Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2008
Copyright (C) Stefan Metzmacher <metze@samba.org> 2005
- Copyright (C) Matthias Dieter Wallnöfer 2009
+ Copyright (C) Matthias Dieter Wallnöfer 2009-2010
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#include "libcli/security/security.h"
#include "param/param.h"
#include "lib/messaging/irpc.h"
-#include "librpc/gen_ndr/ndr_irpc.h"
-#include "cldap_server/cldap_server.h"
+#include "librpc/gen_ndr/ndr_irpc_c.h"
+#include "../libcli/ldap/ldap_ndr.h"
+#include "dsdb/samdb/ldb_modules/util.h"
#include "lib/tsocket/tsocket.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "librpc/gen_ndr/ndr_lsa.h"
+#include "librpc/gen_ndr/ndr_samr.h"
+#include "librpc/gen_ndr/ndr_irpc.h"
+#include "librpc/gen_ndr/ndr_winbind.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "lib/socket/netif.h"
+
+#define DCESRV_INTERFACE_NETLOGON_BIND(call, iface) \
+ dcesrv_interface_netlogon_bind(call, iface)
+
+/*
+ * This #define allows the netlogon interface to accept invalid
+ * association groups, because association groups are to coordinate
+ * handles, and handles are not used in NETLOGON. This in turn avoids
+ * the need to coordinate these across multiple possible NETLOGON
+ * processes
+ */
+#define DCESRV_INTERFACE_NETLOGON_FLAGS DCESRV_INTERFACE_FLAGS_HANDLES_NOT_USED
+
+static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_call_state *dce_call,
+ const struct dcesrv_interface *iface)
+{
+ return dcesrv_interface_bind_reject_connect(dce_call, iface);
+}
struct netlogon_server_pipe_state {
struct netr_Credential client_challenge;
{
struct netlogon_server_pipe_state *pipe_state =
talloc_get_type(dce_call->context->private_data, struct netlogon_server_pipe_state);
+ NTSTATUS ntstatus;
ZERO_STRUCTP(r->out.return_credentials);
- /* destroyed on pipe shutdown */
-
if (pipe_state) {
talloc_free(pipe_state);
dce_call->context->private_data = NULL;
dce_call->context->private_data = pipe_state;
+ ntstatus = schannel_save_challenge(dce_call->conn->dce_ctx->lp_ctx,
+ &pipe_state->client_challenge,
+ &pipe_state->server_challenge,
+ r->in.computer_name);
+ if (!NT_STATUS_IS_OK(ntstatus)) {
+ return ntstatus;
+ }
+
return NT_STATUS_OK;
}
{
struct netlogon_server_pipe_state *pipe_state =
talloc_get_type(dce_call->context->private_data, struct netlogon_server_pipe_state);
+ bool challenge_valid = false;
+ struct netlogon_server_pipe_state challenge;
struct netlogon_creds_CredentialState *creds;
struct ldb_context *sam_ctx;
- struct samr_Password *mach_pwd;
+ struct samr_Password *curNtHash = NULL;
+ struct samr_Password *prevNtHash = NULL;
uint32_t user_account_control;
int num_records;
struct ldb_message **msgs;
NTSTATUS nt_status;
const char *attrs[] = {"unicodePwd", "userAccountControl",
"objectSid", NULL};
-
- const char *trust_dom_attrs[] = {"flatname", NULL};
const char *account_name;
+ uint32_t server_flags = 0;
+ uint32_t negotiate_flags = 0;
+ bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
+ bool reject_des_client = !allow_nt4_crypto;
+ bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
+ int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
+ bool reject_none_rpc = (schannel == true);
ZERO_STRUCTP(r->out.return_credentials);
*r->out.rid = 0;
+ if (pipe_state != NULL) {
+ dce_call->context->private_data = NULL;
+
+ /*
+ * If we had a challenge remembered on the connection
+ * consider this for usage. This can't be cleanup
+ * by other clients.
+ *
+ * This is the default code path for typical clients
+ * which call netr_ServerReqChallenge() and
+ * netr_ServerAuthenticate3() on the same dcerpc connection.
+ */
+ challenge = *pipe_state;
+
+ challenge_valid = true;
+
+ } else {
+ NTSTATUS ntstatus;
+
+ /*
+ * Fallback and try to get the challenge from
+ * the global cache.
+ *
+ * If too many clients are using this code path,
+ * they may destroy their cache entries as the
+ * TDB has a fixed size limited via a lossy hash
+ *
+ * The TDB used is the schannel store, which is
+ * initialised at startup.
+ *
+ * NOTE: The challenge is deleted from the DB as soon as it is
+ * fetched, to prevent reuse.
+ *
+ */
+
+ ntstatus = schannel_get_challenge(dce_call->conn->dce_ctx->lp_ctx,
+ &challenge.client_challenge,
+ &challenge.server_challenge,
+ r->in.computer_name);
+
+ if (!NT_STATUS_IS_OK(ntstatus)) {
+ ZERO_STRUCT(challenge);
+ } else {
+ challenge_valid = true;
+ }
+ }
+
+ server_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
+ NETLOGON_NEG_PERSISTENT_SAMREPL |
+ NETLOGON_NEG_ARCFOUR |
+ NETLOGON_NEG_PROMOTION_COUNT |
+ NETLOGON_NEG_CHANGELOG_BDC |
+ NETLOGON_NEG_FULL_SYNC_REPL |
+ NETLOGON_NEG_MULTIPLE_SIDS |
+ NETLOGON_NEG_REDO |
+ NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
+ NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
+ NETLOGON_NEG_GENERIC_PASSTHROUGH |
+ NETLOGON_NEG_CONCURRENT_RPC |
+ NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
+ NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
+ NETLOGON_NEG_STRONG_KEYS |
+ NETLOGON_NEG_TRANSITIVE_TRUSTS |
+ NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
+ NETLOGON_NEG_PASSWORD_SET2 |
+ NETLOGON_NEG_GETDOMAININFO |
+ NETLOGON_NEG_CROSS_FOREST_TRUSTS |
+ NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
+ NETLOGON_NEG_RODC_PASSTHROUGH |
+ NETLOGON_NEG_SUPPORTS_AES |
+ NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
+ NETLOGON_NEG_AUTHENTICATED_RPC;
+
+ negotiate_flags = *r->in.negotiate_flags & server_flags;
+
+ if (negotiate_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
+ reject_none_rpc = false;
+ }
+
+ if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
+ reject_des_client = false;
+ }
+
+ if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ reject_des_client = false;
+ reject_md5_client = false;
+ }
+
+ if (reject_des_client || reject_md5_client) {
+ /*
+ * Here we match Windows 2012 and return no flags.
+ */
+ *r->out.negotiate_flags = 0;
+ return NT_STATUS_DOWNGRADE_DETECTED;
+ }
+
+ /*
+ * This talloc_free is important to prevent re-use of the
+ * challenge. We have to delay it this far due to NETApp
+ * servers per:
+ * https://bugzilla.samba.org/show_bug.cgi?id=11291
+ */
+ TALLOC_FREE(pipe_state);
+
+ /*
+ * At this point we must also cleanup the TDB cache
+ * entry, if we fail the client needs to call
+ * netr_ServerReqChallenge again.
+ *
+ * Note: this handles a non existing record just fine,
+ * the r->in.computer_name might not be the one used
+ * in netr_ServerReqChallenge(), but we are trying to
+ * just tidy up the normal case to prevent re-use.
+ */
+ schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx,
+ r->in.computer_name);
+
/*
* According to Microsoft (see bugid #6099)
* Windows 7 looks at the negotiate_flags
* returned in this structure *even if the
* call fails with access denied!
*/
- *r->out.negotiate_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
- NETLOGON_NEG_PERSISTENT_SAMREPL |
- NETLOGON_NEG_ARCFOUR |
- NETLOGON_NEG_PROMOTION_COUNT |
- NETLOGON_NEG_CHANGELOG_BDC |
- NETLOGON_NEG_FULL_SYNC_REPL |
- NETLOGON_NEG_MULTIPLE_SIDS |
- NETLOGON_NEG_REDO |
- NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
- NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
- NETLOGON_NEG_GENERIC_PASSTHROUGH |
- NETLOGON_NEG_CONCURRENT_RPC |
- NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
- NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
- NETLOGON_NEG_STRONG_KEYS |
- NETLOGON_NEG_TRANSITIVE_TRUSTS |
- NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
- NETLOGON_NEG_PASSWORD_SET2 |
- NETLOGON_NEG_GETDOMAININFO |
- NETLOGON_NEG_CROSS_FOREST_TRUSTS |
- NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
- NETLOGON_NEG_RODC_PASSTHROUGH |
- NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
- NETLOGON_NEG_AUTHENTICATED_RPC;
-
- if (!pipe_state) {
- DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
+ *r->out.negotiate_flags = negotiate_flags;
+
+ if (reject_none_rpc) {
+ /* schannel must be used, but client did not offer it. */
+ DEBUG(0,("%s: schannel required but client failed "
+ "to offer it. Client was %s\n",
+ __func__, r->in.account_name));
return NT_STATUS_ACCESS_DENIED;
}
+ switch (r->in.secure_channel_type) {
+ case SEC_CHAN_WKSTA:
+ case SEC_CHAN_DNS_DOMAIN:
+ case SEC_CHAN_DOMAIN:
+ case SEC_CHAN_BDC:
+ case SEC_CHAN_RODC:
+ break;
+ case SEC_CHAN_NULL:
+ return NT_STATUS_INVALID_PARAMETER;
+ default:
+ DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
+ r->in.secure_channel_type));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx,
- system_session(dce_call->conn->dce_ctx->lp_ctx));
+ system_session(dce_call->conn->dce_ctx->lp_ctx), 0);
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
- if (r->in.secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
- char *encoded_account = ldb_binary_encode_string(mem_ctx, r->in.account_name);
- const char *flatname;
- if (!encoded_account) {
+ if (r->in.secure_channel_type == SEC_CHAN_DOMAIN ||
+ r->in.secure_channel_type == SEC_CHAN_DNS_DOMAIN)
+ {
+ struct ldb_message *tdo_msg = NULL;
+ const char * const tdo_attrs[] = {
+ "trustAuthIncoming",
+ "trustAttributes",
+ "flatName",
+ NULL
+ };
+ char *encoded_name = NULL;
+ size_t len;
+ const char *flatname = NULL;
+ char trailer = '$';
+ bool require_trailer = true;
+ const char *netbios = NULL;
+ const char *dns = NULL;
+
+ if (r->in.secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
+ trailer = '.';
+ require_trailer = false;
+ }
+
+ encoded_name = ldb_binary_encode_string(mem_ctx,
+ r->in.account_name);
+ if (encoded_name == NULL) {
return NT_STATUS_NO_MEMORY;
}
- /* Kill the trailing dot */
- if (encoded_account[strlen(encoded_account)-1] == '.') {
- encoded_account[strlen(encoded_account)-1] = '\0';
+ len = strlen(encoded_name);
+ if (len < 2) {
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
- /* pull the user attributes */
- num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs,
- trust_dom_attrs,
- "(&(trustPartner=%s)(objectclass=trustedDomain))",
- encoded_account);
+ if (require_trailer && encoded_name[len - 1] != trailer) {
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
+ }
+ encoded_name[len - 1] = '\0';
- if (num_records == 0) {
- DEBUG(3,("Couldn't find trust [%s] in samdb.\n",
- encoded_account));
- return NT_STATUS_ACCESS_DENIED;
+ if (r->in.secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
+ dns = encoded_name;
+ } else {
+ netbios = encoded_name;
}
- if (num_records > 1) {
- DEBUG(0,("Found %d records matching user [%s]\n", num_records, r->in.account_name));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ nt_status = dsdb_trust_search_tdo(sam_ctx,
+ netbios, dns,
+ tdo_attrs, mem_ctx, &tdo_msg);
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ DEBUG(2, ("Client asked for a trusted domain secure channel, "
+ "but there's no tdo for [%s] => [%s] \n",
+ r->in.account_name, encoded_name));
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
+ }
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
- flatname = ldb_msg_find_attr_as_string(msgs[0], "flatname", NULL);
- if (!flatname) {
- /* No flatname for this trust - we can't proceed */
- return NT_STATUS_ACCESS_DENIED;
+ nt_status = dsdb_trust_get_incoming_passwords(tdo_msg, mem_ctx,
+ &curNtHash,
+ &prevNtHash);
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) {
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
+ }
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
- account_name = talloc_asprintf(mem_ctx, "%s$", flatname);
- if (!account_name) {
- return NT_STATUS_NO_MEMORY;
+ flatname = ldb_msg_find_attr_as_string(tdo_msg, "flatName", NULL);
+ if (flatname == NULL) {
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
+ account_name = talloc_asprintf(mem_ctx, "%s$", flatname);
+ if (account_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
} else {
account_name = r->in.account_name;
}
if (num_records == 0) {
DEBUG(3,("Couldn't find user [%s] in samdb.\n",
r->in.account_name));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
if (num_records > 1) {
if (user_account_control & UF_ACCOUNTDISABLE) {
DEBUG(1, ("Account [%s] is disabled\n", r->in.account_name));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
if (r->in.secure_channel_type == SEC_CHAN_WKSTA) {
if (!(user_account_control & UF_WORKSTATION_TRUST_ACCOUNT)) {
DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", user_account_control));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
} else if (r->in.secure_channel_type == SEC_CHAN_DOMAIN ||
r->in.secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
if (!(user_account_control & UF_INTERDOMAIN_TRUST_ACCOUNT)) {
DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", user_account_control));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
} else if (r->in.secure_channel_type == SEC_CHAN_BDC) {
if (!(user_account_control & UF_SERVER_TRUST_ACCOUNT)) {
DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", user_account_control));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
+ }
+ } else if (r->in.secure_channel_type == SEC_CHAN_RODC) {
+ if (!(user_account_control & UF_PARTIAL_SECRETS_ACCOUNT)) {
+ DEBUG(1, ("Client asked for a RODC secure channel, but is not a RODC: acb flags: 0x%x\n", user_account_control));
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
} else {
- DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
- r->in.secure_channel_type));
- return NT_STATUS_ACCESS_DENIED;
+ /* we should never reach this */
+ return NT_STATUS_INTERNAL_ERROR;
}
- *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
- "objectSid", 0);
+ if (!(user_account_control & UF_INTERDOMAIN_TRUST_ACCOUNT)) {
+ nt_status = samdb_result_passwords_no_lockout(mem_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ msgs[0], NULL, &curNtHash);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
+
+ if (curNtHash == NULL) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
- mach_pwd = samdb_result_hash(mem_ctx, msgs[0], "unicodePwd");
- if (mach_pwd == NULL) {
+ if (!challenge_valid) {
+ DEBUG(1, ("No challenge requested by client [%s/%s], "
+ "cannot authenticate\n",
+ r->in.computer_name,
+ r->in.account_name));
return NT_STATUS_ACCESS_DENIED;
}
r->in.account_name,
r->in.computer_name,
r->in.secure_channel_type,
- &pipe_state->client_challenge,
- &pipe_state->server_challenge,
- mach_pwd,
+ &challenge.client_challenge,
+ &challenge.server_challenge,
+ curNtHash,
r->in.credentials,
r->out.return_credentials,
- *r->in.negotiate_flags);
-
- if (!creds) {
+ negotiate_flags);
+ if (creds == NULL && prevNtHash != NULL) {
+ /*
+ * We fallback to the previous password for domain trusts.
+ *
+ * Note that lpcfg_old_password_allowed_period() doesn't
+ * apply here.
+ */
+ creds = netlogon_creds_server_init(mem_ctx,
+ r->in.account_name,
+ r->in.computer_name,
+ r->in.secure_channel_type,
+ &challenge.client_challenge,
+ &challenge.server_challenge,
+ prevNtHash,
+ r->in.credentials,
+ r->out.return_credentials,
+ negotiate_flags);
+ }
+ if (creds == NULL) {
return NT_STATUS_ACCESS_DENIED;
}
creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
nt_status = schannel_save_creds_state(mem_ctx,
- lp_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+ dce_call->conn->dce_ctx->lp_ctx,
creds);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ ZERO_STRUCTP(r->out.return_credentials);
+ return nt_status;
+ }
- return nt_status;
+ *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
+ "objectSid", 0);
+
+ return NT_STATUS_OK;
}
static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
/*
* If schannel is required for this call test that it actually is available.
*/
-static NTSTATUS schannel_check_required(struct dcerpc_auth *auth_info,
+static NTSTATUS schannel_check_required(const struct dcesrv_auth *auth_info,
const char *computer_name,
bool integrity, bool privacy)
{
struct netlogon_creds_CredentialState **creds_out)
{
NTSTATUS nt_status;
- struct dcerpc_auth *auth_info = dce_call->conn->auth_state.auth_info;
- bool schannel_global_required = false; /* Should be lp_schannel_server() == true */
+ int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
+ bool schannel_global_required = (schannel == true);
if (schannel_global_required) {
- nt_status = schannel_check_required(auth_info,
+ nt_status = schannel_check_required(&dce_call->conn->auth_state,
computer_name,
true, false);
if (!NT_STATUS_IS_OK(nt_status)) {
}
nt_status = schannel_check_creds_state(mem_ctx,
- lp_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+ dce_call->conn->dce_ctx->lp_ctx,
computer_name,
received_authenticator,
return_authenticator,
{
struct netlogon_creds_CredentialState *creds;
struct ldb_context *sam_ctx;
+ const char * const attrs[] = { "unicodePwd", NULL };
+ struct ldb_message **res;
+ struct samr_Password *oldNtHash;
NTSTATUS nt_status;
+ int ret;
nt_status = dcesrv_netr_creds_server_step_check(dce_call,
mem_ctx,
&creds);
NT_STATUS_NOT_OK_RETURN(nt_status);
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(dce_call->conn->dce_ctx->lp_ctx));
+ sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(dce_call->conn->dce_ctx->lp_ctx), 0);
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
netlogon_creds_des_decrypt(creds, r->in.new_password);
+ /* fetch the old password hashes (the NT hash has to exist) */
+
+ ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs,
+ "(&(objectClass=user)(objectSid=%s))",
+ ldap_encode_ndr_dom_sid(mem_ctx, creds->sid));
+ if (ret != 1) {
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
+ nt_status = samdb_result_passwords_no_lockout(mem_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ res[0], NULL, &oldNtHash);
+ if (!NT_STATUS_IS_OK(nt_status) || !oldNtHash) {
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
/* Using the sid for the account as the key, set the password */
nt_status = samdb_set_password_sid(sam_ctx, mem_ctx,
creds->sid,
+ NULL, /* Don't have version */
NULL, /* Don't have plaintext */
NULL, r->in.new_password,
- true, /* Password change */
+ NULL, oldNtHash, /* Password change */
NULL, NULL);
return nt_status;
}
{
struct netlogon_creds_CredentialState *creds;
struct ldb_context *sam_ctx;
+ const char * const attrs[] = { "dBCSPwd", "unicodePwd", NULL };
+ struct ldb_message **res;
+ struct samr_Password *oldLmHash, *oldNtHash;
+ struct NL_PASSWORD_VERSION version = {};
+ const uint32_t *new_version = NULL;
NTSTATUS nt_status;
DATA_BLOB new_password;
-
+ int ret;
struct samr_CryptPassword password_buf;
nt_status = dcesrv_netr_creds_server_step_check(dce_call,
&creds);
NT_STATUS_NOT_OK_RETURN(nt_status);
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(dce_call->conn->dce_ctx->lp_ctx));
+ sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(dce_call->conn->dce_ctx->lp_ctx), 0);
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
memcpy(password_buf.data, r->in.new_password->data, 512);
SIVAL(password_buf.data, 512, r->in.new_password->length);
- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
+
+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ netlogon_creds_aes_decrypt(creds, password_buf.data, 516);
+ } else {
+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
+ }
+
+ switch (creds->secure_channel_type) {
+ case SEC_CHAN_DOMAIN:
+ case SEC_CHAN_DNS_DOMAIN: {
+ uint32_t len = IVAL(password_buf.data, 512);
+ if (len <= 500) {
+ uint32_t ofs = 500 - len;
+ uint8_t *p;
+
+ p = password_buf.data + ofs;
+
+ version.ReservedField = IVAL(p, 0);
+ version.PasswordVersionNumber = IVAL(p, 4);
+ version.PasswordVersionPresent = IVAL(p, 8);
+
+ if (version.PasswordVersionPresent == NETLOGON_PASSWORD_VERSION_NUMBER_PRESENT) {
+ new_version = &version.PasswordVersionNumber;
+ }
+ }}
+ break;
+ default:
+ break;
+ }
if (!extract_pw_from_buffer(mem_ctx, password_buf.data, &new_password)) {
DEBUG(3,("samr: failed to decode password buffer\n"));
return NT_STATUS_WRONG_PASSWORD;
}
+ /* fetch the old password hashes (at least one of both has to exist) */
+
+ ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs,
+ "(&(objectClass=user)(objectSid=%s))",
+ ldap_encode_ndr_dom_sid(mem_ctx, creds->sid));
+ if (ret != 1) {
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
+ nt_status = samdb_result_passwords_no_lockout(mem_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ res[0], &oldLmHash, &oldNtHash);
+ if (!NT_STATUS_IS_OK(nt_status) || (!oldLmHash && !oldNtHash)) {
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
/* Using the sid for the account as the key, set the password */
nt_status = samdb_set_password_sid(sam_ctx, mem_ctx,
creds->sid,
+ new_version,
&new_password, /* we have plaintext */
NULL, NULL,
- true, /* Password change */
+ oldLmHash, oldNtHash, /* Password change */
NULL, NULL);
return nt_status;
}
}
+static NTSTATUS dcesrv_netr_LogonSamLogon_check(const struct netr_LogonSamLogonEx *r)
+{
+ switch (r->in.logon_level) {
+ case NetlogonInteractiveInformation:
+ case NetlogonServiceInformation:
+ case NetlogonInteractiveTransitiveInformation:
+ case NetlogonServiceTransitiveInformation:
+ if (r->in.logon->password == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ switch (r->in.validation_level) {
+ case NetlogonValidationSamInfo: /* 2 */
+ case NetlogonValidationSamInfo2: /* 3 */
+ case NetlogonValidationSamInfo4: /* 6 */
+ break;
+ default:
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ break;
+ case NetlogonNetworkInformation:
+ case NetlogonNetworkTransitiveInformation:
+ if (r->in.logon->network == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ switch (r->in.validation_level) {
+ case NetlogonValidationSamInfo: /* 2 */
+ case NetlogonValidationSamInfo2: /* 3 */
+ case NetlogonValidationSamInfo4: /* 6 */
+ break;
+ default:
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ break;
+
+ case NetlogonGenericInformation:
+ if (r->in.logon->generic == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ switch (r->in.validation_level) {
+ /* TODO: case NetlogonValidationGenericInfo: 4 */
+ case NetlogonValidationGenericInfo2: /* 5 */
+ break;
+ default:
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ break;
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ return NT_STATUS_OK;
+}
+
/*
netr_LogonSamLogon_base
This version of the function allows other wrappers to say 'do not check the credentials'
- We can't do the traditional 'wrapping' format completly, as this function must only run under schannel
+ We can't do the traditional 'wrapping' format completely, as this
+ function must only run under schannel
*/
static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_LogonSamLogonEx *r, struct netlogon_creds_CredentialState *creds)
{
- struct auth_context *auth_context;
- struct auth_usersupplied_info *user_info;
- struct auth_serversupplied_info *server_info;
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+ const char *workgroup = lpcfg_workgroup(lp_ctx);
+ struct auth4_context *auth_context = NULL;
+ struct auth_usersupplied_info *user_info = NULL;
+ struct auth_user_info_dc *user_info_dc = NULL;
NTSTATUS nt_status;
- static const char zeros[16];
- struct netr_SamBaseInfo *sam;
- struct netr_SamInfo2 *sam2;
- struct netr_SamInfo3 *sam3;
- struct netr_SamInfo6 *sam6;
+ struct netr_SamInfo2 *sam2 = NULL;
+ struct netr_SamInfo3 *sam3 = NULL;
+ struct netr_SamInfo6 *sam6 = NULL;
+
+ *r->out.authoritative = 1;
- user_info = talloc(mem_ctx, struct auth_usersupplied_info);
+ user_info = talloc_zero(mem_ctx, struct auth_usersupplied_info);
NT_STATUS_HAVE_NO_MEMORY(user_info);
- user_info->flags = 0;
- user_info->mapped_state = false;
- user_info->remote_host = NULL;
+ netlogon_creds_decrypt_samlogon_logon(creds,
+ r->in.logon_level,
+ r->in.logon);
switch (r->in.logon_level) {
case NetlogonInteractiveInformation:
case NetlogonServiceInformation:
case NetlogonInteractiveTransitiveInformation:
case NetlogonServiceTransitiveInformation:
- if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- netlogon_creds_arcfour_crypt(creds,
- r->in.logon->password->lmpassword.hash,
- sizeof(r->in.logon->password->lmpassword.hash));
- netlogon_creds_arcfour_crypt(creds,
- r->in.logon->password->ntpassword.hash,
- sizeof(r->in.logon->password->ntpassword.hash));
- } else {
- netlogon_creds_des_decrypt(creds, &r->in.logon->password->lmpassword);
- netlogon_creds_des_decrypt(creds, &r->in.logon->password->ntpassword);
- }
/* TODO: we need to deny anonymous access here */
nt_status = auth_context_create(mem_ctx,
user_info->password.response.lanman = data_blob_talloc(mem_ctx, r->in.logon->network->lm.data, r->in.logon->network->lm.length);
user_info->password.response.nt = data_blob_talloc(mem_ctx, r->in.logon->network->nt.data, r->in.logon->network->nt.length);
+ nt_status = NTLMv2_RESPONSE_verify_netlogon_creds(
+ user_info->client.account_name,
+ user_info->client.domain_name,
+ user_info->password.response.nt,
+ creds, workgroup);
+ NT_STATUS_NOT_OK_RETURN(nt_status);
+
break;
case NetlogonGenericInformation:
{
- if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- netlogon_creds_arcfour_crypt(creds,
- r->in.logon->generic->data, r->in.logon->generic->length);
+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ /* OK */
+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ /* OK */
} else {
/* Using DES to verify kerberos tickets makes no sense */
return NT_STATUS_INVALID_PARAMETER;
if (strcmp(r->in.logon->generic->package_name.string, "Kerberos") == 0) {
NTSTATUS status;
- struct server_id *kdc;
+ struct dcerpc_binding_handle *irpc_handle;
struct kdc_check_generic_kerberos check;
struct netr_GenericInfo2 *generic = talloc_zero(mem_ctx, struct netr_GenericInfo2);
NT_STATUS_HAVE_NO_MEMORY(generic);
r->out.validation->generic = generic;
- kdc = irpc_servers_byname(dce_call->msg_ctx, mem_ctx, "kdc_server");
- if ((kdc == NULL) || (kdc[0].id == 0)) {
+ irpc_handle = irpc_binding_handle_by_name(mem_ctx,
+ dce_call->msg_ctx,
+ "kdc_server",
+ &ndr_table_irpc);
+ if (irpc_handle == NULL) {
return NT_STATUS_NO_LOGON_SERVERS;
}
data_blob_const(r->in.logon->generic->data,
r->in.logon->generic->length);
- status = irpc_call(dce_call->msg_ctx, kdc[0],
- &ndr_table_irpc, NDR_KDC_CHECK_GENERIC_KERBEROS,
- &check, mem_ctx);
+ /*
+ * TODO: make this async and avoid
+ * dcerpc_binding_handle_set_sync_ev()
+ */
+ dcerpc_binding_handle_set_sync_ev(irpc_handle,
+ dce_call->event_ctx);
+ status = dcerpc_kdc_check_generic_kerberos_r(irpc_handle,
+ mem_ctx,
+ &check);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return NT_STATUS_INVALID_PARAMETER;
}
- nt_status = auth_check_password(auth_context, mem_ctx, user_info, &server_info);
+ nt_status = auth_check_password(auth_context, mem_ctx, user_info, &user_info_dc);
+ /* TODO: set *r->out.authoritative = 0 on specific errors */
NT_STATUS_NOT_OK_RETURN(nt_status);
switch (r->in.validation_level) {
case 2:
- nt_status = auth_convert_server_info_sambaseinfo(mem_ctx, server_info, &sam);
+ nt_status = auth_convert_user_info_dc_saminfo2(mem_ctx,
+ user_info_dc,
+ &sam2);
NT_STATUS_NOT_OK_RETURN(nt_status);
- sam2 = talloc_zero(mem_ctx, struct netr_SamInfo2);
- NT_STATUS_HAVE_NO_MEMORY(sam2);
- sam2->base = *sam;
-
- /* And put into the talloc tree */
- talloc_steal(sam2, sam);
r->out.validation->sam2 = sam2;
-
- sam = &sam2->base;
break;
case 3:
- nt_status = auth_convert_server_info_saminfo3(mem_ctx,
- server_info,
- &sam3);
+ nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx,
+ user_info_dc,
+ &sam3);
NT_STATUS_NOT_OK_RETURN(nt_status);
r->out.validation->sam3 = sam3;
-
- sam = &sam3->base;
break;
case 6:
- nt_status = auth_convert_server_info_saminfo3(mem_ctx,
- server_info,
- &sam3);
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
- sam6 = talloc_zero(mem_ctx, struct netr_SamInfo6);
- NT_STATUS_HAVE_NO_MEMORY(sam6);
- sam6->base = sam3->base;
- sam = &sam6->base;
- sam6->sidcount = sam3->sidcount;
- sam6->sids = sam3->sids;
+ if (dce_call->conn->auth_state.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- sam6->dns_domainname.string = lp_dnsdomain(dce_call->conn->dce_ctx->lp_ctx);
- sam6->principle.string = talloc_asprintf(mem_ctx, "%s@%s",
- sam->account_name.string, sam6->dns_domainname.string);
- NT_STATUS_HAVE_NO_MEMORY(sam6->principle.string);
- /* And put into the talloc tree */
- talloc_steal(sam6, sam3);
+ nt_status = auth_convert_user_info_dc_saminfo6(mem_ctx,
+ user_info_dc,
+ &sam6);
+ NT_STATUS_NOT_OK_RETURN(nt_status);
r->out.validation->sam6 = sam6;
break;
default:
- break;
+ return NT_STATUS_INVALID_INFO_CLASS;
}
- /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
- /* It appears that level 6 is not individually encrypted */
- if ((r->in.validation_level != 6) &&
- memcmp(sam->key.key, zeros, sizeof(sam->key.key)) != 0) {
- /* This key is sent unencrypted without the ARCFOUR flag set */
- if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- netlogon_creds_arcfour_crypt(creds,
- sam->key.key,
- sizeof(sam->key.key));
- }
- }
-
- /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
- /* It appears that level 6 is not individually encrypted */
- if ((r->in.validation_level != 6) &&
- memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) {
- if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- netlogon_creds_arcfour_crypt(creds,
- sam->LMSessKey.key,
- sizeof(sam->LMSessKey.key));
- } else {
- netlogon_creds_des_encrypt_LMKey(creds,
- &sam->LMSessKey);
- }
- }
-
- *r->out.authoritative = 1;
+ netlogon_creds_encrypt_samlogon_validation(creds,
+ r->in.validation_level,
+ r->out.validation);
/* TODO: Describe and deal with these flags */
*r->out.flags = 0;
NTSTATUS nt_status;
struct netlogon_creds_CredentialState *creds;
+ *r->out.authoritative = 1;
+
+ nt_status = dcesrv_netr_LogonSamLogon_check(r);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
nt_status = schannel_get_creds_state(mem_ctx,
- lp_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+ dce_call->conn->dce_ctx->lp_ctx,
r->in.computer_name, &creds);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
- if (!dce_call->conn->auth_state.auth_info ||
- dce_call->conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+ if (dce_call->conn->auth_state.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
return NT_STATUS_ACCESS_DENIED;
}
return dcesrv_netr_LogonSamLogon_base(dce_call, mem_ctx, r, creds);
struct netr_Authenticator *return_authenticator;
- return_authenticator = talloc(mem_ctx, struct netr_Authenticator);
- NT_STATUS_HAVE_NO_MEMORY(return_authenticator);
-
- nt_status = dcesrv_netr_creds_server_step_check(dce_call,
- mem_ctx,
- r->in.computer_name,
- r->in.credential, return_authenticator,
- &creds);
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
ZERO_STRUCT(r2);
r2.in.server_name = r->in.server_name;
r2.out.authoritative = r->out.authoritative;
r2.out.flags = r->out.flags;
+ *r->out.authoritative = 1;
+
+ nt_status = dcesrv_netr_LogonSamLogon_check(&r2);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ return_authenticator = talloc(mem_ctx, struct netr_Authenticator);
+ NT_STATUS_HAVE_NO_MEMORY(return_authenticator);
+
+ nt_status = dcesrv_netr_creds_server_step_check(dce_call,
+ mem_ctx,
+ r->in.computer_name,
+ r->in.credential, return_authenticator,
+ &creds);
+ NT_STATUS_NOT_OK_RETURN(nt_status);
+
nt_status = dcesrv_netr_LogonSamLogon_base(dce_call, mem_ctx, &r2, creds);
r->out.return_authenticator = return_authenticator;
int ret;
const char *dcname;
+ /*
+ * [MS-NRPC] 3.5.5.3.4 NetrGetDCName says
+ * that the domainname needs to be a valid netbios domain
+ * name, if it is not NULL.
+ */
+ if (r->in.domainname) {
+ const char *dot = strchr(r->in.domainname, '.');
+ size_t len = strlen(r->in.domainname);
+
+ if (dot || len > 15) {
+ return WERR_NERR_DCNOTFOUND;
+ }
+
+ /*
+ * TODO: Should we also varify that only valid
+ * netbios name characters are used?
+ */
+ }
+
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
dce_call->conn->dce_ctx->lp_ctx,
- dce_call->conn->auth_state.session_info);
+ dce_call->conn->auth_state.session_info, 0);
if (sam_ctx == NULL) {
return WERR_DS_UNAVAILABLE;
}
domain_dn = samdb_domain_to_dn(sam_ctx, mem_ctx,
r->in.domainname);
if (domain_dn == NULL) {
- return WERR_DS_UNAVAILABLE;
+ return WERR_NO_SUCH_DOMAIN;
}
ret = gendb_search_dn(sam_ctx, mem_ctx,
* - check all r->in.* parameters (server_unc is ignored by w2k3!)
*/
dcname = talloc_asprintf(mem_ctx, "\\\\%s",
- lp_netbios_name(dce_call->conn->dce_ctx->lp_ctx));
+ lpcfg_netbios_name(dce_call->conn->dce_ctx->lp_ctx));
W_ERROR_HAVE_NO_MEMORY(dcname);
*r->out.dcname = dcname;
return WERR_OK;
}
+struct dcesrv_netr_LogonControl_base_state {
+ struct dcesrv_call_state *dce_call;
-/*
- netr_LogonControl2Ex
-*/
-static WERROR dcesrv_netr_LogonControl2Ex(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct netr_LogonControl2Ex *r)
+ TALLOC_CTX *mem_ctx;
+
+ struct netr_LogonControl2Ex r;
+
+ struct {
+ struct netr_LogonControl *l;
+ struct netr_LogonControl2 *l2;
+ struct netr_LogonControl2Ex *l2ex;
+ } _r;
+};
+
+static void dcesrv_netr_LogonControl_base_done(struct tevent_req *subreq);
+
+static WERROR dcesrv_netr_LogonControl_base_call(struct dcesrv_netr_LogonControl_base_state *state)
{
- return WERR_NOT_SUPPORTED;
+ struct dcesrv_connection *conn = state->dce_call->conn;
+ struct loadparm_context *lp_ctx = state->dce_call->conn->dce_ctx->lp_ctx;
+ struct auth_session_info *session_info = conn->auth_state.session_info;
+ enum security_user_level security_level;
+ struct dcerpc_binding_handle *irpc_handle;
+ struct tevent_req *subreq;
+ bool ok;
+
+ /* TODO: check for WERR_INVALID_COMPUTERNAME ? */
+
+ if (state->_r.l != NULL) {
+ /*
+ * netr_LogonControl
+ */
+ if (state->r.in.level == 0x00000002) {
+ return WERR_NOT_SUPPORTED;
+ } else if (state->r.in.level != 0x00000001) {
+ return WERR_INVALID_LEVEL;
+ }
+
+ switch (state->r.in.function_code) {
+ case NETLOGON_CONTROL_QUERY:
+ case NETLOGON_CONTROL_REPLICATE:
+ case NETLOGON_CONTROL_SYNCHRONIZE:
+ case NETLOGON_CONTROL_PDC_REPLICATE:
+ case NETLOGON_CONTROL_BREAKPOINT:
+ case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
+ case NETLOGON_CONTROL_TRUNCATE_LOG:
+ break;
+ default:
+ return WERR_NOT_SUPPORTED;
+ }
+ }
+
+ if (state->r.in.level < 0x00000001) {
+ return WERR_INVALID_LEVEL;
+ }
+
+ if (state->r.in.level > 0x00000004) {
+ return WERR_INVALID_LEVEL;
+ }
+
+ if (state->r.in.function_code == NETLOGON_CONTROL_QUERY) {
+ struct netr_NETLOGON_INFO_1 *info1 = NULL;
+ struct netr_NETLOGON_INFO_3 *info3 = NULL;
+
+ switch (state->r.in.level) {
+ case 0x00000001:
+ info1 = talloc_zero(state->mem_ctx,
+ struct netr_NETLOGON_INFO_1);
+ if (info1 == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ state->r.out.query->info1 = info1;
+ return WERR_OK;
+
+ case 0x00000003:
+ info3 = talloc_zero(state->mem_ctx,
+ struct netr_NETLOGON_INFO_3);
+ if (info3 == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ state->r.out.query->info3 = info3;
+ return WERR_OK;
+
+ default:
+ return WERR_INVALID_PARAMETER;
+ }
+ }
+
+ /*
+ * Some validations are done before the access check
+ * and some after the access check
+ */
+ security_level = security_session_user_level(session_info, NULL);
+ if (security_level < SECURITY_ADMINISTRATOR) {
+ return WERR_ACCESS_DENIED;
+ }
+
+ if (state->_r.l2 != NULL) {
+ /*
+ * netr_LogonControl2
+ */
+ if (state->r.in.level == 0x00000004) {
+ return WERR_INVALID_LEVEL;
+ }
+ }
+
+ switch (state->r.in.level) {
+ case 0x00000001:
+ break;
+
+ case 0x00000002:
+ switch (state->r.in.function_code) {
+ case NETLOGON_CONTROL_REDISCOVER:
+ case NETLOGON_CONTROL_TC_QUERY:
+ case NETLOGON_CONTROL_TC_VERIFY:
+ break;
+ default:
+ return WERR_INVALID_PARAMETER;
+ }
+
+ break;
+
+ case 0x00000003:
+ break;
+
+ case 0x00000004:
+ if (state->r.in.function_code != NETLOGON_CONTROL_FIND_USER) {
+ return WERR_INVALID_PARAMETER;
+ }
+
+ break;
+
+ default:
+ return WERR_INVALID_LEVEL;
+ }
+
+ switch (state->r.in.function_code) {
+ case NETLOGON_CONTROL_REDISCOVER:
+ case NETLOGON_CONTROL_TC_QUERY:
+ case NETLOGON_CONTROL_TC_VERIFY:
+ if (state->r.in.level != 2) {
+ return WERR_INVALID_PARAMETER;
+ }
+
+ if (state->r.in.data == NULL) {
+ return WERR_INVALID_PARAMETER;
+ }
+
+ if (state->r.in.data->domain == NULL) {
+ return WERR_INVALID_PARAMETER;
+ }
+
+ break;
+
+ case NETLOGON_CONTROL_CHANGE_PASSWORD:
+ if (state->r.in.level != 1) {
+ return WERR_INVALID_PARAMETER;
+ }
+
+ if (state->r.in.data == NULL) {
+ return WERR_INVALID_PARAMETER;
+ }
+
+ if (state->r.in.data->domain == NULL) {
+ return WERR_INVALID_PARAMETER;
+ }
+
+ ok = lpcfg_is_my_domain_or_realm(lp_ctx,
+ state->r.in.data->domain);
+ if (!ok) {
+ struct ldb_context *sam_ctx;
+
+ sam_ctx = samdb_connect(state, state->dce_call->event_ctx,
+ lp_ctx, system_session(lp_ctx), 0);
+ if (sam_ctx == NULL) {
+ return WERR_DS_UNAVAILABLE;
+ }
+
+ /*
+ * Secrets for trusted domains can only be triggered on
+ * the PDC.
+ */
+ ok = samdb_is_pdc(sam_ctx);
+ TALLOC_FREE(sam_ctx);
+ if (!ok) {
+ return WERR_INVALID_DOMAIN_ROLE;
+ }
+ }
+
+ break;
+ default:
+ return WERR_NOT_SUPPORTED;
+ }
+
+ irpc_handle = irpc_binding_handle_by_name(state,
+ state->dce_call->msg_ctx,
+ "winbind_server",
+ &ndr_table_winbind);
+ if (irpc_handle == NULL) {
+ DEBUG(0,("Failed to get binding_handle for winbind_server task\n"));
+ state->dce_call->fault_code = DCERPC_FAULT_CANT_PERFORM;
+ return WERR_SERVICE_NOT_FOUND;
+ }
+
+ /*
+ * 60 seconds timeout should be enough
+ */
+ dcerpc_binding_handle_set_timeout(irpc_handle, 60);
+
+ subreq = dcerpc_winbind_LogonControl_send(state,
+ state->dce_call->event_ctx,
+ irpc_handle,
+ state->r.in.function_code,
+ state->r.in.level,
+ state->r.in.data,
+ state->r.out.query);
+ if (subreq == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ state->dce_call->state_flags |= DCESRV_CALL_STATE_FLAG_ASYNC;
+ tevent_req_set_callback(subreq,
+ dcesrv_netr_LogonControl_base_done,
+ state);
+
+ return WERR_OK;
}
+static void dcesrv_netr_LogonControl_base_done(struct tevent_req *subreq)
+{
+ struct dcesrv_netr_LogonControl_base_state *state =
+ tevent_req_callback_data(subreq,
+ struct dcesrv_netr_LogonControl_base_state);
+ NTSTATUS status;
+
+ status = dcerpc_winbind_LogonControl_recv(subreq, state->mem_ctx,
+ &state->r.out.result);
+ TALLOC_FREE(subreq);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT)) {
+ state->r.out.result = WERR_TIMEOUT;
+ } else if (!NT_STATUS_IS_OK(status)) {
+ state->dce_call->fault_code = DCERPC_FAULT_CANT_PERFORM;
+ DEBUG(0,(__location__ ": IRPC callback failed %s\n",
+ nt_errstr(status)));
+ }
+
+ if (state->_r.l2ex != NULL) {
+ struct netr_LogonControl2Ex *r = state->_r.l2ex;
+ r->out.result = state->r.out.result;
+ } else if (state->_r.l2 != NULL) {
+ struct netr_LogonControl2 *r = state->_r.l2;
+ r->out.result = state->r.out.result;
+ } else if (state->_r.l != NULL) {
+ struct netr_LogonControl *r = state->_r.l;
+ r->out.result = state->r.out.result;
+ }
+
+ status = dcesrv_reply(state->dce_call);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,(__location__ ": dcesrv_reply() failed - %s\n", nt_errstr(status)));
+ }
+}
/*
netr_LogonControl
static WERROR dcesrv_netr_LogonControl(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_LogonControl *r)
{
- struct netr_LogonControl2Ex r2;
+ struct dcesrv_netr_LogonControl_base_state *state;
WERROR werr;
- if (r->in.level == 0x00000001) {
- ZERO_STRUCT(r2);
+ state = talloc_zero(mem_ctx, struct dcesrv_netr_LogonControl_base_state);
+ if (state == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
- r2.in.logon_server = r->in.logon_server;
- r2.in.function_code = r->in.function_code;
- r2.in.level = r->in.level;
- r2.in.data = NULL;
- r2.out.query = r->out.query;
+ state->dce_call = dce_call;
+ state->mem_ctx = mem_ctx;
- werr = dcesrv_netr_LogonControl2Ex(dce_call, mem_ctx, &r2);
- } else if (r->in.level == 0x00000002) {
- werr = WERR_NOT_SUPPORTED;
- } else {
- werr = WERR_UNKNOWN_LEVEL;
+ state->r.in.logon_server = r->in.logon_server;
+ state->r.in.function_code = r->in.function_code;
+ state->r.in.level = r->in.level;
+ state->r.in.data = NULL;
+ state->r.out.query = r->out.query;
+
+ state->_r.l = r;
+
+ werr = dcesrv_netr_LogonControl_base_call(state);
+
+ if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {
+ return werr;
}
return werr;
}
-
/*
netr_LogonControl2
*/
static WERROR dcesrv_netr_LogonControl2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_LogonControl2 *r)
{
- struct netr_LogonControl2Ex r2;
+ struct dcesrv_netr_LogonControl_base_state *state;
WERROR werr;
- ZERO_STRUCT(r2);
+ state = talloc_zero(mem_ctx, struct dcesrv_netr_LogonControl_base_state);
+ if (state == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
- r2.in.logon_server = r->in.logon_server;
- r2.in.function_code = r->in.function_code;
- r2.in.level = r->in.level;
- r2.in.data = r->in.data;
- r2.out.query = r->out.query;
+ state->dce_call = dce_call;
+ state->mem_ctx = mem_ctx;
+
+ state->r.in.logon_server = r->in.logon_server;
+ state->r.in.function_code = r->in.function_code;
+ state->r.in.level = r->in.level;
+ state->r.in.data = r->in.data;
+ state->r.out.query = r->out.query;
- werr = dcesrv_netr_LogonControl2Ex(dce_call, mem_ctx, &r2);
+ state->_r.l2 = r;
+
+ werr = dcesrv_netr_LogonControl_base_call(state);
+
+ if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {
+ return werr;
+ }
+
+ return werr;
+}
+
+/*
+ netr_LogonControl2Ex
+*/
+static WERROR dcesrv_netr_LogonControl2Ex(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct netr_LogonControl2Ex *r)
+{
+ struct dcesrv_netr_LogonControl_base_state *state;
+ WERROR werr;
+
+ state = talloc_zero(mem_ctx, struct dcesrv_netr_LogonControl_base_state);
+ if (state == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ state->dce_call = dce_call;
+ state->mem_ctx = mem_ctx;
+
+ state->r = *r;
+ state->_r.l2ex = r;
+
+ werr = dcesrv_netr_LogonControl_base_call(state);
+
+ if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {
+ return werr;
+ }
return werr;
}
if ((r->in.domainname == NULL) || (r->in.domainname[0] == '\0')) {
/* if the domainname parameter wasn't set assume our domain */
- r->in.domainname = lp_workgroup(lp_ctx);
+ r->in.domainname = lpcfg_workgroup(lp_ctx);
}
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info);
+ dce_call->conn->auth_state.session_info, 0);
if (sam_ctx == NULL) {
return WERR_DS_UNAVAILABLE;
}
- if (strcasecmp(r->in.domainname, lp_workgroup(lp_ctx)) == 0) {
+ if (strcasecmp(r->in.domainname, lpcfg_workgroup(lp_ctx)) == 0) {
/* well we asked for a DC of our own domain */
if (samdb_is_pdc(sam_ctx)) {
/* we are the PDC of the specified domain */
}
*r->out.dcname = talloc_asprintf(mem_ctx, "\\%s",
- lp_netbios_name(lp_ctx));
+ lpcfg_netbios_name(lp_ctx));
W_ERROR_HAVE_NO_MEMORY(*r->out.dcname);
return WERR_OK;
/*
- netr_NetrEnumerateTurstedDomains
+ netr_NetrEnumerateTrustedDomains
*/
-static WERROR dcesrv_netr_NetrEnumerateTrustedDomains(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+static NTSTATUS dcesrv_netr_NetrEnumerateTrustedDomains(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_NetrEnumerateTrustedDomains *r)
{
DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_LogonGetCapabilities *r)
{
- /* we don't support AES yet */
- return NT_STATUS_NOT_IMPLEMENTED;
+ struct netlogon_creds_CredentialState *creds;
+ NTSTATUS status;
+
+ status = dcesrv_netr_creds_server_step_check(dce_call,
+ mem_ctx,
+ r->in.computer_name,
+ r->in.credential,
+ r->out.return_authenticator,
+ &creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,(__location__ " Bad credentials - error\n"));
+ }
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ if (r->in.query_level != 1) {
+ return NT_STATUS_NOT_SUPPORTED;
+ }
+
+ r->out.capabilities->server_capabilities = creds->negotiate_flags;
+
+ return NT_STATUS_OK;
}
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info);
+ dce_call->conn->auth_state.session_info, 0);
if (sam_ctx == NULL) {
return WERR_DS_UNAVAILABLE;
}
+ /*
+ * We assume to be a DC when we get called over NETLOGON. Hence we
+ * get our site name always by using "samdb_server_site_name()"
+ * and not "samdb_client_site_name()".
+ */
*r->out.site = samdb_server_site_name(sam_ctx, mem_ctx);
W_ERROR_HAVE_NO_MEMORY(*r->out.site);
}
if (is_local) {
- info->domainname.string = lp_workgroup(lp_ctx);
- info->dns_domainname.string = lp_dnsdomain(lp_ctx);
+ info->domainname.string = lpcfg_workgroup(lp_ctx);
+ info->dns_domainname.string = lpcfg_dnsdomain(lp_ctx);
info->domain_guid = samdb_result_guid(res, "objectGUID");
info->domain_sid = samdb_result_dom_sid(mem_ctx, res, "objectSid");
} else {
- info->domainname.string = samdb_result_string(res, "flatName", NULL);
- info->dns_domainname.string = samdb_result_string(res, "trustPartner", NULL);
+ info->domainname.string = ldb_msg_find_attr_as_string(res, "flatName", NULL);
+ info->dns_domainname.string = ldb_msg_find_attr_as_string(res, "trustPartner", NULL);
info->domain_guid = samdb_result_guid(res, "objectGUID");
info->domain_sid = samdb_result_dom_sid(mem_ctx, res, "securityIdentifier");
}
struct netlogon_creds_CredentialState *creds;
const char * const attrs[] = { "objectSid", "objectGUID", "flatName",
"securityIdentifier", "trustPartner", NULL };
- const char * const attrs2[] = { "dNSHostName",
+ const char * const attrs2[] = { "sAMAccountName", "dNSHostName",
"msDS-SupportedEncryptionTypes", NULL };
- const char *temp_str, *temp_str2;
- const char *old_dns_hostname;
+ const char *sam_account_name, *old_dns_hostname, *prefix1, *prefix2;
struct ldb_context *sam_ctx;
struct ldb_message **res1, **res2, **res3, *new_msg;
struct ldb_dn *workstation_dn;
struct netr_DomainInformation *domain_info;
struct netr_LsaPolicyInformation *lsa_policy_info;
- struct netr_OsVersionInfoEx *os_version;
uint32_t default_supported_enc_types = 0xFFFFFFFF;
bool update_dns_hostname = true;
int ret, ret3, i;
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
dce_call->conn->dce_ctx->lp_ctx,
- system_session(dce_call->conn->dce_ctx->lp_ctx));
+ system_session(dce_call->conn->dce_ctx->lp_ctx), 0);
if (sam_ctx == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
return NT_STATUS_INVALID_PARAMETER;
}
- /*
- * Updates the DNS hostname when the client wishes that the
- * server should handle this for him
- * ("NETR_WS_FLAG_HANDLES_SPN_UPDATE" not set).
- * See MS-NRPC section 3.5.4.3.9
- */
- if ((r->in.query->workstation_info->workstation_flags
- & NETR_WS_FLAG_HANDLES_SPN_UPDATE) != 0) {
- update_dns_hostname = false;
+ /* Prepares the workstation DN */
+ workstation_dn = ldb_dn_new_fmt(mem_ctx, sam_ctx, "<SID=%s>",
+ dom_sid_string(mem_ctx, creds->sid));
+ NT_STATUS_HAVE_NO_MEMORY(workstation_dn);
+
+ /* Lookup for attributes in workstation object */
+ ret = gendb_search_dn(sam_ctx, mem_ctx, workstation_dn, &res1,
+ attrs2);
+ if (ret != 1) {
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ /* Gets the sam account name which is checked against the DNS
+ * hostname parameter. */
+ sam_account_name = ldb_msg_find_attr_as_string(res1[0],
+ "sAMAccountName",
+ NULL);
+ if (sam_account_name == NULL) {
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
/*
- * Checks that the computer name parameter without possible "$"
+ * Checks that the sam account name without a possible "$"
* matches as prefix with the DNS hostname in the workstation
* info structure.
*/
- temp_str = talloc_strndup(mem_ctx,
- r->in.computer_name,
- strcspn(r->in.computer_name, "$"));
- NT_STATUS_HAVE_NO_MEMORY(temp_str);
- temp_str2 = talloc_strndup(mem_ctx,
- r->in.query->workstation_info->dns_hostname,
- strcspn(r->in.query->workstation_info->dns_hostname, "."));
- NT_STATUS_HAVE_NO_MEMORY(temp_str2);
- if (strcasecmp(temp_str, temp_str2) != 0) {
+ prefix1 = talloc_strndup(mem_ctx, sam_account_name,
+ strcspn(sam_account_name, "$"));
+ NT_STATUS_HAVE_NO_MEMORY(prefix1);
+ if (r->in.query->workstation_info->dns_hostname != NULL) {
+ prefix2 = talloc_strndup(mem_ctx,
+ r->in.query->workstation_info->dns_hostname,
+ strcspn(r->in.query->workstation_info->dns_hostname, "."));
+ NT_STATUS_HAVE_NO_MEMORY(prefix2);
+
+ if (strcasecmp(prefix1, prefix2) != 0) {
+ update_dns_hostname = false;
+ }
+ } else {
update_dns_hostname = false;
}
- /* Prepare the workstation DN */
- workstation_dn = ldb_dn_new_fmt(mem_ctx, sam_ctx, "<SID=%s>",
- dom_sid_string(mem_ctx, creds->sid));
- NT_STATUS_HAVE_NO_MEMORY(workstation_dn);
+ /* Gets the old DNS hostname */
+ old_dns_hostname = ldb_msg_find_attr_as_string(res1[0],
+ "dNSHostName",
+ NULL);
- /* Lookup for attributes in workstation object */
- ret = gendb_search_dn(sam_ctx, mem_ctx, workstation_dn,
- &res1, attrs2);
- if (ret != 1) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ /*
+ * Updates the DNS hostname when the client wishes that the
+ * server should handle this for him
+ * ("NETR_WS_FLAG_HANDLES_SPN_UPDATE" not set). And this is
+ * obviously only checked when we do already have a
+ * "dNSHostName".
+ * See MS-NRPC section 3.5.4.3.9
+ */
+ if ((old_dns_hostname != NULL) &&
+ (r->in.query->workstation_info->workstation_flags
+ & NETR_WS_FLAG_HANDLES_SPN_UPDATE) != 0) {
+ update_dns_hostname = false;
}
- /* Gets the old DNS hostname */
- old_dns_hostname = samdb_result_string(res1[0], "dNSHostName",
- NULL);
+ /* Gets host information and put them into our directory */
- /* Gets host informations and put them in our directory */
new_msg = ldb_msg_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(new_msg);
new_msg->dn = workstation_dn;
- /* Deletes old OS version values */
- samdb_msg_add_delete(sam_ctx, mem_ctx, new_msg,
- "operatingSystemServicePack");
- samdb_msg_add_delete(sam_ctx, mem_ctx, new_msg,
- "operatingSystemVersion");
+ /* Sets the OS name */
- if (dsdb_replace(sam_ctx, new_msg, 0) != LDB_SUCCESS) {
- DEBUG(3,("Impossible to update samdb: %s\n",
- ldb_errstring(sam_ctx)));
+ if (r->in.query->workstation_info->os_name.string == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
}
- talloc_free(new_msg);
-
- new_msg = ldb_msg_new(mem_ctx);
- NT_STATUS_HAVE_NO_MEMORY(new_msg);
-
- new_msg->dn = workstation_dn;
-
- /* Sets the OS name */
- samdb_msg_set_string(sam_ctx, mem_ctx, new_msg,
- "operatingSystem",
- r->in.query->workstation_info->os_name.string);
+ ret = ldb_msg_add_string(new_msg, "operatingSystem",
+ r->in.query->workstation_info->os_name.string);
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
/*
- * Sets informations from "os_version". On a empty structure
+ * Sets information from "os_version". On an empty structure
* the values are cleared.
*/
if (r->in.query->workstation_info->os_version.os != NULL) {
+ struct netr_OsVersionInfoEx *os_version;
+ const char *os_version_str;
+
os_version = &r->in.query->workstation_info->os_version.os->os;
- samdb_msg_set_string(sam_ctx, mem_ctx, new_msg,
- "operatingSystemServicePack",
- os_version->CSDVersion);
+ if (os_version->CSDVersion == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ os_version_str = talloc_asprintf(new_msg, "%u.%u (%u)",
+ os_version->MajorVersion,
+ os_version->MinorVersion,
+ os_version->BuildNumber);
+ NT_STATUS_HAVE_NO_MEMORY(os_version_str);
+
+ ret = ldb_msg_add_string(new_msg,
+ "operatingSystemServicePack",
+ os_version->CSDVersion);
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = ldb_msg_add_string(new_msg,
+ "operatingSystemVersion",
+ os_version_str);
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ ret = samdb_msg_add_delete(sam_ctx, mem_ctx, new_msg,
+ "operatingSystemServicePack");
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
- samdb_msg_set_string(sam_ctx, mem_ctx, new_msg,
- "operatingSystemVersion",
- talloc_asprintf(mem_ctx, "%d.%d (%d)",
- os_version->MajorVersion,
- os_version->MinorVersion,
- os_version->BuildNumber
- )
- );
+ ret = samdb_msg_add_delete(sam_ctx, mem_ctx, new_msg,
+ "operatingSystemVersion");
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
}
/*
* are fine to start the update.
*/
if (update_dns_hostname) {
- samdb_msg_set_string(sam_ctx, mem_ctx, new_msg,
- "dNSHostname",
- r->in.query->workstation_info->dns_hostname);
-
- samdb_msg_add_string(sam_ctx, mem_ctx, new_msg,
- "servicePrincipalName",
- talloc_asprintf(mem_ctx, "HOST/%s",
- r->in.computer_name)
- );
- samdb_msg_add_string(sam_ctx, mem_ctx, new_msg,
- "servicePrincipalName",
- talloc_asprintf(mem_ctx, "HOST/%s",
- r->in.query->workstation_info->dns_hostname)
- );
+ ret = ldb_msg_add_string(new_msg,
+ "dNSHostname",
+ r->in.query->workstation_info->dns_hostname);
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* This manual "servicePrincipalName" generation is
+ * still needed! Since the update in the samldb LDB
+ * module does only work if the entries already exist
+ * which isn't always the case. */
+ ret = ldb_msg_add_string(new_msg,
+ "servicePrincipalName",
+ talloc_asprintf(new_msg, "HOST/%s",
+ r->in.computer_name));
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = ldb_msg_add_string(new_msg,
+ "servicePrincipalName",
+ talloc_asprintf(new_msg, "HOST/%s",
+ r->in.query->workstation_info->dns_hostname));
+ if (ret != LDB_SUCCESS) {
+ return NT_STATUS_NO_MEMORY;
+ }
}
if (dsdb_replace(sam_ctx, new_msg, 0) != LDB_SUCCESS) {
NT_STATUS_NOT_OK_RETURN(status);
/* Sets the supported encryption types */
- domain_info->supported_enc_types = samdb_result_uint(res1[0],
+ domain_info->supported_enc_types = ldb_msg_find_attr_as_uint(res1[0],
"msDS-SupportedEncryptionTypes",
default_supported_enc_types);
- /* Other host domain informations */
+ /* Other host domain information */
lsa_policy_info = talloc(mem_ctx,
struct netr_LsaPolicyInformation);
}
domain_info->workstation_flags =
- r->in.query->workstation_info->workstation_flags;
+ r->in.query->workstation_info->workstation_flags & (
+ NETR_WS_FLAG_HANDLES_SPN_UPDATE | NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS);
r->out.info->domain_info = domain_info;
break;
}
-
/*
netr_ServerPasswordGet
*/
-static WERROR dcesrv_netr_ServerPasswordGet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+static NTSTATUS dcesrv_netr_ServerPasswordGet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_ServerPasswordGet *r)
{
DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
struct ldb_context *sam_ctx;
struct netr_DsRGetDCNameInfo *info;
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+ const struct tsocket_address *local_address;
+ char *local_addr = NULL;
const struct tsocket_address *remote_address;
- char *addr = NULL;
+ char *remote_addr = NULL;
const char *server_site_name;
char *guid_str;
struct netlogon_samlogon_response response;
NTSTATUS status;
+ const char *dc_name = NULL;
+ const char *domain_name = NULL;
+ const char *pdc_ip;
ZERO_STRUCTP(r->out.info);
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info);
+ dce_call->conn->auth_state.session_info, 0);
if (sam_ctx == NULL) {
return WERR_DS_UNAVAILABLE;
}
+ local_address = dcesrv_connection_get_local_address(dce_call->conn);
+ if (tsocket_address_is_inet(local_address, "ip")) {
+ local_addr = tsocket_address_inet_addr_string(local_address, mem_ctx);
+ W_ERROR_HAVE_NO_MEMORY(local_addr);
+ }
+
remote_address = dcesrv_connection_get_remote_address(dce_call->conn);
if (tsocket_address_is_inet(remote_address, "ip")) {
- addr = tsocket_address_inet_addr_string(remote_address, mem_ctx);
- W_ERROR_HAVE_NO_MEMORY(addr);
+ remote_addr = tsocket_address_inet_addr_string(remote_address, mem_ctx);
+ W_ERROR_HAVE_NO_MEMORY(remote_addr);
}
/* "server_unc" is ignored by w2k3 */
+ if (r->in.flags & ~(DSGETDC_VALID_FLAGS)) {
+ return WERR_INVALID_FLAGS;
+ }
+
+ if (r->in.flags & DS_GC_SERVER_REQUIRED &&
+ r->in.flags & DS_PDC_REQUIRED &&
+ r->in.flags & DS_KDC_REQUIRED) {
+ return WERR_INVALID_FLAGS;
+ }
+ if (r->in.flags & DS_IS_FLAT_NAME &&
+ r->in.flags & DS_IS_DNS_NAME) {
+ return WERR_INVALID_FLAGS;
+ }
+ if (r->in.flags & DS_RETURN_DNS_NAME &&
+ r->in.flags & DS_RETURN_FLAT_NAME) {
+ return WERR_INVALID_FLAGS;
+ }
+ if (r->in.flags & DS_DIRECTORY_SERVICE_REQUIRED &&
+ r->in.flags & DS_DIRECTORY_SERVICE_6_REQUIRED) {
+ return WERR_INVALID_FLAGS;
+ }
+
+ if (r->in.flags & DS_GOOD_TIMESERV_PREFERRED &&
+ r->in.flags &
+ (DS_DIRECTORY_SERVICE_REQUIRED |
+ DS_DIRECTORY_SERVICE_PREFERRED |
+ DS_GC_SERVER_REQUIRED |
+ DS_PDC_REQUIRED |
+ DS_KDC_REQUIRED)) {
+ return WERR_INVALID_FLAGS;
+ }
+
+ if (r->in.flags & DS_TRY_NEXTCLOSEST_SITE &&
+ r->in.site_name) {
+ return WERR_INVALID_FLAGS;
+ }
+
/* Proof server site parameter "site_name" if it was specified */
server_site_name = samdb_server_site_name(sam_ctx, mem_ctx);
W_ERROR_HAVE_NO_MEMORY(server_site_name);
return WERR_NO_SUCH_DOMAIN;
}
- /* TODO: the flags are ignored for now */
-
guid_str = r->in.domain_guid != NULL ?
GUID_string(mem_ctx, r->in.domain_guid) : NULL;
r->in.domain_name,
NULL, guid_str,
r->in.client_account,
- r->in.mask, addr,
+ r->in.mask, remote_addr,
NETLOGON_NT_VERSION_5EX_WITH_IP,
lp_ctx, &response, true);
if (!NT_STATUS_IS_OK(status)) {
return ntstatus_to_werror(status);
}
+ /*
+ * According to MS-NRPC 2.2.1.2.1 we should set the "DS_DNS_FOREST_ROOT"
+ * (O) flag when the returned forest name is in DNS format. This is here
+ * always the case (see below).
+ */
+ response.data.nt5_ex.server_type |= DS_DNS_FOREST_ROOT;
+
+ if (r->in.flags & DS_RETURN_DNS_NAME) {
+ dc_name = response.data.nt5_ex.pdc_dns_name;
+ domain_name = response.data.nt5_ex.dns_domain;
+ /*
+ * According to MS-NRPC 2.2.1.2.1 we should set the
+ * "DS_DNS_CONTROLLER" (M) and "DS_DNS_DOMAIN" (N) flags when
+ * the returned information is in DNS form.
+ */
+ response.data.nt5_ex.server_type |=
+ DS_DNS_CONTROLLER | DS_DNS_DOMAIN;
+ } else if (r->in.flags & DS_RETURN_FLAT_NAME) {
+ dc_name = response.data.nt5_ex.pdc_name;
+ domain_name = response.data.nt5_ex.domain_name;
+ } else {
+
+ /*
+ * TODO: autodetect what we need to return
+ * based on the given arguments
+ */
+ dc_name = response.data.nt5_ex.pdc_name;
+ domain_name = response.data.nt5_ex.domain_name;
+ }
+
+ if (!dc_name || !dc_name[0]) {
+ return WERR_NO_SUCH_DOMAIN;
+ }
+
+ if (!domain_name || !domain_name[0]) {
+ return WERR_NO_SUCH_DOMAIN;
+ }
+
info = talloc(mem_ctx, struct netr_DsRGetDCNameInfo);
W_ERROR_HAVE_NO_MEMORY(info);
- info->dc_unc = talloc_asprintf(mem_ctx, "\\\\%s",
- response.data.nt5_ex.pdc_dns_name);
+ info->dc_unc = talloc_asprintf(mem_ctx, "%s%s",
+ dc_name[0] != '\\'? "\\\\":"",
+ talloc_strdup(mem_ctx, dc_name));
W_ERROR_HAVE_NO_MEMORY(info->dc_unc);
- info->dc_address = talloc_asprintf(mem_ctx, "\\\\%s",
- response.data.nt5_ex.sockaddr.pdc_ip);
+
+ pdc_ip = local_addr;
+ if (pdc_ip == NULL) {
+ pdc_ip = "127.0.0.1";
+ }
+ info->dc_address = talloc_asprintf(mem_ctx, "\\\\%s", pdc_ip);
W_ERROR_HAVE_NO_MEMORY(info->dc_address);
- info->dc_address_type = DS_ADDRESS_TYPE_INET; /* TODO: make this dynamic? for ipv6 */
+ info->dc_address_type = DS_ADDRESS_TYPE_INET;
info->domain_guid = response.data.nt5_ex.domain_uuid;
- info->domain_name = response.data.nt5_ex.dns_domain;
+ info->domain_name = domain_name;
info->forest_name = response.data.nt5_ex.forest;
info->dc_flags = response.data.nt5_ex.server_type;
+ if (r->in.flags & DS_RETURN_DNS_NAME) {
+ /* As MS-NRPC.pdf in 2.2.1.2.1 the DS_DNS_CONTROLLER flag should be
+ * returned if we are returning info->dc_unc containing a FQDN.
+ * This attribute is called DomainControllerName in the specs,
+ * it seems that we decide to return FQDN or netbios depending on
+ * DS_RETURN_DNS_NAME.
+ */
+ info->dc_flags |= DS_DNS_CONTROLLER;
+ }
info->dc_site_name = response.data.nt5_ex.server_site;
info->client_site_name = response.data.nt5_ex.client_site;
r2.in.domain_name = r->in.domain_name;
r2.in.domain_guid = r->in.domain_guid;
- r2.in.site_name = NULL; /* should fill in from site GUID */
+ r2.in.site_name = NULL; /* this is correct, we should ignore site GUID */
r2.in.flags = r->in.flags;
r2.out.info = r->out.info;
struct ldb_context *sam_ctx;
struct netr_DsRAddressToSitenamesExWCtr *ctr;
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
- uint16_t sin_family;
+ sa_family_t sin_family;
struct sockaddr_in *addr;
#ifdef HAVE_IPV6
struct sockaddr_in6 *addr6;
uint32_t i;
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info);
+ dce_call->conn->auth_state.session_info, 0);
if (sam_ctx == NULL) {
return WERR_DS_UNAVAILABLE;
}
ctr->sitename[i].string = NULL;
ctr->subnetname[i].string = NULL;
- if (r->in.addresses[i].size < sizeof(sin_family)) {
+ if (r->in.addresses[i].size < sizeof(sa_family_t)) {
continue;
}
- sin_family = SVAL(r->in.addresses[i].buffer, 0);
+ /* The first two byte of the buffer are reserved for the
+ * "sin_family" but for now only the first one is used. */
+ sin_family = r->in.addresses[i].buffer[0];
switch (sin_family) {
case AF_INET:
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info);
+ dce_call->conn->auth_state.session_info, 0);
if (sam_ctx == NULL) {
return WERR_DS_UNAVAILABLE;
}
}
-#define GET_CHECK_STR(dest, mem, msg, attr) \
-do {\
- const char *s; \
- s = samdb_result_string(msg, attr, NULL); \
- if (!s) { \
- DEBUG(0, ("DB Error, TustedDomain entry (%s) " \
- "without flatname\n", \
- ldb_dn_get_linearized(msg->dn))); \
- continue; \
- } \
- dest = talloc_strdup(mem, s); \
- W_ERROR_HAVE_NO_MEMORY(dest); \
-} while(0)
-
-
static WERROR fill_trusted_domains_array(TALLOC_CTX *mem_ctx,
struct ldb_context *sam_ctx,
struct netr_DomainTrustList *trusts,
ldb_get_default_basedn(sam_ctx),
"(&(objectClass=container)(cn=System))");
if (!system_dn) {
- return WERR_GENERAL_FAILURE;
+ return WERR_GEN_FAILURE;
}
ret = gendb_search(sam_ctx, mem_ctx, system_dn,
unsigned int trust_dir;
uint32_t flags = 0;
- trust_dir = samdb_result_uint(dom_res[i],
- "trustDirection", 0);
+ trust_dir = ldb_msg_find_attr_as_uint(dom_res[i],
+ "trustDirection", 0);
if (trust_dir & LSA_TRUST_DIRECTION_INBOUND) {
flags |= NETR_TRUST_FLAG_INBOUND;
n + 1);
W_ERROR_HAVE_NO_MEMORY(trusts->array);
- GET_CHECK_STR(trusts->array[n].netbios_name, trusts,
- dom_res[i], "flatname");
- GET_CHECK_STR(trusts->array[n].dns_name, trusts,
- dom_res[i], "trustPartner");
+ trusts->array[n].netbios_name = talloc_steal(trusts->array, ldb_msg_find_attr_as_string(dom_res[i], "flatname", NULL));
+ if (!trusts->array[n].netbios_name) {
+ DEBUG(0, ("DB Error, TrustedDomain entry (%s) "
+ "without flatname\n",
+ ldb_dn_get_linearized(dom_res[i]->dn)));
+ }
+
+ trusts->array[n].dns_name = talloc_steal(trusts->array, ldb_msg_find_attr_as_string(dom_res[i], "trustPartner", NULL));
trusts->array[n].trust_flags = flags;
if ((trust_flags & NETR_TRUST_FLAG_IN_FOREST) &&
}
trusts->array[n].trust_type =
- samdb_result_uint(dom_res[i],
+ ldb_msg_find_attr_as_uint(dom_res[i],
"trustType", 0);
trusts->array[n].trust_attributes =
- samdb_result_uint(dom_res[i],
+ ldb_msg_find_attr_as_uint(dom_res[i],
"trustAttributes", 0);
- if ((trusts->array[n].trust_type == NETR_TRUST_TYPE_MIT) ||
- (trusts->array[n].trust_type == NETR_TRUST_TYPE_DCE)) {
+ if ((trusts->array[n].trust_type == LSA_TRUST_TYPE_MIT) ||
+ (trusts->array[n].trust_type == LSA_TRUST_TYPE_DCE)) {
struct dom_sid zero_sid;
ZERO_STRUCT(zero_sid);
trusts->array[n].sid =
struct ldb_message **dom_res;
const char * const dom_attrs[] = { "objectSid", "objectGUID", NULL };
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
- const char *dnsdomain = lp_dnsdomain(lp_ctx);
+ const char *dnsdomain = lpcfg_dnsdomain(lp_ctx);
const char *p;
WERROR werr;
r->out.trusts = trusts;
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info);
+ dce_call->conn->auth_state.session_info, 0);
if (sam_ctx == NULL) {
- return WERR_GENERAL_FAILURE;
+ return WERR_GEN_FAILURE;
}
if ((r->in.trust_flags & NETR_TRUST_FLAG_INBOUND) ||
/* NOTE: we currently are always the root of the forest */
if (r->in.trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
- int n = trusts->count;
+ uint32_t n = trusts->count;
ret = gendb_search_dn(sam_ctx, mem_ctx, NULL,
&dom_res, dom_attrs);
if (ret != 1) {
- return WERR_GENERAL_FAILURE;
+ return WERR_GEN_FAILURE;
}
trusts->count = n + 1;
trusts->count);
W_ERROR_HAVE_NO_MEMORY(trusts->array);
- trusts->array[n].netbios_name = lp_workgroup(lp_ctx);
- trusts->array[n].dns_name = lp_dnsdomain(lp_ctx);
+ trusts->array[n].netbios_name = lpcfg_workgroup(lp_ctx);
+ trusts->array[n].dns_name = lpcfg_dnsdomain(lp_ctx);
trusts->array[n].trust_flags =
NETR_TRUST_FLAG_NATIVE |
NETR_TRUST_FLAG_TREEROOT |
NETR_TRUST_FLAG_PRIMARY;
/* we are always the root domain for now */
trusts->array[n].parent_index = 0;
- trusts->array[n].trust_type = NETR_TRUST_TYPE_UPLEVEL;
+ trusts->array[n].trust_type = LSA_TRUST_TYPE_UPLEVEL;
trusts->array[n].trust_attributes = 0;
trusts->array[n].sid = samdb_result_dom_sid(mem_ctx,
dom_res[0],
}
+static NTSTATUS dcesrv_netr_ServerGetTrustInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct netr_ServerGetTrustInfo *r);
+
/*
netr_ServerTrustPasswordsGet
*/
static NTSTATUS dcesrv_netr_ServerTrustPasswordsGet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_ServerTrustPasswordsGet *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-
-static WERROR fill_forest_trust_array(TALLOC_CTX *mem_ctx,
- struct ldb_context *sam_ctx,
- struct loadparm_context *lp_ctx,
- struct lsa_ForestTrustInformation *info)
-{
- struct lsa_ForestTrustDomainInfo *domain_info;
- struct lsa_ForestTrustRecord *e;
- struct ldb_message **dom_res;
- const char * const dom_attrs[] = { "objectSid", NULL };
- int ret;
-
- /* we need to provide 2 entries:
- * 1. the Root Forest name
- * 2. the Domain Information
- */
-
- info->count = 2;
- info->entries = talloc_array(info, struct lsa_ForestTrustRecord *, 2);
- W_ERROR_HAVE_NO_MEMORY(info->entries);
-
- /* Forest root info */
- e = talloc(info, struct lsa_ForestTrustRecord);
- W_ERROR_HAVE_NO_MEMORY(e);
-
- e->flags = 0;
- e->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
- e->time = 0; /* so far always 0 in trces. */
- e->forest_trust_data.top_level_name.string = samdb_forest_name(sam_ctx,
- mem_ctx);
- W_ERROR_HAVE_NO_MEMORY(e->forest_trust_data.top_level_name.string);
-
- info->entries[0] = e;
-
- /* Domain info */
- e = talloc(info, struct lsa_ForestTrustRecord);
- W_ERROR_HAVE_NO_MEMORY(e);
-
- /* get our own domain info */
- ret = gendb_search_dn(sam_ctx, mem_ctx, NULL, &dom_res, dom_attrs);
- if (ret != 1) {
- return WERR_GENERAL_FAILURE;
- }
+ struct netr_ServerGetTrustInfo r2 = {};
+ struct netr_TrustInfo *_ti = NULL;
+ NTSTATUS status;
- /* TODO: check if disabled and set flags accordingly */
- e->flags = 0;
- e->type = LSA_FOREST_TRUST_DOMAIN_INFO;
- e->time = 0; /* so far always 0 in traces. */
+ r2.in.server_name = r->in.server_name;
+ r2.in.account_name = r->in.account_name;
+ r2.in.secure_channel_type = r->in.secure_channel_type;
+ r2.in.computer_name = r->in.computer_name;
+ r2.in.credential = r->in.credential;
- domain_info = &e->forest_trust_data.domain_info;
- domain_info->domain_sid = samdb_result_dom_sid(info, dom_res[0],
- "objectSid");
- domain_info->dns_domain_name.string = lp_dnsdomain(lp_ctx);
- domain_info->netbios_domain_name.string = lp_workgroup(lp_ctx);
+ r2.out.return_authenticator = r->out.return_authenticator;
+ r2.out.new_owf_password = r->out.new_owf_password;
+ r2.out.old_owf_password = r->out.old_owf_password;
+ r2.out.trust_info = &_ti;
- info->entries[1] = e;
+ status = dcesrv_netr_ServerGetTrustInfo(dce_call, mem_ctx, &r2);
- talloc_free(dom_res);
+ r->out.return_authenticator = r2.out.return_authenticator;
+ r->out.new_owf_password = r2.out.new_owf_password;
+ r->out.old_owf_password = r2.out.old_owf_password;
- return WERR_OK;
+ return status;
}
/*
netr_DsRGetForestTrustInformation
*/
+struct dcesrv_netr_DsRGetForestTrustInformation_state {
+ struct dcesrv_call_state *dce_call;
+ TALLOC_CTX *mem_ctx;
+ struct netr_DsRGetForestTrustInformation *r;
+};
+
+static void dcesrv_netr_DsRGetForestTrustInformation_done(struct tevent_req *subreq);
+
static WERROR dcesrv_netr_DsRGetForestTrustInformation(struct dcesrv_call_state *dce_call,
TALLOC_CTX *mem_ctx,
struct netr_DsRGetForestTrustInformation *r)
{
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
- struct lsa_ForestTrustInformation *info, **info_ptr;
- struct ldb_context *sam_ctx;
- WERROR werr;
+ struct dcesrv_connection *conn = dce_call->conn;
+ struct auth_session_info *session_info = conn->auth_state.session_info;
+ enum security_user_level security_level;
+ struct ldb_context *sam_ctx = NULL;
+ struct dcesrv_netr_DsRGetForestTrustInformation_state *state = NULL;
+ struct dcerpc_binding_handle *irpc_handle = NULL;
+ struct tevent_req *subreq = NULL;
+ struct ldb_dn *domain_dn = NULL;
+ struct ldb_dn *forest_dn = NULL;
+ int cmp;
+ int forest_level;
+
+ security_level = security_session_user_level(session_info, NULL);
+ if (security_level < SECURITY_USER) {
+ return WERR_ACCESS_DENIED;
+ }
if (r->in.flags & 0xFFFFFFFE) {
return WERR_INVALID_FLAGS;
}
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info);
+ dce_call->conn->auth_state.session_info, 0);
if (sam_ctx == NULL) {
- return WERR_GENERAL_FAILURE;
+ return WERR_GEN_FAILURE;
+ }
+
+ domain_dn = ldb_get_default_basedn(sam_ctx);
+ if (domain_dn == NULL) {
+ return WERR_GEN_FAILURE;
+ }
+
+ forest_dn = ldb_get_root_basedn(sam_ctx);
+ if (forest_dn == NULL) {
+ return WERR_GEN_FAILURE;
+ }
+
+ cmp = ldb_dn_compare(domain_dn, forest_dn);
+ if (cmp != 0) {
+ return WERR_NERR_ACFNOTLOADED;
+ }
+
+ forest_level = dsdb_forest_functional_level(sam_ctx);
+ if (forest_level < DS_DOMAIN_FUNCTION_2003) {
+ return WERR_INVALID_FUNCTION;
}
if (r->in.flags & DS_GFTI_UPDATE_TDO) {
if (r->in.trusted_domain_name == NULL) {
return WERR_INVALID_FLAGS;
}
+ }
- /* TODO: establish an schannel connection with
- * r->in.trusted_domain_name and perform a
- * netr_GetForestTrustInformation call against it */
+ if (r->in.trusted_domain_name == NULL) {
+ NTSTATUS status;
- /* for now return not implementd */
- return WERR_CALL_NOT_IMPLEMENTED;
- }
+ /*
+ * information about our own domain
+ */
+ status = dsdb_trust_xref_forest_info(mem_ctx, sam_ctx,
+ r->out.forest_trust_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return ntstatus_to_werror(status);
+ }
- /* TODO: check r->in.server_name is our name */
+ return WERR_OK;
+ }
- info_ptr = talloc(mem_ctx, struct lsa_ForestTrustInformation *);
- W_ERROR_HAVE_NO_MEMORY(info_ptr);
+ /*
+ * Forward the request to winbindd
+ */
- info = talloc_zero(info_ptr, struct lsa_ForestTrustInformation);
- W_ERROR_HAVE_NO_MEMORY(info);
+ state = talloc_zero(mem_ctx,
+ struct dcesrv_netr_DsRGetForestTrustInformation_state);
+ if (state == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ state->dce_call = dce_call;
+ state->mem_ctx = mem_ctx;
+ state->r = r;
- werr = fill_forest_trust_array(mem_ctx, sam_ctx, lp_ctx, info);
- W_ERROR_NOT_OK_RETURN(werr);
+ irpc_handle = irpc_binding_handle_by_name(state,
+ state->dce_call->msg_ctx,
+ "winbind_server",
+ &ndr_table_winbind);
+ if (irpc_handle == NULL) {
+ DEBUG(0,("Failed to get binding_handle for winbind_server task\n"));
+ state->dce_call->fault_code = DCERPC_FAULT_CANT_PERFORM;
+ return WERR_SERVICE_NOT_FOUND;
+ }
- *info_ptr = info;
- r->out.forest_trust_info = info_ptr;
+ /*
+ * 60 seconds timeout should be enough
+ */
+ dcerpc_binding_handle_set_timeout(irpc_handle, 60);
+
+ subreq = dcerpc_winbind_GetForestTrustInformation_send(state,
+ state->dce_call->event_ctx,
+ irpc_handle,
+ r->in.trusted_domain_name,
+ r->in.flags,
+ r->out.forest_trust_info);
+ if (subreq == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ state->dce_call->state_flags |= DCESRV_CALL_STATE_FLAG_ASYNC;
+ tevent_req_set_callback(subreq,
+ dcesrv_netr_DsRGetForestTrustInformation_done,
+ state);
return WERR_OK;
}
+static void dcesrv_netr_DsRGetForestTrustInformation_done(struct tevent_req *subreq)
+{
+ struct dcesrv_netr_DsRGetForestTrustInformation_state *state =
+ tevent_req_callback_data(subreq,
+ struct dcesrv_netr_DsRGetForestTrustInformation_state);
+ NTSTATUS status;
+
+ status = dcerpc_winbind_GetForestTrustInformation_recv(subreq,
+ state->mem_ctx,
+ &state->r->out.result);
+ TALLOC_FREE(subreq);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT)) {
+ state->r->out.result = WERR_TIMEOUT;
+ } else if (!NT_STATUS_IS_OK(status)) {
+ state->dce_call->fault_code = DCERPC_FAULT_CANT_PERFORM;
+ DEBUG(0,(__location__ ": IRPC callback failed %s\n",
+ nt_errstr(status)));
+ }
+
+ status = dcesrv_reply(state->dce_call);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,(__location__ ": dcesrv_reply() failed - %s\n", nt_errstr(status)));
+ }
+}
/*
netr_GetForestTrustInformation
struct netr_GetForestTrustInformation *r)
{
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
- struct netlogon_creds_CredentialState *creds;
- struct lsa_ForestTrustInformation *info, **info_ptr;
- struct ldb_context *sam_ctx;
+ struct netlogon_creds_CredentialState *creds = NULL;
+ struct ldb_context *sam_ctx = NULL;
+ struct ldb_dn *domain_dn = NULL;
+ struct ldb_dn *forest_dn = NULL;
+ int cmp;
+ int forest_level;
NTSTATUS status;
- WERROR werr;
status = dcesrv_netr_creds_server_step_check(dce_call,
mem_ctx,
}
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, lp_ctx,
- dce_call->conn->auth_state.session_info);
+ dce_call->conn->auth_state.session_info, 0);
if (sam_ctx == NULL) {
- return NT_STATUS_UNSUCCESSFUL;
+ return NT_STATUS_INTERNAL_ERROR;
}
/* TODO: check r->in.server_name is our name */
- info_ptr = talloc(mem_ctx, struct lsa_ForestTrustInformation *);
- if (!info_ptr) {
- return NT_STATUS_NO_MEMORY;
+ domain_dn = ldb_get_default_basedn(sam_ctx);
+ if (domain_dn == NULL) {
+ return NT_STATUS_INTERNAL_ERROR;
}
- info = talloc_zero(info_ptr, struct lsa_ForestTrustInformation);
- if (!info) {
- return NT_STATUS_NO_MEMORY;
+
+ forest_dn = ldb_get_root_basedn(sam_ctx);
+ if (forest_dn == NULL) {
+ return NT_STATUS_INTERNAL_ERROR;
}
- werr = fill_forest_trust_array(mem_ctx, sam_ctx, lp_ctx, info);
- if (!W_ERROR_IS_OK(werr)) {
- return werror_to_ntstatus(werr);
+ cmp = ldb_dn_compare(domain_dn, forest_dn);
+ if (cmp != 0) {
+ return NT_STATUS_INVALID_DOMAIN_STATE;
}
- *info_ptr = info;
- r->out.forest_trust_info = info_ptr;
+ forest_level = dsdb_forest_functional_level(sam_ctx);
+ if (forest_level < DS_DOMAIN_FUNCTION_2003) {
+ return NT_STATUS_INVALID_DOMAIN_STATE;
+ }
+
+ status = dsdb_trust_xref_forest_info(mem_ctx, sam_ctx,
+ r->out.forest_trust_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
return NT_STATUS_OK;
}
*/
static NTSTATUS dcesrv_netr_ServerGetTrustInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_ServerGetTrustInfo *r)
+{
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+ struct netlogon_creds_CredentialState *creds = NULL;
+ struct ldb_context *sam_ctx = NULL;
+ const char * const attrs[] = {
+ "unicodePwd",
+ "sAMAccountName",
+ "userAccountControl",
+ NULL
+ };
+ struct ldb_message **res = NULL;
+ struct samr_Password *curNtHash = NULL, *prevNtHash = NULL;
+ NTSTATUS nt_status;
+ int ret;
+ const char *asid = NULL;
+ uint32_t uac = 0;
+ const char *aname = NULL;
+ struct ldb_message *tdo_msg = NULL;
+ const char * const tdo_attrs[] = {
+ "trustAuthIncoming",
+ "trustAttributes",
+ NULL
+ };
+ struct netr_TrustInfo *trust_info = NULL;
+
+ ZERO_STRUCTP(r->out.new_owf_password);
+ ZERO_STRUCTP(r->out.old_owf_password);
+
+ nt_status = dcesrv_netr_creds_server_step_check(dce_call,
+ mem_ctx,
+ r->in.computer_name,
+ r->in.credential,
+ r->out.return_authenticator,
+ &creds);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ /* TODO: check r->in.server_name is our name */
+
+ if (strcasecmp_m(r->in.account_name, creds->account_name) != 0) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (r->in.secure_channel_type != creds->secure_channel_type) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (strcasecmp_m(r->in.computer_name, creds->computer_name) != 0) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
+ lp_ctx, system_session(lp_ctx), 0);
+ if (sam_ctx == NULL) {
+ return NT_STATUS_INVALID_SYSTEM_SERVICE;
+ }
+
+ asid = ldap_encode_ndr_dom_sid(mem_ctx, creds->sid);
+ if (asid == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs,
+ "(&(objectClass=user)(objectSid=%s))",
+ asid);
+ if (ret != 1) {
+ return NT_STATUS_ACCOUNT_DISABLED;
+ }
+
+ switch (creds->secure_channel_type) {
+ case SEC_CHAN_DNS_DOMAIN:
+ case SEC_CHAN_DOMAIN:
+ uac = ldb_msg_find_attr_as_uint(res[0], "userAccountControl", 0);
+
+ if (uac & UF_ACCOUNTDISABLE) {
+ return NT_STATUS_ACCOUNT_DISABLED;
+ }
+
+ if (!(uac & UF_INTERDOMAIN_TRUST_ACCOUNT)) {
+ return NT_STATUS_ACCOUNT_DISABLED;
+ }
+
+ aname = ldb_msg_find_attr_as_string(res[0], "sAMAccountName", NULL);
+ if (aname == NULL) {
+ return NT_STATUS_ACCOUNT_DISABLED;
+ }
+
+ nt_status = dsdb_trust_search_tdo_by_type(sam_ctx,
+ SEC_CHAN_DOMAIN, aname,
+ tdo_attrs, mem_ctx, &tdo_msg);
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ return NT_STATUS_ACCOUNT_DISABLED;
+ }
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ nt_status = dsdb_trust_get_incoming_passwords(tdo_msg, mem_ctx,
+ &curNtHash,
+ &prevNtHash);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ trust_info = talloc_zero(mem_ctx, struct netr_TrustInfo);
+ if (trust_info == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ trust_info->count = 1;
+ trust_info->data = talloc_array(trust_info, uint32_t,
+ trust_info->count);
+ if (trust_info->data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ trust_info->data[0] = ldb_msg_find_attr_as_uint(tdo_msg,
+ "trustAttributes",
+ 0);
+ break;
+
+ default:
+ nt_status = samdb_result_passwords_no_lockout(mem_ctx, lp_ctx,
+ res[0],
+ NULL, &curNtHash);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ prevNtHash = talloc(mem_ctx, struct samr_Password);
+ if (prevNtHash == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ E_md4hash("", prevNtHash->hash);
+ break;
+ }
+
+ if (curNtHash != NULL) {
+ *r->out.new_owf_password = *curNtHash;
+ netlogon_creds_des_encrypt(creds, r->out.new_owf_password);
+ }
+ if (prevNtHash != NULL) {
+ *r->out.old_owf_password = *prevNtHash;
+ netlogon_creds_des_encrypt(creds, r->out.old_owf_password);
+ }
+
+ if (trust_info != NULL) {
+ *r->out.trust_info = trust_info;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/*
+ netr_Unused47
+*/
+static NTSTATUS dcesrv_netr_Unused47(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct netr_Unused47 *r)
{
DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
}
+struct netr_dnsupdate_RODC_state {
+ struct dcesrv_call_state *dce_call;
+ struct netr_DsrUpdateReadOnlyServerDnsRecords *r;
+ struct dnsupdate_RODC *r2;
+};
+
+/*
+ called when the forwarded RODC dns update request is finished
+ */
+static void netr_dnsupdate_RODC_callback(struct tevent_req *subreq)
+{
+ struct netr_dnsupdate_RODC_state *st =
+ tevent_req_callback_data(subreq,
+ struct netr_dnsupdate_RODC_state);
+ NTSTATUS status;
+
+ status = dcerpc_dnsupdate_RODC_r_recv(subreq, st->dce_call);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,(__location__ ": IRPC callback failed %s\n", nt_errstr(status)));
+ st->dce_call->fault_code = DCERPC_FAULT_CANT_PERFORM;
+ }
+
+ st->r->out.dns_names = talloc_steal(st->dce_call, st->r2->out.dns_names);
+
+ status = dcesrv_reply(st->dce_call);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,(__location__ ": dcesrv_reply() failed - %s\n", nt_errstr(status)));
+ }
+}
+
+/*
+ netr_DsrUpdateReadOnlyServerDnsRecords
+*/
+static NTSTATUS dcesrv_netr_DsrUpdateReadOnlyServerDnsRecords(struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ struct netr_DsrUpdateReadOnlyServerDnsRecords *r)
+{
+ struct netlogon_creds_CredentialState *creds;
+ NTSTATUS nt_status;
+ struct dcerpc_binding_handle *binding_handle;
+ struct netr_dnsupdate_RODC_state *st;
+ struct tevent_req *subreq;
+
+ nt_status = dcesrv_netr_creds_server_step_check(dce_call,
+ mem_ctx,
+ r->in.computer_name,
+ r->in.credential,
+ r->out.return_authenticator,
+ &creds);
+ NT_STATUS_NOT_OK_RETURN(nt_status);
+
+ if (creds->secure_channel_type != SEC_CHAN_RODC) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ st = talloc_zero(mem_ctx, struct netr_dnsupdate_RODC_state);
+ NT_STATUS_HAVE_NO_MEMORY(st);
+
+ st->dce_call = dce_call;
+ st->r = r;
+ st->r2 = talloc_zero(st, struct dnsupdate_RODC);
+ NT_STATUS_HAVE_NO_MEMORY(st->r2);
+
+ st->r2->in.dom_sid = creds->sid;
+ st->r2->in.site_name = r->in.site_name;
+ st->r2->in.dns_ttl = r->in.dns_ttl;
+ st->r2->in.dns_names = r->in.dns_names;
+ st->r2->out.dns_names = r->out.dns_names;
+
+ binding_handle = irpc_binding_handle_by_name(st, dce_call->msg_ctx,
+ "dnsupdate", &ndr_table_irpc);
+ if (binding_handle == NULL) {
+ DEBUG(0,("Failed to get binding_handle for dnsupdate task\n"));
+ dce_call->fault_code = DCERPC_FAULT_CANT_PERFORM;
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ /* forward the call */
+ subreq = dcerpc_dnsupdate_RODC_r_send(st, dce_call->event_ctx,
+ binding_handle, st->r2);
+ NT_STATUS_HAVE_NO_MEMORY(subreq);
+
+ dce_call->state_flags |= DCESRV_CALL_STATE_FLAG_ASYNC;
+
+ /* setup the callback */
+ tevent_req_set_callback(subreq, netr_dnsupdate_RODC_callback, st);
+
+ return NT_STATUS_OK;
+}
+
+
/* include the generated boilerplate */
#include "librpc/gen_ndr/ndr_netlogon_s.c"
git.samba.org / nivanova / samba-autobuild / .git / blobdiff