summaryrefslogtreecommitdiff
path: root/source4/rpc_server/netlogon
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2008-09-03 15:30:17 +1000
committerAndrew Bartlett <abartlet@samba.org>2008-09-03 15:30:17 +1000
commita35263e1ab81cac7855158012157769e3e9000f7 (patch)
treee0130c48ed4b58f0544d875d094272e5a58d2e3a /source4/rpc_server/netlogon
parentbaf0b360812dc8532f9420e224bf3ee3a51fb04a (diff)
downloadsamba-a35263e1ab81cac7855158012157769e3e9000f7.tar.gz
samba-a35263e1ab81cac7855158012157769e3e9000f7.tar.bz2
samba-a35263e1ab81cac7855158012157769e3e9000f7.zip
Implement NETLOGON PAC verfication on the server-side
This is implemented by means of a message to the KDC, to avoid having to link most of the KDC into netlogon. Andrew Bartlett (This used to be commit 82fcd7941f5c54da2d994c8bd99dd8d86299a296)
Diffstat (limited to 'source4/rpc_server/netlogon')
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c60
1 files changed, 29 insertions, 31 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 5672d29cb2..36ac650b08 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -34,6 +34,8 @@
#include "auth/gensec/schannel_state.h"
#include "libcli/security/security.h"
#include "param/param.h"
+#include "lib/messaging/irpc.h"
+#include "librpc/gen_ndr/ndr_irpc.h"
struct server_pipe_state {
struct netr_Credential client_challenge;
@@ -496,41 +498,37 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
return NT_STATUS_INVALID_PARAMETER;
}
- if (strcmp(r->in.logon.generic->package_name.string, "Kerberos")) {
- struct PAC_Validate pac_validate;
- DATA_BLOB srv_sig;
- struct PAC_SIGNATURE_DATA kdc_sig;
- DATA_BLOB pac_validate_blob = data_blob_const(r->in.logon.generic->data,
- r->in.logon.generic->length);
- ndr_err = ndr_pull_struct_blob(&pac_validate_blob, mem_ctx,
- lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx),
- &pac_validate,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_Validate);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- return NT_STATUS_INVALID_PARAMETER;
- }
+ if (strcmp(r->in.logon.generic->package_name.string, "Kerberos") == 0) {
+ NTSTATUS status;
+ struct server_id *kdc;
+ struct kdc_check_generic_kerberos check;
+ struct netr_GenericInfo2 *generic = talloc_zero(mem_ctx, struct netr_GenericInfo2);
+ NT_STATUS_HAVE_NO_MEMORY(generic);
+ r->out.authoritative = 1;
+
+ /* TODO: Describe and deal with these flags */
+ r->out.flags = 0;
- if (pac_validate->MessageType != 3) {
- /* We don't implement any other message types - such as certificate validation - yet */
- return NT_STATUS_INVALID_PARAMETER;
+ r->out.validation.generic = generic;
+
+ kdc = irpc_servers_byname(dce_call->msg_ctx, mem_ctx, "kdc_server");
+ if ((kdc == NULL) || (kdc[0].id == 0)) {
+ return NT_STATUS_NO_LOGON_SERVERS;
}
- if (pac_validate->ChecksumAndSignature.length != (pac_validate->ChecksumLength + pac_validate->SignatureLength)
- || pac_validate->ChecksumAndSignature.length < pac_validate->ChecksumLength
- || pac_validate->ChecksumAndSignature.length < pac_validate->SignatureLength ) {
- return NT_STATUS_INVALID_PARAMETER;
+ check.in.generic_request =
+ data_blob_const(r->in.logon.generic->data,
+ r->in.logon.generic->length);
+
+ status = irpc_call(dce_call->msg_ctx, kdc[0],
+ &ndr_table_irpc, NDR_KDC_CHECK_GENERIC_KERBEROS,
+ &check, mem_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
-
- srv_sig = data_blob_const(pac_validate->ChecksumAndSignature.data,
- pac_validate->ChecksumLength);
-
- kdc_sig.type = pac_validate->SignatureType;
- kdc_sig.signature = data_blob_const(&pac_validate->ChecksumAndSignature.data[pac_validate->ChecksumLength],
- pac_validate->SignatureLength);
- check_pac_checksum(mem_ctx, srv_sig, &kdc_sig,
- context, keyblock);
-
-
+ generic->length = check.out.generic_reply.length;
+ generic->data = check.out.generic_reply.data;
+ return NT_STATUS_OK;
}
/* Until we get an implemetnation of these other packages */