2 Unix SMB/CIFS implementation.
4 endpoint server for the netlogon pipe
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "rpc_server/common/common.h"
26 struct server_pipe_state {
28 struct netr_Credential client_challenge;
29 struct netr_Credential server_challenge;
32 char *computer_name; /* for logging only */
34 uint16_t sec_chan_type;
35 struct creds_CredentialState *creds;
40 a client has connected to the netlogon server using schannel, so we need
41 to re-establish the credentials state
43 static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call)
45 struct server_pipe_state *state;
49 mem_ctx = talloc_init("netlogon_bind");
51 return NT_STATUS_NO_MEMORY;
53 state = talloc_p(mem_ctx, struct server_pipe_state);
55 talloc_destroy(mem_ctx);
56 return NT_STATUS_NO_MEMORY;
59 state->mem_ctx = mem_ctx;
60 state->authenticated = True;
62 if (dce_call->conn->auth_state.session_info == NULL) {
63 talloc_destroy(mem_ctx);
64 smb_panic("No session info provided by schannel level setup!");
65 return NT_STATUS_NO_USER_SESSION_KEY;
68 status = dcerpc_schannel_creds(dce_call->conn->auth_state.gensec_security,
72 if (!NT_STATUS_IS_OK(status)) {
73 DEBUG(3, ("getting schannel credentials failed with %s\n", nt_errstr(status)));
74 talloc_destroy(mem_ctx);
78 dce_call->conn->private = state;
84 a hook for bind on the netlogon pipe
86 static NTSTATUS netlogon_bind(struct dcesrv_call_state *dce_call, const struct dcesrv_interface *di)
88 dce_call->conn->private = NULL;
90 /* if this is a schannel bind then we need to reconstruct the pipe state */
91 if (dce_call->conn->auth_state.auth_info &&
92 dce_call->conn->auth_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
95 DEBUG(5, ("schannel bind on netlogon\n"));
97 status = netlogon_schannel_setup(dce_call);
98 if (!NT_STATUS_IS_OK(status)) {
99 DEBUG(3, ("schannel bind on netlogon failed with %s\n", nt_errstr(status)));
107 /* this function is called when the client disconnects the endpoint */
108 static void netlogon_unbind(struct dcesrv_connection *conn, const struct dcesrv_interface *di)
110 struct server_pipe_state *pipe_state = conn->private;
113 talloc_destroy(pipe_state->mem_ctx);
116 conn->private = NULL;
119 #define DCESRV_INTERFACE_NETLOGON_BIND netlogon_bind
120 #define DCESRV_INTERFACE_NETLOGON_UNBIND netlogon_unbind
122 static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
123 struct netr_ServerReqChallenge *r)
125 struct server_pipe_state *pipe_state = dce_call->conn->private;
126 TALLOC_CTX *pipe_mem_ctx;
128 ZERO_STRUCTP(r->out.credentials);
130 /* destroyed on pipe shutdown */
133 talloc_destroy(pipe_state->mem_ctx);
134 dce_call->conn->private = NULL;
137 pipe_mem_ctx = talloc_init("internal netlogon pipe state for %s",
138 r->in.computer_name);
141 return NT_STATUS_NO_MEMORY;
144 pipe_state = talloc_p(pipe_mem_ctx, struct server_pipe_state);
146 talloc_destroy(pipe_mem_ctx);
147 return NT_STATUS_NO_MEMORY;
150 pipe_state->mem_ctx = pipe_mem_ctx;
151 pipe_state->authenticated = False;
152 pipe_state->creds = NULL;
153 pipe_state->account_name = NULL;
154 pipe_state->computer_name = NULL;
156 pipe_state->client_challenge = *r->in.credentials;
158 generate_random_buffer(pipe_state->server_challenge.data,
159 sizeof(pipe_state->server_challenge.data));
161 *r->out.credentials = pipe_state->server_challenge;
163 dce_call->conn->private = pipe_state;
168 static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
169 struct netr_ServerAuthenticate3 *r)
171 struct server_pipe_state *pipe_state = dce_call->conn->private;
173 struct samr_Password *mach_pwd;
176 struct ldb_message **msgs;
178 const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash", "userAccountControl",
181 ZERO_STRUCTP(r->out.credentials);
183 *r->out.negotiate_flags = *r->in.negotiate_flags;
186 DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
187 return NT_STATUS_ACCESS_DENIED;
190 sam_ctx = samdb_connect();
191 if (sam_ctx == NULL) {
192 return NT_STATUS_INVALID_SYSTEM_SERVICE;
194 /* pull the user attributes */
195 num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
196 "(&(sAMAccountName=%s)(objectclass=user))",
199 samdb_close(sam_ctx);
201 if (num_records == 0) {
202 DEBUG(3,("Couldn't find user [%s] in samdb.\n",
203 r->in.account_name));
204 return NT_STATUS_NO_SUCH_USER;
207 if (num_records > 1) {
208 DEBUG(0,("Found %d records matching user [%s]\n", num_records, r->in.account_name));
209 return NT_STATUS_INTERNAL_DB_CORRUPTION;
212 acct_flags = samdb_result_acct_flags(msgs[0],
213 "userAccountControl");
215 if (acct_flags & ACB_DISABLED) {
216 DEBUG(1, ("Account [%s] is disabled\n", r->in.account_name));
217 return NT_STATUS_ACCESS_DENIED;
220 if (r->in.secure_channel_type == SEC_CHAN_WKSTA) {
221 if (!(acct_flags & ACB_WSTRUST)) {
222 DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", acct_flags));
223 return NT_STATUS_ACCESS_DENIED;
225 } else if (r->in.secure_channel_type == SEC_CHAN_DOMAIN) {
226 if (!(acct_flags & ACB_DOMTRUST)) {
227 DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", acct_flags));
228 return NT_STATUS_ACCESS_DENIED;
230 } else if (r->in.secure_channel_type == SEC_CHAN_BDC) {
231 if (!(acct_flags & ACB_SVRTRUST)) {
232 DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", acct_flags));
233 return NT_STATUS_ACCESS_DENIED;
236 DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
237 r->in.secure_channel_type));
238 return NT_STATUS_ACCESS_DENIED;
241 pipe_state->acct_flags = acct_flags;
242 pipe_state->sec_chan_type = r->in.secure_channel_type;
244 *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0], "objectSid", 0);
246 nt_status = samdb_result_passwords(mem_ctx, msgs[0], NULL, &mach_pwd);
247 if (!NT_STATUS_IS_OK(nt_status) || mach_pwd == NULL) {
248 return NT_STATUS_ACCESS_DENIED;
251 if (!pipe_state->creds) {
252 pipe_state->creds = talloc_p(pipe_state->mem_ctx, struct creds_CredentialState);
253 if (!pipe_state->creds) {
254 return NT_STATUS_NO_MEMORY;
258 creds_server_init(pipe_state->creds, &pipe_state->client_challenge,
259 &pipe_state->server_challenge, mach_pwd,
261 *r->in.negotiate_flags);
263 if (!creds_server_check(pipe_state->creds, r->in.credentials)) {
264 return NT_STATUS_ACCESS_DENIED;
267 pipe_state->authenticated = True;
269 if (pipe_state->account_name) {
270 /* We don't want a memory leak on this long-lived talloc context */
271 talloc_free(pipe_state->account_name);
274 pipe_state->account_name = talloc_strdup(pipe_state->mem_ctx, r->in.account_name);
276 if (pipe_state->computer_name) {
277 /* We don't want a memory leak on this long-lived talloc context */
278 talloc_free(pipe_state->account_name);
281 pipe_state->computer_name = talloc_strdup(pipe_state->mem_ctx, r->in.computer_name);
283 /* remember this session key state */
284 nt_status = schannel_store_session_key(mem_ctx, pipe_state->computer_name, pipe_state->creds);
289 static NTSTATUS netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
290 struct netr_ServerAuthenticate *r)
292 struct netr_ServerAuthenticate3 r3;
295 * negotiate_flags is used as an [in] parameter
296 * so it need to be initialised.
298 * (I think ... = 0; seems wrong here --metze)
300 uint32 negotiate_flags = 0;
302 r3.in.server_name = r->in.server_name;
303 r3.in.account_name = r->in.account_name;
304 r3.in.secure_channel_type = r->in.secure_channel_type;
305 r3.in.computer_name = r->in.computer_name;
306 r3.in.credentials = r->in.credentials;
307 r3.out.credentials = r->out.credentials;
308 r3.in.negotiate_flags = &negotiate_flags;
309 r3.out.negotiate_flags = &negotiate_flags;
312 return netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
315 static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
316 struct netr_ServerAuthenticate2 *r)
318 struct netr_ServerAuthenticate3 r3;
321 r3.in.server_name = r->in.server_name;
322 r3.in.account_name = r->in.account_name;
323 r3.in.secure_channel_type = r->in.secure_channel_type;
324 r3.in.computer_name = r->in.computer_name;
325 r3.in.credentials = r->in.credentials;
326 r3.out.credentials = r->out.credentials;
327 r3.in.negotiate_flags = r->in.negotiate_flags;
328 r3.out.negotiate_flags = r->out.negotiate_flags;
331 return netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
335 static BOOL netr_creds_server_step_check(struct server_pipe_state *pipe_state,
336 struct netr_Authenticator *received_authenticator,
337 struct netr_Authenticator *return_authenticator)
339 if (!pipe_state->authenticated) {
342 return creds_server_step_check(pipe_state->creds,
343 received_authenticator,
344 return_authenticator);
348 static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
349 struct netr_ServerPasswordSet *r)
351 struct server_pipe_state *pipe_state = dce_call->conn->private;
355 int num_records_domain;
357 struct ldb_message **msgs;
358 struct ldb_message **msgs_domain;
360 struct ldb_message mod, *msg_set_pw = &mod;
361 const char *domain_dn;
362 const char *domain_sid;
364 const char *attrs[] = {"objectSid", NULL };
366 const char **domain_attrs = attrs;
370 DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
371 return NT_STATUS_ACCESS_DENIED;
374 if (!netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator)) {
375 return NT_STATUS_ACCESS_DENIED;
378 sam_ctx = samdb_connect();
379 if (sam_ctx == NULL) {
380 return NT_STATUS_INVALID_SYSTEM_SERVICE;
382 /* pull the user attributes */
383 num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
384 "(&(sAMAccountName=%s)(objectclass=user))",
385 pipe_state->account_name);
387 if (num_records == 0) {
388 DEBUG(3,("Couldn't find user [%s] in samdb.\n",
389 pipe_state->account_name));
390 samdb_close(sam_ctx);
391 return NT_STATUS_NO_SUCH_USER;
394 if (num_records > 1) {
395 DEBUG(0,("Found %d records matching user [%s]\n", num_records,
396 pipe_state->account_name));
397 samdb_close(sam_ctx);
398 return NT_STATUS_INTERNAL_DB_CORRUPTION;
401 domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid");
403 samdb_close(sam_ctx);
404 DEBUG(0,("no objectSid in user record\n"));
405 return NT_STATUS_INTERNAL_DB_CORRUPTION;
408 /* find the domain's DN */
409 num_records_domain = samdb_search(sam_ctx, mem_ctx, NULL,
410 &msgs_domain, domain_attrs,
411 "(&(objectSid=%s)(objectclass=domain))",
414 if (num_records_domain == 0) {
415 DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n",
417 samdb_close(sam_ctx);
418 return NT_STATUS_NO_SUCH_USER;
421 if (num_records_domain > 1) {
422 DEBUG(0,("Found %d records matching domain [%s]\n",
423 num_records_domain, domain_sid));
424 samdb_close(sam_ctx);
425 return NT_STATUS_INTERNAL_DB_CORRUPTION;
428 domain_dn = msgs_domain[0]->dn;
430 mod.dn = talloc_strdup(mem_ctx, msgs[0]->dn);
432 samdb_close(sam_ctx);
433 return NT_STATUS_NO_MEMORY;
436 creds_des_decrypt(pipe_state->creds, &r->in.new_password);
438 /* set the password - samdb needs to know both the domain and user DNs,
439 so the domain password policy can be used */
440 nt_status = samdb_set_password(sam_ctx, mem_ctx,
441 msgs[0]->dn, domain_dn,
443 NULL, /* Don't have plaintext */
444 NULL, &r->in.new_password,
445 False /* This is not considered a password change */,
448 if (!NT_STATUS_IS_OK(nt_status)) {
449 samdb_close(sam_ctx);
453 ret = samdb_replace(sam_ctx, mem_ctx, msg_set_pw);
455 /* we really need samdb.c to return NTSTATUS */
457 samdb_close(sam_ctx);
458 return NT_STATUS_UNSUCCESSFUL;
461 samdb_close(sam_ctx);
469 static WERROR netr_LogonUasLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
470 struct netr_LogonUasLogon *r)
472 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
479 static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
480 struct netr_LogonUasLogoff *r)
482 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
487 netr_LogonSamLogonWithFlags
490 static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
491 struct netr_LogonSamLogonWithFlags *r)
493 struct server_pipe_state *pipe_state = dce_call->conn->private;
495 struct auth_context *auth_context;
496 struct auth_usersupplied_info *user_info;
497 struct auth_serversupplied_info *server_info;
500 static const char zeros[16];
501 struct netr_SamBaseInfo *sam;
502 struct netr_SamInfo2 *sam2;
503 struct netr_SamInfo3 *sam3;
504 struct netr_SamInfo6 *sam6;
507 DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
508 return NT_STATUS_ACCESS_DENIED;
511 r->out.return_authenticator = talloc_p(mem_ctx, struct netr_Authenticator);
512 if (!r->out.return_authenticator) {
513 return NT_STATUS_NO_MEMORY;
516 if (!netr_creds_server_step_check(pipe_state, r->in.credential, r->out.return_authenticator)) {
517 return NT_STATUS_ACCESS_DENIED;
520 switch (r->in.logon_level) {
524 creds_arcfour_crypt(pipe_state->creds,
525 r->in.logon.password->lmpassword.hash,
526 sizeof(r->in.logon.password->lmpassword.hash));
527 creds_arcfour_crypt(pipe_state->creds,
528 r->in.logon.password->ntpassword.hash,
529 sizeof(r->in.logon.password->ntpassword.hash));
531 nt_status = make_auth_context_subsystem(&auth_context);
532 if (!NT_STATUS_IS_OK(nt_status)) {
536 chal = auth_context->get_ntlm_challenge(auth_context);
537 nt_status = make_user_info_netlogon_interactive(&user_info,
538 r->in.logon.password->identity_info.account_name.string,
539 r->in.logon.password->identity_info.domain_name.string,
540 r->in.logon.password->identity_info.workstation.string,
542 &r->in.logon.password->lmpassword,
543 &r->in.logon.password->ntpassword);
548 nt_status = make_auth_context_fixed(&auth_context, r->in.logon.network->challenge);
549 if (!NT_STATUS_IS_OK(nt_status)) {
553 nt_status = make_user_info_netlogon_network(&user_info,
554 r->in.logon.network->identity_info.account_name.string,
555 r->in.logon.network->identity_info.domain_name.string,
556 r->in.logon.network->identity_info.workstation.string,
557 r->in.logon.network->lm.data, r->in.logon.network->lm.length,
558 r->in.logon.network->nt.data, r->in.logon.network->nt.length);
561 free_auth_context(&auth_context);
562 return NT_STATUS_INVALID_PARAMETER;
565 if (!NT_STATUS_IS_OK(nt_status)) {
569 nt_status = auth_context->check_ntlm_password(auth_context,
573 if (!NT_STATUS_IS_OK(nt_status)) {
574 free_auth_context(&auth_context);
577 free_auth_context(&auth_context);
579 sam = talloc_p(mem_ctx, struct netr_SamBaseInfo);
583 sam->last_logon = server_info->last_logon;
584 sam->last_logoff = server_info->last_logoff;
585 sam->acct_expiry = server_info->acct_expiry;
586 sam->last_password_change = server_info->last_password_change;
587 sam->allow_password_change = server_info->allow_password_change;
588 sam->force_password_change = server_info->force_password_change;
590 sam->account_name.string = talloc_strdup(mem_ctx, server_info->account_name);
591 sam->full_name.string = talloc_strdup(mem_ctx, server_info->full_name);
592 sam->logon_script.string = talloc_strdup(mem_ctx, server_info->logon_script);
593 sam->profile_path.string = talloc_strdup(mem_ctx, server_info->profile_path);
594 sam->home_directory.string = talloc_strdup(mem_ctx, server_info->home_directory);
595 sam->home_drive.string = talloc_strdup(mem_ctx, server_info->home_drive);
597 sam->logon_count = server_info->logon_count;
598 sam->bad_password_count = sam->bad_password_count;
599 sam->rid = server_info->user_sid->sub_auths[server_info->user_sid->num_auths-1];
600 sam->primary_gid = server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1];
601 sam->group_count = 0;
602 sam->groupids = NULL;
603 sam->user_flags = 0; /* TODO: w2k3 uses 0x120 - what is this? */
604 sam->acct_flags = server_info->acct_flags;
605 sam->logon_server.string = lp_netbios_name();
607 sam->domain.string = talloc_strdup(mem_ctx, server_info->domain);
609 sam->domain_sid = dom_sid_dup(mem_ctx, server_info->user_sid);
610 sam->domain_sid->num_auths--;
612 if (server_info->user_session_key.length == sizeof(sam->key.key)) {
613 memcpy(sam->key.key, server_info->user_session_key.data, sizeof(sam->key.key));
615 ZERO_STRUCT(sam->key.key);
618 /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
619 if (memcmp(sam->key.key, zeros,
620 sizeof(sam->key.key)) != 0) {
621 creds_arcfour_crypt(pipe_state->creds,
623 sizeof(sam->key.key));
626 if (server_info->lm_session_key.length == sizeof(sam->LMSessKey.key)) {
627 memcpy(sam->LMSessKey.key, server_info->lm_session_key.data,
628 sizeof(sam->LMSessKey.key));
630 ZERO_STRUCT(sam->LMSessKey.key);
633 /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
634 if (memcmp(sam->LMSessKey.key, zeros,
635 sizeof(sam->LMSessKey.key)) != 0) {
636 creds_arcfour_crypt(pipe_state->creds,
638 sizeof(sam->LMSessKey.key));
641 switch (r->in.validation_level) {
643 sam2 = talloc_p(mem_ctx, struct netr_SamInfo2);
646 r->out.validation.sam2 = sam2;
650 sam3 = talloc_p(mem_ctx, struct netr_SamInfo3);
653 r->out.validation.sam3 = sam3;
657 sam6 = talloc_p(mem_ctx, struct netr_SamInfo6);
660 sam6->forest.string = lp_realm();
661 sam6->principle.string = talloc_asprintf(mem_ctx, "%s@%s",
662 sam->account_name.string, sam6->forest.string);
663 r->out.validation.sam6 = sam6;
670 r->out.authoritative = 1;
678 static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
679 struct netr_LogonSamLogon *r)
681 struct netr_LogonSamLogonWithFlags r2;
686 r2.in.server_name = r->in.server_name;
687 r2.in.workstation = r->in.workstation;
688 r2.in.credential = r->in.credential;
689 r2.in.return_authenticator = r->in.return_authenticator;
690 r2.in.logon_level = r->in.logon_level;
691 r2.in.logon = r->in.logon;
692 r2.in.validation_level = r->in.validation_level;
695 status = netr_LogonSamLogonWithFlags(dce_call, mem_ctx, &r2);
697 r->out.return_authenticator = r2.out.return_authenticator;
698 r->out.validation = r2.out.validation;
699 r->out.authoritative = r2.out.authoritative;
708 static NTSTATUS netr_LogonSamLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
709 struct netr_LogonSamLogoff *r)
711 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
719 static NTSTATUS netr_DatabaseDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
720 struct netr_DatabaseDeltas *r)
722 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
729 static NTSTATUS netr_DatabaseSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
730 struct netr_DatabaseSync *r)
732 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
739 static NTSTATUS netr_AccountDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
740 struct netr_AccountDeltas *r)
742 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
749 static NTSTATUS netr_AccountSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
750 struct netr_AccountSync *r)
752 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
759 static NTSTATUS netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
760 struct netr_GetDcName *r)
762 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
769 static WERROR netr_LogonControl(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
770 struct netr_LogonControl *r)
772 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
779 static WERROR netr_GetAnyDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
780 struct netr_GetAnyDCName *r)
782 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
789 static WERROR netr_LogonControl2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
790 struct netr_LogonControl2 *r)
792 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
799 static NTSTATUS netr_DatabaseSync2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
800 struct netr_DatabaseSync2 *r)
802 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
809 static NTSTATUS netr_DatabaseRedo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
810 struct netr_DatabaseRedo *r)
812 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
819 static WERROR netr_LogonControl2Ex(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
820 struct netr_LogonControl2Ex *r)
822 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
827 netr_NETRENUMERATETRUSTEDDOMAINS
829 static WERROR netr_NETRENUMERATETRUSTEDDOMAINS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
830 struct netr_NETRENUMERATETRUSTEDDOMAINS *r)
832 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
839 static WERROR netr_DSRGETDCNAME(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
840 struct netr_DSRGETDCNAME *r)
842 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
847 netr_NETRLOGONDUMMYROUTINE1
849 static WERROR netr_NETRLOGONDUMMYROUTINE1(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
850 struct netr_NETRLOGONDUMMYROUTINE1 *r)
852 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
857 netr_NETRLOGONSETSERVICEBITS
859 static WERROR netr_NETRLOGONSETSERVICEBITS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
860 struct netr_NETRLOGONSETSERVICEBITS *r)
862 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
867 netr_NETRLOGONGETTRUSTRID
869 static WERROR netr_NETRLOGONGETTRUSTRID(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
870 struct netr_NETRLOGONGETTRUSTRID *r)
872 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
877 netr_NETRLOGONCOMPUTESERVERDIGEST
879 static WERROR netr_NETRLOGONCOMPUTESERVERDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
880 struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
882 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
887 netr_NETRLOGONCOMPUTECLIENTDIGEST
889 static WERROR netr_NETRLOGONCOMPUTECLIENTDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
890 struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
892 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
899 static WERROR netr_DSRGETDCNAMEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
900 struct netr_DSRGETDCNAMEX *r)
902 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
909 static WERROR netr_DSRGETSITENAME(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
910 struct netr_DSRGETSITENAME *r)
912 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
917 fill in a netr_DomainTrustInfo from a ldb search result
919 static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message *res,
920 struct netr_DomainTrustInfo *info)
924 info->domainname.string = samdb_result_string(res, "flatName", NULL);
925 if (info->domainname.string == NULL) {
926 info->domainname.string = samdb_result_string(res, "name", NULL);
927 info->fulldomainname.string = samdb_result_string(res, "dnsDomain", NULL);
929 info->fulldomainname.string = samdb_result_string(res, "name", NULL);
932 /* TODO: we need proper forest support */
933 info->forest.string = info->fulldomainname.string;
935 info->guid = samdb_result_guid(res, "objectGUID");
936 info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid");
942 netr_LogonGetDomainInfo
943 this is called as part of the ADS domain logon procedure.
945 static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
946 struct netr_LogonGetDomainInfo *r)
948 struct server_pipe_state *pipe_state = dce_call->conn->private;
949 const char * const attrs[] = { "name", "dnsDomain", "objectSid",
950 "objectGUID", "flatName", NULL };
952 struct ldb_message **res1, **res2;
953 struct netr_DomainInfo1 *info1;
958 return NT_STATUS_ACCESS_DENIED;
961 if (!netr_creds_server_step_check(pipe_state,
962 r->in.credential, r->out.credential)) {
963 return NT_STATUS_ACCESS_DENIED;
966 sam_ctx = samdb_connect();
967 if (sam_ctx == NULL) {
968 return NT_STATUS_INVALID_SYSTEM_SERVICE;
971 /* we need to do two searches. The first will pull our primary
972 domain and the second will pull any trusted domains. Our
973 primary domain is also a "trusted" domain, so we need to
974 put the primary domain into the lists of returned trusts as
976 ret1 = samdb_search(sam_ctx, mem_ctx, NULL, &res1, attrs, "(objectClass=domainDNS)");
978 samdb_close(sam_ctx);
979 return NT_STATUS_INTERNAL_DB_CORRUPTION;
982 ret2 = samdb_search(sam_ctx, mem_ctx, NULL, &res2, attrs, "(objectClass=trustedDomain)");
984 samdb_close(sam_ctx);
985 return NT_STATUS_INTERNAL_DB_CORRUPTION;
988 /* we don't need the db link any more */
989 samdb_close(sam_ctx);
991 info1 = talloc_p(mem_ctx, struct netr_DomainInfo1);
993 return NT_STATUS_NO_MEMORY;
998 info1->num_trusts = ret2 + 1;
999 info1->trusts = talloc_array_p(mem_ctx, struct netr_DomainTrustInfo,
1001 if (info1->trusts == NULL) {
1002 return NT_STATUS_NO_MEMORY;
1005 status = fill_domain_trust_info(mem_ctx, res1[0], &info1->domaininfo);
1006 if (!NT_STATUS_IS_OK(status)) {
1010 status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[0]);
1011 if (!NT_STATUS_IS_OK(status)) {
1015 for (i=0;i<ret2;i++) {
1016 status = fill_domain_trust_info(mem_ctx, res2[i], &info1->trusts[i+1]);
1017 if (!NT_STATUS_IS_OK(status)) {
1022 r->out.info.info1 = info1;
1024 return NT_STATUS_OK;
1029 netr_NETRSERVERPASSWORDSET2
1031 static WERROR netr_NETRSERVERPASSWORDSET2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1032 struct netr_NETRSERVERPASSWORDSET2 *r)
1034 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1039 netr_NETRSERVERPASSWORDGET
1041 static WERROR netr_NETRSERVERPASSWORDGET(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1042 struct netr_NETRSERVERPASSWORDGET *r)
1044 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1049 netr_NETRLOGONSENDTOSAM
1051 static WERROR netr_NETRLOGONSENDTOSAM(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1052 struct netr_NETRLOGONSENDTOSAM *r)
1054 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1059 netr_DSRADDRESSTOSITENAMESW
1061 static WERROR netr_DSRADDRESSTOSITENAMESW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1062 struct netr_DSRADDRESSTOSITENAMESW *r)
1064 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1069 netr_DSRGETDCNAMEEX2
1071 static WERROR netr_DSRGETDCNAMEEX2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1072 struct netr_DSRGETDCNAMEEX2 *r)
1074 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1079 netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN
1081 static WERROR netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1082 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
1084 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1089 netr_NETRENUMERATETRUSTEDDOMAINSEX
1091 static WERROR netr_NETRENUMERATETRUSTEDDOMAINSEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1092 struct netr_NETRENUMERATETRUSTEDDOMAINSEX *r)
1094 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1099 netr_DSRADDRESSTOSITENAMESEXW
1101 static WERROR netr_DSRADDRESSTOSITENAMESEXW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1102 struct netr_DSRADDRESSTOSITENAMESEXW *r)
1104 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1109 netr_DSRGETDCSITECOVERAGEW
1111 static WERROR netr_DSRGETDCSITECOVERAGEW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1112 struct netr_DSRGETDCSITECOVERAGEW *r)
1114 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1119 netr_NETRLOGONSAMLOGONEX
1121 static WERROR netr_NETRLOGONSAMLOGONEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1122 struct netr_NETRLOGONSAMLOGONEX *r)
1124 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1129 netr_DsrEnumerateDomainTrusts
1131 static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1132 struct netr_DsrEnumerateDomainTrusts *r)
1134 struct netr_DomainTrust *trusts;
1137 struct ldb_message **res;
1138 const char * const attrs[] = { "name", "dnsDomain", "objectSid", "objectGUID", NULL };
1140 ZERO_STRUCT(r->out);
1142 sam_ctx = samdb_connect();
1143 if (sam_ctx == NULL) {
1144 return WERR_GENERAL_FAILURE;
1147 ret = samdb_search(sam_ctx, mem_ctx, NULL, &res, attrs, "(objectClass=domainDNS)");
1149 samdb_close(sam_ctx);
1150 return WERR_GENERAL_FAILURE;
1157 trusts = talloc_array_p(mem_ctx, struct netr_DomainTrust, ret);
1158 if (trusts == NULL) {
1163 r->out.trusts = trusts;
1165 /* TODO: add filtering by trust_flags, and correct trust_type
1167 for (i=0;i<ret;i++) {
1168 trusts[i].netbios_name = samdb_result_string(res[i], "name", NULL);
1169 trusts[i].dns_name = samdb_result_string(res[i], "dnsDomain", NULL);
1170 trusts[i].trust_flags =
1171 NETR_TRUST_FLAG_TREEROOT |
1172 NETR_TRUST_FLAG_IN_FOREST |
1173 NETR_TRUST_FLAG_PRIMARY;
1174 trusts[i].parent_index = 0;
1175 trusts[i].trust_type = 2;
1176 trusts[i].trust_attributes = 0;
1177 trusts[i].sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
1178 trusts[i].guid = samdb_result_guid(res[i], "objectGUID");
1187 netr_DSRDEREGISTERDNSHOSTRECORDS
1189 static WERROR netr_DSRDEREGISTERDNSHOSTRECORDS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1190 struct netr_DSRDEREGISTERDNSHOSTRECORDS *r)
1192 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1197 netr_NETRSERVERTRUSTPASSWORDSGET
1199 static WERROR netr_NETRSERVERTRUSTPASSWORDSGET(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1200 struct netr_NETRSERVERTRUSTPASSWORDSGET *r)
1202 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1207 netr_DSRGETFORESTTRUSTINFORMATION
1209 static WERROR netr_DSRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1210 struct netr_DSRGETFORESTTRUSTINFORMATION *r)
1212 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1217 netr_NETRGETFORESTTRUSTINFORMATION
1219 static WERROR netr_NETRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1220 struct netr_NETRGETFORESTTRUSTINFORMATION *r)
1222 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1227 netr_NETRSERVERGETTRUSTINFO
1229 static WERROR netr_NETRSERVERGETTRUSTINFO(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1230 struct netr_NETRSERVERGETTRUSTINFO *r)
1232 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1236 /* include the generated boilerplate */
1237 #include "librpc/gen_ndr/ndr_netlogon_s.c"