source3/auth/auth_netlogond.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Authenticate against a netlogon pipe listening on a unix domain socket
   4    Copyright (C) Volker Lendecke 2008
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "auth.h"
  22 #include "../libcli/auth/libcli_auth.h"
  23 #include "../librpc/gen_ndr/ndr_netlogon.h"
  24 #include "librpc/gen_ndr/ndr_schannel.h"
  25 #include "rpc_client/cli_pipe.h"
  26 #include "rpc_client/cli_netlogon.h"
  27 #include "secrets.h"
  28 #include "tldap.h"
  29 #include "tldap_util.h"
  30
  31 #undef DBGC_CLASS
  32 #define DBGC_CLASS DBGC_AUTH
  33
  34 static bool secrets_store_local_schannel_creds(
  35         const struct netlogon_creds_CredentialState *creds)
  36 {
  37         DATA_BLOB blob;
  38         enum ndr_err_code ndr_err;
  39         bool ret;
  40
  41         ndr_err = ndr_push_struct_blob(
  42                 &blob, talloc_tos(), creds,
  43                 (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
  44         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
  45                 DEBUG(10, ("ndr_push_netlogon_creds_CredentialState failed: "
  46                            "%s\n", ndr_errstr(ndr_err)));
  47                 return false;
  48         }
  49         ret = secrets_store(SECRETS_LOCAL_SCHANNEL_KEY,
  50                             blob.data, blob.length);
  51         data_blob_free(&blob);
  52         return ret;
  53 }
  54
  55 static struct netlogon_creds_CredentialState *
  56 secrets_fetch_local_schannel_creds(TALLOC_CTX *mem_ctx)
  57 {
  58         struct netlogon_creds_CredentialState *creds;
  59         enum ndr_err_code ndr_err;
  60         DATA_BLOB blob;
  61
  62         blob.data = (uint8_t *)secrets_fetch(SECRETS_LOCAL_SCHANNEL_KEY,
  63                                              &blob.length);
  64         if (blob.data == NULL) {
  65                 DEBUG(10, ("secrets_fetch failed\n"));
  66                 return NULL;
  67         }
  68
  69         creds = talloc(mem_ctx, struct netlogon_creds_CredentialState);
  70         if (creds == NULL) {
  71                 DEBUG(10, ("talloc failed\n"));
  72                 SAFE_FREE(blob.data);
  73                 return NULL;
  74         }
  75         ndr_err = ndr_pull_struct_blob(
  76                 &blob, creds, creds,
  77                 (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
  78         SAFE_FREE(blob.data);
  79         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
  80                 DEBUG(10, ("ndr_pull_netlogon_creds_CredentialState failed: "
  81                            "%s\n", ndr_errstr(ndr_err)));
  82                 TALLOC_FREE(creds);
  83                 return NULL;
  84         }
  85
  86         return creds;
  87 }
  88
  89 static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx,
  90                                    const struct auth_context *auth_context,
  91                                    const char *ncalrpc_sockname,
  92                                    struct netlogon_creds_CredentialState *creds,
  93                                    const struct auth_usersupplied_info *user_info,
  94                                    struct netr_SamInfo3 **pinfo3,
  95                                    NTSTATUS *schannel_bind_result)
  96 {
  97         struct rpc_pipe_client *p = NULL;
  98         struct pipe_auth_data *auth = NULL;
  99         struct netr_SamInfo3 *info3 = NULL;
 100         NTSTATUS status;
 101
 102         *schannel_bind_result = NT_STATUS_OK;
 103
 104         status = rpc_pipe_open_ncalrpc(talloc_tos(), ncalrpc_sockname,
 105                                        &ndr_table_netlogon.syntax_id, &p);
 106         if (!NT_STATUS_IS_OK(status)) {
 107                 DEBUG(10, ("rpc_pipe_open_ncalrpc failed: %s\n",
 108                            nt_errstr(status)));
 109                 return status;
 110         }
 111
 112         p->dc = creds;
 113
 114         status = rpccli_schannel_bind_data(p, lp_workgroup(),
 115                                            DCERPC_AUTH_LEVEL_PRIVACY,
 116                                            p->dc, &auth);
 117         if (!NT_STATUS_IS_OK(status)) {
 118                 DEBUG(10, ("rpccli_schannel_bind_data failed: %s\n",
 119                            nt_errstr(status)));
 120                 TALLOC_FREE(p);
 121                 return status;
 122         }
 123
 124         status = rpc_pipe_bind(p, auth);
 125         if (!NT_STATUS_IS_OK(status)) {
 126                 DEBUG(10, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
 127                 TALLOC_FREE(p);
 128                 *schannel_bind_result = status;
 129                 return status;
 130         }
 131
 132         status = rpccli_netlogon_sam_network_logon_ex(
 133                 p, p,
 134                 user_info->logon_parameters,           /* flags such as 'allow
 135                                                         * workstation logon' */
 136                 global_myname(),                       /* server name */
 137                 user_info->client.account_name,        /* user name logging on. */
 138                 user_info->client.domain_name,         /* domain name */
 139                 user_info->workstation_name,           /* workstation name */
 140                 (uchar *)auth_context->challenge.data, /* 8 byte challenge. */
 141                 3,                                     /* validation level */
 142                 user_info->password.response.lanman,   /* lanman 24 byte response */
 143                 user_info->password.response.nt,       /* nt 24 byte response */
 144                 &info3);                               /* info3 out */
 145
 146         DEBUG(10, ("rpccli_netlogon_sam_network_logon_ex returned %s\n",
 147                    nt_errstr(status)));
 148
 149         if (!NT_STATUS_IS_OK(status)) {
 150                 TALLOC_FREE(p);
 151                 return status;
 152         }
 153
 154         *pinfo3 = talloc_move(mem_ctx, &info3);
 155
 156         TALLOC_FREE(p);
 157         return NT_STATUS_OK;
 158 }
 159
 160 static NTSTATUS get_ldapi_ctx(TALLOC_CTX *mem_ctx, struct tldap_context **pld)
 161 {
 162         struct tldap_context *ld;
 163         struct sockaddr_un addr;
 164         char *sockaddr;
 165         int fd;
 166         NTSTATUS status;
 167         int res;
 168
 169         sockaddr = talloc_asprintf(talloc_tos(), "/%s/ldap_priv/ldapi",
 170                                    lp_private_dir());
 171         if (sockaddr == NULL) {
 172                 DEBUG(10, ("talloc failed\n"));
 173                 return NT_STATUS_NO_MEMORY;
 174         }
 175
 176         ZERO_STRUCT(addr);
 177         addr.sun_family = AF_UNIX;
 178         strncpy(addr.sun_path, sockaddr, sizeof(addr.sun_path));
 179         TALLOC_FREE(sockaddr);
 180
 181         status = open_socket_out((struct sockaddr_storage *)(void *)&addr,
 182                                  0, 0, &fd);
 183         if (!NT_STATUS_IS_OK(status)) {
 184                 DEBUG(10, ("Could not connect to %s: %s\n", addr.sun_path,
 185                            nt_errstr(status)));
 186                 return status;
 187         }
 188         set_blocking(fd, false);
 189
 190         ld = tldap_context_create(mem_ctx, fd);
 191         if (ld == NULL) {
 192                 close(fd);
 193                 return NT_STATUS_NO_MEMORY;
 194         }
 195         res = tldap_fetch_rootdse(ld);
 196         if (res != TLDAP_SUCCESS) {
 197                 DEBUG(10, ("tldap_fetch_rootdse failed: %s\n",
 198                            tldap_errstr(talloc_tos(), ld, res)));
 199                 TALLOC_FREE(ld);
 200                 return NT_STATUS_LDAP(res);
 201         }
 202         *pld = ld;
 203         return NT_STATUS_OK;;
 204 }
 205
 206 static NTSTATUS mymachinepw(uint8_t pwd[16])
 207 {
 208         TALLOC_CTX *frame = talloc_stackframe();
 209         struct tldap_context *ld = NULL;
 210         struct tldap_message *rootdse, **msg;
 211         const char *attrs[1] = { "unicodePwd" };
 212         char *default_nc, *myname;
 213         int rc, num_msg;
 214         DATA_BLOB pwdblob;
 215         NTSTATUS status;
 216
 217         status = get_ldapi_ctx(talloc_tos(), &ld);
 218         if (!NT_STATUS_IS_OK(status)) {
 219                 goto fail;
 220         }
 221         rootdse = tldap_rootdse(ld);
 222         if (rootdse == NULL) {
 223                 DEBUG(10, ("Could not get rootdse\n"));
 224                 status = NT_STATUS_INTERNAL_ERROR;
 225                 goto fail;
 226         }
 227         default_nc = tldap_talloc_single_attribute(
 228                 rootdse, "defaultNamingContext", talloc_tos());
 229         if (default_nc == NULL) {
 230                 DEBUG(10, ("Could not get defaultNamingContext\n"));
 231                 status = NT_STATUS_NO_MEMORY;
 232                 goto fail;
 233         }
 234         DEBUG(10, ("default_nc = %s\n", default_nc));
 235
 236         myname = talloc_asprintf_strupper_m(talloc_tos(), "%s$",
 237                                             global_myname());
 238         if (myname == NULL) {
 239                 DEBUG(10, ("talloc failed\n"));
 240                 status = NT_STATUS_NO_MEMORY;
 241                 goto fail;
 242         }
 243
 244         rc = tldap_search_fmt(
 245                 ld, default_nc, TLDAP_SCOPE_SUB, attrs, ARRAY_SIZE(attrs), 0,
 246                 talloc_tos(), &msg,
 247                 "(&(sAMAccountName=%s)(objectClass=computer))", myname);
 248         if (rc != TLDAP_SUCCESS) {
 249                 DEBUG(10, ("Could not retrieve our account: %s\n",
 250                            tldap_errstr(talloc_tos(), ld, rc)));
 251                 status = NT_STATUS_LDAP(rc);
 252                 goto fail;
 253         }
 254         num_msg = talloc_array_length(msg);
 255         if (num_msg != 1) {
 256                 DEBUG(10, ("Got %d accounts, expected one\n", num_msg));
 257                 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
 258                 goto fail;
 259         }
 260         if (!tldap_get_single_valueblob(msg[0], "unicodePwd", &pwdblob)) {
 261                 char *dn = NULL;
 262                 tldap_entry_dn(msg[0], &dn);
 263                 DEBUG(10, ("No unicodePwd attribute in %s\n",
 264                            dn ? dn : "<unknown DN>"));
 265                 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
 266                 goto fail;
 267         }
 268         if (pwdblob.length != 16) {
 269                 DEBUG(10, ("Password hash hash has length %d, expected 16\n",
 270                            (int)pwdblob.length));
 271                 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
 272                 goto fail;
 273         }
 274         memcpy(pwd, pwdblob.data, 16);
 275
 276 fail:
 277         TALLOC_FREE(frame);
 278         return status;
 279 }
 280
 281 static NTSTATUS check_netlogond_security(const struct auth_context *auth_context,
 282                                          void *my_private_data,
 283                                          TALLOC_CTX *mem_ctx,
 284                                          const struct auth_usersupplied_info *user_info,
 285                                          struct auth_serversupplied_info **server_info)
 286 {
 287         TALLOC_CTX *frame = talloc_stackframe();
 288         struct netr_SamInfo3 *info3 = NULL;
 289         struct rpc_pipe_client *p = NULL;
 290         struct pipe_auth_data *auth = NULL;
 291         uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 292         uint8_t machine_password[16];
 293         struct netlogon_creds_CredentialState *creds;
 294         NTSTATUS schannel_bind_result, status;
 295         struct named_mutex *mutex = NULL;
 296         const char *ncalrpcsock;
 297
 298         DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
 299
 300         ncalrpcsock = lp_parm_const_string(
 301                 GLOBAL_SECTION_SNUM, "auth_netlogond", "socket", NULL);
 302
 303         if (ncalrpcsock == NULL) {
 304                 ncalrpcsock = talloc_asprintf(talloc_tos(), "%s/%s",
 305                                               get_dyn_NCALRPCDIR(), "DEFAULT");
 306         }
 307
 308         if (ncalrpcsock == NULL) {
 309                 status = NT_STATUS_NO_MEMORY;
 310                 goto done;
 311         }
 312
 313         creds = secrets_fetch_local_schannel_creds(talloc_tos());
 314         if (creds == NULL) {
 315                 goto new_key;
 316         }
 317
 318         status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock,
 319                                     creds, user_info, &info3,
 320                                     &schannel_bind_result);
 321
 322         DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status)));
 323
 324         if (NT_STATUS_IS_OK(status)) {
 325                 goto okay;
 326         }
 327
 328         if (NT_STATUS_IS_OK(schannel_bind_result)) {
 329                 /*
 330                  * This is a real failure from the DC
 331                  */
 332                 goto done;
 333         }
 334
 335  new_key:
 336
 337         mutex = grab_named_mutex(talloc_tos(), "LOCAL_SCHANNEL_KEY", 60);
 338         if (mutex == NULL) {
 339                 DEBUG(10, ("Could not get mutex LOCAL_SCHANNEL_KEY\n"));
 340                 status = NT_STATUS_ACCESS_DENIED;
 341                 goto done;
 342         }
 343
 344         DEBUG(10, ("schannel bind failed, setting up new key\n"));
 345
 346         status = rpc_pipe_open_ncalrpc(talloc_tos(), ncalrpcsock,
 347                                        &ndr_table_netlogon.syntax_id, &p);
 348
 349         if (!NT_STATUS_IS_OK(status)) {
 350                 DEBUG(10, ("rpc_pipe_open_ncalrpc failed: %s\n",
 351                            nt_errstr(status)));
 352                 goto done;
 353         }
 354
 355         status = rpccli_anon_bind_data(p, &auth);
 356         if (!NT_STATUS_IS_OK(status)) {
 357                 DEBUG(10, ("rpccli_anon_bind_data failed: %s\n",
 358                            nt_errstr(status)));
 359                 goto done;
 360         }
 361
 362         status = rpc_pipe_bind(p, auth);
 363         if (!NT_STATUS_IS_OK(status)) {
 364                 DEBUG(10, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
 365                 goto done;
 366         }
 367
 368         status = mymachinepw(machine_password);
 369         if (!NT_STATUS_IS_OK(status)) {
 370                 DEBUG(10, ("mymachinepw failed: %s\n", nt_errstr(status)));
 371                 goto done;
 372         }
 373
 374         DEBUG(10, ("machinepw "));
 375         dump_data(10, machine_password, 16);
 376
 377         status = rpccli_netlogon_setup_creds(
 378                 p, global_myname(), lp_workgroup(), global_myname(),
 379                 global_myname(), machine_password, SEC_CHAN_BDC, &neg_flags);
 380
 381         if (!NT_STATUS_IS_OK(status)) {
 382                 DEBUG(10, ("rpccli_netlogon_setup_creds failed: %s\n",
 383                            nt_errstr(status)));
 384                 goto done;
 385         }
 386
 387         secrets_store_local_schannel_creds(p->dc);
 388
 389         /*
 390          * Retry the authentication with the mutex held. This way nobody else
 391          * can step on our toes.
 392          */
 393
 394         status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock,
 395                                     p->dc, user_info, &info3,
 396                                     &schannel_bind_result);
 397
 398         TALLOC_FREE(p);
 399
 400         DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status)));
 401
 402         if (!NT_STATUS_IS_OK(status)) {
 403                 goto done;
 404         }
 405
 406  okay:
 407
 408         status = make_server_info_info3(mem_ctx, user_info->client.account_name,
 409                                         user_info->mapped.domain_name, server_info,
 410                                         info3);
 411         if (!NT_STATUS_IS_OK(status)) {
 412                 DEBUG(10, ("make_server_info_info3 failed: %s\n",
 413                            nt_errstr(status)));
 414                 TALLOC_FREE(frame);
 415                 return status;
 416         }
 417
 418         status = NT_STATUS_OK;
 419
 420  done:
 421         TALLOC_FREE(frame);
 422         return status;
 423 }
 424
 425 /* module initialisation */
 426 static NTSTATUS auth_init_netlogond(struct auth_context *auth_context,
 427                                     const char *param,
 428                                     auth_methods **auth_method)
 429 {
 430         struct auth_methods *result;
 431
 432         result = TALLOC_ZERO_P(auth_context, struct auth_methods);
 433         if (result == NULL) {
 434                 return NT_STATUS_NO_MEMORY;
 435         }
 436         result->name = "netlogond";
 437         result->auth = check_netlogond_security;
 438
 439         *auth_method = result;
 440         return NT_STATUS_OK;
 441 }
 442
 443 NTSTATUS auth_netlogond_init(void)
 444 {
 445         smb_register_auth(AUTH_INTERFACE_VERSION, "netlogond",
 446                           auth_init_netlogond);
 447         return NT_STATUS_OK;
 448 }