source3/libsmb/cli_netlogon.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 1.9.
   4    NT Domain Authentication SMB / MSRPC client
   5    Copyright (C) Andrew Tridgell 1992-2000
   6    Copyright (C) Luke Kenneth Casson Leighton 1996-2000
   7    Copyright (C) Tim Potter 2001
   8    Copyright (C) Paul Ashton                       1997.
   9    Copyright (C) Jeremy Allison                    1998.
  10    Copyright (C) Andrew Bartlett                   2001.
  11
  12    This program is free software; you can redistribute it and/or modify
  13    it under the terms of the GNU General Public License as published by
  14    the Free Software Foundation; either version 2 of the License, or
  15    (at your option) any later version.
  16
  17    This program is distributed in the hope that it will be useful,
  18    but WITHOUT ANY WARRANTY; without even the implied warranty of
  19    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  20    GNU General Public License for more details.
  21
  22    You should have received a copy of the GNU General Public License
  23    along with this program; if not, write to the Free Software
  24    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  25 */
  26
  27 #include "includes.h"
  28
  29 /* Opens a SMB connection to the netlogon pipe */
  30
  31 struct cli_state *cli_netlogon_initialise(struct cli_state *cli,
  32                                           char *system_name,
  33                                           struct ntuser_creds *creds)
  34 {
  35         return cli_pipe_initialise(cli, system_name, PIPE_NETLOGON, creds);
  36 }
  37
  38 /* LSA Request Challenge. Sends our challenge to server, then gets
  39    server response. These are used to generate the credentials. */
  40
  41 NTSTATUS new_cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal,
  42                               DOM_CHAL *srv_chal)
  43 {
  44         prs_struct qbuf, rbuf;
  45         NET_Q_REQ_CHAL q;
  46         NET_R_REQ_CHAL r;
  47         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
  48         extern pstring global_myname;
  49
  50         prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL);
  51         prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL);
  52
  53         /* create and send a MSRPC command with api NET_REQCHAL */
  54
  55         DEBUG(4,("cli_net_req_chal: LSA Request Challenge from %s to %s: %s\n",
  56                  cli->desthost, global_myname, credstr(clnt_chal->data)));
  57
  58         /* store the parameters */
  59         init_q_req_chal(&q, cli->srv_name_slash, global_myname, clnt_chal);
  60
  61         /* Marshall data and send request */
  62
  63         if (!net_io_q_req_chal("", &q,  &qbuf, 0) ||
  64             !rpc_api_pipe_req(cli, NET_REQCHAL, &qbuf, &rbuf)) {
  65                 goto done;
  66         }
  67
  68         /* Unmarhall response */
  69
  70         if (!net_io_r_req_chal("", &r, &rbuf, 0)) {
  71                 goto done;
  72         }
  73
  74         result = r.status;
  75
  76         /* Return result */
  77
  78         if (NT_STATUS_IS_OK(result)) {
  79                 memcpy(srv_chal, r.srv_chal.data, sizeof(srv_chal->data));
  80         }
  81
  82  done:
  83         prs_mem_free(&qbuf);
  84         prs_mem_free(&rbuf);
  85
  86         return result;
  87 }
  88
  89 /****************************************************************************
  90 LSA Authenticate 2
  91
  92 Send the client credential, receive back a server credential.
  93 Ensure that the server credential returned matches the session key
  94 encrypt of the server challenge originally received. JRA.
  95 ****************************************************************************/
  96
  97 NTSTATUS new_cli_net_auth2(struct cli_state *cli, uint16 sec_chan,
  98                            uint32 neg_flags, DOM_CHAL *srv_chal)
  99 {
 100         prs_struct qbuf, rbuf;
 101         NET_Q_AUTH_2 q;
 102         NET_R_AUTH_2 r;
 103         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 104         extern pstring global_myname;
 105
 106         prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL);
 107         prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL);
 108
 109         /* create and send a MSRPC command with api NET_AUTH2 */
 110
 111         DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n",
 112                  cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname,
 113                  credstr(cli->clnt_cred.challenge.data), neg_flags));
 114
 115         /* store the parameters */
 116         init_q_auth_2(&q, cli->srv_name_slash, cli->mach_acct,
 117                       sec_chan, global_myname, &cli->clnt_cred.challenge,
 118                       neg_flags);
 119
 120         /* turn parameters into data stream */
 121
 122         if (!net_io_q_auth_2("", &q,  &qbuf, 0) ||
 123             !rpc_api_pipe_req(cli, NET_AUTH2, &qbuf, &rbuf)) {
 124                 goto done;
 125         }
 126
 127         /* Unmarshall response */
 128
 129         if (!net_io_r_auth_2("", &r, &rbuf, 0)) {
 130                 goto done;
 131         }
 132
 133         result = r.status;
 134
 135         if (NT_STATUS_IS_OK(result)) {
 136                 UTIME zerotime;
 137
 138                 /*
 139                  * Check the returned value using the initial
 140                  * server received challenge.
 141                  */
 142
 143                 zerotime.time = 0;
 144                 if (cred_assert( &r.srv_chal, cli->sess_key, srv_chal,
 145                                  zerotime) == 0) {
 146
 147                         /*
 148                          * Server replied with bad credential. Fail.
 149                          */
 150                         DEBUG(0,("cli_net_auth2: server %s replied with bad credential (bad machine \
 151 password ?).\n", cli->desthost ));
 152                         result = NT_STATUS_ACCESS_DENIED;
 153                         goto done;
 154                 }
 155         }
 156
 157  done:
 158         prs_mem_free(&qbuf);
 159         prs_mem_free(&rbuf);
 160
 161         return result;
 162 }
 163
 164 /* Initialize domain session credentials */
 165
 166 NTSTATUS new_cli_nt_setup_creds(struct cli_state *cli,
 167                                 unsigned char mach_pwd[16])
 168 {
 169         DOM_CHAL clnt_chal;
 170         DOM_CHAL srv_chal;
 171         UTIME zerotime;
 172         NTSTATUS result;
 173
 174         /******************* Request Challenge ********************/
 175
 176         generate_random_buffer(clnt_chal.data, 8, False);
 177
 178         /* send a client challenge; receive a server challenge */
 179         result = new_cli_net_req_chal(cli, &clnt_chal, &srv_chal);
 180
 181         if (!NT_STATUS_IS_OK(result)) {
 182                 DEBUG(0,("cli_nt_setup_creds: request challenge failed\n"));
 183                 return result;
 184         }
 185
 186         /**************** Long-term Session key **************/
 187
 188         /* calculate the session key */
 189         cred_session_key(&clnt_chal, &srv_chal, (char *)mach_pwd,
 190                          cli->sess_key);
 191         memset((char *)cli->sess_key+8, '\0', 8);
 192
 193         /******************* Authenticate 2 ********************/
 194
 195         /* calculate auth-2 credentials */
 196         zerotime.time = 0;
 197         cred_create(cli->sess_key, &clnt_chal, zerotime,
 198                     &cli->clnt_cred.challenge);
 199
 200         /*
 201          * Send client auth-2 challenge.
 202          * Receive an auth-2 challenge response and check it.
 203          */
 204
 205         result = new_cli_net_auth2(cli, (lp_server_role() == ROLE_DOMAIN_MEMBER) ?
 206                                    SEC_CHAN_WKSTA : SEC_CHAN_BDC, 0x000001ff,
 207                                    &srv_chal);
 208         if (!NT_STATUS_IS_OK(result)) {
 209                 DEBUG(0,("cli_nt_setup_creds: auth2 challenge failed %s\n",
 210                          get_nt_error_msg(result)));
 211         }
 212
 213         return result;
 214 }
 215
 216 /* Logon Control 2 */
 217
 218 NTSTATUS cli_netlogon_logon_ctrl2(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 219                                   uint32 query_level)
 220 {
 221         prs_struct qbuf, rbuf;
 222         NET_Q_LOGON_CTRL2 q;
 223         NET_R_LOGON_CTRL2 r;
 224         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 225
 226         ZERO_STRUCT(q);
 227         ZERO_STRUCT(r);
 228
 229         /* Initialise parse structures */
 230
 231         prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
 232         prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
 233
 234         /* Initialise input parameters */
 235
 236         init_net_q_logon_ctrl2(&q, cli->srv_name_slash, query_level);
 237
 238         /* Marshall data and send request */
 239
 240         if (!net_io_q_logon_ctrl2("", &q, &qbuf, 0) ||
 241             !rpc_api_pipe_req(cli, NET_LOGON_CTRL2, &qbuf, &rbuf)) {
 242                 result = NT_STATUS_UNSUCCESSFUL;
 243                 goto done;
 244         }
 245
 246         /* Unmarshall response */
 247
 248         if (!net_io_r_logon_ctrl2("", &r, &rbuf, 0)) {
 249                 result = NT_STATUS_UNSUCCESSFUL;
 250                 goto done;
 251         }
 252
 253         result = r.status;
 254
 255  done:
 256         prs_mem_free(&qbuf);
 257         prs_mem_free(&rbuf);
 258
 259         return result;
 260 }
 261
 262 /****************************************************************************
 263 Generate the next creds to use.  Yuck - this is a cut&paste from another
 264 file.  They should be combined at some stage.  )-:
 265 ****************************************************************************/
 266
 267 static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred)
 268 {
 269   /*
 270    * Create the new client credentials.
 271    */
 272
 273   cli->clnt_cred.timestamp.time = time(NULL);
 274
 275   memcpy(new_clnt_cred, &cli->clnt_cred, sizeof(*new_clnt_cred));
 276
 277   /* Calculate the new credentials. */
 278   cred_create(cli->sess_key, &(cli->clnt_cred.challenge),
 279               new_clnt_cred->timestamp, &(new_clnt_cred->challenge));
 280
 281 }
 282
 283 /* Sam synchronisation */
 284
 285 NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 286                                uint32 database_id, uint32 *num_deltas,
 287                                SAM_DELTA_HDR **hdr_deltas,
 288                                SAM_DELTA_CTR **deltas)
 289 {
 290         prs_struct qbuf, rbuf;
 291         NET_Q_SAM_SYNC q;
 292         NET_R_SAM_SYNC r;
 293         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 294         DOM_CRED clnt_creds;
 295
 296         ZERO_STRUCT(q);
 297         ZERO_STRUCT(r);
 298
 299         /* Initialise parse structures */
 300
 301         prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
 302         prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
 303
 304         /* Initialise input parameters */
 305
 306         gen_next_creds(cli, &clnt_creds);
 307
 308         init_net_q_sam_sync(&q, cli->srv_name_slash, cli->clnt_name_slash + 2,
 309                             &clnt_creds, database_id);
 310
 311         /* Marshall data and send request */
 312
 313         if (!net_io_q_sam_sync("", &q, &qbuf, 0) ||
 314             !rpc_api_pipe_req(cli, NET_SAM_SYNC, &qbuf, &rbuf)) {
 315                 result = NT_STATUS_UNSUCCESSFUL;
 316                 goto done;
 317         }
 318
 319         /* Unmarshall response */
 320
 321         if (!net_io_r_sam_sync("", cli->sess_key, &r, &rbuf, 0)) {
 322                 result = NT_STATUS_UNSUCCESSFUL;
 323                 goto done;
 324         }
 325
 326         /* Return results */
 327
 328         result = r.status;
 329         *num_deltas = r.num_deltas2;
 330         *hdr_deltas = r.hdr_deltas;
 331         *deltas = r.deltas;
 332
 333  done:
 334         prs_mem_free(&qbuf);
 335         prs_mem_free(&rbuf);
 336
 337         return result;
 338 }
 339
 340 /* Sam synchronisation */
 341
 342 NTSTATUS cli_netlogon_sam_deltas(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 343                                  uint32 database_id, UINT64_S seqnum,
 344                                  uint32 *num_deltas,
 345                                  SAM_DELTA_HDR **hdr_deltas,
 346                                  SAM_DELTA_CTR **deltas)
 347 {
 348         prs_struct qbuf, rbuf;
 349         NET_Q_SAM_DELTAS q;
 350         NET_R_SAM_DELTAS r;
 351         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 352         DOM_CRED clnt_creds;
 353
 354         ZERO_STRUCT(q);
 355         ZERO_STRUCT(r);
 356
 357         /* Initialise parse structures */
 358
 359         prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
 360         prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
 361
 362         /* Initialise input parameters */
 363
 364         gen_next_creds(cli, &clnt_creds);
 365
 366         init_net_q_sam_deltas(&q, cli->srv_name_slash,
 367                               cli->clnt_name_slash + 2, &clnt_creds,
 368                               database_id, seqnum);
 369
 370         /* Marshall data and send request */
 371
 372         if (!net_io_q_sam_deltas("", &q, &qbuf, 0) ||
 373             !rpc_api_pipe_req(cli, NET_SAM_DELTAS, &qbuf, &rbuf)) {
 374                 result = NT_STATUS_UNSUCCESSFUL;
 375                 goto done;
 376         }
 377
 378         /* Unmarshall response */
 379
 380         if (!net_io_r_sam_deltas("", cli->sess_key, &r, &rbuf, 0)) {
 381                 result = NT_STATUS_UNSUCCESSFUL;
 382                 goto done;
 383         }
 384
 385         /* Return results */
 386
 387         result = r.status;
 388         *num_deltas = r.num_deltas2;
 389         *hdr_deltas = r.hdr_deltas;
 390         *deltas = r.deltas;
 391
 392  done:
 393         prs_mem_free(&qbuf);
 394         prs_mem_free(&rbuf);
 395
 396         return result;
 397 }
 398
 399 /* Logon domain user */
 400
 401 NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 402                                 char *username, char *password,
 403                                 int logon_type)
 404 {
 405         prs_struct qbuf, rbuf;
 406         NET_Q_SAM_LOGON q;
 407         NET_R_SAM_LOGON r;
 408         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 409         DOM_CRED clnt_creds, dummy_rtn_creds;
 410         extern pstring global_myname;
 411         NET_ID_INFO_CTR ctr;
 412         NET_USER_INFO_3 user;
 413         int validation_level = 3;
 414
 415         ZERO_STRUCT(q);
 416         ZERO_STRUCT(r);
 417
 418         /* Initialise parse structures */
 419
 420         prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
 421         prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
 422
 423         /* Initialise input parameters */
 424
 425         gen_next_creds(cli, &clnt_creds);
 426
 427         q.validation_level = validation_level;
 428
 429         memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds));
 430         dummy_rtn_creds.timestamp.time = time(NULL);
 431
 432         ctr.switch_value = logon_type;
 433
 434         switch (logon_type) {
 435         case INTERACTIVE_LOGON_TYPE: {
 436                 unsigned char lm_owf_user_pwd[16], nt_owf_user_pwd[16];
 437
 438                 nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd);
 439
 440                 init_id_info1(&ctr.auth.id1, lp_workgroup(),
 441                               0, /* param_ctrl */
 442                               0xdead, 0xbeef, /* LUID? */
 443                               username, cli->clnt_name_slash,
 444                               cli->sess_key, lm_owf_user_pwd,
 445                               nt_owf_user_pwd);
 446
 447                 break;
 448         }
 449         case NET_LOGON_TYPE: {
 450                 uint8 chal[8];
 451                 unsigned char local_lm_response[24];
 452                 unsigned char local_nt_response[24];
 453
 454                 generate_random_buffer(chal, 8, False);
 455
 456                 SMBencrypt(password, chal, local_lm_response);
 457                 SMBNTencrypt(password, chal, local_nt_response);
 458
 459                 init_id_info2(&ctr.auth.id2, lp_workgroup(),
 460                               0, /* param_ctrl */
 461                               0xdead, 0xbeef, /* LUID? */
 462                               username, cli->clnt_name_slash, chal,
 463                               local_lm_response, 24, local_nt_response, 24);
 464                 break;
 465         }
 466         default:
 467                 DEBUG(0, ("switch value %d not supported\n",
 468                           ctr.switch_value));
 469                 goto done;
 470         }
 471
 472         init_sam_info(&q.sam_id, cli->srv_name_slash, global_myname,
 473                       &clnt_creds, &dummy_rtn_creds, logon_type,
 474                       &ctr);
 475
 476         /* Marshall data and send request */
 477
 478         if (!net_io_q_sam_logon("", &q, &qbuf, 0) ||
 479             !rpc_api_pipe_req(cli, NET_SAMLOGON, &qbuf, &rbuf)) {
 480                 goto done;
 481         }
 482
 483         /* Unmarshall response */
 484
 485         r.user = &user;
 486
 487         if (!net_io_r_sam_logon("", &r, &rbuf, 0)) {
 488                 goto done;
 489         }
 490
 491         /* Return results */
 492
 493         result = r.status;
 494
 495  done:
 496         return result;
 497 }
 498
 499 /***************************************************************************
 500 LSA Server Password Set.
 501 ****************************************************************************/
 502
 503 NTSTATUS cli_net_srv_pwset(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 504                            char* machine_name, uint8 hashed_mach_pwd[16])
 505 {
 506         prs_struct rbuf;
 507         prs_struct buf;
 508         DOM_CRED new_clnt_cred;
 509         NET_Q_SRV_PWSET q_s;
 510         uint16 sec_chan_type = 2;
 511         NTSTATUS nt_status;
 512         char *mach_acct;
 513
 514         gen_next_creds( cli, &new_clnt_cred);
 515
 516         prs_init(&buf , 1024, mem_ctx, MARSHALL);
 517         prs_init(&rbuf, 0,    mem_ctx, UNMARSHALL);
 518
 519         /* create and send a MSRPC command with api NET_SRV_PWSET */
 520
 521         mach_acct = talloc_asprintf(mem_ctx, "%s$", machine_name);
 522
 523         if (!mach_acct) {
 524                 DEBUG(0,("talloc_asprintf failed!\n"));
 525                 return NT_STATUS_NO_MEMORY;
 526         }
 527
 528         DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s clnt %s %x\n",
 529                  cli->srv_name_slash, mach_acct, sec_chan_type, machine_name,
 530                  credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time));
 531
 532         /* store the parameters */
 533         init_q_srv_pwset(&q_s, cli->srv_name_slash, cli->sess_key,
 534                          mach_acct, sec_chan_type, machine_name,
 535                          &new_clnt_cred, (char *)hashed_mach_pwd);
 536
 537         /* turn parameters into data stream */
 538         if(!net_io_q_srv_pwset("", &q_s,  &buf, 0)) {
 539                 DEBUG(0,("cli_net_srv_pwset: Error : failed to marshall NET_Q_SRV_PWSET struct.\n"));
 540                 return NT_STATUS_UNSUCCESSFUL;
 541         }
 542
 543         /* send the data on \PIPE\ */
 544         if (rpc_api_pipe_req(cli, NET_SRVPWSET, &buf, &rbuf))
 545         {
 546                 NET_R_SRV_PWSET r_s;
 547
 548                 if (!net_io_r_srv_pwset("", &r_s, &rbuf, 0)) {
 549                         return NT_STATUS_UNSUCCESSFUL;
 550                 }
 551
 552                 nt_status = r_s.status;
 553
 554                 if (!NT_STATUS_IS_OK(r_s.status))
 555                 {
 556                         /* report error code */
 557                         DEBUG(0,("cli_net_srv_pwset: %s\n", get_nt_error_msg(nt_status)));
 558                         return nt_status;
 559                 }
 560
 561                 /* Update the credentials. */
 562                 if (!clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_cred)))
 563                 {
 564                         /*
 565                          * Server replied with bad credential. Fail.
 566                          */
 567                         DEBUG(0,("cli_net_srv_pwset: server %s replied with bad credential (bad machine \
 568 password ?).\n", cli->desthost ));
 569                         nt_status = NT_STATUS_UNSUCCESSFUL;
 570                 }
 571         }
 572
 573         return nt_status;
 574 }
 575