2 Unix SMB/CIFS implementation.
4 CLDAP server - netlogon handling
6 Copyright (C) Andrew Tridgell 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "libcli/ldap/ldap.h"
25 #include "lib/events/events.h"
26 #include "lib/socket/socket.h"
27 #include "smbd/service_task.h"
28 #include "cldap_server/cldap_server.h"
31 fill in the cldap netlogon union for a given version
33 static NTSTATUS cldapd_netlogon_fill(struct cldap_socket *cldap,
36 const char *domain_guid,
38 const char *src_address,
40 union nbt_cldap_netlogon *netlogon)
42 struct ldb_context *samctx;
43 const char *attrs[] = {"realm", "dnsDomain", "objectGUID", "name", NULL};
44 struct ldb_message **res;
46 const char **services = lp_server_services();
49 struct GUID domain_uuid;
51 const char *dns_domain;
52 const char *pdc_dns_name;
54 const char *site_name;
55 const char *site_name2;
58 samctx = samdb_connect(mem_ctx);
60 DEBUG(2,("Unable to open sam in cldap netlogon reply\n"));
61 return NT_STATUS_INTERNAL_DB_CORRUPTION;
64 /* the domain has an optional trailing . */
65 if (domain && domain[strlen(domain)-1] == '.') {
66 domain = talloc_strndup(mem_ctx, domain, strlen(domain)-1);
69 /* try and find the domain */
70 ret = gendb_search(samctx, samctx, NULL, &res, attrs,
71 "(&(objectClass=domainDNS)(|(dnsDomain=%s)(objectGUID=%s)))",
73 domain_guid?domain_guid:"");
75 DEBUG(2,("Unable to find domain '%s' in sam\n", domain));
76 return NT_STATUS_NO_SUCH_DOMAIN;
80 NBT_SERVER_PDC | NBT_SERVER_GC |
81 NBT_SERVER_DS | NBT_SERVER_TIMESERV |
82 NBT_SERVER_CLOSEST | NBT_SERVER_WRITABLE |
83 NBT_SERVER_GOOD_TIMESERV;
85 if (lp_parm_bool(-1, "gensec", "krb5", True)) {
86 server_type |= NBT_SERVER_KDC;
88 if (str_list_check(services, "ldap")) {
89 server_type |= NBT_SERVER_LDAP;
92 pdc_name = talloc_asprintf(mem_ctx, "\\\\%s", lp_netbios_name());
93 domain_uuid = samdb_result_guid(res[0], "objectGUID");
94 realm = samdb_result_string(res[0], "realm", lp_realm());
95 dns_domain = samdb_result_string(res[0], "dnsDomain", lp_realm());
96 pdc_dns_name = talloc_asprintf(mem_ctx, "%s.%s",
97 lp_netbios_name(), dns_domain);
98 flatname = samdb_result_string(res[0], "name", lp_workgroup());
99 site_name = "Default-First-Site-Name";
101 pdc_ip = iface_best_ip(src_address);
103 ZERO_STRUCTP(netlogon);
105 switch (version & 0xF) {
108 netlogon->logon1.pdc_name = pdc_name;
109 netlogon->logon1.user_name = user;
110 netlogon->logon1.domain_name = flatname;
111 netlogon->logon1.nt_version = 1;
112 netlogon->logon1.lmnt_token = 0xFFFF;
113 netlogon->logon1.lm20_token = 0xFFFF;
117 netlogon->logon2.pdc_name = pdc_name;
118 netlogon->logon2.user_name = user;
119 netlogon->logon2.domain_name = flatname;
120 netlogon->logon2.domain_uuid = domain_uuid;
121 netlogon->logon2.forest = realm;
122 netlogon->logon2.dns_domain = dns_domain;
123 netlogon->logon2.pdc_dns_name = pdc_dns_name;
124 netlogon->logon2.pdc_ip = pdc_ip;
125 netlogon->logon2.server_type = server_type;
126 netlogon->logon2.nt_version = 3;
127 netlogon->logon2.lmnt_token = 0xFFFF;
128 netlogon->logon2.lm20_token = 0xFFFF;
134 netlogon->logon3.server_type = server_type;
135 netlogon->logon3.domain_uuid = domain_uuid;
136 netlogon->logon3.forest = realm;
137 netlogon->logon3.dns_domain = dns_domain;
138 netlogon->logon3.pdc_dns_name = pdc_dns_name;
139 netlogon->logon3.domain = flatname;
140 netlogon->logon3.pdc_name = pdc_name;
141 netlogon->logon3.user_name = user;
142 netlogon->logon3.site_name = site_name;
143 netlogon->logon3.site_name2 = site_name2;
144 netlogon->logon3.nt_version = 3;
145 netlogon->logon3.lmnt_token = 0xFFFF;
146 netlogon->logon3.lm20_token = 0xFFFF;
149 netlogon->logon4.server_type = server_type;
150 netlogon->logon4.domain_uuid = domain_uuid;
151 netlogon->logon4.forest = realm;
152 netlogon->logon4.dns_domain = dns_domain;
153 netlogon->logon4.pdc_dns_name = pdc_dns_name;
154 netlogon->logon4.domain = flatname;
155 netlogon->logon4.pdc_name = lp_netbios_name();
156 netlogon->logon4.user_name = user;
157 netlogon->logon4.site_name = site_name;
158 netlogon->logon4.site_name2 = site_name2;
159 netlogon->logon4.unknown = 10;
160 netlogon->logon4.unknown2 = 2;
161 netlogon->logon4.pdc_ip = pdc_ip;
162 netlogon->logon4.nt_version = 5;
163 netlogon->logon4.lmnt_token = 0xFFFF;
164 netlogon->logon4.lm20_token = 0xFFFF;
173 handle incoming cldap requests
175 void cldapd_netlogon_request(struct cldap_socket *cldap,
178 const char *src_address, int src_port)
180 struct ldap_parse_tree *tree;
182 const char *domain = NULL;
183 const char *host = NULL;
184 const char *user = "";
185 const char *domain_guid = NULL;
186 const char *domain_sid = NULL;
187 int acct_control = -1;
189 union nbt_cldap_netlogon netlogon;
190 NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
192 TALLOC_CTX *tmp_ctx = talloc_new(cldap);
194 DEBUG(0,("cldap filter='%s'\n", filter));
196 tree = ldap_parse_filter_string(tmp_ctx, filter);
197 if (tree == NULL) goto failed;
199 if (tree->operation != LDAP_OP_AND) goto failed;
201 /* extract the query elements */
202 for (i=0;i<tree->u.list.num_elements;i++) {
203 struct ldap_parse_tree *t = tree->u.list.elements[i];
204 if (t->operation != LDAP_OP_SIMPLE) goto failed;
205 if (strcasecmp(t->u.simple.attr, "DnsDomain") == 0) {
206 domain = talloc_strndup(tmp_ctx,
207 t->u.simple.value.data,
208 t->u.simple.value.length);
210 if (strcasecmp(t->u.simple.attr, "Host") == 0) {
211 host = talloc_strndup(tmp_ctx,
212 t->u.simple.value.data,
213 t->u.simple.value.length);
215 if (strcasecmp(t->u.simple.attr, "DomainGuid") == 0) {
218 enc_status = ldap_decode_ndr_GUID(tmp_ctx,
219 t->u.simple.value, &guid);
220 if (NT_STATUS_IS_OK(enc_status)) {
221 domain_guid = GUID_string(tmp_ctx, &guid);
224 if (strcasecmp(t->u.simple.attr, "DomainSid") == 0) {
225 domain_sid = talloc_strndup(tmp_ctx,
226 t->u.simple.value.data,
227 t->u.simple.value.length);
229 if (strcasecmp(t->u.simple.attr, "User") == 0) {
230 user = talloc_strndup(tmp_ctx,
231 t->u.simple.value.data,
232 t->u.simple.value.length);
234 if (strcasecmp(t->u.simple.attr, "NtVer") == 0 &&
235 t->u.simple.value.length == 4) {
236 version = IVAL(t->u.simple.value.data, 0);
238 if (strcasecmp(t->u.simple.attr, "AAC") == 0 &&
239 t->u.simple.value.length == 4) {
240 acct_control = IVAL(t->u.simple.value.data, 0);
244 if (domain_guid == NULL && domain == NULL) {
252 DEBUG(0,("cldap netlogon query domain=%s host=%s user=%s version=%d guid=%s\n",
253 domain, host, user, version, domain_guid));
255 status = cldapd_netlogon_fill(cldap, tmp_ctx, domain, domain_guid,
258 if (!NT_STATUS_IS_OK(status)) {
262 status = cldap_netlogon_reply(cldap, message_id, src_address, src_port, version,
264 if (!NT_STATUS_IS_OK(status)) {
268 talloc_free(tmp_ctx);
272 DEBUG(0,("cldap netlogon query failed domain=%s host=%s version=%d - %s\n",
273 domain, host, version, nt_errstr(status)));
274 talloc_free(tmp_ctx);
275 cldap_empty_reply(cldap, message_id, src_address, src_port);