1ef50cd96faa71233ad0f2b646f2a6725b21e081
[ira/wip.git] / source / rpc_server / netlogon / dcerpc_netlogon.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    endpoint server for the netlogon pipe
5
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
7    Copyright (C) Stefan Metzmacher <metze@samba.org>  2005
8    
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "rpc_server/dcerpc_server.h"
25 #include "rpc_server/common/common.h"
26 #include "lib/ldb/include/ldb.h"
27 #include "auth/auth.h"
28 #include "auth/auth_sam_reply.h"
29 #include "dsdb/samdb/samdb.h"
30 #include "rpc_server/samr/proto.h"
31 #include "util/util_ldb.h"
32 #include "libcli/auth/libcli_auth.h"
33 #include "auth/gensec/schannel_state.h"
34 #include "libcli/security/security.h"
35 #include "param/param.h"
36
37 struct server_pipe_state {
38         struct netr_Credential client_challenge;
39         struct netr_Credential server_challenge;
40 };
41
42
43 static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
44                                         struct netr_ServerReqChallenge *r)
45 {
46         struct server_pipe_state *pipe_state = dce_call->context->private;
47
48         ZERO_STRUCTP(r->out.credentials);
49
50         /* destroyed on pipe shutdown */
51
52         if (pipe_state) {
53                 talloc_free(pipe_state);
54                 dce_call->context->private = NULL;
55         }
56         
57         pipe_state = talloc(dce_call->context, struct server_pipe_state);
58         NT_STATUS_HAVE_NO_MEMORY(pipe_state);
59
60         pipe_state->client_challenge = *r->in.credentials;
61
62         generate_random_buffer(pipe_state->server_challenge.data, 
63                                sizeof(pipe_state->server_challenge.data));
64
65         *r->out.credentials = pipe_state->server_challenge;
66
67         dce_call->context->private = pipe_state;
68
69         return NT_STATUS_OK;
70 }
71
72 static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
73                                          struct netr_ServerAuthenticate3 *r)
74 {
75         struct server_pipe_state *pipe_state = dce_call->context->private;
76         struct creds_CredentialState *creds;
77         void *sam_ctx;
78         struct samr_Password *mach_pwd;
79         uint16_t acct_flags;
80         int num_records;
81         struct ldb_message **msgs;
82         NTSTATUS nt_status;
83         const char *attrs[] = {"unicodePwd", "userAccountControl", 
84                                "objectSid", NULL};
85
86         ZERO_STRUCTP(r->out.credentials);
87         *r->out.rid = 0;
88         *r->out.negotiate_flags = *r->in.negotiate_flags;
89
90         if (!pipe_state) {
91                 DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
92                 return NT_STATUS_ACCESS_DENIED;
93         }
94
95         sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, 
96                                 system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
97         if (sam_ctx == NULL) {
98                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
99         }
100         /* pull the user attributes */
101         num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
102                                    "(&(sAMAccountName=%s)(objectclass=user))", 
103                                    r->in.account_name);
104
105         if (num_records == 0) {
106                 DEBUG(3,("Couldn't find user [%s] in samdb.\n", 
107                          r->in.account_name));
108                 return NT_STATUS_ACCESS_DENIED;
109         }
110
111         if (num_records > 1) {
112                 DEBUG(0,("Found %d records matching user [%s]\n", num_records, r->in.account_name));
113                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
114         }
115
116         acct_flags = samdb_result_acct_flags(msgs[0], 
117                                              "userAccountControl");
118
119         if (acct_flags & ACB_DISABLED) {
120                 DEBUG(1, ("Account [%s] is disabled\n", r->in.account_name));
121                 return NT_STATUS_ACCESS_DENIED;
122         }
123
124         if (r->in.secure_channel_type == SEC_CHAN_WKSTA) {
125                 if (!(acct_flags & ACB_WSTRUST)) {
126                         DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", acct_flags));
127                         return NT_STATUS_ACCESS_DENIED;
128                 }
129         } else if (r->in.secure_channel_type == SEC_CHAN_DOMAIN) {
130                 if (!(acct_flags & ACB_DOMTRUST)) {
131                         DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", acct_flags));
132                         return NT_STATUS_ACCESS_DENIED;
133                 }
134         } else if (r->in.secure_channel_type == SEC_CHAN_BDC) {
135                 if (!(acct_flags & ACB_SVRTRUST)) {
136                         DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", acct_flags));
137                         return NT_STATUS_ACCESS_DENIED;
138                 }
139         } else {
140                 DEBUG(1, ("Client asked for an invalid secure channel type: %d\n", 
141                           r->in.secure_channel_type));
142                 return NT_STATUS_ACCESS_DENIED;
143         }
144
145         *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0], 
146                                                 "objectSid", 0);
147
148         mach_pwd = samdb_result_hash(mem_ctx, msgs[0], "unicodePwd");
149         if (mach_pwd == NULL) {
150                 return NT_STATUS_ACCESS_DENIED;
151         }
152
153         creds = talloc(mem_ctx, struct creds_CredentialState);
154         NT_STATUS_HAVE_NO_MEMORY(creds);
155
156         creds_server_init(creds, &pipe_state->client_challenge, 
157                           &pipe_state->server_challenge, mach_pwd,
158                           r->out.credentials,
159                           *r->in.negotiate_flags);
160         
161         if (!creds_server_check(creds, r->in.credentials)) {
162                 talloc_free(creds);
163                 return NT_STATUS_ACCESS_DENIED;
164         }
165
166         creds->account_name = talloc_steal(creds, r->in.account_name);
167         
168         creds->computer_name = talloc_steal(creds, r->in.computer_name);
169         creds->domain = talloc_strdup(creds, lp_workgroup(dce_call->conn->dce_ctx->lp_ctx));
170
171         creds->secure_channel_type = r->in.secure_channel_type;
172
173         creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
174
175
176         /* remember this session key state */
177         nt_status = schannel_store_session_key(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, creds);
178
179         return nt_status;
180 }
181                                                  
182 static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
183                                         struct netr_ServerAuthenticate *r)
184 {
185         struct netr_ServerAuthenticate3 r3;
186         uint32_t rid = 0;
187         /* TODO: 
188          * negotiate_flags is used as an [in] parameter
189          * so it need to be initialised.
190          *
191          * (I think ... = 0; seems wrong here --metze)
192          */
193         uint32_t negotiate_flags = 0;  
194
195         r3.in.server_name = r->in.server_name;
196         r3.in.account_name = r->in.account_name;
197         r3.in.secure_channel_type = r->in.secure_channel_type;
198         r3.in.computer_name = r->in.computer_name;
199         r3.in.credentials = r->in.credentials;
200         r3.out.credentials = r->out.credentials;
201         r3.in.negotiate_flags = &negotiate_flags;
202         r3.out.negotiate_flags = &negotiate_flags;
203         r3.out.rid = &rid;
204         
205         return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
206 }
207
208 static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
209                                          struct netr_ServerAuthenticate2 *r)
210 {
211         struct netr_ServerAuthenticate3 r3;
212         uint32_t rid = 0;
213
214         r3.in.server_name = r->in.server_name;
215         r3.in.account_name = r->in.account_name;
216         r3.in.secure_channel_type = r->in.secure_channel_type;
217         r3.in.computer_name = r->in.computer_name;
218         r3.in.credentials = r->in.credentials;
219         r3.out.credentials = r->out.credentials;
220         r3.in.negotiate_flags = r->in.negotiate_flags;
221         r3.out.negotiate_flags = r->out.negotiate_flags;
222         r3.out.rid = &rid;
223         
224         return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
225 }
226
227 /*
228   Validate an incoming authenticator against the credentials for the remote machine.
229
230   The credentials are (re)read and from the schannel database, and
231   written back after the caclulations are performed.
232
233   The creds_out parameter (if not NULL) returns the credentials, if
234   the caller needs some of that information.
235
236 */
237 static NTSTATUS dcesrv_netr_creds_server_step_check(struct loadparm_context *lp_ctx,
238                                                     const char *computer_name,
239                                              TALLOC_CTX *mem_ctx, 
240                                              struct netr_Authenticator *received_authenticator,
241                                              struct netr_Authenticator *return_authenticator,
242                                              struct creds_CredentialState **creds_out) 
243 {
244         struct creds_CredentialState *creds;
245         NTSTATUS nt_status;
246         struct ldb_context *ldb;
247         int ret;
248
249         ldb = schannel_db_connect(mem_ctx, lp_ctx);
250         if (!ldb) {
251                 return NT_STATUS_ACCESS_DENIED;
252         }
253
254         ret = ldb_transaction_start(ldb);
255         if (ret != 0) {
256                 talloc_free(ldb);
257                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
258         }
259
260         /* Because this is a shared structure (even across
261          * disconnects) we must update the database every time we
262          * update the structure */ 
263         
264         nt_status = schannel_fetch_session_key_ldb(ldb, ldb, computer_name, 
265                                                    lp_workgroup(lp_ctx),
266                                                    &creds);
267         if (NT_STATUS_IS_OK(nt_status)) {
268                 nt_status = creds_server_step_check(creds, 
269                                                     received_authenticator, 
270                                                     return_authenticator);
271         }
272         if (NT_STATUS_IS_OK(nt_status)) {
273                 nt_status = schannel_store_session_key_ldb(ldb, ldb, creds);
274         }
275
276         if (NT_STATUS_IS_OK(nt_status)) {
277                 ldb_transaction_commit(ldb);
278                 if (creds_out) {
279                         *creds_out = creds;
280                         talloc_steal(mem_ctx, creds);
281                 }
282         } else {
283                 ldb_transaction_cancel(ldb);
284         }
285         talloc_free(ldb);
286         return nt_status;
287 }
288
289 /* 
290   Change the machine account password for the currently connected
291   client.  Supplies only the NT#.
292 */
293
294 static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
295                                        struct netr_ServerPasswordSet *r)
296 {
297         struct creds_CredentialState *creds;
298         struct ldb_context *sam_ctx;
299         NTSTATUS nt_status;
300
301         nt_status = dcesrv_netr_creds_server_step_check(dce_call->conn->dce_ctx->lp_ctx,
302                                                         r->in.computer_name, mem_ctx, 
303                                                  &r->in.credential, &r->out.return_authenticator,
304                                                  &creds);
305         NT_STATUS_NOT_OK_RETURN(nt_status);
306
307         sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
308         if (sam_ctx == NULL) {
309                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
310         }
311
312         creds_des_decrypt(creds, &r->in.new_password);
313
314         /* Using the sid for the account as the key, set the password */
315         nt_status = samdb_set_password_sid(sam_ctx, mem_ctx, 
316                                            creds->sid,
317                                            NULL, /* Don't have plaintext */
318                                            NULL, &r->in.new_password,
319                                            false, /* This is not considered a password change */
320                                            NULL, NULL);
321         return nt_status;
322 }
323
324 /* 
325   Change the machine account password for the currently connected
326   client.  Supplies new plaintext.
327 */
328 static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
329                                        struct netr_ServerPasswordSet2 *r)
330 {
331         struct creds_CredentialState *creds;
332         struct ldb_context *sam_ctx;
333         NTSTATUS nt_status;
334         char new_pass[512];
335         uint32_t new_pass_len;
336         bool ret;
337
338         struct samr_CryptPassword password_buf;
339
340         nt_status = dcesrv_netr_creds_server_step_check(dce_call->conn->dce_ctx->lp_ctx,
341                                                         r->in.computer_name, mem_ctx, 
342                                                  &r->in.credential, &r->out.return_authenticator,
343                                                  &creds);
344         NT_STATUS_NOT_OK_RETURN(nt_status);
345
346         sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
347         if (sam_ctx == NULL) {
348                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
349         }
350
351         memcpy(password_buf.data, r->in.new_password.data, 512);
352         SIVAL(password_buf.data,512,r->in.new_password.length);
353         creds_arcfour_crypt(creds, password_buf.data, 516);
354
355         ret = decode_pw_buffer(password_buf.data, new_pass, sizeof(new_pass),
356                                &new_pass_len, STR_UNICODE);
357         if (!ret) {
358                 DEBUG(3,("netr_ServerPasswordSet2: failed to decode password buffer\n"));
359                 return NT_STATUS_ACCESS_DENIED;
360         }
361
362         /* Using the sid for the account as the key, set the password */
363         nt_status = samdb_set_password_sid(sam_ctx, mem_ctx,
364                                            creds->sid,
365                                            new_pass, /* we have plaintext */
366                                            NULL, NULL,
367                                            false, /* This is not considered a password change */
368                                            NULL, NULL);
369         return nt_status;
370 }
371
372
373 /* 
374   netr_LogonUasLogon 
375 */
376 static WERROR dcesrv_netr_LogonUasLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
377                                  struct netr_LogonUasLogon *r)
378 {
379         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
380 }
381
382
383 /* 
384   netr_LogonUasLogoff 
385 */
386 static WERROR dcesrv_netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
387                        struct netr_LogonUasLogoff *r)
388 {
389         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
390 }
391
392
393 /* 
394   netr_LogonSamLogon_base
395
396   This version of the function allows other wrappers to say 'do not check the credentials'
397
398   We can't do the traditional 'wrapping' format completly, as this function must only run under schannel
399 */
400 static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
401                                         struct netr_LogonSamLogonEx *r, struct creds_CredentialState *creds)
402 {
403         struct auth_context *auth_context;
404         struct auth_usersupplied_info *user_info;
405         struct auth_serversupplied_info *server_info;
406         NTSTATUS nt_status;
407         static const char zeros[16];
408         struct netr_SamBaseInfo *sam;
409         struct netr_SamInfo2 *sam2;
410         struct netr_SamInfo3 *sam3;
411         struct netr_SamInfo6 *sam6;
412         
413         user_info = talloc(mem_ctx, struct auth_usersupplied_info);
414         NT_STATUS_HAVE_NO_MEMORY(user_info);
415
416         user_info->flags = 0;
417         user_info->mapped_state = false;
418         user_info->remote_host = NULL;
419
420         switch (r->in.logon_level) {
421         case 1:
422         case 3:
423         case 5:
424                 if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
425                         creds_arcfour_crypt(creds, 
426                                             r->in.logon.password->lmpassword.hash, 
427                                             sizeof(r->in.logon.password->lmpassword.hash));
428                         creds_arcfour_crypt(creds, 
429                                             r->in.logon.password->ntpassword.hash, 
430                                             sizeof(r->in.logon.password->ntpassword.hash));
431                 } else {
432                         creds_des_decrypt(creds, &r->in.logon.password->lmpassword);
433                         creds_des_decrypt(creds, &r->in.logon.password->ntpassword);
434                 }
435
436                 /* TODO: we need to deny anonymous access here */
437                 nt_status = auth_context_create(mem_ctx, 
438                                                 dce_call->event_ctx, dce_call->msg_ctx,
439                                                 dce_call->conn->dce_ctx->lp_ctx,
440                                                 &auth_context);
441                 NT_STATUS_NOT_OK_RETURN(nt_status);
442
443                 user_info->logon_parameters = r->in.logon.password->identity_info.parameter_control;
444                 user_info->client.account_name = r->in.logon.password->identity_info.account_name.string;
445                 user_info->client.domain_name = r->in.logon.password->identity_info.domain_name.string;
446                 user_info->workstation_name = r->in.logon.password->identity_info.workstation.string;
447                 
448                 user_info->flags |= USER_INFO_INTERACTIVE_LOGON;
449                 user_info->password_state = AUTH_PASSWORD_HASH;
450
451                 user_info->password.hash.lanman = talloc(user_info, struct samr_Password);
452                 NT_STATUS_HAVE_NO_MEMORY(user_info->password.hash.lanman);
453                 *user_info->password.hash.lanman = r->in.logon.password->lmpassword;
454
455                 user_info->password.hash.nt = talloc(user_info, struct samr_Password);
456                 NT_STATUS_HAVE_NO_MEMORY(user_info->password.hash.nt);
457                 *user_info->password.hash.nt = r->in.logon.password->ntpassword;
458
459                 break;
460         case 2:
461         case 6:
462
463                 /* TODO: we need to deny anonymous access here */
464                 nt_status = auth_context_create(mem_ctx, 
465                                                 dce_call->event_ctx, dce_call->msg_ctx,
466                                                 dce_call->conn->dce_ctx->lp_ctx,
467                                                 &auth_context);
468                 NT_STATUS_NOT_OK_RETURN(nt_status);
469
470                 nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags");
471                 NT_STATUS_NOT_OK_RETURN(nt_status);
472
473                 user_info->logon_parameters = r->in.logon.network->identity_info.parameter_control;
474                 user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
475                 user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
476                 user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;
477                 
478                 user_info->password_state = AUTH_PASSWORD_RESPONSE;
479                 user_info->password.response.lanman = data_blob_talloc(mem_ctx, r->in.logon.network->lm.data, r->in.logon.network->lm.length);
480                 user_info->password.response.nt = data_blob_talloc(mem_ctx, r->in.logon.network->nt.data, r->in.logon.network->nt.length);
481         
482                 break;
483         default:
484                 return NT_STATUS_INVALID_PARAMETER;
485         }
486         
487         nt_status = auth_check_password(auth_context, mem_ctx, user_info, &server_info);
488         NT_STATUS_NOT_OK_RETURN(nt_status);
489
490         nt_status = auth_convert_server_info_sambaseinfo(mem_ctx, server_info, &sam);
491         NT_STATUS_NOT_OK_RETURN(nt_status);
492
493         /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
494         /* It appears that level 6 is not individually encrypted */
495         if ((r->in.validation_level != 6) &&
496             memcmp(sam->key.key, zeros, sizeof(sam->key.key)) != 0) {
497                 /* This key is sent unencrypted without the ARCFOUR flag set */
498                 if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
499                         creds_arcfour_crypt(creds, 
500                                             sam->key.key, 
501                                             sizeof(sam->key.key));
502                 }
503         }
504
505         /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
506         /* It appears that level 6 is not individually encrypted */
507         if ((r->in.validation_level != 6) &&
508             memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) {
509                 if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
510                         creds_arcfour_crypt(creds, 
511                                             sam->LMSessKey.key, 
512                                             sizeof(sam->LMSessKey.key));
513                 } else {
514                         creds_des_encrypt_LMKey(creds, 
515                                                 &sam->LMSessKey);
516                 }
517         }
518
519         switch (r->in.validation_level) {
520         case 2:
521                 sam2 = talloc_zero(mem_ctx, struct netr_SamInfo2);
522                 NT_STATUS_HAVE_NO_MEMORY(sam2);
523                 sam2->base = *sam;
524                 r->out.validation.sam2 = sam2;
525                 break;
526
527         case 3:
528                 sam3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
529                 NT_STATUS_HAVE_NO_MEMORY(sam3);
530                 sam3->base = *sam;
531                 r->out.validation.sam3 = sam3;
532                 break;
533
534         case 6:
535                 sam6 = talloc_zero(mem_ctx, struct netr_SamInfo6);
536                 NT_STATUS_HAVE_NO_MEMORY(sam6);
537                 sam6->base = *sam;
538                 sam6->forest.string = lp_realm(dce_call->conn->dce_ctx->lp_ctx);
539                 sam6->principle.string = talloc_asprintf(mem_ctx, "%s@%s", 
540                                                          sam->account_name.string, sam6->forest.string);
541                 NT_STATUS_HAVE_NO_MEMORY(sam6->principle.string);
542                 r->out.validation.sam6 = sam6;
543                 break;
544
545         default:
546                 break;
547         }
548
549         r->out.authoritative = 1;
550
551         /* TODO: Describe and deal with these flags */
552         r->out.flags = 0;
553
554         return NT_STATUS_OK;
555 }
556
557 static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
558                                      struct netr_LogonSamLogonEx *r) 
559 {
560         NTSTATUS nt_status;
561         struct creds_CredentialState *creds;
562         nt_status = schannel_fetch_session_key(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, r->in.computer_name, lp_workgroup(dce_call->conn->dce_ctx->lp_ctx), &creds);
563         if (!NT_STATUS_IS_OK(nt_status)) {
564                 return nt_status;
565         }
566
567         if (!dce_call->conn->auth_state.auth_info ||
568             dce_call->conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
569                 return NT_STATUS_INTERNAL_ERROR;
570         }
571         return dcesrv_netr_LogonSamLogon_base(dce_call, mem_ctx, r, creds);
572 }
573
574 /* 
575   netr_LogonSamLogonWithFlags
576
577 */
578 static NTSTATUS dcesrv_netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
579                                             struct netr_LogonSamLogonWithFlags *r)
580 {
581         NTSTATUS nt_status;
582         struct creds_CredentialState *creds;
583         struct netr_LogonSamLogonEx r2;
584
585         struct netr_Authenticator *return_authenticator;
586
587         return_authenticator = talloc(mem_ctx, struct netr_Authenticator);
588         NT_STATUS_HAVE_NO_MEMORY(return_authenticator);
589
590         nt_status = dcesrv_netr_creds_server_step_check(dce_call->conn->dce_ctx->lp_ctx,
591                                                         r->in.computer_name, mem_ctx, 
592                                                  r->in.credential, return_authenticator,
593                                                  &creds);
594         NT_STATUS_NOT_OK_RETURN(nt_status);
595
596         ZERO_STRUCT(r2);
597
598         r2.in.server_name       = r->in.server_name;
599         r2.in.computer_name     = r->in.computer_name;
600         r2.in.logon_level       = r->in.logon_level;
601         r2.in.logon             = r->in.logon;
602         r2.in.validation_level  = r->in.validation_level;
603         r2.in.flags             = r->in.flags;
604
605         nt_status = dcesrv_netr_LogonSamLogon_base(dce_call, mem_ctx, &r2, creds);
606
607         r->out.return_authenticator     = return_authenticator;
608         r->out.validation               = r2.out.validation;
609         r->out.authoritative            = r2.out.authoritative;
610         r->out.flags                    = r2.out.flags;
611
612         return nt_status;
613 }
614
615 /* 
616   netr_LogonSamLogon
617 */
618 static NTSTATUS dcesrv_netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
619                                    struct netr_LogonSamLogon *r)
620 {
621         struct netr_LogonSamLogonWithFlags r2;
622         NTSTATUS status;
623
624         ZERO_STRUCT(r2);
625
626         r2.in.server_name = r->in.server_name;
627         r2.in.computer_name = r->in.computer_name;
628         r2.in.credential  = r->in.credential;
629         r2.in.return_authenticator = r->in.return_authenticator;
630         r2.in.logon_level = r->in.logon_level;
631         r2.in.logon = r->in.logon;
632         r2.in.validation_level = r->in.validation_level;
633         r2.in.flags = 0;
634
635         status = dcesrv_netr_LogonSamLogonWithFlags(dce_call, mem_ctx, &r2);
636
637         r->out.return_authenticator = r2.out.return_authenticator;
638         r->out.validation = r2.out.validation;
639         r->out.authoritative = r2.out.authoritative;
640
641         return status;
642 }
643
644
645 /* 
646   netr_LogonSamLogoff 
647 */
648 static NTSTATUS dcesrv_netr_LogonSamLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
649                        struct netr_LogonSamLogoff *r)
650 {
651         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
652 }
653
654
655
656 /* 
657   netr_DatabaseDeltas 
658 */
659 static NTSTATUS dcesrv_netr_DatabaseDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
660                        struct netr_DatabaseDeltas *r)
661 {
662         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
663 }
664
665
666 /* 
667   netr_DatabaseSync 
668 */
669 static NTSTATUS dcesrv_netr_DatabaseSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
670                        struct netr_DatabaseSync *r)
671 {
672         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
673 }
674
675
676 /* 
677   netr_AccountDeltas 
678 */
679 static NTSTATUS dcesrv_netr_AccountDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
680                        struct netr_AccountDeltas *r)
681 {
682         /* w2k3 returns "NOT IMPLEMENTED" for this call */
683         return NT_STATUS_NOT_IMPLEMENTED;
684 }
685
686
687 /* 
688   netr_AccountSync 
689 */
690 static NTSTATUS dcesrv_netr_AccountSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
691                        struct netr_AccountSync *r)
692 {
693         /* w2k3 returns "NOT IMPLEMENTED" for this call */
694         return NT_STATUS_NOT_IMPLEMENTED;
695 }
696
697
698 /* 
699   netr_GetDcName 
700 */
701 static WERROR dcesrv_netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
702                        struct netr_GetDcName *r)
703 {
704         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
705 }
706
707
708 /* 
709   netr_LogonControl 
710 */
711 static WERROR dcesrv_netr_LogonControl(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
712                        struct netr_LogonControl *r)
713 {
714         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
715 }
716
717
718 /* 
719   netr_GetAnyDCName 
720 */
721 static WERROR dcesrv_netr_GetAnyDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
722                        struct netr_GetAnyDCName *r)
723 {
724         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
725 }
726
727
728 /* 
729   netr_LogonControl2 
730 */
731 static WERROR dcesrv_netr_LogonControl2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
732                        struct netr_LogonControl2 *r)
733 {
734         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
735 }
736
737
738 /* 
739   netr_DatabaseSync2 
740 */
741 static NTSTATUS dcesrv_netr_DatabaseSync2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
742                        struct netr_DatabaseSync2 *r)
743 {
744         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
745 }
746
747
748 /* 
749   netr_DatabaseRedo 
750 */
751 static NTSTATUS dcesrv_netr_DatabaseRedo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
752                        struct netr_DatabaseRedo *r)
753 {
754         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
755 }
756
757
758 /* 
759   netr_LogonControl2Ex 
760 */
761 static WERROR dcesrv_netr_LogonControl2Ex(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
762                        struct netr_LogonControl2Ex *r)
763 {
764         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
765 }
766
767
768 /* 
769   netr_NetrEnumerateTurstedDomains
770 */
771 static WERROR dcesrv_netr_NetrEnumerateTrustedDomains(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
772                        struct netr_NetrEnumerateTrustedDomains *r)
773 {
774         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
775 }
776
777
778 /* 
779   netr_NETRLOGONDUMMYROUTINE1 
780 */
781 static WERROR dcesrv_netr_NETRLOGONDUMMYROUTINE1(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
782                        struct netr_NETRLOGONDUMMYROUTINE1 *r)
783 {
784         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
785 }
786
787
788 /* 
789   netr_NETRLOGONSETSERVICEBITS 
790 */
791 static WERROR dcesrv_netr_NETRLOGONSETSERVICEBITS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
792                        struct netr_NETRLOGONSETSERVICEBITS *r)
793 {
794         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
795 }
796
797
798 /* 
799   netr_NETRLOGONGETTRUSTRID 
800 */
801 static WERROR dcesrv_netr_NETRLOGONGETTRUSTRID(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
802                        struct netr_NETRLOGONGETTRUSTRID *r)
803 {
804         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
805 }
806
807
808 /* 
809   netr_NETRLOGONCOMPUTESERVERDIGEST 
810 */
811 static WERROR dcesrv_netr_NETRLOGONCOMPUTESERVERDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
812                        struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
813 {
814         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
815 }
816
817
818 /* 
819   netr_NETRLOGONCOMPUTECLIENTDIGEST 
820 */
821 static WERROR dcesrv_netr_NETRLOGONCOMPUTECLIENTDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
822                        struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
823 {
824         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
825 }
826
827
828
829 /* 
830   netr_DsRGetSiteName
831 */
832 static WERROR dcesrv_netr_DsRGetSiteName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
833                                   struct netr_DsRGetSiteName *r)
834 {
835         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
836 }
837
838
839 /*
840   fill in a netr_DomainTrustInfo from a ldb search result
841 */
842 static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx,
843                                        struct ldb_message *res,
844                                        struct ldb_message *ref_res,
845                                        struct netr_DomainTrustInfo *info, 
846                                        bool is_local)
847 {
848         ZERO_STRUCTP(info);
849
850         if (is_local) {
851                 info->domainname.string = samdb_result_string(ref_res, "nETBIOSName", NULL);
852                 info->fulldomainname.string = samdb_result_string(ref_res, "dnsRoot", NULL);
853                 info->forest.string = NULL;
854                 info->guid = samdb_result_guid(res, "objectGUID");
855                 info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid");
856         } else {
857                 info->domainname.string = samdb_result_string(res, "flatName", NULL);
858                 info->fulldomainname.string = samdb_result_string(res, "trustPartner", NULL);
859                 info->forest.string = NULL;
860                 info->guid = samdb_result_guid(res, "objectGUID");
861                 info->sid = samdb_result_dom_sid(mem_ctx, res, "securityIdentifier");
862         }
863
864         return NT_STATUS_OK;
865 }
866
867 /* 
868   netr_LogonGetDomainInfo
869   this is called as part of the ADS domain logon procedure.
870 */
871 static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
872                                         struct netr_LogonGetDomainInfo *r)
873 {
874         const char * const attrs[] = { "objectSid", 
875                                        "objectGUID", "flatName", "securityIdentifier",
876                                        "trustPartner", NULL };
877         const char * const ref_attrs[] = { "nETBIOSName", "dnsRoot", NULL };
878         struct ldb_context *sam_ctx;
879         struct ldb_message **res1, **res2, **ref_res;
880         struct netr_DomainInfo1 *info1;
881         int ret, ret1, ret2, i;
882         NTSTATUS status;
883         struct ldb_dn *partitions_basedn;
884
885         const char *local_domain;
886
887         status = dcesrv_netr_creds_server_step_check(dce_call->conn->dce_ctx->lp_ctx,
888                                                      r->in.computer_name, mem_ctx, 
889                                               r->in.credential, 
890                                               r->out.return_authenticator,
891                                               NULL);
892         NT_STATUS_NOT_OK_RETURN(status);
893
894         sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info);
895         if (sam_ctx == NULL) {
896                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
897         }
898
899         partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx);
900
901         /* we need to do two searches. The first will pull our primary
902            domain and the second will pull any trusted domains. Our
903            primary domain is also a "trusted" domain, so we need to
904            put the primary domain into the lists of returned trusts as
905            well */
906         ret1 = gendb_search_dn(sam_ctx, mem_ctx, samdb_base_dn(sam_ctx), &res1, attrs);
907         if (ret1 != 1) {
908                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
909         }
910
911         /* try and find the domain */
912         ret = gendb_search(sam_ctx, mem_ctx, partitions_basedn, 
913                            &ref_res, ref_attrs, 
914                            "(&(objectClass=crossRef)(ncName=%s))", 
915                            ldb_dn_get_linearized(res1[0]->dn));
916         if (ret != 1) {
917                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
918         }
919
920         local_domain = samdb_result_string(ref_res[0], "nETBIOSName", NULL);
921
922         ret2 = gendb_search(sam_ctx, mem_ctx, NULL, &res2, attrs, "(objectClass=trustedDomain)");
923         if (ret2 == -1) {
924                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
925         }
926
927         info1 = talloc(mem_ctx, struct netr_DomainInfo1);
928         NT_STATUS_HAVE_NO_MEMORY(info1);
929
930         ZERO_STRUCTP(info1);
931
932         info1->num_trusts = ret2 + 1;
933         info1->trusts = talloc_array(mem_ctx, struct netr_DomainTrustInfo, 
934                                        info1->num_trusts);
935         NT_STATUS_HAVE_NO_MEMORY(info1->trusts);
936
937         status = fill_domain_trust_info(mem_ctx, res1[0], ref_res[0], &info1->domaininfo, true);
938         NT_STATUS_NOT_OK_RETURN(status);
939
940         for (i=0;i<ret2;i++) {
941                 status = fill_domain_trust_info(mem_ctx, res2[i], NULL, &info1->trusts[i], false);
942                 NT_STATUS_NOT_OK_RETURN(status);
943         }
944
945         status = fill_domain_trust_info(mem_ctx, res1[0], ref_res[0], &info1->trusts[i], true);
946         NT_STATUS_NOT_OK_RETURN(status);
947
948         r->out.info.info1 = info1;
949
950         return NT_STATUS_OK;
951 }
952
953
954
955 /*
956   netr_ServerPasswordGet
957 */
958 static WERROR dcesrv_netr_ServerPasswordGet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
959                        struct netr_ServerPasswordGet *r)
960 {
961         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
962 }
963
964
965 /* 
966   netr_NETRLOGONSENDTOSAM 
967 */
968 static WERROR dcesrv_netr_NETRLOGONSENDTOSAM(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
969                        struct netr_NETRLOGONSENDTOSAM *r)
970 {
971         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
972 }
973
974
975 /* 
976   netr_DsRAddressToSitenamesW 
977 */
978 static WERROR dcesrv_netr_DsRAddressToSitenamesW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
979                        struct netr_DsRAddressToSitenamesW *r)
980 {
981         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
982 }
983
984
985 /* 
986   netr_DsRGetDCNameEx2
987 */
988 static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
989                                    struct netr_DsRGetDCNameEx2 *r)
990 {
991         const char * const attrs[] = { "dnsDomain", "objectGUID", NULL };
992         void *sam_ctx;
993         struct ldb_message **res;
994         struct ldb_dn *domain_dn;
995         int ret;
996
997         ZERO_STRUCT(r->out);
998
999         sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info);
1000         if (sam_ctx == NULL) {
1001                 return WERR_DS_SERVICE_UNAVAILABLE;
1002         }
1003
1004         domain_dn = samdb_dns_domain_to_dn(sam_ctx, mem_ctx,
1005                                            r->in.domain_name);   
1006         if (domain_dn == NULL) {
1007                 return WERR_DS_SERVICE_UNAVAILABLE;
1008         }
1009
1010         ret = gendb_search_dn(sam_ctx, mem_ctx, domain_dn, &res, attrs);
1011         if (ret != 1) {
1012                 return WERR_NO_SUCH_DOMAIN;
1013         }
1014
1015         r->out.info = talloc(mem_ctx, struct netr_DsRGetDCNameInfo);
1016         W_ERROR_HAVE_NO_MEMORY(r->out.info);
1017
1018         /* TODO: - return real IP address
1019          *       - check all r->in.* parameters (server_unc is ignored by w2k3!)
1020          */
1021         r->out.info->dc_unc             = talloc_asprintf(mem_ctx, "\\\\%s.%s", 
1022                                                           lp_netbios_name(dce_call->conn->dce_ctx->lp_ctx), 
1023                                                           lp_realm(dce_call->conn->dce_ctx->lp_ctx));
1024         W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_unc);
1025         r->out.info->dc_address         = talloc_strdup(mem_ctx, "\\\\0.0.0.0");
1026         W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_address);
1027         r->out.info->dc_address_type    = DS_ADDRESS_TYPE_INET;
1028         r->out.info->domain_guid        = samdb_result_guid(res[0], "objectGUID");
1029         r->out.info->domain_name        = samdb_result_string(res[0], "dnsDomain", NULL);
1030         r->out.info->forest_name        = samdb_result_string(res[0], "dnsDomain", NULL);
1031         r->out.info->dc_flags           = DS_DNS_FOREST |
1032                                           DS_DNS_DOMAIN |
1033                                           DS_DNS_CONTROLLER |
1034                                           DS_SERVER_WRITABLE |
1035                                           DS_SERVER_CLOSEST |
1036                                           DS_SERVER_TIMESERV |
1037                                           DS_SERVER_KDC |
1038                                           DS_SERVER_DS |
1039                                           DS_SERVER_LDAP |
1040                                           DS_SERVER_GC |
1041                                           DS_SERVER_PDC;
1042         r->out.info->dc_site_name       = talloc_strdup(mem_ctx, "Default-First-Site-Name");
1043         W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_site_name);
1044         r->out.info->client_site_name   = talloc_strdup(mem_ctx, "Default-First-Site-Name");
1045         W_ERROR_HAVE_NO_MEMORY(r->out.info->client_site_name);
1046
1047         return WERR_OK;
1048 }
1049
1050 /* 
1051   netr_DsRGetDCNameEx
1052 */
1053 static WERROR dcesrv_netr_DsRGetDCNameEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1054                                   struct netr_DsRGetDCNameEx *r)
1055 {
1056         struct netr_DsRGetDCNameEx2 r2;
1057         WERROR werr;
1058
1059         ZERO_STRUCT(r2);
1060
1061         r2.in.server_unc = r->in.server_unc;
1062         r2.in.client_account = NULL;
1063         r2.in.mask = 0;
1064         r2.in.domain_guid = r->in.domain_guid;
1065         r2.in.domain_name = r->in.domain_name;
1066         r2.in.site_name = r->in.site_name;
1067         r2.in.flags = r->in.flags;
1068         r2.out.info = NULL;
1069
1070         werr = dcesrv_netr_DsRGetDCNameEx2(dce_call, mem_ctx, &r2);
1071         
1072         r->out.info = r2.out.info;
1073         
1074         return werr;
1075 }
1076
1077 /* 
1078   netr_DsRGetDCName
1079 */
1080 static WERROR dcesrv_netr_DsRGetDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1081                                 struct netr_DsRGetDCName *r)
1082 {
1083         struct netr_DsRGetDCNameEx2 r2;
1084         WERROR werr;
1085
1086         ZERO_STRUCT(r2);
1087
1088         r2.in.server_unc = r->in.server_unc;
1089         r2.in.client_account = NULL;
1090         r2.in.mask = 0;
1091         r2.in.domain_name = r->in.domain_name;
1092         r2.in.domain_guid = r->in.domain_guid;
1093         
1094         r2.in.site_name = NULL; /* should fill in from site GUID */
1095         r2.in.flags = r->in.flags;
1096         r2.out.info = NULL;
1097
1098         werr = dcesrv_netr_DsRGetDCNameEx2(dce_call, mem_ctx, &r2);
1099         
1100         r->out.info = r2.out.info;
1101         
1102         return werr;
1103 }
1104
1105 /* 
1106   netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN 
1107 */
1108 static WERROR dcesrv_netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1109                        struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
1110 {
1111         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1112 }
1113
1114
1115 /*
1116   netr_NetrEnumerateTrustedDomainsEx
1117 */
1118 static WERROR dcesrv_netr_NetrEnumerateTrustedDomainsEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1119                        struct netr_NetrEnumerateTrustedDomainsEx *r)
1120 {
1121         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1122 }
1123
1124
1125 /* 
1126   netr_DsRAddressToSitenamesExW 
1127 */
1128 static WERROR dcesrv_netr_DsRAddressToSitenamesExW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1129                        struct netr_DsRAddressToSitenamesExW *r)
1130 {
1131         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1132 }
1133
1134
1135 /* 
1136   netr_DsrGetDcSiteCoverageW
1137 */
1138 static WERROR dcesrv_netr_DsrGetDcSiteCoverageW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1139                        struct netr_DsrGetDcSiteCoverageW *r)
1140 {
1141         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1142 }
1143
1144
1145 /* 
1146   netr_DsrEnumerateDomainTrusts 
1147 */
1148 static WERROR dcesrv_netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1149                                               struct netr_DsrEnumerateDomainTrusts *r)
1150 {
1151         struct netr_DomainTrust *trusts;
1152         void *sam_ctx;
1153         int ret;
1154         struct ldb_message **dom_res, **ref_res;
1155         const char * const dom_attrs[] = { "objectSid", "objectGUID", NULL };
1156         const char * const ref_attrs[] = { "nETBIOSName", "dnsRoot", NULL };
1157         struct ldb_dn *partitions_basedn;
1158
1159         ZERO_STRUCT(r->out);
1160
1161         sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info);
1162         if (sam_ctx == NULL) {
1163                 return WERR_GENERAL_FAILURE;
1164         }
1165
1166         partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx);
1167
1168         ret = gendb_search_dn(sam_ctx, mem_ctx, NULL, &dom_res, dom_attrs);
1169         if (ret == -1) {
1170                 return WERR_GENERAL_FAILURE;            
1171         }
1172         if (ret != 1) {
1173                 return WERR_GENERAL_FAILURE;
1174         }
1175
1176         ret = gendb_search(sam_ctx, mem_ctx, partitions_basedn, &ref_res, ref_attrs,
1177                            "(&(objectClass=crossRef)(ncName=%s))",
1178                            ldb_dn_get_linearized(dom_res[0]->dn));
1179         if (ret == -1) {
1180                 return WERR_GENERAL_FAILURE;
1181         }
1182         if (ret != 1) {
1183                 return WERR_GENERAL_FAILURE;
1184         }
1185
1186         trusts = talloc_array(mem_ctx, struct netr_DomainTrust, ret);
1187         W_ERROR_HAVE_NO_MEMORY(trusts);
1188         
1189         r->out.count = 1;
1190         r->out.trusts = trusts;
1191
1192         /* TODO: add filtering by trust_flags, and correct trust_type
1193            and attributes */
1194         trusts[0].netbios_name = samdb_result_string(ref_res[0], "nETBIOSName", NULL);
1195         trusts[0].dns_name     = samdb_result_string(ref_res[0], "dnsRoot", NULL);
1196         trusts[0].trust_flags = 
1197                 NETR_TRUST_FLAG_TREEROOT | 
1198                 NETR_TRUST_FLAG_IN_FOREST | 
1199                 NETR_TRUST_FLAG_PRIMARY;
1200         trusts[0].parent_index = 0;
1201         trusts[0].trust_type = 2;
1202         trusts[0].trust_attributes = 0;
1203         trusts[0].sid  = samdb_result_dom_sid(mem_ctx, dom_res[0], "objectSid");
1204         trusts[0].guid = samdb_result_guid(dom_res[0], "objectGUID");
1205
1206         return WERR_OK;
1207 }
1208
1209
1210 /* 
1211   netr_DSRDEREGISTERDNSHOSTRECORDS 
1212 */
1213 static WERROR dcesrv_netr_DSRDEREGISTERDNSHOSTRECORDS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1214                        struct netr_DSRDEREGISTERDNSHOSTRECORDS *r)
1215 {
1216         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1217 }
1218
1219
1220 /*
1221   netr_ServerTrustPasswordsGet
1222 */
1223 static NTSTATUS dcesrv_netr_ServerTrustPasswordsGet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1224                        struct netr_ServerTrustPasswordsGet *r)
1225 {
1226         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1227 }
1228
1229
1230 /* 
1231   netr_DsRGetForestTrustInformation 
1232 */
1233 static WERROR dcesrv_netr_DsRGetForestTrustInformation(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1234                        struct netr_DsRGetForestTrustInformation *r)
1235 {
1236         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1237 }
1238
1239
1240 /*
1241   netr_GetForestTrustInformation
1242 */
1243 static WERROR dcesrv_netr_GetForestTrustInformation(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1244                        struct netr_GetForestTrustInformation *r)
1245 {
1246         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1247 }
1248
1249
1250 /* 
1251   netr_NETRSERVERGETTRUSTINFO 
1252 */
1253 static WERROR dcesrv_netr_NETRSERVERGETTRUSTINFO(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1254                        struct netr_NETRSERVERGETTRUSTINFO *r)
1255 {
1256         DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1257 }
1258
1259
1260 /* include the generated boilerplate */
1261 #include "librpc/gen_ndr/ndr_netlogon_s.c"