2 Unix SMB/CIFS implementation.
4 Do a netr_LogonSamLogon to a remote DC
6 Copyright (C) Volker Lendecke 2005
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
8 Copyright (C) Stefan Metzmacher 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/composite/composite.h"
26 #include "winbind/wb_server.h"
27 #include "smbd/service_task.h"
28 #include "auth/credentials/credentials.h"
29 #include "libcli/auth/libcli_auth.h"
30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
32 struct wb_sam_logon_state
{
33 struct composite_context
*ctx
;
35 struct winbind_SamLogon
*req
;
37 struct netlogon_creds_CredentialState
*creds_state
;
38 struct netr_Authenticator auth1
, auth2
;
40 TALLOC_CTX
*r_mem_ctx
;
41 struct netr_LogonSamLogon r
;
44 static void wb_sam_logon_recv_domain(struct composite_context
*ctx
);
45 static void wb_sam_logon_recv_samlogon(struct rpc_request
*req
);
48 Find the connection to the DC (or find an existing connection)
50 struct composite_context
*wb_sam_logon_send(TALLOC_CTX
*mem_ctx
,
51 struct wbsrv_service
*service
,
52 struct winbind_SamLogon
*req
)
54 struct composite_context
*c
, *creq
;
55 struct wb_sam_logon_state
*s
;
57 c
= composite_create(mem_ctx
, service
->task
->event_ctx
);
60 s
= talloc_zero(c
, struct wb_sam_logon_state
);
61 if (composite_nomem(s
, c
)) return c
;
67 creq
= wb_sid2domain_send(s
, service
, service
->primary_sid
);
68 composite_continue(c
, creq
, wb_sam_logon_recv_domain
, s
);
73 Having finished making the connection to the DC
74 Send of a SamLogon request to authenticate a user.
76 static void wb_sam_logon_recv_domain(struct composite_context
*creq
)
78 struct wb_sam_logon_state
*s
= talloc_get_type(creq
->async
.private_data
,
79 struct wb_sam_logon_state
);
80 struct rpc_request
*req
;
81 struct wbsrv_domain
*domain
;
83 s
->ctx
->status
= wb_sid2domain_recv(creq
, &domain
);
84 if (!composite_is_ok(s
->ctx
)) return;
86 s
->creds_state
= cli_credentials_get_netlogon_creds(domain
->libnet_ctx
->cred
);
87 netlogon_creds_client_authenticator(s
->creds_state
, &s
->auth1
);
89 s
->r
.in
.server_name
= talloc_asprintf(s
, "\\\\%s",
90 dcerpc_server_name(domain
->netlogon_pipe
));
91 if (composite_nomem(s
->r
.in
.server_name
, s
->ctx
)) return;
93 s
->r
.in
.computer_name
= cli_credentials_get_workstation(domain
->libnet_ctx
->cred
);
94 s
->r
.in
.credential
= &s
->auth1
;
95 s
->r
.in
.return_authenticator
= &s
->auth2
;
96 s
->r
.in
.logon_level
= s
->req
->in
.logon_level
;
97 s
->r
.in
.logon
= &s
->req
->in
.logon
;
98 s
->r
.in
.validation_level
= s
->req
->in
.validation_level
;
99 s
->r
.out
.return_authenticator
= NULL
;
100 s
->r
.out
.validation
= talloc(s
, union netr_Validation
);
101 if (composite_nomem(s
->r
.out
.validation
, s
->ctx
)) return;
102 s
->r
.out
.authoritative
= talloc(s
, uint8_t);
103 if (composite_nomem(s
->r
.out
.authoritative
, s
->ctx
)) return;
107 * use a new talloc context for the LogonSamLogon call
108 * because then we can just to a talloc_steal on this context
109 * in the final _recv() function to give the caller all the content of
110 * the s->r.out.validation
112 s
->r_mem_ctx
= talloc_new(s
);
113 if (composite_nomem(s
->r_mem_ctx
, s
->ctx
)) return;
115 req
= dcerpc_netr_LogonSamLogon_send(domain
->netlogon_pipe
, s
->r_mem_ctx
, &s
->r
);
116 composite_continue_rpc(s
->ctx
, req
, wb_sam_logon_recv_samlogon
, s
);
122 Check the SamLogon reply and decrypt the session keys
124 static void wb_sam_logon_recv_samlogon(struct rpc_request
*req
)
126 struct wb_sam_logon_state
*s
= talloc_get_type(req
->async
.private_data
,
127 struct wb_sam_logon_state
);
129 s
->ctx
->status
= dcerpc_netr_LogonSamLogon_recv(req
);
130 if (!composite_is_ok(s
->ctx
)) return;
132 s
->ctx
->status
= s
->r
.out
.result
;
133 if (!composite_is_ok(s
->ctx
)) return;
135 if ((s
->r
.out
.return_authenticator
== NULL
) ||
136 (!netlogon_creds_client_check(s
->creds_state
,
137 &s
->r
.out
.return_authenticator
->cred
))) {
138 DEBUG(0, ("Credentials check failed!\n"));
139 composite_error(s
->ctx
, NT_STATUS_ACCESS_DENIED
);
143 /* Decrypt the session keys before we reform the info3, so the
144 * person on the other end of winbindd pipe doesn't have to.
145 * They won't have the encryption key anyway */
146 netlogon_creds_decrypt_samlogon(s
->creds_state
,
147 s
->r
.in
.validation_level
,
148 s
->r
.out
.validation
);
150 composite_done(s
->ctx
);
153 NTSTATUS
wb_sam_logon_recv(struct composite_context
*c
,
155 struct winbind_SamLogon
*req
)
157 struct wb_sam_logon_state
*s
= talloc_get_type(c
->private_data
,
158 struct wb_sam_logon_state
);
159 NTSTATUS status
= composite_wait(c
);
161 if (NT_STATUS_IS_OK(status
)) {
162 talloc_steal(mem_ctx
, s
->r_mem_ctx
);
163 req
->out
.validation
= *s
->r
.out
.validation
;
164 req
->out
.authoritative
= 1;