2020-09-30 16:53:55 +02:00

1745 lines
45 KiB
C
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*++
Copyright (c) 1987-1991 Microsoft Corporation
Module Name:
nlrepl.c
Abstract:
The database replication functions called either from LSA OR SAM.
The actual code resides in netlogon.dll.
Author:
Madan Appiah (Madana)
Environment:
User mode only.
Contains NT-specific code.
Requires ANSI C extensions: slash-slash comments, long external names.
Revision History:
14-Apr-1992 (madana)
Created.
--*/
#include <nt.h> // needed for NTSTATUS
#include <ntrtl.h> // needed for nturtl.h
#include <nturtl.h> // needed for windows.h
#include <windows.h> // win32 typedefs
#include <crypt.h> // samsrv.h will need this
#include <ntlsa.h> // needed for POLICY_LSA_SERVER_ROLE
#include <samrpc.h>
#include <samisrv.h> // needed for SECURITY_DB_TYPE etc.
#include <winsock2.h> // needed for SOCKET defn's
#include <nlrepl.h> // proto types
typedef NTSTATUS
(*PI_NetNotifyDelta) (
IN SECURITY_DB_TYPE DbType,
IN LARGE_INTEGER ModificationCount,
IN SECURITY_DB_DELTA_TYPE DeltaType,
IN SECURITY_DB_OBJECT_TYPE ObjectType,
IN ULONG ObjectRid,
IN PSID ObjectSid,
IN PUNICODE_STRING ObjectName,
IN DWORD ReplicationImmediately,
IN PSAM_DELTA_DATA MemberId
);
typedef NTSTATUS
(*PI_NetNotifyRole) (
IN POLICY_LSA_SERVER_ROLE Role
);
typedef NTSTATUS
(*PI_NetNotifyMachineAccount) (
IN ULONG ObjectRid,
IN PSID DomainSid,
IN ULONG OldUserAccountControl,
IN ULONG NewUserAccountControl,
IN PUNICODE_STRING ObjectName
);
typedef NTSTATUS
(*PI_NetNotifyTrustedDomain) (
IN PSID HostedDomainSid,
IN PSID TrustedDomainSid,
IN BOOLEAN IsDeletion
);
typedef NTSTATUS
(*PI_NetNotifyNetlogonDllHandle) (
IN PHANDLE Role
);
typedef NTSTATUS
(*PI_NetLogonSetServiceBits)(
IN DWORD ServiceBitsOfInterest,
IN DWORD ServiceBits
);
typedef NTSTATUS
(*PI_NetLogonGetSerialNumber) (
IN SECURITY_DB_TYPE DbType,
IN PSID DomainSid,
OUT PLARGE_INTEGER SerialNumber
);
typedef NTSTATUS
(*PI_NetLogonLdapLookupEx)(
IN PVOID Filter,
IN PVOID SockAddr,
OUT PVOID *Response,
OUT PULONG ResponseSize
);
typedef VOID
(*PI_NetLogonFree)(
IN PVOID Buffer
);
typedef NET_API_STATUS
(*PI_DsGetDcCache)(
IN LPCWSTR NetbiosDomainName OPTIONAL,
IN LPCWSTR DnsDomainName OPTIONAL,
OUT PBOOLEAN InNt4Domain,
OUT LPDWORD InNt4DomainTime
);
typedef NET_API_STATUS
(*PDsrGetDcNameEx2)(
IN LPWSTR ComputerName OPTIONAL,
IN LPCWSTR AccountName OPTIONAL,
IN ULONG AllowableAccountControlBits,
IN LPWSTR DomainName OPTIONAL,
IN GUID *DomainGuid OPTIONAL,
IN LPWSTR SiteName OPTIONAL,
IN ULONG Flags,
OUT PDOMAIN_CONTROLLER_INFOW *DomainControllerInfo
);
typedef NTSTATUS
(*PI_NetNotifyDsChange)(
IN NL_DS_CHANGE_TYPE DsChangeType
);
typedef NTSTATUS
(*PI_NetLogonReadChangeLog)(
IN PVOID InContext,
IN ULONG InContextSize,
IN ULONG ChangeBufferSize,
OUT PVOID *ChangeBuffer,
OUT PULONG BytesRead,
OUT PVOID *OutContext,
OUT PULONG OutContextSize
);
typedef NTSTATUS
(*PI_NetLogonNewChangeLog)(
OUT HANDLE *ChangeLogHandle
);
typedef NTSTATUS
(*PI_NetLogonAppendChangeLog)(
IN HANDLE ChangeLogHandle,
IN PVOID ChangeBuffer,
IN ULONG ChangeBufferSize
);
typedef NTSTATUS
(*PI_NetLogonCloseChangeLog)(
IN HANDLE ChangeLogHandle,
IN BOOLEAN Commit
);
typedef NTSTATUS
(*PI_NetLogonSendToSamOnPdc)(
IN LPWSTR DomainName,
IN LPBYTE OpaqueBuffer,
IN ULONG OpaqueBufferSize
);
typedef NET_API_STATUS
(*PI_NetLogonGetIpAddresses)(
OUT PULONG IpAddressCount,
OUT LPBYTE *IpAddresses
);
typedef NTSTATUS
(*PI_NetLogonGetAuthDataEx)(
IN LPWSTR HostedDomainName OPTIONAL,
IN LPWSTR TrustedDomainName,
IN ULONG Flags,
IN PLARGE_INTEGER FailedSessionSetupTime OPTIONAL,
OUT LPWSTR *OurClientPrincipleName,
OUT PVOID *ClientContext OPTIONAL,
OUT LPWSTR *ServerName,
OUT PNL_OS_VERSION ServerOsVersion,
OUT PULONG AuthnLevel,
OUT PLARGE_INTEGER SessionSetupTime
);
typedef NTSTATUS
(*PI_NetNotifyNtdsDsaDeletion) (
IN LPWSTR DnsDomainName,
IN GUID *DomainGuid,
IN GUID *DsaGuid,
IN LPWSTR DnsHostName
);
typedef NET_API_STATUS
(*PI_NetLogonAddressToSiteName)(
IN PSOCKET_ADDRESS SocketAddress,
OUT LPWSTR *SiteName
);
//
// Global status
//
HANDLE NetlogonDllHandle = NULL;
PI_NetNotifyDelta pI_NetNotifyDelta = NULL;
PI_NetNotifyRole pI_NetNotifyRole = NULL;
PI_NetNotifyMachineAccount pI_NetNotifyMachineAccount = NULL;
PI_NetNotifyTrustedDomain pI_NetNotifyTrustedDomain = NULL;
PI_NetLogonSetServiceBits pI_NetLogonSetServiceBits = NULL;
PI_NetLogonGetSerialNumber pI_NetLogonGetSerialNumber = NULL;
PI_NetLogonLdapLookupEx pI_NetLogonLdapLookupEx = NULL;
PI_NetLogonFree pI_NetLogonFree = NULL;
PI_DsGetDcCache pI_DsGetDcCache = NULL;
PDsrGetDcNameEx2 pDsrGetDcNameEx2 = NULL;
PI_NetNotifyDsChange pI_NetNotifyDsChange = NULL;
PI_NetLogonReadChangeLog pI_NetLogonReadChangeLog = NULL;
PI_NetLogonNewChangeLog pI_NetLogonNewChangeLog = NULL;
PI_NetLogonAppendChangeLog pI_NetLogonAppendChangeLog = NULL;
PI_NetLogonCloseChangeLog pI_NetLogonCloseChangeLog = NULL;
PI_NetLogonSendToSamOnPdc pI_NetLogonSendToSamOnPdc = NULL;
PI_NetLogonGetIpAddresses pI_NetLogonGetIpAddresses = NULL;
PI_NetLogonGetAuthDataEx pI_NetLogonGetAuthDataEx = NULL;
PI_NetNotifyNtdsDsaDeletion pI_NetNotifyNtdsDsaDeletion = NULL;
PI_NetLogonAddressToSiteName pI_NetLogonAddressToSiteName = NULL;
NTSTATUS
NlLoadNetlogonDll(
VOID
)
/*++
Routine Description:
This function loads the netlogon.dll module if it is not loaded
already. If the network is not installed then netlogon.dll will not
present in the system and the LoadLibrary will fail.
Arguments:
None
Return Value:
NT Status code.
--*/
{
static NTSTATUS DllLoadStatus = STATUS_SUCCESS;
PI_NetNotifyNetlogonDllHandle pI_NetNotifyNetlogonDllHandle = NULL;
HANDLE DllHandle = NULL;
//
// If we've tried to load the DLL before and it failed,
// return the same error code again.
//
if( DllLoadStatus != STATUS_SUCCESS ) {
goto Cleanup;
}
//
// Load netlogon.dll
//
DllHandle = LoadLibraryA( "Netlogon" );
if ( DllHandle == NULL ) {
#if DBG
DWORD DbgError;
DbgError = GetLastError();
DbgPrint("[Security Process] can't load netlogon.dll %d \n",
DbgError);
#endif // DBG
DllLoadStatus = STATUS_DLL_NOT_FOUND;
goto Cleanup;
}
//
// Macro to grab the address of the named procedure from netlogon.dll
//
#if DBG
#define GRAB_ADDRESS( _X ) \
p##_X = (P##_X) GetProcAddress( DllHandle, #_X ); \
\
if ( p##_X == NULL ) { \
DbgPrint("[security process] can't load " #_X " procedure. %ld\n", GetLastError()); \
DllLoadStatus = STATUS_PROCEDURE_NOT_FOUND;\
goto Cleanup; \
}
#else // DBG
#define GRAB_ADDRESS( _X ) \
p##_X = (P##_X) GetProcAddress( DllHandle, #_X ); \
\
if ( p##_X == NULL ) { \
DllLoadStatus = STATUS_PROCEDURE_NOT_FOUND;\
goto Cleanup; \
}
#endif // DBG
//
// Get the addresses of the required procedures.
//
GRAB_ADDRESS( I_NetNotifyDelta );
GRAB_ADDRESS( I_NetNotifyRole );
GRAB_ADDRESS( I_NetNotifyMachineAccount );
GRAB_ADDRESS( I_NetNotifyTrustedDomain );
GRAB_ADDRESS( I_NetLogonSetServiceBits );
GRAB_ADDRESS( I_NetLogonGetSerialNumber );
GRAB_ADDRESS( I_NetLogonLdapLookupEx );
GRAB_ADDRESS( I_NetLogonFree );
GRAB_ADDRESS( I_DsGetDcCache );
GRAB_ADDRESS( DsrGetDcNameEx2 );
GRAB_ADDRESS( I_NetNotifyDsChange );
GRAB_ADDRESS( I_NetLogonReadChangeLog );
GRAB_ADDRESS( I_NetLogonNewChangeLog );
GRAB_ADDRESS( I_NetLogonAppendChangeLog );
GRAB_ADDRESS( I_NetLogonCloseChangeLog );
GRAB_ADDRESS( I_NetLogonSendToSamOnPdc );
GRAB_ADDRESS( I_NetLogonGetIpAddresses );
GRAB_ADDRESS( I_NetLogonGetAuthDataEx );
GRAB_ADDRESS( I_NetNotifyNtdsDsaDeletion );
GRAB_ADDRESS( I_NetLogonAddressToSiteName );
//
// Find the address of the I_NetNotifyNetlogonDllHandle procedure.
// This is an optional procedure so don't complain if it isn't there.
//
pI_NetNotifyNetlogonDllHandle = (PI_NetNotifyNetlogonDllHandle)
GetProcAddress( DllHandle, "I_NetNotifyNetlogonDllHandle" );
DllLoadStatus = STATUS_SUCCESS;
Cleanup:
if (DllLoadStatus == STATUS_SUCCESS) {
NetlogonDllHandle = DllHandle;
//
// Notify Netlogon that we've loaded it.
//
if( pI_NetNotifyNetlogonDllHandle != NULL ) {
(VOID) (*pI_NetNotifyNetlogonDllHandle)( &NetlogonDllHandle );
}
} else {
if ( DllHandle != NULL ) {
FreeLibrary( DllHandle );
}
}
return( DllLoadStatus );
}
NTSTATUS
I_NetNotifyDelta (
IN SECURITY_DB_TYPE DbType,
IN LARGE_INTEGER ModificationCount,
IN SECURITY_DB_DELTA_TYPE DeltaType,
IN SECURITY_DB_OBJECT_TYPE ObjectType,
IN ULONG ObjectRid,
IN PSID ObjectSid,
IN PUNICODE_STRING ObjectName,
IN DWORD ReplicationImmediately,
IN PSAM_DELTA_DATA MemberId
)
/*++
Routine Description:
This function is called by the SAM and LSA services after each
change is made to the SAM and LSA databases. The services describe
the type of object that is modified, the type of modification made
on the object, the serial number of this modification etc. This
information is stored for later retrieval when a BDC or member
server wants a copy of this change. See the description of
I_NetSamDeltas for a description of how the change log is used.
Add a change log entry to circular change log maintained in cache as
well as on the disk and update the head and tail pointers
It is assumed that Tail points to a block where this new change log
entry may be stored.
NOTE: The actual code is in netlogon.dll. This wrapper function
will determine whether the network is installed, if so, it calls the
actual worker function after loading the netlogon.dll module. If the
network is not installed then this will function will return with
appropriate error code.
Arguments:
DbType - Type of the database that has been modified.
ModificationCount - The value of the DomainModifiedCount field for the
domain following the modification.
DeltaType - The type of modification that has been made on the object.
ObjectType - The type of object that has been modified.
ObjectRid - The relative ID of the object that has been modified.
This parameter is valid only when the object type specified is
either SecurityDbObjectSamUser, SecurityDbObjectSamGroup or
SecurityDbObjectSamAlias otherwise this parameter is set to zero.
ObjectSid - The SID of the object that has been modified. If the object
modified is in a SAM database, ObjectSid is the DomainId of the Domain
containing the object.
ObjectName - The name of the secret object when the object type
specified is SecurityDbObjectLsaSecret or the old name of the object
when the object type specified is either SecurityDbObjectSamUser,
SecurityDbObjectSamGroup or SecurityDbObjectSamAlias and the delta
type is SecurityDbRename otherwise this parameter is set to NULL.
ReplicateImmediately - TRUE if the change should be immediately
replicated to all BDCs. A password change should set the flag
TRUE.
MemberId - This parameter is specified when group/alias membership
is modified. This structure will then point to the member's ID that
has been updated.
Return Value:
STATUS_SUCCESS - The Service completed successfully.
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NtStatus = (*pI_NetNotifyDelta)(
DbType,
ModificationCount,
DeltaType,
ObjectType,
ObjectRid,
ObjectSid,
ObjectName,
ReplicationImmediately,
MemberId
);
return( STATUS_SUCCESS );
}
NTSTATUS
I_NetNotifyRole(
IN POLICY_LSA_SERVER_ROLE Role
)
/*++
Routine Description:
This function is called by the LSA service upon LSA initialization
and when LSA changes domain role. This routine will initialize the
change log cache if the role specified is PDC or delete the change
log cache if the role specified is other than PDC.
When this function initializing the change log if the change log
currently exists on disk, the cache will be initialized from disk.
LSA should treat errors from this routine as non-fatal. LSA should
log the errors so they may be corrected then continue
initialization. However, LSA should treat the system databases as
read-only in this case.
NOTE: The actual code is in netlogon.dll. This wrapper function
will determine whether the network is installed, if so, it calls the
actual worker function after loading the netlogon.dll module. If the
network is not installed then this will function will return with
appropriate error code.
Arguments:
Role - Current role of the server.
Return Value:
STATUS_SUCCESS - The Service completed successfully.
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NtStatus = (*pI_NetNotifyRole)(
Role
);
#if DBG
if( !NT_SUCCESS(NtStatus) ) {
DbgPrint("[Security Process] I_NetNotifyRole returns 0x%lx \n",
NtStatus);
}
#endif // DBG
return( STATUS_SUCCESS );
}
NTSTATUS
I_NetNotifyMachineAccount (
IN ULONG ObjectRid,
IN PSID DomainSid,
IN ULONG OldUserAccountControl,
IN ULONG NewUserAccountControl,
IN PUNICODE_STRING ObjectName
)
/*++
Routine Description:
This function is called by the SAM to indicate that the account type
of a machine account has changed. Specifically, if
USER_INTERDOMAIN_TRUST_ACCOUNT, USER_WORKSTATION_TRUST_ACCOUNT, or
USER_SERVER_TRUST_ACCOUNT change for a particular account, this
routine is called to let Netlogon know of the account change.
NOTE: The actual code is in netlogon.dll. This wrapper function
will determine whether the network is installed, if so, it calls the
actual worker function after loading the netlogon.dll module. If the
network is not installed then this will function will return with
appropriate error code.
Arguments:
ObjectRid - The relative ID of the object that has been modified.
DomainSid - Specifies the SID of the Domain containing the object.
OldUserAccountControl - Specifies the previous value of the
UserAccountControl field of the user.
NewUserAccountControl - Specifies the new (current) value of the
UserAccountControl field of the user.
ObjectName - The name of the account being changed.
Return Value:
Status of the operation.
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NtStatus = (*pI_NetNotifyMachineAccount)(
ObjectRid,
DomainSid,
OldUserAccountControl,
NewUserAccountControl,
ObjectName );
#if DBG
if( !NT_SUCCESS(NtStatus) ) {
DbgPrint("[Security Process] I_NetNotifyMachineAccount returns 0x%lx\n",
NtStatus);
}
#endif // DBG
return( NtStatus );
}
NTSTATUS
I_NetNotifyTrustedDomain (
IN PSID HostedDomainSid,
IN PSID TrustedDomainSid,
IN BOOLEAN IsDeletion
)
/*++
Routine Description:
This function is called by the LSA to indicate that a trusted domain
object has changed.
This function is called for both PDC and BDC.
Arguments:
HostedDomainSid - Domain SID of the domain the trust is from.
TrustedDomainSid - Domain SID of the domain the trust is to.
IsDeletion - TRUE if the trusted domain object was deleted.
FALSE if the trusted domain object was created or modified.
Return Value:
Status of the operation.
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NtStatus = (*pI_NetNotifyTrustedDomain)(
HostedDomainSid,
TrustedDomainSid,
IsDeletion );
#if DBG
if( !NT_SUCCESS(NtStatus) ) {
DbgPrint("[Security Process] I_NetNotifyTrustedDomain returns 0x%lx\n",
NtStatus);
}
#endif // DBG
return( NtStatus );
}
NTSTATUS
I_NetLogonSetServiceBits(
IN DWORD ServiceBitsOfInterest,
IN DWORD ServiceBits
)
/*++
Routine Description:
Inidcates whether this DC is currently running the specified service.
For instance,
I_NetLogonSetServiceBits( DS_KDC_FLAG, DS_KDC_FLAG );
tells Netlogon the KDC is running. And
I_NetLogonSetServiceBits( DS_KDC_FLAG, 0 );
tells Netlogon the KDC is not running.
Arguments:
ServiceBitsOfInterest - A mask of the service bits being changed, set,
or reset by this call. Only the following flags are valid:
DS_KDC_FLAG
DS_DS_FLAG
DS_TIMESERV_FLAG
ServiceBits - A mask indicating what the bits specified by ServiceBitsOfInterest
should be set to.
Return Value:
STATUS_SUCCESS - Success.
STATUS_INVALID_PARAMETER - The parameters have extaneous bits set.
STATUS_DLL_NOT_FOUND - Netlogon.dll could not be loaded.
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NtStatus = (*pI_NetLogonSetServiceBits)(
ServiceBitsOfInterest,
ServiceBits );
#if DBG
if( !NT_SUCCESS(NtStatus) ) {
DbgPrint("[Security Process] I_NetLogonSetServiceBits returns 0x%lx\n",
NtStatus);
}
#endif // DBG
return( NtStatus );
}
NTSTATUS
I_NetLogonGetSerialNumber (
IN SECURITY_DB_TYPE DbType,
IN PSID DomainSid,
OUT PLARGE_INTEGER SerialNumber
)
/*++
Routine Description:
This function is called by the SAM and LSA services when they startup
to get the current serial number written to the changelog.
Arguments:
DbType - Type of the database that has been modified.
DomainSid - For the SAM and builtin database, this specifies the DomainId of
the domain whose serial number is to be returned.
SerialNumber - Returns the latest set value of the DomainModifiedCount
field for the domain.
Return Value:
STATUS_SUCCESS - The Service completed successfully.
STATUS_INVALID_DOMAIN_ROLE - This machine is not the PDC.
STATUS_DLL_NOT_FOUND - Netlogon.dll could not be loaded.
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NtStatus = (*pI_NetLogonGetSerialNumber)(
DbType,
DomainSid,
SerialNumber );
#if DBG
if( !NT_SUCCESS(NtStatus) ) {
DbgPrint("[Security Process] I_NetLogonGetSerialNumber returns 0x%lx\n",
NtStatus);
}
#endif // DBG
return( NtStatus );
}
NTSTATUS
I_NetLogonLdapLookupEx(
IN PVOID Filter,
IN PVOID SockAddr,
OUT PVOID *Response,
OUT PULONG ResponseSize
)
/*++
Routine Description:
This routine builds a response to an LDAP ping of a DC. DsGetDcName does
such a ping to ensure the DC is functional and still meets the requirements
of the DsGetDcName. DsGetDcName does an LDAP lookup of the NULL DN asking
for attribute "Netlogon". The DS turns that into a call to this routine
passing in the filter parameter.
Arguments:
Filter - Filter describing the query. The filter is built by the DsGetDcName
client, so we can limit the flexibility significantly. The filter is:
SockAddr - Address of the client that sent the ping.
Response - Returns a pointer to an allocated buffer containing
the response to return to the caller. This response is a binary blob
which should be returned to the caller bit-for-bit intact.
The buffer should be freed be calling I_NetLogonFree.
ResponseSize - Size (in bytes) of the returned message.
Return Value:
STATUS_SUCCESS -- The response was returned in the supplied buffer.
STATUS_INVALID_PARAMETER -- The filter was invalid.
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NtStatus = (*pI_NetLogonLdapLookupEx)(
Filter,
SockAddr,
Response,
ResponseSize );
#ifdef notdef // Failures occur frequently in nature
#if DBG
if( !NT_SUCCESS(NtStatus) ) {
DbgPrint("[Security Process] I_NetLogonLdapLookupEx returns 0x%lx\n",
NtStatus);
}
#endif // DBG
#endif // notdef
return( NtStatus );
}
VOID
I_NetLogonFree(
IN PVOID Buffer
)
/*++
Routine Description:
Free any buffer allocated by Netlogon and returned to an in-process caller.
Arguments:
Buffer - Buffer to deallocate.
Return Value:
None.
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return;
}
}
(*pI_NetLogonFree)( Buffer );
}
NET_API_STATUS
I_DsGetDcCache(
IN LPCWSTR NetbiosDomainName OPTIONAL,
IN LPCWSTR DnsDomainName OPTIONAL,
OUT PBOOLEAN InNt4Domain,
OUT LPDWORD InNt4DomainTime
)
/*++
Routine Description:
This routine finds a domain entry that matches the caller's query.
Arguments:
NetbiosDomainName - Specifies the Netbios name of the domain to find.
DnsDomainName - Specifies the Dns name of the domain to find.
At least one of the above parameters should be non-NULL.
InNt4Domain - Returns true if the domain is an NT 4.0 domain.
InNt4DomainTime - Returns the GetTickCount time of when the domain was
detected to be an NT 4.0 domain.
Return Value:
NO_ERROR: Information is returned about the domain.
ERROR_NO_SUCH_DOMAIN: cached information is not available for this domain.
--*/
{
NTSTATUS NtStatus;
NET_API_STATUS NetStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NetStatus = (*pI_DsGetDcCache)(
NetbiosDomainName,
DnsDomainName,
InNt4Domain,
InNt4DomainTime );
return( NetStatus );
}
NET_API_STATUS
DsrGetDcNameEx2(
IN LPWSTR ComputerName OPTIONAL,
IN LPWSTR AccountName OPTIONAL,
IN ULONG AllowableAccountControlBits,
IN LPWSTR DomainName OPTIONAL,
IN GUID *DomainGuid OPTIONAL,
IN LPWSTR SiteName OPTIONAL,
IN ULONG Flags,
OUT PDOMAIN_CONTROLLER_INFOW *DomainControllerInfo
)
/*++
Routine Description:
Same as DsGetDcNameW except:
AccountName - Account name to pass on the ping request.
If NULL, no account name will be sent.
AllowableAccountControlBits - Mask of allowable account types for AccountName.
* This is the RPC server side implementation.
Arguments:
Same as DsGetDcNameW except as above.
Return Value:
Same as DsGetDcNameW except as above.
--*/
{
NTSTATUS NtStatus;
NET_API_STATUS NetStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NetStatus = (*pDsrGetDcNameEx2)(
ComputerName,
AccountName,
AllowableAccountControlBits,
DomainName,
DomainGuid,
SiteName,
Flags,
DomainControllerInfo );
return( NetStatus );
}
NTSTATUS
I_NetNotifyDsChange(
IN NL_DS_CHANGE_TYPE DsChangeType
)
/*++
Routine Description:
This function is called by the LSA to indicate that configuration information
in the DS has changed.
This function is called for both PDC and BDC.
Arguments:
DsChangeType - Indicates the type of information that has changed.
Return Value:
Status of the operation.
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NtStatus = (*pI_NetNotifyDsChange)(
DsChangeType
);
#if DBG
if( !NT_SUCCESS(NtStatus) ) {
DbgPrint("[Security Process] I_NetNotifyDsChange &ld returns 0x%lx \n",
DsChangeType,
NtStatus);
}
#endif // DBG
return( NtStatus );
}
NTSTATUS
I_NetLogonReadChangeLog(
IN PVOID InContext,
IN ULONG InContextSize,
IN ULONG ChangeBufferSize,
OUT PVOID *ChangeBuffer,
OUT PULONG BytesRead,
OUT PVOID *OutContext,
OUT PULONG OutContextSize
)
/*++
Routine Description:
This function returns a portion of the change log to the caller.
The caller asks for the first portion of the change log by passing zero as
the InContext/InContextSize. Each call passes out an OutContext that
identifies the last change returned to the caller. That context can
be passed in on a subsequent call to I_NetlogonReadChangeLog.
Arguments:
InContext - Opaque context describing the last entry to have been previously
returned. Specify NULL to request the first entry.
InContextSize - Size (in bytes) of InContext. Specify 0 to request the
first entry.
ChangeBufferSize - Specifies the size (in bytes) of the passed in ChangeBuffer.
ChangeBuffer - Returns the next several entries from the change log.
Buffer must be DWORD aligned.
BytesRead - Returns the size (in bytes) of the entries returned in ChangeBuffer.
OutContext - Returns an opaque context describing the last entry returned
in ChangeBuffer. NULL is returned if no entries were returned.
The buffer must be freed using I_NetLogonFree
OutContextSize - Returns the size (in bytes) of OutContext.
Return Value:
STATUS_MORE_ENTRIES - More entries are available. This function should
be called again to retrieve the remaining entries.
STATUS_SUCCESS - No more entries are currently available. Some entries may
have been returned on this call. This function need not be called again.
However, the caller can determine if new change log entries were
added to the log, by calling this function again passing in the returned
context.
STATUS_INVALID_PARAMETER - InContext is invalid.
Either it is too short or the change log entry described no longer
exists in the change log.
STATUS_INVALID_DOMAIN_ROLE - Change log not initialized
STATUS_NO_MEMORY - There is not enough memory to allocate OutContext.
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NtStatus = (*pI_NetLogonReadChangeLog)(
InContext,
InContextSize,
ChangeBufferSize,
ChangeBuffer,
BytesRead,
OutContext,
OutContextSize
);
#if DBG
if( !NT_SUCCESS(NtStatus) ) {
DbgPrint("[Security Process] I_NetLogonReadChangeLog returns 0x%lx \n",
NtStatus);
}
#endif // DBG
return( NtStatus );
}
NTSTATUS
I_NetLogonNewChangeLog(
OUT HANDLE *ChangeLogHandle
)
/*++
Routine Description:
This function opens a new changelog file for writing. The new changelog
is a temporary file. The real change log will not be modified until
I_NetLogonCloseChangeLog is called asking to Commit the changes.
The caller should follow this call by Zero more calls to
I_NetLogonAppendChangeLog followed by a call to I_NetLogonCloseChangeLog.
Only one temporary change log can be active at once.
Arguments:
ChangeLogHandle - Returns a handle identifying the temporary change log.
Return Value:
STATUS_SUCCESS - The temporary change log has been successfully opened.
STATUS_INVALID_DOMAIN_ROLE - DC is neither PDC nor BDC.
STATUS_NO_MEMORY - Not enough memory to create the change log buffer.
Sundry file creation errors.
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NtStatus = (*pI_NetLogonNewChangeLog)(
ChangeLogHandle
);
#if DBG
if( !NT_SUCCESS(NtStatus) ) {
DbgPrint("[Security Process] I_NetLogonNewChangeLog returns 0x%lx \n",
NtStatus);
}
#endif // DBG
return( NtStatus );
}
NTSTATUS
I_NetLogonAppendChangeLog(
IN HANDLE ChangeLogHandle,
IN PVOID ChangeBuffer,
IN ULONG ChangeBufferSize
)
/*++
Routine Description:
This function appends change log information to new changelog file.
The ChangeBuffer must be a change buffer returned from I_NetLogonReadChangeLog.
Care should be taken to ensure each call to I_NetLogonReadChangeLog is
exactly matched by one call to I_NetLogonAppendChangeLog.
Arguments:
ChangeLogHandle - A handle identifying the temporary change log.
ChangeBuffer - A buffer describing a set of changes returned from
I_NetLogonReadChangeLog.
ChangeBufferSize - Size (in bytes) of ChangeBuffer.
Return Value:
STATUS_SUCCESS - The temporary change log has been successfully opened.
STATUS_INVALID_DOMAIN_ROLE - DC is neither PDC nor BDC.
STATUS_INVALID_HANDLE - ChangeLogHandle is not valid.
STATUS_INVALID_PARAMETER - ChangeBuffer contains invalid data.
Sundry disk write errors.
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NtStatus = (*pI_NetLogonAppendChangeLog)(
ChangeLogHandle,
ChangeBuffer,
ChangeBufferSize
);
#if DBG
if( !NT_SUCCESS(NtStatus) ) {
DbgPrint("[Security Process] I_NetLogonAppendChangeLog returns 0x%lx \n",
NtStatus);
}
#endif // DBG
return( NtStatus );
}
NTSTATUS
I_NetLogonCloseChangeLog(
IN HANDLE ChangeLogHandle,
IN BOOLEAN Commit
)
/*++
Routine Description:
This function closes a new changelog file.
Arguments:
ChangeLogHandle - A handle identifying the temporary change log.
Commit - If true, the specified changes are written to the primary change log.
If false, the specified change are deleted.
Return Value:
STATUS_SUCCESS - The temporary change log has been successfully opened.
STATUS_INVALID_DOMAIN_ROLE - DC is neither PDC nor BDC.
STATUS_INVALID_HANDLE - ChangeLogHandle is not valid.
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NtStatus = (*pI_NetLogonCloseChangeLog)(
ChangeLogHandle,
Commit
);
#if DBG
if( !NT_SUCCESS(NtStatus) ) {
DbgPrint("[Security Process] I_NetLogonCloseChangeLog returns 0x%lx \n",
NtStatus);
}
#endif // DBG
return( NtStatus );
}
NTSTATUS
I_NetLogonSendToSamOnPdc(
IN LPWSTR DomainName,
IN LPBYTE OpaqueBuffer,
IN ULONG OpaqueBufferSize
)
/*++
Routine Description:
This function sends an opaque buffer from SAM on a BDC to SAM on the PDC of
the specified domain.
The original use of this routine will be to allow the BDC to forward user
account password changes to the PDC.
Arguments:
DomainName - Identifies the hosted domain that this request applies to.
DomainName may be the Netbios domain name or the DNS domain name.
NULL implies the primary domain hosted by this DC.
OpaqueBuffer - Buffer to be passed to the SAM service on the PDC.
The buffer will be encrypted on the wire.
OpaqueBufferSize - Size (in bytes) of OpaqueBuffer.
Return Value:
STATUS_SUCCESS: Message successfully sent to PDC
STATUS_NO_MEMORY: There is not enough memory to complete the operation
STATUS_NO_SUCH_DOMAIN: DomainName does not correspond to a hosted domain
STATUS_NO_LOGON_SERVERS: PDC is not currently available
STATUS_NOT_SUPPORTED: PDC does not support this operation
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NtStatus = (*pI_NetLogonSendToSamOnPdc)(
DomainName,
OpaqueBuffer,
OpaqueBufferSize );
#if DBG
if( !NT_SUCCESS(NtStatus) ) {
DbgPrint("[Security Process] I_NetLogonSendToSamOnPdc returns 0x%lx \n",
NtStatus);
}
#endif // DBG
return( NtStatus );
}
NET_API_STATUS
I_NetLogonGetIpAddresses(
OUT PULONG IpAddressCount,
OUT LPBYTE *IpAddresses
)
/*++
Routine Description:
Returns all of the IP Addresses assigned to this machine.
Arguments:
IpAddressCount - Returns the number of IP addresses assigned to this machine.
IpAddresses - Returns a buffer containing an array of SOCKET_ADDRESS
structures.
This buffer should be freed using I_NetLogonFree().
Return Value:
NO_ERROR - Success
ERROR_NOT_ENOUGH_MEMORY - There was not enough memory to complete the operation.
ERROR_NETLOGON_NOT_STARTED - Netlogon is not started.
--*/
{
NTSTATUS NtStatus;
NET_API_STATUS NetStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NetStatus = (*pI_NetLogonGetIpAddresses)(
IpAddressCount,
IpAddresses );
return( NetStatus );
}
NTSTATUS
I_NetLogonGetAuthDataEx(
IN LPWSTR HostedDomainName OPTIONAL,
IN LPWSTR TrustedDomainName,
IN ULONG Flags,
IN PLARGE_INTEGER FailedSessionSetupTime OPTIONAL,
OUT LPWSTR *OurClientPrincipleName,
OUT PVOID *ClientContext OPTIONAL,
OUT LPWSTR *ServerName,
OUT PNL_OS_VERSION ServerOsVersion,
OUT PULONG AuthnLevel,
OUT PLARGE_INTEGER SessionSetupTime
)
/*++
Routine Description:
This function returns the data that a caller could passed to
RpcBindingSetAuthInfoW to do an RPC call using the Netlogon security package.
The returned data is valid for the life of Netlogon's secure channel to
the current DC. There is no way for the caller to determine that lifetime.
So, the caller should be prepared for access to be denied and respond to that
by calling I_NetLogonGetAuthData again. This condition is indicated by passing
the previuosly used client context that resulted in denied access.
Once the returned data is passed to RpcBindingSetAuthInfoW, the data should
not be deallocated until after the binding handle is closed.
Arguments:
HostedDomainName - Identifies the hosted domain that this request applies to.
May be the Netbios domain name or the DNS domain name.
NULL implies the primary domain hosted by this machine.
TrustedDomainName - Identifies the domain the trust relationship is to.
May be the Netbios domain name or the DNS domain name.
Flags - Flags defining which ClientContext to return:
NL_DIRECT_TRUST_REQUIRED: Indicates that STATUS_NO_SUCH_DOMAIN should be returned
if TrustedDomainName is not directly trusted.
NL_RETURN_CLOSEST_HOP: Indicates that for indirect trust, the "closest hop"
session should be returned rather than the actual session
NL_ROLE_PRIMARY_OK: Indicates that if this is a PDC, it's OK to return
the client session to the primary domain.
NL_REQUIRE_DOMAIN_IN_FOREST - Indicates that STATUS_NO_SUCH_DOMAIN should be
returned if TrustedDomainName is not a domain in the forest.
FailedSessionSetupTime - The time of the previous session setup to the server
that the caller detected as no longer available. If this parameter is
passed, the secure channel will be reset by this routine unless the timestamp
on the current secure channel is different from the one passed by the caller
(in which case the secure channel got already reset between the two calls to
this routine).
OurClientPrincipleName - The principle name of this machine (which is a client as far
as authenication is concerned). This is the ServerPrincipleName parameter to pass
to RpcBindingSetAuthInfo. Must be freed using NetApiBufferFree.
ClientContext - Authentication data for ServerName to pass as AuthIdentity to
RpcBindingSetAuthInfo. Must be freed using I_NetLogonFree.
Note this OUT parameter is NULL if ServerName doesn't support this
functionality.
ServerName - UNC name of a DC in the trusted domain.
The caller should RPC to the named DC. This DC is the only DC that has the server
side context associated with the returned ClientContext. The buffer must be freed
using NetApiBufferFree.
ServerOsVersion - Returns the operating system version of the DC named ServerName.
AuthnLevel - Authentication level Netlogon will use for its secure channel. This value
will be one of:
RPC_C_AUTHN_LEVEL_PKT_PRIVACY: Sign and seal
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY: Sign only
The caller can ignore this value and independently choose an authentication level.
SessionSetupTime - The time of the secure channel session setup to the server.
Return Value:
STATUS_SUCCESS: The auth data was successfully returned.
STATUS_NO_MEMORY: There is not enough memory to complete the operation
STATUS_NETLOGON_NOT_STARTED: Netlogon is not running
STATUS_NO_SUCH_DOMAIN: HostedDomainName does not correspond to a hosted domain, OR
TrustedDomainName is not a trusted domain corresponding to Flags.
STATUS_NO_LOGON_SERVERS: No DCs are not currently available
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NtStatus = (*pI_NetLogonGetAuthDataEx)(
HostedDomainName,
TrustedDomainName,
Flags,
FailedSessionSetupTime,
OurClientPrincipleName,
ClientContext,
ServerName,
ServerOsVersion,
AuthnLevel,
SessionSetupTime );
return( NtStatus );
}
NTSTATUS
I_NetNotifyNtdsDsaDeletion (
IN LPWSTR DnsDomainName,
IN GUID *DomainGuid,
IN GUID *DsaGuid,
IN LPWSTR DnsHostName
)
/*++
Routine Description:
This function is called by the DS to indicate that a NTDS-DSA object
is being deleted.
This function is called on the DC that the object is originally deleted on.
It is not called when the deletion is replicated to other DCs.
Arguments:
DnsDomainName - DNS domain name of the domain the DC was in.
This need not be a domain hosted by this DC.
DomainGuid - Domain Guid of the domain specified by DnsDomainName
DsaGuid - GUID of the NtdsDsa object that is being deleted.
DnsHostName - DNS host name of the DC whose NTDS-DSA object is being deleted.
Return Value:
Status of the operation.
--*/
{
NTSTATUS NtStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NtStatus = (*pI_NetNotifyNtdsDsaDeletion)(
DnsDomainName,
DomainGuid,
DsaGuid,
DnsHostName );
#if DBG
if( !NT_SUCCESS(NtStatus) ) {
DbgPrint("[Security Process] I_NetNotifyNtdsDsaDeletion returns 0x%lx \n",
NtStatus);
}
#endif // DBG
return( NtStatus );
}
NET_API_STATUS
I_NetLogonAddressToSiteName(
IN PSOCKET_ADDRESS SocketAddress,
OUT LPWSTR *SiteName
)
/*++
Routine Description:
This function translates a socket addresses to site name.
Arguments:
SocketAddress -- the requested socket address
SiteName -- the corresponding site name
Return Value:
Status of the operation.
--*/
{
NTSTATUS NtStatus;
NET_API_STATUS NetStatus;
//
// Load netlogon.dll if it hasn't already been loaded.
//
if( NetlogonDllHandle == NULL ) {
if( (NtStatus = NlLoadNetlogonDll()) != STATUS_SUCCESS ) {
return( NtStatus );
}
}
NetStatus = (*pI_NetLogonAddressToSiteName)(SocketAddress,
SiteName );
return( NetStatus );
}