2008-02-13 14:24:56 +03:00
/*
2002-01-30 09:08:46 +03:00
* Unix SMB / CIFS implementation .
2001-02-27 03:32:11 +03:00
* RPC Pipe client / server routines
* Copyright ( C ) Andrew Tridgell 1992 - 1997 ,
* Copyright ( C ) Luke Kenneth Casson Leighton 1996 - 1997 ,
* Copyright ( C ) Paul Ashton 1997.
* Copyright ( C ) Jeremy Allison 1998 - 2001.
2003-07-23 10:11:38 +04:00
* Copyright ( C ) Andrew Bartlett 2001.
2008-02-27 21:38:48 +03:00
* Copyright ( C ) Guenther Deschner 2008.
2001-02-27 03:32:11 +03:00
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
* the Free Software Foundation ; either version 3 of the License , or
2001-02-27 03:32:11 +03:00
* ( at your option ) any later version .
2008-02-13 14:24:56 +03:00
*
2001-02-27 03:32:11 +03:00
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
2008-02-13 14:24:56 +03:00
*
2001-02-27 03:32:11 +03:00
* You should have received a copy of the GNU General Public License
2007-07-10 09:23:25 +04:00
* along with this program ; if not , see < http : //www.gnu.org/licenses/>.
2001-02-27 03:32:11 +03:00
*/
/* This is the implementation of the netlogon pipe. */
# include "includes.h"
2005-04-06 20:28:04 +04:00
extern userdom_struct current_user_info ;
2002-07-15 14:35:28 +04:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_RPC_SRV
2001-02-27 03:32:11 +03:00
/*************************************************************************
init_net_r_req_chal :
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-13 16:08:59 +03:00
static void init_net_r_req_chal ( struct netr_Credential * r ,
2008-02-16 01:57:19 +03:00
struct netr_Credential * srv_chal )
2001-02-27 03:32:11 +03:00
{
DEBUG ( 6 , ( " init_net_r_req_chal: %d \n " , __LINE__ ) ) ;
2008-02-13 16:08:59 +03:00
memcpy ( r - > data , srv_chal - > data , sizeof ( r - > data ) ) ;
2001-02-27 03:32:11 +03:00
}
2008-02-14 00:55:44 +03:00
/*******************************************************************
Inits a netr_NETLOGON_INFO_1 structure .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void init_netlogon_info1 ( struct netr_NETLOGON_INFO_1 * r ,
uint32_t flags ,
uint32_t pdc_connection_status )
{
r - > flags = flags ;
r - > pdc_connection_status = pdc_connection_status ;
}
/*******************************************************************
Inits a netr_NETLOGON_INFO_2 structure .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void init_netlogon_info2 ( struct netr_NETLOGON_INFO_2 * r ,
uint32_t flags ,
uint32_t pdc_connection_status ,
const char * trusted_dc_name ,
uint32_t tc_connection_status )
{
r - > flags = flags ;
r - > pdc_connection_status = pdc_connection_status ;
r - > trusted_dc_name = trusted_dc_name ;
r - > tc_connection_status = tc_connection_status ;
}
/*******************************************************************
Inits a netr_NETLOGON_INFO_3 structure .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static void init_netlogon_info3 ( struct netr_NETLOGON_INFO_3 * r ,
uint32_t flags ,
uint32_t logon_attempts )
{
r - > flags = flags ;
r - > logon_attempts = logon_attempts ;
}
2001-05-24 12:05:12 +04:00
/*************************************************************************
2008-02-13 13:56:24 +03:00
_netr_LogonControl
2001-05-24 12:05:12 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-13 13:56:24 +03:00
WERROR _netr_LogonControl ( pipes_struct * p ,
struct netr_LogonControl * r )
2001-05-24 12:05:12 +04:00
{
2008-02-13 13:56:24 +03:00
struct netr_NETLOGON_INFO_1 * info1 ;
uint32_t flags = 0x0 ;
uint32_t pdc_connection_status = W_ERROR_V ( WERR_OK ) ;
2001-05-24 12:05:12 +04:00
/* Setup the Logon Control response */
2008-02-13 13:56:24 +03:00
switch ( r - > in . level ) {
case 1 :
info1 = TALLOC_ZERO_P ( p - > mem_ctx , struct netr_NETLOGON_INFO_1 ) ;
if ( ! info1 ) {
return WERR_NOMEM ;
}
2008-02-14 00:55:44 +03:00
init_netlogon_info1 ( info1 ,
flags ,
pdc_connection_status ) ;
2008-02-13 13:56:24 +03:00
r - > out . info - > info1 = info1 ;
break ;
default :
return WERR_UNKNOWN_LEVEL ;
}
return WERR_OK ;
2001-05-24 12:05:12 +04:00
}
2001-08-28 10:34:08 +04:00
/****************************************************************************
Send a message to smbd to do a sam synchronisation
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-09-30 21:13:37 +04:00
2001-09-06 09:24:37 +04:00
static void send_sync_message ( void )
2001-08-28 10:34:08 +04:00
{
DEBUG ( 3 , ( " sending sam synchronisation message \n " ) ) ;
2007-05-15 19:49:55 +04:00
message_send_all ( smbd_messaging_context ( ) , MSG_SMB_SAM_SYNC , NULL , 0 ,
2007-05-22 02:17:13 +04:00
NULL ) ;
2001-08-28 10:34:08 +04:00
}
2001-02-27 03:32:11 +03:00
/*************************************************************************
2008-02-14 01:06:09 +03:00
_netr_LogonControl2
2001-02-27 03:32:11 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-14 01:06:09 +03:00
WERROR _netr_LogonControl2 ( pipes_struct * p ,
struct netr_LogonControl2 * r )
2001-02-27 03:32:11 +03:00
{
2001-08-28 10:34:08 +04:00
uint32 flags = 0x0 ;
uint32 pdc_connection_status = 0x0 ;
uint32 logon_attempts = 0x0 ;
2004-06-03 22:00:22 +04:00
uint32 tc_status ;
2008-03-26 21:18:08 +03:00
fstring dc_name2 ;
const char * dc_name = NULL ;
2007-10-25 01:16:54 +04:00
struct sockaddr_storage dc_ss ;
2008-02-14 01:06:09 +03:00
const char * domain = NULL ;
struct netr_NETLOGON_INFO_1 * info1 ;
struct netr_NETLOGON_INFO_2 * info2 ;
struct netr_NETLOGON_INFO_3 * info3 ;
2008-02-13 14:24:56 +03:00
2008-01-31 03:23:49 +03:00
tc_status = W_ERROR_V ( WERR_NO_SUCH_DOMAIN ) ;
2008-02-13 14:24:56 +03:00
2008-02-14 01:06:09 +03:00
switch ( r - > in . function_code ) {
2004-06-03 22:00:22 +04:00
case NETLOGON_CONTROL_TC_QUERY :
2008-02-14 01:06:09 +03:00
domain = r - > in . data - > domain ;
2008-02-13 14:24:56 +03:00
2004-06-03 22:00:22 +04:00
if ( ! is_trusted_domain ( domain ) )
break ;
2008-02-13 14:24:56 +03:00
2007-10-25 01:16:54 +04:00
if ( ! get_dc_name ( domain , NULL , dc_name2 , & dc_ss ) ) {
2008-01-31 03:23:49 +03:00
tc_status = W_ERROR_V ( WERR_NO_LOGON_SERVERS ) ;
2004-06-03 22:00:22 +04:00
break ;
}
2008-03-26 21:18:08 +03:00
dc_name = talloc_asprintf ( p - > mem_ctx , " \\ \\ %s " , dc_name2 ) ;
if ( ! dc_name ) {
return WERR_NOMEM ;
}
2008-02-13 14:24:56 +03:00
2008-01-31 03:23:49 +03:00
tc_status = W_ERROR_V ( WERR_OK ) ;
2008-02-13 14:24:56 +03:00
2004-06-03 22:00:22 +04:00
break ;
2008-02-13 14:24:56 +03:00
2004-06-03 22:00:22 +04:00
case NETLOGON_CONTROL_REDISCOVER :
2008-02-14 01:06:09 +03:00
domain = r - > in . data - > domain ;
2008-02-13 14:24:56 +03:00
2004-06-03 22:00:22 +04:00
if ( ! is_trusted_domain ( domain ) )
break ;
2008-02-13 14:24:56 +03:00
2007-10-25 01:16:54 +04:00
if ( ! get_dc_name ( domain , NULL , dc_name2 , & dc_ss ) ) {
2008-01-31 03:23:49 +03:00
tc_status = W_ERROR_V ( WERR_NO_LOGON_SERVERS ) ;
2004-06-03 22:00:22 +04:00
break ;
}
2008-03-26 21:18:08 +03:00
dc_name = talloc_asprintf ( p - > mem_ctx , " \\ \\ %s " , dc_name2 ) ;
if ( ! dc_name ) {
return WERR_NOMEM ;
}
2008-02-13 14:24:56 +03:00
2008-01-31 03:23:49 +03:00
tc_status = W_ERROR_V ( WERR_OK ) ;
2008-02-13 14:24:56 +03:00
2004-06-03 22:00:22 +04:00
break ;
2008-02-13 14:24:56 +03:00
2004-06-03 22:00:22 +04:00
default :
/* no idea what this should be */
2008-02-14 01:06:09 +03:00
DEBUG ( 0 , ( " _netr_LogonControl2: unimplemented function level [%d] \n " ,
r - > in . function_code ) ) ;
return WERR_UNKNOWN_LEVEL ;
2004-06-03 22:00:22 +04:00
}
2008-02-13 14:24:56 +03:00
2004-06-03 22:00:22 +04:00
/* prepare the response */
2008-02-13 14:24:56 +03:00
2008-02-14 01:06:09 +03:00
switch ( r - > in . level ) {
case 1 :
info1 = TALLOC_ZERO_P ( p - > mem_ctx , struct netr_NETLOGON_INFO_1 ) ;
W_ERROR_HAVE_NO_MEMORY ( info1 ) ;
2001-02-27 03:32:11 +03:00
2008-02-14 01:06:09 +03:00
init_netlogon_info1 ( info1 ,
flags ,
pdc_connection_status ) ;
r - > out . query - > info1 = info1 ;
break ;
case 2 :
info2 = TALLOC_ZERO_P ( p - > mem_ctx , struct netr_NETLOGON_INFO_2 ) ;
W_ERROR_HAVE_NO_MEMORY ( info2 ) ;
init_netlogon_info2 ( info2 ,
flags ,
pdc_connection_status ,
dc_name ,
tc_status ) ;
r - > out . query - > info2 = info2 ;
break ;
case 3 :
info3 = TALLOC_ZERO_P ( p - > mem_ctx , struct netr_NETLOGON_INFO_3 ) ;
W_ERROR_HAVE_NO_MEMORY ( info3 ) ;
init_netlogon_info3 ( info3 ,
flags ,
logon_attempts ) ;
r - > out . query - > info3 = info3 ;
break ;
default :
return WERR_UNKNOWN_LEVEL ;
}
if ( lp_server_role ( ) = = ROLE_DOMAIN_BDC ) {
2001-08-28 10:34:08 +04:00
send_sync_message ( ) ;
2008-02-14 01:06:09 +03:00
}
2001-08-28 10:34:08 +04:00
2008-02-14 01:06:09 +03:00
return WERR_OK ;
2001-02-27 03:32:11 +03:00
}
/*************************************************************************
2008-02-13 12:23:45 +03:00
_netr_NetrEnumerateTrustedDomains
2001-02-27 03:32:11 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-13 12:23:45 +03:00
WERROR _netr_NetrEnumerateTrustedDomains ( pipes_struct * p ,
struct netr_NetrEnumerateTrustedDomains * r )
2001-02-27 03:32:11 +03:00
{
2008-02-13 12:23:45 +03:00
struct netr_Blob trusted_domains_blob ;
DATA_BLOB blob ;
2001-02-27 03:32:11 +03:00
2008-02-13 12:23:45 +03:00
DEBUG ( 6 , ( " _netr_NetrEnumerateTrustedDomains: %d \n " , __LINE__ ) ) ;
2001-02-27 03:32:11 +03:00
/* set up the Trusted Domain List response */
2008-02-13 12:23:45 +03:00
blob = data_blob_talloc_zero ( p - > mem_ctx , 2 ) ;
trusted_domains_blob . data = blob . data ;
trusted_domains_blob . length = blob . length ;
2001-02-27 03:32:11 +03:00
2008-02-13 12:23:45 +03:00
DEBUG ( 6 , ( " _netr_NetrEnumerateTrustedDomains: %d \n " , __LINE__ ) ) ;
* r - > out . trusted_domains_blob = trusted_domains_blob ;
return WERR_OK ;
2001-02-27 03:32:11 +03:00
}
/******************************************************************
gets a machine password entry . checks access rights of the host .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-15 23:24:39 +03:00
static NTSTATUS get_md4pw ( char * md4pw , const char * mach_acct , uint16 sec_chan_type )
2001-02-27 03:32:11 +03:00
{
2006-02-20 23:09:36 +03:00
struct samu * sampass = NULL ;
This commit is number 4 of 4.
In particular this commit focuses on:
Actually adding the 'const' to the passdb interface, and the flow-on changes.
Also kill off the 'disp_info' stuff, as its no longer used.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes introduces a large dose of 'const' to the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently its pretty bad, even in 2.2
where is compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
---
This finishes this line of commits off, your tree should now compile again :-)
Andrew Bartlett
(This used to be commit c95f5aeb9327347674589ae313b75bee3bf8e317)
2001-10-29 10:35:11 +03:00
const uint8 * pass ;
2007-10-19 04:40:25 +04:00
bool ret ;
2002-03-02 01:45:23 +03:00
uint32 acct_ctrl ;
2008-02-13 14:24:56 +03:00
2001-02-27 03:32:11 +03:00
#if 0
2007-11-04 04:15:45 +03:00
char addr [ INET6_ADDRSTRLEN ] ;
2001-02-27 03:32:11 +03:00
/*
* Currently this code is redundent as we already have a filter
2008-02-13 14:24:56 +03:00
* by hostname list . What this code really needs to do is to
2001-02-27 03:32:11 +03:00
* get a hosts allowed / hosts denied list from the SAM database
* on a per user basis , and make the access decision there .
* I will leave this code here for now as a reminder to implement
* this at a later date . JRA .
*/
if ( ! allow_access ( lp_domain_hostsdeny ( ) , lp_domain_hostsallow ( ) ,
2007-11-04 09:20:10 +03:00
client_name ( get_client_fd ( ) ) ,
client_addr ( get_client_fd ( ) , addr , sizeof ( addr ) ) ) ) {
2001-02-27 03:32:11 +03:00
DEBUG ( 0 , ( " get_md4pw: Workstation %s denied access to domain \n " , mach_acct ) ) ;
return False ;
}
# endif /* 0 */
2006-02-21 17:34:11 +03:00
if ( ! ( sampass = samu_new ( NULL ) ) ) {
2006-03-15 15:23:09 +03:00
return NT_STATUS_NO_MEMORY ;
2006-02-21 17:34:11 +03:00
}
2001-03-12 01:26:28 +03:00
2001-05-04 19:44:27 +04:00
/* JRA. This is ok as it is only used for generating the challenge. */
2001-02-27 03:32:11 +03:00
become_root ( ) ;
2006-03-15 15:23:09 +03:00
ret = pdb_getsampwnam ( sampass , mach_acct ) ;
2001-02-27 03:32:11 +03:00
unbecome_root ( ) ;
2008-02-13 14:24:56 +03:00
2006-06-15 05:54:09 +04:00
if ( ! ret ) {
2001-05-04 19:44:27 +04:00
DEBUG ( 0 , ( " get_md4pw: Workstation %s: no account in domain \n " , mach_acct ) ) ;
2006-02-20 23:09:36 +03:00
TALLOC_FREE ( sampass ) ;
2006-03-15 15:23:09 +03:00
return NT_STATUS_ACCESS_DENIED ;
2001-05-04 19:44:27 +04:00
}
2002-03-02 01:45:23 +03:00
acct_ctrl = pdb_get_acct_ctrl ( sampass ) ;
2006-03-15 15:23:09 +03:00
if ( acct_ctrl & ACB_DISABLED ) {
DEBUG ( 0 , ( " get_md4pw: Workstation %s: account is disabled \n " , mach_acct ) ) ;
TALLOC_FREE ( sampass ) ;
return NT_STATUS_ACCOUNT_DISABLED ;
2001-02-27 03:32:11 +03:00
}
2006-03-15 15:23:09 +03:00
2006-03-15 17:58:39 +03:00
if ( ! ( acct_ctrl & ACB_SVRTRUST ) & &
! ( acct_ctrl & ACB_WSTRUST ) & &
2008-02-13 14:24:56 +03:00
! ( acct_ctrl & ACB_DOMTRUST ) )
2006-03-15 17:58:39 +03:00
{
2006-03-15 15:23:09 +03:00
DEBUG ( 0 , ( " get_md4pw: Workstation %s: account is not a trust account \n " , mach_acct ) ) ;
TALLOC_FREE ( sampass ) ;
return NT_STATUS_NO_TRUST_SAM_ACCOUNT ;
}
switch ( sec_chan_type ) {
case SEC_CHAN_BDC :
if ( ! ( acct_ctrl & ACB_SVRTRUST ) ) {
DEBUG ( 0 , ( " get_md4pw: Workstation %s: BDC secure channel requested "
" but not a server trust account \n " , mach_acct ) ) ;
TALLOC_FREE ( sampass ) ;
return NT_STATUS_NO_TRUST_SAM_ACCOUNT ;
}
2006-03-15 18:38:15 +03:00
break ;
2006-03-15 15:23:09 +03:00
case SEC_CHAN_WKSTA :
if ( ! ( acct_ctrl & ACB_WSTRUST ) ) {
DEBUG ( 0 , ( " get_md4pw: Workstation %s: WORKSTATION secure channel requested "
" but not a workstation trust account \n " , mach_acct ) ) ;
TALLOC_FREE ( sampass ) ;
return NT_STATUS_NO_TRUST_SAM_ACCOUNT ;
}
2006-03-15 18:38:15 +03:00
break ;
2006-03-15 15:23:09 +03:00
case SEC_CHAN_DOMAIN :
if ( ! ( acct_ctrl & ACB_DOMTRUST ) ) {
DEBUG ( 0 , ( " get_md4pw: Workstation %s: DOMAIN secure channel requested "
" but not a interdomain trust account \n " , mach_acct ) ) ;
TALLOC_FREE ( sampass ) ;
return NT_STATUS_NO_TRUST_SAM_ACCOUNT ;
}
2006-03-15 18:38:15 +03:00
break ;
2006-03-15 15:23:09 +03:00
default :
break ;
}
if ( ( pass = pdb_get_nt_passwd ( sampass ) ) = = NULL ) {
DEBUG ( 0 , ( " get_md4pw: Workstation %s: account does not have a password \n " , mach_acct ) ) ;
TALLOC_FREE ( sampass ) ;
return NT_STATUS_LOGON_FAILURE ;
}
memcpy ( md4pw , pass , 16 ) ;
2007-03-28 17:34:59 +04:00
dump_data ( 5 , ( uint8 * ) md4pw , 16 ) ;
2006-03-15 15:23:09 +03:00
2006-02-20 23:09:36 +03:00
TALLOC_FREE ( sampass ) ;
2008-02-13 14:24:56 +03:00
2006-03-15 15:23:09 +03:00
return NT_STATUS_OK ;
2008-02-13 14:24:56 +03:00
2001-05-04 19:44:27 +04:00
2001-02-27 03:32:11 +03:00
}
/*************************************************************************
2008-02-13 16:08:59 +03:00
_netr_ServerReqChallenge
2001-02-27 03:32:11 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-13 16:08:59 +03:00
NTSTATUS _netr_ServerReqChallenge ( pipes_struct * p ,
struct netr_ServerReqChallenge * r )
2001-02-27 03:32:11 +03:00
{
2005-09-30 21:13:37 +04:00
if ( ! p - > dc ) {
2008-06-20 18:22:49 +04:00
p - > dc = TALLOC_ZERO_P ( p , struct dcinfo ) ;
2005-09-30 21:13:37 +04:00
if ( ! p - > dc ) {
return NT_STATUS_NO_MEMORY ;
}
} else {
2008-02-13 16:08:59 +03:00
DEBUG ( 10 , ( " _netr_ServerReqChallenge: new challenge requested. Clearing old state. \n " ) ) ;
2005-09-30 21:13:37 +04:00
ZERO_STRUCTP ( p - > dc ) ;
}
2001-02-27 03:32:11 +03:00
2008-02-13 16:08:59 +03:00
fstrcpy ( p - > dc - > remote_machine , r - > in . computer_name ) ;
2001-02-27 03:32:11 +03:00
2005-09-30 21:13:37 +04:00
/* Save the client challenge to the server. */
2008-02-13 16:08:59 +03:00
memcpy ( p - > dc - > clnt_chal . data , r - > in . credentials - > data ,
sizeof ( r - > in . credentials - > data ) ) ;
2001-02-27 03:32:11 +03:00
2005-09-30 21:13:37 +04:00
/* Create a server challenge for the client */
/* Set this to a random value. */
generate_random_buffer ( p - > dc - > srv_chal . data , 8 ) ;
2008-02-13 14:24:56 +03:00
2001-02-27 03:32:11 +03:00
/* set up the LSA REQUEST CHALLENGE response */
2008-02-16 01:36:31 +03:00
init_net_r_req_chal ( r - > out . return_credentials , & p - > dc - > srv_chal ) ;
2008-02-13 14:24:56 +03:00
2005-09-30 21:13:37 +04:00
p - > dc - > challenge_sent = True ;
return NT_STATUS_OK ;
2001-02-27 03:32:11 +03:00
}
2001-04-24 03:31:09 +04:00
/*************************************************************************
2008-02-15 23:24:39 +03:00
_netr_ServerAuthenticate
Create the initial credentials .
2001-04-24 03:31:09 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-15 23:24:39 +03:00
NTSTATUS _netr_ServerAuthenticate ( pipes_struct * p ,
struct netr_ServerAuthenticate * r )
2001-04-24 03:31:09 +04:00
{
2006-03-15 15:23:09 +03:00
NTSTATUS status ;
2008-02-16 01:57:19 +03:00
struct netr_Credential srv_chal_out ;
2001-04-24 03:31:09 +04:00
2005-09-30 21:13:37 +04:00
if ( ! p - > dc | | ! p - > dc - > challenge_sent ) {
return NT_STATUS_ACCESS_DENIED ;
}
2001-04-24 03:31:09 +04:00
2008-02-15 23:24:39 +03:00
status = get_md4pw ( ( char * ) p - > dc - > mach_pw ,
r - > in . account_name ,
r - > in . secure_channel_type ) ;
2006-03-15 15:23:09 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2008-02-15 23:24:39 +03:00
DEBUG ( 0 , ( " _netr_ServerAuthenticate: get_md4pw failed. Failed to "
2006-03-15 15:23:09 +03:00
" get password for machine account %s "
" from client %s: %s \n " ,
2008-02-15 23:24:39 +03:00
r - > in . account_name ,
r - > in . computer_name ,
nt_errstr ( status ) ) ) ;
2006-03-15 15:23:09 +03:00
/* always return NT_STATUS_ACCESS_DENIED */
2005-09-30 21:13:37 +04:00
return NT_STATUS_ACCESS_DENIED ;
}
2002-03-03 07:25:29 +03:00
2005-09-30 21:13:37 +04:00
/* From the client / server challenges and md4 password, generate sess key */
2006-02-17 07:22:32 +03:00
creds_server_init ( 0 , /* No neg flags. */
p - > dc ,
2005-09-30 21:13:37 +04:00
& p - > dc - > clnt_chal , /* Stored client chal. */
& p - > dc - > srv_chal , /* Stored server chal. */
2006-02-18 03:27:31 +03:00
p - > dc - > mach_pw ,
2008-02-13 14:24:56 +03:00
& srv_chal_out ) ;
2005-09-30 21:13:37 +04:00
/* Check client credentials are valid. */
2008-02-15 23:24:39 +03:00
if ( ! netlogon_creds_server_check ( p - > dc , r - > in . credentials ) ) {
DEBUG ( 0 , ( " _netr_ServerAuthenticate: netlogon_creds_server_check failed. Rejecting auth "
2005-09-30 21:13:37 +04:00
" request from client %s machine account %s \n " ,
2008-02-15 23:24:39 +03:00
r - > in . computer_name ,
r - > in . account_name ) ) ;
2005-09-30 21:13:37 +04:00
return NT_STATUS_ACCESS_DENIED ;
2001-04-24 03:31:09 +04:00
}
2005-09-30 21:13:37 +04:00
2008-02-15 23:24:39 +03:00
fstrcpy ( p - > dc - > mach_acct , r - > in . account_name ) ;
fstrcpy ( p - > dc - > remote_machine , r - > in . computer_name ) ;
2005-09-30 21:13:37 +04:00
p - > dc - > authenticated = True ;
2002-03-03 06:56:53 +03:00
/* set up the LSA AUTH response */
2005-09-30 21:13:37 +04:00
/* Return the server credentials. */
2001-04-24 03:31:09 +04:00
2008-02-16 01:36:31 +03:00
memcpy ( r - > out . return_credentials - > data , & srv_chal_out . data ,
sizeof ( r - > out . return_credentials - > data ) ) ;
2008-02-15 23:24:39 +03:00
return NT_STATUS_OK ;
2001-04-24 03:31:09 +04:00
}
/*************************************************************************
2008-02-15 23:41:16 +03:00
_netr_ServerAuthenticate2
2001-04-24 03:31:09 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-15 23:41:16 +03:00
NTSTATUS _netr_ServerAuthenticate2 ( pipes_struct * p ,
struct netr_ServerAuthenticate2 * r )
2001-02-27 03:32:11 +03:00
{
2006-03-15 15:23:09 +03:00
NTSTATUS status ;
2008-02-15 23:41:16 +03:00
uint32_t srv_flgs ;
2008-02-16 01:57:19 +03:00
struct netr_Credential srv_chal_out ;
2005-09-30 21:13:37 +04:00
2008-02-15 23:41:16 +03:00
/* We use this as the key to store the creds: */
/* r->in.computer_name */
2001-02-27 03:32:11 +03:00
2005-09-30 21:13:37 +04:00
if ( ! p - > dc | | ! p - > dc - > challenge_sent ) {
2008-02-15 23:41:16 +03:00
DEBUG ( 0 , ( " _netr_ServerAuthenticate2: no challenge sent to client %s \n " ,
r - > in . computer_name ) ) ;
2005-09-30 21:13:37 +04:00
return NT_STATUS_ACCESS_DENIED ;
}
2001-02-27 03:32:11 +03:00
2008-02-15 23:41:16 +03:00
if ( ( lp_server_schannel ( ) = = true ) & &
( ( * r - > in . negotiate_flags & NETLOGON_NEG_SCHANNEL ) = = 0 ) ) {
2003-04-06 11:04:09 +04:00
/* schannel must be used, but client did not offer it. */
2008-02-15 23:41:16 +03:00
DEBUG ( 0 , ( " _netr_ServerAuthenticate2: schannel required but client failed "
2005-09-30 21:13:37 +04:00
" to offer it. Client was %s \n " ,
2008-02-15 23:41:16 +03:00
r - > in . account_name ) ) ;
2005-09-30 21:13:37 +04:00
return NT_STATUS_ACCESS_DENIED ;
2003-04-06 11:04:09 +04:00
}
2008-02-15 23:41:16 +03:00
status = get_md4pw ( ( char * ) p - > dc - > mach_pw ,
r - > in . account_name ,
r - > in . secure_channel_type ) ;
2006-03-15 15:23:09 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2008-02-15 23:41:16 +03:00
DEBUG ( 0 , ( " _netr_ServerAuthenticate2: failed to get machine password for "
2006-03-15 15:23:09 +03:00
" account %s: %s \n " ,
2008-02-15 23:41:16 +03:00
r - > in . account_name , nt_errstr ( status ) ) ) ;
2006-03-15 15:23:09 +03:00
/* always return NT_STATUS_ACCESS_DENIED */
2005-09-30 21:13:37 +04:00
return NT_STATUS_ACCESS_DENIED ;
}
2002-03-03 06:56:53 +03:00
2005-09-30 21:13:37 +04:00
/* From the client / server challenges and md4 password, generate sess key */
2008-02-15 23:41:16 +03:00
creds_server_init ( * r - > in . negotiate_flags ,
2006-02-17 07:22:32 +03:00
p - > dc ,
2005-09-30 21:13:37 +04:00
& p - > dc - > clnt_chal , /* Stored client chal. */
& p - > dc - > srv_chal , /* Stored server chal. */
2006-02-18 03:27:31 +03:00
p - > dc - > mach_pw ,
2008-02-13 14:24:56 +03:00
& srv_chal_out ) ;
2005-09-30 21:13:37 +04:00
/* Check client credentials are valid. */
2008-02-15 23:41:16 +03:00
if ( ! netlogon_creds_server_check ( p - > dc , r - > in . credentials ) ) {
DEBUG ( 0 , ( " _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth "
2005-09-30 21:13:37 +04:00
" request from client %s machine account %s \n " ,
2008-02-15 23:41:16 +03:00
r - > in . computer_name ,
r - > in . account_name ) ) ;
2005-09-30 21:13:37 +04:00
return NT_STATUS_ACCESS_DENIED ;
2001-02-27 03:32:11 +03:00
}
2005-09-30 21:13:37 +04:00
2008-08-22 02:20:46 +04:00
/* 0x000001ff */
srv_flgs = NETLOGON_NEG_ACCOUNT_LOCKOUT |
NETLOGON_NEG_PERSISTENT_SAMREPL |
NETLOGON_NEG_ARCFOUR |
NETLOGON_NEG_PROMOTION_COUNT |
NETLOGON_NEG_CHANGELOG_BDC |
NETLOGON_NEG_FULL_SYNC_REPL |
NETLOGON_NEG_MULTIPLE_SIDS |
NETLOGON_NEG_REDO |
NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL ;
2001-02-27 03:32:11 +03:00
2008-02-15 23:41:16 +03:00
if ( lp_server_schannel ( ) ! = false ) {
srv_flgs | = NETLOGON_NEG_SCHANNEL ;
2003-04-06 11:04:09 +04:00
}
2001-02-27 03:32:11 +03:00
/* set up the LSA AUTH 2 response */
2008-02-16 01:36:31 +03:00
memcpy ( r - > out . return_credentials - > data , & srv_chal_out . data ,
sizeof ( r - > out . return_credentials - > data ) ) ;
2008-02-15 23:41:16 +03:00
* r - > out . negotiate_flags = srv_flgs ;
2001-02-27 03:32:11 +03:00
2008-02-15 23:41:16 +03:00
fstrcpy ( p - > dc - > mach_acct , r - > in . account_name ) ;
fstrcpy ( p - > dc - > remote_machine , r - > in . computer_name ) ;
2005-10-07 05:46:19 +04:00
fstrcpy ( p - > dc - > domain , lp_workgroup ( ) ) ;
2005-10-05 05:47:52 +04:00
2005-09-30 21:13:37 +04:00
p - > dc - > authenticated = True ;
2005-10-07 05:46:19 +04:00
/* Store off the state so we can continue after client disconnect. */
become_root ( ) ;
2006-02-18 00:32:31 +03:00
secrets_store_schannel_session_info ( p - > mem_ctx ,
2008-02-15 23:41:16 +03:00
r - > in . computer_name ,
p - > dc ) ;
2005-10-07 05:46:19 +04:00
unbecome_root ( ) ;
2003-04-06 11:04:09 +04:00
2008-02-15 23:41:16 +03:00
return NT_STATUS_OK ;
2001-02-27 03:32:11 +03:00
}
/*************************************************************************
2008-02-15 23:13:50 +03:00
_netr_ServerPasswordSet
2001-02-27 03:32:11 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-15 23:13:50 +03:00
NTSTATUS _netr_ServerPasswordSet ( pipes_struct * p ,
struct netr_ServerPasswordSet * r )
2001-02-27 03:32:11 +03:00
{
2008-02-15 23:13:50 +03:00
NTSTATUS status = NT_STATUS_OK ;
2006-02-18 04:21:18 +03:00
fstring remote_machine ;
2006-02-20 23:09:36 +03:00
struct samu * sampass = NULL ;
2007-10-19 04:40:25 +04:00
bool ret = False ;
2001-02-27 03:32:11 +03:00
unsigned char pwd [ 16 ] ;
int i ;
2002-03-03 06:56:53 +03:00
uint32 acct_ctrl ;
2008-02-15 23:13:50 +03:00
struct netr_Authenticator cred_out ;
2004-08-31 23:56:16 +04:00
const uchar * old_pw ;
2001-02-27 03:32:11 +03:00
2008-02-15 23:13:50 +03:00
DEBUG ( 5 , ( " _netr_ServerPasswordSet: %d \n " , __LINE__ ) ) ;
2006-02-16 02:15:55 +03:00
2006-02-18 04:21:18 +03:00
/* We need the remote machine name for the creds lookup. */
2008-02-15 23:13:50 +03:00
fstrcpy ( remote_machine , r - > in . computer_name ) ;
2006-02-16 02:15:55 +03:00
2006-02-18 03:39:31 +03:00
if ( ( lp_server_schannel ( ) = = True ) & & ( p - > auth . auth_type ! = PIPE_AUTH_TYPE_SCHANNEL ) ) {
/* 'server schannel = yes' should enforce use of
schannel , the client did offer it in auth2 , but
obviously did not use it . */
2008-02-15 23:13:50 +03:00
DEBUG ( 0 , ( " _netr_ServerPasswordSet: client %s not using schannel for netlogon \n " ,
2006-02-18 04:21:18 +03:00
remote_machine ) ) ;
2006-02-18 03:39:31 +03:00
return NT_STATUS_ACCESS_DENIED ;
}
2006-02-16 02:15:55 +03:00
if ( ! p - > dc ) {
/* Restore the saved state of the netlogon creds. */
become_root ( ) ;
2008-06-20 18:22:49 +04:00
ret = secrets_restore_schannel_session_info ( p , remote_machine ,
& p - > dc ) ;
2006-02-16 02:15:55 +03:00
unbecome_root ( ) ;
if ( ! ret ) {
return NT_STATUS_INVALID_HANDLE ;
}
}
2005-09-30 21:13:37 +04:00
if ( ! p - > dc | | ! p - > dc - > authenticated ) {
2001-02-27 03:32:11 +03:00
return NT_STATUS_INVALID_HANDLE ;
2005-09-30 21:13:37 +04:00
}
2001-02-27 03:32:11 +03:00
2008-02-15 23:13:50 +03:00
DEBUG ( 3 , ( " _netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s] \n " ,
2006-02-18 04:21:18 +03:00
remote_machine , p - > dc - > mach_acct ) ) ;
2008-02-13 14:24:56 +03:00
2005-09-30 21:13:37 +04:00
/* Step the creds chain forward. */
2008-02-15 23:13:50 +03:00
if ( ! netlogon_creds_server_step ( p - > dc , r - > in . credential , & cred_out ) ) {
DEBUG ( 2 , ( " _netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
2005-09-30 21:13:37 +04:00
" request from client %s machine account %s \n " ,
2006-02-18 04:21:18 +03:00
remote_machine , p - > dc - > mach_acct ) ) ;
2006-02-09 03:23:40 +03:00
return NT_STATUS_INVALID_PARAMETER ;
2005-09-30 21:13:37 +04:00
}
2001-02-27 03:32:11 +03:00
2006-02-16 02:15:55 +03:00
/* We must store the creds state after an update. */
2006-06-15 05:54:09 +04:00
sampass = samu_new ( NULL ) ;
if ( ! sampass ) {
return NT_STATUS_NO_MEMORY ;
}
2001-02-27 03:32:11 +03:00
become_root ( ) ;
2008-06-20 18:22:49 +04:00
secrets_store_schannel_session_info ( p , remote_machine , p - > dc ) ;
2006-06-15 05:54:09 +04:00
ret = pdb_getsampwnam ( sampass , p - > dc - > mach_acct ) ;
2001-02-27 03:32:11 +03:00
unbecome_root ( ) ;
2006-06-15 05:54:09 +04:00
if ( ! ret ) {
TALLOC_FREE ( sampass ) ;
return NT_STATUS_ACCESS_DENIED ;
}
2006-02-21 17:34:11 +03:00
2001-03-12 01:26:28 +03:00
/* Ensure the account exists and is a machine account. */
2008-02-13 14:24:56 +03:00
2002-03-03 06:56:53 +03:00
acct_ctrl = pdb_get_acct_ctrl ( sampass ) ;
2001-03-12 01:26:28 +03:00
2006-06-15 05:54:09 +04:00
if ( ! ( acct_ctrl & ACB_WSTRUST | |
2002-03-03 06:56:53 +03:00
acct_ctrl & ACB_SVRTRUST | |
2006-06-15 05:54:09 +04:00
acct_ctrl & ACB_DOMTRUST ) ) {
2006-02-20 23:09:36 +03:00
TALLOC_FREE ( sampass ) ;
2001-02-27 03:32:11 +03:00
return NT_STATUS_NO_SUCH_USER ;
2001-05-04 19:44:27 +04:00
}
2008-02-13 14:24:56 +03:00
2002-01-21 02:05:23 +03:00
if ( pdb_get_acct_ctrl ( sampass ) & ACB_DISABLED ) {
2006-02-20 23:09:36 +03:00
TALLOC_FREE ( sampass ) ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
return NT_STATUS_ACCOUNT_DISABLED ;
}
2005-09-30 21:13:37 +04:00
/* Woah - what does this to to the credential chain ? JRA */
2008-02-15 23:13:50 +03:00
cred_hash3 ( pwd , r - > in . new_password - > hash , p - > dc - > sess_key , 0 ) ;
2004-08-31 23:56:16 +04:00
2008-02-15 23:13:50 +03:00
DEBUG ( 100 , ( " _netr_ServerPasswordSet: new given value was : \n " ) ) ;
2004-10-01 07:14:57 +04:00
for ( i = 0 ; i < sizeof ( pwd ) ; i + + )
DEBUG ( 100 , ( " %02X " , pwd [ i ] ) ) ;
2001-02-27 03:32:11 +03:00
DEBUG ( 100 , ( " \n " ) ) ;
2004-08-31 23:56:16 +04:00
old_pw = pdb_get_nt_passwd ( sampass ) ;
2001-02-27 03:32:11 +03:00
2004-08-31 23:56:16 +04:00
if ( old_pw & & memcmp ( pwd , old_pw , 16 ) = = 0 ) {
2008-02-13 14:24:56 +03:00
/* Avoid backend modificiations and other fun if the
2004-08-31 23:56:16 +04:00
client changed the password to the * same thing * */
2001-09-29 17:08:26 +04:00
2004-08-31 23:56:16 +04:00
ret = True ;
} else {
2001-09-29 17:08:26 +04:00
2004-08-31 23:56:16 +04:00
/* LM password should be NULL for machines */
2005-09-30 21:13:37 +04:00
if ( ! pdb_set_lanman_passwd ( sampass , NULL , PDB_CHANGED ) ) {
2006-02-20 23:09:36 +03:00
TALLOC_FREE ( sampass ) ;
2004-08-31 23:56:16 +04:00
return NT_STATUS_NO_MEMORY ;
}
2008-02-13 14:24:56 +03:00
2005-09-30 21:13:37 +04:00
if ( ! pdb_set_nt_passwd ( sampass , pwd , PDB_CHANGED ) ) {
2006-02-20 23:09:36 +03:00
TALLOC_FREE ( sampass ) ;
2004-08-31 23:56:16 +04:00
return NT_STATUS_NO_MEMORY ;
}
2008-02-13 14:24:56 +03:00
2006-10-03 21:14:18 +04:00
if ( ! pdb_set_pass_last_set_time ( sampass , time ( NULL ) , PDB_CHANGED ) ) {
2006-02-20 23:09:36 +03:00
TALLOC_FREE ( sampass ) ;
2004-08-31 23:56:16 +04:00
/* Not quite sure what this one qualifies as, but this will do */
2008-02-13 14:24:56 +03:00
return NT_STATUS_UNSUCCESSFUL ;
2004-08-31 23:56:16 +04:00
}
2008-02-13 14:24:56 +03:00
2004-08-31 23:56:16 +04:00
become_root ( ) ;
2008-02-15 23:13:50 +03:00
status = pdb_update_sam_account ( sampass ) ;
2004-08-31 23:56:16 +04:00
unbecome_root ( ) ;
2001-10-29 10:15:51 +03:00
}
2001-02-27 03:32:11 +03:00
/* set up the LSA Server Password Set response */
2008-02-15 23:13:50 +03:00
memcpy ( r - > out . return_authenticator , & cred_out ,
sizeof ( r - > out . return_authenticator ) ) ;
2001-02-27 03:32:11 +03:00
2006-02-20 23:09:36 +03:00
TALLOC_FREE ( sampass ) ;
2008-02-15 23:13:50 +03:00
return status ;
2001-02-27 03:32:11 +03:00
}
/*************************************************************************
2008-02-15 23:46:42 +03:00
_netr_LogonSamLogoff
2001-02-27 03:32:11 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-15 23:46:42 +03:00
NTSTATUS _netr_LogonSamLogoff ( pipes_struct * p ,
struct netr_LogonSamLogoff * r )
2001-02-27 03:32:11 +03:00
{
2006-02-18 03:39:31 +03:00
if ( ( lp_server_schannel ( ) = = True ) & & ( p - > auth . auth_type ! = PIPE_AUTH_TYPE_SCHANNEL ) ) {
/* 'server schannel = yes' should enforce use of
schannel , the client did offer it in auth2 , but
obviously did not use it . */
2008-02-15 23:46:42 +03:00
DEBUG ( 0 , ( " _netr_LogonSamLogoff: client %s not using schannel for netlogon \n " ,
2006-02-18 03:39:31 +03:00
get_remote_machine_name ( ) ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
2008-02-15 23:46:42 +03:00
/* Using the remote machine name for the creds store: */
/* r->in.computer_name */
2006-02-18 04:21:18 +03:00
2006-02-16 02:15:55 +03:00
if ( ! p - > dc ) {
/* Restore the saved state of the netlogon creds. */
2007-10-19 04:40:25 +04:00
bool ret ;
2006-02-16 02:15:55 +03:00
become_root ( ) ;
2008-06-20 18:22:49 +04:00
ret = secrets_restore_schannel_session_info (
p , r - > in . computer_name , & p - > dc ) ;
2006-02-16 02:15:55 +03:00
unbecome_root ( ) ;
if ( ! ret ) {
return NT_STATUS_INVALID_HANDLE ;
}
}
2005-09-30 21:13:37 +04:00
if ( ! p - > dc | | ! p - > dc - > authenticated ) {
2001-02-27 03:32:11 +03:00
return NT_STATUS_INVALID_HANDLE ;
2005-09-30 21:13:37 +04:00
}
2001-02-27 03:32:11 +03:00
2005-09-30 21:13:37 +04:00
/* checks and updates credentials. creates reply credentials */
2008-02-15 23:46:42 +03:00
if ( ! netlogon_creds_server_step ( p - > dc , r - > in . credential , r - > out . return_authenticator ) ) {
DEBUG ( 2 , ( " _netr_LogonSamLogoff: netlogon_creds_server_step failed. Rejecting auth "
2005-09-30 21:13:37 +04:00
" request from client %s machine account %s \n " ,
2008-02-15 23:46:42 +03:00
r - > in . computer_name , p - > dc - > mach_acct ) ) ;
2006-02-09 03:23:40 +03:00
return NT_STATUS_INVALID_PARAMETER ;
2005-09-30 21:13:37 +04:00
}
2001-02-27 03:32:11 +03:00
2006-02-16 02:15:55 +03:00
/* We must store the creds state after an update. */
become_root ( ) ;
2008-06-20 18:22:49 +04:00
secrets_store_schannel_session_info ( p , r - > in . computer_name , p - > dc ) ;
2006-02-16 02:15:55 +03:00
unbecome_root ( ) ;
2008-02-15 23:46:42 +03:00
return NT_STATUS_OK ;
2001-02-27 03:32:11 +03:00
}
/*************************************************************************
2008-02-16 15:28:03 +03:00
_netr_LogonSamLogon
2001-02-27 03:32:11 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-16 15:28:03 +03:00
NTSTATUS _netr_LogonSamLogon ( pipes_struct * p ,
struct netr_LogonSamLogon * r )
2001-02-27 03:32:11 +03:00
{
2001-08-27 23:46:22 +04:00
NTSTATUS status = NT_STATUS_OK ;
2008-02-16 15:28:03 +03:00
struct netr_SamInfo3 * sam3 = NULL ;
2008-10-15 18:14:15 +04:00
union netr_LogonLevel * logon = r - > in . logon ;
2001-09-06 09:24:37 +04:00
fstring nt_username , nt_domain , nt_workstation ;
2001-10-31 15:07:59 +03:00
auth_usersupplied_info * user_info = NULL ;
auth_serversupplied_info * server_info = NULL ;
2003-07-01 00:45:14 +04:00
struct auth_context * auth_context = NULL ;
2008-05-18 00:44:35 +04:00
uint8_t pipe_session_key [ 16 ] ;
2008-02-16 15:28:03 +03:00
bool process_creds = true ;
switch ( p - > hdr_req . opnum ) {
case NDR_NETR_LOGONSAMLOGON :
process_creds = true ;
break ;
case NDR_NETR_LOGONSAMLOGONEX :
default :
process_creds = false ;
}
2008-02-13 14:24:56 +03:00
2006-02-18 03:39:31 +03:00
if ( ( lp_server_schannel ( ) = = True ) & & ( p - > auth . auth_type ! = PIPE_AUTH_TYPE_SCHANNEL ) ) {
/* 'server schannel = yes' should enforce use of
schannel , the client did offer it in auth2 , but
obviously did not use it . */
2008-02-16 15:28:03 +03:00
DEBUG ( 0 , ( " _netr_LogonSamLogon: client %s not using schannel for netlogon \n " ,
2006-02-18 03:39:31 +03:00
get_remote_machine_name ( ) ) ) ;
return NT_STATUS_ACCESS_DENIED ;
}
2008-02-16 15:28:03 +03:00
sam3 = TALLOC_ZERO_P ( p - > mem_ctx , struct netr_SamInfo3 ) ;
if ( ! sam3 ) {
2001-02-27 03:32:11 +03:00
return NT_STATUS_NO_MEMORY ;
2006-02-18 03:39:31 +03:00
}
2001-05-04 19:44:27 +04:00
2002-03-27 20:39:01 +03:00
/* store the user information, if there is any. */
2008-02-16 15:28:03 +03:00
r - > out . validation - > sam3 = sam3 ;
* r - > out . authoritative = true ; /* authoritative response */
if ( r - > in . validation_level ! = 2 & & r - > in . validation_level ! = 3 ) {
DEBUG ( 0 , ( " _netr_LogonSamLogon: bad validation_level value %d. \n " ,
( int ) r - > in . validation_level ) ) ;
2006-02-09 03:23:40 +03:00
return NT_STATUS_ACCESS_DENIED ;
}
2008-02-13 14:24:56 +03:00
2006-02-16 02:15:55 +03:00
if ( process_creds ) {
2006-02-18 04:21:18 +03:00
/* Get the remote machine name for the creds store. */
/* Note this is the remote machine this request is coming from (member server),
not neccessarily the workstation name the user is logging onto .
*/
2008-02-16 15:28:03 +03:00
2006-02-16 02:15:55 +03:00
if ( ! p - > dc ) {
/* Restore the saved state of the netlogon creds. */
2007-10-19 04:40:25 +04:00
bool ret ;
2006-02-16 02:15:55 +03:00
become_root ( ) ;
2008-06-20 18:22:49 +04:00
ret = secrets_restore_schannel_session_info (
2008-10-27 20:23:50 +03:00
p , r - > in . computer_name , & p - > dc ) ;
2006-02-16 02:15:55 +03:00
unbecome_root ( ) ;
if ( ! ret ) {
return NT_STATUS_INVALID_HANDLE ;
}
}
if ( ! p - > dc | | ! p - > dc - > authenticated ) {
return NT_STATUS_INVALID_HANDLE ;
}
/* checks and updates credentials. creates reply credentials */
2008-02-16 15:28:03 +03:00
if ( ! netlogon_creds_server_step ( p - > dc , r - > in . credential , r - > out . return_authenticator ) ) {
DEBUG ( 2 , ( " _netr_LogonSamLogon: creds_server_step failed. Rejecting auth "
2006-02-16 02:15:55 +03:00
" request from client %s machine account %s \n " ,
2008-10-27 20:23:50 +03:00
r - > in . computer_name , p - > dc - > mach_acct ) ) ;
2006-02-16 02:15:55 +03:00
return NT_STATUS_INVALID_PARAMETER ;
}
/* We must store the creds state after an update. */
become_root ( ) ;
2008-10-27 20:23:50 +03:00
secrets_store_schannel_session_info ( p , r - > in . computer_name , p - > dc ) ;
2006-02-16 02:15:55 +03:00
unbecome_root ( ) ;
}
2008-02-16 15:28:03 +03:00
switch ( r - > in . logon_level ) {
2008-10-15 18:14:15 +04:00
case NetlogonInteractiveInformation :
2008-02-16 15:28:03 +03:00
fstrcpy ( nt_username ,
logon - > password - > identity_info . account_name . string ) ;
fstrcpy ( nt_domain ,
logon - > password - > identity_info . domain_name . string ) ;
fstrcpy ( nt_workstation ,
logon - > password - > identity_info . workstation . string ) ;
2008-02-13 14:24:56 +03:00
2006-02-18 00:32:31 +03:00
DEBUG ( 3 , ( " SAM Logon (Interactive). Domain:[%s]. " , lp_workgroup ( ) ) ) ;
break ;
2008-10-15 18:14:15 +04:00
case NetlogonNetworkInformation :
2008-02-16 15:28:03 +03:00
fstrcpy ( nt_username ,
logon - > network - > identity_info . account_name . string ) ;
fstrcpy ( nt_domain ,
logon - > network - > identity_info . domain_name . string ) ;
fstrcpy ( nt_workstation ,
logon - > network - > identity_info . workstation . string ) ;
2008-02-13 14:24:56 +03:00
2006-02-18 00:32:31 +03:00
DEBUG ( 3 , ( " SAM Logon (Network). Domain:[%s]. " , lp_workgroup ( ) ) ) ;
break ;
default :
DEBUG ( 2 , ( " SAM Logon: unsupported switch value \n " ) ) ;
return NT_STATUS_INVALID_INFO_CLASS ;
} /* end switch */
DEBUG ( 3 , ( " User:[%s@%s] Requested Domain:[%s] \n " , nt_username , nt_workstation , nt_domain ) ) ;
2003-01-04 09:15:24 +03:00
fstrcpy ( current_user_info . smb_name , nt_username ) ;
2002-11-20 03:53:24 +03:00
sub_set_smb_name ( nt_username ) ;
2008-02-13 14:24:56 +03:00
2008-02-16 15:28:03 +03:00
DEBUG ( 5 , ( " Attempting validation level %d for unmapped username %s. \n " ,
r - > in . validation_level , nt_username ) ) ;
2001-02-27 03:32:11 +03:00
2003-07-01 00:45:14 +04:00
status = NT_STATUS_OK ;
2008-02-13 14:24:56 +03:00
2008-02-16 15:28:03 +03:00
switch ( r - > in . logon_level ) {
2008-10-15 18:14:15 +04:00
case NetlogonNetworkInformation :
This is another rather major change to the samba authenticaion
subystem.
The particular aim is to modularized the interface - so that we
can have arbitrary password back-ends.
This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality. While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.
This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists. It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.
Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.
While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.
The following parameters have changed:
- use rhosts =
This has been replaced by the 'rhosts' authentication method,
and can be specified like 'auth methods = guest rhosts'
- hosts equiv =
This needs both this parameter and an 'auth methods' entry
to be effective. (auth methods = guest hostsequiv ....)
- plaintext to smbpasswd =
This is replaced by specifying 'sam' rather than 'local'
in the auth methods.
The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.
The available auth methods are:
guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)
Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.
Andrew Bartlett
(This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)
2001-11-24 15:12:38 +03:00
{
2004-03-18 10:36:36 +03:00
const char * wksname = nt_workstation ;
2008-02-13 14:24:56 +03:00
2008-02-16 15:28:03 +03:00
status = make_auth_context_fixed ( & auth_context ,
logon - > network - > challenge ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2002-01-05 07:55:41 +03:00
return status ;
}
2004-03-18 10:36:36 +03:00
/* For a network logon, the workstation name comes in with two
* backslashes in the front . Strip them if they are there . */
if ( * wksname = = ' \\ ' ) wksname + + ;
if ( * wksname = = ' \\ ' ) wksname + + ;
2001-11-26 07:05:28 +03:00
/* Standard challenge/response authenticaion */
2008-02-13 14:24:56 +03:00
if ( ! make_user_info_netlogon_network ( & user_info ,
nt_username , nt_domain ,
2004-03-18 10:36:36 +03:00
wksname ,
2008-02-16 15:28:03 +03:00
logon - > network - > identity_info . parameter_control ,
logon - > network - > lm . data ,
logon - > network - > lm . length ,
logon - > network - > nt . data ,
logon - > network - > nt . length ) ) {
2002-01-05 07:55:41 +03:00
status = NT_STATUS_NO_MEMORY ;
2008-02-13 14:24:56 +03:00
}
2001-10-31 13:46:25 +03:00
break ;
This is another rather major change to the samba authenticaion
subystem.
The particular aim is to modularized the interface - so that we
can have arbitrary password back-ends.
This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality. While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.
This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists. It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.
Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.
While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.
The following parameters have changed:
- use rhosts =
This has been replaced by the 'rhosts' authentication method,
and can be specified like 'auth methods = guest rhosts'
- hosts equiv =
This needs both this parameter and an 'auth methods' entry
to be effective. (auth methods = guest hostsequiv ....)
- plaintext to smbpasswd =
This is replaced by specifying 'sam' rather than 'local'
in the auth methods.
The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.
The available auth methods are:
guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)
Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.
Andrew Bartlett
(This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)
2001-11-24 15:12:38 +03:00
}
2008-10-15 18:14:15 +04:00
case NetlogonInteractiveInformation :
2006-02-04 01:19:41 +03:00
/* 'Interactive' authentication, supplies the password in its
MD4 form , encrypted with the session key . We will convert
this to challenge / response for the auth subsystem to chew
on */
2001-10-31 13:46:25 +03:00
{
2002-01-05 07:55:41 +03:00
const uint8 * chal ;
2008-02-13 14:24:56 +03:00
2002-01-05 07:55:41 +03:00
if ( ! NT_STATUS_IS_OK ( status = make_auth_context_subsystem ( & auth_context ) ) ) {
return status ;
This is another rather major change to the samba authenticaion
subystem.
The particular aim is to modularized the interface - so that we
can have arbitrary password back-ends.
This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality. While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.
This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists. It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.
Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.
While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.
The following parameters have changed:
- use rhosts =
This has been replaced by the 'rhosts' authentication method,
and can be specified like 'auth methods = guest rhosts'
- hosts equiv =
This needs both this parameter and an 'auth methods' entry
to be effective. (auth methods = guest hostsequiv ....)
- plaintext to smbpasswd =
This is replaced by specifying 'sam' rather than 'local'
in the auth methods.
The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.
The available auth methods are:
guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)
Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.
Andrew Bartlett
(This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)
2001-11-24 15:12:38 +03:00
}
2008-02-13 14:24:56 +03:00
2002-01-05 07:55:41 +03:00
chal = auth_context - > get_ntlm_challenge ( auth_context ) ;
2008-02-13 14:24:56 +03:00
if ( ! make_user_info_netlogon_interactive ( & user_info ,
nt_username , nt_domain ,
nt_workstation ,
2008-02-16 15:28:03 +03:00
logon - > password - > identity_info . parameter_control ,
2005-11-08 09:19:34 +03:00
chal ,
2008-02-16 15:28:03 +03:00
logon - > password - > lmpassword . hash ,
logon - > password - > ntpassword . hash ,
2005-09-30 21:13:37 +04:00
p - > dc - > sess_key ) ) {
2002-01-05 07:55:41 +03:00
status = NT_STATUS_NO_MEMORY ;
}
2001-10-31 13:46:25 +03:00
break ;
}
default :
DEBUG ( 2 , ( " SAM Logon: unsupported switch value \n " ) ) ;
return NT_STATUS_INVALID_INFO_CLASS ;
} /* end switch */
2008-02-13 14:24:56 +03:00
2003-07-01 00:45:14 +04:00
if ( NT_STATUS_IS_OK ( status ) ) {
2008-02-13 14:24:56 +03:00
status = auth_context - > check_ntlm_password ( auth_context ,
2003-07-01 00:45:14 +04:00
user_info , & server_info ) ;
}
2008-02-13 14:24:56 +03:00
( auth_context - > free ) ( & auth_context ) ;
2001-10-31 13:46:25 +03:00
free_user_info ( & user_info ) ;
2008-02-13 14:24:56 +03:00
2008-02-16 15:28:03 +03:00
DEBUG ( 5 , ( " _netr_LogonSamLogon: check_password returned status %s \n " ,
2002-03-17 07:36:35 +03:00
nt_errstr ( status ) ) ) ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
/* Check account and password */
2008-02-13 14:24:56 +03:00
2001-11-25 05:30:30 +03:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2008-02-13 14:24:56 +03:00
/* If we don't know what this domain is, we need to
indicate that we are not authoritative . This
allows the client to decide if it needs to try
2005-08-12 19:28:19 +04:00
a local user . Fix by jpjanosi @ us . ibm . com , # 2976 */
2008-02-13 14:24:56 +03:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_NO_SUCH_USER )
2005-08-12 19:28:19 +04:00
& & ! strequal ( nt_domain , get_global_sam_name ( ) )
& & ! is_trusted_domain ( nt_domain ) )
2008-02-16 15:28:03 +03:00
* r - > out . authoritative = false ; /* We are not authoritative */
2005-08-12 19:28:19 +04:00
2006-02-20 20:59:58 +03:00
TALLOC_FREE ( server_info ) ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-08-03 17:09:23 +04:00
return status ;
2001-05-04 19:44:27 +04:00
}
2001-10-31 13:46:25 +03:00
2001-11-09 01:19:01 +03:00
if ( server_info - > guest ) {
/* We don't like guest domain logons... */
2008-02-16 15:28:03 +03:00
DEBUG ( 5 , ( " _netr_LogonSamLogon: Attempted domain logon as GUEST "
2006-02-04 01:19:41 +03:00
" denied. \n " ) ) ;
2006-02-20 20:59:58 +03:00
TALLOC_FREE ( server_info ) ;
2001-11-09 01:19:01 +03:00
return NT_STATUS_LOGON_FAILURE ;
}
2001-09-06 09:24:37 +04:00
/* This is the point at which, if the login was successful, that
the SAM Local Security Authority should record that the user is
logged in to the domain . */
2007-11-27 22:22:58 +03:00
2008-05-18 00:44:35 +04:00
if ( process_creds ) {
/* Get the pipe session key from the creds. */
memcpy ( pipe_session_key , p - > dc - > sess_key , 16 ) ;
} else {
/* Get the pipe session key from the schannel. */
if ( ( p - > auth . auth_type ! = PIPE_AUTH_TYPE_SCHANNEL )
| | ( p - > auth . a_u . schannel_auth = = NULL ) ) {
return NT_STATUS_INVALID_HANDLE ;
2008-02-16 15:28:03 +03:00
}
2008-05-18 00:44:35 +04:00
memcpy ( pipe_session_key , p - > auth . a_u . schannel_auth - > sess_key , 16 ) ;
2001-05-04 19:44:27 +04:00
}
2008-05-18 00:44:35 +04:00
2008-11-06 12:19:20 +03:00
status = serverinfo_to_SamInfo3 ( server_info , pipe_session_key , 16 , sam3 ) ;
2006-02-20 20:59:58 +03:00
TALLOC_FREE ( server_info ) ;
2001-05-04 19:44:27 +04:00
return status ;
2001-02-27 03:32:11 +03:00
}
2001-10-31 13:46:25 +03:00
2006-02-10 21:05:55 +03:00
/*************************************************************************
2008-02-16 15:28:03 +03:00
_netr_LogonSamLogonEx
- no credential chaining . Map into net sam logon .
2006-02-10 21:51:18 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-16 15:28:03 +03:00
NTSTATUS _netr_LogonSamLogonEx ( pipes_struct * p ,
struct netr_LogonSamLogonEx * r )
2006-02-10 21:05:55 +03:00
{
2008-02-16 15:28:03 +03:00
struct netr_LogonSamLogon q ;
2006-02-10 21:51:18 +03:00
/* Only allow this if the pipe is protected. */
2006-02-11 02:52:53 +03:00
if ( p - > auth . auth_type ! = PIPE_AUTH_TYPE_SCHANNEL ) {
DEBUG ( 0 , ( " _net_sam_logon_ex: client %s not using schannel for netlogon \n " ,
2006-02-11 03:04:39 +03:00
get_remote_machine_name ( ) ) ) ;
2006-02-11 02:52:53 +03:00
return NT_STATUS_INVALID_PARAMETER ;
}
2006-02-10 21:51:18 +03:00
2008-02-16 15:28:03 +03:00
q . in . server_name = r - > in . server_name ;
q . in . computer_name = r - > in . computer_name ;
q . in . logon_level = r - > in . logon_level ;
q . in . logon = r - > in . logon ;
q . in . validation_level = r - > in . validation_level ;
/* we do not handle the flags */
/* = r->in.flags; */
2006-02-10 21:51:18 +03:00
2008-02-16 15:28:03 +03:00
q . out . validation = r - > out . validation ;
q . out . authoritative = r - > out . authoritative ;
/* we do not handle the flags */
/* = r->out.flags; */
2006-02-10 21:51:18 +03:00
2008-02-16 15:28:03 +03:00
return _netr_LogonSamLogon ( p , & q ) ;
2006-02-10 21:05:55 +03:00
}
2004-04-13 18:39:48 +04:00
/*************************************************************************
_ds_enum_dom_trusts
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
#if 0 /* JERRY -- not correct */
2008-01-29 17:51:19 +03:00
NTSTATUS _ds_enum_dom_trusts ( pipes_struct * p , DS_Q_ENUM_DOM_TRUSTS * q_u ,
2004-04-13 18:39:48 +04:00
DS_R_ENUM_DOM_TRUSTS * r_u )
{
NTSTATUS status = NT_STATUS_OK ;
2001-10-31 13:46:25 +03:00
2008-02-13 14:24:56 +03:00
/* TODO: According to MSDN, the can only be executed against a
2004-04-13 18:39:48 +04:00
DC or domain member running Windows 2000 or later . Need
2008-02-13 14:24:56 +03:00
to test against a standalone 2 k server and see what it
does . A windows 2000 DC includes its own domain in the
2004-04-13 18:39:48 +04:00
list . - - jerry */
return status ;
}
# endif /* JERRY */
2008-01-31 02:38:12 +03:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_LogonUasLogon ( pipes_struct * p ,
struct netr_LogonUasLogon * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_LogonUasLogoff ( pipes_struct * p ,
struct netr_LogonUasLogoff * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _netr_DatabaseDeltas ( pipes_struct * p ,
struct netr_DatabaseDeltas * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _netr_DatabaseSync ( pipes_struct * p ,
struct netr_DatabaseSync * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _netr_AccountDeltas ( pipes_struct * p ,
struct netr_AccountDeltas * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _netr_AccountSync ( pipes_struct * p ,
struct netr_AccountSync * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_GetDcName ( pipes_struct * p ,
struct netr_GetDcName * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_GetAnyDCName ( pipes_struct * p ,
struct netr_GetAnyDCName * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _netr_DatabaseSync2 ( pipes_struct * p ,
struct netr_DatabaseSync2 * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _netr_DatabaseRedo ( pipes_struct * p ,
struct netr_DatabaseRedo * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_LogonControl2Ex ( pipes_struct * p ,
struct netr_LogonControl2Ex * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_DsRGetDCName ( pipes_struct * p ,
struct netr_DsRGetDCName * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_NETRLOGONDUMMYROUTINE1 ( pipes_struct * p ,
struct netr_NETRLOGONDUMMYROUTINE1 * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_NETRLOGONSETSERVICEBITS ( pipes_struct * p ,
struct netr_NETRLOGONSETSERVICEBITS * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_LogonGetTrustRid ( pipes_struct * p ,
struct netr_LogonGetTrustRid * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_NETRLOGONCOMPUTESERVERDIGEST ( pipes_struct * p ,
struct netr_NETRLOGONCOMPUTESERVERDIGEST * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_NETRLOGONCOMPUTECLIENTDIGEST ( pipes_struct * p ,
struct netr_NETRLOGONCOMPUTECLIENTDIGEST * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _netr_ServerAuthenticate3 ( pipes_struct * p ,
struct netr_ServerAuthenticate3 * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_DsRGetDCNameEx ( pipes_struct * p ,
struct netr_DsRGetDCNameEx * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_DsRGetSiteName ( pipes_struct * p ,
struct netr_DsRGetSiteName * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _netr_LogonGetDomainInfo ( pipes_struct * p ,
struct netr_LogonGetDomainInfo * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _netr_ServerPasswordSet2 ( pipes_struct * p ,
struct netr_ServerPasswordSet2 * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_ServerPasswordGet ( pipes_struct * p ,
struct netr_ServerPasswordGet * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_NETRLOGONSENDTOSAM ( pipes_struct * p ,
struct netr_NETRLOGONSENDTOSAM * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_DsRAddressToSitenamesW ( pipes_struct * p ,
struct netr_DsRAddressToSitenamesW * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_DsRGetDCNameEx2 ( pipes_struct * p ,
struct netr_DsRGetDCNameEx2 * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN ( pipes_struct * p ,
struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_NetrEnumerateTrustedDomainsEx ( pipes_struct * p ,
struct netr_NetrEnumerateTrustedDomainsEx * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_DsRAddressToSitenamesExW ( pipes_struct * p ,
struct netr_DsRAddressToSitenamesExW * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_DsrGetDcSiteCoverageW ( pipes_struct * p ,
struct netr_DsrGetDcSiteCoverageW * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_DsrEnumerateDomainTrusts ( pipes_struct * p ,
struct netr_DsrEnumerateDomainTrusts * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_DsrDeregisterDNSHostRecords ( pipes_struct * p ,
struct netr_DsrDeregisterDNSHostRecords * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _netr_ServerTrustPasswordsGet ( pipes_struct * p ,
struct netr_ServerTrustPasswordsGet * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_DsRGetForestTrustInformation ( pipes_struct * p ,
struct netr_DsRGetForestTrustInformation * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
WERROR _netr_GetForestTrustInformation ( pipes_struct * p ,
struct netr_GetForestTrustInformation * r )
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS _netr_LogonSamLogonWithFlags ( pipes_struct * p ,
struct netr_LogonSamLogonWithFlags * r )
{
p - > rng_fault_state = true ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-12-10 04:54:06 +03:00
WERROR _netr_ServerGetTrustInfo ( pipes_struct * p ,
struct netr_ServerGetTrustInfo * r )
2008-01-31 02:38:12 +03:00
{
p - > rng_fault_state = true ;
return WERR_NOT_SUPPORTED ;
}
