archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/netapi/svcdlls/logonsrv/server/nlldap.cxx

652 lines
19 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*--
  4. Copyright (c) 1996-1997 Microsoft Corporation
  6. Module Name:
  8. nlldap.cxx
  10. Abstract:
  12. Routines the use the DS's ldap filter.
  14. This is actually in a .cxx file by itself to work around a compiler bug
  15. where .c files cannot include ldap.h
  17. Author:
  20. Environment:
  22. User mode only.
  23. Contains NT-specific code.
  24. Requires ANSI C extensions: slash-slash comments, long external names.
  26. Revision History:
  28. --*/
  31. #ifdef __cplusplus
  32. extern "C" {
  33. #endif /* __cplusplus */
  34. #include <nt.h> // LARGE_INTEGER definition
  35. #include <ntrtl.h> // LARGE_INTEGER definition
  36. #include <nturtl.h> // LARGE_INTEGER definition
  37. #include <ntlsa.h> // Needed by lsrvdata.h
  38. #include <ntddbrow.h> // Needed by nlcommon.h
  40. #define NOMINMAX // Avoid redefinition of min and max in stdlib.h
  41. #include <rpc.h> // Needed by logon_s.h
  42. #include <logon_s.h> // includes lmcons.h, lmaccess.h, netlogon.h, ssi.h, windef.h
  43. //
  44. #include <windows.h>
  45. #include <winsock2.h> // Winsock support
  46. #include <lmapibuf.h> // NetApiBufferFree
  47. #include <logonp.h> // NetpLogon routines
  48. #include <lsarpc.h> // Needed by lsrvdata.h and logonsrv.h
  49. #include <lsaisrv.h> // Needed by changelg.h
  50. #include <wincrypt.h> // CryptoAPI, needed by lsrvdata.h
  51. #ifdef __cplusplus
  52. } /* extern "C" */
  53. #endif /* __cplusplus */
  54. #include <netlib.h> // Needed by nlcommon.h
  55. #ifdef __cplusplus
  56. extern "C" {
  57. #endif /* __cplusplus */
  58. #include <samrpc.h> // Needed by lsrvdata.h and logonsrv.h
  59. #include <ntdsa.h> // THSave/THRestore
  60. #include <wmistr.h> // Needed by lsrvdata.h
  61. #include <evntrace.h> // Needed by lsrvdata.h
  62. #include <sspi.h> // Needed by ssiinit.h
  64. //
  65. // Netlogon specific header files.
  66. //
  68. #define _AVOID_REPL_API 1
  69. #include <nlrepl.h> // I_Net*
  70. #include "worker.h" // Worker routines
  71. #include "nlcommon.h" // Routines shared with logonsrv\common
  72. #include "domain.h" // Hosted domain definitions
  73. #include "changelg.h" // Change Log support
  74. #include "chutil.h" // Change Log utilities
  75. #include "iniparm.h" // registry parameters
  76. #include "ssiinit.h" // Misc global definitions
  77. #include "nldebug.h" // Netlogon debugging
  78. #include "lsrvdata.h" // Globals
  80. // #include <string.h> // strnicmp ...
  81. #include <ldap.h> // Filter for LDAP query
  83. #define NL_MAXIMUM_USER_NAME_LENGTH 20 // The max SAM allows
  85. BOOLEAN
  86. IsFilterName(
  87. IN Filter *CurrentFilter,
  88. IN LPSTR NameToMatch
  89. )
  91. /*++
  93. Routine Description:
  95. If the CurrentFilter is for NameToMatch, return TRUE
  97. Arguments:
  99. Filter - Pointer to an equalityMatch Filter element.
  101. NameToMatch - Specifies the name to compare with the filter element.
  103. Return Value:
  105. TRUE name matches.
  107. --*/
  108. {
  109. ULONG NameLength;
  111. NameLength = strlen( NameToMatch );
  112. if ( NameLength != CurrentFilter->u.equalityMatch.attributeDesc.length ) {
  113. return FALSE;
  114. }
  115. if ( _strnicmp( NameToMatch,
  116. (LPSTR)CurrentFilter->u.equalityMatch.attributeDesc.value,
  117. NameLength ) != 0 ) {
  118. return FALSE;
  119. }
  120. return TRUE;
  121. }
  123. NET_API_STATUS
  124. FilterString(
  125. IN Filter *CurrentFilter,
  126. IN ULONG UnicodeStringBufferSize,
  127. OUT LPWSTR UnicodeStringBuffer OPTIONAL,
  128. OUT LPWSTR *UnicodeString
  129. )
  131. /*++
  133. Routine Description:
  135. Return a zero terminated unicode string containing the value of the
  136. current equalityMatch filter element.
  138. The value of the element is expected to be in UTF-8.
  140. Arguments:
  142. Filter - Pointer to an equalityMatch Filter element.
  144. UnicodeStringBuffer -- Buffer to copy the covnverted string to.
  145. If NULL, the function will allocate the needed memory and
  146. return it in UnicodeString.
  148. UnicodeStringSize - Size in wide charactes of UnicodeStringBuffer.
  149. If this size is less than what's needed to store the resulting
  150. NULL terminated unicode string, the function will allocate the
  151. needed memory and return it in UnicodeString.
  153. UnicodeString - Returns a pointer to the resulting string.
  154. If the passed in buffer for the resulting unicode string isn't
  155. large enough, the function will allocate the needed memory and
  156. the pointer to the allocated memory will be returned in this
  157. parameter. If NULL and the passed in buffer isn't large enough
  158. to store the resulting NULL terminated string, the function
  159. returns ERROR_INSUFFICIENT_BUFFER. On successful return, the
  160. caller should check whether UnicodeString != UnicodeStringBuffer
  161. and, if so, free the allocated buffer using NetApiBufferFree.
  163. Return Value:
  165. Error returned by NetpAllocWStrFromUtf8StrAsRequired.
  167. --*/
  168. {
  169. NET_API_STATUS NetStatus;
  170. LPWSTR AllocatedUnicodeString = NULL;
  172. //
  173. // Call the worker routine
  174. //
  176. NetStatus = NetpAllocWStrFromUtf8StrAsRequired(
  177. (LPSTR)CurrentFilter->u.equalityMatch.assertionValue.value,
  178. CurrentFilter->u.equalityMatch.assertionValue.length,
  179. UnicodeStringBufferSize,
  180. UnicodeStringBuffer,
  181. &AllocatedUnicodeString );
  183. //
  184. // Set the return pointer to point to the appropriate buffer
  185. //
  187. if ( NetStatus == NO_ERROR ) {
  188. if ( AllocatedUnicodeString != NULL ) {
  189. NlAssert( AllocatedUnicodeString != UnicodeStringBuffer );
  190. *UnicodeString = AllocatedUnicodeString;
  191. } else {
  192. *UnicodeString = UnicodeStringBuffer;
  193. }
  194. }
  196. return NetStatus;
  197. }
  199. NET_API_STATUS
  200. FilterBinary(
  201. IN Filter *CurrentFilter,
  202. IN ULONG BufferSize,
  203. OUT PVOID Buffer,
  204. OUT PULONG DataSize
  205. )
  207. /*++
  209. Routine Description:
  211. Returns a properly aligned pointer to the binary data.
  213. Arguments:
  215. Filter - Pointer to an equalityMatch Filter element.
  217. Buffer - Buffer to copy the data into.
  219. BufferSize - The size of the passed buffer. If the
  220. buffer isn't large enough to store the data,
  221. ERROR_INSUFFICIENT_BUFFER is returned.
  223. DataSize - Size of the data copied
  225. Return Value:
  227. NO_ERROR - The data has been successfully coppied.
  229. ERROR_INSUFFICIENT_BUFFER - The passed in buffer is too small.
  231. --*/
  232. {
  233. if ( BufferSize < CurrentFilter->u.equalityMatch.assertionValue.length ) {
  234. return ERROR_INSUFFICIENT_BUFFER;
  235. }
  237. RtlCopyMemory( Buffer,
  238. CurrentFilter->u.equalityMatch.assertionValue.value,
  239. CurrentFilter->u.equalityMatch.assertionValue.length );
  241. *DataSize = CurrentFilter->u.equalityMatch.assertionValue.length;
  243. return NO_ERROR;
  244. }
  247. NTSTATUS
  248. I_NetLogonLdapLookup(
  249. IN PVOID FilterParam,
  250. OUT PVOID *Response,
  251. OUT PULONG ResponseSize
  252. )
  254. /*++
  256. Routine Description:
  258. See I_NetLogonLdapLookupEx.
  260. Arguments:
  262. See I_NetLogonLdapLookupEx.
  264. Return Value:
  266. See I_NetLogonLdapLookupEx.
  268. --*/
  269. {
  271. return I_NetLogonLdapLookupEx( FilterParam,
  272. NULL, // No Ip Address from client,
  273. Response,
  274. ResponseSize );
  276. }
  279. NTSTATUS
  280. I_NetLogonLdapLookupEx(
  281. IN PVOID FilterParam,
  282. IN PVOID ClientSockAddr,
  283. OUT PVOID *Response,
  284. OUT PULONG ResponseSize
  285. )
  287. /*++
  289. Routine Description:
  291. This routine builds a response to an LDAP ping of a DC. DsGetDcName does
  292. such a ping to ensure the DC is functional and still meets the requirements
  293. of the DsGetDcName. DsGetDcName does an LDAP lookup of the NULL DN asking
  294. for attribute "Netlogon". The DS turns that into a call to this routine
  295. passing in the filter parameter.
  297. The DS is expected to save the DS thread state before calling. This routine
  298. calls SAM which expects to have its own DS thread state.
  300. Arguments:
  302. Filter - Filter describing the query. The filter is built by the DsGetDcName
  303. client, so we can limit the flexibility significantly.
  305. SockAddr - Socket Address of the client this request came in on.
  307. Response - Returns a pointer to an allocated buffer containing
  308. the response to return to the caller. This response is a binary blob
  309. which should be returned to the caller bit-for-bit intact.
  310. The buffer should be freed be calling I_NetLogonFree.
  312. ResponseSize - Size (in bytes) of the returned message.
  314. Return Value:
  316. STATUS_SUCCESS -- The response was returned in the supplied buffer.
  318. STATUS_INVALID_PARAMETER -- The filter was invalid.
  320. --*/
  321. {
  322. NTSTATUS Status = STATUS_SUCCESS;
  323. NET_API_STATUS NetStatus = NO_ERROR;
  325. Filter *LdapFilter = (Filter *) FilterParam;
  326. Filter *CurrentFilter;
  327. struct _setof3_ *CurrentAnd;
  329. LPSTR DnsDomainName = NULL;
  330. GUID DomainGuid;
  331. GUID *DomainGuidPtr = NULL;
  332. // The domain SID buffer must be DWORD alligned. Avoid any buffer overflow problem
  333. // due to truncation in case SECURITY_MAX_SID_SIZE isn't evenly divisible by 4
  334. ULONG DomainSid[SECURITY_MAX_SID_SIZE/sizeof(ULONG)+1];
  335. PSID DomainSidPtr = NULL;
  336. WCHAR UnicodeComputerNameBuffer[MAX_COMPUTERNAME_LENGTH+1];
  337. LPWSTR UnicodeComputerName = NULL;
  338. WCHAR UnicodeUserNameBuffer[NL_MAXIMUM_USER_NAME_LENGTH+1];
  339. LPWSTR UnicodeUserName = NULL;
  340. ULONG AllowableAccountControlBits = 0;
  341. DWORD NtVersion = LMNT_MESSAGE;
  342. DWORD NtVersionFlags = NETLOGON_NT_VERSION_5;
  343. ULONG Length = 0;
  344. SOCKADDR_IN SockAddrIn;
  346. //
  347. // Initialization.
  348. //
  350. *Response = NULL;
  351. *ResponseSize = 0;
  353. //
  354. // If caller is calling when the netlogon service isn't running,
  355. // tell it so.
  356. //
  358. if ( !NlStartNetlogonCall() ) {
  359. return STATUS_INVALID_PARAMETER;
  360. }
  362. //
  363. // Validate the client socket address.
  364. //
  366. if ( ClientSockAddr != NULL ) {
  367. if ( ((PSOCKADDR)ClientSockAddr)->sa_family != AF_INET ) {
  368. NlPrint((NL_CRITICAL,
  369. "I_NetlogonLdapLookupEx: DS passed us a SOCKADDR that wasn't AF_INET (ignoring it)\n" ));
  370. ClientSockAddr = NULL;
  371. } else {
  372. //
  373. // Force the port number to zero to avoid confusion later.
  374. SockAddrIn = *((PSOCKADDR_IN)ClientSockAddr);
  375. SockAddrIn.sin_port = 0;
  376. ClientSockAddr = &SockAddrIn;
  378. }
  379. }
  383. //
  384. // Parse the filter.
  385. //
  387. if ( LdapFilter != NULL ) {
  389. //
  390. // The first element of the filter must be an AND.
  391. //
  393. if ( LdapFilter->choice != and_chosen ) {
  394. NlPrint((NL_CRITICAL,
  395. "I_NetlogonLdapLookup: Filter doesn't have AND %ld\n",
  396. LdapFilter->choice ));
  397. Status = STATUS_INVALID_PARAMETER;
  398. goto Cleanup;
  399. }
  401. //
  402. // Loop through the AND'ed attributes.
  403. //
  404. //
  406. for ( CurrentAnd = LdapFilter->u.and;
  407. CurrentAnd != NULL;
  408. CurrentAnd = CurrentAnd->next ) {
  410. CurrentFilter = &CurrentAnd->value;
  412. if ( CurrentFilter->choice != equalityMatch_chosen ) {
  413. NlPrint((NL_CRITICAL,
  414. "I_NetlogonLdapLookup: Filter doesn't have EqualityMatch %ld\n",
  415. LdapFilter->choice ));
  416. Status = STATUS_INVALID_PARAMETER;
  417. goto Cleanup;
  418. }
  420. //
  421. // Handle DnsDomainName parameter.
  422. //
  424. if ( IsFilterName( CurrentFilter, NL_FILTER_DNS_DOMAIN_NAME ) ) {
  426. if ( CurrentFilter->u.equalityMatch.assertionValue.length == 0 ) {
  427. NlPrint((NL_CRITICAL,
  428. "I_NetlogonLdapLookup: Bad DnsDomainName\n" ));
  429. Status = STATUS_INVALID_PARAMETER;
  430. goto Cleanup;
  431. }
  433. NetStatus = NetApiBufferAllocate(
  434. CurrentFilter->u.equalityMatch.assertionValue.length + sizeof(CHAR),
  435. (LPVOID *) &DnsDomainName );
  437. if ( NetStatus != NO_ERROR ) {
  438. Status = STATUS_NO_MEMORY;
  439. goto Cleanup;
  440. }
  442. RtlCopyMemory( DnsDomainName,
  443. CurrentFilter->u.equalityMatch.assertionValue.value,
  444. CurrentFilter->u.equalityMatch.assertionValue.length );
  446. DnsDomainName[ CurrentFilter->u.equalityMatch.assertionValue.length ] = '\0';
  448. //
  449. // Handle Host parameter.
  450. //
  452. } else if ( IsFilterName( CurrentFilter, NL_FILTER_HOST_NAME ) ) {
  454. NetStatus = FilterString( CurrentFilter,
  455. MAX_COMPUTERNAME_LENGTH+1,
  456. UnicodeComputerNameBuffer,
  457. &UnicodeComputerName );
  459. if ( NetStatus != NO_ERROR ) {
  460. NlPrint((NL_CRITICAL,
  461. "I_NetlogonLdapLookup: Bad UnicodeComputerName 0x%lx\n",
  462. NetStatus ));
  463. Status = STATUS_INVALID_PARAMETER;
  464. goto Cleanup;
  465. }
  467. //
  468. // Handle User parameter.
  469. //
  471. } else if ( IsFilterName( CurrentFilter, NL_FILTER_USER_NAME ) ) {
  473. NetStatus = FilterString( CurrentFilter,
  474. NL_MAXIMUM_USER_NAME_LENGTH+1,
  475. UnicodeUserNameBuffer,
  476. &UnicodeUserName );
  478. if ( NetStatus != NO_ERROR ) {
  479. NlPrint((NL_CRITICAL,
  480. "I_NetlogonLdapLookup: Bad UnicodeUserName 0x%lx\n",
  481. NetStatus ));
  482. Status = STATUS_INVALID_PARAMETER;
  483. goto Cleanup;
  484. }
  486. //
  487. // Handle AccountControlBits parameter.
  488. //
  489. } else if ( IsFilterName( CurrentFilter, NL_FILTER_ALLOWABLE_ACCOUNT_CONTROL ) ) {
  491. NetStatus = FilterBinary( CurrentFilter,
  492. sizeof(AllowableAccountControlBits),
  493. &AllowableAccountControlBits,
  494. &Length );
  496. if ( NetStatus != NO_ERROR || Length != sizeof(AllowableAccountControlBits) ) {
  497. NlPrint((NL_CRITICAL,
  498. "I_NetlogonLdapLookup: Bad AllowableAccountControl 0x%lx %lu\n",
  499. NetStatus,
  500. Length ));
  502. Status = STATUS_INVALID_PARAMETER;
  503. goto Cleanup;
  504. }
  506. //
  507. // Handle DomainSid parameter.
  508. //
  509. } else if ( IsFilterName( CurrentFilter, NL_FILTER_DOMAIN_SID ) ) {
  511. NetStatus = FilterBinary( CurrentFilter,
  512. sizeof(DomainSid),
  513. DomainSid,
  514. &Length );
  516. //
  517. // Check the length
  518. //
  519. if ( NetStatus != NO_ERROR ||
  520. !RtlValidSid(DomainSid) ||
  521. RtlLengthSid(DomainSid) != Length ) {
  523. NlPrint((NL_CRITICAL,
  524. "I_NetlogonLdapLookup: Bad DomainSid 0x%lx %ld\n",
  525. NetStatus,
  526. Length ));
  528. Status = STATUS_INVALID_PARAMETER;
  529. goto Cleanup;
  530. }
  532. DomainSidPtr = DomainSid;
  534. //
  535. // Handle DomainGuid parameter.
  536. //
  537. } else if ( IsFilterName( CurrentFilter, NL_FILTER_DOMAIN_GUID ) ) {
  539. NetStatus = FilterBinary( CurrentFilter,
  540. sizeof(DomainGuid),
  541. &DomainGuid,
  542. &Length );
  544. //
  545. // Check the length
  546. //
  547. if ( NetStatus != NO_ERROR ||
  548. Length != sizeof(GUID) ) {
  550. NlPrint((NL_CRITICAL,
  551. "I_NetlogonLdapLookup: Bad DomainGuid 0x%lx %ld\n",
  552. NetStatus,
  553. Length ));
  555. Status = STATUS_INVALID_PARAMETER;
  556. goto Cleanup;
  557. }
  559. DomainGuidPtr = &DomainGuid;
  561. //
  562. // Handle NtVersion parameter.
  563. //
  564. } else if ( IsFilterName( CurrentFilter, NL_FILTER_NT_VERSION ) ) {
  566. NetStatus = FilterBinary( CurrentFilter,
  567. sizeof(NtVersionFlags),
  568. &NtVersionFlags,
  569. &Length );
  571. if ( NetStatus != NO_ERROR || Length != sizeof(NtVersionFlags) ) {
  572. NlPrint((NL_CRITICAL,
  573. "I_NetlogonLdapLookup: Bad NtVersionFlags 0x%lx %ld\n",
  574. NetStatus,
  575. Length ));
  577. Status = STATUS_INVALID_PARAMETER;
  578. goto Cleanup;
  579. }
  581. //
  582. // Attributes we don't understand are ignored. That way clients
  583. // that are newer than this version can pass additional information
  584. // to newer DCs and not worry about breaking older DCs.
  585. //
  587. } else {
  588. NlPrint((NL_CRITICAL,
  589. "I_NetlogonLdapLookup: unrecognized parameter %.*s\n",
  590. CurrentFilter->u.equalityMatch.attributeDesc.length,
  591. CurrentFilter->u.equalityMatch.attributeDesc.value ));
  592. }
  594. }
  596. }
  599. //
  600. // Build the ping based on the queried information.
  601. //
  603. NetStatus = NlGetLocalPingResponse(
  604. L"UDP LDAP",
  605. TRUE, // LDAP ping
  606. NULL, // No Netbios domain name
  607. DnsDomainName,
  608. DomainGuidPtr,
  609. DomainSidPtr,
  610. FALSE, // Not PDC only
  611. UnicodeComputerName,
  612. UnicodeUserName,
  613. AllowableAccountControlBits,
  614. NtVersion,
  615. NtVersionFlags,
  616. (PSOCKADDR)ClientSockAddr,
  617. Response,
  618. ResponseSize );
  620. if ( NetStatus != NO_ERROR ) {
  621. Status = STATUS_INVALID_PARAMETER;
  622. goto Cleanup;
  623. }
  625. #if NETLOGONDBG
  626. NlpDumpBuffer( NL_MAILSLOT_TEXT, *Response, *ResponseSize );
  627. #endif // NETLOGONDBG
  629. Status = STATUS_SUCCESS;
  631. Cleanup:
  632. if ( DnsDomainName != NULL ) {
  633. NetApiBufferFree( DnsDomainName );
  634. }
  635. if ( UnicodeComputerName != NULL &&
  636. UnicodeComputerName != UnicodeComputerNameBuffer ) {
  637. NetApiBufferFree( UnicodeComputerName );
  638. }
  639. if ( UnicodeUserName != NULL &&
  640. UnicodeUserName != UnicodeUserNameBuffer ) {
  641. NetApiBufferFree( UnicodeUserName );
  642. }
  644. // Let netlogon service exit.
  645. NlEndNetlogonCall();
  646. return Status;
  649. }
  650. #ifdef __cplusplus
  651. } /* extern "C" */
  652. #endif /* __cplusplus */