xref: /titanic_51/usr/src/lib/smbsrv/libsmbns/common/smbns_netlogon.c (revision ac19272f7eb4a433cfccf2fdccc769cca5528169)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*
29  * This module handles the primary domain controller location protocol.
30  * The document claims to be version 1.15 of the browsing protocol. It also
31  * claims to specify the mailslot protocol.
32  *
33  * The NETLOGON protocol uses \MAILSLOT\NET mailslots. The protocol
34  * specification is incomplete, contains errors and is out-of-date but
35  * it does provide some useful background information. The document
36  * doesn't mention the NETLOGON_SAMLOGON version of the protocol.
37  */
38 
39 #include <stdlib.h>
40 #include <syslog.h>
41 #include <alloca.h>
42 #include <arpa/inet.h>
43 #include <resolv.h>
44 
45 #include <smbsrv/mailslot.h>
46 #include <smbsrv/libsmbns.h>
47 #include <smbns_ads.h>
48 #include <smbns_browser.h>
49 #include <smbns_netbios.h>
50 
51 static void smb_netlogon_query(struct name_entry *server, char *mailbox,
52     char *domain);
53 
54 static void smb_netlogon_samlogon(struct name_entry *server, char *mailbox,
55     char *domain);
56 
57 static void smb_netlogon_send(struct name_entry *name, char *domain,
58     unsigned char *buffer, int count);
59 
60 static void smb_netlogon_rdc_rsp(char *src_name, uint32_t src_ipaddr);
61 static int better_dc(uint32_t cur_ip, uint32_t new_ip);
62 
63 static char resource_domain[SMB_PI_MAX_DOMAIN];
64 
65 /*
66  * smb_netlogon_request
67  *
68  * This is the entry point locating the resource domain PDC. A netlogon
69  * request is sent using the specified protocol on the specified network.
70  * Note that we need to know the domain SID in order to use the samlogon
71  * format.
72  *
73  * Netlogon responses are received asynchronously and eventually handled
74  * in smb_netlogon_receive.
75  */
76 void
77 smb_netlogon_request(int net, int protocol, char *domain)
78 {
79 	struct name_entry *server;
80 	nt_domain_t *ntdp;
81 
82 	server = smb_browser_get_srvname(net);
83 	if (server == 0)
84 		return;
85 
86 	(void) strlcpy(resource_domain, domain,
87 	    sizeof (resource_domain));
88 
89 	if (strlen(resource_domain) > 0) {
90 		ntdp = nt_domain_lookup_name(resource_domain);
91 		if (protocol == NETLOGON_PROTO_SAMLOGON && ntdp)
92 			smb_netlogon_samlogon(server,
93 			    MAILSLOT_NETLOGON_SAMLOGON_RDC,
94 			    resource_domain);
95 		else
96 			smb_netlogon_query(server,
97 			    MAILSLOT_NETLOGON_RDC,
98 			    resource_domain);
99 	}
100 }
101 
102 /*
103  * smb_netlogon_receive
104  *
105  * This is where we handle all incoming NetLogon messages. Currently, we
106  * ignore requests from anyone else. We are only interested in responses
107  * to our own requests. The NetLogonResponse provides the name of the PDC.
108  * If we don't already have a controller name, we use the name provided
109  * in the message. Otherwise we use the name already in the environment.
110  */
111 void
112 smb_netlogon_receive(struct datagram *datagram,
113 				char *mailbox,
114 				unsigned char *data,
115 				int datalen)
116 {
117 	struct netlogon_opt {
118 		char *mailslot;
119 		void (*handler)();
120 	} netlogon_opt[] = {
121 		{ MAILSLOT_NETLOGON_RDC, smb_netlogon_rdc_rsp },
122 		{ MAILSLOT_NETLOGON_SAMLOGON_RDC, smb_netlogon_rdc_rsp },
123 	};
124 
125 	smb_msgbuf_t mb;
126 	unsigned short opcode;
127 	char src_name[SMB_PI_MAX_HOST];
128 	mts_wchar_t unicode_src_name[SMB_PI_MAX_HOST];
129 	unsigned int cpid = oem_get_smb_cpid();
130 	uint32_t src_ipaddr;
131 	char *junk;
132 	char *primary;
133 	char *domain;
134 	int i;
135 	char ipstr[16];
136 	int rc;
137 
138 	src_ipaddr = datagram->src.addr_list.sin.sin_addr.s_addr;
139 
140 	/*
141 	 * The datagram->src.name is in oem codepage format.
142 	 * Therefore, we need to convert it to unicode and
143 	 * store it in multi-bytes format.
144 	 */
145 	(void) oemstounicodes(unicode_src_name, (char *)datagram->src.name,
146 	    SMB_PI_MAX_HOST, cpid);
147 	(void) mts_wcstombs(src_name, unicode_src_name, SMB_PI_MAX_HOST);
148 
149 	(void) trim_whitespace(src_name);
150 
151 	(void) inet_ntop(AF_INET, (const void *)(&src_ipaddr), ipstr,
152 	    sizeof (ipstr));
153 	syslog(LOG_DEBUG, "NetLogonReceive: src=%s [%s], mbx=%s",
154 	    src_name, ipstr, mailbox);
155 
156 	smb_msgbuf_init(&mb, data, datalen, 0);
157 
158 	if (smb_msgbuf_decode(&mb, "w", &opcode) < 0) {
159 		syslog(LOG_ERR, "NetLogonReceive: decode error");
160 		smb_msgbuf_term(&mb);
161 		return;
162 	}
163 
164 	switch (opcode) {
165 	case LOGON_PRIMARY_RESPONSE:
166 		/*
167 		 * Message contains:
168 		 * PDC name (MBS), PDC name (Unicode), Domain name (unicode)
169 		 */
170 		rc = smb_msgbuf_decode(&mb, "sUU", &junk, &primary, &domain);
171 		if (rc < 0) {
172 			syslog(LOG_ERR,
173 			    "NetLogonResponse: opcode %d decode error",
174 			    opcode);
175 			smb_msgbuf_term(&mb);
176 			return;
177 		}
178 		break;
179 
180 	case LOGON_SAM_LOGON_RESPONSE:
181 	case LOGON_SAM_USER_UNKNOWN:
182 		/*
183 		 * Message contains:
184 		 * PDC name, User name, Domain name (all unicode)
185 		 */
186 		rc = smb_msgbuf_decode(&mb, "UUU", &primary, &junk, &domain);
187 		if (rc < 0) {
188 			syslog(LOG_ERR,
189 			    "NetLogonResponse: opcode %d decode error",
190 			    opcode);
191 			smb_msgbuf_term(&mb);
192 			return;
193 		}
194 
195 		/*
196 		 * skip past the "\\" prefix
197 		 */
198 		primary += strspn(primary, "\\");
199 		break;
200 
201 	default:
202 		/*
203 		 * We don't respond to PDC discovery requests.
204 		 */
205 		syslog(LOG_DEBUG, "NetLogonReceive: opcode 0x%04x", opcode);
206 		smb_msgbuf_term(&mb);
207 		return;
208 	}
209 
210 	if (domain == 0 || primary == 0) {
211 		syslog(LOG_ERR, "NetLogonResponse: malformed packet");
212 		smb_msgbuf_term(&mb);
213 		return;
214 	}
215 
216 	syslog(LOG_DEBUG, "DC Offer Dom=%s PDC=%s From=%s",
217 	    domain, primary, src_name);
218 
219 	if (strcasecmp(domain, resource_domain)) {
220 		syslog(LOG_DEBUG, "NetLogonResponse: other domain "
221 		    "%s, requested %s", domain, resource_domain);
222 		smb_msgbuf_term(&mb);
223 		return;
224 	}
225 
226 	for (i = 0; i < sizeof (netlogon_opt)/sizeof (netlogon_opt[0]); ++i) {
227 		if (strcasecmp(netlogon_opt[i].mailslot, mailbox) == 0) {
228 			syslog(LOG_DEBUG, "NetLogonReceive: %s", mailbox);
229 			(*netlogon_opt[i].handler)(primary, src_ipaddr);
230 			smb_msgbuf_term(&mb);
231 			return;
232 		}
233 	}
234 
235 	syslog(LOG_DEBUG, "NetLogonReceive[%s]: unknown mailslot", mailbox);
236 	smb_msgbuf_term(&mb);
237 }
238 
239 
240 
241 /*
242  * smb_netlogon_query
243  *
244  * Build and send a LOGON_PRIMARY_QUERY to the MAILSLOT_NETLOGON. At some
245  * point we should receive a LOGON_PRIMARY_RESPONSE in the mailslot we
246  * specify in the request.
247  *
248  *  struct NETLOGON_QUERY {
249  *	unsigned short Opcode;		# LOGON_PRIMARY_QUERY
250  *	char ComputerName[];		# ASCII hostname. The response
251  *					# is sent to <ComputerName>(00).
252  *	char MailslotName[];		# MAILSLOT_NETLOGON
253  *	char Pad[];			# Pad to short
254  *	wchar_t ComputerName[]		# UNICODE hostname
255  *	DWORD NT_Version;		# 0x00000001
256  *	WORD LmNTToken;			# 0xffff
257  *	WORD Lm20Token;			# 0xffff
258  *  };
259  */
260 static void
261 smb_netlogon_query(struct name_entry *server,
262 			char *mailbox,
263 			char *domain)
264 {
265 	smb_msgbuf_t mb;
266 	int offset, announce_len, data_length, name_lengths;
267 	unsigned char buffer[MAX_DATAGRAM_LENGTH];
268 	char hostname[MAXHOSTNAMELEN];
269 
270 	if (smb_gethostname(hostname, MAXHOSTNAMELEN, 1) != 0)
271 		return;
272 
273 	name_lengths = strlen(mailbox)+1+strlen(hostname)+1;
274 
275 	/*
276 	 * The (name_lengths & 1) part is to word align the name_lengths
277 	 * before the wc equiv strlen and the "+ 2" is to cover the two
278 	 * zero bytes that terminate the wchar string.
279 	 */
280 	data_length = sizeof (short) + name_lengths + (name_lengths & 1) +
281 	    mts_wcequiv_strlen(hostname) + 2 + sizeof (long) + sizeof (short) +
282 	    sizeof (short);
283 
284 	offset = smb_browser_load_transact_header(buffer,
285 	    sizeof (buffer), data_length, ONE_WAY_TRANSACTION,
286 	    MAILSLOT_NETLOGON);
287 
288 	if (offset < 0)
289 		return;
290 
291 	smb_msgbuf_init(&mb, buffer + offset, sizeof (buffer) - offset, 0);
292 
293 	announce_len = smb_msgbuf_encode(&mb, "wssUlww",
294 	    (short)LOGON_PRIMARY_QUERY,
295 	    hostname,
296 	    mailbox,
297 	    hostname,
298 	    0x1,
299 	    0xffff,
300 	    0xffff);
301 
302 	if (announce_len <= 0) {
303 		smb_msgbuf_term(&mb);
304 		syslog(LOG_ERR, "NetLogonQuery: encode error");
305 		return;
306 	}
307 
308 	smb_netlogon_send(server, domain, buffer, offset + announce_len);
309 	smb_msgbuf_term(&mb);
310 }
311 
312 
313 /*
314  * smb_netlogon_samlogon
315  *
316  * The SamLogon version of the NetLogon request uses the workstation trust
317  * account and, I think, may be a prerequisite to the challenge/response
318  * netr authentication. The trust account username is the hostname with a
319  * $ appended. The mailslot for this request is MAILSLOT_NTLOGON. At some
320  * we should receive a LOGON_SAM_LOGON_RESPONSE in the mailslot we
321  * specify in the request.
322  *
323  * struct NETLOGON_SAM_LOGON {
324  *	unsigned short Opcode;			# LOGON_SAM_LOGON_REQUEST
325  *	unsigned short RequestCount;		# 0
326  *	wchar_t UnicodeComputerName;		# hostname
327  *	wchar_t UnicodeUserName;		# hostname$
328  *	char *MailslotName;			# response mailslot
329  *	DWORD AllowableAccountControlBits;	# 0x80 = WorkstationTrustAccount
330  *	DWORD DomainSidSize;			# domain sid length in bytes
331  *	BYTE *DomainSid;			# domain sid
332  *	uint32_t   NT_Version;		# 0x00000001
333  *	unsigned short  LmNTToken;		# 0xffff
334  *	unsigned short  Lm20Token;		# 0xffff
335  * };
336  */
337 static void
338 smb_netlogon_samlogon(struct name_entry *server,
339 			char *mailbox,
340 			char *domain)
341 {
342 	smb_msgbuf_t mb;
343 	nt_domain_t *ntdp;
344 	nt_sid_t *domain_sid;
345 	unsigned domain_sid_len;
346 	char *username;
347 	unsigned char buffer[MAX_DATAGRAM_LENGTH];
348 	int offset;
349 	int announce_len;
350 	int data_length;
351 	int name_length;
352 	char hostname[MAXHOSTNAMELEN];
353 
354 	syslog(LOG_DEBUG, "NetLogonSamLogonReq: %s", domain);
355 
356 	if ((ntdp = nt_domain_lookup_name(domain)) == 0) {
357 		syslog(LOG_ERR, "NetLogonSamLogonReq[%s]: no sid", domain);
358 		return;
359 	}
360 
361 	domain_sid = ntdp->sid;
362 	domain_sid_len = nt_sid_length(domain_sid);
363 	nt_sid_logf(domain_sid);
364 
365 	if (smb_gethostname(hostname, MAXHOSTNAMELEN, 1) != 0)
366 		return;
367 
368 	/*
369 	 * The username will be the trust account name on the PDC.
370 	 */
371 	name_length = strlen(hostname) + 2;
372 	username = alloca(name_length);
373 	(void) snprintf(username, name_length, "%s$", hostname);
374 
375 	/*
376 	 * Add 2 to wide-char equivalent strlen to cover the
377 	 * two zero bytes that terminate the wchar string.
378 	 */
379 	name_length = strlen(mailbox)+1;
380 
381 	data_length = sizeof (short)
382 	    + sizeof (short)
383 	    + mts_wcequiv_strlen(hostname) + 2
384 	    + mts_wcequiv_strlen(username) + 2
385 	    + name_length
386 	    + sizeof (long)
387 	    + sizeof (long)
388 	    + domain_sid_len + 3 /* padding */
389 	    + sizeof (long)
390 	    + sizeof (short)
391 	    + sizeof (short);
392 
393 	offset = smb_browser_load_transact_header(buffer,
394 	    sizeof (buffer), data_length, ONE_WAY_TRANSACTION,
395 	    MAILSLOT_NTLOGON);
396 
397 	if (offset < 0) {
398 		syslog(LOG_ERR, "NetLogonSamLogonReq: header error");
399 		return;
400 	}
401 
402 	/*
403 	 * The domain SID is padded with 3 leading zeros.
404 	 */
405 	smb_msgbuf_init(&mb, buffer + offset, sizeof (buffer) - offset, 0);
406 	announce_len = smb_msgbuf_encode(&mb, "wwUUsll3.#clww",
407 	    (short)LOGON_SAM_LOGON_REQUEST,
408 	    0,				/* RequestCount */
409 	    hostname,	/* UnicodeComputerName */
410 	    username,			/* UnicodeUserName */
411 	    mailbox,			/* MailslotName */
412 	    0x00000080,			/* AllowableAccountControlBits */
413 	    domain_sid_len,		/* DomainSidSize */
414 	    domain_sid_len, domain_sid,	/* DomainSid */
415 	    0x00000001,			/* NT_Version */
416 	    0xffff,			/* LmNTToken */
417 	    0xffff);			/* Lm20Token */
418 
419 	if (announce_len <= 0) {
420 		syslog(LOG_ERR, "NetLogonSamLogonReq: encode error");
421 		smb_msgbuf_term(&mb);
422 		return;
423 	}
424 
425 	smb_netlogon_send(server, domain, buffer, offset + announce_len);
426 	smb_msgbuf_term(&mb);
427 }
428 
429 
430 /*
431  * Send a query for each version of the protocol.
432  */
433 static void
434 smb_netlogon_send(struct name_entry *name,
435 			char *domain,
436 			unsigned char *buffer,
437 			int count)
438 {
439 	static char suffix[] = { 0x1B, 0x1C };
440 	struct name_entry dname;
441 	struct name_entry *dest;
442 	struct name_entry *dest_dup;
443 	int i;
444 
445 	for (i = 0; i < sizeof (suffix)/sizeof (suffix[0]); i++) {
446 		smb_init_name_struct((unsigned char *)domain, suffix[i],
447 		    0, 0, 0, 0, 0, &dname);
448 
449 		syslog(LOG_DEBUG, "smb_netlogon_send");
450 		smb_netbios_name_dump(&dname);
451 		if ((dest = smb_name_find_name(&dname)) != 0) {
452 			dest_dup = smb_netbios_name_dup(dest, 1);
453 			smb_name_unlock_name(dest);
454 			if (dest_dup) {
455 				(void) smb_netbios_datagram_send(name, dest_dup,
456 				    buffer, count);
457 				free(dest_dup);
458 			}
459 		} else {
460 			syslog(LOG_DEBUG, "smbd: NBNS couldn't find %s<0x%X>",
461 			    domain, suffix[i]);
462 		}
463 	}
464 }
465 
466 /*
467  * smb_netlogon_rdc_rsp
468  *
469  * This is where we process netlogon responses for the resource domain.
470  * The src_name is the real name of the remote machine.
471  */
472 static void
473 smb_netlogon_rdc_rsp(char *src_name, uint32_t src_ipaddr)
474 {
475 	static int initialized = 0;
476 	smb_ntdomain_t *pi;
477 	uint32_t ipaddr;
478 	uint32_t prefer_ipaddr = 0;
479 	char ipstr[16];
480 	char srcip[16];
481 	char *p;
482 	int rc;
483 
484 	(void) inet_ntop(AF_INET, (const void *)(&src_ipaddr),
485 	    srcip, sizeof (srcip));
486 
487 	smb_config_rdlock();
488 	if ((p = smb_config_get(SMB_CI_DOMAIN_SRV)) != 0) {
489 		rc = inet_pton(AF_INET, p, &prefer_ipaddr);
490 		if (rc == 0)
491 			prefer_ipaddr = 0;
492 
493 		if (!initialized) {
494 			(void) inet_ntop(AF_INET,
495 			    (const void *)(&prefer_ipaddr),
496 			    ipstr, sizeof (ipstr));
497 			syslog(LOG_DEBUG, "SMB DC Preference: %s", ipstr);
498 			initialized = 1;
499 		}
500 	}
501 	smb_config_unlock();
502 
503 	syslog(LOG_DEBUG, "DC Offer [%s]: %s [%s]",
504 	    resource_domain, src_name, srcip);
505 
506 	if ((pi = smb_getdomaininfo(0)) != 0) {
507 		if (prefer_ipaddr != 0 && prefer_ipaddr == pi->ipaddr) {
508 			syslog(LOG_DEBUG, "DC for %s: %s [%s]",
509 			    resource_domain, src_name, srcip);
510 			return;
511 		}
512 
513 		ipaddr = pi->ipaddr;
514 	} else
515 		ipaddr = 0;
516 
517 	if (better_dc(ipaddr, src_ipaddr) ||
518 	    (prefer_ipaddr != 0 && prefer_ipaddr == src_ipaddr)) {
519 		smb_setdomaininfo(resource_domain, src_name,
520 		    src_ipaddr);
521 		syslog(LOG_DEBUG, "DC discovered for %s: %s [%s]",
522 		    resource_domain, src_name, srcip);
523 	}
524 }
525 
526 static int
527 better_dc(uint32_t cur_ip, uint32_t new_ip)
528 {
529 	net_cfg_t cfg;
530 
531 	/*
532 	 * If we don't have any current DC,
533 	 * then use the new one of course.
534 	 */
535 	if (cur_ip == 0)
536 		return (1);
537 
538 	if (smb_nic_get_bysubnet(cur_ip, &cfg) != NULL)
539 		return (0);
540 	if (smb_nic_get_bysubnet(new_ip, &cfg) != NULL)
541 		return (1);
542 	/*
543 	 * Otherwise, just keep the old one.
544 	 */
545 	return (0);
546 }
547 
548 /*
549  * msdcs_lookup_ads
550  *
551  * Try to find a domain controller in ADS. Actually we want to query DNS
552  * but we need to find out if ADS is enabled and this is probably the
553  * best way. The IP address isn't set up in the ADS_HANDLE so we need to
554  * make the ads_find_host call. This will only succeed if ADS is enabled.
555  *
556  * Returns 1 if a domain controller was found and its name and IP address
557  * have been updated. Otherwise returns 0.
558  */
559 int
560 msdcs_lookup_ads(void)
561 {
562 	ADS_HOST_INFO *hinfo = 0;
563 	int ads_port = 0;
564 	char ads_domain[MAXHOSTNAMELEN];
565 	char site_service[MAXHOSTNAMELEN];
566 	char service[MAXHOSTNAMELEN];
567 	char *site;
568 	char *p;
569 	char *ip_addr;
570 	struct in_addr ns_list[MAXNS];
571 	int i, cnt, go_next;
572 
573 	if (smb_getdomainname(ads_domain, MAXHOSTNAMELEN) != 0)
574 		return (0);
575 
576 	/*
577 	 * Initialize the NT domain name.
578 	 */
579 	(void) strlcpy(resource_domain, ads_domain, SMB_PI_MAX_DOMAIN);
580 	if ((p = strchr(resource_domain, '.')) != 0)
581 		*p = '\0';
582 
583 	smb_config_rdlock();
584 	if (smb_config_getyorn(SMB_CI_MSDCS_DISABLE) != 0) {
585 		/*
586 		 * The system administrator doesn't
587 		 * want to use ADS to find the PDC.
588 		 */
589 		syslog(LOG_DEBUG, "msdcsLookupADS: disabled");
590 		smb_config_unlock();
591 		return (0);
592 	}
593 	site = smb_config_getstr(SMB_CI_ADS_SITE);
594 	smb_config_unlock();
595 
596 	syslog(LOG_DEBUG, "msdcsLookupADS %s, MAXHOSTNAMELEN=%d",
597 	    ads_domain, MAXHOSTNAMELEN);
598 	if (site && *site != 0) {
599 		(void) snprintf(site_service, MAXHOSTNAMELEN,
600 		    "_ldap._tcp.%s._sites.dc._msdcs.%s",
601 		    site, ads_domain);
602 	}
603 
604 	(void) snprintf(service, MAXHOSTNAMELEN,
605 	    "_ldap._tcp.dc._msdcs.%s", ads_domain);
606 
607 	cnt = smb_get_nameservers(ns_list, MAXNS);
608 
609 	go_next = 0;
610 	for (i = 0; i < cnt; i++) {
611 		ip_addr = inet_ntoa(ns_list[i]);
612 
613 		hinfo = ads_find_host(ip_addr, ads_domain, &ads_port,
614 		    site_service, &go_next);
615 
616 		if (hinfo == NULL) {
617 			hinfo = ads_find_host(ip_addr, ads_domain, &ads_port,
618 			    service, &go_next);
619 		}
620 
621 		if ((hinfo != NULL) || (go_next == 0))
622 			break;
623 	}
624 
625 	if (hinfo == NULL) {
626 		syslog(LOG_DEBUG, "msdcsLookupADS: unable to find host");
627 		return (0);
628 	}
629 
630 	syslog(LOG_DEBUG, "msdcsLookupADS: %s [%I]", hinfo->name,
631 	    hinfo->ip_addr);
632 
633 	/*
634 	 * Remove the domain extension - the
635 	 * NetBIOS browser can't handle it.
636 	 */
637 	if ((p = strchr(hinfo->name, '.')) != 0)
638 		*p = '\0';
639 
640 	smb_netlogon_rdc_rsp(hinfo->name, hinfo->ip_addr);
641 
642 	return (1);
643 }
644