| static void init_net_r_req_chal | ( | NET_R_REQ_CHAL * | r_c, | |
| DOM_CHAL * | srv_chal, | |||
| NTSTATUS | status | |||
| ) | [static] |
srv_netlog_nt.c の 38 行で定義されています。
参照先 chal_info::data・net_r_req_chal_info::srv_chal・status・net_r_req_chal_info::status.
参照元 _net_req_chal().
00040 { 00041 DEBUG(6,("init_net_r_req_chal: %d\n", __LINE__)); 00042 memcpy(r_c->srv_chal.data, srv_chal->data, sizeof(srv_chal->data)); 00043 r_c->status = status; 00044 }
| NTSTATUS _net_logon_ctrl | ( | pipes_struct * | p, | |
| NET_Q_LOGON_CTRL * | q_u, | |||
| NET_R_LOGON_CTRL * | r_u | |||
| ) |
srv_netlog_nt.c の 58 行で定義されています。
参照先 flags・init_net_r_logon_ctrl()・net_q_logon_ctrl_info::query_level・net_r_logon_ctrl_info::status.
参照元 api_net_logon_ctrl().
00060 { 00061 uint32 flags = 0x0; 00062 uint32 pdc_connection_status = 0x00; /* Maybe a win32 error code? */ 00063 00064 /* Setup the Logon Control response */ 00065 00066 init_net_r_logon_ctrl(r_u, q_u->query_level, flags, 00067 pdc_connection_status); 00068 00069 return r_u->status; 00070 }
| static void send_sync_message | ( | void | ) | [static] |
srv_netlog_nt.c の 76 行で定義されています。
参照先 lock_path()・message_send_all()・tdb・tdb_close()・tdb_open_log().
参照元 _net_logon_ctrl2().
00077 { 00078 TDB_CONTEXT *tdb; 00079 00080 tdb = tdb_open_log(lock_path("connections.tdb"), 0, 00081 TDB_DEFAULT, O_RDONLY, 0); 00082 00083 if (!tdb) { 00084 DEBUG(3, ("send_sync_message(): failed to open connections " 00085 "database\n")); 00086 return; 00087 } 00088 00089 DEBUG(3, ("sending sam synchronisation message\n")); 00090 00091 message_send_all(tdb, MSG_SMB_SAM_SYNC, NULL, 0, False, NULL); 00092 00093 tdb_close(tdb); 00094 }
| NTSTATUS _net_logon_ctrl2 | ( | pipes_struct * | p, | |
| NET_Q_LOGON_CTRL2 * | q_u, | |||
| NET_R_LOGON_CTRL2 * | r_u | |||
| ) |
srv_netlog_nt.c の 100 行で定義されています。
参照先 ctrl_data_info_6::domain・flags・fstr_sprintf()・net_q_logon_ctrl2_info::function_code・get_dc_name()・net_q_logon_ctrl2_info::info・net_q_logon_ctrl2_info::info6・init_net_r_logon_ctrl2()・is_trusted_domain()・net_q_logon_ctrl2_info::query_level・ROLE_DOMAIN_BDC・send_sync_message()・net_r_logon_ctrl2_info::status・net_q_logon_ctrl2_info::uni_server_name・unistr2_to_ascii().
00101 { 00102 uint32 flags = 0x0; 00103 uint32 pdc_connection_status = 0x0; 00104 uint32 logon_attempts = 0x0; 00105 uint32 tc_status; 00106 fstring servername, domain, dc_name, dc_name2; 00107 struct in_addr dc_ip; 00108 00109 /* this should be \\global_myname() */ 00110 unistr2_to_ascii(servername, &q_u->uni_server_name, sizeof(servername)); 00111 00112 r_u->status = NT_STATUS_OK; 00113 00114 tc_status = ERROR_NO_SUCH_DOMAIN; 00115 fstrcpy( dc_name, "" ); 00116 00117 switch ( q_u->function_code ) { 00118 case NETLOGON_CONTROL_TC_QUERY: 00119 unistr2_to_ascii(domain, &q_u->info.info6.domain, sizeof(domain)); 00120 00121 if ( !is_trusted_domain( domain ) ) 00122 break; 00123 00124 if ( !get_dc_name( domain, NULL, dc_name2, &dc_ip ) ) { 00125 tc_status = ERROR_NO_LOGON_SERVERS; 00126 break; 00127 } 00128 00129 fstr_sprintf( dc_name, "\\\\%s", dc_name2 ); 00130 00131 tc_status = NO_ERROR; 00132 00133 break; 00134 00135 case NETLOGON_CONTROL_REDISCOVER: 00136 unistr2_to_ascii(domain, &q_u->info.info6.domain, sizeof(domain)); 00137 00138 if ( !is_trusted_domain( domain ) ) 00139 break; 00140 00141 if ( !get_dc_name( domain, NULL, dc_name2, &dc_ip ) ) { 00142 tc_status = ERROR_NO_LOGON_SERVERS; 00143 break; 00144 } 00145 00146 fstr_sprintf( dc_name, "\\\\%s", dc_name2 ); 00147 00148 tc_status = NO_ERROR; 00149 00150 break; 00151 00152 default: 00153 /* no idea what this should be */ 00154 DEBUG(0,("_net_logon_ctrl2: unimplemented function level [%d]\n", 00155 q_u->function_code)); 00156 } 00157 00158 /* prepare the response */ 00159 00160 init_net_r_logon_ctrl2( r_u, q_u->query_level, flags, 00161 pdc_connection_status, logon_attempts, tc_status, dc_name ); 00162 00163 if (lp_server_role() == ROLE_DOMAIN_BDC) 00164 send_sync_message(); 00165 00166 return r_u->status; 00167 }
| NTSTATUS _net_trust_dom_list | ( | pipes_struct * | p, | |
| NET_Q_TRUST_DOM_LIST * | q_u, | |||
| NET_R_TRUST_DOM_LIST * | r_u | |||
| ) |
srv_netlog_nt.c の 173 行で定義されています。
参照先 init_r_trust_dom()・net_r_trust_dom_info::status.
00174 { 00175 const char *trusted_domain = "test_domain"; 00176 uint32 num_trust_domains = 1; 00177 00178 DEBUG(6,("_net_trust_dom_list: %d\n", __LINE__)); 00179 00180 /* set up the Trusted Domain List response */ 00181 init_r_trust_dom(r_u, num_trust_domains, trusted_domain); 00182 00183 DEBUG(6,("_net_trust_dom_list: %d\n", __LINE__)); 00184 00185 return r_u->status; 00186 }
| static void init_net_r_srv_pwset | ( | NET_R_SRV_PWSET * | r_s, | |
| DOM_CRED * | srv_cred, | |||
| NTSTATUS | status | |||
| ) | [static] |
srv_netlog_nt.c の 192 行で定義されています。
参照先 net_r_srv_pwset_info::srv_cred・status・net_r_srv_pwset_info::status.
参照元 _net_srv_pwset().
00194 { 00195 DEBUG(5,("init_net_r_srv_pwset: %d\n", __LINE__)); 00196 00197 memcpy(&r_s->srv_cred, srv_cred, sizeof(r_s->srv_cred)); 00198 r_s->status = status; 00199 00200 DEBUG(5,("init_net_r_srv_pwset: %d\n", __LINE__)); 00201 }
| static NTSTATUS get_md4pw | ( | char * | md4pw, | |
| char * | mach_acct, | |||
| uint16 | sec_chan_type | |||
| ) | [static] |
srv_netlog_nt.c の 207 行で定義されています。
参照先 samu::acct_ctrl・allow_access()・become_root()・client_addr()・client_name()・dump_data()・pdb_get_acct_ctrl()・pdb_get_nt_passwd()・pdb_getsampwnam()・samu_new()・SEC_CHAN_BDC・SEC_CHAN_DOMAIN・SEC_CHAN_WKSTA・unbecome_root().
参照元 _net_auth()・_net_auth_2().
00208 { 00209 struct samu *sampass = NULL; 00210 const uint8 *pass; 00211 BOOL ret; 00212 uint32 acct_ctrl; 00213 00214 #if 0 00215 /* 00216 * Currently this code is redundent as we already have a filter 00217 * by hostname list. What this code really needs to do is to 00218 * get a hosts allowed/hosts denied list from the SAM database 00219 * on a per user basis, and make the access decision there. 00220 * I will leave this code here for now as a reminder to implement 00221 * this at a later date. JRA. 00222 */ 00223 00224 if (!allow_access(lp_domain_hostsdeny(), lp_domain_hostsallow(), 00225 client_name(), client_addr())) 00226 { 00227 DEBUG(0,("get_md4pw: Workstation %s denied access to domain\n", mach_acct)); 00228 return False; 00229 } 00230 #endif /* 0 */ 00231 00232 if ( !(sampass = samu_new( NULL )) ) { 00233 return NT_STATUS_NO_MEMORY; 00234 } 00235 00236 /* JRA. This is ok as it is only used for generating the challenge. */ 00237 become_root(); 00238 ret = pdb_getsampwnam(sampass, mach_acct); 00239 unbecome_root(); 00240 00241 if (!ret) { 00242 DEBUG(0,("get_md4pw: Workstation %s: no account in domain\n", mach_acct)); 00243 TALLOC_FREE(sampass); 00244 return NT_STATUS_ACCESS_DENIED; 00245 } 00246 00247 acct_ctrl = pdb_get_acct_ctrl(sampass); 00248 if (acct_ctrl & ACB_DISABLED) { 00249 DEBUG(0,("get_md4pw: Workstation %s: account is disabled\n", mach_acct)); 00250 TALLOC_FREE(sampass); 00251 return NT_STATUS_ACCOUNT_DISABLED; 00252 } 00253 00254 if (!(acct_ctrl & ACB_SVRTRUST) && 00255 !(acct_ctrl & ACB_WSTRUST) && 00256 !(acct_ctrl & ACB_DOMTRUST)) 00257 { 00258 DEBUG(0,("get_md4pw: Workstation %s: account is not a trust account\n", mach_acct)); 00259 TALLOC_FREE(sampass); 00260 return NT_STATUS_NO_TRUST_SAM_ACCOUNT; 00261 } 00262 00263 switch (sec_chan_type) { 00264 case SEC_CHAN_BDC: 00265 if (!(acct_ctrl & ACB_SVRTRUST)) { 00266 DEBUG(0,("get_md4pw: Workstation %s: BDC secure channel requested " 00267 "but not a server trust account\n", mach_acct)); 00268 TALLOC_FREE(sampass); 00269 return NT_STATUS_NO_TRUST_SAM_ACCOUNT; 00270 } 00271 break; 00272 case SEC_CHAN_WKSTA: 00273 if (!(acct_ctrl & ACB_WSTRUST)) { 00274 DEBUG(0,("get_md4pw: Workstation %s: WORKSTATION secure channel requested " 00275 "but not a workstation trust account\n", mach_acct)); 00276 TALLOC_FREE(sampass); 00277 return NT_STATUS_NO_TRUST_SAM_ACCOUNT; 00278 } 00279 break; 00280 case SEC_CHAN_DOMAIN: 00281 if (!(acct_ctrl & ACB_DOMTRUST)) { 00282 DEBUG(0,("get_md4pw: Workstation %s: DOMAIN secure channel requested " 00283 "but not a interdomain trust account\n", mach_acct)); 00284 TALLOC_FREE(sampass); 00285 return NT_STATUS_NO_TRUST_SAM_ACCOUNT; 00286 } 00287 break; 00288 default: 00289 break; 00290 } 00291 00292 if ((pass = pdb_get_nt_passwd(sampass)) == NULL) { 00293 DEBUG(0,("get_md4pw: Workstation %s: account does not have a password\n", mach_acct)); 00294 TALLOC_FREE(sampass); 00295 return NT_STATUS_LOGON_FAILURE; 00296 } 00297 00298 memcpy(md4pw, pass, 16); 00299 dump_data(5, md4pw, 16); 00300 00301 TALLOC_FREE(sampass); 00302 00303 return NT_STATUS_OK; 00304 00305 00306 }
| NTSTATUS _net_req_chal | ( | pipes_struct * | p, | |
| NET_Q_REQ_CHAL * | q_u, | |||
| NET_R_REQ_CHAL * | r_u | |||
| ) |
srv_netlog_nt.c の 312 行で定義されています。
参照先 UNISTR2::buffer・dcinfo::challenge_sent・net_q_req_chal_info::clnt_chal・dcinfo::clnt_chal・chal_info::data・pipes_struct::dc・generate_random_buffer()・init_net_r_req_chal()・pipes_struct::pipe_state_mem_ctx・dcinfo::remote_machine・rpcstr_pull()・dcinfo::srv_chal・net_q_req_chal_info::uni_logon_clnt・UNISTR2::uni_str_len.
参照元 api_net_req_chal().
00313 { 00314 if (!p->dc) { 00315 p->dc = TALLOC_ZERO_P(p->pipe_state_mem_ctx, struct dcinfo); 00316 if (!p->dc) { 00317 return NT_STATUS_NO_MEMORY; 00318 } 00319 } else { 00320 DEBUG(10,("_net_req_chal: new challenge requested. Clearing old state.\n")); 00321 ZERO_STRUCTP(p->dc); 00322 } 00323 00324 rpcstr_pull(p->dc->remote_machine, 00325 q_u->uni_logon_clnt.buffer, 00326 sizeof(fstring),q_u->uni_logon_clnt.uni_str_len*2,0); 00327 00328 /* Save the client challenge to the server. */ 00329 memcpy(p->dc->clnt_chal.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data)); 00330 00331 /* Create a server challenge for the client */ 00332 /* Set this to a random value. */ 00333 generate_random_buffer(p->dc->srv_chal.data, 8); 00334 00335 /* set up the LSA REQUEST CHALLENGE response */ 00336 init_net_r_req_chal(r_u, &p->dc->srv_chal, NT_STATUS_OK); 00337 00338 p->dc->challenge_sent = True; 00339 00340 return NT_STATUS_OK; 00341 }
| static void init_net_r_auth | ( | NET_R_AUTH * | r_a, | |
| DOM_CHAL * | resp_cred, | |||
| NTSTATUS | status | |||
| ) | [static] |
srv_netlog_nt.c の 347 行で定義されています。
参照先 chal_info::data・net_r_auth_info::srv_chal・status・net_r_auth_info::status.
参照元 _net_auth().
00348 { 00349 memcpy(r_a->srv_chal.data, resp_cred->data, sizeof(resp_cred->data)); 00350 r_a->status = status; 00351 }
| NTSTATUS _net_auth | ( | pipes_struct * | p, | |
| NET_Q_AUTH * | q_u, | |||
| NET_R_AUTH * | r_u | |||
| ) |
srv_netlog_nt.c の 357 行で定義されています。
参照先 dcinfo::authenticated・UNISTR2::buffer・dcinfo::challenge_sent・net_q_auth_info::clnt_chal・dcinfo::clnt_chal・net_q_auth_info::clnt_id・creds_server_check()・creds_server_init()・pipes_struct::dc・get_md4pw()・init_net_r_auth()・dcinfo::mach_acct・dcinfo::mach_pw・nt_errstr()・dcinfo::remote_machine・remote_machine・rpcstr_pull()・log_info::sec_chan・dcinfo::srv_chal・net_r_auth_info::status・status・log_info::uni_acct_name・log_info::uni_comp_name・UNISTR2::uni_str_len.
参照元 api_net_auth().
00358 { 00359 NTSTATUS status; 00360 fstring mach_acct; 00361 fstring remote_machine; 00362 DOM_CHAL srv_chal_out; 00363 00364 if (!p->dc || !p->dc->challenge_sent) { 00365 return NT_STATUS_ACCESS_DENIED; 00366 } 00367 00368 rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring), 00369 q_u->clnt_id.uni_acct_name.uni_str_len*2,0); 00370 rpcstr_pull(remote_machine, q_u->clnt_id.uni_comp_name.buffer,sizeof(fstring), 00371 q_u->clnt_id.uni_comp_name.uni_str_len*2,0); 00372 00373 status = get_md4pw((char *)p->dc->mach_pw, mach_acct, q_u->clnt_id.sec_chan); 00374 if (!NT_STATUS_IS_OK(status)) { 00375 DEBUG(0,("_net_auth: creds_server_check failed. Failed to " 00376 "get password for machine account %s " 00377 "from client %s: %s\n", 00378 mach_acct, remote_machine, nt_errstr(status) )); 00379 /* always return NT_STATUS_ACCESS_DENIED */ 00380 return NT_STATUS_ACCESS_DENIED; 00381 } 00382 00383 /* From the client / server challenges and md4 password, generate sess key */ 00384 creds_server_init(0, /* No neg flags. */ 00385 p->dc, 00386 &p->dc->clnt_chal, /* Stored client chal. */ 00387 &p->dc->srv_chal, /* Stored server chal. */ 00388 p->dc->mach_pw, 00389 &srv_chal_out); 00390 00391 /* Check client credentials are valid. */ 00392 if (!creds_server_check(p->dc, &q_u->clnt_chal)) { 00393 DEBUG(0,("_net_auth: creds_server_check failed. Rejecting auth " 00394 "request from client %s machine account %s\n", 00395 remote_machine, mach_acct )); 00396 return NT_STATUS_ACCESS_DENIED; 00397 } 00398 00399 fstrcpy(p->dc->mach_acct, mach_acct); 00400 fstrcpy(p->dc->remote_machine, remote_machine); 00401 p->dc->authenticated = True; 00402 00403 /* set up the LSA AUTH response */ 00404 /* Return the server credentials. */ 00405 init_net_r_auth(r_u, &srv_chal_out, NT_STATUS_OK); 00406 00407 return r_u->status; 00408 }
| static void init_net_r_auth_2 | ( | NET_R_AUTH_2 * | r_a, | |
| DOM_CHAL * | resp_cred, | |||
| NEG_FLAGS * | flgs, | |||
| NTSTATUS | status | |||
| ) | [static] |
srv_netlog_nt.c の 414 行で定義されています。
参照先 chal_info::data・net_r_auth2_info::srv_chal・net_r_auth2_info::srv_flgs・status・net_r_auth2_info::status.
参照元 _net_auth_2().
00416 { 00417 memcpy(r_a->srv_chal.data, resp_cred->data, sizeof(resp_cred->data)); 00418 memcpy(&r_a->srv_flgs, flgs, sizeof(r_a->srv_flgs)); 00419 r_a->status = status; 00420 }
| NTSTATUS _net_auth_2 | ( | pipes_struct * | p, | |
| NET_Q_AUTH_2 * | q_u, | |||
| NET_R_AUTH_2 * | r_u | |||
| ) |
srv_netlog_nt.c の 426 行で定義されています。
参照先 dcinfo::authenticated・become_root()・UNISTR2::buffer・dcinfo::challenge_sent・net_q_auth2_info::clnt_chal・dcinfo::clnt_chal・net_q_auth2_info::clnt_flgs・net_q_auth2_info::clnt_id・creds_server_check()・creds_server_init()・pipes_struct::dc・dcinfo::domain・get_md4pw()・init_net_r_auth_2()・lp_workgroup()・dcinfo::mach_acct・dcinfo::mach_pw・pipes_struct::mem_ctx・neg_flags_info::neg_flags・nt_errstr()・dcinfo::remote_machine・remote_machine・rpcstr_pull()・log_info::sec_chan・secrets_store_schannel_session_info()・dcinfo::srv_chal・net_r_auth2_info::status・status・unbecome_root()・log_info::uni_acct_name・log_info::uni_comp_name・UNISTR2::uni_str_len.
参照元 api_net_auth_2().
00427 { 00428 NTSTATUS status; 00429 NEG_FLAGS srv_flgs; 00430 fstring mach_acct; 00431 fstring remote_machine; 00432 DOM_CHAL srv_chal_out; 00433 00434 rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring), 00435 q_u->clnt_id.uni_acct_name.uni_str_len*2,0); 00436 00437 /* We use this as the key to store the creds. */ 00438 rpcstr_pull(remote_machine, q_u->clnt_id.uni_comp_name.buffer,sizeof(fstring), 00439 q_u->clnt_id.uni_comp_name.uni_str_len*2,0); 00440 00441 if (!p->dc || !p->dc->challenge_sent) { 00442 DEBUG(0,("_net_auth2: no challenge sent to client %s\n", 00443 remote_machine )); 00444 return NT_STATUS_ACCESS_DENIED; 00445 } 00446 00447 if ( (lp_server_schannel() == True) && 00448 ((q_u->clnt_flgs.neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) { 00449 00450 /* schannel must be used, but client did not offer it. */ 00451 DEBUG(0,("_net_auth2: schannel required but client failed " 00452 "to offer it. Client was %s\n", 00453 mach_acct )); 00454 return NT_STATUS_ACCESS_DENIED; 00455 } 00456 00457 status = get_md4pw((char *)p->dc->mach_pw, mach_acct, q_u->clnt_id.sec_chan); 00458 if (!NT_STATUS_IS_OK(status)) { 00459 DEBUG(0,("_net_auth2: failed to get machine password for " 00460 "account %s: %s\n", 00461 mach_acct, nt_errstr(status) )); 00462 /* always return NT_STATUS_ACCESS_DENIED */ 00463 return NT_STATUS_ACCESS_DENIED; 00464 } 00465 00466 /* From the client / server challenges and md4 password, generate sess key */ 00467 creds_server_init(q_u->clnt_flgs.neg_flags, 00468 p->dc, 00469 &p->dc->clnt_chal, /* Stored client chal. */ 00470 &p->dc->srv_chal, /* Stored server chal. */ 00471 p->dc->mach_pw, 00472 &srv_chal_out); 00473 00474 /* Check client credentials are valid. */ 00475 if (!creds_server_check(p->dc, &q_u->clnt_chal)) { 00476 DEBUG(0,("_net_auth2: creds_server_check failed. Rejecting auth " 00477 "request from client %s machine account %s\n", 00478 remote_machine, mach_acct )); 00479 return NT_STATUS_ACCESS_DENIED; 00480 } 00481 00482 srv_flgs.neg_flags = 0x000001ff; 00483 00484 if (lp_server_schannel() != False) { 00485 srv_flgs.neg_flags |= NETLOGON_NEG_SCHANNEL; 00486 } 00487 00488 /* set up the LSA AUTH 2 response */ 00489 init_net_r_auth_2(r_u, &srv_chal_out, &srv_flgs, NT_STATUS_OK); 00490 00491 fstrcpy(p->dc->mach_acct, mach_acct); 00492 fstrcpy(p->dc->remote_machine, remote_machine); 00493 fstrcpy(p->dc->domain, lp_workgroup() ); 00494 00495 p->dc->authenticated = True; 00496 00497 /* Store off the state so we can continue after client disconnect. */ 00498 become_root(); 00499 secrets_store_schannel_session_info(p->mem_ctx, 00500 remote_machine, 00501 p->dc); 00502 unbecome_root(); 00503 00504 return r_u->status; 00505 }
| NTSTATUS _net_srv_pwset | ( | pipes_struct * | p, | |
| NET_Q_SRV_PWSET * | q_u, | |||
| NET_R_SRV_PWSET * | r_u | |||
| ) |
srv_netlog_nt.c の 511 行で定義されています。
参照先 samu::acct_ctrl・pipes_struct::auth・pipe_auth_data::auth_type・dcinfo::authenticated・become_root()・UNISTR2::buffer・net_q_srv_pwset_info::clnt_id・clnt_info::cred・cred_hash3()・creds_server_step()・pipes_struct::dc・init_net_r_srv_pwset()・clnt_info::login・dcinfo::mach_acct・PDB_CHANGED・pdb_get_acct_ctrl()・pdb_get_nt_passwd()・pdb_getsampwnam()・pdb_set_lanman_passwd()・pdb_set_nt_passwd()・pdb_set_pass_last_set_time()・pdb_update_sam_account()・PIPE_AUTH_TYPE_SCHANNEL・pipes_struct::pipe_state_mem_ctx・net_q_srv_pwset_info::pwd・remote_machine・rpcstr_pull()・samu_new()・secrets_restore_schannel_session_info()・secrets_store_schannel_session_info()・dcinfo::sess_key・net_r_srv_pwset_info::status・unbecome_root()・log_info::uni_comp_name・UNISTR2::uni_str_len.
参照元 api_net_srv_pwset().
00512 { 00513 fstring remote_machine; 00514 struct samu *sampass=NULL; 00515 BOOL ret = False; 00516 unsigned char pwd[16]; 00517 int i; 00518 uint32 acct_ctrl; 00519 DOM_CRED cred_out; 00520 const uchar *old_pw; 00521 00522 DEBUG(5,("_net_srv_pwset: %d\n", __LINE__)); 00523 00524 /* We need the remote machine name for the creds lookup. */ 00525 rpcstr_pull(remote_machine,q_u->clnt_id.login.uni_comp_name.buffer, 00526 sizeof(remote_machine),q_u->clnt_id.login.uni_comp_name.uni_str_len*2,0); 00527 00528 if ( (lp_server_schannel() == True) && (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) ) { 00529 /* 'server schannel = yes' should enforce use of 00530 schannel, the client did offer it in auth2, but 00531 obviously did not use it. */ 00532 DEBUG(0,("_net_srv_pwset: client %s not using schannel for netlogon\n", 00533 remote_machine )); 00534 return NT_STATUS_ACCESS_DENIED; 00535 } 00536 00537 if (!p->dc) { 00538 /* Restore the saved state of the netlogon creds. */ 00539 become_root(); 00540 ret = secrets_restore_schannel_session_info(p->pipe_state_mem_ctx, 00541 remote_machine, 00542 &p->dc); 00543 unbecome_root(); 00544 if (!ret) { 00545 return NT_STATUS_INVALID_HANDLE; 00546 } 00547 } 00548 00549 if (!p->dc || !p->dc->authenticated) { 00550 return NT_STATUS_INVALID_HANDLE; 00551 } 00552 00553 DEBUG(3,("_net_srv_pwset: Server Password Set by remote machine:[%s] on account [%s]\n", 00554 remote_machine, p->dc->mach_acct)); 00555 00556 /* Step the creds chain forward. */ 00557 if (!creds_server_step(p->dc, &q_u->clnt_id.cred, &cred_out)) { 00558 DEBUG(2,("_net_srv_pwset: creds_server_step failed. Rejecting auth " 00559 "request from client %s machine account %s\n", 00560 remote_machine, p->dc->mach_acct )); 00561 return NT_STATUS_INVALID_PARAMETER; 00562 } 00563 00564 /* We must store the creds state after an update. */ 00565 sampass = samu_new( NULL ); 00566 if (!sampass) { 00567 return NT_STATUS_NO_MEMORY; 00568 } 00569 00570 become_root(); 00571 secrets_store_schannel_session_info(p->pipe_state_mem_ctx, 00572 remote_machine, 00573 p->dc); 00574 ret = pdb_getsampwnam(sampass, p->dc->mach_acct); 00575 unbecome_root(); 00576 00577 if (!ret) { 00578 TALLOC_FREE(sampass); 00579 return NT_STATUS_ACCESS_DENIED; 00580 } 00581 00582 /* Ensure the account exists and is a machine account. */ 00583 00584 acct_ctrl = pdb_get_acct_ctrl(sampass); 00585 00586 if (!(acct_ctrl & ACB_WSTRUST || 00587 acct_ctrl & ACB_SVRTRUST || 00588 acct_ctrl & ACB_DOMTRUST)) { 00589 TALLOC_FREE(sampass); 00590 return NT_STATUS_NO_SUCH_USER; 00591 } 00592 00593 if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED) { 00594 TALLOC_FREE(sampass); 00595 return NT_STATUS_ACCOUNT_DISABLED; 00596 } 00597 00598 /* Woah - what does this to to the credential chain ? JRA */ 00599 cred_hash3( pwd, q_u->pwd, p->dc->sess_key, 0); 00600 00601 DEBUG(100,("Server password set : new given value was :\n")); 00602 for(i = 0; i < sizeof(pwd); i++) 00603 DEBUG(100,("%02X ", pwd[i])); 00604 DEBUG(100,("\n")); 00605 00606 old_pw = pdb_get_nt_passwd(sampass); 00607 00608 if (old_pw && memcmp(pwd, old_pw, 16) == 0) { 00609 /* Avoid backend modificiations and other fun if the 00610 client changed the password to the *same thing* */ 00611 00612 ret = True; 00613 } else { 00614 00615 /* LM password should be NULL for machines */ 00616 if (!pdb_set_lanman_passwd(sampass, NULL, PDB_CHANGED)) { 00617 TALLOC_FREE(sampass); 00618 return NT_STATUS_NO_MEMORY; 00619 } 00620 00621 if (!pdb_set_nt_passwd(sampass, pwd, PDB_CHANGED)) { 00622 TALLOC_FREE(sampass); 00623 return NT_STATUS_NO_MEMORY; 00624 } 00625 00626 if (!pdb_set_pass_last_set_time(sampass, time(NULL), PDB_CHANGED)) { 00627 TALLOC_FREE(sampass); 00628 /* Not quite sure what this one qualifies as, but this will do */ 00629 return NT_STATUS_UNSUCCESSFUL; 00630 } 00631 00632 become_root(); 00633 r_u->status = pdb_update_sam_account(sampass); 00634 unbecome_root(); 00635 } 00636 00637 /* set up the LSA Server Password Set response */ 00638 init_net_r_srv_pwset(r_u, &cred_out, r_u->status); 00639 00640 TALLOC_FREE(sampass); 00641 return r_u->status; 00642 }
| NTSTATUS _net_sam_logoff | ( | pipes_struct * | p, | |
| NET_Q_SAM_LOGOFF * | q_u, | |||
| NET_R_SAM_LOGOFF * | r_u | |||
| ) |
srv_netlog_nt.c の 648 行で定義されています。
参照先 pipes_struct::auth・pipe_auth_data::auth_type・dcinfo::authenticated・become_root()・UNISTR2::buffer・net_r_sam_logoff_info::buffer_creds・sam_info::client・clnt_info2::cred・creds_server_step()・pipes_struct::dc・get_remote_machine_name()・get_valid_user_struct()・clnt_info2::login・dcinfo::mach_acct・PIPE_AUTH_TYPE_SCHANNEL・pipes_struct::pipe_state_mem_ctx・remote_machine・rpcstr_pull()・net_q_sam_logoff_info::sam_id・secrets_restore_schannel_session_info()・secrets_store_schannel_session_info()・net_r_sam_logoff_info::srv_creds・net_r_sam_logoff_info::status・unbecome_root()・clnt_srv_info::uni_comp_name・UNISTR2::uni_str_len・pipes_struct::vuid.
参照元 api_net_sam_logoff().
00649 { 00650 fstring remote_machine; 00651 00652 if ( (lp_server_schannel() == True) && (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) ) { 00653 /* 'server schannel = yes' should enforce use of 00654 schannel, the client did offer it in auth2, but 00655 obviously did not use it. */ 00656 DEBUG(0,("_net_sam_logoff: client %s not using schannel for netlogon\n", 00657 get_remote_machine_name() )); 00658 return NT_STATUS_ACCESS_DENIED; 00659 } 00660 00661 00662 if (!get_valid_user_struct(p->vuid)) 00663 return NT_STATUS_NO_SUCH_USER; 00664 00665 /* Get the remote machine name for the creds store. */ 00666 rpcstr_pull(remote_machine,q_u->sam_id.client.login.uni_comp_name.buffer, 00667 sizeof(remote_machine),q_u->sam_id.client.login.uni_comp_name.uni_str_len*2,0); 00668 00669 if (!p->dc) { 00670 /* Restore the saved state of the netlogon creds. */ 00671 BOOL ret; 00672 00673 become_root(); 00674 ret = secrets_restore_schannel_session_info(p->pipe_state_mem_ctx, 00675 remote_machine, 00676 &p->dc); 00677 unbecome_root(); 00678 if (!ret) { 00679 return NT_STATUS_INVALID_HANDLE; 00680 } 00681 } 00682 00683 if (!p->dc || !p->dc->authenticated) { 00684 return NT_STATUS_INVALID_HANDLE; 00685 } 00686 00687 r_u->buffer_creds = 1; /* yes, we have valid server credentials */ 00688 00689 /* checks and updates credentials. creates reply credentials */ 00690 if (!creds_server_step(p->dc, &q_u->sam_id.client.cred, &r_u->srv_creds)) { 00691 DEBUG(2,("_net_sam_logoff: creds_server_step failed. Rejecting auth " 00692 "request from client %s machine account %s\n", 00693 remote_machine, p->dc->mach_acct )); 00694 return NT_STATUS_INVALID_PARAMETER; 00695 } 00696 00697 /* We must store the creds state after an update. */ 00698 become_root(); 00699 secrets_store_schannel_session_info(p->pipe_state_mem_ctx, 00700 remote_machine, 00701 p->dc); 00702 unbecome_root(); 00703 00704 r_u->status = NT_STATUS_OK; 00705 return r_u->status; 00706 }
| static NTSTATUS nt_token_to_group_list | ( | TALLOC_CTX * | mem_ctx, | |
| const DOM_SID * | domain_sid, | |||
| size_t | num_sids, | |||
| const DOM_SID * | sids, | |||
| int * | numgroups, | |||
| DOM_GID ** | pgids | |||
| ) | [static] |
srv_netlog_nt.c の 712 行で定義されています。
参照先 DOM_GID::attr・domain_sid・sid_peek_check_rid().
参照元 _net_sam_logon_internal().
00717 { 00718 int i; 00719 00720 *numgroups=0; 00721 *pgids = NULL; 00722 00723 for (i=0; i<num_sids; i++) { 00724 DOM_GID gid; 00725 if (!sid_peek_check_rid(domain_sid, &sids[i], &gid.g_rid)) { 00726 continue; 00727 } 00728 gid.attr = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT| 00729 SE_GROUP_ENABLED); 00730 ADD_TO_ARRAY(mem_ctx, DOM_GID, gid, pgids, numgroups); 00731 if (*pgids == NULL) { 00732 return NT_STATUS_NO_MEMORY; 00733 } 00734 } 00735 return NT_STATUS_OK; 00736 }
| static NTSTATUS _net_sam_logon_internal | ( | pipes_struct * | p, | |
| NET_Q_SAM_LOGON * | q_u, | |||
| NET_R_SAM_LOGON * | r_u, | |||
| BOOL | process_creds | |||
| ) | [static] |
srv_netlog_nt.c の 742 行で定義されています。
参照先 pipe_auth_data::a_u・net_id_info_ctr_info::auth・pipes_struct::auth・net_r_sam_logon_info::auth_resp・pipe_auth_data::auth_type・dcinfo::authenticated・become_root()・STRING2::buffer・UNISTR2::buffer・net_r_sam_logon_info::buffer_creds・auth_context::check_ntlm_password・sam_info::client・clnt_info2::cred・creds_server_step()・sam_info::ctr・current_user_info・data_blob_::data・owf_info::data・pipes_struct::dc・domain_sid・auth_context::free・free_user_info()・get_global_sam_name()・auth_context::get_ntlm_challenge・get_remote_machine_name()・get_time_t_max()・get_valid_user_struct()・global_myname・auth_serversupplied_info::guest・net_id_info_ctr_info::id1・net_id_info_ctr_info::id2・init_net_user_info3()・is_trusted_domain()・data_blob_::length・net_network_info_2::lm_chal・net_network_info_2::lm_chal_resp・id_info_1::lm_owf・auth_serversupplied_info::lm_session_key・clnt_info2::login・auth_serversupplied_info::login_server・sam_info::logon_level・lp_workgroup()・dcinfo::mach_acct・make_auth_context_fixed()・make_auth_context_subsystem()・make_user_info_netlogon_interactive()・make_user_info_netlogon_network()・pipes_struct::mem_ctx・net_network_info_2::nt_chal_resp・nt_errstr()・id_info_1::nt_owf・nt_token_to_group_list()・samu::nt_username・auth_serversupplied_info::num_sids・id_info_1::param_ctrl・net_network_info_2::param_ctrl・pdb_get_acct_ctrl()・pdb_get_dir_drive()・pdb_get_domain()・pdb_get_fullname()・pdb_get_group_sid()・pdb_get_homedir()・pdb_get_logon_script()・pdb_get_logon_time()・pdb_get_pass_can_change_time()・pdb_get_pass_last_set_time()・pdb_get_pass_must_change_time()・pdb_get_profile_path()・pdb_get_user_sid()・pdb_get_username()・PIPE_AUTH_TYPE_SCHANNEL・pipes_struct::pipe_state_mem_ctx・net_user_info_3::ptr_user_info・remote_machine・rpcstr_pull()・auth_serversupplied_info::sam_account・net_q_sam_logon_info::sam_id・SamOEMhash()・pipe_auth_data::schannel_auth・secrets_restore_schannel_session_info()・secrets_store_schannel_session_info()・schannel_auth_struct::sess_key・dcinfo::sess_key・sid_copy()・sid_peek_check_rid()・sid_split_rid()・sid_to_string()・auth_serversupplied_info::sids・userdom_struct::smb_name・net_r_sam_logon_info::srv_creds・status・STRING2::str_str_len・strequal()・sub_set_smb_name()・net_id_info_ctr_info::switch_value・net_r_sam_logon_info::switch_value・unbecome_root()・clnt_srv_info::uni_comp_name・net_network_info_2::uni_domain_name・id_info_1::uni_domain_name・UNISTR2::uni_str_len・net_network_info_2::uni_user_name・id_info_1::uni_user_name・net_network_info_2::uni_wksta_name・id_info_1::uni_wksta_name・net_r_sam_logon_info::user・auth_serversupplied_info::user_session_key・net_q_sam_logon_info::validation_level・pipes_struct::vuid.
参照元 _net_sam_logon()・_net_sam_logon_ex().
00746 { 00747 NTSTATUS status = NT_STATUS_OK; 00748 NET_USER_INFO_3 *usr_info = NULL; 00749 NET_ID_INFO_CTR *ctr = q_u->sam_id.ctr; 00750 UNISTR2 *uni_samlogon_user = NULL; 00751 UNISTR2 *uni_samlogon_domain = NULL; 00752 UNISTR2 *uni_samlogon_workstation = NULL; 00753 fstring nt_username, nt_domain, nt_workstation; 00754 auth_usersupplied_info *user_info = NULL; 00755 auth_serversupplied_info *server_info = NULL; 00756 struct samu *sampw; 00757 struct auth_context *auth_context = NULL; 00758 00759 if ( (lp_server_schannel() == True) && (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) ) { 00760 /* 'server schannel = yes' should enforce use of 00761 schannel, the client did offer it in auth2, but 00762 obviously did not use it. */ 00763 DEBUG(0,("_net_sam_logon_internal: client %s not using schannel for netlogon\n", 00764 get_remote_machine_name() )); 00765 return NT_STATUS_ACCESS_DENIED; 00766 } 00767 00768 usr_info = TALLOC_P(p->mem_ctx, NET_USER_INFO_3); 00769 if (!usr_info) { 00770 return NT_STATUS_NO_MEMORY; 00771 } 00772 00773 ZERO_STRUCTP(usr_info); 00774 00775 /* store the user information, if there is any. */ 00776 r_u->user = usr_info; 00777 r_u->auth_resp = 1; /* authoritative response */ 00778 if (q_u->validation_level != 2 && q_u->validation_level != 3) { 00779 DEBUG(0,("_net_sam_logon: bad validation_level value %d.\n", (int)q_u->validation_level )); 00780 return NT_STATUS_ACCESS_DENIED; 00781 } 00782 /* We handle the return of USER_INFO_2 instead of 3 in the parse return. Sucks, I know... */ 00783 r_u->switch_value = q_u->validation_level; /* indicates type of validation user info */ 00784 r_u->buffer_creds = 1; /* Ensure we always return server creds. */ 00785 00786 if (!get_valid_user_struct(p->vuid)) 00787 return NT_STATUS_NO_SUCH_USER; 00788 00789 if (process_creds) { 00790 fstring remote_machine; 00791 00792 /* Get the remote machine name for the creds store. */ 00793 /* Note this is the remote machine this request is coming from (member server), 00794 not neccessarily the workstation name the user is logging onto. 00795 */ 00796 rpcstr_pull(remote_machine,q_u->sam_id.client.login.uni_comp_name.buffer, 00797 sizeof(remote_machine),q_u->sam_id.client.login.uni_comp_name.uni_str_len*2,0); 00798 00799 if (!p->dc) { 00800 /* Restore the saved state of the netlogon creds. */ 00801 BOOL ret; 00802 00803 become_root(); 00804 ret = secrets_restore_schannel_session_info(p->pipe_state_mem_ctx, 00805 remote_machine, 00806 &p->dc); 00807 unbecome_root(); 00808 if (!ret) { 00809 return NT_STATUS_INVALID_HANDLE; 00810 } 00811 } 00812 00813 if (!p->dc || !p->dc->authenticated) { 00814 return NT_STATUS_INVALID_HANDLE; 00815 } 00816 00817 /* checks and updates credentials. creates reply credentials */ 00818 if (!creds_server_step(p->dc, &q_u->sam_id.client.cred, &r_u->srv_creds)) { 00819 DEBUG(2,("_net_sam_logon: creds_server_step failed. Rejecting auth " 00820 "request from client %s machine account %s\n", 00821 remote_machine, p->dc->mach_acct )); 00822 return NT_STATUS_INVALID_PARAMETER; 00823 } 00824 00825 /* We must store the creds state after an update. */ 00826 become_root(); 00827 secrets_store_schannel_session_info(p->pipe_state_mem_ctx, 00828 remote_machine, 00829 p->dc); 00830 unbecome_root(); 00831 } 00832 00833 switch (q_u->sam_id.logon_level) { 00834 case INTERACTIVE_LOGON_TYPE: 00835 uni_samlogon_user = &ctr->auth.id1.uni_user_name; 00836 uni_samlogon_domain = &ctr->auth.id1.uni_domain_name; 00837 00838 uni_samlogon_workstation = &ctr->auth.id1.uni_wksta_name; 00839 00840 DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup())); 00841 break; 00842 case NET_LOGON_TYPE: 00843 uni_samlogon_user = &ctr->auth.id2.uni_user_name; 00844 uni_samlogon_domain = &ctr->auth.id2.uni_domain_name; 00845 uni_samlogon_workstation = &ctr->auth.id2.uni_wksta_name; 00846 00847 DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup())); 00848 break; 00849 default: 00850 DEBUG(2,("SAM Logon: unsupported switch value\n")); 00851 return NT_STATUS_INVALID_INFO_CLASS; 00852 } /* end switch */ 00853 00854 rpcstr_pull(nt_username,uni_samlogon_user->buffer,sizeof(nt_username),uni_samlogon_user->uni_str_len*2,0); 00855 rpcstr_pull(nt_domain,uni_samlogon_domain->buffer,sizeof(nt_domain),uni_samlogon_domain->uni_str_len*2,0); 00856 rpcstr_pull(nt_workstation,uni_samlogon_workstation->buffer,sizeof(nt_workstation),uni_samlogon_workstation->uni_str_len*2,0); 00857 00858 DEBUG(3,("User:[%s@%s] Requested Domain:[%s]\n", nt_username, nt_workstation, nt_domain)); 00859 fstrcpy(current_user_info.smb_name, nt_username); 00860 sub_set_smb_name(nt_username); 00861 00862 DEBUG(5,("Attempting validation level %d for unmapped username %s.\n", q_u->sam_id.ctr->switch_value, nt_username)); 00863 00864 status = NT_STATUS_OK; 00865 00866 switch (ctr->switch_value) { 00867 case NET_LOGON_TYPE: 00868 { 00869 const char *wksname = nt_workstation; 00870 00871 if (!NT_STATUS_IS_OK(status = make_auth_context_fixed(&auth_context, ctr->auth.id2.lm_chal))) { 00872 return status; 00873 } 00874 00875 /* For a network logon, the workstation name comes in with two 00876 * backslashes in the front. Strip them if they are there. */ 00877 00878 if (*wksname == '\\') wksname++; 00879 if (*wksname == '\\') wksname++; 00880 00881 /* Standard challenge/response authenticaion */ 00882 if (!make_user_info_netlogon_network(&user_info, 00883 nt_username, nt_domain, 00884 wksname, 00885 ctr->auth.id2.param_ctrl, 00886 ctr->auth.id2.lm_chal_resp.buffer, 00887 ctr->auth.id2.lm_chal_resp.str_str_len, 00888 ctr->auth.id2.nt_chal_resp.buffer, 00889 ctr->auth.id2.nt_chal_resp.str_str_len)) { 00890 status = NT_STATUS_NO_MEMORY; 00891 } 00892 break; 00893 } 00894 case INTERACTIVE_LOGON_TYPE: 00895 /* 'Interactive' authentication, supplies the password in its 00896 MD4 form, encrypted with the session key. We will convert 00897 this to challenge/response for the auth subsystem to chew 00898 on */ 00899 { 00900 const uint8 *chal; 00901 00902 if (!NT_STATUS_IS_OK(status = make_auth_context_subsystem(&auth_context))) { 00903 return status; 00904 } 00905 00906 chal = auth_context->get_ntlm_challenge(auth_context); 00907 00908 if (!make_user_info_netlogon_interactive(&user_info, 00909 nt_username, nt_domain, 00910 nt_workstation, 00911 ctr->auth.id1.param_ctrl, 00912 chal, 00913 ctr->auth.id1.lm_owf.data, 00914 ctr->auth.id1.nt_owf.data, 00915 p->dc->sess_key)) { 00916 status = NT_STATUS_NO_MEMORY; 00917 } 00918 break; 00919 } 00920 default: 00921 DEBUG(2,("SAM Logon: unsupported switch value\n")); 00922 return NT_STATUS_INVALID_INFO_CLASS; 00923 } /* end switch */ 00924 00925 if ( NT_STATUS_IS_OK(status) ) { 00926 status = auth_context->check_ntlm_password(auth_context, 00927 user_info, &server_info); 00928 } 00929 00930 (auth_context->free)(&auth_context); 00931 free_user_info(&user_info); 00932 00933 DEBUG(5, ("_net_sam_logon: check_password returned status %s\n", 00934 nt_errstr(status))); 00935 00936 /* Check account and password */ 00937 00938 if (!NT_STATUS_IS_OK(status)) { 00939 /* If we don't know what this domain is, we need to 00940 indicate that we are not authoritative. This 00941 allows the client to decide if it needs to try 00942 a local user. Fix by jpjanosi@us.ibm.com, #2976 */ 00943 if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER) 00944 && !strequal(nt_domain, get_global_sam_name()) 00945 && !is_trusted_domain(nt_domain) ) 00946 r_u->auth_resp = 0; /* We are not authoritative */ 00947 00948 TALLOC_FREE(server_info); 00949 return status; 00950 } 00951 00952 if (server_info->guest) { 00953 /* We don't like guest domain logons... */ 00954 DEBUG(5,("_net_sam_logon: Attempted domain logon as GUEST " 00955 "denied.\n")); 00956 TALLOC_FREE(server_info); 00957 return NT_STATUS_LOGON_FAILURE; 00958 } 00959 00960 /* This is the point at which, if the login was successful, that 00961 the SAM Local Security Authority should record that the user is 00962 logged in to the domain. */ 00963 00964 { 00965 DOM_GID *gids = NULL; 00966 const DOM_SID *user_sid = NULL; 00967 const DOM_SID *group_sid = NULL; 00968 DOM_SID domain_sid; 00969 uint32 user_rid, group_rid; 00970 00971 int num_gids = 0; 00972 pstring my_name; 00973 fstring user_sid_string; 00974 fstring group_sid_string; 00975 unsigned char user_session_key[16]; 00976 unsigned char lm_session_key[8]; 00977 unsigned char pipe_session_key[16]; 00978 00979 sampw = server_info->sam_account; 00980 00981 /* set up pointer indicating user/password failed to be 00982 * found */ 00983 usr_info->ptr_user_info = 0; 00984 00985 user_sid = pdb_get_user_sid(sampw); 00986 group_sid = pdb_get_group_sid(sampw); 00987 00988 if ((user_sid == NULL) || (group_sid == NULL)) { 00989 DEBUG(1, ("_net_sam_logon: User without group or user SID\n")); 00990 return NT_STATUS_UNSUCCESSFUL; 00991 } 00992 00993 sid_copy(&domain_sid, user_sid); 00994 sid_split_rid(&domain_sid, &user_rid); 00995 00996 if (!sid_peek_check_rid(&domain_sid, group_sid, &group_rid)) { 00997 DEBUG(1, ("_net_sam_logon: user %s\\%s has user sid " 00998 "%s\n but group sid %s.\n" 00999 "The conflicting domain portions are not " 01000 "supported for NETLOGON calls\n", 01001 pdb_get_domain(sampw), 01002 pdb_get_username(sampw), 01003 sid_to_string(user_sid_string, user_sid), 01004 sid_to_string(group_sid_string, group_sid))); 01005 return NT_STATUS_UNSUCCESSFUL; 01006 } 01007 01008 01009 if(server_info->login_server) { 01010 pstrcpy(my_name, server_info->login_server); 01011 } else { 01012 pstrcpy(my_name, global_myname()); 01013 } 01014 01015 status = nt_token_to_group_list(p->mem_ctx, &domain_sid, 01016 server_info->num_sids, 01017 server_info->sids, 01018 &num_gids, &gids); 01019 01020 if (!NT_STATUS_IS_OK(status)) { 01021 return status; 01022 } 01023 01024 if (server_info->user_session_key.length) { 01025 memcpy(user_session_key, 01026 server_info->user_session_key.data, 01027 MIN(sizeof(user_session_key), 01028 server_info->user_session_key.length)); 01029 if (process_creds) { 01030 /* Get the pipe session key from the creds. */ 01031 memcpy(pipe_session_key, p->dc->sess_key, 16); 01032 } else { 01033 /* Get the pipe session key from the schannel. */ 01034 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL || p->auth.a_u.schannel_auth == NULL) { 01035 return NT_STATUS_INVALID_HANDLE; 01036 } 01037 memcpy(pipe_session_key, p->auth.a_u.schannel_auth->sess_key, 16); 01038 } 01039 SamOEMhash(user_session_key, pipe_session_key, 16); 01040 memset(pipe_session_key, '\0', 16); 01041 } 01042 if (server_info->lm_session_key.length) { 01043 memcpy(lm_session_key, 01044 server_info->lm_session_key.data, 01045 MIN(sizeof(lm_session_key), 01046 server_info->lm_session_key.length)); 01047 if (process_creds) { 01048 /* Get the pipe session key from the creds. */ 01049 memcpy(pipe_session_key, p->dc->sess_key, 16); 01050 } else { 01051 /* Get the pipe session key from the schannel. */ 01052 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL || p->auth.a_u.schannel_auth == NULL) { 01053 return NT_STATUS_INVALID_HANDLE; 01054 } 01055 memcpy(pipe_session_key, p->auth.a_u.schannel_auth->sess_key, 16); 01056 } 01057 SamOEMhash(lm_session_key, pipe_session_key, 8); 01058 memset(pipe_session_key, '\0', 16); 01059 } 01060 01061 init_net_user_info3(p->mem_ctx, usr_info, 01062 user_rid, 01063 group_rid, 01064 pdb_get_username(sampw), 01065 pdb_get_fullname(sampw), 01066 pdb_get_homedir(sampw), 01067 pdb_get_dir_drive(sampw), 01068 pdb_get_logon_script(sampw), 01069 pdb_get_profile_path(sampw), 01070 pdb_get_logon_time(sampw), 01071 get_time_t_max(), 01072 get_time_t_max(), 01073 pdb_get_pass_last_set_time(sampw), 01074 pdb_get_pass_can_change_time(sampw), 01075 pdb_get_pass_must_change_time(sampw), 01076 0, /* logon_count */ 01077 0, /* bad_pw_count */ 01078 num_gids, /* uint32 num_groups */ 01079 gids , /* DOM_GID *gids */ 01080 LOGON_EXTRA_SIDS, /* uint32 user_flgs (?) */ 01081 pdb_get_acct_ctrl(sampw), 01082 server_info->user_session_key.length ? user_session_key : NULL, 01083 server_info->lm_session_key.length ? lm_session_key : NULL, 01084 my_name , /* char *logon_srv */ 01085 pdb_get_domain(sampw), 01086 &domain_sid); /* DOM_SID *dom_sid */ 01087 ZERO_STRUCT(user_session_key); 01088 ZERO_STRUCT(lm_session_key); 01089 } 01090 TALLOC_FREE(server_info); 01091 return status; 01092 }
| NTSTATUS _net_sam_logon | ( | pipes_struct * | p, | |
| NET_Q_SAM_LOGON * | q_u, | |||
| NET_R_SAM_LOGON * | r_u | |||
| ) |
srv_netlog_nt.c の 1098 行で定義されています。
参照先 _net_sam_logon_internal().
参照元 api_net_sam_logon().
01099 { 01100 return _net_sam_logon_internal(p, q_u, r_u, True); 01101 }
| NTSTATUS _net_sam_logon_ex | ( | pipes_struct * | p, | |
| NET_Q_SAM_LOGON_EX * | q_u, | |||
| NET_R_SAM_LOGON_EX * | r_u | |||
| ) |
srv_netlog_nt.c の 1107 行で定義されています。
参照先 _net_sam_logon_internal()・pipes_struct::auth・net_r_sam_logon_info::auth_resp・net_r_sam_logon_info_ex::auth_resp・pipe_auth_data::auth_type・sam_info_ex::client・sam_info::client・sam_info_ex::ctr・sam_info::ctr・net_r_sam_logon_info_ex::flags・get_remote_machine_name()・clnt_info2::login・sam_info_ex::logon_level・sam_info::logon_level・PIPE_AUTH_TYPE_SCHANNEL・net_q_sam_logon_info_ex::sam_id・net_q_sam_logon_info::sam_id・net_r_sam_logon_info_ex::status・net_r_sam_logon_info::switch_value・net_r_sam_logon_info_ex::switch_value・net_r_sam_logon_info::user・net_r_sam_logon_info_ex::user・net_q_sam_logon_info_ex::validation_level・net_q_sam_logon_info::validation_level.
01108 { 01109 NET_Q_SAM_LOGON q; 01110 NET_R_SAM_LOGON r; 01111 01112 ZERO_STRUCT(q); 01113 ZERO_STRUCT(r); 01114 01115 /* Only allow this if the pipe is protected. */ 01116 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { 01117 DEBUG(0,("_net_sam_logon_ex: client %s not using schannel for netlogon\n", 01118 get_remote_machine_name() )); 01119 return NT_STATUS_INVALID_PARAMETER; 01120 } 01121 01122 /* Map a NET_Q_SAM_LOGON_EX to NET_Q_SAM_LOGON. */ 01123 q.validation_level = q_u->validation_level; 01124 01125 /* Map a DOM_SAM_INFO_EX into a DOM_SAM_INFO with no creds. */ 01126 q.sam_id.client.login = q_u->sam_id.client; 01127 q.sam_id.logon_level = q_u->sam_id.logon_level; 01128 q.sam_id.ctr = q_u->sam_id.ctr; 01129 01130 r_u->status = _net_sam_logon_internal(p, &q, &r, False); 01131 01132 if (!NT_STATUS_IS_OK(r_u->status)) { 01133 return r_u->status; 01134 } 01135 01136 /* Map the NET_R_SAM_LOGON to NET_R_SAM_LOGON_EX. */ 01137 r_u->switch_value = r.switch_value; 01138 r_u->user = r.user; 01139 r_u->auth_resp = r.auth_resp; 01140 r_u->flags = 0; /* FIXME ! */ 01141 return r_u->status; 01142 }
| NTSTATUS _ds_enum_dom_trusts | ( | pipes_struct * | p, | |
| DS_Q_ENUM_DOM_TRUSTS * | q_u, | |||
| DS_R_ENUM_DOM_TRUSTS * | r_u | |||
| ) |
srv_netlog_nt.c の 1148 行で定義されています。
参照先 status.
01150 { 01151 NTSTATUS status = NT_STATUS_OK; 01152 01153 /* TODO: According to MSDN, the can only be executed against a 01154 DC or domain member running Windows 2000 or later. Need 01155 to test against a standalone 2k server and see what it 01156 does. A windows 2000 DC includes its own domain in the 01157 list. --jerry */ 01158 01159 return status; 01160 }
substitute.c の 29 行で定義されています。
1.4.7