2 Unix SMB/CIFS implementation.
3 NT Domain Authentication SMB / MSRPC client
4 Copyright (C) Andrew Tridgell 1992-2000
5 Copyright (C) Jeremy Allison 1998.
6 Largely re-written by Jeremy Allison (C) 2005.
7 Copyright (C) Guenther Deschner 2008.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "../libcli/auth/libcli_auth.h"
25 #include "../librpc/gen_ndr/cli_netlogon.h"
27 /****************************************************************************
28 Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
29 credentials chain. Stores the credentials in the struct dcinfo in the
31 ****************************************************************************/
33 NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
34 const char *server_name,
36 const char *clnt_name,
37 const char *machine_account,
38 const unsigned char machine_pwd[16],
39 enum netr_SchannelType sec_chan_type,
40 uint32_t *neg_flags_inout)
42 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
43 struct netr_Credential clnt_chal_send;
44 struct netr_Credential srv_chal_recv;
45 struct samr_Password password;
48 uint32_t neg_flags = *neg_flags_inout;
50 if (!ndr_syntax_id_equal(&cli->abstract_syntax,
51 &ndr_table_netlogon.syntax_id)) {
52 return NT_STATUS_INVALID_PARAMETER;
57 /* Store the machine account password we're going to use. */
58 memcpy(password.hash, machine_pwd, 16);
60 fstr_sprintf( mach_acct, "%s$", machine_account);
63 /* Create the client challenge. */
64 generate_random_buffer(clnt_chal_send.data, 8);
66 /* Get the server challenge. */
67 result = rpccli_netr_ServerReqChallenge(cli, talloc_tos(),
72 if (!NT_STATUS_IS_OK(result)) {
76 /* Calculate the session key and client credentials */
78 cli->dc = netlogon_creds_client_init(cli,
88 return NT_STATUS_NO_MEMORY;
92 * Send client auth-2 challenge and receive server repy.
95 result = rpccli_netr_ServerAuthenticate2(cli, talloc_tos(),
97 cli->dc->account_name,
99 cli->dc->computer_name,
100 &clnt_chal_send, /* input. */
101 &srv_chal_recv, /* output. */
104 /* we might be talking to NT4, so let's downgrade in that case and retry
105 * with the returned neg_flags - gd */
107 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && !retried) {
109 TALLOC_FREE(cli->dc);
113 if (!NT_STATUS_IS_OK(result)) {
118 * Check the returned value using the initial
119 * server received challenge.
122 if (!netlogon_creds_client_check(cli->dc, &srv_chal_recv)) {
124 * Server replied with bad credential. Fail.
126 DEBUG(0,("rpccli_netlogon_setup_creds: server %s "
127 "replied with bad credential\n",
129 return NT_STATUS_ACCESS_DENIED;
132 DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
133 "chain established.\n",
136 cli->dc->negotiate_flags = neg_flags;
137 *neg_flags_inout = neg_flags;
142 /* Logon domain user */
144 NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
146 uint32 logon_parameters,
148 const char *username,
149 const char *password,
150 const char *workstation,
153 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
154 struct netr_Authenticator clnt_creds;
155 struct netr_Authenticator ret_creds;
156 union netr_LogonLevel *logon;
157 union netr_Validation validation;
158 uint8_t authoritative;
159 int validation_level = 3;
160 fstring clnt_name_slash;
163 ZERO_STRUCT(ret_creds);
166 logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonLevel);
168 return NT_STATUS_NO_MEMORY;
172 fstr_sprintf( clnt_name_slash, "\\\\%s", workstation );
174 fstr_sprintf( clnt_name_slash, "\\\\%s", global_myname() );
177 /* Initialise input parameters */
179 netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
181 switch (logon_type) {
182 case NetlogonInteractiveInformation: {
184 struct netr_PasswordInfo *password_info;
186 struct samr_Password lmpassword;
187 struct samr_Password ntpassword;
189 password_info = TALLOC_ZERO_P(mem_ctx, struct netr_PasswordInfo);
190 if (!password_info) {
191 return NT_STATUS_NO_MEMORY;
194 nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
196 if (cli->dc->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
197 netlogon_creds_arcfour_crypt(cli->dc, lmpassword.hash, 16);
198 netlogon_creds_arcfour_crypt(cli->dc, ntpassword.hash, 16);
200 netlogon_creds_des_encrypt(cli->dc, &lmpassword);
201 netlogon_creds_des_encrypt(cli->dc, &ntpassword);
204 password_info->identity_info.domain_name.string = domain;
205 password_info->identity_info.parameter_control = logon_parameters;
206 password_info->identity_info.logon_id_low = 0xdead;
207 password_info->identity_info.logon_id_high = 0xbeef;
208 password_info->identity_info.account_name.string = username;
209 password_info->identity_info.workstation.string = clnt_name_slash;
211 password_info->lmpassword = lmpassword;
212 password_info->ntpassword = ntpassword;
214 logon->password = password_info;
218 case NetlogonNetworkInformation: {
219 struct netr_NetworkInfo *network_info;
221 unsigned char local_lm_response[24];
222 unsigned char local_nt_response[24];
223 struct netr_ChallengeResponse lm;
224 struct netr_ChallengeResponse nt;
229 network_info = TALLOC_ZERO_P(mem_ctx, struct netr_NetworkInfo);
231 return NT_STATUS_NO_MEMORY;
234 generate_random_buffer(chal, 8);
236 SMBencrypt(password, chal, local_lm_response);
237 SMBNTencrypt(password, chal, local_nt_response);
240 lm.data = local_lm_response;
243 nt.data = local_nt_response;
245 network_info->identity_info.domain_name.string = domain;
246 network_info->identity_info.parameter_control = logon_parameters;
247 network_info->identity_info.logon_id_low = 0xdead;
248 network_info->identity_info.logon_id_high = 0xbeef;
249 network_info->identity_info.account_name.string = username;
250 network_info->identity_info.workstation.string = clnt_name_slash;
252 memcpy(network_info->challenge, chal, 8);
253 network_info->nt = nt;
254 network_info->lm = lm;
256 logon->network = network_info;
261 DEBUG(0, ("switch value %d not supported\n",
263 return NT_STATUS_INVALID_INFO_CLASS;
266 result = rpccli_netr_LogonSamLogon(cli, mem_ctx,
277 /* Always check returned credentials */
278 if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
279 DEBUG(0,("rpccli_netlogon_sam_logon: credentials chain check failed\n"));
280 return NT_STATUS_ACCESS_DENIED;
286 #define COPY_LSA_STRING(mem_ctx, in, out, name) do { \
287 if (in->name.string) { \
288 out->name.string = talloc_strdup(mem_ctx, in->name.string); \
289 NT_STATUS_HAVE_NO_MEMORY(out->name.string); \
293 static NTSTATUS copy_netr_SamBaseInfo(TALLOC_CTX *mem_ctx,
294 const struct netr_SamBaseInfo *in,
295 struct netr_SamBaseInfo *out)
297 /* first copy all, then realloc pointers */
300 COPY_LSA_STRING(mem_ctx, in, out, account_name);
301 COPY_LSA_STRING(mem_ctx, in, out, full_name);
302 COPY_LSA_STRING(mem_ctx, in, out, logon_script);
303 COPY_LSA_STRING(mem_ctx, in, out, profile_path);
304 COPY_LSA_STRING(mem_ctx, in, out, home_directory);
305 COPY_LSA_STRING(mem_ctx, in, out, home_drive);
307 if (in->groups.count) {
308 out->groups.rids = (struct samr_RidWithAttribute *)
309 talloc_memdup(mem_ctx, in->groups.rids,
310 (sizeof(struct samr_RidWithAttribute) *
312 NT_STATUS_HAVE_NO_MEMORY(out->groups.rids);
315 COPY_LSA_STRING(mem_ctx, in, out, logon_server);
316 COPY_LSA_STRING(mem_ctx, in, out, domain);
318 if (in->domain_sid) {
319 out->domain_sid = sid_dup_talloc(mem_ctx, in->domain_sid);
320 NT_STATUS_HAVE_NO_MEMORY(out->domain_sid);
326 static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
327 uint16_t validation_level,
328 union netr_Validation *validation,
329 struct netr_SamInfo3 **info3_p)
331 struct netr_SamInfo3 *info3;
334 if (validation == NULL) {
335 return NT_STATUS_INVALID_PARAMETER;
338 switch (validation_level) {
340 if (validation->sam3 == NULL) {
341 return NT_STATUS_INVALID_PARAMETER;
344 info3 = talloc_move(mem_ctx, &validation->sam3);
347 if (validation->sam6 == NULL) {
348 return NT_STATUS_INVALID_PARAMETER;
351 info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
353 return NT_STATUS_NO_MEMORY;
355 status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
356 if (!NT_STATUS_IS_OK(status)) {
361 info3->sidcount = validation->sam6->sidcount;
362 info3->sids = talloc_move(info3, &validation->sam6->sids);
365 return NT_STATUS_BAD_VALIDATION_CLASS;
374 * Logon domain user with an 'network' SAM logon
376 * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller.
379 NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
381 uint32 logon_parameters,
383 const char *username,
385 const char *workstation,
387 uint16_t validation_level,
388 DATA_BLOB lm_response,
389 DATA_BLOB nt_response,
390 struct netr_SamInfo3 **info3)
392 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
393 const char *workstation_name_slash;
394 const char *server_name_slash;
396 struct netr_Authenticator clnt_creds;
397 struct netr_Authenticator ret_creds;
398 union netr_LogonLevel *logon = NULL;
399 struct netr_NetworkInfo *network_info;
400 uint8_t authoritative;
401 union netr_Validation validation;
402 struct netr_ChallengeResponse lm;
403 struct netr_ChallengeResponse nt;
408 ZERO_STRUCT(ret_creds);
413 logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonLevel);
415 return NT_STATUS_NO_MEMORY;
418 network_info = TALLOC_ZERO_P(mem_ctx, struct netr_NetworkInfo);
420 return NT_STATUS_NO_MEMORY;
423 netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
425 if (server[0] != '\\' && server[1] != '\\') {
426 server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
428 server_name_slash = server;
431 if (workstation[0] != '\\' && workstation[1] != '\\') {
432 workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
434 workstation_name_slash = workstation;
437 if (!workstation_name_slash || !server_name_slash) {
438 DEBUG(0, ("talloc_asprintf failed!\n"));
439 return NT_STATUS_NO_MEMORY;
442 /* Initialise input parameters */
444 lm.data = lm_response.data;
445 lm.length = lm_response.length;
446 nt.data = nt_response.data;
447 nt.length = nt_response.length;
449 network_info->identity_info.domain_name.string = domain;
450 network_info->identity_info.parameter_control = logon_parameters;
451 network_info->identity_info.logon_id_low = 0xdead;
452 network_info->identity_info.logon_id_high = 0xbeef;
453 network_info->identity_info.account_name.string = username;
454 network_info->identity_info.workstation.string = workstation_name_slash;
456 memcpy(network_info->challenge, chal, 8);
457 network_info->nt = nt;
458 network_info->lm = lm;
460 logon->network = network_info;
462 /* Marshall data and send request */
464 result = rpccli_netr_LogonSamLogon(cli, mem_ctx,
469 NetlogonNetworkInformation,
474 if (!NT_STATUS_IS_OK(result)) {
478 /* Always check returned credentials. */
479 if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
480 DEBUG(0,("rpccli_netlogon_sam_network_logon: credentials chain check failed\n"));
481 return NT_STATUS_ACCESS_DENIED;
484 netlogon_creds_decrypt_samlogon(cli->dc, validation_level, &validation);
486 result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
487 if (!NT_STATUS_IS_OK(result)) {
494 NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
496 uint32 logon_parameters,
498 const char *username,
500 const char *workstation,
502 uint16_t validation_level,
503 DATA_BLOB lm_response,
504 DATA_BLOB nt_response,
505 struct netr_SamInfo3 **info3)
507 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
508 const char *workstation_name_slash;
509 const char *server_name_slash;
511 union netr_LogonLevel *logon = NULL;
512 struct netr_NetworkInfo *network_info;
513 uint8_t authoritative;
514 union netr_Validation validation;
515 struct netr_ChallengeResponse lm;
516 struct netr_ChallengeResponse nt;
526 logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonLevel);
528 return NT_STATUS_NO_MEMORY;
531 network_info = TALLOC_ZERO_P(mem_ctx, struct netr_NetworkInfo);
533 return NT_STATUS_NO_MEMORY;
536 if (server[0] != '\\' && server[1] != '\\') {
537 server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
539 server_name_slash = server;
542 if (workstation[0] != '\\' && workstation[1] != '\\') {
543 workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
545 workstation_name_slash = workstation;
548 if (!workstation_name_slash || !server_name_slash) {
549 DEBUG(0, ("talloc_asprintf failed!\n"));
550 return NT_STATUS_NO_MEMORY;
553 /* Initialise input parameters */
555 lm.data = lm_response.data;
556 lm.length = lm_response.length;
557 nt.data = nt_response.data;
558 nt.length = nt_response.length;
560 network_info->identity_info.domain_name.string = domain;
561 network_info->identity_info.parameter_control = logon_parameters;
562 network_info->identity_info.logon_id_low = 0xdead;
563 network_info->identity_info.logon_id_high = 0xbeef;
564 network_info->identity_info.account_name.string = username;
565 network_info->identity_info.workstation.string = workstation_name_slash;
567 memcpy(network_info->challenge, chal, 8);
568 network_info->nt = nt;
569 network_info->lm = lm;
571 logon->network = network_info;
573 /* Marshall data and send request */
575 result = rpccli_netr_LogonSamLogonEx(cli, mem_ctx,
578 NetlogonNetworkInformation,
584 if (!NT_STATUS_IS_OK(result)) {
588 netlogon_creds_decrypt_samlogon(cli->dc, validation_level, &validation);
590 result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
591 if (!NT_STATUS_IS_OK(result)) {
598 /*********************************************************
599 Change the domain password on the PDC.
601 Just changes the password betwen the two values specified.
603 Caller must have the cli connected to the netlogon pipe
605 **********************************************************/
607 NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
609 const char *account_name,
610 const unsigned char orig_trust_passwd_hash[16],
611 const char *new_trust_pwd_cleartext,
612 const unsigned char new_trust_passwd_hash[16],
613 enum netr_SchannelType sec_channel_type)
616 struct netr_Authenticator clnt_creds, srv_cred;
619 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
620 result = rpccli_netlogon_setup_creds(cli,
621 cli->desthost, /* server name */
622 lp_workgroup(), /* domain */
623 global_myname(), /* client name */
624 account_name, /* machine account name */
625 orig_trust_passwd_hash,
628 if (!NT_STATUS_IS_OK(result)) {
629 DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup creds (%s)!\n",
635 netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
637 if (cli->dc->negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
639 struct netr_CryptPassword new_password;
641 init_netr_CryptPassword(new_trust_pwd_cleartext,
642 cli->dc->session_key,
645 result = rpccli_netr_ServerPasswordSet2(cli, mem_ctx,
647 cli->dc->account_name,
649 cli->dc->computer_name,
653 if (!NT_STATUS_IS_OK(result)) {
654 DEBUG(0,("rpccli_netr_ServerPasswordSet2 failed: %s\n",
660 struct samr_Password new_password;
661 memcpy(new_password.hash, new_trust_passwd_hash, sizeof(new_password.hash));
662 netlogon_creds_des_encrypt(cli->dc, &new_password);
664 result = rpccli_netr_ServerPasswordSet(cli, mem_ctx,
666 cli->dc->account_name,
668 cli->dc->computer_name,
672 if (!NT_STATUS_IS_OK(result)) {
673 DEBUG(0,("rpccli_netr_ServerPasswordSet failed: %s\n",
679 /* Always check returned credentials. */
680 if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
681 DEBUG(0,("credentials chain check failed\n"));
682 return NT_STATUS_ACCESS_DENIED;