2 Unix SMB/CIFS implementation.
4 endpoint server for the netlogon pipe
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
7 Copyright (C) Stefan Metzmacher <metze@samba.org> 2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 #include "librpc/gen_ndr/ndr_netlogon.h"
26 #include "rpc_server/dcerpc_server.h"
27 #include "rpc_server/common/common.h"
28 #include "librpc/gen_ndr/ndr_dcom.h"
29 #include "auth/auth.h"
30 #include "lib/ldb/include/ldb.h"
32 struct server_pipe_state {
33 struct netr_Credential client_challenge;
34 struct netr_Credential server_challenge;
37 char *computer_name; /* for logging only */
39 uint16_t sec_chan_type;
40 struct creds_CredentialState *creds;
45 a client has connected to the netlogon server using schannel, so we need
46 to re-establish the credentials state
48 static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call)
50 struct server_pipe_state *state;
53 state = talloc_p(dce_call->conn, struct server_pipe_state);
55 return NT_STATUS_NO_MEMORY;
58 state->authenticated = True;
60 if (dce_call->conn->auth_state.session_info == NULL) {
62 smb_panic("No session info provided by schannel level setup!");
63 return NT_STATUS_NO_USER_SESSION_KEY;
66 status = dcerpc_schannel_creds(dce_call->conn->auth_state.gensec_security,
70 if (!NT_STATUS_IS_OK(status)) {
71 DEBUG(3, ("getting schannel credentials failed with %s\n", nt_errstr(status)));
76 dce_call->conn->private = state;
82 a hook for bind on the netlogon pipe
84 static NTSTATUS netlogon_bind(struct dcesrv_call_state *dce_call, const struct dcesrv_interface *di)
86 dce_call->conn->private = NULL;
88 /* if this is a schannel bind then we need to reconstruct the pipe state */
89 if (dce_call->conn->auth_state.auth_info &&
90 dce_call->conn->auth_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
93 DEBUG(5, ("schannel bind on netlogon\n"));
95 status = netlogon_schannel_setup(dce_call);
96 if (!NT_STATUS_IS_OK(status)) {
97 DEBUG(3, ("schannel bind on netlogon failed with %s\n", nt_errstr(status)));
105 /* this function is called when the client disconnects the endpoint */
106 static void netlogon_unbind(struct dcesrv_connection *conn, const struct dcesrv_interface *di)
108 struct server_pipe_state *pipe_state = conn->private;
111 talloc_free(pipe_state);
114 conn->private = NULL;
117 #define DCESRV_INTERFACE_NETLOGON_BIND netlogon_bind
118 #define DCESRV_INTERFACE_NETLOGON_UNBIND netlogon_unbind
120 static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
121 struct netr_ServerReqChallenge *r)
123 struct server_pipe_state *pipe_state = dce_call->conn->private;
125 ZERO_STRUCTP(r->out.credentials);
127 /* destroyed on pipe shutdown */
130 talloc_free(pipe_state);
131 dce_call->conn->private = NULL;
134 pipe_state = talloc_p(dce_call->conn, struct server_pipe_state);
136 return NT_STATUS_NO_MEMORY;
139 pipe_state->authenticated = False;
140 pipe_state->creds = NULL;
141 pipe_state->account_name = NULL;
142 pipe_state->computer_name = NULL;
144 pipe_state->client_challenge = *r->in.credentials;
146 generate_random_buffer(pipe_state->server_challenge.data,
147 sizeof(pipe_state->server_challenge.data));
149 *r->out.credentials = pipe_state->server_challenge;
151 dce_call->conn->private = pipe_state;
156 static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
157 struct netr_ServerAuthenticate3 *r)
159 struct server_pipe_state *pipe_state = dce_call->conn->private;
161 struct samr_Password *mach_pwd;
164 struct ldb_message **msgs;
166 const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash", "userAccountControl",
169 ZERO_STRUCTP(r->out.credentials);
171 *r->out.negotiate_flags = *r->in.negotiate_flags;
174 DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
175 return NT_STATUS_ACCESS_DENIED;
178 sam_ctx = samdb_connect(mem_ctx);
179 if (sam_ctx == NULL) {
180 return NT_STATUS_INVALID_SYSTEM_SERVICE;
182 /* pull the user attributes */
183 num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
184 "(&(sAMAccountName=%s)(objectclass=user))",
187 if (num_records == 0) {
188 DEBUG(3,("Couldn't find user [%s] in samdb.\n",
189 r->in.account_name));
190 return NT_STATUS_NO_SUCH_USER;
193 if (num_records > 1) {
194 DEBUG(0,("Found %d records matching user [%s]\n", num_records, r->in.account_name));
195 return NT_STATUS_INTERNAL_DB_CORRUPTION;
198 acct_flags = samdb_result_acct_flags(msgs[0],
199 "userAccountControl");
201 if (acct_flags & ACB_DISABLED) {
202 DEBUG(1, ("Account [%s] is disabled\n", r->in.account_name));
203 return NT_STATUS_ACCESS_DENIED;
206 if (r->in.secure_channel_type == SEC_CHAN_WKSTA) {
207 if (!(acct_flags & ACB_WSTRUST)) {
208 DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", acct_flags));
209 return NT_STATUS_ACCESS_DENIED;
211 } else if (r->in.secure_channel_type == SEC_CHAN_DOMAIN) {
212 if (!(acct_flags & ACB_DOMTRUST)) {
213 DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", acct_flags));
214 return NT_STATUS_ACCESS_DENIED;
216 } else if (r->in.secure_channel_type == SEC_CHAN_BDC) {
217 if (!(acct_flags & ACB_SVRTRUST)) {
218 DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", acct_flags));
219 return NT_STATUS_ACCESS_DENIED;
222 DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
223 r->in.secure_channel_type));
224 return NT_STATUS_ACCESS_DENIED;
227 pipe_state->acct_flags = acct_flags;
228 pipe_state->sec_chan_type = r->in.secure_channel_type;
230 *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0], "objectSid", 0);
232 nt_status = samdb_result_passwords(mem_ctx, msgs[0], NULL, &mach_pwd);
233 if (!NT_STATUS_IS_OK(nt_status) || mach_pwd == NULL) {
234 return NT_STATUS_ACCESS_DENIED;
237 if (!pipe_state->creds) {
238 pipe_state->creds = talloc_p(pipe_state, struct creds_CredentialState);
239 if (!pipe_state->creds) {
240 return NT_STATUS_NO_MEMORY;
244 creds_server_init(pipe_state->creds, &pipe_state->client_challenge,
245 &pipe_state->server_challenge, mach_pwd,
247 *r->in.negotiate_flags);
249 if (!creds_server_check(pipe_state->creds, r->in.credentials)) {
250 return NT_STATUS_ACCESS_DENIED;
253 pipe_state->authenticated = True;
255 if (pipe_state->account_name) {
256 /* We don't want a memory leak on this long-lived talloc context */
257 talloc_free(pipe_state->account_name);
260 pipe_state->account_name = talloc_strdup(pipe_state, r->in.account_name);
262 if (pipe_state->computer_name) {
263 /* We don't want a memory leak on this long-lived talloc context */
264 talloc_free(pipe_state->computer_name);
267 pipe_state->computer_name = talloc_strdup(pipe_state, r->in.computer_name);
269 /* remember this session key state */
270 nt_status = schannel_store_session_key(mem_ctx, pipe_state->computer_name, pipe_state->creds);
275 static NTSTATUS netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
276 struct netr_ServerAuthenticate *r)
278 struct netr_ServerAuthenticate3 r3;
281 * negotiate_flags is used as an [in] parameter
282 * so it need to be initialised.
284 * (I think ... = 0; seems wrong here --metze)
286 uint32 negotiate_flags = 0;
288 r3.in.server_name = r->in.server_name;
289 r3.in.account_name = r->in.account_name;
290 r3.in.secure_channel_type = r->in.secure_channel_type;
291 r3.in.computer_name = r->in.computer_name;
292 r3.in.credentials = r->in.credentials;
293 r3.out.credentials = r->out.credentials;
294 r3.in.negotiate_flags = &negotiate_flags;
295 r3.out.negotiate_flags = &negotiate_flags;
298 return netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
301 static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
302 struct netr_ServerAuthenticate2 *r)
304 struct netr_ServerAuthenticate3 r3;
307 r3.in.server_name = r->in.server_name;
308 r3.in.account_name = r->in.account_name;
309 r3.in.secure_channel_type = r->in.secure_channel_type;
310 r3.in.computer_name = r->in.computer_name;
311 r3.in.credentials = r->in.credentials;
312 r3.out.credentials = r->out.credentials;
313 r3.in.negotiate_flags = r->in.negotiate_flags;
314 r3.out.negotiate_flags = r->out.negotiate_flags;
317 return netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
321 static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_state,
322 struct netr_Authenticator *received_authenticator,
323 struct netr_Authenticator *return_authenticator)
326 DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
327 return NT_STATUS_ACCESS_DENIED;
330 if (!pipe_state->authenticated) {
331 return NT_STATUS_ACCESS_DENIED;
333 return creds_server_step_check(pipe_state->creds,
334 received_authenticator,
335 return_authenticator);
339 static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
340 struct netr_ServerPasswordSet *r)
342 struct server_pipe_state *pipe_state = dce_call->conn->private;
346 int num_records_domain;
348 struct ldb_message **msgs;
349 struct ldb_message **msgs_domain;
351 struct ldb_message mod, *msg_set_pw = &mod;
352 const char *domain_dn;
353 const char *domain_sid;
355 const char *attrs[] = {"objectSid", NULL };
357 const char **domain_attrs = attrs;
360 nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator);
361 if (NT_STATUS_IS_OK(nt_status)) {
365 sam_ctx = samdb_connect(mem_ctx);
366 if (sam_ctx == NULL) {
367 return NT_STATUS_INVALID_SYSTEM_SERVICE;
369 /* pull the user attributes */
370 num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
371 "(&(sAMAccountName=%s)(objectclass=user))",
372 pipe_state->account_name);
374 if (num_records == 0) {
375 DEBUG(3,("Couldn't find user [%s] in samdb.\n",
376 pipe_state->account_name));
377 return NT_STATUS_NO_SUCH_USER;
380 if (num_records > 1) {
381 DEBUG(0,("Found %d records matching user [%s]\n", num_records,
382 pipe_state->account_name));
383 return NT_STATUS_INTERNAL_DB_CORRUPTION;
386 domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid");
388 DEBUG(0,("no objectSid in user record\n"));
389 return NT_STATUS_INTERNAL_DB_CORRUPTION;
392 /* find the domain's DN */
393 num_records_domain = samdb_search(sam_ctx, mem_ctx, NULL,
394 &msgs_domain, domain_attrs,
395 "(&(objectSid=%s)(objectclass=domain))",
398 if (num_records_domain == 0) {
399 DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n",
401 return NT_STATUS_NO_SUCH_USER;
404 if (num_records_domain > 1) {
405 DEBUG(0,("Found %d records matching domain [%s]\n",
406 num_records_domain, domain_sid));
407 return NT_STATUS_INTERNAL_DB_CORRUPTION;
410 domain_dn = msgs_domain[0]->dn;
412 mod.dn = talloc_strdup(mem_ctx, msgs[0]->dn);
414 return NT_STATUS_NO_MEMORY;
417 creds_des_decrypt(pipe_state->creds, &r->in.new_password);
419 /* set the password - samdb needs to know both the domain and user DNs,
420 so the domain password policy can be used */
421 nt_status = samdb_set_password(sam_ctx, mem_ctx,
422 msgs[0]->dn, domain_dn,
424 NULL, /* Don't have plaintext */
425 NULL, &r->in.new_password,
426 False /* This is not considered a password change */,
429 if (!NT_STATUS_IS_OK(nt_status)) {
433 ret = samdb_replace(sam_ctx, mem_ctx, msg_set_pw);
435 /* we really need samdb.c to return NTSTATUS */
436 return NT_STATUS_UNSUCCESSFUL;
446 static WERROR netr_LogonUasLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
447 struct netr_LogonUasLogon *r)
449 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
456 static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
457 struct netr_LogonUasLogoff *r)
459 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
464 netr_LogonSamLogonWithFlags
466 This version of the function allows other wrappers to say 'do not check the credentials'
468 static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
469 struct netr_LogonSamLogonEx *r)
471 struct server_pipe_state *pipe_state = dce_call->conn->private;
473 struct auth_context *auth_context;
474 struct auth_usersupplied_info *user_info;
475 struct auth_serversupplied_info *server_info;
478 static const char zeros[16];
479 struct netr_SamBaseInfo *sam;
480 struct netr_SamInfo2 *sam2;
481 struct netr_SamInfo3 *sam3;
482 struct netr_SamInfo6 *sam6;
484 switch (r->in.logon_level) {
488 if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
489 creds_arcfour_crypt(pipe_state->creds,
490 r->in.logon.password->lmpassword.hash,
491 sizeof(r->in.logon.password->lmpassword.hash));
492 creds_arcfour_crypt(pipe_state->creds,
493 r->in.logon.password->ntpassword.hash,
494 sizeof(r->in.logon.password->ntpassword.hash));
496 creds_des_decrypt(pipe_state->creds, &r->in.logon.password->lmpassword);
497 creds_des_decrypt(pipe_state->creds, &r->in.logon.password->ntpassword);
500 /* TODO: we need to deny anonymous access here */
501 nt_status = auth_context_create(mem_ctx, lp_auth_methods(), &auth_context);
502 NT_STATUS_NOT_OK_RETURN(nt_status);
504 nt_status = auth_get_challenge(auth_context, &chal);
505 NT_STATUS_NOT_OK_RETURN(nt_status);
507 nt_status = make_user_info_netlogon_interactive(mem_ctx,
508 r->in.logon.password->identity_info.account_name.string,
509 r->in.logon.password->identity_info.domain_name.string,
510 r->in.logon.password->identity_info.workstation.string,
512 &r->in.logon.password->lmpassword,
513 &r->in.logon.password->ntpassword,
515 NT_STATUS_NOT_OK_RETURN(nt_status);
519 /* TODO: we need to deny anonymous access here */
520 nt_status = auth_context_create(mem_ctx, lp_auth_methods(), &auth_context);
521 NT_STATUS_NOT_OK_RETURN(nt_status);
523 nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags");
524 NT_STATUS_NOT_OK_RETURN(nt_status);
526 nt_status = make_user_info_netlogon_network(auth_context,
527 r->in.logon.network->identity_info.account_name.string,
528 r->in.logon.network->identity_info.domain_name.string,
529 r->in.logon.network->identity_info.workstation.string,
530 r->in.logon.network->lm.data, r->in.logon.network->lm.length,
531 r->in.logon.network->nt.data, r->in.logon.network->nt.length,
533 NT_STATUS_NOT_OK_RETURN(nt_status);
536 return NT_STATUS_INVALID_PARAMETER;
539 nt_status = auth_check_password(auth_context, mem_ctx, user_info, &server_info);
540 NT_STATUS_NOT_OK_RETURN(nt_status);
542 sam = talloc_p(mem_ctx, struct netr_SamBaseInfo);
543 NT_STATUS_HAVE_NO_MEMORY(sam);
545 sam->last_logon = server_info->last_logon;
546 sam->last_logoff = server_info->last_logoff;
547 sam->acct_expiry = server_info->acct_expiry;
548 sam->last_password_change = server_info->last_password_change;
549 sam->allow_password_change = server_info->allow_password_change;
550 sam->force_password_change = server_info->force_password_change;
552 sam->account_name.string = server_info->account_name;
553 sam->full_name.string = server_info->full_name;
554 sam->logon_script.string = server_info->logon_script;
555 sam->profile_path.string = server_info->profile_path;
556 sam->home_directory.string = server_info->home_directory;
557 sam->home_drive.string = server_info->home_drive;
559 sam->logon_count = server_info->logon_count;
560 sam->bad_password_count = sam->bad_password_count;
561 sam->rid = server_info->account_sid->sub_auths[server_info->account_sid->num_auths-1];
562 sam->primary_gid = server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1];
563 sam->group_count = 0;
564 sam->groupids = NULL;
565 sam->user_flags = 0; /* TODO: w2k3 uses 0x120 - what is this? */
566 sam->acct_flags = server_info->acct_flags;
567 sam->logon_server.string = lp_netbios_name();
568 sam->domain.string = server_info->domain_name;
570 sam->domain_sid = dom_sid_dup(mem_ctx, server_info->account_sid);
571 NT_STATUS_HAVE_NO_MEMORY(sam->domain_sid);
572 sam->domain_sid->num_auths--;
574 ZERO_ARRAY(sam->unknown);
576 ZERO_STRUCT(sam->key);
577 if (server_info->user_session_key.length == sizeof(sam->key.key)) {
578 memcpy(sam->key.key, server_info->user_session_key.data, sizeof(sam->key.key));
581 /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
582 /* It appears that level 6 is not individually encrypted */
583 if ((r->in.validation_level != 6)
584 && memcmp(sam->key.key, zeros,
585 sizeof(sam->key.key)) != 0) {
587 /* This key is sent unencrypted without the ARCFOUR flag set */
588 if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
589 creds_arcfour_crypt(pipe_state->creds,
591 sizeof(sam->key.key));
595 ZERO_STRUCT(sam->LMSessKey);
596 if (server_info->lm_session_key.length == sizeof(sam->LMSessKey.key)) {
597 memcpy(sam->LMSessKey.key, server_info->lm_session_key.data,
598 sizeof(sam->LMSessKey.key));
601 /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
602 /* It appears that level 6 is not individually encrypted */
603 if ((r->in.validation_level != 6)
604 && memcmp(sam->LMSessKey.key, zeros,
605 sizeof(sam->LMSessKey.key)) != 0) {
606 if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
607 creds_arcfour_crypt(pipe_state->creds,
609 sizeof(sam->LMSessKey.key));
611 creds_des_encrypt_LMKey(pipe_state->creds,
616 switch (r->in.validation_level) {
618 sam2 = talloc_p(mem_ctx, struct netr_SamInfo2);
619 NT_STATUS_HAVE_NO_MEMORY(sam2);
622 r->out.validation.sam2 = sam2;
626 sam3 = talloc_p(mem_ctx, struct netr_SamInfo3);
627 NT_STATUS_HAVE_NO_MEMORY(sam3);
630 r->out.validation.sam3 = sam3;
634 sam6 = talloc_p(mem_ctx, struct netr_SamInfo6);
635 NT_STATUS_HAVE_NO_MEMORY(sam6);
638 sam6->forest.string = lp_realm();
639 sam6->principle.string = talloc_asprintf(mem_ctx, "%s@%s",
640 sam->account_name.string, sam6->forest.string);
641 r->out.validation.sam6 = sam6;
648 r->out.authoritative = 1;
654 netr_LogonSamLogonWithFlags
657 static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
658 struct netr_LogonSamLogonWithFlags *r)
661 struct netr_LogonSamLogonEx r2;
663 struct server_pipe_state *pipe_state = dce_call->conn->private;
665 r->out.return_authenticator = talloc_p(mem_ctx, struct netr_Authenticator);
666 if (!r->out.return_authenticator) {
667 return NT_STATUS_NO_MEMORY;
670 nt_status = netr_creds_server_step_check(pipe_state, r->in.credential, r->out.return_authenticator);
671 if (!NT_STATUS_IS_OK(nt_status)) {
677 r2.in.server_name = r->in.server_name;
678 r2.in.workstation = r->in.workstation;
679 r2.in.logon_level = r->in.logon_level;
680 r2.in.logon = r->in.logon;
681 r2.in.validation_level = r->in.validation_level;
682 r2.in.flags = r->in.flags;
684 nt_status = netr_LogonSamLogonEx(dce_call, mem_ctx, &r2);
686 r->out.validation = r2.out.validation;
687 r->out.authoritative = r2.out.authoritative;
695 static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
696 struct netr_LogonSamLogon *r)
698 struct netr_LogonSamLogonWithFlags r2;
703 r2.in.server_name = r->in.server_name;
704 r2.in.workstation = r->in.workstation;
705 r2.in.credential = r->in.credential;
706 r2.in.return_authenticator = r->in.return_authenticator;
707 r2.in.logon_level = r->in.logon_level;
708 r2.in.logon = r->in.logon;
709 r2.in.validation_level = r->in.validation_level;
712 status = netr_LogonSamLogonWithFlags(dce_call, mem_ctx, &r2);
714 r->out.return_authenticator = r2.out.return_authenticator;
715 r->out.validation = r2.out.validation;
716 r->out.authoritative = r2.out.authoritative;
725 static NTSTATUS netr_LogonSamLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
726 struct netr_LogonSamLogoff *r)
728 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
736 static NTSTATUS netr_DatabaseDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
737 struct netr_DatabaseDeltas *r)
739 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
746 static NTSTATUS netr_DatabaseSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
747 struct netr_DatabaseSync *r)
749 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
756 static NTSTATUS netr_AccountDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
757 struct netr_AccountDeltas *r)
759 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
766 static NTSTATUS netr_AccountSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
767 struct netr_AccountSync *r)
769 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
776 static NTSTATUS netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
777 struct netr_GetDcName *r)
779 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
786 static WERROR netr_LogonControl(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
787 struct netr_LogonControl *r)
789 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
796 static WERROR netr_GetAnyDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
797 struct netr_GetAnyDCName *r)
799 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
806 static WERROR netr_LogonControl2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
807 struct netr_LogonControl2 *r)
809 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
816 static NTSTATUS netr_DatabaseSync2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
817 struct netr_DatabaseSync2 *r)
819 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
826 static NTSTATUS netr_DatabaseRedo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
827 struct netr_DatabaseRedo *r)
829 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
836 static WERROR netr_LogonControl2Ex(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
837 struct netr_LogonControl2Ex *r)
839 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
844 netr_NETRENUMERATETRUSTEDDOMAINS
846 static WERROR netr_NETRENUMERATETRUSTEDDOMAINS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
847 struct netr_NETRENUMERATETRUSTEDDOMAINS *r)
849 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
856 static WERROR netr_DSRGETDCNAME(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
857 struct netr_DSRGETDCNAME *r)
859 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
864 netr_NETRLOGONDUMMYROUTINE1
866 static WERROR netr_NETRLOGONDUMMYROUTINE1(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
867 struct netr_NETRLOGONDUMMYROUTINE1 *r)
869 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
874 netr_NETRLOGONSETSERVICEBITS
876 static WERROR netr_NETRLOGONSETSERVICEBITS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
877 struct netr_NETRLOGONSETSERVICEBITS *r)
879 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
884 netr_NETRLOGONGETTRUSTRID
886 static WERROR netr_NETRLOGONGETTRUSTRID(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
887 struct netr_NETRLOGONGETTRUSTRID *r)
889 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
894 netr_NETRLOGONCOMPUTESERVERDIGEST
896 static WERROR netr_NETRLOGONCOMPUTESERVERDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
897 struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
899 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
904 netr_NETRLOGONCOMPUTECLIENTDIGEST
906 static WERROR netr_NETRLOGONCOMPUTECLIENTDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
907 struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
909 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
916 static WERROR netr_DSRGETDCNAMEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
917 struct netr_DSRGETDCNAMEX *r)
919 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
926 static WERROR netr_DSRGETSITENAME(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
927 struct netr_DSRGETSITENAME *r)
929 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
934 fill in a netr_DomainTrustInfo from a ldb search result
936 static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message *res,
937 struct netr_DomainTrustInfo *info, BOOL is_local)
942 info->domainname.string = samdb_result_string(res, "name", NULL);
943 info->fulldomainname.string = samdb_result_string(res, "dnsDomain", NULL);
944 info->guid = samdb_result_guid(res, "objectGUID");
945 info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid");
947 info->domainname.string = samdb_result_string(res, "flatName", NULL);
948 info->fulldomainname.string = samdb_result_string(res, "name", NULL);
949 info->guid = samdb_result_guid(res, "objectGUID");
950 info->sid = samdb_result_dom_sid(mem_ctx, res, "securityIdentifier");
953 /* TODO: we need proper forest support */
954 info->forest.string = info->fulldomainname.string;
960 netr_LogonGetDomainInfo
961 this is called as part of the ADS domain logon procedure.
963 static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
964 struct netr_LogonGetDomainInfo *r)
966 struct server_pipe_state *pipe_state = dce_call->conn->private;
967 const char * const attrs[] = { "name", "dnsDomain", "objectSid",
968 "objectGUID", "flatName", "securityIdentifier",
971 struct ldb_message **res1, **res2;
972 struct netr_DomainInfo1 *info1;
976 status = netr_creds_server_step_check(pipe_state,
977 r->in.credential, r->out.credential);
978 if (!NT_STATUS_IS_OK(status)) {
982 sam_ctx = samdb_connect(mem_ctx);
983 if (sam_ctx == NULL) {
984 return NT_STATUS_INVALID_SYSTEM_SERVICE;
987 /* we need to do two searches. The first will pull our primary
988 domain and the second will pull any trusted domains. Our
989 primary domain is also a "trusted" domain, so we need to
990 put the primary domain into the lists of returned trusts as
992 ret1 = samdb_search(sam_ctx, mem_ctx, NULL, &res1, attrs, "(objectClass=domainDNS)");
994 return NT_STATUS_INTERNAL_DB_CORRUPTION;
997 ret2 = samdb_search(sam_ctx, mem_ctx, NULL, &res2, attrs, "(objectClass=trustedDomain)");
999 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1002 info1 = talloc_p(mem_ctx, struct netr_DomainInfo1);
1003 if (info1 == NULL) {
1004 return NT_STATUS_NO_MEMORY;
1007 ZERO_STRUCTP(info1);
1009 info1->num_trusts = ret2 + 1;
1010 info1->trusts = talloc_array_p(mem_ctx, struct netr_DomainTrustInfo,
1012 if (info1->trusts == NULL) {
1013 return NT_STATUS_NO_MEMORY;
1016 status = fill_domain_trust_info(mem_ctx, res1[0], &info1->domaininfo, True);
1017 if (!NT_STATUS_IS_OK(status)) {
1021 status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[0], True);
1022 if (!NT_STATUS_IS_OK(status)) {
1026 for (i=0;i<ret2;i++) {
1027 status = fill_domain_trust_info(mem_ctx, res2[i], &info1->trusts[i+1], False);
1028 if (!NT_STATUS_IS_OK(status)) {
1033 r->out.info.info1 = info1;
1035 return NT_STATUS_OK;
1040 netr_NETRSERVERPASSWORDSET2
1042 static WERROR netr_NETRSERVERPASSWORDSET2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1043 struct netr_NETRSERVERPASSWORDSET2 *r)
1045 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1050 netr_NETRSERVERPASSWORDGET
1052 static WERROR netr_NETRSERVERPASSWORDGET(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1053 struct netr_NETRSERVERPASSWORDGET *r)
1055 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1060 netr_NETRLOGONSENDTOSAM
1062 static WERROR netr_NETRLOGONSENDTOSAM(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1063 struct netr_NETRLOGONSENDTOSAM *r)
1065 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1070 netr_DSRADDRESSTOSITENAMESW
1072 static WERROR netr_DSRADDRESSTOSITENAMESW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1073 struct netr_DSRADDRESSTOSITENAMESW *r)
1075 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1080 netr_DrsGetDCNameEx2
1082 static WERROR netr_DrsGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1083 struct netr_DrsGetDCNameEx2 *r)
1085 const char * const attrs[] = { "dnsDomain", "objectGUID", NULL };
1087 struct ldb_message **res;
1090 ZERO_STRUCT(r->out);
1092 sam_ctx = samdb_connect(mem_ctx);
1093 if (sam_ctx == NULL) {
1094 return WERR_DS_SERVICE_UNAVAILABLE;
1097 ret = samdb_search(sam_ctx, mem_ctx, NULL, &res, attrs,
1098 "(&(objectClass=domainDNS)(dnsDomain=%s))",
1101 return WERR_NO_SUCH_DOMAIN;
1104 r->out.info = talloc_p(mem_ctx, struct netr_DrsGetDCNameEx2Info);
1109 /* TODO: - return real IP address
1110 * - check all r->in.* parameters (server_unc is ignored by w2k3!)
1112 r->out.info->dc_unc = talloc_asprintf(mem_ctx, "\\\\%s.%s", lp_netbios_name(),lp_realm());
1113 r->out.info->dc_address = talloc_strdup(mem_ctx, "\\\\0.0.0.0");
1114 r->out.info->dc_address_type = 1;
1115 r->out.info->domain_guid = samdb_result_guid(res[0], "objectGUID");
1116 r->out.info->domain_name = samdb_result_string(res[0], "dnsDomain", NULL);
1117 r->out.info->forest_name = samdb_result_string(res[0], "dnsDomain", NULL);
1118 r->out.info->dc_flags = 0xE00001FD;
1119 r->out.info->dc_site_name = talloc_strdup(mem_ctx, "Default-First-Site-Name");
1120 r->out.info->client_site_name = talloc_strdup(mem_ctx, "Default-First-Site-Name");
1127 netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN
1129 static WERROR netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1130 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
1132 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1137 netr_NETRENUMERATETRUSTEDDOMAINSEX
1139 static WERROR netr_NETRENUMERATETRUSTEDDOMAINSEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1140 struct netr_NETRENUMERATETRUSTEDDOMAINSEX *r)
1142 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1147 netr_DSRADDRESSTOSITENAMESEXW
1149 static WERROR netr_DSRADDRESSTOSITENAMESEXW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1150 struct netr_DSRADDRESSTOSITENAMESEXW *r)
1152 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1157 netr_DSRGETDCSITECOVERAGEW
1159 static WERROR netr_DSRGETDCSITECOVERAGEW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1160 struct netr_DSRGETDCSITECOVERAGEW *r)
1162 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1167 netr_DsrEnumerateDomainTrusts
1169 static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1170 struct netr_DsrEnumerateDomainTrusts *r)
1172 struct netr_DomainTrust *trusts;
1175 struct ldb_message **res;
1176 const char * const attrs[] = { "name", "dnsDomain", "objectSid", "objectGUID", NULL };
1178 ZERO_STRUCT(r->out);
1180 sam_ctx = samdb_connect(mem_ctx);
1181 if (sam_ctx == NULL) {
1182 return WERR_GENERAL_FAILURE;
1185 ret = samdb_search(sam_ctx, mem_ctx, NULL, &res, attrs, "(objectClass=domainDNS)");
1187 return WERR_GENERAL_FAILURE;
1194 trusts = talloc_array_p(mem_ctx, struct netr_DomainTrust, ret);
1195 if (trusts == NULL) {
1200 r->out.trusts = trusts;
1202 /* TODO: add filtering by trust_flags, and correct trust_type
1204 for (i=0;i<ret;i++) {
1205 trusts[i].netbios_name = samdb_result_string(res[i], "name", NULL);
1206 trusts[i].dns_name = samdb_result_string(res[i], "dnsDomain", NULL);
1207 trusts[i].trust_flags =
1208 NETR_TRUST_FLAG_TREEROOT |
1209 NETR_TRUST_FLAG_IN_FOREST |
1210 NETR_TRUST_FLAG_PRIMARY;
1211 trusts[i].parent_index = 0;
1212 trusts[i].trust_type = 2;
1213 trusts[i].trust_attributes = 0;
1214 trusts[i].sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
1215 trusts[i].guid = samdb_result_guid(res[i], "objectGUID");
1224 netr_DSRDEREGISTERDNSHOSTRECORDS
1226 static WERROR netr_DSRDEREGISTERDNSHOSTRECORDS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1227 struct netr_DSRDEREGISTERDNSHOSTRECORDS *r)
1229 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1234 netr_NETRSERVERTRUSTPASSWORDSGET
1236 static WERROR netr_NETRSERVERTRUSTPASSWORDSGET(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1237 struct netr_NETRSERVERTRUSTPASSWORDSGET *r)
1239 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1244 netr_DSRGETFORESTTRUSTINFORMATION
1246 static WERROR netr_DSRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1247 struct netr_DSRGETFORESTTRUSTINFORMATION *r)
1249 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1254 netr_NETRGETFORESTTRUSTINFORMATION
1256 static WERROR netr_NETRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1257 struct netr_NETRGETFORESTTRUSTINFORMATION *r)
1259 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1264 netr_NETRSERVERGETTRUSTINFO
1266 static WERROR netr_NETRSERVERGETTRUSTINFO(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1267 struct netr_NETRSERVERGETTRUSTINFO *r)
1269 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1273 /* include the generated boilerplate */
1274 #include "librpc/gen_ndr/ndr_netlogon_s.c"