From 02bb4e1b8ae931d9eefa2fbd4a6f5456aca99b2b Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 4 Apr 2003 15:21:04 +0000
Subject: This is a merge of the NETLOGON schannel server code from Samba TNG. Actually, it exists in the main Samba cvs tree in APPLIANCE_TNG as I found out later :-) It adds a new parameter: server schannel = yes/auto/no defaulting to auto. What does this mean to the user: No requireSignOrSeal registry patch for XP anymore. Many thanks for this code to Luke Leighton, Elrond and anybody else I forgot to mention. My next thing will be to see if this applies cleanly to 3_0. Please test and comment! Volker (This used to be commit e1f953241eb020f19fe657f29afdae28dcf5a03b)
---
source3/include/ntdomain.h | 7 +++++++
source3/include/rpc_dce.h | 39 +++++++++++++++++++++++++++++++++++++--
2 files changed, 44 insertions(+), 2 deletions(-)
(limited to 'source3/include')
diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h
index cf5bb5046c..d02195b378 100644
--- a/source3/include/ntdomain.h
+++ b/source3/include/ntdomain.h
@@ -192,6 +192,13 @@ typedef struct pipes_struct
 uint32 ntlmssp_seq_num;
 struct dcinfo dc; /* Keeps the creds data. */
+ /* Hmm. In my understanding the authentication happens
+ implicitly later, so there are no two stages for
+ schannel. */
+
+ BOOL netsec_auth_validated;
+ struct netsec_auth_struct netsec_auth;
+
 /*
 * Windows user info.
 */
diff --git a/source3/include/rpc_dce.h b/source3/include/rpc_dce.h
index 6a8c650650..7e8bc3949e 100644
--- a/source3/include/rpc_dce.h
+++ b/source3/include/rpc_dce.h
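Review bot: The comment above `netsec_auth_validated` in `pipes_struct` records a doubt ("Hmm. In my understanding ...") instead of the invariant a reader needs: when the flag becomes set, and whether `netsec_auth` may be read before that. The flag presumably decides whether traffic on the pipe is treated as schannel-protected, so once confirmed I would replace the comment with something like `/* netsec_auth is meaningful only after netsec_auth_validated is set, i.e. once the schannel bind has been accepted */`. `netsec_auth` also embeds `sess_key[16]` by value, so the code that sets up and tears down `pipes_struct` (not part of this diff) should start with the flag cleared and wipe the key when the pipe is closed. The struct body begins and ends outside the hunk.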
@@ -55,6 +55,13 @@ enum RPC_PKT_TYPE
 #define NTLMSSP_AUTH_TYPE 0xa
 #define NTLMSSP_AUTH_LEVEL 0x6
+/* Netlogon schannel auth type and level */
+#define NETSEC_AUTH_TYPE 0x44
+#define NETSEC_AUTH_LEVEL 0x6
+#define NETSEC_SIGNATURE { 0x77, 0x00, 0x7a, 0x00, 0xff, 0xff, 0x00, 0x00 }
+#define RPC_AUTH_NETSEC_CHK_LEN 0x20
+#define NETLOGON_NEG_SCHANNEL 0x40000000
+
 /* Maximum PDU fragment size. */
 #define MAX_PDU_FRAG_LEN 0x1630
 /* #define MAX_PDU_FRAG_LEN 0x10b8 this is what w2k sets */
@@ -199,6 +206,34 @@ typedef struct rpc_hdr_auth_info
 #define RPC_HDR_AUTH_LEN 8
+/* this is TEMPORARILY coded up as a specific structure */
+/* this structure comes after the bind request */
+/* RPC_AUTH_NETSEC_NEG */
+typedef struct rpc_auth_netsec_neg_info
+{
+ uint32 unknown1;
+ uint32 unknown2;
+ fstring domain; /* calling workstations's domain */
+ fstring myname; /* calling workstation's name */
+} RPC_AUTH_NETSEC_NEG;
+
+/* attached to the end of encrypted rpc requests and responses */
+/* RPC_AUTH_NETSEC_CHK */
+typedef struct rpc_auth_netsec_chk_info
+{
+ uint8 sig [8]; /* 77 00 7a 00 ff ff 00 00 */
+ uint8 data1[8];
+ uint8 data3[8]; /* verifier, seq num */
+ uint8 data8[8]; /* random 8-byte nonce */
+} RPC_AUTH_NETSEC_CHK;
+
+struct netsec_auth_struct
+{
+ RPC_AUTH_NETSEC_NEG netsec_neg;
+ uchar sess_key[16];
+ uint32 seq_num;
+};
+
 /* RPC_BIND_REQ - ms req bind */
 typedef struct rpc_bind_req_info
 {
@@ -248,8 +283,8 @@ typedef struct rpc_hdr_ba_info
 /* RPC_AUTH_VERIFIER */
 typedef struct rpc_auth_verif_info
 {
- fstring signature; /* "NTLMSSP" */
- uint32 msg_type; /* NTLMSSP_MESSAGE_TYPE (1,2,3) */
+ fstring signature; /* "NTLMSSP".. Ok, not quite anymore */
+ uint32 msg_type; /* NTLMSSP_MESSAGE_TYPE (1,2,3) and 5 for schannel */
 } RPC_AUTH_VERIFIER;
-- cgit
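Review bot: `RPC_AUTH_NETSEC_CHK_LEN` is a bare `0x20` that has to stay equal to the four 8-byte fields of `RPC_AUTH_NETSEC_CHK` added in the next hunk, and `NETSEC_SIGNATURE` has to stay eight bytes to fit `sig[8]`, yet nothing ties the constants to the struct. Code that takes the length from the macro while reading into the struct (not visible in this diff) would silently mis-size the verifier if either side changed. I would state the coupling next to the define, e.g. `#define RPC_AUTH_NETSEC_CHK_LEN 0x20 /* sig + data1 + data3 + data8 of RPC_AUTH_NETSEC_CHK, 4 * 8 bytes */`. `NETLOGON_NEG_SCHANNEL` looks like a negotiate flag rather than a DCE/RPC header value, so a short comment saying which field it is tested against would help.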
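Review bot: `domain` and `myname` in `RPC_AUTH_NETSEC_NEG` are fixed-size `fstring` buffers that, per the comment above the struct, are filled from data following the bind request, which means from the peer before the schannel session is established. The header states no wire-length limit or termination rule, and the unmarshalling code is not in this diff, so it should be confirmed that each copy is bounded by `sizeof(fstring)` and always NUL-terminated. I would record that contract on the fields, e.g. `fstring domain; /* peer-supplied in the bind; truncated to sizeof(fstring), always NUL-terminated */`. `unknown1`, `unknown2` and `data1` carry no description at all; if they are ignored on receive, the comment should say so.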