static NTSTATUS ep_register(TALLOC_CTX *mem_ctx,
const struct ndr_interface_table *iface,
const struct dcerpc_binding_vector *bind_vec,
const struct GUID *object_guid,
const char *annotation,
uint32_t replace,
uint32_t unregister,
struct dcerpc_binding_handle **pbh)
{
struct rpc_pipe_client *cli = NULL;
struct dcerpc_binding_handle *h;
struct pipe_auth_data *auth;
const char *ncalrpc_sock;
const char *rpcsrv_type;
struct epm_entry_t *entries;
uint32_t num_ents, i;
TALLOC_CTX *tmp_ctx;
uint32_t result = EPMAPPER_STATUS_OK;
NTSTATUS status;
if (iface == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
if (bind_vec == NULL || bind_vec->count == 0) {
return NT_STATUS_INVALID_PARAMETER;
}
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM,
"rpc_server", "epmapper",
"none");
if (StrCaseCmp(rpcsrv_type, "embedded") == 0) {
static struct client_address client_id;
strlcpy(client_id.addr, "localhost", sizeof(client_id.addr));
client_id.name = "localhost";
status = rpcint_binding_handle(tmp_ctx,
&ndr_table_epmapper,
&client_id,
get_session_info_system(),
server_messaging_context(),
&h);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("dcerpc_ep_register: Could not connect to "
"epmapper (%s)", nt_errstr(status)));
goto done;
}
} else if (StrCaseCmp(rpcsrv_type, "daemon") == 0) {
/* Connect to the endpoint mapper locally */
ncalrpc_sock = talloc_asprintf(tmp_ctx,
"%s/%s",
lp_ncalrpc_dir(),
"EPMAPPER");
if (ncalrpc_sock == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
status = rpc_pipe_open_ncalrpc(tmp_ctx,
ncalrpc_sock,
&ndr_table_epmapper.syntax_id,
&cli);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
status = rpccli_ncalrpc_bind_data(cli, &auth);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to initialize anonymous bind.\n"));
goto done;
}
status = rpc_pipe_bind(cli, auth);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2, ("Failed to bind ncalrpc socket.\n"));
goto done;
}
h = cli->binding_handle;
} else {
status = NT_STATUS_INVALID_PARAMETER;
goto done;
}
num_ents = bind_vec->count;
entries = talloc_array(tmp_ctx, struct epm_entry_t, num_ents);
for (i = 0; i < num_ents; i++) {
struct dcerpc_binding *map_binding = &bind_vec->bindings[i];
struct epm_twr_t *map_tower;
map_tower = talloc_zero(entries, struct epm_twr_t);
if (map_tower == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
status = dcerpc_binding_build_tower(entries,
map_binding,
&map_tower->tower);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
entries[i].tower = map_tower;
if (annotation == NULL) {
entries[i].annotation = talloc_strdup(entries, "");
} else {
entries[i].annotation = talloc_strndup(entries,
annotation,
EPM_MAX_ANNOTATION_SIZE);
}
if (entries[i].annotation == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
if (object_guid != NULL) {
entries[i].object = *object_guid;
} else {
entries[i].object = map_binding->object.uuid;
}
}
if (unregister) {
status = dcerpc_epm_Delete(h,
tmp_ctx,
num_ents,
entries,
&result);
} else {
status = dcerpc_epm_Insert(h,
tmp_ctx,
num_ents,
entries,
replace,
&result);
}
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("dcerpc_ep_register: Could not insert tower (%s)\n",
nt_errstr(status)));
goto done;
}
if (result != EPMAPPER_STATUS_OK) {
DEBUG(0, ("dcerpc_ep_register: Could not insert tower (0x%.8x)\n",
result));
status = NT_STATUS_UNSUCCESSFUL;
goto done;
}
if (pbh != NULL) {
*pbh = talloc_move(mem_ctx, &h);
talloc_steal(*pbh, cli);
}
done:
talloc_free(tmp_ctx);
return status;
}
NTSTATUS dcerpc_binding_vector_create(TALLOC_CTX *mem_ctx,
const struct ndr_interface_table *iface,
uint16_t port,
const char *ncalrpc,
struct dcerpc_binding_vector **pbvec)
{
struct dcerpc_binding_vector *bvec;
uint32_t ep_count;
uint32_t count = 0;
uint32_t i;
NTSTATUS status;
TALLOC_CTX *tmp_ctx;
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
ep_count = iface->endpoints->count;
bvec = talloc_zero(tmp_ctx, struct dcerpc_binding_vector);
if (bvec == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
bvec->bindings = talloc_zero_array(bvec, struct dcerpc_binding, ep_count);
if (bvec->bindings == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
for (i = 0; i < ep_count; i++) {
struct dcerpc_binding *b;
b = talloc_zero(bvec->bindings, struct dcerpc_binding);
if (b == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
status = dcerpc_parse_binding(b, iface->endpoints->names[i], &b);
if (!NT_STATUS_IS_OK(status)) {
status = NT_STATUS_UNSUCCESSFUL;
goto done;
}
b->object = iface->syntax_id;
switch (b->transport) {
case NCACN_NP:
b->host = talloc_asprintf(b, "\\\\%s", global_myname());
if (b->host == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
break;
case NCACN_IP_TCP:
if (port == 0) {
talloc_free(b);
continue;
}
b->endpoint = talloc_asprintf(b, "%u", port);
if (b->endpoint == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
break;
case NCALRPC:
if (ncalrpc == NULL) {
talloc_free(b);
continue;
}
b->endpoint = talloc_asprintf(b,
"%s/%s",
lp_ncalrpc_dir(),
ncalrpc);
if (b->endpoint == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
break;
default:
talloc_free(b);
continue;
}
bvec->bindings[count] = *b;
count++;
}
bvec->count = count;
*pbvec = talloc_move(mem_ctx, &bvec);
status = NT_STATUS_OK;
done:
talloc_free(tmp_ctx);
return status;
}
static void smbXsrv_session_global_verify_record(struct db_record *db_rec,
bool *is_free,
bool *was_free,
TALLOC_CTX *mem_ctx,
struct smbXsrv_session_global0 **_g)
{
TDB_DATA key;
TDB_DATA val;
DATA_BLOB blob;
struct smbXsrv_session_globalB global_blob;
enum ndr_err_code ndr_err;
struct smbXsrv_session_global0 *global = NULL;
bool exists;
TALLOC_CTX *frame = talloc_stackframe();
*is_free = false;
if (was_free) {
*was_free = false;
}
if (_g) {
*_g = NULL;
}
key = dbwrap_record_get_key(db_rec);
val = dbwrap_record_get_value(db_rec);
if (val.dsize == 0) {
TALLOC_FREE(frame);
*is_free = true;
if (was_free) {
*was_free = true;
}
return;
}
blob = data_blob_const(val.dptr, val.dsize);
ndr_err = ndr_pull_struct_blob(&blob, frame, &global_blob,
(ndr_pull_flags_fn_t)ndr_pull_smbXsrv_session_globalB);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
DEBUG(1,("smbXsrv_session_global_verify_record: "
"key '%s' ndr_pull_struct_blob - %s\n",
hex_encode_talloc(frame, key.dptr, key.dsize),
nt_errstr(status)));
TALLOC_FREE(frame);
return;
}
DEBUG(10,("smbXsrv_session_global_verify_record\n"));
if (DEBUGLVL(10)) {
NDR_PRINT_DEBUG(smbXsrv_session_globalB, &global_blob);
}
if (global_blob.version != SMBXSRV_VERSION_0) {
DEBUG(0,("smbXsrv_session_global_verify_record: "
"key '%s' use unsupported version %u\n",
hex_encode_talloc(frame, key.dptr, key.dsize),
global_blob.version));
NDR_PRINT_DEBUG(smbXsrv_session_globalB, &global_blob);
TALLOC_FREE(frame);
return;
}
global = global_blob.info.info0;
exists = serverid_exists(&global->channels[0].server_id);
if (!exists) {
struct server_id_buf idbuf;
DEBUG(2,("smbXsrv_session_global_verify_record: "
"key '%s' server_id %s does not exist.\n",
hex_encode_talloc(frame, key.dptr, key.dsize),
server_id_str_buf(global->channels[0].server_id,
&idbuf)));
if (DEBUGLVL(2)) {
NDR_PRINT_DEBUG(smbXsrv_session_globalB, &global_blob);
}
TALLOC_FREE(frame);
dbwrap_record_delete(db_rec);
*is_free = true;
return;
}
if (_g) {
*_g = talloc_move(mem_ctx, &global);
}
TALLOC_FREE(frame);
}
static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
const char *in_path,
uint8_t *out_share_type,
uint32_t *out_share_flags,
uint32_t *out_capabilities,
uint32_t *out_maximal_access,
uint32_t *out_tree_id)
{
struct smbXsrv_connection *conn = req->xconn;
const char *share = in_path;
char *service = NULL;
int snum = -1;
struct smbXsrv_tcon *tcon;
NTTIME now = timeval_to_nttime(&req->request_time);
connection_struct *compat_conn = NULL;
struct user_struct *compat_vuser = req->session->compat;
NTSTATUS status;
bool encryption_required = req->session->global->encryption_required;
bool guest_session = false;
if (strncmp(share, "\\\\", 2) == 0) {
const char *p = strchr(share+2, '\\');
if (p) {
share = p + 1;
}
}
DEBUG(10,("smbd_smb2_tree_connect: path[%s] share[%s]\n",
in_path, share));
service = talloc_strdup(talloc_tos(), share);
if(!service) {
return NT_STATUS_NO_MEMORY;
}
if (!strlower_m(service)) {
DEBUG(2, ("strlower_m %s failed\n", service));
return NT_STATUS_INVALID_PARAMETER;
}
/* TODO: do more things... */
if (strequal(service,HOMES_NAME)) {
if (compat_vuser->homes_snum == -1) {
DEBUG(2, ("[homes] share not available for "
"user %s because it was not found "
"or created at session setup "
"time\n",
compat_vuser->session_info->unix_info->unix_name));
return NT_STATUS_BAD_NETWORK_NAME;
}
snum = compat_vuser->homes_snum;
} else if ((compat_vuser->homes_snum != -1)
&& strequal(service,
lp_servicename(talloc_tos(), compat_vuser->homes_snum))) {
snum = compat_vuser->homes_snum;
} else {
snum = find_service(talloc_tos(), service, &service);
if (!service) {
return NT_STATUS_NO_MEMORY;
}
}
if (snum < 0) {
DEBUG(3,("smbd_smb2_tree_connect: couldn't find service %s\n",
service));
return NT_STATUS_BAD_NETWORK_NAME;
}
if (lp_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) {
encryption_required = true;
}
if (security_session_user_level(compat_vuser->session_info, NULL) < SECURITY_USER) {
guest_session = true;
}
if (guest_session && encryption_required) {
DEBUG(1,("reject guest as encryption is required for service %s\n",
service));
return NT_STATUS_ACCESS_DENIED;
}
if (conn->smb2.server.cipher == 0) {
if (encryption_required) {
DEBUG(1,("reject tcon with dialect[0x%04X] "
"as encryption is required for service %s\n",
conn->smb2.server.dialect, service));
return NT_STATUS_ACCESS_DENIED;
}
}
/* create a new tcon as child of the session */
status = smb2srv_tcon_create(req->session, now, &tcon);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
tcon->global->encryption_required = encryption_required;
compat_conn = make_connection_smb2(req,
tcon, snum,
req->session->compat,
"???",
&status);
if (compat_conn == NULL) {
TALLOC_FREE(tcon);
return status;
}
tcon->global->share_name = lp_servicename(tcon->global,
SNUM(compat_conn));
if (tcon->global->share_name == NULL) {
conn_free(compat_conn);
TALLOC_FREE(tcon);
return NT_STATUS_NO_MEMORY;
}
tcon->global->session_global_id =
req->session->global->session_global_id;
tcon->compat = talloc_move(tcon, &compat_conn);
tcon->status = NT_STATUS_OK;
status = smbXsrv_tcon_update(tcon);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(tcon);
return status;
}
if (IS_PRINT(tcon->compat)) {
*out_share_type = SMB2_SHARE_TYPE_PRINT;
} else if (IS_IPC(tcon->compat)) {
*out_share_type = SMB2_SHARE_TYPE_PIPE;
} else {
*out_share_type = SMB2_SHARE_TYPE_DISK;
}
*out_share_flags = 0;
if (lp_msdfs_root(SNUM(tcon->compat)) && lp_host_msdfs()) {
*out_share_flags |= (SMB2_SHAREFLAG_DFS|SMB2_SHAREFLAG_DFS_ROOT);
*out_capabilities = SMB2_SHARE_CAP_DFS;
} else {
*out_capabilities = 0;
}
switch(lp_csc_policy(SNUM(tcon->compat))) {
case CSC_POLICY_MANUAL:
break;
case CSC_POLICY_DOCUMENTS:
*out_share_flags |= SMB2_SHAREFLAG_AUTO_CACHING;
break;
case CSC_POLICY_PROGRAMS:
*out_share_flags |= SMB2_SHAREFLAG_VDO_CACHING;
break;
case CSC_POLICY_DISABLE:
*out_share_flags |= SMB2_SHAREFLAG_NO_CACHING;
break;
default:
break;
}
if (lp_hide_unreadable(SNUM(tcon->compat)) ||
lp_hide_unwriteable_files(SNUM(tcon->compat))) {
*out_share_flags |= SMB2_SHAREFLAG_ACCESS_BASED_DIRECTORY_ENUM;
}
if (encryption_required) {
*out_share_flags |= SMB2_SHAREFLAG_ENCRYPT_DATA;
}
*out_maximal_access = tcon->compat->share_access;
*out_tree_id = tcon->global->tcon_wire_id;
return NT_STATUS_OK;
}
/*
* epm_Insert
*
* Add the specified entries to an endpoint map.
*/
error_status_t _epm_Insert(struct pipes_struct *p,
struct epm_Insert *r)
{
TALLOC_CTX *tmp_ctx;
error_status_t rc;
NTSTATUS status;
uint32_t i;
struct dcerpc_binding *b;
struct dcesrv_endpoint *ep;
struct dcesrv_iface_list *iflist;
struct dcesrv_iface *iface;
bool add_ep;
/* If this is not a priviledged users, return */
if (p->transport != NCALRPC ||
!is_priviledged_pipe(p->session_info)) {
p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return EPMAPPER_STATUS_CANT_PERFORM_OP;
}
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return EPMAPPER_STATUS_NO_MEMORY;
}
DEBUG(3, ("_epm_Insert: Trying to add %u new entries.\n",
r->in.num_ents));
for (i = 0; i < r->in.num_ents; i++) {
add_ep = false;
b = NULL;
status = dcerpc_binding_from_tower(tmp_ctx,
&r->in.entries[i].tower->tower,
&b);
if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
rc = EPMAPPER_STATUS_NO_MEMORY;
goto done;
}
if (!NT_STATUS_IS_OK(status)) {
rc = EPMAPPER_STATUS_CANT_PERFORM_OP;
goto done;
}
DEBUG(3, ("_epm_Insert: Adding transport %s for %s\n",
derpc_transport_string_by_transport(b->transport),
r->in.entries[i].annotation));
/* Check if the entry already exits */
ep = find_endpoint(endpoint_table, b);
if (ep == NULL) {
/* No entry found, create it */
ep = talloc_zero(NULL, struct dcesrv_endpoint);
if (ep == NULL) {
rc = EPMAPPER_STATUS_NO_MEMORY;
goto done;
}
add_ep = true;
ep->ep_description = talloc_steal(ep, b);
}
/* TODO Replace the entry if the replace flag is set */
/* Create an interface */
iface = talloc(tmp_ctx, struct dcesrv_iface);
if (iface == NULL) {
rc = EPMAPPER_STATUS_NO_MEMORY;
goto done;
}
iface->name = talloc_strdup(iface, r->in.entries[i].annotation);
if (iface->name == NULL) {
rc = EPMAPPER_STATUS_NO_MEMORY;
goto done;
}
iface->syntax_id = b->object;
/*
* Check if the rpc service is alrady registered on the
* endpoint.
*/
if (find_interface(ep, iface) != NULL) {
DEBUG(0, ("dcesrv_interface_register: interface '%s' "
"already registered on endpoint\n",
iface->name));
/* FIXME wrong error code? */
rc = EPMAPPER_STATUS_OK;
goto done;
}
/* Create an entry for the interface */
iflist = talloc(ep, struct dcesrv_iface_list);
if (iflist == NULL) {
rc = EPMAPPER_STATUS_NO_MEMORY;
goto done;
}
iflist->iface = talloc_move(iflist, &iface);
/* Finally add the interface on the endpoint */
DLIST_ADD(ep->iface_list, iflist);
/* If it's a new endpoint add it to the endpoint_table */
if (add_ep) {
DLIST_ADD(endpoint_table, ep);
}
}
static connection_struct *make_connection_smb1(struct smb_request *req,
NTTIME now,
int snum, struct user_struct *vuser,
const char *pdev,
NTSTATUS *pstatus)
{
struct smbXsrv_tcon *tcon;
NTSTATUS status;
struct connection_struct *conn;
status = smb1srv_tcon_create(req->xconn, now, &tcon);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("make_connection_smb1: Couldn't find free tcon %s.\n",
nt_errstr(status)));
*pstatus = status;
return NULL;
}
conn = conn_new(req->sconn);
if (!conn) {
TALLOC_FREE(tcon);
DEBUG(0,("make_connection_smb1: Couldn't find free connection.\n"));
*pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
return NULL;
}
conn->cnum = tcon->global->tcon_wire_id;
conn->tcon = tcon;
*pstatus = make_connection_snum(req->xconn,
conn,
snum,
vuser,
pdev);
if (!NT_STATUS_IS_OK(*pstatus)) {
conn_free(conn);
TALLOC_FREE(tcon);
return NULL;
}
tcon->global->share_name = lp_servicename(tcon->global, SNUM(conn));
if (tcon->global->share_name == NULL) {
conn_free(conn);
TALLOC_FREE(tcon);
*pstatus = NT_STATUS_NO_MEMORY;
return NULL;
}
tcon->global->session_global_id =
vuser->session->global->session_global_id;
tcon->compat = talloc_move(tcon, &conn);
tcon->status = NT_STATUS_OK;
*pstatus = smbXsrv_tcon_update(tcon);
if (!NT_STATUS_IS_OK(*pstatus)) {
TALLOC_FREE(tcon);
return NULL;
}
return tcon->compat;
}
/**
* get the list of share names defined in the configuration.
*/
static WERROR smbconf_txt_get_share_names(struct smbconf_ctx *ctx,
TALLOC_CTX *mem_ctx,
uint32_t *num_shares,
char ***share_names)
{
uint32_t count;
uint32_t added_count = 0;
TALLOC_CTX *tmp_ctx = NULL;
WERROR werr = WERR_OK;
char **tmp_share_names = NULL;
if ((num_shares == NULL) || (share_names == NULL)) {
werr = WERR_INVALID_PARAM;
goto done;
}
werr = smbconf_txt_load_file(ctx);
if (!W_ERROR_IS_OK(werr)) {
return werr;
}
tmp_ctx = talloc_stackframe();
/* make sure "global" is always listed first,
* possibly after NULL section */
if (smbconf_share_exists(ctx, NULL)) {
werr = smbconf_add_string_to_array(tmp_ctx, &tmp_share_names,
0, NULL);
if (!W_ERROR_IS_OK(werr)) {
goto done;
}
added_count++;
}
if (smbconf_share_exists(ctx, GLOBAL_NAME)) {
werr = smbconf_add_string_to_array(tmp_ctx, &tmp_share_names,
added_count, GLOBAL_NAME);
if (!W_ERROR_IS_OK(werr)) {
goto done;
}
added_count++;
}
for (count = 0; count < pd(ctx)->cache->num_shares; count++) {
if (strequal(pd(ctx)->cache->share_names[count], GLOBAL_NAME) ||
(pd(ctx)->cache->share_names[count] == NULL))
{
continue;
}
werr = smbconf_add_string_to_array(tmp_ctx, &tmp_share_names,
added_count,
pd(ctx)->cache->share_names[count]);
if (!W_ERROR_IS_OK(werr)) {
goto done;
}
added_count++;
}
*num_shares = added_count;
if (added_count > 0) {
*share_names = talloc_move(mem_ctx, &tmp_share_names);
} else {
*share_names = NULL;
}
done:
talloc_free(tmp_ctx);
return werr;
}
NTSTATUS dcerpc_winreg_enum_keys(TALLOC_CTX *mem_ctx,
struct dcerpc_binding_handle *h,
struct policy_handle *key_hnd,
uint32_t *pnum_subkeys,
const char ***psubkeys,
WERROR *pwerr)
{
const char **subkeys;
uint32_t num_subkeys, max_subkeylen, max_classlen;
uint32_t num_values, max_valnamelen, max_valbufsize;
uint32_t i;
NTTIME last_changed_time;
uint32_t secdescsize;
struct winreg_String classname;
WERROR result = WERR_OK;
NTSTATUS status;
TALLOC_CTX *tmp_ctx;
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCT(classname);
status = dcerpc_winreg_QueryInfoKey(h,
tmp_ctx,
key_hnd,
&classname,
&num_subkeys,
&max_subkeylen,
&max_classlen,
&num_values,
&max_valnamelen,
&max_valbufsize,
&secdescsize,
&last_changed_time,
&result);
if (!NT_STATUS_IS_OK(status)) {
goto error;
}
if (!W_ERROR_IS_OK(result)) {
*pwerr = result;
goto error;
}
subkeys = talloc_zero_array(tmp_ctx, const char *, num_subkeys + 2);
if (subkeys == NULL) {
*pwerr = WERR_NOMEM;
goto error;
}
if (num_subkeys == 0) {
subkeys[0] = talloc_strdup(subkeys, "");
if (subkeys[0] == NULL) {
*pwerr = WERR_NOMEM;
goto error;
}
*pnum_subkeys = 0;
if (psubkeys) {
*psubkeys = talloc_move(mem_ctx, &subkeys);
}
TALLOC_FREE(tmp_ctx);
return NT_STATUS_OK;
}
for (i = 0; i < num_subkeys; i++) {
char c = '\0';
char n = '\0';
char *name = NULL;
struct winreg_StringBuf class_buf;
struct winreg_StringBuf name_buf;
NTTIME modtime;
class_buf.name = &c;
class_buf.size = max_classlen + 2;
class_buf.length = 0;
name_buf.name = &n;
name_buf.size = max_subkeylen + 2;
name_buf.length = 0;
ZERO_STRUCT(modtime);
status = dcerpc_winreg_EnumKey(h,
tmp_ctx,
key_hnd,
i,
&name_buf,
&class_buf,
&modtime,
&result);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(5, ("dcerpc_winreg_enum_keys: Could not enumerate keys: %s\n",
nt_errstr(status)));
goto error;
}
if (W_ERROR_EQUAL(result, WERR_NO_MORE_ITEMS) ) {
*pwerr = WERR_OK;
break;
}
if (!W_ERROR_IS_OK(result)) {
DEBUG(5, ("dcerpc_winreg_enum_keys: Could not enumerate keys: %s\n",
win_errstr(result)));
*pwerr = result;
goto error;
}
if (name_buf.name == NULL) {
*pwerr = WERR_INVALID_PARAMETER;
goto error;
}
name = talloc_strdup(subkeys, name_buf.name);
if (name == NULL) {
*pwerr = WERR_NOMEM;
goto error;
}
subkeys[i] = name;
}
*pnum_subkeys = num_subkeys;
if (psubkeys) {
*psubkeys = talloc_move(mem_ctx, &subkeys);
}
error:
TALLOC_FREE(tmp_ctx);
return status;
}
static NTSTATUS idmap_tdb_open_db(struct idmap_domain *dom)
{
NTSTATUS ret;
TALLOC_CTX *mem_ctx;
char *tdbfile = NULL;
struct db_context *db = NULL;
int32_t version;
bool config_error = false;
struct idmap_tdb_context *ctx;
ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context);
if (ctx->db) {
/* it is already open */
return NT_STATUS_OK;
}
/* use our own context here */
mem_ctx = talloc_stackframe();
/* use the old database if present */
tdbfile = state_path("winbindd_idmap.tdb");
if (!tdbfile) {
DEBUG(0, ("Out of memory!\n"));
ret = NT_STATUS_NO_MEMORY;
goto done;
}
DEBUG(10,("Opening tdbfile %s\n", tdbfile ));
/* Open idmap repository */
db = db_open(mem_ctx, tdbfile, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
DBWRAP_LOCK_ORDER_1);
if (!db) {
DEBUG(0, ("Unable to open idmap database\n"));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
/* check against earlier versions */
ret = dbwrap_fetch_int32(db, "IDMAP_VERSION", &version);
if (!NT_STATUS_IS_OK(ret)) {
version = -1;
}
if (version != IDMAP_VERSION) {
if (config_error) {
DEBUG(0,("Upgrade of IDMAP_VERSION from %d to %d is not "
"possible with incomplete configuration\n",
version, IDMAP_VERSION));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
if (dbwrap_transaction_start(db) != 0) {
DEBUG(0, ("Unable to start upgrade transaction!\n"));
ret = NT_STATUS_INTERNAL_DB_ERROR;
goto done;
}
if (!idmap_tdb_upgrade(dom, db)) {
dbwrap_transaction_cancel(db);
DEBUG(0, ("Unable to open idmap database, it's in an old format, and upgrade failed!\n"));
ret = NT_STATUS_INTERNAL_DB_ERROR;
goto done;
}
if (dbwrap_transaction_commit(db) != 0) {
DEBUG(0, ("Unable to commit upgrade transaction!\n"));
ret = NT_STATUS_INTERNAL_DB_ERROR;
goto done;
}
}
ctx->db = talloc_move(ctx, &db);
ret = idmap_tdb_init_hwm(dom);
done:
talloc_free(mem_ctx);
return ret;
}
static errno_t sudosrv_get_user(struct sudo_dom_ctx *dctx)
{
TALLOC_CTX *tmp_ctx = NULL;
struct sss_domain_info *dom = dctx->domain;
struct sudo_cmd_ctx *cmd_ctx = dctx->cmd_ctx;
struct cli_ctx *cli_ctx = dctx->cmd_ctx->cli_ctx;
struct ldb_result *user;
time_t cache_expire = 0;
struct tevent_req *dpreq;
struct dp_callback_ctx *cb_ctx;
const char *original_name = NULL;
const char *extra_flag = NULL;
char *name = NULL;
uid_t uid = 0;
errno_t ret;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
return ENOMEM;
}
while (dom) {
/* if it is a domainless search, skip domains that require fully
* qualified names instead */
while (dom && cmd_ctx->check_next && dom->fqnames) {
dom = get_next_domain(dom, false);
}
if (!dom) break;
/* make sure to update the dctx if we changed domain */
dctx->domain = dom;
talloc_free(name);
name = sss_get_cased_name(tmp_ctx, cmd_ctx->username,
dom->case_sensitive);
if (name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n");
ret = ENOMEM;
goto done;
}
name = sss_reverse_replace_space(tmp_ctx, name,
cmd_ctx->sudo_ctx->rctx->override_space);
if (name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
"sss_reverse_replace_whitespaces failed\n");
return ENOMEM;
}
DEBUG(SSSDBG_FUNC_DATA, "Requesting info about [%s@%s]\n",
name, dom->name);
ret = sysdb_getpwnam_with_views(dctx, dctx->domain, name, &user);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Failed to make request to our cache!\n");
ret = EIO;
goto done;
}
if (user->count > 1) {
DEBUG(SSSDBG_CRIT_FAILURE,
"getpwnam call returned more than one result !?!\n");
ret = EIO;
goto done;
}
if (user->count == 0 && !dctx->check_provider) {
/* if a multidomain search, try with next */
if (cmd_ctx->check_next) {
dctx->check_provider = true;
dom = get_next_domain(dom, false);
if (dom) continue;
}
DEBUG(SSSDBG_MINOR_FAILURE, "No results for getpwnam call\n");
ret = ENOENT;
goto done;
}
/* One result found, check cache expiry */
if (user->count == 1) {
cache_expire = ldb_msg_find_attr_as_uint64(user->msgs[0],
SYSDB_CACHE_EXPIRE, 0);
}
/* If cache miss and we haven't checked DP yet OR the entry is
* outdated, go to DP */
if ((user->count == 0 || cache_expire < time(NULL))
&& dctx->check_provider) {
if (DOM_HAS_VIEWS(dom) && user->count == 0) {
extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
}
dpreq = sss_dp_get_account_send(cli_ctx, cli_ctx->rctx,
dom, false, SSS_DP_INITGROUPS,
cmd_ctx->username, 0, extra_flag);
if (!dpreq) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Out of memory sending data provider request\n");
ret = ENOMEM;
goto done;
}
cb_ctx = talloc_zero(cli_ctx, struct dp_callback_ctx);
if(!cb_ctx) {
talloc_zfree(dpreq);
ret = ENOMEM;
goto done;
}
cb_ctx->callback = sudosrv_check_user_dp_callback;
cb_ctx->ptr = dctx;
cb_ctx->cctx = cli_ctx;
cb_ctx->mem_ctx = cli_ctx;
tevent_req_set_callback(dpreq, sudosrv_dp_send_acct_req_done, cb_ctx);
/* tell caller we are in an async call */
ret = EAGAIN;
goto done;
}
/* check uid */
uid = sss_view_ldb_msg_find_attr_as_uint64(dom, user->msgs[0],
SYSDB_UIDNUM, 0);
if (uid != cmd_ctx->uid) {
/* if a multidomain search, try with next */
if (cmd_ctx->check_next) {
dctx->check_provider = true;
dom = get_next_domain(dom, false);
if (dom) continue;
}
DEBUG(SSSDBG_MINOR_FAILURE, "UID does not match\n");
ret = ENOENT;
goto done;
}
/* user is stored in cache, remember cased and original name */
original_name = ldb_msg_find_attr_as_string(user->msgs[0],
SYSDB_NAME, NULL);
if (original_name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "A user with no name?\n");
ret = EFAULT;
goto done;
}
cmd_ctx->cased_username = talloc_move(cmd_ctx, &name);
cmd_ctx->orig_username = talloc_strdup(cmd_ctx, original_name);
if (cmd_ctx->orig_username == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n");
ret = ENOMEM;
goto done;
}
/* and set domain */
cmd_ctx->domain = dom;
DEBUG(SSSDBG_TRACE_FUNC, "Returning info for user [%s@%s]\n",
cmd_ctx->username, dctx->domain->name);
ret = EOK;
goto done;
}
ret = ENOENT;
done:
talloc_free(tmp_ctx);
return ret;
}
static NTSTATUS smbd_smb2_bind_auth_return(struct smbXsrv_session *session,
struct smbXsrv_session_auth0 **_auth,
struct smbd_smb2_request *smb2req,
struct auth_session_info *session_info,
uint16_t *out_session_flags,
uint64_t *out_session_id)
{
NTSTATUS status;
struct smbXsrv_session *x = session;
struct smbXsrv_session_auth0 *auth = *_auth;
struct smbXsrv_connection *xconn = smb2req->xconn;
struct smbXsrv_channel_global0 *c = NULL;
uint8_t session_key[16];
size_t i;
struct _derivation {
DATA_BLOB label;
DATA_BLOB context;
};
struct {
struct _derivation signing;
} derivation = { };
bool ok;
*_auth = NULL;
if (xconn->protocol >= PROTOCOL_SMB3_10) {
struct smbXsrv_preauth *preauth;
struct _derivation *d;
DATA_BLOB p;
struct hc_sha512state sctx;
preauth = talloc_move(smb2req, &auth->preauth);
samba_SHA512_Init(&sctx);
samba_SHA512_Update(&sctx, preauth->sha512_value,
sizeof(preauth->sha512_value));
for (i = 1; i < smb2req->in.vector_count; i++) {
samba_SHA512_Update(&sctx,
smb2req->in.vector[i].iov_base,
smb2req->in.vector[i].iov_len);
}
samba_SHA512_Final(preauth->sha512_value, &sctx);
p = data_blob_const(preauth->sha512_value,
sizeof(preauth->sha512_value));
d = &derivation.signing;
d->label = data_blob_string_const_null("SMBSigningKey");
d->context = p;
} else if (xconn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d;
d = &derivation.signing;
d->label = data_blob_string_const_null("SMB2AESCMAC");
d->context = data_blob_string_const_null("SmbSign");
}
status = smbXsrv_session_find_channel(session, xconn, &c);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
ok = security_token_is_sid(session_info->security_token,
&x->global->auth_session_info->security_token->sids[0]);
if (!ok) {
return NT_STATUS_NOT_SUPPORTED;
}
if (session_info->session_key.length == 0) {
/* See [MS-SMB2] 3.3.5.2.4 for the return code. */
return NT_STATUS_NOT_SUPPORTED;
}
ZERO_STRUCT(session_key);
memcpy(session_key, session_info->session_key.data,
MIN(session_info->session_key.length, sizeof(session_key)));
c->signing_key = data_blob_talloc(x->global,
session_key,
sizeof(session_key));
if (c->signing_key.data == NULL) {
ZERO_STRUCT(session_key);
return NT_STATUS_NO_MEMORY;
}
if (xconn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d = &derivation.signing;
smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
c->signing_key.data);
}
ZERO_STRUCT(session_key);
TALLOC_FREE(auth);
status = smbXsrv_session_update(session);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n",
(unsigned long long)session->compat->vuid,
nt_errstr(status)));
return NT_STATUS_LOGON_FAILURE;
}
*out_session_id = session->global->session_wire_id;
return NT_STATUS_OK;
}
NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
{
struct gensec_ntlmssp_context *gensec_ntlmssp =
talloc_get_type_abort(gensec_security->private_data,
struct gensec_ntlmssp_context);
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
uint32_t chal_flags, ntlmssp_command, unkn1 = 0, unkn2 = 0;
DATA_BLOB server_domain_blob;
DATA_BLOB challenge_blob;
DATA_BLOB target_info = data_blob(NULL, 0);
char *server_domain;
const char *chal_parse_string;
const char *chal_parse_string_short = NULL;
const char *auth_gen_string;
DATA_BLOB lm_response = data_blob(NULL, 0);
DATA_BLOB nt_response = data_blob(NULL, 0);
DATA_BLOB session_key = data_blob(NULL, 0);
DATA_BLOB lm_session_key = data_blob(NULL, 0);
DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
NTSTATUS nt_status;
int flags = 0;
const char *user = NULL, *domain = NULL, *workstation = NULL;
bool is_anonymous = false;
const DATA_BLOB version_blob = ntlmssp_version_blob();
TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
if (!mem_ctx) {
return NT_STATUS_NO_MEMORY;
}
if (!msrpc_parse(mem_ctx,
&in, "CdBd",
"NTLMSSP",
&ntlmssp_command,
&server_domain_blob,
&chal_flags)) {
DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
dump_data(2, in.data, in.length);
talloc_free(mem_ctx);
return NT_STATUS_INVALID_PARAMETER;
}
data_blob_free(&server_domain_blob);
DEBUG(3, ("Got challenge flags:\n"));
debug_ntlmssp_flags(chal_flags);
ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, ntlmssp_state->allow_lm_key);
if (ntlmssp_state->unicode) {
if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
chal_parse_string = "CdUdbddB";
} else {
chal_parse_string = "CdUdbdd";
chal_parse_string_short = "CdUdb";
}
auth_gen_string = "CdBBUUUBdb";
} else {
if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
chal_parse_string = "CdAdbddB";
} else {
chal_parse_string = "CdAdbdd";
chal_parse_string_short = "CdAdb";
}
auth_gen_string = "CdBBAAABdb";
}
if (!msrpc_parse(mem_ctx,
&in, chal_parse_string,
"NTLMSSP",
&ntlmssp_command,
&server_domain,
&chal_flags,
&challenge_blob, 8,
&unkn1, &unkn2,
&target_info)) {
bool ok = false;
DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#2)\n"));
if (chal_parse_string_short != NULL) {
/*
* In the case where NTLMSSP_NEGOTIATE_TARGET_INFO
* is not used, some NTLMSSP servers don't return
* the unused unkn1 and unkn2 fields.
* See bug:
* https://bugzilla.samba.org/show_bug.cgi?id=10016
* for packet traces.
* Try and parse again without them.
*/
ok = msrpc_parse(mem_ctx,
&in, chal_parse_string_short,
"NTLMSSP",
&ntlmssp_command,
&server_domain,
&chal_flags,
&challenge_blob, 8);
if (!ok) {
DEBUG(1, ("Failed to short parse "
"the NTLMSSP Challenge: (#2)\n"));
}
}
if (!ok) {
dump_data(2, in.data, in.length);
talloc_free(mem_ctx);
return NT_STATUS_INVALID_PARAMETER;
}
}
if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
ntlmssp_state->server.is_standalone = true;
} else {
ntlmssp_state->server.is_standalone = false;
}
/* TODO: parse struct_blob and fill in the rest */
ntlmssp_state->server.netbios_name = "";
ntlmssp_state->server.netbios_domain = talloc_move(ntlmssp_state, &server_domain);
ntlmssp_state->server.dns_name = "";
ntlmssp_state->server.dns_domain = "";
if (challenge_blob.length != 8) {
talloc_free(mem_ctx);
return NT_STATUS_INVALID_PARAMETER;
}
is_anonymous = cli_credentials_is_anonymous(gensec_security->credentials);
cli_credentials_get_ntlm_username_domain(gensec_security->credentials, mem_ctx,
&user, &domain);
workstation = cli_credentials_get_workstation(gensec_security->credentials);
if (user == NULL) {
DEBUG(10, ("User is NULL, returning INVALID_PARAMETER\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (domain == NULL) {
DEBUG(10, ("Domain is NULL, returning INVALID_PARAMETER\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (workstation == NULL) {
DEBUG(10, ("Workstation is NULL, returning INVALID_PARAMETER\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (is_anonymous) {
ntlmssp_state->neg_flags |= NTLMSSP_ANONYMOUS;
/*
* don't use the ccache for anonymous auth
*/
ntlmssp_state->use_ccache = false;
}
if (ntlmssp_state->use_ccache) {
struct samr_Password *nt_hash = NULL;
/*
* If we have a password given we don't
* use the ccache
*/
nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials,
mem_ctx);
if (nt_hash != NULL) {
ZERO_STRUCTP(nt_hash);
TALLOC_FREE(nt_hash);
ntlmssp_state->use_ccache = false;
}
}
if (ntlmssp_state->use_ccache) {
struct wbcCredentialCacheParams params;
struct wbcCredentialCacheInfo *info = NULL;
struct wbcAuthErrorInfo *error = NULL;
struct wbcNamedBlob auth_blobs[1];
const struct wbcBlob *wbc_auth_blob = NULL;
const struct wbcBlob *wbc_session_key = NULL;
wbcErr wbc_status;
int i;
params.account_name = user;
params.domain_name = domain;
params.level = WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP;
auth_blobs[0].name = "challenge_blob";
auth_blobs[0].flags = 0;
auth_blobs[0].blob.data = in.data;
auth_blobs[0].blob.length = in.length;
params.num_blobs = ARRAY_SIZE(auth_blobs);
params.blobs = auth_blobs;
wbc_status = wbcCredentialCache(¶ms, &info, &error);
wbcFreeMemory(error);
if (!WBC_ERROR_IS_OK(wbc_status)) {
return NT_STATUS_WRONG_CREDENTIAL_HANDLE;
}
for (i=0; i<info->num_blobs; i++) {
if (strequal(info->blobs[i].name, "auth_blob")) {
wbc_auth_blob = &info->blobs[i].blob;
}
if (strequal(info->blobs[i].name, "session_key")) {
wbc_session_key = &info->blobs[i].blob;
}
}
if ((wbc_auth_blob == NULL) || (wbc_session_key == NULL)) {
wbcFreeMemory(info);
return NT_STATUS_WRONG_CREDENTIAL_HANDLE;
}
session_key = data_blob_talloc(mem_ctx,
wbc_session_key->data,
wbc_session_key->length);
if (session_key.length != wbc_session_key->length) {
wbcFreeMemory(info);
return NT_STATUS_NO_MEMORY;
}
*out = data_blob_talloc(mem_ctx,
wbc_auth_blob->data,
wbc_auth_blob->length);
if (out->length != wbc_auth_blob->length) {
wbcFreeMemory(info);
return NT_STATUS_NO_MEMORY;
}
wbcFreeMemory(info);
goto done;
}
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
flags |= CLI_CRED_NTLM2;
}
if (ntlmssp_state->use_ntlmv2) {
flags |= CLI_CRED_NTLMv2_AUTH;
}
if (ntlmssp_state->use_nt_response) {
flags |= CLI_CRED_NTLM_AUTH;
}
if (lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx)) {
flags |= CLI_CRED_LANMAN_AUTH;
}
nt_status = cli_credentials_get_ntlm_response(gensec_security->credentials, mem_ctx,
&flags, challenge_blob, target_info,
&lm_response, &nt_response,
&lm_session_key, &session_key);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
if (!(flags & CLI_CRED_LANMAN_AUTH)) {
/* LM Key is still possible, just silly, so we do not
* allow it. Fortunetly all LM crypto is off by
* default and we require command line options to end
* up here */
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
}
if (!(flags & CLI_CRED_NTLM2)) {
/* NTLM2 is incompatible... */
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
}
if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
&& lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx) && lm_session_key.length == 16) {
DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16);
if (lm_response.length == 24) {
SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data,
new_session_key.data);
} else {
static const uint8_t zeros[24];
SMBsesskeygen_lm_sess_key(lm_session_key.data, zeros,
new_session_key.data);
}
session_key = new_session_key;
dump_data_pw("LM session key\n", session_key.data, session_key.length);
}
/* Key exchange encryptes a new client-generated session key with
the password-derived key */
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
/* Make up a new session key */
uint8_t client_session_key[16];
generate_secret_buffer(client_session_key, sizeof(client_session_key));
/* Encrypt the new session key with the old one */
encrypted_session_key = data_blob_talloc(ntlmssp_state,
client_session_key, sizeof(client_session_key));
dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
arcfour_crypt(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
/* Mark the new session key as the 'real' session key */
session_key = data_blob_talloc(mem_ctx, client_session_key, sizeof(client_session_key));
}
/* this generates the actual auth packet */
nt_status = msrpc_gen(mem_ctx,
out, auth_gen_string,
"NTLMSSP",
NTLMSSP_AUTH,
lm_response.data, lm_response.length,
nt_response.data, nt_response.length,
domain,
user,
workstation,
encrypted_session_key.data, encrypted_session_key.length,
ntlmssp_state->neg_flags,
version_blob.data, version_blob.length);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
done:
ntlmssp_state->session_key = session_key;
talloc_steal(ntlmssp_state, session_key.data);
DEBUG(3, ("NTLMSSP: Set final flags:\n"));
debug_ntlmssp_flags(ntlmssp_state->neg_flags);
talloc_steal(out_mem_ctx, out->data);
ntlmssp_state->expected_state = NTLMSSP_DONE;
if (gensec_security->want_features & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)) {
nt_status = ntlmssp_sign_init(ntlmssp_state);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n",
nt_errstr(nt_status)));
talloc_free(mem_ctx);
return nt_status;
}
}
talloc_free(mem_ctx);
return NT_STATUS_OK;
}
int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded,
char **password)
{
SECStatus sret;
int ret;
TALLOC_CTX *tmp_ctx = NULL;
struct crypto_mech_data *mech_props;
struct sss_nss_crypto_ctx *cctx;
int plainlen;
unsigned int digestlen;
unsigned char *obfbuf = NULL;
size_t obflen;
char *pwdbuf;
/* for unmarshaling data */
uint16_t meth;
uint16_t ctsize;
size_t p = 0;
unsigned char *cryptotext;
unsigned char *keybuf;
unsigned char *ivbuf;
unsigned char sentinel_check[OBF_BUFFER_SENTINEL_SIZE];
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
return ENOMEM;
}
/* initialize NSS if needed */
ret = nspr_nss_init();
if (ret != EOK) {
ret = EIO;
goto done;
}
/* Base64 decode the incoming buffer */
obfbuf = sss_base64_decode(tmp_ctx, b64encoded, &obflen);
if (!obfbuf) {
ret = ENOMEM;
goto done;
}
/* unpack obfuscation buffer */
SAFEALIGN_COPY_UINT16_CHECK(&meth, obfbuf+p, obflen, &p);
DEBUG(SSSDBG_TRACE_INTERNAL, "Read method: %d\n", meth);
SAFEALIGN_COPY_UINT16_CHECK(&ctsize, obfbuf+p, obflen, &p);
DEBUG(SSSDBG_TRACE_INTERNAL, "Read bufsize: %d\n", ctsize);
mech_props = get_crypto_mech_data(meth);
if (mech_props == NULL) {
ret = EINVAL;
goto done;
}
/* check that we got sane mechanism properties and cryptotext size */
memcpy(sentinel_check,
obfbuf + p + mech_props->keylen + mech_props->bsize + ctsize,
OBF_BUFFER_SENTINEL_SIZE);
if (memcmp(sentinel_check, OBF_BUFFER_SENTINEL, OBF_BUFFER_SENTINEL_SIZE) != 0) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Obfuscation buffer seems corrupt, aborting\n");
ret = EFAULT;
goto done;
}
/* copy out key, ivbuf and cryptotext */
keybuf = talloc_array(tmp_ctx, unsigned char, mech_props->keylen);
if (keybuf == NULL) {
ret = ENOMEM;
goto done;
}
safealign_memcpy(keybuf, obfbuf+p, mech_props->keylen, &p);
ivbuf = talloc_array(tmp_ctx, unsigned char, mech_props->bsize);
if (ivbuf == NULL) {
ret = ENOMEM;
goto done;
}
safealign_memcpy(ivbuf, obfbuf+p, mech_props->bsize, &p);
cryptotext = talloc_array(tmp_ctx, unsigned char, ctsize);
if (cryptotext == NULL) {
ret = ENOMEM;
goto done;
}
safealign_memcpy(cryptotext, obfbuf+p, ctsize, &p);
ret = nss_ctx_init(tmp_ctx, mech_props, &cctx);
if (ret) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize NSS context\n");
goto done;
}
cctx->iv = talloc_zero(cctx, SECItem);
cctx->key = talloc_zero(cctx, SECItem);
if (!cctx->iv || !cctx->key) {
ret = ENOMEM;
goto done;
}
MAKE_SECITEM(ivbuf, mech_props->bsize, cctx->iv);
MAKE_SECITEM(keybuf, mech_props->keylen, cctx->key);
ret = nss_encrypt_decrypt_init(mech_props, false, cctx);
if (ret) {
goto done;
}
pwdbuf = talloc_array(tmp_ctx, char, ctsize);
if (!pwdbuf) {
ret = ENOMEM;
goto done;
}
sret = PK11_CipherOp(cctx->ectx, (unsigned char *) pwdbuf, &plainlen, ctsize,
cryptotext, ctsize);
if (sret != SECSuccess) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot execute the encryption operation (err %d)\n",
PR_GetError());
ret = EIO;
goto done;
}
sret = PK11_DigestFinal(cctx->ectx, (unsigned char *) pwdbuf+plainlen, &digestlen,
ctsize - plainlen);
if (sret != SECSuccess) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot execute the encryption operation (err %d)\n",
PR_GetError());
ret = EIO;
goto done;
}
*password = talloc_move(mem_ctx, &pwdbuf);
ret = EOK;
done:
talloc_free(tmp_ctx);
nspr_nss_cleanup();
return ret;
}
bool is_printer_published(TALLOC_CTX *mem_ctx,
const struct auth_session_info *session_info,
struct messaging_context *msg_ctx,
const char *servername, char *printer, struct GUID *guid,
struct spoolss_PrinterInfo2 **info2)
{
struct spoolss_PrinterInfo2 *pinfo2 = NULL;
enum winreg_Type type;
uint8_t *data;
uint32_t data_size;
WERROR result;
NTSTATUS status;
struct dcerpc_binding_handle *b;
result = winreg_printer_binding_handle(mem_ctx,
session_info,
msg_ctx,
&b);
if (!W_ERROR_IS_OK(result)) {
return false;
}
result = winreg_get_printer(mem_ctx, b,
printer, &pinfo2);
if (!W_ERROR_IS_OK(result)) {
return false;
}
if (!(pinfo2->attributes & PRINTER_ATTRIBUTE_PUBLISHED)) {
TALLOC_FREE(pinfo2);
return false;
}
if (!guid) {
goto done;
}
/* fetching printer guids really ought to be a separate function. */
result = winreg_get_printer_dataex(mem_ctx, b,
printer,
SPOOL_DSSPOOLER_KEY, "objectGUID",
&type, &data, &data_size);
if (!W_ERROR_IS_OK(result)) {
TALLOC_FREE(pinfo2);
return false;
}
/* We used to store the guid as REG_BINARY, then swapped
to REG_SZ for Vista compatibility so check for both */
switch (type) {
case REG_SZ:
status = GUID_from_string((char *)data, guid);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(pinfo2);
return false;
}
break;
case REG_BINARY:
if (data_size != sizeof(struct GUID)) {
TALLOC_FREE(pinfo2);
return false;
}
memcpy(guid, data, sizeof(struct GUID));
break;
default:
DEBUG(0,("is_printer_published: GUID value stored as "
"invaluid type (%d)\n", type));
break;
}
done:
if (info2) {
*info2 = talloc_move(mem_ctx, &pinfo2);
}
talloc_free(pinfo2);
return true;
}
/**
* get a definition of a share (service) from configuration.
*/
static WERROR smbconf_txt_get_share(struct smbconf_ctx *ctx,
TALLOC_CTX *mem_ctx,
const char *servicename,
struct smbconf_service **service)
{
WERROR werr;
uint32_t sidx, count;
bool found;
TALLOC_CTX *tmp_ctx = NULL;
struct smbconf_service *tmp_service = NULL;
werr = smbconf_txt_load_file(ctx);
if (!W_ERROR_IS_OK(werr)) {
return werr;
}
found = smbconf_find_in_array(servicename,
pd(ctx)->cache->share_names,
pd(ctx)->cache->num_shares,
&sidx);
if (!found) {
return WERR_NO_SUCH_SERVICE;
}
tmp_ctx = talloc_stackframe();
tmp_service = TALLOC_ZERO_P(tmp_ctx, struct smbconf_service);
if (tmp_service == NULL) {
werr = WERR_NOMEM;
goto done;
}
if (servicename != NULL) {
tmp_service->name = talloc_strdup(tmp_service, servicename);
if (tmp_service->name == NULL) {
werr = WERR_NOMEM;
goto done;
}
}
for (count = 0; count < pd(ctx)->cache->num_params[sidx]; count++) {
werr = smbconf_add_string_to_array(tmp_service,
&(tmp_service->param_names),
count,
pd(ctx)->cache->param_names[sidx][count]);
if (!W_ERROR_IS_OK(werr)) {
goto done;
}
werr = smbconf_add_string_to_array(tmp_service,
&(tmp_service->param_values),
count,
pd(ctx)->cache->param_values[sidx][count]);
if (!W_ERROR_IS_OK(werr)) {
goto done;
}
}
tmp_service->num_params = count;
if (count > 0) {
*service = talloc_move(mem_ctx, &tmp_service);
} else {
*service = NULL;
}
done:
talloc_free(tmp_ctx);
return werr;
}
static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx,
const struct auth_context *auth_context,
const char *ncalrpc_sockname,
struct netlogon_creds_CredentialState *creds,
const struct auth_usersupplied_info *user_info,
struct netr_SamInfo3 **pinfo3,
NTSTATUS *schannel_bind_result)
{
struct rpc_pipe_client *p = NULL;
struct pipe_auth_data *auth = NULL;
struct netr_SamInfo3 *info3 = NULL;
NTSTATUS status;
*schannel_bind_result = NT_STATUS_OK;
status = rpc_pipe_open_ncalrpc(talloc_tos(), ncalrpc_sockname,
&ndr_table_netlogon.syntax_id, &p);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("rpc_pipe_open_ncalrpc failed: %s\n",
nt_errstr(status)));
return status;
}
p->dc = creds;
status = rpccli_schannel_bind_data(p, lp_workgroup(),
DCERPC_AUTH_LEVEL_PRIVACY,
p->dc, &auth);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("rpccli_schannel_bind_data failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(p);
return status;
}
status = rpc_pipe_bind(p, auth);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
TALLOC_FREE(p);
*schannel_bind_result = status;
return status;
}
status = rpccli_netlogon_sam_network_logon_ex(
p, p,
user_info->logon_parameters, /* flags such as 'allow
* workstation logon' */
lp_netbios_name(), /* server name */
user_info->client.account_name, /* user name logging on. */
user_info->client.domain_name, /* domain name */
user_info->workstation_name, /* workstation name */
(uchar *)auth_context->challenge.data, /* 8 byte challenge. */
3, /* validation level */
user_info->password.response.lanman, /* lanman 24 byte response */
user_info->password.response.nt, /* nt 24 byte response */
&info3); /* info3 out */
DEBUG(10, ("rpccli_netlogon_sam_network_logon_ex returned %s\n",
nt_errstr(status)));
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(p);
return status;
}
*pinfo3 = talloc_move(mem_ctx, &info3);
TALLOC_FREE(p);
return NT_STATUS_OK;
}
static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
struct smbXsrv_session_auth0 **_auth,
struct smbd_smb2_request *smb2req,
uint8_t in_security_mode,
struct auth_session_info *session_info,
uint16_t *out_session_flags,
uint64_t *out_session_id)
{
NTSTATUS status;
bool guest = false;
uint8_t session_key[16];
struct smbXsrv_session *x = session;
struct smbXsrv_session_auth0 *auth = *_auth;
struct smbXsrv_connection *xconn = smb2req->xconn;
size_t i;
struct _derivation {
DATA_BLOB label;
DATA_BLOB context;
};
struct {
struct _derivation signing;
struct _derivation encryption;
struct _derivation decryption;
struct _derivation application;
} derivation = { };
*_auth = NULL;
if (xconn->protocol >= PROTOCOL_SMB3_10) {
struct smbXsrv_preauth *preauth;
struct _derivation *d;
DATA_BLOB p;
struct hc_sha512state sctx;
preauth = talloc_move(smb2req, &auth->preauth);
samba_SHA512_Init(&sctx);
samba_SHA512_Update(&sctx, preauth->sha512_value,
sizeof(preauth->sha512_value));
for (i = 1; i < smb2req->in.vector_count; i++) {
samba_SHA512_Update(&sctx,
smb2req->in.vector[i].iov_base,
smb2req->in.vector[i].iov_len);
}
samba_SHA512_Final(preauth->sha512_value, &sctx);
p = data_blob_const(preauth->sha512_value,
sizeof(preauth->sha512_value));
d = &derivation.signing;
d->label = data_blob_string_const_null("SMBSigningKey");
d->context = p;
d = &derivation.decryption;
d->label = data_blob_string_const_null("SMBC2SCipherKey");
d->context = p;
d = &derivation.encryption;
d->label = data_blob_string_const_null("SMBS2CCipherKey");
d->context = p;
d = &derivation.application;
d->label = data_blob_string_const_null("SMBAppKey");
d->context = p;
} else if (xconn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d;
d = &derivation.signing;
d->label = data_blob_string_const_null("SMB2AESCMAC");
d->context = data_blob_string_const_null("SmbSign");
d = &derivation.decryption;
d->label = data_blob_string_const_null("SMB2AESCCM");
d->context = data_blob_string_const_null("ServerIn ");
d = &derivation.encryption;
d->label = data_blob_string_const_null("SMB2AESCCM");
d->context = data_blob_string_const_null("ServerOut");
d = &derivation.application;
d->label = data_blob_string_const_null("SMB2APP");
d->context = data_blob_string_const_null("SmbRpc");
}
if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
lp_server_signing() == SMB_SIGNING_REQUIRED) {
x->global->signing_flags = SMBXSRV_SIGNING_REQUIRED;
}
if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
(xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
x->global->encryption_flags = SMBXSRV_ENCRYPTION_DESIRED;
}
if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
x->global->encryption_flags = SMBXSRV_ENCRYPTION_REQUIRED |
SMBXSRV_ENCRYPTION_DESIRED;
}
if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
/* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
/* force no signing */
x->global->signing_flags &= ~SMBXSRV_SIGNING_REQUIRED;
guest = true;
}
if (guest && (x->global->encryption_flags & SMBXSRV_ENCRYPTION_REQUIRED)) {
DEBUG(1,("reject guest session as encryption is required\n"));
return NT_STATUS_ACCESS_DENIED;
}
if (xconn->smb2.server.cipher == 0) {
if (x->global->encryption_flags & SMBXSRV_ENCRYPTION_REQUIRED) {
DEBUG(1,("reject session with dialect[0x%04X] "
"as encryption is required\n",
xconn->smb2.server.dialect));
return NT_STATUS_ACCESS_DENIED;
}
} else {
x->global->channels[0].encryption_cipher = xconn->smb2.server.cipher;
}
if (x->global->encryption_flags & SMBXSRV_ENCRYPTION_DESIRED) {
*out_session_flags |= SMB2_SESSION_FLAG_ENCRYPT_DATA;
}
ZERO_STRUCT(session_key);
memcpy(session_key, session_info->session_key.data,
MIN(session_info->session_key.length, sizeof(session_key)));
x->global->signing_key = data_blob_talloc(x->global,
session_key,
sizeof(session_key));
if (x->global->signing_key.data == NULL) {
ZERO_STRUCT(session_key);
return NT_STATUS_NO_MEMORY;
}
if (xconn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d = &derivation.signing;
smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
x->global->signing_key.data);
}
if (xconn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d = &derivation.decryption;
x->global->decryption_key = data_blob_talloc(x->global,
session_key,
sizeof(session_key));
if (x->global->decryption_key.data == NULL) {
ZERO_STRUCT(session_key);
return NT_STATUS_NO_MEMORY;
}
smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
x->global->decryption_key.data);
}
if (xconn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d = &derivation.encryption;
size_t nonce_size;
x->global->encryption_key = data_blob_talloc(x->global,
session_key,
sizeof(session_key));
if (x->global->encryption_key.data == NULL) {
ZERO_STRUCT(session_key);
return NT_STATUS_NO_MEMORY;
}
smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
x->global->encryption_key.data);
/*
* CCM and GCM algorithms must never have their
* nonce wrap, or the security of the whole
* communication and the keys is destroyed.
* We must drop the connection once we have
* transfered too much data.
*
* NOTE: We assume nonces greater than 8 bytes.
*/
generate_random_buffer((uint8_t *)&x->nonce_high_random,
sizeof(x->nonce_high_random));
switch (xconn->smb2.server.cipher) {
case SMB2_ENCRYPTION_AES128_CCM:
nonce_size = AES_CCM_128_NONCE_SIZE;
break;
case SMB2_ENCRYPTION_AES128_GCM:
nonce_size = AES_GCM_128_IV_SIZE;
break;
default:
nonce_size = 0;
break;
}
x->nonce_high_max = SMB2_NONCE_HIGH_MAX(nonce_size);
x->nonce_high = 0;
x->nonce_low = 0;
}
x->global->application_key = data_blob_dup_talloc(x->global,
x->global->signing_key);
if (x->global->application_key.data == NULL) {
ZERO_STRUCT(session_key);
return NT_STATUS_NO_MEMORY;
}
if (xconn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d = &derivation.application;
smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
x->global->application_key.data);
}
ZERO_STRUCT(session_key);
x->global->channels[0].signing_key = data_blob_dup_talloc(x->global->channels,
x->global->signing_key);
if (x->global->channels[0].signing_key.data == NULL) {
return NT_STATUS_NO_MEMORY;
}
data_blob_clear_free(&session_info->session_key);
session_info->session_key = data_blob_dup_talloc(session_info,
x->global->application_key);
if (session_info->session_key.data == NULL) {
return NT_STATUS_NO_MEMORY;
}
session->compat = talloc_zero(session, struct user_struct);
if (session->compat == NULL) {
return NT_STATUS_NO_MEMORY;
}
session->compat->session = session;
session->compat->homes_snum = -1;
session->compat->session_info = session_info;
session->compat->session_keystr = NULL;
session->compat->vuid = session->global->session_wire_id;
DLIST_ADD(smb2req->sconn->users, session->compat);
smb2req->sconn->num_users++;
if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
session->compat->homes_snum =
register_homes_share(session_info->unix_info->unix_name);
}
set_current_user_info(session_info->unix_info->sanitized_username,
session_info->unix_info->unix_name,
session_info->info->domain_name);
reload_services(smb2req->sconn, conn_snum_used, true);
session->status = NT_STATUS_OK;
session->global->auth_session_info = talloc_move(session->global,
&session_info);
session->global->auth_session_info_seqnum += 1;
for (i=0; i < session->global->num_channels; i++) {
struct smbXsrv_channel_global0 *_c =
&session->global->channels[i];
_c->auth_session_info_seqnum =
session->global->auth_session_info_seqnum;
}
session->global->auth_time = timeval_to_nttime(&smb2req->request_time);
session->global->expiration_time = gensec_expire_time(auth->gensec);
if (!session_claim(session)) {
DEBUG(1, ("smb2: Failed to claim session "
"for vuid=%llu\n",
(unsigned long long)session->compat->vuid));
return NT_STATUS_LOGON_FAILURE;
}
TALLOC_FREE(auth);
status = smbXsrv_session_update(session);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n",
(unsigned long long)session->compat->vuid,
nt_errstr(status)));
return NT_STATUS_LOGON_FAILURE;
}
/*
* we attach the session to the request
* so that the response can be signed
*/
if (!guest) {
smb2req->do_signing = true;
}
global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32);
*out_session_id = session->global->session_wire_id;
return NT_STATUS_OK;
}
/*
* Given the username/password, do a kinit, store the ticket in
* cache_name if specified, and return the PAC_LOGON_INFO (the
* structure containing the important user information such as
* groups).
*/
NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
const char *name,
const char *pass,
time_t time_offset,
time_t *expire_time,
time_t *renew_till_time,
const char *cache_name,
bool request_pac,
bool add_netbios_addr,
time_t renewable_time,
const char *impersonate_princ_s,
const char *local_service,
struct PAC_DATA_CTR **_pac_data_ctr)
{
krb5_error_code ret;
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
const char *auth_princ = NULL;
const char *cc = "MEMORY:kerberos_return_pac";
struct auth_session_info *session_info;
struct gensec_security *gensec_server_context;
const struct gensec_security_ops **backends;
struct gensec_settings *gensec_settings;
size_t idx = 0;
struct auth4_context *auth_context;
struct loadparm_context *lp_ctx;
struct PAC_DATA_CTR *pac_data_ctr = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
ZERO_STRUCT(tkt);
ZERO_STRUCT(ap_rep);
ZERO_STRUCT(sesskey1);
if (!name || !pass) {
return NT_STATUS_INVALID_PARAMETER;
}
if (cache_name) {
cc = cache_name;
}
if (!strchr_m(name, '@')) {
auth_princ = talloc_asprintf(mem_ctx, "%s@%s", name,
lp_realm());
} else {
auth_princ = name;
}
NT_STATUS_HAVE_NO_MEMORY(auth_princ);
ret = kerberos_kinit_password_ext(auth_princ,
pass,
time_offset,
expire_time,
renew_till_time,
cc,
request_pac,
add_netbios_addr,
renewable_time,
&status);
if (ret) {
DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
auth_princ, error_message(ret), ret));
/* status already set */
goto out;
}
DEBUG(10,("got TGT for %s in %s\n", auth_princ, cc));
if (expire_time) {
DEBUGADD(10,("\tvalid until: %s (%d)\n",
http_timestring(talloc_tos(), *expire_time),
(int)*expire_time));
}
if (renew_till_time) {
DEBUGADD(10,("\trenewable till: %s (%d)\n",
http_timestring(talloc_tos(), *renew_till_time),
(int)*renew_till_time));
}
/* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
* in that case fallback to NTLM - gd */
if (expire_time && renew_till_time &&
(*expire_time == 0) && (*renew_till_time == 0)) {
return NT_STATUS_INVALID_LOGON_TYPE;
}
ret = cli_krb5_get_ticket(mem_ctx,
local_service,
time_offset,
&tkt,
&sesskey1,
0,
cc,
NULL,
impersonate_princ_s);
if (ret) {
DEBUG(1,("failed to get ticket for %s: %s\n",
local_service, error_message(ret)));
if (impersonate_princ_s) {
DEBUGADD(1,("tried S4U2SELF impersonation as: %s\n",
impersonate_princ_s));
}
status = krb5_to_nt_status(ret);
goto out;
}
/* wrap that up in a nice GSS-API wrapping */
tkt_wrapped = spnego_gen_krb5_wrap(tmp_ctx, tkt, TOK_ID_KRB_AP_REQ);
if (tkt_wrapped.data == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
auth_context = talloc_zero(tmp_ctx, struct auth4_context);
if (auth_context == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
auth_context->generate_session_info_pac = kerberos_fetch_pac;
lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_helpers());
if (lp_ctx == NULL) {
status = NT_STATUS_INVALID_SERVER_STATE;
DEBUG(10, ("loadparm_init_s3 failed\n"));
goto out;
}
gensec_settings = lpcfg_gensec_settings(tmp_ctx, lp_ctx);
if (lp_ctx == NULL) {
status = NT_STATUS_NO_MEMORY;
DEBUG(10, ("lpcfg_gensec_settings failed\n"));
goto out;
}
backends = talloc_zero_array(gensec_settings,
const struct gensec_security_ops *, 2);
if (backends == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
gensec_settings->backends = backends;
gensec_init();
backends[idx++] = &gensec_gse_krb5_security_ops;
status = gensec_server_start(tmp_ctx, gensec_settings,
auth_context, &gensec_server_context);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, (__location__ "Failed to start server-side GENSEC to validate a Kerberos ticket: %s\n", nt_errstr(status)));
goto out;
}
talloc_unlink(tmp_ctx, lp_ctx);
talloc_unlink(tmp_ctx, gensec_settings);
talloc_unlink(tmp_ctx, auth_context);
status = gensec_start_mech_by_oid(gensec_server_context, GENSEC_OID_KERBEROS5);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, (__location__ "Failed to start server-side GENSEC krb5 to validate a Kerberos ticket: %s\n", nt_errstr(status)));
goto out;
}
/* Do a client-server update dance */
status = gensec_update(gensec_server_context, tmp_ctx, tkt_wrapped, &ap_rep);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("gensec_update() failed: %s\n", nt_errstr(status)));
goto out;
}
/* Now return the PAC information to the callers. We ingore
* the session_info and instead pick out the PAC via the
* private_data on the auth_context */
status = gensec_session_info(gensec_server_context, tmp_ctx, &session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Unable to obtain PAC via gensec_session_info\n"));
goto out;
}
pac_data_ctr = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
struct PAC_DATA_CTR);
if (pac_data_ctr == NULL) {
DEBUG(1,("no PAC\n"));
status = NT_STATUS_INVALID_PARAMETER;
goto out;
}
*_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
out:
talloc_free(tmp_ctx);
if (cc != cache_name) {
ads_kdestroy(cc);
}
data_blob_free(&tkt);
data_blob_free(&ap_rep);
data_blob_free(&sesskey1);
return status;
}
static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session,
struct smbXsrv_session_auth0 **_auth,
struct smbd_smb2_request *smb2req,
struct auth_session_info *session_info,
uint16_t *out_session_flags,
uint64_t *out_session_id)
{
NTSTATUS status;
struct smbXsrv_session *x = session;
struct smbXsrv_session_auth0 *auth = *_auth;
struct smbXsrv_connection *xconn = smb2req->xconn;
size_t i;
*_auth = NULL;
data_blob_clear_free(&session_info->session_key);
session_info->session_key = data_blob_dup_talloc(session_info,
x->global->application_key);
if (session_info->session_key.data == NULL) {
return NT_STATUS_NO_MEMORY;
}
session->compat->session_info = session_info;
session->compat->vuid = session->global->session_wire_id;
session->compat->homes_snum =
register_homes_share(session_info->unix_info->unix_name);
set_current_user_info(session_info->unix_info->sanitized_username,
session_info->unix_info->unix_name,
session_info->info->domain_name);
reload_services(smb2req->sconn, conn_snum_used, true);
session->status = NT_STATUS_OK;
TALLOC_FREE(session->global->auth_session_info);
session->global->auth_session_info = talloc_move(session->global,
&session_info);
session->global->auth_session_info_seqnum += 1;
for (i=0; i < session->global->num_channels; i++) {
struct smbXsrv_channel_global0 *_c =
&session->global->channels[i];
_c->auth_session_info_seqnum =
session->global->auth_session_info_seqnum;
}
session->global->auth_time = timeval_to_nttime(&smb2req->request_time);
session->global->expiration_time = gensec_expire_time(auth->gensec);
TALLOC_FREE(auth);
status = smbXsrv_session_update(session);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n",
(unsigned long long)session->compat->vuid,
nt_errstr(status)));
return NT_STATUS_LOGON_FAILURE;
}
conn_clear_vuid_caches(xconn->client->sconn, session->compat->vuid);
if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
smb2req->do_signing = true;
}
*out_session_id = session->global->session_wire_id;
return NT_STATUS_OK;
}
NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
{
NTSTATUS status;
if (*lp_force_user(talloc_tos(), snum)) {
/*
* Replace conn->session_info with a completely faked up one
* from the username we are forced into :-)
*/
char *fuser;
char *sanitized_username;
struct auth_session_info *forced_serverinfo;
bool guest;
fuser = talloc_string_sub(conn, lp_force_user(talloc_tos(), snum), "%S",
lp_const_servicename(snum));
if (fuser == NULL) {
return NT_STATUS_NO_MEMORY;
}
guest = security_session_user_level(conn->session_info, NULL) < SECURITY_USER;
status = make_session_info_from_username(
conn, fuser,
guest,
&forced_serverinfo);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* We don't want to replace the original sanitized_username
as it is the original user given in the connect attempt.
This is used in '%U' substitutions. */
sanitized_username = discard_const_p(char,
forced_serverinfo->unix_info->sanitized_username);
TALLOC_FREE(sanitized_username);
forced_serverinfo->unix_info->sanitized_username =
talloc_move(forced_serverinfo->unix_info,
&conn->session_info->unix_info->sanitized_username);
TALLOC_FREE(conn->session_info);
conn->session_info = forced_serverinfo;
conn->force_user = true;
DEBUG(3,("Forced user %s\n", fuser));
}
/*
* If force group is true, then override
* any groupid stored for the connecting user.
*/
if (*lp_force_group(talloc_tos(), snum)) {
status = find_forced_group(
conn->force_user, snum, conn->session_info->unix_info->unix_name,
&conn->session_info->security_token->sids[1],
&conn->session_info->unix_token->gid);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/*
* We need to cache this gid, to use within
* change_to_user() separately from the conn->session_info
* struct. We only use conn->session_info directly if
* "force_user" was set.
*/
conn->force_group_gid = conn->session_info->unix_token->gid;
}
return NT_STATUS_OK;
}
/*
handle recv events on a cldap socket
*/
static bool cldap_socket_recv_dgram(struct cldap_socket *c,
struct cldap_incoming *in)
{
DATA_BLOB blob;
struct asn1_data *asn1;
void *p;
struct cldap_search_state *search;
NTSTATUS status;
if (in->recv_errno != 0) {
goto error;
}
blob = data_blob_const(in->buf, in->len);
asn1 = asn1_init(in);
if (!asn1) {
goto nomem;
}
if (!asn1_load(asn1, blob)) {
goto nomem;
}
in->ldap_msg = talloc(in, struct ldap_message);
if (in->ldap_msg == NULL) {
goto nomem;
}
/* this initial decode is used to find the message id */
status = ldap_decode(asn1, NULL, in->ldap_msg);
if (!NT_STATUS_IS_OK(status)) {
goto nterror;
}
/* find the pending request */
p = idr_find(c->searches.idr, in->ldap_msg->messageid);
if (p == NULL) {
if (!c->incoming.handler) {
TALLOC_FREE(in);
return true;
}
/* this function should free or steal 'in' */
c->incoming.handler(c, c->incoming.private_data, in);
return false;
}
search = talloc_get_type_abort(p, struct cldap_search_state);
search->response.in = talloc_move(search, &in);
search->response.asn1 = asn1;
search->response.asn1->ofs = 0;
DLIST_REMOVE(c->searches.list, search);
if (cldap_recvfrom_setup(c)) {
tevent_req_done(search->req);
return true;
}
/*
* This request was ok, just defer the notify of the caller
* and then just fail the next request if needed
*/
tevent_req_defer_callback(search->req, search->caller.ev);
tevent_req_done(search->req);
status = NT_STATUS_NO_MEMORY;
/* in is NULL it this point */
goto nterror;
nomem:
in->recv_errno = ENOMEM;
error:
status = map_nt_error_from_unix_common(in->recv_errno);
nterror:
TALLOC_FREE(in);
/* in connected mode the first pending search gets the error */
if (!c->connected) {
/* otherwise we just ignore the error */
return false;
}
if (!c->searches.list) {
return false;
}
/*
* We might called tevent_req_done() for a successful
* search before, so we better deliver the failure
* after the success, that is why we better also
* use tevent_req_defer_callback() here.
*/
tevent_req_defer_callback(c->searches.list->req,
c->searches.list->caller.ev);
tevent_req_nterror(c->searches.list->req, status);
return false;
}
static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
const char *in_path,
uint8_t *out_share_type,
uint32_t *out_share_flags,
uint32_t *out_capabilities,
uint32_t *out_maximal_access,
uint32_t *out_tree_id)
{
const char *share = in_path;
char *service = NULL;
int snum = -1;
struct smbd_smb2_tcon *tcon;
connection_struct *compat_conn = NULL;
user_struct *compat_vuser = req->session->compat_vuser;
int id;
NTSTATUS status;
if (strncmp(share, "\\\\", 2) == 0) {
const char *p = strchr(share+2, '\\');
if (p) {
share = p + 1;
}
}
DEBUG(10,("smbd_smb2_tree_connect: path[%s] share[%s]\n",
in_path, share));
service = talloc_strdup(talloc_tos(), share);
if(!service) {
return NT_STATUS_NO_MEMORY;
}
strlower_m(service);
/* TODO: do more things... */
if (strequal(service,HOMES_NAME)) {
if (compat_vuser->homes_snum == -1) {
DEBUG(2, ("[homes] share not available for "
"user %s because it was not found "
"or created at session setup "
"time\n",
compat_vuser->session_info->unix_info->unix_name));
return NT_STATUS_BAD_NETWORK_NAME;
}
snum = compat_vuser->homes_snum;
} else if ((compat_vuser->homes_snum != -1)
&& strequal(service,
lp_servicename(compat_vuser->homes_snum))) {
snum = compat_vuser->homes_snum;
} else {
snum = find_service(talloc_tos(), service, &service);
if (!service) {
return NT_STATUS_NO_MEMORY;
}
}
if (snum < 0) {
DEBUG(3,("smbd_smb2_tree_connect: couldn't find service %s\n",
service));
return NT_STATUS_BAD_NETWORK_NAME;
}
/* create a new tcon as child of the session */
tcon = talloc_zero(req->session, struct smbd_smb2_tcon);
if (tcon == NULL) {
return NT_STATUS_NO_MEMORY;
}
id = idr_get_new_random(req->session->tcons.idtree,
tcon,
req->session->tcons.limit);
if (id == -1) {
TALLOC_FREE(tcon);
return NT_STATUS_INSUFFICIENT_RESOURCES;
}
tcon->tid = id;
tcon->snum = snum;
DLIST_ADD_END(req->session->tcons.list, tcon,
struct smbd_smb2_tcon *);
tcon->session = req->session;
tcon->session->sconn->num_tcons_open++;
talloc_set_destructor(tcon, smbd_smb2_tcon_destructor);
compat_conn = make_connection_smb2(req->sconn,
tcon,
req->session->compat_vuser,
data_blob_null, "???",
&status);
if (compat_conn == NULL) {
TALLOC_FREE(tcon);
return status;
}
tcon->compat_conn = talloc_move(tcon, &compat_conn);
if (IS_PRINT(tcon->compat_conn)) {
*out_share_type = SMB2_SHARE_TYPE_PRINT;
} else if (IS_IPC(tcon->compat_conn)) {
*out_share_type = SMB2_SHARE_TYPE_PIPE;
} else {
*out_share_type = SMB2_SHARE_TYPE_DISK;
}
*out_share_flags = 0;
if (lp_msdfs_root(SNUM(tcon->compat_conn)) && lp_host_msdfs()) {
*out_share_flags |= (SMB2_SHAREFLAG_DFS|SMB2_SHAREFLAG_DFS_ROOT);
*out_capabilities = SMB2_SHARE_CAP_DFS;
} else {
*out_capabilities = 0;
}
switch(lp_csc_policy(SNUM(tcon->compat_conn))) {
case CSC_POLICY_MANUAL:
break;
case CSC_POLICY_DOCUMENTS:
*out_share_flags |= SMB2_SHAREFLAG_AUTO_CACHING;
break;
case CSC_POLICY_PROGRAMS:
*out_share_flags |= SMB2_SHAREFLAG_VDO_CACHING;
break;
case CSC_POLICY_DISABLE:
*out_share_flags |= SMB2_SHAREFLAG_NO_CACHING;
break;
default:
break;
}
if (lp_hideunreadable(SNUM(tcon->compat_conn)) ||
lp_hideunwriteable_files(SNUM(tcon->compat_conn))) {
*out_share_flags |= SMB2_SHAREFLAG_ACCESS_BASED_DIRECTORY_ENUM;
}
*out_maximal_access = tcon->compat_conn->share_access;
*out_tree_id = tcon->tid;
return NT_STATUS_OK;
}
static enum ndr_err_code get_blob_sequence_number(DATA_BLOB *blob,
uint64_t *pseq)
{
struct ndr_pull ndr = {.data = blob->data, .data_size = blob->length};
NDR_CHECK(ndr_pull_hyper(&ndr, NDR_SCALARS, pseq));
return NDR_ERR_SUCCESS;
}
static int share_mode_data_nofree_destructor(struct share_mode_data *d)
{
return -1;
}
static struct share_mode_data *share_mode_memcache_fetch(TALLOC_CTX *mem_ctx,
const TDB_DATA id_key,
DATA_BLOB *blob)
{
enum ndr_err_code ndr_err;
struct share_mode_data *d;
uint64_t sequence_number;
void *ptr;
struct file_id id;
DATA_BLOB key;
/* Ensure this is a locking_key record. */
if (id_key.dsize != sizeof(id)) {
return NULL;
}
memcpy(&id, id_key.dptr, id_key.dsize);
key = memcache_key(&id);
ptr = memcache_lookup_talloc(NULL,
SHARE_MODE_LOCK_CACHE,
key);
if (ptr == NULL) {
DEBUG(10,("failed to find entry for key %s\n",
file_id_string(mem_ctx, &id)));
return NULL;
}
/* sequence number key is at start of blob. */
ndr_err = get_blob_sequence_number(blob, &sequence_number);
if (ndr_err != NDR_ERR_SUCCESS) {
/* Bad blob. Remove entry. */
DEBUG(10,("bad blob %u key %s\n",
(unsigned int)ndr_err,
file_id_string(mem_ctx, &id)));
memcache_delete(NULL,
SHARE_MODE_LOCK_CACHE,
key);
return NULL;
}
d = (struct share_mode_data *)ptr;
if (d->sequence_number != sequence_number) {
DEBUG(10,("seq changed (cached 0x%llu) (new 0x%llu) "
"for key %s\n",
(unsigned long long)d->sequence_number,
(unsigned long long)sequence_number,
file_id_string(mem_ctx, &id)));
/* Cache out of date. Remove entry. */
memcache_delete(NULL,
SHARE_MODE_LOCK_CACHE,
key);
return NULL;
}
/* Move onto mem_ctx. */
d = talloc_move(mem_ctx, &ptr);
/*
* Now we own d, prevent the cache from freeing it
* when we delete the entry.
*/
talloc_set_destructor(d, share_mode_data_nofree_destructor);
/* Remove from the cache. We own it now. */
memcache_delete(NULL,
SHARE_MODE_LOCK_CACHE,
key);
/* And reset the destructor to none. */
talloc_set_destructor(d, NULL);
DEBUG(10,("fetched entry for file %s seq 0x%llu key %s\n",
d->base_name,
(unsigned long long)d->sequence_number,
file_id_string(mem_ctx, &id)));
return d;
}
/*******************************************************************
Get all share mode entries for a dev/inode pair.
********************************************************************/
static struct share_mode_data *parse_share_modes(TALLOC_CTX *mem_ctx,
const TDB_DATA key,
const TDB_DATA dbuf)
{
struct share_mode_data *d;
enum ndr_err_code ndr_err;
uint32_t i;
DATA_BLOB blob;
blob.data = dbuf.dptr;
blob.length = dbuf.dsize;
/* See if we already have a cached copy of this key. */
d = share_mode_memcache_fetch(mem_ctx, key, &blob);
if (d != NULL) {
return d;
}
d = talloc(mem_ctx, struct share_mode_data);
if (d == NULL) {
DEBUG(0, ("talloc failed\n"));
goto fail;
}
ndr_err = ndr_pull_struct_blob_all(
&blob, d, d, (ndr_pull_flags_fn_t)ndr_pull_share_mode_data);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DEBUG(1, ("ndr_pull_share_mode_lock failed: %s\n",
ndr_errstr(ndr_err)));
goto fail;
}
/*
* Initialize the values that are [skip] in the idl. The NDR code does
* not initialize them.
*/
for (i=0; i<d->num_share_modes; i++) {
struct share_mode_entry *e = &d->share_modes[i];
e->stale = false;
e->lease = NULL;
if (e->op_type != LEASE_OPLOCK) {
continue;
}
if (e->lease_idx >= d->num_leases) {
continue;
}
e->lease = &d->leases[e->lease_idx];
}
d->modified = false;
d->fresh = false;
if (DEBUGLEVEL >= 10) {
DEBUG(10, ("parse_share_modes:\n"));
NDR_PRINT_DEBUG(share_mode_data, d);
}
return d;
fail:
TALLOC_FREE(d);
return NULL;
}
/*******************************************************************
Create a storable data blob from a modified share_mode_data struct.
********************************************************************/
static TDB_DATA unparse_share_modes(struct share_mode_data *d)
{
DATA_BLOB blob;
enum ndr_err_code ndr_err;
if (DEBUGLEVEL >= 10) {
DEBUG(10, ("unparse_share_modes:\n"));
NDR_PRINT_DEBUG(share_mode_data, d);
}
share_mode_memcache_delete(d);
/* Update the sequence number. */
d->sequence_number += 1;
remove_stale_share_mode_entries(d);
if (d->num_share_modes == 0) {
DEBUG(10, ("No used share mode found\n"));
return make_tdb_data(NULL, 0);
}
ndr_err = ndr_push_struct_blob(
&blob, d, d, (ndr_push_flags_fn_t)ndr_push_share_mode_data);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
smb_panic("ndr_push_share_mode_lock failed");
}
return make_tdb_data(blob.data, blob.length);
}
static sbcErr smbconf_reg_get_includes_internal(TALLOC_CTX *mem_ctx,
struct registry_key *key,
uint32_t *num_includes,
char ***includes)
{
WERROR werr;
sbcErr err;
uint32_t count;
struct registry_value *value = NULL;
char **tmp_includes = NULL;
const char **array = NULL;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
if (!smbconf_value_exists(key, INCLUDES_VALNAME)) {
/* no includes */
*num_includes = 0;
*includes = NULL;
err = SBC_ERR_OK;
goto done;
}
werr = reg_queryvalue(tmp_ctx, key, INCLUDES_VALNAME, &value);
if (!W_ERROR_IS_OK(werr)) {
err = SBC_ERR_ACCESS_DENIED;
goto done;
}
if (value->type != REG_MULTI_SZ) {
/* wrong type -- ignore */
err = SBC_ERR_OK;
goto done;
}
if (!pull_reg_multi_sz(tmp_ctx, &value->data, &array)) {
err = SBC_ERR_NOMEM;
goto done;
}
for (count = 0; array[count] != NULL; count++) {
err = smbconf_add_string_to_array(tmp_ctx,
&tmp_includes,
count,
array[count]);
if (!SBC_ERROR_IS_OK(err)) {
goto done;
}
}
if (count > 0) {
*includes = talloc_move(mem_ctx, &tmp_includes);
if (*includes == NULL) {
err = SBC_ERR_NOMEM;
goto done;
}
*num_includes = count;
} else {
*num_includes = 0;
*includes = NULL;
}
err = SBC_ERR_OK;
done:
talloc_free(tmp_ctx);
return err;
}
/*
initialise a server_context from a open socket and register a event handler
for reading from that socket
*/
static void ldapsrv_accept(struct stream_connection *c,
struct auth_session_info *session_info)
{
struct ldapsrv_service *ldapsrv_service =
talloc_get_type(c->private_data, struct ldapsrv_service);
struct ldapsrv_connection *conn;
struct cli_credentials *server_credentials;
struct socket_address *socket_address;
NTSTATUS status;
int port;
conn = talloc_zero(c, struct ldapsrv_connection);
if (!conn) {
stream_terminate_connection(c, "ldapsrv_accept: out of memory");
return;
}
conn->packet = NULL;
conn->connection = c;
conn->service = ldapsrv_service;
conn->sockets.raw = c->socket;
conn->lp_ctx = ldapsrv_service->task->lp_ctx;
c->private_data = conn;
socket_address = socket_get_my_addr(c->socket, conn);
if (!socket_address) {
ldapsrv_terminate_connection(conn, "ldapsrv_accept: failed to obtain local socket address!");
return;
}
port = socket_address->port;
talloc_free(socket_address);
if (port == 636) {
struct socket_context *tls_socket = tls_init_server(ldapsrv_service->tls_params, c->socket,
c->event.fde, NULL);
if (!tls_socket) {
ldapsrv_terminate_connection(conn, "ldapsrv_accept: tls_init_server() failed");
return;
}
talloc_steal(c, tls_socket);
c->socket = tls_socket;
conn->sockets.tls = tls_socket;
} else if (port == 3268) /* Global catalog */ {
conn->global_catalog = true;
}
conn->packet = packet_init(conn);
if (conn->packet == NULL) {
ldapsrv_terminate_connection(conn, "out of memory");
return;
}
packet_set_private(conn->packet, conn);
packet_set_socket(conn->packet, c->socket);
packet_set_callback(conn->packet, ldapsrv_decode);
packet_set_full_request(conn->packet, ldap_full_packet);
packet_set_error_handler(conn->packet, ldapsrv_error_handler);
packet_set_event_context(conn->packet, c->event.ctx);
packet_set_fde(conn->packet, c->event.fde);
packet_set_serialise(conn->packet);
if (conn->sockets.tls) {
packet_set_unreliable_select(conn->packet);
}
/* Ensure we don't get packets until the database is ready below */
packet_recv_disable(conn->packet);
server_credentials = cli_credentials_init(conn);
if (!server_credentials) {
stream_terminate_connection(c, "Failed to init server credentials\n");
return;
}
cli_credentials_set_conf(server_credentials, conn->lp_ctx);
status = cli_credentials_set_machine_account(server_credentials, conn->lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
stream_terminate_connection(c, talloc_asprintf(conn, "Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
return;
}
conn->server_credentials = server_credentials;
conn->session_info = talloc_move(conn, &session_info);
if (!NT_STATUS_IS_OK(ldapsrv_backend_Init(conn))) {
ldapsrv_terminate_connection(conn, "backend Init failed");
return;
}
/* load limits from the conf partition */
ldapsrv_load_limits(conn); /* should we fail on error ? */
/* register the server */
irpc_add_name(c->msg_ctx, "ldap_server");
/* set connections limits */
conn->limits.ite = event_add_timed(c->event.ctx, conn,
timeval_current_ofs(conn->limits.initial_timeout, 0),
ldapsrv_conn_init_timeout, conn);
packet_recv_enable(conn->packet);
}
