2 Unix SMB/CIFS implementation.
3 NT Domain Authentication SMB / MSRPC client
4 Copyright (C) Andrew Tridgell 1992-2000
5 Copyright (C) Jeremy Allison 1998.
6 Largely re-written by Jeremy Allison (C) 2005.
7 Copyright (C) Guenther Deschner 2008.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "system/filesys.h"
25 #include "libsmb/libsmb.h"
26 #include "rpc_client/rpc_client.h"
27 #include "rpc_client/cli_pipe.h"
28 #include "../libcli/auth/libcli_auth.h"
29 #include "../libcli/auth/netlogon_creds_cli.h"
30 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "../librpc/gen_ndr/schannel.h"
32 #include "rpc_client/cli_netlogon.h"
33 #include "rpc_client/init_netlogon.h"
34 #include "rpc_client/util_netlogon.h"
35 #include "../libcli/security/security.h"
36 #include "lib/param/param.h"
37 #include "libcli/smb/smbXcli_base.h"
38 #include "dbwrap/dbwrap.h"
39 #include "dbwrap/dbwrap_open.h"
43 NTSTATUS
rpccli_pre_open_netlogon_creds(void)
45 static bool already_open
= false;
47 struct loadparm_context
*lp_ctx
;
49 struct db_context
*global_db
;
56 frame
= talloc_stackframe();
58 lp_ctx
= loadparm_init_s3(frame
, loadparm_s3_helpers());
61 return NT_STATUS_NO_MEMORY
;
64 fname
= lpcfg_private_db_path(frame
, lp_ctx
, "netlogon_creds_cli");
67 return NT_STATUS_NO_MEMORY
;
70 global_db
= db_open(frame
, fname
,
71 0, TDB_CLEAR_IF_FIRST
|TDB_INCOMPATIBLE_HASH
,
72 O_RDWR
|O_CREAT
, 0600, DBWRAP_LOCK_ORDER_2
,
73 DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
);
74 if (global_db
== NULL
) {
76 return NT_STATUS_NO_MEMORY
;
79 status
= netlogon_creds_cli_set_global_db(&global_db
);
81 if (!NT_STATUS_IS_OK(status
)) {
89 static NTSTATUS
rpccli_create_netlogon_creds(
90 const char *server_computer
,
91 const char *server_netbios_domain
,
92 const char *server_dns_domain
,
93 const char *client_account
,
94 enum netr_SchannelType sec_chan_type
,
95 struct messaging_context
*msg_ctx
,
97 struct netlogon_creds_cli_context
**netlogon_creds
)
99 TALLOC_CTX
*frame
= talloc_stackframe();
100 struct loadparm_context
*lp_ctx
;
103 status
= rpccli_pre_open_netlogon_creds();
104 if (!NT_STATUS_IS_OK(status
)) {
109 lp_ctx
= loadparm_init_s3(frame
, loadparm_s3_helpers());
110 if (lp_ctx
== NULL
) {
112 return NT_STATUS_NO_MEMORY
;
114 status
= netlogon_creds_cli_context_global(lp_ctx
,
119 server_netbios_domain
,
121 mem_ctx
, netlogon_creds
);
123 if (!NT_STATUS_IS_OK(status
)) {
130 NTSTATUS
rpccli_create_netlogon_creds_ctx(
131 struct cli_credentials
*creds
,
132 const char *server_computer
,
133 struct messaging_context
*msg_ctx
,
135 struct netlogon_creds_cli_context
**creds_ctx
)
137 enum netr_SchannelType sec_chan_type
;
138 const char *server_netbios_domain
;
139 const char *server_dns_domain
;
140 const char *client_account
;
142 sec_chan_type
= cli_credentials_get_secure_channel_type(creds
);
143 client_account
= cli_credentials_get_username(creds
);
144 server_netbios_domain
= cli_credentials_get_domain(creds
);
145 server_dns_domain
= cli_credentials_get_realm(creds
);
147 return rpccli_create_netlogon_creds(server_computer
,
148 server_netbios_domain
,
156 NTSTATUS
rpccli_setup_netlogon_creds_locked(
157 struct cli_state
*cli
,
158 enum dcerpc_transport_t transport
,
159 struct netlogon_creds_cli_context
*creds_ctx
,
161 struct cli_credentials
*cli_creds
,
162 uint32_t *negotiate_flags
)
164 TALLOC_CTX
*frame
= talloc_stackframe();
165 struct rpc_pipe_client
*netlogon_pipe
= NULL
;
166 struct netlogon_creds_CredentialState
*creds
= NULL
;
167 uint8_t num_nt_hashes
= 0;
168 const struct samr_Password
*nt_hashes
[2] = { NULL
, NULL
};
169 uint8_t idx_nt_hashes
= 0;
172 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
173 if (NT_STATUS_IS_OK(status
)) {
174 const char *action
= "using";
177 action
= "overwrite";
180 DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n",
181 __FUNCTION__
, action
,
182 creds
->account_name
, creds
->computer_name
,
183 smbXcli_conn_remote_name(cli
->conn
)));
190 nt_hashes
[0] = cli_credentials_get_nt_hash(cli_creds
, talloc_tos());
191 if (nt_hashes
[0] == NULL
) {
193 return NT_STATUS_NO_MEMORY
;
197 nt_hashes
[1] = cli_credentials_get_old_nt_hash(cli_creds
,
199 if (nt_hashes
[1] != NULL
) {
203 status
= cli_rpc_pipe_open_noauth_transport(cli
,
207 if (!NT_STATUS_IS_OK(status
)) {
208 DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
210 smbXcli_conn_remote_name(cli
->conn
),
215 talloc_steal(frame
, netlogon_pipe
);
217 status
= netlogon_creds_cli_auth(creds_ctx
,
218 netlogon_pipe
->binding_handle
,
222 if (!NT_STATUS_IS_OK(status
)) {
227 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
228 if (!NT_STATUS_IS_OK(status
)) {
230 return NT_STATUS_INTERNAL_ERROR
;
233 DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n",
235 creds
->account_name
, creds
->computer_name
,
236 smbXcli_conn_remote_name(cli
->conn
)));
239 if (negotiate_flags
!= NULL
) {
240 *negotiate_flags
= creds
->negotiate_flags
;
247 NTSTATUS
rpccli_setup_netlogon_creds(
248 struct cli_state
*cli
,
249 enum dcerpc_transport_t transport
,
250 struct netlogon_creds_cli_context
*creds_ctx
,
252 struct cli_credentials
*cli_creds
)
254 TALLOC_CTX
*frame
= talloc_stackframe();
255 struct netlogon_creds_cli_lck
*lck
;
258 status
= netlogon_creds_cli_lck(
259 creds_ctx
, NETLOGON_CREDS_CLI_LCK_EXCLUSIVE
,
261 if (!NT_STATUS_IS_OK(status
)) {
262 DBG_WARNING("netlogon_creds_cli_lck failed: %s\n",
268 status
= rpccli_setup_netlogon_creds_locked(
269 cli
, transport
, creds_ctx
, force_reauth
, cli_creds
, NULL
);
276 NTSTATUS
rpccli_connect_netlogon(
277 struct cli_state
*cli
,
278 enum dcerpc_transport_t transport
,
279 struct netlogon_creds_cli_context
*creds_ctx
,
281 struct cli_credentials
*trust_creds
,
282 struct rpc_pipe_client
**_rpccli
)
284 TALLOC_CTX
*frame
= talloc_stackframe();
285 struct netlogon_creds_CredentialState
*creds
= NULL
;
286 enum netlogon_creds_cli_lck_type lck_type
;
287 enum netr_SchannelType sec_chan_type
;
288 struct netlogon_creds_cli_lck
*lck
;
289 uint32_t negotiate_flags
;
290 uint8_t found_session_key
[16] = {0};
291 bool found_existing_creds
= false;
293 struct rpc_pipe_client
*rpccli
;
299 * See whether we can use existing netlogon_creds or
300 * whether we have to serverauthenticate.
302 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
304 if (NT_STATUS_IS_OK(status
)) {
305 int cmp
= memcmp(found_session_key
,
307 sizeof(found_session_key
));
308 found_existing_creds
= (cmp
!= 0);
310 memcpy(found_session_key
,
312 sizeof(found_session_key
));
317 lck_type
= (force_reauth
|| !found_existing_creds
) ?
318 NETLOGON_CREDS_CLI_LCK_EXCLUSIVE
:
319 NETLOGON_CREDS_CLI_LCK_SHARED
;
321 status
= netlogon_creds_cli_lck(creds_ctx
, lck_type
, frame
, &lck
);
322 if (!NT_STATUS_IS_OK(status
)) {
323 DBG_DEBUG("netlogon_creds_cli_lck failed: %s\n",
328 if (!found_existing_creds
) {
330 * Try to find creds under the lock again. Someone
331 * else might have done it for us.
333 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
335 if (NT_STATUS_IS_OK(status
)) {
336 int cmp
= memcmp(found_session_key
,
338 sizeof(found_session_key
));
339 found_existing_creds
= (cmp
!= 0);
341 memcpy(found_session_key
, creds
->session_key
,
342 sizeof(found_session_key
));
348 do_serverauth
= force_reauth
|| !found_existing_creds
;
350 if (!do_serverauth
) {
352 * Do the quick schannel bind without a reauth
354 status
= cli_rpc_pipe_open_bind_schannel(
355 cli
, &ndr_table_netlogon
, transport
, creds_ctx
,
357 if (!NT_STATUS_IS_OK(status
)) {
358 DBG_DEBUG("cli_rpc_pipe_open_bind_schannel "
359 "failed: %s\n", nt_errstr(status
));
361 if (NT_STATUS_EQUAL(status
, NT_STATUS_NETWORK_ACCESS_DENIED
)) {
362 DBG_DEBUG("Retrying with serverauthenticate\n");
369 if (cli_credentials_is_anonymous(trust_creds
)) {
370 DBG_WARNING("get_trust_credential for %s only gave anonymous,"
371 "unable to make get NETLOGON credentials\n",
372 netlogon_creds_cli_debug_string(
374 status
= NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
378 sec_chan_type
= cli_credentials_get_secure_channel_type(trust_creds
);
379 if (sec_chan_type
== SEC_CHAN_NULL
) {
380 if (transport
== NCACN_IP_TCP
) {
381 DBG_NOTICE("secure_channel_type gave SEC_CHAN_NULL "
382 "for %s, deny NCACN_IP_TCP and let the "
383 "caller fallback to NCACN_NP.\n",
384 netlogon_creds_cli_debug_string(
386 status
= NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
390 DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL "
391 "for %s, fallback to noauth on NCACN_NP.\n",
392 netlogon_creds_cli_debug_string(
397 status
= cli_rpc_pipe_open_noauth_transport(
398 cli
, transport
, &ndr_table_netlogon
, &rpccli
);
399 if (!NT_STATUS_IS_OK(status
)) {
400 DBG_DEBUG("cli_rpc_pipe_open_noauth_transport "
401 "failed: %s\n", nt_errstr(status
));
406 status
= rpccli_setup_netlogon_creds_locked(
407 cli
, transport
, creds_ctx
, true, trust_creds
,
409 if (!NT_STATUS_IS_OK(status
)) {
410 DBG_DEBUG("rpccli_setup_netlogon_creds failed for %s, "
411 "unable to setup NETLOGON credentials: %s\n",
412 netlogon_creds_cli_debug_string(
418 if (!(negotiate_flags
& NETLOGON_NEG_AUTHENTICATED_RPC
)) {
419 if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
420 status
= NT_STATUS_DOWNGRADE_DETECTED
;
421 DBG_WARNING("Unwilling to make connection to %s"
422 "without connection level security, "
423 "must set 'winbind sealed pipes = false'"
424 " and 'require strong key = false' "
426 netlogon_creds_cli_debug_string(
432 status
= cli_rpc_pipe_open_noauth_transport(
433 cli
, transport
, &ndr_table_netlogon
, &rpccli
);
434 if (!NT_STATUS_IS_OK(status
)) {
435 DBG_DEBUG("cli_rpc_pipe_open_noauth_transport "
436 "failed: %s\n", nt_errstr(status
));
441 status
= cli_rpc_pipe_open_bind_schannel(
442 cli
, &ndr_table_netlogon
, transport
, creds_ctx
, &rpccli
);
443 if (!NT_STATUS_IS_OK(status
)) {
444 DBG_DEBUG("cli_rpc_pipe_open_bind_schannel "
445 "failed: %s\n", nt_errstr(status
));
449 status
= netlogon_creds_cli_check(creds_ctx
, rpccli
->binding_handle
,
451 if (!NT_STATUS_IS_OK(status
)) {
452 DBG_WARNING("netlogon_creds_cli_check failed: %s\n",
459 status
= NT_STATUS_OK
;
461 ZERO_STRUCT(found_session_key
);
467 static NTSTATUS
map_validation_to_info3(TALLOC_CTX
*mem_ctx
,
468 uint16_t validation_level
,
469 union netr_Validation
*validation
,
470 struct netr_SamInfo3
**info3_p
)
472 struct netr_SamInfo3
*info3
;
475 if (validation
== NULL
) {
476 return NT_STATUS_INVALID_PARAMETER
;
479 switch (validation_level
) {
481 if (validation
->sam3
== NULL
) {
482 return NT_STATUS_INVALID_PARAMETER
;
485 info3
= talloc_move(mem_ctx
, &validation
->sam3
);
488 if (validation
->sam6
== NULL
) {
489 return NT_STATUS_INVALID_PARAMETER
;
492 info3
= talloc_zero(mem_ctx
, struct netr_SamInfo3
);
494 return NT_STATUS_NO_MEMORY
;
496 status
= copy_netr_SamBaseInfo(info3
, &validation
->sam6
->base
, &info3
->base
);
497 if (!NT_STATUS_IS_OK(status
)) {
502 info3
->sidcount
= validation
->sam6
->sidcount
;
503 info3
->sids
= talloc_move(info3
, &validation
->sam6
->sids
);
506 return NT_STATUS_BAD_VALIDATION_CLASS
;
514 /* Logon domain user */
516 NTSTATUS
rpccli_netlogon_password_logon(
517 struct netlogon_creds_cli_context
*creds_ctx
,
518 struct dcerpc_binding_handle
*binding_handle
,
520 uint32_t logon_parameters
,
522 const char *username
,
523 const char *password
,
524 const char *workstation
,
525 enum netr_LogonInfoClass logon_type
,
526 uint8_t *authoritative
,
528 struct netr_SamInfo3
**info3
)
530 TALLOC_CTX
*frame
= talloc_stackframe();
532 union netr_LogonLevel
*logon
;
533 uint16_t validation_level
= 0;
534 union netr_Validation
*validation
= NULL
;
535 char *workstation_slash
= NULL
;
537 logon
= talloc_zero(frame
, union netr_LogonLevel
);
540 return NT_STATUS_NO_MEMORY
;
543 if (workstation
== NULL
) {
544 workstation
= lp_netbios_name();
547 workstation_slash
= talloc_asprintf(frame
, "\\\\%s", workstation
);
548 if (workstation_slash
== NULL
) {
550 return NT_STATUS_NO_MEMORY
;
553 /* Initialise input parameters */
555 switch (logon_type
) {
556 case NetlogonInteractiveInformation
: {
558 struct netr_PasswordInfo
*password_info
;
560 struct samr_Password lmpassword
;
561 struct samr_Password ntpassword
;
563 password_info
= talloc_zero(frame
, struct netr_PasswordInfo
);
564 if (password_info
== NULL
) {
566 return NT_STATUS_NO_MEMORY
;
569 nt_lm_owf_gen(password
, ntpassword
.hash
, lmpassword
.hash
);
571 password_info
->identity_info
.domain_name
.string
= domain
;
572 password_info
->identity_info
.parameter_control
= logon_parameters
;
573 password_info
->identity_info
.logon_id_low
= 0xdead;
574 password_info
->identity_info
.logon_id_high
= 0xbeef;
575 password_info
->identity_info
.account_name
.string
= username
;
576 password_info
->identity_info
.workstation
.string
= workstation_slash
;
578 password_info
->lmpassword
= lmpassword
;
579 password_info
->ntpassword
= ntpassword
;
581 logon
->password
= password_info
;
585 case NetlogonNetworkInformation
: {
586 struct netr_NetworkInfo
*network_info
;
588 unsigned char local_lm_response
[24];
589 unsigned char local_nt_response
[24];
590 struct netr_ChallengeResponse lm
;
591 struct netr_ChallengeResponse nt
;
596 network_info
= talloc_zero(frame
, struct netr_NetworkInfo
);
597 if (network_info
== NULL
) {
599 return NT_STATUS_NO_MEMORY
;
602 generate_random_buffer(chal
, 8);
604 SMBencrypt(password
, chal
, local_lm_response
);
605 SMBNTencrypt(password
, chal
, local_nt_response
);
608 lm
.data
= local_lm_response
;
611 nt
.data
= local_nt_response
;
613 network_info
->identity_info
.domain_name
.string
= domain
;
614 network_info
->identity_info
.parameter_control
= logon_parameters
;
615 network_info
->identity_info
.logon_id_low
= 0xdead;
616 network_info
->identity_info
.logon_id_high
= 0xbeef;
617 network_info
->identity_info
.account_name
.string
= username
;
618 network_info
->identity_info
.workstation
.string
= workstation_slash
;
620 memcpy(network_info
->challenge
, chal
, 8);
621 network_info
->nt
= nt
;
622 network_info
->lm
= lm
;
624 logon
->network
= network_info
;
629 DEBUG(0, ("switch value %d not supported\n",
632 return NT_STATUS_INVALID_INFO_CLASS
;
635 status
= netlogon_creds_cli_LogonSamLogon(creds_ctx
,
644 if (!NT_STATUS_IS_OK(status
)) {
649 status
= map_validation_to_info3(mem_ctx
,
650 validation_level
, validation
,
653 if (!NT_STATUS_IS_OK(status
)) {
662 * Logon domain user with an 'network' SAM logon
664 * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller.
668 NTSTATUS
rpccli_netlogon_network_logon(
669 struct netlogon_creds_cli_context
*creds_ctx
,
670 struct dcerpc_binding_handle
*binding_handle
,
672 uint32_t logon_parameters
,
673 const char *username
,
675 const char *workstation
,
676 const uint8_t chal
[8],
677 DATA_BLOB lm_response
,
678 DATA_BLOB nt_response
,
679 uint8_t *authoritative
,
681 struct netr_SamInfo3
**info3
)
684 const char *workstation_name_slash
;
685 union netr_LogonLevel
*logon
= NULL
;
686 struct netr_NetworkInfo
*network_info
;
687 uint16_t validation_level
= 0;
688 union netr_Validation
*validation
= NULL
;
689 struct netr_ChallengeResponse lm
;
690 struct netr_ChallengeResponse nt
;
697 logon
= talloc_zero(mem_ctx
, union netr_LogonLevel
);
699 return NT_STATUS_NO_MEMORY
;
702 network_info
= talloc_zero(mem_ctx
, struct netr_NetworkInfo
);
704 return NT_STATUS_NO_MEMORY
;
707 if (workstation
[0] != '\\' && workstation
[1] != '\\') {
708 workstation_name_slash
= talloc_asprintf(mem_ctx
, "\\\\%s", workstation
);
710 workstation_name_slash
= workstation
;
713 if (!workstation_name_slash
) {
714 DEBUG(0, ("talloc_asprintf failed!\n"));
715 return NT_STATUS_NO_MEMORY
;
718 /* Initialise input parameters */
720 lm
.data
= lm_response
.data
;
721 lm
.length
= lm_response
.length
;
722 nt
.data
= nt_response
.data
;
723 nt
.length
= nt_response
.length
;
725 network_info
->identity_info
.domain_name
.string
= domain
;
726 network_info
->identity_info
.parameter_control
= logon_parameters
;
727 network_info
->identity_info
.logon_id_low
= 0xdead;
728 network_info
->identity_info
.logon_id_high
= 0xbeef;
729 network_info
->identity_info
.account_name
.string
= username
;
730 network_info
->identity_info
.workstation
.string
= workstation_name_slash
;
732 memcpy(network_info
->challenge
, chal
, 8);
733 network_info
->nt
= nt
;
734 network_info
->lm
= lm
;
736 logon
->network
= network_info
;
738 /* Marshall data and send request */
740 status
= netlogon_creds_cli_LogonSamLogon(creds_ctx
,
742 NetlogonNetworkInformation
,
749 if (!NT_STATUS_IS_OK(status
)) {
753 status
= map_validation_to_info3(mem_ctx
,
754 validation_level
, validation
,
756 if (!NT_STATUS_IS_OK(status
)) {