summaryrefslogtreecommitdiff
path: root/source4/rpc_server
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-02-09 02:30:43 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:51:53 -0500
commit5cecce1761c06b0641190cf7bb8e93bff9a88cf4 (patch)
tree749d647c537a3d7ed2c1081c3bef705d95a26227 /source4/rpc_server
parent4c78d1bfa21947f649b061279e7388c478f77fe0 (diff)
downloadsamba-5cecce1761c06b0641190cf7bb8e93bff9a88cf4.tar.gz
samba-5cecce1761c06b0641190cf7bb8e93bff9a88cf4.tar.bz2
samba-5cecce1761c06b0641190cf7bb8e93bff9a88cf4.zip
r13402: Make Samba4 pass a nastier RPC-SCHANNEL test.
The new RPC-SCHANNEL test shows that the full credentials state must be kept in some shared memory, for some length of time. In particular, clients will reconnect with SCHANNEL (after loosing all connections) and expect that the credentials chain will remain in the same place. To achive this, we do the server-side crypto in a transaction, including the fetch/store of the shared state. Andrew Bartlett (This used to be commit 982a6aa871c9fce17410a9712cd9fa726025ff90)
Diffstat (limited to 'source4/rpc_server')
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c221
1 files changed, 139 insertions, 82 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index f3ef74641d..03d325020f 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -128,6 +128,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL
struct netr_ServerAuthenticate3 *r)
{
struct server_pipe_state *pipe_state = dce_call->context->private;
+ struct creds_CredentialState *creds;
void *sam_ctx;
struct samr_Password *mach_pwd;
uint16_t acct_flags;
@@ -203,37 +204,39 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL
return NT_STATUS_ACCESS_DENIED;
}
- if (pipe_state->creds) {
- talloc_free(pipe_state->creds);
- }
- pipe_state->creds = talloc(pipe_state, struct creds_CredentialState);
- if (!pipe_state->creds) {
+ creds = talloc(mem_ctx, struct creds_CredentialState);
+ if (!creds) {
return NT_STATUS_NO_MEMORY;
}
- creds_server_init(pipe_state->creds, &pipe_state->client_challenge,
+ creds_server_init(creds, &pipe_state->client_challenge,
&pipe_state->server_challenge, mach_pwd,
r->out.credentials,
*r->in.negotiate_flags);
- if (!creds_server_check(pipe_state->creds, r->in.credentials)) {
- talloc_free(pipe_state->creds);
- pipe_state->creds = NULL;
+ if (!creds_server_check(creds, r->in.credentials)) {
+ talloc_free(creds);
return NT_STATUS_ACCESS_DENIED;
}
- pipe_state->creds->account_name = talloc_steal(pipe_state->creds, r->in.account_name);
+ creds->account_name = talloc_steal(creds, r->in.account_name);
- pipe_state->creds->computer_name = talloc_steal(pipe_state->creds, r->in.computer_name);
+ creds->computer_name = talloc_steal(creds, r->in.computer_name);
+ creds->domain = talloc_strdup(creds, lp_workgroup());
- pipe_state->creds->secure_channel_type = r->in.secure_channel_type;
+ creds->secure_channel_type = r->in.secure_channel_type;
- pipe_state->creds->sid = samdb_result_dom_sid(pipe_state->creds, msgs[0], "objectSid");
+ creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
- pipe_state->creds->domain = talloc_strdup(pipe_state->creds, lp_workgroup());
/* remember this session key state */
- nt_status = schannel_store_session_key(mem_ctx, pipe_state->creds);
+ nt_status = schannel_store_session_key(mem_ctx, creds);
+
+ if (pipe_state->creds) {
+ talloc_free(pipe_state->creds);
+ }
+ talloc_steal(pipe_state, creds);
+ pipe_state->creds = creds;
return nt_status;
}
@@ -285,29 +288,76 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL
static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_state,
+ TALLOC_CTX *mem_ctx,
struct netr_Authenticator *received_authenticator,
- struct netr_Authenticator *return_authenticator)
+ struct netr_Authenticator *return_authenticator,
+ struct creds_CredentialState **creds_out)
{
+ struct creds_CredentialState *creds;
+ NTSTATUS nt_status;
+ struct ldb_context *ldb;
+ int ret;
+
if (!pipe_state) {
DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
return NT_STATUS_ACCESS_DENIED;
}
- return creds_server_step_check(pipe_state->creds,
- received_authenticator,
- return_authenticator);
+ ldb = schannel_db_connect(mem_ctx);
+ if (!ldb) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ ret = ldb_transaction_start(ldb);
+ if (ret != 0) {
+ talloc_free(ldb);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ /* Because this is a shared structure (even across
+ * disconnects) we must update the database every time we
+ * update the structure */
+
+ nt_status = schannel_fetch_session_key_ldb(ldb, ldb, pipe_state->creds->computer_name,
+ pipe_state->creds->domain, &creds);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ nt_status = creds_server_step_check(creds,
+ received_authenticator,
+ return_authenticator);
+ }
+ if (NT_STATUS_IS_OK(nt_status)) {
+ nt_status = schannel_store_session_key_ldb(ldb, ldb, creds);
+ }
+
+ if (NT_STATUS_IS_OK(nt_status)) {
+ ldb_transaction_commit(ldb);
+ if (creds_out) {
+ *creds_out = creds;
+ talloc_steal(mem_ctx, creds);
+ }
+ } else {
+ ldb_transaction_cancel(ldb);
+ }
+ talloc_free(ldb);
+ return nt_status;
}
+/*
+ Change the machine account password for the currently connected
+ client. Supplies only the NT#.
+*/
static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_ServerPasswordSet *r)
{
struct server_pipe_state *pipe_state = dce_call->context->private;
-
+ struct creds_CredentialState *creds;
struct ldb_context *sam_ctx;
NTSTATUS nt_status;
- nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator);
+ nt_status = netr_creds_server_step_check(pipe_state, mem_ctx,
+ &r->in.credential, &r->out.return_authenticator,
+ &creds);
NT_STATUS_NOT_OK_RETURN(nt_status);
sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
@@ -315,11 +365,11 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
- creds_des_decrypt(pipe_state->creds, &r->in.new_password);
+ creds_des_decrypt(creds, &r->in.new_password);
/* Using the sid for the account as the key, set the password */
nt_status = samdb_set_password_sid(sam_ctx, mem_ctx,
- pipe_state->creds->sid,
+ creds->sid,
NULL, /* Don't have plaintext */
NULL, &r->in.new_password,
False, /* This is not considered a password change */
@@ -328,6 +378,55 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
return nt_status;
}
+/*
+ Change the machine account password for the currently connected
+ client. Supplies new plaintext.
+*/
+static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct netr_ServerPasswordSet2 *r)
+{
+ struct server_pipe_state *pipe_state = dce_call->context->private;
+ struct creds_CredentialState *creds;
+ struct ldb_context *sam_ctx;
+ NTSTATUS nt_status;
+ char new_pass[512];
+ uint32_t new_pass_len;
+ BOOL ret;
+
+ struct samr_CryptPassword password_buf;
+
+ nt_status = netr_creds_server_step_check(pipe_state, mem_ctx,
+ &r->in.credential, &r->out.return_authenticator,
+ &creds);
+ NT_STATUS_NOT_OK_RETURN(nt_status);
+
+ sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
+ if (sam_ctx == NULL) {
+ return NT_STATUS_INVALID_SYSTEM_SERVICE;
+ }
+
+ memcpy(password_buf.data, r->in.new_password.data, 512);
+ SIVAL(password_buf.data,512,r->in.new_password.length);
+ creds_arcfour_crypt(creds, password_buf.data, 516);
+
+ ret = decode_pw_buffer(password_buf.data, new_pass, sizeof(new_pass),
+ &new_pass_len, STR_UNICODE);
+ if (!ret) {
+ DEBUG(3,("netr_ServerPasswordSet2: failed to decode password buffer\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ /* Using the sid for the account as the key, set the password */
+ nt_status = samdb_set_password_sid(sam_ctx, mem_ctx,
+ creds->sid,
+ new_pass, /* we have plaintext */
+ NULL, NULL,
+ False, /* This is not considered a password change */
+ False, /* don't restrict this password change (match w2k3) */
+ NULL, NULL);
+ return nt_status;
+}
+
/*
netr_LogonUasLogon
@@ -358,7 +457,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
struct netr_LogonSamLogonEx *r)
{
struct server_pipe_state *pipe_state = dce_call->context->private;
-
+ struct creds_CredentialState *creds = pipe_state->creds;
struct auth_context *auth_context;
struct auth_usersupplied_info *user_info;
struct auth_serversupplied_info *server_info;
@@ -383,15 +482,15 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
case 3:
case 5:
if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- creds_arcfour_crypt(pipe_state->creds,
+ creds_arcfour_crypt(creds,
r->in.logon.password->lmpassword.hash,
sizeof(r->in.logon.password->lmpassword.hash));
- creds_arcfour_crypt(pipe_state->creds,
+ creds_arcfour_crypt(creds,
r->in.logon.password->ntpassword.hash,
sizeof(r->in.logon.password->ntpassword.hash));
} else {
- creds_des_decrypt(pipe_state->creds, &r->in.logon.password->lmpassword);
- creds_des_decrypt(pipe_state->creds, &r->in.logon.password->ntpassword);
+ creds_des_decrypt(creds, &r->in.logon.password->lmpassword);
+ creds_des_decrypt(creds, &r->in.logon.password->ntpassword);
}
/* TODO: we need to deny anonymous access here */
@@ -459,8 +558,8 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
sizeof(sam->key.key)) != 0) {
/* This key is sent unencrypted without the ARCFOUR flag set */
- if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- creds_arcfour_crypt(pipe_state->creds,
+ if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ creds_arcfour_crypt(creds,
sam->key.key,
sizeof(sam->key.key));
}
@@ -471,12 +570,12 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
if ((r->in.validation_level != 6)
&& memcmp(sam->LMSessKey.key, zeros,
sizeof(sam->LMSessKey.key)) != 0) {
- if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
- creds_arcfour_crypt(pipe_state->creds,
+ if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ creds_arcfour_crypt(creds,
sam->LMSessKey.key,
sizeof(sam->LMSessKey.key));
} else {
- creds_des_encrypt_LMKey(pipe_state->creds,
+ creds_des_encrypt_LMKey(creds,
&sam->LMSessKey);
}
}
@@ -535,7 +634,9 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call,
return_authenticator = talloc(mem_ctx, struct netr_Authenticator);
NT_STATUS_HAVE_NO_MEMORY(return_authenticator);
- nt_status = netr_creds_server_step_check(pipe_state, r->in.credential, return_authenticator);
+ nt_status = netr_creds_server_step_check(pipe_state, mem_ctx,
+ r->in.credential, return_authenticator,
+ NULL);
NT_STATUS_NOT_OK_RETURN(nt_status);
ZERO_STRUCT(r2);
@@ -844,8 +945,10 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL
const char *local_domain;
- status = netr_creds_server_step_check(pipe_state,
- r->in.credential, r->out.return_authenticator);
+ status = netr_creds_server_step_check(pipe_state, mem_ctx,
+ r->in.credential,
+ r->out.return_authenticator,
+ NULL);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -918,52 +1021,6 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL
}
-/*
- netr_ServerPasswordSet2
-*/
-static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct netr_ServerPasswordSet2 *r)
-{
- struct server_pipe_state *pipe_state = dce_call->context->private;
-
- struct ldb_context *sam_ctx;
- NTSTATUS nt_status;
- char new_pass[512];
- uint32_t new_pass_len;
- BOOL ret;
-
- struct samr_CryptPassword password_buf;
-
- nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator);
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
- sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
- if (sam_ctx == NULL) {
- return NT_STATUS_INVALID_SYSTEM_SERVICE;
- }
-
- memcpy(password_buf.data, r->in.new_password.data, 512);
- SIVAL(password_buf.data,512,r->in.new_password.length);
- creds_arcfour_crypt(pipe_state->creds, password_buf.data, 516);
-
- ret = decode_pw_buffer(password_buf.data, new_pass, sizeof(new_pass),
- &new_pass_len, STR_UNICODE);
- if (!ret) {
- DEBUG(3,("netr_ServerPasswordSet2: failed to decode password buffer\n"));
- return NT_STATUS_ACCESS_DENIED;
- }
-
- /* Using the sid for the account as the key, set the password */
- nt_status = samdb_set_password_sid(sam_ctx, mem_ctx,
- pipe_state->creds->sid,
- new_pass, /* we have plaintext */
- NULL, NULL,
- False, /* This is not considered a password change */
- False, /* don't restrict this password change (match w2k3) */
- NULL, NULL);
- return nt_status;
-}
-
/*
netr_NETRSERVERPASSWORDGET