2009-07-28 23:06:11 +04:00
/*
Unix SMB / CIFS implementation .
In - Child server implementation of the routines defined in wbint . idl
Copyright ( C ) Volker Lendecke 2009
2009-10-06 20:26:33 +04:00
Copyright ( C ) Guenther Deschner 2009
2009-07-28 23:06:11 +04:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
# include "includes.h"
# include "winbindd/winbindd.h"
# include "winbindd/winbindd_proto.h"
2011-02-28 12:19:44 +03:00
# include "rpc_client/cli_pipe.h"
2011-05-02 15:21:53 +04:00
# include "ntdomain.h"
2019-05-28 17:12:51 +03:00
# include "librpc/gen_ndr/ndr_winbind.h"
# include "librpc/gen_ndr/ndr_winbind_scompat.h"
2011-01-12 13:55:34 +03:00
# include "../librpc/gen_ndr/ndr_netlogon_c.h"
2014-12-23 11:04:42 +03:00
# include "../librpc/gen_ndr/ndr_lsa_c.h"
2010-08-18 20:13:42 +04:00
# include "idmap.h"
2010-10-12 08:27:50 +04:00
# include "../libcli/security/security.h"
2014-05-06 09:00:09 +04:00
# include "../libcli/auth/netlogon_creds_cli.h"
2014-12-23 11:04:42 +03:00
# include "passdb.h"
# include "../source4/dsdb/samdb/samdb.h"
2017-12-11 18:25:35 +03:00
# include "rpc_client/cli_netlogon.h"
# include "rpc_client/util_netlogon.h"
2018-01-05 16:21:05 +03:00
# include "libsmb/dsgetdcname.h"
2021-01-03 23:53:49 +03:00
# include "lib/global_contexts.h"
2009-07-28 23:06:11 +04:00
2010-07-28 12:28:36 +04:00
void _wbint_Ping ( struct pipes_struct * p , struct wbint_Ping * r )
2009-07-28 23:06:11 +04:00
{
* r - > out . out_data = r - > in . in_data ;
}
2009-08-04 01:44:46 +04:00
2018-03-12 13:29:22 +03:00
bool reset_cm_connection_on_error ( struct winbindd_domain * domain ,
2018-03-12 18:11:37 +03:00
struct dcerpc_binding_handle * b ,
2018-03-12 13:29:22 +03:00
NTSTATUS status )
2011-06-04 01:28:33 +04:00
{
2018-03-12 15:39:59 +03:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_ACCESS_DENIED ) | |
NT_STATUS_EQUAL ( status , NT_STATUS_RPC_SEC_PKG_ERROR ) | |
NT_STATUS_EQUAL ( status , NT_STATUS_NETWORK_ACCESS_DENIED ) ) {
invalidate_cm_connection ( domain ) ;
domain - > conn . netlogon_force_reauth = true ;
return true ;
}
2018-03-12 13:12:34 +03:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_IO_TIMEOUT ) | |
NT_STATUS_EQUAL ( status , NT_STATUS_IO_DEVICE_ERROR ) )
{
2014-09-23 21:35:21 +04:00
invalidate_cm_connection ( domain ) ;
2011-06-04 01:28:33 +04:00
/* We invalidated the connection. */
return true ;
}
2018-03-12 18:11:37 +03:00
if ( b ! = NULL & & ! dcerpc_binding_handle_is_connected ( b ) ) {
invalidate_cm_connection ( domain ) ;
return true ;
}
2011-06-04 01:28:33 +04:00
return false ;
}
2010-07-28 12:28:36 +04:00
NTSTATUS _wbint_LookupSid ( struct pipes_struct * p , struct wbint_LookupSid * r )
2009-08-04 01:44:46 +04:00
{
struct winbindd_domain * domain = wb_child_domain ( ) ;
char * dom_name ;
char * name ;
enum lsa_SidType type ;
NTSTATUS status ;
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
2016-10-08 02:31:40 +03:00
status = wb_cache_sid_to_name ( domain , p - > mem_ctx , r - > in . sid ,
& dom_name , & name , & type ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2009-08-04 01:44:46 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
* r - > out . domain = dom_name ;
* r - > out . name = name ;
* r - > out . type = type ;
return NT_STATUS_OK ;
}
2009-08-04 15:22:34 +04:00
2011-03-11 14:48:11 +03:00
NTSTATUS _wbint_LookupSids ( struct pipes_struct * p , struct wbint_LookupSids * r )
{
struct winbindd_domain * domain = wb_child_domain ( ) ;
2014-02-20 16:14:31 +04:00
struct lsa_RefDomainList * domains = r - > out . domains ;
2011-06-04 01:28:33 +04:00
NTSTATUS status ;
2018-03-12 19:09:34 +03:00
bool retry = false ;
2011-03-11 14:48:11 +03:00
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
/*
* This breaks the winbindd_domain - > methods abstraction : This
* is only called for remote domains , and both winbindd_msrpc
* and winbindd_ad call into lsa_lookupsids anyway . Caching is
* done at the wbint RPC layer .
*/
2018-03-12 19:09:34 +03:00
again :
2011-06-04 01:28:33 +04:00
status = rpc_lookup_sids ( p - > mem_ctx , domain , r - > in . sids ,
2014-02-20 16:14:31 +04:00
& domains , & r - > out . names ) ;
if ( domains ! = NULL ) {
r - > out . domains = domains ;
}
2018-03-12 19:09:34 +03:00
if ( ! retry & & reset_cm_connection_on_error ( domain , NULL , status ) ) {
retry = true ;
goto again ;
}
2011-06-04 01:28:33 +04:00
return status ;
2011-03-11 14:48:11 +03:00
}
2010-07-28 12:28:36 +04:00
NTSTATUS _wbint_LookupName ( struct pipes_struct * p , struct wbint_LookupName * r )
2009-08-04 15:22:34 +04:00
{
struct winbindd_domain * domain = wb_child_domain ( ) ;
2011-06-04 01:28:33 +04:00
NTSTATUS status ;
2009-08-04 15:22:34 +04:00
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
2016-10-08 02:31:40 +03:00
status = wb_cache_name_to_sid ( domain , p - > mem_ctx , r - > in . domain ,
r - > in . name , r - > in . flags ,
r - > out . sid , r - > out . type ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2011-06-04 01:28:33 +04:00
return status ;
2009-08-04 15:22:34 +04:00
}
2009-08-04 21:28:59 +04:00
2011-03-23 20:18:13 +03:00
NTSTATUS _wbint_Sids2UnixIDs ( struct pipes_struct * p ,
struct wbint_Sids2UnixIDs * r )
{
2015-12-30 00:33:20 +03:00
uint32_t i ;
struct lsa_DomainInfo * d ;
struct wbint_TransID * ids ;
uint32_t num_ids ;
struct id_map * * id_map_ptrs = NULL ;
struct idmap_domain * dom ;
2011-03-23 20:18:13 +03:00
NTSTATUS status = NT_STATUS_NO_MEMORY ;
2015-12-30 00:33:20 +03:00
if ( r - > in . domains - > count ! = 1 ) {
return NT_STATUS_INVALID_PARAMETER ;
}
2011-03-23 20:18:13 +03:00
2015-12-30 00:33:20 +03:00
d = & r - > in . domains - > domains [ 0 ] ;
ids = r - > in . ids - > ids ;
num_ids = r - > in . ids - > num_ids ;
2011-03-23 20:18:13 +03:00
2015-12-30 00:33:20 +03:00
dom = idmap_find_domain_with_sid ( d - > name . string , d - > sid ) ;
if ( dom = = NULL ) {
2018-12-14 23:09:51 +03:00
struct dom_sid_buf buf ;
2015-12-30 00:33:20 +03:00
DEBUG ( 10 , ( " idmap domain %s:%s not found \n " ,
2018-12-14 23:09:51 +03:00
d - > name . string ,
dom_sid_str_buf ( d - > sid , & buf ) ) ) ;
2011-03-23 20:18:13 +03:00
2015-12-30 00:33:20 +03:00
for ( i = 0 ; i < num_ids ; i + + ) {
2011-03-23 20:18:13 +03:00
2015-12-30 00:33:20 +03:00
ids [ i ] . xid = ( struct unixid ) {
. id = UINT32_MAX ,
. type = ID_TYPE_NOT_SPECIFIED
} ;
2011-03-23 20:18:13 +03:00
}
2015-12-30 00:33:20 +03:00
return NT_STATUS_OK ;
}
2016-03-04 16:23:51 +03:00
id_map_ptrs = id_map_ptrs_init ( talloc_tos ( ) , num_ids ) ;
2015-12-30 00:33:20 +03:00
if ( id_map_ptrs = = NULL ) {
goto nomem ;
}
2011-03-23 20:18:13 +03:00
2015-12-30 00:33:20 +03:00
/*
* Convert the input data into a list of id_map structs
* suitable for handing in to the idmap sids_to_unixids
* method .
*/
for ( i = 0 ; i < num_ids ; i + + ) {
2016-03-04 16:23:51 +03:00
struct id_map * m = id_map_ptrs [ i ] ;
2015-12-30 00:33:20 +03:00
2016-03-04 16:23:51 +03:00
sid_compose ( m - > sid , d - > sid , ids [ i ] . rid ) ;
m - > status = ID_UNKNOWN ;
2020-09-15 17:01:04 +03:00
m - > xid = ( struct unixid ) { . type = ids [ i ] . type_hint } ;
2015-12-30 00:33:20 +03:00
}
status = dom - > methods - > sids_to_unixids ( dom , id_map_ptrs ) ;
2018-12-18 17:53:48 +03:00
if ( NT_STATUS_EQUAL ( status , STATUS_SOME_UNMAPPED ) ) {
/*
* This is okay . We need to transfer the mapped ones
* up to our caller . The individual mappings carry the
* information whether they are mapped or not .
*/
status = NT_STATUS_OK ;
}
2015-12-30 00:33:20 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2011-03-23 20:18:13 +03:00
DEBUG ( 10 , ( " sids_to_unixids returned %s \n " ,
nt_errstr ( status ) ) ) ;
2015-12-30 00:33:20 +03:00
goto done ;
}
2011-03-23 20:18:13 +03:00
2015-12-30 00:33:20 +03:00
/*
* Extract the results for handing them back to the caller .
*/
2011-03-23 20:18:13 +03:00
2015-12-30 00:33:20 +03:00
for ( i = 0 ; i < num_ids ; i + + ) {
2016-03-04 16:23:51 +03:00
struct id_map * m = id_map_ptrs [ i ] ;
2012-11-18 16:51:13 +04:00
2020-09-15 18:26:11 +03:00
if ( m - > status = = ID_REQUIRE_TYPE ) {
ids [ i ] . xid . id = UINT32_MAX ;
ids [ i ] . xid . type = ID_TYPE_WB_REQUIRE_TYPE ;
continue ;
}
2016-08-09 19:25:12 +03:00
if ( ! idmap_unix_id_is_in_range ( m - > xid . id , dom ) ) {
2017-03-07 16:06:52 +03:00
DBG_DEBUG ( " id % " PRIu32 " is out of range "
" % " PRIu32 " -% " PRIu32 " for domain %s \n " ,
m - > xid . id , dom - > low_id , dom - > high_id ,
dom - > name ) ;
2016-08-09 19:25:12 +03:00
m - > status = ID_UNMAPPED ;
}
2016-03-04 16:23:51 +03:00
if ( m - > status = = ID_MAPPED ) {
ids [ i ] . xid = m - > xid ;
2015-12-30 00:33:20 +03:00
} else {
ids [ i ] . xid . id = UINT32_MAX ;
ids [ i ] . xid . type = ID_TYPE_NOT_SPECIFIED ;
2011-03-23 20:18:13 +03:00
}
}
2015-12-30 00:33:20 +03:00
goto done ;
2011-03-23 20:18:13 +03:00
nomem :
2015-12-30 00:33:20 +03:00
status = NT_STATUS_NO_MEMORY ;
done :
TALLOC_FREE ( id_map_ptrs ) ;
2011-03-23 20:18:13 +03:00
return status ;
}
2015-08-20 18:07:19 +03:00
NTSTATUS _wbint_UnixIDs2Sids ( struct pipes_struct * p ,
struct wbint_UnixIDs2Sids * r )
{
2016-03-04 17:45:24 +03:00
struct id_map * * maps ;
NTSTATUS status ;
2015-08-20 18:07:19 +03:00
uint32_t i ;
2016-03-04 17:45:24 +03:00
maps = id_map_ptrs_init ( talloc_tos ( ) , r - > in . num_ids ) ;
if ( maps = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
2015-08-20 18:07:19 +03:00
for ( i = 0 ; i < r - > in . num_ids ; i + + ) {
2016-03-04 17:45:24 +03:00
maps [ i ] - > status = ID_UNKNOWN ;
maps [ i ] - > xid = r - > in . xids [ i ] ;
}
2015-08-20 18:07:19 +03:00
2017-09-25 16:39:39 +03:00
status = idmap_backend_unixids_to_sids ( maps , r - > in . domain_name ,
r - > in . domain_sid ) ;
2016-03-04 17:45:24 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
TALLOC_FREE ( maps ) ;
return status ;
}
for ( i = 0 ; i < r - > in . num_ids ; i + + ) {
2016-12-21 13:29:08 +03:00
r - > out . xids [ i ] = maps [ i ] - > xid ;
2016-03-04 17:45:24 +03:00
sid_copy ( & r - > out . sids [ i ] , maps [ i ] - > sid ) ;
2015-08-20 18:07:19 +03:00
}
2016-03-04 17:45:24 +03:00
TALLOC_FREE ( maps ) ;
2015-08-20 18:07:19 +03:00
return NT_STATUS_OK ;
}
2010-07-28 12:28:36 +04:00
NTSTATUS _wbint_AllocateUid ( struct pipes_struct * p , struct wbint_AllocateUid * r )
2009-08-30 11:41:43 +04:00
{
struct unixid xid ;
NTSTATUS status ;
status = idmap_allocate_uid ( & xid ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
* r - > out . uid = xid . id ;
return NT_STATUS_OK ;
}
2010-07-28 12:28:36 +04:00
NTSTATUS _wbint_AllocateGid ( struct pipes_struct * p , struct wbint_AllocateGid * r )
2009-08-30 11:46:34 +04:00
{
struct unixid xid ;
NTSTATUS status ;
status = idmap_allocate_gid ( & xid ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
* r - > out . gid = xid . id ;
return NT_STATUS_OK ;
}
2016-12-29 12:56:29 +03:00
NTSTATUS _wbint_GetNssInfo ( struct pipes_struct * p , struct wbint_GetNssInfo * r )
{
struct idmap_domain * domain ;
NTSTATUS status ;
domain = idmap_find_domain ( r - > in . info - > domain_name ) ;
if ( ( domain = = NULL ) | | ( domain - > query_user = = NULL ) ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
status = domain - > query_user ( domain , r - > in . info ) ;
return status ;
}
2010-07-28 12:28:36 +04:00
NTSTATUS _wbint_LookupUserAliases ( struct pipes_struct * p ,
2009-08-04 23:54:05 +04:00
struct wbint_LookupUserAliases * r )
{
struct winbindd_domain * domain = wb_child_domain ( ) ;
2011-06-04 01:28:33 +04:00
NTSTATUS status ;
2009-08-04 23:54:05 +04:00
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
2016-10-08 02:31:40 +03:00
status = wb_cache_lookup_useraliases ( domain , p - > mem_ctx ,
r - > in . sids - > num_sids ,
r - > in . sids - > sids ,
& r - > out . rids - > num_rids ,
& r - > out . rids - > rids ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2011-06-04 01:28:33 +04:00
return status ;
2009-08-04 23:54:05 +04:00
}
2009-08-05 00:07:01 +04:00
2017-03-02 16:55:15 +03:00
NTSTATUS _wbint_LookupUserGroups ( struct pipes_struct * p ,
struct wbint_LookupUserGroups * r )
{
struct winbindd_domain * domain = wb_child_domain ( ) ;
NTSTATUS status ;
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
status = wb_cache_lookup_usergroups ( domain , p - > mem_ctx , r - > in . sid ,
& r - > out . sids - > num_sids ,
& r - > out . sids - > sids ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2017-03-02 16:55:15 +03:00
return status ;
}
2010-07-28 12:28:36 +04:00
NTSTATUS _wbint_QuerySequenceNumber ( struct pipes_struct * p ,
2009-08-15 13:16:28 +04:00
struct wbint_QuerySequenceNumber * r )
{
struct winbindd_domain * domain = wb_child_domain ( ) ;
2011-06-04 01:28:33 +04:00
NTSTATUS status ;
2009-08-15 13:16:28 +04:00
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
2016-10-08 02:31:40 +03:00
status = wb_cache_sequence_number ( domain , r - > out . sequence ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2011-06-04 01:28:33 +04:00
return status ;
2009-08-15 13:16:28 +04:00
}
2009-08-16 12:58:43 +04:00
2010-07-28 12:28:36 +04:00
NTSTATUS _wbint_LookupGroupMembers ( struct pipes_struct * p ,
2009-08-16 12:58:43 +04:00
struct wbint_LookupGroupMembers * r )
{
struct winbindd_domain * domain = wb_child_domain ( ) ;
uint32_t i , num_names ;
struct dom_sid * sid_mem ;
char * * names ;
uint32_t * name_types ;
NTSTATUS status ;
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
2016-10-08 02:31:40 +03:00
status = wb_cache_lookup_groupmem ( domain , p - > mem_ctx , r - > in . sid ,
r - > in . type , & num_names , & sid_mem ,
& names , & name_types ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2009-08-16 12:58:43 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2009-08-23 14:43:43 +04:00
r - > out . members - > num_principals = num_names ;
r - > out . members - > principals = talloc_array (
2009-08-23 14:38:35 +04:00
r - > out . members , struct wbint_Principal , num_names ) ;
2009-08-23 14:43:43 +04:00
if ( r - > out . members - > principals = = NULL ) {
2009-08-16 12:58:43 +04:00
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < num_names ; i + + ) {
2009-08-23 14:43:43 +04:00
struct wbint_Principal * m = & r - > out . members - > principals [ i ] ;
2009-08-16 12:58:43 +04:00
sid_copy ( & m - > sid , & sid_mem [ i ] ) ;
2009-08-23 14:43:43 +04:00
m - > name = talloc_move ( r - > out . members - > principals , & names [ i ] ) ;
2009-08-16 12:58:43 +04:00
m - > type = ( enum lsa_SidType ) name_types [ i ] ;
}
return NT_STATUS_OK ;
}
2009-08-18 00:40:19 +04:00
2010-07-28 12:28:36 +04:00
NTSTATUS _wbint_QueryGroupList ( struct pipes_struct * p ,
struct wbint_QueryGroupList * r )
2009-08-27 21:54:18 +04:00
{
2017-12-06 20:48:47 +03:00
TALLOC_CTX * frame = NULL ;
2009-08-27 21:54:18 +04:00
struct winbindd_domain * domain = wb_child_domain ( ) ;
2015-03-28 11:36:11 +03:00
uint32_t i ;
uint32_t num_local_groups = 0 ;
struct wb_acct_info * local_groups = NULL ;
uint32_t num_dom_groups = 0 ;
struct wb_acct_info * dom_groups = NULL ;
uint32_t ti = 0 ;
uint64_t num_total = 0 ;
2009-08-27 21:54:18 +04:00
struct wbint_Principal * result ;
2017-12-06 20:48:47 +03:00
NTSTATUS status = NT_STATUS_UNSUCCESSFUL ;
2015-03-28 11:36:11 +03:00
bool include_local_groups = false ;
2009-08-27 21:54:18 +04:00
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
2017-12-06 20:48:47 +03:00
frame = talloc_stackframe ( ) ;
2015-03-28 11:36:11 +03:00
switch ( lp_server_role ( ) ) {
case ROLE_ACTIVE_DIRECTORY_DC :
if ( domain - > internal ) {
/*
* we want to include local groups
* for BUILTIN and WORKGROUP
*/
include_local_groups = true ;
}
break ;
default :
/*
* We might include local groups in more
* setups later , but that requires more work
* elsewhere .
*/
break ;
}
if ( include_local_groups ) {
2017-12-06 20:48:47 +03:00
status = wb_cache_enum_local_groups ( domain , frame ,
2016-10-08 02:31:40 +03:00
& num_local_groups ,
& local_groups ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2015-03-28 11:36:11 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2017-12-06 20:48:47 +03:00
goto out ;
2015-03-28 11:36:11 +03:00
}
}
2017-12-06 20:48:47 +03:00
status = wb_cache_enum_dom_groups ( domain , frame ,
2016-10-08 02:31:40 +03:00
& num_dom_groups ,
& dom_groups ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2009-08-27 21:54:18 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2017-12-06 20:48:47 +03:00
goto out ;
2009-08-27 21:54:18 +04:00
}
2015-03-28 11:36:11 +03:00
num_total = num_local_groups + num_dom_groups ;
if ( num_total > UINT32_MAX ) {
2017-12-06 20:48:47 +03:00
status = NT_STATUS_INTERNAL_ERROR ;
goto out ;
2015-03-28 11:36:11 +03:00
}
2017-12-06 20:48:47 +03:00
result = talloc_array ( frame , struct wbint_Principal , num_total ) ;
2009-08-27 21:54:18 +04:00
if ( result = = NULL ) {
2017-12-06 20:48:47 +03:00
status = NT_STATUS_NO_MEMORY ;
goto out ;
2009-08-27 21:54:18 +04:00
}
2015-03-28 11:36:11 +03:00
for ( i = 0 ; i < num_local_groups ; i + + ) {
struct wb_acct_info * lg = & local_groups [ i ] ;
struct wbint_Principal * rg = & result [ ti + + ] ;
sid_compose ( & rg - > sid , & domain - > sid , lg - > rid ) ;
rg - > type = SID_NAME_ALIAS ;
rg - > name = talloc_strdup ( result , lg - > acct_name ) ;
if ( rg - > name = = NULL ) {
2017-12-06 20:48:47 +03:00
status = NT_STATUS_NO_MEMORY ;
goto out ;
2015-03-28 11:36:11 +03:00
}
}
num_local_groups = 0 ;
for ( i = 0 ; i < num_dom_groups ; i + + ) {
struct wb_acct_info * dg = & dom_groups [ i ] ;
struct wbint_Principal * rg = & result [ ti + + ] ;
sid_compose ( & rg - > sid , & domain - > sid , dg - > rid ) ;
rg - > type = SID_NAME_DOM_GRP ;
rg - > name = talloc_strdup ( result , dg - > acct_name ) ;
if ( rg - > name = = NULL ) {
2017-12-06 20:48:47 +03:00
status = NT_STATUS_NO_MEMORY ;
goto out ;
2009-08-27 21:54:18 +04:00
}
}
2015-03-28 11:36:11 +03:00
num_dom_groups = 0 ;
2009-08-27 21:54:18 +04:00
2015-03-28 11:36:11 +03:00
r - > out . groups - > num_principals = ti ;
2017-12-06 20:48:47 +03:00
r - > out . groups - > principals = talloc_move ( r - > out . groups , & result ) ;
2010-06-14 13:49:32 +04:00
2017-12-06 20:48:47 +03:00
status = NT_STATUS_OK ;
out :
TALLOC_FREE ( frame ) ;
return status ;
2009-08-27 21:54:18 +04:00
}
2016-12-29 21:13:28 +03:00
NTSTATUS _wbint_QueryUserRidList ( struct pipes_struct * p ,
struct wbint_QueryUserRidList * r )
{
struct winbindd_domain * domain = wb_child_domain ( ) ;
NTSTATUS status ;
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
/*
* Right now this is overkill . We should add a backend call
* just querying the rids .
*/
status = wb_cache_query_user_list ( domain , p - > mem_ctx ,
2017-01-03 15:11:30 +03:00
& r - > out . rids - > rids ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2016-12-29 21:13:28 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2017-01-03 15:11:30 +03:00
r - > out . rids - > num_rids = talloc_array_length ( r - > out . rids - > rids ) ;
2016-12-29 21:13:28 +03:00
2017-01-03 15:11:30 +03:00
return NT_STATUS_OK ;
2016-12-29 21:13:28 +03:00
}
2010-07-28 12:28:36 +04:00
NTSTATUS _wbint_DsGetDcName ( struct pipes_struct * p , struct wbint_DsGetDcName * r )
2009-08-26 00:13:34 +04:00
{
struct winbindd_domain * domain = wb_child_domain ( ) ;
struct rpc_pipe_client * netlogon_pipe ;
struct netr_DsRGetDCNameInfo * dc_info ;
NTSTATUS status ;
WERROR werr ;
unsigned int orig_timeout ;
2011-01-12 13:55:34 +03:00
struct dcerpc_binding_handle * b ;
2018-03-12 21:53:26 +03:00
bool retry = false ;
bool try_dsrgetdcname = false ;
2009-08-26 00:13:34 +04:00
if ( domain = = NULL ) {
2018-08-21 21:09:16 +03:00
return dsgetdcname ( p - > mem_ctx , global_messaging_context ( ) ,
2009-08-26 00:13:34 +04:00
r - > in . domain_name , r - > in . domain_guid ,
r - > in . site_name ? r - > in . site_name : " " ,
r - > in . flags ,
r - > out . dc_info ) ;
}
2018-03-12 21:53:26 +03:00
if ( domain - > active_directory ) {
try_dsrgetdcname = true ;
}
reconnect :
2009-08-26 00:13:34 +04:00
status = cm_connect_netlogon ( domain , & netlogon_pipe ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2009-08-26 00:13:34 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 10 , ( " Can't contact the NETLOGON pipe \n " ) ) ;
return status ;
}
2011-01-12 13:55:34 +03:00
b = netlogon_pipe - > binding_handle ;
2009-08-26 00:13:34 +04:00
/* This call can take a long time - allow the server to time out.
35 seconds should do it . */
orig_timeout = rpccli_set_timeout ( netlogon_pipe , 35000 ) ;
2018-03-12 21:53:26 +03:00
if ( try_dsrgetdcname ) {
2011-01-12 13:55:34 +03:00
status = dcerpc_netr_DsRGetDCName ( b ,
p - > mem_ctx , domain - > dcname ,
2009-08-26 00:13:34 +04:00
r - > in . domain_name , NULL , r - > in . domain_guid ,
r - > in . flags , r - > out . dc_info , & werr ) ;
if ( NT_STATUS_IS_OK ( status ) & & W_ERROR_IS_OK ( werr ) ) {
goto done ;
}
2018-03-12 21:53:26 +03:00
if ( ! retry & &
reset_cm_connection_on_error ( domain , NULL , status ) )
{
retry = true ;
goto reconnect ;
2011-06-04 01:28:33 +04:00
}
2018-03-12 21:53:26 +03:00
try_dsrgetdcname = false ;
retry = false ;
2009-08-26 00:13:34 +04:00
}
/*
* Fallback to less capable methods
*/
dc_info = talloc_zero ( r - > out . dc_info , struct netr_DsRGetDCNameInfo ) ;
if ( dc_info = = NULL ) {
status = NT_STATUS_NO_MEMORY ;
goto done ;
}
if ( r - > in . flags & DS_PDC_REQUIRED ) {
2011-01-12 13:55:34 +03:00
status = dcerpc_netr_GetDcName ( b ,
p - > mem_ctx , domain - > dcname ,
2009-08-26 00:13:34 +04:00
r - > in . domain_name , & dc_info - > dc_unc , & werr ) ;
} else {
2011-01-12 13:55:34 +03:00
status = dcerpc_netr_GetAnyDCName ( b ,
p - > mem_ctx , domain - > dcname ,
2009-08-26 00:13:34 +04:00
r - > in . domain_name , & dc_info - > dc_unc , & werr ) ;
}
2018-03-12 21:53:26 +03:00
if ( ! retry & & reset_cm_connection_on_error ( domain , b , status ) ) {
retry = true ;
goto reconnect ;
}
2009-08-26 00:13:34 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2011-01-12 13:55:34 +03:00
DEBUG ( 10 , ( " dcerpc_netr_Get[Any]DCName failed: %s \n " ,
2009-08-26 00:13:34 +04:00
nt_errstr ( status ) ) ) ;
goto done ;
}
if ( ! W_ERROR_IS_OK ( werr ) ) {
2011-01-12 13:55:34 +03:00
DEBUG ( 10 , ( " dcerpc_netr_Get[Any]DCName failed: %s \n " ,
2009-08-26 00:13:34 +04:00
win_errstr ( werr ) ) ) ;
status = werror_to_ntstatus ( werr ) ;
goto done ;
}
* r - > out . dc_info = dc_info ;
status = NT_STATUS_OK ;
done :
/* And restore our original timeout. */
rpccli_set_timeout ( netlogon_pipe , orig_timeout ) ;
return status ;
}
2009-08-27 19:11:24 +04:00
2010-07-28 12:28:36 +04:00
NTSTATUS _wbint_LookupRids ( struct pipes_struct * p , struct wbint_LookupRids * r )
2009-08-27 19:11:24 +04:00
{
struct winbindd_domain * domain = wb_child_domain ( ) ;
char * domain_name ;
char * * names ;
enum lsa_SidType * types ;
struct wbint_Principal * result ;
NTSTATUS status ;
2017-01-24 18:17:31 +03:00
uint32_t i ;
2009-08-27 19:11:24 +04:00
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
2016-10-08 02:31:40 +03:00
status = wb_cache_rids_to_names ( domain , talloc_tos ( ) , r - > in . domain_sid ,
r - > in . rids - > rids , r - > in . rids - > num_rids ,
& domain_name , & names , & types ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2020-07-08 16:09:45 +03:00
if ( ! NT_STATUS_IS_OK ( status ) & &
! NT_STATUS_EQUAL ( status , STATUS_SOME_UNMAPPED ) ) {
2009-08-27 19:11:24 +04:00
return status ;
}
2010-12-04 22:16:00 +03:00
* r - > out . domain_name = talloc_move ( r - > out . domain_name , & domain_name ) ;
2009-08-27 19:11:24 +04:00
result = talloc_array ( p - > mem_ctx , struct wbint_Principal ,
r - > in . rids - > num_rids ) ;
if ( result = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
for ( i = 0 ; i < r - > in . rids - > num_rids ; i + + ) {
2011-06-27 16:34:39 +04:00
sid_compose ( & result [ i ] . sid , r - > in . domain_sid ,
r - > in . rids - > rids [ i ] ) ;
2009-08-27 19:11:24 +04:00
result [ i ] . type = types [ i ] ;
result [ i ] . name = talloc_move ( result , & names [ i ] ) ;
}
TALLOC_FREE ( types ) ;
TALLOC_FREE ( names ) ;
r - > out . names - > num_principals = r - > in . rids - > num_rids ;
r - > out . names - > principals = result ;
return NT_STATUS_OK ;
}
2009-09-06 11:32:34 +04:00
2010-07-28 12:28:36 +04:00
NTSTATUS _wbint_CheckMachineAccount ( struct pipes_struct * p ,
2009-09-06 11:32:34 +04:00
struct wbint_CheckMachineAccount * r )
{
struct winbindd_domain * domain ;
int num_retries = 0 ;
NTSTATUS status ;
domain = wb_child_domain ( ) ;
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
2009-11-23 15:58:23 +03:00
again :
2014-09-23 21:35:21 +04:00
invalidate_cm_connection ( domain ) ;
2013-08-07 13:32:44 +04:00
domain - > conn . netlogon_force_reauth = true ;
2009-09-06 11:32:34 +04:00
{
2018-02-02 17:24:00 +03:00
struct rpc_pipe_client * netlogon_pipe = NULL ;
struct netlogon_creds_cli_context * netlogon_creds_ctx = NULL ;
status = cm_connect_netlogon_secure ( domain ,
& netlogon_pipe ,
& netlogon_creds_ctx ) ;
2009-09-06 11:32:34 +04:00
}
/* There is a race condition between fetching the trust account
password and the periodic machine password change . So it ' s
possible that the trust account password has been changed on us .
We are returned NT_STATUS_ACCESS_DENIED if this happens . */
# define MAX_RETRIES 3
if ( ( num_retries < MAX_RETRIES )
& & NT_STATUS_EQUAL ( status , NT_STATUS_ACCESS_DENIED ) ) {
num_retries + + ;
goto again ;
}
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 3 , ( " could not open handle to NETLOGON pipe \n " ) ) ;
goto done ;
}
/* Pass back result code - zero for success, other values for
specific failures . */
2009-10-06 19:46:25 +04:00
DEBUG ( 3 , ( " domain %s secret is %s \n " , domain - > name ,
NT_STATUS_IS_OK ( status ) ? " good " : " bad " ) ) ;
2009-09-06 11:32:34 +04:00
done :
DEBUG ( NT_STATUS_IS_OK ( status ) ? 5 : 2 ,
2009-10-06 19:46:25 +04:00
( " Checking the trust account password for domain %s returned %s \n " ,
domain - > name , nt_errstr ( status ) ) ) ;
2009-09-06 11:32:34 +04:00
return status ;
}
2009-09-06 16:47:06 +04:00
2010-07-28 12:28:36 +04:00
NTSTATUS _wbint_ChangeMachineAccount ( struct pipes_struct * p ,
2009-10-06 20:26:33 +04:00
struct wbint_ChangeMachineAccount * r )
{
2018-08-21 21:09:16 +03:00
struct messaging_context * msg_ctx = global_messaging_context ( ) ;
2009-10-06 20:26:33 +04:00
struct winbindd_domain * domain ;
NTSTATUS status ;
2018-02-02 17:24:00 +03:00
struct rpc_pipe_client * netlogon_pipe = NULL ;
struct netlogon_creds_cli_context * netlogon_creds_ctx = NULL ;
2009-10-06 20:26:33 +04:00
domain = wb_child_domain ( ) ;
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
2018-02-02 17:24:00 +03:00
status = cm_connect_netlogon_secure ( domain ,
& netlogon_pipe ,
& netlogon_creds_ctx ) ;
2009-10-06 20:26:33 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 3 , ( " could not open handle to NETLOGON pipe \n " ) ) ;
goto done ;
}
2018-02-02 17:24:00 +03:00
status = trust_pw_change ( netlogon_creds_ctx ,
2013-09-16 20:37:34 +04:00
msg_ctx ,
netlogon_pipe - > binding_handle ,
domain - > name ,
2017-05-22 16:36:29 +03:00
domain - > dcname ,
2013-09-16 20:37:34 +04:00
true ) ; /* force */
2009-10-06 20:26:33 +04:00
/* Pass back result code - zero for success, other values for
specific failures . */
DEBUG ( 3 , ( " domain %s secret %s \n " , domain - > name ,
NT_STATUS_IS_OK ( status ) ? " changed " : " unchanged " ) ) ;
done :
DEBUG ( NT_STATUS_IS_OK ( status ) ? 5 : 2 ,
( " Changing the trust account password for domain %s returned %s \n " ,
domain - > name , nt_errstr ( status ) ) ) ;
return status ;
}
2010-07-28 12:28:36 +04:00
NTSTATUS _wbint_PingDc ( struct pipes_struct * p , struct wbint_PingDc * r )
2009-12-21 23:50:43 +03:00
{
NTSTATUS status ;
struct winbindd_domain * domain ;
struct rpc_pipe_client * netlogon_pipe ;
union netr_CONTROL_QUERY_INFORMATION info ;
WERROR werr ;
fstring logon_server ;
2011-01-12 13:55:34 +03:00
struct dcerpc_binding_handle * b ;
2014-12-23 02:19:47 +03:00
bool retry = false ;
2009-12-21 23:50:43 +03:00
domain = wb_child_domain ( ) ;
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
2014-12-23 02:19:47 +03:00
reconnect :
2009-12-21 23:50:43 +03:00
status = cm_connect_netlogon ( domain , & netlogon_pipe ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2009-12-21 23:50:43 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2013-05-24 23:40:49 +04:00
DEBUG ( 3 , ( " could not open handle to NETLOGON pipe: %s \n " ,
nt_errstr ( status ) ) ) ;
2009-12-21 23:50:43 +03:00
return status ;
}
2011-01-12 13:55:34 +03:00
b = netlogon_pipe - > binding_handle ;
2009-12-21 23:50:43 +03:00
fstr_sprintf ( logon_server , " \\ \\ %s " , domain - > dcname ) ;
2012-08-10 19:10:42 +04:00
* r - > out . dcname = talloc_strdup ( p - > mem_ctx , domain - > dcname ) ;
2013-02-25 17:55:48 +04:00
if ( * r - > out . dcname = = NULL ) {
2012-08-10 19:10:42 +04:00
DEBUG ( 2 , ( " Could not allocate memory \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
2009-12-21 23:50:43 +03:00
/*
* This provokes a WERR_NOT_SUPPORTED error message . This is
* documented in the wspp docs . I could not get a successful
* call to work , but the main point here is testing that the
* netlogon pipe works .
*/
2011-01-12 13:55:34 +03:00
status = dcerpc_netr_LogonControl ( b , p - > mem_ctx ,
2009-12-21 23:50:43 +03:00
logon_server , NETLOGON_CONTROL_QUERY ,
2 , & info , & werr ) ;
2018-03-12 18:53:49 +03:00
if ( ! retry & & reset_cm_connection_on_error ( domain , b , status ) ) {
2014-12-23 02:19:47 +03:00
retry = true ;
goto reconnect ;
}
2011-01-12 13:55:34 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 2 , ( " dcerpc_netr_LogonControl failed: %s \n " ,
nt_errstr ( status ) ) ) ;
2009-12-21 23:50:43 +03:00
return status ;
}
2011-01-12 13:55:34 +03:00
if ( ! W_ERROR_EQUAL ( werr , WERR_NOT_SUPPORTED ) ) {
DEBUG ( 2 , ( " dcerpc_netr_LogonControl returned %s, expected "
" WERR_NOT_SUPPORTED \n " ,
win_errstr ( werr ) ) ) ;
return werror_to_ntstatus ( werr ) ;
}
2009-12-21 23:50:43 +03:00
DEBUG ( 5 , ( " winbindd_dual_ping_dc succeeded \n " ) ) ;
return NT_STATUS_OK ;
}
2014-05-06 09:00:09 +04:00
2014-05-08 04:17:32 +04:00
NTSTATUS _winbind_DsrUpdateReadOnlyServerDnsRecords ( struct pipes_struct * p ,
struct winbind_DsrUpdateReadOnlyServerDnsRecords * r )
2014-05-06 09:00:09 +04:00
{
struct winbindd_domain * domain ;
NTSTATUS status ;
2018-02-02 17:24:00 +03:00
struct rpc_pipe_client * netlogon_pipe = NULL ;
struct netlogon_creds_cli_context * netlogon_creds_ctx = NULL ;
2018-03-12 21:53:53 +03:00
struct dcerpc_binding_handle * b = NULL ;
bool retry = false ;
2014-05-06 09:00:09 +04:00
domain = wb_child_domain ( ) ;
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
2018-03-12 21:53:53 +03:00
reconnect :
2018-02-02 17:24:00 +03:00
status = cm_connect_netlogon_secure ( domain ,
& netlogon_pipe ,
& netlogon_creds_ctx ) ;
2014-05-06 09:00:09 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 3 , ( " could not open handle to NETLOGON pipe \n " ) ) ;
goto done ;
}
2018-03-12 21:53:53 +03:00
b = netlogon_pipe - > binding_handle ;
2018-02-02 17:24:00 +03:00
status = netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords ( netlogon_creds_ctx ,
2014-05-06 09:00:09 +04:00
netlogon_pipe - > binding_handle ,
r - > in . site_name ,
r - > in . dns_ttl ,
r - > in . dns_names ) ;
2018-03-12 21:53:53 +03:00
if ( ! retry & & reset_cm_connection_on_error ( domain , b , status ) ) {
retry = true ;
goto reconnect ;
}
2014-05-06 09:00:09 +04:00
/* Pass back result code - zero for success, other values for
specific failures . */
DEBUG ( 3 , ( " DNS records for domain %s %s \n " , domain - > name ,
NT_STATUS_IS_OK ( status ) ? " changed " : " unchanged " ) ) ;
done :
DEBUG ( NT_STATUS_IS_OK ( status ) ? 5 : 2 ,
( " Update of DNS records via RW DC %s returned %s \n " ,
domain - > name , nt_errstr ( status ) ) ) ;
return status ;
}
2014-05-08 04:17:32 +04:00
NTSTATUS _winbind_SamLogon ( struct pipes_struct * p ,
2014-05-08 08:49:13 +04:00
struct winbind_SamLogon * r )
2014-05-08 04:17:32 +04:00
{
2014-05-08 08:49:13 +04:00
struct winbindd_domain * domain ;
NTSTATUS status ;
2018-01-23 19:39:15 +03:00
struct netr_IdentityInfo * identity_info = NULL ;
const uint8_t chal_zero [ 8 ] = { 0 , } ;
const uint8_t * challenge = chal_zero ;
2014-05-08 08:49:13 +04:00
DATA_BLOB lm_response , nt_response ;
2017-06-08 18:10:12 +03:00
uint32_t flags = 0 ;
2017-12-11 18:25:35 +03:00
uint16_t validation_level ;
union netr_Validation * validation = NULL ;
2018-01-23 19:39:15 +03:00
bool interactive = false ;
2017-01-28 23:20:59 +03:00
2014-05-08 08:49:13 +04:00
domain = wb_child_domain ( ) ;
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
2018-01-23 19:57:37 +03:00
switch ( r - > in . validation_level ) {
case 3 :
case 6 :
break ;
default :
2014-05-08 08:49:13 +04:00
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
2018-01-23 19:39:15 +03:00
switch ( r - > in . logon_level ) {
case NetlogonInteractiveInformation :
case NetlogonServiceInformation :
case NetlogonInteractiveTransitiveInformation :
case NetlogonServiceTransitiveInformation :
if ( r - > in . logon . password = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
interactive = true ;
identity_info = & r - > in . logon . password - > identity_info ;
challenge = chal_zero ;
lm_response = data_blob_talloc ( p - > mem_ctx ,
r - > in . logon . password - > lmpassword . hash ,
sizeof ( r - > in . logon . password - > lmpassword . hash ) ) ;
nt_response = data_blob_talloc ( p - > mem_ctx ,
r - > in . logon . password - > ntpassword . hash ,
sizeof ( r - > in . logon . password - > ntpassword . hash ) ) ;
break ;
case NetlogonNetworkInformation :
case NetlogonNetworkTransitiveInformation :
if ( r - > in . logon . network = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
interactive = false ;
identity_info = & r - > in . logon . network - > identity_info ;
challenge = r - > in . logon . network - > challenge ;
lm_response = data_blob_talloc ( p - > mem_ctx ,
r - > in . logon . network - > lm . data ,
r - > in . logon . network - > lm . length ) ;
nt_response = data_blob_talloc ( p - > mem_ctx ,
r - > in . logon . network - > nt . data ,
r - > in . logon . network - > nt . length ) ;
break ;
2014-05-08 08:49:13 +04:00
2018-01-23 19:39:15 +03:00
case NetlogonGenericInformation :
if ( r - > in . logon . generic = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
identity_info = & r - > in . logon . generic - > identity_info ;
/*
* Not implemented here . . .
*/
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
default :
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
2014-05-08 08:49:13 +04:00
status = winbind_dual_SamLogon ( domain , p - > mem_ctx ,
2018-01-23 19:39:15 +03:00
interactive ,
identity_info - > parameter_control ,
identity_info - > account_name . string ,
identity_info - > domain_name . string ,
identity_info - > workstation . string ,
2019-02-01 03:49:49 +03:00
identity_info - > logon_id ,
2019-01-28 05:31:46 +03:00
" SamLogon " ,
0 ,
2018-01-23 19:39:15 +03:00
challenge ,
2017-01-28 23:20:59 +03:00
lm_response , nt_response ,
2019-01-28 05:31:46 +03:00
p - > remote_address ,
p - > local_address ,
2017-04-12 05:12:32 +03:00
& r - > out . authoritative ,
2018-02-08 19:23:49 +03:00
true , /* skip_sam */
2017-04-12 05:12:32 +03:00
& flags ,
2017-12-11 18:25:35 +03:00
& validation_level ,
& validation ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2018-01-23 19:57:37 +03:00
switch ( r - > in . validation_level ) {
case 3 :
status = map_validation_to_info3 ( p - > mem_ctx ,
validation_level ,
validation ,
& r - > out . validation . sam3 ) ;
TALLOC_FREE ( validation ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
return NT_STATUS_OK ;
case 6 :
status = map_validation_to_info6 ( p - > mem_ctx ,
validation_level ,
validation ,
& r - > out . validation . sam6 ) ;
TALLOC_FREE ( validation ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
return NT_STATUS_OK ;
2017-12-11 18:25:35 +03:00
}
2018-01-23 19:57:37 +03:00
smb_panic ( __location__ ) ;
return NT_STATUS_INTERNAL_ERROR ;
2014-05-08 04:17:32 +04:00
}
2014-12-19 12:36:29 +03:00
2014-12-23 11:04:42 +03:00
static WERROR _winbind_LogonControl_REDISCOVER ( struct pipes_struct * p ,
struct winbindd_domain * domain ,
struct winbind_LogonControl * r )
{
NTSTATUS status ;
struct rpc_pipe_client * netlogon_pipe = NULL ;
2018-02-02 17:24:00 +03:00
struct netlogon_creds_cli_context * netlogon_creds_ctx = NULL ;
2014-12-23 11:04:42 +03:00
struct netr_NETLOGON_INFO_2 * info2 = NULL ;
WERROR check_result = WERR_INTERNAL_ERROR ;
info2 = talloc_zero ( p - > mem_ctx , struct netr_NETLOGON_INFO_2 ) ;
if ( info2 = = NULL ) {
2015-12-03 17:24:18 +03:00
return WERR_NOT_ENOUGH_MEMORY ;
2014-12-23 11:04:42 +03:00
}
if ( domain - > internal ) {
check_result = WERR_OK ;
goto check_return ;
}
/*
* For now we just force a reconnect
*
* TODO : take care of the optional ' \ dcname '
*/
invalidate_cm_connection ( domain ) ;
domain - > conn . netlogon_force_reauth = true ;
2018-02-02 17:24:00 +03:00
status = cm_connect_netlogon_secure ( domain ,
& netlogon_pipe ,
& netlogon_creds_ctx ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2014-12-23 11:04:42 +03:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND ) ) {
status = NT_STATUS_NO_LOGON_SERVERS ;
}
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 2 , ( " %s: domain[%s/%s] cm_connect_netlogon() returned %s \n " ,
__func__ , domain - > name , domain - > alt_name ,
nt_errstr ( status ) ) ) ;
/*
* Here we return a top level error !
* This is different than TC_QUERY or TC_VERIFY .
*/
return ntstatus_to_werror ( status ) ;
}
check_result = WERR_OK ;
check_return :
info2 - > pdc_connection_status = WERR_OK ;
if ( domain - > dcname ! = NULL ) {
info2 - > flags | = NETLOGON_HAS_IP ;
info2 - > flags | = NETLOGON_HAS_TIMESERV ;
info2 - > trusted_dc_name = talloc_asprintf ( info2 , " \\ \\ %s " ,
domain - > dcname ) ;
if ( info2 - > trusted_dc_name = = NULL ) {
2015-12-03 17:24:18 +03:00
return WERR_NOT_ENOUGH_MEMORY ;
2014-12-23 11:04:42 +03:00
}
} else {
info2 - > trusted_dc_name = talloc_strdup ( info2 , " " ) ;
if ( info2 - > trusted_dc_name = = NULL ) {
2015-12-03 17:24:18 +03:00
return WERR_NOT_ENOUGH_MEMORY ;
2014-12-23 11:04:42 +03:00
}
}
info2 - > tc_connection_status = check_result ;
if ( ! W_ERROR_IS_OK ( info2 - > pdc_connection_status ) ) {
DEBUG ( 2 , ( " %s: domain[%s/%s] dcname[%s] "
" pdc_connection[%s] tc_connection[%s] \n " ,
__func__ , domain - > name , domain - > alt_name ,
domain - > dcname ,
win_errstr ( info2 - > pdc_connection_status ) ,
win_errstr ( info2 - > tc_connection_status ) ) ) ;
}
r - > out . query - > info2 = info2 ;
DEBUG ( 5 , ( " %s: succeeded. \n " , __func__ ) ) ;
return WERR_OK ;
}
static WERROR _winbind_LogonControl_TC_QUERY ( struct pipes_struct * p ,
struct winbindd_domain * domain ,
struct winbind_LogonControl * r )
{
NTSTATUS status ;
struct rpc_pipe_client * netlogon_pipe = NULL ;
2018-02-02 17:24:00 +03:00
struct netlogon_creds_cli_context * netlogon_creds_ctx = NULL ;
2014-12-23 11:04:42 +03:00
struct netr_NETLOGON_INFO_2 * info2 = NULL ;
WERROR check_result = WERR_INTERNAL_ERROR ;
info2 = talloc_zero ( p - > mem_ctx , struct netr_NETLOGON_INFO_2 ) ;
if ( info2 = = NULL ) {
2015-12-03 17:24:18 +03:00
return WERR_NOT_ENOUGH_MEMORY ;
2014-12-23 11:04:42 +03:00
}
if ( domain - > internal ) {
check_result = WERR_OK ;
goto check_return ;
}
2018-02-02 17:24:00 +03:00
status = cm_connect_netlogon_secure ( domain ,
& netlogon_pipe ,
& netlogon_creds_ctx ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2014-12-23 11:04:42 +03:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND ) ) {
status = NT_STATUS_NO_LOGON_SERVERS ;
}
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 3 , ( " could not open handle to NETLOGON pipe: %s \n " ,
nt_errstr ( status ) ) ) ;
check_result = ntstatus_to_werror ( status ) ;
goto check_return ;
}
check_result = WERR_OK ;
check_return :
info2 - > pdc_connection_status = WERR_OK ;
if ( domain - > dcname ! = NULL ) {
info2 - > flags | = NETLOGON_HAS_IP ;
info2 - > flags | = NETLOGON_HAS_TIMESERV ;
info2 - > trusted_dc_name = talloc_asprintf ( info2 , " \\ \\ %s " ,
domain - > dcname ) ;
if ( info2 - > trusted_dc_name = = NULL ) {
2015-12-03 17:24:18 +03:00
return WERR_NOT_ENOUGH_MEMORY ;
2014-12-23 11:04:42 +03:00
}
} else {
info2 - > trusted_dc_name = talloc_strdup ( info2 , " " ) ;
if ( info2 - > trusted_dc_name = = NULL ) {
2015-12-03 17:24:18 +03:00
return WERR_NOT_ENOUGH_MEMORY ;
2014-12-23 11:04:42 +03:00
}
}
info2 - > tc_connection_status = check_result ;
if ( ! W_ERROR_IS_OK ( info2 - > pdc_connection_status ) ) {
DEBUG ( 2 , ( " %s: domain[%s/%s] dcname[%s] "
" pdc_connection[%s] tc_connection[%s] \n " ,
__func__ , domain - > name , domain - > alt_name ,
domain - > dcname ,
win_errstr ( info2 - > pdc_connection_status ) ,
win_errstr ( info2 - > tc_connection_status ) ) ) ;
}
r - > out . query - > info2 = info2 ;
DEBUG ( 5 , ( " %s: succeeded. \n " , __func__ ) ) ;
return WERR_OK ;
}
static WERROR _winbind_LogonControl_TC_VERIFY ( struct pipes_struct * p ,
struct winbindd_domain * domain ,
struct winbind_LogonControl * r )
{
TALLOC_CTX * frame = talloc_stackframe ( ) ;
NTSTATUS status ;
NTSTATUS result ;
struct lsa_String trusted_domain_name = { } ;
struct lsa_StringLarge trusted_domain_name_l = { } ;
struct rpc_pipe_client * local_lsa_pipe = NULL ;
struct policy_handle local_lsa_policy = { } ;
struct dcerpc_binding_handle * local_lsa = NULL ;
struct rpc_pipe_client * netlogon_pipe = NULL ;
2018-02-02 17:24:00 +03:00
struct netlogon_creds_cli_context * netlogon_creds_ctx = NULL ;
2014-12-23 11:04:42 +03:00
struct cli_credentials * creds = NULL ;
struct samr_Password * cur_nt_hash = NULL ;
uint32_t trust_attributes = 0 ;
struct samr_Password new_owf_password = { } ;
int cmp_new = - 1 ;
struct samr_Password old_owf_password = { } ;
int cmp_old = - 1 ;
const struct lsa_TrustDomainInfoInfoEx * local_tdo = NULL ;
bool fetch_fti = false ;
struct lsa_ForestTrustInformation * new_fti = NULL ;
struct netr_TrustInfo * trust_info = NULL ;
struct netr_NETLOGON_INFO_2 * info2 = NULL ;
struct dcerpc_binding_handle * b = NULL ;
WERROR check_result = WERR_INTERNAL_ERROR ;
WERROR verify_result = WERR_INTERNAL_ERROR ;
bool retry = false ;
trusted_domain_name . string = domain - > name ;
trusted_domain_name_l . string = domain - > name ;
info2 = talloc_zero ( p - > mem_ctx , struct netr_NETLOGON_INFO_2 ) ;
if ( info2 = = NULL ) {
TALLOC_FREE ( frame ) ;
2015-12-03 17:24:18 +03:00
return WERR_NOT_ENOUGH_MEMORY ;
2014-12-23 11:04:42 +03:00
}
if ( domain - > internal ) {
check_result = WERR_OK ;
goto check_return ;
}
status = pdb_get_trust_credentials ( domain - > name ,
domain - > alt_name ,
frame ,
& creds ) ;
if ( NT_STATUS_IS_OK ( status ) ) {
cur_nt_hash = cli_credentials_get_nt_hash ( creds , frame ) ;
TALLOC_FREE ( creds ) ;
}
if ( ! domain - > primary ) {
union lsa_TrustedDomainInfo * tdi = NULL ;
status = open_internal_lsa_conn ( frame , & local_lsa_pipe ,
& local_lsa_policy ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " %s:%s: open_internal_lsa_conn() failed - %s \n " ,
__location__ , __func__ , nt_errstr ( status ) ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_INTERNAL_ERROR ;
}
local_lsa = local_lsa_pipe - > binding_handle ;
status = dcerpc_lsa_QueryTrustedDomainInfoByName ( local_lsa , frame ,
& local_lsa_policy ,
& trusted_domain_name ,
LSA_TRUSTED_DOMAIN_INFO_INFO_EX ,
& tdi , & result ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " %s:%s: local_lsa.QueryTrustedDomainInfoByName(%s) failed - %s \n " ,
__location__ , __func__ , domain - > name , nt_errstr ( status ) ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_INTERNAL_ERROR ;
}
if ( NT_STATUS_EQUAL ( result , NT_STATUS_OBJECT_NAME_NOT_FOUND ) ) {
DEBUG ( 1 , ( " %s:%s: domain[%s] not found via LSA, might be removed already. \n " ,
__location__ , __func__ , domain - > name ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_NO_SUCH_DOMAIN ;
}
if ( ! NT_STATUS_IS_OK ( result ) ) {
DEBUG ( 0 , ( " %s:%s: local_lsa.QueryTrustedDomainInfoByName(%s) returned %s \n " ,
__location__ , __func__ , domain - > name , nt_errstr ( result ) ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_INTERNAL_ERROR ;
}
if ( tdi = = NULL ) {
DEBUG ( 0 , ( " %s:%s: local_lsa.QueryTrustedDomainInfoByName() "
" returned no trusted domain information \n " ,
__location__ , __func__ ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_INTERNAL_ERROR ;
}
local_tdo = & tdi - > info_ex ;
trust_attributes = local_tdo - > trust_attributes ;
}
if ( trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE ) {
struct lsa_ForestTrustInformation * old_fti = NULL ;
status = dcerpc_lsa_lsaRQueryForestTrustInformation ( local_lsa , frame ,
& local_lsa_policy ,
& trusted_domain_name ,
LSA_FOREST_TRUST_DOMAIN_INFO ,
& old_fti , & result ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " %s:%s: local_lsa.lsaRQueryForestTrustInformation(%s) failed %s \n " ,
__location__ , __func__ , domain - > name , nt_errstr ( status ) ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_INTERNAL_ERROR ;
}
if ( NT_STATUS_EQUAL ( result , NT_STATUS_NOT_FOUND ) ) {
DEBUG ( 2 , ( " %s: no forest trust information available for domain[%s] yet. \n " ,
__func__ , domain - > name ) ) ;
old_fti = NULL ;
fetch_fti = true ;
result = NT_STATUS_OK ;
}
if ( ! NT_STATUS_IS_OK ( result ) ) {
DEBUG ( 0 , ( " %s:%s: local_lsa.lsaRQueryForestTrustInformation(%s) returned %s \n " ,
__location__ , __func__ , domain - > name , nt_errstr ( result ) ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_INTERNAL_ERROR ;
}
TALLOC_FREE ( old_fti ) ;
}
reconnect :
2018-02-02 17:24:00 +03:00
status = cm_connect_netlogon_secure ( domain ,
& netlogon_pipe ,
& netlogon_creds_ctx ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2014-12-23 11:04:42 +03:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND ) ) {
status = NT_STATUS_NO_LOGON_SERVERS ;
}
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 3 , ( " could not open handle to NETLOGON pipe: %s \n " ,
nt_errstr ( status ) ) ) ;
check_result = ntstatus_to_werror ( status ) ;
goto check_return ;
}
check_result = WERR_OK ;
b = netlogon_pipe - > binding_handle ;
if ( cur_nt_hash = = NULL ) {
verify_result = WERR_NO_TRUST_LSA_SECRET ;
goto verify_return ;
}
if ( fetch_fti ) {
2018-02-02 17:24:00 +03:00
status = netlogon_creds_cli_GetForestTrustInformation ( netlogon_creds_ctx ,
2014-12-23 11:04:42 +03:00
b , frame ,
& new_fti ) ;
if ( NT_STATUS_EQUAL ( status , NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE ) ) {
status = NT_STATUS_NOT_SUPPORTED ;
}
if ( NT_STATUS_EQUAL ( status , NT_STATUS_NOT_SUPPORTED ) ) {
new_fti = NULL ;
status = NT_STATUS_OK ;
}
if ( ! NT_STATUS_IS_OK ( status ) ) {
2018-03-12 18:53:49 +03:00
if ( ! retry & &
reset_cm_connection_on_error ( domain , b , status ) )
{
2014-12-23 11:04:42 +03:00
retry = true ;
goto reconnect ;
}
DEBUG ( 2 , ( " netlogon_creds_cli_GetForestTrustInformation(%s) "
" failed: %s \n " ,
domain - > name , nt_errstr ( status ) ) ) ;
check_result = ntstatus_to_werror ( status ) ;
goto check_return ;
}
}
if ( new_fti ! = NULL ) {
struct lsa_ForestTrustInformation old_fti = { } ;
struct lsa_ForestTrustInformation * merged_fti = NULL ;
struct lsa_ForestTrustCollisionInfo * collision_info = NULL ;
status = dsdb_trust_merge_forest_info ( frame , local_tdo ,
& old_fti , new_fti ,
& merged_fti ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " %s:%s: dsdb_trust_merge_forest_info(%s) failed %s \n " ,
__location__ , __func__ ,
domain - > name , nt_errstr ( status ) ) ) ;
TALLOC_FREE ( frame ) ;
return ntstatus_to_werror ( status ) ;
}
status = dcerpc_lsa_lsaRSetForestTrustInformation ( local_lsa , frame ,
& local_lsa_policy ,
& trusted_domain_name_l ,
LSA_FOREST_TRUST_DOMAIN_INFO ,
merged_fti ,
0 , /* check_only=0 => store it! */
& collision_info ,
& result ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " %s:%s: local_lsa.lsaRSetForestTrustInformation(%s) failed %s \n " ,
__location__ , __func__ , domain - > name , nt_errstr ( status ) ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_INTERNAL_ERROR ;
}
if ( ! NT_STATUS_IS_OK ( result ) ) {
DEBUG ( 0 , ( " %s:%s: local_lsa.lsaRSetForestTrustInformation(%s) returned %s \n " ,
__location__ , __func__ , domain - > name , nt_errstr ( result ) ) ) ;
TALLOC_FREE ( frame ) ;
2015-07-14 12:33:35 +03:00
return ntstatus_to_werror ( result ) ;
2014-12-23 11:04:42 +03:00
}
}
2018-02-02 17:24:00 +03:00
status = netlogon_creds_cli_ServerGetTrustInfo ( netlogon_creds_ctx ,
2014-12-23 11:04:42 +03:00
b , frame ,
& new_owf_password ,
& old_owf_password ,
& trust_info ) ;
if ( NT_STATUS_EQUAL ( status , NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE ) ) {
status = NT_STATUS_NOT_SUPPORTED ;
}
if ( NT_STATUS_EQUAL ( status , NT_STATUS_NOT_SUPPORTED ) ) {
DEBUG ( 5 , ( " netlogon_creds_cli_ServerGetTrustInfo failed: %s \n " ,
nt_errstr ( status ) ) ) ;
verify_result = WERR_OK ;
goto verify_return ;
}
if ( ! NT_STATUS_IS_OK ( status ) ) {
2018-03-12 18:53:49 +03:00
if ( ! retry & & reset_cm_connection_on_error ( domain , b , status ) ) {
2014-12-23 11:04:42 +03:00
retry = true ;
goto reconnect ;
}
DEBUG ( 2 , ( " netlogon_creds_cli_ServerGetTrustInfo failed: %s \n " ,
nt_errstr ( status ) ) ) ;
if ( ! dcerpc_binding_handle_is_connected ( b ) ) {
check_result = ntstatus_to_werror ( status ) ;
goto check_return ;
} else {
verify_result = ntstatus_to_werror ( status ) ;
goto verify_return ;
}
}
if ( trust_info ! = NULL & & trust_info - > count > = 1 ) {
uint32_t diff = trust_info - > data [ 0 ] ^ trust_attributes ;
if ( diff & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE ) {
verify_result = WERR_DOMAIN_TRUST_INCONSISTENT ;
goto verify_return ;
}
}
cmp_new = memcmp ( new_owf_password . hash ,
cur_nt_hash - > hash ,
sizeof ( cur_nt_hash - > hash ) ) ;
cmp_old = memcmp ( old_owf_password . hash ,
cur_nt_hash - > hash ,
sizeof ( cur_nt_hash - > hash ) ) ;
if ( cmp_new ! = 0 & & cmp_old ! = 0 ) {
DEBUG ( 1 , ( " %s:Error: credentials for domain[%s/%s] doesn't match "
" any password known to dcname[%s] \n " ,
__func__ , domain - > name , domain - > alt_name ,
domain - > dcname ) ) ;
verify_result = WERR_WRONG_PASSWORD ;
goto verify_return ;
}
if ( cmp_new ! = 0 ) {
DEBUG ( 2 , ( " %s:Warning: credentials for domain[%s/%s] only match "
" against the old password known to dcname[%s] \n " ,
__func__ , domain - > name , domain - > alt_name ,
domain - > dcname ) ) ;
}
verify_result = WERR_OK ;
goto verify_return ;
check_return :
verify_result = check_result ;
verify_return :
info2 - > flags | = NETLOGON_VERIFY_STATUS_RETURNED ;
info2 - > pdc_connection_status = verify_result ;
if ( domain - > dcname ! = NULL ) {
info2 - > flags | = NETLOGON_HAS_IP ;
info2 - > flags | = NETLOGON_HAS_TIMESERV ;
info2 - > trusted_dc_name = talloc_asprintf ( info2 , " \\ \\ %s " ,
domain - > dcname ) ;
if ( info2 - > trusted_dc_name = = NULL ) {
TALLOC_FREE ( frame ) ;
2015-12-03 17:24:18 +03:00
return WERR_NOT_ENOUGH_MEMORY ;
2014-12-23 11:04:42 +03:00
}
} else {
info2 - > trusted_dc_name = talloc_strdup ( info2 , " " ) ;
if ( info2 - > trusted_dc_name = = NULL ) {
TALLOC_FREE ( frame ) ;
2015-12-03 17:24:18 +03:00
return WERR_NOT_ENOUGH_MEMORY ;
2014-12-23 11:04:42 +03:00
}
}
info2 - > tc_connection_status = check_result ;
if ( ! W_ERROR_IS_OK ( info2 - > pdc_connection_status ) ) {
DEBUG ( 2 , ( " %s: domain[%s/%s] dcname[%s] "
" pdc_connection[%s] tc_connection[%s] \n " ,
__func__ , domain - > name , domain - > alt_name ,
domain - > dcname ,
win_errstr ( info2 - > pdc_connection_status ) ,
win_errstr ( info2 - > tc_connection_status ) ) ) ;
}
r - > out . query - > info2 = info2 ;
DEBUG ( 5 , ( " %s: succeeded. \n " , __func__ ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_OK ;
}
static WERROR _winbind_LogonControl_CHANGE_PASSWORD ( struct pipes_struct * p ,
struct winbindd_domain * domain ,
struct winbind_LogonControl * r )
{
2018-08-21 21:09:16 +03:00
struct messaging_context * msg_ctx = global_messaging_context ( ) ;
2014-12-23 11:04:42 +03:00
NTSTATUS status ;
2018-02-02 17:24:00 +03:00
struct rpc_pipe_client * netlogon_pipe = NULL ;
struct netlogon_creds_cli_context * netlogon_creds_ctx = NULL ;
2014-12-23 11:04:42 +03:00
struct cli_credentials * creds = NULL ;
struct samr_Password * cur_nt_hash = NULL ;
struct netr_NETLOGON_INFO_1 * info1 = NULL ;
struct dcerpc_binding_handle * b ;
WERROR change_result = WERR_OK ;
bool retry = false ;
info1 = talloc_zero ( p - > mem_ctx , struct netr_NETLOGON_INFO_1 ) ;
if ( info1 = = NULL ) {
2015-12-03 17:24:18 +03:00
return WERR_NOT_ENOUGH_MEMORY ;
2014-12-23 11:04:42 +03:00
}
if ( domain - > internal ) {
return WERR_NOT_SUPPORTED ;
}
status = pdb_get_trust_credentials ( domain - > name ,
domain - > alt_name ,
p - > mem_ctx ,
& creds ) ;
if ( NT_STATUS_IS_OK ( status ) ) {
cur_nt_hash = cli_credentials_get_nt_hash ( creds , p - > mem_ctx ) ;
TALLOC_FREE ( creds ) ;
}
reconnect :
2018-02-02 17:24:00 +03:00
status = cm_connect_netlogon_secure ( domain ,
& netlogon_pipe ,
& netlogon_creds_ctx ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2014-12-23 11:04:42 +03:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND ) ) {
status = NT_STATUS_NO_LOGON_SERVERS ;
}
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 2 , ( " %s: domain[%s/%s] cm_connect_netlogon() returned %s \n " ,
__func__ , domain - > name , domain - > alt_name ,
nt_errstr ( status ) ) ) ;
/*
* Here we return a top level error !
* This is different than TC_QUERY or TC_VERIFY .
*/
return ntstatus_to_werror ( status ) ;
}
b = netlogon_pipe - > binding_handle ;
if ( cur_nt_hash = = NULL ) {
change_result = WERR_NO_TRUST_LSA_SECRET ;
goto change_return ;
}
TALLOC_FREE ( cur_nt_hash ) ;
2018-02-02 17:24:00 +03:00
status = trust_pw_change ( netlogon_creds_ctx ,
2014-12-23 11:04:42 +03:00
msg_ctx , b , domain - > name ,
2017-05-22 16:36:29 +03:00
domain - > dcname ,
2014-12-23 11:04:42 +03:00
true ) ; /* force */
if ( ! NT_STATUS_IS_OK ( status ) ) {
2018-03-12 18:53:49 +03:00
if ( ! retry & & reset_cm_connection_on_error ( domain , b , status ) ) {
2014-12-23 11:04:42 +03:00
retry = true ;
goto reconnect ;
}
DEBUG ( 1 , ( " trust_pw_change(%s): %s \n " ,
domain - > name , nt_errstr ( status ) ) ) ;
change_result = ntstatus_to_werror ( status ) ;
goto change_return ;
}
change_result = WERR_OK ;
change_return :
info1 - > pdc_connection_status = change_result ;
if ( ! W_ERROR_IS_OK ( info1 - > pdc_connection_status ) ) {
DEBUG ( 2 , ( " %s: domain[%s/%s] dcname[%s] "
" pdc_connection[%s] \n " ,
__func__ , domain - > name , domain - > alt_name ,
domain - > dcname ,
win_errstr ( info1 - > pdc_connection_status ) ) ) ;
}
r - > out . query - > info1 = info1 ;
DEBUG ( 5 , ( " %s: succeeded. \n " , __func__ ) ) ;
return WERR_OK ;
}
2014-12-19 12:36:29 +03:00
WERROR _winbind_LogonControl ( struct pipes_struct * p ,
struct winbind_LogonControl * r )
{
struct winbindd_domain * domain ;
domain = wb_child_domain ( ) ;
if ( domain = = NULL ) {
return WERR_NO_SUCH_DOMAIN ;
}
2014-12-23 11:04:42 +03:00
switch ( r - > in . function_code ) {
case NETLOGON_CONTROL_REDISCOVER :
if ( r - > in . level ! = 2 ) {
return WERR_INVALID_PARAMETER ;
}
return _winbind_LogonControl_REDISCOVER ( p , domain , r ) ;
case NETLOGON_CONTROL_TC_QUERY :
if ( r - > in . level ! = 2 ) {
return WERR_INVALID_PARAMETER ;
}
return _winbind_LogonControl_TC_QUERY ( p , domain , r ) ;
case NETLOGON_CONTROL_TC_VERIFY :
if ( r - > in . level ! = 2 ) {
return WERR_INVALID_PARAMETER ;
}
return _winbind_LogonControl_TC_VERIFY ( p , domain , r ) ;
case NETLOGON_CONTROL_CHANGE_PASSWORD :
if ( r - > in . level ! = 1 ) {
return WERR_INVALID_PARAMETER ;
}
return _winbind_LogonControl_CHANGE_PASSWORD ( p , domain , r ) ;
default :
break ;
}
DEBUG ( 4 , ( " %s: function_code[0x%x] not supported \n " ,
__func__ , r - > in . function_code ) ) ;
2014-12-19 12:36:29 +03:00
return WERR_NOT_SUPPORTED ;
}
2015-01-23 15:07:14 +03:00
WERROR _winbind_GetForestTrustInformation ( struct pipes_struct * p ,
struct winbind_GetForestTrustInformation * r )
{
2015-01-23 15:07:14 +03:00
TALLOC_CTX * frame = talloc_stackframe ( ) ;
NTSTATUS status , result ;
2015-01-23 15:07:14 +03:00
struct winbindd_domain * domain ;
2018-02-02 17:24:00 +03:00
struct rpc_pipe_client * netlogon_pipe = NULL ;
struct netlogon_creds_cli_context * netlogon_creds_ctx = NULL ;
2015-01-23 15:07:14 +03:00
struct dcerpc_binding_handle * b ;
bool retry = false ;
struct lsa_String trusted_domain_name = { } ;
struct lsa_StringLarge trusted_domain_name_l = { } ;
union lsa_TrustedDomainInfo * tdi = NULL ;
const struct lsa_TrustDomainInfoInfoEx * tdo = NULL ;
struct lsa_ForestTrustInformation _old_fti = { } ;
struct lsa_ForestTrustInformation * old_fti = NULL ;
struct lsa_ForestTrustInformation * new_fti = NULL ;
struct lsa_ForestTrustInformation * merged_fti = NULL ;
struct lsa_ForestTrustCollisionInfo * collision_info = NULL ;
bool update_fti = false ;
struct rpc_pipe_client * local_lsa_pipe ;
struct policy_handle local_lsa_policy ;
struct dcerpc_binding_handle * local_lsa = NULL ;
2015-01-23 15:07:14 +03:00
domain = wb_child_domain ( ) ;
if ( domain = = NULL ) {
2015-01-23 15:07:14 +03:00
TALLOC_FREE ( frame ) ;
2015-01-23 15:07:14 +03:00
return WERR_NO_SUCH_DOMAIN ;
}
2015-01-23 15:07:14 +03:00
/*
* checking for domain - > internal and domain - > primary
* makes sure we only do some work when running as DC .
*/
if ( domain - > internal ) {
TALLOC_FREE ( frame ) ;
return WERR_NO_SUCH_DOMAIN ;
}
if ( domain - > primary ) {
TALLOC_FREE ( frame ) ;
return WERR_NO_SUCH_DOMAIN ;
}
trusted_domain_name . string = domain - > name ;
trusted_domain_name_l . string = domain - > name ;
status = open_internal_lsa_conn ( frame , & local_lsa_pipe ,
& local_lsa_policy ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " %s:%s: open_internal_lsa_conn() failed - %s \n " ,
__location__ , __func__ , nt_errstr ( status ) ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_INTERNAL_ERROR ;
}
local_lsa = local_lsa_pipe - > binding_handle ;
status = dcerpc_lsa_QueryTrustedDomainInfoByName ( local_lsa , frame ,
& local_lsa_policy ,
& trusted_domain_name ,
LSA_TRUSTED_DOMAIN_INFO_INFO_EX ,
& tdi , & result ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " %s:%s: local_lsa.QueryTrustedDomainInfoByName(%s) failed - %s \n " ,
__location__ , __func__ , domain - > name , nt_errstr ( status ) ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_INTERNAL_ERROR ;
}
if ( NT_STATUS_EQUAL ( result , NT_STATUS_OBJECT_NAME_NOT_FOUND ) ) {
DEBUG ( 1 , ( " %s:%s: domain[%s] not found via LSA, might be removed already. \n " ,
__location__ , __func__ , domain - > name ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_NO_SUCH_DOMAIN ;
}
if ( ! NT_STATUS_IS_OK ( result ) ) {
DEBUG ( 0 , ( " %s:%s: local_lsa.QueryTrustedDomainInfoByName(%s) returned %s \n " ,
__location__ , __func__ , domain - > name , nt_errstr ( result ) ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_INTERNAL_ERROR ;
}
if ( tdi = = NULL ) {
DEBUG ( 0 , ( " %s:%s: local_lsa.QueryTrustedDomainInfoByName() "
" returned no trusted domain information \n " ,
__location__ , __func__ ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_INTERNAL_ERROR ;
}
tdo = & tdi - > info_ex ;
if ( ! ( tdo - > trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE ) ) {
DEBUG ( 2 , ( " %s: tdo[%s/%s] is no forest trust attributes[0x%08X] \n " ,
__func__ , tdo - > netbios_name . string ,
tdo - > domain_name . string ,
( unsigned ) tdo - > trust_attributes ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_NO_SUCH_DOMAIN ;
}
if ( r - > in . flags & ~ DS_GFTI_UPDATE_TDO ) {
TALLOC_FREE ( frame ) ;
return WERR_INVALID_FLAGS ;
}
reconnect :
2018-02-02 17:24:00 +03:00
status = cm_connect_netlogon_secure ( domain ,
& netlogon_pipe ,
& netlogon_creds_ctx ) ;
2018-03-12 18:11:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2015-01-23 15:07:14 +03:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND ) ) {
status = NT_STATUS_NO_LOGON_SERVERS ;
}
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 3 , ( " could not open handle to NETLOGON pipe: %s \n " ,
nt_errstr ( status ) ) ) ;
TALLOC_FREE ( frame ) ;
return ntstatus_to_werror ( status ) ;
}
b = netlogon_pipe - > binding_handle ;
2018-02-02 17:24:00 +03:00
status = netlogon_creds_cli_GetForestTrustInformation ( netlogon_creds_ctx ,
2015-01-23 15:07:14 +03:00
b , p - > mem_ctx ,
& new_fti ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2018-03-12 18:53:49 +03:00
if ( ! retry & & reset_cm_connection_on_error ( domain , b , status ) ) {
2015-01-23 15:07:14 +03:00
retry = true ;
goto reconnect ;
}
DEBUG ( 2 , ( " netlogon_creds_cli_GetForestTrustInformation(%s) failed: %s \n " ,
domain - > name , nt_errstr ( status ) ) ) ;
TALLOC_FREE ( frame ) ;
return ntstatus_to_werror ( status ) ;
}
* r - > out . forest_trust_info = new_fti ;
if ( r - > in . flags & DS_GFTI_UPDATE_TDO ) {
update_fti = true ;
}
status = dcerpc_lsa_lsaRQueryForestTrustInformation ( local_lsa , frame ,
& local_lsa_policy ,
& trusted_domain_name ,
LSA_FOREST_TRUST_DOMAIN_INFO ,
& old_fti , & result ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " %s:%s: local_lsa.lsaRQueryForestTrustInformation(%s) failed %s \n " ,
__location__ , __func__ , domain - > name , nt_errstr ( status ) ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_INTERNAL_ERROR ;
}
if ( NT_STATUS_EQUAL ( result , NT_STATUS_NOT_FOUND ) ) {
DEBUG ( 2 , ( " %s: no forest trust information available for domain[%s] yet. \n " ,
__func__ , domain - > name ) ) ;
update_fti = true ;
old_fti = & _old_fti ;
result = NT_STATUS_OK ;
}
if ( ! NT_STATUS_IS_OK ( result ) ) {
DEBUG ( 0 , ( " %s:%s: local_lsa.lsaRQueryForestTrustInformation(%s) returned %s \n " ,
__location__ , __func__ , domain - > name , nt_errstr ( result ) ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_INTERNAL_ERROR ;
}
if ( old_fti = = NULL ) {
DEBUG ( 0 , ( " %s:%s: local_lsa.lsaRQueryForestTrustInformation() "
" returned success without returning forest trust information \n " ,
__location__ , __func__ ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_INTERNAL_ERROR ;
}
if ( ! update_fti ) {
goto done ;
}
status = dsdb_trust_merge_forest_info ( frame , tdo , old_fti , new_fti ,
& merged_fti ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " %s:%s: dsdb_trust_merge_forest_info(%s) failed %s \n " ,
__location__ , __func__ , domain - > name , nt_errstr ( status ) ) ) ;
TALLOC_FREE ( frame ) ;
return ntstatus_to_werror ( status ) ;
}
status = dcerpc_lsa_lsaRSetForestTrustInformation ( local_lsa , frame ,
& local_lsa_policy ,
& trusted_domain_name_l ,
LSA_FOREST_TRUST_DOMAIN_INFO ,
merged_fti ,
0 , /* check_only=0 => store it! */
& collision_info ,
& result ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " %s:%s: local_lsa.lsaRSetForestTrustInformation(%s) failed %s \n " ,
__location__ , __func__ , domain - > name , nt_errstr ( status ) ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_INTERNAL_ERROR ;
}
if ( ! NT_STATUS_IS_OK ( result ) ) {
DEBUG ( 0 , ( " %s:%s: local_lsa.lsaRSetForestTrustInformation(%s) returned %s \n " ,
__location__ , __func__ , domain - > name , nt_errstr ( result ) ) ) ;
TALLOC_FREE ( frame ) ;
return ntstatus_to_werror ( result ) ;
}
done :
DEBUG ( 5 , ( " _winbind_GetForestTrustInformation succeeded \n " ) ) ;
TALLOC_FREE ( frame ) ;
return WERR_OK ;
2015-01-23 15:07:14 +03:00
}
2017-04-11 06:51:50 +03:00
NTSTATUS _winbind_SendToSam ( struct pipes_struct * p , struct winbind_SendToSam * r )
{
struct winbindd_domain * domain ;
NTSTATUS status ;
struct rpc_pipe_client * netlogon_pipe ;
2018-02-02 17:24:00 +03:00
struct netlogon_creds_cli_context * netlogon_creds_ctx = NULL ;
2018-03-12 21:54:37 +03:00
struct dcerpc_binding_handle * b = NULL ;
bool retry = false ;
2017-04-11 06:51:50 +03:00
DEBUG ( 5 , ( " _winbind_SendToSam received \n " ) ) ;
domain = wb_child_domain ( ) ;
if ( domain = = NULL ) {
return NT_STATUS_REQUEST_NOT_ACCEPTED ;
}
2018-03-12 21:54:37 +03:00
reconnect :
2018-02-02 17:24:00 +03:00
status = cm_connect_netlogon_secure ( domain ,
& netlogon_pipe ,
& netlogon_creds_ctx ) ;
2018-03-12 21:54:37 +03:00
reset_cm_connection_on_error ( domain , NULL , status ) ;
2017-04-11 06:51:50 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 3 , ( " could not open handle to NETLOGON pipe \n " ) ) ;
return status ;
}
2018-03-12 21:54:37 +03:00
b = netlogon_pipe - > binding_handle ;
2018-02-02 17:24:00 +03:00
status = netlogon_creds_cli_SendToSam ( netlogon_creds_ctx ,
2018-03-12 21:54:37 +03:00
b ,
2017-04-11 06:51:50 +03:00
& r - > in . message ) ;
2018-03-12 21:54:37 +03:00
if ( ! retry & & reset_cm_connection_on_error ( domain , b , status ) ) {
retry = true ;
goto reconnect ;
}
2017-04-11 06:51:50 +03:00
return status ;
}
2019-10-22 19:28:44 +03:00
# include "librpc/gen_ndr/ndr_winbind_scompat.c"
