From 064e7447bebd715c8351d9a0ee31f648990f2336 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 15 May 2004 07:51:38 +0000 Subject: r743: Start on a NETLOGON server in Samba4. Currently this only authentiates the machine, not real users. As a consequence of running the Samba4 NETLOGON test against Samba4, I found a number of issues in the SAMR server, which I have addressed. There are more templates in the provison.ldif for this reason. I also added some debug to our credentials code, and fixed some bugs in the auth_sam module. The static buffer in generate_random_string() bit me badly, so I removed it in favor of a talloc based system. Andrew Bartlett (This used to be commit 94624e519b66def97758b8a48a01ffe9029176f0) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 467 ++++++++++++++++++++++++++ 1 file changed, 467 insertions(+) create mode 100644 source4/rpc_server/netlogon/dcerpc_netlogon.c (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c new file mode 100644 index 0000000000..0c78ed1864 --- /dev/null +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -0,0 +1,467 @@ +/* + Unix SMB/CIFS implementation. + + endpoint server for the netlogon pipe + + Copyright (C) Andrew Bartlett 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "rpc_server/common/common.h" + +struct server_pipe_state { + TALLOC_CTX *mem_ctx; + struct netr_Credential client_challenge; + struct netr_Credential server_challenge; + BOOL authenticated; + char *account_name; + char *computer_name; /* for logging only */ + uint32 acct_flags; + uint16 sec_chan_type; + struct creds_CredentialState *creds; +}; + +static NTSTATUS netlogon_bind(struct dcesrv_call_state *dce_call, const struct dcesrv_interface *di) +{ + dce_call->conn->private = NULL; + + return NT_STATUS_OK; +} + +/* this function is called when the client disconnects the endpoint */ +static void netlogon_unbind(struct dcesrv_connection *conn, const struct dcesrv_interface *di) +{ + struct server_pipe_state *pipe_state = conn->private; + + if (pipe_state) + talloc_destroy(pipe_state->mem_ctx); + + conn->private = NULL; +} + +#define DCESRV_INTERFACE_NETLOGON_BIND netlogon_bind +#define DCESRV_INTERFACE_NETLOGON_UNBIND netlogon_unbind + +/* + netr_ServerReqChallenge + + NTSTATUS netr_ServerReqChallenge( + [in] unistr *server_name, + [in] unistr computer_name, + [in][out] netr_Credential credentials + ); + +*/ +static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_ServerReqChallenge *r) +{ + struct server_pipe_state *pipe_state = dce_call->conn->private; + TALLOC_CTX *pipe_mem_ctx; + + ZERO_STRUCT(r->out.credentials); + + /* destroyed on pipe shutdown */ + + if (pipe_state) { + talloc_destroy(pipe_state->mem_ctx); + dce_call->conn->private = NULL; + } + + pipe_mem_ctx = talloc_init("internal netlogon pipe state for %s", + r->in.computer_name); + + if (!pipe_mem_ctx) { + return NT_STATUS_NO_MEMORY; + } + + pipe_state = talloc_p(pipe_mem_ctx, struct server_pipe_state); + if (!pipe_state) { + talloc_destroy(pipe_mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + pipe_state->mem_ctx = pipe_mem_ctx; + pipe_state->authenticated = False; + pipe_state->creds = NULL; + pipe_state->account_name = NULL; + pipe_state->computer_name = NULL; + + pipe_state->client_challenge = r->in.credentials; + + generate_random_buffer(pipe_state->server_challenge.data, + sizeof(pipe_state->server_challenge.data), + False); + + r->out.credentials = pipe_state->server_challenge; + + dce_call->conn->private = pipe_state; + + return NT_STATUS_OK; +} + + +/* + netr_ServerAuthenticate + + secure channel types: + + const int SEC_CHAN_WKSTA = 2; + const int SEC_CHAN_DOMAIN = 4; + const int SEC_CHAN_BDC = 6; + + NTSTATUS netr_ServerAuthenticate( + [in] unistr *server_name, + [in] unistr username, + [in] uint16 secure_channel_type, + [in] unistr computer_name, + [in,out] netr_Credential credentials + ); + + +*/ + +static NTSTATUS netr_ServerAuthenticateInternals(struct server_pipe_state *pipe_state, + TALLOC_CTX *mem_ctx, + const char *account_name, + const char *computer_name, + uint16 secure_channel_type, + uint32 in_flags, + const struct netr_Credential *client_credentials, + struct netr_Credential *server_credentials, + uint32 *out_flags) +{ + void *sam_ctx; + uint8 *mach_pwd; + uint16 acct_flags; + int num_records; + struct ldb_message **msgs; + NTSTATUS nt_status; + + const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash", + "userAccountControl", NULL + }; + + ZERO_STRUCTP(server_credentials); + if (out_flags) { + *out_flags = 0; + } + + if (!pipe_state) { + DEBUG(1, ("No challange requested by client, cannot authenticate\n")); + return NT_STATUS_ACCESS_DENIED; + } + + sam_ctx = samdb_connect(); + if (sam_ctx == NULL) { + return NT_STATUS_INVALID_SYSTEM_SERVICE; + } + /* pull the user attributes */ + num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, + "(&(sAMAccountName=%s)(objectclass=user))", + account_name); + + if (num_records == 0) { + DEBUG(3,("Couldn't find user [%s] in passdb file.\n", + account_name)); + samdb_close(sam_ctx); + return NT_STATUS_NO_SUCH_USER; + } + + if (num_records > 1) { + DEBUG(1,("Found %d records matching user [%s]\n", num_records, account_name)); + samdb_close(sam_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + acct_flags = samdb_result_acct_flags(msgs[0], + "userAccountControl"); + + if (acct_flags & ACB_DISABLED) { + DEBUG(1, ("Account [%s] is disabled\n", account_name)); + return NT_STATUS_ACCESS_DENIED; + } + + if (secure_channel_type == SEC_CHAN_WKSTA) { + if (!(acct_flags & ACB_WSTRUST)) { + DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", acct_flags)); + return NT_STATUS_ACCESS_DENIED; + } + } else if (secure_channel_type == SEC_CHAN_DOMAIN) { + if (!(acct_flags & ACB_DOMTRUST)) { + DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", acct_flags)); + return NT_STATUS_ACCESS_DENIED; + } + } else if (secure_channel_type == SEC_CHAN_BDC) { + if (!(acct_flags & ACB_SVRTRUST)) { + DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", acct_flags)); + return NT_STATUS_ACCESS_DENIED; + } + } else { + DEBUG(1, ("Client asked for an invalid secure channel type: %d\n", secure_channel_type)); + return NT_STATUS_ACCESS_DENIED; + } + + pipe_state->acct_flags = acct_flags; + pipe_state->sec_chan_type = secure_channel_type; + + if (!NT_STATUS_IS_OK(nt_status = samdb_result_passwords(mem_ctx, msgs[0], + NULL, &mach_pwd))) { + samdb_close(sam_ctx); + return NT_STATUS_ACCESS_DENIED; + } + + samdb_close(sam_ctx); + + if (!pipe_state->creds) { + pipe_state->creds = talloc_p(mem_ctx, struct creds_CredentialState); + if (!pipe_state->creds) { + return NT_STATUS_NO_MEMORY; + } + } + + creds_server_init(pipe_state->creds, &pipe_state->client_challenge, + &pipe_state->server_challenge, mach_pwd, + server_credentials); + + if (!creds_server_check(pipe_state->creds, client_credentials)) { + return NT_STATUS_ACCESS_DENIED; + } + + pipe_state->authenticated = True; + + if (pipe_state->account_name) { + /* We don't want a memory leak on this long-lived talloc context */ + talloc_free(pipe_state->mem_ctx, pipe_state->account_name); + } + + pipe_state->account_name = talloc_strdup(pipe_state->mem_ctx, account_name); + + if (pipe_state->computer_name) { + /* We don't want a memory leak on this long-lived talloc context */ + talloc_free(pipe_state->mem_ctx, pipe_state->account_name); + } + + pipe_state->computer_name = talloc_strdup(pipe_state->mem_ctx, computer_name); + + if (out_flags) { + *out_flags = NETLOGON_NEG_AUTH2_FLAGS; + } + + return NT_STATUS_OK; +} + + +static NTSTATUS netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_ServerAuthenticate *r) +{ + struct server_pipe_state *pipe_state = dce_call->conn->private; + + return netr_ServerAuthenticateInternals(pipe_state, + mem_ctx, + r->in.username, + r->in.computer_name, + r->in.secure_channel_type, + 0, + &r->in.credentials, + &r->out.credentials, + NULL); +} + +static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_ServerAuthenticate2 *r) +{ + struct server_pipe_state *pipe_state = dce_call->conn->private; + + return netr_ServerAuthenticateInternals(pipe_state, + mem_ctx, + r->in.username, + r->in.computer_name, + r->in.secure_channel_type, + *r->in.negotiate_flags, + &r->in.credentials, + &r->out.credentials, + r->out.negotiate_flags); +} + +/* + netr_LogonUasLogon +*/ +static WERROR netr_LogonUasLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonUasLogon *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_LogonUasLogoff +*/ +static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonUasLogoff *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_LogonSamLogon + + + +*/ +static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonSamLogon *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_LogonSamLogoff +*/ +static NTSTATUS netr_LogonSamLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonSamLogoff *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + + +/* + netr_ServerPasswordSet +*/ +static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_ServerPasswordSet *r) +{ + + + +} + + +/* + netr_DatabaseDeltas +*/ +static NTSTATUS netr_DatabaseDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DatabaseDeltas *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_DatabaseSync +*/ +static NTSTATUS netr_DatabaseSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DatabaseSync *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_AccountDeltas +*/ +static NTSTATUS netr_AccountDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_AccountDeltas *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_AccountSync +*/ +static NTSTATUS netr_AccountSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_AccountSync *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_GetDcName +*/ +static NTSTATUS netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_GetDcName *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_LogonControl +*/ +static WERROR netr_LogonControl(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonControl *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_GetAnyDCName +*/ +static WERROR netr_GetAnyDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_GetAnyDCName *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_LogonControl2 +*/ +static WERROR netr_LogonControl2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonControl2 *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_DatabaseSync2 +*/ +static NTSTATUS netr_DatabaseSync2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DatabaseSync2 *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_DatabaseRedo +*/ +static NTSTATUS netr_DatabaseRedo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DatabaseRedo *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_LogonControl2Ex +*/ +static WERROR netr_LogonControl2Ex(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonControl2Ex *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* include the generated boilerplate */ +#include "librpc/gen_ndr/ndr_netlogon_s.c" -- cgit From 82306753e26558d8fd6c1452bfa08ec9b361fba9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 15 May 2004 12:04:07 +0000 Subject: r745: Move netr_ServerPasswordSet up with the other secure channel management functions, and make sure to include the fault until this is no longer a stub. Andrew Bartlett (This used to be commit b886cb65f8d7b8b9f587d8a22d830938d4c6eb3e) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 36 ++++++++++++++++++--------- 1 file changed, 24 insertions(+), 12 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 0c78ed1864..87945ffef0 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -297,6 +297,30 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL r->out.negotiate_flags); } +/* + netr_ServerPasswordSet + + NTSTATUS netr_ServerPasswordSet( + [in] unistr *server_name, + [in] unistr username, + [in] uint16 secure_channel_type, + [in] unistr computer_name, + [in] netr_Authenticator credential, + [in] netr_Password new_password, + [out] netr_Authenticator return_authenticator + ); + +*/ +static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_ServerPasswordSet *r) +{ + + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); + + +} + + /* netr_LogonUasLogon */ @@ -341,18 +365,6 @@ static NTSTATUS netr_LogonSamLogoff(struct dcesrv_call_state *dce_call, TALLOC_C -/* - netr_ServerPasswordSet -*/ -static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_ServerPasswordSet *r) -{ - - - -} - - /* netr_DatabaseDeltas */ -- cgit From 92dd542aa01f2c3b64ca104696c731919f4d7ec7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 16 May 2004 21:30:48 +0000 Subject: r754: Implement the SetPassword operation on the netlogon pipe. This involves allowing the password set code in samdb to take an already hashed password, and some fixes to our torture code. Andrew Bartlett (This used to be commit f9f581b5804a20785df06cde157b23c952edc2ce) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 141 +++++++++++++++++++++++++- 1 file changed, 138 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 87945ffef0..853a8b39e9 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -175,7 +175,7 @@ static NTSTATUS netr_ServerAuthenticateInternals(struct server_pipe_state *pipe_ account_name); if (num_records == 0) { - DEBUG(3,("Couldn't find user [%s] in passdb file.\n", + DEBUG(3,("Couldn't find user [%s] in samdb.\n", account_name)); samdb_close(sam_ctx); return NT_STATUS_NO_SUCH_USER; @@ -227,7 +227,7 @@ static NTSTATUS netr_ServerAuthenticateInternals(struct server_pipe_state *pipe_ samdb_close(sam_ctx); if (!pipe_state->creds) { - pipe_state->creds = talloc_p(mem_ctx, struct creds_CredentialState); + pipe_state->creds = talloc_p(pipe_state->mem_ctx, struct creds_CredentialState); if (!pipe_state->creds) { return NT_STATUS_NO_MEMORY; } @@ -297,6 +297,18 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL r->out.negotiate_flags); } +static BOOL netr_creds_server_step_check(struct server_pipe_state *pipe_state, + struct netr_Authenticator *received_authenticator, + struct netr_Authenticator *return_authenticator) +{ + if (!pipe_state->authenticated) { + return False; + } + return creds_server_step_check(pipe_state->creds, + received_authenticator, + return_authenticator); +} + /* netr_ServerPasswordSet @@ -314,10 +326,133 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerPasswordSet *r) { + struct server_pipe_state *pipe_state = dce_call->conn->private; - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); + void *sam_ctx; + int num_records; + int num_records_domain; + int ret; + int i; + struct ldb_message **msgs; + struct ldb_message **msgs_domain; + NTSTATUS nt_status; + struct samr_Hash newNtHash; + struct ldb_message mod, *msg_set_pw = &mod; + const char *domain_dn; + struct dom_sid *domain_sid; + + const char *attrs[] = {"objectSid", NULL + }; + + const char **domain_attrs = attrs; + ZERO_STRUCT(mod); + + if (!netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator)) { + return NT_STATUS_ACCESS_DENIED; + } + + if (!pipe_state) { + DEBUG(1, ("No challange requested by client, cannot authenticate\n")); + return NT_STATUS_ACCESS_DENIED; + } + + sam_ctx = samdb_connect(); + if (sam_ctx == NULL) { + return NT_STATUS_INVALID_SYSTEM_SERVICE; + } + /* pull the user attributes */ + num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, + "(&(sAMAccountName=%s)(objectclass=user))", + pipe_state->account_name); + + if (num_records == 0) { + DEBUG(3,("Couldn't find user [%s] in samdb.\n", + pipe_state->account_name)); + samdb_close(sam_ctx); + return NT_STATUS_NO_SUCH_USER; + } + + if (num_records > 1) { + DEBUG(1,("Found %d records matching user [%s]\n", num_records, + pipe_state->account_name)); + samdb_close(sam_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + domain_sid = dom_sid_parse_talloc(mem_ctx, + samdb_result_string(msgs[0], + "objectSid", + NULL)); + if (!domain_sid) { + samdb_close(sam_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + sid_split_rid(domain_sid, NULL); + + /* find the domain's DN */ + num_records_domain = samdb_search(sam_ctx, mem_ctx, NULL, + &msgs_domain, domain_attrs, + "(&(objectSid=%s)(objectclass=domain))", + dom_sid_string(mem_ctx, domain_sid)); + + if (num_records_domain == 0) { + DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n", + dom_sid_string(mem_ctx, domain_sid))); + samdb_close(sam_ctx); + return NT_STATUS_NO_SUCH_USER; + } + + if (num_records_domain > 1) { + DEBUG(1,("Found %d records matching domain [%s]\n", num_records_domain, dom_sid_string(mem_ctx, domain_sid))); + samdb_close(sam_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + domain_dn = msgs_domain[0]->dn; + + mod.dn = talloc_strdup(mem_ctx, msgs[0]->dn); + if (!mod.dn) { + samdb_close(sam_ctx); + return NT_STATUS_NO_MEMORY; + } + creds_des_decrypt(pipe_state->creds, &r->in.new_password); + + memcpy(newNtHash.hash, r->in.new_password.data, sizeof(newNtHash.hash)); + + /* set the password - samdb needs to know both the domain and user DNs, + so the domain password policy can be used */ + nt_status = samdb_set_password(sam_ctx, mem_ctx, + msgs[0]->dn, domain_dn, + msg_set_pw, + NULL, /* Don't have plaintext */ + NULL, &newNtHash, + False /* This is not considered a password change */); + + if (!NT_STATUS_IS_OK(nt_status)) { + samdb_close(sam_ctx); + return nt_status; + } + /* mark all the message elements as LDB_FLAG_MOD_REPLACE, + unless they are already marked with some other flag */ + for (i=0;i Date: Sat, 22 May 2004 07:55:48 +0000 Subject: r816: - Make use of tridge's new samdb_result_sid_prefix() helper function. - Remove legacy sid_to_string (which contained a memleak) - Remove some unused parts of lib/util_sid.c Andrew Bartlett (This used to be commit 7c69a85984e47c004ddfd9bb5eadcb3191b56f9d) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 27 +++++++-------------------- 1 file changed, 7 insertions(+), 20 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 853a8b39e9..1dab39ebc1 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -332,14 +332,13 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO int num_records; int num_records_domain; int ret; - int i; struct ldb_message **msgs; struct ldb_message **msgs_domain; NTSTATUS nt_status; struct samr_Hash newNtHash; struct ldb_message mod, *msg_set_pw = &mod; const char *domain_dn; - struct dom_sid *domain_sid; + const char *domain_sid; const char *attrs[] = {"objectSid", NULL }; @@ -379,32 +378,28 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO return NT_STATUS_INTERNAL_DB_CORRUPTION; } - domain_sid = dom_sid_parse_talloc(mem_ctx, - samdb_result_string(msgs[0], - "objectSid", - NULL)); + domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid"); if (!domain_sid) { samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } - sid_split_rid(domain_sid, NULL); - /* find the domain's DN */ num_records_domain = samdb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs, "(&(objectSid=%s)(objectclass=domain))", - dom_sid_string(mem_ctx, domain_sid)); + domain_sid); if (num_records_domain == 0) { DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n", - dom_sid_string(mem_ctx, domain_sid))); + domain_sid)); samdb_close(sam_ctx); return NT_STATUS_NO_SUCH_USER; } if (num_records_domain > 1) { - DEBUG(1,("Found %d records matching domain [%s]\n", num_records_domain, dom_sid_string(mem_ctx, domain_sid))); + DEBUG(1,("Found %d records matching domain [%s]\n", + num_records_domain, domain_sid)); samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -435,15 +430,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO return nt_status; } - /* mark all the message elements as LDB_FLAG_MOD_REPLACE, - unless they are already marked with some other flag */ - for (i=0;i Date: Tue, 25 May 2004 13:57:39 +0000 Subject: r873: converted samba4 to use real 64 bit integers instead of structures. This was suggested by metze recently. I checked on the build farm and all the machines we have support 64 bit ints, and support the LL suffix for 64 bit constants. I suspect some won't support strtoll() and related functions, so we will probably need replacements for those. (This used to be commit 9a9244a1c66654c12abe4379661cba83a73c4c21) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 1dab39ebc1..d4e60771ba 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -423,7 +423,8 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO msg_set_pw, NULL, /* Don't have plaintext */ NULL, &newNtHash, - False /* This is not considered a password change */); + False /* This is not considered a password change */, + NULL); if (!NT_STATUS_IS_OK(nt_status)) { samdb_close(sam_ctx); -- cgit From f9d8f8843dc0ab8c9d59abde7222e0f118b86b5d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 25 May 2004 16:24:13 +0000 Subject: r884: convert samba4 to use [u]int32_t instead of [u]int32 metze (This used to be commit 0e5517d937a2eb7cf707991d1c7498c1ab456095) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index d4e60771ba..f6b758ad98 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -30,7 +30,7 @@ struct server_pipe_state { BOOL authenticated; char *account_name; char *computer_name; /* for logging only */ - uint32 acct_flags; + uint32_t acct_flags; uint16 sec_chan_type; struct creds_CredentialState *creds; }; @@ -139,10 +139,10 @@ static NTSTATUS netr_ServerAuthenticateInternals(struct server_pipe_state *pipe_ const char *account_name, const char *computer_name, uint16 secure_channel_type, - uint32 in_flags, + uint32_t in_flags, const struct netr_Credential *client_credentials, struct netr_Credential *server_credentials, - uint32 *out_flags) + uint32_t *out_flags) { void *sam_ctx; uint8 *mach_pwd; -- cgit From f88bf54c7f6d1c2ef833047eb8327953c304b5ff Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 25 May 2004 17:24:24 +0000 Subject: r889: convert samba4 to use [u]int16_t instead of [u]int16 metze (This used to be commit af6f1f8a01bebbecd99bc8c066519e89966e65e3) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index f6b758ad98..c3ec1f48a1 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -31,7 +31,7 @@ struct server_pipe_state { char *account_name; char *computer_name; /* for logging only */ uint32_t acct_flags; - uint16 sec_chan_type; + uint16_t sec_chan_type; struct creds_CredentialState *creds; }; @@ -138,7 +138,7 @@ static NTSTATUS netr_ServerAuthenticateInternals(struct server_pipe_state *pipe_ TALLOC_CTX *mem_ctx, const char *account_name, const char *computer_name, - uint16 secure_channel_type, + uint16_t secure_channel_type, uint32_t in_flags, const struct netr_Credential *client_credentials, struct netr_Credential *server_credentials, @@ -146,7 +146,7 @@ static NTSTATUS netr_ServerAuthenticateInternals(struct server_pipe_state *pipe_ { void *sam_ctx; uint8 *mach_pwd; - uint16 acct_flags; + uint16_t acct_flags; int num_records; struct ldb_message **msgs; NTSTATUS nt_status; -- cgit From fcd718c7d8a6850ae8719f23ed044b06b57501cd Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 25 May 2004 17:50:17 +0000 Subject: r890: convert samba4 to use [u]int8_t instead of [u]int8 metze (This used to be commit 2986c5f08c8f0c26a2ea7b6ce20aae025183109f) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index c3ec1f48a1..336da6821e 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -145,7 +145,7 @@ static NTSTATUS netr_ServerAuthenticateInternals(struct server_pipe_state *pipe_ uint32_t *out_flags) { void *sam_ctx; - uint8 *mach_pwd; + uint8_t *mach_pwd; uint16_t acct_flags; int num_records; struct ldb_message **msgs; -- cgit From db3c011977e9aad535be298d64fa63af61c0669c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 27 May 2004 04:13:58 +0000 Subject: r917: - added the start of a LSA server to samba4. - added start of QueryDomainInfo in samr server "net rpc info" from samba3 now works against a samba4 server. I suspect join will work fairly soon. (This used to be commit 0a2c6a1062d0e364356853001f5f39bdb542f453) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 336da6821e..4481df6aa8 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -448,7 +448,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO netr_LogonUasLogon */ static WERROR netr_LogonUasLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_LogonUasLogon *r) + struct netr_LogonUasLogon *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } -- cgit From d9538e7412c593a9dc10a600676939d2cf0205ea Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 28 May 2004 13:23:30 +0000 Subject: r937: - added a simple QuerySecurity implementation in samr server - moved some sec desc defines into misc.idl - fixed pw_len field in UserInfo26 - made some pipes available on TCP - added netr_DsrEnumerateDomainTrusts() to netlogon - added templates for remaining netlogon IDL calls (from ethereal) - added a unistr_noterm vs unistr error detector in ndr basic decoder - added torture test for netr_DsrEnumerateDomainTrusts() (This used to be commit ae5a5113fb83640dcb9ae4642c1b9eaf28487956) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 326 ++++++++++++++++++++++++++ 1 file changed, 326 insertions(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 4481df6aa8..7cf2965323 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -598,5 +598,331 @@ static WERROR netr_LogonControl2Ex(struct dcesrv_call_state *dce_call, TALLOC_CT } +/* + netr_NETRENUMERATETRUSTEDDOMAINS +*/ +static WERROR netr_NETRENUMERATETRUSTEDDOMAINS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NETRENUMERATETRUSTEDDOMAINS *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_DSRGETDCNAME +*/ +static WERROR netr_DSRGETDCNAME(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DSRGETDCNAME *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_NETRLOGONDUMMYROUTINE1 +*/ +static WERROR netr_NETRLOGONDUMMYROUTINE1(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NETRLOGONDUMMYROUTINE1 *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_NETRLOGONSETSERVICEBITS +*/ +static WERROR netr_NETRLOGONSETSERVICEBITS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NETRLOGONSETSERVICEBITS *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_NETRLOGONGETTRUSTRID +*/ +static WERROR netr_NETRLOGONGETTRUSTRID(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NETRLOGONGETTRUSTRID *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_NETRLOGONCOMPUTESERVERDIGEST +*/ +static WERROR netr_NETRLOGONCOMPUTESERVERDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NETRLOGONCOMPUTESERVERDIGEST *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_NETRLOGONCOMPUTECLIENTDIGEST +*/ +static WERROR netr_NETRLOGONCOMPUTECLIENTDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_NETRSERVERAUTHENTICATE3 +*/ +static WERROR netr_NETRSERVERAUTHENTICATE3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NETRSERVERAUTHENTICATE3 *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_DSRGETDCNAMEX +*/ +static WERROR netr_DSRGETDCNAMEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DSRGETDCNAMEX *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_DSRGETSITENAME +*/ +static WERROR netr_DSRGETSITENAME(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DSRGETSITENAME *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_NETRLOGONGETDOMAININFO +*/ +static WERROR netr_NETRLOGONGETDOMAININFO(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NETRLOGONGETDOMAININFO *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_NETRSERVERPASSWORDSET2 +*/ +static WERROR netr_NETRSERVERPASSWORDSET2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NETRSERVERPASSWORDSET2 *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_NETRSERVERPASSWORDGET +*/ +static WERROR netr_NETRSERVERPASSWORDGET(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NETRSERVERPASSWORDGET *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_NETRLOGONSENDTOSAM +*/ +static WERROR netr_NETRLOGONSENDTOSAM(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NETRLOGONSENDTOSAM *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_DSRADDRESSTOSITENAMESW +*/ +static WERROR netr_DSRADDRESSTOSITENAMESW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DSRADDRESSTOSITENAMESW *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_DSRGETDCNAMEEX2 +*/ +static WERROR netr_DSRGETDCNAMEEX2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DSRGETDCNAMEEX2 *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN +*/ +static WERROR netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_NETRENUMERATETRUSTEDDOMAINSEX +*/ +static WERROR netr_NETRENUMERATETRUSTEDDOMAINSEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NETRENUMERATETRUSTEDDOMAINSEX *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_DSRADDRESSTOSITENAMESEXW +*/ +static WERROR netr_DSRADDRESSTOSITENAMESEXW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DSRADDRESSTOSITENAMESEXW *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_DSRGETDCSITECOVERAGEW +*/ +static WERROR netr_DSRGETDCSITECOVERAGEW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DSRGETDCSITECOVERAGEW *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_NETRLOGONSAMLOGONEX +*/ +static WERROR netr_NETRLOGONSAMLOGONEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NETRLOGONSAMLOGONEX *r) +{ + DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); +} + + +/* + netr_DsrEnumerateDomainTrusts +*/ +static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DsrEnumerateDomainTrusts *r) +{ + struct netr_DomainTrust *trusts; + void *sam_ctx; + int ret, i; + struct ldb_message **res; + const char * const attrs[] = { "name", "dnsDomain", "objectSid", "objectGUID", NULL }; + + ZERO_STRUCT(r->out); + + sam_ctx = samdb_connect(); + if (sam_ctx == NULL) { + return WERR_GENERAL_FAILURE; + } + + ret = samdb_search(sam_ctx, mem_ctx, NULL, &res, attrs, "(objectClass=domainDNS)"); + if (ret == -1) { + samdb_close(sam_ctx); + return WERR_GENERAL_FAILURE; + } + + if (ret == 0) { + return WERR_OK; + } + + trusts = talloc_array_p(mem_ctx, struct netr_DomainTrust, ret); + if (trusts == NULL) { + return WERR_NOMEM; + } + + r->out.count = ret; + r->out.trusts = trusts; + + for (i=0;i Date: Sun, 30 May 2004 13:15:15 +0000 Subject: r950: - added netr_ServerAuthenticate3(). This is used by WinXP clients who try to login to Samba4, as WinXP sees us as an ADS server. Unfortunately WinXP also uses a set of negotiate_flags that we don't support yet. Some crypto work needed. (This used to be commit 2d740b65706fb5b4ebc138587472a885d680517f) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 157 ++++++++++++-------------- 1 file changed, 73 insertions(+), 84 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 7cf2965323..523b042845 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -60,9 +60,9 @@ static void netlogon_unbind(struct dcesrv_connection *conn, const struct dcesrv_ netr_ServerReqChallenge NTSTATUS netr_ServerReqChallenge( - [in] unistr *server_name, - [in] unistr computer_name, - [in][out] netr_Credential credentials + [in] unistr *server_name, + [in] unistr computer_name, + [in,out,ref] netr_Credential *credentials ); */ @@ -72,7 +72,7 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL struct server_pipe_state *pipe_state = dce_call->conn->private; TALLOC_CTX *pipe_mem_ctx; - ZERO_STRUCT(r->out.credentials); + ZERO_STRUCTP(r->out.credentials); /* destroyed on pipe shutdown */ @@ -100,13 +100,13 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL pipe_state->account_name = NULL; pipe_state->computer_name = NULL; - pipe_state->client_challenge = r->in.credentials; + pipe_state->client_challenge = *r->in.credentials; generate_random_buffer(pipe_state->server_challenge.data, sizeof(pipe_state->server_challenge.data), False); - r->out.credentials = pipe_state->server_challenge; + *r->out.credentials = pipe_state->server_challenge; dce_call->conn->private = pipe_state; @@ -123,42 +123,32 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL const int SEC_CHAN_DOMAIN = 4; const int SEC_CHAN_BDC = 6; - NTSTATUS netr_ServerAuthenticate( - [in] unistr *server_name, - [in] unistr username, - [in] uint16 secure_channel_type, - [in] unistr computer_name, - [in,out] netr_Credential credentials + NTSTATUS netr_ServerAuthenticate3( + [in] unistr *server_name, + [in] unistr username, + [in] uint16 secure_channel_type, + [in] unistr computer_name, + [in,out,ref] netr_Credential *credentials + [in,out,ref] uint32 *negotiate_flags, + [out,ref] uint32 *rid ); - - */ - -static NTSTATUS netr_ServerAuthenticateInternals(struct server_pipe_state *pipe_state, - TALLOC_CTX *mem_ctx, - const char *account_name, - const char *computer_name, - uint16_t secure_channel_type, - uint32_t in_flags, - const struct netr_Credential *client_credentials, - struct netr_Credential *server_credentials, - uint32_t *out_flags) +static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_ServerAuthenticate3 *r) { + struct server_pipe_state *pipe_state = dce_call->conn->private; void *sam_ctx; uint8_t *mach_pwd; uint16_t acct_flags; int num_records; struct ldb_message **msgs; NTSTATUS nt_status; + const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash", "userAccountControl", + "objectSid", NULL}; - const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash", - "userAccountControl", NULL - }; - - ZERO_STRUCTP(server_credentials); - if (out_flags) { - *out_flags = 0; - } + ZERO_STRUCTP(r->out.credentials); + *r->out.negotiate_flags = 0; + *r->out.rid = 0; if (!pipe_state) { DEBUG(1, ("No challange requested by client, cannot authenticate\n")); @@ -172,17 +162,17 @@ static NTSTATUS netr_ServerAuthenticateInternals(struct server_pipe_state *pipe_ /* pull the user attributes */ num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, "(&(sAMAccountName=%s)(objectclass=user))", - account_name); + r->in.username); if (num_records == 0) { DEBUG(3,("Couldn't find user [%s] in samdb.\n", - account_name)); + r->in.username)); samdb_close(sam_ctx); return NT_STATUS_NO_SUCH_USER; } if (num_records > 1) { - DEBUG(1,("Found %d records matching user [%s]\n", num_records, account_name)); + DEBUG(1,("Found %d records matching user [%s]\n", num_records, r->in.username)); samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -191,35 +181,38 @@ static NTSTATUS netr_ServerAuthenticateInternals(struct server_pipe_state *pipe_ "userAccountControl"); if (acct_flags & ACB_DISABLED) { - DEBUG(1, ("Account [%s] is disabled\n", account_name)); + DEBUG(1, ("Account [%s] is disabled\n", r->in.username)); return NT_STATUS_ACCESS_DENIED; } - if (secure_channel_type == SEC_CHAN_WKSTA) { + if (r->in.secure_channel_type == SEC_CHAN_WKSTA) { if (!(acct_flags & ACB_WSTRUST)) { DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", acct_flags)); return NT_STATUS_ACCESS_DENIED; } - } else if (secure_channel_type == SEC_CHAN_DOMAIN) { + } else if (r->in.secure_channel_type == SEC_CHAN_DOMAIN) { if (!(acct_flags & ACB_DOMTRUST)) { DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", acct_flags)); return NT_STATUS_ACCESS_DENIED; } - } else if (secure_channel_type == SEC_CHAN_BDC) { + } else if (r->in.secure_channel_type == SEC_CHAN_BDC) { if (!(acct_flags & ACB_SVRTRUST)) { DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", acct_flags)); return NT_STATUS_ACCESS_DENIED; } } else { - DEBUG(1, ("Client asked for an invalid secure channel type: %d\n", secure_channel_type)); + DEBUG(1, ("Client asked for an invalid secure channel type: %d\n", + r->in.secure_channel_type)); return NT_STATUS_ACCESS_DENIED; } pipe_state->acct_flags = acct_flags; - pipe_state->sec_chan_type = secure_channel_type; + pipe_state->sec_chan_type = r->in.secure_channel_type; + + *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0], "objectSid", 0); - if (!NT_STATUS_IS_OK(nt_status = samdb_result_passwords(mem_ctx, msgs[0], - NULL, &mach_pwd))) { + nt_status = samdb_result_passwords(mem_ctx, msgs[0], NULL, &mach_pwd); + if (!NT_STATUS_IS_OK(nt_status)) { samdb_close(sam_ctx); return NT_STATUS_ACCESS_DENIED; } @@ -235,9 +228,9 @@ static NTSTATUS netr_ServerAuthenticateInternals(struct server_pipe_state *pipe_ creds_server_init(pipe_state->creds, &pipe_state->client_challenge, &pipe_state->server_challenge, mach_pwd, - server_credentials); + r->out.credentials); - if (!creds_server_check(pipe_state->creds, client_credentials)) { + if (!creds_server_check(pipe_state->creds, r->in.credentials)) { return NT_STATUS_ACCESS_DENIED; } @@ -248,18 +241,16 @@ static NTSTATUS netr_ServerAuthenticateInternals(struct server_pipe_state *pipe_ talloc_free(pipe_state->mem_ctx, pipe_state->account_name); } - pipe_state->account_name = talloc_strdup(pipe_state->mem_ctx, account_name); + pipe_state->account_name = talloc_strdup(pipe_state->mem_ctx, r->in.username); if (pipe_state->computer_name) { /* We don't want a memory leak on this long-lived talloc context */ talloc_free(pipe_state->mem_ctx, pipe_state->account_name); } - pipe_state->computer_name = talloc_strdup(pipe_state->mem_ctx, computer_name); + pipe_state->computer_name = talloc_strdup(pipe_state->mem_ctx, r->in.computer_name); - if (out_flags) { - *out_flags = NETLOGON_NEG_AUTH2_FLAGS; - } + *r->out.negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS; return NT_STATUS_OK; } @@ -268,35 +259,42 @@ static NTSTATUS netr_ServerAuthenticateInternals(struct server_pipe_state *pipe_ static NTSTATUS netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerAuthenticate *r) { - struct server_pipe_state *pipe_state = dce_call->conn->private; + struct netr_ServerAuthenticate3 r3; + uint32 negotiate_flags, rid; + + r3.in.server_name = r->in.server_name; + r3.in.username = r->in.username; + r3.in.secure_channel_type = r->in.secure_channel_type; + r3.in.computer_name = r->in.computer_name; + r3.in.credentials = r->in.credentials; + r3.out.credentials = r->out.credentials; + r3.in.negotiate_flags = &negotiate_flags; + r3.out.negotiate_flags = &negotiate_flags; + r3.out.rid = &rid; - return netr_ServerAuthenticateInternals(pipe_state, - mem_ctx, - r->in.username, - r->in.computer_name, - r->in.secure_channel_type, - 0, - &r->in.credentials, - &r->out.credentials, - NULL); + return netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); } static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_ServerAuthenticate2 *r) -{ - struct server_pipe_state *pipe_state = dce_call->conn->private; + struct netr_ServerAuthenticate2 *r) +{ + struct netr_ServerAuthenticate3 r3; + uint32 rid; + + r3.in.server_name = r->in.server_name; + r3.in.username = r->in.username; + r3.in.secure_channel_type = r->in.secure_channel_type; + r3.in.computer_name = r->in.computer_name; + r3.in.credentials = r->in.credentials; + r3.out.credentials = r->out.credentials; + r3.in.negotiate_flags = r->in.negotiate_flags; + r3.out.negotiate_flags = r->out.negotiate_flags; + r3.out.rid = &rid; - return netr_ServerAuthenticateInternals(pipe_state, - mem_ctx, - r->in.username, - r->in.computer_name, - r->in.secure_channel_type, - *r->in.negotiate_flags, - &r->in.credentials, - &r->out.credentials, - r->out.negotiate_flags); + return netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); } + static BOOL netr_creds_server_step_check(struct server_pipe_state *pipe_state, struct netr_Authenticator *received_authenticator, struct netr_Authenticator *return_authenticator) @@ -340,8 +338,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO const char *domain_dn; const char *domain_sid; - const char *attrs[] = {"objectSid", NULL - }; + const char *attrs[] = {"objectSid", NULL }; const char **domain_attrs = attrs; ZERO_STRUCT(mod); @@ -668,16 +665,6 @@ static WERROR netr_NETRLOGONCOMPUTECLIENTDIGEST(struct dcesrv_call_state *dce_ca } -/* - netr_NETRSERVERAUTHENTICATE3 -*/ -static WERROR netr_NETRSERVERAUTHENTICATE3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_NETRSERVERAUTHENTICATE3 *r) -{ - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); -} - - /* netr_DSRGETDCNAMEX */ @@ -845,6 +832,8 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, r->out.count = ret; r->out.trusts = trusts; + /* TODO: add filtering by trust_flags, and correct trust_type + and attributes */ for (i=0;i Date: Sun, 30 May 2004 13:27:14 +0000 Subject: r951: from w2k3 behaviour, the netlogon server is supposed to give back the negotiate flags it can support. (This used to be commit 7ad56fc4db37009dc2dba376724fdfb650f65611) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 523b042845..81d37d0984 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -147,8 +147,8 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL "objectSid", NULL}; ZERO_STRUCTP(r->out.credentials); - *r->out.negotiate_flags = 0; *r->out.rid = 0; + *r->out.negotiate_flags = *r->in.negotiate_flags & NETLOGON_NEG_AUTH2_FLAGS; if (!pipe_state) { DEBUG(1, ("No challange requested by client, cannot authenticate\n")); -- cgit From 8087d844ef59a82617be51f7c887b9bafe362f80 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 3 Jun 2004 23:15:16 +0000 Subject: r995: - renamed many of our crypto routines to use the industry standard names rather than our crazy naming scheme. So DES is now called des_crypt() rather than smbhash() - added the code from the solution of the ADS crypto challenge that allows Samba to correctly handle a 128 bit session key in all of the netr_ServerAuthenticateX() varients. A huge thanks to Luke Howard from PADL for solving this one! - restructured the server side rpc authentication to allow for other than NTLMSSP sign and seal. This commit just adds the structure, the next commit will add schannel server side support. - added 128 bit session key support to our client side code, and testing against w2k3 with smbtorture. Works well. (This used to be commit 729b2f41c924a0b435d44a14209e6dacc2304cee) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 81d37d0984..5f4717a5c6 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -148,7 +148,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL ZERO_STRUCTP(r->out.credentials); *r->out.rid = 0; - *r->out.negotiate_flags = *r->in.negotiate_flags & NETLOGON_NEG_AUTH2_FLAGS; + *r->out.negotiate_flags = *r->in.negotiate_flags; if (!pipe_state) { DEBUG(1, ("No challange requested by client, cannot authenticate\n")); @@ -228,8 +228,9 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL creds_server_init(pipe_state->creds, &pipe_state->client_challenge, &pipe_state->server_challenge, mach_pwd, - r->out.credentials); - + r->out.credentials, + *r->in.negotiate_flags); + if (!creds_server_check(pipe_state->creds, r->in.credentials)) { return NT_STATUS_ACCESS_DENIED; } @@ -249,8 +250,6 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL } pipe_state->computer_name = talloc_strdup(pipe_state->mem_ctx, r->in.computer_name); - - *r->out.negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS; return NT_STATUS_OK; } -- cgit From 9eb6afb00d85c1a7b367d51a19eed41172f7a2e9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 4 Jun 2004 11:58:46 +0000 Subject: r1009: Make all users of NT and LM passwords use the samr_Password structure. This includes the netlogon pipe, for the machine account password change system. Andrew Bartlett (This used to be commit 49d545a82057ee8b60d50aa55e908efe59875150) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 5f4717a5c6..f662e45246 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -332,7 +332,6 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO struct ldb_message **msgs; struct ldb_message **msgs_domain; NTSTATUS nt_status; - struct samr_Hash newNtHash; struct ldb_message mod, *msg_set_pw = &mod; const char *domain_dn; const char *domain_sid; @@ -410,15 +409,13 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO creds_des_decrypt(pipe_state->creds, &r->in.new_password); - memcpy(newNtHash.hash, r->in.new_password.data, sizeof(newNtHash.hash)); - /* set the password - samdb needs to know both the domain and user DNs, so the domain password policy can be used */ nt_status = samdb_set_password(sam_ctx, mem_ctx, msgs[0]->dn, domain_dn, msg_set_pw, NULL, /* Don't have plaintext */ - NULL, &newNtHash, + NULL, &r->in.new_password, False /* This is not considered a password change */, NULL); -- cgit From 1a993b800eca5dc8daccc715da46e7b84c604389 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 5 Jun 2004 01:29:20 +0000 Subject: r1016: - store the schannel session key after it is established - move to a centralised way of handling talloc/ldb interaction (This used to be commit 2b9b752875ba5e03e82f40e31f26bc1f245b3825) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index f662e45246..ea76be44f5 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -251,7 +251,10 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL pipe_state->computer_name = talloc_strdup(pipe_state->mem_ctx, r->in.computer_name); - return NT_STATUS_OK; + /* remember this session key state */ + nt_status = schannel_store_session_key(mem_ctx, pipe_state->computer_name, pipe_state->creds); + + return nt_status; } -- cgit From 5b04ca8080708573207eb58f2c2b207780a6ea28 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 5 Jun 2004 03:22:10 +0000 Subject: r1025: Rename (across the samr and netlogon pipes, so far) pwd -> password passwd -> password username -> account_name Also work on consistant structure feild names between these two pipes, and fix up some callers to use samr_Password for the netlogon credential code. Andrew Bartlett (This used to be commit 4e35418c2776f7b79be5b358ffd077754685d1ac) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 59 ++++----------------------- 1 file changed, 8 insertions(+), 51 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index ea76be44f5..e159123c87 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -56,16 +56,6 @@ static void netlogon_unbind(struct dcesrv_connection *conn, const struct dcesrv_ #define DCESRV_INTERFACE_NETLOGON_BIND netlogon_bind #define DCESRV_INTERFACE_NETLOGON_UNBIND netlogon_unbind -/* - netr_ServerReqChallenge - - NTSTATUS netr_ServerReqChallenge( - [in] unistr *server_name, - [in] unistr computer_name, - [in,out,ref] netr_Credential *credentials - ); - -*/ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerReqChallenge *r) { @@ -113,32 +103,12 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_OK; } - -/* - netr_ServerAuthenticate - - secure channel types: - - const int SEC_CHAN_WKSTA = 2; - const int SEC_CHAN_DOMAIN = 4; - const int SEC_CHAN_BDC = 6; - - NTSTATUS netr_ServerAuthenticate3( - [in] unistr *server_name, - [in] unistr username, - [in] uint16 secure_channel_type, - [in] unistr computer_name, - [in,out,ref] netr_Credential *credentials - [in,out,ref] uint32 *negotiate_flags, - [out,ref] uint32 *rid - ); -*/ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerAuthenticate3 *r) { struct server_pipe_state *pipe_state = dce_call->conn->private; void *sam_ctx; - uint8_t *mach_pwd; + struct samr_Password *mach_pwd; uint16_t acct_flags; int num_records; struct ldb_message **msgs; @@ -162,17 +132,17 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL /* pull the user attributes */ num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, "(&(sAMAccountName=%s)(objectclass=user))", - r->in.username); + r->in.account_name); if (num_records == 0) { DEBUG(3,("Couldn't find user [%s] in samdb.\n", - r->in.username)); + r->in.account_name)); samdb_close(sam_ctx); return NT_STATUS_NO_SUCH_USER; } if (num_records > 1) { - DEBUG(1,("Found %d records matching user [%s]\n", num_records, r->in.username)); + DEBUG(1,("Found %d records matching user [%s]\n", num_records, r->in.account_name)); samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -181,7 +151,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL "userAccountControl"); if (acct_flags & ACB_DISABLED) { - DEBUG(1, ("Account [%s] is disabled\n", r->in.username)); + DEBUG(1, ("Account [%s] is disabled\n", r->in.account_name)); return NT_STATUS_ACCESS_DENIED; } @@ -242,7 +212,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL talloc_free(pipe_state->mem_ctx, pipe_state->account_name); } - pipe_state->account_name = talloc_strdup(pipe_state->mem_ctx, r->in.username); + pipe_state->account_name = talloc_strdup(pipe_state->mem_ctx, r->in.account_name); if (pipe_state->computer_name) { /* We don't want a memory leak on this long-lived talloc context */ @@ -265,7 +235,7 @@ static NTSTATUS netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALL uint32 negotiate_flags, rid; r3.in.server_name = r->in.server_name; - r3.in.username = r->in.username; + r3.in.account_name = r->in.account_name; r3.in.secure_channel_type = r->in.secure_channel_type; r3.in.computer_name = r->in.computer_name; r3.in.credentials = r->in.credentials; @@ -284,7 +254,7 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL uint32 rid; r3.in.server_name = r->in.server_name; - r3.in.username = r->in.username; + r3.in.account_name = r->in.account_name; r3.in.secure_channel_type = r->in.secure_channel_type; r3.in.computer_name = r->in.computer_name; r3.in.credentials = r->in.credentials; @@ -309,20 +279,7 @@ static BOOL netr_creds_server_step_check(struct server_pipe_state *pipe_state, return_authenticator); } -/* - netr_ServerPasswordSet - - NTSTATUS netr_ServerPasswordSet( - [in] unistr *server_name, - [in] unistr username, - [in] uint16 secure_channel_type, - [in] unistr computer_name, - [in] netr_Authenticator credential, - [in] netr_Password new_password, - [out] netr_Authenticator return_authenticator - ); -*/ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerPasswordSet *r) { -- cgit From 21aaa719b5c3bc59216fcb2cc81a3c8e69ce12fe Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sat, 5 Jun 2004 03:37:27 +0000 Subject: r1026: Spelling. (This used to be commit b7fe73613acf5423b77fd91c56849351bf386960) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index e159123c87..05ee0521fc 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -121,7 +121,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL *r->out.negotiate_flags = *r->in.negotiate_flags; if (!pipe_state) { - DEBUG(1, ("No challange requested by client, cannot authenticate\n")); + DEBUG(1, ("No challenge requested by client, cannot authenticate\n")); return NT_STATUS_ACCESS_DENIED; } @@ -306,7 +306,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO } if (!pipe_state) { - DEBUG(1, ("No challange requested by client, cannot authenticate\n")); + DEBUG(1, ("No challenge requested by client, cannot authenticate\n")); return NT_STATUS_ACCESS_DENIED; } -- cgit From 4c6f04d83f20ecfe62cd87dadf9b48a898502ea7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 5 Jun 2004 04:51:24 +0000 Subject: r1029: cope wiith samdb_result_passwords() returning a null machine password (This used to be commit ee6c17f3735381568d38e6c2df80bec687d00fbb) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 05ee0521fc..5c5e812805 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -182,7 +182,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0], "objectSid", 0); nt_status = samdb_result_passwords(mem_ctx, msgs[0], NULL, &mach_pwd); - if (!NT_STATUS_IS_OK(nt_status)) { + if (!NT_STATUS_IS_OK(nt_status) || mach_pwd == NULL) { samdb_close(sam_ctx); return NT_STATUS_ACCESS_DENIED; } @@ -336,6 +336,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid"); if (!domain_sid) { samdb_close(sam_ctx); + DEBUG(1,("no objectSid in user record\n")); return NT_STATUS_INTERNAL_DB_CORRUPTION; } -- cgit From bcac502d4470094108348bd3945e569f81a26b19 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 7 Jun 2004 03:46:32 +0000 Subject: r1058: The start of work on the SamLogon call for NETLOGON. This starts to store information about the user in the server_info struct - like the account name, the full name etc. Also, continue to make the names of the structure elements in the logon reply more consistant with those in the SAMR pipe. Andrew Bartlett (This used to be commit 3ccd96bd945e0fd95e42c69ad8ff07055af2e62b) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 133 +++++++++++++++++++++++++- 1 file changed, 130 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 5c5e812805..bfc5e3b759 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -47,9 +47,10 @@ static void netlogon_unbind(struct dcesrv_connection *conn, const struct dcesrv_ { struct server_pipe_state *pipe_state = conn->private; - if (pipe_state) + if (pipe_state) { talloc_destroy(pipe_state->mem_ctx); - + } + conn->private = NULL; } @@ -424,12 +425,138 @@ static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX */ + +#if 0 + +static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonSamLogon *r) +{ + struct server_pipe_state *pipe_state = dce_call->conn->private; + + struct auth_context *auth_context; + struct auth_usersupplied_info *user_info; + struct auth_serversupplied_info *server_info; + NTSTATUS nt_status; + const uint8_t *chal; + + + switch (r->in.logon_level) { + case 1: + case 3: + creds_arcfour_crypt(pipe_state->creds, + r->in.logon.password->lmpassword.hash, + sizeof(r->in.logon.password->lmpassword.hash)); + creds_arcfour_crypt(pipe_state->creds, + r->in.logon.password->ntpassword.hash, + sizeof(r->in.logon.password->ntpassword.hash)); + + nt_status = make_auth_context_subsystem(&auth_context); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + chal = auth_context->get_ntlm_challenge(auth_context); + nt_status = make_user_info_netlogon_interactive(&user_info, + r->in.logon.password->identity_info.account_name.string, + r->in.logon.password->identity_info.domain_name.string, + r->in.logon.password->identity_info.workstation.string, + chal, + &r->in.logon.password->lmpassword, + &r->in.logon.password->ntpassword); + break; + + case 2: + case 6: + nt_status = make_auth_context_fixed(&auth_context, r->in.logon.network->challenge); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + nt_status = make_user_info_netlogon_network(&user_info, + r->in.logon.network->identity_info.account_name.string, + r->in.logon.network->identity_info.domain_name.string, + r->in.logon.network->identity_info.workstation.string, + r->in.logon.network->nt.data, r->in.logon.network->nt.length, + r->in.logon.network->lm.data, r->in.logon.network->lm.length); + break; + default: + free_auth_context(&auth_context); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + nt_status = auth_context->check_ntlm_password(auth_context, + user_info, + &server_info); + + if (!NT_STATUS_IS_OK(nt_status)) { + free_auth_context(&auth_context); + return nt_status; + } + free_auth_context(&auth_context); + + switch (r->in.validation_level) { + case 2: + { + struct netr_SamInfo *sam; + sam = talloc_p(mem_ctx, struct netr_SamInfo); + r->out.validation.sam = sam; + + sam->last_logon = server_info->last_logon; + sam->last_logoff = server_info->last_logoff; + sam->acct_expiry = server_info->acct_expiry; + sam->last_password_change = server_info->last_password_change; + sam->allow_password_change = server_info->allow_password_change; + sam->force_password_change = server_info->force_password_change; + + sam->account_name.string = talloc_strdup(mem_ctx, server_info->account_name); + sam->full_name.string = talloc_strdup(mem_ctx, server_info->full_name); + sam->logon_script.string = talloc_strdup(mem_ctx, server_info->account_name); + sam->profile_path.string = talloc_strdup(mem_ctx, server_info->profile_path); + sam->home_directory.string = talloc_strdup(mem_ctx, server_info->home_directory); + sam->home_drive.string = talloc_strdup(mem_ctx, server_info->home_drive); + + sam->logon_count = server_info->logon_count; + sam->bad_password_count = sam->bad_password_count; + sam->rid = server_info->user_sid->sub_auths[server_info->user_sid->num_auths-1]; + sam->primary_gid = server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1]; + sam->group_count = 0; + sam->groupids = NULL; + + sam->acct_flags = server_info->acct_flags; + + sam->domain.string = talloc_strdup(mem_ctx, server_info->domain); + + /* need to finish */ + + break; + } + case 3: + { + struct netr_SamInfo2 *sam; + sam = talloc_p(mem_ctx, struct netr_SamInfo2); + r->out.validation.sam2 = sam; + + break; + } + default: + break; + } + + r->out.authoritative = 1; + + return NT_STATUS_OK; +} +#else static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonSamLogon *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } - +#endif /* netr_LogonSamLogoff -- cgit From 46c88d561f9a5cbaf2b70e937fbc20dff6d31703 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 7 Jun 2004 08:54:49 +0000 Subject: r1061: The start of the SamLogon call for the NETLOGON pipe. Changes: - Check for a valid 'pipe_state' in netr_ServerAuthenticate3 before we dereference it - removes the expansionroom[7] in the netr_SamInfo* structs to 7 individual elements. - renames netr_SamInfo -> netr_SamInfo2 netr_SamInfo2 -> netr_SamInfo3 - Having the thing we always called an 'info3' being 'netr_SamInfo2' was just too confusing. - Expand and fill in extra details about users from the SAM, into the server_info, for processing into the SamLogon reply. - Add a dum_sid_dup() function to duplicate a struct dom_sid The SamLogon code currently does not return supplementary groups, and is only tested with Samba4 smbtorture. Andrew Bartlett (This used to be commit 6c92563b7961f15fc74b02601e105d5e1d04f04d) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 185 +++++++++++++++++++------- 1 file changed, 135 insertions(+), 50 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index bfc5e3b759..933f28d84a 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -228,7 +228,6 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL return nt_status; } - static NTSTATUS netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerAuthenticate *r) { @@ -302,12 +301,12 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO const char **domain_attrs = attrs; ZERO_STRUCT(mod); - if (!netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator)) { + if (!pipe_state) { + DEBUG(1, ("No challenge requested by client, cannot authenticate\n")); return NT_STATUS_ACCESS_DENIED; } - if (!pipe_state) { - DEBUG(1, ("No challenge requested by client, cannot authenticate\n")); + if (!netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator)) { return NT_STATUS_ACCESS_DENIED; } @@ -426,8 +425,6 @@ static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX */ -#if 0 - static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonSamLogon *r) { @@ -438,8 +435,24 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT struct auth_serversupplied_info *server_info; NTSTATUS nt_status; const uint8_t *chal; + static const char zeros[16]; + struct netr_SamInfo2 *sam2; + struct netr_SamInfo3 *sam; - + if (!pipe_state) { + DEBUG(1, ("No challenge requested by client, cannot authenticate\n")); + return NT_STATUS_ACCESS_DENIED; + } + + r->out.return_authenticator = talloc_p(mem_ctx, struct netr_Authenticator); + if (!r->out.return_authenticator) { + return NT_STATUS_NO_MEMORY; + } + + if (!netr_creds_server_step_check(pipe_state, r->in.credential, r->out.return_authenticator)) { + return NT_STATUS_ACCESS_DENIED; + } + switch (r->in.logon_level) { case 1: case 3: @@ -476,8 +489,8 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT r->in.logon.network->identity_info.account_name.string, r->in.logon.network->identity_info.domain_name.string, r->in.logon.network->identity_info.workstation.string, - r->in.logon.network->nt.data, r->in.logon.network->nt.length, - r->in.logon.network->lm.data, r->in.logon.network->lm.length); + r->in.logon.network->lm.data, r->in.logon.network->lm.length, + r->in.logon.network->nt.data, r->in.logon.network->nt.length); break; default: free_auth_context(&auth_context); @@ -498,48 +511,127 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT } free_auth_context(&auth_context); + sam = talloc_p(mem_ctx, struct netr_SamInfo3); + + sam->last_logon = server_info->last_logon; + sam->last_logoff = server_info->last_logoff; + sam->acct_expiry = server_info->acct_expiry; + sam->last_password_change = server_info->last_password_change; + sam->allow_password_change = server_info->allow_password_change; + sam->force_password_change = server_info->force_password_change; + + sam->account_name.string = talloc_strdup(mem_ctx, server_info->account_name); + sam->full_name.string = talloc_strdup(mem_ctx, server_info->full_name); + sam->logon_script.string = talloc_strdup(mem_ctx, server_info->account_name); + sam->profile_path.string = talloc_strdup(mem_ctx, server_info->profile_path); + sam->home_directory.string = talloc_strdup(mem_ctx, server_info->home_directory); + sam->home_drive.string = talloc_strdup(mem_ctx, server_info->home_drive); + + sam->logon_count = server_info->logon_count; + sam->bad_password_count = sam->bad_password_count; + sam->rid = server_info->user_sid->sub_auths[server_info->user_sid->num_auths-1]; + sam->primary_gid = server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1]; + sam->group_count = 0; + sam->groupids = NULL; + + sam->acct_flags = server_info->acct_flags; + + sam->logon_server.string = lp_netbios_name(); + + sam->domain.string = talloc_strdup(mem_ctx, server_info->domain); + + sam->domain_sid = dom_sid_dup(mem_ctx, server_info->user_sid); + sam->domain_sid->num_auths--; + + sam->sidcount = 0; + sam->sids = NULL; + + if (server_info->user_session_key.length == sizeof(sam->key.key)) { + memcpy(sam->key.key, server_info->user_session_key.data, sizeof(sam->key.key)); + } else { + ZERO_STRUCT(sam->key.key); + } + + if (memcmp(sam->key.key, zeros, + sizeof(sam->key.key)) != 0) { + /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ + creds_arcfour_crypt(pipe_state->creds, + sam->key.key, + sizeof(sam->key.key)); + } + + if (server_info->lm_session_key.length == sizeof(sam->LMSessKey.key)) { + memcpy(sam->LMSessKey.key, server_info->lm_session_key.data, + sizeof(sam->LMSessKey.key)); + } else { + ZERO_STRUCT(sam->LMSessKey.key); + } + + if (memcmp(sam->LMSessKey.key, zeros, + sizeof(sam->LMSessKey.key)) != 0) { + creds_arcfour_crypt(pipe_state->creds, + sam->LMSessKey.key, + sizeof(sam->LMSessKey.key)); + } + switch (r->in.validation_level) { case 2: { - struct netr_SamInfo *sam; - sam = talloc_p(mem_ctx, struct netr_SamInfo); - r->out.validation.sam = sam; - - sam->last_logon = server_info->last_logon; - sam->last_logoff = server_info->last_logoff; - sam->acct_expiry = server_info->acct_expiry; - sam->last_password_change = server_info->last_password_change; - sam->allow_password_change = server_info->allow_password_change; - sam->force_password_change = server_info->force_password_change; - - sam->account_name.string = talloc_strdup(mem_ctx, server_info->account_name); - sam->full_name.string = talloc_strdup(mem_ctx, server_info->full_name); - sam->logon_script.string = talloc_strdup(mem_ctx, server_info->account_name); - sam->profile_path.string = talloc_strdup(mem_ctx, server_info->profile_path); - sam->home_directory.string = talloc_strdup(mem_ctx, server_info->home_directory); - sam->home_drive.string = talloc_strdup(mem_ctx, server_info->home_drive); - - sam->logon_count = server_info->logon_count; - sam->bad_password_count = sam->bad_password_count; - sam->rid = server_info->user_sid->sub_auths[server_info->user_sid->num_auths-1]; - sam->primary_gid = server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1]; - sam->group_count = 0; - sam->groupids = NULL; - - sam->acct_flags = server_info->acct_flags; - - sam->domain.string = talloc_strdup(mem_ctx, server_info->domain); - - /* need to finish */ + sam2 = talloc_p(mem_ctx, struct netr_SamInfo2); + r->out.validation.sam2 = sam2; + sam2->last_logon = sam->last_logon; + sam2->last_logoff = sam->last_logoff; + sam2->acct_expiry = sam->acct_expiry; + + sam2->last_password_change = sam->last_password_change; + sam2->allow_password_change = sam->allow_password_change; + + sam2->force_password_change = sam->force_password_change; + + + sam2->account_name = sam->account_name; + sam2->full_name = sam->full_name; + sam2->logon_script = sam->logon_script; + sam2->profile_path = sam->profile_path; + sam2->home_directory = sam->home_directory; + sam2->home_drive = sam->home_drive; + + sam2->logon_count = sam->logon_count; + sam2->bad_password_count = sam->bad_password_count; + sam2->rid = sam->rid; + sam2->primary_gid = sam->primary_gid; + sam2->group_count = sam->group_count; + sam2->groupids = sam->groupids; + + sam2->acct_flags = sam->acct_flags; + + sam2->key = sam->key; + + sam2->logon_server = sam->logon_server; + + sam2->domain = sam->domain; + + sam2->domain_sid = sam->domain_sid; + + sam2->LMSessKey = sam->LMSessKey; + + sam2->AccountControl = sam->AccountControl; + + /* can we implicit memcpy an array? */ + + sam2->unknown1 = sam->unknown1; + sam2->unknown2 = sam->unknown2; + sam2->unknown3 = sam->unknown3; + sam2->unknown4 = sam->unknown4; + sam2->unknown5 = sam->unknown5; + sam2->unknown6 = sam->unknown6; + sam2->unknown7 = sam->unknown7; break; } case 3: { - struct netr_SamInfo2 *sam; - sam = talloc_p(mem_ctx, struct netr_SamInfo2); - r->out.validation.sam2 = sam; - + r->out.validation.sam3 = sam; break; } default: @@ -550,13 +642,6 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT return NT_STATUS_OK; } -#else -static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_LogonSamLogon *r) -{ - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); -} -#endif /* netr_LogonSamLogoff -- cgit From f3826432fb14b1e10516afe9f6525aab7c1b720f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 7 Jun 2004 22:17:51 +0000 Subject: r1080: Make sure to initialise all the returned elements in the SamLogon reply also initialise the LM session key, when we have it (was failing because the auth code was setting it's length wrong). Andrew Bartlett (This used to be commit de97d9df224f769953e850a276515923a830839c) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 933f28d84a..301f2ed041 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -543,6 +543,16 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT sam->domain_sid = dom_sid_dup(mem_ctx, server_info->user_sid); sam->domain_sid->num_auths--; + sam->AccountControl = 0; + + sam->unknown1 = 0; + sam->unknown2 = 0; + sam->unknown3 = 0; + sam->unknown4 = 0; + sam->unknown5 = 0; + sam->unknown6 = 0; + sam->unknown7 = 0; + sam->sidcount = 0; sam->sids = NULL; @@ -552,9 +562,9 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT ZERO_STRUCT(sam->key.key); } + /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ if (memcmp(sam->key.key, zeros, sizeof(sam->key.key)) != 0) { - /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ creds_arcfour_crypt(pipe_state->creds, sam->key.key, sizeof(sam->key.key)); @@ -567,6 +577,7 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT ZERO_STRUCT(sam->LMSessKey.key); } + /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ if (memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) { creds_arcfour_crypt(pipe_state->creds, @@ -584,11 +595,9 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT sam2->acct_expiry = sam->acct_expiry; sam2->last_password_change = sam->last_password_change; - sam2->allow_password_change = sam->allow_password_change; - - sam2->force_password_change = sam->force_password_change; + sam2->allow_password_change = sam->allow_password_change; + sam2->force_password_change = sam->force_password_change; - sam2->account_name = sam->account_name; sam2->full_name = sam->full_name; sam2->logon_script = sam->logon_script; @@ -617,8 +626,6 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT sam2->AccountControl = sam->AccountControl; - /* can we implicit memcpy an array? */ - sam2->unknown1 = sam->unknown1; sam2->unknown2 = sam->unknown2; sam2->unknown3 = sam->unknown3; -- cgit From bccac81d8792f85ae37d4a6617a92e2fae75aa50 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 14 Jun 2004 08:12:50 +0000 Subject: r1136: - added IDL for netr_LogonGetDomainInfo() - added workstation to auth_session_info in rpc servers - added session key fetch hook in crypto backends in dcesrv - store and fetch seed as well as a session key in schannel ldb - when a client uses schannel to setup a netlogon pipe connection we also need to setup the credentials from the schannel negotiation so credentials chaining works - added server side netr_LogonGetDomainInfo() call (This used to be commit a35459387de3b6a422c5af6f658338fc7e4314b0) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 172 +++++++++++++++++++++++++- 1 file changed, 168 insertions(+), 4 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 301f2ed041..8d7b97802f 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -35,10 +35,72 @@ struct server_pipe_state { struct creds_CredentialState *creds; }; + +/* + a client has connected to the netlogon server using schannel, so we need + to re-establish the credentials state +*/ +static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) +{ + struct server_pipe_state *state; + NTSTATUS status; + TALLOC_CTX *mem_ctx; + + mem_ctx = talloc_init("netlogon_bind"); + if (!mem_ctx) { + return NT_STATUS_NO_MEMORY; + } + state = talloc_p(mem_ctx, struct server_pipe_state); + if (state == NULL) { + talloc_destroy(mem_ctx); + } + ZERO_STRUCTP(state); + state->mem_ctx = mem_ctx; + state->authenticated = True; + + state->creds = talloc_p(mem_ctx, struct creds_CredentialState); + if (state->creds == NULL) { + talloc_destroy(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + ZERO_STRUCTP(state->creds); + + if (dce_call->conn->auth_state.session_info == NULL) { + talloc_destroy(mem_ctx); + return NT_STATUS_NO_USER_SESSION_KEY; + } + + status = schannel_fetch_session_key(mem_ctx, + dce_call->conn->auth_state.session_info->workstation, + state->creds); + if (!NT_STATUS_IS_OK(status)) { + talloc_destroy(mem_ctx); + return status; + } + + dce_call->conn->private = state; + + return NT_STATUS_OK; +} + +/* + a hook for bind on the netlogon pipe +*/ static NTSTATUS netlogon_bind(struct dcesrv_call_state *dce_call, const struct dcesrv_interface *di) { dce_call->conn->private = NULL; + /* if this is a schannel bind then we need to reconstruct the pipe state */ + if (dce_call->conn->auth_state.auth_info && + dce_call->conn->auth_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + NTSTATUS status; + + status = netlogon_schannel_setup(dce_call); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + } + return NT_STATUS_OK; } @@ -861,13 +923,115 @@ static WERROR netr_DSRGETSITENAME(struct dcesrv_call_state *dce_call, TALLOC_CTX } +/* + fill in a netr_DomainTrustInfo from a ldb search result +*/ +static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message *res, + struct netr_DomainTrustInfo *info) +{ + ZERO_STRUCTP(info); + + info->domainname.string = samdb_result_string(res, "flatName", NULL); + if (info->domainname.string == NULL) { + info->domainname.string = samdb_result_string(res, "name", NULL); + info->fulldomainname.string = samdb_result_string(res, "dnsDomain", NULL); + } else { + info->fulldomainname.string = samdb_result_string(res, "name", NULL); + } + + /* TODO: we need proper forest support */ + info->forest.string = info->fulldomainname.string; + + info->guid = samdb_result_guid(res, "objectGUID"); + info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid"); + + return NT_STATUS_OK; +} + /* - netr_NETRLOGONGETDOMAININFO + netr_LogonGetDomainInfo + this is called as part of the ADS domain logon procedure. */ -static WERROR netr_NETRLOGONGETDOMAININFO(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_NETRLOGONGETDOMAININFO *r) +static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonGetDomainInfo *r) { - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); + struct server_pipe_state *pipe_state = dce_call->conn->private; + const char * const attrs[] = { "name", "dnsDomain", "objectSid", + "objectGUID", "flatName", NULL }; + void *sam_ctx; + struct ldb_message **res1, **res2; + struct netr_DomainInfo1 *info1; + int ret1, ret2, i; + NTSTATUS status; + + if (!pipe_state) { + return NT_STATUS_ACCESS_DENIED; + } + + if (!netr_creds_server_step_check(pipe_state, + r->in.credential, r->out.credential)) { + return NT_STATUS_ACCESS_DENIED; + } + + sam_ctx = samdb_connect(); + if (sam_ctx == NULL) { + return NT_STATUS_INVALID_SYSTEM_SERVICE; + } + + /* we need to do two searches. The first will pull our primary + domain and the second will pull any trusted domains. Our + primary domain is also a "trusted" domain, so we need to + put the primary domain into the lists of returned trusts as + well */ + ret1 = samdb_search(sam_ctx, mem_ctx, NULL, &res1, attrs, "(objectClass=domainDNS)"); + if (ret1 != 1) { + samdb_close(sam_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + ret2 = samdb_search(sam_ctx, mem_ctx, NULL, &res2, attrs, "(objectClass=trustedDomain)"); + if (ret2 == -1) { + samdb_close(sam_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + /* we don't need the db link any more */ + samdb_close(sam_ctx); + + info1 = talloc_p(mem_ctx, struct netr_DomainInfo1); + if (info1 == NULL) { + return NT_STATUS_NO_MEMORY; + } + + ZERO_STRUCTP(info1); + + info1->num_trusts = ret2 + 1; + info1->trusts = talloc_array_p(mem_ctx, struct netr_DomainTrustInfo, + info1->num_trusts); + if (info1->trusts == NULL) { + return NT_STATUS_NO_MEMORY; + } + + status = fill_domain_trust_info(mem_ctx, res1[0], &info1->domaininfo); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[0]); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + for (i=0;itrusts[i+1]); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + } + + r->out.info.info1 = info1; + + return NT_STATUS_OK; } -- cgit From a384d2f1a1d54ba25e2a78006e260c99bd7362f4 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 14 Jun 2004 09:31:47 +0000 Subject: r1139: added IDL and server code for netr_LogonSamLogonWithFlags() (This used to be commit 4eac7340d8d7a109bed8fe7bb7cf663d6e7f0a56) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 49 ++++++++++++++++++--------- 1 file changed, 33 insertions(+), 16 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 8d7b97802f..dc0b8582fe 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -481,14 +481,11 @@ static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX /* - netr_LogonSamLogon - - + netr_LogonSamLogonWithFlags */ - -static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_LogonSamLogon *r) +static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonSamLogonWithFlags *r) { struct server_pipe_state *pipe_state = dce_call->conn->private; @@ -712,6 +709,36 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT return NT_STATUS_OK; } +/* + netr_LogonSamLogon +*/ +static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonSamLogon *r) +{ + struct netr_LogonSamLogonWithFlags r2; + NTSTATUS status; + + ZERO_STRUCT(r2); + + r2.in.server_name = r->in.server_name; + r2.in.workstation = r->in.workstation; + r2.in.credential = r->in.credential; + r2.in.return_authenticator = r->in.return_authenticator; + r2.in.logon_level = r->in.logon_level; + r2.in.logon = r->in.logon; + r2.in.validation_level = r->in.validation_level; + r2.in.flags = 0; + + status = netr_LogonSamLogonWithFlags(dce_call, mem_ctx, &r2); + + r->out.return_authenticator = r2.out.return_authenticator; + r->out.validation = r2.out.validation; + r->out.authoritative = r2.out.authoritative; + + return status; +} + + /* netr_LogonSamLogoff */ @@ -1233,16 +1260,6 @@ static WERROR netr_NETRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_c } -/* - netr_NETRLOGONSAMLOGONWITHFLAGS -*/ -static WERROR netr_NETRLOGONSAMLOGONWITHFLAGS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_NETRLOGONSAMLOGONWITHFLAGS *r) -{ - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); -} - - /* netr_NETRSERVERGETTRUSTINFO */ -- cgit From 7ae1735798250a7625dfd8d005c08cc8302f400f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 14 Jun 2004 12:06:53 +0000 Subject: r1141: - consolidated the netr_SamInfo structures using a netr_SamBaseInfo structure (andrew, this is the type of structure consolidation I think you were asking about. It's possible here in NDR as it isn't in the top level fn code) - added validation level 6 in sam logon With these changes I can successfully authentication smbclient to a winxp server, with the winxp server using a Samba4 ADS DC for account auth (This used to be commit 705205083a6e2430c420f44436a1d1ff8826bc73) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 86 ++++++++------------------- 1 file changed, 24 insertions(+), 62 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index dc0b8582fe..603d90f440 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -495,8 +495,10 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, NTSTATUS nt_status; const uint8_t *chal; static const char zeros[16]; + struct netr_SamBaseInfo *sam; struct netr_SamInfo2 *sam2; - struct netr_SamInfo3 *sam; + struct netr_SamInfo3 *sam3; + struct netr_SamInfo6 *sam6; if (!pipe_state) { DEBUG(1, ("No challenge requested by client, cannot authenticate\n")); @@ -570,7 +572,9 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, } free_auth_context(&auth_context); - sam = talloc_p(mem_ctx, struct netr_SamInfo3); + sam = talloc_p(mem_ctx, struct netr_SamBaseInfo); + + ZERO_STRUCTP(sam); sam->last_logon = server_info->last_logon; sam->last_logoff = server_info->last_logoff; @@ -603,17 +607,6 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, sam->domain_sid->num_auths--; sam->AccountControl = 0; - - sam->unknown1 = 0; - sam->unknown2 = 0; - sam->unknown3 = 0; - sam->unknown4 = 0; - sam->unknown5 = 0; - sam->unknown6 = 0; - sam->unknown7 = 0; - - sam->sidcount = 0; - sam->sids = NULL; if (server_info->user_session_key.length == sizeof(sam->key.key)) { memcpy(sam->key.key, server_info->user_session_key.data, sizeof(sam->key.key)); @@ -646,60 +639,29 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, switch (r->in.validation_level) { case 2: - { sam2 = talloc_p(mem_ctx, struct netr_SamInfo2); + ZERO_STRUCTP(sam2); + sam2->base = *sam; r->out.validation.sam2 = sam2; - sam2->last_logon = sam->last_logon; - sam2->last_logoff = sam->last_logoff; - sam2->acct_expiry = sam->acct_expiry; - - sam2->last_password_change = sam->last_password_change; - sam2->allow_password_change = sam->allow_password_change; - sam2->force_password_change = sam->force_password_change; - - sam2->account_name = sam->account_name; - sam2->full_name = sam->full_name; - sam2->logon_script = sam->logon_script; - sam2->profile_path = sam->profile_path; - sam2->home_directory = sam->home_directory; - sam2->home_drive = sam->home_drive; - - sam2->logon_count = sam->logon_count; - sam2->bad_password_count = sam->bad_password_count; - sam2->rid = sam->rid; - sam2->primary_gid = sam->primary_gid; - sam2->group_count = sam->group_count; - sam2->groupids = sam->groupids; - - sam2->acct_flags = sam->acct_flags; - - sam2->key = sam->key; - - sam2->logon_server = sam->logon_server; - - sam2->domain = sam->domain; - - sam2->domain_sid = sam->domain_sid; - - sam2->LMSessKey = sam->LMSessKey; - - sam2->AccountControl = sam->AccountControl; - - sam2->unknown1 = sam->unknown1; - sam2->unknown2 = sam->unknown2; - sam2->unknown3 = sam->unknown3; - sam2->unknown4 = sam->unknown4; - sam2->unknown5 = sam->unknown5; - sam2->unknown6 = sam->unknown6; - sam2->unknown7 = sam->unknown7; - break; - } + case 3: - { - r->out.validation.sam3 = sam; + sam3 = talloc_p(mem_ctx, struct netr_SamInfo3); + ZERO_STRUCTP(sam3); + sam3->base = *sam; + r->out.validation.sam3 = sam3; break; - } + + case 6: + sam6 = talloc_p(mem_ctx, struct netr_SamInfo6); + ZERO_STRUCTP(sam6); + sam6->base = *sam; + sam6->forest.string = sam->domain.string; + sam6->principle.string = talloc_asprintf(mem_ctx, "%s@%s", + sam->account_name.string, sam->domain.string); + r->out.validation.sam6 = sam6; + break; + default: break; } -- cgit From ef34f4de254a790cba45a6d05b4be4b48fe04eb8 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 14 Jun 2004 13:21:37 +0000 Subject: r1145: added server support for logon level 5 in sam logon (This used to be commit cb3d3b5e51dc9d52854c922b0c50686284ac8f1b) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 603d90f440..aa7c9eb019 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -517,6 +517,7 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, switch (r->in.logon_level) { case 1: case 3: + case 5: creds_arcfour_crypt(pipe_state->creds, r->in.logon.password->lmpassword.hash, sizeof(r->in.logon.password->lmpassword.hash)); -- cgit From 5b044b30ca6a9595b88b676e9ab282555bf29b84 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 15 Jun 2004 03:53:21 +0000 Subject: r1150: - fixed interactive sam logon in the rpc server - added a torture test for interactive login in smbtorture These changes allow winxp to perform an interactive login (a login on the winxp console) against a Samba4 DC. Our netlogon server code is still filling in many of the fields incorrectly, but it fills in enough that winxp can login. (This used to be commit db9ea488b047b5f0f7538fd75fb7dde8277eb06b) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index aa7c9eb019..c3b1bfc516 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -586,7 +586,7 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, sam->account_name.string = talloc_strdup(mem_ctx, server_info->account_name); sam->full_name.string = talloc_strdup(mem_ctx, server_info->full_name); - sam->logon_script.string = talloc_strdup(mem_ctx, server_info->account_name); + sam->logon_script.string = talloc_strdup(mem_ctx, server_info->logon_script); sam->profile_path.string = talloc_strdup(mem_ctx, server_info->profile_path); sam->home_directory.string = talloc_strdup(mem_ctx, server_info->home_directory); sam->home_drive.string = talloc_strdup(mem_ctx, server_info->home_drive); @@ -597,9 +597,8 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, sam->primary_gid = server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1]; sam->group_count = 0; sam->groupids = NULL; - - sam->acct_flags = server_info->acct_flags; - + sam->user_flags = 0; /* TODO: w2k3 uses 0x120 - what is this? */ + sam->acct_flags = server_info->acct_flags; sam->logon_server.string = lp_netbios_name(); sam->domain.string = talloc_strdup(mem_ctx, server_info->domain); @@ -607,8 +606,6 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, sam->domain_sid = dom_sid_dup(mem_ctx, server_info->user_sid); sam->domain_sid->num_auths--; - sam->AccountControl = 0; - if (server_info->user_session_key.length == sizeof(sam->key.key)) { memcpy(sam->key.key, server_info->user_session_key.data, sizeof(sam->key.key)); } else { @@ -657,9 +654,9 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, sam6 = talloc_p(mem_ctx, struct netr_SamInfo6); ZERO_STRUCTP(sam6); sam6->base = *sam; - sam6->forest.string = sam->domain.string; + sam6->forest.string = lp_realm(); sam6->principle.string = talloc_asprintf(mem_ctx, "%s@%s", - sam->account_name.string, sam->domain.string); + sam->account_name.string, sam6->forest.string); r->out.validation.sam6 = sam6; break; -- cgit From cf5fdae640e3678a68279b728d19a8aefb1b09ec Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 24 Jun 2004 00:08:15 +0000 Subject: r1234: valgrind found this uninitialised var... But I don't know how to fix this correct, so maybe this needs to be fixed (tridge: can you please look at this) metze (This used to be commit b8b4d0d5bf037c79102709ea995ad8b8d6a9caff) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index c3b1bfc516..ee3970d0f2 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -294,7 +294,14 @@ static NTSTATUS netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALL struct netr_ServerAuthenticate *r) { struct netr_ServerAuthenticate3 r3; - uint32 negotiate_flags, rid; + uint32_t rid; + /* TODO: + * negotiate_flags is used as an [in] parameter + * so it need to be initialised. + * + * (I think ... = 0; seems wrong here --metze) + */ + uint32 negotiate_flags = 0; r3.in.server_name = r->in.server_name; r3.in.account_name = r->in.account_name; -- cgit From db8c78c497be9406d45acd4cff1ebbb566c0356a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 24 Jun 2004 00:25:38 +0000 Subject: r1235: as the pidl code init all output data. we should do it manualy too. metze (This used to be commit d3b80fd40a07575c18593523070986b7aed6de92) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index ee3970d0f2..80bbb6b583 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -294,7 +294,7 @@ static NTSTATUS netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALL struct netr_ServerAuthenticate *r) { struct netr_ServerAuthenticate3 r3; - uint32_t rid; + uint32_t rid = 0; /* TODO: * negotiate_flags is used as an [in] parameter * so it need to be initialised. @@ -320,7 +320,7 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL struct netr_ServerAuthenticate2 *r) { struct netr_ServerAuthenticate3 r3; - uint32 rid; + uint32 rid = 0; r3.in.server_name = r->in.server_name; r3.in.account_name = r->in.account_name; -- cgit From dc9f55dbec5f892b39d924d5fd033b5eec1e14e4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 29 Jun 2004 09:40:10 +0000 Subject: r1294: A nice, large, commit... This implements gensec for Samba's server side, and brings gensec up to the standards of a full subsystem. This means that use of the subsystem is by gensec_* functions, not function pointers in structures (this is internal). This causes changes in all the existing gensec users. Our RPC server no longer contains it's own generalised security scheme, and now calls gensec directly. Gensec has also taken over the role of auth/auth_ntlmssp.c An important part of gensec, is the output of the 'session_info' struct. This is now reference counted, so that we can correctly free it when a pipe is closed, no matter if it was inherited, or created by per-pipe authentication. The schannel code is reworked, to be in the same file for client and server. ntlm_auth is reworked to use gensec. The major problem with this code is the way it relies on subsystem auto-initialisation. The primary reason for this commit now.is to allow these problems to be looked at, and fixed. There are problems with the new code: - I've tested it with smbtorture, but currently don't have VMware and valgrind working (this I'll fix soon). - The SPNEGO code is client-only at this point. - We still do not do kerberos. Andrew Bartlett (This used to be commit 07fd885fd488fd1051eacc905a2d4962f8a018ec) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 80bbb6b583..7eb4c0e815 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -58,21 +58,15 @@ static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) state->mem_ctx = mem_ctx; state->authenticated = True; - state->creds = talloc_p(mem_ctx, struct creds_CredentialState); - if (state->creds == NULL) { - talloc_destroy(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - ZERO_STRUCTP(state->creds); - if (dce_call->conn->auth_state.session_info == NULL) { talloc_destroy(mem_ctx); return NT_STATUS_NO_USER_SESSION_KEY; } - status = schannel_fetch_session_key(mem_ctx, - dce_call->conn->auth_state.session_info->workstation, - state->creds); + status = dcerpc_schannel_creds(dce_call->conn->auth_state.gensec_security, + mem_ctx, + &state->creds); + if (!NT_STATUS_IS_OK(status)) { talloc_destroy(mem_ctx); return status; -- cgit From b82881591cd1c63ed28d14ab31a652ef5319b2d0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 5 Jul 2004 07:24:14 +0000 Subject: r1335: NT_STATUS_INTERNAL_DB_CORRUPTION should cause DEBUG(0,(...)); metze (This used to be commit 80851e67783a9c3c8bdd7f2b52e0b46dd7b18d05) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 7eb4c0e815..9f0ca5443a 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -199,7 +199,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL } if (num_records > 1) { - DEBUG(1,("Found %d records matching user [%s]\n", num_records, r->in.account_name)); + DEBUG(0,("Found %d records matching user [%s]\n", num_records, r->in.account_name)); samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -390,7 +390,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO } if (num_records > 1) { - DEBUG(1,("Found %d records matching user [%s]\n", num_records, + DEBUG(0,("Found %d records matching user [%s]\n", num_records, pipe_state->account_name)); samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; @@ -399,7 +399,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid"); if (!domain_sid) { samdb_close(sam_ctx); - DEBUG(1,("no objectSid in user record\n")); + DEBUG(0,("no objectSid in user record\n")); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -417,7 +417,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO } if (num_records_domain > 1) { - DEBUG(1,("Found %d records matching domain [%s]\n", + DEBUG(0,("Found %d records matching domain [%s]\n", num_records_domain, domain_sid)); samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; -- cgit From f607197054436a8195e3d0a695fe31574b418059 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 14 Jul 2004 12:14:07 +0000 Subject: r1498: (merge from 3.0) Rework our random number generation system. On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). This also requires that we start the secrets subsystem, as that is where the reseed value is stored, for systems without /dev/urandom. In order to aviod identical streams in forked children, the random state is re-initialised after the fork(), at the same point were we do that to the tdbs. Andrew Bartlett (This used to be commit b97d3cb2efd68310b1aea8a3ac40a64979c8cdae) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 9f0ca5443a..a4ef06128c 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -150,8 +150,7 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL pipe_state->client_challenge = *r->in.credentials; generate_random_buffer(pipe_state->server_challenge.data, - sizeof(pipe_state->server_challenge.data), - False); + sizeof(pipe_state->server_challenge.data)); *r->out.credentials = pipe_state->server_challenge; -- cgit From b83ba93eaeb2dcb0bf11615591d886fda84e4162 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 21 Aug 2004 01:54:46 +0000 Subject: r1983: a completely new implementation of talloc This version does the following: 1) talloc_free(), talloc_realloc() and talloc_steal() lose their (redundent) first arguments 2) you can use _any_ talloc pointer as a talloc context to allocate more memory. This allows you to create complex data structures where the top level structure is the logical parent of the next level down, and those are the parents of the level below that. Then destroy either the lot with a single talloc_free() or destroy any sub-part with a talloc_free() of that part 3) you can name any pointer. Use talloc_named() which is just like talloc() but takes the printf style name argument as well as the parent context and the size. The whole thing ends up being a very simple piece of code, although some of the pointer walking gets hairy. So far, I'm just using the new talloc() like the old one. The next step is to actually take advantage of the new interface properly. Expect some new commits soon that simplify some common coding styles in samba4 by using the new talloc(). (This used to be commit e35bb094c52e550b3105dd1638d8d90de71d854f) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index a4ef06128c..d01c0c577b 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -265,14 +265,14 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL if (pipe_state->account_name) { /* We don't want a memory leak on this long-lived talloc context */ - talloc_free(pipe_state->mem_ctx, pipe_state->account_name); + talloc_free(pipe_state->account_name); } pipe_state->account_name = talloc_strdup(pipe_state->mem_ctx, r->in.account_name); if (pipe_state->computer_name) { /* We don't want a memory leak on this long-lived talloc context */ - talloc_free(pipe_state->mem_ctx, pipe_state->account_name); + talloc_free(pipe_state->account_name); } pipe_state->computer_name = talloc_strdup(pipe_state->mem_ctx, r->in.computer_name); -- cgit From aca6a1e1ee46fea49a5290613347d2f1d4b235c8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 23 Aug 2004 05:51:38 +0000 Subject: r1993: Allow WinXP domain logon to progress a bit further (it seems broken for me). Fix indent, and add a few more useful debug messages. Send a fault, if the bind is not accepted - don't just leave the client hanging. Andrew Bartlett (This used to be commit 486215edc1148ad754632be37760dc0d38b0340d) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index d01c0c577b..b58a33ded1 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -53,6 +53,7 @@ static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) state = talloc_p(mem_ctx, struct server_pipe_state); if (state == NULL) { talloc_destroy(mem_ctx); + return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(state); state->mem_ctx = mem_ctx; @@ -60,6 +61,7 @@ static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) if (dce_call->conn->auth_state.session_info == NULL) { talloc_destroy(mem_ctx); + smb_panic("No session info provided by schannel level setup!"); return NT_STATUS_NO_USER_SESSION_KEY; } @@ -68,6 +70,7 @@ static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) &state->creds); if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("getting schannel credentials failed with %s\n", nt_errstr(status))); talloc_destroy(mem_ctx); return status; } @@ -89,8 +92,11 @@ static NTSTATUS netlogon_bind(struct dcesrv_call_state *dce_call, const struct d dce_call->conn->auth_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { NTSTATUS status; + DEBUG(5, ("schannel bind on netlogon\n")); + status = netlogon_schannel_setup(dce_call); if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("schannel bind on netlogon failed with %s\n", nt_errstr(status))); return status; } } @@ -190,16 +196,16 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL "(&(sAMAccountName=%s)(objectclass=user))", r->in.account_name); + samdb_close(sam_ctx); + if (num_records == 0) { DEBUG(3,("Couldn't find user [%s] in samdb.\n", r->in.account_name)); - samdb_close(sam_ctx); return NT_STATUS_NO_SUCH_USER; } if (num_records > 1) { DEBUG(0,("Found %d records matching user [%s]\n", num_records, r->in.account_name)); - samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -239,12 +245,9 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL nt_status = samdb_result_passwords(mem_ctx, msgs[0], NULL, &mach_pwd); if (!NT_STATUS_IS_OK(nt_status) || mach_pwd == NULL) { - samdb_close(sam_ctx); return NT_STATUS_ACCESS_DENIED; } - samdb_close(sam_ctx); - if (!pipe_state->creds) { pipe_state->creds = talloc_p(pipe_state->mem_ctx, struct creds_CredentialState); if (!pipe_state->creds) { -- cgit From ede02ee03867d2f6582c446fcab0882072baaa5a Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 25 Aug 2004 06:44:23 +0000 Subject: r2051: switched the samdb over to using the new destructor and reference count features of talloc, instead of re-implementing both those features inside of samdb (which is what we did before). This makes samdb considerably simpler, and also fixes some bugs, as I found some error paths that didn't call samdb_close(). Those are now handled by the fact that a talloc_free() will auto-close and destroy the samdb context, using a destructor. (This used to be commit da60987a92266734c33b81ee217081abdc4330f3) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 26 ++++---------------------- 1 file changed, 4 insertions(+), 22 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index b58a33ded1..de41838da5 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -187,7 +187,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL return NT_STATUS_ACCESS_DENIED; } - sam_ctx = samdb_connect(); + sam_ctx = samdb_connect(mem_ctx); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -196,8 +196,6 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL "(&(sAMAccountName=%s)(objectclass=user))", r->in.account_name); - samdb_close(sam_ctx); - if (num_records == 0) { DEBUG(3,("Couldn't find user [%s] in samdb.\n", r->in.account_name)); @@ -375,7 +373,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO return NT_STATUS_ACCESS_DENIED; } - sam_ctx = samdb_connect(); + sam_ctx = samdb_connect(mem_ctx); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -387,20 +385,17 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO if (num_records == 0) { DEBUG(3,("Couldn't find user [%s] in samdb.\n", pipe_state->account_name)); - samdb_close(sam_ctx); return NT_STATUS_NO_SUCH_USER; } if (num_records > 1) { DEBUG(0,("Found %d records matching user [%s]\n", num_records, pipe_state->account_name)); - samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid"); if (!domain_sid) { - samdb_close(sam_ctx); DEBUG(0,("no objectSid in user record\n")); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -414,14 +409,12 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO if (num_records_domain == 0) { DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n", domain_sid)); - samdb_close(sam_ctx); return NT_STATUS_NO_SUCH_USER; } if (num_records_domain > 1) { DEBUG(0,("Found %d records matching domain [%s]\n", num_records_domain, domain_sid)); - samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -429,7 +422,6 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO mod.dn = talloc_strdup(mem_ctx, msgs[0]->dn); if (!mod.dn) { - samdb_close(sam_ctx); return NT_STATUS_NO_MEMORY; } @@ -446,19 +438,15 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO NULL); if (!NT_STATUS_IS_OK(nt_status)) { - samdb_close(sam_ctx); return nt_status; } ret = samdb_replace(sam_ctx, mem_ctx, msg_set_pw); if (ret != 0) { /* we really need samdb.c to return NTSTATUS */ - - samdb_close(sam_ctx); return NT_STATUS_UNSUCCESSFUL; } - samdb_close(sam_ctx); return NT_STATUS_OK; } @@ -963,7 +951,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_ACCESS_DENIED; } - sam_ctx = samdb_connect(); + sam_ctx = samdb_connect(mem_ctx); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -975,19 +963,14 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL well */ ret1 = samdb_search(sam_ctx, mem_ctx, NULL, &res1, attrs, "(objectClass=domainDNS)"); if (ret1 != 1) { - samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } ret2 = samdb_search(sam_ctx, mem_ctx, NULL, &res2, attrs, "(objectClass=trustedDomain)"); if (ret2 == -1) { - samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } - /* we don't need the db link any more */ - samdb_close(sam_ctx); - info1 = talloc_p(mem_ctx, struct netr_DomainInfo1); if (info1 == NULL) { return NT_STATUS_NO_MEMORY; @@ -1139,14 +1122,13 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, ZERO_STRUCT(r->out); - sam_ctx = samdb_connect(); + sam_ctx = samdb_connect(mem_ctx); if (sam_ctx == NULL) { return WERR_GENERAL_FAILURE; } ret = samdb_search(sam_ctx, mem_ctx, NULL, &res, attrs, "(objectClass=domainDNS)"); if (ret == -1) { - samdb_close(sam_ctx); return WERR_GENERAL_FAILURE; } -- cgit From 8293df91bcec574fb4a2b290cc11dd83353264ae Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 8 Sep 2004 00:00:56 +0000 Subject: r2247: talloc_destroy -> talloc_free (This used to be commit 6c1a72c5d667245b1eec94f58e68acd22dd720ce) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index de41838da5..b6182d31c6 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -52,7 +52,7 @@ static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) } state = talloc_p(mem_ctx, struct server_pipe_state); if (state == NULL) { - talloc_destroy(mem_ctx); + talloc_free(mem_ctx); return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(state); @@ -60,7 +60,7 @@ static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) state->authenticated = True; if (dce_call->conn->auth_state.session_info == NULL) { - talloc_destroy(mem_ctx); + talloc_free(mem_ctx); smb_panic("No session info provided by schannel level setup!"); return NT_STATUS_NO_USER_SESSION_KEY; } @@ -71,7 +71,7 @@ static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("getting schannel credentials failed with %s\n", nt_errstr(status))); - talloc_destroy(mem_ctx); + talloc_free(mem_ctx); return status; } @@ -110,7 +110,7 @@ static void netlogon_unbind(struct dcesrv_connection *conn, const struct dcesrv_ struct server_pipe_state *pipe_state = conn->private; if (pipe_state) { - talloc_destroy(pipe_state->mem_ctx); + talloc_free(pipe_state->mem_ctx); } conn->private = NULL; @@ -130,7 +130,7 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL /* destroyed on pipe shutdown */ if (pipe_state) { - talloc_destroy(pipe_state->mem_ctx); + talloc_free(pipe_state->mem_ctx); dce_call->conn->private = NULL; } @@ -143,7 +143,7 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL pipe_state = talloc_p(pipe_mem_ctx, struct server_pipe_state); if (!pipe_state) { - talloc_destroy(pipe_mem_ctx); + talloc_free(pipe_mem_ctx); return NT_STATUS_NO_MEMORY; } -- cgit From 64df8e7e0b732afd26e944fc53bbbfbe174f88d8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 22 Sep 2004 12:17:51 +0000 Subject: r2515: Fixes from smbtorture - these session keys are not individually encrypted. Andrew Bartlett (This used to be commit 131420b45e88cb72090c9b28a53295edfa364cfe) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index b6182d31c6..1451e17464 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -604,8 +604,10 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, } /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ - if (memcmp(sam->key.key, zeros, - sizeof(sam->key.key)) != 0) { + /* It appears that level 6 is not individually encrypted */ + if ((r->in.validation_level != 6) + && memcmp(sam->key.key, zeros, + sizeof(sam->key.key)) != 0) { creds_arcfour_crypt(pipe_state->creds, sam->key.key, sizeof(sam->key.key)); @@ -619,8 +621,10 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, } /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ - if (memcmp(sam->LMSessKey.key, zeros, - sizeof(sam->LMSessKey.key)) != 0) { + /* It appears that level 6 is not individually encrypted */ + if ((r->in.validation_level != 6) + && memcmp(sam->LMSessKey.key, zeros, + sizeof(sam->LMSessKey.key)) != 0) { creds_arcfour_crypt(pipe_state->creds, sam->LMSessKey.key, sizeof(sam->LMSessKey.key)); -- cgit From 159f81ee32dbd7c832fb8c3723d0f0207d039078 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 25 Sep 2004 13:28:38 +0000 Subject: r2635: mem_ctx cleanups on the lsa and netlogon pipes in the rpc server (This used to be commit 1ee5ed4197f49f12372835f66160801f19ee35a6) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 38 +++++++-------------------- 1 file changed, 10 insertions(+), 28 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 1451e17464..fdd5ead660 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -24,7 +24,6 @@ #include "rpc_server/common/common.h" struct server_pipe_state { - TALLOC_CTX *mem_ctx; struct netr_Credential client_challenge; struct netr_Credential server_challenge; BOOL authenticated; @@ -44,34 +43,27 @@ static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) { struct server_pipe_state *state; NTSTATUS status; - TALLOC_CTX *mem_ctx; - mem_ctx = talloc_init("netlogon_bind"); - if (!mem_ctx) { - return NT_STATUS_NO_MEMORY; - } - state = talloc_p(mem_ctx, struct server_pipe_state); + state = talloc_p(dce_call->conn, struct server_pipe_state); if (state == NULL) { - talloc_free(mem_ctx); return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(state); - state->mem_ctx = mem_ctx; state->authenticated = True; if (dce_call->conn->auth_state.session_info == NULL) { - talloc_free(mem_ctx); + talloc_free(state); smb_panic("No session info provided by schannel level setup!"); return NT_STATUS_NO_USER_SESSION_KEY; } status = dcerpc_schannel_creds(dce_call->conn->auth_state.gensec_security, - mem_ctx, + state, &state->creds); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("getting schannel credentials failed with %s\n", nt_errstr(status))); - talloc_free(mem_ctx); + talloc_free(state); return status; } @@ -110,7 +102,7 @@ static void netlogon_unbind(struct dcesrv_connection *conn, const struct dcesrv_ struct server_pipe_state *pipe_state = conn->private; if (pipe_state) { - talloc_free(pipe_state->mem_ctx); + talloc_free(pipe_state); } conn->private = NULL; @@ -123,31 +115,21 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL struct netr_ServerReqChallenge *r) { struct server_pipe_state *pipe_state = dce_call->conn->private; - TALLOC_CTX *pipe_mem_ctx; ZERO_STRUCTP(r->out.credentials); /* destroyed on pipe shutdown */ if (pipe_state) { - talloc_free(pipe_state->mem_ctx); + talloc_free(pipe_state); dce_call->conn->private = NULL; } - pipe_mem_ctx = talloc_init("internal netlogon pipe state for %s", - r->in.computer_name); - - if (!pipe_mem_ctx) { - return NT_STATUS_NO_MEMORY; - } - - pipe_state = talloc_p(pipe_mem_ctx, struct server_pipe_state); + pipe_state = talloc_p(dce_call->conn, struct server_pipe_state); if (!pipe_state) { - talloc_free(pipe_mem_ctx); return NT_STATUS_NO_MEMORY; } - pipe_state->mem_ctx = pipe_mem_ctx; pipe_state->authenticated = False; pipe_state->creds = NULL; pipe_state->account_name = NULL; @@ -247,7 +229,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL } if (!pipe_state->creds) { - pipe_state->creds = talloc_p(pipe_state->mem_ctx, struct creds_CredentialState); + pipe_state->creds = talloc_p(pipe_state, struct creds_CredentialState); if (!pipe_state->creds) { return NT_STATUS_NO_MEMORY; } @@ -269,14 +251,14 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL talloc_free(pipe_state->account_name); } - pipe_state->account_name = talloc_strdup(pipe_state->mem_ctx, r->in.account_name); + pipe_state->account_name = talloc_strdup(pipe_state, r->in.account_name); if (pipe_state->computer_name) { /* We don't want a memory leak on this long-lived talloc context */ talloc_free(pipe_state->account_name); } - pipe_state->computer_name = talloc_strdup(pipe_state->mem_ctx, r->in.computer_name); + pipe_state->computer_name = talloc_strdup(pipe_state, r->in.computer_name); /* remember this session key state */ nt_status = schannel_store_session_key(mem_ctx, pipe_state->computer_name, pipe_state->creds); -- cgit From 9a62dce0ac2dd751c9cc3b9906eec8c4fe7c51b7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 26 Sep 2004 03:50:24 +0000 Subject: r2648: - use a destructor on struct server_connection to simplify the connection termination cleanup, and to ensure that the event contexts are properly removed for every process model - gave auth_context the new talloc treatment, which removes another source of memory leaks. (This used to be commit 230e1cd777b0fba82dffcbd656cfa23c155d0560) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index fdd5ead660..d35a8476df 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -498,7 +498,7 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, r->in.logon.password->ntpassword.hash, sizeof(r->in.logon.password->ntpassword.hash)); - nt_status = make_auth_context_subsystem(&auth_context); + nt_status = make_auth_context_subsystem(pipe_state, &auth_context); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } @@ -515,7 +515,8 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, case 2: case 6: - nt_status = make_auth_context_fixed(&auth_context, r->in.logon.network->challenge); + nt_status = make_auth_context_fixed(pipe_state, + &auth_context, r->in.logon.network->challenge); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } -- cgit From 5a064d4a62c35167d888356d01dfdb76f59bc6b1 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 26 Sep 2004 23:39:18 +0000 Subject: r2669: convert make_user_info() and associated functions from malloc to talloc (This used to be commit 278cef77f083c002d17ecbbe18c20825a380eda3) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index d35a8476df..11827d5625 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -504,7 +504,8 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, } chal = auth_context->get_ntlm_challenge(auth_context); - nt_status = make_user_info_netlogon_interactive(&user_info, + nt_status = make_user_info_netlogon_interactive(auth_context, + &user_info, r->in.logon.password->identity_info.account_name.string, r->in.logon.password->identity_info.domain_name.string, r->in.logon.password->identity_info.workstation.string, @@ -521,7 +522,8 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, return nt_status; } - nt_status = make_user_info_netlogon_network(&user_info, + nt_status = make_user_info_netlogon_network(auth_context, + &user_info, r->in.logon.network->identity_info.account_name.string, r->in.logon.network->identity_info.domain_name.string, r->in.logon.network->identity_info.workstation.string, -- cgit From 757215dc8b417765b74a824dd2744957274efd01 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 29 Oct 2004 09:57:31 +0000 Subject: r3364: Add parameter to fix the compile. Andrew Bartlett (This used to be commit effd10883b7b9d879a3e96801ef37992bc93bc97) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 11827d5625..bad0b36077 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -541,6 +541,7 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, nt_status = auth_context->check_ntlm_password(auth_context, user_info, + mem_ctx, &server_info); if (!NT_STATUS_IS_OK(nt_status)) { -- cgit From 90067934cd3195df80f8b1e614629d51fffcb38b Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 1 Nov 2004 10:30:34 +0000 Subject: r3428: switched to using minimal includes for the auto-generated RPC code. The thing that finally convinced me that minimal includes was worth pursuing for rpc was a compiler (tcc) that failed to build Samba due to reaching internal limits of the size of include files. Also the fact that includes.h.gch was 16MB, which really seems excessive. This patch brings it back to 12M, which is still too large, but better. Note that this patch speeds up compile times for both the pch and non-pch case. This change also includes the addition iof a "depends()" option in our IDL files, allowing you to specify that one IDL file depends on another. This capability was needed for the auto-includes generation. (This used to be commit b8f5fa8ac8e8725f3d321004f0aedf4246fc6b49) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index bad0b36077..61f0f58fba 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -21,6 +21,7 @@ */ #include "includes.h" +#include "librpc/gen_ndr/ndr_netlogon.h" #include "rpc_server/common/common.h" struct server_pipe_state { -- cgit From edbfc0f6e70150e321822365bf0eead2821551bd Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 2 Nov 2004 02:57:18 +0000 Subject: r3453: - split out the auth and popt includes - tidied up some of the system includes - moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl knows about inter-IDL dependencies (This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 61f0f58fba..e4afa3d45e 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -23,6 +23,8 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_netlogon.h" #include "rpc_server/common/common.h" +#include "librpc/gen_ndr/ndr_dcom.h" +#include "auth/auth.h" struct server_pipe_state { struct netr_Credential client_challenge; -- cgit From c051779a0a34a9c40a5425fb1eb821983b8dc852 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 2 Nov 2004 07:42:47 +0000 Subject: r3468: split out dcerpc_server.h (This used to be commit 729e0026e4408f74f140375537d4fe48c1fc3242) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index e4afa3d45e..5319705e32 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -22,6 +22,7 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_netlogon.h" +#include "rpc_server/dcerpc_server.h" #include "rpc_server/common/common.h" #include "librpc/gen_ndr/ndr_dcom.h" #include "auth/auth.h" -- cgit From 930f9090ba44aba8ead7fef895033bd58d4f14f9 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 7 Nov 2004 12:40:07 +0000 Subject: r3599: fixed a couple of memory errors in the rpc netlogon server (found with valgrind) (This used to be commit 151dd4593d30c703b70099cd240784134fdb4e0f) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 5319705e32..dcdcd7237c 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -548,11 +548,12 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, mem_ctx, &server_info); + /* keep the auth_context for the life of this call */ + talloc_steal(dce_call, auth_context); + if (!NT_STATUS_IS_OK(nt_status)) { - free_auth_context(&auth_context); return nt_status; } - free_auth_context(&auth_context); sam = talloc_p(mem_ctx, struct netr_SamBaseInfo); -- cgit From 8a18778286a16423d7d6e483fdb308a91e294efe Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 16 Nov 2004 09:00:52 +0000 Subject: r3783: - don't use make proto for ldb anymore - split ldh.h out of samba's includes.h - make ldb_context and ldb_module private to the subsystem - use ltdb_ prefix for all ldb_tdb functions metze (This used to be commit f5ee40d6ce8224e280070975efc9911558fe675c) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index dcdcd7237c..c4a4208667 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -26,6 +26,7 @@ #include "rpc_server/common/common.h" #include "librpc/gen_ndr/ndr_dcom.h" #include "auth/auth.h" +#include "lib/ldb/include/ldb.h" struct server_pipe_state { struct netr_Credential client_challenge; -- cgit From e94c88cedc97cb59ff6c73c5bf82d343925a0fa9 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 22 Nov 2004 17:14:57 +0000 Subject: r3914: add idl, torture test and simple server for netr_DrsGetDCNameEx2() metze (This used to be commit 1ffabbaa667c7dec6657ec523f92f072a2a47a95) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 45 ++++++++++++++++++++++++--- 1 file changed, 41 insertions(+), 4 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index c4a4208667..00e27c75a8 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -1045,12 +1045,49 @@ static WERROR netr_DSRADDRESSTOSITENAMESW(struct dcesrv_call_state *dce_call, TA /* - netr_DSRGETDCNAMEEX2 + netr_DrsGetDCNameEx2 */ -static WERROR netr_DSRGETDCNAMEEX2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_DSRGETDCNAMEEX2 *r) +static WERROR netr_DrsGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DrsGetDCNameEx2 *r) { - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); + const char * const attrs[] = { "dnsDomain", "objectGUID", NULL }; + void *sam_ctx; + struct ldb_message **res; + int ret; + + ZERO_STRUCT(r->out); + + sam_ctx = samdb_connect(mem_ctx); + if (sam_ctx == NULL) { + return WERR_DS_SERVICE_UNAVAILABLE; + } + + ret = samdb_search(sam_ctx, mem_ctx, NULL, &res, attrs, + "(&(objectClass=domainDNS)(dnsDomain=%s))", + r->in.domain_name); + if (ret != 1) { + return WERR_NO_SUCH_DOMAIN; + } + + r->out.info = talloc_p(mem_ctx, struct netr_DrsGetDCNameEx2Info); + if (!r->out.info) { + return WERR_NOMEM; + } + + /* TODO: - return real IP address + * - check all r->in.* parameters (server_unc is ignored by w2k3!) + */ + r->out.info->dc_unc = talloc_asprintf(mem_ctx, "\\\\%s.%s", lp_netbios_name(),lp_realm()); + r->out.info->dc_address = talloc_strdup(mem_ctx, "\\\\0.0.0.0"); + r->out.info->dc_address_type = 1; + r->out.info->domain_guid = samdb_result_guid(res[0], "objectGUID"); + r->out.info->domain_name = samdb_result_string(res[0], "dnsDomain", NULL); + r->out.info->forest_name = samdb_result_string(res[0], "dnsDomain", NULL); + r->out.info->dc_flags = 0xE00001FD; + r->out.info->dc_site_name = talloc_strdup(mem_ctx, "Default-First-Site-Name"); + r->out.info->client_site_name = talloc_strdup(mem_ctx, "Default-First-Site-Name"); + + return WERR_OK; } -- cgit From 21ebf8b942417be1f9a0e87b0807f3f5e44fa863 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 23 Nov 2004 12:34:11 +0000 Subject: r3922: Add yet another NETLOGON RPC. This is another varient of SamLogon, that works only on SCHANNEL secured connections (as it needs the implicit credentials). Fix some of the IDL. Andrew Bartlett (This used to be commit 90cd7b34cc18e758e939e0183281b7a517d728f0) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 00e27c75a8..0720e317c5 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -1132,10 +1132,10 @@ static WERROR netr_DSRGETDCSITECOVERAGEW(struct dcesrv_call_state *dce_call, TAL /* - netr_NETRLOGONSAMLOGONEX + netr_LogonSamLogonEx */ -static WERROR netr_NETRLOGONSAMLOGONEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_NETRLOGONSAMLOGONEX *r) +static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonSamLogonEx *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } -- cgit From b71458c742f355eebe6ed38e4394fb06ea81f210 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 2 Dec 2004 11:40:18 +0000 Subject: r4041: fix cut-n-paste typo metze (This used to be commit 54398aa889b5954c7c387b252dd1a9173eac36f0) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 0720e317c5..c46f240630 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -260,7 +260,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL if (pipe_state->computer_name) { /* We don't want a memory leak on this long-lived talloc context */ - talloc_free(pipe_state->account_name); + talloc_free(pipe_state->computer_name); } pipe_state->computer_name = talloc_strdup(pipe_state, r->in.computer_name); -- cgit From 6fbf487ec0c69d4e8c38768484e526025da03ca4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 21 Dec 2004 11:52:53 +0000 Subject: r4321: objectClass trustedDomain uses "securityIdentifier" for the sid also explicit tell the fill_info code what kind of object the current result is. metze (This used to be commit 6d74d31e50cd8f9d37fca53ef32bd50952a3a759) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index c46f240630..422aa626ed 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -901,24 +901,25 @@ static WERROR netr_DSRGETSITENAME(struct dcesrv_call_state *dce_call, TALLOC_CTX fill in a netr_DomainTrustInfo from a ldb search result */ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message *res, - struct netr_DomainTrustInfo *info) + struct netr_DomainTrustInfo *info, BOOL is_local) { ZERO_STRUCTP(info); - - info->domainname.string = samdb_result_string(res, "flatName", NULL); - if (info->domainname.string == NULL) { + + if (is_local) { info->domainname.string = samdb_result_string(res, "name", NULL); info->fulldomainname.string = samdb_result_string(res, "dnsDomain", NULL); + info->guid = samdb_result_guid(res, "objectGUID"); + info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid"); } else { + info->domainname.string = samdb_result_string(res, "flatName", NULL); info->fulldomainname.string = samdb_result_string(res, "name", NULL); + info->guid = samdb_result_guid(res, "objectGUID"); + info->sid = samdb_result_dom_sid(mem_ctx, res, "securityIdentifier"); } /* TODO: we need proper forest support */ info->forest.string = info->fulldomainname.string; - info->guid = samdb_result_guid(res, "objectGUID"); - info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid"); - return NT_STATUS_OK; } @@ -931,7 +932,8 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL { struct server_pipe_state *pipe_state = dce_call->conn->private; const char * const attrs[] = { "name", "dnsDomain", "objectSid", - "objectGUID", "flatName", NULL }; + "objectGUID", "flatName", "securityIdentifier", + NULL }; void *sam_ctx; struct ldb_message **res1, **res2; struct netr_DomainInfo1 *info1; @@ -981,18 +983,18 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_NO_MEMORY; } - status = fill_domain_trust_info(mem_ctx, res1[0], &info1->domaininfo); + status = fill_domain_trust_info(mem_ctx, res1[0], &info1->domaininfo, True); if (!NT_STATUS_IS_OK(status)) { return status; } - status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[0]); + status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[0], True); if (!NT_STATUS_IS_OK(status)) { return status; } for (i=0;itrusts[i+1]); + status = fill_domain_trust_info(mem_ctx, res2[i], &info1->trusts[i+1], False); if (!NT_STATUS_IS_OK(status)) { return status; } -- cgit From 8eb981c90a6094b15d4b71cc14fee4f23c713cf8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 3 Jan 2005 06:23:02 +0000 Subject: r4499: Almost make our Samba4 server pass the RPC-SAMLOGON torture test. I just need to fix a couple of NTLMv2 issues before we can fully pass, and put this in test_rpc.sh, as a 'should pass' test. Andrew Bartlett (This used to be commit 4b52409e385366d87724bb79f4fad4803e8ecfec) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 140 +++++++++++++++----------- 1 file changed, 84 insertions(+), 56 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 422aa626ed..167c4e8ceb 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -317,12 +317,17 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL } -static BOOL netr_creds_server_step_check(struct server_pipe_state *pipe_state, - struct netr_Authenticator *received_authenticator, - struct netr_Authenticator *return_authenticator) +static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_state, + struct netr_Authenticator *received_authenticator, + struct netr_Authenticator *return_authenticator) { + if (!pipe_state) { + DEBUG(1, ("No challenge requested by client, cannot authenticate\n")); + return NT_STATUS_ACCESS_DENIED; + } + if (!pipe_state->authenticated) { - return False; + return NT_STATUS_ACCESS_DENIED; } return creds_server_step_check(pipe_state->creds, received_authenticator, @@ -351,13 +356,9 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO const char **domain_attrs = attrs; ZERO_STRUCT(mod); - if (!pipe_state) { - DEBUG(1, ("No challenge requested by client, cannot authenticate\n")); - return NT_STATUS_ACCESS_DENIED; - } - - if (!netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator)) { - return NT_STATUS_ACCESS_DENIED; + nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator); + if (NT_STATUS_IS_OK(nt_status)) { + return nt_status; } sam_ctx = samdb_connect(mem_ctx); @@ -461,9 +462,10 @@ static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX /* netr_LogonSamLogonWithFlags + This version of the function allows other wrappers to say 'do not check the credentials' */ -static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_LogonSamLogonWithFlags *r) +static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonSamLogonEx *r) { struct server_pipe_state *pipe_state = dce_call->conn->private; @@ -478,30 +480,21 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, struct netr_SamInfo3 *sam3; struct netr_SamInfo6 *sam6; - if (!pipe_state) { - DEBUG(1, ("No challenge requested by client, cannot authenticate\n")); - return NT_STATUS_ACCESS_DENIED; - } - - r->out.return_authenticator = talloc_p(mem_ctx, struct netr_Authenticator); - if (!r->out.return_authenticator) { - return NT_STATUS_NO_MEMORY; - } - - if (!netr_creds_server_step_check(pipe_state, r->in.credential, r->out.return_authenticator)) { - return NT_STATUS_ACCESS_DENIED; - } - switch (r->in.logon_level) { case 1: case 3: case 5: - creds_arcfour_crypt(pipe_state->creds, - r->in.logon.password->lmpassword.hash, - sizeof(r->in.logon.password->lmpassword.hash)); - creds_arcfour_crypt(pipe_state->creds, - r->in.logon.password->ntpassword.hash, - sizeof(r->in.logon.password->ntpassword.hash)); + if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + creds_arcfour_crypt(pipe_state->creds, + r->in.logon.password->lmpassword.hash, + sizeof(r->in.logon.password->lmpassword.hash)); + creds_arcfour_crypt(pipe_state->creds, + r->in.logon.password->ntpassword.hash, + sizeof(r->in.logon.password->ntpassword.hash)); + } else { + creds_des_decrypt(pipe_state->creds, &r->in.logon.password->lmpassword); + creds_des_decrypt(pipe_state->creds, &r->in.logon.password->ntpassword); + } nt_status = make_auth_context_subsystem(pipe_state, &auth_context); if (!NT_STATUS_IS_OK(nt_status)) { @@ -600,9 +593,13 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, if ((r->in.validation_level != 6) && memcmp(sam->key.key, zeros, sizeof(sam->key.key)) != 0) { - creds_arcfour_crypt(pipe_state->creds, - sam->key.key, - sizeof(sam->key.key)); + + /* This key is sent unencrypted without the ARCFOUR flag set */ + if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + creds_arcfour_crypt(pipe_state->creds, + sam->key.key, + sizeof(sam->key.key)); + } } if (server_info->lm_session_key.length == sizeof(sam->LMSessKey.key)) { @@ -617,9 +614,14 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, if ((r->in.validation_level != 6) && memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) { - creds_arcfour_crypt(pipe_state->creds, - sam->LMSessKey.key, - sizeof(sam->LMSessKey.key)); + if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + creds_arcfour_crypt(pipe_state->creds, + sam->LMSessKey.key, + sizeof(sam->LMSessKey.key)); + } else { + creds_des_encrypt_LMKey(pipe_state->creds, + &sam->LMSessKey); + } } switch (r->in.validation_level) { @@ -656,6 +658,45 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, return NT_STATUS_OK; } +/* + netr_LogonSamLogonWithFlags + +*/ +static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonSamLogonWithFlags *r) +{ + NTSTATUS nt_status; + struct netr_LogonSamLogonEx r2; + + struct server_pipe_state *pipe_state = dce_call->conn->private; + + r->out.return_authenticator = talloc_p(mem_ctx, struct netr_Authenticator); + if (!r->out.return_authenticator) { + return NT_STATUS_NO_MEMORY; + } + + nt_status = netr_creds_server_step_check(pipe_state, r->in.credential, r->out.return_authenticator); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + ZERO_STRUCT(r2); + + r2.in.server_name = r->in.server_name; + r2.in.workstation = r->in.workstation; + r2.in.logon_level = r->in.logon_level; + r2.in.logon = r->in.logon; + r2.in.validation_level = r->in.validation_level; + r2.in.flags = r->in.flags; + + nt_status = netr_LogonSamLogonEx(dce_call, mem_ctx, &r2); + + r->out.validation = r2.out.validation; + r->out.authoritative = r2.out.authoritative; + + return nt_status; +} + /* netr_LogonSamLogon */ @@ -940,13 +981,10 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL int ret1, ret2, i; NTSTATUS status; - if (!pipe_state) { - return NT_STATUS_ACCESS_DENIED; - } - - if (!netr_creds_server_step_check(pipe_state, - r->in.credential, r->out.credential)) { - return NT_STATUS_ACCESS_DENIED; + status = netr_creds_server_step_check(pipe_state, + r->in.credential, r->out.credential); + if (!NT_STATUS_IS_OK(status)) { + return status; } sam_ctx = samdb_connect(mem_ctx); @@ -1133,16 +1171,6 @@ static WERROR netr_DSRGETDCSITECOVERAGEW(struct dcesrv_call_state *dce_call, TAL } -/* - netr_LogonSamLogonEx -*/ -static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_LogonSamLogonEx *r) -{ - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); -} - - /* netr_DsrEnumerateDomainTrusts */ -- cgit From 46a32687da249174a666d9166fccbe705c8beba0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sun, 9 Jan 2005 12:55:25 +0000 Subject: r4620: - add interface functions to the auth subsystem so that callers doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 89 ++++++++++++--------------- 1 file changed, 41 insertions(+), 48 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 167c4e8ceb..0733a467f7 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -4,6 +4,7 @@ endpoint server for the netlogon pipe Copyright (C) Andrew Bartlett 2004 + Copyright (C) Stefan Metzmacher 2005 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -496,90 +497,79 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ creds_des_decrypt(pipe_state->creds, &r->in.logon.password->ntpassword); } - nt_status = make_auth_context_subsystem(pipe_state, &auth_context); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } + /* TODO: we need to deny anonymous access here */ + nt_status = auth_context_create(mem_ctx, lp_auth_methods(), &auth_context); + NT_STATUS_NOT_OK_RETURN(nt_status); + + nt_status = auth_get_challenge(auth_context, &chal); + NT_STATUS_NOT_OK_RETURN(nt_status); - chal = auth_context->get_ntlm_challenge(auth_context); - nt_status = make_user_info_netlogon_interactive(auth_context, - &user_info, + nt_status = make_user_info_netlogon_interactive(mem_ctx, r->in.logon.password->identity_info.account_name.string, r->in.logon.password->identity_info.domain_name.string, r->in.logon.password->identity_info.workstation.string, chal, &r->in.logon.password->lmpassword, - &r->in.logon.password->ntpassword); - break; - + &r->in.logon.password->ntpassword, + &user_info); + NT_STATUS_NOT_OK_RETURN(nt_status); + break; case 2: case 6: - nt_status = make_auth_context_fixed(pipe_state, - &auth_context, r->in.logon.network->challenge); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } + /* TODO: we need to deny anonymous access here */ + nt_status = auth_context_create(mem_ctx, lp_auth_methods(), &auth_context); + NT_STATUS_NOT_OK_RETURN(nt_status); + + nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags"); + NT_STATUS_NOT_OK_RETURN(nt_status); nt_status = make_user_info_netlogon_network(auth_context, - &user_info, r->in.logon.network->identity_info.account_name.string, r->in.logon.network->identity_info.domain_name.string, r->in.logon.network->identity_info.workstation.string, r->in.logon.network->lm.data, r->in.logon.network->lm.length, - r->in.logon.network->nt.data, r->in.logon.network->nt.length); + r->in.logon.network->nt.data, r->in.logon.network->nt.length, + &user_info); + NT_STATUS_NOT_OK_RETURN(nt_status); break; default: - free_auth_context(&auth_context); return NT_STATUS_INVALID_PARAMETER; } - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } - - nt_status = auth_context->check_ntlm_password(auth_context, - user_info, - mem_ctx, - &server_info); - - /* keep the auth_context for the life of this call */ - talloc_steal(dce_call, auth_context); - - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } + nt_status = auth_check_password(auth_context, mem_ctx, user_info, &server_info); + NT_STATUS_NOT_OK_RETURN(nt_status); sam = talloc_p(mem_ctx, struct netr_SamBaseInfo); + NT_STATUS_HAVE_NO_MEMORY(sam); - ZERO_STRUCTP(sam); - sam->last_logon = server_info->last_logon; sam->last_logoff = server_info->last_logoff; sam->acct_expiry = server_info->acct_expiry; sam->last_password_change = server_info->last_password_change; sam->allow_password_change = server_info->allow_password_change; sam->force_password_change = server_info->force_password_change; - - sam->account_name.string = talloc_strdup(mem_ctx, server_info->account_name); - sam->full_name.string = talloc_strdup(mem_ctx, server_info->full_name); - sam->logon_script.string = talloc_strdup(mem_ctx, server_info->logon_script); - sam->profile_path.string = talloc_strdup(mem_ctx, server_info->profile_path); - sam->home_directory.string = talloc_strdup(mem_ctx, server_info->home_directory); - sam->home_drive.string = talloc_strdup(mem_ctx, server_info->home_drive); - + + sam->account_name.string = server_info->account_name; + sam->full_name.string = server_info->full_name; + sam->logon_script.string = server_info->logon_script; + sam->profile_path.string = server_info->profile_path; + sam->home_directory.string = server_info->home_directory; + sam->home_drive.string = server_info->home_drive; + sam->logon_count = server_info->logon_count; sam->bad_password_count = sam->bad_password_count; - sam->rid = server_info->user_sid->sub_auths[server_info->user_sid->num_auths-1]; + sam->rid = server_info->account_sid->sub_auths[server_info->account_sid->num_auths-1]; sam->primary_gid = server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1]; sam->group_count = 0; sam->groupids = NULL; sam->user_flags = 0; /* TODO: w2k3 uses 0x120 - what is this? */ sam->acct_flags = server_info->acct_flags; sam->logon_server.string = lp_netbios_name(); - - sam->domain.string = talloc_strdup(mem_ctx, server_info->domain); - - sam->domain_sid = dom_sid_dup(mem_ctx, server_info->user_sid); + + sam->domain.string = server_info->domain_name; + + sam->domain_sid = dom_sid_dup(mem_ctx, server_info->account_sid); + NT_STATUS_HAVE_NO_MEMORY(sam->domain_sid); sam->domain_sid->num_auths--; if (server_info->user_session_key.length == sizeof(sam->key.key)) { @@ -627,6 +617,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ switch (r->in.validation_level) { case 2: sam2 = talloc_p(mem_ctx, struct netr_SamInfo2); + NT_STATUS_HAVE_NO_MEMORY(sam2); ZERO_STRUCTP(sam2); sam2->base = *sam; r->out.validation.sam2 = sam2; @@ -634,6 +625,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ case 3: sam3 = talloc_p(mem_ctx, struct netr_SamInfo3); + NT_STATUS_HAVE_NO_MEMORY(sam3); ZERO_STRUCTP(sam3); sam3->base = *sam; r->out.validation.sam3 = sam3; @@ -641,6 +633,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ case 6: sam6 = talloc_p(mem_ctx, struct netr_SamInfo6); + NT_STATUS_HAVE_NO_MEMORY(sam6); ZERO_STRUCTP(sam6); sam6->base = *sam; sam6->forest.string = lp_realm(); -- cgit From 3136462ea9d2b97e5385386e2c37b1ac403db6ca Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 10 Jan 2005 12:14:26 +0000 Subject: r4639: initialize all struct members! tridge: sorry for making you such a pain... could you check if that fixes your bugs metze (This used to be commit c215372eb0916df1e532b77c8365f401a8c32a38) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 0733a467f7..259f43895b 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -563,21 +563,21 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ sam->group_count = 0; sam->groupids = NULL; sam->user_flags = 0; /* TODO: w2k3 uses 0x120 - what is this? */ - sam->acct_flags = server_info->acct_flags; + sam->acct_flags = server_info->acct_flags; sam->logon_server.string = lp_netbios_name(); - sam->domain.string = server_info->domain_name; sam->domain_sid = dom_sid_dup(mem_ctx, server_info->account_sid); NT_STATUS_HAVE_NO_MEMORY(sam->domain_sid); sam->domain_sid->num_auths--; + ZERO_ARRAY(sam->unknown); + + ZERO_STRUCT(sam->key); if (server_info->user_session_key.length == sizeof(sam->key.key)) { memcpy(sam->key.key, server_info->user_session_key.data, sizeof(sam->key.key)); - } else { - ZERO_STRUCT(sam->key.key); } - + /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ /* It appears that level 6 is not individually encrypted */ if ((r->in.validation_level != 6) @@ -591,12 +591,11 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ sizeof(sam->key.key)); } } - + + ZERO_STRUCT(sam->LMSessKey); if (server_info->lm_session_key.length == sizeof(sam->LMSessKey.key)) { memcpy(sam->LMSessKey.key, server_info->lm_session_key.data, sizeof(sam->LMSessKey.key)); - } else { - ZERO_STRUCT(sam->LMSessKey.key); } /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ -- cgit From 577218b2aded7adb367f3f33bcc5560f3d4c0ec2 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 10 Jan 2005 12:15:26 +0000 Subject: r4640: first stage in the server side support for multiple context_ids on one pipe this stage does the following: - simplifies the dcerpc_handle handling, and all the callers of it - split out the context_id depenent state into a linked list of established contexts - fixed some talloc handling in several rpc servers that i noticed while doing the above (This used to be commit fde042b3fc609c94e2c7eedcdd72ecdf489cf63b) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 36 ++++++++++++--------------- 1 file changed, 16 insertions(+), 20 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 259f43895b..afb066f4ee 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -73,7 +73,7 @@ static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) return status; } - dce_call->conn->private = state; + dce_call->context->private = state; return NT_STATUS_OK; } @@ -83,7 +83,7 @@ static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) */ static NTSTATUS netlogon_bind(struct dcesrv_call_state *dce_call, const struct dcesrv_interface *di) { - dce_call->conn->private = NULL; + dce_call->context->private = NULL; /* if this is a schannel bind then we need to reconstruct the pipe state */ if (dce_call->conn->auth_state.auth_info && @@ -103,15 +103,11 @@ static NTSTATUS netlogon_bind(struct dcesrv_call_state *dce_call, const struct d } /* this function is called when the client disconnects the endpoint */ -static void netlogon_unbind(struct dcesrv_connection *conn, const struct dcesrv_interface *di) +static void netlogon_unbind(struct dcesrv_connection_context *context, const struct dcesrv_interface *di) { - struct server_pipe_state *pipe_state = conn->private; - - if (pipe_state) { - talloc_free(pipe_state); - } - - conn->private = NULL; + struct server_pipe_state *pipe_state = context->private; + talloc_free(pipe_state); + context->private = NULL; } #define DCESRV_INTERFACE_NETLOGON_BIND netlogon_bind @@ -120,7 +116,7 @@ static void netlogon_unbind(struct dcesrv_connection *conn, const struct dcesrv_ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerReqChallenge *r) { - struct server_pipe_state *pipe_state = dce_call->conn->private; + struct server_pipe_state *pipe_state = dce_call->context->private; ZERO_STRUCTP(r->out.credentials); @@ -128,10 +124,10 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL if (pipe_state) { talloc_free(pipe_state); - dce_call->conn->private = NULL; + dce_call->context->private = NULL; } - pipe_state = talloc_p(dce_call->conn, struct server_pipe_state); + pipe_state = talloc_p(dce_call->context, struct server_pipe_state); if (!pipe_state) { return NT_STATUS_NO_MEMORY; } @@ -148,7 +144,7 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL *r->out.credentials = pipe_state->server_challenge; - dce_call->conn->private = pipe_state; + dce_call->context->private = pipe_state; return NT_STATUS_OK; } @@ -156,7 +152,7 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerAuthenticate3 *r) { - struct server_pipe_state *pipe_state = dce_call->conn->private; + struct server_pipe_state *pipe_state = dce_call->context->private; void *sam_ctx; struct samr_Password *mach_pwd; uint16_t acct_flags; @@ -339,7 +335,7 @@ static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_stat static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerPasswordSet *r) { - struct server_pipe_state *pipe_state = dce_call->conn->private; + struct server_pipe_state *pipe_state = dce_call->context->private; void *sam_ctx; int num_records; @@ -468,7 +464,7 @@ static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonSamLogonEx *r) { - struct server_pipe_state *pipe_state = dce_call->conn->private; + struct server_pipe_state *pipe_state = dce_call->context->private; struct auth_context *auth_context; struct auth_usersupplied_info *user_info; @@ -539,7 +535,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ nt_status = auth_check_password(auth_context, mem_ctx, user_info, &server_info); NT_STATUS_NOT_OK_RETURN(nt_status); - sam = talloc_p(mem_ctx, struct netr_SamBaseInfo); + sam = talloc_zero(mem_ctx, struct netr_SamBaseInfo); NT_STATUS_HAVE_NO_MEMORY(sam); sam->last_logon = server_info->last_logon; @@ -660,7 +656,7 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, NTSTATUS nt_status; struct netr_LogonSamLogonEx r2; - struct server_pipe_state *pipe_state = dce_call->conn->private; + struct server_pipe_state *pipe_state = dce_call->context->private; r->out.return_authenticator = talloc_p(mem_ctx, struct netr_Authenticator); if (!r->out.return_authenticator) { @@ -963,7 +959,7 @@ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message * static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonGetDomainInfo *r) { - struct server_pipe_state *pipe_state = dce_call->conn->private; + struct server_pipe_state *pipe_state = dce_call->context->private; const char * const attrs[] = { "name", "dnsDomain", "objectSid", "objectGUID", "flatName", "securityIdentifier", NULL }; -- cgit From e8c06b9221d9818042ea8a08efccfc88f17a9e3e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 10 Jan 2005 12:30:13 +0000 Subject: r4641: Push a few more details into the schannel ldb, and into the credentials struct it maintains. Clearly much of this will be replaced with some system to pass and store the session_info, as that is the 'right way' to handle this. Andrew Bartlett (This used to be commit c6fcb33a887fbf0c0b42c3bc331df942a985128c) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 62 ++++++++------------------- 1 file changed, 18 insertions(+), 44 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index afb066f4ee..ab67a2595e 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -32,11 +32,6 @@ struct server_pipe_state { struct netr_Credential client_challenge; struct netr_Credential server_challenge; - BOOL authenticated; - char *account_name; - char *computer_name; /* for logging only */ - uint32_t acct_flags; - uint16_t sec_chan_type; struct creds_CredentialState *creds; }; @@ -55,7 +50,6 @@ static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(state); - state->authenticated = True; if (dce_call->conn->auth_state.session_info == NULL) { talloc_free(state); @@ -102,16 +96,7 @@ static NTSTATUS netlogon_bind(struct dcesrv_call_state *dce_call, const struct d return NT_STATUS_OK; } -/* this function is called when the client disconnects the endpoint */ -static void netlogon_unbind(struct dcesrv_connection_context *context, const struct dcesrv_interface *di) -{ - struct server_pipe_state *pipe_state = context->private; - talloc_free(pipe_state); - context->private = NULL; -} - #define DCESRV_INTERFACE_NETLOGON_BIND netlogon_bind -#define DCESRV_INTERFACE_NETLOGON_UNBIND netlogon_unbind static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerReqChallenge *r) @@ -132,10 +117,7 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_NO_MEMORY; } - pipe_state->authenticated = False; pipe_state->creds = NULL; - pipe_state->account_name = NULL; - pipe_state->computer_name = NULL; pipe_state->client_challenge = *r->in.credentials; @@ -220,8 +202,6 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL return NT_STATUS_ACCESS_DENIED; } - pipe_state->acct_flags = acct_flags; - pipe_state->sec_chan_type = r->in.secure_channel_type; *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0], "objectSid", 0); @@ -230,11 +210,12 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL return NT_STATUS_ACCESS_DENIED; } + if (pipe_state->creds) { + talloc_free(pipe_state->creds); + } + pipe_state->creds = talloc_p(pipe_state, struct creds_CredentialState); if (!pipe_state->creds) { - pipe_state->creds = talloc_p(pipe_state, struct creds_CredentialState); - if (!pipe_state->creds) { - return NT_STATUS_NO_MEMORY; - } + return NT_STATUS_NO_MEMORY; } creds_server_init(pipe_state->creds, &pipe_state->client_challenge, @@ -243,27 +224,19 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL *r->in.negotiate_flags); if (!creds_server_check(pipe_state->creds, r->in.credentials)) { + talloc_free(pipe_state->creds); + pipe_state->creds = NULL; return NT_STATUS_ACCESS_DENIED; } - pipe_state->authenticated = True; - - if (pipe_state->account_name) { - /* We don't want a memory leak on this long-lived talloc context */ - talloc_free(pipe_state->account_name); - } - - pipe_state->account_name = talloc_strdup(pipe_state, r->in.account_name); + pipe_state->creds->account_name = talloc_reference(pipe_state->creds, r->in.account_name); - if (pipe_state->computer_name) { - /* We don't want a memory leak on this long-lived talloc context */ - talloc_free(pipe_state->computer_name); - } + pipe_state->creds->computer_name = talloc_reference(pipe_state->creds, r->in.computer_name); - pipe_state->computer_name = talloc_strdup(pipe_state, r->in.computer_name); + pipe_state->creds->secure_channel_type = r->in.secure_channel_type; /* remember this session key state */ - nt_status = schannel_store_session_key(mem_ctx, pipe_state->computer_name, pipe_state->creds); + nt_status = schannel_store_session_key(mem_ctx, pipe_state->creds); return nt_status; } @@ -323,9 +296,6 @@ static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_stat return NT_STATUS_ACCESS_DENIED; } - if (!pipe_state->authenticated) { - return NT_STATUS_ACCESS_DENIED; - } return creds_server_step_check(pipe_state->creds, received_authenticator, return_authenticator); @@ -365,17 +335,17 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO /* pull the user attributes */ num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, "(&(sAMAccountName=%s)(objectclass=user))", - pipe_state->account_name); + pipe_state->creds->account_name); if (num_records == 0) { DEBUG(3,("Couldn't find user [%s] in samdb.\n", - pipe_state->account_name)); + pipe_state->creds->account_name)); return NT_STATUS_NO_SUCH_USER; } if (num_records > 1) { DEBUG(0,("Found %d records matching user [%s]\n", num_records, - pipe_state->account_name)); + pipe_state->creds->account_name)); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -643,6 +613,9 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ r->out.authoritative = 1; + /* TODO: Describe and deal with these flags */ + r->out.flags = 0; + return NT_STATUS_OK; } @@ -681,6 +654,7 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, r->out.validation = r2.out.validation; r->out.authoritative = r2.out.authoritative; + r->out.flags = r2.out.flags; return nt_status; } -- cgit From 0457324cc8ee3eb1a8c4d2067db3c7e7934e8702 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 10 Jan 2005 15:56:37 +0000 Subject: r4647: - use talloc_zero() instead of ZERO_STRUCTP() - fix uninitialized memory bug found by valgrind metze (This used to be commit 1118a1b1bb09c9a369bb9600fbe8ad3523b7e36f) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 43 +++++++++++++-------------- 1 file changed, 20 insertions(+), 23 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index ab67a2595e..c3ca59a041 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -581,29 +581,27 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ switch (r->in.validation_level) { case 2: - sam2 = talloc_p(mem_ctx, struct netr_SamInfo2); + sam2 = talloc_zero(mem_ctx, struct netr_SamInfo2); NT_STATUS_HAVE_NO_MEMORY(sam2); - ZERO_STRUCTP(sam2); sam2->base = *sam; r->out.validation.sam2 = sam2; break; case 3: - sam3 = talloc_p(mem_ctx, struct netr_SamInfo3); + sam3 = talloc_zero(mem_ctx, struct netr_SamInfo3); NT_STATUS_HAVE_NO_MEMORY(sam3); - ZERO_STRUCTP(sam3); sam3->base = *sam; r->out.validation.sam3 = sam3; break; case 6: - sam6 = talloc_p(mem_ctx, struct netr_SamInfo6); + sam6 = talloc_zero(mem_ctx, struct netr_SamInfo6); NT_STATUS_HAVE_NO_MEMORY(sam6); - ZERO_STRUCTP(sam6); sam6->base = *sam; sam6->forest.string = lp_realm(); sam6->principle.string = talloc_asprintf(mem_ctx, "%s@%s", sam->account_name.string, sam6->forest.string); + NT_STATUS_HAVE_NO_MEMORY(sam6->principle.string); r->out.validation.sam6 = sam6; break; @@ -626,34 +624,33 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonSamLogonWithFlags *r) { + struct server_pipe_state *pipe_state = dce_call->context->private; NTSTATUS nt_status; struct netr_LogonSamLogonEx r2; - struct server_pipe_state *pipe_state = dce_call->context->private; + struct netr_Authenticator *return_authenticator; - r->out.return_authenticator = talloc_p(mem_ctx, struct netr_Authenticator); - if (!r->out.return_authenticator) { - return NT_STATUS_NO_MEMORY; - } + return_authenticator = talloc(mem_ctx, struct netr_Authenticator); + NT_STATUS_HAVE_NO_MEMORY(return_authenticator); - nt_status = netr_creds_server_step_check(pipe_state, r->in.credential, r->out.return_authenticator); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } + nt_status = netr_creds_server_step_check(pipe_state, r->in.credential, return_authenticator); + NT_STATUS_NOT_OK_RETURN(nt_status); ZERO_STRUCT(r2); - r2.in.server_name = r->in.server_name; - r2.in.workstation = r->in.workstation; - r2.in.logon_level = r->in.logon_level; - r2.in.logon = r->in.logon; - r2.in.validation_level = r->in.validation_level; - r2.in.flags = r->in.flags; + r2.in.server_name = r->in.server_name; + r2.in.workstation = r->in.workstation; + r2.in.logon_level = r->in.logon_level; + r2.in.logon = r->in.logon; + r2.in.validation_level = r->in.validation_level; + r2.in.flags = r->in.flags; nt_status = netr_LogonSamLogonEx(dce_call, mem_ctx, &r2); - r->out.validation = r2.out.validation; - r->out.authoritative = r2.out.authoritative; + r->out.return_authenticator = return_authenticator; + r->out.validation = r2.out.validation; + r->out.authoritative = r2.out.authoritative; + r->out.flags = r2.out.flags; r->out.flags = r2.out.flags; return nt_status; -- cgit From a070551e7aece72cba7b801c05107f739b17301c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 10 Jan 2005 16:12:41 +0000 Subject: r4648: fix netr_ServerPasswordSet() bugs metze (This used to be commit 7feface9b77f2be4f592d04a6131348af761a8e8) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 40 ++++++++++++--------------- 1 file changed, 18 insertions(+), 22 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index c3ca59a041..731905e2a6 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -314,19 +314,15 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO struct ldb_message **msgs; struct ldb_message **msgs_domain; NTSTATUS nt_status; - struct ldb_message mod, *msg_set_pw = &mod; - const char *domain_dn; + struct ldb_message *mod; const char *domain_sid; const char *attrs[] = {"objectSid", NULL }; const char **domain_attrs = attrs; - ZERO_STRUCT(mod); nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator); - if (NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } + NT_STATUS_NOT_OK_RETURN(nt_status); sam_ctx = samdb_connect(mem_ctx); if (sam_ctx == NULL) { @@ -336,6 +332,9 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, "(&(sAMAccountName=%s)(objectclass=user))", pipe_state->creds->account_name); + if (num_records == -1) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } if (num_records == 0) { DEBUG(3,("Couldn't find user [%s] in samdb.\n", @@ -360,6 +359,9 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO &msgs_domain, domain_attrs, "(&(objectSid=%s)(objectclass=domain))", domain_sid); + if (num_records_domain == -1) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } if (num_records_domain == 0) { DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n", @@ -373,30 +375,25 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO return NT_STATUS_INTERNAL_DB_CORRUPTION; } - domain_dn = msgs_domain[0]->dn; - - mod.dn = talloc_strdup(mem_ctx, msgs[0]->dn); - if (!mod.dn) { - return NT_STATUS_NO_MEMORY; - } - + mod = talloc_zero(mem_ctx, struct ldb_message); + NT_STATUS_HAVE_NO_MEMORY(mod); + mod->dn = talloc_reference(mod, msgs[0]->dn); + creds_des_decrypt(pipe_state->creds, &r->in.new_password); /* set the password - samdb needs to know both the domain and user DNs, so the domain password policy can be used */ - nt_status = samdb_set_password(sam_ctx, mem_ctx, - msgs[0]->dn, domain_dn, - msg_set_pw, + nt_status = samdb_set_password(sam_ctx, mod, + msgs[0]->dn, + msgs_domain[0]->dn, + mod, NULL, /* Don't have plaintext */ NULL, &r->in.new_password, False /* This is not considered a password change */, NULL); - - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } + NT_STATUS_NOT_OK_RETURN(nt_status); - ret = samdb_replace(sam_ctx, mem_ctx, msg_set_pw); + ret = samdb_replace(sam_ctx, mem_ctx, mod); if (ret != 0) { /* we really need samdb.c to return NTSTATUS */ return NT_STATUS_UNSUCCESSFUL; @@ -651,7 +648,6 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, r->out.validation = r2.out.validation; r->out.authoritative = r2.out.authoritative; r->out.flags = r2.out.flags; - r->out.flags = r2.out.flags; return nt_status; } -- cgit From 516dbfd5ed45159366840087398669c5224d2844 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 12 Jan 2005 07:22:34 +0000 Subject: r4702: implment idl, torture test and server code for netr_ServerPasswordSet2() metze (This used to be commit 7d8ba92da2b8babe7165f105591fd3e5738b2319) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 113 ++++++++++++++++++++++++-- 1 file changed, 108 insertions(+), 5 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 731905e2a6..9eed9eb1f3 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -364,7 +364,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO } if (num_records_domain == 0) { - DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n", + DEBUG(3,("Couldn't find domain [%s] in samdb.\n", domain_sid)); return NT_STATUS_NO_SUCH_USER; } @@ -1000,12 +1000,115 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL /* - netr_NETRSERVERPASSWORDSET2 + netr_ServerPasswordSet2 */ -static WERROR netr_NETRSERVERPASSWORDSET2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_NETRSERVERPASSWORDSET2 *r) +static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_ServerPasswordSet2 *r) { - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); + struct server_pipe_state *pipe_state = dce_call->context->private; + + void *sam_ctx; + int num_records; + int num_records_domain; + int ret; + struct ldb_message **msgs; + struct ldb_message **msgs_domain; + NTSTATUS nt_status; + struct ldb_message *mod; + const char *domain_sid; + char new_pass[512]; + uint32_t new_pass_len; + + const char *attrs[] = {"objectSid", NULL }; + + const char **domain_attrs = attrs; + + nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator); + NT_STATUS_NOT_OK_RETURN(nt_status); + + sam_ctx = samdb_connect(mem_ctx); + if (sam_ctx == NULL) { + return NT_STATUS_INVALID_SYSTEM_SERVICE; + } + /* pull the user attributes */ + num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, + "(&(sAMAccountName=%s)(objectclass=user))", + pipe_state->creds->account_name); + if (num_records == -1) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + if (num_records == 0) { + DEBUG(3,("Couldn't find user [%s] in samdb.\n", + pipe_state->creds->account_name)); + return NT_STATUS_NO_SUCH_USER; + } + + if (num_records > 1) { + DEBUG(0,("Found %d records matching user [%s]\n", num_records, + pipe_state->creds->account_name)); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid"); + if (!domain_sid) { + DEBUG(0,("no objectSid in user record\n")); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + /* find the domain's DN */ + num_records_domain = samdb_search(sam_ctx, mem_ctx, NULL, + &msgs_domain, domain_attrs, + "(&(objectSid=%s)(objectclass=domain))", + domain_sid); + if (num_records_domain == -1) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + if (num_records_domain == 0) { + DEBUG(3,("Couldn't find domain [%s] in samdb.\n", + domain_sid)); + return NT_STATUS_NO_SUCH_USER; + } + + if (num_records_domain > 1) { + DEBUG(0,("Found %d records matching domain [%s]\n", + num_records_domain, domain_sid)); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + mod = talloc_zero(mem_ctx, struct ldb_message); + NT_STATUS_HAVE_NO_MEMORY(mod); + mod->dn = talloc_reference(mod, msgs[0]->dn); + + creds_arcfour_crypt(pipe_state->creds, r->in.new_password.data, 516); + + ret = decode_pw_buffer(r->in.new_password.data, new_pass, sizeof(new_pass), + &new_pass_len, STR_UNICODE); + if (!ret) { + DEBUG(3,("netr_ServerPasswordSet2: failed to decode password buffer\n")); + return NT_STATUS_ACCESS_DENIED; + } + + /* set the password - samdb needs to know both the domain and user DNs, + so the domain password policy can be used */ + nt_status = samdb_set_password(sam_ctx, mod, + msgs[0]->dn, + msgs_domain[0]->dn, + mod, new_pass, /* we have plaintext */ + NULL, NULL, + False /* This is not considered a password change */, + NULL); + ZERO_ARRAY(new_pass); + NT_STATUS_NOT_OK_RETURN(nt_status); + + ret = samdb_replace(sam_ctx, mem_ctx, mod); + if (ret != 0) { + /* we really need samdb.c to return NTSTATUS */ + return NT_STATUS_UNSUCCESSFUL; + } + + return NT_STATUS_OK; } -- cgit From 9178e7b8bf18ca2782b4e19a3f4ce49e54366712 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 12 Jan 2005 10:49:52 +0000 Subject: r4707: w2k3 don't restict passwords on netr_ServerPasswordSet and netr_ServerPasswordSet2 so we do now I also add a torture test for this metze (This used to be commit d896ac603a5cf387a10b21e64e2c92ff2626bc4d) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 9eed9eb1f3..6ef1c66714 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -389,7 +389,8 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO mod, NULL, /* Don't have plaintext */ NULL, &r->in.new_password, - False /* This is not considered a password change */, + False, /* This is not considered a password change */ + False, /* don't restrict this password change (match w2k3) */ NULL); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -1097,7 +1098,8 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL msgs_domain[0]->dn, mod, new_pass, /* we have plaintext */ NULL, NULL, - False /* This is not considered a password change */, + False, /* This is not considered a password change */ + False, /* don't restrict this password change (match w2k3) */ NULL); ZERO_ARRAY(new_pass); NT_STATUS_NOT_OK_RETURN(nt_status); -- cgit From 759da3b915e2006d4c87b5ace47f399accd9ce91 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 27 Jan 2005 07:08:20 +0000 Subject: r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for the large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 6ef1c66714..665d778ec9 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -45,7 +45,7 @@ static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) struct server_pipe_state *state; NTSTATUS status; - state = talloc_p(dce_call->conn, struct server_pipe_state); + state = talloc(dce_call->conn, struct server_pipe_state); if (state == NULL) { return NT_STATUS_NO_MEMORY; } @@ -112,7 +112,7 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL dce_call->context->private = NULL; } - pipe_state = talloc_p(dce_call->context, struct server_pipe_state); + pipe_state = talloc(dce_call->context, struct server_pipe_state); if (!pipe_state) { return NT_STATUS_NO_MEMORY; } @@ -213,7 +213,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL if (pipe_state->creds) { talloc_free(pipe_state->creds); } - pipe_state->creds = talloc_p(pipe_state, struct creds_CredentialState); + pipe_state->creds = talloc(pipe_state, struct creds_CredentialState); if (!pipe_state->creds) { return NT_STATUS_NO_MEMORY; } @@ -963,7 +963,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_INTERNAL_DB_CORRUPTION; } - info1 = talloc_p(mem_ctx, struct netr_DomainInfo1); + info1 = talloc(mem_ctx, struct netr_DomainInfo1); if (info1 == NULL) { return NT_STATUS_NO_MEMORY; } @@ -971,7 +971,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL ZERO_STRUCTP(info1); info1->num_trusts = ret2 + 1; - info1->trusts = talloc_array_p(mem_ctx, struct netr_DomainTrustInfo, + info1->trusts = talloc_array(mem_ctx, struct netr_DomainTrustInfo, info1->num_trusts); if (info1->trusts == NULL) { return NT_STATUS_NO_MEMORY; @@ -1169,7 +1169,7 @@ static WERROR netr_DrsGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CT return WERR_NO_SUCH_DOMAIN; } - r->out.info = talloc_p(mem_ctx, struct netr_DrsGetDCNameEx2Info); + r->out.info = talloc(mem_ctx, struct netr_DrsGetDCNameEx2Info); if (!r->out.info) { return WERR_NOMEM; } @@ -1259,7 +1259,7 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, return WERR_OK; } - trusts = talloc_array_p(mem_ctx, struct netr_DomainTrust, ret); + trusts = talloc_array(mem_ctx, struct netr_DomainTrust, ret); if (trusts == NULL) { return WERR_NOMEM; } -- cgit From 5045bdc2a4a4c4844857cfc393a5b3b6fac28f1a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 29 Jan 2005 04:02:13 +0000 Subject: r5090: Fix up the IDL for LogonGetDomainInfo in NETLOGON. Andrew Bartlett (This used to be commit e5afc3609382a7b534c9d845e809d135a0d4eb3a) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 665d778ec9..fac0d75ef1 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -938,7 +938,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL NTSTATUS status; status = netr_creds_server_step_check(pipe_state, - r->in.credential, r->out.credential); + r->in.credential, r->out.return_authenticator); if (!NT_STATUS_IS_OK(status)) { return status; } -- cgit From e82aad1ce39a6b7a2e51b9e2cb494d74ec70e158 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 10 Feb 2005 05:09:35 +0000 Subject: r5298: - got rid of pstring.h from includes.h. This at least makes it a bit less likely that anyone will use pstring for new code - got rid of winbind_client.h from includes.h. This one triggered a huge change, as winbind_client.h was including system/filesys.h and defining the old uint32 and uint16 types, as well as its own pstring and fstring. (This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index fac0d75ef1..67048e4a3d 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -252,7 +252,7 @@ static NTSTATUS netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALL * * (I think ... = 0; seems wrong here --metze) */ - uint32 negotiate_flags = 0; + uint32_t negotiate_flags = 0; r3.in.server_name = r->in.server_name; r3.in.account_name = r->in.account_name; @@ -271,7 +271,7 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL struct netr_ServerAuthenticate2 *r) { struct netr_ServerAuthenticate3 r3; - uint32 rid = 0; + uint32_t rid = 0; r3.in.server_name = r->in.server_name; r3.in.account_name = r->in.account_name; -- cgit From 75ddf59ea110117578acd3a7b889549bfb40473c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 10 Feb 2005 07:39:14 +0000 Subject: r5308: trimmed back a lot of the old macros from smb_macros.h (This used to be commit bf43c9bdcf9e654d123f6a2b29feb9189ca9e561) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 67048e4a3d..bb16ed54c6 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -535,7 +535,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ NT_STATUS_HAVE_NO_MEMORY(sam->domain_sid); sam->domain_sid->num_auths--; - ZERO_ARRAY(sam->unknown); + ZERO_STRUCT(sam->unknown); ZERO_STRUCT(sam->key); if (server_info->user_session_key.length == sizeof(sam->key.key)) { @@ -1101,7 +1101,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL False, /* This is not considered a password change */ False, /* don't restrict this password change (match w2k3) */ NULL); - ZERO_ARRAY(new_pass); + ZERO_STRUCT(new_pass); NT_STATUS_NOT_OK_RETURN(nt_status); ret = samdb_replace(sam_ctx, mem_ctx, mod); -- cgit From 765832748b4ef6141802ff72e3dea99453bf23d8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 6 Mar 2005 06:37:38 +0000 Subject: r5667: Move schannel state into libcli/auth (as it belongs with schannel, which will move in with the rest of GENSEC shortly). Add the RID as another element in the schannel state. Andrew Bartlett (This used to be commit 69114b4a8e1c937ab5ff12ca91dd22bd83fd9a3b) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index bb16ed54c6..fd93d495e2 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -45,17 +45,11 @@ static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) struct server_pipe_state *state; NTSTATUS status; - state = talloc(dce_call->conn, struct server_pipe_state); + /* We want the client and server challenge zero */ + state = talloc_zero(dce_call->conn, struct server_pipe_state); if (state == NULL) { return NT_STATUS_NO_MEMORY; } - ZERO_STRUCTP(state); - - if (dce_call->conn->auth_state.session_info == NULL) { - talloc_free(state); - smb_panic("No session info provided by schannel level setup!"); - return NT_STATUS_NO_USER_SESSION_KEY; - } status = dcerpc_schannel_creds(dce_call->conn->auth_state.gensec_security, state, @@ -235,6 +229,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL pipe_state->creds->secure_channel_type = r->in.secure_channel_type; + pipe_state->creds->rid = *r->out.rid; /* remember this session key state */ nt_status = schannel_store_session_key(mem_ctx, pipe_state->creds); -- cgit From df643022136a4b229aca817f5b57f7302a97f852 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 19 Mar 2005 08:34:43 +0000 Subject: r5902: A rather large change... I wanted to add a simple 'workstation' argument to the DCERPC authenticated binding calls, but this patch kind of grew from there. With SCHANNEL, the 'workstation' name (the netbios name of the client) matters, as this is what ties the session between the NETLOGON ops and the SCHANNEL bind. This changes a lot of files, and these will again be changed when jelmer does the credentials work. I also correct some schannel IDL to distinguish between workstation names and account names. The distinction matters for domain trust accounts. Issues in handling this (issues with lifetime of talloc pointers) caused me to change the 'creds_CredentialsState' and 'struct dcerpc_binding' pointers to always be talloc()ed pointers. In the schannel DB, we now store both the domain and computername, and query on both. This should ensure we fault correctly when the domain is specified incorrectly in the SCHANNEL bind. In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out, where the comment claimed we re-used a connection, but in fact we made a new connection. This was achived by breaking apart some of the dcerpc_secondary_connection() logic. The addition of workstation handling was also propogated to NTLMSSP and GENSEC, for completeness. The RPC-SAMSYNC test has been cleaned up a little, using a loop over usernames/passwords rather than manually expanded tests. This will be expanded further (the code in #if 0 in this patch) to use a newly created user account for testing. In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO server, caused by the removal of [ref] and the assoicated pointer from the IDL. This has been re-added, until the underlying pidl issues are solved. (This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index fd93d495e2..6a29bf7db8 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -230,6 +230,9 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL pipe_state->creds->secure_channel_type = r->in.secure_channel_type; pipe_state->creds->rid = *r->out.rid; + + pipe_state->creds->domain = talloc_strdup(pipe_state->creds, lp_workgroup()); + /* remember this session key state */ nt_status = schannel_store_session_key(mem_ctx, pipe_state->creds); -- cgit From 79f6bcd5ae1711075ce0e75392ce83a72766698e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 23 Mar 2005 01:30:43 +0000 Subject: r5988: Fix the -P option (use machine account credentials) to use the Samba4 secrets system, and not the old system from Samba3. This allowed the code from auth_domain to be shared - we now only lookup the secrets.ldb in lib/credentials.c. In order to link the resultant binary, samdb_search() has been moved from deep inside rpc_server into lib/gendb.c, along with the existing gendb_search_v(). The vast majority of this patch is the simple rename that followed, (Depending on the whole SAMDB for just this function seemed pointless, and brought in futher dependencies, such as smbencrypt.c). Andrew Bartlett (This used to be commit e13c671619bd290a8b3cae8555cb281a9a185ee0) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 6a29bf7db8..0b6106d485 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -152,7 +152,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL return NT_STATUS_INVALID_SYSTEM_SERVICE; } /* pull the user attributes */ - num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, + num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, "(&(sAMAccountName=%s)(objectclass=user))", r->in.account_name); @@ -327,7 +327,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO return NT_STATUS_INVALID_SYSTEM_SERVICE; } /* pull the user attributes */ - num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, + num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, "(&(sAMAccountName=%s)(objectclass=user))", pipe_state->creds->account_name); if (num_records == -1) { @@ -353,7 +353,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO } /* find the domain's DN */ - num_records_domain = samdb_search(sam_ctx, mem_ctx, NULL, + num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs, "(&(objectSid=%s)(objectclass=domain))", domain_sid); @@ -951,12 +951,12 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL primary domain is also a "trusted" domain, so we need to put the primary domain into the lists of returned trusts as well */ - ret1 = samdb_search(sam_ctx, mem_ctx, NULL, &res1, attrs, "(objectClass=domainDNS)"); + ret1 = gendb_search(sam_ctx, mem_ctx, NULL, &res1, attrs, "(objectClass=domainDNS)"); if (ret1 != 1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } - ret2 = samdb_search(sam_ctx, mem_ctx, NULL, &res2, attrs, "(objectClass=trustedDomain)"); + ret2 = gendb_search(sam_ctx, mem_ctx, NULL, &res2, attrs, "(objectClass=trustedDomain)"); if (ret2 == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -1030,7 +1030,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_INVALID_SYSTEM_SERVICE; } /* pull the user attributes */ - num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, + num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, "(&(sAMAccountName=%s)(objectclass=user))", pipe_state->creds->account_name); if (num_records == -1) { @@ -1056,7 +1056,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL } /* find the domain's DN */ - num_records_domain = samdb_search(sam_ctx, mem_ctx, NULL, + num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs, "(&(objectSid=%s)(objectclass=domain))", domain_sid); @@ -1160,7 +1160,7 @@ static WERROR netr_DrsGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CT return WERR_DS_SERVICE_UNAVAILABLE; } - ret = samdb_search(sam_ctx, mem_ctx, NULL, &res, attrs, + ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs, "(&(objectClass=domainDNS)(dnsDomain=%s))", r->in.domain_name); if (ret != 1) { @@ -1248,7 +1248,7 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, return WERR_GENERAL_FAILURE; } - ret = samdb_search(sam_ctx, mem_ctx, NULL, &res, attrs, "(objectClass=domainDNS)"); + ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs, "(objectClass=domainDNS)"); if (ret == -1) { return WERR_GENERAL_FAILURE; } -- cgit From a19d002ceea84b0b7350b1b3ebf181a03ac5b494 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 24 Mar 2005 06:30:38 +0000 Subject: r6032: Fix up SetServerPassword2 on NETLOGON for [bigendian]. Clearly nobody has the patience to run test_w2k3.sh to completion :-) It looks to me that the Windows server runs the RC4 over the C struct, not the NDR data. Andrew Bartlett (This used to be commit c324d974134c35b4c50c91d5a932a63c78b67046) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 0b6106d485..141aeef1bf 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -1018,6 +1018,8 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL char new_pass[512]; uint32_t new_pass_len; + struct samr_CryptPassword password_buf; + const char *attrs[] = {"objectSid", NULL }; const char **domain_attrs = attrs; @@ -1080,10 +1082,12 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL NT_STATUS_HAVE_NO_MEMORY(mod); mod->dn = talloc_reference(mod, msgs[0]->dn); - creds_arcfour_crypt(pipe_state->creds, r->in.new_password.data, 516); + memcpy(password_buf.data, r->in.new_password.data, 512); + SIVAL(password_buf.data,512,r->in.new_password.length); + creds_arcfour_crypt(pipe_state->creds, password_buf.data, 516); - ret = decode_pw_buffer(r->in.new_password.data, new_pass, sizeof(new_pass), - &new_pass_len, STR_UNICODE); + ret = decode_pw_buffer(password_buf.data, new_pass, sizeof(new_pass), + &new_pass_len, STR_UNICODE); if (!ret) { DEBUG(3,("netr_ServerPasswordSet2: failed to decode password buffer\n")); return NT_STATUS_ACCESS_DENIED; -- cgit From bb6e2059ee0b07d15ef3f924a137321d5fd6aa0f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 1 May 2005 08:05:17 +0000 Subject: r6544: Use common structures between SAMR, NETLGON and the Krb5 PAC. Fill out the group list for the SamLogon reply, so clients get the supplementary groups. Andrew Bartlett (This used to be commit d9c31e60a72c345e3a23a7eb742906bcfc18721c) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 141aeef1bf..6c32ac8b2c 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -522,8 +522,28 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ sam->bad_password_count = sam->bad_password_count; sam->rid = server_info->account_sid->sub_auths[server_info->account_sid->num_auths-1]; sam->primary_gid = server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1]; - sam->group_count = 0; - sam->groupids = NULL; + + sam->groups.count = 0; + sam->groups.rids = NULL; + + if (server_info->n_domain_groups > 0) { + int i; + sam->groups.rids = talloc_array(mem_ctx, struct samr_RidWithType, + server_info->n_domain_groups); + + if (sam->groups.rids == NULL) + return NT_STATUS_NO_MEMORY; + + for (i=0; in_domain_groups; i++) { + + struct dom_sid *group_sid = server_info->domain_groups[i]; + sam->groups.rids[sam->groups.count].rid = + group_sid->sub_auths[group_sid->num_auths-1]; + sam->groups.rids[sam->groups.count].type = 7; + sam->groups.count += 1; + } + } + sam->user_flags = 0; /* TODO: w2k3 uses 0x120 - what is this? */ sam->acct_flags = server_info->acct_flags; sam->logon_server.string = lp_netbios_name(); -- cgit From af237084ecd4f9928c6c282b9c5c73598d5c73d6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 16 Jun 2005 11:36:09 +0000 Subject: r7633: this patch started as an attempt to make the dcerpc code use a given event_context for the socket_connect() call, so that when things that use dcerpc are running alongside anything else it doesn't block the whole process during a connect. Then of course I needed to change any code that created a dcerpc connection (such as the auth code) to also take an event context, and anything that called that and so on .... thus the size of the patch. There were 3 places where I punted: - abartlet wanted me to add a gensec_set_event_context() call instead of adding it to the gensec init calls. Andrew, my apologies for not doing this. I didn't do it as adding a new parameter allowed me to catch all the callers with the compiler. Now that its done, we could go back and use gensec_set_event_context() - the ejs code calls auth initialisation, which means it should pass in the event context from the web server. I punted on that. Needs fixing. - I used a NULL event context in dcom_get_pipe(). This is equivalent to what we did already, but should be fixed to use a callers event context. Jelmer, can you think of a clean way to do that? I also cleaned up a couple of things: - libnet_context_destroy() makes no sense. I removed it. - removed some unused vars in various places (This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 6c32ac8b2c..bd20deedb9 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -460,7 +460,8 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ } /* TODO: we need to deny anonymous access here */ - nt_status = auth_context_create(mem_ctx, lp_auth_methods(), &auth_context); + nt_status = auth_context_create(mem_ctx, lp_auth_methods(), &auth_context, + dce_call->event_ctx); NT_STATUS_NOT_OK_RETURN(nt_status); nt_status = auth_get_challenge(auth_context, &chal); @@ -479,7 +480,8 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ case 2: case 6: /* TODO: we need to deny anonymous access here */ - nt_status = auth_context_create(mem_ctx, lp_auth_methods(), &auth_context); + nt_status = auth_context_create(mem_ctx, lp_auth_methods(), &auth_context, + dce_call->event_ctx); NT_STATUS_NOT_OK_RETURN(nt_status); nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags"); -- cgit From bdee131f30e1bef31498b08bb648ddee35ea4892 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 24 Jun 2005 00:18:20 +0000 Subject: r7860: switch our ldb storage format to use a NDR encoded objectSid. This is quite a large change as we had lots of code that assumed that objectSid was a string in S- format. metze and simo tried to convince me to use NDR format months ago, but I didn't listen, so its fair that I have the pain of fixing all the code now :-) This builds on the ldb_register_samba_handlers() and ldif handlers code I did earlier this week. There are still three parts of this conversion I have not finished: - the ltdb index records need to use the string form of the objectSid (to keep the DNs sane). Until that it done I have disabled indexing on objectSid, which is a big performance hit, but allows us to pass all our tests while I rejig the indexing system to use a externally supplied conversion function - I haven't yet put in place the code that allows client to use the "S-xxx-yyy" form for objectSid in ldap search expressions. w2k3 supports this, presumably by looking for the "S-" prefix to determine what type of objectSid form is being used by the client. I have been working on ways to handle this, but am not happy with them yet so they aren't part of this patch - I need to change pidl to generate push functions that take a "const void *" instead of a "void*" for the data pointer. That will fix the couple of new warnings this code generates. Luckily it many places the conversion to NDR formatted records actually simplified the code, as it means we no longer need as many calls to dom_sid_parse_talloc(). In some places it got more complex, but not many. (This used to be commit d40bc2fa8ddd43560315688eebdbe98bdd02756c) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index bd20deedb9..4dd8312df5 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -313,7 +313,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO struct ldb_message **msgs_domain; NTSTATUS nt_status; struct ldb_message *mod; - const char *domain_sid; + struct dom_sid *domain_sid; const char *attrs[] = {"objectSid", NULL }; @@ -356,20 +356,20 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs, "(&(objectSid=%s)(objectclass=domain))", - domain_sid); + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); if (num_records_domain == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } if (num_records_domain == 0) { DEBUG(3,("Couldn't find domain [%s] in samdb.\n", - domain_sid)); + dom_sid_string(mem_ctx, domain_sid))); return NT_STATUS_NO_SUCH_USER; } if (num_records_domain > 1) { DEBUG(0,("Found %d records matching domain [%s]\n", - num_records_domain, domain_sid)); + num_records_domain, dom_sid_string(mem_ctx, domain_sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -1036,7 +1036,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL struct ldb_message **msgs_domain; NTSTATUS nt_status; struct ldb_message *mod; - const char *domain_sid; + struct dom_sid *domain_sid; char new_pass[512]; uint32_t new_pass_len; @@ -1083,20 +1083,21 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs, "(&(objectSid=%s)(objectclass=domain))", - domain_sid); + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); if (num_records_domain == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } if (num_records_domain == 0) { DEBUG(3,("Couldn't find domain [%s] in samdb.\n", - domain_sid)); + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid))); return NT_STATUS_NO_SUCH_USER; } if (num_records_domain > 1) { DEBUG(0,("Found %d records matching domain [%s]\n", - num_records_domain, domain_sid)); + num_records_domain, + ldap_encode_ndr_dom_sid(mem_ctx, domain_sid))); return NT_STATUS_INTERNAL_DB_CORRUPTION; } -- cgit From 9a7481bcfeff29495334eff8803878c2c238878f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 29 Jun 2005 13:55:09 +0000 Subject: r7993: Further work on the Krb5 PAC. We now generate the PAC, and can verifiy both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, spits out the code to get the information we need from the NETLOGON server back into a auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be veified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 65 +-------------------------- 1 file changed, 2 insertions(+), 63 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 4dd8312df5..1317ea31a9 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -503,64 +503,9 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ nt_status = auth_check_password(auth_context, mem_ctx, user_info, &server_info); NT_STATUS_NOT_OK_RETURN(nt_status); - sam = talloc_zero(mem_ctx, struct netr_SamBaseInfo); - NT_STATUS_HAVE_NO_MEMORY(sam); - - sam->last_logon = server_info->last_logon; - sam->last_logoff = server_info->last_logoff; - sam->acct_expiry = server_info->acct_expiry; - sam->last_password_change = server_info->last_password_change; - sam->allow_password_change = server_info->allow_password_change; - sam->force_password_change = server_info->force_password_change; - - sam->account_name.string = server_info->account_name; - sam->full_name.string = server_info->full_name; - sam->logon_script.string = server_info->logon_script; - sam->profile_path.string = server_info->profile_path; - sam->home_directory.string = server_info->home_directory; - sam->home_drive.string = server_info->home_drive; - - sam->logon_count = server_info->logon_count; - sam->bad_password_count = sam->bad_password_count; - sam->rid = server_info->account_sid->sub_auths[server_info->account_sid->num_auths-1]; - sam->primary_gid = server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1]; - - sam->groups.count = 0; - sam->groups.rids = NULL; - - if (server_info->n_domain_groups > 0) { - int i; - sam->groups.rids = talloc_array(mem_ctx, struct samr_RidWithType, - server_info->n_domain_groups); - - if (sam->groups.rids == NULL) - return NT_STATUS_NO_MEMORY; - - for (i=0; in_domain_groups; i++) { - - struct dom_sid *group_sid = server_info->domain_groups[i]; - sam->groups.rids[sam->groups.count].rid = - group_sid->sub_auths[group_sid->num_auths-1]; - sam->groups.rids[sam->groups.count].type = 7; - sam->groups.count += 1; - } - } - - sam->user_flags = 0; /* TODO: w2k3 uses 0x120 - what is this? */ - sam->acct_flags = server_info->acct_flags; - sam->logon_server.string = lp_netbios_name(); - sam->domain.string = server_info->domain_name; - - sam->domain_sid = dom_sid_dup(mem_ctx, server_info->account_sid); - NT_STATUS_HAVE_NO_MEMORY(sam->domain_sid); - sam->domain_sid->num_auths--; - - ZERO_STRUCT(sam->unknown); + nt_status = auth_convert_server_info_sambaseinfo(mem_ctx, server_info, &sam); - ZERO_STRUCT(sam->key); - if (server_info->user_session_key.length == sizeof(sam->key.key)) { - memcpy(sam->key.key, server_info->user_session_key.data, sizeof(sam->key.key)); - } + NT_STATUS_NOT_OK_RETURN(nt_status); /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ /* It appears that level 6 is not individually encrypted */ @@ -576,12 +521,6 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ } } - ZERO_STRUCT(sam->LMSessKey); - if (server_info->lm_session_key.length == sizeof(sam->LMSessKey.key)) { - memcpy(sam->LMSessKey.key, server_info->lm_session_key.data, - sizeof(sam->LMSessKey.key)); - } - /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ /* It appears that level 6 is not individually encrypted */ if ((r->in.validation_level != 6) -- cgit From b7952f805872083da9ce233ef0d278f364a1c738 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Jul 2005 05:19:28 +0000 Subject: r8226: w2k3 adds a '.' after the forest and domain dns names for the primary domain and NULL for the trusted domains forest dns name metze (This used to be commit 225fc1b8658f01217b55e2d1c6d5814ee5022559) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 37 +++++++++++++++++++-------- 1 file changed, 27 insertions(+), 10 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 1317ea31a9..ca7b938ea6 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -853,6 +853,24 @@ static WERROR netr_DSRGETSITENAME(struct dcesrv_call_state *dce_call, TALLOC_CTX } +/* + fill in a netr_DomainTrustInfo from a ldb search result +*/ +static NTSTATUS fill_domain_primary_info(TALLOC_CTX *mem_ctx, struct ldb_message *res, + struct netr_DomainTrustInfo *info) +{ + ZERO_STRUCTP(info); + + info->domainname.string = samdb_result_string(res, "name", NULL); + info->fulldomainname.string = talloc_asprintf(info, "%s.", samdb_result_string(res, "dnsDomain", NULL)); + /* TODO: we need proper forest support */ + info->forest.string = info->fulldomainname.string; + info->guid = samdb_result_guid(res, "objectGUID"); + info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid"); + + return NT_STATUS_OK; +} + /* fill in a netr_DomainTrustInfo from a ldb search result */ @@ -864,18 +882,17 @@ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message * if (is_local) { info->domainname.string = samdb_result_string(res, "name", NULL); info->fulldomainname.string = samdb_result_string(res, "dnsDomain", NULL); + info->forest.string = NULL; info->guid = samdb_result_guid(res, "objectGUID"); info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid"); } else { info->domainname.string = samdb_result_string(res, "flatName", NULL); info->fulldomainname.string = samdb_result_string(res, "name", NULL); + info->forest.string = NULL; info->guid = samdb_result_guid(res, "objectGUID"); info->sid = samdb_result_dom_sid(mem_ctx, res, "securityIdentifier"); } - /* TODO: we need proper forest support */ - info->forest.string = info->fulldomainname.string; - return NT_STATUS_OK; } @@ -936,23 +953,23 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_NO_MEMORY; } - status = fill_domain_trust_info(mem_ctx, res1[0], &info1->domaininfo, True); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[0], True); + status = fill_domain_primary_info(mem_ctx, res1[0], &info1->domaininfo); if (!NT_STATUS_IS_OK(status)) { return status; } for (i=0;itrusts[i+1], False); + status = fill_domain_trust_info(mem_ctx, res2[i], &info1->trusts[i], False); if (!NT_STATUS_IS_OK(status)) { return status; } } + status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[i], True); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + r->out.info.info1 = info1; return NT_STATUS_OK; -- cgit From b16362fab65d0700bd6a8cf6569a9e21c7e6b069 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 22 Jul 2005 04:10:07 +0000 Subject: r8700: Propmted by tridge's need to do plaintext auth in ejs, rework the user_info strcture in auth/ This moves it to a pattern much like that found in ntvfs, with functions to migrate between PAIN, HASH and RESPONSE passwords. Instead of make_user_info*() functions, we simply fill in the control block in the callers, per recent dicussions on the lists. This removed a lot of data copies as well as error paths, as we can grab much of it with talloc. Andrew Bartlett (This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 53 +++++++++++++++++---------- 1 file changed, 33 insertions(+), 20 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index ca7b938ea6..31db7c81f3 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -436,13 +436,21 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ struct auth_usersupplied_info *user_info; struct auth_serversupplied_info *server_info; NTSTATUS nt_status; - const uint8_t *chal; static const char zeros[16]; struct netr_SamBaseInfo *sam; struct netr_SamInfo2 *sam2; struct netr_SamInfo3 *sam3; struct netr_SamInfo6 *sam6; + user_info = talloc(mem_ctx, struct auth_usersupplied_info); + if (!user_info) { + return NT_STATUS_NO_MEMORY; + } + + user_info->flags = 0; + user_info->mapped_state = False; + user_info->remote_host = NULL; + switch (r->in.logon_level) { case 1: case 3: @@ -464,21 +472,26 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ dce_call->event_ctx); NT_STATUS_NOT_OK_RETURN(nt_status); - nt_status = auth_get_challenge(auth_context, &chal); - NT_STATUS_NOT_OK_RETURN(nt_status); + user_info->client.account_name = r->in.logon.network->identity_info.account_name.string; + user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string; + user_info->workstation_name = r->in.logon.network->identity_info.workstation.string; + + user_info->password_state = AUTH_PASSWORD_HASH; + user_info->password.hash.lanman = talloc(user_info, struct samr_Password); + if (!user_info->password.hash.lanman) { + return NT_STATUS_NO_MEMORY; + } + *user_info->password.hash.lanman = r->in.logon.password->lmpassword; - nt_status = make_user_info_netlogon_interactive(mem_ctx, - r->in.logon.password->identity_info.account_name.string, - r->in.logon.password->identity_info.domain_name.string, - r->in.logon.password->identity_info.workstation.string, - chal, - &r->in.logon.password->lmpassword, - &r->in.logon.password->ntpassword, - &user_info); - NT_STATUS_NOT_OK_RETURN(nt_status); + user_info->password.hash.nt = talloc(user_info, struct samr_Password); + if (!user_info->password.hash.nt) { + return NT_STATUS_NO_MEMORY; + } + *user_info->password.hash.nt = r->in.logon.password->ntpassword; break; case 2: case 6: + /* TODO: we need to deny anonymous access here */ nt_status = auth_context_create(mem_ctx, lp_auth_methods(), &auth_context, dce_call->event_ctx); @@ -487,14 +500,14 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags"); NT_STATUS_NOT_OK_RETURN(nt_status); - nt_status = make_user_info_netlogon_network(auth_context, - r->in.logon.network->identity_info.account_name.string, - r->in.logon.network->identity_info.domain_name.string, - r->in.logon.network->identity_info.workstation.string, - r->in.logon.network->lm.data, r->in.logon.network->lm.length, - r->in.logon.network->nt.data, r->in.logon.network->nt.length, - &user_info); - NT_STATUS_NOT_OK_RETURN(nt_status); + user_info->client.account_name = r->in.logon.network->identity_info.account_name.string; + user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string; + user_info->workstation_name = r->in.logon.network->identity_info.workstation.string; + + user_info->password_state = AUTH_PASSWORD_RESPONSE; + user_info->password.response.lanman = data_blob(r->in.logon.network->lm.data, r->in.logon.network->lm.length); + user_info->password.response.nt = data_blob(r->in.logon.network->nt.data, r->in.logon.network->nt.length); + break; default: return NT_STATUS_INVALID_PARAMETER; -- cgit From 14fd6efaf5bfa5fe069373f1dd46c84c0872bc1a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 3 Aug 2005 07:24:42 +0000 Subject: r8998: More work on the RPC server code to avoid abusing the name attribute as a netbios name. Andrew Bartlett (This used to be commit 242db48b98a04eed46bb35946dcd68b579bffe00) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 51 ++++++++++++++++----------- 1 file changed, 30 insertions(+), 21 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 31db7c81f3..ace5f9fffe 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -1233,9 +1233,10 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, { struct netr_DomainTrust *trusts; void *sam_ctx; - int ret, i; - struct ldb_message **res; - const char * const attrs[] = { "name", "dnsDomain", "objectSid", "objectGUID", NULL }; + int ret; + struct ldb_message **dom_res, **ref_res; + const char * const dom_attrs[] = { "dnsDomain", "objectSid", "objectGUID", NULL }; + const char * const ref_attrs[] = { "nETBIOSName", NULL }; ZERO_STRUCT(r->out); @@ -1244,39 +1245,47 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, return WERR_GENERAL_FAILURE; } - ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs, "(objectClass=domainDNS)"); + ret = gendb_search(sam_ctx, mem_ctx, NULL, &dom_res, dom_attrs, "(&(objectClass=domainDNS)(dnsDomain=%s))", lp_realm()); if (ret == -1) { return WERR_GENERAL_FAILURE; } - if (ret == 0) { - return WERR_OK; + if (ret != 1) { + return WERR_GENERAL_FAILURE; + } + + ret = gendb_search(sam_ctx, mem_ctx, NULL, &ref_res, ref_attrs, "(&(objectClass=crossRef)(ncName=%s))", dom_res[0]->dn); + if (ret == -1) { + return WERR_GENERAL_FAILURE; + } + + if (ret != 1) { + return WERR_GENERAL_FAILURE; } + + trusts = talloc_array(mem_ctx, struct netr_DomainTrust, ret); if (trusts == NULL) { return WERR_NOMEM; } - r->out.count = ret; + r->out.count = 1; r->out.trusts = trusts; /* TODO: add filtering by trust_flags, and correct trust_type and attributes */ - for (i=0;i Date: Wed, 3 Aug 2005 20:27:33 +0000 Subject: r9016: More work to avoid abuse of the "name" attribute, this time on NETLOGON. Andrew Bartlett (This used to be commit e9837d49bc8d784b365c0a7470ebfbd6f396464d) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 38 +++++++++++++++++++-------- 1 file changed, 27 insertions(+), 11 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index ace5f9fffe..aad66ad314 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -870,11 +870,12 @@ static WERROR netr_DSRGETSITENAME(struct dcesrv_call_state *dce_call, TALLOC_CTX fill in a netr_DomainTrustInfo from a ldb search result */ static NTSTATUS fill_domain_primary_info(TALLOC_CTX *mem_ctx, struct ldb_message *res, - struct netr_DomainTrustInfo *info) + struct netr_DomainTrustInfo *info, + const char *local_domain) { ZERO_STRUCTP(info); - info->domainname.string = samdb_result_string(res, "name", NULL); + info->domainname.string = local_domain; info->fulldomainname.string = talloc_asprintf(info, "%s.", samdb_result_string(res, "dnsDomain", NULL)); /* TODO: we need proper forest support */ info->forest.string = info->fulldomainname.string; @@ -888,12 +889,13 @@ static NTSTATUS fill_domain_primary_info(TALLOC_CTX *mem_ctx, struct ldb_message fill in a netr_DomainTrustInfo from a ldb search result */ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message *res, - struct netr_DomainTrustInfo *info, BOOL is_local) + struct netr_DomainTrustInfo *info, + const char *local_domain, BOOL is_local) { ZERO_STRUCTP(info); if (is_local) { - info->domainname.string = samdb_result_string(res, "name", NULL); + info->domainname.string = local_domain; info->fulldomainname.string = samdb_result_string(res, "dnsDomain", NULL); info->forest.string = NULL; info->guid = samdb_result_guid(res, "objectGUID"); @@ -917,15 +919,18 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL struct netr_LogonGetDomainInfo *r) { struct server_pipe_state *pipe_state = dce_call->context->private; - const char * const attrs[] = { "name", "dnsDomain", "objectSid", + const char * const attrs[] = { "dnsDomain", "objectSid", "objectGUID", "flatName", "securityIdentifier", NULL }; - void *sam_ctx; - struct ldb_message **res1, **res2; + const char * const ref_attrs[] = { "nETBIOSName", NULL }; + struct ldb_context *sam_ctx; + struct ldb_message **res1, **res2, **ref_res; struct netr_DomainInfo1 *info1; - int ret1, ret2, i; + int ret, ret1, ret2, i; NTSTATUS status; + const char *local_domain; + status = netr_creds_server_step_check(pipe_state, r->in.credential, r->out.return_authenticator); if (!NT_STATUS_IS_OK(status)) { @@ -947,6 +952,17 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_INTERNAL_DB_CORRUPTION; } + /* try and find the domain */ + ret = gendb_search(sam_ctx, mem_ctx, NULL, + &ref_res, ref_attrs, + "(&(objectClass=crossRef)(ncName=%s))", + res1[0]->dn); + if (ret != 1) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + local_domain = samdb_result_string(ref_res[0], "nETBIOSName", NULL); + ret2 = gendb_search(sam_ctx, mem_ctx, NULL, &res2, attrs, "(objectClass=trustedDomain)"); if (ret2 == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; @@ -966,19 +982,19 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_NO_MEMORY; } - status = fill_domain_primary_info(mem_ctx, res1[0], &info1->domaininfo); + status = fill_domain_primary_info(mem_ctx, res1[0], &info1->domaininfo, local_domain); if (!NT_STATUS_IS_OK(status)) { return status; } for (i=0;itrusts[i], False); + status = fill_domain_trust_info(mem_ctx, res2[i], &info1->trusts[i], NULL, False); if (!NT_STATUS_IS_OK(status)) { return status; } } - status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[i], True); + status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[i], local_domain, True); if (!NT_STATUS_IS_OK(status)) { return status; } -- cgit From 3e4c4cff2177af33efdb15f03a1bbcb639505cee Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 18 Aug 2005 15:02:01 +0000 Subject: r9391: Convert all the code to use struct ldb_dn to ohandle ldap like distinguished names Provide more functions to handle DNs in this form (This used to be commit 692e35b7797e39533dd2a1c4b63d9da30f1eb5ba) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index aad66ad314..cea645cd02 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -956,7 +956,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL ret = gendb_search(sam_ctx, mem_ctx, NULL, &ref_res, ref_attrs, "(&(objectClass=crossRef)(ncName=%s))", - res1[0]->dn); + ldb_dn_linearize(mem_ctx, res1[0]->dn)); if (ret != 1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -1261,7 +1261,8 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, return WERR_GENERAL_FAILURE; } - ret = gendb_search(sam_ctx, mem_ctx, NULL, &dom_res, dom_attrs, "(&(objectClass=domainDNS)(dnsDomain=%s))", lp_realm()); + ret = gendb_search(sam_ctx, mem_ctx, NULL, &dom_res, dom_attrs, + "(&(objectClass=domainDNS)(dnsDomain=%s))", lp_realm()); if (ret == -1) { return WERR_GENERAL_FAILURE; } @@ -1270,7 +1271,9 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, return WERR_GENERAL_FAILURE; } - ret = gendb_search(sam_ctx, mem_ctx, NULL, &ref_res, ref_attrs, "(&(objectClass=crossRef)(ncName=%s))", dom_res[0]->dn); + ret = gendb_search(sam_ctx, mem_ctx, NULL, &ref_res, ref_attrs, + "(&(objectClass=crossRef)(ncName=%s))", + ldb_dn_linearize(mem_ctx, dom_res[0]->dn)); if (ret == -1) { return WERR_GENERAL_FAILURE; } -- cgit From 1377cca5f4beb43cf67fcc65eed79f14178d6349 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 7 Oct 2005 11:31:45 +0000 Subject: r10810: This adds the hooks required to communicate the current user from the authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index cea645cd02..99701fc4f1 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -26,8 +26,8 @@ #include "rpc_server/dcerpc_server.h" #include "rpc_server/common/common.h" #include "librpc/gen_ndr/ndr_dcom.h" -#include "auth/auth.h" #include "lib/ldb/include/ldb.h" +#include "auth/auth.h" struct server_pipe_state { struct netr_Credential client_challenge; @@ -147,7 +147,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL return NT_STATUS_ACCESS_DENIED; } - sam_ctx = samdb_connect(mem_ctx); + sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -159,7 +159,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL if (num_records == 0) { DEBUG(3,("Couldn't find user [%s] in samdb.\n", r->in.account_name)); - return NT_STATUS_NO_SUCH_USER; + return NT_STATUS_ACCESS_DENIED; } if (num_records > 1) { @@ -322,7 +322,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator); NT_STATUS_NOT_OK_RETURN(nt_status); - sam_ctx = samdb_connect(mem_ctx); + sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -937,7 +937,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL return status; } - sam_ctx = samdb_connect(mem_ctx); + sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -1034,7 +1034,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator); NT_STATUS_NOT_OK_RETURN(nt_status); - sam_ctx = samdb_connect(mem_ctx); + sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -1167,7 +1167,7 @@ static WERROR netr_DrsGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CT ZERO_STRUCT(r->out); - sam_ctx = samdb_connect(mem_ctx); + sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info); if (sam_ctx == NULL) { return WERR_DS_SERVICE_UNAVAILABLE; } @@ -1256,13 +1256,12 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, ZERO_STRUCT(r->out); - sam_ctx = samdb_connect(mem_ctx); + sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info); if (sam_ctx == NULL) { return WERR_GENERAL_FAILURE; } - ret = gendb_search(sam_ctx, mem_ctx, NULL, &dom_res, dom_attrs, - "(&(objectClass=domainDNS)(dnsDomain=%s))", lp_realm()); + ret = gendb_search_dn(sam_ctx, mem_ctx, samdb_base_dn(mem_ctx), &dom_res, dom_attrs); if (ret == -1) { return WERR_GENERAL_FAILURE; } -- cgit From 02c32587a88fa8a0a336981e7a5cf88042b75e6d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Oct 2005 03:17:42 +0000 Subject: r11195: Add a new helper function (needed by my kpasswdd work, but hooked in for netlogon as well) to change/set a user's password, given only their SID. This avoids the callers doing the lookups, and also performs the actual 'set', as these callers do not wish any further buisness with the entry. Andrew Bartlett (This used to be commit 060a2a7bcca6b58d50bc4e0930c13616742a55d3) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 192 ++++---------------------- 1 file changed, 24 insertions(+), 168 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 99701fc4f1..472fcca785 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -223,13 +223,13 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL return NT_STATUS_ACCESS_DENIED; } - pipe_state->creds->account_name = talloc_reference(pipe_state->creds, r->in.account_name); + pipe_state->creds->account_name = talloc_steal(pipe_state->creds, r->in.account_name); - pipe_state->creds->computer_name = talloc_reference(pipe_state->creds, r->in.computer_name); + pipe_state->creds->computer_name = talloc_steal(pipe_state->creds, r->in.computer_name); pipe_state->creds->secure_channel_type = r->in.secure_channel_type; - pipe_state->creds->rid = *r->out.rid; + pipe_state->creds->sid = samdb_result_dom_sid(pipe_state->creds, msgs[0], "objectSid"); pipe_state->creds->domain = talloc_strdup(pipe_state->creds, lp_workgroup()); @@ -305,19 +305,8 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO { struct server_pipe_state *pipe_state = dce_call->context->private; - void *sam_ctx; - int num_records; - int num_records_domain; - int ret; - struct ldb_message **msgs; - struct ldb_message **msgs_domain; + struct ldb_context *sam_ctx; NTSTATUS nt_status; - struct ldb_message *mod; - struct dom_sid *domain_sid; - - const char *attrs[] = {"objectSid", NULL }; - - const char **domain_attrs = attrs; nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -326,79 +315,18 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } - /* pull the user attributes */ - num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, - "(&(sAMAccountName=%s)(objectclass=user))", - pipe_state->creds->account_name); - if (num_records == -1) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - if (num_records == 0) { - DEBUG(3,("Couldn't find user [%s] in samdb.\n", - pipe_state->creds->account_name)); - return NT_STATUS_NO_SUCH_USER; - } - - if (num_records > 1) { - DEBUG(0,("Found %d records matching user [%s]\n", num_records, - pipe_state->creds->account_name)); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid"); - if (!domain_sid) { - DEBUG(0,("no objectSid in user record\n")); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - /* find the domain's DN */ - num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL, - &msgs_domain, domain_attrs, - "(&(objectSid=%s)(objectclass=domain))", - ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); - if (num_records_domain == -1) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - if (num_records_domain == 0) { - DEBUG(3,("Couldn't find domain [%s] in samdb.\n", - dom_sid_string(mem_ctx, domain_sid))); - return NT_STATUS_NO_SUCH_USER; - } - if (num_records_domain > 1) { - DEBUG(0,("Found %d records matching domain [%s]\n", - num_records_domain, dom_sid_string(mem_ctx, domain_sid))); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - mod = talloc_zero(mem_ctx, struct ldb_message); - NT_STATUS_HAVE_NO_MEMORY(mod); - mod->dn = talloc_reference(mod, msgs[0]->dn); - creds_des_decrypt(pipe_state->creds, &r->in.new_password); - /* set the password - samdb needs to know both the domain and user DNs, - so the domain password policy can be used */ - nt_status = samdb_set_password(sam_ctx, mod, - msgs[0]->dn, - msgs_domain[0]->dn, - mod, - NULL, /* Don't have plaintext */ - NULL, &r->in.new_password, - False, /* This is not considered a password change */ - False, /* don't restrict this password change (match w2k3) */ - NULL); - NT_STATUS_NOT_OK_RETURN(nt_status); - - ret = samdb_replace(sam_ctx, mem_ctx, mod); - if (ret != 0) { - /* we really need samdb.c to return NTSTATUS */ - return NT_STATUS_UNSUCCESSFUL; - } - - return NT_STATUS_OK; + /* Using the sid for the account as the key, set the password */ + nt_status = samdb_set_password_sid(sam_ctx, mem_ctx, + pipe_state->creds->sid, + NULL, /* Don't have plaintext */ + NULL, &r->in.new_password, + False, /* This is not considered a password change */ + False, /* don't restrict this password change (match w2k3) */ + NULL, NULL); + return nt_status; } @@ -1013,24 +941,14 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL { struct server_pipe_state *pipe_state = dce_call->context->private; - void *sam_ctx; - int num_records; - int num_records_domain; - int ret; - struct ldb_message **msgs; - struct ldb_message **msgs_domain; + struct ldb_context *sam_ctx; NTSTATUS nt_status; - struct ldb_message *mod; - struct dom_sid *domain_sid; char new_pass[512]; uint32_t new_pass_len; + BOOL ret; struct samr_CryptPassword password_buf; - const char *attrs[] = {"objectSid", NULL }; - - const char **domain_attrs = attrs; - nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -1038,58 +956,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } - /* pull the user attributes */ - num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, - "(&(sAMAccountName=%s)(objectclass=user))", - pipe_state->creds->account_name); - if (num_records == -1) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - if (num_records == 0) { - DEBUG(3,("Couldn't find user [%s] in samdb.\n", - pipe_state->creds->account_name)); - return NT_STATUS_NO_SUCH_USER; - } - - if (num_records > 1) { - DEBUG(0,("Found %d records matching user [%s]\n", num_records, - pipe_state->creds->account_name)); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - domain_sid = samdb_result_sid_prefix(mem_ctx, msgs[0], "objectSid"); - if (!domain_sid) { - DEBUG(0,("no objectSid in user record\n")); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - /* find the domain's DN */ - num_records_domain = gendb_search(sam_ctx, mem_ctx, NULL, - &msgs_domain, domain_attrs, - "(&(objectSid=%s)(objectclass=domain))", - ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); - if (num_records_domain == -1) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - if (num_records_domain == 0) { - DEBUG(3,("Couldn't find domain [%s] in samdb.\n", - ldap_encode_ndr_dom_sid(mem_ctx, domain_sid))); - return NT_STATUS_NO_SUCH_USER; - } - if (num_records_domain > 1) { - DEBUG(0,("Found %d records matching domain [%s]\n", - num_records_domain, - ldap_encode_ndr_dom_sid(mem_ctx, domain_sid))); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - mod = talloc_zero(mem_ctx, struct ldb_message); - NT_STATUS_HAVE_NO_MEMORY(mod); - mod->dn = talloc_reference(mod, msgs[0]->dn); - memcpy(password_buf.data, r->in.new_password.data, 512); SIVAL(password_buf.data,512,r->in.new_password.length); creds_arcfour_crypt(pipe_state->creds, password_buf.data, 516); @@ -1101,26 +968,15 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_ACCESS_DENIED; } - /* set the password - samdb needs to know both the domain and user DNs, - so the domain password policy can be used */ - nt_status = samdb_set_password(sam_ctx, mod, - msgs[0]->dn, - msgs_domain[0]->dn, - mod, new_pass, /* we have plaintext */ - NULL, NULL, - False, /* This is not considered a password change */ - False, /* don't restrict this password change (match w2k3) */ - NULL); - ZERO_STRUCT(new_pass); - NT_STATUS_NOT_OK_RETURN(nt_status); - - ret = samdb_replace(sam_ctx, mem_ctx, mod); - if (ret != 0) { - /* we really need samdb.c to return NTSTATUS */ - return NT_STATUS_UNSUCCESSFUL; - } - - return NT_STATUS_OK; + /* Using the sid for the account as the key, set the password */ + nt_status = samdb_set_password_sid(sam_ctx, mem_ctx, + pipe_state->creds->sid, + new_pass, /* we have plaintext */ + NULL, NULL, + False, /* This is not considered a password change */ + False, /* don't restrict this password change (match w2k3) */ + NULL, NULL); + return nt_status; } -- cgit From 1e7bc73e009e1c0adcd06129ae75ddc134956b40 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 25 Oct 2005 12:37:20 +0000 Subject: r11289: Fix comment. Andrew Bartlett (This used to be commit fc18276389d17684bd14a2012d18fb7a9695f69e) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 472fcca785..200cfd79db 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -351,7 +351,7 @@ static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX /* - netr_LogonSamLogonWithFlags + netr_LogonSamLogonEx This version of the function allows other wrappers to say 'do not check the credentials' */ -- cgit From 152988a828ee958b9452474885460e9e46f65e79 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 28 Oct 2005 08:54:37 +0000 Subject: r11366: Pass around the flags which indicate if we should support plaintext logins and NTLM machine account logins. Andrew Bartlett (This used to be commit 421e64c2b4192bb13d2857d6c8648ff687ed653e) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 200cfd79db..6366a58f4a 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -400,9 +400,10 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ dce_call->event_ctx); NT_STATUS_NOT_OK_RETURN(nt_status); - user_info->client.account_name = r->in.logon.network->identity_info.account_name.string; - user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string; - user_info->workstation_name = r->in.logon.network->identity_info.workstation.string; + user_info->logon_parameters = r->in.logon.password->identity_info.parameter_control; + user_info->client.account_name = r->in.logon.password->identity_info.account_name.string; + user_info->client.domain_name = r->in.logon.password->identity_info.domain_name.string; + user_info->workstation_name = r->in.logon.password->identity_info.workstation.string; user_info->password_state = AUTH_PASSWORD_HASH; user_info->password.hash.lanman = talloc(user_info, struct samr_Password); @@ -428,6 +429,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags"); NT_STATUS_NOT_OK_RETURN(nt_status); + user_info->logon_parameters = r->in.logon.network->identity_info.parameter_control; user_info->client.account_name = r->in.logon.network->identity_info.account_name.string; user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string; user_info->workstation_name = r->in.logon.network->identity_info.workstation.string; -- cgit From 546f63df5b214a1419069887ecfd9118aae8030a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 28 Oct 2005 11:20:48 +0000 Subject: r11370: Samba4 now passes it's own RPC-SAMLOGON test again. This avoids the nasty user@DOMAIN test for now, as it has very odd semantics with NTLMv2. Allow only user accounts to do an interactive login. Andrew Bartlett (This used to be commit 690cad8083e176b2e58fc243a11a003a78ce4074) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 6366a58f4a..63c211baec 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -417,6 +417,9 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ return NT_STATUS_NO_MEMORY; } *user_info->password.hash.nt = r->in.logon.password->ntpassword; + + user_info->flags |= USER_INFO_INTERACTIVE_LOGON; + break; case 2: case 6: -- cgit From 56b4e4b62ce452515ec1b390eb578f55a195fdf9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 31 Oct 2005 02:12:13 +0000 Subject: r11402: In response to comments by volker, expand our Netlogon DsRGetDCName IDL and testsuites. The server-side of this remains a stub, we should probably be doing ldb searches for the server reference record. Andrew Bartlett (This used to be commit 0141ed309a664e7a9893c95232c2dcb9768f9315) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 87 +++++++++++++++++++-------- 1 file changed, 61 insertions(+), 26 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 63c211baec..e482a229b7 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -719,16 +719,6 @@ static WERROR netr_NETRENUMERATETRUSTEDDOMAINS(struct dcesrv_call_state *dce_cal } -/* - netr_DSRGETDCNAME -*/ -static WERROR netr_DSRGETDCNAME(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_DSRGETDCNAME *r) -{ - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); -} - - /* netr_NETRLOGONDUMMYROUTINE1 */ @@ -779,21 +769,12 @@ static WERROR netr_NETRLOGONCOMPUTECLIENTDIGEST(struct dcesrv_call_state *dce_ca } -/* - netr_DSRGETDCNAMEX -*/ -static WERROR netr_DSRGETDCNAMEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_DSRGETDCNAMEX *r) -{ - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); -} - /* - netr_DSRGETSITENAME + netr_DsRGetSiteName */ -static WERROR netr_DSRGETSITENAME(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_DSRGETSITENAME *r) +static WERROR netr_DsRGetSiteName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DsRGetSiteName *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } @@ -1016,10 +997,10 @@ static WERROR netr_DSRADDRESSTOSITENAMESW(struct dcesrv_call_state *dce_call, TA /* - netr_DrsGetDCNameEx2 + netr_DsRGetDCNameEx2 */ -static WERROR netr_DrsGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_DrsGetDCNameEx2 *r) +static WERROR netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DsRGetDCNameEx2 *r) { const char * const attrs[] = { "dnsDomain", "objectGUID", NULL }; void *sam_ctx; @@ -1040,7 +1021,7 @@ static WERROR netr_DrsGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CT return WERR_NO_SUCH_DOMAIN; } - r->out.info = talloc(mem_ctx, struct netr_DrsGetDCNameEx2Info); + r->out.info = talloc(mem_ctx, struct netr_DsRGetDCNameInfo); if (!r->out.info) { return WERR_NOMEM; } @@ -1061,6 +1042,60 @@ static WERROR netr_DrsGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CT return WERR_OK; } +/* + netr_DsRGetDCNameEx +*/ +static WERROR netr_DsRGetDCNameEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DsRGetDCNameEx *r) +{ + struct netr_DsRGetDCNameEx2 r2; + WERROR werr; + + ZERO_STRUCT(r2); + + r2.in.server_unc = r->in.server_unc; + r2.in.client_account = NULL; + r2.in.mask = 0; + r2.in.domain_guid = r->in.domain_guid; + r2.in.domain_name = r->in.domain_name; + r2.in.site_name = r->in.site_name; + r2.in.flags = r->in.flags; + r2.out.info = NULL; + + werr = netr_DsRGetDCNameEx2(dce_call, mem_ctx, &r2); + + r->out.info = r2.out.info; + + return werr; +} + +/* + netr_DsRGetDCName +*/ +static WERROR netr_DsRGetDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DsRGetDCName *r) +{ + struct netr_DsRGetDCNameEx2 r2; + WERROR werr; + + ZERO_STRUCT(r2); + + r2.in.server_unc = r->in.server_unc; + r2.in.client_account = NULL; + r2.in.mask = 0; + r2.in.domain_name = r->in.domain_name; + r2.in.domain_guid = r->in.domain_guid; + + r2.in.site_name = NULL; /* should fill in from site GUID */ + r2.in.flags = r->in.flags; + r2.out.info = NULL; + + werr = netr_DsRGetDCNameEx2(dce_call, mem_ctx, &r2); + + r->out.info = r2.out.info; + + return werr; +} /* netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN -- cgit From 2cd5ca7d25f12aa9198bf8c2deb6aea282f573ee Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 28 Dec 2005 15:38:36 +0000 Subject: r12542: Move some more prototypes out to seperate headers (This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index e482a229b7..335cd3d9e7 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -28,6 +28,7 @@ #include "librpc/gen_ndr/ndr_dcom.h" #include "lib/ldb/include/ldb.h" #include "auth/auth.h" +#include "dsdb/samdb/samdb.h" struct server_pipe_state { struct netr_Credential client_challenge; -- cgit From c82c9fe7bb47aa95d112159e46e79f52afe6f58d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 30 Dec 2005 08:40:16 +0000 Subject: r12599: This new LDB module (and associated changes) allows Samba4 to operate using pre-calculated passwords for all kerberos key types. (Previously we could only use these for the NT# type). The module handles all of the hash/string2key tasks for all parts of Samba, which was previously in the rpc_server/samr/samr_password.c code. We also update the msDS-KeyVersionNumber, and the password history. This new module can be called at provision time, which ensures we start with a database that is consistent in this respect. By ensuring that the krb5key attribute is the only one we need to retrieve, this also simplifies the run-time KDC logic. (Each value of the multi-valued attribute is encoded as a 'Key' in ASN.1, using the definition from Heimdal's HDB. This simplfies the KDC code.). It is hoped that this will speed up the KDC enough that it can again operate under valgrind. (This used to be commit e9022743210b59f19f370d772e532e0f08bfebd9) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 335cd3d9e7..cc5937060a 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -136,7 +136,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL int num_records; struct ldb_message **msgs; NTSTATUS nt_status; - const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash", "userAccountControl", + const char *attrs[] = {"ntPwdHash", "userAccountControl", "objectSid", NULL}; ZERO_STRUCTP(r->out.credentials); @@ -197,11 +197,11 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL return NT_STATUS_ACCESS_DENIED; } + *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0], + "objectSid", 0); - *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0], "objectSid", 0); - - nt_status = samdb_result_passwords(mem_ctx, msgs[0], NULL, &mach_pwd); - if (!NT_STATUS_IS_OK(nt_status) || mach_pwd == NULL) { + mach_pwd = samdb_result_hash(mem_ctx, msgs[0], "ntPwdHash"); + if (mach_pwd == NULL) { return NT_STATUS_ACCESS_DENIED; } -- cgit From d4de4c2d210d2e8c9b5aedf70695594809ad6a0b Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 30 Dec 2005 13:16:54 +0000 Subject: r12608: Remove some unused #include lines. (This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index cc5937060a..f3ef74641d 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -22,10 +22,8 @@ */ #include "includes.h" -#include "librpc/gen_ndr/ndr_netlogon.h" #include "rpc_server/dcerpc_server.h" #include "rpc_server/common/common.h" -#include "librpc/gen_ndr/ndr_dcom.h" #include "lib/ldb/include/ldb.h" #include "auth/auth.h" #include "dsdb/samdb/samdb.h" -- cgit From 5cecce1761c06b0641190cf7bb8e93bff9a88cf4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 9 Feb 2006 02:30:43 +0000 Subject: r13402: Make Samba4 pass a nastier RPC-SCHANNEL test. The new RPC-SCHANNEL test shows that the full credentials state must be kept in some shared memory, for some length of time. In particular, clients will reconnect with SCHANNEL (after loosing all connections) and expect that the credentials chain will remain in the same place. To achive this, we do the server-side crypto in a transaction, including the fetch/store of the shared state. Andrew Bartlett (This used to be commit 982a6aa871c9fce17410a9712cd9fa726025ff90) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 221 ++++++++++++++++---------- 1 file changed, 139 insertions(+), 82 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index f3ef74641d..03d325020f 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -128,6 +128,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL struct netr_ServerAuthenticate3 *r) { struct server_pipe_state *pipe_state = dce_call->context->private; + struct creds_CredentialState *creds; void *sam_ctx; struct samr_Password *mach_pwd; uint16_t acct_flags; @@ -203,37 +204,39 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL return NT_STATUS_ACCESS_DENIED; } - if (pipe_state->creds) { - talloc_free(pipe_state->creds); - } - pipe_state->creds = talloc(pipe_state, struct creds_CredentialState); - if (!pipe_state->creds) { + creds = talloc(mem_ctx, struct creds_CredentialState); + if (!creds) { return NT_STATUS_NO_MEMORY; } - creds_server_init(pipe_state->creds, &pipe_state->client_challenge, + creds_server_init(creds, &pipe_state->client_challenge, &pipe_state->server_challenge, mach_pwd, r->out.credentials, *r->in.negotiate_flags); - if (!creds_server_check(pipe_state->creds, r->in.credentials)) { - talloc_free(pipe_state->creds); - pipe_state->creds = NULL; + if (!creds_server_check(creds, r->in.credentials)) { + talloc_free(creds); return NT_STATUS_ACCESS_DENIED; } - pipe_state->creds->account_name = talloc_steal(pipe_state->creds, r->in.account_name); + creds->account_name = talloc_steal(creds, r->in.account_name); - pipe_state->creds->computer_name = talloc_steal(pipe_state->creds, r->in.computer_name); + creds->computer_name = talloc_steal(creds, r->in.computer_name); + creds->domain = talloc_strdup(creds, lp_workgroup()); - pipe_state->creds->secure_channel_type = r->in.secure_channel_type; + creds->secure_channel_type = r->in.secure_channel_type; - pipe_state->creds->sid = samdb_result_dom_sid(pipe_state->creds, msgs[0], "objectSid"); + creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid"); - pipe_state->creds->domain = talloc_strdup(pipe_state->creds, lp_workgroup()); /* remember this session key state */ - nt_status = schannel_store_session_key(mem_ctx, pipe_state->creds); + nt_status = schannel_store_session_key(mem_ctx, creds); + + if (pipe_state->creds) { + talloc_free(pipe_state->creds); + } + talloc_steal(pipe_state, creds); + pipe_state->creds = creds; return nt_status; } @@ -285,29 +288,76 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_state, + TALLOC_CTX *mem_ctx, struct netr_Authenticator *received_authenticator, - struct netr_Authenticator *return_authenticator) + struct netr_Authenticator *return_authenticator, + struct creds_CredentialState **creds_out) { + struct creds_CredentialState *creds; + NTSTATUS nt_status; + struct ldb_context *ldb; + int ret; + if (!pipe_state) { DEBUG(1, ("No challenge requested by client, cannot authenticate\n")); return NT_STATUS_ACCESS_DENIED; } - return creds_server_step_check(pipe_state->creds, - received_authenticator, - return_authenticator); + ldb = schannel_db_connect(mem_ctx); + if (!ldb) { + return NT_STATUS_ACCESS_DENIED; + } + + ret = ldb_transaction_start(ldb); + if (ret != 0) { + talloc_free(ldb); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + /* Because this is a shared structure (even across + * disconnects) we must update the database every time we + * update the structure */ + + nt_status = schannel_fetch_session_key_ldb(ldb, ldb, pipe_state->creds->computer_name, + pipe_state->creds->domain, &creds); + if (NT_STATUS_IS_OK(nt_status)) { + nt_status = creds_server_step_check(creds, + received_authenticator, + return_authenticator); + } + if (NT_STATUS_IS_OK(nt_status)) { + nt_status = schannel_store_session_key_ldb(ldb, ldb, creds); + } + + if (NT_STATUS_IS_OK(nt_status)) { + ldb_transaction_commit(ldb); + if (creds_out) { + *creds_out = creds; + talloc_steal(mem_ctx, creds); + } + } else { + ldb_transaction_cancel(ldb); + } + talloc_free(ldb); + return nt_status; } +/* + Change the machine account password for the currently connected + client. Supplies only the NT#. +*/ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerPasswordSet *r) { struct server_pipe_state *pipe_state = dce_call->context->private; - + struct creds_CredentialState *creds; struct ldb_context *sam_ctx; NTSTATUS nt_status; - nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator); + nt_status = netr_creds_server_step_check(pipe_state, mem_ctx, + &r->in.credential, &r->out.return_authenticator, + &creds); NT_STATUS_NOT_OK_RETURN(nt_status); sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx)); @@ -315,11 +365,11 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO return NT_STATUS_INVALID_SYSTEM_SERVICE; } - creds_des_decrypt(pipe_state->creds, &r->in.new_password); + creds_des_decrypt(creds, &r->in.new_password); /* Using the sid for the account as the key, set the password */ nt_status = samdb_set_password_sid(sam_ctx, mem_ctx, - pipe_state->creds->sid, + creds->sid, NULL, /* Don't have plaintext */ NULL, &r->in.new_password, False, /* This is not considered a password change */ @@ -328,6 +378,55 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO return nt_status; } +/* + Change the machine account password for the currently connected + client. Supplies new plaintext. +*/ +static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_ServerPasswordSet2 *r) +{ + struct server_pipe_state *pipe_state = dce_call->context->private; + struct creds_CredentialState *creds; + struct ldb_context *sam_ctx; + NTSTATUS nt_status; + char new_pass[512]; + uint32_t new_pass_len; + BOOL ret; + + struct samr_CryptPassword password_buf; + + nt_status = netr_creds_server_step_check(pipe_state, mem_ctx, + &r->in.credential, &r->out.return_authenticator, + &creds); + NT_STATUS_NOT_OK_RETURN(nt_status); + + sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx)); + if (sam_ctx == NULL) { + return NT_STATUS_INVALID_SYSTEM_SERVICE; + } + + memcpy(password_buf.data, r->in.new_password.data, 512); + SIVAL(password_buf.data,512,r->in.new_password.length); + creds_arcfour_crypt(creds, password_buf.data, 516); + + ret = decode_pw_buffer(password_buf.data, new_pass, sizeof(new_pass), + &new_pass_len, STR_UNICODE); + if (!ret) { + DEBUG(3,("netr_ServerPasswordSet2: failed to decode password buffer\n")); + return NT_STATUS_ACCESS_DENIED; + } + + /* Using the sid for the account as the key, set the password */ + nt_status = samdb_set_password_sid(sam_ctx, mem_ctx, + creds->sid, + new_pass, /* we have plaintext */ + NULL, NULL, + False, /* This is not considered a password change */ + False, /* don't restrict this password change (match w2k3) */ + NULL, NULL); + return nt_status; +} + /* netr_LogonUasLogon @@ -358,7 +457,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ struct netr_LogonSamLogonEx *r) { struct server_pipe_state *pipe_state = dce_call->context->private; - + struct creds_CredentialState *creds = pipe_state->creds; struct auth_context *auth_context; struct auth_usersupplied_info *user_info; struct auth_serversupplied_info *server_info; @@ -383,15 +482,15 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ case 3: case 5: if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { - creds_arcfour_crypt(pipe_state->creds, + creds_arcfour_crypt(creds, r->in.logon.password->lmpassword.hash, sizeof(r->in.logon.password->lmpassword.hash)); - creds_arcfour_crypt(pipe_state->creds, + creds_arcfour_crypt(creds, r->in.logon.password->ntpassword.hash, sizeof(r->in.logon.password->ntpassword.hash)); } else { - creds_des_decrypt(pipe_state->creds, &r->in.logon.password->lmpassword); - creds_des_decrypt(pipe_state->creds, &r->in.logon.password->ntpassword); + creds_des_decrypt(creds, &r->in.logon.password->lmpassword); + creds_des_decrypt(creds, &r->in.logon.password->ntpassword); } /* TODO: we need to deny anonymous access here */ @@ -459,8 +558,8 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ sizeof(sam->key.key)) != 0) { /* This key is sent unencrypted without the ARCFOUR flag set */ - if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { - creds_arcfour_crypt(pipe_state->creds, + if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + creds_arcfour_crypt(creds, sam->key.key, sizeof(sam->key.key)); } @@ -471,12 +570,12 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ if ((r->in.validation_level != 6) && memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) { - if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { - creds_arcfour_crypt(pipe_state->creds, + if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + creds_arcfour_crypt(creds, sam->LMSessKey.key, sizeof(sam->LMSessKey.key)); } else { - creds_des_encrypt_LMKey(pipe_state->creds, + creds_des_encrypt_LMKey(creds, &sam->LMSessKey); } } @@ -535,7 +634,9 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, return_authenticator = talloc(mem_ctx, struct netr_Authenticator); NT_STATUS_HAVE_NO_MEMORY(return_authenticator); - nt_status = netr_creds_server_step_check(pipe_state, r->in.credential, return_authenticator); + nt_status = netr_creds_server_step_check(pipe_state, mem_ctx, + r->in.credential, return_authenticator, + NULL); NT_STATUS_NOT_OK_RETURN(nt_status); ZERO_STRUCT(r2); @@ -844,8 +945,10 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL const char *local_domain; - status = netr_creds_server_step_check(pipe_state, - r->in.credential, r->out.return_authenticator); + status = netr_creds_server_step_check(pipe_state, mem_ctx, + r->in.credential, + r->out.return_authenticator, + NULL); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -918,52 +1021,6 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL } -/* - netr_ServerPasswordSet2 -*/ -static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_ServerPasswordSet2 *r) -{ - struct server_pipe_state *pipe_state = dce_call->context->private; - - struct ldb_context *sam_ctx; - NTSTATUS nt_status; - char new_pass[512]; - uint32_t new_pass_len; - BOOL ret; - - struct samr_CryptPassword password_buf; - - nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator); - NT_STATUS_NOT_OK_RETURN(nt_status); - - sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx)); - if (sam_ctx == NULL) { - return NT_STATUS_INVALID_SYSTEM_SERVICE; - } - - memcpy(password_buf.data, r->in.new_password.data, 512); - SIVAL(password_buf.data,512,r->in.new_password.length); - creds_arcfour_crypt(pipe_state->creds, password_buf.data, 516); - - ret = decode_pw_buffer(password_buf.data, new_pass, sizeof(new_pass), - &new_pass_len, STR_UNICODE); - if (!ret) { - DEBUG(3,("netr_ServerPasswordSet2: failed to decode password buffer\n")); - return NT_STATUS_ACCESS_DENIED; - } - - /* Using the sid for the account as the key, set the password */ - nt_status = samdb_set_password_sid(sam_ctx, mem_ctx, - pipe_state->creds->sid, - new_pass, /* we have plaintext */ - NULL, NULL, - False, /* This is not considered a password change */ - False, /* don't restrict this password change (match w2k3) */ - NULL, NULL); - return nt_status; -} - /* netr_NETRSERVERPASSWORDGET -- cgit From e9815c38dddbb79c0cd47c3b81eae2cec850a760 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 13 Feb 2006 00:04:28 +0000 Subject: r13480: Explain a little about how these credentials structures should be used. Andrew Bartlett (This used to be commit b90959f7968ebbfc82ac55d4775d5574b1fc6925) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 03d325020f..176246901b 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -31,7 +31,13 @@ struct server_pipe_state { struct netr_Credential client_challenge; struct netr_Credential server_challenge; - struct creds_CredentialState *creds; + + /* This is a bit (dangeroursly?) tricky: + - The session key, computer name and domain elements are + valid. + - However the credentials chaining (seed, client, server etc) + should be obtained from the database at runtime */ + struct creds_CredentialState *creds; }; @@ -286,7 +292,16 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL return netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); } +/* + Validate an incoming authenticator against the credentials for the remote machine. + + The credentials are (re)read and from the schannel database, and + written back after the caclulations are performed. + + The creds_out parameter (if not NULL) returns the credentials, if + the caller needs some of that information. +*/ static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_state, TALLOC_CTX *mem_ctx, struct netr_Authenticator *received_authenticator, -- cgit From 9d1954c25d646c46daa38c3f96f4c4029b9bb417 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 21 Feb 2006 00:07:59 +0000 Subject: r13583: Realise that the member server name appears in all calls that use the credentials. Consistantly rename these elements in the IDL to computer_name. Fix the server-side code to always lookup by this name. Add new, even nastier tests to RPC-SCHANNEL to prove this. Andrew Bartlett (This used to be commit 341a0abeb4a9f88d64ffd4681249cb1f643a7a5a) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 132 +++++++------------------- 1 file changed, 35 insertions(+), 97 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 176246901b..d506d9192d 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -31,72 +31,9 @@ struct server_pipe_state { struct netr_Credential client_challenge; struct netr_Credential server_challenge; - - /* This is a bit (dangeroursly?) tricky: - - The session key, computer name and domain elements are - valid. - - However the credentials chaining (seed, client, server etc) - should be obtained from the database at runtime */ - struct creds_CredentialState *creds; }; -/* - a client has connected to the netlogon server using schannel, so we need - to re-establish the credentials state -*/ -static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) -{ - struct server_pipe_state *state; - NTSTATUS status; - - /* We want the client and server challenge zero */ - state = talloc_zero(dce_call->conn, struct server_pipe_state); - if (state == NULL) { - return NT_STATUS_NO_MEMORY; - } - - status = dcerpc_schannel_creds(dce_call->conn->auth_state.gensec_security, - state, - &state->creds); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(3, ("getting schannel credentials failed with %s\n", nt_errstr(status))); - talloc_free(state); - return status; - } - - dce_call->context->private = state; - - return NT_STATUS_OK; -} - -/* - a hook for bind on the netlogon pipe -*/ -static NTSTATUS netlogon_bind(struct dcesrv_call_state *dce_call, const struct dcesrv_interface *di) -{ - dce_call->context->private = NULL; - - /* if this is a schannel bind then we need to reconstruct the pipe state */ - if (dce_call->conn->auth_state.auth_info && - dce_call->conn->auth_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { - NTSTATUS status; - - DEBUG(5, ("schannel bind on netlogon\n")); - - status = netlogon_schannel_setup(dce_call); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(3, ("schannel bind on netlogon failed with %s\n", nt_errstr(status))); - return status; - } - } - - return NT_STATUS_OK; -} - -#define DCESRV_INTERFACE_NETLOGON_BIND netlogon_bind - static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerReqChallenge *r) { @@ -116,8 +53,6 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_NO_MEMORY; } - pipe_state->creds = NULL; - pipe_state->client_challenge = *r->in.credentials; generate_random_buffer(pipe_state->server_challenge.data, @@ -238,12 +173,6 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL /* remember this session key state */ nt_status = schannel_store_session_key(mem_ctx, creds); - if (pipe_state->creds) { - talloc_free(pipe_state->creds); - } - talloc_steal(pipe_state, creds); - pipe_state->creds = creds; - return nt_status; } @@ -302,7 +231,7 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL the caller needs some of that information. */ -static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_state, +static NTSTATUS netr_creds_server_step_check(const char *computer_name, TALLOC_CTX *mem_ctx, struct netr_Authenticator *received_authenticator, struct netr_Authenticator *return_authenticator, @@ -313,11 +242,6 @@ static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_stat struct ldb_context *ldb; int ret; - if (!pipe_state) { - DEBUG(1, ("No challenge requested by client, cannot authenticate\n")); - return NT_STATUS_ACCESS_DENIED; - } - ldb = schannel_db_connect(mem_ctx); if (!ldb) { return NT_STATUS_ACCESS_DENIED; @@ -333,8 +257,8 @@ static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_stat * disconnects) we must update the database every time we * update the structure */ - nt_status = schannel_fetch_session_key_ldb(ldb, ldb, pipe_state->creds->computer_name, - pipe_state->creds->domain, &creds); + nt_status = schannel_fetch_session_key_ldb(ldb, ldb, computer_name, lp_workgroup(), + &creds); if (NT_STATUS_IS_OK(nt_status)) { nt_status = creds_server_step_check(creds, received_authenticator, @@ -365,12 +289,11 @@ static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_stat static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerPasswordSet *r) { - struct server_pipe_state *pipe_state = dce_call->context->private; struct creds_CredentialState *creds; struct ldb_context *sam_ctx; NTSTATUS nt_status; - nt_status = netr_creds_server_step_check(pipe_state, mem_ctx, + nt_status = netr_creds_server_step_check(r->in.computer_name, mem_ctx, &r->in.credential, &r->out.return_authenticator, &creds); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -400,7 +323,6 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerPasswordSet2 *r) { - struct server_pipe_state *pipe_state = dce_call->context->private; struct creds_CredentialState *creds; struct ldb_context *sam_ctx; NTSTATUS nt_status; @@ -410,7 +332,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL struct samr_CryptPassword password_buf; - nt_status = netr_creds_server_step_check(pipe_state, mem_ctx, + nt_status = netr_creds_server_step_check(r->in.computer_name, mem_ctx, &r->in.credential, &r->out.return_authenticator, &creds); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -464,15 +386,15 @@ static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX /* - netr_LogonSamLogonEx + netr_LogonSamLogon_base This version of the function allows other wrappers to say 'do not check the credentials' + + We can't do the traditional 'wrapping' format completly, as this function must only run under schannel */ -static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_LogonSamLogonEx *r) +static NTSTATUS netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonSamLogonEx *r, struct creds_CredentialState *creds) { - struct server_pipe_state *pipe_state = dce_call->context->private; - struct creds_CredentialState *creds = pipe_state->creds; struct auth_context *auth_context; struct auth_usersupplied_info *user_info; struct auth_serversupplied_info *server_info; @@ -496,7 +418,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ case 1: case 3: case 5: - if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { creds_arcfour_crypt(creds, r->in.logon.password->lmpassword.hash, sizeof(r->in.logon.password->lmpassword.hash)); @@ -633,6 +555,23 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ return NT_STATUS_OK; } +static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonSamLogonEx *r) +{ + NTSTATUS nt_status; + struct creds_CredentialState *creds; + nt_status = schannel_fetch_session_key(mem_ctx, r->in.computer_name, lp_workgroup(), &creds); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + if (!dce_call->conn->auth_state.auth_info + || dce_call->conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { + return NT_STATUS_INTERNAL_ERROR; + } + return netr_LogonSamLogon_base(dce_call, mem_ctx, r, creds); +} + /* netr_LogonSamLogonWithFlags @@ -640,8 +579,8 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonSamLogonWithFlags *r) { - struct server_pipe_state *pipe_state = dce_call->context->private; NTSTATUS nt_status; + struct creds_CredentialState *creds; struct netr_LogonSamLogonEx r2; struct netr_Authenticator *return_authenticator; @@ -649,21 +588,21 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, return_authenticator = talloc(mem_ctx, struct netr_Authenticator); NT_STATUS_HAVE_NO_MEMORY(return_authenticator); - nt_status = netr_creds_server_step_check(pipe_state, mem_ctx, + nt_status = netr_creds_server_step_check(r->in.computer_name, mem_ctx, r->in.credential, return_authenticator, - NULL); + &creds); NT_STATUS_NOT_OK_RETURN(nt_status); ZERO_STRUCT(r2); r2.in.server_name = r->in.server_name; - r2.in.workstation = r->in.workstation; + r2.in.computer_name = r->in.computer_name; r2.in.logon_level = r->in.logon_level; r2.in.logon = r->in.logon; r2.in.validation_level = r->in.validation_level; r2.in.flags = r->in.flags; - nt_status = netr_LogonSamLogonEx(dce_call, mem_ctx, &r2); + nt_status = netr_LogonSamLogon_base(dce_call, mem_ctx, &r2, creds); r->out.return_authenticator = return_authenticator; r->out.validation = r2.out.validation; @@ -685,7 +624,7 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT ZERO_STRUCT(r2); r2.in.server_name = r->in.server_name; - r2.in.workstation = r->in.workstation; + r2.in.computer_name = r->in.computer_name; r2.in.credential = r->in.credential; r2.in.return_authenticator = r->in.return_authenticator; r2.in.logon_level = r->in.logon_level; @@ -947,7 +886,6 @@ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message * static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonGetDomainInfo *r) { - struct server_pipe_state *pipe_state = dce_call->context->private; const char * const attrs[] = { "dnsDomain", "objectSid", "objectGUID", "flatName", "securityIdentifier", NULL }; @@ -960,7 +898,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL const char *local_domain; - status = netr_creds_server_step_check(pipe_state, mem_ctx, + status = netr_creds_server_step_check(r->in.computer_name, mem_ctx, r->in.credential, r->out.return_authenticator, NULL); -- cgit From ba564a901e519b0f2cf2b7651bd260f618506b5c Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 6 Mar 2006 23:28:18 +0000 Subject: r13903: Don't generate prototypes for modules and binaries in include/proto.h by default. (This used to be commit c80a8f1102caf744b66c13bebde38fba74983dc4) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index d506d9192d..1b13548c6b 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -27,6 +27,7 @@ #include "lib/ldb/include/ldb.h" #include "auth/auth.h" #include "dsdb/samdb/samdb.h" +#include "rpc_server/samr/proto.h" struct server_pipe_state { struct netr_Credential client_challenge; -- cgit From 4ac2be99588b48b0652a524bf12fb1aa9c3f5fbb Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 7 Mar 2006 11:07:23 +0000 Subject: r13924: Split more prototypes out of include/proto.h + initial work on header file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 1b13548c6b..7696888249 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -28,6 +28,8 @@ #include "auth/auth.h" #include "dsdb/samdb/samdb.h" #include "rpc_server/samr/proto.h" +#include "db_wrap.h" +#include "libcli/auth/proto.h" struct server_pipe_state { struct netr_Credential client_challenge; -- cgit From 17ae598141b44142ad52a66cc4767029e3a73d6c Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 7 Mar 2006 13:36:26 +0000 Subject: r13938: Around round of splitups (This used to be commit 2d655f05285a86bb1bbb882e4dd843def15c9dfa) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 7696888249..f434086425 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -30,6 +30,7 @@ #include "rpc_server/samr/proto.h" #include "db_wrap.h" #include "libcli/auth/proto.h" +#include "auth/gensec/schannel_state.h" struct server_pipe_state { struct netr_Credential client_challenge; -- cgit From e3f2414cf9e582a4e4deecc662b64a7bb2679a34 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 14 Mar 2006 15:03:25 +0000 Subject: r14380: Reduce the size of structs.h (This used to be commit 1a16a6f1dfa66499af43a6b88b3ea69a6a75f1fe) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index f434086425..9f1b84f77e 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -29,7 +29,7 @@ #include "dsdb/samdb/samdb.h" #include "rpc_server/samr/proto.h" #include "db_wrap.h" -#include "libcli/auth/proto.h" +#include "libcli/auth/libcli_auth.h" #include "auth/gensec/schannel_state.h" struct server_pipe_state { -- cgit From 620d759f49f4b648d0fa4a84e67f1cecbbdd0f06 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 27 Apr 2006 19:50:13 +0000 Subject: r15298: Fix the build using a few hacks in the build system. Recursive dependencies are now forbidden (the build system will bail out if there are any). I've split up auth_sam.c into auth_sam.c and sam.c. Andrew, please rename sam.c / move its contents to whatever/wherever you think suits best. (This used to be commit 6646384aaf3e7fa2aa798c3e564b94b0617ec4d0) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 9f1b84f77e..dc9537e66c 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -25,6 +25,7 @@ #include "rpc_server/dcerpc_server.h" #include "rpc_server/common/common.h" #include "lib/ldb/include/ldb.h" +#include "auth/auth_sam.h" #include "auth/auth.h" #include "dsdb/samdb/samdb.h" #include "rpc_server/samr/proto.h" -- cgit From e002300f238dd0937dd9f768e366c006945e8baa Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 29 Apr 2006 17:34:49 +0000 Subject: r15328: Move some functions around, remove dependencies. Remove some autogenerated headers (which had prototypes now autogenerated by pidl) Remove ndr_security.h from a few places - it's no longer necessary (This used to be commit c19c2b51d3e1ad347120b06a22bda5ec586c22e8) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index dc9537e66c..547c538003 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -25,13 +25,14 @@ #include "rpc_server/dcerpc_server.h" #include "rpc_server/common/common.h" #include "lib/ldb/include/ldb.h" -#include "auth/auth_sam.h" #include "auth/auth.h" +#include "auth/auth_sam.h" #include "dsdb/samdb/samdb.h" #include "rpc_server/samr/proto.h" #include "db_wrap.h" #include "libcli/auth/libcli_auth.h" #include "auth/gensec/schannel_state.h" +#include "libcli/security/security.h" struct server_pipe_state { struct netr_Credential client_challenge; -- cgit From 47e7f457513a1b85940154d713481d612e39cb66 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 23 May 2006 05:26:22 +0000 Subject: r15831: fixed a memory leak in the netlogon server (This used to be commit c4425f8988186a18703b6a723b766bf13d59b727) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 547c538003..4075ce82ce 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -479,8 +479,8 @@ static NTSTATUS netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALL user_info->workstation_name = r->in.logon.network->identity_info.workstation.string; user_info->password_state = AUTH_PASSWORD_RESPONSE; - user_info->password.response.lanman = data_blob(r->in.logon.network->lm.data, r->in.logon.network->lm.length); - user_info->password.response.nt = data_blob(r->in.logon.network->nt.data, r->in.logon.network->nt.length); + user_info->password.response.lanman = data_blob_talloc(mem_ctx, r->in.logon.network->lm.data, r->in.logon.network->lm.length); + user_info->password.response.nt = data_blob_talloc(mem_ctx, r->in.logon.network->nt.data, r->in.logon.network->nt.length); break; default: -- cgit From 7c3af0d06a254c6b0e4d8f57ebc26e2923fd8beb Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 14 Jun 2006 23:47:45 +0000 Subject: r16236: Add a proper baseDN to a large number of queries. Searching the NULL baseDN won't work once the partitions module is loaded. Andrew Bartlett (This used to be commit c4ab9e8a754ca4a23a47f38a2344df305b4a351d) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 4075ce82ce..e3814f4c0d 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -99,7 +99,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL return NT_STATUS_INVALID_SYSTEM_SERVICE; } /* pull the user attributes */ - num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, + num_records = gendb_search(sam_ctx, mem_ctx, samdb_base_dn(mem_ctx), &msgs, attrs, "(&(sAMAccountName=%s)(objectclass=user))", r->in.account_name); @@ -901,6 +901,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL struct netr_DomainInfo1 *info1; int ret, ret1, ret2, i; NTSTATUS status; + const struct ldb_dn *partitions_basedn = ldb_dn_string_compose(mem_ctx, samdb_base_dn(mem_ctx), "CN=Partitions,CN=Configuration"); const char *local_domain; @@ -922,13 +923,13 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL primary domain is also a "trusted" domain, so we need to put the primary domain into the lists of returned trusts as well */ - ret1 = gendb_search(sam_ctx, mem_ctx, NULL, &res1, attrs, "(objectClass=domainDNS)"); + ret1 = gendb_search(sam_ctx, mem_ctx, samdb_base_dn(mem_ctx), &res1, attrs, "(objectClass=domainDNS)"); if (ret1 != 1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } /* try and find the domain */ - ret = gendb_search(sam_ctx, mem_ctx, NULL, + ret = gendb_search(sam_ctx, mem_ctx, partitions_basedn, &ref_res, ref_attrs, "(&(objectClass=crossRef)(ncName=%s))", ldb_dn_linearize(mem_ctx, res1[0]->dn)); @@ -938,7 +939,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL local_domain = samdb_result_string(ref_res[0], "nETBIOSName", NULL); - ret2 = gendb_search(sam_ctx, mem_ctx, NULL, &res2, attrs, "(objectClass=trustedDomain)"); + ret2 = gendb_search(sam_ctx, mem_ctx, samdb_base_dn(mem_ctx), &res2, attrs, "(objectClass=trustedDomain)"); if (ret2 == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -1164,6 +1165,7 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, struct ldb_message **dom_res, **ref_res; const char * const dom_attrs[] = { "dnsDomain", "objectSid", "objectGUID", NULL }; const char * const ref_attrs[] = { "nETBIOSName", NULL }; + const struct ldb_dn *partitions_basedn = ldb_dn_string_compose(mem_ctx, samdb_base_dn(mem_ctx), "CN=Partitions,CN=Configuration"); ZERO_STRUCT(r->out); @@ -1181,7 +1183,7 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, return WERR_GENERAL_FAILURE; } - ret = gendb_search(sam_ctx, mem_ctx, NULL, &ref_res, ref_attrs, + ret = gendb_search(sam_ctx, mem_ctx, partitions_basedn, &ref_res, ref_attrs, "(&(objectClass=crossRef)(ncName=%s))", ldb_dn_linearize(mem_ctx, dom_res[0]->dn)); if (ret == -1) { -- cgit From af8f55367c613c1a6b36f8904ef79003b4b53d5e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 27 Jul 2006 09:37:55 +0000 Subject: r17265: some reformatting metze (This used to be commit e4c28001d336f69534437d3eaae1ec8b52455cd9) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 84 +++++++++------------------ 1 file changed, 27 insertions(+), 57 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index e3814f4c0d..93ae7a18ed 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -55,9 +55,7 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL } pipe_state = talloc(dce_call->context, struct server_pipe_state); - if (!pipe_state) { - return NT_STATUS_NO_MEMORY; - } + NT_STATUS_HAVE_NO_MEMORY(pipe_state); pipe_state->client_challenge = *r->in.credentials; @@ -152,9 +150,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL } creds = talloc(mem_ctx, struct creds_CredentialState); - if (!creds) { - return NT_STATUS_NO_MEMORY; - } + NT_STATUS_HAVE_NO_MEMORY(creds); creds_server_init(creds, &pipe_state->client_challenge, &pipe_state->server_challenge, mach_pwd, @@ -412,9 +408,7 @@ static NTSTATUS netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALL struct netr_SamInfo6 *sam6; user_info = talloc(mem_ctx, struct auth_usersupplied_info); - if (!user_info) { - return NT_STATUS_NO_MEMORY; - } + NT_STATUS_HAVE_NO_MEMORY(user_info); user_info->flags = 0; user_info->mapped_state = False; @@ -446,22 +440,18 @@ static NTSTATUS netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALL user_info->client.domain_name = r->in.logon.password->identity_info.domain_name.string; user_info->workstation_name = r->in.logon.password->identity_info.workstation.string; + user_info->flags |= USER_INFO_INTERACTIVE_LOGON; user_info->password_state = AUTH_PASSWORD_HASH; + user_info->password.hash.lanman = talloc(user_info, struct samr_Password); - if (!user_info->password.hash.lanman) { - return NT_STATUS_NO_MEMORY; - } + NT_STATUS_HAVE_NO_MEMORY(user_info->password.hash.lanman); *user_info->password.hash.lanman = r->in.logon.password->lmpassword; user_info->password.hash.nt = talloc(user_info, struct samr_Password); - if (!user_info->password.hash.nt) { - return NT_STATUS_NO_MEMORY; - } + NT_STATUS_HAVE_NO_MEMORY(user_info->password.hash.nt); *user_info->password.hash.nt = r->in.logon.password->ntpassword; - user_info->flags |= USER_INFO_INTERACTIVE_LOGON; - - break; + break; case 2: case 6: @@ -491,15 +481,12 @@ static NTSTATUS netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALL NT_STATUS_NOT_OK_RETURN(nt_status); nt_status = auth_convert_server_info_sambaseinfo(mem_ctx, server_info, &sam); - NT_STATUS_NOT_OK_RETURN(nt_status); /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ /* It appears that level 6 is not individually encrypted */ - if ((r->in.validation_level != 6) - && memcmp(sam->key.key, zeros, - sizeof(sam->key.key)) != 0) { - + if ((r->in.validation_level != 6) && + memcmp(sam->key.key, zeros, sizeof(sam->key.key)) != 0) { /* This key is sent unencrypted without the ARCFOUR flag set */ if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { creds_arcfour_crypt(creds, @@ -510,9 +497,8 @@ static NTSTATUS netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALL /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */ /* It appears that level 6 is not individually encrypted */ - if ((r->in.validation_level != 6) - && memcmp(sam->LMSessKey.key, zeros, - sizeof(sam->LMSessKey.key)) != 0) { + if ((r->in.validation_level != 6) && + memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) { if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { creds_arcfour_crypt(creds, sam->LMSessKey.key, @@ -571,8 +557,8 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ return nt_status; } - if (!dce_call->conn->auth_state.auth_info - || dce_call->conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { + if (!dce_call->conn->auth_state.auth_info || + dce_call->conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { return NT_STATUS_INTERNAL_ERROR; } return netr_LogonSamLogon_base(dce_call, mem_ctx, r, creds); @@ -909,9 +895,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL r->in.credential, r->out.return_authenticator, NULL); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + NT_STATUS_NOT_OK_RETURN(status); sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info); if (sam_ctx == NULL) { @@ -945,35 +929,25 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL } info1 = talloc(mem_ctx, struct netr_DomainInfo1); - if (info1 == NULL) { - return NT_STATUS_NO_MEMORY; - } + NT_STATUS_HAVE_NO_MEMORY(info1); ZERO_STRUCTP(info1); info1->num_trusts = ret2 + 1; info1->trusts = talloc_array(mem_ctx, struct netr_DomainTrustInfo, info1->num_trusts); - if (info1->trusts == NULL) { - return NT_STATUS_NO_MEMORY; - } + NT_STATUS_HAVE_NO_MEMORY(info1->trusts); status = fill_domain_primary_info(mem_ctx, res1[0], &info1->domaininfo, local_domain); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + NT_STATUS_NOT_OK_RETURN(status); for (i=0;itrusts[i], NULL, False); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + NT_STATUS_NOT_OK_RETURN(status); } status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[i], local_domain, True); - if (!NT_STATUS_IS_OK(status)) { - return status; - } + NT_STATUS_NOT_OK_RETURN(status); r->out.info.info1 = info1; @@ -1038,22 +1012,24 @@ static WERROR netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CT } r->out.info = talloc(mem_ctx, struct netr_DsRGetDCNameInfo); - if (!r->out.info) { - return WERR_NOMEM; - } + W_ERROR_HAVE_NO_MEMORY(r->out.info); /* TODO: - return real IP address * - check all r->in.* parameters (server_unc is ignored by w2k3!) */ r->out.info->dc_unc = talloc_asprintf(mem_ctx, "\\\\%s.%s", lp_netbios_name(),lp_realm()); - r->out.info->dc_address = talloc_strdup(mem_ctx, "\\\\0.0.0.0"); + W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_unc); + r->out.info->dc_address = talloc_strdup(mem_ctx, "\\\\0.0.0.0"); + W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_address); r->out.info->dc_address_type = 1; r->out.info->domain_guid = samdb_result_guid(res[0], "objectGUID"); r->out.info->domain_name = samdb_result_string(res[0], "dnsDomain", NULL); r->out.info->forest_name = samdb_result_string(res[0], "dnsDomain", NULL); r->out.info->dc_flags = 0xE00001FD; r->out.info->dc_site_name = talloc_strdup(mem_ctx, "Default-First-Site-Name"); + W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_site_name); r->out.info->client_site_name = talloc_strdup(mem_ctx, "Default-First-Site-Name"); + W_ERROR_HAVE_NO_MEMORY(r->out.info->client_site_name); return WERR_OK; } @@ -1178,7 +1154,6 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, if (ret == -1) { return WERR_GENERAL_FAILURE; } - if (ret != 1) { return WERR_GENERAL_FAILURE; } @@ -1189,17 +1164,12 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, if (ret == -1) { return WERR_GENERAL_FAILURE; } - if (ret != 1) { return WERR_GENERAL_FAILURE; } - - trusts = talloc_array(mem_ctx, struct netr_DomainTrust, ret); - if (trusts == NULL) { - return WERR_NOMEM; - } + W_ERROR_HAVE_NO_MEMORY(trusts); r->out.count = 1; r->out.trusts = trusts; -- cgit From 7a845bcb0141a895d5685afcef1ffe7f93428d0f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 31 Jul 2006 14:05:08 +0000 Subject: r17341: pass a messaging context to auth_context_create() and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 93ae7a18ed..569ec9f2b3 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -431,8 +431,9 @@ static NTSTATUS netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALL } /* TODO: we need to deny anonymous access here */ - nt_status = auth_context_create(mem_ctx, lp_auth_methods(), &auth_context, - dce_call->event_ctx); + nt_status = auth_context_create(mem_ctx, lp_auth_methods(), + dce_call->event_ctx, dce_call->msg_ctx, + &auth_context); NT_STATUS_NOT_OK_RETURN(nt_status); user_info->logon_parameters = r->in.logon.password->identity_info.parameter_control; @@ -456,8 +457,9 @@ static NTSTATUS netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALL case 6: /* TODO: we need to deny anonymous access here */ - nt_status = auth_context_create(mem_ctx, lp_auth_methods(), &auth_context, - dce_call->event_ctx); + nt_status = auth_context_create(mem_ctx, lp_auth_methods(), + dce_call->event_ctx, dce_call->msg_ctx, + &auth_context); NT_STATUS_NOT_OK_RETURN(nt_status); nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags"); -- cgit From 0fd98079425cff37c45be824ffa2695458ff12f3 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 25 Aug 2006 07:08:06 +0000 Subject: r17823: get rid of most of the samdb_base_dn() calls, as they are no longer needed in searches (This used to be commit a5ea749f0ac63bf495a55ee8d9d002208ab93572) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 569ec9f2b3..74a70e8bcf 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -97,7 +97,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL return NT_STATUS_INVALID_SYSTEM_SERVICE; } /* pull the user attributes */ - num_records = gendb_search(sam_ctx, mem_ctx, samdb_base_dn(mem_ctx), &msgs, attrs, + num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, "(&(sAMAccountName=%s)(objectclass=user))", r->in.account_name); @@ -909,7 +909,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL primary domain is also a "trusted" domain, so we need to put the primary domain into the lists of returned trusts as well */ - ret1 = gendb_search(sam_ctx, mem_ctx, samdb_base_dn(mem_ctx), &res1, attrs, "(objectClass=domainDNS)"); + ret1 = gendb_search(sam_ctx, mem_ctx, NULL, &res1, attrs, "(objectClass=domainDNS)"); if (ret1 != 1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -925,7 +925,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL local_domain = samdb_result_string(ref_res[0], "nETBIOSName", NULL); - ret2 = gendb_search(sam_ctx, mem_ctx, samdb_base_dn(mem_ctx), &res2, attrs, "(objectClass=trustedDomain)"); + ret2 = gendb_search(sam_ctx, mem_ctx, NULL, &res2, attrs, "(objectClass=trustedDomain)"); if (ret2 == -1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -1152,7 +1152,7 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, return WERR_GENERAL_FAILURE; } - ret = gendb_search_dn(sam_ctx, mem_ctx, samdb_base_dn(mem_ctx), &dom_res, dom_attrs); + ret = gendb_search_dn(sam_ctx, mem_ctx, NULL, &dom_res, dom_attrs); if (ret == -1) { return WERR_GENERAL_FAILURE; } -- cgit From b21b119cbcff175453173d7061e3be3888dc8ec3 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 25 Aug 2006 07:32:18 +0000 Subject: r17824: add a wrapper for the common partitions_basedn calculation (This used to be commit 09007b0907662a0d147e8eb21d5bdfc90dbffefc) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 74a70e8bcf..dd6bdf3f6a 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -889,7 +889,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL struct netr_DomainInfo1 *info1; int ret, ret1, ret2, i; NTSTATUS status; - const struct ldb_dn *partitions_basedn = ldb_dn_string_compose(mem_ctx, samdb_base_dn(mem_ctx), "CN=Partitions,CN=Configuration"); + const struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx); const char *local_domain; @@ -1143,7 +1143,7 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, struct ldb_message **dom_res, **ref_res; const char * const dom_attrs[] = { "dnsDomain", "objectSid", "objectGUID", NULL }; const char * const ref_attrs[] = { "nETBIOSName", NULL }; - const struct ldb_dn *partitions_basedn = ldb_dn_string_compose(mem_ctx, samdb_base_dn(mem_ctx), "CN=Partitions,CN=Configuration"); + const struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx); ZERO_STRUCT(r->out); -- cgit From e905fed4e03a50f8c17b9ff0726fccc9558ca8c4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 31 Aug 2006 08:22:13 +0000 Subject: r17956: LSA Cleanup! This commit cleans up a number of aspects of the LSA interface. Firstly, we do 2 simple searches on opening the LSA policy, to obtain the basic information we need. This also avoids us searching for dnsDomain (an invented attribute). While I was at it, I added and tested new LSA calls, including the enumTrustedDomainsEx call. I have also merged the identical structures lsa_DomainInformation and lsa_DomainList. Also in this commit: Fix netlogon use of uninitialised variables. Andrew Bartlett (This used to be commit 3f3fa7f466df56612064029143fbae8effb668aa) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index dd6bdf3f6a..29b57ec2b2 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -889,7 +889,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL struct netr_DomainInfo1 *info1; int ret, ret1, ret2, i; NTSTATUS status; - const struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx); + const struct ldb_dn *partitions_basedn; const char *local_domain; @@ -904,6 +904,8 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_INVALID_SYSTEM_SERVICE; } + partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx); + /* we need to do two searches. The first will pull our primary domain and the second will pull any trusted domains. Our primary domain is also a "trusted" domain, so we need to @@ -1143,7 +1145,7 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, struct ldb_message **dom_res, **ref_res; const char * const dom_attrs[] = { "dnsDomain", "objectSid", "objectGUID", NULL }; const char * const ref_attrs[] = { "nETBIOSName", NULL }; - const struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx); + const struct ldb_dn *partitions_basedn; ZERO_STRUCT(r->out); @@ -1152,6 +1154,8 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, return WERR_GENERAL_FAILURE; } + partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx); + ret = gendb_search_dn(sam_ctx, mem_ctx, NULL, &dom_res, dom_attrs); if (ret == -1) { return WERR_GENERAL_FAILURE; -- cgit From bb71578696ad87e2848a7d05aac5c284f760a187 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 1 Sep 2006 10:41:27 +0000 Subject: r17991: Implement a few more calls (with not implemented :-). Remove references to dnsDomain, replace with references to dnsRoot Andrew Bartlett (This used to be commit e09dd33379c79982dffadd69d7a4e9e24be7c248) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 57 ++++++++++----------------- 1 file changed, 21 insertions(+), 36 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 29b57ec2b2..bd8b289ae5 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -673,7 +673,8 @@ static NTSTATUS netr_DatabaseSync(struct dcesrv_call_state *dce_call, TALLOC_CTX static NTSTATUS netr_AccountDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_AccountDeltas *r) { - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); + /* w2k3 returns "NOT IMPLEMENTED" for this call */ + return NT_STATUS_NOT_IMPLEMENTED; } @@ -683,7 +684,8 @@ static NTSTATUS netr_AccountDeltas(struct dcesrv_call_state *dce_call, TALLOC_CT static NTSTATUS netr_AccountSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_AccountSync *r) { - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); + /* w2k3 returns "NOT IMPLEMENTED" for this call */ + return NT_STATUS_NOT_IMPLEMENTED; } @@ -831,40 +833,23 @@ static WERROR netr_DsRGetSiteName(struct dcesrv_call_state *dce_call, TALLOC_CTX /* fill in a netr_DomainTrustInfo from a ldb search result */ -static NTSTATUS fill_domain_primary_info(TALLOC_CTX *mem_ctx, struct ldb_message *res, - struct netr_DomainTrustInfo *info, - const char *local_domain) -{ - ZERO_STRUCTP(info); - - info->domainname.string = local_domain; - info->fulldomainname.string = talloc_asprintf(info, "%s.", samdb_result_string(res, "dnsDomain", NULL)); - /* TODO: we need proper forest support */ - info->forest.string = info->fulldomainname.string; - info->guid = samdb_result_guid(res, "objectGUID"); - info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid"); - - return NT_STATUS_OK; -} - -/* - fill in a netr_DomainTrustInfo from a ldb search result -*/ -static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message *res, +static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, + struct ldb_message *res, + struct ldb_message *ref_res, struct netr_DomainTrustInfo *info, - const char *local_domain, BOOL is_local) + BOOL is_local) { ZERO_STRUCTP(info); if (is_local) { - info->domainname.string = local_domain; - info->fulldomainname.string = samdb_result_string(res, "dnsDomain", NULL); + info->domainname.string = samdb_result_string(ref_res, "nETBIOSName", NULL); + info->fulldomainname.string = samdb_result_string(ref_res, "dnsRoot", NULL); info->forest.string = NULL; info->guid = samdb_result_guid(res, "objectGUID"); info->sid = samdb_result_dom_sid(mem_ctx, res, "objectSid"); } else { info->domainname.string = samdb_result_string(res, "flatName", NULL); - info->fulldomainname.string = samdb_result_string(res, "name", NULL); + info->fulldomainname.string = samdb_result_string(res, "trustPartner", NULL); info->forest.string = NULL; info->guid = samdb_result_guid(res, "objectGUID"); info->sid = samdb_result_dom_sid(mem_ctx, res, "securityIdentifier"); @@ -880,10 +865,10 @@ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message * static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonGetDomainInfo *r) { - const char * const attrs[] = { "dnsDomain", "objectSid", + const char * const attrs[] = { "objectSid", "objectGUID", "flatName", "securityIdentifier", - NULL }; - const char * const ref_attrs[] = { "nETBIOSName", NULL }; + "trustPartner", NULL }; + const char * const ref_attrs[] = { "nETBIOSName", "dnsRoot", NULL }; struct ldb_context *sam_ctx; struct ldb_message **res1, **res2, **ref_res; struct netr_DomainInfo1 *info1; @@ -911,7 +896,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL primary domain is also a "trusted" domain, so we need to put the primary domain into the lists of returned trusts as well */ - ret1 = gendb_search(sam_ctx, mem_ctx, NULL, &res1, attrs, "(objectClass=domainDNS)"); + ret1 = gendb_search_dn(sam_ctx, mem_ctx, samdb_base_dn(sam_ctx), &res1, attrs); if (ret1 != 1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -942,15 +927,15 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL info1->num_trusts); NT_STATUS_HAVE_NO_MEMORY(info1->trusts); - status = fill_domain_primary_info(mem_ctx, res1[0], &info1->domaininfo, local_domain); + status = fill_domain_trust_info(mem_ctx, res1[0], ref_res[0], &info1->domaininfo, True); NT_STATUS_NOT_OK_RETURN(status); for (i=0;itrusts[i], NULL, False); + status = fill_domain_trust_info(mem_ctx, res2[i], NULL, &info1->trusts[i], False); NT_STATUS_NOT_OK_RETURN(status); } - status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[i], local_domain, True); + status = fill_domain_trust_info(mem_ctx, res1[0], ref_res[0], &info1->trusts[i], True); NT_STATUS_NOT_OK_RETURN(status); r->out.info.info1 = info1; @@ -1143,8 +1128,8 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, void *sam_ctx; int ret; struct ldb_message **dom_res, **ref_res; - const char * const dom_attrs[] = { "dnsDomain", "objectSid", "objectGUID", NULL }; - const char * const ref_attrs[] = { "nETBIOSName", NULL }; + const char * const dom_attrs[] = { "objectSid", "objectGUID", NULL }; + const char * const ref_attrs[] = { "nETBIOSName", "dnsRoot", NULL }; const struct ldb_dn *partitions_basedn; ZERO_STRUCT(r->out); @@ -1183,7 +1168,7 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, /* TODO: add filtering by trust_flags, and correct trust_type and attributes */ trusts[0].netbios_name = samdb_result_string(ref_res[0], "nETBIOSName", NULL); - trusts[0].dns_name = samdb_result_string(dom_res[0], "dnsDomain", NULL); + trusts[0].dns_name = samdb_result_string(ref_res[0], "dnsRoot", NULL); trusts[0].trust_flags = NETR_TRUST_FLAG_TREEROOT | NETR_TRUST_FLAG_IN_FOREST | -- cgit From 4889eb9f7aae9349e426d0f6d2217adff67eaebd Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 22 Nov 2006 00:59:34 +0000 Subject: r19831: Big ldb_dn optimization and interfaces enhancement patch This patch changes a lot of the code in ldb_dn.c, and also removes and add a number of manipulation functions around. The aim is to avoid validating a dn if not necessary as the validation code is necessarily slow. This is mainly to speed up internal operations where input is not user generated and so we can assume the DNs need no validation. The code is designed to keep the data as a string if possible. The code is not yet 100% perfect, but pass all the tests so far. A memleak is certainly present, I'll work on that next. Simo. (This used to be commit a580c871d3784602a9cce32d33419e63c8236e63) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index bd8b289ae5..9b43d1c70f 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -874,7 +874,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL struct netr_DomainInfo1 *info1; int ret, ret1, ret2, i; NTSTATUS status; - const struct ldb_dn *partitions_basedn; + struct ldb_dn *partitions_basedn; const char *local_domain; @@ -1130,7 +1130,7 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, struct ldb_message **dom_res, **ref_res; const char * const dom_attrs[] = { "objectSid", "objectGUID", NULL }; const char * const ref_attrs[] = { "nETBIOSName", "dnsRoot", NULL }; - const struct ldb_dn *partitions_basedn; + struct ldb_dn *partitions_basedn; ZERO_STRUCT(r->out); -- cgit From a9e31b33b55a873c2f01db5e348560176adf863d Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 22 Nov 2006 02:05:19 +0000 Subject: r19832: better prototypes for the linearization functions: - ldb_dn_get_linearized returns a const string - ldb_dn_alloc_linearized allocs astring with the linearized dn (This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 9b43d1c70f..f05551bf42 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -905,7 +905,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL ret = gendb_search(sam_ctx, mem_ctx, partitions_basedn, &ref_res, ref_attrs, "(&(objectClass=crossRef)(ncName=%s))", - ldb_dn_linearize(mem_ctx, res1[0]->dn)); + ldb_dn_get_linearized(res1[0]->dn)); if (ret != 1) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } @@ -1151,7 +1151,7 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, ret = gendb_search(sam_ctx, mem_ctx, partitions_basedn, &ref_res, ref_attrs, "(&(objectClass=crossRef)(ncName=%s))", - ldb_dn_linearize(mem_ctx, dom_res[0]->dn)); + ldb_dn_get_linearized(dom_res[0]->dn)); if (ret == -1) { return WERR_GENERAL_FAILURE; } -- cgit From 64e88a8ccf2faa34ee9d182f4e89fa6e44c609a6 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 17 Jan 2007 14:49:36 +0000 Subject: r20850: Prefix all server calls with dcesrv_ (This used to be commit 76c78b0339cd88c61a13745f7f4e037f400db21b) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 120 +++++++++++++------------- 1 file changed, 60 insertions(+), 60 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index f05551bf42..b1d129e782 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -40,7 +40,7 @@ struct server_pipe_state { }; -static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerReqChallenge *r) { struct server_pipe_state *pipe_state = dce_call->context->private; @@ -69,7 +69,7 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_OK; } -static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerAuthenticate3 *r) { struct server_pipe_state *pipe_state = dce_call->context->private; @@ -178,7 +178,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL return nt_status; } -static NTSTATUS netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerAuthenticate *r) { struct netr_ServerAuthenticate3 r3; @@ -201,10 +201,10 @@ static NTSTATUS netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALL r3.out.negotiate_flags = &negotiate_flags; r3.out.rid = &rid; - return netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); + return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); } -static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerAuthenticate2 *r) { struct netr_ServerAuthenticate3 r3; @@ -220,7 +220,7 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL r3.out.negotiate_flags = r->out.negotiate_flags; r3.out.rid = &rid; - return netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); + return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); } /* @@ -233,7 +233,7 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL the caller needs some of that information. */ -static NTSTATUS netr_creds_server_step_check(const char *computer_name, +static NTSTATUS dcesrv_netr_creds_server_step_check(const char *computer_name, TALLOC_CTX *mem_ctx, struct netr_Authenticator *received_authenticator, struct netr_Authenticator *return_authenticator, @@ -288,14 +288,14 @@ static NTSTATUS netr_creds_server_step_check(const char *computer_name, client. Supplies only the NT#. */ -static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerPasswordSet *r) { struct creds_CredentialState *creds; struct ldb_context *sam_ctx; NTSTATUS nt_status; - nt_status = netr_creds_server_step_check(r->in.computer_name, mem_ctx, + nt_status = dcesrv_netr_creds_server_step_check(r->in.computer_name, mem_ctx, &r->in.credential, &r->out.return_authenticator, &creds); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -322,7 +322,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO Change the machine account password for the currently connected client. Supplies new plaintext. */ -static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerPasswordSet2 *r) { struct creds_CredentialState *creds; @@ -334,7 +334,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL struct samr_CryptPassword password_buf; - nt_status = netr_creds_server_step_check(r->in.computer_name, mem_ctx, + nt_status = dcesrv_netr_creds_server_step_check(r->in.computer_name, mem_ctx, &r->in.credential, &r->out.return_authenticator, &creds); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -370,7 +370,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL /* netr_LogonUasLogon */ -static WERROR netr_LogonUasLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_LogonUasLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonUasLogon *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -380,7 +380,7 @@ static WERROR netr_LogonUasLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX /* netr_LogonUasLogoff */ -static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonUasLogoff *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -394,7 +394,7 @@ static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX We can't do the traditional 'wrapping' format completly, as this function must only run under schannel */ -static NTSTATUS netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonSamLogonEx *r, struct creds_CredentialState *creds) { struct auth_context *auth_context; @@ -549,7 +549,7 @@ static NTSTATUS netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_OK; } -static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonSamLogonEx *r) { NTSTATUS nt_status; @@ -563,14 +563,14 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ dce_call->conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { return NT_STATUS_INTERNAL_ERROR; } - return netr_LogonSamLogon_base(dce_call, mem_ctx, r, creds); + return dcesrv_netr_LogonSamLogon_base(dce_call, mem_ctx, r, creds); } /* netr_LogonSamLogonWithFlags */ -static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonSamLogonWithFlags *r) { NTSTATUS nt_status; @@ -582,7 +582,7 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, return_authenticator = talloc(mem_ctx, struct netr_Authenticator); NT_STATUS_HAVE_NO_MEMORY(return_authenticator); - nt_status = netr_creds_server_step_check(r->in.computer_name, mem_ctx, + nt_status = dcesrv_netr_creds_server_step_check(r->in.computer_name, mem_ctx, r->in.credential, return_authenticator, &creds); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -596,7 +596,7 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, r2.in.validation_level = r->in.validation_level; r2.in.flags = r->in.flags; - nt_status = netr_LogonSamLogon_base(dce_call, mem_ctx, &r2, creds); + nt_status = dcesrv_netr_LogonSamLogon_base(dce_call, mem_ctx, &r2, creds); r->out.return_authenticator = return_authenticator; r->out.validation = r2.out.validation; @@ -609,7 +609,7 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, /* netr_LogonSamLogon */ -static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonSamLogon *r) { struct netr_LogonSamLogonWithFlags r2; @@ -626,7 +626,7 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT r2.in.validation_level = r->in.validation_level; r2.in.flags = 0; - status = netr_LogonSamLogonWithFlags(dce_call, mem_ctx, &r2); + status = dcesrv_netr_LogonSamLogonWithFlags(dce_call, mem_ctx, &r2); r->out.return_authenticator = r2.out.return_authenticator; r->out.validation = r2.out.validation; @@ -639,7 +639,7 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT /* netr_LogonSamLogoff */ -static NTSTATUS netr_LogonSamLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_LogonSamLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonSamLogoff *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -650,7 +650,7 @@ static NTSTATUS netr_LogonSamLogoff(struct dcesrv_call_state *dce_call, TALLOC_C /* netr_DatabaseDeltas */ -static NTSTATUS netr_DatabaseDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_DatabaseDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DatabaseDeltas *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -660,7 +660,7 @@ static NTSTATUS netr_DatabaseDeltas(struct dcesrv_call_state *dce_call, TALLOC_C /* netr_DatabaseSync */ -static NTSTATUS netr_DatabaseSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_DatabaseSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DatabaseSync *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -670,7 +670,7 @@ static NTSTATUS netr_DatabaseSync(struct dcesrv_call_state *dce_call, TALLOC_CTX /* netr_AccountDeltas */ -static NTSTATUS netr_AccountDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_AccountDeltas(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_AccountDeltas *r) { /* w2k3 returns "NOT IMPLEMENTED" for this call */ @@ -681,7 +681,7 @@ static NTSTATUS netr_AccountDeltas(struct dcesrv_call_state *dce_call, TALLOC_CT /* netr_AccountSync */ -static NTSTATUS netr_AccountSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_AccountSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_AccountSync *r) { /* w2k3 returns "NOT IMPLEMENTED" for this call */ @@ -692,7 +692,7 @@ static NTSTATUS netr_AccountSync(struct dcesrv_call_state *dce_call, TALLOC_CTX /* netr_GetDcName */ -static NTSTATUS netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_GetDcName *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -702,7 +702,7 @@ static NTSTATUS netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_CTX *m /* netr_LogonControl */ -static WERROR netr_LogonControl(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_LogonControl(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonControl *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -712,7 +712,7 @@ static WERROR netr_LogonControl(struct dcesrv_call_state *dce_call, TALLOC_CTX * /* netr_GetAnyDCName */ -static WERROR netr_GetAnyDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_GetAnyDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_GetAnyDCName *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -722,7 +722,7 @@ static WERROR netr_GetAnyDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX * /* netr_LogonControl2 */ -static WERROR netr_LogonControl2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_LogonControl2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonControl2 *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -732,7 +732,7 @@ static WERROR netr_LogonControl2(struct dcesrv_call_state *dce_call, TALLOC_CTX /* netr_DatabaseSync2 */ -static NTSTATUS netr_DatabaseSync2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_DatabaseSync2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DatabaseSync2 *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -742,7 +742,7 @@ static NTSTATUS netr_DatabaseSync2(struct dcesrv_call_state *dce_call, TALLOC_CT /* netr_DatabaseRedo */ -static NTSTATUS netr_DatabaseRedo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_DatabaseRedo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DatabaseRedo *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -752,7 +752,7 @@ static NTSTATUS netr_DatabaseRedo(struct dcesrv_call_state *dce_call, TALLOC_CTX /* netr_LogonControl2Ex */ -static WERROR netr_LogonControl2Ex(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_LogonControl2Ex(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonControl2Ex *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -762,7 +762,7 @@ static WERROR netr_LogonControl2Ex(struct dcesrv_call_state *dce_call, TALLOC_CT /* netr_NETRENUMERATETRUSTEDDOMAINS */ -static WERROR netr_NETRENUMERATETRUSTEDDOMAINS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_NETRENUMERATETRUSTEDDOMAINS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_NETRENUMERATETRUSTEDDOMAINS *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -772,7 +772,7 @@ static WERROR netr_NETRENUMERATETRUSTEDDOMAINS(struct dcesrv_call_state *dce_cal /* netr_NETRLOGONDUMMYROUTINE1 */ -static WERROR netr_NETRLOGONDUMMYROUTINE1(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_NETRLOGONDUMMYROUTINE1(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_NETRLOGONDUMMYROUTINE1 *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -782,7 +782,7 @@ static WERROR netr_NETRLOGONDUMMYROUTINE1(struct dcesrv_call_state *dce_call, TA /* netr_NETRLOGONSETSERVICEBITS */ -static WERROR netr_NETRLOGONSETSERVICEBITS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_NETRLOGONSETSERVICEBITS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_NETRLOGONSETSERVICEBITS *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -792,7 +792,7 @@ static WERROR netr_NETRLOGONSETSERVICEBITS(struct dcesrv_call_state *dce_call, T /* netr_NETRLOGONGETTRUSTRID */ -static WERROR netr_NETRLOGONGETTRUSTRID(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_NETRLOGONGETTRUSTRID(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_NETRLOGONGETTRUSTRID *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -802,7 +802,7 @@ static WERROR netr_NETRLOGONGETTRUSTRID(struct dcesrv_call_state *dce_call, TALL /* netr_NETRLOGONCOMPUTESERVERDIGEST */ -static WERROR netr_NETRLOGONCOMPUTESERVERDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_NETRLOGONCOMPUTESERVERDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_NETRLOGONCOMPUTESERVERDIGEST *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -812,7 +812,7 @@ static WERROR netr_NETRLOGONCOMPUTESERVERDIGEST(struct dcesrv_call_state *dce_ca /* netr_NETRLOGONCOMPUTECLIENTDIGEST */ -static WERROR netr_NETRLOGONCOMPUTECLIENTDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_NETRLOGONCOMPUTECLIENTDIGEST(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_NETRLOGONCOMPUTECLIENTDIGEST *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -823,7 +823,7 @@ static WERROR netr_NETRLOGONCOMPUTECLIENTDIGEST(struct dcesrv_call_state *dce_ca /* netr_DsRGetSiteName */ -static WERROR netr_DsRGetSiteName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_DsRGetSiteName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DsRGetSiteName *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -862,7 +862,7 @@ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, netr_LogonGetDomainInfo this is called as part of the ADS domain logon procedure. */ -static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonGetDomainInfo *r) { const char * const attrs[] = { "objectSid", @@ -878,7 +878,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL const char *local_domain; - status = netr_creds_server_step_check(r->in.computer_name, mem_ctx, + status = dcesrv_netr_creds_server_step_check(r->in.computer_name, mem_ctx, r->in.credential, r->out.return_authenticator, NULL); @@ -948,7 +948,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL /* netr_NETRSERVERPASSWORDGET */ -static WERROR netr_NETRSERVERPASSWORDGET(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_NETRSERVERPASSWORDGET(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_NETRSERVERPASSWORDGET *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -958,7 +958,7 @@ static WERROR netr_NETRSERVERPASSWORDGET(struct dcesrv_call_state *dce_call, TAL /* netr_NETRLOGONSENDTOSAM */ -static WERROR netr_NETRLOGONSENDTOSAM(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_NETRLOGONSENDTOSAM(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_NETRLOGONSENDTOSAM *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -968,7 +968,7 @@ static WERROR netr_NETRLOGONSENDTOSAM(struct dcesrv_call_state *dce_call, TALLOC /* netr_DSRADDRESSTOSITENAMESW */ -static WERROR netr_DSRADDRESSTOSITENAMESW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_DSRADDRESSTOSITENAMESW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DSRADDRESSTOSITENAMESW *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -978,7 +978,7 @@ static WERROR netr_DSRADDRESSTOSITENAMESW(struct dcesrv_call_state *dce_call, TA /* netr_DsRGetDCNameEx2 */ -static WERROR netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DsRGetDCNameEx2 *r) { const char * const attrs[] = { "dnsDomain", "objectGUID", NULL }; @@ -1026,7 +1026,7 @@ static WERROR netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CT /* netr_DsRGetDCNameEx */ -static WERROR netr_DsRGetDCNameEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_DsRGetDCNameEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DsRGetDCNameEx *r) { struct netr_DsRGetDCNameEx2 r2; @@ -1043,7 +1043,7 @@ static WERROR netr_DsRGetDCNameEx(struct dcesrv_call_state *dce_call, TALLOC_CTX r2.in.flags = r->in.flags; r2.out.info = NULL; - werr = netr_DsRGetDCNameEx2(dce_call, mem_ctx, &r2); + werr = dcesrv_netr_DsRGetDCNameEx2(dce_call, mem_ctx, &r2); r->out.info = r2.out.info; @@ -1053,7 +1053,7 @@ static WERROR netr_DsRGetDCNameEx(struct dcesrv_call_state *dce_call, TALLOC_CTX /* netr_DsRGetDCName */ -static WERROR netr_DsRGetDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_DsRGetDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DsRGetDCName *r) { struct netr_DsRGetDCNameEx2 r2; @@ -1071,7 +1071,7 @@ static WERROR netr_DsRGetDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX * r2.in.flags = r->in.flags; r2.out.info = NULL; - werr = netr_DsRGetDCNameEx2(dce_call, mem_ctx, &r2); + werr = dcesrv_netr_DsRGetDCNameEx2(dce_call, mem_ctx, &r2); r->out.info = r2.out.info; @@ -1081,7 +1081,7 @@ static WERROR netr_DsRGetDCName(struct dcesrv_call_state *dce_call, TALLOC_CTX * /* netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN */ -static WERROR netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -1091,7 +1091,7 @@ static WERROR netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct dcesrv_call_state /* netr_NETRENUMERATETRUSTEDDOMAINSEX */ -static WERROR netr_NETRENUMERATETRUSTEDDOMAINSEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_NETRENUMERATETRUSTEDDOMAINSEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_NETRENUMERATETRUSTEDDOMAINSEX *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -1101,7 +1101,7 @@ static WERROR netr_NETRENUMERATETRUSTEDDOMAINSEX(struct dcesrv_call_state *dce_c /* netr_DSRADDRESSTOSITENAMESEXW */ -static WERROR netr_DSRADDRESSTOSITENAMESEXW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_DSRADDRESSTOSITENAMESEXW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DSRADDRESSTOSITENAMESEXW *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -1111,7 +1111,7 @@ static WERROR netr_DSRADDRESSTOSITENAMESEXW(struct dcesrv_call_state *dce_call, /* netr_DSRGETDCSITECOVERAGEW */ -static WERROR netr_DSRGETDCSITECOVERAGEW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_DSRGETDCSITECOVERAGEW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DSRGETDCSITECOVERAGEW *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -1121,7 +1121,7 @@ static WERROR netr_DSRGETDCSITECOVERAGEW(struct dcesrv_call_state *dce_call, TAL /* netr_DsrEnumerateDomainTrusts */ -static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DsrEnumerateDomainTrusts *r) { struct netr_DomainTrust *trusts; @@ -1186,7 +1186,7 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call, /* netr_DSRDEREGISTERDNSHOSTRECORDS */ -static WERROR netr_DSRDEREGISTERDNSHOSTRECORDS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_DSRDEREGISTERDNSHOSTRECORDS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DSRDEREGISTERDNSHOSTRECORDS *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -1196,7 +1196,7 @@ static WERROR netr_DSRDEREGISTERDNSHOSTRECORDS(struct dcesrv_call_state *dce_cal /* netr_NETRSERVERTRUSTPASSWORDSGET */ -static WERROR netr_NETRSERVERTRUSTPASSWORDSGET(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_NETRSERVERTRUSTPASSWORDSGET(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_NETRSERVERTRUSTPASSWORDSGET *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -1206,7 +1206,7 @@ static WERROR netr_NETRSERVERTRUSTPASSWORDSGET(struct dcesrv_call_state *dce_cal /* netr_DSRGETFORESTTRUSTINFORMATION */ -static WERROR netr_DSRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_DSRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DSRGETFORESTTRUSTINFORMATION *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -1216,7 +1216,7 @@ static WERROR netr_DSRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_ca /* netr_NETRGETFORESTTRUSTINFORMATION */ -static WERROR netr_NETRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_NETRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_NETRGETFORESTTRUSTINFORMATION *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); @@ -1226,7 +1226,7 @@ static WERROR netr_NETRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_c /* netr_NETRSERVERGETTRUSTINFO */ -static WERROR netr_NETRSERVERGETTRUSTINFO(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_NETRSERVERGETTRUSTINFO(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_NETRSERVERGETTRUSTINFO *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); -- cgit From 3b14713f6d583a33fc2b2bb8c2c3aab6f5928630 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 15 Feb 2007 12:54:58 +0000 Subject: r21362: rename: "ntPwdHash" => "unicodePwd" "lmPwdHash" => "dBCSPwd" "sambaLMPwdHistory" => "lmPwdHistory" "sambaNTPwdHistory" => "ntPwdHistory" Note: you need to reprovision after this change! metze (This used to be commit dc4242c09c0402cbfdba912f82892df3153456ad) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index b1d129e782..03625bfd43 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -80,7 +80,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca int num_records; struct ldb_message **msgs; NTSTATUS nt_status; - const char *attrs[] = {"ntPwdHash", "userAccountControl", + const char *attrs[] = {"unicodePwd", "userAccountControl", "objectSid", NULL}; ZERO_STRUCTP(r->out.credentials); @@ -144,7 +144,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0], "objectSid", 0); - mach_pwd = samdb_result_hash(mem_ctx, msgs[0], "ntPwdHash"); + mach_pwd = samdb_result_hash(mem_ctx, msgs[0], "unicodePwd"); if (mach_pwd == NULL) { return NT_STATUS_ACCESS_DENIED; } -- cgit From d875b7d620c1007f38fb886cb8d5342a2d261585 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 24 May 2007 23:38:46 +0000 Subject: r23129: Merge from 3_0: * netr_DsRGetDCName_flags, netr_DsRGetDCNameInfo_AddressType and netr_DsR_DcFlags * the mask in netr_DsRGetDCNameEx2 turns out to be samr_AcctFlags Guenther (This used to be commit 9cdd6d9782a7a70f01d748228beb80c454d1468b) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 03625bfd43..619f678b3f 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -1010,11 +1010,21 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TA W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_unc); r->out.info->dc_address = talloc_strdup(mem_ctx, "\\\\0.0.0.0"); W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_address); - r->out.info->dc_address_type = 1; + r->out.info->dc_address_type = DS_ADDRESS_TYPE_INET; r->out.info->domain_guid = samdb_result_guid(res[0], "objectGUID"); r->out.info->domain_name = samdb_result_string(res[0], "dnsDomain", NULL); r->out.info->forest_name = samdb_result_string(res[0], "dnsDomain", NULL); - r->out.info->dc_flags = 0xE00001FD; + r->out.info->dc_flags = DS_DNS_FOREST | + DS_DNS_DOMAIN | + DS_DNS_CONTROLLER | + DS_SERVER_WRITABLE | + DS_SERVER_CLOSEST | + DS_SERVER_TIMESERV | + DS_SERVER_KDC | + DS_SERVER_DS | + DS_SERVER_LDAP | + DS_SERVER_GC | + DS_SERVER_PDC; r->out.info->dc_site_name = talloc_strdup(mem_ctx, "Default-First-Site-Name"); W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_site_name); r->out.info->client_site_name = talloc_strdup(mem_ctx, "Default-First-Site-Name"); -- cgit From adf23c651b120d3bfe67a551d0569705831999b8 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 30 May 2007 10:24:40 +0000 Subject: r23240: Fill in netr_DsrGetDcSiteCoverageW. Guenther (This used to be commit 9c2b9642336ed954c8f9fc0ccce95547d7c18aa8) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 619f678b3f..38356f7260 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -1119,10 +1119,10 @@ static WERROR dcesrv_netr_DSRADDRESSTOSITENAMESEXW(struct dcesrv_call_state *dce /* - netr_DSRGETDCSITECOVERAGEW + netr_DsrGetDcSiteCoverageW */ -static WERROR dcesrv_netr_DSRGETDCSITECOVERAGEW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_DSRGETDCSITECOVERAGEW *r) +static WERROR dcesrv_netr_DsrGetDcSiteCoverageW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DsrGetDcSiteCoverageW *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } -- cgit From eb9ae52981d0275d3830fb533a06472aef3508db Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 8 Jun 2007 10:32:29 +0000 Subject: r23381: Merge netr_GetDcName WERROR return and WERROR_DOMAIN_CONTROLLER_NOT_FOUND from SAMBA_3_0. Guenther (This used to be commit 841ad140a34648ff52d5e44a6642f346ef9eee02) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 38356f7260..20f2959abc 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -692,7 +692,7 @@ static NTSTATUS dcesrv_netr_AccountSync(struct dcesrv_call_state *dce_call, TALL /* netr_GetDcName */ -static NTSTATUS dcesrv_netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, +static WERROR dcesrv_netr_GetDcName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_GetDcName *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); -- cgit From e4710c9dcfe54c610ea29b0bbed21ed17011274b Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 8 Jun 2007 10:49:46 +0000 Subject: r23384: Fill in NETLOGON netr_DsRGetForestTrustInformation(). Guenther (This used to be commit 82477b311e2a7a51906d0c00d8714f545b12b0bd) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 20f2959abc..4e699cdc49 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -1214,10 +1214,10 @@ static WERROR dcesrv_netr_NETRSERVERTRUSTPASSWORDSGET(struct dcesrv_call_state * /* - netr_DSRGETFORESTTRUSTINFORMATION + netr_DsRGetForestTrustInformation */ -static WERROR dcesrv_netr_DSRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_DSRGETFORESTTRUSTINFORMATION *r) +static WERROR dcesrv_netr_DsRGetForestTrustInformation(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DsRGetForestTrustInformation *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } -- cgit From 222c6dd7818c729540079cc480ee56812681854e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 3 Jul 2007 08:05:55 +0000 Subject: r23680: Make it easier to setup a domain member server - the 'server role' will now control the auth methods, but an override is still available, ex: auth methods:domain controller = Andrew Bartlett (This used to be commit b7e727186ed8eda6a68c873e089f655dc24fe8ae) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 4e699cdc49..d0cadefb84 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -431,7 +431,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal } /* TODO: we need to deny anonymous access here */ - nt_status = auth_context_create(mem_ctx, lp_auth_methods(), + nt_status = auth_context_create(mem_ctx, dce_call->event_ctx, dce_call->msg_ctx, &auth_context); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -457,7 +457,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal case 6: /* TODO: we need to deny anonymous access here */ - nt_status = auth_context_create(mem_ctx, lp_auth_methods(), + nt_status = auth_context_create(mem_ctx, dce_call->event_ctx, dce_call->msg_ctx, &auth_context); NT_STATUS_NOT_OK_RETURN(nt_status); -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index d0cadefb84..5a2fd7a07f 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -8,7 +8,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -17,8 +17,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From d7f84b51f96c2e1b48a38de823329f2e4ea86e55 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 22 Aug 2007 04:28:15 +0000 Subject: r24611: Following up on the re-opening of bug 4817 is it pretty clear that machine accounts are not subject to password policy in Win2k3 R2 (at least in terms of password quality). In testing this, I found that Win2k3 R2 has changed the way the old ChangePassword RPC call is handled - the 'cross-checks' between new LM and NT passwords are not required. Andrew Bartlett (This used to be commit 417ea885b41cc097a0bb3a10ffbffb31f234f25d) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 5a2fd7a07f..2198dc5ebc 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -312,7 +312,6 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call NULL, /* Don't have plaintext */ NULL, &r->in.new_password, False, /* This is not considered a password change */ - False, /* don't restrict this password change (match w2k3) */ NULL, NULL); return nt_status; } @@ -360,7 +359,6 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal new_pass, /* we have plaintext */ NULL, NULL, False, /* This is not considered a password change */ - False, /* don't restrict this password change (match w2k3) */ NULL, NULL); return nt_status; } -- cgit From ffeee68e4b72dd94fee57366bd8d38b8c284c3d4 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 8 Sep 2007 12:42:09 +0000 Subject: r25026: Move param/param.h out of includes.h (This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 2198dc5ebc..14a724a6f6 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -32,6 +32,7 @@ #include "libcli/auth/libcli_auth.h" #include "auth/gensec/schannel_state.h" #include "libcli/security/security.h" +#include "param/param.h" struct server_pipe_state { struct netr_Credential client_challenge; -- cgit From 37d53832a4623653f706e77985a79d84bd7c6694 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 28 Sep 2007 01:17:46 +0000 Subject: r25398: Parse loadparm context to all lp_*() functions. (This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 14a724a6f6..2d551da4d1 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -165,7 +165,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca creds->account_name = talloc_steal(creds, r->in.account_name); creds->computer_name = talloc_steal(creds, r->in.computer_name); - creds->domain = talloc_strdup(creds, lp_workgroup()); + creds->domain = talloc_strdup(creds, lp_workgroup(global_loadparm)); creds->secure_channel_type = r->in.secure_channel_type; @@ -259,7 +259,8 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(const char *computer_name, * disconnects) we must update the database every time we * update the structure */ - nt_status = schannel_fetch_session_key_ldb(ldb, ldb, computer_name, lp_workgroup(), + nt_status = schannel_fetch_session_key_ldb(ldb, ldb, computer_name, + lp_workgroup(global_loadparm), &creds); if (NT_STATUS_IS_OK(nt_status)) { nt_status = creds_server_step_check(creds, @@ -528,7 +529,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal sam6 = talloc_zero(mem_ctx, struct netr_SamInfo6); NT_STATUS_HAVE_NO_MEMORY(sam6); sam6->base = *sam; - sam6->forest.string = lp_realm(); + sam6->forest.string = lp_realm(global_loadparm); sam6->principle.string = talloc_asprintf(mem_ctx, "%s@%s", sam->account_name.string, sam6->forest.string); NT_STATUS_HAVE_NO_MEMORY(sam6->principle.string); @@ -552,7 +553,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, { NTSTATUS nt_status; struct creds_CredentialState *creds; - nt_status = schannel_fetch_session_key(mem_ctx, r->in.computer_name, lp_workgroup(), &creds); + nt_status = schannel_fetch_session_key(mem_ctx, r->in.computer_name, lp_workgroup(global_loadparm), &creds); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } @@ -1004,7 +1005,9 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TA /* TODO: - return real IP address * - check all r->in.* parameters (server_unc is ignored by w2k3!) */ - r->out.info->dc_unc = talloc_asprintf(mem_ctx, "\\\\%s.%s", lp_netbios_name(),lp_realm()); + r->out.info->dc_unc = talloc_asprintf(mem_ctx, "\\\\%s.%s", + lp_netbios_name(global_loadparm), + lp_realm(global_loadparm)); W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_unc); r->out.info->dc_address = talloc_strdup(mem_ctx, "\\\\0.0.0.0"); W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_address); -- cgit From 05e7c481465e3065effaf21b43636d6605d7c313 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 6 Oct 2007 22:25:41 +0000 Subject: r25553: Convert to standard bool type. (This used to be commit b7371f1a191fb86834c0d586d094f39f0b04544b) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 2d551da4d1..45277dc3ed 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -313,7 +313,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call creds->sid, NULL, /* Don't have plaintext */ NULL, &r->in.new_password, - False, /* This is not considered a password change */ + false, /* This is not considered a password change */ NULL, NULL); return nt_status; } @@ -330,7 +330,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal NTSTATUS nt_status; char new_pass[512]; uint32_t new_pass_len; - BOOL ret; + bool ret; struct samr_CryptPassword password_buf; @@ -360,7 +360,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal creds->sid, new_pass, /* we have plaintext */ NULL, NULL, - False, /* This is not considered a password change */ + false, /* This is not considered a password change */ NULL, NULL); return nt_status; } @@ -410,7 +410,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal NT_STATUS_HAVE_NO_MEMORY(user_info); user_info->flags = 0; - user_info->mapped_state = False; + user_info->mapped_state = false; user_info->remote_host = NULL; switch (r->in.logon_level) { @@ -836,7 +836,7 @@ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message *res, struct ldb_message *ref_res, struct netr_DomainTrustInfo *info, - BOOL is_local) + bool is_local) { ZERO_STRUCTP(info); @@ -926,15 +926,15 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal info1->num_trusts); NT_STATUS_HAVE_NO_MEMORY(info1->trusts); - status = fill_domain_trust_info(mem_ctx, res1[0], ref_res[0], &info1->domaininfo, True); + status = fill_domain_trust_info(mem_ctx, res1[0], ref_res[0], &info1->domaininfo, true); NT_STATUS_NOT_OK_RETURN(status); for (i=0;itrusts[i], False); + status = fill_domain_trust_info(mem_ctx, res2[i], NULL, &info1->trusts[i], false); NT_STATUS_NOT_OK_RETURN(status); } - status = fill_domain_trust_info(mem_ctx, res1[0], ref_res[0], &info1->trusts[i], True); + status = fill_domain_trust_info(mem_ctx, res1[0], ref_res[0], &info1->trusts[i], true); NT_STATUS_NOT_OK_RETURN(status); r->out.info.info1 = info1; -- cgit From faa5ef6ba889b014e7f4ea5d7506aef57105c599 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 7 Nov 2007 18:42:00 +0100 Subject: r25896: Rename netlogon server stubs. Guenther (This used to be commit 2f8b8c046010c54d708a8e109b78fbd6e1958f40) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 45277dc3ed..7bee070251 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -965,10 +965,10 @@ static WERROR dcesrv_netr_NETRLOGONSENDTOSAM(struct dcesrv_call_state *dce_call, /* - netr_DSRADDRESSTOSITENAMESW + netr_DsRAddressToSitenamesW */ -static WERROR dcesrv_netr_DSRADDRESSTOSITENAMESW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_DSRADDRESSTOSITENAMESW *r) +static WERROR dcesrv_netr_DsRAddressToSitenamesW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DsRAddressToSitenamesW *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } @@ -1110,10 +1110,10 @@ static WERROR dcesrv_netr_NETRENUMERATETRUSTEDDOMAINSEX(struct dcesrv_call_state /* - netr_DSRADDRESSTOSITENAMESEXW + netr_DsRAddressToSitenamesExW */ -static WERROR dcesrv_netr_DSRADDRESSTOSITENAMESEXW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_DSRADDRESSTOSITENAMESEXW *r) +static WERROR dcesrv_netr_DsRAddressToSitenamesExW(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DsRAddressToSitenamesExW *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } -- cgit From ca0b72a1fdb7bd965065e833df34662afef0423e Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 16 Nov 2007 20:12:00 +0100 Subject: r26003: Split up DB_WRAP, as first step in an attempt to sanitize dependencies. (This used to be commit 56dfcb4f2f8e74c9d8b2fe3a0df043781188a555) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 7bee070251..b8f0103901 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -28,7 +28,7 @@ #include "auth/auth_sam.h" #include "dsdb/samdb/samdb.h" #include "rpc_server/samr/proto.h" -#include "db_wrap.h" +#include "util/util_ldb.h" #include "libcli/auth/libcli_auth.h" #include "auth/gensec/schannel_state.h" #include "libcli/security/security.h" -- cgit From 181aab56d528c3a270ff9f349c8e91ecb402142b Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 2 Dec 2007 16:20:18 +0100 Subject: r26221: Add loadparm_context parameter to auth_context_create. (This used to be commit a9a9634df8f3137ecb308adb90a755f12af94972) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index b8f0103901..d441be807a 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -432,6 +432,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal /* TODO: we need to deny anonymous access here */ nt_status = auth_context_create(mem_ctx, dce_call->event_ctx, dce_call->msg_ctx, + global_loadparm, &auth_context); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -458,6 +459,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal /* TODO: we need to deny anonymous access here */ nt_status = auth_context_create(mem_ctx, dce_call->event_ctx, dce_call->msg_ctx, + global_loadparm, &auth_context); NT_STATUS_NOT_OK_RETURN(nt_status); -- cgit From f4a1083cf9f64b4d2b65b68942e93861409ea90f Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 2 Dec 2007 17:09:52 +0100 Subject: r26227: Make loadparm_context part of a server task, move loadparm_contexts further up the call stack. (This used to be commit 0721a07aada6a1fae6dcbd610b8783df57d7bbad) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index d441be807a..d5e385f70d 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -92,7 +92,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca return NT_STATUS_ACCESS_DENIED; } - sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx)); + sam_ctx = samdb_connect(mem_ctx, global_loadparm, system_session(mem_ctx)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -301,7 +301,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call &creds); NT_STATUS_NOT_OK_RETURN(nt_status); - sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx)); + sam_ctx = samdb_connect(mem_ctx, global_loadparm, system_session(mem_ctx)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -339,7 +339,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal &creds); NT_STATUS_NOT_OK_RETURN(nt_status); - sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx)); + sam_ctx = samdb_connect(mem_ctx, global_loadparm, system_session(mem_ctx)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -885,7 +885,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal NULL); NT_STATUS_NOT_OK_RETURN(status); - sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info); + sam_ctx = samdb_connect(mem_ctx, global_loadparm, dce_call->conn->auth_state.session_info); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -989,7 +989,7 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TA ZERO_STRUCT(r->out); - sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info); + sam_ctx = samdb_connect(mem_ctx, global_loadparm, dce_call->conn->auth_state.session_info); if (sam_ctx == NULL) { return WERR_DS_SERVICE_UNAVAILABLE; } @@ -1147,7 +1147,7 @@ static WERROR dcesrv_netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce ZERO_STRUCT(r->out); - sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info); + sam_ctx = samdb_connect(mem_ctx, global_loadparm, dce_call->conn->auth_state.session_info); if (sam_ctx == NULL) { return WERR_GENERAL_FAILURE; } -- cgit From 51db4c3f3d81d1ed03beae6426786c843ac59807 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 2 Dec 2007 17:56:09 +0100 Subject: r26228: Store loadparm context in auth context, move more loadparm_contexts up the call stack. (This used to be commit ba75f1613a9aac69dd5df94dd8a2b37820acd166) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index d5e385f70d..448f2b93f9 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -244,7 +244,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(const char *computer_name, struct ldb_context *ldb; int ret; - ldb = schannel_db_connect(mem_ctx); + ldb = schannel_db_connect(mem_ctx, global_loadparm); if (!ldb) { return NT_STATUS_ACCESS_DENIED; } -- cgit From 7e298580e06a5b9a0c1210937af47f277849080e Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 2 Dec 2007 21:14:16 +0100 Subject: r26234: More global_loadparm fixes. (This used to be commit 84892d030de6266fc0f3a699cade960dd5dc37bc) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 448f2b93f9..fd590c8c7d 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -173,7 +173,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca /* remember this session key state */ - nt_status = schannel_store_session_key(mem_ctx, creds); + nt_status = schannel_store_session_key(mem_ctx, global_loadparm, creds); return nt_status; } @@ -555,7 +555,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, { NTSTATUS nt_status; struct creds_CredentialState *creds; - nt_status = schannel_fetch_session_key(mem_ctx, r->in.computer_name, lp_workgroup(global_loadparm), &creds); + nt_status = schannel_fetch_session_key(mem_ctx, global_loadparm, r->in.computer_name, lp_workgroup(global_loadparm), &creds); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } -- cgit From 43696d2752e2faad34fb3ed2a7dbf01d40ffdc46 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 3 Dec 2007 15:53:28 +0100 Subject: r26252: Specify loadparm_context explicitly when creating sessions. (This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index fd590c8c7d..0aa39ea7bd 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -92,7 +92,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca return NT_STATUS_ACCESS_DENIED; } - sam_ctx = samdb_connect(mem_ctx, global_loadparm, system_session(mem_ctx)); + sam_ctx = samdb_connect(mem_ctx, global_loadparm, system_session(mem_ctx, global_loadparm)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -301,7 +301,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call &creds); NT_STATUS_NOT_OK_RETURN(nt_status); - sam_ctx = samdb_connect(mem_ctx, global_loadparm, system_session(mem_ctx)); + sam_ctx = samdb_connect(mem_ctx, global_loadparm, system_session(mem_ctx, global_loadparm)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -339,7 +339,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal &creds); NT_STATUS_NOT_OK_RETURN(nt_status); - sam_ctx = samdb_connect(mem_ctx, global_loadparm, system_session(mem_ctx)); + sam_ctx = samdb_connect(mem_ctx, global_loadparm, system_session(mem_ctx, global_loadparm)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } -- cgit From 785928dcecf12c9cf2250ff4e9868232d4faa88c Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 3 Dec 2007 23:38:54 +0100 Subject: r26273: Add IDL and torture test for netr_NetrEnumerateTurstedDomains() and netr_NetrEnumerateTurstedDomainsEx(). Guenther (This used to be commit 32a189e85026f5b54f82df88306005d9a9f50beb) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 0aa39ea7bd..1c6a1d0588 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -761,10 +761,10 @@ static WERROR dcesrv_netr_LogonControl2Ex(struct dcesrv_call_state *dce_call, TA /* - netr_NETRENUMERATETRUSTEDDOMAINS + netr_NetrEnumerateTurstedDomains */ -static WERROR dcesrv_netr_NETRENUMERATETRUSTEDDOMAINS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_NETRENUMERATETRUSTEDDOMAINS *r) +static WERROR dcesrv_netr_NetrEnumerateTrustedDomains(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NetrEnumerateTrustedDomains *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } @@ -1101,11 +1101,11 @@ static WERROR dcesrv_netr_NETRLOGONGETTIMESERVICEPARENTDOMAIN(struct dcesrv_call } -/* - netr_NETRENUMERATETRUSTEDDOMAINSEX +/* + netr_NetrEnumerateTrustedDomainsEx */ -static WERROR dcesrv_netr_NETRENUMERATETRUSTEDDOMAINSEX(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_NETRENUMERATETRUSTEDDOMAINSEX *r) +static WERROR dcesrv_netr_NetrEnumerateTrustedDomainsEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_NetrEnumerateTrustedDomainsEx *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } -- cgit From 96b46e99072f0c31ade85a5fa539cafc021fb42c Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 4 Dec 2007 09:41:28 +0100 Subject: r26285: Add IDL and torture test for netr_ServerPasswordGet(). Guenther (This used to be commit d64244cfe871cd549a991ac2a708263fc77d2fef) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 1c6a1d0588..d2390a8de0 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -946,11 +946,11 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal -/* - netr_NETRSERVERPASSWORDGET +/* + netr_ServerPasswordGet */ -static WERROR dcesrv_netr_NETRSERVERPASSWORDGET(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_NETRSERVERPASSWORDGET *r) +static WERROR dcesrv_netr_ServerPasswordGet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_ServerPasswordGet *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } -- cgit From b466534a0dc592ad03a249228ef02d5ac339089f Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 4 Dec 2007 10:20:13 +0100 Subject: r26286: IDL and torture test for netr_ServerTrustPasswordsGet(). Guenther (This used to be commit 231fe8826b7d8b0f4307ffbb3cd71b4c7723a290) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index d2390a8de0..a6e955178d 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -1206,11 +1206,11 @@ static WERROR dcesrv_netr_DSRDEREGISTERDNSHOSTRECORDS(struct dcesrv_call_state * } -/* - netr_NETRSERVERTRUSTPASSWORDSGET +/* + netr_ServerTrustPasswordsGet */ -static WERROR dcesrv_netr_NETRSERVERTRUSTPASSWORDSGET(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_NETRSERVERTRUSTPASSWORDSGET *r) +static NTSTATUS dcesrv_netr_ServerTrustPasswordsGet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_ServerTrustPasswordsGet *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } -- cgit From 57f20ccd242e45ff91850341594aa040d113c19e Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 4 Dec 2007 20:05:00 +0100 Subject: r26296: Store loadparm context in DCE/RPC server context. (This used to be commit fc1f4d2d65d4c983cba5421e7ffb64dd75482860) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 +++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index a6e955178d..d51f9e218d 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -92,7 +92,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca return NT_STATUS_ACCESS_DENIED; } - sam_ctx = samdb_connect(mem_ctx, global_loadparm, system_session(mem_ctx, global_loadparm)); + sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, global_loadparm)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -165,7 +165,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca creds->account_name = talloc_steal(creds, r->in.account_name); creds->computer_name = talloc_steal(creds, r->in.computer_name); - creds->domain = talloc_strdup(creds, lp_workgroup(global_loadparm)); + creds->domain = talloc_strdup(creds, lp_workgroup(dce_call->conn->dce_ctx->lp_ctx)); creds->secure_channel_type = r->in.secure_channel_type; @@ -173,7 +173,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca /* remember this session key state */ - nt_status = schannel_store_session_key(mem_ctx, global_loadparm, creds); + nt_status = schannel_store_session_key(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, creds); return nt_status; } @@ -301,7 +301,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call &creds); NT_STATUS_NOT_OK_RETURN(nt_status); - sam_ctx = samdb_connect(mem_ctx, global_loadparm, system_session(mem_ctx, global_loadparm)); + sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -339,7 +339,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal &creds); NT_STATUS_NOT_OK_RETURN(nt_status); - sam_ctx = samdb_connect(mem_ctx, global_loadparm, system_session(mem_ctx, global_loadparm)); + sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -432,7 +432,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal /* TODO: we need to deny anonymous access here */ nt_status = auth_context_create(mem_ctx, dce_call->event_ctx, dce_call->msg_ctx, - global_loadparm, + dce_call->conn->dce_ctx->lp_ctx, &auth_context); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -459,7 +459,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal /* TODO: we need to deny anonymous access here */ nt_status = auth_context_create(mem_ctx, dce_call->event_ctx, dce_call->msg_ctx, - global_loadparm, + dce_call->conn->dce_ctx->lp_ctx, &auth_context); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -531,7 +531,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal sam6 = talloc_zero(mem_ctx, struct netr_SamInfo6); NT_STATUS_HAVE_NO_MEMORY(sam6); sam6->base = *sam; - sam6->forest.string = lp_realm(global_loadparm); + sam6->forest.string = lp_realm(dce_call->conn->dce_ctx->lp_ctx); sam6->principle.string = talloc_asprintf(mem_ctx, "%s@%s", sam->account_name.string, sam6->forest.string); NT_STATUS_HAVE_NO_MEMORY(sam6->principle.string); @@ -555,7 +555,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, { NTSTATUS nt_status; struct creds_CredentialState *creds; - nt_status = schannel_fetch_session_key(mem_ctx, global_loadparm, r->in.computer_name, lp_workgroup(global_loadparm), &creds); + nt_status = schannel_fetch_session_key(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, r->in.computer_name, lp_workgroup(dce_call->conn->dce_ctx->lp_ctx), &creds); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } @@ -885,7 +885,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal NULL); NT_STATUS_NOT_OK_RETURN(status); - sam_ctx = samdb_connect(mem_ctx, global_loadparm, dce_call->conn->auth_state.session_info); + sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -989,7 +989,7 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TA ZERO_STRUCT(r->out); - sam_ctx = samdb_connect(mem_ctx, global_loadparm, dce_call->conn->auth_state.session_info); + sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info); if (sam_ctx == NULL) { return WERR_DS_SERVICE_UNAVAILABLE; } @@ -1008,8 +1008,8 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TA * - check all r->in.* parameters (server_unc is ignored by w2k3!) */ r->out.info->dc_unc = talloc_asprintf(mem_ctx, "\\\\%s.%s", - lp_netbios_name(global_loadparm), - lp_realm(global_loadparm)); + lp_netbios_name(dce_call->conn->dce_ctx->lp_ctx), + lp_realm(dce_call->conn->dce_ctx->lp_ctx)); W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_unc); r->out.info->dc_address = talloc_strdup(mem_ctx, "\\\\0.0.0.0"); W_ERROR_HAVE_NO_MEMORY(r->out.info->dc_address); @@ -1147,7 +1147,7 @@ static WERROR dcesrv_netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce ZERO_STRUCT(r->out); - sam_ctx = samdb_connect(mem_ctx, global_loadparm, dce_call->conn->auth_state.session_info); + sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info); if (sam_ctx == NULL) { return WERR_GENERAL_FAILURE; } -- cgit From f5860b5a853c40c9e48f5bb0a87c086d268c53bd Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 5 Dec 2007 00:40:48 +0100 Subject: r26298: Use metze's schema loading code to pre-initialise the schema into the samdb before we start writing entries into it. In doing so, I realised we still used 'dnsDomain', which is not part of the standard schema (now removed). We also set the 'wrong' side of the linked attributes for the masteredBy on each partition - this is now set in provision_self_join and backlinks via the linked attributes code. When we have the schema loaded, we must also have a valid domain SID loaded, so that the objectclass module works. This required some ejs glue. Andrew Bartlett (This used to be commit b0de08916e8cb59ce6a2ea94bbc9ac0679830ac1) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index d51f9e218d..d7f9fdde3d 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -985,6 +985,7 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TA const char * const attrs[] = { "dnsDomain", "objectGUID", NULL }; void *sam_ctx; struct ldb_message **res; + struct ldb_dn *domain_dn; int ret; ZERO_STRUCT(r->out); @@ -994,9 +995,13 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TA return WERR_DS_SERVICE_UNAVAILABLE; } - ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs, - "(&(objectClass=domainDNS)(dnsDomain=%s))", - r->in.domain_name); + domain_dn = samdb_dns_domain_to_dn(sam_ctx, mem_ctx, + r->in.domain_name); + if (domain_dn == NULL) { + return WERR_DS_SERVICE_UNAVAILABLE; + } + + ret = gendb_search_dn(sam_ctx, mem_ctx, domain_dn, &res, attrs); if (ret != 1) { return WERR_NO_SUCH_DOMAIN; } -- cgit From d378cf4c15e09b980f874bb103b28e89d9dd3a26 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 6 Dec 2007 16:36:54 +0100 Subject: r26310: Remove more uses of global_loadparm. (This used to be commit 9d806da113b5f0688b6193dfdee9b8765e18b38f) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index d7f9fdde3d..0ddc11c8b8 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -92,7 +92,8 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca return NT_STATUS_ACCESS_DENIED; } - sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, global_loadparm)); + sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, + system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -233,7 +234,8 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca the caller needs some of that information. */ -static NTSTATUS dcesrv_netr_creds_server_step_check(const char *computer_name, +static NTSTATUS dcesrv_netr_creds_server_step_check(struct loadparm_context *lp_ctx, + const char *computer_name, TALLOC_CTX *mem_ctx, struct netr_Authenticator *received_authenticator, struct netr_Authenticator *return_authenticator, @@ -296,7 +298,8 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call struct ldb_context *sam_ctx; NTSTATUS nt_status; - nt_status = dcesrv_netr_creds_server_step_check(r->in.computer_name, mem_ctx, + nt_status = dcesrv_netr_creds_server_step_check(dce_call->conn->dce_ctx->lp_ctx, + r->in.computer_name, mem_ctx, &r->in.credential, &r->out.return_authenticator, &creds); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -334,7 +337,8 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal struct samr_CryptPassword password_buf; - nt_status = dcesrv_netr_creds_server_step_check(r->in.computer_name, mem_ctx, + nt_status = dcesrv_netr_creds_server_step_check(dce_call->conn->dce_ctx->lp_ctx, + r->in.computer_name, mem_ctx, &r->in.credential, &r->out.return_authenticator, &creds); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -583,7 +587,8 @@ static NTSTATUS dcesrv_netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce return_authenticator = talloc(mem_ctx, struct netr_Authenticator); NT_STATUS_HAVE_NO_MEMORY(return_authenticator); - nt_status = dcesrv_netr_creds_server_step_check(r->in.computer_name, mem_ctx, + nt_status = dcesrv_netr_creds_server_step_check(dce_call->conn->dce_ctx->lp_ctx, + r->in.computer_name, mem_ctx, r->in.credential, return_authenticator, &creds); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -879,7 +884,8 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal const char *local_domain; - status = dcesrv_netr_creds_server_step_check(r->in.computer_name, mem_ctx, + status = dcesrv_netr_creds_server_step_check(dce_call->conn->dce_ctx->lp_ctx, + r->in.computer_name, mem_ctx, r->in.credential, r->out.return_authenticator, NULL); -- cgit From 2f5ca872a80ad872ab864061f0c6982d8605393f Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 6 Dec 2007 16:54:34 +0100 Subject: r26313: Fix more uses of static loadparm. (This used to be commit 6fd0d9d3b75546d08c24c513e05b1843d5777608) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 0ddc11c8b8..15916a81fc 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -246,7 +246,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct loadparm_context *lp_ struct ldb_context *ldb; int ret; - ldb = schannel_db_connect(mem_ctx, global_loadparm); + ldb = schannel_db_connect(mem_ctx, lp_ctx); if (!ldb) { return NT_STATUS_ACCESS_DENIED; } @@ -262,7 +262,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct loadparm_context *lp_ * update the structure */ nt_status = schannel_fetch_session_key_ldb(ldb, ldb, computer_name, - lp_workgroup(global_loadparm), + lp_workgroup(lp_ctx), &creds); if (NT_STATUS_IS_OK(nt_status)) { nt_status = creds_server_step_check(creds, -- cgit From 038c75c0cb6307ee411cb3eabdf2305f2f3b653d Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 10 Dec 2007 04:33:29 +0100 Subject: r26357: Add separate subsystem for auth_sam_reply parsing. (This used to be commit 2d61e7c96e249d7031b709e9f727626a78e435f1) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 15916a81fc..25f9939576 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -25,7 +25,7 @@ #include "rpc_server/common/common.h" #include "lib/ldb/include/ldb.h" #include "auth/auth.h" -#include "auth/auth_sam.h" +#include "auth/auth_sam_reply.h" #include "dsdb/samdb/samdb.h" #include "rpc_server/samr/proto.h" #include "util/util_ldb.h" -- cgit From db225eeef1ff06df44dbc4d8af618c96530157c1 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 21 Dec 2007 23:52:14 -0600 Subject: r26558: Add IDL for netr_GetForestTrustInformation(). Guenther (This used to be commit 7aa34b48795d303ba600f34a4b1bc916007aee44) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 25f9939576..1ef50cd96f 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -1237,11 +1237,11 @@ static WERROR dcesrv_netr_DsRGetForestTrustInformation(struct dcesrv_call_state } -/* - netr_NETRGETFORESTTRUSTINFORMATION +/* + netr_GetForestTrustInformation */ -static WERROR dcesrv_netr_NETRGETFORESTTRUSTINFORMATION(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_NETRGETFORESTTRUSTINFORMATION *r) +static WERROR dcesrv_netr_GetForestTrustInformation(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_GetForestTrustInformation *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } -- cgit From 7054ce65485482d1cc5fa4ff83272feb752e71c2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 11 Jan 2008 09:24:38 +1100 Subject: Return 'not implemented' on more RPCs. (easy way to 'pass' the torture test, as I see little reason to implement these RPCs). Add information regarding the importance of the LogonGetDomainInfo calls Andrew Bartlett (This used to be commit 9cd3a76c25019f4d8d7b41d75e1f7efb4475e86a) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 1ef50cd96f..3d9262b995 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -669,7 +669,8 @@ static NTSTATUS dcesrv_netr_DatabaseDeltas(struct dcesrv_call_state *dce_call, T static NTSTATUS dcesrv_netr_DatabaseSync(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DatabaseSync *r) { - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); + /* win2k3 native mode returns "NOT IMPLEMENTED" for this call */ + return NT_STATUS_NOT_IMPLEMENTED; } @@ -741,7 +742,8 @@ static WERROR dcesrv_netr_LogonControl2(struct dcesrv_call_state *dce_call, TALL static NTSTATUS dcesrv_netr_DatabaseSync2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_DatabaseSync2 *r) { - DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); + /* win2k3 native mode returns "NOT IMPLEMENTED" for this call */ + return NT_STATUS_NOT_IMPLEMENTED; } @@ -867,6 +869,9 @@ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, /* netr_LogonGetDomainInfo this is called as part of the ADS domain logon procedure. + + It has an important role in convaying details about the client, such + as Operating System, Version, Service Pack etc. */ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonGetDomainInfo *r) -- cgit From de50115c38f6086237a555a2b2adc314fbbd26e6 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 25 Jan 2008 00:04:24 +0100 Subject: Fix netlogon rpc-server build. Guenther (This used to be commit 31980e03faedaa44317f64d940c458d38a103627) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 3d9262b995..6a5e0a17a2 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -797,11 +797,11 @@ static WERROR dcesrv_netr_NETRLOGONSETSERVICEBITS(struct dcesrv_call_state *dce_ } -/* - netr_NETRLOGONGETTRUSTRID +/* + netr_LogonGetTrustRid */ -static WERROR dcesrv_netr_NETRLOGONGETTRUSTRID(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_NETRLOGONGETTRUSTRID *r) +static WERROR dcesrv_netr_LogonGetTrustRid(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonGetTrustRid *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } -- cgit From bedecbc9990d0cf09437337ae3a266b784b93adf Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 25 Jan 2008 22:42:14 +0100 Subject: Fix netlogon rpc-server build. Guenther (This used to be commit 7a10be2ac77124a78fcc4ddda5e05c036ed920fa) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 6a5e0a17a2..4d38dc069e 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -1212,11 +1212,11 @@ static WERROR dcesrv_netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce } -/* - netr_DSRDEREGISTERDNSHOSTRECORDS +/* + netr_DsrDeregisterDNSHostRecords */ -static WERROR dcesrv_netr_DSRDEREGISTERDNSHOSTRECORDS(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_DSRDEREGISTERDNSHOSTRECORDS *r) +static WERROR dcesrv_netr_DsrDeregisterDNSHostRecords(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_DsrDeregisterDNSHostRecords *r) { DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR); } -- cgit From 5043215f219f90a899a8dc75518540a04b93301f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 28 Feb 2008 08:50:00 +1100 Subject: Generate ACB_PW_EXPIRED correctly More correctly handle expired passwords, and do not expire machine accounts. Test that the behaviour is consistant with windows, using the RPC-SAMR test. Change NETLOGON to directly query the userAccountControl, just because we don't want to do the extra expiry processing here. Andrew Bartlett (This used to be commit acda1f69bc9b9c43e157e254d0bae54d11363661) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 4d38dc069e..37e6351864 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -27,6 +27,7 @@ #include "auth/auth.h" #include "auth/auth_sam_reply.h" #include "dsdb/samdb/samdb.h" +#include "dsdb/common/flags.h" #include "rpc_server/samr/proto.h" #include "util/util_ldb.h" #include "libcli/auth/libcli_auth.h" @@ -76,7 +77,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca struct creds_CredentialState *creds; void *sam_ctx; struct samr_Password *mach_pwd; - uint16_t acct_flags; + uint32_t user_account_control; int num_records; struct ldb_message **msgs; NTSTATUS nt_status; @@ -113,27 +114,28 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca return NT_STATUS_INTERNAL_DB_CORRUPTION; } - acct_flags = samdb_result_acct_flags(msgs[0], - "userAccountControl"); + + user_account_control = ldb_msg_find_attr_as_uint(msgs[0], "userAccountControl", 0); - if (acct_flags & ACB_DISABLED) { + if (user_account_control & UF_ACCOUNTDISABLE) { DEBUG(1, ("Account [%s] is disabled\n", r->in.account_name)); return NT_STATUS_ACCESS_DENIED; } if (r->in.secure_channel_type == SEC_CHAN_WKSTA) { - if (!(acct_flags & ACB_WSTRUST)) { - DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", acct_flags)); + if (!(user_account_control & UF_WORKSTATION_TRUST_ACCOUNT)) { + DEBUG(1, ("Client asked for a workstation secure channel, but is not a workstation (member server) acb flags: 0x%x\n", user_account_control)); return NT_STATUS_ACCESS_DENIED; } } else if (r->in.secure_channel_type == SEC_CHAN_DOMAIN) { - if (!(acct_flags & ACB_DOMTRUST)) { - DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", acct_flags)); + if (!(user_account_control & UF_INTERDOMAIN_TRUST_ACCOUNT)) { + DEBUG(1, ("Client asked for a trusted domain secure channel, but is not a trusted domain: acb flags: 0x%x\n", user_account_control)); + return NT_STATUS_ACCESS_DENIED; } } else if (r->in.secure_channel_type == SEC_CHAN_BDC) { - if (!(acct_flags & ACB_SVRTRUST)) { - DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", acct_flags)); + if (!(user_account_control & UF_SERVER_TRUST_ACCOUNT)) { + DEBUG(1, ("Client asked for a server secure channel, but is not a server (domain controller): acb flags: 0x%x\n", user_account_control)); return NT_STATUS_ACCESS_DENIED; } } else { -- cgit From 21fc7673780aa1d7c0caab7b17ff9171238913ba Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 17 Apr 2008 12:23:44 +0200 Subject: Specify event_context to ldb_wrap_connect explicitly. (This used to be commit b4e1ae07a284c044704322446c94351c2decff91) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 29 ++++++++++++++------------- 1 file changed, 15 insertions(+), 14 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 37e6351864..d9ae92c0fa 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -93,7 +93,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca return NT_STATUS_ACCESS_DENIED; } - sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, + sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; @@ -176,7 +176,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca /* remember this session key state */ - nt_status = schannel_store_session_key(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, creds); + nt_status = schannel_store_session_key(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, creds); return nt_status; } @@ -236,7 +236,8 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca the caller needs some of that information. */ -static NTSTATUS dcesrv_netr_creds_server_step_check(struct loadparm_context *lp_ctx, +static NTSTATUS dcesrv_netr_creds_server_step_check(struct event_context *event_ctx, + struct loadparm_context *lp_ctx, const char *computer_name, TALLOC_CTX *mem_ctx, struct netr_Authenticator *received_authenticator, @@ -248,7 +249,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct loadparm_context *lp_ struct ldb_context *ldb; int ret; - ldb = schannel_db_connect(mem_ctx, lp_ctx); + ldb = schannel_db_connect(mem_ctx, event_ctx, lp_ctx); if (!ldb) { return NT_STATUS_ACCESS_DENIED; } @@ -300,13 +301,13 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call struct ldb_context *sam_ctx; NTSTATUS nt_status; - nt_status = dcesrv_netr_creds_server_step_check(dce_call->conn->dce_ctx->lp_ctx, + nt_status = dcesrv_netr_creds_server_step_check(dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, r->in.computer_name, mem_ctx, &r->in.credential, &r->out.return_authenticator, &creds); NT_STATUS_NOT_OK_RETURN(nt_status); - sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx)); + sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -339,13 +340,13 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal struct samr_CryptPassword password_buf; - nt_status = dcesrv_netr_creds_server_step_check(dce_call->conn->dce_ctx->lp_ctx, + nt_status = dcesrv_netr_creds_server_step_check(dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, r->in.computer_name, mem_ctx, &r->in.credential, &r->out.return_authenticator, &creds); NT_STATUS_NOT_OK_RETURN(nt_status); - sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx)); + sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx)); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -561,7 +562,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, { NTSTATUS nt_status; struct creds_CredentialState *creds; - nt_status = schannel_fetch_session_key(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, r->in.computer_name, lp_workgroup(dce_call->conn->dce_ctx->lp_ctx), &creds); + nt_status = schannel_fetch_session_key(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, r->in.computer_name, lp_workgroup(dce_call->conn->dce_ctx->lp_ctx), &creds); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } @@ -589,7 +590,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce return_authenticator = talloc(mem_ctx, struct netr_Authenticator); NT_STATUS_HAVE_NO_MEMORY(return_authenticator); - nt_status = dcesrv_netr_creds_server_step_check(dce_call->conn->dce_ctx->lp_ctx, + nt_status = dcesrv_netr_creds_server_step_check(dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, r->in.computer_name, mem_ctx, r->in.credential, return_authenticator, &creds); @@ -891,14 +892,14 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal const char *local_domain; - status = dcesrv_netr_creds_server_step_check(dce_call->conn->dce_ctx->lp_ctx, + status = dcesrv_netr_creds_server_step_check(dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, r->in.computer_name, mem_ctx, r->in.credential, r->out.return_authenticator, NULL); NT_STATUS_NOT_OK_RETURN(status); - sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info); + sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info); if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } @@ -1003,7 +1004,7 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call, TA ZERO_STRUCT(r->out); - sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info); + sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info); if (sam_ctx == NULL) { return WERR_DS_SERVICE_UNAVAILABLE; } @@ -1165,7 +1166,7 @@ static WERROR dcesrv_netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce ZERO_STRUCT(r->out); - sam_ctx = samdb_connect(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info); + sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info); if (sam_ctx == NULL) { return WERR_GENERAL_FAILURE; } -- cgit From b5a3f45f645204bcc3d6caa47993b7839c8e4c99 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 12 Aug 2008 17:46:01 +1000 Subject: Add GenericInfo level for SamLogon calls from the WSPP IDL. Andrew Bartlett (This used to be commit ea58b650a81b48b0477edbcda1e4e26a3b2a9b9e) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index d9ae92c0fa..763e6a327e 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -421,9 +421,10 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal user_info->remote_host = NULL; switch (r->in.logon_level) { - case 1: - case 3: - case 5: + case NetlogonInteractiveInformation: + case NetlogonServiceInformation: + case NetlogonInteractiveTransitiveInformation: + case NetlogonServiceTransitiveInformation: if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { creds_arcfour_crypt(creds, r->in.logon.password->lmpassword.hash, @@ -460,8 +461,8 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal *user_info->password.hash.nt = r->in.logon.password->ntpassword; break; - case 2: - case 6: + case NetlogonNetworkInformation: + case NetlogonNetworkTransitiveInformation: /* TODO: we need to deny anonymous access here */ nt_status = auth_context_create(mem_ctx, @@ -483,6 +484,13 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal user_info->password.response.nt = data_blob_talloc(mem_ctx, r->in.logon.network->nt.data, r->in.logon.network->nt.length); break; + + + case NetlogonGenericInformation: + { + /* Until we get enough information for an implemetnation */ + return NT_STATUS_INVALID_PARAMETER; + } default: return NT_STATUS_INVALID_PARAMETER; } -- cgit From 60936dd2c4e82550e31e5f1b6d476d8b10bde687 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 29 Aug 2008 18:05:06 +1000 Subject: Start implementing the server-sde NETLOGON PAC verification. (This used to be commit 8741e8fee619cccd84f2f10e00426df1d4f34074) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 47 ++++++++++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 763e6a327e..5672d29cb2 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -488,7 +488,52 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal case NetlogonGenericInformation: { - /* Until we get enough information for an implemetnation */ + if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + creds_arcfour_crypt(creds, + r->in.logon.generic->data, r->in.logon.generic->length); + } else { + /* Using DES to verify kerberos tickets makes no sense */ + return NT_STATUS_INVALID_PARAMETER; + } + + if (strcmp(r->in.logon.generic->package_name.string, "Kerberos")) { + struct PAC_Validate pac_validate; + DATA_BLOB srv_sig; + struct PAC_SIGNATURE_DATA kdc_sig; + DATA_BLOB pac_validate_blob = data_blob_const(r->in.logon.generic->data, + r->in.logon.generic->length); + ndr_err = ndr_pull_struct_blob(&pac_validate_blob, mem_ctx, + lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx), + &pac_validate, + (ndr_pull_flags_fn_t)ndr_pull_PAC_Validate); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (pac_validate->MessageType != 3) { + /* We don't implement any other message types - such as certificate validation - yet */ + return NT_STATUS_INVALID_PARAMETER; + } + + if (pac_validate->ChecksumAndSignature.length != (pac_validate->ChecksumLength + pac_validate->SignatureLength) + || pac_validate->ChecksumAndSignature.length < pac_validate->ChecksumLength + || pac_validate->ChecksumAndSignature.length < pac_validate->SignatureLength ) { + return NT_STATUS_INVALID_PARAMETER; + } + + srv_sig = data_blob_const(pac_validate->ChecksumAndSignature.data, + pac_validate->ChecksumLength); + + kdc_sig.type = pac_validate->SignatureType; + kdc_sig.signature = data_blob_const(&pac_validate->ChecksumAndSignature.data[pac_validate->ChecksumLength], + pac_validate->SignatureLength); + check_pac_checksum(mem_ctx, srv_sig, &kdc_sig, + context, keyblock); + + + } + + /* Until we get an implemetnation of these other packages */ return NT_STATUS_INVALID_PARAMETER; } default: -- cgit From a35263e1ab81cac7855158012157769e3e9000f7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 3 Sep 2008 15:30:17 +1000 Subject: Implement NETLOGON PAC verfication on the server-side This is implemented by means of a message to the KDC, to avoid having to link most of the KDC into netlogon. Andrew Bartlett (This used to be commit 82fcd7941f5c54da2d994c8bd99dd8d86299a296) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 60 +++++++++++++-------------- 1 file changed, 29 insertions(+), 31 deletions(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 5672d29cb2..36ac650b08 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -34,6 +34,8 @@ #include "auth/gensec/schannel_state.h" #include "libcli/security/security.h" #include "param/param.h" +#include "lib/messaging/irpc.h" +#include "librpc/gen_ndr/ndr_irpc.h" struct server_pipe_state { struct netr_Credential client_challenge; @@ -496,41 +498,37 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal return NT_STATUS_INVALID_PARAMETER; } - if (strcmp(r->in.logon.generic->package_name.string, "Kerberos")) { - struct PAC_Validate pac_validate; - DATA_BLOB srv_sig; - struct PAC_SIGNATURE_DATA kdc_sig; - DATA_BLOB pac_validate_blob = data_blob_const(r->in.logon.generic->data, - r->in.logon.generic->length); - ndr_err = ndr_pull_struct_blob(&pac_validate_blob, mem_ctx, - lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx), - &pac_validate, - (ndr_pull_flags_fn_t)ndr_pull_PAC_Validate); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - return NT_STATUS_INVALID_PARAMETER; - } + if (strcmp(r->in.logon.generic->package_name.string, "Kerberos") == 0) { + NTSTATUS status; + struct server_id *kdc; + struct kdc_check_generic_kerberos check; + struct netr_GenericInfo2 *generic = talloc_zero(mem_ctx, struct netr_GenericInfo2); + NT_STATUS_HAVE_NO_MEMORY(generic); + r->out.authoritative = 1; + + /* TODO: Describe and deal with these flags */ + r->out.flags = 0; - if (pac_validate->MessageType != 3) { - /* We don't implement any other message types - such as certificate validation - yet */ - return NT_STATUS_INVALID_PARAMETER; + r->out.validation.generic = generic; + + kdc = irpc_servers_byname(dce_call->msg_ctx, mem_ctx, "kdc_server"); + if ((kdc == NULL) || (kdc[0].id == 0)) { + return NT_STATUS_NO_LOGON_SERVERS; } - if (pac_validate->ChecksumAndSignature.length != (pac_validate->ChecksumLength + pac_validate->SignatureLength) - || pac_validate->ChecksumAndSignature.length < pac_validate->ChecksumLength - || pac_validate->ChecksumAndSignature.length < pac_validate->SignatureLength ) { - return NT_STATUS_INVALID_PARAMETER; + check.in.generic_request = + data_blob_const(r->in.logon.generic->data, + r->in.logon.generic->length); + + status = irpc_call(dce_call->msg_ctx, kdc[0], + &ndr_table_irpc, NDR_KDC_CHECK_GENERIC_KERBEROS, + &check, mem_ctx); + if (!NT_STATUS_IS_OK(status)) { + return status; } - - srv_sig = data_blob_const(pac_validate->ChecksumAndSignature.data, - pac_validate->ChecksumLength); - - kdc_sig.type = pac_validate->SignatureType; - kdc_sig.signature = data_blob_const(&pac_validate->ChecksumAndSignature.data[pac_validate->ChecksumLength], - pac_validate->SignatureLength); - check_pac_checksum(mem_ctx, srv_sig, &kdc_sig, - context, keyblock); - - + generic->length = check.out.generic_reply.length; + generic->data = check.out.generic_reply.data; + return NT_STATUS_OK; } /* Until we get an implemetnation of these other packages */ -- cgit From 07a3b7a9300fc3d515bb14889bee1341e8c18735 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 5 Sep 2008 16:45:37 +1000 Subject: Update copyright, I've been working here many long years... (This used to be commit 842ab594124198453fc88f46ab83b712a7d34dc1) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/rpc_server/netlogon/dcerpc_netlogon.c') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 36ac650b08..6f4287f9d8 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -3,7 +3,7 @@ endpoint server for the netlogon pipe - Copyright (C) Andrew Bartlett 2004 + Copyright (C) Andrew Bartlett 2004-2008 Copyright (C) Stefan Metzmacher 2005 This program is free software; you can redistribute it and/or modify -- cgit