r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
/*
Unix SMB / CIFS implementation .
2005-10-10 19:57:55 +00:00
A composite API for initializing a domain
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
Copyright ( C ) Volker Lendecke 2005
2007-05-25 08:04:39 +00:00
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2007
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 02:07:03 +00:00
the Free Software Foundation ; either version 3 of the License , or
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 02:07:03 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
*/
# include "includes.h"
# include "libcli/composite/composite.h"
# include "winbind/wb_server.h"
2005-10-19 13:45:44 +00:00
# include "smbd/service_task.h"
2006-03-16 00:23:11 +00:00
# include "librpc/gen_ndr/ndr_netlogon.h"
2006-03-16 12:43:28 +00:00
# include "librpc/gen_ndr/ndr_lsa_c.h"
2007-05-25 08:04:39 +00:00
# include "librpc/gen_ndr/ndr_samr_c.h"
2007-05-25 11:59:52 +00:00
# include "libcli/libcli.h"
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2006-04-02 12:02:01 +00:00
# include "libcli/security/security.h"
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2005-11-05 23:46:57 +00:00
2006-03-14 01:29:56 +00:00
# include "auth/credentials/credentials.h"
2007-09-08 12:42:09 +00:00
# include "param/param.h"
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
/*
* Initialize a domain :
*
2007-05-25 08:04:39 +00:00
* - With schannel credentials , try to open the SMB connection and
* NETLOGON pipe with the machine creds . This works against W2k3SP1
* with an NTLMSSP session setup . Fall back to anonymous ( for the CIFS level ) .
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
*
* - If we have schannel creds , do the auth2 and open the schannel ' ed netlogon
* pipe .
*
2007-05-25 08:04:39 +00:00
* - Open LSA . If we have machine creds , try to open with SPNEGO or NTLMSSP . Fall back
* to schannel .
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
*
* - With queryinfopolicy , verify that we ' re talking to the right domain
*
* A bit complex , but with all the combinations I think it ' s the best we can
* get . NT4 , W2k3 and W2k all have different combinations , but in the end we
* have a signed & sealed lsa connection on all of them .
*
* Not sure if it is overkill , but it seems to work .
*/
struct init_domain_state {
struct composite_context * ctx ;
struct wbsrv_domain * domain ;
2005-10-24 09:34:12 +00:00
struct wbsrv_service * service ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2007-05-25 08:04:39 +00:00
struct lsa_ObjectAttribute objectattr ;
struct lsa_OpenPolicy2 lsa_openpolicy ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
struct lsa_QueryInfoPolicy queryinfo ;
2008-10-24 15:05:57 +02:00
union lsa_PolicyInformation * info ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
} ;
static void init_domain_recv_netlogonpipe ( struct composite_context * ctx ) ;
2007-05-25 08:04:39 +00:00
static void init_domain_recv_lsa_pipe ( struct composite_context * ctx ) ;
2010-03-10 10:03:56 +01:00
static void init_domain_recv_lsa_policy ( struct tevent_req * subreq ) ;
static void init_domain_recv_queryinfo ( struct tevent_req * subreq ) ;
2005-10-15 22:01:15 +00:00
static void init_domain_recv_samr ( struct composite_context * ctx ) ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2007-05-25 08:04:39 +00:00
static struct dcerpc_binding * init_domain_binding ( struct init_domain_state * state ,
2007-08-19 21:12:13 +00:00
const struct ndr_interface_table * table )
2007-05-25 08:04:39 +00:00
{
struct dcerpc_binding * binding ;
2014-01-30 09:11:48 +01:00
enum dcerpc_transport_t transport ;
2012-02-24 15:58:40 +01:00
char * s ;
2007-05-25 08:04:39 +00:00
NTSTATUS status ;
2007-05-25 11:59:52 +00:00
2007-05-25 08:04:39 +00:00
/* Make a binding string */
2012-02-24 15:58:40 +01:00
if ( ( lpcfg_server_role ( state - > service - > task - > lp_ctx ) ! = ROLE_DOMAIN_MEMBER ) & &
dom_sid_equal ( state - > domain - > info - > sid , state - > service - > primary_sid ) & &
state - > service - > sec_channel_type ! = SEC_CHAN_RODC ) {
2014-01-30 09:11:48 +01:00
s = talloc_asprintf ( state , " ncalrpc:%s[target_hostname=%s] " ,
state - > domain - > dc_address ,
state - > domain - > dc_name ) ;
2007-05-25 08:04:39 +00:00
if ( s = = NULL ) return NULL ;
2012-02-24 15:58:40 +01:00
} else {
2014-01-30 09:11:48 +01:00
s = talloc_asprintf ( state , " ncacn_np:%s[target_hostname=%s] " ,
state - > domain - > dc_address ,
state - > domain - > dc_name ) ;
2012-02-24 15:58:40 +01:00
if ( s = = NULL ) return NULL ;
}
status = dcerpc_parse_binding ( state , s , & binding ) ;
talloc_free ( s ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return NULL ;
2007-05-25 08:04:39 +00:00
}
2014-01-30 09:11:48 +01:00
transport = dcerpc_binding_get_transport ( binding ) ;
if ( transport = = NCALRPC ) {
2012-02-24 15:58:40 +01:00
return binding ;
}
2007-05-25 08:04:39 +00:00
/* This shouldn't make a network call, as the mappings for named pipes are well known */
2007-12-07 02:37:04 +01:00
status = dcerpc_epm_map_binding ( binding , binding , table , state - > service - > task - > event_ctx ,
state - > service - > task - > lp_ctx ) ;
2007-05-25 08:04:39 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return NULL ;
}
return binding ;
}
2005-11-05 23:46:57 +00:00
struct composite_context * wb_init_domain_send ( TALLOC_CTX * mem_ctx ,
struct wbsrv_service * service ,
struct wb_dom_info * dom_info )
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
{
struct composite_context * result , * ctx ;
struct init_domain_state * state ;
2007-04-29 21:40:48 +00:00
result = composite_create ( mem_ctx , service - > task - > event_ctx ) ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
if ( result = = NULL ) goto failed ;
state = talloc_zero ( result , struct init_domain_state ) ;
if ( state = = NULL ) goto failed ;
state - > ctx = result ;
result - > private_data = state ;
2005-10-24 09:34:12 +00:00
state - > service = service ;
2005-10-19 13:45:44 +00:00
2005-11-05 23:46:57 +00:00
state - > domain = talloc ( state , struct wbsrv_domain ) ;
if ( state - > domain = = NULL ) goto failed ;
2014-01-14 11:55:19 +01:00
state - > domain - > service = service ;
2005-11-05 23:46:57 +00:00
state - > domain - > info = talloc_reference ( state - > domain , dom_info ) ;
if ( state - > domain - > info = = NULL ) goto failed ;
2005-10-09 20:57:49 +00:00
2010-09-14 17:36:23 +10:00
state - > domain - > dc_name = dom_info - > dc - > name ;
state - > domain - > dc_address = dom_info - > dc - > address ;
2007-05-25 11:59:52 +00:00
2007-12-07 02:37:04 +01:00
state - > domain - > libnet_ctx = libnet_context_init ( service - > task - > event_ctx ,
service - > task - > lp_ctx ) ;
2013-05-31 16:04:26 +02:00
if ( state - > domain - > libnet_ctx = = NULL ) goto failed ;
talloc_steal ( state - > domain , state - > domain - > libnet_ctx ) ;
2007-07-23 02:56:51 +00:00
2007-05-25 08:04:39 +00:00
/* Create a credentials structure */
2007-07-23 02:56:51 +00:00
state - > domain - > libnet_ctx - > cred = cli_credentials_init ( state - > domain ) ;
if ( state - > domain - > libnet_ctx - > cred = = NULL ) goto failed ;
2005-11-05 23:46:57 +00:00
2007-12-03 21:25:17 +01:00
cli_credentials_set_conf ( state - > domain - > libnet_ctx - > cred , service - > task - > lp_ctx ) ;
2007-05-25 08:04:39 +00:00
/* Connect the machine account to the credentials */
2005-10-09 20:57:49 +00:00
state - > ctx - > status =
2007-12-13 22:46:17 +01:00
cli_credentials_set_machine_account ( state - > domain - > libnet_ctx - > cred , state - > domain - > libnet_ctx - > lp_ctx ) ;
2005-10-09 20:57:49 +00:00
if ( ! NT_STATUS_IS_OK ( state - > ctx - > status ) ) goto failed ;
2007-08-19 21:23:03 +00:00
state - > domain - > netlogon_binding = init_domain_binding ( state , & ndr_table_netlogon ) ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2007-05-25 08:04:39 +00:00
state - > domain - > netlogon_pipe = NULL ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2012-08-24 13:39:14 +02:00
state - > domain - > netlogon_queue = tevent_queue_create ( state - > domain ,
" netlogon_queue " ) ;
if ( state - > domain - > netlogon_queue = = NULL ) goto failed ;
/* We start the queue when the connection is usable */
tevent_queue_stop ( state - > domain - > netlogon_queue ) ;
2007-07-23 02:56:51 +00:00
if ( ( ! cli_credentials_is_anonymous ( state - > domain - > libnet_ctx - > cred ) ) & &
2010-07-16 14:32:42 +10:00
( ( lpcfg_server_role ( service - > task - > lp_ctx ) = = ROLE_DOMAIN_MEMBER ) | |
2012-06-10 22:08:20 +10:00
( lpcfg_server_role ( service - > task - > lp_ctx ) = = ROLE_ACTIVE_DIRECTORY_DC ) ) & &
2007-07-15 10:46:34 +00:00
( dom_sid_equal ( state - > domain - > info - > sid ,
state - > service - > primary_sid ) ) ) {
2014-02-04 09:55:11 +01:00
uint32_t flags = DCERPC_SCHANNEL | DCERPC_SCHANNEL_AUTO ;
2007-05-25 08:04:39 +00:00
/* For debugging, it can be a real pain if all the traffic is encrypted */
2010-07-16 14:32:42 +10:00
if ( lpcfg_winbind_sealed_pipes ( service - > task - > lp_ctx ) ) {
2014-02-04 09:55:11 +01:00
flags | = DCERPC_SIGN | DCERPC_SEAL ;
2007-05-25 08:04:39 +00:00
} else {
2014-02-04 09:55:11 +01:00
flags | = DCERPC_SIGN ;
2007-05-25 08:04:39 +00:00
}
2014-02-04 09:55:11 +01:00
state - > ctx - > status = dcerpc_binding_set_flags ( state - > domain - > netlogon_binding ,
flags , 0 ) ;
if ( ! NT_STATUS_IS_OK ( state - > ctx - > status ) ) goto failed ;
2007-05-25 08:04:39 +00:00
}
2005-10-19 13:45:44 +00:00
2007-05-25 08:04:39 +00:00
/* No encryption on anonymous pipes */
2005-10-19 13:45:44 +00:00
2007-05-25 08:04:39 +00:00
ctx = dcerpc_pipe_connect_b_send ( state , state - > domain - > netlogon_binding ,
2007-08-19 21:23:03 +00:00
& ndr_table_netlogon ,
2007-07-23 02:56:51 +00:00
state - > domain - > libnet_ctx - > cred ,
2007-12-07 02:37:04 +01:00
service - > task - > event_ctx ,
service - > task - > lp_ctx ) ;
2007-05-25 08:04:39 +00:00
if ( composite_nomem ( ctx , state - > ctx ) ) {
goto failed ;
}
composite_continue ( state - > ctx , ctx , init_domain_recv_netlogonpipe ,
state ) ;
return result ;
2005-11-05 23:46:57 +00:00
failed :
talloc_free ( result ) ;
return NULL ;
2005-10-19 13:45:44 +00:00
}
2007-05-25 08:04:39 +00:00
/* Having make a netlogon connection (possibly secured with schannel),
* make an LSA connection to the same DC , on the same IPC $ share */
static void init_domain_recv_netlogonpipe ( struct composite_context * ctx )
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
{
struct init_domain_state * state =
talloc_get_type ( ctx - > async . private_data ,
struct init_domain_state ) ;
2014-02-04 09:55:11 +01:00
uint32_t flags ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2007-07-16 11:27:29 +00:00
state - > ctx - > status = dcerpc_pipe_connect_b_recv ( ctx , state - > domain ,
2007-05-25 08:04:39 +00:00
& state - > domain - > netlogon_pipe ) ;
if ( ! composite_is_ok ( state - > ctx ) ) {
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
return ;
}
2009-08-07 17:23:52 +10:00
talloc_reparent ( state , state - > domain - > netlogon_pipe , state - > domain - > netlogon_binding ) ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2012-08-24 13:39:14 +02:00
/* the netlogon connection is ready */
tevent_queue_start ( state - > domain - > netlogon_queue ) ;
2007-08-19 21:23:03 +00:00
state - > domain - > lsa_binding = init_domain_binding ( state , & ndr_table_lsarpc ) ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2007-05-25 08:04:39 +00:00
/* For debugging, it can be a real pain if all the traffic is encrypted */
2010-07-16 14:32:42 +10:00
if ( lpcfg_winbind_sealed_pipes ( state - > service - > task - > lp_ctx ) ) {
2014-02-04 09:55:11 +01:00
flags = DCERPC_SIGN | DCERPC_SEAL ;
2007-05-25 08:04:39 +00:00
} else {
2014-02-04 09:55:11 +01:00
flags = DCERPC_SIGN ;
}
state - > ctx - > status = dcerpc_binding_set_flags ( state - > domain - > lsa_binding ,
flags , 0 ) ;
if ( ! composite_is_ok ( state - > ctx ) ) {
return ;
2005-10-19 13:45:44 +00:00
}
2007-07-23 02:56:51 +00:00
state - > domain - > libnet_ctx - > lsa . pipe = NULL ;
2014-01-16 01:00:18 +01:00
state - > domain - > libnet_ctx - > lsa . lsa_handle = NULL ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2007-05-25 08:04:39 +00:00
/* this will make the secondary connection on the same IPC$ share,
secured with SPNEGO or NTLMSSP */
2007-07-16 11:27:29 +00:00
ctx = dcerpc_secondary_auth_connection_send ( state - > domain - > netlogon_pipe ,
state - > domain - > lsa_binding ,
2007-08-19 21:23:03 +00:00
& ndr_table_lsarpc ,
2007-12-07 02:37:04 +01:00
state - > domain - > libnet_ctx - > cred ,
state - > domain - > libnet_ctx - > lp_ctx
2007-07-16 11:27:29 +00:00
) ;
2007-05-25 08:04:39 +00:00
composite_continue ( state - > ctx , ctx , init_domain_recv_lsa_pipe , state ) ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
}
2007-05-25 08:04:39 +00:00
static bool retry_with_schannel ( struct init_domain_state * state ,
struct dcerpc_binding * binding ,
2007-08-19 21:12:13 +00:00
const struct ndr_interface_table * table ,
2007-05-25 08:04:39 +00:00
void ( * continuation ) ( struct composite_context * ) )
{
struct composite_context * ctx ;
2014-02-04 09:55:11 +01:00
uint32_t nflags ;
uint32_t bflags ;
2007-07-15 10:46:34 +00:00
state - > ctx - > status = NT_STATUS_OK ;
2014-02-04 09:55:11 +01:00
nflags = dcerpc_binding_get_flags ( state - > domain - > netlogon_binding ) ;
bflags = dcerpc_binding_get_flags ( binding ) ;
if ( ( nflags & DCERPC_SCHANNEL ) & & ! ( bflags & DCERPC_SCHANNEL ) ) {
2007-05-25 08:04:39 +00:00
/* Opening a policy handle failed, perhaps it was
* because we don ' t get a ' wrong password ' error on
* NTLMSSP binds */
/* Try again with schannel */
2014-02-04 09:55:11 +01:00
bflags | = DCERPC_SCHANNEL | DCERPC_SCHANNEL_AUTO ;
state - > ctx - > status = dcerpc_binding_set_flags ( binding , bflags , 0 ) ;
if ( ! composite_is_ok ( state - > ctx ) ) return true ;
2007-05-25 08:04:39 +00:00
/* Try again, likewise on the same IPC$ share,
secured with SCHANNEL */
2007-07-16 11:27:29 +00:00
ctx = dcerpc_secondary_auth_connection_send ( state - > domain - > netlogon_pipe ,
binding ,
table ,
2007-12-07 02:37:04 +01:00
state - > domain - > libnet_ctx - > cred ,
state - > domain - > libnet_ctx - > lp_ctx ) ;
2007-05-25 08:04:39 +00:00
composite_continue ( state - > ctx , ctx , continuation , state ) ;
return true ;
} else {
return false ;
}
}
/* We should now have either an authenticated LSA pipe, or an error.
* On success , open a policy handle
*/
static void init_domain_recv_lsa_pipe ( struct composite_context * ctx )
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
{
struct init_domain_state * state =
talloc_get_type ( ctx - > async . private_data ,
struct init_domain_state ) ;
2010-03-10 10:03:56 +01:00
struct tevent_req * subreq ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2007-07-16 11:27:29 +00:00
state - > ctx - > status = dcerpc_secondary_auth_connection_recv ( ctx , state - > domain ,
2007-07-23 02:56:51 +00:00
& state - > domain - > libnet_ctx - > lsa . pipe ) ;
2007-05-25 08:04:39 +00:00
if ( NT_STATUS_EQUAL ( state - > ctx - > status , NT_STATUS_LOGON_FAILURE ) ) {
if ( retry_with_schannel ( state , state - > domain - > lsa_binding ,
2007-08-19 21:23:03 +00:00
& ndr_table_lsarpc ,
2007-05-25 08:04:39 +00:00
init_domain_recv_lsa_pipe ) ) {
return ;
}
}
2005-10-10 19:57:55 +00:00
if ( ! composite_is_ok ( state - > ctx ) ) return ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2007-07-23 02:56:51 +00:00
talloc_steal ( state - > domain - > libnet_ctx , state - > domain - > libnet_ctx - > lsa . pipe ) ;
2009-08-07 17:23:52 +10:00
talloc_reparent ( state , state - > domain - > libnet_ctx - > lsa . pipe , state - > domain - > lsa_binding ) ;
2014-01-16 01:00:18 +01:00
state - > domain - > libnet_ctx - > lsa . lsa_handle =
state - > domain - > libnet_ctx - > lsa . pipe - > binding_handle ;
2007-08-01 04:05:06 +00:00
state - > domain - > libnet_ctx - > lsa . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
state - > domain - > libnet_ctx - > lsa . name = state - > domain - > info - > name ;
2005-11-20 17:34:56 +00:00
2007-07-23 02:56:51 +00:00
ZERO_STRUCT ( state - > domain - > libnet_ctx - > lsa . handle ) ;
2007-05-25 08:04:39 +00:00
state - > lsa_openpolicy . in . system_name =
talloc_asprintf ( state , " \\ \\ %s " ,
2007-07-23 02:56:51 +00:00
dcerpc_server_name ( state - > domain - > libnet_ctx - > lsa . pipe ) ) ;
2007-05-25 08:04:39 +00:00
ZERO_STRUCT ( state - > objectattr ) ;
state - > lsa_openpolicy . in . attr = & state - > objectattr ;
state - > lsa_openpolicy . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2007-07-23 02:56:51 +00:00
state - > lsa_openpolicy . out . handle = & state - > domain - > libnet_ctx - > lsa . handle ;
2007-05-25 08:04:39 +00:00
2010-03-10 10:03:56 +01:00
subreq = dcerpc_lsa_OpenPolicy2_r_send ( state ,
state - > ctx - > event_ctx ,
state - > domain - > libnet_ctx - > lsa . pipe - > binding_handle ,
& state - > lsa_openpolicy ) ;
if ( composite_nomem ( subreq , state - > ctx ) ) return ;
tevent_req_set_callback ( subreq , init_domain_recv_lsa_policy , state ) ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
}
2007-05-25 08:04:39 +00:00
/* Receive a policy handle (or not, and retry the authentication) and
* obtain some basic information about the domain */
2010-03-10 10:03:56 +01:00
static void init_domain_recv_lsa_policy ( struct tevent_req * subreq )
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
{
struct init_domain_state * state =
2010-03-10 10:03:56 +01:00
tevent_req_callback_data ( subreq ,
struct init_domain_state ) ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2010-03-10 10:03:56 +01:00
state - > ctx - > status = dcerpc_lsa_OpenPolicy2_r_recv ( subreq , state ) ;
TALLOC_FREE ( subreq ) ;
2007-05-26 00:25:22 +00:00
if ( ( ! NT_STATUS_IS_OK ( state - > ctx - > status )
| | ! NT_STATUS_IS_OK ( state - > lsa_openpolicy . out . result ) ) ) {
2007-05-25 08:04:39 +00:00
if ( retry_with_schannel ( state , state - > domain - > lsa_binding ,
2007-08-19 21:23:03 +00:00
& ndr_table_lsarpc ,
2007-05-25 08:04:39 +00:00
init_domain_recv_lsa_pipe ) ) {
return ;
}
}
if ( ! composite_is_ok ( state - > ctx ) ) return ;
state - > ctx - > status = state - > lsa_openpolicy . out . result ;
2005-10-10 19:57:55 +00:00
if ( ! composite_is_ok ( state - > ctx ) ) return ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2008-10-24 15:05:57 +02:00
state - > info = talloc_zero ( state - > ctx , union lsa_PolicyInformation ) ;
if ( composite_nomem ( state - > info , state - > ctx ) ) return ;
2007-07-23 02:56:51 +00:00
state - > queryinfo . in . handle = & state - > domain - > libnet_ctx - > lsa . handle ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
state - > queryinfo . in . level = LSA_POLICY_INFO_ACCOUNT_DOMAIN ;
2008-10-24 15:05:57 +02:00
state - > queryinfo . out . info = & state - > info ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2010-03-10 10:03:56 +01:00
subreq = dcerpc_lsa_QueryInfoPolicy_r_send ( state ,
state - > ctx - > event_ctx ,
state - > domain - > libnet_ctx - > lsa . pipe - > binding_handle ,
& state - > queryinfo ) ;
if ( composite_nomem ( subreq , state - > ctx ) ) return ;
tevent_req_set_callback ( subreq , init_domain_recv_queryinfo , state ) ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
}
2010-03-10 10:03:56 +01:00
static void init_domain_recv_queryinfo ( struct tevent_req * subreq )
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
{
struct init_domain_state * state =
2010-03-10 10:03:56 +01:00
tevent_req_callback_data ( subreq ,
struct init_domain_state ) ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
struct lsa_DomainInfo * dominfo ;
2005-10-15 22:01:15 +00:00
struct composite_context * ctx ;
2014-02-04 09:55:11 +01:00
uint32_t lflags ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2010-03-10 10:03:56 +01:00
state - > ctx - > status = dcerpc_lsa_QueryInfoPolicy_r_recv ( subreq , state ) ;
TALLOC_FREE ( subreq ) ;
2005-10-10 19:57:55 +00:00
if ( ! composite_is_ok ( state - > ctx ) ) return ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
state - > ctx - > status = state - > queryinfo . out . result ;
2005-10-10 19:57:55 +00:00
if ( ! composite_is_ok ( state - > ctx ) ) return ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
2013-06-15 23:01:44 +10:00
if ( ! dom_sid_equal ( state - > domain - > info - > sid , & global_sid_Builtin ) ) {
dominfo = & ( * state - > queryinfo . out . info ) - > account_domain ;
if ( strcasecmp ( state - > domain - > info - > name , dominfo - > name . string ) ! = 0 ) {
DEBUG ( 2 , ( " Expected domain name %s, DC %s said %s \n " ,
state - > domain - > info - > name ,
dcerpc_server_name ( state - > domain - > libnet_ctx - > lsa . pipe ) ,
dominfo - > name . string ) ) ;
composite_error ( state - > ctx , NT_STATUS_INVALID_DOMAIN_STATE ) ;
return ;
}
if ( ! dom_sid_equal ( state - > domain - > info - > sid , dominfo - > sid ) ) {
DEBUG ( 2 , ( " Expected domain sid %s, DC %s said %s \n " ,
dom_sid_string ( state , state - > domain - > info - > sid ) ,
dcerpc_server_name ( state - > domain - > libnet_ctx - > lsa . pipe ) ,
dom_sid_string ( state , dominfo - > sid ) ) ) ;
composite_error ( state - > ctx , NT_STATUS_INVALID_DOMAIN_STATE ) ;
return ;
}
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
}
2007-08-19 21:23:03 +00:00
state - > domain - > samr_binding = init_domain_binding ( state , & ndr_table_samr ) ;
2007-05-25 08:04:39 +00:00
/* We want to use the same flags as the LSA pipe did (so, if
* it needed schannel , then we need that here too ) */
2014-02-04 09:55:11 +01:00
lflags = dcerpc_binding_get_flags ( state - > domain - > lsa_binding ) ;
state - > ctx - > status = dcerpc_binding_set_flags ( state - > domain - > samr_binding ,
lflags , 0 ) ;
if ( ! composite_is_ok ( state - > ctx ) ) return ;
2007-05-25 08:04:39 +00:00
2007-07-23 02:56:51 +00:00
state - > domain - > libnet_ctx - > samr . pipe = NULL ;
2014-01-16 01:00:18 +01:00
state - > domain - > libnet_ctx - > samr . samr_handle = NULL ;
2007-05-25 08:04:39 +00:00
ctx = wb_connect_samr_send ( state , state - > domain ) ;
composite_continue ( state - > ctx , ctx , init_domain_recv_samr , state ) ;
}
/* Recv the SAMR details (SamrConnect and SamrOpenDomain handle) and
* open an LDAP connection */
static void init_domain_recv_samr ( struct composite_context * ctx )
{
struct init_domain_state * state =
talloc_get_type ( ctx - > async . private_data ,
struct init_domain_state ) ;
state - > ctx - > status = wb_connect_samr_recv (
ctx , state - > domain ,
2007-07-23 02:56:51 +00:00
& state - > domain - > libnet_ctx - > samr . pipe ,
2008-12-06 15:48:10 +01:00
& state - > domain - > libnet_ctx - > samr . connect_handle ,
2007-07-23 02:56:51 +00:00
& state - > domain - > libnet_ctx - > samr . handle ) ;
2007-05-25 08:04:39 +00:00
if ( ! composite_is_ok ( state - > ctx ) ) return ;
2009-08-07 17:23:52 +10:00
talloc_reparent ( state , state - > domain - > libnet_ctx - > samr . pipe , state - > domain - > samr_binding ) ;
2014-01-16 01:00:18 +01:00
state - > domain - > libnet_ctx - > samr . samr_handle =
state - > domain - > libnet_ctx - > samr . pipe - > binding_handle ;
2007-08-01 04:05:06 +00:00
state - > domain - > libnet_ctx - > samr . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
state - > domain - > libnet_ctx - > samr . name = state - > domain - > info - > name ;
2009-01-06 09:55:09 +01:00
state - > domain - > libnet_ctx - > samr . sid = dom_sid_dup (
state - > domain - > libnet_ctx ,
state - > domain - > info - > sid ) ;
2007-05-25 08:04:39 +00:00
2005-10-10 19:57:55 +00:00
composite_done ( state - > ctx ) ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
}
2005-11-05 23:46:57 +00:00
NTSTATUS wb_init_domain_recv ( struct composite_context * c ,
TALLOC_CTX * mem_ctx ,
struct wbsrv_domain * * result )
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
{
NTSTATUS status = composite_wait ( c ) ;
if ( NT_STATUS_IS_OK ( status ) ) {
struct init_domain_state * state =
talloc_get_type ( c - > private_data ,
struct init_domain_state ) ;
2005-11-05 23:46:57 +00:00
* result = talloc_steal ( mem_ctx , state - > domain ) ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
}
talloc_free ( c ) ;
return status ;
}
2005-11-05 23:46:57 +00:00
NTSTATUS wb_init_domain ( TALLOC_CTX * mem_ctx , struct wbsrv_service * service ,
struct wb_dom_info * dom_info ,
struct wbsrv_domain * * result )
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
{
struct composite_context * c =
2005-11-05 23:46:57 +00:00
wb_init_domain_send ( mem_ctx , service , dom_info ) ;
return wb_init_domain_recv ( c , mem_ctx , result ) ;
r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
2005-10-09 20:32:24 +00:00
}
