2 Unix SMB/CIFS implementation.
4 dcerpc schannel operations
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 #include "auth/auth.h"
26 #include "libcli/auth/proto.h"
29 get a schannel key using a netlogon challenge on a secondary pipe
31 static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx,
32 struct dcerpc_pipe *p,
33 struct cli_credentials *credentials)
36 struct dcerpc_binding *b;
37 struct dcerpc_pipe *p2;
38 struct netr_ServerReqChallenge r;
39 struct netr_ServerAuthenticate2 a;
40 struct netr_Credential credentials1, credentials2, credentials3;
41 const struct samr_Password *mach_pwd;
42 uint32_t negotiate_flags;
43 struct creds_CredentialState *creds;
44 creds = talloc(tmp_ctx, struct creds_CredentialState);
46 return NT_STATUS_NO_MEMORY;
49 if (p->conn->flags & DCERPC_SCHANNEL_128) {
50 negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
52 negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
56 step 1 - establish a netlogon connection, with no authentication
59 b = talloc(tmp_ctx, struct dcerpc_binding);
61 return NT_STATUS_NO_MEMORY;
65 /* Make binding string for netlogon, not the other pipe */
66 status = dcerpc_epm_map_binding(tmp_ctx, b,
67 &dcerpc_table_netlogon,
69 if (!NT_STATUS_IS_OK(status)) {
70 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
71 DCERPC_NETLOGON_UUID, nt_errstr(status)));
75 status = dcerpc_secondary_connection(p, &p2, b);
76 if (!NT_STATUS_IS_OK(status)) {
80 status = dcerpc_bind_auth_none(p2, &dcerpc_table_netlogon);
81 if (!NT_STATUS_IS_OK(status)) {
87 step 2 - request a netlogon challenge
89 r.in.server_name = talloc_asprintf(tmp_ctx, "\\\\%s", dcerpc_server_name(p));
90 r.in.computer_name = cli_credentials_get_workstation(credentials);
91 r.in.credentials = &credentials1;
92 r.out.credentials = &credentials2;
94 generate_random_buffer(credentials1.data, sizeof(credentials1.data));
96 status = dcerpc_netr_ServerReqChallenge(p2, tmp_ctx, &r);
97 if (!NT_STATUS_IS_OK(status)) {
102 step 3 - authenticate on the netlogon pipe
104 mach_pwd = cli_credentials_get_nt_hash(credentials, tmp_ctx);
106 creds_client_init(creds, &credentials1, &credentials2,
107 mach_pwd, &credentials3,
110 a.in.server_name = r.in.server_name;
111 a.in.account_name = cli_credentials_get_username(credentials);
112 a.in.secure_channel_type =
113 cli_credentials_get_secure_channel_type(credentials);
114 a.in.computer_name = cli_credentials_get_workstation(credentials);
115 a.in.negotiate_flags = &negotiate_flags;
116 a.out.negotiate_flags = &negotiate_flags;
117 a.in.credentials = &credentials3;
118 a.out.credentials = &credentials3;
120 status = dcerpc_netr_ServerAuthenticate2(p2, tmp_ctx, &a);
121 if (!NT_STATUS_IS_OK(status)) {
125 if (!creds_client_check(creds, a.out.credentials)) {
126 return NT_STATUS_UNSUCCESSFUL;
129 cli_credentials_set_netlogon_creds(credentials, creds);
132 the schannel session key is now in creds.session_key
134 we no longer need the netlogon pipe open
141 NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
142 struct dcerpc_pipe *p,
143 const struct dcerpc_interface_table *table,
144 struct cli_credentials *credentials,
149 /* Fills in NETLOGON credentials */
150 status = dcerpc_schannel_key(tmp_ctx,
153 if (!NT_STATUS_IS_OK(status)) {
154 DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
155 cli_credentials_get_username(credentials),
160 return dcerpc_bind_auth(p, table, credentials,
161 DCERPC_AUTH_TYPE_SCHANNEL, auth_level,