*/
#include "includes.h"
-#include "librpc/gen_ndr/ndr_netlogon.h"
#include "rpc_server/dcerpc_server.h"
#include "rpc_server/common/common.h"
-#include "librpc/gen_ndr/ndr_dcom.h"
-#include "auth/auth.h"
#include "lib/ldb/include/ldb.h"
+#include "auth/auth.h"
+#include "auth/auth_sam.h"
+#include "dsdb/samdb/samdb.h"
+#include "rpc_server/samr/proto.h"
+#include "db_wrap.h"
+#include "libcli/auth/libcli_auth.h"
+#include "auth/gensec/schannel_state.h"
+#include "libcli/security/security.h"
struct server_pipe_state {
struct netr_Credential client_challenge;
struct netr_Credential server_challenge;
- struct creds_CredentialState *creds;
};
-/*
- a client has connected to the netlogon server using schannel, so we need
- to re-establish the credentials state
-*/
-static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call)
-{
- struct server_pipe_state *state;
- NTSTATUS status;
-
- /* We want the client and server challenge zero */
- state = talloc_zero(dce_call->conn, struct server_pipe_state);
- if (state == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- status = dcerpc_schannel_creds(dce_call->conn->auth_state.gensec_security,
- state,
- &state->creds);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(3, ("getting schannel credentials failed with %s\n", nt_errstr(status)));
- talloc_free(state);
- return status;
- }
-
- dce_call->context->private = state;
-
- return NT_STATUS_OK;
-}
-
-/*
- a hook for bind on the netlogon pipe
-*/
-static NTSTATUS netlogon_bind(struct dcesrv_call_state *dce_call, const struct dcesrv_interface *di)
-{
- dce_call->context->private = NULL;
-
- /* if this is a schannel bind then we need to reconstruct the pipe state */
- if (dce_call->conn->auth_state.auth_info &&
- dce_call->conn->auth_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
- NTSTATUS status;
-
- DEBUG(5, ("schannel bind on netlogon\n"));
-
- status = netlogon_schannel_setup(dce_call);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(3, ("schannel bind on netlogon failed with %s\n", nt_errstr(status)));
- return status;
- }
- }
-
- return NT_STATUS_OK;
-}
-
-#define DCESRV_INTERFACE_NETLOGON_BIND netlogon_bind
-
static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_ServerReqChallenge *r)
{
}
pipe_state = talloc(dce_call->context, struct server_pipe_state);
- if (!pipe_state) {
- return NT_STATUS_NO_MEMORY;
- }
-
- pipe_state->creds = NULL;
+ NT_STATUS_HAVE_NO_MEMORY(pipe_state);
pipe_state->client_challenge = *r->in.credentials;
struct netr_ServerAuthenticate3 *r)
{
struct server_pipe_state *pipe_state = dce_call->context->private;
+ struct creds_CredentialState *creds;
void *sam_ctx;
struct samr_Password *mach_pwd;
uint16_t acct_flags;
int num_records;
struct ldb_message **msgs;
NTSTATUS nt_status;
- const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash", "userAccountControl",
+ const char *attrs[] = {"ntPwdHash", "userAccountControl",
"objectSid", NULL};
ZERO_STRUCTP(r->out.credentials);
return NT_STATUS_ACCESS_DENIED;
}
- sam_ctx = samdb_connect(mem_ctx);
+ sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
if (num_records == 0) {
DEBUG(3,("Couldn't find user [%s] in samdb.\n",
r->in.account_name));
- return NT_STATUS_NO_SUCH_USER;
+ return NT_STATUS_ACCESS_DENIED;
}
if (num_records > 1) {
return NT_STATUS_ACCESS_DENIED;
}
+ *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
+ "objectSid", 0);
- *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0], "objectSid", 0);
-
- nt_status = samdb_result_passwords(mem_ctx, msgs[0], NULL, &mach_pwd);
- if (!NT_STATUS_IS_OK(nt_status) || mach_pwd == NULL) {
+ mach_pwd = samdb_result_hash(mem_ctx, msgs[0], "ntPwdHash");
+ if (mach_pwd == NULL) {
return NT_STATUS_ACCESS_DENIED;
}
- if (pipe_state->creds) {
- talloc_free(pipe_state->creds);
- }
- pipe_state->creds = talloc(pipe_state, struct creds_CredentialState);
- if (!pipe_state->creds) {
- return NT_STATUS_NO_MEMORY;
- }
+ creds = talloc(mem_ctx, struct creds_CredentialState);
+ NT_STATUS_HAVE_NO_MEMORY(creds);
- creds_server_init(pipe_state->creds, &pipe_state->client_challenge,
+ creds_server_init(creds, &pipe_state->client_challenge,
&pipe_state->server_challenge, mach_pwd,
r->out.credentials,
*r->in.negotiate_flags);
- if (!creds_server_check(pipe_state->creds, r->in.credentials)) {
- talloc_free(pipe_state->creds);
- pipe_state->creds = NULL;
+ if (!creds_server_check(creds, r->in.credentials)) {
+ talloc_free(creds);
return NT_STATUS_ACCESS_DENIED;
}
- pipe_state->creds->account_name = talloc_reference(pipe_state->creds, r->in.account_name);
+ creds->account_name = talloc_steal(creds, r->in.account_name);
- pipe_state->creds->computer_name = talloc_reference(pipe_state->creds, r->in.computer_name);
+ creds->computer_name = talloc_steal(creds, r->in.computer_name);
+ creds->domain = talloc_strdup(creds, lp_workgroup());
- pipe_state->creds->secure_channel_type = r->in.secure_channel_type;
+ creds->secure_channel_type = r->in.secure_channel_type;
- pipe_state->creds->rid = *r->out.rid;
+ creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
- pipe_state->creds->domain = talloc_strdup(pipe_state->creds, lp_workgroup());
/* remember this session key state */
- nt_status = schannel_store_session_key(mem_ctx, pipe_state->creds);
+ nt_status = schannel_store_session_key(mem_ctx, creds);
return nt_status;
}
return netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
}
+/*
+ Validate an incoming authenticator against the credentials for the remote machine.
+
+ The credentials are (re)read and from the schannel database, and
+ written back after the caclulations are performed.
-static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_state,
+ The creds_out parameter (if not NULL) returns the credentials, if
+ the caller needs some of that information.
+
+*/
+static NTSTATUS netr_creds_server_step_check(const char *computer_name,
+ TALLOC_CTX *mem_ctx,
struct netr_Authenticator *received_authenticator,
- struct netr_Authenticator *return_authenticator)
+ struct netr_Authenticator *return_authenticator,
+ struct creds_CredentialState **creds_out)
{
- if (!pipe_state) {
- DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
+ struct creds_CredentialState *creds;
+ NTSTATUS nt_status;
+ struct ldb_context *ldb;
+ int ret;
+
+ ldb = schannel_db_connect(mem_ctx);
+ if (!ldb) {
return NT_STATUS_ACCESS_DENIED;
}
- return creds_server_step_check(pipe_state->creds,
- received_authenticator,
- return_authenticator);
+ ret = ldb_transaction_start(ldb);
+ if (ret != 0) {
+ talloc_free(ldb);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ /* Because this is a shared structure (even across
+ * disconnects) we must update the database every time we
+ * update the structure */
+
+ nt_status = schannel_fetch_session_key_ldb(ldb, ldb, computer_name, lp_workgroup(),
+ &creds);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ nt_status = creds_server_step_check(creds,
+ received_authenticator,
+ return_authenticator);
+ }
+ if (NT_STATUS_IS_OK(nt_status)) {
+ nt_status = schannel_store_session_key_ldb(ldb, ldb, creds);
+ }
+
+ if (NT_STATUS_IS_OK(nt_status)) {
+ ldb_transaction_commit(ldb);
+ if (creds_out) {
+ *creds_out = creds;
+ talloc_steal(mem_ctx, creds);
+ }
+ } else {
+ ldb_transaction_cancel(ldb);
+ }
+ talloc_free(ldb);
+ return nt_status;
}
+/*
+ Change the machine account password for the currently connected
+ client. Supplies only the NT#.
+*/
static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_ServerPasswordSet *r)
{
- struct server_pipe_state *pipe_state = dce_call->context->private;
-
- void *sam_ctx;
- int num_records;
- int num_records_domain;
- int ret;
- struct ldb_message **msgs;
- struct ldb_message **msgs_domain;
+ struct creds_CredentialState *creds;
+ struct ldb_context *sam_ctx;
NTSTATUS nt_status;
- struct ldb_message *mod;
- struct dom_sid *domain_sid;
-
- const char *attrs[] = {"objectSid", NULL };
-
- const char **domain_attrs = attrs;
- nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator);
+ nt_status = netr_creds_server_step_check(r->in.computer_name, mem_ctx,
+ &r->in.credential, &r->out.return_authenticator,
+ &creds);
NT_STATUS_NOT_OK_RETURN(nt_status);
- sam_ctx = samdb_connect(mem_ctx);
+ sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
- /* pull the user attributes */
- num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
- "(&(sAMAccountName=%s)(objectclass=user))",
- pipe_state->creds->account_name);
- if (num_records == -1) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
- if (num_records == 0) {
- DEBUG(3,("Couldn't find user [%s] in samdb.\n",
- pipe_state->creds->account_name));
- return NT_STATUS_NO_SUCH_USER;
- }
+ creds_des_decrypt(creds, &r->in.new_password);
- if (num_records > 1) {
- DEBUG(0,("Found %d records matching user [%s]\n", num_records,
- pipe_state->creds->account_name));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
+ /* Using the sid for the account as the key, set the password */
+ nt_status = samdb_set_password_sid(sam_ctx, mem_ctx,
+ creds->sid,
+ NULL, /* Don't have plaintext */
+ NULL, &r->in.new_password,
+ False, /* This is not considered a password change */
+ False, /* don't restrict this password change (match w2k3) */
+ NULL, NULL);
+ return nt_status;
+}
- domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid");
- if (!domain_sid) {
- DEBUG(0,("no objectSid in user record\n"));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
+/*
+ Change the machine account password for the currently connected
+ client. Supplies new plaintext.
+*/
+static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct netr_ServerPasswordSet2 *r)
+{
+ struct creds_CredentialState *creds;
+ struct ldb_context *sam_ctx;
+ NTSTATUS nt_status;
+ char new_pass[512];
+ uint32_t new_pass_len;
+ BOOL ret;
- /* find the domain's DN */
- num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL,
- &msgs_domain, domain_attrs,
- "(&(objectSid=%s)(objectclass=domain))",
- ldap_encode_ndr_dom_sid(mem_ctx, domain_sid));
- if (num_records_domain == -1) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
+ struct samr_CryptPassword password_buf;
- if (num_records_domain == 0) {
- DEBUG(3,("Couldn't find domain [%s] in samdb.\n",
- dom_sid_string(mem_ctx, domain_sid)));
- return NT_STATUS_NO_SUCH_USER;
- }
+ nt_status = netr_creds_server_step_check(r->in.computer_name, mem_ctx,
+ &r->in.credential, &r->out.return_authenticator,
+ &creds);
+ NT_STATUS_NOT_OK_RETURN(nt_status);
- if (num_records_domain > 1) {
- DEBUG(0,("Found %d records matching domain [%s]\n",
- num_records_domain, dom_sid_string(mem_ctx, domain_sid)));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
+ if (sam_ctx == NULL) {
+ return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
- mod = talloc_zero(mem_ctx, struct ldb_message);
- NT_STATUS_HAVE_NO_MEMORY(mod);
- mod->dn = talloc_reference(mod, msgs[0]->dn);
-
- creds_des_decrypt(pipe_state->creds, &r->in.new_password);
-
- /* set the password - samdb needs to know both the domain and user DNs,
- so the domain password policy can be used */
- nt_status = samdb_set_password(sam_ctx, mod,
- msgs[0]->dn,
- msgs_domain[0]->dn,
- mod,
- NULL, /* Don't have plaintext */
- NULL, &r->in.new_password,
- False, /* This is not considered a password change */
- False, /* don't restrict this password change (match w2k3) */
- NULL);
- NT_STATUS_NOT_OK_RETURN(nt_status);
+ memcpy(password_buf.data, r->in.new_password.data, 512);
+ SIVAL(password_buf.data,512,r->in.new_password.length);
+ creds_arcfour_crypt(creds, password_buf.data, 516);
- ret = samdb_replace(sam_ctx, mem_ctx, mod);
- if (ret != 0) {
- /* we really need samdb.c to return NTSTATUS */
- return NT_STATUS_UNSUCCESSFUL;
+ ret = decode_pw_buffer(password_buf.data, new_pass, sizeof(new_pass),
+ &new_pass_len, STR_UNICODE);
+ if (!ret) {
+ DEBUG(3,("netr_ServerPasswordSet2: failed to decode password buffer\n"));
+ return NT_STATUS_ACCESS_DENIED;
}
- return NT_STATUS_OK;
+ /* Using the sid for the account as the key, set the password */
+ nt_status = samdb_set_password_sid(sam_ctx, mem_ctx,
+ creds->sid,
+ new_pass, /* we have plaintext */
+ NULL, NULL,
+ False, /* This is not considered a password change */
+ False, /* don't restrict this password change (match w2k3) */
+ NULL, NULL);
+ return nt_status;
}
/*
- netr_LogonSamLogonWithFlags
+ netr_LogonSamLogon_base
This version of the function allows other wrappers to say 'do not check the credentials'
+
+ We can't do the traditional 'wrapping' format completly, as this function must only run under schannel
*/
-static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct netr_LogonSamLogonEx *r)
+static NTSTATUS netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct netr_LogonSamLogonEx *r, struct creds_CredentialState *creds)
{
- struct server_pipe_state *pipe_state = dce_call->context->private;
-
struct auth_context *auth_context;
struct auth_usersupplied_info *user_info;
struct auth_serversupplied_info *server_info;
struct netr_SamInfo6 *sam6;
user_info = talloc(mem_ctx, struct auth_usersupplied_info);
- if (!user_info) {
- return NT_STATUS_NO_MEMORY;
- }
+ NT_STATUS_HAVE_NO_MEMORY(user_info);
user_info->flags = 0;
user_info->mapped_state = False;
case 1:
case 3:
case 5:
- if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- creds_arcfour_crypt(pipe_state->creds,
+ if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ creds_arcfour_crypt(creds,
r->in.logon.password->lmpassword.hash,
sizeof(r->in.logon.password->lmpassword.hash));
- creds_arcfour_crypt(pipe_state->creds,
+ creds_arcfour_crypt(creds,
r->in.logon.password->ntpassword.hash,
sizeof(r->in.logon.password->ntpassword.hash));
} else {
- creds_des_decrypt(pipe_state->creds, &r->in.logon.password->lmpassword);
- creds_des_decrypt(pipe_state->creds, &r->in.logon.password->ntpassword);
+ creds_des_decrypt(creds, &r->in.logon.password->lmpassword);
+ creds_des_decrypt(creds, &r->in.logon.password->ntpassword);
}
/* TODO: we need to deny anonymous access here */
- nt_status = auth_context_create(mem_ctx, lp_auth_methods(), &auth_context,
- dce_call->event_ctx);
+ nt_status = auth_context_create(mem_ctx, lp_auth_methods(),
+ dce_call->event_ctx, dce_call->msg_ctx,
+ &auth_context);
NT_STATUS_NOT_OK_RETURN(nt_status);
- user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
- user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
- user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;
+ user_info->logon_parameters = r->in.logon.password->identity_info.parameter_control;
+ user_info->client.account_name = r->in.logon.password->identity_info.account_name.string;
+ user_info->client.domain_name = r->in.logon.password->identity_info.domain_name.string;
+ user_info->workstation_name = r->in.logon.password->identity_info.workstation.string;
+ user_info->flags |= USER_INFO_INTERACTIVE_LOGON;
user_info->password_state = AUTH_PASSWORD_HASH;
+
user_info->password.hash.lanman = talloc(user_info, struct samr_Password);
- if (!user_info->password.hash.lanman) {
- return NT_STATUS_NO_MEMORY;
- }
+ NT_STATUS_HAVE_NO_MEMORY(user_info->password.hash.lanman);
*user_info->password.hash.lanman = r->in.logon.password->lmpassword;
user_info->password.hash.nt = talloc(user_info, struct samr_Password);
- if (!user_info->password.hash.nt) {
- return NT_STATUS_NO_MEMORY;
- }
+ NT_STATUS_HAVE_NO_MEMORY(user_info->password.hash.nt);
*user_info->password.hash.nt = r->in.logon.password->ntpassword;
- break;
+
+ break;
case 2:
case 6:
/* TODO: we need to deny anonymous access here */
- nt_status = auth_context_create(mem_ctx, lp_auth_methods(), &auth_context,
- dce_call->event_ctx);
+ nt_status = auth_context_create(mem_ctx, lp_auth_methods(),
+ dce_call->event_ctx, dce_call->msg_ctx,
+ &auth_context);
NT_STATUS_NOT_OK_RETURN(nt_status);
nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags");
NT_STATUS_NOT_OK_RETURN(nt_status);
+ user_info->logon_parameters = r->in.logon.network->identity_info.parameter_control;
user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;
user_info->password_state = AUTH_PASSWORD_RESPONSE;
- user_info->password.response.lanman = data_blob(r->in.logon.network->lm.data, r->in.logon.network->lm.length);
- user_info->password.response.nt = data_blob(r->in.logon.network->nt.data, r->in.logon.network->nt.length);
+ user_info->password.response.lanman = data_blob_talloc(mem_ctx, r->in.logon.network->lm.data, r->in.logon.network->lm.length);
+ user_info->password.response.nt = data_blob_talloc(mem_ctx, r->in.logon.network->nt.data, r->in.logon.network->nt.length);
break;
default:
NT_STATUS_NOT_OK_RETURN(nt_status);
nt_status = auth_convert_server_info_sambaseinfo(mem_ctx, server_info, &sam);
-
NT_STATUS_NOT_OK_RETURN(nt_status);
/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
/* It appears that level 6 is not individually encrypted */
- if ((r->in.validation_level != 6)
- && memcmp(sam->key.key, zeros,
- sizeof(sam->key.key)) != 0) {
-
+ if ((r->in.validation_level != 6) &&
+ memcmp(sam->key.key, zeros, sizeof(sam->key.key)) != 0) {
/* This key is sent unencrypted without the ARCFOUR flag set */
- if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- creds_arcfour_crypt(pipe_state->creds,
+ if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ creds_arcfour_crypt(creds,
sam->key.key,
sizeof(sam->key.key));
}
/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
/* It appears that level 6 is not individually encrypted */
- if ((r->in.validation_level != 6)
- && memcmp(sam->LMSessKey.key, zeros,
- sizeof(sam->LMSessKey.key)) != 0) {
- if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- creds_arcfour_crypt(pipe_state->creds,
+ if ((r->in.validation_level != 6) &&
+ memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) {
+ if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ creds_arcfour_crypt(creds,
sam->LMSessKey.key,
sizeof(sam->LMSessKey.key));
} else {
- creds_des_encrypt_LMKey(pipe_state->creds,
+ creds_des_encrypt_LMKey(creds,
&sam->LMSessKey);
}
}
return NT_STATUS_OK;
}
+static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct netr_LogonSamLogonEx *r)
+{
+ NTSTATUS nt_status;
+ struct creds_CredentialState *creds;
+ nt_status = schannel_fetch_session_key(mem_ctx, r->in.computer_name, lp_workgroup(), &creds);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ if (!dce_call->conn->auth_state.auth_info ||
+ dce_call->conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ return netr_LogonSamLogon_base(dce_call, mem_ctx, r, creds);
+}
+
/*
netr_LogonSamLogonWithFlags
static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_LogonSamLogonWithFlags *r)
{
- struct server_pipe_state *pipe_state = dce_call->context->private;
NTSTATUS nt_status;
+ struct creds_CredentialState *creds;
struct netr_LogonSamLogonEx r2;
struct netr_Authenticator *return_authenticator;
return_authenticator = talloc(mem_ctx, struct netr_Authenticator);
NT_STATUS_HAVE_NO_MEMORY(return_authenticator);
- nt_status = netr_creds_server_step_check(pipe_state, r->in.credential, return_authenticator);
+ nt_status = netr_creds_server_step_check(r->in.computer_name, mem_ctx,
+ r->in.credential, return_authenticator,
+ &creds);
NT_STATUS_NOT_OK_RETURN(nt_status);
ZERO_STRUCT(r2);
r2.in.server_name = r->in.server_name;
- r2.in.workstation = r->in.workstation;
+ r2.in.computer_name = r->in.computer_name;
r2.in.logon_level = r->in.logon_level;
r2.in.logon = r->in.logon;
r2.in.validation_level = r->in.validation_level;
r2.in.flags = r->in.flags;
- nt_status = netr_LogonSamLogonEx(dce_call, mem_ctx, &r2);
+ nt_status = netr_LogonSamLogon_base(dce_call, mem_ctx, &r2, creds);
r->out.return_authenticator = return_authenticator;
r->out.validation = r2.out.validation;
ZERO_STRUCT(r2);
r2.in.server_name = r->in.server_name;
- r2.in.workstation = r->in.workstation;
+ r2.in.computer_name = r->in.computer_name;
r2.in.credential = r->in.credential;
r2.in.return_authenticator = r->in.return_authenticator;
r2.in.logon_level = r->in.logon_level;
static NTSTATUS netr_AccountDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_AccountDeltas *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ /* w2k3 returns "NOT IMPLEMENTED" for this call */
+ return NT_STATUS_NOT_IMPLEMENTED;
}
static NTSTATUS netr_AccountSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_AccountSync *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ /* w2k3 returns "NOT IMPLEMENTED" for this call */
+ return NT_STATUS_NOT_IMPLEMENTED;
}
}
-/*
- netr_DSRGETDCNAME
-*/
-static WERROR netr_DSRGETDCNAME(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct netr_DSRGETDCNAME *r)
-{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-
/*
netr_NETRLOGONDUMMYROUTINE1
*/
}
-/*
- netr_DSRGETDCNAMEX
-*/
-static WERROR netr_DSRGETDCNAMEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct netr_DSRGETDCNAMEX *r)
-{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
/*
- netr_DSRGETSITENAME
+ netr_DsRGetSiteName
*/
-static WERROR netr_DSRGETSITENAME(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct netr_DSRGETSITENAME *r)
+static WERROR netr_DsRGetSiteName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct netr_DsRGetSiteName *r)
{
DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
}
/*
fill in a netr_DomainTrustInfo from a ldb search result
*/
-static NTSTATUS fill_domain_primary_info(TALLOC_CTX *mem_ctx, struct ldb_message *res,
- struct netr_DomainTrustInfo *info,
- const char *local_domain)
-{
- ZERO_STRUCTP(info);
-
- info->domainname.string = local_domain;
- info->fulldomainname.string = talloc_asprintf(info, "%s.", samdb_result_string(res, "dnsDomain", NULL));
- /* TODO: we need proper forest support */
- info->forest.string = info->fulldomainname.string;
- info->guid = samdb_result_guid(res, "objectGUID");
- info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid");
-
- return NT_STATUS_OK;
-}
-
-/*
- fill in a netr_DomainTrustInfo from a ldb search result
-*/
-static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message *res,
+static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx,
+ struct ldb_message *res,
+ struct ldb_message *ref_res,
struct netr_DomainTrustInfo *info,
- const char *local_domain, BOOL is_local)
+ BOOL is_local)
{
ZERO_STRUCTP(info);
if (is_local) {
- info->domainname.string = local_domain;
- info->fulldomainname.string = samdb_result_string(res, "dnsDomain", NULL);
+ info->domainname.string = samdb_result_string(ref_res, "nETBIOSName", NULL);
+ info->fulldomainname.string = samdb_result_string(ref_res, "dnsRoot", NULL);
info->forest.string = NULL;
info->guid = samdb_result_guid(res, "objectGUID");
info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid");
} else {
info->domainname.string = samdb_result_string(res, "flatName", NULL);
- info->fulldomainname.string = samdb_result_string(res, "name", NULL);
+ info->fulldomainname.string = samdb_result_string(res, "trustPartner", NULL);
info->forest.string = NULL;
info->guid = samdb_result_guid(res, "objectGUID");
info->sid = samdb_result_dom_sid(mem_ctx, res, "securityIdentifier");
static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_LogonGetDomainInfo *r)
{
- struct server_pipe_state *pipe_state = dce_call->context->private;
- const char * const attrs[] = { "dnsDomain", "objectSid",
+ const char * const attrs[] = { "objectSid",
"objectGUID", "flatName", "securityIdentifier",
- NULL };
- const char * const ref_attrs[] = { "nETBIOSName", NULL };
+ "trustPartner", NULL };
+ const char * const ref_attrs[] = { "nETBIOSName", "dnsRoot", NULL };
struct ldb_context *sam_ctx;
struct ldb_message **res1, **res2, **ref_res;
struct netr_DomainInfo1 *info1;
int ret, ret1, ret2, i;
NTSTATUS status;
+ struct ldb_dn *partitions_basedn;
const char *local_domain;
- status = netr_creds_server_step_check(pipe_state,
- r->in.credential, r->out.return_authenticator);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ status = netr_creds_server_step_check(r->in.computer_name, mem_ctx,
+ r->in.credential,
+ r->out.return_authenticator,
+ NULL);
+ NT_STATUS_NOT_OK_RETURN(status);
- sam_ctx = samdb_connect(mem_ctx);
+ sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info);
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
+ partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx);
+
/* we need to do two searches. The first will pull our primary
domain and the second will pull any trusted domains. Our
primary domain is also a "trusted" domain, so we need to
put the primary domain into the lists of returned trusts as
well */
- ret1 = gendb_search(sam_ctx, mem_ctx, NULL, &res1, attrs, "(objectClass=domainDNS)");
+ ret1 = gendb_search_dn(sam_ctx, mem_ctx, samdb_base_dn(sam_ctx), &res1, attrs);
if (ret1 != 1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
/* try and find the domain */
- ret = gendb_search(sam_ctx, mem_ctx, NULL,
+ ret = gendb_search(sam_ctx, mem_ctx, partitions_basedn,
&ref_res, ref_attrs,
"(&(objectClass=crossRef)(ncName=%s))",
- ldb_dn_linearize(mem_ctx, res1[0]->dn));
+ ldb_dn_get_linearized(res1[0]->dn));
if (ret != 1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
}
info1 = talloc(mem_ctx, struct netr_DomainInfo1);
- if (info1 == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ NT_STATUS_HAVE_NO_MEMORY(info1);
ZERO_STRUCTP(info1);
info1->num_trusts = ret2 + 1;
info1->trusts = talloc_array(mem_ctx, struct netr_DomainTrustInfo,
info1->num_trusts);
- if (info1->trusts == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ NT_STATUS_HAVE_NO_MEMORY(info1->trusts);
- status = fill_domain_primary_info(mem_ctx, res1[0], &info1->domaininfo, local_domain);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ status = fill_domain_trust_info(mem_ctx, res1[0], ref_res[0], &info1->domaininfo, True);
+ NT_STATUS_NOT_OK_RETURN(status);
for (i=0;i<ret2;i++) {
- status = fill_domain_trust_info(mem_ctx, res2[i], &info1->trusts[i], NULL, False);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ status = fill_domain_trust_info(mem_ctx, res2[i], NULL, &info1->trusts[i], False);
+ NT_STATUS_NOT_OK_RETURN(status);
}
- status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[i], local_domain, True);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ status = fill_domain_trust_info(mem_ctx, res1[0], ref_res[0], &info1->trusts[i], True);
+ NT_STATUS_NOT_OK_RETURN(status);
r->out.info.info1 = info1;
}
-/*
- netr_ServerPasswordSet2
-*/
-static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct netr_ServerPasswordSet2 *r)
-{
- struct server_pipe_state *pipe_state = dce_call->context->private;
-
- void *sam_ctx;
- int num_records;
- int num_records_domain;
- int ret;
- struct ldb_message **msgs;
- struct ldb_message **msgs_domain;
- NTSTATUS nt_status;
- struct ldb_message *mod;
- struct dom_sid *domain_sid;
- char new_pass[512];
- uint32_t new_pass_len;
-
- struct samr_CryptPassword password_buf;
-
- const char *attrs[] = {"objectSid", NULL };
-
- const char **domain_attrs = attrs;
-
- nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator);
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
- sam_ctx = samdb_connect(mem_ctx);
- if (sam_ctx == NULL) {
- return NT_STATUS_INVALID_SYSTEM_SERVICE;
- }
- /* pull the user attributes */
- num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
- "(&(sAMAccountName=%s)(objectclass=user))",
- pipe_state->creds->account_name);
- if (num_records == -1) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
-
- if (num_records == 0) {
- DEBUG(3,("Couldn't find user [%s] in samdb.\n",
- pipe_state->creds->account_name));
- return NT_STATUS_NO_SUCH_USER;
- }
-
- if (num_records > 1) {
- DEBUG(0,("Found %d records matching user [%s]\n", num_records,
- pipe_state->creds->account_name));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
-
- domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid");
- if (!domain_sid) {
- DEBUG(0,("no objectSid in user record\n"));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
-
- /* find the domain's DN */
- num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL,
- &msgs_domain, domain_attrs,
- "(&(objectSid=%s)(objectclass=domain))",
- ldap_encode_ndr_dom_sid(mem_ctx, domain_sid));
- if (num_records_domain == -1) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
-
- if (num_records_domain == 0) {
- DEBUG(3,("Couldn't find domain [%s] in samdb.\n",
- ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)));
- return NT_STATUS_NO_SUCH_USER;
- }
-
- if (num_records_domain > 1) {
- DEBUG(0,("Found %d records matching domain [%s]\n",
- num_records_domain,
- ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
-
- mod = talloc_zero(mem_ctx, struct ldb_message);
- NT_STATUS_HAVE_NO_MEMORY(mod);
- mod->dn = talloc_reference(mod, msgs[0]->dn);
-
- memcpy(password_buf.data, r->in.new_password.data, 512);
- SIVAL(password_buf.data,512,r->in.new_password.length);
- creds_arcfour_crypt(pipe_state->creds, password_buf.data, 516);
-
- ret = decode_pw_buffer(password_buf.data, new_pass, sizeof(new_pass),
- &new_pass_len, STR_UNICODE);
- if (!ret) {
- DEBUG(3,("netr_ServerPasswordSet2: failed to decode password buffer\n"));
- return NT_STATUS_ACCESS_DENIED;
- }
-
- /* set the password - samdb needs to know both the domain and user DNs,
- so the domain password policy can be used */
- nt_status = samdb_set_password(sam_ctx, mod,
- msgs[0]->dn,
- msgs_domain[0]->dn,
- mod, new_pass, /* we have plaintext */
- NULL, NULL,
- False, /* This is not considered a password change */
- False, /* don't restrict this password change (match w2k3) */
- NULL);
- ZERO_STRUCT(new_pass);
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
- ret = samdb_replace(sam_ctx, mem_ctx, mod);
- if (ret != 0) {
- /* we really need samdb.c to return NTSTATUS */
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- return NT_STATUS_OK;
-}
-
/*
netr_NETRSERVERPASSWORDGET
/*
- netr_DrsGetDCNameEx2
+ netr_DsRGetDCNameEx2
*/
-static WERROR netr_DrsGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct netr_DrsGetDCNameEx2 *r)
+static WERROR netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct netr_DsRGetDCNameEx2 *r)
{
const char * const attrs[] = { "dnsDomain", "objectGUID", NULL };
void *sam_ctx;
ZERO_STRUCT(r->out);
- sam_ctx = samdb_connect(mem_ctx);
+ sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info);
if (sam_ctx == NULL) {
return WERR_DS_SERVICE_UNAVAILABLE;
}
return WERR_NO_SUCH_DOMAIN;
}
- r->out.info = talloc(mem_ctx, struct netr_DrsGetDCNameEx2Info);
- if (!r->out.info) {
- return WERR_NOMEM;
- }
+ r->out.info = talloc(mem_ctx, struct netr_DsRGetDCNameInfo);
+ W_ERROR_HAVE_NO_MEMORY(r->out.info);
/* TODO: - return real IP address
* - check all r->in.* parameters (server_unc is ignored by w2k3!)
*/
r->out.info->dc_unc = talloc_asprintf(mem_ctx, "\\\\%s.%s", lp_netbios_name(),lp_realm());
- r->out.info->dc_address = talloc_strdup(mem_ctx, "\\\\0.0.0.0");
+ W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_unc);
+ r->out.info->dc_address = talloc_strdup(mem_ctx, "\\\\0.0.0.0");
+ W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_address);
r->out.info->dc_address_type = 1;
r->out.info->domain_guid = samdb_result_guid(res[0], "objectGUID");
r->out.info->domain_name = samdb_result_string(res[0], "dnsDomain", NULL);
r->out.info->forest_name = samdb_result_string(res[0], "dnsDomain", NULL);
r->out.info->dc_flags = 0xE00001FD;
r->out.info->dc_site_name = talloc_strdup(mem_ctx, "Default-First-Site-Name");
+ W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_site_name);
r->out.info->client_site_name = talloc_strdup(mem_ctx, "Default-First-Site-Name");
+ W_ERROR_HAVE_NO_MEMORY(r->out.info->client_site_name);
return WERR_OK;
}
+/*
+ netr_DsRGetDCNameEx
+*/
+static WERROR netr_DsRGetDCNameEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct netr_DsRGetDCNameEx *r)
+{
+ struct netr_DsRGetDCNameEx2 r2;
+ WERROR werr;
+
+ ZERO_STRUCT(r2);
+
+ r2.in.server_unc = r->in.server_unc;
+ r2.in.client_account = NULL;
+ r2.in.mask = 0;
+ r2.in.domain_guid = r->in.domain_guid;
+ r2.in.domain_name = r->in.domain_name;
+ r2.in.site_name = r->in.site_name;
+ r2.in.flags = r->in.flags;
+ r2.out.info = NULL;
+
+ werr = netr_DsRGetDCNameEx2(dce_call, mem_ctx, &r2);
+
+ r->out.info = r2.out.info;
+
+ return werr;
+}
+
+/*
+ netr_DsRGetDCName
+*/
+static WERROR netr_DsRGetDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct netr_DsRGetDCName *r)
+{
+ struct netr_DsRGetDCNameEx2 r2;
+ WERROR werr;
+
+ ZERO_STRUCT(r2);
+
+ r2.in.server_unc = r->in.server_unc;
+ r2.in.client_account = NULL;
+ r2.in.mask = 0;
+ r2.in.domain_name = r->in.domain_name;
+ r2.in.domain_guid = r->in.domain_guid;
+
+ r2.in.site_name = NULL; /* should fill in from site GUID */
+ r2.in.flags = r->in.flags;
+ r2.out.info = NULL;
+
+ werr = netr_DsRGetDCNameEx2(dce_call, mem_ctx, &r2);
+
+ r->out.info = r2.out.info;
+
+ return werr;
+}
/*
netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN
void *sam_ctx;
int ret;
struct ldb_message **dom_res, **ref_res;
- const char * const dom_attrs[] = { "dnsDomain", "objectSid", "objectGUID", NULL };
- const char * const ref_attrs[] = { "nETBIOSName", NULL };
+ const char * const dom_attrs[] = { "objectSid", "objectGUID", NULL };
+ const char * const ref_attrs[] = { "nETBIOSName", "dnsRoot", NULL };
+ struct ldb_dn *partitions_basedn;
ZERO_STRUCT(r->out);
- sam_ctx = samdb_connect(mem_ctx);
+ sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info);
if (sam_ctx == NULL) {
return WERR_GENERAL_FAILURE;
}
- ret = gendb_search(sam_ctx, mem_ctx, NULL, &dom_res, dom_attrs,
- "(&(objectClass=domainDNS)(dnsDomain=%s))", lp_realm());
+ partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx);
+
+ ret = gendb_search_dn(sam_ctx, mem_ctx, NULL, &dom_res, dom_attrs);
if (ret == -1) {
return WERR_GENERAL_FAILURE;
}
-
if (ret != 1) {
return WERR_GENERAL_FAILURE;
}
- ret = gendb_search(sam_ctx, mem_ctx, NULL, &ref_res, ref_attrs,
+ ret = gendb_search(sam_ctx, mem_ctx, partitions_basedn, &ref_res, ref_attrs,
"(&(objectClass=crossRef)(ncName=%s))",
- ldb_dn_linearize(mem_ctx, dom_res[0]->dn));
+ ldb_dn_get_linearized(dom_res[0]->dn));
if (ret == -1) {
return WERR_GENERAL_FAILURE;
}
-
if (ret != 1) {
return WERR_GENERAL_FAILURE;
}
-
-
trusts = talloc_array(mem_ctx, struct netr_DomainTrust, ret);
- if (trusts == NULL) {
- return WERR_NOMEM;
- }
+ W_ERROR_HAVE_NO_MEMORY(trusts);
r->out.count = 1;
r->out.trusts = trusts;
/* TODO: add filtering by trust_flags, and correct trust_type
and attributes */
trusts[0].netbios_name = samdb_result_string(ref_res[0], "nETBIOSName", NULL);
- trusts[0].dns_name = samdb_result_string(dom_res[0], "dnsDomain", NULL);
+ trusts[0].dns_name = samdb_result_string(ref_res[0], "dnsRoot", NULL);
trusts[0].trust_flags =
NETR_TRUST_FLAG_TREEROOT |
NETR_TRUST_FLAG_IN_FOREST |