2 Unix SMB/CIFS implementation.
4 dcerpc schannel operations
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Rafal Szczesniak 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "auth/auth.h"
26 #include "libcli/composite/composite.h"
27 #include "libcli/auth/libcli_auth.h"
28 #include "librpc/gen_ndr/ndr_netlogon.h"
29 #include "librpc/gen_ndr/ndr_netlogon_c.h"
30 #include "auth/credentials/credentials.h"
32 struct schannel_key_state {
33 struct dcerpc_pipe *pipe;
34 struct dcerpc_pipe *pipe2;
35 struct dcerpc_binding *binding;
36 struct cli_credentials *credentials;
37 struct creds_CredentialState *creds;
38 uint32_t negotiate_flags;
39 struct netr_Credential credentials1;
40 struct netr_Credential credentials2;
41 struct netr_Credential credentials3;
42 struct netr_ServerReqChallenge r;
43 struct netr_ServerAuthenticate2 a;
44 const struct samr_Password *mach_pwd;
48 static void continue_secondary_connection(struct composite_context *ctx);
49 static void continue_bind_auth_none(struct composite_context *ctx);
50 static void continue_srv_challenge(struct rpc_request *req);
51 static void continue_srv_auth2(struct rpc_request *req);
55 Stage 2 of schannel_key: Receive endpoint mapping and request secondary
58 static void continue_epm_map_binding(struct composite_context *ctx)
60 struct composite_context *c;
61 struct schannel_key_state *s;
62 struct composite_context *sec_conn_req;
64 c = talloc_get_type(ctx->async.private_data, struct composite_context);
65 s = talloc_get_type(c->private_data, struct schannel_key_state);
67 /* receive endpoint mapping */
68 c->status = dcerpc_epm_map_binding_recv(ctx);
69 if (!NT_STATUS_IS_OK(c->status)) {
70 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
71 NDR_NETLOGON_UUID, nt_errstr(c->status)));
72 composite_error(c, c->status);
76 /* send a request for secondary rpc connection */
77 sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
79 if (composite_nomem(sec_conn_req, c)) return;
81 composite_continue(c, sec_conn_req, continue_secondary_connection, c);
86 Stage 3 of schannel_key: Receive secondary rpc connection and perform
87 non-authenticated bind request
89 static void continue_secondary_connection(struct composite_context *ctx)
91 struct composite_context *c;
92 struct schannel_key_state *s;
93 struct composite_context *auth_none_req;
95 c = talloc_get_type(ctx->async.private_data, struct composite_context);
96 s = talloc_get_type(c->private_data, struct schannel_key_state);
98 /* receive secondary rpc connection */
99 c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
100 if (!composite_is_ok(c)) return;
102 talloc_steal(s, s->pipe2);
104 /* initiate a non-authenticated bind */
105 auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &ndr_table_netlogon);
106 if (composite_nomem(auth_none_req, c)) return;
108 composite_continue(c, auth_none_req, continue_bind_auth_none, c);
113 Stage 4 of schannel_key: Receive non-authenticated bind and get
116 static void continue_bind_auth_none(struct composite_context *ctx)
118 struct composite_context *c;
119 struct schannel_key_state *s;
120 struct rpc_request *srv_challenge_req;
122 c = talloc_get_type(ctx->async.private_data, struct composite_context);
123 s = talloc_get_type(c->private_data, struct schannel_key_state);
125 /* receive result of non-authenticated bind request */
126 c->status = dcerpc_bind_auth_none_recv(ctx);
127 if (!composite_is_ok(c)) return;
129 /* prepare a challenge request */
130 s->r.in.server_name = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
131 if (composite_nomem(s->r.in.server_name, c)) return;
132 s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
133 s->r.in.credentials = &s->credentials1;
134 s->r.out.credentials = &s->credentials2;
136 generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
139 request a netlogon challenge - a rpc request over opened secondary pipe
141 srv_challenge_req = dcerpc_netr_ServerReqChallenge_send(s->pipe2, c, &s->r);
142 if (composite_nomem(srv_challenge_req, c)) return;
144 composite_continue_rpc(c, srv_challenge_req, continue_srv_challenge, c);
149 Stage 5 of schannel_key: Receive a challenge and perform authentication
152 static void continue_srv_challenge(struct rpc_request *req)
154 struct composite_context *c;
155 struct schannel_key_state *s;
156 struct rpc_request *srv_auth2_req;
158 c = talloc_get_type(req->async.private_data, struct composite_context);
159 s = talloc_get_type(c->private_data, struct schannel_key_state);
161 /* receive rpc request result - netlogon challenge */
162 c->status = dcerpc_ndr_request_recv(req);
163 if (!composite_is_ok(c)) return;
165 /* prepare credentials for auth2 request */
166 s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
168 creds_client_init(s->creds, &s->credentials1, &s->credentials2,
169 s->mach_pwd, &s->credentials3, s->negotiate_flags);
171 /* auth2 request arguments */
172 s->a.in.server_name = s->r.in.server_name;
173 s->a.in.account_name = cli_credentials_get_username(s->credentials);
174 s->a.in.secure_channel_type =
175 cli_credentials_get_secure_channel_type(s->credentials);
176 s->a.in.computer_name = cli_credentials_get_workstation(s->credentials);
177 s->a.in.negotiate_flags = &s->negotiate_flags;
178 s->a.in.credentials = &s->credentials3;
179 s->a.out.negotiate_flags = &s->negotiate_flags;
180 s->a.out.credentials = &s->credentials3;
183 authenticate on the netlogon pipe - a rpc request over secondary pipe
185 srv_auth2_req = dcerpc_netr_ServerAuthenticate2_send(s->pipe2, c, &s->a);
186 if (composite_nomem(srv_auth2_req, c)) return;
188 composite_continue_rpc(c, srv_auth2_req, continue_srv_auth2, c);
193 Stage 6 of schannel_key: Receive authentication request result and verify
196 static void continue_srv_auth2(struct rpc_request *req)
198 struct composite_context *c;
199 struct schannel_key_state *s;
201 c = talloc_get_type(req->async.private_data, struct composite_context);
202 s = talloc_get_type(c->private_data, struct schannel_key_state);
204 /* receive rpc request result - auth2 credentials */
205 c->status = dcerpc_ndr_request_recv(req);
206 if (!composite_is_ok(c)) return;
208 /* verify credentials */
209 if (!creds_client_check(s->creds, s->a.out.credentials)) {
210 composite_error(c, NT_STATUS_UNSUCCESSFUL);
214 /* setup current netlogon credentials */
215 cli_credentials_set_netlogon_creds(s->credentials, s->creds);
222 Initiate establishing a schannel key using netlogon challenge
225 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
226 struct dcerpc_pipe *p,
227 struct cli_credentials *credentials,
228 struct loadparm_context *lp_ctx)
230 struct composite_context *c;
231 struct schannel_key_state *s;
232 struct composite_context *epm_map_req;
234 /* composite context allocation and setup */
235 c = composite_create(mem_ctx, p->conn->event_ctx);
236 if (c == NULL) return NULL;
238 s = talloc_zero(c, struct schannel_key_state);
239 if (composite_nomem(s, c)) return c;
242 /* store parameters in the state structure */
244 s->credentials = credentials;
246 /* allocate credentials */
247 s->creds = talloc(c, struct creds_CredentialState);
248 if (composite_nomem(s->creds, c)) return c;
250 /* type of authentication depends on schannel type */
251 if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
252 s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
254 s->negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
257 /* allocate binding structure */
258 s->binding = talloc(c, struct dcerpc_binding);
259 if (composite_nomem(s->binding, c)) return c;
261 *s->binding = *s->pipe->binding;
263 /* request the netlogon endpoint mapping */
264 epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
266 s->pipe->conn->event_ctx,
268 if (composite_nomem(epm_map_req, c)) return c;
270 composite_continue(c, epm_map_req, continue_epm_map_binding, c);
276 Receive result of schannel key request
278 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
280 NTSTATUS status = composite_wait(c);
287 struct auth_schannel_state {
288 struct dcerpc_pipe *pipe;
289 struct cli_credentials *credentials;
290 const struct ndr_interface_table *table;
291 struct loadparm_context *lp_ctx;
296 static void continue_bind_auth(struct composite_context *ctx);
300 Stage 2 of auth_schannel: Receive schannel key and intitiate an
301 authenticated bind using received credentials
303 static void continue_schannel_key(struct composite_context *ctx)
305 struct composite_context *auth_req;
306 struct composite_context *c = talloc_get_type(ctx->async.private_data,
307 struct composite_context);
308 struct auth_schannel_state *s = talloc_get_type(c->private_data,
309 struct auth_schannel_state);
311 /* receive schannel key */
312 c->status = dcerpc_schannel_key_recv(ctx);
313 if (!composite_is_ok(c)) {
314 DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
315 cli_credentials_get_username(s->credentials), nt_errstr(c->status)));
319 /* send bind auth request with received creds */
320 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
322 DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
324 if (composite_nomem(auth_req, c)) return;
326 composite_continue(c, auth_req, continue_bind_auth, c);
331 Stage 3 of auth_schannel: Receivce result of authenticated bind
332 and say if we're done ok.
334 static void continue_bind_auth(struct composite_context *ctx)
336 struct composite_context *c = talloc_get_type(ctx->async.private_data,
337 struct composite_context);
339 c->status = dcerpc_bind_auth_recv(ctx);
340 if (!composite_is_ok(c)) return;
347 Initiate schannel authentication request
349 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx,
350 struct dcerpc_pipe *p,
351 const struct ndr_interface_table *table,
352 struct cli_credentials *credentials,
353 struct loadparm_context *lp_ctx,
356 struct composite_context *c;
357 struct auth_schannel_state *s;
358 struct composite_context *schan_key_req;
360 /* composite context allocation and setup */
361 c = composite_create(tmp_ctx, p->conn->event_ctx);
362 if (c == NULL) return NULL;
364 s = talloc_zero(c, struct auth_schannel_state);
365 if (composite_nomem(s, c)) return c;
368 /* store parameters in the state structure */
370 s->credentials = credentials;
372 s->auth_level = auth_level;
375 /* start getting schannel key first */
376 schan_key_req = dcerpc_schannel_key_send(c, p, credentials, lp_ctx);
377 if (composite_nomem(schan_key_req, c)) return c;
379 composite_continue(c, schan_key_req, continue_schannel_key, c);
385 Receive result of schannel authentication request
387 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
389 NTSTATUS status = composite_wait(c);
397 Perform schannel authenticated bind - sync version
399 NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
400 struct dcerpc_pipe *p,
401 const struct ndr_interface_table *table,
402 struct cli_credentials *credentials,
403 struct loadparm_context *lp_ctx,
406 struct composite_context *c;
408 c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials, lp_ctx,
410 return dcerpc_bind_auth_schannel_recv(c);