The branch, master has been updated
via 821a202 s4:rpc_server/netlogon: netr_ServerAuthenticate3 should
return NO_TRUST_SAM_ACCOUNT
via f0879fc s4:rpc_server/netlogon: netr_ServerAuthenticate3 should
reject invalid sec_channel_types early
via c2696b2 s4:rpc_server/netlogon: netr_ServerAuthenticate3 should
check the challenge after the account
via 5ee49fc s4:rpc_server/netlogon: fix comment in netr_DsRGetDCName()
via 675c354 s4:rpc_server/netlogon: handle DC_RETURN_NETBIOS and
DC_RETURN_DNS in netr_DsRGetDCNameEx2()
via fcc2f6b s4:rpc_server/netlogon: validate flags in
netr_DsRGetDCNameEx2() and callers
via e297625 s4:rpc_server/netlogon: netr_GetDcName should return
WERR_DCNOTFOUND for invalid names
via 4a4738b misc.idl: add SEC_CHAN_LOCAL and SEC_CHAN_LANMAN
from c320c1a lib/util: Add tevent WERROR wrappers
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 821a20221df8e5ad8c8ca3ebf43bd4257b724ad9
Author: Stefan Metzmacher <[email protected]>
Date: Sat Oct 23 11:03:41 2010 +0200
s4:rpc_server/netlogon: netr_ServerAuthenticate3 should return
NO_TRUST_SAM_ACCOUNT
If we can't find the account we should return NT_STATUS_NO_TRUST_SAM_ACCOUNT
instead of NT_STATUS_ACCESS_DENIED.
metze
Autobuild-User: Stefan Metzmacher <[email protected]>
Autobuild-Date: Sat Oct 23 10:05:35 UTC 2010 on sn-devel-104
commit f0879fc3b2dbdf9508443429cdb242f759d31cfe
Author: Stefan Metzmacher <[email protected]>
Date: Sat Oct 23 11:02:43 2010 +0200
s4:rpc_server/netlogon: netr_ServerAuthenticate3 should reject invalid
sec_channel_types early
metze
commit c2696b2ec37815a1bc0594295b6fe81b3e156c11
Author: Stefan Metzmacher <[email protected]>
Date: Sat Oct 23 11:01:43 2010 +0200
s4:rpc_server/netlogon: netr_ServerAuthenticate3 should check the challenge
after the account
metze
commit 5ee49fc1c1afe7a0d4cc2ae6bfe44c21dd1fdb83
Author: Stefan Metzmacher <[email protected]>
Date: Thu Sep 30 00:33:18 2010 +0200
s4:rpc_server/netlogon: fix comment in netr_DsRGetDCName()
metze
commit 675c354b6bdc525bec1c1aa0a67c1a79b5f93e0c
Author: Stefan Metzmacher <[email protected]>
Date: Thu Sep 30 00:29:48 2010 +0200
s4:rpc_server/netlogon: handle DC_RETURN_NETBIOS and DC_RETURN_DNS in
netr_DsRGetDCNameEx2()
metze
commit fcc2f6ba4a1c853a6e836cd4b45c8da3e6601992
Author: Stefan Metzmacher <[email protected]>
Date: Thu Sep 30 00:27:52 2010 +0200
s4:rpc_server/netlogon: validate flags in netr_DsRGetDCNameEx2() and callers
Thanks to Tarun Chopra for the help of looking up all the bits in
the docs.
metze
commit e297625d96a6ad6deba4edf2dc69756ba67aa452
Author: Stefan Metzmacher <[email protected]>
Date: Wed Sep 29 20:36:40 2010 +0200
s4:rpc_server/netlogon: netr_GetDcName should return WERR_DCNOTFOUND for
invalid names
Only netbios domain names are allowed.
metze
commit 4a4738b56a0ed34b9cea2c66a1867dbff1d785df
Author: Stefan Metzmacher <[email protected]>
Date: Sat Oct 23 10:55:49 2010 +0200
misc.idl: add SEC_CHAN_LOCAL and SEC_CHAN_LANMAN
MsvApSecureChannel and UasServerSecureChannel in [MS-NRPC]
metze
-----------------------------------------------------------------------
Summary of changes:
librpc/idl/misc.idl | 2 +
source4/rpc_server/netlogon/dcerpc_netlogon.c | 131 +++++++++++++++++++++----
2 files changed, 113 insertions(+), 20 deletions(-)
Changeset truncated at 500 lines:
diff --git a/librpc/idl/misc.idl b/librpc/idl/misc.idl
index e928460..d37e515 100644
--- a/librpc/idl/misc.idl
+++ b/librpc/idl/misc.idl
@@ -37,9 +37,11 @@ interface misc
typedef [public] enum {
SEC_CHAN_NULL = 0,
+ SEC_CHAN_LOCAL = 1,
SEC_CHAN_WKSTA = 2,
SEC_CHAN_DNS_DOMAIN = 3,
SEC_CHAN_DOMAIN = 4,
+ SEC_CHAN_LANMAN = 5,
SEC_CHAN_BDC = 6,
SEC_CHAN_RODC = 7
} netr_SchannelType;
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c
b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index b4fe5dc..680b766 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -125,9 +125,17 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct
dcesrv_call_state *dce_ca
NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
NETLOGON_NEG_AUTHENTICATED_RPC;
- if (!pipe_state) {
- DEBUG(1, ("No challenge requested by client, cannot
authenticate\n"));
- return NT_STATUS_ACCESS_DENIED;
+ switch (r->in.secure_channel_type) {
+ case SEC_CHAN_WKSTA:
+ case SEC_CHAN_DNS_DOMAIN:
+ case SEC_CHAN_DOMAIN:
+ case SEC_CHAN_BDC:
+ case SEC_CHAN_RODC:
+ break;
+ default:
+ DEBUG(1, ("Client asked for an invalid secure channel type:
%d\n",
+ r->in.secure_channel_type));
+ return NT_STATUS_INVALID_PARAMETER;
}
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
dce_call->conn->dce_ctx->lp_ctx,
@@ -157,7 +165,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct
dcesrv_call_state *dce_ca
if (num_records == 0) {
DEBUG(3,("Couldn't find trust [%s] in samdb.\n",
encoded_account));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
if (num_records > 1) {
@@ -168,7 +176,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct
dcesrv_call_state *dce_ca
flatname = ldb_msg_find_attr_as_string(msgs[0], "flatname",
NULL);
if (!flatname) {
/* No flatname for this trust - we can't proceed */
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
account_name = talloc_asprintf(mem_ctx, "%s$", flatname);
@@ -188,7 +196,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct
dcesrv_call_state *dce_ca
if (num_records == 0) {
DEBUG(3,("Couldn't find user [%s] in samdb.\n",
r->in.account_name));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
if (num_records > 1) {
@@ -200,35 +208,34 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct
dcesrv_call_state *dce_ca
if (user_account_control & UF_ACCOUNTDISABLE) {
DEBUG(1, ("Account [%s] is disabled\n", r->in.account_name));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
if (r->in.secure_channel_type == SEC_CHAN_WKSTA) {
if (!(user_account_control & UF_WORKSTATION_TRUST_ACCOUNT)) {
DEBUG(1, ("Client asked for a workstation secure
channel, but is not a workstation (member server) acb flags: 0x%x\n",
user_account_control));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
} else if (r->in.secure_channel_type == SEC_CHAN_DOMAIN ||
r->in.secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
if (!(user_account_control & UF_INTERDOMAIN_TRUST_ACCOUNT)) {
DEBUG(1, ("Client asked for a trusted domain secure
channel, but is not a trusted domain: acb flags: 0x%x\n",
user_account_control));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
} else if (r->in.secure_channel_type == SEC_CHAN_BDC) {
if (!(user_account_control & UF_SERVER_TRUST_ACCOUNT)) {
DEBUG(1, ("Client asked for a server secure channel,
but is not a server (domain controller): acb flags: 0x%x\n",
user_account_control));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
} else if (r->in.secure_channel_type == SEC_CHAN_RODC) {
if (!(user_account_control & UF_PARTIAL_SECRETS_ACCOUNT)) {
DEBUG(1, ("Client asked for a RODC secure channel, but
is not a RODC: acb flags: 0x%x\n", user_account_control));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
}
} else {
- DEBUG(1, ("Client asked for an invalid secure channel type:
%d\n",
- r->in.secure_channel_type));
- return NT_STATUS_ACCESS_DENIED;
+ /* we should never reach this */
+ return NT_STATUS_INTERNAL_ERROR;
}
*r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
@@ -239,6 +246,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct
dcesrv_call_state *dce_ca
return NT_STATUS_ACCESS_DENIED;
}
+ if (!pipe_state) {
+ DEBUG(1, ("No challenge requested by client, cannot
authenticate\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
creds = netlogon_creds_server_init(mem_ctx,
r->in.account_name,
r->in.computer_name,
@@ -940,6 +952,25 @@ static WERROR dcesrv_netr_GetDcName(struct
dcesrv_call_state *dce_call, TALLOC_C
int ret;
const char *dcname;
+ /*
+ * [MS-NRPC] 3.5.5.3.4 NetrGetDCName says
+ * that the domainname needs to be a valid netbios domain
+ * name, if it is not NULL.
+ */
+ if (r->in.domainname) {
+ const char *dot = strchr(r->in.domainname, '.');
+ size_t len = strlen(r->in.domainname);
+
+ if (dot || len > 15) {
+ return WERR_DCNOTFOUND;
+ }
+
+ /*
+ * TODO: Should we also varify that only valid
+ * netbios name characters are used?
+ */
+ }
+
sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
dce_call->conn->dce_ctx->lp_ctx,
dce_call->conn->auth_state.session_info, 0);
@@ -1553,6 +1584,8 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct
dcesrv_call_state *dce_call,
char *guid_str;
struct netlogon_samlogon_response response;
NTSTATUS status;
+ const char *dc_name = NULL;
+ const char *domain_name = NULL;
ZERO_STRUCTP(r->out.info);
@@ -1570,6 +1603,43 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct
dcesrv_call_state *dce_call,
/* "server_unc" is ignored by w2k3 */
+ if (r->in.flags & ~(DSGETDC_VALID_FLAGS)) {
+ return WERR_INVALID_FLAGS;
+ }
+
+ if (r->in.flags & DS_GC_SERVER_REQUIRED &&
+ r->in.flags & DS_PDC_REQUIRED &&
+ r->in.flags & DS_KDC_REQUIRED) {
+ return WERR_INVALID_FLAGS;
+ }
+ if (r->in.flags & DS_IS_FLAT_NAME &&
+ r->in.flags & DS_IS_DNS_NAME) {
+ return WERR_INVALID_FLAGS;
+ }
+ if (r->in.flags & DS_RETURN_DNS_NAME &&
+ r->in.flags & DS_RETURN_FLAT_NAME) {
+ return WERR_INVALID_FLAGS;
+ }
+ if (r->in.flags & DS_DIRECTORY_SERVICE_REQUIRED &&
+ r->in.flags & DS_DIRECTORY_SERVICE_6_REQUIRED) {
+ return WERR_INVALID_FLAGS;
+ }
+
+ if (r->in.flags & DS_GOOD_TIMESERV_PREFERRED &&
+ r->in.flags &
+ (DS_DIRECTORY_SERVICE_REQUIRED |
+ DS_DIRECTORY_SERVICE_PREFERRED |
+ DS_GC_SERVER_REQUIRED |
+ DS_PDC_REQUIRED |
+ DS_KDC_REQUIRED)) {
+ return WERR_INVALID_FLAGS;
+ }
+
+ if (r->in.flags & DS_TRY_NEXTCLOSEST_SITE &&
+ r->in.site_name) {
+ return WERR_INVALID_FLAGS;
+ }
+
/* Proof server site parameter "site_name" if it was specified */
server_site_name = samdb_server_site_name(sam_ctx, mem_ctx);
W_ERROR_HAVE_NO_MEMORY(server_site_name);
@@ -1578,8 +1648,6 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct
dcesrv_call_state *dce_call,
return WERR_NO_SUCH_DOMAIN;
}
- /* TODO: the flags are ignored for now */
-
guid_str = r->in.domain_guid != NULL ?
GUID_string(mem_ctx, r->in.domain_guid) : NULL;
@@ -1595,17 +1663,40 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct
dcesrv_call_state *dce_call,
return ntstatus_to_werror(status);
}
+ if (r->in.flags & DS_RETURN_DNS_NAME) {
+ dc_name = response.data.nt5_ex.pdc_dns_name;
+ domain_name = response.data.nt5_ex.dns_domain;
+ } else if (r->in.flags & DS_RETURN_FLAT_NAME) {
+ dc_name = response.data.nt5_ex.pdc_name;
+ domain_name = response.data.nt5_ex.domain_name;
+ } else {
+
+ /*
+ * TODO: autodetect what we need to return
+ * based on the given arguments
+ */
+ dc_name = response.data.nt5_ex.pdc_name;
+ domain_name = response.data.nt5_ex.domain_name;
+ }
+
+ if (!dc_name || !dc_name[0]) {
+ return WERR_NO_SUCH_DOMAIN;
+ }
+
+ if (!domain_name || !domain_name[0]) {
+ return WERR_NO_SUCH_DOMAIN;
+ }
+
info = talloc(mem_ctx, struct netr_DsRGetDCNameInfo);
W_ERROR_HAVE_NO_MEMORY(info);
- info->dc_unc = talloc_asprintf(mem_ctx, "\\\\%s",
-
response.data.nt5_ex.pdc_dns_name);
+ info->dc_unc = talloc_asprintf(mem_ctx, "\\\\%s", dc_name);
W_ERROR_HAVE_NO_MEMORY(info->dc_unc);
info->dc_address = talloc_asprintf(mem_ctx, "\\\\%s",
response.data.nt5_ex.sockaddr.pdc_ip);
W_ERROR_HAVE_NO_MEMORY(info->dc_address);
info->dc_address_type = DS_ADDRESS_TYPE_INET; /* TODO: make this
dynamic? for ipv6 */
info->domain_guid = response.data.nt5_ex.domain_uuid;
- info->domain_name = response.data.nt5_ex.dns_domain;
+ info->domain_name = domain_name;
info->forest_name = response.data.nt5_ex.forest;
info->dc_flags = response.data.nt5_ex.server_type;
info->dc_site_name = response.data.nt5_ex.server_site;
@@ -1658,7 +1749,7 @@ static WERROR dcesrv_netr_DsRGetDCName(struct
dcesrv_call_state *dce_call, TALLO
r2.in.domain_name = r->in.domain_name;
r2.in.domain_guid = r->in.domain_guid;
- r2.in.site_name = NULL; /* should fill in from site GUID */
+ r2.in.site_name = NULL; /* this is correct, we should ignore site GUID
*/
r2.in.flags = r->in.flags;
r2.out.info = r->out.info;
--
Samba Shared Repository
