search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:torture/test_smb2: check directory listing during reauth
[Samba.git] / source3 / auth / auth_netlogond.c
blob7fb037457e738bbb4ddfac8146babb97ce80d7a1
1 /*
2 Unix SMB/CIFS implementation.
3 Authenticate against a netlogon pipe listening on a unix domain socket
4 Copyright (C) Volker Lendecke 2008
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "auth.h"
22 #include "../libcli/auth/libcli_auth.h"
23 #include "../librpc/gen_ndr/ndr_netlogon.h"
24 #include "librpc/gen_ndr/ndr_schannel.h"
25 #include "rpc_client/cli_pipe.h"
26 #include "rpc_client/cli_netlogon.h"
27 #include "secrets.h"
28 #include "tldap.h"
29 #include "tldap_util.h"
30
31 #undef DBGC_CLASS
32 #define DBGC_CLASS DBGC_AUTH
33
34 static bool secrets_store_local_schannel_creds(
35 const struct netlogon_creds_CredentialState *creds)
36 {
37 DATA_BLOB blob;
38 enum ndr_err_code ndr_err;
39 bool ret;
40
41 ndr_err = ndr_push_struct_blob(
42 &blob, talloc_tos(), creds,
43 (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
44 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
45 DEBUG(10, ("ndr_push_netlogon_creds_CredentialState failed: "
46 "%s\n", ndr_errstr(ndr_err)));
47 return false;
48 }
49 ret = secrets_store(SECRETS_LOCAL_SCHANNEL_KEY,
50 blob.data, blob.length);
51 data_blob_free(&blob);
52 return ret;
53 }
54
55 static struct netlogon_creds_CredentialState *
56 secrets_fetch_local_schannel_creds(TALLOC_CTX *mem_ctx)
57 {
58 struct netlogon_creds_CredentialState *creds;
59 enum ndr_err_code ndr_err;
60 DATA_BLOB blob;
61
62 blob.data = (uint8_t *)secrets_fetch(SECRETS_LOCAL_SCHANNEL_KEY,
63 &blob.length);
64 if (blob.data == NULL) {
65 DEBUG(10, ("secrets_fetch failed\n"));
66 return NULL;
67 }
68
69 creds = talloc(mem_ctx, struct netlogon_creds_CredentialState);
70 if (creds == NULL) {
71 DEBUG(10, ("talloc failed\n"));
72 SAFE_FREE(blob.data);
73 return NULL;
74 }
75 ndr_err = ndr_pull_struct_blob(
76 &blob, creds, creds,
77 (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
78 SAFE_FREE(blob.data);
79 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
80 DEBUG(10, ("ndr_pull_netlogon_creds_CredentialState failed: "
81 "%s\n", ndr_errstr(ndr_err)));
82 TALLOC_FREE(creds);
83 return NULL;
84 }
85
86 return creds;
87 }
88
89 static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx,
90 const struct auth_context *auth_context,
91 const char *ncalrpc_sockname,
92 struct netlogon_creds_CredentialState *creds,
93 const struct auth_usersupplied_info *user_info,
94 struct netr_SamInfo3 **pinfo3,
95 NTSTATUS *schannel_bind_result)
96 {
97 struct rpc_pipe_client *p = NULL;
98 struct pipe_auth_data *auth = NULL;
99 struct netr_SamInfo3 *info3 = NULL;
100 NTSTATUS status;
101
102 *schannel_bind_result = NT_STATUS_OK;
103
104 status = rpc_pipe_open_ncalrpc(talloc_tos(), ncalrpc_sockname,
105 &ndr_table_netlogon.syntax_id, &p);
106 if (!NT_STATUS_IS_OK(status)) {
107 DEBUG(10, ("rpc_pipe_open_ncalrpc failed: %s\n",
108 nt_errstr(status)));
109 return status;
110 }
111
112 p->dc = creds;
113
114 status = rpccli_schannel_bind_data(p, lp_workgroup(),
115 DCERPC_AUTH_LEVEL_PRIVACY,
116 p->dc, &auth);
117 if (!NT_STATUS_IS_OK(status)) {
118 DEBUG(10, ("rpccli_schannel_bind_data failed: %s\n",
119 nt_errstr(status)));
120 TALLOC_FREE(p);
121 return status;
122 }
123
124 status = rpc_pipe_bind(p, auth);
125 if (!NT_STATUS_IS_OK(status)) {
126 DEBUG(10, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
127 TALLOC_FREE(p);
128 *schannel_bind_result = status;
129 return status;
130 }
131
132 status = rpccli_netlogon_sam_network_logon_ex(
133 p, p,
134 user_info->logon_parameters, /* flags such as 'allow
135 * workstation logon' */
136 lp_netbios_name(), /* server name */
137 user_info->client.account_name, /* user name logging on. */
138 user_info->client.domain_name, /* domain name */
139 user_info->workstation_name, /* workstation name */
140 (uchar *)auth_context->challenge.data, /* 8 byte challenge. */
141 3, /* validation level */
142 user_info->password.response.lanman, /* lanman 24 byte response */
143 user_info->password.response.nt, /* nt 24 byte response */
144 &info3); /* info3 out */
145
146 DEBUG(10, ("rpccli_netlogon_sam_network_logon_ex returned %s\n",
147 nt_errstr(status)));
148
149 if (!NT_STATUS_IS_OK(status)) {
150 TALLOC_FREE(p);
151 return status;
152 }
153
154 *pinfo3 = talloc_move(mem_ctx, &info3);
155
156 TALLOC_FREE(p);
157 return NT_STATUS_OK;
158 }
159
160 static NTSTATUS get_ldapi_ctx(TALLOC_CTX *mem_ctx, struct tldap_context **pld)
161 {
162 struct tldap_context *ld;
163 struct sockaddr_un addr;
164 char *sockaddr;
165 int fd;
166 NTSTATUS status;
167 int res;
168
169 sockaddr = talloc_asprintf(talloc_tos(), "/%s/ldap_priv/ldapi",
170 lp_private_dir());
171 if (sockaddr == NULL) {
172 DEBUG(10, ("talloc failed\n"));
173 return NT_STATUS_NO_MEMORY;
174 }
175
176 ZERO_STRUCT(addr);
177 addr.sun_family = AF_UNIX;
178 strncpy(addr.sun_path, sockaddr, sizeof(addr.sun_path));
179 TALLOC_FREE(sockaddr);
180
181 status = open_socket_out((struct sockaddr_storage *)(void *)&addr,
182 0, 0, &fd);
183 if (!NT_STATUS_IS_OK(status)) {
184 DEBUG(10, ("Could not connect to %s: %s\n", addr.sun_path,
185 nt_errstr(status)));
186 return status;
187 }
188 set_blocking(fd, false);
189
190 ld = tldap_context_create(mem_ctx, fd);
191 if (ld == NULL) {
192 close(fd);
193 return NT_STATUS_NO_MEMORY;
194 }
195 res = tldap_fetch_rootdse(ld);
196 if (res != TLDAP_SUCCESS) {
197 DEBUG(10, ("tldap_fetch_rootdse failed: %s\n",
198 tldap_errstr(talloc_tos(), ld, res)));
199 TALLOC_FREE(ld);
200 return NT_STATUS_LDAP(res);
201 }
202 *pld = ld;
203 return NT_STATUS_OK;;
204 }
205
206 static NTSTATUS mymachinepw(uint8_t pwd[16])
207 {
208 TALLOC_CTX *frame = talloc_stackframe();
209 struct tldap_context *ld = NULL;
210 struct tldap_message *rootdse, **msg;
211 const char *attrs[1] = { "unicodePwd" };
212 char *default_nc, *myname;
213 int rc, num_msg;
214 DATA_BLOB pwdblob;
215 NTSTATUS status;
216
217 status = get_ldapi_ctx(talloc_tos(), &ld);
218 if (!NT_STATUS_IS_OK(status)) {
219 goto fail;
220 }
221 rootdse = tldap_rootdse(ld);
222 if (rootdse == NULL) {
223 DEBUG(10, ("Could not get rootdse\n"));
224 status = NT_STATUS_INTERNAL_ERROR;
225 goto fail;
226 }
227 default_nc = tldap_talloc_single_attribute(
228 rootdse, "defaultNamingContext", talloc_tos());
229 if (default_nc == NULL) {
230 DEBUG(10, ("Could not get defaultNamingContext\n"));
231 status = NT_STATUS_NO_MEMORY;
232 goto fail;
233 }
234 DEBUG(10, ("default_nc = %s\n", default_nc));
235
236 myname = talloc_asprintf_strupper_m(talloc_tos(), "%s$",
237 lp_netbios_name());
238 if (myname == NULL) {
239 DEBUG(10, ("talloc failed\n"));
240 status = NT_STATUS_NO_MEMORY;
241 goto fail;
242 }
243
244 rc = tldap_search_fmt(
245 ld, default_nc, TLDAP_SCOPE_SUB, attrs, ARRAY_SIZE(attrs), 0,
246 talloc_tos(), &msg,
247 "(&(sAMAccountName=%s)(objectClass=computer))", myname);
248 if (rc != TLDAP_SUCCESS) {
249 DEBUG(10, ("Could not retrieve our account: %s\n",
250 tldap_errstr(talloc_tos(), ld, rc)));
251 status = NT_STATUS_LDAP(rc);
252 goto fail;
253 }
254 num_msg = talloc_array_length(msg);
255 if (num_msg != 1) {
256 DEBUG(10, ("Got %d accounts, expected one\n", num_msg));
257 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
258 goto fail;
259 }
260 if (!tldap_get_single_valueblob(msg[0], "unicodePwd", &pwdblob)) {
261 char *dn = NULL;
262 tldap_entry_dn(msg[0], &dn);
263 DEBUG(10, ("No unicodePwd attribute in %s\n",
264 dn ? dn : "<unknown DN>"));
265 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
266 goto fail;
267 }
268 if (pwdblob.length != 16) {
269 DEBUG(10, ("Password hash hash has length %d, expected 16\n",
270 (int)pwdblob.length));
271 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
272 goto fail;
273 }
274 memcpy(pwd, pwdblob.data, 16);
275
276 fail:
277 TALLOC_FREE(frame);
278 return status;
279 }
280
281 static NTSTATUS check_netlogond_security(const struct auth_context *auth_context,
282 void *my_private_data,
283 TALLOC_CTX *mem_ctx,
284 const struct auth_usersupplied_info *user_info,
285 struct auth_serversupplied_info **server_info)
286 {
287 TALLOC_CTX *frame = talloc_stackframe();
288 struct netr_SamInfo3 *info3 = NULL;
289 struct rpc_pipe_client *p = NULL;
290 struct pipe_auth_data *auth = NULL;
291 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
292 uint8_t machine_password[16];
293 struct netlogon_creds_CredentialState *creds;
294 NTSTATUS schannel_bind_result, status;
295 struct named_mutex *mutex = NULL;
296 const char *ncalrpcsock;
297
298 DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
299
300 ncalrpcsock = lp_parm_const_string(
301 GLOBAL_SECTION_SNUM, "auth_netlogond", "socket", NULL);
302
303 if (ncalrpcsock == NULL) {
304 ncalrpcsock = talloc_asprintf(talloc_tos(), "%s/%s",
305 get_dyn_NCALRPCDIR(), "DEFAULT");
306 }
307
308 if (ncalrpcsock == NULL) {
309 status = NT_STATUS_NO_MEMORY;
310 goto done;
311 }
312
313 creds = secrets_fetch_local_schannel_creds(talloc_tos());
314 if (creds == NULL) {
315 goto new_key;
316 }
317
318 status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock,
319 creds, user_info, &info3,
320 &schannel_bind_result);
321
322 DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status)));
323
324 if (NT_STATUS_IS_OK(status)) {
325 goto okay;
326 }
327
328 if (NT_STATUS_IS_OK(schannel_bind_result)) {
329 /*
330 * This is a real failure from the DC
331 */
332 goto done;
333 }
334
335 new_key:
336
337 mutex = grab_named_mutex(talloc_tos(), "LOCAL_SCHANNEL_KEY", 60);
338 if (mutex == NULL) {
339 DEBUG(10, ("Could not get mutex LOCAL_SCHANNEL_KEY\n"));
340 status = NT_STATUS_ACCESS_DENIED;
341 goto done;
342 }
343
344 DEBUG(10, ("schannel bind failed, setting up new key\n"));
345
346 status = rpc_pipe_open_ncalrpc(talloc_tos(), ncalrpcsock,
347 &ndr_table_netlogon.syntax_id, &p);
348
349 if (!NT_STATUS_IS_OK(status)) {
350 DEBUG(10, ("rpc_pipe_open_ncalrpc failed: %s\n",
351 nt_errstr(status)));
352 goto done;
353 }
354
355 status = rpccli_anon_bind_data(p, &auth);
356 if (!NT_STATUS_IS_OK(status)) {
357 DEBUG(10, ("rpccli_anon_bind_data failed: %s\n",
358 nt_errstr(status)));
359 goto done;
360 }
361
362 status = rpc_pipe_bind(p, auth);
363 if (!NT_STATUS_IS_OK(status)) {
364 DEBUG(10, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
365 goto done;
366 }
367
368 status = mymachinepw(machine_password);
369 if (!NT_STATUS_IS_OK(status)) {
370 DEBUG(10, ("mymachinepw failed: %s\n", nt_errstr(status)));
371 goto done;
372 }
373
374 DEBUG(10, ("machinepw "));
375 dump_data(10, machine_password, 16);
376
377 status = rpccli_netlogon_setup_creds(
378 p, lp_netbios_name(), lp_workgroup(), lp_netbios_name(),
379 lp_netbios_name(), machine_password, SEC_CHAN_BDC, &neg_flags);
380
381 if (!NT_STATUS_IS_OK(status)) {
382 DEBUG(10, ("rpccli_netlogon_setup_creds failed: %s\n",
383 nt_errstr(status)));
384 goto done;
385 }
386
387 secrets_store_local_schannel_creds(p->dc);
388
389 /*
390 * Retry the authentication with the mutex held. This way nobody else
391 * can step on our toes.
392 */
393
394 status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock,
395 p->dc, user_info, &info3,
396 &schannel_bind_result);
397
398 TALLOC_FREE(p);
399
400 DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status)));
401
402 if (!NT_STATUS_IS_OK(status)) {
403 goto done;
404 }
405
406 okay:
407
408 status = make_server_info_info3(mem_ctx, user_info->client.account_name,
409 user_info->mapped.domain_name, server_info,
410 info3);
411 if (!NT_STATUS_IS_OK(status)) {
412 DEBUG(10, ("make_server_info_info3 failed: %s\n",
413 nt_errstr(status)));
414 TALLOC_FREE(frame);
415 return status;
416 }
417
418 status = NT_STATUS_OK;
419
420 done:
421 TALLOC_FREE(frame);
422 return status;
423 }
424
425 /* module initialisation */
426 static NTSTATUS auth_init_netlogond(struct auth_context *auth_context,
427 const char *param,
428 auth_methods **auth_method)
429 {
430 struct auth_methods *result;
431
432 result = talloc_zero(auth_context, struct auth_methods);
433 if (result == NULL) {
434 return NT_STATUS_NO_MEMORY;
435 }
436 result->name = "netlogond";
437 result->auth = check_netlogond_security;
438
439 *auth_method = result;
440 return NT_STATUS_OK;
441 }
442
443 NTSTATUS auth_netlogond_init(void)
444 {
445 smb_register_auth(AUTH_INTERFACE_VERSION, "netlogond",
446 auth_init_netlogond);
447 return NT_STATUS_OK;
448 }
Samba GIT mirror