2 Unix SMB/CIFS implementation.
4 endpoint server for the netlogon pipe
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2008
7 Copyright (C) Stefan Metzmacher <metze@samba.org> 2005
8 Copyright (C) Matthias Dieter Wallnöfer 2009
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "rpc_server/dcerpc_server.h"
26 #include "auth/auth.h"
27 #include "auth/auth_sam_reply.h"
28 #include "dsdb/samdb/samdb.h"
29 #include "../lib/util/util_ldb.h"
30 #include "../libcli/auth/schannel.h"
31 #include "auth/gensec/schannel_state.h"
32 #include "libcli/security/security.h"
33 #include "param/param.h"
34 #include "lib/messaging/irpc.h"
35 #include "librpc/gen_ndr/ndr_irpc.h"
37 struct netlogon_server_pipe_state {
38 struct netr_Credential client_challenge;
39 struct netr_Credential server_challenge;
43 static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
44 struct netr_ServerReqChallenge *r)
46 struct netlogon_server_pipe_state *pipe_state =
47 talloc_get_type(dce_call->context->private_data, struct netlogon_server_pipe_state);
49 ZERO_STRUCTP(r->out.return_credentials);
51 /* destroyed on pipe shutdown */
54 talloc_free(pipe_state);
55 dce_call->context->private_data = NULL;
58 pipe_state = talloc(dce_call->context, struct netlogon_server_pipe_state);
59 NT_STATUS_HAVE_NO_MEMORY(pipe_state);
61 pipe_state->client_challenge = *r->in.credentials;
63 generate_random_buffer(pipe_state->server_challenge.data,
64 sizeof(pipe_state->server_challenge.data));
66 *r->out.return_credentials = pipe_state->server_challenge;
68 dce_call->context->private_data = pipe_state;
73 static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
74 struct netr_ServerAuthenticate3 *r)
76 struct netlogon_server_pipe_state *pipe_state =
77 talloc_get_type(dce_call->context->private_data, struct netlogon_server_pipe_state);
78 struct netlogon_creds_CredentialState *creds;
79 struct ldb_context *schannel_ldb;
80 struct ldb_context *sam_ctx;
81 struct samr_Password *mach_pwd;
82 uint32_t user_account_control;
84 struct ldb_message **msgs;
86 const char *attrs[] = {"unicodePwd", "userAccountControl",
89 const char *trust_dom_attrs[] = {"flatname", NULL};
90 const char *account_name;
92 ZERO_STRUCTP(r->out.return_credentials);
96 * According to Microsoft (see bugid #6099)
97 * Windows 7 looks at the negotiate_flags
98 * returned in this structure *even if the
99 * call fails with access denied!
101 *r->out.negotiate_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
102 NETLOGON_NEG_PERSISTENT_SAMREPL |
103 NETLOGON_NEG_ARCFOUR |
104 NETLOGON_NEG_PROMOTION_COUNT |
105 NETLOGON_NEG_CHANGELOG_BDC |
106 NETLOGON_NEG_FULL_SYNC_REPL |
107 NETLOGON_NEG_MULTIPLE_SIDS |
109 NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
110 NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
111 NETLOGON_NEG_GENERIC_PASSTHROUGH |
112 NETLOGON_NEG_CONCURRENT_RPC |
113 NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
114 NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
115 NETLOGON_NEG_STRONG_KEYS |
116 NETLOGON_NEG_TRANSITIVE_TRUSTS |
117 NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
118 NETLOGON_NEG_PASSWORD_SET2 |
119 NETLOGON_NEG_GETDOMAININFO |
120 NETLOGON_NEG_CROSS_FOREST_TRUSTS |
121 NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
122 NETLOGON_NEG_RODC_PASSTHROUGH |
123 NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
124 NETLOGON_NEG_AUTHENTICATED_RPC;
127 DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
128 return NT_STATUS_ACCESS_DENIED;
131 sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx,
132 system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
133 if (sam_ctx == NULL) {
134 return NT_STATUS_INVALID_SYSTEM_SERVICE;
137 if (r->in.secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
138 char *encoded_account = ldb_binary_encode_string(mem_ctx, r->in.account_name);
139 const char *flatname;
140 if (!encoded_account) {
141 return NT_STATUS_NO_MEMORY;
144 /* Kill the trailing dot */
145 if (encoded_account[strlen(encoded_account)-1] == '.') {
146 encoded_account[strlen(encoded_account)-1] = '\0';
149 /* pull the user attributes */
150 num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs,
152 "(&(trustPartner=%s)(objectclass=trustedDomain))",
155 if (num_records == 0) {
156 DEBUG(3,("Couldn't find trust [%s] in samdb.\n",
158 return NT_STATUS_ACCESS_DENIED;
161 if (num_records > 1) {
162 DEBUG(0,("Found %d records matching user [%s]\n", num_records, r->in.account_name));
163 return NT_STATUS_INTERNAL_DB_CORRUPTION;
166 flatname = ldb_msg_find_attr_as_string(msgs[0], "flatname", NULL);
168 /* No flatname for this trust - we can't proceed */
169 return NT_STATUS_ACCESS_DENIED;
171 account_name = talloc_asprintf(mem_ctx, "%s$", flatname);
174 return NT_STATUS_NO_MEMORY;
178 account_name = r->in.account_name;
181 /* pull the user attributes */
182 num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
183 "(&(sAMAccountName=%s)(objectclass=user))",
184 ldb_binary_encode_string(mem_ctx, account_name));
186 if (num_records == 0) {
187 DEBUG(3,("Couldn't find user [%s] in samdb.\n",
188 r->in.account_name));
189 return NT_STATUS_ACCESS_DENIED;
192 if (num_records > 1) {
193 DEBUG(0,("Found %d records matching user [%s]\n", num_records, r->in.account_name));
194 return NT_STATUS_INTERNAL_DB_CORRUPTION;
198 user_account_control = ldb_msg_find_attr_as_uint(msgs[0], "userAccountControl", 0);
200 if (user_account_control & UF_ACCOUNTDISABLE) {
201 DEBUG(1, ("Account [%s] is disabled\n", r->in.account_name));
202 return NT_STATUS_ACCESS_DENIED;
205 if (r->in.secure_channel_type == SEC_CHAN_WKSTA) {
206 if (!(user_account_control & UF_WORKSTATION_TRUST_ACCOUNT)) {
207 DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", user_account_control));
208 return NT_STATUS_ACCESS_DENIED;
210 } else if (r->in.secure_channel_type == SEC_CHAN_DOMAIN ||
211 r->in.secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
212 if (!(user_account_control & UF_INTERDOMAIN_TRUST_ACCOUNT)) {
213 DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", user_account_control));
215 return NT_STATUS_ACCESS_DENIED;
217 } else if (r->in.secure_channel_type == SEC_CHAN_BDC) {
218 if (!(user_account_control & UF_SERVER_TRUST_ACCOUNT)) {
219 DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", user_account_control));
220 return NT_STATUS_ACCESS_DENIED;
223 DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
224 r->in.secure_channel_type));
225 return NT_STATUS_ACCESS_DENIED;
228 *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
231 mach_pwd = samdb_result_hash(mem_ctx, msgs[0], "unicodePwd");
232 if (mach_pwd == NULL) {
233 return NT_STATUS_ACCESS_DENIED;
236 creds = netlogon_creds_server_init(mem_ctx,
239 r->in.secure_channel_type,
240 &pipe_state->client_challenge,
241 &pipe_state->server_challenge,
244 r->out.return_credentials,
245 *r->in.negotiate_flags);
248 return NT_STATUS_ACCESS_DENIED;
251 creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
253 schannel_ldb = schannel_db_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx);
255 return NT_STATUS_ACCESS_DENIED;
258 nt_status = schannel_store_session_key_ldb(schannel_ldb, mem_ctx, creds);
259 talloc_free(schannel_ldb);
264 static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
265 struct netr_ServerAuthenticate *r)
267 struct netr_ServerAuthenticate3 a;
270 * negotiate_flags is used as an [in] parameter
271 * so it need to be initialised.
273 * (I think ... = 0; seems wrong here --metze)
275 uint32_t negotiate_flags_in = 0;
276 uint32_t negotiate_flags_out = 0;
278 a.in.server_name = r->in.server_name;
279 a.in.account_name = r->in.account_name;
280 a.in.secure_channel_type = r->in.secure_channel_type;
281 a.in.computer_name = r->in.computer_name;
282 a.in.credentials = r->in.credentials;
283 a.in.negotiate_flags = &negotiate_flags_in;
285 a.out.return_credentials = r->out.return_credentials;
287 a.out.negotiate_flags = &negotiate_flags_out;
289 return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &a);
292 static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
293 struct netr_ServerAuthenticate2 *r)
295 struct netr_ServerAuthenticate3 r3;
298 r3.in.server_name = r->in.server_name;
299 r3.in.account_name = r->in.account_name;
300 r3.in.secure_channel_type = r->in.secure_channel_type;
301 r3.in.computer_name = r->in.computer_name;
302 r3.in.credentials = r->in.credentials;
303 r3.out.return_credentials = r->out.return_credentials;
304 r3.in.negotiate_flags = r->in.negotiate_flags;
305 r3.out.negotiate_flags = r->out.negotiate_flags;
308 return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
312 Validate an incoming authenticator against the credentials for the remote machine.
314 The credentials are (re)read and from the schannel database, and
315 written back after the caclulations are performed.
317 The creds_out parameter (if not NULL) returns the credentials, if
318 the caller needs some of that information.
321 static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call,
323 const char *computer_name,
324 struct netr_Authenticator *received_authenticator,
325 struct netr_Authenticator *return_authenticator,
326 struct netlogon_creds_CredentialState **creds_out)
329 struct ldb_context *ldb;
330 bool schannel_global_required = false; /* Should be lp_schannel_server() == true */
331 bool schannel_in_use = dce_call->conn->auth_state.auth_info
332 && dce_call->conn->auth_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL
333 && (dce_call->conn->auth_state.auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY
334 || dce_call->conn->auth_state.auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY);
336 ldb = schannel_db_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx);
338 return NT_STATUS_ACCESS_DENIED;
340 nt_status = schannel_creds_server_step_check_ldb(ldb, mem_ctx,
342 schannel_global_required,
344 received_authenticator,
345 return_authenticator, creds_out);
351 Change the machine account password for the currently connected
352 client. Supplies only the NT#.
355 static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
356 struct netr_ServerPasswordSet *r)
358 struct netlogon_creds_CredentialState *creds;
359 struct ldb_context *sam_ctx;
362 nt_status = dcesrv_netr_creds_server_step_check(dce_call,
365 r->in.credential, r->out.return_authenticator,
367 NT_STATUS_NOT_OK_RETURN(nt_status);
369 sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
370 if (sam_ctx == NULL) {
371 return NT_STATUS_INVALID_SYSTEM_SERVICE;
374 netlogon_creds_des_decrypt(creds, r->in.new_password);
376 /* Using the sid for the account as the key, set the password */
377 nt_status = samdb_set_password_sid(sam_ctx, mem_ctx,
379 NULL, /* Don't have plaintext */
380 NULL, r->in.new_password,
381 true, /* Password change */
387 Change the machine account password for the currently connected
388 client. Supplies new plaintext.
390 static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
391 struct netr_ServerPasswordSet2 *r)
393 struct netlogon_creds_CredentialState *creds;
394 struct ldb_context *sam_ctx;
396 DATA_BLOB new_password;
398 struct samr_CryptPassword password_buf;
400 nt_status = dcesrv_netr_creds_server_step_check(dce_call,
403 r->in.credential, r->out.return_authenticator,
405 NT_STATUS_NOT_OK_RETURN(nt_status);
407 sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
408 if (sam_ctx == NULL) {
409 return NT_STATUS_INVALID_SYSTEM_SERVICE;
412 memcpy(password_buf.data, r->in.new_password->data, 512);
413 SIVAL(password_buf.data, 512, r->in.new_password->length);
414 netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
416 if (!extract_pw_from_buffer(mem_ctx, password_buf.data, &new_password)) {
417 DEBUG(3,("samr: failed to decode password buffer\n"));
418 return NT_STATUS_WRONG_PASSWORD;
421 /* Using the sid for the account as the key, set the password */
422 nt_status = samdb_set_password_sid(sam_ctx, mem_ctx,
424 &new_password, /* we have plaintext */
426 true, /* Password change */
435 static WERROR dcesrv_netr_LogonUasLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
436 struct netr_LogonUasLogon *r)
438 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
445 static WERROR dcesrv_netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
446 struct netr_LogonUasLogoff *r)
448 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
453 netr_LogonSamLogon_base
455 This version of the function allows other wrappers to say 'do not check the credentials'
457 We can't do the traditional 'wrapping' format completly, as this function must only run under schannel
459 static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
460 struct netr_LogonSamLogonEx *r, struct netlogon_creds_CredentialState *creds)
462 struct auth_context *auth_context;
463 struct auth_usersupplied_info *user_info;
464 struct auth_serversupplied_info *server_info;
466 static const char zeros[16];
467 struct netr_SamBaseInfo *sam;
468 struct netr_SamInfo2 *sam2;
469 struct netr_SamInfo3 *sam3;
470 struct netr_SamInfo6 *sam6;
472 user_info = talloc(mem_ctx, struct auth_usersupplied_info);
473 NT_STATUS_HAVE_NO_MEMORY(user_info);
475 user_info->flags = 0;
476 user_info->mapped_state = false;
477 user_info->remote_host = NULL;
479 switch (r->in.logon_level) {
480 case NetlogonInteractiveInformation:
481 case NetlogonServiceInformation:
482 case NetlogonInteractiveTransitiveInformation:
483 case NetlogonServiceTransitiveInformation:
484 if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
485 netlogon_creds_arcfour_crypt(creds,
486 r->in.logon->password->lmpassword.hash,
487 sizeof(r->in.logon->password->lmpassword.hash));
488 netlogon_creds_arcfour_crypt(creds,
489 r->in.logon->password->ntpassword.hash,
490 sizeof(r->in.logon->password->ntpassword.hash));
492 netlogon_creds_des_decrypt(creds, &r->in.logon->password->lmpassword);
493 netlogon_creds_des_decrypt(creds, &r->in.logon->password->ntpassword);
496 /* TODO: we need to deny anonymous access here */
497 nt_status = auth_context_create(mem_ctx,
498 dce_call->event_ctx, dce_call->msg_ctx,
499 dce_call->conn->dce_ctx->lp_ctx,
501 NT_STATUS_NOT_OK_RETURN(nt_status);
503 user_info->logon_parameters = r->in.logon->password->identity_info.parameter_control;
504 user_info->client.account_name = r->in.logon->password->identity_info.account_name.string;
505 user_info->client.domain_name = r->in.logon->password->identity_info.domain_name.string;
506 user_info->workstation_name = r->in.logon->password->identity_info.workstation.string;
508 user_info->flags |= USER_INFO_INTERACTIVE_LOGON;
509 user_info->password_state = AUTH_PASSWORD_HASH;
511 user_info->password.hash.lanman = talloc(user_info, struct samr_Password);
512 NT_STATUS_HAVE_NO_MEMORY(user_info->password.hash.lanman);
513 *user_info->password.hash.lanman = r->in.logon->password->lmpassword;
515 user_info->password.hash.nt = talloc(user_info, struct samr_Password);
516 NT_STATUS_HAVE_NO_MEMORY(user_info->password.hash.nt);
517 *user_info->password.hash.nt = r->in.logon->password->ntpassword;
520 case NetlogonNetworkInformation:
521 case NetlogonNetworkTransitiveInformation:
523 /* TODO: we need to deny anonymous access here */
524 nt_status = auth_context_create(mem_ctx,
525 dce_call->event_ctx, dce_call->msg_ctx,
526 dce_call->conn->dce_ctx->lp_ctx,
528 NT_STATUS_NOT_OK_RETURN(nt_status);
530 nt_status = auth_context_set_challenge(auth_context, r->in.logon->network->challenge, "netr_LogonSamLogonWithFlags");
531 NT_STATUS_NOT_OK_RETURN(nt_status);
533 user_info->logon_parameters = r->in.logon->network->identity_info.parameter_control;
534 user_info->client.account_name = r->in.logon->network->identity_info.account_name.string;
535 user_info->client.domain_name = r->in.logon->network->identity_info.domain_name.string;
536 user_info->workstation_name = r->in.logon->network->identity_info.workstation.string;
538 user_info->password_state = AUTH_PASSWORD_RESPONSE;
539 user_info->password.response.lanman = data_blob_talloc(mem_ctx, r->in.logon->network->lm.data, r->in.logon->network->lm.length);
540 user_info->password.response.nt = data_blob_talloc(mem_ctx, r->in.logon->network->nt.data, r->in.logon->network->nt.length);
545 case NetlogonGenericInformation:
547 if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
548 netlogon_creds_arcfour_crypt(creds,
549 r->in.logon->generic->data, r->in.logon->generic->length);
551 /* Using DES to verify kerberos tickets makes no sense */
552 return NT_STATUS_INVALID_PARAMETER;
555 if (strcmp(r->in.logon->generic->package_name.string, "Kerberos") == 0) {
557 struct server_id *kdc;
558 struct kdc_check_generic_kerberos check;
559 struct netr_GenericInfo2 *generic = talloc_zero(mem_ctx, struct netr_GenericInfo2);
560 NT_STATUS_HAVE_NO_MEMORY(generic);
561 *r->out.authoritative = 1;
563 /* TODO: Describe and deal with these flags */
566 r->out.validation->generic = generic;
568 kdc = irpc_servers_byname(dce_call->msg_ctx, mem_ctx, "kdc_server");
569 if ((kdc == NULL) || (kdc[0].id == 0)) {
570 return NT_STATUS_NO_LOGON_SERVERS;
573 check.in.generic_request =
574 data_blob_const(r->in.logon->generic->data,
575 r->in.logon->generic->length);
577 status = irpc_call(dce_call->msg_ctx, kdc[0],
578 &ndr_table_irpc, NDR_KDC_CHECK_GENERIC_KERBEROS,
580 if (!NT_STATUS_IS_OK(status)) {
583 generic->length = check.out.generic_reply.length;
584 generic->data = check.out.generic_reply.data;
588 /* Until we get an implemetnation of these other packages */
589 return NT_STATUS_INVALID_PARAMETER;
592 return NT_STATUS_INVALID_PARAMETER;
595 nt_status = auth_check_password(auth_context, mem_ctx, user_info, &server_info);
596 NT_STATUS_NOT_OK_RETURN(nt_status);
598 nt_status = auth_convert_server_info_sambaseinfo(mem_ctx, server_info, &sam);
599 NT_STATUS_NOT_OK_RETURN(nt_status);
601 /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
602 /* It appears that level 6 is not individually encrypted */
603 if ((r->in.validation_level != 6) &&
604 memcmp(sam->key.key, zeros, sizeof(sam->key.key)) != 0) {
605 /* This key is sent unencrypted without the ARCFOUR flag set */
606 if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
607 netlogon_creds_arcfour_crypt(creds,
609 sizeof(sam->key.key));
613 /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
614 /* It appears that level 6 is not individually encrypted */
615 if ((r->in.validation_level != 6) &&
616 memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) {
617 if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
618 netlogon_creds_arcfour_crypt(creds,
620 sizeof(sam->LMSessKey.key));
622 netlogon_creds_des_encrypt_LMKey(creds,
627 switch (r->in.validation_level) {
629 sam2 = talloc_zero(mem_ctx, struct netr_SamInfo2);
630 NT_STATUS_HAVE_NO_MEMORY(sam2);
632 r->out.validation->sam2 = sam2;
636 sam3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
637 NT_STATUS_HAVE_NO_MEMORY(sam3);
639 r->out.validation->sam3 = sam3;
643 sam6 = talloc_zero(mem_ctx, struct netr_SamInfo6);
644 NT_STATUS_HAVE_NO_MEMORY(sam6);
646 sam6->forest.string = lp_realm(dce_call->conn->dce_ctx->lp_ctx);
647 sam6->principle.string = talloc_asprintf(mem_ctx, "%s@%s",
648 sam->account_name.string, sam6->forest.string);
649 NT_STATUS_HAVE_NO_MEMORY(sam6->principle.string);
650 r->out.validation->sam6 = sam6;
657 *r->out.authoritative = 1;
659 /* TODO: Describe and deal with these flags */
665 static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
666 struct netr_LogonSamLogonEx *r)
669 struct netlogon_creds_CredentialState *creds;
670 struct ldb_context *ldb = schannel_db_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx);
672 return NT_STATUS_ACCESS_DENIED;
675 nt_status = schannel_fetch_session_key_ldb(ldb, mem_ctx, r->in.computer_name, &creds);
676 if (!NT_STATUS_IS_OK(nt_status)) {
680 if (!dce_call->conn->auth_state.auth_info ||
681 dce_call->conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
682 return NT_STATUS_ACCESS_DENIED;
684 return dcesrv_netr_LogonSamLogon_base(dce_call, mem_ctx, r, creds);
688 netr_LogonSamLogonWithFlags
691 static NTSTATUS dcesrv_netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
692 struct netr_LogonSamLogonWithFlags *r)
695 struct netlogon_creds_CredentialState *creds;
696 struct netr_LogonSamLogonEx r2;
698 struct netr_Authenticator *return_authenticator;
700 return_authenticator = talloc(mem_ctx, struct netr_Authenticator);
701 NT_STATUS_HAVE_NO_MEMORY(return_authenticator);
703 nt_status = dcesrv_netr_creds_server_step_check(dce_call,
706 r->in.credential, return_authenticator,
708 NT_STATUS_NOT_OK_RETURN(nt_status);
712 r2.in.server_name = r->in.server_name;
713 r2.in.computer_name = r->in.computer_name;
714 r2.in.logon_level = r->in.logon_level;
715 r2.in.logon = r->in.logon;
716 r2.in.validation_level = r->in.validation_level;
717 r2.in.flags = r->in.flags;
718 r2.out.validation = r->out.validation;
719 r2.out.authoritative = r->out.authoritative;
720 r2.out.flags = r->out.flags;
722 nt_status = dcesrv_netr_LogonSamLogon_base(dce_call, mem_ctx, &r2, creds);
724 r->out.return_authenticator = return_authenticator;
732 static NTSTATUS dcesrv_netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
733 struct netr_LogonSamLogon *r)
735 struct netr_LogonSamLogonWithFlags r2;
741 r2.in.server_name = r->in.server_name;
742 r2.in.computer_name = r->in.computer_name;
743 r2.in.credential = r->in.credential;
744 r2.in.return_authenticator = r->in.return_authenticator;
745 r2.in.logon_level = r->in.logon_level;
746 r2.in.logon = r->in.logon;
747 r2.in.validation_level = r->in.validation_level;
748 r2.in.flags = &flags;
749 r2.out.validation = r->out.validation;
750 r2.out.authoritative = r->out.authoritative;
751 r2.out.flags = &flags;
753 status = dcesrv_netr_LogonSamLogonWithFlags(dce_call, mem_ctx, &r2);
755 r->out.return_authenticator = r2.out.return_authenticator;
764 static NTSTATUS dcesrv_netr_LogonSamLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
765 struct netr_LogonSamLogoff *r)
767 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
775 static NTSTATUS dcesrv_netr_DatabaseDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
776 struct netr_DatabaseDeltas *r)
778 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
785 static NTSTATUS dcesrv_netr_DatabaseSync2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
786 struct netr_DatabaseSync2 *r)
788 /* win2k3 native mode returns "NOT IMPLEMENTED" for this call */
789 return NT_STATUS_NOT_IMPLEMENTED;
796 static NTSTATUS dcesrv_netr_DatabaseSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
797 struct netr_DatabaseSync *r)
799 struct netr_DatabaseSync2 r2;
804 r2.in.logon_server = r->in.logon_server;
805 r2.in.computername = r->in.computername;
806 r2.in.credential = r->in.credential;
807 r2.in.database_id = r->in.database_id;
808 r2.in.restart_state = SYNCSTATE_NORMAL_STATE;
809 r2.in.sync_context = r->in.sync_context;
810 r2.out.sync_context = r->out.sync_context;
811 r2.out.delta_enum_array = r->out.delta_enum_array;
812 r2.in.preferredmaximumlength = r->in.preferredmaximumlength;
814 status = dcesrv_netr_DatabaseSync2(dce_call, mem_ctx, &r2);
823 static NTSTATUS dcesrv_netr_AccountDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
824 struct netr_AccountDeltas *r)
826 /* w2k3 returns "NOT IMPLEMENTED" for this call */
827 return NT_STATUS_NOT_IMPLEMENTED;
834 static NTSTATUS dcesrv_netr_AccountSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
835 struct netr_AccountSync *r)
837 /* w2k3 returns "NOT IMPLEMENTED" for this call */
838 return NT_STATUS_NOT_IMPLEMENTED;
845 static WERROR dcesrv_netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
846 struct netr_GetDcName *r)
848 const char * const attrs[] = { NULL };
849 struct ldb_context *sam_ctx;
850 struct ldb_message **res;
851 struct ldb_dn *domain_dn;
855 sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
856 dce_call->conn->dce_ctx->lp_ctx,
857 dce_call->conn->auth_state.session_info);
858 if (sam_ctx == NULL) {
859 return WERR_DS_UNAVAILABLE;
862 domain_dn = samdb_domain_to_dn(sam_ctx, mem_ctx,
864 if (domain_dn == NULL) {
865 return WERR_DS_UNAVAILABLE;
868 ret = gendb_search_dn(sam_ctx, mem_ctx,
869 domain_dn, &res, attrs);
871 return WERR_NO_SUCH_DOMAIN;
874 /* TODO: - return real IP address
875 * - check all r->in.* parameters (server_unc is ignored by w2k3!)
877 dcname = talloc_asprintf(mem_ctx, "\\\\%s",
878 lp_netbios_name(dce_call->conn->dce_ctx->lp_ctx));
879 W_ERROR_HAVE_NO_MEMORY(dcname);
881 *r->out.dcname = dcname;
889 static WERROR dcesrv_netr_LogonControl2Ex(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
890 struct netr_LogonControl2Ex *r)
892 return WERR_NOT_SUPPORTED;
899 static WERROR dcesrv_netr_LogonControl(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
900 struct netr_LogonControl *r)
902 struct netr_LogonControl2Ex r2;
905 if (r->in.level == 0x00000001) {
908 r2.in.logon_server = r->in.logon_server;
909 r2.in.function_code = r->in.function_code;
910 r2.in.level = r->in.level;
912 r2.out.query = r->out.query;
914 werr = dcesrv_netr_LogonControl2Ex(dce_call, mem_ctx, &r2);
915 } else if (r->in.level == 0x00000002) {
916 werr = WERR_NOT_SUPPORTED;
918 werr = WERR_UNKNOWN_LEVEL;
928 static WERROR dcesrv_netr_LogonControl2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
929 struct netr_LogonControl2 *r)
931 struct netr_LogonControl2Ex r2;
936 r2.in.logon_server = r->in.logon_server;
937 r2.in.function_code = r->in.function_code;
938 r2.in.level = r->in.level;
939 r2.in.data = r->in.data;
940 r2.out.query = r->out.query;
942 werr = dcesrv_netr_LogonControl2Ex(dce_call, mem_ctx, &r2);
951 static WERROR dcesrv_netr_GetAnyDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
952 struct netr_GetAnyDCName *r)
954 struct netr_GetDcName r2;
959 r2.in.logon_server = r->in.logon_server;
960 r2.in.domainname = r->in.domainname;
961 r2.out.dcname = r->out.dcname;
963 werr = dcesrv_netr_GetDcName(dce_call, mem_ctx, &r2);
972 static NTSTATUS dcesrv_netr_DatabaseRedo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
973 struct netr_DatabaseRedo *r)
975 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
980 netr_NetrEnumerateTurstedDomains
982 static WERROR dcesrv_netr_NetrEnumerateTrustedDomains(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
983 struct netr_NetrEnumerateTrustedDomains *r)
985 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
990 netr_LogonGetCapabilities
992 static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
993 struct netr_LogonGetCapabilities *r)
995 /* we don't support AES yet */
996 return NT_STATUS_NOT_IMPLEMENTED;
1001 netr_NETRLOGONSETSERVICEBITS
1003 static WERROR dcesrv_netr_NETRLOGONSETSERVICEBITS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1004 struct netr_NETRLOGONSETSERVICEBITS *r)
1006 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1011 netr_LogonGetTrustRid
1013 static WERROR dcesrv_netr_LogonGetTrustRid(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1014 struct netr_LogonGetTrustRid *r)
1016 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1021 netr_NETRLOGONCOMPUTESERVERDIGEST
1023 static WERROR dcesrv_netr_NETRLOGONCOMPUTESERVERDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1024 struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
1026 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1031 netr_NETRLOGONCOMPUTECLIENTDIGEST
1033 static WERROR dcesrv_netr_NETRLOGONCOMPUTECLIENTDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1034 struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
1036 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1044 static WERROR dcesrv_netr_DsRGetSiteName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1045 struct netr_DsRGetSiteName *r)
1047 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1052 fill in a netr_OneDomainInfo from a ldb search result
1054 static NTSTATUS fill_one_domain_info(TALLOC_CTX *mem_ctx,
1055 struct loadparm_context *lp_ctx,
1056 struct ldb_context *sam_ctx,
1057 struct ldb_message *res,
1058 struct netr_OneDomainInfo *info,
1059 bool is_local, bool is_trust_list)
1063 if (is_trust_list) {
1064 /* w2k8 only fills this on trusted domains */
1065 info->trust_extension.info = talloc_zero(mem_ctx, struct netr_trust_extension);
1066 info->trust_extension.length = 16;
1067 info->trust_extension.info->flags =
1068 NETR_TRUST_FLAG_TREEROOT |
1069 NETR_TRUST_FLAG_IN_FOREST |
1070 NETR_TRUST_FLAG_PRIMARY |
1071 NETR_TRUST_FLAG_NATIVE;
1073 info->trust_extension.info->parent_index = 0; /* should be index into array
1075 info->trust_extension.info->trust_type = LSA_TRUST_TYPE_UPLEVEL; /* should be based on ldb search for trusts */
1076 info->trust_extension.info->trust_attributes = 0; /* TODO: base on ldb search? */
1079 if (is_trust_list) {
1080 /* MS-NRPC 3.5.4.3.9 - must be set to NULL for trust list */
1081 info->dns_forestname.string = NULL;
1084 /* TODO: we need a common function for pulling the forest */
1085 info->dns_forestname.string = ldb_dn_canonical_string(info, ldb_get_root_basedn(sam_ctx));
1086 if (!info->dns_forestname.string) {
1087 return NT_STATUS_NO_SUCH_DOMAIN;
1089 p = strchr(info->dns_forestname.string, '/');
1093 info->dns_forestname.string = talloc_asprintf(mem_ctx, "%s.", info->dns_forestname.string);
1098 info->domainname.string = lp_sam_name(lp_ctx);
1099 info->dns_domainname.string = lp_realm(lp_ctx);
1100 info->domain_guid = samdb_result_guid(res, "objectGUID");
1101 info->domain_sid = samdb_result_dom_sid(mem_ctx, res, "objectSid");
1103 info->domainname.string = samdb_result_string(res, "flatName", NULL);
1104 info->dns_domainname.string = samdb_result_string(res, "trustPartner", NULL);
1105 info->domain_guid = samdb_result_guid(res, "objectGUID");
1106 info->domain_sid = samdb_result_dom_sid(mem_ctx, res, "securityIdentifier");
1108 if (!is_trust_list) {
1109 info->dns_domainname.string = talloc_asprintf(mem_ctx, "%s.", info->dns_domainname.string);
1112 return NT_STATUS_OK;
1116 netr_LogonGetDomainInfo
1117 this is called as part of the ADS domain logon procedure.
1119 It has an important role in convaying details about the client, such
1120 as Operating System, Version, Service Pack etc.
1122 static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call,
1123 TALLOC_CTX *mem_ctx, struct netr_LogonGetDomainInfo *r)
1125 struct netlogon_creds_CredentialState *creds;
1126 const char * const attrs[] = { "objectSid", "objectGUID", "flatName",
1127 "securityIdentifier", "trustPartner", NULL };
1128 const char *temp_str;
1129 const char *old_dns_hostname;
1130 struct ldb_context *sam_ctx;
1131 struct ldb_message **res1, **res2, *new_msg;
1132 struct ldb_dn *workstation_dn;
1133 struct netr_DomainInformation *domain_info;
1134 struct netr_LsaPolicyInformation *lsa_policy_info;
1135 struct netr_OsVersionInfoEx *os_version;
1136 uint32_t default_supported_enc_types = 0xFFFFFFFF;
1140 status = dcesrv_netr_creds_server_step_check(dce_call,
1142 r->in.computer_name,
1144 r->out.return_authenticator,
1146 if (!NT_STATUS_IS_OK(status)) {
1147 DEBUG(0,(__location__ " Bad credentials - error\n"));
1149 NT_STATUS_NOT_OK_RETURN(status);
1151 sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
1152 dce_call->conn->dce_ctx->lp_ctx,
1153 system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
1154 if (sam_ctx == NULL) {
1155 return NT_STATUS_INVALID_SYSTEM_SERVICE;
1158 switch (r->in.level) {
1159 case 1: /* Domain information */
1161 /* TODO: check NTSTATUS results - and fail also on SAMDB
1162 * errors (needs some testing against Windows Server 2008) */
1165 * Check that the computer name parameter matches as prefix with
1166 * the DNS hostname in the workstation info structure.
1168 temp_str = strndup(r->in.query->workstation_info->dns_hostname,
1169 strcspn(r->in.query->workstation_info->dns_hostname,
1171 if (strcasecmp(r->in.computer_name, temp_str) != 0)
1172 return NT_STATUS_INVALID_PARAMETER;
1174 workstation_dn = ldb_dn_new_fmt(mem_ctx, sam_ctx, "<SID=%s>",
1175 dom_sid_string(mem_ctx, creds->sid));
1176 NT_STATUS_HAVE_NO_MEMORY(workstation_dn);
1178 /* Gets the old DNS hostname */
1179 old_dns_hostname = samdb_search_string(sam_ctx, mem_ctx,
1184 /* Gets host informations and put them in our directory */
1185 new_msg = ldb_msg_new(mem_ctx);
1186 NT_STATUS_HAVE_NO_MEMORY(new_msg);
1188 new_msg->dn = workstation_dn;
1190 /* Deletes old OS version values */
1191 samdb_msg_add_delete(sam_ctx, mem_ctx, new_msg,
1192 "operatingSystemServicePack");
1193 samdb_msg_add_delete(sam_ctx, mem_ctx, new_msg,
1194 "operatingSystemVersion");
1196 if (samdb_replace(sam_ctx, mem_ctx, new_msg) != LDB_SUCCESS) {
1197 DEBUG(3,("Impossible to update samdb: %s\n",
1198 ldb_errstring(sam_ctx)));
1201 talloc_free(new_msg);
1203 new_msg = ldb_msg_new(mem_ctx);
1204 NT_STATUS_HAVE_NO_MEMORY(new_msg);
1206 new_msg->dn = workstation_dn;
1208 /* Sets the OS name */
1209 samdb_msg_set_string(sam_ctx, mem_ctx, new_msg,
1211 r->in.query->workstation_info->os_name.string);
1214 * Sets informations from "os_version". On a empty structure
1215 * the values are cleared.
1217 if (r->in.query->workstation_info->os_version.os != NULL) {
1218 os_version = &r->in.query->workstation_info->os_version.os->os;
1220 samdb_msg_set_string(sam_ctx, mem_ctx, new_msg,
1221 "operatingSystemServicePack",
1222 os_version->CSDVersion);
1224 samdb_msg_set_string(sam_ctx, mem_ctx, new_msg,
1225 "operatingSystemVersion",
1226 talloc_asprintf(mem_ctx, "%d.%d (%d)",
1227 os_version->MajorVersion,
1228 os_version->MinorVersion,
1229 os_version->BuildNumber
1235 * Updates the "dNSHostname" and the "servicePrincipalName"s
1236 * since the client wishes that the server should handle this
1237 * for him ("NETR_WS_FLAG_HANDLES_SPN_UPDATE" not set).
1238 * See MS-NRPC section 3.5.4.3.9
1240 if ((r->in.query->workstation_info->workstation_flags
1241 & NETR_WS_FLAG_HANDLES_SPN_UPDATE) == 0) {
1243 samdb_msg_add_string(sam_ctx, mem_ctx, new_msg,
1245 r->in.query->workstation_info->dns_hostname);
1246 samdb_msg_add_string(sam_ctx, mem_ctx, new_msg,
1247 "servicePrincipalName",
1248 talloc_asprintf(mem_ctx, "HOST/%s",
1249 r->in.computer_name)
1251 samdb_msg_add_string(sam_ctx, mem_ctx, new_msg,
1252 "servicePrincipalName",
1253 talloc_asprintf(mem_ctx, "HOST/%s",
1254 r->in.query->workstation_info->dns_hostname)
1258 if (samdb_replace(sam_ctx, mem_ctx, new_msg) != LDB_SUCCESS) {
1259 DEBUG(3,("Impossible to update samdb: %s\n",
1260 ldb_errstring(sam_ctx)));
1263 talloc_free(new_msg);
1265 /* Writes back the domain information */
1267 /* We need to do two searches. The first will pull our primary
1268 domain and the second will pull any trusted domains. Our
1269 primary domain is also a "trusted" domain, so we need to
1270 put the primary domain into the lists of returned trusts as
1272 ret1 = gendb_search_dn(sam_ctx, mem_ctx, samdb_base_dn(sam_ctx),
1275 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1278 ret2 = gendb_search(sam_ctx, mem_ctx, NULL, &res2, attrs,
1279 "(objectClass=trustedDomain)");
1281 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1284 domain_info = talloc(mem_ctx, struct netr_DomainInformation);
1285 NT_STATUS_HAVE_NO_MEMORY(domain_info);
1287 ZERO_STRUCTP(domain_info);
1289 /* Informations about the local and trusted domains */
1291 status = fill_one_domain_info(mem_ctx,
1292 dce_call->conn->dce_ctx->lp_ctx,
1293 sam_ctx, res1[0], &domain_info->primary_domain,
1295 NT_STATUS_NOT_OK_RETURN(status);
1297 domain_info->trusted_domain_count = ret2 + 1;
1298 domain_info->trusted_domains = talloc_array(mem_ctx,
1299 struct netr_OneDomainInfo,
1300 domain_info->trusted_domain_count);
1301 NT_STATUS_HAVE_NO_MEMORY(domain_info->trusted_domains);
1303 for (i=0;i<ret2;i++) {
1304 status = fill_one_domain_info(mem_ctx,
1305 dce_call->conn->dce_ctx->lp_ctx,
1307 &domain_info->trusted_domains[i],
1309 NT_STATUS_NOT_OK_RETURN(status);
1312 status = fill_one_domain_info(mem_ctx,
1313 dce_call->conn->dce_ctx->lp_ctx, sam_ctx, res1[0],
1314 &domain_info->trusted_domains[i], true, true);
1315 NT_STATUS_NOT_OK_RETURN(status);
1317 /* Sets the supported encryption types */
1318 domain_info->supported_enc_types = samdb_search_uint(
1320 default_supported_enc_types, workstation_dn,
1321 "msDS-SupportedEncryptionTypes", NULL);
1323 /* Other host domain informations */
1325 lsa_policy_info = talloc(mem_ctx,
1326 struct netr_LsaPolicyInformation);
1327 NT_STATUS_HAVE_NO_MEMORY(lsa_policy_info);
1328 ZERO_STRUCTP(lsa_policy_info);
1330 domain_info->lsa_policy = *lsa_policy_info;
1332 domain_info->dns_hostname.string = old_dns_hostname;
1333 domain_info->workstation_flags =
1334 r->in.query->workstation_info->workstation_flags;
1336 r->out.info->domain_info = domain_info;
1338 case 2: /* LSA policy information - not used at the moment */
1339 lsa_policy_info = talloc(mem_ctx,
1340 struct netr_LsaPolicyInformation);
1341 NT_STATUS_HAVE_NO_MEMORY(lsa_policy_info);
1342 ZERO_STRUCTP(lsa_policy_info);
1344 r->out.info->lsa_policy_info = lsa_policy_info;
1347 return NT_STATUS_INVALID_LEVEL;
1351 return NT_STATUS_OK;
1357 netr_ServerPasswordGet
1359 static WERROR dcesrv_netr_ServerPasswordGet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1360 struct netr_ServerPasswordGet *r)
1362 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1367 netr_NETRLOGONSENDTOSAM
1369 static WERROR dcesrv_netr_NETRLOGONSENDTOSAM(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1370 struct netr_NETRLOGONSENDTOSAM *r)
1372 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1377 netr_DsRAddressToSitenamesW
1379 static WERROR dcesrv_netr_DsRAddressToSitenamesW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1380 struct netr_DsRAddressToSitenamesW *r)
1382 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1387 netr_DsRGetDCNameEx2
1389 static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1390 struct netr_DsRGetDCNameEx2 *r)
1392 const char * const attrs[] = { "objectGUID", NULL };
1393 struct ldb_context *sam_ctx;
1394 struct ldb_message **res;
1395 struct ldb_dn *domain_dn;
1397 struct netr_DsRGetDCNameInfo *info;
1399 ZERO_STRUCTP(r->out.info);
1401 sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info);
1402 if (sam_ctx == NULL) {
1403 return WERR_DS_UNAVAILABLE;
1406 /* Win7-beta will send the domain name in the form the user typed, so we have to cope
1407 with both the short and long form here */
1408 if (r->in.domain_name != NULL && !lp_is_my_domain_or_realm(dce_call->conn->dce_ctx->lp_ctx,
1409 r->in.domain_name)) {
1410 return WERR_NO_SUCH_DOMAIN;
1413 domain_dn = ldb_get_default_basedn(sam_ctx);
1414 if (domain_dn == NULL) {
1415 return WERR_DS_UNAVAILABLE;
1418 ret = gendb_search_dn(sam_ctx, mem_ctx,
1419 domain_dn, &res, attrs);
1423 info = talloc(mem_ctx, struct netr_DsRGetDCNameInfo);
1424 W_ERROR_HAVE_NO_MEMORY(info);
1426 /* TODO: - return real IP address
1427 * - check all r->in.* parameters (server_unc is ignored by w2k3!)
1429 info->dc_unc = talloc_asprintf(mem_ctx, "\\\\%s.%s",
1430 lp_netbios_name(dce_call->conn->dce_ctx->lp_ctx),
1431 lp_realm(dce_call->conn->dce_ctx->lp_ctx));
1432 W_ERROR_HAVE_NO_MEMORY(info->dc_unc);
1433 info->dc_address = talloc_strdup(mem_ctx, "\\\\0.0.0.0");
1434 W_ERROR_HAVE_NO_MEMORY(info->dc_address);
1435 info->dc_address_type = DS_ADDRESS_TYPE_INET;
1436 info->domain_guid = samdb_result_guid(res[0], "objectGUID");
1437 info->domain_name = lp_realm(dce_call->conn->dce_ctx->lp_ctx);
1438 info->forest_name = lp_realm(dce_call->conn->dce_ctx->lp_ctx);
1439 info->dc_flags = DS_DNS_FOREST |
1442 DS_SERVER_WRITABLE |
1444 DS_SERVER_TIMESERV |
1450 info->dc_site_name = talloc_strdup(mem_ctx, "Default-First-Site-Name");
1451 W_ERROR_HAVE_NO_MEMORY(info->dc_site_name);
1452 info->client_site_name = talloc_strdup(mem_ctx, "Default-First-Site-Name");
1453 W_ERROR_HAVE_NO_MEMORY(info->client_site_name);
1455 *r->out.info = info;
1463 static WERROR dcesrv_netr_DsRGetDCNameEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1464 struct netr_DsRGetDCNameEx *r)
1466 struct netr_DsRGetDCNameEx2 r2;
1471 r2.in.server_unc = r->in.server_unc;
1472 r2.in.client_account = NULL;
1474 r2.in.domain_guid = r->in.domain_guid;
1475 r2.in.domain_name = r->in.domain_name;
1476 r2.in.site_name = r->in.site_name;
1477 r2.in.flags = r->in.flags;
1478 r2.out.info = r->out.info;
1480 werr = dcesrv_netr_DsRGetDCNameEx2(dce_call, mem_ctx, &r2);
1488 static WERROR dcesrv_netr_DsRGetDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1489 struct netr_DsRGetDCName *r)
1491 struct netr_DsRGetDCNameEx2 r2;
1496 r2.in.server_unc = r->in.server_unc;
1497 r2.in.client_account = NULL;
1499 r2.in.domain_name = r->in.domain_name;
1500 r2.in.domain_guid = r->in.domain_guid;
1502 r2.in.site_name = NULL; /* should fill in from site GUID */
1503 r2.in.flags = r->in.flags;
1504 r2.out.info = r->out.info;
1506 werr = dcesrv_netr_DsRGetDCNameEx2(dce_call, mem_ctx, &r2);
1511 netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN
1513 static WERROR dcesrv_netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1514 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
1516 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1521 netr_NetrEnumerateTrustedDomainsEx
1523 static WERROR dcesrv_netr_NetrEnumerateTrustedDomainsEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1524 struct netr_NetrEnumerateTrustedDomainsEx *r)
1526 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1531 netr_DsRAddressToSitenamesExW
1533 static WERROR dcesrv_netr_DsRAddressToSitenamesExW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1534 struct netr_DsRAddressToSitenamesExW *r)
1536 struct netr_DsRAddressToSitenamesExWCtr *ctr;
1539 /* we should map the provided IPs to site names, once we have
1542 ctr = talloc(mem_ctx, struct netr_DsRAddressToSitenamesExWCtr);
1543 W_ERROR_HAVE_NO_MEMORY(ctr);
1547 ctr->count = r->in.count;
1548 ctr->sitename = talloc_array(ctr, struct lsa_String, ctr->count);
1549 W_ERROR_HAVE_NO_MEMORY(ctr->sitename);
1550 ctr->subnetname = talloc_array(ctr, struct lsa_String, ctr->count);
1551 W_ERROR_HAVE_NO_MEMORY(ctr->subnetname);
1553 for (i=0; i<ctr->count; i++) {
1554 ctr->sitename[i].string = "Default-First-Site-Name";
1555 ctr->subnetname[i].string = NULL;
1563 netr_DsrGetDcSiteCoverageW
1565 static WERROR dcesrv_netr_DsrGetDcSiteCoverageW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1566 struct netr_DsrGetDcSiteCoverageW *r)
1568 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1573 netr_DsrEnumerateDomainTrusts
1575 static WERROR dcesrv_netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1576 struct netr_DsrEnumerateDomainTrusts *r)
1578 struct netr_DomainTrustList *trusts;
1579 struct ldb_context *sam_ctx;
1581 struct ldb_message **dom_res;
1582 const char * const dom_attrs[] = { "objectSid", "objectGUID", NULL };
1584 ZERO_STRUCT(r->out);
1586 sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info);
1587 if (sam_ctx == NULL) {
1588 return WERR_GENERAL_FAILURE;
1591 ret = gendb_search_dn(sam_ctx, mem_ctx, NULL,
1592 &dom_res, dom_attrs);
1594 return WERR_GENERAL_FAILURE;
1597 return WERR_GENERAL_FAILURE;
1600 trusts = talloc(mem_ctx, struct netr_DomainTrustList);
1601 W_ERROR_HAVE_NO_MEMORY(trusts);
1603 trusts->array = talloc_array(trusts, struct netr_DomainTrust, ret);
1604 W_ERROR_HAVE_NO_MEMORY(trusts->array);
1606 trusts->count = 1; /* ?? */
1608 r->out.trusts = trusts;
1610 /* TODO: add filtering by trust_flags, and correct trust_type
1612 trusts->array[0].netbios_name = lp_sam_name(dce_call->conn->dce_ctx->lp_ctx);
1613 trusts->array[0].dns_name = lp_realm(dce_call->conn->dce_ctx->lp_ctx);
1614 trusts->array[0].trust_flags =
1615 NETR_TRUST_FLAG_TREEROOT |
1616 NETR_TRUST_FLAG_IN_FOREST |
1617 NETR_TRUST_FLAG_PRIMARY;
1618 trusts->array[0].parent_index = 0;
1619 trusts->array[0].trust_type = 2;
1620 trusts->array[0].trust_attributes = 0;
1621 trusts->array[0].sid = samdb_result_dom_sid(mem_ctx, dom_res[0], "objectSid");
1622 trusts->array[0].guid = samdb_result_guid(dom_res[0], "objectGUID");
1629 netr_DsrDeregisterDNSHostRecords
1631 static WERROR dcesrv_netr_DsrDeregisterDNSHostRecords(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1632 struct netr_DsrDeregisterDNSHostRecords *r)
1634 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1639 netr_ServerTrustPasswordsGet
1641 static NTSTATUS dcesrv_netr_ServerTrustPasswordsGet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1642 struct netr_ServerTrustPasswordsGet *r)
1644 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1649 netr_DsRGetForestTrustInformation
1651 static WERROR dcesrv_netr_DsRGetForestTrustInformation(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1652 struct netr_DsRGetForestTrustInformation *r)
1654 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1659 netr_GetForestTrustInformation
1661 static WERROR dcesrv_netr_GetForestTrustInformation(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1662 struct netr_GetForestTrustInformation *r)
1664 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1669 netr_ServerGetTrustInfo
1671 static NTSTATUS dcesrv_netr_ServerGetTrustInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1672 struct netr_ServerGetTrustInfo *r)
1674 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
1678 /* include the generated boilerplate */
1679 #include "librpc/gen_ndr/ndr_netlogon_s.c"
git.samba.org / kamenim / samba.git / blob