2 Unix SMB/CIFS implementation.
4 endpoint server for the netlogon pipe
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "librpc/gen_ndr/ndr_netlogon.h"
25 #include "rpc_server/dcerpc_server.h"
26 #include "rpc_server/common/common.h"
27 #include "librpc/gen_ndr/ndr_dcom.h"
28 #include "auth/auth.h"
29 #include "lib/ldb/include/ldb.h"
31 struct server_pipe_state {
32 struct netr_Credential client_challenge;
33 struct netr_Credential server_challenge;
36 char *computer_name; /* for logging only */
38 uint16_t sec_chan_type;
39 struct creds_CredentialState *creds;
44 a client has connected to the netlogon server using schannel, so we need
45 to re-establish the credentials state
47 static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call)
49 struct server_pipe_state *state;
52 state = talloc_p(dce_call->conn, struct server_pipe_state);
54 return NT_STATUS_NO_MEMORY;
57 state->authenticated = True;
59 if (dce_call->conn->auth_state.session_info == NULL) {
61 smb_panic("No session info provided by schannel level setup!");
62 return NT_STATUS_NO_USER_SESSION_KEY;
65 status = dcerpc_schannel_creds(dce_call->conn->auth_state.gensec_security,
69 if (!NT_STATUS_IS_OK(status)) {
70 DEBUG(3, ("getting schannel credentials failed with %s\n", nt_errstr(status)));
75 dce_call->conn->private = state;
81 a hook for bind on the netlogon pipe
83 static NTSTATUS netlogon_bind(struct dcesrv_call_state *dce_call, const struct dcesrv_interface *di)
85 dce_call->conn->private = NULL;
87 /* if this is a schannel bind then we need to reconstruct the pipe state */
88 if (dce_call->conn->auth_state.auth_info &&
89 dce_call->conn->auth_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
92 DEBUG(5, ("schannel bind on netlogon\n"));
94 status = netlogon_schannel_setup(dce_call);
95 if (!NT_STATUS_IS_OK(status)) {
96 DEBUG(3, ("schannel bind on netlogon failed with %s\n", nt_errstr(status)));
104 /* this function is called when the client disconnects the endpoint */
105 static void netlogon_unbind(struct dcesrv_connection *conn, const struct dcesrv_interface *di)
107 struct server_pipe_state *pipe_state = conn->private;
110 talloc_free(pipe_state);
113 conn->private = NULL;
116 #define DCESRV_INTERFACE_NETLOGON_BIND netlogon_bind
117 #define DCESRV_INTERFACE_NETLOGON_UNBIND netlogon_unbind
119 static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
120 struct netr_ServerReqChallenge *r)
122 struct server_pipe_state *pipe_state = dce_call->conn->private;
124 ZERO_STRUCTP(r->out.credentials);
126 /* destroyed on pipe shutdown */
129 talloc_free(pipe_state);
130 dce_call->conn->private = NULL;
133 pipe_state = talloc_p(dce_call->conn, struct server_pipe_state);
135 return NT_STATUS_NO_MEMORY;
138 pipe_state->authenticated = False;
139 pipe_state->creds = NULL;
140 pipe_state->account_name = NULL;
141 pipe_state->computer_name = NULL;
143 pipe_state->client_challenge = *r->in.credentials;
145 generate_random_buffer(pipe_state->server_challenge.data,
146 sizeof(pipe_state->server_challenge.data));
148 *r->out.credentials = pipe_state->server_challenge;
150 dce_call->conn->private = pipe_state;
155 static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
156 struct netr_ServerAuthenticate3 *r)
158 struct server_pipe_state *pipe_state = dce_call->conn->private;
160 struct samr_Password *mach_pwd;
163 struct ldb_message **msgs;
165 const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash", "userAccountControl",
168 ZERO_STRUCTP(r->out.credentials);
170 *r->out.negotiate_flags = *r->in.negotiate_flags;
173 DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
174 return NT_STATUS_ACCESS_DENIED;
177 sam_ctx = samdb_connect(mem_ctx);
178 if (sam_ctx == NULL) {
179 return NT_STATUS_INVALID_SYSTEM_SERVICE;
181 /* pull the user attributes */
182 num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
183 "(&(sAMAccountName=%s)(objectclass=user))",
186 if (num_records == 0) {
187 DEBUG(3,("Couldn't find user [%s] in samdb.\n",
188 r->in.account_name));
189 return NT_STATUS_NO_SUCH_USER;
192 if (num_records > 1) {
193 DEBUG(0,("Found %d records matching user [%s]\n", num_records, r->in.account_name));
194 return NT_STATUS_INTERNAL_DB_CORRUPTION;
197 acct_flags = samdb_result_acct_flags(msgs[0],
198 "userAccountControl");
200 if (acct_flags & ACB_DISABLED) {
201 DEBUG(1, ("Account [%s] is disabled\n", r->in.account_name));
202 return NT_STATUS_ACCESS_DENIED;
205 if (r->in.secure_channel_type == SEC_CHAN_WKSTA) {
206 if (!(acct_flags & ACB_WSTRUST)) {
207 DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", acct_flags));
208 return NT_STATUS_ACCESS_DENIED;
210 } else if (r->in.secure_channel_type == SEC_CHAN_DOMAIN) {
211 if (!(acct_flags & ACB_DOMTRUST)) {
212 DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", acct_flags));
213 return NT_STATUS_ACCESS_DENIED;
215 } else if (r->in.secure_channel_type == SEC_CHAN_BDC) {
216 if (!(acct_flags & ACB_SVRTRUST)) {
217 DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", acct_flags));
218 return NT_STATUS_ACCESS_DENIED;
221 DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
222 r->in.secure_channel_type));
223 return NT_STATUS_ACCESS_DENIED;
226 pipe_state->acct_flags = acct_flags;
227 pipe_state->sec_chan_type = r->in.secure_channel_type;
229 *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0], "objectSid", 0);
231 nt_status = samdb_result_passwords(mem_ctx, msgs[0], NULL, &mach_pwd);
232 if (!NT_STATUS_IS_OK(nt_status) || mach_pwd == NULL) {
233 return NT_STATUS_ACCESS_DENIED;
236 if (!pipe_state->creds) {
237 pipe_state->creds = talloc_p(pipe_state, struct creds_CredentialState);
238 if (!pipe_state->creds) {
239 return NT_STATUS_NO_MEMORY;
243 creds_server_init(pipe_state->creds, &pipe_state->client_challenge,
244 &pipe_state->server_challenge, mach_pwd,
246 *r->in.negotiate_flags);
248 if (!creds_server_check(pipe_state->creds, r->in.credentials)) {
249 return NT_STATUS_ACCESS_DENIED;
252 pipe_state->authenticated = True;
254 if (pipe_state->account_name) {
255 /* We don't want a memory leak on this long-lived talloc context */
256 talloc_free(pipe_state->account_name);
259 pipe_state->account_name = talloc_strdup(pipe_state, r->in.account_name);
261 if (pipe_state->computer_name) {
262 /* We don't want a memory leak on this long-lived talloc context */
263 talloc_free(pipe_state->computer_name);
266 pipe_state->computer_name = talloc_strdup(pipe_state, r->in.computer_name);
268 /* remember this session key state */
269 nt_status = schannel_store_session_key(mem_ctx, pipe_state->computer_name, pipe_state->creds);
274 static NTSTATUS netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
275 struct netr_ServerAuthenticate *r)
277 struct netr_ServerAuthenticate3 r3;
280 * negotiate_flags is used as an [in] parameter
281 * so it need to be initialised.
283 * (I think ... = 0; seems wrong here --metze)
285 uint32 negotiate_flags = 0;
287 r3.in.server_name = r->in.server_name;
288 r3.in.account_name = r->in.account_name;
289 r3.in.secure_channel_type = r->in.secure_channel_type;
290 r3.in.computer_name = r->in.computer_name;
291 r3.in.credentials = r->in.credentials;
292 r3.out.credentials = r->out.credentials;
293 r3.in.negotiate_flags = &negotiate_flags;
294 r3.out.negotiate_flags = &negotiate_flags;
297 return netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
300 static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
301 struct netr_ServerAuthenticate2 *r)
303 struct netr_ServerAuthenticate3 r3;
306 r3.in.server_name = r->in.server_name;
307 r3.in.account_name = r->in.account_name;
308 r3.in.secure_channel_type = r->in.secure_channel_type;
309 r3.in.computer_name = r->in.computer_name;
310 r3.in.credentials = r->in.credentials;
311 r3.out.credentials = r->out.credentials;
312 r3.in.negotiate_flags = r->in.negotiate_flags;
313 r3.out.negotiate_flags = r->out.negotiate_flags;
316 return netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
320 static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_state,
321 struct netr_Authenticator *received_authenticator,
322 struct netr_Authenticator *return_authenticator)
325 DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
326 return NT_STATUS_ACCESS_DENIED;
329 if (!pipe_state->authenticated) {
330 return NT_STATUS_ACCESS_DENIED;
332 return creds_server_step_check(pipe_state->creds,
333 received_authenticator,
334 return_authenticator);
338 static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
339 struct netr_ServerPasswordSet *r)
341 struct server_pipe_state *pipe_state = dce_call->conn->private;
345 int num_records_domain;
347 struct ldb_message **msgs;
348 struct ldb_message **msgs_domain;
350 struct ldb_message mod, *msg_set_pw = &mod;
351 const char *domain_dn;
352 const char *domain_sid;
354 const char *attrs[] = {"objectSid", NULL };
356 const char **domain_attrs = attrs;
359 nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator);
360 if (NT_STATUS_IS_OK(nt_status)) {
364 sam_ctx = samdb_connect(mem_ctx);
365 if (sam_ctx == NULL) {
366 return NT_STATUS_INVALID_SYSTEM_SERVICE;
368 /* pull the user attributes */
369 num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
370 "(&(sAMAccountName=%s)(objectclass=user))",
371 pipe_state->account_name);
373 if (num_records == 0) {
374 DEBUG(3,("Couldn't find user [%s] in samdb.\n",
375 pipe_state->account_name));
376 return NT_STATUS_NO_SUCH_USER;
379 if (num_records > 1) {
380 DEBUG(0,("Found %d records matching user [%s]\n", num_records,
381 pipe_state->account_name));
382 return NT_STATUS_INTERNAL_DB_CORRUPTION;
385 domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid");
387 DEBUG(0,("no objectSid in user record\n"));
388 return NT_STATUS_INTERNAL_DB_CORRUPTION;
391 /* find the domain's DN */
392 num_records_domain = samdb_search(sam_ctx, mem_ctx, NULL,
393 &msgs_domain, domain_attrs,
394 "(&(objectSid=%s)(objectclass=domain))",
397 if (num_records_domain == 0) {
398 DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n",
400 return NT_STATUS_NO_SUCH_USER;
403 if (num_records_domain > 1) {
404 DEBUG(0,("Found %d records matching domain [%s]\n",
405 num_records_domain, domain_sid));
406 return NT_STATUS_INTERNAL_DB_CORRUPTION;
409 domain_dn = msgs_domain[0]->dn;
411 mod.dn = talloc_strdup(mem_ctx, msgs[0]->dn);
413 return NT_STATUS_NO_MEMORY;
416 creds_des_decrypt(pipe_state->creds, &r->in.new_password);
418 /* set the password - samdb needs to know both the domain and user DNs,
419 so the domain password policy can be used */
420 nt_status = samdb_set_password(sam_ctx, mem_ctx,
421 msgs[0]->dn, domain_dn,
423 NULL, /* Don't have plaintext */
424 NULL, &r->in.new_password,
425 False /* This is not considered a password change */,
428 if (!NT_STATUS_IS_OK(nt_status)) {
432 ret = samdb_replace(sam_ctx, mem_ctx, msg_set_pw);
434 /* we really need samdb.c to return NTSTATUS */
435 return NT_STATUS_UNSUCCESSFUL;
445 static WERROR netr_LogonUasLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
446 struct netr_LogonUasLogon *r)
448 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
455 static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
456 struct netr_LogonUasLogoff *r)
458 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
463 netr_LogonSamLogonWithFlags
465 This version of the function allows other wrappers to say 'do not check the credentials'
467 static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
468 struct netr_LogonSamLogonEx *r)
470 struct server_pipe_state *pipe_state = dce_call->conn->private;
472 struct auth_context *auth_context;
473 struct auth_usersupplied_info *user_info;
474 struct auth_serversupplied_info *server_info;
477 static const char zeros[16];
478 struct netr_SamBaseInfo *sam;
479 struct netr_SamInfo2 *sam2;
480 struct netr_SamInfo3 *sam3;
481 struct netr_SamInfo6 *sam6;
483 switch (r->in.logon_level) {
487 if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
488 creds_arcfour_crypt(pipe_state->creds,
489 r->in.logon.password->lmpassword.hash,
490 sizeof(r->in.logon.password->lmpassword.hash));
491 creds_arcfour_crypt(pipe_state->creds,
492 r->in.logon.password->ntpassword.hash,
493 sizeof(r->in.logon.password->ntpassword.hash));
495 creds_des_decrypt(pipe_state->creds, &r->in.logon.password->lmpassword);
496 creds_des_decrypt(pipe_state->creds, &r->in.logon.password->ntpassword);
499 nt_status = make_auth_context_subsystem(pipe_state, &auth_context);
500 if (!NT_STATUS_IS_OK(nt_status)) {
504 chal = auth_context->get_ntlm_challenge(auth_context);
505 nt_status = make_user_info_netlogon_interactive(auth_context,
507 r->in.logon.password->identity_info.account_name.string,
508 r->in.logon.password->identity_info.domain_name.string,
509 r->in.logon.password->identity_info.workstation.string,
511 &r->in.logon.password->lmpassword,
512 &r->in.logon.password->ntpassword);
517 nt_status = make_auth_context_fixed(pipe_state,
518 &auth_context, r->in.logon.network->challenge);
519 if (!NT_STATUS_IS_OK(nt_status)) {
523 nt_status = make_user_info_netlogon_network(auth_context,
525 r->in.logon.network->identity_info.account_name.string,
526 r->in.logon.network->identity_info.domain_name.string,
527 r->in.logon.network->identity_info.workstation.string,
528 r->in.logon.network->lm.data, r->in.logon.network->lm.length,
529 r->in.logon.network->nt.data, r->in.logon.network->nt.length);
532 free_auth_context(&auth_context);
533 return NT_STATUS_INVALID_PARAMETER;
536 if (!NT_STATUS_IS_OK(nt_status)) {
540 nt_status = auth_context->check_ntlm_password(auth_context,
545 /* keep the auth_context for the life of this call */
546 talloc_steal(dce_call, auth_context);
548 if (!NT_STATUS_IS_OK(nt_status)) {
552 sam = talloc_p(mem_ctx, struct netr_SamBaseInfo);
556 sam->last_logon = server_info->last_logon;
557 sam->last_logoff = server_info->last_logoff;
558 sam->acct_expiry = server_info->acct_expiry;
559 sam->last_password_change = server_info->last_password_change;
560 sam->allow_password_change = server_info->allow_password_change;
561 sam->force_password_change = server_info->force_password_change;
563 sam->account_name.string = talloc_strdup(mem_ctx, server_info->account_name);
564 sam->full_name.string = talloc_strdup(mem_ctx, server_info->full_name);
565 sam->logon_script.string = talloc_strdup(mem_ctx, server_info->logon_script);
566 sam->profile_path.string = talloc_strdup(mem_ctx, server_info->profile_path);
567 sam->home_directory.string = talloc_strdup(mem_ctx, server_info->home_directory);
568 sam->home_drive.string = talloc_strdup(mem_ctx, server_info->home_drive);
570 sam->logon_count = server_info->logon_count;
571 sam->bad_password_count = sam->bad_password_count;
572 sam->rid = server_info->user_sid->sub_auths[server_info->user_sid->num_auths-1];
573 sam->primary_gid = server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1];
574 sam->group_count = 0;
575 sam->groupids = NULL;
576 sam->user_flags = 0; /* TODO: w2k3 uses 0x120 - what is this? */
577 sam->acct_flags = server_info->acct_flags;
578 sam->logon_server.string = lp_netbios_name();
580 sam->domain.string = talloc_strdup(mem_ctx, server_info->domain);
582 sam->domain_sid = dom_sid_dup(mem_ctx, server_info->user_sid);
583 sam->domain_sid->num_auths--;
585 if (server_info->user_session_key.length == sizeof(sam->key.key)) {
586 memcpy(sam->key.key, server_info->user_session_key.data, sizeof(sam->key.key));
588 ZERO_STRUCT(sam->key.key);
591 /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
592 /* It appears that level 6 is not individually encrypted */
593 if ((r->in.validation_level != 6)
594 && memcmp(sam->key.key, zeros,
595 sizeof(sam->key.key)) != 0) {
597 /* This key is sent unencrypted without the ARCFOUR flag set */
598 if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
599 creds_arcfour_crypt(pipe_state->creds,
601 sizeof(sam->key.key));
605 if (server_info->lm_session_key.length == sizeof(sam->LMSessKey.key)) {
606 memcpy(sam->LMSessKey.key, server_info->lm_session_key.data,
607 sizeof(sam->LMSessKey.key));
609 ZERO_STRUCT(sam->LMSessKey.key);
612 /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
613 /* It appears that level 6 is not individually encrypted */
614 if ((r->in.validation_level != 6)
615 && memcmp(sam->LMSessKey.key, zeros,
616 sizeof(sam->LMSessKey.key)) != 0) {
617 if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
618 creds_arcfour_crypt(pipe_state->creds,
620 sizeof(sam->LMSessKey.key));
622 creds_des_encrypt_LMKey(pipe_state->creds,
627 switch (r->in.validation_level) {
629 sam2 = talloc_p(mem_ctx, struct netr_SamInfo2);
632 r->out.validation.sam2 = sam2;
636 sam3 = talloc_p(mem_ctx, struct netr_SamInfo3);
639 r->out.validation.sam3 = sam3;
643 sam6 = talloc_p(mem_ctx, struct netr_SamInfo6);
646 sam6->forest.string = lp_realm();
647 sam6->principle.string = talloc_asprintf(mem_ctx, "%s@%s",
648 sam->account_name.string, sam6->forest.string);
649 r->out.validation.sam6 = sam6;
656 r->out.authoritative = 1;
662 netr_LogonSamLogonWithFlags
665 static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
666 struct netr_LogonSamLogonWithFlags *r)
669 struct netr_LogonSamLogonEx r2;
671 struct server_pipe_state *pipe_state = dce_call->conn->private;
673 r->out.return_authenticator = talloc_p(mem_ctx, struct netr_Authenticator);
674 if (!r->out.return_authenticator) {
675 return NT_STATUS_NO_MEMORY;
678 nt_status = netr_creds_server_step_check(pipe_state, r->in.credential, r->out.return_authenticator);
679 if (!NT_STATUS_IS_OK(nt_status)) {
685 r2.in.server_name = r->in.server_name;
686 r2.in.workstation = r->in.workstation;
687 r2.in.logon_level = r->in.logon_level;
688 r2.in.logon = r->in.logon;
689 r2.in.validation_level = r->in.validation_level;
690 r2.in.flags = r->in.flags;
692 nt_status = netr_LogonSamLogonEx(dce_call, mem_ctx, &r2);
694 r->out.validation = r2.out.validation;
695 r->out.authoritative = r2.out.authoritative;
703 static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
704 struct netr_LogonSamLogon *r)
706 struct netr_LogonSamLogonWithFlags r2;
711 r2.in.server_name = r->in.server_name;
712 r2.in.workstation = r->in.workstation;
713 r2.in.credential = r->in.credential;
714 r2.in.return_authenticator = r->in.return_authenticator;
715 r2.in.logon_level = r->in.logon_level;
716 r2.in.logon = r->in.logon;
717 r2.in.validation_level = r->in.validation_level;
720 status = netr_LogonSamLogonWithFlags(dce_call, mem_ctx, &r2);
722 r->out.return_authenticator = r2.out.return_authenticator;
723 r->out.validation = r2.out.validation;
724 r->out.authoritative = r2.out.authoritative;
733 static NTSTATUS netr_LogonSamLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
734 struct netr_LogonSamLogoff *r)
736 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
744 static NTSTATUS netr_DatabaseDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
745 struct netr_DatabaseDeltas *r)
747 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
754 static NTSTATUS netr_DatabaseSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
755 struct netr_DatabaseSync *r)
757 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
764 static NTSTATUS netr_AccountDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
765 struct netr_AccountDeltas *r)
767 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
774 static NTSTATUS netr_AccountSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
775 struct netr_AccountSync *r)
777 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
784 static NTSTATUS netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
785 struct netr_GetDcName *r)
787 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
794 static WERROR netr_LogonControl(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
795 struct netr_LogonControl *r)
797 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
804 static WERROR netr_GetAnyDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
805 struct netr_GetAnyDCName *r)
807 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
814 static WERROR netr_LogonControl2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
815 struct netr_LogonControl2 *r)
817 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
824 static NTSTATUS netr_DatabaseSync2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
825 struct netr_DatabaseSync2 *r)
827 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
834 static NTSTATUS netr_DatabaseRedo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
835 struct netr_DatabaseRedo *r)
837 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
844 static WERROR netr_LogonControl2Ex(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
845 struct netr_LogonControl2Ex *r)
847 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
852 netr_NETRENUMERATETRUSTEDDOMAINS
854 static WERROR netr_NETRENUMERATETRUSTEDDOMAINS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
855 struct netr_NETRENUMERATETRUSTEDDOMAINS *r)
857 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
864 static WERROR netr_DSRGETDCNAME(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
865 struct netr_DSRGETDCNAME *r)
867 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
872 netr_NETRLOGONDUMMYROUTINE1
874 static WERROR netr_NETRLOGONDUMMYROUTINE1(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
875 struct netr_NETRLOGONDUMMYROUTINE1 *r)
877 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
882 netr_NETRLOGONSETSERVICEBITS
884 static WERROR netr_NETRLOGONSETSERVICEBITS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
885 struct netr_NETRLOGONSETSERVICEBITS *r)
887 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
892 netr_NETRLOGONGETTRUSTRID
894 static WERROR netr_NETRLOGONGETTRUSTRID(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
895 struct netr_NETRLOGONGETTRUSTRID *r)
897 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
902 netr_NETRLOGONCOMPUTESERVERDIGEST
904 static WERROR netr_NETRLOGONCOMPUTESERVERDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
905 struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
907 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
912 netr_NETRLOGONCOMPUTECLIENTDIGEST
914 static WERROR netr_NETRLOGONCOMPUTECLIENTDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
915 struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
917 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
924 static WERROR netr_DSRGETDCNAMEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
925 struct netr_DSRGETDCNAMEX *r)
927 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
934 static WERROR netr_DSRGETSITENAME(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
935 struct netr_DSRGETSITENAME *r)
937 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
942 fill in a netr_DomainTrustInfo from a ldb search result
944 static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message *res,
945 struct netr_DomainTrustInfo *info, BOOL is_local)
950 info->domainname.string = samdb_result_string(res, "name", NULL);
951 info->fulldomainname.string = samdb_result_string(res, "dnsDomain", NULL);
952 info->guid = samdb_result_guid(res, "objectGUID");
953 info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid");
955 info->domainname.string = samdb_result_string(res, "flatName", NULL);
956 info->fulldomainname.string = samdb_result_string(res, "name", NULL);
957 info->guid = samdb_result_guid(res, "objectGUID");
958 info->sid = samdb_result_dom_sid(mem_ctx, res, "securityIdentifier");
961 /* TODO: we need proper forest support */
962 info->forest.string = info->fulldomainname.string;
968 netr_LogonGetDomainInfo
969 this is called as part of the ADS domain logon procedure.
971 static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
972 struct netr_LogonGetDomainInfo *r)
974 struct server_pipe_state *pipe_state = dce_call->conn->private;
975 const char * const attrs[] = { "name", "dnsDomain", "objectSid",
976 "objectGUID", "flatName", "securityIdentifier",
979 struct ldb_message **res1, **res2;
980 struct netr_DomainInfo1 *info1;
984 status = netr_creds_server_step_check(pipe_state,
985 r->in.credential, r->out.credential);
986 if (!NT_STATUS_IS_OK(status)) {
990 sam_ctx = samdb_connect(mem_ctx);
991 if (sam_ctx == NULL) {
992 return NT_STATUS_INVALID_SYSTEM_SERVICE;
995 /* we need to do two searches. The first will pull our primary
996 domain and the second will pull any trusted domains. Our
997 primary domain is also a "trusted" domain, so we need to
998 put the primary domain into the lists of returned trusts as
1000 ret1 = samdb_search(sam_ctx, mem_ctx, NULL, &res1, attrs, "(objectClass=domainDNS)");
1002 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1005 ret2 = samdb_search(sam_ctx, mem_ctx, NULL, &res2, attrs, "(objectClass=trustedDomain)");
1007 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1010 info1 = talloc_p(mem_ctx, struct netr_DomainInfo1);
1011 if (info1 == NULL) {
1012 return NT_STATUS_NO_MEMORY;
1015 ZERO_STRUCTP(info1);
1017 info1->num_trusts = ret2 + 1;
1018 info1->trusts = talloc_array_p(mem_ctx, struct netr_DomainTrustInfo,
1020 if (info1->trusts == NULL) {
1021 return NT_STATUS_NO_MEMORY;
1024 status = fill_domain_trust_info(mem_ctx, res1[0], &info1->domaininfo, True);
1025 if (!NT_STATUS_IS_OK(status)) {
1029 status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[0], True);
1030 if (!NT_STATUS_IS_OK(status)) {
1034 for (i=0;i<ret2;i++) {
1035 status = fill_domain_trust_info(mem_ctx, res2[i], &info1->trusts[i+1], False);
1036 if (!NT_STATUS_IS_OK(status)) {
1041 r->out.info.info1 = info1;
1043 return NT_STATUS_OK;
1048 netr_NETRSERVERPASSWORDSET2
1050 static WERROR netr_NETRSERVERPASSWORDSET2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1051 struct netr_NETRSERVERPASSWORDSET2 *r)
1053 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1058 netr_NETRSERVERPASSWORDGET
1060 static WERROR netr_NETRSERVERPASSWORDGET(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1061 struct netr_NETRSERVERPASSWORDGET *r)
1063 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1068 netr_NETRLOGONSENDTOSAM
1070 static WERROR netr_NETRLOGONSENDTOSAM(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1071 struct netr_NETRLOGONSENDTOSAM *r)
1073 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1078 netr_DSRADDRESSTOSITENAMESW
1080 static WERROR netr_DSRADDRESSTOSITENAMESW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1081 struct netr_DSRADDRESSTOSITENAMESW *r)
1083 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1088 netr_DrsGetDCNameEx2
1090 static WERROR netr_DrsGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1091 struct netr_DrsGetDCNameEx2 *r)
1093 const char * const attrs[] = { "dnsDomain", "objectGUID", NULL };
1095 struct ldb_message **res;
1098 ZERO_STRUCT(r->out);
1100 sam_ctx = samdb_connect(mem_ctx);
1101 if (sam_ctx == NULL) {
1102 return WERR_DS_SERVICE_UNAVAILABLE;
1105 ret = samdb_search(sam_ctx, mem_ctx, NULL, &res, attrs,
1106 "(&(objectClass=domainDNS)(dnsDomain=%s))",
1109 return WERR_NO_SUCH_DOMAIN;
1112 r->out.info = talloc_p(mem_ctx, struct netr_DrsGetDCNameEx2Info);
1117 /* TODO: - return real IP address
1118 * - check all r->in.* parameters (server_unc is ignored by w2k3!)
1120 r->out.info->dc_unc = talloc_asprintf(mem_ctx, "\\\\%s.%s", lp_netbios_name(),lp_realm());
1121 r->out.info->dc_address = talloc_strdup(mem_ctx, "\\\\0.0.0.0");
1122 r->out.info->dc_address_type = 1;
1123 r->out.info->domain_guid = samdb_result_guid(res[0], "objectGUID");
1124 r->out.info->domain_name = samdb_result_string(res[0], "dnsDomain", NULL);
1125 r->out.info->forest_name = samdb_result_string(res[0], "dnsDomain", NULL);
1126 r->out.info->dc_flags = 0xE00001FD;
1127 r->out.info->dc_site_name = talloc_strdup(mem_ctx, "Default-First-Site-Name");
1128 r->out.info->client_site_name = talloc_strdup(mem_ctx, "Default-First-Site-Name");
1135 netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN
1137 static WERROR netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1138 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
1140 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1145 netr_NETRENUMERATETRUSTEDDOMAINSEX
1147 static WERROR netr_NETRENUMERATETRUSTEDDOMAINSEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1148 struct netr_NETRENUMERATETRUSTEDDOMAINSEX *r)
1150 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1155 netr_DSRADDRESSTOSITENAMESEXW
1157 static WERROR netr_DSRADDRESSTOSITENAMESEXW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1158 struct netr_DSRADDRESSTOSITENAMESEXW *r)
1160 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1165 netr_DSRGETDCSITECOVERAGEW
1167 static WERROR netr_DSRGETDCSITECOVERAGEW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1168 struct netr_DSRGETDCSITECOVERAGEW *r)
1170 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1175 netr_DsrEnumerateDomainTrusts
1177 static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1178 struct netr_DsrEnumerateDomainTrusts *r)
1180 struct netr_DomainTrust *trusts;
1183 struct ldb_message **res;
1184 const char * const attrs[] = { "name", "dnsDomain", "objectSid", "objectGUID", NULL };
1186 ZERO_STRUCT(r->out);
1188 sam_ctx = samdb_connect(mem_ctx);
1189 if (sam_ctx == NULL) {
1190 return WERR_GENERAL_FAILURE;
1193 ret = samdb_search(sam_ctx, mem_ctx, NULL, &res, attrs, "(objectClass=domainDNS)");
1195 return WERR_GENERAL_FAILURE;
1202 trusts = talloc_array_p(mem_ctx, struct netr_DomainTrust, ret);
1203 if (trusts == NULL) {
1208 r->out.trusts = trusts;
1210 /* TODO: add filtering by trust_flags, and correct trust_type
1212 for (i=0;i<ret;i++) {
1213 trusts[i].netbios_name = samdb_result_string(res[i], "name", NULL);
1214 trusts[i].dns_name = samdb_result_string(res[i], "dnsDomain", NULL);
1215 trusts[i].trust_flags =
1216 NETR_TRUST_FLAG_TREEROOT |
1217 NETR_TRUST_FLAG_IN_FOREST |
1218 NETR_TRUST_FLAG_PRIMARY;
1219 trusts[i].parent_index = 0;
1220 trusts[i].trust_type = 2;
1221 trusts[i].trust_attributes = 0;
1222 trusts[i].sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
1223 trusts[i].guid = samdb_result_guid(res[i], "objectGUID");
1232 netr_DSRDEREGISTERDNSHOSTRECORDS
1234 static WERROR netr_DSRDEREGISTERDNSHOSTRECORDS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1235 struct netr_DSRDEREGISTERDNSHOSTRECORDS *r)
1237 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1242 netr_NETRSERVERTRUSTPASSWORDSGET
1244 static WERROR netr_NETRSERVERTRUSTPASSWORDSGET(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1245 struct netr_NETRSERVERTRUSTPASSWORDSGET *r)
1247 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1252 netr_DSRGETFORESTTRUSTINFORMATION
1254 static WERROR netr_DSRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1255 struct netr_DSRGETFORESTTRUSTINFORMATION *r)
1257 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1262 netr_NETRGETFORESTTRUSTINFORMATION
1264 static WERROR netr_NETRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1265 struct netr_NETRGETFORESTTRUSTINFORMATION *r)
1267 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1272 netr_NETRSERVERGETTRUSTINFO
1274 static WERROR netr_NETRSERVERGETTRUSTINFO(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1275 struct netr_NETRSERVERGETTRUSTINFO *r)
1277 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1281 /* include the generated boilerplate */
1282 #include "librpc/gen_ndr/ndr_netlogon_s.c"