#include "librpc/gen_ndr/ndr_winbind.h"
#include "librpc/gen_ndr/ndr_winbind_c.h"
#include "lib/socket/netif.h"
+#include "rpc_server/common/sid_helper.h"
+#include "lib/util/util_str_escape.h"
-#define DCESRV_INTERFACE_NETLOGON_BIND(call, iface) \
- dcesrv_interface_netlogon_bind(call, iface)
+#define DCESRV_INTERFACE_NETLOGON_BIND(context, iface) \
+ dcesrv_interface_netlogon_bind(context, iface)
/*
* This #define allows the netlogon interface to accept invalid
*/
#define DCESRV_INTERFACE_NETLOGON_FLAGS DCESRV_INTERFACE_FLAGS_HANDLES_NOT_USED
-static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_call_state *dce_call,
+static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context,
const struct dcesrv_interface *iface)
{
- return dcesrv_interface_bind_reject_connect(dce_call, iface);
+ return dcesrv_interface_bind_reject_connect(context, iface);
}
+#define NETLOGON_SERVER_PIPE_STATE_MAGIC 0x4f555358
struct netlogon_server_pipe_state {
struct netr_Credential client_challenge;
struct netr_Credential server_challenge;
static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_ServerReqChallenge *r)
{
- struct netlogon_server_pipe_state *pipe_state =
- talloc_get_type(dce_call->context->private_data, struct netlogon_server_pipe_state);
+ struct netlogon_server_pipe_state *pipe_state = NULL;
NTSTATUS ntstatus;
ZERO_STRUCTP(r->out.return_credentials);
- if (pipe_state) {
- talloc_free(pipe_state);
- dce_call->context->private_data = NULL;
- }
+ pipe_state = dcesrv_iface_state_find_conn(dce_call,
+ NETLOGON_SERVER_PIPE_STATE_MAGIC,
+ struct netlogon_server_pipe_state);
+ TALLOC_FREE(pipe_state);
- pipe_state = talloc(dce_call->context, struct netlogon_server_pipe_state);
- NT_STATUS_HAVE_NO_MEMORY(pipe_state);
+ pipe_state = talloc_zero(dce_call,
+ struct netlogon_server_pipe_state);
+ if (pipe_state == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
pipe_state->client_challenge = *r->in.credentials;
*r->out.return_credentials = pipe_state->server_challenge;
- dce_call->context->private_data = pipe_state;
+ ntstatus = dcesrv_iface_state_store_conn(dce_call,
+ NETLOGON_SERVER_PIPE_STATE_MAGIC,
+ pipe_state);
+ if (!NT_STATUS_IS_OK(ntstatus)) {
+ return ntstatus;
+ }
ntstatus = schannel_save_challenge(dce_call->conn->dce_ctx->lp_ctx,
&pipe_state->client_challenge,
&pipe_state->server_challenge,
r->in.computer_name);
if (!NT_STATUS_IS_OK(ntstatus)) {
+ TALLOC_FREE(pipe_state);
return ntstatus;
}
return NT_STATUS_OK;
}
-static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct netr_ServerAuthenticate3 *r)
+/*
+ * Do the actual processing of a netr_ServerAuthenticate3 message.
+ * called from dcesrv_netr_ServerAuthenticate3, which handles the logging.
+ */
+static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
+ struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct netr_ServerAuthenticate3 *r,
+ const char **trust_account_for_search,
+ const char **trust_account_in_db,
+ struct dom_sid **sid)
{
- struct netlogon_server_pipe_state *pipe_state =
- talloc_get_type(dce_call->context->private_data, struct netlogon_server_pipe_state);
+ struct netlogon_server_pipe_state *pipe_state = NULL;
bool challenge_valid = false;
struct netlogon_server_pipe_state challenge;
struct netlogon_creds_CredentialState *creds;
struct ldb_message **msgs;
NTSTATUS nt_status;
const char *attrs[] = {"unicodePwd", "userAccountControl",
- "objectSid", NULL};
- const char *account_name;
+ "objectSid", "samAccountName", NULL};
uint32_t server_flags = 0;
uint32_t negotiate_flags = 0;
bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
ZERO_STRUCTP(r->out.return_credentials);
*r->out.rid = 0;
+ pipe_state = dcesrv_iface_state_find_conn(dce_call,
+ NETLOGON_SERVER_PIPE_STATE_MAGIC,
+ struct netlogon_server_pipe_state);
if (pipe_state != NULL) {
- dce_call->context->private_data = NULL;
-
/*
* If we had a challenge remembered on the connection
* consider this for usage. This can't be cleanup
/* schannel must be used, but client did not offer it. */
DEBUG(0,("%s: schannel required but client failed "
"to offer it. Client was %s\n",
- __func__, r->in.account_name));
+ __func__,
+ log_escape(mem_ctx, r->in.account_name)));
return NT_STATUS_ACCESS_DENIED;
}
return NT_STATUS_INVALID_PARAMETER;
}
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx,
- system_session(dce_call->conn->dce_ctx->lp_ctx), 0);
+ sam_ctx = samdb_connect(mem_ctx,
+ dce_call->event_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ system_session(dce_call->conn->dce_ctx->lp_ctx),
+ dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
DEBUG(2, ("Client asked for a trusted domain secure channel, "
"but there's no tdo for [%s] => [%s] \n",
- r->in.account_name, encoded_name));
+ log_escape(mem_ctx, r->in.account_name),
+ encoded_name));
return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
if (!NT_STATUS_IS_OK(nt_status)) {
return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
- account_name = talloc_asprintf(mem_ctx, "%s$", flatname);
- if (account_name == NULL) {
+ *trust_account_for_search = talloc_asprintf(mem_ctx, "%s$", flatname);
+ if (*trust_account_for_search == NULL) {
return NT_STATUS_NO_MEMORY;
}
} else {
- account_name = r->in.account_name;
+ *trust_account_for_search = r->in.account_name;
}
/* pull the user attributes */
num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
"(&(sAMAccountName=%s)(objectclass=user))",
- ldb_binary_encode_string(mem_ctx, account_name));
+ ldb_binary_encode_string(mem_ctx,
+ *trust_account_for_search));
if (num_records == 0) {
DEBUG(3,("Couldn't find user [%s] in samdb.\n",
- r->in.account_name));
+ log_escape(mem_ctx, r->in.account_name)));
return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
if (num_records > 1) {
- DEBUG(0,("Found %d records matching user [%s]\n", num_records, r->in.account_name));
+ DEBUG(0,("Found %d records matching user [%s]\n",
+ num_records,
+ log_escape(mem_ctx, r->in.account_name)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
+ *trust_account_in_db = ldb_msg_find_attr_as_string(msgs[0],
+ "samAccountName",
+ NULL);
+ if (*trust_account_in_db == NULL) {
+ DEBUG(0,("No samAccountName returned in record matching user [%s]\n",
+ r->in.account_name));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
user_account_control = ldb_msg_find_attr_as_uint(msgs[0], "userAccountControl", 0);
if (user_account_control & UF_ACCOUNTDISABLE) {
- DEBUG(1, ("Account [%s] is disabled\n", r->in.account_name));
+ DEBUG(1, ("Account [%s] is disabled\n",
+ log_escape(mem_ctx, r->in.account_name)));
return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
if (!challenge_valid) {
DEBUG(1, ("No challenge requested by client [%s/%s], "
"cannot authenticate\n",
- r->in.computer_name,
- r->in.account_name));
+ log_escape(mem_ctx, r->in.computer_name),
+ log_escape(mem_ctx, r->in.account_name)));
return NT_STATUS_ACCESS_DENIED;
}
r->out.return_credentials,
negotiate_flags);
}
+
if (creds == NULL) {
return NT_STATUS_ACCESS_DENIED;
}
-
creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
+ *sid = talloc_memdup(mem_ctx, creds->sid, sizeof(struct dom_sid));
nt_status = schannel_save_creds_state(mem_ctx,
dce_call->conn->dce_ctx->lp_ctx,
return NT_STATUS_OK;
}
+/*
+ * Log a netr_ServerAuthenticate3 request, and then invoke
+ * dcesrv_netr_ServerAuthenticate3_helper to perform the actual processing
+ */
+static NTSTATUS dcesrv_netr_ServerAuthenticate3(
+ struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct netr_ServerAuthenticate3 *r)
+{
+ NTSTATUS status;
+ struct dom_sid *sid = NULL;
+ const char *trust_account_for_search = NULL;
+ const char *trust_account_in_db = NULL;
+ struct auth_usersupplied_info ui = {
+ .local_host = dce_call->conn->local_address,
+ .remote_host = dce_call->conn->remote_address,
+ .client = {
+ .account_name = r->in.account_name,
+ .domain_name = lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx),
+ },
+ .service_description = "NETLOGON",
+ .auth_description = "ServerAuthenticate",
+ .netlogon_trust_account = {
+ .computer_name = r->in.computer_name,
+ .negotiate_flags = *r->in.negotiate_flags,
+ .secure_channel_type = r->in.secure_channel_type,
+ },
+ };
+
+ status = dcesrv_netr_ServerAuthenticate3_helper(dce_call,
+ mem_ctx,
+ r,
+ &trust_account_for_search,
+ &trust_account_in_db,
+ &sid);
+ ui.netlogon_trust_account.sid = sid;
+ ui.netlogon_trust_account.account_name = trust_account_in_db;
+ ui.mapped.account_name = trust_account_for_search;
+ log_authentication_event(
+ dce_call->conn->msg_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ NULL,
+ &ui,
+ status,
+ lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx),
+ trust_account_in_db,
+ NULL,
+ sid);
+
+ return status;
+}
static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_ServerAuthenticate *r)
{
* The reason we keep 2 copies is that they use different structures to
* represent the auth_info and the decrpc pipes.
*/
-
-/*
- * If schannel is required for this call test that it actually is available.
- */
-static NTSTATUS schannel_check_required(const struct dcesrv_auth *auth_info,
- const char *computer_name,
- bool integrity, bool privacy)
-{
-
- if (auth_info && auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
- if (!privacy && !integrity) {
- return NT_STATUS_OK;
- }
-
- if ((!privacy && integrity) &&
- auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
- return NT_STATUS_OK;
- }
-
- if ((privacy || integrity) &&
- auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
- return NT_STATUS_OK;
- }
- }
-
- /* test didn't pass */
- DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
- computer_name));
-
- return NT_STATUS_ACCESS_DENIED;
-}
-
static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call,
TALLOC_CTX *mem_ctx,
const char *computer_name,
bool schannel_global_required = (schannel == true);
if (schannel_global_required) {
- nt_status = schannel_check_required(&dce_call->conn->auth_state,
- computer_name,
- true, false);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+
+ dcesrv_call_auth_info(dce_call, &auth_type, NULL);
+
+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+ DBG_ERR("[%s] is not using schannel\n",
+ computer_name);
+ return NT_STATUS_ACCESS_DENIED;
}
}
&creds);
NT_STATUS_NOT_OK_RETURN(nt_status);
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(dce_call->conn->dce_ctx->lp_ctx), 0);
+ sam_ctx = samdb_connect(mem_ctx,
+ dce_call->event_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ system_session(dce_call->conn->dce_ctx->lp_ctx),
+ dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
&creds);
NT_STATUS_NOT_OK_RETURN(nt_status);
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(dce_call->conn->dce_ctx->lp_ctx), 0);
+ sam_ctx = samdb_connect(mem_ctx,
+ dce_call->event_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ system_session(dce_call->conn->dce_ctx->lp_ctx),
+ dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
}
-static NTSTATUS dcesrv_netr_LogonSamLogon_check(const struct netr_LogonSamLogonEx *r)
+static NTSTATUS dcesrv_netr_LogonSamLogon_check(struct dcesrv_call_state *dce_call,
+ const struct netr_LogonSamLogonEx *r)
{
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+
switch (r->in.logon_level) {
case NetlogonInteractiveInformation:
case NetlogonServiceInformation:
return NT_STATUS_INVALID_PARAMETER;
}
+ dcesrv_call_auth_info(dce_call, NULL, &auth_level);
+
+ switch (r->in.validation_level) {
+ case NetlogonValidationSamInfo4: /* 6 */
+ if (auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ break;
+
+ default:
+ break;
+ }
+
return NT_STATUS_OK;
}
+struct dcesrv_netr_LogonSamLogon_base_state {
+ struct dcesrv_call_state *dce_call;
+
+ TALLOC_CTX *mem_ctx;
+
+ struct netlogon_creds_CredentialState *creds;
+
+ struct netr_LogonSamLogonEx r;
+
+ uint32_t _ignored_flags;
+
+ struct {
+ struct netr_LogonSamLogon *lsl;
+ struct netr_LogonSamLogonWithFlags *lslwf;
+ struct netr_LogonSamLogonEx *lslex;
+ } _r;
+
+ struct kdc_check_generic_kerberos kr;
+};
+
+static void dcesrv_netr_LogonSamLogon_base_auth_done(struct tevent_req *subreq);
+static void dcesrv_netr_LogonSamLogon_base_krb5_done(struct tevent_req *subreq);
+static void dcesrv_netr_LogonSamLogon_base_reply(
+ struct dcesrv_netr_LogonSamLogon_base_state *state);
+
/*
netr_LogonSamLogon_base
We can't do the traditional 'wrapping' format completely, as this
function must only run under schannel
*/
-static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct netr_LogonSamLogonEx *r, struct netlogon_creds_CredentialState *creds)
+static NTSTATUS dcesrv_netr_LogonSamLogon_base_call(struct dcesrv_netr_LogonSamLogon_base_state *state)
{
+ struct dcesrv_call_state *dce_call = state->dce_call;
+ TALLOC_CTX *mem_ctx = state->mem_ctx;
+ struct netr_LogonSamLogonEx *r = &state->r;
+ struct netlogon_creds_CredentialState *creds = state->creds;
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
const char *workgroup = lpcfg_workgroup(lp_ctx);
struct auth4_context *auth_context = NULL;
struct auth_usersupplied_info *user_info = NULL;
- struct auth_user_info_dc *user_info_dc = NULL;
NTSTATUS nt_status;
- struct netr_SamInfo2 *sam2 = NULL;
- struct netr_SamInfo3 *sam3 = NULL;
- struct netr_SamInfo6 *sam6 = NULL;
+ struct tevent_req *subreq = NULL;
*r->out.authoritative = 1;
+ if (*r->in.flags & NETLOGON_SAMLOGON_FLAG_PASS_TO_FOREST_ROOT) {
+ /*
+ * Currently we're always the forest root ourself.
+ */
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ if (*r->in.flags & NETLOGON_SAMLOGON_FLAG_PASS_CROSS_FOREST_HOP) {
+ /*
+ * Currently we don't support trusts correctly yet.
+ */
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
user_info = talloc_zero(mem_ctx, struct auth_usersupplied_info);
NT_STATUS_HAVE_NO_MEMORY(user_info);
}
if (strcmp(r->in.logon->generic->package_name.string, "Kerberos") == 0) {
- NTSTATUS status;
struct dcerpc_binding_handle *irpc_handle;
- struct kdc_check_generic_kerberos check;
struct netr_GenericInfo2 *generic = talloc_zero(mem_ctx, struct netr_GenericInfo2);
NT_STATUS_HAVE_NO_MEMORY(generic);
- *r->out.authoritative = 1;
-
- /* TODO: Describe and deal with these flags */
- *r->out.flags = 0;
r->out.validation->generic = generic;
return NT_STATUS_NO_LOGON_SERVERS;
}
- check.in.generic_request =
+ state->kr.in.generic_request =
data_blob_const(r->in.logon->generic->data,
r->in.logon->generic->length);
/*
- * TODO: make this async and avoid
- * dcerpc_binding_handle_set_sync_ev()
+ * 60 seconds should be enough
*/
- dcerpc_binding_handle_set_sync_ev(irpc_handle,
- dce_call->event_ctx);
- status = dcerpc_kdc_check_generic_kerberos_r(irpc_handle,
- mem_ctx,
- &check);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ dcerpc_binding_handle_set_timeout(irpc_handle, 60);
+ subreq = dcerpc_kdc_check_generic_kerberos_r_send(state,
+ state->dce_call->event_ctx,
+ irpc_handle, &state->kr);
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
}
- generic->length = check.out.generic_reply.length;
- generic->data = check.out.generic_reply.data;
+ state->dce_call->state_flags |= DCESRV_CALL_STATE_FLAG_ASYNC;
+ tevent_req_set_callback(subreq,
+ dcesrv_netr_LogonSamLogon_base_krb5_done,
+ state);
return NT_STATUS_OK;
}
return NT_STATUS_INVALID_PARAMETER;
}
- nt_status = auth_check_password(auth_context, mem_ctx, user_info,
- &user_info_dc, r->out.authoritative);
- NT_STATUS_NOT_OK_RETURN(nt_status);
+ subreq = auth_check_password_send(state, state->dce_call->event_ctx,
+ auth_context, user_info);
+ state->dce_call->state_flags |= DCESRV_CALL_STATE_FLAG_ASYNC;
+ tevent_req_set_callback(subreq,
+ dcesrv_netr_LogonSamLogon_base_auth_done,
+ state);
+ return NT_STATUS_OK;
+}
+
+static void dcesrv_netr_LogonSamLogon_base_auth_done(struct tevent_req *subreq)
+{
+ struct dcesrv_netr_LogonSamLogon_base_state *state =
+ tevent_req_callback_data(subreq,
+ struct dcesrv_netr_LogonSamLogon_base_state);
+ TALLOC_CTX *mem_ctx = state->mem_ctx;
+ struct netr_LogonSamLogonEx *r = &state->r;
+ struct auth_user_info_dc *user_info_dc = NULL;
+ struct netr_SamInfo2 *sam2 = NULL;
+ struct netr_SamInfo3 *sam3 = NULL;
+ struct netr_SamInfo6 *sam6 = NULL;
+ NTSTATUS nt_status;
+
+ nt_status = auth_check_password_recv(subreq, mem_ctx,
+ &user_info_dc,
+ r->out.authoritative);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ r->out.result = nt_status;
+ dcesrv_netr_LogonSamLogon_base_reply(state);
+ return;
+ }
switch (r->in.validation_level) {
case 2:
nt_status = auth_convert_user_info_dc_saminfo2(mem_ctx,
user_info_dc,
&sam2);
- NT_STATUS_NOT_OK_RETURN(nt_status);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ r->out.result = nt_status;
+ dcesrv_netr_LogonSamLogon_base_reply(state);
+ return;
+ }
r->out.validation->sam2 = sam2;
break;
nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx,
user_info_dc,
&sam3);
- NT_STATUS_NOT_OK_RETURN(nt_status);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ r->out.result = nt_status;
+ dcesrv_netr_LogonSamLogon_base_reply(state);
+ return;
+ }
r->out.validation->sam3 = sam3;
break;
case 6:
- if (dce_call->conn->auth_state.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
nt_status = auth_convert_user_info_dc_saminfo6(mem_ctx,
user_info_dc,
&sam6);
- NT_STATUS_NOT_OK_RETURN(nt_status);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ r->out.result = nt_status;
+ dcesrv_netr_LogonSamLogon_base_reply(state);
+ return;
+ }
r->out.validation->sam6 = sam6;
break;
default:
- return NT_STATUS_INVALID_INFO_CLASS;
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ r->out.result = NT_STATUS_INVALID_INFO_CLASS;
+ dcesrv_netr_LogonSamLogon_base_reply(state);
+ return;
+ }
}
- netlogon_creds_encrypt_samlogon_validation(creds,
- r->in.validation_level,
- r->out.validation);
+ /* TODO: Describe and deal with these flags */
+ *r->out.flags = 0;
+
+ r->out.result = NT_STATUS_OK;
+
+ dcesrv_netr_LogonSamLogon_base_reply(state);
+}
+
+static void dcesrv_netr_LogonSamLogon_base_krb5_done(struct tevent_req *subreq)
+{
+ struct dcesrv_netr_LogonSamLogon_base_state *state =
+ tevent_req_callback_data(subreq,
+ struct dcesrv_netr_LogonSamLogon_base_state);
+ TALLOC_CTX *mem_ctx = state->mem_ctx;
+ struct netr_LogonSamLogonEx *r = &state->r;
+ struct netr_GenericInfo2 *generic = NULL;
+ NTSTATUS status;
+
+ status = dcerpc_kdc_check_generic_kerberos_r_recv(subreq, mem_ctx);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ r->out.result = status;
+ dcesrv_netr_LogonSamLogon_base_reply(state);
+ return;
+ }
+
+ generic = r->out.validation->generic;
+ generic->length = state->kr.out.generic_reply.length;
+ generic->data = state->kr.out.generic_reply.data;
/* TODO: Describe and deal with these flags */
*r->out.flags = 0;
- return NT_STATUS_OK;
+ r->out.result = NT_STATUS_OK;
+
+ dcesrv_netr_LogonSamLogon_base_reply(state);
+}
+
+static void dcesrv_netr_LogonSamLogon_base_reply(
+ struct dcesrv_netr_LogonSamLogon_base_state *state)
+{
+ struct netr_LogonSamLogonEx *r = &state->r;
+ NTSTATUS status;
+
+ if (NT_STATUS_IS_OK(r->out.result)) {
+ netlogon_creds_encrypt_samlogon_validation(state->creds,
+ r->in.validation_level,
+ r->out.validation);
+ }
+
+ if (state->_r.lslex != NULL) {
+ struct netr_LogonSamLogonEx *_r = state->_r.lslex;
+ _r->out.result = r->out.result;
+ } else if (state->_r.lslwf != NULL) {
+ struct netr_LogonSamLogonWithFlags *_r = state->_r.lslwf;
+ _r->out.result = r->out.result;
+ } else if (state->_r.lsl != NULL) {
+ struct netr_LogonSamLogon *_r = state->_r.lsl;
+ _r->out.result = r->out.result;
+ }
+
+ status = dcesrv_reply(state->dce_call);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("dcesrv_reply() failed - %s\n",
+ nt_errstr(status));
+ }
}
static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_LogonSamLogonEx *r)
{
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ struct dcesrv_netr_LogonSamLogon_base_state *state;
NTSTATUS nt_status;
- struct netlogon_creds_CredentialState *creds;
*r->out.authoritative = 1;
- nt_status = dcesrv_netr_LogonSamLogon_check(r);
+ state = talloc_zero(mem_ctx, struct dcesrv_netr_LogonSamLogon_base_state);
+ if (state == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ state->dce_call = dce_call;
+ state->mem_ctx = mem_ctx;
+
+ state->r.in.server_name = r->in.server_name;
+ state->r.in.computer_name = r->in.computer_name;
+ state->r.in.logon_level = r->in.logon_level;
+ state->r.in.logon = r->in.logon;
+ state->r.in.validation_level = r->in.validation_level;
+ state->r.in.flags = r->in.flags;
+ state->r.out.validation = r->out.validation;
+ state->r.out.authoritative = r->out.authoritative;
+ state->r.out.flags = r->out.flags;
+
+ state->_r.lslex = r;
+
+ nt_status = dcesrv_netr_LogonSamLogon_check(dce_call, &state->r);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
nt_status = schannel_get_creds_state(mem_ctx,
dce_call->conn->dce_ctx->lp_ctx,
- r->in.computer_name, &creds);
+ r->in.computer_name, &state->creds);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
- if (dce_call->conn->auth_state.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+ dcesrv_call_auth_info(dce_call, &auth_type, NULL);
+
+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
return NT_STATUS_ACCESS_DENIED;
}
- return dcesrv_netr_LogonSamLogon_base(dce_call, mem_ctx, r, creds);
+
+ nt_status = dcesrv_netr_LogonSamLogon_base_call(state);
+
+ if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {
+ return nt_status;
+ }
+
+ return nt_status;
}
/*
static NTSTATUS dcesrv_netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_LogonSamLogonWithFlags *r)
{
+ struct dcesrv_netr_LogonSamLogon_base_state *state;
NTSTATUS nt_status;
- struct netlogon_creds_CredentialState *creds;
- struct netr_LogonSamLogonEx r2;
- struct netr_Authenticator *return_authenticator;
+ *r->out.authoritative = 1;
- ZERO_STRUCT(r2);
+ state = talloc_zero(mem_ctx, struct dcesrv_netr_LogonSamLogon_base_state);
+ if (state == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
- r2.in.server_name = r->in.server_name;
- r2.in.computer_name = r->in.computer_name;
- r2.in.logon_level = r->in.logon_level;
- r2.in.logon = r->in.logon;
- r2.in.validation_level = r->in.validation_level;
- r2.in.flags = r->in.flags;
- r2.out.validation = r->out.validation;
- r2.out.authoritative = r->out.authoritative;
- r2.out.flags = r->out.flags;
+ state->dce_call = dce_call;
+ state->mem_ctx = mem_ctx;
- *r->out.authoritative = 1;
+ state->r.in.server_name = r->in.server_name;
+ state->r.in.computer_name = r->in.computer_name;
+ state->r.in.logon_level = r->in.logon_level;
+ state->r.in.logon = r->in.logon;
+ state->r.in.validation_level = r->in.validation_level;
+ state->r.in.flags = r->in.flags;
+ state->r.out.validation = r->out.validation;
+ state->r.out.authoritative = r->out.authoritative;
+ state->r.out.flags = r->out.flags;
+
+ state->_r.lslwf = r;
- nt_status = dcesrv_netr_LogonSamLogon_check(&r2);
+ nt_status = dcesrv_netr_LogonSamLogon_check(dce_call, &state->r);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
- return_authenticator = talloc(mem_ctx, struct netr_Authenticator);
- NT_STATUS_HAVE_NO_MEMORY(return_authenticator);
+ r->out.return_authenticator = talloc_zero(mem_ctx,
+ struct netr_Authenticator);
+ if (r->out.return_authenticator == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
nt_status = dcesrv_netr_creds_server_step_check(dce_call,
mem_ctx,
r->in.computer_name,
- r->in.credential, return_authenticator,
- &creds);
- NT_STATUS_NOT_OK_RETURN(nt_status);
+ r->in.credential,
+ r->out.return_authenticator,
+ &state->creds);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
- nt_status = dcesrv_netr_LogonSamLogon_base(dce_call, mem_ctx, &r2, creds);
+ nt_status = dcesrv_netr_LogonSamLogon_base_call(state);
- r->out.return_authenticator = return_authenticator;
+ if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {
+ return nt_status;
+ }
return nt_status;
}
static NTSTATUS dcesrv_netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_LogonSamLogon *r)
{
- struct netr_LogonSamLogonWithFlags r2;
- uint32_t flags = 0;
- NTSTATUS status;
+ struct dcesrv_netr_LogonSamLogon_base_state *state;
+ NTSTATUS nt_status;
- ZERO_STRUCT(r2);
+ *r->out.authoritative = 1;
- r2.in.server_name = r->in.server_name;
- r2.in.computer_name = r->in.computer_name;
- r2.in.credential = r->in.credential;
- r2.in.return_authenticator = r->in.return_authenticator;
- r2.in.logon_level = r->in.logon_level;
- r2.in.logon = r->in.logon;
- r2.in.validation_level = r->in.validation_level;
- r2.in.flags = &flags;
- r2.out.validation = r->out.validation;
- r2.out.authoritative = r->out.authoritative;
- r2.out.flags = &flags;
-
- status = dcesrv_netr_LogonSamLogonWithFlags(dce_call, mem_ctx, &r2);
+ state = talloc_zero(mem_ctx, struct dcesrv_netr_LogonSamLogon_base_state);
+ if (state == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
- r->out.return_authenticator = r2.out.return_authenticator;
+ state->dce_call = dce_call;
+ state->mem_ctx = mem_ctx;
- return status;
+ state->r.in.server_name = r->in.server_name;
+ state->r.in.computer_name = r->in.computer_name;
+ state->r.in.logon_level = r->in.logon_level;
+ state->r.in.logon = r->in.logon;
+ state->r.in.validation_level = r->in.validation_level;
+ state->r.in.flags = &state->_ignored_flags;
+ state->r.out.validation = r->out.validation;
+ state->r.out.authoritative = r->out.authoritative;
+ state->r.out.flags = &state->_ignored_flags;
+
+ state->_r.lsl = r;
+
+ nt_status = dcesrv_netr_LogonSamLogon_check(dce_call, &state->r);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ r->out.return_authenticator = talloc_zero(mem_ctx,
+ struct netr_Authenticator);
+ if (r->out.return_authenticator == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ nt_status = dcesrv_netr_creds_server_step_check(dce_call,
+ mem_ctx,
+ r->in.computer_name,
+ r->in.credential,
+ r->out.return_authenticator,
+ &state->creds);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ nt_status = dcesrv_netr_LogonSamLogon_base_call(state);
+
+ if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {
+ return nt_status;
+ }
+
+ return nt_status;
}
static WERROR dcesrv_netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_GetDcName *r)
{
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
const char * const attrs[] = { NULL };
struct ldb_context *sam_ctx;
struct ldb_message **res;
*/
}
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
+ sam_ctx = samdb_connect(mem_ctx,
+ dce_call->event_ctx,
dce_call->conn->dce_ctx->lp_ctx,
- dce_call->conn->auth_state.session_info, 0);
+ session_info,
+ dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return WERR_DS_UNAVAILABLE;
}
static WERROR dcesrv_netr_LogonControl_base_call(struct dcesrv_netr_LogonControl_base_state *state)
{
- struct dcesrv_connection *conn = state->dce_call->conn;
struct loadparm_context *lp_ctx = state->dce_call->conn->dce_ctx->lp_ctx;
- struct auth_session_info *session_info = conn->auth_state.session_info;
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(state->dce_call);
enum security_user_level security_level;
struct dcerpc_binding_handle *irpc_handle;
struct tevent_req *subreq;
if (!ok) {
struct ldb_context *sam_ctx;
- sam_ctx = samdb_connect(state, state->dce_call->event_ctx,
- lp_ctx, system_session(lp_ctx), 0);
+ sam_ctx = samdb_connect(
+ state,
+ state->dce_call->event_ctx,
+ lp_ctx,
+ system_session(lp_ctx),
+ state->dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return WERR_DS_UNAVAILABLE;
}
static WERROR dcesrv_netr_GetAnyDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_GetAnyDCName *r)
{
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
struct netr_DomainTrustList *trusts;
struct ldb_context *sam_ctx;
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
r->in.domainname = lpcfg_workgroup(lp_ctx);
}
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info, 0);
+ sam_ctx = samdb_connect(mem_ctx,
+ dce_call->event_ctx,
+ lp_ctx,
+ session_info,
+ dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return WERR_DS_UNAVAILABLE;
}
static WERROR dcesrv_netr_DsRGetSiteName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_DsRGetSiteName *r)
{
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
struct ldb_context *sam_ctx;
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info, 0);
+ sam_ctx = samdb_connect(mem_ctx,
+ dce_call->event_ctx,
+ lp_ctx,
+ session_info,
+ dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return WERR_DS_UNAVAILABLE;
}
/*
- fill in a netr_OneDomainInfo from a ldb search result
+ fill in a netr_OneDomainInfo from our own domain/forest
*/
-static NTSTATUS fill_one_domain_info(TALLOC_CTX *mem_ctx,
- struct loadparm_context *lp_ctx,
- struct ldb_context *sam_ctx,
- struct ldb_message *res,
- struct netr_OneDomainInfo *info,
- bool is_local, bool is_trust_list)
+static NTSTATUS fill_our_one_domain_info(TALLOC_CTX *mem_ctx,
+ const struct lsa_TrustDomainInfoInfoEx *our_tdo,
+ struct GUID domain_guid,
+ struct netr_OneDomainInfo *info,
+ bool is_trust_list)
{
ZERO_STRUCTP(info);
if (is_trust_list) {
+ struct netr_trust_extension *tei = NULL;
+
/* w2k8 only fills this on trusted domains */
- info->trust_extension.info = talloc_zero(mem_ctx, struct netr_trust_extension);
- info->trust_extension.length = 16;
- info->trust_extension.info->flags =
- NETR_TRUST_FLAG_TREEROOT |
- NETR_TRUST_FLAG_IN_FOREST |
- NETR_TRUST_FLAG_PRIMARY |
- NETR_TRUST_FLAG_NATIVE;
+ tei = talloc_zero(mem_ctx, struct netr_trust_extension);
+ if (tei == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ tei->flags |= NETR_TRUST_FLAG_PRIMARY;
+
+ /*
+ * We're always within a native forest
+ */
+ tei->flags |= NETR_TRUST_FLAG_IN_FOREST;
+ tei->flags |= NETR_TRUST_FLAG_NATIVE;
+
+ /* For now we assume we're always the tree root */
+ tei->flags |= NETR_TRUST_FLAG_TREEROOT;
+ tei->parent_index = 0;
+
+ tei->trust_type = our_tdo->trust_type;
+ /*
+ * This needs to be 0 instead of our_tdo->trust_attributes
+ * It means LSA_TRUST_ATTRIBUTE_WITHIN_FOREST won't
+ * be set, while NETR_TRUST_FLAG_IN_FOREST is set above.
+ */
+ tei->trust_attributes = 0;
- info->trust_extension.info->parent_index = 0; /* should be index into array
- of parent */
- info->trust_extension.info->trust_type = LSA_TRUST_TYPE_UPLEVEL; /* should be based on ldb search for trusts */
- info->trust_extension.info->trust_attributes = 0; /* TODO: base on ldb search? */
+ info->trust_extension.info = tei;
+ info->trust_extension.length = 16;
}
if (is_trust_list) {
+ info->dns_domainname.string = our_tdo->domain_name.string;
+
/* MS-NRPC 3.5.4.3.9 - must be set to NULL for trust list */
info->dns_forestname.string = NULL;
} else {
- info->dns_forestname.string = samdb_forest_name(sam_ctx, mem_ctx);
- NT_STATUS_HAVE_NO_MEMORY(info->dns_forestname.string);
- info->dns_forestname.string = talloc_asprintf(mem_ctx, "%s.", info->dns_forestname.string);
- NT_STATUS_HAVE_NO_MEMORY(info->dns_forestname.string);
+ info->dns_domainname.string = talloc_asprintf(mem_ctx, "%s.",
+ our_tdo->domain_name.string);
+ if (info->dns_domainname.string == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ info->dns_forestname.string = info->dns_domainname.string;
}
- if (is_local) {
- info->domainname.string = lpcfg_workgroup(lp_ctx);
- info->dns_domainname.string = lpcfg_dnsdomain(lp_ctx);
- info->domain_guid = samdb_result_guid(res, "objectGUID");
- info->domain_sid = samdb_result_dom_sid(mem_ctx, res, "objectSid");
- } else {
- info->domainname.string = ldb_msg_find_attr_as_string(res, "flatName", NULL);
- info->dns_domainname.string = ldb_msg_find_attr_as_string(res, "trustPartner", NULL);
- info->domain_guid = samdb_result_guid(res, "objectGUID");
- info->domain_sid = samdb_result_dom_sid(mem_ctx, res, "securityIdentifier");
+ info->domainname.string = our_tdo->netbios_name.string;
+ info->domain_sid = our_tdo->sid;
+ info->domain_guid = domain_guid;
+
+ return NT_STATUS_OK;
+}
+
+/*
+ fill in a netr_OneDomainInfo from a trust tdo
+*/
+static NTSTATUS fill_trust_one_domain_info(TALLOC_CTX *mem_ctx,
+ struct GUID domain_guid,
+ const struct lsa_TrustDomainInfoInfoEx *tdo,
+ struct netr_OneDomainInfo *info)
+{
+ struct netr_trust_extension *tei = NULL;
+
+ ZERO_STRUCTP(info);
+
+ /* w2k8 only fills this on trusted domains */
+ tei = talloc_zero(mem_ctx, struct netr_trust_extension);
+ if (tei == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (tdo->trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
+ tei->flags |= NETR_TRUST_FLAG_INBOUND;
+ }
+ if (tdo->trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
+ tei->flags |= NETR_TRUST_FLAG_OUTBOUND;
}
- if (!is_trust_list) {
- info->dns_domainname.string = talloc_asprintf(mem_ctx, "%s.", info->dns_domainname.string);
+ if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
+ tei->flags |= NETR_TRUST_FLAG_IN_FOREST;
}
+ /*
+ * TODO: once we support multiple domains within our forest,
+ * we need to fill this correct (or let the caller do it
+ * for all domains marked with NETR_TRUST_FLAG_IN_FOREST).
+ */
+ tei->parent_index = 0;
+
+ tei->trust_type = tdo->trust_type;
+ tei->trust_attributes = tdo->trust_attributes;
+
+ info->trust_extension.info = tei;
+ info->trust_extension.length = 16;
+
+ info->domainname.string = tdo->netbios_name.string;
+ if (tdo->trust_type != LSA_TRUST_TYPE_DOWNLEVEL) {
+ info->dns_domainname.string = tdo->domain_name.string;
+ } else {
+ info->dns_domainname.string = NULL;
+ }
+ info->domain_sid = tdo->sid;
+ info->domain_guid = domain_guid;
+
+ /* MS-NRPC 3.5.4.3.9 - must be set to NULL for trust list */
+ info->dns_forestname.string = NULL;
+
return NT_STATUS_OK;
}
TALLOC_CTX *mem_ctx, struct netr_LogonGetDomainInfo *r)
{
struct netlogon_creds_CredentialState *creds;
- const char * const attrs[] = { "objectSid", "objectGUID", "flatName",
- "securityIdentifier", "trustPartner", NULL };
+ const char * const trusts_attrs[] = {
+ "securityIdentifier",
+ "flatName",
+ "trustPartner",
+ "trustAttributes",
+ "trustDirection",
+ "trustType",
+ NULL
+ };
const char * const attrs2[] = { "sAMAccountName", "dNSHostName",
"msDS-SupportedEncryptionTypes", NULL };
const char *sam_account_name, *old_dns_hostname, *prefix1, *prefix2;
struct ldb_context *sam_ctx;
- struct ldb_message **res1, **res2, **res3, *new_msg;
+ const struct GUID *our_domain_guid = NULL;
+ struct lsa_TrustDomainInfoInfoEx *our_tdo = NULL;
+ struct ldb_message **res1, *new_msg;
+ struct ldb_result *trusts_res = NULL;
struct ldb_dn *workstation_dn;
struct netr_DomainInformation *domain_info;
struct netr_LsaPolicyInformation *lsa_policy_info;
uint32_t default_supported_enc_types = 0xFFFFFFFF;
bool update_dns_hostname = true;
- int ret, ret3, i;
+ int ret, i;
NTSTATUS status;
status = dcesrv_netr_creds_server_step_check(dce_call,
r->out.return_authenticator,
&creds);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,(__location__ " Bad credentials - error\n"));
+ char* local = NULL;
+ char* remote = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+ remote = tsocket_address_string(dce_call->conn->remote_address,
+ frame);
+ local = tsocket_address_string(dce_call->conn->local_address,
+ frame);
+ DBG_ERR(("Bad credentials - "
+ "computer[%s] remote[%s] local[%s]\n"),
+ log_escape(frame, r->in.computer_name),
+ remote,
+ local);
+ talloc_free(frame);
}
NT_STATUS_NOT_OK_RETURN(status);
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
+ sam_ctx = samdb_connect(mem_ctx,
+ dce_call->event_ctx,
dce_call->conn->dce_ctx->lp_ctx,
- system_session(dce_call->conn->dce_ctx->lp_ctx), 0);
+ system_session(dce_call->conn->dce_ctx->lp_ctx),
+ dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
/* Writes back the domain information */
- /* We need to do two searches. The first will pull our primary
- domain and the second will pull any trusted domains. Our
- primary domain is also a "trusted" domain, so we need to
- put the primary domain into the lists of returned trusts as
- well. */
- ret = gendb_search_dn(sam_ctx, mem_ctx, ldb_get_default_basedn(sam_ctx),
- &res2, attrs);
- if (ret != 1) {
+ our_domain_guid = samdb_domain_guid(sam_ctx);
+ if (our_domain_guid == NULL) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
- ret3 = gendb_search(sam_ctx, mem_ctx, NULL, &res3, attrs,
- "(objectClass=trustedDomain)");
- if (ret3 == -1) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ status = dsdb_trust_local_tdo_info(mem_ctx, sam_ctx, &our_tdo);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = dsdb_trust_search_tdos(sam_ctx,
+ NULL, /* exclude */
+ trusts_attrs,
+ mem_ctx,
+ &trusts_res);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
domain_info = talloc(mem_ctx, struct netr_DomainInformation);
/* Informations about the local and trusted domains */
- status = fill_one_domain_info(mem_ctx,
- dce_call->conn->dce_ctx->lp_ctx,
- sam_ctx, res2[0], &domain_info->primary_domain,
- true, false);
- NT_STATUS_NOT_OK_RETURN(status);
+ status = fill_our_one_domain_info(mem_ctx,
+ our_tdo,
+ *our_domain_guid,
+ &domain_info->primary_domain,
+ false);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- domain_info->trusted_domain_count = ret3 + 1;
- domain_info->trusted_domains = talloc_array(mem_ctx,
+ domain_info->trusted_domain_count = trusts_res->count + 1;
+ domain_info->trusted_domains = talloc_zero_array(mem_ctx,
struct netr_OneDomainInfo,
domain_info->trusted_domain_count);
NT_STATUS_HAVE_NO_MEMORY(domain_info->trusted_domains);
- for (i=0;i<ret3;i++) {
- status = fill_one_domain_info(mem_ctx,
- dce_call->conn->dce_ctx->lp_ctx,
- sam_ctx, res3[i],
- &domain_info->trusted_domains[i],
- false, true);
- NT_STATUS_NOT_OK_RETURN(status);
+ for (i=0; i < trusts_res->count; i++) {
+ struct netr_OneDomainInfo *o =
+ &domain_info->trusted_domains[i];
+ /* we can't know the guid of trusts outside our forest */
+ struct GUID trust_domain_guid = GUID_zero();
+ struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
+
+ status = dsdb_trust_parse_tdo_info(mem_ctx,
+ trusts_res->msgs[i],
+ &tdo);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = fill_trust_one_domain_info(mem_ctx,
+ trust_domain_guid,
+ tdo,
+ o);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
}
- status = fill_one_domain_info(mem_ctx,
- dce_call->conn->dce_ctx->lp_ctx, sam_ctx, res2[0],
- &domain_info->trusted_domains[i], true, true);
- NT_STATUS_NOT_OK_RETURN(status);
+ status = fill_our_one_domain_info(mem_ctx,
+ our_tdo,
+ *our_domain_guid,
+ &domain_info->trusted_domains[i],
+ true);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
/* Sets the supported encryption types */
domain_info->supported_enc_types = ldb_msg_find_attr_as_uint(res1[0],
DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
}
-/*
- see if any SIDs in list1 are in list2
- */
-static bool sid_list_match(const struct dom_sid **list1, const struct dom_sid **list2)
-{
- unsigned int i, j;
- /* do we ever have enough SIDs here to worry about O(n^2) ? */
- for (i=0; list1[i]; i++) {
- for (j=0; list2[j]; j++) {
- if (dom_sid_equal(list1[i], list2[j])) {
- return true;
- }
- }
- }
- return false;
-}
-
-/*
- return an array of SIDs from a ldb_message given an attribute name
- assumes the SIDs are in extended DN format
- */
-static WERROR samdb_result_sid_array_dn(struct ldb_context *sam_ctx,
- struct ldb_message *msg,
- TALLOC_CTX *mem_ctx,
- const char *attr,
- const struct dom_sid ***sids)
-{
- struct ldb_message_element *el;
- unsigned int i;
-
- el = ldb_msg_find_element(msg, attr);
- if (!el) {
- *sids = NULL;
- return WERR_OK;
- }
-
- (*sids) = talloc_array(mem_ctx, const struct dom_sid *, el->num_values + 1);
- W_ERROR_HAVE_NO_MEMORY(*sids);
-
- for (i=0; i<el->num_values; i++) {
- struct ldb_dn *dn = ldb_dn_from_ldb_val(mem_ctx, sam_ctx, &el->values[i]);
- NTSTATUS status;
- struct dom_sid *sid;
-
- sid = talloc(*sids, struct dom_sid);
- W_ERROR_HAVE_NO_MEMORY(sid);
- status = dsdb_get_extended_dn_sid(dn, sid, "SID");
- if (!NT_STATUS_IS_OK(status)) {
- return WERR_INTERNAL_DB_CORRUPTION;
- }
- (*sids)[i] = sid;
- }
- (*sids)[i] = NULL;
-
- return WERR_OK;
-}
-
-
-/*
- * Return an array of SIDs from a ldb_message given an attribute name assumes
- * the SIDs are in NDR form (with additional sids applied on the end).
- */
-static WERROR samdb_result_sid_array_ndr(struct ldb_context *sam_ctx,
- struct ldb_message *msg,
- TALLOC_CTX *mem_ctx,
- const char *attr,
- const struct dom_sid ***sids,
- const struct dom_sid **additional_sids,
- unsigned int num_additional)
-{
- struct ldb_message_element *el;
- unsigned int i, j;
-
- el = ldb_msg_find_element(msg, attr);
- if (!el) {
- *sids = NULL;
- return WERR_OK;
- }
-
- /* Make array long enough for NULL and additional SID */
- (*sids) = talloc_array(mem_ctx, const struct dom_sid *,
- el->num_values + num_additional + 1);
- W_ERROR_HAVE_NO_MEMORY(*sids);
-
- for (i=0; i<el->num_values; i++) {
- enum ndr_err_code ndr_err;
- struct dom_sid *sid;
-
- sid = talloc(*sids, struct dom_sid);
- W_ERROR_HAVE_NO_MEMORY(sid);
-
- ndr_err = ndr_pull_struct_blob(&el->values[i], sid, sid,
- (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- return WERR_INTERNAL_DB_CORRUPTION;
- }
- (*sids)[i] = sid;
- }
-
- for (j = 0; j < num_additional; j++) {
- (*sids)[i++] = additional_sids[j];
- }
-
- (*sids)[i] = NULL;
-
- return WERR_OK;
-}
-
static bool sam_rodc_access_check(struct ldb_context *sam_ctx,
TALLOC_CTX *mem_ctx,
struct dom_sid *user_sid,
return NT_STATUS_INVALID_PARAMETER;
}
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
+ sam_ctx = samdb_connect(mem_ctx,
+ dce_call->event_ctx,
dce_call->conn->dce_ctx->lp_ctx,
- system_session(dce_call->conn->dce_ctx->lp_ctx), 0);
+ system_session(dce_call->conn->dce_ctx->lp_ctx),
+ dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
return NT_STATUS_OK;
}
+struct dcesrv_netr_DsRGetDCName_base_state {
+ struct dcesrv_call_state *dce_call;
+ TALLOC_CTX *mem_ctx;
-/*
- netr_DsRGetDCNameEx2
-*/
-static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call,
- TALLOC_CTX *mem_ctx,
- struct netr_DsRGetDCNameEx2 *r)
+ struct netr_DsRGetDCNameEx2 r;
+ const char *client_site;
+
+ struct {
+ struct netr_DsRGetDCName *dc;
+ struct netr_DsRGetDCNameEx *dcex;
+ struct netr_DsRGetDCNameEx2 *dcex2;
+ } _r;
+};
+
+static void dcesrv_netr_DsRGetDCName_base_done(struct tevent_req *subreq);
+
+static WERROR dcesrv_netr_DsRGetDCName_base_call(struct dcesrv_netr_DsRGetDCName_base_state *state)
{
+ struct dcesrv_call_state *dce_call = state->dce_call;
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
+ TALLOC_CTX *mem_ctx = state->mem_ctx;
+ struct netr_DsRGetDCNameEx2 *r = &state->r;
struct ldb_context *sam_ctx;
struct netr_DsRGetDCNameInfo *info;
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
const char *dc_name = NULL;
const char *domain_name = NULL;
const char *pdc_ip;
+ bool different_domain = true;
ZERO_STRUCTP(r->out.info);
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info, 0);
+ sam_ctx = samdb_connect(state,
+ dce_call->event_ctx,
+ lp_ctx,
+ session_info,
+ dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return WERR_DS_UNAVAILABLE;
}
local_address = dcesrv_connection_get_local_address(dce_call->conn);
if (tsocket_address_is_inet(local_address, "ip")) {
- local_addr = tsocket_address_inet_addr_string(local_address, mem_ctx);
+ local_addr = tsocket_address_inet_addr_string(local_address, state);
W_ERROR_HAVE_NO_MEMORY(local_addr);
}
remote_address = dcesrv_connection_get_remote_address(dce_call->conn);
if (tsocket_address_is_inet(remote_address, "ip")) {
- remote_addr = tsocket_address_inet_addr_string(remote_address, mem_ctx);
+ remote_addr = tsocket_address_inet_addr_string(remote_address, state);
W_ERROR_HAVE_NO_MEMORY(remote_addr);
}
return WERR_INVALID_FLAGS;
}
+ /*
+ * If we send an all-zero GUID, we should ignore it as winbind actually
+ * checks it with a DNS query. Windows also appears to ignore it.
+ */
+ if (r->in.domain_guid != NULL && GUID_all_zero(r->in.domain_guid)) {
+ r->in.domain_guid = NULL;
+ }
+
+ /* Attempt winbind search only if we suspect the domain is incorrect */
+ if (r->in.domain_name != NULL && strcmp("", r->in.domain_name) != 0) {
+ if (r->in.flags & DS_IS_FLAT_NAME) {
+ if (strcasecmp_m(r->in.domain_name,
+ lpcfg_sam_name(lp_ctx)) == 0) {
+ different_domain = false;
+ }
+ } else if (r->in.flags & DS_IS_DNS_NAME) {
+ if (strcasecmp_m(r->in.domain_name,
+ lpcfg_dnsdomain(lp_ctx)) == 0) {
+ different_domain = false;
+ }
+ } else {
+ if (strcasecmp_m(r->in.domain_name,
+ lpcfg_sam_name(lp_ctx)) == 0 ||
+ strcasecmp_m(r->in.domain_name,
+ lpcfg_dnsdomain(lp_ctx)) == 0) {
+ different_domain = false;
+ }
+ }
+ } else {
+ /*
+ * We need to be able to handle empty domain names, where we
+ * revert to our domain by default.
+ */
+ different_domain = false;
+ }
+
/* Proof server site parameter "site_name" if it was specified */
- server_site_name = samdb_server_site_name(sam_ctx, mem_ctx);
+ server_site_name = samdb_server_site_name(sam_ctx, state);
W_ERROR_HAVE_NO_MEMORY(server_site_name);
- if ((r->in.site_name != NULL) && (strcasecmp(r->in.site_name,
- server_site_name) != 0)) {
- return WERR_NO_SUCH_DOMAIN;
+ if (different_domain || (r->in.site_name != NULL &&
+ (strcasecmp_m(r->in.site_name,
+ server_site_name) != 0))) {
+
+ struct dcerpc_binding_handle *irpc_handle = NULL;
+ struct tevent_req *subreq = NULL;
+
+ /*
+ * Retrieve the client site to override the winbind response.
+ *
+ * DO NOT use Windows fallback for client site.
+ * In the case of multiple domains, this is plainly wrong.
+ *
+ * Note: It's possible that the client may belong to multiple
+ * subnets across domains. It's not clear what this would mean,
+ * but here we only return what this domain knows.
+ */
+ state->client_site = samdb_client_site_name(sam_ctx,
+ state,
+ remote_addr,
+ NULL,
+ false);
+
+ irpc_handle = irpc_binding_handle_by_name(state,
+ dce_call->msg_ctx,
+ "winbind_server",
+ &ndr_table_winbind);
+ if (irpc_handle == NULL) {
+ DEBUG(0,("Failed to get binding_handle for "
+ "winbind_server task\n"));
+ dce_call->fault_code = DCERPC_FAULT_CANT_PERFORM;
+ return WERR_SERVICE_NOT_FOUND;
+ }
+
+ dcerpc_binding_handle_set_timeout(irpc_handle, 60);
+
+ dce_call->state_flags |= DCESRV_CALL_STATE_FLAG_ASYNC;
+
+ subreq = dcerpc_wbint_DsGetDcName_send(state,
+ dce_call->event_ctx,
+ irpc_handle,
+ r->in.domain_name,
+ r->in.domain_guid,
+ r->in.site_name,
+ r->in.flags,
+ r->out.info);
+ if (subreq == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ tevent_req_set_callback(subreq,
+ dcesrv_netr_DsRGetDCName_base_done,
+ state);
+
+ return WERR_OK;
}
guid_str = r->in.domain_guid != NULL ?
- GUID_string(mem_ctx, r->in.domain_guid) : NULL;
+ GUID_string(state, r->in.domain_guid) : NULL;
status = fill_netlogon_samlogon_response(sam_ctx, mem_ctx,
r->in.domain_name,
return WERR_OK;
}
+static void dcesrv_netr_DsRGetDCName_base_done(struct tevent_req *subreq)
+{
+ struct dcesrv_netr_DsRGetDCName_base_state *state =
+ tevent_req_callback_data(subreq,
+ struct dcesrv_netr_DsRGetDCName_base_state);
+ struct dcesrv_call_state *dce_call = state->dce_call;
+ NTSTATUS result, status;
+
+ status = dcerpc_wbint_DsGetDcName_recv(subreq,
+ state->mem_ctx,
+ &result);
+ TALLOC_FREE(subreq);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT)) {
+ state->r.out.result = WERR_TIMEOUT;
+ goto finished;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR(__location__ ": IRPC callback failed %s\n",
+ nt_errstr(status));
+ state->r.out.result = WERR_GEN_FAILURE;
+ goto finished;
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DBG_NOTICE("DC location via winbind failed - %s\n",
+ nt_errstr(result));
+ state->r.out.result = WERR_NO_SUCH_DOMAIN;
+ goto finished;
+ }
+
+ if (state->r.out.info == NULL || state->r.out.info[0] == NULL) {
+ DBG_ERR("DC location via winbind returned no results\n");
+ state->r.out.result = WERR_GEN_FAILURE;
+ goto finished;
+ }
+
+ if (state->r.out.info[0]->dc_unc == NULL) {
+ DBG_ERR("DC location via winbind returned no DC unc\n");
+ state->r.out.result = WERR_GEN_FAILURE;
+ goto finished;
+ }
+
+ /*
+ * Either the supplied site name is NULL (possibly via
+ * TRY_NEXT_CLOSEST_SITE) or the resulting site name matches
+ * the input match name.
+ *
+ * TODO: Currently this means that requests with NETBIOS domain
+ * names can fail because they do not return the site name.
+ */
+ if (state->r.in.site_name == NULL ||
+ strcasecmp_m("", state->r.in.site_name) == 0 ||
+ (state->r.out.info[0]->dc_site_name != NULL &&
+ strcasecmp_m(state->r.out.info[0]->dc_site_name,
+ state->r.in.site_name) == 0)) {
+
+ state->r.out.info[0]->client_site_name =
+ talloc_move(state->mem_ctx, &state->client_site);
+
+ /*
+ * Make sure to return our DC UNC with // prefix.
+ * Winbind currently doesn't send the leading slashes
+ * for some reason.
+ */
+ if (strlen(state->r.out.info[0]->dc_unc) > 2 &&
+ strncmp("\\\\", state->r.out.info[0]->dc_unc, 2) != 0) {
+ const char *dc_unc = NULL;
+
+ dc_unc = talloc_asprintf(state->mem_ctx,
+ "\\\\%s",
+ state->r.out.info[0]->dc_unc);
+ state->r.out.info[0]->dc_unc = dc_unc;
+ }
+
+ state->r.out.result = WERR_OK;
+ } else {
+ state->r.out.info = NULL;
+ state->r.out.result = WERR_NO_SUCH_DOMAIN;
+ }
+
+finished:
+ if (state->_r.dcex2 != NULL) {
+ struct netr_DsRGetDCNameEx2 *r = state->_r.dcex2;
+ r->out.result = state->r.out.result;
+ } else if (state->_r.dcex != NULL) {
+ struct netr_DsRGetDCNameEx *r = state->_r.dcex;
+ r->out.result = state->r.out.result;
+ } else if (state->_r.dc != NULL) {
+ struct netr_DsRGetDCName *r = state->_r.dc;
+ r->out.result = state->r.out.result;
+ }
+
+ TALLOC_FREE(state);
+ status = dcesrv_reply(dce_call);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,(__location__ ": dcesrv_reply() failed - %s\n",
+ nt_errstr(status)));
+ }
+}
+
+/*
+ netr_DsRGetDCNameEx2
+*/
+static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct netr_DsRGetDCNameEx2 *r)
+{
+ struct dcesrv_netr_DsRGetDCName_base_state *state;
+
+ state = talloc_zero(mem_ctx, struct dcesrv_netr_DsRGetDCName_base_state);
+ if (state == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ state->dce_call = dce_call;
+ state->mem_ctx = mem_ctx;
+
+ state->r = *r;
+ state->_r.dcex2 = r;
+
+ return dcesrv_netr_DsRGetDCName_base_call(state);
+}
+
/*
netr_DsRGetDCNameEx
*/
static WERROR dcesrv_netr_DsRGetDCNameEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_DsRGetDCNameEx *r)
{
- struct netr_DsRGetDCNameEx2 r2;
- WERROR werr;
+ struct dcesrv_netr_DsRGetDCName_base_state *state;
- ZERO_STRUCT(r2);
+ state = talloc_zero(mem_ctx, struct dcesrv_netr_DsRGetDCName_base_state);
+ if (state == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ state->dce_call = dce_call;
+ state->mem_ctx = mem_ctx;
- r2.in.server_unc = r->in.server_unc;
- r2.in.client_account = NULL;
- r2.in.mask = 0;
- r2.in.domain_guid = r->in.domain_guid;
- r2.in.domain_name = r->in.domain_name;
- r2.in.site_name = r->in.site_name;
- r2.in.flags = r->in.flags;
- r2.out.info = r->out.info;
+ state->r.in.server_unc = r->in.server_unc;
+ state->r.in.client_account = NULL;
+ state->r.in.mask = 0;
+ state->r.in.domain_guid = r->in.domain_guid;
+ state->r.in.domain_name = r->in.domain_name;
+ state->r.in.site_name = r->in.site_name;
+ state->r.in.flags = r->in.flags;
+ state->r.out.info = r->out.info;
- werr = dcesrv_netr_DsRGetDCNameEx2(dce_call, mem_ctx, &r2);
+ state->_r.dcex = r;
- return werr;
+ return dcesrv_netr_DsRGetDCName_base_call(state);
}
/*
- netr_DsRGetDCName
-*/
+ * netr_DsRGetDCName
+ *
+ * This function is a predecessor to DsrGetDcNameEx2 according to [MS-NRPC].
+ * Although it has a site-guid parameter, the documentation 3.5.4.3.3 DsrGetDcName
+ * insists that it be ignored.
+ */
static WERROR dcesrv_netr_DsRGetDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct netr_DsRGetDCName *r)
+ struct netr_DsRGetDCName *r)
{
- struct netr_DsRGetDCNameEx2 r2;
- WERROR werr;
+ struct dcesrv_netr_DsRGetDCName_base_state *state;
- ZERO_STRUCT(r2);
+ state = talloc_zero(mem_ctx, struct dcesrv_netr_DsRGetDCName_base_state);
+ if (state == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
- r2.in.server_unc = r->in.server_unc;
- r2.in.client_account = NULL;
- r2.in.mask = 0;
- r2.in.domain_name = r->in.domain_name;
- r2.in.domain_guid = r->in.domain_guid;
+ state->dce_call = dce_call;
+ state->mem_ctx = mem_ctx;
- r2.in.site_name = NULL; /* this is correct, we should ignore site GUID */
- r2.in.flags = r->in.flags;
- r2.out.info = r->out.info;
+ state->r.in.server_unc = r->in.server_unc;
+ state->r.in.client_account = NULL;
+ state->r.in.mask = 0;
+ state->r.in.domain_name = r->in.domain_name;
+ state->r.in.domain_guid = r->in.domain_guid;
- werr = dcesrv_netr_DsRGetDCNameEx2(dce_call, mem_ctx, &r2);
+ state->r.in.site_name = NULL; /* this is correct, we should ignore site GUID */
+ state->r.in.flags = r->in.flags;
+ state->r.out.info = r->out.info;
- return werr;
+ state->_r.dc = r;
+
+ return dcesrv_netr_DsRGetDCName_base_call(state);
}
/*
netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN
static WERROR dcesrv_netr_DsRAddressToSitenamesExW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_DsRAddressToSitenamesExW *r)
{
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
struct ldb_context *sam_ctx;
struct netr_DsRAddressToSitenamesExWCtr *ctr;
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
const char *res;
uint32_t i;
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info, 0);
+ sam_ctx = samdb_connect(mem_ctx,
+ dce_call->event_ctx,
+ lp_ctx,
+ session_info,
+ dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return WERR_DS_UNAVAILABLE;
}
ctr->sitename[i].string = samdb_client_site_name(sam_ctx,
mem_ctx,
addr_str,
- &subnet_name);
+ &subnet_name,
+ true);
W_ERROR_HAVE_NO_MEMORY(ctr->sitename[i].string);
ctr->subnetname[i].string = subnet_name;
}
static WERROR dcesrv_netr_DsrGetDcSiteCoverageW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_DsrGetDcSiteCoverageW *r)
{
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
struct ldb_context *sam_ctx;
struct DcSitesCtr *ctr;
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info, 0);
+ sam_ctx = samdb_connect(mem_ctx,
+ dce_call->event_ctx,
+ lp_ctx,
+ session_info,
+ dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return WERR_DS_UNAVAILABLE;
}
TALLOC_CTX *mem_ctx,
struct netr_DsrEnumerateDomainTrusts *r)
{
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
struct netr_DomainTrustList *trusts;
struct ldb_context *sam_ctx;
int ret;
trusts->count = 0;
r->out.trusts = trusts;
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info, 0);
+ sam_ctx = samdb_connect(mem_ctx,
+ dce_call->event_ctx,
+ lp_ctx,
+ session_info,
+ dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return WERR_GEN_FAILURE;
}
struct netr_DsRGetForestTrustInformation *r)
{
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
- struct dcesrv_connection *conn = dce_call->conn;
- struct auth_session_info *session_info = conn->auth_state.session_info;
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
enum security_user_level security_level;
struct ldb_context *sam_ctx = NULL;
struct dcesrv_netr_DsRGetForestTrustInformation_state *state = NULL;
return WERR_INVALID_FLAGS;
}
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info, 0);
+ sam_ctx = samdb_connect(mem_ctx,
+ dce_call->event_ctx,
+ lp_ctx,
+ session_info,
+ dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return WERR_GEN_FAILURE;
}
TALLOC_CTX *mem_ctx,
struct netr_GetForestTrustInformation *r)
{
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
struct netlogon_creds_CredentialState *creds = NULL;
struct ldb_context *sam_ctx = NULL;
return NT_STATUS_NOT_IMPLEMENTED;
}
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info, 0);
+ sam_ctx = samdb_connect(mem_ctx,
+ dce_call->event_ctx,
+ lp_ctx,
+ session_info,
+ dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return NT_STATUS_INTERNAL_ERROR;
}
return NT_STATUS_INVALID_PARAMETER;
}
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
- lp_ctx, system_session(lp_ctx), 0);
+ sam_ctx = samdb_connect(mem_ctx,
+ dce_call->event_ctx,
+ lp_ctx,
+ system_session(lp_ctx),
+ dce_call->conn->remote_address,
+ 0);
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}