2 Unix SMB/CIFS implementation.
4 dcerpc schannel operations
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Rafal Szczesniak 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "auth/auth.h"
27 #include "libcli/composite/composite.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "librpc/gen_ndr/ndr_netlogon.h"
30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "auth/credentials/credentials.h"
32 #include "librpc/rpc/dcerpc_proto.h"
33 #include "param/param.h"
35 struct schannel_key_state
{
36 struct dcerpc_pipe
*pipe
;
37 struct dcerpc_pipe
*pipe2
;
38 struct dcerpc_binding
*binding
;
39 bool dcerpc_schannel_auto
;
40 struct cli_credentials
*credentials
;
41 struct netlogon_creds_CredentialState
*creds
;
42 uint32_t local_negotiate_flags
;
43 uint32_t remote_negotiate_flags
;
44 struct netr_Credential credentials1
;
45 struct netr_Credential credentials2
;
46 struct netr_Credential credentials3
;
47 struct netr_ServerReqChallenge r
;
48 struct netr_ServerAuthenticate2 a
;
49 const struct samr_Password
*mach_pwd
;
53 static void continue_secondary_connection(struct composite_context
*ctx
);
54 static void continue_bind_auth_none(struct composite_context
*ctx
);
55 static void continue_srv_challenge(struct tevent_req
*subreq
);
56 static void continue_srv_auth2(struct tevent_req
*subreq
);
60 Stage 2 of schannel_key: Receive endpoint mapping and request secondary
63 static void continue_epm_map_binding(struct composite_context
*ctx
)
65 struct composite_context
*c
;
66 struct schannel_key_state
*s
;
67 struct composite_context
*sec_conn_req
;
69 c
= talloc_get_type(ctx
->async
.private_data
, struct composite_context
);
70 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
72 /* receive endpoint mapping */
73 c
->status
= dcerpc_epm_map_binding_recv(ctx
);
74 if (!NT_STATUS_IS_OK(c
->status
)) {
75 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
76 NDR_NETLOGON_UUID
, nt_errstr(c
->status
)));
77 composite_error(c
, c
->status
);
81 /* send a request for secondary rpc connection */
82 sec_conn_req
= dcerpc_secondary_connection_send(s
->pipe
,
84 if (composite_nomem(sec_conn_req
, c
)) return;
86 composite_continue(c
, sec_conn_req
, continue_secondary_connection
, c
);
91 Stage 3 of schannel_key: Receive secondary rpc connection and perform
92 non-authenticated bind request
94 static void continue_secondary_connection(struct composite_context
*ctx
)
96 struct composite_context
*c
;
97 struct schannel_key_state
*s
;
98 struct composite_context
*auth_none_req
;
100 c
= talloc_get_type(ctx
->async
.private_data
, struct composite_context
);
101 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
103 /* receive secondary rpc connection */
104 c
->status
= dcerpc_secondary_connection_recv(ctx
, &s
->pipe2
);
105 if (!composite_is_ok(c
)) return;
107 talloc_steal(s
, s
->pipe2
);
109 /* initiate a non-authenticated bind */
110 auth_none_req
= dcerpc_bind_auth_none_send(c
, s
->pipe2
, &ndr_table_netlogon
);
111 if (composite_nomem(auth_none_req
, c
)) return;
113 composite_continue(c
, auth_none_req
, continue_bind_auth_none
, c
);
118 Stage 4 of schannel_key: Receive non-authenticated bind and get
121 static void continue_bind_auth_none(struct composite_context
*ctx
)
123 struct composite_context
*c
;
124 struct schannel_key_state
*s
;
125 struct tevent_req
*subreq
;
127 c
= talloc_get_type(ctx
->async
.private_data
, struct composite_context
);
128 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
130 /* receive result of non-authenticated bind request */
131 c
->status
= dcerpc_bind_auth_none_recv(ctx
);
132 if (!composite_is_ok(c
)) return;
134 /* prepare a challenge request */
135 s
->r
.in
.server_name
= talloc_asprintf(c
, "\\\\%s", dcerpc_server_name(s
->pipe
));
136 if (composite_nomem(s
->r
.in
.server_name
, c
)) return;
137 s
->r
.in
.computer_name
= cli_credentials_get_workstation(s
->credentials
);
138 s
->r
.in
.credentials
= &s
->credentials1
;
139 s
->r
.out
.return_credentials
= &s
->credentials2
;
141 generate_random_buffer(s
->credentials1
.data
, sizeof(s
->credentials1
.data
));
144 request a netlogon challenge - a rpc request over opened secondary pipe
146 subreq
= dcerpc_netr_ServerReqChallenge_r_send(s
, c
->event_ctx
,
147 s
->pipe2
->binding_handle
,
149 if (composite_nomem(subreq
, c
)) return;
151 tevent_req_set_callback(subreq
, continue_srv_challenge
, c
);
156 Stage 5 of schannel_key: Receive a challenge and perform authentication
159 static void continue_srv_challenge(struct tevent_req
*subreq
)
161 struct composite_context
*c
;
162 struct schannel_key_state
*s
;
164 c
= tevent_req_callback_data(subreq
, struct composite_context
);
165 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
167 /* receive rpc request result - netlogon challenge */
168 c
->status
= dcerpc_netr_ServerReqChallenge_r_recv(subreq
, s
);
170 if (!composite_is_ok(c
)) return;
172 /* prepare credentials for auth2 request */
173 s
->mach_pwd
= cli_credentials_get_nt_hash(s
->credentials
, c
);
175 /* auth2 request arguments */
176 s
->a
.in
.server_name
= s
->r
.in
.server_name
;
177 s
->a
.in
.account_name
= cli_credentials_get_username(s
->credentials
);
178 s
->a
.in
.secure_channel_type
=
179 cli_credentials_get_secure_channel_type(s
->credentials
);
180 s
->a
.in
.computer_name
= cli_credentials_get_workstation(s
->credentials
);
181 s
->a
.in
.negotiate_flags
= &s
->local_negotiate_flags
;
182 s
->a
.in
.credentials
= &s
->credentials3
;
183 s
->a
.out
.negotiate_flags
= &s
->remote_negotiate_flags
;
184 s
->a
.out
.return_credentials
= &s
->credentials3
;
186 s
->creds
= netlogon_creds_client_init(s
,
187 s
->a
.in
.account_name
,
188 s
->a
.in
.computer_name
,
189 &s
->credentials1
, &s
->credentials2
,
190 s
->mach_pwd
, &s
->credentials3
,
191 s
->local_negotiate_flags
);
192 if (composite_nomem(s
->creds
, c
)) {
196 authenticate on the netlogon pipe - a rpc request over secondary pipe
198 subreq
= dcerpc_netr_ServerAuthenticate2_r_send(s
, c
->event_ctx
,
199 s
->pipe2
->binding_handle
,
201 if (composite_nomem(subreq
, c
)) return;
203 tevent_req_set_callback(subreq
, continue_srv_auth2
, c
);
208 Stage 6 of schannel_key: Receive authentication request result and verify
211 static void continue_srv_auth2(struct tevent_req
*subreq
)
213 struct composite_context
*c
;
214 struct schannel_key_state
*s
;
216 c
= tevent_req_callback_data(subreq
, struct composite_context
);
217 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
219 /* receive rpc request result - auth2 credentials */
220 c
->status
= dcerpc_netr_ServerAuthenticate2_r_recv(subreq
, s
);
222 if (!composite_is_ok(c
)) return;
225 * Strong keys could be unsupported (NT4) or disables. So retry with the
226 * flags returned by the server. - asn
228 if (NT_STATUS_EQUAL(s
->a
.out
.result
, NT_STATUS_ACCESS_DENIED
) &&
229 s
->dcerpc_schannel_auto
&&
230 (s
->local_negotiate_flags
& NETLOGON_NEG_STRONG_KEYS
)) {
231 DEBUG(3, ("Server doesn't support strong keys, "
232 "downgrade and retry!\n"));
233 s
->local_negotiate_flags
= s
->remote_negotiate_flags
;
235 generate_random_buffer(s
->credentials1
.data
,
236 sizeof(s
->credentials1
.data
));
238 subreq
= dcerpc_netr_ServerReqChallenge_r_send(s
,
240 s
->pipe2
->binding_handle
,
242 if (composite_nomem(subreq
, c
)) return;
244 tevent_req_set_callback(subreq
, continue_srv_challenge
, c
);
248 /* verify credentials */
249 if (!netlogon_creds_client_check(s
->creds
, s
->a
.out
.return_credentials
)) {
250 composite_error(c
, NT_STATUS_UNSUCCESSFUL
);
254 /* setup current netlogon credentials */
255 cli_credentials_set_netlogon_creds(s
->credentials
, s
->creds
);
262 Initiate establishing a schannel key using netlogon challenge
265 struct composite_context
*dcerpc_schannel_key_send(TALLOC_CTX
*mem_ctx
,
266 struct dcerpc_pipe
*p
,
267 struct cli_credentials
*credentials
,
268 struct loadparm_context
*lp_ctx
)
270 struct composite_context
*c
;
271 struct schannel_key_state
*s
;
272 struct composite_context
*epm_map_req
;
273 enum netr_SchannelType schannel_type
= cli_credentials_get_secure_channel_type(credentials
);
275 /* composite context allocation and setup */
276 c
= composite_create(mem_ctx
, p
->conn
->event_ctx
);
277 if (c
== NULL
) return NULL
;
279 s
= talloc_zero(c
, struct schannel_key_state
);
280 if (composite_nomem(s
, c
)) return c
;
283 /* store parameters in the state structure */
285 s
->credentials
= credentials
;
286 s
->local_negotiate_flags
= NETLOGON_NEG_AUTH2_FLAGS
;
288 /* allocate credentials */
289 /* type of authentication depends on schannel type */
290 if (schannel_type
== SEC_CHAN_RODC
) {
291 s
->local_negotiate_flags
= NETLOGON_NEG_AUTH2_RODC_FLAGS
;
293 if (s
->pipe
->conn
->flags
& DCERPC_SCHANNEL_128
) {
294 s
->local_negotiate_flags
= NETLOGON_NEG_AUTH2_ADS_FLAGS
;
296 if (s
->pipe
->conn
->flags
& DCERPC_SCHANNEL_AUTO
) {
297 s
->local_negotiate_flags
= NETLOGON_NEG_AUTH2_ADS_FLAGS
;
298 s
->dcerpc_schannel_auto
= true;
301 /* allocate binding structure */
302 s
->binding
= talloc_zero(c
, struct dcerpc_binding
);
303 if (composite_nomem(s
->binding
, c
)) return c
;
305 *s
->binding
= *s
->pipe
->binding
;
307 /* request the netlogon endpoint mapping */
308 epm_map_req
= dcerpc_epm_map_binding_send(c
, s
->binding
,
310 s
->pipe
->conn
->event_ctx
,
312 if (composite_nomem(epm_map_req
, c
)) return c
;
314 composite_continue(c
, epm_map_req
, continue_epm_map_binding
, c
);
320 Receive result of schannel key request
322 NTSTATUS
dcerpc_schannel_key_recv(struct composite_context
*c
)
324 NTSTATUS status
= composite_wait(c
);
331 struct auth_schannel_state
{
332 struct dcerpc_pipe
*pipe
;
333 struct cli_credentials
*credentials
;
334 const struct ndr_interface_table
*table
;
335 struct loadparm_context
*lp_ctx
;
340 static void continue_bind_auth(struct composite_context
*ctx
);
344 Stage 2 of auth_schannel: Receive schannel key and intitiate an
345 authenticated bind using received credentials
347 static void continue_schannel_key(struct composite_context
*ctx
)
349 struct composite_context
*auth_req
;
350 struct composite_context
*c
= talloc_get_type(ctx
->async
.private_data
,
351 struct composite_context
);
352 struct auth_schannel_state
*s
= talloc_get_type(c
->private_data
,
353 struct auth_schannel_state
);
356 /* receive schannel key */
357 status
= c
->status
= dcerpc_schannel_key_recv(ctx
);
358 if (!composite_is_ok(c
)) {
359 DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status
)));
363 /* send bind auth request with received creds */
364 auth_req
= dcerpc_bind_auth_send(c
, s
->pipe
, s
->table
, s
->credentials
,
365 lpcfg_gensec_settings(c
, s
->lp_ctx
),
366 DCERPC_AUTH_TYPE_SCHANNEL
, s
->auth_level
,
368 if (composite_nomem(auth_req
, c
)) return;
370 composite_continue(c
, auth_req
, continue_bind_auth
, c
);
375 Stage 3 of auth_schannel: Receivce result of authenticated bind
376 and say if we're done ok.
378 static void continue_bind_auth(struct composite_context
*ctx
)
380 struct composite_context
*c
= talloc_get_type(ctx
->async
.private_data
,
381 struct composite_context
);
383 c
->status
= dcerpc_bind_auth_recv(ctx
);
384 if (!composite_is_ok(c
)) return;
391 Initiate schannel authentication request
393 struct composite_context
*dcerpc_bind_auth_schannel_send(TALLOC_CTX
*tmp_ctx
,
394 struct dcerpc_pipe
*p
,
395 const struct ndr_interface_table
*table
,
396 struct cli_credentials
*credentials
,
397 struct loadparm_context
*lp_ctx
,
400 struct composite_context
*c
;
401 struct auth_schannel_state
*s
;
402 struct composite_context
*schan_key_req
;
404 /* composite context allocation and setup */
405 c
= composite_create(tmp_ctx
, p
->conn
->event_ctx
);
406 if (c
== NULL
) return NULL
;
408 s
= talloc_zero(c
, struct auth_schannel_state
);
409 if (composite_nomem(s
, c
)) return c
;
412 /* store parameters in the state structure */
414 s
->credentials
= credentials
;
416 s
->auth_level
= auth_level
;
419 /* start getting schannel key first */
420 schan_key_req
= dcerpc_schannel_key_send(c
, p
, credentials
, lp_ctx
);
421 if (composite_nomem(schan_key_req
, c
)) return c
;
423 composite_continue(c
, schan_key_req
, continue_schannel_key
, c
);
429 Receive result of schannel authentication request
431 NTSTATUS
dcerpc_bind_auth_schannel_recv(struct composite_context
*c
)
433 NTSTATUS status
= composite_wait(c
);
441 Perform schannel authenticated bind - sync version
443 _PUBLIC_ NTSTATUS
dcerpc_bind_auth_schannel(TALLOC_CTX
*tmp_ctx
,
444 struct dcerpc_pipe
*p
,
445 const struct ndr_interface_table
*table
,
446 struct cli_credentials
*credentials
,
447 struct loadparm_context
*lp_ctx
,
450 struct composite_context
*c
;
452 c
= dcerpc_bind_auth_schannel_send(tmp_ctx
, p
, table
, credentials
, lp_ctx
,
454 return dcerpc_bind_auth_schannel_recv(c
);