/*
 *  Unix SMB/CIFS implementation.
 *  RPC Pipe client / server routines
 *  Copyright (C) Andrew Tridgell              1992-1997,
 *  Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
 *  Copyright (C) Paul Ashton                       1997.
 *  Copyright (C) Jeremy Allison               1998-2001.
 *  Copyright (C) Andrew Bartlett                   2001.
 *  Copyright (C) Guenther Deschner            2008-2009.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, see <http://www.gnu.org/licenses/>.
 */
/* This is the implementation of the netlogon pipe. */
# include "includes.h"
# include "system/passwd.h" /* uid_wrapper */
# include "ntdomain.h"
# include "../libcli/auth/schannel.h"
# include "librpc/rpc/dcesrv_core.h"
# include "librpc/gen_ndr/ndr_netlogon.h"
# include "librpc/gen_ndr/ndr_netlogon_scompat.h"
# include "librpc/gen_ndr/ndr_samr_c.h"
# include "librpc/gen_ndr/ndr_lsa_c.h"
# include "rpc_client/cli_lsarpc.h"
# include "rpc_client/init_lsa.h"
# include "rpc_client/init_samr.h"
# include "rpc_server/rpc_ncacn_np.h"
# include "../libcli/security/security.h"
# include "../libcli/security/dom_sid.h"
# include "librpc/gen_ndr/ndr_drsblobs.h"
# include "lib/crypto/md4.h"
# include "nsswitch/libwbclient/wbclient.h"
# include "../libcli/registry/util_reg.h"
# include "passdb.h"
# include "auth.h"
# include "messages.h"
# include "../lib/tsocket/tsocket.h"
# include "lib/param/param.h"
# include "libsmb/dsgetdcname.h"
# include "lib/util/util_str_escape.h"
# include "source3/lib/substitute.h"
# include "librpc/rpc/server/netlogon/schannel_util.h"
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_RPC_SRV
/**
 * _netr_LogonControl
 *
 * Entry point for the oldest LogonControl variant. It accepts level 1 only,
 * restricts the function code to the values listed below and then hands the
 * request to _netr_LogonControl2Ex() with no control data attached.
 *
 * @param p  pipe state of the call, forwarded unchanged.
 * @param r  request/reply structure; r->out.query is passed through so the
 *           callee writes into the caller's reply buffer.
 * @return   WERR_NOT_SUPPORTED or WERR_INVALID_LEVEL when the input is
 *           rejected here, otherwise the result of _netr_LogonControl2Ex().
 */
WERROR _netr_LogonControl(struct pipes_struct *p,
			  struct netr_LogonControl *r)
{
	struct netr_LogonControl2Ex l;

	/* Level 2 is recognised but not served; anything else but 1 is invalid. */
	if (r->in.level == 2) {
		return WERR_NOT_SUPPORTED;
	}
	if (r->in.level != 1) {
		return WERR_INVALID_LEVEL;
	}

	/*
	 * Allow-list of function codes for this opnum. Everything outside
	 * the list is refused before the request is forwarded.
	 */
	switch (r->in.function_code) {
	case NETLOGON_CONTROL_QUERY:
	case NETLOGON_CONTROL_REPLICATE:
	case NETLOGON_CONTROL_SYNCHRONIZE:
	case NETLOGON_CONTROL_PDC_REPLICATE:
	case NETLOGON_CONTROL_BREAKPOINT:
	case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
	case NETLOGON_CONTROL_TRUNCATE_LOG:
		break;
	default:
		return WERR_NOT_SUPPORTED;
	}

	/* This variant carries no control data, so the callee sees NULL. */
	l.in.data		= NULL;
	l.in.level		= r->in.level;
	l.in.function_code	= r->in.function_code;
	l.in.logon_server	= r->in.logon_server;

	l.out.query		= r->out.query;

	return _netr_LogonControl2Ex(p, &l);
}
/**
 * _netr_LogonControl2
 *
 * Thin adapter: repackages the request as a netr_LogonControl2Ex call,
 * including the caller-supplied control data, and forwards it. No level or
 * function-code validation happens in this function.
 *
 * @param p  pipe state of the call, forwarded unchanged.
 * @param r  request/reply structure; r->out.query is passed through so the
 *           callee writes into the caller's reply buffer.
 * @return   the result of _netr_LogonControl2Ex().
 */
WERROR _netr_LogonControl2(struct pipes_struct *p,
			   struct netr_LogonControl2 *r)
{
	struct netr_LogonControl2Ex l = {
		.in = {
			.logon_server	= r->in.logon_server,
			.function_code	= r->in.function_code,
			.level		= r->in.level,
			.data		= r->in.data,
		},
		.out = {
			.query		= r->out.query,
		},
	};

	return _netr_LogonControl2Ex(p, &l);
}
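/**
 * Translate the outcome of a libwbclient trust-credential call into a WERROR
 * and release the error details.
 *
 * The error info is freed on every path, including the early outcomes
 * (winbind unavailable, domain not found, success). The original code freed
 * it only on the generic failure path and already called wbcFreeMemory()
 * with a possibly-NULL pointer there.
 *
 * @param result     status returned by the wbc call.
 * @param error      error details from the wbc call, may be NULL; consumed.
 * @param tc_status  receives the mapped status; left untouched when winbind
 *                   is not available.
 * @return           false when winbind is not available, true otherwise.
 */
static bool wb_trust_creds_result(wbcErr result,
				  struct wbcAuthErrorInfo *error,
				  WERROR *tc_status)
{
	bool winbind_available = true;

	switch (result) {
	case WBC_ERR_WINBIND_NOT_AVAILABLE:
		winbind_available = false;
		break;
	case WBC_ERR_DOMAIN_NOT_FOUND:
		*tc_status = WERR_NO_SUCH_DOMAIN;
		break;
	case WBC_ERR_SUCCESS:
		*tc_status = WERR_OK;
		break;
	default:
		/* Prefer the NT status from winbind when it supplied one. */
		if (error != NULL && error->nt_status != 0) {
			*tc_status = ntstatus_to_werror(
					NT_STATUS(error->nt_status));
		} else {
			*tc_status = WERR_TRUST_FAILURE;
		}
		break;
	}

	wbcFreeMemory(error);

	return winbind_available;
}

/**
 * Ask winbind to change the trust account credentials for a domain.
 *
 * @param domain     name of the domain whose trust password is changed.
 * @param tc_status  receives the resulting trust status.
 * @return           false when winbind is not available (tc_status is then
 *                   not written), true otherwise.
 */
static bool wb_change_trust_creds(const char *domain, WERROR *tc_status)
{
	struct wbcAuthErrorInfo *error = NULL;
	wbcErr result;

	result = wbcChangeTrustCredentials(domain, &error);

	return wb_trust_creds_result(result, error, tc_status);
}

/**
 * Ask winbind to verify the trust account credentials for a domain.
 *
 * @param domain     name of the domain whose trust is checked.
 * @param tc_status  receives the resulting trust status.
 * @return           false when winbind is not available (tc_status is then
 *                   not written), true otherwise.
 */
static bool wb_check_trust_creds(const char *domain, WERROR *tc_status)
{
	struct wbcAuthErrorInfo *error = NULL;
	wbcErr result;

	result = wbcCheckTrustCredentials(domain, &error);

	return wb_trust_creds_result(result, error, tc_status);
}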
/**
 * _netr_LogonControl2Ex
 *
 * Common implementation behind the three LogonControl opnums.
 *
 * Processing order:
 *   1. identify the opnum (used only to label the debug message),
 *   2. accept levels 1-4 only,
 *   3. for every function code except NETLOGON_CONTROL_QUERY require a
 *      privileged caller,
 *   4. act on the function code,
 *   5. build the reply structure for the requested level.
 *
 * @param p  pipe state; p->mem_ctx owns everything allocated for the reply.
 * @param r  request/reply structure.
 * @return   WERR_OK with r->out.query filled in, or the error that stopped
 *           processing.
 */
WERROR _netr_LogonControl2Ex(struct pipes_struct *p,
			     struct netr_LogonControl2Ex *r)
{
	struct dcesrv_call_state *dce_call = p->dce_call;
	struct auth_session_info *session_info =
		dcesrv_call_session_info(dce_call);
	uint32_t flags = 0x0;
	WERROR pdc_connection_status = WERR_OK;
	uint32_t logon_attempts = 0x0;
	WERROR tc_status;
	fstring dc_name2;
	const char *dc_name = NULL;
	struct sockaddr_storage dc_ss;
	const char *domain = NULL;
	struct netr_NETLOGON_INFO_1 *info1;
	struct netr_NETLOGON_INFO_2 *info2;
	struct netr_NETLOGON_INFO_3 *info3;
	struct netr_NETLOGON_INFO_4 *info4;
	const char *fn;
	NTSTATUS status;
	struct netr_DsRGetDCNameInfo *dc_info;

	/* The older opnums funnel into this function; remember which one. */
	switch (dce_call->pkt.u.request.opnum) {
	case NDR_NETR_LOGONCONTROL:
		fn = "_netr_LogonControl";
		break;
	case NDR_NETR_LOGONCONTROL2:
		fn = "_netr_LogonControl2";
		break;
	case NDR_NETR_LOGONCONTROL2EX:
		fn = "_netr_LogonControl2Ex";
		break;
	default:
		return WERR_INVALID_PARAMETER;
	}

	if (r->in.level < 1 || r->in.level > 4) {
		return WERR_INVALID_LEVEL;
	}

	/*
	 * Authorization gate: only NETLOGON_CONTROL_QUERY is open to any
	 * caller. Every other function code needs one of: the process
	 * running with its initial uid, membership of the domain admins
	 * RID, or membership of BUILTIN\Administrators. The checks are
	 * evaluated in that order and stop at the first one that passes.
	 */
	if (r->in.function_code != NETLOGON_CONTROL_QUERY) {
		bool privileged =
			(geteuid() == sec_initial_uid()) ||
			nt_token_check_domain_rid(
				session_info->security_token,
				DOMAIN_RID_ADMINS) ||
			nt_token_check_sid(
				&global_sid_Builtin_Administrators,
				session_info->security_token);

		if (!privileged) {
			return WERR_ACCESS_DENIED;
		}
	}

	/* Default trust status unless a branch below says otherwise. */
	tc_status = WERR_NO_SUCH_DOMAIN;

	switch (r->in.function_code) {
	case NETLOGON_CONTROL_QUERY:
		/* QUERY can only be answered with info level 1 or 3. */
		if (r->in.level != 1 && r->in.level != 3) {
			return WERR_INVALID_PARAMETER;
		}
		tc_status = WERR_OK;
		break;

	case NETLOGON_CONTROL_REPLICATE:
	case NETLOGON_CONTROL_SYNCHRONIZE:
	case NETLOGON_CONTROL_PDC_REPLICATE:
	case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
	case NETLOGON_CONTROL_BREAKPOINT:
	case NETLOGON_CONTROL_TRUNCATE_LOG:
	case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
	case NETLOGON_CONTROL_FORCE_DNS_REG:
	case NETLOGON_CONTROL_QUERY_DNS_REG:
		return WERR_NOT_SUPPORTED;

	case NETLOGON_CONTROL_FIND_USER:
		if (r->in.data == NULL || r->in.data->user == NULL) {
			return WERR_NOT_SUPPORTED;
		}
		break;

	case NETLOGON_CONTROL_SET_DBFLAG:
		if (r->in.data == NULL) {
			return WERR_NOT_SUPPORTED;
		}
		break;

	case NETLOGON_CONTROL_TC_VERIFY:
		if (r->in.data == NULL || r->in.data->domain == NULL) {
			return WERR_NOT_SUPPORTED;
		}
		/* A false return means winbind could not be reached. */
		if (!wb_check_trust_creds(r->in.data->domain, &tc_status)) {
			return WERR_NOT_SUPPORTED;
		}
		break;

	case NETLOGON_CONTROL_TC_QUERY:
		if (r->in.data == NULL || r->in.data->domain == NULL) {
			return WERR_NOT_SUPPORTED;
		}

		domain = r->in.data->domain;

		/* Unknown domains keep the WERR_NO_SUCH_DOMAIN default. */
		if (!is_trusted_domain(domain)) {
			break;
		}

		if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
			tc_status = WERR_NO_LOGON_SERVERS;
			break;
		}

		dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
		if (dc_name == NULL) {
			return WERR_NOT_ENOUGH_MEMORY;
		}

		tc_status = WERR_OK;
		break;

	case NETLOGON_CONTROL_REDISCOVER:
		if (r->in.data == NULL || r->in.data->domain == NULL) {
			return WERR_NOT_SUPPORTED;
		}

		domain = r->in.data->domain;

		/* Unknown domains keep the WERR_NO_SUCH_DOMAIN default. */
		if (!is_trusted_domain(domain)) {
			break;
		}

		status = dsgetdcname(p->mem_ctx, p->msg_ctx, domain,
				     NULL, NULL,
				     DS_FORCE_REDISCOVERY | DS_RETURN_FLAT_NAME,
				     &dc_info);
		if (!NT_STATUS_IS_OK(status)) {
			tc_status = WERR_NO_LOGON_SERVERS;
			break;
		}

		dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s",
					  dc_info->dc_unc);
		if (dc_name == NULL) {
			return WERR_NOT_ENOUGH_MEMORY;
		}

		tc_status = WERR_OK;
		break;

	case NETLOGON_CONTROL_CHANGE_PASSWORD:
		if (r->in.data == NULL || r->in.data->domain == NULL) {
			return WERR_NOT_SUPPORTED;
		}
		/* A false return means winbind could not be reached. */
		if (!wb_change_trust_creds(r->in.data->domain, &tc_status)) {
			return WERR_NOT_SUPPORTED;
		}
		break;

	default:
		/* no idea what this should be */
		DEBUG(0, ("%s: unimplemented function level [%d]\n",
			  fn, r->in.function_code));
		return WERR_NOT_SUPPORTED;
	}

	/* prepare the response */

	switch (r->in.level) {
	case 1:
		info1 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_1);
		W_ERROR_HAVE_NO_MEMORY(info1);

		info1->flags			= flags;
		info1->pdc_connection_status	= pdc_connection_status;

		r->out.query->info1 = info1;
		break;
	case 2:
		info2 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_2);
		W_ERROR_HAVE_NO_MEMORY(info2);

		info2->flags			= flags;
		info2->pdc_connection_status	= pdc_connection_status;
		info2->trusted_dc_name		= dc_name;
		info2->tc_connection_status	= tc_status;

		r->out.query->info2 = info2;
		break;
	case 3:
		info3 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_3);
		W_ERROR_HAVE_NO_MEMORY(info3);

		info3->flags			= flags;
		info3->logon_attempts		= logon_attempts;

		r->out.query->info3 = info3;
		break;
	case 4:
		info4 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_4);
		W_ERROR_HAVE_NO_MEMORY(info4);

		/*
		 * r->in.data is non-NULL here: QUERY (the only code that
		 * allows NULL data) was limited to levels 1 and 3 above.
		 *
		 * NOTE(review): FIND_USER validated ->user and SET_DBFLAG
		 * validated only the data pointer, not ->domain. Confirm
		 * that reading ->domain is well-defined for those two
		 * function codes when level 4 is requested.
		 */
		info4->trusted_dc_name		= dc_name;
		info4->trusted_domain_name	= r->in.data->domain;

		r->out.query->info4 = info4;
		break;
	default:
		return WERR_INVALID_LEVEL;
	}

	return WERR_OK;
}
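/**
 * _netr_NetrEnumerateTrustedDomains
 *
 * Collects the names of all trusted domains through an internal LSA
 * connection and returns them as one REG_MULTI_SZ style blob.
 *
 * The internal LSA connection is opened with the caller's own session_info,
 * so the enumeration runs with the caller's rights and not with elevated
 * ones.
 *
 * Changes against the previous version:
 *  - the blob is allocated on p->mem_ctx. Before, the (possibly NULL) domain
 *    array was used as allocation context, so with zero trusted domains the
 *    blob ended up outside the per-call memory context.
 *    NOTE(review): this relies on the first argument of push_reg_multi_sz()
 *    being the allocation context - confirm against util_reg.h.
 *  - the array is grown through a temporary so the old pointer is not
 *    overwritten when the reallocation fails.
 *
 * @param p  pipe state; p->mem_ctx owns all allocations made here.
 * @param r  request/reply structure; r->out.trusted_domains_blob receives
 *           the encoded list.
 * @return   NT_STATUS_OK on success, NT_STATUS_NO_MEMORY on allocation or
 *           encoding failure, or the failing status of the LSA calls.
 */
NTSTATUS _netr_NetrEnumerateTrustedDomains(struct pipes_struct *p,
					   struct netr_NetrEnumerateTrustedDomains *r)
{
	struct dcesrv_call_state *dce_call = p->dce_call;
	struct dcesrv_connection *dcesrv_conn = dce_call->conn;
	const struct tsocket_address *local_address =
		dcesrv_connection_get_local_address(dcesrv_conn);
	const struct tsocket_address *remote_address =
		dcesrv_connection_get_remote_address(dcesrv_conn);
	struct auth_session_info *session_info =
		dcesrv_call_session_info(dce_call);
	NTSTATUS status;
	NTSTATUS result = NT_STATUS_OK;
	DATA_BLOB blob;
	size_t num_domains = 0;
	const char **trusted_domains = NULL;
	struct lsa_DomainList domain_list;
	struct dcerpc_binding_handle *h = NULL;
	struct policy_handle pol;
	uint32_t enum_ctx = 0;
	uint32_t max_size = (uint32_t)-1;
	union lsa_revision_info out_revision_info = {
		.info1 = {
			.revision = 0,
		},
	};
	uint32_t out_version = 0;

	/* Keeps the cleanup at "out" safe if the policy is never opened. */
	ZERO_STRUCT(pol);

	DEBUG(6, ("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));

	status = rpcint_binding_handle(p->mem_ctx,
				       &ndr_table_lsarpc,
				       remote_address,
				       local_address,
				       session_info,
				       p->msg_ctx,
				       &h);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = dcerpc_lsa_open_policy_fallback(
		h,
		p->mem_ctx,
		NULL,
		true,
		LSA_POLICY_VIEW_LOCAL_INFORMATION,
		&out_version,
		&out_revision_info,
		&pol,
		&result);
	if (any_nt_status_not_ok(status, result, &status)) {
		goto out;
	}

	do {
		uint32_t i;

		/* Lookup list of trusted domains */
		status = dcerpc_lsa_EnumTrustDom(h,
						 p->mem_ctx,
						 &pol,
						 &enum_ctx,
						 &domain_list,
						 max_size,
						 &result);
		if (!NT_STATUS_IS_OK(status)) {
			goto out;
		}
		/* "no more entries" and "more entries" are not errors here. */
		if (!NT_STATUS_IS_OK(result) &&
		    !NT_STATUS_EQUAL(result, NT_STATUS_NO_MORE_ENTRIES) &&
		    !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
			status = result;
			goto out;
		}

		for (i = 0; i < domain_list.count; i++) {
			if (!add_string_to_array(p->mem_ctx,
						 domain_list.domains[i].name.string,
						 &trusted_domains,
						 &num_domains)) {
				status = NT_STATUS_NO_MEMORY;
				goto out;
			}
		}
	} while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));

	if (num_domains > 0) {
		const char **grown = NULL;

		/* multi sz terminate */
		grown = talloc_realloc(p->mem_ctx, trusted_domains,
				       const char *, num_domains + 1);
		if (grown == NULL) {
			status = NT_STATUS_NO_MEMORY;
			goto out;
		}
		trusted_domains = grown;

		trusted_domains[num_domains] = NULL;
	}

	/* trusted_domains is still NULL here when no trust exists. */
	if (!push_reg_multi_sz(p->mem_ctx, &blob, trusted_domains)) {
		TALLOC_FREE(trusted_domains);
		status = NT_STATUS_NO_MEMORY;
		goto out;
	}

	r->out.trusted_domains_blob->data = blob.data;
	r->out.trusted_domains_blob->length = blob.length;

	DEBUG(6, ("_netr_NetrEnumerateTrustedDomains: %d\n", __LINE__));

	status = NT_STATUS_OK;

 out:
	/* The close result is deliberately not propagated. */
	if (is_valid_policy_hnd(&pol)) {
		dcerpc_lsa_Close(h, p->mem_ctx, &pol, &result);
	}

	return status;
}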
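/**
 * Look up an account by name in the local SAM domain and open it.
 *
 * Steps: connect to SAMR, resolve the SID of the global SAM domain, open
 * that domain, translate the account name to a RID, check that the name
 * refers to a user object, then open the user with the requested access.
 *
 * Fix against the previous version: connect_handle is now zero-initialised
 * like domain_handle. The cleanup at "out" inspects both handles, and when
 * the very first call failed connect_handle was read without ever having
 * been set.
 *
 * @param mem_ctx       context for allocations made by the SAMR calls.
 * @param b             binding handle of the SAMR connection.
 * @param account_name  name to look up.
 * @param access_mask   access requested on the user handle.
 * @param domain_sid_p  optional; receives the domain SID on success.
 * @param user_rid_p    optional; receives the account RID on success.
 * @param user_handle   receives the opened user handle; the caller closes it.
 * @return              NT_STATUS_OK on success; NT_STATUS_NO_SUCH_USER when
 *                      the name does not resolve to exactly one user object;
 *                      NT_STATUS_INVALID_PARAMETER when the type list has an
 *                      unexpected length; otherwise the failing SAMR status.
 */
static NTSTATUS samr_find_machine_account(TALLOC_CTX *mem_ctx,
					  struct dcerpc_binding_handle *b,
					  const char *account_name,
					  uint32_t access_mask,
					  struct dom_sid2 **domain_sid_p,
					  uint32_t *user_rid_p,
					  struct policy_handle *user_handle)
{
	NTSTATUS status;
	NTSTATUS result = NT_STATUS_OK;
	struct policy_handle connect_handle = { 0, };
	struct policy_handle domain_handle = { 0, };
	struct lsa_String domain_name;
	struct dom_sid2 *domain_sid;
	struct lsa_String names;
	struct samr_Ids rids;
	struct samr_Ids types;
	uint32_t rid;

	status = dcerpc_samr_Connect2(b, mem_ctx,
				      lp_netbios_name(),
				      SAMR_ACCESS_CONNECT_TO_SERVER |
				      SAMR_ACCESS_ENUM_DOMAINS |
				      SAMR_ACCESS_LOOKUP_DOMAIN,
				      &connect_handle,
				      &result);
	if (any_nt_status_not_ok(status, result, &status)) {
		goto out;
	}

	init_lsa_String(&domain_name, get_global_sam_name());

	status = dcerpc_samr_LookupDomain(b, mem_ctx,
					  &connect_handle,
					  &domain_name,
					  &domain_sid,
					  &result);
	if (any_nt_status_not_ok(status, result, &status)) {
		goto out;
	}

	status = dcerpc_samr_OpenDomain(b, mem_ctx,
					&connect_handle,
					SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
					domain_sid,
					&domain_handle,
					&result);
	if (any_nt_status_not_ok(status, result, &status)) {
		goto out;
	}

	init_lsa_String(&names, account_name);

	status = dcerpc_samr_LookupNames(b, mem_ctx,
					 &domain_handle,
					 1,
					 &names,
					 &rids,
					 &types,
					 &result);
	if (any_nt_status_not_ok(status, result, &status)) {
		goto out;
	}

	/* One name was asked for, so exactly one RID and type must return. */
	if (rids.count != 1) {
		status = NT_STATUS_NO_SUCH_USER;
		goto out;
	}
	if (types.count != 1) {
		status = NT_STATUS_INVALID_PARAMETER;
		goto out;
	}
	/* Groups, aliases and other non-user objects are not accepted. */
	if (types.ids[0] != SID_NAME_USER) {
		status = NT_STATUS_NO_SUCH_USER;
		goto out;
	}

	rid = rids.ids[0];

	status = dcerpc_samr_OpenUser(b, mem_ctx,
				      &domain_handle,
				      access_mask,
				      rid,
				      user_handle,
				      &result);
	if (any_nt_status_not_ok(status, result, &status)) {
		goto out;
	}

	if (user_rid_p) {
		*user_rid_p = rid;
	}

	if (domain_sid_p) {
		*domain_sid_p = domain_sid;
	}

 out:
	/* Only the user handle outlives this function. */
	if (is_valid_policy_hnd(&domain_handle)) {
		dcerpc_samr_Close(b, mem_ctx, &domain_handle, &result);
	}
	if (is_valid_policy_hnd(&connect_handle)) {
		dcerpc_samr_Close(b, mem_ctx, &connect_handle, &result);
	}

	return status;
}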
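/**
 * Fetch the NT hash of a machine/trust account and check that the account
 * may be used for the requested secure channel type.
 *
 * The lookup goes through an internal SAMR connection that is opened with a
 * system session. The account must not be disabled, must carry at least one
 * trust flag, and for BDC, workstation and domain channels must carry the
 * trust flag that matches the channel type. Only then is the hash read; that
 * query is the only part run between become_root() and unbecome_root().
 *
 * Changes against the previous version:
 *  - the copy length is taken from the destination field instead of a
 *    literal 16;
 *  - the copy of the hash inside the SAMR reply is cleared (best effort)
 *    before the temporary memory context is released.
 *
 * @param md4pw          receives the NT hash; the caller must handle it as
 *                       a secret.
 * @param mach_acct      account name to look up.
 * @param sec_chan_type  secure channel type requested by the client.
 * @param sid            receives the account SID (domain SID + RID).
 * @param msg_ctx        messaging context for the internal RPC connection.
 * @return               NT_STATUS_OK on success;
 *                       NT_STATUS_ACCOUNT_DISABLED,
 *                       NT_STATUS_NO_TRUST_SAM_ACCOUNT or
 *                       NT_STATUS_LOGON_FAILURE when a check fails;
 *                       otherwise the status of the failing call.
 */
static NTSTATUS get_md4pw(struct samr_Password *md4pw, const char *mach_acct,
			  enum netr_SchannelType sec_chan_type,
			  struct dom_sid *sid,
			  struct messaging_context *msg_ctx)
{
	NTSTATUS status;
	NTSTATUS result = NT_STATUS_OK;
	TALLOC_CTX *mem_ctx = NULL;
	struct dcerpc_binding_handle *h = NULL;
	struct tsocket_address *local = NULL;
	struct policy_handle user_handle = { .handle_type = 0 };
	uint32_t user_rid = UINT32_MAX;
	struct dom_sid *domain_sid = NULL;
	uint32_t acct_ctrl = 0;
	union samr_UserInfo *info = NULL;
	struct auth_session_info *session_info = NULL;
	int rc;

#if 0

    /*
     * Currently this code is redundant as we already have a filter
     * by hostname list. What this code really needs to do is to
     * get a hosts allowed/hosts denied list from the SAM database
     * on a per user basis, and make the access decision there.
     * I will leave this code here for now as a reminder to implement
     * this at a later date. JRA.
     */

	if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(),
			  p->client_id.name,
			  p->client_id.addr)) {
		DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct));
		return False;
	}
#endif /* 0 */

	mem_ctx = talloc_stackframe();

	/* The SAMR lookups below run with a system session. */
	status = make_session_info_system(mem_ctx, &session_info);
	if (!NT_STATUS_IS_OK(status)) {
		goto out;
	}

	ZERO_STRUCT(user_handle);

	/* The internal connection is presented as coming from loopback. */
	rc = tsocket_address_inet_from_strings(mem_ctx,
					       "ip",
					       "127.0.0.1",
					       0,
					       &local);
	if (rc < 0) {
		status = NT_STATUS_NO_MEMORY;
		goto out;
	}

	status = rpcint_binding_handle(mem_ctx,
				       &ndr_table_samr,
				       local,
				       NULL,
				       session_info,
				       msg_ctx,
				       &h);
	if (!NT_STATUS_IS_OK(status)) {
		goto out;
	}

	status = samr_find_machine_account(mem_ctx, h, mach_acct,
					   SEC_FLAG_MAXIMUM_ALLOWED,
					   &domain_sid, &user_rid,
					   &user_handle);
	if (!NT_STATUS_IS_OK(status)) {
		goto out;
	}

	status = dcerpc_samr_QueryUserInfo2(h,
					    mem_ctx,
					    &user_handle,
					    UserControlInformation,
					    &info,
					    &result);
	if (any_nt_status_not_ok(status, result, &status)) {
		goto out;
	}

	acct_ctrl = info->info16.acct_flags;

	if (acct_ctrl & ACB_DISABLED) {
		DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct));
		status = NT_STATUS_ACCOUNT_DISABLED;
		goto out;
	}

	/* Ordinary user accounts must never reach the hash lookup. */
	if (!(acct_ctrl & ACB_SVRTRUST) &&
	    !(acct_ctrl & ACB_WSTRUST) &&
	    !(acct_ctrl & ACB_DOMTRUST))
	{
		DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct));
		status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
		goto out;
	}

	/* The trust flag has to match the channel type the client asked for. */
	switch (sec_chan_type) {
		case SEC_CHAN_BDC:
			if (!(acct_ctrl & ACB_SVRTRUST)) {
				DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested "
					 "but not a server trust account\n", mach_acct));
				status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
				goto out;
			}
			break;
		case SEC_CHAN_WKSTA:
			if (!(acct_ctrl & ACB_WSTRUST)) {
				DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested "
					 "but not a workstation trust account\n", mach_acct));
				status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
				goto out;
			}
			break;
		case SEC_CHAN_DOMAIN:
			if (!(acct_ctrl & ACB_DOMTRUST)) {
				DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested "
					 "but not a interdomain trust account\n", mach_acct));
				status = NT_STATUS_NO_TRUST_SAM_ACCOUNT;
				goto out;
			}
			break;
		default:
			/*
			 * NOTE(review): any other channel type passes with
			 * whichever trust flag the account has - confirm the
			 * callers restrict sec_chan_type.
			 */
			break;
	}

	/* Root is needed only for this one query. */
	become_root();
	status = dcerpc_samr_QueryUserInfo2(h,
					    mem_ctx,
					    &user_handle,
					    UserInternal1Information,
					    &info,
					    &result);
	unbecome_root();

	if (any_nt_status_not_ok(status, result, &status)) {
		goto out;
	}

	if (info->info18.nt_pwd_active == 0) {
		DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct));
		status = NT_STATUS_LOGON_FAILURE;
		goto out;
	}

	/* samr gives out nthash unencrypted (!) */
	memcpy(md4pw->hash, info->info18.nt_pwd.hash, sizeof(md4pw->hash));

	/*
	 * Clear the copy held in the SAMR reply so the hash is not left in
	 * memory that talloc_free() below returns to the allocator.
	 */
	ZERO_STRUCT(info->info18.nt_pwd);

	sid_compose(sid, domain_sid, user_rid);

 out:
	if (h && is_valid_policy_hnd(&user_handle)) {
		dcerpc_samr_Close(h, mem_ctx, &user_handle, &result);
	}

	talloc_free(mem_ctx);

	return status;
}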
/**
 * _netr_ServerReqChallenge
 *
 * First step of the netlogon challenge/response exchange. The client's
 * challenge is recorded, a new server challenge is generated and returned,
 * and both are stored as per-connection state for a later call on the same
 * connection.
 *
 * Challenge state left over from an earlier request on this connection is
 * freed before the new state is created, so each request starts from a
 * fresh server challenge.
 *
 * @param p  pipe state of the call.
 * @param r  request/reply structure; r->in.credentials holds the client
 *           challenge, r->out.return_credentials receives the server one.
 * @return   NT_STATUS_OK, NT_STATUS_NO_MEMORY when the state cannot be
 *           allocated, or the error from storing the connection state.
 */
NTSTATUS _netr_ServerReqChallenge(struct pipes_struct *p,
				  struct netr_ServerReqChallenge *r)
{
	struct dcesrv_call_state *dce_call = p->dce_call;
	struct netlogon_server_pipe_state *pipe_state = NULL;
	NTSTATUS status;

	pipe_state = dcesrv_iface_state_find_conn(
		dce_call,
		NETLOGON_SERVER_PIPE_STATE_MAGIC,
		struct netlogon_server_pipe_state);
	if (pipe_state != NULL) {
		DEBUG(10, ("_netr_ServerReqChallenge: new challenge requested. Clearing old state.\n"));
		talloc_free(pipe_state);
	}

	pipe_state = talloc(p->mem_ctx, struct netlogon_server_pipe_state);
	NT_STATUS_HAVE_NO_MEMORY(pipe_state);

	/* Keep the client's half of the exchange ... */
	pipe_state->client_challenge = *r->in.credentials;

	/* ... and produce the server's half, which is sent back as-is. */
	netlogon_creds_random_challenge(&pipe_state->server_challenge);
	*r->out.return_credentials = pipe_state->server_challenge;

	status = dcesrv_iface_state_store_conn(
		dce_call,
		NETLOGON_SERVER_PIPE_STATE_MAGIC,
		pipe_state);

	/* A successful store is NT_STATUS_OK, so the status is the result. */
	return status;
}
/*************************************************************************
 _netr_ServerAuthenticate
 Create the initial credentials.

 Thin adapter: repackages the request as a netr_ServerAuthenticate3 call.
 The negotiate flags (starting at 0) and the rid live in local storage
 and are not copied back into r.
 *************************************************************************/

NTSTATUS _netr_ServerAuthenticate(struct pipes_struct *p,
				  struct netr_ServerAuthenticate *r)
{
	uint32_t neg_flags = 0;
	uint32_t rid_scratch;
	struct netr_ServerAuthenticate3 auth3;

	/* Outputs first: the credentials buffer is shared with the caller. */
	auth3.out.return_credentials = r->out.return_credentials;
	auth3.out.rid = &rid_scratch;
	auth3.out.negotiate_flags = &neg_flags;

	/* Inputs: in and out negotiate flags alias the same local word. */
	auth3.in.negotiate_flags = &neg_flags;
	auth3.in.credentials = r->in.credentials;
	auth3.in.computer_name = r->in.computer_name;
	auth3.in.secure_channel_type = r->in.secure_channel_type;
	auth3.in.account_name = r->in.account_name;
	auth3.in.server_name = r->in.server_name;

	return _netr_ServerAuthenticate3(p, &auth3);
}
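/*************************************************************************
 _netr_ServerAuthenticate3

 Completes the challenge/response started by _netr_ServerReqChallenge:
 looks up the stored challenge pair, fetches the machine account hash via
 get_md4pw(), lets netlogon_creds_server_init() validate the client
 credential, and saves the resulting state with
 schannel_save_creds_state().

 Returns NT_STATUS_OK on success. A missing challenge, a failed hash
 lookup and a rejected credential are all reported as
 NT_STATUS_ACCESS_DENIED; allocation failure gives NT_STATUS_NO_MEMORY;
 a failed save returns the save status with return_credentials zeroed.
 An unexpected opnum returns NT_STATUS_INTERNAL_ERROR without touching
 the output flags. On every other path r->out.negotiate_flags is set.
 *************************************************************************/

NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
				   struct netr_ServerAuthenticate3 *r)
{
	struct dcesrv_call_state *dce_call = p->dce_call;
	NTSTATUS status;
	uint32_t srv_flgs;
	/* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
	 * so use a copy to avoid destroying the client values. */
	uint32_t in_neg_flags = *r->in.negotiate_flags;
	const char *fn;
	struct loadparm_context *lp_ctx = p->dce_call->conn->dce_ctx->lp_ctx;
	struct dom_sid sid;
	struct samr_Password mach_pwd;
	struct netlogon_creds_CredentialState *creds;
	struct netlogon_server_pipe_state *pipe_state = NULL;

	/* According to Microsoft (see bugid #6099)
	 * Windows 7 looks at the negotiate_flags
	 * returned in this structure *even if the
	 * call fails with access denied* ! So in order
	 * to allow Win7 to connect to a Samba NT style
	 * PDC we set the flags before we know if it's
	 * an error or not.
	 */

	/* 0x000001ff */
	srv_flgs = NETLOGON_NEG_ACCOUNT_LOCKOUT |
		   NETLOGON_NEG_PERSISTENT_SAMREPL |
		   NETLOGON_NEG_ARCFOUR |
		   NETLOGON_NEG_PROMOTION_COUNT |
		   NETLOGON_NEG_CHANGELOG_BDC |
		   NETLOGON_NEG_FULL_SYNC_REPL |
		   NETLOGON_NEG_MULTIPLE_SIDS |
		   NETLOGON_NEG_REDO |
		   NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
		   NETLOGON_NEG_PASSWORD_SET2;

	/*
	 * Strong keys, AES and schannel are only announced when the client
	 * asked for them.
	 */
	/* Ensure we support strong (128-bit) keys. */
	if (in_neg_flags & NETLOGON_NEG_STRONG_KEYS) {
		srv_flgs |= NETLOGON_NEG_STRONG_KEYS;
	}

	if (in_neg_flags & NETLOGON_NEG_SUPPORTS_AES) {
		srv_flgs |= NETLOGON_NEG_SUPPORTS_AES;
	}

	if (in_neg_flags & NETLOGON_NEG_SCHANNEL) {
		srv_flgs |= NETLOGON_NEG_SCHANNEL;
	}

	/*
	 * Support authentication of trusted domains.
	 *
	 * These flags are the minimum required set which works with win2k3
	 * and win2k8.
	 */
	if (pdb_capabilities() & PDB_CAP_TRUSTED_DOMAINS_EX) {
		srv_flgs |= NETLOGON_NEG_TRANSITIVE_TRUSTS |
			    NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
			    NETLOGON_NEG_CROSS_FOREST_TRUSTS |
			    NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
	}

	/*
	 * If weak crypto is disabled, do not announce that we support RC4.
	 */
	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
		srv_flgs &= ~NETLOGON_NEG_ARCFOUR;
	}

	/* fn is only used to label the log messages below. */
	switch (dce_call->pkt.u.request.opnum) {
	case NDR_NETR_SERVERAUTHENTICATE:
		fn = " _netr_ServerAuthenticate ";
		break;
	case NDR_NETR_SERVERAUTHENTICATE2:
		fn = " _netr_ServerAuthenticate2 ";
		break;
	case NDR_NETR_SERVERAUTHENTICATE3:
		fn = " _netr_ServerAuthenticate3 ";
		break;
	default:
		return NT_STATUS_INTERNAL_ERROR;
	}

	/* We use this as the key to store the creds: */
	/* r->in.computer_name */

	/*
	 * NOTE(review): the challenge pair found here stays stored on the
	 * connection after this call. Confirm whether it should be released
	 * once it has been consumed.
	 */
	pipe_state = dcesrv_iface_state_find_conn(
		dce_call,
		NETLOGON_SERVER_PIPE_STATE_MAGIC,
		struct netlogon_server_pipe_state);
	if (!pipe_state) {
		DEBUG(0, (" %s: no challenge sent to client %s \n ", fn,
			  r->in.computer_name));
		status = NT_STATUS_ACCESS_DENIED;
		goto out;
	}

	status = get_md4pw(&mach_pwd,
			   r->in.account_name,
			   r->in.secure_channel_type,
			   &sid, p->msg_ctx);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, (" %s: failed to get machine password for "
			  " account %s: %s \n ",
			  fn, r->in.account_name, nt_errstr(status)));
		/* always return NT_STATUS_ACCESS_DENIED */
		status = NT_STATUS_ACCESS_DENIED;
		goto out;
	}

	/* From the client / server challenges and md4 password, generate sess key */
	/* Check client credentials are valid. */
	creds = netlogon_creds_server_init(p->mem_ctx,
					   r->in.account_name,
					   r->in.computer_name,
					   r->in.secure_channel_type,
					   &pipe_state->client_challenge,
					   &pipe_state->server_challenge,
					   &mach_pwd,
					   r->in.credentials,
					   r->out.return_credentials,
					   srv_flgs);
	if (!creds) {
		DEBUG(0, (" %s: netlogon_creds_server_check failed. Rejecting auth "
			  " request from client %s machine account %s \n ",
			  fn, r->in.computer_name,
			  r->in.account_name));
		status = NT_STATUS_ACCESS_DENIED;
		goto out;
	}

	creds->sid = dom_sid_dup(creds, &sid);
	if (!creds->sid) {
		status = NT_STATUS_NO_MEMORY;
		goto out;
	}

	/* Store off the state so we can continue after client disconnect. */
	become_root();
	status = schannel_save_creds_state(p->mem_ctx, lp_ctx, creds);
	unbecome_root();

	if (!NT_STATUS_IS_OK(status)) {
		/* Do not hand a usable server credential to the client. */
		ZERO_STRUCTP(r->out.return_credentials);
		goto out;
	}

	sid_peek_rid(&sid, r->out.rid);

	status = NT_STATUS_OK;

out:
	/*
	 * mach_pwd is a stack copy of the machine account NT hash and is not
	 * needed once the credential state exists, so wipe it on every path
	 * that reaches this label.
	 * NOTE(review): confirm ZERO_STRUCT is not optimised away in this
	 * build.
	 */
	ZERO_STRUCT(mach_pwd);

	*r->out.negotiate_flags = srv_flgs;
	return status;
}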
/*************************************************************************
 _netr_ServerAuthenticate2

 Thin adapter: forwards to _netr_ServerAuthenticate3 using the caller's
 own negotiate-flag pointers. Only the rid is written to local storage
 and dropped.
 *************************************************************************/

NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p,
				   struct netr_ServerAuthenticate2 *r)
{
	uint32_t rid_scratch;
	struct netr_ServerAuthenticate3 auth3;

	/* Outputs: everything except the rid goes straight back to r. */
	auth3.out.negotiate_flags = r->out.negotiate_flags;
	auth3.out.return_credentials = r->out.return_credentials;
	auth3.out.rid = &rid_scratch;

	/* Inputs are passed through unchanged. */
	auth3.in.negotiate_flags = r->in.negotiate_flags;
	auth3.in.credentials = r->in.credentials;
	auth3.in.computer_name = r->in.computer_name;
	auth3.in.secure_channel_type = r->in.secure_channel_type;
	auth3.in.account_name = r->in.account_name;
	auth3.in.server_name = r->in.server_name;

	return _netr_ServerAuthenticate3(p, &auth3);
}
/*************************************************************************
 samr_open_machine_account

 Opens a SAMR user handle for the account identified by machine_sid:
 Connect2 -> OpenDomain (on the SID with its RID split off) -> OpenUser.
 The connect and domain handles are closed again before returning; the
 user handle is left open in *machine_handle for the caller.

 Returns NT_STATUS_INVALID_PARAMETER when the SID has no RID to split
 off, otherwise the status of the first SAMR call that failed, or the
 OpenUser status.

 NOTE(review): access_mask is never read. OpenUser is always called with
 SEC_FLAG_MAXIMUM_ALLOWED. Confirm whether the parameter was meant to be
 passed through before relying on it to restrict access.
 *************************************************************************/

static NTSTATUS samr_open_machine_account(
	struct dcerpc_binding_handle *b,
	const struct dom_sid *machine_sid,
	uint32_t access_mask,
	struct policy_handle *machine_handle)
{
	TALLOC_CTX *frame = talloc_stackframe();
	struct policy_handle server_hnd = { .handle_type = 0 };
	struct policy_handle dom_hnd = { .handle_type = 0 };
	struct dom_sid dom_sid_copy = *machine_sid;
	uint32_t rid;
	NTSTATUS rpc_result = NT_STATUS_OK;
	NTSTATUS status = NT_STATUS_INVALID_PARAMETER;

	/* Split the copy into domain SID and account RID. */
	if (!sid_split_rid(&dom_sid_copy, &rid)) {
		goto out;
	}

	status = dcerpc_samr_Connect2(b,
				      frame,
				      lp_netbios_name(),
				      SAMR_ACCESS_CONNECT_TO_SERVER |
				      SAMR_ACCESS_ENUM_DOMAINS |
				      SAMR_ACCESS_LOOKUP_DOMAIN,
				      &server_hnd,
				      &rpc_result);
	if (any_nt_status_not_ok(status, rpc_result, &status)) {
		goto out;
	}

	status = dcerpc_samr_OpenDomain(b,
					frame,
					&server_hnd,
					SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
					&dom_sid_copy,
					&dom_hnd,
					&rpc_result);
	if (any_nt_status_not_ok(status, rpc_result, &status)) {
		goto out;
	}

	status = dcerpc_samr_OpenUser(b,
				      frame,
				      &dom_hnd,
				      SEC_FLAG_MAXIMUM_ALLOWED,
				      rid,
				      machine_handle,
				      &rpc_result);
	if (any_nt_status_not_ok(status, rpc_result, &status)) {
		goto out;
	}

out:
	/* Close in reverse order of opening; results are ignored. */
	if (b != NULL && is_valid_policy_hnd(&dom_hnd)) {
		dcerpc_samr_Close(b, frame, &dom_hnd, &rpc_result);
	}
	if (b != NULL && is_valid_policy_hnd(&server_hnd)) {
		dcerpc_samr_Close(b, frame, &server_hnd, &rpc_result);
	}
	TALLOC_FREE(frame);
	return status;
}
/*
 * New machine-account secret handed to netr_set_machine_account_password().
 * cred_type selects which member of the creds union is valid.
 */
struct _samr_Credentials_t {
/* Discriminator for the creds union below. */
enum {
CRED_TYPE_NT_HASH ,
CRED_TYPE_PLAIN_TEXT ,
} cred_type ;
union {
/* Read when cred_type is CRED_TYPE_NT_HASH; 16 bytes are consumed. */
struct samr_Password * nt_hash ;
/* Read when cred_type is CRED_TYPE_PLAIN_TEXT. */
const char * password ;
} creds ;
} ;
/*
 * Set a new password on the machine account identified by machine_sid.
 *
 * The change is made through an internal SAMR connection to 127.0.0.1
 * that is opened with the system session (get_session_info_system()).
 * session_info is only used to obtain the 16-byte session key that
 * protects the new secret on its way into SetUserInfo2.
 *
 * The account must carry one of the trust flags (ACB_WSTRUST,
 * ACB_SVRTRUST, ACB_DOMTRUST), otherwise NT_STATUS_NO_SUCH_USER is
 * returned; a disabled account gives NT_STATUS_ACCOUNT_DISABLED.
 *
 * cr->cred_type picks the SAMR info level: an NT hash goes in as
 * UserInternal1Information, a plaintext password as
 * UserInternal5InformationNew. Any other type is
 * NT_STATUS_INTERNAL_ERROR.
 *
 * mem_ctx is not used in this function; all temporaries live on a
 * talloc stackframe that is freed before returning.
 */
static NTSTATUS netr_set_machine_account_password(
	TALLOC_CTX *mem_ctx,
	struct auth_session_info *session_info,
	struct messaging_context *msg_ctx,
	const struct dom_sid *machine_sid,
	struct _samr_Credentials_t *cr)
{
	NTSTATUS status;
	NTSTATUS rpc_result = NT_STATUS_OK;
	struct dcerpc_binding_handle *samr = NULL;
	struct tsocket_address *loopback;
	struct policy_handle user_handle = { .handle_type = 0 };
	uint32_t acb;
	union samr_UserInfo *info;
	struct samr_UserInfo18 info18;
	struct samr_UserInfo26 info26;
	DATA_BLOB hash_plain, hash_crypt;
	int rc;
	DATA_BLOB session_key;
	enum samr_UserInfoLevel infolevel;
	TALLOC_CTX *frame = talloc_stackframe();

	status = session_extract_session_key(session_info,
					     &session_key,
					     KEY_USE_16BYTES);
	if (!NT_STATUS_IS_OK(status)) {
		goto out;
	}

	rc = tsocket_address_inet_from_strings(frame,
					       " ip ",
					       " 127.0.0.1 ",
					       0,
					       &loopback);
	if (rc < 0) {
		status = NT_STATUS_NO_MEMORY;
		goto out;
	}

	/* Internal SAMR pipe, running with the system session. */
	status = rpcint_binding_handle(frame,
				       &ndr_table_samr,
				       loopback,
				       NULL,
				       get_session_info_system(),
				       msg_ctx,
				       &samr);
	if (!NT_STATUS_IS_OK(status)) {
		goto out;
	}

	status = samr_open_machine_account(samr,
					   machine_sid,
					   SEC_FLAG_MAXIMUM_ALLOWED,
					   &user_handle);
	if (!NT_STATUS_IS_OK(status)) {
		goto out;
	}

	/* Read the account control bits before changing anything. */
	status = dcerpc_samr_QueryUserInfo2(samr,
					    frame,
					    &user_handle,
					    UserControlInformation,
					    &info,
					    &rpc_result);
	if (any_nt_status_not_ok(status, rpc_result, &status)) {
		goto out;
	}

	acb = info->info16.acct_flags;

	/* Only trust accounts may have their password set this way. */
	if ((acb & (ACB_WSTRUST | ACB_SVRTRUST | ACB_DOMTRUST)) == 0) {
		status = NT_STATUS_NO_SUCH_USER;
		goto out;
	}

	if (acb & ACB_DISABLED) {
		status = NT_STATUS_ACCOUNT_DISABLED;
		goto out;
	}

	/*
	 * Build the SetUserInfo2 payload. The union returned by the query
	 * above is reused as the carrier for the new info level.
	 */
	switch (cr->cred_type) {
	case CRED_TYPE_NT_HASH:
		ZERO_STRUCT(info18);

		infolevel = UserInternal1Information;

		/* Encrypt the 16-byte hash with the session key. */
		hash_plain = data_blob_const(cr->creds.nt_hash, 16);
		hash_crypt = data_blob_talloc_zero(frame, 16);
		if (hash_crypt.data == NULL) {
			status = NT_STATUS_NO_MEMORY;
			goto out;
		}
		rc = sess_crypt_blob(&hash_crypt,
				     &hash_plain,
				     &session_key,
				     SAMBA_GNUTLS_ENCRYPT);
		if (rc != 0) {
			status = gnutls_error_to_ntstatus(
				rc,
				NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
			goto out;
		}
		memcpy(info18.nt_pwd.hash, hash_crypt.data, hash_crypt.length);

		info18.nt_pwd_active = true;

		info->info18 = info18;
		break;

	case CRED_TYPE_PLAIN_TEXT:
		ZERO_STRUCT(info26);

		infolevel = UserInternal5InformationNew;

		status = init_samr_CryptPasswordEx(cr->creds.password,
						   &session_key,
						   &info26.password);
		if (!NT_STATUS_IS_OK(status)) {
			goto out;
		}

		info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
		info->info26 = info26;
		break;

	default:
		status = NT_STATUS_INTERNAL_ERROR;
		goto out;
	}

	status = dcerpc_samr_SetUserInfo2(samr,
					  frame,
					  &user_handle,
					  infolevel,
					  info,
					  &rpc_result);
	if (any_nt_status_not_ok(status, rpc_result, &status)) {
		goto out;
	}

out:
	/* Close result is ignored; status keeps the first failure. */
	if (samr != NULL && is_valid_policy_hnd(&user_handle)) {
		dcerpc_samr_Close(samr, frame, &user_handle, &rpc_result);
	}

	TALLOC_FREE(frame);

	return status;
}
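/*************************************************************************
 _netr_ServerPasswordSet

 Sets a new NT hash on the calling machine's own account. The request
 authenticator is verified first (as root) with
 dcesrv_netr_creds_server_step_check(); the supplied hash is then
 decrypted with netlogon_creds_des_decrypt() and written through
 netr_set_machine_account_password() for the SID held in the credential
 state.

 Returns the status of the first step that fails, otherwise the status
 of the password change. The credential state is released on every exit
 path and the account name is NULL-checked before it is logged, matching
 _netr_ServerPasswordSet2.
 *************************************************************************/

NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
				 struct netr_ServerPasswordSet *r)
{
	struct dcesrv_call_state *dce_call = p->dce_call;
	struct auth_session_info *session_info =
		dcesrv_call_session_info(dce_call);
	NTSTATUS status = NT_STATUS_OK;
	size_t i;
	struct netlogon_creds_CredentialState *creds = NULL;
	struct _samr_Credentials_t cr = { CRED_TYPE_NT_HASH, { 0 } };
	/* Name used in log messages when the state carries none. */
	const char *computer_name = " <unknown> ";

	DEBUG(5, (" _netr_ServerPasswordSet: %d \n ", __LINE__));

	become_root();
	status = dcesrv_netr_creds_server_step_check(p->dce_call,
						      p->mem_ctx,
						      r->in.computer_name,
						      r->in.credential,
						      r->out.return_authenticator,
						      &creds);
	unbecome_root();

	if (creds != NULL && creds->computer_name != NULL) {
		computer_name = creds->computer_name;
	}

	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(2, (" _netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
			  " request from client %s machine account %s \n ",
			  r->in.computer_name, computer_name));
		TALLOC_FREE(creds);
		return status;
	}

	/* computer_name is never NULL here, so %s is always safe. */
	DEBUG(3, (" _netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s] \n ",
		  r->in.computer_name, computer_name));

	status = netlogon_creds_des_decrypt(creds, r->in.new_password);
	if (!NT_STATUS_IS_OK(status)) {
		TALLOC_FREE(creds);
		return status;
	}

	/*
	 * NOTE(review): at debug level 100 this writes the decrypted NT
	 * hash to the log. Confirm that is acceptable for the deployment's
	 * log handling.
	 */
	DEBUG(100, (" _netr_ServerPasswordSet: new given value was : \n "));
	for (i = 0; i < sizeof(r->in.new_password->hash); i++) {
		DEBUG(100, (" %02X ", r->in.new_password->hash[i]));
	}
	DEBUG(100, (" \n "));

	cr.creds.nt_hash = r->in.new_password;
	status = netr_set_machine_account_password(p->mem_ctx,
						   session_info,
						   p->msg_ctx,
						   creds->sid,
						   &cr);
	/* creds->sid was the last use of the credential state. */
	TALLOC_FREE(creds);
	return status;
}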
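/****************************************************************
 _netr_ServerPasswordSet2

 Sets a new plaintext password on the calling machine's own account.
 The request authenticator is verified first (as root). The 516-byte
 password buffer (512 data bytes plus a 4-byte length) is then decrypted
 with AES when NETLOGON_NEG_SUPPORTS_AES was negotiated, otherwise with
 the arcfour routine.

 Before the password is accepted, the decrypted buffer is compared with
 the bytes received on the wire. An unchanged length field, confounder or
 password region, a password shorter than 2 bytes, an all-zero password
 or a password that converts to an empty string are all rejected with
 NT_STATUS_WRONG_PASSWORD.

 All exits after the authenticator check go through one cleanup label
 that wipes the decrypted buffer and both password copies and releases
 the credential state.
****************************************************************/

NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
				  struct netr_ServerPasswordSet2 *r)
{
	struct dcesrv_call_state *dce_call = p->dce_call;
	struct auth_session_info *session_info =
		dcesrv_call_session_info(dce_call);
	NTSTATUS status;
	struct netlogon_creds_CredentialState *creds = NULL;
	DATA_BLOB plaintext = data_blob_null;
	DATA_BLOB new_password = data_blob_null;
	size_t confounder_len;
	DATA_BLOB dec_blob = data_blob_null;
	DATA_BLOB enc_blob = data_blob_null;
	struct samr_CryptPassword password_buf;
	struct _samr_Credentials_t cr = { CRED_TYPE_PLAIN_TEXT, { 0 } };
	bool ok;

	become_root();
	status = dcesrv_netr_creds_server_step_check(p->dce_call,
						      p->mem_ctx,
						      r->in.computer_name,
						      r->in.credential,
						      r->out.return_authenticator,
						      &creds);
	unbecome_root();

	if (!NT_STATUS_IS_OK(status)) {
		DBG_NOTICE(" netlogon_creds_server_step failed. "
			   " Rejecting auth request from client %s \n ",
			   r->in.computer_name);
		goto out;
	}

	DBG_NOTICE(" Server Password Set2 by remote "
		   " machine:[%s] on account [%s] \n ",
		   r->in.computer_name,
		   creds->computer_name != NULL ?
			creds->computer_name : " <unknown> ");

	/* Work on a private copy so the wire bytes stay available below. */
	memcpy(password_buf.data, r->in.new_password->data, 512);
	SIVAL(password_buf.data, 512, r->in.new_password->length);

	if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
		status = netlogon_creds_aes_decrypt(creds,
						    password_buf.data,
						    516);
	} else {
		status = netlogon_creds_arcfour_crypt(creds,
						      password_buf.data,
						      516);
	}
	if (!NT_STATUS_IS_OK(status)) {
		goto out;
	}

	if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &new_password)) {
		DEBUG(2, (" _netr_ServerPasswordSet2: unable to extract password "
			  " from a buffer. Rejecting auth request as a wrong password \n "));
		status = NT_STATUS_WRONG_PASSWORD;
		goto out;
	}

	/*
	 * Make sure the length field was encrypted,
	 * otherwise we are under attack.
	 */
	if (new_password.length == r->in.new_password->length) {
		DBG_WARNING(" Length[%zu] field not encrypted \n ",
			    new_password.length);
		status = NT_STATUS_WRONG_PASSWORD;
		goto out;
	}

	/*
	 * We don't allow empty passwords for machine accounts.
	 */
	if (new_password.length < 2) {
		DBG_WARNING(" Empty password Length[%zu] \n ",
			    new_password.length);
		status = NT_STATUS_WRONG_PASSWORD;
		goto out;
	}

	/*
	 * Make sure the confounder part of CryptPassword
	 * buffer was encrypted, otherwise we are under attack.
	 *
	 * NOTE(review): assumes extract_pw_from_buffer() rejects lengths
	 * above 512, otherwise this subtraction would wrap. Confirm.
	 */
	confounder_len = 512 - new_password.length;
	enc_blob = data_blob_const(r->in.new_password->data, confounder_len);
	dec_blob = data_blob_const(password_buf.data, confounder_len);
	if (confounder_len > 0 && data_blob_equal_const_time(&dec_blob, &enc_blob)) {
		DBG_WARNING(" Confounder buffer not encrypted Length[%zu] \n ",
			    confounder_len);
		status = NT_STATUS_WRONG_PASSWORD;
		goto out;
	}

	/*
	 * Check that the password part was actually encrypted,
	 * otherwise we are under attack.
	 */
	enc_blob = data_blob_const(r->in.new_password->data + confounder_len,
				   new_password.length);
	dec_blob = data_blob_const(password_buf.data + confounder_len,
				   new_password.length);
	if (data_blob_equal_const_time(&dec_blob, &enc_blob)) {
		DBG_WARNING(" Password buffer not encrypted Length[%zu] \n ",
			    new_password.length);
		status = NT_STATUS_WRONG_PASSWORD;
		goto out;
	}

	/*
	 * don't allow zero buffers
	 */
	if (all_zero(new_password.data, new_password.length)) {
		DBG_WARNING(" Password zero buffer Length[%zu] \n ",
			    new_password.length);
		status = NT_STATUS_WRONG_PASSWORD;
		goto out;
	}

	/* Convert from UTF16 -> plaintext. */
	ok = convert_string_talloc(p->mem_ctx,
				   CH_UTF16,
				   CH_UNIX,
				   new_password.data,
				   new_password.length,
				   &plaintext.data,
				   &plaintext.length);
	if (!ok) {
		DBG_WARNING(" unable to extract password from a buffer. "
			    " Rejecting auth request as a wrong password \n ");
		status = NT_STATUS_WRONG_PASSWORD;
		goto out;
	}

	/*
	 * We don't allow empty passwords for machine accounts.
	 */
	cr.creds.password = (const char *)plaintext.data;
	if (strlen(cr.creds.password) == 0) {
		DBG_WARNING(" Empty plaintext password \n ");
		status = NT_STATUS_WRONG_PASSWORD;
		goto out;
	}

	status = netr_set_machine_account_password(p->mem_ctx,
						   session_info,
						   p->msg_ctx,
						   creds->sid,
						   &cr);

out:
	/*
	 * password_buf, new_password and plaintext each hold the new
	 * machine password in the clear once decryption has run. Wipe them
	 * here rather than leaving them on the stack and on p->mem_ctx
	 * until the request context is torn down. Both blobs start out as
	 * data_blob_null, so clearing them on an early exit is harmless.
	 */
	ZERO_STRUCT(password_buf);
	data_blob_clear_free(&new_password);
	data_blob_clear_free(&plaintext);
	TALLOC_FREE(creds);
	return status;
}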
/*************************************************************************
 _netr_LogonSamLogoff

 Verifies the request authenticator (as root) through
 dcesrv_netr_creds_server_step_check() and returns that status. Nothing
 else is done with the resulting credential state.
 *************************************************************************/

NTSTATUS _netr_LogonSamLogoff(struct pipes_struct *p,
			      struct netr_LogonSamLogoff *r)
{
	struct netlogon_creds_CredentialState *step_creds;
	NTSTATUS step_status;

	become_root();
	step_status = dcesrv_netr_creds_server_step_check(
		p->dce_call,
		p->mem_ctx,
		r->in.computer_name,
		r->in.credential,
		r->out.return_authenticator,
		&step_creds);
	unbecome_root();

	return step_status;
}
/*
 * Validate the logon_level / validation_level combination of a
 * LogonSamLogon request before any authentication work is done.
 *
 * Interactive/service levels need r->in.logon->password and network
 * levels need r->in.logon->network; a missing member is
 * NT_STATUS_INVALID_PARAMETER. For both groups the validation level
 * must be SamInfo (2), SamInfo2 (3) or SamInfo4 (6). Level 6 is only
 * accepted when the passdb backend reports PDB_CAP_ADS. Anything else
 * is NT_STATUS_INVALID_INFO_CLASS.
 *
 * Generic logon information and unknown logon levels are rejected with
 * NT_STATUS_INVALID_PARAMETER.
 */
static NTSTATUS _netr_LogonSamLogon_check(const struct netr_LogonSamLogonEx *r)
{
	switch (r->in.logon_level) {
	case NetlogonInteractiveInformation:
	case NetlogonServiceInformation:
	case NetlogonInteractiveTransitiveInformation:
	case NetlogonServiceTransitiveInformation:
		if (r->in.logon->password == NULL) {
			return NT_STATUS_INVALID_PARAMETER;
		}

		if (r->in.validation_level == NetlogonValidationSamInfo4) { /* 6 */
			if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
				DEBUG(10, (" Not adding validation info level 6 "
					   " without ADS passdb backend \n "));
				return NT_STATUS_INVALID_INFO_CLASS;
			}
		} else if (r->in.validation_level != NetlogonValidationSamInfo && /* 2 */
			   r->in.validation_level != NetlogonValidationSamInfo2) { /* 3 */
			return NT_STATUS_INVALID_INFO_CLASS;
		}

		break;

	case NetlogonNetworkInformation:
	case NetlogonNetworkTransitiveInformation:
		if (r->in.logon->network == NULL) {
			return NT_STATUS_INVALID_PARAMETER;
		}

		if (r->in.validation_level == NetlogonValidationSamInfo4) { /* 6 */
			if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
				DEBUG(10, (" Not adding validation info level 6 "
					   " without ADS passdb backend \n "));
				return NT_STATUS_INVALID_INFO_CLASS;
			}
		} else if (r->in.validation_level != NetlogonValidationSamInfo && /* 2 */
			   r->in.validation_level != NetlogonValidationSamInfo2) { /* 3 */
			return NT_STATUS_INVALID_INFO_CLASS;
		}

		break;

	case NetlogonGenericInformation:
		if (r->in.logon->generic == NULL) {
			return NT_STATUS_INVALID_PARAMETER;
		}

		/* we don't support this here */
		return NT_STATUS_INVALID_PARAMETER;
#if 0
		switch (r->in.validation_level) {
		/* TODO: case NetlogonValidationGenericInfo: 4 */
		case NetlogonValidationGenericInfo2: /* 5 */
			break;
		default:
			return NT_STATUS_INVALID_INFO_CLASS;
		}

		break;
#endif
	default:
		return NT_STATUS_INVALID_PARAMETER;
	}

	return NT_STATUS_OK;
}
/*************************************************************************
 _netr_LogonSamLogon_base

 Shared worker behind netr_LogonSamLogon, netr_LogonSamLogonWithFlags and
 netr_LogonSamLogonEx (the opnum of the running call selects the name used
 in log messages and whether the schannel check is done here).

 p     - pipe state; p->dce_call supplies opnum, auth type/level and the
         connection addresses, p->mem_ctx owns the reply buffers.
 r     - request/response in netr_LogonSamLogonEx layout.
 creds - netlogon credential state of the calling machine, used to
         decrypt the logon blob and encrypt the validation reply.

 Returns NT_STATUS_OK with r->out.validation filled and encrypted, or the
 failing status. Guest results are refused with NT_STATUS_LOGON_FAILURE.
 *************************************************************************/

static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
					 struct netr_LogonSamLogonEx *r,
					 struct netlogon_creds_CredentialState *creds)
{
	struct dcesrv_call_state *dce_call = p->dce_call;
	struct dcesrv_connection *dcesrv_conn = dce_call->conn;
	const struct tsocket_address *local_address =
		dcesrv_connection_get_local_address(dcesrv_conn);
	const struct tsocket_address *remote_address =
		dcesrv_connection_get_remote_address(dcesrv_conn);
	NTSTATUS status = NT_STATUS_OK;
	union netr_LogonLevel *logon = r->in.logon;
	const char *nt_username, *nt_domain, *nt_workstation;
	char *sanitized_username = NULL;
	struct auth_usersupplied_info *user_info = NULL;
	struct auth_serversupplied_info *server_info = NULL;
	struct auth_context *auth_context = NULL;
	const char *fn;
	enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
	enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
	uint16_t opnum = dce_call->pkt.u.request.opnum;

	dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);

#ifdef DEBUG_PASSWORD
	/*
	 * Debug builds only: work on a shallow copy so the still-encrypted
	 * request can be dumped next to the decrypted hashes further down.
	 * Falls back to in-place processing if the copy fails.
	 */
	logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
						  r->in.logon_level,
						  r->in.logon);
	if (logon == NULL) {
		logon = r->in.logon;
	}
#endif

	switch (opnum) {
	case NDR_NETR_LOGONSAMLOGON:
		fn = "_netr_LogonSamLogon";
		/*
		 * Already called netr_check_schannel() via
		 * netr_creds_server_step_check()
		 */
		break;

	case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
		fn = "_netr_LogonSamLogonWithFlags";
		/*
		 * Already called netr_check_schannel() via
		 * netr_creds_server_step_check()
		 */
		break;

	case NDR_NETR_LOGONSAMLOGONEX:
		fn = "_netr_LogonSamLogonEx";

		/*
		 * The Ex variant carries no authenticator, so the transport
		 * itself must be schannel-authenticated.
		 */
		if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
			return NT_STATUS_ACCESS_DENIED;
		}

		status = dcesrv_netr_check_schannel(p->dce_call,
						    creds,
						    auth_type,
						    auth_level,
						    opnum);
		/*
		 * NOTE(review): NT_STATUS_IS_ERR() matches error-severity
		 * codes only. This is fail-closed as long as
		 * dcesrv_netr_check_schannel() (not visible here) reports a
		 * refusal with an error-severity status - confirm.
		 */
		if (NT_STATUS_IS_ERR(status)) {
			return status;
		}
		break;

	default:
		return NT_STATUS_INTERNAL_ERROR;
	}

	*r->out.authoritative = 1; /* authoritative response */

	/* Pre-allocate the reply structure for the requested level. */
	switch (r->in.validation_level) {
	case NetlogonValidationSamInfo: /* 2 */
		r->out.validation->sam2 = talloc_zero(p->mem_ctx,
						      struct netr_SamInfo2);
		if (r->out.validation->sam2 == NULL) {
			return NT_STATUS_NO_MEMORY;
		}
		break;

	case NetlogonValidationSamInfo2: /* 3 */
		r->out.validation->sam3 = talloc_zero(p->mem_ctx,
						      struct netr_SamInfo3);
		if (r->out.validation->sam3 == NULL) {
			return NT_STATUS_NO_MEMORY;
		}
		break;

	case NetlogonValidationSamInfo4: /* 6 */
		r->out.validation->sam6 = talloc_zero(p->mem_ctx,
						      struct netr_SamInfo6);
		if (r->out.validation->sam6 == NULL) {
			return NT_STATUS_NO_MEMORY;
		}
		break;

	default:
		DEBUG(0, ("%s: bad validation_level value %d.\n",
			  fn, (int)r->in.validation_level));
		return NT_STATUS_INVALID_INFO_CLASS;
	}

	/*
	 * Pull the identity strings out of the request. They come straight
	 * from the client; a NULL string is mapped to "".
	 */
	switch (r->in.logon_level) {
	case NetlogonInteractiveInformation:
	case NetlogonServiceInformation:
	case NetlogonInteractiveTransitiveInformation:
	case NetlogonServiceTransitiveInformation:
		nt_username = logon->password->identity_info.account_name.string ?
			      logon->password->identity_info.account_name.string : "";
		nt_domain = logon->password->identity_info.domain_name.string ?
			    logon->password->identity_info.domain_name.string : "";
		nt_workstation = logon->password->identity_info.workstation.string ?
				 logon->password->identity_info.workstation.string : "";

		DEBUG(3, ("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup()));
		break;

	case NetlogonNetworkInformation:
	case NetlogonNetworkTransitiveInformation:
		nt_username = logon->network->identity_info.account_name.string ?
			      logon->network->identity_info.account_name.string : "";
		nt_domain = logon->network->identity_info.domain_name.string ?
			    logon->network->identity_info.domain_name.string : "";
		nt_workstation = logon->network->identity_info.workstation.string ?
				 logon->network->identity_info.workstation.string : "";

		DEBUG(3, ("SAM Logon (Network). Domain:[%s]. ", lp_workgroup()));
		break;

	default:
		DEBUG(2, ("SAM Logon: unsupported switch value\n"));
		return NT_STATUS_INVALID_INFO_CLASS;
	} /* end switch */

	/*
	 * NOTE(review): the three names are logged exactly as received; the
	 * sanitised copy is only built later for set_current_user_info().
	 * Anything parsing these log lines should treat the bracketed fields
	 * as untrusted input.
	 */
	DEBUG(3, ("User:[%s@%s] Requested Domain:[%s]\n",
		  nt_username, nt_workstation, nt_domain));

	DEBUG(5, ("Attempting validation level %d for unmapped username %s.\n",
		  r->in.validation_level, nt_username));

	/* Undo the session-key encryption of the logon blob. */
	status = netlogon_creds_decrypt_samlogon_logon(creds,
						       r->in.logon_level,
						       logon);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	/*
	 * auth_context (and user_info below) are allocated on talloc_tos();
	 * the early returns in the switch that follows do not free them
	 * explicitly - presumably they go away with the stackframe.
	 */
	status = make_auth3_context_for_netlogon(talloc_tos(), &auth_context);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	switch (r->in.logon_level) {
	case NetlogonNetworkInformation:
	case NetlogonNetworkTransitiveInformation:
	{
		const char *wks = nt_workstation;
		const char *workgroup = lp_workgroup();
		bool challenge_set;

		/* The client chose the challenge; pin it in the context. */
		challenge_set = auth3_context_set_challenge(
			auth_context, logon->network->challenge, "fixed");
		if (!challenge_set) {
			return NT_STATUS_NO_MEMORY;
		}

		/* For a network logon, the workstation name comes in with two
		 * backslashes in the front. Strip them if they are there. */
		if (*wks == '\\') {
			wks++;
		}
		if (*wks == '\\') {
			wks++;
		}

		/* Standard challenge/response authentication */
		if (!make_user_info_netlogon_network(talloc_tos(),
						     &user_info,
						     nt_username, nt_domain,
						     wks,
						     remote_address,
						     local_address,
						     logon->network->identity_info.parameter_control,
						     logon->network->lm.data,
						     logon->network->lm.length,
						     logon->network->nt.data,
						     logon->network->nt.length)) {
			status = NT_STATUS_NO_MEMORY;
		}

		/*
		 * Cross-check the NTLMv2 response against the machine
		 * credentials before the password itself is verified.
		 */
		if (NT_STATUS_IS_OK(status)) {
			status = NTLMv2_RESPONSE_verify_netlogon_creds(
				user_info->client.account_name,
				user_info->client.domain_name,
				user_info->password.response.nt,
				creds, workgroup);
		}
		break;
	}

	case NetlogonInteractiveInformation:
	case NetlogonServiceInformation:
	case NetlogonInteractiveTransitiveInformation:
	case NetlogonServiceTransitiveInformation:
		/* 'Interactive' authentication, supplies the password in its
		   MD4 form, encrypted with the session key.  We will convert
		   this to challenge/response for the auth subsystem to chew
		   on */
	{
		uint8_t challenge[8];

#ifdef DEBUG_PASSWORD
		/*
		 * Debug builds only: password hashes are written to the log
		 * at debug level 100. Not for production builds.
		 */
		if (logon != r->in.logon) {
			DEBUG(100, ("lm owf password:"));
			dump_data(100,
				  r->in.logon->password->lmpassword.hash, 16);

			DEBUG(100, ("nt owf password:"));
			dump_data(100,
				  r->in.logon->password->ntpassword.hash, 16);
		}

		DEBUG(100, ("decrypt of lm owf password:"));
		dump_data(100, logon->password->lmpassword.hash, 16);

		DEBUG(100, ("decrypt of nt owf password:"));
		dump_data(100, logon->password->ntpassword.hash, 16);
#endif

		auth_get_ntlm_challenge(auth_context, challenge);

		if (!make_user_info_netlogon_interactive(talloc_tos(),
							 &user_info,
							 nt_username, nt_domain,
							 nt_workstation,
							 remote_address,
							 local_address,
							 logon->password->identity_info.parameter_control,
							 challenge,
							 logon->password->lmpassword.hash,
							 logon->password->ntpassword.hash)) {
			status = NT_STATUS_NO_MEMORY;
		}
		break;
	}

	default:
		DEBUG(2, ("SAM Logon: unsupported switch value\n"));
		return NT_STATUS_INVALID_INFO_CLASS;
	} /* end switch */

	/* Only reach the password check if everything above succeeded. */
	if (NT_STATUS_IS_OK(status)) {
		status = auth_check_ntlm_password(p->mem_ctx,
						  auth_context,
						  user_info,
						  &server_info,
						  r->out.authoritative);
	}

	TALLOC_FREE(auth_context);
	TALLOC_FREE(user_info);

	DEBUG(5, ("%s: check_password returned status %s\n",
		  fn, nt_errstr(status)));

	/* Check account and password */

	if (!NT_STATUS_IS_OK(status)) {
		TALLOC_FREE(server_info);
		return status;
	}

	if (server_info->guest) {
		/* We don't like guest domain logons... */
		DEBUG(5, ("%s: Attempted domain logon as GUEST "
			  "denied.\n", fn));
		TALLOC_FREE(server_info);
		return NT_STATUS_LOGON_FAILURE;
	}

	/*
	 * Only a filtered copy of the client-supplied name (characters from
	 * SAFE_NETBIOS_CHARS plus '$') is handed to set_current_user_info().
	 */
	sanitized_username = talloc_alpha_strcpy(talloc_tos(),
						 nt_username,
						 SAFE_NETBIOS_CHARS "$");
	if (sanitized_username == NULL) {
		TALLOC_FREE(server_info);
		return NT_STATUS_NO_MEMORY;
	}

	set_current_user_info(sanitized_username,
			      server_info->unix_name,
			      server_info->info3->base.logon_domain.string);
	TALLOC_FREE(sanitized_username);

	/* This is the point at which, if the login was successful, that
	   the SAM Local Security Authority should record that the user is
	   logged in to the domain.  */

	switch (r->in.validation_level) {
	case NetlogonValidationSamInfo: /* 2 */
		status = serverinfo_to_SamInfo2(server_info,
						r->out.validation->sam2);
		break;

	case NetlogonValidationSamInfo2: /* 3 */
		status = serverinfo_to_SamInfo3(server_info,
						r->out.validation->sam3);
		break;

	case NetlogonValidationSamInfo4: /* 6 */
		/* Only allow this if the pipe is protected. */
		if (auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
			DEBUG(0, ("netr_Validation6: client %s not using privacy for netlogon\n",
				  get_remote_machine_name()));
			status = NT_STATUS_INVALID_PARAMETER;
			break;
		}
		status = serverinfo_to_SamInfo6(server_info,
						r->out.validation->sam6);
		break;
	}

	TALLOC_FREE(server_info);

	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	/* Encrypt the sensitive parts of the reply for the wire. */
	return netlogon_creds_encrypt_samlogon_validation(creds,
							  r->in.validation_level,
							  r->out.validation);
}
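/****************************************************************
 _netr_LogonSamLogonWithFlags

 Authenticator-carrying SamLogon. The request is repacked into the
 netr_LogonSamLogonEx layout, validated, the client credential is
 stepped (as root), and the shared worker does the actual logon.

 The return authenticator computed by the credential step is copied
 to the reply whatever status the worker returns; it is not written
 when validation or the credential step itself fails.
****************************************************************/

NTSTATUS _netr_LogonSamLogonWithFlags(struct pipes_struct *p,
				      struct netr_LogonSamLogonWithFlags *r)
{
	NTSTATUS status;
	struct netlogon_creds_CredentialState *creds = NULL;
	struct netr_Authenticator return_authenticator;
	/*
	 * Designated initialiser: every member not listed here starts out
	 * zeroed instead of holding indeterminate stack contents.
	 */
	struct netr_LogonSamLogonEx r2 = {
		.in = {
			.server_name      = r->in.server_name,
			.computer_name    = r->in.computer_name,
			.logon_level      = r->in.logon_level,
			.logon            = r->in.logon,
			.validation_level = r->in.validation_level,
			.flags            = r->in.flags,
		},
		.out = {
			.validation    = r->out.validation,
			.authoritative = r->out.authoritative,
			.flags         = r->out.flags,
		},
	};

	*r->out.authoritative = true;

	/* Reject unsupported level combinations before touching creds. */
	status = _netr_LogonSamLogon_check(&r2);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	/*
	 * Verify and advance the client's netlogon credential. On success
	 * creds holds the credential state used by the worker.
	 */
	become_root();
	status = dcesrv_netr_creds_server_step_check(p->dce_call,
						     p->mem_ctx,
						     r->in.computer_name,
						     r->in.credential,
						     &return_authenticator,
						     &creds);
	unbecome_root();
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = _netr_LogonSamLogon_base(p, &r2, creds);

	*r->out.return_authenticator = return_authenticator;

	return status;
}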
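/*************************************************************************
 _netr_LogonSamLogon

 Flag-less SamLogon. Repacks the request as netr_LogonSamLogonWithFlags
 with a local flags word of 0 for both the in and out pointers and
 forwards it; all checks happen in _netr_LogonSamLogonWithFlags().
 *************************************************************************/

NTSTATUS _netr_LogonSamLogon(struct pipes_struct *p,
			     struct netr_LogonSamLogon *r)
{
	uint32_t flags = 0;
	/*
	 * Designated initialiser: every member not listed here starts out
	 * zeroed instead of holding indeterminate stack contents.
	 */
	struct netr_LogonSamLogonWithFlags r2 = {
		.in = {
			.server_name          = r->in.server_name,
			.computer_name        = r->in.computer_name,
			.credential           = r->in.credential,
			.logon_level          = r->in.logon_level,
			.logon                = r->in.logon,
			.validation_level     = r->in.validation_level,
			.return_authenticator = r->in.return_authenticator,
			.flags                = &flags,
		},
		.out = {
			.validation           = r->out.validation,
			.authoritative        = r->out.authoritative,
			.flags                = &flags,
			.return_authenticator = r->out.return_authenticator,
		},
	};

	return _netr_LogonSamLogonWithFlags(p, &r2);
}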
/*************************************************************************
 _netr_LogonSamLogonEx
 - no credential chaining. Map into net sam logon.

 There is no authenticator in this call: the credential state is looked
 up (as root) by the computer name given in the request, and
 _netr_LogonSamLogon_base() refuses the call unless the connection is
 schannel-authenticated.
 *************************************************************************/

NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
			       struct netr_LogonSamLogonEx *r)
{
	struct loadparm_context *lp_ctx = p->dce_call->conn->dce_ctx->lp_ctx;
	struct netlogon_creds_CredentialState *creds = NULL;
	NTSTATUS status;

	*r->out.authoritative = true;

	/* Reject unsupported level combinations before touching creds. */
	status = _netr_LogonSamLogon_check(r);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	/* Fetch the stored credential state for the calling machine. */
	become_root();
	status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
					  r->in.computer_name, &creds);
	unbecome_root();
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = _netr_LogonSamLogon_base(p, r, creds);

	/* The state was only needed for this one call. */
	TALLOC_FREE(creds);

	return status;
}
/*************************************************************************
 _ds_enum_dom_trusts

 Compiled out (#if 0): placeholder that would return NT_STATUS_OK
 without filling in any reply.
 *************************************************************************/

#if 0	/* JERRY -- not correct */
NTSTATUS _ds_enum_dom_trusts(struct pipes_struct *p, DS_Q_ENUM_DOM_TRUSTS *q_u,
			     DS_R_ENUM_DOM_TRUSTS *r_u)
{
	/* TODO: According to MSDN, this can only be executed against a
	   DC or domain member running Windows 2000 or later.  Need
	   to test against a standalone 2k server and see what it
	   does.  A windows 2000 DC includes its own domain in the
	   list.  --jerry */

	return NT_STATUS_OK;
}
#endif	/* JERRY */
/****************************************************************
 _netr_LogonUasLogon

 Not implemented. Marks the call with DCERPC_FAULT_OP_RNG_ERROR in
 p->fault_state (presumably turned into an RPC fault by the
 dispatcher) and returns WERR_NOT_SUPPORTED. r is not examined.
****************************************************************/

WERROR _netr_LogonUasLogon(struct pipes_struct *p,
			   struct netr_LogonUasLogon *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;

	return WERR_NOT_SUPPORTED;
}
/****************************************************************
 _netr_LogonUasLogoff

 Not implemented. Marks the call with DCERPC_FAULT_OP_RNG_ERROR in
 p->fault_state (presumably turned into an RPC fault by the
 dispatcher) and returns WERR_NOT_SUPPORTED. r is not examined.
****************************************************************/

WERROR _netr_LogonUasLogoff(struct pipes_struct *p,
			    struct netr_LogonUasLogoff *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;

	return WERR_NOT_SUPPORTED;
}
/****************************************************************
 _netr_DatabaseDeltas

 Not implemented. Marks the call with DCERPC_FAULT_OP_RNG_ERROR in
 p->fault_state (presumably turned into an RPC fault by the
 dispatcher) and returns NT_STATUS_NOT_IMPLEMENTED. r is not
 examined.
****************************************************************/

NTSTATUS _netr_DatabaseDeltas(struct pipes_struct *p,
			      struct netr_DatabaseDeltas *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;

	return NT_STATUS_NOT_IMPLEMENTED;
}
/****************************************************************
 _netr_DatabaseSync

 Not implemented. Marks the call with DCERPC_FAULT_OP_RNG_ERROR in
 p->fault_state (presumably turned into an RPC fault by the
 dispatcher) and returns NT_STATUS_NOT_IMPLEMENTED. r is not
 examined.
****************************************************************/

NTSTATUS _netr_DatabaseSync(struct pipes_struct *p,
			    struct netr_DatabaseSync *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;

	return NT_STATUS_NOT_IMPLEMENTED;
}
/****************************************************************
 _netr_AccountDeltas

 Not implemented. Marks the call with DCERPC_FAULT_OP_RNG_ERROR in
 p->fault_state (presumably turned into an RPC fault by the
 dispatcher) and returns NT_STATUS_NOT_IMPLEMENTED. r is not
 examined.
****************************************************************/

NTSTATUS _netr_AccountDeltas(struct pipes_struct *p,
			     struct netr_AccountDeltas *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;

	return NT_STATUS_NOT_IMPLEMENTED;
}
/****************************************************************
 _netr_AccountSync

 Not implemented. Marks the call with DCERPC_FAULT_OP_RNG_ERROR in
 p->fault_state (presumably turned into an RPC fault by the
 dispatcher) and returns NT_STATUS_NOT_IMPLEMENTED. r is not
 examined.
****************************************************************/

NTSTATUS _netr_AccountSync(struct pipes_struct *p,
			   struct netr_AccountSync *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;

	return NT_STATUS_NOT_IMPLEMENTED;
}
/****************************************************************
 wb_getdcname

 Ask winbind for a domain controller of `domain`.

 Returns true when *werr is the final answer for the caller:
   WERR_OK (and *dcname set to a copy owned by mem_ctx),
   WERR_NO_SUCH_DOMAIN, or WERR_DOMAIN_CONTROLLER_NOT_FOUND.
 Returns false when the caller should try another lookup method:
   winbind is not available (*werr untouched), or the name could
   not be copied (*werr = WERR_NOT_ENOUGH_MEMORY).
****************************************************************/

static bool wb_getdcname(TALLOC_CTX *mem_ctx,
			 const char *domain,
			 const char **dcname,
			 uint32_t flags,
			 WERROR *werr)
{
	struct wbcDomainControllerInfo *dc_info = NULL;
	wbcErr result;

	result = wbcLookupDomainController(domain, flags, &dc_info);

	if (result == WBC_ERR_WINBIND_NOT_AVAILABLE) {
		/* No winbind: let the caller fall back. */
		return false;
	}
	if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
		*werr = WERR_NO_SUCH_DOMAIN;
		return true;
	}
	if (result != WBC_ERR_SUCCESS) {
		*werr = WERR_DOMAIN_CONTROLLER_NOT_FOUND;
		return true;
	}

	/* Copy the name before releasing the winbind result. */
	*dcname = talloc_strdup(mem_ctx, dc_info->dc_name);
	wbcFreeMemory(dc_info);
	if (*dcname == NULL) {
		*werr = WERR_NOT_ENOUGH_MEMORY;
		return false;
	}

	*werr = WERR_OK;

	return true;
}
/****************************************************************
 _netr_GetDcName

 Return the PDC of the flat-named domain r->in.domainname in
 *r->out.dcname. winbind is asked first; when wb_getdcname()
 returns false, dsgetdcname() is used and the UNC name of the
 result is copied onto p->mem_ctx.

 r->in.domainname is supplied by the RPC client and handed to
 both lookups as received.
****************************************************************/

WERROR _netr_GetDcName(struct pipes_struct *p,
		       struct netr_GetDcName *r)
{
	const uint32_t wbc_flags = WBC_LOOKUP_DC_IS_FLAT_NAME |
				   WBC_LOOKUP_DC_RETURN_FLAT_NAME |
				   WBC_LOOKUP_DC_PDC_REQUIRED;
	const uint32_t ds_flags = DS_PDC_REQUIRED |
				  DS_IS_FLAT_NAME |
				  DS_RETURN_FLAT_NAME;
	struct netr_DsRGetDCNameInfo *info;
	NTSTATUS status;
	WERROR werr;

	/* First choice: winbind already knows the answer (or the error). */
	if (wb_getdcname(p->mem_ctx,
			 r->in.domainname,
			 r->out.dcname,
			 wbc_flags,
			 &werr)) {
		return werr;
	}

	/* Fallback: do the DC location ourselves. */
	status = dsgetdcname(p->mem_ctx,
			     p->msg_ctx,
			     r->in.domainname,
			     NULL,
			     NULL,
			     ds_flags,
			     &info);
	if (!NT_STATUS_IS_OK(status)) {
		return ntstatus_to_werror(status);
	}

	*r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
	talloc_free(info);
	if (*r->out.dcname == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	return WERR_OK;
}
/****************************************************************
 _netr_GetAnyDCName

 Return any DC of the flat-named domain r->in.domainname in
 *r->out.dcname. Same flow as the PDC lookup in this file but
 without the PDC-required flags: winbind first, dsgetdcname()
 when wb_getdcname() returns false.

 r->in.domainname is supplied by the RPC client and handed to
 both lookups as received.
****************************************************************/

WERROR _netr_GetAnyDCName(struct pipes_struct *p,
			  struct netr_GetAnyDCName *r)
{
	const uint32_t wbc_flags = WBC_LOOKUP_DC_IS_FLAT_NAME |
				   WBC_LOOKUP_DC_RETURN_FLAT_NAME;
	const uint32_t ds_flags = DS_IS_FLAT_NAME | DS_RETURN_FLAT_NAME;
	struct netr_DsRGetDCNameInfo *info;
	NTSTATUS status;
	WERROR werr;

	/* First choice: winbind already knows the answer (or the error). */
	if (wb_getdcname(p->mem_ctx,
			 r->in.domainname,
			 r->out.dcname,
			 wbc_flags,
			 &werr)) {
		return werr;
	}

	/* Fallback: do the DC location ourselves. */
	status = dsgetdcname(p->mem_ctx,
			     p->msg_ctx,
			     r->in.domainname,
			     NULL,
			     NULL,
			     ds_flags,
			     &info);
	if (!NT_STATUS_IS_OK(status)) {
		return ntstatus_to_werror(status);
	}

	*r->out.dcname = talloc_strdup(p->mem_ctx, info->dc_unc);
	talloc_free(info);
	if (*r->out.dcname == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	return WERR_OK;
}
/****************************************************************
 _netr_DatabaseSync2

 Not implemented. Marks the call with DCERPC_FAULT_OP_RNG_ERROR in
 p->fault_state (presumably turned into an RPC fault by the
 dispatcher) and returns NT_STATUS_NOT_IMPLEMENTED. r is not
 examined.
****************************************************************/

NTSTATUS _netr_DatabaseSync2(struct pipes_struct *p,
			     struct netr_DatabaseSync2 *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;

	return NT_STATUS_NOT_IMPLEMENTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_DatabaseRedo is not implemented: nothing is read from r, the fault
 * state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state and
 * NT_STATUS_NOT_IMPLEMENTED is returned.
 */
NTSTATUS _netr_DatabaseRedo(struct pipes_struct *p,
			    struct netr_DatabaseRedo *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return NT_STATUS_NOT_IMPLEMENTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_DsRGetDCName is not supported: nothing is read from r, the fault
 * state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state and
 * WERR_NOT_SUPPORTED is returned.
 */
WERROR _netr_DsRGetDCName(struct pipes_struct *p,
			  struct netr_DsRGetDCName *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * Handle netr_LogonGetCapabilities.
 *
 * Only query level 1 is answered. For that level the client's netlogon
 * credential is checked with dcesrv_netr_creds_server_step_check(), called
 * between become_root() and unbecome_root(); on success the
 * negotiate_flags of the returned credential state are copied into
 * r->out.capabilities->server_capabilities.
 *
 * Every other level, level 2 included, stores
 * DCERPC_NCA_S_FAULT_INVALID_TAG in p->fault_state and returns
 * NT_STATUS_NOT_SUPPORTED before any credential processing happens.
 */
NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
				    struct netr_LogonGetCapabilities *r)
{
	struct netlogon_creds_CredentialState *creds;
	NTSTATUS status;

	if (r->in.query_level != 1) {
		/*
		 * Level 2: until we know the details behind KB5028166
		 * just return DCERPC_NCA_S_FAULT_INVALID_TAG like an
		 * unpatched Windows Server.
		 *
		 * Any other level: there would not be a way to marshall
		 * the response, so our final ndr_push would fail and we
		 * would return an RPC-level fault with
		 * DCERPC_FAULT_BAD_STUB_DATA.
		 *
		 * But it's important to match a Windows server,
		 * especially before KB5028166, see also our bug #15418.
		 * Otherwise Windows clients would stop talking to us.
		 */
		p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
		return NT_STATUS_NOT_SUPPORTED;
	}

	/* The credential check is the only step performed as root. */
	become_root();
	status = dcesrv_netr_creds_server_step_check(p->dce_call,
						     p->mem_ctx,
						     r->in.computer_name,
						     r->in.credential,
						     r->out.return_authenticator,
						     &creds);
	unbecome_root();
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	/* Report back the flags stored in the credential state. */
	r->out.capabilities->server_capabilities = creds->negotiate_flags;

	return NT_STATUS_OK;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_NETRLOGONSETSERVICEBITS is not supported: nothing is read from r,
 * the fault state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state
 * and WERR_NOT_SUPPORTED is returned.
 */
WERROR _netr_NETRLOGONSETSERVICEBITS(struct pipes_struct *p,
				     struct netr_NETRLOGONSETSERVICEBITS *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_LogonGetTrustRid is not supported: nothing is read from r, the
 * fault state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state and
 * WERR_NOT_SUPPORTED is returned.
 */
WERROR _netr_LogonGetTrustRid(struct pipes_struct *p,
			      struct netr_LogonGetTrustRid *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_NETRLOGONCOMPUTESERVERDIGEST is not supported: nothing is read from
 * r, the fault state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state
 * and WERR_NOT_SUPPORTED is returned.
 */
WERROR _netr_NETRLOGONCOMPUTESERVERDIGEST(struct pipes_struct *p,
					  struct netr_NETRLOGONCOMPUTESERVERDIGEST *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_NETRLOGONCOMPUTECLIENTDIGEST is not supported: nothing is read from
 * r, the fault state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state
 * and WERR_NOT_SUPPORTED is returned.
 */
WERROR _netr_NETRLOGONCOMPUTECLIENTDIGEST(struct pipes_struct *p,
					  struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_DsRGetDCNameEx is not supported: nothing is read from r, the fault
 * state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state and
 * WERR_NOT_SUPPORTED is returned.
 */
WERROR _netr_DsRGetDCNameEx(struct pipes_struct *p,
			    struct netr_DsRGetDCNameEx *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_DsRGetSiteName is not supported: nothing is read from r, the fault
 * state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state and
 * WERR_NOT_SUPPORTED is returned.
 */
WERROR _netr_DsRGetSiteName(struct pipes_struct *p,
			    struct netr_DsRGetSiteName *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_LogonGetDomainInfo is not implemented: nothing is read from r, the
 * fault state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state and
 * NT_STATUS_NOT_IMPLEMENTED is returned.
 */
NTSTATUS _netr_LogonGetDomainInfo(struct pipes_struct *p,
				  struct netr_LogonGetDomainInfo *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return NT_STATUS_NOT_IMPLEMENTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_ServerPasswordGet is not supported: nothing is read from r, the
 * fault state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state and
 * NT_STATUS_NOT_SUPPORTED is returned. No password material is looked up.
 */
NTSTATUS _netr_ServerPasswordGet(struct pipes_struct *p,
				 struct netr_ServerPasswordGet *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return NT_STATUS_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_NetrLogonSendToSam is not implemented: nothing is read from r, the
 * fault state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state and
 * NT_STATUS_NOT_IMPLEMENTED is returned.
 */
NTSTATUS _netr_NetrLogonSendToSam(struct pipes_struct *p,
				  struct netr_NetrLogonSendToSam *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return NT_STATUS_NOT_IMPLEMENTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_DsRAddressToSitenamesW is not supported: nothing is read from r,
 * the fault state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state
 * and WERR_NOT_SUPPORTED is returned.
 */
WERROR _netr_DsRAddressToSitenamesW(struct pipes_struct *p,
				    struct netr_DsRAddressToSitenamesW *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_DsRGetDCNameEx2 is not supported: nothing is read from r, the fault
 * state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state and
 * WERR_NOT_SUPPORTED is returned.
 */
WERROR _netr_DsRGetDCNameEx2(struct pipes_struct *p,
			     struct netr_DsRGetDCNameEx2 *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN is not supported: nothing is
 * read from r, the fault state DCERPC_FAULT_OP_RNG_ERROR is stored in
 * p->fault_state and WERR_NOT_SUPPORTED is returned.
 */
WERROR _netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct pipes_struct *p,
						 struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_NetrEnumerateTrustedDomainsEx is not supported: nothing is read
 * from r, the fault state DCERPC_FAULT_OP_RNG_ERROR is stored in
 * p->fault_state and WERR_NOT_SUPPORTED is returned.
 */
WERROR _netr_NetrEnumerateTrustedDomainsEx(struct pipes_struct *p,
					   struct netr_NetrEnumerateTrustedDomainsEx *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_DsRAddressToSitenamesExW is not supported: nothing is read from r,
 * the fault state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state
 * and WERR_NOT_SUPPORTED is returned.
 */
WERROR _netr_DsRAddressToSitenamesExW(struct pipes_struct *p,
				      struct netr_DsRAddressToSitenamesExW *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_DsrGetDcSiteCoverageW is not supported: nothing is read from r, the
 * fault state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state and
 * WERR_NOT_SUPPORTED is returned.
 */
WERROR _netr_DsrGetDcSiteCoverageW(struct pipes_struct *p,
				   struct netr_DsrGetDcSiteCoverageW *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_DsrEnumerateDomainTrusts is not supported: nothing is read from r,
 * the fault state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state
 * and WERR_NOT_SUPPORTED is returned.
 */
WERROR _netr_DsrEnumerateDomainTrusts(struct pipes_struct *p,
				      struct netr_DsrEnumerateDomainTrusts *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_DsrDeregisterDNSHostRecords is not supported: nothing is read from
 * r, the fault state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state
 * and WERR_NOT_SUPPORTED is returned.
 */
WERROR _netr_DsrDeregisterDNSHostRecords(struct pipes_struct *p,
					 struct netr_DsrDeregisterDNSHostRecords *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_ServerTrustPasswordsGet is not implemented: nothing is read from r,
 * the fault state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state
 * and NT_STATUS_NOT_IMPLEMENTED is returned. No password material is
 * looked up.
 */
NTSTATUS _netr_ServerTrustPasswordsGet(struct pipes_struct *p,
				       struct netr_ServerTrustPasswordsGet *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return NT_STATUS_NOT_IMPLEMENTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
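/*
 * Fill info with the forest trust records describing our own domain.
 *
 * Layout of info->entries (info->count elements, allocated on info):
 *   [0]              top-level name record for dom_info->dns_forest
 *   [1 .. n]         one top-level name record per UPN suffix returned by
 *                    pdb_enum_upn_suffixes(), when that call succeeds
 *   [count - 1]      domain info record (SID, DNS name, NetBIOS name)
 *
 * mem_ctx is only used for the pdb_get_domain_info() result; the strings
 * taken from it are moved onto info with talloc_steal().
 *
 * Returns NT_STATUS_OK, or NT_STATUS_NO_MEMORY when the domain info or any
 * allocation is unavailable. A failing UPN suffix enumeration is not an
 * error: the array is then built without suffix records.
 */
static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx,
					struct lsa_ForestTrustInformation *info)
{
	struct lsa_ForestTrustRecord *e;
	struct pdb_domain_info *dom_info;
	struct lsa_ForestTrustDomainInfo *domain_info;
	char **upn_suffixes = NULL;
	uint32_t num_suffixes = 0;
	uint32_t i = 0;
	NTSTATUS status;

	dom_info = pdb_get_domain_info(mem_ctx);
	if (dom_info == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	become_root();
	status = pdb_enum_upn_suffixes(info, &num_suffixes, &upn_suffixes);
	unbecome_root();

	/*
	 * The suffix loop below indexes info->entries by num_suffixes, so
	 * the counter must agree with the array size. Discard whatever a
	 * failed call left in the out parameters, and never walk a NULL
	 * suffix list.
	 */
	if (!NT_STATUS_IS_OK(status) || upn_suffixes == NULL) {
		num_suffixes = 0;
	}

	/* One top-level name plus one domain info record are always present. */
	info->count = 2 + num_suffixes;

	info->entries = talloc_array(info, struct lsa_ForestTrustRecord *, info->count);
	if (info->entries == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	e = talloc(info, struct lsa_ForestTrustRecord);
	if (e == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	e->flags = 0;
	e->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
	e->time = 0; /* so far always 0 in traces. */
	e->forest_trust_data.top_level_name.string = talloc_steal(info,
								  dom_info->dns_forest);

	info->entries[0] = e;

	for (i = 0; i < num_suffixes; i++) {
		e = talloc(info, struct lsa_ForestTrustRecord);
		if (e == NULL) {
			return NT_STATUS_NO_MEMORY;
		}

		e->flags = 0;
		e->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
		e->time = 0; /* so far always 0 in traces. */
		e->forest_trust_data.top_level_name.string = upn_suffixes[i];
		info->entries[1 + i] = e;
	}

	e = talloc(info, struct lsa_ForestTrustRecord);
	if (e == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	/* TODO: check if disabled and set flags accordingly */
	e->flags = 0;
	e->type = LSA_FOREST_TRUST_DOMAIN_INFO;
	e->time = 0; /* so far always 0 in traces. */

	domain_info = &e->forest_trust_data.domain_info;
	domain_info->domain_sid = dom_sid_dup(info, &dom_info->sid);
	if (domain_info->domain_sid == NULL) {
		/* Do not hand out a record without a SID. */
		return NT_STATUS_NO_MEMORY;
	}

	domain_info->dns_domain_name.string = talloc_steal(info,
							   dom_info->dns_domain);
	domain_info->netbios_domain_name.string = talloc_steal(info,
							       dom_info->name);

	info->entries[info->count - 1] = e;

	return NT_STATUS_OK;
}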
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * Handle netr_DsRGetForestTrustInformation.
 *
 * Access is decided from the security level of the session
 * (security_session_user_level()), not from the DCE/RPC auth type of the
 * pipe: netlogon can be reached as anonymous DCE/RPC on top of an
 * authenticated SMB connection, where the pipe's auth_type and auth_level
 * are both NONE. Callers below SECURITY_USER get WERR_ACCESS_DENIED. This
 * follows the same security level check as the source4 variant of the
 * call.
 *
 * Only the "our own forest" query (r->in.trusted_domain_name == NULL
 * without DS_GFTI_UPDATE_TDO) is implemented; it returns the array built
 * by fill_forest_trust_array() in r->out.forest_trust_info. Every other
 * valid request ends in WERR_NOT_SUPPORTED.
 */
WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
					  struct netr_DsRGetForestTrustInformation *r)
{
	struct dcesrv_call_state *dce_call = p->dce_call;
	struct auth_session_info *session_info =
		dcesrv_call_session_info(dce_call);
	struct lsa_ForestTrustInformation **forest_out;
	struct lsa_ForestTrustInformation *forest;
	enum security_user_level level;
	NTSTATUS status;
	bool update_tdo;

	level = security_session_user_level(session_info, NULL);
	if (level < SECURITY_USER) {
		return WERR_ACCESS_DENIED;
	}

	/* DS_GFTI_UPDATE_TDO is the only flag bit accepted. */
	if ((r->in.flags & ~DS_GFTI_UPDATE_TDO) != 0) {
		p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
		return WERR_INVALID_FLAGS;
	}

	update_tdo = (r->in.flags & DS_GFTI_UPDATE_TDO) != 0;

	/* Updating the trusted domain object is refused unless we are the PDC. */
	if (update_tdo && (lp_server_role() != ROLE_DOMAIN_PDC)) {
		p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
		return WERR_NERR_NOTPRIMARY;
	}

	/* An update request has to name the trusted domain. */
	if (update_tdo && (r->in.trusted_domain_name == NULL)) {
		p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
		return WERR_INVALID_PARAMETER;
	}

	if (r->in.trusted_domain_name != NULL) {
		/*
		 * TODO: implement remaining parts of
		 * DsrGetForestTrustInformation (opnum 43)
		 * when trusted_domain_name is not NULL
		 */
		p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
		return WERR_NOT_SUPPORTED;
	}

	/* retrieve forest trust information and stop further processing */
	forest_out = talloc(p->mem_ctx, struct lsa_ForestTrustInformation *);
	if (forest_out == NULL) {
		p->fault_state = DCERPC_FAULT_CANT_PERFORM;
		return WERR_NOT_ENOUGH_MEMORY;
	}

	forest = talloc_zero(forest_out, struct lsa_ForestTrustInformation);
	if (forest == NULL) {
		p->fault_state = DCERPC_FAULT_CANT_PERFORM;
		return WERR_NOT_ENOUGH_MEMORY;
	}

	/* Fill forest trust information and expand UPN suffixes list */
	status = fill_forest_trust_array(p->mem_ctx, forest);
	if (!NT_STATUS_IS_OK(status)) {
		/* Any failure of the helper is reported as out of memory. */
		p->fault_state = DCERPC_FAULT_CANT_PERFORM;
		return WERR_NOT_ENOUGH_MEMORY;
	}

	*forest_out = forest;
	r->out.forest_trust_info = forest_out;

	return WERR_OK;
}
/****************************************************************
_netr_GetForestTrustInformation
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * Handle netr_GetForestTrustInformation.
 *
 * The caller's netlogon credential is verified first
 * (dcesrv_netr_creds_server_step_check(), run as root). Only secure
 * channels of type SEC_CHAN_DNS_DOMAIN or SEC_CHAN_DOMAIN are served; any
 * other channel type gets NT_STATUS_NOT_IMPLEMENTED. On success
 * r->out.forest_trust_info points at the array built by
 * fill_forest_trust_array(), allocated below p->mem_ctx.
 */
NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p,
					 struct netr_GetForestTrustInformation *r)
{
	struct netlogon_creds_CredentialState *creds;
	struct lsa_ForestTrustInformation **forest_out;
	struct lsa_ForestTrustInformation *forest;
	NTSTATUS status;

	/* TODO: check server name */

	become_root();
	status = dcesrv_netr_creds_server_step_check(p->dce_call,
						     p->mem_ctx,
						     r->in.computer_name,
						     r->in.credential,
						     r->out.return_authenticator,
						     &creds);
	unbecome_root();
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	/* Restrict the call to the two domain trust channel types. */
	switch (creds->secure_channel_type) {
	case SEC_CHAN_DNS_DOMAIN:
	case SEC_CHAN_DOMAIN:
		break;
	default:
		return NT_STATUS_NOT_IMPLEMENTED;
	}

	forest_out = talloc(p->mem_ctx, struct lsa_ForestTrustInformation *);
	if (forest_out == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	forest = talloc_zero(forest_out, struct lsa_ForestTrustInformation);
	if (forest == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	/* Fill forest trust information, do expand UPN suffixes list */
	status = fill_forest_trust_array(p->mem_ctx, forest);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	*forest_out = forest;
	r->out.forest_trust_info = forest_out;

	return NT_STATUS_OK;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
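/*
 * Derive the encrypted current and previous trust password hashes from a
 * stored trustAuthInOutBlob.
 *
 * trustAuth_blob is decoded onto mem_ctx. The first current entry must be
 * of type TRUST_AUTH_TYPE_CLEAR; its cleartext is hashed with mdfour()
 * into current_pw_enc->hash and then encrypted in place with
 * netlogon_creds_des_encrypt() using creds. The first previous entry is
 * treated the same way when it exists and is cleartext; otherwise
 * previous_pw_enc is zeroed.
 *
 * Returns NT_STATUS_OK on success, NT_STATUS_UNSUCCESSFUL when the blob
 * cannot be decoded or holds no cleartext current password, or the status
 * of a failed encryption. When an encryption step fails both output
 * buffers are zeroed, so the unencrypted hash written by mdfour() is never
 * left in memory the caller may pass on.
 *
 * NOTE(review): the decoded trustAuth structure holds the cleartext trust
 * password on mem_ctx and is not wiped here; confirm the lifetime of
 * mem_ctx is short enough for that to be acceptable.
 */
static NTSTATUS get_password_from_trustAuth(TALLOC_CTX *mem_ctx,
					    const DATA_BLOB *trustAuth_blob,
					    struct netlogon_creds_CredentialState *creds,
					    struct samr_Password *current_pw_enc,
					    struct samr_Password *previous_pw_enc)
{
	enum ndr_err_code ndr_err;
	struct trustAuthInOutBlob trustAuth;
	NTSTATUS status;

	ndr_err = ndr_pull_struct_blob_all(trustAuth_blob, mem_ctx, &trustAuth,
					   (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		return NT_STATUS_UNSUCCESSFUL;
	}

	/* A cleartext current password is mandatory. */
	if (trustAuth.count == 0 || trustAuth.current.count == 0 ||
	    trustAuth.current.array[0].AuthType != TRUST_AUTH_TYPE_CLEAR) {
		return NT_STATUS_UNSUCCESSFUL;
	}

	mdfour(current_pw_enc->hash,
	       trustAuth.current.array[0].AuthInfo.clear.password,
	       trustAuth.current.array[0].AuthInfo.clear.size);
	status = netlogon_creds_des_encrypt(creds, current_pw_enc);
	if (!NT_STATUS_IS_OK(status)) {
		/* The buffer may still hold the unencrypted hash. */
		ZERO_STRUCTP(current_pw_enc);
		return status;
	}

	/* The previous password is optional. */
	if (trustAuth.previous.count != 0 &&
	    trustAuth.previous.array[0].AuthType == TRUST_AUTH_TYPE_CLEAR) {
		mdfour(previous_pw_enc->hash,
		       trustAuth.previous.array[0].AuthInfo.clear.password,
		       trustAuth.previous.array[0].AuthInfo.clear.size);
		status = netlogon_creds_des_encrypt(creds, previous_pw_enc);
		if (!NT_STATUS_IS_OK(status)) {
			/* Return no password material at all on failure. */
			ZERO_STRUCTP(current_pw_enc);
			ZERO_STRUCTP(previous_pw_enc);
			return status;
		}
	} else {
		ZERO_STRUCTP(previous_pw_enc);
	}

	return NT_STATUS_OK;
}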
/****************************************************************
_netr_ServerGetTrustInfo
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * Handle netr_ServerGetTrustInfo.
 *
 * The caller's netlogon credential is verified first
 * (dcesrv_netr_creds_server_step_check(), run as root). For secure
 * channels of type SEC_CHAN_DNS_DOMAIN or SEC_CHAN_DOMAIN the account name
 * (with one trailing '.' and then one trailing '$' removed) is looked up
 * as a trusted domain; its trust attributes are returned in
 * *r->out.trust_info when the caller asked for them, and the incoming
 * trust password hashes are written, encrypted with the session
 * credentials, to r->out.new_owf_password and r->out.old_owf_password.
 *
 * For every other channel type both password outputs are zeroed and
 * NT_STATUS_NOT_IMPLEMENTED is returned.
 */
NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p,
				  struct netr_ServerGetTrustInfo *r)
{
	struct netlogon_creds_CredentialState *creds;
	struct pdb_trusted_domain *td;
	struct netr_TrustInfo *trust_info;
	char *account_name;
	size_t last_idx;
	bool trusted;
	NTSTATUS status;

	/* TODO: check server name */

	become_root();
	status = dcesrv_netr_creds_server_step_check(p->dce_call,
						     p->mem_ctx,
						     r->in.computer_name,
						     r->in.credential,
						     r->out.return_authenticator,
						     &creds);
	unbecome_root();
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	/* Work on a private copy; the name is edited in place below. */
	account_name = talloc_strdup(p->mem_ctx, r->in.account_name);
	if (account_name == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	last_idx = strlen(account_name);
	if (last_idx == 0) {
		return NT_STATUS_INVALID_PARAMETER;
	}
	last_idx--;
	if (account_name[last_idx] == '.') {
		account_name[last_idx] = '\0';
	}

	trusted = (creds->secure_channel_type == SEC_CHAN_DNS_DOMAIN) ||
		  (creds->secure_channel_type == SEC_CHAN_DOMAIN);
	if (!trusted) {
		/* TODO: look for machine password */
		ZERO_STRUCTP(r->out.new_owf_password);
		ZERO_STRUCTP(r->out.old_owf_password);

		return NT_STATUS_NOT_IMPLEMENTED;
	}

	/* Stripping the '.' may have emptied the name, so measure again. */
	last_idx = strlen(account_name);
	if (last_idx == 0) {
		return NT_STATUS_INVALID_PARAMETER;
	}
	last_idx--;
	if (account_name[last_idx] == '$') {
		account_name[last_idx] = '\0';
	}

	status = pdb_get_trusted_domain(p->mem_ctx, account_name, &td);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	if (r->out.trust_info != NULL) {
		trust_info = talloc_zero(p->mem_ctx, struct netr_TrustInfo);
		if (trust_info == NULL) {
			return NT_STATUS_NO_MEMORY;
		}

		/* A single data word: the trust attributes. */
		trust_info->count = 1;
		trust_info->data = talloc_array(trust_info, uint32_t, 1);
		if (trust_info->data == NULL) {
			return NT_STATUS_NO_MEMORY;
		}
		trust_info->data[0] = td->trust_attributes;

		*r->out.trust_info = trust_info;
	}

	if (td->trust_auth_incoming.data == NULL) {
		return NT_STATUS_INVALID_PARAMETER;
	}

	status = get_password_from_trustAuth(p->mem_ctx,
					     &td->trust_auth_incoming,
					     creds,
					     r->out.new_owf_password,
					     r->out.old_owf_password);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	return NT_STATUS_OK;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_Unused47 is not implemented: nothing is read from r, the fault
 * state DCERPC_FAULT_OP_RNG_ERROR is stored in p->fault_state and
 * NT_STATUS_NOT_IMPLEMENTED is returned.
 */
NTSTATUS _netr_Unused47(struct pipes_struct *p,
			struct netr_Unused47 *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return NT_STATUS_NOT_IMPLEMENTED;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*
 * netr_DsrUpdateReadOnlyServerDnsRecords is not implemented: nothing is
 * read from r, the fault state DCERPC_FAULT_OP_RNG_ERROR is stored in
 * p->fault_state and NT_STATUS_NOT_IMPLEMENTED is returned.
 */
NTSTATUS _netr_DsrUpdateReadOnlyServerDnsRecords(struct pipes_struct *p,
						 struct netr_DsrUpdateReadOnlyServerDnsRecords *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return NT_STATUS_NOT_IMPLEMENTED;
}
/*
 * Define the bind function that will be used by ndr_netlogon_scompat.c,
 * included at the bottom of this file.
 */
#define DCESRV_INTERFACE_NETLOGON_BIND(context, iface) \
	dcesrv_interface_netlogon_bind(context, iface)

/*
 * Bind hook for the netlogon interface.
 *
 * Reads the global 'server schannel' and 'server schannel require seal'
 * settings from the connection's loadparm context and logs one D_ERR
 * message per process for each setting that is not at its secure value.
 * The two static flags make each warning appear only once.
 *
 * The hook only warns: it returns NT_STATUS_OK in every case, so a weak
 * configuration is reported here but the bind is not refused here.
 * iface is not used.
 */
static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context,
					       const struct dcesrv_interface *iface)
{
	static bool warned_global_schannel_once = false;
	static bool warned_global_seal_once = false;
	struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
	/* Only the exact value 'true' counts as schannel being required. */
	const bool schannel_enforced = (lpcfg_server_schannel(lp_ctx) == true);
	const bool seal_enforced = lpcfg_server_schannel_require_seal(lp_ctx);

	if (!warned_global_schannel_once && !schannel_enforced) {
		/*
		 * We want admins to notice their misconfiguration!
		 */
		D_ERR("CVE-2020-1472(ZeroLogon): "
		      "Please configure 'server schannel = yes' (the default), "
		      "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
		warned_global_schannel_once = true;
	}

	if (!warned_global_seal_once && !seal_enforced) {
		/*
		 * We want admins to notice their misconfiguration!
		 */
		D_ERR("CVE-2022-38023 (and others): "
		      "Please configure 'server schannel require seal = yes' (the default), "
		      "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
		warned_global_seal_once = true;
	}

	return NT_STATUS_OK;
}
/* include the generated boilerplate */
# include "librpc/gen_ndr/ndr_netlogon_scompat.c"