source4/librpc/rpc/dcerpc_schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    dcerpc schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25 #include "librpc/gen_ndr/ndr_schannel.h"
  26 #include "auth/auth.h"
  27
  28 /*
  29   get a schannel key using a netlogon challenge on a secondary pipe
  30 */
  31 static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx,
  32                                     struct dcerpc_pipe *p,
  33                                     struct cli_credentials *credentials,
  34                                     int chan_type)
  35 {
  36         NTSTATUS status;
  37         struct dcerpc_binding *b;
  38         struct dcerpc_pipe *p2;
  39         struct netr_ServerReqChallenge r;
  40         struct netr_ServerAuthenticate2 a;
  41         struct netr_Credential credentials1, credentials2, credentials3;
  42         struct samr_Password mach_pwd;
  43         uint32_t negotiate_flags;
  44         struct creds_CredentialState *creds;
  45         creds = talloc(tmp_ctx, struct creds_CredentialState);
  46         if (!creds) {
  47                 return NT_STATUS_NO_MEMORY;
  48         }
  49
  50         if (p->conn->flags & DCERPC_SCHANNEL_128) {
  51                 negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
  52         } else {
  53                 negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
  54         }
  55
  56         /*
  57           step 1 - establish a netlogon connection, with no authentication
  58         */
  59
  60         /* Find the original binding string */
  61         status = dcerpc_parse_binding(tmp_ctx, p->conn->binding_string, &b);
  62         if (!NT_STATUS_IS_OK(status)) {
  63                 DEBUG(0,("Failed to parse dcerpc binding '%s'\n", p->conn->binding_string));
  64                 return status;
  65         }
  66
  67         /* Make binding string for netlogon, not the other pipe */
  68         status = dcerpc_epm_map_binding(tmp_ctx, b, DCERPC_NETLOGON_UUID, DCERPC_NETLOGON_VERSION);
  69         if (!NT_STATUS_IS_OK(status)) {
  70                 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
  71                          DCERPC_NETLOGON_UUID, nt_errstr(status)));
  72                 return status;
  73         }
  74
  75         status = dcerpc_secondary_connection(p, &p2, b);
  76         if (!NT_STATUS_IS_OK(status)) {
  77                 return status;
  78         }
  79
  80         status = dcerpc_bind_auth_none(p2, DCERPC_NETLOGON_UUID,
  81                                        DCERPC_NETLOGON_VERSION);
  82         if (!NT_STATUS_IS_OK(status)) {
  83                 talloc_free(p2);
  84                 return status;
  85         }
  86
  87         /*
  88           step 2 - request a netlogon challenge
  89         */
  90         r.in.server_name = talloc_asprintf(tmp_ctx, "\\\\%s", dcerpc_server_name(p));
  91         r.in.computer_name = cli_credentials_get_workstation(credentials);
  92         r.in.credentials = &credentials1;
  93         r.out.credentials = &credentials2;
  94
  95         generate_random_buffer(credentials1.data, sizeof(credentials1.data));
  96
  97         status = dcerpc_netr_ServerReqChallenge(p2, tmp_ctx, &r);
  98         if (!NT_STATUS_IS_OK(status)) {
  99                 return status;
 100         }
 101
 102         /*
 103           step 3 - authenticate on the netlogon pipe
 104         */
 105         E_md4hash(cli_credentials_get_password(credentials), mach_pwd.hash);
 106         creds_client_init(creds, &credentials1, &credentials2,
 107                           &mach_pwd, &credentials3,
 108                           negotiate_flags);
 109
 110         a.in.server_name = r.in.server_name;
 111         a.in.account_name = cli_credentials_get_username(credentials);
 112         a.in.secure_channel_type = chan_type;
 113         a.in.computer_name = cli_credentials_get_workstation(credentials);
 114         a.in.negotiate_flags = &negotiate_flags;
 115         a.out.negotiate_flags = &negotiate_flags;
 116         a.in.credentials = &credentials3;
 117         a.out.credentials = &credentials3;
 118
 119         status = dcerpc_netr_ServerAuthenticate2(p2, tmp_ctx, &a);
 120         if (!NT_STATUS_IS_OK(status)) {
 121                 return status;
 122         }
 123
 124         if (!creds_client_check(creds, a.out.credentials)) {
 125                 return NT_STATUS_UNSUCCESSFUL;
 126         }
 127
 128         cli_credentials_set_netlogon_creds(credentials, creds);
 129
 130         /*
 131           the schannel session key is now in creds.session_key
 132
 133           we no longer need the netlogon pipe open
 134         */
 135         talloc_free(p2);
 136
 137         return NT_STATUS_OK;
 138 }
 139
 140 NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
 141                                    struct dcerpc_pipe *p,
 142                                    const char *uuid, uint_t version,
 143                                    struct cli_credentials *credentials)
 144 {
 145         NTSTATUS status;
 146         int chan_type = 0;
 147
 148         if (p->conn->flags & DCERPC_SCHANNEL_BDC) {
 149                 chan_type = SEC_CHAN_BDC;
 150         } else if (p->conn->flags & DCERPC_SCHANNEL_WORKSTATION) {
 151                 chan_type = SEC_CHAN_WKSTA;
 152         } else if (p->conn->flags & DCERPC_SCHANNEL_DOMAIN) {
 153                 chan_type = SEC_CHAN_DOMAIN;
 154         }
 155
 156         /* Fills in NETLOGON credentials */
 157         status = dcerpc_schannel_key(tmp_ctx,
 158                                      p, credentials,
 159                                      chan_type);
 160
 161         if (!NT_STATUS_IS_OK(status)) {
 162                 DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
 163                           cli_credentials_get_username(credentials),
 164                           nt_errstr(status)));
 165                 return status;
 166         }
 167
 168         return dcerpc_bind_auth_password(p, uuid, version,
 169                                          credentials, DCERPC_AUTH_TYPE_SCHANNEL,
 170                                          NULL);
 171 }
 172