diff options
| author | Volker Lendecke <vlendec@samba.org> | 2003-04-04 15:21:04 +0000 |
|---|---|---|
| committer | Volker Lendecke <vlendec@samba.org> | 2003-04-04 15:21:04 +0000 |
| commit | 02bb4e1b8ae931d9eefa2fbd4a6f5456aca99b2b (patch) | |
| tree | 099bc90dbf63fd218f7f6d45cf88223b172c0c34 /source3/include | |
| parent | d9613a1a3c37dca9f695b1361a0fd5d2b3f503cd (diff) | |
| download | samba-02bb4e1b8ae931d9eefa2fbd4a6f5456aca99b2b.tar.gz samba-02bb4e1b8ae931d9eefa2fbd4a6f5456aca99b2b.tar.bz2 samba-02bb4e1b8ae931d9eefa2fbd4a6f5456aca99b2b.zip | |
This is a merge of the NETLOGON schannel server code from Samba
TNG. Actually, it exists in the main Samba cvs tree in APPLIANCE_TNG
as I found out later :-)
It adds a new parameter: server schannel = yes/auto/no defaulting to
auto.
What does this mean to the user: No requireSignOrSeal registry patch
for XP anymore.
Many thanks for this code to Luke Leighton, Elrond and anybody else I
forgot to mention.
My next thing will be to see if this applies cleanly to 3_0.
Please test and comment!
Volker
(This used to be commit e1f953241eb020f19fe657f29afdae28dcf5a03b)
Diffstat (limited to 'source3/include')
| -rw-r--r-- | source3/include/ntdomain.h | 7 | ||||
| -rw-r--r-- | source3/include/rpc_dce.h | 39 |
2 files changed, 44 insertions, 2 deletions
diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h index cf5bb5046c..d02195b378 100644 --- a/source3/include/ntdomain.h +++ b/source3/include/ntdomain.h @@ -192,6 +192,13 @@ typedef struct pipes_struct uint32 ntlmssp_seq_num; struct dcinfo dc; /* Keeps the creds data. */ + /* Hmm. In my understanding the authentication happens + implicitly later, so there are no two stages for + schannel. */ + + BOOL netsec_auth_validated; + struct netsec_auth_struct netsec_auth; + /* * Windows user info. */ diff --git a/source3/include/rpc_dce.h b/source3/include/rpc_dce.h index 6a8c650650..7e8bc3949e 100644 --- a/source3/include/rpc_dce.h +++ b/source3/include/rpc_dce.h @@ -55,6 +55,13 @@ enum RPC_PKT_TYPE #define NTLMSSP_AUTH_TYPE 0xa #define NTLMSSP_AUTH_LEVEL 0x6 +/* Netlogon schannel auth type and level */ +#define NETSEC_AUTH_TYPE 0x44 +#define NETSEC_AUTH_LEVEL 0x6 +#define NETSEC_SIGNATURE { 0x77, 0x00, 0x7a, 0x00, 0xff, 0xff, 0x00, 0x00 } +#define RPC_AUTH_NETSEC_CHK_LEN 0x20 +#define NETLOGON_NEG_SCHANNEL 0x40000000 + /* Maximum PDU fragment size. */ #define MAX_PDU_FRAG_LEN 0x1630 /* #define MAX_PDU_FRAG_LEN 0x10b8 this is what w2k sets */ @@ -199,6 +206,34 @@ typedef struct rpc_hdr_auth_info #define RPC_HDR_AUTH_LEN 8 +/* this is TEMPORARILY coded up as a specific structure */ +/* this structure comes after the bind request */ +/* RPC_AUTH_NETSEC_NEG */ +typedef struct rpc_auth_netsec_neg_info +{ + uint32 unknown1; + uint32 unknown2; + fstring domain; /* calling workstations's domain */ + fstring myname; /* calling workstation's name */ +} RPC_AUTH_NETSEC_NEG; + +/* attached to the end of encrypted rpc requests and responses */ +/* RPC_AUTH_NETSEC_CHK */ +typedef struct rpc_auth_netsec_chk_info +{ + uint8 sig [8]; /* 77 00 7a 00 ff ff 00 00 */ + uint8 data1[8]; + uint8 data3[8]; /* verifier, seq num */ + uint8 data8[8]; /* random 8-byte nonce */ +} RPC_AUTH_NETSEC_CHK; + +struct netsec_auth_struct +{ + RPC_AUTH_NETSEC_NEG netsec_neg; + uchar sess_key[16]; + uint32 seq_num; +}; + /* RPC_BIND_REQ - ms req bind */ typedef struct rpc_bind_req_info { @@ -248,8 +283,8 @@ typedef struct rpc_hdr_ba_info /* RPC_AUTH_VERIFIER */ typedef struct rpc_auth_verif_info { - fstring signature; /* "NTLMSSP" */ - uint32 msg_type; /* NTLMSSP_MESSAGE_TYPE (1,2,3) */ + fstring signature; /* "NTLMSSP".. Ok, not quite anymore */ + uint32 msg_type; /* NTLMSSP_MESSAGE_TYPE (1,2,3) and 5 for schannel */ } RPC_AUTH_VERIFIER; |