3 * Unix SMB/Netbios implementation.
5 * RPC Pipe client / server routines
6 * Copyright (C) Andrew Tridgell 1992-1998
7 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
8 * Copyright (C) Paul Ashton 1997-1998.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
44 extern int DEBUGLEVEL;
45 extern DOM_SID global_machine_sid;
48 * A list of the rids of well known BUILTIN and Domain users
52 rid_name builtin_alias_rids[] =
54 { BUILTIN_ALIAS_RID_ADMINS , "Administrators" },
55 { BUILTIN_ALIAS_RID_USERS , "Users" },
56 { BUILTIN_ALIAS_RID_GUESTS , "Guests" },
57 { BUILTIN_ALIAS_RID_POWER_USERS , "Power Users" },
59 { BUILTIN_ALIAS_RID_ACCOUNT_OPS , "Account Operators" },
60 { BUILTIN_ALIAS_RID_SYSTEM_OPS , "System Operators" },
61 { BUILTIN_ALIAS_RID_PRINT_OPS , "Print Operators" },
62 { BUILTIN_ALIAS_RID_BACKUP_OPS , "Backup Operators" },
63 { BUILTIN_ALIAS_RID_REPLICATOR , "Replicator" },
67 /* array lookup of well-known Domain RID users. */
68 rid_name domain_user_rids[] =
70 { DOMAIN_USER_RID_ADMIN , "Administrator" },
71 { DOMAIN_USER_RID_GUEST , "Guest" },
75 /* array lookup of well-known Domain RID groups. */
76 rid_name domain_group_rids[] =
78 { DOMAIN_GROUP_RID_ADMINS , "Domain Admins" },
79 { DOMAIN_GROUP_RID_USERS , "Domain Users" },
80 { DOMAIN_GROUP_RID_GUESTS , "Domain Guests" },
84 int make_dom_gids(char *gids_str, DOM_GID **ppgids)
93 DEBUG(4,("make_dom_gids: %s\n", gids_str));
95 if (gids_str == NULL || *gids_str == 0)
98 for (count = 0, ptr = gids_str;
99 next_token(&ptr, s2, NULL, sizeof(s2));
103 gids = (DOM_GID *)malloc( sizeof(DOM_GID) * count );
106 DEBUG(0,("make_dom_gids: malloc fail !\n"));
110 for (count = 0, ptr = gids_str;
111 next_token(&ptr, s2, NULL, sizeof(s2)) &&
112 count < LSA_MAX_GROUPS;
115 /* the entries are of the form GID/ATTR, ATTR being optional.*/
120 attr = strchr(s2,'/');
125 attr = "7"; /* default value for attribute is 7 */
127 /* look up the RID string and see if we can turn it into a rid number */
128 for (i = 0; builtin_alias_rids[i].name != NULL; i++)
130 if (strequal(builtin_alias_rids[i].name, s2))
132 rid = builtin_alias_rids[i].rid;
142 DEBUG(1,("make_dom_gids: unknown well-known alias RID %s/%s\n", s2, attr));
147 gids[count].g_rid = rid;
148 gids[count].attr = atoi(attr);
150 DEBUG(5,("group id: %d attr: %d\n", gids[count].g_rid, gids[count].attr));
158 /*******************************************************************
159 turns a DCE/RPC request into a DCE/RPC reply
161 this is where the data really should be split up into an array of
162 headers and data sections.
164 ********************************************************************/
165 BOOL create_rpc_reply(pipes_struct *p,
166 uint32 data_start, uint32 data_end)
168 DEBUG(5,("create_rpc_reply: data_start: %d data_end: %d max_tsize: %d\n",
169 data_start, data_end, p->hdr_ba.bba.max_tsize));
171 mem_buf_init(&(p->rhdr.data), 0);
172 mem_alloc_data(p->rhdr.data, 0x18);
177 p->hdr_resp.alloc_hint = data_end - data_start; /* calculate remaining data to be sent */
178 p->hdr.pkt_type = RPC_RESPONSE; /* mark header as an rpc response */
180 /* set up rpc header (fragmentation issues) */
183 p->hdr.flags = RPC_FLG_FIRST;
190 if (p->hdr_resp.alloc_hint + 0x18 <= p->hdr_ba.bba.max_tsize)
192 p->hdr.flags |= RPC_FLG_LAST;
193 p->hdr.frag_len = p->hdr_resp.alloc_hint + 0x18;
197 p->hdr.frag_len = p->hdr_ba.bba.max_tsize;
200 p->rhdr.data->offset.start = 0;
201 p->rhdr.data->offset.end = 0x18;
203 /* store the header in the data stream */
205 smb_io_rpc_hdr ("hdr", &(p->hdr ), &(p->rhdr), 0);
206 smb_io_rpc_hdr_resp("resp", &(p->hdr_resp), &(p->rhdr), 0);
208 return p->rhdr.data != NULL && p->rhdr.offset == 0x18;
212 static BOOL api_pipe_ntlmssp(pipes_struct *p, prs_struct *pd)
214 /* receive a negotiate; send a challenge; receive a response */
215 switch (p->auth_verifier.msg_type)
217 case NTLMSSP_NEGOTIATE:
219 smb_io_rpc_auth_ntlmssp_neg("", &p->ntlmssp_neg, pd, 0);
224 smb_io_rpc_auth_ntlmssp_resp("", &p->ntlmssp_resp, pd, 0);
229 /* NTLMSSP expected: unexpected message type */
230 DEBUG(3,("unexpected message type in NTLMSSP %d\n",
231 p->auth_verifier.msg_type));
236 return (pd->offset != 0);
241 char * pipe_clnt_name;
242 char * pipe_srv_name;
243 BOOL (*fn) (pipes_struct *, prs_struct *);
246 static struct api_cmd api_fd_commands[] =
248 { "lsarpc", "lsass", api_ntlsa_rpc },
249 { "samr", "lsass", api_samr_rpc },
250 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
251 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
252 { "NETLOGON", "lsass", api_netlog_rpc },
253 { "winreg", "winreg", api_reg_rpc },
257 static BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *pd)
259 p->ntlmssp_auth = False;
261 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
263 if (p->hdr.auth_len != 0)
265 /* decode the authentication verifier response */
266 smb_io_rpc_hdr_autha("", &p->autha_info, pd, 0);
267 if (pd->offset == 0) return False;
269 p->ntlmssp_auth = p->auth_info.auth_type = 0x0a;
273 smb_io_rpc_auth_verifier("", &p->auth_verifier, pd, 0);
274 if (pd->offset == 0) return False;
276 p->ntlmssp_auth = strequal(p->auth_verifier.signature, "NTLMSSP");
281 if (!api_pipe_ntlmssp(p, pd)) return False;
285 return p->ntlmssp_auth;
288 static BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *pd)
291 fstring ack_pipe_name;
294 p->ntlmssp_auth = False;
296 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
298 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++)
300 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
301 api_fd_commands[i].fn != NULL)
303 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
304 api_fd_commands[i].pipe_clnt_name,
305 api_fd_commands[i].pipe_srv_name));
306 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
311 if (api_fd_commands[i].fn == NULL) return False;
313 /* decode the bind request */
314 smb_io_rpc_hdr_rb("", &p->hdr_rb, pd, 0);
316 if (pd->offset == 0) return False;
318 if (p->hdr.auth_len != 0)
320 /* decode the authentication verifier */
321 smb_io_rpc_hdr_auth ("", &p->auth_info , pd, 0);
322 if (pd->offset == 0) return False;
324 p->ntlmssp_auth = p->auth_info.auth_type = 0x0a;
328 smb_io_rpc_auth_verifier("", &p->auth_verifier, pd, 0);
329 if (pd->offset == 0) return False;
331 p->ntlmssp_auth = strequal(p->auth_verifier.signature, "NTLMSSP");
336 if (!api_pipe_ntlmssp(p, pd)) return False;
340 /* name has to be \PIPE\xxxxx */
341 fstrcpy(ack_pipe_name, "\\PIPE\\");
342 fstrcat(ack_pipe_name, p->pipe_srv_name);
344 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
346 prs_init(&(p->rdata), 1024, 4, 0, False);
347 prs_init(&(p->rhdr ), 0x10, 4, 0, False);
348 prs_init(&(p->rauth), 1024, 4, 0, False);
349 prs_init(&(p->rverf), 0x08, 4, 0, False);
350 prs_init(&(p->rntlm), 1024, 4, 0, False);
353 /*** do the bind ack first ***/
362 assoc_gid = p->hdr_rb.bba.assoc_gid;
365 make_rpc_hdr_ba(&p->hdr_ba,
366 p->hdr_rb.bba.max_tsize,
367 p->hdr_rb.bba.max_rsize,
371 &(p->hdr_rb.transfer));
373 smb_io_rpc_hdr_ba("", &p->hdr_ba, &p->rdata, 0);
374 mem_realloc_data(p->rdata.data, p->rdata.offset);
377 /*** now the authentication ***/
383 generate_random_buffer(challenge, 8, False);
385 /*** authentication info ***/
387 make_rpc_hdr_auth(&p->auth_info, 0x0a, 0x06, 0, 1);
388 smb_io_rpc_hdr_auth("", &p->auth_info, &p->rverf, 0);
389 mem_realloc_data(p->rverf.data, p->rverf.offset);
391 /*** NTLMSSP verifier ***/
393 make_rpc_auth_verifier(&p->auth_verifier,
394 "NTLMSSP", NTLMSSP_CHALLENGE);
395 smb_io_rpc_auth_verifier("", &p->auth_verifier, &p->rauth, 0);
396 mem_realloc_data(p->rauth.data, p->rauth.offset);
398 /* NTLMSSP challenge ***/
400 make_rpc_auth_ntlmssp_chal(&p->ntlmssp_chal,
401 0x000082b1, challenge);
402 smb_io_rpc_auth_ntlmssp_chal("", &p->ntlmssp_chal, &p->rntlm, 0);
403 mem_realloc_data(p->rntlm.data, p->rntlm.offset);
407 /*** then do the header, now we know the length ***/
410 make_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
412 p->rdata.offset + p->rverf.offset + p->rauth.offset + p->rntlm.offset + 0x10,
413 p->rauth.offset + p->rntlm.offset);
415 smb_io_rpc_hdr("", &p->hdr, &p->rhdr, 0);
416 mem_realloc_data(p->rhdr.data, p->rdata.offset);
419 /*** link rpc header, bind acknowledgment and authentication responses ***/
424 prs_link(NULL , &p->rhdr , &p->rdata);
425 prs_link(&p->rhdr , &p->rdata, &p->rverf);
426 prs_link(&p->rdata, &p->rverf, &p->rauth);
427 prs_link(&p->rverf, &p->rauth, &p->rntlm);
428 prs_link(&p->rauth, &p->rntlm, NULL );
432 prs_link(NULL , &p->rhdr , &p->rdata);
433 prs_link(&p->rhdr, &p->rdata, NULL );
439 static BOOL api_pipe_request(pipes_struct *p, prs_struct *pd)
443 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++)
445 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
446 api_fd_commands[i].fn != NULL)
448 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
449 return api_fd_commands[i].fn(p, pd);
455 BOOL rpc_command(pipes_struct *p, prs_struct *pd)
458 if (pd->data == NULL) return False;
460 /* process the rpc header */
461 smb_io_rpc_hdr("", &p->hdr, pd, 0);
463 if (pd->offset == 0) return False;
465 switch (p->hdr.pkt_type)
469 reply = api_pipe_bind_req(p, pd);
474 reply = api_pipe_request (p, pd);
477 case RPC_BINDRESP: /* not the real name! */
479 reply = api_pipe_bind_auth_resp(p, pd);
489 /*******************************************************************
490 receives a netlogon pipe and responds.
491 ********************************************************************/
492 static BOOL api_rpc_command(pipes_struct *p,
493 char *rpc_name, struct api_struct *api_rpc_cmds,
497 DEBUG(4,("api_rpc_command: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
499 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++)
501 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL)
503 DEBUG(3,("api_rpc_command: %s\n", api_rpc_cmds[fn_num].name));
508 if (api_rpc_cmds[fn_num].name == NULL)
510 DEBUG(4, ("unknown\n"));
514 /* start off with 1024 bytes, and a large safety margin too */
515 mem_buf_init(&(p->rdata.data), SAFETY_MARGIN);
516 mem_alloc_data(p->rdata.data, 1024);
521 p->rdata.data->offset.start = 0;
522 p->rdata.data->offset.end = 0xffffffff;
524 /* do the actual command */
526 api_rpc_cmds[fn_num].fn(p->vuid, data, &(p->rdata));
528 if (p->rdata.data == NULL || p->rdata.offset == 0)
530 mem_free_data(p->rdata.data);
534 mem_realloc_data(p->rdata.data, p->rdata.offset);
536 DEBUG(10,("called %s\n", rpc_name));
542 /*******************************************************************
543 receives a netlogon pipe and responds.
544 ********************************************************************/
545 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, struct api_struct *api_rpc_cmds,
548 if (data == NULL || data->data == NULL)
550 DEBUG(2,("%s: NULL data received\n", rpc_name));
554 /* read the rpc header */
555 smb_io_rpc_hdr_req("req", &(p->hdr_req), data, 0);
557 /* interpret the command */
558 if (!api_rpc_command(p, rpc_name, api_rpc_cmds, data))
563 /* create the rpc header */
564 if (!create_rpc_reply(p, 0, p->rdata.offset))
569 p->frag_len_left = p->hdr.frag_len - p->file_offset;
570 p->next_frag_start = p->hdr.frag_len;
572 /* set up the data chain */
573 p->rhdr.data->offset.start = 0;
574 p->rhdr.data->offset.end = p->rhdr.offset;
575 p->rhdr.data->next = p->rdata.data;
577 p->rdata.data->offset.start = p->rhdr.data->offset.end;
578 p->rdata.data->offset.end = p->rhdr.data->offset.end + p->rdata.offset;
579 p->rdata.data->next = NULL;
585 /*******************************************************************
586 gets a domain user's groups
587 ********************************************************************/
588 void get_domain_user_groups(char *domain_groups, char *user)
592 if (domain_groups == NULL || user == NULL) return;
594 /* any additional groups this user is in. e.g power users */
595 pstrcpy(domain_groups, lp_domain_groups());
597 /* can only be a user or a guest. cannot be guest _and_ admin */
598 if (user_in_list(user, lp_domain_guest_group()))
600 slprintf(tmp, sizeof(tmp) - 1, " %ld/7 ", DOMAIN_GROUP_RID_GUESTS);
601 pstrcat(domain_groups, tmp);
603 DEBUG(3,("domain guest group access %s granted\n", tmp));
607 slprintf(tmp, sizeof(tmp) -1, " %ld/7 ", DOMAIN_GROUP_RID_USERS);
608 pstrcat(domain_groups, tmp);
610 DEBUG(3,("domain group access %s granted\n", tmp));
612 if (user_in_list(user, lp_domain_admin_group()))
614 slprintf(tmp, sizeof(tmp) - 1, " %ld/7 ", DOMAIN_GROUP_RID_ADMINS);
615 pstrcat(domain_groups, tmp);
617 DEBUG(3,("domain admin group access %s granted\n", tmp));
623 /*******************************************************************
625 ********************************************************************/
626 uint32 lookup_group_name(uint32 rid, char *group_name, uint32 *type)
629 (*type) = SID_NAME_DOM_GRP;
631 DEBUG(5,("lookup_group_name: rid: %d", rid));
633 while (domain_group_rids[i].rid != rid && domain_group_rids[i].rid != 0)
638 if (domain_group_rids[i].rid != 0)
640 fstrcpy(group_name, domain_group_rids[i].name);
641 DEBUG(5,(" = %s\n", group_name));
645 DEBUG(5,(" none mapped\n"));
646 return 0xC0000000 | NT_STATUS_NONE_MAPPED;
649 /*******************************************************************
651 ********************************************************************/
652 uint32 lookup_alias_name(uint32 rid, char *alias_name, uint32 *type)
655 (*type) = SID_NAME_WKN_GRP;
657 DEBUG(5,("lookup_alias_name: rid: %d", rid));
659 while (builtin_alias_rids[i].rid != rid && builtin_alias_rids[i].rid != 0)
664 if (builtin_alias_rids[i].rid != 0)
666 fstrcpy(alias_name, builtin_alias_rids[i].name);
667 DEBUG(5,(" = %s\n", alias_name));
671 DEBUG(5,(" none mapped\n"));
672 return 0xC0000000 | NT_STATUS_NONE_MAPPED;
675 /*******************************************************************
677 ********************************************************************/
678 uint32 lookup_user_name(uint32 rid, char *user_name, uint32 *type)
680 struct sam_disp_info *disp_info;
682 (*type) = SID_NAME_USER;
684 DEBUG(5,("lookup_user_name: rid: %d", rid));
686 /* look up the well-known domain user rids first */
687 while (domain_user_rids[i].rid != rid && domain_user_rids[i].rid != 0)
692 if (domain_user_rids[i].rid != 0)
694 fstrcpy(user_name, domain_user_rids[i].name);
695 DEBUG(5,(" = %s\n", user_name));
699 /* ok, it's a user. find the user account */
701 disp_info = getsamdisprid(rid);
704 if (disp_info != NULL)
706 fstrcpy(user_name, disp_info->smb_name);
707 DEBUG(5,(" = %s\n", user_name));
711 DEBUG(5,(" none mapped\n"));
712 return 0xC0000000 | NT_STATUS_NONE_MAPPED;
715 /*******************************************************************
717 ********************************************************************/
718 uint32 lookup_group_rid(char *group_name, uint32 *rid)
721 int i = -1; /* start do loop at -1 */
723 do /* find, if it exists, a group rid for the group name*/
726 (*rid) = domain_group_rids[i].rid;
727 grp_name = domain_group_rids[i].name;
729 } while (grp_name != NULL && !strequal(grp_name, group_name));
731 return (grp_name != NULL) ? 0 : 0xC0000000 | NT_STATUS_NONE_MAPPED;
734 /*******************************************************************
736 ********************************************************************/
737 uint32 lookup_alias_rid(char *alias_name, uint32 *rid)
740 int i = -1; /* start do loop at -1 */
742 do /* find, if it exists, a alias rid for the alias name*/
745 (*rid) = builtin_alias_rids[i].rid;
746 als_name = builtin_alias_rids[i].name;
748 } while (als_name != NULL && !strequal(als_name, alias_name));
750 return (als_name != NULL) ? 0 : 0xC0000000 | NT_STATUS_NONE_MAPPED;
753 /*******************************************************************
755 ********************************************************************/
756 uint32 lookup_user_rid(char *user_name, uint32 *rid)
758 struct sam_passwd *sam_pass;
761 /* find the user account */
763 sam_pass = getsam21pwnam(user_name);
766 if (sam_pass != NULL)
768 (*rid) = sam_pass->user_rid;
772 return 0xC0000000 | NT_STATUS_NONE_MAPPED;