2 Unix SMB/CIFS implementation.
3 NT Domain Authentication SMB / MSRPC client
4 Copyright (C) Andrew Tridgell 1992-2000
5 Copyright (C) Jeremy Allison 1998.
6 Largely re-written by Jeremy Allison (C) 2005.
7 Copyright (C) Guenther Deschner 2008.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "system/filesys.h"
25 #include "libsmb/libsmb.h"
26 #include "rpc_client/rpc_client.h"
27 #include "rpc_client/cli_pipe.h"
28 #include "../libcli/auth/libcli_auth.h"
29 #include "../libcli/auth/netlogon_creds_cli.h"
30 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "../librpc/gen_ndr/schannel.h"
32 #include "rpc_client/cli_netlogon.h"
33 #include "rpc_client/init_netlogon.h"
34 #include "rpc_client/util_netlogon.h"
35 #include "../libcli/security/security.h"
36 #include "lib/param/param.h"
37 #include "libcli/smb/smbXcli_base.h"
38 #include "dbwrap/dbwrap.h"
39 #include "dbwrap/dbwrap_open.h"
43 NTSTATUS
rpccli_pre_open_netlogon_creds(void)
45 static bool already_open
= false;
47 struct loadparm_context
*lp_ctx
;
49 struct db_context
*global_db
;
56 frame
= talloc_stackframe();
58 lp_ctx
= loadparm_init_s3(frame
, loadparm_s3_helpers());
61 return NT_STATUS_NO_MEMORY
;
64 fname
= lpcfg_private_db_path(frame
, lp_ctx
, "netlogon_creds_cli");
67 return NT_STATUS_NO_MEMORY
;
70 global_db
= db_open(frame
, fname
,
71 0, TDB_CLEAR_IF_FIRST
|TDB_INCOMPATIBLE_HASH
,
72 O_RDWR
|O_CREAT
, 0600, DBWRAP_LOCK_ORDER_2
,
73 DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
);
74 if (global_db
== NULL
) {
76 return NT_STATUS_NO_MEMORY
;
79 status
= netlogon_creds_cli_set_global_db(&global_db
);
81 if (!NT_STATUS_IS_OK(status
)) {
89 static NTSTATUS
rpccli_create_netlogon_creds(
90 const char *server_computer
,
91 const char *server_netbios_domain
,
92 const char *server_dns_domain
,
93 const char *client_account
,
94 enum netr_SchannelType sec_chan_type
,
95 struct messaging_context
*msg_ctx
,
97 struct netlogon_creds_cli_context
**netlogon_creds
)
99 TALLOC_CTX
*frame
= talloc_stackframe();
100 struct loadparm_context
*lp_ctx
;
103 status
= rpccli_pre_open_netlogon_creds();
104 if (!NT_STATUS_IS_OK(status
)) {
109 lp_ctx
= loadparm_init_s3(frame
, loadparm_s3_helpers());
110 if (lp_ctx
== NULL
) {
112 return NT_STATUS_NO_MEMORY
;
114 status
= netlogon_creds_cli_context_global(lp_ctx
,
119 server_netbios_domain
,
121 mem_ctx
, netlogon_creds
);
123 if (!NT_STATUS_IS_OK(status
)) {
130 NTSTATUS
rpccli_create_netlogon_creds_ctx(
131 struct cli_credentials
*creds
,
132 const char *server_computer
,
133 struct messaging_context
*msg_ctx
,
135 struct netlogon_creds_cli_context
**creds_ctx
)
137 enum netr_SchannelType sec_chan_type
;
138 const char *server_netbios_domain
;
139 const char *server_dns_domain
;
140 const char *client_account
;
142 sec_chan_type
= cli_credentials_get_secure_channel_type(creds
);
143 client_account
= cli_credentials_get_username(creds
);
144 server_netbios_domain
= cli_credentials_get_domain(creds
);
145 server_dns_domain
= cli_credentials_get_realm(creds
);
147 return rpccli_create_netlogon_creds(server_computer
,
148 server_netbios_domain
,
156 NTSTATUS
rpccli_setup_netlogon_creds_locked(
157 struct cli_state
*cli
,
158 enum dcerpc_transport_t transport
,
159 struct netlogon_creds_cli_context
*creds_ctx
,
161 struct cli_credentials
*cli_creds
,
162 uint32_t *negotiate_flags
)
164 TALLOC_CTX
*frame
= talloc_stackframe();
165 struct rpc_pipe_client
*netlogon_pipe
= NULL
;
166 struct netlogon_creds_CredentialState
*creds
= NULL
;
167 uint8_t num_nt_hashes
= 0;
168 const struct samr_Password
*nt_hashes
[2] = { NULL
, NULL
};
169 uint8_t idx_nt_hashes
= 0;
172 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
173 if (NT_STATUS_IS_OK(status
)) {
174 const char *action
= "using";
177 action
= "overwrite";
180 DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n",
181 __FUNCTION__
, action
,
182 creds
->account_name
, creds
->computer_name
,
183 smbXcli_conn_remote_name(cli
->conn
)));
190 nt_hashes
[0] = cli_credentials_get_nt_hash(cli_creds
, talloc_tos());
191 if (nt_hashes
[0] == NULL
) {
193 return NT_STATUS_NO_MEMORY
;
197 nt_hashes
[1] = cli_credentials_get_old_nt_hash(cli_creds
,
199 if (nt_hashes
[1] != NULL
) {
203 status
= cli_rpc_pipe_open_noauth_transport(cli
,
207 if (!NT_STATUS_IS_OK(status
)) {
208 DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
210 smbXcli_conn_remote_name(cli
->conn
),
215 talloc_steal(frame
, netlogon_pipe
);
217 status
= netlogon_creds_cli_auth(creds_ctx
,
218 netlogon_pipe
->binding_handle
,
222 if (!NT_STATUS_IS_OK(status
)) {
227 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
228 if (!NT_STATUS_IS_OK(status
)) {
230 return NT_STATUS_INTERNAL_ERROR
;
233 DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n",
235 creds
->account_name
, creds
->computer_name
,
236 smbXcli_conn_remote_name(cli
->conn
)));
239 if (negotiate_flags
!= NULL
) {
240 *negotiate_flags
= creds
->negotiate_flags
;
247 NTSTATUS
rpccli_setup_netlogon_creds(
248 struct cli_state
*cli
,
249 enum dcerpc_transport_t transport
,
250 struct netlogon_creds_cli_context
*creds_ctx
,
252 struct cli_credentials
*cli_creds
)
254 TALLOC_CTX
*frame
= talloc_stackframe();
255 struct netlogon_creds_cli_lck
*lck
;
258 status
= netlogon_creds_cli_lck(
259 creds_ctx
, NETLOGON_CREDS_CLI_LCK_EXCLUSIVE
,
261 if (!NT_STATUS_IS_OK(status
)) {
262 DBG_WARNING("netlogon_creds_cli_lck failed: %s\n",
268 status
= rpccli_setup_netlogon_creds_locked(
269 cli
, transport
, creds_ctx
, force_reauth
, cli_creds
, NULL
);
276 NTSTATUS
rpccli_connect_netlogon(
277 struct cli_state
*cli
,
278 enum dcerpc_transport_t transport
,
279 struct netlogon_creds_cli_context
*creds_ctx
,
281 struct cli_credentials
*trust_creds
,
282 struct rpc_pipe_client
**_rpccli
)
284 TALLOC_CTX
*frame
= talloc_stackframe();
285 struct netlogon_creds_CredentialState
*creds
= NULL
;
286 enum netlogon_creds_cli_lck_type lck_type
;
287 enum netr_SchannelType sec_chan_type
;
288 struct netlogon_creds_cli_lck
*lck
= NULL
;
289 uint32_t negotiate_flags
;
290 uint8_t found_session_key
[16] = {0};
291 bool found_existing_creds
= false;
293 struct rpc_pipe_client
*rpccli
;
297 sec_chan_type
= cli_credentials_get_secure_channel_type(trust_creds
);
298 if (sec_chan_type
== SEC_CHAN_NULL
) {
299 DBG_ERR("secure_channel_type gave SEC_CHAN_NULL\n");
300 status
= NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
307 * See whether we can use existing netlogon_creds or
308 * whether we have to serverauthenticate.
310 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
312 if (NT_STATUS_IS_OK(status
)) {
313 int cmp
= memcmp(found_session_key
,
315 sizeof(found_session_key
));
316 found_existing_creds
= (cmp
!= 0);
318 memcpy(found_session_key
,
320 sizeof(found_session_key
));
325 lck_type
= (force_reauth
|| !found_existing_creds
) ?
326 NETLOGON_CREDS_CLI_LCK_EXCLUSIVE
:
327 NETLOGON_CREDS_CLI_LCK_SHARED
;
329 status
= netlogon_creds_cli_lck(creds_ctx
, lck_type
, frame
, &lck
);
330 if (!NT_STATUS_IS_OK(status
)) {
331 DBG_DEBUG("netlogon_creds_cli_lck failed: %s\n",
336 if (!found_existing_creds
) {
338 * Try to find creds under the lock again. Someone
339 * else might have done it for us.
341 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
343 if (NT_STATUS_IS_OK(status
)) {
344 int cmp
= memcmp(found_session_key
,
346 sizeof(found_session_key
));
347 found_existing_creds
= (cmp
!= 0);
349 memcpy(found_session_key
, creds
->session_key
,
350 sizeof(found_session_key
));
356 do_serverauth
= force_reauth
|| !found_existing_creds
;
358 if (!do_serverauth
) {
360 * Do the quick schannel bind without a reauth
362 status
= cli_rpc_pipe_open_bind_schannel(
363 cli
, &ndr_table_netlogon
, transport
, creds_ctx
,
365 if (!retry
&& NT_STATUS_EQUAL(status
, NT_STATUS_NETWORK_ACCESS_DENIED
)) {
366 DBG_DEBUG("Retrying with serverauthenticate\n");
371 if (!NT_STATUS_IS_OK(status
)) {
372 DBG_DEBUG("cli_rpc_pipe_open_bind_schannel "
373 "failed: %s\n", nt_errstr(status
));
379 if (cli_credentials_is_anonymous(trust_creds
)) {
380 DBG_WARNING("get_trust_credential for %s only gave anonymous,"
381 "unable to negotiate NETLOGON credentials\n",
382 netlogon_creds_cli_debug_string(
384 status
= NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
388 status
= rpccli_setup_netlogon_creds_locked(
389 cli
, transport
, creds_ctx
, true, trust_creds
,
391 if (!NT_STATUS_IS_OK(status
)) {
392 DBG_DEBUG("rpccli_setup_netlogon_creds failed for %s, "
393 "unable to setup NETLOGON credentials: %s\n",
394 netlogon_creds_cli_debug_string(
400 if (!(negotiate_flags
& NETLOGON_NEG_AUTHENTICATED_RPC
)) {
401 if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
402 status
= NT_STATUS_DOWNGRADE_DETECTED
;
403 DBG_WARNING("Unwilling to make connection to %s"
404 "without connection level security, "
405 "must set 'winbind sealed pipes = false'"
406 " and 'require strong key = false' "
408 netlogon_creds_cli_debug_string(
414 status
= cli_rpc_pipe_open_noauth_transport(
415 cli
, transport
, &ndr_table_netlogon
, &rpccli
);
416 if (!NT_STATUS_IS_OK(status
)) {
417 DBG_DEBUG("cli_rpc_pipe_open_noauth_transport "
418 "failed: %s\n", nt_errstr(status
));
424 status
= cli_rpc_pipe_open_bind_schannel(
425 cli
, &ndr_table_netlogon
, transport
, creds_ctx
, &rpccli
);
426 if (!NT_STATUS_IS_OK(status
)) {
427 DBG_DEBUG("cli_rpc_pipe_open_bind_schannel "
428 "failed: %s\n", nt_errstr(status
));
432 status
= netlogon_creds_cli_check(creds_ctx
, rpccli
->binding_handle
,
434 if (!NT_STATUS_IS_OK(status
)) {
435 DBG_WARNING("netlogon_creds_cli_check failed: %s\n",
442 status
= NT_STATUS_OK
;
444 ZERO_STRUCT(found_session_key
);
450 /* Logon domain user */
452 NTSTATUS
rpccli_netlogon_password_logon(
453 struct netlogon_creds_cli_context
*creds_ctx
,
454 struct dcerpc_binding_handle
*binding_handle
,
456 uint32_t logon_parameters
,
458 const char *username
,
459 const char *password
,
460 const char *workstation
,
461 enum netr_LogonInfoClass logon_type
,
462 uint8_t *authoritative
,
464 struct netr_SamInfo3
**info3
)
466 TALLOC_CTX
*frame
= talloc_stackframe();
468 union netr_LogonLevel
*logon
;
469 uint16_t validation_level
= 0;
470 union netr_Validation
*validation
= NULL
;
471 char *workstation_slash
= NULL
;
473 logon
= talloc_zero(frame
, union netr_LogonLevel
);
476 return NT_STATUS_NO_MEMORY
;
479 if (workstation
== NULL
) {
480 workstation
= lp_netbios_name();
483 workstation_slash
= talloc_asprintf(frame
, "\\\\%s", workstation
);
484 if (workstation_slash
== NULL
) {
486 return NT_STATUS_NO_MEMORY
;
489 /* Initialise input parameters */
491 switch (logon_type
) {
492 case NetlogonInteractiveInformation
: {
494 struct netr_PasswordInfo
*password_info
;
496 struct samr_Password lmpassword
;
497 struct samr_Password ntpassword
;
499 password_info
= talloc_zero(frame
, struct netr_PasswordInfo
);
500 if (password_info
== NULL
) {
502 return NT_STATUS_NO_MEMORY
;
505 nt_lm_owf_gen(password
, ntpassword
.hash
, lmpassword
.hash
);
507 password_info
->identity_info
.domain_name
.string
= domain
;
508 password_info
->identity_info
.parameter_control
= logon_parameters
;
509 password_info
->identity_info
.logon_id_low
= 0xdead;
510 password_info
->identity_info
.logon_id_high
= 0xbeef;
511 password_info
->identity_info
.account_name
.string
= username
;
512 password_info
->identity_info
.workstation
.string
= workstation_slash
;
514 password_info
->lmpassword
= lmpassword
;
515 password_info
->ntpassword
= ntpassword
;
517 logon
->password
= password_info
;
521 case NetlogonNetworkInformation
: {
522 struct netr_NetworkInfo
*network_info
;
524 unsigned char local_lm_response
[24];
525 unsigned char local_nt_response
[24];
526 struct netr_ChallengeResponse lm
;
527 struct netr_ChallengeResponse nt
;
532 network_info
= talloc_zero(frame
, struct netr_NetworkInfo
);
533 if (network_info
== NULL
) {
535 return NT_STATUS_NO_MEMORY
;
538 generate_random_buffer(chal
, 8);
540 SMBencrypt(password
, chal
, local_lm_response
);
541 SMBNTencrypt(password
, chal
, local_nt_response
);
544 lm
.data
= local_lm_response
;
547 nt
.data
= local_nt_response
;
549 network_info
->identity_info
.domain_name
.string
= domain
;
550 network_info
->identity_info
.parameter_control
= logon_parameters
;
551 network_info
->identity_info
.logon_id_low
= 0xdead;
552 network_info
->identity_info
.logon_id_high
= 0xbeef;
553 network_info
->identity_info
.account_name
.string
= username
;
554 network_info
->identity_info
.workstation
.string
= workstation_slash
;
556 memcpy(network_info
->challenge
, chal
, 8);
557 network_info
->nt
= nt
;
558 network_info
->lm
= lm
;
560 logon
->network
= network_info
;
565 DEBUG(0, ("switch value %d not supported\n",
568 return NT_STATUS_INVALID_INFO_CLASS
;
571 status
= netlogon_creds_cli_LogonSamLogon(creds_ctx
,
580 if (!NT_STATUS_IS_OK(status
)) {
585 status
= map_validation_to_info3(mem_ctx
,
586 validation_level
, validation
,
589 if (!NT_STATUS_IS_OK(status
)) {
598 * Logon domain user with an 'network' SAM logon
600 * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller.
604 NTSTATUS
rpccli_netlogon_network_logon(
605 struct netlogon_creds_cli_context
*creds_ctx
,
606 struct dcerpc_binding_handle
*binding_handle
,
608 uint32_t logon_parameters
,
609 const char *username
,
611 const char *workstation
,
612 const uint8_t chal
[8],
613 DATA_BLOB lm_response
,
614 DATA_BLOB nt_response
,
615 uint8_t *authoritative
,
617 struct netr_SamInfo3
**info3
)
620 const char *workstation_name_slash
;
621 union netr_LogonLevel
*logon
= NULL
;
622 struct netr_NetworkInfo
*network_info
;
623 uint16_t validation_level
= 0;
624 union netr_Validation
*validation
= NULL
;
625 struct netr_ChallengeResponse lm
;
626 struct netr_ChallengeResponse nt
;
633 logon
= talloc_zero(mem_ctx
, union netr_LogonLevel
);
635 return NT_STATUS_NO_MEMORY
;
638 network_info
= talloc_zero(mem_ctx
, struct netr_NetworkInfo
);
640 return NT_STATUS_NO_MEMORY
;
643 if (workstation
[0] != '\\' && workstation
[1] != '\\') {
644 workstation_name_slash
= talloc_asprintf(mem_ctx
, "\\\\%s", workstation
);
646 workstation_name_slash
= workstation
;
649 if (!workstation_name_slash
) {
650 DEBUG(0, ("talloc_asprintf failed!\n"));
651 return NT_STATUS_NO_MEMORY
;
654 /* Initialise input parameters */
656 lm
.data
= lm_response
.data
;
657 lm
.length
= lm_response
.length
;
658 nt
.data
= nt_response
.data
;
659 nt
.length
= nt_response
.length
;
661 network_info
->identity_info
.domain_name
.string
= domain
;
662 network_info
->identity_info
.parameter_control
= logon_parameters
;
663 network_info
->identity_info
.logon_id_low
= 0xdead;
664 network_info
->identity_info
.logon_id_high
= 0xbeef;
665 network_info
->identity_info
.account_name
.string
= username
;
666 network_info
->identity_info
.workstation
.string
= workstation_name_slash
;
668 memcpy(network_info
->challenge
, chal
, 8);
669 network_info
->nt
= nt
;
670 network_info
->lm
= lm
;
672 logon
->network
= network_info
;
674 /* Marshall data and send request */
676 status
= netlogon_creds_cli_LogonSamLogon(creds_ctx
,
678 NetlogonNetworkInformation
,
685 if (!NT_STATUS_IS_OK(status
)) {
689 status
= map_validation_to_info3(mem_ctx
,
690 validation_level
, validation
,
692 if (!NT_STATUS_IS_OK(status
)) {