#include "../librpc/gen_ndr/ndr_lsa_c.h"
#include "rpc_client/cli_lsarpc.h"
#include "rpc_client/init_lsa.h"
+#include "rpc_client/init_samr.h"
#include "rpc_server/rpc_ncacn_np.h"
#include "../libcli/security/security.h"
#include "../libcli/security/dom_sid.h"
case 2:
return WERR_NOT_SUPPORTED;
default:
- return WERR_UNKNOWN_LEVEL;
+ return WERR_INVALID_LEVEL;
+ }
+
+ switch (r->in.function_code) {
+ case NETLOGON_CONTROL_QUERY:
+ case NETLOGON_CONTROL_REPLICATE:
+ case NETLOGON_CONTROL_SYNCHRONIZE:
+ case NETLOGON_CONTROL_PDC_REPLICATE:
+ case NETLOGON_CONTROL_BREAKPOINT:
+ case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
+ case NETLOGON_CONTROL_TRUNCATE_LOG:
+ break;
+ default:
+ return WERR_NOT_SUPPORTED;
}
l.in.logon_server = r->in.logon_server;
struct netr_NETLOGON_INFO_3 *info3;
struct netr_NETLOGON_INFO_4 *info4;
const char *fn;
- uint32_t acct_ctrl;
NTSTATUS status;
struct netr_DsRGetDCNameInfo *dc_info;
fn = "_netr_LogonControl2Ex";
break;
default:
- return WERR_INVALID_PARAM;
+ return WERR_INVALID_PARAMETER;
}
- acct_ctrl = p->session_info->info->acct_flags;
+ switch (r->in.level) {
+ case 1:
+ case 2:
+ case 3:
+ case 4:
+ break;
+ default:
+ return WERR_INVALID_LEVEL;
+ }
switch (r->in.function_code) {
- case NETLOGON_CONTROL_TC_VERIFY:
- case NETLOGON_CONTROL_CHANGE_PASSWORD:
- case NETLOGON_CONTROL_REDISCOVER:
+ case NETLOGON_CONTROL_QUERY:
+ break;
+ default:
if ((geteuid() != sec_initial_uid()) &&
!nt_token_check_domain_rid(p->session_info->security_token, DOMAIN_RID_ADMINS) &&
- !nt_token_check_sid(&global_sid_Builtin_Administrators, p->session_info->security_token) &&
- !(acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST))) {
+ !nt_token_check_sid(&global_sid_Builtin_Administrators, p->session_info->security_token))
+ {
return WERR_ACCESS_DENIED;
}
break;
- default:
- break;
}
tc_status = WERR_NO_SUCH_DOMAIN;
switch (r->in.function_code) {
case NETLOGON_CONTROL_QUERY:
+ switch (r->in.level) {
+ case 1:
+ case 3:
+ break;
+ default:
+ return WERR_INVALID_PARAMETER;
+ }
+
tc_status = WERR_OK;
break;
case NETLOGON_CONTROL_REPLICATE:
case NETLOGON_CONTROL_PDC_REPLICATE:
case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
case NETLOGON_CONTROL_BREAKPOINT:
- if (acct_ctrl & ACB_NORMAL) {
- return WERR_NOT_SUPPORTED;
- } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
- return WERR_ACCESS_DENIED;
- } else {
- return WERR_ACCESS_DENIED;
- }
case NETLOGON_CONTROL_TRUNCATE_LOG:
- if (acct_ctrl & ACB_NORMAL) {
- break;
- } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
- return WERR_ACCESS_DENIED;
- } else {
- return WERR_ACCESS_DENIED;
- }
-
case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
case NETLOGON_CONTROL_FORCE_DNS_REG:
case NETLOGON_CONTROL_QUERY_DNS_REG:
return WERR_NOT_SUPPORTED;
+
case NETLOGON_CONTROL_FIND_USER:
if (!r->in.data || !r->in.data->user) {
return WERR_NOT_SUPPORTED;
dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
if (!dc_name) {
- return WERR_NOMEM;
+ return WERR_NOT_ENOUGH_MEMORY;
}
tc_status = WERR_OK;
dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_info->dc_unc);
if (!dc_name) {
- return WERR_NOMEM;
+ return WERR_NOT_ENOUGH_MEMORY;
}
tc_status = WERR_OK;
/* no idea what this should be */
DEBUG(0,("%s: unimplemented function level [%d]\n",
fn, r->in.function_code));
- return WERR_UNKNOWN_LEVEL;
+ return WERR_NOT_SUPPORTED;
}
/* prepare the response */
r->out.query->info4 = info4;
break;
default:
- return WERR_UNKNOWN_LEVEL;
+ return WERR_INVALID_LEVEL;
}
return WERR_OK;
NTSTATUS status;
NTSTATUS result = NT_STATUS_OK;
DATA_BLOB blob;
- int num_domains = 0;
+ size_t num_domains = 0;
const char **trusted_domains = NULL;
struct lsa_DomainList domain_list;
struct dcerpc_binding_handle *h = NULL;
status = rpcint_binding_handle(p->mem_ctx,
&ndr_table_lsarpc,
p->remote_address,
+ p->local_address,
p->session_info,
p->msg_ctx,
&h);
{
NTSTATUS status;
NTSTATUS result = NT_STATUS_OK;
- struct policy_handle connect_handle, domain_handle;
+ struct policy_handle connect_handle;
+ struct policy_handle domain_handle = { 0, };
struct lsa_String domain_name;
struct dom_sid2 *domain_sid;
struct lsa_String names;
status = NT_STATUS_NO_SUCH_USER;
goto out;
}
- if (rids.count != types.count) {
+ if (types.count != 1) {
status = NT_STATUS_INVALID_PARAMETER;
goto out;
}
#if 0
/*
- * Currently this code is redundent as we already have a filter
+ * Currently this code is redundant as we already have a filter
* by hostname list. What this code really needs to do is to
* get a hosts allowed/hosts denied list from the SAM database
* on a per user basis, and make the access decision there.
status = rpcint_binding_handle(mem_ctx,
&ndr_table_samr,
local,
+ NULL,
session_info,
msg_ctx,
&h);
goto out;
}
- become_root();
status = samr_find_machine_account(mem_ctx, h, mach_acct,
SEC_FLAG_MAXIMUM_ALLOWED,
&domain_sid, &user_rid,
&user_handle);
- unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
srv_flgs |= NETLOGON_NEG_STRONG_KEYS;
}
+ if (in_neg_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ srv_flgs |= NETLOGON_NEG_SUPPORTS_AES;
+ }
+
if (lp_server_schannel() != false) {
srv_flgs |= NETLOGON_NEG_SCHANNEL;
}
goto out;
}
- lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
+ lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers());
if (lp_ctx == NULL) {
DEBUG(10, ("loadparm_init_s3 failed\n"));
status = NT_STATUS_INTERNAL_ERROR;
talloc_unlink(p->mem_ctx, lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
+ ZERO_STRUCTP(r->out.return_credentials);
goto out;
}
bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
struct loadparm_context *lp_ctx;
+ if (creds_out != NULL) {
+ *creds_out = NULL;
+ }
+
if (schannel_global_required) {
status = schannel_check_required(&p->auth,
computer_name,
}
}
- lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_context());
+ lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers());
if (lp_ctx == NULL) {
DEBUG(0, ("loadparm_init_s3 failed\n"));
return NT_STATUS_INTERNAL_ERROR;
return status;
}
+
/*************************************************************************
*************************************************************************/
+struct _samr_Credentials_t {
+ enum {
+ CRED_TYPE_NT_HASH,
+ CRED_TYPE_PLAIN_TEXT,
+ } cred_type;
+ union {
+ struct samr_Password *nt_hash;
+ const char *password;
+ } creds;
+};
+
+
static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx,
struct auth_session_info *session_info,
struct messaging_context *msg_ctx,
const char *account_name,
- struct samr_Password *nt_hash)
+ struct _samr_Credentials_t *cr)
{
NTSTATUS status;
NTSTATUS result = NT_STATUS_OK;
uint32_t acct_ctrl;
union samr_UserInfo *info;
struct samr_UserInfo18 info18;
+ struct samr_UserInfo26 info26;
DATA_BLOB in,out;
int rc;
+ DATA_BLOB session_key;
+ enum samr_UserInfoLevel infolevel;
ZERO_STRUCT(user_handle);
+ status = session_extract_session_key(session_info,
+ &session_key,
+ KEY_USE_16BYTES);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
rc = tsocket_address_inet_from_strings(mem_ctx,
"ip",
"127.0.0.1",
status = rpcint_binding_handle(mem_ctx,
&ndr_table_samr,
local,
+ NULL,
session_info,
msg_ctx,
&h);
goto out;
}
- ZERO_STRUCT(info18);
+ switch(cr->cred_type) {
+ case CRED_TYPE_NT_HASH:
+ ZERO_STRUCT(info18);
+
+ infolevel = UserInternal1Information;
+
+ in = data_blob_const(cr->creds.nt_hash, 16);
+ out = data_blob_talloc_zero(mem_ctx, 16);
+ sess_crypt_blob(&out, &in, &session_key, true);
+ memcpy(info18.nt_pwd.hash, out.data, out.length);
+
+ info18.nt_pwd_active = true;
+
+ info->info18 = info18;
+ break;
+ case CRED_TYPE_PLAIN_TEXT:
+ ZERO_STRUCT(info26);
- in = data_blob_const(nt_hash->hash, 16);
- out = data_blob_talloc_zero(mem_ctx, 16);
- sess_crypt_blob(&out, &in, &session_info->session_key, true);
- memcpy(info18.nt_pwd.hash, out.data, out.length);
+ infolevel = UserInternal5InformationNew;
- info18.nt_pwd_active = true;
+ init_samr_CryptPasswordEx(cr->creds.password,
+ &session_key,
+ &info26.password);
- info->info18 = info18;
+ info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
+ info->info26 = info26;
+ break;
+ default:
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto out;
+ break;
+ }
become_root();
status = dcerpc_samr_SetUserInfo2(h,
mem_ctx,
&user_handle,
- UserInternal1Information,
+ infolevel,
info,
&result);
unbecome_root();
{
NTSTATUS status = NT_STATUS_OK;
int i;
- struct netlogon_creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds = NULL;
+ struct _samr_Credentials_t cr = { CRED_TYPE_NT_HASH, {0}};
DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
+ const char *computer_name = "<unknown>";
+
+ if (creds != NULL && creds->computer_name != NULL) {
+ computer_name = creds->computer_name;
+ }
DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
"request from client %s machine account %s\n",
- r->in.computer_name, creds->computer_name));
+ r->in.computer_name, computer_name));
TALLOC_FREE(creds);
return status;
}
DEBUG(100,("%02X ", r->in.new_password->hash[i]));
DEBUG(100,("\n"));
+ cr.creds.nt_hash = r->in.new_password;
status = netr_set_machine_account_password(p->mem_ctx,
p->session_info,
p->msg_ctx,
creds->account_name,
- r->in.new_password);
+ &cr);
return status;
}
struct netlogon_creds_CredentialState *creds = NULL;
DATA_BLOB plaintext;
struct samr_CryptPassword password_buf;
- struct samr_Password nt_hash;
+ struct _samr_Credentials_t cr = { CRED_TYPE_PLAIN_TEXT, {0}};
become_root();
status = netr_creds_server_step_check(p, p->mem_ctx,
return status;
}
+ DEBUG(3,("_netr_ServerPasswordSet2: Server Password Seti2 by remote "
+ "machine:[%s] on account [%s]\n",
+ r->in.computer_name, creds->computer_name));
+
memcpy(password_buf.data, r->in.new_password->data, 512);
SIVAL(password_buf.data, 512, r->in.new_password->length);
- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
- if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &plaintext)) {
+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ netlogon_creds_aes_decrypt(creds, password_buf.data, 516);
+ } else {
+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
+ }
+
+ if (!decode_pw_buffer(p->mem_ctx,
+ password_buf.data,
+ (char**) &plaintext.data,
+ &plaintext.length,
+ CH_UTF16)) {
+ DEBUG(2,("_netr_ServerPasswordSet2: unable to extract password "
+ "from a buffer. Rejecting auth request as a wrong password\n"));
TALLOC_FREE(creds);
return NT_STATUS_WRONG_PASSWORD;
}
- mdfour(nt_hash.hash, plaintext.data, plaintext.length);
-
+ cr.creds.password = (const char*) plaintext.data;
status = netr_set_machine_account_password(p->mem_ctx,
p->session_info,
p->msg_ctx,
creds->account_name,
- &nt_hash);
+ &cr);
TALLOC_FREE(creds);
return status;
}
struct auth_usersupplied_info *user_info = NULL;
struct auth_serversupplied_info *server_info = NULL;
struct auth_context *auth_context = NULL;
- uint8_t pipe_session_key[16];
- bool process_creds = true;
const char *fn;
+#ifdef DEBUG_PASSWORD
+ logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
+ r->in.logon_level,
+ r->in.logon);
+ if (logon == NULL) {
+ logon = r->in.logon;
+ }
+#endif
+
switch (p->opnum) {
case NDR_NETR_LOGONSAMLOGON:
- process_creds = true;
fn = "_netr_LogonSamLogon";
break;
case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
- process_creds = true;
fn = "_netr_LogonSamLogonWithFlags";
break;
case NDR_NETR_LOGONSAMLOGONEX:
- process_creds = false;
fn = "_netr_LogonSamLogonEx";
break;
default:
return NT_STATUS_INTERNAL_ERROR;
}
- *r->out.authoritative = true; /* authoritative response */
+ *r->out.authoritative = 1; /* authoritative response */
switch (r->in.validation_level) {
case 2:
status = NT_STATUS_OK;
+ netlogon_creds_decrypt_samlogon_logon(creds,
+ r->in.logon_level,
+ logon);
+
+ status = make_auth3_context_for_netlogon(talloc_tos(), &auth_context);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
switch (r->in.logon_level) {
case NetlogonNetworkInformation:
case NetlogonNetworkTransitiveInformation:
{
const char *wksname = nt_workstation;
+ const char *workgroup = lp_workgroup();
+ bool ok;
- status = make_auth_context_fixed(talloc_tos(), &auth_context,
- logon->network->challenge);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ ok = auth3_context_set_challenge(
+ auth_context, logon->network->challenge, "fixed");
+ if (!ok) {
+ return NT_STATUS_NO_MEMORY;
}
/* For a network logon, the workstation name comes in with two
if (*wksname == '\\') wksname++;
/* Standard challenge/response authentication */
- if (!make_user_info_netlogon_network(&user_info,
+ if (!make_user_info_netlogon_network(talloc_tos(),
+ &user_info,
nt_username, nt_domain,
wksname,
p->remote_address,
+ p->local_address,
logon->network->identity_info.parameter_control,
logon->network->lm.data,
logon->network->lm.length,
logon->network->nt.length)) {
status = NT_STATUS_NO_MEMORY;
}
+
+ if (NT_STATUS_IS_OK(status)) {
+ status = NTLMv2_RESPONSE_verify_netlogon_creds(
+ user_info->client.account_name,
+ user_info->client.domain_name,
+ user_info->password.response.nt,
+ creds, workgroup);
+ }
break;
}
case NetlogonInteractiveInformation:
{
uint8_t chal[8];
- status = make_auth_context_subsystem(talloc_tos(),
- &auth_context);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+#ifdef DEBUG_PASSWORD
+ if (logon != r->in.logon) {
+ DEBUG(100,("lm owf password:"));
+ dump_data(100,
+ r->in.logon->password->lmpassword.hash, 16);
+
+ DEBUG(100,("nt owf password:"));
+ dump_data(100,
+ r->in.logon->password->ntpassword.hash, 16);
}
+ DEBUG(100,("decrypt of lm owf password:"));
+ dump_data(100, logon->password->lmpassword.hash, 16);
+
+ DEBUG(100,("decrypt of nt owf password:"));
+ dump_data(100, logon->password->ntpassword.hash, 16);
+#endif
+
auth_get_ntlm_challenge(auth_context, chal);
- if (!make_user_info_netlogon_interactive(&user_info,
+ if (!make_user_info_netlogon_interactive(talloc_tos(),
+ &user_info,
nt_username, nt_domain,
nt_workstation,
p->remote_address,
+ p->local_address,
logon->password->identity_info.parameter_control,
chal,
logon->password->lmpassword.hash,
- logon->password->ntpassword.hash,
- creds->session_key)) {
+ logon->password->ntpassword.hash)) {
status = NT_STATUS_NO_MEMORY;
}
break;
} /* end switch */
if ( NT_STATUS_IS_OK(status) ) {
- status = auth_check_ntlm_password(auth_context,
- user_info, &server_info);
+ status = auth_check_ntlm_password(p->mem_ctx,
+ auth_context,
+ user_info,
+ &server_info,
+ r->out.authoritative);
}
TALLOC_FREE(auth_context);
- free_user_info(&user_info);
+ TALLOC_FREE(user_info);
DEBUG(5,("%s: check_password returned status %s\n",
fn, nt_errstr(status)));
/* Check account and password */
if (!NT_STATUS_IS_OK(status)) {
- /* If we don't know what this domain is, we need to
- indicate that we are not authoritative. This
- allows the client to decide if it needs to try
- a local user. Fix by jpjanosi@us.ibm.com, #2976 */
- if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
- && !strequal(nt_domain, get_global_sam_name())
- && !is_trusted_domain(nt_domain) )
- *r->out.authoritative = false; /* We are not authoritative */
-
TALLOC_FREE(server_info);
return status;
}
the SAM Local Security Authority should record that the user is
logged in to the domain. */
- if (process_creds) {
- /* Get the pipe session key from the creds. */
- memcpy(pipe_session_key, creds->session_key, 16);
- } else {
- struct schannel_state *schannel_auth;
- /* Get the pipe session key from the schannel. */
- if ((p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL)
- || (p->auth.auth_ctx == NULL)) {
- return NT_STATUS_INVALID_HANDLE;
- }
-
- schannel_auth = talloc_get_type_abort(p->auth.auth_ctx,
- struct schannel_state);
- memcpy(pipe_session_key, schannel_auth->creds->session_key, 16);
- }
-
switch (r->in.validation_level) {
case 2:
- status = serverinfo_to_SamInfo2(server_info, pipe_session_key, 16,
+ status = serverinfo_to_SamInfo2(server_info,
r->out.validation->sam2);
break;
case 3:
- status = serverinfo_to_SamInfo3(server_info, pipe_session_key, 16,
+ status = serverinfo_to_SamInfo3(server_info,
r->out.validation->sam3);
break;
case 6:
- status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16,
+ /* Only allow this if the pipe is protected. */
+ if (p->auth.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
+ DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n",
+ get_remote_machine_name()));
+ status = NT_STATUS_INVALID_PARAMETER;
+ break;
+ }
+
+ status = serverinfo_to_SamInfo6(server_info,
r->out.validation->sam6);
break;
}
TALLOC_FREE(server_info);
- return status;
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ netlogon_creds_encrypt_samlogon_validation(creds,
+ r->in.validation_level,
+ r->out.validation);
+ return NT_STATUS_OK;
}
/****************************************************************
return NT_STATUS_INVALID_PARAMETER;
}
- lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
+ lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers());
if (lp_ctx == NULL) {
DEBUG(0, ("loadparm_init_s3 failed\n"));
return NT_STATUS_INTERNAL_ERROR;
WERROR _netr_LogonUasLogon(struct pipes_struct *p,
struct netr_LogonUasLogon *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
WERROR _netr_LogonUasLogoff(struct pipes_struct *p,
struct netr_LogonUasLogoff *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
NTSTATUS _netr_DatabaseDeltas(struct pipes_struct *p,
struct netr_DatabaseDeltas *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
NTSTATUS _netr_DatabaseSync(struct pipes_struct *p,
struct netr_DatabaseSync *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
NTSTATUS _netr_AccountDeltas(struct pipes_struct *p,
struct netr_AccountDeltas *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
NTSTATUS _netr_AccountSync(struct pipes_struct *p,
struct netr_AccountSync *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
*dcname = talloc_strdup(mem_ctx, dc_info->dc_name);
wbcFreeMemory(dc_info);
if (!*dcname) {
- *werr = WERR_NOMEM;
+ *werr = WERR_NOT_ENOUGH_MEMORY;
return false;
}
*r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
talloc_free(info);
if (!*r->out.dcname) {
- return WERR_NOMEM;
+ return WERR_NOT_ENOUGH_MEMORY;
}
return WERR_OK;
*r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
talloc_free(info);
if (!*r->out.dcname) {
- return WERR_NOMEM;
+ return WERR_NOT_ENOUGH_MEMORY;
}
return WERR_OK;
NTSTATUS _netr_DatabaseSync2(struct pipes_struct *p,
struct netr_DatabaseSync2 *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
NTSTATUS _netr_DatabaseRedo(struct pipes_struct *p,
struct netr_DatabaseRedo *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
WERROR _netr_DsRGetDCName(struct pipes_struct *p,
struct netr_DsRGetDCName *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
WERROR _netr_NETRLOGONSETSERVICEBITS(struct pipes_struct *p,
struct netr_NETRLOGONSETSERVICEBITS *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
WERROR _netr_LogonGetTrustRid(struct pipes_struct *p,
struct netr_LogonGetTrustRid *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
WERROR _netr_NETRLOGONCOMPUTESERVERDIGEST(struct pipes_struct *p,
struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
WERROR _netr_NETRLOGONCOMPUTECLIENTDIGEST(struct pipes_struct *p,
struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
WERROR _netr_DsRGetDCNameEx(struct pipes_struct *p,
struct netr_DsRGetDCNameEx *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
WERROR _netr_DsRGetSiteName(struct pipes_struct *p,
struct netr_DsRGetSiteName *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
NTSTATUS _netr_LogonGetDomainInfo(struct pipes_struct *p,
struct netr_LogonGetDomainInfo *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
/****************************************************************
****************************************************************/
-WERROR _netr_ServerPasswordGet(struct pipes_struct *p,
- struct netr_ServerPasswordGet *r)
+NTSTATUS _netr_ServerPasswordGet(struct pipes_struct *p,
+ struct netr_ServerPasswordGet *r)
{
- p->rng_fault_state = true;
- return WERR_NOT_SUPPORTED;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
+ return NT_STATUS_NOT_SUPPORTED;
}
/****************************************************************
****************************************************************/
-WERROR _netr_NETRLOGONSENDTOSAM(struct pipes_struct *p,
- struct netr_NETRLOGONSENDTOSAM *r)
+NTSTATUS _netr_NetrLogonSendToSam(struct pipes_struct *p,
+ struct netr_NetrLogonSendToSam *r)
{
- p->rng_fault_state = true;
- return WERR_NOT_SUPPORTED;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
+ return NT_STATUS_NOT_IMPLEMENTED;
}
/****************************************************************
WERROR _netr_DsRAddressToSitenamesW(struct pipes_struct *p,
struct netr_DsRAddressToSitenamesW *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
WERROR _netr_DsRGetDCNameEx2(struct pipes_struct *p,
struct netr_DsRGetDCNameEx2 *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
WERROR _netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct pipes_struct *p,
struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
WERROR _netr_NetrEnumerateTrustedDomainsEx(struct pipes_struct *p,
struct netr_NetrEnumerateTrustedDomainsEx *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
WERROR _netr_DsRAddressToSitenamesExW(struct pipes_struct *p,
struct netr_DsRAddressToSitenamesExW *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
WERROR _netr_DsrGetDcSiteCoverageW(struct pipes_struct *p,
struct netr_DsrGetDcSiteCoverageW *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
WERROR _netr_DsrEnumerateDomainTrusts(struct pipes_struct *p,
struct netr_DsrEnumerateDomainTrusts *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
WERROR _netr_DsrDeregisterDNSHostRecords(struct pipes_struct *p,
struct netr_DsrDeregisterDNSHostRecords *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NOT_SUPPORTED;
}
NTSTATUS _netr_ServerTrustPasswordsGet(struct pipes_struct *p,
struct netr_ServerTrustPasswordsGet *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
/****************************************************************
****************************************************************/
-WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
- struct netr_DsRGetForestTrustInformation *r)
-{
- p->rng_fault_state = true;
- return WERR_NOT_SUPPORTED;
-}
-
-/****************************************************************
-****************************************************************/
-
static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx,
struct lsa_ForestTrustInformation *info)
{
struct lsa_ForestTrustRecord *e;
struct pdb_domain_info *dom_info;
struct lsa_ForestTrustDomainInfo *domain_info;
+ char **upn_suffixes = NULL;
+ uint32_t num_suffixes = 0;
+ uint32_t i = 0;
+ NTSTATUS status;
dom_info = pdb_get_domain_info(mem_ctx);
if (dom_info == NULL) {
}
info->count = 2;
- info->entries = talloc_array(info, struct lsa_ForestTrustRecord *, 2);
+
+ become_root();
+ status = pdb_enum_upn_suffixes(info, &num_suffixes, &upn_suffixes);
+ unbecome_root();
+ if (NT_STATUS_IS_OK(status) && (num_suffixes > 0)) {
+ info->count += num_suffixes;
+ }
+
+ info->entries = talloc_array(info, struct lsa_ForestTrustRecord *, info->count);
if (info->entries == NULL) {
return NT_STATUS_NO_MEMORY;
}
info->entries[0] = e;
+ if (num_suffixes > 0) {
+ for (i = 0; i < num_suffixes ; i++) {
+ e = talloc(info, struct lsa_ForestTrustRecord);
+ if (e == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ e->flags = 0;
+ e->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
+ e->time = 0; /* so far always 0 in traces. */
+ e->forest_trust_data.top_level_name.string = upn_suffixes[i];
+ info->entries[1 + i] = e;
+ }
+ }
+
e = talloc(info, struct lsa_ForestTrustRecord);
if (e == NULL) {
return NT_STATUS_NO_MEMORY;
domain_info->netbios_domain_name.string = talloc_steal(info,
dom_info->name);
- info->entries[1] = e;
+ info->entries[info->count - 1] = e;
return NT_STATUS_OK;
}
+/****************************************************************
+****************************************************************/
+
+WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
+ struct netr_DsRGetForestTrustInformation *r)
+{
+ NTSTATUS status;
+ struct lsa_ForestTrustInformation *info, **info_ptr;
+
+ if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
+ && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
+ p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+ return WERR_ACCESS_DENIED;
+ }
+
+ if (r->in.flags & (~DS_GFTI_UPDATE_TDO)) {
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
+ return WERR_INVALID_FLAGS;
+ }
+
+ if ((r->in.flags & DS_GFTI_UPDATE_TDO) && (lp_server_role() != ROLE_DOMAIN_PDC)) {
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
+ return WERR_NERR_NOTPRIMARY;
+ }
+
+ if ((r->in.trusted_domain_name == NULL) && (r->in.flags & DS_GFTI_UPDATE_TDO)) {
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
+ return WERR_INVALID_PARAMETER;
+ }
+
+ /* retrieve forest trust information and stop further processing */
+ if (r->in.trusted_domain_name == NULL) {
+ info_ptr = talloc(p->mem_ctx, struct lsa_ForestTrustInformation *);
+ if (info_ptr == NULL) {
+ p->fault_state = DCERPC_FAULT_CANT_PERFORM;
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ info = talloc_zero(info_ptr, struct lsa_ForestTrustInformation);
+ if (info == NULL) {
+ p->fault_state = DCERPC_FAULT_CANT_PERFORM;
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ /* Fill forest trust information and expand UPN suffixes list */
+ status = fill_forest_trust_array(p->mem_ctx, info);
+ if (!NT_STATUS_IS_OK(status)) {
+ p->fault_state = DCERPC_FAULT_CANT_PERFORM;
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ *info_ptr = info;
+ r->out.forest_trust_info = info_ptr;
+
+ return WERR_OK;
+
+ }
+
+ /* TODO: implement remaining parts of DsrGetForestTrustInformation (opnum 43)
+ * when trusted_domain_name is not NULL */
+
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
+ return WERR_NOT_SUPPORTED;
+}
+
/****************************************************************
_netr_GetForestTrustInformation
****************************************************************/
NTSTATUS status;
struct netlogon_creds_CredentialState *creds;
struct lsa_ForestTrustInformation *info, **info_ptr;
- struct loadparm_context *lp_ctx;
/* TODO: check server name */
- lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
- if (lp_ctx == NULL) {
- DEBUG(0, ("loadparm_init_s3 failed\n"));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- status = schannel_check_creds_state(p->mem_ctx, lp_ctx,
- r->in.computer_name,
- r->in.credential,
- r->out.return_authenticator,
- &creds);
- talloc_unlink(p->mem_ctx, lp_ctx);
+ become_root();
+ status = netr_creds_server_step_check(p, p->mem_ctx,
+ r->in.computer_name,
+ r->in.credential,
+ r->out.return_authenticator,
+ &creds);
+ unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return NT_STATUS_NO_MEMORY;
}
+ /* Fill forest trust information, do expand UPN suffixes list */
status = fill_forest_trust_array(p->mem_ctx, info);
if (!NT_STATUS_IS_OK(status)) {
return status;
static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx,
const DATA_BLOB *trustAuth_blob,
- const DATA_BLOB *session_key,
+ struct netlogon_creds_CredentialState *creds,
struct samr_Password *current_pw_enc,
struct samr_Password *previous_pw_enc)
{
return NT_STATUS_UNSUCCESSFUL;
}
-
if (trustAuth.count != 0 && trustAuth.current.count != 0 &&
trustAuth.current.array[0].AuthType == TRUST_AUTH_TYPE_CLEAR) {
- mdfour(previous_pw_enc->hash,
+ mdfour(current_pw_enc->hash,
trustAuth.current.array[0].AuthInfo.clear.password,
trustAuth.current.array[0].AuthInfo.clear.size);
+ netlogon_creds_des_encrypt(creds, current_pw_enc);
} else {
return NT_STATUS_UNSUCCESSFUL;
}
- arcfour_crypt_blob(current_pw_enc->hash, sizeof(current_pw_enc->hash),
- session_key);
if (trustAuth.previous.count != 0 &&
trustAuth.previous.array[0].AuthType == TRUST_AUTH_TYPE_CLEAR) {
mdfour(previous_pw_enc->hash,
trustAuth.previous.array[0].AuthInfo.clear.password,
trustAuth.previous.array[0].AuthInfo.clear.size);
+ netlogon_creds_des_encrypt(creds, previous_pw_enc);
} else {
- mdfour(previous_pw_enc->hash, NULL, 0);
+ ZERO_STRUCTP(previous_pw_enc);
}
- arcfour_crypt_blob(previous_pw_enc->hash, sizeof(previous_pw_enc->hash),
- session_key);
return NT_STATUS_OK;
}
bool trusted;
struct netr_TrustInfo *trust_info;
struct pdb_trusted_domain *td;
- DATA_BLOB trustAuth_blob;
- struct samr_Password *new_owf_enc;
- struct samr_Password *old_owf_enc;
- DATA_BLOB session_key;
- struct loadparm_context *lp_ctx;
-
- lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
- if (lp_ctx == NULL) {
- DEBUG(0, ("loadparm_init_s3 failed\n"));
- return NT_STATUS_INTERNAL_ERROR;
- }
/* TODO: check server name */
- status = schannel_check_creds_state(p->mem_ctx, lp_ctx,
- r->in.computer_name,
- r->in.credential,
- r->out.return_authenticator,
- &creds);
- talloc_unlink(p->mem_ctx, lp_ctx);
+ become_root();
+ status = netr_creds_server_step_check(p, p->mem_ctx,
+ r->in.computer_name,
+ r->in.credential,
+ r->out.return_authenticator,
+ &creds);
+ unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
return status;
}
*r->out.trust_info = trust_info;
}
- new_owf_enc = talloc_zero(p->mem_ctx, struct samr_Password);
- old_owf_enc = talloc_zero(p->mem_ctx, struct samr_Password);
- if (new_owf_enc == NULL || old_owf_enc == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
-/* TODO: which trustAuth shall we use if we have in/out trust or do they have to
- * be equal ? */
- if (td->trust_direction & NETR_TRUST_FLAG_INBOUND) {
- trustAuth_blob = td->trust_auth_incoming;
- } else if (td->trust_direction & NETR_TRUST_FLAG_OUTBOUND) {
- trustAuth_blob = td->trust_auth_outgoing;
+ if (td->trust_auth_incoming.data == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
}
- session_key.data = creds->session_key;
- session_key.length = sizeof(creds->session_key);
- status = get_password_from_trustAuth(p->mem_ctx, &trustAuth_blob,
- &session_key,
- new_owf_enc, old_owf_enc);
+ status = get_password_from_trustAuth(p->mem_ctx,
+ &td->trust_auth_incoming,
+ creds,
+ r->out.new_owf_password,
+ r->out.old_owf_password);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- r->out.new_owf_password = new_owf_enc;
- r->out.old_owf_password = old_owf_enc;
} else {
/* TODO: look for machine password */
- r->out.new_owf_password = NULL;
- r->out.old_owf_password = NULL;
+ ZERO_STRUCTP(r->out.new_owf_password);
+ ZERO_STRUCTP(r->out.old_owf_password);
return NT_STATUS_NOT_IMPLEMENTED;
}
NTSTATUS _netr_Unused47(struct pipes_struct *p,
struct netr_Unused47 *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
NTSTATUS _netr_DsrUpdateReadOnlyServerDnsRecords(struct pipes_struct *p,
struct netr_DsrUpdateReadOnlyServerDnsRecords *r)
{
- p->rng_fault_state = true;
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return NT_STATUS_NOT_IMPLEMENTED;
}
git.samba.org / metze / samba / wip.git / blobdiff