s4: Enhancements in the "netr_LogonGetDomainInformations" call

This addresses bug #4888 and #6596 in SAMBA 4 Bugzilla - It implements the call in the complete form as specified in the MSPP/WSPP docs and on the discussion on the "cifs-protocol" list - Therefore client informations (OS name, OS version, "servicePrincipalName"...) are now saved in the AD each time the client invokes the call
author: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de> 2009-07-22 22:11:12 +0200
committer: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de> 2009-08-03 09:46:30 +0200
commit: c688d374971cbd2de8e4be229422d00d383937f6 (patch)
tree: 3d23eb638a4a0ebfa62a3802e14edb636e8ee5eb /source4
parent: 721402b8de9a94c4a7ca6ed2f039d0fe42f53351 (diff)
download: samba-c688d374971cbd2de8e4be229422d00d383937f6.tar.gz
samba-c688d374971cbd2de8e4be229422d00d383937f6.tar.bz2
samba-c688d374971cbd2de8e4be229422d00d383937f6.zip
1 files changed, 194 insertions, 65 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 30c7ccda55..4fedf54fbc 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -5,6 +5,7 @@
 
    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2008
    Copyright (C) Stefan Metzmacher <metze@samba.org>  2005
+   Copyright (C) Matthias Dieter Wallnöfer            2009
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -1053,14 +1054,14 @@ static WERROR dcesrv_netr_DsRGetSiteName(struct dcesrv_call_state *dce_call, TAL
 
 
 /*
-  fill in a netr_DomainTrustInfo from a ldb search result
+  fill in a netr_OneDomainInfo from a ldb search result
 */
-static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx,
-				       struct loadparm_context *lp_ctx,
-				       struct ldb_context *sam_ctx,
-				       struct ldb_message *res,
-				       struct netr_DomainTrustInfo *info, 
-				       bool is_local, bool is_trust_list)
+static NTSTATUS fill_one_domain_info(TALLOC_CTX *mem_ctx,
+				     struct loadparm_context *lp_ctx,
+				     struct ldb_context *sam_ctx,
+				     struct ldb_message *res,
+				     struct netr_OneDomainInfo *info,
+				     bool is_local, bool is_trust_list)
 {
 	ZERO_STRUCTP(info);
 
@@ -1078,15 +1079,15 @@ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx,
 
 	if (is_trust_list) {
 		/* MS-NRPC 3.5.4.3.9 - must be set to NULL for trust list */
-		info->forest.string = NULL;
+		info->dns_forestname.string = NULL;
 	} else {
 		char *p;
 		/* TODO: we need a common function for pulling the forest */
-		info->forest.string = ldb_dn_canonical_string(info, ldb_get_root_basedn(sam_ctx));
-		if (!info->forest.string) {
+		info->dns_forestname.string = ldb_dn_canonical_string(info, ldb_get_root_basedn(sam_ctx));
+		if (!info->dns_forestname.string) {
 			return NT_STATUS_NO_SUCH_DOMAIN;		
 		}
-		p = strchr(info->forest.string, '/');
+		p = strchr(info->dns_forestname.string, '/');
 		if (p) {
 			*p = '\0';
 		}
@@ -1094,14 +1095,14 @@ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx,
 
 	if (is_local) {
 		info->domainname.string = lp_sam_name(lp_ctx);
-		info->fulldomainname.string = lp_realm(lp_ctx);
-		info->guid = samdb_result_guid(res, "objectGUID");
-		info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid");
+		info->dns_domainname.string = lp_realm(lp_ctx);
+		info->domain_guid = samdb_result_guid(res, "objectGUID");
+		info->domain_sid = samdb_result_dom_sid(mem_ctx, res, "objectSid");
 	} else {
 		info->domainname.string = samdb_result_string(res, "flatName", NULL);
-		info->fulldomainname.string = samdb_result_string(res, "trustPartner", NULL);
-		info->guid = samdb_result_guid(res, "objectGUID");
-		info->sid = samdb_result_dom_sid(mem_ctx, res, "securityIdentifier");
+		info->dns_domainname.string = samdb_result_string(res, "trustPartner", NULL);
+		info->domain_guid = samdb_result_guid(res, "objectGUID");
+		info->domain_sid = samdb_result_dom_sid(mem_ctx, res, "securityIdentifier");
 	}
 
 	return NT_STATUS_OK;
@@ -1114,84 +1115,212 @@ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx,
   It has an important role in convaying details about the client, such
   as Operating System, Version, Service Pack etc.
 */
-static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-					struct netr_LogonGetDomainInfo *r)
+static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call,
+	TALLOC_CTX *mem_ctx, struct netr_LogonGetDomainInfo *r)
 {
-	const char * const attrs[] = { "objectSid", 
-				       "objectGUID", "flatName", "securityIdentifier",
-				       "trustPartner", NULL };
+	struct netlogon_creds_CredentialState *creds;
+	const char * const attrs[] = { "objectSid", "objectGUID", "flatName",
+		"securityIdentifier", "trustPartner", NULL };
+	const char *old_dns_hostname;
 	struct ldb_context *sam_ctx;
-	struct ldb_message **res1, **res2;
-	struct netr_DomainInfo1 *info1;
+	struct ldb_message **res1, **res2, *new_msg;
+	struct ldb_dn *workstation_dn;
+	struct netr_DomainInformation *domain_info;
+	struct netr_LsaPolicyInformation *lsa_policy_info;
+	struct netr_OsVersionInfoEx *os_version;
 	int ret1, ret2, i;
 	NTSTATUS status;
 
-	const char *local_domain;
-
 	status = dcesrv_netr_creds_server_step_check(dce_call,
 						     mem_ctx, 
 						     r->in.computer_name, 
 						     r->in.credential, 
 						     r->out.return_authenticator,
-						     NULL);
+						     &creds);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0,(__location__ " Bad credentials - error\n"));
 	}
 	NT_STATUS_NOT_OK_RETURN(status);
 
-	sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info);
+	sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
+		dce_call->conn->dce_ctx->lp_ctx,
+		system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
 
-	/* we need to do two searches. The first will pull our primary
-	   domain and the second will pull any trusted domains. Our
-	   primary domain is also a "trusted" domain, so we need to
-	   put the primary domain into the lists of returned trusts as
-	   well */
-	ret1 = gendb_search_dn(sam_ctx, mem_ctx, samdb_base_dn(sam_ctx), &res1, attrs);
-	if (ret1 != 1) {
-		return NT_STATUS_INTERNAL_DB_CORRUPTION;
-	}
+	switch (r->in.level) {
+	case 1: /* Domain information */
 
-	/* try and find the domain */
-	local_domain = lp_sam_name(dce_call->conn->dce_ctx->lp_ctx);
+		workstation_dn = ldb_dn_new_fmt(mem_ctx, sam_ctx, "<SID=%s>",
+			dom_sid_string(mem_ctx, creds->sid));
+		NT_STATUS_HAVE_NO_MEMORY(workstation_dn);
 
-	ret2 = gendb_search(sam_ctx, mem_ctx, NULL, &res2, attrs, "(objectClass=trustedDomain)");
-	if (ret2 == -1) {
-		return NT_STATUS_INTERNAL_DB_CORRUPTION;
-	}
+		/* Gets the old DNS hostname */
+		old_dns_hostname = samdb_search_string_v(sam_ctx, mem_ctx,
+			workstation_dn,	"dNSHostName", "", NULL);
 
-	info1 = talloc(mem_ctx, struct netr_DomainInfo1);
-	NT_STATUS_HAVE_NO_MEMORY(info1);
+		/* Gets host informations and put them in our directory */
+		new_msg = ldb_msg_new(mem_ctx);
+		NT_STATUS_HAVE_NO_MEMORY(new_msg);
 
-	ZERO_STRUCTP(info1);
+		new_msg->dn = workstation_dn;
 
-	info1->num_trusts = ret2 + 1;
-	info1->trusts = talloc_array(mem_ctx, struct netr_DomainTrustInfo, 
-				       info1->num_trusts);
-	NT_STATUS_HAVE_NO_MEMORY(info1->trusts);
+		/* Deletes old OS version values */
+		samdb_msg_add_delete(sam_ctx, mem_ctx, new_msg,
+			"operatingSystemServicePack");
+		samdb_msg_add_delete(sam_ctx, mem_ctx, new_msg,
+			"operatingSystemVersion");
 
-	status = fill_domain_trust_info(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, sam_ctx, res1[0], &info1->domaininfo, 
-					true, false);
-	NT_STATUS_NOT_OK_RETURN(status);
+		if (samdb_replace(sam_ctx, mem_ctx, new_msg) != LDB_SUCCESS) {
+			DEBUG(3,("Impossible to update samdb: %s\n",
+				ldb_errstring(sam_ctx)));
+		}
+
+		talloc_free(new_msg);
+
+		new_msg = ldb_msg_new(mem_ctx);
+		NT_STATUS_HAVE_NO_MEMORY(new_msg);
+
+		new_msg->dn = workstation_dn;
+
+		/* Sets the OS name */
+		samdb_msg_set_string(sam_ctx, mem_ctx, new_msg,
+			"operatingSystem",
+			r->in.query->workstation_info->os_name.string);
+
+		/*
+		 * Sets informations from "os_version". On a empty structure
+		 * the values are cleared.
+		 */
+		if (r->in.query->workstation_info->os_version.os != NULL) {
+			os_version = &r->in.query->workstation_info->os_version.os->os;
+
+			samdb_msg_set_string(sam_ctx, mem_ctx, new_msg,
+				"operatingSystemServicePack",
+				talloc_asprintf(mem_ctx, os_version->CSDVersion));
+
+			samdb_msg_set_string(sam_ctx, mem_ctx, new_msg,
+				"operatingSystemVersion",
+				talloc_asprintf(mem_ctx, "%d.%d (%d)",
+					os_version->MajorVersion,
+					os_version->MinorVersion,
+					os_version->BuildNumber
+				)
+			);
+		}
+
+		/*
+		 * Updates the "dNSHostname" and the "servicePrincipalName"s
+		 * since the client wishes that the server should handle this
+		 * for him ("NETR_WS_FLAG_HANDLES_SPN_UPDATE" not set).
+		 * See MS-NRPC section 3.5.4.3.9
+		 */
+		if ((r->in.query->workstation_info->workstation_flags
+			& NETR_WS_FLAG_HANDLES_SPN_UPDATE) == 0) {
+
+			samdb_msg_add_string(sam_ctx, mem_ctx, new_msg,
+				"dNSHostname",
+				r->in.query->workstation_info->dns_hostname);
+			samdb_msg_add_string(sam_ctx, mem_ctx, new_msg,
+				"servicePrincipalName",
+				talloc_asprintf(mem_ctx, "HOST/%s",
+				r->in.computer_name)
+			);
+			samdb_msg_add_string(sam_ctx, mem_ctx, new_msg,
+				"servicePrincipalName",
+				talloc_asprintf(mem_ctx, "HOST/%s",
+				r->in.query->workstation_info->dns_hostname)
+			);
+		}
+
+		if (samdb_replace(sam_ctx, mem_ctx, new_msg) != LDB_SUCCESS) {
+			DEBUG(3,("Impossible to update samdb: %s\n",
+				ldb_errstring(sam_ctx)));
+		}
+
+		talloc_free(new_msg);
+
+		/* Writes back the domain information */
+
+		/* We need to do two searches. The first will pull our primary
+		   domain and the second will pull any trusted domains. Our
+		   primary domain is also a "trusted" domain, so we need to
+		   put the primary domain into the lists of returned trusts as
+		   well. */
+		ret1 = gendb_search_dn(sam_ctx, mem_ctx, samdb_base_dn(sam_ctx),
+			&res1, attrs);
+		if (ret1 != 1) {
+			return NT_STATUS_INTERNAL_DB_CORRUPTION;
+		}
+
+		ret2 = gendb_search(sam_ctx, mem_ctx, NULL, &res2, attrs,
+			"(objectClass=trustedDomain)");
+		if (ret2 == -1) {
+			return NT_STATUS_INTERNAL_DB_CORRUPTION;
+		}
+
+		domain_info = talloc(mem_ctx, struct netr_DomainInformation);
+		NT_STATUS_HAVE_NO_MEMORY(domain_info);
 
-	for (i=0;i<ret2;i++) {
-		status = fill_domain_trust_info(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, sam_ctx, res2[i], &info1->trusts[i], 
-						false, true);
+		ZERO_STRUCTP(domain_info);
+
+		/* Informations about the local and trusted domains */
+
+		status = fill_one_domain_info(mem_ctx,
+			dce_call->conn->dce_ctx->lp_ctx,
+			sam_ctx, res1[0], &domain_info->primary_domain,
+			true, false);
 		NT_STATUS_NOT_OK_RETURN(status);
-	}
 
-	status = fill_domain_trust_info(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, sam_ctx, res1[0], &info1->trusts[i], 
-					true, true);
-	NT_STATUS_NOT_OK_RETURN(status);
+		domain_info->trusted_domain_count = ret2 + 1;
+		domain_info->trusted_domains = talloc_array(mem_ctx,
+			struct netr_OneDomainInfo,
+			domain_info->trusted_domain_count);
+		NT_STATUS_HAVE_NO_MEMORY(domain_info->trusted_domains);
+
+		for (i=0;i<ret2;i++) {
+			status = fill_one_domain_info(mem_ctx,
+				dce_call->conn->dce_ctx->lp_ctx,
+				sam_ctx, res2[i],
+				&domain_info->trusted_domains[i],
+				false, true);
+			NT_STATUS_NOT_OK_RETURN(status);
+		}
+
+		status = fill_one_domain_info(mem_ctx,
+			dce_call->conn->dce_ctx->lp_ctx, sam_ctx, res1[0],
+			&domain_info->trusted_domains[i], true, true);
+		NT_STATUS_NOT_OK_RETURN(status);
+
+		/* Other host domain informations */
 
-	info1->dns_hostname.string = lp_realm(dce_call->conn->dce_ctx->lp_ctx);
-	info1->workstation_flags = 
-		NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS | NETR_WS_FLAG_HANDLES_SPN_UPDATE;
-	info1->supported_enc_types = 0; /* w2008 gives this 0 */
+		lsa_policy_info = talloc(mem_ctx,
+			struct netr_LsaPolicyInformation);
+		NT_STATUS_HAVE_NO_MEMORY(lsa_policy_info);
+		ZERO_STRUCTP(lsa_policy_info);
 
-	r->out.info->info1 = info1;
+		domain_info->lsa_policy = *lsa_policy_info;
+
+		domain_info->dns_hostname.string = old_dns_hostname;
+		domain_info->workstation_flags =
+			r->in.query->workstation_info->workstation_flags;
+		domain_info->supported_enc_types = 0; /* w2008 gives this 0 */
+
+		r->out.info->domain_info = domain_info;
+	break;
+	case 2: /* LSA policy information - not used at the moment */
+		lsa_policy_info = talloc(mem_ctx,
+			struct netr_LsaPolicyInformation);
+		NT_STATUS_HAVE_NO_MEMORY(lsa_policy_info);
+		ZERO_STRUCTP(lsa_policy_info);
+
+		r->out.info->lsa_policy_info = lsa_policy_info;
+	break;
+	default:
+		return NT_STATUS_INVALID_LEVEL;
+	break;
+	}
 
 	return NT_STATUS_OK;
 }
author	Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>	2009-07-22 22:11:12 +0200
committer	Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>	2009-08-03 09:46:30 +0200
commit	c688d374971cbd2de8e4be229422d00d383937f6 (patch)
tree	3d23eb638a4a0ebfa62a3802e14edb636e8ee5eb /source4
parent	721402b8de9a94c4a7ca6ed2f039d0fe42f53351 (diff)
download	samba-c688d374971cbd2de8e4be229422d00d383937f6.tar.gz samba-c688d374971cbd2de8e4be229422d00d383937f6.tar.bz2 samba-c688d374971cbd2de8e4be229422d00d383937f6.zip