2 Unix SMB/CIFS implementation.
4 CLDAP server - netlogon handling
6 Copyright (C) Andrew Tridgell 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "libcli/ldap/ldap.h"
25 #include "lib/events/events.h"
26 #include "lib/socket/socket.h"
27 #include "smbd/service_task.h"
28 #include "cldap_server/cldap_server.h"
31 fill in the cldap netlogon union for a given version
33 static NTSTATUS cldapd_netlogon_fill(struct cldapd_server *cldapd,
36 const char *domain_guid,
38 const char *src_address,
40 union nbt_cldap_netlogon *netlogon)
42 const char *attrs[] = {"realm", "dnsDomain", "objectGUID", "name", NULL};
43 struct ldb_message **res;
45 const char **services = lp_server_services();
48 struct GUID domain_uuid;
50 const char *dns_domain;
51 const char *pdc_dns_name;
53 const char *site_name;
54 const char *site_name2;
57 if (cldapd->samctx == NULL) {
58 cldapd->samctx = samdb_connect(mem_ctx);
59 if (cldapd->samctx == NULL) {
60 DEBUG(2,("Unable to open sam in cldap netlogon reply\n"));
61 return NT_STATUS_INTERNAL_DB_CORRUPTION;
65 /* the domain has an optional trailing . */
66 if (domain && domain[strlen(domain)-1] == '.') {
67 domain = talloc_strndup(mem_ctx, domain, strlen(domain)-1);
70 /* try and find the domain */
71 ret = gendb_search(cldapd->samctx, mem_ctx, NULL, &res, attrs,
72 "(&(objectClass=domainDNS)(|(dnsDomain=%s)(objectGUID=%s)))",
74 domain_guid?domain_guid:"");
76 DEBUG(2,("Unable to find domain '%s' in sam\n", domain));
77 return NT_STATUS_NO_SUCH_DOMAIN;
81 NBT_SERVER_PDC | NBT_SERVER_GC |
82 NBT_SERVER_DS | NBT_SERVER_TIMESERV |
83 NBT_SERVER_CLOSEST | NBT_SERVER_WRITABLE |
84 NBT_SERVER_GOOD_TIMESERV;
86 if (str_list_check(services, "ldap")) {
87 server_type |= NBT_SERVER_LDAP;
90 if (str_list_check(services, "kdc")) {
91 server_type |= NBT_SERVER_KDC;
94 pdc_name = talloc_asprintf(mem_ctx, "\\\\%s", lp_netbios_name());
95 domain_uuid = samdb_result_guid(res[0], "objectGUID");
96 realm = samdb_result_string(res[0], "realm", lp_realm());
97 dns_domain = samdb_result_string(res[0], "dnsDomain", lp_realm());
98 pdc_dns_name = talloc_asprintf(mem_ctx, "%s.%s",
99 strlower_talloc(mem_ctx, lp_netbios_name()),
101 flatname = samdb_result_string(res[0], "name", lp_workgroup());
102 site_name = "Default-First-Site-Name";
104 pdc_ip = iface_best_ip(src_address);
106 ZERO_STRUCTP(netlogon);
108 switch (version & 0xF) {
111 netlogon->logon1.pdc_name = pdc_name;
112 netlogon->logon1.user_name = user;
113 netlogon->logon1.domain_name = flatname;
114 netlogon->logon1.nt_version = 1;
115 netlogon->logon1.lmnt_token = 0xFFFF;
116 netlogon->logon1.lm20_token = 0xFFFF;
120 netlogon->logon2.pdc_name = pdc_name;
121 netlogon->logon2.user_name = user;
122 netlogon->logon2.domain_name = flatname;
123 netlogon->logon2.domain_uuid = domain_uuid;
124 netlogon->logon2.forest = realm;
125 netlogon->logon2.dns_domain = dns_domain;
126 netlogon->logon2.pdc_dns_name = pdc_dns_name;
127 netlogon->logon2.pdc_ip = pdc_ip;
128 netlogon->logon2.server_type = server_type;
129 netlogon->logon2.nt_version = 3;
130 netlogon->logon2.lmnt_token = 0xFFFF;
131 netlogon->logon2.lm20_token = 0xFFFF;
137 netlogon->logon3.server_type = server_type;
138 netlogon->logon3.domain_uuid = domain_uuid;
139 netlogon->logon3.forest = realm;
140 netlogon->logon3.dns_domain = dns_domain;
141 netlogon->logon3.pdc_dns_name = pdc_dns_name;
142 netlogon->logon3.domain = flatname;
143 netlogon->logon3.pdc_name = pdc_name;
144 netlogon->logon3.user_name = user;
145 netlogon->logon3.site_name = site_name;
146 netlogon->logon3.site_name2 = site_name2;
147 netlogon->logon3.nt_version = 3;
148 netlogon->logon3.lmnt_token = 0xFFFF;
149 netlogon->logon3.lm20_token = 0xFFFF;
152 netlogon->logon4.server_type = server_type;
153 netlogon->logon4.domain_uuid = domain_uuid;
154 netlogon->logon4.forest = realm;
155 netlogon->logon4.dns_domain = dns_domain;
156 netlogon->logon4.pdc_dns_name = pdc_dns_name;
157 netlogon->logon4.domain = flatname;
158 netlogon->logon4.pdc_name = lp_netbios_name();
159 netlogon->logon4.user_name = user;
160 netlogon->logon4.site_name = site_name;
161 netlogon->logon4.site_name2 = site_name2;
162 netlogon->logon4.unknown = 10;
163 netlogon->logon4.unknown2 = 2;
164 netlogon->logon4.pdc_ip = pdc_ip;
165 netlogon->logon4.nt_version = 5;
166 netlogon->logon4.lmnt_token = 0xFFFF;
167 netlogon->logon4.lm20_token = 0xFFFF;
176 handle incoming cldap requests
178 void cldapd_netlogon_request(struct cldap_socket *cldap,
181 const char *src_address, int src_port)
183 struct cldapd_server *cldapd = talloc_get_type(cldap->incoming.private, struct cldapd_server);
184 struct ldap_parse_tree *tree;
186 const char *domain = NULL;
187 const char *host = NULL;
188 const char *user = "";
189 const char *domain_guid = NULL;
190 const char *domain_sid = NULL;
191 int acct_control = -1;
193 union nbt_cldap_netlogon netlogon;
194 NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
196 TALLOC_CTX *tmp_ctx = talloc_new(cldap);
198 DEBUG(5,("cldap filter='%s'\n", filter));
200 tree = ldap_parse_filter_string(tmp_ctx, filter);
201 if (tree == NULL) goto failed;
203 if (tree->operation != LDAP_OP_AND) goto failed;
205 /* extract the query elements */
206 for (i=0;i<tree->u.list.num_elements;i++) {
207 struct ldap_parse_tree *t = tree->u.list.elements[i];
208 if (t->operation != LDAP_OP_SIMPLE) goto failed;
209 if (strcasecmp(t->u.simple.attr, "DnsDomain") == 0) {
210 domain = talloc_strndup(tmp_ctx,
211 t->u.simple.value.data,
212 t->u.simple.value.length);
214 if (strcasecmp(t->u.simple.attr, "Host") == 0) {
215 host = talloc_strndup(tmp_ctx,
216 t->u.simple.value.data,
217 t->u.simple.value.length);
219 if (strcasecmp(t->u.simple.attr, "DomainGuid") == 0) {
222 enc_status = ldap_decode_ndr_GUID(tmp_ctx,
223 t->u.simple.value, &guid);
224 if (NT_STATUS_IS_OK(enc_status)) {
225 domain_guid = GUID_string(tmp_ctx, &guid);
228 if (strcasecmp(t->u.simple.attr, "DomainSid") == 0) {
229 domain_sid = talloc_strndup(tmp_ctx,
230 t->u.simple.value.data,
231 t->u.simple.value.length);
233 if (strcasecmp(t->u.simple.attr, "User") == 0) {
234 user = talloc_strndup(tmp_ctx,
235 t->u.simple.value.data,
236 t->u.simple.value.length);
238 if (strcasecmp(t->u.simple.attr, "NtVer") == 0 &&
239 t->u.simple.value.length == 4) {
240 version = IVAL(t->u.simple.value.data, 0);
242 if (strcasecmp(t->u.simple.attr, "AAC") == 0 &&
243 t->u.simple.value.length == 4) {
244 acct_control = IVAL(t->u.simple.value.data, 0);
248 if (domain_guid == NULL && domain == NULL) {
256 DEBUG(5,("cldap netlogon query domain=%s host=%s user=%s version=%d guid=%s\n",
257 domain, host, user, version, domain_guid));
259 status = cldapd_netlogon_fill(cldapd, tmp_ctx, domain, domain_guid,
262 if (!NT_STATUS_IS_OK(status)) {
266 status = cldap_netlogon_reply(cldap, message_id, src_address, src_port, version,
268 if (!NT_STATUS_IS_OK(status)) {
272 talloc_free(tmp_ctx);
276 DEBUG(0,("cldap netlogon query failed domain=%s host=%s version=%d - %s\n",
277 domain, host, version, nt_errstr(status)));
278 talloc_free(tmp_ctx);
279 cldap_empty_reply(cldap, message_id, src_address, src_port);