/*
make sure we only add repsFrom entries for DCs who are masters for
the partition
*/
static bool check_MasterNC(struct kccsrv_partition *p, struct repsFromToBlob *r,
struct ldb_result *res)
{
struct repsFromTo1 *r1 = &r->ctr.ctr1;
struct GUID invocation_id = r1->source_dsa_invocation_id;
unsigned int i, j;
/* we are expecting only version 1 */
SMB_ASSERT(r->version == 1);
for (i=0; i<res->count; i++) {
struct ldb_message *msg = res->msgs[i];
struct ldb_message_element *el;
struct ldb_dn *dn;
struct GUID id2 = samdb_result_guid(msg, "invocationID");
if (GUID_all_zero(&id2) ||
!GUID_equal(&invocation_id, &id2)) {
continue;
}
el = ldb_msg_find_element(msg, "msDS-hasMasterNCs");
if (!el || el->num_values == 0) {
el = ldb_msg_find_element(msg, "hasMasterNCs");
if (!el || el->num_values == 0) {
continue;
}
}
for (j=0; j<el->num_values; j++) {
dn = ldb_dn_from_ldb_val(p, p->service->samdb, &el->values[j]);
if (!ldb_dn_validate(dn)) {
talloc_free(dn);
continue;
}
if (ldb_dn_compare(dn, p->dn) == 0) {
talloc_free(dn);
DEBUG(5,("%s %s match on %s in %s\n",
r1->other_info->dns_name,
el->name,
ldb_dn_get_linearized(dn),
ldb_dn_get_linearized(msg->dn)));
return true;
}
talloc_free(dn);
}
}
return false;
}
NTSTATUS dcesrv_lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct lsa_policy_state **_state)
{
struct lsa_policy_state *state;
struct ldb_result *dom_res;
const char *dom_attrs[] = {
"objectSid",
"objectGUID",
"nTMixedDomain",
"fSMORoleOwner",
NULL
};
char *p;
int ret;
state = talloc(mem_ctx, struct lsa_policy_state);
if (!state) {
return NT_STATUS_NO_MEMORY;
}
/* make sure the sam database is accessible */
state->sam_ldb = samdb_connect(state, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info);
if (state->sam_ldb == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
/* work out the domain_dn - useful for so many calls its worth
fetching here */
state->domain_dn = ldb_get_default_basedn(state->sam_ldb);
if (!state->domain_dn) {
return NT_STATUS_NO_MEMORY;
}
/* work out the forest root_dn - useful for so many calls its worth
fetching here */
state->forest_dn = samdb_root_dn(state->sam_ldb);
if (!state->forest_dn) {
return NT_STATUS_NO_MEMORY;
}
ret = ldb_search(state->sam_ldb, mem_ctx, &dom_res,
state->domain_dn, LDB_SCOPE_BASE, dom_attrs, NULL);
if (ret != LDB_SUCCESS) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
if (dom_res->count != 1) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
state->domain_sid = samdb_result_dom_sid(state, dom_res->msgs[0], "objectSid");
if (!state->domain_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
state->domain_guid = samdb_result_guid(dom_res->msgs[0], "objectGUID");
state->mixed_domain = ldb_msg_find_attr_as_uint(dom_res->msgs[0], "nTMixedDomain", 0);
talloc_free(dom_res);
state->domain_name = lp_sam_name(dce_call->conn->dce_ctx->lp_ctx);
state->domain_dns = ldb_dn_canonical_string(state, state->domain_dn);
if (!state->domain_dns) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
p = strchr(state->domain_dns, '/');
if (p) {
*p = '\0';
}
state->forest_dns = ldb_dn_canonical_string(state, state->forest_dn);
if (!state->forest_dns) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
p = strchr(state->forest_dns, '/');
if (p) {
*p = '\0';
}
/* work out the builtin_dn - useful for so many calls its worth
fetching here */
state->builtin_dn = samdb_search_dn(state->sam_ldb, state, state->domain_dn, "(objectClass=builtinDomain)");
if (!state->builtin_dn) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
/* work out the system_dn - useful for so many calls its worth
fetching here */
state->system_dn = samdb_search_dn(state->sam_ldb, state,
state->domain_dn, "(&(objectClass=container)(cn=System))");
if (!state->system_dn) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
state->builtin_sid = dom_sid_parse_talloc(state, SID_BUILTIN);
if (!state->builtin_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
state->nt_authority_sid = dom_sid_parse_talloc(state, SID_NT_AUTHORITY);
if (!state->nt_authority_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
state->creator_owner_domain_sid = dom_sid_parse_talloc(state, SID_CREATOR_OWNER_DOMAIN);
if (!state->creator_owner_domain_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
state->world_domain_sid = dom_sid_parse_talloc(state, SID_WORLD_DOMAIN);
if (!state->world_domain_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
*_state = state;
return NT_STATUS_OK;
}
/*
drsuapi_DsGetDomainControllerInfo
*/
static WERROR dcesrv_drsuapi_DsGetDomainControllerInfo_1(struct drsuapi_bind_state *b_state,
TALLOC_CTX *mem_ctx,
struct drsuapi_DsGetDomainControllerInfo *r)
{
struct ldb_dn *sites_dn;
struct ldb_result *res;
const char *attrs_account_1[] = { "cn", "dnsHostName", NULL };
const char *attrs_account_2[] = { "cn", "dnsHostName", "objectGUID", NULL };
const char *attrs_none[] = { NULL };
const char *attrs_site[] = { "objectGUID", NULL };
const char *attrs_ntds[] = { "options", "objectGUID", NULL };
const char *attrs_1[] = { "serverReference", "cn", "dnsHostName", NULL };
const char *attrs_2[] = { "serverReference", "cn", "dnsHostName", "objectGUID", NULL };
const char **attrs;
struct drsuapi_DsGetDCInfoCtr1 *ctr1;
struct drsuapi_DsGetDCInfoCtr2 *ctr2;
int ret, i;
*r->out.level_out = r->in.req->req1.level;
r->out.ctr = talloc(mem_ctx, union drsuapi_DsGetDCInfoCtr);
W_ERROR_HAVE_NO_MEMORY(r->out.ctr);
sites_dn = samdb_sites_dn(b_state->sam_ctx, mem_ctx);
if (!sites_dn) {
return WERR_DS_OBJ_NOT_FOUND;
}
switch (*r->out.level_out) {
case -1:
/* this level is not like the others */
return WERR_UNKNOWN_LEVEL;
case 1:
attrs = attrs_1;
break;
case 2:
attrs = attrs_2;
break;
default:
return WERR_UNKNOWN_LEVEL;
}
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res, sites_dn, LDB_SCOPE_SUBTREE, attrs,
"objectClass=server");
if (ret) {
DEBUG(1, ("searching for servers in sites DN %s failed: %s\n",
ldb_dn_get_linearized(sites_dn), ldb_errstring(b_state->sam_ctx)));
return WERR_GENERAL_FAILURE;
}
switch (*r->out.level_out) {
case 1:
ctr1 = &r->out.ctr->ctr1;
ctr1->count = res->count;
ctr1->array = talloc_zero_array(mem_ctx,
struct drsuapi_DsGetDCInfo1,
res->count);
for (i=0; i < res->count; i++) {
struct ldb_dn *domain_dn;
struct ldb_result *res_domain;
struct ldb_result *res_account;
struct ldb_dn *ntds_dn = ldb_dn_copy(mem_ctx, res->msgs[i]->dn);
struct ldb_dn *ref_dn
= ldb_msg_find_attr_as_dn(b_state->sam_ctx,
mem_ctx, res->msgs[i],
"serverReference");
if (!ntds_dn || !ldb_dn_add_child_fmt(ntds_dn, "CN=NTDS Settings")) {
return WERR_NOMEM;
}
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_account, ref_dn,
LDB_SCOPE_BASE, attrs_account_1, "objectClass=computer");
if (ret == LDB_SUCCESS && res_account->count == 1) {
const char *errstr;
ctr1->array[i].dns_name
= ldb_msg_find_attr_as_string(res_account->msgs[0], "dNSHostName", NULL);
ctr1->array[i].netbios_name
= ldb_msg_find_attr_as_string(res_account->msgs[0], "cn", NULL);
ctr1->array[i].computer_dn
= ldb_dn_get_linearized(res_account->msgs[0]->dn);
/* Determine if this is the PDC */
ret = samdb_search_for_parent_domain(b_state->sam_ctx,
mem_ctx, res_account->msgs[0]->dn,
&domain_dn, &errstr);
if (ret == LDB_SUCCESS) {
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_domain, domain_dn,
LDB_SCOPE_BASE, attrs_none, "fSMORoleOwner=%s",
ldb_dn_get_linearized(ntds_dn));
if (ret) {
return WERR_GENERAL_FAILURE;
}
if (res_domain->count == 1) {
ctr1->array[i].is_pdc = true;
}
}
}
if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
DEBUG(5, ("warning: searching for computer DN %s failed: %s\n",
ldb_dn_get_linearized(ref_dn), ldb_errstring(b_state->sam_ctx)));
}
/* Look at server DN and extract site component */
ctr1->array[i].site_name = result_site_name(res->msgs[i]->dn);
ctr1->array[i].server_dn = ldb_dn_get_linearized(res->msgs[i]->dn);
ctr1->array[i].is_enabled = true;
}
break;
case 2:
ctr2 = &r->out.ctr->ctr2;
ctr2->count = res->count;
ctr2->array = talloc_zero_array(mem_ctx,
struct drsuapi_DsGetDCInfo2,
res->count);
for (i=0; i < res->count; i++) {
struct ldb_dn *domain_dn;
struct ldb_result *res_domain;
struct ldb_result *res_account;
struct ldb_dn *ntds_dn = ldb_dn_copy(mem_ctx, res->msgs[i]->dn);
struct ldb_result *res_ntds;
struct ldb_dn *site_dn = ldb_dn_copy(mem_ctx, res->msgs[i]->dn);
struct ldb_result *res_site;
struct ldb_dn *ref_dn
= ldb_msg_find_attr_as_dn(b_state->sam_ctx,
mem_ctx, res->msgs[i],
"serverReference");
if (!ntds_dn || !ldb_dn_add_child_fmt(ntds_dn, "CN=NTDS Settings")) {
return WERR_NOMEM;
}
/* Format is cn=<NETBIOS name>,cn=Servers,cn=<site>,cn=sites.... */
if (!site_dn || !ldb_dn_remove_child_components(site_dn, 2)) {
return WERR_NOMEM;
}
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_ntds, ntds_dn,
LDB_SCOPE_BASE, attrs_ntds, "objectClass=nTDSDSA");
if (ret == LDB_SUCCESS && res_ntds->count == 1) {
ctr2->array[i].is_gc
= (ldb_msg_find_attr_as_int(res_ntds->msgs[0], "options", 0) == 1);
ctr2->array[i].ntds_guid
= samdb_result_guid(res_ntds->msgs[0], "objectGUID");
ctr2->array[i].ntds_dn = ldb_dn_get_linearized(res_ntds->msgs[0]->dn);
}
if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
DEBUG(5, ("warning: searching for NTDS DN %s failed: %s\n",
ldb_dn_get_linearized(ntds_dn), ldb_errstring(b_state->sam_ctx)));
}
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_site, site_dn,
LDB_SCOPE_BASE, attrs_site, "objectClass=site");
if (ret == LDB_SUCCESS && res_site->count == 1) {
ctr2->array[i].site_guid
= samdb_result_guid(res_site->msgs[0], "objectGUID");
ctr2->array[i].site_dn = ldb_dn_get_linearized(res_site->msgs[0]->dn);
}
if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
DEBUG(5, ("warning: searching for site DN %s failed: %s\n",
ldb_dn_get_linearized(site_dn), ldb_errstring(b_state->sam_ctx)));
}
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_account, ref_dn,
LDB_SCOPE_BASE, attrs_account_2, "objectClass=computer");
if (ret == LDB_SUCCESS && res_account->count == 1) {
const char *errstr;
ctr2->array[i].dns_name
= ldb_msg_find_attr_as_string(res_account->msgs[0], "dNSHostName", NULL);
ctr2->array[i].netbios_name
= ldb_msg_find_attr_as_string(res_account->msgs[0], "cn", NULL);
ctr2->array[i].computer_dn = ldb_dn_get_linearized(res_account->msgs[0]->dn);
ctr2->array[i].computer_guid
= samdb_result_guid(res_account->msgs[0], "objectGUID");
/* Determine if this is the PDC */
ret = samdb_search_for_parent_domain(b_state->sam_ctx,
mem_ctx, res_account->msgs[0]->dn,
&domain_dn, &errstr);
if (ret == LDB_SUCCESS) {
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res_domain, domain_dn,
LDB_SCOPE_BASE, attrs_none, "fSMORoleOwner=%s",
ldb_dn_get_linearized(ntds_dn));
if (ret == LDB_SUCCESS && res_domain->count == 1) {
ctr2->array[i].is_pdc = true;
}
if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
DEBUG(5, ("warning: searching for domain DN %s failed: %s\n",
ldb_dn_get_linearized(domain_dn), ldb_errstring(b_state->sam_ctx)));
}
}
}
if ((ret != LDB_SUCCESS) && (ret != LDB_ERR_NO_SUCH_OBJECT)) {
DEBUG(5, ("warning: searching for computer account DN %s failed: %s\n",
ldb_dn_get_linearized(ref_dn), ldb_errstring(b_state->sam_ctx)));
}
/* Look at server DN and extract site component */
ctr2->array[i].site_name = result_site_name(res->msgs[i]->dn);
ctr2->array[i].server_dn = ldb_dn_get_linearized(res->msgs[i]->dn);
ctr2->array[i].server_guid
= samdb_result_guid(res->msgs[i], "objectGUID");
ctr2->array[i].is_enabled = true;
}
break;
}
return WERR_OK;
}
/*
drsuapi_DsBind
*/
static WERROR dcesrv_drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsBind *r)
{
struct drsuapi_bind_state *b_state;
struct dcesrv_handle *handle;
struct drsuapi_DsBindInfoCtr *bind_info;
struct GUID site_guid;
struct ldb_result *site_res;
struct ldb_dn *server_site_dn;
static const char *site_attrs[] = { "objectGUID", NULL };
struct ldb_result *ntds_res;
struct ldb_dn *ntds_dn;
static const char *ntds_attrs[] = { "ms-DS-ReplicationEpoch", NULL };
uint32_t pid;
uint32_t repl_epoch;
int ret;
struct auth_session_info *auth_info;
WERROR werr;
r->out.bind_info = NULL;
ZERO_STRUCTP(r->out.bind_handle);
b_state = talloc_zero(mem_ctx, struct drsuapi_bind_state);
W_ERROR_HAVE_NO_MEMORY(b_state);
/* if this is a DC connecting, give them system level access */
werr = drs_security_level_check(dce_call, NULL);
if (W_ERROR_IS_OK(werr)) {
DEBUG(3,(__location__ ": doing DsBind with system_session\n"));
auth_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
} else {
auth_info = dce_call->conn->auth_state.session_info;
}
/*
* connect to the samdb
*/
b_state->sam_ctx = samdb_connect(b_state, dce_call->event_ctx,
dce_call->conn->dce_ctx->lp_ctx, auth_info);
if (!b_state->sam_ctx) {
return WERR_FOOBAR;
}
/*
* find out the guid of our own site
*/
server_site_dn = samdb_server_site_dn(b_state->sam_ctx, mem_ctx);
W_ERROR_HAVE_NO_MEMORY(server_site_dn);
ret = ldb_search(b_state->sam_ctx, mem_ctx, &site_res,
server_site_dn, LDB_SCOPE_BASE, site_attrs,
"(objectClass=*)");
if (ret != LDB_SUCCESS) {
return WERR_DS_DRA_INTERNAL_ERROR;
}
if (site_res->count != 1) {
return WERR_DS_DRA_INTERNAL_ERROR;
}
site_guid = samdb_result_guid(site_res->msgs[0], "objectGUID");
/*
* lookup the local servers Replication Epoch
*/
ntds_dn = samdb_ntds_settings_dn(b_state->sam_ctx);
W_ERROR_HAVE_NO_MEMORY(ntds_dn);
ret = ldb_search(b_state->sam_ctx, mem_ctx, &ntds_res,
ntds_dn, LDB_SCOPE_BASE, ntds_attrs,
"(objectClass=*)");
if (ret != LDB_SUCCESS) {
return WERR_DS_DRA_INTERNAL_ERROR;
}
if (ntds_res->count != 1) {
return WERR_DS_DRA_INTERNAL_ERROR;
}
repl_epoch = samdb_result_uint(ntds_res->msgs[0], "ms-DS-ReplicationEpoch", 0);
/*
* The "process identifier" of the client.
* According to the WSPP docs, sectin 5.35, this is
* for informational and debugging purposes only.
* The assignment is implementation specific.
*/
pid = 0;
/*
* store the clients bind_guid
*/
if (r->in.bind_guid) {
b_state->remote_bind_guid = *r->in.bind_guid;
}
/*
* store the clients bind_info
*/
if (r->in.bind_info) {
switch (r->in.bind_info->length) {
case 24: {
struct drsuapi_DsBindInfo24 *info24;
info24 = &r->in.bind_info->info.info24;
b_state->remote_info28.supported_extensions = info24->supported_extensions;
b_state->remote_info28.site_guid = info24->site_guid;
b_state->remote_info28.pid = info24->pid;
b_state->remote_info28.repl_epoch = 0;
break;
}
case 28:
b_state->remote_info28 = r->in.bind_info->info.info28;
break;
}
}
/*
* fill in our local bind info 28
*/
b_state->local_info28.supported_extensions = 0;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_BASE;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2;
#if 0 /* we don't support MSZIP compression (only decompression) */
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS;
#endif
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_00100000;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7;
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT;
#if 0 /* we don't support XPRESS compression yet */
b_state->local_info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS;
#endif
b_state->local_info28.site_guid = site_guid;
b_state->local_info28.pid = pid;
b_state->local_info28.repl_epoch = repl_epoch;
/*
* allocate the return bind_info
*/
bind_info = talloc(mem_ctx, struct drsuapi_DsBindInfoCtr);
W_ERROR_HAVE_NO_MEMORY(bind_info);
bind_info->length = 28;
bind_info->info.info28 = b_state->local_info28;
/*
* allocate a bind handle
*/
handle = dcesrv_handle_new(dce_call->context, DRSUAPI_BIND_HANDLE);
W_ERROR_HAVE_NO_MEMORY(handle);
handle->data = talloc_steal(handle, b_state);
/*
* prepare reply
*/
r->out.bind_info = bind_info;
*r->out.bind_handle = handle->wire_handle;
return WERR_OK;
}
/*
fill in the cldap netlogon union for a given version
*/
NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
TALLOC_CTX *mem_ctx,
const char *domain,
const char *netbios_domain,
struct dom_sid *domain_sid,
const char *domain_guid,
const char *user,
uint32_t acct_control,
const char *src_address,
uint32_t version,
struct loadparm_context *lp_ctx,
struct netlogon_samlogon_response *netlogon,
bool fill_on_blank_request)
{
const char *dom_attrs[] = {"objectGUID", NULL};
const char *none_attrs[] = {NULL};
struct ldb_result *dom_res = NULL, *user_res = NULL;
int ret;
const char **services = lpcfg_server_services(lp_ctx);
uint32_t server_type;
const char *pdc_name;
struct GUID domain_uuid;
const char *dns_domain;
const char *forest_domain;
const char *pdc_dns_name;
const char *flatname;
const char *server_site;
const char *client_site;
const char *pdc_ip;
struct ldb_dn *domain_dn = NULL;
struct interface *ifaces;
bool user_known, am_rodc;
NTSTATUS status;
/* the domain parameter could have an optional trailing "." */
if (domain && domain[strlen(domain)-1] == '.') {
domain = talloc_strndup(mem_ctx, domain, strlen(domain)-1);
NT_STATUS_HAVE_NO_MEMORY(domain);
}
/* Lookup using long or short domainname */
if (domain && (strcasecmp_m(domain, lpcfg_dnsdomain(lp_ctx)) == 0)) {
domain_dn = ldb_get_default_basedn(sam_ctx);
}
if (netbios_domain && (strcasecmp_m(netbios_domain, lpcfg_sam_name(lp_ctx)) == 0)) {
domain_dn = ldb_get_default_basedn(sam_ctx);
}
if (domain_dn) {
const char *domain_identifier = domain != NULL ? domain
: netbios_domain;
ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
domain_dn, LDB_SCOPE_BASE, dom_attrs,
"objectClass=domain");
if (ret != LDB_SUCCESS) {
DEBUG(2,("Error finding domain '%s'/'%s' in sam: %s\n",
domain_identifier,
ldb_dn_get_linearized(domain_dn),
ldb_errstring(sam_ctx)));
return NT_STATUS_NO_SUCH_DOMAIN;
}
if (dom_res->count != 1) {
DEBUG(2,("Error finding domain '%s'/'%s' in sam\n",
domain_identifier,
ldb_dn_get_linearized(domain_dn)));
return NT_STATUS_NO_SUCH_DOMAIN;
}
}
/* Lookup using GUID or SID */
if ((dom_res == NULL) && (domain_guid || domain_sid)) {
if (domain_guid) {
struct GUID binary_guid;
struct ldb_val guid_val;
/* By this means, we ensure we don't have funny stuff in the GUID */
status = GUID_from_string(domain_guid, &binary_guid);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* And this gets the result into the binary format we want anyway */
status = GUID_to_ndr_blob(&binary_guid, mem_ctx, &guid_val);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
NULL, LDB_SCOPE_SUBTREE,
dom_attrs,
"(&(objectCategory=DomainDNS)(objectGUID=%s))",
ldb_binary_encode(mem_ctx, guid_val));
} else { /* domain_sid case */
ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
NULL, LDB_SCOPE_SUBTREE,
dom_attrs,
"(&(objectCategory=DomainDNS)(objectSid=%s))",
dom_sid_string(mem_ctx, domain_sid));
}
if (ret != LDB_SUCCESS) {
DEBUG(2,("Unable to find a correct reference to GUID '%s' or SID '%s' in sam: %s\n",
domain_guid, dom_sid_string(mem_ctx, domain_sid),
ldb_errstring(sam_ctx)));
return NT_STATUS_NO_SUCH_DOMAIN;
} else if (dom_res->count == 1) {
/* Ok, now just check it is our domain */
if (ldb_dn_compare(ldb_get_default_basedn(sam_ctx),
dom_res->msgs[0]->dn) != 0) {
DEBUG(2,("The GUID '%s' or SID '%s' doesn't identify our domain\n",
domain_guid,
dom_sid_string(mem_ctx, domain_sid)));
return NT_STATUS_NO_SUCH_DOMAIN;
}
} else {
DEBUG(2,("Unable to find a correct reference to GUID '%s' or SID '%s' in sam\n",
domain_guid, dom_sid_string(mem_ctx, domain_sid)));
return NT_STATUS_NO_SUCH_DOMAIN;
}
}
if (dom_res == NULL && fill_on_blank_request) {
/* blank inputs gives our domain - tested against
w2k8r2. Without this ADUC on Win7 won't start */
domain_dn = ldb_get_default_basedn(sam_ctx);
ret = ldb_search(sam_ctx, mem_ctx, &dom_res,
domain_dn, LDB_SCOPE_BASE, dom_attrs,
"objectClass=domain");
if (ret != LDB_SUCCESS) {
DEBUG(2,("Error finding domain '%s'/'%s' in sam: %s\n",
lpcfg_dnsdomain(lp_ctx),
ldb_dn_get_linearized(domain_dn),
ldb_errstring(sam_ctx)));
return NT_STATUS_NO_SUCH_DOMAIN;
}
}
if (dom_res == NULL) {
DEBUG(2,(__location__ ": Unable to get domain information with no inputs\n"));
return NT_STATUS_NO_SUCH_DOMAIN;
}
/* work around different inputs for not-specified users */
if (!user) {
user = "";
}
/* Enquire about any valid username with just a CLDAP packet -
* if kerberos didn't also do this, the security folks would
* scream... */
if (user[0]) { \
/* Only allow some bits to be enquired: [MS-ATDS] 7.3.3.2 */
if (acct_control == (uint32_t)-1) {
acct_control = 0;
}
acct_control = acct_control & (ACB_TEMPDUP | ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST);
/* We must exclude disabled accounts, but otherwise do the bitwise match the client asked for */
ret = ldb_search(sam_ctx, mem_ctx, &user_res,
dom_res->msgs[0]->dn, LDB_SCOPE_SUBTREE,
none_attrs,
"(&(objectClass=user)(samAccountName=%s)"
"(!(userAccountControl:" LDB_OID_COMPARATOR_AND ":=%u))"
"(userAccountControl:" LDB_OID_COMPARATOR_OR ":=%u))",
ldb_binary_encode_string(mem_ctx, user),
UF_ACCOUNTDISABLE, ds_acb2uf(acct_control));
if (ret != LDB_SUCCESS) {
DEBUG(2,("Unable to find reference to user '%s' with ACB 0x%8x under %s: %s\n",
user, acct_control, ldb_dn_get_linearized(dom_res->msgs[0]->dn),
ldb_errstring(sam_ctx)));
return NT_STATUS_NO_SUCH_USER;
} else if (user_res->count == 1) {
user_known = true;
} else {
user_known = false;
}
} else {
user_known = true;
}
server_type =
DS_SERVER_DS | DS_SERVER_TIMESERV |
DS_SERVER_GOOD_TIMESERV;
if (samdb_is_pdc(sam_ctx)) {
server_type |= DS_SERVER_PDC;
}
if (dsdb_functional_level(sam_ctx) >= DS_DOMAIN_FUNCTION_2008) {
server_type |= DS_SERVER_FULL_SECRET_DOMAIN_6;
}
if (samdb_is_gc(sam_ctx)) {
server_type |= DS_SERVER_GC;
}
if (str_list_check(services, "ldap")) {
server_type |= DS_SERVER_LDAP;
}
if (str_list_check(services, "kdc")) {
server_type |= DS_SERVER_KDC;
}
if (samdb_rodc(sam_ctx, &am_rodc) == LDB_SUCCESS && !am_rodc) {
server_type |= DS_SERVER_WRITABLE;
}
pdc_name = talloc_asprintf(mem_ctx, "\\\\%s",
lpcfg_netbios_name(lp_ctx));
NT_STATUS_HAVE_NO_MEMORY(pdc_name);
domain_uuid = samdb_result_guid(dom_res->msgs[0], "objectGUID");
dns_domain = lpcfg_dnsdomain(lp_ctx);
forest_domain = samdb_forest_name(sam_ctx, mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(forest_domain);
pdc_dns_name = talloc_asprintf(mem_ctx, "%s.%s",
strlower_talloc(mem_ctx,
lpcfg_netbios_name(lp_ctx)),
dns_domain);
NT_STATUS_HAVE_NO_MEMORY(pdc_dns_name);
flatname = lpcfg_workgroup(lp_ctx);
server_site = samdb_server_site_name(sam_ctx, mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(server_site);
client_site = samdb_client_site_name(sam_ctx, mem_ctx,
src_address, NULL);
NT_STATUS_HAVE_NO_MEMORY(client_site);
if (strcasecmp(server_site, client_site) == 0) {
server_type |= DS_SERVER_CLOSEST;
}
load_interface_list(mem_ctx, lp_ctx, &ifaces);
if (src_address) {
pdc_ip = iface_list_best_ip(ifaces, src_address);
} else {
pdc_ip = iface_list_first_v4(ifaces);
}
if (pdc_ip == NULL || !is_ipaddress_v4(pdc_ip)) {
/* this matches windows behaviour */
pdc_ip = "127.0.0.1";
}
ZERO_STRUCTP(netlogon);
/* check if either of these bits is present */
if (version & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP)) {
uint32_t extra_flags = 0;
netlogon->ntver = NETLOGON_NT_VERSION_5EX;
/* could check if the user exists */
if (user_known) {
netlogon->data.nt5_ex.command = LOGON_SAM_LOGON_RESPONSE_EX;
} else {
netlogon->data.nt5_ex.command = LOGON_SAM_LOGON_USER_UNKNOWN_EX;
}
netlogon->data.nt5_ex.pdc_name = pdc_name;
netlogon->data.nt5_ex.user_name = user;
netlogon->data.nt5_ex.domain_name = flatname;
netlogon->data.nt5_ex.domain_uuid = domain_uuid;
netlogon->data.nt5_ex.forest = forest_domain;
netlogon->data.nt5_ex.dns_domain = dns_domain;
netlogon->data.nt5_ex.pdc_dns_name = pdc_dns_name;
netlogon->data.nt5_ex.server_site = server_site;
netlogon->data.nt5_ex.client_site = client_site;
if (version & NETLOGON_NT_VERSION_5EX_WITH_IP) {
/* note that this is always a IPV4 address */
extra_flags = NETLOGON_NT_VERSION_5EX_WITH_IP;
netlogon->data.nt5_ex.sockaddr.sockaddr_family = 2;
netlogon->data.nt5_ex.sockaddr.pdc_ip = pdc_ip;
netlogon->data.nt5_ex.sockaddr.remaining = data_blob_talloc_zero(mem_ctx, 8);
}
netlogon->data.nt5_ex.server_type = server_type;
netlogon->data.nt5_ex.nt_version = NETLOGON_NT_VERSION_1|NETLOGON_NT_VERSION_5EX|extra_flags;
netlogon->data.nt5_ex.lmnt_token = 0xFFFF;
netlogon->data.nt5_ex.lm20_token = 0xFFFF;
} else if (version & NETLOGON_NT_VERSION_5) {
netlogon->ntver = NETLOGON_NT_VERSION_5;
/* could check if the user exists */
if (user_known) {
netlogon->data.nt5.command = LOGON_SAM_LOGON_RESPONSE;
} else {
netlogon->data.nt5.command = LOGON_SAM_LOGON_USER_UNKNOWN;
}
netlogon->data.nt5.pdc_name = pdc_name;
netlogon->data.nt5.user_name = user;
netlogon->data.nt5.domain_name = flatname;
netlogon->data.nt5.domain_uuid = domain_uuid;
netlogon->data.nt5.forest = forest_domain;
netlogon->data.nt5.dns_domain = dns_domain;
netlogon->data.nt5.pdc_dns_name = pdc_dns_name;
netlogon->data.nt5.pdc_ip = pdc_ip;
netlogon->data.nt5.server_type = server_type;
netlogon->data.nt5.nt_version = NETLOGON_NT_VERSION_1|NETLOGON_NT_VERSION_5;
netlogon->data.nt5.lmnt_token = 0xFFFF;
netlogon->data.nt5.lm20_token = 0xFFFF;
} else /* (version & NETLOGON_NT_VERSION_1) and all other cases */ {
netlogon->ntver = NETLOGON_NT_VERSION_1;
/* could check if the user exists */
if (user_known) {
netlogon->data.nt4.command = LOGON_SAM_LOGON_RESPONSE;
} else {
netlogon->data.nt4.command = LOGON_SAM_LOGON_USER_UNKNOWN;
}
netlogon->data.nt4.pdc_name = pdc_name;
netlogon->data.nt4.user_name = user;
netlogon->data.nt4.domain_name = flatname;
netlogon->data.nt4.nt_version = NETLOGON_NT_VERSION_1;
netlogon->data.nt4.lmnt_token = 0xFFFF;
netlogon->data.nt4.lm20_token = 0xFFFF;
}
return NT_STATUS_OK;
}
/*
fill in the cldap netlogon union for a given version
*/
static NTSTATUS cldapd_netlogon_fill(struct cldapd_server *cldapd,
TALLOC_CTX *mem_ctx,
const char *domain,
const char *domain_guid,
const char *user,
const char *src_address,
uint32_t version,
union nbt_cldap_netlogon *netlogon)
{
const char *ref_attrs[] = {"nETBIOSName", "dnsRoot", "ncName", NULL};
const char *dom_attrs[] = {"objectGUID", NULL};
struct ldb_message **ref_res, **dom_res;
int ret, count = 0;
const char **services = lp_server_services();
uint32_t server_type;
const char *pdc_name;
struct GUID domain_uuid;
const char *realm;
const char *dns_domain;
const char *pdc_dns_name;
const char *flatname;
const char *server_site;
const char *client_site;
const char *pdc_ip;
struct ldb_dn *partitions_basedn;
partitions_basedn = samdb_partitions_dn(cldapd->samctx, mem_ctx);
/* the domain has an optional trailing . */
if (domain && domain[strlen(domain)-1] == '.') {
domain = talloc_strndup(mem_ctx, domain, strlen(domain)-1);
}
if (domain) {
struct ldb_result *dom_ldb_result;
struct ldb_dn *dom_dn;
/* try and find the domain */
count = gendb_search(cldapd->samctx, mem_ctx, partitions_basedn, &ref_res, ref_attrs,
"(&(&(objectClass=crossRef)(dnsRoot=%s))(nETBIOSName=*))",
domain);
if (count == 1) {
dom_dn = samdb_result_dn(cldapd->samctx, mem_ctx, ref_res[0], "ncName", NULL);
if (!dom_dn) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
ret = ldb_search(cldapd->samctx, dom_dn,
LDB_SCOPE_BASE, "objectClass=domain",
dom_attrs, &dom_ldb_result);
if (ret != LDB_SUCCESS) {
DEBUG(2,("Error finding domain '%s'/'%s' in sam: %s\n", domain, ldb_dn_get_linearized(dom_dn), ldb_errstring(cldapd->samctx)));
return NT_STATUS_NO_SUCH_DOMAIN;
}
talloc_steal(mem_ctx, dom_ldb_result);
if (dom_ldb_result->count != 1) {
DEBUG(2,("Error finding domain '%s'/'%s' in sam\n", domain, ldb_dn_get_linearized(dom_dn)));
return NT_STATUS_NO_SUCH_DOMAIN;
}
dom_res = dom_ldb_result->msgs;
}
}
if (count == 0 && domain_guid) {
/* OK, so no dice with the name, try and find the domain with the GUID */
count = gendb_search(cldapd->samctx, mem_ctx, NULL, &dom_res, dom_attrs,
"(&(objectClass=domainDNS)(objectGUID=%s))",
domain_guid);
if (count == 1) {
/* try and find the domain */
ret = gendb_search(cldapd->samctx, mem_ctx, partitions_basedn, &ref_res, ref_attrs,
"(&(objectClass=crossRef)(ncName=%s))",
ldb_dn_get_linearized(dom_res[0]->dn));
if (ret != 1) {
DEBUG(2,("Unable to find referece to '%s' in sam\n",
ldb_dn_get_linearized(dom_res[0]->dn)));
return NT_STATUS_NO_SUCH_DOMAIN;
}
}
}
if (count == 0) {
DEBUG(2,("Unable to find domain with name %s or GUID {%s}\n", domain, domain_guid));
return NT_STATUS_NO_SUCH_DOMAIN;
}
server_type =
NBT_SERVER_PDC | NBT_SERVER_GC |
NBT_SERVER_DS | NBT_SERVER_TIMESERV |
NBT_SERVER_CLOSEST | NBT_SERVER_WRITABLE |
NBT_SERVER_GOOD_TIMESERV;
if (str_list_check(services, "ldap")) {
server_type |= NBT_SERVER_LDAP;
}
if (str_list_check(services, "kdc")) {
server_type |= NBT_SERVER_KDC;
}
pdc_name = talloc_asprintf(mem_ctx, "\\\\%s", lp_netbios_name());
domain_uuid = samdb_result_guid(dom_res[0], "objectGUID");
realm = samdb_result_string(ref_res[0], "dnsRoot", lp_realm());
dns_domain = samdb_result_string(ref_res[0], "dnsRoot", lp_realm());
pdc_dns_name = talloc_asprintf(mem_ctx, "%s.%s",
strlower_talloc(mem_ctx, lp_netbios_name()),
dns_domain);
flatname = samdb_result_string(ref_res[0], "nETBIOSName", lp_workgroup());
server_site = "Default-First-Site-Name";
client_site = "Default-First-Site-Name";
pdc_ip = iface_best_ip(src_address);
ZERO_STRUCTP(netlogon);
switch (version & 0xF) {
case 0:
case 1:
netlogon->logon1.type = (user?19+2:19);
netlogon->logon1.pdc_name = pdc_name;
netlogon->logon1.user_name = user;
netlogon->logon1.domain_name = flatname;
netlogon->logon1.nt_version = 1;
netlogon->logon1.lmnt_token = 0xFFFF;
netlogon->logon1.lm20_token = 0xFFFF;
break;
case 2:
case 3:
netlogon->logon3.type = (user?19+2:19);
netlogon->logon3.pdc_name = pdc_name;
netlogon->logon3.user_name = user;
netlogon->logon3.domain_name = flatname;
netlogon->logon3.domain_uuid = domain_uuid;
netlogon->logon3.forest = realm;
netlogon->logon3.dns_domain = dns_domain;
netlogon->logon3.pdc_dns_name = pdc_dns_name;
netlogon->logon3.pdc_ip = pdc_ip;
netlogon->logon3.server_type = server_type;
netlogon->logon3.lmnt_token = 0xFFFF;
netlogon->logon3.lm20_token = 0xFFFF;
break;
case 4:
case 5:
case 6:
case 7:
netlogon->logon5.type = (user?23+2:23);
netlogon->logon5.server_type = server_type;
netlogon->logon5.domain_uuid = domain_uuid;
netlogon->logon5.forest = realm;
netlogon->logon5.dns_domain = dns_domain;
netlogon->logon5.pdc_dns_name = pdc_dns_name;
netlogon->logon5.domain = flatname;
netlogon->logon5.pdc_name = lp_netbios_name();
netlogon->logon5.user_name = user;
netlogon->logon5.server_site = server_site;
netlogon->logon5.client_site = client_site;
netlogon->logon5.lmnt_token = 0xFFFF;
netlogon->logon5.lm20_token = 0xFFFF;
break;
default:
netlogon->logon13.type = (user?23+2:23);
netlogon->logon13.server_type = server_type;
netlogon->logon13.domain_uuid = domain_uuid;
netlogon->logon13.forest = realm;
netlogon->logon13.dns_domain = dns_domain;
netlogon->logon13.pdc_dns_name = pdc_dns_name;
netlogon->logon13.domain = flatname;
netlogon->logon13.pdc_name = lp_netbios_name();
netlogon->logon13.user_name = user;
netlogon->logon13.server_site = server_site;
netlogon->logon13.client_site = client_site;
netlogon->logon13.unknown = 10;
netlogon->logon13.unknown2 = 2;
netlogon->logon13.pdc_ip = pdc_ip;
netlogon->logon13.lmnt_token = 0xFFFF;
netlogon->logon13.lm20_token = 0xFFFF;
break;
}
return NT_STATUS_OK;
}
/*
* complete a domain join, when joining to a AD domain:
* 1.) connect and bind to the DRSUAPI pipe
* 2.) do a DsCrackNames() to find the machine account dn
* 3.) connect to LDAP
* 4.) do an ldap search to find the "msDS-KeyVersionNumber" of the machine account
* 5.) set the servicePrincipalName's of the machine account via LDAP, (maybe we should use DsWriteAccountSpn()...)
* 6.) do a DsCrackNames() to find the domain dn
* 7.) find out Site specific stuff, look at libnet_JoinSite() for details
*/
static NTSTATUS libnet_JoinADSDomain(struct libnet_context *ctx, struct libnet_JoinDomain *r)
{
NTSTATUS status;
TALLOC_CTX *tmp_ctx;
const char *realm = r->out.realm;
struct dcerpc_binding *samr_binding = r->out.samr_binding;
struct dcerpc_pipe *drsuapi_pipe;
struct dcerpc_binding *drsuapi_binding;
struct drsuapi_DsBind r_drsuapi_bind;
struct drsuapi_DsCrackNames r_crack_names;
struct drsuapi_DsNameString names[1];
struct policy_handle drsuapi_bind_handle;
struct GUID drsuapi_bind_guid;
struct ldb_context *remote_ldb;
struct ldb_dn *account_dn;
const char *account_dn_str;
const char *remote_ldb_url;
struct ldb_result *res;
struct ldb_message *msg;
int ret, rtn;
const char * const attrs[] = {
"msDS-KeyVersionNumber",
"servicePrincipalName",
"dNSHostName",
"objectGUID",
NULL,
};
r->out.error_string = NULL;
/* We need to convert between a samAccountName and domain to a
* DN in the directory. The correct way to do this is with
* DRSUAPI CrackNames */
/* Fiddle with the bindings, so get to DRSUAPI on
* NCACN_IP_TCP, sealed */
tmp_ctx = talloc_named(r, 0, "libnet_JoinADSDomain temp context");
if (!tmp_ctx) {
r->out.error_string = NULL;
return NT_STATUS_NO_MEMORY;
}
drsuapi_binding = talloc_zero(tmp_ctx, struct dcerpc_binding);
if (!drsuapi_binding) {
r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
*drsuapi_binding = *samr_binding;
/* DRSUAPI is only available on IP_TCP, and locally on NCALRPC */
if (drsuapi_binding->transport != NCALRPC) {
drsuapi_binding->transport = NCACN_IP_TCP;
}
drsuapi_binding->endpoint = NULL;
drsuapi_binding->flags |= DCERPC_SEAL;
status = dcerpc_pipe_connect_b(tmp_ctx,
&drsuapi_pipe,
drsuapi_binding,
&ndr_table_drsuapi,
ctx->cred,
ctx->event_ctx,
ctx->lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
r->out.error_string = talloc_asprintf(r,
"Connection to DRSUAPI pipe of PDC of domain '%s' failed: %s",
r->out.domain_name,
nt_errstr(status));
talloc_free(tmp_ctx);
return status;
}
/* get a DRSUAPI pipe handle */
GUID_from_string(DRSUAPI_DS_BIND_GUID, &drsuapi_bind_guid);
r_drsuapi_bind.in.bind_guid = &drsuapi_bind_guid;
r_drsuapi_bind.in.bind_info = NULL;
r_drsuapi_bind.out.bind_handle = &drsuapi_bind_handle;
status = dcerpc_drsuapi_DsBind_r(drsuapi_pipe->binding_handle, tmp_ctx, &r_drsuapi_bind);
if (!NT_STATUS_IS_OK(status)) {
r->out.error_string
= talloc_asprintf(r,
"dcerpc_drsuapi_DsBind failed - %s",
nt_errstr(status));
talloc_free(tmp_ctx);
return status;
} else if (!W_ERROR_IS_OK(r_drsuapi_bind.out.result)) {
r->out.error_string
= talloc_asprintf(r,
"DsBind failed - %s",
win_errstr(r_drsuapi_bind.out.result));
talloc_free(tmp_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
/* Actually 'crack' the names */
ZERO_STRUCT(r_crack_names);
r_crack_names.in.bind_handle = &drsuapi_bind_handle;
r_crack_names.in.level = 1;
r_crack_names.in.req = talloc(r, union drsuapi_DsNameRequest);
if (!r_crack_names.in.req) {
r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
r_crack_names.in.req->req1.codepage = 1252; /* western european */
r_crack_names.in.req->req1.language = 0x00000407; /* german */
r_crack_names.in.req->req1.count = 1;
r_crack_names.in.req->req1.names = names;
r_crack_names.in.req->req1.format_flags = DRSUAPI_DS_NAME_FLAG_NO_FLAGS;
r_crack_names.in.req->req1.format_offered = DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY;
r_crack_names.in.req->req1.format_desired = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
names[0].str = dom_sid_string(tmp_ctx, r->out.account_sid);
if (!names[0].str) {
r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
r_crack_names.out.ctr = talloc(r, union drsuapi_DsNameCtr);
r_crack_names.out.level_out = talloc(r, uint32_t);
if (!r_crack_names.out.ctr || !r_crack_names.out.level_out) {
r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
status = dcerpc_drsuapi_DsCrackNames_r(drsuapi_pipe->binding_handle, tmp_ctx, &r_crack_names);
if (!NT_STATUS_IS_OK(status)) {
r->out.error_string
= talloc_asprintf(r,
"dcerpc_drsuapi_DsCrackNames for [%s] failed - %s",
names[0].str,
nt_errstr(status));
talloc_free(tmp_ctx);
return status;
} else if (!W_ERROR_IS_OK(r_crack_names.out.result)) {
r->out.error_string
= talloc_asprintf(r,
"DsCrackNames failed - %s", win_errstr(r_crack_names.out.result));
talloc_free(tmp_ctx);
return NT_STATUS_UNSUCCESSFUL;
} else if (*r_crack_names.out.level_out != 1
|| !r_crack_names.out.ctr->ctr1
|| r_crack_names.out.ctr->ctr1->count != 1) {
r->out.error_string = talloc_asprintf(r, "DsCrackNames failed");
talloc_free(tmp_ctx);
return NT_STATUS_INVALID_PARAMETER;
} else if (r_crack_names.out.ctr->ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_OK) {
r->out.error_string = talloc_asprintf(r, "DsCrackNames failed: %d", r_crack_names.out.ctr->ctr1->array[0].status);
talloc_free(tmp_ctx);
return NT_STATUS_UNSUCCESSFUL;
} else if (r_crack_names.out.ctr->ctr1->array[0].result_name == NULL) {
r->out.error_string = talloc_asprintf(r, "DsCrackNames failed: no result name");
talloc_free(tmp_ctx);
return NT_STATUS_INVALID_PARAMETER;
}
/* Store the DN of our machine account. */
account_dn_str = r_crack_names.out.ctr->ctr1->array[0].result_name;
/* Now we know the user's DN, open with LDAP, read and modify a few things */
remote_ldb_url = talloc_asprintf(tmp_ctx, "ldap://%s",
drsuapi_binding->target_hostname);
if (!remote_ldb_url) {
r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
remote_ldb = ldb_wrap_connect(tmp_ctx, ctx->event_ctx, ctx->lp_ctx,
remote_ldb_url,
NULL, ctx->cred, 0);
if (!remote_ldb) {
r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
account_dn = ldb_dn_new(tmp_ctx, remote_ldb, account_dn_str);
if (account_dn == NULL) {
r->out.error_string = talloc_asprintf(r, "Invalid account dn: %s",
account_dn_str);
talloc_free(tmp_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
/* search for the user's record */
ret = ldb_search(remote_ldb, tmp_ctx, &res,
account_dn, LDB_SCOPE_BASE, attrs, NULL);
if (ret != LDB_SUCCESS) {
r->out.error_string = talloc_asprintf(r, "ldb_search for %s failed - %s",
account_dn_str, ldb_errstring(remote_ldb));
talloc_free(tmp_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
if (res->count != 1) {
r->out.error_string = talloc_asprintf(r, "ldb_search for %s failed - found %d entries",
account_dn_str, res->count);
talloc_free(tmp_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
/* Prepare a new message, for the modify */
msg = ldb_msg_new(tmp_ctx);
if (!msg) {
r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
msg->dn = res->msgs[0]->dn;
{
unsigned int i;
const char *service_principal_name[2];
const char *dns_host_name = strlower_talloc(msg,
talloc_asprintf(msg,
"%s.%s",
r->in.netbios_name,
realm));
if (!dns_host_name) {
r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
service_principal_name[0] = talloc_asprintf(msg, "HOST/%s",
dns_host_name);
service_principal_name[1] = talloc_asprintf(msg, "HOST/%s",
r->in.netbios_name);
for (i=0; i < ARRAY_SIZE(service_principal_name); i++) {
if (!service_principal_name[i]) {
r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
rtn = ldb_msg_add_string(msg, "servicePrincipalName",
service_principal_name[i]);
if (rtn != LDB_SUCCESS) {
r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
}
rtn = ldb_msg_add_string(msg, "dNSHostName", dns_host_name);
if (rtn != LDB_SUCCESS) {
r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
rtn = dsdb_replace(remote_ldb, msg, 0);
if (rtn != LDB_SUCCESS) {
r->out.error_string
= talloc_asprintf(r,
"Failed to replace entries on %s",
ldb_dn_get_linearized(msg->dn));
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
}
msg = ldb_msg_new(tmp_ctx);
if (!msg) {
r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
msg->dn = res->msgs[0]->dn;
rtn = samdb_msg_add_uint(remote_ldb, msg, msg,
"msDS-SupportedEncryptionTypes", ENC_ALL_TYPES);
if (rtn != LDB_SUCCESS) {
r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
rtn = dsdb_replace(remote_ldb, msg, 0);
/* The remote server may not support this attribute, if it
* isn't a modern schema */
if (rtn != LDB_SUCCESS && rtn != LDB_ERR_NO_SUCH_ATTRIBUTE) {
r->out.error_string
= talloc_asprintf(r,
"Failed to replace msDS-SupportedEncryptionTypes on %s",
ldb_dn_get_linearized(msg->dn));
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
/* DsCrackNames to find out the DN of the domain. */
r_crack_names.in.req->req1.format_offered = DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT;
r_crack_names.in.req->req1.format_desired = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
names[0].str = talloc_asprintf(tmp_ctx, "%s\\", r->out.domain_name);
if (!names[0].str) {
r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
status = dcerpc_drsuapi_DsCrackNames_r(drsuapi_pipe->binding_handle, tmp_ctx, &r_crack_names);
if (!NT_STATUS_IS_OK(status)) {
r->out.error_string
= talloc_asprintf(r,
"dcerpc_drsuapi_DsCrackNames for [%s] failed - %s",
r->in.domain_name,
nt_errstr(status));
talloc_free(tmp_ctx);
return status;
} else if (!W_ERROR_IS_OK(r_crack_names.out.result)) {
r->out.error_string
= talloc_asprintf(r,
"DsCrackNames failed - %s", win_errstr(r_crack_names.out.result));
talloc_free(tmp_ctx);
return NT_STATUS_UNSUCCESSFUL;
} else if (*r_crack_names.out.level_out != 1
|| !r_crack_names.out.ctr->ctr1
|| r_crack_names.out.ctr->ctr1->count != 1
|| !r_crack_names.out.ctr->ctr1->array[0].result_name
|| r_crack_names.out.ctr->ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_OK) {
r->out.error_string = talloc_asprintf(r, "DsCrackNames failed");
talloc_free(tmp_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
/* Store the account DN. */
r->out.account_dn_str = account_dn_str;
talloc_steal(r, account_dn_str);
/* Store the domain DN. */
r->out.domain_dn_str = r_crack_names.out.ctr->ctr1->array[0].result_name;
talloc_steal(r, r_crack_names.out.ctr->ctr1->array[0].result_name);
/* Store the KVNO of the account, critical for some kerberos
* operations */
r->out.kvno = ldb_msg_find_attr_as_uint(res->msgs[0], "msDS-KeyVersionNumber", 0);
/* Store the account GUID. */
r->out.account_guid = samdb_result_guid(res->msgs[0], "objectGUID");
if (r->in.acct_type == ACB_SVRTRUST) {
status = libnet_JoinSite(ctx, remote_ldb, r);
}
talloc_free(tmp_ctx);
return status;
}
WERROR dsdb_origin_objects_commit(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
const struct drsuapi_DsReplicaObjectListItem *first_object,
uint32_t *_num,
struct drsuapi_DsReplicaObjectIdentifier2 **_ids)
{
WERROR status;
const struct dsdb_schema *schema;
const struct drsuapi_DsReplicaObjectListItem *cur;
struct ldb_message **objects;
struct drsuapi_DsReplicaObjectIdentifier2 *ids;
uint32_t i;
uint32_t num_objects = 0;
const char * const attrs[] = {
"objectGUID",
"objectSid",
NULL
};
struct ldb_result *res;
int ret;
schema = dsdb_get_schema(ldb);
if (!schema) {
return WERR_DS_SCHEMA_NOT_LOADED;
}
for (cur = first_object; cur; cur = cur->next_object) {
num_objects++;
}
if (num_objects == 0) {
return WERR_OK;
}
ret = ldb_transaction_start(ldb);
if (ret != LDB_SUCCESS) {
return WERR_DS_INTERNAL_FAILURE;
}
objects = talloc_array(mem_ctx, struct ldb_message *,
num_objects);
if (objects == NULL) {
status = WERR_NOMEM;
goto cancel;
}
for (i=0, cur = first_object; cur; cur = cur->next_object, i++) {
status = dsdb_convert_object(ldb, schema,
cur, objects, &objects[i]);
if (!W_ERROR_IS_OK(status)) {
goto cancel;
}
}
ids = talloc_array(mem_ctx,
struct drsuapi_DsReplicaObjectIdentifier2,
num_objects);
if (ids == NULL) {
status = WERR_NOMEM;
goto cancel;
}
for (i=0; i < num_objects; i++) {
struct dom_sid *sid = NULL;
struct ldb_request *add_req;
DEBUG(6,(__location__ ": adding %s\n",
ldb_dn_get_linearized(objects[i]->dn)));
ret = ldb_build_add_req(&add_req,
ldb,
objects,
objects[i],
NULL,
NULL,
ldb_op_default_callback,
NULL);
if (ret != LDB_SUCCESS) {
status = WERR_DS_INTERNAL_FAILURE;
goto cancel;
}
ret = ldb_request_add_control(add_req, LDB_CONTROL_RELAX_OID, true, NULL);
if (ret != LDB_SUCCESS) {
status = WERR_DS_INTERNAL_FAILURE;
goto cancel;
}
ret = ldb_request(ldb, add_req);
if (ret == LDB_SUCCESS) {
ret = ldb_wait(add_req->handle, LDB_WAIT_ALL);
}
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed add of %s - %s\n",
ldb_dn_get_linearized(objects[i]->dn), ldb_errstring(ldb)));
status = WERR_DS_INTERNAL_FAILURE;
goto cancel;
}
talloc_free(add_req);
ret = ldb_search(ldb, objects, &res, objects[i]->dn,
LDB_SCOPE_BASE, attrs,
"(objectClass=*)");
if (ret != LDB_SUCCESS) {
status = WERR_DS_INTERNAL_FAILURE;
goto cancel;
}
ids[i].guid = samdb_result_guid(res->msgs[0], "objectGUID");
sid = samdb_result_dom_sid(objects, res->msgs[0], "objectSid");
if (sid) {
ids[i].sid = *sid;
} else {
ZERO_STRUCT(ids[i].sid);
}
}
ret = ldb_transaction_commit(ldb);
if (ret != LDB_SUCCESS) {
return WERR_DS_INTERNAL_FAILURE;
}
talloc_free(objects);
*_num = num_objects;
*_ids = ids;
return WERR_OK;
cancel:
talloc_free(objects);
ldb_transaction_cancel(ldb);
return status;
}
WERROR dsdb_origin_objects_commit(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
const struct drsuapi_DsReplicaObjectListItem *first_object,
uint32_t *_num,
uint32_t dsdb_repl_flags,
struct drsuapi_DsReplicaObjectIdentifier2 **_ids)
{
WERROR status;
const struct dsdb_schema *schema;
const struct drsuapi_DsReplicaObjectListItem *cur;
struct ldb_message **objects;
struct drsuapi_DsReplicaObjectIdentifier2 *ids;
uint32_t i;
uint32_t num_objects = 0;
const char * const attrs[] = {
"objectGUID",
"objectSid",
NULL
};
struct ldb_result *res;
int ret;
for (cur = first_object; cur; cur = cur->next_object) {
num_objects++;
}
if (num_objects == 0) {
return WERR_OK;
}
ret = ldb_transaction_start(ldb);
if (ret != LDB_SUCCESS) {
return WERR_DS_INTERNAL_FAILURE;
}
objects = talloc_array(mem_ctx, struct ldb_message *,
num_objects);
if (objects == NULL) {
status = WERR_NOMEM;
goto cancel;
}
schema = dsdb_get_schema(ldb, objects);
if (!schema) {
return WERR_DS_SCHEMA_NOT_LOADED;
}
for (i=0, cur = first_object; cur; cur = cur->next_object, i++) {
status = dsdb_origin_object_convert(ldb, schema, cur,
objects, &objects[i]);
if (!W_ERROR_IS_OK(status)) {
goto cancel;
}
}
ids = talloc_array(mem_ctx,
struct drsuapi_DsReplicaObjectIdentifier2,
num_objects);
if (ids == NULL) {
status = WERR_NOMEM;
goto cancel;
}
if (dsdb_repl_flags & DSDB_REPL_FLAG_ADD_NCNAME) {
/* check for possible NC creation */
for (i=0; i < num_objects; i++) {
struct ldb_message *msg = objects[i];
struct ldb_message_element *el;
struct ldb_dn *nc_dn;
if (ldb_msg_check_string_attribute(msg, "objectClass", "crossRef") == 0) {
continue;
}
el = ldb_msg_find_element(msg, "nCName");
if (el == NULL || el->num_values != 1) {
continue;
}
nc_dn = ldb_dn_from_ldb_val(objects, ldb, &el->values[0]);
if (!ldb_dn_validate(nc_dn)) {
continue;
}
ret = dsdb_create_partial_replica_NC(ldb, nc_dn);
if (ret != LDB_SUCCESS) {
status = WERR_DS_INTERNAL_FAILURE;
goto cancel;
}
}
}
for (i=0; i < num_objects; i++) {
struct dom_sid *sid = NULL;
struct ldb_request *add_req;
DEBUG(6,(__location__ ": adding %s\n",
ldb_dn_get_linearized(objects[i]->dn)));
ret = ldb_build_add_req(&add_req,
ldb,
objects,
objects[i],
NULL,
NULL,
ldb_op_default_callback,
NULL);
if (ret != LDB_SUCCESS) {
status = WERR_DS_INTERNAL_FAILURE;
goto cancel;
}
ret = ldb_request_add_control(add_req, LDB_CONTROL_RELAX_OID, true, NULL);
if (ret != LDB_SUCCESS) {
status = WERR_DS_INTERNAL_FAILURE;
goto cancel;
}
ret = ldb_request(ldb, add_req);
if (ret == LDB_SUCCESS) {
ret = ldb_wait(add_req->handle, LDB_WAIT_ALL);
}
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed add of %s - %s\n",
ldb_dn_get_linearized(objects[i]->dn), ldb_errstring(ldb)));
status = WERR_DS_INTERNAL_FAILURE;
goto cancel;
}
talloc_free(add_req);
ret = ldb_search(ldb, objects, &res, objects[i]->dn,
LDB_SCOPE_BASE, attrs,
"(objectClass=*)");
if (ret != LDB_SUCCESS) {
status = WERR_DS_INTERNAL_FAILURE;
goto cancel;
}
ids[i].guid = samdb_result_guid(res->msgs[0], "objectGUID");
sid = samdb_result_dom_sid(objects, res->msgs[0], "objectSid");
if (sid) {
ids[i].sid = *sid;
} else {
ZERO_STRUCT(ids[i].sid);
}
}
ret = ldb_transaction_commit(ldb);
if (ret != LDB_SUCCESS) {
return WERR_DS_INTERNAL_FAILURE;
}
talloc_free(objects);
*_num = num_objects;
*_ids = ids;
return WERR_OK;
cancel:
talloc_free(objects);
ldb_transaction_cancel(ldb);
return status;
}
static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
struct smb_krb5_context *smb_krb5_context,
uint32_t format_flags, enum drsuapi_DsNameFormat format_offered,
enum drsuapi_DsNameFormat format_desired,
struct ldb_dn *name_dn, const char *name,
const char *domain_filter, const char *result_filter,
struct drsuapi_DsNameInfo1 *info1,
int scope, struct ldb_dn *search_dn)
{
int ldb_ret;
struct ldb_result *domain_res = NULL;
const char * const *domain_attrs;
const char * const *result_attrs;
struct ldb_message **result_res = NULL;
struct ldb_message *result = NULL;
int i;
char *p;
struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx);
const char * const _domain_attrs_1779[] = { "ncName", "dnsRoot", NULL};
const char * const _result_attrs_null[] = { NULL };
const char * const _domain_attrs_canonical[] = { "ncName", "dnsRoot", NULL};
const char * const _result_attrs_canonical[] = { "canonicalName", NULL };
const char * const _domain_attrs_nt4[] = { "ncName", "dnsRoot", "nETBIOSName", NULL};
const char * const _result_attrs_nt4[] = { "sAMAccountName", "objectSid", "objectClass", NULL};
const char * const _domain_attrs_guid[] = { "ncName", "dnsRoot", NULL};
const char * const _result_attrs_guid[] = { "objectGUID", NULL};
const char * const _domain_attrs_display[] = { "ncName", "dnsRoot", NULL};
const char * const _result_attrs_display[] = { "displayName", "samAccountName", NULL};
const char * const _domain_attrs_none[] = { "ncName", "dnsRoot" , NULL};
const char * const _result_attrs_none[] = { NULL};
/* here we need to set the attrs lists for domain and result lookups */
switch (format_desired) {
case DRSUAPI_DS_NAME_FORMAT_FQDN_1779:
case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
domain_attrs = _domain_attrs_1779;
result_attrs = _result_attrs_null;
break;
case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
domain_attrs = _domain_attrs_canonical;
result_attrs = _result_attrs_canonical;
break;
case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT:
domain_attrs = _domain_attrs_nt4;
result_attrs = _result_attrs_nt4;
break;
case DRSUAPI_DS_NAME_FORMAT_GUID:
domain_attrs = _domain_attrs_guid;
result_attrs = _result_attrs_guid;
break;
case DRSUAPI_DS_NAME_FORMAT_DISPLAY:
domain_attrs = _domain_attrs_display;
result_attrs = _result_attrs_display;
break;
default:
domain_attrs = _domain_attrs_none;
result_attrs = _result_attrs_none;
break;
}
if (domain_filter) {
/* if we have a domain_filter look it up and set the result_basedn and the dns_domain_name */
ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
partitions_basedn,
LDB_SCOPE_ONELEVEL,
domain_attrs,
"%s", domain_filter);
if (ldb_ret != LDB_SUCCESS) {
DEBUG(2, ("DsCrackNameOneFilter domain ref search failed: %s\n", ldb_errstring(sam_ctx)));
info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
return WERR_OK;
}
switch (domain_res->count) {
case 1:
break;
case 0:
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
return WERR_OK;
default:
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
return WERR_OK;
}
info1->dns_domain_name = ldb_msg_find_attr_as_string(domain_res->msgs[0], "dnsRoot", NULL);
W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
} else {
info1->dns_domain_name = NULL;
info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
}
if (result_filter) {
int ret;
struct ldb_result *res;
uint32_t dsdb_flags = 0;
struct ldb_dn *real_search_dn = NULL;
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
/*
* From 4.1.4.2.11 of MS-DRSR
* if DS_NAME_FLAG_GCVERIFY in flags then
* rt := select all O from all
* where attrValue in GetAttrVals(O, att, false)
* else
* rt := select all O from subtree DefaultNC()
* where attrValue in GetAttrVals(O, att, false)
* endif
* return rt
*/
if (format_flags & DRSUAPI_DS_NAME_FLAG_GCVERIFY ||
format_offered == DRSUAPI_DS_NAME_FORMAT_GUID)
{
dsdb_flags = DSDB_SEARCH_SEARCH_ALL_PARTITIONS;
} else if (domain_res) {
if (!search_dn) {
struct ldb_dn *tmp_dn = samdb_result_dn(sam_ctx, mem_ctx, domain_res->msgs[0], "ncName", NULL);
real_search_dn = tmp_dn;
} else {
real_search_dn = search_dn;
}
} else {
real_search_dn = ldb_get_default_basedn(sam_ctx);
}
if (format_desired == DRSUAPI_DS_NAME_FORMAT_GUID){
dsdb_flags |= DSDB_SEARCH_SHOW_RECYCLED;
}
/* search with the 'phantom root' flag */
ret = dsdb_search(sam_ctx, mem_ctx, &res,
real_search_dn,
scope,
result_attrs,
dsdb_flags,
"%s", result_filter);
if (ret != LDB_SUCCESS) {
DEBUG(2, ("DsCrackNameOneFilter search from '%s' with flags 0x%08x failed: %s\n",
ldb_dn_get_linearized(real_search_dn),
dsdb_flags,
ldb_errstring(sam_ctx)));
info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
return WERR_OK;
}
ldb_ret = res->count;
result_res = res->msgs;
} else if (format_offered == DRSUAPI_DS_NAME_FORMAT_FQDN_1779) {
ldb_ret = gendb_search_dn(sam_ctx, mem_ctx, name_dn, &result_res,
result_attrs);
} else if (domain_res) {
name_dn = samdb_result_dn(sam_ctx, mem_ctx, domain_res->msgs[0], "ncName", NULL);
ldb_ret = gendb_search_dn(sam_ctx, mem_ctx, name_dn, &result_res,
result_attrs);
} else {
/* Can't happen */
DEBUG(0, ("LOGIC ERROR: DsCrackNameOneFilter domain ref search not available: This can't happen...\n"));
info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
return WERR_OK;
}
switch (ldb_ret) {
case 1:
result = result_res[0];
break;
case 0:
switch (format_offered) {
case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL:
return DsCrackNameSPNAlias(sam_ctx, mem_ctx,
smb_krb5_context,
format_flags, format_offered, format_desired,
name, info1);
case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL:
return DsCrackNameUPN(sam_ctx, mem_ctx, smb_krb5_context,
format_flags, format_offered, format_desired,
name, info1);
default:
break;
}
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
return WERR_OK;
case -1:
DEBUG(2, ("DsCrackNameOneFilter result search failed: %s\n", ldb_errstring(sam_ctx)));
info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
return WERR_OK;
default:
switch (format_offered) {
case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
{
const char *canonical_name = NULL; /* Not required, but we get warnings... */
/* We may need to manually filter further */
for (i = 0; i < ldb_ret; i++) {
switch (format_offered) {
case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
canonical_name = ldb_dn_canonical_string(mem_ctx, result_res[i]->dn);
break;
case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
canonical_name = ldb_dn_canonical_ex_string(mem_ctx, result_res[i]->dn);
break;
default:
break;
}
if (strcasecmp_m(canonical_name, name) == 0) {
result = result_res[i];
break;
}
}
if (!result) {
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
return WERR_OK;
}
}
/* FALL TROUGH */
default:
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
return WERR_OK;
}
}
info1->dns_domain_name = ldb_dn_canonical_string(mem_ctx, result->dn);
W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
p = strchr(info1->dns_domain_name, '/');
if (p) {
p[0] = '\0';
}
/* here we can use result and domain_res[0] */
switch (format_desired) {
case DRSUAPI_DS_NAME_FORMAT_FQDN_1779: {
info1->result_name = ldb_dn_alloc_linearized(mem_ctx, result->dn);
W_ERROR_HAVE_NO_MEMORY(info1->result_name);
info1->status = DRSUAPI_DS_NAME_STATUS_OK;
return WERR_OK;
}
case DRSUAPI_DS_NAME_FORMAT_CANONICAL: {
info1->result_name = ldb_msg_find_attr_as_string(result, "canonicalName", NULL);
info1->status = DRSUAPI_DS_NAME_STATUS_OK;
return WERR_OK;
}
case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX: {
/* Not in the virtual ldb attribute */
return DsCrackNameOneSyntactical(mem_ctx,
DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX,
result->dn, name, info1);
}
case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT: {
const struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, result, "objectSid");
const char *_acc = "", *_dom = "";
if (sid == NULL) {
info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
return WERR_OK;
}
if (samdb_find_attribute(sam_ctx, result, "objectClass",
"domain")) {
/* This can also find a DomainDNSZones entry,
* but it won't have the SID we just
* checked. */
ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
partitions_basedn,
LDB_SCOPE_ONELEVEL,
domain_attrs,
"(ncName=%s)", ldb_dn_get_linearized(result->dn));
if (ldb_ret != LDB_SUCCESS) {
DEBUG(2, ("DsCrackNameOneFilter domain ref search failed: %s\n", ldb_errstring(sam_ctx)));
info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
return WERR_OK;
}
switch (domain_res->count) {
case 1:
break;
case 0:
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
return WERR_OK;
default:
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
return WERR_OK;
}
_dom = ldb_msg_find_attr_as_string(domain_res->msgs[0], "nETBIOSName", NULL);
W_ERROR_HAVE_NO_MEMORY(_dom);
} else {
_acc = ldb_msg_find_attr_as_string(result, "sAMAccountName", NULL);
if (!_acc) {
info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
return WERR_OK;
}
if (dom_sid_in_domain(dom_sid_parse_talloc(mem_ctx, SID_BUILTIN), sid)) {
_dom = "BUILTIN";
} else {
const char *attrs[] = { NULL };
struct ldb_result *domain_res2;
struct dom_sid *dom_sid = dom_sid_dup(mem_ctx, sid);
if (!dom_sid) {
return WERR_OK;
}
dom_sid->num_auths--;
ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
NULL,
LDB_SCOPE_BASE,
attrs,
"(&(objectSid=%s)(objectClass=domain))",
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
if (ldb_ret != LDB_SUCCESS) {
DEBUG(2, ("DsCrackNameOneFilter domain search failed: %s\n", ldb_errstring(sam_ctx)));
info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
return WERR_OK;
}
switch (domain_res->count) {
case 1:
break;
case 0:
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
return WERR_OK;
default:
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
return WERR_OK;
}
ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res2,
partitions_basedn,
LDB_SCOPE_ONELEVEL,
domain_attrs,
"(ncName=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn));
if (ldb_ret != LDB_SUCCESS) {
DEBUG(2, ("DsCrackNameOneFilter domain ref search failed: %s\n", ldb_errstring(sam_ctx)));
info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
return WERR_OK;
}
switch (domain_res2->count) {
case 1:
break;
case 0:
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
return WERR_OK;
default:
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
return WERR_OK;
}
_dom = ldb_msg_find_attr_as_string(domain_res2->msgs[0], "nETBIOSName", NULL);
W_ERROR_HAVE_NO_MEMORY(_dom);
}
}
info1->result_name = talloc_asprintf(mem_ctx, "%s\\%s", _dom, _acc);
W_ERROR_HAVE_NO_MEMORY(info1->result_name);
info1->status = DRSUAPI_DS_NAME_STATUS_OK;
return WERR_OK;
}
case DRSUAPI_DS_NAME_FORMAT_GUID: {
struct GUID guid;
guid = samdb_result_guid(result, "objectGUID");
info1->result_name = GUID_string2(mem_ctx, &guid);
W_ERROR_HAVE_NO_MEMORY(info1->result_name);
info1->status = DRSUAPI_DS_NAME_STATUS_OK;
return WERR_OK;
}
case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
info1->result_name = ldb_msg_find_attr_as_string(result, "displayName", NULL);
if (!info1->result_name) {
info1->result_name = ldb_msg_find_attr_as_string(result, "sAMAccountName", NULL);
}
if (!info1->result_name) {
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
} else {
info1->status = DRSUAPI_DS_NAME_STATUS_OK;
}
return WERR_OK;
}
case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: {
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
return WERR_OK;
}
case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN:
case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
info1->dns_domain_name = NULL;
info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
return WERR_OK;
}
default:
info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
return WERR_OK;
}
}
/*
add special SPNs needed for DRS replication to machine accounts when
an AddEntry is done to create a nTDSDSA object
*/
static WERROR drsuapi_add_SPNs(struct drsuapi_bind_state *b_state,
struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
const struct drsuapi_DsReplicaObjectListItem *first_object)
{
int ret;
const struct drsuapi_DsReplicaObjectListItem *obj;
const char *attrs[] = { "serverReference", "objectGUID", NULL };
for (obj = first_object; obj; obj=obj->next_object) {
const char *dn_string = obj->object.identifier->dn;
struct ldb_dn *dn = ldb_dn_new(mem_ctx, b_state->sam_ctx, dn_string);
struct ldb_result *res, *res2;
struct ldb_dn *ref_dn;
struct GUID ntds_guid;
struct ldb_message *msg;
struct ldb_message_element *el;
const char *ntds_guid_str;
const char *dom_string;
const char *attrs2[] = { "dNSHostName", "cn", NULL };
const char *dNSHostName, *cn;
DEBUG(6,(__location__ ": Adding SPNs for %s\n",
ldb_dn_get_linearized(dn)));
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res,
dn, LDB_SCOPE_BASE, attrs,
"(objectClass=ntDSDSA)");
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to find dn '%s'\n", dn_string));
return WERR_DS_DRA_INTERNAL_ERROR;
}
if (res->count < 1) {
/* we only add SPNs for nTDSDSA objects */
continue;
}
ref_dn = samdb_result_dn(b_state->sam_ctx, mem_ctx, res->msgs[0], "serverReference", NULL);
if (ref_dn == NULL) {
/* we only add SPNs for objects with a
serverReference */
continue;
}
DEBUG(6,(__location__ ": serverReference %s\n",
ldb_dn_get_linearized(ref_dn)));
ntds_guid = samdb_result_guid(res->msgs[0], "objectGUID");
ntds_guid_str = GUID_string(res, &ntds_guid);
dom_string = lpcfg_dnsdomain(dce_call->conn->dce_ctx->lp_ctx);
/* get the dNSHostName and cn */
ret = ldb_search(b_state->sam_ctx, mem_ctx, &res2,
ref_dn, LDB_SCOPE_BASE, attrs2, NULL);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to find ref_dn '%s'\n",
ldb_dn_get_linearized(ref_dn)));
return WERR_DS_DRA_INTERNAL_ERROR;
}
dNSHostName = ldb_msg_find_attr_as_string(res2->msgs[0], "dNSHostName", NULL);
cn = ldb_msg_find_attr_as_string(res2->msgs[0], "cn", NULL);
/*
* construct a modify request to add the new SPNs to
* the machine account
*/
msg = ldb_msg_new(mem_ctx);
if (msg == NULL) {
return WERR_NOT_ENOUGH_MEMORY;
}
msg->dn = ref_dn;
ret = ldb_msg_add_empty(msg, "servicePrincipalName",
LDB_FLAG_MOD_ADD, &el);
if (ret != LDB_SUCCESS) {
return WERR_NOT_ENOUGH_MEMORY;
}
ldb_msg_add_steal_string(msg, "servicePrincipalName",
talloc_asprintf(el->values,
"E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s",
ntds_guid_str, dom_string));
ldb_msg_add_steal_string(msg, "servicePrincipalName",
talloc_asprintf(el->values, "ldap/%s._msdcs.%s",
ntds_guid_str, dom_string));
if (cn) {
ldb_msg_add_steal_string(msg, "servicePrincipalName",
talloc_asprintf(el->values, "ldap/%s", cn));
}
if (dNSHostName) {
ldb_msg_add_steal_string(msg, "servicePrincipalName",
talloc_asprintf(el->values, "ldap/%s", dNSHostName));
}
if (el->num_values < 2) {
return WERR_NOT_ENOUGH_MEMORY;
}
ret = dsdb_modify(b_state->sam_ctx, msg, DSDB_MODIFY_PERMISSIVE);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Failed to add SPNs - %s\n",
ldb_errstring(b_state->sam_ctx)));
return WERR_DS_DRA_INTERNAL_ERROR;
}
}
return WERR_OK;
}
NTSTATUS dcesrv_lsa_get_policy_state(struct dcesrv_call_state *dce_call,
TALLOC_CTX *mem_ctx,
uint32_t access_desired,
struct lsa_policy_state **_state)
{
struct auth_session_info *session_info = dce_call->conn->auth_state.session_info;
enum security_user_level security_level;
struct lsa_policy_state *state;
struct ldb_result *dom_res;
const char *dom_attrs[] = {
"objectSid",
"objectGUID",
"nTMixedDomain",
"fSMORoleOwner",
NULL
};
char *p;
int ret;
state = talloc_zero(mem_ctx, struct lsa_policy_state);
if (!state) {
return NT_STATUS_NO_MEMORY;
}
/* make sure the sam database is accessible */
state->sam_ldb = samdb_connect(state,
dce_call->event_ctx,
dce_call->conn->dce_ctx->lp_ctx,
dce_call->conn->auth_state.session_info,
dce_call->conn->remote_address,
0);
if (state->sam_ldb == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
/* and the privilege database */
state->pdb = privilege_connect(state, dce_call->conn->dce_ctx->lp_ctx);
if (state->pdb == NULL) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
/* work out the domain_dn - useful for so many calls its worth
fetching here */
state->domain_dn = ldb_get_default_basedn(state->sam_ldb);
if (!state->domain_dn) {
return NT_STATUS_NO_MEMORY;
}
/* work out the forest root_dn - useful for so many calls its worth
fetching here */
state->forest_dn = ldb_get_root_basedn(state->sam_ldb);
if (!state->forest_dn) {
return NT_STATUS_NO_MEMORY;
}
ret = ldb_search(state->sam_ldb, mem_ctx, &dom_res,
state->domain_dn, LDB_SCOPE_BASE, dom_attrs, NULL);
if (ret != LDB_SUCCESS) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
if (dom_res->count != 1) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
state->domain_sid = samdb_result_dom_sid(state, dom_res->msgs[0], "objectSid");
if (!state->domain_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
state->domain_guid = samdb_result_guid(dom_res->msgs[0], "objectGUID");
state->mixed_domain = ldb_msg_find_attr_as_uint(dom_res->msgs[0], "nTMixedDomain", 0);
talloc_free(dom_res);
state->domain_name = lpcfg_sam_name(dce_call->conn->dce_ctx->lp_ctx);
state->domain_dns = ldb_dn_canonical_string(state, state->domain_dn);
if (!state->domain_dns) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
p = strchr(state->domain_dns, '/');
if (p) {
*p = '\0';
}
state->forest_dns = ldb_dn_canonical_string(state, state->forest_dn);
if (!state->forest_dns) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
p = strchr(state->forest_dns, '/');
if (p) {
*p = '\0';
}
/* work out the builtin_dn - useful for so many calls its worth
fetching here */
state->builtin_dn = samdb_search_dn(state->sam_ldb, state, state->domain_dn, "(objectClass=builtinDomain)");
if (!state->builtin_dn) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
/* work out the system_dn - useful for so many calls its worth
fetching here */
state->system_dn = samdb_search_dn(state->sam_ldb, state,
state->domain_dn, "(&(objectClass=container)(cn=System))");
if (!state->system_dn) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
state->builtin_sid = dom_sid_parse_talloc(state, SID_BUILTIN);
if (!state->builtin_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
state->nt_authority_sid = dom_sid_parse_talloc(state, SID_NT_AUTHORITY);
if (!state->nt_authority_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
state->creator_owner_domain_sid = dom_sid_parse_talloc(state, SID_CREATOR_OWNER_DOMAIN);
if (!state->creator_owner_domain_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
state->world_domain_sid = dom_sid_parse_talloc(state, SID_WORLD_DOMAIN);
if (!state->world_domain_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
state->sd = sddl_decode(state, DCESRV_LSA_POLICY_SD_SDDL,
state->domain_sid);
if (state->sd == NULL) {
return NT_STATUS_NO_MEMORY;
}
state->sd->dacl->revision = SECURITY_ACL_REVISION_NT4;
se_map_generic(&access_desired, &dcesrv_lsa_policy_mapping);
security_acl_map_generic(state->sd->dacl, &dcesrv_lsa_policy_mapping);
security_level = security_session_user_level(session_info, NULL);
if (security_level >= SECURITY_SYSTEM) {
/*
* The security descriptor doesn't allow system,
* but we want to allow system via ncalrpc as root.
*/
state->access_mask = access_desired;
if (state->access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
state->access_mask &= ~SEC_FLAG_MAXIMUM_ALLOWED;
state->access_mask |= LSA_POLICY_ALL_ACCESS;
}
} else {
NTSTATUS status;
status = se_access_check(state->sd,
session_info->security_token,
access_desired,
&state->access_mask);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2,("%s: access desired[0x%08X] rejected[0x%08X] - %s\n",
__func__,
(unsigned)access_desired,
(unsigned)state->access_mask,
nt_errstr(status)));
return status;
}
}
DEBUG(10,("%s: access desired[0x%08X] granted[0x%08X] - success.\n",
__func__,
(unsigned)access_desired,
(unsigned)state->access_mask));
*_state = state;
return NT_STATUS_OK;
}
