summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/auth/auth_domain.c3
-rw-r--r--source3/libsmb/trust_passwd.c4
-rw-r--r--source3/nsswitch/winbindd_cm.c6
-rw-r--r--source3/rpc_client/cli_netlogon.c109
-rw-r--r--source3/rpcclient/cmd_netlogon.c15
-rw-r--r--source3/rpcclient/samsync.c3
-rw-r--r--source3/utils/net_rpc_join.c3
-rw-r--r--source3/utils/net_rpc_samsync.c4
8 files changed, 119 insertions, 28 deletions
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index d48cec5b29..f7a268de1f 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -131,6 +131,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
struct in_addr dest_ip;
fstring remote_machine;
NTSTATUS result;
+ uint32 neg_flags = 0x000001ff;
if (lp_security() == SEC_ADS) {
result = ads_resolve_dc(remote_machine, &dest_ip);
@@ -206,7 +207,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli)));
return NT_STATUS_NO_MEMORY;
}
- result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd);
+ result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd, &neg_flags, 2);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \
diff --git a/source3/libsmb/trust_passwd.c b/source3/libsmb/trust_passwd.c
index d500cb3ab7..4d7acd1988 100644
--- a/source3/libsmb/trust_passwd.c
+++ b/source3/libsmb/trust_passwd.c
@@ -35,7 +35,9 @@ static NTSTATUS just_change_the_password(struct cli_state *cli, TALLOC_CTX *mem_
unsigned char new_trust_passwd_hash[16])
{
NTSTATUS result;
- result = cli_nt_setup_creds(cli, get_sec_chan(), orig_trust_passwd_hash);
+ uint32 neg_flags = 0x000001ff;
+
+ result = cli_nt_setup_creds(cli, get_sec_chan(), orig_trust_passwd_hash, &neg_flags, 2);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(1,("just_change_the_password: unable to setup creds (%s)!\n",
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index 997d5b665f..9ac392a6ba 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -864,6 +864,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd,
{
NTSTATUS result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
struct winbindd_cm_conn *conn;
+ uint32 neg_flags = 0x000001ff;
if (!cli) {
return NT_STATUS_INVALID_PARAMETER;
@@ -875,7 +876,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd,
return result;
}
- result = cli_nt_setup_creds(conn->cli, get_sec_chan(), trust_passwd);
+ result = cli_nt_setup_creds(conn->cli, get_sec_chan(), trust_passwd, &neg_flags, 2);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0, ("error connecting to domain password server: %s\n",
@@ -888,8 +889,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd,
}
/* Try again */
- result = cli_nt_setup_creds(
- conn->cli, get_sec_chan(),trust_passwd);
+ result = cli_nt_setup_creds( conn->cli, get_sec_chan(),trust_passwd, &neg_flags, 2);
}
if (!NT_STATUS_IS_OK(result)) {
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 58ba32eb2e..eaee3c26e7 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -152,6 +152,83 @@ password ?).\n", cli->desthost ));
return result;
}
+/****************************************************************************
+LSA Authenticate 3
+
+Send the client credential, receive back a server credential.
+Ensure that the server credential returned matches the session key
+encrypt of the server challenge originally received. JRA.
+****************************************************************************/
+
+NTSTATUS cli_net_auth3(struct cli_state *cli,
+ uint16 sec_chan,
+ uint32 *neg_flags, DOM_CHAL *srv_chal)
+{
+ prs_struct qbuf, rbuf;
+ NET_Q_AUTH_3 q;
+ NET_R_AUTH_3 r;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ extern pstring global_myname;
+
+ prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL);
+ prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL);
+
+ /* create and send a MSRPC command with api NET_AUTH2 */
+
+ DEBUG(4,("cli_net_auth3: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n",
+ cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname,
+ credstr(cli->clnt_cred.challenge.data), *neg_flags));
+
+ /* store the parameters */
+ init_q_auth_3(&q, cli->srv_name_slash, cli->mach_acct,
+ sec_chan, global_myname, &cli->clnt_cred.challenge,
+ *neg_flags);
+
+ /* turn parameters into data stream */
+
+ if (!net_io_q_auth_3("", &q, &qbuf, 0) ||
+ !rpc_api_pipe_req(cli, NET_AUTH3, &qbuf, &rbuf)) {
+ goto done;
+ }
+
+ /* Unmarshall response */
+
+ if (!net_io_r_auth_3("", &r, &rbuf, 0)) {
+ goto done;
+ }
+
+ result = r.status;
+ *neg_flags = r.srv_flgs.neg_flags;
+
+ if (NT_STATUS_IS_OK(result)) {
+ UTIME zerotime;
+
+ /*
+ * Check the returned value using the initial
+ * server received challenge.
+ */
+
+ zerotime.time = 0;
+ if (cred_assert( &r.srv_chal, cli->sess_key, srv_chal,
+ zerotime) == 0) {
+
+ /*
+ * Server replied with bad credential. Fail.
+ */
+ DEBUG(0,("cli_net_auth3: server %s replied with bad credential (bad machine \
+password ?).\n", cli->desthost ));
+ result = NT_STATUS_ACCESS_DENIED;
+ goto done;
+ }
+ }
+
+ done:
+ prs_mem_free(&qbuf);
+ prs_mem_free(&rbuf);
+
+ return result;
+}
+
/* Return the secure channel type depending on the server role. */
uint16 get_sec_chan(void)
@@ -174,7 +251,7 @@ uint16 get_sec_chan(void)
NTSTATUS cli_nt_setup_creds(struct cli_state *cli,
uint16 sec_chan,
- const unsigned char mach_pwd[16])
+ const unsigned char mach_pwd[16], uint32 *neg_flags, int level)
{
DOM_CHAL clnt_chal;
DOM_CHAL srv_chal;
@@ -200,24 +277,30 @@ NTSTATUS cli_nt_setup_creds(struct cli_state *cli,
cli->sess_key);
memset((char *)cli->sess_key+8, '\0', 8);
- /******************* Authenticate 2 ********************/
+ /******************* Authenticate 2/3 ********************/
- /* calculate auth-2 credentials */
+ /* calculate auth-2/3 credentials */
zerotime.time = 0;
- cred_create(cli->sess_key, &clnt_chal, zerotime,
- &cli->clnt_cred.challenge);
+ cred_create(cli->sess_key, &clnt_chal, zerotime, &cli->clnt_cred.challenge);
/*
- * Send client auth-2 challenge.
- * Receive an auth-2 challenge response and check it.
+ * Send client auth-2/3 challenge.
+ * Receive an auth-2/3 challenge response and check it.
*/
-
- result = cli_net_auth2(cli, sec_chan, 0x000001ff, &srv_chal);
+ switch (level) {
+ case 2:
+ result = cli_net_auth2(cli, sec_chan, *neg_flags, &srv_chal);
+ break;
+ case 3:
+ result = cli_net_auth3(cli, sec_chan, neg_flags, &srv_chal);
+ break;
+ default:
+ DEBUG(1,("cli_nt_setup_creds: unsupported auth level: %d\n", level));
+ break;
+ }
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(1,("cli_nt_setup_creds: auth2 challenge failed %s\n",
- nt_errstr(result)));
- }
+ if (!NT_STATUS_IS_OK(result))
+ DEBUG(1,("cli_nt_setup_creds: auth%d challenge failed %s\n", level, nt_errstr(result)));
return result;
}
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index ffff1dab04..0f61eaaae8 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -151,6 +151,7 @@ static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli,
SAM_DELTA_HDR *hdr_deltas;
SAM_DELTA_CTR *deltas;
DOM_CRED ret_creds;
+ uint32 neg_flags = 0x000001ff;
if (argc > 2) {
fprintf(stderr, "Usage: %s [database_id]\n", argv[0]);
@@ -173,7 +174,7 @@ static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli,
goto done;
}
- result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd);
+ result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd, &neg_flags, 2);
if (!NT_STATUS_IS_OK(result)) {
fprintf(stderr, "Error initialising session creds\n");
@@ -211,6 +212,7 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct cli_state *cli,
SAM_DELTA_HDR *hdr_deltas;
SAM_DELTA_CTR *deltas;
UINT64_S seqnum;
+ uint32 neg_flags = 0x000001ff;
if (argc != 3) {
fprintf(stderr, "Usage: %s database_id seqnum\n", argv[0]);
@@ -236,7 +238,7 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct cli_state *cli,
goto done;
}
- result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd);
+ result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd, &neg_flags, 2);
if (!NT_STATUS_IS_OK(result)) {
fprintf(stderr, "Error initialising session creds\n");
@@ -270,6 +272,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct cli_state *cli,
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
int logon_type = NET_LOGON_TYPE;
char *username, *password;
+ uint32 neg_flags = 0x000001ff;
/* Check arguments */
@@ -292,13 +295,12 @@ static NTSTATUS cmd_netlogon_sam_logon(struct cli_state *cli,
return result;
}
- if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd,
- NULL)) {
+ if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, NULL)) {
fprintf(stderr, "could not fetch trust account password\n");
goto done;
}
- result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd);
+ result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd, &neg_flags, 2);
if (!NT_STATUS_IS_OK(result)) {
fprintf(stderr, "Error initialising session creds\n");
@@ -307,8 +309,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct cli_state *cli,
/* Perform the sam logon */
- result = cli_netlogon_sam_logon(cli, mem_ctx, username, password,
- logon_type);
+ result = cli_netlogon_sam_logon(cli, mem_ctx, username, password, logon_type);
if (!NT_STATUS_IS_OK(result))
goto done;
diff --git a/source3/rpcclient/samsync.c b/source3/rpcclient/samsync.c
index 710614469e..7124f9416a 100644
--- a/source3/rpcclient/samsync.c
+++ b/source3/rpcclient/samsync.c
@@ -362,6 +362,7 @@ static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16],
uint32 num_deltas_0, num_deltas_2;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
struct pdb_context *in;
+ uint32 neg_flags = 0x000001ff;
DOM_CRED ret_creds;
@@ -384,7 +385,7 @@ static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16],
/* Request a challenge */
- if (!NT_STATUS_IS_OK(cli_nt_setup_creds(cli, SEC_CHAN_BDC, trust_passwd))) {
+ if (!NT_STATUS_IS_OK(cli_nt_setup_creds(cli, SEC_CHAN_BDC, trust_passwd, &neg_flags, 2))) {
DEBUG(0, ("Error initialising session creds\n"));
goto done;
}
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
index c8be93c39c..b08095f1cc 100644
--- a/source3/utils/net_rpc_join.c
+++ b/source3/utils/net_rpc_join.c
@@ -49,6 +49,7 @@ int net_rpc_join_ok(const char *domain)
int retval = 1;
uint32 channel;
NTSTATUS result;
+ uint32 neg_flags = 0x000001ff;
/* Connect to remote machine */
if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) {
@@ -75,7 +76,7 @@ int net_rpc_join_ok(const char *domain)
CHECK_RPC_ERR(cli_nt_setup_creds(cli,
channel,
- stored_md4_trust_password),
+ stored_md4_trust_password, &neg_flags, 2),
"error in domain join verification");
retval = 0; /* Success! */
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index a41eae40d1..4ddb931adb 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -143,6 +143,8 @@ int rpc_samdump(int argc, const char **argv)
struct cli_state *cli = NULL;
uchar trust_password[16];
DOM_CRED ret_creds;
+ uint32 neg_flags = 0x000001ff;
+
ZERO_STRUCT(ret_creds);
@@ -161,7 +163,7 @@ int rpc_samdump(int argc, const char **argv)
goto fail;
}
- result = cli_nt_setup_creds(cli, SEC_CHAN_BDC, trust_password);
+ result = cli_nt_setup_creds(cli, SEC_CHAN_BDC, trust_password, &neg_flags, 2);
if (!NT_STATUS_IS_OK(result)) {
d_printf("Failed to setup BDC creds\n");
goto fail;