git.samba.org / gd / samba / .git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
r816: - Make use of tridge's new samdb_result_sid_prefix() helper function.
[gd/samba/.git] / source4 / rpc_server / netlogon / dcerpc_netlogon.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    endpoint server for the netlogon pipe
5
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 2 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program; if not, write to the Free Software
20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 #include "rpc_server/common/common.h"
25
26 struct server_pipe_state {
27         TALLOC_CTX *mem_ctx;
28         struct netr_Credential client_challenge;
29         struct netr_Credential server_challenge;
30         BOOL authenticated;
31         char *account_name;
32         char *computer_name;  /* for logging only */
33         uint32 acct_flags;
34         uint16 sec_chan_type;
35         struct creds_CredentialState *creds;
36 };
37
38 static NTSTATUS netlogon_bind(struct dcesrv_call_state *dce_call, const struct dcesrv_interface *di) 
39 {
40         dce_call->conn->private = NULL;
41
42         return NT_STATUS_OK;
43 }
44
45 /* this function is called when the client disconnects the endpoint */
46 static void netlogon_unbind(struct dcesrv_connection *conn, const struct dcesrv_interface *di) 
47 {
48         struct server_pipe_state *pipe_state = conn->private;
49
50         if (pipe_state)
51                 talloc_destroy(pipe_state->mem_ctx);
52         
53         conn->private = NULL;
54 }
55
56 #define DCESRV_INTERFACE_NETLOGON_BIND netlogon_bind
57 #define DCESRV_INTERFACE_NETLOGON_UNBIND netlogon_unbind
58
59 /* 
60   netr_ServerReqChallenge 
61
62         NTSTATUS netr_ServerReqChallenge(
63                 [in]        unistr *server_name,
64                 [in]        unistr computer_name,
65                 [in][out]   netr_Credential credentials
66                 );
67
68 */
69 static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
70                                         struct netr_ServerReqChallenge *r)
71 {
72         struct server_pipe_state *pipe_state = dce_call->conn->private;
73         TALLOC_CTX *pipe_mem_ctx;
74
75         ZERO_STRUCT(r->out.credentials);
76
77         /* destroyed on pipe shutdown */
78
79         if (pipe_state) {
80                 talloc_destroy(pipe_state->mem_ctx);
81                 dce_call->conn->private = NULL;
82         }
83         
84         pipe_mem_ctx = talloc_init("internal netlogon pipe state for %s", 
85                                    r->in.computer_name);
86         
87         if (!pipe_mem_ctx) {
88                 return NT_STATUS_NO_MEMORY;
89         }
90
91         pipe_state = talloc_p(pipe_mem_ctx, struct server_pipe_state);
92         if (!pipe_state) {
93                 talloc_destroy(pipe_mem_ctx);
94                 return NT_STATUS_NO_MEMORY;
95         }
96
97         pipe_state->mem_ctx = pipe_mem_ctx;
98         pipe_state->authenticated = False;
99         pipe_state->creds = NULL;
100         pipe_state->account_name = NULL;
101         pipe_state->computer_name = NULL;
102
103         pipe_state->client_challenge = r->in.credentials;
104
105         generate_random_buffer(pipe_state->server_challenge.data, 
106                                sizeof(pipe_state->server_challenge.data),
107                                False);
108
109         r->out.credentials = pipe_state->server_challenge;
110
111         dce_call->conn->private = pipe_state;
112
113         return NT_STATUS_OK;
114 }
115
116
117 /* 
118   netr_ServerAuthenticate 
119
120          secure channel types:
121  
122         const int SEC_CHAN_WKSTA   = 2;
123         const int SEC_CHAN_DOMAIN  = 4;
124         const int SEC_CHAN_BDC     = 6;
125
126         NTSTATUS netr_ServerAuthenticate(
127                 [in]        unistr *server_name,
128                 [in]        unistr username,
129                 [in]        uint16 secure_channel_type,
130                 [in]        unistr computer_name,
131                 [in,out]    netr_Credential credentials
132                 );
133
134
135 */
136
137 static NTSTATUS netr_ServerAuthenticateInternals(struct server_pipe_state *pipe_state,
138                                                  TALLOC_CTX *mem_ctx,
139                                                  const char *account_name, 
140                                                  const char *computer_name, 
141                                                  uint16 secure_channel_type,
142                                                  uint32 in_flags,
143                                                  const struct netr_Credential *client_credentials,
144                                                  struct netr_Credential *server_credentials,
145                                                  uint32 *out_flags) 
146 {
147         void *sam_ctx;
148         uint8 *mach_pwd;
149         uint16 acct_flags;
150         int num_records;
151         struct ldb_message **msgs;
152         NTSTATUS nt_status;
153
154         const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash", 
155                                "userAccountControl", NULL 
156         };
157
158         ZERO_STRUCTP(server_credentials);
159         if (out_flags) {
160                 *out_flags = 0;
161         }
162
163         if (!pipe_state) {
164                 DEBUG(1, ("No challange requested by client, cannot authenticate\n"));
165                 return NT_STATUS_ACCESS_DENIED;
166         }
167
168         sam_ctx = samdb_connect();
169         if (sam_ctx == NULL) {
170                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
171         }
172         /* pull the user attributes */
173         num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
174                                    "(&(sAMAccountName=%s)(objectclass=user))", 
175                                    account_name);
176
177         if (num_records == 0) {
178                 DEBUG(3,("Couldn't find user [%s] in samdb.\n", 
179                          account_name));
180                 samdb_close(sam_ctx);
181                 return NT_STATUS_NO_SUCH_USER;
182         }
183
184         if (num_records > 1) {
185                 DEBUG(1,("Found %d records matching user [%s]\n", num_records, account_name));
186                 samdb_close(sam_ctx);
187                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
188         }
189
190         acct_flags = samdb_result_acct_flags(msgs[0], 
191                                              "userAccountControl");
192
193         if (acct_flags & ACB_DISABLED) {
194                 DEBUG(1, ("Account [%s] is disabled\n", account_name));
195                 return NT_STATUS_ACCESS_DENIED;
196         }
197
198         if (secure_channel_type == SEC_CHAN_WKSTA) {
199                 if (!(acct_flags & ACB_WSTRUST)) {
200                         DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", acct_flags));
201                         return NT_STATUS_ACCESS_DENIED;
202                 }
203         } else if (secure_channel_type == SEC_CHAN_DOMAIN) {
204                 if (!(acct_flags & ACB_DOMTRUST)) {
205                         DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", acct_flags));
206                         return NT_STATUS_ACCESS_DENIED;
207                 }
208         } else if (secure_channel_type == SEC_CHAN_BDC) {
209                 if (!(acct_flags & ACB_SVRTRUST)) {
210                         DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", acct_flags));
211                         return NT_STATUS_ACCESS_DENIED;
212                 }
213         } else {
214                 DEBUG(1, ("Client asked for an invalid secure channel type: %d\n", secure_channel_type));
215                 return NT_STATUS_ACCESS_DENIED;
216         }
217
218         pipe_state->acct_flags = acct_flags;
219         pipe_state->sec_chan_type = secure_channel_type;
220
221         if (!NT_STATUS_IS_OK(nt_status = samdb_result_passwords(mem_ctx, msgs[0], 
222                                                                 NULL, &mach_pwd))) {
223                 samdb_close(sam_ctx);
224                 return NT_STATUS_ACCESS_DENIED;
225         }
226
227         samdb_close(sam_ctx);
228
229         if (!pipe_state->creds) {
230                 pipe_state->creds = talloc_p(pipe_state->mem_ctx, struct creds_CredentialState);
231                 if (!pipe_state->creds) {
232                         return NT_STATUS_NO_MEMORY;
233                 }
234         }
235
236         creds_server_init(pipe_state->creds, &pipe_state->client_challenge, 
237                           &pipe_state->server_challenge, mach_pwd,
238                           server_credentials);
239
240         if (!creds_server_check(pipe_state->creds, client_credentials)) {
241                 return NT_STATUS_ACCESS_DENIED;
242         }
243
244         pipe_state->authenticated = True;
245
246         if (pipe_state->account_name) {
247                 /* We don't want a memory leak on this long-lived talloc context */
248                 talloc_free(pipe_state->mem_ctx, pipe_state->account_name);
249         }
250
251         pipe_state->account_name = talloc_strdup(pipe_state->mem_ctx, account_name);
252         
253         if (pipe_state->computer_name) {
254                 /* We don't want a memory leak on this long-lived talloc context */
255                 talloc_free(pipe_state->mem_ctx, pipe_state->account_name);
256         }
257
258         pipe_state->computer_name = talloc_strdup(pipe_state->mem_ctx, computer_name);
259         
260         if (out_flags) {
261                 *out_flags = NETLOGON_NEG_AUTH2_FLAGS;
262         }
263
264         return NT_STATUS_OK;
265 }
266                                                  
267
268 static NTSTATUS netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
269                                         struct netr_ServerAuthenticate *r)
270 {
271         struct server_pipe_state *pipe_state = dce_call->conn->private;
272         
273         return netr_ServerAuthenticateInternals(pipe_state,
274                                                 mem_ctx,
275                                                 r->in.username,
276                                                 r->in.computer_name,
277                                                 r->in.secure_channel_type,
278                                                 0,
279                                                 &r->in.credentials,
280                                                 &r->out.credentials,
281                                                 NULL); 
282 }
283
284 static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
285                                         struct netr_ServerAuthenticate2 *r)
286 {
287         struct server_pipe_state *pipe_state = dce_call->conn->private;
288         
289         return netr_ServerAuthenticateInternals(pipe_state,
290                                                 mem_ctx,
291                                                 r->in.username,
292                                                 r->in.computer_name,
293                                                 r->in.secure_channel_type,
294                                                 *r->in.negotiate_flags,
295                                                 &r->in.credentials,
296                                                 &r->out.credentials,
297                                                 r->out.negotiate_flags); 
298 }
299
300 static BOOL netr_creds_server_step_check(struct server_pipe_state *pipe_state,
301                                          struct netr_Authenticator *received_authenticator,
302                                          struct netr_Authenticator *return_authenticator) 
303 {
304         if (!pipe_state->authenticated) {
305                 return False;
306         }
307         return creds_server_step_check(pipe_state->creds, 
308                                        received_authenticator, 
309                                        return_authenticator);
310 }
311
312 /* 
313  netr_ServerPasswordSet 
314
315         NTSTATUS netr_ServerPasswordSet(
316                 [in]  unistr *server_name,
317                 [in]  unistr username,
318                 [in]  uint16 secure_channel_type,
319                 [in]  unistr computer_name,
320                 [in]  netr_Authenticator credential,
321                 [in]  netr_Password new_password,
322                 [out] netr_Authenticator return_authenticator
323                 );
324
325 */
326 static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
327                                        struct netr_ServerPasswordSet *r)
328 {
329         struct server_pipe_state *pipe_state = dce_call->conn->private;
330
331         void *sam_ctx;
332         int num_records;
333         int num_records_domain;
334         int ret;
335         struct ldb_message **msgs;
336         struct ldb_message **msgs_domain;
337         NTSTATUS nt_status;
338         struct samr_Hash newNtHash;
339         struct ldb_message mod, *msg_set_pw = &mod;
340         const char *domain_dn;
341         const char *domain_sid;
342
343         const char *attrs[] = {"objectSid", NULL 
344         };
345
346         const char **domain_attrs = attrs;
347         ZERO_STRUCT(mod);
348
349         if (!netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator)) {
350                 return NT_STATUS_ACCESS_DENIED;
351         }
352
353         if (!pipe_state) {
354                 DEBUG(1, ("No challange requested by client, cannot authenticate\n"));
355                 return NT_STATUS_ACCESS_DENIED;
356         }
357
358         sam_ctx = samdb_connect();
359         if (sam_ctx == NULL) {
360                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
361         }
362         /* pull the user attributes */
363         num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
364                                    "(&(sAMAccountName=%s)(objectclass=user))", 
365                                    pipe_state->account_name);
366
367         if (num_records == 0) {
368                 DEBUG(3,("Couldn't find user [%s] in samdb.\n", 
369                          pipe_state->account_name));
370                 samdb_close(sam_ctx);
371                 return NT_STATUS_NO_SUCH_USER;
372         }
373
374         if (num_records > 1) {
375                 DEBUG(1,("Found %d records matching user [%s]\n", num_records, 
376                          pipe_state->account_name));
377                 samdb_close(sam_ctx);
378                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
379         }
380
381         domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid");
382         if (!domain_sid) {
383                 samdb_close(sam_ctx);
384                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
385         }
386
387         /* find the domain's DN */
388         num_records_domain = samdb_search(sam_ctx, mem_ctx, NULL, 
389                                           &msgs_domain, domain_attrs,
390                                           "(&(objectSid=%s)(objectclass=domain))", 
391                                           domain_sid);
392
393         if (num_records_domain == 0) {
394                 DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n", 
395                          domain_sid));
396                 samdb_close(sam_ctx);
397                 return NT_STATUS_NO_SUCH_USER;
398         }
399
400         if (num_records_domain > 1) {
401                 DEBUG(1,("Found %d records matching domain [%s]\n", 
402                          num_records_domain, domain_sid));
403                 samdb_close(sam_ctx);
404                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
405         }
406
407         domain_dn = msgs_domain[0]->dn;
408         
409         mod.dn = talloc_strdup(mem_ctx, msgs[0]->dn);
410         if (!mod.dn) {
411                 samdb_close(sam_ctx);
412                 return NT_STATUS_NO_MEMORY;
413         }
414         
415         creds_des_decrypt(pipe_state->creds, &r->in.new_password);
416
417         memcpy(newNtHash.hash, r->in.new_password.data, sizeof(newNtHash.hash));
418
419         /* set the password - samdb needs to know both the domain and user DNs,
420            so the domain password policy can be used */
421         nt_status = samdb_set_password(sam_ctx, mem_ctx,
422                                        msgs[0]->dn, domain_dn,
423                                        msg_set_pw, 
424                                        NULL, /* Don't have plaintext */
425                                        NULL, &newNtHash,
426                                        False /* This is not considered a password change */);
427         
428         if (!NT_STATUS_IS_OK(nt_status)) {
429                 samdb_close(sam_ctx);
430                 return nt_status;
431         }
432
433         ret = samdb_replace(sam_ctx, mem_ctx, msg_set_pw);
434         if (ret != 0) {
435                 /* we really need samdb.c to return NTSTATUS */
436
437                 samdb_close(sam_ctx);
438                 return NT_STATUS_UNSUCCESSFUL;
439         }
440
441         samdb_close(sam_ctx);
442         return NT_STATUS_OK;
443 }
444
445
446 /* 
447   netr_LogonUasLogon 
448 */
449 static WERROR netr_LogonUasLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
450                        struct netr_LogonUasLogon *r)
451 {
452         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
453 }
454
455
456 /* 
457   netr_LogonUasLogoff 
458 */
459 static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
460                        struct netr_LogonUasLogoff *r)
461 {
462         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
463 }
464
465
466 /* 
467   netr_LogonSamLogon 
468
469
470
471 */
472 static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
473                        struct netr_LogonSamLogon *r)
474 {
475         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
476 }
477
478
479 /* 
480   netr_LogonSamLogoff 
481 */
482 static NTSTATUS netr_LogonSamLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
483                        struct netr_LogonSamLogoff *r)
484 {
485         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
486 }
487
488
489
490 /* 
491   netr_DatabaseDeltas 
492 */
493 static NTSTATUS netr_DatabaseDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
494                        struct netr_DatabaseDeltas *r)
495 {
496         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
497 }
498
499
500 /* 
501   netr_DatabaseSync 
502 */
503 static NTSTATUS netr_DatabaseSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
504                        struct netr_DatabaseSync *r)
505 {
506         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
507 }
508
509
510 /* 
511   netr_AccountDeltas 
512 */
513 static NTSTATUS netr_AccountDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
514                        struct netr_AccountDeltas *r)
515 {
516         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
517 }
518
519
520 /* 
521   netr_AccountSync 
522 */
523 static NTSTATUS netr_AccountSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
524                        struct netr_AccountSync *r)
525 {
526         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
527 }
528
529
530 /* 
531   netr_GetDcName 
532 */
533 static NTSTATUS netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
534                        struct netr_GetDcName *r)
535 {
536         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
537 }
538
539
540 /* 
541   netr_LogonControl 
542 */
543 static WERROR netr_LogonControl(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
544                        struct netr_LogonControl *r)
545 {
546         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
547 }
548
549
550 /* 
551   netr_GetAnyDCName 
552 */
553 static WERROR netr_GetAnyDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
554                        struct netr_GetAnyDCName *r)
555 {
556         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
557 }
558
559
560 /* 
561   netr_LogonControl2 
562 */
563 static WERROR netr_LogonControl2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
564                        struct netr_LogonControl2 *r)
565 {
566         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
567 }
568
569
570 /* 
571   netr_DatabaseSync2 
572 */
573 static NTSTATUS netr_DatabaseSync2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
574                        struct netr_DatabaseSync2 *r)
575 {
576         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
577 }
578
579
580 /* 
581   netr_DatabaseRedo 
582 */
583 static NTSTATUS netr_DatabaseRedo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
584                        struct netr_DatabaseRedo *r)
585 {
586         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
587 }
588
589
590 /* 
591   netr_LogonControl2Ex 
592 */
593 static WERROR netr_LogonControl2Ex(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
594                        struct netr_LogonControl2Ex *r)
595 {
596         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
597 }
598
599
600 /* include the generated boilerplate */
601 #include "librpc/gen_ndr/ndr_netlogon_s.c"
Samba Development trees