2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997.
7 * Copyright (C) Jeremy Allison 1998-2001.
8 * Copyright (C) Andrew Bartlett 2001.
9 * Copyright (C) Guenther Deschner 2008.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 /* This is the implementation of the netlogon pipe. */
28 #include "../libcli/auth/libcli_auth.h"
30 extern userdom_struct current_user_info
;
33 #define DBGC_CLASS DBGC_RPC_SRV
35 /*******************************************************************
36 Inits a netr_NETLOGON_INFO_1 structure.
37 ********************************************************************/
39 static void init_netlogon_info1(struct netr_NETLOGON_INFO_1
*r
,
41 uint32_t pdc_connection_status
)
44 r
->pdc_connection_status
= pdc_connection_status
;
47 /*******************************************************************
48 Inits a netr_NETLOGON_INFO_2 structure.
49 ********************************************************************/
51 static void init_netlogon_info2(struct netr_NETLOGON_INFO_2
*r
,
53 uint32_t pdc_connection_status
,
54 const char *trusted_dc_name
,
55 uint32_t tc_connection_status
)
58 r
->pdc_connection_status
= pdc_connection_status
;
59 r
->trusted_dc_name
= trusted_dc_name
;
60 r
->tc_connection_status
= tc_connection_status
;
63 /*******************************************************************
64 Inits a netr_NETLOGON_INFO_3 structure.
65 ********************************************************************/
67 static void init_netlogon_info3(struct netr_NETLOGON_INFO_3
*r
,
69 uint32_t logon_attempts
)
72 r
->logon_attempts
= logon_attempts
;
75 /*************************************************************************
77 *************************************************************************/
79 WERROR
_netr_LogonControl(pipes_struct
*p
,
80 struct netr_LogonControl
*r
)
82 struct netr_LogonControl2Ex l
;
84 switch (r
->in
.level
) {
88 return WERR_NOT_SUPPORTED
;
90 return WERR_UNKNOWN_LEVEL
;
93 l
.in
.logon_server
= r
->in
.logon_server
;
94 l
.in
.function_code
= r
->in
.function_code
;
95 l
.in
.level
= r
->in
.level
;
97 l
.out
.query
= r
->out
.query
;
99 return _netr_LogonControl2Ex(p
, &l
);
102 /****************************************************************************
103 Send a message to smbd to do a sam synchronisation
104 **************************************************************************/
106 static void send_sync_message(void)
108 DEBUG(3, ("sending sam synchronisation message\n"));
109 message_send_all(smbd_messaging_context(), MSG_SMB_SAM_SYNC
, NULL
, 0,
113 /*************************************************************************
115 *************************************************************************/
117 WERROR
_netr_LogonControl2(pipes_struct
*p
,
118 struct netr_LogonControl2
*r
)
120 struct netr_LogonControl2Ex l
;
122 l
.in
.logon_server
= r
->in
.logon_server
;
123 l
.in
.function_code
= r
->in
.function_code
;
124 l
.in
.level
= r
->in
.level
;
125 l
.in
.data
= r
->in
.data
;
126 l
.out
.query
= r
->out
.query
;
128 return _netr_LogonControl2Ex(p
, &l
);
131 /****************************************************************
132 _netr_LogonControl2Ex
133 ****************************************************************/
135 WERROR
_netr_LogonControl2Ex(pipes_struct
*p
,
136 struct netr_LogonControl2Ex
*r
)
139 uint32 pdc_connection_status
= 0x0;
140 uint32 logon_attempts
= 0x0;
143 const char *dc_name
= NULL
;
144 struct sockaddr_storage dc_ss
;
145 const char *domain
= NULL
;
146 struct netr_NETLOGON_INFO_1
*info1
;
147 struct netr_NETLOGON_INFO_2
*info2
;
148 struct netr_NETLOGON_INFO_3
*info3
;
151 switch (p
->hdr_req
.opnum
) {
152 case NDR_NETR_LOGONCONTROL
:
153 fn
= "_netr_LogonControl";
155 case NDR_NETR_LOGONCONTROL2
:
156 fn
= "_netr_LogonControl2";
158 case NDR_NETR_LOGONCONTROL2EX
:
159 fn
= "_netr_LogonControl2Ex";
162 return WERR_INVALID_PARAM
;
165 tc_status
= W_ERROR_V(WERR_NO_SUCH_DOMAIN
);
167 switch (r
->in
.function_code
) {
168 case NETLOGON_CONTROL_TC_QUERY
:
169 domain
= r
->in
.data
->domain
;
171 if ( !is_trusted_domain( domain
) )
174 if ( !get_dc_name( domain
, NULL
, dc_name2
, &dc_ss
) ) {
175 tc_status
= W_ERROR_V(WERR_NO_LOGON_SERVERS
);
179 dc_name
= talloc_asprintf(p
->mem_ctx
, "\\\\%s", dc_name2
);
184 tc_status
= W_ERROR_V(WERR_OK
);
188 case NETLOGON_CONTROL_REDISCOVER
:
189 domain
= r
->in
.data
->domain
;
191 if ( !is_trusted_domain( domain
) )
194 if ( !get_dc_name( domain
, NULL
, dc_name2
, &dc_ss
) ) {
195 tc_status
= W_ERROR_V(WERR_NO_LOGON_SERVERS
);
199 dc_name
= talloc_asprintf(p
->mem_ctx
, "\\\\%s", dc_name2
);
204 tc_status
= W_ERROR_V(WERR_OK
);
209 /* no idea what this should be */
210 DEBUG(0,("%s: unimplemented function level [%d]\n",
211 fn
, r
->in
.function_code
));
212 return WERR_UNKNOWN_LEVEL
;
215 /* prepare the response */
217 switch (r
->in
.level
) {
219 info1
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_1
);
220 W_ERROR_HAVE_NO_MEMORY(info1
);
222 init_netlogon_info1(info1
,
224 pdc_connection_status
);
225 r
->out
.query
->info1
= info1
;
228 info2
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_2
);
229 W_ERROR_HAVE_NO_MEMORY(info2
);
231 init_netlogon_info2(info2
,
233 pdc_connection_status
,
236 r
->out
.query
->info2
= info2
;
239 info3
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_NETLOGON_INFO_3
);
240 W_ERROR_HAVE_NO_MEMORY(info3
);
242 init_netlogon_info3(info3
,
245 r
->out
.query
->info3
= info3
;
248 return WERR_UNKNOWN_LEVEL
;
251 if (lp_server_role() == ROLE_DOMAIN_BDC
) {
258 /*************************************************************************
259 _netr_NetrEnumerateTrustedDomains
260 *************************************************************************/
262 WERROR
_netr_NetrEnumerateTrustedDomains(pipes_struct
*p
,
263 struct netr_NetrEnumerateTrustedDomains
*r
)
265 struct netr_Blob trusted_domains_blob
;
268 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__
));
270 /* set up the Trusted Domain List response */
272 blob
= data_blob_talloc_zero(p
->mem_ctx
, 2);
273 trusted_domains_blob
.data
= blob
.data
;
274 trusted_domains_blob
.length
= blob
.length
;
276 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__
));
278 *r
->out
.trusted_domains_blob
= trusted_domains_blob
;
283 /******************************************************************
284 gets a machine password entry. checks access rights of the host.
285 ******************************************************************/
287 static NTSTATUS
get_md4pw(struct samr_Password
*md4pw
, const char *mach_acct
,
288 uint16_t sec_chan_type
, uint32_t *rid
)
290 struct samu
*sampass
= NULL
;
296 char addr
[INET6_ADDRSTRLEN
];
299 * Currently this code is redundent as we already have a filter
300 * by hostname list. What this code really needs to do is to
301 * get a hosts allowed/hosts denied list from the SAM database
302 * on a per user basis, and make the access decision there.
303 * I will leave this code here for now as a reminder to implement
304 * this at a later date. JRA.
307 if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
308 client_name(get_client_fd()),
309 client_addr(get_client_fd(),addr
,sizeof(addr
)))) {
310 DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct
));
315 if ( !(sampass
= samu_new( NULL
)) ) {
316 return NT_STATUS_NO_MEMORY
;
319 /* JRA. This is ok as it is only used for generating the challenge. */
321 ret
= pdb_getsampwnam(sampass
, mach_acct
);
325 DEBUG(0,("get_md4pw: Workstation %s: no account in domain\n", mach_acct
));
326 TALLOC_FREE(sampass
);
327 return NT_STATUS_ACCESS_DENIED
;
330 acct_ctrl
= pdb_get_acct_ctrl(sampass
);
331 if (acct_ctrl
& ACB_DISABLED
) {
332 DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct
));
333 TALLOC_FREE(sampass
);
334 return NT_STATUS_ACCOUNT_DISABLED
;
337 if (!(acct_ctrl
& ACB_SVRTRUST
) &&
338 !(acct_ctrl
& ACB_WSTRUST
) &&
339 !(acct_ctrl
& ACB_DOMTRUST
))
341 DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct
));
342 TALLOC_FREE(sampass
);
343 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
346 switch (sec_chan_type
) {
348 if (!(acct_ctrl
& ACB_SVRTRUST
)) {
349 DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
350 "but not a server trust account\n", mach_acct
));
351 TALLOC_FREE(sampass
);
352 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
356 if (!(acct_ctrl
& ACB_WSTRUST
)) {
357 DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
358 "but not a workstation trust account\n", mach_acct
));
359 TALLOC_FREE(sampass
);
360 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
363 case SEC_CHAN_DOMAIN
:
364 if (!(acct_ctrl
& ACB_DOMTRUST
)) {
365 DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
366 "but not a interdomain trust account\n", mach_acct
));
367 TALLOC_FREE(sampass
);
368 return NT_STATUS_NO_TRUST_SAM_ACCOUNT
;
375 if ((pass
= pdb_get_nt_passwd(sampass
)) == NULL
) {
376 DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct
));
377 TALLOC_FREE(sampass
);
378 return NT_STATUS_LOGON_FAILURE
;
381 memcpy(md4pw
->hash
, pass
, 16);
382 dump_data(5, md4pw
->hash
, 16);
385 *rid
= pdb_get_user_rid(sampass
);
388 TALLOC_FREE(sampass
);
395 /*************************************************************************
396 _netr_ServerReqChallenge
397 *************************************************************************/
399 NTSTATUS
_netr_ServerReqChallenge(pipes_struct
*p
,
400 struct netr_ServerReqChallenge
*r
)
403 p
->dc
= TALLOC_ZERO_P(p
, struct dcinfo
);
405 return NT_STATUS_NO_MEMORY
;
408 DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));
412 fstrcpy(p
->dc
->remote_machine
, r
->in
.computer_name
);
414 /* Save the client challenge to the server. */
415 memcpy(p
->dc
->clnt_chal
.data
, r
->in
.credentials
->data
,
416 sizeof(r
->in
.credentials
->data
));
418 /* Create a server challenge for the client */
419 /* Set this to a random value. */
420 generate_random_buffer(p
->dc
->srv_chal
.data
, 8);
422 /* set up the LSA REQUEST CHALLENGE response */
423 *r
->out
.return_credentials
= p
->dc
->srv_chal
;
425 p
->dc
->challenge_sent
= True
;
430 /*************************************************************************
431 _netr_ServerAuthenticate
432 Create the initial credentials.
433 *************************************************************************/
435 NTSTATUS
_netr_ServerAuthenticate(pipes_struct
*p
,
436 struct netr_ServerAuthenticate
*r
)
438 struct netr_ServerAuthenticate3 a
;
439 uint32_t negotiate_flags
= 0;
442 a
.in
.server_name
= r
->in
.server_name
;
443 a
.in
.account_name
= r
->in
.account_name
;
444 a
.in
.secure_channel_type
= r
->in
.secure_channel_type
;
445 a
.in
.computer_name
= r
->in
.computer_name
;
446 a
.in
.credentials
= r
->in
.credentials
;
447 a
.in
.negotiate_flags
= &negotiate_flags
;
449 a
.out
.return_credentials
= r
->out
.return_credentials
;
451 a
.out
.negotiate_flags
= &negotiate_flags
;
453 return _netr_ServerAuthenticate3(p
, &a
);
457 /*************************************************************************
458 _netr_ServerAuthenticate3
459 *************************************************************************/
461 NTSTATUS
_netr_ServerAuthenticate3(pipes_struct
*p
,
462 struct netr_ServerAuthenticate3
*r
)
466 /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
467 * so use a copy to avoid destroying the client values. */
468 uint32_t in_neg_flags
= *r
->in
.negotiate_flags
;
469 struct netr_Credential srv_chal_out
;
472 struct samr_Password mach_pwd
;
474 /* According to Microsoft (see bugid #6099)
475 * Windows 7 looks at the negotiate_flags
476 * returned in this structure *even if the
477 * call fails with access denied* ! So in order
478 * to allow Win7 to connect to a Samba NT style
479 * PDC we set the flags before we know if it's
484 srv_flgs
= NETLOGON_NEG_ACCOUNT_LOCKOUT
|
485 NETLOGON_NEG_PERSISTENT_SAMREPL
|
486 NETLOGON_NEG_ARCFOUR
|
487 NETLOGON_NEG_PROMOTION_COUNT
|
488 NETLOGON_NEG_CHANGELOG_BDC
|
489 NETLOGON_NEG_FULL_SYNC_REPL
|
490 NETLOGON_NEG_MULTIPLE_SIDS
|
492 NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
;
494 /* Ensure we support strong (128-bit) keys. */
495 if (in_neg_flags
& NETLOGON_NEG_STRONG_KEYS
) {
496 srv_flgs
|= NETLOGON_NEG_STRONG_KEYS
;
499 if (lp_server_schannel() != false) {
500 srv_flgs
|= NETLOGON_NEG_SCHANNEL
;
503 switch (p
->hdr_req
.opnum
) {
504 case NDR_NETR_SERVERAUTHENTICATE
:
505 fn
= "_netr_ServerAuthenticate";
507 case NDR_NETR_SERVERAUTHENTICATE2
:
508 fn
= "_netr_ServerAuthenticate2";
510 case NDR_NETR_SERVERAUTHENTICATE3
:
511 fn
= "_netr_ServerAuthenticate3";
514 return NT_STATUS_INTERNAL_ERROR
;
517 /* We use this as the key to store the creds: */
518 /* r->in.computer_name */
520 if (!p
->dc
|| !p
->dc
->challenge_sent
) {
521 DEBUG(0,("%s: no challenge sent to client %s\n", fn
,
522 r
->in
.computer_name
));
523 status
= NT_STATUS_ACCESS_DENIED
;
527 if ( (lp_server_schannel() == true) &&
528 ((in_neg_flags
& NETLOGON_NEG_SCHANNEL
) == 0) ) {
530 /* schannel must be used, but client did not offer it. */
531 DEBUG(0,("%s: schannel required but client failed "
532 "to offer it. Client was %s\n",
533 fn
, r
->in
.account_name
));
534 status
= NT_STATUS_ACCESS_DENIED
;
538 status
= get_md4pw(&mach_pwd
,
540 r
->in
.secure_channel_type
,
542 if (!NT_STATUS_IS_OK(status
)) {
543 DEBUG(0,("%s: failed to get machine password for "
545 fn
, r
->in
.account_name
, nt_errstr(status
) ));
546 /* always return NT_STATUS_ACCESS_DENIED */
547 status
= NT_STATUS_ACCESS_DENIED
;
551 /* From the client / server challenges and md4 password, generate sess key */
552 creds_server_init(in_neg_flags
,
554 &p
->dc
->clnt_chal
, /* Stored client chal. */
555 &p
->dc
->srv_chal
, /* Stored server chal. */
559 /* Check client credentials are valid. */
560 if (!netlogon_creds_server_check(p
->dc
, r
->in
.credentials
)) {
561 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
562 "request from client %s machine account %s\n",
563 fn
, r
->in
.computer_name
,
564 r
->in
.account_name
));
565 status
= NT_STATUS_ACCESS_DENIED
;
568 /* set up the LSA AUTH 2 response */
569 memcpy(r
->out
.return_credentials
->data
, &srv_chal_out
.data
,
570 sizeof(r
->out
.return_credentials
->data
));
572 fstrcpy(p
->dc
->mach_acct
, r
->in
.account_name
);
573 fstrcpy(p
->dc
->remote_machine
, r
->in
.computer_name
);
574 fstrcpy(p
->dc
->domain
, lp_workgroup() );
576 p
->dc
->authenticated
= True
;
578 /* Store off the state so we can continue after client disconnect. */
580 secrets_store_schannel_session_info(p
->mem_ctx
,
587 status
= NT_STATUS_OK
;
591 *r
->out
.negotiate_flags
= srv_flgs
;
595 /*************************************************************************
596 _netr_ServerAuthenticate2
597 *************************************************************************/
599 NTSTATUS
_netr_ServerAuthenticate2(pipes_struct
*p
,
600 struct netr_ServerAuthenticate2
*r
)
602 struct netr_ServerAuthenticate3 a
;
605 a
.in
.server_name
= r
->in
.server_name
;
606 a
.in
.account_name
= r
->in
.account_name
;
607 a
.in
.secure_channel_type
= r
->in
.secure_channel_type
;
608 a
.in
.computer_name
= r
->in
.computer_name
;
609 a
.in
.credentials
= r
->in
.credentials
;
610 a
.in
.negotiate_flags
= r
->in
.negotiate_flags
;
612 a
.out
.return_credentials
= r
->out
.return_credentials
;
614 a
.out
.negotiate_flags
= r
->out
.negotiate_flags
;
616 return _netr_ServerAuthenticate3(p
, &a
);
619 /*************************************************************************
620 _netr_ServerPasswordSet
621 *************************************************************************/
623 NTSTATUS
_netr_ServerPasswordSet(pipes_struct
*p
,
624 struct netr_ServerPasswordSet
*r
)
626 NTSTATUS status
= NT_STATUS_OK
;
627 struct samu
*sampass
=NULL
;
629 unsigned char pwd
[16];
632 struct netr_Authenticator cred_out
;
635 DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__
));
637 if ( (lp_server_schannel() == True
) && (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) ) {
638 /* 'server schannel = yes' should enforce use of
639 schannel, the client did offer it in auth2, but
640 obviously did not use it. */
641 DEBUG(0,("_netr_ServerPasswordSet: client %s not using schannel for netlogon\n",
642 r
->in
.computer_name
));
643 return NT_STATUS_ACCESS_DENIED
;
647 /* Restore the saved state of the netlogon creds. */
649 ret
= secrets_restore_schannel_session_info(p
, r
->in
.computer_name
,
653 return NT_STATUS_INVALID_HANDLE
;
657 if (!p
->dc
|| !p
->dc
->authenticated
) {
658 return NT_STATUS_INVALID_HANDLE
;
661 DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
662 r
->in
.computer_name
, p
->dc
->mach_acct
));
664 /* Step the creds chain forward. */
665 if (!netlogon_creds_server_step(p
->dc
, r
->in
.credential
, &cred_out
)) {
666 DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
667 "request from client %s machine account %s\n",
668 r
->in
.computer_name
, p
->dc
->mach_acct
));
669 return NT_STATUS_INVALID_PARAMETER
;
672 /* We must store the creds state after an update. */
673 sampass
= samu_new( NULL
);
675 return NT_STATUS_NO_MEMORY
;
679 secrets_store_schannel_session_info(p
, r
->in
.computer_name
, p
->dc
);
680 ret
= pdb_getsampwnam(sampass
, p
->dc
->mach_acct
);
684 TALLOC_FREE(sampass
);
685 return NT_STATUS_ACCESS_DENIED
;
688 /* Ensure the account exists and is a machine account. */
690 acct_ctrl
= pdb_get_acct_ctrl(sampass
);
692 if (!(acct_ctrl
& ACB_WSTRUST
||
693 acct_ctrl
& ACB_SVRTRUST
||
694 acct_ctrl
& ACB_DOMTRUST
)) {
695 TALLOC_FREE(sampass
);
696 return NT_STATUS_NO_SUCH_USER
;
699 if (pdb_get_acct_ctrl(sampass
) & ACB_DISABLED
) {
700 TALLOC_FREE(sampass
);
701 return NT_STATUS_ACCOUNT_DISABLED
;
704 /* Woah - what does this to to the credential chain ? JRA */
705 cred_hash3(pwd
, r
->in
.new_password
->hash
, p
->dc
->sess_key
, 0);
707 DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
708 for(i
= 0; i
< sizeof(pwd
); i
++)
709 DEBUG(100,("%02X ", pwd
[i
]));
712 old_pw
= pdb_get_nt_passwd(sampass
);
714 if (old_pw
&& memcmp(pwd
, old_pw
, 16) == 0) {
715 /* Avoid backend modificiations and other fun if the
716 client changed the password to the *same thing* */
721 /* LM password should be NULL for machines */
722 if (!pdb_set_lanman_passwd(sampass
, NULL
, PDB_CHANGED
)) {
723 TALLOC_FREE(sampass
);
724 return NT_STATUS_NO_MEMORY
;
727 if (!pdb_set_nt_passwd(sampass
, pwd
, PDB_CHANGED
)) {
728 TALLOC_FREE(sampass
);
729 return NT_STATUS_NO_MEMORY
;
732 if (!pdb_set_pass_last_set_time(sampass
, time(NULL
), PDB_CHANGED
)) {
733 TALLOC_FREE(sampass
);
734 /* Not quite sure what this one qualifies as, but this will do */
735 return NT_STATUS_UNSUCCESSFUL
;
739 status
= pdb_update_sam_account(sampass
);
743 /* set up the LSA Server Password Set response */
745 memcpy(r
->out
.return_authenticator
, &cred_out
,
746 sizeof(*(r
->out
.return_authenticator
)));
748 TALLOC_FREE(sampass
);
752 /*************************************************************************
754 *************************************************************************/
756 NTSTATUS
_netr_LogonSamLogoff(pipes_struct
*p
,
757 struct netr_LogonSamLogoff
*r
)
759 if ( (lp_server_schannel() == True
) && (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) ) {
760 /* 'server schannel = yes' should enforce use of
761 schannel, the client did offer it in auth2, but
762 obviously did not use it. */
763 DEBUG(0,("_netr_LogonSamLogoff: client %s not using schannel for netlogon\n",
764 get_remote_machine_name() ));
765 return NT_STATUS_ACCESS_DENIED
;
769 /* Using the remote machine name for the creds store: */
770 /* r->in.computer_name */
773 /* Restore the saved state of the netlogon creds. */
777 ret
= secrets_restore_schannel_session_info(
778 p
, r
->in
.computer_name
, &p
->dc
);
781 return NT_STATUS_INVALID_HANDLE
;
785 if (!p
->dc
|| !p
->dc
->authenticated
) {
786 return NT_STATUS_INVALID_HANDLE
;
789 /* checks and updates credentials. creates reply credentials */
790 if (!netlogon_creds_server_step(p
->dc
, r
->in
.credential
, r
->out
.return_authenticator
)) {
791 DEBUG(2,("_netr_LogonSamLogoff: netlogon_creds_server_step failed. Rejecting auth "
792 "request from client %s machine account %s\n",
793 r
->in
.computer_name
, p
->dc
->mach_acct
));
794 return NT_STATUS_INVALID_PARAMETER
;
797 /* We must store the creds state after an update. */
799 secrets_store_schannel_session_info(p
, r
->in
.computer_name
, p
->dc
);
805 /*************************************************************************
807 *************************************************************************/
809 NTSTATUS
_netr_LogonSamLogon(pipes_struct
*p
,
810 struct netr_LogonSamLogon
*r
)
812 NTSTATUS status
= NT_STATUS_OK
;
813 union netr_LogonLevel
*logon
= r
->in
.logon
;
814 const char *nt_username
, *nt_domain
, *nt_workstation
;
815 auth_usersupplied_info
*user_info
= NULL
;
816 auth_serversupplied_info
*server_info
= NULL
;
817 struct auth_context
*auth_context
= NULL
;
818 uint8_t pipe_session_key
[16];
819 bool process_creds
= true;
822 switch (p
->hdr_req
.opnum
) {
823 case NDR_NETR_LOGONSAMLOGON
:
824 process_creds
= true;
825 fn
= "_netr_LogonSamLogon";
827 case NDR_NETR_LOGONSAMLOGONEX
:
828 process_creds
= false;
829 fn
= "_netr_LogonSamLogonEx";
832 return NT_STATUS_INTERNAL_ERROR
;
835 if ( (lp_server_schannel() == True
) && (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) ) {
836 /* 'server schannel = yes' should enforce use of
837 schannel, the client did offer it in auth2, but
838 obviously did not use it. */
839 DEBUG(0,("%s: client %s not using schannel for netlogon\n",
840 fn
, get_remote_machine_name() ));
841 return NT_STATUS_ACCESS_DENIED
;
844 *r
->out
.authoritative
= true; /* authoritative response */
846 switch (r
->in
.validation_level
) {
848 r
->out
.validation
->sam2
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_SamInfo2
);
849 if (!r
->out
.validation
->sam2
) {
850 return NT_STATUS_NO_MEMORY
;
854 r
->out
.validation
->sam3
= TALLOC_ZERO_P(p
->mem_ctx
, struct netr_SamInfo3
);
855 if (!r
->out
.validation
->sam3
) {
856 return NT_STATUS_NO_MEMORY
;
860 DEBUG(0,("%s: bad validation_level value %d.\n",
861 fn
, (int)r
->in
.validation_level
));
862 return NT_STATUS_INVALID_INFO_CLASS
;
867 /* Get the remote machine name for the creds store. */
868 /* Note this is the remote machine this request is coming from (member server),
869 not neccessarily the workstation name the user is logging onto.
873 /* Restore the saved state of the netlogon creds. */
877 ret
= secrets_restore_schannel_session_info(
878 p
, r
->in
.computer_name
, &p
->dc
);
881 return NT_STATUS_INVALID_HANDLE
;
885 if (!p
->dc
|| !p
->dc
->authenticated
) {
886 return NT_STATUS_INVALID_HANDLE
;
889 /* checks and updates credentials. creates reply credentials */
890 if (!netlogon_creds_server_step(p
->dc
, r
->in
.credential
, r
->out
.return_authenticator
)) {
891 DEBUG(2,("%s: creds_server_step failed. Rejecting auth "
892 "request from client %s machine account %s\n",
893 fn
, r
->in
.computer_name
, p
->dc
->mach_acct
));
894 return NT_STATUS_INVALID_PARAMETER
;
897 /* We must store the creds state after an update. */
899 secrets_store_schannel_session_info(p
, r
->in
.computer_name
, p
->dc
);
903 switch (r
->in
.logon_level
) {
904 case NetlogonInteractiveInformation
:
905 nt_username
= logon
->password
->identity_info
.account_name
.string
;
906 nt_domain
= logon
->password
->identity_info
.domain_name
.string
;
907 nt_workstation
= logon
->password
->identity_info
.workstation
.string
;
909 DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
911 case NetlogonNetworkInformation
:
912 nt_username
= logon
->network
->identity_info
.account_name
.string
;
913 nt_domain
= logon
->network
->identity_info
.domain_name
.string
;
914 nt_workstation
= logon
->network
->identity_info
.workstation
.string
;
916 DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
919 DEBUG(2,("SAM Logon: unsupported switch value\n"));
920 return NT_STATUS_INVALID_INFO_CLASS
;
923 DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username
, nt_workstation
, nt_domain
));
924 fstrcpy(current_user_info
.smb_name
, nt_username
);
925 sub_set_smb_name(nt_username
);
927 DEBUG(5,("Attempting validation level %d for unmapped username %s.\n",
928 r
->in
.validation_level
, nt_username
));
930 status
= NT_STATUS_OK
;
932 switch (r
->in
.logon_level
) {
933 case NetlogonNetworkInformation
:
935 const char *wksname
= nt_workstation
;
937 status
= make_auth_context_fixed(&auth_context
,
938 logon
->network
->challenge
);
939 if (!NT_STATUS_IS_OK(status
)) {
943 /* For a network logon, the workstation name comes in with two
944 * backslashes in the front. Strip them if they are there. */
946 if (*wksname
== '\\') wksname
++;
947 if (*wksname
== '\\') wksname
++;
949 /* Standard challenge/response authenticaion */
950 if (!make_user_info_netlogon_network(&user_info
,
951 nt_username
, nt_domain
,
953 logon
->network
->identity_info
.parameter_control
,
954 logon
->network
->lm
.data
,
955 logon
->network
->lm
.length
,
956 logon
->network
->nt
.data
,
957 logon
->network
->nt
.length
)) {
958 status
= NT_STATUS_NO_MEMORY
;
962 case NetlogonInteractiveInformation
:
963 /* 'Interactive' authentication, supplies the password in its
964 MD4 form, encrypted with the session key. We will convert
965 this to challenge/response for the auth subsystem to chew
970 if (!NT_STATUS_IS_OK(status
= make_auth_context_subsystem(&auth_context
))) {
974 auth_context
->get_ntlm_challenge(auth_context
, chal
);
976 if (!make_user_info_netlogon_interactive(&user_info
,
977 nt_username
, nt_domain
,
979 logon
->password
->identity_info
.parameter_control
,
981 logon
->password
->lmpassword
.hash
,
982 logon
->password
->ntpassword
.hash
,
984 status
= NT_STATUS_NO_MEMORY
;
989 DEBUG(2,("SAM Logon: unsupported switch value\n"));
990 return NT_STATUS_INVALID_INFO_CLASS
;
993 if ( NT_STATUS_IS_OK(status
) ) {
994 status
= auth_context
->check_ntlm_password(auth_context
,
995 user_info
, &server_info
);
998 (auth_context
->free
)(&auth_context
);
999 free_user_info(&user_info
);
1001 DEBUG(5,("%s: check_password returned status %s\n",
1002 fn
, nt_errstr(status
)));
1004 /* Check account and password */
1006 if (!NT_STATUS_IS_OK(status
)) {
1007 /* If we don't know what this domain is, we need to
1008 indicate that we are not authoritative. This
1009 allows the client to decide if it needs to try
1010 a local user. Fix by jpjanosi@us.ibm.com, #2976 */
1011 if ( NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_USER
)
1012 && !strequal(nt_domain
, get_global_sam_name())
1013 && !is_trusted_domain(nt_domain
) )
1014 *r
->out
.authoritative
= false; /* We are not authoritative */
1016 TALLOC_FREE(server_info
);
1020 if (server_info
->guest
) {
1021 /* We don't like guest domain logons... */
1022 DEBUG(5,("%s: Attempted domain logon as GUEST "
1024 TALLOC_FREE(server_info
);
1025 return NT_STATUS_LOGON_FAILURE
;
1028 /* This is the point at which, if the login was successful, that
1029 the SAM Local Security Authority should record that the user is
1030 logged in to the domain. */
1032 if (process_creds
) {
1033 /* Get the pipe session key from the creds. */
1034 memcpy(pipe_session_key
, p
->dc
->sess_key
, 16);
1036 /* Get the pipe session key from the schannel. */
1037 if ((p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
)
1038 || (p
->auth
.a_u
.schannel_auth
== NULL
)) {
1039 return NT_STATUS_INVALID_HANDLE
;
1041 memcpy(pipe_session_key
, p
->auth
.a_u
.schannel_auth
->sess_key
, 16);
1044 switch (r
->in
.validation_level
) {
1046 status
= serverinfo_to_SamInfo2(server_info
, pipe_session_key
, 16,
1047 r
->out
.validation
->sam2
);
1050 status
= serverinfo_to_SamInfo3(server_info
, pipe_session_key
, 16,
1051 r
->out
.validation
->sam3
);
1055 TALLOC_FREE(server_info
);
1060 /*************************************************************************
1061 _netr_LogonSamLogonEx
1062 - no credential chaining. Map into net sam logon.
1063 *************************************************************************/
1065 NTSTATUS
_netr_LogonSamLogonEx(pipes_struct
*p
,
1066 struct netr_LogonSamLogonEx
*r
)
1068 struct netr_LogonSamLogon q
;
1070 /* Only allow this if the pipe is protected. */
1071 if (p
->auth
.auth_type
!= PIPE_AUTH_TYPE_SCHANNEL
) {
1072 DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
1073 get_remote_machine_name() ));
1074 return NT_STATUS_INVALID_PARAMETER
;
1077 q
.in
.server_name
= r
->in
.server_name
;
1078 q
.in
.computer_name
= r
->in
.computer_name
;
1079 q
.in
.logon_level
= r
->in
.logon_level
;
1080 q
.in
.logon
= r
->in
.logon
;
1081 q
.in
.validation_level
= r
->in
.validation_level
;
1082 /* we do not handle the flags */
1083 /* = r->in.flags; */
1085 q
.out
.validation
= r
->out
.validation
;
1086 q
.out
.authoritative
= r
->out
.authoritative
;
1087 /* we do not handle the flags */
1088 /* = r->out.flags; */
1090 return _netr_LogonSamLogon(p
, &q
);
1093 /*************************************************************************
1095 *************************************************************************/
1096 #if 0 /* JERRY -- not correct */
1097 NTSTATUS
_ds_enum_dom_trusts(pipes_struct
*p
, DS_Q_ENUM_DOM_TRUSTS
*q_u
,
1098 DS_R_ENUM_DOM_TRUSTS
*r_u
)
1100 NTSTATUS status
= NT_STATUS_OK
;
1102 /* TODO: According to MSDN, the can only be executed against a
1103 DC or domain member running Windows 2000 or later. Need
1104 to test against a standalone 2k server and see what it
1105 does. A windows 2000 DC includes its own domain in the
1113 /****************************************************************
1114 ****************************************************************/
1116 WERROR
_netr_LogonUasLogon(pipes_struct
*p
,
1117 struct netr_LogonUasLogon
*r
)
1119 p
->rng_fault_state
= true;
1120 return WERR_NOT_SUPPORTED
;
1123 /****************************************************************
1124 ****************************************************************/
1126 WERROR
_netr_LogonUasLogoff(pipes_struct
*p
,
1127 struct netr_LogonUasLogoff
*r
)
1129 p
->rng_fault_state
= true;
1130 return WERR_NOT_SUPPORTED
;
1133 /****************************************************************
1134 ****************************************************************/
1136 NTSTATUS
_netr_DatabaseDeltas(pipes_struct
*p
,
1137 struct netr_DatabaseDeltas
*r
)
1139 p
->rng_fault_state
= true;
1140 return NT_STATUS_NOT_IMPLEMENTED
;
1143 /****************************************************************
1144 ****************************************************************/
1146 NTSTATUS
_netr_DatabaseSync(pipes_struct
*p
,
1147 struct netr_DatabaseSync
*r
)
1149 p
->rng_fault_state
= true;
1150 return NT_STATUS_NOT_IMPLEMENTED
;
1153 /****************************************************************
1154 ****************************************************************/
1156 NTSTATUS
_netr_AccountDeltas(pipes_struct
*p
,
1157 struct netr_AccountDeltas
*r
)
1159 p
->rng_fault_state
= true;
1160 return NT_STATUS_NOT_IMPLEMENTED
;
1163 /****************************************************************
1164 ****************************************************************/
1166 NTSTATUS
_netr_AccountSync(pipes_struct
*p
,
1167 struct netr_AccountSync
*r
)
1169 p
->rng_fault_state
= true;
1170 return NT_STATUS_NOT_IMPLEMENTED
;
1173 /****************************************************************
1174 ****************************************************************/
1176 WERROR
_netr_GetDcName(pipes_struct
*p
,
1177 struct netr_GetDcName
*r
)
1179 p
->rng_fault_state
= true;
1180 return WERR_NOT_SUPPORTED
;
1183 /****************************************************************
1184 ****************************************************************/
1186 WERROR
_netr_GetAnyDCName(pipes_struct
*p
,
1187 struct netr_GetAnyDCName
*r
)
1189 p
->rng_fault_state
= true;
1190 return WERR_NOT_SUPPORTED
;
1193 /****************************************************************
1194 ****************************************************************/
1196 NTSTATUS
_netr_DatabaseSync2(pipes_struct
*p
,
1197 struct netr_DatabaseSync2
*r
)
1199 p
->rng_fault_state
= true;
1200 return NT_STATUS_NOT_IMPLEMENTED
;
1203 /****************************************************************
1204 ****************************************************************/
1206 NTSTATUS
_netr_DatabaseRedo(pipes_struct
*p
,
1207 struct netr_DatabaseRedo
*r
)
1209 p
->rng_fault_state
= true;
1210 return NT_STATUS_NOT_IMPLEMENTED
;
1213 /****************************************************************
1214 ****************************************************************/
1216 WERROR
_netr_DsRGetDCName(pipes_struct
*p
,
1217 struct netr_DsRGetDCName
*r
)
1219 p
->rng_fault_state
= true;
1220 return WERR_NOT_SUPPORTED
;
1223 /****************************************************************
1224 ****************************************************************/
1226 NTSTATUS
_netr_LogonGetCapabilities(pipes_struct
*p
,
1227 struct netr_LogonGetCapabilities
*r
)
1229 return NT_STATUS_NOT_IMPLEMENTED
;
1232 /****************************************************************
1233 ****************************************************************/
1235 WERROR
_netr_NETRLOGONSETSERVICEBITS(pipes_struct
*p
,
1236 struct netr_NETRLOGONSETSERVICEBITS
*r
)
1238 p
->rng_fault_state
= true;
1239 return WERR_NOT_SUPPORTED
;
1242 /****************************************************************
1243 ****************************************************************/
1245 WERROR
_netr_LogonGetTrustRid(pipes_struct
*p
,
1246 struct netr_LogonGetTrustRid
*r
)
1248 p
->rng_fault_state
= true;
1249 return WERR_NOT_SUPPORTED
;
1252 /****************************************************************
1253 ****************************************************************/
1255 WERROR
_netr_NETRLOGONCOMPUTESERVERDIGEST(pipes_struct
*p
,
1256 struct netr_NETRLOGONCOMPUTESERVERDIGEST
*r
)
1258 p
->rng_fault_state
= true;
1259 return WERR_NOT_SUPPORTED
;
1262 /****************************************************************
1263 ****************************************************************/
1265 WERROR
_netr_NETRLOGONCOMPUTECLIENTDIGEST(pipes_struct
*p
,
1266 struct netr_NETRLOGONCOMPUTECLIENTDIGEST
*r
)
1268 p
->rng_fault_state
= true;
1269 return WERR_NOT_SUPPORTED
;
1272 /****************************************************************
1273 ****************************************************************/
1275 WERROR
_netr_DsRGetDCNameEx(pipes_struct
*p
,
1276 struct netr_DsRGetDCNameEx
*r
)
1278 p
->rng_fault_state
= true;
1279 return WERR_NOT_SUPPORTED
;
1282 /****************************************************************
1283 ****************************************************************/
1285 WERROR
_netr_DsRGetSiteName(pipes_struct
*p
,
1286 struct netr_DsRGetSiteName
*r
)
1288 p
->rng_fault_state
= true;
1289 return WERR_NOT_SUPPORTED
;
1292 /****************************************************************
1293 ****************************************************************/
1295 NTSTATUS
_netr_LogonGetDomainInfo(pipes_struct
*p
,
1296 struct netr_LogonGetDomainInfo
*r
)
1298 p
->rng_fault_state
= true;
1299 return NT_STATUS_NOT_IMPLEMENTED
;
1302 /****************************************************************
1303 ****************************************************************/
1305 NTSTATUS
_netr_ServerPasswordSet2(pipes_struct
*p
,
1306 struct netr_ServerPasswordSet2
*r
)
1308 p
->rng_fault_state
= true;
1309 return NT_STATUS_NOT_IMPLEMENTED
;
1312 /****************************************************************
1313 ****************************************************************/
1315 WERROR
_netr_ServerPasswordGet(pipes_struct
*p
,
1316 struct netr_ServerPasswordGet
*r
)
1318 p
->rng_fault_state
= true;
1319 return WERR_NOT_SUPPORTED
;
1322 /****************************************************************
1323 ****************************************************************/
1325 WERROR
_netr_NETRLOGONSENDTOSAM(pipes_struct
*p
,
1326 struct netr_NETRLOGONSENDTOSAM
*r
)
1328 p
->rng_fault_state
= true;
1329 return WERR_NOT_SUPPORTED
;
1332 /****************************************************************
1333 ****************************************************************/
1335 WERROR
_netr_DsRAddressToSitenamesW(pipes_struct
*p
,
1336 struct netr_DsRAddressToSitenamesW
*r
)
1338 p
->rng_fault_state
= true;
1339 return WERR_NOT_SUPPORTED
;
1342 /****************************************************************
1343 ****************************************************************/
1345 WERROR
_netr_DsRGetDCNameEx2(pipes_struct
*p
,
1346 struct netr_DsRGetDCNameEx2
*r
)
1348 p
->rng_fault_state
= true;
1349 return WERR_NOT_SUPPORTED
;
1352 /****************************************************************
1353 ****************************************************************/
1355 WERROR
_netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(pipes_struct
*p
,
1356 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN
*r
)
1358 p
->rng_fault_state
= true;
1359 return WERR_NOT_SUPPORTED
;
1362 /****************************************************************
1363 ****************************************************************/
1365 WERROR
_netr_NetrEnumerateTrustedDomainsEx(pipes_struct
*p
,
1366 struct netr_NetrEnumerateTrustedDomainsEx
*r
)
1368 p
->rng_fault_state
= true;
1369 return WERR_NOT_SUPPORTED
;
1372 /****************************************************************
1373 ****************************************************************/
1375 WERROR
_netr_DsRAddressToSitenamesExW(pipes_struct
*p
,
1376 struct netr_DsRAddressToSitenamesExW
*r
)
1378 p
->rng_fault_state
= true;
1379 return WERR_NOT_SUPPORTED
;
1382 /****************************************************************
1383 ****************************************************************/
1385 WERROR
_netr_DsrGetDcSiteCoverageW(pipes_struct
*p
,
1386 struct netr_DsrGetDcSiteCoverageW
*r
)
1388 p
->rng_fault_state
= true;
1389 return WERR_NOT_SUPPORTED
;
1392 /****************************************************************
1393 ****************************************************************/
1395 WERROR
_netr_DsrEnumerateDomainTrusts(pipes_struct
*p
,
1396 struct netr_DsrEnumerateDomainTrusts
*r
)
1398 p
->rng_fault_state
= true;
1399 return WERR_NOT_SUPPORTED
;
1402 /****************************************************************
1403 ****************************************************************/
1405 WERROR
_netr_DsrDeregisterDNSHostRecords(pipes_struct
*p
,
1406 struct netr_DsrDeregisterDNSHostRecords
*r
)
1408 p
->rng_fault_state
= true;
1409 return WERR_NOT_SUPPORTED
;
1412 /****************************************************************
1413 ****************************************************************/
1415 NTSTATUS
_netr_ServerTrustPasswordsGet(pipes_struct
*p
,
1416 struct netr_ServerTrustPasswordsGet
*r
)
1418 p
->rng_fault_state
= true;
1419 return NT_STATUS_NOT_IMPLEMENTED
;
1422 /****************************************************************
1423 ****************************************************************/
1425 WERROR
_netr_DsRGetForestTrustInformation(pipes_struct
*p
,
1426 struct netr_DsRGetForestTrustInformation
*r
)
1428 p
->rng_fault_state
= true;
1429 return WERR_NOT_SUPPORTED
;
1432 /****************************************************************
1433 ****************************************************************/
1435 WERROR
_netr_GetForestTrustInformation(pipes_struct
*p
,
1436 struct netr_GetForestTrustInformation
*r
)
1438 p
->rng_fault_state
= true;
1439 return WERR_NOT_SUPPORTED
;
1442 /****************************************************************
1443 ****************************************************************/
1445 NTSTATUS
_netr_LogonSamLogonWithFlags(pipes_struct
*p
,
1446 struct netr_LogonSamLogonWithFlags
*r
)
1448 p
->rng_fault_state
= true;
1449 return NT_STATUS_NOT_IMPLEMENTED
;
1452 /****************************************************************
1453 ****************************************************************/
1455 NTSTATUS
_netr_ServerGetTrustInfo(pipes_struct
*p
,
1456 struct netr_ServerGetTrustInfo
*r
)
1458 p
->rng_fault_state
= true;
1459 return NT_STATUS_NOT_IMPLEMENTED
;