summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/libsmb/credentials.c45
-rw-r--r--source3/rpc_server/srv_netlog.c48
-rw-r--r--source3/rpc_server/srv_netlog_nt.c120
3 files changed, 87 insertions, 126 deletions
diff --git a/source3/libsmb/credentials.c b/source3/libsmb/credentials.c
index f03bf22df1..0043f4e6a9 100644
--- a/source3/libsmb/credentials.c
+++ b/source3/libsmb/credentials.c
@@ -225,6 +225,21 @@ bool creds_server_check(const struct dcinfo *dc, const DOM_CHAL *rcv_cli_chal_in
return True;
}
+bool netlogon_creds_server_check(const struct dcinfo *dc,
+ const struct netr_Credential *rcv_cli_chal_in)
+{
+ if (memcmp(dc->clnt_chal.data, rcv_cli_chal_in->data, 8)) {
+ DEBUG(5,("netlogon_creds_server_check: challenge : %s\n",
+ credstr(rcv_cli_chal_in->data)));
+ DEBUG(5,("calculated: %s\n", credstr(dc->clnt_chal.data)));
+ DEBUG(2,("netlogon_creds_server_check: credentials check failed.\n"));
+ return false;
+ }
+
+ DEBUG(10,("netlogon_creds_server_check: credentials check OK.\n"));
+
+ return true;
+}
/****************************************************************************
Replace current seed chal. Internal function - due to split server step below.
****************************************************************************/
@@ -273,6 +288,36 @@ bool creds_server_step(struct dcinfo *dc, const DOM_CRED *received_cred, DOM_CRE
return True;
}
+bool netlogon_creds_server_step(struct dcinfo *dc,
+ const struct netr_Authenticator *received_cred,
+ struct netr_Authenticator *cred_out)
+{
+ bool ret;
+ struct dcinfo tmp_dc = *dc;
+
+ /* Do all operations on a temporary copy of the dc,
+ which we throw away if the checks fail. */
+
+ tmp_dc.sequence = received_cred->timestamp;
+
+ creds_step(&tmp_dc);
+
+ /* Create the outgoing credentials */
+ cred_out->timestamp = tmp_dc.sequence + 1;
+ memcpy(&cred_out->cred, &tmp_dc.srv_chal, sizeof(cred_out->cred));
+
+ creds_reseed(&tmp_dc);
+
+ ret = netlogon_creds_server_check(&tmp_dc, &received_cred->cred);
+ if (!ret) {
+ return false;
+ }
+
+ /* creds step succeeded - replace the current creds. */
+ *dc = tmp_dc;
+ return true;
+}
+
/****************************************************************************
Create a client credential struct.
****************************************************************************/
diff --git a/source3/rpc_server/srv_netlog.c b/source3/rpc_server/srv_netlog.c
index 791752c5d0..7f67fe51f0 100644
--- a/source3/rpc_server/srv_netlog.c
+++ b/source3/rpc_server/srv_netlog.c
@@ -64,29 +64,7 @@ static bool api_net_req_chal(pipes_struct *p)
static bool api_net_auth(pipes_struct *p)
{
- NET_Q_AUTH q_u;
- NET_R_AUTH r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- /* grab the challenge... */
- if(!net_io_q_auth("", &q_u, data, 0)) {
- DEBUG(0,("api_net_auth: Failed to unmarshall NET_Q_AUTH.\n"));
- return False;
- }
-
- r_u.status = _net_auth(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!net_io_r_auth("", &r_u, rdata, 0)) {
- DEBUG(0,("api_net_auth: Failed to marshall NET_R_AUTH.\n"));
- return False;
- }
-
- return True;
+ return proxy_netr_call(p, NDR_NETR_SERVERAUTHENTICATE);
}
/*************************************************************************
@@ -126,29 +104,7 @@ static bool api_net_auth_2(pipes_struct *p)
static bool api_net_srv_pwset(pipes_struct *p)
{
- NET_Q_SRV_PWSET q_u;
- NET_R_SRV_PWSET r_u;
- prs_struct *data = &p->in_data.data;
- prs_struct *rdata = &p->out_data.rdata;
-
- ZERO_STRUCT(q_u);
- ZERO_STRUCT(r_u);
-
- /* grab the challenge and encrypted password ... */
- if(!net_io_q_srv_pwset("", &q_u, data, 0)) {
- DEBUG(0,("api_net_srv_pwset: Failed to unmarshall NET_Q_SRV_PWSET.\n"));
- return False;
- }
-
- r_u.status = _net_srv_pwset(p, &q_u, &r_u);
-
- /* store the response in the SMB stream */
- if(!net_io_r_srv_pwset("", &r_u, rdata, 0)) {
- DEBUG(0,("api_net_srv_pwset: Failed to marshall NET_R_SRV_PWSET.\n"));
- return False;
- }
-
- return True;
+ return proxy_netr_call(p, NDR_NETR_SERVERPASSWORDSET);
}
/*************************************************************************
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index 3cfab7843d..2b4921921f 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -255,26 +255,11 @@ WERROR _netr_NetrEnumerateTrustedDomains(pipes_struct *p,
return WERR_OK;
}
-/***********************************************************************************
- init_net_r_srv_pwset:
- ***********************************************************************************/
-
-static void init_net_r_srv_pwset(NET_R_SRV_PWSET *r_s,
- DOM_CRED *srv_cred, NTSTATUS status)
-{
- DEBUG(5,("init_net_r_srv_pwset: %d\n", __LINE__));
-
- memcpy(&r_s->srv_cred, srv_cred, sizeof(r_s->srv_cred));
- r_s->status = status;
-
- DEBUG(5,("init_net_r_srv_pwset: %d\n", __LINE__));
-}
-
/******************************************************************
gets a machine password entry. checks access rights of the host.
******************************************************************/
-static NTSTATUS get_md4pw(char *md4pw, char *mach_acct, uint16 sec_chan_type)
+static NTSTATUS get_md4pw(char *md4pw, const char *mach_acct, uint16 sec_chan_type)
{
struct samu *sampass = NULL;
const uint8 *pass;
@@ -413,41 +398,30 @@ NTSTATUS _netr_ServerReqChallenge(pipes_struct *p,
}
/*************************************************************************
- init_net_r_auth:
+ _netr_ServerAuthenticate
+ Create the initial credentials.
*************************************************************************/
-static void init_net_r_auth(NET_R_AUTH *r_a, DOM_CHAL *resp_cred, NTSTATUS status)
-{
- memcpy(r_a->srv_chal.data, resp_cred->data, sizeof(resp_cred->data));
- r_a->status = status;
-}
-
-/*************************************************************************
- _net_auth. Create the initial credentials.
- *************************************************************************/
-
-NTSTATUS _net_auth(pipes_struct *p, NET_Q_AUTH *q_u, NET_R_AUTH *r_u)
+NTSTATUS _netr_ServerAuthenticate(pipes_struct *p,
+ struct netr_ServerAuthenticate *r)
{
NTSTATUS status;
- fstring mach_acct;
- fstring remote_machine;
DOM_CHAL srv_chal_out;
if (!p->dc || !p->dc->challenge_sent) {
return NT_STATUS_ACCESS_DENIED;
}
- rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring),
- q_u->clnt_id.uni_acct_name.uni_str_len*2,0);
- rpcstr_pull(remote_machine, q_u->clnt_id.uni_comp_name.buffer,sizeof(fstring),
- q_u->clnt_id.uni_comp_name.uni_str_len*2,0);
-
- status = get_md4pw((char *)p->dc->mach_pw, mach_acct, q_u->clnt_id.sec_chan);
+ status = get_md4pw((char *)p->dc->mach_pw,
+ r->in.account_name,
+ r->in.secure_channel_type);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("_net_auth: creds_server_check failed. Failed to "
+ DEBUG(0,("_netr_ServerAuthenticate: get_md4pw failed. Failed to "
"get password for machine account %s "
"from client %s: %s\n",
- mach_acct, remote_machine, nt_errstr(status) ));
+ r->in.account_name,
+ r->in.computer_name,
+ nt_errstr(status) ));
/* always return NT_STATUS_ACCESS_DENIED */
return NT_STATUS_ACCESS_DENIED;
}
@@ -461,22 +435,25 @@ NTSTATUS _net_auth(pipes_struct *p, NET_Q_AUTH *q_u, NET_R_AUTH *r_u)
&srv_chal_out);
/* Check client credentials are valid. */
- if (!creds_server_check(p->dc, &q_u->clnt_chal)) {
- DEBUG(0,("_net_auth: creds_server_check failed. Rejecting auth "
+ if (!netlogon_creds_server_check(p->dc, r->in.credentials)) {
+ DEBUG(0,("_netr_ServerAuthenticate: netlogon_creds_server_check failed. Rejecting auth "
"request from client %s machine account %s\n",
- remote_machine, mach_acct ));
+ r->in.computer_name,
+ r->in.account_name));
return NT_STATUS_ACCESS_DENIED;
}
- fstrcpy(p->dc->mach_acct, mach_acct);
- fstrcpy(p->dc->remote_machine, remote_machine);
+ fstrcpy(p->dc->mach_acct, r->in.account_name);
+ fstrcpy(p->dc->remote_machine, r->in.computer_name);
p->dc->authenticated = True;
/* set up the LSA AUTH response */
/* Return the server credentials. */
- init_net_r_auth(r_u, &srv_chal_out, NT_STATUS_OK);
- return r_u->status;
+ memcpy(r->out.credentials->data, &srv_chal_out.data,
+ sizeof(r->out.credentials->data));
+
+ return NT_STATUS_OK;
}
/*************************************************************************
@@ -577,31 +554,32 @@ NTSTATUS _net_auth_2(pipes_struct *p, NET_Q_AUTH_2 *q_u, NET_R_AUTH_2 *r_u)
}
/*************************************************************************
- _net_srv_pwset
+ _netr_ServerPasswordSet
*************************************************************************/
-NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *r_u)
+NTSTATUS _netr_ServerPasswordSet(pipes_struct *p,
+ struct netr_ServerPasswordSet *r)
{
+ NTSTATUS status = NT_STATUS_OK;
fstring remote_machine;
struct samu *sampass=NULL;
bool ret = False;
unsigned char pwd[16];
int i;
uint32 acct_ctrl;
- DOM_CRED cred_out;
+ struct netr_Authenticator cred_out;
const uchar *old_pw;
- DEBUG(5,("_net_srv_pwset: %d\n", __LINE__));
+ DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
/* We need the remote machine name for the creds lookup. */
- rpcstr_pull(remote_machine,q_u->clnt_id.login.uni_comp_name.buffer,
- sizeof(remote_machine),q_u->clnt_id.login.uni_comp_name.uni_str_len*2,0);
+ fstrcpy(remote_machine, r->in.computer_name);
if ( (lp_server_schannel() == True) && (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) ) {
/* 'server schannel = yes' should enforce use of
schannel, the client did offer it in auth2, but
obviously did not use it. */
- DEBUG(0,("_net_srv_pwset: client %s not using schannel for netlogon\n",
+ DEBUG(0,("_netr_ServerPasswordSet: client %s not using schannel for netlogon\n",
remote_machine ));
return NT_STATUS_ACCESS_DENIED;
}
@@ -622,12 +600,12 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *
return NT_STATUS_INVALID_HANDLE;
}
- DEBUG(3,("_net_srv_pwset: Server Password Set by remote machine:[%s] on account [%s]\n",
+ DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
remote_machine, p->dc->mach_acct));
/* Step the creds chain forward. */
- if (!creds_server_step(p->dc, &q_u->clnt_id.cred, &cred_out)) {
- DEBUG(2,("_net_srv_pwset: creds_server_step failed. Rejecting auth "
+ if (!netlogon_creds_server_step(p->dc, r->in.credential, &cred_out)) {
+ DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
"request from client %s machine account %s\n",
remote_machine, p->dc->mach_acct ));
return NT_STATUS_INVALID_PARAMETER;
@@ -668,9 +646,9 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *
}
/* Woah - what does this to to the credential chain ? JRA */
- cred_hash3( pwd, q_u->pwd, p->dc->sess_key, 0);
+ cred_hash3(pwd, r->in.new_password->hash, p->dc->sess_key, 0);
- DEBUG(100,("Server password set : new given value was :\n"));
+ DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
for(i = 0; i < sizeof(pwd); i++)
DEBUG(100,("%02X ", pwd[i]));
DEBUG(100,("\n"));
@@ -702,15 +680,17 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *
}
become_root();
- r_u->status = pdb_update_sam_account(sampass);
+ status = pdb_update_sam_account(sampass);
unbecome_root();
}
/* set up the LSA Server Password Set response */
- init_net_r_srv_pwset(r_u, &cred_out, r_u->status);
+
+ memcpy(r->out.return_authenticator, &cred_out,
+ sizeof(r->out.return_authenticator));
TALLOC_FREE(sampass);
- return r_u->status;
+ return status;
}
/*************************************************************************
@@ -1273,26 +1253,6 @@ NTSTATUS _netr_LogonSamLogoff(pipes_struct *p,
/****************************************************************
****************************************************************/
-NTSTATUS _netr_ServerAuthenticate(pipes_struct *p,
- struct netr_ServerAuthenticate *r)
-{
- p->rng_fault_state = true;
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-/****************************************************************
-****************************************************************/
-
-NTSTATUS _netr_ServerPasswordSet(pipes_struct *p,
- struct netr_ServerPasswordSet *r)
-{
- p->rng_fault_state = true;
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-/****************************************************************
-****************************************************************/
-
NTSTATUS _netr_DatabaseDeltas(pipes_struct *p,
struct netr_DatabaseDeltas *r)
{