2 Unix SMB/CIFS implementation.
4 endpoint server for the netlogon pipe
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "rpc_server/common/common.h"
26 struct server_pipe_state {
28 struct netr_Credential client_challenge;
29 struct netr_Credential server_challenge;
32 char *computer_name; /* for logging only */
34 uint16_t sec_chan_type;
35 struct creds_CredentialState *creds;
40 a client has connected to the netlogon server using schannel, so we need
41 to re-establish the credentials state
43 static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call)
45 struct server_pipe_state *state;
49 mem_ctx = talloc_init("netlogon_bind");
51 return NT_STATUS_NO_MEMORY;
53 state = talloc_p(mem_ctx, struct server_pipe_state);
55 talloc_destroy(mem_ctx);
58 state->mem_ctx = mem_ctx;
59 state->authenticated = True;
61 state->creds = talloc_p(mem_ctx, struct creds_CredentialState);
62 if (state->creds == NULL) {
63 talloc_destroy(mem_ctx);
64 return NT_STATUS_NO_MEMORY;
66 ZERO_STRUCTP(state->creds);
68 if (dce_call->conn->auth_state.session_info == NULL) {
69 talloc_destroy(mem_ctx);
70 return NT_STATUS_NO_USER_SESSION_KEY;
73 status = schannel_fetch_session_key(mem_ctx,
74 dce_call->conn->auth_state.session_info->workstation,
76 if (!NT_STATUS_IS_OK(status)) {
77 talloc_destroy(mem_ctx);
81 dce_call->conn->private = state;
87 a hook for bind on the netlogon pipe
89 static NTSTATUS netlogon_bind(struct dcesrv_call_state *dce_call, const struct dcesrv_interface *di)
91 dce_call->conn->private = NULL;
93 /* if this is a schannel bind then we need to reconstruct the pipe state */
94 if (dce_call->conn->auth_state.auth_info &&
95 dce_call->conn->auth_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
98 status = netlogon_schannel_setup(dce_call);
99 if (!NT_STATUS_IS_OK(status)) {
107 /* this function is called when the client disconnects the endpoint */
108 static void netlogon_unbind(struct dcesrv_connection *conn, const struct dcesrv_interface *di)
110 struct server_pipe_state *pipe_state = conn->private;
113 talloc_destroy(pipe_state->mem_ctx);
116 conn->private = NULL;
119 #define DCESRV_INTERFACE_NETLOGON_BIND netlogon_bind
120 #define DCESRV_INTERFACE_NETLOGON_UNBIND netlogon_unbind
122 static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
123 struct netr_ServerReqChallenge *r)
125 struct server_pipe_state *pipe_state = dce_call->conn->private;
126 TALLOC_CTX *pipe_mem_ctx;
128 ZERO_STRUCTP(r->out.credentials);
130 /* destroyed on pipe shutdown */
133 talloc_destroy(pipe_state->mem_ctx);
134 dce_call->conn->private = NULL;
137 pipe_mem_ctx = talloc_init("internal netlogon pipe state for %s",
138 r->in.computer_name);
141 return NT_STATUS_NO_MEMORY;
144 pipe_state = talloc_p(pipe_mem_ctx, struct server_pipe_state);
146 talloc_destroy(pipe_mem_ctx);
147 return NT_STATUS_NO_MEMORY;
150 pipe_state->mem_ctx = pipe_mem_ctx;
151 pipe_state->authenticated = False;
152 pipe_state->creds = NULL;
153 pipe_state->account_name = NULL;
154 pipe_state->computer_name = NULL;
156 pipe_state->client_challenge = *r->in.credentials;
158 generate_random_buffer(pipe_state->server_challenge.data,
159 sizeof(pipe_state->server_challenge.data),
162 *r->out.credentials = pipe_state->server_challenge;
164 dce_call->conn->private = pipe_state;
169 static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
170 struct netr_ServerAuthenticate3 *r)
172 struct server_pipe_state *pipe_state = dce_call->conn->private;
174 struct samr_Password *mach_pwd;
177 struct ldb_message **msgs;
179 const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash", "userAccountControl",
182 ZERO_STRUCTP(r->out.credentials);
184 *r->out.negotiate_flags = *r->in.negotiate_flags;
187 DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
188 return NT_STATUS_ACCESS_DENIED;
191 sam_ctx = samdb_connect();
192 if (sam_ctx == NULL) {
193 return NT_STATUS_INVALID_SYSTEM_SERVICE;
195 /* pull the user attributes */
196 num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
197 "(&(sAMAccountName=%s)(objectclass=user))",
200 if (num_records == 0) {
201 DEBUG(3,("Couldn't find user [%s] in samdb.\n",
202 r->in.account_name));
203 samdb_close(sam_ctx);
204 return NT_STATUS_NO_SUCH_USER;
207 if (num_records > 1) {
208 DEBUG(1,("Found %d records matching user [%s]\n", num_records, r->in.account_name));
209 samdb_close(sam_ctx);
210 return NT_STATUS_INTERNAL_DB_CORRUPTION;
213 acct_flags = samdb_result_acct_flags(msgs[0],
214 "userAccountControl");
216 if (acct_flags & ACB_DISABLED) {
217 DEBUG(1, ("Account [%s] is disabled\n", r->in.account_name));
218 return NT_STATUS_ACCESS_DENIED;
221 if (r->in.secure_channel_type == SEC_CHAN_WKSTA) {
222 if (!(acct_flags & ACB_WSTRUST)) {
223 DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", acct_flags));
224 return NT_STATUS_ACCESS_DENIED;
226 } else if (r->in.secure_channel_type == SEC_CHAN_DOMAIN) {
227 if (!(acct_flags & ACB_DOMTRUST)) {
228 DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", acct_flags));
229 return NT_STATUS_ACCESS_DENIED;
231 } else if (r->in.secure_channel_type == SEC_CHAN_BDC) {
232 if (!(acct_flags & ACB_SVRTRUST)) {
233 DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", acct_flags));
234 return NT_STATUS_ACCESS_DENIED;
237 DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
238 r->in.secure_channel_type));
239 return NT_STATUS_ACCESS_DENIED;
242 pipe_state->acct_flags = acct_flags;
243 pipe_state->sec_chan_type = r->in.secure_channel_type;
245 *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0], "objectSid", 0);
247 nt_status = samdb_result_passwords(mem_ctx, msgs[0], NULL, &mach_pwd);
248 if (!NT_STATUS_IS_OK(nt_status) || mach_pwd == NULL) {
249 samdb_close(sam_ctx);
250 return NT_STATUS_ACCESS_DENIED;
253 samdb_close(sam_ctx);
255 if (!pipe_state->creds) {
256 pipe_state->creds = talloc_p(pipe_state->mem_ctx, struct creds_CredentialState);
257 if (!pipe_state->creds) {
258 return NT_STATUS_NO_MEMORY;
262 creds_server_init(pipe_state->creds, &pipe_state->client_challenge,
263 &pipe_state->server_challenge, mach_pwd,
265 *r->in.negotiate_flags);
267 if (!creds_server_check(pipe_state->creds, r->in.credentials)) {
268 return NT_STATUS_ACCESS_DENIED;
271 pipe_state->authenticated = True;
273 if (pipe_state->account_name) {
274 /* We don't want a memory leak on this long-lived talloc context */
275 talloc_free(pipe_state->mem_ctx, pipe_state->account_name);
278 pipe_state->account_name = talloc_strdup(pipe_state->mem_ctx, r->in.account_name);
280 if (pipe_state->computer_name) {
281 /* We don't want a memory leak on this long-lived talloc context */
282 talloc_free(pipe_state->mem_ctx, pipe_state->account_name);
285 pipe_state->computer_name = talloc_strdup(pipe_state->mem_ctx, r->in.computer_name);
287 /* remember this session key state */
288 nt_status = schannel_store_session_key(mem_ctx, pipe_state->computer_name, pipe_state->creds);
293 static NTSTATUS netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
294 struct netr_ServerAuthenticate *r)
296 struct netr_ServerAuthenticate3 r3;
297 uint32 negotiate_flags, rid;
299 r3.in.server_name = r->in.server_name;
300 r3.in.account_name = r->in.account_name;
301 r3.in.secure_channel_type = r->in.secure_channel_type;
302 r3.in.computer_name = r->in.computer_name;
303 r3.in.credentials = r->in.credentials;
304 r3.out.credentials = r->out.credentials;
305 r3.in.negotiate_flags = &negotiate_flags;
306 r3.out.negotiate_flags = &negotiate_flags;
309 return netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
312 static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
313 struct netr_ServerAuthenticate2 *r)
315 struct netr_ServerAuthenticate3 r3;
318 r3.in.server_name = r->in.server_name;
319 r3.in.account_name = r->in.account_name;
320 r3.in.secure_channel_type = r->in.secure_channel_type;
321 r3.in.computer_name = r->in.computer_name;
322 r3.in.credentials = r->in.credentials;
323 r3.out.credentials = r->out.credentials;
324 r3.in.negotiate_flags = r->in.negotiate_flags;
325 r3.out.negotiate_flags = r->out.negotiate_flags;
328 return netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
332 static BOOL netr_creds_server_step_check(struct server_pipe_state *pipe_state,
333 struct netr_Authenticator *received_authenticator,
334 struct netr_Authenticator *return_authenticator)
336 if (!pipe_state->authenticated) {
339 return creds_server_step_check(pipe_state->creds,
340 received_authenticator,
341 return_authenticator);
345 static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
346 struct netr_ServerPasswordSet *r)
348 struct server_pipe_state *pipe_state = dce_call->conn->private;
352 int num_records_domain;
354 struct ldb_message **msgs;
355 struct ldb_message **msgs_domain;
357 struct ldb_message mod, *msg_set_pw = &mod;
358 const char *domain_dn;
359 const char *domain_sid;
361 const char *attrs[] = {"objectSid", NULL };
363 const char **domain_attrs = attrs;
367 DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
368 return NT_STATUS_ACCESS_DENIED;
371 if (!netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator)) {
372 return NT_STATUS_ACCESS_DENIED;
375 sam_ctx = samdb_connect();
376 if (sam_ctx == NULL) {
377 return NT_STATUS_INVALID_SYSTEM_SERVICE;
379 /* pull the user attributes */
380 num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
381 "(&(sAMAccountName=%s)(objectclass=user))",
382 pipe_state->account_name);
384 if (num_records == 0) {
385 DEBUG(3,("Couldn't find user [%s] in samdb.\n",
386 pipe_state->account_name));
387 samdb_close(sam_ctx);
388 return NT_STATUS_NO_SUCH_USER;
391 if (num_records > 1) {
392 DEBUG(1,("Found %d records matching user [%s]\n", num_records,
393 pipe_state->account_name));
394 samdb_close(sam_ctx);
395 return NT_STATUS_INTERNAL_DB_CORRUPTION;
398 domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid");
400 samdb_close(sam_ctx);
401 DEBUG(1,("no objectSid in user record\n"));
402 return NT_STATUS_INTERNAL_DB_CORRUPTION;
405 /* find the domain's DN */
406 num_records_domain = samdb_search(sam_ctx, mem_ctx, NULL,
407 &msgs_domain, domain_attrs,
408 "(&(objectSid=%s)(objectclass=domain))",
411 if (num_records_domain == 0) {
412 DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n",
414 samdb_close(sam_ctx);
415 return NT_STATUS_NO_SUCH_USER;
418 if (num_records_domain > 1) {
419 DEBUG(1,("Found %d records matching domain [%s]\n",
420 num_records_domain, domain_sid));
421 samdb_close(sam_ctx);
422 return NT_STATUS_INTERNAL_DB_CORRUPTION;
425 domain_dn = msgs_domain[0]->dn;
427 mod.dn = talloc_strdup(mem_ctx, msgs[0]->dn);
429 samdb_close(sam_ctx);
430 return NT_STATUS_NO_MEMORY;
433 creds_des_decrypt(pipe_state->creds, &r->in.new_password);
435 /* set the password - samdb needs to know both the domain and user DNs,
436 so the domain password policy can be used */
437 nt_status = samdb_set_password(sam_ctx, mem_ctx,
438 msgs[0]->dn, domain_dn,
440 NULL, /* Don't have plaintext */
441 NULL, &r->in.new_password,
442 False /* This is not considered a password change */,
445 if (!NT_STATUS_IS_OK(nt_status)) {
446 samdb_close(sam_ctx);
450 ret = samdb_replace(sam_ctx, mem_ctx, msg_set_pw);
452 /* we really need samdb.c to return NTSTATUS */
454 samdb_close(sam_ctx);
455 return NT_STATUS_UNSUCCESSFUL;
458 samdb_close(sam_ctx);
466 static WERROR netr_LogonUasLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
467 struct netr_LogonUasLogon *r)
469 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
476 static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
477 struct netr_LogonUasLogoff *r)
479 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
484 netr_LogonSamLogonWithFlags
487 static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
488 struct netr_LogonSamLogonWithFlags *r)
490 struct server_pipe_state *pipe_state = dce_call->conn->private;
492 struct auth_context *auth_context;
493 struct auth_usersupplied_info *user_info;
494 struct auth_serversupplied_info *server_info;
497 static const char zeros[16];
498 struct netr_SamInfo2 *sam2;
499 struct netr_SamInfo3 *sam;
502 DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
503 return NT_STATUS_ACCESS_DENIED;
506 r->out.return_authenticator = talloc_p(mem_ctx, struct netr_Authenticator);
507 if (!r->out.return_authenticator) {
508 return NT_STATUS_NO_MEMORY;
511 if (!netr_creds_server_step_check(pipe_state, r->in.credential, r->out.return_authenticator)) {
512 return NT_STATUS_ACCESS_DENIED;
515 switch (r->in.logon_level) {
518 creds_arcfour_crypt(pipe_state->creds,
519 r->in.logon.password->lmpassword.hash,
520 sizeof(r->in.logon.password->lmpassword.hash));
521 creds_arcfour_crypt(pipe_state->creds,
522 r->in.logon.password->ntpassword.hash,
523 sizeof(r->in.logon.password->ntpassword.hash));
525 nt_status = make_auth_context_subsystem(&auth_context);
526 if (!NT_STATUS_IS_OK(nt_status)) {
530 chal = auth_context->get_ntlm_challenge(auth_context);
531 nt_status = make_user_info_netlogon_interactive(&user_info,
532 r->in.logon.password->identity_info.account_name.string,
533 r->in.logon.password->identity_info.domain_name.string,
534 r->in.logon.password->identity_info.workstation.string,
536 &r->in.logon.password->lmpassword,
537 &r->in.logon.password->ntpassword);
542 nt_status = make_auth_context_fixed(&auth_context, r->in.logon.network->challenge);
543 if (!NT_STATUS_IS_OK(nt_status)) {
547 nt_status = make_user_info_netlogon_network(&user_info,
548 r->in.logon.network->identity_info.account_name.string,
549 r->in.logon.network->identity_info.domain_name.string,
550 r->in.logon.network->identity_info.workstation.string,
551 r->in.logon.network->lm.data, r->in.logon.network->lm.length,
552 r->in.logon.network->nt.data, r->in.logon.network->nt.length);
555 free_auth_context(&auth_context);
556 return NT_STATUS_INVALID_PARAMETER;
559 if (!NT_STATUS_IS_OK(nt_status)) {
563 nt_status = auth_context->check_ntlm_password(auth_context,
567 if (!NT_STATUS_IS_OK(nt_status)) {
568 free_auth_context(&auth_context);
571 free_auth_context(&auth_context);
573 sam = talloc_p(mem_ctx, struct netr_SamInfo3);
575 sam->last_logon = server_info->last_logon;
576 sam->last_logoff = server_info->last_logoff;
577 sam->acct_expiry = server_info->acct_expiry;
578 sam->last_password_change = server_info->last_password_change;
579 sam->allow_password_change = server_info->allow_password_change;
580 sam->force_password_change = server_info->force_password_change;
582 sam->account_name.string = talloc_strdup(mem_ctx, server_info->account_name);
583 sam->full_name.string = talloc_strdup(mem_ctx, server_info->full_name);
584 sam->logon_script.string = talloc_strdup(mem_ctx, server_info->account_name);
585 sam->profile_path.string = talloc_strdup(mem_ctx, server_info->profile_path);
586 sam->home_directory.string = talloc_strdup(mem_ctx, server_info->home_directory);
587 sam->home_drive.string = talloc_strdup(mem_ctx, server_info->home_drive);
589 sam->logon_count = server_info->logon_count;
590 sam->bad_password_count = sam->bad_password_count;
591 sam->rid = server_info->user_sid->sub_auths[server_info->user_sid->num_auths-1];
592 sam->primary_gid = server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1];
593 sam->group_count = 0;
594 sam->groupids = NULL;
596 sam->acct_flags = server_info->acct_flags;
598 sam->logon_server.string = lp_netbios_name();
600 sam->domain.string = talloc_strdup(mem_ctx, server_info->domain);
602 sam->domain_sid = dom_sid_dup(mem_ctx, server_info->user_sid);
603 sam->domain_sid->num_auths--;
605 sam->AccountControl = 0;
618 if (server_info->user_session_key.length == sizeof(sam->key.key)) {
619 memcpy(sam->key.key, server_info->user_session_key.data, sizeof(sam->key.key));
621 ZERO_STRUCT(sam->key.key);
624 /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
625 if (memcmp(sam->key.key, zeros,
626 sizeof(sam->key.key)) != 0) {
627 creds_arcfour_crypt(pipe_state->creds,
629 sizeof(sam->key.key));
632 if (server_info->lm_session_key.length == sizeof(sam->LMSessKey.key)) {
633 memcpy(sam->LMSessKey.key, server_info->lm_session_key.data,
634 sizeof(sam->LMSessKey.key));
636 ZERO_STRUCT(sam->LMSessKey.key);
639 /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
640 if (memcmp(sam->LMSessKey.key, zeros,
641 sizeof(sam->LMSessKey.key)) != 0) {
642 creds_arcfour_crypt(pipe_state->creds,
644 sizeof(sam->LMSessKey.key));
647 switch (r->in.validation_level) {
650 sam2 = talloc_p(mem_ctx, struct netr_SamInfo2);
651 r->out.validation.sam2 = sam2;
652 sam2->last_logon = sam->last_logon;
653 sam2->last_logoff = sam->last_logoff;
654 sam2->acct_expiry = sam->acct_expiry;
656 sam2->last_password_change = sam->last_password_change;
657 sam2->allow_password_change = sam->allow_password_change;
658 sam2->force_password_change = sam->force_password_change;
660 sam2->account_name = sam->account_name;
661 sam2->full_name = sam->full_name;
662 sam2->logon_script = sam->logon_script;
663 sam2->profile_path = sam->profile_path;
664 sam2->home_directory = sam->home_directory;
665 sam2->home_drive = sam->home_drive;
667 sam2->logon_count = sam->logon_count;
668 sam2->bad_password_count = sam->bad_password_count;
669 sam2->rid = sam->rid;
670 sam2->primary_gid = sam->primary_gid;
671 sam2->group_count = sam->group_count;
672 sam2->groupids = sam->groupids;
674 sam2->acct_flags = sam->acct_flags;
676 sam2->key = sam->key;
678 sam2->logon_server = sam->logon_server;
680 sam2->domain = sam->domain;
682 sam2->domain_sid = sam->domain_sid;
684 sam2->LMSessKey = sam->LMSessKey;
686 sam2->AccountControl = sam->AccountControl;
688 sam2->unknown1 = sam->unknown1;
689 sam2->unknown2 = sam->unknown2;
690 sam2->unknown3 = sam->unknown3;
691 sam2->unknown4 = sam->unknown4;
692 sam2->unknown5 = sam->unknown5;
693 sam2->unknown6 = sam->unknown6;
694 sam2->unknown7 = sam->unknown7;
700 r->out.validation.sam3 = sam;
707 r->out.authoritative = 1;
715 static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
716 struct netr_LogonSamLogon *r)
718 struct netr_LogonSamLogonWithFlags r2;
723 r2.in.server_name = r->in.server_name;
724 r2.in.workstation = r->in.workstation;
725 r2.in.credential = r->in.credential;
726 r2.in.return_authenticator = r->in.return_authenticator;
727 r2.in.logon_level = r->in.logon_level;
728 r2.in.logon = r->in.logon;
729 r2.in.validation_level = r->in.validation_level;
732 status = netr_LogonSamLogonWithFlags(dce_call, mem_ctx, &r2);
734 r->out.return_authenticator = r2.out.return_authenticator;
735 r->out.validation = r2.out.validation;
736 r->out.authoritative = r2.out.authoritative;
745 static NTSTATUS netr_LogonSamLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
746 struct netr_LogonSamLogoff *r)
748 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
756 static NTSTATUS netr_DatabaseDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
757 struct netr_DatabaseDeltas *r)
759 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
766 static NTSTATUS netr_DatabaseSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
767 struct netr_DatabaseSync *r)
769 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
776 static NTSTATUS netr_AccountDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
777 struct netr_AccountDeltas *r)
779 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
786 static NTSTATUS netr_AccountSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
787 struct netr_AccountSync *r)
789 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
796 static NTSTATUS netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
797 struct netr_GetDcName *r)
799 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
806 static WERROR netr_LogonControl(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
807 struct netr_LogonControl *r)
809 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
816 static WERROR netr_GetAnyDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
817 struct netr_GetAnyDCName *r)
819 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
826 static WERROR netr_LogonControl2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
827 struct netr_LogonControl2 *r)
829 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
836 static NTSTATUS netr_DatabaseSync2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
837 struct netr_DatabaseSync2 *r)
839 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
846 static NTSTATUS netr_DatabaseRedo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
847 struct netr_DatabaseRedo *r)
849 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
856 static WERROR netr_LogonControl2Ex(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
857 struct netr_LogonControl2Ex *r)
859 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
864 netr_NETRENUMERATETRUSTEDDOMAINS
866 static WERROR netr_NETRENUMERATETRUSTEDDOMAINS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
867 struct netr_NETRENUMERATETRUSTEDDOMAINS *r)
869 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
876 static WERROR netr_DSRGETDCNAME(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
877 struct netr_DSRGETDCNAME *r)
879 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
884 netr_NETRLOGONDUMMYROUTINE1
886 static WERROR netr_NETRLOGONDUMMYROUTINE1(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
887 struct netr_NETRLOGONDUMMYROUTINE1 *r)
889 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
894 netr_NETRLOGONSETSERVICEBITS
896 static WERROR netr_NETRLOGONSETSERVICEBITS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
897 struct netr_NETRLOGONSETSERVICEBITS *r)
899 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
904 netr_NETRLOGONGETTRUSTRID
906 static WERROR netr_NETRLOGONGETTRUSTRID(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
907 struct netr_NETRLOGONGETTRUSTRID *r)
909 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
914 netr_NETRLOGONCOMPUTESERVERDIGEST
916 static WERROR netr_NETRLOGONCOMPUTESERVERDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
917 struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
919 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
924 netr_NETRLOGONCOMPUTECLIENTDIGEST
926 static WERROR netr_NETRLOGONCOMPUTECLIENTDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
927 struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
929 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
936 static WERROR netr_DSRGETDCNAMEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
937 struct netr_DSRGETDCNAMEX *r)
939 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
946 static WERROR netr_DSRGETSITENAME(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
947 struct netr_DSRGETSITENAME *r)
949 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
954 fill in a netr_DomainTrustInfo from a ldb search result
956 static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message *res,
957 struct netr_DomainTrustInfo *info)
961 info->domainname.string = samdb_result_string(res, "flatName", NULL);
962 if (info->domainname.string == NULL) {
963 info->domainname.string = samdb_result_string(res, "name", NULL);
964 info->fulldomainname.string = samdb_result_string(res, "dnsDomain", NULL);
966 info->fulldomainname.string = samdb_result_string(res, "name", NULL);
969 /* TODO: we need proper forest support */
970 info->forest.string = info->fulldomainname.string;
972 info->guid = samdb_result_guid(res, "objectGUID");
973 info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid");
979 netr_LogonGetDomainInfo
980 this is called as part of the ADS domain logon procedure.
982 static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
983 struct netr_LogonGetDomainInfo *r)
985 struct server_pipe_state *pipe_state = dce_call->conn->private;
986 const char * const attrs[] = { "name", "dnsDomain", "objectSid",
987 "objectGUID", "flatName", NULL };
989 struct ldb_message **res1, **res2;
990 struct netr_DomainInfo1 *info1;
995 return NT_STATUS_ACCESS_DENIED;
998 if (!netr_creds_server_step_check(pipe_state,
999 r->in.credential, r->out.credential)) {
1000 return NT_STATUS_ACCESS_DENIED;
1003 sam_ctx = samdb_connect();
1004 if (sam_ctx == NULL) {
1005 return NT_STATUS_INVALID_SYSTEM_SERVICE;
1008 /* we need to do two searches. The first will pull our primary
1009 domain and the second will pull any trusted domains. Our
1010 primary domain is also a "trusted" domain, so we need to
1011 put the primary domain into the lists of returned trusts as
1013 ret1 = samdb_search(sam_ctx, mem_ctx, NULL, &res1, attrs, "(objectClass=domainDNS)");
1015 samdb_close(sam_ctx);
1016 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1019 ret2 = samdb_search(sam_ctx, mem_ctx, NULL, &res2, attrs, "(objectClass=trustedDomain)");
1021 samdb_close(sam_ctx);
1022 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1025 /* we don't need the db link any more */
1026 samdb_close(sam_ctx);
1028 info1 = talloc_p(mem_ctx, struct netr_DomainInfo1);
1029 if (info1 == NULL) {
1030 return NT_STATUS_NO_MEMORY;
1033 ZERO_STRUCTP(info1);
1035 info1->num_trusts = ret2 + 1;
1036 info1->trusts = talloc_array_p(mem_ctx, struct netr_DomainTrustInfo,
1038 if (info1->trusts == NULL) {
1039 return NT_STATUS_NO_MEMORY;
1042 status = fill_domain_trust_info(mem_ctx, res1[0], &info1->domaininfo);
1043 if (!NT_STATUS_IS_OK(status)) {
1047 status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[0]);
1048 if (!NT_STATUS_IS_OK(status)) {
1052 for (i=0;i<ret2;i++) {
1053 status = fill_domain_trust_info(mem_ctx, res2[i], &info1->trusts[i+1]);
1054 if (!NT_STATUS_IS_OK(status)) {
1059 r->out.info.info1 = info1;
1061 return NT_STATUS_OK;
1066 netr_NETRSERVERPASSWORDSET2
1068 static WERROR netr_NETRSERVERPASSWORDSET2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1069 struct netr_NETRSERVERPASSWORDSET2 *r)
1071 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1076 netr_NETRSERVERPASSWORDGET
1078 static WERROR netr_NETRSERVERPASSWORDGET(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1079 struct netr_NETRSERVERPASSWORDGET *r)
1081 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1086 netr_NETRLOGONSENDTOSAM
1088 static WERROR netr_NETRLOGONSENDTOSAM(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1089 struct netr_NETRLOGONSENDTOSAM *r)
1091 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1096 netr_DSRADDRESSTOSITENAMESW
1098 static WERROR netr_DSRADDRESSTOSITENAMESW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1099 struct netr_DSRADDRESSTOSITENAMESW *r)
1101 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1106 netr_DSRGETDCNAMEEX2
1108 static WERROR netr_DSRGETDCNAMEEX2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1109 struct netr_DSRGETDCNAMEEX2 *r)
1111 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1116 netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN
1118 static WERROR netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1119 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
1121 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1126 netr_NETRENUMERATETRUSTEDDOMAINSEX
1128 static WERROR netr_NETRENUMERATETRUSTEDDOMAINSEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1129 struct netr_NETRENUMERATETRUSTEDDOMAINSEX *r)
1131 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1136 netr_DSRADDRESSTOSITENAMESEXW
1138 static WERROR netr_DSRADDRESSTOSITENAMESEXW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1139 struct netr_DSRADDRESSTOSITENAMESEXW *r)
1141 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1146 netr_DSRGETDCSITECOVERAGEW
1148 static WERROR netr_DSRGETDCSITECOVERAGEW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1149 struct netr_DSRGETDCSITECOVERAGEW *r)
1151 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1156 netr_NETRLOGONSAMLOGONEX
1158 static WERROR netr_NETRLOGONSAMLOGONEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1159 struct netr_NETRLOGONSAMLOGONEX *r)
1161 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1166 netr_DsrEnumerateDomainTrusts
1168 static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1169 struct netr_DsrEnumerateDomainTrusts *r)
1171 struct netr_DomainTrust *trusts;
1174 struct ldb_message **res;
1175 const char * const attrs[] = { "name", "dnsDomain", "objectSid", "objectGUID", NULL };
1177 ZERO_STRUCT(r->out);
1179 sam_ctx = samdb_connect();
1180 if (sam_ctx == NULL) {
1181 return WERR_GENERAL_FAILURE;
1184 ret = samdb_search(sam_ctx, mem_ctx, NULL, &res, attrs, "(objectClass=domainDNS)");
1186 samdb_close(sam_ctx);
1187 return WERR_GENERAL_FAILURE;
1194 trusts = talloc_array_p(mem_ctx, struct netr_DomainTrust, ret);
1195 if (trusts == NULL) {
1200 r->out.trusts = trusts;
1202 /* TODO: add filtering by trust_flags, and correct trust_type
1204 for (i=0;i<ret;i++) {
1205 trusts[i].netbios_name = samdb_result_string(res[i], "name", NULL);
1206 trusts[i].dns_name = samdb_result_string(res[i], "dnsDomain", NULL);
1207 trusts[i].trust_flags =
1208 NETR_TRUST_FLAG_TREEROOT |
1209 NETR_TRUST_FLAG_IN_FOREST |
1210 NETR_TRUST_FLAG_PRIMARY;
1211 trusts[i].parent_index = 0;
1212 trusts[i].trust_type = 2;
1213 trusts[i].trust_attributes = 0;
1214 trusts[i].sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
1215 trusts[i].guid = samdb_result_guid(res[i], "objectGUID");
1224 netr_DSRDEREGISTERDNSHOSTRECORDS
1226 static WERROR netr_DSRDEREGISTERDNSHOSTRECORDS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1227 struct netr_DSRDEREGISTERDNSHOSTRECORDS *r)
1229 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1234 netr_NETRSERVERTRUSTPASSWORDSGET
1236 static WERROR netr_NETRSERVERTRUSTPASSWORDSGET(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1237 struct netr_NETRSERVERTRUSTPASSWORDSGET *r)
1239 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1244 netr_DSRGETFORESTTRUSTINFORMATION
1246 static WERROR netr_DSRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1247 struct netr_DSRGETFORESTTRUSTINFORMATION *r)
1249 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1254 netr_NETRGETFORESTTRUSTINFORMATION
1256 static WERROR netr_NETRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1257 struct netr_NETRGETFORESTTRUSTINFORMATION *r)
1259 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1264 netr_NETRSERVERGETTRUSTINFO
1266 static WERROR netr_NETRSERVERGETTRUSTINFO(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1267 struct netr_NETRSERVERGETTRUSTINFO *r)
1269 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1273 /* include the generated boilerplate */
1274 #include "librpc/gen_ndr/ndr_netlogon_s.c"