#include "includes.h"
-extern struct dcinfo last_dcinfo;
extern userdom_struct current_user_info;
#undef DBGC_CLASS
net_reply_logon_ctrl:
*************************************************************************/
-/* Some flag values reverse engineered from NLTEST.EXE */
-
-#define LOGON_CTRL_IN_SYNC 0x00
-#define LOGON_CTRL_REPL_NEEDED 0x01
-#define LOGON_CTRL_REPL_IN_PROGRESS 0x02
-
NTSTATUS _net_logon_ctrl(pipes_struct *p, NET_Q_LOGON_CTRL *q_u,
NET_R_LOGON_CTRL *r_u)
{
/****************************************************************************
Send a message to smbd to do a sam synchronisation
**************************************************************************/
+
static void send_sync_message(void)
{
TDB_CONTEXT *tdb;
NTSTATUS _net_req_chal(pipes_struct *p, NET_Q_REQ_CHAL *q_u, NET_R_REQ_CHAL *r_u)
{
- NTSTATUS status = NT_STATUS_OK;
-
- rpcstr_pull(p->dc.remote_machine,q_u->uni_logon_clnt.buffer,sizeof(fstring),q_u->uni_logon_clnt.uni_str_len*2,0);
-
- /* create a server challenge for the client */
- /* Set these to random values. */
- generate_random_buffer(p->dc.srv_chal.data, 8);
-
- memcpy(p->dc.srv_cred.challenge.data, p->dc.srv_chal.data, 8);
+ if (!p->dc) {
+ p->dc = TALLOC_ZERO_P(p->pipe_state_mem_ctx, struct dcinfo);
+ if (!p->dc) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ DEBUG(10,("_net_req_chal: new challenge requested. Clearing old state.\n"));
+ ZERO_STRUCTP(p->dc);
+ }
- memcpy(p->dc.clnt_chal.data , q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data));
- memcpy(p->dc.clnt_cred.challenge.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data));
+ rpcstr_pull(p->dc->remote_machine,
+ q_u->uni_logon_clnt.buffer,
+ sizeof(fstring),q_u->uni_logon_clnt.uni_str_len*2,0);
- memset((char *)p->dc.sess_key, '\0', sizeof(p->dc.sess_key));
+ /* Save the client challenge to the server. */
+ memcpy(p->dc->clnt_chal.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data));
- p->dc.challenge_sent = True;
+ /* Create a server challenge for the client */
+ /* Set this to a random value. */
+ generate_random_buffer(p->dc->srv_chal.data, 8);
+
/* set up the LSA REQUEST CHALLENGE response */
- init_net_r_req_chal(r_u, &p->dc.srv_chal, status);
+ init_net_r_req_chal(r_u, &p->dc->srv_chal, NT_STATUS_OK);
- return status;
+ p->dc->challenge_sent = True;
+
+ return NT_STATUS_OK;
}
/*************************************************************************
}
/*************************************************************************
- _net_auth
+ _net_auth. Create the initial credentials.
*************************************************************************/
NTSTATUS _net_auth(pipes_struct *p, NET_Q_AUTH *q_u, NET_R_AUTH *r_u)
{
- NTSTATUS status = NT_STATUS_OK;
- DOM_CHAL srv_cred;
- UTIME srv_time;
fstring mach_acct;
+ fstring remote_machine;
+ DOM_CHAL srv_chal_out;
- srv_time.time = 0;
-
- rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring),q_u->clnt_id.uni_acct_name.uni_str_len*2,0);
+ if (!p->dc || !p->dc->challenge_sent) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
- if (p->dc.challenge_sent && get_md4pw((char *)p->dc.md4pw, mach_acct)) {
+ rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring),
+ q_u->clnt_id.uni_acct_name.uni_str_len*2,0);
+ rpcstr_pull(remote_machine, q_u->clnt_id.uni_comp_name.buffer,sizeof(fstring),
+ q_u->clnt_id.uni_comp_name.uni_str_len*2,0);
- /* from client / server challenges and md4 password, generate sess key */
- cred_session_key(&p->dc.clnt_chal, &p->dc.srv_chal,
- p->dc.md4pw, p->dc.sess_key);
-
- /* check that the client credentials are valid */
- if (cred_assert(&q_u->clnt_chal, p->dc.sess_key, &p->dc.clnt_cred.challenge, srv_time)) {
-
- /* create server challenge for inclusion in the reply */
- cred_create(p->dc.sess_key, &p->dc.srv_cred.challenge, srv_time, &srv_cred);
-
- /* copy the received client credentials for use next time */
- memcpy(p->dc.clnt_cred.challenge.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data));
- memcpy(p->dc.srv_cred .challenge.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data));
-
- /* Save the machine account name. */
- fstrcpy(p->dc.mach_acct, mach_acct);
-
- p->dc.authenticated = True;
+ if (!get_md4pw((char *)p->dc->mach_pw, mach_acct)) {
+ DEBUG(0,("_net_auth: creds_server_check failed. Failed to "
+ "get pasword for machine account %s "
+ "from client %s\n",
+ mach_acct, remote_machine ));
+ return NT_STATUS_ACCESS_DENIED;
+ }
- } else {
- status = NT_STATUS_ACCESS_DENIED;
- }
- } else {
- status = NT_STATUS_ACCESS_DENIED;
+ /* From the client / server challenges and md4 password, generate sess key */
+ creds_server_init(p->dc,
+ &p->dc->clnt_chal, /* Stored client chal. */
+ &p->dc->srv_chal, /* Stored server chal. */
+ (const char *)p->dc->mach_pw,
+ &srv_chal_out);
+
+ /* Check client credentials are valid. */
+ if (!creds_server_check(p->dc, &q_u->clnt_chal)) {
+ DEBUG(0,("_net_auth: creds_server_check failed. Rejecting auth "
+ "request from client %s machine account %s\n",
+ remote_machine, mach_acct ));
+ return NT_STATUS_ACCESS_DENIED;
}
-
+
+ fstrcpy(p->dc->mach_acct, mach_acct);
+ fstrcpy(p->dc->remote_machine, remote_machine);
+ p->dc->authenticated = True;
+
/* set up the LSA AUTH response */
- init_net_r_auth(r_u, &srv_cred, status);
+ /* Return the server credentials. */
+ init_net_r_auth(r_u, &srv_chal_out, NT_STATUS_OK);
return r_u->status;
}
NTSTATUS _net_auth_2(pipes_struct *p, NET_Q_AUTH_2 *q_u, NET_R_AUTH_2 *r_u)
{
- NTSTATUS status = NT_STATUS_OK;
- DOM_CHAL srv_cred;
- UTIME srv_time;
NEG_FLAGS srv_flgs;
fstring mach_acct;
+ fstring remote_machine;
+ DOM_CHAL srv_chal_out;
- srv_time.time = 0;
+ rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring),
+ q_u->clnt_id.uni_acct_name.uni_str_len*2,0);
+ rpcstr_pull(remote_machine, q_u->clnt_id.uni_comp_name.buffer,sizeof(fstring),
+ q_u->clnt_id.uni_comp_name.uni_str_len*2,0);
+
+ if (!p->dc || !p->dc->challenge_sent) {
+ DEBUG(0,("_net_auth2: no challenge sent to client %s\n",
+ remote_machine ));
+ return NT_STATUS_ACCESS_DENIED;
+ }
if ( (lp_server_schannel() == True) &&
((q_u->clnt_flgs.neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
/* schannel must be used, but client did not offer it. */
- status = NT_STATUS_ACCESS_DENIED;
+ DEBUG(0,("_net_auth2: schannel required but client failed "
+ "to offer it. Client was %s\n",
+ mach_acct ));
+ return NT_STATUS_ACCESS_DENIED;
}
- rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring),q_u->clnt_id.uni_acct_name.uni_str_len*2,0);
-
- if (p->dc.challenge_sent && get_md4pw((char *)p->dc.md4pw, mach_acct)) {
-
- /* from client / server challenges and md4 password, generate sess key */
- cred_session_key(&p->dc.clnt_chal, &p->dc.srv_chal,
- p->dc.md4pw, p->dc.sess_key);
-
- /* check that the client credentials are valid */
- if (cred_assert(&q_u->clnt_chal, p->dc.sess_key, &p->dc.clnt_cred.challenge, srv_time)) {
-
- /* create server challenge for inclusion in the reply */
- cred_create(p->dc.sess_key, &p->dc.srv_cred.challenge, srv_time, &srv_cred);
-
- /* copy the received client credentials for use next time */
- memcpy(p->dc.clnt_cred.challenge.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data));
- memcpy(p->dc.srv_cred .challenge.data, q_u->clnt_chal.data, sizeof(q_u->clnt_chal.data));
-
- /* Save the machine account name. */
- fstrcpy(p->dc.mach_acct, mach_acct);
-
- p->dc.authenticated = True;
+ if (!get_md4pw((char *)p->dc->mach_pw, mach_acct)) {
+ DEBUG(0,("_net_auth2: failed to get machine password for "
+ "account %s\n",
+ mach_acct ));
+ return NT_STATUS_ACCESS_DENIED;
+ }
- } else {
- status = NT_STATUS_ACCESS_DENIED;
- }
- } else {
- status = NT_STATUS_ACCESS_DENIED;
+ /* From the client / server challenges and md4 password, generate sess key */
+ creds_server_init(p->dc,
+ &p->dc->clnt_chal, /* Stored client chal. */
+ &p->dc->srv_chal, /* Stored server chal. */
+ (const char *)p->dc->mach_pw,
+ &srv_chal_out);
+
+ /* Check client credentials are valid. */
+ if (!creds_server_check(p->dc, &q_u->clnt_chal)) {
+ DEBUG(0,("_net_auth2: creds_server_check failed. Rejecting auth "
+ "request from client %s machine account %s\n",
+ remote_machine, mach_acct ));
+ return NT_STATUS_ACCESS_DENIED;
}
-
+
srv_flgs.neg_flags = 0x000001ff;
if (lp_server_schannel() != False) {
}
/* set up the LSA AUTH 2 response */
- init_net_r_auth_2(r_u, &srv_cred, &srv_flgs, status);
+ init_net_r_auth_2(r_u, &srv_chal_out, &srv_flgs, NT_STATUS_OK);
- if (NT_STATUS_IS_OK(status)) {
- last_dcinfo = p->dc;
- }
+ fstrcpy(p->dc->mach_acct, mach_acct);
+ fstrcpy(p->dc->remote_machine, remote_machine);
+ fstrcpy(p->dc->domain, lp_workgroup() );
+
+ p->dc->authenticated = True;
+
+ /* Store off the state so we can continue after client disconnect. */
+ become_root();
+ secrets_store_schannel_session_info(p->mem_ctx, p->dc);
+ unbecome_root();
return r_u->status;
}
NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *r_u)
{
NTSTATUS status = NT_STATUS_ACCESS_DENIED;
- DOM_CRED srv_cred;
- pstring workstation;
+ fstring workstation;
SAM_ACCOUNT *sampass=NULL;
BOOL ret = False;
unsigned char pwd[16];
int i;
uint32 acct_ctrl;
+ DOM_CRED cred_out;
const uchar *old_pw;
- /* checks and updates credentials. creates reply credentials */
- if (!(p->dc.authenticated && deal_with_creds(p->dc.sess_key, &p->dc.clnt_cred, &q_u->clnt_id.cred, &srv_cred)))
+ if (!p->dc || !p->dc->authenticated) {
return NT_STATUS_INVALID_HANDLE;
+ }
- memcpy(&p->dc.srv_cred, &p->dc.clnt_cred, sizeof(p->dc.clnt_cred));
+ /* Step the creds chain forward. */
+ if (!creds_server_step(p->dc, &q_u->clnt_id.cred, &cred_out)) {
+ DEBUG(0,("_net_srv_pwset: creds_server_step failed. Rejecting auth "
+ "request from client %s machine account %s\n",
+ p->dc->remote_machine, p->dc->mach_acct ));
+ return NT_STATUS_ACCESS_DENIED;
+ }
DEBUG(5,("_net_srv_pwset: %d\n", __LINE__));
rpcstr_pull(workstation,q_u->clnt_id.login.uni_comp_name.buffer,
sizeof(workstation),q_u->clnt_id.login.uni_comp_name.uni_str_len*2,0);
- DEBUG(3,("Server Password Set by Wksta:[%s] on account [%s]\n", workstation, p->dc.mach_acct));
+ DEBUG(3,("_net_srv_pwset: Server Password Set by Wksta:[%s] on account [%s]\n",
+ workstation, p->dc->mach_acct));
pdb_init_sam(&sampass);
become_root();
- ret=pdb_getsampwnam(sampass, p->dc.mach_acct);
+ ret=pdb_getsampwnam(sampass, p->dc->mach_acct);
unbecome_root();
/* Ensure the account exists and is a machine account. */
return NT_STATUS_ACCOUNT_DISABLED;
}
- cred_hash3( pwd, q_u->pwd, p->dc.sess_key, 0);
+ /* Woah - what does this to to the credential chain ? JRA */
+ cred_hash3( pwd, q_u->pwd, p->dc->sess_key, 0);
DEBUG(100,("Server password set : new given value was :\n"));
for(i = 0; i < sizeof(pwd); i++)
} else {
/* LM password should be NULL for machines */
- if (!pdb_set_lanman_passwd (sampass, NULL, PDB_CHANGED)) {
+ if (!pdb_set_lanman_passwd(sampass, NULL, PDB_CHANGED)) {
pdb_free_sam(&sampass);
return NT_STATUS_NO_MEMORY;
}
- if (!pdb_set_nt_passwd (sampass, pwd, PDB_CHANGED)) {
+ if (!pdb_set_nt_passwd(sampass, pwd, PDB_CHANGED)) {
pdb_free_sam(&sampass);
return NT_STATUS_NO_MEMORY;
}
- if (!pdb_set_pass_changed_now (sampass)) {
+ if (!pdb_set_pass_changed_now(sampass)) {
pdb_free_sam(&sampass);
/* Not quite sure what this one qualifies as, but this will do */
return NT_STATUS_UNSUCCESSFUL;
ret = pdb_update_sam_account (sampass);
unbecome_root();
}
- if (ret)
+ if (ret) {
status = NT_STATUS_OK;
+ }
/* set up the LSA Server Password Set response */
- init_net_r_srv_pwset(r_u, &srv_cred, status);
+ init_net_r_srv_pwset(r_u, &cred_out, status);
pdb_free_sam(&sampass);
return r_u->status;
}
-
/*************************************************************************
_net_sam_logoff:
*************************************************************************/
NTSTATUS _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, NET_R_SAM_LOGOFF *r_u)
{
- DOM_CRED srv_cred;
-
if (!get_valid_user_struct(p->vuid))
return NT_STATUS_NO_SUCH_USER;
- /* checks and updates credentials. creates reply credentials */
- if (!(p->dc.authenticated && deal_with_creds(p->dc.sess_key, &p->dc.clnt_cred,
- &q_u->sam_id.client.cred, &srv_cred)))
+ if (!p->dc || !p->dc->authenticated) {
return NT_STATUS_INVALID_HANDLE;
+ }
- memcpy(&p->dc.srv_cred, &p->dc.clnt_cred, sizeof(p->dc.clnt_cred));
-
- /* XXXX maybe we want to say 'no', reject the client's credentials */
r_u->buffer_creds = 1; /* yes, we have valid server credentials */
- memcpy(&r_u->srv_creds, &srv_cred, sizeof(r_u->srv_creds));
- r_u->status = NT_STATUS_OK;
+ /* checks and updates credentials. creates reply credentials */
+ if (!creds_server_step(p->dc, &q_u->sam_id.client.cred, &r_u->srv_creds)) {
+ DEBUG(0,("_net_sam_logoff: creds_server_step failed. Rejecting auth "
+ "request from client %s machine account %s\n",
+ p->dc->remote_machine, p->dc->mach_acct ));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ r_u->status = NT_STATUS_OK;
return r_u->status;
}
NTSTATUS status = NT_STATUS_OK;
NET_USER_INFO_3 *usr_info = NULL;
NET_ID_INFO_CTR *ctr = q_u->sam_id.ctr;
- DOM_CRED srv_cred;
UNISTR2 *uni_samlogon_user = NULL;
UNISTR2 *uni_samlogon_domain = NULL;
UNISTR2 *uni_samlogon_workstation = NULL;
r_u->switch_value = 0; /* indicates no info */
r_u->auth_resp = 1; /* authoritative response */
r_u->switch_value = 3; /* indicates type of validation user info */
+ r_u->buffer_creds = 1; /* Ensure we always return server creds. */
if (!get_valid_user_struct(p->vuid))
return NT_STATUS_NO_SUCH_USER;
+ if (!p->dc || !p->dc->authenticated) {
+ return NT_STATUS_INVALID_HANDLE;
+ }
- if ( (lp_server_schannel() == True) && (!p->netsec_auth_validated) ) {
+ if ( (lp_server_schannel() == True) && (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) ) {
/* 'server schannel = yes' should enforce use of
schannel, the client did offer it in auth2, but
obviously did not use it. */
+ DEBUG(0,("_net_sam_logoff: client %s not using schannel for netlogon\n",
+ p->dc->remote_machine ));
return NT_STATUS_ACCESS_DENIED;
}
/* checks and updates credentials. creates reply credentials */
- if (!(p->dc.authenticated && deal_with_creds(p->dc.sess_key, &p->dc.clnt_cred, &q_u->sam_id.client.cred, &srv_cred)))
- return NT_STATUS_INVALID_HANDLE;
-
- memcpy(&p->dc.srv_cred, &p->dc.clnt_cred, sizeof(p->dc.clnt_cred));
-
- r_u->buffer_creds = 1; /* yes, we have valid server credentials */
- memcpy(&r_u->srv_creds, &srv_cred, sizeof(r_u->srv_creds));
+ if (!creds_server_step(p->dc, &q_u->sam_id.client.cred, &r_u->srv_creds)) {
+ DEBUG(0,("_net_sam_logoff: creds_server_step failed. Rejecting auth "
+ "request from client %s machine account %s\n",
+ p->dc->remote_machine, p->dc->mach_acct ));
+ return NT_STATUS_ACCESS_DENIED;
+ }
/* find the username */
if (!make_user_info_netlogon_network(&user_info,
nt_username, nt_domain,
wksname,
+ ctr->auth.id2.param_ctrl,
ctr->auth.id2.lm_chal_resp.buffer,
ctr->auth.id2.lm_chal_resp.str_str_len,
ctr->auth.id2.nt_chal_resp.buffer,
if (!make_user_info_netlogon_interactive(&user_info,
nt_username, nt_domain,
- nt_workstation, chal,
+ nt_workstation,
+ ctr->auth.id1.param_ctrl,
+ chal,
ctr->auth.id1.lm_owf.data,
ctr->auth.id1.nt_owf.data,
- p->dc.sess_key)) {
+ p->dc->sess_key)) {
status = NT_STATUS_NO_MEMORY;
}
break;
/* Check account and password */
if (!NT_STATUS_IS_OK(status)) {
+ /* If we don't know what this domain is, we need to
+ indicate that we are not authoritative. This
+ allows the client to decide if it needs to try
+ a local user. Fix by jpjanosi@us.ibm.com, #2976 */
+ if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
+ && !strequal(nt_domain, get_global_sam_name())
+ && !is_trusted_domain(nt_domain) )
+ r_u->auth_resp = 0; /* We are not authoritative */
+
free_server_info(&server_info);
return status;
}
return NT_STATUS_UNSUCCESSFUL;
}
- pstrcpy(my_name, global_myname());
-
+
+ if(server_info->login_server) {
+ pstrcpy(my_name, server_info->login_server);
+ } else {
+ pstrcpy(my_name, global_myname());
+ }
+
if (!NT_STATUS_IS_OK(status
= nt_token_to_group_list(p->mem_ctx,
&domain_sid,
}
ZERO_STRUCT(netlogon_sess_key);
- memcpy(netlogon_sess_key, p->dc.sess_key, 8);
+ memcpy(netlogon_sess_key, p->dc->sess_key, 8);
if (server_info->user_session_key.length) {
memcpy(user_session_key, server_info->user_session_key.data,
MIN(sizeof(user_session_key), server_info->user_session_key.length));