git.samba.org / metze / samba / wip.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
s4:librpc/rpc/dcerpc_schannel: just append NETLOGON_NEG_RODC_PASSTHROUGH as rodc
[metze/samba/wip.git] / source4 / librpc / rpc / dcerpc_schannel.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    dcerpc schannel operations
5
6    Copyright (C) Andrew Tridgell 2004
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8    Copyright (C) Rafal Szczesniak 2006
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include <tevent.h>
26 #include "auth/auth.h"
27 #include "libcli/composite/composite.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "librpc/gen_ndr/ndr_netlogon.h"
30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "auth/credentials/credentials.h"
32 #include "librpc/rpc/dcerpc_proto.h"
33 #include "param/param.h"
34
35 struct schannel_key_state {
36         struct dcerpc_pipe *pipe;
37         struct dcerpc_pipe *pipe2;
38         struct dcerpc_binding *binding;
39         bool dcerpc_schannel_auto;
40         struct cli_credentials *credentials;
41         struct netlogon_creds_CredentialState *creds;
42         uint32_t local_negotiate_flags;
43         uint32_t remote_negotiate_flags;
44         struct netr_Credential credentials1;
45         struct netr_Credential credentials2;
46         struct netr_Credential credentials3;
47         struct netr_ServerReqChallenge r;
48         struct netr_ServerAuthenticate2 a;
49         const struct samr_Password *mach_pwd;
50 };
51
52
53 static void continue_secondary_connection(struct composite_context *ctx);
54 static void continue_bind_auth_none(struct composite_context *ctx);
55 static void continue_srv_challenge(struct tevent_req *subreq);
56 static void continue_srv_auth2(struct tevent_req *subreq);
57
58
59 /*
60   Stage 2 of schannel_key: Receive endpoint mapping and request secondary
61   rpc connection
62 */
63 static void continue_epm_map_binding(struct composite_context *ctx)
64 {
65         struct composite_context *c;
66         struct schannel_key_state *s;
67         struct composite_context *sec_conn_req;
68
69         c = talloc_get_type(ctx->async.private_data, struct composite_context);
70         s = talloc_get_type(c->private_data, struct schannel_key_state);
71
72         /* receive endpoint mapping */
73         c->status = dcerpc_epm_map_binding_recv(ctx);
74         if (!NT_STATUS_IS_OK(c->status)) {
75                 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
76                          NDR_NETLOGON_UUID, nt_errstr(c->status)));
77                 composite_error(c, c->status);
78                 return;
79         }
80
81         /* send a request for secondary rpc connection */
82         sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
83                                                         s->binding);
84         if (composite_nomem(sec_conn_req, c)) return;
85
86         composite_continue(c, sec_conn_req, continue_secondary_connection, c);
87 }
88
89
90 /*
91   Stage 3 of schannel_key: Receive secondary rpc connection and perform
92   non-authenticated bind request
93 */
94 static void continue_secondary_connection(struct composite_context *ctx)
95 {
96         struct composite_context *c;
97         struct schannel_key_state *s;
98         struct composite_context *auth_none_req;
99
100         c = talloc_get_type(ctx->async.private_data, struct composite_context);
101         s = talloc_get_type(c->private_data, struct schannel_key_state);
102
103         /* receive secondary rpc connection */
104         c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
105         if (!composite_is_ok(c)) return;
106
107         talloc_steal(s, s->pipe2);
108
109         /* initiate a non-authenticated bind */
110         auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &ndr_table_netlogon);
111         if (composite_nomem(auth_none_req, c)) return;
112
113         composite_continue(c, auth_none_req, continue_bind_auth_none, c);
114 }
115
116
117 /*
118   Stage 4 of schannel_key: Receive non-authenticated bind and get
119   a netlogon challenge
120 */
121 static void continue_bind_auth_none(struct composite_context *ctx)
122 {
123         struct composite_context *c;
124         struct schannel_key_state *s;
125         struct tevent_req *subreq;
126
127         c = talloc_get_type(ctx->async.private_data, struct composite_context);
128         s = talloc_get_type(c->private_data, struct schannel_key_state);
129
130         /* receive result of non-authenticated bind request */
131         c->status = dcerpc_bind_auth_none_recv(ctx);
132         if (!composite_is_ok(c)) return;
133         
134         /* prepare a challenge request */
135         s->r.in.server_name   = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
136         if (composite_nomem(s->r.in.server_name, c)) return;
137         s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
138         s->r.in.credentials   = &s->credentials1;
139         s->r.out.return_credentials  = &s->credentials2;
140         
141         generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
142
143         /*
144           request a netlogon challenge - a rpc request over opened secondary pipe
145         */
146         subreq = dcerpc_netr_ServerReqChallenge_r_send(s, c->event_ctx,
147                                                        s->pipe2->binding_handle,
148                                                        &s->r);
149         if (composite_nomem(subreq, c)) return;
150
151         tevent_req_set_callback(subreq, continue_srv_challenge, c);
152 }
153
154
155 /*
156   Stage 5 of schannel_key: Receive a challenge and perform authentication
157   on the netlogon pipe
158 */
159 static void continue_srv_challenge(struct tevent_req *subreq)
160 {
161         struct composite_context *c;
162         struct schannel_key_state *s;
163
164         c = tevent_req_callback_data(subreq, struct composite_context);
165         s = talloc_get_type(c->private_data, struct schannel_key_state);
166
167         /* receive rpc request result - netlogon challenge */
168         c->status = dcerpc_netr_ServerReqChallenge_r_recv(subreq, s);
169         TALLOC_FREE(subreq);
170         if (!composite_is_ok(c)) return;
171
172         /* prepare credentials for auth2 request */
173         s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
174
175         /* auth2 request arguments */
176         s->a.in.server_name      = s->r.in.server_name;
177         s->a.in.account_name     = cli_credentials_get_username(s->credentials);
178         s->a.in.secure_channel_type =
179                 cli_credentials_get_secure_channel_type(s->credentials);
180         s->a.in.computer_name    = cli_credentials_get_workstation(s->credentials);
181         s->a.in.negotiate_flags  = &s->local_negotiate_flags;
182         s->a.in.credentials      = &s->credentials3;
183         s->a.out.negotiate_flags = &s->remote_negotiate_flags;
184         s->a.out.return_credentials     = &s->credentials3;
185
186         s->creds = netlogon_creds_client_init(s, 
187                                               s->a.in.account_name, 
188                                               s->a.in.computer_name,
189                                               &s->credentials1, &s->credentials2,
190                                               s->mach_pwd, &s->credentials3,
191                                               s->local_negotiate_flags);
192         if (composite_nomem(s->creds, c)) {
193                 return;
194         }
195         /*
196           authenticate on the netlogon pipe - a rpc request over secondary pipe
197         */
198         subreq = dcerpc_netr_ServerAuthenticate2_r_send(s, c->event_ctx,
199                                                         s->pipe2->binding_handle,
200                                                         &s->a);
201         if (composite_nomem(subreq, c)) return;
202
203         tevent_req_set_callback(subreq, continue_srv_auth2, c);
204 }
205
206
207 /*
208   Stage 6 of schannel_key: Receive authentication request result and verify
209   received credentials
210 */
211 static void continue_srv_auth2(struct tevent_req *subreq)
212 {
213         struct composite_context *c;
214         struct schannel_key_state *s;
215
216         c = tevent_req_callback_data(subreq, struct composite_context);
217         s = talloc_get_type(c->private_data, struct schannel_key_state);
218
219         /* receive rpc request result - auth2 credentials */ 
220         c->status = dcerpc_netr_ServerAuthenticate2_r_recv(subreq, s);
221         TALLOC_FREE(subreq);
222         if (!composite_is_ok(c)) return;
223
224         if (!NT_STATUS_EQUAL(s->a.out.result, NT_STATUS_ACCESS_DENIED) &&
225             !NT_STATUS_IS_OK(s->a.out.result)) {
226                 composite_error(c, s->a.out.result);
227                 return;
228         }
229
230         /*
231          * Strong keys could be unsupported (NT4) or disables. So retry with the
232          * flags returned by the server. - asn
233          */
234         if (NT_STATUS_EQUAL(s->a.out.result, NT_STATUS_ACCESS_DENIED)) {
235                 uint32_t lf = s->local_negotiate_flags;
236                 const char *ln = NULL;
237                 uint32_t rf = s->remote_negotiate_flags;
238                 const char *rn = NULL;
239
240                 if (!s->dcerpc_schannel_auto) {
241                         composite_error(c, s->a.out.result);
242                         return;
243                 }
244                 s->dcerpc_schannel_auto = false;
245
246                 if (lf & NETLOGON_NEG_STRONG_KEYS) {
247                         ln = "strong";
248                         if (rf & NETLOGON_NEG_STRONG_KEYS) {
249                                 composite_error(c, s->a.out.result);
250                                 return;
251                         }
252                 } else {
253                         ln = "des";
254                 }
255
256                 if (rf & NETLOGON_NEG_STRONG_KEYS) {
257                         rn = "strong";
258                 } else {
259                         rn = "des";
260                 }
261
262                 DEBUG(3, ("Server doesn't support %s keys, downgrade to %s"
263                           "and retry! local[0x%08X] remote[0x%08X]\n",
264                           ln, rn, lf, rf));
265
266                 s->local_negotiate_flags = s->remote_negotiate_flags;
267
268                 generate_random_buffer(s->credentials1.data,
269                                        sizeof(s->credentials1.data));
270
271                 subreq = dcerpc_netr_ServerReqChallenge_r_send(s,
272                                                                c->event_ctx,
273                                                                s->pipe2->binding_handle,
274                                                                &s->r);
275                 if (composite_nomem(subreq, c)) return;
276
277                 tevent_req_set_callback(subreq, continue_srv_challenge, c);
278                 return;
279         }
280
281         s->creds->negotiate_flags = s->remote_negotiate_flags;
282
283         /* verify credentials */
284         if (!netlogon_creds_client_check(s->creds, s->a.out.return_credentials)) {
285                 composite_error(c, NT_STATUS_UNSUCCESSFUL);
286                 return;
287         }
288
289         /* setup current netlogon credentials */
290         cli_credentials_set_netlogon_creds(s->credentials, s->creds);
291
292         composite_done(c);
293 }
294
295
296 /*
297   Initiate establishing a schannel key using netlogon challenge
298   on a secondary pipe
299 */
300 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
301                                                    struct dcerpc_pipe *p,
302                                                    struct cli_credentials *credentials,
303                                                    struct loadparm_context *lp_ctx)
304 {
305         struct composite_context *c;
306         struct schannel_key_state *s;
307         struct composite_context *epm_map_req;
308         enum netr_SchannelType schannel_type = cli_credentials_get_secure_channel_type(credentials);
309         
310         /* composite context allocation and setup */
311         c = composite_create(mem_ctx, p->conn->event_ctx);
312         if (c == NULL) return NULL;
313
314         s = talloc_zero(c, struct schannel_key_state);
315         if (composite_nomem(s, c)) return c;
316         c->private_data = s;
317
318         /* store parameters in the state structure */
319         s->pipe        = p;
320         s->credentials = credentials;
321         s->local_negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
322
323         /* allocate credentials */
324         if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
325                 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
326         }
327         if (s->pipe->conn->flags & DCERPC_SCHANNEL_AUTO) {
328                 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
329                 s->dcerpc_schannel_auto = true;
330         }
331
332         /* type of authentication depends on schannel type */
333         if (schannel_type == SEC_CHAN_RODC) {
334                 s->local_negotiate_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
335         }
336
337         /* allocate binding structure */
338         s->binding = talloc_zero(c, struct dcerpc_binding);
339         if (composite_nomem(s->binding, c)) return c;
340
341         *s->binding = *s->pipe->binding;
342
343         /* request the netlogon endpoint mapping */
344         epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
345                                                   &ndr_table_netlogon,
346                                                   s->pipe->conn->event_ctx,
347                                                   lp_ctx);
348         if (composite_nomem(epm_map_req, c)) return c;
349
350         composite_continue(c, epm_map_req, continue_epm_map_binding, c);
351         return c;
352 }
353
354
355 /*
356   Receive result of schannel key request
357  */
358 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
359 {
360         NTSTATUS status = composite_wait(c);
361         
362         talloc_free(c);
363         return status;
364 }
365
366
367 struct auth_schannel_state {
368         struct dcerpc_pipe *pipe;
369         struct cli_credentials *credentials;
370         const struct ndr_interface_table *table;
371         struct loadparm_context *lp_ctx;
372         uint8_t auth_level;
373 };
374
375
376 static void continue_bind_auth(struct composite_context *ctx);
377
378
379 /*
380   Stage 2 of auth_schannel: Receive schannel key and intitiate an
381   authenticated bind using received credentials
382  */
383 static void continue_schannel_key(struct composite_context *ctx)
384 {
385         struct composite_context *auth_req;
386         struct composite_context *c = talloc_get_type(ctx->async.private_data,
387                                                       struct composite_context);
388         struct auth_schannel_state *s = talloc_get_type(c->private_data,
389                                                         struct auth_schannel_state);
390         NTSTATUS status;
391
392         /* receive schannel key */
393         status = c->status = dcerpc_schannel_key_recv(ctx);
394         if (!composite_is_ok(c)) {
395                 DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status)));
396                 return;
397         }
398
399         /* send bind auth request with received creds */
400         auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials, 
401                                          lpcfg_gensec_settings(c, s->lp_ctx),
402                                          DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
403                                          NULL);
404         if (composite_nomem(auth_req, c)) return;
405         
406         composite_continue(c, auth_req, continue_bind_auth, c);
407 }
408
409
410 /*
411   Stage 3 of auth_schannel: Receivce result of authenticated bind
412   and say if we're done ok.
413 */
414 static void continue_bind_auth(struct composite_context *ctx)
415 {
416         struct composite_context *c = talloc_get_type(ctx->async.private_data,
417                                                       struct composite_context);
418
419         c->status = dcerpc_bind_auth_recv(ctx);
420         if (!composite_is_ok(c)) return;
421
422         composite_done(c);
423 }
424
425
426 /*
427   Initiate schannel authentication request
428 */
429 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx, 
430                                                          struct dcerpc_pipe *p,
431                                                          const struct ndr_interface_table *table,
432                                                          struct cli_credentials *credentials,
433                                                          struct loadparm_context *lp_ctx,
434                                                          uint8_t auth_level)
435 {
436         struct composite_context *c;
437         struct auth_schannel_state *s;
438         struct composite_context *schan_key_req;
439
440         /* composite context allocation and setup */
441         c = composite_create(tmp_ctx, p->conn->event_ctx);
442         if (c == NULL) return NULL;
443         
444         s = talloc_zero(c, struct auth_schannel_state);
445         if (composite_nomem(s, c)) return c;
446         c->private_data = s;
447
448         /* store parameters in the state structure */
449         s->pipe        = p;
450         s->credentials = credentials;
451         s->table       = table;
452         s->auth_level  = auth_level;
453         s->lp_ctx      = lp_ctx;
454
455         /* start getting schannel key first */
456         schan_key_req = dcerpc_schannel_key_send(c, p, credentials, lp_ctx);
457         if (composite_nomem(schan_key_req, c)) return c;
458
459         composite_continue(c, schan_key_req, continue_schannel_key, c);
460         return c;
461 }
462
463
464 /*
465   Receive result of schannel authentication request
466 */
467 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
468 {
469         NTSTATUS status = composite_wait(c);
470         
471         talloc_free(c);
472         return status;
473 }
474
475
476 /*
477   Perform schannel authenticated bind - sync version
478  */
479 _PUBLIC_ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx, 
480                                    struct dcerpc_pipe *p,
481                                    const struct ndr_interface_table *table,
482                                    struct cli_credentials *credentials,
483                                    struct loadparm_context *lp_ctx,
484                                    uint8_t auth_level)
485 {
486         struct composite_context *c;
487
488         c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials, lp_ctx,
489                                            auth_level);
490         return dcerpc_bind_auth_schannel_recv(c);
491 }
Work in progress branches