search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: add functions to flush the idmap memcache
[Samba.git] / source3 / auth / auth_netlogond.c
blob9c367e6b8df041f5c78e730c3ad707ed9f0bce4c
1 /*
2 Unix SMB/CIFS implementation.
3 Authenticate against a netlogon pipe listening on a unix domain socket
4 Copyright (C) Volker Lendecke 2008
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "../libcli/auth/libcli_auth.h"
22 #include "../librpc/gen_ndr/ndr_netlogon.h"
23 #include "librpc/gen_ndr/ndr_schannel.h"
24 #include "rpc_client/cli_netlogon.h"
25 #include "secrets.h"
26 #include "tldap.h"
27 #include "tldap_util.h"
28
29 #undef DBGC_CLASS
30 #define DBGC_CLASS DBGC_AUTH
31
32 static bool secrets_store_local_schannel_creds(
33 const struct netlogon_creds_CredentialState *creds)
34 {
35 DATA_BLOB blob;
36 enum ndr_err_code ndr_err;
37 bool ret;
38
39 ndr_err = ndr_push_struct_blob(
40 &blob, talloc_tos(), creds,
41 (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
42 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
43 DEBUG(10, ("ndr_push_netlogon_creds_CredentialState failed: "
44 "%s\n", ndr_errstr(ndr_err)));
45 return false;
46 }
47 ret = secrets_store(SECRETS_LOCAL_SCHANNEL_KEY,
48 blob.data, blob.length);
49 data_blob_free(&blob);
50 return ret;
51 }
52
53 static struct netlogon_creds_CredentialState *
54 secrets_fetch_local_schannel_creds(TALLOC_CTX *mem_ctx)
55 {
56 struct netlogon_creds_CredentialState *creds;
57 enum ndr_err_code ndr_err;
58 DATA_BLOB blob;
59
60 blob.data = (uint8_t *)secrets_fetch(SECRETS_LOCAL_SCHANNEL_KEY,
61 &blob.length);
62 if (blob.data == NULL) {
63 DEBUG(10, ("secrets_fetch failed\n"));
64 return NULL;
65 }
66
67 creds = talloc(mem_ctx, struct netlogon_creds_CredentialState);
68 if (creds == NULL) {
69 DEBUG(10, ("talloc failed\n"));
70 SAFE_FREE(blob.data);
71 return NULL;
72 }
73 ndr_err = ndr_pull_struct_blob(
74 &blob, creds, creds,
75 (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
76 SAFE_FREE(blob.data);
77 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
78 DEBUG(10, ("ndr_pull_netlogon_creds_CredentialState failed: "
79 "%s\n", ndr_errstr(ndr_err)));
80 TALLOC_FREE(creds);
81 return NULL;
82 }
83
84 return creds;
85 }
86
87 static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx,
88 const struct auth_context *auth_context,
89 const char *ncalrpc_sockname,
90 struct netlogon_creds_CredentialState *creds,
91 const struct auth_usersupplied_info *user_info,
92 struct netr_SamInfo3 **pinfo3,
93 NTSTATUS *schannel_bind_result)
94 {
95 struct rpc_pipe_client *p = NULL;
96 struct pipe_auth_data *auth = NULL;
97 struct netr_SamInfo3 *info3 = NULL;
98 NTSTATUS status;
99
100 *schannel_bind_result = NT_STATUS_OK;
101
102 status = rpc_pipe_open_ncalrpc(talloc_tos(), ncalrpc_sockname,
103 &ndr_table_netlogon.syntax_id, &p);
104 if (!NT_STATUS_IS_OK(status)) {
105 DEBUG(10, ("rpc_pipe_open_ncalrpc failed: %s\n",
106 nt_errstr(status)));
107 return status;
108 }
109
110 p->dc = creds;
111
112 status = rpccli_schannel_bind_data(p, lp_workgroup(),
113 DCERPC_AUTH_LEVEL_PRIVACY,
114 p->dc, &auth);
115 if (!NT_STATUS_IS_OK(status)) {
116 DEBUG(10, ("rpccli_schannel_bind_data failed: %s\n",
117 nt_errstr(status)));
118 TALLOC_FREE(p);
119 return status;
120 }
121
122 status = rpc_pipe_bind(p, auth);
123 if (!NT_STATUS_IS_OK(status)) {
124 DEBUG(10, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
125 TALLOC_FREE(p);
126 *schannel_bind_result = status;
127 return status;
128 }
129
130 status = rpccli_netlogon_sam_network_logon_ex(
131 p, p,
132 user_info->logon_parameters, /* flags such as 'allow
133 * workstation logon' */
134 global_myname(), /* server name */
135 user_info->client.account_name, /* user name logging on. */
136 user_info->client.domain_name, /* domain name */
137 user_info->workstation_name, /* workstation name */
138 (uchar *)auth_context->challenge.data, /* 8 byte challenge. */
139 3, /* validation level */
140 user_info->password.response.lanman, /* lanman 24 byte response */
141 user_info->password.response.nt, /* nt 24 byte response */
142 &info3); /* info3 out */
143
144 DEBUG(10, ("rpccli_netlogon_sam_network_logon_ex returned %s\n",
145 nt_errstr(status)));
146
147 if (!NT_STATUS_IS_OK(status)) {
148 TALLOC_FREE(p);
149 return status;
150 }
151
152 *pinfo3 = talloc_move(mem_ctx, &info3);
153
154 TALLOC_FREE(p);
155 return NT_STATUS_OK;
156 }
157
158 static NTSTATUS get_ldapi_ctx(TALLOC_CTX *mem_ctx, struct tldap_context **pld)
159 {
160 struct tldap_context *ld;
161 struct sockaddr_un addr;
162 char *sockaddr;
163 int fd;
164 NTSTATUS status;
165 int res;
166
167 sockaddr = talloc_asprintf(talloc_tos(), "/%s/ldap_priv/ldapi",
168 lp_private_dir());
169 if (sockaddr == NULL) {
170 DEBUG(10, ("talloc failed\n"));
171 return NT_STATUS_NO_MEMORY;
172 }
173
174 ZERO_STRUCT(addr);
175 addr.sun_family = AF_UNIX;
176 strncpy(addr.sun_path, sockaddr, sizeof(addr.sun_path));
177 TALLOC_FREE(sockaddr);
178
179 status = open_socket_out((struct sockaddr_storage *)(void *)&addr,
180 0, 0, &fd);
181 if (!NT_STATUS_IS_OK(status)) {
182 DEBUG(10, ("Could not connect to %s: %s\n", addr.sun_path,
183 nt_errstr(status)));
184 return status;
185 }
186 set_blocking(fd, false);
187
188 ld = tldap_context_create(mem_ctx, fd);
189 if (ld == NULL) {
190 close(fd);
191 return NT_STATUS_NO_MEMORY;
192 }
193 res = tldap_fetch_rootdse(ld);
194 if (res != TLDAP_SUCCESS) {
195 DEBUG(10, ("tldap_fetch_rootdse failed: %s\n",
196 tldap_errstr(talloc_tos(), ld, res)));
197 TALLOC_FREE(ld);
198 return NT_STATUS_LDAP(res);
199 }
200 *pld = ld;
201 return NT_STATUS_OK;;
202 }
203
204 static NTSTATUS mymachinepw(uint8_t pwd[16])
205 {
206 TALLOC_CTX *frame = talloc_stackframe();
207 struct tldap_context *ld;
208 struct tldap_message *rootdse, **msg;
209 const char *attrs[1] = { "unicodePwd" };
210 char *default_nc, *myname;
211 int rc, num_msg;
212 DATA_BLOB pwdblob;
213 NTSTATUS status;
214
215 status = get_ldapi_ctx(talloc_tos(), &ld);
216 if (!NT_STATUS_IS_OK(status)) {
217 goto fail;
218 }
219 rootdse = tldap_rootdse(ld);
220 if (rootdse == NULL) {
221 DEBUG(10, ("Could not get rootdse\n"));
222 status = NT_STATUS_INTERNAL_ERROR;
223 goto fail;
224 }
225 default_nc = tldap_talloc_single_attribute(
226 rootdse, "defaultNamingContext", talloc_tos());
227 if (default_nc == NULL) {
228 DEBUG(10, ("Could not get defaultNamingContext\n"));
229 status = NT_STATUS_NO_MEMORY;
230 goto fail;
231 }
232 DEBUG(10, ("default_nc = %s\n", default_nc));
233
234 myname = talloc_asprintf_strupper_m(talloc_tos(), "%s$",
235 global_myname());
236 if (myname == NULL) {
237 DEBUG(10, ("talloc failed\n"));
238 status = NT_STATUS_NO_MEMORY;
239 goto fail;
240 }
241
242 rc = tldap_search_fmt(
243 ld, default_nc, TLDAP_SCOPE_SUB, attrs, ARRAY_SIZE(attrs), 0,
244 talloc_tos(), &msg,
245 "(&(sAMAccountName=%s)(objectClass=computer))", myname);
246 if (rc != TLDAP_SUCCESS) {
247 DEBUG(10, ("Could not retrieve our account: %s\n",
248 tldap_errstr(talloc_tos(), ld, rc)));
249 status = NT_STATUS_LDAP(rc);
250 goto fail;
251 }
252 num_msg = talloc_array_length(msg);
253 if (num_msg != 1) {
254 DEBUG(10, ("Got %d accounts, expected one\n", num_msg));
255 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
256 goto fail;
257 }
258 if (!tldap_get_single_valueblob(msg[0], "unicodePwd", &pwdblob)) {
259 char *dn = NULL;
260 tldap_entry_dn(msg[0], &dn);
261 DEBUG(10, ("No unicodePwd attribute in %s\n",
262 dn ? dn : "<unknown DN>"));
263 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
264 goto fail;
265 }
266 if (pwdblob.length != 16) {
267 DEBUG(10, ("Password hash hash has length %d, expected 16\n",
268 (int)pwdblob.length));
269 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
270 goto fail;
271 }
272 memcpy(pwd, pwdblob.data, 16);
273
274 fail:
275 TALLOC_FREE(frame);
276 return status;
277 }
278
279 static NTSTATUS check_netlogond_security(const struct auth_context *auth_context,
280 void *my_private_data,
281 TALLOC_CTX *mem_ctx,
282 const struct auth_usersupplied_info *user_info,
283 struct auth_serversupplied_info **server_info)
284 {
285 TALLOC_CTX *frame = talloc_stackframe();
286 struct netr_SamInfo3 *info3 = NULL;
287 struct rpc_pipe_client *p = NULL;
288 struct pipe_auth_data *auth = NULL;
289 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
290 uint8_t machine_password[16];
291 struct netlogon_creds_CredentialState *creds;
292 NTSTATUS schannel_bind_result, status;
293 struct named_mutex *mutex = NULL;
294 const char *ncalrpcsock;
295
296 DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
297
298 ncalrpcsock = lp_parm_const_string(
299 GLOBAL_SECTION_SNUM, "auth_netlogond", "socket", NULL);
300
301 if (ncalrpcsock == NULL) {
302 ncalrpcsock = talloc_asprintf(talloc_tos(), "%s/%s",
303 get_dyn_NCALRPCDIR(), "DEFAULT");
304 }
305
306 if (ncalrpcsock == NULL) {
307 status = NT_STATUS_NO_MEMORY;
308 goto done;
309 }
310
311 creds = secrets_fetch_local_schannel_creds(talloc_tos());
312 if (creds == NULL) {
313 goto new_key;
314 }
315
316 status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock,
317 creds, user_info, &info3,
318 &schannel_bind_result);
319
320 DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status)));
321
322 if (NT_STATUS_IS_OK(status)) {
323 goto okay;
324 }
325
326 if (NT_STATUS_IS_OK(schannel_bind_result)) {
327 /*
328 * This is a real failure from the DC
329 */
330 goto done;
331 }
332
333 new_key:
334
335 mutex = grab_named_mutex(talloc_tos(), "LOCAL_SCHANNEL_KEY", 60);
336 if (mutex == NULL) {
337 DEBUG(10, ("Could not get mutex LOCAL_SCHANNEL_KEY\n"));
338 status = NT_STATUS_ACCESS_DENIED;
339 goto done;
340 }
341
342 DEBUG(10, ("schannel bind failed, setting up new key\n"));
343
344 status = rpc_pipe_open_ncalrpc(talloc_tos(), ncalrpcsock,
345 &ndr_table_netlogon.syntax_id, &p);
346
347 if (!NT_STATUS_IS_OK(status)) {
348 DEBUG(10, ("rpc_pipe_open_ncalrpc failed: %s\n",
349 nt_errstr(status)));
350 goto done;
351 }
352
353 status = rpccli_anon_bind_data(p, &auth);
354 if (!NT_STATUS_IS_OK(status)) {
355 DEBUG(10, ("rpccli_anon_bind_data failed: %s\n",
356 nt_errstr(status)));
357 goto done;
358 }
359
360 status = rpc_pipe_bind(p, auth);
361 if (!NT_STATUS_IS_OK(status)) {
362 DEBUG(10, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
363 goto done;
364 }
365
366 status = mymachinepw(machine_password);
367 if (!NT_STATUS_IS_OK(status)) {
368 DEBUG(10, ("mymachinepw failed: %s\n", nt_errstr(status)));
369 goto done;
370 }
371
372 DEBUG(10, ("machinepw "));
373 dump_data(10, machine_password, 16);
374
375 status = rpccli_netlogon_setup_creds(
376 p, global_myname(), lp_workgroup(), global_myname(),
377 global_myname(), machine_password, SEC_CHAN_BDC, &neg_flags);
378
379 if (!NT_STATUS_IS_OK(status)) {
380 DEBUG(10, ("rpccli_netlogon_setup_creds failed: %s\n",
381 nt_errstr(status)));
382 goto done;
383 }
384
385 secrets_store_local_schannel_creds(p->dc);
386
387 /*
388 * Retry the authentication with the mutex held. This way nobody else
389 * can step on our toes.
390 */
391
392 status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock,
393 p->dc, user_info, &info3,
394 &schannel_bind_result);
395
396 TALLOC_FREE(p);
397
398 DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status)));
399
400 if (!NT_STATUS_IS_OK(status)) {
401 goto done;
402 }
403
404 okay:
405
406 status = make_server_info_info3(mem_ctx, user_info->client.account_name,
407 user_info->mapped.domain_name, server_info,
408 info3);
409 if (!NT_STATUS_IS_OK(status)) {
410 DEBUG(10, ("make_server_info_info3 failed: %s\n",
411 nt_errstr(status)));
412 TALLOC_FREE(frame);
413 return status;
414 }
415
416 status = NT_STATUS_OK;
417
418 done:
419 TALLOC_FREE(frame);
420 return status;
421 }
422
423 /* module initialisation */
424 static NTSTATUS auth_init_netlogond(struct auth_context *auth_context,
425 const char *param,
426 auth_methods **auth_method)
427 {
428 struct auth_methods *result;
429
430 result = TALLOC_ZERO_P(auth_context, struct auth_methods);
431 if (result == NULL) {
432 return NT_STATUS_NO_MEMORY;
433 }
434 result->name = "netlogond";
435 result->auth = check_netlogond_security;
436
437 *auth_method = result;
438 return NT_STATUS_OK;
439 }
440
441 NTSTATUS auth_netlogond_init(void)
442 {
443 smb_register_auth(AUTH_INTERFACE_VERSION, "netlogond",
444 auth_init_netlogond);
445 return NT_STATUS_OK;
446 }
Samba GIT mirror