diff options
| -rw-r--r-- | source3/auth/auth_domain.c | 3 | ||||
| -rw-r--r-- | source3/libsmb/trust_passwd.c | 4 | ||||
| -rw-r--r-- | source3/nsswitch/winbindd_cm.c | 6 | ||||
| -rw-r--r-- | source3/rpc_client/cli_netlogon.c | 109 | ||||
| -rw-r--r-- | source3/rpcclient/cmd_netlogon.c | 15 | ||||
| -rw-r--r-- | source3/rpcclient/samsync.c | 3 | ||||
| -rw-r--r-- | source3/utils/net_rpc_join.c | 3 | ||||
| -rw-r--r-- | source3/utils/net_rpc_samsync.c | 4 |
8 files changed, 119 insertions, 28 deletions
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index d48cec5b29..f7a268de1f 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -131,6 +131,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, struct in_addr dest_ip; fstring remote_machine; NTSTATUS result; + uint32 neg_flags = 0x000001ff; if (lp_security() == SEC_ADS) { result = ads_resolve_dc(remote_machine, &dest_ip); @@ -206,7 +207,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); return NT_STATUS_NO_MEMORY; } - result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd); + result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ diff --git a/source3/libsmb/trust_passwd.c b/source3/libsmb/trust_passwd.c index d500cb3ab7..4d7acd1988 100644 --- a/source3/libsmb/trust_passwd.c +++ b/source3/libsmb/trust_passwd.c @@ -35,7 +35,9 @@ static NTSTATUS just_change_the_password(struct cli_state *cli, TALLOC_CTX *mem_ unsigned char new_trust_passwd_hash[16]) { NTSTATUS result; - result = cli_nt_setup_creds(cli, get_sec_chan(), orig_trust_passwd_hash); + uint32 neg_flags = 0x000001ff; + + result = cli_nt_setup_creds(cli, get_sec_chan(), orig_trust_passwd_hash, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { DEBUG(1,("just_change_the_password: unable to setup creds (%s)!\n", diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index 997d5b665f..9ac392a6ba 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -864,6 +864,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd, { NTSTATUS result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; struct winbindd_cm_conn *conn; + uint32 neg_flags = 0x000001ff; if (!cli) { return NT_STATUS_INVALID_PARAMETER; @@ -875,7 +876,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd, return result; } - result = cli_nt_setup_creds(conn->cli, get_sec_chan(), trust_passwd); + result = cli_nt_setup_creds(conn->cli, get_sec_chan(), trust_passwd, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { DEBUG(0, ("error connecting to domain password server: %s\n", @@ -888,8 +889,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd, } /* Try again */ - result = cli_nt_setup_creds( - conn->cli, get_sec_chan(),trust_passwd); + result = cli_nt_setup_creds( conn->cli, get_sec_chan(),trust_passwd, &neg_flags, 2); } if (!NT_STATUS_IS_OK(result)) { diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 58ba32eb2e..eaee3c26e7 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -152,6 +152,83 @@ password ?).\n", cli->desthost )); return result; } +/**************************************************************************** +LSA Authenticate 3 + +Send the client credential, receive back a server credential. +Ensure that the server credential returned matches the session key +encrypt of the server challenge originally received. JRA. +****************************************************************************/ + +NTSTATUS cli_net_auth3(struct cli_state *cli, + uint16 sec_chan, + uint32 *neg_flags, DOM_CHAL *srv_chal) +{ + prs_struct qbuf, rbuf; + NET_Q_AUTH_3 q; + NET_R_AUTH_3 r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + extern pstring global_myname; + + prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL); + prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); + + /* create and send a MSRPC command with api NET_AUTH2 */ + + DEBUG(4,("cli_net_auth3: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", + cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, + credstr(cli->clnt_cred.challenge.data), *neg_flags)); + + /* store the parameters */ + init_q_auth_3(&q, cli->srv_name_slash, cli->mach_acct, + sec_chan, global_myname, &cli->clnt_cred.challenge, + *neg_flags); + + /* turn parameters into data stream */ + + if (!net_io_q_auth_3("", &q, &qbuf, 0) || + !rpc_api_pipe_req(cli, NET_AUTH3, &qbuf, &rbuf)) { + goto done; + } + + /* Unmarshall response */ + + if (!net_io_r_auth_3("", &r, &rbuf, 0)) { + goto done; + } + + result = r.status; + *neg_flags = r.srv_flgs.neg_flags; + + if (NT_STATUS_IS_OK(result)) { + UTIME zerotime; + + /* + * Check the returned value using the initial + * server received challenge. + */ + + zerotime.time = 0; + if (cred_assert( &r.srv_chal, cli->sess_key, srv_chal, + zerotime) == 0) { + + /* + * Server replied with bad credential. Fail. + */ + DEBUG(0,("cli_net_auth3: server %s replied with bad credential (bad machine \ +password ?).\n", cli->desthost )); + result = NT_STATUS_ACCESS_DENIED; + goto done; + } + } + + done: + prs_mem_free(&qbuf); + prs_mem_free(&rbuf); + + return result; +} + /* Return the secure channel type depending on the server role. */ uint16 get_sec_chan(void) @@ -174,7 +251,7 @@ uint16 get_sec_chan(void) NTSTATUS cli_nt_setup_creds(struct cli_state *cli, uint16 sec_chan, - const unsigned char mach_pwd[16]) + const unsigned char mach_pwd[16], uint32 *neg_flags, int level) { DOM_CHAL clnt_chal; DOM_CHAL srv_chal; @@ -200,24 +277,30 @@ NTSTATUS cli_nt_setup_creds(struct cli_state *cli, cli->sess_key); memset((char *)cli->sess_key+8, '\0', 8); - /******************* Authenticate 2 ********************/ + /******************* Authenticate 2/3 ********************/ - /* calculate auth-2 credentials */ + /* calculate auth-2/3 credentials */ zerotime.time = 0; - cred_create(cli->sess_key, &clnt_chal, zerotime, - &cli->clnt_cred.challenge); + cred_create(cli->sess_key, &clnt_chal, zerotime, &cli->clnt_cred.challenge); /* - * Send client auth-2 challenge. - * Receive an auth-2 challenge response and check it. + * Send client auth-2/3 challenge. + * Receive an auth-2/3 challenge response and check it. */ - - result = cli_net_auth2(cli, sec_chan, 0x000001ff, &srv_chal); + switch (level) { + case 2: + result = cli_net_auth2(cli, sec_chan, *neg_flags, &srv_chal); + break; + case 3: + result = cli_net_auth3(cli, sec_chan, neg_flags, &srv_chal); + break; + default: + DEBUG(1,("cli_nt_setup_creds: unsupported auth level: %d\n", level)); + break; + } - if (!NT_STATUS_IS_OK(result)) { - DEBUG(1,("cli_nt_setup_creds: auth2 challenge failed %s\n", - nt_errstr(result))); - } + if (!NT_STATUS_IS_OK(result)) + DEBUG(1,("cli_nt_setup_creds: auth%d challenge failed %s\n", level, nt_errstr(result))); return result; } diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c index ffff1dab04..0f61eaaae8 100644 --- a/source3/rpcclient/cmd_netlogon.c +++ b/source3/rpcclient/cmd_netlogon.c @@ -151,6 +151,7 @@ static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli, SAM_DELTA_HDR *hdr_deltas; SAM_DELTA_CTR *deltas; DOM_CRED ret_creds; + uint32 neg_flags = 0x000001ff; if (argc > 2) { fprintf(stderr, "Usage: %s [database_id]\n", argv[0]); @@ -173,7 +174,7 @@ static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli, goto done; } - result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd); + result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { fprintf(stderr, "Error initialising session creds\n"); @@ -211,6 +212,7 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct cli_state *cli, SAM_DELTA_HDR *hdr_deltas; SAM_DELTA_CTR *deltas; UINT64_S seqnum; + uint32 neg_flags = 0x000001ff; if (argc != 3) { fprintf(stderr, "Usage: %s database_id seqnum\n", argv[0]); @@ -236,7 +238,7 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct cli_state *cli, goto done; } - result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd); + result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { fprintf(stderr, "Error initialising session creds\n"); @@ -270,6 +272,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct cli_state *cli, NTSTATUS result = NT_STATUS_UNSUCCESSFUL; int logon_type = NET_LOGON_TYPE; char *username, *password; + uint32 neg_flags = 0x000001ff; /* Check arguments */ @@ -292,13 +295,12 @@ static NTSTATUS cmd_netlogon_sam_logon(struct cli_state *cli, return result; } - if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, - NULL)) { + if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, NULL)) { fprintf(stderr, "could not fetch trust account password\n"); goto done; } - result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd); + result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { fprintf(stderr, "Error initialising session creds\n"); @@ -307,8 +309,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct cli_state *cli, /* Perform the sam logon */ - result = cli_netlogon_sam_logon(cli, mem_ctx, username, password, - logon_type); + result = cli_netlogon_sam_logon(cli, mem_ctx, username, password, logon_type); if (!NT_STATUS_IS_OK(result)) goto done; diff --git a/source3/rpcclient/samsync.c b/source3/rpcclient/samsync.c index 710614469e..7124f9416a 100644 --- a/source3/rpcclient/samsync.c +++ b/source3/rpcclient/samsync.c @@ -362,6 +362,7 @@ static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16], uint32 num_deltas_0, num_deltas_2; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; struct pdb_context *in; + uint32 neg_flags = 0x000001ff; DOM_CRED ret_creds; @@ -384,7 +385,7 @@ static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16], /* Request a challenge */ - if (!NT_STATUS_IS_OK(cli_nt_setup_creds(cli, SEC_CHAN_BDC, trust_passwd))) { + if (!NT_STATUS_IS_OK(cli_nt_setup_creds(cli, SEC_CHAN_BDC, trust_passwd, &neg_flags, 2))) { DEBUG(0, ("Error initialising session creds\n")); goto done; } diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index c8be93c39c..b08095f1cc 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -49,6 +49,7 @@ int net_rpc_join_ok(const char *domain) int retval = 1; uint32 channel; NTSTATUS result; + uint32 neg_flags = 0x000001ff; /* Connect to remote machine */ if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) { @@ -75,7 +76,7 @@ int net_rpc_join_ok(const char *domain) CHECK_RPC_ERR(cli_nt_setup_creds(cli, channel, - stored_md4_trust_password), + stored_md4_trust_password, &neg_flags, 2), "error in domain join verification"); retval = 0; /* Success! */ diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c index a41eae40d1..4ddb931adb 100644 --- a/source3/utils/net_rpc_samsync.c +++ b/source3/utils/net_rpc_samsync.c @@ -143,6 +143,8 @@ int rpc_samdump(int argc, const char **argv) struct cli_state *cli = NULL; uchar trust_password[16]; DOM_CRED ret_creds; + uint32 neg_flags = 0x000001ff; + ZERO_STRUCT(ret_creds); @@ -161,7 +163,7 @@ int rpc_samdump(int argc, const char **argv) goto fail; } - result = cli_nt_setup_creds(cli, SEC_CHAN_BDC, trust_password); + result = cli_nt_setup_creds(cli, SEC_CHAN_BDC, trust_password, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { d_printf("Failed to setup BDC creds\n"); goto fail; |