2 Unix SMB/CIFS implementation.
4 Copyright (C) Stefan Metzmacher 2004
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "libnet/libnet.h"
23 #include "libcli/auth/libcli_auth.h"
24 #include "librpc/gen_ndr/ndr_samr_c.h"
25 #include "source4/librpc/rpc/dcerpc.h"
27 #include "lib/crypto/gnutls_helpers.h"
28 #include <gnutls/gnutls.h>
29 #include <gnutls/crypto.h>
32 * do a password change using DCERPC/SAMR calls
33 * 1. connect to the SAMR pipe of users domain PDC (maybe a standalone server or workstation)
34 * 2. try samr_ChangePasswordUser3
35 * 3. try samr_ChangePasswordUser2
36 * 4. try samr_OemChangePasswordUser2
37 * (not yet: 5. try samr_ChangePasswordUser)
39 static NTSTATUS
libnet_ChangePassword_samr(struct libnet_context
*ctx
, TALLOC_CTX
*mem_ctx
, union libnet_ChangePassword
*r
)
42 struct libnet_RpcConnect c
;
44 struct policy_handle user_handle
;
45 struct samr_Password hash1
, hash2
, hash3
, hash4
, hash5
, hash6
;
46 struct samr_ChangePasswordUser pw
;
48 struct samr_OemChangePasswordUser2 oe2
;
49 struct samr_ChangePasswordUser2 pw2
;
50 struct samr_ChangePasswordUser3 pw3
;
51 struct lsa_String server
, account
;
52 struct lsa_AsciiString a_server
, a_account
;
53 struct samr_CryptPassword nt_pass
, lm_pass
;
54 struct samr_Password nt_verifier
, lm_verifier
;
55 uint8_t old_nt_hash
[16], new_nt_hash
[16];
56 uint8_t old_lm_hash
[16], new_lm_hash
[16];
57 struct samr_DomInfo1
*dominfo
= NULL
;
58 struct userPwdChangeFailureInformation
*reject
= NULL
;
59 gnutls_cipher_hd_t cipher_hnd
= NULL
;
60 gnutls_datum_t nt_session_key
= {
62 .size
= sizeof(old_nt_hash
),
64 gnutls_datum_t lm_session_key
= {
66 .size
= sizeof(old_lm_hash
),
72 /* prepare connect to the SAMR pipe of the users domain PDC */
73 c
.level
= LIBNET_RPC_CONNECT_PDC
;
74 c
.in
.name
= r
->samr
.in
.domain_name
;
75 c
.in
.dcerpc_iface
= &ndr_table_samr
;
76 c
.in
.dcerpc_flags
= DCERPC_ANON_FALLBACK
;
78 /* 1. connect to the SAMR pipe of users domain PDC (maybe a standalone server or workstation) */
79 status
= libnet_RpcConnect(ctx
, mem_ctx
, &c
);
80 if (!NT_STATUS_IS_OK(status
)) {
81 r
->samr
.out
.error_string
= talloc_asprintf(mem_ctx
,
82 "Connection to SAMR pipe of PDC of domain '%s' failed: %s",
83 r
->samr
.in
.domain_name
, nt_errstr(status
));
87 /* prepare password change for account */
88 server
.string
= talloc_asprintf(mem_ctx
, "\\\\%s", dcerpc_server_name(c
.out
.dcerpc_pipe
));
89 account
.string
= r
->samr
.in
.account_name
;
91 E_md4hash(r
->samr
.in
.oldpassword
, old_nt_hash
);
92 E_md4hash(r
->samr
.in
.newpassword
, new_nt_hash
);
94 E_deshash(r
->samr
.in
.oldpassword
, old_lm_hash
);
95 E_deshash(r
->samr
.in
.newpassword
, new_lm_hash
);
97 /* prepare samr_ChangePasswordUser3 */
98 encode_pw_buffer(lm_pass
.data
, r
->samr
.in
.newpassword
, STR_UNICODE
);
100 rc
= gnutls_cipher_init(&cipher_hnd
,
101 GNUTLS_CIPHER_ARCFOUR_128
,
105 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_CRYPTO_SYSTEM_INVALID
);
109 rc
= gnutls_cipher_encrypt(cipher_hnd
,
112 gnutls_cipher_deinit(cipher_hnd
);
114 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_CRYPTO_SYSTEM_INVALID
);
118 rc
= E_old_pw_hash(new_lm_hash
, old_lm_hash
, lm_verifier
.hash
);
120 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER
);
124 encode_pw_buffer(nt_pass
.data
, r
->samr
.in
.newpassword
, STR_UNICODE
);
126 rc
= gnutls_cipher_init(&cipher_hnd
,
127 GNUTLS_CIPHER_ARCFOUR_128
,
131 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_CRYPTO_SYSTEM_INVALID
);
135 rc
= gnutls_cipher_encrypt(cipher_hnd
,
138 gnutls_cipher_deinit(cipher_hnd
);
140 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_CRYPTO_SYSTEM_INVALID
);
144 rc
= E_old_pw_hash(new_nt_hash
, old_nt_hash
, nt_verifier
.hash
);
146 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER
);
150 pw3
.in
.server
= &server
;
151 pw3
.in
.account
= &account
;
152 pw3
.in
.nt_password
= &nt_pass
;
153 pw3
.in
.nt_verifier
= &nt_verifier
;
154 pw3
.in
.lm_change
= 1;
155 pw3
.in
.lm_password
= &lm_pass
;
156 pw3
.in
.lm_verifier
= &lm_verifier
;
157 pw3
.in
.password3
= NULL
;
158 pw3
.out
.dominfo
= &dominfo
;
159 pw3
.out
.reject
= &reject
;
161 /* 2. try samr_ChangePasswordUser3 */
162 status
= dcerpc_samr_ChangePasswordUser3_r(c
.out
.dcerpc_pipe
->binding_handle
, mem_ctx
, &pw3
);
163 if (!NT_STATUS_EQUAL(status
, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
)) {
164 if (NT_STATUS_IS_OK(status
) && !NT_STATUS_IS_OK(pw3
.out
.result
)) {
165 status
= pw3
.out
.result
;
167 if (!NT_STATUS_IS_OK(status
)) {
168 r
->samr
.out
.error_string
= talloc_asprintf(mem_ctx
,
169 "samr_ChangePasswordUser3 failed: %s",
171 r
->samr
.out
.error_string
= talloc_asprintf(mem_ctx
,
172 "samr_ChangePasswordUser3 for '%s\\%s' failed: %s",
173 r
->samr
.in
.domain_name
, r
->samr
.in
.account_name
,
179 /* prepare samr_ChangePasswordUser2 */
180 encode_pw_buffer(lm_pass
.data
, r
->samr
.in
.newpassword
, STR_ASCII
|STR_TERMINATE
);
182 rc
= gnutls_cipher_init(&cipher_hnd
,
183 GNUTLS_CIPHER_ARCFOUR_128
,
187 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_CRYPTO_SYSTEM_INVALID
);
191 rc
= gnutls_cipher_encrypt(cipher_hnd
,
194 gnutls_cipher_deinit(cipher_hnd
);
196 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_CRYPTO_SYSTEM_INVALID
);
200 rc
= E_old_pw_hash(new_lm_hash
, old_lm_hash
, lm_verifier
.hash
);
202 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER
);
206 encode_pw_buffer(nt_pass
.data
, r
->samr
.in
.newpassword
, STR_UNICODE
);
208 rc
= gnutls_cipher_init(&cipher_hnd
,
209 GNUTLS_CIPHER_ARCFOUR_128
,
213 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_CRYPTO_SYSTEM_INVALID
);
216 rc
= gnutls_cipher_encrypt(cipher_hnd
,
219 gnutls_cipher_deinit(cipher_hnd
);
221 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_CRYPTO_SYSTEM_INVALID
);
225 rc
= E_old_pw_hash(new_nt_hash
, old_nt_hash
, nt_verifier
.hash
);
227 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER
);
231 pw2
.in
.server
= &server
;
232 pw2
.in
.account
= &account
;
233 pw2
.in
.nt_password
= &nt_pass
;
234 pw2
.in
.nt_verifier
= &nt_verifier
;
235 pw2
.in
.lm_change
= 1;
236 pw2
.in
.lm_password
= &lm_pass
;
237 pw2
.in
.lm_verifier
= &lm_verifier
;
239 /* 3. try samr_ChangePasswordUser2 */
240 status
= dcerpc_samr_ChangePasswordUser2_r(c
.out
.dcerpc_pipe
->binding_handle
, mem_ctx
, &pw2
);
241 if (!NT_STATUS_EQUAL(status
, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
)) {
242 if (NT_STATUS_IS_OK(status
) && !NT_STATUS_IS_OK(pw2
.out
.result
)) {
243 status
= pw2
.out
.result
;
245 if (!NT_STATUS_IS_OK(status
)) {
246 r
->samr
.out
.error_string
= talloc_asprintf(mem_ctx
,
247 "samr_ChangePasswordUser2 for '%s\\%s' failed: %s",
248 r
->samr
.in
.domain_name
, r
->samr
.in
.account_name
,
255 /* prepare samr_OemChangePasswordUser2 */
256 a_server
.string
= talloc_asprintf(mem_ctx
, "\\\\%s", dcerpc_server_name(c
.out
.dcerpc_pipe
));
257 a_account
.string
= r
->samr
.in
.account_name
;
259 encode_pw_buffer(lm_pass
.data
, r
->samr
.in
.newpassword
, STR_ASCII
);
261 rc
= gnutls_cipher_init(&cipher_hnd
,
262 GNUTLS_CIPHER_ARCFOUR_128
,
266 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_CRYPTO_SYSTEM_INVALID
);
270 rc
= gnutls_cipher_encrypt(cipher_hnd
,
273 gnutls_cipher_deinit(cipher_hnd
);
275 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_CRYPTO_SYSTEM_INVALID
);
279 rc
= E_old_pw_hash(new_lm_hash
, old_lm_hash
, lm_verifier
.hash
);
281 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER
);
285 oe2
.in
.server
= &a_server
;
286 oe2
.in
.account
= &a_account
;
287 oe2
.in
.password
= &lm_pass
;
288 oe2
.in
.hash
= &lm_verifier
;
290 /* 4. try samr_OemChangePasswordUser2 */
291 status
= dcerpc_samr_OemChangePasswordUser2_r(c
.out
.dcerpc_pipe
->binding_handle
, mem_ctx
, &oe2
);
292 if (!NT_STATUS_EQUAL(status
, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
)) {
293 if (NT_STATUS_IS_OK(status
) && !NT_STATUS_IS_OK(oe2
.out
.result
)) {
294 status
= oe2
.out
.result
;
296 if (!NT_STATUS_IS_OK(oe2
.out
.result
)) {
297 r
->samr
.out
.error_string
= talloc_asprintf(mem_ctx
,
298 "samr_OemChangePasswordUser2 for '%s\\%s' failed: %s",
299 r
->samr
.in
.domain_name
, r
->samr
.in
.account_name
,
306 /* prepare samr_ChangePasswordUser */
307 E_old_pw_hash(new_lm_hash
, old_lm_hash
, hash1
.hash
);
308 E_old_pw_hash(old_lm_hash
, new_lm_hash
, hash2
.hash
);
309 E_old_pw_hash(new_nt_hash
, old_nt_hash
, hash3
.hash
);
310 E_old_pw_hash(old_nt_hash
, new_nt_hash
, hash4
.hash
);
311 E_old_pw_hash(old_lm_hash
, new_nt_hash
, hash5
.hash
);
312 E_old_pw_hash(old_nt_hash
, new_lm_hash
, hash6
.hash
);
314 /* TODO: ask for a user_handle */
315 pw
.in
.handle
= &user_handle
;
316 pw
.in
.lm_present
= 1;
317 pw
.in
.old_lm_crypted
= &hash1
;
318 pw
.in
.new_lm_crypted
= &hash2
;
319 pw
.in
.nt_present
= 1;
320 pw
.in
.old_nt_crypted
= &hash3
;
321 pw
.in
.new_nt_crypted
= &hash4
;
322 pw
.in
.cross1_present
= 1;
323 pw
.in
.nt_cross
= &hash5
;
324 pw
.in
.cross2_present
= 1;
325 pw
.in
.lm_cross
= &hash6
;
327 /* 5. try samr_ChangePasswordUser */
328 status
= dcerpc_samr_ChangePasswordUser_r(c
.pdc
.out
.dcerpc_pipe
->binding_handle
, mem_ctx
, &pw
);
329 if (!NT_STATUS_IS_OK(status
)) {
330 r
->samr
.out
.error_string
= talloc_asprintf(mem_ctx
,
331 "samr_ChangePasswordUser failed: %s",
336 /* check result of samr_ChangePasswordUser */
337 if (!NT_STATUS_IS_OK(pw
.out
.result
)) {
338 r
->samr
.out
.error_string
= talloc_asprintf(mem_ctx
,
339 "samr_ChangePasswordUser for '%s\\%s' failed: %s",
340 r
->samr
.in
.domain_name
, r
->samr
.in
.account_name
,
341 nt_errstr(pw
.out
.result
));
342 if (NT_STATUS_EQUAL(pw
.out
.result
, NT_STATUS_PASSWORD_RESTRICTION
)) {
343 status
= pw
.out
.result
;
350 /* close connection */
351 talloc_unlink(ctx
, c
.out
.dcerpc_pipe
);
356 static NTSTATUS
libnet_ChangePassword_generic(struct libnet_context
*ctx
, TALLOC_CTX
*mem_ctx
, union libnet_ChangePassword
*r
)
359 union libnet_ChangePassword r2
;
361 r2
.samr
.level
= LIBNET_CHANGE_PASSWORD_SAMR
;
362 r2
.samr
.in
.account_name
= r
->generic
.in
.account_name
;
363 r2
.samr
.in
.domain_name
= r
->generic
.in
.domain_name
;
364 r2
.samr
.in
.oldpassword
= r
->generic
.in
.oldpassword
;
365 r2
.samr
.in
.newpassword
= r
->generic
.in
.newpassword
;
367 status
= libnet_ChangePassword(ctx
, mem_ctx
, &r2
);
369 r
->generic
.out
.error_string
= r2
.samr
.out
.error_string
;
374 NTSTATUS
libnet_ChangePassword(struct libnet_context
*ctx
, TALLOC_CTX
*mem_ctx
, union libnet_ChangePassword
*r
)
376 switch (r
->generic
.level
) {
377 case LIBNET_CHANGE_PASSWORD_GENERIC
:
378 return libnet_ChangePassword_generic(ctx
, mem_ctx
, r
);
379 case LIBNET_CHANGE_PASSWORD_SAMR
:
380 return libnet_ChangePassword_samr(ctx
, mem_ctx
, r
);
381 case LIBNET_CHANGE_PASSWORD_KRB5
:
382 return NT_STATUS_NOT_IMPLEMENTED
;
383 case LIBNET_CHANGE_PASSWORD_LDAP
:
384 return NT_STATUS_NOT_IMPLEMENTED
;
385 case LIBNET_CHANGE_PASSWORD_RAP
:
386 return NT_STATUS_NOT_IMPLEMENTED
;
389 return NT_STATUS_INVALID_LEVEL
;
392 static NTSTATUS
libnet_SetPassword_samr_handle_26(struct libnet_context
*ctx
, TALLOC_CTX
*mem_ctx
, union libnet_SetPassword
*r
)
395 struct samr_SetUserInfo2 sui
;
396 union samr_UserInfo u_info
;
397 DATA_BLOB session_key
;
399 if (r
->samr_handle
.in
.info21
) {
400 return NT_STATUS_INVALID_PARAMETER_MIX
;
403 /* prepare samr_SetUserInfo2 level 26 */
405 u_info
.info26
.password_expired
= 0;
407 status
= dcerpc_fetch_session_key(r
->samr_handle
.in
.dcerpc_pipe
, &session_key
);
408 if (!NT_STATUS_IS_OK(status
)) {
409 r
->samr_handle
.out
.error_string
= talloc_asprintf(mem_ctx
,
410 "dcerpc_fetch_session_key failed: %s",
415 status
= encode_rc4_passwd_buffer(r
->samr_handle
.in
.newpassword
,
417 &u_info
.info26
.password
);
418 if (!NT_STATUS_IS_OK(status
)) {
419 r
->samr_handle
.out
.error_string
=
420 talloc_asprintf(mem_ctx
,
421 "encode_rc4_passwd_buffer failed: %s",
426 sui
.in
.user_handle
= r
->samr_handle
.in
.user_handle
;
427 sui
.in
.info
= &u_info
;
430 /* 7. try samr_SetUserInfo2 level 26 to set the password */
431 status
= dcerpc_samr_SetUserInfo2_r(r
->samr_handle
.in
.dcerpc_pipe
->binding_handle
, mem_ctx
, &sui
);
432 /* check result of samr_SetUserInfo2 level 26 */
433 if (NT_STATUS_IS_OK(status
) && !NT_STATUS_IS_OK(sui
.out
.result
)) {
434 status
= sui
.out
.result
;
436 if (!NT_STATUS_IS_OK(status
)) {
437 r
->samr_handle
.out
.error_string
438 = talloc_asprintf(mem_ctx
,
439 "SetUserInfo2 level 26 for [%s] failed: %s",
440 r
->samr_handle
.in
.account_name
, nt_errstr(status
));
446 static NTSTATUS
libnet_SetPassword_samr_handle_25(struct libnet_context
*ctx
, TALLOC_CTX
*mem_ctx
, union libnet_SetPassword
*r
)
449 struct samr_SetUserInfo2 sui
;
450 union samr_UserInfo u_info
;
451 DATA_BLOB session_key
;
453 if (!r
->samr_handle
.in
.info21
) {
454 return NT_STATUS_INVALID_PARAMETER_MIX
;
457 /* prepare samr_SetUserInfo2 level 25 */
459 u_info
.info25
.info
= *r
->samr_handle
.in
.info21
;
460 u_info
.info25
.info
.fields_present
|= SAMR_FIELD_NT_PASSWORD_PRESENT
;
462 status
= dcerpc_fetch_session_key(r
->samr_handle
.in
.dcerpc_pipe
, &session_key
);
463 if (!NT_STATUS_IS_OK(status
)) {
464 r
->samr_handle
.out
.error_string
= talloc_asprintf(mem_ctx
,
465 "dcerpc_fetch_session_key failed: %s",
470 status
= encode_rc4_passwd_buffer(r
->samr_handle
.in
.newpassword
,
472 &u_info
.info25
.password
);
473 if (!NT_STATUS_IS_OK(status
)) {
474 r
->samr_handle
.out
.error_string
=
475 talloc_asprintf(mem_ctx
,
476 "encode_rc4_passwd_buffer failed: %s",
482 sui
.in
.user_handle
= r
->samr_handle
.in
.user_handle
;
483 sui
.in
.info
= &u_info
;
486 /* 8. try samr_SetUserInfo2 level 25 to set the password */
487 status
= dcerpc_samr_SetUserInfo2_r(r
->samr_handle
.in
.dcerpc_pipe
->binding_handle
, mem_ctx
, &sui
);
488 if (NT_STATUS_IS_OK(status
) && !NT_STATUS_IS_OK(sui
.out
.result
)) {
489 status
= sui
.out
.result
;
491 if (!NT_STATUS_IS_OK(status
)) {
492 r
->samr_handle
.out
.error_string
493 = talloc_asprintf(mem_ctx
,
494 "SetUserInfo2 level 25 for [%s] failed: %s",
495 r
->samr_handle
.in
.account_name
, nt_errstr(status
));
501 static NTSTATUS
libnet_SetPassword_samr_handle_24(struct libnet_context
*ctx
, TALLOC_CTX
*mem_ctx
, union libnet_SetPassword
*r
)
504 struct samr_SetUserInfo2 sui
;
505 union samr_UserInfo u_info
;
506 DATA_BLOB session_key
;
507 gnutls_cipher_hd_t cipher_hnd
= NULL
;
508 gnutls_datum_t enc_session_key
;
511 if (r
->samr_handle
.in
.info21
) {
512 return NT_STATUS_INVALID_PARAMETER_MIX
;
515 /* prepare samr_SetUserInfo2 level 24 */
517 encode_pw_buffer(u_info
.info24
.password
.data
, r
->samr_handle
.in
.newpassword
, STR_UNICODE
);
518 u_info
.info24
.password_expired
= 0;
520 status
= dcerpc_fetch_session_key(r
->samr_handle
.in
.dcerpc_pipe
, &session_key
);
521 if (!NT_STATUS_IS_OK(status
)) {
522 r
->samr_handle
.out
.error_string
= talloc_asprintf(mem_ctx
,
523 "dcerpc_fetch_session_key failed: %s",
528 enc_session_key
= (gnutls_datum_t
) {
529 .data
= session_key
.data
,
530 .size
= session_key
.length
,
533 rc
= gnutls_cipher_init(&cipher_hnd
,
534 GNUTLS_CIPHER_ARCFOUR_128
,
538 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_CRYPTO_SYSTEM_INVALID
);
542 rc
= gnutls_cipher_encrypt(cipher_hnd
,
543 u_info
.info24
.password
.data
,
545 gnutls_cipher_deinit(cipher_hnd
);
547 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_CRYPTO_SYSTEM_INVALID
);
551 sui
.in
.user_handle
= r
->samr_handle
.in
.user_handle
;
552 sui
.in
.info
= &u_info
;
555 /* 9. try samr_SetUserInfo2 level 24 to set the password */
556 status
= dcerpc_samr_SetUserInfo2_r(r
->samr_handle
.in
.dcerpc_pipe
->binding_handle
, mem_ctx
, &sui
);
557 if (NT_STATUS_IS_OK(status
) && !NT_STATUS_IS_OK(sui
.out
.result
)) {
558 status
= sui
.out
.result
;
560 if (!NT_STATUS_IS_OK(status
)) {
561 r
->samr_handle
.out
.error_string
562 = talloc_asprintf(mem_ctx
,
563 "SetUserInfo2 level 24 for [%s] failed: %s",
564 r
->samr_handle
.in
.account_name
, nt_errstr(status
));
568 data_blob_clear(&session_key
);
572 static NTSTATUS
libnet_SetPassword_samr_handle_23(struct libnet_context
*ctx
, TALLOC_CTX
*mem_ctx
, union libnet_SetPassword
*r
)
575 struct samr_SetUserInfo2 sui
;
576 union samr_UserInfo u_info
;
577 DATA_BLOB session_key
;
578 gnutls_cipher_hd_t cipher_hnd
= NULL
;
579 gnutls_datum_t _session_key
;
582 if (!r
->samr_handle
.in
.info21
) {
583 return NT_STATUS_INVALID_PARAMETER_MIX
;
586 /* prepare samr_SetUserInfo2 level 23 */
588 u_info
.info23
.info
= *r
->samr_handle
.in
.info21
;
589 u_info
.info23
.info
.fields_present
|= SAMR_FIELD_NT_PASSWORD_PRESENT
;
590 encode_pw_buffer(u_info
.info23
.password
.data
, r
->samr_handle
.in
.newpassword
, STR_UNICODE
);
592 status
= dcerpc_fetch_session_key(r
->samr_handle
.in
.dcerpc_pipe
, &session_key
);
593 if (!NT_STATUS_IS_OK(status
)) {
594 r
->samr_handle
.out
.error_string
595 = talloc_asprintf(mem_ctx
,
596 "dcerpc_fetch_session_key failed: %s",
601 _session_key
= (gnutls_datum_t
) {
602 .data
= session_key
.data
,
603 .size
= session_key
.length
,
606 rc
= gnutls_cipher_init(&cipher_hnd
,
607 GNUTLS_CIPHER_ARCFOUR_128
,
611 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_CRYPTO_SYSTEM_INVALID
);
615 rc
= gnutls_cipher_encrypt(cipher_hnd
,
616 u_info
.info23
.password
.data
,
618 data_blob_clear_free(&session_key
);
619 gnutls_cipher_deinit(cipher_hnd
);
621 status
= gnutls_error_to_ntstatus(rc
, NT_STATUS_CRYPTO_SYSTEM_INVALID
);
625 sui
.in
.user_handle
= r
->samr_handle
.in
.user_handle
;
626 sui
.in
.info
= &u_info
;
629 /* 10. try samr_SetUserInfo2 level 23 to set the password */
630 status
= dcerpc_samr_SetUserInfo2_r(r
->samr_handle
.in
.dcerpc_pipe
->binding_handle
, mem_ctx
, &sui
);
631 if (NT_STATUS_IS_OK(status
) && !NT_STATUS_IS_OK(sui
.out
.result
)) {
632 status
= sui
.out
.result
;
634 if (!NT_STATUS_IS_OK(status
)) {
635 r
->samr_handle
.out
.error_string
636 = talloc_asprintf(mem_ctx
,
637 "SetUserInfo2 level 23 for [%s] failed: %s",
638 r
->samr_handle
.in
.account_name
, nt_errstr(status
));
646 * 1. try samr_SetUserInfo2 level 26 to set the password
647 * 2. try samr_SetUserInfo2 level 25 to set the password
648 * 3. try samr_SetUserInfo2 level 24 to set the password
649 * 4. try samr_SetUserInfo2 level 23 to set the password
651 static NTSTATUS
libnet_SetPassword_samr_handle(struct libnet_context
*ctx
, TALLOC_CTX
*mem_ctx
, union libnet_SetPassword
*r
)
655 enum libnet_SetPassword_level levels
[] = {
656 LIBNET_SET_PASSWORD_SAMR_HANDLE_26
,
657 LIBNET_SET_PASSWORD_SAMR_HANDLE_25
,
658 LIBNET_SET_PASSWORD_SAMR_HANDLE_24
,
659 LIBNET_SET_PASSWORD_SAMR_HANDLE_23
,
663 for (i
=0; i
< ARRAY_SIZE(levels
); i
++) {
664 r
->generic
.level
= levels
[i
];
665 status
= libnet_SetPassword(ctx
, mem_ctx
, r
);
666 if (NT_STATUS_EQUAL(status
, NT_STATUS_INVALID_INFO_CLASS
)
667 || NT_STATUS_EQUAL(status
, NT_STATUS_INVALID_PARAMETER_MIX
)
668 || NT_STATUS_EQUAL(status
, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
)) {
669 /* Try another password set mechanism */
678 * set a password with DCERPC/SAMR calls
679 * 1. connect to the SAMR pipe of users domain PDC (maybe a standalone server or workstation)
680 * is it correct to contact the the pdc of the domain of the user who's password should be set?
681 * 2. do a samr_Connect to get a policy handle
682 * 3. do a samr_LookupDomain to get the domain sid
683 * 4. do a samr_OpenDomain to get a domain handle
684 * 5. do a samr_LookupNames to get the users rid
685 * 6. do a samr_OpenUser to get a user handle
686 * 7 call libnet_SetPassword_samr_handle to set the password
688 static NTSTATUS
libnet_SetPassword_samr(struct libnet_context
*ctx
, TALLOC_CTX
*mem_ctx
, union libnet_SetPassword
*r
)
691 struct libnet_RpcConnect c
;
692 struct samr_Connect sc
;
693 struct policy_handle p_handle
;
694 struct samr_LookupDomain ld
;
695 struct dom_sid2
*sid
= NULL
;
696 struct lsa_String d_name
;
697 struct samr_OpenDomain od
;
698 struct policy_handle d_handle
;
699 struct samr_LookupNames ln
;
700 struct samr_Ids rids
, types
;
701 struct samr_OpenUser ou
;
702 struct policy_handle u_handle
;
703 union libnet_SetPassword r2
;
706 /* prepare connect to the SAMR pipe of users domain PDC */
707 c
.level
= LIBNET_RPC_CONNECT_PDC
;
708 c
.in
.name
= r
->samr
.in
.domain_name
;
709 c
.in
.dcerpc_iface
= &ndr_table_samr
;
711 /* 1. connect to the SAMR pipe of users domain PDC (maybe a standalone server or workstation) */
712 status
= libnet_RpcConnect(ctx
, mem_ctx
, &c
);
713 if (!NT_STATUS_IS_OK(status
)) {
714 r
->samr
.out
.error_string
= talloc_asprintf(mem_ctx
,
715 "Connection to SAMR pipe of PDC of domain '%s' failed: %s",
716 r
->samr
.in
.domain_name
, nt_errstr(status
));
720 /* prepare samr_Connect */
721 ZERO_STRUCT(p_handle
);
722 sc
.in
.system_name
= NULL
;
723 sc
.in
.access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
724 sc
.out
.connect_handle
= &p_handle
;
726 /* 2. do a samr_Connect to get a policy handle */
727 status
= dcerpc_samr_Connect_r(c
.out
.dcerpc_pipe
->binding_handle
, mem_ctx
, &sc
);
728 if (NT_STATUS_IS_OK(status
) && !NT_STATUS_IS_OK(sc
.out
.result
)) {
729 status
= sc
.out
.result
;
731 if (!NT_STATUS_IS_OK(status
)) {
732 r
->samr
.out
.error_string
= talloc_asprintf(mem_ctx
,
733 "samr_Connect failed: %s",
738 /* prepare samr_LookupDomain */
739 d_name
.string
= r
->samr
.in
.domain_name
;
740 ld
.in
.connect_handle
= &p_handle
;
741 ld
.in
.domain_name
= &d_name
;
744 /* 3. do a samr_LookupDomain to get the domain sid */
745 status
= dcerpc_samr_LookupDomain_r(c
.out
.dcerpc_pipe
->binding_handle
, mem_ctx
, &ld
);
746 if (NT_STATUS_IS_OK(status
) && !NT_STATUS_IS_OK(ld
.out
.result
)) {
747 status
= ld
.out
.result
;
749 if (!NT_STATUS_IS_OK(status
)) {
750 r
->samr
.out
.error_string
= talloc_asprintf(mem_ctx
,
751 "samr_LookupDomain for [%s] failed: %s",
752 r
->samr
.in
.domain_name
, nt_errstr(status
));
756 /* prepare samr_OpenDomain */
757 ZERO_STRUCT(d_handle
);
758 od
.in
.connect_handle
= &p_handle
;
759 od
.in
.access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
760 od
.in
.sid
= *ld
.out
.sid
;
761 od
.out
.domain_handle
= &d_handle
;
763 /* 4. do a samr_OpenDomain to get a domain handle */
764 status
= dcerpc_samr_OpenDomain_r(c
.out
.dcerpc_pipe
->binding_handle
, mem_ctx
, &od
);
765 if (NT_STATUS_IS_OK(status
) && !NT_STATUS_IS_OK(od
.out
.result
)) {
766 status
= od
.out
.result
;
768 if (!NT_STATUS_IS_OK(status
)) {
769 r
->samr
.out
.error_string
= talloc_asprintf(mem_ctx
,
770 "samr_OpenDomain for [%s] failed: %s",
771 r
->samr
.in
.domain_name
, nt_errstr(status
));
775 /* prepare samr_LookupNames */
776 ln
.in
.domain_handle
= &d_handle
;
778 ln
.in
.names
= talloc_array(mem_ctx
, struct lsa_String
, 1);
780 ln
.out
.types
= &types
;
782 r
->samr
.out
.error_string
= "Out of Memory";
783 return NT_STATUS_NO_MEMORY
;
785 ln
.in
.names
[0].string
= r
->samr
.in
.account_name
;
787 /* 5. do a samr_LookupNames to get the users rid */
788 status
= dcerpc_samr_LookupNames_r(c
.out
.dcerpc_pipe
->binding_handle
, mem_ctx
, &ln
);
789 if (NT_STATUS_IS_OK(status
) && !NT_STATUS_IS_OK(ln
.out
.result
)) {
790 status
= ln
.out
.result
;
792 if (!NT_STATUS_IS_OK(status
)) {
793 r
->samr
.out
.error_string
= talloc_asprintf(mem_ctx
,
794 "samr_LookupNames for [%s] failed: %s",
795 r
->samr
.in
.account_name
, nt_errstr(status
));
799 /* check if we got one RID for the user */
800 if (ln
.out
.rids
->count
!= 1) {
801 r
->samr
.out
.error_string
= talloc_asprintf(mem_ctx
,
802 "samr_LookupNames for [%s] returns %d RIDs",
803 r
->samr
.in
.account_name
, ln
.out
.rids
->count
);
804 status
= NT_STATUS_INVALID_NETWORK_RESPONSE
;
808 if (ln
.out
.types
->count
!= 1) {
809 r
->samr
.out
.error_string
= talloc_asprintf(mem_ctx
,
810 "samr_LookupNames for [%s] returns %d RID TYPEs",
811 r
->samr
.in
.account_name
, ln
.out
.types
->count
);
812 status
= NT_STATUS_INVALID_NETWORK_RESPONSE
;
816 /* prepare samr_OpenUser */
817 ZERO_STRUCT(u_handle
);
818 ou
.in
.domain_handle
= &d_handle
;
819 ou
.in
.access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
820 ou
.in
.rid
= ln
.out
.rids
->ids
[0];
821 ou
.out
.user_handle
= &u_handle
;
823 /* 6. do a samr_OpenUser to get a user handle */
824 status
= dcerpc_samr_OpenUser_r(c
.out
.dcerpc_pipe
->binding_handle
, mem_ctx
, &ou
);
825 if (NT_STATUS_IS_OK(status
) && !NT_STATUS_IS_OK(ou
.out
.result
)) {
826 status
= ou
.out
.result
;
828 if (!NT_STATUS_IS_OK(status
)) {
829 r
->samr
.out
.error_string
= talloc_asprintf(mem_ctx
,
830 "samr_OpenUser for [%s] failed: %s",
831 r
->samr
.in
.account_name
, nt_errstr(status
));
835 r2
.samr_handle
.level
= LIBNET_SET_PASSWORD_SAMR_HANDLE
;
836 r2
.samr_handle
.in
.account_name
= r
->samr
.in
.account_name
;
837 r2
.samr_handle
.in
.newpassword
= r
->samr
.in
.newpassword
;
838 r2
.samr_handle
.in
.user_handle
= &u_handle
;
839 r2
.samr_handle
.in
.dcerpc_pipe
= c
.out
.dcerpc_pipe
;
840 r2
.samr_handle
.in
.info21
= NULL
;
842 status
= libnet_SetPassword(ctx
, mem_ctx
, &r2
);
844 r
->generic
.out
.error_string
= r2
.samr_handle
.out
.error_string
;
847 /* close connection */
848 talloc_unlink(ctx
, c
.out
.dcerpc_pipe
);
853 static NTSTATUS
libnet_SetPassword_generic(struct libnet_context
*ctx
, TALLOC_CTX
*mem_ctx
, union libnet_SetPassword
*r
)
856 union libnet_SetPassword r2
;
858 r2
.samr
.level
= LIBNET_SET_PASSWORD_SAMR
;
859 r2
.samr
.in
.account_name
= r
->generic
.in
.account_name
;
860 r2
.samr
.in
.domain_name
= r
->generic
.in
.domain_name
;
861 r2
.samr
.in
.newpassword
= r
->generic
.in
.newpassword
;
863 r
->generic
.out
.error_string
= "Unknown Error";
864 status
= libnet_SetPassword(ctx
, mem_ctx
, &r2
);
866 r
->generic
.out
.error_string
= r2
.samr
.out
.error_string
;
871 NTSTATUS
libnet_SetPassword(struct libnet_context
*ctx
, TALLOC_CTX
*mem_ctx
, union libnet_SetPassword
*r
)
873 switch (r
->generic
.level
) {
874 case LIBNET_SET_PASSWORD_GENERIC
:
875 return libnet_SetPassword_generic(ctx
, mem_ctx
, r
);
876 case LIBNET_SET_PASSWORD_SAMR
:
877 return libnet_SetPassword_samr(ctx
, mem_ctx
, r
);
878 case LIBNET_SET_PASSWORD_SAMR_HANDLE
:
879 return libnet_SetPassword_samr_handle(ctx
, mem_ctx
, r
);
880 case LIBNET_SET_PASSWORD_SAMR_HANDLE_26
:
881 return libnet_SetPassword_samr_handle_26(ctx
, mem_ctx
, r
);
882 case LIBNET_SET_PASSWORD_SAMR_HANDLE_25
:
883 return libnet_SetPassword_samr_handle_25(ctx
, mem_ctx
, r
);
884 case LIBNET_SET_PASSWORD_SAMR_HANDLE_24
:
885 return libnet_SetPassword_samr_handle_24(ctx
, mem_ctx
, r
);
886 case LIBNET_SET_PASSWORD_SAMR_HANDLE_23
:
887 return libnet_SetPassword_samr_handle_23(ctx
, mem_ctx
, r
);
888 case LIBNET_SET_PASSWORD_KRB5
:
889 return NT_STATUS_NOT_IMPLEMENTED
;
890 case LIBNET_SET_PASSWORD_LDAP
:
891 return NT_STATUS_NOT_IMPLEMENTED
;
892 case LIBNET_SET_PASSWORD_RAP
:
893 return NT_STATUS_NOT_IMPLEMENTED
;
896 return NT_STATUS_INVALID_LEVEL
;