schannel_tdb: make code compilable in both trees
[samba.git] / source3 / rpc_server / srv_netlog_nt.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Copyright (C) Andrew Tridgell              1992-1997,
5  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6  *  Copyright (C) Paul Ashton                       1997.
7  *  Copyright (C) Jeremy Allison               1998-2001.
8  *  Copyright (C) Andrew Bartlett                   2001.
9  *  Copyright (C) Guenther Deschner                 2008-2009.
10  *
11  *  This program is free software; you can redistribute it and/or modify
12  *  it under the terms of the GNU General Public License as published by
13  *  the Free Software Foundation; either version 3 of the License, or
14  *  (at your option) any later version.
15  *
16  *  This program is distributed in the hope that it will be useful,
17  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
18  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19  *  GNU General Public License for more details.
20  *
21  *  You should have received a copy of the GNU General Public License
22  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
23  */
24
25 /* This is the implementation of the netlogon pipe. */
26
27 #include "includes.h"
28 #include "../libcli/auth/schannel.h"
29 #include "../librpc/gen_ndr/srv_netlogon.h"
30
31 extern userdom_struct current_user_info;
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_RPC_SRV
35
36 struct netlogon_server_pipe_state {
37         struct netr_Credential client_challenge;
38         struct netr_Credential server_challenge;
39 };
40
41 /*************************************************************************
42  _netr_LogonControl
43  *************************************************************************/
44
45 WERROR _netr_LogonControl(pipes_struct *p,
46                           struct netr_LogonControl *r)
47 {
48         struct netr_LogonControl2Ex l;
49
50         switch (r->in.level) {
51         case 1:
52                 break;
53         case 2:
54                 return WERR_NOT_SUPPORTED;
55         default:
56                 return WERR_UNKNOWN_LEVEL;
57         }
58
59         l.in.logon_server       = r->in.logon_server;
60         l.in.function_code      = r->in.function_code;
61         l.in.level              = r->in.level;
62         l.in.data               = NULL;
63         l.out.query             = r->out.query;
64
65         return _netr_LogonControl2Ex(p, &l);
66 }
67
68 /****************************************************************************
69 Send a message to smbd to do a sam synchronisation
70 **************************************************************************/
71
72 static void send_sync_message(void)
73 {
74         DEBUG(3, ("sending sam synchronisation message\n"));
75         message_send_all(smbd_messaging_context(), MSG_SMB_SAM_SYNC, NULL, 0,
76                          NULL);
77 }
78
79 /*************************************************************************
80  _netr_LogonControl2
81  *************************************************************************/
82
83 WERROR _netr_LogonControl2(pipes_struct *p,
84                            struct netr_LogonControl2 *r)
85 {
86         struct netr_LogonControl2Ex l;
87
88         l.in.logon_server       = r->in.logon_server;
89         l.in.function_code      = r->in.function_code;
90         l.in.level              = r->in.level;
91         l.in.data               = r->in.data;
92         l.out.query             = r->out.query;
93
94         return _netr_LogonControl2Ex(p, &l);
95 }
96
97 /*************************************************************************
98  *************************************************************************/
99
100 static bool wb_change_trust_creds(const char *domain, WERROR *tc_status)
101 {
102         wbcErr result;
103         struct wbcAuthErrorInfo *error = NULL;
104
105         result = wbcChangeTrustCredentials(domain, &error);
106         switch (result) {
107         case WBC_ERR_WINBIND_NOT_AVAILABLE:
108                 return false;
109         case WBC_ERR_DOMAIN_NOT_FOUND:
110                 *tc_status = WERR_NO_SUCH_DOMAIN;
111                 return true;
112         case WBC_ERR_SUCCESS:
113                 *tc_status = WERR_OK;
114                 return true;
115         default:
116                 break;
117         }
118
119         if (error && error->nt_status != 0) {
120                 *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
121         } else {
122                 *tc_status = WERR_TRUST_FAILURE;
123         }
124         wbcFreeMemory(error);
125         return true;
126 }
127
128 /*************************************************************************
129  *************************************************************************/
130
131 static bool wb_check_trust_creds(const char *domain, WERROR *tc_status)
132 {
133         wbcErr result;
134         struct wbcAuthErrorInfo *error = NULL;
135
136         result = wbcCheckTrustCredentials(domain, &error);
137         switch (result) {
138         case WBC_ERR_WINBIND_NOT_AVAILABLE:
139                 return false;
140         case WBC_ERR_DOMAIN_NOT_FOUND:
141                 *tc_status = WERR_NO_SUCH_DOMAIN;
142                 return true;
143         case WBC_ERR_SUCCESS:
144                 *tc_status = WERR_OK;
145                 return true;
146         default:
147                 break;
148         }
149
150         if (error && error->nt_status != 0) {
151                 *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
152         } else {
153                 *tc_status = WERR_TRUST_FAILURE;
154         }
155         wbcFreeMemory(error);
156         return true;
157 }
158
159 /****************************************************************
160  _netr_LogonControl2Ex
161 ****************************************************************/
162
163 WERROR _netr_LogonControl2Ex(pipes_struct *p,
164                              struct netr_LogonControl2Ex *r)
165 {
166         uint32_t flags = 0x0;
167         WERROR pdc_connection_status = WERR_OK;
168         uint32_t logon_attempts = 0x0;
169         WERROR tc_status;
170         fstring dc_name2;
171         const char *dc_name = NULL;
172         struct sockaddr_storage dc_ss;
173         const char *domain = NULL;
174         struct netr_NETLOGON_INFO_1 *info1;
175         struct netr_NETLOGON_INFO_2 *info2;
176         struct netr_NETLOGON_INFO_3 *info3;
177         struct netr_NETLOGON_INFO_4 *info4;
178         const char *fn;
179         uint32_t acct_ctrl;
180
181         switch (p->hdr_req.opnum) {
182         case NDR_NETR_LOGONCONTROL:
183                 fn = "_netr_LogonControl";
184                 break;
185         case NDR_NETR_LOGONCONTROL2:
186                 fn = "_netr_LogonControl2";
187                 break;
188         case NDR_NETR_LOGONCONTROL2EX:
189                 fn = "_netr_LogonControl2Ex";
190                 break;
191         default:
192                 return WERR_INVALID_PARAM;
193         }
194
195         acct_ctrl = pdb_get_acct_ctrl(p->server_info->sam_account);
196
197         switch (r->in.function_code) {
198         case NETLOGON_CONTROL_TC_VERIFY:
199         case NETLOGON_CONTROL_CHANGE_PASSWORD:
200         case NETLOGON_CONTROL_REDISCOVER:
201                 if ((geteuid() != sec_initial_uid()) &&
202                     !nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_RID_ADMINS) &&
203                     !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok) &&
204                     !(acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST))) {
205                         return WERR_ACCESS_DENIED;
206                 }
207                 break;
208         default:
209                 break;
210         }
211
212         tc_status = WERR_NO_SUCH_DOMAIN;
213
214         switch (r->in.function_code) {
215         case NETLOGON_CONTROL_QUERY:
216                 tc_status = WERR_OK;
217                 break;
218         case NETLOGON_CONTROL_REPLICATE:
219         case NETLOGON_CONTROL_SYNCHRONIZE:
220         case NETLOGON_CONTROL_PDC_REPLICATE:
221         case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
222         case NETLOGON_CONTROL_BREAKPOINT:
223                 if (acct_ctrl & ACB_NORMAL) {
224                         return WERR_NOT_SUPPORTED;
225                 } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
226                         return WERR_ACCESS_DENIED;
227                 } else {
228                         return WERR_ACCESS_DENIED;
229                 }
230         case NETLOGON_CONTROL_TRUNCATE_LOG:
231                 if (acct_ctrl & ACB_NORMAL) {
232                         break;
233                 } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
234                         return WERR_ACCESS_DENIED;
235                 } else {
236                         return WERR_ACCESS_DENIED;
237                 }
238
239         case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
240         case NETLOGON_CONTROL_FORCE_DNS_REG:
241         case NETLOGON_CONTROL_QUERY_DNS_REG:
242                 return WERR_NOT_SUPPORTED;
243         case NETLOGON_CONTROL_FIND_USER:
244                 if (!r->in.data || !r->in.data->user) {
245                         return WERR_NOT_SUPPORTED;
246                 }
247                 break;
248         case NETLOGON_CONTROL_SET_DBFLAG:
249                 if (!r->in.data) {
250                         return WERR_NOT_SUPPORTED;
251                 }
252                 break;
253         case NETLOGON_CONTROL_TC_VERIFY:
254                 if (!r->in.data || !r->in.data->domain) {
255                         return WERR_NOT_SUPPORTED;
256                 }
257
258                 if (!wb_check_trust_creds(r->in.data->domain, &tc_status)) {
259                         return WERR_NOT_SUPPORTED;
260                 }
261                 break;
262         case NETLOGON_CONTROL_TC_QUERY:
263                 if (!r->in.data || !r->in.data->domain) {
264                         return WERR_NOT_SUPPORTED;
265                 }
266
267                 domain = r->in.data->domain;
268
269                 if (!is_trusted_domain(domain)) {
270                         break;
271                 }
272
273                 if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
274                         tc_status = WERR_NO_LOGON_SERVERS;
275                         break;
276                 }
277
278                 dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
279                 if (!dc_name) {
280                         return WERR_NOMEM;
281                 }
282
283                 tc_status = WERR_OK;
284
285                 break;
286
287         case NETLOGON_CONTROL_REDISCOVER:
288                 if (!r->in.data || !r->in.data->domain) {
289                         return WERR_NOT_SUPPORTED;
290                 }
291
292                 domain = r->in.data->domain;
293
294                 if (!is_trusted_domain(domain)) {
295                         break;
296                 }
297
298                 if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
299                         tc_status = WERR_NO_LOGON_SERVERS;
300                         break;
301                 }
302
303                 dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
304                 if (!dc_name) {
305                         return WERR_NOMEM;
306                 }
307
308                 tc_status = WERR_OK;
309
310                 break;
311
312         case NETLOGON_CONTROL_CHANGE_PASSWORD:
313                 if (!r->in.data || !r->in.data->domain) {
314                         return WERR_NOT_SUPPORTED;
315                 }
316
317                 if (!wb_change_trust_creds(r->in.data->domain, &tc_status)) {
318                         return WERR_NOT_SUPPORTED;
319                 }
320                 break;
321
322         default:
323                 /* no idea what this should be */
324                 DEBUG(0,("%s: unimplemented function level [%d]\n",
325                         fn, r->in.function_code));
326                 return WERR_UNKNOWN_LEVEL;
327         }
328
329         /* prepare the response */
330
331         switch (r->in.level) {
332         case 1:
333                 info1 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_1);
334                 W_ERROR_HAVE_NO_MEMORY(info1);
335
336                 info1->flags                    = flags;
337                 info1->pdc_connection_status    = pdc_connection_status;
338
339                 r->out.query->info1 = info1;
340                 break;
341         case 2:
342                 info2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_2);
343                 W_ERROR_HAVE_NO_MEMORY(info2);
344
345                 info2->flags                    = flags;
346                 info2->pdc_connection_status    = pdc_connection_status;
347                 info2->trusted_dc_name          = dc_name;
348                 info2->tc_connection_status     = tc_status;
349
350                 r->out.query->info2 = info2;
351                 break;
352         case 3:
353                 info3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_3);
354                 W_ERROR_HAVE_NO_MEMORY(info3);
355
356                 info3->flags                    = flags;
357                 info3->logon_attempts           = logon_attempts;
358
359                 r->out.query->info3 = info3;
360                 break;
361         case 4:
362                 info4 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_4);
363                 W_ERROR_HAVE_NO_MEMORY(info4);
364
365                 info4->trusted_dc_name          = dc_name;
366                 info4->trusted_domain_name      = r->in.data->domain;
367
368                 r->out.query->info4 = info4;
369                 break;
370         default:
371                 return WERR_UNKNOWN_LEVEL;
372         }
373
374         if (lp_server_role() == ROLE_DOMAIN_BDC) {
375                 send_sync_message();
376         }
377
378         return WERR_OK;
379 }
380
381 /*************************************************************************
382  _netr_NetrEnumerateTrustedDomains
383  *************************************************************************/
384
385 WERROR _netr_NetrEnumerateTrustedDomains(pipes_struct *p,
386                                          struct netr_NetrEnumerateTrustedDomains *r)
387 {
388         NTSTATUS status;
389         DATA_BLOB blob;
390         struct trustdom_info **domains;
391         uint32_t num_domains;
392         const char **trusted_domains;
393         int i;
394
395         DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
396
397         /* set up the Trusted Domain List response */
398
399         become_root();
400         status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
401         unbecome_root();
402
403         if (!NT_STATUS_IS_OK(status)) {
404                 return ntstatus_to_werror(status);
405         }
406
407         trusted_domains = talloc_zero_array(p->mem_ctx, const char *, num_domains + 1);
408         if (!trusted_domains) {
409                 return WERR_NOMEM;
410         }
411
412         for (i = 0; i < num_domains; i++) {
413                 trusted_domains[i] = talloc_strdup(trusted_domains, domains[i]->name);
414                 if (!trusted_domains[i]) {
415                         TALLOC_FREE(trusted_domains);
416                         return WERR_NOMEM;
417                 }
418         }
419
420         if (!push_reg_multi_sz(trusted_domains, &blob, trusted_domains)) {
421                 TALLOC_FREE(trusted_domains);
422                 return WERR_NOMEM;
423         }
424
425         r->out.trusted_domains_blob->data = blob.data;
426         r->out.trusted_domains_blob->length = blob.length;
427
428         DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
429
430         return WERR_OK;
431 }
432
433 /******************************************************************
434  gets a machine password entry.  checks access rights of the host.
435  ******************************************************************/
436
437 static NTSTATUS get_md4pw(struct samr_Password *md4pw, const char *mach_acct,
438                           enum netr_SchannelType sec_chan_type, struct dom_sid *sid)
439 {
440         struct samu *sampass = NULL;
441         const uint8 *pass;
442         bool ret;
443         uint32 acct_ctrl;
444
445 #if 0
446         char addr[INET6_ADDRSTRLEN];
447
448     /*
449      * Currently this code is redundent as we already have a filter
450      * by hostname list. What this code really needs to do is to
451      * get a hosts allowed/hosts denied list from the SAM database
452      * on a per user basis, and make the access decision there.
453      * I will leave this code here for now as a reminder to implement
454      * this at a later date. JRA.
455      */
456
457         if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
458                         client_name(get_client_fd()),
459                         client_addr(get_client_fd(),addr,sizeof(addr)))) {
460                 DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct));
461                 return False;
462         }
463 #endif /* 0 */
464
465         if ( !(sampass = samu_new( NULL )) ) {
466                 return NT_STATUS_NO_MEMORY;
467         }
468
469         /* JRA. This is ok as it is only used for generating the challenge. */
470         become_root();
471         ret = pdb_getsampwnam(sampass, mach_acct);
472         unbecome_root();
473
474         if (!ret) {
475                 DEBUG(0,("get_md4pw: Workstation %s: no account in domain\n", mach_acct));
476                 TALLOC_FREE(sampass);
477                 return NT_STATUS_ACCESS_DENIED;
478         }
479
480         acct_ctrl = pdb_get_acct_ctrl(sampass);
481         if (acct_ctrl & ACB_DISABLED) {
482                 DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct));
483                 TALLOC_FREE(sampass);
484                 return NT_STATUS_ACCOUNT_DISABLED;
485         }
486
487         if (!(acct_ctrl & ACB_SVRTRUST) &&
488             !(acct_ctrl & ACB_WSTRUST) &&
489             !(acct_ctrl & ACB_DOMTRUST))
490         {
491                 DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct));
492                 TALLOC_FREE(sampass);
493                 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
494         }
495
496         switch (sec_chan_type) {
497                 case SEC_CHAN_BDC:
498                         if (!(acct_ctrl & ACB_SVRTRUST)) {
499                                 DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
500                                          "but not a server trust account\n", mach_acct));
501                                 TALLOC_FREE(sampass);
502                                 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
503                         }
504                         break;
505                 case SEC_CHAN_WKSTA:
506                         if (!(acct_ctrl & ACB_WSTRUST)) {
507                                 DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
508                                          "but not a workstation trust account\n", mach_acct));
509                                 TALLOC_FREE(sampass);
510                                 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
511                         }
512                         break;
513                 case SEC_CHAN_DOMAIN:
514                         if (!(acct_ctrl & ACB_DOMTRUST)) {
515                                 DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
516                                          "but not a interdomain trust account\n", mach_acct));
517                                 TALLOC_FREE(sampass);
518                                 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
519                         }
520                         break;
521                 default:
522                         break;
523         }
524
525         if ((pass = pdb_get_nt_passwd(sampass)) == NULL) {
526                 DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct));
527                 TALLOC_FREE(sampass);
528                 return NT_STATUS_LOGON_FAILURE;
529         }
530
531         memcpy(md4pw->hash, pass, 16);
532         dump_data(5, md4pw->hash, 16);
533
534         sid_copy(sid, pdb_get_user_sid(sampass));
535
536         TALLOC_FREE(sampass);
537
538         return NT_STATUS_OK;
539
540
541 }
542
543 /*************************************************************************
544  _netr_ServerReqChallenge
545  *************************************************************************/
546
547 NTSTATUS _netr_ServerReqChallenge(pipes_struct *p,
548                                   struct netr_ServerReqChallenge *r)
549 {
550         struct netlogon_server_pipe_state *pipe_state =
551                 talloc_get_type(p->private_data, struct netlogon_server_pipe_state);
552
553         if (pipe_state) {
554                 DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));
555                 talloc_free(pipe_state);
556                 p->private_data = NULL;
557         }
558
559         pipe_state = talloc(p, struct netlogon_server_pipe_state);
560         NT_STATUS_HAVE_NO_MEMORY(pipe_state);
561
562         pipe_state->client_challenge = *r->in.credentials;
563
564         generate_random_buffer(pipe_state->server_challenge.data,
565                                sizeof(pipe_state->server_challenge.data));
566
567         *r->out.return_credentials = pipe_state->server_challenge;
568
569         p->private_data = pipe_state;
570
571         return NT_STATUS_OK;
572 }
573
574 /*************************************************************************
575  _netr_ServerAuthenticate
576  Create the initial credentials.
577  *************************************************************************/
578
579 NTSTATUS _netr_ServerAuthenticate(pipes_struct *p,
580                                   struct netr_ServerAuthenticate *r)
581 {
582         struct netr_ServerAuthenticate3 a;
583         uint32_t negotiate_flags = 0;
584         uint32_t rid;
585
586         a.in.server_name                = r->in.server_name;
587         a.in.account_name               = r->in.account_name;
588         a.in.secure_channel_type        = r->in.secure_channel_type;
589         a.in.computer_name              = r->in.computer_name;
590         a.in.credentials                = r->in.credentials;
591         a.in.negotiate_flags            = &negotiate_flags;
592
593         a.out.return_credentials        = r->out.return_credentials;
594         a.out.rid                       = &rid;
595         a.out.negotiate_flags           = &negotiate_flags;
596
597         return _netr_ServerAuthenticate3(p, &a);
598
599 }
600
601 /*************************************************************************
602  _netr_ServerAuthenticate3
603  *************************************************************************/
604
605 NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
606                                    struct netr_ServerAuthenticate3 *r)
607 {
608         NTSTATUS status;
609         uint32_t srv_flgs;
610         /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
611          * so use a copy to avoid destroying the client values. */
612         uint32_t in_neg_flags = *r->in.negotiate_flags;
613         const char *fn;
614         struct dom_sid sid;
615         struct samr_Password mach_pwd;
616         struct netlogon_creds_CredentialState *creds;
617         struct netlogon_server_pipe_state *pipe_state =
618                 talloc_get_type(p->private_data, struct netlogon_server_pipe_state);
619
620         /* According to Microsoft (see bugid #6099)
621          * Windows 7 looks at the negotiate_flags
622          * returned in this structure *even if the
623          * call fails with access denied* ! So in order
624          * to allow Win7 to connect to a Samba NT style
625          * PDC we set the flags before we know if it's
626          * an error or not.
627          */
628
629         /* 0x000001ff */
630         srv_flgs = NETLOGON_NEG_ACCOUNT_LOCKOUT |
631                    NETLOGON_NEG_PERSISTENT_SAMREPL |
632                    NETLOGON_NEG_ARCFOUR |
633                    NETLOGON_NEG_PROMOTION_COUNT |
634                    NETLOGON_NEG_CHANGELOG_BDC |
635                    NETLOGON_NEG_FULL_SYNC_REPL |
636                    NETLOGON_NEG_MULTIPLE_SIDS |
637                    NETLOGON_NEG_REDO |
638                    NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
639                    NETLOGON_NEG_PASSWORD_SET2;
640
641         /* Ensure we support strong (128-bit) keys. */
642         if (in_neg_flags & NETLOGON_NEG_STRONG_KEYS) {
643                 srv_flgs |= NETLOGON_NEG_STRONG_KEYS;
644         }
645
646         if (lp_server_schannel() != false) {
647                 srv_flgs |= NETLOGON_NEG_SCHANNEL;
648         }
649
650         switch (p->hdr_req.opnum) {
651                 case NDR_NETR_SERVERAUTHENTICATE:
652                         fn = "_netr_ServerAuthenticate";
653                         break;
654                 case NDR_NETR_SERVERAUTHENTICATE2:
655                         fn = "_netr_ServerAuthenticate2";
656                         break;
657                 case NDR_NETR_SERVERAUTHENTICATE3:
658                         fn = "_netr_ServerAuthenticate3";
659                         break;
660                 default:
661                         return NT_STATUS_INTERNAL_ERROR;
662         }
663
664         /* We use this as the key to store the creds: */
665         /* r->in.computer_name */
666
667         if (!pipe_state) {
668                 DEBUG(0,("%s: no challenge sent to client %s\n", fn,
669                         r->in.computer_name));
670                 status = NT_STATUS_ACCESS_DENIED;
671                 goto out;
672         }
673
674         if ( (lp_server_schannel() == true) &&
675              ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
676
677                 /* schannel must be used, but client did not offer it. */
678                 DEBUG(0,("%s: schannel required but client failed "
679                         "to offer it. Client was %s\n",
680                         fn, r->in.account_name));
681                 status = NT_STATUS_ACCESS_DENIED;
682                 goto out;
683         }
684
685         status = get_md4pw(&mach_pwd,
686                            r->in.account_name,
687                            r->in.secure_channel_type,
688                            &sid);
689         if (!NT_STATUS_IS_OK(status)) {
690                 DEBUG(0,("%s: failed to get machine password for "
691                         "account %s: %s\n",
692                         fn, r->in.account_name, nt_errstr(status) ));
693                 /* always return NT_STATUS_ACCESS_DENIED */
694                 status = NT_STATUS_ACCESS_DENIED;
695                 goto out;
696         }
697
698         /* From the client / server challenges and md4 password, generate sess key */
699         /* Check client credentials are valid. */
700         creds = netlogon_creds_server_init(p->mem_ctx,
701                                            r->in.account_name,
702                                            r->in.computer_name,
703                                            r->in.secure_channel_type,
704                                            &pipe_state->client_challenge,
705                                            &pipe_state->server_challenge,
706                                            &mach_pwd,
707                                            r->in.credentials,
708                                            r->out.return_credentials,
709                                            *r->in.negotiate_flags);
710         if (!creds) {
711                 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
712                         "request from client %s machine account %s\n",
713                         fn, r->in.computer_name,
714                         r->in.account_name));
715                 status = NT_STATUS_ACCESS_DENIED;
716                 goto out;
717         }
718
719         creds->sid = sid_dup_talloc(creds, &sid);
720         if (!creds->sid) {
721                 status = NT_STATUS_NO_MEMORY;
722                 goto out;
723         }
724
725         /* Store off the state so we can continue after client disconnect. */
726         become_root();
727         status = schannel_save_creds_state(p->mem_ctx,
728                                            NULL, lp_private_dir(), creds);
729         unbecome_root();
730
731         if (!NT_STATUS_IS_OK(status)) {
732                 goto out;
733         }
734
735         sid_peek_rid(&sid, r->out.rid);
736
737         status = NT_STATUS_OK;
738
739   out:
740
741         *r->out.negotiate_flags = srv_flgs;
742         return status;
743 }
744
745 /*************************************************************************
746  _netr_ServerAuthenticate2
747  *************************************************************************/
748
749 NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
750                                    struct netr_ServerAuthenticate2 *r)
751 {
752         struct netr_ServerAuthenticate3 a;
753         uint32_t rid;
754
755         a.in.server_name                = r->in.server_name;
756         a.in.account_name               = r->in.account_name;
757         a.in.secure_channel_type        = r->in.secure_channel_type;
758         a.in.computer_name              = r->in.computer_name;
759         a.in.credentials                = r->in.credentials;
760         a.in.negotiate_flags            = r->in.negotiate_flags;
761
762         a.out.return_credentials        = r->out.return_credentials;
763         a.out.rid                       = &rid;
764         a.out.negotiate_flags           = r->out.negotiate_flags;
765
766         return _netr_ServerAuthenticate3(p, &a);
767 }
768
769 /*************************************************************************
770  * If schannel is required for this call test that it actually is available.
771  *************************************************************************/
772 static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info,
773                                         const char *computer_name,
774                                         bool integrity, bool privacy)
775 {
776         if (auth_info && auth_info->auth_type == PIPE_AUTH_TYPE_SCHANNEL) {
777                 if (!privacy && !integrity) {
778                         return NT_STATUS_OK;
779                 }
780
781                 if ((!privacy && integrity) &&
782                     auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
783                         return NT_STATUS_OK;
784                 }
785
786                 if ((privacy || integrity) &&
787                     auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
788                         return NT_STATUS_OK;
789                 }
790         }
791
792         /* test didn't pass */
793         DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
794                   computer_name));
795
796         return NT_STATUS_ACCESS_DENIED;
797 }
798
799 /*************************************************************************
800  *************************************************************************/
801
802 static NTSTATUS netr_creds_server_step_check(pipes_struct *p,
803                                              TALLOC_CTX *mem_ctx,
804                                              const char *computer_name,
805                                              struct netr_Authenticator *received_authenticator,
806                                              struct netr_Authenticator *return_authenticator,
807                                              struct netlogon_creds_CredentialState **creds_out)
808 {
809         NTSTATUS status;
810         bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
811
812         if (schannel_global_required) {
813                 status = schannel_check_required(&p->auth,
814                                                  computer_name,
815                                                  false, false);
816                 if (!NT_STATUS_IS_OK(status)) {
817                         return status;
818                 }
819         }
820
821         status = schannel_check_creds_state(mem_ctx, NULL,
822                                             lp_private_dir(),
823                                             computer_name,
824                                             received_authenticator,
825                                             return_authenticator,
826                                             creds_out);
827
828         return status;
829 }
830
831 /*************************************************************************
832  *************************************************************************/
833
834 static NTSTATUS netr_find_machine_account(TALLOC_CTX *mem_ctx,
835                                           const char *account_name,
836                                           struct samu **sampassp)
837 {
838         struct samu *sampass;
839         bool ret = false;
840         uint32_t acct_ctrl;
841
842         sampass = samu_new(mem_ctx);
843         if (!sampass) {
844                 return NT_STATUS_NO_MEMORY;
845         }
846
847         become_root();
848         ret = pdb_getsampwnam(sampass, account_name);
849         unbecome_root();
850
851         if (!ret) {
852                 TALLOC_FREE(sampass);
853                 return NT_STATUS_ACCESS_DENIED;
854         }
855
856         /* Ensure the account exists and is a machine account. */
857
858         acct_ctrl = pdb_get_acct_ctrl(sampass);
859
860         if (!(acct_ctrl & ACB_WSTRUST ||
861               acct_ctrl & ACB_SVRTRUST ||
862               acct_ctrl & ACB_DOMTRUST)) {
863                 TALLOC_FREE(sampass);
864                 return NT_STATUS_NO_SUCH_USER;
865         }
866
867         if (acct_ctrl & ACB_DISABLED) {
868                 TALLOC_FREE(sampass);
869                 return NT_STATUS_ACCOUNT_DISABLED;
870         }
871
872         *sampassp = sampass;
873
874         return NT_STATUS_OK;
875 }
876
877 /*************************************************************************
878  *************************************************************************/
879
880 static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
881                                                   struct samu *sampass,
882                                                   DATA_BLOB *plaintext_blob,
883                                                   struct samr_Password *nt_hash,
884                                                   struct samr_Password *lm_hash)
885 {
886         NTSTATUS status;
887         const uchar *old_pw;
888         const char *plaintext = NULL;
889         size_t plaintext_len;
890         struct samr_Password nt_hash_local;
891
892         if (!sampass) {
893                 return NT_STATUS_INVALID_PARAMETER;
894         }
895
896         if (plaintext_blob) {
897                 if (!convert_string_talloc(mem_ctx, CH_UTF16, CH_UNIX,
898                                            plaintext_blob->data, plaintext_blob->length,
899                                            &plaintext, &plaintext_len, false))
900                 {
901                         plaintext = NULL;
902                         mdfour(nt_hash_local.hash, plaintext_blob->data, plaintext_blob->length);
903                         nt_hash = &nt_hash_local;
904                 }
905         }
906
907         if (plaintext) {
908                 if (!pdb_set_plaintext_passwd(sampass, plaintext)) {
909                         return NT_STATUS_ACCESS_DENIED;
910                 }
911
912                 goto done;
913         }
914
915         if (nt_hash) {
916                 old_pw = pdb_get_nt_passwd(sampass);
917
918                 if (old_pw && memcmp(nt_hash->hash, old_pw, 16) == 0) {
919                         /* Avoid backend modificiations and other fun if the
920                            client changed the password to the *same thing* */
921                 } else {
922                         /* LM password should be NULL for machines */
923                         if (!pdb_set_lanman_passwd(sampass, NULL, PDB_CHANGED)) {
924                                 return NT_STATUS_NO_MEMORY;
925                         }
926                         if (!pdb_set_nt_passwd(sampass, nt_hash->hash, PDB_CHANGED)) {
927                                 return NT_STATUS_NO_MEMORY;
928                         }
929
930                         if (!pdb_set_pass_last_set_time(sampass, time(NULL), PDB_CHANGED)) {
931                                 /* Not quite sure what this one qualifies as, but this will do */
932                                 return NT_STATUS_UNSUCCESSFUL;
933                         }
934                 }
935         }
936
937  done:
938         become_root();
939         status = pdb_update_sam_account(sampass);
940         unbecome_root();
941
942         return status;
943 }
944
945 /*************************************************************************
946  _netr_ServerPasswordSet
947  *************************************************************************/
948
949 NTSTATUS _netr_ServerPasswordSet(pipes_struct *p,
950                                  struct netr_ServerPasswordSet *r)
951 {
952         NTSTATUS status = NT_STATUS_OK;
953         struct samu *sampass=NULL;
954         int i;
955         struct netlogon_creds_CredentialState *creds;
956
957         DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
958
959         become_root();
960         status = netr_creds_server_step_check(p, p->mem_ctx,
961                                               r->in.computer_name,
962                                               r->in.credential,
963                                               r->out.return_authenticator,
964                                               &creds);
965         unbecome_root();
966
967         if (!NT_STATUS_IS_OK(status)) {
968                 DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
969                         "request from client %s machine account %s\n",
970                         r->in.computer_name, creds->computer_name));
971                 TALLOC_FREE(creds);
972                 return status;
973         }
974
975         DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
976                         r->in.computer_name, creds->computer_name));
977
978         netlogon_creds_des_decrypt(creds, r->in.new_password);
979
980         DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
981         for(i = 0; i < sizeof(r->in.new_password->hash); i++)
982                 DEBUG(100,("%02X ", r->in.new_password->hash[i]));
983         DEBUG(100,("\n"));
984
985         status = netr_find_machine_account(p->mem_ctx,
986                                            creds->account_name,
987                                            &sampass);
988         if (!NT_STATUS_IS_OK(status)) {
989                 return status;
990         }
991
992         status = netr_set_machine_account_password(sampass,
993                                                    sampass,
994                                                    NULL,
995                                                    r->in.new_password,
996                                                    NULL);
997         TALLOC_FREE(sampass);
998         return status;
999 }
1000
1001 /****************************************************************
1002  _netr_ServerPasswordSet2
1003 ****************************************************************/
1004
1005 NTSTATUS _netr_ServerPasswordSet2(pipes_struct *p,
1006                                   struct netr_ServerPasswordSet2 *r)
1007 {
1008         NTSTATUS status;
1009         struct netlogon_creds_CredentialState *creds;
1010         struct samu *sampass;
1011         DATA_BLOB plaintext;
1012         struct samr_CryptPassword password_buf;
1013         struct samr_Password nt_hash;
1014
1015         become_root();
1016         status = netr_creds_server_step_check(p, p->mem_ctx,
1017                                               r->in.computer_name,
1018                                               r->in.credential,
1019                                               r->out.return_authenticator,
1020                                               &creds);
1021         unbecome_root();
1022
1023         if (!NT_STATUS_IS_OK(status)) {
1024                 DEBUG(2,("_netr_ServerPasswordSet2: netlogon_creds_server_step "
1025                         "failed. Rejecting auth request from client %s machine account %s\n",
1026                         r->in.computer_name, creds->computer_name));
1027                 TALLOC_FREE(creds);
1028                 return status;
1029         }
1030
1031         memcpy(password_buf.data, r->in.new_password->data, 512);
1032         SIVAL(password_buf.data, 512, r->in.new_password->length);
1033         netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
1034
1035         if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &plaintext)) {
1036                 return NT_STATUS_WRONG_PASSWORD;
1037         }
1038
1039         mdfour(nt_hash.hash, plaintext.data, plaintext.length);
1040
1041         status = netr_find_machine_account(p->mem_ctx,
1042                                            creds->account_name,
1043                                            &sampass);
1044         if (!NT_STATUS_IS_OK(status)) {
1045                 return status;
1046         }
1047
1048         status = netr_set_machine_account_password(sampass,
1049                                                    sampass,
1050                                                    NULL,
1051                                                    &nt_hash,
1052                                                    NULL);
1053         TALLOC_FREE(sampass);
1054         return status;
1055 }
1056
1057 /*************************************************************************
1058  _netr_LogonSamLogoff
1059  *************************************************************************/
1060
1061 NTSTATUS _netr_LogonSamLogoff(pipes_struct *p,
1062                               struct netr_LogonSamLogoff *r)
1063 {
1064         NTSTATUS status;
1065         struct netlogon_creds_CredentialState *creds;
1066
1067         become_root();
1068         status = netr_creds_server_step_check(p, p->mem_ctx,
1069                                               r->in.computer_name,
1070                                               r->in.credential,
1071                                               r->out.return_authenticator,
1072                                               &creds);
1073         unbecome_root();
1074
1075         return status;
1076 }
1077
1078 /*************************************************************************
1079  _netr_LogonSamLogon_base
1080  *************************************************************************/
1081
1082 static NTSTATUS _netr_LogonSamLogon_base(pipes_struct *p,
1083                                          struct netr_LogonSamLogonEx *r,
1084                                          struct netlogon_creds_CredentialState *creds)
1085 {
1086         NTSTATUS status = NT_STATUS_OK;
1087         union netr_LogonLevel *logon = r->in.logon;
1088         const char *nt_username, *nt_domain, *nt_workstation;
1089         struct auth_usersupplied_info *user_info = NULL;
1090         struct auth_serversupplied_info *server_info = NULL;
1091         struct auth_context *auth_context = NULL;
1092         uint8_t pipe_session_key[16];
1093         bool process_creds = true;
1094         const char *fn;
1095
1096         switch (p->hdr_req.opnum) {
1097                 case NDR_NETR_LOGONSAMLOGON:
1098                         process_creds = true;
1099                         fn = "_netr_LogonSamLogon";
1100                         break;
1101                 case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
1102                         process_creds = true;
1103                         fn = "_netr_LogonSamLogonWithFlags";
1104                         break;
1105                 case NDR_NETR_LOGONSAMLOGONEX:
1106                         process_creds = false;
1107                         fn = "_netr_LogonSamLogonEx";
1108                         break;
1109                 default:
1110                         return NT_STATUS_INTERNAL_ERROR;
1111         }
1112
1113         *r->out.authoritative = true; /* authoritative response */
1114
1115         switch (r->in.validation_level) {
1116         case 2:
1117                 r->out.validation->sam2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo2);
1118                 if (!r->out.validation->sam2) {
1119                         return NT_STATUS_NO_MEMORY;
1120                 }
1121                 break;
1122         case 3:
1123                 r->out.validation->sam3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo3);
1124                 if (!r->out.validation->sam3) {
1125                         return NT_STATUS_NO_MEMORY;
1126                 }
1127                 break;
1128         case 6:
1129                 r->out.validation->sam6 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo6);
1130                 if (!r->out.validation->sam6) {
1131                         return NT_STATUS_NO_MEMORY;
1132                 }
1133                 break;
1134         default:
1135                 DEBUG(0,("%s: bad validation_level value %d.\n",
1136                         fn, (int)r->in.validation_level));
1137                 return NT_STATUS_INVALID_INFO_CLASS;
1138         }
1139
1140         switch (r->in.logon_level) {
1141         case NetlogonInteractiveInformation:
1142         case NetlogonServiceInformation:
1143         case NetlogonInteractiveTransitiveInformation:
1144         case NetlogonServiceTransitiveInformation:
1145                 nt_username     = logon->password->identity_info.account_name.string;
1146                 nt_domain       = logon->password->identity_info.domain_name.string;
1147                 nt_workstation  = logon->password->identity_info.workstation.string;
1148
1149                 DEBUG(3,("SAM Logon (Interactive). Domain:[%s].  ", lp_workgroup()));
1150                 break;
1151         case NetlogonNetworkInformation:
1152         case NetlogonNetworkTransitiveInformation:
1153                 nt_username     = logon->network->identity_info.account_name.string;
1154                 nt_domain       = logon->network->identity_info.domain_name.string;
1155                 nt_workstation  = logon->network->identity_info.workstation.string;
1156
1157                 DEBUG(3,("SAM Logon (Network). Domain:[%s].  ", lp_workgroup()));
1158                 break;
1159         default:
1160                 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1161                 return NT_STATUS_INVALID_INFO_CLASS;
1162         } /* end switch */
1163
1164         DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username, nt_workstation, nt_domain));
1165         fstrcpy(current_user_info.smb_name, nt_username);
1166         sub_set_smb_name(nt_username);
1167
1168         DEBUG(5,("Attempting validation level %d for unmapped username %s.\n",
1169                 r->in.validation_level, nt_username));
1170
1171         status = NT_STATUS_OK;
1172
1173         switch (r->in.logon_level) {
1174         case NetlogonNetworkInformation:
1175         case NetlogonNetworkTransitiveInformation:
1176         {
1177                 const char *wksname = nt_workstation;
1178
1179                 status = make_auth_context_fixed(&auth_context,
1180                                                  logon->network->challenge);
1181                 if (!NT_STATUS_IS_OK(status)) {
1182                         return status;
1183                 }
1184
1185                 /* For a network logon, the workstation name comes in with two
1186                  * backslashes in the front. Strip them if they are there. */
1187
1188                 if (*wksname == '\\') wksname++;
1189                 if (*wksname == '\\') wksname++;
1190
1191                 /* Standard challenge/response authenticaion */
1192                 if (!make_user_info_netlogon_network(&user_info,
1193                                                      nt_username, nt_domain,
1194                                                      wksname,
1195                                                      logon->network->identity_info.parameter_control,
1196                                                      logon->network->lm.data,
1197                                                      logon->network->lm.length,
1198                                                      logon->network->nt.data,
1199                                                      logon->network->nt.length)) {
1200                         status = NT_STATUS_NO_MEMORY;
1201                 }
1202                 break;
1203         }
1204         case NetlogonInteractiveInformation:
1205         case NetlogonServiceInformation:
1206         case NetlogonInteractiveTransitiveInformation:
1207         case NetlogonServiceTransitiveInformation:
1208
1209                 /* 'Interactive' authentication, supplies the password in its
1210                    MD4 form, encrypted with the session key.  We will convert
1211                    this to challenge/response for the auth subsystem to chew
1212                    on */
1213         {
1214                 uint8_t chal[8];
1215
1216                 if (!NT_STATUS_IS_OK(status = make_auth_context_subsystem(&auth_context))) {
1217                         return status;
1218                 }
1219
1220                 auth_context->get_ntlm_challenge(auth_context, chal);
1221
1222                 if (!make_user_info_netlogon_interactive(&user_info,
1223                                                          nt_username, nt_domain,
1224                                                          nt_workstation,
1225                                                          logon->password->identity_info.parameter_control,
1226                                                          chal,
1227                                                          logon->password->lmpassword.hash,
1228                                                          logon->password->ntpassword.hash,
1229                                                          creds->session_key)) {
1230                         status = NT_STATUS_NO_MEMORY;
1231                 }
1232                 break;
1233         }
1234         default:
1235                 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1236                 return NT_STATUS_INVALID_INFO_CLASS;
1237         } /* end switch */
1238
1239         if ( NT_STATUS_IS_OK(status) ) {
1240                 status = auth_context->check_ntlm_password(auth_context,
1241                         user_info, &server_info);
1242         }
1243
1244         (auth_context->free)(&auth_context);
1245         free_user_info(&user_info);
1246
1247         DEBUG(5,("%s: check_password returned status %s\n",
1248                   fn, nt_errstr(status)));
1249
1250         /* Check account and password */
1251
1252         if (!NT_STATUS_IS_OK(status)) {
1253                 /* If we don't know what this domain is, we need to
1254                    indicate that we are not authoritative.  This
1255                    allows the client to decide if it needs to try
1256                    a local user.  Fix by jpjanosi@us.ibm.com, #2976 */
1257                 if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
1258                      && !strequal(nt_domain, get_global_sam_name())
1259                      && !is_trusted_domain(nt_domain) )
1260                         *r->out.authoritative = false; /* We are not authoritative */
1261
1262                 TALLOC_FREE(server_info);
1263                 return status;
1264         }
1265
1266         if (server_info->guest) {
1267                 /* We don't like guest domain logons... */
1268                 DEBUG(5,("%s: Attempted domain logon as GUEST "
1269                          "denied.\n", fn));
1270                 TALLOC_FREE(server_info);
1271                 return NT_STATUS_LOGON_FAILURE;
1272         }
1273
1274         /* This is the point at which, if the login was successful, that
1275            the SAM Local Security Authority should record that the user is
1276            logged in to the domain.  */
1277
1278         if (process_creds) {
1279                 /* Get the pipe session key from the creds. */
1280                 memcpy(pipe_session_key, creds->session_key, 16);
1281         } else {
1282                 /* Get the pipe session key from the schannel. */
1283                 if ((p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL)
1284                     || (p->auth.a_u.schannel_auth == NULL)) {
1285                         return NT_STATUS_INVALID_HANDLE;
1286                 }
1287                 memcpy(pipe_session_key, p->auth.a_u.schannel_auth->creds->session_key, 16);
1288         }
1289
1290         switch (r->in.validation_level) {
1291         case 2:
1292                 status = serverinfo_to_SamInfo2(server_info, pipe_session_key, 16,
1293                                                 r->out.validation->sam2);
1294                 break;
1295         case 3:
1296                 status = serverinfo_to_SamInfo3(server_info, pipe_session_key, 16,
1297                                                 r->out.validation->sam3);
1298                 break;
1299         case 6:
1300                 status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16,
1301                                                 r->out.validation->sam6);
1302                 break;
1303         }
1304
1305         TALLOC_FREE(server_info);
1306
1307         return status;
1308 }
1309
1310 /****************************************************************
1311  _netr_LogonSamLogonWithFlags
1312 ****************************************************************/
1313
1314 NTSTATUS _netr_LogonSamLogonWithFlags(pipes_struct *p,
1315                                       struct netr_LogonSamLogonWithFlags *r)
1316 {
1317         NTSTATUS status;
1318         struct netlogon_creds_CredentialState *creds;
1319         struct netr_LogonSamLogonEx r2;
1320         struct netr_Authenticator return_authenticator;
1321
1322         become_root();
1323         status = netr_creds_server_step_check(p, p->mem_ctx,
1324                                               r->in.computer_name,
1325                                               r->in.credential,
1326                                               &return_authenticator,
1327                                               &creds);
1328         unbecome_root();
1329         if (!NT_STATUS_IS_OK(status)) {
1330                 return status;
1331         }
1332
1333         r2.in.server_name       = r->in.server_name;
1334         r2.in.computer_name     = r->in.computer_name;
1335         r2.in.logon_level       = r->in.logon_level;
1336         r2.in.logon             = r->in.logon;
1337         r2.in.validation_level  = r->in.validation_level;
1338         r2.in.flags             = r->in.flags;
1339         r2.out.validation       = r->out.validation;
1340         r2.out.authoritative    = r->out.authoritative;
1341         r2.out.flags            = r->out.flags;
1342
1343         status = _netr_LogonSamLogon_base(p, &r2, creds);
1344
1345         *r->out.return_authenticator = return_authenticator;
1346
1347         return status;
1348 }
1349
1350 /*************************************************************************
1351  _netr_LogonSamLogon
1352  *************************************************************************/
1353
1354 NTSTATUS _netr_LogonSamLogon(pipes_struct *p,
1355                              struct netr_LogonSamLogon *r)
1356 {
1357         NTSTATUS status;
1358         struct netr_LogonSamLogonWithFlags r2;
1359         uint32_t flags = 0;
1360
1361         r2.in.server_name               = r->in.server_name;
1362         r2.in.computer_name             = r->in.computer_name;
1363         r2.in.credential                = r->in.credential;
1364         r2.in.logon_level               = r->in.logon_level;
1365         r2.in.logon                     = r->in.logon;
1366         r2.in.validation_level          = r->in.validation_level;
1367         r2.in.return_authenticator      = r->in.return_authenticator;
1368         r2.in.flags                     = &flags;
1369         r2.out.validation               = r->out.validation;
1370         r2.out.authoritative            = r->out.authoritative;
1371         r2.out.flags                    = &flags;
1372         r2.out.return_authenticator     = r->out.return_authenticator;
1373
1374         status = _netr_LogonSamLogonWithFlags(p, &r2);
1375
1376         return status;
1377 }
1378
1379 /*************************************************************************
1380  _netr_LogonSamLogonEx
1381  - no credential chaining. Map into net sam logon.
1382  *************************************************************************/
1383
1384 NTSTATUS _netr_LogonSamLogonEx(pipes_struct *p,
1385                                struct netr_LogonSamLogonEx *r)
1386 {
1387         NTSTATUS status;
1388         struct netlogon_creds_CredentialState *creds = NULL;
1389
1390         become_root();
1391         status = schannel_get_creds_state(p->mem_ctx,
1392                                           NULL, lp_private_dir(),
1393                                           r->in.computer_name, &creds);
1394         unbecome_root();
1395         if (!NT_STATUS_IS_OK(status)) {
1396                 return status;
1397         }
1398
1399         /* Only allow this if the pipe is protected. */
1400         if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1401                 DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
1402                         get_remote_machine_name() ));
1403                 return NT_STATUS_INVALID_PARAMETER;
1404         }
1405
1406         status = _netr_LogonSamLogon_base(p, r, creds);
1407         TALLOC_FREE(creds);
1408
1409         return status;
1410 }
1411
1412 /*************************************************************************
1413  _ds_enum_dom_trusts
1414  *************************************************************************/
1415 #if 0   /* JERRY -- not correct */
1416  NTSTATUS _ds_enum_dom_trusts(pipes_struct *p, DS_Q_ENUM_DOM_TRUSTS *q_u,
1417                              DS_R_ENUM_DOM_TRUSTS *r_u)
1418 {
1419         NTSTATUS status = NT_STATUS_OK;
1420
1421         /* TODO: According to MSDN, the can only be executed against a
1422            DC or domain member running Windows 2000 or later.  Need
1423            to test against a standalone 2k server and see what it
1424            does.  A windows 2000 DC includes its own domain in the
1425            list.  --jerry */
1426
1427         return status;
1428 }
1429 #endif  /* JERRY */
1430
1431
1432 /****************************************************************
1433 ****************************************************************/
1434
1435 WERROR _netr_LogonUasLogon(pipes_struct *p,
1436                            struct netr_LogonUasLogon *r)
1437 {
1438         p->rng_fault_state = true;
1439         return WERR_NOT_SUPPORTED;
1440 }
1441
1442 /****************************************************************
1443 ****************************************************************/
1444
1445 WERROR _netr_LogonUasLogoff(pipes_struct *p,
1446                             struct netr_LogonUasLogoff *r)
1447 {
1448         p->rng_fault_state = true;
1449         return WERR_NOT_SUPPORTED;
1450 }
1451
1452 /****************************************************************
1453 ****************************************************************/
1454
1455 NTSTATUS _netr_DatabaseDeltas(pipes_struct *p,
1456                               struct netr_DatabaseDeltas *r)
1457 {
1458         p->rng_fault_state = true;
1459         return NT_STATUS_NOT_IMPLEMENTED;
1460 }
1461
1462 /****************************************************************
1463 ****************************************************************/
1464
1465 NTSTATUS _netr_DatabaseSync(pipes_struct *p,
1466                             struct netr_DatabaseSync *r)
1467 {
1468         p->rng_fault_state = true;
1469         return NT_STATUS_NOT_IMPLEMENTED;
1470 }
1471
1472 /****************************************************************
1473 ****************************************************************/
1474
1475 NTSTATUS _netr_AccountDeltas(pipes_struct *p,
1476                              struct netr_AccountDeltas *r)
1477 {
1478         p->rng_fault_state = true;
1479         return NT_STATUS_NOT_IMPLEMENTED;
1480 }
1481
1482 /****************************************************************
1483 ****************************************************************/
1484
1485 NTSTATUS _netr_AccountSync(pipes_struct *p,
1486                            struct netr_AccountSync *r)
1487 {
1488         p->rng_fault_state = true;
1489         return NT_STATUS_NOT_IMPLEMENTED;
1490 }
1491
1492 /****************************************************************
1493 ****************************************************************/
1494
1495 static bool wb_getdcname(TALLOC_CTX *mem_ctx,
1496                          const char *domain,
1497                          const char **dcname,
1498                          uint32_t flags,
1499                          WERROR *werr)
1500 {
1501         wbcErr result;
1502         struct wbcDomainControllerInfo *dc_info = NULL;
1503
1504         result = wbcLookupDomainController(domain,
1505                                            flags,
1506                                            &dc_info);
1507         switch (result) {
1508         case WBC_ERR_SUCCESS:
1509                 break;
1510         case WBC_ERR_WINBIND_NOT_AVAILABLE:
1511                 return false;
1512         case WBC_ERR_DOMAIN_NOT_FOUND:
1513                 *werr = WERR_NO_SUCH_DOMAIN;
1514                 return true;
1515         default:
1516                 *werr = WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1517                 return true;
1518         }
1519
1520         *dcname = talloc_strdup(mem_ctx, dc_info->dc_name);
1521         wbcFreeMemory(dc_info);
1522         if (!*dcname) {
1523                 *werr = WERR_NOMEM;
1524                 return false;
1525         }
1526
1527         *werr = WERR_OK;
1528
1529         return true;
1530 }
1531
1532 /****************************************************************
1533  _netr_GetDcName
1534 ****************************************************************/
1535
1536 WERROR _netr_GetDcName(pipes_struct *p,
1537                        struct netr_GetDcName *r)
1538 {
1539         NTSTATUS status;
1540         WERROR werr;
1541         uint32_t flags;
1542         struct netr_DsRGetDCNameInfo *info;
1543         bool ret;
1544
1545         ret = wb_getdcname(p->mem_ctx,
1546                            r->in.domainname,
1547                            r->out.dcname,
1548                            WBC_LOOKUP_DC_IS_FLAT_NAME |
1549                            WBC_LOOKUP_DC_RETURN_FLAT_NAME |
1550                            WBC_LOOKUP_DC_PDC_REQUIRED,
1551                            &werr);
1552         if (ret == true) {
1553                 return werr;
1554         }
1555
1556         flags = DS_PDC_REQUIRED | DS_IS_FLAT_NAME | DS_RETURN_FLAT_NAME;
1557
1558         status = dsgetdcname(p->mem_ctx,
1559                              smbd_messaging_context(),
1560                              r->in.domainname,
1561                              NULL,
1562                              NULL,
1563                              flags,
1564                              &info);
1565         if (!NT_STATUS_IS_OK(status)) {
1566                 return ntstatus_to_werror(status);
1567         }
1568
1569         *r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
1570         talloc_free(info);
1571         if (!*r->out.dcname) {
1572                 return WERR_NOMEM;
1573         }
1574
1575         return WERR_OK;
1576 }
1577
1578 /****************************************************************
1579  _netr_GetAnyDCName
1580 ****************************************************************/
1581
1582 WERROR _netr_GetAnyDCName(pipes_struct *p,
1583                           struct netr_GetAnyDCName *r)
1584 {
1585         NTSTATUS status;
1586         WERROR werr;
1587         uint32_t flags;
1588         struct netr_DsRGetDCNameInfo *info;
1589         bool ret;
1590
1591         ret = wb_getdcname(p->mem_ctx,
1592                            r->in.domainname,
1593                            r->out.dcname,
1594                            WBC_LOOKUP_DC_IS_FLAT_NAME |
1595                            WBC_LOOKUP_DC_RETURN_FLAT_NAME,
1596                            &werr);
1597         if (ret == true) {
1598                 return werr;
1599         }
1600
1601         flags = DS_IS_FLAT_NAME | DS_RETURN_FLAT_NAME;
1602
1603         status = dsgetdcname(p->mem_ctx,
1604                              smbd_messaging_context(),
1605                              r->in.domainname,
1606                              NULL,
1607                              NULL,
1608                              flags,
1609                              &info);
1610         if (!NT_STATUS_IS_OK(status)) {
1611                 return ntstatus_to_werror(status);
1612         }
1613
1614         *r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
1615         talloc_free(info);
1616         if (!*r->out.dcname) {
1617                 return WERR_NOMEM;
1618         }
1619
1620         return WERR_OK;
1621 }
1622
1623 /****************************************************************
1624 ****************************************************************/
1625
1626 NTSTATUS _netr_DatabaseSync2(pipes_struct *p,
1627                              struct netr_DatabaseSync2 *r)
1628 {
1629         p->rng_fault_state = true;
1630         return NT_STATUS_NOT_IMPLEMENTED;
1631 }
1632
1633 /****************************************************************
1634 ****************************************************************/
1635
1636 NTSTATUS _netr_DatabaseRedo(pipes_struct *p,
1637                             struct netr_DatabaseRedo *r)
1638 {
1639         p->rng_fault_state = true;
1640         return NT_STATUS_NOT_IMPLEMENTED;
1641 }
1642
1643 /****************************************************************
1644 ****************************************************************/
1645
1646 WERROR _netr_DsRGetDCName(pipes_struct *p,
1647                           struct netr_DsRGetDCName *r)
1648 {
1649         p->rng_fault_state = true;
1650         return WERR_NOT_SUPPORTED;
1651 }
1652
1653 /****************************************************************
1654 ****************************************************************/
1655
1656 NTSTATUS _netr_LogonGetCapabilities(pipes_struct *p,
1657                                     struct netr_LogonGetCapabilities *r)
1658 {
1659         return NT_STATUS_NOT_IMPLEMENTED;
1660 }
1661
1662 /****************************************************************
1663 ****************************************************************/
1664
1665 WERROR _netr_NETRLOGONSETSERVICEBITS(pipes_struct *p,
1666                                      struct netr_NETRLOGONSETSERVICEBITS *r)
1667 {
1668         p->rng_fault_state = true;
1669         return WERR_NOT_SUPPORTED;
1670 }
1671
1672 /****************************************************************
1673 ****************************************************************/
1674
1675 WERROR _netr_LogonGetTrustRid(pipes_struct *p,
1676                               struct netr_LogonGetTrustRid *r)
1677 {
1678         p->rng_fault_state = true;
1679         return WERR_NOT_SUPPORTED;
1680 }
1681
1682 /****************************************************************
1683 ****************************************************************/
1684
1685 WERROR _netr_NETRLOGONCOMPUTESERVERDIGEST(pipes_struct *p,
1686                                           struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
1687 {
1688         p->rng_fault_state = true;
1689         return WERR_NOT_SUPPORTED;
1690 }
1691
1692 /****************************************************************
1693 ****************************************************************/
1694
1695 WERROR _netr_NETRLOGONCOMPUTECLIENTDIGEST(pipes_struct *p,
1696                                           struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
1697 {
1698         p->rng_fault_state = true;
1699         return WERR_NOT_SUPPORTED;
1700 }
1701
1702 /****************************************************************
1703 ****************************************************************/
1704
1705 WERROR _netr_DsRGetDCNameEx(pipes_struct *p,
1706                             struct netr_DsRGetDCNameEx *r)
1707 {
1708         p->rng_fault_state = true;
1709         return WERR_NOT_SUPPORTED;
1710 }
1711
1712 /****************************************************************
1713 ****************************************************************/
1714
1715 WERROR _netr_DsRGetSiteName(pipes_struct *p,
1716                             struct netr_DsRGetSiteName *r)
1717 {
1718         p->rng_fault_state = true;
1719         return WERR_NOT_SUPPORTED;
1720 }
1721
1722 /****************************************************************
1723 ****************************************************************/
1724
1725 NTSTATUS _netr_LogonGetDomainInfo(pipes_struct *p,
1726                                   struct netr_LogonGetDomainInfo *r)
1727 {
1728         p->rng_fault_state = true;
1729         return NT_STATUS_NOT_IMPLEMENTED;
1730 }
1731
1732 /****************************************************************
1733 ****************************************************************/
1734
1735 WERROR _netr_ServerPasswordGet(pipes_struct *p,
1736                                struct netr_ServerPasswordGet *r)
1737 {
1738         p->rng_fault_state = true;
1739         return WERR_NOT_SUPPORTED;
1740 }
1741
1742 /****************************************************************
1743 ****************************************************************/
1744
1745 WERROR _netr_NETRLOGONSENDTOSAM(pipes_struct *p,
1746                                 struct netr_NETRLOGONSENDTOSAM *r)
1747 {
1748         p->rng_fault_state = true;
1749         return WERR_NOT_SUPPORTED;
1750 }
1751
1752 /****************************************************************
1753 ****************************************************************/
1754
1755 WERROR _netr_DsRAddressToSitenamesW(pipes_struct *p,
1756                                     struct netr_DsRAddressToSitenamesW *r)
1757 {
1758         p->rng_fault_state = true;
1759         return WERR_NOT_SUPPORTED;
1760 }
1761
1762 /****************************************************************
1763 ****************************************************************/
1764
1765 WERROR _netr_DsRGetDCNameEx2(pipes_struct *p,
1766                              struct netr_DsRGetDCNameEx2 *r)
1767 {
1768         p->rng_fault_state = true;
1769         return WERR_NOT_SUPPORTED;
1770 }
1771
1772 /****************************************************************
1773 ****************************************************************/
1774
1775 WERROR _netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(pipes_struct *p,
1776                                                  struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
1777 {
1778         p->rng_fault_state = true;
1779         return WERR_NOT_SUPPORTED;
1780 }
1781
1782 /****************************************************************
1783 ****************************************************************/
1784
1785 WERROR _netr_NetrEnumerateTrustedDomainsEx(pipes_struct *p,
1786                                            struct netr_NetrEnumerateTrustedDomainsEx *r)
1787 {
1788         p->rng_fault_state = true;
1789         return WERR_NOT_SUPPORTED;
1790 }
1791
1792 /****************************************************************
1793 ****************************************************************/
1794
1795 WERROR _netr_DsRAddressToSitenamesExW(pipes_struct *p,
1796                                       struct netr_DsRAddressToSitenamesExW *r)
1797 {
1798         p->rng_fault_state = true;
1799         return WERR_NOT_SUPPORTED;
1800 }
1801
1802 /****************************************************************
1803 ****************************************************************/
1804
1805 WERROR _netr_DsrGetDcSiteCoverageW(pipes_struct *p,
1806                                    struct netr_DsrGetDcSiteCoverageW *r)
1807 {
1808         p->rng_fault_state = true;
1809         return WERR_NOT_SUPPORTED;
1810 }
1811
1812 /****************************************************************
1813 ****************************************************************/
1814
1815 WERROR _netr_DsrEnumerateDomainTrusts(pipes_struct *p,
1816                                       struct netr_DsrEnumerateDomainTrusts *r)
1817 {
1818         p->rng_fault_state = true;
1819         return WERR_NOT_SUPPORTED;
1820 }
1821
1822 /****************************************************************
1823 ****************************************************************/
1824
1825 WERROR _netr_DsrDeregisterDNSHostRecords(pipes_struct *p,
1826                                          struct netr_DsrDeregisterDNSHostRecords *r)
1827 {
1828         p->rng_fault_state = true;
1829         return WERR_NOT_SUPPORTED;
1830 }
1831
1832 /****************************************************************
1833 ****************************************************************/
1834
1835 NTSTATUS _netr_ServerTrustPasswordsGet(pipes_struct *p,
1836                                        struct netr_ServerTrustPasswordsGet *r)
1837 {
1838         p->rng_fault_state = true;
1839         return NT_STATUS_NOT_IMPLEMENTED;
1840 }
1841
1842 /****************************************************************
1843 ****************************************************************/
1844
1845 WERROR _netr_DsRGetForestTrustInformation(pipes_struct *p,
1846                                           struct netr_DsRGetForestTrustInformation *r)
1847 {
1848         p->rng_fault_state = true;
1849         return WERR_NOT_SUPPORTED;
1850 }
1851
1852 /****************************************************************
1853 ****************************************************************/
1854
1855 NTSTATUS _netr_GetForestTrustInformation(pipes_struct *p,
1856                                          struct netr_GetForestTrustInformation *r)
1857 {
1858         p->rng_fault_state = true;
1859         return NT_STATUS_NOT_IMPLEMENTED;
1860 }
1861
1862 /****************************************************************
1863 ****************************************************************/
1864
1865 NTSTATUS _netr_ServerGetTrustInfo(pipes_struct *p,
1866                                   struct netr_ServerGetTrustInfo *r)
1867 {
1868         p->rng_fault_state = true;
1869         return NT_STATUS_NOT_IMPLEMENTED;
1870 }
1871