/**
* confirm that a domain join is still valid
*
* @return A shell status integer (0 for success)
*
**/
static int net_rpc_join_ok(const char *domain)
{
struct cli_state *cli;
uchar stored_md4_trust_password[16];
int retval = 1;
uint32 channel;
NTSTATUS result;
/* Connect to remote machine */
if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) {
return 1;
}
if (!cli_nt_session_open(cli, PI_NETLOGON)) {
DEBUG(0,("Error connecting to NETLOGON pipe\n"));
goto done;
}
if (!secrets_fetch_trust_account_password(domain,
stored_md4_trust_password,
NULL, &channel)) {
DEBUG(0,("Could not retreive domain trust secret"));
goto done;
}
/* ensure that schannel uses the right domain */
fstrcpy(cli->domain, domain);
if (! NT_STATUS_IS_OK(result = cli_nt_establish_netlogon(cli, channel, stored_md4_trust_password))) {
DEBUG(0,("Error in domain join verfication (fresh connection)\n"));
goto done;
}
retval = 0; /* Success! */
done:
/* Close down pipe - this will clean up open policy handles */
if (cli->nt_pipe_fnum[cli->pipe_idx])
cli_nt_session_close(cli);
cli_shutdown(cli);
return retval;
}
/**
* Connect a server and open a given pipe
*
* @param cli_dst A cli_state
* @param pipe The pipe to open
* @param got_pipe boolean that stores if we got a pipe
*
* @return Normal NTSTATUS return.
**/
NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
struct rpc_pipe_client **pp_pipe_hnd,
const struct ndr_syntax_id *interface)
{
NTSTATUS nt_status;
char *server_name = SMB_STRDUP("127.0.0.1");
struct cli_state *cli_tmp = NULL;
struct rpc_pipe_client *pipe_hnd = NULL;
if (server_name == NULL) {
return NT_STATUS_NO_MEMORY;
}
if (c->opt_destination) {
SAFE_FREE(server_name);
if ((server_name = SMB_STRDUP(c->opt_destination)) == NULL) {
return NT_STATUS_NO_MEMORY;
}
}
/* make a connection to a named pipe */
nt_status = connect_to_ipc(c, &cli_tmp, NULL, server_name);
if (!NT_STATUS_IS_OK(nt_status)) {
SAFE_FREE(server_name);
return nt_status;
}
nt_status = cli_rpc_pipe_open_noauth(cli_tmp, interface,
&pipe_hnd);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("couldn't not initialize pipe\n"));
cli_shutdown(cli_tmp);
SAFE_FREE(server_name);
return nt_status;
}
*cli_dst = cli_tmp;
*pp_pipe_hnd = pipe_hnd;
SAFE_FREE(server_name);
return nt_status;
}
int net_rap_domain(struct net_context *c, int argc, const char **argv)
{
struct cli_state *cli;
int ret;
if (c->display_usage)
return net_rap_domain_usage(c, argc, argv);
if (!NT_STATUS_IS_OK(net_make_ipc_connection(c, 0, &cli)))
return -1;
d_printf(_("\nEnumerating domains:\n\n"
"\tDomain name Server name of Browse Master\n"
"\t------------- ----------------------------\n"));
ret = cli_NetServerEnum(cli, cli->server_domain, SV_TYPE_DOMAIN_ENUM,
display_server_func,NULL);
cli_shutdown(cli);
return ret;
}
/****************************************************************************
make smb client connection
****************************************************************************/
static BOOL rpcclient_connect(struct client_info *info)
{
struct nmb_name calling;
struct nmb_name called;
make_nmb_name(&called , dns_to_netbios_name(info->dest_host ), info->name_type);
make_nmb_name(&calling, dns_to_netbios_name(info->myhostname), 0x0);
if (!cli_establish_connection(smb_cli,
info->dest_host, &info->dest_ip,
&calling, &called,
info->share, info->svc_type,
False, True))
{
DEBUG(0,("rpcclient_connect: connection failed\n"));
cli_shutdown(smb_cli);
return False;
}
return True;
}
static int rap_share_add(struct net_context *c, int argc, const char **argv)
{
struct cli_state *cli;
int ret;
struct rap_share_info_2 sinfo;
char *p;
char *sharename;
if (argc == 0 || c->display_usage) {
return net_rap_share_usage(c, argc, argv);
}
if (!NT_STATUS_IS_OK(net_make_ipc_connection(c, 0, &cli)))
return -1;
sharename = SMB_STRDUP(argv[0]);
p = strchr(sharename, '=');
if (p == NULL) {
d_printf(_("Server path not specified\n"));
SAFE_FREE(sharename);
return net_rap_share_usage(c, argc, argv);
}
*p = 0;
strlcpy((char *)sinfo.share_name, sharename, sizeof(sinfo.share_name));
sinfo.reserved1 = '\0';
sinfo.share_type = 0;
sinfo.comment = c->opt_comment ? smb_xstrdup(c->opt_comment) : "";
sinfo.perms = 0;
sinfo.maximum_users = c->opt_maxusers;
sinfo.active_users = 0;
sinfo.path = p+1;
memset(sinfo.password, '\0', sizeof(sinfo.password));
sinfo.reserved2 = '\0';
ret = cli_NetShareAdd(cli, &sinfo);
cli_shutdown(cli);
SAFE_FREE(sharename);
return ret;
}
/**
* Connect a server and open a given pipe
*
* @param cli_dst A cli_state
* @param pipe The pipe to open
* @param got_pipe boolean that stores if we got a pipe
*
* @return Normal NTSTATUS return.
**/
NTSTATUS connect_dst_pipe(struct cli_state **cli_dst, struct rpc_pipe_client **pp_pipe_hnd, int pipe_num)
{
NTSTATUS nt_status;
char *server_name = SMB_STRDUP("127.0.0.1");
struct cli_state *cli_tmp = NULL;
struct rpc_pipe_client *pipe_hnd = NULL;
if (server_name == NULL) {
return NT_STATUS_NO_MEMORY;
}
if (opt_destination) {
SAFE_FREE(server_name);
if ((server_name = SMB_STRDUP(opt_destination)) == NULL) {
return NT_STATUS_NO_MEMORY;
}
}
/* make a connection to a named pipe */
nt_status = connect_to_ipc(&cli_tmp, NULL, server_name);
if (!NT_STATUS_IS_OK(nt_status)) {
SAFE_FREE(server_name);
return nt_status;
}
pipe_hnd = cli_rpc_pipe_open_noauth(cli_tmp, pipe_num, &nt_status);
if (!pipe_hnd) {
DEBUG(1, ("couldn't not initialize pipe\n"));
cli_shutdown(cli_tmp);
SAFE_FREE(server_name);
return nt_status;
}
*cli_dst = cli_tmp;
*pp_pipe_hnd = pipe_hnd;
SAFE_FREE(server_name);
return nt_status;
}
static int rap_share_add(int argc, const char **argv)
{
struct cli_state *cli;
int ret;
RAP_SHARE_INFO_2 sinfo;
char *p;
char *sharename;
if (argc == 0) {
d_printf("\n\nShare name not specified\n");
return net_rap_share_usage(argc, argv);
}
if (!(cli = net_make_ipc_connection(0)))
return -1;
sharename = SMB_STRDUP(argv[0]);
p = strchr(sharename, '=');
if (p == NULL) {
d_printf("Server path not specified\n");
return net_rap_share_usage(argc, argv);
}
*p = 0;
strlcpy(sinfo.share_name, sharename, sizeof(sinfo.share_name));
sinfo.reserved1 = '\0';
sinfo.share_type = 0;
sinfo.comment = smb_xstrdup(opt_comment);
sinfo.perms = 0;
sinfo.maximum_users = opt_maxusers;
sinfo.active_users = 0;
sinfo.path = p+1;
memset(sinfo.password, '\0', sizeof(sinfo.password));
sinfo.reserved2 = '\0';
ret = cli_NetShareAdd(cli, &sinfo);
cli_shutdown(cli);
return ret;
}
static int rap_group_add(struct net_context *c, int argc, const char **argv)
{
struct cli_state *cli;
int ret;
struct rap_group_info_1 grinfo;
if (argc == 0 || c->display_usage) {
return net_rap_group_usage(c, argc, argv);
}
if (!NT_STATUS_IS_OK(net_make_ipc_connection(c, 0, &cli)))
return -1;
/* BB check for length 21 or smaller explicitly ? BB */
strlcpy((char *)grinfo.group_name, argv[0], sizeof(grinfo.group_name));
grinfo.reserved1 = '\0';
grinfo.comment = smb_xstrdup(c->opt_comment ? c->opt_comment : "");
ret = cli_NetGroupAdd(cli, &grinfo);
cli_shutdown(cli);
return ret;
}
static struct cli_state *connect_one(const char *share)
{
struct cli_state *c;
NTSTATUS nt_status;
uint32_t flags = 0;
if (get_cmdline_auth_info_use_kerberos(smbcquotas_auth_info)) {
flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
}
nt_status = cli_full_connection(&c, lp_netbios_name(), server,
NULL, 0,
share, "?????",
get_cmdline_auth_info_username(smbcquotas_auth_info),
lp_workgroup(),
get_cmdline_auth_info_password(smbcquotas_auth_info),
flags,
get_cmdline_auth_info_signing_state(smbcquotas_auth_info));
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status)));
return NULL;
}
if (get_cmdline_auth_info_smb_encrypt(smbcquotas_auth_info)) {
nt_status = cli_cm_force_encryption(c,
get_cmdline_auth_info_username(smbcquotas_auth_info),
get_cmdline_auth_info_password(smbcquotas_auth_info),
lp_workgroup(),
share);
if (!NT_STATUS_IS_OK(nt_status)) {
cli_shutdown(c);
return NULL;
}
}
return c;
}
static int rap_group_add(int argc, const char **argv)
{
struct cli_state *cli;
int ret;
RAP_GROUP_INFO_1 grinfo;
if (argc == 0) {
d_printf("\n\nGroup name not specified\n");
return net_rap_group_usage(argc, argv);
}
if (!(cli = net_make_ipc_connection(0)))
return -1;
/* BB check for length 21 or smaller explicitly ? BB */
safe_strcpy(grinfo.group_name, argv[0], sizeof(grinfo.group_name)-1);
grinfo.reserved1 = '\0';
grinfo.comment = smb_xstrdup(opt_comment);
ret = cli_NetGroupAdd(cli, &grinfo);
cli_shutdown(cli);
return ret;
}
int net_rap_printq(int argc, const char **argv)
{
struct cli_state *cli;
int ret;
struct functable func[] = {
{"INFO", rap_printq_info},
{"DELETE", rap_printq_delete},
{NULL, NULL}
};
if (argc == 0) {
if (!(cli = net_make_ipc_connection(0)))
return -1;
d_printf(PRINTQ_ENUM_DISPLAY, cli->desthost); /* list header */
ret = cli_NetPrintQEnum(cli, enum_queue, enum_jobs);
cli_shutdown(cli);
return ret;
}
return net_run_function(argc, argv, func, net_rap_printq_usage);
}
static int rap_file_user(struct net_context *c, int argc, const char **argv)
{
struct cli_state *cli;
int ret;
if (argc == 0 || c->display_usage)
return net_rap_file_usage(c, argc, argv);
if (!NT_STATUS_IS_OK(net_make_ipc_connection(c, 0, &cli)))
return -1;
/* list open files */
d_printf(_("\nEnumerating open files on remote server:\n\n"
"\nFileId Opened by Perms Locks Path \n"
"------ --------- ----- ----- ---- \n"));
ret = cli_NetFileEnum(cli, argv[0], NULL, file_fn);
if (ret == -1)
d_printf(_("\nOperation not supported by server!\n\n"));
cli_shutdown(cli);
return ret;
}
static void reconnect(struct cli_state *cli[NSERVERS][NCONNECTIONS], uint16_t fnum[NSERVERS][NCONNECTIONS][NFILES],
char *share[NSERVERS])
{
int server, conn, f;
for (server=0;server<NSERVERS;server++)
for (conn=0;conn<NCONNECTIONS;conn++) {
if (cli[server][conn]) {
for (f=0;f<NFILES;f++) {
if (fnum[server][conn][f] != (uint16_t)-1) {
cli_close(cli[server][conn], fnum[server][conn][f]);
fnum[server][conn][f] = (uint16_t)-1;
}
}
cli_ulogoff(cli[server][conn]);
cli_shutdown(cli[server][conn]);
}
cli[server][conn] = connect_one(share[server], server);
if (!cli[server][conn]) {
DEBUG(0,("Failed to connect to %s\n", share[server]));
exit(1);
}
}
}
int net_rpc_shell(struct net_context *c, int argc, const char **argv)
{
NTSTATUS status;
struct rpc_sh_ctx *ctx;
if (argc != 0 || c->display_usage) {
d_printf("%s\nnet rpc shell\n", _("Usage:"));
return -1;
}
if (libnetapi_net_init(&c->netapi_ctx) != 0) {
return -1;
}
libnetapi_set_username(c->netapi_ctx, c->opt_user_name);
libnetapi_set_password(c->netapi_ctx, c->opt_password);
if (c->opt_kerberos) {
libnetapi_set_use_kerberos(c->netapi_ctx);
}
ctx = talloc(NULL, struct rpc_sh_ctx);
if (ctx == NULL) {
d_fprintf(stderr, _("talloc failed\n"));
return -1;
}
status = net_make_ipc_connection(c, 0, &(ctx->cli));
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, _("Could not open connection: %s\n"),
nt_errstr(status));
return -1;
}
ctx->cmds = sh_cmds;
ctx->whoami = "net rpc";
ctx->parent = NULL;
status = net_get_remote_domain_sid(ctx->cli, ctx, &ctx->domain_sid,
&ctx->domain_name);
if (!NT_STATUS_IS_OK(status)) {
return -1;
}
d_printf(_("Talking to domain %s (%s)\n"), ctx->domain_name,
sid_string_tos(ctx->domain_sid));
this_ctx = ctx;
while(1) {
char *prompt = NULL;
char *line = NULL;
int ret;
if (asprintf(&prompt, "%s> ", this_ctx->whoami) < 0) {
break;
}
line = smb_readline(prompt, NULL, completion_fn);
SAFE_FREE(prompt);
if (line == NULL) {
break;
}
ret = poptParseArgvString(line, &argc, &argv);
if (ret == POPT_ERROR_NOARG) {
SAFE_FREE(line);
continue;
}
if (ret != 0) {
d_fprintf(stderr, _("cmdline invalid: %s\n"),
poptStrerror(ret));
SAFE_FREE(line);
return false;
}
if ((line[0] != '\n') &&
(!net_sh_process(c, this_ctx, argc, argv))) {
SAFE_FREE(line);
break;
}
SAFE_FREE(line);
}
cli_shutdown(ctx->cli);
TALLOC_FREE(ctx);
return 0;
}
static struct cli_state *do_connect( const char *server, const char *share,
BOOL show_sessetup )
{
struct cli_state *c = NULL;
struct nmb_name called, calling;
const char *server_n;
struct in_addr ip;
pstring servicename;
char *sharename;
fstring newserver, newshare;
NTSTATUS status;
/* make a copy so we don't modify the global string 'service' */
pstrcpy(servicename, share);
sharename = servicename;
if (*sharename == '\\') {
server = sharename+2;
sharename = strchr_m(server,'\\');
if (!sharename) return NULL;
*sharename = 0;
sharename++;
}
server_n = server;
zero_ip(&ip);
make_nmb_name(&calling, global_myname(), 0x0);
make_nmb_name(&called , server, name_type);
again:
zero_ip(&ip);
if (have_ip)
ip = dest_ip;
/* have to open a new connection */
if (!(c=cli_initialise()) || (cli_set_port(c, port) != port)) {
d_printf("Connection to %s failed\n", server_n);
return NULL;
}
status = cli_connect(c, server_n, &ip);
if (!NT_STATUS_IS_OK(status)) {
d_printf("Connection to %s failed (Error %s)\n", server_n, nt_errstr(status));
return NULL;
}
c->protocol = max_protocol;
c->use_kerberos = use_kerberos;
cli_setup_signing_state(c, signing_state);
if (!cli_session_request(c, &calling, &called, NULL)) {
char *p;
d_printf("session request to %s failed (%s)\n",
called.name, cli_errstr(c));
cli_shutdown(c);
c = NULL;
if ((p=strchr_m(called.name, '.'))) {
*p = 0;
goto again;
}
if (strcmp(called.name, "*SMBSERVER")) {
make_nmb_name(&called , "*SMBSERVER", 0x20);
goto again;
}
return NULL;
}
DEBUG(4,(" session request ok\n"));
if (!cli_negprot(c)) {
d_printf("protocol negotiation failed\n");
cli_shutdown(c);
return NULL;
}
if (!got_pass) {
char *pass = getpass("Password: "******"", "", 0, "", 0,
lp_workgroup()))) {
d_printf("session setup failed: %s\n", cli_errstr(c));
if (NT_STATUS_V(cli_nt_error(c)) ==
NT_STATUS_V(NT_STATUS_MORE_PROCESSING_REQUIRED))
d_printf("did you forget to run kinit?\n");
cli_shutdown(c);
return NULL;
}
d_printf("Anonymous login successful\n");
}
if ( show_sessetup ) {
if (*c->server_domain) {
DEBUG(0,("Domain=[%s] OS=[%s] Server=[%s]\n",
c->server_domain,c->server_os,c->server_type));
} else if (*c->server_os || *c->server_type){
DEBUG(0,("OS=[%s] Server=[%s]\n",
c->server_os,c->server_type));
}
}
DEBUG(4,(" session setup ok\n"));
/* here's the fun part....to support 'msdfs proxy' shares
(on Samba or windows) we have to issues a TRANS_GET_DFS_REFERRAL
here before trying to connect to the original share.
check_dfs_proxy() will fail if it is a normal share. */
if ( (c->capabilities & CAP_DFS) && cli_check_msdfs_proxy( c, sharename, newserver, newshare ) ) {
cli_shutdown(c);
return do_connect( newserver, newshare, False );
}
/* must be a normal share */
if (!cli_send_tconX(c, sharename, "?????", password, strlen(password)+1)) {
d_printf("tree connect failed: %s\n", cli_errstr(c));
cli_shutdown(c);
return NULL;
}
DEBUG(4,(" tconx ok\n"));
return c;
}
PyObject *spoolss_openprinter(PyObject *self, PyObject *args, PyObject *kw)
{
char *unc_name, *server, *errstr;
TALLOC_CTX *mem_ctx = NULL;
POLICY_HND hnd;
WERROR werror;
PyObject *result = NULL, *creds = NULL;
static char *kwlist[] = { "printername", "creds", "access", NULL };
uint32 desired_access = MAXIMUM_ALLOWED_ACCESS;
struct cli_state *cli;
if (!PyArg_ParseTupleAndKeywords(
args, kw, "s|Oi", kwlist, &unc_name, &creds,
&desired_access))
return NULL;
if (unc_name[0] != '\\' || unc_name[1] != '\\') {
PyErr_SetString(PyExc_ValueError, "UNC name required");
return NULL;
}
server = strdup(unc_name + 2);
if (strchr(server, '\\')) {
char *c = strchr(server, '\\');
*c = 0;
}
if (creds && creds != Py_None && !PyDict_Check(creds)) {
PyErr_SetString(PyExc_TypeError,
"credentials must be dictionary or None");
return NULL;
}
if (!(cli = open_pipe_creds(server, creds, PI_SPOOLSS, &errstr))) {
PyErr_SetString(spoolss_error, errstr);
free(errstr);
goto done;
}
if (!(mem_ctx = talloc_init("spoolss_openprinter"))) {
PyErr_SetString(spoolss_error,
"unable to init talloc context\n");
goto done;
}
werror = cli_spoolss_open_printer_ex(
cli, mem_ctx, unc_name, "", desired_access, server,
"", &hnd);
if (!W_ERROR_IS_OK(werror)) {
PyErr_SetObject(spoolss_werror, py_werror_tuple(werror));
goto done;
}
result = new_spoolss_policy_hnd_object(cli, mem_ctx, &hnd);
done:
if (!result) {
if (cli)
cli_shutdown(cli);
if (mem_ctx)
talloc_destroy(mem_ctx);
}
SAFE_FREE(server);
return result;
}
PyObject *spoolss_enumprinters(PyObject *self, PyObject *args, PyObject *kw)
{
WERROR werror;
PyObject *result = NULL, *creds = NULL;
PRINTER_INFO_CTR ctr;
int level = 1, flags = PRINTER_ENUM_LOCAL, i;
uint32 needed, num_printers;
static char *kwlist[] = {"server", "name", "level", "flags",
"creds", NULL};
TALLOC_CTX *mem_ctx = NULL;
struct cli_state *cli = NULL;
char *server, *errstr, *name = NULL;
/* Parse parameters */
if (!PyArg_ParseTupleAndKeywords(
args, kw, "s|siiO", kwlist, &server, &name, &level,
&flags, &creds))
return NULL;
if (server[0] != '\\' || server[1] != '\\') {
PyErr_SetString(PyExc_ValueError, "UNC name required");
return NULL;
}
server += 2;
if (creds && creds != Py_None && !PyDict_Check(creds)) {
PyErr_SetString(PyExc_TypeError,
"credentials must be dictionary or None");
return NULL;
}
if (!(cli = open_pipe_creds(server, creds, PI_SPOOLSS, &errstr))) {
PyErr_SetString(spoolss_error, errstr);
free(errstr);
goto done;
}
if (!(mem_ctx = talloc_init("spoolss_enumprinters"))) {
PyErr_SetString(
spoolss_error, "unable to init talloc context\n");
goto done;
}
/* This RPC is weird. By setting the server name to different
values we can get different behaviour. If however the server
name is not specified, we default it to being the full server
name as this is probably what the caller intended. To pass a
NULL name, pass a value of "" */
if (!name)
name = server;
else {
if (!name[0])
name = NULL;
}
/* Call rpc function */
werror = cli_spoolss_enum_printers(
cli, mem_ctx, 0, &needed, name, flags, level,
&num_printers, &ctr);
if (W_ERROR_V(werror) == ERRinsufficientbuffer)
werror = cli_spoolss_enum_printers(
cli, mem_ctx, needed, NULL, name, flags,
level, &num_printers, &ctr);
if (!W_ERROR_IS_OK(werror)) {
PyErr_SetObject(spoolss_werror, py_werror_tuple(werror));
goto done;
}
/* Return value */
switch (level) {
case 0:
result = PyDict_New();
for (i = 0; i < num_printers; i++) {
PyObject *value;
fstring s;
rpcstr_pull(s, ctr.printers_0[i].printername.buffer,
sizeof(fstring), -1, STR_TERMINATE);
py_from_PRINTER_INFO_0(&value, &ctr.printers_0[i]);
PyDict_SetItemString(
value, "level", PyInt_FromLong(0));
PyDict_SetItemString(result, s, value);
}
break;
case 1:
result = PyDict_New();
for(i = 0; i < num_printers; i++) {
PyObject *value;
fstring s;
rpcstr_pull(s, ctr.printers_1[i].name.buffer,
sizeof(fstring), -1, STR_TERMINATE);
py_from_PRINTER_INFO_1(&value, &ctr.printers_1[i]);
PyDict_SetItemString(
value, "level", PyInt_FromLong(1));
PyDict_SetItemString(result, s, value);
}
break;
case 2:
result = PyDict_New();
for(i = 0; i < num_printers; i++) {
PyObject *value;
fstring s;
rpcstr_pull(s, ctr.printers_2[i].printername.buffer,
sizeof(fstring), -1, STR_TERMINATE);
py_from_PRINTER_INFO_2(&value, &ctr.printers_2[i]);
PyDict_SetItemString(
value, "level", PyInt_FromLong(2));
PyDict_SetItemString(result, s, value);
}
break;
default:
PyErr_SetString(spoolss_error, "unknown info level");
goto done;
}
done:
if (cli)
cli_shutdown(cli);
if (mem_ctx)
talloc_destroy(mem_ctx);
return result;
}
int /* O - Exit status */
main(int argc, /* I - Number of command-line arguments */
char *argv[]) /* I - Command-line arguments */
{
int i; /* Looping var */
int copies; /* Number of copies */
int port; /* Port number */
char uri[1024], /* URI */
*sep, /* Pointer to separator */
*password; /* Password */
const char *username, /* Username */
*server, /* Server name */
*printer; /* Printer name */
const char *workgroup; /* Workgroup */
FILE *fp; /* File to print */
int status=0; /* Status of LPD job */
struct cli_state *cli; /* SMB interface */
char null_str[1];
int tries = 0;
const char *dev_uri;
null_str[0] = '\0';
/* we expect the URI in argv[0]. Detect the case where it is in argv[1] and cope */
if (argc > 2 && strncmp(argv[0],"smb://", 6) && !strncmp(argv[1],"smb://", 6)) {
argv++;
argc--;
}
if (argc == 1)
{
/*
* NEW! In CUPS 1.1 the backends are run with no arguments to list the
* available devices. These can be devices served by this backend
* or any other backends (i.e. you can have an SNMP backend that
* is only used to enumerate the available network printers... :)
*/
list_devices();
return (0);
}
if (argc < 6 || argc > 7)
{
fprintf(stderr, "Usage: %s [DEVICE_URI] job-id user title copies options [file]\n",
argv[0]);
fputs(" The DEVICE_URI environment variable can also contain the\n", stderr);
fputs(" destination printer:\n", stderr);
fputs("\n", stderr);
fputs(" smb://[username:password@][workgroup/]server[:port]/printer\n", stderr);
return (1);
}
/*
* If we have 7 arguments, print the file named on the command-line.
* Otherwise, print data from stdin...
*/
if (argc == 6)
{
/*
* Print from Copy stdin to a temporary file...
*/
fp = stdin;
copies = 1;
}
else if ((fp = fopen(argv[6], "rb")) == NULL)
{
perror("ERROR: Unable to open print file");
return (1);
}
else
copies = atoi(argv[4]);
/*
* Find the URI...
*/
dev_uri = getenv("DEVICE_URI");
if (dev_uri)
strncpy(uri, dev_uri, sizeof(uri) - 1);
else if (strncmp(argv[0], "smb://", 6) == 0)
strncpy(uri, argv[0], sizeof(uri) - 1);
else
{
fputs("ERROR: No device URI found in DEVICE_URI environment variable or argv[0] !\n", stderr);
return (1);
}
uri[sizeof(uri) - 1] = '\0';
/*
* Extract the destination from the URI...
*/
if ((sep = strrchr_m(uri, '@')) != NULL)
{
username = uri + 6;
*sep++ = '\0';
server = sep;
/*
* Extract password as needed...
*/
if ((password = strchr_m(username, ':')) != NULL)
*password++ = '\0';
else
password = null_str;
}
else
{
username = null_str;
password = null_str;
server = uri + 6;
}
if ((sep = strchr_m(server, '/')) == NULL)
{
fputs("ERROR: Bad URI - need printer name!\n", stderr);
return (1);
}
*sep++ = '\0';
printer = sep;
if ((sep = strchr_m(printer, '/')) != NULL)
{
/*
* Convert to smb://[username:password@]workgroup/server/printer...
*/
*sep++ = '\0';
workgroup = server;
server = printer;
printer = sep;
}
else
workgroup = NULL;
if ((sep = strrchr_m(server, ':')) != NULL)
{
*sep++ = '\0';
port=atoi(sep);
}
else
port=0;
/*
* Setup the SAMBA server state...
*/
setup_logging("smbspool", True);
in_client = True; /* Make sure that we tell lp_load we are */
load_case_tables();
if (!lp_load(dyn_CONFIGFILE, True, False, False, True))
{
fprintf(stderr, "ERROR: Can't load %s - run testparm to debug it\n", dyn_CONFIGFILE);
return (1);
}
if (workgroup == NULL)
workgroup = lp_workgroup();
load_interfaces();
do
{
if ((cli = smb_connect(workgroup, server, port, printer, username, password, argv[2])) == NULL)
{
if (getenv("CLASS") == NULL)
{
fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n");
sleep (60); /* should just waiting and retrying fix authentication ??? */
tries++;
}
else
{
fprintf(stderr, "ERROR: Unable to connect to CIFS host, trying next printer...\n");
return (1);
}
}
}
while ((cli == NULL) && (tries < MAX_RETRY_CONNECT));
if (cli == NULL) {
fprintf(stderr, "ERROR: Unable to connect to CIFS host after (tried %d times)\n", tries);
return (1);
}
/*
* Now that we are connected to the server, ignore SIGTERM so that we
* can finish out any page data the driver sends (e.g. to eject the
* current page... Only ignore SIGTERM if we are printing data from
* stdin (otherwise you can't cancel raw jobs...)
*/
if (argc < 7)
CatchSignal(SIGTERM, SIG_IGN);
/*
* Queue the job...
*/
for (i = 0; i < copies; i ++)
if ((status = smb_print(cli, argv[3] /* title */, fp)) != 0)
break;
cli_shutdown(cli);
/*
* Return the queue status...
*/
return (status);
}
static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx)
{
struct cli_state *cli = NULL;
fstring desthost;
struct in_addr dest_ip;
const char *p;
char *pserver;
BOOL connected_ok = False;
if (!(cli = cli_initialise()))
return NULL;
/* security = server just can't function with spnego */
cli->use_spnego = False;
pserver = talloc_strdup(mem_ctx, lp_passwordserver());
p = pserver;
while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) {
standard_sub_basic(current_user_info.smb_name, current_user_info.domain,
desthost, sizeof(desthost));
strupper_m(desthost);
if(!resolve_name( desthost, &dest_ip, 0x20)) {
DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost));
continue;
}
if (ismyip(dest_ip)) {
DEBUG(1,("Password server loop - disabling password server %s\n",desthost));
continue;
}
/* we use a mutex to prevent two connections at once - when a
Win2k PDC get two connections where one hasn't completed a
session setup yet it will send a TCP reset to the first
connection (tridge) */
if (!grab_server_mutex(desthost)) {
return NULL;
}
if (cli_connect(cli, desthost, &dest_ip)) {
DEBUG(3,("connected to password server %s\n",desthost));
connected_ok = True;
break;
}
}
if (!connected_ok) {
release_server_mutex();
DEBUG(0,("password server not available\n"));
cli_shutdown(cli);
return NULL;
}
if (!attempt_netbios_session_request(&cli, global_myname(),
desthost, &dest_ip)) {
release_server_mutex();
DEBUG(1,("password server fails session request\n"));
cli_shutdown(cli);
return NULL;
}
if (strequal(desthost,myhostname())) {
exit_server_cleanly("Password server loop!");
}
DEBUG(3,("got session\n"));
if (!cli_negprot(cli)) {
DEBUG(1,("%s rejected the negprot\n",desthost));
release_server_mutex();
cli_shutdown(cli);
return NULL;
}
if (cli->protocol < PROTOCOL_LANMAN2 ||
!(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
DEBUG(1,("%s isn't in user level security mode\n",desthost));
release_server_mutex();
cli_shutdown(cli);
return NULL;
}
/* Get the first session setup done quickly, to avoid silly
Win2k bugs. (The next connection to the server will kill
this one...
*/
if (!NT_STATUS_IS_OK(cli_session_setup(cli, "", "", 0, "", 0,
""))) {
DEBUG(0,("%s rejected the initial session setup (%s)\n",
desthost, cli_errstr(cli)));
release_server_mutex();
cli_shutdown(cli);
return NULL;
}
release_server_mutex();
DEBUG(3,("password server OK\n"));
return cli;
}
static struct cli_state
*smb_complete_connection(const char *myname,
const char *server,
int port,
const char *username,
const char *password,
const char *workgroup,
const char *share,
int flags)
{
struct cli_state *cli; /* New connection */
NTSTATUS nt_status;
/* Start the SMB connection */
nt_status = cli_start_connection( &cli, myname, server, NULL, port,
Undefined, flags, NULL);
if (!NT_STATUS_IS_OK(nt_status))
{
return NULL;
}
/* We pretty much guarentee password must be valid or a pointer
to a 0 char. */
if (!password) {
return NULL;
}
if ( (username) && (*username) &&
(strlen(password) == 0 ) &&
(cli->use_kerberos) )
{
/* Use kerberos authentication */
struct passwd *pw;
char *cache_file;
if ( !(pw = sys_getpwnam(username)) ) {
fprintf(stderr,"ERROR Can not get %s uid\n", username);
cli_shutdown(cli);
return NULL;
}
/*
* Get the ticket cache of the user to set KRB5CCNAME env
* variable
*/
cache_file = get_ticket_cache( pw->pw_uid );
if ( cache_file == NULL )
{
fprintf(stderr, "ERROR: Can not get the ticket cache for %s\n", username);
cli_shutdown(cli);
return NULL;
}
if ( setenv(KRB5CCNAME, cache_file, OVERWRITE) < 0 )
{
fprintf(stderr, "ERROR: Can not add KRB5CCNAME to the environment");
cli_shutdown(cli);
free(cache_file);
return NULL;
}
free(cache_file);
/*
* Change the UID of the process to be able to read the kerberos
* ticket cache
*/
setuid(pw->pw_uid);
}
if (!NT_STATUS_IS_OK(cli_session_setup(cli, username,
password, strlen(password)+1,
password, strlen(password)+1,
workgroup)))
{
fprintf(stderr,"ERROR: Session setup failed: %s\n", cli_errstr(cli));
if (NT_STATUS_V(cli_nt_error(cli)) ==
NT_STATUS_V(NT_STATUS_MORE_PROCESSING_REQUIRED))
{
fprintf(stderr, "did you forget to run kinit?\n");
}
cli_shutdown(cli);
return NULL;
}
if (!cli_send_tconX(cli, share, "?????", password, strlen(password)+1))
{
fprintf(stderr, "ERROR: Tree connect failed (%s)\n", cli_errstr(cli));
cli_shutdown(cli);
return NULL;
}
return cli;
}
/*
* Connect to a server for getting/setting attributes, possibly on an existing
* connection. This works similarly to SMBC_server().
*/
SMBCSRV *
SMBC_attr_server(TALLOC_CTX *ctx,
SMBCCTX *context,
const char *server,
uint16_t port,
const char *share,
char **pp_workgroup,
char **pp_username,
char **pp_password)
{
int flags;
struct cli_state *ipc_cli = NULL;
struct rpc_pipe_client *pipe_hnd = NULL;
NTSTATUS nt_status;
SMBCSRV *srv=NULL;
SMBCSRV *ipc_srv=NULL;
/*
* Use srv->cli->desthost and srv->cli->share instead of
* server and share below to connect to the actual share,
* i.e., a normal share or a referred share from
* 'msdfs proxy' share.
*/
srv = SMBC_server(ctx, context, true, server, port, share,
pp_workgroup, pp_username, pp_password);
if (!srv) {
return NULL;
}
server = smbXcli_conn_remote_name(srv->cli->conn);
share = srv->cli->share;
/*
* See if we've already created this special connection. Reference
* our "special" share name '*IPC$', which is an impossible real share
* name due to the leading asterisk.
*/
ipc_srv = SMBC_find_server(ctx, context, server, "*IPC$",
pp_workgroup, pp_username, pp_password);
if (!ipc_srv) {
int signing_state = SMB_SIGNING_DEFAULT;
/* We didn't find a cached connection. Get the password */
if (!*pp_password || (*pp_password)[0] == '\0') {
/* ... then retrieve it now. */
SMBC_call_auth_fn(ctx, context, server, share,
pp_workgroup,
pp_username,
pp_password);
if (!*pp_workgroup || !*pp_username || !*pp_password) {
errno = ENOMEM;
return NULL;
}
}
flags = 0;
if (smbc_getOptionUseKerberos(context)) {
flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
}
if (smbc_getOptionUseCCache(context)) {
flags |= CLI_FULL_CONNECTION_USE_CCACHE;
}
if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
signing_state = SMB_SIGNING_REQUIRED;
}
nt_status = cli_full_connection(&ipc_cli,
lp_netbios_name(), server,
NULL, 0, "IPC$", "?????",
*pp_username,
*pp_workgroup,
*pp_password,
flags,
signing_state);
if (! NT_STATUS_IS_OK(nt_status)) {
DEBUG(1,("cli_full_connection failed! (%s)\n",
nt_errstr(nt_status)));
errno = ENOTSUP;
return NULL;
}
if (context->internal->smb_encryption_level) {
/* Attempt UNIX smb encryption. */
if (!NT_STATUS_IS_OK(cli_force_encryption(ipc_cli,
*pp_username,
*pp_password,
*pp_workgroup))) {
/*
* context->smb_encryption_level ==
* 1 means don't fail if encryption can't be
* negotiated, == 2 means fail if encryption
* can't be negotiated.
*/
DEBUG(4,(" SMB encrypt failed on IPC$\n"));
if (context->internal->smb_encryption_level == 2) {
cli_shutdown(ipc_cli);
errno = EPERM;
return NULL;
}
}
DEBUG(4,(" SMB encrypt ok on IPC$\n"));
}
ipc_srv = SMB_MALLOC_P(SMBCSRV);
if (!ipc_srv) {
errno = ENOMEM;
cli_shutdown(ipc_cli);
return NULL;
}
ZERO_STRUCTP(ipc_srv);
DLIST_ADD(ipc_srv->cli, ipc_cli);
nt_status = cli_rpc_pipe_open_noauth(
ipc_srv->cli, &ndr_table_lsarpc, &pipe_hnd);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("cli_nt_session_open fail!\n"));
errno = ENOTSUP;
cli_shutdown(ipc_srv->cli);
free(ipc_srv);
return NULL;
}
/*
* Some systems don't support
* SEC_FLAG_MAXIMUM_ALLOWED, but NT sends 0x2000000
* so we might as well do it too.
*/
nt_status = rpccli_lsa_open_policy(
pipe_hnd,
talloc_tos(),
True,
GENERIC_EXECUTE_ACCESS,
&ipc_srv->pol);
if (!NT_STATUS_IS_OK(nt_status)) {
errno = SMBC_errno(context, ipc_srv->cli);
cli_shutdown(ipc_srv->cli);
free(ipc_srv);
return NULL;
}
/* now add it to the cache (internal or external) */
errno = 0; /* let cache function set errno if it likes */
if (smbc_getFunctionAddCachedServer(context)(context, ipc_srv,
server,
"*IPC$",
*pp_workgroup,
*pp_username)) {
DEBUG(3, (" Failed to add server to cache\n"));
if (errno == 0) {
errno = ENOMEM;
}
cli_shutdown(ipc_srv->cli);
free(ipc_srv);
return NULL;
}
DLIST_ADD(context->internal->servers, ipc_srv);
}
return ipc_srv;
}
NTSTATUS connect_to_service(struct net_context *c,
struct cli_state **cli_ctx,
struct sockaddr_storage *server_ss,
const char *server_name,
const char *service_name,
const char *service_type)
{
NTSTATUS nt_status;
int flags = 0;
c->opt_password = net_prompt_pass(c, c->opt_user_name);
if (c->opt_kerberos) {
flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
}
if (c->opt_kerberos && c->opt_password) {
flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
}
if (c->opt_ccache) {
flags |= CLI_FULL_CONNECTION_USE_CCACHE;
}
nt_status = cli_full_connection(cli_ctx, NULL, server_name,
server_ss, c->opt_port,
service_name, service_type,
c->opt_user_name, c->opt_workgroup,
c->opt_password, flags, Undefined);
if (!NT_STATUS_IS_OK(nt_status)) {
d_fprintf(stderr, _("Could not connect to server %s\n"),
server_name);
/* Display a nicer message depending on the result */
if (NT_STATUS_V(nt_status) ==
NT_STATUS_V(NT_STATUS_LOGON_FAILURE))
d_fprintf(stderr,
_("The username or password was not "
"correct.\n"));
if (NT_STATUS_V(nt_status) ==
NT_STATUS_V(NT_STATUS_ACCOUNT_LOCKED_OUT))
d_fprintf(stderr, _("The account was locked out.\n"));
if (NT_STATUS_V(nt_status) ==
NT_STATUS_V(NT_STATUS_ACCOUNT_DISABLED))
d_fprintf(stderr, _("The account was disabled.\n"));
return nt_status;
}
if (c->smb_encrypt) {
nt_status = cli_force_encryption(*cli_ctx,
c->opt_user_name,
c->opt_password,
c->opt_workgroup);
if (NT_STATUS_EQUAL(nt_status,NT_STATUS_NOT_SUPPORTED)) {
d_printf(_("Encryption required and "
"server that doesn't support "
"UNIX extensions - failing connect\n"));
} else if (NT_STATUS_EQUAL(nt_status,NT_STATUS_UNKNOWN_REVISION)) {
d_printf(_("Encryption required and "
"can't get UNIX CIFS extensions "
"version from server.\n"));
} else if (NT_STATUS_EQUAL(nt_status,NT_STATUS_UNSUPPORTED_COMPRESSION)) {
d_printf(_("Encryption required and "
"share %s doesn't support "
"encryption.\n"), service_name);
} else if (!NT_STATUS_IS_OK(nt_status)) {
d_printf(_("Encryption required and "
"setup failed with error %s.\n"),
nt_errstr(nt_status));
}
if (!NT_STATUS_IS_OK(nt_status)) {
cli_shutdown(*cli_ctx);
*cli_ctx = NULL;
}
}
return nt_status;
}
/**
* confirm that a domain join is still valid
*
* @return A shell status integer (0 for success)
*
**/
NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
const char *server, struct sockaddr_storage *pss)
{
enum security_types sec;
unsigned int conn_flags = NET_FLAGS_PDC;
uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
struct cli_state *cli = NULL;
struct rpc_pipe_client *pipe_hnd = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL;
sec = (enum security_types)lp_security();
if (sec == SEC_ADS) {
/* Connect to IPC$ using machine account's credentials. We don't use anonymous
connection here, as it may be denied by server's local policy. */
net_use_machine_account(c);
} else {
/* some servers (e.g. WinNT) don't accept machine-authenticated
smb connections */
conn_flags |= NET_FLAGS_ANONYMOUS;
}
/* Connect to remote machine */
ntret = net_make_ipc_connection_ex(c, domain, server, pss, conn_flags,
&cli);
if (!NT_STATUS_IS_OK(ntret)) {
return ntret;
}
/* Setup the creds as though we're going to do schannel... */
ntret = get_schannel_session_key(cli, domain, &neg_flags,
&netlogon_pipe);
/* We return NT_STATUS_INVALID_NETWORK_RESPONSE if the server is refusing
to negotiate schannel, but the creds were set up ok. That'll have to do. */
if (!NT_STATUS_IS_OK(ntret)) {
if (NT_STATUS_EQUAL(ntret, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
cli_shutdown(cli);
return NT_STATUS_OK;
} else {
DEBUG(0,("net_rpc_join_ok: failed to get schannel session "
"key from server %s for domain %s. Error was %s\n",
cli->desthost, domain, nt_errstr(ntret) ));
cli_shutdown(cli);
return ntret;
}
}
/* Only do the rest of the schannel test if the client is allowed to do this. */
if (!lp_client_schannel()) {
cli_shutdown(cli);
/* We're good... */
return ntret;
}
ntret = cli_rpc_pipe_open_schannel_with_key(
cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
DCERPC_AUTH_LEVEL_PRIVACY,
domain, &netlogon_pipe->dc, &pipe_hnd);
if (!NT_STATUS_IS_OK(ntret)) {
DEBUG(0,("net_rpc_join_ok: failed to open schannel session "
"on netlogon pipe to server %s for domain %s. Error was %s\n",
cli->desthost, domain, nt_errstr(ntret) ));
/*
* Note: here, we have:
* (pipe_hnd != NULL) if and only if NT_STATUS_IS_OK(ntret)
*/
}
cli_shutdown(cli);
return ntret;
}
static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx)
{
struct cli_state *cli = NULL;
char *desthost = NULL;
struct sockaddr_storage dest_ss;
const char *p;
char *pserver = NULL;
bool connected_ok = False;
struct named_mutex *mutex = NULL;
NTSTATUS status;
pserver = talloc_strdup(mem_ctx, lp_passwordserver());
p = pserver;
while(next_token_talloc(mem_ctx, &p, &desthost, LIST_SEP)) {
desthost = talloc_sub_basic(mem_ctx,
current_user_info.smb_name,
current_user_info.domain,
desthost);
if (!desthost) {
return NULL;
}
strupper_m(desthost);
if (strequal(desthost, myhostname())) {
DEBUG(1,("Password server loop - disabling "
"password server %s\n", desthost));
continue;
}
if(!resolve_name( desthost, &dest_ss, 0x20, false)) {
DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost));
continue;
}
if (ismyaddr((struct sockaddr *)(void *)&dest_ss)) {
DEBUG(1,("Password server loop - disabling password server %s\n",desthost));
continue;
}
/* we use a mutex to prevent two connections at once - when a
Win2k PDC get two connections where one hasn't completed a
session setup yet it will send a TCP reset to the first
connection (tridge) */
mutex = grab_named_mutex(talloc_tos(), desthost, 10);
if (mutex == NULL) {
return NULL;
}
status = cli_connect_nb(desthost, &dest_ss, 0, 0x20,
lp_netbios_name(), Undefined, &cli);
if (NT_STATUS_IS_OK(status)) {
DEBUG(3,("connected to password server %s\n",desthost));
connected_ok = True;
break;
}
DEBUG(10,("server_cryptkey: failed to connect to server %s. Error %s\n",
desthost, nt_errstr(status) ));
TALLOC_FREE(mutex);
}
if (!connected_ok) {
DEBUG(0,("password server not available\n"));
return NULL;
}
/* security = server just can't function with spnego */
cli->use_spnego = False;
DEBUG(3,("got session\n"));
status = cli_negprot(cli);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(mutex);
DEBUG(1, ("%s rejected the negprot: %s\n",
desthost, nt_errstr(status)));
cli_shutdown(cli);
return NULL;
}
if (cli->protocol < PROTOCOL_LANMAN2 ||
!(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
TALLOC_FREE(mutex);
DEBUG(1,("%s isn't in user level security mode\n",desthost));
cli_shutdown(cli);
return NULL;
}
/* Get the first session setup done quickly, to avoid silly
Win2k bugs. (The next connection to the server will kill
this one...
*/
status = cli_session_setup(cli, "", "", 0, "", 0, "");
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(mutex);
DEBUG(0,("%s rejected the initial session setup (%s)\n",
desthost, nt_errstr(status)));
cli_shutdown(cli);
return NULL;
}
TALLOC_FREE(mutex);
DEBUG(3,("password server OK\n"));
return cli;
}
static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
const char *domain,
const char *dc_name,
const struct sockaddr_storage *dc_ss,
struct rpc_pipe_client **pipe_ret)
{
NTSTATUS result;
struct rpc_pipe_client *netlogon_pipe = NULL;
*cli = NULL;
*pipe_ret = NULL;
/* TODO: Send a SAMLOGON request to determine whether this is a valid
logonserver. We can avoid a 30-second timeout if the DC is down
if the SAMLOGON request fails as it is only over UDP. */
/* we use a mutex to prevent two connections at once - when a
Win2k PDC get two connections where one hasn't completed a
session setup yet it will send a TCP reset to the first
connection (tridge) */
/*
* With NT4.x DC's *all* authentication must be serialized to avoid
* ACCESS_DENIED errors if 2 auths are done from the same machine. JRA.
*/
mutex = grab_named_mutex(NULL, dc_name, 10);
if (mutex == NULL) {
return NT_STATUS_NO_LOGON_SERVERS;
}
/* Attempt connection */
result = cli_full_connection(cli, lp_netbios_name(), dc_name, dc_ss, 0,
"IPC$", "IPC", "", "", "", 0, SMB_SIGNING_DEFAULT);
if (!NT_STATUS_IS_OK(result)) {
/* map to something more useful */
if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
result = NT_STATUS_NO_LOGON_SERVERS;
}
if (*cli) {
cli_shutdown(*cli);
*cli = NULL;
}
TALLOC_FREE(mutex);
return result;
}
/*
* We now have an anonymous connection to IPC$ on the domain password server.
*/
/*
* Even if the connect succeeds we need to setup the netlogon
* pipe here. We do this as we may just have changed the domain
* account password on the PDC and yet we may be talking to
* a BDC that doesn't have this replicated yet. In this case
* a successful connect to a DC needs to take the netlogon connect
* into account also. This patch from "Bjart Kvarme" <*****@*****.**>.
*/
/* open the netlogon pipe. */
if (lp_client_schannel()) {
/* We also setup the creds chain in the open_schannel call. */
result = cli_rpc_pipe_open_schannel(
*cli, &ndr_table_netlogon, NCACN_NP,
DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
} else {
result = cli_rpc_pipe_open_noauth(
*cli, &ndr_table_netlogon, &netlogon_pipe);
}
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
cli_shutdown(*cli);
*cli = NULL;
TALLOC_FREE(mutex);
return result;
}
/****************************************************************************
support for server level security
****************************************************************************/
struct cli_state *server_cryptkey(void)
{
fstring desthost;
struct in_addr dest_ip;
extern fstring local_machine;
char *p;
if (!cli_initialise(&cli))
return NULL;
for (p=strtok(lp_passwordserver(),LIST_SEP); p ; p = strtok(NULL,LIST_SEP)) {
fstrcpy(desthost,p);
standard_sub_basic(desthost);
strupper(desthost);
if(!resolve_name( desthost, &dest_ip)) {
DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",p));
continue;
}
if (ismyip(dest_ip)) {
DEBUG(1,("Password server loop - disabling password server %s\n",p));
continue;
}
if (cli_connect(&cli, desthost, &dest_ip)) {
DEBUG(3,("connected to password server %s\n",p));
break;
}
}
if (!p) {
DEBUG(1,("password server not available\n"));
cli_shutdown(&cli);
return NULL;
}
if (!cli_session_request(&cli, desthost, 0x20, local_machine)) {
DEBUG(1,("%s rejected the session\n",desthost));
cli_shutdown(&cli);
return NULL;
}
DEBUG(3,("got session\n"));
if (!cli_negprot(&cli)) {
DEBUG(1,("%s rejected the negprot\n",desthost));
cli_shutdown(&cli);
return NULL;
}
if (cli.protocol < PROTOCOL_LANMAN2 ||
!(cli.sec_mode & 1)) {
DEBUG(1,("%s isn't in user level security mode\n",desthost));
cli_shutdown(&cli);
return NULL;
}
DEBUG(3,("password server OK\n"));
return &cli;
}
int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
{
/* libsmb variables */
struct cli_state *cli;
TALLOC_CTX *mem_ctx;
uint32 acb_info = ACB_WSTRUST;
uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
enum netr_SchannelType sec_channel_type;
struct rpc_pipe_client *pipe_hnd = NULL;
struct dcerpc_binding_handle *b = NULL;
/* rpc variables */
struct policy_handle lsa_pol, sam_pol, domain_pol, user_pol;
struct dom_sid *domain_sid;
uint32 user_rid;
/* Password stuff */
char *clear_trust_password = NULL;
struct samr_CryptPassword crypt_pwd;
uchar md4_trust_password[16];
union samr_UserInfo set_info;
/* Misc */
NTSTATUS status, result;
int retval = 1;
const char *domain = NULL;
char *acct_name;
struct lsa_String lsa_acct_name;
uint32 acct_flags=0;
uint32_t access_granted = 0;
union lsa_PolicyInformation *info = NULL;
struct samr_Ids user_rids;
struct samr_Ids name_types;
/* check what type of join */
if (argc >= 0) {
sec_channel_type = get_sec_channel_type(argv[0]);
} else {
sec_channel_type = get_sec_channel_type(NULL);
}
switch (sec_channel_type) {
case SEC_CHAN_WKSTA:
acb_info = ACB_WSTRUST;
break;
case SEC_CHAN_BDC:
acb_info = ACB_SVRTRUST;
break;
#if 0
case SEC_CHAN_DOMAIN:
acb_info = ACB_DOMTRUST;
break;
#endif
default:
DEBUG(0,("secure channel type %d not yet supported\n",
sec_channel_type));
break;
}
/* Make authenticated connection to remote machine */
status = net_make_ipc_connection(c, NET_FLAGS_PDC, &cli);
if (!NT_STATUS_IS_OK(status)) {
return 1;
}
if (!(mem_ctx = talloc_init("net_rpc_join_newstyle"))) {
DEBUG(0, ("Could not initialise talloc context\n"));
goto done;
}
/* Fetch domain sid */
status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
&pipe_hnd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
nt_errstr(status) ));
goto done;
}
b = pipe_hnd->binding_handle;
CHECK_RPC_ERR(rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
SEC_FLAG_MAXIMUM_ALLOWED,
&lsa_pol),
"error opening lsa policy handle");
CHECK_DCERPC_ERR(dcerpc_lsa_QueryInfoPolicy(b, mem_ctx,
&lsa_pol,
LSA_POLICY_INFO_ACCOUNT_DOMAIN,
&info,
&result),
"error querying info policy");
domain = info->account_domain.name.string;
domain_sid = info->account_domain.sid;
dcerpc_lsa_Close(b, mem_ctx, &lsa_pol, &result);
TALLOC_FREE(pipe_hnd); /* Done with this pipe */
/* Bail out if domain didn't get set. */
if (!domain) {
DEBUG(0, ("Could not get domain name.\n"));
goto done;
}
/* Create domain user */
status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
&pipe_hnd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
nt_errstr(status) ));
goto done;
}
b = pipe_hnd->binding_handle;
CHECK_DCERPC_ERR(dcerpc_samr_Connect2(b, mem_ctx,
pipe_hnd->desthost,
SAMR_ACCESS_ENUM_DOMAINS
| SAMR_ACCESS_LOOKUP_DOMAIN,
&sam_pol,
&result),
"could not connect to SAM database");
CHECK_DCERPC_ERR(dcerpc_samr_OpenDomain(b, mem_ctx,
&sam_pol,
SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
| SAMR_DOMAIN_ACCESS_CREATE_USER
| SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
domain_sid,
&domain_pol,
&result),
"could not open domain");
/* Create domain user */
if ((acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname())) == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
strlower_m(acct_name);
init_lsa_String(&lsa_acct_name, acct_name);
acct_flags = SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
SEC_STD_WRITE_DAC | SEC_STD_DELETE |
SAMR_USER_ACCESS_SET_PASSWORD |
SAMR_USER_ACCESS_GET_ATTRIBUTES |
SAMR_USER_ACCESS_SET_ATTRIBUTES;
DEBUG(10, ("Creating account with flags: %d\n",acct_flags));
status = dcerpc_samr_CreateUser2(b, mem_ctx,
&domain_pol,
&lsa_acct_name,
acb_info,
acct_flags,
&user_pol,
&access_granted,
&user_rid,
&result);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
if (!NT_STATUS_IS_OK(result) &&
!NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) {
status = result;
d_fprintf(stderr,_("Creation of workstation account failed\n"));
/* If NT_STATUS_ACCESS_DENIED then we have a valid
username/password combo but the user does not have
administrator access. */
if (NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED))
d_fprintf(stderr, _("User specified does not have "
"administrator privileges\n"));
goto done;
}
/* We *must* do this.... don't ask... */
if (NT_STATUS_IS_OK(result)) {
dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
}
CHECK_DCERPC_ERR_DEBUG(dcerpc_samr_LookupNames(b, mem_ctx,
&domain_pol,
1,
&lsa_acct_name,
&user_rids,
&name_types,
&result),
("error looking up rid for user %s: %s/%s\n",
acct_name, nt_errstr(status), nt_errstr(result)));
if (user_rids.count != 1) {
status = NT_STATUS_INVALID_NETWORK_RESPONSE;
goto done;
}
if (name_types.count != 1) {
status = NT_STATUS_INVALID_NETWORK_RESPONSE;
goto done;
}
if (name_types.ids[0] != SID_NAME_USER) {
DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types.ids[0]));
goto done;
}
user_rid = user_rids.ids[0];
/* Open handle on user */
CHECK_DCERPC_ERR_DEBUG(
dcerpc_samr_OpenUser(b, mem_ctx,
&domain_pol,
SEC_FLAG_MAXIMUM_ALLOWED,
user_rid,
&user_pol,
&result),
("could not re-open existing user %s: %s/%s\n",
acct_name, nt_errstr(status), nt_errstr(result)));
/* Create a random machine account password */
clear_trust_password = generate_random_str(talloc_tos(), DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
E_md4hash(clear_trust_password, md4_trust_password);
/* Set password on machine account */
init_samr_CryptPassword(clear_trust_password,
&cli->user_session_key,
&crypt_pwd);
set_info.info24.password = crypt_pwd;
set_info.info24.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
CHECK_DCERPC_ERR(dcerpc_samr_SetUserInfo2(b, mem_ctx,
&user_pol,
24,
&set_info,
&result),
"error setting trust account password");
/* Why do we have to try to (re-)set the ACB to be the same as what
we passed in the samr_create_dom_user() call? When a NT
workstation is joined to a domain by an administrator the
acb_info is set to 0x80. For a normal user with "Add
workstations to the domain" rights the acb_info is 0x84. I'm
not sure whether it is supposed to make a difference or not. NT
seems to cope with either value so don't bomb out if the set
userinfo2 level 0x10 fails. -tpot */
set_info.info16.acct_flags = acb_info;
/* Ignoring the return value is necessary for joining a domain
as a normal user with "Add workstation to domain" privilege. */
status = dcerpc_samr_SetUserInfo(b, mem_ctx,
&user_pol,
16,
&set_info,
&result);
dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
TALLOC_FREE(pipe_hnd); /* Done with this pipe */
/* Now check the whole process from top-to-bottom */
status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
&pipe_hnd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n",
nt_errstr(status) ));
goto done;
}
status = rpccli_netlogon_setup_creds(pipe_hnd,
cli->desthost, /* server name */
domain, /* domain */
global_myname(), /* client name */
global_myname(), /* machine account name */
md4_trust_password,
sec_channel_type,
&neg_flags);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Error in domain join verification (credential setup failed): %s\n\n",
nt_errstr(status)));
if ( NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
(sec_channel_type == SEC_CHAN_BDC) ) {
d_fprintf(stderr, _("Please make sure that no computer "
"account\nnamed like this machine "
"(%s) exists in the domain\n"),
global_myname());
}
goto done;
}
/* We can only check the schannel connection if the client is allowed
to do this and the server supports it. If not, just assume success
(after all the rpccli_netlogon_setup_creds() succeeded, and we'll
do the same again (setup creds) in net_rpc_join_ok(). JRA. */
if (lp_client_schannel() && (neg_flags & NETLOGON_NEG_SCHANNEL)) {
struct rpc_pipe_client *netlogon_schannel_pipe;
status = cli_rpc_pipe_open_schannel_with_key(
cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
DCERPC_AUTH_LEVEL_PRIVACY, domain, &pipe_hnd->dc,
&netlogon_schannel_pipe);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Error in domain join verification (schannel setup failed): %s\n\n",
nt_errstr(status)));
if ( NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
(sec_channel_type == SEC_CHAN_BDC) ) {
d_fprintf(stderr, _("Please make sure that no "
"computer account\nnamed "
"like this machine (%s) "
"exists in the domain\n"),
global_myname());
}
goto done;
}
TALLOC_FREE(netlogon_schannel_pipe);
}
TALLOC_FREE(pipe_hnd);
/* Now store the secret in the secrets database */
strupper_m(CONST_DISCARD(char *, domain));
if (!secrets_store_domain_sid(domain, domain_sid)) {
DEBUG(0, ("error storing domain sid for %s\n", domain));
goto done;
}
if (!secrets_store_machine_password(clear_trust_password, domain, sec_channel_type)) {
DEBUG(0, ("error storing plaintext domain secrets for %s\n", domain));
}
/* double-check, connection from scratch */
status = net_rpc_join_ok(c, domain, cli->desthost, &cli->dest_ss);
retval = NT_STATUS_IS_OK(status) ? 0 : -1;
done:
/* Display success or failure */
if (domain) {
if (retval != 0) {
fprintf(stderr,_("Unable to join domain %s.\n"),domain);
} else {
printf(_("Joined domain %s.\n"),domain);
}
}
cli_shutdown(cli);
TALLOC_FREE(clear_trust_password);
return retval;
}
bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
char ***domain_names, uint32 *num_domains,
DOM_SID **sids )
{
struct policy_handle pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
fstring dc_name;
struct sockaddr_storage dc_ss;
uint32 enum_ctx = 0;
struct cli_state *cli = NULL;
struct rpc_pipe_client *lsa_pipe;
bool retry;
struct lsa_DomainList dom_list;
int i;
*domain_names = NULL;
*num_domains = 0;
*sids = NULL;
/* lookup a DC first */
if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
domain));
return False;
}
/* setup the anonymous connection */
result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ss, 0, "IPC$", "IPC",
"", "", "", 0, Undefined, &retry);
if ( !NT_STATUS_IS_OK(result) )
goto done;
/* open the LSARPC_PIPE */
result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
&lsa_pipe);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* get a handle */
result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True,
LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol);
if ( !NT_STATUS_IS_OK(result) )
goto done;
/* Lookup list of trusted domains */
result = rpccli_lsa_EnumTrustDom(lsa_pipe, mem_ctx,
&pol,
&enum_ctx,
&dom_list,
(uint32_t)-1);
if ( !NT_STATUS_IS_OK(result) )
goto done;
*num_domains = dom_list.count;
*domain_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_domains);
if (!*domain_names) {
result = NT_STATUS_NO_MEMORY;
goto done;
}
*sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, *num_domains);
if (!*sids) {
result = NT_STATUS_NO_MEMORY;
goto done;
}
for (i=0; i< *num_domains; i++) {
(*domain_names)[i] = CONST_DISCARD(char *, dom_list.domains[i].name.string);
(*sids)[i] = *dom_list.domains[i].sid;
}
done:
/* cleanup */
if (cli) {
DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n"));
cli_shutdown( cli );
}
return NT_STATUS_IS_OK(result);
}
/*************************************************************
change a password on a remote machine using IPC calls
*************************************************************/
BOOL remote_password_change(const char *remote_machine, const char *user_name,
const char *old_passwd, const char *new_passwd,
char *err_str, size_t err_str_len)
{
struct nmb_name calling, called;
struct cli_state cli;
struct in_addr ip;
*err_str = '\0';
if(!resolve_name( remote_machine, &ip, 0x20)) {
slprintf(err_str, err_str_len-1, "unable to find an IP address for machine %s.\n",
remote_machine );
return False;
}
ZERO_STRUCT(cli);
if (!cli_initialise(&cli) || !cli_connect(&cli, remote_machine, &ip)) {
slprintf(err_str, err_str_len-1, "unable to connect to SMB server on machine %s. Error was : %s.\n",
remote_machine, cli_errstr(&cli) );
return False;
}
make_nmb_name(&calling, global_myname() , 0x0);
make_nmb_name(&called , remote_machine, 0x20);
if (!cli_session_request(&cli, &calling, &called)) {
slprintf(err_str, err_str_len-1, "machine %s rejected the session setup. Error was : %s.\n",
remote_machine, cli_errstr(&cli) );
cli_shutdown(&cli);
return False;
}
cli.protocol = PROTOCOL_NT1;
if (!cli_negprot(&cli)) {
slprintf(err_str, err_str_len-1, "machine %s rejected the negotiate protocol. Error was : %s.\n",
remote_machine, cli_errstr(&cli) );
cli_shutdown(&cli);
return False;
}
/*
* We should connect as the anonymous user here, in case
* the server has "must change password" checked...
* Thanks to <*****@*****.**> for this fix.
*/
if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
slprintf(err_str, err_str_len-1, "machine %s rejected the session setup. Error was : %s.\n",
remote_machine, cli_errstr(&cli) );
cli_shutdown(&cli);
return False;
}
if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
slprintf(err_str, err_str_len-1, "machine %s rejected the tconX on the IPC$ share. Error was : %s.\n",
remote_machine, cli_errstr(&cli) );
cli_shutdown(&cli);
return False;
}
if(!cli_oem_change_password(&cli, user_name, new_passwd, old_passwd)) {
slprintf(err_str, err_str_len-1, "machine %s rejected the password change: Error was : %s.\n",
remote_machine, cli_errstr(&cli) );
cli_shutdown(&cli);
return False;
}
cli_shutdown(&cli);
return True;
}
static SMBCSRV *
SMBC_server_internal(TALLOC_CTX *ctx,
SMBCCTX *context,
bool connect_if_not_found,
const char *server,
uint16_t port,
const char *share,
char **pp_workgroup,
char **pp_username,
char **pp_password,
bool *in_cache)
{
SMBCSRV *srv=NULL;
char *workgroup = NULL;
struct cli_state *c = NULL;
const char *server_n = server;
int is_ipc = (share != NULL && strcmp(share, "IPC$") == 0);
uint32_t fs_attrs = 0;
const char *username_used;
NTSTATUS status;
char *newserver, *newshare;
int flags = 0;
struct smbXcli_tcon *tcon = NULL;
int signing_state = SMB_SIGNING_DEFAULT;
ZERO_STRUCT(c);
*in_cache = false;
if (server[0] == 0) {
errno = EPERM;
return NULL;
}
/* Look for a cached connection */
srv = SMBC_find_server(ctx, context, server, share,
pp_workgroup, pp_username, pp_password);
/*
* If we found a connection and we're only allowed one share per
* server...
*/
if (srv &&
share != NULL && *share != '\0' &&
smbc_getOptionOneSharePerServer(context)) {
/*
* ... then if there's no current connection to the share,
* connect to it. SMBC_find_server(), or rather the function
* pointed to by context->get_cached_srv_fn which
* was called by SMBC_find_server(), will have issued a tree
* disconnect if the requested share is not the same as the
* one that was already connected.
*/
/*
* Use srv->cli->desthost and srv->cli->share instead of
* server and share below to connect to the actual share,
* i.e., a normal share or a referred share from
* 'msdfs proxy' share.
*/
if (!cli_state_has_tcon(srv->cli)) {
/* Ensure we have accurate auth info */
SMBC_call_auth_fn(ctx, context,
smbXcli_conn_remote_name(srv->cli->conn),
srv->cli->share,
pp_workgroup,
pp_username,
pp_password);
if (!*pp_workgroup || !*pp_username || !*pp_password) {
errno = ENOMEM;
cli_shutdown(srv->cli);
srv->cli = NULL;
smbc_getFunctionRemoveCachedServer(context)(context,
srv);
return NULL;
}
/*
* We don't need to renegotiate encryption
* here as the encryption context is not per
* tid.
*/
status = cli_tree_connect(srv->cli,
srv->cli->share,
"?????",
*pp_password,
strlen(*pp_password)+1);
if (!NT_STATUS_IS_OK(status)) {
errno = map_errno_from_nt_status(status);
cli_shutdown(srv->cli);
srv->cli = NULL;
smbc_getFunctionRemoveCachedServer(context)(context,
srv);
srv = NULL;
}
/* Determine if this share supports case sensitivity */
if (is_ipc) {
DEBUG(4,
("IPC$ so ignore case sensitivity\n"));
status = NT_STATUS_OK;
} else {
status = cli_get_fs_attr_info(c, &fs_attrs);
}
if (!NT_STATUS_IS_OK(status)) {
DEBUG(4, ("Could not retrieve "
"case sensitivity flag: %s.\n",
nt_errstr(status)));
/*
* We can't determine the case sensitivity of
* the share. We have no choice but to use the
* user-specified case sensitivity setting.
*/
if (smbc_getOptionCaseSensitive(context)) {
cli_set_case_sensitive(c, True);
} else {
cli_set_case_sensitive(c, False);
}
} else if (!is_ipc) {
DEBUG(4,
("Case sensitive: %s\n",
(fs_attrs & FILE_CASE_SENSITIVE_SEARCH
? "True"
: "False")));
cli_set_case_sensitive(
c,
(fs_attrs & FILE_CASE_SENSITIVE_SEARCH
? True
: False));
}
/*
* Regenerate the dev value since it's based on both
* server and share
*/
if (srv) {
const char *remote_name =
smbXcli_conn_remote_name(srv->cli->conn);
srv->dev = (dev_t)(str_checksum(remote_name) ^
str_checksum(srv->cli->share));
}
}
}
/* If we have a connection... */
if (srv) {
/* ... then we're done here. Give 'em what they came for. */
*in_cache = true;
goto done;
}
/* If we're not asked to connect when a connection doesn't exist... */
if (! connect_if_not_found) {
/* ... then we're done here. */
return NULL;
}
if (!*pp_workgroup || !*pp_username || !*pp_password) {
errno = ENOMEM;
return NULL;
}
DEBUG(4,("SMBC_server: server_n=[%s] server=[%s]\n", server_n, server));
DEBUG(4,(" -> server_n=[%s] server=[%s]\n", server_n, server));
status = NT_STATUS_UNSUCCESSFUL;
if (smbc_getOptionUseKerberos(context)) {
flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
}
if (smbc_getOptionFallbackAfterKerberos(context)) {
flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
}
if (smbc_getOptionUseCCache(context)) {
flags |= CLI_FULL_CONNECTION_USE_CCACHE;
}
if (smbc_getOptionUseNTHash(context)) {
flags |= CLI_FULL_CONNECTION_USE_NT_HASH;
}
if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
signing_state = SMB_SIGNING_REQUIRED;
}
if (port == 0) {
if (share == NULL || *share == '\0' || is_ipc) {
/*
* Try 139 first for IPC$
*/
status = cli_connect_nb(server_n, NULL, NBT_SMB_PORT, 0x20,
smbc_getNetbiosName(context),
signing_state, flags, &c);
}
}
if (!NT_STATUS_IS_OK(status)) {
/*
* No IPC$ or 139 did not work
*/
status = cli_connect_nb(server_n, NULL, port, 0x20,
smbc_getNetbiosName(context),
signing_state, flags, &c);
}
if (!NT_STATUS_IS_OK(status)) {
errno = map_errno_from_nt_status(status);
return NULL;
}
cli_set_timeout(c, smbc_getTimeout(context));
status = smbXcli_negprot(c->conn, c->timeout,
lp_client_min_protocol(),
lp_client_max_protocol());
if (!NT_STATUS_IS_OK(status)) {
cli_shutdown(c);
errno = ETIMEDOUT;
return NULL;
}
if (smbXcli_conn_protocol(c->conn) >= PROTOCOL_SMB2_02) {
/* Ensure we ask for some initial credits. */
smb2cli_conn_set_max_credits(c->conn, DEFAULT_SMB2_MAX_CREDITS);
}
username_used = *pp_username;
if (!NT_STATUS_IS_OK(cli_session_setup(c, username_used,
*pp_password,
strlen(*pp_password),
*pp_password,
strlen(*pp_password),
*pp_workgroup))) {
/* Failed. Try an anonymous login, if allowed by flags. */
username_used = "";
if (smbc_getOptionNoAutoAnonymousLogin(context) ||
!NT_STATUS_IS_OK(cli_session_setup(c, username_used,
*pp_password, 1,
*pp_password, 0,
*pp_workgroup))) {
cli_shutdown(c);
errno = EPERM;
return NULL;
}
}
DEBUG(4,(" session setup ok\n"));
/* here's the fun part....to support 'msdfs proxy' shares
(on Samba or windows) we have to issues a TRANS_GET_DFS_REFERRAL
here before trying to connect to the original share.
cli_check_msdfs_proxy() will fail if it is a normal share. */
if (smbXcli_conn_dfs_supported(c->conn) &&
cli_check_msdfs_proxy(ctx, c, share,
&newserver, &newshare,
/* FIXME: cli_check_msdfs_proxy() does
not support smbc_smb_encrypt_level type */
context->internal->smb_encryption_level ?
true : false,
*pp_username,
*pp_password,
*pp_workgroup)) {
cli_shutdown(c);
srv = SMBC_server_internal(ctx, context, connect_if_not_found,
newserver, port, newshare, pp_workgroup,
pp_username, pp_password, in_cache);
TALLOC_FREE(newserver);
TALLOC_FREE(newshare);
return srv;
}
/* must be a normal share */
status = cli_tree_connect(c, share, "?????", *pp_password,
strlen(*pp_password)+1);
if (!NT_STATUS_IS_OK(status)) {
errno = map_errno_from_nt_status(status);
cli_shutdown(c);
return NULL;
}
DEBUG(4,(" tconx ok\n"));
if (smbXcli_conn_protocol(c->conn) >= PROTOCOL_SMB2_02) {
tcon = c->smb2.tcon;
} else {
tcon = c->smb1.tcon;
}
/* Determine if this share supports case sensitivity */
if (is_ipc) {
DEBUG(4, ("IPC$ so ignore case sensitivity\n"));
status = NT_STATUS_OK;
} else {
status = cli_get_fs_attr_info(c, &fs_attrs);
}
if (!NT_STATUS_IS_OK(status)) {
DEBUG(4, ("Could not retrieve case sensitivity flag: %s.\n",
nt_errstr(status)));
/*
* We can't determine the case sensitivity of the share. We
* have no choice but to use the user-specified case
* sensitivity setting.
*/
if (smbc_getOptionCaseSensitive(context)) {
cli_set_case_sensitive(c, True);
} else {
cli_set_case_sensitive(c, False);
}
} else if (!is_ipc) {
DEBUG(4, ("Case sensitive: %s\n",
(fs_attrs & FILE_CASE_SENSITIVE_SEARCH
? "True"
: "False")));
smbXcli_tcon_set_fs_attributes(tcon, fs_attrs);
}
if (context->internal->smb_encryption_level) {
/* Attempt UNIX smb encryption. */
if (!NT_STATUS_IS_OK(cli_force_encryption(c,
username_used,
*pp_password,
*pp_workgroup))) {
/*
* context->smb_encryption_level == 1
* means don't fail if encryption can't be negotiated,
* == 2 means fail if encryption can't be negotiated.
*/
DEBUG(4,(" SMB encrypt failed\n"));
if (context->internal->smb_encryption_level == 2) {
cli_shutdown(c);
errno = EPERM;
return NULL;
}
}
DEBUG(4,(" SMB encrypt ok\n"));
}
/*
* Ok, we have got a nice connection
* Let's allocate a server structure.
*/
srv = SMB_MALLOC_P(SMBCSRV);
if (!srv) {
cli_shutdown(c);
errno = ENOMEM;
return NULL;
}
ZERO_STRUCTP(srv);
DLIST_ADD(srv->cli, c);
srv->dev = (dev_t)(str_checksum(server) ^ str_checksum(share));
srv->no_pathinfo = False;
srv->no_pathinfo2 = False;
srv->no_pathinfo3 = False;
srv->no_nt_session = False;
done:
if (!pp_workgroup || !*pp_workgroup || !**pp_workgroup) {
workgroup = talloc_strdup(ctx, smbc_getWorkgroup(context));
} else {
workgroup = *pp_workgroup;
}
if(!workgroup) {
if (c != NULL) {
cli_shutdown(c);
}
SAFE_FREE(srv);
return NULL;
}
/* set the credentials to make DFS work */
smbc_set_credentials_with_fallback(context,
workgroup,
*pp_username,
*pp_password);
return srv;
}
