diff options
Diffstat (limited to 'source4')
-rw-r--r-- | source4/cldap_server/netlogon.c | 72 | ||||
-rw-r--r-- | source4/nbt_server/dgram/netlogon.c | 17 |
2 files changed, 78 insertions, 11 deletions
diff --git a/source4/cldap_server/netlogon.c b/source4/cldap_server/netlogon.c index b59a54ade7..b2a034d5a4 100644 --- a/source4/cldap_server/netlogon.c +++ b/source4/cldap_server/netlogon.c @@ -42,6 +42,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, const char *domain, + const char *netbios_domain, struct dom_sid *domain_sid, const char *domain_guid, const char *user, @@ -114,6 +115,45 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, } } + if (netbios_domain) { + struct ldb_dn *dom_dn; + /* try and find the domain */ + + ret = ldb_search_exp_fmt(sam_ctx, mem_ctx, &ref_res, + partitions_basedn, LDB_SCOPE_ONELEVEL, + ref_attrs, + "(&(objectClass=crossRef)(ncName=*)(nETBIOSName=%s))", + netbios_domain); + + if (ret != LDB_SUCCESS) { + DEBUG(2,("Unable to find referece to '%s' in sam: %s\n", + netbios_domain, + ldb_errstring(sam_ctx))); + return NT_STATUS_NO_SUCH_DOMAIN; + } else if (ref_res->count == 1) { + talloc_steal(mem_ctx, dom_res); + dom_dn = ldb_msg_find_attr_as_dn(sam_ctx, mem_ctx, ref_res->msgs[0], "ncName"); + if (!dom_dn) { + return NT_STATUS_NO_SUCH_DOMAIN; + } + ret = ldb_search(sam_ctx, dom_dn, + LDB_SCOPE_BASE, "objectClass=domain", + dom_attrs, &dom_res); + if (ret != LDB_SUCCESS) { + DEBUG(2,("Error finding domain '%s'/'%s' in sam: %s\n", domain, ldb_dn_get_linearized(dom_dn), ldb_errstring(sam_ctx))); + return NT_STATUS_NO_SUCH_DOMAIN; + } + talloc_steal(mem_ctx, dom_res); + if (dom_res->count != 1) { + DEBUG(2,("Error finding domain '%s'/'%s' in sam\n", domain, ldb_dn_get_linearized(dom_dn))); + return NT_STATUS_NO_SUCH_DOMAIN; + } + } else if (ref_res->count > 1) { + talloc_free(ref_res); + return NT_STATUS_NO_SUCH_DOMAIN; + } + } + if ((dom_res == NULL || dom_res->count == 0) && (domain_guid || domain_sid)) { ref_res = NULL; @@ -211,11 +251,16 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, ZERO_STRUCTP(netlogon); if (version & NETLOGON_NT_VERSION_5EX) { - uint32_t extra_flags; + uint32_t extra_flags = 0; netlogon->ntver = NETLOGON_NT_VERSION_5EX; /* could check if the user exists */ - netlogon->nt5_ex.command = LOGON_SAM_LOGON_RESPONSE_EX; + if (!user) { + user = ""; + netlogon->nt5_ex.command = LOGON_SAM_LOGON_RESPONSE_EX; + } else { + netlogon->nt5_ex.command = LOGON_SAM_LOGON_USER_UNKNOWN_EX; + } netlogon->nt5_ex.server_type = server_type; netlogon->nt5_ex.domain_uuid = domain_uuid; netlogon->nt5_ex.forest = realm; @@ -232,8 +277,9 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, extra_flags = NETLOGON_NT_VERSION_5EX_WITH_IP; netlogon->nt5_ex.sockaddr.sa_family = 2; netlogon->nt5_ex.sockaddr.pdc_ip = pdc_ip; + netlogon->nt5_ex.sockaddr.remaining = data_blob(NULL, 4); } - netlogon->nt5_ex.nt_version = NETLOGON_NT_VERSION_1|NETLOGON_NT_VERSION_5|extra_flags; + netlogon->nt5_ex.nt_version = NETLOGON_NT_VERSION_1|NETLOGON_NT_VERSION_5EX|extra_flags; netlogon->nt5_ex.lmnt_token = 0xFFFF; netlogon->nt5_ex.lm20_token = 0xFFFF; @@ -241,7 +287,12 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, netlogon->ntver = NETLOGON_NT_VERSION_5; /* could check if the user exists */ - netlogon->nt5.command = LOGON_SAM_LOGON_RESPONSE; + if (!user) { + user = ""; + netlogon->nt5.command = LOGON_SAM_LOGON_RESPONSE; + } else { + netlogon->nt5.command = LOGON_SAM_LOGON_USER_UNKNOWN; + } netlogon->nt5.pdc_name = pdc_name; netlogon->nt5.user_name = user; netlogon->nt5.domain_name = flatname; @@ -254,17 +305,22 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx, netlogon->nt5.nt_version = NETLOGON_NT_VERSION_1|NETLOGON_NT_VERSION_5; netlogon->nt5.lmnt_token = 0xFFFF; netlogon->nt5.lm20_token = 0xFFFF; - } else { + + } else /* (version & NETLOGON_NT_VERSION_1) and all other cases */ { netlogon->ntver = NETLOGON_NT_VERSION_1; /* could check if the user exists */ - netlogon->nt4.command = LOGON_SAM_LOGON_RESPONSE; + if (!user) { + user = ""; + netlogon->nt4.command = LOGON_SAM_LOGON_RESPONSE; + } else { + netlogon->nt4.command = LOGON_SAM_LOGON_USER_UNKNOWN; + } netlogon->nt4.server = pdc_name; netlogon->nt4.user_name = user; netlogon->nt4.domain = flatname; netlogon->nt4.nt_version = NETLOGON_NT_VERSION_1; netlogon->nt4.lmnt_token = 0xFFFF; netlogon->nt4.lm20_token = 0xFFFF; - } return NT_STATUS_OK; @@ -349,7 +405,7 @@ void cldapd_netlogon_request(struct cldap_socket *cldap, DEBUG(5,("cldap netlogon query domain=%s host=%s user=%s version=%d guid=%s\n", domain, host, user, version, domain_guid)); - status = fill_netlogon_samlogon_response(cldapd->samctx, tmp_ctx, domain, NULL, domain_guid, + status = fill_netlogon_samlogon_response(cldapd->samctx, tmp_ctx, domain, NULL, NULL, domain_guid, user, src->addr, version, cldapd->task->lp_ctx, &netlogon); if (!NT_STATUS_IS_OK(status)) { diff --git a/source4/nbt_server/dgram/netlogon.c b/source4/nbt_server/dgram/netlogon.c index ae24a7cd2b..c66089523b 100644 --- a/source4/nbt_server/dgram/netlogon.c +++ b/source4/nbt_server/dgram/netlogon.c @@ -30,6 +30,7 @@ #include "param/param.h" #include "smbd/service_task.h" #include "cldap_server/cldap_server.h" +#include "libcli/security/security.h" /* reply to a GETDC request @@ -51,8 +52,8 @@ static void nbtd_netlogon_getdc(struct dgram_mailslot_handler *dgmslot, struct nbt_netlogon_response netlogon_response; int ret; - /* only answer getdc requests on the PDC name */ - if (name->type != NBT_NAME_PDC) { + /* only answer getdc requests on the PDC or LOGON names */ + if (name->type != NBT_NAME_PDC && name->type != NBT_NAME_LOGON) { return; } @@ -62,6 +63,11 @@ static void nbtd_netlogon_getdc(struct dgram_mailslot_handler *dgmslot, return; } + if (!samdb_is_pdc(samctx)) { + DEBUG(2, ("Not a PDC, so not processing LOGON_PRIMARY_QUERY\n")); + return; + } + partitions_basedn = samdb_partitions_dn(samctx, packet); ret = gendb_search(samctx, packet, partitions_basedn, &ref_res, ref_attrs, @@ -130,6 +136,7 @@ static void nbtd_netlogon_samlogon(struct dgram_mailslot_handler *dgmslot, if (netlogon->req.logon.sid_size) { if (strcasecmp(mailslot_name, NBT_MAILSLOT_NTLOGON) == 0) { + DEBUG(2,("NBT netlogon query failed because SID specified in request to NTLOGON\n")); /* SID not permitted on NTLOGON (for some reason...) */ return; } @@ -138,13 +145,17 @@ static void nbtd_netlogon_samlogon(struct dgram_mailslot_handler *dgmslot, sid = NULL; } - status = fill_netlogon_samlogon_response(samctx, packet, name->name, sid, NULL, + status = fill_netlogon_samlogon_response(samctx, packet, NULL, name->name, sid, NULL, netlogon->req.logon.user_name, src->addr, netlogon->req.logon.nt_version, iface->nbtsrv->task->lp_ctx, &netlogon_response.samlogon); if (!NT_STATUS_IS_OK(status)) { + DEBUG(2,("NBT netlogon query failed domain=%s sid=%s version=%d - %s\n", + name->name, dom_sid_string(packet, sid), netlogon->req.logon.nt_version, nt_errstr(status))); return; } + netlogon_response.response_type = NETLOGON_SAMLOGON; + packet->data.msg.dest_name.type = 0; dgram_mailslot_netlogon_reply(reply_iface->dgmsock, |