summaryrefslogtreecommitdiff
path: root/source3/rpc_client/cli_netlogon.c
diff options
context:
space:
mode:
Diffstat (limited to 'source3/rpc_client/cli_netlogon.c')
-rw-r--r--source3/rpc_client/cli_netlogon.c109
1 files changed, 96 insertions, 13 deletions
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 58ba32eb2e..eaee3c26e7 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -152,6 +152,83 @@ password ?).\n", cli->desthost ));
return result;
}
+/****************************************************************************
+LSA Authenticate 3
+
+Send the client credential, receive back a server credential.
+Ensure that the server credential returned matches the session key
+encrypt of the server challenge originally received. JRA.
+****************************************************************************/
+
+NTSTATUS cli_net_auth3(struct cli_state *cli,
+ uint16 sec_chan,
+ uint32 *neg_flags, DOM_CHAL *srv_chal)
+{
+ prs_struct qbuf, rbuf;
+ NET_Q_AUTH_3 q;
+ NET_R_AUTH_3 r;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ extern pstring global_myname;
+
+ prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL);
+ prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL);
+
+ /* create and send a MSRPC command with api NET_AUTH2 */
+
+ DEBUG(4,("cli_net_auth3: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n",
+ cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname,
+ credstr(cli->clnt_cred.challenge.data), *neg_flags));
+
+ /* store the parameters */
+ init_q_auth_3(&q, cli->srv_name_slash, cli->mach_acct,
+ sec_chan, global_myname, &cli->clnt_cred.challenge,
+ *neg_flags);
+
+ /* turn parameters into data stream */
+
+ if (!net_io_q_auth_3("", &q, &qbuf, 0) ||
+ !rpc_api_pipe_req(cli, NET_AUTH3, &qbuf, &rbuf)) {
+ goto done;
+ }
+
+ /* Unmarshall response */
+
+ if (!net_io_r_auth_3("", &r, &rbuf, 0)) {
+ goto done;
+ }
+
+ result = r.status;
+ *neg_flags = r.srv_flgs.neg_flags;
+
+ if (NT_STATUS_IS_OK(result)) {
+ UTIME zerotime;
+
+ /*
+ * Check the returned value using the initial
+ * server received challenge.
+ */
+
+ zerotime.time = 0;
+ if (cred_assert( &r.srv_chal, cli->sess_key, srv_chal,
+ zerotime) == 0) {
+
+ /*
+ * Server replied with bad credential. Fail.
+ */
+ DEBUG(0,("cli_net_auth3: server %s replied with bad credential (bad machine \
+password ?).\n", cli->desthost ));
+ result = NT_STATUS_ACCESS_DENIED;
+ goto done;
+ }
+ }
+
+ done:
+ prs_mem_free(&qbuf);
+ prs_mem_free(&rbuf);
+
+ return result;
+}
+
/* Return the secure channel type depending on the server role. */
uint16 get_sec_chan(void)
@@ -174,7 +251,7 @@ uint16 get_sec_chan(void)
NTSTATUS cli_nt_setup_creds(struct cli_state *cli,
uint16 sec_chan,
- const unsigned char mach_pwd[16])
+ const unsigned char mach_pwd[16], uint32 *neg_flags, int level)
{
DOM_CHAL clnt_chal;
DOM_CHAL srv_chal;
@@ -200,24 +277,30 @@ NTSTATUS cli_nt_setup_creds(struct cli_state *cli,
cli->sess_key);
memset((char *)cli->sess_key+8, '\0', 8);
- /******************* Authenticate 2 ********************/
+ /******************* Authenticate 2/3 ********************/
- /* calculate auth-2 credentials */
+ /* calculate auth-2/3 credentials */
zerotime.time = 0;
- cred_create(cli->sess_key, &clnt_chal, zerotime,
- &cli->clnt_cred.challenge);
+ cred_create(cli->sess_key, &clnt_chal, zerotime, &cli->clnt_cred.challenge);
/*
- * Send client auth-2 challenge.
- * Receive an auth-2 challenge response and check it.
+ * Send client auth-2/3 challenge.
+ * Receive an auth-2/3 challenge response and check it.
*/
-
- result = cli_net_auth2(cli, sec_chan, 0x000001ff, &srv_chal);
+ switch (level) {
+ case 2:
+ result = cli_net_auth2(cli, sec_chan, *neg_flags, &srv_chal);
+ break;
+ case 3:
+ result = cli_net_auth3(cli, sec_chan, neg_flags, &srv_chal);
+ break;
+ default:
+ DEBUG(1,("cli_nt_setup_creds: unsupported auth level: %d\n", level));
+ break;
+ }
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(1,("cli_nt_setup_creds: auth2 challenge failed %s\n",
- nt_errstr(result)));
- }
+ if (!NT_STATUS_IS_OK(result))
+ DEBUG(1,("cli_nt_setup_creds: auth%d challenge failed %s\n", level, nt_errstr(result)));
return result;
}