2 Unix SMB/CIFS implementation.
3 NT Domain Authentication SMB / MSRPC client
4 Copyright (C) Andrew Tridgell 1992-2000
5 Copyright (C) Jeremy Allison 1998.
6 Largely re-written by Jeremy Allison (C) 2005.
7 Copyright (C) Guenther Deschner 2008.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "system/filesys.h"
25 #include "libsmb/libsmb.h"
26 #include "rpc_client/rpc_client.h"
27 #include "rpc_client/cli_pipe.h"
28 #include "../libcli/auth/libcli_auth.h"
29 #include "../libcli/auth/netlogon_creds_cli.h"
30 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "../librpc/gen_ndr/schannel.h"
32 #include "rpc_client/cli_netlogon.h"
33 #include "rpc_client/util_netlogon.h"
34 #include "../libcli/security/security.h"
35 #include "lib/param/param.h"
36 #include "libcli/smb/smbXcli_base.h"
37 #include "dbwrap/dbwrap.h"
38 #include "dbwrap/dbwrap_open.h"
40 #include "lib/crypto/gnutls_helpers.h"
43 NTSTATUS
rpccli_pre_open_netlogon_creds(void)
45 static bool already_open
= false;
47 struct loadparm_context
*lp_ctx
;
49 struct db_context
*global_db
;
56 frame
= talloc_stackframe();
58 lp_ctx
= loadparm_init_s3(frame
, loadparm_s3_helpers());
61 return NT_STATUS_NO_MEMORY
;
64 fname
= lpcfg_private_db_path(frame
, lp_ctx
, "netlogon_creds_cli");
67 return NT_STATUS_NO_MEMORY
;
70 global_db
= db_open(frame
, fname
,
71 0, TDB_CLEAR_IF_FIRST
|TDB_INCOMPATIBLE_HASH
,
72 O_RDWR
|O_CREAT
, 0600, DBWRAP_LOCK_ORDER_2
,
73 DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
);
74 if (global_db
== NULL
) {
76 return NT_STATUS_NO_MEMORY
;
79 status
= netlogon_creds_cli_set_global_db(lp_ctx
, &global_db
);
81 if (!NT_STATUS_IS_OK(status
)) {
89 static NTSTATUS
rpccli_create_netlogon_creds(
90 const char *server_computer
,
91 const char *server_netbios_domain
,
92 const char *server_dns_domain
,
93 const char *client_account
,
94 enum netr_SchannelType sec_chan_type
,
95 struct messaging_context
*msg_ctx
,
97 struct netlogon_creds_cli_context
**netlogon_creds
)
99 TALLOC_CTX
*frame
= talloc_stackframe();
100 struct loadparm_context
*lp_ctx
;
103 status
= rpccli_pre_open_netlogon_creds();
104 if (!NT_STATUS_IS_OK(status
)) {
109 lp_ctx
= loadparm_init_s3(frame
, loadparm_s3_helpers());
110 if (lp_ctx
== NULL
) {
112 return NT_STATUS_NO_MEMORY
;
114 status
= netlogon_creds_cli_context_global(lp_ctx
,
119 server_netbios_domain
,
121 mem_ctx
, netlogon_creds
);
123 if (!NT_STATUS_IS_OK(status
)) {
130 NTSTATUS
rpccli_create_netlogon_creds_ctx(
131 struct cli_credentials
*creds
,
132 const char *server_computer
,
133 struct messaging_context
*msg_ctx
,
135 struct netlogon_creds_cli_context
**creds_ctx
)
137 enum netr_SchannelType sec_chan_type
;
138 const char *server_netbios_domain
;
139 const char *server_dns_domain
;
140 const char *client_account
;
142 sec_chan_type
= cli_credentials_get_secure_channel_type(creds
);
143 client_account
= cli_credentials_get_username(creds
);
144 server_netbios_domain
= cli_credentials_get_domain(creds
);
145 server_dns_domain
= cli_credentials_get_realm(creds
);
147 return rpccli_create_netlogon_creds(server_computer
,
148 server_netbios_domain
,
156 static NTSTATUS
rpccli_setup_netlogon_creds_locked(
157 struct cli_state
*cli
,
158 enum dcerpc_transport_t transport
,
159 const char *remote_name
,
160 const struct sockaddr_storage
*remote_sockaddr
,
161 struct netlogon_creds_cli_context
*creds_ctx
,
163 struct cli_credentials
*cli_creds
,
165 struct rpc_pipe_client
**_netlogon_pipe
,
166 uint32_t *negotiate_flags
)
168 TALLOC_CTX
*frame
= talloc_stackframe();
169 struct rpc_pipe_client
*netlogon_pipe
= NULL
;
170 struct netlogon_creds_CredentialState
*creds
= NULL
;
171 uint8_t num_nt_hashes
= 0;
172 const struct samr_Password
*nt_hashes
[2] = { NULL
, NULL
};
173 uint8_t idx_nt_hashes
= 0;
176 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
177 if (NT_STATUS_IS_OK(status
)) {
178 const char *action
= "using";
181 action
= "overwrite";
184 DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n",
185 __FUNCTION__
, action
,
186 creds
->account_name
, creds
->computer_name
,
194 nt_hashes
[0] = cli_credentials_get_nt_hash(cli_creds
, talloc_tos());
195 if (nt_hashes
[0] == NULL
) {
197 return NT_STATUS_NO_MEMORY
;
201 nt_hashes
[1] = cli_credentials_get_old_nt_hash(cli_creds
,
203 if (nt_hashes
[1] != NULL
) {
207 status
= cli_rpc_pipe_open_noauth_transport(cli
,
213 if (!NT_STATUS_IS_OK(status
)) {
214 DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
221 talloc_steal(frame
, netlogon_pipe
);
223 status
= netlogon_creds_cli_auth(creds_ctx
,
224 netlogon_pipe
->binding_handle
,
228 if (!NT_STATUS_IS_OK(status
)) {
233 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
234 if (!NT_STATUS_IS_OK(status
)) {
236 return NT_STATUS_INTERNAL_ERROR
;
239 DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n",
241 creds
->account_name
, creds
->computer_name
,
245 if (_netlogon_pipe
!= NULL
) {
246 *_netlogon_pipe
= talloc_move(mem_ctx
, &netlogon_pipe
);
249 if (negotiate_flags
!= NULL
) {
250 *negotiate_flags
= creds
->negotiate_flags
;
257 NTSTATUS
rpccli_setup_netlogon_creds(
258 struct cli_state
*cli
,
259 enum dcerpc_transport_t transport
,
260 const char *remote_name
,
261 const struct sockaddr_storage
*remote_sockaddr
,
262 struct netlogon_creds_cli_context
*creds_ctx
,
264 struct cli_credentials
*cli_creds
)
266 TALLOC_CTX
*frame
= talloc_stackframe();
267 struct netlogon_creds_cli_lck
*lck
;
270 status
= netlogon_creds_cli_lck(
271 creds_ctx
, NETLOGON_CREDS_CLI_LCK_EXCLUSIVE
,
273 if (!NT_STATUS_IS_OK(status
)) {
274 DBG_WARNING("netlogon_creds_cli_lck failed: %s\n",
280 status
= rpccli_setup_netlogon_creds_locked(cli
,
296 NTSTATUS
rpccli_connect_netlogon(
297 struct cli_state
*cli
,
298 enum dcerpc_transport_t transport
,
299 const char *remote_name
,
300 const struct sockaddr_storage
*remote_sockaddr
,
301 struct netlogon_creds_cli_context
*creds_ctx
,
303 struct cli_credentials
*trust_creds
,
304 struct rpc_pipe_client
**_rpccli
)
306 TALLOC_CTX
*frame
= talloc_stackframe();
307 struct netlogon_creds_CredentialState
*creds
= NULL
;
308 enum netlogon_creds_cli_lck_type lck_type
;
309 enum netr_SchannelType sec_chan_type
;
310 struct netlogon_creds_cli_lck
*lck
= NULL
;
311 uint32_t negotiate_flags
;
312 uint8_t found_session_key
[16] = {0};
313 bool found_existing_creds
= false;
315 struct rpc_pipe_client
*rpccli
;
319 sec_chan_type
= cli_credentials_get_secure_channel_type(trust_creds
);
320 if (sec_chan_type
== SEC_CHAN_NULL
) {
321 DBG_ERR("secure_channel_type gave SEC_CHAN_NULL\n");
322 status
= NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
329 * See whether we can use existing netlogon_creds or
330 * whether we have to serverauthenticate.
332 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
334 if (NT_STATUS_IS_OK(status
)) {
335 bool cmp
= mem_equal_const_time(found_session_key
,
337 sizeof(found_session_key
));
338 found_existing_creds
= !cmp
;
340 memcpy(found_session_key
,
342 sizeof(found_session_key
));
347 lck_type
= (force_reauth
|| !found_existing_creds
) ?
348 NETLOGON_CREDS_CLI_LCK_EXCLUSIVE
:
349 NETLOGON_CREDS_CLI_LCK_SHARED
;
351 status
= netlogon_creds_cli_lck(creds_ctx
, lck_type
, frame
, &lck
);
352 if (!NT_STATUS_IS_OK(status
)) {
353 DBG_DEBUG("netlogon_creds_cli_lck failed: %s\n",
358 if (!found_existing_creds
) {
360 * Try to find creds under the lock again. Someone
361 * else might have done it for us.
363 status
= netlogon_creds_cli_get(creds_ctx
, frame
, &creds
);
365 if (NT_STATUS_IS_OK(status
)) {
366 bool cmp
= mem_equal_const_time(found_session_key
,
368 sizeof(found_session_key
));
369 found_existing_creds
= !cmp
;
371 memcpy(found_session_key
, creds
->session_key
,
372 sizeof(found_session_key
));
378 do_serverauth
= force_reauth
|| !found_existing_creds
;
380 if (!do_serverauth
) {
382 * Do the quick schannel bind without a reauth
384 status
= cli_rpc_pipe_open_bind_schannel(cli
,
391 if (!retry
&& NT_STATUS_EQUAL(status
, NT_STATUS_NETWORK_ACCESS_DENIED
)) {
392 DBG_DEBUG("Retrying with serverauthenticate\n");
398 if (!NT_STATUS_IS_OK(status
)) {
399 DBG_DEBUG("cli_rpc_pipe_open_bind_schannel "
400 "failed: %s\n", nt_errstr(status
));
406 if (cli_credentials_is_anonymous(trust_creds
)) {
407 DBG_WARNING("get_trust_credential for %s only gave anonymous,"
408 "unable to negotiate NETLOGON credentials\n",
409 netlogon_creds_cli_debug_string(
411 status
= NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
415 status
= rpccli_setup_netlogon_creds_locked(cli
,
425 if (!NT_STATUS_IS_OK(status
)) {
426 DBG_DEBUG("rpccli_setup_netlogon_creds failed for %s, "
427 "unable to setup NETLOGON credentials: %s\n",
428 netlogon_creds_cli_debug_string(
433 talloc_steal(frame
, rpccli
);
435 if (!(negotiate_flags
& NETLOGON_NEG_AUTHENTICATED_RPC
)) {
436 if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
437 status
= NT_STATUS_DOWNGRADE_DETECTED
;
438 DBG_WARNING("Unwilling to make connection to %s"
439 "without connection level security, "
440 "must set 'winbind sealed pipes = false'"
441 " and 'require strong key = false' "
443 netlogon_creds_cli_debug_string(
450 * we keep the AUTH_TYPE_NONE rpccli for the
456 status
= cli_rpc_pipe_client_prepare_alter(rpccli
,
457 true, /* new_auth_context */
459 false); /* new_pres_context */
460 if (!NT_STATUS_IS_OK(status
)) {
461 DBG_WARNING("cli_rpc_pipe_client_prepare_alter "
462 "failed: %s\n", nt_errstr(status
));
466 status
= cli_rpc_pipe_client_auth_schannel(rpccli
,
469 if (!NT_STATUS_IS_OK(status
)) {
470 DBG_DEBUG("cli_rpc_pipe_client_auth_schannel "
471 "failed: %s\n", nt_errstr(status
));
475 status
= netlogon_creds_cli_check(creds_ctx
, rpccli
->binding_handle
,
477 if (!NT_STATUS_IS_OK(status
)) {
478 DBG_WARNING("netlogon_creds_cli_check failed: %s\n",
484 *_rpccli
= talloc_move(NULL
, &rpccli
);
485 status
= NT_STATUS_OK
;
487 ZERO_STRUCT(found_session_key
);
493 /* Logon domain user */
495 NTSTATUS
rpccli_netlogon_password_logon(
496 struct netlogon_creds_cli_context
*creds_ctx
,
497 struct dcerpc_binding_handle
*binding_handle
,
499 uint32_t logon_parameters
,
501 const char *username
,
502 const char *password
,
503 const char *workstation
,
504 const uint64_t logon_id
,
505 enum netr_LogonInfoClass logon_type
,
506 uint8_t *authoritative
,
508 uint16_t *_validation_level
,
509 union netr_Validation
**_validation
)
511 TALLOC_CTX
*frame
= talloc_stackframe();
513 union netr_LogonLevel
*logon
;
514 uint16_t validation_level
= 0;
515 union netr_Validation
*validation
= NULL
;
516 char *workstation_slash
= NULL
;
518 unsigned char local_nt_response
[24];
519 unsigned char local_lm_response
[24];
520 struct samr_Password lmpassword
= {.hash
= {0}};
521 struct samr_Password ntpassword
= {.hash
= {0}};
522 struct netr_ChallengeResponse lm
= {0};
523 struct netr_ChallengeResponse nt
= {0};
525 logon
= talloc_zero(frame
, union netr_LogonLevel
);
528 return NT_STATUS_NO_MEMORY
;
531 if (workstation
== NULL
) {
532 workstation
= lp_netbios_name();
535 workstation_slash
= talloc_asprintf(frame
, "\\\\%s", workstation
);
536 if (workstation_slash
== NULL
) {
538 return NT_STATUS_NO_MEMORY
;
541 /* Initialise input parameters */
543 switch (logon_type
) {
544 case NetlogonInteractiveInformation
:
545 case NetlogonInteractiveTransitiveInformation
: {
547 struct netr_PasswordInfo
*password_info
;
550 password_info
= talloc_zero(frame
, struct netr_PasswordInfo
);
551 if (password_info
== NULL
) {
553 return NT_STATUS_NO_MEMORY
;
556 nt_lm_owf_gen(password
, ntpassword
.hash
, lmpassword
.hash
);
558 password_info
->identity_info
.domain_name
.string
= domain
;
559 password_info
->identity_info
.parameter_control
= logon_parameters
;
560 password_info
->identity_info
.logon_id
= logon_id
;
561 password_info
->identity_info
.account_name
.string
= username
;
562 password_info
->identity_info
.workstation
.string
= workstation_slash
;
564 password_info
->lmpassword
= lmpassword
;
565 password_info
->ntpassword
= ntpassword
;
567 logon
->password
= password_info
;
571 case NetlogonNetworkInformation
:
572 case NetlogonNetworkTransitiveInformation
: {
573 struct netr_NetworkInfo
*network_info
;
580 network_info
= talloc_zero(frame
, struct netr_NetworkInfo
);
581 if (network_info
== NULL
) {
583 return NT_STATUS_NO_MEMORY
;
586 generate_random_buffer(chal
, 8);
588 SMBencrypt(password
, chal
, local_lm_response
);
589 rc
= SMBNTencrypt(password
, chal
, local_nt_response
);
592 return gnutls_error_to_ntstatus(rc
, NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER
);
596 lm
.data
= local_lm_response
;
599 nt
.data
= local_nt_response
;
601 network_info
->identity_info
.domain_name
.string
= domain
;
602 network_info
->identity_info
.parameter_control
= logon_parameters
;
603 network_info
->identity_info
.logon_id
= logon_id
;
604 network_info
->identity_info
.account_name
.string
= username
;
605 network_info
->identity_info
.workstation
.string
= workstation_slash
;
607 memcpy(network_info
->challenge
, chal
, 8);
608 network_info
->nt
= nt
;
609 network_info
->lm
= lm
;
611 logon
->network
= network_info
;
616 DEBUG(0, ("switch value %d not supported\n",
619 return NT_STATUS_INVALID_INFO_CLASS
;
622 status
= netlogon_creds_cli_LogonSamLogon(creds_ctx
,
631 if (!NT_STATUS_IS_OK(status
)) {
637 *_validation_level
= validation_level
;
638 *_validation
= validation
;
644 * Logon domain user with an 'network' SAM logon
646 * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller.
650 NTSTATUS
rpccli_netlogon_network_logon(
651 struct netlogon_creds_cli_context
*creds_ctx
,
652 struct dcerpc_binding_handle
*binding_handle
,
654 uint32_t logon_parameters
,
655 const char *username
,
657 const char *workstation
,
658 const uint64_t logon_id
,
660 DATA_BLOB lm_response
,
661 DATA_BLOB nt_response
,
662 enum netr_LogonInfoClass logon_type
,
663 uint8_t *authoritative
,
665 uint16_t *_validation_level
,
666 union netr_Validation
**_validation
)
669 const char *workstation_name_slash
;
670 union netr_LogonLevel
*logon
= NULL
;
671 struct netr_NetworkInfo
*network_info
;
672 uint16_t validation_level
= 0;
673 union netr_Validation
*validation
= NULL
;
674 struct netr_ChallengeResponse lm
;
675 struct netr_ChallengeResponse nt
;
682 switch (logon_type
) {
683 case NetlogonNetworkInformation
:
684 case NetlogonNetworkTransitiveInformation
:
687 DEBUG(0, ("switch value %d not supported\n",
689 return NT_STATUS_INVALID_INFO_CLASS
;
692 logon
= talloc_zero(mem_ctx
, union netr_LogonLevel
);
694 return NT_STATUS_NO_MEMORY
;
697 network_info
= talloc_zero(mem_ctx
, struct netr_NetworkInfo
);
699 return NT_STATUS_NO_MEMORY
;
702 if (workstation
== NULL
) {
703 workstation
= lp_netbios_name();
706 if (workstation
[0] != '\\' && workstation
[1] != '\\') {
707 workstation_name_slash
= talloc_asprintf(mem_ctx
, "\\\\%s", workstation
);
709 workstation_name_slash
= workstation
;
712 if (!workstation_name_slash
) {
713 DEBUG(0, ("talloc_asprintf failed!\n"));
714 return NT_STATUS_NO_MEMORY
;
717 /* Initialise input parameters */
719 lm
.data
= lm_response
.data
;
720 lm
.length
= lm_response
.length
;
721 nt
.data
= nt_response
.data
;
722 nt
.length
= nt_response
.length
;
724 network_info
->identity_info
.domain_name
.string
= domain
;
725 network_info
->identity_info
.parameter_control
= logon_parameters
;
726 network_info
->identity_info
.logon_id
= logon_id
;
727 network_info
->identity_info
.account_name
.string
= username
;
728 network_info
->identity_info
.workstation
.string
= workstation_name_slash
;
730 if (chal
.length
!= 8) {
731 DBG_WARNING("Invalid challenge length %zd\n", chal
.length
);
732 return NT_STATUS_INVALID_PARAMETER
;
735 memcpy(network_info
->challenge
, chal
.data
, chal
.length
);
736 network_info
->nt
= nt
;
737 network_info
->lm
= lm
;
739 logon
->network
= network_info
;
741 /* Marshall data and send request */
743 status
= netlogon_creds_cli_LogonSamLogon(creds_ctx
,
752 if (!NT_STATUS_IS_OK(status
)) {
756 *_validation_level
= validation_level
;
757 *_validation
= validation
;
762 NTSTATUS
rpccli_netlogon_interactive_logon(
763 struct netlogon_creds_cli_context
*creds_ctx
,
764 struct dcerpc_binding_handle
*binding_handle
,
766 uint32_t logon_parameters
,
767 const char *username
,
769 const char *workstation
,
770 const uint64_t logon_id
,
773 enum netr_LogonInfoClass logon_type
,
774 uint8_t *authoritative
,
776 uint16_t *_validation_level
,
777 union netr_Validation
**_validation
)
779 TALLOC_CTX
*frame
= talloc_stackframe();
781 const char *workstation_name_slash
;
782 union netr_LogonLevel
*logon
= NULL
;
783 struct netr_PasswordInfo
*password_info
= NULL
;
784 uint16_t validation_level
= 0;
785 union netr_Validation
*validation
= NULL
;
786 struct netr_ChallengeResponse lm
;
787 struct netr_ChallengeResponse nt
;
794 switch (logon_type
) {
795 case NetlogonInteractiveInformation
:
796 case NetlogonInteractiveTransitiveInformation
:
799 DEBUG(0, ("switch value %d not supported\n",
802 return NT_STATUS_INVALID_INFO_CLASS
;
805 logon
= talloc_zero(mem_ctx
, union netr_LogonLevel
);
808 return NT_STATUS_NO_MEMORY
;
811 password_info
= talloc_zero(logon
, struct netr_PasswordInfo
);
812 if (password_info
== NULL
) {
814 return NT_STATUS_NO_MEMORY
;
817 if (workstation
[0] != '\\' && workstation
[1] != '\\') {
818 workstation_name_slash
= talloc_asprintf(frame
, "\\\\%s", workstation
);
820 workstation_name_slash
= workstation
;
823 if (workstation_name_slash
== NULL
) {
825 return NT_STATUS_NO_MEMORY
;
828 /* Initialise input parameters */
830 password_info
->identity_info
.domain_name
.string
= domain
;
831 password_info
->identity_info
.parameter_control
= logon_parameters
;
832 password_info
->identity_info
.logon_id
= logon_id
;
833 password_info
->identity_info
.account_name
.string
= username
;
834 password_info
->identity_info
.workstation
.string
= workstation_name_slash
;
836 if (nt_hash
.length
!= sizeof(password_info
->ntpassword
.hash
)) {
838 return NT_STATUS_INVALID_PARAMETER
;
840 memcpy(password_info
->ntpassword
.hash
, nt_hash
.data
, nt_hash
.length
);
841 if (lm_hash
.length
!= 0) {
842 if (lm_hash
.length
!= sizeof(password_info
->lmpassword
.hash
)) {
844 return NT_STATUS_INVALID_PARAMETER
;
846 memcpy(password_info
->lmpassword
.hash
, lm_hash
.data
, lm_hash
.length
);
849 logon
->password
= password_info
;
851 /* Marshall data and send request */
853 status
= netlogon_creds_cli_LogonSamLogon(creds_ctx
,
862 if (!NT_STATUS_IS_OK(status
)) {
867 *_validation_level
= validation_level
;
868 *_validation
= validation
;