diff options
| -rw-r--r-- | howto.txt | 2 | ||||
| -rw-r--r-- | source4/cldap_server/netlogon.c | 60 | ||||
| -rw-r--r-- | source4/dsdb/samdb/samdb.h | 1 | ||||
| -rw-r--r-- | source4/libcli/config.mk | 12 | ||||
| -rw-r--r-- | source4/libcli/ndr_netlogon.c | 209 | ||||
| -rw-r--r-- | source4/libcli/netlogon.c | 112 | ||||
| -rw-r--r-- | source4/libcli/netlogon.h | 1 | ||||
| -rw-r--r-- | source4/librpc/config.mk | 2 | ||||
| -rw-r--r-- | source4/librpc/idl/nbt.idl | 16 | ||||
| -rw-r--r-- | source4/nbt_server/dgram/netlogon.c | 7 | ||||
| -rw-r--r-- | source4/scripting/python/samba/provision.py | 32 | ||||
| -rw-r--r-- | source4/setup/named.conf | 135 | ||||
| -rw-r--r-- | source4/setup/secrets_dc.ldif | 1 | ||||
| -rw-r--r-- | source4/torture/ldap/cldap.c | 22 | ||||
| -rw-r--r-- | source4/torture/nbt/dgram.c | 277 |
15 files changed, 719 insertions, 170 deletions
@@ -27,7 +27,7 @@ There are 2 methods of doing this: method 1: "rsync -avz samba.org::ftp/unpacked/samba_4_0_test/ samba4" - method 2: "git clone git://git.samba.org/samba.git samba4; cd samba4; git checkout v4-0-test; cd .." + method 2: "git clone git://git.samba.org/samba.git samba4; cd samba4 && git checkout -b v4-0-test origin/v4-0-test; cd .." both methods will create a directory called "samba4" in the current directory. If you don't have rsync or git then install one of them. diff --git a/source4/cldap_server/netlogon.c b/source4/cldap_server/netlogon.c index b2a034d5a4..f263f33d48 100644 --- a/source4/cldap_server/netlogon.c +++ b/source4/cldap_server/netlogon.c @@ -46,6 +46,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, struct dom_sid *domain_sid, const char *domain_guid, const char *user, + uint32_t acct_control, const char *src_address, uint32_t version, struct loadparm_context *lp_ctx, @@ -53,7 +54,8 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, { const char *ref_attrs[] = {"nETBIOSName", "dnsRoot", "ncName", NULL}; const char *dom_attrs[] = {"objectGUID", NULL}; - struct ldb_result *ref_res = NULL, *dom_res = NULL; + const char *none_attrs[] = {NULL}; + struct ldb_result *ref_res = NULL, *dom_res = NULL, *user_res = NULL; int ret; const char **services = lp_server_services(lp_ctx); uint32_t server_type; @@ -68,6 +70,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, const char *pdc_ip; struct ldb_dn *partitions_basedn; struct interface *ifaces; + bool user_known; partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx); @@ -201,6 +204,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, } } + if ((ref_res == NULL || ref_res->count == 0)) { DEBUG(2,("Unable to find domain reference with name %s or GUID {%s}\n", domain, domain_guid)); return NT_STATUS_NO_SUCH_DOMAIN; @@ -211,6 +215,44 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, return NT_STATUS_NO_SUCH_DOMAIN; } + /* work around different inputs for not-specified users */ + if (!user) { + user = ""; + } + + /* Enquire about any valid username with just a CLDAP packet - + * if kerberos didn't also do this, the security folks would + * scream... */ + if (user[0]) { \ + /* Only allow some bits to be enquired: [MS-ATDS] 7.3.3.2 */ + if (acct_control == (uint32_t)-1) { + acct_control = 0; + } + acct_control = acct_control & (ACB_TEMPDUP | ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST); + + /* We must exclude disabled accounts, but otherwise do the bitwise match the client asked for */ + ret = ldb_search_exp_fmt(sam_ctx, mem_ctx, &user_res, + dom_res->msgs[0]->dn, LDB_SCOPE_SUBTREE, + none_attrs, + "(&(objectClass=user)(samAccountName=%s)" + "(!(userAccountControl:" LDB_OID_COMPARATOR_AND ":=%u))" + "(userAccountControl:" LDB_OID_COMPARATOR_OR ":=%u))", + user, UF_ACCOUNTDISABLE, samdb_acb2uf(acct_control)); + if (ret != LDB_SUCCESS) { + DEBUG(2,("Unable to find referece to user '%s' with ACB 0x%8x under %s: %s\n", + user, acct_control, ldb_dn_get_linearized(dom_res->msgs[0]->dn), + ldb_errstring(sam_ctx))); + return NT_STATUS_NO_SUCH_USER; + } else if (user_res->count == 1) { + user_known = true; + } else { + user_known = false; + } + + } else { + user_known = true; + } + server_type = NBT_SERVER_DS | NBT_SERVER_TIMESERV | NBT_SERVER_CLOSEST | NBT_SERVER_WRITABLE | @@ -250,13 +292,13 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, ZERO_STRUCTP(netlogon); - if (version & NETLOGON_NT_VERSION_5EX) { + /* check if either of these bits is present */ + if (version & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP)) { uint32_t extra_flags = 0; netlogon->ntver = NETLOGON_NT_VERSION_5EX; /* could check if the user exists */ - if (!user) { - user = ""; + if (user_known) { netlogon->nt5_ex.command = LOGON_SAM_LOGON_RESPONSE_EX; } else { netlogon->nt5_ex.command = LOGON_SAM_LOGON_USER_UNKNOWN_EX; @@ -277,7 +319,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, extra_flags = NETLOGON_NT_VERSION_5EX_WITH_IP; netlogon->nt5_ex.sockaddr.sa_family = 2; netlogon->nt5_ex.sockaddr.pdc_ip = pdc_ip; - netlogon->nt5_ex.sockaddr.remaining = data_blob(NULL, 4); + netlogon->nt5_ex.sockaddr.remaining = data_blob_talloc_zero(mem_ctx, 8); } netlogon->nt5_ex.nt_version = NETLOGON_NT_VERSION_1|NETLOGON_NT_VERSION_5EX|extra_flags; netlogon->nt5_ex.lmnt_token = 0xFFFF; @@ -287,8 +329,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, netlogon->ntver = NETLOGON_NT_VERSION_5; /* could check if the user exists */ - if (!user) { - user = ""; + if (user_known) { netlogon->nt5.command = LOGON_SAM_LOGON_RESPONSE; } else { netlogon->nt5.command = LOGON_SAM_LOGON_USER_UNKNOWN; @@ -309,8 +350,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, } else /* (version & NETLOGON_NT_VERSION_1) and all other cases */ { netlogon->ntver = NETLOGON_NT_VERSION_1; /* could check if the user exists */ - if (!user) { - user = ""; + if (user_known) { netlogon->nt4.command = LOGON_SAM_LOGON_RESPONSE; } else { netlogon->nt4.command = LOGON_SAM_LOGON_USER_UNKNOWN; @@ -406,7 +446,7 @@ void cldapd_netlogon_request(struct cldap_socket *cldap, domain, host, user, version, domain_guid)); status = fill_netlogon_samlogon_response(cldapd->samctx, tmp_ctx, domain, NULL, NULL, domain_guid, - user, src->addr, + user, acct_control, src->addr, version, cldapd->task->lp_ctx, &netlogon); if (!NT_STATUS_IS_OK(status)) { goto failed; diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h index 9e02ef76c6..8370857aba 100644 --- a/source4/dsdb/samdb/samdb.h +++ b/source4/dsdb/samdb/samdb.h @@ -37,6 +37,7 @@ struct event_context; #include "dsdb/schema/schema.h" #include "dsdb/samdb/samdb_proto.h" #include "dsdb/common/proto.h" +#include "dsdb/common/flags.h" #define DSDB_CONTROL_CURRENT_PARTITION_OID "1.3.6.1.4.1.7165.4.3.2" struct dsdb_control_current_partition { diff --git a/source4/libcli/config.mk b/source4/libcli/config.mk index f502091b07..16e23430d7 100644 --- a/source4/libcli/config.mk +++ b/source4/libcli/config.mk @@ -57,9 +57,17 @@ LIBCLI_NBT_OBJ_FILES = $(addprefix $(libclisrcdir)/nbt/, \ $(eval $(call proto_header_template,$(libclisrcdir)/nbt/nbt_proto.h,$(LIBCLI_NBT_OBJ_FILES:.o=.c))) +[SUBSYSTEM::LIBCLI_NDR_NETLOGON] +PUBLIC_DEPENDENCIES = LIBNDR \ + NDR_SECURITY + +LIBCLI_NDR_NETLOGON_OBJ_FILES = $(addprefix libcli/, \ + ndr_netlogon.o) + +$(eval $(call proto_header_template,$(libclisrcdir)/ndr_netlogon_proto.h,$(LIBCLI_NDR_NETLOGON_OBJ_FILES:.o=.c))) + [SUBSYSTEM::LIBCLI_NETLOGON] -PUBLIC_DEPENDENCIES = LIBNDR NDR_NBT \ - NDR_SECURITY LIBSAMBA-UTIL +PUBLIC_DEPENDENCIES = LIBSAMBA-UTIL LIBCLI_NDR_NETLOGON LIBCLI_NETLOGON_OBJ_FILES = $(addprefix libcli/, \ netlogon.o) diff --git a/source4/libcli/ndr_netlogon.c b/source4/libcli/ndr_netlogon.c new file mode 100644 index 0000000000..504b3b02a7 --- /dev/null +++ b/source4/libcli/ndr_netlogon.c @@ -0,0 +1,209 @@ +/* + Unix SMB/CIFS implementation. + + CLDAP server structures + + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +/* parser auto-generated by pidl, then hand-modified by abartlet */ + +#include "includes.h" +#include "libcli/netlogon.h" +/* Manually modified to handle the dom_sid being optional based on if it is present or all zero */ +enum ndr_err_code ndr_push_NETLOGON_SAM_LOGON_REQUEST(struct ndr_push *ndr, int ndr_flags, const struct NETLOGON_SAM_LOGON_REQUEST *r) +{ + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_push_align(ndr, 4)); + NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->request_count)); + { + uint32_t _flags_save_string = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM); + NDR_CHECK(ndr_push_string(ndr, NDR_SCALARS, r->computer_name)); + ndr->flags = _flags_save_string; + } + { + uint32_t _flags_save_string = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM); + NDR_CHECK(ndr_push_string(ndr, NDR_SCALARS, r->user_name)); + ndr->flags = _flags_save_string; + } + { + uint32_t _flags_save_string = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM); + NDR_CHECK(ndr_push_string(ndr, NDR_SCALARS, r->mailslot_name)); + ndr->flags = _flags_save_string; + } + NDR_CHECK(ndr_push_samr_AcctFlags(ndr, NDR_SCALARS, r->acct_control)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_size_dom_sid0(&r->sid, ndr->flags))); + if (ndr_size_dom_sid0(&r->sid, ndr->flags)) { + struct ndr_push *_ndr_sid; + uint32_t _flags_save_DATA_BLOB = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN4); + NDR_CHECK(ndr_push_DATA_BLOB(ndr, NDR_SCALARS, r->_pad)); + ndr->flags = _flags_save_DATA_BLOB; + NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_sid, 0, ndr_size_dom_sid0(&r->sid, ndr->flags))); + NDR_CHECK(ndr_push_dom_sid0(_ndr_sid, NDR_SCALARS|NDR_BUFFERS, &r->sid)); + NDR_CHECK(ndr_push_subcontext_end(ndr, _ndr_sid, 0, ndr_size_dom_sid0(&r->sid, ndr->flags))); + } + NDR_CHECK(ndr_push_netlogon_nt_version_flags(ndr, NDR_SCALARS, r->nt_version)); + NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->lmnt_token)); + NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->lm20_token)); + } + if (ndr_flags & NDR_BUFFERS) { + } + return NDR_ERR_SUCCESS; +} + +/* Manually modified to handle the dom_sid being optional based on if it is present (size is non-zero) or not */ +enum ndr_err_code ndr_pull_NETLOGON_SAM_LOGON_REQUEST(struct ndr_pull *ndr, int ndr_flags, struct NETLOGON_SAM_LOGON_REQUEST *r) +{ + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->request_count)); + { + uint32_t _flags_save_string = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM); + NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->computer_name)); + ndr->flags = _flags_save_string; + } + { + uint32_t _flags_save_string = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_NULLTERM); + NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->user_name)); + ndr->flags = _flags_save_string; + } + { + uint32_t _flags_save_string = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM); + NDR_CHECK(ndr_pull_string(ndr, NDR_SCALARS, &r->mailslot_name)); + ndr->flags = _flags_save_string; + } + NDR_CHECK(ndr_pull_samr_AcctFlags(ndr, NDR_SCALARS, &r->acct_control)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->sid_size)); + if (r->sid_size) { + uint32_t _flags_save_DATA_BLOB = ndr->flags; + struct ndr_pull *_ndr_sid; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN4); + NDR_CHECK(ndr_pull_DATA_BLOB(ndr, NDR_SCALARS, &r->_pad)); + ndr->flags = _flags_save_DATA_BLOB; + NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_sid, 0, r->sid_size)); + NDR_CHECK(ndr_pull_dom_sid0(_ndr_sid, NDR_SCALARS|NDR_BUFFERS, &r->sid)); + NDR_CHECK(ndr_pull_subcontext_end(ndr, _ndr_sid, 0, r->sid_size)); + } else { + ZERO_STRUCT(r->sid); + } + NDR_CHECK(ndr_pull_netlogon_nt_version_flags(ndr, NDR_SCALARS, &r->nt_version)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->lmnt_token)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->lm20_token)); + } + if (ndr_flags & NDR_BUFFERS) { + } + return NDR_ERR_SUCCESS; +} + +/* Manually modified to only push some parts of the structure if certain flags are set */ +enum ndr_err_code ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags(struct ndr_push *ndr, int ndr_flags, const struct NETLOGON_SAM_LOGON_RESPONSE_EX *r) +{ + { + uint32_t _flags_save_STRUCT = ndr->flags; + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_NOALIGN); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_push_align(ndr, 4)); + NDR_CHECK(ndr_push_netlogon_command(ndr, NDR_SCALARS, r->command)); + NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->sbz)); + NDR_CHECK(ndr_push_nbt_server_type(ndr, NDR_SCALARS, r->server_type)); + NDR_CHECK(ndr_push_GUID(ndr, NDR_SCALARS, &r->domain_uuid)); + NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->forest)); + NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->dns_domain)); + NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->pdc_dns_name)); + NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->domain)); + NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->pdc_name)); + NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->user_name)); + NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->server_site)); + NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->client_site)); + if (r->nt_version & NETLOGON_NT_VERSION_5EX_WITH_IP) { + NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, ndr_size_nbt_sockaddr(&r->sockaddr, ndr->flags))); + { + struct ndr_push *_ndr_sockaddr; + NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_sockaddr, 0, ndr_size_nbt_sockaddr(&r->sockaddr, ndr->flags))); + NDR_CHECK(ndr_push_nbt_sockaddr(_ndr_sockaddr, NDR_SCALARS|NDR_BUFFERS, &r->sockaddr)); + NDR_CHECK(ndr_push_subcontext_end(ndr, _ndr_sockaddr, 0, ndr_size_nbt_sockaddr(&r->sockaddr, ndr->flags))); + } + } + if (r->nt_version & NETLOGON_NT_VERSION_WITH_CLOSEST_SITE) { + NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->next_closest_site)); + } + NDR_CHECK(ndr_push_netlogon_nt_version_flags(ndr, NDR_SCALARS, r->nt_version)); + NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->lmnt_token)); + NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->lm20_token)); + } + if (ndr_flags & NDR_BUFFERS) { + NDR_CHECK(ndr_push_GUID(ndr, NDR_BUFFERS, &r->domain_uuid)); + } + ndr->flags = _flags_save_STRUCT; + } + return NDR_ERR_SUCCESS; +} + +/* Manually modified to only pull some parts of the structure if certain flags provided */ +enum ndr_err_code ndr_pull_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags(struct ndr_pull *ndr, int ndr_flags, struct NETLOGON_SAM_LOGON_RESPONSE_EX *r, + uint32_t nt_version_flags) +{ + { + uint32_t _flags_save_STRUCT = ndr->flags; + ZERO_STRUCTP(r); + ndr_set_flags(&ndr->flags, LIBNDR_FLAG_NOALIGN); + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_netlogon_command(ndr, NDR_SCALARS, &r->command)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->sbz)); + NDR_CHECK(ndr_pull_nbt_server_type(ndr, NDR_SCALARS, &r->server_type)); + NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->domain_uuid)); + NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->forest)); + NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->dns_domain)); + NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->pdc_dns_name)); + NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->domain)); + NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->pdc_name)); + NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->user_name)); + NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->server_site)); + NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->client_site)); + if (nt_version_flags & NETLOGON_NT_VERSION_5EX_WITH_IP) { + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->sockaddr_size)); + { + struct ndr_pull *_ndr_sockaddr; + NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_sockaddr, 0, r->sockaddr_size)); + NDR_CHECK(ndr_pull_nbt_sockaddr(_ndr_sockaddr, NDR_SCALARS|NDR_BUFFERS, &r->sockaddr)); + NDR_CHECK(ndr_pull_subcontext_end(ndr, _ndr_sockaddr, 0, r->sockaddr_size)); + } + } + if (nt_version_flags & NETLOGON_NT_VERSION_WITH_CLOSEST_SITE) { + NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->next_closest_site)); + } + NDR_CHECK(ndr_pull_netlogon_nt_version_flags(ndr, NDR_SCALARS, &r->nt_version)); + if (r->nt_version != nt_version_flags) { + return NDR_ERR_VALIDATE; + } + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->lmnt_token)); + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->lm20_token)); + } + if (ndr_flags & NDR_BUFFERS) { + NDR_CHECK(ndr_pull_GUID(ndr, NDR_BUFFERS, &r->domain_uuid)); + } + ndr->flags = _flags_save_STRUCT; + } + return NDR_ERR_SUCCESS; +} diff --git a/source4/libcli/netlogon.c b/source4/libcli/netlogon.c index 3ef7cf6335..052d7cbc1e 100644 --- a/source4/libcli/netlogon.c +++ b/source4/libcli/netlogon.c @@ -1,99 +1,27 @@ -/* parser auto-generated by pidl, then hand-modified by abartlet */ +/* + Unix SMB/CIFS implementation. + + CLDAP server structures + + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ #include "includes.h" #include "libcli/netlogon.h" -_PUBLIC_ enum ndr_err_code ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags(struct ndr_push *ndr, int ndr_flags, const struct NETLOGON_SAM_LOGON_RESPONSE_EX *r) -{ - { - uint32_t _flags_save_STRUCT = ndr->flags; - ndr_set_flags(&ndr->flags, LIBNDR_FLAG_NOALIGN); - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_push_align(ndr, 4)); - NDR_CHECK(ndr_push_netlogon_command(ndr, NDR_SCALARS, r->command)); - NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->sbz)); - NDR_CHECK(ndr_push_nbt_server_type(ndr, NDR_SCALARS, r->server_type)); - NDR_CHECK(ndr_push_GUID(ndr, NDR_SCALARS, &r->domain_uuid)); - NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->forest)); - NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->dns_domain)); - NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->pdc_dns_name)); - NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->domain)); - NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->pdc_name)); - NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->user_name)); - NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->server_site)); - NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->client_site)); - if (r->nt_version & NETLOGON_NT_VERSION_5EX_WITH_IP) { - NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, ndr_size_nbt_sockaddr(&r->sockaddr, ndr->flags))); - { - struct ndr_push *_ndr_sockaddr; - NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_sockaddr, 0, ndr_size_nbt_sockaddr(&r->sockaddr, ndr->flags))); - NDR_CHECK(ndr_push_nbt_sockaddr(_ndr_sockaddr, NDR_SCALARS|NDR_BUFFERS, &r->sockaddr)); - NDR_CHECK(ndr_push_subcontext_end(ndr, _ndr_sockaddr, 0, ndr_size_nbt_sockaddr(&r->sockaddr, ndr->flags))); - } - } - if (r->nt_version & NETLOGON_NT_VERSION_WITH_CLOSEST_SITE) { - NDR_CHECK(ndr_push_nbt_string(ndr, NDR_SCALARS, r->next_closest_site)); - } - NDR_CHECK(ndr_push_netlogon_nt_version_flags(ndr, NDR_SCALARS, r->nt_version)); - NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->lmnt_token)); - NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->lm20_token)); - } - if (ndr_flags & NDR_BUFFERS) { - NDR_CHECK(ndr_push_GUID(ndr, NDR_BUFFERS, &r->domain_uuid)); - } - ndr->flags = _flags_save_STRUCT; - } - return NDR_ERR_SUCCESS; -} - -static enum ndr_err_code ndr_pull_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags(struct ndr_pull *ndr, int ndr_flags, struct NETLOGON_SAM_LOGON_RESPONSE_EX *r, - uint32_t nt_version_flags) -{ - { - uint32_t _flags_save_STRUCT = ndr->flags; - ZERO_STRUCTP(r); - ndr_set_flags(&ndr->flags, LIBNDR_FLAG_NOALIGN); - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_align(ndr, 4)); - NDR_CHECK(ndr_pull_netlogon_command(ndr, NDR_SCALARS, &r->command)); - NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->sbz)); - NDR_CHECK(ndr_pull_nbt_server_type(ndr, NDR_SCALARS, &r->server_type)); - NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->domain_uuid)); - NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->forest)); - NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->dns_domain)); - NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->pdc_dns_name)); - NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->domain)); - NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->pdc_name)); - NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->user_name)); - NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->server_site)); - NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->client_site)); - if (nt_version_flags & NETLOGON_NT_VERSION_5EX_WITH_IP) { - NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->sockaddr_size)); - { - struct ndr_pull *_ndr_sockaddr; - NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_sockaddr, 0, r->sockaddr_size)); - NDR_CHECK(ndr_pull_nbt_sockaddr(_ndr_sockaddr, NDR_SCALARS|NDR_BUFFERS, &r->sockaddr)); - NDR_CHECK(ndr_pull_subcontext_end(ndr, _ndr_sockaddr, 0, r->sockaddr_size)); - } - } - if (nt_version_flags & NETLOGON_NT_VERSION_WITH_CLOSEST_SITE) { - NDR_CHECK(ndr_pull_nbt_string(ndr, NDR_SCALARS, &r->next_closest_site)); - } - NDR_CHECK(ndr_pull_netlogon_nt_version_flags(ndr, NDR_SCALARS, &r->nt_version)); - if (r->nt_version != nt_version_flags) { - return NDR_ERR_VALIDATE; - } - NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->lmnt_token)); - NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->lm20_token)); - } - if (ndr_flags & NDR_BUFFERS) { - NDR_CHECK(ndr_pull_GUID(ndr, NDR_BUFFERS, &r->domain_uuid)); - } - ndr->flags = _flags_save_STRUCT; - } - return NDR_ERR_SUCCESS; -} - NTSTATUS push_netlogon_samlogon_response(DATA_BLOB *data, TALLOC_CTX *mem_ctx, struct smb_iconv_convenience *iconv_convenience, struct netlogon_samlogon_response *response) diff --git a/source4/libcli/netlogon.h b/source4/libcli/netlogon.h index b8615b55a5..177ed3a514 100644 --- a/source4/libcli/netlogon.h +++ b/source4/libcli/netlogon.h @@ -50,4 +50,5 @@ struct nbt_netlogon_response }; #include "libcli/netlogon_proto.h" +#include "libcli/ndr_netlogon_proto.h" #endif /* __CLDAP_SERVER_PROTO_H__ */ diff --git a/source4/librpc/config.mk b/source4/librpc/config.mk index c2a8d536b2..69dafb34c6 100644 --- a/source4/librpc/config.mk +++ b/source4/librpc/config.mk @@ -332,7 +332,7 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_NBT NDR_SCHANNEL_OBJ_FILES = $(gen_ndrsrcdir)/ndr_schannel.o [SUBSYSTEM::NDR_NBT] -PUBLIC_DEPENDENCIES = LIBNDR NDR_MISC NDR_NBT_BUF NDR_SVCCTL NDR_SECURITY NDR_SAMR +PUBLIC_DEPENDENCIES = LIBNDR NDR_MISC NDR_NBT_BUF NDR_SVCCTL NDR_SECURITY NDR_SAMR LIBCLI_NDR_NETLOGON NDR_NBT_OBJ_FILES = $(gen_ndrsrcdir)/ndr_nbt.o diff --git a/source4/librpc/idl/nbt.idl b/source4/librpc/idl/nbt.idl index e6af2cd035..783f04eb42 100644 --- a/source4/librpc/idl/nbt.idl +++ b/source4/librpc/idl/nbt.idl @@ -10,7 +10,7 @@ import "misc.idl", "security.idl", "svcctl.idl", "samr.idl"; [ -helper("libcli/nbt/libnbt.h") + helper("libcli/netlogon.h", "libcli/nbt/libnbt.h") ] interface nbt { @@ -391,15 +391,23 @@ interface nbt typedef bitmap samr_AcctFlags samr_AcctFlags; - typedef struct { + /* query to dc hand marshaled, as it has 'optional' + * parts */ + typedef [nopull,nopush] struct { uint16 request_count; nstring computer_name; nstring user_name; astring mailslot_name; samr_AcctFlags acct_control; [value(ndr_size_dom_sid0(&sid, ndr->flags))] uint32 sid_size; - /* Must not be present (ie, zero size, in request to \MAILSLOT\NET\NTLOGON */ - [subcontext(0),subcontext_size(sid_size)] dom_sid0 sid; + /* The manual alignment is required because this + * structure is marked flag(NDR_NOALIGN) via the + * nbt_netlogon_packet below. + * + * However, both MUST only be present if sid_size > 0 + */ + [flag(NDR_ALIGN4)] DATA_BLOB _pad; + [subcontext(0),subcontext_size(sid_size)] dom_sid0 sid; netlogon_nt_version_flags nt_version; uint16 lmnt_token; uint16 lm20_token; diff --git a/source4/nbt_server/dgram/netlogon.c b/source4/nbt_server/dgram/netlogon.c index b8fb1b8677..5e263a5854 100644 --- a/source4/nbt_server/dgram/netlogon.c +++ b/source4/nbt_server/dgram/netlogon.c @@ -133,18 +133,13 @@ static void nbtd_netlogon_samlogon(struct dgram_mailslot_handler *dgmslot, } if (netlogon->req.logon.sid_size) { - if (strcasecmp(dgmslot->mailslot_name, NBT_MAILSLOT_NTLOGON) == 0) { - DEBUG(2,("NBT netlogon query failed because SID specified in request to NTLOGON\n")); - /* SID not permitted on NTLOGON (for some reason...) */ - return; - } sid = &netlogon->req.logon.sid; } else { sid = NULL; } status = fill_netlogon_samlogon_response(samctx, packet, NULL, name->name, sid, NULL, - netlogon->req.logon.user_name, src->addr, + netlogon->req.logon.user_name, netlogon->req.logon.acct_control, src->addr, netlogon->req.logon.nt_version, iface->nbtsrv->task->lp_ctx, &netlogon_response.samlogon); if (!NT_STATUS_IS_OK(status)) { DEBUG(2,("NBT netlogon query failed domain=%s sid=%s version=%d - %s\n", diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index ad8eb8bffd..4818a79f00 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -236,6 +236,7 @@ def provision_paths_from_lp(lp, dnsdomain): paths.secrets = os.path.join(paths.private_dir, lp.get("secrets database") or "secrets.ldb") paths.templates = os.path.join(paths.private_dir, "templates.ldb") paths.dns = os.path.join(paths.private_dir, dnsdomain + ".zone") + paths.namedconf = os.path.join(paths.private_dir, "named.conf") paths.winsdb = os.path.join(paths.private_dir, "wins.ldb") paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi") paths.phpldapadminconfig = os.path.join(paths.private_dir, @@ -1059,12 +1060,14 @@ def provision(setup_dir, message, session_info, scope=SCOPE_SUBTREE) assert isinstance(hostguid, str) - create_zone_file(paths.dns, setup_path, samdb, + create_zone_file(paths.dns, paths.namedconf, setup_path, samdb, hostname=names.hostname, hostip=hostip, hostip6=hostip6, dnsdomain=names.dnsdomain, domaindn=names.domaindn, dnspass=dnspass, realm=names.realm, - domainguid=domainguid, hostguid=hostguid) + domainguid=domainguid, hostguid=hostguid, + private_dir=paths.private_dir, keytab_name=paths.dns_keytab) message("Please install the zone located in %s into your DNS server" % paths.dns) + message("See %s if you want to use secure GSS-TSIG updates" % paths.namedconf) create_phpldapadmin_config(paths.phpldapadminconfig, setup_path, ldapi_url) @@ -1281,12 +1284,18 @@ def create_phpldapadmin_config(path, setup_path, ldapi_uri): {"S4_LDAPI_URI": ldapi_uri}) -def create_zone_file(path, setup_path, samdb, dnsdomain, domaindn, - hostip, hostip6, hostname, dnspass, realm, domainguid, hostguid): +def create_zone_file(path_zone, path_conf, setup_path, samdb, dnsdomain, domaindn, + hostip, hostip6, hostname, dnspass, realm, domainguid, hostguid, + private_dir, keytab_name): """Write out a DNS zone file, from the info in the current database. + + Also writes a file with stubs appropriate for a DNS configuration file + (including GSS-TSIG configuration), and details as to some of the other + configuration changes that may be necessary. - :param path: Path of the new file. - :param setup_path": Setup path function. + :param path_zone: Path of the new zone file. + :param path_conf: Path of the config stubs file. + :param setup_path: Setup path function. :param samdb: SamDB object :param dnsdomain: DNS Domain name :param domaindn: DN of the Domain @@ -1307,7 +1316,7 @@ def create_zone_file(path, setup_path, samdb, dnsdomain, domaindn, hostip6_base_line = " IN AAAA " + hostip6 hostip6_host_line = hostname + " IN AAAA " + hostip6 - setup_file(setup_path("provision.zone"), path, { + setup_file(setup_path("provision.zone"), path_zone, { "DNSPASS_B64": b64encode(dnspass), "HOSTNAME": hostname, "DNSDOMAIN": dnsdomain, @@ -1321,6 +1330,15 @@ def create_zone_file(path, setup_path, samdb, dnsdomain, domaindn, "HOSTIP6_HOST_LINE": hostip6_host_line, }) + setup_file(setup_path("named.conf"), path_conf, { + "DNSDOMAIN": dnsdomain, + "REALM": realm, + "REALM_WC": "*." + ".".join(realm.split(".")[1:]), + "HOSTNAME": hostname, + "DNS_KEYTAB": keytab_name, + "DNS_KEYTAB_ABS": os.path.join(private_dir, keytab_name), + }) + def load_schema(setup_path, samdb, schemadn, netbiosname, configdn, sitename): """Load schema for the SamDB. diff --git a/source4/setup/named.conf b/source4/setup/named.conf index 025788093e..9cf0b48a7c 100644 --- a/source4/setup/named.conf +++ b/source4/setup/named.conf @@ -3,35 +3,116 @@ # the BIND nameserver. # -# If you have a very recent BIND, supporting GSS-TSIG, -# insert this into options {} (otherwise omit, it is not required if we don't accept updates) -tkey-gssapi-credential "DNS/${DNSDOMAIN}"; -tkey-domain "${REALM}"; - -# You should always include the actual zone configuration reference: +# You should always include the actual forward zone configuration: zone "${DNSDOMAIN}." IN { - type master; - file "${DNSDOMAIN}.zone"; + type master; + file "${DNSDOMAIN}.zone"; update-policy { - /* use ANY only for Domain controllers for now */ - /* for normal machines A AAAA PTR is probbaly all is needed */ - grant ${HOSTNAME}.${DNSDOMAIN}@${REALM} name ${HOSTNAME}.${DNSDOMAIN} ANY; + /* + * A rather long description here, as the "ms-self" option does + * not appear in any docs yet (it can only be found in the + * source code). + * + * The short of it is that each host is allowed to update its + * own A and AAAA records, when the update request is properly + * signed by the host itself. + * + * The long description is (look at the + * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and + * its definition in lib/dns/gssapictx.c for details): + * + * A GSS-TSIG update request will be signed by a given signer + * (e.g. machine-name$@${REALM}). The signer name is split into + * the machine component (e.g. "machine-name") and the realm + * component (e.g. "${REALM}"). The update is allowed if the + * following conditions are met: + * + * 1) The machine component of the signer name matches the first + * (host) component of the FQDN that is being updated. + * + * 2) The realm component of the signer name matches the realm + * in the grant statement below (${REALM}). + * + * 3) The domain component of the FQDN that is being updated + * matches the realm in the grant statement below. + * + * If the 3 conditions above are satisfied, the update succeeds. + */ + grant ${REALM} ms-self * A AAAA; }; }; -# Also, you need to change your init scripts to set this environment variable -# for named: KRB5_KTNAME so that it points to the keytab generated. -# In RedHat derived systems such RHEL/CentOS/Fedora you can add the following -# line to the /etc/sysconfig/named file: -# export KRB5_KTNAME=${DNS_KEYTAB_ABS} -# -# Please note that most distributions have BIND configured to run under -# a non-root user account. For example, Fedora Core 6 (FC6) runs BIND as -# the user "named" once the daemon relinquishes its rights. Therefore, -# the file "${DNS_KEYTAB}" must be readable by the user that BIND run as. -# If BIND is running as a non-root user, the "${DNS_KEYTAB}" file must have its -# permissions altered to allow the daemon to read it. In the FC6 -# example, execute the commands: -# -# chgrp named ${DNS_KEYTAB_ABS} -# chmod g+r ${DNS_KEYTAB_ABS} +# The reverse zone configuration is optional. The following example assumes a +# subnet of 192.168.123.0/24: +zone "123.168.192.in-addr.arpa" in { + type master; + file "123.168.192.in-addr.arpa.zone"; + update-policy { + grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR; + }; +}; +# Note that the reverse zone file is not created during the provision process. + +# The most recent BIND version (9.5.0a5 or later) supports secure GSS-TSIG +# updates. If you are running an earlier version of BIND, or if you do not wish +# to use secure GSS-TSIG updates, you may remove the update-policy sections in +# both examples above. + +# If you are running a capable version of BIND and you wish to support secure +# GSS-TSIG updates, you must make the following configuration changes: + +# - Insert the following lines into the options {} section of your named.conf +# file: +tkey-gssapi-credential "DNS/${DNSDOMAIN}"; +tkey-domain "${REALM}"; + +# - Add settings for the ${REALM} realm to the Kerberos configuration on the DNS +# server. The easiest way is to add the following blocks to the appropriate +# sections in /etc/krb5.conf: +[realms] + ${REALM} = { + kdc = ${HOSTNAME}.${DNSDOMAIN}:88 + admin_server = ${HOSTNAME}.${DNSDOMAIN}:749 + default_domain = ${DNSDOMAIN} + } + +[domain_realm] + .${DNSDOMAIN} = ${REALM} + ${DNSDOMAIN} = ${REALM} + +# - Modify BIND init scripts to pass the location of the generated keytab file. +# Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named +# for this purpose: +KEYTAB_FILE="${DNS_KEYTAB_ABS}" +# Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a +# variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon. If +# your distribution does not provide a variable like KEYTAB_FILE to pass a +# keytab file to the BIND daemon, a workaround is to place the following line in +# BIND's sysconfig file or in the init script for BIND: +export KRB5_KTNAME="${DNS_KEYTAB_ABS}" + +# - Set appropriate ownership and permissions on the ${DNS_KEYTAB} file. Note +# that most distributions have BIND configured to run under a non-root user +# account. For example, Fedora 9 runs BIND as the user "named" once the daemon +# relinquishes its rights. Therefore, the file ${DNS_KEYTAB} must be readable +# by the user that BIND run as. If BIND is running as a non-root user, the +# "${DNS_KEYTAB}" file must have its permissions altered to allow the daemon to +# read it. Under Fedora 9, execute the following commands: +chgrp named ${DNS_KEYTAB_ABS} +chmod g+r ${DNS_KEYTAB_ABS} + +# - Ensure the BIND zone file(s) that will be dynamically updated are in a +# directory where the BIND daemon can write. When BIND performs dynamic +# updates, it not only needs to update the zone file itself but it must also +# create a journal (.jnl) file to track the dynamic updates as they occur. +# Under Fedora 9, the /var/named directory can not be written to by the "named" +# user. However, the directory /var/named/dynamic directory does provide write +# access. Therefore the zone files were placed under the /var/named/dynamic +# directory. The file directives in both example zone statements at the +# beginning of this file were changed by prepending the directory "dynamic/". + +# - If SELinux is enabled, ensure that all files have the appropriate SELinux +# file contexts. The ${DNS_KEYTAB} file must be accessible by the BIND daemon +# and should have a SELinux type of named_conf_t. This can be set with the +# following command: +chcon -t named_conf_t ${DNS_KEYTAB_ABS} diff --git a/source4/setup/secrets_dc.ldif b/source4/setup/secrets_dc.ldif index 71c7fc2f5b..abc5860cf7 100644 --- a/source4/setup/secrets_dc.ldif +++ b/source4/setup/secrets_dc.ldif @@ -33,6 +33,7 @@ objectClass: secret objectClass: kerberosSecret realm: ${REALM} servicePrincipalName: DNS/${DNSDOMAIN} +msDS-KeyVersionNumber: 1 privateKeytab: ${DNS_KEYTAB} secret:: ${DNSPASS_B64} diff --git a/source4/torture/ldap/cldap.c b/source4/torture/ldap/cldap.c index a77920d4e6..5d4acd581b 100644 --- a/source4/torture/ldap/cldap.c +++ b/source4/torture/ldap/cldap.c @@ -144,18 +144,38 @@ static bool test_cldap_netlogon(struct torture_context *tctx, const char *dest) CHECK_STATUS(status, NT_STATUS_NOT_FOUND); printf("Trying with a AAC\n"); - search.in.acct_control = 0x180; + search.in.acct_control = ACB_WSTRUST|ACB_SVRTRUST; search.in.realm = n1.nt5_ex.dns_domain; status = cldap_netlogon(cldap, tctx, &search); CHECK_STATUS(status, NT_STATUS_OK); CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX); CHECK_STRING(search.out.netlogon.nt5_ex.user_name, ""); + printf("Trying with a zero AAC\n"); + search.in.acct_control = 0x0; + search.in.realm = n1.nt5_ex.dns_domain; + status = cldap_netlogon(cldap, tctx, &search); + CHECK_STATUS(status, NT_STATUS_OK); + CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX); + CHECK_STRING(search.out.netlogon.nt5_ex.user_name, ""); + + printf("Trying with a zero AAC and user=Administrator\n"); + search.in.acct_control = 0x0; + search.in.user = "Administrator"; + search.in.realm = n1.nt5_ex.dns_domain; + status = cldap_netlogon(cldap, tctx, &search); + CHECK_STATUS(status, NT_STATUS_OK); + CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN_EX); + CHECK_STRING(search.out.netlogon.nt5_ex.user_name, "Administrator"); + printf("Trying with a bad AAC\n"); + search.in.user = NULL; search.in.acct_control = 0xFF00FF00; search.in.realm = n1.nt5_ex.dns_domain; status = cldap_netlogon(cldap, tctx, &search); CHECK_STATUS(status, NT_STATUS_OK); + CHECK_VAL(search.out.netlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX); + CHECK_STRING(search.out.netlogon.nt5_ex.user_name, ""); printf("Trying with a user only\n"); search = empty_search; diff --git a/source4/torture/nbt/dgram.c b/source4/torture/nbt/dgram.c index 2bc3d3d75e..887c6f32ab 100644 --- a/source4/torture/nbt/dgram.c +++ b/source4/torture/nbt/dgram.c @@ -42,19 +42,24 @@ static void netlogon_handler(struct dgram_mailslot_handler *dgmslot, struct socket_address *src) { NTSTATUS status; - struct nbt_netlogon_response netlogon; - int *replies = (int *)dgmslot->private; + struct nbt_netlogon_response *netlogon = dgmslot->private; + dgmslot->private = netlogon = talloc(dgmslot, struct nbt_netlogon_response); + + if (!dgmslot->private) { + return; + } + printf("netlogon reply from %s:%d\n", src->addr, src->port); - status = dgram_mailslot_netlogon_parse_response(dgmslot, dgmslot, packet, &netlogon); + /* Fills in the netlogon pointer */ + status = dgram_mailslot_netlogon_parse_response(dgmslot, netlogon, packet, netlogon); if (!NT_STATUS_IS_OK(status)) { printf("Failed to parse netlogon packet from %s:%d\n", src->addr, src->port); return; } - - (*replies)++; + } @@ -67,10 +72,10 @@ static bool nbt_test_netlogon(struct torture_context *tctx) struct socket_address *dest; const char *myaddress; struct nbt_netlogon_packet logon; + struct nbt_netlogon_response *response; struct nbt_name myname; NTSTATUS status; struct timeval tv = timeval_current(); - int replies = 0; struct socket_address *socket_address; @@ -78,7 +83,7 @@ static bool nbt_test_netlogon(struct torture_context *tctx) struct nbt_name name; struct interface *ifaces; - + name.name = lp_workgroup(tctx->lp_ctx); name.type = NBT_NAME_LOGON; name.scope = NULL; @@ -112,7 +117,7 @@ static bool nbt_test_netlogon(struct torture_context *tctx) /* setup a temporary mailslot listener for replies */ dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC, - netlogon_handler, &replies); + netlogon_handler, NULL); ZERO_STRUCT(logon); logon.command = LOGON_PRIMARY_QUERY; @@ -134,10 +139,17 @@ static bool nbt_test_netlogon(struct torture_context *tctx) &myname, &logon); torture_assert_ntstatus_ok(tctx, status, "Failed to send netlogon request"); - while (timeval_elapsed(&tv) < 5 && replies == 0) { + while (timeval_elapsed(&tv) < 5 && !dgmslot->private) { event_loop_once(dgmsock->event_ctx); } + response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response); + + torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet"); + + torture_assert(tctx, response->response_type == NETLOGON_GET_PDC, "Got incorrect type of netlogon response"); + torture_assert(tctx, response->get_pdc.command == NETLOGON_RESPONSE_FROM_PDC, "Got incorrect netlogon response command"); + return true; } @@ -151,10 +163,10 @@ static bool nbt_test_netlogon2(struct torture_context *tctx) struct socket_address *dest; const char *myaddress; struct nbt_netlogon_packet logon; + struct nbt_netlogon_response *response; struct nbt_name myname; NTSTATUS status; struct timeval tv = timeval_current(); - int replies = 0; struct socket_address *socket_address; @@ -198,7 +210,7 @@ static bool nbt_test_netlogon2(struct torture_context *tctx) /* setup a temporary mailslot listener for replies */ dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC, - netlogon_handler, &replies); + netlogon_handler, NULL); ZERO_STRUCT(logon); @@ -207,7 +219,7 @@ static bool nbt_test_netlogon2(struct torture_context *tctx) logon.req.logon.computer_name = TEST_NAME; logon.req.logon.user_name = ""; logon.req.logon.mailslot_name = dgmslot->mailslot_name; - logon.req.logon.nt_version = 11; + logon.req.logon.nt_version = NETLOGON_NT_VERSION_5EX_WITH_IP|NETLOGON_NT_VERSION_5|NETLOGON_NT_VERSION_1; logon.req.logon.lmnt_token = 0xFFFF; logon.req.logon.lm20_token = 0xFFFF; @@ -222,10 +234,24 @@ static bool nbt_test_netlogon2(struct torture_context *tctx) &myname, &logon); torture_assert_ntstatus_ok(tctx, status, "Failed to send netlogon request"); - while (timeval_elapsed(&tv) < 5 && replies == 0) { + while (timeval_elapsed(&tv) < 5 && dgmslot->private == NULL) { event_loop_once(dgmsock->event_ctx); } + response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response); + + torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet"); + + torture_assert_int_equal(tctx, response->response_type, NETLOGON_SAMLOGON, "Got incorrect type of netlogon response"); + map_netlogon_samlogon_response(&response->samlogon); + + torture_assert_int_equal(tctx, response->samlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE_EX, "Got incorrect netlogon response command"); + torture_assert_int_equal(tctx, response->samlogon.nt5_ex.nt_version, NETLOGON_NT_VERSION_5EX_WITH_IP|NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_1, "Got incorrect netlogon response command"); + + /* setup (another) temporary mailslot listener for replies */ + dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC, + netlogon_handler, NULL); + ZERO_STRUCT(logon); logon.command = LOGON_SAM_LOGON_REQUEST; logon.req.logon.request_count = 0; @@ -247,15 +273,109 @@ static bool nbt_test_netlogon2(struct torture_context *tctx) &myname, &logon); torture_assert_ntstatus_ok(tctx, status, "Failed to send netlogon request"); - while (timeval_elapsed(&tv) < 5 && replies == 0) { + while (timeval_elapsed(&tv) < 5 && dgmslot->private == NULL) { event_loop_once(dgmsock->event_ctx); } + response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response); + + torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet"); + + torture_assert_int_equal(tctx, response->response_type, NETLOGON_SAMLOGON, "Got incorrect type of netlogon response"); + map_netlogon_samlogon_response(&response->samlogon); + + torture_assert_int_equal(tctx, response->samlogon.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN, "Got incorrect netlogon response command"); + + torture_assert_str_equal(tctx, response->samlogon.nt5_ex.user_name, TEST_NAME"$", "Got incorrect user in netlogon response"); + join_ctx = torture_join_domain(tctx, TEST_NAME, ACB_WSTRUST, &machine_credentials); dom_sid = torture_join_sid(join_ctx); + /* setup (another) temporary mailslot listener for replies */ + dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC, + netlogon_handler, NULL); + + ZERO_STRUCT(logon); + logon.command = LOGON_SAM_LOGON_REQUEST; + logon.req.logon.request_count = 0; + logon.req.logon.computer_name = TEST_NAME; + logon.req.logon.user_name = TEST_NAME"$"; + logon.req.logon.mailslot_name = dgmslot->mailslot_name; + logon.req.logon.sid = *dom_sid; + logon.req.logon.nt_version = 1; + logon.req.logon.lmnt_token = 0xFFFF; + logon.req.logon.lm20_token = 0xFFFF; + + make_nbt_name_client(&myname, TEST_NAME); + + dest = socket_address_from_strings(dgmsock, dgmsock->sock->backend_name, + address, lp_dgram_port(tctx->lp_ctx)); + + torture_assert(tctx, dest != NULL, "Error getting address"); + status = dgram_mailslot_netlogon_send(dgmsock, &name, dest, + NBT_MAILSLOT_NETLOGON, + &myname, &logon); + torture_assert_ntstatus_ok(tctx, status, "Failed to send netlogon request"); + + + while (timeval_elapsed(&tv) < 5 && dgmslot->private == NULL) { + event_loop_once(dgmsock->event_ctx); + } + + response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response); + + torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet"); + + torture_assert_int_equal(tctx, response->response_type, NETLOGON_SAMLOGON, "Got incorrect type of netlogon response"); + map_netlogon_samlogon_response(&response->samlogon); + + torture_assert_int_equal(tctx, response->samlogon.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN, "Got incorrect netlogon response command"); + + /* setup (another) temporary mailslot listener for replies */ + dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC, + netlogon_handler, NULL); + + ZERO_STRUCT(logon); + logon.command = LOGON_SAM_LOGON_REQUEST; + logon.req.logon.request_count = 0; + logon.req.logon.computer_name = TEST_NAME; + logon.req.logon.user_name = TEST_NAME"$"; + logon.req.logon.mailslot_name = dgmslot->mailslot_name; + logon.req.logon.sid = *dom_sid; + logon.req.logon.acct_control = ACB_WSTRUST; + logon.req.logon.nt_version = 1; + logon.req.logon.lmnt_token = 0xFFFF; + logon.req.logon.lm20_token = 0xFFFF; + + make_nbt_name_client(&myname, TEST_NAME); + + dest = socket_address_from_strings(dgmsock, dgmsock->sock->backend_name, + address, lp_dgram_port(tctx->lp_ctx)); + + torture_assert(tctx, dest != NULL, "Error getting address"); + status = dgram_mailslot_netlogon_send(dgmsock, &name, dest, + NBT_MAILSLOT_NETLOGON, + &myname, &logon); + torture_assert_ntstatus_ok(tctx, status, "Failed to send netlogon request"); + + + while (timeval_elapsed(&tv) < 5 && dgmslot->private == NULL) { + event_loop_once(dgmsock->event_ctx); + } + + response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response); + + torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet"); + + torture_assert_int_equal(tctx, response->response_type, NETLOGON_SAMLOGON, "Got incorrect type of netlogon response"); + map_netlogon_samlogon_response(&response->samlogon); + + torture_assert_int_equal(tctx, response->samlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE, "Got incorrect netlogon response command"); + + dgmslot->private = NULL; + ZERO_STRUCT(logon); logon.command = LOGON_SAM_LOGON_REQUEST; logon.req.logon.request_count = 0; @@ -263,6 +383,7 @@ static bool nbt_test_netlogon2(struct torture_context *tctx) logon.req.logon.user_name = TEST_NAME"$"; logon.req.logon.mailslot_name = dgmslot->mailslot_name; logon.req.logon.sid = *dom_sid; + logon.req.logon.acct_control = ACB_NORMAL; logon.req.logon.nt_version = 1; logon.req.logon.lmnt_token = 0xFFFF; logon.req.logon.lm20_token = 0xFFFF; @@ -278,10 +399,20 @@ static bool nbt_test_netlogon2(struct torture_context *tctx) &myname, &logon); torture_assert_ntstatus_ok(tctx, status, "Failed to send netlogon request"); - while (timeval_elapsed(&tv) < 5 && replies == 0) { + + while (timeval_elapsed(&tv) < 5 && dgmslot->private == NULL) { event_loop_once(dgmsock->event_ctx); } + response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response); + + torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet"); + + torture_assert_int_equal(tctx, response->response_type, NETLOGON_SAMLOGON, "Got incorrect type of netlogon response"); + map_netlogon_samlogon_response(&response->samlogon); + + torture_assert_int_equal(tctx, response->samlogon.nt5_ex.command, LOGON_SAM_LOGON_USER_UNKNOWN, "Got incorrect netlogon response command"); + torture_leave_domain(join_ctx); return true; } @@ -295,14 +426,15 @@ static bool nbt_test_ntlogon(struct torture_context *tctx) lp_iconv_convenience(tctx->lp_ctx)); struct socket_address *dest; struct test_join *join_ctx; + const struct dom_sid *dom_sid; struct cli_credentials *machine_credentials; const char *myaddress; struct nbt_netlogon_packet logon; + struct nbt_netlogon_response *response; struct nbt_name myname; NTSTATUS status; struct timeval tv = timeval_current(); - int replies = 0; struct socket_address *socket_address; const char *address; @@ -342,13 +474,60 @@ static bool nbt_test_ntlogon(struct torture_context *tctx) join_ctx = torture_join_domain(tctx, TEST_NAME, ACB_WSTRUST, &machine_credentials); + dom_sid = torture_join_sid(join_ctx); + torture_assert(tctx, join_ctx != NULL, talloc_asprintf(tctx, "Failed to join domain %s as %s\n", lp_workgroup(tctx->lp_ctx), TEST_NAME)); /* setup a temporary mailslot listener for replies */ dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC, - netlogon_handler, &replies); + netlogon_handler, NULL); + + + ZERO_STRUCT(logon); + logon.command = LOGON_SAM_LOGON_REQUEST; + logon.req.logon.request_count = 0; + logon.req.logon.computer_name = TEST_NAME; + logon.req.logon.user_name = TEST_NAME"$"; + logon.req.logon.mailslot_name = dgmslot->mailslot_name; + logon.req.logon.acct_control = ACB_WSTRUST; + /* Try with a SID this time */ + logon.req.logon.sid = *dom_sid; + logon.req.logon.nt_version = 1; + logon.req.logon.lmnt_token = 0xFFFF; + logon.req.logon.lm20_token = 0xFFFF; + + make_nbt_name_client(&myname, TEST_NAME); + + dest = socket_address_from_strings(dgmsock, dgmsock->sock->backend_name, + address, lp_dgram_port(tctx->lp_ctx)); + torture_assert(tctx, dest != NULL, "Error getting address"); + status = dgram_mailslot_netlogon_send(dgmsock, + &name, dest, + NBT_MAILSLOT_NTLOGON, + &myname, &logon); + torture_assert_ntstatus_ok(tctx, status, "Failed to send ntlogon request"); + + while (timeval_elapsed(&tv) < 5 && dgmslot->private == NULL) { + event_loop_once(dgmsock->event_ctx); + } + + response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response); + + torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet"); + + torture_assert_int_equal(tctx, response->response_type, NETLOGON_SAMLOGON, "Got incorrect type of netlogon response"); + map_netlogon_samlogon_response(&response->samlogon); + + torture_assert_int_equal(tctx, response->samlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE, "Got incorrect netlogon response command"); + + torture_assert_str_equal(tctx, response->samlogon.nt5_ex.user_name, TEST_NAME"$", "Got incorrect user in netlogon response"); + + + /* setup a temporary mailslot listener for replies */ + dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC, + netlogon_handler, NULL); ZERO_STRUCT(logon); @@ -374,10 +553,26 @@ static bool nbt_test_ntlogon(struct torture_context *tctx) &myname, &logon); torture_assert_ntstatus_ok(tctx, status, "Failed to send ntlogon request"); - while (timeval_elapsed(&tv) < 5 && replies == 0) { + while (timeval_elapsed(&tv) < 5 && dgmslot->private == NULL) { event_loop_once(dgmsock->event_ctx); } + response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response); + + torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet"); + + torture_assert_int_equal(tctx, response->response_type, NETLOGON_SAMLOGON, "Got incorrect type of netlogon response"); + map_netlogon_samlogon_response(&response->samlogon); + + torture_assert_int_equal(tctx, response->samlogon.nt5_ex.command, LOGON_SAM_LOGON_RESPONSE, "Got incorrect netlogon response command"); + + torture_assert_str_equal(tctx, response->samlogon.nt5_ex.user_name, TEST_NAME"$", "Got incorrect user in netlogon response"); + + + /* setup (another) temporary mailslot listener for replies */ + dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC, + netlogon_handler, NULL); + ZERO_STRUCT(logon); logon.command = LOGON_PRIMARY_QUERY; logon.req.pdc.computer_name = TEST_NAME; @@ -398,11 +593,55 @@ static bool nbt_test_ntlogon(struct torture_context *tctx) &myname, &logon); torture_assert_ntstatus_ok(tctx, status, "Failed to send ntlogon request"); - while (timeval_elapsed(&tv) < 5 && replies == 0) { + while (timeval_elapsed(&tv) < 5 && !dgmslot->private) { event_loop_once(dgmsock->event_ctx); } + response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response); + + torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet"); + + torture_assert_int_equal(tctx, response->response_type, NETLOGON_GET_PDC, "Got incorrect type of ntlogon response"); + torture_assert_int_equal(tctx, response->get_pdc.command, NETLOGON_RESPONSE_FROM_PDC, "Got incorrect ntlogon response command"); + torture_leave_domain(join_ctx); + + /* setup (another) temporary mailslot listener for replies */ + dgmslot = dgram_mailslot_temp(dgmsock, NBT_MAILSLOT_GETDC, + netlogon_handler, NULL); + + ZERO_STRUCT(logon); + logon.command = LOGON_PRIMARY_QUERY; + logon.req.pdc.computer_name = TEST_NAME; + logon.req.pdc.mailslot_name = dgmslot->mailslot_name; + logon.req.pdc.unicode_name = TEST_NAME; + logon.req.pdc.nt_version = 1; + logon.req.pdc.lmnt_token = 0xFFFF; + logon.req.pdc.lm20_token = 0xFFFF; + + make_nbt_name_client(&myname, TEST_NAME); + + dest = socket_address_from_strings(dgmsock, dgmsock->sock->backend_name, + address, lp_dgram_port(tctx->lp_ctx)); + torture_assert(tctx, dest != NULL, "Error getting address"); + status = dgram_mailslot_netlogon_send(dgmsock, + &name, dest, + NBT_MAILSLOT_NTLOGON, + &myname, &logon); + torture_assert_ntstatus_ok(tctx, status, "Failed to send ntlogon request"); + + while (timeval_elapsed(&tv) < 5 && !dgmslot->private) { + event_loop_once(dgmsock->event_ctx); + } + + response = talloc_get_type(dgmslot->private, struct nbt_netlogon_response); + + torture_assert(tctx, response != NULL, "Failed to receive a netlogon reply packet"); + + torture_assert_int_equal(tctx, response->response_type, NETLOGON_GET_PDC, "Got incorrect type of ntlogon response"); + torture_assert_int_equal(tctx, response->get_pdc.command, NETLOGON_RESPONSE_FROM_PDC, "Got incorrect ntlogon response command"); + + return true; } |