git.samba.org / metze / samba / wip.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
r23880: Don't crash when we run wbinfo -a against our own winbind when we are a DC.
[metze/samba/wip.git] / source / winbind / wb_init_domain.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    A composite API for initializing a domain
5
6    Copyright (C) Volker Lendecke 2005
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2007
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "libcli/composite/composite.h"
25 #include "libcli/smb_composite/smb_composite.h"
26 #include "winbind/wb_server.h"
27 #include "winbind/wb_async_helpers.h"
28 #include "winbind/wb_helper.h"
29 #include "smbd/service_task.h"
30 #include "librpc/gen_ndr/ndr_netlogon.h"
31 #include "librpc/gen_ndr/ndr_lsa_c.h"
32 #include "librpc/gen_ndr/ndr_samr_c.h"
33 #include "libcli/libcli.h"
34
35 #include "libcli/auth/credentials.h"
36 #include "libcli/security/security.h"
37
38 #include "libcli/ldap/ldap_client.h"
39
40 #include "auth/credentials/credentials.h"
41
42 /*
43  * Initialize a domain:
44  *
45  * - With schannel credentials, try to open the SMB connection and
46  *   NETLOGON pipe with the machine creds. This works against W2k3SP1
47  *   with an NTLMSSP session setup. Fall back to anonymous (for the CIFS level).
48  *
49  * - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
50  *   pipe.
51  *
52  * - Open LSA. If we have machine creds, try to open with SPNEGO or NTLMSSP. Fall back
53  *   to schannel.
54  *
55  * - With queryinfopolicy, verify that we're talking to the right domain
56  *
57  * A bit complex, but with all the combinations I think it's the best we can
58  * get. NT4, W2k3 and W2k all have different combinations, but in the end we
59  * have a signed&sealed lsa connection on all of them.
60  *
61  * Not sure if it is overkill, but it seems to work.
62  */
63
64 struct init_domain_state {
65         struct composite_context *ctx;
66         struct wbsrv_domain *domain;
67         struct wbsrv_service *service;
68
69         struct lsa_ObjectAttribute objectattr;
70         struct lsa_OpenPolicy2 lsa_openpolicy;
71         struct lsa_QueryInfoPolicy queryinfo;
72 };
73
74 static void init_domain_recv_netlogonpipe(struct composite_context *ctx);
75 static void init_domain_recv_lsa_pipe(struct composite_context *ctx);
76 static void init_domain_recv_lsa_policy(struct rpc_request *req);
77 static void init_domain_recv_queryinfo(struct rpc_request *req);
78 static void init_domain_recv_ldapconn(struct composite_context *ctx);
79 static void init_domain_recv_samr(struct composite_context *ctx);
80
81 static struct dcerpc_binding *init_domain_binding(struct init_domain_state *state, 
82                                                   const struct dcerpc_interface_table *table) 
83 {
84         struct dcerpc_binding *binding;
85         NTSTATUS status;
86
87         /* Make a binding string */
88         {
89                 char *s = talloc_asprintf(state, "ncacn_np:%s", state->domain->dc_name);
90                 if (s == NULL) return NULL;
91                 status = dcerpc_parse_binding(state, s, &binding);
92                 talloc_free(s);
93                 if (!NT_STATUS_IS_OK(status)) {
94                         return NULL;
95                 }
96         }
97
98         /* Alter binding to contain hostname, but also address (so we don't look it up twice) */
99         binding->target_hostname = state->domain->dc_name;
100         binding->host = state->domain->dc_address;
101
102         /* This shouldn't make a network call, as the mappings for named pipes are well known */
103         status = dcerpc_epm_map_binding(binding, binding, table, state->service->task->event_ctx);
104         if (!NT_STATUS_IS_OK(status)) {
105                 return NULL;
106         }
107
108         return binding;
109 }
110
111 struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx,
112                                               struct wbsrv_service *service,
113                                               struct wb_dom_info *dom_info)
114 {
115         struct composite_context *result, *ctx;
116         struct init_domain_state *state;
117
118         result = composite_create(mem_ctx, service->task->event_ctx);
119         if (result == NULL) goto failed;
120
121         state = talloc_zero(result, struct init_domain_state);
122         if (state == NULL) goto failed;
123         state->ctx = result;
124         result->private_data = state;
125
126         state->service = service;
127
128         state->domain = talloc(state, struct wbsrv_domain);
129         if (state->domain == NULL) goto failed;
130
131         state->domain->info = talloc_reference(state->domain, dom_info);
132         if (state->domain->info == NULL) goto failed;
133
134         /* Caller should check, but to be safe: */
135         if (dom_info->num_dcs < 1) {
136                 goto failed;
137         }
138         
139         /* For now, we just pick the first.  The next step will be to
140          * walk the entire list.  Also need to fix finddcs() to return
141          * the entire list */
142         state->domain->dc_name = dom_info->dcs[0].name;
143         state->domain->dc_address = dom_info->dcs[0].address;
144
145         /* Create a credentials structure */
146         state->domain->schannel_creds = cli_credentials_init(state->domain);
147         if (state->domain->schannel_creds == NULL) goto failed;
148
149         cli_credentials_set_event_context(state->domain->schannel_creds, service->task->event_ctx);
150
151         cli_credentials_set_conf(state->domain->schannel_creds);
152
153         /* Connect the machine account to the credentials */
154         state->ctx->status =
155                 cli_credentials_set_machine_account(state->domain->
156                                                     schannel_creds);
157         if (!NT_STATUS_IS_OK(state->ctx->status)) goto failed;
158
159         state->domain->netlogon_binding = init_domain_binding(state, &dcerpc_table_netlogon);
160
161         state->domain->netlogon_pipe = NULL;
162
163         if ((!cli_credentials_is_anonymous(state->domain->schannel_creds)) &&
164             ((lp_server_role() == ROLE_DOMAIN_MEMBER) ||
165              (lp_server_role() == ROLE_DOMAIN_CONTROLLER)) &&
166             (dom_sid_equal(state->domain->info->sid,
167                            state->service->primary_sid))) {
168                 state->domain->netlogon_binding->flags |= DCERPC_SCHANNEL;
169
170                 /* For debugging, it can be a real pain if all the traffic is encrypted */
171                 if (lp_winbind_sealed_pipes()) {
172                         state->domain->netlogon_binding->flags |= (DCERPC_SIGN | DCERPC_SEAL );
173                 } else {
174                         state->domain->netlogon_binding->flags |= (DCERPC_SIGN);
175                 }
176         }
177
178         /* No encryption on anonymous pipes */
179
180         ctx = dcerpc_pipe_connect_b_send(state, state->domain->netlogon_binding, 
181                                          &dcerpc_table_netlogon,
182                                          state->domain->schannel_creds,
183                                          service->task->event_ctx);
184         
185         if (composite_nomem(ctx, state->ctx)) {
186                 goto failed;
187         }
188         
189         composite_continue(state->ctx, ctx, init_domain_recv_netlogonpipe,
190                            state);
191         return result;
192  failed:
193         talloc_free(result);
194         return NULL;
195 }
196
197 /* Having make a netlogon connection (possibly secured with schannel),
198  * make an LSA connection to the same DC, on the same IPC$ share */
199 static void init_domain_recv_netlogonpipe(struct composite_context *ctx)
200 {
201         struct init_domain_state *state =
202                 talloc_get_type(ctx->async.private_data,
203                                 struct init_domain_state);
204
205         state->ctx->status = dcerpc_pipe_connect_b_recv(ctx, state, 
206                                                    &state->domain->netlogon_pipe);
207         
208         if (!composite_is_ok(state->ctx)) {
209                 talloc_free(state->domain->netlogon_binding);
210                 return;
211         }
212         talloc_steal(state->domain->netlogon_pipe, state->domain->netlogon_binding);
213
214         state->domain->lsa_binding = init_domain_binding(state, &dcerpc_table_lsarpc);
215
216         /* For debugging, it can be a real pain if all the traffic is encrypted */
217         if (lp_winbind_sealed_pipes()) {
218                 state->domain->lsa_binding->flags |= (DCERPC_SIGN | DCERPC_SEAL );
219         } else {
220                 state->domain->lsa_binding->flags |= (DCERPC_SIGN);
221         }
222
223         state->domain->lsa_pipe = NULL;
224
225         /* this will make the secondary connection on the same IPC$ share, 
226            secured with SPNEGO or NTLMSSP */
227         ctx = dcerpc_secondary_connection_send(state->domain->netlogon_pipe,
228                                                state->domain->lsa_binding);
229         composite_continue(state->ctx, ctx, init_domain_recv_lsa_pipe, state);
230 }
231
232 static bool retry_with_schannel(struct init_domain_state *state, 
233                                 struct dcerpc_binding *binding,
234                                 void (*continuation)(struct composite_context *))
235 {
236         struct composite_context *ctx;
237         state->ctx->status = NT_STATUS_OK;
238         if (state->domain->netlogon_binding->flags & DCERPC_SCHANNEL 
239             && !(binding->flags & DCERPC_SCHANNEL)) {
240                 /* Opening a policy handle failed, perhaps it was
241                  * because we don't get a 'wrong password' error on
242                  * NTLMSSP binds */
243
244                 /* Try again with schannel */
245                 binding->flags |= DCERPC_SCHANNEL;
246
247                 /* Try again, likewise on the same IPC$ share, 
248                    secured with SCHANNEL */
249                 ctx = dcerpc_secondary_connection_send(state->domain->netlogon_pipe,
250                                                        binding);
251                 composite_continue(state->ctx, ctx, continuation, state);               
252                 return true;
253         } else {
254                 return false;
255         }
256 }
257 /* We should now have either an authenticated LSA pipe, or an error.  
258  * On success, open a policy handle
259  */     
260 static void init_domain_recv_lsa_pipe(struct composite_context *ctx)
261 {
262         struct rpc_request *req;
263         struct init_domain_state *state =
264                 talloc_get_type(ctx->async.private_data,
265                                 struct init_domain_state);
266
267         state->ctx->status = dcerpc_secondary_connection_recv(ctx, 
268                                                               &state->domain->lsa_pipe);
269         if (NT_STATUS_EQUAL(state->ctx->status, NT_STATUS_LOGON_FAILURE)) {
270                 if (retry_with_schannel(state, state->domain->lsa_binding, 
271                                         init_domain_recv_lsa_pipe)) {
272                         return;
273                 }
274         }
275         if (!composite_is_ok(state->ctx)) return;
276
277         talloc_steal(state->domain, state->domain->lsa_pipe);
278         talloc_steal(state->domain->lsa_pipe, state->domain->lsa_binding);
279
280         state->domain->lsa_policy_handle = talloc(state, struct policy_handle);
281         if (composite_nomem(state->domain->lsa_policy_handle, state->ctx)) return;
282
283         state->lsa_openpolicy.in.system_name =
284                 talloc_asprintf(state, "\\\\%s",
285                                 dcerpc_server_name(state->domain->lsa_pipe));
286         ZERO_STRUCT(state->objectattr);
287         state->lsa_openpolicy.in.attr = &state->objectattr;
288         state->lsa_openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
289         state->lsa_openpolicy.out.handle = state->domain->lsa_policy_handle;
290
291         req = dcerpc_lsa_OpenPolicy2_send(state->domain->lsa_pipe, state,
292                                           &state->lsa_openpolicy);
293
294         composite_continue_rpc(state->ctx, req, init_domain_recv_lsa_policy, state);
295 }
296
297 /* Receive a policy handle (or not, and retry the authentication) and
298  * obtain some basic information about the domain */
299
300 static void init_domain_recv_lsa_policy(struct rpc_request *req)
301 {
302         struct init_domain_state *state =
303                 talloc_get_type(req->async.private_data,
304                                 struct init_domain_state);
305
306         state->ctx->status = dcerpc_ndr_request_recv(req);
307         if ((!NT_STATUS_IS_OK(state->ctx->status)
308               || !NT_STATUS_IS_OK(state->lsa_openpolicy.out.result))) {
309                 if (retry_with_schannel(state, state->domain->lsa_binding, 
310                                         init_domain_recv_lsa_pipe)) {
311                         return;
312                 }
313         }
314         if (!composite_is_ok(state->ctx)) return;
315         state->ctx->status = state->lsa_openpolicy.out.result;
316         if (!composite_is_ok(state->ctx)) return;
317
318         state->queryinfo.in.handle = state->domain->lsa_policy_handle;
319         state->queryinfo.in.level = LSA_POLICY_INFO_ACCOUNT_DOMAIN;
320
321         req = dcerpc_lsa_QueryInfoPolicy_send(state->domain->lsa_pipe, state,
322                                               &state->queryinfo);
323         composite_continue_rpc(state->ctx, req,
324                                init_domain_recv_queryinfo, state);
325 }
326
327 static void init_domain_recv_queryinfo(struct rpc_request *req)
328 {
329         struct init_domain_state *state =
330                 talloc_get_type(req->async.private_data, struct init_domain_state);
331         struct lsa_DomainInfo *dominfo;
332         struct composite_context *ctx;
333
334         state->ctx->status = dcerpc_ndr_request_recv(req);
335         if (!composite_is_ok(state->ctx)) return;
336         state->ctx->status = state->queryinfo.out.result;
337         if (!composite_is_ok(state->ctx)) return;
338
339         dominfo = &state->queryinfo.out.info->account_domain;
340
341         if (strcasecmp(state->domain->info->name, dominfo->name.string) != 0) {
342                 DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
343                           state->domain->info->name,
344                           dcerpc_server_name(state->domain->lsa_pipe),
345                           dominfo->name.string));
346                 composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
347                 return;
348         }
349
350         if (!dom_sid_equal(state->domain->info->sid, dominfo->sid)) {
351                 DEBUG(2, ("Expected domain sid %s, DC %s said %s\n",
352                           dom_sid_string(state, state->domain->info->sid),
353                           dcerpc_server_name(state->domain->lsa_pipe),
354                           dom_sid_string(state, dominfo->sid)));
355                 composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
356                 return;
357         }
358
359         state->domain->samr_binding = init_domain_binding(state, &dcerpc_table_samr);
360
361         /* We want to use the same flags as the LSA pipe did (so, if
362          * it needed schannel, then we need that here too) */
363         state->domain->samr_binding->flags = state->domain->lsa_binding->flags;
364
365         state->domain->samr_pipe = NULL;
366
367         ctx = wb_connect_samr_send(state, state->domain);
368         composite_continue(state->ctx, ctx, init_domain_recv_samr, state);
369 }
370
371 /* Recv the SAMR details (SamrConnect and SamrOpenDomain handle) and
372  * open an LDAP connection */
373 static void init_domain_recv_samr(struct composite_context *ctx)
374 {
375         const char *ldap_url;
376         struct init_domain_state *state =
377                 talloc_get_type(ctx->async.private_data,
378                                 struct init_domain_state);
379
380         state->ctx->status = wb_connect_samr_recv(
381                 ctx, state->domain,
382                 &state->domain->samr_pipe,
383                 &state->domain->samr_handle, 
384                 &state->domain->domain_handle);
385         if (!composite_is_ok(state->ctx)) return;
386
387         talloc_steal(state->domain->samr_pipe, state->domain->samr_binding);
388
389         state->domain->ldap_conn =
390                 ldap4_new_connection(state->domain, state->ctx->event_ctx);
391         composite_nomem(state->domain->ldap_conn, state->ctx);
392
393         ldap_url = talloc_asprintf(state, "ldap://%s/",
394                                    state->domain->dc_address);
395         composite_nomem(ldap_url, state->ctx);
396
397         ctx = ldap_connect_send(state->domain->ldap_conn, ldap_url);
398         composite_continue(state->ctx, ctx, init_domain_recv_ldapconn, state);
399 }
400
401 static void init_domain_recv_ldapconn(struct composite_context *ctx)
402 {
403         struct init_domain_state *state =
404                 talloc_get_type(ctx->async.private_data,
405                                 struct init_domain_state);
406
407         state->ctx->status = ldap_connect_recv(ctx);
408         if (NT_STATUS_IS_OK(state->ctx->status)) {
409                 state->domain->ldap_conn->host =
410                         talloc_strdup(state->domain->ldap_conn,
411                                       state->domain->dc_name);
412                 state->ctx->status =
413                         ldap_bind_sasl(state->domain->ldap_conn,
414                                        state->domain->schannel_creds);
415                 DEBUG(0, ("ldap_bind returned %s\n",
416                           nt_errstr(state->ctx->status)));
417         }
418
419         composite_done(state->ctx);
420 }
421
422 NTSTATUS wb_init_domain_recv(struct composite_context *c,
423                              TALLOC_CTX *mem_ctx,
424                              struct wbsrv_domain **result)
425 {
426         NTSTATUS status = composite_wait(c);
427         if (NT_STATUS_IS_OK(status)) {
428                 struct init_domain_state *state =
429                         talloc_get_type(c->private_data,
430                                         struct init_domain_state);
431                 *result = talloc_steal(mem_ctx, state->domain);
432         }
433         talloc_free(c);
434         return status;
435 }
436
437 NTSTATUS wb_init_domain(TALLOC_CTX *mem_ctx, struct wbsrv_service *service,
438                         struct wb_dom_info *dom_info,
439                         struct wbsrv_domain **result)
440 {
441         struct composite_context *c =
442                 wb_init_domain_send(mem_ctx, service, dom_info);
443         return wb_init_domain_recv(c, mem_ctx, result);
444 }
Work in progress branches