2 Unix SMB/CIFS implementation.
3 NT Domain Authentication SMB / MSRPC client
4 Copyright (C) Andrew Tridgell 1992-2000
5 Copyright (C) Jeremy Allison 1998.
6 Largely re-written by Jeremy Allison (C) 2005.
7 Copyright (C) Guenther Deschner 2008.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "system/filesys.h"
25 #include "libsmb/libsmb.h"
26 #include "rpc_client/rpc_client.h"
27 #include "rpc_client/cli_pipe.h"
28 #include "../libcli/auth/libcli_auth.h"
29 #include "../libcli/auth/netlogon_creds_cli.h"
30 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "../librpc/gen_ndr/schannel.h"
32 #include "rpc_client/cli_netlogon.h"
33 #include "rpc_client/util_netlogon.h"
34 #include "../libcli/security/security.h"
35 #include "lib/param/param.h"
36 #include "libcli/smb/smbXcli_base.h"
37 #include "dbwrap/dbwrap.h"
38 #include "dbwrap/dbwrap_open.h"
40 #include "lib/crypto/gnutls_helpers.h"
43 NTSTATUS
rpccli_pre_open_netlogon_creds(void)
45 static bool already_open
= false;
47 struct loadparm_context
*lp_ctx
;
49 struct db_context
*global_db
;
56 frame
= talloc_stackframe();
58 lp_ctx
= loadparm_init_s3(frame
, loadparm_s3_helpers());
61 return NT_STATUS_NO_MEMORY
;
64 fname
= lpcfg_private_db_path(frame
, lp_ctx
, "netlogon_creds_cli");
67 return NT_STATUS_NO_MEMORY
;
70 global_db
= db_open(frame
, fname
,
71 0, TDB_CLEAR_IF_FIRST
|TDB_INCOMPATIBLE_HASH
,
72 O_RDWR
|O_CREAT
, 0600, DBWRAP_LOCK_ORDER_2
,
73 DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
);
74 if (global_db
== NULL
) {
76 return NT_STATUS_NO_MEMORY
;
79 status
= netlogon_creds_cli_set_global_db(lp_ctx
, &global_db
);
81 if (!NT_STATUS_IS_OK(status
)) {
89 static NTSTATUS
rpccli_create_netlogon_creds(
90 const char *server_computer
,
91 const char *server_netbios_domain
,
92 const char *server_dns_domain
,
93 const char *client_account
,
94 enum netr_SchannelType sec_chan_type
,
95 struct messaging_context
*msg_ctx
,
97 struct netlogon_creds_cli_context
**netlogon_creds
)
99 TALLOC_CTX
*frame
= talloc_stackframe();
100 struct loadparm_context
*lp_ctx
;
103 status
= rpccli_pre_open_netlogon_creds();
104 if (!NT_STATUS_IS_OK(status
)) {
109 lp_ctx
= loadparm_init_s3(frame
, loadparm_s3_helpers());
110 if (lp_ctx
== NULL
) {
112 return NT_STATUS_NO_MEMORY
;
114 status
= netlogon_creds_cli_context_global(lp_ctx
,
119 server_netbios_domain
,
121 mem_ctx
, netlogon_creds
);
123 if (!NT_STATUS_IS_OK(status
)) {
130 NTSTATUS
rpccli_create_netlogon_creds_ctx(
131 struct cli_credentials
*creds
,
132 const char *server_computer
,
133 struct messaging_context
*msg_ctx
,
135 struct netlogon_creds_cli_context
**creds_ctx
)
137 enum netr_SchannelType sec_chan_type
;
138 const char *server_netbios_domain
;
139 const char *server_dns_domain
;
140 const char *client_account
;
142 sec_chan_type
= cli_credentials_get_secure_channel_type(creds
);
143 client_account
= cli_credentials_get_username(creds
);
144 server_netbios_domain
= cli_credentials_get_domain(creds
);
145 server_dns_domain
= cli_credentials_get_realm(creds
);
147 return rpccli_create_netlogon_creds(server_computer
,
148 server_netbios_domain
,
156 NTSTATUS
rpccli_setup_netlogon_creds_locked(
157 struct cli_state
*cli
,
158 enum dcerpc_transport_t transport
,
159 struct netlogon_creds_cli_context
*creds_ctx
,
161 struct cli_credentials
*cli_creds
,
162 uint32_t *negotiate_flags
)
164 TALLOC_CTX
*frame
= talloc_stackframe();
165 struct rpc_pipe_client
*netlogon_pipe
= NULL
;
166 struct netlogon_creds_CredentialState
*creds
= NULL
;
167 uint8_t num_nt_hashes
= 0;
168 const struct samr_Password
*nt_hashes
[2] = { NULL
, NULL
};
169 uint8_t idx_nt_hashes
= 0;
171 const char *remote_name
= NULL
;
172 const struct sockaddr_storage
*remote_sockaddr
= NULL
;
174 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
175 if (NT_STATUS_IS_OK(status
)) {
176 const char *action
= "using";
179 action
= "overwrite";
183 remote_name
= smbXcli_conn_remote_name(cli
->conn
);
185 remote_name
= "<UNKNOWN>";
188 DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n",
189 __FUNCTION__
, action
,
190 creds
->account_name
, creds
->computer_name
,
198 nt_hashes
[0] = cli_credentials_get_nt_hash(cli_creds
, talloc_tos());
199 if (nt_hashes
[0] == NULL
) {
201 return NT_STATUS_NO_MEMORY
;
205 nt_hashes
[1] = cli_credentials_get_old_nt_hash(cli_creds
,
207 if (nt_hashes
[1] != NULL
) {
211 remote_name
= smbXcli_conn_remote_name(cli
->conn
);
212 remote_sockaddr
= smbXcli_conn_remote_sockaddr(cli
->conn
);
214 status
= cli_rpc_pipe_open_noauth_transport(cli
,
220 if (!NT_STATUS_IS_OK(status
)) {
221 DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
228 talloc_steal(frame
, netlogon_pipe
);
230 status
= netlogon_creds_cli_auth(creds_ctx
,
231 netlogon_pipe
->binding_handle
,
235 if (!NT_STATUS_IS_OK(status
)) {
240 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
241 if (!NT_STATUS_IS_OK(status
)) {
243 return NT_STATUS_INTERNAL_ERROR
;
246 DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n",
248 creds
->account_name
, creds
->computer_name
,
252 if (negotiate_flags
!= NULL
) {
253 *negotiate_flags
= creds
->negotiate_flags
;
260 NTSTATUS
rpccli_setup_netlogon_creds(
261 struct cli_state
*cli
,
262 enum dcerpc_transport_t transport
,
263 struct netlogon_creds_cli_context
*creds_ctx
,
265 struct cli_credentials
*cli_creds
)
267 TALLOC_CTX
*frame
= talloc_stackframe();
268 struct netlogon_creds_cli_lck
*lck
;
271 status
= netlogon_creds_cli_lck(
272 creds_ctx
, NETLOGON_CREDS_CLI_LCK_EXCLUSIVE
,
274 if (!NT_STATUS_IS_OK(status
)) {
275 DBG_WARNING("netlogon_creds_cli_lck failed: %s\n",
281 status
= rpccli_setup_netlogon_creds_locked(
282 cli
, transport
, creds_ctx
, force_reauth
, cli_creds
, NULL
);
289 NTSTATUS
rpccli_connect_netlogon(
290 struct cli_state
*cli
,
291 enum dcerpc_transport_t transport
,
292 struct netlogon_creds_cli_context
*creds_ctx
,
294 struct cli_credentials
*trust_creds
,
295 struct rpc_pipe_client
**_rpccli
)
297 TALLOC_CTX
*frame
= talloc_stackframe();
298 struct netlogon_creds_CredentialState
*creds
= NULL
;
299 enum netlogon_creds_cli_lck_type lck_type
;
300 enum netr_SchannelType sec_chan_type
;
301 struct netlogon_creds_cli_lck
*lck
= NULL
;
302 uint32_t negotiate_flags
;
303 uint8_t found_session_key
[16] = {0};
304 bool found_existing_creds
= false;
306 struct rpc_pipe_client
*rpccli
;
309 const char *remote_name
= NULL
;
310 const struct sockaddr_storage
*remote_sockaddr
= NULL
;
312 sec_chan_type
= cli_credentials_get_secure_channel_type(trust_creds
);
313 if (sec_chan_type
== SEC_CHAN_NULL
) {
314 DBG_ERR("secure_channel_type gave SEC_CHAN_NULL\n");
315 status
= NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
322 * See whether we can use existing netlogon_creds or
323 * whether we have to serverauthenticate.
325 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
327 if (NT_STATUS_IS_OK(status
)) {
328 bool cmp
= mem_equal_const_time(found_session_key
,
330 sizeof(found_session_key
));
331 found_existing_creds
= !cmp
;
333 memcpy(found_session_key
,
335 sizeof(found_session_key
));
340 lck_type
= (force_reauth
|| !found_existing_creds
) ?
341 NETLOGON_CREDS_CLI_LCK_EXCLUSIVE
:
342 NETLOGON_CREDS_CLI_LCK_SHARED
;
344 status
= netlogon_creds_cli_lck(creds_ctx
, lck_type
, frame
, &lck
);
345 if (!NT_STATUS_IS_OK(status
)) {
346 DBG_DEBUG("netlogon_creds_cli_lck failed: %s\n",
351 if (!found_existing_creds
) {
353 * Try to find creds under the lock again. Someone
354 * else might have done it for us.
356 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
358 if (NT_STATUS_IS_OK(status
)) {
359 bool cmp
= mem_equal_const_time(found_session_key
,
361 sizeof(found_session_key
));
362 found_existing_creds
= !cmp
;
364 memcpy(found_session_key
, creds
->session_key
,
365 sizeof(found_session_key
));
371 remote_name
= smbXcli_conn_remote_name(cli
->conn
);
372 remote_sockaddr
= smbXcli_conn_remote_sockaddr(cli
->conn
);
374 do_serverauth
= force_reauth
|| !found_existing_creds
;
376 if (!do_serverauth
) {
378 * Do the quick schannel bind without a reauth
380 status
= cli_rpc_pipe_open_bind_schannel(cli
,
387 if (!retry
&& NT_STATUS_EQUAL(status
, NT_STATUS_NETWORK_ACCESS_DENIED
)) {
388 DBG_DEBUG("Retrying with serverauthenticate\n");
393 if (!NT_STATUS_IS_OK(status
)) {
394 DBG_DEBUG("cli_rpc_pipe_open_bind_schannel "
395 "failed: %s\n", nt_errstr(status
));
401 if (cli_credentials_is_anonymous(trust_creds
)) {
402 DBG_WARNING("get_trust_credential for %s only gave anonymous,"
403 "unable to negotiate NETLOGON credentials\n",
404 netlogon_creds_cli_debug_string(
406 status
= NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
410 status
= rpccli_setup_netlogon_creds_locked(
411 cli
, transport
, creds_ctx
, true, trust_creds
,
413 if (!NT_STATUS_IS_OK(status
)) {
414 DBG_DEBUG("rpccli_setup_netlogon_creds failed for %s, "
415 "unable to setup NETLOGON credentials: %s\n",
416 netlogon_creds_cli_debug_string(
422 if (!(negotiate_flags
& NETLOGON_NEG_AUTHENTICATED_RPC
)) {
423 if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
424 status
= NT_STATUS_DOWNGRADE_DETECTED
;
425 DBG_WARNING("Unwilling to make connection to %s"
426 "without connection level security, "
427 "must set 'winbind sealed pipes = false'"
428 " and 'require strong key = false' "
430 netlogon_creds_cli_debug_string(
436 status
= cli_rpc_pipe_open_noauth_transport(cli
,
442 if (!NT_STATUS_IS_OK(status
)) {
443 DBG_DEBUG("cli_rpc_pipe_open_noauth_transport "
444 "failed: %s\n", nt_errstr(status
));
450 status
= cli_rpc_pipe_open_bind_schannel(cli
,
457 if (!NT_STATUS_IS_OK(status
)) {
458 DBG_DEBUG("cli_rpc_pipe_open_bind_schannel "
459 "failed: %s\n", nt_errstr(status
));
463 status
= netlogon_creds_cli_check(creds_ctx
, rpccli
->binding_handle
,
465 if (!NT_STATUS_IS_OK(status
)) {
466 DBG_WARNING("netlogon_creds_cli_check failed: %s\n",
473 status
= NT_STATUS_OK
;
475 ZERO_STRUCT(found_session_key
);
481 /* Logon domain user */
483 NTSTATUS
rpccli_netlogon_password_logon(
484 struct netlogon_creds_cli_context
*creds_ctx
,
485 struct dcerpc_binding_handle
*binding_handle
,
487 uint32_t logon_parameters
,
489 const char *username
,
490 const char *password
,
491 const char *workstation
,
492 const uint64_t logon_id
,
493 enum netr_LogonInfoClass logon_type
,
494 uint8_t *authoritative
,
496 uint16_t *_validation_level
,
497 union netr_Validation
**_validation
)
499 TALLOC_CTX
*frame
= talloc_stackframe();
501 union netr_LogonLevel
*logon
;
502 uint16_t validation_level
= 0;
503 union netr_Validation
*validation
= NULL
;
504 char *workstation_slash
= NULL
;
506 unsigned char local_nt_response
[24];
507 unsigned char local_lm_response
[24];
508 struct samr_Password lmpassword
= {.hash
= {0}};
509 struct samr_Password ntpassword
= {.hash
= {0}};
510 struct netr_ChallengeResponse lm
= {0};
511 struct netr_ChallengeResponse nt
= {0};
513 logon
= talloc_zero(frame
, union netr_LogonLevel
);
516 return NT_STATUS_NO_MEMORY
;
519 if (workstation
== NULL
) {
520 workstation
= lp_netbios_name();
523 workstation_slash
= talloc_asprintf(frame
, "\\\\%s", workstation
);
524 if (workstation_slash
== NULL
) {
526 return NT_STATUS_NO_MEMORY
;
529 /* Initialise input parameters */
531 switch (logon_type
) {
532 case NetlogonInteractiveInformation
:
533 case NetlogonInteractiveTransitiveInformation
: {
535 struct netr_PasswordInfo
*password_info
;
538 password_info
= talloc_zero(frame
, struct netr_PasswordInfo
);
539 if (password_info
== NULL
) {
541 return NT_STATUS_NO_MEMORY
;
544 nt_lm_owf_gen(password
, ntpassword
.hash
, lmpassword
.hash
);
546 password_info
->identity_info
.domain_name
.string
= domain
;
547 password_info
->identity_info
.parameter_control
= logon_parameters
;
548 password_info
->identity_info
.logon_id
= logon_id
;
549 password_info
->identity_info
.account_name
.string
= username
;
550 password_info
->identity_info
.workstation
.string
= workstation_slash
;
552 password_info
->lmpassword
= lmpassword
;
553 password_info
->ntpassword
= ntpassword
;
555 logon
->password
= password_info
;
559 case NetlogonNetworkInformation
:
560 case NetlogonNetworkTransitiveInformation
: {
561 struct netr_NetworkInfo
*network_info
;
568 network_info
= talloc_zero(frame
, struct netr_NetworkInfo
);
569 if (network_info
== NULL
) {
571 return NT_STATUS_NO_MEMORY
;
574 generate_random_buffer(chal
, 8);
576 SMBencrypt(password
, chal
, local_lm_response
);
577 rc
= SMBNTencrypt(password
, chal
, local_nt_response
);
580 return gnutls_error_to_ntstatus(rc
, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER
);
584 lm
.data
= local_lm_response
;
587 nt
.data
= local_nt_response
;
589 network_info
->identity_info
.domain_name
.string
= domain
;
590 network_info
->identity_info
.parameter_control
= logon_parameters
;
591 network_info
->identity_info
.logon_id
= logon_id
;
592 network_info
->identity_info
.account_name
.string
= username
;
593 network_info
->identity_info
.workstation
.string
= workstation_slash
;
595 memcpy(network_info
->challenge
, chal
, 8);
596 network_info
->nt
= nt
;
597 network_info
->lm
= lm
;
599 logon
->network
= network_info
;
604 DEBUG(0, ("switch value %d not supported\n",
607 return NT_STATUS_INVALID_INFO_CLASS
;
610 status
= netlogon_creds_cli_LogonSamLogon(creds_ctx
,
619 if (!NT_STATUS_IS_OK(status
)) {
625 *_validation_level
= validation_level
;
626 *_validation
= validation
;
632 * Logon domain user with an 'network' SAM logon
634 * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller.
638 NTSTATUS
rpccli_netlogon_network_logon(
639 struct netlogon_creds_cli_context
*creds_ctx
,
640 struct dcerpc_binding_handle
*binding_handle
,
642 uint32_t logon_parameters
,
643 const char *username
,
645 const char *workstation
,
646 const uint64_t logon_id
,
648 DATA_BLOB lm_response
,
649 DATA_BLOB nt_response
,
650 enum netr_LogonInfoClass logon_type
,
651 uint8_t *authoritative
,
653 uint16_t *_validation_level
,
654 union netr_Validation
**_validation
)
657 const char *workstation_name_slash
;
658 union netr_LogonLevel
*logon
= NULL
;
659 struct netr_NetworkInfo
*network_info
;
660 uint16_t validation_level
= 0;
661 union netr_Validation
*validation
= NULL
;
662 struct netr_ChallengeResponse lm
;
663 struct netr_ChallengeResponse nt
;
670 switch (logon_type
) {
671 case NetlogonNetworkInformation
:
672 case NetlogonNetworkTransitiveInformation
:
675 DEBUG(0, ("switch value %d not supported\n",
677 return NT_STATUS_INVALID_INFO_CLASS
;
680 logon
= talloc_zero(mem_ctx
, union netr_LogonLevel
);
682 return NT_STATUS_NO_MEMORY
;
685 network_info
= talloc_zero(mem_ctx
, struct netr_NetworkInfo
);
687 return NT_STATUS_NO_MEMORY
;
690 if (workstation
== NULL
) {
691 workstation
= lp_netbios_name();
694 if (workstation
[0] != '\\' && workstation
[1] != '\\') {
695 workstation_name_slash
= talloc_asprintf(mem_ctx
, "\\\\%s", workstation
);
697 workstation_name_slash
= workstation
;
700 if (!workstation_name_slash
) {
701 DEBUG(0, ("talloc_asprintf failed!\n"));
702 return NT_STATUS_NO_MEMORY
;
705 /* Initialise input parameters */
707 lm
.data
= lm_response
.data
;
708 lm
.length
= lm_response
.length
;
709 nt
.data
= nt_response
.data
;
710 nt
.length
= nt_response
.length
;
712 network_info
->identity_info
.domain_name
.string
= domain
;
713 network_info
->identity_info
.parameter_control
= logon_parameters
;
714 network_info
->identity_info
.logon_id
= logon_id
;
715 network_info
->identity_info
.account_name
.string
= username
;
716 network_info
->identity_info
.workstation
.string
= workstation_name_slash
;
718 if (chal
.length
!= 8) {
719 DBG_WARNING("Invalid challenge length %zd\n", chal
.length
);
720 return NT_STATUS_INVALID_PARAMETER
;
723 memcpy(network_info
->challenge
, chal
.data
, chal
.length
);
724 network_info
->nt
= nt
;
725 network_info
->lm
= lm
;
727 logon
->network
= network_info
;
729 /* Marshall data and send request */
731 status
= netlogon_creds_cli_LogonSamLogon(creds_ctx
,
740 if (!NT_STATUS_IS_OK(status
)) {
744 *_validation_level
= validation_level
;
745 *_validation
= validation
;
750 NTSTATUS
rpccli_netlogon_interactive_logon(
751 struct netlogon_creds_cli_context
*creds_ctx
,
752 struct dcerpc_binding_handle
*binding_handle
,
754 uint32_t logon_parameters
,
755 const char *username
,
757 const char *workstation
,
758 const uint64_t logon_id
,
761 enum netr_LogonInfoClass logon_type
,
762 uint8_t *authoritative
,
764 uint16_t *_validation_level
,
765 union netr_Validation
**_validation
)
767 TALLOC_CTX
*frame
= talloc_stackframe();
769 const char *workstation_name_slash
;
770 union netr_LogonLevel
*logon
= NULL
;
771 struct netr_PasswordInfo
*password_info
= NULL
;
772 uint16_t validation_level
= 0;
773 union netr_Validation
*validation
= NULL
;
774 struct netr_ChallengeResponse lm
;
775 struct netr_ChallengeResponse nt
;
782 switch (logon_type
) {
783 case NetlogonInteractiveInformation
:
784 case NetlogonInteractiveTransitiveInformation
:
787 DEBUG(0, ("switch value %d not supported\n",
790 return NT_STATUS_INVALID_INFO_CLASS
;
793 logon
= talloc_zero(mem_ctx
, union netr_LogonLevel
);
796 return NT_STATUS_NO_MEMORY
;
799 password_info
= talloc_zero(logon
, struct netr_PasswordInfo
);
800 if (password_info
== NULL
) {
802 return NT_STATUS_NO_MEMORY
;
805 if (workstation
[0] != '\\' && workstation
[1] != '\\') {
806 workstation_name_slash
= talloc_asprintf(frame
, "\\\\%s", workstation
);
808 workstation_name_slash
= workstation
;
811 if (workstation_name_slash
== NULL
) {
813 return NT_STATUS_NO_MEMORY
;
816 /* Initialise input parameters */
818 password_info
->identity_info
.domain_name
.string
= domain
;
819 password_info
->identity_info
.parameter_control
= logon_parameters
;
820 password_info
->identity_info
.logon_id
= logon_id
;
821 password_info
->identity_info
.account_name
.string
= username
;
822 password_info
->identity_info
.workstation
.string
= workstation_name_slash
;
824 if (nt_hash
.length
!= sizeof(password_info
->ntpassword
.hash
)) {
826 return NT_STATUS_INVALID_PARAMETER
;
828 memcpy(password_info
->ntpassword
.hash
, nt_hash
.data
, nt_hash
.length
);
829 if (lm_hash
.length
!= 0) {
830 if (lm_hash
.length
!= sizeof(password_info
->lmpassword
.hash
)) {
832 return NT_STATUS_INVALID_PARAMETER
;
834 memcpy(password_info
->lmpassword
.hash
, lm_hash
.data
, lm_hash
.length
);
837 logon
->password
= password_info
;
839 /* Marshall data and send request */
841 status
= netlogon_creds_cli_LogonSamLogon(creds_ctx
,
850 if (!NT_STATUS_IS_OK(status
)) {
855 *_validation_level
= validation_level
;
856 *_validation
= validation
;