2 Unix SMB/CIFS implementation.
4 module to store/fetch session keys for the schannel client
6 Copyright (C) Stefan Metzmacher 2013
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "system/filesys.h"
25 #include "lib/util/tevent_ntstatus.h"
26 #include "lib/dbwrap/dbwrap.h"
27 #include "lib/dbwrap/dbwrap_rbt.h"
28 #include "lib/util/util_tdb.h"
29 #include "libcli/security/security.h"
30 #include "../lib/param/param.h"
31 #include "../libcli/auth/schannel.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
34 #include "../librpc/gen_ndr/server_id.h"
35 #include "netlogon_creds_cli.h"
36 #include "source3/include/messages.h"
37 #include "source3/include/g_lock.h"
39 struct netlogon_creds_cli_locked_state;
41 struct netlogon_creds_cli_context {
45 uint32_t proposed_flags;
46 uint32_t required_flags;
47 enum netr_SchannelType type;
48 enum dcerpc_AuthLevel auth_level;
53 const char *netbios_domain;
54 uint32_t cached_flags;
63 struct db_context *ctx;
64 struct g_lock_ctx *g_ctx;
65 struct netlogon_creds_cli_locked_state *locked_state;
69 struct netlogon_creds_cli_locked_state {
70 struct netlogon_creds_cli_context *context;
72 struct netlogon_creds_CredentialState *creds;
75 static int netlogon_creds_cli_locked_state_destructor(
76 struct netlogon_creds_cli_locked_state *state)
78 struct netlogon_creds_cli_context *context = state->context;
80 if (context == NULL) {
84 if (context->db.locked_state == state) {
85 context->db.locked_state = NULL;
88 if (state->is_glocked) {
89 g_lock_unlock(context->db.g_ctx,
90 context->db.key_name);
96 static NTSTATUS netlogon_creds_cli_context_common(
97 const char *client_computer,
98 const char *client_account,
99 enum netr_SchannelType type,
100 enum dcerpc_AuthLevel auth_level,
101 uint32_t proposed_flags,
102 uint32_t required_flags,
103 const char *server_computer,
104 const char *server_netbios_domain,
106 struct netlogon_creds_cli_context **_context)
108 struct netlogon_creds_cli_context *context = NULL;
109 TALLOC_CTX *frame = talloc_stackframe();
110 char *_key_name = NULL;
111 char *server_netbios_name = NULL;
116 context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
117 if (context == NULL) {
119 return NT_STATUS_NO_MEMORY;
122 context->client.computer = talloc_strdup(context, client_computer);
123 if (context->client.computer == NULL) {
124 TALLOC_FREE(context);
126 return NT_STATUS_NO_MEMORY;
129 context->client.account = talloc_strdup(context, client_account);
130 if (context->client.account == NULL) {
131 TALLOC_FREE(context);
133 return NT_STATUS_NO_MEMORY;
136 context->client.proposed_flags = proposed_flags;
137 context->client.required_flags = required_flags;
138 context->client.type = type;
139 context->client.auth_level = auth_level;
141 context->server.computer = talloc_strdup(context, server_computer);
142 if (context->server.computer == NULL) {
143 TALLOC_FREE(context);
145 return NT_STATUS_NO_MEMORY;
148 context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
149 if (context->server.netbios_domain == NULL) {
150 TALLOC_FREE(context);
152 return NT_STATUS_NO_MEMORY;
157 * Force the callers to provide a unique
158 * value for server_computer and use this directly.
160 * For now we have to deal with
161 * "HOSTNAME" vs. "hostname.example.com".
163 server_netbios_name = talloc_strdup(frame, server_computer);
164 if (server_netbios_name == NULL) {
165 TALLOC_FREE(context);
167 return NT_STATUS_NO_MEMORY;
170 p = strchr(server_netbios_name, '.');
175 _key_name = talloc_asprintf(frame, "CLI[%s/%s]/SRV[%s/%s]",
179 server_netbios_domain);
180 if (_key_name == NULL) {
181 TALLOC_FREE(context);
183 return NT_STATUS_NO_MEMORY;
186 context->db.key_name = talloc_strdup_upper(context, _key_name);
187 if (context->db.key_name == NULL) {
188 TALLOC_FREE(context);
190 return NT_STATUS_NO_MEMORY;
193 context->db.key_data = string_term_tdb_data(context->db.key_name);
200 static struct db_context *netlogon_creds_cli_global_db;
202 NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db)
204 if (netlogon_creds_cli_global_db != NULL) {
205 return NT_STATUS_INVALID_PARAMETER_MIX;
208 netlogon_creds_cli_global_db = talloc_move(talloc_autofree_context(), db);
212 NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
215 struct db_context *global_db;
217 if (netlogon_creds_cli_global_db != NULL) {
221 fname = lpcfg_private_db_path(talloc_autofree_context(), lp_ctx, "netlogon_creds_cli");
223 return NT_STATUS_NO_MEMORY;
226 global_db = dbwrap_local_open(talloc_autofree_context(), lp_ctx,
228 TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
230 0600, DBWRAP_LOCK_ORDER_2,
232 if (global_db == NULL) {
233 DEBUG(0,("netlogon_creds_cli_open_global_db: Failed to open %s - %s\n",
234 fname, strerror(errno)));
236 return NT_STATUS_NO_MEMORY;
240 netlogon_creds_cli_global_db = global_db;
244 NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
245 struct messaging_context *msg_ctx,
246 const char *client_account,
247 enum netr_SchannelType type,
248 const char *server_computer,
249 const char *server_netbios_domain,
251 struct netlogon_creds_cli_context **_context)
253 TALLOC_CTX *frame = talloc_stackframe();
255 struct netlogon_creds_cli_context *context = NULL;
256 const char *client_computer;
257 uint32_t proposed_flags;
258 uint32_t required_flags = 0;
259 bool reject_md5_servers = false;
260 bool require_strong_key = false;
261 int require_sign_or_seal = true;
262 bool seal_secure_channel = true;
263 enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
264 bool neutralize_nt4_emulation = false;
268 client_computer = lpcfg_netbios_name(lp_ctx);
269 if (strlen(client_computer) > 15) {
270 return NT_STATUS_INVALID_PARAMETER_MIX;
274 * allow overwrite per domain
275 * reject md5 servers:<netbios_domain>
277 reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
278 reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
279 "reject md5 servers",
280 server_netbios_domain,
284 * allow overwrite per domain
285 * require strong key:<netbios_domain>
287 require_strong_key = lpcfg_require_strong_key(lp_ctx);
288 require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
289 "require strong key",
290 server_netbios_domain,
294 * allow overwrite per domain
295 * client schannel:<netbios_domain>
297 require_sign_or_seal = lpcfg_client_schannel(lp_ctx);
298 require_sign_or_seal = lpcfg_parm_int(lp_ctx, NULL,
300 server_netbios_domain,
301 require_sign_or_seal);
304 * allow overwrite per domain
305 * winbind sealed pipes:<netbios_domain>
307 seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
308 seal_secure_channel = lpcfg_parm_bool(lp_ctx, NULL,
309 "winbind sealed pipes",
310 server_netbios_domain,
311 seal_secure_channel);
314 * allow overwrite per domain
315 * neutralize nt4 emulation:<netbios_domain>
317 neutralize_nt4_emulation = lpcfg_neutralize_nt4_emulation(lp_ctx);
318 neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
319 "neutralize nt4 emulation",
320 server_netbios_domain,
321 neutralize_nt4_emulation);
323 proposed_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
324 proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
328 if (lpcfg_security(lp_ctx) == SEC_ADS) {
330 * AD domains should be secure
332 required_flags |= NETLOGON_NEG_PASSWORD_SET2;
333 require_sign_or_seal = true;
334 require_strong_key = true;
338 case SEC_CHAN_DOMAIN:
341 case SEC_CHAN_DNS_DOMAIN:
343 * AD domains should be secure
345 required_flags |= NETLOGON_NEG_PASSWORD_SET2;
346 require_sign_or_seal = true;
347 require_strong_key = true;
348 neutralize_nt4_emulation = true;
352 required_flags |= NETLOGON_NEG_PASSWORD_SET2;
353 require_sign_or_seal = true;
354 require_strong_key = true;
358 required_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
359 required_flags |= NETLOGON_NEG_PASSWORD_SET2;
360 require_sign_or_seal = true;
361 require_strong_key = true;
362 neutralize_nt4_emulation = true;
367 return NT_STATUS_INVALID_PARAMETER;
370 if (neutralize_nt4_emulation) {
371 proposed_flags |= NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
374 if (require_sign_or_seal == false) {
375 proposed_flags &= ~NETLOGON_NEG_AUTHENTICATED_RPC;
377 required_flags |= NETLOGON_NEG_ARCFOUR;
378 required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
381 if (reject_md5_servers) {
382 required_flags |= NETLOGON_NEG_ARCFOUR;
383 required_flags |= NETLOGON_NEG_PASSWORD_SET2;
384 required_flags |= NETLOGON_NEG_SUPPORTS_AES;
385 required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
388 if (require_strong_key) {
389 required_flags |= NETLOGON_NEG_ARCFOUR;
390 required_flags |= NETLOGON_NEG_STRONG_KEYS;
391 required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
394 proposed_flags |= required_flags;
396 if (seal_secure_channel) {
397 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
399 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
402 status = netlogon_creds_cli_context_common(client_computer,
409 server_netbios_domain,
412 if (!NT_STATUS_IS_OK(status)) {
417 if (msg_ctx != NULL) {
418 context->db.g_ctx = g_lock_ctx_init(context, msg_ctx);
419 if (context->db.g_ctx == NULL) {
420 TALLOC_FREE(context);
422 return NT_STATUS_NO_MEMORY;
426 if (netlogon_creds_cli_global_db != NULL) {
427 context->db.ctx = netlogon_creds_cli_global_db;
433 status = netlogon_creds_cli_open_global_db(lp_ctx);
434 if (!NT_STATUS_IS_OK(status)) {
435 TALLOC_FREE(context);
437 return NT_STATUS_NO_MEMORY;
440 context->db.ctx = netlogon_creds_cli_global_db;
446 NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
447 const char *client_account,
448 enum netr_SchannelType type,
449 uint32_t proposed_flags,
450 uint32_t required_flags,
451 enum dcerpc_AuthLevel auth_level,
452 const char *server_computer,
453 const char *server_netbios_domain,
455 struct netlogon_creds_cli_context **_context)
458 struct netlogon_creds_cli_context *context = NULL;
462 status = netlogon_creds_cli_context_common(client_computer,
469 server_netbios_domain,
472 if (!NT_STATUS_IS_OK(status)) {
476 context->db.ctx = db_open_rbt(context);
477 if (context->db.ctx == NULL) {
478 talloc_free(context);
479 return NT_STATUS_NO_MEMORY;
486 enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
487 struct netlogon_creds_cli_context *context)
489 return context->client.auth_level;
492 struct netlogon_creds_cli_fetch_state {
494 struct netlogon_creds_CredentialState *creds;
495 uint32_t required_flags;
499 static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
502 struct netlogon_creds_cli_fetch_state *state =
503 (struct netlogon_creds_cli_fetch_state *)private_data;
504 enum ndr_err_code ndr_err;
508 state->creds = talloc_zero(state->mem_ctx,
509 struct netlogon_creds_CredentialState);
510 if (state->creds == NULL) {
511 state->status = NT_STATUS_NO_MEMORY;
515 blob.data = data.dptr;
516 blob.length = data.dsize;
518 ndr_err = ndr_pull_struct_blob(&blob, state->creds, state->creds,
519 (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
520 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
521 TALLOC_FREE(state->creds);
522 state->status = ndr_map_error2ntstatus(ndr_err);
526 tmp_flags = state->creds->negotiate_flags;
527 tmp_flags &= state->required_flags;
528 if (tmp_flags != state->required_flags) {
529 TALLOC_FREE(state->creds);
530 state->status = NT_STATUS_DOWNGRADE_DETECTED;
534 state->status = NT_STATUS_OK;
537 NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
539 struct netlogon_creds_CredentialState **_creds)
542 struct netlogon_creds_cli_fetch_state fstate = {
544 .status = NT_STATUS_INTERNAL_ERROR,
545 .required_flags = context->client.required_flags,
547 static const struct netr_Credential zero_creds;
551 status = dbwrap_parse_record(context->db.ctx,
552 context->db.key_data,
553 netlogon_creds_cli_fetch_parser,
555 if (!NT_STATUS_IS_OK(status)) {
558 status = fstate.status;
559 if (!NT_STATUS_IS_OK(status)) {
564 * mark it as invalid for step operations.
566 fstate.creds->sequence = 0;
567 fstate.creds->seed = zero_creds;
568 fstate.creds->client = zero_creds;
569 fstate.creds->server = zero_creds;
571 if (context->server.cached_flags == fstate.creds->negotiate_flags) {
572 *_creds = fstate.creds;
577 * It is really important to try SamLogonEx here,
578 * because multiple processes can talk to the same
579 * domain controller, without using the credential
582 * With a normal SamLogon call, we must keep the
583 * credentials chain updated and intact between all
584 * users of the machine account (which would imply
585 * cross-node communication for every NTLM logon).
587 * The credentials chain is not per NETLOGON pipe
588 * connection, but globally on the server/client pair
589 * by computer name, while the client is free to use
590 * any computer name. We include the cluster node number
591 * in our computer name in order to avoid cross node
592 * coordination of the credential chain.
594 * It's also important to use NetlogonValidationSamInfo4 (6),
595 * because it relies on the rpc transport encryption
596 * and avoids using the global netlogon schannel
597 * session key to en/decrypt secret information
598 * like the user_session_key for network logons.
600 * [MS-APDS] 3.1.5.2 NTLM Network Logon
601 * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
602 * NETLOGON_NEG_AUTHENTICATED_RPC set together
603 * are the indication that the server supports
604 * NetlogonValidationSamInfo4 (6). And it must only
605 * be used if "SealSecureChannel" is used.
607 * The "SealSecureChannel" AUTH_TYPE_SCHANNEL/AUTH_LEVEL_PRIVACY
608 * check is done in netlogon_creds_cli_LogonSamLogon*().
610 context->server.cached_flags = fstate.creds->negotiate_flags;
611 context->server.try_validation6 = true;
612 context->server.try_logon_ex = true;
613 context->server.try_logon_with = true;
615 if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
616 context->server.try_validation6 = false;
617 context->server.try_logon_ex = false;
619 if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
620 context->server.try_validation6 = false;
623 *_creds = fstate.creds;
627 bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
628 const struct netlogon_creds_CredentialState *creds1)
630 TALLOC_CTX *frame = talloc_stackframe();
631 struct netlogon_creds_CredentialState *creds2;
635 enum ndr_err_code ndr_err;
638 status = netlogon_creds_cli_get(context, frame, &creds2);
639 if (!NT_STATUS_IS_OK(status)) {
644 ndr_err = ndr_push_struct_blob(&blob1, frame, creds1,
645 (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
646 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
651 ndr_err = ndr_push_struct_blob(&blob2, frame, creds2,
652 (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
653 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
658 if (blob1.length != blob2.length) {
663 cmp = memcmp(blob1.data, blob2.data, blob1.length);
673 NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
674 struct netlogon_creds_CredentialState **_creds)
676 struct netlogon_creds_CredentialState *creds = *_creds;
678 enum ndr_err_code ndr_err;
684 if (context->db.locked_state == NULL) {
686 * this was not the result of netlogon_creds_cli_lock*()
689 return NT_STATUS_INVALID_PAGE_PROTECTION;
692 if (context->db.locked_state->creds != creds) {
694 * this was not the result of netlogon_creds_cli_lock*()
697 return NT_STATUS_INVALID_PAGE_PROTECTION;
700 ndr_err = ndr_push_struct_blob(&blob, creds, creds,
701 (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
702 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
704 status = ndr_map_error2ntstatus(ndr_err);
708 data.dptr = blob.data;
709 data.dsize = blob.length;
711 status = dbwrap_store(context->db.ctx,
712 context->db.key_data,
715 if (!NT_STATUS_IS_OK(status)) {
722 NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
723 struct netlogon_creds_CredentialState **_creds)
725 struct netlogon_creds_CredentialState *creds = *_creds;
730 if (context->db.locked_state == NULL) {
732 * this was not the result of netlogon_creds_cli_lock*()
735 return NT_STATUS_INVALID_PAGE_PROTECTION;
738 if (context->db.locked_state->creds != creds) {
740 * this was not the result of netlogon_creds_cli_lock*()
743 return NT_STATUS_INVALID_PAGE_PROTECTION;
746 status = dbwrap_delete(context->db.ctx,
747 context->db.key_data);
749 if (!NT_STATUS_IS_OK(status)) {
756 struct netlogon_creds_cli_lock_state {
757 struct netlogon_creds_cli_locked_state *locked_state;
758 struct netlogon_creds_CredentialState *creds;
761 static void netlogon_creds_cli_lock_done(struct tevent_req *subreq);
762 static void netlogon_creds_cli_lock_fetch(struct tevent_req *req);
764 struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
765 struct tevent_context *ev,
766 struct netlogon_creds_cli_context *context)
768 struct tevent_req *req;
769 struct netlogon_creds_cli_lock_state *state;
770 struct netlogon_creds_cli_locked_state *locked_state;
771 struct tevent_req *subreq;
773 req = tevent_req_create(mem_ctx, &state,
774 struct netlogon_creds_cli_lock_state);
779 if (context->db.locked_state != NULL) {
780 tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
781 return tevent_req_post(req, ev);
784 locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
785 if (tevent_req_nomem(locked_state, req)) {
786 return tevent_req_post(req, ev);
788 talloc_set_destructor(locked_state,
789 netlogon_creds_cli_locked_state_destructor);
790 locked_state->context = context;
792 context->db.locked_state = locked_state;
793 state->locked_state = locked_state;
795 if (context->db.g_ctx == NULL) {
796 netlogon_creds_cli_lock_fetch(req);
797 if (!tevent_req_is_in_progress(req)) {
798 return tevent_req_post(req, ev);
804 subreq = g_lock_lock_send(state, ev,
806 context->db.key_name,
808 if (tevent_req_nomem(subreq, req)) {
809 return tevent_req_post(req, ev);
811 tevent_req_set_callback(subreq, netlogon_creds_cli_lock_done, req);
816 static void netlogon_creds_cli_lock_done(struct tevent_req *subreq)
818 struct tevent_req *req =
819 tevent_req_callback_data(subreq,
821 struct netlogon_creds_cli_lock_state *state =
823 struct netlogon_creds_cli_lock_state);
826 status = g_lock_lock_recv(subreq);
828 if (tevent_req_nterror(req, status)) {
831 state->locked_state->is_glocked = true;
833 netlogon_creds_cli_lock_fetch(req);
836 static void netlogon_creds_cli_lock_fetch(struct tevent_req *req)
838 struct netlogon_creds_cli_lock_state *state =
840 struct netlogon_creds_cli_lock_state);
841 struct netlogon_creds_cli_context *context = state->locked_state->context;
842 struct netlogon_creds_cli_fetch_state fstate = {
843 .status = NT_STATUS_INTERNAL_ERROR,
844 .required_flags = context->client.required_flags,
848 fstate.mem_ctx = state;
849 status = dbwrap_parse_record(context->db.ctx,
850 context->db.key_data,
851 netlogon_creds_cli_fetch_parser,
853 if (tevent_req_nterror(req, status)) {
856 status = fstate.status;
857 if (tevent_req_nterror(req, status)) {
861 if (context->server.cached_flags == fstate.creds->negotiate_flags) {
862 state->creds = fstate.creds;
863 tevent_req_done(req);
867 context->server.cached_flags = fstate.creds->negotiate_flags;
868 context->server.try_validation6 = true;
869 context->server.try_logon_ex = true;
870 context->server.try_logon_with = true;
872 if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
873 context->server.try_validation6 = false;
874 context->server.try_logon_ex = false;
876 if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
877 context->server.try_validation6 = false;
880 state->creds = fstate.creds;
881 tevent_req_done(req);
885 NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
887 struct netlogon_creds_CredentialState **creds)
889 struct netlogon_creds_cli_lock_state *state =
891 struct netlogon_creds_cli_lock_state);
894 if (tevent_req_is_nterror(req, &status)) {
895 tevent_req_received(req);
899 talloc_steal(state->creds, state->locked_state);
900 state->locked_state->creds = state->creds;
901 *creds = talloc_move(mem_ctx, &state->creds);
902 tevent_req_received(req);
906 NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
908 struct netlogon_creds_CredentialState **creds)
910 TALLOC_CTX *frame = talloc_stackframe();
911 struct tevent_context *ev;
912 struct tevent_req *req;
913 NTSTATUS status = NT_STATUS_NO_MEMORY;
915 ev = samba_tevent_context_init(frame);
919 req = netlogon_creds_cli_lock_send(frame, ev, context);
923 if (!tevent_req_poll_ntstatus(req, ev, &status)) {
926 status = netlogon_creds_cli_lock_recv(req, mem_ctx, creds);
932 struct netlogon_creds_cli_auth_state {
933 struct tevent_context *ev;
934 struct netlogon_creds_cli_context *context;
935 struct dcerpc_binding_handle *binding_handle;
936 struct samr_Password current_nt_hash;
937 struct samr_Password previous_nt_hash;
938 struct samr_Password used_nt_hash;
939 char *srv_name_slash;
940 uint32_t current_flags;
941 struct netr_Credential client_challenge;
942 struct netr_Credential server_challenge;
943 struct netlogon_creds_CredentialState *creds;
944 struct netr_Credential client_credential;
945 struct netr_Credential server_credential;
950 bool try_previous_nt_hash;
951 struct netlogon_creds_cli_locked_state *locked_state;
954 static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq);
955 static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req);
957 struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
958 struct tevent_context *ev,
959 struct netlogon_creds_cli_context *context,
960 struct dcerpc_binding_handle *b,
961 struct samr_Password current_nt_hash,
962 const struct samr_Password *previous_nt_hash)
964 struct tevent_req *req;
965 struct netlogon_creds_cli_auth_state *state;
966 struct netlogon_creds_cli_locked_state *locked_state;
969 req = tevent_req_create(mem_ctx, &state,
970 struct netlogon_creds_cli_auth_state);
976 state->context = context;
977 state->binding_handle = b;
978 state->current_nt_hash = current_nt_hash;
979 if (previous_nt_hash != NULL) {
980 state->previous_nt_hash = *previous_nt_hash;
981 state->try_previous_nt_hash = true;
984 if (context->db.locked_state != NULL) {
985 tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
986 return tevent_req_post(req, ev);
989 locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
990 if (tevent_req_nomem(locked_state, req)) {
991 return tevent_req_post(req, ev);
993 talloc_set_destructor(locked_state,
994 netlogon_creds_cli_locked_state_destructor);
995 locked_state->context = context;
997 context->db.locked_state = locked_state;
998 state->locked_state = locked_state;
1000 state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
1001 context->server.computer);
1002 if (tevent_req_nomem(state->srv_name_slash, req)) {
1003 return tevent_req_post(req, ev);
1006 state->try_auth3 = true;
1007 state->try_auth2 = true;
1009 if (context->client.required_flags != 0) {
1010 state->require_auth2 = true;
1013 state->used_nt_hash = state->current_nt_hash;
1014 state->current_flags = context->client.proposed_flags;
1016 if (context->db.g_ctx != NULL) {
1017 struct tevent_req *subreq;
1019 subreq = g_lock_lock_send(state, ev,
1021 context->db.key_name,
1023 if (tevent_req_nomem(subreq, req)) {
1024 return tevent_req_post(req, ev);
1026 tevent_req_set_callback(subreq,
1027 netlogon_creds_cli_auth_locked,
1033 status = dbwrap_delete(state->context->db.ctx,
1034 state->context->db.key_data);
1035 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
1036 status = NT_STATUS_OK;
1038 if (tevent_req_nterror(req, status)) {
1039 return tevent_req_post(req, ev);
1042 netlogon_creds_cli_auth_challenge_start(req);
1043 if (!tevent_req_is_in_progress(req)) {
1044 return tevent_req_post(req, ev);
1050 static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq)
1052 struct tevent_req *req =
1053 tevent_req_callback_data(subreq,
1055 struct netlogon_creds_cli_auth_state *state =
1056 tevent_req_data(req,
1057 struct netlogon_creds_cli_auth_state);
1060 status = g_lock_lock_recv(subreq);
1061 TALLOC_FREE(subreq);
1062 if (tevent_req_nterror(req, status)) {
1065 state->locked_state->is_glocked = true;
1067 status = dbwrap_delete(state->context->db.ctx,
1068 state->context->db.key_data);
1069 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
1070 status = NT_STATUS_OK;
1072 if (tevent_req_nterror(req, status)) {
1076 netlogon_creds_cli_auth_challenge_start(req);
1079 static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq);
1081 static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
1083 struct netlogon_creds_cli_auth_state *state =
1084 tevent_req_data(req,
1085 struct netlogon_creds_cli_auth_state);
1086 struct tevent_req *subreq;
1088 TALLOC_FREE(state->creds);
1090 generate_random_buffer(state->client_challenge.data,
1091 sizeof(state->client_challenge.data));
1093 subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
1094 state->binding_handle,
1095 state->srv_name_slash,
1096 state->context->client.computer,
1097 &state->client_challenge,
1098 &state->server_challenge);
1099 if (tevent_req_nomem(subreq, req)) {
1102 tevent_req_set_callback(subreq,
1103 netlogon_creds_cli_auth_challenge_done,
1107 static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq);
1109 static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq)
1111 struct tevent_req *req =
1112 tevent_req_callback_data(subreq,
1114 struct netlogon_creds_cli_auth_state *state =
1115 tevent_req_data(req,
1116 struct netlogon_creds_cli_auth_state);
1120 status = dcerpc_netr_ServerReqChallenge_recv(subreq, state, &result);
1121 TALLOC_FREE(subreq);
1122 if (tevent_req_nterror(req, status)) {
1125 if (tevent_req_nterror(req, result)) {
1129 if (!state->try_auth3 && !state->try_auth2) {
1130 state->current_flags = 0;
1133 /* Calculate the session key and client credentials */
1135 state->creds = netlogon_creds_client_init(state,
1136 state->context->client.account,
1137 state->context->client.computer,
1138 state->context->client.type,
1139 &state->client_challenge,
1140 &state->server_challenge,
1141 &state->used_nt_hash,
1142 &state->client_credential,
1143 state->current_flags);
1144 if (tevent_req_nomem(state->creds, req)) {
1148 if (state->try_auth3) {
1149 subreq = dcerpc_netr_ServerAuthenticate3_send(state, state->ev,
1150 state->binding_handle,
1151 state->srv_name_slash,
1152 state->context->client.account,
1153 state->context->client.type,
1154 state->context->client.computer,
1155 &state->client_credential,
1156 &state->server_credential,
1157 &state->creds->negotiate_flags,
1159 if (tevent_req_nomem(subreq, req)) {
1162 } else if (state->try_auth2) {
1165 subreq = dcerpc_netr_ServerAuthenticate2_send(state, state->ev,
1166 state->binding_handle,
1167 state->srv_name_slash,
1168 state->context->client.account,
1169 state->context->client.type,
1170 state->context->client.computer,
1171 &state->client_credential,
1172 &state->server_credential,
1173 &state->creds->negotiate_flags);
1174 if (tevent_req_nomem(subreq, req)) {
1180 subreq = dcerpc_netr_ServerAuthenticate_send(state, state->ev,
1181 state->binding_handle,
1182 state->srv_name_slash,
1183 state->context->client.account,
1184 state->context->client.type,
1185 state->context->client.computer,
1186 &state->client_credential,
1187 &state->server_credential);
1188 if (tevent_req_nomem(subreq, req)) {
1192 tevent_req_set_callback(subreq,
1193 netlogon_creds_cli_auth_srvauth_done,
1197 static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
1199 struct tevent_req *req =
1200 tevent_req_callback_data(subreq,
1202 struct netlogon_creds_cli_auth_state *state =
1203 tevent_req_data(req,
1204 struct netlogon_creds_cli_auth_state);
1208 enum ndr_err_code ndr_err;
1213 if (state->try_auth3) {
1214 status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state,
1216 TALLOC_FREE(subreq);
1217 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
1218 state->try_auth3 = false;
1219 netlogon_creds_cli_auth_challenge_start(req);
1222 if (tevent_req_nterror(req, status)) {
1225 } else if (state->try_auth2) {
1226 status = dcerpc_netr_ServerAuthenticate2_recv(subreq, state,
1228 TALLOC_FREE(subreq);
1229 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
1230 state->try_auth2 = false;
1231 if (state->require_auth2) {
1232 status = NT_STATUS_DOWNGRADE_DETECTED;
1233 tevent_req_nterror(req, status);
1236 netlogon_creds_cli_auth_challenge_start(req);
1239 if (tevent_req_nterror(req, status)) {
1243 status = dcerpc_netr_ServerAuthenticate_recv(subreq, state,
1245 TALLOC_FREE(subreq);
1246 if (tevent_req_nterror(req, status)) {
1251 if (!NT_STATUS_IS_OK(result) &&
1252 !NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED))
1254 tevent_req_nterror(req, result);
1258 tmp_flags = state->creds->negotiate_flags;
1259 tmp_flags &= state->context->client.required_flags;
1260 if (tmp_flags != state->context->client.required_flags) {
1261 if (NT_STATUS_IS_OK(result)) {
1262 tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED);
1265 tevent_req_nterror(req, result);
1269 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
1271 tmp_flags = state->context->client.proposed_flags;
1272 if ((state->current_flags == tmp_flags) &&
1273 (state->creds->negotiate_flags != tmp_flags))
1276 * lets retry with the negotiated flags
1278 state->current_flags = state->creds->negotiate_flags;
1279 netlogon_creds_cli_auth_challenge_start(req);
1283 if (!state->try_previous_nt_hash) {
1285 * we already retried, giving up...
1287 tevent_req_nterror(req, result);
1292 * lets retry with the old nt hash.
1294 state->try_previous_nt_hash = false;
1295 state->used_nt_hash = state->previous_nt_hash;
1296 state->current_flags = state->context->client.proposed_flags;
1297 netlogon_creds_cli_auth_challenge_start(req);
1301 ok = netlogon_creds_client_check(state->creds,
1302 &state->server_credential);
1304 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
1308 ndr_err = ndr_push_struct_blob(&blob, state, state->creds,
1309 (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
1310 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1311 status = ndr_map_error2ntstatus(ndr_err);
1312 tevent_req_nterror(req, status);
1316 data.dptr = blob.data;
1317 data.dsize = blob.length;
1319 status = dbwrap_store(state->context->db.ctx,
1320 state->context->db.key_data,
1322 TALLOC_FREE(state->locked_state);
1323 if (tevent_req_nterror(req, status)) {
1327 tevent_req_done(req);
1330 NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req)
1334 if (tevent_req_is_nterror(req, &status)) {
1335 tevent_req_received(req);
1339 tevent_req_received(req);
1340 return NT_STATUS_OK;
1343 NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
1344 struct dcerpc_binding_handle *b,
1345 struct samr_Password current_nt_hash,
1346 const struct samr_Password *previous_nt_hash)
1348 TALLOC_CTX *frame = talloc_stackframe();
1349 struct tevent_context *ev;
1350 struct tevent_req *req;
1351 NTSTATUS status = NT_STATUS_NO_MEMORY;
1353 ev = samba_tevent_context_init(frame);
1357 req = netlogon_creds_cli_auth_send(frame, ev, context, b,
1363 if (!tevent_req_poll_ntstatus(req, ev, &status)) {
1366 status = netlogon_creds_cli_auth_recv(req);
1372 struct netlogon_creds_cli_check_state {
1373 struct tevent_context *ev;
1374 struct netlogon_creds_cli_context *context;
1375 struct dcerpc_binding_handle *binding_handle;
1377 char *srv_name_slash;
1379 union netr_Capabilities caps;
1381 struct netlogon_creds_CredentialState *creds;
1382 struct netlogon_creds_CredentialState tmp_creds;
1383 struct netr_Authenticator req_auth;
1384 struct netr_Authenticator rep_auth;
1387 static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
1389 static void netlogon_creds_cli_check_locked(struct tevent_req *subreq);
1391 struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
1392 struct tevent_context *ev,
1393 struct netlogon_creds_cli_context *context,
1394 struct dcerpc_binding_handle *b)
1396 struct tevent_req *req;
1397 struct netlogon_creds_cli_check_state *state;
1398 struct tevent_req *subreq;
1399 enum dcerpc_AuthType auth_type;
1400 enum dcerpc_AuthLevel auth_level;
1402 req = tevent_req_create(mem_ctx, &state,
1403 struct netlogon_creds_cli_check_state);
1409 state->context = context;
1410 state->binding_handle = b;
1412 state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
1413 context->server.computer);
1414 if (tevent_req_nomem(state->srv_name_slash, req)) {
1415 return tevent_req_post(req, ev);
1418 dcerpc_binding_handle_auth_info(state->binding_handle,
1419 &auth_type, &auth_level);
1421 if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1422 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
1423 return tevent_req_post(req, ev);
1426 switch (auth_level) {
1427 case DCERPC_AUTH_LEVEL_INTEGRITY:
1428 case DCERPC_AUTH_LEVEL_PRIVACY:
1431 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
1432 return tevent_req_post(req, ev);
1435 subreq = netlogon_creds_cli_lock_send(state, state->ev,
1437 if (tevent_req_nomem(subreq, req)) {
1438 return tevent_req_post(req, ev);
1441 tevent_req_set_callback(subreq,
1442 netlogon_creds_cli_check_locked,
1448 static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
1451 struct netlogon_creds_cli_check_state *state =
1452 tevent_req_data(req,
1453 struct netlogon_creds_cli_check_state);
1455 if (state->creds == NULL) {
1459 if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
1460 !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
1461 !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
1462 !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
1463 !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
1464 TALLOC_FREE(state->creds);
1468 netlogon_creds_cli_delete(state->context, &state->creds);
1471 static void netlogon_creds_cli_check_caps(struct tevent_req *subreq);
1473 static void netlogon_creds_cli_check_locked(struct tevent_req *subreq)
1475 struct tevent_req *req =
1476 tevent_req_callback_data(subreq,
1478 struct netlogon_creds_cli_check_state *state =
1479 tevent_req_data(req,
1480 struct netlogon_creds_cli_check_state);
1483 status = netlogon_creds_cli_lock_recv(subreq, state,
1485 TALLOC_FREE(subreq);
1486 if (tevent_req_nterror(req, status)) {
1491 * we defer all callbacks in order to cleanup
1492 * the database record.
1494 tevent_req_defer_callback(req, state->ev);
1496 state->tmp_creds = *state->creds;
1497 netlogon_creds_client_authenticator(&state->tmp_creds,
1499 ZERO_STRUCT(state->rep_auth);
1501 subreq = dcerpc_netr_LogonGetCapabilities_send(state, state->ev,
1502 state->binding_handle,
1503 state->srv_name_slash,
1504 state->context->client.computer,
1509 if (tevent_req_nomem(subreq, req)) {
1510 status = NT_STATUS_NO_MEMORY;
1511 netlogon_creds_cli_check_cleanup(req, status);
1514 tevent_req_set_callback(subreq,
1515 netlogon_creds_cli_check_caps,
1519 static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
1521 struct tevent_req *req =
1522 tevent_req_callback_data(subreq,
1524 struct netlogon_creds_cli_check_state *state =
1525 tevent_req_data(req,
1526 struct netlogon_creds_cli_check_state);
1531 status = dcerpc_netr_LogonGetCapabilities_recv(subreq, state,
1533 TALLOC_FREE(subreq);
1534 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
1536 * Note that the negotiated flags are already checked
1537 * for our required flags after the ServerAuthenticate3/2 call.
1539 uint32_t negotiated = state->tmp_creds.negotiate_flags;
1541 if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
1543 * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
1544 * already, we expect this to work!
1546 status = NT_STATUS_DOWNGRADE_DETECTED;
1547 tevent_req_nterror(req, status);
1548 netlogon_creds_cli_check_cleanup(req, status);
1552 if (negotiated & NETLOGON_NEG_STRONG_KEYS) {
1554 * If we have negotiated NETLOGON_NEG_STRONG_KEYS
1555 * we expect this to work at least as far as the
1556 * NOT_SUPPORTED error handled below!
1558 * NT 4.0 and Old Samba servers are not
1559 * allowed without "require strong key = no"
1561 status = NT_STATUS_DOWNGRADE_DETECTED;
1562 tevent_req_nterror(req, status);
1563 netlogon_creds_cli_check_cleanup(req, status);
1568 * If we not require NETLOGON_NEG_SUPPORTS_AES or
1569 * NETLOGON_NEG_STRONG_KEYS, it's ok to ignore
1570 * NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
1572 * This is needed against NT 4.0 and old Samba servers.
1574 * As we're using DCERPC_AUTH_TYPE_SCHANNEL with
1575 * DCERPC_AUTH_LEVEL_INTEGRITY or DCERPC_AUTH_LEVEL_PRIVACY
1576 * we should detect a faked NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
1577 * with the next request as the sequence number processing
1580 netlogon_creds_cli_check_cleanup(req, status);
1581 tevent_req_done(req);
1584 if (tevent_req_nterror(req, status)) {
1585 netlogon_creds_cli_check_cleanup(req, status);
1589 if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
1591 * Note that the negotiated flags are already checked
1592 * for our required flags after the ServerAuthenticate3/2 call.
1594 uint32_t negotiated = state->tmp_creds.negotiate_flags;
1596 if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
1598 * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
1599 * already, we expect this to work!
1601 status = NT_STATUS_DOWNGRADE_DETECTED;
1602 tevent_req_nterror(req, status);
1603 netlogon_creds_cli_check_cleanup(req, status);
1608 * This is ok, the server does not support
1609 * NETLOGON_NEG_SUPPORTS_AES.
1611 * netr_LogonGetCapabilities() was
1612 * netr_LogonDummyRoutine1() before
1613 * NETLOGON_NEG_SUPPORTS_AES was invented.
1615 netlogon_creds_cli_check_cleanup(req, result);
1616 tevent_req_done(req);
1620 ok = netlogon_creds_client_check(&state->tmp_creds,
1621 &state->rep_auth.cred);
1623 status = NT_STATUS_ACCESS_DENIED;
1624 tevent_req_nterror(req, status);
1625 netlogon_creds_cli_check_cleanup(req, status);
1629 if (tevent_req_nterror(req, result)) {
1630 netlogon_creds_cli_check_cleanup(req, result);
1634 if (state->caps.server_capabilities != state->tmp_creds.negotiate_flags) {
1635 status = NT_STATUS_DOWNGRADE_DETECTED;
1636 tevent_req_nterror(req, status);
1637 netlogon_creds_cli_check_cleanup(req, status);
1642 * This is the key check that makes this check secure. If we
1643 * get OK here (rather than NOT_SUPPORTED), then the server
1644 * did support AES. If the server only proposed STRONG_KEYS
1645 * and not AES, then it should have failed with
1646 * NOT_IMPLEMENTED. We always send AES as a client, so the
1647 * server should always have returned it.
1649 if (!(state->caps.server_capabilities & NETLOGON_NEG_SUPPORTS_AES)) {
1650 status = NT_STATUS_DOWNGRADE_DETECTED;
1651 tevent_req_nterror(req, status);
1652 netlogon_creds_cli_check_cleanup(req, status);
1656 *state->creds = state->tmp_creds;
1657 status = netlogon_creds_cli_store(state->context,
1659 netlogon_creds_cli_check_cleanup(req, status);
1660 if (tevent_req_nterror(req, status)) {
1664 tevent_req_done(req);
1667 NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req)
1671 if (tevent_req_is_nterror(req, &status)) {
1672 netlogon_creds_cli_check_cleanup(req, status);
1673 tevent_req_received(req);
1677 tevent_req_received(req);
1678 return NT_STATUS_OK;
1681 NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
1682 struct dcerpc_binding_handle *b)
1684 TALLOC_CTX *frame = talloc_stackframe();
1685 struct tevent_context *ev;
1686 struct tevent_req *req;
1687 NTSTATUS status = NT_STATUS_NO_MEMORY;
1689 ev = samba_tevent_context_init(frame);
1693 req = netlogon_creds_cli_check_send(frame, ev, context, b);
1697 if (!tevent_req_poll_ntstatus(req, ev, &status)) {
1700 status = netlogon_creds_cli_check_recv(req);
1706 struct netlogon_creds_cli_ServerPasswordSet_state {
1707 struct tevent_context *ev;
1708 struct netlogon_creds_cli_context *context;
1709 struct dcerpc_binding_handle *binding_handle;
1710 uint32_t old_timeout;
1712 char *srv_name_slash;
1713 enum dcerpc_AuthType auth_type;
1714 enum dcerpc_AuthLevel auth_level;
1716 struct samr_CryptPassword samr_crypt_password;
1717 struct netr_CryptPassword netr_crypt_password;
1718 struct samr_Password samr_password;
1720 struct netlogon_creds_CredentialState *creds;
1721 struct netlogon_creds_CredentialState tmp_creds;
1722 struct netr_Authenticator req_auth;
1723 struct netr_Authenticator rep_auth;
1726 static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
1728 static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq);
1730 struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
1731 struct tevent_context *ev,
1732 struct netlogon_creds_cli_context *context,
1733 struct dcerpc_binding_handle *b,
1734 const char *new_password,
1735 const uint32_t *new_version)
1737 struct tevent_req *req;
1738 struct netlogon_creds_cli_ServerPasswordSet_state *state;
1739 struct tevent_req *subreq;
1742 req = tevent_req_create(mem_ctx, &state,
1743 struct netlogon_creds_cli_ServerPasswordSet_state);
1749 state->context = context;
1750 state->binding_handle = b;
1753 * netr_ServerPasswordSet
1755 E_md4hash(new_password, state->samr_password.hash);
1758 * netr_ServerPasswordSet2
1760 ok = encode_pw_buffer(state->samr_crypt_password.data,
1761 new_password, STR_UNICODE);
1763 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
1764 return tevent_req_post(req, ev);
1767 if (new_version != NULL) {
1768 struct NL_PASSWORD_VERSION version;
1769 uint32_t len = IVAL(state->samr_crypt_password.data, 512);
1770 uint32_t ofs = 512 - len;
1774 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
1775 return tevent_req_post(req, ev);
1779 version.ReservedField = 0;
1780 version.PasswordVersionNumber = *new_version;
1781 version.PasswordVersionPresent =
1782 NETLOGON_PASSWORD_VERSION_NUMBER_PRESENT;
1784 p = state->samr_crypt_password.data + ofs;
1785 SIVAL(p, 0, version.ReservedField);
1786 SIVAL(p, 4, version.PasswordVersionNumber);
1787 SIVAL(p, 8, version.PasswordVersionPresent);
1790 state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
1791 context->server.computer);
1792 if (tevent_req_nomem(state->srv_name_slash, req)) {
1793 return tevent_req_post(req, ev);
1796 dcerpc_binding_handle_auth_info(state->binding_handle,
1798 &state->auth_level);
1800 subreq = netlogon_creds_cli_lock_send(state, state->ev,
1802 if (tevent_req_nomem(subreq, req)) {
1803 return tevent_req_post(req, ev);
1806 tevent_req_set_callback(subreq,
1807 netlogon_creds_cli_ServerPasswordSet_locked,
1813 static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
1816 struct netlogon_creds_cli_ServerPasswordSet_state *state =
1817 tevent_req_data(req,
1818 struct netlogon_creds_cli_ServerPasswordSet_state);
1820 if (state->creds == NULL) {
1824 dcerpc_binding_handle_set_timeout(state->binding_handle,
1825 state->old_timeout);
1827 if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
1828 !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
1829 !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
1830 !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
1831 !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
1832 TALLOC_FREE(state->creds);
1836 netlogon_creds_cli_delete(state->context, &state->creds);
1839 static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq);
1841 static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq)
1843 struct tevent_req *req =
1844 tevent_req_callback_data(subreq,
1846 struct netlogon_creds_cli_ServerPasswordSet_state *state =
1847 tevent_req_data(req,
1848 struct netlogon_creds_cli_ServerPasswordSet_state);
1851 status = netlogon_creds_cli_lock_recv(subreq, state,
1853 TALLOC_FREE(subreq);
1854 if (tevent_req_nterror(req, status)) {
1858 if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
1859 switch (state->auth_level) {
1860 case DCERPC_AUTH_LEVEL_INTEGRITY:
1861 case DCERPC_AUTH_LEVEL_PRIVACY:
1864 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
1868 uint32_t tmp = state->creds->negotiate_flags;
1870 if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
1872 * if DCERPC_AUTH_TYPE_SCHANNEL is supported
1873 * it should be used, which means
1874 * we had a chance to verify no downgrade
1877 * This relies on netlogon_creds_cli_check*
1878 * being called before, as first request after
1881 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
1886 state->old_timeout = dcerpc_binding_handle_set_timeout(
1887 state->binding_handle, 600000);
1890 * we defer all callbacks in order to cleanup
1891 * the database record.
1893 tevent_req_defer_callback(req, state->ev);
1895 state->tmp_creds = *state->creds;
1896 netlogon_creds_client_authenticator(&state->tmp_creds,
1898 ZERO_STRUCT(state->rep_auth);
1900 if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
1902 if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
1903 netlogon_creds_aes_encrypt(&state->tmp_creds,
1904 state->samr_crypt_password.data,
1907 netlogon_creds_arcfour_crypt(&state->tmp_creds,
1908 state->samr_crypt_password.data,
1912 memcpy(state->netr_crypt_password.data,
1913 state->samr_crypt_password.data, 512);
1914 state->netr_crypt_password.length =
1915 IVAL(state->samr_crypt_password.data, 512);
1917 subreq = dcerpc_netr_ServerPasswordSet2_send(state, state->ev,
1918 state->binding_handle,
1919 state->srv_name_slash,
1920 state->tmp_creds.account_name,
1921 state->tmp_creds.secure_channel_type,
1922 state->tmp_creds.computer_name,
1925 &state->netr_crypt_password);
1926 if (tevent_req_nomem(subreq, req)) {
1927 status = NT_STATUS_NO_MEMORY;
1928 netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
1932 netlogon_creds_des_encrypt(&state->tmp_creds,
1933 &state->samr_password);
1935 subreq = dcerpc_netr_ServerPasswordSet_send(state, state->ev,
1936 state->binding_handle,
1937 state->srv_name_slash,
1938 state->tmp_creds.account_name,
1939 state->tmp_creds.secure_channel_type,
1940 state->tmp_creds.computer_name,
1943 &state->samr_password);
1944 if (tevent_req_nomem(subreq, req)) {
1945 status = NT_STATUS_NO_MEMORY;
1946 netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
1951 tevent_req_set_callback(subreq,
1952 netlogon_creds_cli_ServerPasswordSet_done,
1956 static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq)
1958 struct tevent_req *req =
1959 tevent_req_callback_data(subreq,
1961 struct netlogon_creds_cli_ServerPasswordSet_state *state =
1962 tevent_req_data(req,
1963 struct netlogon_creds_cli_ServerPasswordSet_state);
1968 if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
1969 status = dcerpc_netr_ServerPasswordSet2_recv(subreq, state,
1971 TALLOC_FREE(subreq);
1972 if (tevent_req_nterror(req, status)) {
1973 netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
1977 status = dcerpc_netr_ServerPasswordSet_recv(subreq, state,
1979 TALLOC_FREE(subreq);
1980 if (tevent_req_nterror(req, status)) {
1981 netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
1986 ok = netlogon_creds_client_check(&state->tmp_creds,
1987 &state->rep_auth.cred);
1989 status = NT_STATUS_ACCESS_DENIED;
1990 tevent_req_nterror(req, status);
1991 netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
1995 if (tevent_req_nterror(req, result)) {
1996 netlogon_creds_cli_ServerPasswordSet_cleanup(req, result);
2000 dcerpc_binding_handle_set_timeout(state->binding_handle,
2001 state->old_timeout);
2003 *state->creds = state->tmp_creds;
2004 status = netlogon_creds_cli_store(state->context,
2006 if (tevent_req_nterror(req, status)) {
2007 netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
2011 tevent_req_done(req);
2014 NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req)
2018 if (tevent_req_is_nterror(req, &status)) {
2019 netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
2020 tevent_req_received(req);
2024 tevent_req_received(req);
2025 return NT_STATUS_OK;
2028 NTSTATUS netlogon_creds_cli_ServerPasswordSet(
2029 struct netlogon_creds_cli_context *context,
2030 struct dcerpc_binding_handle *b,
2031 const char *new_password,
2032 const uint32_t *new_version)
2034 TALLOC_CTX *frame = talloc_stackframe();
2035 struct tevent_context *ev;
2036 struct tevent_req *req;
2037 NTSTATUS status = NT_STATUS_NO_MEMORY;
2039 ev = samba_tevent_context_init(frame);
2043 req = netlogon_creds_cli_ServerPasswordSet_send(frame, ev, context, b,
2049 if (!tevent_req_poll_ntstatus(req, ev, &status)) {
2052 status = netlogon_creds_cli_ServerPasswordSet_recv(req);
2058 struct netlogon_creds_cli_LogonSamLogon_state {
2059 struct tevent_context *ev;
2060 struct netlogon_creds_cli_context *context;
2061 struct dcerpc_binding_handle *binding_handle;
2063 char *srv_name_slash;
2065 enum netr_LogonInfoClass logon_level;
2066 const union netr_LogonLevel *const_logon;
2067 union netr_LogonLevel *logon;
2070 uint16_t validation_level;
2071 union netr_Validation *validation;
2072 uint8_t authoritative;
2075 * do we need encryption at the application layer?
2079 bool try_validation6;
2082 * the read only credentials before we started the operation
2084 struct netlogon_creds_CredentialState *ro_creds;
2086 struct netlogon_creds_CredentialState *lk_creds;
2088 struct netlogon_creds_CredentialState tmp_creds;
2089 struct netr_Authenticator req_auth;
2090 struct netr_Authenticator rep_auth;
2093 static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req);
2094 static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
2097 struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
2098 struct tevent_context *ev,
2099 struct netlogon_creds_cli_context *context,
2100 struct dcerpc_binding_handle *b,
2101 enum netr_LogonInfoClass logon_level,
2102 const union netr_LogonLevel *logon,
2105 struct tevent_req *req;
2106 struct netlogon_creds_cli_LogonSamLogon_state *state;
2108 req = tevent_req_create(mem_ctx, &state,
2109 struct netlogon_creds_cli_LogonSamLogon_state);
2115 state->context = context;
2116 state->binding_handle = b;
2118 state->logon_level = logon_level;
2119 state->const_logon = logon;
2120 state->flags = flags;
2122 state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
2123 context->server.computer);
2124 if (tevent_req_nomem(state->srv_name_slash, req)) {
2125 return tevent_req_post(req, ev);
2128 switch (logon_level) {
2129 case NetlogonInteractiveInformation:
2130 case NetlogonInteractiveTransitiveInformation:
2131 case NetlogonServiceInformation:
2132 case NetlogonServiceTransitiveInformation:
2133 case NetlogonGenericInformation:
2134 state->user_encrypt = true;
2137 case NetlogonNetworkInformation:
2138 case NetlogonNetworkTransitiveInformation:
2142 state->validation = talloc_zero(state, union netr_Validation);
2143 if (tevent_req_nomem(state->validation, req)) {
2144 return tevent_req_post(req, ev);
2147 netlogon_creds_cli_LogonSamLogon_start(req);
2148 if (!tevent_req_is_in_progress(req)) {
2149 return tevent_req_post(req, ev);
2153 * we defer all callbacks in order to cleanup
2154 * the database record.
2156 tevent_req_defer_callback(req, state->ev);
2160 static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
2163 struct netlogon_creds_cli_LogonSamLogon_state *state =
2164 tevent_req_data(req,
2165 struct netlogon_creds_cli_LogonSamLogon_state);
2167 if (state->lk_creds == NULL) {
2171 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
2173 * This is a hack to recover from a bug in old
2174 * Samba servers, when LogonSamLogonEx() fails:
2176 * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
2178 * All following request will get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
2180 * A second bug generates NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE,
2181 * instead of NT_STATUS_ACCESS_DENIED or NT_STATUS_RPC_SEC_PKG_ERROR
2182 * If the sign/seal check fails.
2184 * In that case we need to cleanup the netlogon session.
2186 * It's the job of the caller to disconnect the current
2187 * connection, if netlogon_creds_cli_LogonSamLogon()
2188 * returns NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
2190 if (!state->context->server.try_logon_with) {
2191 status = NT_STATUS_NETWORK_ACCESS_DENIED;
2195 if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
2196 !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
2197 !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
2198 !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
2199 !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
2200 TALLOC_FREE(state->lk_creds);
2204 netlogon_creds_cli_delete(state->context, &state->lk_creds);
2207 static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq);
2209 static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req)
2211 struct netlogon_creds_cli_LogonSamLogon_state *state =
2212 tevent_req_data(req,
2213 struct netlogon_creds_cli_LogonSamLogon_state);
2214 struct tevent_req *subreq;
2216 enum dcerpc_AuthType auth_type;
2217 enum dcerpc_AuthLevel auth_level;
2219 TALLOC_FREE(state->ro_creds);
2220 TALLOC_FREE(state->logon);
2221 ZERO_STRUCTP(state->validation);
2223 dcerpc_binding_handle_auth_info(state->binding_handle,
2224 &auth_type, &auth_level);
2226 state->try_logon_ex = state->context->server.try_logon_ex;
2227 state->try_validation6 = state->context->server.try_validation6;
2229 if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2230 state->try_logon_ex = false;
2233 if (auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
2234 state->try_validation6 = false;
2237 if (state->try_logon_ex) {
2238 if (state->try_validation6) {
2239 state->validation_level = 6;
2241 state->validation_level = 3;
2242 state->user_encrypt = true;
2245 state->logon = netlogon_creds_shallow_copy_logon(state,
2247 state->const_logon);
2248 if (tevent_req_nomem(state->logon, req)) {
2249 status = NT_STATUS_NO_MEMORY;
2250 netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
2254 if (state->user_encrypt) {
2255 status = netlogon_creds_cli_get(state->context,
2258 if (!NT_STATUS_IS_OK(status)) {
2259 status = NT_STATUS_ACCESS_DENIED;
2260 tevent_req_nterror(req, status);
2261 netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
2265 netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
2270 subreq = dcerpc_netr_LogonSamLogonEx_send(state, state->ev,
2271 state->binding_handle,
2272 state->srv_name_slash,
2273 state->context->client.computer,
2276 state->validation_level,
2278 &state->authoritative,
2280 if (tevent_req_nomem(subreq, req)) {
2281 status = NT_STATUS_NO_MEMORY;
2282 netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
2285 tevent_req_set_callback(subreq,
2286 netlogon_creds_cli_LogonSamLogon_done,
2291 if (state->lk_creds == NULL) {
2292 subreq = netlogon_creds_cli_lock_send(state, state->ev,
2294 if (tevent_req_nomem(subreq, req)) {
2295 status = NT_STATUS_NO_MEMORY;
2296 netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
2299 tevent_req_set_callback(subreq,
2300 netlogon_creds_cli_LogonSamLogon_done,
2305 state->tmp_creds = *state->lk_creds;
2306 netlogon_creds_client_authenticator(&state->tmp_creds,
2308 ZERO_STRUCT(state->rep_auth);
2310 state->logon = netlogon_creds_shallow_copy_logon(state,
2312 state->const_logon);
2313 if (tevent_req_nomem(state->logon, req)) {
2314 status = NT_STATUS_NO_MEMORY;
2315 netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
2319 netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
2323 state->validation_level = 3;
2325 if (state->context->server.try_logon_with) {
2326 subreq = dcerpc_netr_LogonSamLogonWithFlags_send(state, state->ev,
2327 state->binding_handle,
2328 state->srv_name_slash,
2329 state->context->client.computer,
2334 state->validation_level,
2336 &state->authoritative,
2338 if (tevent_req_nomem(subreq, req)) {
2339 status = NT_STATUS_NO_MEMORY;
2340 netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
2346 subreq = dcerpc_netr_LogonSamLogon_send(state, state->ev,
2347 state->binding_handle,
2348 state->srv_name_slash,
2349 state->context->client.computer,
2354 state->validation_level,
2356 &state->authoritative);
2357 if (tevent_req_nomem(subreq, req)) {
2358 status = NT_STATUS_NO_MEMORY;
2359 netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
2364 tevent_req_set_callback(subreq,
2365 netlogon_creds_cli_LogonSamLogon_done,
2369 static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
2371 struct tevent_req *req =
2372 tevent_req_callback_data(subreq,
2374 struct netlogon_creds_cli_LogonSamLogon_state *state =
2375 tevent_req_data(req,
2376 struct netlogon_creds_cli_LogonSamLogon_state);
2381 if (state->try_logon_ex) {
2382 status = dcerpc_netr_LogonSamLogonEx_recv(subreq,
2385 TALLOC_FREE(subreq);
2386 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
2387 state->context->server.try_validation6 = false;
2388 state->context->server.try_logon_ex = false;
2389 netlogon_creds_cli_LogonSamLogon_start(req);
2392 if (tevent_req_nterror(req, status)) {
2393 netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
2397 if ((state->validation_level == 6) &&
2398 (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
2399 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
2400 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)))
2402 state->context->server.try_validation6 = false;
2403 netlogon_creds_cli_LogonSamLogon_start(req);
2407 if (tevent_req_nterror(req, result)) {
2408 netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
2412 if (state->ro_creds == NULL) {
2413 tevent_req_done(req);
2417 ok = netlogon_creds_cli_validate(state->context, state->ro_creds);
2420 * We got a race, lets retry with on authenticator
2423 TALLOC_FREE(state->ro_creds);
2424 state->try_logon_ex = false;
2425 netlogon_creds_cli_LogonSamLogon_start(req);
2429 netlogon_creds_decrypt_samlogon_validation(state->ro_creds,
2430 state->validation_level,
2433 tevent_req_done(req);
2437 if (state->lk_creds == NULL) {
2438 status = netlogon_creds_cli_lock_recv(subreq, state,
2440 TALLOC_FREE(subreq);
2441 if (tevent_req_nterror(req, status)) {
2442 netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
2446 netlogon_creds_cli_LogonSamLogon_start(req);
2450 if (state->context->server.try_logon_with) {
2451 status = dcerpc_netr_LogonSamLogonWithFlags_recv(subreq,
2454 TALLOC_FREE(subreq);
2455 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
2456 state->context->server.try_logon_with = false;
2457 netlogon_creds_cli_LogonSamLogon_start(req);
2460 if (tevent_req_nterror(req, status)) {
2461 netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
2465 status = dcerpc_netr_LogonSamLogon_recv(subreq,
2468 TALLOC_FREE(subreq);
2469 if (tevent_req_nterror(req, status)) {
2470 netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
2475 ok = netlogon_creds_client_check(&state->tmp_creds,
2476 &state->rep_auth.cred);
2478 status = NT_STATUS_ACCESS_DENIED;
2479 tevent_req_nterror(req, status);
2480 netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
2484 *state->lk_creds = state->tmp_creds;
2485 status = netlogon_creds_cli_store(state->context,
2487 if (tevent_req_nterror(req, status)) {
2488 netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
2492 if (tevent_req_nterror(req, result)) {
2493 netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
2497 netlogon_creds_decrypt_samlogon_validation(&state->tmp_creds,
2498 state->validation_level,
2501 tevent_req_done(req);
2504 NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
2505 TALLOC_CTX *mem_ctx,
2506 uint16_t *validation_level,
2507 union netr_Validation **validation,
2508 uint8_t *authoritative,
2511 struct netlogon_creds_cli_LogonSamLogon_state *state =
2512 tevent_req_data(req,
2513 struct netlogon_creds_cli_LogonSamLogon_state);
2516 /* authoritative is also returned on error */
2517 *authoritative = state->authoritative;
2519 if (tevent_req_is_nterror(req, &status)) {
2520 netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
2521 tevent_req_received(req);
2525 *validation_level = state->validation_level;
2526 *validation = talloc_move(mem_ctx, &state->validation);
2527 *flags = state->flags;
2529 tevent_req_received(req);
2530 return NT_STATUS_OK;
2533 NTSTATUS netlogon_creds_cli_LogonSamLogon(
2534 struct netlogon_creds_cli_context *context,
2535 struct dcerpc_binding_handle *b,
2536 enum netr_LogonInfoClass logon_level,
2537 const union netr_LogonLevel *logon,
2538 TALLOC_CTX *mem_ctx,
2539 uint16_t *validation_level,
2540 union netr_Validation **validation,
2541 uint8_t *authoritative,
2544 TALLOC_CTX *frame = talloc_stackframe();
2545 struct tevent_context *ev;
2546 struct tevent_req *req;
2547 NTSTATUS status = NT_STATUS_NO_MEMORY;
2549 ev = samba_tevent_context_init(frame);
2553 req = netlogon_creds_cli_LogonSamLogon_send(frame, ev, context, b,
2559 if (!tevent_req_poll_ntstatus(req, ev, &status)) {
2562 status = netlogon_creds_cli_LogonSamLogon_recv(req, mem_ctx,
2572 struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state {
2573 struct tevent_context *ev;
2574 struct netlogon_creds_cli_context *context;
2575 struct dcerpc_binding_handle *binding_handle;
2577 char *srv_name_slash;
2578 enum dcerpc_AuthType auth_type;
2579 enum dcerpc_AuthLevel auth_level;
2581 const char *site_name;
2583 struct NL_DNS_NAME_INFO_ARRAY *dns_names;
2585 struct netlogon_creds_CredentialState *creds;
2586 struct netlogon_creds_CredentialState tmp_creds;
2587 struct netr_Authenticator req_auth;
2588 struct netr_Authenticator rep_auth;
2591 static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(struct tevent_req *req,
2593 static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_locked(struct tevent_req *subreq);
2595 struct tevent_req *netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_send(TALLOC_CTX *mem_ctx,
2596 struct tevent_context *ev,
2597 struct netlogon_creds_cli_context *context,
2598 struct dcerpc_binding_handle *b,
2599 const char *site_name,
2601 struct NL_DNS_NAME_INFO_ARRAY *dns_names)
2603 struct tevent_req *req;
2604 struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state *state;
2605 struct tevent_req *subreq;
2607 req = tevent_req_create(mem_ctx, &state,
2608 struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state);
2614 state->context = context;
2615 state->binding_handle = b;
2617 state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
2618 context->server.computer);
2619 if (tevent_req_nomem(state->srv_name_slash, req)) {
2620 return tevent_req_post(req, ev);
2623 state->site_name = site_name;
2624 state->dns_ttl = dns_ttl;
2625 state->dns_names = dns_names;
2627 dcerpc_binding_handle_auth_info(state->binding_handle,
2629 &state->auth_level);
2631 subreq = netlogon_creds_cli_lock_send(state, state->ev,
2633 if (tevent_req_nomem(subreq, req)) {
2634 return tevent_req_post(req, ev);
2637 tevent_req_set_callback(subreq,
2638 netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_locked,
2644 static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(struct tevent_req *req,
2647 struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state *state =
2648 tevent_req_data(req,
2649 struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state);
2651 if (state->creds == NULL) {
2655 if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
2656 !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
2657 !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
2658 !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
2659 !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
2660 TALLOC_FREE(state->creds);
2664 netlogon_creds_cli_delete(state->context, &state->creds);
2667 static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_done(struct tevent_req *subreq);
2669 static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_locked(struct tevent_req *subreq)
2671 struct tevent_req *req =
2672 tevent_req_callback_data(subreq,
2674 struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state *state =
2675 tevent_req_data(req,
2676 struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state);
2679 status = netlogon_creds_cli_lock_recv(subreq, state,
2681 TALLOC_FREE(subreq);
2682 if (tevent_req_nterror(req, status)) {
2686 if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
2687 switch (state->auth_level) {
2688 case DCERPC_AUTH_LEVEL_INTEGRITY:
2689 case DCERPC_AUTH_LEVEL_PRIVACY:
2692 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
2696 uint32_t tmp = state->creds->negotiate_flags;
2698 if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
2700 * if DCERPC_AUTH_TYPE_SCHANNEL is supported
2701 * it should be used, which means
2702 * we had a chance to verify no downgrade
2705 * This relies on netlogon_creds_cli_check*
2706 * being called before, as first request after
2709 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
2715 * we defer all callbacks in order to cleanup
2716 * the database record.
2718 tevent_req_defer_callback(req, state->ev);
2720 state->tmp_creds = *state->creds;
2721 netlogon_creds_client_authenticator(&state->tmp_creds,
2723 ZERO_STRUCT(state->rep_auth);
2725 subreq = dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords_send(state, state->ev,
2726 state->binding_handle,
2727 state->srv_name_slash,
2728 state->tmp_creds.computer_name,
2734 if (tevent_req_nomem(subreq, req)) {
2735 status = NT_STATUS_NO_MEMORY;
2736 netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status);
2740 tevent_req_set_callback(subreq,
2741 netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_done,
2745 static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_done(struct tevent_req *subreq)
2747 struct tevent_req *req =
2748 tevent_req_callback_data(subreq,
2750 struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state *state =
2751 tevent_req_data(req,
2752 struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state);
2758 * We use state->dns_names as the memory context, as this is
2759 * the only in/out variable and it has been overwritten by the
2760 * out parameter from the server.
2762 * We need to preserve the return value until the caller can use it.
2764 status = dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords_recv(subreq, state->dns_names,
2766 TALLOC_FREE(subreq);
2767 if (tevent_req_nterror(req, status)) {
2768 netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status);
2772 ok = netlogon_creds_client_check(&state->tmp_creds,
2773 &state->rep_auth.cred);
2775 status = NT_STATUS_ACCESS_DENIED;
2776 tevent_req_nterror(req, status);
2777 netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status);
2781 if (tevent_req_nterror(req, result)) {
2782 netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, result);
2786 *state->creds = state->tmp_creds;
2787 status = netlogon_creds_cli_store(state->context,
2789 if (tevent_req_nterror(req, status)) {
2790 netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status);
2794 tevent_req_done(req);
2797 NTSTATUS netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_recv(struct tevent_req *req)
2801 if (tevent_req_is_nterror(req, &status)) {
2802 netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status);
2803 tevent_req_received(req);
2807 tevent_req_received(req);
2808 return NT_STATUS_OK;
2811 NTSTATUS netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords(
2812 struct netlogon_creds_cli_context *context,
2813 struct dcerpc_binding_handle *b,
2814 const char *site_name,
2816 struct NL_DNS_NAME_INFO_ARRAY *dns_names)
2818 TALLOC_CTX *frame = talloc_stackframe();
2819 struct tevent_context *ev;
2820 struct tevent_req *req;
2821 NTSTATUS status = NT_STATUS_NO_MEMORY;
2823 ev = samba_tevent_context_init(frame);
2827 req = netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_send(frame, ev, context, b,
2834 if (!tevent_req_poll_ntstatus(req, ev, &status)) {
2837 status = netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_recv(req);
git.samba.org / obnox / samba / samba-obnox.git / blob