diff options
Diffstat (limited to 'source3/rpc_client/cli_login.c')
-rw-r--r-- | source3/rpc_client/cli_login.c | 227 |
1 files changed, 142 insertions, 85 deletions
diff --git a/source3/rpc_client/cli_login.c b/source3/rpc_client/cli_login.c index 45345cf4ac..6bb9fed063 100644 --- a/source3/rpc_client/cli_login.c +++ b/source3/rpc_client/cli_login.c @@ -29,76 +29,80 @@ extern int DEBUGLEVEL; Initialize domain session credentials. ****************************************************************************/ -uint32 cli_nt_setup_creds(struct cli_state *cli, uint16 fnum, +uint32 cli_nt_setup_creds( const char* srv_name, const char* myhostname, const char* trust_acct, - const char* srv_name, unsigned char trust_pwd[16], uint16 sec_chan) { - DOM_CHAL clnt_chal; - DOM_CHAL srv_chal; + DOM_CHAL clnt_chal; + DOM_CHAL srv_chal; uint32 ret; - UTIME zerotime; + UTIME zerotime; + uint8 sess_key[16]; + DOM_CRED clnt_cred; - /******************* Request Challenge ********************/ + /******************* Request Challenge ********************/ - generate_random_buffer( clnt_chal.data, 8, False); - - /* send a client challenge; receive a server challenge */ - ret = cli_net_req_chal(cli, fnum, srv_name, &clnt_chal, &srv_chal); - if (ret != 0) - { - DEBUG(1,("cli_nt_setup_creds: request challenge failed\n")); - return ret; - } + generate_random_buffer( clnt_chal.data, 8, False); - /**************** Long-term Session key **************/ + /* send a client challenge; receive a server challenge */ + ret = cli_net_req_chal(srv_name, myhostname, &clnt_chal, &srv_chal); + if (ret != 0) + { + DEBUG(1,("cli_nt_setup_creds: request challenge failed\n")); + return ret; + } - /* calculate the session key */ - cred_session_key(&clnt_chal, &srv_chal, (char *)trust_pwd, cli->sess_key); - bzero(cli->sess_key+8, 8); + /**************** Long-term Session key **************/ - /******************* Authenticate 2 ********************/ + /* calculate the session key */ + cred_session_key(&clnt_chal, &srv_chal, (char *)trust_pwd, sess_key); + bzero(sess_key+8, 8); - /* calculate auth-2 credentials */ - zerotime.time = 0; - cred_create(cli->sess_key, &clnt_chal, zerotime, &(cli->clnt_cred.challenge)); + /******************* Authenticate 2 ********************/ - /* - * Send client auth-2 challenge. - * Receive an auth-2 challenge response and check it. - */ + /* calculate auth-2 credentials */ + zerotime.time = 0; + cred_create(sess_key, &clnt_chal, zerotime, &clnt_cred.challenge); - ret = cli_net_auth2(cli, fnum, trust_acct, srv_name, - sec_chan, 0x000001ff, &srv_chal); - if (ret != 0x0) - { - DEBUG(1,("cli_nt_setup_creds: auth2 challenge failed. status: %x\n", ret)); - } + if (!cli_con_set_creds(srv_name, sess_key, &clnt_cred)) + { + return NT_STATUS_ACCESS_DENIED | 0xC0000000; + } - return ret; + /* + * Send client auth-2 challenge. + * Receive an auth-2 challenge response and check it. + */ + + ret = cli_net_auth2(srv_name, trust_acct, + sec_chan, 0x000001ff, &srv_chal); + if (ret != 0x0) + { + DEBUG(1,("cli_nt_setup_creds: auth2 challenge failed. status: %x\n", ret)); + } + + return ret; } /**************************************************************************** Set machine password. ****************************************************************************/ -BOOL cli_nt_srv_pwset(struct cli_state *cli, uint16 fnum, - unsigned char *new_hashof_trust_pwd, uint16 sec_chan) +BOOL cli_nt_srv_pwset(const char* srv_name, const char* myhostname, + const char* trust_acct, + unsigned char *new_hashof_trust_pwd, + uint16 sec_chan) { - unsigned char processed_new_pwd[16]; - DEBUG(5,("cli_nt_srv_pwset: %d\n", __LINE__)); #ifdef DEBUG_PASSWORD dump_data(6, new_hashof_trust_pwd, 16); #endif - /* Process the new password. */ - cred_hash3( processed_new_pwd, new_hashof_trust_pwd, cli->sess_key, 1); - /* send client srv_pwset challenge */ - return cli_net_srv_pwset(cli, fnum, processed_new_pwd, sec_chan); + return cli_net_srv_pwset(srv_name, myhostname, trust_acct, + new_hashof_trust_pwd, sec_chan); } /**************************************************************************** @@ -107,51 +111,59 @@ NT login - interactive. password equivalents, protected by the session key) is inherently insecure given the current design of the NT Domain system. JRA. ****************************************************************************/ -BOOL cli_nt_login_interactive(struct cli_state *cli, uint16 fnum, char *domain, char *username, - uint32 luid_low, char *password, - NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3) +BOOL cli_nt_login_interactive(const char* srv_name, const char* myhostname, + const char *domain, const char *username, + uint32 luid_low, char *password, + NET_ID_INFO_CTR *ctr, + NET_USER_INFO_3 *user_info3) { - uchar lm_owf_user_pwd[16]; - uchar nt_owf_user_pwd[16]; - BOOL ret; + uchar lm_owf_user_pwd[16]; + uchar nt_owf_user_pwd[16]; + BOOL ret; + uint8 sess_key[16]; - DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__)); + DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__)); - nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd); + nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd); #ifdef DEBUG_PASSWORD - DEBUG(100,("nt owf of user password: ")); - dump_data(100, lm_owf_user_pwd, 16); + DEBUG(100,("nt owf of user password: ")); + dump_data(100, lm_owf_user_pwd, 16); - DEBUG(100,("nt owf of user password: ")); - dump_data(100, nt_owf_user_pwd, 16); + DEBUG(100,("nt owf of user password: ")); + dump_data(100, nt_owf_user_pwd, 16); #endif - DEBUG(5,("cli_nt_login_interactive: %d\n", __LINE__)); + if (!cli_get_sesskey_srv(srv_name, sess_key)) + { + DEBUG(1,("could not obtain session key for %s\n", srv_name)); + return False; + } - /* indicate an "interactive" login */ - ctr->switch_value = INTERACTIVE_LOGON_TYPE; + /* indicate an "interactive" login */ + ctr->switch_value = INTERACTIVE_LOGON_TYPE; - /* Create the structure needed for SAM logon. */ - make_id_info1(&ctr->auth.id1, domain, 0, - luid_low, 0, - username, cli->clnt_name_slash, - (char *)cli->sess_key, lm_owf_user_pwd, nt_owf_user_pwd); + /* Create the structure needed for SAM logon. */ + make_id_info1(&ctr->auth.id1, domain, 0, + luid_low, 0, + username, myhostname, + (char *)sess_key, + lm_owf_user_pwd, nt_owf_user_pwd); - /* Ensure we overwrite all the plaintext password - equivalents. */ - memset(lm_owf_user_pwd, '\0', sizeof(lm_owf_user_pwd)); - memset(nt_owf_user_pwd, '\0', sizeof(nt_owf_user_pwd)); + /* Ensure we overwrite all the plaintext password + equivalents. */ + memset(lm_owf_user_pwd, '\0', sizeof(lm_owf_user_pwd)); + memset(nt_owf_user_pwd, '\0', sizeof(nt_owf_user_pwd)); - /* Send client sam-logon request - update credentials on success. */ - ret = cli_net_sam_logon(cli, fnum, ctr, user_info3); + /* Send client sam-logon request - update credentials on success. */ + ret = cli_net_sam_logon(srv_name, myhostname, ctr, user_info3); - memset(ctr->auth.id1.lm_owf.data, '\0', sizeof(lm_owf_user_pwd)); - memset(ctr->auth.id1.nt_owf.data, '\0', sizeof(nt_owf_user_pwd)); + memset(ctr->auth.id1.lm_owf.data, '\0', sizeof(lm_owf_user_pwd)); + memset(ctr->auth.id1.nt_owf.data, '\0', sizeof(nt_owf_user_pwd)); - return ret; + return ret; } /**************************************************************************** @@ -160,38 +172,44 @@ NT login - network. password equivalents over the network. JRA. ****************************************************************************/ -BOOL cli_nt_login_network(struct cli_state *cli, uint16 fnum, char *domain, char *username, - uint32 luid_low, char lm_chal[8], char lm_chal_resp[24], - char nt_chal_resp[24], - NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3) +BOOL cli_nt_login_network(const char* srv_name, const char* myhostname, + const char *domain, const char *username, + uint32 luid_low, char lm_chal[8], + char lm_chal_resp[24], + char nt_chal_resp[24], + NET_ID_INFO_CTR *ctr, + NET_USER_INFO_3 *user_info3) { - uchar key[16]; + uint8 sess_key[16]; BOOL ret; DEBUG(5,("cli_nt_login_network: %d\n", __LINE__)); + if (!cli_get_sesskey_srv(srv_name, sess_key)) + { + DEBUG(1,("could not obtain session key for %s\n", srv_name)); + return False; + } + /* indicate a "network" login */ ctr->switch_value = NET_LOGON_TYPE; /* Create the structure needed for SAM logon. */ make_id_info2(&ctr->auth.id2, domain, 0, luid_low, 0, - username, cli->clnt_name_slash, + username, myhostname, (uchar *)lm_chal, (uchar *)lm_chal_resp, (uchar *)nt_chal_resp); /* Send client sam-logon request - update credentials on success. */ - ret = cli_net_sam_logon(cli, fnum, ctr, user_info3); + ret = cli_net_sam_logon(srv_name, myhostname, ctr, user_info3); #ifdef DEBUG_PASSWORD DEBUG(100,("cli sess key:")); - dump_data(100, cli->sess_key, 8); + dump_data(100, sess_key, 8); DEBUG(100,("enc user sess key:")); dump_data(100, user_info3->user_sess_key, 16); #endif - memset(key, 0, 16); - memcpy(key, (char*)cli->sess_key, 8); - - SamOEMhash(user_info3->user_sess_key, key, False); + SamOEMhash(user_info3->user_sess_key, sess_key, False); #ifdef DEBUG_PASSWORD DEBUG(100,("dec user sess key:")); @@ -203,10 +221,49 @@ BOOL cli_nt_login_network(struct cli_state *cli, uint16 fnum, char *domain, char /**************************************************************************** NT Logoff. ****************************************************************************/ -BOOL cli_nt_logoff(struct cli_state *cli, uint16 fnum, NET_ID_INFO_CTR *ctr) +BOOL cli_nt_logoff(const char* srv_name, const char* myhostname, + NET_ID_INFO_CTR *ctr) { DEBUG(5,("cli_nt_logoff: %d\n", __LINE__)); /* Send client sam-logoff request - update credentials on success. */ - return cli_net_sam_logoff(cli, fnum, ctr); + return cli_net_sam_logoff(srv_name, myhostname, ctr); +} + +/**************************************************************************** +NT SAM database sync +****************************************************************************/ +BOOL net_sam_sync(const char* srv_name, const char* myhostname, + const char* trust_acct, + uchar trust_passwd[16], + SAM_DELTA_HDR hdr_deltas[MAX_SAM_DELTAS], + SAM_DELTA_CTR deltas [MAX_SAM_DELTAS], + uint32 *num_deltas) +{ + BOOL res = True; + + *num_deltas = 0; + + DEBUG(5,("Attempting SAM sync with PDC: %s\n", + srv_name)); + + res = res ? cli_nt_setup_creds( srv_name, myhostname, + trust_acct, + trust_passwd, SEC_CHAN_BDC) == 0x0 : False; + + memset(trust_passwd, 0, 16); + + res = res ? cli_net_sam_sync(srv_name, myhostname, + 0, num_deltas, hdr_deltas, deltas) : False; + + if (!res) + { + DEBUG(5, ("SAM synchronisation FAILED\n")); + return False; + } + + DEBUG(5, ("SAM synchronisation returned %d entries\n", *num_deltas)); + + return True; } + |