s3:schannel streamline interface
[ira/wip.git] / source3 / rpc_server / srv_netlog_nt.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Copyright (C) Andrew Tridgell              1992-1997,
5  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6  *  Copyright (C) Paul Ashton                       1997.
7  *  Copyright (C) Jeremy Allison               1998-2001.
8  *  Copyright (C) Andrew Bartlett                   2001.
9  *  Copyright (C) Guenther Deschner                 2008-2009.
10  *
11  *  This program is free software; you can redistribute it and/or modify
12  *  it under the terms of the GNU General Public License as published by
13  *  the Free Software Foundation; either version 3 of the License, or
14  *  (at your option) any later version.
15  *
16  *  This program is distributed in the hope that it will be useful,
17  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
18  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19  *  GNU General Public License for more details.
20  *
21  *  You should have received a copy of the GNU General Public License
22  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
23  */
24
25 /* This is the implementation of the netlogon pipe. */
26
27 #include "includes.h"
28 #include "../libcli/auth/schannel.h"
29 #include "../librpc/gen_ndr/srv_netlogon.h"
30
31 extern userdom_struct current_user_info;
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_RPC_SRV
35
36 struct netlogon_server_pipe_state {
37         struct netr_Credential client_challenge;
38         struct netr_Credential server_challenge;
39 };
40
41 /*************************************************************************
42  _netr_LogonControl
43  *************************************************************************/
44
45 WERROR _netr_LogonControl(pipes_struct *p,
46                           struct netr_LogonControl *r)
47 {
48         struct netr_LogonControl2Ex l;
49
50         switch (r->in.level) {
51         case 1:
52                 break;
53         case 2:
54                 return WERR_NOT_SUPPORTED;
55         default:
56                 return WERR_UNKNOWN_LEVEL;
57         }
58
59         l.in.logon_server       = r->in.logon_server;
60         l.in.function_code      = r->in.function_code;
61         l.in.level              = r->in.level;
62         l.in.data               = NULL;
63         l.out.query             = r->out.query;
64
65         return _netr_LogonControl2Ex(p, &l);
66 }
67
68 /****************************************************************************
69 Send a message to smbd to do a sam synchronisation
70 **************************************************************************/
71
72 static void send_sync_message(void)
73 {
74         DEBUG(3, ("sending sam synchronisation message\n"));
75         message_send_all(smbd_messaging_context(), MSG_SMB_SAM_SYNC, NULL, 0,
76                          NULL);
77 }
78
79 /*************************************************************************
80  _netr_LogonControl2
81  *************************************************************************/
82
83 WERROR _netr_LogonControl2(pipes_struct *p,
84                            struct netr_LogonControl2 *r)
85 {
86         struct netr_LogonControl2Ex l;
87
88         l.in.logon_server       = r->in.logon_server;
89         l.in.function_code      = r->in.function_code;
90         l.in.level              = r->in.level;
91         l.in.data               = r->in.data;
92         l.out.query             = r->out.query;
93
94         return _netr_LogonControl2Ex(p, &l);
95 }
96
97 /*************************************************************************
98  *************************************************************************/
99
100 static bool wb_change_trust_creds(const char *domain, WERROR *tc_status)
101 {
102         wbcErr result;
103         struct wbcAuthErrorInfo *error = NULL;
104
105         result = wbcChangeTrustCredentials(domain, &error);
106         switch (result) {
107         case WBC_ERR_WINBIND_NOT_AVAILABLE:
108                 return false;
109         case WBC_ERR_DOMAIN_NOT_FOUND:
110                 *tc_status = WERR_NO_SUCH_DOMAIN;
111                 return true;
112         case WBC_ERR_SUCCESS:
113                 *tc_status = WERR_OK;
114                 return true;
115         default:
116                 break;
117         }
118
119         if (error && error->nt_status != 0) {
120                 *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
121         } else {
122                 *tc_status = WERR_TRUST_FAILURE;
123         }
124         wbcFreeMemory(error);
125         return true;
126 }
127
128 /*************************************************************************
129  *************************************************************************/
130
131 static bool wb_check_trust_creds(const char *domain, WERROR *tc_status)
132 {
133         wbcErr result;
134         struct wbcAuthErrorInfo *error = NULL;
135
136         result = wbcCheckTrustCredentials(domain, &error);
137         switch (result) {
138         case WBC_ERR_WINBIND_NOT_AVAILABLE:
139                 return false;
140         case WBC_ERR_DOMAIN_NOT_FOUND:
141                 *tc_status = WERR_NO_SUCH_DOMAIN;
142                 return true;
143         case WBC_ERR_SUCCESS:
144                 *tc_status = WERR_OK;
145                 return true;
146         default:
147                 break;
148         }
149
150         if (error && error->nt_status != 0) {
151                 *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
152         } else {
153                 *tc_status = WERR_TRUST_FAILURE;
154         }
155         wbcFreeMemory(error);
156         return true;
157 }
158
159 /****************************************************************
160  _netr_LogonControl2Ex
161 ****************************************************************/
162
163 WERROR _netr_LogonControl2Ex(pipes_struct *p,
164                              struct netr_LogonControl2Ex *r)
165 {
166         uint32_t flags = 0x0;
167         WERROR pdc_connection_status = WERR_OK;
168         uint32_t logon_attempts = 0x0;
169         WERROR tc_status;
170         fstring dc_name2;
171         const char *dc_name = NULL;
172         struct sockaddr_storage dc_ss;
173         const char *domain = NULL;
174         struct netr_NETLOGON_INFO_1 *info1;
175         struct netr_NETLOGON_INFO_2 *info2;
176         struct netr_NETLOGON_INFO_3 *info3;
177         struct netr_NETLOGON_INFO_4 *info4;
178         const char *fn;
179         uint32_t acct_ctrl;
180
181         switch (p->hdr_req.opnum) {
182         case NDR_NETR_LOGONCONTROL:
183                 fn = "_netr_LogonControl";
184                 break;
185         case NDR_NETR_LOGONCONTROL2:
186                 fn = "_netr_LogonControl2";
187                 break;
188         case NDR_NETR_LOGONCONTROL2EX:
189                 fn = "_netr_LogonControl2Ex";
190                 break;
191         default:
192                 return WERR_INVALID_PARAM;
193         }
194
195         acct_ctrl = pdb_get_acct_ctrl(p->server_info->sam_account);
196
197         switch (r->in.function_code) {
198         case NETLOGON_CONTROL_TC_VERIFY:
199         case NETLOGON_CONTROL_CHANGE_PASSWORD:
200         case NETLOGON_CONTROL_REDISCOVER:
201                 if ((geteuid() != sec_initial_uid()) &&
202                     !nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_RID_ADMINS) &&
203                     !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok) &&
204                     !(acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST))) {
205                         return WERR_ACCESS_DENIED;
206                 }
207                 break;
208         default:
209                 break;
210         }
211
212         tc_status = WERR_NO_SUCH_DOMAIN;
213
214         switch (r->in.function_code) {
215         case NETLOGON_CONTROL_QUERY:
216                 tc_status = WERR_OK;
217                 break;
218         case NETLOGON_CONTROL_REPLICATE:
219         case NETLOGON_CONTROL_SYNCHRONIZE:
220         case NETLOGON_CONTROL_PDC_REPLICATE:
221         case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
222         case NETLOGON_CONTROL_BREAKPOINT:
223                 if (acct_ctrl & ACB_NORMAL) {
224                         return WERR_NOT_SUPPORTED;
225                 } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
226                         return WERR_ACCESS_DENIED;
227                 } else {
228                         return WERR_ACCESS_DENIED;
229                 }
230         case NETLOGON_CONTROL_TRUNCATE_LOG:
231                 if (acct_ctrl & ACB_NORMAL) {
232                         break;
233                 } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
234                         return WERR_ACCESS_DENIED;
235                 } else {
236                         return WERR_ACCESS_DENIED;
237                 }
238
239         case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
240         case NETLOGON_CONTROL_FORCE_DNS_REG:
241         case NETLOGON_CONTROL_QUERY_DNS_REG:
242                 return WERR_NOT_SUPPORTED;
243         case NETLOGON_CONTROL_FIND_USER:
244                 if (!r->in.data || !r->in.data->user) {
245                         return WERR_NOT_SUPPORTED;
246                 }
247                 break;
248         case NETLOGON_CONTROL_SET_DBFLAG:
249                 if (!r->in.data) {
250                         return WERR_NOT_SUPPORTED;
251                 }
252                 break;
253         case NETLOGON_CONTROL_TC_VERIFY:
254                 if (!r->in.data || !r->in.data->domain) {
255                         return WERR_NOT_SUPPORTED;
256                 }
257
258                 if (!wb_check_trust_creds(r->in.data->domain, &tc_status)) {
259                         return WERR_NOT_SUPPORTED;
260                 }
261                 break;
262         case NETLOGON_CONTROL_TC_QUERY:
263                 if (!r->in.data || !r->in.data->domain) {
264                         return WERR_NOT_SUPPORTED;
265                 }
266
267                 domain = r->in.data->domain;
268
269                 if (!is_trusted_domain(domain)) {
270                         break;
271                 }
272
273                 if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
274                         tc_status = WERR_NO_LOGON_SERVERS;
275                         break;
276                 }
277
278                 dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
279                 if (!dc_name) {
280                         return WERR_NOMEM;
281                 }
282
283                 tc_status = WERR_OK;
284
285                 break;
286
287         case NETLOGON_CONTROL_REDISCOVER:
288                 if (!r->in.data || !r->in.data->domain) {
289                         return WERR_NOT_SUPPORTED;
290                 }
291
292                 domain = r->in.data->domain;
293
294                 if (!is_trusted_domain(domain)) {
295                         break;
296                 }
297
298                 if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
299                         tc_status = WERR_NO_LOGON_SERVERS;
300                         break;
301                 }
302
303                 dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
304                 if (!dc_name) {
305                         return WERR_NOMEM;
306                 }
307
308                 tc_status = WERR_OK;
309
310                 break;
311
312         case NETLOGON_CONTROL_CHANGE_PASSWORD:
313                 if (!r->in.data || !r->in.data->domain) {
314                         return WERR_NOT_SUPPORTED;
315                 }
316
317                 if (!wb_change_trust_creds(r->in.data->domain, &tc_status)) {
318                         return WERR_NOT_SUPPORTED;
319                 }
320                 break;
321
322         default:
323                 /* no idea what this should be */
324                 DEBUG(0,("%s: unimplemented function level [%d]\n",
325                         fn, r->in.function_code));
326                 return WERR_UNKNOWN_LEVEL;
327         }
328
329         /* prepare the response */
330
331         switch (r->in.level) {
332         case 1:
333                 info1 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_1);
334                 W_ERROR_HAVE_NO_MEMORY(info1);
335
336                 info1->flags                    = flags;
337                 info1->pdc_connection_status    = pdc_connection_status;
338
339                 r->out.query->info1 = info1;
340                 break;
341         case 2:
342                 info2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_2);
343                 W_ERROR_HAVE_NO_MEMORY(info2);
344
345                 info2->flags                    = flags;
346                 info2->pdc_connection_status    = pdc_connection_status;
347                 info2->trusted_dc_name          = dc_name;
348                 info2->tc_connection_status     = tc_status;
349
350                 r->out.query->info2 = info2;
351                 break;
352         case 3:
353                 info3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_3);
354                 W_ERROR_HAVE_NO_MEMORY(info3);
355
356                 info3->flags                    = flags;
357                 info3->logon_attempts           = logon_attempts;
358
359                 r->out.query->info3 = info3;
360                 break;
361         case 4:
362                 info4 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_4);
363                 W_ERROR_HAVE_NO_MEMORY(info4);
364
365                 info4->trusted_dc_name          = dc_name;
366                 info4->trusted_domain_name      = r->in.data->domain;
367
368                 r->out.query->info4 = info4;
369                 break;
370         default:
371                 return WERR_UNKNOWN_LEVEL;
372         }
373
374         if (lp_server_role() == ROLE_DOMAIN_BDC) {
375                 send_sync_message();
376         }
377
378         return WERR_OK;
379 }
380
381 /*************************************************************************
382  _netr_NetrEnumerateTrustedDomains
383  *************************************************************************/
384
385 WERROR _netr_NetrEnumerateTrustedDomains(pipes_struct *p,
386                                          struct netr_NetrEnumerateTrustedDomains *r)
387 {
388         NTSTATUS status;
389         DATA_BLOB blob;
390         struct trustdom_info **domains;
391         uint32_t num_domains;
392         const char **trusted_domains;
393         int i;
394
395         DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
396
397         /* set up the Trusted Domain List response */
398
399         become_root();
400         status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
401         unbecome_root();
402
403         if (!NT_STATUS_IS_OK(status)) {
404                 return ntstatus_to_werror(status);
405         }
406
407         trusted_domains = talloc_zero_array(p->mem_ctx, const char *, num_domains + 1);
408         if (!trusted_domains) {
409                 return WERR_NOMEM;
410         }
411
412         for (i = 0; i < num_domains; i++) {
413                 trusted_domains[i] = talloc_strdup(trusted_domains, domains[i]->name);
414                 if (!trusted_domains[i]) {
415                         TALLOC_FREE(trusted_domains);
416                         return WERR_NOMEM;
417                 }
418         }
419
420         if (!push_reg_multi_sz(trusted_domains, &blob, trusted_domains)) {
421                 TALLOC_FREE(trusted_domains);
422                 return WERR_NOMEM;
423         }
424
425         r->out.trusted_domains_blob->data = blob.data;
426         r->out.trusted_domains_blob->length = blob.length;
427
428         DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
429
430         return WERR_OK;
431 }
432
433 /******************************************************************
434  gets a machine password entry.  checks access rights of the host.
435  ******************************************************************/
436
437 static NTSTATUS get_md4pw(struct samr_Password *md4pw, const char *mach_acct,
438                           enum netr_SchannelType sec_chan_type, struct dom_sid *sid)
439 {
440         struct samu *sampass = NULL;
441         const uint8 *pass;
442         bool ret;
443         uint32 acct_ctrl;
444
445 #if 0
446         char addr[INET6_ADDRSTRLEN];
447
448     /*
449      * Currently this code is redundent as we already have a filter
450      * by hostname list. What this code really needs to do is to
451      * get a hosts allowed/hosts denied list from the SAM database
452      * on a per user basis, and make the access decision there.
453      * I will leave this code here for now as a reminder to implement
454      * this at a later date. JRA.
455      */
456
457         if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
458                         client_name(get_client_fd()),
459                         client_addr(get_client_fd(),addr,sizeof(addr)))) {
460                 DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct));
461                 return False;
462         }
463 #endif /* 0 */
464
465         if ( !(sampass = samu_new( NULL )) ) {
466                 return NT_STATUS_NO_MEMORY;
467         }
468
469         /* JRA. This is ok as it is only used for generating the challenge. */
470         become_root();
471         ret = pdb_getsampwnam(sampass, mach_acct);
472         unbecome_root();
473
474         if (!ret) {
475                 DEBUG(0,("get_md4pw: Workstation %s: no account in domain\n", mach_acct));
476                 TALLOC_FREE(sampass);
477                 return NT_STATUS_ACCESS_DENIED;
478         }
479
480         acct_ctrl = pdb_get_acct_ctrl(sampass);
481         if (acct_ctrl & ACB_DISABLED) {
482                 DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct));
483                 TALLOC_FREE(sampass);
484                 return NT_STATUS_ACCOUNT_DISABLED;
485         }
486
487         if (!(acct_ctrl & ACB_SVRTRUST) &&
488             !(acct_ctrl & ACB_WSTRUST) &&
489             !(acct_ctrl & ACB_DOMTRUST))
490         {
491                 DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct));
492                 TALLOC_FREE(sampass);
493                 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
494         }
495
496         switch (sec_chan_type) {
497                 case SEC_CHAN_BDC:
498                         if (!(acct_ctrl & ACB_SVRTRUST)) {
499                                 DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
500                                          "but not a server trust account\n", mach_acct));
501                                 TALLOC_FREE(sampass);
502                                 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
503                         }
504                         break;
505                 case SEC_CHAN_WKSTA:
506                         if (!(acct_ctrl & ACB_WSTRUST)) {
507                                 DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
508                                          "but not a workstation trust account\n", mach_acct));
509                                 TALLOC_FREE(sampass);
510                                 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
511                         }
512                         break;
513                 case SEC_CHAN_DOMAIN:
514                         if (!(acct_ctrl & ACB_DOMTRUST)) {
515                                 DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
516                                          "but not a interdomain trust account\n", mach_acct));
517                                 TALLOC_FREE(sampass);
518                                 return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
519                         }
520                         break;
521                 default:
522                         break;
523         }
524
525         if ((pass = pdb_get_nt_passwd(sampass)) == NULL) {
526                 DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct));
527                 TALLOC_FREE(sampass);
528                 return NT_STATUS_LOGON_FAILURE;
529         }
530
531         memcpy(md4pw->hash, pass, 16);
532         dump_data(5, md4pw->hash, 16);
533
534         sid_copy(sid, pdb_get_user_sid(sampass));
535
536         TALLOC_FREE(sampass);
537
538         return NT_STATUS_OK;
539
540
541 }
542
543 /*************************************************************************
544  _netr_ServerReqChallenge
545  *************************************************************************/
546
547 NTSTATUS _netr_ServerReqChallenge(pipes_struct *p,
548                                   struct netr_ServerReqChallenge *r)
549 {
550         struct netlogon_server_pipe_state *pipe_state =
551                 talloc_get_type(p->private_data, struct netlogon_server_pipe_state);
552
553         if (pipe_state) {
554                 DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));
555                 talloc_free(pipe_state);
556                 p->private_data = NULL;
557         }
558
559         pipe_state = talloc(p, struct netlogon_server_pipe_state);
560         NT_STATUS_HAVE_NO_MEMORY(pipe_state);
561
562         pipe_state->client_challenge = *r->in.credentials;
563
564         generate_random_buffer(pipe_state->server_challenge.data,
565                                sizeof(pipe_state->server_challenge.data));
566
567         *r->out.return_credentials = pipe_state->server_challenge;
568
569         p->private_data = pipe_state;
570
571         return NT_STATUS_OK;
572 }
573
574 /*************************************************************************
575  _netr_ServerAuthenticate
576  Create the initial credentials.
577  *************************************************************************/
578
579 NTSTATUS _netr_ServerAuthenticate(pipes_struct *p,
580                                   struct netr_ServerAuthenticate *r)
581 {
582         struct netr_ServerAuthenticate3 a;
583         uint32_t negotiate_flags = 0;
584         uint32_t rid;
585
586         a.in.server_name                = r->in.server_name;
587         a.in.account_name               = r->in.account_name;
588         a.in.secure_channel_type        = r->in.secure_channel_type;
589         a.in.computer_name              = r->in.computer_name;
590         a.in.credentials                = r->in.credentials;
591         a.in.negotiate_flags            = &negotiate_flags;
592
593         a.out.return_credentials        = r->out.return_credentials;
594         a.out.rid                       = &rid;
595         a.out.negotiate_flags           = &negotiate_flags;
596
597         return _netr_ServerAuthenticate3(p, &a);
598
599 }
600
601 /*************************************************************************
602  _netr_ServerAuthenticate3
603  *************************************************************************/
604
605 NTSTATUS _netr_ServerAuthenticate3(pipes_struct *p,
606                                    struct netr_ServerAuthenticate3 *r)
607 {
608         NTSTATUS status;
609         uint32_t srv_flgs;
610         /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
611          * so use a copy to avoid destroying the client values. */
612         uint32_t in_neg_flags = *r->in.negotiate_flags;
613         const char *fn;
614         struct dom_sid sid;
615         struct samr_Password mach_pwd;
616         struct netlogon_creds_CredentialState *creds;
617         struct netlogon_server_pipe_state *pipe_state =
618                 talloc_get_type(p->private_data, struct netlogon_server_pipe_state);
619
620         /* According to Microsoft (see bugid #6099)
621          * Windows 7 looks at the negotiate_flags
622          * returned in this structure *even if the
623          * call fails with access denied* ! So in order
624          * to allow Win7 to connect to a Samba NT style
625          * PDC we set the flags before we know if it's
626          * an error or not.
627          */
628
629         /* 0x000001ff */
630         srv_flgs = NETLOGON_NEG_ACCOUNT_LOCKOUT |
631                    NETLOGON_NEG_PERSISTENT_SAMREPL |
632                    NETLOGON_NEG_ARCFOUR |
633                    NETLOGON_NEG_PROMOTION_COUNT |
634                    NETLOGON_NEG_CHANGELOG_BDC |
635                    NETLOGON_NEG_FULL_SYNC_REPL |
636                    NETLOGON_NEG_MULTIPLE_SIDS |
637                    NETLOGON_NEG_REDO |
638                    NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
639                    NETLOGON_NEG_PASSWORD_SET2;
640
641         /* Ensure we support strong (128-bit) keys. */
642         if (in_neg_flags & NETLOGON_NEG_STRONG_KEYS) {
643                 srv_flgs |= NETLOGON_NEG_STRONG_KEYS;
644         }
645
646         if (lp_server_schannel() != false) {
647                 srv_flgs |= NETLOGON_NEG_SCHANNEL;
648         }
649
650         switch (p->hdr_req.opnum) {
651                 case NDR_NETR_SERVERAUTHENTICATE:
652                         fn = "_netr_ServerAuthenticate";
653                         break;
654                 case NDR_NETR_SERVERAUTHENTICATE2:
655                         fn = "_netr_ServerAuthenticate2";
656                         break;
657                 case NDR_NETR_SERVERAUTHENTICATE3:
658                         fn = "_netr_ServerAuthenticate3";
659                         break;
660                 default:
661                         return NT_STATUS_INTERNAL_ERROR;
662         }
663
664         /* We use this as the key to store the creds: */
665         /* r->in.computer_name */
666
667         if (!pipe_state) {
668                 DEBUG(0,("%s: no challenge sent to client %s\n", fn,
669                         r->in.computer_name));
670                 status = NT_STATUS_ACCESS_DENIED;
671                 goto out;
672         }
673
674         if ( (lp_server_schannel() == true) &&
675              ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
676
677                 /* schannel must be used, but client did not offer it. */
678                 DEBUG(0,("%s: schannel required but client failed "
679                         "to offer it. Client was %s\n",
680                         fn, r->in.account_name));
681                 status = NT_STATUS_ACCESS_DENIED;
682                 goto out;
683         }
684
685         status = get_md4pw(&mach_pwd,
686                            r->in.account_name,
687                            r->in.secure_channel_type,
688                            &sid);
689         if (!NT_STATUS_IS_OK(status)) {
690                 DEBUG(0,("%s: failed to get machine password for "
691                         "account %s: %s\n",
692                         fn, r->in.account_name, nt_errstr(status) ));
693                 /* always return NT_STATUS_ACCESS_DENIED */
694                 status = NT_STATUS_ACCESS_DENIED;
695                 goto out;
696         }
697
698         /* From the client / server challenges and md4 password, generate sess key */
699         /* Check client credentials are valid. */
700         creds = netlogon_creds_server_init(p->mem_ctx,
701                                            r->in.account_name,
702                                            r->in.computer_name,
703                                            r->in.secure_channel_type,
704                                            &pipe_state->client_challenge,
705                                            &pipe_state->server_challenge,
706                                            &mach_pwd,
707                                            r->in.credentials,
708                                            r->out.return_credentials,
709                                            *r->in.negotiate_flags);
710         if (!creds) {
711                 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
712                         "request from client %s machine account %s\n",
713                         fn, r->in.computer_name,
714                         r->in.account_name));
715                 status = NT_STATUS_ACCESS_DENIED;
716                 goto out;
717         }
718
719         creds->sid = sid_dup_talloc(creds, &sid);
720         if (!creds->sid) {
721                 status = NT_STATUS_NO_MEMORY;
722                 goto out;
723         }
724
725         /* Store off the state so we can continue after client disconnect. */
726         become_root();
727         status = schannel_save_creds_state(p->mem_ctx, creds);
728         unbecome_root();
729
730         if (!NT_STATUS_IS_OK(status)) {
731                 goto out;
732         }
733
734         sid_peek_rid(&sid, r->out.rid);
735
736         status = NT_STATUS_OK;
737
738   out:
739
740         *r->out.negotiate_flags = srv_flgs;
741         return status;
742 }
743
744 /*************************************************************************
745  _netr_ServerAuthenticate2
746  *************************************************************************/
747
748 NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
749                                    struct netr_ServerAuthenticate2 *r)
750 {
751         struct netr_ServerAuthenticate3 a;
752         uint32_t rid;
753
754         a.in.server_name                = r->in.server_name;
755         a.in.account_name               = r->in.account_name;
756         a.in.secure_channel_type        = r->in.secure_channel_type;
757         a.in.computer_name              = r->in.computer_name;
758         a.in.credentials                = r->in.credentials;
759         a.in.negotiate_flags            = r->in.negotiate_flags;
760
761         a.out.return_credentials        = r->out.return_credentials;
762         a.out.rid                       = &rid;
763         a.out.negotiate_flags           = r->out.negotiate_flags;
764
765         return _netr_ServerAuthenticate3(p, &a);
766 }
767
768 /*************************************************************************
769  * If schannel is required for this call test that it actually is available.
770  *************************************************************************/
771 static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info,
772                                         const char *computer_name,
773                                         bool integrity, bool privacy)
774 {
775         if (auth_info && auth_info->auth_type == PIPE_AUTH_TYPE_SCHANNEL) {
776                 if (!privacy && !integrity) {
777                         return NT_STATUS_OK;
778                 }
779
780                 if ((!privacy && integrity) &&
781                     auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
782                         return NT_STATUS_OK;
783                 }
784
785                 if ((privacy || integrity) &&
786                     auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
787                         return NT_STATUS_OK;
788                 }
789         }
790
791         /* test didn't pass */
792         DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
793                   computer_name));
794
795         return NT_STATUS_ACCESS_DENIED;
796 }
797
798 /*************************************************************************
799  *************************************************************************/
800
801 static NTSTATUS netr_creds_server_step_check(pipes_struct *p,
802                                              TALLOC_CTX *mem_ctx,
803                                              const char *computer_name,
804                                              struct netr_Authenticator *received_authenticator,
805                                              struct netr_Authenticator *return_authenticator,
806                                              struct netlogon_creds_CredentialState **creds_out)
807 {
808         NTSTATUS status;
809         bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
810
811         if (schannel_global_required) {
812                 status = schannel_check_required(&p->auth,
813                                                  computer_name,
814                                                  false, false);
815                 if (!NT_STATUS_IS_OK(status)) {
816                         return status;
817                 }
818         }
819
820         status = schannel_check_creds_state(mem_ctx,
821                                             computer_name,
822                                             received_authenticator,
823                                             return_authenticator,
824                                             creds_out);
825
826         return status;
827 }
828
829 /*************************************************************************
830  *************************************************************************/
831
832 static NTSTATUS netr_find_machine_account(TALLOC_CTX *mem_ctx,
833                                           const char *account_name,
834                                           struct samu **sampassp)
835 {
836         struct samu *sampass;
837         bool ret = false;
838         uint32_t acct_ctrl;
839
840         sampass = samu_new(mem_ctx);
841         if (!sampass) {
842                 return NT_STATUS_NO_MEMORY;
843         }
844
845         become_root();
846         ret = pdb_getsampwnam(sampass, account_name);
847         unbecome_root();
848
849         if (!ret) {
850                 TALLOC_FREE(sampass);
851                 return NT_STATUS_ACCESS_DENIED;
852         }
853
854         /* Ensure the account exists and is a machine account. */
855
856         acct_ctrl = pdb_get_acct_ctrl(sampass);
857
858         if (!(acct_ctrl & ACB_WSTRUST ||
859               acct_ctrl & ACB_SVRTRUST ||
860               acct_ctrl & ACB_DOMTRUST)) {
861                 TALLOC_FREE(sampass);
862                 return NT_STATUS_NO_SUCH_USER;
863         }
864
865         if (acct_ctrl & ACB_DISABLED) {
866                 TALLOC_FREE(sampass);
867                 return NT_STATUS_ACCOUNT_DISABLED;
868         }
869
870         *sampassp = sampass;
871
872         return NT_STATUS_OK;
873 }
874
875 /*************************************************************************
876  *************************************************************************/
877
878 static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
879                                                   struct samu *sampass,
880                                                   DATA_BLOB *plaintext_blob,
881                                                   struct samr_Password *nt_hash,
882                                                   struct samr_Password *lm_hash)
883 {
884         NTSTATUS status;
885         const uchar *old_pw;
886         const char *plaintext = NULL;
887         size_t plaintext_len;
888         struct samr_Password nt_hash_local;
889
890         if (!sampass) {
891                 return NT_STATUS_INVALID_PARAMETER;
892         }
893
894         if (plaintext_blob) {
895                 if (!convert_string_talloc(mem_ctx, CH_UTF16, CH_UNIX,
896                                            plaintext_blob->data, plaintext_blob->length,
897                                            &plaintext, &plaintext_len, false))
898                 {
899                         plaintext = NULL;
900                         mdfour(nt_hash_local.hash, plaintext_blob->data, plaintext_blob->length);
901                         nt_hash = &nt_hash_local;
902                 }
903         }
904
905         if (plaintext) {
906                 if (!pdb_set_plaintext_passwd(sampass, plaintext)) {
907                         return NT_STATUS_ACCESS_DENIED;
908                 }
909
910                 goto done;
911         }
912
913         if (nt_hash) {
914                 old_pw = pdb_get_nt_passwd(sampass);
915
916                 if (old_pw && memcmp(nt_hash->hash, old_pw, 16) == 0) {
917                         /* Avoid backend modificiations and other fun if the
918                            client changed the password to the *same thing* */
919                 } else {
920                         /* LM password should be NULL for machines */
921                         if (!pdb_set_lanman_passwd(sampass, NULL, PDB_CHANGED)) {
922                                 return NT_STATUS_NO_MEMORY;
923                         }
924                         if (!pdb_set_nt_passwd(sampass, nt_hash->hash, PDB_CHANGED)) {
925                                 return NT_STATUS_NO_MEMORY;
926                         }
927
928                         if (!pdb_set_pass_last_set_time(sampass, time(NULL), PDB_CHANGED)) {
929                                 /* Not quite sure what this one qualifies as, but this will do */
930                                 return NT_STATUS_UNSUCCESSFUL;
931                         }
932                 }
933         }
934
935  done:
936         become_root();
937         status = pdb_update_sam_account(sampass);
938         unbecome_root();
939
940         return status;
941 }
942
943 /*************************************************************************
944  _netr_ServerPasswordSet
945  *************************************************************************/
946
947 NTSTATUS _netr_ServerPasswordSet(pipes_struct *p,
948                                  struct netr_ServerPasswordSet *r)
949 {
950         NTSTATUS status = NT_STATUS_OK;
951         struct samu *sampass=NULL;
952         int i;
953         struct netlogon_creds_CredentialState *creds;
954
955         DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
956
957         become_root();
958         status = netr_creds_server_step_check(p, p->mem_ctx,
959                                               r->in.computer_name,
960                                               r->in.credential,
961                                               r->out.return_authenticator,
962                                               &creds);
963         unbecome_root();
964
965         if (!NT_STATUS_IS_OK(status)) {
966                 DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
967                         "request from client %s machine account %s\n",
968                         r->in.computer_name, creds->computer_name));
969                 TALLOC_FREE(creds);
970                 return status;
971         }
972
973         DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
974                         r->in.computer_name, creds->computer_name));
975
976         netlogon_creds_des_decrypt(creds, r->in.new_password);
977
978         DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
979         for(i = 0; i < sizeof(r->in.new_password->hash); i++)
980                 DEBUG(100,("%02X ", r->in.new_password->hash[i]));
981         DEBUG(100,("\n"));
982
983         status = netr_find_machine_account(p->mem_ctx,
984                                            creds->account_name,
985                                            &sampass);
986         if (!NT_STATUS_IS_OK(status)) {
987                 return status;
988         }
989
990         status = netr_set_machine_account_password(sampass,
991                                                    sampass,
992                                                    NULL,
993                                                    r->in.new_password,
994                                                    NULL);
995         TALLOC_FREE(sampass);
996         return status;
997 }
998
999 /****************************************************************
1000  _netr_ServerPasswordSet2
1001 ****************************************************************/
1002
1003 NTSTATUS _netr_ServerPasswordSet2(pipes_struct *p,
1004                                   struct netr_ServerPasswordSet2 *r)
1005 {
1006         NTSTATUS status;
1007         struct netlogon_creds_CredentialState *creds;
1008         struct samu *sampass;
1009         DATA_BLOB plaintext;
1010         struct samr_CryptPassword password_buf;
1011         struct samr_Password nt_hash;
1012
1013         become_root();
1014         status = netr_creds_server_step_check(p, p->mem_ctx,
1015                                               r->in.computer_name,
1016                                               r->in.credential,
1017                                               r->out.return_authenticator,
1018                                               &creds);
1019         unbecome_root();
1020
1021         if (!NT_STATUS_IS_OK(status)) {
1022                 DEBUG(2,("_netr_ServerPasswordSet2: netlogon_creds_server_step "
1023                         "failed. Rejecting auth request from client %s machine account %s\n",
1024                         r->in.computer_name, creds->computer_name));
1025                 TALLOC_FREE(creds);
1026                 return status;
1027         }
1028
1029         memcpy(password_buf.data, r->in.new_password->data, 512);
1030         SIVAL(password_buf.data, 512, r->in.new_password->length);
1031         netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
1032
1033         if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &plaintext)) {
1034                 return NT_STATUS_WRONG_PASSWORD;
1035         }
1036
1037         mdfour(nt_hash.hash, plaintext.data, plaintext.length);
1038
1039         status = netr_find_machine_account(p->mem_ctx,
1040                                            creds->account_name,
1041                                            &sampass);
1042         if (!NT_STATUS_IS_OK(status)) {
1043                 return status;
1044         }
1045
1046         status = netr_set_machine_account_password(sampass,
1047                                                    sampass,
1048                                                    NULL,
1049                                                    &nt_hash,
1050                                                    NULL);
1051         TALLOC_FREE(sampass);
1052         return status;
1053 }
1054
1055 /*************************************************************************
1056  _netr_LogonSamLogoff
1057  *************************************************************************/
1058
1059 NTSTATUS _netr_LogonSamLogoff(pipes_struct *p,
1060                               struct netr_LogonSamLogoff *r)
1061 {
1062         NTSTATUS status;
1063         struct netlogon_creds_CredentialState *creds;
1064
1065         become_root();
1066         status = netr_creds_server_step_check(p, p->mem_ctx,
1067                                               r->in.computer_name,
1068                                               r->in.credential,
1069                                               r->out.return_authenticator,
1070                                               &creds);
1071         unbecome_root();
1072
1073         return status;
1074 }
1075
1076 /*************************************************************************
1077  _netr_LogonSamLogon_base
1078  *************************************************************************/
1079
1080 static NTSTATUS _netr_LogonSamLogon_base(pipes_struct *p,
1081                                          struct netr_LogonSamLogonEx *r,
1082                                          struct netlogon_creds_CredentialState *creds)
1083 {
1084         NTSTATUS status = NT_STATUS_OK;
1085         union netr_LogonLevel *logon = r->in.logon;
1086         const char *nt_username, *nt_domain, *nt_workstation;
1087         struct auth_usersupplied_info *user_info = NULL;
1088         struct auth_serversupplied_info *server_info = NULL;
1089         struct auth_context *auth_context = NULL;
1090         uint8_t pipe_session_key[16];
1091         bool process_creds = true;
1092         const char *fn;
1093
1094         switch (p->hdr_req.opnum) {
1095                 case NDR_NETR_LOGONSAMLOGON:
1096                         process_creds = true;
1097                         fn = "_netr_LogonSamLogon";
1098                         break;
1099                 case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
1100                         process_creds = true;
1101                         fn = "_netr_LogonSamLogonWithFlags";
1102                         break;
1103                 case NDR_NETR_LOGONSAMLOGONEX:
1104                         process_creds = false;
1105                         fn = "_netr_LogonSamLogonEx";
1106                         break;
1107                 default:
1108                         return NT_STATUS_INTERNAL_ERROR;
1109         }
1110
1111         *r->out.authoritative = true; /* authoritative response */
1112
1113         switch (r->in.validation_level) {
1114         case 2:
1115                 r->out.validation->sam2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo2);
1116                 if (!r->out.validation->sam2) {
1117                         return NT_STATUS_NO_MEMORY;
1118                 }
1119                 break;
1120         case 3:
1121                 r->out.validation->sam3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo3);
1122                 if (!r->out.validation->sam3) {
1123                         return NT_STATUS_NO_MEMORY;
1124                 }
1125                 break;
1126         case 6:
1127                 r->out.validation->sam6 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo6);
1128                 if (!r->out.validation->sam6) {
1129                         return NT_STATUS_NO_MEMORY;
1130                 }
1131                 break;
1132         default:
1133                 DEBUG(0,("%s: bad validation_level value %d.\n",
1134                         fn, (int)r->in.validation_level));
1135                 return NT_STATUS_INVALID_INFO_CLASS;
1136         }
1137
1138         switch (r->in.logon_level) {
1139         case NetlogonInteractiveInformation:
1140         case NetlogonServiceInformation:
1141         case NetlogonInteractiveTransitiveInformation:
1142         case NetlogonServiceTransitiveInformation:
1143                 nt_username     = logon->password->identity_info.account_name.string;
1144                 nt_domain       = logon->password->identity_info.domain_name.string;
1145                 nt_workstation  = logon->password->identity_info.workstation.string;
1146
1147                 DEBUG(3,("SAM Logon (Interactive). Domain:[%s].  ", lp_workgroup()));
1148                 break;
1149         case NetlogonNetworkInformation:
1150         case NetlogonNetworkTransitiveInformation:
1151                 nt_username     = logon->network->identity_info.account_name.string;
1152                 nt_domain       = logon->network->identity_info.domain_name.string;
1153                 nt_workstation  = logon->network->identity_info.workstation.string;
1154
1155                 DEBUG(3,("SAM Logon (Network). Domain:[%s].  ", lp_workgroup()));
1156                 break;
1157         default:
1158                 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1159                 return NT_STATUS_INVALID_INFO_CLASS;
1160         } /* end switch */
1161
1162         DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username, nt_workstation, nt_domain));
1163         fstrcpy(current_user_info.smb_name, nt_username);
1164         sub_set_smb_name(nt_username);
1165
1166         DEBUG(5,("Attempting validation level %d for unmapped username %s.\n",
1167                 r->in.validation_level, nt_username));
1168
1169         status = NT_STATUS_OK;
1170
1171         switch (r->in.logon_level) {
1172         case NetlogonNetworkInformation:
1173         case NetlogonNetworkTransitiveInformation:
1174         {
1175                 const char *wksname = nt_workstation;
1176
1177                 status = make_auth_context_fixed(&auth_context,
1178                                                  logon->network->challenge);
1179                 if (!NT_STATUS_IS_OK(status)) {
1180                         return status;
1181                 }
1182
1183                 /* For a network logon, the workstation name comes in with two
1184                  * backslashes in the front. Strip them if they are there. */
1185
1186                 if (*wksname == '\\') wksname++;
1187                 if (*wksname == '\\') wksname++;
1188
1189                 /* Standard challenge/response authenticaion */
1190                 if (!make_user_info_netlogon_network(&user_info,
1191                                                      nt_username, nt_domain,
1192                                                      wksname,
1193                                                      logon->network->identity_info.parameter_control,
1194                                                      logon->network->lm.data,
1195                                                      logon->network->lm.length,
1196                                                      logon->network->nt.data,
1197                                                      logon->network->nt.length)) {
1198                         status = NT_STATUS_NO_MEMORY;
1199                 }
1200                 break;
1201         }
1202         case NetlogonInteractiveInformation:
1203         case NetlogonServiceInformation:
1204         case NetlogonInteractiveTransitiveInformation:
1205         case NetlogonServiceTransitiveInformation:
1206
1207                 /* 'Interactive' authentication, supplies the password in its
1208                    MD4 form, encrypted with the session key.  We will convert
1209                    this to challenge/response for the auth subsystem to chew
1210                    on */
1211         {
1212                 uint8_t chal[8];
1213
1214                 if (!NT_STATUS_IS_OK(status = make_auth_context_subsystem(&auth_context))) {
1215                         return status;
1216                 }
1217
1218                 auth_context->get_ntlm_challenge(auth_context, chal);
1219
1220                 if (!make_user_info_netlogon_interactive(&user_info,
1221                                                          nt_username, nt_domain,
1222                                                          nt_workstation,
1223                                                          logon->password->identity_info.parameter_control,
1224                                                          chal,
1225                                                          logon->password->lmpassword.hash,
1226                                                          logon->password->ntpassword.hash,
1227                                                          creds->session_key)) {
1228                         status = NT_STATUS_NO_MEMORY;
1229                 }
1230                 break;
1231         }
1232         default:
1233                 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1234                 return NT_STATUS_INVALID_INFO_CLASS;
1235         } /* end switch */
1236
1237         if ( NT_STATUS_IS_OK(status) ) {
1238                 status = auth_context->check_ntlm_password(auth_context,
1239                         user_info, &server_info);
1240         }
1241
1242         (auth_context->free)(&auth_context);
1243         free_user_info(&user_info);
1244
1245         DEBUG(5,("%s: check_password returned status %s\n",
1246                   fn, nt_errstr(status)));
1247
1248         /* Check account and password */
1249
1250         if (!NT_STATUS_IS_OK(status)) {
1251                 /* If we don't know what this domain is, we need to
1252                    indicate that we are not authoritative.  This
1253                    allows the client to decide if it needs to try
1254                    a local user.  Fix by jpjanosi@us.ibm.com, #2976 */
1255                 if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
1256                      && !strequal(nt_domain, get_global_sam_name())
1257                      && !is_trusted_domain(nt_domain) )
1258                         *r->out.authoritative = false; /* We are not authoritative */
1259
1260                 TALLOC_FREE(server_info);
1261                 return status;
1262         }
1263
1264         if (server_info->guest) {
1265                 /* We don't like guest domain logons... */
1266                 DEBUG(5,("%s: Attempted domain logon as GUEST "
1267                          "denied.\n", fn));
1268                 TALLOC_FREE(server_info);
1269                 return NT_STATUS_LOGON_FAILURE;
1270         }
1271
1272         /* This is the point at which, if the login was successful, that
1273            the SAM Local Security Authority should record that the user is
1274            logged in to the domain.  */
1275
1276         if (process_creds) {
1277                 /* Get the pipe session key from the creds. */
1278                 memcpy(pipe_session_key, creds->session_key, 16);
1279         } else {
1280                 /* Get the pipe session key from the schannel. */
1281                 if ((p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL)
1282                     || (p->auth.a_u.schannel_auth == NULL)) {
1283                         return NT_STATUS_INVALID_HANDLE;
1284                 }
1285                 memcpy(pipe_session_key, p->auth.a_u.schannel_auth->creds->session_key, 16);
1286         }
1287
1288         switch (r->in.validation_level) {
1289         case 2:
1290                 status = serverinfo_to_SamInfo2(server_info, pipe_session_key, 16,
1291                                                 r->out.validation->sam2);
1292                 break;
1293         case 3:
1294                 status = serverinfo_to_SamInfo3(server_info, pipe_session_key, 16,
1295                                                 r->out.validation->sam3);
1296                 break;
1297         case 6:
1298                 status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16,
1299                                                 r->out.validation->sam6);
1300                 break;
1301         }
1302
1303         TALLOC_FREE(server_info);
1304
1305         return status;
1306 }
1307
1308 /****************************************************************
1309  _netr_LogonSamLogonWithFlags
1310 ****************************************************************/
1311
1312 NTSTATUS _netr_LogonSamLogonWithFlags(pipes_struct *p,
1313                                       struct netr_LogonSamLogonWithFlags *r)
1314 {
1315         NTSTATUS status;
1316         struct netlogon_creds_CredentialState *creds;
1317         struct netr_LogonSamLogonEx r2;
1318         struct netr_Authenticator return_authenticator;
1319
1320         become_root();
1321         status = netr_creds_server_step_check(p, p->mem_ctx,
1322                                               r->in.computer_name,
1323                                               r->in.credential,
1324                                               &return_authenticator,
1325                                               &creds);
1326         unbecome_root();
1327         if (!NT_STATUS_IS_OK(status)) {
1328                 return status;
1329         }
1330
1331         r2.in.server_name       = r->in.server_name;
1332         r2.in.computer_name     = r->in.computer_name;
1333         r2.in.logon_level       = r->in.logon_level;
1334         r2.in.logon             = r->in.logon;
1335         r2.in.validation_level  = r->in.validation_level;
1336         r2.in.flags             = r->in.flags;
1337         r2.out.validation       = r->out.validation;
1338         r2.out.authoritative    = r->out.authoritative;
1339         r2.out.flags            = r->out.flags;
1340
1341         status = _netr_LogonSamLogon_base(p, &r2, creds);
1342
1343         *r->out.return_authenticator = return_authenticator;
1344
1345         return status;
1346 }
1347
1348 /*************************************************************************
1349  _netr_LogonSamLogon
1350  *************************************************************************/
1351
1352 NTSTATUS _netr_LogonSamLogon(pipes_struct *p,
1353                              struct netr_LogonSamLogon *r)
1354 {
1355         NTSTATUS status;
1356         struct netr_LogonSamLogonWithFlags r2;
1357         uint32_t flags = 0;
1358
1359         r2.in.server_name               = r->in.server_name;
1360         r2.in.computer_name             = r->in.computer_name;
1361         r2.in.credential                = r->in.credential;
1362         r2.in.logon_level               = r->in.logon_level;
1363         r2.in.logon                     = r->in.logon;
1364         r2.in.validation_level          = r->in.validation_level;
1365         r2.in.return_authenticator      = r->in.return_authenticator;
1366         r2.in.flags                     = &flags;
1367         r2.out.validation               = r->out.validation;
1368         r2.out.authoritative            = r->out.authoritative;
1369         r2.out.flags                    = &flags;
1370         r2.out.return_authenticator     = r->out.return_authenticator;
1371
1372         status = _netr_LogonSamLogonWithFlags(p, &r2);
1373
1374         return status;
1375 }
1376
1377 /*************************************************************************
1378  _netr_LogonSamLogonEx
1379  - no credential chaining. Map into net sam logon.
1380  *************************************************************************/
1381
1382 NTSTATUS _netr_LogonSamLogonEx(pipes_struct *p,
1383                                struct netr_LogonSamLogonEx *r)
1384 {
1385         NTSTATUS status;
1386         struct netlogon_creds_CredentialState *creds = NULL;
1387
1388         become_root();
1389         status = schannel_get_creds_state(p->mem_ctx,
1390                                           r->in.computer_name, &creds);
1391         unbecome_root();
1392         if (!NT_STATUS_IS_OK(status)) {
1393                 return status;
1394         }
1395
1396         /* Only allow this if the pipe is protected. */
1397         if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1398                 DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
1399                         get_remote_machine_name() ));
1400                 return NT_STATUS_INVALID_PARAMETER;
1401         }
1402
1403         status = _netr_LogonSamLogon_base(p, r, creds);
1404         TALLOC_FREE(creds);
1405
1406         return status;
1407 }
1408
1409 /*************************************************************************
1410  _ds_enum_dom_trusts
1411  *************************************************************************/
1412 #if 0   /* JERRY -- not correct */
1413  NTSTATUS _ds_enum_dom_trusts(pipes_struct *p, DS_Q_ENUM_DOM_TRUSTS *q_u,
1414                              DS_R_ENUM_DOM_TRUSTS *r_u)
1415 {
1416         NTSTATUS status = NT_STATUS_OK;
1417
1418         /* TODO: According to MSDN, the can only be executed against a
1419            DC or domain member running Windows 2000 or later.  Need
1420            to test against a standalone 2k server and see what it
1421            does.  A windows 2000 DC includes its own domain in the
1422            list.  --jerry */
1423
1424         return status;
1425 }
1426 #endif  /* JERRY */
1427
1428
1429 /****************************************************************
1430 ****************************************************************/
1431
1432 WERROR _netr_LogonUasLogon(pipes_struct *p,
1433                            struct netr_LogonUasLogon *r)
1434 {
1435         p->rng_fault_state = true;
1436         return WERR_NOT_SUPPORTED;
1437 }
1438
1439 /****************************************************************
1440 ****************************************************************/
1441
1442 WERROR _netr_LogonUasLogoff(pipes_struct *p,
1443                             struct netr_LogonUasLogoff *r)
1444 {
1445         p->rng_fault_state = true;
1446         return WERR_NOT_SUPPORTED;
1447 }
1448
1449 /****************************************************************
1450 ****************************************************************/
1451
1452 NTSTATUS _netr_DatabaseDeltas(pipes_struct *p,
1453                               struct netr_DatabaseDeltas *r)
1454 {
1455         p->rng_fault_state = true;
1456         return NT_STATUS_NOT_IMPLEMENTED;
1457 }
1458
1459 /****************************************************************
1460 ****************************************************************/
1461
1462 NTSTATUS _netr_DatabaseSync(pipes_struct *p,
1463                             struct netr_DatabaseSync *r)
1464 {
1465         p->rng_fault_state = true;
1466         return NT_STATUS_NOT_IMPLEMENTED;
1467 }
1468
1469 /****************************************************************
1470 ****************************************************************/
1471
1472 NTSTATUS _netr_AccountDeltas(pipes_struct *p,
1473                              struct netr_AccountDeltas *r)
1474 {
1475         p->rng_fault_state = true;
1476         return NT_STATUS_NOT_IMPLEMENTED;
1477 }
1478
1479 /****************************************************************
1480 ****************************************************************/
1481
1482 NTSTATUS _netr_AccountSync(pipes_struct *p,
1483                            struct netr_AccountSync *r)
1484 {
1485         p->rng_fault_state = true;
1486         return NT_STATUS_NOT_IMPLEMENTED;
1487 }
1488
1489 /****************************************************************
1490 ****************************************************************/
1491
1492 static bool wb_getdcname(TALLOC_CTX *mem_ctx,
1493                          const char *domain,
1494                          const char **dcname,
1495                          uint32_t flags,
1496                          WERROR *werr)
1497 {
1498         wbcErr result;
1499         struct wbcDomainControllerInfo *dc_info = NULL;
1500
1501         result = wbcLookupDomainController(domain,
1502                                            flags,
1503                                            &dc_info);
1504         switch (result) {
1505         case WBC_ERR_SUCCESS:
1506                 break;
1507         case WBC_ERR_WINBIND_NOT_AVAILABLE:
1508                 return false;
1509         case WBC_ERR_DOMAIN_NOT_FOUND:
1510                 *werr = WERR_NO_SUCH_DOMAIN;
1511                 return true;
1512         default:
1513                 *werr = WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1514                 return true;
1515         }
1516
1517         *dcname = talloc_strdup(mem_ctx, dc_info->dc_name);
1518         wbcFreeMemory(dc_info);
1519         if (!*dcname) {
1520                 *werr = WERR_NOMEM;
1521                 return false;
1522         }
1523
1524         *werr = WERR_OK;
1525
1526         return true;
1527 }
1528
1529 /****************************************************************
1530  _netr_GetDcName
1531 ****************************************************************/
1532
1533 WERROR _netr_GetDcName(pipes_struct *p,
1534                        struct netr_GetDcName *r)
1535 {
1536         NTSTATUS status;
1537         WERROR werr;
1538         uint32_t flags;
1539         struct netr_DsRGetDCNameInfo *info;
1540         bool ret;
1541
1542         ret = wb_getdcname(p->mem_ctx,
1543                            r->in.domainname,
1544                            r->out.dcname,
1545                            WBC_LOOKUP_DC_IS_FLAT_NAME |
1546                            WBC_LOOKUP_DC_RETURN_FLAT_NAME |
1547                            WBC_LOOKUP_DC_PDC_REQUIRED,
1548                            &werr);
1549         if (ret == true) {
1550                 return werr;
1551         }
1552
1553         flags = DS_PDC_REQUIRED | DS_IS_FLAT_NAME | DS_RETURN_FLAT_NAME;
1554
1555         status = dsgetdcname(p->mem_ctx,
1556                              smbd_messaging_context(),
1557                              r->in.domainname,
1558                              NULL,
1559                              NULL,
1560                              flags,
1561                              &info);
1562         if (!NT_STATUS_IS_OK(status)) {
1563                 return ntstatus_to_werror(status);
1564         }
1565
1566         *r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
1567         talloc_free(info);
1568         if (!*r->out.dcname) {
1569                 return WERR_NOMEM;
1570         }
1571
1572         return WERR_OK;
1573 }
1574
1575 /****************************************************************
1576  _netr_GetAnyDCName
1577 ****************************************************************/
1578
1579 WERROR _netr_GetAnyDCName(pipes_struct *p,
1580                           struct netr_GetAnyDCName *r)
1581 {
1582         NTSTATUS status;
1583         WERROR werr;
1584         uint32_t flags;
1585         struct netr_DsRGetDCNameInfo *info;
1586         bool ret;
1587
1588         ret = wb_getdcname(p->mem_ctx,
1589                            r->in.domainname,
1590                            r->out.dcname,
1591                            WBC_LOOKUP_DC_IS_FLAT_NAME |
1592                            WBC_LOOKUP_DC_RETURN_FLAT_NAME,
1593                            &werr);
1594         if (ret == true) {
1595                 return werr;
1596         }
1597
1598         flags = DS_IS_FLAT_NAME | DS_RETURN_FLAT_NAME;
1599
1600         status = dsgetdcname(p->mem_ctx,
1601                              smbd_messaging_context(),
1602                              r->in.domainname,
1603                              NULL,
1604                              NULL,
1605                              flags,
1606                              &info);
1607         if (!NT_STATUS_IS_OK(status)) {
1608                 return ntstatus_to_werror(status);
1609         }
1610
1611         *r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
1612         talloc_free(info);
1613         if (!*r->out.dcname) {
1614                 return WERR_NOMEM;
1615         }
1616
1617         return WERR_OK;
1618 }
1619
1620 /****************************************************************
1621 ****************************************************************/
1622
1623 NTSTATUS _netr_DatabaseSync2(pipes_struct *p,
1624                              struct netr_DatabaseSync2 *r)
1625 {
1626         p->rng_fault_state = true;
1627         return NT_STATUS_NOT_IMPLEMENTED;
1628 }
1629
1630 /****************************************************************
1631 ****************************************************************/
1632
1633 NTSTATUS _netr_DatabaseRedo(pipes_struct *p,
1634                             struct netr_DatabaseRedo *r)
1635 {
1636         p->rng_fault_state = true;
1637         return NT_STATUS_NOT_IMPLEMENTED;
1638 }
1639
1640 /****************************************************************
1641 ****************************************************************/
1642
1643 WERROR _netr_DsRGetDCName(pipes_struct *p,
1644                           struct netr_DsRGetDCName *r)
1645 {
1646         p->rng_fault_state = true;
1647         return WERR_NOT_SUPPORTED;
1648 }
1649
1650 /****************************************************************
1651 ****************************************************************/
1652
1653 NTSTATUS _netr_LogonGetCapabilities(pipes_struct *p,
1654                                     struct netr_LogonGetCapabilities *r)
1655 {
1656         return NT_STATUS_NOT_IMPLEMENTED;
1657 }
1658
1659 /****************************************************************
1660 ****************************************************************/
1661
1662 WERROR _netr_NETRLOGONSETSERVICEBITS(pipes_struct *p,
1663                                      struct netr_NETRLOGONSETSERVICEBITS *r)
1664 {
1665         p->rng_fault_state = true;
1666         return WERR_NOT_SUPPORTED;
1667 }
1668
1669 /****************************************************************
1670 ****************************************************************/
1671
1672 WERROR _netr_LogonGetTrustRid(pipes_struct *p,
1673                               struct netr_LogonGetTrustRid *r)
1674 {
1675         p->rng_fault_state = true;
1676         return WERR_NOT_SUPPORTED;
1677 }
1678
1679 /****************************************************************
1680 ****************************************************************/
1681
1682 WERROR _netr_NETRLOGONCOMPUTESERVERDIGEST(pipes_struct *p,
1683                                           struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
1684 {
1685         p->rng_fault_state = true;
1686         return WERR_NOT_SUPPORTED;
1687 }
1688
1689 /****************************************************************
1690 ****************************************************************/
1691
1692 WERROR _netr_NETRLOGONCOMPUTECLIENTDIGEST(pipes_struct *p,
1693                                           struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
1694 {
1695         p->rng_fault_state = true;
1696         return WERR_NOT_SUPPORTED;
1697 }
1698
1699 /****************************************************************
1700 ****************************************************************/
1701
1702 WERROR _netr_DsRGetDCNameEx(pipes_struct *p,
1703                             struct netr_DsRGetDCNameEx *r)
1704 {
1705         p->rng_fault_state = true;
1706         return WERR_NOT_SUPPORTED;
1707 }
1708
1709 /****************************************************************
1710 ****************************************************************/
1711
1712 WERROR _netr_DsRGetSiteName(pipes_struct *p,
1713                             struct netr_DsRGetSiteName *r)
1714 {
1715         p->rng_fault_state = true;
1716         return WERR_NOT_SUPPORTED;
1717 }
1718
1719 /****************************************************************
1720 ****************************************************************/
1721
1722 NTSTATUS _netr_LogonGetDomainInfo(pipes_struct *p,
1723                                   struct netr_LogonGetDomainInfo *r)
1724 {
1725         p->rng_fault_state = true;
1726         return NT_STATUS_NOT_IMPLEMENTED;
1727 }
1728
1729 /****************************************************************
1730 ****************************************************************/
1731
1732 WERROR _netr_ServerPasswordGet(pipes_struct *p,
1733                                struct netr_ServerPasswordGet *r)
1734 {
1735         p->rng_fault_state = true;
1736         return WERR_NOT_SUPPORTED;
1737 }
1738
1739 /****************************************************************
1740 ****************************************************************/
1741
1742 WERROR _netr_NETRLOGONSENDTOSAM(pipes_struct *p,
1743                                 struct netr_NETRLOGONSENDTOSAM *r)
1744 {
1745         p->rng_fault_state = true;
1746         return WERR_NOT_SUPPORTED;
1747 }
1748
1749 /****************************************************************
1750 ****************************************************************/
1751
1752 WERROR _netr_DsRAddressToSitenamesW(pipes_struct *p,
1753                                     struct netr_DsRAddressToSitenamesW *r)
1754 {
1755         p->rng_fault_state = true;
1756         return WERR_NOT_SUPPORTED;
1757 }
1758
1759 /****************************************************************
1760 ****************************************************************/
1761
1762 WERROR _netr_DsRGetDCNameEx2(pipes_struct *p,
1763                              struct netr_DsRGetDCNameEx2 *r)
1764 {
1765         p->rng_fault_state = true;
1766         return WERR_NOT_SUPPORTED;
1767 }
1768
1769 /****************************************************************
1770 ****************************************************************/
1771
1772 WERROR _netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(pipes_struct *p,
1773                                                  struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
1774 {
1775         p->rng_fault_state = true;
1776         return WERR_NOT_SUPPORTED;
1777 }
1778
1779 /****************************************************************
1780 ****************************************************************/
1781
1782 WERROR _netr_NetrEnumerateTrustedDomainsEx(pipes_struct *p,
1783                                            struct netr_NetrEnumerateTrustedDomainsEx *r)
1784 {
1785         p->rng_fault_state = true;
1786         return WERR_NOT_SUPPORTED;
1787 }
1788
1789 /****************************************************************
1790 ****************************************************************/
1791
1792 WERROR _netr_DsRAddressToSitenamesExW(pipes_struct *p,
1793                                       struct netr_DsRAddressToSitenamesExW *r)
1794 {
1795         p->rng_fault_state = true;
1796         return WERR_NOT_SUPPORTED;
1797 }
1798
1799 /****************************************************************
1800 ****************************************************************/
1801
1802 WERROR _netr_DsrGetDcSiteCoverageW(pipes_struct *p,
1803                                    struct netr_DsrGetDcSiteCoverageW *r)
1804 {
1805         p->rng_fault_state = true;
1806         return WERR_NOT_SUPPORTED;
1807 }
1808
1809 /****************************************************************
1810 ****************************************************************/
1811
1812 WERROR _netr_DsrEnumerateDomainTrusts(pipes_struct *p,
1813                                       struct netr_DsrEnumerateDomainTrusts *r)
1814 {
1815         p->rng_fault_state = true;
1816         return WERR_NOT_SUPPORTED;
1817 }
1818
1819 /****************************************************************
1820 ****************************************************************/
1821
1822 WERROR _netr_DsrDeregisterDNSHostRecords(pipes_struct *p,
1823                                          struct netr_DsrDeregisterDNSHostRecords *r)
1824 {
1825         p->rng_fault_state = true;
1826         return WERR_NOT_SUPPORTED;
1827 }
1828
1829 /****************************************************************
1830 ****************************************************************/
1831
1832 NTSTATUS _netr_ServerTrustPasswordsGet(pipes_struct *p,
1833                                        struct netr_ServerTrustPasswordsGet *r)
1834 {
1835         p->rng_fault_state = true;
1836         return NT_STATUS_NOT_IMPLEMENTED;
1837 }
1838
1839 /****************************************************************
1840 ****************************************************************/
1841
1842 WERROR _netr_DsRGetForestTrustInformation(pipes_struct *p,
1843                                           struct netr_DsRGetForestTrustInformation *r)
1844 {
1845         p->rng_fault_state = true;
1846         return WERR_NOT_SUPPORTED;
1847 }
1848
1849 /****************************************************************
1850 ****************************************************************/
1851
1852 NTSTATUS _netr_GetForestTrustInformation(pipes_struct *p,
1853                                          struct netr_GetForestTrustInformation *r)
1854 {
1855         p->rng_fault_state = true;
1856         return NT_STATUS_NOT_IMPLEMENTED;
1857 }
1858
1859 /****************************************************************
1860 ****************************************************************/
1861
1862 NTSTATUS _netr_ServerGetTrustInfo(pipes_struct *p,
1863                                   struct netr_ServerGetTrustInfo *r)
1864 {
1865         p->rng_fault_state = true;
1866         return NT_STATUS_NOT_IMPLEMENTED;
1867 }
1868