2006-07-31 19:38:18 +04:00
/*
Unix SMB / CIFS implementation .
Do a netr_LogonSamLogon to a remote DC
Copyright ( C ) Volker Lendecke 2005
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2005
Copyright ( C ) Stefan Metzmacher 2006
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2006-07-31 19:38:18 +04:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2006-07-31 19:38:18 +04:00
*/
# include "includes.h"
2012-08-24 15:15:42 +04:00
# include <tevent.h>
# include "../lib/util/tevent_ntstatus.h"
2006-07-31 19:38:18 +04:00
# include "libcli/composite/composite.h"
# include "winbind/wb_server.h"
# include "smbd/service_task.h"
2006-11-07 03:48:36 +03:00
# include "auth/credentials/credentials.h"
2006-07-31 19:38:18 +04:00
# include "libcli/auth/libcli_auth.h"
# include "librpc/gen_ndr/ndr_netlogon_c.h"
2010-05-24 04:52:18 +04:00
# include "librpc/gen_ndr/winbind.h"
2006-07-31 19:38:18 +04:00
struct wb_sam_logon_state {
2012-08-24 15:15:42 +04:00
struct tevent_context * ev ;
2006-07-31 19:38:18 +04:00
struct winbind_SamLogon * req ;
2012-08-24 15:40:13 +04:00
struct wbsrv_domain * domain ;
struct tevent_queue_entry * queue_entry ;
2009-04-06 16:54:44 +04:00
struct netlogon_creds_CredentialState * creds_state ;
2006-07-31 19:38:18 +04:00
struct netr_Authenticator auth1 , auth2 ;
TALLOC_CTX * r_mem_ctx ;
struct netr_LogonSamLogon r ;
} ;
static void wb_sam_logon_recv_domain ( struct composite_context * ctx ) ;
2012-08-24 15:40:13 +04:00
static void wb_sam_logon_queue_trigger ( struct tevent_req * req , void * priv ) ;
2010-03-10 12:04:20 +03:00
static void wb_sam_logon_recv_samlogon ( struct tevent_req * subreq ) ;
2006-07-31 19:38:18 +04:00
/*
Find the connection to the DC ( or find an existing connection )
*/
2012-08-24 15:15:42 +04:00
struct tevent_req * wb_sam_logon_send ( TALLOC_CTX * mem_ctx ,
struct tevent_context * ev ,
struct wbsrv_service * service ,
struct winbind_SamLogon * _req )
2006-07-31 19:38:18 +04:00
{
2012-08-24 15:15:42 +04:00
struct tevent_req * req ;
struct wb_sam_logon_state * state ;
struct composite_context * csubreq ;
req = tevent_req_create ( mem_ctx , & state ,
struct wb_sam_logon_state ) ;
if ( req = = NULL ) {
return NULL ;
}
state - > ev = ev ;
state - > req = _req ;
2006-07-31 19:38:18 +04:00
2012-08-24 15:15:42 +04:00
csubreq = wb_sid2domain_send ( state , service , service - > primary_sid ) ;
if ( tevent_req_nomem ( csubreq , req ) ) {
return tevent_req_post ( req , ev ) ;
}
csubreq - > async . fn = wb_sam_logon_recv_domain ;
csubreq - > async . private_data = req ;
2006-07-31 19:38:18 +04:00
2012-08-24 15:15:42 +04:00
return req ;
2006-07-31 19:38:18 +04:00
}
/*
2007-04-30 20:52:30 +04:00
Having finished making the connection to the DC
2006-07-31 19:38:18 +04:00
Send of a SamLogon request to authenticate a user .
*/
2012-08-24 15:15:42 +04:00
static void wb_sam_logon_recv_domain ( struct composite_context * csubreq )
2006-07-31 19:38:18 +04:00
{
2012-08-24 15:15:42 +04:00
struct tevent_req * req =
talloc_get_type_abort ( csubreq - > async . private_data ,
struct tevent_req ) ;
struct wb_sam_logon_state * state =
tevent_req_data ( req ,
struct wb_sam_logon_state ) ;
NTSTATUS status ;
2012-08-24 15:40:13 +04:00
struct tevent_queue_entry * e ;
2006-07-31 19:38:18 +04:00
2012-08-24 15:40:13 +04:00
status = wb_sid2domain_recv ( csubreq , & state - > domain ) ;
2012-08-24 15:15:42 +04:00
if ( tevent_req_nterror ( req , status ) ) {
return ;
}
2006-07-31 19:38:18 +04:00
2012-08-24 15:40:13 +04:00
/*
* Because of the netlogon_creds behavior we have to
* queue the netr_LogonSamLogon ( ) calls
*/
e = tevent_queue_add_entry ( state - > domain - > netlogon_queue ,
state - > ev ,
req ,
wb_sam_logon_queue_trigger ,
NULL ) ;
state - > queue_entry = e ;
}
static void wb_sam_logon_queue_trigger ( struct tevent_req * req , void * priv )
{
struct wb_sam_logon_state * state =
tevent_req_data ( req ,
struct wb_sam_logon_state ) ;
struct wbsrv_domain * domain = state - > domain ;
struct tevent_req * subreq ;
2012-08-24 15:15:42 +04:00
state - > creds_state = cli_credentials_get_netlogon_creds ( domain - > libnet_ctx - > cred ) ;
netlogon_creds_client_authenticator ( state - > creds_state , & state - > auth1 ) ;
2006-07-31 19:38:18 +04:00
2012-08-24 15:15:42 +04:00
state - > r . in . server_name = talloc_asprintf ( state , " \\ \\ %s " ,
2006-07-31 19:38:18 +04:00
dcerpc_server_name ( domain - > netlogon_pipe ) ) ;
2012-08-24 15:15:42 +04:00
if ( tevent_req_nomem ( state - > r . in . server_name , req ) ) {
return ;
}
2008-10-28 21:03:50 +03:00
2012-08-24 15:15:42 +04:00
state - > r . in . computer_name = cli_credentials_get_workstation ( domain - > libnet_ctx - > cred ) ;
state - > r . in . credential = & state - > auth1 ;
state - > r . in . return_authenticator = & state - > auth2 ;
state - > r . in . logon_level = state - > req - > in . logon_level ;
state - > r . in . logon = & state - > req - > in . logon ;
state - > r . in . validation_level = state - > req - > in . validation_level ;
state - > r . out . return_authenticator = NULL ;
state - > r . out . validation = talloc ( state , union netr_Validation ) ;
if ( tevent_req_nomem ( state - > r . out . validation , req ) ) {
return ;
}
state - > r . out . authoritative = talloc ( state , uint8_t ) ;
if ( tevent_req_nomem ( state - > r . out . authoritative , req ) ) {
return ;
}
2006-07-31 19:38:18 +04:00
/*
* use a new talloc context for the LogonSamLogon call
* because then we can just to a talloc_steal on this context
* in the final _recv ( ) function to give the caller all the content of
2012-08-24 15:15:42 +04:00
* the state - > r . out . validation
2006-07-31 19:38:18 +04:00
*/
2012-08-24 15:15:42 +04:00
state - > r_mem_ctx = talloc_new ( state ) ;
if ( tevent_req_nomem ( state - > r_mem_ctx , req ) ) {
return ;
}
2006-07-31 19:38:18 +04:00
2012-08-24 15:15:42 +04:00
subreq = dcerpc_netr_LogonSamLogon_r_send ( state ,
state - > ev ,
2010-03-10 12:04:20 +03:00
domain - > netlogon_pipe - > binding_handle ,
2012-08-24 15:15:42 +04:00
& state - > r ) ;
if ( tevent_req_nomem ( subreq , req ) ) {
return ;
}
tevent_req_set_callback ( subreq , wb_sam_logon_recv_samlogon , req ) ;
2006-07-31 19:38:18 +04:00
}
/*
NTLM Authentication
Check the SamLogon reply and decrypt the session keys
*/
2010-03-10 12:04:20 +03:00
static void wb_sam_logon_recv_samlogon ( struct tevent_req * subreq )
2006-07-31 19:38:18 +04:00
{
2012-08-24 15:15:42 +04:00
struct tevent_req * req =
tevent_req_callback_data ( subreq ,
struct tevent_req ) ;
struct wb_sam_logon_state * state =
tevent_req_data ( req ,
struct wb_sam_logon_state ) ;
NTSTATUS status ;
bool ok ;
status = dcerpc_netr_LogonSamLogon_r_recv ( subreq , state - > r_mem_ctx ) ;
2010-03-10 12:04:20 +03:00
TALLOC_FREE ( subreq ) ;
2012-08-24 15:15:42 +04:00
if ( tevent_req_nterror ( req , status ) ) {
return ;
}
2006-07-31 19:38:18 +04:00
2012-08-24 15:15:42 +04:00
if ( tevent_req_nterror ( req , state - > r . out . result ) ) {
return ;
}
if ( state - > r . out . return_authenticator = = NULL ) {
tevent_req_nterror ( req , NT_STATUS_ACCESS_DENIED ) ;
return ;
}
2006-07-31 19:38:18 +04:00
2012-08-24 15:15:42 +04:00
ok = netlogon_creds_client_check ( state - > creds_state ,
& state - > r . out . return_authenticator - > cred ) ;
if ( ! ok ) {
2006-07-31 19:38:18 +04:00
DEBUG ( 0 , ( " Credentials check failed! \n " ) ) ;
2012-08-24 15:15:42 +04:00
tevent_req_nterror ( req , NT_STATUS_ACCESS_DENIED ) ;
2006-07-31 19:38:18 +04:00
return ;
}
/* Decrypt the session keys before we reform the info3, so the
* person on the other end of winbindd pipe doesn ' t have to .
* They won ' t have the encryption key anyway */
2012-12-14 17:17:22 +04:00
netlogon_creds_decrypt_samlogon_validation ( state - > creds_state ,
state - > r . in . validation_level ,
state - > r . out . validation ) ;
2006-07-31 19:38:18 +04:00
2012-08-24 15:40:13 +04:00
/*
* we do not need the netlogon_creds lock anymore
*/
TALLOC_FREE ( state - > queue_entry ) ;
2012-08-24 15:15:42 +04:00
tevent_req_done ( req ) ;
2006-07-31 19:38:18 +04:00
}
2012-08-24 15:15:42 +04:00
NTSTATUS wb_sam_logon_recv ( struct tevent_req * req ,
2006-07-31 19:38:18 +04:00
TALLOC_CTX * mem_ctx ,
2012-08-24 15:15:42 +04:00
struct winbind_SamLogon * _req )
2006-07-31 19:38:18 +04:00
{
2012-08-24 15:15:42 +04:00
struct wb_sam_logon_state * state =
tevent_req_data ( req ,
struct wb_sam_logon_state ) ;
NTSTATUS status ;
if ( tevent_req_is_nterror ( req , & status ) ) {
tevent_req_received ( req ) ;
return status ;
2006-07-31 19:38:18 +04:00
}
2012-08-24 15:15:42 +04:00
talloc_steal ( mem_ctx , state - > r_mem_ctx ) ;
_req - > out . validation = * state - > r . out . validation ;
_req - > out . authoritative = 1 ;
tevent_req_received ( req ) ;
return NT_STATUS_OK ;
2006-07-31 19:38:18 +04:00
}