search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-server: Remove duplicate logic
[samba4-gss.git] / source3 / rpc_server / netlogon / srv_netlog_nt.c
blob2ba16d423e3c1d4e2c78c862e4836c276bb70acf
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997.
7 * Copyright (C) Jeremy Allison 1998-2001.
8 * Copyright (C) Andrew Bartlett 2001.
9 * Copyright (C) Guenther Deschner 2008-2009.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 */
24
25 /* This is the implementation of the netlogon pipe. */
26
27 #include "includes.h"
28 #include "system/passwd.h" /* uid_wrapper */
29 #include "ntdomain.h"
30 #include "../libcli/auth/schannel.h"
31 #include "librpc/rpc/dcesrv_core.h"
32 #include "librpc/gen_ndr/ndr_netlogon.h"
33 #include "librpc/gen_ndr/ndr_netlogon_scompat.h"
34 #include "librpc/gen_ndr/ndr_samr_c.h"
35 #include "librpc/gen_ndr/ndr_lsa_c.h"
36 #include "rpc_client/cli_lsarpc.h"
37 #include "rpc_client/init_lsa.h"
38 #include "rpc_client/init_samr.h"
39 #include "rpc_server/rpc_ncacn_np.h"
40 #include "../libcli/security/security.h"
41 #include "../libcli/security/dom_sid.h"
42 #include "librpc/gen_ndr/ndr_drsblobs.h"
43 #include "lib/crypto/md4.h"
44 #include "nsswitch/libwbclient/wbclient.h"
45 #include "../libcli/registry/util_reg.h"
46 #include "passdb.h"
47 #include "auth.h"
48 #include "messages.h"
49 #include "../lib/tsocket/tsocket.h"
50 #include "lib/param/param.h"
51 #include "libsmb/dsgetdcname.h"
52 #include "lib/util/util_str_escape.h"
53 #include "source3/lib/substitute.h"
54 #include "librpc/rpc/server/netlogon/schannel_util.h"
55
56 #undef DBGC_CLASS
57 #define DBGC_CLASS DBGC_RPC_SRV
58
59 /*************************************************************************
60 _netr_LogonControl
61 *************************************************************************/
62
63 WERROR _netr_LogonControl(struct pipes_struct *p,
64 struct netr_LogonControl *r)
65 {
66 struct netr_LogonControl2Ex l;
67
68 switch (r->in.level) {
69 case 1:
70 break;
71 case 2:
72 return WERR_NOT_SUPPORTED;
73 default:
74 return WERR_INVALID_LEVEL;
75 }
76
77 switch (r->in.function_code) {
78 case NETLOGON_CONTROL_QUERY:
79 case NETLOGON_CONTROL_REPLICATE:
80 case NETLOGON_CONTROL_SYNCHRONIZE:
81 case NETLOGON_CONTROL_PDC_REPLICATE:
82 case NETLOGON_CONTROL_BREAKPOINT:
83 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
84 case NETLOGON_CONTROL_TRUNCATE_LOG:
85 break;
86 default:
87 return WERR_NOT_SUPPORTED;
88 }
89
90 l.in.logon_server = r->in.logon_server;
91 l.in.function_code = r->in.function_code;
92 l.in.level = r->in.level;
93 l.in.data = NULL;
94 l.out.query = r->out.query;
95
96 return _netr_LogonControl2Ex(p, &l);
97 }
98
99 /*************************************************************************
100 _netr_LogonControl2
101 *************************************************************************/
102
103 WERROR _netr_LogonControl2(struct pipes_struct *p,
104 struct netr_LogonControl2 *r)
105 {
106 struct netr_LogonControl2Ex l;
107
108 l.in.logon_server = r->in.logon_server;
109 l.in.function_code = r->in.function_code;
110 l.in.level = r->in.level;
111 l.in.data = r->in.data;
112 l.out.query = r->out.query;
113
114 return _netr_LogonControl2Ex(p, &l);
115 }
116
117 /*************************************************************************
118 *************************************************************************/
119
120 static bool wb_change_trust_creds(const char *domain, WERROR *tc_status)
121 {
122 wbcErr result;
123 struct wbcAuthErrorInfo *error = NULL;
124
125 result = wbcChangeTrustCredentials(domain, &error);
126 switch (result) {
127 case WBC_ERR_WINBIND_NOT_AVAILABLE:
128 return false;
129 case WBC_ERR_DOMAIN_NOT_FOUND:
130 *tc_status = WERR_NO_SUCH_DOMAIN;
131 return true;
132 case WBC_ERR_SUCCESS:
133 *tc_status = WERR_OK;
134 return true;
135 default:
136 break;
137 }
138
139 if (error && error->nt_status != 0) {
140 *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
141 } else {
142 *tc_status = WERR_TRUST_FAILURE;
143 }
144 wbcFreeMemory(error);
145 return true;
146 }
147
148 /*************************************************************************
149 *************************************************************************/
150
151 static bool wb_check_trust_creds(const char *domain, WERROR *tc_status)
152 {
153 wbcErr result;
154 struct wbcAuthErrorInfo *error = NULL;
155
156 result = wbcCheckTrustCredentials(domain, &error);
157 switch (result) {
158 case WBC_ERR_WINBIND_NOT_AVAILABLE:
159 return false;
160 case WBC_ERR_DOMAIN_NOT_FOUND:
161 *tc_status = WERR_NO_SUCH_DOMAIN;
162 return true;
163 case WBC_ERR_SUCCESS:
164 *tc_status = WERR_OK;
165 return true;
166 default:
167 break;
168 }
169
170 if (error && error->nt_status != 0) {
171 *tc_status = ntstatus_to_werror(NT_STATUS(error->nt_status));
172 } else {
173 *tc_status = WERR_TRUST_FAILURE;
174 }
175 wbcFreeMemory(error);
176 return true;
177 }
178
179 /****************************************************************
180 _netr_LogonControl2Ex
181 ****************************************************************/
182
183 WERROR _netr_LogonControl2Ex(struct pipes_struct *p,
184 struct netr_LogonControl2Ex *r)
185 {
186 struct dcesrv_call_state *dce_call = p->dce_call;
187 struct auth_session_info *session_info =
188 dcesrv_call_session_info(dce_call);
189 uint32_t flags = 0x0;
190 WERROR pdc_connection_status = WERR_OK;
191 uint32_t logon_attempts = 0x0;
192 WERROR tc_status;
193 fstring dc_name2;
194 const char *dc_name = NULL;
195 struct sockaddr_storage dc_ss;
196 const char *domain = NULL;
197 struct netr_NETLOGON_INFO_1 *info1;
198 struct netr_NETLOGON_INFO_2 *info2;
199 struct netr_NETLOGON_INFO_3 *info3;
200 const char *fn;
201 NTSTATUS status;
202 struct netr_DsRGetDCNameInfo *dc_info;
203
204 switch (dce_call->pkt.u.request.opnum) {
205 case NDR_NETR_LOGONCONTROL:
206 fn = "_netr_LogonControl";
207 break;
208 case NDR_NETR_LOGONCONTROL2:
209 fn = "_netr_LogonControl2";
210 break;
211 case NDR_NETR_LOGONCONTROL2EX:
212 fn = "_netr_LogonControl2Ex";
213 break;
214 default:
215 return WERR_INVALID_PARAMETER;
216 }
217
218 switch (r->in.level) {
219 case 1:
220 case 2:
221 case 3:
222 case 4:
223 break;
224 default:
225 return WERR_INVALID_LEVEL;
226 }
227
228 switch (r->in.function_code) {
229 case NETLOGON_CONTROL_QUERY:
230 break;
231 default:
232 if ((geteuid() != sec_initial_uid()) &&
233 !nt_token_check_domain_rid(
234 session_info->security_token, DOMAIN_RID_ADMINS) &&
235 !nt_token_check_sid(
236 &global_sid_Builtin_Administrators,
237 session_info->security_token))
238 {
239 return WERR_ACCESS_DENIED;
240 }
241 break;
242 }
243
244 tc_status = WERR_NO_SUCH_DOMAIN;
245
246 switch (r->in.function_code) {
247 case NETLOGON_CONTROL_QUERY:
248 switch (r->in.level) {
249 case 1:
250 case 3:
251 break;
252 default:
253 return WERR_INVALID_PARAMETER;
254 }
255
256 tc_status = WERR_OK;
257 break;
258 case NETLOGON_CONTROL_REPLICATE:
259 case NETLOGON_CONTROL_SYNCHRONIZE:
260 case NETLOGON_CONTROL_PDC_REPLICATE:
261 case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
262 case NETLOGON_CONTROL_BREAKPOINT:
263 case NETLOGON_CONTROL_TRUNCATE_LOG:
264 case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
265 case NETLOGON_CONTROL_FORCE_DNS_REG:
266 return WERR_NOT_SUPPORTED;
267 case NETLOGON_CONTROL_QUERY_DNS_REG:
268 if (r->in.level != 1) {
269 return WERR_INVALID_PARAMETER;
270 }
271 return WERR_NOT_SUPPORTED;
272 case NETLOGON_CONTROL_FIND_USER:
273 if (r->in.level != 4) {
274 return WERR_INVALID_PARAMETER;
275 }
276 if (!r->in.data || !r->in.data->user) {
277 return WERR_NOT_SUPPORTED;
278 }
279 break;
280 case NETLOGON_CONTROL_SET_DBFLAG:
281 if (!r->in.data) {
282 return WERR_NOT_SUPPORTED;
283 }
284 break;
285 case NETLOGON_CONTROL_TC_VERIFY:
286 if (r->in.level != 2) {
287 return WERR_INVALID_PARAMETER;
288 }
289 if (!r->in.data || !r->in.data->domain) {
290 return WERR_NOT_SUPPORTED;
291 }
292
293 if (!wb_check_trust_creds(r->in.data->domain, &tc_status)) {
294 return WERR_NOT_SUPPORTED;
295 }
296 break;
297 case NETLOGON_CONTROL_TC_QUERY:
298 if (!r->in.data || !r->in.data->domain) {
299 return WERR_NOT_SUPPORTED;
300 }
301
302 domain = r->in.data->domain;
303
304 if (!is_trusted_domain(domain)) {
305 break;
306 }
307
308 if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
309 tc_status = WERR_NO_LOGON_SERVERS;
310 break;
311 }
312
313 dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
314 if (!dc_name) {
315 return WERR_NOT_ENOUGH_MEMORY;
316 }
317
318 tc_status = WERR_OK;
319
320 break;
321
322 case NETLOGON_CONTROL_REDISCOVER:
323 if (!r->in.data || !r->in.data->domain) {
324 return WERR_NOT_SUPPORTED;
325 }
326
327 domain = r->in.data->domain;
328
329 if (!is_trusted_domain(domain)) {
330 break;
331 }
332
333 status = dsgetdcname(p->mem_ctx, p->msg_ctx, domain, NULL, NULL,
334 DS_FORCE_REDISCOVERY | DS_RETURN_FLAT_NAME,
335 &dc_info);
336 if (!NT_STATUS_IS_OK(status)) {
337 tc_status = WERR_NO_LOGON_SERVERS;
338 break;
339 }
340
341 dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_info->dc_unc);
342 if (!dc_name) {
343 return WERR_NOT_ENOUGH_MEMORY;
344 }
345
346 tc_status = WERR_OK;
347
348 break;
349
350 case NETLOGON_CONTROL_CHANGE_PASSWORD:
351 if (!r->in.data || !r->in.data->domain) {
352 return WERR_NOT_SUPPORTED;
353 }
354
355 if (!wb_change_trust_creds(r->in.data->domain, &tc_status)) {
356 return WERR_NOT_SUPPORTED;
357 }
358 break;
359
360 default:
361 /* no idea what this should be */
362 DEBUG(0,("%s: unimplemented function level [%d]\n",
363 fn, r->in.function_code));
364 return WERR_NOT_SUPPORTED;
365 }
366
367 /* prepare the response */
368
369 switch (r->in.level) {
370 case 1:
371 info1 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_1);
372 W_ERROR_HAVE_NO_MEMORY(info1);
373
374 info1->flags = flags;
375 info1->pdc_connection_status = pdc_connection_status;
376
377 r->out.query->info1 = info1;
378 break;
379 case 2:
380 if (r->in.function_code != NETLOGON_CONTROL_REDISCOVER &&
381 r->in.function_code != NETLOGON_CONTROL_TC_QUERY &&
382 r->in.function_code != NETLOGON_CONTROL_TC_VERIFY)
383 {
384 return WERR_INVALID_PARAMETER;
385 }
386 info2 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_2);
387 W_ERROR_HAVE_NO_MEMORY(info2);
388
389 info2->flags = flags;
390 info2->pdc_connection_status = pdc_connection_status;
391 info2->trusted_dc_name = dc_name;
392 info2->tc_connection_status = tc_status;
393
394 r->out.query->info2 = info2;
395 break;
396 case 3:
397 info3 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_3);
398 W_ERROR_HAVE_NO_MEMORY(info3);
399
400 info3->flags = flags;
401 info3->logon_attempts = logon_attempts;
402
403 r->out.query->info3 = info3;
404 break;
405 case 4:
406 if (r->in.function_code != NETLOGON_CONTROL_FIND_USER) {
407 return WERR_INVALID_PARAMETER;
408 }
409 return WERR_NOT_SUPPORTED;
410 default:
411 return WERR_INVALID_LEVEL;
412 }
413
414 return WERR_OK;
415 }
416
417 /*************************************************************************
418 _netr_NetrEnumerateTrustedDomains
419 *************************************************************************/
420
421 NTSTATUS _netr_NetrEnumerateTrustedDomains(struct pipes_struct *p,
422 struct netr_NetrEnumerateTrustedDomains *r)
423 {
424 struct dcesrv_call_state *dce_call = p->dce_call;
425 struct dcesrv_connection *dcesrv_conn = dce_call->conn;
426 const struct tsocket_address *local_address =
427 dcesrv_connection_get_local_address(dcesrv_conn);
428 const struct tsocket_address *remote_address =
429 dcesrv_connection_get_remote_address(dcesrv_conn);
430 struct auth_session_info *session_info =
431 dcesrv_call_session_info(dce_call);
432 NTSTATUS status;
433 NTSTATUS result = NT_STATUS_OK;
434 DATA_BLOB blob;
435 size_t num_domains = 0;
436 const char **trusted_domains = NULL;
437 struct lsa_DomainList domain_list;
438 struct dcerpc_binding_handle *h = NULL;
439 struct policy_handle pol;
440 uint32_t enum_ctx = 0;
441 uint32_t max_size = (uint32_t)-1;
442 union lsa_revision_info out_revision_info = {
443 .info1 = {
444 .revision = 0,
445 },
446 };
447 uint32_t out_version = 0;
448
449 ZERO_STRUCT(pol);
450 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
451
452 status = rpcint_binding_handle(p->mem_ctx,
453 &ndr_table_lsarpc,
454 remote_address,
455 local_address,
456 session_info,
457 p->msg_ctx,
458 &h);
459 if (!NT_STATUS_IS_OK(status)) {
460 return status;
461 }
462
463 status = dcerpc_lsa_open_policy_fallback(
464 h,
465 p->mem_ctx,
466 NULL,
467 true,
468 LSA_POLICY_VIEW_LOCAL_INFORMATION,
469 &out_version,
470 &out_revision_info,
471 &pol,
472 &result);
473 if (any_nt_status_not_ok(status, result, &status)) {
474 goto out;
475 }
476
477 do {
478 uint32_t i;
479
480 /* Lookup list of trusted domains */
481 status = dcerpc_lsa_EnumTrustDom(h,
482 p->mem_ctx,
483 &pol,
484 &enum_ctx,
485 &domain_list,
486 max_size,
487 &result);
488 if (!NT_STATUS_IS_OK(status)) {
489 goto out;
490 }
491 if (!NT_STATUS_IS_OK(result) &&
492 !NT_STATUS_EQUAL(result, NT_STATUS_NO_MORE_ENTRIES) &&
493 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
494 status = result;
495 goto out;
496 }
497
498 for (i = 0; i < domain_list.count; i++) {
499 if (!add_string_to_array(p->mem_ctx, domain_list.domains[i].name.string,
500 &trusted_domains, &num_domains)) {
501 status = NT_STATUS_NO_MEMORY;
502 goto out;
503 }
504 }
505 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
506
507 if (num_domains > 0) {
508 /* multi sz terminate */
509 trusted_domains = talloc_realloc(p->mem_ctx, trusted_domains, const char *, num_domains + 1);
510 if (trusted_domains == NULL) {
511 status = NT_STATUS_NO_MEMORY;
512 goto out;
513 }
514
515 trusted_domains[num_domains] = NULL;
516 }
517
518 if (!push_reg_multi_sz(trusted_domains, &blob, trusted_domains)) {
519 TALLOC_FREE(trusted_domains);
520 status = NT_STATUS_NO_MEMORY;
521 goto out;
522 }
523
524 r->out.trusted_domains_blob->data = blob.data;
525 r->out.trusted_domains_blob->length = blob.length;
526
527 DEBUG(6,("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));
528
529 status = NT_STATUS_OK;
530
531 out:
532 if (is_valid_policy_hnd(&pol)) {
533 dcerpc_lsa_Close(h, p->mem_ctx, &pol, &result);
534 }
535
536 return status;
537 }
538
539 /*************************************************************************
540 *************************************************************************/
541
542 static NTSTATUS samr_find_machine_account(TALLOC_CTX *mem_ctx,
543 struct dcerpc_binding_handle *b,
544 const char *account_name,
545 uint32_t access_mask,
546 struct dom_sid2 **domain_sid_p,
547 uint32_t *user_rid_p,
548 struct policy_handle *user_handle)
549 {
550 NTSTATUS status;
551 NTSTATUS result = NT_STATUS_OK;
552 struct policy_handle connect_handle;
553 struct policy_handle domain_handle = { 0, };
554 struct lsa_String domain_name;
555 struct dom_sid2 *domain_sid;
556 struct lsa_String names;
557 struct samr_Ids rids;
558 struct samr_Ids types;
559 uint32_t rid;
560
561 status = dcerpc_samr_Connect2(b, mem_ctx,
562 lp_netbios_name(),
563 SAMR_ACCESS_CONNECT_TO_SERVER |
564 SAMR_ACCESS_ENUM_DOMAINS |
565 SAMR_ACCESS_LOOKUP_DOMAIN,
566 &connect_handle,
567 &result);
568 if (any_nt_status_not_ok(status, result, &status)) {
569 goto out;
570 }
571
572 init_lsa_String(&domain_name, get_global_sam_name());
573
574 status = dcerpc_samr_LookupDomain(b, mem_ctx,
575 &connect_handle,
576 &domain_name,
577 &domain_sid,
578 &result);
579 if (any_nt_status_not_ok(status, result, &status)) {
580 goto out;
581 }
582
583 status = dcerpc_samr_OpenDomain(b, mem_ctx,
584 &connect_handle,
585 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
586 domain_sid,
587 &domain_handle,
588 &result);
589 if (any_nt_status_not_ok(status, result, &status)) {
590 goto out;
591 }
592
593 init_lsa_String(&names, account_name);
594
595 status = dcerpc_samr_LookupNames(b, mem_ctx,
596 &domain_handle,
597 1,
598 &names,
599 &rids,
600 &types,
601 &result);
602 if (any_nt_status_not_ok(status, result, &status)) {
603 goto out;
604 }
605
606 if (rids.count != 1) {
607 status = NT_STATUS_NO_SUCH_USER;
608 goto out;
609 }
610 if (types.count != 1) {
611 status = NT_STATUS_INVALID_PARAMETER;
612 goto out;
613 }
614 if (types.ids[0] != SID_NAME_USER) {
615 status = NT_STATUS_NO_SUCH_USER;
616 goto out;
617 }
618
619 rid = rids.ids[0];
620
621 status = dcerpc_samr_OpenUser(b, mem_ctx,
622 &domain_handle,
623 access_mask,
624 rid,
625 user_handle,
626 &result);
627 if (any_nt_status_not_ok(status, result, &status)) {
628 goto out;
629 }
630
631 if (user_rid_p) {
632 *user_rid_p = rid;
633 }
634
635 if (domain_sid_p) {
636 *domain_sid_p = domain_sid;
637 }
638
639 out:
640 if (is_valid_policy_hnd(&domain_handle)) {
641 dcerpc_samr_Close(b, mem_ctx, &domain_handle, &result);
642 }
643 if (is_valid_policy_hnd(&connect_handle)) {
644 dcerpc_samr_Close(b, mem_ctx, &connect_handle, &result);
645 }
646
647 return status;
648 }
649
650 /******************************************************************
651 gets a machine password entry. checks access rights of the host.
652 ******************************************************************/
653
654 static NTSTATUS get_md4pw(struct samr_Password *md4pw, const char *mach_acct,
655 enum netr_SchannelType sec_chan_type,
656 struct dom_sid *sid,
657 struct messaging_context *msg_ctx)
658 {
659 NTSTATUS status;
660 NTSTATUS result = NT_STATUS_OK;
661 TALLOC_CTX *mem_ctx = NULL;
662 struct dcerpc_binding_handle *h = NULL;
663 struct tsocket_address *local = NULL;
664 struct policy_handle user_handle = { .handle_type = 0 };
665 uint32_t user_rid = UINT32_MAX;
666 struct dom_sid *domain_sid = NULL;
667 uint32_t acct_ctrl = 0;
668 union samr_UserInfo *info = NULL;
669 struct auth_session_info *session_info = NULL;
670 int rc;
671
672 #if 0
673
674 /*
675 * Currently this code is redundant as we already have a filter
676 * by hostname list. What this code really needs to do is to
677 * get a hosts allowed/hosts denied list from the SAM database
678 * on a per user basis, and make the access decision there.
679 * I will leave this code here for now as a reminder to implement
680 * this at a later date. JRA.
681 */
682
683 if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
684 p->client_id.name,
685 p->client_id.addr)) {
686 DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct));
687 return False;
688 }
689 #endif /* 0 */
690
691 mem_ctx = talloc_stackframe();
692
693 status = make_session_info_system(mem_ctx, &session_info);
694 if (!NT_STATUS_IS_OK(status)) {
695 goto out;
696 }
697
698 ZERO_STRUCT(user_handle);
699
700 rc = tsocket_address_inet_from_strings(mem_ctx,
701 "ip",
702 "127.0.0.1",
703 0,
704 &local);
705 if (rc < 0) {
706 status = NT_STATUS_NO_MEMORY;
707 goto out;
708 }
709
710 status = rpcint_binding_handle(mem_ctx,
711 &ndr_table_samr,
712 local,
713 NULL,
714 session_info,
715 msg_ctx,
716 &h);
717 if (!NT_STATUS_IS_OK(status)) {
718 goto out;
719 }
720
721 status = samr_find_machine_account(mem_ctx, h, mach_acct,
722 SEC_FLAG_MAXIMUM_ALLOWED,
723 &domain_sid, &user_rid,
724 &user_handle);
725 if (!NT_STATUS_IS_OK(status)) {
726 goto out;
727 }
728
729 status = dcerpc_samr_QueryUserInfo2(h,
730 mem_ctx,
731 &user_handle,
732 UserControlInformation,
733 &info,
734 &result);
735 if (any_nt_status_not_ok(status, result, &status)) {
736 goto out;
737 }
738
739 acct_ctrl = info->info16.acct_flags;
740
741 if (acct_ctrl & ACB_DISABLED) {
742 DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct));
743 status = NT_STATUS_ACCOUNT_DISABLED;
744 goto out;
745 }
746
747 if (!(acct_ctrl & ACB_SVRTRUST) &&
748 !(acct_ctrl & ACB_WSTRUST) &&
749 !(acct_ctrl & ACB_DOMTRUST))
750 {
751 DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct));
752 status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
753 goto out;
754 }
755
756 switch (sec_chan_type) {
757 case SEC_CHAN_BDC:
758 if (!(acct_ctrl & ACB_SVRTRUST)) {
759 DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
760 "but not a server trust account\n", mach_acct));
761 status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
762 goto out;
763 }
764 break;
765 case SEC_CHAN_WKSTA:
766 if (!(acct_ctrl & ACB_WSTRUST)) {
767 DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
768 "but not a workstation trust account\n", mach_acct));
769 status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
770 goto out;
771 }
772 break;
773 case SEC_CHAN_DOMAIN:
774 if (!(acct_ctrl & ACB_DOMTRUST)) {
775 DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
776 "but not a interdomain trust account\n", mach_acct));
777 status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
778 goto out;
779 }
780 break;
781 default:
782 break;
783 }
784
785 become_root();
786 status = dcerpc_samr_QueryUserInfo2(h,
787 mem_ctx,
788 &user_handle,
789 UserInternal1Information,
790 &info,
791 &result);
792 unbecome_root();
793 if (any_nt_status_not_ok(status, result, &status)) {
794 goto out;
795 }
796
797 if (info->info18.nt_pwd_active == 0) {
798 DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct));
799 status = NT_STATUS_LOGON_FAILURE;
800 goto out;
801 }
802
803 /* samr gives out nthash unencrypted (!) */
804 memcpy(md4pw->hash, info->info18.nt_pwd.hash, 16);
805
806 sid_compose(sid, domain_sid, user_rid);
807
808 out:
809 if (h && is_valid_policy_hnd(&user_handle)) {
810 dcerpc_samr_Close(h, mem_ctx, &user_handle, &result);
811 }
812
813 talloc_free(mem_ctx);
814
815 return status;
816 }
817
818 /*************************************************************************
819 _netr_ServerReqChallenge
820 *************************************************************************/
821
822 NTSTATUS _netr_ServerReqChallenge(struct pipes_struct *p,
823 struct netr_ServerReqChallenge *r)
824 {
825 struct dcesrv_call_state *dce_call = p->dce_call;
826 struct netlogon_server_pipe_state *pipe_state = NULL;
827 NTSTATUS status;
828
829 pipe_state = dcesrv_iface_state_find_conn(
830 dce_call,
831 NETLOGON_SERVER_PIPE_STATE_MAGIC,
832 struct netlogon_server_pipe_state);
833
834 if (pipe_state) {
835 DEBUG(10,("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));
836 talloc_free(pipe_state);
837 }
838
839 pipe_state = talloc(p->mem_ctx, struct netlogon_server_pipe_state);
840 NT_STATUS_HAVE_NO_MEMORY(pipe_state);
841
842 pipe_state->client_challenge = *r->in.credentials;
843
844 netlogon_creds_random_challenge(&pipe_state->server_challenge);
845
846 *r->out.return_credentials = pipe_state->server_challenge;
847
848 status = dcesrv_iface_state_store_conn(
849 dce_call,
850 NETLOGON_SERVER_PIPE_STATE_MAGIC,
851 pipe_state);
852 if (!NT_STATUS_IS_OK(status)) {
853 return status;
854 }
855
856 return NT_STATUS_OK;
857 }
858
859 /*************************************************************************
860 _netr_ServerAuthenticate
861 Create the initial credentials.
862 *************************************************************************/
863
864 NTSTATUS _netr_ServerAuthenticate(struct pipes_struct *p,
865 struct netr_ServerAuthenticate *r)
866 {
867 struct netr_ServerAuthenticate3 a;
868 uint32_t negotiate_flags = 0;
869 uint32_t rid;
870
871 a.in.server_name = r->in.server_name;
872 a.in.account_name = r->in.account_name;
873 a.in.secure_channel_type = r->in.secure_channel_type;
874 a.in.computer_name = r->in.computer_name;
875 a.in.credentials = r->in.credentials;
876 a.in.negotiate_flags = &negotiate_flags;
877
878 a.out.return_credentials = r->out.return_credentials;
879 a.out.rid = &rid;
880 a.out.negotiate_flags = &negotiate_flags;
881
882 return _netr_ServerAuthenticate3(p, &a);
883
884 }
885
886 /*************************************************************************
887 _netr_ServerAuthenticate3
888 *************************************************************************/
889
890 NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
891 struct netr_ServerAuthenticate3 *r)
892 {
893 struct dcesrv_call_state *dce_call = p->dce_call;
894 NTSTATUS status;
895 uint32_t srv_flgs;
896 /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
897 * so use a copy to avoid destroying the client values. */
898 uint32_t in_neg_flags = *r->in.negotiate_flags;
899 uint32_t neg_flags = 0;
900 const char *fn;
901 struct loadparm_context *lp_ctx = p->dce_call->conn->dce_ctx->lp_ctx;
902 struct dom_sid sid;
903 struct samr_Password mach_pwd;
904 struct netlogon_creds_CredentialState *creds;
905 struct netlogon_server_pipe_state *pipe_state = NULL;
906
907 /* According to Microsoft (see bugid #6099)
908 * Windows 7 looks at the negotiate_flags
909 * returned in this structure *even if the
910 * call fails with access denied* ! So in order
911 * to allow Win7 to connect to a Samba NT style
912 * PDC we set the flags before we know if it's
913 * an error or not.
914 */
915
916 srv_flgs = NETLOGON_NEG_ACCOUNT_LOCKOUT |
917 NETLOGON_NEG_PERSISTENT_SAMREPL |
918 NETLOGON_NEG_ARCFOUR |
919 NETLOGON_NEG_PROMOTION_COUNT |
920 NETLOGON_NEG_CHANGELOG_BDC |
921 NETLOGON_NEG_FULL_SYNC_REPL |
922 NETLOGON_NEG_MULTIPLE_SIDS |
923 NETLOGON_NEG_REDO |
924 NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
925 NETLOGON_NEG_PASSWORD_SET2 |
926 NETLOGON_NEG_STRONG_KEYS |
927 NETLOGON_NEG_SUPPORTS_AES |
928 NETLOGON_NEG_SCHANNEL;
929
930 /*
931 * With SAMBA_WEAK_CRYPTO_DISALLOWED we will return DOWNGRADE_DETECTED
932 * with negotiate_flags = 0 below, if NETLOGON_NEG_SUPPORTS_AES was not
933 * negotiated...
934 *
935 * And if NETLOGON_NEG_SUPPORTS_AES was negotiated there's no harm in
936 * returning the NETLOGON_NEG_ARCFOUR flag too...
937 *
938 * So there's no reason to remove NETLOGON_NEG_ARCFOUR nor
939 * NETLOGON_NEG_STRONG_KEYS from srv_flgs...
940 */
941
942 /*
943 * Support authentication of trusted domains.
944 *
945 * These flags are the minimum required set which works with win2k3
946 * and win2k8.
947 */
948 if (pdb_capabilities() & PDB_CAP_TRUSTED_DOMAINS_EX) {
949 srv_flgs |= NETLOGON_NEG_TRANSITIVE_TRUSTS |
950 NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
951 NETLOGON_NEG_CROSS_FOREST_TRUSTS |
952 NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
953 }
954
955 neg_flags = in_neg_flags & srv_flgs;
956
957 switch (dce_call->pkt.u.request.opnum) {
958 case NDR_NETR_SERVERAUTHENTICATE:
959 fn = "_netr_ServerAuthenticate";
960 break;
961 case NDR_NETR_SERVERAUTHENTICATE2:
962 fn = "_netr_ServerAuthenticate2";
963 break;
964 case NDR_NETR_SERVERAUTHENTICATE3:
965 fn = "_netr_ServerAuthenticate3";
966 break;
967 default:
968 return NT_STATUS_INTERNAL_ERROR;
969 }
970
971 if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
972 if (!(neg_flags & NETLOGON_NEG_SUPPORTS_AES)) {
973 DBG_NOTICE("%s: no AES support negotiated from client %s\n",
974 fn, r->in.computer_name);
975 /*
976 * Here we match Windows 2012 and return no flags.
977 */
978 neg_flags = 0;
979 status = NT_STATUS_DOWNGRADE_DETECTED;
980 goto out;
981 }
982 }
983
984 /* We use this as the key to store the creds: */
985 /* r->in.computer_name */
986
987 pipe_state = dcesrv_iface_state_find_conn(
988 dce_call,
989 NETLOGON_SERVER_PIPE_STATE_MAGIC,
990 struct netlogon_server_pipe_state);
991
992 if (!pipe_state) {
993 DEBUG(0,("%s: no challenge sent to client %s\n", fn,
994 r->in.computer_name));
995 status = NT_STATUS_ACCESS_DENIED;
996 goto out;
997 }
998
999 status = get_md4pw(&mach_pwd,
1000 r->in.account_name,
1001 r->in.secure_channel_type,
1002 &sid, p->msg_ctx);
1003 if (!NT_STATUS_IS_OK(status)) {
1004 DEBUG(0,("%s: failed to get machine password for "
1005 "account %s: %s\n",
1006 fn, r->in.account_name, nt_errstr(status) ));
1007 /* always return NT_STATUS_ACCESS_DENIED */
1008 status = NT_STATUS_ACCESS_DENIED;
1009 goto out;
1010 }
1011
1012 /* From the client / server challenges and md4 password, generate sess key */
1013 /* Check client credentials are valid. */
1014 creds = netlogon_creds_server_init(p->mem_ctx,
1015 r->in.account_name,
1016 r->in.computer_name,
1017 r->in.secure_channel_type,
1018 &pipe_state->client_challenge,
1019 &pipe_state->server_challenge,
1020 &mach_pwd,
1021 r->in.credentials,
1022 r->out.return_credentials,
1023 in_neg_flags,
1024 &sid,
1025 neg_flags);
1026 if (!creds) {
1027 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
1028 "request from client %s machine account %s\n",
1029 fn, r->in.computer_name,
1030 r->in.account_name));
1031 status = NT_STATUS_ACCESS_DENIED;
1032 goto out;
1033 }
1034
1035 /* Store off the state so we can continue after client disconnect. */
1036 become_root();
1037 status = schannel_save_creds_state(p->mem_ctx, lp_ctx, creds);
1038 unbecome_root();
1039
1040 if (!NT_STATUS_IS_OK(status)) {
1041 ZERO_STRUCTP(r->out.return_credentials);
1042 goto out;
1043 }
1044
1045 sid_peek_rid(&sid, r->out.rid);
1046
1047 status = NT_STATUS_OK;
1048
1049 out:
1050
1051 *r->out.negotiate_flags = neg_flags;
1052 return status;
1053 }
1054
1055 /*************************************************************************
1056 _netr_ServerAuthenticate2
1057 *************************************************************************/
1058
1059 NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p,
1060 struct netr_ServerAuthenticate2 *r)
1061 {
1062 struct netr_ServerAuthenticate3 a;
1063 uint32_t rid;
1064
1065 a.in.server_name = r->in.server_name;
1066 a.in.account_name = r->in.account_name;
1067 a.in.secure_channel_type = r->in.secure_channel_type;
1068 a.in.computer_name = r->in.computer_name;
1069 a.in.credentials = r->in.credentials;
1070 a.in.negotiate_flags = r->in.negotiate_flags;
1071
1072 a.out.return_credentials = r->out.return_credentials;
1073 a.out.rid = &rid;
1074 a.out.negotiate_flags = r->out.negotiate_flags;
1075
1076 return _netr_ServerAuthenticate3(p, &a);
1077 }
1078
1079 /*************************************************************************
1080 *************************************************************************/
1081
1082 static NTSTATUS samr_open_machine_account(
1083 struct dcerpc_binding_handle *b,
1084 const struct dom_sid *machine_sid,
1085 uint32_t access_mask,
1086 struct policy_handle *machine_handle)
1087 {
1088 TALLOC_CTX *frame = talloc_stackframe();
1089 struct policy_handle connect_handle = { .handle_type = 0 };
1090 struct policy_handle domain_handle = { .handle_type = 0 };
1091 struct dom_sid domain_sid = *machine_sid;
1092 uint32_t machine_rid;
1093 NTSTATUS result = NT_STATUS_OK;
1094 NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
1095 bool ok;
1096
1097 ok = sid_split_rid(&domain_sid, &machine_rid);
1098 if (!ok) {
1099 goto out;
1100 }
1101
1102 status = dcerpc_samr_Connect2(
1103 b,
1104 frame,
1105 lp_netbios_name(),
1106 SAMR_ACCESS_CONNECT_TO_SERVER |
1107 SAMR_ACCESS_ENUM_DOMAINS |
1108 SAMR_ACCESS_LOOKUP_DOMAIN,
1109 &connect_handle,
1110 &result);
1111 if (any_nt_status_not_ok(status, result, &status)) {
1112 goto out;
1113 }
1114
1115 status = dcerpc_samr_OpenDomain(
1116 b,
1117 frame,
1118 &connect_handle,
1119 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
1120 &domain_sid,
1121 &domain_handle,
1122 &result);
1123 if (any_nt_status_not_ok(status, result, &status)) {
1124 goto out;
1125 }
1126
1127 status = dcerpc_samr_OpenUser(
1128 b,
1129 frame,
1130 &domain_handle,
1131 SEC_FLAG_MAXIMUM_ALLOWED,
1132 machine_rid,
1133 machine_handle,
1134 &result);
1135 if (any_nt_status_not_ok(status, result, &status)) {
1136 goto out;
1137 }
1138
1139 out:
1140 if ((b != NULL) && is_valid_policy_hnd(&domain_handle)) {
1141 dcerpc_samr_Close(b, frame, &domain_handle, &result);
1142 }
1143 if ((b != NULL) && is_valid_policy_hnd(&connect_handle)) {
1144 dcerpc_samr_Close(b, frame, &connect_handle, &result);
1145 }
1146 TALLOC_FREE(frame);
1147 return status;
1148 }
1149
1150 struct _samr_Credentials_t {
1151 enum {
1152 CRED_TYPE_NT_HASH,
1153 CRED_TYPE_PLAIN_TEXT,
1154 } cred_type;
1155 union {
1156 struct samr_Password *nt_hash;
1157 const char *password;
1158 } creds;
1159 };
1160
1161
1162 static NTSTATUS netr_set_machine_account_password(
1163 TALLOC_CTX *mem_ctx,
1164 struct auth_session_info *session_info,
1165 struct messaging_context *msg_ctx,
1166 const struct dom_sid *machine_sid,
1167 struct _samr_Credentials_t *cr)
1168 {
1169 NTSTATUS status;
1170 NTSTATUS result = NT_STATUS_OK;
1171 struct dcerpc_binding_handle *h = NULL;
1172 struct tsocket_address *local;
1173 struct policy_handle user_handle = { .handle_type = 0 };
1174 uint32_t acct_ctrl;
1175 union samr_UserInfo *info;
1176 struct samr_UserInfo18 info18;
1177 struct samr_UserInfo26 info26;
1178 DATA_BLOB in,out;
1179 int rc;
1180 DATA_BLOB session_key;
1181 enum samr_UserInfoLevel infolevel;
1182 TALLOC_CTX *frame = talloc_stackframe();
1183
1184 status = session_extract_session_key(session_info,
1185 &session_key,
1186 KEY_USE_16BYTES);
1187 if (!NT_STATUS_IS_OK(status)) {
1188 goto out;
1189 }
1190
1191 rc = tsocket_address_inet_from_strings(frame,
1192 "ip",
1193 "127.0.0.1",
1194 0,
1195 &local);
1196 if (rc < 0) {
1197 status = NT_STATUS_NO_MEMORY;
1198 goto out;
1199 }
1200
1201 status = rpcint_binding_handle(frame,
1202 &ndr_table_samr,
1203 local,
1204 NULL,
1205 get_session_info_system(),
1206 msg_ctx,
1207 &h);
1208 if (!NT_STATUS_IS_OK(status)) {
1209 goto out;
1210 }
1211
1212 status = samr_open_machine_account(
1213 h, machine_sid, SEC_FLAG_MAXIMUM_ALLOWED, &user_handle);
1214 if (!NT_STATUS_IS_OK(status)) {
1215 goto out;
1216 }
1217
1218 status = dcerpc_samr_QueryUserInfo2(h,
1219 frame,
1220 &user_handle,
1221 UserControlInformation,
1222 &info,
1223 &result);
1224 if (any_nt_status_not_ok(status, result, &status)) {
1225 goto out;
1226 }
1227
1228 acct_ctrl = info->info16.acct_flags;
1229
1230 if (!(acct_ctrl & ACB_WSTRUST ||
1231 acct_ctrl & ACB_SVRTRUST ||
1232 acct_ctrl & ACB_DOMTRUST)) {
1233 status = NT_STATUS_NO_SUCH_USER;
1234 goto out;
1235 }
1236
1237 if (acct_ctrl & ACB_DISABLED) {
1238 status = NT_STATUS_ACCOUNT_DISABLED;
1239 goto out;
1240 }
1241
1242 switch(cr->cred_type) {
1243 case CRED_TYPE_NT_HASH:
1244 ZERO_STRUCT(info18);
1245
1246 infolevel = UserInternal1Information;
1247
1248 in = data_blob_const(cr->creds.nt_hash, 16);
1249 out = data_blob_talloc_zero(frame, 16);
1250 if (out.data == NULL) {
1251 status = NT_STATUS_NO_MEMORY;
1252 goto out;
1253 }
1254 rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_ENCRYPT);
1255 if (rc != 0) {
1256 status = gnutls_error_to_ntstatus(rc,
1257 NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
1258 goto out;
1259 }
1260 memcpy(info18.nt_pwd.hash, out.data, out.length);
1261
1262 info18.nt_pwd_active = true;
1263
1264 info->info18 = info18;
1265 break;
1266 case CRED_TYPE_PLAIN_TEXT:
1267 ZERO_STRUCT(info26);
1268
1269 infolevel = UserInternal5InformationNew;
1270
1271 status = init_samr_CryptPasswordEx(cr->creds.password,
1272 &session_key,
1273 &info26.password);
1274 if (!NT_STATUS_IS_OK(status)) {
1275 goto out;
1276 }
1277
1278 info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
1279 info->info26 = info26;
1280 break;
1281 default:
1282 status = NT_STATUS_INTERNAL_ERROR;
1283 goto out;
1284 break;
1285 }
1286
1287 status = dcerpc_samr_SetUserInfo2(h,
1288 frame,
1289 &user_handle,
1290 infolevel,
1291 info,
1292 &result);
1293 if (any_nt_status_not_ok(status, result, &status)) {
1294 goto out;
1295 }
1296
1297 out:
1298 if (h && is_valid_policy_hnd(&user_handle)) {
1299 dcerpc_samr_Close(h, frame, &user_handle, &result);
1300 }
1301 TALLOC_FREE(frame);
1302
1303 return status;
1304 }
1305
1306 /*************************************************************************
1307 _netr_ServerPasswordSet
1308 *************************************************************************/
1309
1310 NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
1311 struct netr_ServerPasswordSet *r)
1312 {
1313 struct dcesrv_call_state *dce_call = p->dce_call;
1314 struct auth_session_info *session_info =
1315 dcesrv_call_session_info(dce_call);
1316 NTSTATUS status = NT_STATUS_OK;
1317 size_t i;
1318 struct netlogon_creds_CredentialState *creds = NULL;
1319 struct _samr_Credentials_t cr = { CRED_TYPE_NT_HASH, {0}};
1320 const struct dom_sid *client_sid = NULL;
1321 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1322 enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
1323
1324 dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
1325
1326 DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
1327
1328 become_root();
1329 status = dcesrv_netr_creds_server_step_check(p->dce_call,
1330 p->mem_ctx,
1331 r->in.computer_name,
1332 r->in.credential,
1333 r->out.return_authenticator,
1334 &creds);
1335 unbecome_root();
1336
1337 if (!NT_STATUS_IS_OK(status)) {
1338 const char *computer_name = "<unknown>";
1339
1340 if (creds != NULL && creds->computer_name != NULL) {
1341 computer_name = creds->computer_name;
1342 }
1343 DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
1344 "request from client %s machine account %s\n",
1345 r->in.computer_name, computer_name));
1346 TALLOC_FREE(creds);
1347 return status;
1348 }
1349 client_sid = &creds->ex->client_sid;
1350
1351 DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
1352 r->in.computer_name, creds->computer_name));
1353
1354 status = netlogon_creds_decrypt_samr_Password(creds,
1355 r->in.new_password,
1356 auth_type,
1357 auth_level);
1358 if (!NT_STATUS_IS_OK(status)) {
1359 return status;
1360 }
1361
1362 DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
1363 for(i = 0; i < sizeof(r->in.new_password->hash); i++)
1364 DEBUG(100,("%02X ", r->in.new_password->hash[i]));
1365 DEBUG(100,("\n"));
1366
1367 cr.creds.nt_hash = r->in.new_password;
1368 status = netr_set_machine_account_password(p->mem_ctx,
1369 session_info,
1370 p->msg_ctx,
1371 client_sid,
1372 &cr);
1373 return status;
1374 }
1375
1376 /****************************************************************
1377 _netr_ServerPasswordSet2
1378 ****************************************************************/
1379
1380 NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
1381 struct netr_ServerPasswordSet2 *r)
1382 {
1383 struct dcesrv_call_state *dce_call = p->dce_call;
1384 struct auth_session_info *session_info =
1385 dcesrv_call_session_info(dce_call);
1386 NTSTATUS status;
1387 struct netlogon_creds_CredentialState *creds = NULL;
1388 const struct dom_sid *client_sid = NULL;
1389 DATA_BLOB plaintext = data_blob_null;
1390 DATA_BLOB new_password = data_blob_null;
1391 size_t confounder_len;
1392 DATA_BLOB dec_blob = data_blob_null;
1393 DATA_BLOB enc_blob = data_blob_null;
1394 struct samr_CryptPassword password_buf;
1395 struct _samr_Credentials_t cr = { CRED_TYPE_PLAIN_TEXT, {0}};
1396 bool ok;
1397 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1398 enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
1399
1400 dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
1401
1402 become_root();
1403 status = dcesrv_netr_creds_server_step_check(p->dce_call,
1404 p->mem_ctx,
1405 r->in.computer_name,
1406 r->in.credential,
1407 r->out.return_authenticator,
1408 &creds);
1409 unbecome_root();
1410
1411 if (!NT_STATUS_IS_OK(status)) {
1412 DBG_NOTICE("netlogon_creds_server_step failed. "
1413 "Rejecting auth request from client %s\n",
1414 r->in.computer_name);
1415 TALLOC_FREE(creds);
1416 return status;
1417 }
1418 client_sid = &creds->ex->client_sid;
1419
1420 DBG_NOTICE("Server Password Set2 by remote "
1421 "machine:[%s] on account [%s]\n",
1422 r->in.computer_name,
1423 creds->computer_name != NULL ?
1424 creds->computer_name : "<unknown>");
1425
1426 memcpy(password_buf.data, r->in.new_password->data, 512);
1427 SIVAL(password_buf.data, 512, r->in.new_password->length);
1428
1429 status = netlogon_creds_decrypt_samr_CryptPassword(creds,
1430 &password_buf,
1431 auth_type,
1432 auth_level);
1433 if (!NT_STATUS_IS_OK(status)) {
1434 TALLOC_FREE(creds);
1435 return status;
1436 }
1437
1438 if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &new_password)) {
1439 DEBUG(2,("_netr_ServerPasswordSet2: unable to extract password "
1440 "from a buffer. Rejecting auth request as a wrong password\n"));
1441 TALLOC_FREE(creds);
1442 return NT_STATUS_WRONG_PASSWORD;
1443 }
1444
1445 /*
1446 * Make sure the length field was encrypted,
1447 * otherwise we are under attack.
1448 */
1449 if (new_password.length == r->in.new_password->length) {
1450 DBG_WARNING("Length[%zu] field not encrypted\n",
1451 new_password.length);
1452 TALLOC_FREE(creds);
1453 return NT_STATUS_WRONG_PASSWORD;
1454 }
1455
1456 /*
1457 * We don't allow empty passwords for machine accounts.
1458 */
1459 if (new_password.length < 2) {
1460 DBG_WARNING("Empty password Length[%zu]\n",
1461 new_password.length);
1462 TALLOC_FREE(creds);
1463 return NT_STATUS_WRONG_PASSWORD;
1464 }
1465
1466 /*
1467 * Make sure the confounder part of CryptPassword
1468 * buffer was encrypted, otherwise we are under attack.
1469 */
1470 confounder_len = 512 - new_password.length;
1471 enc_blob = data_blob_const(r->in.new_password->data, confounder_len);
1472 dec_blob = data_blob_const(password_buf.data, confounder_len);
1473 if (confounder_len > 0 && data_blob_equal_const_time(&dec_blob, &enc_blob)) {
1474 DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n",
1475 confounder_len);
1476 TALLOC_FREE(creds);
1477 return NT_STATUS_WRONG_PASSWORD;
1478 }
1479
1480 /*
1481 * Check that the password part was actually encrypted,
1482 * otherwise we are under attack.
1483 */
1484 enc_blob = data_blob_const(r->in.new_password->data + confounder_len,
1485 new_password.length);
1486 dec_blob = data_blob_const(password_buf.data + confounder_len,
1487 new_password.length);
1488 if (data_blob_equal_const_time(&dec_blob, &enc_blob)) {
1489 DBG_WARNING("Password buffer not encrypted Length[%zu]\n",
1490 new_password.length);
1491 TALLOC_FREE(creds);
1492 return NT_STATUS_WRONG_PASSWORD;
1493 }
1494
1495 /*
1496 * don't allow zero buffers
1497 */
1498 if (all_zero(new_password.data, new_password.length)) {
1499 DBG_WARNING("Password zero buffer Length[%zu]\n",
1500 new_password.length);
1501 TALLOC_FREE(creds);
1502 return NT_STATUS_WRONG_PASSWORD;
1503 }
1504
1505 /* Convert from UTF16 -> plaintext. */
1506 ok = convert_string_talloc(p->mem_ctx,
1507 CH_UTF16,
1508 CH_UNIX,
1509 new_password.data,
1510 new_password.length,
1511 &plaintext.data,
1512 &plaintext.length);
1513 if (!ok) {
1514 DBG_WARNING("unable to extract password from a buffer. "
1515 "Rejecting auth request as a wrong password\n");
1516 TALLOC_FREE(creds);
1517 return NT_STATUS_WRONG_PASSWORD;
1518 }
1519
1520 /*
1521 * We don't allow empty passwords for machine accounts.
1522 */
1523
1524 cr.creds.password = (const char*) plaintext.data;
1525 if (strlen(cr.creds.password) == 0) {
1526 DBG_WARNING("Empty plaintext password\n");
1527 TALLOC_FREE(creds);
1528 return NT_STATUS_WRONG_PASSWORD;
1529 }
1530
1531 status = netr_set_machine_account_password(p->mem_ctx,
1532 session_info,
1533 p->msg_ctx,
1534 client_sid,
1535 &cr);
1536 TALLOC_FREE(creds);
1537 return status;
1538 }
1539
1540 /*************************************************************************
1541 _netr_LogonSamLogoff
1542 *************************************************************************/
1543
1544 NTSTATUS _netr_LogonSamLogoff(struct pipes_struct *p,
1545 struct netr_LogonSamLogoff *r)
1546 {
1547 NTSTATUS status;
1548 struct netlogon_creds_CredentialState *creds;
1549
1550 become_root();
1551 status = dcesrv_netr_creds_server_step_check(p->dce_call,
1552 p->mem_ctx,
1553 r->in.computer_name,
1554 r->in.credential,
1555 r->out.return_authenticator,
1556 &creds);
1557 unbecome_root();
1558
1559 return status;
1560 }
1561
1562 static NTSTATUS _netr_LogonSamLogon_check(const struct netr_LogonSamLogonEx *r)
1563 {
1564 switch (r->in.logon_level) {
1565 case NetlogonInteractiveInformation:
1566 case NetlogonServiceInformation:
1567 case NetlogonInteractiveTransitiveInformation:
1568 case NetlogonServiceTransitiveInformation:
1569 if (r->in.logon->password == NULL) {
1570 return NT_STATUS_INVALID_PARAMETER;
1571 }
1572
1573 switch (r->in.validation_level) {
1574 case NetlogonValidationSamInfo: /* 2 */
1575 case NetlogonValidationSamInfo2: /* 3 */
1576 break;
1577 case NetlogonValidationSamInfo4: /* 6 */
1578 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
1579 DEBUG(10,("Not adding validation info level 6 "
1580 "without ADS passdb backend\n"));
1581 return NT_STATUS_INVALID_INFO_CLASS;
1582 }
1583 break;
1584 default:
1585 return NT_STATUS_INVALID_INFO_CLASS;
1586 }
1587
1588 break;
1589 case NetlogonNetworkInformation:
1590 case NetlogonNetworkTransitiveInformation:
1591 if (r->in.logon->network == NULL) {
1592 return NT_STATUS_INVALID_PARAMETER;
1593 }
1594
1595 switch (r->in.validation_level) {
1596 case NetlogonValidationSamInfo: /* 2 */
1597 case NetlogonValidationSamInfo2: /* 3 */
1598 break;
1599 case NetlogonValidationSamInfo4: /* 6 */
1600 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
1601 DEBUG(10,("Not adding validation info level 6 "
1602 "without ADS passdb backend\n"));
1603 return NT_STATUS_INVALID_INFO_CLASS;
1604 }
1605 break;
1606 default:
1607 return NT_STATUS_INVALID_INFO_CLASS;
1608 }
1609
1610 break;
1611
1612 case NetlogonGenericInformation:
1613 if (r->in.logon->generic == NULL) {
1614 return NT_STATUS_INVALID_PARAMETER;
1615 }
1616
1617 /* we don't support this here */
1618 return NT_STATUS_INVALID_PARAMETER;
1619 #if 0
1620 switch (r->in.validation_level) {
1621 /* TODO: case NetlogonValidationGenericInfo: 4 */
1622 case NetlogonValidationGenericInfo2: /* 5 */
1623 break;
1624 default:
1625 return NT_STATUS_INVALID_INFO_CLASS;
1626 }
1627
1628 break;
1629 #endif
1630 default:
1631 return NT_STATUS_INVALID_PARAMETER;
1632 }
1633
1634 return NT_STATUS_OK;
1635 }
1636
1637 /*************************************************************************
1638 _netr_LogonSamLogon_base
1639 *************************************************************************/
1640
1641 static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
1642 struct netr_LogonSamLogonEx *r,
1643 struct netlogon_creds_CredentialState *creds)
1644 {
1645 struct dcesrv_call_state *dce_call = p->dce_call;
1646 struct dcesrv_connection *dcesrv_conn = dce_call->conn;
1647 const struct tsocket_address *local_address =
1648 dcesrv_connection_get_local_address(dcesrv_conn);
1649 const struct tsocket_address *remote_address =
1650 dcesrv_connection_get_remote_address(dcesrv_conn);
1651 NTSTATUS status = NT_STATUS_OK;
1652 union netr_LogonLevel *logon = r->in.logon;
1653 const char *nt_username, *nt_domain, *nt_workstation;
1654 char *sanitized_username = NULL;
1655 struct auth_usersupplied_info *user_info = NULL;
1656 struct auth_serversupplied_info *server_info = NULL;
1657 struct auth_context *auth_context = NULL;
1658 const char *fn;
1659 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
1660 enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
1661 uint16_t opnum = dce_call->pkt.u.request.opnum;
1662
1663 dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
1664
1665 #ifdef DEBUG_PASSWORD
1666 logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
1667 r->in.logon_level,
1668 r->in.logon);
1669 if (logon == NULL) {
1670 logon = r->in.logon;
1671 }
1672 #endif
1673
1674 switch (opnum) {
1675 case NDR_NETR_LOGONSAMLOGON:
1676 fn = "_netr_LogonSamLogon";
1677 /*
1678 * Already called netr_check_schannel() via
1679 * netr_creds_server_step_check()
1680 */
1681 break;
1682 case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
1683 fn = "_netr_LogonSamLogonWithFlags";
1684 /*
1685 * Already called netr_check_schannel() via
1686 * netr_creds_server_step_check()
1687 */
1688 break;
1689 case NDR_NETR_LOGONSAMLOGONEX:
1690 fn = "_netr_LogonSamLogonEx";
1691
1692 if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1693 return NT_STATUS_ACCESS_DENIED;
1694 }
1695
1696 status = dcesrv_netr_check_schannel(p->dce_call,
1697 creds,
1698 auth_type,
1699 auth_level,
1700 opnum);
1701 if (NT_STATUS_IS_ERR(status)) {
1702 return status;
1703 }
1704
1705 break;
1706 default:
1707 return NT_STATUS_INTERNAL_ERROR;
1708 }
1709
1710 *r->out.authoritative = 1; /* authoritative response */
1711
1712 switch (r->in.validation_level) {
1713 case 2:
1714 r->out.validation->sam2 = talloc_zero(p->mem_ctx, struct netr_SamInfo2);
1715 if (!r->out.validation->sam2) {
1716 return NT_STATUS_NO_MEMORY;
1717 }
1718 break;
1719 case 3:
1720 r->out.validation->sam3 = talloc_zero(p->mem_ctx, struct netr_SamInfo3);
1721 if (!r->out.validation->sam3) {
1722 return NT_STATUS_NO_MEMORY;
1723 }
1724 break;
1725 case 6:
1726 r->out.validation->sam6 = talloc_zero(p->mem_ctx, struct netr_SamInfo6);
1727 if (!r->out.validation->sam6) {
1728 return NT_STATUS_NO_MEMORY;
1729 }
1730 break;
1731 default:
1732 DEBUG(0,("%s: bad validation_level value %d.\n",
1733 fn, (int)r->in.validation_level));
1734 return NT_STATUS_INVALID_INFO_CLASS;
1735 }
1736
1737 switch (r->in.logon_level) {
1738 case NetlogonInteractiveInformation:
1739 case NetlogonServiceInformation:
1740 case NetlogonInteractiveTransitiveInformation:
1741 case NetlogonServiceTransitiveInformation:
1742 nt_username = logon->password->identity_info.account_name.string ?
1743 logon->password->identity_info.account_name.string : "";
1744 nt_domain = logon->password->identity_info.domain_name.string ?
1745 logon->password->identity_info.domain_name.string : "";
1746 nt_workstation = logon->password->identity_info.workstation.string ?
1747 logon->password->identity_info.workstation.string : "";
1748
1749 DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
1750 break;
1751 case NetlogonNetworkInformation:
1752 case NetlogonNetworkTransitiveInformation:
1753 nt_username = logon->network->identity_info.account_name.string ?
1754 logon->network->identity_info.account_name.string : "";
1755 nt_domain = logon->network->identity_info.domain_name.string ?
1756 logon->network->identity_info.domain_name.string : "";
1757 nt_workstation = logon->network->identity_info.workstation.string ?
1758 logon->network->identity_info.workstation.string : "";
1759
1760 DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
1761 break;
1762 default:
1763 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1764 return NT_STATUS_INVALID_INFO_CLASS;
1765 } /* end switch */
1766
1767 DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username, nt_workstation, nt_domain));
1768
1769 DEBUG(5,("Attempting validation level %d for unmapped username %s.\n",
1770 r->in.validation_level, nt_username));
1771
1772 status = netlogon_creds_decrypt_samlogon_logon(creds,
1773 r->in.logon_level,
1774 logon,
1775 auth_type,
1776 auth_level);
1777 if (!NT_STATUS_IS_OK(status)) {
1778 return status;
1779 }
1780
1781 status = make_auth3_context_for_netlogon(talloc_tos(), &auth_context);
1782 if (!NT_STATUS_IS_OK(status)) {
1783 return status;
1784 }
1785
1786 switch (r->in.logon_level) {
1787 case NetlogonNetworkInformation:
1788 case NetlogonNetworkTransitiveInformation:
1789 {
1790 const char *wksname = nt_workstation;
1791 const char *workgroup = lp_workgroup();
1792 bool ok;
1793
1794 ok = auth3_context_set_challenge(
1795 auth_context, logon->network->challenge, "fixed");
1796 if (!ok) {
1797 return NT_STATUS_NO_MEMORY;
1798 }
1799
1800 /* For a network logon, the workstation name comes in with two
1801 * backslashes in the front. Strip them if they are there. */
1802
1803 if (*wksname == '\\') wksname++;
1804 if (*wksname == '\\') wksname++;
1805
1806 /* Standard challenge/response authentication */
1807 if (!make_user_info_netlogon_network(talloc_tos(),
1808 &user_info,
1809 nt_username, nt_domain,
1810 wksname,
1811 remote_address,
1812 local_address,
1813 logon->network->identity_info.parameter_control,
1814 logon->network->lm.data,
1815 logon->network->lm.length,
1816 logon->network->nt.data,
1817 logon->network->nt.length)) {
1818 status = NT_STATUS_NO_MEMORY;
1819 }
1820
1821 if (NT_STATUS_IS_OK(status)) {
1822 status = NTLMv2_RESPONSE_verify_netlogon_creds(
1823 user_info->client.account_name,
1824 user_info->client.domain_name,
1825 user_info->password.response.nt,
1826 creds, workgroup);
1827 }
1828 break;
1829 }
1830 case NetlogonInteractiveInformation:
1831 case NetlogonServiceInformation:
1832 case NetlogonInteractiveTransitiveInformation:
1833 case NetlogonServiceTransitiveInformation:
1834
1835 /* 'Interactive' authentication, supplies the password in its
1836 MD4 form, encrypted with the session key. We will convert
1837 this to challenge/response for the auth subsystem to chew
1838 on */
1839 {
1840 uint8_t chal[8];
1841
1842 #ifdef DEBUG_PASSWORD
1843 if (logon != r->in.logon) {
1844 DEBUG(100,("lm owf password:"));
1845 dump_data(100,
1846 r->in.logon->password->lmpassword.hash, 16);
1847
1848 DEBUG(100,("nt owf password:"));
1849 dump_data(100,
1850 r->in.logon->password->ntpassword.hash, 16);
1851 }
1852
1853 DEBUG(100,("decrypt of lm owf password:"));
1854 dump_data(100, logon->password->lmpassword.hash, 16);
1855
1856 DEBUG(100,("decrypt of nt owf password:"));
1857 dump_data(100, logon->password->ntpassword.hash, 16);
1858 #endif
1859
1860 auth_get_ntlm_challenge(auth_context, chal);
1861
1862 if (!make_user_info_netlogon_interactive(talloc_tos(),
1863 &user_info,
1864 nt_username, nt_domain,
1865 nt_workstation,
1866 remote_address,
1867 local_address,
1868 logon->password->identity_info.parameter_control,
1869 chal,
1870 logon->password->lmpassword.hash,
1871 logon->password->ntpassword.hash)) {
1872 status = NT_STATUS_NO_MEMORY;
1873 }
1874 break;
1875 }
1876 default:
1877 DEBUG(2,("SAM Logon: unsupported switch value\n"));
1878 return NT_STATUS_INVALID_INFO_CLASS;
1879 } /* end switch */
1880
1881 if ( NT_STATUS_IS_OK(status) ) {
1882 status = auth_check_ntlm_password(p->mem_ctx,
1883 auth_context,
1884 user_info,
1885 &server_info,
1886 r->out.authoritative);
1887 }
1888
1889 TALLOC_FREE(auth_context);
1890 TALLOC_FREE(user_info);
1891
1892 DEBUG(5,("%s: check_password returned status %s\n",
1893 fn, nt_errstr(status)));
1894
1895 /* Check account and password */
1896
1897 if (!NT_STATUS_IS_OK(status)) {
1898 TALLOC_FREE(server_info);
1899 return status;
1900 }
1901
1902 if (server_info->guest) {
1903 /* We don't like guest domain logons... */
1904 DEBUG(5,("%s: Attempted domain logon as GUEST "
1905 "denied.\n", fn));
1906 TALLOC_FREE(server_info);
1907 return NT_STATUS_LOGON_FAILURE;
1908 }
1909
1910 sanitized_username = talloc_alpha_strcpy(talloc_tos(),
1911 nt_username,
1912 SAFE_NETBIOS_CHARS "$");
1913 if (sanitized_username == NULL) {
1914 TALLOC_FREE(server_info);
1915 return NT_STATUS_NO_MEMORY;
1916 }
1917
1918 set_current_user_info(sanitized_username,
1919 server_info->unix_name,
1920 server_info->info3->base.logon_domain.string);
1921 TALLOC_FREE(sanitized_username);
1922
1923 /* This is the point at which, if the login was successful, that
1924 the SAM Local Security Authority should record that the user is
1925 logged in to the domain. */
1926
1927 switch (r->in.validation_level) {
1928 case 2:
1929 status = serverinfo_to_SamInfo2(server_info,
1930 r->out.validation->sam2);
1931 break;
1932 case 3:
1933 status = serverinfo_to_SamInfo3(server_info,
1934 r->out.validation->sam3);
1935 break;
1936 case 6: {
1937 /* Only allow this if the pipe is protected. */
1938 if (auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
1939 DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n",
1940 get_remote_machine_name()));
1941 status = NT_STATUS_INVALID_PARAMETER;
1942 break;
1943 }
1944
1945 status = serverinfo_to_SamInfo6(server_info,
1946 r->out.validation->sam6);
1947 break;
1948 }
1949 }
1950
1951 TALLOC_FREE(server_info);
1952
1953 if (!NT_STATUS_IS_OK(status)) {
1954 return status;
1955 }
1956
1957 status = netlogon_creds_encrypt_samlogon_validation(creds,
1958 r->in.validation_level,
1959 r->out.validation,
1960 auth_type,
1961 auth_level);
1962
1963 return status;
1964 }
1965
1966 /****************************************************************
1967 _netr_LogonSamLogonWithFlags
1968 ****************************************************************/
1969
1970 NTSTATUS _netr_LogonSamLogonWithFlags(struct pipes_struct *p,
1971 struct netr_LogonSamLogonWithFlags *r)
1972 {
1973 NTSTATUS status;
1974 struct netlogon_creds_CredentialState *creds;
1975 struct netr_LogonSamLogonEx r2;
1976 struct netr_Authenticator return_authenticator;
1977
1978 *r->out.authoritative = true;
1979
1980 r2.in.server_name = r->in.server_name;
1981 r2.in.computer_name = r->in.computer_name;
1982 r2.in.logon_level = r->in.logon_level;
1983 r2.in.logon = r->in.logon;
1984 r2.in.validation_level = r->in.validation_level;
1985 r2.in.flags = r->in.flags;
1986 r2.out.validation = r->out.validation;
1987 r2.out.authoritative = r->out.authoritative;
1988 r2.out.flags = r->out.flags;
1989
1990 status = _netr_LogonSamLogon_check(&r2);
1991 if (!NT_STATUS_IS_OK(status)) {
1992 return status;
1993 }
1994
1995 become_root();
1996 status = dcesrv_netr_creds_server_step_check(p->dce_call,
1997 p->mem_ctx,
1998 r->in.computer_name,
1999 r->in.credential,
2000 &return_authenticator,
2001 &creds);
2002 unbecome_root();
2003 if (!NT_STATUS_IS_OK(status)) {
2004 return status;
2005 }
2006
2007 status = _netr_LogonSamLogon_base(p, &r2, creds);
2008
2009 *r->out.return_authenticator = return_authenticator;
2010
2011 return status;
2012 }
2013
2014 /*************************************************************************
2015 _netr_LogonSamLogon
2016 *************************************************************************/
2017
2018 NTSTATUS _netr_LogonSamLogon(struct pipes_struct *p,
2019 struct netr_LogonSamLogon *r)
2020 {
2021 NTSTATUS status;
2022 struct netr_LogonSamLogonWithFlags r2;
2023 uint32_t flags = 0;
2024
2025 r2.in.server_name = r->in.server_name;
2026 r2.in.computer_name = r->in.computer_name;
2027 r2.in.credential = r->in.credential;
2028 r2.in.logon_level = r->in.logon_level;
2029 r2.in.logon = r->in.logon;
2030 r2.in.validation_level = r->in.validation_level;
2031 r2.in.return_authenticator = r->in.return_authenticator;
2032 r2.in.flags = &flags;
2033 r2.out.validation = r->out.validation;
2034 r2.out.authoritative = r->out.authoritative;
2035 r2.out.flags = &flags;
2036 r2.out.return_authenticator = r->out.return_authenticator;
2037
2038 status = _netr_LogonSamLogonWithFlags(p, &r2);
2039
2040 return status;
2041 }
2042
2043 /*************************************************************************
2044 _netr_LogonSamLogonEx
2045 - no credential chaining. Map into net sam logon.
2046 *************************************************************************/
2047
2048 NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
2049 struct netr_LogonSamLogonEx *r)
2050 {
2051 NTSTATUS status;
2052 struct netlogon_creds_CredentialState *creds = NULL;
2053 struct loadparm_context *lp_ctx = p->dce_call->conn->dce_ctx->lp_ctx;
2054
2055 *r->out.authoritative = true;
2056
2057 status = _netr_LogonSamLogon_check(r);
2058 if (!NT_STATUS_IS_OK(status)) {
2059 return status;
2060 }
2061
2062 become_root();
2063 status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
2064 r->in.computer_name, &creds);
2065 unbecome_root();
2066 if (!NT_STATUS_IS_OK(status)) {
2067 return status;
2068 }
2069
2070 status = _netr_LogonSamLogon_base(p, r, creds);
2071 TALLOC_FREE(creds);
2072
2073 return status;
2074 }
2075
2076 /*************************************************************************
2077 _ds_enum_dom_trusts
2078 *************************************************************************/
2079 #if 0 /* JERRY -- not correct */
2080 NTSTATUS _ds_enum_dom_trusts(struct pipes_struct *p, DS_Q_ENUM_DOM_TRUSTS *q_u,
2081 DS_R_ENUM_DOM_TRUSTS *r_u)
2082 {
2083 NTSTATUS status = NT_STATUS_OK;
2084
2085 /* TODO: According to MSDN, the can only be executed against a
2086 DC or domain member running Windows 2000 or later. Need
2087 to test against a standalone 2k server and see what it
2088 does. A windows 2000 DC includes its own domain in the
2089 list. --jerry */
2090
2091 return status;
2092 }
2093 #endif /* JERRY */
2094
2095
2096 /****************************************************************
2097 ****************************************************************/
2098
2099 WERROR _netr_LogonUasLogon(struct pipes_struct *p,
2100 struct netr_LogonUasLogon *r)
2101 {
2102 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2103 return WERR_NOT_SUPPORTED;
2104 }
2105
2106 /****************************************************************
2107 ****************************************************************/
2108
2109 WERROR _netr_LogonUasLogoff(struct pipes_struct *p,
2110 struct netr_LogonUasLogoff *r)
2111 {
2112 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2113 return WERR_NOT_SUPPORTED;
2114 }
2115
2116 /****************************************************************
2117 ****************************************************************/
2118
2119 NTSTATUS _netr_DatabaseDeltas(struct pipes_struct *p,
2120 struct netr_DatabaseDeltas *r)
2121 {
2122 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2123 return NT_STATUS_NOT_IMPLEMENTED;
2124 }
2125
2126 /****************************************************************
2127 ****************************************************************/
2128
2129 NTSTATUS _netr_DatabaseSync(struct pipes_struct *p,
2130 struct netr_DatabaseSync *r)
2131 {
2132 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2133 return NT_STATUS_NOT_IMPLEMENTED;
2134 }
2135
2136 /****************************************************************
2137 ****************************************************************/
2138
2139 NTSTATUS _netr_AccountDeltas(struct pipes_struct *p,
2140 struct netr_AccountDeltas *r)
2141 {
2142 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2143 return NT_STATUS_NOT_IMPLEMENTED;
2144 }
2145
2146 /****************************************************************
2147 ****************************************************************/
2148
2149 NTSTATUS _netr_AccountSync(struct pipes_struct *p,
2150 struct netr_AccountSync *r)
2151 {
2152 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2153 return NT_STATUS_NOT_IMPLEMENTED;
2154 }
2155
2156 /****************************************************************
2157 ****************************************************************/
2158
2159 static bool wb_getdcname(TALLOC_CTX *mem_ctx,
2160 const char *domain,
2161 const char **dcname,
2162 uint32_t flags,
2163 WERROR *werr)
2164 {
2165 wbcErr result;
2166 struct wbcDomainControllerInfo *dc_info = NULL;
2167
2168 result = wbcLookupDomainController(domain,
2169 flags,
2170 &dc_info);
2171 switch (result) {
2172 case WBC_ERR_SUCCESS:
2173 break;
2174 case WBC_ERR_WINBIND_NOT_AVAILABLE:
2175 return false;
2176 case WBC_ERR_DOMAIN_NOT_FOUND:
2177 *werr = WERR_NO_SUCH_DOMAIN;
2178 return true;
2179 default:
2180 *werr = WERR_DOMAIN_CONTROLLER_NOT_FOUND;
2181 return true;
2182 }
2183
2184 *dcname = talloc_strdup(mem_ctx, dc_info->dc_name);
2185 wbcFreeMemory(dc_info);
2186 if (!*dcname) {
2187 *werr = WERR_NOT_ENOUGH_MEMORY;
2188 return false;
2189 }
2190
2191 *werr = WERR_OK;
2192
2193 return true;
2194 }
2195
2196 /****************************************************************
2197 _netr_GetDcName
2198 ****************************************************************/
2199
2200 WERROR _netr_GetDcName(struct pipes_struct *p,
2201 struct netr_GetDcName *r)
2202 {
2203 NTSTATUS status;
2204 WERROR werr;
2205 uint32_t flags;
2206 struct netr_DsRGetDCNameInfo *info;
2207 bool ret;
2208
2209 ret = wb_getdcname(p->mem_ctx,
2210 r->in.domainname,
2211 r->out.dcname,
2212 WBC_LOOKUP_DC_IS_FLAT_NAME |
2213 WBC_LOOKUP_DC_RETURN_FLAT_NAME |
2214 WBC_LOOKUP_DC_PDC_REQUIRED,
2215 &werr);
2216 if (ret == true) {
2217 return werr;
2218 }
2219
2220 flags = DS_PDC_REQUIRED | DS_IS_FLAT_NAME | DS_RETURN_FLAT_NAME;
2221
2222 status = dsgetdcname(p->mem_ctx,
2223 p->msg_ctx,
2224 r->in.domainname,
2225 NULL,
2226 NULL,
2227 flags,
2228 &info);
2229 if (!NT_STATUS_IS_OK(status)) {
2230 return ntstatus_to_werror(status);
2231 }
2232
2233 *r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
2234 talloc_free(info);
2235 if (!*r->out.dcname) {
2236 return WERR_NOT_ENOUGH_MEMORY;
2237 }
2238
2239 return WERR_OK;
2240 }
2241
2242 /****************************************************************
2243 _netr_GetAnyDCName
2244 ****************************************************************/
2245
2246 WERROR _netr_GetAnyDCName(struct pipes_struct *p,
2247 struct netr_GetAnyDCName *r)
2248 {
2249 NTSTATUS status;
2250 WERROR werr;
2251 uint32_t flags;
2252 struct netr_DsRGetDCNameInfo *info;
2253 bool ret;
2254
2255 ret = wb_getdcname(p->mem_ctx,
2256 r->in.domainname,
2257 r->out.dcname,
2258 WBC_LOOKUP_DC_IS_FLAT_NAME |
2259 WBC_LOOKUP_DC_RETURN_FLAT_NAME,
2260 &werr);
2261 if (ret == true) {
2262 return werr;
2263 }
2264
2265 flags = DS_IS_FLAT_NAME | DS_RETURN_FLAT_NAME;
2266
2267 status = dsgetdcname(p->mem_ctx,
2268 p->msg_ctx,
2269 r->in.domainname,
2270 NULL,
2271 NULL,
2272 flags,
2273 &info);
2274 if (!NT_STATUS_IS_OK(status)) {
2275 return ntstatus_to_werror(status);
2276 }
2277
2278 *r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
2279 talloc_free(info);
2280 if (!*r->out.dcname) {
2281 return WERR_NOT_ENOUGH_MEMORY;
2282 }
2283
2284 return WERR_OK;
2285 }
2286
2287 /****************************************************************
2288 ****************************************************************/
2289
2290 NTSTATUS _netr_DatabaseSync2(struct pipes_struct *p,
2291 struct netr_DatabaseSync2 *r)
2292 {
2293 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2294 return NT_STATUS_NOT_IMPLEMENTED;
2295 }
2296
2297 /****************************************************************
2298 ****************************************************************/
2299
2300 NTSTATUS _netr_DatabaseRedo(struct pipes_struct *p,
2301 struct netr_DatabaseRedo *r)
2302 {
2303 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2304 return NT_STATUS_NOT_IMPLEMENTED;
2305 }
2306
2307 /****************************************************************
2308 ****************************************************************/
2309
2310 WERROR _netr_DsRGetDCName(struct pipes_struct *p,
2311 struct netr_DsRGetDCName *r)
2312 {
2313 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2314 return WERR_NOT_SUPPORTED;
2315 }
2316
2317 /****************************************************************
2318 ****************************************************************/
2319
2320 NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
2321 struct netr_LogonGetCapabilities *r)
2322 {
2323 struct netlogon_creds_CredentialState *creds;
2324 NTSTATUS status;
2325
2326 switch (r->in.query_level) {
2327 case 1:
2328 break;
2329 case 2:
2330 break;
2331 default:
2332 /*
2333 * There would not be a way to marshall the
2334 * the response. Which would mean our final
2335 * ndr_push would fail an we would return
2336 * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
2337 *
2338 * But it's important to match a Windows server
2339 * especially before KB5028166, see also our bug #15418
2340 * Otherwise Windows client would stop talking to us.
2341 */
2342 p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
2343 return NT_STATUS_NOT_SUPPORTED;
2344 }
2345
2346 become_root();
2347 status = dcesrv_netr_creds_server_step_check(p->dce_call,
2348 p->mem_ctx,
2349 r->in.computer_name,
2350 r->in.credential,
2351 r->out.return_authenticator,
2352 &creds);
2353 unbecome_root();
2354 if (!NT_STATUS_IS_OK(status)) {
2355 return status;
2356 }
2357
2358 switch (r->in.query_level) {
2359 case 1:
2360 r->out.capabilities->server_capabilities = creds->negotiate_flags;
2361 break;
2362 case 2:
2363 r->out.capabilities->requested_flags =
2364 creds->ex->client_requested_flags;
2365 break;
2366 }
2367
2368 return NT_STATUS_OK;
2369 }
2370
2371 /****************************************************************
2372 ****************************************************************/
2373
2374 WERROR _netr_NETRLOGONSETSERVICEBITS(struct pipes_struct *p,
2375 struct netr_NETRLOGONSETSERVICEBITS *r)
2376 {
2377 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2378 return WERR_NOT_SUPPORTED;
2379 }
2380
2381 /****************************************************************
2382 ****************************************************************/
2383
2384 WERROR _netr_LogonGetTrustRid(struct pipes_struct *p,
2385 struct netr_LogonGetTrustRid *r)
2386 {
2387 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2388 return WERR_NOT_SUPPORTED;
2389 }
2390
2391 /****************************************************************
2392 ****************************************************************/
2393
2394 WERROR _netr_NETRLOGONCOMPUTESERVERDIGEST(struct pipes_struct *p,
2395 struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
2396 {
2397 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2398 return WERR_NOT_SUPPORTED;
2399 }
2400
2401 /****************************************************************
2402 ****************************************************************/
2403
2404 WERROR _netr_NETRLOGONCOMPUTECLIENTDIGEST(struct pipes_struct *p,
2405 struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
2406 {
2407 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2408 return WERR_NOT_SUPPORTED;
2409 }
2410
2411 /****************************************************************
2412 ****************************************************************/
2413
2414 WERROR _netr_DsRGetDCNameEx(struct pipes_struct *p,
2415 struct netr_DsRGetDCNameEx *r)
2416 {
2417 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2418 return WERR_NOT_SUPPORTED;
2419 }
2420
2421 /****************************************************************
2422 ****************************************************************/
2423
2424 WERROR _netr_DsRGetSiteName(struct pipes_struct *p,
2425 struct netr_DsRGetSiteName *r)
2426 {
2427 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2428 return WERR_NOT_SUPPORTED;
2429 }
2430
2431 /****************************************************************
2432 ****************************************************************/
2433
2434 NTSTATUS _netr_LogonGetDomainInfo(struct pipes_struct *p,
2435 struct netr_LogonGetDomainInfo *r)
2436 {
2437 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2438 return NT_STATUS_NOT_IMPLEMENTED;
2439 }
2440
2441 /****************************************************************
2442 ****************************************************************/
2443
2444 NTSTATUS _netr_ServerPasswordGet(struct pipes_struct *p,
2445 struct netr_ServerPasswordGet *r)
2446 {
2447 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2448 return NT_STATUS_NOT_SUPPORTED;
2449 }
2450
2451 /****************************************************************
2452 ****************************************************************/
2453
2454 NTSTATUS _netr_NetrLogonSendToSam(struct pipes_struct *p,
2455 struct netr_NetrLogonSendToSam *r)
2456 {
2457 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2458 return NT_STATUS_NOT_IMPLEMENTED;
2459 }
2460
2461 /****************************************************************
2462 ****************************************************************/
2463
2464 WERROR _netr_DsRAddressToSitenamesW(struct pipes_struct *p,
2465 struct netr_DsRAddressToSitenamesW *r)
2466 {
2467 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2468 return WERR_NOT_SUPPORTED;
2469 }
2470
2471 /****************************************************************
2472 ****************************************************************/
2473
2474 WERROR _netr_DsRGetDCNameEx2(struct pipes_struct *p,
2475 struct netr_DsRGetDCNameEx2 *r)
2476 {
2477 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2478 return WERR_NOT_SUPPORTED;
2479 }
2480
2481 /****************************************************************
2482 ****************************************************************/
2483
2484 WERROR _netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct pipes_struct *p,
2485 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
2486 {
2487 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2488 return WERR_NOT_SUPPORTED;
2489 }
2490
2491 /****************************************************************
2492 ****************************************************************/
2493
2494 WERROR _netr_NetrEnumerateTrustedDomainsEx(struct pipes_struct *p,
2495 struct netr_NetrEnumerateTrustedDomainsEx *r)
2496 {
2497 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2498 return WERR_NOT_SUPPORTED;
2499 }
2500
2501 /****************************************************************
2502 ****************************************************************/
2503
2504 WERROR _netr_DsRAddressToSitenamesExW(struct pipes_struct *p,
2505 struct netr_DsRAddressToSitenamesExW *r)
2506 {
2507 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2508 return WERR_NOT_SUPPORTED;
2509 }
2510
2511 /****************************************************************
2512 ****************************************************************/
2513
2514 WERROR _netr_DsrGetDcSiteCoverageW(struct pipes_struct *p,
2515 struct netr_DsrGetDcSiteCoverageW *r)
2516 {
2517 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2518 return WERR_NOT_SUPPORTED;
2519 }
2520
2521 /****************************************************************
2522 ****************************************************************/
2523
2524 WERROR _netr_DsrEnumerateDomainTrusts(struct pipes_struct *p,
2525 struct netr_DsrEnumerateDomainTrusts *r)
2526 {
2527 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2528 return WERR_NOT_SUPPORTED;
2529 }
2530
2531 /****************************************************************
2532 ****************************************************************/
2533
2534 WERROR _netr_DsrDeregisterDNSHostRecords(struct pipes_struct *p,
2535 struct netr_DsrDeregisterDNSHostRecords *r)
2536 {
2537 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2538 return WERR_NOT_SUPPORTED;
2539 }
2540
2541 /****************************************************************
2542 ****************************************************************/
2543
2544 NTSTATUS _netr_ServerTrustPasswordsGet(struct pipes_struct *p,
2545 struct netr_ServerTrustPasswordsGet *r)
2546 {
2547 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2548 return NT_STATUS_NOT_IMPLEMENTED;
2549 }
2550
2551 /****************************************************************
2552 ****************************************************************/
2553
2554 static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx,
2555 struct lsa_ForestTrustInformation *info)
2556 {
2557 struct lsa_ForestTrustRecord *e;
2558 struct pdb_domain_info *dom_info;
2559 struct lsa_ForestTrustDomainInfo *domain_info;
2560 char **upn_suffixes = NULL;
2561 uint32_t num_suffixes = 0;
2562 uint32_t i = 0;
2563 NTSTATUS status;
2564
2565 dom_info = pdb_get_domain_info(mem_ctx);
2566 if (dom_info == NULL) {
2567 return NT_STATUS_NO_MEMORY;
2568 }
2569
2570 info->count = 2;
2571
2572 become_root();
2573 status = pdb_enum_upn_suffixes(info, &num_suffixes, &upn_suffixes);
2574 unbecome_root();
2575 if (NT_STATUS_IS_OK(status) && (num_suffixes > 0)) {
2576 info->count += num_suffixes;
2577 }
2578
2579 info->entries = talloc_array(info, struct lsa_ForestTrustRecord *, info->count);
2580 if (info->entries == NULL) {
2581 return NT_STATUS_NO_MEMORY;
2582 }
2583
2584 e = talloc(info, struct lsa_ForestTrustRecord);
2585 if (e == NULL) {
2586 return NT_STATUS_NO_MEMORY;
2587 }
2588
2589 e->flags = 0;
2590 e->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
2591 e->time = 0; /* so far always 0 in trces. */
2592 e->forest_trust_data.top_level_name.string = talloc_steal(info,
2593 dom_info->dns_forest);
2594
2595 info->entries[0] = e;
2596
2597 if (num_suffixes > 0) {
2598 for (i = 0; i < num_suffixes ; i++) {
2599 e = talloc(info, struct lsa_ForestTrustRecord);
2600 if (e == NULL) {
2601 return NT_STATUS_NO_MEMORY;
2602 }
2603
2604 e->flags = 0;
2605 e->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
2606 e->time = 0; /* so far always 0 in traces. */
2607 e->forest_trust_data.top_level_name.string = upn_suffixes[i];
2608 info->entries[1 + i] = e;
2609 }
2610 }
2611
2612 e = talloc(info, struct lsa_ForestTrustRecord);
2613 if (e == NULL) {
2614 return NT_STATUS_NO_MEMORY;
2615 }
2616
2617 /* TODO: check if disabled and set flags accordingly */
2618 e->flags = 0;
2619 e->type = LSA_FOREST_TRUST_DOMAIN_INFO;
2620 e->time = 0; /* so far always 0 in traces. */
2621
2622 domain_info = &e->forest_trust_data.domain_info;
2623 domain_info->domain_sid = dom_sid_dup(info, &dom_info->sid);
2624
2625 domain_info->dns_domain_name.string = talloc_steal(info,
2626 dom_info->dns_domain);
2627 domain_info->netbios_domain_name.string = talloc_steal(info,
2628 dom_info->name);
2629
2630 info->entries[info->count - 1] = e;
2631
2632 return NT_STATUS_OK;
2633 }
2634
2635 /****************************************************************
2636 ****************************************************************/
2637
2638 WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
2639 struct netr_DsRGetForestTrustInformation *r)
2640 {
2641 struct dcesrv_call_state *dce_call = p->dce_call;
2642 struct auth_session_info *session_info =
2643 dcesrv_call_session_info(dce_call);
2644 NTSTATUS status;
2645 struct lsa_ForestTrustInformation *info, **info_ptr;
2646 enum security_user_level security_level;
2647
2648 security_level = security_session_user_level(session_info, NULL);
2649 if (security_level < SECURITY_USER) {
2650 return WERR_ACCESS_DENIED;
2651 }
2652
2653 if (r->in.flags & (~DS_GFTI_UPDATE_TDO)) {
2654 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2655 return WERR_INVALID_FLAGS;
2656 }
2657
2658 if ((r->in.flags & DS_GFTI_UPDATE_TDO) && (lp_server_role() != ROLE_DOMAIN_PDC)) {
2659 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2660 return WERR_NERR_NOTPRIMARY;
2661 }
2662
2663 if ((r->in.trusted_domain_name == NULL) && (r->in.flags & DS_GFTI_UPDATE_TDO)) {
2664 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2665 return WERR_INVALID_PARAMETER;
2666 }
2667
2668 /* retrieve forest trust information and stop further processing */
2669 if (r->in.trusted_domain_name == NULL) {
2670 info_ptr = talloc(p->mem_ctx, struct lsa_ForestTrustInformation *);
2671 if (info_ptr == NULL) {
2672 p->fault_state = DCERPC_FAULT_CANT_PERFORM;
2673 return WERR_NOT_ENOUGH_MEMORY;
2674 }
2675 info = talloc_zero(info_ptr, struct lsa_ForestTrustInformation);
2676 if (info == NULL) {
2677 p->fault_state = DCERPC_FAULT_CANT_PERFORM;
2678 return WERR_NOT_ENOUGH_MEMORY;
2679 }
2680
2681 /* Fill forest trust information and expand UPN suffixes list */
2682 status = fill_forest_trust_array(p->mem_ctx, info);
2683 if (!NT_STATUS_IS_OK(status)) {
2684 p->fault_state = DCERPC_FAULT_CANT_PERFORM;
2685 return WERR_NOT_ENOUGH_MEMORY;
2686 }
2687
2688 *info_ptr = info;
2689 r->out.forest_trust_info = info_ptr;
2690
2691 return WERR_OK;
2692
2693 }
2694
2695 /* TODO: implement remaining parts of DsrGetForestTrustInformation (opnum 43)
2696 * when trusted_domain_name is not NULL */
2697
2698 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2699 return WERR_NOT_SUPPORTED;
2700 }
2701
2702 /****************************************************************
2703 _netr_GetForestTrustInformation
2704 ****************************************************************/
2705
2706 NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p,
2707 struct netr_GetForestTrustInformation *r)
2708 {
2709 NTSTATUS status;
2710 struct netlogon_creds_CredentialState *creds;
2711 struct lsa_ForestTrustInformation *info, **info_ptr;
2712
2713 /* TODO: check server name */
2714
2715 become_root();
2716 status = dcesrv_netr_creds_server_step_check(p->dce_call,
2717 p->mem_ctx,
2718 r->in.computer_name,
2719 r->in.credential,
2720 r->out.return_authenticator,
2721 &creds);
2722 unbecome_root();
2723 if (!NT_STATUS_IS_OK(status)) {
2724 return status;
2725 }
2726
2727 if ((creds->secure_channel_type != SEC_CHAN_DNS_DOMAIN) &&
2728 (creds->secure_channel_type != SEC_CHAN_DOMAIN)) {
2729 return NT_STATUS_NOT_IMPLEMENTED;
2730 }
2731
2732 info_ptr = talloc(p->mem_ctx, struct lsa_ForestTrustInformation *);
2733 if (!info_ptr) {
2734 return NT_STATUS_NO_MEMORY;
2735 }
2736 info = talloc_zero(info_ptr, struct lsa_ForestTrustInformation);
2737 if (!info) {
2738 return NT_STATUS_NO_MEMORY;
2739 }
2740
2741 /* Fill forest trust information, do expand UPN suffixes list */
2742 status = fill_forest_trust_array(p->mem_ctx, info);
2743 if (!NT_STATUS_IS_OK(status)) {
2744 return status;
2745 }
2746
2747 *info_ptr = info;
2748 r->out.forest_trust_info = info_ptr;
2749
2750 return NT_STATUS_OK;
2751 }
2752
2753 /****************************************************************
2754 ****************************************************************/
2755
2756 static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx,
2757 const DATA_BLOB *trustAuth_blob,
2758 struct netlogon_creds_CredentialState *creds,
2759 struct samr_Password *current_pw_enc,
2760 struct samr_Password *previous_pw_enc,
2761 enum dcerpc_AuthType auth_type,
2762 enum dcerpc_AuthLevel auth_level)
2763 {
2764 enum ndr_err_code ndr_err;
2765 struct trustAuthInOutBlob trustAuth;
2766 NTSTATUS status;
2767
2768 ndr_err = ndr_pull_struct_blob_all(trustAuth_blob, mem_ctx, &trustAuth,
2769 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
2770 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2771 return NT_STATUS_UNSUCCESSFUL;
2772 }
2773
2774 if (trustAuth.count != 0 && trustAuth.current.count != 0 &&
2775 trustAuth.current.array[0].AuthType == TRUST_AUTH_TYPE_CLEAR) {
2776 mdfour(current_pw_enc->hash,
2777 trustAuth.current.array[0].AuthInfo.clear.password,
2778 trustAuth.current.array[0].AuthInfo.clear.size);
2779 status = netlogon_creds_encrypt_samr_Password(creds,
2780 current_pw_enc,
2781 auth_type,
2782 auth_level);
2783 if (!NT_STATUS_IS_OK(status)) {
2784 return status;
2785 }
2786 } else {
2787 return NT_STATUS_UNSUCCESSFUL;
2788 }
2789
2790
2791 if (trustAuth.previous.count != 0 &&
2792 trustAuth.previous.array[0].AuthType == TRUST_AUTH_TYPE_CLEAR) {
2793 mdfour(previous_pw_enc->hash,
2794 trustAuth.previous.array[0].AuthInfo.clear.password,
2795 trustAuth.previous.array[0].AuthInfo.clear.size);
2796 status = netlogon_creds_encrypt_samr_Password(creds,
2797 previous_pw_enc,
2798 auth_type,
2799 auth_level);
2800 if (!NT_STATUS_IS_OK(status)) {
2801 return status;
2802 }
2803 } else {
2804 ZERO_STRUCTP(previous_pw_enc);
2805 }
2806
2807 return NT_STATUS_OK;
2808 }
2809
2810 /****************************************************************
2811 _netr_ServerGetTrustInfo
2812 ****************************************************************/
2813
2814 NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p,
2815 struct netr_ServerGetTrustInfo *r)
2816 {
2817 NTSTATUS status;
2818 struct netlogon_creds_CredentialState *creds;
2819 char *account_name;
2820 size_t account_name_last;
2821 bool trusted;
2822 struct netr_TrustInfo *trust_info;
2823 struct pdb_trusted_domain *td;
2824 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
2825 enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
2826
2827 dcesrv_call_auth_info(p->dce_call, &auth_type, &auth_level);
2828
2829 /* TODO: check server name */
2830
2831 become_root();
2832 status = dcesrv_netr_creds_server_step_check(p->dce_call,
2833 p->mem_ctx,
2834 r->in.computer_name,
2835 r->in.credential,
2836 r->out.return_authenticator,
2837 &creds);
2838 unbecome_root();
2839 if (!NT_STATUS_IS_OK(status)) {
2840 return status;
2841 }
2842
2843 account_name = talloc_strdup(p->mem_ctx, r->in.account_name);
2844 if (account_name == NULL) {
2845 return NT_STATUS_NO_MEMORY;
2846 }
2847
2848 account_name_last = strlen(account_name);
2849 if (account_name_last == 0) {
2850 return NT_STATUS_INVALID_PARAMETER;
2851 }
2852 account_name_last--;
2853 if (account_name[account_name_last] == '.') {
2854 account_name[account_name_last] = '\0';
2855 }
2856
2857 if ((creds->secure_channel_type != SEC_CHAN_DNS_DOMAIN) &&
2858 (creds->secure_channel_type != SEC_CHAN_DOMAIN)) {
2859 trusted = false;
2860 } else {
2861 trusted = true;
2862 }
2863
2864
2865 if (trusted) {
2866 account_name_last = strlen(account_name);
2867 if (account_name_last == 0) {
2868 return NT_STATUS_INVALID_PARAMETER;
2869 }
2870 account_name_last--;
2871 if (account_name[account_name_last] == '$') {
2872 account_name[account_name_last] = '\0';
2873 }
2874
2875 status = pdb_get_trusted_domain(p->mem_ctx, account_name, &td);
2876 if (!NT_STATUS_IS_OK(status)) {
2877 return status;
2878 }
2879
2880 if (r->out.trust_info != NULL) {
2881 trust_info = talloc_zero(p->mem_ctx, struct netr_TrustInfo);
2882 if (trust_info == NULL) {
2883 return NT_STATUS_NO_MEMORY;
2884 }
2885 trust_info->count = 1;
2886
2887 trust_info->data = talloc_array(trust_info, uint32_t, 1);
2888 if (trust_info->data == NULL) {
2889 return NT_STATUS_NO_MEMORY;
2890 }
2891 trust_info->data[0] = td->trust_attributes;
2892
2893 *r->out.trust_info = trust_info;
2894 }
2895
2896 if (td->trust_auth_incoming.data == NULL) {
2897 return NT_STATUS_INVALID_PARAMETER;
2898 }
2899
2900 status = get_password_from_trustAuth(p->mem_ctx,
2901 &td->trust_auth_incoming,
2902 creds,
2903 r->out.new_owf_password,
2904 r->out.old_owf_password,
2905 auth_type,
2906 auth_level);
2907 if (!NT_STATUS_IS_OK(status)) {
2908 return status;
2909 }
2910
2911 } else {
2912 /* TODO: look for machine password */
2913 ZERO_STRUCTP(r->out.new_owf_password);
2914 ZERO_STRUCTP(r->out.old_owf_password);
2915
2916 return NT_STATUS_NOT_IMPLEMENTED;
2917 }
2918
2919 return NT_STATUS_OK;
2920 }
2921
2922 /****************************************************************
2923 ****************************************************************/
2924
2925 NTSTATUS _netr_Unused47(struct pipes_struct *p,
2926 struct netr_Unused47 *r)
2927 {
2928 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2929 return NT_STATUS_NOT_IMPLEMENTED;
2930 }
2931
2932 /****************************************************************
2933 ****************************************************************/
2934
2935 NTSTATUS _netr_DsrUpdateReadOnlyServerDnsRecords(struct pipes_struct *p,
2936 struct netr_DsrUpdateReadOnlyServerDnsRecords *r)
2937 {
2938 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2939 return NT_STATUS_NOT_IMPLEMENTED;
2940 }
2941
2942 DCESRV_COMPAT_NOT_USED_ON_WIRE(netr_Opnum49NotUsedOnWire)
2943 DCESRV_COMPAT_NOT_USED_ON_WIRE(netr_Opnum50NotUsedOnWire)
2944 DCESRV_COMPAT_NOT_USED_ON_WIRE(netr_Opnum51NotUsedOnWire)
2945 DCESRV_COMPAT_NOT_USED_ON_WIRE(netr_Opnum52NotUsedOnWire)
2946 DCESRV_COMPAT_NOT_USED_ON_WIRE(netr_Opnum53NotUsedOnWire)
2947
2948 NTSTATUS _netr_ChainSetClientAttributes(struct pipes_struct *p,
2949 struct netr_ChainSetClientAttributes *r)
2950 {
2951 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2952 return NT_STATUS_NOT_IMPLEMENTED;
2953 }
2954
2955 DCESRV_COMPAT_NOT_USED_ON_WIRE(netr_Opnum55NotUsedOnWire)
2956 DCESRV_COMPAT_NOT_USED_ON_WIRE(netr_Opnum56NotUsedOnWire)
2957 DCESRV_COMPAT_NOT_USED_ON_WIRE(netr_Opnum57NotUsedOnWire)
2958 DCESRV_COMPAT_NOT_USED_ON_WIRE(netr_Opnum58NotUsedOnWire)
2959
2960 NTSTATUS _netr_ServerAuthenticateKerberos(struct pipes_struct *p,
2961 struct netr_ServerAuthenticateKerberos *r)
2962 {
2963 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
2964 return NT_STATUS_NOT_IMPLEMENTED;
2965 }
2966
2967 /*
2968 * Define the bind function that will be used by ndr_netlogon_scompat.c,
2969 * included at the bottom of this file.
2970 */
2971 #define DCESRV_INTERFACE_NETLOGON_BIND(context, iface) \
2972 dcesrv_interface_netlogon_bind(context, iface)
2973
2974 static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context,
2975 const struct dcesrv_interface *iface)
2976 {
2977 struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
2978 int schannel = lpcfg_server_schannel(lp_ctx);
2979 bool schannel_global_required = (schannel == true);
2980 bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
2981 static bool warned_global_schannel_once = false;
2982 static bool warned_global_seal_once = false;
2983
2984 if (!schannel_global_required && !warned_global_schannel_once) {
2985 /*
2986 * We want admins to notice their misconfiguration!
2987 */
2988 D_ERR("CVE-2020-1472(ZeroLogon): "
2989 "Please configure 'server schannel = yes' (the default), "
2990 "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
2991 warned_global_schannel_once = true;
2992 }
2993
2994 if (!global_require_seal && !warned_global_seal_once) {
2995 /*
2996 * We want admins to notice their misconfiguration!
2997 */
2998 D_ERR("CVE-2022-38023 (and others): "
2999 "Please configure 'server schannel require seal = yes' (the default), "
3000 "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
3001 warned_global_seal_once = true;
3002 }
3003
3004 return NT_STATUS_OK;
3005 }
3006
3007 /* include the generated boilerplate */
3008 #include "librpc/gen_ndr/ndr_netlogon_scompat.c"
GSS-enabled samba4