s3-param: Rename lp_dns_proxy() -> lp_wins_dns_proxy() for clarity
[Samba/gebeck_regimport.git] / source3 / auth / auth_netlogond.c
blob7fb037457e738bbb4ddfac8146babb97ce80d7a1
1 /*
2 Unix SMB/CIFS implementation.
3 Authenticate against a netlogon pipe listening on a unix domain socket
4 Copyright (C) Volker Lendecke 2008
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 #include "includes.h"
21 #include "auth.h"
22 #include "../libcli/auth/libcli_auth.h"
23 #include "../librpc/gen_ndr/ndr_netlogon.h"
24 #include "librpc/gen_ndr/ndr_schannel.h"
25 #include "rpc_client/cli_pipe.h"
26 #include "rpc_client/cli_netlogon.h"
27 #include "secrets.h"
28 #include "tldap.h"
29 #include "tldap_util.h"
31 #undef DBGC_CLASS
32 #define DBGC_CLASS DBGC_AUTH
34 static bool secrets_store_local_schannel_creds(
35 const struct netlogon_creds_CredentialState *creds)
37 DATA_BLOB blob;
38 enum ndr_err_code ndr_err;
39 bool ret;
41 ndr_err = ndr_push_struct_blob(
42 &blob, talloc_tos(), creds,
43 (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
44 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
45 DEBUG(10, ("ndr_push_netlogon_creds_CredentialState failed: "
46 "%s\n", ndr_errstr(ndr_err)));
47 return false;
49 ret = secrets_store(SECRETS_LOCAL_SCHANNEL_KEY,
50 blob.data, blob.length);
51 data_blob_free(&blob);
52 return ret;
55 static struct netlogon_creds_CredentialState *
56 secrets_fetch_local_schannel_creds(TALLOC_CTX *mem_ctx)
58 struct netlogon_creds_CredentialState *creds;
59 enum ndr_err_code ndr_err;
60 DATA_BLOB blob;
62 blob.data = (uint8_t *)secrets_fetch(SECRETS_LOCAL_SCHANNEL_KEY,
63 &blob.length);
64 if (blob.data == NULL) {
65 DEBUG(10, ("secrets_fetch failed\n"));
66 return NULL;
69 creds = talloc(mem_ctx, struct netlogon_creds_CredentialState);
70 if (creds == NULL) {
71 DEBUG(10, ("talloc failed\n"));
72 SAFE_FREE(blob.data);
73 return NULL;
75 ndr_err = ndr_pull_struct_blob(
76 &blob, creds, creds,
77 (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
78 SAFE_FREE(blob.data);
79 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
80 DEBUG(10, ("ndr_pull_netlogon_creds_CredentialState failed: "
81 "%s\n", ndr_errstr(ndr_err)));
82 TALLOC_FREE(creds);
83 return NULL;
86 return creds;
89 static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx,
90 const struct auth_context *auth_context,
91 const char *ncalrpc_sockname,
92 struct netlogon_creds_CredentialState *creds,
93 const struct auth_usersupplied_info *user_info,
94 struct netr_SamInfo3 **pinfo3,
95 NTSTATUS *schannel_bind_result)
97 struct rpc_pipe_client *p = NULL;
98 struct pipe_auth_data *auth = NULL;
99 struct netr_SamInfo3 *info3 = NULL;
100 NTSTATUS status;
102 *schannel_bind_result = NT_STATUS_OK;
104 status = rpc_pipe_open_ncalrpc(talloc_tos(), ncalrpc_sockname,
105 &ndr_table_netlogon.syntax_id, &p);
106 if (!NT_STATUS_IS_OK(status)) {
107 DEBUG(10, ("rpc_pipe_open_ncalrpc failed: %s\n",
108 nt_errstr(status)));
109 return status;
112 p->dc = creds;
114 status = rpccli_schannel_bind_data(p, lp_workgroup(),
115 DCERPC_AUTH_LEVEL_PRIVACY,
116 p->dc, &auth);
117 if (!NT_STATUS_IS_OK(status)) {
118 DEBUG(10, ("rpccli_schannel_bind_data failed: %s\n",
119 nt_errstr(status)));
120 TALLOC_FREE(p);
121 return status;
124 status = rpc_pipe_bind(p, auth);
125 if (!NT_STATUS_IS_OK(status)) {
126 DEBUG(10, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
127 TALLOC_FREE(p);
128 *schannel_bind_result = status;
129 return status;
132 status = rpccli_netlogon_sam_network_logon_ex(
133 p, p,
134 user_info->logon_parameters, /* flags such as 'allow
135 * workstation logon' */
136 lp_netbios_name(), /* server name */
137 user_info->client.account_name, /* user name logging on. */
138 user_info->client.domain_name, /* domain name */
139 user_info->workstation_name, /* workstation name */
140 (uchar *)auth_context->challenge.data, /* 8 byte challenge. */
141 3, /* validation level */
142 user_info->password.response.lanman, /* lanman 24 byte response */
143 user_info->password.response.nt, /* nt 24 byte response */
144 &info3); /* info3 out */
146 DEBUG(10, ("rpccli_netlogon_sam_network_logon_ex returned %s\n",
147 nt_errstr(status)));
149 if (!NT_STATUS_IS_OK(status)) {
150 TALLOC_FREE(p);
151 return status;
154 *pinfo3 = talloc_move(mem_ctx, &info3);
156 TALLOC_FREE(p);
157 return NT_STATUS_OK;
160 static NTSTATUS get_ldapi_ctx(TALLOC_CTX *mem_ctx, struct tldap_context **pld)
162 struct tldap_context *ld;
163 struct sockaddr_un addr;
164 char *sockaddr;
165 int fd;
166 NTSTATUS status;
167 int res;
169 sockaddr = talloc_asprintf(talloc_tos(), "/%s/ldap_priv/ldapi",
170 lp_private_dir());
171 if (sockaddr == NULL) {
172 DEBUG(10, ("talloc failed\n"));
173 return NT_STATUS_NO_MEMORY;
176 ZERO_STRUCT(addr);
177 addr.sun_family = AF_UNIX;
178 strncpy(addr.sun_path, sockaddr, sizeof(addr.sun_path));
179 TALLOC_FREE(sockaddr);
181 status = open_socket_out((struct sockaddr_storage *)(void *)&addr,
182 0, 0, &fd);
183 if (!NT_STATUS_IS_OK(status)) {
184 DEBUG(10, ("Could not connect to %s: %s\n", addr.sun_path,
185 nt_errstr(status)));
186 return status;
188 set_blocking(fd, false);
190 ld = tldap_context_create(mem_ctx, fd);
191 if (ld == NULL) {
192 close(fd);
193 return NT_STATUS_NO_MEMORY;
195 res = tldap_fetch_rootdse(ld);
196 if (res != TLDAP_SUCCESS) {
197 DEBUG(10, ("tldap_fetch_rootdse failed: %s\n",
198 tldap_errstr(talloc_tos(), ld, res)));
199 TALLOC_FREE(ld);
200 return NT_STATUS_LDAP(res);
202 *pld = ld;
203 return NT_STATUS_OK;;
206 static NTSTATUS mymachinepw(uint8_t pwd[16])
208 TALLOC_CTX *frame = talloc_stackframe();
209 struct tldap_context *ld = NULL;
210 struct tldap_message *rootdse, **msg;
211 const char *attrs[1] = { "unicodePwd" };
212 char *default_nc, *myname;
213 int rc, num_msg;
214 DATA_BLOB pwdblob;
215 NTSTATUS status;
217 status = get_ldapi_ctx(talloc_tos(), &ld);
218 if (!NT_STATUS_IS_OK(status)) {
219 goto fail;
221 rootdse = tldap_rootdse(ld);
222 if (rootdse == NULL) {
223 DEBUG(10, ("Could not get rootdse\n"));
224 status = NT_STATUS_INTERNAL_ERROR;
225 goto fail;
227 default_nc = tldap_talloc_single_attribute(
228 rootdse, "defaultNamingContext", talloc_tos());
229 if (default_nc == NULL) {
230 DEBUG(10, ("Could not get defaultNamingContext\n"));
231 status = NT_STATUS_NO_MEMORY;
232 goto fail;
234 DEBUG(10, ("default_nc = %s\n", default_nc));
236 myname = talloc_asprintf_strupper_m(talloc_tos(), "%s$",
237 lp_netbios_name());
238 if (myname == NULL) {
239 DEBUG(10, ("talloc failed\n"));
240 status = NT_STATUS_NO_MEMORY;
241 goto fail;
244 rc = tldap_search_fmt(
245 ld, default_nc, TLDAP_SCOPE_SUB, attrs, ARRAY_SIZE(attrs), 0,
246 talloc_tos(), &msg,
247 "(&(sAMAccountName=%s)(objectClass=computer))", myname);
248 if (rc != TLDAP_SUCCESS) {
249 DEBUG(10, ("Could not retrieve our account: %s\n",
250 tldap_errstr(talloc_tos(), ld, rc)));
251 status = NT_STATUS_LDAP(rc);
252 goto fail;
254 num_msg = talloc_array_length(msg);
255 if (num_msg != 1) {
256 DEBUG(10, ("Got %d accounts, expected one\n", num_msg));
257 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
258 goto fail;
260 if (!tldap_get_single_valueblob(msg[0], "unicodePwd", &pwdblob)) {
261 char *dn = NULL;
262 tldap_entry_dn(msg[0], &dn);
263 DEBUG(10, ("No unicodePwd attribute in %s\n",
264 dn ? dn : "<unknown DN>"));
265 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
266 goto fail;
268 if (pwdblob.length != 16) {
269 DEBUG(10, ("Password hash hash has length %d, expected 16\n",
270 (int)pwdblob.length));
271 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
272 goto fail;
274 memcpy(pwd, pwdblob.data, 16);
276 fail:
277 TALLOC_FREE(frame);
278 return status;
281 static NTSTATUS check_netlogond_security(const struct auth_context *auth_context,
282 void *my_private_data,
283 TALLOC_CTX *mem_ctx,
284 const struct auth_usersupplied_info *user_info,
285 struct auth_serversupplied_info **server_info)
287 TALLOC_CTX *frame = talloc_stackframe();
288 struct netr_SamInfo3 *info3 = NULL;
289 struct rpc_pipe_client *p = NULL;
290 struct pipe_auth_data *auth = NULL;
291 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
292 uint8_t machine_password[16];
293 struct netlogon_creds_CredentialState *creds;
294 NTSTATUS schannel_bind_result, status;
295 struct named_mutex *mutex = NULL;
296 const char *ncalrpcsock;
298 DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
300 ncalrpcsock = lp_parm_const_string(
301 GLOBAL_SECTION_SNUM, "auth_netlogond", "socket", NULL);
303 if (ncalrpcsock == NULL) {
304 ncalrpcsock = talloc_asprintf(talloc_tos(), "%s/%s",
305 get_dyn_NCALRPCDIR(), "DEFAULT");
308 if (ncalrpcsock == NULL) {
309 status = NT_STATUS_NO_MEMORY;
310 goto done;
313 creds = secrets_fetch_local_schannel_creds(talloc_tos());
314 if (creds == NULL) {
315 goto new_key;
318 status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock,
319 creds, user_info, &info3,
320 &schannel_bind_result);
322 DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status)));
324 if (NT_STATUS_IS_OK(status)) {
325 goto okay;
328 if (NT_STATUS_IS_OK(schannel_bind_result)) {
330 * This is a real failure from the DC
332 goto done;
335 new_key:
337 mutex = grab_named_mutex(talloc_tos(), "LOCAL_SCHANNEL_KEY", 60);
338 if (mutex == NULL) {
339 DEBUG(10, ("Could not get mutex LOCAL_SCHANNEL_KEY\n"));
340 status = NT_STATUS_ACCESS_DENIED;
341 goto done;
344 DEBUG(10, ("schannel bind failed, setting up new key\n"));
346 status = rpc_pipe_open_ncalrpc(talloc_tos(), ncalrpcsock,
347 &ndr_table_netlogon.syntax_id, &p);
349 if (!NT_STATUS_IS_OK(status)) {
350 DEBUG(10, ("rpc_pipe_open_ncalrpc failed: %s\n",
351 nt_errstr(status)));
352 goto done;
355 status = rpccli_anon_bind_data(p, &auth);
356 if (!NT_STATUS_IS_OK(status)) {
357 DEBUG(10, ("rpccli_anon_bind_data failed: %s\n",
358 nt_errstr(status)));
359 goto done;
362 status = rpc_pipe_bind(p, auth);
363 if (!NT_STATUS_IS_OK(status)) {
364 DEBUG(10, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
365 goto done;
368 status = mymachinepw(machine_password);
369 if (!NT_STATUS_IS_OK(status)) {
370 DEBUG(10, ("mymachinepw failed: %s\n", nt_errstr(status)));
371 goto done;
374 DEBUG(10, ("machinepw "));
375 dump_data(10, machine_password, 16);
377 status = rpccli_netlogon_setup_creds(
378 p, lp_netbios_name(), lp_workgroup(), lp_netbios_name(),
379 lp_netbios_name(), machine_password, SEC_CHAN_BDC, &neg_flags);
381 if (!NT_STATUS_IS_OK(status)) {
382 DEBUG(10, ("rpccli_netlogon_setup_creds failed: %s\n",
383 nt_errstr(status)));
384 goto done;
387 secrets_store_local_schannel_creds(p->dc);
390 * Retry the authentication with the mutex held. This way nobody else
391 * can step on our toes.
394 status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock,
395 p->dc, user_info, &info3,
396 &schannel_bind_result);
398 TALLOC_FREE(p);
400 DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status)));
402 if (!NT_STATUS_IS_OK(status)) {
403 goto done;
406 okay:
408 status = make_server_info_info3(mem_ctx, user_info->client.account_name,
409 user_info->mapped.domain_name, server_info,
410 info3);
411 if (!NT_STATUS_IS_OK(status)) {
412 DEBUG(10, ("make_server_info_info3 failed: %s\n",
413 nt_errstr(status)));
414 TALLOC_FREE(frame);
415 return status;
418 status = NT_STATUS_OK;
420 done:
421 TALLOC_FREE(frame);
422 return status;
425 /* module initialisation */
426 static NTSTATUS auth_init_netlogond(struct auth_context *auth_context,
427 const char *param,
428 auth_methods **auth_method)
430 struct auth_methods *result;
432 result = talloc_zero(auth_context, struct auth_methods);
433 if (result == NULL) {
434 return NT_STATUS_NO_MEMORY;
436 result->name = "netlogond";
437 result->auth = check_netlogond_security;
439 *auth_method = result;
440 return NT_STATUS_OK;
443 NTSTATUS auth_netlogond_init(void)
445 smb_register_auth(AUTH_INTERFACE_VERSION, "netlogond",
446 auth_init_netlogond);
447 return NT_STATUS_OK;