CLDAP server - netlogon handling
Copyright (C) Andrew Tridgell 2005
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
-#include "libcli/ldap/ldap.h"
#include "lib/ldb/include/ldb.h"
#include "lib/ldb/include/ldb_errors.h"
#include "lib/events/events.h"
-#include "lib/socket/socket.h"
#include "smbd/service_task.h"
#include "cldap_server/cldap_server.h"
#include "librpc/gen_ndr/ndr_misc.h"
+#include "libcli/ldap/ldap_ndr.h"
+#include "libcli/security/security.h"
#include "dsdb/samdb/samdb.h"
#include "auth/auth.h"
-#include "db_wrap.h"
+#include "ldb_wrap.h"
#include "system/network.h"
-#include "netif/netif.h"
+#include "lib/socket/netif.h"
+#include "param/param.h"
+#include "../lib/tsocket/tsocket.h"
/*
fill in the cldap netlogon union for a given version
*/
-static NTSTATUS cldapd_netlogon_fill(struct cldapd_server *cldapd,
- TALLOC_CTX *mem_ctx,
- const char *domain,
- const char *domain_guid,
- const char *user,
- const char *src_address,
- uint32_t version,
- union nbt_cldap_netlogon *netlogon)
+NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx,
+ const char *domain,
+ const char *netbios_domain,
+ struct dom_sid *domain_sid,
+ const char *domain_guid,
+ const char *user,
+ uint32_t acct_control,
+ const char *src_address,
+ uint32_t version,
+ struct loadparm_context *lp_ctx,
+ struct netlogon_samlogon_response *netlogon)
{
- const char *ref_attrs[] = {"nETBIOSName", "ncName", NULL};
- const char *dom_attrs[] = {"dnsDomain", "objectGUID", NULL};
- struct ldb_message **ref_res, **dom_res;
- int ret, count = 0;
- const char **services = lp_server_services();
+ const char *dom_attrs[] = {"objectGUID", NULL};
+ const char *none_attrs[] = {NULL};
+ struct ldb_result *dom_res = NULL, *user_res = NULL;
+ int ret;
+ const char **services = lp_server_services(lp_ctx);
uint32_t server_type;
const char *pdc_name;
struct GUID domain_uuid;
- const char *realm;
const char *dns_domain;
const char *pdc_dns_name;
const char *flatname;
- const char *site_name;
- const char *site_name2;
+ const char *server_site;
+ const char *client_site;
const char *pdc_ip;
- const struct ldb_dn *partitions_basedn = ldb_dn_string_compose(mem_ctx, samdb_base_dn(mem_ctx), "CN=Partitions,CN=Configuration");
-
- if (cldapd->samctx == NULL) {
- cldapd->samctx = samdb_connect(cldapd, anonymous_session(cldapd));
- if (cldapd->samctx == NULL) {
- DEBUG(2,("Unable to open sam in cldap netlogon reply\n"));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
- }
+ struct ldb_dn *domain_dn = NULL;
+ struct interface *ifaces;
+ bool user_known;
+ NTSTATUS status;
/* the domain has an optional trailing . */
if (domain && domain[strlen(domain)-1] == '.') {
domain = talloc_strndup(mem_ctx, domain, strlen(domain)-1);
}
- if (domain) {
- struct ldb_result *dom_ldb_result;
- struct ldb_dn *dom_dn;
- /* try and find the domain */
- count = gendb_search(cldapd->samctx, mem_ctx, partitions_basedn, &ref_res, ref_attrs,
- "(&(&(objectClass=crossRef)(dnsRoot=%s))(nETBIOSName=*))",
- domain);
- if (count == 1) {
- dom_dn = samdb_result_dn(mem_ctx, ref_res[0], "ncName", NULL);
- if (!dom_dn) {
- return NT_STATUS_NO_SUCH_DOMAIN;
+ if (domain && strcasecmp_m(domain, lp_dnsdomain(lp_ctx)) == 0) {
+ domain_dn = ldb_get_default_basedn(sam_ctx);
+ }
+
+ if (netbios_domain && strcasecmp_m(domain, lp_sam_name(lp_ctx))) {
+ domain_dn = ldb_get_default_basedn(sam_ctx);
+ }
+
+ if (domain_dn) {
+ ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
+ domain_dn, LDB_SCOPE_BASE, dom_attrs,
+ "objectClass=domain");
+ if (ret != LDB_SUCCESS) {
+ DEBUG(2,("Error finding domain '%s'/'%s' in sam: %s\n", domain, ldb_dn_get_linearized(domain_dn), ldb_errstring(sam_ctx)));
+ return NT_STATUS_NO_SUCH_DOMAIN;
+ }
+ if (dom_res->count != 1) {
+ DEBUG(2,("Error finding domain '%s'/'%s' in sam\n", domain, ldb_dn_get_linearized(domain_dn)));
+ return NT_STATUS_NO_SUCH_DOMAIN;
+ }
+ }
+
+ if ((dom_res == NULL || dom_res->count == 0) && (domain_guid || domain_sid)) {
+
+ if (domain_guid) {
+ struct GUID binary_guid;
+ struct ldb_val guid_val;
+
+ /* By this means, we ensure we don't have funny stuff in the GUID */
+
+ status = GUID_from_string(domain_guid, &binary_guid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
- ret = ldb_search(cldapd->samctx, dom_dn,
- LDB_SCOPE_BASE, "objectClass=domain",
- dom_attrs, &dom_ldb_result);
- if (ret != LDB_SUCCESS) {
- DEBUG(2,("Error finding domain '%s'/'%s' in sam: %s\n", domain, ldb_dn_linearize(mem_ctx, dom_dn), ldb_errstring(cldapd->samctx)));
- return NT_STATUS_NO_SUCH_DOMAIN;
+
+ /* And this gets the result into the binary format we want anyway */
+ status = GUID_to_ndr_blob(&binary_guid, mem_ctx, &guid_val);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
- if (dom_ldb_result->count != 1) {
- DEBUG(2,("Error finding domain '%s'/'%s' in sam\n", domain, ldb_dn_linearize(mem_ctx, dom_dn)));
- return NT_STATUS_NO_SUCH_DOMAIN;
+ ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
+ NULL, LDB_SCOPE_SUBTREE,
+ dom_attrs,
+ "(&(objectCategory=DomainDNS)(objectGUID=%s))",
+ ldb_binary_encode(mem_ctx, guid_val));
+ } else { /* domain_sid case */
+ struct dom_sid *sid;
+ struct ldb_val sid_val;
+ enum ndr_err_code ndr_err;
+
+ /* Rather than go via the string, just push into the NDR form */
+ ndr_err = ndr_push_struct_blob(&sid_val, mem_ctx, NULL, &sid,
+ (ndr_push_flags_fn_t)ndr_push_dom_sid);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return NT_STATUS_INVALID_PARAMETER;
}
- dom_res = dom_ldb_result->msgs;
- }
- }
- if (count == 0 && domain_guid) {
- /* OK, so no dice with the name, try and find the domain with the GUID */
- count = gendb_search(cldapd->samctx, mem_ctx, samdb_base_dn(mem_ctx), &dom_res, dom_attrs,
- "(&(objectClass=domainDNS)(objectGUID=%s))",
- domain_guid);
- if (count == 1) {
- /* try and find the domain */
- ret = gendb_search(cldapd->samctx, mem_ctx, partitions_basedn, &ref_res, ref_attrs,
- "(&(objectClass=crossRef)(ncName=%s))",
- ldb_dn_linearize(mem_ctx, dom_res[0]->dn));
- if (ret != 1) {
- DEBUG(2,("Unable to find referece to '%s' in sam\n",
- ldb_dn_linearize(mem_ctx, dom_res[0]->dn)));
+ ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
+ NULL, LDB_SCOPE_SUBTREE,
+ dom_attrs,
+ "(&(objectCategory=DomainDNS)(objectSID=%s))",
+ ldb_binary_encode(mem_ctx, sid_val));
+ }
+
+ if (ret != LDB_SUCCESS) {
+ DEBUG(2,("Unable to find referece to GUID '%s' or SID %s in sam: %s\n",
+ domain_guid, dom_sid_string(mem_ctx, domain_sid),
+ ldb_errstring(sam_ctx)));
+ return NT_STATUS_NO_SUCH_DOMAIN;
+ } else if (dom_res->count == 1) {
+ /* Ok, now just check it is our domain */
+
+ if (ldb_dn_compare(ldb_get_default_basedn(sam_ctx), dom_res->msgs[0]->dn) != 0) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
+ } else if (dom_res->count > 1) {
+ return NT_STATUS_NO_SUCH_DOMAIN;
}
}
- if (count == 0) {
+
+ if ((dom_res == NULL || dom_res->count == 0)) {
DEBUG(2,("Unable to find domain with name %s or GUID {%s}\n", domain, domain_guid));
return NT_STATUS_NO_SUCH_DOMAIN;
}
+ /* work around different inputs for not-specified users */
+ if (!user) {
+ user = "";
+ }
+
+ /* Enquire about any valid username with just a CLDAP packet -
+ * if kerberos didn't also do this, the security folks would
+ * scream... */
+ if (user[0]) { \
+ /* Only allow some bits to be enquired: [MS-ATDS] 7.3.3.2 */
+ if (acct_control == (uint32_t)-1) {
+ acct_control = 0;
+ }
+ acct_control = acct_control & (ACB_TEMPDUP | ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST);
+
+ /* We must exclude disabled accounts, but otherwise do the bitwise match the client asked for */
+ ret = ldb_search(sam_ctx, mem_ctx, &user_res,
+ dom_res->msgs[0]->dn, LDB_SCOPE_SUBTREE,
+ none_attrs,
+ "(&(objectClass=user)(samAccountName=%s)"
+ "(!(userAccountControl:" LDB_OID_COMPARATOR_AND ":=%u))"
+ "(userAccountControl:" LDB_OID_COMPARATOR_OR ":=%u))",
+ ldb_binary_encode_string(mem_ctx, user),
+ UF_ACCOUNTDISABLE, ds_acb2uf(acct_control));
+ if (ret != LDB_SUCCESS) {
+ DEBUG(2,("Unable to find referece to user '%s' with ACB 0x%8x under %s: %s\n",
+ user, acct_control, ldb_dn_get_linearized(dom_res->msgs[0]->dn),
+ ldb_errstring(sam_ctx)));
+ return NT_STATUS_NO_SUCH_USER;
+ } else if (user_res->count == 1) {
+ user_known = true;
+ } else {
+ user_known = false;
+ }
+
+ } else {
+ user_known = true;
+ }
+
server_type =
- NBT_SERVER_PDC | NBT_SERVER_GC |
- NBT_SERVER_DS | NBT_SERVER_TIMESERV |
- NBT_SERVER_CLOSEST | NBT_SERVER_WRITABLE |
- NBT_SERVER_GOOD_TIMESERV;
+ DS_SERVER_DS | DS_SERVER_TIMESERV |
+ DS_SERVER_CLOSEST | DS_SERVER_WRITABLE |
+ DS_SERVER_GOOD_TIMESERV;
+
+#if 0
+ /* w2k8-r2 as a DC does not claim these */
+ server_type |= DS_DNS_CONTROLLER | DS_DNS_DOMAIN;
+#endif
+
+ if (samdb_is_pdc(sam_ctx)) {
+ server_type |= DS_SERVER_PDC;
+ if (dsdb_functional_level(sam_ctx) >= DS_DOMAIN_FUNCTION_2008) {
+ server_type |= DS_SERVER_FULL_SECRET_DOMAIN_6;
+ }
+ }
+
+ if (samdb_is_gc(sam_ctx)) {
+ server_type |= DS_SERVER_GC;
+ }
if (str_list_check(services, "ldap")) {
- server_type |= NBT_SERVER_LDAP;
+ server_type |= DS_SERVER_LDAP;
}
if (str_list_check(services, "kdc")) {
- server_type |= NBT_SERVER_KDC;
+ server_type |= DS_SERVER_KDC;
}
- pdc_name = talloc_asprintf(mem_ctx, "\\\\%s", lp_netbios_name());
- domain_uuid = samdb_result_guid(dom_res[0], "objectGUID");
- realm = samdb_result_string(dom_res[0], "dnsDomain", lp_realm());
- dns_domain = samdb_result_string(dom_res[0], "dnsDomain", lp_realm());
+#if 0
+ /* w2k8-r2 as a sole DC does not claim this */
+ if (ldb_dn_compare(ldb_get_root_basedn(sam_ctx), ldb_get_default_basedn(sam_ctx)) == 0) {
+ server_type |= DS_DNS_FOREST_ROOT;
+ }
+#endif
+
+ pdc_name = talloc_asprintf(mem_ctx, "\\\\%s", lp_netbios_name(lp_ctx));
+ domain_uuid = samdb_result_guid(dom_res->msgs[0], "objectGUID");
+ dns_domain = lp_dnsdomain(lp_ctx);
pdc_dns_name = talloc_asprintf(mem_ctx, "%s.%s",
- strlower_talloc(mem_ctx, lp_netbios_name()),
+ strlower_talloc(mem_ctx,
+ lp_netbios_name(lp_ctx)),
dns_domain);
- flatname = samdb_result_string(ref_res[0], "nETBIOSName", lp_workgroup());
- site_name = "Default-First-Site-Name";
- site_name2 = "Default-First-Site-Name";
- pdc_ip = iface_best_ip(src_address);
+ flatname = lp_sam_name(lp_ctx);
+ server_site = samdb_server_site_name(sam_ctx, mem_ctx);
+ /* FIXME: Hardcoded site name */
+ client_site = "Default-First-Site-Name";
+ load_interfaces(mem_ctx, lp_interfaces(lp_ctx), &ifaces);
+ pdc_ip = iface_best_ip(ifaces, src_address);
ZERO_STRUCTP(netlogon);
- switch (version & 0xF) {
- case 0:
- case 1:
- netlogon->logon1.type = (user?19+2:19);
- netlogon->logon1.pdc_name = pdc_name;
- netlogon->logon1.user_name = user;
- netlogon->logon1.domain_name = flatname;
- netlogon->logon1.nt_version = 1;
- netlogon->logon1.lmnt_token = 0xFFFF;
- netlogon->logon1.lm20_token = 0xFFFF;
- break;
- case 2:
- case 3:
- netlogon->logon3.type = (user?19+2:19);
- netlogon->logon3.pdc_name = pdc_name;
- netlogon->logon3.user_name = user;
- netlogon->logon3.domain_name = flatname;
- netlogon->logon3.domain_uuid = domain_uuid;
- netlogon->logon3.forest = realm;
- netlogon->logon3.dns_domain = dns_domain;
- netlogon->logon3.pdc_dns_name = pdc_dns_name;
- netlogon->logon3.pdc_ip = pdc_ip;
- netlogon->logon3.server_type = server_type;
- netlogon->logon3.lmnt_token = 0xFFFF;
- netlogon->logon3.lm20_token = 0xFFFF;
- break;
- case 4:
- case 5:
- case 6:
- case 7:
- netlogon->logon5.type = (user?23+2:23);
- netlogon->logon5.server_type = server_type;
- netlogon->logon5.domain_uuid = domain_uuid;
- netlogon->logon5.forest = realm;
- netlogon->logon5.dns_domain = dns_domain;
- netlogon->logon5.pdc_dns_name = pdc_dns_name;
- netlogon->logon5.domain = flatname;
- netlogon->logon5.pdc_name = lp_netbios_name();
- netlogon->logon5.user_name = user;
- netlogon->logon5.site_name = site_name;
- netlogon->logon5.site_name2 = site_name2;
- netlogon->logon5.lmnt_token = 0xFFFF;
- netlogon->logon5.lm20_token = 0xFFFF;
- break;
- default:
- netlogon->logon13.type = (user?23+2:23);
- netlogon->logon13.server_type = server_type;
- netlogon->logon13.domain_uuid = domain_uuid;
- netlogon->logon13.forest = realm;
- netlogon->logon13.dns_domain = dns_domain;
- netlogon->logon13.pdc_dns_name = pdc_dns_name;
- netlogon->logon13.domain = flatname;
- netlogon->logon13.pdc_name = lp_netbios_name();
- netlogon->logon13.user_name = user;
- netlogon->logon13.site_name = site_name;
- netlogon->logon13.site_name2 = site_name2;
- netlogon->logon13.unknown = 10;
- netlogon->logon13.unknown2 = 2;
- netlogon->logon13.pdc_ip = pdc_ip;
- netlogon->logon13.lmnt_token = 0xFFFF;
- netlogon->logon13.lm20_token = 0xFFFF;
- break;
+ /* check if either of these bits is present */
+ if (version & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP)) {
+ uint32_t extra_flags = 0;
+ netlogon->ntver = NETLOGON_NT_VERSION_5EX;
+
+ /* could check if the user exists */
+ if (user_known) {
+ netlogon->data.nt5_ex.command = LOGON_SAM_LOGON_RESPONSE_EX;
+ } else {
+ netlogon->data.nt5_ex.command = LOGON_SAM_LOGON_USER_UNKNOWN_EX;
+ }
+ netlogon->data.nt5_ex.server_type = server_type;
+ netlogon->data.nt5_ex.domain_uuid = domain_uuid;
+ netlogon->data.nt5_ex.forest = dns_domain;
+ netlogon->data.nt5_ex.dns_domain = dns_domain;
+ netlogon->data.nt5_ex.pdc_dns_name = pdc_dns_name;
+ netlogon->data.nt5_ex.domain = flatname;
+ netlogon->data.nt5_ex.pdc_name = lp_netbios_name(lp_ctx);
+ netlogon->data.nt5_ex.user_name = user;
+ netlogon->data.nt5_ex.server_site = server_site;
+ netlogon->data.nt5_ex.client_site = client_site;
+
+ if (version & NETLOGON_NT_VERSION_5EX_WITH_IP) {
+ /* Clearly this needs to be fixed up for IPv6 */
+ extra_flags = NETLOGON_NT_VERSION_5EX_WITH_IP;
+ netlogon->data.nt5_ex.sockaddr.sockaddr_family = 2;
+ netlogon->data.nt5_ex.sockaddr.pdc_ip = pdc_ip;
+ netlogon->data.nt5_ex.sockaddr.remaining = data_blob_talloc_zero(mem_ctx, 8);
+ }
+ netlogon->data.nt5_ex.nt_version = NETLOGON_NT_VERSION_1|NETLOGON_NT_VERSION_5EX|extra_flags;
+ netlogon->data.nt5_ex.lmnt_token = 0xFFFF;
+ netlogon->data.nt5_ex.lm20_token = 0xFFFF;
+
+ } else if (version & NETLOGON_NT_VERSION_5) {
+ netlogon->ntver = NETLOGON_NT_VERSION_5;
+
+ /* could check if the user exists */
+ if (user_known) {
+ netlogon->data.nt5.command = LOGON_SAM_LOGON_RESPONSE;
+ } else {
+ netlogon->data.nt5.command = LOGON_SAM_LOGON_USER_UNKNOWN;
+ }
+ netlogon->data.nt5.pdc_name = pdc_name;
+ netlogon->data.nt5.user_name = user;
+ netlogon->data.nt5.domain_name = flatname;
+ netlogon->data.nt5.domain_uuid = domain_uuid;
+ netlogon->data.nt5.forest = dns_domain;
+ netlogon->data.nt5.dns_domain = dns_domain;
+ netlogon->data.nt5.pdc_dns_name = pdc_dns_name;
+ netlogon->data.nt5.pdc_ip = pdc_ip;
+ netlogon->data.nt5.server_type = server_type;
+ netlogon->data.nt5.nt_version = NETLOGON_NT_VERSION_1|NETLOGON_NT_VERSION_5;
+ netlogon->data.nt5.lmnt_token = 0xFFFF;
+ netlogon->data.nt5.lm20_token = 0xFFFF;
+
+ } else /* (version & NETLOGON_NT_VERSION_1) and all other cases */ {
+ netlogon->ntver = NETLOGON_NT_VERSION_1;
+ /* could check if the user exists */
+ if (user_known) {
+ netlogon->data.nt4.command = LOGON_SAM_LOGON_RESPONSE;
+ } else {
+ netlogon->data.nt4.command = LOGON_SAM_LOGON_USER_UNKNOWN;
+ }
+ netlogon->data.nt4.server = pdc_name;
+ netlogon->data.nt4.user_name = user;
+ netlogon->data.nt4.domain = flatname;
+ netlogon->data.nt4.nt_version = NETLOGON_NT_VERSION_1;
+ netlogon->data.nt4.lmnt_token = 0xFFFF;
+ netlogon->data.nt4.lm20_token = 0xFFFF;
}
return NT_STATUS_OK;
/*
handle incoming cldap requests
*/
-void cldapd_netlogon_request(struct cldap_socket *cldap,
+void cldapd_netlogon_request(struct cldap_socket *cldap,
+ struct cldapd_server *cldapd,
+ TALLOC_CTX *tmp_ctx,
uint32_t message_id,
struct ldb_parse_tree *tree,
- struct socket_address *src)
+ struct tsocket_address *src)
{
- struct cldapd_server *cldapd = talloc_get_type(cldap->incoming.private, struct cldapd_server);
int i;
const char *domain = NULL;
const char *host = NULL;
const char *domain_sid = NULL;
int acct_control = -1;
int version = -1;
- union nbt_cldap_netlogon netlogon;
+ struct netlogon_samlogon_response netlogon;
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
- TALLOC_CTX *tmp_ctx = talloc_new(cldap);
-
if (tree->operation != LDB_OP_AND) goto failed;
/* extract the query elements */
}
if (domain_guid == NULL && domain == NULL) {
- domain = lp_realm();
+ domain = lp_dnsdomain(cldapd->task->lp_ctx);
}
if (version == -1) {
DEBUG(5,("cldap netlogon query domain=%s host=%s user=%s version=%d guid=%s\n",
domain, host, user, version, domain_guid));
- status = cldapd_netlogon_fill(cldapd, tmp_ctx, domain, domain_guid,
- user, src->addr,
- version, &netlogon);
+ status = fill_netlogon_samlogon_response(cldapd->samctx, tmp_ctx, domain, NULL, NULL, domain_guid,
+ user, acct_control,
+ tsocket_address_inet_addr_string(src, tmp_ctx),
+ version, cldapd->task->lp_ctx, &netlogon);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
- status = cldap_netlogon_reply(cldap, message_id, src, version,
+ status = cldap_netlogon_reply(cldap,
+ lp_iconv_convenience(cldapd->task->lp_ctx),
+ message_id, src, version,
&netlogon);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
- talloc_free(tmp_ctx);
return;
failed:
DEBUG(2,("cldap netlogon query failed domain=%s host=%s version=%d - %s\n",
domain, host, version, nt_errstr(status)));
- talloc_free(tmp_ctx);
- cldap_empty_reply(cldap, message_id, src);
+ cldap_empty_reply(cldap, message_id, src);
}
git.samba.org / ira / wip.git / blobdiff