search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r6229: Back out these changes ...
[Samba/gebeck_regimport.git] / source4 / librpc / rpc / dcerpc_schannel.c
blob3ae2624ff9df208b407b138cc76b027c1406f1a5
1 /*
2 Unix SMB/CIFS implementation.
3
4 dcerpc schannel operations
5
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25 #include "librpc/gen_ndr/ndr_schannel.h"
26 #include "auth/auth.h"
27
28 /*
29 get a schannel key using a netlogon challenge on a secondary pipe
30 */
31 static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx,
32 struct dcerpc_pipe *p,
33 struct cli_credentials *credentials,
34 int chan_type)
35 {
36 NTSTATUS status;
37 struct dcerpc_binding *b;
38 struct dcerpc_pipe *p2;
39 struct netr_ServerReqChallenge r;
40 struct netr_ServerAuthenticate2 a;
41 struct netr_Credential credentials1, credentials2, credentials3;
42 struct samr_Password mach_pwd;
43 uint32_t negotiate_flags;
44 struct creds_CredentialState *creds;
45 creds = talloc(tmp_ctx, struct creds_CredentialState);
46 if (!creds) {
47 return NT_STATUS_NO_MEMORY;
48 }
49
50 if (p->conn->flags & DCERPC_SCHANNEL_128) {
51 negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
52 } else {
53 negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
54 }
55
56 /*
57 step 1 - establish a netlogon connection, with no authentication
58 */
59
60 /* Find the original binding string */
61 status = dcerpc_parse_binding(tmp_ctx, p->conn->binding_string, &b);
62 if (!NT_STATUS_IS_OK(status)) {
63 DEBUG(0,("Failed to parse dcerpc binding '%s'\n", p->conn->binding_string));
64 return status;
65 }
66
67 /* Make binding string for netlogon, not the other pipe */
68 status = dcerpc_epm_map_binding(tmp_ctx, b, DCERPC_NETLOGON_UUID, DCERPC_NETLOGON_VERSION);
69 if (!NT_STATUS_IS_OK(status)) {
70 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
71 DCERPC_NETLOGON_UUID, nt_errstr(status)));
72 return status;
73 }
74
75 status = dcerpc_secondary_connection(p, &p2, b);
76 if (!NT_STATUS_IS_OK(status)) {
77 return status;
78 }
79
80 status = dcerpc_bind_auth_none(p2, DCERPC_NETLOGON_UUID,
81 DCERPC_NETLOGON_VERSION);
82 if (!NT_STATUS_IS_OK(status)) {
83 talloc_free(p2);
84 return status;
85 }
86
87 /*
88 step 2 - request a netlogon challenge
89 */
90 r.in.server_name = talloc_asprintf(tmp_ctx, "\\\\%s", dcerpc_server_name(p));
91 r.in.computer_name = cli_credentials_get_workstation(credentials);
92 r.in.credentials = &credentials1;
93 r.out.credentials = &credentials2;
94
95 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
96
97 status = dcerpc_netr_ServerReqChallenge(p2, tmp_ctx, &r);
98 if (!NT_STATUS_IS_OK(status)) {
99 return status;
100 }
101
102 /*
103 step 3 - authenticate on the netlogon pipe
104 */
105 E_md4hash(cli_credentials_get_password(credentials), mach_pwd.hash);
106 creds_client_init(creds, &credentials1, &credentials2,
107 &mach_pwd, &credentials3,
108 negotiate_flags);
109
110 a.in.server_name = r.in.server_name;
111 a.in.account_name = cli_credentials_get_username(credentials);
112 a.in.secure_channel_type = chan_type;
113 a.in.computer_name = cli_credentials_get_workstation(credentials);
114 a.in.negotiate_flags = &negotiate_flags;
115 a.out.negotiate_flags = &negotiate_flags;
116 a.in.credentials = &credentials3;
117 a.out.credentials = &credentials3;
118
119 status = dcerpc_netr_ServerAuthenticate2(p2, tmp_ctx, &a);
120 if (!NT_STATUS_IS_OK(status)) {
121 return status;
122 }
123
124 if (!creds_client_check(creds, a.out.credentials)) {
125 return NT_STATUS_UNSUCCESSFUL;
126 }
127
128 cli_credentials_set_netlogon_creds(credentials, creds);
129
130 /*
131 the schannel session key is now in creds.session_key
132
133 we no longer need the netlogon pipe open
134 */
135 talloc_free(p2);
136
137 return NT_STATUS_OK;
138 }
139
140 NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
141 struct dcerpc_pipe *p,
142 const char *uuid, uint_t version,
143 struct cli_credentials *credentials)
144 {
145 NTSTATUS status;
146 int chan_type = 0;
147
148 if (p->conn->flags & DCERPC_SCHANNEL_BDC) {
149 chan_type = SEC_CHAN_BDC;
150 } else if (p->conn->flags & DCERPC_SCHANNEL_WORKSTATION) {
151 chan_type = SEC_CHAN_WKSTA;
152 } else if (p->conn->flags & DCERPC_SCHANNEL_DOMAIN) {
153 chan_type = SEC_CHAN_DOMAIN;
154 }
155
156 /* Fills in NETLOGON credentials */
157 status = dcerpc_schannel_key(tmp_ctx,
158 p, credentials,
159 chan_type);
160
161 if (!NT_STATUS_IS_OK(status)) {
162 DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
163 cli_credentials_get_username(credentials),
164 nt_errstr(status)));
165 return status;
166 }
167
168 return dcerpc_bind_auth_password(p, uuid, version,
169 credentials, DCERPC_AUTH_TYPE_SCHANNEL,
170 NULL);
171 }
172
reg import