author | Andrew Bartlett <abartlet@samba.org> | 2009-05-26 12:31:39 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2009-05-26 12:37:09 +1000 |
commit | 6ef65389fd2f2bdcafe840e0cd0221bb9f26bdfc (patch) | |
tree | 04df0bce183d759a17d25483f302ed56d65e8153 | |
parent | 86039855759ce38e6074f956073199b0ccd29bdf (diff) | |
download | samba-6ef65389fd2f2bdcafe840e0cd0221bb9f26bdfc.tar.gz samba-6ef65389fd2f2bdcafe840e0cd0221bb9f26bdfc.tar.bz2 samba-6ef65389fd2f2bdcafe840e0cd0221bb9f26bdfc.zip |
Don't use crossRef records to find our own domain
A single AD server can only host a single domain, so don't stuff about
with looking up our crossRef record in the cn=Partitions container.
We instead trust that lp_realm() and lp_workgroup() work correctly.
Andrew Bartlett
-rw-r--r-- | source4/auth/auth.h | 8 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_sam.c | 144 | ||||
-rw-r--r-- | source4/auth/sam.c | 49 | ||||
-rw-r--r-- | source4/cldap_server/netlogon.c | 116 | ||||
-rw-r--r-- | source4/kdc/config.mk | 4 | ||||
-rw-r--r-- | source4/kdc/hdb-samba4.c | 207 | ||||
-rw-r--r-- | source4/kdc/kdc.h | 4 | ||||
-rw-r--r-- | source4/kdc/pac-glue.c | 10 | ||||
-rw-r--r-- | source4/nbt_server/dgram/netlogon.c | 21 | ||||
-rw-r--r-- | source4/param/loadparm.c | 1 | ||||
-rw-r--r-- | source4/param/param.h | 5 | ||||
-rw-r--r-- | source4/param/util.c | 17 | ||||
-rw-r--r-- | source4/rpc_server/config.mk | 3 | ||||
-rw-r--r-- | source4/rpc_server/lsa/lsa_init.c | 69 | ||||
-rw-r--r-- | source4/rpc_server/netlogon/dcerpc_netlogon.c | 82 | ||||
-rw-r--r-- | source4/rpc_server/samr/dcesrv_samr.c | 128 |
16 files changed, 253 insertions, 615 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 973102d842..f6d739325d 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -221,24 +221,26 @@ struct auth_critical_sizes { struct ldb_message; struct ldb_context; +struct ldb_dn; struct gensec_security; NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, const uint8_t **_chal); NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, uint32_t logon_parameters, + struct ldb_dn *domain_dn, struct ldb_message *msg, - struct ldb_message *msg_domain_ref, const char *logon_workstation, const char *name_for_logs, bool allow_domain_trust); struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx); NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, const char *netbios_name, + const char *domain_name, + struct ldb_dn *domain_dn, struct ldb_message *msg, - struct ldb_message *msg_domain_ref, DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key, - struct auth_serversupplied_info **_server_info); + struct auth_serversupplied_info **_server_info); NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, struct loadparm_context *lp_ctx, struct auth_session_info **_session_info) ; diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index e99d0e1f51..75ed3243d4 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c 
@@ -42,26 +42,12 @@ extern const char *domain_ref_attrs[]; static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, const char *account_name, - const char *domain_name, - struct ldb_message ***ret_msgs, - struct ldb_message ***ret_msgs_domain_ref) + struct ldb_dn *domain_dn, + struct ldb_message ***ret_msgs) { - struct ldb_message **msgs_tmp; struct ldb_message **msgs; - struct ldb_message **msgs_domain_ref; - struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx); int ret; - int ret_domain; - - struct ldb_dn *domain_dn = NULL; - - if (domain_name) { - domain_dn = samdb_domain_to_dn(sam_ctx, mem_ctx, domain_name); - if (!domain_dn) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - } /* pull the user attributes */ ret = gendb_search(sam_ctx, mem_ctx, domain_dn, &msgs, user_attrs, @@ -72,8 +58,8 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context * } if (ret == 0) { - DEBUG(3,("sam_search_user: Couldn't find user [%s\\%s] in samdb, under %s\n", - domain_name, account_name, ldb_dn_get_linearized(domain_dn))); + DEBUG(3,("sam_search_user: Couldn't find user [%s] in samdb, under %s\n", + account_name, ldb_dn_get_linearized(domain_dn))); return NT_STATUS_NO_SUCH_USER; } 
@@ -82,57 +68,7 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context * return NT_STATUS_INTERNAL_DB_CORRUPTION; } - if (!domain_dn) { - struct dom_sid *domain_sid; - - domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid"); - if (!domain_sid) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - /* find the domain's DN */ - ret = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_tmp, NULL, - "(&(objectSid=%s)(objectClass=domain))", - ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); - if (ret == -1) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - if (ret == 0) { - DEBUG(3,("check_sam_security: Couldn't find domain_sid [%s] in passdb file.\n", - dom_sid_string(mem_ctx, domain_sid))); - return NT_STATUS_NO_SUCH_USER; - } - - if (ret > 1) { - DEBUG(0,("Found %d records matching domain_sid [%s]\n", - ret, dom_sid_string(mem_ctx, domain_sid))); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - domain_dn = msgs_tmp[0]->dn; - } - - ret_domain = gendb_search(sam_ctx, mem_ctx, partitions_basedn, &msgs_domain_ref, domain_ref_attrs, - "(nCName=%s)", ldb_dn_get_linearized(domain_dn)); - if (ret_domain == -1) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - if (ret_domain == 0) { - DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n", - ldb_dn_get_linearized(msgs_tmp[0]->dn))); - return NT_STATUS_NO_SUCH_USER; - } - - if (ret_domain > 1) { - DEBUG(0,("Found %d records matching domain [%s]\n", - ret_domain, ldb_dn_get_linearized(msgs_tmp[0]->dn))); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - *ret_msgs = msgs; - *ret_msgs_domain_ref = msgs_domain_ref; return NT_STATUS_OK; } 
@@ -210,14 +146,13 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context, static NTSTATUS authsam_authenticate(struct auth_context *auth_context, TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, + struct ldb_dn *domain_dn, struct ldb_message **msgs, - struct ldb_message **msgs_domain_ref, const struct auth_usersupplied_info *user_info, DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key) { struct samr_Password *lm_pwd, *nt_pwd; NTSTATUS nt_status; - struct ldb_dn *domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msgs_domain_ref[0], "nCName", NULL); uint16_t acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msgs[0], domain_dn); @@ -245,8 +180,8 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context, nt_status = authsam_account_ok(mem_ctx, sam_ctx, user_info->logon_parameters, + domain_dn, msgs[0], - msgs_domain_ref[0], user_info->workstation_name, user_info->mapped.account_name, false); @@ -258,15 +193,14 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context, static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, - const char *domain, const struct auth_usersupplied_info *user_info, struct auth_serversupplied_info **server_info) { NTSTATUS nt_status; const char *account_name = user_info->mapped.account_name; struct ldb_message **msgs; - struct ldb_message **domain_ref_msgs; struct ldb_context *sam_ctx; + struct ldb_dn *domain_dn; DATA_BLOB user_sess_key, lm_sess_key; TALLOC_CTX *tmp_ctx; 
@@ -286,13 +220,19 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx return NT_STATUS_INVALID_SYSTEM_SERVICE; } - nt_status = authsam_search_account(tmp_ctx, sam_ctx, account_name, domain, &msgs, &domain_ref_msgs); + domain_dn = ldb_get_default_basedn(sam_ctx); + if (domain_dn == NULL) { + talloc_free(tmp_ctx); + return NT_STATUS_NO_SUCH_DOMAIN; + } + + nt_status = authsam_search_account(tmp_ctx, sam_ctx, account_name, domain_dn, &msgs); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } - nt_status = authsam_authenticate(ctx->auth_ctx, tmp_ctx, sam_ctx, msgs, domain_ref_msgs, user_info, + nt_status = authsam_authenticate(ctx->auth_ctx, tmp_ctx, sam_ctx, domain_dn, msgs, user_info, &user_sess_key, &lm_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); @@ -300,7 +240,9 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx } nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, lp_netbios_name(ctx->auth_ctx->lp_ctx), - msgs[0], domain_ref_msgs[0], + lp_sam_name(ctx->auth_ctx->lp_ctx), + domain_dn, + msgs[0], user_sess_key, lm_sess_key, server_info); if (!NT_STATUS_IS_OK(nt_status)) { @@ -325,14 +267,6 @@ static NTSTATUS authsam_ignoredomain_want_check(struct auth_method_context *ctx, return NT_STATUS_OK; } -static NTSTATUS authsam_ignoredomain_check_password(struct auth_method_context *ctx, - TALLOC_CTX *mem_ctx, - const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) -{ - return authsam_check_password_internals(ctx, mem_ctx, NULL, user_info, server_info); -} - /**************************************************************************** Check SAM security (above) but with a few extra checks. ****************************************************************************/ 
@@ -377,34 +311,6 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, return NT_STATUS_NOT_IMPLEMENTED; } -/**************************************************************************** -Check SAM security (above) but with a few extra checks. -****************************************************************************/ -static NTSTATUS authsam_check_password(struct auth_method_context *ctx, - TALLOC_CTX *mem_ctx, - const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) -{ - const char *domain; - - /* check whether or not we service this domain/workgroup name */ - switch (lp_server_role(ctx->auth_ctx->lp_ctx)) { - case ROLE_STANDALONE: - case ROLE_DOMAIN_MEMBER: - domain = lp_netbios_name(ctx->auth_ctx->lp_ctx); - break; - - case ROLE_DOMAIN_CONTROLLER: - domain = lp_workgroup(ctx->auth_ctx->lp_ctx); - break; - - default: - return NT_STATUS_NO_SUCH_USER; - } - - return authsam_check_password_internals(ctx, mem_ctx, domain, user_info, server_info); -} - /* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, @@ -417,9 +323,9 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, DATA_BLOB lm_sess_key = data_blob(NULL, 0); struct ldb_message **msgs; - struct ldb_message **msgs_domain_ref; struct ldb_context *sam_ctx; - + struct ldb_dn *domain_dn; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; 
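Review bot: With authsam_check_password removed, both operations tables (the `@@ -454` and `@@ -462` hunks on the next line) point at authsam_check_password_internals, so the role switch that returned NT_STATUS_NO_SUCH_USER for an unrecognised server role is gone and the only thing that now distinguishes `sam` from `sam_ignoredomain` is the want_check callback, which is outside this hunk. That is a reasonable simplification given the lookup is now scoped by ldb_get_default_basedn rather than by the client-supplied domain, but it is not recorded anywhere; a one-line comment on authsam_check_password_internals such as `/* Shared by sam and sam_ignoredomain: the domain name in user_info is only consulted in the want_check callbacks, the lookup is always against the default base DN */` would save the next reader from hunting for the difference.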
@@ -433,14 +339,16 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, } nt_status = sam_get_results_principal(sam_ctx, tmp_ctx, principal, - &msgs, &msgs_domain_ref); + &domain_dn, &msgs); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, lp_netbios_name(auth_context->lp_ctx), - msgs[0], msgs_domain_ref[0], + lp_workgroup(auth_context->lp_ctx), + domain_dn, + msgs[0], user_sess_key, lm_sess_key, server_info); if (NT_STATUS_IS_OK(nt_status)) { @@ -454,7 +362,7 @@ static const struct auth_operations sam_ignoredomain_ops = { .name = "sam_ignoredomain", .get_challenge = auth_get_challenge_not_implemented, .want_check = authsam_ignoredomain_want_check, - .check_password = authsam_ignoredomain_check_password, + .check_password = authsam_check_password_internals, .get_server_info_principal = authsam_get_server_info_principal }; @@ -462,7 +370,7 @@ static const struct auth_operations sam_ops = { .name = "sam", .get_challenge = auth_get_challenge_not_implemented, .want_check = authsam_want_check, - .check_password = authsam_check_password, + .check_password = authsam_check_password_internals, .get_server_info_principal = authsam_get_server_info_principal }; diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 819bca0db0..ebdf1932af 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c 
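Review bot: authsam_get_server_info_principal fills the new domain_name argument of authsam_make_server_info from `lp_workgroup(auth_context->lp_ctx)`, while the `@@ -300` hunk on the previous line passes `lp_sam_name(ctx->auth_ctx->lp_ctx)` for the same parameter, and the cldap code in this commit also reports `lp_sam_name` as the flat name. lp_sam_name appears to be a new helper from source4/param in this commit; if it can differ from lp_workgroup for some server roles, server_info->domain_name will depend on whether the session was established by password or by Kerberos principal. Suggest `lp_sam_name(auth_context->lp_ctx),` here so both paths agree. The function's body continues outside the hunk.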
@@ -139,21 +139,19 @@ static bool logon_hours_ok(struct ldb_message *msg, const char *name_for_logs) (ie not disabled, expired and the like). ****************************************************************************/ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, - struct ldb_context *sam_ctx, - uint32_t logon_parameters, - struct ldb_message *msg, - struct ldb_message *msg_domain_ref, - const char *logon_workstation, - const char *name_for_logs, - bool allow_domain_trust) + struct ldb_context *sam_ctx, + uint32_t logon_parameters, + struct ldb_dn *domain_dn, + struct ldb_message *msg, + const char *logon_workstation, + const char *name_for_logs, + bool allow_domain_trust) { uint16_t acct_flags; const char *workstation_list; NTTIME acct_expiry; NTTIME must_change_time; - struct ldb_dn *domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx, sam_ctx, NULL)); - NTTIME now; DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", name_for_logs)); @@ -256,8 +254,9 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, const char *netbios_name, + const char *domain_name, + struct ldb_dn *domain_dn, struct ldb_message *msg, - struct ldb_message *msg_domain_ref, DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key, struct auth_serversupplied_info **_server_info) { @@ -269,7 +268,6 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte struct dom_sid **groupSIDs = NULL; struct dom_sid *account_sid; struct dom_sid *primary_group_sid; - struct ldb_dn *domain_dn; const char *str; struct ldb_dn *ncname; int i; 
@@ -327,7 +325,8 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte server_info->account_name = talloc_steal(server_info, samdb_result_string(msg, "sAMAccountName", NULL)); - server_info->domain_name = talloc_steal(server_info, samdb_result_string(msg_domain_ref, "nETBIOSName", NULL)); + server_info->domain_name = talloc_strdup(server_info, domain_name); + NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); str = samdb_result_string(msg, "displayName", ""); server_info->full_name = talloc_strdup(server_info, str); @@ -357,10 +356,6 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte server_info->acct_expiry = samdb_result_account_expires(msg); server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0); - ncname = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", NULL); - if (!ncname) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } server_info->allow_password_change = samdb_result_allow_password_change(sam_ctx, mem_ctx, ncname, msg, "pwdLastSet"); @@ -371,8 +366,6 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte server_info->logon_count = samdb_result_uint(msg, "logonCount", 0); server_info->bad_password_count = samdb_result_uint(msg, "badPwdCount", 0); - domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", NULL); - server_info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn); 
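Review bot: The `@@ -357` hunk removes the assignment of `ncname` together with its NULL check, but the context line that follows still passes `ncname` to samdb_result_allow_password_change, and the `struct ldb_dn *ncname;` declaration survives in the `@@ -269` hunk on the previous line, so the call now reads an uninitialized pointer. The value that used to be derived from msg_domain_ref is exactly the new domain_dn parameter, so the line should become `server_info->allow_password_change = samdb_result_allow_password_change(sam_ctx, mem_ctx, domain_dn, msg, "pwdLastSet");` and the `ncname` declaration should be dropped. As written the allow_password_change time reported for every session is computed from garbage, and a compiler may also warn or miscompile on the uninitialized use. authsam_make_server_info starts and ends outside this hunk.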
@@ -388,34 +381,24 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, const char *principal, - struct ldb_message ***msgs, - struct ldb_message ***msgs_domain_ref) + struct ldb_dn **domain_dn, + struct ldb_message ***msgs) { - struct ldb_dn *user_dn, *domain_dn; + struct ldb_dn *user_dn; NTSTATUS nt_status; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); int ret; - struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx); if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; } - nt_status = crack_user_principal_name(sam_ctx, tmp_ctx, principal, &user_dn, &domain_dn); + nt_status = crack_user_principal_name(sam_ctx, tmp_ctx, principal, &user_dn, domain_dn); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } - /* grab domain info from the reference */ - ret = gendb_search(sam_ctx, tmp_ctx, partitions_basedn, msgs_domain_ref, domain_ref_attrs, - "(ncName=%s)", ldb_dn_get_linearized(domain_dn)); - - if (ret != 1) { - talloc_free(tmp_ctx); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - /* pull the user attributes */ ret = gendb_search_dn(sam_ctx, tmp_ctx, user_dn, msgs, user_attrs); if (ret != 1) { @@ -423,7 +406,7 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx, return NT_STATUS_INTERNAL_DB_CORRUPTION; } talloc_steal(mem_ctx, *msgs); - talloc_steal(mem_ctx, *msgs_domain_ref); + talloc_steal(mem_ctx, *domain_dn); talloc_free(tmp_ctx); return NT_STATUS_OK; diff --git a/source4/cldap_server/netlogon.c b/source4/cldap_server/netlogon.c index 33c0adc3b1..8a21ea55c9 100644 --- a/source4/cldap_server/netlogon.c +++ b/source4/cldap_server/netlogon.c 
@@ -53,10 +53,9 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, struct loadparm_context *lp_ctx, struct netlogon_samlogon_response *netlogon) { - const char *ref_attrs[] = {"nETBIOSName", "dnsRoot", "ncName", NULL}; const char *dom_attrs[] = {"objectGUID", NULL}; const char *none_attrs[] = {NULL}; - struct ldb_result *ref_res = NULL, *dom_res = NULL, *user_res = NULL; + struct ldb_result *dom_res = NULL, *user_res = NULL; int ret; const char **services = lp_server_services(lp_ctx); uint32_t server_type; 
@@ -69,94 +68,39 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, const char *server_site; const char *client_site; const char *pdc_ip; - struct ldb_dn *partitions_basedn; + struct ldb_dn *domain_dn = NULL; struct interface *ifaces; bool user_known; NTSTATUS status; - partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx); - /* the domain has an optional trailing . */ if (domain && domain[strlen(domain)-1] == '.') { domain = talloc_strndup(mem_ctx, domain, strlen(domain)-1); } - if (domain) { - struct ldb_dn *dom_dn; - /* try and find the domain */ - - ret = ldb_search(sam_ctx, mem_ctx, &ref_res, - partitions_basedn, LDB_SCOPE_ONELEVEL, - ref_attrs, - "(&(&(objectClass=crossRef)(dnsRoot=%s))(nETBIOSName=*))", - ldb_binary_encode_string(mem_ctx, domain)); - - if (ret != LDB_SUCCESS) { - DEBUG(2,("Unable to find referece to '%s' in sam: %s\n", - domain, - ldb_errstring(sam_ctx))); - return NT_STATUS_NO_SUCH_DOMAIN; - } else if (ref_res->count == 1) { - dom_dn = ldb_msg_find_attr_as_dn(sam_ctx, mem_ctx, ref_res->msgs[0], "ncName"); - if (!dom_dn) { - return NT_STATUS_NO_SUCH_DOMAIN; - } - ret = ldb_search(sam_ctx, mem_ctx, &dom_res, - dom_dn, LDB_SCOPE_BASE, dom_attrs, - "objectClass=domain"); - if (ret != LDB_SUCCESS) { - DEBUG(2,("Error finding domain '%s'/'%s' in sam: %s\n", domain, ldb_dn_get_linearized(dom_dn), ldb_errstring(sam_ctx))); - return NT_STATUS_NO_SUCH_DOMAIN; - } - if (dom_res->count != 1) { - DEBUG(2,("Error finding domain '%s'/'%s' in sam\n", domain, ldb_dn_get_linearized(dom_dn))); - return NT_STATUS_NO_SUCH_DOMAIN; - } - } else if (ref_res->count > 1) { - talloc_free(ref_res); - return NT_STATUS_NO_SUCH_DOMAIN; - } + if (domain && strcasecmp_m(domain, lp_realm(lp_ctx)) == 0) { + domain_dn = ldb_get_default_basedn(sam_ctx); } - if (netbios_domain) { - struct ldb_dn *dom_dn; - /* try and find the domain */ + if (netbios_domain && strcasecmp_m(domain, lp_sam_name(lp_ctx))) { + domain_dn = ldb_get_default_basedn(sam_ctx); + 
} - ret = ldb_search(sam_ctx, mem_ctx, &ref_res, - partitions_basedn, LDB_SCOPE_ONELEVEL, - ref_attrs, - "(&(objectClass=crossRef)(ncName=*)(nETBIOSName=%s))", - ldb_binary_encode_string(mem_ctx, netbios_domain)); - + if (domain_dn) { + ret = ldb_search(sam_ctx, mem_ctx, &dom_res, + domain_dn, LDB_SCOPE_BASE, dom_attrs, + "objectClass=domain"); if (ret != LDB_SUCCESS) { - DEBUG(2,("Unable to find referece to '%s' in sam: %s\n", - netbios_domain, - ldb_errstring(sam_ctx))); + DEBUG(2,("Error finding domain '%s'/'%s' in sam: %s\n", domain, ldb_dn_get_linearized(domain_dn), ldb_errstring(sam_ctx))); return NT_STATUS_NO_SUCH_DOMAIN; - } else if (ref_res->count == 1) { - dom_dn = ldb_msg_find_attr_as_dn(sam_ctx, mem_ctx, ref_res->msgs[0], "ncName"); - if (!dom_dn) { - return NT_STATUS_NO_SUCH_DOMAIN; - } - ret = ldb_search(sam_ctx, mem_ctx, &dom_res, - dom_dn, LDB_SCOPE_BASE, dom_attrs, - "objectClass=domain"); - if (ret != LDB_SUCCESS) { - DEBUG(2,("Error finding domain '%s'/'%s' in sam: %s\n", domain, ldb_dn_get_linearized(dom_dn), ldb_errstring(sam_ctx))); - return NT_STATUS_NO_SUCH_DOMAIN; - } - if (dom_res->count != 1) { - DEBUG(2,("Error finding domain '%s'/'%s' in sam\n", domain, ldb_dn_get_linearized(dom_dn))); - return NT_STATUS_NO_SUCH_DOMAIN; - } - } else if (ref_res->count > 1) { - talloc_free(ref_res); + } + if (dom_res->count != 1) { + DEBUG(2,("Error finding domain '%s'/'%s' in sam\n", domain, ldb_dn_get_linearized(domain_dn))); return NT_STATUS_NO_SUCH_DOMAIN; } } if ((dom_res == NULL || dom_res->count == 0) && (domain_guid || domain_sid)) { - ref_res = NULL; if (domain_guid) { struct GUID binary_guid; 
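Review bot: The second new condition, `if (netbios_domain && strcasecmp_m(domain, lp_sam_name(lp_ctx)))`, compares `domain` instead of `netbios_domain` and is missing the `== 0` that the line above has, so it is true precisely when the strings differ; it also dereferences `domain`, which can be NULL when the client supplied only a NetBIOS name. The consequence is that a CLDAP netlogon query for any NetBIOS domain name other than ours resolves domain_dn to our default base DN and gets a positive answer carrying our realm and flat name. It should read `if (netbios_domain && strcasecmp_m(netbios_domain, lp_sam_name(lp_ctx)) == 0) {`. The DEBUG calls inside the following `if (domain_dn)` block also print `domain` with `%s`, which is NULL on the netbios_domain-only path. fill_netlogon_samlogon_response continues beyond this hunk.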
@@ -206,36 +150,17 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, ldb_errstring(sam_ctx))); return NT_STATUS_NO_SUCH_DOMAIN; } else if (dom_res->count == 1) { - /* try and find the domain */ - ret = ldb_search(sam_ctx, mem_ctx, &ref_res, - partitions_basedn, LDB_SCOPE_ONELEVEL, - ref_attrs, - "(&(objectClass=crossRef)(ncName=%s))", - ldb_dn_get_linearized(dom_res->msgs[0]->dn)); + /* Ok, now just check it is our domain */ - if (ret != LDB_SUCCESS) { - DEBUG(2,("Unable to find referece to '%s' in sam: %s\n", - ldb_dn_get_linearized(dom_res->msgs[0]->dn), - ldb_errstring(sam_ctx))); - return NT_STATUS_NO_SUCH_DOMAIN; - - } else if (ref_res->count != 1) { - DEBUG(2,("Unable to find referece to '%s' in sam\n", - ldb_dn_get_linearized(dom_res->msgs[0]->dn))); + if (ldb_dn_compare(ldb_get_default_basedn(sam_ctx), dom_res->msgs[0]->dn) != 0) { return NT_STATUS_NO_SUCH_DOMAIN; } } else if (dom_res->count > 1) { - talloc_free(ref_res); return NT_STATUS_NO_SUCH_DOMAIN; } } - if ((ref_res == NULL || ref_res->count == 0)) { - DEBUG(2,("Unable to find domain reference with name %s or GUID {%s}\n", domain, domain_guid)); - return NT_STATUS_NO_SUCH_DOMAIN; - } - if ((dom_res == NULL || dom_res->count == 0)) { DEBUG(2,("Unable to find domain with name %s or GUID {%s}\n", domain, domain_guid)); return NT_STATUS_NO_SUCH_DOMAIN; 
@@ -308,15 +233,14 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, pdc_name = talloc_asprintf(mem_ctx, "\\\\%s", lp_netbios_name(lp_ctx)); domain_uuid = samdb_result_guid(dom_res->msgs[0], "objectGUID"); - realm = samdb_result_string(ref_res->msgs[0], "dnsRoot", lp_realm(lp_ctx)); - dns_domain = samdb_result_string(ref_res->msgs[0], "dnsRoot", lp_realm(lp_ctx)); + realm = lp_realm(lp_ctx); + dns_domain = lp_realm(lp_ctx); pdc_dns_name = talloc_asprintf(mem_ctx, "%s.%s", strlower_talloc(mem_ctx, lp_netbios_name(lp_ctx)), dns_domain); - flatname = samdb_result_string(ref_res->msgs[0], "nETBIOSName", - lp_workgroup(lp_ctx)); + flatname = lp_sam_name(lp_ctx); /* FIXME: Hardcoded site names */ server_site = "Default-First-Site-Name"; client_site = "Default-First-Site-Name"; diff --git a/source4/kdc/config.mk b/source4/kdc/config.mk index bd8a313316..03fa2db295 100644 --- a/source4/kdc/config.mk +++ b/source4/kdc/config.mk @@ -6,7 +6,7 @@ INIT_FUNCTION = server_service_kdc_init SUBSYSTEM = service PRIVATE_DEPENDENCIES = \ - HEIMDAL_KDC HDB_SAMBA4 + HEIMDAL_KDC HDB_SAMBA4 LIBSAMBA-HOSTCONFIG # End SUBSYSTEM KDC ####################### @@ -18,7 +18,7 @@ KDC_OBJ_FILES = $(addprefix $(kdcsrcdir)/, kdc.o kpasswdd.o) CFLAGS = -Iheimdal/kdc -Iheimdal/lib/hdb PRIVATE_DEPENDENCIES = \ LIBLDB auth_sam auth_sam_reply CREDENTIALS \ - HEIMDAL_HDB + HEIMDAL_HDB LIBSAMBA-HOSTCONFIG # End SUBSYSTEM KDC ####################### diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index daeed77975..1fdb744a84 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -1,6 +1,6 @@ /* * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd. - * Copyright (c) 2004, Andrew Bartlett <abartlet@samba.org>. + * Copyright (c) 2004-2009, Andrew Bartlett <abartlet@samba.org>. * Copyright (c) 2004, Stefan Metzmacher <metze@samba.org> * All rights reserved. * 
@@ -62,12 +62,6 @@ enum trust_direction { OUTBOUND = LSA_TRUST_DIRECTION_OUTBOUND }; -static const char *realm_ref_attrs[] = { - "nCName", - "dnsRoot", - NULL -}; - static const char *trust_attrs[] = { "trustPartner", "trustAuthIncoming", @@ -491,32 +485,33 @@ out: */ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, TALLOC_CTX *mem_ctx, krb5_const_principal principal, - enum hdb_ldb_ent_type ent_type, + enum hdb_ldb_ent_type ent_type, + struct ldb_dn *realm_dn, struct ldb_message *msg, - struct ldb_message *realm_ref_msg, hdb_entry_ex *entry_ex) { unsigned int userAccountControl; int i; krb5_error_code ret = 0; krb5_boolean is_computer = FALSE; - const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg, "dnsRoot", NULL); - char *realm = strupper_talloc(mem_ctx, dnsdomain); struct loadparm_context *lp_ctx = ldb_get_opaque((struct ldb_context *)db->hdb_db, "loadparm"); - struct ldb_dn *domain_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, - mem_ctx, - realm_ref_msg, - "nCName", - ldb_dn_new(mem_ctx, (struct ldb_context *)db->hdb_db, NULL)); + char *realm = strupper_talloc(mem_ctx, lp_realm(lp_ctx)); struct hdb_ldb_private *p; NTTIME acct_expiry; struct ldb_message_element *objectclasses; struct ldb_val computer_val; + const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL); computer_val.data = discard_const_p(uint8_t,"computer"); computer_val.length = strlen((const char *)computer_val.data); + if (!samAccountName) { + krb5_set_error_string(context, "LDB_message2entry: no samAccountName present"); + ret = ENOENT; + goto out; + } + objectclasses = ldb_msg_find_element(msg, "objectClass"); if (objectclasses && ldb_msg_find_val(objectclasses, &computer_val)) { 
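Review bot: In the `@@ -491` hunk `char *realm = strupper_talloc(mem_ctx, lp_realm(lp_ctx));` is never checked for NULL, and `lp_ctx` itself comes from ldb_get_opaque without a check, yet the hunk adds a `goto out` path right below for the samAccountName case, so the allocation failure could be handled the same way: `if (!realm) { ret = ENOMEM; goto out; }` placed before the objectClass lookup. Later in the function (outside this hunk) realm is handed to krb5_make_principal and krb5_princ_set_realm, and a NULL realm there would at best produce a principal with an empty realm. The old code had the same gap with dnsdomain, but since this line is being rewritten it is the moment to close it. LDB_message2entry continues past the end of the hunk.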
@@ -539,7 +534,12 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, p->entry_ex = entry_ex; p->iconv_convenience = lp_iconv_convenience(lp_ctx); - p->netbios_name = lp_netbios_name(lp_ctx); + p->lp_ctx = lp_ctx; + p->realm_dn = talloc_reference(p, realm_dn); + if (!p->realm_dn) { + ret = ENOMEM; + goto out; + } talloc_set_destructor(p, hdb_ldb_destructor); @@ -551,13 +551,6 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal))); if (ent_type == HDB_SAMBA4_ENT_TYPE_ANY && principal == NULL) { - const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL); - if (!samAccountName) { - krb5_set_error_string(context, "LDB_message2entry: no samAccountName present"); - ret = ENOENT; - goto out; - } - samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL); krb5_make_principal(context, &entry_ex->entry.principal, realm, samAccountName, NULL); } else { char *strdup_realm; @@ -584,6 +577,7 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, krb5_princ_set_realm(context, entry_ex->entry.principal, &strdup_realm); } + /* First try and figure out the flags based on the userAccountControl */ entry_ex->entry.flags = uf2HDBFlags(context, userAccountControl, ent_type); if (ent_type == HDB_SAMBA4_ENT_TYPE_KRBTGT) { @@ -593,6 +587,11 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, entry_ex->entry.flags.ok_as_delegate = 1; } + /* Windows 2008 seems to enforce this (very sensible) rule by + * default - don't allow offline attacks on a user's password + * by asking for a ticket to them as a service (encrypted with + * their probably patheticly insecure password) */ + if (lp_parm_bool(lp_ctx, NULL, "kdc", "require spn for service", true)) { if (!is_computer && !ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL)) { entry_ex->entry.flags.server = 0; 
@@ -618,22 +617,19 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, entry_ex->entry.valid_start = NULL; - acct_expiry = samdb_result_account_expires(msg); - if (acct_expiry == 0x7FFFFFFFFFFFFFFFULL) { + /* The account/password expiry only applies when the account is used as a + * client (ie password login), not when used as a server */ + if (ent_type == HDB_SAMBA4_ENT_TYPE_KRBTGT || ent_type == HDB_SAMBA4_ENT_TYPE_SERVER) { + /* Make very well sure we don't use this for a client, + * it could bypass the above password restrictions */ + entry_ex->entry.flags.client = 0; entry_ex->entry.valid_end = NULL; - } else { - entry_ex->entry.valid_end = malloc(sizeof(*entry_ex->entry.valid_end)); - if (entry_ex->entry.valid_end == NULL) { - ret = ENOMEM; - goto out; - } - *entry_ex->entry.valid_end = nt_time_to_unix(acct_expiry); - } + entry_ex->entry.pw_end = NULL; - if (ent_type != HDB_SAMBA4_ENT_TYPE_KRBTGT) { + } else { NTTIME must_change_time = samdb_result_force_password_change((struct ldb_context *)db->hdb_db, mem_ctx, - domain_dn, msg); + realm_dn, msg); if (must_change_time == 0x7FFFFFFFFFFFFFFFULL) { entry_ex->entry.pw_end = NULL; } else { @@ -644,8 +640,18 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, } *entry_ex->entry.pw_end = nt_time_to_unix(must_change_time); } - } else { - entry_ex->entry.pw_end = NULL; + + acct_expiry = samdb_result_account_expires(msg); + if (acct_expiry == 0x7FFFFFFFFFFFFFFFULL) { + entry_ex->entry.valid_end = NULL; + } else { + entry_ex->entry.valid_end = malloc(sizeof(*entry_ex->entry.valid_end)); + if (entry_ex->entry.valid_end == NULL) { + ret = ENOMEM; + goto out; + } + *entry_ex->entry.valid_end = nt_time_to_unix(acct_expiry); + } } entry_ex->entry.max_life = NULL; 
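Review bot: The rewritten branch sets `entry_ex->entry.valid_end = NULL` for HDB_SAMBA4_ENT_TYPE_SERVER as well as KRBTGT, whereas before this hunk accountExpires was applied to every entry type; an account that is past its accountExpires can therefore still be named as the target of a service ticket. The new comment only talks about password expiry not applying to servers, so it is not clear whether dropping account expiry for servers is intended or a side effect of moving the acct_expiry block into the else branch. If intended, say so, e.g. `/* accountExpires is deliberately not enforced for server/krbtgt entries; only client use of the account is gated by it */`; otherwise move the acct_expiry block back out of the else. Clearing flags.client for KRBTGT and SERVER entries is a good defensive measure and the comment explains it well.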
@@ -680,7 +686,6 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, p->msg = talloc_steal(p, msg); - p->realm_ref_msg = talloc_steal(p, realm_ref_msg); p->samdb = (struct ldb_context *)db->hdb_db; out: @@ -701,6 +706,7 @@ static krb5_error_code LDB_trust_message2entry(krb5_context context, HDB *db, struct loadparm_context *lp_ctx, TALLOC_CTX *mem_ctx, krb5_const_principal principal, enum trust_direction direction, + struct ldb_dn *realm_dn, struct ldb_message *msg, hdb_entry_ex *entry_ex) { @@ -725,7 +731,8 @@ static krb5_error_code LDB_trust_message2entry(krb5_context context, HDB *db, p->entry_ex = entry_ex; p->iconv_convenience = lp_iconv_convenience(lp_ctx); - p->netbios_name = lp_netbios_name(lp_ctx); + p->lp_ctx = lp_ctx; + p->realm_dn = realm_dn; talloc_set_destructor(p, hdb_ldb_destructor); @@ -869,7 +876,6 @@ static krb5_error_code LDB_trust_message2entry(krb5_context context, HDB *db, p->msg = talloc_steal(p, msg); - p->realm_ref_msg = NULL; p->samdb = (struct ldb_context *)db->hdb_db; out: 
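Review bot: In the `@@ -725` hunk LDB_trust_message2entry stores `p->realm_dn = realm_dn;` as a bare pointer, while the `@@ -539` hunk on the previous line has LDB_message2entry take `talloc_reference(p, realm_dn)` and fail with ENOMEM if that is not possible. The only trust caller in this diff passes ldb_get_default_basedn(db->hdb_db), which presumably lives as long as the ldb context, so this is likely safe today, but the two constructors now imply different lifetime rules for the same private field and a future caller passing a DN allocated on mem_ctx would leave p->realm_dn dangling. Either use the same talloc_reference pattern here or document the assumption: `/* realm_dn is owned by the ldb context and outlives p; no reference taken */`.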
@@ -988,40 +994,6 @@ static krb5_error_code LDB_lookup_trust(krb5_context context, struct ldb_context return 0; } -static krb5_error_code LDB_lookup_realm(krb5_context context, struct ldb_context *ldb_ctx, - TALLOC_CTX *mem_ctx, - const char *realm, - struct ldb_message ***pmsg) -{ - int ret; - struct ldb_result *cross_ref_res; - struct ldb_dn *partitions_basedn = samdb_partitions_dn(ldb_ctx, mem_ctx); - - ret = ldb_search(ldb_ctx, mem_ctx, &cross_ref_res, - partitions_basedn, LDB_SCOPE_SUBTREE, realm_ref_attrs, - "(&(&(|(&(dnsRoot=%s)(nETBIOSName=*))(nETBIOSName=%s))(objectclass=crossRef))(ncName=*))", - realm, realm); - - if (ret != LDB_SUCCESS) { - DEBUG(3, ("Failed to search to lookup realm(%s): %s\n", realm, ldb_errstring(ldb_ctx))); - talloc_free(cross_ref_res); - return HDB_ERR_NOENTRY; - } else if (cross_ref_res->count == 0 || cross_ref_res->count > 1) { - DEBUG(3, ("Failed find a single entry for realm %s: got %d\n", realm, cross_ref_res->count)); - talloc_free(cross_ref_res); - return HDB_ERR_NOENTRY; - } - - if (pmsg) { - *pmsg = cross_ref_res->msgs; - talloc_steal(mem_ctx, cross_ref_res->msgs); - } - talloc_free(cross_ref_res); - - return 0; -} - - static krb5_error_code LDB_open(krb5_context context, HDB *db, int flags, mode_t mode) { if (db->hdb_master_key_set) { @@ -1060,9 +1032,9 @@ static krb5_error_code LDB_fetch_client(krb5_context context, HDB *db, hdb_entry_ex *entry_ex) { NTSTATUS nt_status; char *principal_string; + struct ldb_dn *realm_dn; krb5_error_code ret; struct ldb_message **msg = NULL; - struct ldb_message **realm_ref_msg = NULL; ret = krb5_unparse_name(context, principal, &principal_string); @@ -1072,7 +1044,7 @@ static krb5_error_code LDB_fetch_client(krb5_context context, HDB *db, nt_status = sam_get_results_principal((struct ldb_context *)db->hdb_db, mem_ctx, principal_string, - &msg, &realm_ref_msg); + &realm_dn, &msg); free(principal_string); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { return HDB_ERR_NOENTRY; 
@@ -1084,7 +1056,7 @@ static krb5_error_code LDB_fetch_client(krb5_context context, HDB *db, ret = LDB_message2entry(context, db, mem_ctx, principal, HDB_SAMBA4_ENT_TYPE_CLIENT, - msg[0], realm_ref_msg[0], entry_ex); + realm_dn, msg[0], entry_ex); return ret; } @@ -1096,10 +1068,9 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, { krb5_error_code ret; struct ldb_message **msg = NULL; - struct ldb_message **realm_ref_msg_1 = NULL; - struct ldb_message **realm_ref_msg_2 = NULL; - struct ldb_dn *realm_dn; + struct ldb_dn *realm_dn = ldb_get_default_basedn(db->hdb_db); const char *realm; + struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(db->hdb_db, "loadparm"), struct loadparm_context); krb5_principal alloc_principal = NULL; if (principal->name.name_string.len != 2 @@ -1110,18 +1081,14 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, /* krbtgt case. Either us or a trusted realm */ - if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db, - mem_ctx, principal->realm, &realm_ref_msg_1) == 0) - && (LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db, - mem_ctx, principal->name.name_string.val[1], &realm_ref_msg_2) == 0) - && (ldb_dn_compare(realm_ref_msg_1[0]->dn, realm_ref_msg_1[0]->dn) == 0)) { + if (lp_is_my_domain_or_realm(lp_ctx, principal->realm) + && lp_is_my_domain_or_realm(lp_ctx, principal->name.name_string.val[1])) { /* us */ /* Cludge, cludge cludge. If the realm part of krbtgt/realm, * is in our db, then direct the caller at our primary * krbtgt */ - const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg_1[0], "dnsRoot", NULL); - char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain); + char *realm_fixed = strupper_talloc(mem_ctx, lp_realm(lp_ctx)); if (!realm_fixed) { krb5_set_error_string(context, "strupper_talloc: out of memory"); return ENOMEM; 
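Review bot: In the `@@ -1096,10 +1068,9` hunk `lp_ctx` is taken from `talloc_get_type(ldb_get_opaque(db->hdb_db, "loadparm"), ...)`, which yields NULL when the opaque is missing or of another type, and the `@@ -1110,18 +1081,14` hunk now dereferences it on every krbtgt lookup through `lp_is_my_domain_or_realm()` and `lp_realm()`, where before only the trust branch used it. A guard right after the declaration, `if (lp_ctx == NULL) { krb5_set_error_string(context, "hdb-samba4: no loadparm context"); return EINVAL; }`, turns that into a reported error instead of a crash. The new realm test also accepts the workgroup name and the realm name independently for the two name components, so `krbtgt/WORKGROUP@REALM` is treated as our own krbtgt; that looks intended by the existing 'cludge' comment but deserves a sentence saying so. LDB_fetch_krbtgt continues outside the hunk.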
@@ -1140,8 +1107,7 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, return ENOMEM; } principal = alloc_principal; - realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msg_1[0], "nCName", NULL); - + ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db, mem_ctx, principal, HDB_SAMBA4_ENT_TYPE_KRBTGT, realm_dn, &msg); @@ -1154,7 +1120,7 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, ret = LDB_message2entry(context, db, mem_ctx, principal, HDB_SAMBA4_ENT_TYPE_KRBTGT, - msg[0], realm_ref_msg_1[0], entry_ex); + realm_dn, msg[0], entry_ex); if (ret != 0) { krb5_warnx(context, "LDB_fetch: self krbtgt message2entry failed"); } @@ -1163,7 +1129,6 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, } else { enum trust_direction direction = UNKNOWN; - struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(db->hdb_db, "loadparm"), struct loadparm_context); /* Either an inbound or outbound trust */ if (strcasecmp(lp_realm(lp_ctx), principal->realm) == 0) { @@ -1192,7 +1157,7 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, ret = LDB_trust_message2entry(context, db, lp_ctx, mem_ctx, principal, direction, - msg[0], entry_ex); + realm_dn, msg[0], entry_ex); if (ret != 0) { krb5_warnx(context, "LDB_fetch: trust_message2entry failed"); } @@ -1214,13 +1179,12 @@ static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, krb5_error_code ret; const char *realm; struct ldb_message **msg = NULL; - struct ldb_message **realm_ref_msg = NULL; - struct ldb_dn *partitions_basedn = samdb_partitions_dn(db->hdb_db, mem_ctx); + struct ldb_dn *realm_dn; if (principal->name.name_string.len >= 2) { /* 'normal server' case */ int ldb_ret; NTSTATUS nt_status; - struct ldb_dn *user_dn, *domain_dn; + struct ldb_dn *user_dn; char *principal_string; ret = krb5_unparse_name_flags(context, principal, 
@@ -1235,7 +1199,7 @@ static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, * referral instead */ nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db, mem_ctx, principal_string, - &user_dn, &domain_dn); + &user_dn, &realm_dn); free(principal_string); if (!NT_STATUS_IS_OK(nt_status)) { @@ -1249,28 +1213,13 @@ static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, return HDB_ERR_NOENTRY; } - ldb_ret = gendb_search((struct ldb_context *)db->hdb_db, - mem_ctx, partitions_basedn, &realm_ref_msg, realm_ref_attrs, - "ncName=%s", ldb_dn_get_linearized(domain_dn)); - - if (ldb_ret != 1) { - return HDB_ERR_NOENTRY; - } - } else { - struct ldb_dn *realm_dn; /* server as client principal case, but we must not lookup userPrincipalNames */ - + realm_dn = ldb_get_default_basedn((struct ldb_context *)db->hdb_db); realm = krb5_principal_get_realm(context, principal); - ret = LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db, - mem_ctx, realm, &realm_ref_msg); - if (ret != 0) { - return HDB_ERR_NOENTRY; - } - - realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msg[0], "nCName", NULL); - + /* Check if it is our realm, otherwise give referall */ + ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db, mem_ctx, principal, HDB_SAMBA4_ENT_TYPE_SERVER, realm_dn, &msg); @@ -1282,7 +1231,7 @@ static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, ret = LDB_message2entry(context, db, mem_ctx, principal, HDB_SAMBA4_ENT_TYPE_SERVER, - msg[0], realm_ref_msg[0], entry_ex); + realm_dn, msg[0], entry_ex); if (ret != 0) { krb5_warnx(context, "LDB_fetch: message2entry failed"); } @@ -1342,7 +1291,7 @@ struct hdb_ldb_seq { int index; int count; struct ldb_message **msgs; - struct ldb_message **realm_ref_msgs; + struct ldb_dn *realm_dn; }; static krb5_error_code LDB_seq(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) 
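Review bot: In the `@@ -1249,28 +1213,13` hunk the new comment `/* Check if it is our realm, otherwise give referall */` describes a check the code does not perform: the server-as-client branch sets `realm_dn` to the default base DN and calls `LDB_lookup_principal()` regardless of `realm`, whereas the removed `LDB_lookup_realm()` failed with HDB_ERR_NOENTRY for a realm we do not host. If `LDB_lookup_principal()` matches on the name component only, a principal in a foreign realm would now resolve to the local entry of the same name. Either restore the check before the lookup, e.g. `if (!lp_is_my_domain_or_realm(lp_ctx, realm)) { return HDB_ERR_NOENTRY; }` with `lp_ctx` fetched the way LDB_fetch_krbtgt does it, or reword the comment to say the realm is assumed to be ours (and spell it 'referral'). LDB_fetch_server continues outside the hunk.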
@@ -1367,8 +1316,7 @@ static krb5_error_code LDB_seq(krb5_context context, HDB *db, unsigned flags, hd if (priv->index < priv->count) { ret = LDB_message2entry(context, db, mem_ctx, NULL, HDB_SAMBA4_ENT_TYPE_ANY, - priv->msgs[priv->index++], - priv->realm_ref_msgs[0], entry); + priv->realm_dn, priv->msgs[priv->index++], entry); } else { ret = HDB_ERR_NOENTRY; } @@ -1389,9 +1337,7 @@ static krb5_error_code LDB_firstkey(krb5_context context, HDB *db, unsigned flag struct ldb_context *ldb_ctx = (struct ldb_context *)db->hdb_db; struct hdb_ldb_seq *priv = (struct hdb_ldb_seq *)db->hdb_dbc; char *realm; - struct ldb_dn *realm_dn = NULL; struct ldb_result *res = NULL; - struct ldb_message **realm_ref_msgs = NULL; krb5_error_code ret; TALLOC_CTX *mem_ctx; int lret; @@ -1410,7 +1356,7 @@ static krb5_error_code LDB_firstkey(krb5_context context, HDB *db, unsigned flag priv->ctx = ldb_ctx; priv->index = 0; priv->msgs = NULL; - priv->realm_ref_msgs = NULL; + priv->realm_dn = ldb_get_default_basedn(ldb_ctx); priv->count = 0; mem_ctx = talloc_named(priv, 0, "LDB_firstkey context"); @@ -1426,23 +1372,8 @@ static krb5_error_code LDB_firstkey(krb5_context context, HDB *db, unsigned flag return ret; } - ret = LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db, - mem_ctx, realm, &realm_ref_msgs); - - free(realm); - - if (ret != 0) { - talloc_free(priv); - krb5_warnx(context, "LDB_firstkey: could not find realm\n"); - return HDB_ERR_NOENTRY; - } - - realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msgs[0], "nCName", NULL); - - priv->realm_ref_msgs = talloc_steal(priv, realm_ref_msgs); - lret = ldb_search(ldb_ctx, priv, &res, - realm_dn, LDB_SCOPE_SUBTREE, user_attrs, + priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs, "(objectClass=user)"); if (lret != LDB_SUCCESS) { diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h index 417f327a57..a281e1d9c9 100644 --- a/source4/kdc/kdc.h +++ b/source4/kdc/kdc.h 
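Review bot: The `@@ -1426,23 +1372,8` hunk deletes `free(realm);` together with the realm lookup, but `realm` (a `char *` filled in above this hunk and, judging by the old `free()`, allocated by the krb5 library) is still declared and still obtained in LDB_firstkey, so it now leaks on every enumeration start unless it is freed later in the function outside this hunk. Either keep `free(realm);` where the removed block stood, or drop the now-unused realm lookup along with the `char *realm;` declaration kept by the `@@ -1389,9 +1337,7` hunk.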
@@ -55,8 +55,8 @@ struct kdc_server { struct hdb_ldb_private { struct ldb_context *samdb; struct smb_iconv_convenience *iconv_convenience; + struct loadparm_context *lp_ctx; struct ldb_message *msg; - struct ldb_message *realm_ref_msg; + struct ldb_dn *realm_dn; hdb_entry_ex *entry_ex; - const char *netbios_name; }; diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 1a0df8e4a1..411e752c04 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -3,7 +3,7 @@ PAC Glue between Samba and the KDC - Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -29,6 +29,7 @@ #include "auth/auth_sam.h" #include "auth/auth_sam_reply.h" #include "kdc/kdc.h" +#include "param/param.h" struct krb5_dh_moduli; struct _krb5_krb_auth_data; @@ -127,9 +128,10 @@ krb5_error_code samba_kdc_get_pac(void *priv, } nt_status = authsam_make_server_info(mem_ctx, p->samdb, - p->netbios_name, + lp_netbios_name(p->lp_ctx), + lp_sam_name(p->lp_ctx), + p->realm_dn, p->msg, - p->realm_ref_msg, data_blob(NULL, 0), data_blob(NULL, 0), &server_info); @@ -274,8 +276,8 @@ krb5_error_code samba_kdc_check_client_access(void *priv, nt_status = authsam_account_ok(tmp_ctx, p->samdb, MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT, + p->realm_dn, p->msg, - p->realm_ref_msg, workstation, name, true); free(name); diff --git a/source4/nbt_server/dgram/netlogon.c b/source4/nbt_server/dgram/netlogon.c index e5c82280e3..2ed37fde59 100644 --- a/source4/nbt_server/dgram/netlogon.c +++ b/source4/nbt_server/dgram/netlogon.c 
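Review bot: The pac-glue.c hunks at `@@ -127,9 +128,10` and `@@ -274,8 +276,8` now dereference `p->lp_ctx` (via `lp_netbios_name()` and `lp_sam_name()`) and pass `p->realm_dn` for every entry handed to the KDC, but in this chunk the two fields are only assigned in LDB_trust_message2entry; the assignment in LDB_message2entry is not visible, so please confirm both are set on that path as well, otherwise client and server entries reach `lp_netbios_name(NULL)`. The two new members in `struct hdb_ldb_private` would benefit from a comment naming the setter and the ownership, e.g. `/* set by LDB_message2entry / LDB_trust_message2entry; realm_dn is not talloc-owned by this struct */`.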
@@ -45,33 +45,22 @@ static void nbtd_netlogon_getdc(struct dgram_mailslot_handler *dgmslot, struct nbt_name *name = &packet->data.msg.dest_name; struct nbtd_interface *reply_iface = nbtd_find_reply_iface(iface, src->addr, false); struct nbt_netlogon_response_from_pdc *pdc; - const char *ref_attrs[] = {"nETBIOSName", NULL}; - struct ldb_message **ref_res; struct ldb_context *samctx; - struct ldb_dn *partitions_basedn; struct nbt_netlogon_response netlogon_response; - int ret; /* only answer getdc requests on the PDC or LOGON names */ if (name->type != NBT_NAME_PDC && name->type != NBT_NAME_LOGON) { return; } - samctx = iface->nbtsrv->sam_ctx; - - if (!samdb_is_pdc(samctx)) { + if (lp_server_role(iface->nbtsrv->task->lp_ctx) != ROLE_DOMAIN_CONTROLLER + || !samdb_is_pdc(samctx)) { DEBUG(2, ("Not a PDC, so not processing LOGON_PRIMARY_QUERY\n")); return; } - partitions_basedn = samdb_partitions_dn(samctx, packet); - - ret = gendb_search(samctx, packet, partitions_basedn, &ref_res, ref_attrs, - "(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))", - name->name); - - if (ret != 1) { - DEBUG(2,("Unable to find domain reference '%s' in sam\n", name->name)); + if (strcasecmp_m(name->name, lp_workgroup(iface->nbtsrv->task->lp_ctx)) != 0) { + DEBUG(5,("GetDC requested for a domian %s that we don't host\n", name->name)); return; } @@ -83,7 +72,7 @@ static void nbtd_netlogon_getdc(struct dgram_mailslot_handler *dgmslot, pdc->command = NETLOGON_RESPONSE_FROM_PDC; pdc->pdc_name = lp_netbios_name(iface->nbtsrv->task->lp_ctx); pdc->unicode_pdc_name = pdc->pdc_name; - pdc->domain_name = samdb_result_string(ref_res[0], "nETBIOSName", name->name);; + pdc->domain_name = lp_workgroup(iface->nbtsrv->task->lp_ctx); pdc->nt_version = 1; pdc->lmnt_token = 0xFFFF; pdc->lm20_token = 0xFFFF; diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c index d6f418e568..eeffe9874f 100644 --- a/source4/param/loadparm.c +++ b/source4/param/loadparm.c 
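Review bot: In the `@@ -45,33 +45,22` hunk the line `samctx = iface->nbtsrv->sam_ctx;` is removed but `samctx` is still declared and passed to `samdb_is_pdc(samctx)` in the new condition, so the PDC check now reads an uninitialised pointer (undefined behaviour, most likely a crash on the first GetDC mailslot request). Re-add `samctx = iface->nbtsrv->sam_ctx;` before the role check. The new log string also misspells 'domain' (`GetDC requested for a domian %s`).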
@@ -2725,3 +2725,4 @@ struct gensec_settings *lp_gensec_settings(TALLOC_CTX *mem_ctx, struct loadparm_ settings->target_hostname = lp_parm_string(lp_ctx, NULL, "gensec", "target_hostname"); return settings; } + diff --git a/source4/param/param.h b/source4/param/param.h index 3d257be062..27bc32f9b9 100644 --- a/source4/param/param.h +++ b/source4/param/param.h @@ -362,6 +362,9 @@ int param_write(struct param_context *ctx, const char *fn); bool lp_is_mydomain(struct loadparm_context *lp_ctx, const char *domain); +bool lp_is_my_domain_or_realm(struct loadparm_context *lp_ctx, + const char *domain); + /** see if a string matches either our primary or one of our secondary netbios aliases. do a case insensitive match @@ -434,6 +437,8 @@ const char *lp_messaging_path(TALLOC_CTX *mem_ctx, struct smb_iconv_convenience *smb_iconv_convenience_init_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx); +const char *lp_sam_name(struct loadparm_context *lp_ctx); + /* The following definitions come from lib/version.c */ const char *samba_version_string(void); diff --git a/source4/param/util.c b/source4/param/util.c index 3881107cbc..366c3f1d78 100644 --- a/source4/param/util.c +++ b/source4/param/util.c @@ -41,6 +41,13 @@ bool lp_is_mydomain(struct loadparm_context *lp_ctx, return strequal(lp_workgroup(lp_ctx), domain); } +bool lp_is_my_domain_or_realm(struct loadparm_context *lp_ctx, + const char *domain) +{ + return strequal(lp_workgroup(lp_ctx), domain) || + strequal(lp_realm(lp_ctx), domain); +} + /** see if a string matches either our primary or one of our secondary netbios aliases. do a case insensitive match @@ -296,3 +303,13 @@ struct smb_iconv_convenience *smb_iconv_convenience_init_lp(TALLOC_CTX *mem_ctx, } +const char *lp_sam_name(struct loadparm_context *lp_ctx) +{ + switch (lp_server_role(lp_ctx)) { + case ROLE_DOMAIN_CONTROLLER: + return lp_workgroup(lp_ctx); + default: + return lp_netbios_name(lp_ctx); + } +} + 
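Review bot: The two functions added to source4/param/util.c (`lp_is_my_domain_or_realm` in `@@ -41,6 +41,13` and `lp_sam_name` in `@@ -296,3 +303,13`) carry no doc comment, while their neighbour uses the `/** ... */` style visible right after the first hunk. Suggested for the first: `/** true if domain matches either our workgroup or our realm, using the same strequal comparison as lp_is_mydomain */`, and for the second: `/** the name our SAM is known by: the workgroup on a domain controller, otherwise the local netbios name */`. If `strequal` is case-insensitive, say so explicitly, since hdb-samba4.c now uses this function on Kerberos realm names. The same text belongs on the prototypes added to param.h on this line.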
diff --git a/source4/rpc_server/config.mk b/source4/rpc_server/config.mk index d05b0a0c0d..dfc3d17bed 100644 --- a/source4/rpc_server/config.mk +++ b/source4/rpc_server/config.mk @@ -129,7 +129,8 @@ PRIVATE_DEPENDENCIES = \ DCERPC_COMMON \ SCHANNELDB \ NDR_NETLOGON \ - auth_sam + auth_sam \ + LIBSAMBA-HOSTCONFIG # End MODULE dcerpc_netlogon ################################################ diff --git a/source4/rpc_server/lsa/lsa_init.c b/source4/rpc_server/lsa/lsa_init.c index 8d8417109f..ae565a3ff1 100644 --- a/source4/rpc_server/lsa/lsa_init.c +++ b/source4/rpc_server/lsa/lsa_init.c @@ -26,7 +26,6 @@ NTSTATUS dcesrv_lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_ struct lsa_policy_state **_state) { struct lsa_policy_state *state; - struct ldb_dn *partitions_basedn; struct ldb_result *dom_res; const char *dom_attrs[] = { "objectSid", @@ -35,13 +34,7 @@ NTSTATUS dcesrv_lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_ "fSMORoleOwner", NULL }; - struct ldb_result *ref_res; - struct ldb_result *forest_ref_res; - const char *ref_attrs[] = { - "nETBIOSName", - "dnsRoot", - NULL - }; + char *p; int ret; state = talloc(mem_ctx, struct lsa_policy_state); @@ -55,11 +48,9 @@ NTSTATUS dcesrv_lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_ return NT_STATUS_INVALID_SYSTEM_SERVICE; } - partitions_basedn = samdb_partitions_dn(state->sam_ldb, mem_ctx); - /* work out the domain_dn - useful for so many calls its worth fetching here */ - state->domain_dn = samdb_base_dn(state->sam_ldb); + state->domain_dn = ldb_get_default_basedn(state->sam_ldb); if (!state->domain_dn) { return NT_STATUS_NO_MEMORY; } 
@@ -86,66 +77,30 @@ NTSTATUS dcesrv_lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_ } state->domain_guid = samdb_result_guid(dom_res->msgs[0], "objectGUID"); - if (!state->domain_sid) { - return NT_STATUS_NO_SUCH_DOMAIN; - } state->mixed_domain = ldb_msg_find_attr_as_uint(dom_res->msgs[0], "nTMixedDomain", 0); talloc_free(dom_res); - ret = ldb_search(state->sam_ldb, state, &ref_res, - partitions_basedn, LDB_SCOPE_SUBTREE, ref_attrs, - "(&(objectclass=crossRef)(ncName=%s))", - ldb_dn_get_linearized(state->domain_dn)); - - if (ret != LDB_SUCCESS) { - talloc_free(ref_res); - return NT_STATUS_INVALID_SYSTEM_SERVICE; - } - if (ref_res->count != 1) { - talloc_free(ref_res); - return NT_STATUS_NO_SUCH_DOMAIN; - } - - state->domain_name = ldb_msg_find_attr_as_string(ref_res->msgs[0], "nETBIOSName", NULL); - if (!state->domain_name) { - talloc_free(ref_res); - return NT_STATUS_NO_SUCH_DOMAIN; - } - talloc_steal(state, state->domain_name); + state->domain_name = lp_sam_name(dce_call->conn->dce_ctx->lp_ctx); - state->domain_dns = ldb_msg_find_attr_as_string(ref_res->msgs[0], "dnsRoot", NULL); + state->domain_dns = ldb_dn_canonical_string(state, state->domain_dn); if (!state->domain_dns) { - talloc_free(ref_res); return NT_STATUS_NO_SUCH_DOMAIN; } - talloc_steal(state, state->domain_dns); - - talloc_free(ref_res); - - ret = ldb_search(state->sam_ldb, state, &forest_ref_res, - partitions_basedn, LDB_SCOPE_SUBTREE, ref_attrs, - "(&(objectclass=crossRef)(ncName=%s))", - ldb_dn_get_linearized(state->forest_dn)); - - if (ret != LDB_SUCCESS) { - talloc_free(forest_ref_res); - return NT_STATUS_INVALID_SYSTEM_SERVICE; - } - if (forest_ref_res->count != 1) { - talloc_free(forest_ref_res); - return NT_STATUS_NO_SUCH_DOMAIN; + p = strchr(state->domain_dns, '/'); + if (p) { + *p = '\0'; } - state->forest_dns = ldb_msg_find_attr_as_string(forest_ref_res->msgs[0], "dnsRoot", NULL); + state->forest_dns = ldb_dn_canonical_string(state, state->forest_dn); if 
(!state->forest_dns) { - talloc_free(forest_ref_res); return NT_STATUS_NO_SUCH_DOMAIN; } - talloc_steal(state, state->forest_dns); - - talloc_free(forest_ref_res); + p = strchr(state->forest_dns, '/'); + if (p) { + *p = '\0'; + } /* work out the builtin_dn - useful for so many calls its worth fetching here */ diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index b17ab86e26..51849fc52e 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -1010,8 +1010,9 @@ static WERROR dcesrv_netr_DsRGetSiteName(struct dcesrv_call_state *dce_call, TAL fill in a netr_DomainTrustInfo from a ldb search result */ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + struct ldb_context *sam_ctx, struct ldb_message *res, - struct ldb_message *ref_res, struct netr_DomainTrustInfo *info, bool is_local, bool is_trust_list) { @@ -1020,9 +1021,10 @@ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, info->trust_extension.info = talloc_zero(mem_ctx, struct netr_trust_extension); info->trust_extension.length = 16; info->trust_extension.info->flags = - NETR_TRUST_FLAG_TREEROOT | + NETR_TRUST_FLAG_TREEROOT | NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_PRIMARY; + info->trust_extension.info->parent_index = 0; /* should be index into array of parent */ info->trust_extension.info->trust_type = LSA_TRUST_TYPE_UPLEVEL; /* should be based on ldb search for trusts */ 
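Review bot: The `@@ -86,66 +77,30` hunk (starting on the previous line) drops `if (!state->domain_sid) { return NT_STATUS_NO_SUCH_DOMAIN; }` without a replacement; unless the same check exists above the hunk, a domain object lacking objectSid or an allocation failure in the preceding lookup now leaves `state->domain_sid` NULL for every later LSA call on this policy handle. Please keep the check or point to where it moved. The canonical-string-then-truncate-at-'/' idiom introduced here for `domain_dns` and `forest_dns`, and a third time in dcerpc_netlogon.c's fill_domain_trust_info on the next line, would be better as one helper such as `static const char *dn_to_dns_name(TALLOC_CTX *mem_ctx, struct ldb_dn *dn)`, which also gives a single place to document the `dns.name/...` layout of `ldb_dn_canonical_string()` output the code relies on. dcesrv_lsa_get_policy_state continues outside the hunk.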
@@ -1032,13 +1034,21 @@ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, /* MS-NRPC 3.5.4.3.9 - must be set to NULL for trust list */ info->forest.string = NULL; } else { + char *p; /* TODO: we need a common function for pulling the forest */ - info->forest.string = samdb_result_string(ref_res, "dnsRoot", NULL); + info->forest.string = ldb_dn_canonical_string(info, ldb_get_root_basedn(sam_ctx)); + if (!info->forest.string) { + return NT_STATUS_NO_SUCH_DOMAIN; + } + p = strchr(info->forest.string, '/'); + if (p) { + *p = '\0'; + } } if (is_local) { - info->domainname.string = samdb_result_string(ref_res, "nETBIOSName", NULL); - info->fulldomainname.string = samdb_result_string(ref_res, "dnsRoot", NULL); + info->domainname.string = lp_sam_name(lp_ctx); + info->fulldomainname.string = lp_realm(lp_ctx); info->guid = samdb_result_guid(res, "objectGUID"); info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid"); } else { @@ -1064,13 +1074,11 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal const char * const attrs[] = { "objectSid", "objectGUID", "flatName", "securityIdentifier", "trustPartner", NULL }; - const char * const ref_attrs[] = { "nETBIOSName", "dnsRoot", NULL }; struct ldb_context *sam_ctx; - struct ldb_message **res1, **res2, **ref_res; + struct ldb_message **res1, **res2; struct netr_DomainInfo1 *info1; - int ret, ret1, ret2, i; + int ret1, ret2, i; NTSTATUS status; - struct ldb_dn *partitions_basedn; const char *local_domain; @@ -1090,8 +1098,6 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal return NT_STATUS_INVALID_SYSTEM_SERVICE; } - partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx); - /* we need to do two searches. The first will pull our primary domain and the second will pull any trusted domains. Our primary domain is also a "trusted" domain, so we need to 
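Review bot: In the `@@ -1032,13 +1034,21` hunk `info->forest.string` is allocated on `info` while the sibling `info->sid` in the same block is allocated on `mem_ctx`; unless `info` is itself a child of `mem_ctx`, the forest string has a different lifetime from the rest of the reply data. If `ldb_get_root_basedn(sam_ctx)` returns NULL the outcome depends on `ldb_dn_canonical_string()` tolerating a NULL dn, which is not checked here. Testing the root DN first, `struct ldb_dn *root = ldb_get_root_basedn(sam_ctx); if (!root) { return NT_STATUS_NO_SUCH_DOMAIN; }`, and allocating on `mem_ctx` keeps the error path explicit.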
@@ -1103,15 +1109,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal } /* try and find the domain */ - ret = gendb_search(sam_ctx, mem_ctx, partitions_basedn, - &ref_res, ref_attrs, - "(&(objectClass=crossRef)(ncName=%s))", - ldb_dn_get_linearized(res1[0]->dn)); - if (ret != 1) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - local_domain = samdb_result_string(ref_res[0], "nETBIOSName", NULL); + local_domain = lp_sam_name(dce_call->conn->dce_ctx->lp_ctx); ret2 = gendb_search(sam_ctx, mem_ctx, NULL, &res2, attrs, "(objectClass=trustedDomain)"); if (ret2 == -1) { @@ -1128,21 +1126,21 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal info1->num_trusts); NT_STATUS_HAVE_NO_MEMORY(info1->trusts); - status = fill_domain_trust_info(mem_ctx, res1[0], ref_res[0], &info1->domaininfo, + status = fill_domain_trust_info(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, sam_ctx, res1[0], &info1->domaininfo, true, false); NT_STATUS_NOT_OK_RETURN(status); for (i=0;i<ret2;i++) { - status = fill_domain_trust_info(mem_ctx, res2[i], NULL, &info1->trusts[i], + status = fill_domain_trust_info(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, sam_ctx, res2[i], &info1->trusts[i], false, true); NT_STATUS_NOT_OK_RETURN(status); } - status = fill_domain_trust_info(mem_ctx, res1[0], ref_res[0], &info1->trusts[i], + status = fill_domain_trust_info(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, sam_ctx, res1[0], &info1->trusts[i], true, true); NT_STATUS_NOT_OK_RETURN(status); - info1->dns_hostname.string = samdb_result_string(ref_res[0], "dnsRoot", NULL); + info1->dns_hostname.string = lp_realm(dce_call->conn->dce_ctx->lp_ctx); info1->workstation_flags = NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS | NETR_WS_FLAG_HANDLES_SPN_UPDATE; info1->supported_enc_types = 0; /* w2008 gives this 0 */ 
@@ -1191,7 +1189,7 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TA struct netr_DsRGetDCNameEx2 *r) { const char * const attrs[] = { "objectGUID", NULL }; - void *sam_ctx; + struct ldb_context *sam_ctx; struct ldb_message **res; struct ldb_dn *domain_dn; int ret; @@ -1206,21 +1204,19 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TA /* Win7-beta will send the domain name in the form the user typed, so we have to cope with both the short and long form here */ - if (r->in.domain_name == NULL || strcasecmp(r->in.domain_name, lp_workgroup(dce_call->conn->dce_ctx->lp_ctx)) == 0) { - r->in.domain_name = lp_realm(dce_call->conn->dce_ctx->lp_ctx); + if (r->in.domain_name != NULL && !lp_is_my_domain_or_realm(dce_call->conn->dce_ctx->lp_ctx, + r->in.domain_name)) { + return WERR_NO_SUCH_DOMAIN; } - domain_dn = samdb_dns_domain_to_dn((struct ldb_context *)sam_ctx, - mem_ctx, - r->in.domain_name); + domain_dn = ldb_get_default_basedn(sam_ctx); if (domain_dn == NULL) { return WERR_DS_SERVICE_UNAVAILABLE; } - ret = gendb_search_dn((struct ldb_context *)sam_ctx, mem_ctx, + ret = gendb_search_dn(sam_ctx, mem_ctx, domain_dn, &res, attrs); if (ret != 1) { - return WERR_NO_SUCH_DOMAIN; } info = talloc(mem_ctx, struct netr_DsRGetDCNameInfo); @@ -1359,10 +1355,8 @@ static WERROR dcesrv_netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce struct netr_DomainTrustList *trusts; void *sam_ctx; int ret; - struct ldb_message **dom_res, **ref_res; + struct ldb_message **dom_res; const char * const dom_attrs[] = { "objectSid", "objectGUID", NULL }; - const char * const ref_attrs[] = { "nETBIOSName", "dnsRoot", NULL }; - struct ldb_dn *partitions_basedn; ZERO_STRUCT(r->out); 
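Review bot: In the `@@ -1206,21 +1204,19` hunk the `return WERR_NO_SUCH_DOMAIN;` inside `if (ret != 1) {` is deleted with nothing put in its place, so when `gendb_search_dn()` fails or returns no row the function falls through to build the reply with `res` unset (presumably reading `res[0]` for objectGUID below the hunk). Restore an error return there; since the domain has already been verified as ours, something like `return WERR_GENERAL_FAILURE;` (as DsrEnumerateDomainTrusts uses for a failed search of its own domain object) fits better than NO_SUCH_DOMAIN. Separately, the old code normalised `r->in.domain_name` to the realm while the new code leaves it as the client sent it, possibly NULL; if code below the hunk echoes it into the reply, the short form or NULL is now passed through. dcesrv_netr_DsRGetDCNameEx2 continues outside the hunk.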
@@ -1371,9 +1365,6 @@ static WERROR dcesrv_netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce return WERR_GENERAL_FAILURE; } - partitions_basedn = samdb_partitions_dn((struct ldb_context *)sam_ctx, - mem_ctx); - ret = gendb_search_dn((struct ldb_context *)sam_ctx, mem_ctx, NULL, &dom_res, dom_attrs); if (ret == -1) { @@ -1383,17 +1374,6 @@ static WERROR dcesrv_netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce return WERR_GENERAL_FAILURE; } - ret = gendb_search((struct ldb_context *)sam_ctx, mem_ctx, - partitions_basedn, &ref_res, ref_attrs, - "(&(objectClass=crossRef)(ncName=%s))", - ldb_dn_get_linearized(dom_res[0]->dn)); - if (ret == -1) { - return WERR_GENERAL_FAILURE; - } - if (ret != 1) { - return WERR_GENERAL_FAILURE; - } - trusts = talloc(mem_ctx, struct netr_DomainTrustList); W_ERROR_HAVE_NO_MEMORY(trusts); @@ -1406,8 +1386,8 @@ static WERROR dcesrv_netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce /* TODO: add filtering by trust_flags, and correct trust_type and attributes */ - trusts->array[0].netbios_name = samdb_result_string(ref_res[0], "nETBIOSName", NULL); - trusts->array[0].dns_name = samdb_result_string(ref_res[0], "dnsRoot", NULL); + trusts->array[0].netbios_name = lp_sam_name(dce_call->conn->dce_ctx->lp_ctx); + trusts->array[0].dns_name = lp_realm(dce_call->conn->dce_ctx->lp_ctx); trusts->array[0].trust_flags = NETR_TRUST_FLAG_TREEROOT | NETR_TRUST_FLAG_IN_FOREST | diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index df23e11a67..fabc88d02d 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c 
@@ -273,11 +273,8 @@ static NTSTATUS dcesrv_samr_LookupDomain(struct dcesrv_call_state *dce_call, TAL struct dcesrv_handle *h; struct dom_sid *sid; const char * const dom_attrs[] = { "objectSid", NULL}; - const char * const ref_attrs[] = { "ncName", NULL}; struct ldb_message **dom_msgs; - struct ldb_message **ref_msgs; int ret; - struct ldb_dn *partitions_basedn; *r->out.sid = NULL; @@ -289,27 +286,17 @@ static NTSTATUS dcesrv_samr_LookupDomain(struct dcesrv_call_state *dce_call, TAL return NT_STATUS_INVALID_PARAMETER; } - partitions_basedn = samdb_partitions_dn(c_state->sam_ctx, mem_ctx); - if (strcasecmp(r->in.domain_name->string, "BUILTIN") == 0) { ret = gendb_search(c_state->sam_ctx, mem_ctx, NULL, &dom_msgs, dom_attrs, "(objectClass=builtinDomain)"); - } else { - ret = gendb_search(c_state->sam_ctx, - mem_ctx, partitions_basedn, &ref_msgs, ref_attrs, - "(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))", - ldb_binary_encode_string(mem_ctx, r->in.domain_name->string)); - if (ret != 1) { - return NT_STATUS_NO_SUCH_DOMAIN; - } - - ret = gendb_search_dn(c_state->sam_ctx, mem_ctx, - samdb_result_dn(c_state->sam_ctx, mem_ctx, - ref_msgs[0], "ncName", NULL), + } else if (strcasecmp_m(r->in.domain_name->string, lp_sam_name(dce_call->conn->dce_ctx->lp_ctx)) == 0) { + ret = gendb_search_dn(c_state->sam_ctx, + mem_ctx, ldb_get_default_basedn(c_state->sam_ctx), &dom_msgs, dom_attrs); + } else { + return NT_STATUS_NO_SUCH_DOMAIN; } - if (ret != 1) { return NT_STATUS_NO_SUCH_DOMAIN; } @@ -338,12 +325,7 @@ static NTSTATUS dcesrv_samr_EnumDomains(struct dcesrv_call_state *dce_call, TALL struct samr_connect_state *c_state; struct dcesrv_handle *h; struct samr_SamArray *array; - int i, start_i, ret; - const char * const dom_attrs[] = { "cn", NULL}; - const char * const ref_attrs[] = { "nETBIOSName", NULL}; - struct ldb_result *dom_res; - struct ldb_result *ref_res; - struct ldb_dn *partitions_basedn; + int i, start_i; *r->out.resume_handle = 0; *r->out.sam = NULL; 
@@ -353,20 +335,11 @@ static NTSTATUS dcesrv_samr_EnumDomains(struct dcesrv_call_state *dce_call, TALL c_state = h->data; - partitions_basedn = samdb_partitions_dn(c_state->sam_ctx, mem_ctx); - - ret = ldb_search(c_state->sam_ctx, mem_ctx, &dom_res, ldb_get_default_basedn(c_state->sam_ctx), - LDB_SCOPE_SUBTREE, dom_attrs, "(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain))"); - if (ret != LDB_SUCCESS) { - DEBUG(0,("samdb: unable to find domains: %s\n", ldb_errstring(c_state->sam_ctx))); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - *r->out.resume_handle = dom_res->count; + *r->out.resume_handle = 2; start_i = *r->in.resume_handle; - if (start_i >= dom_res->count) { + if (start_i >= 2) { /* search past end of list is not an error for this call */ return NT_STATUS_OK; } 
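Review bot: The literal `2` standing for the number of enumerated domains appears in `*r->out.resume_handle = 2;` and `if (start_i >= 2)` here and twice more in the `@@ -379,27 +352,17` hunk on the next line (`talloc_array(..., 2 - start_i)` and `i<2-start_i`). One named constant keeps the four sites in step, e.g. `enum { SAMR_NUM_DOMAINS = 2 }; /* the local SAM and BUILTIN */` near the top of the file, with a comment that EnumDomains now reports exactly these two rather than whatever the database holds. dcesrv_samr_EnumDomains continues outside the hunk.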
@@ -379,27 +352,17 @@ static NTSTATUS dcesrv_samr_EnumDomains(struct dcesrv_call_state *dce_call, TALL array->count = 0; array->entries = NULL; - array->entries = talloc_array(mem_ctx, struct samr_SamEntry, dom_res->count - start_i); + array->entries = talloc_array(mem_ctx, struct samr_SamEntry, 2 - start_i); if (array->entries == NULL) { return NT_STATUS_NO_MEMORY; } - for (i=0;i<dom_res->count-start_i;i++) { + for (i=0;i<2-start_i;i++) { array->entries[i].idx = start_i + i; - /* try and find the domain */ - ret = ldb_search(c_state->sam_ctx, mem_ctx, &ref_res, partitions_basedn, - LDB_SCOPE_SUBTREE, ref_attrs, "(&(objectClass=crossRef)(ncName=%s))", - ldb_dn_get_linearized(dom_res->msgs[i]->dn)); - - if (ret != LDB_SUCCESS) { - DEBUG(0,("samdb: unable to find domains: %s\n", ldb_errstring(c_state->sam_ctx))); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - if (ref_res->count == 1) { - array->entries[i].name.string = samdb_result_string(ref_res->msgs[0], "nETBIOSName", NULL); + if (i == 0) { + array->entries[i].name.string = lp_sam_name(dce_call->conn->dce_ctx->lp_ctx); } else { - array->entries[i].name.string = samdb_result_string(dom_res->msgs[i], "cn", NULL); + array->entries[i].name.string = "BUILTIN"; } } @@ -418,15 +381,11 @@ static NTSTATUS dcesrv_samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLO struct samr_OpenDomain *r) { struct dcesrv_handle *h_conn, *h_domain; - const char *domain_name; struct samr_connect_state *c_state; struct samr_domain_state *d_state; const char * const dom_attrs[] = { "cn", NULL}; - const char * const ref_attrs[] = { "nETBIOSName", NULL}; struct ldb_message **dom_msgs; - struct ldb_message **ref_msgs; int ret; - struct ldb_dn *partitions_basedn; ZERO_STRUCTP(r->out.domain_handle); 
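Review bot: In the `@@ -379,27 +352,17` hunk the name is chosen with `if (i == 0)`, but `i` is the loop index relative to `start_i`, not the entry index: a client resuming with `resume_handle == 1` (which the `start_i >= 2` check above admits) gets one entry with `idx = 1` named after the local SAM instead of `"BUILTIN"`. Test the entry index instead, `if (array->entries[i].idx == 0) {`, or compare `start_i + i`. The `@@ -418,15 +381,11` hunk on this line is declaration cleanup only.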
@@ -438,63 +397,44 @@ static NTSTATUS dcesrv_samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLO
 return NT_STATUS_INVALID_PARAMETER;
 }
- partitions_basedn = samdb_partitions_dn(c_state->sam_ctx, mem_ctx);
+ d_state = talloc(c_state, struct samr_domain_state);
+ if (!d_state) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ d_state->domain_sid = talloc_steal(d_state, r->in.sid);
+
+ if (dom_sid_equal(d_state->domain_sid, dom_sid_parse_talloc(mem_ctx, SID_BUILTIN))) {
+ d_state->builtin = true;
+ d_state->domain_name = "BUILTIN";
+ } else {
+ d_state->builtin = false;
+ d_state->domain_name = lp_sam_name(dce_call->conn->dce_ctx->lp_ctx);
+ }
 ret = gendb_search(c_state->sam_ctx,
- mem_ctx, NULL, &dom_msgs, dom_attrs,
- "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))",
+ mem_ctx, ldb_get_default_basedn(c_state->sam_ctx), &dom_msgs, dom_attrs,
+ "(objectSid=%s)",
 ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
+
 if (ret == 0) {
+ talloc_free(d_state);
 return NT_STATUS_NO_SUCH_DOMAIN;
 } else if (ret > 1) {
+ talloc_free(d_state);
 return NT_STATUS_INTERNAL_DB_CORRUPTION;
 } else if (ret == -1) {
+ talloc_free(d_state);
 DEBUG(1, ("Failed to open domain %s: %s\n", dom_sid_string(mem_ctx, r->in.sid), ldb_errstring(c_state->sam_ctx)));
 return NT_STATUS_INTERNAL_DB_CORRUPTION;
- } else {
- ret = gendb_search(c_state->sam_ctx,
- mem_ctx, partitions_basedn, &ref_msgs, ref_attrs,
- "(&(&(nETBIOSName=*)(objectclass=crossRef))(ncName=%s))",
- ldb_dn_get_linearized(dom_msgs[0]->dn));
- if (ret == 0) {
- domain_name = ldb_msg_find_attr_as_string(dom_msgs[0], "cn", NULL);
- if (domain_name == NULL) {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
- } else if (ret == 1) {
-
- domain_name = ldb_msg_find_attr_as_string(ref_msgs[0], "nETBIOSName", NULL);
- if (domain_name == NULL) {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
- } else {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
- }
-
- d_state = talloc(c_state, struct samr_domain_state);
- if (!d_state) {
- return NT_STATUS_NO_MEMORY;
 }
+ d_state->domain_dn = talloc_steal(d_state, dom_msgs[0]->dn);
 d_state->role = lp_server_role(dce_call->conn->dce_ctx->lp_ctx);
 d_state->connect_state = talloc_reference(d_state, c_state);
 d_state->sam_ctx = c_state->sam_ctx;
- d_state->domain_sid = dom_sid_dup(d_state, r->in.sid);
- d_state->domain_name = talloc_strdup(d_state, domain_name);
- d_state->domain_dn = ldb_dn_copy(d_state, dom_msgs[0]->dn);
- if (!d_state->domain_sid || !d_state->domain_name || !d_state->domain_dn) {
- talloc_free(d_state);
- return NT_STATUS_NO_MEMORY;
- }
 d_state->access_mask = r->in.access_mask;
- if (dom_sid_equal(d_state->domain_sid, dom_sid_parse_talloc(mem_ctx, SID_BUILTIN))) {
- d_state->builtin = true;
- } else {
- d_state->builtin = false;
- }
-
 d_state->lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
 h_domain = dcesrv_handle_new(dce_call->context, SAMR_HANDLE_DOMAIN); |
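Review bot: The lookup filter is now just `"(objectSid=%s)"` over the whole default naming context, so a caller-supplied `r->in.sid` belonging to any object that carries an objectSid (a user or group, not only a domain) would be accepted and its DN stored in `d_state->domain_dn`, whereas the removed filter still restricted the match to domain and builtinDomain classes. Keeping the class restriction, e.g. `"(&(objectSid=%s)(|(objectClass=domain)(objectClass=builtinDomain)))"`, keeps a domain handle from being opened on an arbitrary object and costs nothing, since objectSid is unique and the `ret > 1` branch already covers duplicates. The three `talloc_free(d_state)` calls before the error returns could be folded into a single cleanup label, and `dom_sid_parse_talloc(mem_ctx, SID_BUILTIN)` is still handed to `dom_sid_equal` without a NULL check, as it was before the change. `talloc_steal(d_state, r->in.sid)` moves ownership of the request's SID into the handle; that is fine only if nothing else references `r->in.sid` after the call, which I cannot confirm from this hunk. dcesrv_samr_OpenDomain starts before this hunk and continues past it.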