (i
=0;i
<tree
->u
.list
.num_elements
;i
++) {
405 struct ldb_parse_tree
*t
= tree
->u
.list
.elements
[i
];
406 if (t
->operation
!= LDB_OP_EQUALITY
) goto failed
;
407 if (strcasecmp(t
->u
.equality
.attr
, "DnsDomain") == 0) {
408 domain
= talloc_strndup(tmp_ctx
,
409 (const char *)t
->u
.equality
.value
.data
,
410 t
->u
.equality
.value
.length
);
412 if (strcasecmp(t
->u
.equality
.attr
, "Host") == 0) {
413 host
= talloc_strndup(tmp_ctx
,
414 (const char *)t
->u
.equality
.value
.data
,
415 t
->u
.equality
.value
.length
);
417 if (strcasecmp(t
->u
.equality
.attr
, "DomainGuid") == 0) {
420 enc_status
= ldap_decode_ndr_GUID(tmp_ctx
,
421 t
->u
.equality
.value
, &guid
);
422 if (NT_STATUS_IS_OK(enc_status
)) {
423 domain_guid
= GUID_string(tmp_ctx
, &guid
);
426 if (strcasecmp(t
->u
.equality
.attr
, "DomainSid") == 0) {
427 enum ndr_err_code ndr_err
;
429 domain_sid
= talloc(tmp_ctx
, struct dom_sid
);
430 if (domain_sid
== NULL
) {
433 ndr_err
= ndr_pull_struct_blob(&t
->u
.equality
.value
,
434 domain_sid
, domain_sid
,
435 (ndr_pull_flags_fn_t
)ndr_pull_dom_sid
);
436 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
437 talloc_free(domain_sid
);
441 if (strcasecmp(t
->u
.equality
.attr
, "User") == 0) {
442 user
= talloc_strndup(tmp_ctx
,
443 (const char *)t
->u
.equality
.value
.data
,
444 t
->u
.equality
.value
.length
);
446 if (strcasecmp(t
->u
.equality
.attr
, "NtVer") == 0 &&
447 t
->u
.equality
.value
.length
== 4) {
448 version
= IVAL(t
->u
.equality
.value
.data
, 0);
450 if (strcasecmp(t
->u
.equality
.attr
, "AAC") == 0 &&
451 t
->u
.equality
.value
.length
== 4) {
452 acct_control
= IVAL(t
->u
.equality
.value
.data
, 0);
456 if ((domain
== NULL
) && (domain_guid
== NULL
) && (domain_sid
== NULL
)) {
457 domain
= lpcfg_dnsdomain(cldapd
->task
->lp_ctx
);
464 DEBUG(5,("cldap netlogon query domain=%s host=%s user=%s version=%d guid=%s\n",
465 domain
, host
, user
, version
, domain_guid
));
467 status
= fill_netlogon_samlogon_response(cldapd
->samctx
, tmp_ctx
,
468 domain
, NULL
, domain_sid
,
471 tsocket_address_inet_addr_string(src
, tmp_ctx
),
472 version
, cldapd
->task
->lp_ctx
,
474 if (!NT_STATUS_IS_OK(status
)) {
478 status
= cldap_netlogon_reply(cldap
, message_id
, src
, version
, &netlogon
);
479 if (!NT_STATUS_IS_OK(status
)) {
486 DEBUG(2,("cldap netlogon query failed domain=%s host=%s version=%d - %s\n",
487 domain
, host
, version
, nt_errstr(status
)));
488 cldap_empty_reply(cldap
, message_id
, src
);