#include "includes.h"
-/****************************************************************************
- Check user is in correct domain if required
-****************************************************************************/
-
-static BOOL check_domain_match(char *user, char *domain)
+/**
+ * Check user is in correct domain (if required)
+ *
+ * @param user Only used to fill in the debug message
+ *
+ * @param domain The domain to be verified
+ *
+ * @return True if the user can connect with that domain,
+ * False otherwise.
+**/
+
+static BOOL check_domain_match(const char *user, const char *domain)
{
/*
* If we aren't serving to trusted domains, we must make sure that
}
}
-/****************************************************************************
- Check a users password, as given in the user-info struct and return various
- interesting details in the server_info struct.
-
- This functions does NOT need to be in a become_root()/unbecome_root() pair
- as it makes the calls itself when needed.
-
- The return value takes precedence over the contents of the server_info
- struct. When the return is other than NT_STATUS_NOPROBLEMO the contents
- of that structure is undefined.
-
-****************************************************************************/
+/**
+ * Check a user's Plaintext, LM or NTLM password.
+ *
+ * Check a user's password, as given in the user_info struct and return various
+ * interesting details in the server_info struct.
+ *
+ * This function does NOT need to be in a become_root()/unbecome_root() pair
+ * as it makes the calls itself when needed.
+ *
+ * The return value takes precedence over the contents of the server_info
+ * struct. When the return is other than NT_STATUS_OK the contents
+ * of that structure is undefined.
+ *
+ * @param user_info Contains the user supplied components, including the passwords.
+ * Must be created with make_user_info() or one of its wrappers.
+ *
+ * @param auth_info Supplies the challanges and some other data.
+ * Must be created with make_auth_info(), and the challanges should be
+ * filled in, either at creation or by calling the challange geneation
+ * function auth_get_challange().
+ *
+ * @param server_info If successful, contains information about the authenticaion,
+ * including a SAM_ACCOUNT struct describing the user.
+ *
+ * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
+ *
+ **/
NTSTATUS check_password(const auth_usersupplied_info *user_info,
- const auth_authsupplied_info *auth_info,
- auth_serversupplied_info **server_info)
+ const auth_authsupplied_info *auth_info,
+ auth_serversupplied_info **server_info)
{
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
dump_data(100, user_info->nt_resp.data, user_info->nt_resp.length);
#endif
+ /* This needs to be sorted: If it doesn't match, what should we do? */
+ if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
for (auth_method = auth_info->auth_method_list;auth_method; auth_method = auth_method->next)
{
nt_status = auth_method->auth(auth_method->private_data, user_info, auth_info, server_info);
}
}
- /* This needs to be sorted: If it doesn't match, what should we do? */
- if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) {
- return NT_STATUS_LOGON_FAILURE;
- }
-
-
/* This is one of the few places the *relies* (rather than just sets defaults
on the value of lp_security(). This needs to change. A new paramater
perhaps? */
}
-/****************************************************************************
- Squash an NT_STATUS return in line with requirements for unauthenticated
- connections. (session setups in particular)
-****************************************************************************/
+/**
+ * Squash an NT_STATUS in line with security requirements.
+ * In an attempt to avoid giving the whole game away when users
+ * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and
+ * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations
+ * (session setups in particular).
+ *
+ * @param nt_status NTSTATUS input for squashing.
+ * @return the 'squashed' nt_status
+ **/
NTSTATUS nt_status_squash(NTSTATUS nt_status)
{
#include "includes.h"
#include "../utils/net.h"
-
+/**
+ * @file net_rpc.c
+ *
+ * @brief RPC based subcommands for the 'net' utility.
+ *
+ * This file should contain much of the functionality that used to
+ * be found in rpcclient, execpt that the commands should change
+ * less often, and the fucntionality should be sane (the user is not
+ * expected to know a rid/sid before they conduct an operation etc.)
+ *
+ * @todo Perhaps eventually these should be split out into a number
+ * of files, as this could get quite big.
+ **/
+
+
+/* A function of this type is passed to the 'run_rpc_command' wrapper */
typedef NTSTATUS (*rpc_command_fn)(const DOM_SID *, struct cli_state *, TALLOC_CTX *, int, const char **);
+/**
+ * Many of the RPC functions need the domain sid. This function gets
+ * it at the start of every run
+ *
+ * @param cli A cli_state already connected to the remote machine
+ *
+ * @return The Domain SID of the remote machine.
+ */
static DOM_SID *net_get_remote_domain_sid(struct cli_state *cli)
{
exit(1);
}
+/**
+ * Run a single RPC command, from start to finish.
+ *
+ * @param pipe_name the pipe to connect to (usually a PIPE_ constant)
+ * @param conn_flag a NET_FLAG_ combination. Passed to
+ * net_make_ipc_connection.
+ * @param argc Standard main() style argc
+ * @param argc Standard main() style argv. Initial components are already
+ * stripped
+ * @return A shell status integer (0 for success)
+ */
static int run_rpc_command(const char *pipe_name, int conn_flags,
rpc_command_fn fn,
struct cli_state *cli = net_make_ipc_connection(conn_flags);
TALLOC_CTX *mem_ctx;
NTSTATUS nt_status;
- DOM_SID *domain_sid = net_get_remote_domain_sid(cli);
+ DOM_SID *domain_sid;
+
+ if (!cli) {
+ return -1;
+ }
+
+ domain_sid = net_get_remote_domain_sid(cli);
+
/* Create mem_ctx */
if (!(mem_ctx = talloc_init())) {
return (!NT_STATUS_IS_OK(nt_status));
}
-static NTSTATUS rpc_user_add_internals(const DOM_SID *domain_sid, struct cli_state *cli, TALLOC_CTX *mem_ctx,
- int argc, const char **argv) {
-
- POLICY_HND connect_pol, domain_pol, user_pol;
- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- const char *acct_name;
- uint16 acb_info;
- uint32 unknown, user_rid;
-
- if (argc != 1) {
- d_printf("Usage: net rpc user add username\n");
- return NT_STATUS_OK;
- }
-
- acct_name = argv[0];
-
- /* Get sam policy handle */
-
- result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
- &connect_pol);
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
-
- /* Get domain policy handle */
-
- result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
- MAXIMUM_ALLOWED_ACCESS,
- domain_sid, &domain_pol);
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
-
- /* Create domain user */
- acb_info = ACB_NORMAL;
- unknown = 0xe005000b; /* No idea what this is - a permission mask? */
+/****************************************************************************/
- result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol,
- acct_name, acb_info, unknown,
- &user_pol, &user_rid);
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
- done:
- return result;
-}
+/**
+ * Force a change of the trust acccount password.
+ *
+ * All paramaters are provided by the run_rpc_command funcion, except for
+ * argc, argv which are passes through.
+ *
+ * @param domain_sid The domain sid aquired from the remote server
+ * @param cli A cli_state connected to the server.
+ * @param mem_ctx Talloc context, destoyed on compleation of the function.
+ * @param argc Standard main() style argc
+ * @param argc Standard main() style argv. Initial components are already
+ * stripped
+ *
+ * @return Normal NTSTATUS return.
+ **/
static NTSTATUS rpc_changetrustpw_internals(const DOM_SID *domain_sid, struct cli_state *cli, TALLOC_CTX *mem_ctx,
int argc, const char **argv) {
return trust_pw_find_change_and_store_it(cli, mem_ctx, opt_target_workgroup);
}
+/**
+ * Force a change of the trust acccount password.
+ *
+ * @param argc Standard main() style argc
+ * @param argc Standard main() style argv. Initial components are already
+ * stripped
+ *
+ * @return A shell status integer (0 for success)
+ **/
+
static int rpc_changetrustpw(int argc, const char **argv)
{
return run_rpc_command(PIPE_NETLOGON, NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC, rpc_changetrustpw_internals,
argc, argv);
}
+
+/****************************************************************************/
+
+
+/**
+ * Join a domain, the old way.
+ *
+ * This uses 'machinename' as the inital password, and changes it.
+ *
+ * The password should be created with 'server manager' or eqiv first.
+ *
+ * All paramaters are provided by the run_rpc_command funcion, except for
+ * argc, argv which are passes through.
+ *
+ * @param domain_sid The domain sid aquired from the remote server
+ * @param cli A cli_state connected to the server.
+ * @param mem_ctx Talloc context, destoyed on compleation of the function.
+ * @param argc Standard main() style argc
+ * @param argc Standard main() style argv. Initial components are already
+ * stripped
+ *
+ * @return Normal NTSTATUS return.
+ **/
+
static NTSTATUS rpc_join_oldstyle_internals(const DOM_SID *domain_sid, struct cli_state *cli, TALLOC_CTX *mem_ctx,
int argc, const char **argv) {
return trust_pw_change_and_store_it(cli, mem_ctx, orig_trust_passwd_hash);
}
+/**
+ * Join a domain, the old way.
+ *
+ * @param argc Standard main() style argc
+ * @param argc Standard main() style argv. Initial components are already
+ * stripped
+ *
+ * @return A shell status integer (0 for success)
+ **/
+
static int rpc_join_oldstyle(int argc, const char **argv)
{
return run_rpc_command(PIPE_NETLOGON, NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC, rpc_join_oldstyle_internals,
argc, argv);
}
+/**
+ * Basic usage function for 'net rpc join'
+ * @param argc Standard main() style argc
+ * @param argc Standard main() style argv. Initial components are already
+ * stripped
+ **/
+
static int rpc_join_usage(int argc, const char **argv)
{
d_printf(" net rpc join \t to join a domain with admin username & password\n");
return -1;
}
+/**
+ * 'net rpc join' entrypoint.
+ * @param argc Standard main() style argc
+ * @param argc Standard main() style argv. Initial components are already
+ * stripped
+ *
+ * Main 'net_rpc_join()' (where the admain username/password is used) is
+ * in net_rpc_join.c
+ **/
+
static int rpc_join(int argc, const char **argv)
{
struct functable func[] = {
return net_run_function(argc, argv, func, rpc_join_usage);
}
+
+/****************************************************************************/
+
+
+/**
+ * Add a new user to a remote RPC server
+ *
+ * All paramaters are provided by the run_rpc_command funcion, except for
+ * argc, argv which are passes through.
+ *
+ * @param domain_sid The domain sid aquired from the remote server
+ * @param cli A cli_state connected to the server.
+ * @param mem_ctx Talloc context, destoyed on compleation of the function.
+ * @param argc Standard main() style argc
+ * @param argc Standard main() style argv. Initial components are already
+ * stripped
+ *
+ * @return Normal NTSTATUS return.
+ **/
+
+static NTSTATUS rpc_user_add_internals(const DOM_SID *domain_sid, struct cli_state *cli, TALLOC_CTX *mem_ctx,
+ int argc, const char **argv) {
+
+ POLICY_HND connect_pol, domain_pol, user_pol;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ const char *acct_name;
+ uint16 acb_info;
+ uint32 unknown, user_rid;
+
+ if (argc != 1) {
+ d_printf("Usage: net rpc user add username\n");
+ return NT_STATUS_OK;
+ }
+
+ acct_name = argv[0];
+
+ /* Get sam policy handle */
+
+ result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
+ &connect_pol);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ /* Get domain policy handle */
+
+ result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
+ MAXIMUM_ALLOWED_ACCESS,
+ domain_sid, &domain_pol);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ /* Create domain user */
+
+ acb_info = ACB_NORMAL;
+ unknown = 0xe005000b; /* No idea what this is - a permission mask? */
+
+ result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol,
+ acct_name, acb_info, unknown,
+ &user_pol, &user_rid);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ done:
+ return result;
+}
+
+/**
+ * Add a new user to a remote RPC server
+ *
+ * @param argc Standard main() style argc
+ * @param argc Standard main() style argv. Initial components are already
+ * stripped
+ *
+ * @return A shell status integer (0 for success)
+ **/
+
static int rpc_user_add(int argc, const char **argv)
{
return run_rpc_command(PIPE_SAMR, 0, rpc_user_add_internals,
argc, argv);
}
+/**
+ * Basic usage function for 'net rpc join'
+ * @param argc Standard main() style argc
+ * @param argc Standard main() style argv. Initial components are already
+ * stripped
+ **/
+
static int rpc_user_usage(int argc, const char **argv)
{
d_printf(" net rpc user add \t to add a user\n");
return -1;
}
+/**
+ * 'net rpc user' entrypoint.
+ * @param argc Standard main() style argc
+ * @param argc Standard main() style argv. Initial components are already
+ * stripped
+ **/
+
static int rpc_user(int argc, const char **argv)
{
struct functable func[] = {
return net_run_function(argc, argv, func, rpc_user_usage);
}
+/**
+ * Basic usage function for 'net rpc join'
+ * @param argc Standard main() style argc
+ * @param argc Standard main() style argv. Initial components are already
+ * stripped
+ **/
+
int net_rpc_usage(int argc, const char **argv)
{
d_printf(" net rpc join \tto join a domain \n");
return -1;
}
+/**
+ * 'net rpc user' entrypoint.
+ * @param argc Standard main() style argc
+ * @param argc Standard main() style argv. Initial components are already
+ * stripped
+ **/
+
int net_rpc(int argc, const char **argv)
{
struct functable func[] = {