search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-librpc: Fix NETLOGON credential chain with Windows 2008.
[Samba/gebeck_regimport.git] / source4 / librpc / rpc / dcerpc_schannel.c
blob9501e3e047ef0f1aff3b260a68c8e42ad29ab1eb
1 /*
2 Unix SMB/CIFS implementation.
3
4 dcerpc schannel operations
5
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Rafal Szczesniak 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include <tevent.h>
26 #include "auth/auth.h"
27 #include "libcli/composite/composite.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "librpc/gen_ndr/ndr_netlogon.h"
30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "auth/credentials/credentials.h"
32 #include "librpc/rpc/dcerpc_proto.h"
33 #include "param/param.h"
34
35 struct schannel_key_state {
36 struct dcerpc_pipe *pipe;
37 struct dcerpc_pipe *pipe2;
38 struct dcerpc_binding *binding;
39 bool dcerpc_schannel_auto;
40 struct cli_credentials *credentials;
41 struct netlogon_creds_CredentialState *creds;
42 uint32_t local_negotiate_flags;
43 uint32_t remote_negotiate_flags;
44 struct netr_Credential credentials1;
45 struct netr_Credential credentials2;
46 struct netr_Credential credentials3;
47 struct netr_ServerReqChallenge r;
48 struct netr_ServerAuthenticate2 a;
49 const struct samr_Password *mach_pwd;
50 };
51
52
53 static void continue_secondary_connection(struct composite_context *ctx);
54 static void continue_bind_auth_none(struct composite_context *ctx);
55 static void continue_srv_challenge(struct tevent_req *subreq);
56 static void continue_srv_auth2(struct tevent_req *subreq);
57
58
59 /*
60 Stage 2 of schannel_key: Receive endpoint mapping and request secondary
61 rpc connection
62 */
63 static void continue_epm_map_binding(struct composite_context *ctx)
64 {
65 struct composite_context *c;
66 struct schannel_key_state *s;
67 struct composite_context *sec_conn_req;
68
69 c = talloc_get_type(ctx->async.private_data, struct composite_context);
70 s = talloc_get_type(c->private_data, struct schannel_key_state);
71
72 /* receive endpoint mapping */
73 c->status = dcerpc_epm_map_binding_recv(ctx);
74 if (!NT_STATUS_IS_OK(c->status)) {
75 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
76 NDR_NETLOGON_UUID, nt_errstr(c->status)));
77 composite_error(c, c->status);
78 return;
79 }
80
81 /* send a request for secondary rpc connection */
82 sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
83 s->binding);
84 if (composite_nomem(sec_conn_req, c)) return;
85
86 composite_continue(c, sec_conn_req, continue_secondary_connection, c);
87 }
88
89
90 /*
91 Stage 3 of schannel_key: Receive secondary rpc connection and perform
92 non-authenticated bind request
93 */
94 static void continue_secondary_connection(struct composite_context *ctx)
95 {
96 struct composite_context *c;
97 struct schannel_key_state *s;
98 struct composite_context *auth_none_req;
99
100 c = talloc_get_type(ctx->async.private_data, struct composite_context);
101 s = talloc_get_type(c->private_data, struct schannel_key_state);
102
103 /* receive secondary rpc connection */
104 c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
105 if (!composite_is_ok(c)) return;
106
107 talloc_steal(s, s->pipe2);
108
109 /* initiate a non-authenticated bind */
110 auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &ndr_table_netlogon);
111 if (composite_nomem(auth_none_req, c)) return;
112
113 composite_continue(c, auth_none_req, continue_bind_auth_none, c);
114 }
115
116
117 /*
118 Stage 4 of schannel_key: Receive non-authenticated bind and get
119 a netlogon challenge
120 */
121 static void continue_bind_auth_none(struct composite_context *ctx)
122 {
123 struct composite_context *c;
124 struct schannel_key_state *s;
125 struct tevent_req *subreq;
126
127 c = talloc_get_type(ctx->async.private_data, struct composite_context);
128 s = talloc_get_type(c->private_data, struct schannel_key_state);
129
130 /* receive result of non-authenticated bind request */
131 c->status = dcerpc_bind_auth_none_recv(ctx);
132 if (!composite_is_ok(c)) return;
133
134 /* prepare a challenge request */
135 s->r.in.server_name = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
136 if (composite_nomem(s->r.in.server_name, c)) return;
137 s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
138 s->r.in.credentials = &s->credentials1;
139 s->r.out.return_credentials = &s->credentials2;
140
141 generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
142
143 /*
144 request a netlogon challenge - a rpc request over opened secondary pipe
145 */
146 subreq = dcerpc_netr_ServerReqChallenge_r_send(s, c->event_ctx,
147 s->pipe2->binding_handle,
148 &s->r);
149 if (composite_nomem(subreq, c)) return;
150
151 tevent_req_set_callback(subreq, continue_srv_challenge, c);
152 }
153
154
155 /*
156 Stage 5 of schannel_key: Receive a challenge and perform authentication
157 on the netlogon pipe
158 */
159 static void continue_srv_challenge(struct tevent_req *subreq)
160 {
161 struct composite_context *c;
162 struct schannel_key_state *s;
163
164 c = tevent_req_callback_data(subreq, struct composite_context);
165 s = talloc_get_type(c->private_data, struct schannel_key_state);
166
167 /* receive rpc request result - netlogon challenge */
168 c->status = dcerpc_netr_ServerReqChallenge_r_recv(subreq, s);
169 TALLOC_FREE(subreq);
170 if (!composite_is_ok(c)) return;
171
172 /* prepare credentials for auth2 request */
173 s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
174
175 /* auth2 request arguments */
176 s->a.in.server_name = s->r.in.server_name;
177 s->a.in.account_name = cli_credentials_get_username(s->credentials);
178 s->a.in.secure_channel_type =
179 cli_credentials_get_secure_channel_type(s->credentials);
180 s->a.in.computer_name = cli_credentials_get_workstation(s->credentials);
181 s->a.in.negotiate_flags = &s->local_negotiate_flags;
182 s->a.in.credentials = &s->credentials3;
183 s->a.out.negotiate_flags = &s->remote_negotiate_flags;
184 s->a.out.return_credentials = &s->credentials3;
185
186 s->creds = netlogon_creds_client_init(s,
187 s->a.in.account_name,
188 s->a.in.computer_name,
189 &s->credentials1, &s->credentials2,
190 s->mach_pwd, &s->credentials3,
191 s->local_negotiate_flags);
192 if (composite_nomem(s->creds, c)) {
193 return;
194 }
195 /*
196 authenticate on the netlogon pipe - a rpc request over secondary pipe
197 */
198 subreq = dcerpc_netr_ServerAuthenticate2_r_send(s, c->event_ctx,
199 s->pipe2->binding_handle,
200 &s->a);
201 if (composite_nomem(subreq, c)) return;
202
203 tevent_req_set_callback(subreq, continue_srv_auth2, c);
204 }
205
206
207 /*
208 Stage 6 of schannel_key: Receive authentication request result and verify
209 received credentials
210 */
211 static void continue_srv_auth2(struct tevent_req *subreq)
212 {
213 struct composite_context *c;
214 struct schannel_key_state *s;
215
216 c = tevent_req_callback_data(subreq, struct composite_context);
217 s = talloc_get_type(c->private_data, struct schannel_key_state);
218
219 /* receive rpc request result - auth2 credentials */
220 c->status = dcerpc_netr_ServerAuthenticate2_r_recv(subreq, s);
221 TALLOC_FREE(subreq);
222 if (!composite_is_ok(c)) return;
223
224 /*
225 * Strong keys could be unsupported (NT4) or disables. So retry with the
226 * flags returned by the server. - asn
227 */
228 if (NT_STATUS_EQUAL(s->a.out.result, NT_STATUS_ACCESS_DENIED) &&
229 s->dcerpc_schannel_auto &&
230 (s->local_negotiate_flags & NETLOGON_NEG_STRONG_KEYS)) {
231 DEBUG(3, ("Server doesn't support strong keys, "
232 "downgrade and retry!\n"));
233 s->local_negotiate_flags = s->remote_negotiate_flags;
234
235 generate_random_buffer(s->credentials1.data,
236 sizeof(s->credentials1.data));
237
238 subreq = dcerpc_netr_ServerReqChallenge_r_send(s,
239 c->event_ctx,
240 s->pipe2->binding_handle,
241 &s->r);
242 if (composite_nomem(subreq, c)) return;
243
244 tevent_req_set_callback(subreq, continue_srv_challenge, c);
245 return;
246 }
247
248 /* verify credentials */
249 if (!netlogon_creds_client_check(s->creds, s->a.out.return_credentials)) {
250 composite_error(c, NT_STATUS_UNSUCCESSFUL);
251 return;
252 }
253
254 /* setup current netlogon credentials */
255 cli_credentials_set_netlogon_creds(s->credentials, s->creds);
256
257 composite_done(c);
258 }
259
260
261 /*
262 Initiate establishing a schannel key using netlogon challenge
263 on a secondary pipe
264 */
265 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
266 struct dcerpc_pipe *p,
267 struct cli_credentials *credentials,
268 struct loadparm_context *lp_ctx)
269 {
270 struct composite_context *c;
271 struct schannel_key_state *s;
272 struct composite_context *epm_map_req;
273 enum netr_SchannelType schannel_type = cli_credentials_get_secure_channel_type(credentials);
274
275 /* composite context allocation and setup */
276 c = composite_create(mem_ctx, p->conn->event_ctx);
277 if (c == NULL) return NULL;
278
279 s = talloc_zero(c, struct schannel_key_state);
280 if (composite_nomem(s, c)) return c;
281 c->private_data = s;
282
283 /* store parameters in the state structure */
284 s->pipe = p;
285 s->credentials = credentials;
286 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
287
288 /* allocate credentials */
289 /* type of authentication depends on schannel type */
290 if (schannel_type == SEC_CHAN_RODC) {
291 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_RODC_FLAGS;
292 }
293 if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
294 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
295 }
296 if (s->pipe->conn->flags & DCERPC_SCHANNEL_AUTO) {
297 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
298 s->dcerpc_schannel_auto = true;
299 }
300
301 /* allocate binding structure */
302 s->binding = talloc_zero(c, struct dcerpc_binding);
303 if (composite_nomem(s->binding, c)) return c;
304
305 *s->binding = *s->pipe->binding;
306
307 /* request the netlogon endpoint mapping */
308 epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
309 &ndr_table_netlogon,
310 s->pipe->conn->event_ctx,
311 lp_ctx);
312 if (composite_nomem(epm_map_req, c)) return c;
313
314 composite_continue(c, epm_map_req, continue_epm_map_binding, c);
315 return c;
316 }
317
318
319 /*
320 Receive result of schannel key request
321 */
322 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
323 {
324 NTSTATUS status = composite_wait(c);
325
326 talloc_free(c);
327 return status;
328 }
329
330
331 struct auth_schannel_state {
332 struct dcerpc_pipe *pipe;
333 struct cli_credentials *credentials;
334 const struct ndr_interface_table *table;
335 struct loadparm_context *lp_ctx;
336 uint8_t auth_level;
337 };
338
339
340 static void continue_bind_auth(struct composite_context *ctx);
341
342
343 /*
344 Stage 2 of auth_schannel: Receive schannel key and intitiate an
345 authenticated bind using received credentials
346 */
347 static void continue_schannel_key(struct composite_context *ctx)
348 {
349 struct composite_context *auth_req;
350 struct composite_context *c = talloc_get_type(ctx->async.private_data,
351 struct composite_context);
352 struct auth_schannel_state *s = talloc_get_type(c->private_data,
353 struct auth_schannel_state);
354 NTSTATUS status;
355
356 /* receive schannel key */
357 status = c->status = dcerpc_schannel_key_recv(ctx);
358 if (!composite_is_ok(c)) {
359 DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status)));
360 return;
361 }
362
363 /* send bind auth request with received creds */
364 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
365 lpcfg_gensec_settings(c, s->lp_ctx),
366 DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
367 NULL);
368 if (composite_nomem(auth_req, c)) return;
369
370 composite_continue(c, auth_req, continue_bind_auth, c);
371 }
372
373
374 /*
375 Stage 3 of auth_schannel: Receivce result of authenticated bind
376 and say if we're done ok.
377 */
378 static void continue_bind_auth(struct composite_context *ctx)
379 {
380 struct composite_context *c = talloc_get_type(ctx->async.private_data,
381 struct composite_context);
382
383 c->status = dcerpc_bind_auth_recv(ctx);
384 if (!composite_is_ok(c)) return;
385
386 composite_done(c);
387 }
388
389
390 /*
391 Initiate schannel authentication request
392 */
393 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx,
394 struct dcerpc_pipe *p,
395 const struct ndr_interface_table *table,
396 struct cli_credentials *credentials,
397 struct loadparm_context *lp_ctx,
398 uint8_t auth_level)
399 {
400 struct composite_context *c;
401 struct auth_schannel_state *s;
402 struct composite_context *schan_key_req;
403
404 /* composite context allocation and setup */
405 c = composite_create(tmp_ctx, p->conn->event_ctx);
406 if (c == NULL) return NULL;
407
408 s = talloc_zero(c, struct auth_schannel_state);
409 if (composite_nomem(s, c)) return c;
410 c->private_data = s;
411
412 /* store parameters in the state structure */
413 s->pipe = p;
414 s->credentials = credentials;
415 s->table = table;
416 s->auth_level = auth_level;
417 s->lp_ctx = lp_ctx;
418
419 /* start getting schannel key first */
420 schan_key_req = dcerpc_schannel_key_send(c, p, credentials, lp_ctx);
421 if (composite_nomem(schan_key_req, c)) return c;
422
423 composite_continue(c, schan_key_req, continue_schannel_key, c);
424 return c;
425 }
426
427
428 /*
429 Receive result of schannel authentication request
430 */
431 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
432 {
433 NTSTATUS status = composite_wait(c);
434
435 talloc_free(c);
436 return status;
437 }
438
439
440 /*
441 Perform schannel authenticated bind - sync version
442 */
443 _PUBLIC_ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
444 struct dcerpc_pipe *p,
445 const struct ndr_interface_table *table,
446 struct cli_credentials *credentials,
447 struct loadparm_context *lp_ctx,
448 uint8_t auth_level)
449 {
450 struct composite_context *c;
451
452 c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials, lp_ctx,
453 auth_level);
454 return dcerpc_bind_auth_schannel_recv(c);
455 }
reg import