/*++
|
|
|
|
Copyright (c) 1987-1991 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
nlrepl.c
|
|
|
|
Abstract:
|
|
|
|
The database replication functions called either from LSA OR SAM.
|
|
The actual code resides in netlogon.dll.
|
|
|
|
Author:
|
|
|
|
Madan Appiah (Madana)
|
|
|
|
Environment:
|
|
|
|
User mode only.
|
|
Contains NT-specific code.
|
|
Requires ANSI C extensions: slash-slash comments, long external names.
|
|
|
|
Revision History:
|
|
|
|
14-Apr-1992 (madana)
|
|
Created.
|
|
|
|
--*/
|
|
|
|
#include <nt.h> // needed for NTSTATUS
|
|
#include <ntrtl.h> // needed for nturtl.h
|
|
#include <nturtl.h> // needed for windows.h
|
|
#include <windows.h> // win32 typedefs
|
|
|
|
#include <crypt.h> // samsrv.h will need this
|
|
#include <ntlsa.h> // needed for POLICY_LSA_SERVER_ROLE
|
|
#include <samrpc.h>
|
|
#include <samisrv.h> // needed for SECURITY_DB_TYPE etc.
|
|
#include <winsock2.h> // needed for SOCKET defn's
|
|
#include <nlrepl.h> // proto types
|
|
|
|
//
// Signatures of the netlogon.dll exports this file forwards to.
//
// netlogon.dll is not linked statically.  NlLoadNetlogonDll resolves each
// export by name with GetProcAddress into the matching pI_*/pDsr* global
// declared below, and the wrapper of the same name in this file forwards
// its arguments verbatim.  The wrapper's routine description documents the
// semantics of each call; the typedef only fixes the parameter list.
//

//
// Change-log notification issued by SAM/LSA after each database change.
//
typedef NTSTATUS
(*PI_NetNotifyDelta) (
    IN SECURITY_DB_TYPE DbType,
    IN LARGE_INTEGER ModificationCount,
    IN SECURITY_DB_DELTA_TYPE DeltaType,
    IN SECURITY_DB_OBJECT_TYPE ObjectType,
    IN ULONG ObjectRid,
    IN PSID ObjectSid,
    IN PUNICODE_STRING ObjectName,
    IN DWORD ReplicationImmediately,
    IN PSAM_DELTA_DATA MemberId
    );

//
// Domain-role notification from LSA (initialises or discards the change log).
//
typedef NTSTATUS
(*PI_NetNotifyRole) (
    IN POLICY_LSA_SERVER_ROLE Role
    );

//
// Machine-account type change notification from SAM.
//
typedef NTSTATUS
(*PI_NetNotifyMachineAccount) (
    IN ULONG ObjectRid,
    IN PSID DomainSid,
    IN ULONG OldUserAccountControl,
    IN ULONG NewUserAccountControl,
    IN PUNICODE_STRING ObjectName
    );

//
// Trusted-domain object change notification from LSA.
//
typedef NTSTATUS
(*PI_NetNotifyTrustedDomain) (
    IN PSID HostedDomainSid,
    IN PSID TrustedDomainSid,
    IN BOOLEAN IsDeletion
    );

//
// Optional export.  After a successful load NlLoadNetlogonDll passes the
// address of NetlogonDllHandle here, so the parameter is really a pointer
// to the module handle despite being named "Role".
//
typedef NTSTATUS
(*PI_NetNotifyNetlogonDllHandle) (
    IN PHANDLE Role
    );

//
// Tells Netlogon which services (KDC, DS, time) this DC is running.
//
typedef NTSTATUS
(*PI_NetLogonSetServiceBits)(
    IN DWORD ServiceBitsOfInterest,
    IN DWORD ServiceBits
    );

//
// Returns the serial number most recently written to the change log.
//
typedef NTSTATUS
(*PI_NetLogonGetSerialNumber) (
    IN SECURITY_DB_TYPE DbType,
    IN PSID DomainSid,
    OUT PLARGE_INTEGER SerialNumber
    );

//
// Builds the response to an LDAP "Netlogon" attribute ping of this DC.
// Response is allocated by Netlogon and must be freed with I_NetLogonFree.
//
typedef NTSTATUS
(*PI_NetLogonLdapLookupEx)(
    IN PVOID Filter,
    IN PVOID SockAddr,
    OUT PVOID *Response,
    OUT PULONG ResponseSize
    );

//
// Frees any buffer Netlogon returned to an in-process caller.
//
typedef VOID
(*PI_NetLogonFree)(
    IN PVOID Buffer
    );

//
// Looks up a domain in Netlogon's DC cache (NT 4.0 domain detection).
//
typedef NET_API_STATUS
(*PI_DsGetDcCache)(
    IN LPCWSTR NetbiosDomainName OPTIONAL,
    IN LPCWSTR DnsDomainName OPTIONAL,
    OUT PBOOLEAN InNt4Domain,
    OUT LPDWORD InNt4DomainTime
    );

//
// DsGetDcName variant that also passes an account name / account-type mask.
// Note: AccountName is LPCWSTR here but LPWSTR in the wrapper DsrGetDcNameEx2
// further down; the two are compatible for the forwarding call.
//
typedef NET_API_STATUS
(*PDsrGetDcNameEx2)(
    IN LPWSTR ComputerName OPTIONAL,
    IN LPCWSTR AccountName OPTIONAL,
    IN ULONG AllowableAccountControlBits,
    IN LPWSTR DomainName OPTIONAL,
    IN GUID *DomainGuid OPTIONAL,
    IN LPWSTR SiteName OPTIONAL,
    IN ULONG Flags,
    OUT PDOMAIN_CONTROLLER_INFOW *DomainControllerInfo
    );

//
// DS configuration change notification from LSA.
//
typedef NTSTATUS
(*PI_NetNotifyDsChange)(
    IN NL_DS_CHANGE_TYPE DsChangeType
    );

//
// Change-log enumeration.  InContext/OutContext are opaque cursors; a
// NULL/0 InContext starts from the beginning.
//
typedef NTSTATUS
(*PI_NetLogonReadChangeLog)(
    IN PVOID InContext,
    IN ULONG InContextSize,
    IN ULONG ChangeBufferSize,
    OUT PVOID *ChangeBuffer,
    OUT PULONG BytesRead,
    OUT PVOID *OutContext,
    OUT PULONG OutContextSize
    );

//
// Temporary change-log rewrite: New / Append* / Close(Commit).
//
typedef NTSTATUS
(*PI_NetLogonNewChangeLog)(
    OUT HANDLE *ChangeLogHandle
    );

typedef NTSTATUS
(*PI_NetLogonAppendChangeLog)(
    IN HANDLE ChangeLogHandle,
    IN PVOID ChangeBuffer,
    IN ULONG ChangeBufferSize
    );

typedef NTSTATUS
(*PI_NetLogonCloseChangeLog)(
    IN HANDLE ChangeLogHandle,
    IN BOOLEAN Commit
    );

//
// The remaining exports have no wrapper in this part of the file; their
// semantics are documented with the wrapper of the same name.
//
typedef NTSTATUS
(*PI_NetLogonSendToSamOnPdc)(
    IN LPWSTR DomainName,
    IN LPBYTE OpaqueBuffer,
    IN ULONG OpaqueBufferSize
    );

typedef NET_API_STATUS
(*PI_NetLogonGetIpAddresses)(
    OUT PULONG IpAddressCount,
    OUT LPBYTE *IpAddresses
    );

typedef NTSTATUS
(*PI_NetLogonGetAuthDataEx)(
    IN LPWSTR HostedDomainName OPTIONAL,
    IN LPWSTR TrustedDomainName,
    IN ULONG Flags,
    IN PLARGE_INTEGER FailedSessionSetupTime OPTIONAL,
    OUT LPWSTR *OurClientPrincipleName,
    OUT PVOID *ClientContext OPTIONAL,
    OUT LPWSTR *ServerName,
    OUT PNL_OS_VERSION ServerOsVersion,
    OUT PULONG AuthnLevel,
    OUT PLARGE_INTEGER SessionSetupTime
    );

typedef NTSTATUS
(*PI_NetNotifyNtdsDsaDeletion) (
    IN LPWSTR DnsDomainName,
    IN GUID *DomainGuid,
    IN GUID *DsaGuid,
    IN LPWSTR DnsHostName
    );

typedef NET_API_STATUS
(*PI_NetLogonAddressToSiteName)(
    IN PSOCKET_ADDRESS SocketAddress,
    OUT LPWSTR *SiteName
    );
|
|
|
|
//
// Global status
//
// NetlogonDllHandle stays NULL until NlLoadNetlogonDll has both loaded
// netlogon.dll and resolved every required export; every wrapper in this
// file tests it before forwarding.  The function pointers are written by
// NlLoadNetlogonDll (GRAB_ADDRESS) and are only meaningful while
// NetlogonDllHandle is non-NULL.  Nothing here is protected by a lock;
// the callers (SAM/LSA in the security process) are assumed to tolerate
// a redundant load if two threads race on first use -- TODO confirm.
//

HANDLE NetlogonDllHandle = NULL;

PI_NetNotifyDelta pI_NetNotifyDelta = NULL;
PI_NetNotifyRole pI_NetNotifyRole = NULL;
PI_NetNotifyMachineAccount pI_NetNotifyMachineAccount = NULL;
PI_NetNotifyTrustedDomain pI_NetNotifyTrustedDomain = NULL;
PI_NetLogonSetServiceBits pI_NetLogonSetServiceBits = NULL;
PI_NetLogonGetSerialNumber pI_NetLogonGetSerialNumber = NULL;
PI_NetLogonLdapLookupEx pI_NetLogonLdapLookupEx = NULL;
PI_NetLogonFree pI_NetLogonFree = NULL;
PI_DsGetDcCache pI_DsGetDcCache = NULL;
PDsrGetDcNameEx2 pDsrGetDcNameEx2 = NULL;
PI_NetNotifyDsChange pI_NetNotifyDsChange = NULL;
PI_NetLogonReadChangeLog pI_NetLogonReadChangeLog = NULL;
PI_NetLogonNewChangeLog pI_NetLogonNewChangeLog = NULL;
PI_NetLogonAppendChangeLog pI_NetLogonAppendChangeLog = NULL;
PI_NetLogonCloseChangeLog pI_NetLogonCloseChangeLog = NULL;
PI_NetLogonSendToSamOnPdc pI_NetLogonSendToSamOnPdc = NULL;
PI_NetLogonGetIpAddresses pI_NetLogonGetIpAddresses = NULL;
PI_NetLogonGetAuthDataEx pI_NetLogonGetAuthDataEx = NULL;
PI_NetNotifyNtdsDsaDeletion pI_NetNotifyNtdsDsaDeletion = NULL;
PI_NetLogonAddressToSiteName pI_NetLogonAddressToSiteName = NULL;
|
|
|
|
|
|
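NTSTATUS
NlLoadNetlogonDll(
    VOID
    )
/*++

Routine Description:

    Loads netlogon.dll into this process (if that has not been done yet)
    and resolves every export the wrappers in this file forward to.

    The result of the first attempt is cached in a function-local static:
    once a load has failed, every later call returns the same error without
    retrying.  On a machine where the network is not installed netlogon.dll
    is absent and LoadLibrary fails.

    NetlogonDllHandle is published only after all required exports have
    been resolved, so a caller that sees it non-NULL can use any of the
    pI_* pointers.  If resolution fails part way, the pI_* globals already
    written point into a module that is freed below; they are never
    dereferenced because every wrapper re-enters this routine and gets the
    cached failure status.

    NOTE(review): the module is loaded by bare name ("Netlogon"), so the
    loader's DLL search order for this process decides which file is bound.
    Loading by an explicit system-directory path would remove that
    dependency.  Left unchanged here because the install location of the
    hosting process is not visible from this file -- confirm before
    changing.

Arguments:

    None

Return Value:

    STATUS_SUCCESS - netlogon.dll is loaded and all exports are resolved.

    STATUS_DLL_NOT_FOUND - LoadLibrary failed.

    STATUS_PROCEDURE_NOT_FOUND - a required export is missing from the DLL.

--*/
{
    static NTSTATUS DllLoadStatus = STATUS_SUCCESS;
    PI_NetNotifyNetlogonDllHandle pI_NetNotifyNetlogonDllHandle = NULL;
    HANDLE DllHandle = NULL;

    //
    // A previous attempt already failed: report the same error again
    // without going back to the loader.
    //

    if( DllLoadStatus != STATUS_SUCCESS ) {
        goto Cleanup;
    }

    //
    // Load netlogon.dll
    //

    DllHandle = LoadLibraryA( "Netlogon" );

    if ( DllHandle == NULL ) {

#if DBG
        DbgPrint("[Security Process] can't load netlogon.dll %lu \n",
                 GetLastError());
#endif // DBG

        DllLoadStatus = STATUS_DLL_NOT_FOUND;
        goto Cleanup;
    }

    //
    // Resolve one required export into the matching p<name> global.
    //
    // A single definition serves checked and free builds; the diagnostic
    // compiles away when !DBG.  A missing export records the failure in
    // the cached status and abandons the whole load.
    //

#if DBG
#define NL_REPORT_MISSING_EXPORT( _X ) \
    DbgPrint("[security process] can't load " #_X " procedure. %lu\n", GetLastError())
#else // DBG
#define NL_REPORT_MISSING_EXPORT( _X )
#endif // DBG

#define GRAB_ADDRESS( _X ) \
    p##_X = (P##_X) GetProcAddress( DllHandle, #_X ); \
    if ( p##_X == NULL ) { \
        NL_REPORT_MISSING_EXPORT( _X ); \
        DllLoadStatus = STATUS_PROCEDURE_NOT_FOUND; \
        goto Cleanup; \
    }

    //
    // Get the addresses of the required procedures.
    //

    GRAB_ADDRESS( I_NetNotifyDelta );
    GRAB_ADDRESS( I_NetNotifyRole );
    GRAB_ADDRESS( I_NetNotifyMachineAccount );
    GRAB_ADDRESS( I_NetNotifyTrustedDomain );
    GRAB_ADDRESS( I_NetLogonSetServiceBits );
    GRAB_ADDRESS( I_NetLogonGetSerialNumber );
    GRAB_ADDRESS( I_NetLogonLdapLookupEx );
    GRAB_ADDRESS( I_NetLogonFree );
    GRAB_ADDRESS( I_DsGetDcCache );
    GRAB_ADDRESS( DsrGetDcNameEx2 );
    GRAB_ADDRESS( I_NetNotifyDsChange );
    GRAB_ADDRESS( I_NetLogonReadChangeLog );
    GRAB_ADDRESS( I_NetLogonNewChangeLog );
    GRAB_ADDRESS( I_NetLogonAppendChangeLog );
    GRAB_ADDRESS( I_NetLogonCloseChangeLog );
    GRAB_ADDRESS( I_NetLogonSendToSamOnPdc );
    GRAB_ADDRESS( I_NetLogonGetIpAddresses );
    GRAB_ADDRESS( I_NetLogonGetAuthDataEx );
    GRAB_ADDRESS( I_NetNotifyNtdsDsaDeletion );
    GRAB_ADDRESS( I_NetLogonAddressToSiteName );

    //
    // Macros are not scoped to the function; do not let them leak into
    // the rest of the translation unit.
    //

#undef GRAB_ADDRESS
#undef NL_REPORT_MISSING_EXPORT

    //
    // I_NetNotifyNetlogonDllHandle is optional: an older netlogon.dll
    // without it is still usable, so its absence is not an error.
    //

    pI_NetNotifyNetlogonDllHandle = (PI_NetNotifyNetlogonDllHandle)
        GetProcAddress( DllHandle, "I_NetNotifyNetlogonDllHandle" );

    DllLoadStatus = STATUS_SUCCESS;

Cleanup:
    if (DllLoadStatus == STATUS_SUCCESS) {

        //
        // Publish the handle only now that every export is resolved, then
        // let Netlogon know it has been loaded by this process.
        //

        NetlogonDllHandle = DllHandle;

        if( pI_NetNotifyNetlogonDllHandle != NULL ) {
            (VOID) (*pI_NetNotifyNetlogonDllHandle)( &NetlogonDllHandle );
        }

    } else {

        //
        // Failure after a successful LoadLibrary: drop our reference.
        //

        if ( DllHandle != NULL ) {
            FreeLibrary( DllHandle );
        }
    }

    return( DllLoadStatus );
}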
|
|
|
|
|
|
NTSTATUS
I_NetNotifyDelta (
    IN SECURITY_DB_TYPE DbType,
    IN LARGE_INTEGER ModificationCount,
    IN SECURITY_DB_DELTA_TYPE DeltaType,
    IN SECURITY_DB_OBJECT_TYPE ObjectType,
    IN ULONG ObjectRid,
    IN PSID ObjectSid,
    IN PUNICODE_STRING ObjectName,
    IN DWORD ReplicationImmediately,
    IN PSAM_DELTA_DATA MemberId
    )
/*++

Routine Description:

    Forwarding stub for I_NetNotifyDelta in netlogon.dll.

    SAM and LSA call this after every change to their databases, describing
    the object that changed, the kind of change and the serial number
    (DomainModifiedCount) of the change.  The worker records the entry in
    the circular change log (in memory and on disk) so that a BDC or member
    server can later fetch it; see I_NetSamDeltas for how the log is used.
    The worker assumes the log's Tail points at a slot where the new entry
    can be stored.

    This stub only ensures netlogon.dll is loaded and forwards the call.
    Two things about its return value:

      * If netlogon.dll cannot be loaded (network not installed), that
        load error is returned.

      * The worker's status is NOT propagated: whenever the call could be
        made at all, STATUS_SUCCESS is returned.  Presumably this keeps a
        change-log problem from failing the SAM/LSA write that triggered
        the notification -- confirm against the callers before relying on
        this return value for anything beyond "netlogon.dll is present".

Arguments:

    DbType - Type of the database that has been modified.

    ModificationCount - The value of the DomainModifiedCount field for the
        domain following the modification.

    DeltaType - The type of modification that has been made on the object.

    ObjectType - The type of object that has been modified.

    ObjectRid - The relative ID of the object that has been modified.
        Meaningful only when ObjectType is SecurityDbObjectSamUser,
        SecurityDbObjectSamGroup or SecurityDbObjectSamAlias; zero otherwise.

    ObjectSid - The SID of the object that has been modified.  For an object
        in a SAM database this is the DomainId of the domain containing it.

    ObjectName - The name of the secret object when ObjectType is
        SecurityDbObjectLsaSecret, or the OLD name of a SAM user, group or
        alias when DeltaType is SecurityDbRename; NULL otherwise.

    ReplicationImmediately - TRUE if the change should be replicated to all
        BDCs at once.  A password change should pass TRUE.

    MemberId - Supplied when group/alias membership is modified; points at
        the ID of the member that has been updated.

Return Value:

    STATUS_SUCCESS - netlogon.dll is loaded and the worker was invoked
        (whatever the worker itself returned; see above).

    Otherwise the status of the failed attempt to load netlogon.dll.

--*/
{
    NTSTATUS WorkerStatus;

    //
    // The worker lives in netlogon.dll; make sure it is loaded first.
    //

    if( NetlogonDllHandle == NULL ) {
        NTSTATUS LoadStatus = NlLoadNetlogonDll();

        if( LoadStatus != STATUS_SUCCESS ) {
            return LoadStatus;
        }
    }

    //
    // Forward the notification.  The worker's status is captured but not
    // returned (see Routine Description).
    //

    WorkerStatus = (*pI_NetNotifyDelta)( DbType,
                                         ModificationCount,
                                         DeltaType,
                                         ObjectType,
                                         ObjectRid,
                                         ObjectSid,
                                         ObjectName,
                                         ReplicationImmediately,
                                         MemberId );

    return STATUS_SUCCESS;
}
|
|
|
|
|
|
NTSTATUS
I_NetNotifyRole(
    IN POLICY_LSA_SERVER_ROLE Role
    )
/*++

Routine Description:

    Forwarding stub for I_NetNotifyRole in netlogon.dll.

    LSA calls this when it initialises and whenever the domain role changes.
    The worker initialises the change-log cache when the role is PDC
    (reloading it from disk if a change log already exists there) and
    deletes the cache for any other role.

    LSA should treat errors from the worker as non-fatal: log them so they
    can be corrected, continue initialisation, but treat the system
    databases as read-only in that case.  Consistent with that, this stub
    does not propagate the worker's status -- it returns STATUS_SUCCESS
    whenever the call could be made.  Only a failure to load netlogon.dll
    (network not installed) is reported.

Arguments:

    Role - Current role of the server.

Return Value:

    STATUS_SUCCESS - netlogon.dll is loaded and the worker was invoked.

    Otherwise the status of the failed attempt to load netlogon.dll.

--*/
{
    NTSTATUS WorkerStatus;

    //
    // The worker lives in netlogon.dll; make sure it is loaded first.
    //

    if( NetlogonDllHandle == NULL ) {
        NTSTATUS LoadStatus = NlLoadNetlogonDll();

        if( LoadStatus != STATUS_SUCCESS ) {
            return LoadStatus;
        }
    }

    WorkerStatus = (*pI_NetNotifyRole)( Role );

    //
    // A failing worker is only reported on checked builds; the status is
    // deliberately not returned (see Routine Description).
    //

#if DBG
    if( !NT_SUCCESS(WorkerStatus) ) {
        DbgPrint("[Security Process] I_NetNotifyRole returns 0x%lx \n",
                 WorkerStatus);
    }
#endif // DBG

    return STATUS_SUCCESS;
}
|
|
|
|
|
|
NTSTATUS
I_NetNotifyMachineAccount (
    IN ULONG ObjectRid,
    IN PSID DomainSid,
    IN ULONG OldUserAccountControl,
    IN ULONG NewUserAccountControl,
    IN PUNICODE_STRING ObjectName
    )
/*++

Routine Description:

    Forwarding stub for I_NetNotifyMachineAccount in netlogon.dll.

    SAM calls this when the account type of a machine account changes --
    specifically when USER_INTERDOMAIN_TRUST_ACCOUNT,
    USER_WORKSTATION_TRUST_ACCOUNT or USER_SERVER_TRUST_ACCOUNT changes for
    an account -- so that Netlogon learns of the change.

    Unlike I_NetNotifyDelta/I_NetNotifyRole, this stub returns the worker's
    status to the caller.  If netlogon.dll cannot be loaded (network not
    installed) the load error is returned instead.

Arguments:

    ObjectRid - The relative ID of the object that has been modified.

    DomainSid - The SID of the domain containing the object.

    OldUserAccountControl - Previous value of the account's
        UserAccountControl field.

    NewUserAccountControl - New (current) value of the account's
        UserAccountControl field.

    ObjectName - The name of the account being changed.

Return Value:

    Status returned by the worker, or the status of a failed attempt to
    load netlogon.dll.

--*/
{
    NTSTATUS WorkerStatus;

    //
    // The worker lives in netlogon.dll; make sure it is loaded first.
    //

    if( NetlogonDllHandle == NULL ) {
        NTSTATUS LoadStatus = NlLoadNetlogonDll();

        if( LoadStatus != STATUS_SUCCESS ) {
            return LoadStatus;
        }
    }

    WorkerStatus = (*pI_NetNotifyMachineAccount)( ObjectRid,
                                                  DomainSid,
                                                  OldUserAccountControl,
                                                  NewUserAccountControl,
                                                  ObjectName );

#if DBG
    if( !NT_SUCCESS(WorkerStatus) ) {
        DbgPrint("[Security Process] I_NetNotifyMachineAccount returns 0x%lx\n",
                 WorkerStatus);
    }
#endif // DBG

    return WorkerStatus;
}
|
|
|
|
|
|
NTSTATUS
I_NetNotifyTrustedDomain (
    IN PSID HostedDomainSid,
    IN PSID TrustedDomainSid,
    IN BOOLEAN IsDeletion
    )
/*++

Routine Description:

    Forwarding stub for I_NetNotifyTrustedDomain in netlogon.dll.

    LSA calls this to indicate that a trusted domain object has been
    created, modified or deleted.  It is called on both PDC and BDC.

    The worker's status is returned to the caller; if netlogon.dll cannot
    be loaded (network not installed) the load error is returned instead.

Arguments:

    HostedDomainSid - Domain SID of the domain the trust is from.

    TrustedDomainSid - Domain SID of the domain the trust is to.

    IsDeletion - TRUE if the trusted domain object was deleted,
        FALSE if it was created or modified.

Return Value:

    Status returned by the worker, or the status of a failed attempt to
    load netlogon.dll.

--*/
{
    NTSTATUS WorkerStatus;

    //
    // The worker lives in netlogon.dll; make sure it is loaded first.
    //

    if( NetlogonDllHandle == NULL ) {
        NTSTATUS LoadStatus = NlLoadNetlogonDll();

        if( LoadStatus != STATUS_SUCCESS ) {
            return LoadStatus;
        }
    }

    WorkerStatus = (*pI_NetNotifyTrustedDomain)( HostedDomainSid,
                                                 TrustedDomainSid,
                                                 IsDeletion );

#if DBG
    if( !NT_SUCCESS(WorkerStatus) ) {
        DbgPrint("[Security Process] I_NetNotifyTrustedDomain returns 0x%lx\n",
                 WorkerStatus);
    }
#endif // DBG

    return WorkerStatus;
}
|
|
|
|
|
|
|
|
NTSTATUS
I_NetLogonSetServiceBits(
    IN DWORD ServiceBitsOfInterest,
    IN DWORD ServiceBits
    )
/*++

Routine Description:

    Forwarding stub for I_NetLogonSetServiceBits in netlogon.dll.

    Indicates whether this DC is currently running the specified service.
    For instance,

        I_NetLogonSetServiceBits( DS_KDC_FLAG, DS_KDC_FLAG );

    tells Netlogon the KDC is running, and

        I_NetLogonSetServiceBits( DS_KDC_FLAG, 0 );

    tells Netlogon the KDC is not running.

    The worker's status is returned to the caller; if netlogon.dll cannot
    be loaded the load error is returned instead.

Arguments:

    ServiceBitsOfInterest - Mask of the service bits being changed (set or
        reset) by this call.  Only the following flags are valid:

            DS_KDC_FLAG
            DS_DS_FLAG
            DS_TIMESERV_FLAG

    ServiceBits - Mask giving the values the bits selected by
        ServiceBitsOfInterest should be set to.

Return Value:

    STATUS_SUCCESS - Success.

    STATUS_INVALID_PARAMETER - The parameters have extraneous bits set.

    STATUS_DLL_NOT_FOUND - Netlogon.dll could not be loaded.

--*/
{
    NTSTATUS WorkerStatus;

    //
    // The worker lives in netlogon.dll; make sure it is loaded first.
    //

    if( NetlogonDllHandle == NULL ) {
        NTSTATUS LoadStatus = NlLoadNetlogonDll();

        if( LoadStatus != STATUS_SUCCESS ) {
            return LoadStatus;
        }
    }

    WorkerStatus = (*pI_NetLogonSetServiceBits)( ServiceBitsOfInterest,
                                                 ServiceBits );

#if DBG
    if( !NT_SUCCESS(WorkerStatus) ) {
        DbgPrint("[Security Process] I_NetLogonSetServiceBits returns 0x%lx\n",
                 WorkerStatus);
    }
#endif // DBG

    return WorkerStatus;
}
|
|
|
|
|
|
NTSTATUS
I_NetLogonGetSerialNumber (
    IN SECURITY_DB_TYPE DbType,
    IN PSID DomainSid,
    OUT PLARGE_INTEGER SerialNumber
    )
/*++

Routine Description:

    Forwarding stub for I_NetLogonGetSerialNumber in netlogon.dll.

    SAM and LSA call this at startup to obtain the serial number most
    recently written to the change log for the given database/domain.

    The worker's status is returned to the caller; if netlogon.dll cannot
    be loaded the load error is returned instead.

Arguments:

    DbType - Type of the database whose serial number is wanted.

    DomainSid - For the SAM and builtin databases, the DomainId of the
        domain whose serial number is to be returned.

    SerialNumber - Receives the latest value of the DomainModifiedCount
        field for the domain.

Return Value:

    STATUS_SUCCESS - The Service completed successfully.

    STATUS_INVALID_DOMAIN_ROLE - This machine is not the PDC.

    STATUS_DLL_NOT_FOUND - Netlogon.dll could not be loaded.

--*/
{
    NTSTATUS WorkerStatus;

    //
    // The worker lives in netlogon.dll; make sure it is loaded first.
    //

    if( NetlogonDllHandle == NULL ) {
        NTSTATUS LoadStatus = NlLoadNetlogonDll();

        if( LoadStatus != STATUS_SUCCESS ) {
            return LoadStatus;
        }
    }

    WorkerStatus = (*pI_NetLogonGetSerialNumber)( DbType,
                                                  DomainSid,
                                                  SerialNumber );

#if DBG
    if( !NT_SUCCESS(WorkerStatus) ) {
        DbgPrint("[Security Process] I_NetLogonGetSerialNumber returns 0x%lx\n",
                 WorkerStatus);
    }
#endif // DBG

    return WorkerStatus;
}
|
|
|
|
NTSTATUS
I_NetLogonLdapLookupEx(
    IN PVOID Filter,
    IN PVOID SockAddr,
    OUT PVOID *Response,
    OUT PULONG ResponseSize
    )
/*++

Routine Description:

    Forwarding stub for I_NetLogonLdapLookupEx in netlogon.dll.

    The worker builds the response to an LDAP "ping" of this DC.
    DsGetDcName pings a DC to confirm it is functional and still meets the
    caller's requirements by doing an LDAP lookup of the NULL DN for the
    attribute "Netlogon"; the DS turns that into a call to this routine,
    passing the request's filter.

    Filter and SockAddr are opaque to this stub.  The filter comes from the
    DsGetDcName client (so the worker can be restrictive about what it
    accepts); its grammar is defined by the worker, not here.

    The worker's status is returned to the caller; if netlogon.dll cannot
    be loaded the load error is returned instead.

Arguments:

    Filter - Filter describing the query, as built by the DsGetDcName client.

    SockAddr - Address of the client that sent the ping.

    Response - Receives a pointer to a buffer, allocated by Netlogon,
        holding the response.  It is a binary blob to be returned to the
        client bit-for-bit intact.  Free it with I_NetLogonFree.

    ResponseSize - Receives the size (in bytes) of the returned message.

Return Value:

    STATUS_SUCCESS -- The response was returned in the supplied buffer.

    STATUS_INVALID_PARAMETER -- The filter was invalid.

    Otherwise the status of a failed attempt to load netlogon.dll.

--*/
{
    NTSTATUS WorkerStatus;

    //
    // The worker lives in netlogon.dll; make sure it is loaded first.
    //

    if( NetlogonDllHandle == NULL ) {
        NTSTATUS LoadStatus = NlLoadNetlogonDll();

        if( LoadStatus != STATUS_SUCCESS ) {
            return LoadStatus;
        }
    }

    WorkerStatus = (*pI_NetLogonLdapLookupEx)( Filter,
                                               SockAddr,
                                               Response,
                                               ResponseSize );

    //
    // Unlike the other stubs there is no checked-build diagnostic here:
    // failures of the LDAP ping occur frequently in normal operation and
    // would only flood the debugger.
    //

    return WorkerStatus;
}
|
|
|
|
VOID
I_NetLogonFree(
    IN PVOID Buffer
    )
/*++

Routine Description:

    Forwarding stub for I_NetLogonFree in netlogon.dll.

    Frees a buffer that Netlogon allocated and returned to an in-process
    caller (e.g. the Response of I_NetLogonLdapLookupEx or the OutContext
    of I_NetLogonReadChangeLog).

    If netlogon.dll cannot be loaded the call is silently dropped: nothing
    could have been handed out by Netlogon through the stubs in this file
    without the DLL having been loaded first, so there is nothing to free.

Arguments:

    Buffer - Buffer to deallocate.

Return Value:

    None.

--*/
{
    //
    // The worker lives in netlogon.dll; make sure it is loaded first.
    //

    if( NetlogonDllHandle == NULL ) {
        NTSTATUS LoadStatus = NlLoadNetlogonDll();

        if( LoadStatus != STATUS_SUCCESS ) {
            return;
        }
    }

    (*pI_NetLogonFree)( Buffer );
}
|
|
|
|
|
|
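NET_API_STATUS
I_DsGetDcCache(
    IN LPCWSTR NetbiosDomainName OPTIONAL,
    IN LPCWSTR DnsDomainName OPTIONAL,
    OUT PBOOLEAN InNt4Domain,
    OUT LPDWORD InNt4DomainTime
    )
/*++

Routine Description:

    Forwarding stub for I_DsGetDcCache in netlogon.dll.

    The worker finds a domain entry in Netlogon's DC cache that matches the
    caller's query.

    This routine returns a NET_API_STATUS (Win32 error code), so a failure
    to load netlogon.dll -- which NlLoadNetlogonDll reports as an NTSTATUS
    -- is converted with RtlNtStatusToDosError before being returned.
    (Previously the raw NTSTATUS was returned through a NET_API_STATUS,
    which is non-zero and therefore read as "an error", but not a valid
    Win32 code.)

Arguments:

    NetbiosDomainName - Netbios name of the domain to find.

    DnsDomainName - DNS name of the domain to find.

    At least one of the two names should be non-NULL.

    InNt4Domain - Returns TRUE if the domain is an NT 4.0 domain.

    InNt4DomainTime - Returns the GetTickCount time at which the domain was
        detected to be an NT 4.0 domain.

Return Value:

    NO_ERROR: Information is returned about the domain.

    ERROR_NO_SUCH_DOMAIN: cached information is not available for this domain.

    Otherwise the Win32 equivalent of the status of a failed attempt to
    load netlogon.dll (e.g. ERROR_MOD_NOT_FOUND).

--*/
{
    //
    // The worker lives in netlogon.dll; make sure it is loaded first.
    // Load failures are NTSTATUS values; translate them to the Win32
    // error space this routine returns.
    //

    if( NetlogonDllHandle == NULL ) {
        NTSTATUS LoadStatus = NlLoadNetlogonDll();

        if( LoadStatus != STATUS_SUCCESS ) {
            return RtlNtStatusToDosError( LoadStatus );
        }
    }

    return (*pI_DsGetDcCache)( NetbiosDomainName,
                               DnsDomainName,
                               InNt4Domain,
                               InNt4DomainTime );
}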
|
|
|
|
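NET_API_STATUS
DsrGetDcNameEx2(
    IN LPWSTR ComputerName OPTIONAL,
    IN LPWSTR AccountName OPTIONAL,
    IN ULONG AllowableAccountControlBits,
    IN LPWSTR DomainName OPTIONAL,
    IN GUID *DomainGuid OPTIONAL,
    IN LPWSTR SiteName OPTIONAL,
    IN ULONG Flags,
    OUT PDOMAIN_CONTROLLER_INFOW *DomainControllerInfo
    )
/*++

Routine Description:

    Forwarding stub for DsrGetDcNameEx2 in netlogon.dll.

    Same as DsGetDcNameW except for the two extra parameters below.  The
    worker in netlogon.dll is the RPC server-side implementation; this
    stub merely lets in-process callers reach it.

    This routine returns a NET_API_STATUS (Win32 error code), so a failure
    to load netlogon.dll -- which NlLoadNetlogonDll reports as an NTSTATUS
    -- is converted with RtlNtStatusToDosError before being returned.
    (Previously the raw NTSTATUS was returned through a NET_API_STATUS,
    which is non-zero and therefore read as "an error", but not a valid
    Win32 code.)

    Note: AccountName is declared LPWSTR here but LPCWSTR in the
    PDsrGetDcNameEx2 typedef; the forwarding call is still well-typed.

Arguments:

    AccountName - Account name to pass on the ping request.
        If NULL, no account name will be sent.

    AllowableAccountControlBits - Mask of allowable account types for
        AccountName.

    All other arguments: same as DsGetDcNameW.

Return Value:

    Same as DsGetDcNameW, plus the Win32 equivalent of the status of a
    failed attempt to load netlogon.dll (e.g. ERROR_MOD_NOT_FOUND).

--*/
{
    //
    // The worker lives in netlogon.dll; make sure it is loaded first.
    // Load failures are NTSTATUS values; translate them to the Win32
    // error space this routine returns.
    //

    if( NetlogonDllHandle == NULL ) {
        NTSTATUS LoadStatus = NlLoadNetlogonDll();

        if( LoadStatus != STATUS_SUCCESS ) {
            return RtlNtStatusToDosError( LoadStatus );
        }
    }

    return (*pDsrGetDcNameEx2)( ComputerName,
                                AccountName,
                                AllowableAccountControlBits,
                                DomainName,
                                DomainGuid,
                                SiteName,
                                Flags,
                                DomainControllerInfo );
}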
|
|
|
|
|
|
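NTSTATUS
I_NetNotifyDsChange(
    IN NL_DS_CHANGE_TYPE DsChangeType
    )
/*++

Routine Description:

    Forwarding stub for I_NetNotifyDsChange in netlogon.dll.

    LSA calls this to indicate that configuration information in the DS
    has changed.  It is called on both PDC and BDC.

    The worker's status is returned to the caller; if netlogon.dll cannot
    be loaded the load error is returned instead.

Arguments:

    DsChangeType - Indicates the type of information that has changed.

Return Value:

    Status returned by the worker, or the status of a failed attempt to
    load netlogon.dll.

--*/
{
    NTSTATUS WorkerStatus;

    //
    // The worker lives in netlogon.dll; make sure it is loaded first.
    //

    if( NetlogonDllHandle == NULL ) {
        NTSTATUS LoadStatus = NlLoadNetlogonDll();

        if( LoadStatus != STATUS_SUCCESS ) {
            return LoadStatus;
        }
    }

    WorkerStatus = (*pI_NetNotifyDsChange)( DsChangeType );

    //
    // Checked-build diagnostic.  The format previously read "&ld", so the
    // single "%lx" consumed DsChangeType and the status was never printed;
    // both values are now formatted.
    //

#if DBG
    if( !NT_SUCCESS(WorkerStatus) ) {
        DbgPrint("[Security Process] I_NetNotifyDsChange %ld returns 0x%lx \n",
                 (LONG) DsChangeType,
                 WorkerStatus);
    }
#endif // DBG

    return WorkerStatus;
}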
|
|
|
|
|
|
|
|
NTSTATUS
I_NetLogonReadChangeLog(
    IN PVOID InContext,
    IN ULONG InContextSize,
    IN ULONG ChangeBufferSize,
    OUT PVOID *ChangeBuffer,
    OUT PULONG BytesRead,
    OUT PVOID *OutContext,
    OUT PULONG OutContextSize
    )
/*++

Routine Description:

    Forwarding stub for I_NetLogonReadChangeLog in netlogon.dll.

    The worker returns a portion of the change log.  The caller asks for
    the first portion by passing NULL/0 as InContext/InContextSize; each
    call hands back an OutContext identifying the last entry returned,
    which can be passed in on the next call to continue from there.

    The worker's status is returned to the caller; if netlogon.dll cannot
    be loaded the load error is returned instead.

Arguments:

    InContext - Opaque context describing the last entry previously
        returned.  NULL requests the first entry.

    InContextSize - Size (in bytes) of InContext.  0 requests the first
        entry.

    ChangeBufferSize - Size (in bytes) the caller wants for ChangeBuffer.
        (The parameter is described as the size of a "passed in" buffer,
        while ChangeBuffer itself is an OUT pointer-to-pointer; whether the
        worker fills a caller-owned buffer or allocates one bounded by this
        size is not determinable from this stub -- check the worker.)

    ChangeBuffer - Receives the next several entries from the change log.
        The buffer must be DWORD aligned.

    BytesRead - Receives the size (in bytes) of the entries in ChangeBuffer.

    OutContext - Receives an opaque context describing the last entry in
        ChangeBuffer, or NULL if no entries were returned.  The context
        buffer must be freed with I_NetLogonFree.

    OutContextSize - Receives the size (in bytes) of OutContext.

Return Value:

    STATUS_MORE_ENTRIES - More entries are available; call again to fetch
        the rest.

    STATUS_SUCCESS - No more entries are currently available (some may have
        been returned on this call).  The caller can still detect new
        entries later by calling again with the returned context.

    STATUS_INVALID_PARAMETER - InContext is invalid: too short, or the entry
        it describes no longer exists in the change log.

    STATUS_INVALID_DOMAIN_ROLE - Change log not initialized.

    STATUS_NO_MEMORY - Not enough memory to allocate OutContext.

    Otherwise the status of a failed attempt to load netlogon.dll.

--*/
{
    NTSTATUS WorkerStatus;

    //
    // The worker lives in netlogon.dll; make sure it is loaded first.
    //

    if( NetlogonDllHandle == NULL ) {
        NTSTATUS LoadStatus = NlLoadNetlogonDll();

        if( LoadStatus != STATUS_SUCCESS ) {
            return LoadStatus;
        }
    }

    WorkerStatus = (*pI_NetLogonReadChangeLog)( InContext,
                                                InContextSize,
                                                ChangeBufferSize,
                                                ChangeBuffer,
                                                BytesRead,
                                                OutContext,
                                                OutContextSize );

#if DBG
    if( !NT_SUCCESS(WorkerStatus) ) {
        DbgPrint("[Security Process] I_NetLogonReadChangeLog returns 0x%lx \n",
                 WorkerStatus);
    }
#endif // DBG

    return WorkerStatus;
}
|
|
|
|
|
|
|
|
|
|
NTSTATUS
I_NetLogonNewChangeLog(
    OUT HANDLE *ChangeLogHandle
    )
/*++

Routine Description:

    Forwarding stub for I_NetLogonNewChangeLog in netlogon.dll.

    The worker opens a new change-log file for writing.  The new log is a
    temporary file; the real change log is not modified until
    I_NetLogonCloseChangeLog is called with Commit set.

    Expected sequence: this call, zero or more calls to
    I_NetLogonAppendChangeLog, then I_NetLogonCloseChangeLog.  Only one
    temporary change log can be active at a time.

    The worker's status is returned to the caller; if netlogon.dll cannot
    be loaded the load error is returned instead.

Arguments:

    ChangeLogHandle - Receives a handle identifying the temporary change log.

Return Value:

    STATUS_SUCCESS - The temporary change log has been successfully opened.

    STATUS_INVALID_DOMAIN_ROLE - DC is neither PDC nor BDC.

    STATUS_NO_MEMORY - Not enough memory to create the change log buffer.

    Sundry file creation errors.

    Otherwise the status of a failed attempt to load netlogon.dll.

--*/
{
    NTSTATUS WorkerStatus;

    //
    // The worker lives in netlogon.dll; make sure it is loaded first.
    //

    if( NetlogonDllHandle == NULL ) {
        NTSTATUS LoadStatus = NlLoadNetlogonDll();

        if( LoadStatus != STATUS_SUCCESS ) {
            return LoadStatus;
        }
    }

    WorkerStatus = (*pI_NetLogonNewChangeLog)( ChangeLogHandle );

#if DBG
    if( !NT_SUCCESS(WorkerStatus) ) {
        DbgPrint("[Security Process] I_NetLogonNewChangeLog returns 0x%lx \n",
                 WorkerStatus);
    }
#endif // DBG

    return WorkerStatus;
}
NTSTATUS
I_NetLogonAppendChangeLog(
    IN HANDLE ChangeLogHandle,
    IN PVOID ChangeBuffer,
    IN ULONG ChangeBufferSize
    )
/*++

Routine Description:

    Appends a set of changes to the temporary change log opened by
    I_NetLogonNewChangeLog.

    ChangeBuffer must be a buffer produced by I_NetLogonReadChangeLog, and
    every I_NetLogonReadChangeLog call should be matched by exactly one call
    to this routine.

    This routine is a forwarder: the implementation lives in netlogon.dll,
    which is loaded on first use.

Arguments:

    ChangeLogHandle - Handle identifying the temporary change log.

    ChangeBuffer - Change description returned by I_NetLogonReadChangeLog.

    ChangeBufferSize - Size, in bytes, of ChangeBuffer.

Return Value:

    Status returned by the netlogon.dll implementation.  Documented values:

    STATUS_SUCCESS - The changes were appended.

    STATUS_INVALID_DOMAIN_ROLE - This DC is neither PDC nor BDC.

    STATUS_INVALID_HANDLE - ChangeLogHandle is not valid.

    STATUS_INVALID_PARAMETER - ChangeBuffer contains invalid data.

    Other disk-write errors may also be returned.  If netlogon.dll could
    not be loaded, the load failure status is returned instead.

--*/
{
    NTSTATUS Status;

    //
    // Load netlogon.dll on first use; the function pointer is not usable
    // until that has happened.
    //
    if ( NetlogonDllHandle == NULL ) {
        Status = NlLoadNetlogonDll();
        if ( Status != STATUS_SUCCESS ) {
            return Status;
        }
    }

    Status = pI_NetLogonAppendChangeLog( ChangeLogHandle,
                                         ChangeBuffer,
                                         ChangeBufferSize );

#if DBG
    if ( !NT_SUCCESS(Status) ) {
        DbgPrint("[Security Process] I_NetLogonAppendChangeLog returns 0x%lx \n", Status);
    }
#endif // DBG

    return Status;
}
NTSTATUS
I_NetLogonCloseChangeLog(
    IN HANDLE ChangeLogHandle,
    IN BOOLEAN Commit
    )
/*++

Routine Description:

    Closes the temporary change log opened by I_NetLogonNewChangeLog,
    either committing its contents to the primary change log or discarding
    them.

    This routine is a forwarder: the implementation lives in netlogon.dll,
    which is loaded on first use.

Arguments:

    ChangeLogHandle - Handle identifying the temporary change log.

    Commit - TRUE: write the accumulated changes to the primary change log.
             FALSE: discard the accumulated changes.

Return Value:

    Status returned by the netlogon.dll implementation.  Documented values:

    STATUS_SUCCESS - The temporary change log was closed.

    STATUS_INVALID_DOMAIN_ROLE - This DC is neither PDC nor BDC.

    STATUS_INVALID_HANDLE - ChangeLogHandle is not valid.

    If netlogon.dll could not be loaded, the load failure status is returned.

--*/
{
    NTSTATUS Status;

    //
    // Load netlogon.dll on first use; the function pointer is not usable
    // until that has happened.
    //
    if ( NetlogonDllHandle == NULL ) {
        Status = NlLoadNetlogonDll();
        if ( Status != STATUS_SUCCESS ) {
            return Status;
        }
    }

    Status = pI_NetLogonCloseChangeLog( ChangeLogHandle, Commit );

#if DBG
    if ( !NT_SUCCESS(Status) ) {
        DbgPrint("[Security Process] I_NetLogonCloseChangeLog returns 0x%lx \n", Status);
    }
#endif // DBG

    return Status;
}
NTSTATUS
I_NetLogonSendToSamOnPdc(
    IN LPWSTR DomainName,
    IN LPBYTE OpaqueBuffer,
    IN ULONG OpaqueBufferSize
    )
/*++

Routine Description:

    Forwards an opaque buffer from SAM on this BDC to SAM on the PDC of the
    named domain.  The original purpose is to let a BDC forward user
    password changes to the PDC.

    This routine is a forwarder: the implementation lives in netlogon.dll,
    which is loaded on first use.

Arguments:

    DomainName - Hosted domain the request applies to; either the Netbios or
        the DNS domain name.  NULL means the primary domain hosted by this DC.

    OpaqueBuffer - Data to deliver to the SAM service on the PDC.  It is
        encrypted on the wire.

    OpaqueBufferSize - Size, in bytes, of OpaqueBuffer.

Return Value:

    Status returned by the netlogon.dll implementation.  Documented values:

    STATUS_SUCCESS - Message delivered to the PDC.

    STATUS_NO_MEMORY - Not enough memory to complete the operation.

    STATUS_NO_SUCH_DOMAIN - DomainName is not a hosted domain.

    STATUS_NO_LOGON_SERVERS - The PDC is not currently reachable.

    STATUS_NOT_SUPPORTED - The PDC does not support this operation.

    If netlogon.dll could not be loaded, the load failure status is returned.

--*/
{
    NTSTATUS Status;

    //
    // Load netlogon.dll on first use; the function pointer is not usable
    // until that has happened.
    //
    if ( NetlogonDllHandle == NULL ) {
        Status = NlLoadNetlogonDll();
        if ( Status != STATUS_SUCCESS ) {
            return Status;
        }
    }

    Status = pI_NetLogonSendToSamOnPdc( DomainName,
                                        OpaqueBuffer,
                                        OpaqueBufferSize );

#if DBG
    if ( !NT_SUCCESS(Status) ) {
        DbgPrint("[Security Process] I_NetLogonSendToSamOnPdc returns 0x%lx \n", Status);
    }
#endif // DBG

    return Status;
}
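NET_API_STATUS
I_NetLogonGetIpAddresses(
    OUT PULONG IpAddressCount,
    OUT LPBYTE *IpAddresses
    )
/*++

Routine Description:

    Returns all of the IP addresses assigned to this machine.

    This routine is a forwarder: the implementation lives in netlogon.dll,
    which is loaded on first use.

Arguments:

    IpAddressCount - Receives the number of IP addresses assigned to this
        machine.

    IpAddresses - Receives a buffer containing an array of SOCKET_ADDRESS
        structures.  Free it with I_NetLogonFree().

Return Value:

    NET_API_STATUS (Win32 error code).  Documented values from the
    netlogon.dll implementation:

    NO_ERROR - Success.

    ERROR_NOT_ENOUGH_MEMORY - Not enough memory to complete the operation.

    ERROR_NETLOGON_NOT_STARTED - Netlogon is not started.

    If netlogon.dll could not be loaded, the NTSTATUS load failure is
    converted with RtlNtStatusToDosError so the caller always receives a
    Win32 error code, as the return type promises.

--*/
{
    NTSTATUS NtStatus;

    //
    // Load netlogon.dll on first use; the function pointer is not usable
    // until that has happened.
    //
    if ( NetlogonDllHandle == NULL ) {
        NtStatus = NlLoadNetlogonDll();
        if ( NtStatus != STATUS_SUCCESS ) {
            //
            // The return type is NET_API_STATUS, but NlLoadNetlogonDll yields
            // an NTSTATUS.  Returning it unconverted would hand the caller a
            // value outside the Win32 error space (e.g. STATUS_NO_MEMORY
            // rather than ERROR_NOT_ENOUGH_MEMORY), so map it here.
            //
            return RtlNtStatusToDosError( NtStatus );
        }
    }

    return (*pI_NetLogonGetIpAddresses)( IpAddressCount, IpAddresses );
}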
NTSTATUS
I_NetLogonGetAuthDataEx(
    IN LPWSTR HostedDomainName OPTIONAL,
    IN LPWSTR TrustedDomainName,
    IN ULONG Flags,
    IN PLARGE_INTEGER FailedSessionSetupTime OPTIONAL,
    OUT LPWSTR *OurClientPrincipleName,
    OUT PVOID *ClientContext OPTIONAL,
    OUT LPWSTR *ServerName,
    OUT PNL_OS_VERSION ServerOsVersion,
    OUT PULONG AuthnLevel,
    OUT PLARGE_INTEGER SessionSetupTime
    )
/*++

Routine Description:

    Returns the data a caller passes to RpcBindingSetAuthInfoW in order to
    make an RPC call using the Netlogon security package.

    The data is valid for the lifetime of Netlogon's secure channel to the
    current DC, and the caller has no way to learn that lifetime.  A caller
    must therefore be prepared for access to be denied and, when it is, call
    this routine again, passing the client context that was denied (via
    FailedSessionSetupTime).

    Once handed to RpcBindingSetAuthInfoW, the data must not be freed until
    the binding handle has been closed.

    This routine is a forwarder: the implementation lives in netlogon.dll,
    which is loaded on first use.

Arguments:

    HostedDomainName - Hosted domain the request applies to; Netbios or DNS
        domain name.  NULL means the primary domain hosted by this machine.

    TrustedDomainName - Domain the trust relationship is to; Netbios or DNS
        domain name.

    Flags - Selects which ClientContext to return:

        NL_DIRECT_TRUST_REQUIRED - Return STATUS_NO_SUCH_DOMAIN unless
            TrustedDomainName is directly trusted.

        NL_RETURN_CLOSEST_HOP - For indirect trust, return the "closest hop"
            session instead of the actual session.

        NL_ROLE_PRIMARY_OK - On a PDC, it is acceptable to return the client
            session to the primary domain.

        NL_REQUIRE_DOMAIN_IN_FOREST - Return STATUS_NO_SUCH_DOMAIN unless
            TrustedDomainName is a domain in the forest.

    FailedSessionSetupTime - Session setup time of the server the caller
        found to be no longer available.  When supplied, this routine resets
        the secure channel unless the current channel's timestamp already
        differs from this value (meaning it was reset between the two calls).

    OurClientPrincipleName - Receives this machine's principal name (this
        machine is the client for authentication purposes).  Pass it as the
        ServerPrincipleName parameter of RpcBindingSetAuthInfo.  Free with
        NetApiBufferFree.

    ClientContext - Receives authentication data for ServerName, to be passed
        as AuthIdentity to RpcBindingSetAuthInfo.  Free with I_NetLogonFree.
        Set to NULL if ServerName does not support this functionality.

    ServerName - Receives the UNC name of a DC in the trusted domain.  The
        caller should RPC to that DC; it is the only DC holding the server
        side context for the returned ClientContext.  Free with
        NetApiBufferFree.

    ServerOsVersion - Receives the operating system version of ServerName.

    AuthnLevel - Receives the authentication level Netlogon uses for its
        secure channel, one of:

            RPC_C_AUTHN_LEVEL_PKT_PRIVACY - sign and seal
            RPC_C_AUTHN_LEVEL_PKT_INTEGRITY - sign only

        The caller may ignore this and pick its own level.

    SessionSetupTime - Receives the secure channel session setup time.

Return Value:

    Status returned by the netlogon.dll implementation.  Documented values:

    STATUS_SUCCESS - Auth data returned.

    STATUS_NO_MEMORY - Not enough memory to complete the operation.

    STATUS_NETLOGON_NOT_STARTED - Netlogon is not running.

    STATUS_NO_SUCH_DOMAIN - HostedDomainName is not a hosted domain, or
        TrustedDomainName is not trusted in the sense required by Flags.

    STATUS_NO_LOGON_SERVERS - No DC is currently available.

    If netlogon.dll could not be loaded, the load failure status is returned.

--*/
{
    NTSTATUS Status;

    //
    // Load netlogon.dll on first use; the function pointer is not usable
    // until that has happened.
    //
    if ( NetlogonDllHandle == NULL ) {
        Status = NlLoadNetlogonDll();
        if ( Status != STATUS_SUCCESS ) {
            return Status;
        }
    }

    Status = pI_NetLogonGetAuthDataEx( HostedDomainName,
                                       TrustedDomainName,
                                       Flags,
                                       FailedSessionSetupTime,
                                       OurClientPrincipleName,
                                       ClientContext,
                                       ServerName,
                                       ServerOsVersion,
                                       AuthnLevel,
                                       SessionSetupTime );

    return Status;
}
NTSTATUS
I_NetNotifyNtdsDsaDeletion (
    IN LPWSTR DnsDomainName,
    IN GUID *DomainGuid,
    IN GUID *DsaGuid,
    IN LPWSTR DnsHostName
    )
/*++

Routine Description:

    Called by the DS when an NTDS-DSA object is being deleted.  It is
    invoked only on the DC where the deletion originates, not on DCs the
    deletion later replicates to.

    This routine is a forwarder: the implementation lives in netlogon.dll,
    which is loaded on first use.

Arguments:

    DnsDomainName - DNS name of the domain the DC belonged to.  Need not be
        a domain hosted by this DC.

    DomainGuid - GUID of the domain named by DnsDomainName.

    DsaGuid - GUID of the NTDS-DSA object being deleted.

    DnsHostName - DNS host name of the DC whose NTDS-DSA object is being
        deleted.

Return Value:

    Status returned by the netlogon.dll implementation.  If netlogon.dll
    could not be loaded, the load failure status is returned instead.

--*/
{
    NTSTATUS Status;

    //
    // Load netlogon.dll on first use; the function pointer is not usable
    // until that has happened.
    //
    if ( NetlogonDllHandle == NULL ) {
        Status = NlLoadNetlogonDll();
        if ( Status != STATUS_SUCCESS ) {
            return Status;
        }
    }

    Status = pI_NetNotifyNtdsDsaDeletion( DnsDomainName,
                                          DomainGuid,
                                          DsaGuid,
                                          DnsHostName );

#if DBG
    if ( !NT_SUCCESS(Status) ) {
        DbgPrint("[Security Process] I_NetNotifyNtdsDsaDeletion returns 0x%lx \n", Status);
    }
#endif // DBG

    return Status;
}
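NET_API_STATUS
I_NetLogonAddressToSiteName(
    IN PSOCKET_ADDRESS SocketAddress,
    OUT LPWSTR *SiteName
    )
/*++

Routine Description:

    Translates a socket address to the name of the site it belongs to.

    This routine is a forwarder: the implementation lives in netlogon.dll,
    which is loaded on first use.

Arguments:

    SocketAddress - The socket address to look up.

    SiteName - Receives the corresponding site name.

Return Value:

    NET_API_STATUS (Win32 error code) returned by the netlogon.dll
    implementation.

    If netlogon.dll could not be loaded, the NTSTATUS load failure is
    converted with RtlNtStatusToDosError so the caller always receives a
    Win32 error code, as the return type promises.

--*/
{
    NTSTATUS NtStatus;

    //
    // Load netlogon.dll on first use; the function pointer is not usable
    // until that has happened.
    //
    if ( NetlogonDllHandle == NULL ) {
        NtStatus = NlLoadNetlogonDll();
        if ( NtStatus != STATUS_SUCCESS ) {
            //
            // The return type is NET_API_STATUS, but NlLoadNetlogonDll yields
            // an NTSTATUS.  Returning it unconverted would hand the caller a
            // value outside the Win32 error space, so map it here.
            //
            return RtlNtStatusToDosError( NtStatus );
        }
    }

    return (*pI_NetLogonAddressToSiteName)( SocketAddress, SiteName );
}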