source3/auth/auth_netlogond.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Authenticate against a netlogon pipe listening on a unix domain socket
   4    Copyright (C) Volker Lendecke 2008
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "../libcli/auth/libcli_auth.h"
  22 #include "../librpc/gen_ndr/ndr_netlogon.h"
  23 #include "rpc_client/cli_netlogon.h"
  24 #include "secrets.h"
  25
  26 #undef DBGC_CLASS
  27 #define DBGC_CLASS DBGC_AUTH
  28
  29 static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx,
  30                                    const struct auth_context *auth_context,
  31                                    const char *ncalrpc_sockname,
  32                                    uint8_t schannel_key[16],
  33                                    const struct auth_usersupplied_info *user_info,
  34                                    struct netr_SamInfo3 **pinfo3,
  35                                    NTSTATUS *schannel_bind_result)
  36 {
  37         struct rpc_pipe_client *p = NULL;
  38         struct pipe_auth_data *auth = NULL;
  39         struct netr_SamInfo3 *info3 = NULL;
  40         NTSTATUS status;
  41
  42         *schannel_bind_result = NT_STATUS_OK;
  43
  44         status = rpc_pipe_open_ncalrpc(talloc_tos(), ncalrpc_sockname,
  45                                        &ndr_table_netlogon.syntax_id, &p);
  46         if (!NT_STATUS_IS_OK(status)) {
  47                 DEBUG(10, ("rpc_pipe_open_ncalrpc failed: %s\n",
  48                            nt_errstr(status)));
  49                 return status;
  50         }
  51
  52         /*
  53          * We have to fake a struct dcinfo, so that
  54          * rpccli_netlogon_sam_network_logon_ex can decrypt the session keys.
  55          */
  56
  57         p->dc = netlogon_creds_client_init_session_key(p, schannel_key);
  58         if (p->dc == NULL) {
  59                 DEBUG(0, ("talloc failed\n"));
  60                 TALLOC_FREE(p);
  61                 return NT_STATUS_NO_MEMORY;
  62         }
  63
  64         status = rpccli_schannel_bind_data(p, lp_workgroup(),
  65                                            DCERPC_AUTH_LEVEL_PRIVACY,
  66                                            p->dc, &auth);
  67         if (!NT_STATUS_IS_OK(status)) {
  68                 DEBUG(10, ("rpccli_schannel_bind_data failed: %s\n",
  69                            nt_errstr(status)));
  70                 TALLOC_FREE(p);
  71                 return status;
  72         }
  73
  74         status = rpc_pipe_bind(p, auth);
  75         if (!NT_STATUS_IS_OK(status)) {
  76                 DEBUG(10, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
  77                 TALLOC_FREE(p);
  78                 *schannel_bind_result = status;
  79                 return status;
  80         }
  81
  82         status = rpccli_netlogon_sam_network_logon_ex(
  83                 p, p,
  84                 user_info->logon_parameters,           /* flags such as 'allow
  85                                                         * workstation logon' */
  86                 global_myname(),                       /* server name */
  87                 user_info->client.account_name,                   /* user name logging on. */
  88                 user_info->client.domain_name,              /* domain name */
  89                 user_info->workstation_name,           /* workstation name */
  90                 (uchar *)auth_context->challenge.data, /* 8 byte challenge. */
  91                 user_info->password.response.lanman,   /* lanman 24 byte response */
  92                 user_info->password.response.nt,       /* nt 24 byte response */
  93                 &info3);                               /* info3 out */
  94
  95         DEBUG(10, ("rpccli_netlogon_sam_network_logon_ex returned %s\n",
  96                    nt_errstr(status)));
  97
  98         if (!NT_STATUS_IS_OK(status)) {
  99                 TALLOC_FREE(p);
 100                 return status;
 101         }
 102
 103         *pinfo3 = talloc_move(mem_ctx, &info3);
 104
 105         TALLOC_FREE(p);
 106         return NT_STATUS_OK;
 107 }
 108
 109 static char *mymachinepw(TALLOC_CTX *mem_ctx)
 110 {
 111         fstring pwd;
 112         const char *script;
 113         char *to_free = NULL;
 114         ssize_t nread;
 115         int ret, fd;
 116
 117         script = lp_parm_const_string(
 118                 GLOBAL_SECTION_SNUM, "auth_netlogond", "machinepwscript",
 119                 NULL);
 120
 121         if (script == NULL) {
 122                 to_free = talloc_asprintf(talloc_tos(), "%s/%s",
 123                                           get_dyn_SBINDIR(), "mymachinepw");
 124                 script = to_free;
 125         }
 126         if (script == NULL) {
 127                 return NULL;
 128         }
 129
 130         ret = smbrun(script, &fd);
 131         DEBUG(ret ? 0 : 3, ("mymachinepw: Running the command `%s' gave %d\n",
 132                             script, ret));
 133         TALLOC_FREE(to_free);
 134
 135         if (ret != 0) {
 136                 return NULL;
 137         }
 138
 139         nread = read(fd, pwd, sizeof(pwd)-1);
 140         close(fd);
 141
 142         if (nread <= 0) {
 143                 DEBUG(3, ("mymachinepwd: Could not read password\n"));
 144                 return NULL;
 145         }
 146
 147         pwd[nread] = '\0';
 148
 149         if (pwd[nread-1] == '\n') {
 150                 pwd[nread-1] = '\0';
 151         }
 152
 153         return talloc_strdup(mem_ctx, pwd);
 154 }
 155
 156 static NTSTATUS check_netlogond_security(const struct auth_context *auth_context,
 157                                          void *my_private_data,
 158                                          TALLOC_CTX *mem_ctx,
 159                                          const struct auth_usersupplied_info *user_info,
 160                                          struct auth_serversupplied_info **server_info)
 161 {
 162         TALLOC_CTX *frame = talloc_stackframe();
 163         struct netr_SamInfo3 *info3 = NULL;
 164         struct rpc_pipe_client *p = NULL;
 165         struct pipe_auth_data *auth = NULL;
 166         uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 167         char *plaintext_machinepw = NULL;
 168         uint8_t machine_password[16];
 169         uint8_t schannel_key[16];
 170         NTSTATUS schannel_bind_result, status;
 171         struct named_mutex *mutex = NULL;
 172         const char *ncalrpcsock;
 173
 174         DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
 175
 176         ncalrpcsock = lp_parm_const_string(
 177                 GLOBAL_SECTION_SNUM, "auth_netlogond", "socket", NULL);
 178
 179         if (ncalrpcsock == NULL) {
 180                 ncalrpcsock = talloc_asprintf(talloc_tos(), "%s/%s",
 181                                               get_dyn_NCALRPCDIR(), "DEFAULT");
 182         }
 183
 184         if (ncalrpcsock == NULL) {
 185                 status = NT_STATUS_NO_MEMORY;
 186                 goto done;
 187         }
 188
 189         if (!secrets_fetch_local_schannel_key(schannel_key)) {
 190                 goto new_key;
 191         }
 192
 193         status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock,
 194                                     schannel_key, user_info, &info3,
 195                                     &schannel_bind_result);
 196
 197         DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status)));
 198
 199         if (NT_STATUS_IS_OK(status)) {
 200                 goto okay;
 201         }
 202
 203         if (NT_STATUS_IS_OK(schannel_bind_result)) {
 204                 /*
 205                  * This is a real failure from the DC
 206                  */
 207                 goto done;
 208         }
 209
 210  new_key:
 211
 212         mutex = grab_named_mutex(talloc_tos(), "LOCAL_SCHANNEL_KEY", 60);
 213         if (mutex == NULL) {
 214                 DEBUG(10, ("Could not get mutex LOCAL_SCHANNEL_KEY\n"));
 215                 status = NT_STATUS_ACCESS_DENIED;
 216                 goto done;
 217         }
 218
 219         DEBUG(10, ("schannel bind failed, setting up new key\n"));
 220
 221         status = rpc_pipe_open_ncalrpc(talloc_tos(), ncalrpcsock,
 222                                        &ndr_table_netlogon.syntax_id, &p);
 223
 224         if (!NT_STATUS_IS_OK(status)) {
 225                 DEBUG(10, ("rpc_pipe_open_ncalrpc failed: %s\n",
 226                            nt_errstr(status)));
 227                 goto done;
 228         }
 229
 230         status = rpccli_anon_bind_data(p, &auth);
 231         if (!NT_STATUS_IS_OK(status)) {
 232                 DEBUG(10, ("rpccli_anon_bind_data failed: %s\n",
 233                            nt_errstr(status)));
 234                 goto done;
 235         }
 236
 237         status = rpc_pipe_bind(p, auth);
 238         if (!NT_STATUS_IS_OK(status)) {
 239                 DEBUG(10, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
 240                 goto done;
 241         }
 242
 243         plaintext_machinepw = mymachinepw(talloc_tos());
 244         if (plaintext_machinepw == NULL) {
 245                 status = NT_STATUS_NO_MEMORY;
 246                 goto done;
 247         }
 248
 249         E_md4hash(plaintext_machinepw, machine_password);
 250
 251         TALLOC_FREE(plaintext_machinepw);
 252
 253         status = rpccli_netlogon_setup_creds(
 254                 p, global_myname(), lp_workgroup(), global_myname(),
 255                 global_myname(), machine_password, SEC_CHAN_BDC, &neg_flags);
 256
 257         if (!NT_STATUS_IS_OK(status)) {
 258                 DEBUG(10, ("rpccli_netlogon_setup_creds failed: %s\n",
 259                            nt_errstr(status)));
 260                 goto done;
 261         }
 262
 263         memcpy(schannel_key, p->dc->session_key, 16);
 264         secrets_store_local_schannel_key(schannel_key);
 265
 266         TALLOC_FREE(p);
 267
 268         /*
 269          * Retry the authentication with the mutex held. This way nobody else
 270          * can step on our toes.
 271          */
 272
 273         status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock,
 274                                     schannel_key, user_info, &info3,
 275                                     &schannel_bind_result);
 276
 277         DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status)));
 278
 279         if (!NT_STATUS_IS_OK(status)) {
 280                 goto done;
 281         }
 282
 283  okay:
 284
 285         status = make_server_info_info3(mem_ctx, user_info->client.account_name,
 286                                         user_info->mapped.domain_name, server_info,
 287                                         info3);
 288         if (!NT_STATUS_IS_OK(status)) {
 289                 DEBUG(10, ("make_server_info_info3 failed: %s\n",
 290                            nt_errstr(status)));
 291                 TALLOC_FREE(frame);
 292                 return status;
 293         }
 294
 295         status = NT_STATUS_OK;
 296
 297  done:
 298         TALLOC_FREE(frame);
 299         return status;
 300 }
 301
 302 /* module initialisation */
 303 static NTSTATUS auth_init_netlogond(struct auth_context *auth_context,
 304                                     const char *param,
 305                                     auth_methods **auth_method)
 306 {
 307         struct auth_methods *result;
 308
 309         result = TALLOC_ZERO_P(auth_context, struct auth_methods);
 310         if (result == NULL) {
 311                 return NT_STATUS_NO_MEMORY;
 312         }
 313         result->name = "netlogond";
 314         result->auth = check_netlogond_security;
 315
 316         *auth_method = result;
 317         return NT_STATUS_OK;
 318 }
 319
 320 NTSTATUS auth_netlogond_init(void)
 321 {
 322         smb_register_auth(AUTH_INTERFACE_VERSION, "netlogond",
 323                           auth_init_netlogond);
 324         return NT_STATUS_OK;
 325 }