diff options
author | Andrew Bartlett <abartlet@samba.org> | 2004-05-15 07:51:38 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:53:46 -0500 |
commit | 064e7447bebd715c8351d9a0ee31f648990f2336 (patch) | |
tree | 156925cd7c8d4616f0eca3a743b7323b3b0b23b7 /source4/libcli | |
parent | 31b9470996632d717c3c74482308e200906fdb8f (diff) | |
download | samba-064e7447bebd715c8351d9a0ee31f648990f2336.tar.gz samba-064e7447bebd715c8351d9a0ee31f648990f2336.tar.bz2 samba-064e7447bebd715c8351d9a0ee31f648990f2336.zip |
r743: Start on a NETLOGON server in Samba4.
Currently this only authentiates the machine, not real users.
As a consequence of running the Samba4 NETLOGON test against Samba4, I
found a number of issues in the SAMR server, which I have addressed.
There are more templates in the provison.ldif for this reason.
I also added some debug to our credentials code, and fixed some bugs
in the auth_sam module.
The static buffer in generate_random_string() bit me badly, so I
removed it in favor of a talloc based system.
Andrew Bartlett
(This used to be commit 94624e519b66def97758b8a48a01ffe9029176f0)
Diffstat (limited to 'source4/libcli')
-rw-r--r-- | source4/libcli/auth/credentials.c | 46 | ||||
-rw-r--r-- | source4/libcli/auth/credentials.h | 9 |
2 files changed, 52 insertions, 3 deletions
diff --git a/source4/libcli/auth/credentials.c b/source4/libcli/auth/credentials.c index 638bff7e8b..7d56f26b11 100644 --- a/source4/libcli/auth/credentials.c +++ b/source4/libcli/auth/credentials.c @@ -4,6 +4,7 @@ code to manipulate domain credentials Copyright (C) Andrew Tridgell 1997-2003 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -36,6 +37,10 @@ static void creds_init(struct creds_CredentialState *creds, uint32 sum[2]; uint8 sum2[8]; + dump_data_pw("Client chall", client_challenge->data, sizeof(client_challenge->data)); + dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data)); + dump_data_pw("Machine Pass", machine_password, 16); + sum[0] = IVAL(client_challenge->data, 0) + IVAL(server_challenge->data, 0); sum[1] = IVAL(client_challenge->data, 4) + IVAL(server_challenge->data, 4); @@ -44,8 +49,6 @@ static void creds_init(struct creds_CredentialState *creds, cred_hash1(creds->session_key, sum2, machine_password); - creds->sequence = time(NULL); - SIVAL(time_cred.data, 0, IVAL(client_challenge->data, 0)); SIVAL(time_cred.data, 4, IVAL(client_challenge->data, 4)); cred_hash2(creds->client.data, time_cred.data, creds->session_key, 1); @@ -136,6 +139,7 @@ void creds_client_init(struct creds_CredentialState *creds, struct netr_Credential *initial_credential) { creds_init(creds, client_challenge, server_challenge, machine_password); + creds->sequence = time(NULL); *initial_credential = creds->client; } @@ -146,7 +150,8 @@ void creds_client_init(struct creds_CredentialState *creds, BOOL creds_client_check(struct creds_CredentialState *creds, const struct netr_Credential *received_credentials) { - if (memcmp(received_credentials->data, creds->server.data, 8) != 0) { + if (!received_credentials || + memcmp(received_credentials->data, creds->server.data, 8) != 0) { DEBUG(2,("credentials check failed\n")); return False; } @@ -167,3 +172,38 @@ void creds_client_authenticator(struct creds_CredentialState *creds, } +/***************************************************************** +The above functions are common to the client and server interface +next comes the server specific functions +******************************************************************/ + +/* + initialise the credentials chain and return the first server + credentials +*/ +void creds_server_init(struct creds_CredentialState *creds, + const struct netr_Credential *client_challenge, + const struct netr_Credential *server_challenge, + const uint8 machine_password[16], + struct netr_Credential *initial_credential) +{ + creds_init(creds, client_challenge, server_challenge, machine_password); + + *initial_credential = creds->server; +} + +/* + check that a credentials reply from a server is correct +*/ +BOOL creds_server_check(const struct creds_CredentialState *creds, + const struct netr_Credential *received_credentials) +{ + if (memcmp(received_credentials->data, creds->client.data, 8) != 0) { + DEBUG(2,("credentials check failed\n")); + dump_data_pw("client creds", creds->client.data, 8); + dump_data_pw("calc creds", received_credentials->data, 8); + return False; + } + return True; +} + diff --git a/source4/libcli/auth/credentials.h b/source4/libcli/auth/credentials.h index 7a7a34ced2..a7e81d43af 100644 --- a/source4/libcli/auth/credentials.h +++ b/source4/libcli/auth/credentials.h @@ -27,3 +27,12 @@ struct creds_CredentialState { struct netr_Credential client; struct netr_Credential server; }; + + +/* for the timebeing, use the same neg flags as Samba3. */ +/* The 7 here seems to be required to get Win2k not to downgrade us + to NT4. Actually, anything other than 1ff would seem to do... */ +#define NETLOGON_NEG_AUTH2_FLAGS 0x000701ff + +#define NETLOGON_NEG_SCHANNEL 0x40000000 + |