Context Navigation

source: vendor/3.6.0/source3/nmbd/nmbd_processlogon.c

Visit:

Last change on this file was 740, checked in by Silvan Scherrer, 13 years ago
Samba Server: update vendor to 3.6.0
File size: 18.0 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	NBT netbios routines and daemon - version 2
4	Copyright (C) Andrew Tridgell 1994-1998
5	Copyright (C) Luke Kenneth Casson Leighton 1994-1998
6	Copyright (C) Jeremy Allison 1994-2003
7	Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
8
9	This program is free software; you can redistribute it and/or modify
10	it under the terms of the GNU General Public License as published by
11	the Free Software Foundation; either version 3 of the License, or
12	(at your option) any later version.
13
14	This program is distributed in the hope that it will be useful,
15	but WITHOUT ANY WARRANTY; without even the implied warranty of
16	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	GNU General Public License for more details.
18
19	You should have received a copy of the GNU General Public License
20	along with this program. If not, see <http://www.gnu.org/licenses/>.
21
22	Revision History:
23
24	*/
25
26	#include "includes.h"
27	#include "../libcli/netlogon/netlogon.h"
28	#include "../libcli/cldap/cldap.h"
29	#include "../lib/tsocket/tsocket.h"
30	#include "../libcli/security/security.h"
31	#include "secrets.h"
32	#include "nmbd/nmbd.h"
33
34	struct sam_database_info {
35	uint32 index;
36	uint32 serial_lo, serial_hi;
37	uint32 date_lo, date_hi;
38	};
39
40	/**
41	* check whether the client belongs to the hosts
42	* for which initial logon should be delayed...
43	*/
44	static bool delay_logon(const char peer_name, const char peer_addr)
45	{
46	const char **delay_list = lp_init_logon_delayed_hosts();
47	const char *peer[2];
48
49	if (delay_list == NULL) {
50	return False;
51	}
52
53	peer[0] = peer_name;
54	peer[1] = peer_addr;
55
56	return list_match(delay_list, (const char *)peer, client_match);
57	}
58
59	static void delayed_init_logon_handler(struct event_context *event_ctx,
60	struct timed_event *te,
61	struct timeval now,
62	void *private_data)
63	{
64	struct packet_struct p = (struct packet_struct )private_data;
65
66	DEBUG(10, ("delayed_init_logon_handler (%lx): re-queuing packet.\n",
67	(unsigned long)te));
68
69	queue_packet(p);
70
71	TALLOC_FREE(te);
72	}
73
74	struct nmbd_proxy_logon_context {
75	struct cldap_socket *cldap_sock;
76	};
77
78	static struct nmbd_proxy_logon_context *global_nmbd_proxy_logon;
79
80	bool initialize_nmbd_proxy_logon(void)
81	{
82	const char *cldap_server = lp_parm_const_string(-1, "nmbd_proxy_logon",
83	"cldap_server", NULL);
84	struct nmbd_proxy_logon_context *ctx;
85	NTSTATUS status;
86	struct in_addr addr;
87	char addrstr[INET_ADDRSTRLEN];
88	const char *server_str;
89	int ret;
90	struct tsocket_address *server_addr;
91
92	if (!cldap_server) {
93	return true;
94	}
95
96	addr = interpret_addr2(cldap_server);
97	server_str = inet_ntop(AF_INET, &addr,
98	addrstr, sizeof(addrstr));
99	if (!server_str \|\| strcmp("0.0.0.0", server_str) == 0) {
100	DEBUG(0,("Failed to resolve[%s] for nmbd_proxy_logon\n",
101	cldap_server));
102	return false;
103	}
104
105	ctx = talloc_zero(nmbd_event_context(),
106	struct nmbd_proxy_logon_context);
107	if (!ctx) {
108	return false;
109	}
110
111	ret = tsocket_address_inet_from_strings(ctx, "ipv4",
112	server_str, LDAP_PORT,
113	&server_addr);
114	if (ret != 0) {
115	TALLOC_FREE(ctx);
116	status = map_nt_error_from_unix(errno);
117	DEBUG(0,("Failed to create cldap tsocket_address for %s - %s\n",
118	server_str, nt_errstr(status)));
119	return false;
120	}
121
122	/* we create a connected udp socket */
123	status = cldap_socket_init(ctx, nmbd_event_context(), NULL,
124	server_addr, &ctx->cldap_sock);
125	TALLOC_FREE(server_addr);
126	if (!NT_STATUS_IS_OK(status)) {
127	TALLOC_FREE(ctx);
128	DEBUG(0,("failed to create cldap socket for %s: %s\n",
129	server_str, nt_errstr(status)));
130	return false;
131	}
132
133	global_nmbd_proxy_logon = ctx;
134	return true;
135	}
136
137	struct nmbd_proxy_logon_state {
138	struct in_addr local_ip;
139	struct packet_struct *p;
140	const char *remote_name;
141	uint8_t remote_name_type;
142	const char *remote_mailslot;
143	struct nbt_netlogon_packet req;
144	struct nbt_netlogon_response resp;
145	struct cldap_netlogon io;
146	};
147
148	static int nmbd_proxy_logon_state_destructor(struct nmbd_proxy_logon_state *s)
149	{
150	s->p->locked = false;
151	free_packet(s->p);
152	return 0;
153	}
154
155	static void nmbd_proxy_logon_done(struct tevent_req *subreq);
156
157	static void nmbd_proxy_logon(struct nmbd_proxy_logon_context *ctx,
158	struct in_addr local_ip,
159	struct packet_struct *p,
160	uint8_t *buf,
161	uint32_t len)
162	{
163	struct nmbd_proxy_logon_state *state;
164	enum ndr_err_code ndr_err;
165	DATA_BLOB blob = data_blob_const(buf, len);
166	const char *computer_name = NULL;
167	const char *mailslot_name = NULL;
168	const char *user_name = NULL;
169	const char *domain_sid = NULL;
170	uint32_t acct_control = 0;
171	uint32_t nt_version = 0;
172	struct tevent_req *subreq;
173	fstring source_name;
174	struct dgram_packet *dgram = &p->packet.dgram;
175
176	state = TALLOC_ZERO_P(ctx, struct nmbd_proxy_logon_state);
177	if (!state) {
178	DEBUG(0,("failed to allocate nmbd_proxy_logon_state\n"));
179	return;
180	}
181
182	pull_ascii_nstring(source_name, sizeof(source_name), dgram->source_name.name);
183	state->remote_name = talloc_strdup(state, source_name);
184	state->remote_name_type = dgram->source_name.name_type,
185	state->local_ip = local_ip;
186	state->p = p;
187
188	ndr_err = ndr_pull_struct_blob(
189	&blob, state, &state->req,
190	(ndr_pull_flags_fn_t)ndr_pull_nbt_netlogon_packet);
191	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
192	NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
193	DEBUG(0,("failed parse nbt_netlogon_packet: %s\n",
194	nt_errstr(status)));
195	TALLOC_FREE(state);
196	return;
197	}
198
199	if (DEBUGLEVEL >= 10) {
200	DEBUG(10, ("nmbd_proxy_logon:\n"));
201	NDR_PRINT_DEBUG(nbt_netlogon_packet, &state->req);
202	}
203
204	switch (state->req.command) {
205	case LOGON_SAM_LOGON_REQUEST:
206	computer_name = state->req.req.logon.computer_name;
207	user_name = state->req.req.logon.user_name;
208	mailslot_name = state->req.req.logon.mailslot_name;
209	acct_control = state->req.req.logon.acct_control;
210	if (state->req.req.logon.sid_size > 0) {
211	domain_sid = dom_sid_string(state,
212	&state->req.req.logon.sid);
213	if (!domain_sid) {
214	DEBUG(0,("failed to get a string for sid\n"));
215	TALLOC_FREE(state);
216	return;
217	}
218	}
219	nt_version = state->req.req.logon.nt_version;
220	break;
221
222	default:
223	/* this can't happen as the caller already checks the command */
224	break;
225	}
226
227	state->remote_mailslot = mailslot_name;
228
229	if (user_name && strlen(user_name) == 0) {
230	user_name = NULL;
231	}
232
233	if (computer_name && strlen(computer_name) == 0) {
234	computer_name = NULL;
235	}
236
237	/*
238	* as the socket is connected,
239	* we don't need to specify the destination
240	*/
241	state->io.in.dest_address = NULL;
242	state->io.in.dest_port = 0;
243	state->io.in.realm = NULL;
244	state->io.in.host = computer_name;
245	state->io.in.user = user_name;
246	state->io.in.domain_guid = NULL;
247	state->io.in.domain_sid = domain_sid;
248	state->io.in.acct_control = acct_control;
249	state->io.in.version = nt_version;
250	state->io.in.map_response = false;
251
252	subreq = cldap_netlogon_send(state,
253	ctx->cldap_sock,
254	&state->io);
255	if (!subreq) {
256	DEBUG(0,("failed to send cldap netlogon call\n"));
257	TALLOC_FREE(state);
258	return;
259	}
260	tevent_req_set_callback(subreq, nmbd_proxy_logon_done, state);
261
262	/* we reply async */
263	state->p->locked = true;
264	talloc_set_destructor(state, nmbd_proxy_logon_state_destructor);
265	}
266
267	static void nmbd_proxy_logon_done(struct tevent_req *subreq)
268	{
269	struct nmbd_proxy_logon_state *state =
270	tevent_req_callback_data(subreq,
271	struct nmbd_proxy_logon_state);
272	NTSTATUS status;
273	DATA_BLOB response = data_blob_null;
274
275	status = cldap_netlogon_recv(subreq, state, &state->io);
276	if (!NT_STATUS_IS_OK(status)) {
277	DEBUG(0,("failed to recv cldap netlogon call: %s\n",
278	nt_errstr(status)));
279	TALLOC_FREE(state);
280	return;
281	}
282
283	status = push_netlogon_samlogon_response(&response, state,
284	&state->io.out.netlogon);
285	if (!NT_STATUS_IS_OK(status)) {
286	DEBUG(0,("failed to push netlogon_samlogon_response: %s\n",
287	nt_errstr(status)));
288	TALLOC_FREE(state);
289	return;
290	}
291
292	send_mailslot(true, state->remote_mailslot,
293	(char *)response.data, response.length,
294	global_myname(), 0x0,
295	state->remote_name,
296	state->remote_name_type,
297	state->p->ip,
298	state->local_ip,
299	state->p->port);
300	TALLOC_FREE(state);
301	}
302
303	/****************************************************************************
304	Process a domain logon packet
305	**************************************************************************/
306
307	void process_logon_packet(struct packet_struct p, const char buf,int len,
308	const char *mailslot)
309	{
310	fstring source_name;
311	struct dgram_packet *dgram = &p->packet.dgram;
312	struct sockaddr_storage ss;
313	const struct sockaddr_storage *pss;
314	struct in_addr ip;
315
316	DATA_BLOB blob_in, blob_out;
317	enum ndr_err_code ndr_err;
318	struct nbt_netlogon_packet request;
319	struct nbt_netlogon_response response;
320	NTSTATUS status;
321	const char *pdc_name;
322
323	in_addr_to_sockaddr_storage(&ss, p->ip);
324	pss = iface_ip((struct sockaddr *)&ss);
325	if (!pss) {
326	DEBUG(5,("process_logon_packet:can't find outgoing interface "
327	"for packet from IP %s\n",
328	inet_ntoa(p->ip) ));
329	return;
330	}
331	ip = ((struct sockaddr_in *)pss)->sin_addr;
332
333	if (!lp_domain_logons()) {
334	DEBUG(5,("process_logon_packet: Logon packet received from IP %s and domain \
335	logons are not enabled.\n", inet_ntoa(p->ip) ));
336	return;
337	}
338
339	pull_ascii_nstring(source_name, sizeof(source_name), dgram->source_name.name);
340
341	pdc_name = talloc_asprintf(talloc_tos(), "\\\\%s", global_myname());
342	if (!pdc_name) {
343	return;
344	}
345
346	ZERO_STRUCT(request);
347
348	blob_in = data_blob_const(buf, len);
349
350	ndr_err = ndr_pull_struct_blob(&blob_in, talloc_tos(), &request,
351	(ndr_pull_flags_fn_t)ndr_pull_nbt_netlogon_packet);
352	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
353	DEBUG(1,("process_logon_packet: Failed to pull logon packet\n"));
354	return;
355	}
356
357	if (DEBUGLEVEL >= 10) {
358	NDR_PRINT_DEBUG(nbt_netlogon_packet, &request);
359	}
360
361	DEBUG(4,("process_logon_packet: Logon from %s: code = 0x%x\n",
362	inet_ntoa(p->ip), request.command));
363
364	switch (request.command) {
365	case LOGON_REQUEST: {
366
367	struct nbt_netlogon_response2 response2;
368
369	DEBUG(5,("process_logon_packet: Domain login request from %s at IP %s user=%s token=%x\n",
370	request.req.logon0.computer_name, inet_ntoa(p->ip),
371	request.req.logon0.user_name,
372	request.req.logon0.lm20_token));
373
374	response2.command = LOGON_RESPONSE2;
375	response2.pdc_name = pdc_name;
376	response2.lm20_token = 0xffff;
377
378	response.response_type = NETLOGON_RESPONSE2;
379	response.data.response2 = response2;
380
381	status = push_nbt_netlogon_response(&blob_out, talloc_tos(), &response);
382	if (!NT_STATUS_IS_OK(status)) {
383	DEBUG(0,("process_logon_packet: failed to push packet\n"));
384	return;
385	}
386
387	if (DEBUGLEVEL >= 10) {
388	NDR_PRINT_DEBUG(nbt_netlogon_response2, &response.data.response2);
389	}
390
391	send_mailslot(True, request.req.logon0.mailslot_name,
392	(char *)blob_out.data,
393	blob_out.length,
394	global_myname(), 0x0,
395	source_name,
396	dgram->source_name.name_type,
397	p->ip, ip, p->port);
398	break;
399	}
400
401	case LOGON_PRIMARY_QUERY: {
402
403	struct nbt_netlogon_response_from_pdc get_pdc;
404
405	if (!lp_domain_master()) {
406	/* We're not Primary Domain Controller -- ignore this */
407	return;
408	}
409
410	DEBUG(5,("process_logon_packet: GETDC request from %s at IP %s, "
411	"reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
412	request.req.pdc.computer_name,
413	inet_ntoa(p->ip),
414	global_myname(),
415	lp_workgroup(),
416	NETLOGON_RESPONSE_FROM_PDC,
417	request.req.pdc.nt_version,
418	request.req.pdc.lmnt_token,
419	request.req.pdc.lm20_token));
420
421	get_pdc.command = NETLOGON_RESPONSE_FROM_PDC;
422	get_pdc.pdc_name = global_myname();
423	get_pdc._pad = data_blob_null;
424	get_pdc.unicode_pdc_name = global_myname();
425	get_pdc.domain_name = lp_workgroup();
426	get_pdc.nt_version = NETLOGON_NT_VERSION_1;
427	get_pdc.lmnt_token = 0xffff;
428	get_pdc.lm20_token = 0xffff;
429
430	response.response_type = NETLOGON_GET_PDC;
431	response.data.get_pdc = get_pdc;
432
433	status = push_nbt_netlogon_response(&blob_out, talloc_tos(), &response);
434	if (!NT_STATUS_IS_OK(status)) {
435	DEBUG(0,("process_logon_packet: failed to push packet\n"));
436	return;
437	}
438
439	if (DEBUGLEVEL >= 10) {
440	NDR_PRINT_DEBUG(nbt_netlogon_response_from_pdc, &response.data.get_pdc);
441	}
442
443	send_mailslot(True, request.req.pdc.mailslot_name,
444	(char *)blob_out.data,
445	blob_out.length,
446	global_myname(), 0x0,
447	source_name,
448	dgram->source_name.name_type,
449	p->ip, ip, p->port);
450
451	return;
452	}
453
454	case LOGON_SAM_LOGON_REQUEST: {
455	char *source_addr;
456	bool user_unknown = false;
457
458	struct netlogon_samlogon_response samlogon;
459
460	if (global_nmbd_proxy_logon) {
461	nmbd_proxy_logon(global_nmbd_proxy_logon,
462	ip, p, (uint8_t *)buf, len);
463	return;
464	}
465
466	source_addr = SMB_STRDUP(inet_ntoa(dgram->header.source_ip));
467	if (source_addr == NULL) {
468	DEBUG(3, ("out of memory copying client"
469	" address string\n"));
470	return;
471	}
472
473	DEBUG(5,("process_logon_packet: LOGON_SAM_LOGON_REQUEST request from %s(%s) for %s, returning logon svr %s domain %s code %x token=%x\n",
474	request.req.logon.computer_name,
475	inet_ntoa(p->ip),
476	request.req.logon.user_name,
477	pdc_name,
478	lp_workgroup(),
479	LOGON_SAM_LOGON_RESPONSE,
480	request.req.logon.lmnt_token));
481
482	if (!request.req.logon.user_name) {
483	user_unknown = true;
484	}
485
486	/* we want the simple version unless we are an ADS PDC..which means */
487	/* never, at least for now */
488
489	if ((request.req.logon.nt_version < (NETLOGON_NT_VERSION_1 \| NETLOGON_NT_VERSION_5 \| NETLOGON_NT_VERSION_5EX_WITH_IP)) \|\|
490	(SEC_ADS != lp_security()) \|\| (ROLE_DOMAIN_PDC != lp_server_role())) {
491
492	struct NETLOGON_SAM_LOGON_RESPONSE_NT40 nt4;
493
494	nt4.command = user_unknown ? LOGON_SAM_LOGON_USER_UNKNOWN :
495	LOGON_SAM_LOGON_RESPONSE;
496	nt4.pdc_name = pdc_name;
497	nt4.user_name = request.req.logon.user_name;
498	nt4.domain_name = lp_workgroup();
499	nt4.nt_version = NETLOGON_NT_VERSION_1;
500	nt4.lmnt_token = 0xffff;
501	nt4.lm20_token = 0xffff;
502
503	samlogon.ntver = NETLOGON_NT_VERSION_1;
504	samlogon.data.nt4 = nt4;
505
506	if (DEBUGLEVEL >= 10) {
507	NDR_PRINT_DEBUG(NETLOGON_SAM_LOGON_RESPONSE_NT40, &nt4);
508	}
509	}
510	#ifdef HAVE_ADS
511	else {
512
513	struct NETLOGON_SAM_LOGON_RESPONSE_EX nt5_ex;
514	struct GUID domain_guid;
515	struct nbt_sockaddr saddr;
516	char *domain;
517	const char *hostname;
518
519	saddr.sockaddr_family = 2; /* AF_INET */
520	saddr.pdc_ip = inet_ntoa(ip);
521	saddr.remaining = data_blob_talloc_zero(talloc_tos(), 8); /* ??? */
522
523	domain = get_mydnsdomname(talloc_tos());
524	if (!domain) {
525	DEBUG(2,("get_mydnsdomname failed.\n"));
526	return;
527	}
528
529	hostname = get_mydnsfullname();
530	if (!hostname) {
531	DEBUG(2,("get_mydnsfullname failed.\n"));
532	return;
533	}
534
535	if (!secrets_fetch_domain_guid(domain, &domain_guid)) {
536	DEBUG(2,("Could not fetch DomainGUID for %s\n", domain));
537	return;
538	}
539
540	nt5_ex.command = user_unknown ? LOGON_SAM_LOGON_USER_UNKNOWN_EX :
541	LOGON_SAM_LOGON_RESPONSE_EX;
542	nt5_ex.sbz = 0;
543	nt5_ex.server_type = NBT_SERVER_PDC \|
544	NBT_SERVER_GC \|
545	NBT_SERVER_LDAP \|
546	NBT_SERVER_DS \|
547	NBT_SERVER_KDC \|
548	NBT_SERVER_TIMESERV \|
549	NBT_SERVER_CLOSEST \|
550	NBT_SERVER_WRITABLE;
551	nt5_ex.domain_uuid = domain_guid;
552	nt5_ex.forest = domain;
553	nt5_ex.dns_domain = domain;
554	nt5_ex.pdc_dns_name = hostname;
555	nt5_ex.domain_name = lp_workgroup();
556	nt5_ex.pdc_name = global_myname();
557	nt5_ex.user_name = request.req.logon.user_name;
558	nt5_ex.server_site = "Default-First-Site-Name";
559	nt5_ex.client_site = "Default-First-Site-Name";
560	nt5_ex.sockaddr_size = 0x10; /* the w32 winsock addr size */
561	nt5_ex.sockaddr = saddr;
562	nt5_ex.next_closest_site= NULL;
563	nt5_ex.nt_version = NETLOGON_NT_VERSION_1 \|
564	NETLOGON_NT_VERSION_5EX \|
565	NETLOGON_NT_VERSION_5EX_WITH_IP;
566	nt5_ex.lmnt_token = 0xffff;
567	nt5_ex.lm20_token = 0xffff;
568
569	samlogon.ntver = NETLOGON_NT_VERSION_1 \|
570	NETLOGON_NT_VERSION_5EX \|
571	NETLOGON_NT_VERSION_5EX_WITH_IP;
572	samlogon.data.nt5_ex = nt5_ex;
573
574	if (DEBUGLEVEL >= 10) {
575	NDR_PRINT_DEBUG(NETLOGON_SAM_LOGON_RESPONSE_EX, &nt5_ex);
576	}
577	}
578	#endif /* HAVE_ADS */
579
580	response.response_type = NETLOGON_SAMLOGON;
581	response.data.samlogon = samlogon;
582
583	status = push_nbt_netlogon_response(&blob_out, talloc_tos(), &response);
584	if (!NT_STATUS_IS_OK(status)) {
585	DEBUG(0,("process_logon_packet: failed to push packet\n"));
586	return;
587	}
588
589	/*
590	* handle delay.
591	* packets requeued after delay are marked as
592	* locked.
593	*/
594	if ((p->locked == False) &&
595	(strlen(request.req.logon.user_name) == 0) &&
596	delay_logon(source_name, source_addr))
597	{
598	struct timeval when;
599
600	DEBUG(3, ("process_logon_packet: "
601	"delaying initial logon "
602	"reply for client %s(%s) for "
603	"%u milliseconds\n",
604	source_name, source_addr,
605	lp_init_logon_delay()));
606
607	when = timeval_current_ofs(0,
608	lp_init_logon_delay() * 1000);
609	p->locked = true;
610	event_add_timed(nmbd_event_context(),
611	NULL,
612	when,
613	delayed_init_logon_handler,
614	p);
615	} else {
616	DEBUG(3, ("process_logon_packet: "
617	"processing delayed initial "
618	"logon reply for client "
619	"%s(%s)\n",
620	source_name, source_addr));
621	p->locked = false;
622	send_mailslot(true, request.req.logon.mailslot_name,
623	(char *)blob_out.data,
624	blob_out.length,
625	global_myname(), 0x0,
626	source_name,
627	dgram->source_name.name_type,
628	p->ip, ip, p->port);
629	}
630
631	SAFE_FREE(source_addr);
632
633	break;
634	}
635
636	/* Announce change to UAS or SAM. Send by the domain controller when a
637	replication event is required. */
638
639	case NETLOGON_ANNOUNCE_UAS:
640	DEBUG(5, ("Got NETLOGON_ANNOUNCE_UAS\n"));
641	break;
642
643	default:
644	DEBUG(3,("process_logon_packet: Unknown domain request %d\n",
645	request.command));
646	return;
647	}
648	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: