From f62d9f5b5774c6066229ce029bc7c96f8478a3b1 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 25 Jun 2009 12:00:20 +0200 Subject: s3-netlogon: fix validation level 2 support in netr_SamLogon and friends. Guenther --- source3/include/proto.h | 4 ++ source3/rpc_server/srv_netlog_nt.c | 38 ++++++++---- source3/rpc_server/srv_pipe_hnd.c | 121 ++++++++++++++++++++++++++----------- 3 files changed, 116 insertions(+), 47 deletions(-) diff --git a/source3/include/proto.h b/source3/include/proto.h index d55d6c1976..17d754c832 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -5605,6 +5605,10 @@ void init_netr_SamInfo3(struct netr_SamInfo3 *r, uint32_t acct_flags, uint32_t sidcount, struct netr_SidAttr *sids); +NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, + uint8_t *pipe_session_key, + size_t pipe_session_key_len, + struct netr_SamInfo2 *sam2); NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info, uint8_t *pipe_session_key, size_t pipe_session_key_len, diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 906de04147..c74d2acc4a 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -851,7 +851,6 @@ NTSTATUS _netr_LogonSamLogon(pipes_struct *p, struct netr_LogonSamLogon *r) { NTSTATUS status = NT_STATUS_OK; - struct netr_SamInfo3 *sam3 = NULL; union netr_LogonLevel *logon = r->in.logon; fstring nt_username, nt_domain, nt_workstation; auth_usersupplied_info *user_info = NULL; @@ -883,20 +882,26 @@ NTSTATUS _netr_LogonSamLogon(pipes_struct *p, } *r->out.authoritative = true; /* authoritative response */ - if (r->in.validation_level != 2 && r->in.validation_level != 3) { + + switch (r->in.validation_level) { + case 2: + r->out.validation->sam2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo2); + if (!r->out.validation->sam2) { + return NT_STATUS_NO_MEMORY; + } + break; + case 3: + r->out.validation->sam3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo3); + if (!r->out.validation->sam3) { + return NT_STATUS_NO_MEMORY; + } + break; + default: DEBUG(0,("%s: bad validation_level value %d.\n", fn, (int)r->in.validation_level)); return NT_STATUS_INVALID_INFO_CLASS; } - sam3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_SamInfo3); - if (!sam3) { - return NT_STATUS_NO_MEMORY; - } - - /* store the user information, if there is any. */ - r->out.validation->sam3 = sam3; - if (process_creds) { /* Get the remote machine name for the creds store. */ @@ -1082,8 +1087,19 @@ NTSTATUS _netr_LogonSamLogon(pipes_struct *p, memcpy(pipe_session_key, p->auth.a_u.schannel_auth->sess_key, 16); } - status = serverinfo_to_SamInfo3(server_info, pipe_session_key, 16, sam3); + switch (r->in.validation_level) { + case 2: + status = serverinfo_to_SamInfo2(server_info, pipe_session_key, 16, + r->out.validation->sam2); + break; + case 3: + status = serverinfo_to_SamInfo3(server_info, pipe_session_key, 16, + r->out.validation->sam3); + break; + } + TALLOC_FREE(server_info); + return status; } diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c index a17adfb7a0..d79c3f5491 100644 --- a/source3/rpc_server/srv_pipe_hnd.c +++ b/source3/rpc_server/srv_pipe_hnd.c @@ -1514,14 +1514,14 @@ static NTSTATUS nt_token_to_group_list(TALLOC_CTX *mem_ctx, } /**************************************************************************** - inits a netr_SamInfo3 structure from an auth_serversupplied_info. sam3 must - already be initialized and is used as the talloc parent for its members. + inits a netr_SamBaseInfo structure from an auth_serversupplied_info. *****************************************************************************/ -NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info, - uint8_t *pipe_session_key, - size_t pipe_session_key_len, - struct netr_SamInfo3 *sam3) +static NTSTATUS serverinfo_to_SamInfo_base(TALLOC_CTX *mem_ctx, + struct auth_serversupplied_info *server_info, + uint8_t *pipe_session_key, + size_t pipe_session_key_len, + struct netr_SamBaseInfo *base) { struct samu *sampw; struct samr_RidWithAttribute *gids = NULL; @@ -1566,7 +1566,7 @@ NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info, sid_copy(&domain_sid, user_sid); sid_split_rid(&domain_sid, &user_rid); - sid = sid_dup_talloc(sam3, &domain_sid); + sid = sid_dup_talloc(mem_ctx, &domain_sid); if (!sid) { return NT_STATUS_NO_MEMORY; } @@ -1589,7 +1589,7 @@ NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info, my_name = global_myname(); } - status = nt_token_to_group_list(sam3, &domain_sid, + status = nt_token_to_group_list(mem_ctx, &domain_sid, server_info->num_sids, server_info->sids, &num_gids, &gids); @@ -1618,7 +1618,7 @@ NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info, } groups.count = num_gids; - groups.rids = TALLOC_ARRAY(sam3, struct samr_RidWithAttribute, groups.count); + groups.rids = TALLOC_ARRAY(mem_ctx, struct samr_RidWithAttribute, groups.count); if (!groups.rids) { return NT_STATUS_NO_MEMORY; } @@ -1635,35 +1635,84 @@ NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info, unix_to_nt_time(&allow_password_change, pdb_get_pass_can_change_time(sampw)); unix_to_nt_time(&force_password_change, pdb_get_pass_must_change_time(sampw)); - init_netr_SamInfo3(sam3, - last_logon, - last_logoff, - acct_expiry, - last_password_change, - allow_password_change, - force_password_change, - talloc_strdup(sam3, pdb_get_username(sampw)), - talloc_strdup(sam3, pdb_get_fullname(sampw)), - talloc_strdup(sam3, pdb_get_logon_script(sampw)), - talloc_strdup(sam3, pdb_get_profile_path(sampw)), - talloc_strdup(sam3, pdb_get_homedir(sampw)), - talloc_strdup(sam3, pdb_get_dir_drive(sampw)), - 0, /* logon_count */ - 0, /* bad_password_count */ - user_rid, - group_rid, - groups, - NETLOGON_EXTRA_SIDS, - user_session_key, - my_name, - talloc_strdup(sam3, pdb_get_domain(sampw)), - sid, - lm_session_key, - pdb_get_acct_ctrl(sampw), - 0, /* sidcount */ - NULL); /* struct netr_SidAttr *sids */ + init_netr_SamBaseInfo(base, + last_logon, + last_logoff, + acct_expiry, + last_password_change, + allow_password_change, + force_password_change, + talloc_strdup(mem_ctx, pdb_get_username(sampw)), + talloc_strdup(mem_ctx, pdb_get_fullname(sampw)), + talloc_strdup(mem_ctx, pdb_get_logon_script(sampw)), + talloc_strdup(mem_ctx, pdb_get_profile_path(sampw)), + talloc_strdup(mem_ctx, pdb_get_homedir(sampw)), + talloc_strdup(mem_ctx, pdb_get_dir_drive(sampw)), + 0, /* logon_count */ + 0, /* bad_password_count */ + user_rid, + group_rid, + groups, + NETLOGON_EXTRA_SIDS, + user_session_key, + my_name, + talloc_strdup(mem_ctx, pdb_get_domain(sampw)), + sid, + lm_session_key, + pdb_get_acct_ctrl(sampw)); ZERO_STRUCT(user_session_key); ZERO_STRUCT(lm_session_key); return NT_STATUS_OK; } + +/**************************************************************************** + inits a netr_SamInfo2 structure from an auth_serversupplied_info. sam2 must + already be initialized and is used as the talloc parent for its members. +*****************************************************************************/ + +NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info, + uint8_t *pipe_session_key, + size_t pipe_session_key_len, + struct netr_SamInfo2 *sam2) +{ + NTSTATUS status; + + status = serverinfo_to_SamInfo_base(sam2, + server_info, + pipe_session_key, + pipe_session_key_len, + &sam2->base); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return NT_STATUS_OK; +} + +/**************************************************************************** + inits a netr_SamInfo3 structure from an auth_serversupplied_info. sam3 must + already be initialized and is used as the talloc parent for its members. +*****************************************************************************/ + +NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info, + uint8_t *pipe_session_key, + size_t pipe_session_key_len, + struct netr_SamInfo3 *sam3) +{ + NTSTATUS status; + + status = serverinfo_to_SamInfo_base(sam3, + server_info, + pipe_session_key, + pipe_session_key_len, + &sam3->base); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + sam3->sidcount = 0; + sam3->sids = NULL; + + return NT_STATUS_OK; +} -- cgit