2 Unix SMB/CIFS implementation.
3 NT Domain Authentication SMB / MSRPC client
4 Copyright (C) Andrew Tridgell 1992-2000
5 Copyright (C) Jeremy Allison 1998.
6 Largely re-written by Jeremy Allison (C) 2005.
7 Copyright (C) Guenther Deschner 2008.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "system/filesys.h"
25 #include "libsmb/libsmb.h"
26 #include "rpc_client/rpc_client.h"
27 #include "rpc_client/cli_pipe.h"
28 #include "../libcli/auth/libcli_auth.h"
29 #include "../libcli/auth/netlogon_creds_cli.h"
30 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "../librpc/gen_ndr/schannel.h"
32 #include "rpc_client/cli_netlogon.h"
33 #include "rpc_client/util_netlogon.h"
34 #include "../libcli/security/security.h"
35 #include "lib/param/param.h"
36 #include "libcli/smb/smbXcli_base.h"
37 #include "dbwrap/dbwrap.h"
38 #include "dbwrap/dbwrap_open.h"
40 #include "lib/crypto/gnutls_helpers.h"
43 NTSTATUS
rpccli_pre_open_netlogon_creds(void)
45 static bool already_open
= false;
47 struct loadparm_context
*lp_ctx
;
49 struct db_context
*global_db
;
56 frame
= talloc_stackframe();
58 lp_ctx
= loadparm_init_s3(frame
, loadparm_s3_helpers());
61 return NT_STATUS_NO_MEMORY
;
64 fname
= lpcfg_private_db_path(frame
, lp_ctx
, "netlogon_creds_cli");
67 return NT_STATUS_NO_MEMORY
;
70 global_db
= db_open(frame
, fname
,
71 0, TDB_CLEAR_IF_FIRST
|TDB_INCOMPATIBLE_HASH
,
72 O_RDWR
|O_CREAT
, 0600, DBWRAP_LOCK_ORDER_2
,
73 DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
);
74 if (global_db
== NULL
) {
76 return NT_STATUS_NO_MEMORY
;
79 status
= netlogon_creds_cli_set_global_db(&global_db
);
81 if (!NT_STATUS_IS_OK(status
)) {
89 static NTSTATUS
rpccli_create_netlogon_creds(
90 const char *server_computer
,
91 const char *server_netbios_domain
,
92 const char *server_dns_domain
,
93 const char *client_account
,
94 enum netr_SchannelType sec_chan_type
,
95 struct messaging_context
*msg_ctx
,
97 struct netlogon_creds_cli_context
**netlogon_creds
)
99 TALLOC_CTX
*frame
= talloc_stackframe();
100 struct loadparm_context
*lp_ctx
;
103 status
= rpccli_pre_open_netlogon_creds();
104 if (!NT_STATUS_IS_OK(status
)) {
109 lp_ctx
= loadparm_init_s3(frame
, loadparm_s3_helpers());
110 if (lp_ctx
== NULL
) {
112 return NT_STATUS_NO_MEMORY
;
114 status
= netlogon_creds_cli_context_global(lp_ctx
,
119 server_netbios_domain
,
121 mem_ctx
, netlogon_creds
);
123 if (!NT_STATUS_IS_OK(status
)) {
130 NTSTATUS
rpccli_create_netlogon_creds_ctx(
131 struct cli_credentials
*creds
,
132 const char *server_computer
,
133 struct messaging_context
*msg_ctx
,
135 struct netlogon_creds_cli_context
**creds_ctx
)
137 enum netr_SchannelType sec_chan_type
;
138 const char *server_netbios_domain
;
139 const char *server_dns_domain
;
140 const char *client_account
;
142 sec_chan_type
= cli_credentials_get_secure_channel_type(creds
);
143 client_account
= cli_credentials_get_username(creds
);
144 server_netbios_domain
= cli_credentials_get_domain(creds
);
145 server_dns_domain
= cli_credentials_get_realm(creds
);
147 return rpccli_create_netlogon_creds(server_computer
,
148 server_netbios_domain
,
156 NTSTATUS
rpccli_setup_netlogon_creds_locked(
157 struct cli_state
*cli
,
158 enum dcerpc_transport_t transport
,
159 struct netlogon_creds_cli_context
*creds_ctx
,
161 struct cli_credentials
*cli_creds
,
162 uint32_t *negotiate_flags
)
164 TALLOC_CTX
*frame
= talloc_stackframe();
165 struct rpc_pipe_client
*netlogon_pipe
= NULL
;
166 struct netlogon_creds_CredentialState
*creds
= NULL
;
167 uint8_t num_nt_hashes
= 0;
168 const struct samr_Password
*nt_hashes
[2] = { NULL
, NULL
};
169 uint8_t idx_nt_hashes
= 0;
172 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
173 if (NT_STATUS_IS_OK(status
)) {
174 const char *action
= "using";
177 action
= "overwrite";
180 DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n",
181 __FUNCTION__
, action
,
182 creds
->account_name
, creds
->computer_name
,
183 smbXcli_conn_remote_name(cli
->conn
)));
190 nt_hashes
[0] = cli_credentials_get_nt_hash(cli_creds
, talloc_tos());
191 if (nt_hashes
[0] == NULL
) {
193 return NT_STATUS_NO_MEMORY
;
197 nt_hashes
[1] = cli_credentials_get_old_nt_hash(cli_creds
,
199 if (nt_hashes
[1] != NULL
) {
203 status
= cli_rpc_pipe_open_noauth_transport(cli
,
207 if (!NT_STATUS_IS_OK(status
)) {
208 DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
210 smbXcli_conn_remote_name(cli
->conn
),
215 talloc_steal(frame
, netlogon_pipe
);
217 status
= netlogon_creds_cli_auth(creds_ctx
,
218 netlogon_pipe
->binding_handle
,
222 if (!NT_STATUS_IS_OK(status
)) {
227 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
228 if (!NT_STATUS_IS_OK(status
)) {
230 return NT_STATUS_INTERNAL_ERROR
;
233 DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n",
235 creds
->account_name
, creds
->computer_name
,
236 smbXcli_conn_remote_name(cli
->conn
)));
239 if (negotiate_flags
!= NULL
) {
240 *negotiate_flags
= creds
->negotiate_flags
;
247 NTSTATUS
rpccli_setup_netlogon_creds(
248 struct cli_state
*cli
,
249 enum dcerpc_transport_t transport
,
250 struct netlogon_creds_cli_context
*creds_ctx
,
252 struct cli_credentials
*cli_creds
)
254 TALLOC_CTX
*frame
= talloc_stackframe();
255 struct netlogon_creds_cli_lck
*lck
;
258 status
= netlogon_creds_cli_lck(
259 creds_ctx
, NETLOGON_CREDS_CLI_LCK_EXCLUSIVE
,
261 if (!NT_STATUS_IS_OK(status
)) {
262 DBG_WARNING("netlogon_creds_cli_lck failed: %s\n",
268 status
= rpccli_setup_netlogon_creds_locked(
269 cli
, transport
, creds_ctx
, force_reauth
, cli_creds
, NULL
);
276 NTSTATUS
rpccli_connect_netlogon(
277 struct cli_state
*cli
,
278 enum dcerpc_transport_t transport
,
279 struct netlogon_creds_cli_context
*creds_ctx
,
281 struct cli_credentials
*trust_creds
,
282 struct rpc_pipe_client
**_rpccli
)
284 TALLOC_CTX
*frame
= talloc_stackframe();
285 struct netlogon_creds_CredentialState
*creds
= NULL
;
286 enum netlogon_creds_cli_lck_type lck_type
;
287 enum netr_SchannelType sec_chan_type
;
288 struct netlogon_creds_cli_lck
*lck
= NULL
;
289 uint32_t negotiate_flags
;
290 uint8_t found_session_key
[16] = {0};
291 bool found_existing_creds
= false;
293 struct rpc_pipe_client
*rpccli
;
297 sec_chan_type
= cli_credentials_get_secure_channel_type(trust_creds
);
298 if (sec_chan_type
== SEC_CHAN_NULL
) {
299 DBG_ERR("secure_channel_type gave SEC_CHAN_NULL\n");
300 status
= NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
307 * See whether we can use existing netlogon_creds or
308 * whether we have to serverauthenticate.
310 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
312 if (NT_STATUS_IS_OK(status
)) {
313 int cmp
= memcmp(found_session_key
,
315 sizeof(found_session_key
));
316 found_existing_creds
= (cmp
!= 0);
318 memcpy(found_session_key
,
320 sizeof(found_session_key
));
325 lck_type
= (force_reauth
|| !found_existing_creds
) ?
326 NETLOGON_CREDS_CLI_LCK_EXCLUSIVE
:
327 NETLOGON_CREDS_CLI_LCK_SHARED
;
329 status
= netlogon_creds_cli_lck(creds_ctx
, lck_type
, frame
, &lck
);
330 if (!NT_STATUS_IS_OK(status
)) {
331 DBG_DEBUG("netlogon_creds_cli_lck failed: %s\n",
336 if (!found_existing_creds
) {
338 * Try to find creds under the lock again. Someone
339 * else might have done it for us.
341 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
343 if (NT_STATUS_IS_OK(status
)) {
344 int cmp
= memcmp(found_session_key
,
346 sizeof(found_session_key
));
347 found_existing_creds
= (cmp
!= 0);
349 memcpy(found_session_key
, creds
->session_key
,
350 sizeof(found_session_key
));
356 do_serverauth
= force_reauth
|| !found_existing_creds
;
358 if (!do_serverauth
) {
360 * Do the quick schannel bind without a reauth
362 status
= cli_rpc_pipe_open_bind_schannel(
363 cli
, &ndr_table_netlogon
, transport
, creds_ctx
,
365 if (!retry
&& NT_STATUS_EQUAL(status
, NT_STATUS_NETWORK_ACCESS_DENIED
)) {
366 DBG_DEBUG("Retrying with serverauthenticate\n");
371 if (!NT_STATUS_IS_OK(status
)) {
372 DBG_DEBUG("cli_rpc_pipe_open_bind_schannel "
373 "failed: %s\n", nt_errstr(status
));
379 if (cli_credentials_is_anonymous(trust_creds
)) {
380 DBG_WARNING("get_trust_credential for %s only gave anonymous,"
381 "unable to negotiate NETLOGON credentials\n",
382 netlogon_creds_cli_debug_string(
384 status
= NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
388 status
= rpccli_setup_netlogon_creds_locked(
389 cli
, transport
, creds_ctx
, true, trust_creds
,
391 if (!NT_STATUS_IS_OK(status
)) {
392 DBG_DEBUG("rpccli_setup_netlogon_creds failed for %s, "
393 "unable to setup NETLOGON credentials: %s\n",
394 netlogon_creds_cli_debug_string(
400 if (!(negotiate_flags
& NETLOGON_NEG_AUTHENTICATED_RPC
)) {
401 if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
402 status
= NT_STATUS_DOWNGRADE_DETECTED
;
403 DBG_WARNING("Unwilling to make connection to %s"
404 "without connection level security, "
405 "must set 'winbind sealed pipes = false'"
406 " and 'require strong key = false' "
408 netlogon_creds_cli_debug_string(
414 status
= cli_rpc_pipe_open_noauth_transport(
415 cli
, transport
, &ndr_table_netlogon
, &rpccli
);
416 if (!NT_STATUS_IS_OK(status
)) {
417 DBG_DEBUG("cli_rpc_pipe_open_noauth_transport "
418 "failed: %s\n", nt_errstr(status
));
424 status
= cli_rpc_pipe_open_bind_schannel(
425 cli
, &ndr_table_netlogon
, transport
, creds_ctx
, &rpccli
);
426 if (!NT_STATUS_IS_OK(status
)) {
427 DBG_DEBUG("cli_rpc_pipe_open_bind_schannel "
428 "failed: %s\n", nt_errstr(status
));
432 status
= netlogon_creds_cli_check(creds_ctx
, rpccli
->binding_handle
,
434 if (!NT_STATUS_IS_OK(status
)) {
435 DBG_WARNING("netlogon_creds_cli_check failed: %s\n",
442 status
= NT_STATUS_OK
;
444 ZERO_STRUCT(found_session_key
);
450 /* Logon domain user */
452 NTSTATUS
rpccli_netlogon_password_logon(
453 struct netlogon_creds_cli_context
*creds_ctx
,
454 struct dcerpc_binding_handle
*binding_handle
,
456 uint32_t logon_parameters
,
458 const char *username
,
459 const char *password
,
460 const char *workstation
,
461 const uint64_t logon_id
,
462 enum netr_LogonInfoClass logon_type
,
463 uint8_t *authoritative
,
465 uint16_t *_validation_level
,
466 union netr_Validation
**_validation
)
468 TALLOC_CTX
*frame
= talloc_stackframe();
470 union netr_LogonLevel
*logon
;
471 uint16_t validation_level
= 0;
472 union netr_Validation
*validation
= NULL
;
473 char *workstation_slash
= NULL
;
475 unsigned char local_nt_response
[24];
476 unsigned char local_lm_response
[24];
477 struct samr_Password lmpassword
= {.hash
= {0}};
478 struct samr_Password ntpassword
= {.hash
= {0}};
479 struct netr_ChallengeResponse lm
= {0};
480 struct netr_ChallengeResponse nt
= {0};
482 logon
= talloc_zero(frame
, union netr_LogonLevel
);
485 return NT_STATUS_NO_MEMORY
;
488 if (workstation
== NULL
) {
489 workstation
= lp_netbios_name();
492 workstation_slash
= talloc_asprintf(frame
, "\\\\%s", workstation
);
493 if (workstation_slash
== NULL
) {
495 return NT_STATUS_NO_MEMORY
;
498 /* Initialise input parameters */
500 switch (logon_type
) {
501 case NetlogonInteractiveInformation
:
502 case NetlogonInteractiveTransitiveInformation
: {
504 struct netr_PasswordInfo
*password_info
;
507 password_info
= talloc_zero(frame
, struct netr_PasswordInfo
);
508 if (password_info
== NULL
) {
510 return NT_STATUS_NO_MEMORY
;
513 nt_lm_owf_gen(password
, ntpassword
.hash
, lmpassword
.hash
);
515 password_info
->identity_info
.domain_name
.string
= domain
;
516 password_info
->identity_info
.parameter_control
= logon_parameters
;
517 password_info
->identity_info
.logon_id
= logon_id
;
518 password_info
->identity_info
.account_name
.string
= username
;
519 password_info
->identity_info
.workstation
.string
= workstation_slash
;
521 password_info
->lmpassword
= lmpassword
;
522 password_info
->ntpassword
= ntpassword
;
524 logon
->password
= password_info
;
528 case NetlogonNetworkInformation
:
529 case NetlogonNetworkTransitiveInformation
: {
530 struct netr_NetworkInfo
*network_info
;
537 network_info
= talloc_zero(frame
, struct netr_NetworkInfo
);
538 if (network_info
== NULL
) {
540 return NT_STATUS_NO_MEMORY
;
543 generate_random_buffer(chal
, 8);
545 SMBencrypt(password
, chal
, local_lm_response
);
546 rc
= SMBNTencrypt(password
, chal
, local_nt_response
);
549 return gnutls_error_to_ntstatus(rc
, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER
);
553 lm
.data
= local_lm_response
;
556 nt
.data
= local_nt_response
;
558 network_info
->identity_info
.domain_name
.string
= domain
;
559 network_info
->identity_info
.parameter_control
= logon_parameters
;
560 network_info
->identity_info
.logon_id
= logon_id
;
561 network_info
->identity_info
.account_name
.string
= username
;
562 network_info
->identity_info
.workstation
.string
= workstation_slash
;
564 memcpy(network_info
->challenge
, chal
, 8);
565 network_info
->nt
= nt
;
566 network_info
->lm
= lm
;
568 logon
->network
= network_info
;
573 DEBUG(0, ("switch value %d not supported\n",
576 return NT_STATUS_INVALID_INFO_CLASS
;
579 status
= netlogon_creds_cli_LogonSamLogon(creds_ctx
,
588 if (!NT_STATUS_IS_OK(status
)) {
594 *_validation_level
= validation_level
;
595 *_validation
= validation
;
601 * Logon domain user with an 'network' SAM logon
603 * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller.
607 NTSTATUS
rpccli_netlogon_network_logon(
608 struct netlogon_creds_cli_context
*creds_ctx
,
609 struct dcerpc_binding_handle
*binding_handle
,
611 uint32_t logon_parameters
,
612 const char *username
,
614 const char *workstation
,
615 const uint64_t logon_id
,
616 const uint8_t chal
[8],
617 DATA_BLOB lm_response
,
618 DATA_BLOB nt_response
,
619 enum netr_LogonInfoClass logon_type
,
620 uint8_t *authoritative
,
622 uint16_t *_validation_level
,
623 union netr_Validation
**_validation
)
626 const char *workstation_name_slash
;
627 union netr_LogonLevel
*logon
= NULL
;
628 struct netr_NetworkInfo
*network_info
;
629 uint16_t validation_level
= 0;
630 union netr_Validation
*validation
= NULL
;
631 struct netr_ChallengeResponse lm
;
632 struct netr_ChallengeResponse nt
;
639 switch (logon_type
) {
640 case NetlogonNetworkInformation
:
641 case NetlogonNetworkTransitiveInformation
:
644 DEBUG(0, ("switch value %d not supported\n",
646 return NT_STATUS_INVALID_INFO_CLASS
;
649 logon
= talloc_zero(mem_ctx
, union netr_LogonLevel
);
651 return NT_STATUS_NO_MEMORY
;
654 network_info
= talloc_zero(mem_ctx
, struct netr_NetworkInfo
);
656 return NT_STATUS_NO_MEMORY
;
659 if (workstation
[0] != '\\' && workstation
[1] != '\\') {
660 workstation_name_slash
= talloc_asprintf(mem_ctx
, "\\\\%s", workstation
);
662 workstation_name_slash
= workstation
;
665 if (!workstation_name_slash
) {
666 DEBUG(0, ("talloc_asprintf failed!\n"));
667 return NT_STATUS_NO_MEMORY
;
670 /* Initialise input parameters */
672 lm
.data
= lm_response
.data
;
673 lm
.length
= lm_response
.length
;
674 nt
.data
= nt_response
.data
;
675 nt
.length
= nt_response
.length
;
677 network_info
->identity_info
.domain_name
.string
= domain
;
678 network_info
->identity_info
.parameter_control
= logon_parameters
;
679 network_info
->identity_info
.logon_id
= logon_id
;
680 network_info
->identity_info
.account_name
.string
= username
;
681 network_info
->identity_info
.workstation
.string
= workstation_name_slash
;
683 memcpy(network_info
->challenge
, chal
, 8);
684 network_info
->nt
= nt
;
685 network_info
->lm
= lm
;
687 logon
->network
= network_info
;
689 /* Marshall data and send request */
691 status
= netlogon_creds_cli_LogonSamLogon(creds_ctx
,
700 if (!NT_STATUS_IS_OK(status
)) {
704 *_validation_level
= validation_level
;
705 *_validation
= validation
;
710 NTSTATUS
rpccli_netlogon_interactive_logon(
711 struct netlogon_creds_cli_context
*creds_ctx
,
712 struct dcerpc_binding_handle
*binding_handle
,
714 uint32_t logon_parameters
,
715 const char *username
,
717 const char *workstation
,
718 const uint64_t logon_id
,
721 enum netr_LogonInfoClass logon_type
,
722 uint8_t *authoritative
,
724 uint16_t *_validation_level
,
725 union netr_Validation
**_validation
)
727 TALLOC_CTX
*frame
= talloc_stackframe();
729 const char *workstation_name_slash
;
730 union netr_LogonLevel
*logon
= NULL
;
731 struct netr_PasswordInfo
*password_info
= NULL
;
732 uint16_t validation_level
= 0;
733 union netr_Validation
*validation
= NULL
;
734 struct netr_ChallengeResponse lm
;
735 struct netr_ChallengeResponse nt
;
742 switch (logon_type
) {
743 case NetlogonInteractiveInformation
:
744 case NetlogonInteractiveTransitiveInformation
:
747 DEBUG(0, ("switch value %d not supported\n",
750 return NT_STATUS_INVALID_INFO_CLASS
;
753 logon
= talloc_zero(mem_ctx
, union netr_LogonLevel
);
756 return NT_STATUS_NO_MEMORY
;
759 password_info
= talloc_zero(logon
, struct netr_PasswordInfo
);
760 if (password_info
== NULL
) {
762 return NT_STATUS_NO_MEMORY
;
765 if (workstation
[0] != '\\' && workstation
[1] != '\\') {
766 workstation_name_slash
= talloc_asprintf(frame
, "\\\\%s", workstation
);
768 workstation_name_slash
= workstation
;
771 if (workstation_name_slash
== NULL
) {
773 return NT_STATUS_NO_MEMORY
;
776 /* Initialise input parameters */
778 password_info
->identity_info
.domain_name
.string
= domain
;
779 password_info
->identity_info
.parameter_control
= logon_parameters
;
780 password_info
->identity_info
.logon_id
= logon_id
;
781 password_info
->identity_info
.account_name
.string
= username
;
782 password_info
->identity_info
.workstation
.string
= workstation_name_slash
;
784 if (nt_hash
.length
!= sizeof(password_info
->ntpassword
.hash
)) {
786 return NT_STATUS_INVALID_PARAMETER
;
788 memcpy(password_info
->ntpassword
.hash
, nt_hash
.data
, nt_hash
.length
);
789 if (lm_hash
.length
!= 0) {
790 if (lm_hash
.length
!= sizeof(password_info
->lmpassword
.hash
)) {
792 return NT_STATUS_INVALID_PARAMETER
;
794 memcpy(password_info
->lmpassword
.hash
, lm_hash
.data
, lm_hash
.length
);
797 logon
->password
= password_info
;
799 /* Marshall data and send request */
801 status
= netlogon_creds_cli_LogonSamLogon(creds_ctx
,
810 if (!NT_STATUS_IS_OK(status
)) {
815 *_validation_level
= validation_level
;
816 *_validation
= validation
;