diff options
Diffstat (limited to 'source3')
-rw-r--r-- | source3/libsmb/credentials.c | 45 | ||||
-rw-r--r-- | source3/rpc_server/srv_netlog.c | 48 | ||||
-rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 120 |
3 files changed, 87 insertions, 126 deletions
diff --git a/source3/libsmb/credentials.c b/source3/libsmb/credentials.c index f03bf22df1..0043f4e6a9 100644 --- a/source3/libsmb/credentials.c +++ b/source3/libsmb/credentials.c @@ -225,6 +225,21 @@ bool creds_server_check(const struct dcinfo *dc, const DOM_CHAL *rcv_cli_chal_in return True; } +bool netlogon_creds_server_check(const struct dcinfo *dc, + const struct netr_Credential *rcv_cli_chal_in) +{ + if (memcmp(dc->clnt_chal.data, rcv_cli_chal_in->data, 8)) { + DEBUG(5,("netlogon_creds_server_check: challenge : %s\n", + credstr(rcv_cli_chal_in->data))); + DEBUG(5,("calculated: %s\n", credstr(dc->clnt_chal.data))); + DEBUG(2,("netlogon_creds_server_check: credentials check failed.\n")); + return false; + } + + DEBUG(10,("netlogon_creds_server_check: credentials check OK.\n")); + + return true; +} /**************************************************************************** Replace current seed chal. Internal function - due to split server step below. ****************************************************************************/ @@ -273,6 +288,36 @@ bool creds_server_step(struct dcinfo *dc, const DOM_CRED *received_cred, DOM_CRE return True; } +bool netlogon_creds_server_step(struct dcinfo *dc, + const struct netr_Authenticator *received_cred, + struct netr_Authenticator *cred_out) +{ + bool ret; + struct dcinfo tmp_dc = *dc; + + /* Do all operations on a temporary copy of the dc, + which we throw away if the checks fail. */ + + tmp_dc.sequence = received_cred->timestamp; + + creds_step(&tmp_dc); + + /* Create the outgoing credentials */ + cred_out->timestamp = tmp_dc.sequence + 1; + memcpy(&cred_out->cred, &tmp_dc.srv_chal, sizeof(cred_out->cred)); + + creds_reseed(&tmp_dc); + + ret = netlogon_creds_server_check(&tmp_dc, &received_cred->cred); + if (!ret) { + return false; + } + + /* creds step succeeded - replace the current creds. */ + *dc = tmp_dc; + return true; +} + /**************************************************************************** Create a client credential struct. ****************************************************************************/ diff --git a/source3/rpc_server/srv_netlog.c b/source3/rpc_server/srv_netlog.c index 791752c5d0..7f67fe51f0 100644 --- a/source3/rpc_server/srv_netlog.c +++ b/source3/rpc_server/srv_netlog.c @@ -64,29 +64,7 @@ static bool api_net_req_chal(pipes_struct *p) static bool api_net_auth(pipes_struct *p) { - NET_Q_AUTH q_u; - NET_R_AUTH r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the challenge... */ - if(!net_io_q_auth("", &q_u, data, 0)) { - DEBUG(0,("api_net_auth: Failed to unmarshall NET_Q_AUTH.\n")); - return False; - } - - r_u.status = _net_auth(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!net_io_r_auth("", &r_u, rdata, 0)) { - DEBUG(0,("api_net_auth: Failed to marshall NET_R_AUTH.\n")); - return False; - } - - return True; + return proxy_netr_call(p, NDR_NETR_SERVERAUTHENTICATE); } /************************************************************************* @@ -126,29 +104,7 @@ static bool api_net_auth_2(pipes_struct *p) static bool api_net_srv_pwset(pipes_struct *p) { - NET_Q_SRV_PWSET q_u; - NET_R_SRV_PWSET r_u; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - - ZERO_STRUCT(q_u); - ZERO_STRUCT(r_u); - - /* grab the challenge and encrypted password ... */ - if(!net_io_q_srv_pwset("", &q_u, data, 0)) { - DEBUG(0,("api_net_srv_pwset: Failed to unmarshall NET_Q_SRV_PWSET.\n")); - return False; - } - - r_u.status = _net_srv_pwset(p, &q_u, &r_u); - - /* store the response in the SMB stream */ - if(!net_io_r_srv_pwset("", &r_u, rdata, 0)) { - DEBUG(0,("api_net_srv_pwset: Failed to marshall NET_R_SRV_PWSET.\n")); - return False; - } - - return True; + return proxy_netr_call(p, NDR_NETR_SERVERPASSWORDSET); } /************************************************************************* diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 3cfab7843d..2b4921921f 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -255,26 +255,11 @@ WERROR _netr_NetrEnumerateTrustedDomains(pipes_struct *p, return WERR_OK; } -/*********************************************************************************** - init_net_r_srv_pwset: - ***********************************************************************************/ - -static void init_net_r_srv_pwset(NET_R_SRV_PWSET *r_s, - DOM_CRED *srv_cred, NTSTATUS status) -{ - DEBUG(5,("init_net_r_srv_pwset: %d\n", __LINE__)); - - memcpy(&r_s->srv_cred, srv_cred, sizeof(r_s->srv_cred)); - r_s->status = status; - - DEBUG(5,("init_net_r_srv_pwset: %d\n", __LINE__)); -} - /****************************************************************** gets a machine password entry. checks access rights of the host. ******************************************************************/ -static NTSTATUS get_md4pw(char *md4pw, char *mach_acct, uint16 sec_chan_type) +static NTSTATUS get_md4pw(char *md4pw, const char *mach_acct, uint16 sec_chan_type) { struct samu *sampass = NULL; const uint8 *pass; @@ -413,41 +398,30 @@ NTSTATUS _netr_ServerReqChallenge(pipes_struct *p, } /************************************************************************* - init_net_r_auth: + _netr_ServerAuthenticate + Create the initial credentials. *************************************************************************/ -static void init_net_r_auth(NET_R_AUTH *r_a, DOM_CHAL *resp_cred, NTSTATUS status) -{ - memcpy(r_a->srv_chal.data, resp_cred->data, sizeof(resp_cred->data)); - r_a->status = status; -} - -/************************************************************************* - _net_auth. Create the initial credentials. - *************************************************************************/ - -NTSTATUS _net_auth(pipes_struct *p, NET_Q_AUTH *q_u, NET_R_AUTH *r_u) +NTSTATUS _netr_ServerAuthenticate(pipes_struct *p, + struct netr_ServerAuthenticate *r) { NTSTATUS status; - fstring mach_acct; - fstring remote_machine; DOM_CHAL srv_chal_out; if (!p->dc || !p->dc->challenge_sent) { return NT_STATUS_ACCESS_DENIED; } - rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring), - q_u->clnt_id.uni_acct_name.uni_str_len*2,0); - rpcstr_pull(remote_machine, q_u->clnt_id.uni_comp_name.buffer,sizeof(fstring), - q_u->clnt_id.uni_comp_name.uni_str_len*2,0); - - status = get_md4pw((char *)p->dc->mach_pw, mach_acct, q_u->clnt_id.sec_chan); + status = get_md4pw((char *)p->dc->mach_pw, + r->in.account_name, + r->in.secure_channel_type); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("_net_auth: creds_server_check failed. Failed to " + DEBUG(0,("_netr_ServerAuthenticate: get_md4pw failed. Failed to " "get password for machine account %s " "from client %s: %s\n", - mach_acct, remote_machine, nt_errstr(status) )); + r->in.account_name, + r->in.computer_name, + nt_errstr(status) )); /* always return NT_STATUS_ACCESS_DENIED */ return NT_STATUS_ACCESS_DENIED; } @@ -461,22 +435,25 @@ NTSTATUS _net_auth(pipes_struct *p, NET_Q_AUTH *q_u, NET_R_AUTH *r_u) &srv_chal_out); /* Check client credentials are valid. */ - if (!creds_server_check(p->dc, &q_u->clnt_chal)) { - DEBUG(0,("_net_auth: creds_server_check failed. Rejecting auth " + if (!netlogon_creds_server_check(p->dc, r->in.credentials)) { + DEBUG(0,("_netr_ServerAuthenticate: netlogon_creds_server_check failed. Rejecting auth " "request from client %s machine account %s\n", - remote_machine, mach_acct )); + r->in.computer_name, + r->in.account_name)); return NT_STATUS_ACCESS_DENIED; } - fstrcpy(p->dc->mach_acct, mach_acct); - fstrcpy(p->dc->remote_machine, remote_machine); + fstrcpy(p->dc->mach_acct, r->in.account_name); + fstrcpy(p->dc->remote_machine, r->in.computer_name); p->dc->authenticated = True; /* set up the LSA AUTH response */ /* Return the server credentials. */ - init_net_r_auth(r_u, &srv_chal_out, NT_STATUS_OK); - return r_u->status; + memcpy(r->out.credentials->data, &srv_chal_out.data, + sizeof(r->out.credentials->data)); + + return NT_STATUS_OK; } /************************************************************************* @@ -577,31 +554,32 @@ NTSTATUS _net_auth_2(pipes_struct *p, NET_Q_AUTH_2 *q_u, NET_R_AUTH_2 *r_u) } /************************************************************************* - _net_srv_pwset + _netr_ServerPasswordSet *************************************************************************/ -NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *r_u) +NTSTATUS _netr_ServerPasswordSet(pipes_struct *p, + struct netr_ServerPasswordSet *r) { + NTSTATUS status = NT_STATUS_OK; fstring remote_machine; struct samu *sampass=NULL; bool ret = False; unsigned char pwd[16]; int i; uint32 acct_ctrl; - DOM_CRED cred_out; + struct netr_Authenticator cred_out; const uchar *old_pw; - DEBUG(5,("_net_srv_pwset: %d\n", __LINE__)); + DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__)); /* We need the remote machine name for the creds lookup. */ - rpcstr_pull(remote_machine,q_u->clnt_id.login.uni_comp_name.buffer, - sizeof(remote_machine),q_u->clnt_id.login.uni_comp_name.uni_str_len*2,0); + fstrcpy(remote_machine, r->in.computer_name); if ( (lp_server_schannel() == True) && (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) ) { /* 'server schannel = yes' should enforce use of schannel, the client did offer it in auth2, but obviously did not use it. */ - DEBUG(0,("_net_srv_pwset: client %s not using schannel for netlogon\n", + DEBUG(0,("_netr_ServerPasswordSet: client %s not using schannel for netlogon\n", remote_machine )); return NT_STATUS_ACCESS_DENIED; } @@ -622,12 +600,12 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET * return NT_STATUS_INVALID_HANDLE; } - DEBUG(3,("_net_srv_pwset: Server Password Set by remote machine:[%s] on account [%s]\n", + DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n", remote_machine, p->dc->mach_acct)); /* Step the creds chain forward. */ - if (!creds_server_step(p->dc, &q_u->clnt_id.cred, &cred_out)) { - DEBUG(2,("_net_srv_pwset: creds_server_step failed. Rejecting auth " + if (!netlogon_creds_server_step(p->dc, r->in.credential, &cred_out)) { + DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth " "request from client %s machine account %s\n", remote_machine, p->dc->mach_acct )); return NT_STATUS_INVALID_PARAMETER; @@ -668,9 +646,9 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET * } /* Woah - what does this to to the credential chain ? JRA */ - cred_hash3( pwd, q_u->pwd, p->dc->sess_key, 0); + cred_hash3(pwd, r->in.new_password->hash, p->dc->sess_key, 0); - DEBUG(100,("Server password set : new given value was :\n")); + DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n")); for(i = 0; i < sizeof(pwd); i++) DEBUG(100,("%02X ", pwd[i])); DEBUG(100,("\n")); @@ -702,15 +680,17 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET * } become_root(); - r_u->status = pdb_update_sam_account(sampass); + status = pdb_update_sam_account(sampass); unbecome_root(); } /* set up the LSA Server Password Set response */ - init_net_r_srv_pwset(r_u, &cred_out, r_u->status); + + memcpy(r->out.return_authenticator, &cred_out, + sizeof(r->out.return_authenticator)); TALLOC_FREE(sampass); - return r_u->status; + return status; } /************************************************************************* @@ -1273,26 +1253,6 @@ NTSTATUS _netr_LogonSamLogoff(pipes_struct *p, /**************************************************************** ****************************************************************/ -NTSTATUS _netr_ServerAuthenticate(pipes_struct *p, - struct netr_ServerAuthenticate *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - -NTSTATUS _netr_ServerPasswordSet(pipes_struct *p, - struct netr_ServerPasswordSet *r) -{ - p->rng_fault_state = true; - return NT_STATUS_NOT_IMPLEMENTED; -} - -/**************************************************************** -****************************************************************/ - NTSTATUS _netr_DatabaseDeltas(pipes_struct *p, struct netr_DatabaseDeltas *r) { |