/* Lookup user information from a rid */
static NTSTATUS query_user(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const DOM_SID *user_sid,
WINBIND_USERINFO *info)
{
struct winbind_cache *cache = get_cache(domain);
struct cache_entry *centry = NULL;
NTSTATUS status;
if (!cache->tdb)
goto do_query;
centry = wcache_fetch(cache, domain, "U/%s", sid_string_static(user_sid));
/* If we have an access denied cache entry and a cached info3 in the
samlogon cache then do a query. This will force the rpc back end
to return the info3 data. */
if (NT_STATUS_V(domain->last_status) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) &&
netsamlogon_cache_have(user_sid)) {
DEBUG(10, ("query_user: cached access denied and have cached info3\n"));
domain->last_status = NT_STATUS_OK;
centry_free(centry);
goto do_query;
}
if (!centry)
goto do_query;
info->acct_name = centry_string(centry, mem_ctx);
info->full_name = centry_string(centry, mem_ctx);
info->user_sid = centry_sid(centry, mem_ctx);
info->group_sid = centry_sid(centry, mem_ctx);
status = centry->status;
DEBUG(10,("query_user: [Cached] - cached info for domain %s status %s\n",
domain->name, get_friendly_nt_error_msg(status) ));
centry_free(centry);
return status;
do_query:
ZERO_STRUCTP(info);
/* Return status value returned by seq number check */
if (!NT_STATUS_IS_OK(domain->last_status))
return domain->last_status;
DEBUG(10,("sid_to_name: [Cached] - doing backend query for info for domain %s\n",
domain->name ));
status = domain->backend->query_user(domain, mem_ctx, user_sid, info);
/* and save it */
refresh_sequence_number(domain, False);
wcache_save_user(domain, status, info);
return status;
}
WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
const char *server_name,
const struct ndr_syntax_id *interface,
struct rpc_pipe_client **presult)
{
struct rpc_pipe_client *result = NULL;
NTSTATUS status;
WERROR werr;
struct client_ipc_connection *ipc = NULL;
if (!presult) {
return WERR_INVALID_PARAM;
}
werr = libnetapi_open_ipc_connection(ctx, server_name, &ipc);
if (!W_ERROR_IS_OK(werr)) {
return werr;
}
status = pipe_cm_open(ctx, ipc, interface, &result);
if (!NT_STATUS_IS_OK(status)) {
libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
get_pipe_name_from_syntax(talloc_tos(), interface),
get_friendly_nt_error_msg(status));
return WERR_DEST_NOT_FOUND;
}
*presult = result;
return WERR_OK;
}
WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
const char *server_name,
const struct ndr_interface_table *table,
struct rpc_pipe_client **presult)
{
struct rpc_pipe_client *result = NULL;
NTSTATUS status;
WERROR werr;
struct client_ipc_connection *ipc = NULL;
if (!presult) {
return WERR_INVALID_PARAMETER;
}
werr = libnetapi_open_ipc_connection(ctx, server_name, &ipc);
if (!W_ERROR_IS_OK(werr)) {
return werr;
}
status = pipe_cm_open(ctx, ipc, table, &result);
if (!NT_STATUS_IS_OK(status)) {
libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
table->name,
get_friendly_nt_error_msg(status));
return WERR_NERR_DESTNOTFOUND;
}
*presult = result;
return WERR_OK;
}
const char *libnetapi_errstr(NET_API_STATUS status)
{
if (status & 0xc0000000) {
return get_friendly_nt_error_msg(NT_STATUS(status));
}
return get_friendly_werror_msg(W_ERROR(status));
}
/* convert a sid to a user or group name. The sid is guaranteed to be in the domain
given */
static NTSTATUS sid_to_name(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const DOM_SID *sid,
char **domain_name,
char **name,
enum SID_NAME_USE *type)
{
struct winbind_cache *cache = get_cache(domain);
struct cache_entry *centry = NULL;
NTSTATUS status;
fstring sid_string;
if (!cache->tdb)
goto do_query;
centry = wcache_fetch(cache, domain, "SN/%s", sid_to_string(sid_string, sid));
if (!centry)
goto do_query;
if (NT_STATUS_IS_OK(centry->status)) {
*type = (enum SID_NAME_USE)centry_uint32(centry);
*domain_name = centry_string(centry, mem_ctx);
*name = centry_string(centry, mem_ctx);
}
status = centry->status;
DEBUG(10,("sid_to_name: [Cached] - cached name for domain %s status %s\n",
domain->name, get_friendly_nt_error_msg(status) ));
centry_free(centry);
return status;
do_query:
*name = NULL;
*domain_name = NULL;
/* If the seq number check indicated that there is a problem
* with this DC, then return that status... except for
* access_denied. This is special because the dc may be in
* "restrict anonymous = 1" mode, in which case it will deny
* most unauthenticated operations, but *will* allow the LSA
* sid-to-name that we try as a fallback. */
if (!(NT_STATUS_IS_OK(domain->last_status)
|| NT_STATUS_EQUAL(domain->last_status, NT_STATUS_ACCESS_DENIED)))
return domain->last_status;
DEBUG(10,("sid_to_name: [Cached] - doing backend query for name for domain %s\n",
domain->name ));
status = domain->backend->sid_to_name(domain, mem_ctx, sid, domain_name, name, type);
/* and save it */
refresh_sequence_number(domain, False);
wcache_save_sid_to_name(domain, status, sid, *domain_name, *name, *type);
wcache_save_name_to_sid(domain, status, *domain_name, *name, sid, *type);
return status;
}
/*
return a string for an error from an ads routine
*/
const char *ads_errstr(ADS_STATUS status)
{
switch (status.error_type) {
case ENUM_ADS_ERROR_SYSTEM:
return strerror(status.err.rc);
case ENUM_ADS_ERROR_LDAP:
return ldb_strerror(status.err.rc);
case ENUM_ADS_ERROR_NT:
return get_friendly_nt_error_msg(ads_ntstatus(status));
default:
return "Unknown ADS error type!? (not compiled in?)";
}
}
char *libnetapi_errstr(NET_API_STATUS status)
{
TALLOC_CTX *frame = talloc_stackframe();
char *ret;
if (status & 0xc0000000) {
ret = talloc_strdup(NULL,
get_friendly_nt_error_msg(NT_STATUS(status)));
} else {
ret = talloc_strdup(NULL,
get_friendly_werror_msg(W_ERROR(status)));
}
TALLOC_FREE(frame);
return ret;
}
static bool torture_winbind_struct_check_machacc(struct torture_context *torture)
{
bool ok;
bool strict = torture_setting_bool(torture, "strict mode", false);
struct winbindd_response rep;
ZERO_STRUCT(rep);
torture_comment(torture, "Running WINBINDD_CHECK_MACHACC (struct based)\n");
ok = true;
DO_STRUCT_REQ_REP_EXT(WINBINDD_CHECK_MACHACC, NULL, &rep,
NSS_STATUS_SUCCESS, strict, ok = false,
"WINBINDD_CHECK_MACHACC");
if (!ok) {
torture_assert(torture,
strlen(rep.data.auth.nt_status_string)>0,
"Failed with empty nt_status_string");
torture_warning(torture,"%s:%s:%s:%d\n",
nt_errstr(NT_STATUS(rep.data.auth.nt_status)),
rep.data.auth.nt_status_string,
rep.data.auth.error_string,
rep.data.auth.pam_error);
return true;
}
torture_assert_ntstatus_ok(torture,
NT_STATUS(rep.data.auth.nt_status),
"WINBINDD_CHECK_MACHACC ok: nt_status");
torture_assert_str_equal(torture,
rep.data.auth.nt_status_string,
nt_errstr(NT_STATUS_OK),
"WINBINDD_CHECK_MACHACC ok:nt_status_string");
torture_assert_str_equal(torture,
rep.data.auth.error_string,
get_friendly_nt_error_msg(NT_STATUS_OK),
"WINBINDD_CHECK_MACHACC ok: error_string");
torture_assert_int_equal(torture,
rep.data.auth.pam_error,
nt_status_to_pam(NT_STATUS_OK),
"WINBINDD_CHECK_MACHACC ok: pam_error");
return true;
}
static NTSTATUS do_smb_load_module(const char *subsystem,
const char *module_name, bool is_probe)
{
void *handle;
init_module_fn init;
NTSTATUS status;
char *full_path = NULL;
TALLOC_CTX *ctx = talloc_stackframe();
/* Check for absolute path */
DEBUG(5, ("%s module '%s'\n", is_probe ? "Probing" : "Loading", module_name));
if (subsystem && module_name[0] != '/') {
full_path = talloc_asprintf(ctx,
"%s/%s.%s",
modules_path(ctx, subsystem),
module_name,
shlib_ext());
if (!full_path) {
TALLOC_FREE(ctx);
return NT_STATUS_NO_MEMORY;
}
DEBUG(5, ("%s module '%s': Trying to load from %s\n",
is_probe ? "Probing": "Loading", module_name, full_path));
init = load_module(full_path, is_probe, &handle);
} else {
init = load_module(module_name, is_probe, &handle);
}
if (!init) {
return NT_STATUS_UNSUCCESSFUL;
}
DEBUG(2, ("Module '%s' loaded\n", module_name));
status = init();
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Module '%s' initialization failed: %s\n",
module_name, get_friendly_nt_error_msg(status)));
dlclose(handle);
}
return status;
}
static NTSTATUS do_smb_load_module(const char *module_name, bool is_probe)
{
void *handle;
init_module_function *init;
NTSTATUS status;
const char *error;
/* Always try to use LAZY symbol resolving; if the plugin has
* backwards compatibility, there might be symbols in the
* plugin referencing to old (removed) functions
*/
handle = sys_dlopen(module_name, RTLD_LAZY);
/* This call should reset any possible non-fatal errors that
occured since last call to dl* functions */
error = sys_dlerror();
if(!handle) {
int level = is_probe ? 3 : 0;
DEBUG(level, ("Error loading module '%s': %s\n", module_name, error ? error : ""));
return NT_STATUS_UNSUCCESSFUL;
}
init = (init_module_function *)sys_dlsym(handle, "init_samba_module");
/* we must check sys_dlerror() to determine if it worked, because
sys_dlsym() can validly return NULL */
error = sys_dlerror();
if (error) {
DEBUG(0, ("Error trying to resolve symbol 'init_samba_module' "
"in %s: %s\n", module_name, error));
sys_dlclose(handle);
return NT_STATUS_UNSUCCESSFUL;
}
DEBUG(2, ("Module '%s' loaded\n", module_name));
status = init();
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Module '%s' initialization failed: %s\n",
module_name, get_friendly_nt_error_msg(status)));
sys_dlclose(handle);
}
return status;
}
/*
return a string for an error from a ads routine
*/
const char *ads_errstr(ADS_STATUS status)
{
static char *ret;
SAFE_FREE(ret);
switch (status.error_type) {
case ENUM_ADS_ERROR_SYSTEM:
return strerror(status.err.rc);
#ifdef HAVE_LDAP
case ENUM_ADS_ERROR_LDAP:
return ldap_err2string(status.err.rc);
#endif
#ifdef HAVE_KRB5
case ENUM_ADS_ERROR_KRB5:
return error_message(status.err.rc);
#endif
#ifdef HAVE_GSSAPI
case ENUM_ADS_ERROR_GSS:
{
uint32 msg_ctx;
uint32 minor;
gss_buffer_desc msg1, msg2;
msg_ctx = 0;
msg1.value = NULL;
msg2.value = NULL;
gss_display_status(&minor, status.err.rc, GSS_C_GSS_CODE,
GSS_C_NULL_OID, &msg_ctx, &msg1);
gss_display_status(&minor, status.minor_status, GSS_C_MECH_CODE,
GSS_C_NULL_OID, &msg_ctx, &msg2);
asprintf(&ret, "%s : %s", (char *)msg1.value, (char *)msg2.value);
gss_release_buffer(&minor, &msg1);
gss_release_buffer(&minor, &msg2);
return ret;
}
#endif
case ENUM_ADS_ERROR_NT:
return get_friendly_nt_error_msg(ads_ntstatus(status));
default:
return "Unknown ADS error type!? (not compiled in?)";
}
}
WERROR DsGetDcName_l(struct libnetapi_ctx *ctx,
struct DsGetDcName *r)
{
NTSTATUS status;
status = dsgetdcname(ctx,
NULL,
r->in.domain_name,
r->in.domain_guid,
r->in.site_name,
r->in.flags,
(struct netr_DsRGetDCNameInfo **)r->out.dc_info);
if (!NT_STATUS_IS_OK(status)) {
libnetapi_set_error_string(ctx,
"failed to find DC: %s",
get_friendly_nt_error_msg(status));
}
return ntstatus_to_werror(status);
}
static void wbsrv_samba3_async_auth_epilogue(NTSTATUS status,
struct wbsrv_samba3_call *s3call)
{
struct winbindd_response *resp = &s3call->response;
if (!NT_STATUS_IS_OK(status)) {
resp->result = WINBINDD_ERROR;
} else {
resp->result = WINBINDD_OK;
}
WBSRV_SAMBA3_SET_STRING(resp->data.auth.nt_status_string,
nt_errstr(status));
WBSRV_SAMBA3_SET_STRING(resp->data.auth.error_string,
get_friendly_nt_error_msg(status));
resp->data.auth.pam_error = nt_status_to_pam(status);
resp->data.auth.nt_status = NT_STATUS_V(status);
wbsrv_samba3_send_reply(s3call);
}
WERROR DsGetDcName_l(struct libnetapi_ctx *ctx,
struct DsGetDcName *r)
{
NTSTATUS status;
struct libnetapi_private_ctx *priv;
priv = talloc_get_type_abort(ctx->private_data,
struct libnetapi_private_ctx);
status = dsgetdcname(ctx,
priv->msg_ctx,
r->in.domain_name,
r->in.domain_guid,
r->in.site_name,
r->in.flags,
(struct netr_DsRGetDCNameInfo **)r->out.dc_info);
if (!NT_STATUS_IS_OK(status)) {
libnetapi_set_error_string(ctx,
"failed to find DC: %s",
get_friendly_nt_error_msg(status));
}
return ntstatus_to_werror(status);
}
enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
{
NTSTATUS result;
fstring name_domain, name_user;
unsigned char trust_passwd[16];
time_t last_change_time;
uint32 sec_channel_type;
NET_USER_INFO_3 info3;
struct cli_state *cli = NULL;
uchar chal[8];
TALLOC_CTX *mem_ctx = NULL;
DATA_BLOB lm_resp;
DATA_BLOB nt_resp;
DOM_CRED ret_creds;
int attempts = 0;
unsigned char local_lm_response[24];
unsigned char local_nt_response[24];
struct winbindd_domain *contact_domain;
BOOL retry;
/* Ensure null termination */
state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0';
/* Ensure null termination */
state->request.data.auth.pass[sizeof(state->request.data.auth.pass)-1]='\0';
DEBUG(3, ("[%5lu]: pam auth %s\n", (unsigned long)state->pid,
state->request.data.auth.user));
if (!(mem_ctx = talloc_init("winbind pam auth for %s", state->request.data.auth.user))) {
DEBUG(0, ("winbindd_pam_auth: could not talloc_init()!\n"));
result = NT_STATUS_NO_MEMORY;
goto done;
}
/* Parse domain and username */
parse_domain_user(state->request.data.auth.user, name_domain, name_user);
/* do password magic */
generate_random_buffer(chal, 8);
SMBencrypt(state->request.data.auth.pass, chal, local_lm_response);
SMBNTencrypt(state->request.data.auth.pass, chal, local_nt_response);
lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
/* what domain should we contact? */
if ( IS_DC ) {
if (!(contact_domain = find_domain_from_name(name_domain))) {
DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
state->request.data.auth.user, name_domain, name_user, name_domain));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
} else {
if (is_myname(name_domain)) {
DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
if (!(contact_domain = find_our_domain())) {
DEBUG(1, ("Authentication for [%s] -> [%s]\\[%s] in our domain failed - we can't find our domain!\n",
state->request.data.auth.user, name_domain, name_user));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
}
if ( !get_trust_pw(contact_domain->name, trust_passwd, &last_change_time, &sec_channel_type) ) {
result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
goto done;
}
/* check authentication loop */
do {
ZERO_STRUCT(info3);
ZERO_STRUCT(ret_creds);
retry = False;
/* Don't shut this down - it belongs to the connection cache code */
result = cm_get_netlogon_cli(contact_domain, trust_passwd,
sec_channel_type, False, &cli);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
goto done;
}
result = cli_netlogon_sam_network_logon(cli, mem_ctx,
&ret_creds,
name_user, name_domain,
global_myname(), chal,
lm_resp, nt_resp,
&info3);
attempts += 1;
/* We have to try a second time as cm_get_netlogon_cli
might not yet have noticed that the DC has killed
our connection. */
if ( cli->fd == -1 ) {
retry = True;
continue;
}
/* if we get access denied, a possible cuase was that we had and open
connection to the DC, but someone changed our machine account password
out from underneath us using 'net rpc changetrustpw' */
if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) {
DEBUG(3,("winbindd_pam_auth: sam_logon returned ACCESS_DENIED. Maybe the trust account "
"password was changed and we didn't know it. Killing connections to domain %s\n",
name_domain));
winbindd_cm_flush();
retry = True;
cli = NULL;
}
} while ( (attempts < 2) && retry );
if (cli != NULL) {
/* We might have come out of the loop above with cli == NULL,
so don't dereference that. */
clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);
}
if (NT_STATUS_IS_OK(result)) {
netsamlogon_cache_store( cli->mem_ctx, &info3 );
wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
/* Check if the user is in the right group */
if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth.required_membership_sid))) {
DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
state->request.data.auth.user,
state->request.data.auth.required_membership_sid));
}
}
done:
/* give us a more useful (more correct?) error code */
if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
result = NT_STATUS_NO_LOGON_SERVERS;
}
state->response.data.auth.nt_status = NT_STATUS_V(result);
fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
/* we might have given a more useful error above */
if (!*state->response.data.auth.error_string)
fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
state->response.data.auth.pam_error = nt_status_to_pam(result);
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
state->request.data.auth.user,
state->response.data.auth.nt_status_string,
state->response.data.auth.pam_error));
if ( NT_STATUS_IS_OK(result) &&
(state->request.flags & WBFLAG_PAM_AFS_TOKEN) ) {
char *afsname = strdup(lp_afs_username_map());
char *cell;
if (afsname == NULL) goto no_token;
afsname = realloc_string_sub(afsname, "%D", name_domain);
afsname = realloc_string_sub(afsname, "%u", name_user);
afsname = realloc_string_sub(afsname, "%U", name_user);
if (afsname == NULL) goto no_token;
strlower_m(afsname);
cell = strchr(afsname, '@');
if (cell == NULL) goto no_token;
*cell = '\0';
cell += 1;
/* Append an AFS token string */
state->response.extra_data =
afs_createtoken_str(afsname, cell);
if (state->response.extra_data != NULL)
state->response.length +=
strlen(state->response.extra_data)+1;
no_token:
SAFE_FREE(afsname);
}
if (mem_ctx)
talloc_destroy(mem_ctx);
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
/* Lookup groups a user is a member of. */
static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const DOM_SID *user_sid,
uint32 *num_groups, DOM_SID ***user_gids)
{
struct winbind_cache *cache = get_cache(domain);
struct cache_entry *centry = NULL;
NTSTATUS status;
unsigned int i;
fstring sid_string;
if (!cache->tdb)
goto do_query;
centry = wcache_fetch(cache, domain, "UG/%s", sid_to_string(sid_string, user_sid));
/* If we have an access denied cache entry and a cached info3 in the
samlogon cache then do a query. This will force the rpc back end
to return the info3 data. */
if (NT_STATUS_V(domain->last_status) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) &&
netsamlogon_cache_have(user_sid)) {
DEBUG(10, ("query_user: cached access denied and have cached info3\n"));
domain->last_status = NT_STATUS_OK;
centry_free(centry);
goto do_query;
}
if (!centry)
goto do_query;
*num_groups = centry_uint32(centry);
if (*num_groups == 0)
goto do_cached;
(*user_gids) = talloc(mem_ctx, sizeof(**user_gids) * (*num_groups));
if (! (*user_gids))
smb_panic("lookup_usergroups out of memory");
for (i=0; i<(*num_groups); i++) {
(*user_gids)[i] = centry_sid(centry, mem_ctx);
}
do_cached:
status = centry->status;
DEBUG(10,("lookup_usergroups: [Cached] - cached info for domain %s status %s\n",
domain->name, get_friendly_nt_error_msg(status) ));
centry_free(centry);
return status;
do_query:
(*num_groups) = 0;
(*user_gids) = NULL;
/* Return status value returned by seq number check */
if (!NT_STATUS_IS_OK(domain->last_status))
return domain->last_status;
DEBUG(10,("lookup_usergroups: [Cached] - doing backend query for info for domain %s\n",
domain->name ));
status = domain->backend->lookup_usergroups(domain, mem_ctx, user_sid, num_groups, user_gids);
/* and save it */
refresh_sequence_number(domain, False);
centry = centry_start(domain, status);
if (!centry)
goto skip_save;
centry_put_uint32(centry, *num_groups);
for (i=0; i<(*num_groups); i++) {
centry_put_sid(centry, (*user_gids)[i]);
}
centry_end(centry, "UG/%s", sid_to_string(sid_string, user_sid));
centry_free(centry);
skip_save:
return status;
}
NTSTATUS remote_password_change(const char *remote_machine, const char *user_name,
const char *old_passwd, const char *new_passwd,
char **err_str)
{
struct cli_state *cli = NULL;
struct rpc_pipe_client *pipe_hnd = NULL;
char *user, *domain, *p;
NTSTATUS result;
bool pass_must_change = False;
user = talloc_strdup(talloc_tos(), user_name);
SMB_ASSERT(user != NULL);
domain = talloc_strdup(talloc_tos(), "");
SMB_ASSERT(domain != NULL);
/* allow usernames of the form domain\\user or domain/user */
if ((p = strchr_m(user,'\\')) || (p = strchr_m(user,'/')) ||
(p = strchr_m(user,*lp_winbind_separator()))) {
*p = 0;
domain = user;
user = p+1;
}
*err_str = NULL;
result = cli_connect_nb(remote_machine, NULL, 0, 0x20, NULL,
SMB_SIGNING_DEFAULT, 0, &cli);
if (!NT_STATUS_IS_OK(result)) {
if (asprintf(err_str, "Unable to connect to SMB server on "
"machine %s. Error was : %s.\n",
remote_machine, nt_errstr(result))==-1) {
*err_str = NULL;
}
return result;
}
result = cli_negprot(cli, PROTOCOL_NT1);
if (!NT_STATUS_IS_OK(result)) {
if (asprintf(err_str, "machine %s rejected the negotiate "
"protocol. Error was : %s.\n",
remote_machine, nt_errstr(result)) == -1) {
*err_str = NULL;
}
cli_shutdown(cli);
return result;
}
/* Given things like SMB signing, restrict anonymous and the like,
try an authenticated connection first */
result = cli_session_setup(cli, user_name,
old_passwd, strlen(old_passwd)+1,
old_passwd, strlen(old_passwd)+1, "");
if (!NT_STATUS_IS_OK(result)) {
/* Password must change or Password expired are the only valid
* error conditions here from where we can proceed, the rest like
* account locked out or logon failure will lead to errors later
* anyway */
if (!NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) &&
!NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED)) {
if (asprintf(err_str, "Could not connect to machine %s: "
"%s\n", remote_machine, nt_errstr(result)) == -1) {
*err_str = NULL;
}
cli_shutdown(cli);
return result;
}
pass_must_change = True;
/*
* We should connect as the anonymous user here, in case
* the server has "must change password" checked...
* Thanks to <*****@*****.**> for this fix.
*/
result = cli_session_setup(cli, "", "", 0, "", 0, "");
if (!NT_STATUS_IS_OK(result)) {
if (asprintf(err_str, "machine %s rejected the session "
"setup. Error was : %s.\n",
remote_machine, nt_errstr(result)) == -1) {
*err_str = NULL;
}
cli_shutdown(cli);
return result;
}
result = cli_init_creds(cli, "", "", NULL);
if (!NT_STATUS_IS_OK(result)) {
cli_shutdown(cli);
return result;
}
} else {
result = cli_init_creds(cli, user, domain, old_passwd);
if (!NT_STATUS_IS_OK(result)) {
cli_shutdown(cli);
return result;
}
}
result = cli_tree_connect(cli, "IPC$", "IPC", "", 1);
if (!NT_STATUS_IS_OK(result)) {
if (asprintf(err_str, "machine %s rejected the tconX on the "
"IPC$ share. Error was : %s.\n",
remote_machine, nt_errstr(result))) {
*err_str = NULL;
}
cli_shutdown(cli);
return result;
}
/* Try not to give the password away too easily */
if (!pass_must_change) {
result = cli_rpc_pipe_open_ntlmssp(cli,
&ndr_table_samr.syntax_id,
NCACN_NP,
DCERPC_AUTH_LEVEL_PRIVACY,
domain, user,
old_passwd,
&pipe_hnd);
} else {
/*
* If the user password must be changed the ntlmssp bind will
* fail the same way as the session setup above did. The
* difference ist that with a pipe bind we don't get a good
* error message, the result will be that the rpc call below
* will just fail. So we do it anonymously, there's no other
* way.
*/
result = cli_rpc_pipe_open_noauth(
cli, &ndr_table_samr.syntax_id, &pipe_hnd);
}
if (!NT_STATUS_IS_OK(result)) {
if (lp_client_lanman_auth()) {
/* Use the old RAP method. */
if (!cli_oem_change_password(cli, user_name, new_passwd, old_passwd)) {
result = cli_nt_error(cli);
if (asprintf(err_str, "machine %s rejected the "
"password change: Error was : %s.\n",
remote_machine, nt_errstr(result)) == -1) {
*err_str = NULL;
}
cli_shutdown(cli);
return result;
}
} else {
if (asprintf(err_str, "SAMR connection to machine %s "
"failed. Error was %s, but LANMAN password "
"changes are disabled\n",
remote_machine, nt_errstr(result)) == -1) {
*err_str = NULL;
}
cli_shutdown(cli);
return result;
}
}
result = rpccli_samr_chgpasswd_user2(pipe_hnd, talloc_tos(),
user_name, new_passwd, old_passwd);
if (NT_STATUS_IS_OK(result)) {
/* Great - it all worked! */
cli_shutdown(cli);
return NT_STATUS_OK;
} else if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
|| NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
/* it failed, but for reasons such as wrong password, too short etc ... */
if (asprintf(err_str, "machine %s rejected the password change: "
"Error was : %s.\n",
remote_machine, get_friendly_nt_error_msg(result)) == -1) {
*err_str = NULL;
}
cli_shutdown(cli);
return result;
}
/* OK, that failed, so try again... */
TALLOC_FREE(pipe_hnd);
/* Try anonymous NTLMSSP... */
result = cli_init_creds(cli, "", "", NULL);
if (!NT_STATUS_IS_OK(result)) {
cli_shutdown(cli);
return result;
}
result = NT_STATUS_UNSUCCESSFUL;
/* OK, this is ugly, but... try an anonymous pipe. */
result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
&pipe_hnd);
if ( NT_STATUS_IS_OK(result) &&
(NT_STATUS_IS_OK(result = rpccli_samr_chgpasswd_user2(
pipe_hnd, talloc_tos(), user_name,
new_passwd, old_passwd)))) {
/* Great - it all worked! */
cli_shutdown(cli);
return NT_STATUS_OK;
} else {
if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
|| NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
/* it failed, but again it was due to things like new password too short */
if (asprintf(err_str, "machine %s rejected the "
"(anonymous) password change: Error was : "
"%s.\n", remote_machine,
get_friendly_nt_error_msg(result)) == -1) {
*err_str = NULL;
}
cli_shutdown(cli);
return result;
}
/* We have failed to change the user's password, and we think the server
just might not support SAMR password changes, so fall back */
if (lp_client_lanman_auth()) {
/* Use the old RAP method. */
if (cli_oem_change_password(cli, user_name, new_passwd, old_passwd)) {
/* SAMR failed, but the old LanMan protocol worked! */
cli_shutdown(cli);
return NT_STATUS_OK;
}
result = cli_nt_error(cli);
if (asprintf(err_str, "machine %s rejected the password "
"change: Error was : %s.\n",
remote_machine, nt_errstr(result)) == -1) {
*err_str = NULL;
}
cli_shutdown(cli);
return result;
} else {
if (asprintf(err_str, "SAMR connection to machine %s "
"failed. Error was %s, but LANMAN password "
"changes are disabled\n",
nt_errstr(result), remote_machine) == -1) {
*err_str = NULL;
}
cli_shutdown(cli);
return NT_STATUS_UNSUCCESSFUL;
}
}
}
static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const DOM_SID *group_sid, uint32 *num_names,
DOM_SID ***sid_mem, char ***names,
uint32 **name_types)
{
struct winbind_cache *cache = get_cache(domain);
struct cache_entry *centry = NULL;
NTSTATUS status;
unsigned int i;
fstring sid_string;
if (!cache->tdb)
goto do_query;
centry = wcache_fetch(cache, domain, "GM/%s", sid_to_string(sid_string, group_sid));
if (!centry)
goto do_query;
*num_names = centry_uint32(centry);
if (*num_names == 0)
goto do_cached;
(*sid_mem) = talloc(mem_ctx, sizeof(**sid_mem) * (*num_names));
(*names) = talloc(mem_ctx, sizeof(**names) * (*num_names));
(*name_types) = talloc(mem_ctx, sizeof(**name_types) * (*num_names));
if (! (*sid_mem) || ! (*names) || ! (*name_types)) {
smb_panic("lookup_groupmem out of memory");
}
for (i=0; i<(*num_names); i++) {
(*sid_mem)[i] = centry_sid(centry, mem_ctx);
(*names)[i] = centry_string(centry, mem_ctx);
(*name_types)[i] = centry_uint32(centry);
}
do_cached:
status = centry->status;
DEBUG(10,("lookup_groupmem: [Cached] - cached info for domain %s status %s\n",
domain->name, get_friendly_nt_error_msg(status) ));
centry_free(centry);
return status;
do_query:
(*num_names) = 0;
(*sid_mem) = NULL;
(*names) = NULL;
(*name_types) = NULL;
/* Return status value returned by seq number check */
if (!NT_STATUS_IS_OK(domain->last_status))
return domain->last_status;
DEBUG(10,("lookup_groupmem: [Cached] - doing backend query for info for domain %s\n",
domain->name ));
status = domain->backend->lookup_groupmem(domain, mem_ctx, group_sid, num_names,
sid_mem, names, name_types);
/* and save it */
refresh_sequence_number(domain, False);
centry = centry_start(domain, status);
if (!centry)
goto skip_save;
centry_put_uint32(centry, *num_names);
for (i=0; i<(*num_names); i++) {
centry_put_sid(centry, (*sid_mem)[i]);
centry_put_string(centry, (*names)[i]);
centry_put_uint32(centry, (*name_types)[i]);
}
centry_end(centry, "GM/%s", sid_to_string(sid_string, group_sid));
centry_free(centry);
skip_save:
return status;
}
/* list all domain groups */
static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32 *num_entries,
struct acct_info **info)
{
struct winbind_cache *cache = get_cache(domain);
struct cache_entry *centry = NULL;
NTSTATUS status;
unsigned int i;
if (!cache->tdb)
goto do_query;
centry = wcache_fetch(cache, domain, "GL/%s/local", domain->name);
if (!centry)
goto do_query;
*num_entries = centry_uint32(centry);
if (*num_entries == 0)
goto do_cached;
(*info) = talloc(mem_ctx, sizeof(**info) * (*num_entries));
if (! (*info))
smb_panic("enum_dom_groups out of memory");
for (i=0; i<(*num_entries); i++) {
fstrcpy((*info)[i].acct_name, centry_string(centry, mem_ctx));
fstrcpy((*info)[i].acct_desc, centry_string(centry, mem_ctx));
(*info)[i].rid = centry_uint32(centry);
}
do_cached:
/* If we are returning cached data and the domain controller
is down then we don't know whether the data is up to date
or not. Return NT_STATUS_MORE_PROCESSING_REQUIRED to
indicate this. */
if (wcache_server_down(domain)) {
DEBUG(10, ("enum_local_groups: returning cached user list and server was down\n"));
status = NT_STATUS_MORE_PROCESSING_REQUIRED;
} else
status = centry->status;
DEBUG(10,("enum_local_groups: [Cached] - cached list for domain %s status %s\n",
domain->name, get_friendly_nt_error_msg(status) ));
centry_free(centry);
return status;
do_query:
*num_entries = 0;
*info = NULL;
/* Return status value returned by seq number check */
if (!NT_STATUS_IS_OK(domain->last_status))
return domain->last_status;
DEBUG(10,("enum_local_groups: [Cached] - doing backend query for list for domain %s\n",
domain->name ));
status = domain->backend->enum_local_groups(domain, mem_ctx, num_entries, info);
/* and save it */
refresh_sequence_number(domain, False);
centry = centry_start(domain, status);
if (!centry)
goto skip_save;
centry_put_uint32(centry, *num_entries);
for (i=0; i<(*num_entries); i++) {
centry_put_string(centry, (*info)[i].acct_name);
centry_put_string(centry, (*info)[i].acct_desc);
centry_put_uint32(centry, (*info)[i].rid);
}
centry_end(centry, "GL/%s/local", domain->name);
centry_free(centry);
skip_save:
return status;
}
static WERROR cmd_drsuapi_getncchanges(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
NTSTATUS status;
WERROR werr;
struct policy_handle bind_handle;
struct dcerpc_binding_handle *b = cli->binding_handle;
struct GUID bind_guid;
struct drsuapi_DsBindInfoCtr bind_info;
struct drsuapi_DsBindInfo28 info28;
const char *nc_dn = NULL;
DATA_BLOB session_key;
uint32_t level = 8;
bool single = false;
uint32_t level_out = 0;
union drsuapi_DsGetNCChangesRequest req;
union drsuapi_DsGetNCChangesCtr ctr;
struct drsuapi_DsReplicaObjectIdentifier nc;
struct drsuapi_DsGetNCChangesCtr1 *ctr1 = NULL;
struct drsuapi_DsGetNCChangesCtr6 *ctr6 = NULL;
uint32_t out_level = 0;
int y;
uint32_t supported_extensions = 0;
uint32_t replica_flags = DRSUAPI_DRS_WRIT_REP |
DRSUAPI_DRS_INIT_SYNC |
DRSUAPI_DRS_PER_SYNC |
DRSUAPI_DRS_GET_ANC |
DRSUAPI_DRS_NEVER_SYNCED;
if (argc > 3) {
printf("usage: %s [naming_context_or_object_dn [single]]\n", argv[0]);
return WERR_OK;
}
if (argc >= 2) {
nc_dn = argv[1];
}
if (argc == 3) {
if (strequal(argv[2], "single")) {
single = true;
} else {
printf("warning: ignoring unknown argument '%s'\n",
argv[2]);
}
}
ZERO_STRUCT(info28);
ZERO_STRUCT(req);
GUID_from_string(DRSUAPI_DS_BIND_GUID, &bind_guid);
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_BASE;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7;
info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT;
info28.site_guid = GUID_zero();
info28.pid = 0;
info28.repl_epoch = 0;
bind_info.length = 28;
bind_info.info.info28 = info28;
status = dcerpc_drsuapi_DsBind(b, mem_ctx,
&bind_guid,
&bind_info,
&bind_handle,
&werr);
if (!NT_STATUS_IS_OK(status)) {
return ntstatus_to_werror(status);
}
if (!W_ERROR_IS_OK(werr)) {
return werr;
}
if (bind_info.length == 24) {
supported_extensions = bind_info.info.info24.supported_extensions;
} else if (bind_info.length == 28) {
supported_extensions = bind_info.info.info28.supported_extensions;
} else if (bind_info.length == 32) {
supported_extensions = bind_info.info.info32.supported_extensions;
} else if (bind_info.length == 48) {
supported_extensions = bind_info.info.info48.supported_extensions;
} else if (bind_info.length == 52) {
supported_extensions = bind_info.info.info52.supported_extensions;
}
if (!nc_dn) {
union drsuapi_DsNameCtr crack_ctr;
const char *name;
name = talloc_asprintf(mem_ctx, "%s\\", lp_workgroup());
W_ERROR_HAVE_NO_MEMORY(name);
werr = cracknames(cli, mem_ctx,
&bind_handle,
DRSUAPI_DS_NAME_FORMAT_UNKNOWN,
DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
1,
&name,
&crack_ctr);
if (!W_ERROR_IS_OK(werr)) {
return werr;
}
if (crack_ctr.ctr1->count != 1) {
return WERR_NO_SUCH_DOMAIN;
}
if (crack_ctr.ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_OK) {
return WERR_NO_SUCH_DOMAIN;
}
nc_dn = talloc_strdup(mem_ctx, crack_ctr.ctr1->array[0].result_name);
W_ERROR_HAVE_NO_MEMORY(nc_dn);
printf("using: %s\n", nc_dn);
}
nc.dn = nc_dn;
nc.guid = GUID_zero();
nc.sid = (struct dom_sid) {0};
if (supported_extensions & DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8) {
level = 8;
req.req8.naming_context = &nc;
req.req8.replica_flags = replica_flags;
req.req8.max_object_count = 402;
req.req8.max_ndr_size = 402116;
if (single) {
req.req8.extended_op = DRSUAPI_EXOP_REPL_OBJ;
}
} else {
level = 5;
req.req5.naming_context = &nc;
req.req5.replica_flags = replica_flags;
req.req5.max_object_count = 402;
req.req5.max_ndr_size = 402116;
if (single) {
req.req5.extended_op = DRSUAPI_EXOP_REPL_OBJ;
}
}
for (y=0; ;y++) {
if (level == 8) {
DEBUG(1,("start[%d] tmp_higest_usn: %llu , highest_usn: %llu\n",y,
(long long)req.req8.highwatermark.tmp_highest_usn,
(long long)req.req8.highwatermark.highest_usn));
}
status = dcerpc_drsuapi_DsGetNCChanges(b, mem_ctx,
&bind_handle,
level,
&req,
&level_out,
&ctr,
&werr);
if (!NT_STATUS_IS_OK(status)) {
werr = ntstatus_to_werror(status);
printf("Failed to get NC Changes: %s",
get_friendly_nt_error_msg(status));
goto out;
}
if (!W_ERROR_IS_OK(werr)) {
printf("Failed to get NC Changes: %s",
get_friendly_werror_msg(werr));
goto out;
}
if (level_out == 1) {
out_level = 1;
ctr1 = &ctr.ctr1;
} else if (level_out == 2 && ctr.ctr2.mszip1.ts) {
out_level = 1;
ctr1 = &ctr.ctr2.mszip1.ts->ctr1;
}
status = cli_get_session_key(mem_ctx, cli, &session_key);
if (!NT_STATUS_IS_OK(status)) {
printf("Failed to get Session Key: %s",
nt_errstr(status));
return ntstatus_to_werror(status);
}
if (out_level == 1) {
DEBUG(1,("end[%d] tmp_highest_usn: %llu , highest_usn: %llu\n",y,
(long long)ctr1->new_highwatermark.tmp_highest_usn,
(long long)ctr1->new_highwatermark.highest_usn));
#if 0
libnet_dssync_decrypt_attributes(mem_ctx,
&session_key,
ctr1->first_object);
#endif
if (ctr1->more_data) {
req.req5.highwatermark = ctr1->new_highwatermark;
continue;
}
}
if (level_out == 6) {
out_level = 6;
ctr6 = &ctr.ctr6;
} else if (level_out == 7
&& ctr.ctr7.level == 6
&& ctr.ctr7.type == DRSUAPI_COMPRESSION_TYPE_MSZIP
&& ctr.ctr7.ctr.mszip6.ts) {
out_level = 6;
ctr6 = &ctr.ctr7.ctr.mszip6.ts->ctr6;
} else if (level_out == 7
&& ctr.ctr7.level == 6
&& ctr.ctr7.type == DRSUAPI_COMPRESSION_TYPE_XPRESS
&& ctr.ctr7.ctr.xpress6.ts) {
out_level = 6;
ctr6 = &ctr.ctr7.ctr.xpress6.ts->ctr6;
}
if (out_level == 6) {
DEBUG(1,("end[%d] tmp_highest_usn: %llu , highest_usn: %llu\n",y,
(long long)ctr6->new_highwatermark.tmp_highest_usn,
(long long)ctr6->new_highwatermark.highest_usn));
#if 0
libnet_dssync_decrypt_attributes(mem_ctx,
&session_key,
ctr6->first_object);
#endif
if (ctr6->more_data) {
req.req8.highwatermark = ctr6->new_highwatermark;
continue;
}
}
break;
}
out:
return werr;
}
/* List of commands exported by this module */
struct cmd_set drsuapi_commands[] = {
{ "DRSUAPI" },
{ "dscracknames", RPC_RTYPE_WERROR, NULL, cmd_drsuapi_cracknames, &ndr_table_drsuapi, NULL, "Crack Name", "" },
{ "dsgetdcinfo", RPC_RTYPE_WERROR, NULL, cmd_drsuapi_getdcinfo, &ndr_table_drsuapi, NULL, "Get Domain Controller Info", "" },
{ "dsgetncchanges", RPC_RTYPE_WERROR, NULL, cmd_drsuapi_getncchanges, &ndr_table_drsuapi, NULL, "Get NC Changes", "" },
{ "dswriteaccountspn", RPC_RTYPE_WERROR, NULL, cmd_drsuapi_writeaccountspn, &ndr_table_drsuapi, NULL, "Write Account SPN", "" },
{ NULL }
};
WERROR NetJoinDomain_l(struct libnetapi_ctx *mem_ctx,
struct NetJoinDomain *r)
{
struct libnet_JoinCtx *j = NULL;
WERROR werr;
if (!r->in.domain) {
return WERR_INVALID_PARAM;
}
werr = libnet_init_JoinCtx(mem_ctx, &j);
W_ERROR_NOT_OK_RETURN(werr);
j->in.domain_name = talloc_strdup(mem_ctx, r->in.domain);
W_ERROR_HAVE_NO_MEMORY(j->in.domain_name);
if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
NTSTATUS status;
struct netr_DsRGetDCNameInfo *info = NULL;
const char *dc = NULL;
uint32_t flags = DS_DIRECTORY_SERVICE_REQUIRED |
DS_WRITABLE_REQUIRED |
DS_RETURN_DNS_NAME;
status = dsgetdcname(mem_ctx, NULL, r->in.domain,
NULL, NULL, flags, &info);
if (!NT_STATUS_IS_OK(status)) {
libnetapi_set_error_string(mem_ctx,
"%s", get_friendly_nt_error_msg(status));
return ntstatus_to_werror(status);
}
dc = strip_hostname(info->dc_unc);
j->in.dc_name = talloc_strdup(mem_ctx, dc);
W_ERROR_HAVE_NO_MEMORY(j->in.dc_name);
}
if (r->in.account_ou) {
j->in.account_ou = talloc_strdup(mem_ctx, r->in.account_ou);
W_ERROR_HAVE_NO_MEMORY(j->in.account_ou);
}
if (r->in.account) {
j->in.admin_account = talloc_strdup(mem_ctx, r->in.account);
W_ERROR_HAVE_NO_MEMORY(j->in.admin_account);
}
if (r->in.password) {
j->in.admin_password = talloc_strdup(mem_ctx, r->in.password);
W_ERROR_HAVE_NO_MEMORY(j->in.admin_password);
}
j->in.join_flags = r->in.join_flags;
j->in.modify_config = true;
j->in.debug = true;
werr = libnet_Join(mem_ctx, j);
if (!W_ERROR_IS_OK(werr) && j->out.error_string) {
libnetapi_set_error_string(mem_ctx, "%s", j->out.error_string);
}
TALLOC_FREE(j);
return werr;
}
WERROR NetUnjoinDomain_l(struct libnetapi_ctx *mem_ctx,
struct NetUnjoinDomain *r)
{
struct libnet_UnjoinCtx *u = NULL;
struct dom_sid domain_sid;
const char *domain = NULL;
WERROR werr;
if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
return WERR_SETUP_NOT_JOINED;
}
werr = libnet_init_UnjoinCtx(mem_ctx, &u);
W_ERROR_NOT_OK_RETURN(werr);
if (lp_realm()) {
domain = lp_realm();
} else {
domain = lp_workgroup();
}
if (r->in.server_name) {
u->in.dc_name = talloc_strdup(mem_ctx, r->in.server_name);
W_ERROR_HAVE_NO_MEMORY(u->in.dc_name);
} else {
NTSTATUS status;
struct netr_DsRGetDCNameInfo *info = NULL;
const char *dc = NULL;
uint32_t flags = DS_DIRECTORY_SERVICE_REQUIRED |
DS_WRITABLE_REQUIRED |
DS_RETURN_DNS_NAME;
status = dsgetdcname(mem_ctx, NULL, domain,
NULL, NULL, flags, &info);
if (!NT_STATUS_IS_OK(status)) {
libnetapi_set_error_string(mem_ctx,
"failed to find DC for domain %s: %s",
domain,
get_friendly_nt_error_msg(status));
return ntstatus_to_werror(status);
}
dc = strip_hostname(info->dc_unc);
u->in.dc_name = talloc_strdup(mem_ctx, dc);
W_ERROR_HAVE_NO_MEMORY(u->in.dc_name);
u->in.domain_name = domain;
}
if (r->in.account) {
u->in.admin_account = talloc_strdup(mem_ctx, r->in.account);
W_ERROR_HAVE_NO_MEMORY(u->in.admin_account);
}
if (r->in.password) {
u->in.admin_password = talloc_strdup(mem_ctx, r->in.password);
W_ERROR_HAVE_NO_MEMORY(u->in.admin_password);
}
u->in.domain_name = domain;
u->in.unjoin_flags = r->in.unjoin_flags;
u->in.delete_machine_account = false;
u->in.modify_config = true;
u->in.debug = true;
u->in.domain_sid = &domain_sid;
werr = libnet_Unjoin(mem_ctx, u);
if (!W_ERROR_IS_OK(werr) && u->out.error_string) {
libnetapi_set_error_string(mem_ctx, "%s", u->out.error_string);
}
TALLOC_FREE(u);
return werr;
}
/* list all domain groups */
static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32 *num_entries,
struct acct_info **info)
{
struct winbind_cache *cache = get_cache(domain);
struct cache_entry *centry = NULL;
NTSTATUS status;
unsigned int i;
if (!cache->tdb)
goto do_query;
centry = wcache_fetch(cache, domain, "GL/%s/domain", domain->name);
if (!centry)
goto do_query;
*num_entries = centry_uint32(centry);
if (*num_entries == 0)
goto do_cached;
(*info) = talloc(mem_ctx, sizeof(**info) * (*num_entries));
if (! (*info))
smb_panic("enum_dom_groups out of memory");
for (i=0; i<(*num_entries); i++) {
fstrcpy((*info)[i].acct_name, centry_string(centry, mem_ctx));
fstrcpy((*info)[i].acct_desc, centry_string(centry, mem_ctx));
(*info)[i].rid = centry_uint32(centry);
}
do_cached:
status = centry->status;
DEBUG(10,("enum_dom_groups: [Cached] - cached list for domain %s status %s\n",
domain->name, get_friendly_nt_error_msg(status) ));
centry_free(centry);
return status;
do_query:
*num_entries = 0;
*info = NULL;
/* Return status value returned by seq number check */
if (!NT_STATUS_IS_OK(domain->last_status))
return domain->last_status;
DEBUG(10,("enum_dom_groups: [Cached] - doing backend query for list for domain %s\n",
domain->name ));
status = domain->backend->enum_dom_groups(domain, mem_ctx, num_entries, info);
/* and save it */
refresh_sequence_number(domain, False);
centry = centry_start(domain, status);
if (!centry)
goto skip_save;
centry_put_uint32(centry, *num_entries);
for (i=0; i<(*num_entries); i++) {
centry_put_string(centry, (*info)[i].acct_name);
centry_put_string(centry, (*info)[i].acct_desc);
centry_put_uint32(centry, (*info)[i].rid);
}
centry_end(centry, "GL/%s/domain", domain->name);
centry_free(centry);
skip_save:
return status;
}
NTSTATUS remote_password_change(const char *remote_machine, const char *user_name,
const char *old_passwd, const char *new_passwd,
char **err_str)
{
struct nmb_name calling, called;
struct cli_state *cli;
struct rpc_pipe_client *pipe_hnd;
struct sockaddr_storage ss;
NTSTATUS result;
bool pass_must_change = False;
*err_str = NULL;
if(!resolve_name( remote_machine, &ss, 0x20)) {
asprintf(err_str, "Unable to find an IP address for machine "
"%s.\n", remote_machine);
return NT_STATUS_UNSUCCESSFUL;
}
cli = cli_initialise();
if (!cli) {
return NT_STATUS_NO_MEMORY;
}
result = cli_connect(cli, remote_machine, &ss);
if (!NT_STATUS_IS_OK(result)) {
asprintf(err_str, "Unable to connect to SMB server on "
"machine %s. Error was : %s.\n",
remote_machine, nt_errstr(result));
cli_shutdown(cli);
return result;
}
make_nmb_name(&calling, global_myname() , 0x0);
make_nmb_name(&called , remote_machine, 0x20);
if (!cli_session_request(cli, &calling, &called)) {
asprintf(err_str, "machine %s rejected the session setup. "
"Error was : %s.\n",
remote_machine, cli_errstr(cli) );
result = cli_nt_error(cli);
cli_shutdown(cli);
return result;
}
cli->protocol = PROTOCOL_NT1;
if (!cli_negprot(cli)) {
asprintf(err_str, "machine %s rejected the negotiate "
"protocol. Error was : %s.\n",
remote_machine, cli_errstr(cli) );
result = cli_nt_error(cli);
cli_shutdown(cli);
return result;
}
/* Given things like SMB signing, restrict anonymous and the like,
try an authenticated connection first */
result = cli_session_setup(cli, user_name,
old_passwd, strlen(old_passwd)+1,
old_passwd, strlen(old_passwd)+1, "");
if (!NT_STATUS_IS_OK(result)) {
/* Password must change or Password expired are the only valid
* error conditions here from where we can proceed, the rest like
* account locked out or logon failure will lead to errors later
* anyway */
if (!NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) &&
!NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED)) {
asprintf(err_str, "Could not connect to machine %s: "
"%s\n", remote_machine, cli_errstr(cli));
cli_shutdown(cli);
return result;
}
pass_must_change = True;
/*
* We should connect as the anonymous user here, in case
* the server has "must change password" checked...
* Thanks to <*****@*****.**> for this fix.
*/
result = cli_session_setup(cli, "", "", 0, "", 0, "");
if (!NT_STATUS_IS_OK(result)) {
asprintf(err_str, "machine %s rejected the session "
"setup. Error was : %s.\n",
remote_machine, cli_errstr(cli) );
cli_shutdown(cli);
return result;
}
cli_init_creds(cli, "", "", NULL);
} else {
cli_init_creds(cli, user_name, "", old_passwd);
}
if (!cli_send_tconX(cli, "IPC$", "IPC", "", 1)) {
asprintf(err_str, "machine %s rejected the tconX on the IPC$ "
"share. Error was : %s.\n",
remote_machine, cli_errstr(cli) );
result = cli_nt_error(cli);
cli_shutdown(cli);
return result;
}
/* Try not to give the password away too easily */
if (!pass_must_change) {
pipe_hnd = cli_rpc_pipe_open_ntlmssp(cli,
PI_SAMR,
PIPE_AUTH_LEVEL_PRIVACY,
"", /* what domain... ? */
user_name,
old_passwd,
&result);
} else {
/*
* If the user password must be changed the ntlmssp bind will
* fail the same way as the session setup above did. The
* difference ist that with a pipe bind we don't get a good
* error message, the result will be that the rpc call below
* will just fail. So we do it anonymously, there's no other
* way.
*/
pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &result);
}
if (!pipe_hnd) {
if (lp_client_lanman_auth()) {
/* Use the old RAP method. */
if (!cli_oem_change_password(cli, user_name, new_passwd, old_passwd)) {
asprintf(err_str, "machine %s rejected the "
"password change: Error was : %s.\n",
remote_machine, cli_errstr(cli) );
result = cli_nt_error(cli);
cli_shutdown(cli);
return result;
}
} else {
asprintf(err_str, "SAMR connection to machine %s "
"failed. Error was %s, but LANMAN password "
"changed are disabled\n",
nt_errstr(result), remote_machine);
result = cli_nt_error(cli);
cli_shutdown(cli);
return result;
}
}
if (NT_STATUS_IS_OK(result = rpccli_samr_chgpasswd_user(pipe_hnd, pipe_hnd->mem_ctx, user_name,
new_passwd, old_passwd))) {
/* Great - it all worked! */
cli_shutdown(cli);
return NT_STATUS_OK;
} else if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
|| NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
/* it failed, but for reasons such as wrong password, too short etc ... */
asprintf(err_str, "machine %s rejected the password change: "
"Error was : %s.\n",
remote_machine, get_friendly_nt_error_msg(result));
cli_shutdown(cli);
return result;
}
/* OK, that failed, so try again... */
cli_rpc_pipe_close(pipe_hnd);
/* Try anonymous NTLMSSP... */
cli_init_creds(cli, "", "", NULL);
result = NT_STATUS_UNSUCCESSFUL;
/* OK, this is ugly, but... try an anonymous pipe. */
pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &result);
if ( pipe_hnd &&
(NT_STATUS_IS_OK(result = rpccli_samr_chgpasswd_user(pipe_hnd,
pipe_hnd->mem_ctx,
user_name,
new_passwd,
old_passwd)))) {
/* Great - it all worked! */
cli_shutdown(cli);
return NT_STATUS_OK;
} else {
if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
|| NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
/* it failed, but again it was due to things like new password too short */
asprintf(err_str, "machine %s rejected the "
"(anonymous) password change: Error was : "
"%s.\n", remote_machine,
get_friendly_nt_error_msg(result));
cli_shutdown(cli);
return result;
}
/* We have failed to change the user's password, and we think the server
just might not support SAMR password changes, so fall back */
if (lp_client_lanman_auth()) {
/* Use the old RAP method. */
if (cli_oem_change_password(cli, user_name, new_passwd, old_passwd)) {
/* SAMR failed, but the old LanMan protocol worked! */
cli_shutdown(cli);
return NT_STATUS_OK;
}
asprintf(err_str, "machine %s rejected the password "
"change: Error was : %s.\n",
remote_machine, cli_errstr(cli) );
result = cli_nt_error(cli);
cli_shutdown(cli);
return result;
} else {
asprintf(err_str, "SAMR connection to machine %s "
"failed. Error was %s, but LANMAN password "
"changed are disabled\n",
nt_errstr(result), remote_machine);
cli_shutdown(cli);
return NT_STATUS_UNSUCCESSFUL;
}
}
}
int main(int argc, char **argv)
{
TALLOC_CTX *ctx;
struct samu *out = NULL;
struct samu *in = NULL;
NTSTATUS rv;
int i;
struct timeval tv;
BOOL error = False;
struct passwd *pwd;
uint8 *buf;
uint32 expire, min_age, history;
struct pdb_methods *pdb;
poptContext pc;
static const char *backend = NULL;
static const char *unix_user = "******";
struct poptOption long_options[] = {
{"username", 'u', POPT_ARG_STRING, &unix_user, 0, "Unix user to use for testing", "USERNAME" },
{"backend", 'b', POPT_ARG_STRING, &backend, 0, "Backend to use if not default", "BACKEND[:SETTINGS]" },
POPT_AUTOHELP
POPT_COMMON_SAMBA
POPT_TABLEEND
};
load_case_tables();
pc = poptGetContext("vfstest", argc, (const char **) argv,
long_options, 0);
poptSetOtherOptionHelp(pc, "backend[:settings] username");
while(poptGetNextOpt(pc) != -1);
poptFreeContext(pc);
/* Load configuration */
lp_load(dyn_CONFIGFILE, False, False, True, True);
setup_logging("pdbtest", True);
if (backend == NULL) {
backend = lp_passdb_backend();
}
rv = make_pdb_method_name(&pdb, backend);
if (NT_STATUS_IS_ERR(rv)) {
fprintf(stderr, "Error initializing '%s': %s\n", backend, get_friendly_nt_error_msg(rv));
exit(1);
}
ctx = talloc_init("PDBTEST");
if (!(out = samu_new(ctx))) {
fprintf(stderr, "Can't create samu structure.\n");
exit(1);
}
if ((pwd = getpwnam_alloc(ctx, unix_user)) == NULL) {
fprintf(stderr, "Error getting user information for %s\n", unix_user);
exit(1);
}
samu_set_unix(out, pwd);
pdb_set_profile_path(out, "\\\\torture\\profile", PDB_SET);
pdb_set_homedir(out, "\\\\torture\\home", PDB_SET);
pdb_set_logon_script(out, "torture_script.cmd", PDB_SET);
pdb_get_account_policy(AP_PASSWORD_HISTORY, &history);
if (history * PW_HISTORY_ENTRY_LEN < NT_HASH_LEN) {
buf = (uint8 *)TALLOC(ctx, NT_HASH_LEN);
} else {
buf = (uint8 *)TALLOC(ctx, history * PW_HISTORY_ENTRY_LEN);
}
/* Generate some random hashes */
GetTimeOfDay(&tv);
srand(tv.tv_usec);
for (i = 0; i < NT_HASH_LEN; i++) {
buf[i] = (uint8) rand();
}
pdb_set_nt_passwd(out, buf, PDB_SET);
for (i = 0; i < LM_HASH_LEN; i++) {
buf[i] = (uint8) rand();
}
pdb_set_lanman_passwd(out, buf, PDB_SET);
for (i = 0; i < history * PW_HISTORY_ENTRY_LEN; i++) {
buf[i] = (uint8) rand();
}
pdb_set_pw_history(out, buf, history, PDB_SET);
pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &expire);
pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &min_age);
pdb_set_pass_last_set_time(out, time(NULL), PDB_SET);
if (expire == 0 || expire == (uint32)-1) {
pdb_set_pass_must_change_time(out, get_time_t_max(), PDB_SET);
} else {
pdb_set_pass_must_change_time(out, time(NULL)+expire, PDB_SET);
}
if (min_age == (uint32)-1) {
pdb_set_pass_can_change_time(out, 0, PDB_SET);
} else {
pdb_set_pass_can_change_time(out, time(NULL)+min_age, PDB_SET);
}
/* Create account */
if (!NT_STATUS_IS_OK(rv = pdb->add_sam_account(pdb, out))) {
fprintf(stderr, "Error in add_sam_account: %s\n",
get_friendly_nt_error_msg(rv));
exit(1);
}
if (!(in = samu_new(ctx))) {
fprintf(stderr, "Can't create samu structure.\n");
exit(1);
}
/* Get account information through getsampwnam() */
if (NT_STATUS_IS_ERR(pdb->getsampwnam(pdb, in, out->username))) {
fprintf(stderr, "Error getting sampw of added user %s.\n",
out->username);
if (!NT_STATUS_IS_OK(rv = pdb->delete_sam_account(pdb, out))) {
fprintf(stderr, "Error in delete_sam_account %s\n",
get_friendly_nt_error_msg(rv));
}
TALLOC_FREE(ctx);
}
/* Verify integrity */
if (samu_correct(out, in)) {
printf("User info written correctly\n");
} else {
printf("User info NOT written correctly\n");
error = True;
}
/* Delete account */
if (!NT_STATUS_IS_OK(rv = pdb->delete_sam_account(pdb, out))) {
fprintf(stderr, "Error in delete_sam_account %s\n",
get_friendly_nt_error_msg(rv));
}
pdb->setsampwent(pdb, False, 0);
while (NT_STATUS_IS_OK(pdb->getsampwent(pdb, out))) {
if (pdb_get_username(out) == NULL) {
fprintf(stderr, "Got bad username through getsampwent()\n");
error = True;
break;
}
if (NT_STATUS_IS_ERR(pdb->getsampwnam(pdb, in, pdb_get_username(out)))) {
fprintf(stderr, "Error getting samu through getsampwnam() of an account we got through getsampwent!\n");
error = True;
continue;
}
if (!samu_correct(out, in)) {
printf("Record gotten through getsampwnam() differs from same record through getsampwent()\n");
}
}
pdb->endsampwent(pdb);
TALLOC_FREE(ctx);
if (error) {
return 1;
}
return 0;
}
enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
{
NTSTATUS result;
unsigned char trust_passwd[16];
time_t last_change_time;
uint32 sec_channel_type;
NET_USER_INFO_3 info3;
struct cli_state *cli = NULL;
TALLOC_CTX *mem_ctx = NULL;
char *name_user = NULL;
const char *name_domain = NULL;
const char *workstation;
struct winbindd_domain *contact_domain;
DOM_CRED ret_creds;
int attempts = 0;
BOOL retry;
DATA_BLOB lm_resp, nt_resp;
if (!state->privileged) {
char *error_string = NULL;
DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access denied. !\n"));
DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions on %s are set correctly.\n",
get_winbind_priv_pipe_dir()));
/* send a better message than ACCESS_DENIED */
asprintf(&error_string, "winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on %s are set correctly.",
get_winbind_priv_pipe_dir());
push_utf8_fstring(state->response.data.auth.error_string, error_string);
SAFE_FREE(error_string);
result = NT_STATUS_ACCESS_DENIED;
goto done;
}
/* Ensure null termination */
state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0;
state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0;
if (!(mem_ctx = talloc_init("winbind pam auth crap for (utf8) %s", state->request.data.auth_crap.user))) {
DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
result = NT_STATUS_NO_MEMORY;
goto done;
}
if (pull_utf8_talloc(mem_ctx, &name_user, state->request.data.auth_crap.user) == (size_t)-1) {
DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
if (*state->request.data.auth_crap.domain) {
char *dom = NULL;
if (pull_utf8_talloc(mem_ctx, &dom, state->request.data.auth_crap.domain) == (size_t)-1) {
DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
name_domain = dom;
} else if (lp_winbind_use_default_domain()) {
name_domain = lp_workgroup();
} else {
DEBUG(5,("no domain specified with username (%s) - failing auth\n",
name_user));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
name_domain, name_user));
if (*state->request.data.auth_crap.workstation) {
char *wrk = NULL;
if (pull_utf8_talloc(mem_ctx, &wrk, state->request.data.auth_crap.workstation) == (size_t)-1) {
DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
workstation = wrk;
} else {
workstation = global_myname();
}
if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
|| state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
state->request.data.auth_crap.lm_resp_len,
state->request.data.auth_crap.nt_resp_len));
result = NT_STATUS_INVALID_PARAMETER;
goto done;
}
lm_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len);
nt_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.nt_resp, state->request.data.auth_crap.nt_resp_len);
/* what domain should we contact? */
if ( IS_DC ) {
if (!(contact_domain = find_domain_from_name(name_domain))) {
DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
state->request.data.auth_crap.user, name_domain, name_user, name_domain));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
} else {
if (is_myname(name_domain)) {
DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
if (!(contact_domain = find_our_domain())) {
DEBUG(1, ("Authenticatoin for [%s] -> [%s]\\[%s] in our domain failed - we can't find our domain!\n",
state->request.data.auth_crap.user, name_domain, name_user));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
}
if ( !get_trust_pw(contact_domain->name, trust_passwd, &last_change_time, &sec_channel_type) ) {
result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
goto done;
}
do {
ZERO_STRUCT(info3);
ZERO_STRUCT(ret_creds);
retry = False;
/* Don't shut this down - it belongs to the connection cache code */
result = cm_get_netlogon_cli(contact_domain, trust_passwd, sec_channel_type, False, &cli);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
nt_errstr(result)));
goto done;
}
result = cli_netlogon_sam_network_logon(cli, mem_ctx,
&ret_creds,
name_user, name_domain,
workstation,
state->request.data.auth_crap.chal,
lm_resp, nt_resp,
&info3);
attempts += 1;
/* We have to try a second time as cm_get_netlogon_cli
might not yet have noticed that the DC has killed
our connection. */
if ( cli->fd == -1 ) {
retry = True;
continue;
}
/* if we get access denied, a possible cause was that we had and open
connection to the DC, but someone changed our machine account password
out from underneath us using 'net rpc changetrustpw' */
if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) {
DEBUG(3,("winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust account "
"password was changed and we didn't know it. Killing connections to domain %s\n",
contact_domain->name));
winbindd_cm_flush();
retry = True;
cli = NULL;
}
} while ( (attempts < 2) && retry );
if (cli != NULL) {
/* We might have come out of the loop above with cli == NULL,
so don't dereference that. */
clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);
}
if (NT_STATUS_IS_OK(result)) {
netsamlogon_cache_store( cli->mem_ctx, &info3 );
wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth_crap.required_membership_sid))) {
DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
state->request.data.auth_crap.user,
state->request.data.auth_crap.required_membership_sid));
goto done;
}
if (state->request.flags & WBFLAG_PAM_INFO3_NDR) {
result = append_info3_as_ndr(mem_ctx, state, &info3);
} else if (state->request.flags & WBFLAG_PAM_UNIX_NAME) {
/* ntlm_auth should return the unix username, per
'winbind use default domain' settings and the like */
fstring username_out;
const char *nt_username, *nt_domain;
if (!(nt_username = unistr2_tdup(mem_ctx, &(info3.uni_user_name)))) {
/* If the server didn't give us one, just use the one we sent them */
nt_username = name_user;
}
if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3.uni_logon_dom)))) {
/* If the server didn't give us one, just use the one we sent them */
nt_domain = name_domain;
}
fill_domain_username(username_out, nt_domain, nt_username);
DEBUG(5, ("Setting unix username to [%s]\n", username_out));
/* this interface is in UTF8 */
if (push_utf8_allocate((char **)&state->response.extra_data, username_out) == -1) {
result = NT_STATUS_NO_MEMORY;
goto done;
}
state->response.length += strlen(state->response.extra_data)+1;
}
if (state->request.flags & WBFLAG_PAM_USER_SESSION_KEY) {
memcpy(state->response.data.auth.user_session_key, info3.user_sess_key, sizeof(state->response.data.auth.user_session_key) /* 16 */);
}
if (state->request.flags & WBFLAG_PAM_LMKEY) {
memcpy(state->response.data.auth.first_8_lm_hash, info3.padding, sizeof(state->response.data.auth.first_8_lm_hash) /* 8 */);
}
}
done:
/* give us a more useful (more correct?) error code */
if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
result = NT_STATUS_NO_LOGON_SERVERS;
}
if (state->request.flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
result = nt_status_squash(result);
}
state->response.data.auth.nt_status = NT_STATUS_V(result);
push_utf8_fstring(state->response.data.auth.nt_status_string, nt_errstr(result));
/* we might have given a more useful error above */
if (!*state->response.data.auth.error_string)
push_utf8_fstring(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
state->response.data.auth.pam_error = nt_status_to_pam(result);
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
name_domain,
name_user,
state->response.data.auth.nt_status_string,
state->response.data.auth.pam_error));
if (mem_ctx)
talloc_destroy(mem_ctx);
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx,
struct NetGetJoinableOUs *r)
{
#ifdef WITH_ADS
NTSTATUS status;
ADS_STATUS ads_status;
ADS_STRUCT *ads = NULL;
struct netr_DsRGetDCNameInfo *info = NULL;
const char *dc = NULL;
uint32_t flags = DS_DIRECTORY_SERVICE_REQUIRED |
DS_RETURN_DNS_NAME;
status = dsgetdcname(ctx, NULL, r->in.domain,
NULL, NULL, flags, &info);
if (!NT_STATUS_IS_OK(status)) {
libnetapi_set_error_string(ctx, "%s",
get_friendly_nt_error_msg(status));
return ntstatus_to_werror(status);
}
dc = strip_hostname(info->dc_unc);
ads = ads_init(info->domain_name, info->domain_name, dc);
if (!ads) {
return WERR_GENERAL_FAILURE;
}
SAFE_FREE(ads->auth.user_name);
if (r->in.account) {
ads->auth.user_name = SMB_STRDUP(r->in.account);
} else if (ctx->username) {
ads->auth.user_name = SMB_STRDUP(ctx->username);
}
SAFE_FREE(ads->auth.password);
if (r->in.password) {
ads->auth.password = SMB_STRDUP(r->in.password);
} else if (ctx->password) {
ads->auth.password = SMB_STRDUP(ctx->password);
}
ads_status = ads_connect_user_creds(ads);
if (!ADS_ERR_OK(ads_status)) {
ads_destroy(&ads);
return WERR_DEFAULT_JOIN_REQUIRED;
}
ads_status = ads_get_joinable_ous(ads, ctx,
(char ***)r->out.ous,
(size_t *)r->out.ou_count);
if (!ADS_ERR_OK(ads_status)) {
ads_destroy(&ads);
return WERR_DEFAULT_JOIN_REQUIRED;
}
ads_destroy(&ads);
return WERR_OK;
#else
return WERR_NOT_SUPPORTED;
#endif
}
/* Query display info. This is the basic user list fn */
static NTSTATUS query_user_list(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32 *num_entries,
WINBIND_USERINFO **info)
{
struct winbind_cache *cache = get_cache(domain);
struct cache_entry *centry = NULL;
NTSTATUS status;
unsigned int i, retry;
if (!cache->tdb)
goto do_query;
centry = wcache_fetch(cache, domain, "UL/%s", domain->name);
if (!centry)
goto do_query;
*num_entries = centry_uint32(centry);
if (*num_entries == 0)
goto do_cached;
(*info) = talloc(mem_ctx, sizeof(**info) * (*num_entries));
if (! (*info))
smb_panic("query_user_list out of memory");
for (i=0; i<(*num_entries); i++) {
(*info)[i].acct_name = centry_string(centry, mem_ctx);
(*info)[i].full_name = centry_string(centry, mem_ctx);
(*info)[i].user_sid = centry_sid(centry, mem_ctx);
(*info)[i].group_sid = centry_sid(centry, mem_ctx);
}
do_cached:
status = centry->status;
DEBUG(10,("query_user_list: [Cached] - cached list for domain %s status %s\n",
domain->name, get_friendly_nt_error_msg(status) ));
centry_free(centry);
return status;
do_query:
*num_entries = 0;
*info = NULL;
/* Return status value returned by seq number check */
if (!NT_STATUS_IS_OK(domain->last_status))
return domain->last_status;
/* Put the query_user_list() in a retry loop. There appears to be
* some bug either with Windows 2000 or Samba's handling of large
* rpc replies. This manifests itself as sudden disconnection
* at a random point in the enumeration of a large (60k) user list.
* The retry loop simply tries the operation again. )-: It's not
* pretty but an acceptable workaround until we work out what the
* real problem is. */
retry = 0;
do {
DEBUG(10,("query_user_list: [Cached] - doing backend query for list for domain %s\n",
domain->name ));
status = domain->backend->query_user_list(domain, mem_ctx, num_entries, info);
if (!NT_STATUS_IS_OK(status))
DEBUG(3, ("query_user_list: returned 0x%08x, retrying\n", NT_STATUS_V(status)));
if (NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_UNSUCCESSFUL)) {
DEBUG(3, ("query_user_list: flushing connection cache\n"));
winbindd_cm_flush();
}
} while (NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_UNSUCCESSFUL) &&
(retry++ < 5));
/* and save it */
refresh_sequence_number(domain, False);
centry = centry_start(domain, status);
if (!centry)
goto skip_save;
centry_put_uint32(centry, *num_entries);
for (i=0; i<(*num_entries); i++) {
centry_put_string(centry, (*info)[i].acct_name);
centry_put_string(centry, (*info)[i].full_name);
centry_put_sid(centry, (*info)[i].user_sid);
centry_put_sid(centry, (*info)[i].group_sid);
if (domain->backend->consistent) {
/* when the backend is consistent we can pre-prime some mappings */
wcache_save_name_to_sid(domain, NT_STATUS_OK,
(*info)[i].acct_name,
domain->name,
(*info)[i].user_sid,
SID_NAME_USER);
wcache_save_sid_to_name(domain, NT_STATUS_OK,
(*info)[i].user_sid,
domain->name,
(*info)[i].acct_name,
SID_NAME_USER);
wcache_save_user(domain, NT_STATUS_OK, &(*info)[i]);
}
}
centry_end(centry, "UL/%s", domain->name);
centry_free(centry);
skip_save:
return status;
}
static NTSTATUS libnet_dssync_lookup_nc(TALLOC_CTX *mem_ctx,
struct dssync_context *ctx)
{
NTSTATUS status;
WERROR werr;
uint32_t level = 1;
union drsuapi_DsNameRequest req;
uint32_t level_out;
struct drsuapi_DsNameString names[1];
union drsuapi_DsNameCtr ctr;
struct dcerpc_binding_handle *b = ctx->cli->binding_handle;
names[0].str = talloc_asprintf(mem_ctx, "%s\\", ctx->domain_name);
NT_STATUS_HAVE_NO_MEMORY(names[0].str);
req.req1.codepage = 1252; /* german */
req.req1.language = 0x00000407; /* german */
req.req1.count = 1;
req.req1.names = names;
req.req1.format_flags = DRSUAPI_DS_NAME_FLAG_NO_FLAGS;
req.req1.format_offered = DRSUAPI_DS_NAME_FORMAT_UNKNOWN;
req.req1.format_desired = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
status = dcerpc_drsuapi_DsCrackNames(b, mem_ctx,
&ctx->bind_handle,
level,
&req,
&level_out,
&ctr,
&werr);
if (!NT_STATUS_IS_OK(status)) {
ctx->error_message = talloc_asprintf(ctx,
"Failed to lookup DN for domain name: %s",
get_friendly_nt_error_msg(status));
return status;
}
if (!W_ERROR_IS_OK(werr)) {
ctx->error_message = talloc_asprintf(ctx,
"Failed to lookup DN for domain name: %s",
get_friendly_werror_msg(werr));
return werror_to_ntstatus(werr);
}
if (ctr.ctr1->count != 1) {
return NT_STATUS_UNSUCCESSFUL;
}
if (ctr.ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_OK) {
return NT_STATUS_UNSUCCESSFUL;
}
ctx->nc_dn = talloc_strdup(mem_ctx, ctr.ctr1->array[0].result_name);
NT_STATUS_HAVE_NO_MEMORY(ctx->nc_dn);
if (!ctx->dns_domain_name) {
ctx->dns_domain_name = talloc_strdup_upper(mem_ctx,
ctr.ctr1->array[0].dns_domain_name);
NT_STATUS_HAVE_NO_MEMORY(ctx->dns_domain_name);
}
return NT_STATUS_OK;
}
/* convert a single name to a sid in a domain */
static NTSTATUS name_to_sid(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const char *domain_name,
const char *name,
DOM_SID *sid,
enum SID_NAME_USE *type)
{
struct winbind_cache *cache = get_cache(domain);
struct cache_entry *centry = NULL;
NTSTATUS status;
fstring uname;
DOM_SID *sid2;
if (!cache->tdb)
goto do_query;
fstrcpy(uname, name);
strupper_m(uname);
centry = wcache_fetch(cache, domain, "NS/%s/%s", domain_name, uname);
if (!centry)
goto do_query;
*type = (enum SID_NAME_USE)centry_uint32(centry);
sid2 = centry_sid(centry, mem_ctx);
if (!sid2) {
ZERO_STRUCTP(sid);
} else {
sid_copy(sid, sid2);
}
status = centry->status;
DEBUG(10,("name_to_sid: [Cached] - cached name for domain %s status %s\n",
domain->name, get_friendly_nt_error_msg(status) ));
centry_free(centry);
return status;
do_query:
ZERO_STRUCTP(sid);
/* If the seq number check indicated that there is a problem
* with this DC, then return that status... except for
* access_denied. This is special because the dc may be in
* "restrict anonymous = 1" mode, in which case it will deny
* most unauthenticated operations, but *will* allow the LSA
* name-to-sid that we try as a fallback. */
if (!(NT_STATUS_IS_OK(domain->last_status)
|| NT_STATUS_EQUAL(domain->last_status, NT_STATUS_ACCESS_DENIED)))
return domain->last_status;
DEBUG(10,("name_to_sid: [Cached] - doing backend query for name for domain %s\n",
domain->name ));
status = domain->backend->name_to_sid(domain, mem_ctx, domain_name, name, sid, type);
/* and save it */
wcache_save_name_to_sid(domain, status, domain_name, name, sid, *type);
/* We can't save the sid to name mapping as we don't know the
correct case of the name without looking it up */
return status;
}
