static void unbecomeDC_drsuapi_connect_send(struct libnet_UnbecomeDC_state *s)
{
struct composite_context *c = s->creq;
struct composite_context *creq;
char *binding_str;
binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[seal,target_hostname=%s]",
s->source_dsa.address,
s->source_dsa.dns_name);
if (composite_nomem(binding_str, c)) return;
c->status = dcerpc_parse_binding(s, binding_str, &s->drsuapi.binding);
talloc_free(binding_str);
if (!composite_is_ok(c)) return;
if (DEBUGLEVEL >= 10) {
c->status = dcerpc_binding_set_flags(s->drsuapi.binding,
DCERPC_DEBUG_PRINT_BOTH,
0);
if (!composite_is_ok(c)) return;
}
creq = dcerpc_pipe_connect_b_send(s, s->drsuapi.binding, &ndr_table_drsuapi,
s->libnet->cred, s->libnet->event_ctx,
s->libnet->lp_ctx);
composite_continue(c, creq, unbecomeDC_drsuapi_connect_recv, s);
}
static void unbecomeDC_drsuapi_connect_send(struct libnet_UnbecomeDC_state *s)
{
struct composite_context *c = s->creq;
struct composite_context *creq;
char *binding_str;
binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[seal]", s->source_dsa.dns_name);
if (composite_nomem(binding_str, c)) return;
c->status = dcerpc_parse_binding(s, binding_str, &s->drsuapi.binding);
talloc_free(binding_str);
if (!composite_is_ok(c)) return;
creq = dcerpc_pipe_connect_b_send(s, s->drsuapi.binding, &ndr_table_drsuapi,
s->libnet->cred, s->libnet->event_ctx,
s->libnet->lp_ctx);
composite_continue(c, creq, unbecomeDC_drsuapi_connect_recv, s);
}
struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx,
struct wbsrv_service *service,
struct wb_dom_info *dom_info)
{
struct composite_context *result, *ctx;
struct init_domain_state *state;
result = composite_create(mem_ctx, service->task->event_ctx);
if (result == NULL) goto failed;
state = talloc_zero(result, struct init_domain_state);
if (state == NULL) goto failed;
state->ctx = result;
result->private_data = state;
state->service = service;
state->domain = talloc(state, struct wbsrv_domain);
if (state->domain == NULL) goto failed;
state->domain->info = talloc_reference(state->domain, dom_info);
if (state->domain->info == NULL) goto failed;
/* Caller should check, but to be safe: */
if (dom_info->num_dcs < 1) {
goto failed;
}
/* For now, we just pick the first. The next step will be to
* walk the entire list. Also need to fix finddcs() to return
* the entire list */
state->domain->dc_name = dom_info->dcs[0].name;
state->domain->dc_address = dom_info->dcs[0].address;
/* Create a credentials structure */
state->domain->schannel_creds = cli_credentials_init(state->domain);
if (state->domain->schannel_creds == NULL) goto failed;
cli_credentials_set_event_context(state->domain->schannel_creds, service->task->event_ctx);
cli_credentials_set_conf(state->domain->schannel_creds);
/* Connect the machine account to the credentials */
state->ctx->status =
cli_credentials_set_machine_account(state->domain->
schannel_creds);
if (!NT_STATUS_IS_OK(state->ctx->status)) goto failed;
state->domain->netlogon_binding = init_domain_binding(state, &dcerpc_table_netlogon);
state->domain->netlogon_pipe = NULL;
if ((!cli_credentials_is_anonymous(state->domain->schannel_creds)) &&
((lp_server_role() == ROLE_DOMAIN_MEMBER) &&
(dom_sid_equal(state->domain->info->sid,
state->service->primary_sid)))) {
state->domain->netlogon_binding->flags |= DCERPC_SCHANNEL;
/* For debugging, it can be a real pain if all the traffic is encrypted */
if (lp_winbind_sealed_pipes()) {
state->domain->netlogon_binding->flags |= (DCERPC_SIGN | DCERPC_SEAL );
} else {
state->domain->netlogon_binding->flags |= (DCERPC_SIGN);
}
}
/* No encryption on anonymous pipes */
ctx = dcerpc_pipe_connect_b_send(state, state->domain->netlogon_binding,
&dcerpc_table_netlogon,
state->domain->schannel_creds,
service->task->event_ctx);
if (composite_nomem(ctx, state->ctx)) {
goto failed;
}
composite_continue(state->ctx, ctx, init_domain_recv_netlogonpipe,
state);
return result;
failed:
talloc_free(result);
return NULL;
}
static NTSTATUS remote_op_bind(struct dcesrv_call_state *dce_call, const struct dcesrv_interface *iface, uint32_t if_version)
{
NTSTATUS status;
const struct ndr_interface_table *table;
struct dcesrv_remote_private *priv;
const char *binding = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_remote", "binding");
const char *user, *pass, *domain;
struct cli_credentials *credentials;
bool must_free_credentials = true;
bool machine_account;
struct dcerpc_binding *b;
struct composite_context *pipe_conn_req;
machine_account = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_remote", "use_machine_account", false);
priv = talloc(dce_call->conn, struct dcesrv_remote_private);
if (!priv) {
return NT_STATUS_NO_MEMORY;
}
priv->c_pipe = NULL;
dce_call->context->private_data = priv;
if (!binding) {
DEBUG(0,("You must specify a DCE/RPC binding string\n"));
return NT_STATUS_INVALID_PARAMETER;
}
user = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_remote", "user");
pass = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_remote", "password");
domain = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dceprc_remote", "domain");
table = ndr_table_by_syntax(&iface->syntax_id);
if (!table) {
dce_call->fault_code = DCERPC_FAULT_UNK_IF;
return NT_STATUS_NET_WRITE_FAULT;
}
if (user && pass) {
DEBUG(5, ("dcerpc_remote: RPC Proxy: Using specified account\n"));
credentials = cli_credentials_init(priv);
if (!credentials) {
return NT_STATUS_NO_MEMORY;
}
cli_credentials_set_conf(credentials, dce_call->conn->dce_ctx->lp_ctx);
cli_credentials_set_username(credentials, user, CRED_SPECIFIED);
if (domain) {
cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
}
cli_credentials_set_password(credentials, pass, CRED_SPECIFIED);
} else if (machine_account) {
DEBUG(5, ("dcerpc_remote: RPC Proxy: Using machine account\n"));
credentials = cli_credentials_init(priv);
cli_credentials_set_conf(credentials, dce_call->conn->dce_ctx->lp_ctx);
if (domain) {
cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
}
status = cli_credentials_set_machine_account(credentials, dce_call->conn->dce_ctx->lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
} else if (dce_call->conn->auth_state.session_info->credentials) {
DEBUG(5, ("dcerpc_remote: RPC Proxy: Using delegated credentials\n"));
credentials = dce_call->conn->auth_state.session_info->credentials;
must_free_credentials = false;
} else {
DEBUG(1,("dcerpc_remote: RPC Proxy: You must supply binding, user and password or have delegated credentials\n"));
return NT_STATUS_INVALID_PARAMETER;
}
/* parse binding string to the structure */
status = dcerpc_parse_binding(dce_call->context, binding, &b);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to parse dcerpc binding '%s'\n", binding));
return status;
}
/* If we already have a remote association group ID, then use that */
if (dce_call->context->assoc_group->proxied_id != 0) {
status = dcerpc_binding_set_assoc_group_id(b,
dce_call->context->assoc_group->proxied_id);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("dcerpc_binding_set_assoc_group_id() - %s'\n",
nt_errstr(status)));
return status;
}
}
status = dcerpc_binding_set_abstract_syntax(b, &iface->syntax_id);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("dcerpc_binding_set_abstract_syntax() - %s'\n",
nt_errstr(status)));
return status;
}
DEBUG(3, ("Using binding %s\n", dcerpc_binding_string(dce_call->context, b)));
pipe_conn_req = dcerpc_pipe_connect_b_send(dce_call->context, b, table,
credentials, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx);
status = dcerpc_pipe_connect_b_recv(pipe_conn_req, dce_call->context, &(priv->c_pipe));
if (must_free_credentials) {
talloc_free(credentials);
}
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (dce_call->context->assoc_group->proxied_id == 0) {
dce_call->context->assoc_group->proxied_id =
dcerpc_binding_get_assoc_group_id(priv->c_pipe->binding);
}
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return NT_STATUS_OK;
}
struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx,
struct wbsrv_service *service,
struct wb_dom_info *dom_info)
{
struct composite_context *result, *ctx;
struct init_domain_state *state;
result = composite_create(mem_ctx, service->task->event_ctx);
if (result == NULL) goto failed;
state = talloc_zero(result, struct init_domain_state);
if (state == NULL) goto failed;
state->ctx = result;
result->private_data = state;
state->service = service;
state->domain = talloc(state, struct wbsrv_domain);
if (state->domain == NULL) goto failed;
state->domain->service = service;
state->domain->info = talloc_reference(state->domain, dom_info);
if (state->domain->info == NULL) goto failed;
state->domain->dc_name = dom_info->dc->name;
state->domain->dc_address = dom_info->dc->address;
state->domain->libnet_ctx = libnet_context_init(service->task->event_ctx,
service->task->lp_ctx);
if (state->domain->libnet_ctx == NULL) goto failed;
talloc_steal(state->domain, state->domain->libnet_ctx);
/* Create a credentials structure */
state->domain->libnet_ctx->cred = cli_credentials_init(state->domain);
if (state->domain->libnet_ctx->cred == NULL) goto failed;
cli_credentials_set_conf(state->domain->libnet_ctx->cred, service->task->lp_ctx);
/* Connect the machine account to the credentials */
state->ctx->status =
cli_credentials_set_machine_account(state->domain->libnet_ctx->cred, state->domain->libnet_ctx->lp_ctx);
if (!NT_STATUS_IS_OK(state->ctx->status)) goto failed;
state->domain->netlogon_binding = init_domain_binding(state, &ndr_table_netlogon);
state->domain->netlogon_pipe = NULL;
state->domain->netlogon_queue = tevent_queue_create(state->domain,
"netlogon_queue");
if (state->domain->netlogon_queue == NULL) goto failed;
/* We start the queue when the connection is usable */
tevent_queue_stop(state->domain->netlogon_queue);
if ((!cli_credentials_is_anonymous(state->domain->libnet_ctx->cred)) &&
((lpcfg_server_role(service->task->lp_ctx) == ROLE_DOMAIN_MEMBER) ||
(lpcfg_server_role(service->task->lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC)) &&
(dom_sid_equal(state->domain->info->sid,
state->service->primary_sid))) {
uint32_t flags = DCERPC_SCHANNEL | DCERPC_SCHANNEL_AUTO;
/* For debugging, it can be a real pain if all the traffic is encrypted */
if (lpcfg_winbind_sealed_pipes(service->task->lp_ctx)) {
flags |= DCERPC_SIGN | DCERPC_SEAL;
} else {
flags |= DCERPC_SIGN;
}
state->ctx->status = dcerpc_binding_set_flags(state->domain->netlogon_binding,
flags, 0);
if (!NT_STATUS_IS_OK(state->ctx->status)) goto failed;
}
/* No encryption on anonymous pipes */
ctx = dcerpc_pipe_connect_b_send(state, state->domain->netlogon_binding,
&ndr_table_netlogon,
state->domain->libnet_ctx->cred,
service->task->event_ctx,
service->task->lp_ctx);
if (composite_nomem(ctx, state->ctx)) {
goto failed;
}
composite_continue(state->ctx, ctx, init_domain_recv_netlogonpipe,
state);
return result;
failed:
talloc_free(result);
return NULL;
}
