s3-netlogon: Add support to authenticate trusted domains.

[mat/samba.git] / source3 / rpc_server / netlogon / srv_netlog_nt.c

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 26b92c8618acf7a620d56b9ac089a50001b23ad8..086a0ea3c5ab90a59b76918aa3e2f6331a80208e 100644 (file)
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -84,16 +84,6 @@ WERROR _netr_LogonControl(struct pipes_struct *p,
        return _netr_LogonControl2Ex(p, &l);
 }
 
-/****************************************************************************
-Send a message to smbd to do a sam synchronisation
-**************************************************************************/
-
-static void send_sync_message(struct messaging_context *msg_ctx)
-{
-        DEBUG(3, ("sending sam synchronisation message\n"));
-        message_send_all(msg_ctx, MSG_SMB_SAM_SYNC, NULL, 0, NULL);
-}
-
 /*************************************************************************
  _netr_LogonControl2
  *************************************************************************/
@@ -389,10 +379,6 @@ WERROR _netr_LogonControl2Ex(struct pipes_struct *p,
                return WERR_UNKNOWN_LEVEL;
        }
 
-        if (lp_server_role() == ROLE_DOMAIN_BDC) {
-                send_sync_message(p->msg_ctx);
-       }
-
        return WERR_OK;
 }
 
@@ -921,6 +907,19 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
                srv_flgs |= NETLOGON_NEG_SCHANNEL;
        }
 
+       /*
+        * Support authenticaten of trusted domains.
+        *
+        * These flags are the minimum required set which works with win2k3
+        * and win2k8.
+        */
+       if (pdb_capabilities() & PDB_CAP_TRUSTED_DOMAINS_EX) {
+               srv_flgs |= NETLOGON_NEG_TRANSITIVE_TRUSTS |
+                           NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
+                           NETLOGON_NEG_CROSS_FOREST_TRUSTS |
+                           NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
+       }
+
        switch (p->opnum) {
                case NDR_NETR_SERVERAUTHENTICATE:
                        fn = "_netr_ServerAuthenticate";
@@ -980,7 +979,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
                                           &mach_pwd,
                                           r->in.credentials,
                                           r->out.return_credentials,
-                                          *r->in.negotiate_flags);
+                                          srv_flgs);
        if (!creds) {
                DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
                        "request from client %s machine account %s\n",
@@ -2046,7 +2045,27 @@ WERROR _netr_DsRGetDCName(struct pipes_struct *p,
 NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
                                    struct netr_LogonGetCapabilities *r)
 {
-       return NT_STATUS_NOT_IMPLEMENTED;
+       struct netlogon_creds_CredentialState *creds;
+       NTSTATUS status;
+
+       become_root();
+       status = netr_creds_server_step_check(p, p->mem_ctx,
+                                             r->in.computer_name,
+                                             r->in.credential,
+                                             r->out.return_authenticator,
+                                             &creds);
+       unbecome_root();
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       if (r->in.query_level != 1) {
+               return NT_STATUS_NOT_SUPPORTED;
+       }
+
+       r->out.capabilities->server_capabilities = creds->negotiate_flags;
+
+       return NT_STATUS_OK;
 }
 
 /****************************************************************