diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2009-04-06 22:56:13 +1000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2009-04-14 16:23:44 +1000 |
| commit | baf7274fed2f1ae7a9e3a57160bf5471566e636c (patch) | |
| tree | b6bbaad24556ecf5e3cb93eae6470f67229ab12f /source3 | |
| parent | 5095d7b1c84e7e37f553867d699a1983f74d4314 (diff) | |
| download | samba-baf7274fed2f1ae7a9e3a57160bf5471566e636c.tar.gz samba-baf7274fed2f1ae7a9e3a57160bf5471566e636c.tar.bz2 samba-baf7274fed2f1ae7a9e3a57160bf5471566e636c.zip | |
Make Samba3 use the new common libcli/auth code
This is particuarly in the netlogon client (but not server at this
stage)
Diffstat (limited to 'source3')
| -rw-r--r-- | source3/Makefile.in | 8 | ||||
| -rw-r--r-- | source3/auth/auth_netlogond.c | 6 | ||||
| -rw-r--r-- | source3/auth/auth_sam.c | 50 | ||||
| -rw-r--r-- | source3/include/client.h | 4 | ||||
| -rw-r--r-- | source3/include/ntlmssp.h | 5 | ||||
| -rw-r--r-- | source3/include/proto.h | 10 | ||||
| -rw-r--r-- | source3/lib/charcnv.c | 38 | ||||
| -rw-r--r-- | source3/libnet/libnet_samsync.c | 8 | ||||
| -rw-r--r-- | source3/rpc_client/cli_netlogon.c | 155 | ||||
| -rw-r--r-- | source3/rpc_client/cli_pipe.c | 10 | ||||
| -rw-r--r-- | source3/rpcclient/cmd_netlogon.c | 8 | ||||
| -rw-r--r-- | source3/utils/ntlm_auth.c | 6 |
12 files changed, 164 insertions, 144 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index 9c6b2df8ff..b47c6e91b2 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -374,7 +374,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) \ lib/bitmap.o lib/dprintf.o $(UTIL_REG_OBJ) \ lib/wins_srv.o \ lib/util_str.o lib/clobber.o lib/util_sid.o lib/util_uuid.o \ - lib/util_unistr.o ../lib/util/charset/util_unistr.c lib/util_file.o \ + lib/util_unistr.o lib/util_file.o \ lib/util.o lib/util_sock.o lib/sock_exec.o lib/util_sec.o \ lib/substitute.o lib/dbwrap_util.o \ lib/ms_fnmatch.o lib/select.o lib/errmap_unix.o \ @@ -447,7 +447,7 @@ DCE_RPC_ERR_OBJ = ../librpc/rpc/dcerpc_error.o LIBSMB_ERR_OBJ0 = $(NTERR_OBJ) $(DOSERR_OBJ) $(ERRORMAP_OBJ) $(DCE_RPC_ERR_OBJ) -LIBSMB_ERR_OBJ1 = ../libcli/auth/smbdes.o ../libcli/auth/smbencrypt.o ../libcli/auth/msrpc_parse.o +LIBSMB_ERR_OBJ1 = ../libcli/auth/smbdes.o ../libcli/auth/smbencrypt.o ../libcli/auth/msrpc_parse.o ../libcli/auth/session.o LIBSMB_ERR_OBJ = $(LIBSMB_ERR_OBJ0) $(LIBSMB_ERR_OBJ1) \ $(RPC_PARSE_OBJ1) \ @@ -930,7 +930,9 @@ LIBNET_OBJ = libnet/libnet_join.o \ libnet/libnet_samsync_keytab.o \ libnet/libnet_dssync.o \ libnet/libnet_dssync_keytab.o \ - librpc/gen_ndr/ndr_libnet_join.o + librpc/gen_ndr/ndr_libnet_join.o \ + ../libcli/samsync/decrypt.o \ + ../libcli/drsuapi/repl_decrypt.o NET_OBJ1 = utils/net.o utils/net_ads.o utils/net_help.o \ utils/net_rap.o utils/net_rpc.o utils/net_rpc_samsync.o \ diff --git a/source3/auth/auth_netlogond.c b/source3/auth/auth_netlogond.c index d595e27a60..3947873aaa 100644 --- a/source3/auth/auth_netlogond.c +++ b/source3/auth/auth_netlogond.c @@ -69,15 +69,13 @@ static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx, * rpccli_netlogon_sam_network_logon_ex can decrypt the session keys. */ - p->dc = talloc(p, struct dcinfo); + p->dc = netlogon_creds_client_init_session_key(p, schannel_key); if (p->dc == NULL) { DEBUG(0, ("talloc failed\n")); TALLOC_FREE(p); return NT_STATUS_NO_MEMORY; } - memcpy(p->dc->sess_key, schannel_key, 16); - status = rpccli_netlogon_sam_network_logon_ex( p, p, user_info->logon_parameters,/* flags such as 'allow @@ -257,7 +255,7 @@ static NTSTATUS check_netlogond_security(const struct auth_context *auth_context goto done; } - memcpy(schannel_key, p->dc->sess_key, 16); + memcpy(schannel_key, p->dc->session_key, 16); secrets_store_local_schannel_key(schannel_key); TALLOC_FREE(p); diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index dc15509922..d6edd01026 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -40,7 +40,9 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, { uint32 acct_ctrl; const uint8 *lm_pw, *nt_pw; + struct samr_Password lm_hash, nt_hash, client_lm_hash, client_nt_hash; const char *username = pdb_get_username(sampass); + bool got_lm = false, got_nt = false; acct_ctrl = pdb_get_acct_ctrl(sampass); if (acct_ctrl & ACB_PWNOTREQ) { @@ -55,14 +57,46 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, lm_pw = pdb_get_lanman_passwd(sampass); nt_pw = pdb_get_nt_passwd(sampass); - - return ntlm_password_check(mem_ctx, &auth_context->challenge, - &user_info->lm_resp, &user_info->nt_resp, - &user_info->lm_interactive_pwd, &user_info->nt_interactive_pwd, - username, - user_info->smb_name, - user_info->client_domain, - lm_pw, nt_pw, user_sess_key, lm_sess_key); + if (lm_pw) { + memcpy(lm_hash.hash, lm_pw, sizeof(lm_hash.hash)); + } + if (nt_pw) { + memcpy(nt_hash.hash, nt_pw, sizeof(nt_hash.hash)); + } + if (user_info->lm_interactive_pwd.data && sizeof(client_lm_hash.hash) == user_info->lm_interactive_pwd.length) { + memcpy(client_lm_hash.hash, user_info->lm_interactive_pwd.data, sizeof(lm_hash.hash)); + got_lm = true; + } + if (user_info->nt_interactive_pwd.data && sizeof(client_nt_hash.hash) == user_info->nt_interactive_pwd.length) { + memcpy(client_nt_hash.hash, user_info->nt_interactive_pwd.data, sizeof(nt_hash.hash)); + got_nt = true; + } + if (got_lm || got_nt) { + *user_sess_key = data_blob(mem_ctx, 16); + if (!user_sess_key->data) { + return NT_STATUS_NO_MEMORY; + } + SMBsesskeygen_ntv1(nt_pw, user_sess_key->data); + *lm_sess_key = data_blob(NULL, 0); + return hash_password_check(mem_ctx, lp_lanman_auth(), + got_lm ? &client_lm_hash : NULL, + got_nt ? &client_nt_hash : NULL, + username, + lm_pw ? &lm_hash: NULL, + nt_pw ? &nt_hash : NULL); + } else { + return ntlm_password_check(mem_ctx, lp_lanman_auth(), + lp_ntlm_auth(), + user_info->logon_parameters, + &auth_context->challenge, + &user_info->lm_resp, &user_info->nt_resp, + username, + user_info->smb_name, + user_info->client_domain, + lm_pw ? &lm_hash: NULL, + nt_pw ? &nt_hash : NULL, + user_sess_key, lm_sess_key); + } } /**************************************************************************** diff --git a/source3/include/client.h b/source3/include/client.h index c314c9c6a9..6d84f482c2 100644 --- a/source3/include/client.h +++ b/source3/include/client.h @@ -132,8 +132,8 @@ struct rpc_pipe_client { struct cli_pipe_auth_data *auth; - /* The following is only non-null on a netlogon pipe. */ - struct dcinfo *dc; + /* The following is only non-null on a netlogon client pipe. */ + struct netlogon_creds_CredentialState *dc; /* Used by internal rpc_pipe_client */ pipes_struct *pipes_struct; diff --git a/source3/include/ntlmssp.h b/source3/include/ntlmssp.h index f3414fe928..67cdd5a551 100644 --- a/source3/include/ntlmssp.h +++ b/source3/include/ntlmssp.h @@ -68,11 +68,6 @@ enum NTLM_MESSAGE_TYPE #define NTLMSSP_FEATURE_SIGN 0x00000002 #define NTLMSSP_FEATURE_SEAL 0x00000004 -#define NTLMSSP_NAME_TYPE_SERVER 0x01 -#define NTLMSSP_NAME_TYPE_DOMAIN 0x02 -#define NTLMSSP_NAME_TYPE_SERVER_DNS 0x03 -#define NTLMSSP_NAME_TYPE_DOMAIN_DNS 0x04 - #define NTLMSSP_SIG_SIZE 16 typedef struct ntlmssp_state diff --git a/source3/include/proto.h b/source3/include/proto.h index 64b1d7c43c..98fb3b50c9 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -4636,11 +4636,11 @@ bool secrets_store_afs_keyfile(const char *cell, const struct afs_keyfile *keyfi bool secrets_fetch_afs_key(const char *cell, struct afs_key *result); void secrets_fetch_ipc_userpass(char **username, char **domain, char **password); bool secrets_store_schannel_session_info(TALLOC_CTX *mem_ctx, - const char *remote_machine, - const struct dcinfo *pdc); + const char *remote_machine, + const struct dcinfo *pdc); bool secrets_restore_schannel_session_info(TALLOC_CTX *mem_ctx, - const char *remote_machine, - struct dcinfo **ppdc); + const char *remote_machine, + struct dcinfo **ppdc); bool secrets_store_generic(const char *owner, const char *key, const char *secret); char *secrets_fetch_generic(const char *owner, const char *key); bool secrets_store_local_schannel_key(uint8_t schannel_key[16]); @@ -5245,7 +5245,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli, const struct ndr_syntax_id *interface, enum pipe_auth_level auth_level, const char *domain, - const struct dcinfo *pdc, + struct netlogon_creds_CredentialState *pdc, struct rpc_pipe_client **presult); NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli, const struct ndr_syntax_id *interface, diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c index 567ee7b8d1..374079c8ae 100644 --- a/source3/lib/charcnv.c +++ b/source3/lib/charcnv.c @@ -1600,6 +1600,7 @@ size_t push_string_check_fn(const char *function, unsigned int line, return push_ascii(dest, src, dest_len, flags); } + /** Copy a string from a char* src to a unicode or ascii dos codepage destination choosing unicode or ascii based on the @@ -1641,6 +1642,43 @@ size_t push_string_base(const char *function, unsigned int line, return push_ascii(dest, src, dest_len, flags); } +/** + Copy a string from a char* src to a unicode or ascii + dos codepage destination choosing unicode or ascii based on the + flags supplied + Return the number of bytes occupied by the string in the destination. + flags can have: + STR_TERMINATE means include the null termination. + STR_UPPER means uppercase in the destination. + STR_ASCII use ascii even with unicode packet. + STR_NOALIGN means don't do alignment. + dest_len is the maximum length allowed in the destination. If dest_len + is -1 then no maxiumum is used. +**/ + +ssize_t push_string(void *dest, const char *src, size_t dest_len, int flags) +{ + size_t ret; +#ifdef DEVELOPER + /* We really need to zero fill here, not clobber + * region, as we want to ensure that valgrind thinks + * all of the outgoing buffer has been written to + * so a send() or write() won't trap an error. + * JRA. + */ + memset(dest, '\0', dest_len); +#endif + + if (!(flags & STR_ASCII) && \ + (flags & STR_UNICODE)) { + ret = push_ucs2(NULL, dest, src, dest_len, flags); + } + ret = push_ascii(dest, src, dest_len, flags); + if (ret == (size_t)-1) { + return -1; + } + return ret; +} /** Copy a string from a unicode or ascii source (depending on diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c index 8928f1c052..df7e875ab6 100644 --- a/source3/libnet/libnet_samsync.c +++ b/source3/libnet/libnet_samsync.c @@ -33,7 +33,7 @@ */ static NTSTATUS samsync_fix_delta_array(TALLOC_CTX *mem_ctx, - struct creds_CredentialState *creds, + struct netlogon_creds_CredentialState *creds, enum netr_SamDatabaseID database_id, struct netr_DELTA_ENUM_ARRAY *r) { @@ -206,7 +206,7 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx, do { struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; - creds_client_authenticator(ctx->cli->dc, &credential); + netlogon_creds_client_authenticator(ctx->cli->dc, &credential); if (ctx->single_object_replication && !ctx->force_full_replication) { @@ -247,8 +247,8 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx, } /* Check returned credentials. */ - if (!creds_client_check(ctx->cli->dc, - &return_authenticator.cred)) { + if (!netlogon_creds_client_check(ctx->cli->dc, + &return_authenticator.cred)) { DEBUG(0,("credentials chain check failed\n")); return NT_STATUS_ACCESS_DENIED; } diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 00d7f8515b..32485ead9f 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -41,28 +41,19 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, NTSTATUS result = NT_STATUS_UNSUCCESSFUL; struct netr_Credential clnt_chal_send; struct netr_Credential srv_chal_recv; - struct netr_Credentials *dc; + struct samr_Password password; bool retried = false; + fstring mach_acct; SMB_ASSERT(ndr_syntax_id_equal(&cli->abstract_syntax, &ndr_table_netlogon.syntax_id)); TALLOC_FREE(cli->dc); - cli->dc = talloc_zero(cli, struct dcinfo); - if (cli->dc == NULL) { - return NT_STATUS_NO_MEMORY; - } - dc = cli->dc; /* Store the machine account password we're going to use. */ - memcpy(dc->mach_pw, machine_pwd, 16); - - fstrcpy(dc->remote_machine, "\\\\"); - fstrcat(dc->remote_machine, server_name); - - fstrcpy(dc->domain, domain); + memcpy(password.hash, machine_pwd, 16); - fstr_sprintf( dc->mach_acct, "%s$", machine_account); + fstr_sprintf( mach_acct, "%s$", machine_account); again: /* Create the client challenge. */ @@ -70,7 +61,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, /* Get the server challenge. */ result = rpccli_netr_ServerReqChallenge(cli, talloc_tos(), - dc->remote_machine, + cli->srv_name_slash, clnt_name, &clnt_chal_send, &srv_chal_recv); @@ -79,22 +70,29 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, } /* Calculate the session key and client credentials */ - creds_client_init(*neg_flags_inout, - dc, - &clnt_chal_send, - &srv_chal_recv, - machine_pwd, - &clnt_chal_send); + + cli->dc = netlogon_creds_client_init(cli, + clnt_name, + machine_account, + &clnt_chal_send, + &srv_chal_recv, + &password, + &clnt_chal_send, + *neg_flags_inout); + + if (!cli->dc) { + return NT_STATUS_NO_MEMORY; + } /* * Send client auth-2 challenge and receive server repy. */ result = rpccli_netr_ServerAuthenticate2(cli, talloc_tos(), - dc->remote_machine, - dc->mach_acct, + cli->srv_name_slash, + cli->dc->account_name, sec_chan_type, - clnt_name, + cli->dc->computer_name, &clnt_chal_send, /* input. */ &srv_chal_recv, /* output. */ neg_flags_inout); @@ -103,7 +101,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, * with the returned neg_flags - gd */ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && !retried) { - retried = true; + TALLOC_FREE(cli->dc); goto again; } @@ -116,7 +114,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, * server received challenge. */ - if (!netlogon_creds_client_check(dc, &srv_chal_recv)) { + if (!netlogon_creds_client_check(cli->dc, &srv_chal_recv)) { /* * Server replied with bad credential. Fail. */ @@ -170,7 +168,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, /* Initialise input parameters */ - netlogon_creds_client_step(cli->dc, &clnt_creds); + netlogon_creds_client_authenticator(cli->dc, &clnt_creds); switch (logon_type) { case NetlogonInteractiveInformation: { @@ -180,43 +178,20 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, struct samr_Password lmpassword; struct samr_Password ntpassword; - unsigned char lm_owf_user_pwd[16], nt_owf_user_pwd[16]; - - unsigned char lm_owf[16]; - unsigned char nt_owf[16]; - unsigned char key[16]; - password_info = TALLOC_ZERO_P(mem_ctx, struct netr_PasswordInfo); if (!password_info) { return NT_STATUS_NO_MEMORY; } - nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd); - -#ifdef DEBUG_PASSWORD - DEBUG(100,("lm cypher:")); - dump_data(100, lm_owf_user_pwd, 16); - - DEBUG(100,("nt cypher:")); - dump_data(100, nt_owf_user_pwd, 16); -#endif - memset(key, 0, 16); - memcpy(key, cli->dc->sess_key, 8); + nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash); - memcpy(lm_owf, lm_owf_user_pwd, 16); - arcfour_crypt(lm_owf, key, 16); - memcpy(nt_owf, nt_owf_user_pwd, 16); - arcfour_crypt(nt_owf, key, 16); - -#ifdef DEBUG_PASSWORD - DEBUG(100,("encrypt of lm owf password:")); - dump_data(100, lm_owf, 16); - - DEBUG(100,("encrypt of nt owf password:")); - dump_data(100, nt_owf, 16); -#endif - memcpy(lmpassword.hash, lm_owf, 16); - memcpy(ntpassword.hash, nt_owf, 16); + if (cli->dc->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + netlogon_creds_arcfour_crypt(cli->dc, lmpassword.hash, 16); + netlogon_creds_arcfour_crypt(cli->dc, ntpassword.hash, 16); + } else { + netlogon_creds_des_encrypt(cli->dc, &lmpassword); + netlogon_creds_des_encrypt(cli->dc, &ntpassword); + } init_netr_PasswordInfo(password_info, domain, @@ -281,7 +256,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, } result = rpccli_netr_LogonSamLogon(cli, mem_ctx, - cli->dc->remote_machine, + cli->srv_name_slash, global_myname(), &clnt_creds, &ret_creds, @@ -291,12 +266,10 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, &validation, &authoritative); - if (memcmp(zeros, &ret_creds.cred.data, sizeof(ret_creds.cred.data)) != 0) { - /* Check returned credentials if present. */ - if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) { - DEBUG(0,("rpccli_netlogon_sam_logon: credentials chain check failed\n")); - return NT_STATUS_ACCESS_DENIED; - } + /* Always check returned credentials */ + if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) { + DEBUG(0,("rpccli_netlogon_sam_logon: credentials chain check failed\n")); + return NT_STATUS_ACCESS_DENIED; } return result; @@ -353,7 +326,7 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, return NT_STATUS_NO_MEMORY; } - netlogon_creds_client_step(cli->dc, &clnt_creds); + netlogon_creds_client_authenticator(cli->dc, &clnt_creds); if (server[0] != '\\' && server[1] != '\\') { server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server); @@ -408,23 +381,13 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, return result; } - if (memcmp(zeros, validation.sam3->base.key.key, 16) != 0) { - arcfour_crypt(validation.sam3->base.key.key, - cli->dc->sess_key, 16); - } - - if (memcmp(zeros, validation.sam3->base.LMSessKey.key, 8) != 0) { - arcfour_crypt(validation.sam3->base.LMSessKey.key, - cli->dc->sess_key, 8); + /* Always check returned credentials. */ + if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) { + DEBUG(0,("rpccli_netlogon_sam_network_logon: credentials chain check failed\n")); + return NT_STATUS_ACCESS_DENIED; } - if (memcmp(zeros, ret_creds.cred.data, sizeof(ret_creds.cred.data)) != 0) { - /* Check returned credentials if present. */ - if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) { - DEBUG(0,("rpccli_netlogon_sam_network_logon: credentials chain check failed\n")); - return NT_STATUS_ACCESS_DENIED; - } - } + netlogon_creds_decrypt_samlogon(cli->dc, validation_level, &validation); *info3 = validation.sam3; @@ -525,15 +488,7 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, return result; } - if (memcmp(zeros, validation.sam3->base.key.key, 16) != 0) { - arcfour_crypt(validation.sam3->base.key.key, - cli->dc->sess_key, 16); - } - - if (memcmp(zeros, validation.sam3->base.LMSessKey.key, 8) != 0) { - arcfour_crypt(validation.sam3->base.LMSessKey.key, - cli->dc->sess_key, 8); - } + netlogon_creds_decrypt_samlogon(cli->dc, validation_level, &validation); *info3 = validation.sam3; @@ -575,21 +530,21 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli, return result; } - netlogon_creds_client_step(cli->dc, &clnt_creds); + netlogon_creds_client_authenticator(cli->dc, &clnt_creds); if (neg_flags & NETLOGON_NEG_PASSWORD_SET2) { struct netr_CryptPassword new_password; init_netr_CryptPassword(new_trust_pwd_cleartext, - cli->dc->sess_key, + cli->dc->session_key, &new_password); result = rpccli_netr_ServerPasswordSet2(cli, mem_ctx, - cli->dc->remote_machine, - cli->dc->mach_acct, + cli->srv_name_slash, + cli->dc->account_name, sec_channel_type, - global_myname(), + cli->dc->computer_name, &clnt_creds, &srv_cred, &new_password); @@ -601,16 +556,14 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli, } else { struct samr_Password new_password; - - cred_hash3(new_password.hash, - new_trust_passwd_hash, - cli->dc->sess_key, 1); + memcpy(new_password.hash, new_trust_passwd_hash, sizeof(new_password.hash)); + netlogon_creds_des_encrypt(cli->dc, &new_password); result = rpccli_netr_ServerPasswordSet(cli, mem_ctx, - cli->dc->remote_machine, - cli->dc->mach_acct, + cli->srv_name_slash, + cli->dc->account_name, sec_channel_type, - global_myname(), + cli->dc->computer_name, &clnt_creds, &srv_cred, &new_password); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 2832a6d1c3..567794db88 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -3851,7 +3851,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli, const struct ndr_syntax_id *interface, enum pipe_auth_level auth_level, const char *domain, - const struct dcinfo *pdc, + struct netlogon_creds_CredentialState *pdc, struct rpc_pipe_client **presult) { struct rpc_pipe_client *result; @@ -3864,7 +3864,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli, } status = rpccli_schannel_bind_data(result, domain, auth_level, - pdc->sess_key, &auth); + pdc->session_key, &auth); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("rpccli_schannel_bind_data returned %s\n", nt_errstr(status))); @@ -3883,11 +3883,11 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli, /* * The credentials on a new netlogon pipe are the ones we are passed - * in - copy them over. + * in - reference them in */ - result->dc = (struct dcinfo *)talloc_memdup(result, pdc, sizeof(*pdc)); + result->dc = talloc_reference(result, pdc); if (result->dc == NULL) { - DEBUG(0, ("talloc failed\n")); + DEBUG(0, ("talloc reference failed\n")); TALLOC_FREE(result); return NT_STATUS_NO_MEMORY; } diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c index abc2455e75..aa493214d7 100644 --- a/source3/rpcclient/cmd_netlogon.c +++ b/source3/rpcclient/cmd_netlogon.c @@ -585,7 +585,7 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli, do { struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; - netlogon_creds_client_step(cli->dc, &credential); + netlogon_creds_client_authenticator(cli->dc, &credential); result = rpccli_netr_DatabaseSync2(cli, mem_ctx, logon_server, @@ -648,7 +648,7 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli, do { struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; - netlogon_creds_client_step(cli->dc, &credential); + netlogon_creds_client_authenticator(cli->dc, &credential); result = rpccli_netr_DatabaseDeltas(cli, mem_ctx, logon_server, @@ -1083,7 +1083,7 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli, return status; } - netlogon_creds_client_step(cli->dc, &clnt_creds); + netlogon_creds_client_authenticator(cli->dc, &clnt_creds); ZERO_STRUCT(e); @@ -1128,7 +1128,7 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli, } #if 0 - netlogon_creds_client_step(cli->dc, &credential); + netlogon_creds_client_authenticator(cli->dc, &credential); #else ZERO_STRUCT(credential); #endif diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 838aaf5216..66108bd167 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -567,15 +567,15 @@ static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) { NTSTATUS nt_status; - uint8 lm_pw[16], nt_pw[16]; + struct samr_Password lm_pw, nt_pw; - nt_lm_owf_gen (opt_password, nt_pw, lm_pw); + nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash); nt_status = ntlm_password_check(ntlmssp_state, + true, true, &ntlmssp_state->chal, &ntlmssp_state->lm_resp, &ntlmssp_state->nt_resp, - NULL, NULL, ntlmssp_state->user, ntlmssp_state->user, ntlmssp_state->domain, |