dcerpc schannel operations
Copyright (C) Andrew Tridgell 2004
-
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
*/
#include "includes.h"
+#include "auth/auth.h"
/*
- wrappers for the schannel_*() functions
-*/
-static NTSTATUS schan_unseal_packet(struct dcerpc_security *dcerpc_security,
- uchar *data, size_t length, DATA_BLOB *sig)
-{
- struct schannel_state *schannel_state = dcerpc_security->private;
- return schannel_unseal_packet(schannel_state, data, length, sig);
-}
-
-static NTSTATUS schan_check_packet(struct dcerpc_security *dcerpc_security,
- const uchar *data, size_t length,
- const DATA_BLOB *sig)
-{
- struct schannel_state *schannel_state = dcerpc_security->private;
- return schannel_check_packet(schannel_state, data, length, sig);
-}
-
-static NTSTATUS schan_seal_packet(struct dcerpc_security *dcerpc_security,
- uchar *data, size_t length,
- DATA_BLOB *sig)
-{
- struct schannel_state *schannel_state = dcerpc_security->private;
- return schannel_seal_packet(schannel_state, data, length, sig);
-}
-
-static NTSTATUS schan_sign_packet(struct dcerpc_security *dcerpc_security,
- const uchar *data, size_t length,
- DATA_BLOB *sig)
-{
- struct schannel_state *schannel_state = dcerpc_security->private;
- return schannel_sign_packet(schannel_state, data, length, sig);
-}
-
-static void schan_security_end(struct dcerpc_security *dcerpc_security)
-{
- struct schannel_state *schannel_state = dcerpc_security->private;
- return schannel_end(&schannel_state);
-}
-
-
-/*
- do a schannel style bind on a dcerpc pipe. The username is usually
- of the form HOSTNAME$ and the password is the domain trust password
+ get a schannel key using a netlogon challenge on a secondary pipe
*/
-NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
- const char *uuid, unsigned version,
- const char *domain,
- const char *username,
- const char *password)
+static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx,
+ struct dcerpc_pipe *p,
+ struct cli_credentials *credentials)
{
NTSTATUS status;
+ struct dcerpc_binding *b;
struct dcerpc_pipe *p2;
struct netr_ServerReqChallenge r;
struct netr_ServerAuthenticate2 a;
- uint8 mach_pwd[16];
- uint8 session_key[16];
- struct netr_CredentialState creds;
- struct schannel_state *schannel_state;
- const char *workgroup, *workstation;
- uint32 negotiate_flags = 0;
+ struct netr_Credential credentials1, credentials2, credentials3;
+ const struct samr_Password *mach_pwd;
+ uint32_t negotiate_flags;
+ struct creds_CredentialState *creds;
+ creds = talloc(tmp_ctx, struct creds_CredentialState);
+ if (!creds) {
+ return NT_STATUS_NO_MEMORY;
+ }
- workstation = username;
- workgroup = domain;
+ if (p->conn->flags & DCERPC_SCHANNEL_128) {
+ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ } else {
+ negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
+ }
/*
step 1 - establish a netlogon connection, with no authentication
*/
- status = dcerpc_secondary_smb(p, &p2,
- DCERPC_NETLOGON_NAME,
- DCERPC_NETLOGON_UUID,
- DCERPC_NETLOGON_VERSION);
+ /* Find the original binding string */
+ status = dcerpc_parse_binding(tmp_ctx, p->conn->binding_string, &b);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("Failed to parse dcerpc binding '%s'\n", p->conn->binding_string));
+ return status;
+ }
+
+ /* Make binding string for netlogon, not the other pipe */
+ status = dcerpc_epm_map_binding(tmp_ctx, b,
+ &dcerpc_table_netlogon,
+ p->conn->event_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
+ DCERPC_NETLOGON_UUID, nt_errstr(status)));
+ return status;
+ }
+
+ status = dcerpc_secondary_connection(p, &p2, b);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = dcerpc_bind_auth_none(p2, &dcerpc_table_netlogon);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(p2);
+ return status;
+ }
/*
step 2 - request a netlogon challenge
*/
- r.in.server_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dcerpc_server_name(p));
- r.in.computer_name = workstation;
- generate_random_buffer(r.in.credentials.data, sizeof(r.in.credentials.data), False);
+ r.in.server_name = talloc_asprintf(tmp_ctx, "\\\\%s", dcerpc_server_name(p));
+ r.in.computer_name = cli_credentials_get_workstation(credentials);
+ r.in.credentials = &credentials1;
+ r.out.credentials = &credentials2;
+
+ generate_random_buffer(credentials1.data, sizeof(credentials1.data));
- status = dcerpc_netr_ServerReqChallenge(p2, p->mem_ctx, &r);
+ status = dcerpc_netr_ServerReqChallenge(p2, tmp_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/*
step 3 - authenticate on the netlogon pipe
*/
- E_md4hash(password, mach_pwd);
- creds_client_init(&creds, &r.in.credentials, &r.out.credentials, mach_pwd,
- &a.in.credentials);
+ mach_pwd = cli_credentials_get_nt_hash(credentials, tmp_ctx);
+
+ creds_client_init(creds, &credentials1, &credentials2,
+ mach_pwd, &credentials3,
+ negotiate_flags);
a.in.server_name = r.in.server_name;
- a.in.username = talloc_asprintf(p->mem_ctx, "%s$", workstation);
- if (lp_server_role() == ROLE_DOMAIN_BDC) {
- a.in.secure_channel_type = SEC_CHAN_BDC;
- } else {
- a.in.secure_channel_type = SEC_CHAN_WKSTA;
- }
- a.in.computer_name = workstation;
+ a.in.account_name = cli_credentials_get_username(credentials);
+ a.in.secure_channel_type =
+ cli_credentials_get_secure_channel_type(credentials);
+ a.in.computer_name = cli_credentials_get_workstation(credentials);
a.in.negotiate_flags = &negotiate_flags;
a.out.negotiate_flags = &negotiate_flags;
+ a.in.credentials = &credentials3;
+ a.out.credentials = &credentials3;
- status = dcerpc_netr_ServerAuthenticate2(p2, p->mem_ctx, &a);
+ status = dcerpc_netr_ServerAuthenticate2(p2, tmp_ctx, &a);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- if (!creds_client_check(&creds, &a.out.credentials)) {
+
+ if (!creds_client_check(creds, a.out.credentials)) {
return NT_STATUS_UNSUCCESSFUL;
}
+ cli_credentials_set_netlogon_creds(credentials, creds);
+
/*
the schannel session key is now in creds.session_key
- */
-
- /*
- step 4 - perform a bind with security type schannel
+ we no longer need the netlogon pipe open
*/
- p->auth_info = talloc(p->mem_ctx, sizeof(*p->auth_info));
- if (!p->auth_info) {
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- p->auth_info->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
-
- if (p->flags & DCERPC_SEAL) {
- p->auth_info->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
- } else {
- /* note that DCERPC_AUTH_LEVEL_NONE does not make any
- sense, and would be rejected by the server */
- p->auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
- }
- p->auth_info->auth_pad_length = 0;
- p->auth_info->auth_reserved = 0;
- p->auth_info->auth_context_id = random();
- p->security_state = NULL;
-
- p->auth_info->credentials = data_blob_talloc(p->mem_ctx,
- NULL,
- 8 +
- strlen(workgroup)+1 +
- strlen(workstation)+1);
- if (!p->auth_info->credentials.data) {
- return NT_STATUS_NO_MEMORY;
- }
-
- /* oh, this is ugly! */
- SIVAL(p->auth_info->credentials.data, 0, 0);
- SIVAL(p->auth_info->credentials.data, 4, 3);
- memcpy(p->auth_info->credentials.data+8, workgroup, strlen(workgroup)+1);
- memcpy(p->auth_info->credentials.data+8+strlen(workgroup)+1,
- workstation, strlen(workstation)+1);
-
- /* send the authenticated bind request */
- status = dcerpc_bind_byuuid(p, p->mem_ctx, uuid, version);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
+ talloc_free(p2);
- p->security_state = talloc_p(p->mem_ctx, struct dcerpc_security);
- if (!p->security_state) {
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
+ return NT_STATUS_OK;
+}
- schannel_state = talloc_p(p->mem_ctx, struct schannel_state);
- if (!schannel_state) {
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
+NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
+ struct dcerpc_pipe *p,
+ const struct dcerpc_interface_table *table,
+ struct cli_credentials *credentials)
+{
+ NTSTATUS status;
- memcpy(session_key, creds.session_key, 8);
- memset(session_key+8, 0, 8);
+ /* Fills in NETLOGON credentials */
+ status = dcerpc_schannel_key(tmp_ctx,
+ p, credentials);
- status = schannel_start(&schannel_state, session_key, True);
if (!NT_STATUS_IS_OK(status)) {
- goto done;
+ DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
+ cli_credentials_get_username(credentials),
+ nt_errstr(status)));
+ return status;
}
- dump_data_pw("session key:\n", schannel_state->session_key, 16);
-
- p->security_state->private = schannel_state;
- p->security_state->unseal_packet = schan_unseal_packet;
- p->security_state->check_packet = schan_check_packet;
- p->security_state->seal_packet = schan_seal_packet;
- p->security_state->sign_packet = schan_sign_packet;
- p->security_state->security_end = schan_security_end;
-
-done:
- return status;
+ return dcerpc_bind_auth(p, table, credentials, DCERPC_AUTH_TYPE_SCHANNEL,
+ NULL);
}