Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2008
Copyright (C) Stefan Metzmacher <metze@samba.org> 2005
- Copyright (C) Matthias Dieter Wallnöfer 2009
+ Copyright (C) Matthias Dieter Wallnöfer 2009-2010
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#include "lib/tsocket/tsocket.h"
#include "librpc/gen_ndr/ndr_netlogon.h"
#include "librpc/gen_ndr/ndr_irpc.h"
+#include "lib/socket/netif.h"
struct netlogon_server_pipe_state {
struct netr_Credential client_challenge;
creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
nt_status = schannel_save_creds_state(mem_ctx,
- lpcfg_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+ dce_call->conn->dce_ctx->lp_ctx,
creds);
return nt_status;
}
nt_status = schannel_check_creds_state(mem_ctx,
- lpcfg_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+ dce_call->conn->dce_ctx->lp_ctx,
computer_name,
received_authenticator,
return_authenticator,
}
+static NTSTATUS dcesrv_netr_LogonSamLogon_check(const struct netr_LogonSamLogonEx *r)
+{
+ switch (r->in.logon_level) {
+ case NetlogonInteractiveInformation:
+ case NetlogonServiceInformation:
+ case NetlogonInteractiveTransitiveInformation:
+ case NetlogonServiceTransitiveInformation:
+ if (r->in.logon->password == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ switch (r->in.validation_level) {
+ case NetlogonValidationSamInfo: /* 2 */
+ case NetlogonValidationSamInfo2: /* 3 */
+ case NetlogonValidationSamInfo4: /* 6 */
+ break;
+ default:
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ break;
+ case NetlogonNetworkInformation:
+ case NetlogonNetworkTransitiveInformation:
+ if (r->in.logon->network == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ switch (r->in.validation_level) {
+ case NetlogonValidationSamInfo: /* 2 */
+ case NetlogonValidationSamInfo2: /* 3 */
+ case NetlogonValidationSamInfo4: /* 6 */
+ break;
+ default:
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ break;
+
+ case NetlogonGenericInformation:
+ if (r->in.logon->generic == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ switch (r->in.validation_level) {
+ /* TODO: case NetlogonValidationGenericInfo: 4 */
+ case NetlogonValidationGenericInfo2: /* 5 */
+ break;
+ default:
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ break;
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ return NT_STATUS_OK;
+}
+
/*
netr_LogonSamLogon_base
static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_LogonSamLogonEx *r, struct netlogon_creds_CredentialState *creds)
{
- struct auth_context *auth_context;
+ struct auth4_context *auth_context;
struct auth_usersupplied_info *user_info;
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
NTSTATUS nt_status;
static const char zeros[16];
struct netr_SamBaseInfo *sam;
struct netr_SamInfo3 *sam3;
struct netr_SamInfo6 *sam6;
+ *r->out.authoritative = 1;
+
user_info = talloc_zero(mem_ctx, struct auth_usersupplied_info);
NT_STATUS_HAVE_NO_MEMORY(user_info);
return NT_STATUS_INVALID_PARAMETER;
}
- nt_status = auth_check_password(auth_context, mem_ctx, user_info, &server_info);
+ nt_status = auth_check_password(auth_context, mem_ctx, user_info, &user_info_dc);
+ /* TODO: set *r->out.authoritative = 0 on specific errors */
NT_STATUS_NOT_OK_RETURN(nt_status);
switch (r->in.validation_level) {
case 2:
- nt_status = auth_convert_server_info_sambaseinfo(mem_ctx, server_info, &sam);
+ nt_status = auth_convert_user_info_dc_sambaseinfo(mem_ctx, user_info_dc, &sam);
NT_STATUS_NOT_OK_RETURN(nt_status);
sam2 = talloc_zero(mem_ctx, struct netr_SamInfo2);
break;
case 3:
- nt_status = auth_convert_server_info_saminfo3(mem_ctx,
- server_info,
+ nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx,
+ user_info_dc,
&sam3);
NT_STATUS_NOT_OK_RETURN(nt_status);
break;
case 6:
- nt_status = auth_convert_server_info_saminfo3(mem_ctx,
- server_info,
+ nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx,
+ user_info_dc,
&sam3);
NT_STATUS_NOT_OK_RETURN(nt_status);
break;
default:
- break;
+ return NT_STATUS_INVALID_INFO_CLASS;
}
/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
}
}
- *r->out.authoritative = 1;
-
/* TODO: Describe and deal with these flags */
*r->out.flags = 0;
NTSTATUS nt_status;
struct netlogon_creds_CredentialState *creds;
+ *r->out.authoritative = 1;
+
+ nt_status = dcesrv_netr_LogonSamLogon_check(r);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
nt_status = schannel_get_creds_state(mem_ctx,
- lpcfg_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+ dce_call->conn->dce_ctx->lp_ctx,
r->in.computer_name, &creds);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
struct netr_Authenticator *return_authenticator;
- return_authenticator = talloc(mem_ctx, struct netr_Authenticator);
- NT_STATUS_HAVE_NO_MEMORY(return_authenticator);
-
- nt_status = dcesrv_netr_creds_server_step_check(dce_call,
- mem_ctx,
- r->in.computer_name,
- r->in.credential, return_authenticator,
- &creds);
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
ZERO_STRUCT(r2);
r2.in.server_name = r->in.server_name;
r2.out.authoritative = r->out.authoritative;
r2.out.flags = r->out.flags;
+ *r->out.authoritative = 1;
+
+ nt_status = dcesrv_netr_LogonSamLogon_check(&r2);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ return_authenticator = talloc(mem_ctx, struct netr_Authenticator);
+ NT_STATUS_HAVE_NO_MEMORY(return_authenticator);
+
+ nt_status = dcesrv_netr_creds_server_step_check(dce_call,
+ mem_ctx,
+ r->in.computer_name,
+ r->in.credential, return_authenticator,
+ &creds);
+ NT_STATUS_NOT_OK_RETURN(nt_status);
+
nt_status = dcesrv_netr_LogonSamLogon_base(dce_call, mem_ctx, &r2, creds);
r->out.return_authenticator = return_authenticator;
domain_dn = samdb_domain_to_dn(sam_ctx, mem_ctx,
r->in.domainname);
if (domain_dn == NULL) {
- return WERR_DS_UNAVAILABLE;
+ return WERR_NO_SUCH_DOMAIN;
}
ret = gendb_search_dn(sam_ctx, mem_ctx,
static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_LogonGetCapabilities *r)
{
+
/* we don't support AES yet */
return NT_STATUS_NOT_IMPLEMENTED;
}
return WERR_DS_UNAVAILABLE;
}
+ /*
+ * We assume to be a DC when we get called over NETLOGON. Hence we
+ * get our site name always by using "samdb_server_site_name()"
+ * and not "samdb_client_site_name()".
+ */
*r->out.site = samdb_server_site_name(sam_ctx, mem_ctx);
W_ERROR_HAVE_NO_MEMORY(*r->out.site);
struct netlogon_creds_CredentialState *creds;
const char * const attrs[] = { "objectSid", "objectGUID", "flatName",
"securityIdentifier", "trustPartner", NULL };
- const char * const attrs2[] = { "dNSHostName",
+ const char * const attrs2[] = { "sAMAccountName", "dNSHostName",
"msDS-SupportedEncryptionTypes", NULL };
- const char *temp_str, *temp_str2;
- const char *old_dns_hostname;
+ const char *sam_account_name, *old_dns_hostname, *prefix1, *prefix2;
struct ldb_context *sam_ctx;
struct ldb_message **res1, **res2, **res3, *new_msg;
struct ldb_dn *workstation_dn;
struct netr_DomainInformation *domain_info;
struct netr_LsaPolicyInformation *lsa_policy_info;
- struct netr_OsVersionInfoEx *os_version;
uint32_t default_supported_enc_types = 0xFFFFFFFF;
bool update_dns_hostname = true;
int ret, ret3, i;
return NT_STATUS_INVALID_PARAMETER;
}
- /*
- * Checks that the computer name parameter without possible "$"
- * matches as prefix with the DNS hostname in the workstation
- * info structure.
- */
- temp_str = talloc_strndup(mem_ctx,
- r->in.computer_name,
- strcspn(r->in.computer_name, "$"));
- NT_STATUS_HAVE_NO_MEMORY(temp_str);
- temp_str2 = talloc_strndup(mem_ctx,
- r->in.query->workstation_info->dns_hostname,
- strcspn(r->in.query->workstation_info->dns_hostname, "."));
- NT_STATUS_HAVE_NO_MEMORY(temp_str2);
- if (strcasecmp(temp_str, temp_str2) != 0) {
- update_dns_hostname = false;
- }
-
- /* Prepare the workstation DN */
+ /* Prepares the workstation DN */
workstation_dn = ldb_dn_new_fmt(mem_ctx, sam_ctx, "<SID=%s>",
- dom_sid_string(mem_ctx, creds->sid));
+ dom_sid_string(mem_ctx, creds->sid));
NT_STATUS_HAVE_NO_MEMORY(workstation_dn);
/* Lookup for attributes in workstation object */
- ret = gendb_search_dn(sam_ctx, mem_ctx, workstation_dn,
- &res1, attrs2);
+ ret = gendb_search_dn(sam_ctx, mem_ctx, workstation_dn, &res1,
+ attrs2);
if (ret != 1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
+ /* Gets the sam account name which is checked against the DNS
+ * hostname parameter. */
+ sam_account_name = ldb_msg_find_attr_as_string(res1[0],
+ "sAMAccountName",
+ NULL);
+ if (sam_account_name == NULL) {
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ /*
+ * Checks that the sam account name without a possible "$"
+ * matches as prefix with the DNS hostname in the workstation
+ * info structure.
+ */
+ prefix1 = talloc_strndup(mem_ctx, sam_account_name,
+ strcspn(sam_account_name, "$"));
+ NT_STATUS_HAVE_NO_MEMORY(prefix1);
+ if (r->in.query->workstation_info->dns_hostname != NULL) {
+ prefix2 = talloc_strndup(mem_ctx,
+ r->in.query->workstation_info->dns_hostname,
+ strcspn(r->in.query->workstation_info->dns_hostname, "."));
+ NT_STATUS_HAVE_NO_MEMORY(prefix2);
+
+ if (strcasecmp(prefix1, prefix2) != 0) {
+ update_dns_hostname = false;
+ }
+ } else {
+ update_dns_hostname = false;
+ }
+
/* Gets the old DNS hostname */
- old_dns_hostname = ldb_msg_find_attr_as_string(res1[0], "dNSHostName",
- NULL);
+ old_dns_hostname = ldb_msg_find_attr_as_string(res1[0],
+ "dNSHostName",
+ NULL);
/*
* Updates the DNS hostname when the client wishes that the
update_dns_hostname = false;
}
- /* Gets host informations and put them into our directory */
+ /* Gets host information and put them into our directory */
new_msg = ldb_msg_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(new_msg);
new_msg->dn = workstation_dn;
/* Sets the OS name */
- samdb_msg_set_string(sam_ctx, mem_ctx, new_msg,
- "operatingSystem",
- r->in.query->workstation_info->os_name.string);
+
+ if (r->in.query->workstation_info->os_name.string == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ ret = ldb_msg_add_string(new_msg, "operatingSystem",
+ r->in.query->workstation_info->os_name.string);
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
/*
- * Sets informations from "os_version". On an empty structure
+ * Sets information from "os_version". On an empty structure
* the values are cleared.
*/
if (r->in.query->workstation_info->os_version.os != NULL) {
+ struct netr_OsVersionInfoEx *os_version;
+ const char *os_version_str;
+
os_version = &r->in.query->workstation_info->os_version.os->os;
- samdb_msg_set_string(sam_ctx, mem_ctx, new_msg,
- "operatingSystemServicePack",
- os_version->CSDVersion);
-
- samdb_msg_set_string(sam_ctx, mem_ctx, new_msg,
- "operatingSystemVersion",
- talloc_asprintf(mem_ctx, "%d.%d (%d)",
- os_version->MajorVersion,
- os_version->MinorVersion,
- os_version->BuildNumber
- )
- );
+ if (os_version->CSDVersion == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ os_version_str = talloc_asprintf(new_msg, "%u.%u (%u)",
+ os_version->MajorVersion,
+ os_version->MinorVersion,
+ os_version->BuildNumber);
+ NT_STATUS_HAVE_NO_MEMORY(os_version_str);
+
+ ret = ldb_msg_add_string(new_msg,
+ "operatingSystemServicePack",
+ os_version->CSDVersion);
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = ldb_msg_add_string(new_msg,
+ "operatingSystemVersion",
+ os_version_str);
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
} else {
- samdb_msg_add_delete(sam_ctx, mem_ctx, new_msg,
- "operatingSystemServicePack");
+ ret = samdb_msg_add_delete(sam_ctx, mem_ctx, new_msg,
+ "operatingSystemServicePack");
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
- samdb_msg_add_delete(sam_ctx, mem_ctx, new_msg,
- "operatingSystemVersion");
+ ret = samdb_msg_add_delete(sam_ctx, mem_ctx, new_msg,
+ "operatingSystemVersion");
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
}
/*
* are fine to start the update.
*/
if (update_dns_hostname) {
- samdb_msg_set_string(sam_ctx, mem_ctx, new_msg,
- "dNSHostname",
- r->in.query->workstation_info->dns_hostname);
-
- samdb_msg_add_string(sam_ctx, mem_ctx, new_msg,
- "servicePrincipalName",
- talloc_asprintf(mem_ctx, "HOST/%s",
- r->in.computer_name)
- );
- samdb_msg_add_string(sam_ctx, mem_ctx, new_msg,
- "servicePrincipalName",
- talloc_asprintf(mem_ctx, "HOST/%s",
- r->in.query->workstation_info->dns_hostname)
- );
+ ret = ldb_msg_add_string(new_msg,
+ "dNSHostname",
+ r->in.query->workstation_info->dns_hostname);
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* This manual "servicePrincipalName" generation is
+ * still needed! Since the update in the samldb LDB
+ * module does only work if the entries already exist
+ * which isn't always the case. */
+ ret = ldb_msg_add_string(new_msg,
+ "servicePrincipalName",
+ talloc_asprintf(new_msg, "HOST/%s",
+ r->in.computer_name));
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = ldb_msg_add_string(new_msg,
+ "servicePrincipalName",
+ talloc_asprintf(new_msg, "HOST/%s",
+ r->in.query->workstation_info->dns_hostname));
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
}
if (dsdb_replace(sam_ctx, new_msg, 0) != LDB_SUCCESS) {
"msDS-SupportedEncryptionTypes",
default_supported_enc_types);
- /* Other host domain informations */
+ /* Other host domain information */
lsa_policy_info = talloc(mem_ctx,
struct netr_LsaPolicyInformation);
}
-
/*
netr_ServerPasswordGet
*/
NTSTATUS status;
const char *dc_name = NULL;
const char *domain_name = NULL;
+ struct interface *ifaces;
+ const char *pdc_ip;
ZERO_STRUCTP(r->out.info);
return ntstatus_to_werror(status);
}
+ /*
+ * According to MS-NRPC 2.2.1.2.1 we should set the "DS_DNS_FOREST_ROOT"
+ * (O) flag when the returned forest name is in DNS format. This is here
+ * always the case (see below).
+ */
+ response.data.nt5_ex.server_type |= DS_DNS_FOREST_ROOT;
+
if (r->in.flags & DS_RETURN_DNS_NAME) {
dc_name = response.data.nt5_ex.pdc_dns_name;
domain_name = response.data.nt5_ex.dns_domain;
+ /*
+ * According to MS-NRPC 2.2.1.2.1 we should set the
+ * "DS_DNS_CONTROLLER" (M) and "DS_DNS_DOMAIN" (N) flags when
+ * the returned information is in DNS form.
+ */
+ response.data.nt5_ex.server_type |=
+ DS_DNS_CONTROLLER | DS_DNS_DOMAIN;
} else if (r->in.flags & DS_RETURN_FLAT_NAME) {
dc_name = response.data.nt5_ex.pdc_name;
domain_name = response.data.nt5_ex.domain_name;
W_ERROR_HAVE_NO_MEMORY(info);
info->dc_unc = talloc_asprintf(mem_ctx, "\\\\%s", dc_name);
W_ERROR_HAVE_NO_MEMORY(info->dc_unc);
- info->dc_address = talloc_asprintf(mem_ctx, "\\\\%s",
- response.data.nt5_ex.sockaddr.pdc_ip);
+
+ load_interface_list(mem_ctx, lp_ctx, &ifaces);
+ pdc_ip = iface_list_best_ip(ifaces, addr);
+ if (pdc_ip == NULL) {
+ pdc_ip = "127.0.0.1";
+ }
+ info->dc_address = talloc_asprintf(mem_ctx, "\\\\%s", pdc_ip);
W_ERROR_HAVE_NO_MEMORY(info->dc_address);
- info->dc_address_type = DS_ADDRESS_TYPE_INET; /* TODO: make this dynamic? for ipv6 */
+ info->dc_address_type = DS_ADDRESS_TYPE_INET;
info->domain_guid = response.data.nt5_ex.domain_uuid;
info->domain_name = domain_name;
info->forest_name = response.data.nt5_ex.forest;
}
-#define GET_CHECK_STR(dest, mem, msg, attr) \
-do {\
- const char *s; \
- s = ldb_msg_find_attr_as_string(msg, attr, NULL); \
- if (!s) { \
- DEBUG(0, ("DB Error, TustedDomain entry (%s) " \
- "without flatname\n", \
- ldb_dn_get_linearized(msg->dn))); \
- continue; \
- } \
- dest = talloc_strdup(mem, s); \
- W_ERROR_HAVE_NO_MEMORY(dest); \
-} while(0)
-
-
static WERROR fill_trusted_domains_array(TALLOC_CTX *mem_ctx,
struct ldb_context *sam_ctx,
struct netr_DomainTrustList *trusts,
n + 1);
W_ERROR_HAVE_NO_MEMORY(trusts->array);
- GET_CHECK_STR(trusts->array[n].netbios_name, trusts,
- dom_res[i], "flatname");
- GET_CHECK_STR(trusts->array[n].dns_name, trusts,
- dom_res[i], "trustPartner");
+ trusts->array[n].netbios_name = talloc_steal(trusts->array, ldb_msg_find_attr_as_string(dom_res[i], "flatname", NULL));
+ if (!trusts->array[n].netbios_name) {
+ DEBUG(0, ("DB Error, TrustedDomain entry (%s) "
+ "without flatname\n",
+ ldb_dn_get_linearized(dom_res[i]->dn)));
+ }
+
+ trusts->array[n].dns_name = talloc_steal(trusts->array, ldb_msg_find_attr_as_string(dom_res[i], "trustPartner", NULL));
trusts->array[n].trust_flags = flags;
if ((trust_flags & NETR_TRUST_FLAG_IN_FOREST) &&
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
dce_call->conn->auth_state.session_info, 0);
if (sam_ctx == NULL) {
- return NT_STATUS_UNSUCCESSFUL;
+ return NT_STATUS_INTERNAL_ERROR;
}
/* TODO: check r->in.server_name is our name */