2 Unix SMB/CIFS implementation.
3 NT Domain Authentication SMB / MSRPC client
4 Copyright (C) Andrew Tridgell 1992-2000
5 Copyright (C) Jeremy Allison 1998.
6 Largely re-written by Jeremy Allison (C) 2005.
7 Copyright (C) Guenther Deschner 2008.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "../libcli/auth/libcli_auth.h"
25 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
26 #include "rpc_client/cli_netlogon.h"
27 #include "rpc_client/init_netlogon.h"
28 #include "rpc_client/util_netlogon.h"
29 #include "../libcli/security/security.h"
31 /****************************************************************************
32 Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
33 credentials chain. Stores the credentials in the struct dcinfo in the
35 ****************************************************************************/
37 NTSTATUS
rpccli_netlogon_setup_creds(struct rpc_pipe_client
*cli
,
38 const char *server_name
,
40 const char *clnt_name
,
41 const char *machine_account
,
42 const unsigned char machine_pwd
[16],
43 enum netr_SchannelType sec_chan_type
,
44 uint32_t *neg_flags_inout
)
47 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
48 struct netr_Credential clnt_chal_send
;
49 struct netr_Credential srv_chal_recv
;
50 struct samr_Password password
;
53 uint32_t neg_flags
= *neg_flags_inout
;
54 struct dcerpc_binding_handle
*b
= cli
->binding_handle
;
56 if (!ndr_syntax_id_equal(&cli
->abstract_syntax
,
57 &ndr_table_netlogon
.syntax_id
)) {
58 return NT_STATUS_INVALID_PARAMETER
;
63 /* Store the machine account password we're going to use. */
64 memcpy(password
.hash
, machine_pwd
, 16);
66 fstr_sprintf( mach_acct
, "%s$", machine_account
);
69 /* Create the client challenge. */
70 generate_random_buffer(clnt_chal_send
.data
, 8);
72 /* Get the server challenge. */
73 status
= dcerpc_netr_ServerReqChallenge(b
, talloc_tos(),
79 if (!NT_STATUS_IS_OK(status
)) {
82 if (!NT_STATUS_IS_OK(result
)) {
86 /* Calculate the session key and client credentials */
88 cli
->dc
= netlogon_creds_client_init(cli
,
98 return NT_STATUS_NO_MEMORY
;
102 * Send client auth-2 challenge and receive server repy.
105 status
= dcerpc_netr_ServerAuthenticate2(b
, talloc_tos(),
107 cli
->dc
->account_name
,
109 cli
->dc
->computer_name
,
110 &clnt_chal_send
, /* input. */
111 &srv_chal_recv
, /* output. */
114 if (!NT_STATUS_IS_OK(status
)) {
117 /* we might be talking to NT4, so let's downgrade in that case and retry
118 * with the returned neg_flags - gd */
120 if (NT_STATUS_EQUAL(result
, NT_STATUS_ACCESS_DENIED
) && !retried
) {
122 TALLOC_FREE(cli
->dc
);
126 if (!NT_STATUS_IS_OK(result
)) {
131 * Check the returned value using the initial
132 * server received challenge.
135 if (!netlogon_creds_client_check(cli
->dc
, &srv_chal_recv
)) {
137 * Server replied with bad credential. Fail.
139 DEBUG(0,("rpccli_netlogon_setup_creds: server %s "
140 "replied with bad credential\n",
142 return NT_STATUS_ACCESS_DENIED
;
145 DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
146 "chain established.\n",
149 cli
->dc
->negotiate_flags
= neg_flags
;
150 *neg_flags_inout
= neg_flags
;
155 /* Logon domain user */
157 NTSTATUS
rpccli_netlogon_sam_logon(struct rpc_pipe_client
*cli
,
159 uint32 logon_parameters
,
161 const char *username
,
162 const char *password
,
163 const char *workstation
,
164 uint16_t validation_level
,
167 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
169 struct netr_Authenticator clnt_creds
;
170 struct netr_Authenticator ret_creds
;
171 union netr_LogonLevel
*logon
;
172 union netr_Validation validation
;
173 uint8_t authoritative
;
174 fstring clnt_name_slash
;
175 struct dcerpc_binding_handle
*b
= cli
->binding_handle
;
177 ZERO_STRUCT(ret_creds
);
179 logon
= TALLOC_ZERO_P(mem_ctx
, union netr_LogonLevel
);
181 return NT_STATUS_NO_MEMORY
;
185 fstr_sprintf( clnt_name_slash
, "\\\\%s", workstation
);
187 fstr_sprintf( clnt_name_slash
, "\\\\%s", global_myname() );
190 /* Initialise input parameters */
192 netlogon_creds_client_authenticator(cli
->dc
, &clnt_creds
);
194 switch (logon_type
) {
195 case NetlogonInteractiveInformation
: {
197 struct netr_PasswordInfo
*password_info
;
199 struct samr_Password lmpassword
;
200 struct samr_Password ntpassword
;
202 password_info
= TALLOC_ZERO_P(mem_ctx
, struct netr_PasswordInfo
);
203 if (!password_info
) {
204 return NT_STATUS_NO_MEMORY
;
207 nt_lm_owf_gen(password
, ntpassword
.hash
, lmpassword
.hash
);
209 if (cli
->dc
->negotiate_flags
& NETLOGON_NEG_ARCFOUR
) {
210 netlogon_creds_arcfour_crypt(cli
->dc
, lmpassword
.hash
, 16);
211 netlogon_creds_arcfour_crypt(cli
->dc
, ntpassword
.hash
, 16);
213 netlogon_creds_des_encrypt(cli
->dc
, &lmpassword
);
214 netlogon_creds_des_encrypt(cli
->dc
, &ntpassword
);
217 password_info
->identity_info
.domain_name
.string
= domain
;
218 password_info
->identity_info
.parameter_control
= logon_parameters
;
219 password_info
->identity_info
.logon_id_low
= 0xdead;
220 password_info
->identity_info
.logon_id_high
= 0xbeef;
221 password_info
->identity_info
.account_name
.string
= username
;
222 password_info
->identity_info
.workstation
.string
= clnt_name_slash
;
224 password_info
->lmpassword
= lmpassword
;
225 password_info
->ntpassword
= ntpassword
;
227 logon
->password
= password_info
;
231 case NetlogonNetworkInformation
: {
232 struct netr_NetworkInfo
*network_info
;
234 unsigned char local_lm_response
[24];
235 unsigned char local_nt_response
[24];
236 struct netr_ChallengeResponse lm
;
237 struct netr_ChallengeResponse nt
;
242 network_info
= TALLOC_ZERO_P(mem_ctx
, struct netr_NetworkInfo
);
244 return NT_STATUS_NO_MEMORY
;
247 generate_random_buffer(chal
, 8);
249 SMBencrypt(password
, chal
, local_lm_response
);
250 SMBNTencrypt(password
, chal
, local_nt_response
);
253 lm
.data
= local_lm_response
;
256 nt
.data
= local_nt_response
;
258 network_info
->identity_info
.domain_name
.string
= domain
;
259 network_info
->identity_info
.parameter_control
= logon_parameters
;
260 network_info
->identity_info
.logon_id_low
= 0xdead;
261 network_info
->identity_info
.logon_id_high
= 0xbeef;
262 network_info
->identity_info
.account_name
.string
= username
;
263 network_info
->identity_info
.workstation
.string
= clnt_name_slash
;
265 memcpy(network_info
->challenge
, chal
, 8);
266 network_info
->nt
= nt
;
267 network_info
->lm
= lm
;
269 logon
->network
= network_info
;
274 DEBUG(0, ("switch value %d not supported\n",
276 return NT_STATUS_INVALID_INFO_CLASS
;
279 status
= dcerpc_netr_LogonSamLogon(b
, mem_ctx
,
290 if (!NT_STATUS_IS_OK(status
)) {
294 /* Always check returned credentials */
295 if (!netlogon_creds_client_check(cli
->dc
, &ret_creds
.cred
)) {
296 DEBUG(0,("rpccli_netlogon_sam_logon: credentials chain check failed\n"));
297 return NT_STATUS_ACCESS_DENIED
;
303 static NTSTATUS
map_validation_to_info3(TALLOC_CTX
*mem_ctx
,
304 uint16_t validation_level
,
305 union netr_Validation
*validation
,
306 struct netr_SamInfo3
**info3_p
)
308 struct netr_SamInfo3
*info3
;
311 if (validation
== NULL
) {
312 return NT_STATUS_INVALID_PARAMETER
;
315 switch (validation_level
) {
317 if (validation
->sam3
== NULL
) {
318 return NT_STATUS_INVALID_PARAMETER
;
321 info3
= talloc_move(mem_ctx
, &validation
->sam3
);
324 if (validation
->sam6
== NULL
) {
325 return NT_STATUS_INVALID_PARAMETER
;
328 info3
= talloc_zero(mem_ctx
, struct netr_SamInfo3
);
330 return NT_STATUS_NO_MEMORY
;
332 status
= copy_netr_SamBaseInfo(info3
, &validation
->sam6
->base
, &info3
->base
);
333 if (!NT_STATUS_IS_OK(status
)) {
338 info3
->sidcount
= validation
->sam6
->sidcount
;
339 info3
->sids
= talloc_move(info3
, &validation
->sam6
->sids
);
342 return NT_STATUS_BAD_VALIDATION_CLASS
;
351 * Logon domain user with an 'network' SAM logon
353 * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller.
356 NTSTATUS
rpccli_netlogon_sam_network_logon(struct rpc_pipe_client
*cli
,
358 uint32 logon_parameters
,
360 const char *username
,
362 const char *workstation
,
364 uint16_t validation_level
,
365 DATA_BLOB lm_response
,
366 DATA_BLOB nt_response
,
367 struct netr_SamInfo3
**info3
)
369 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
371 const char *workstation_name_slash
;
372 const char *server_name_slash
;
373 struct netr_Authenticator clnt_creds
;
374 struct netr_Authenticator ret_creds
;
375 union netr_LogonLevel
*logon
= NULL
;
376 struct netr_NetworkInfo
*network_info
;
377 uint8_t authoritative
;
378 union netr_Validation validation
;
379 struct netr_ChallengeResponse lm
;
380 struct netr_ChallengeResponse nt
;
381 struct dcerpc_binding_handle
*b
= cli
->binding_handle
;
385 ZERO_STRUCT(ret_creds
);
390 logon
= TALLOC_ZERO_P(mem_ctx
, union netr_LogonLevel
);
392 return NT_STATUS_NO_MEMORY
;
395 network_info
= TALLOC_ZERO_P(mem_ctx
, struct netr_NetworkInfo
);
397 return NT_STATUS_NO_MEMORY
;
400 netlogon_creds_client_authenticator(cli
->dc
, &clnt_creds
);
402 if (server
[0] != '\\' && server
[1] != '\\') {
403 server_name_slash
= talloc_asprintf(mem_ctx
, "\\\\%s", server
);
405 server_name_slash
= server
;
408 if (workstation
[0] != '\\' && workstation
[1] != '\\') {
409 workstation_name_slash
= talloc_asprintf(mem_ctx
, "\\\\%s", workstation
);
411 workstation_name_slash
= workstation
;
414 if (!workstation_name_slash
|| !server_name_slash
) {
415 DEBUG(0, ("talloc_asprintf failed!\n"));
416 return NT_STATUS_NO_MEMORY
;
419 /* Initialise input parameters */
421 lm
.data
= lm_response
.data
;
422 lm
.length
= lm_response
.length
;
423 nt
.data
= nt_response
.data
;
424 nt
.length
= nt_response
.length
;
426 network_info
->identity_info
.domain_name
.string
= domain
;
427 network_info
->identity_info
.parameter_control
= logon_parameters
;
428 network_info
->identity_info
.logon_id_low
= 0xdead;
429 network_info
->identity_info
.logon_id_high
= 0xbeef;
430 network_info
->identity_info
.account_name
.string
= username
;
431 network_info
->identity_info
.workstation
.string
= workstation_name_slash
;
433 memcpy(network_info
->challenge
, chal
, 8);
434 network_info
->nt
= nt
;
435 network_info
->lm
= lm
;
437 logon
->network
= network_info
;
439 /* Marshall data and send request */
441 status
= dcerpc_netr_LogonSamLogon(b
, mem_ctx
,
446 NetlogonNetworkInformation
,
452 if (!NT_STATUS_IS_OK(status
)) {
456 /* Always check returned credentials. */
457 if (!netlogon_creds_client_check(cli
->dc
, &ret_creds
.cred
)) {
458 DEBUG(0,("rpccli_netlogon_sam_network_logon: credentials chain check failed\n"));
459 return NT_STATUS_ACCESS_DENIED
;
462 if (!NT_STATUS_IS_OK(result
)) {
466 netlogon_creds_decrypt_samlogon(cli
->dc
, validation_level
, &validation
);
468 result
= map_validation_to_info3(mem_ctx
, validation_level
, &validation
, info3
);
469 if (!NT_STATUS_IS_OK(result
)) {
476 NTSTATUS
rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client
*cli
,
478 uint32 logon_parameters
,
480 const char *username
,
482 const char *workstation
,
484 uint16_t validation_level
,
485 DATA_BLOB lm_response
,
486 DATA_BLOB nt_response
,
487 struct netr_SamInfo3
**info3
)
489 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
491 const char *workstation_name_slash
;
492 const char *server_name_slash
;
493 union netr_LogonLevel
*logon
= NULL
;
494 struct netr_NetworkInfo
*network_info
;
495 uint8_t authoritative
;
496 union netr_Validation validation
;
497 struct netr_ChallengeResponse lm
;
498 struct netr_ChallengeResponse nt
;
500 struct dcerpc_binding_handle
*b
= cli
->binding_handle
;
507 logon
= TALLOC_ZERO_P(mem_ctx
, union netr_LogonLevel
);
509 return NT_STATUS_NO_MEMORY
;
512 network_info
= TALLOC_ZERO_P(mem_ctx
, struct netr_NetworkInfo
);
514 return NT_STATUS_NO_MEMORY
;
517 if (server
[0] != '\\' && server
[1] != '\\') {
518 server_name_slash
= talloc_asprintf(mem_ctx
, "\\\\%s", server
);
520 server_name_slash
= server
;
523 if (workstation
[0] != '\\' && workstation
[1] != '\\') {
524 workstation_name_slash
= talloc_asprintf(mem_ctx
, "\\\\%s", workstation
);
526 workstation_name_slash
= workstation
;
529 if (!workstation_name_slash
|| !server_name_slash
) {
530 DEBUG(0, ("talloc_asprintf failed!\n"));
531 return NT_STATUS_NO_MEMORY
;
534 /* Initialise input parameters */
536 lm
.data
= lm_response
.data
;
537 lm
.length
= lm_response
.length
;
538 nt
.data
= nt_response
.data
;
539 nt
.length
= nt_response
.length
;
541 network_info
->identity_info
.domain_name
.string
= domain
;
542 network_info
->identity_info
.parameter_control
= logon_parameters
;
543 network_info
->identity_info
.logon_id_low
= 0xdead;
544 network_info
->identity_info
.logon_id_high
= 0xbeef;
545 network_info
->identity_info
.account_name
.string
= username
;
546 network_info
->identity_info
.workstation
.string
= workstation_name_slash
;
548 memcpy(network_info
->challenge
, chal
, 8);
549 network_info
->nt
= nt
;
550 network_info
->lm
= lm
;
552 logon
->network
= network_info
;
554 /* Marshall data and send request */
556 status
= dcerpc_netr_LogonSamLogonEx(b
, mem_ctx
,
559 NetlogonNetworkInformation
,
566 if (!NT_STATUS_IS_OK(status
)) {
570 if (!NT_STATUS_IS_OK(result
)) {
574 netlogon_creds_decrypt_samlogon(cli
->dc
, validation_level
, &validation
);
576 result
= map_validation_to_info3(mem_ctx
, validation_level
, &validation
, info3
);
577 if (!NT_STATUS_IS_OK(result
)) {
584 /*********************************************************
585 Change the domain password on the PDC.
587 Just changes the password betwen the two values specified.
589 Caller must have the cli connected to the netlogon pipe
591 **********************************************************/
593 NTSTATUS
rpccli_netlogon_set_trust_password(struct rpc_pipe_client
*cli
,
595 const char *account_name
,
596 const unsigned char orig_trust_passwd_hash
[16],
597 const char *new_trust_pwd_cleartext
,
598 const unsigned char new_trust_passwd_hash
[16],
599 enum netr_SchannelType sec_channel_type
)
601 NTSTATUS result
, status
;
602 struct netr_Authenticator clnt_creds
, srv_cred
;
603 struct dcerpc_binding_handle
*b
= cli
->binding_handle
;
606 uint32_t neg_flags
= NETLOGON_NEG_AUTH2_ADS_FLAGS
;
607 result
= rpccli_netlogon_setup_creds(cli
,
608 cli
->desthost
, /* server name */
609 lp_workgroup(), /* domain */
610 global_myname(), /* client name */
611 account_name
, /* machine account name */
612 orig_trust_passwd_hash
,
615 if (!NT_STATUS_IS_OK(result
)) {
616 DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup creds (%s)!\n",
622 netlogon_creds_client_authenticator(cli
->dc
, &clnt_creds
);
624 if (cli
->dc
->negotiate_flags
& NETLOGON_NEG_PASSWORD_SET2
) {
626 struct netr_CryptPassword new_password
;
628 init_netr_CryptPassword(new_trust_pwd_cleartext
,
629 cli
->dc
->session_key
,
632 status
= dcerpc_netr_ServerPasswordSet2(b
, mem_ctx
,
634 cli
->dc
->account_name
,
636 cli
->dc
->computer_name
,
641 if (!NT_STATUS_IS_OK(status
)) {
642 DEBUG(0,("dcerpc_netr_ServerPasswordSet2 failed: %s\n",
648 struct samr_Password new_password
;
649 memcpy(new_password
.hash
, new_trust_passwd_hash
, sizeof(new_password
.hash
));
650 netlogon_creds_des_encrypt(cli
->dc
, &new_password
);
652 status
= dcerpc_netr_ServerPasswordSet(b
, mem_ctx
,
654 cli
->dc
->account_name
,
656 cli
->dc
->computer_name
,
661 if (!NT_STATUS_IS_OK(status
)) {
662 DEBUG(0,("dcerpc_netr_ServerPasswordSet failed: %s\n",
668 /* Always check returned credentials. */
669 if (!netlogon_creds_client_check(cli
->dc
, &srv_cred
.cred
)) {
670 DEBUG(0,("credentials chain check failed\n"));
671 return NT_STATUS_ACCESS_DENIED
;
674 if (!NT_STATUS_IS_OK(result
)) {
675 DEBUG(0,("dcerpc_netr_ServerPasswordSet{2} failed: %s\n",