From fdeea341ed1bae670382e45eb731db1b5838ad21 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 11 Mar 1998 21:11:04 +0000 Subject: "For I have laboured mightily on Luke's code, and hath broken all I saw" - the book of Jeremy, chapter 1 :-). So here is the mega-merge of the NTDOM branch server code. It doesn't include the new client side pieces, we'll look at that later. This should give the same functionality, server wise, as the NTDOM branch does, only merged into the main branch. Any fixes to domain controler functionality should be added to the main branch, not the NTDOM branch. This code compiles without warnings on gcc2.8, but will need further testing before we are sure all the working functionality of the NTDOM server branch has been correctly carried over. I hereby declare the server side of the NTDOM branch dead (and all who sail in her :-). Jeremy. (This used to be commit 118ba4d77a33248e762a2cf843fb7cbc906ee6e7) --- source3/rpc_client/cli_netlogon.c | 461 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 461 insertions(+) create mode 100644 source3/rpc_client/cli_netlogon.c (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c new file mode 100644 index 0000000000..aafde8d775 --- /dev/null +++ b/source3/rpc_client/cli_netlogon.c @@ -0,0 +1,461 @@ + +/* + * Unix SMB/Netbios implementation. + * Version 1.9. + * RPC Pipe client / server routines + * Copyright (C) Andrew Tridgell 1992-1997, + * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, + * Copyright (C) Paul Ashton 1997. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + + +#ifdef SYSLOG +#undef SYSLOG +#endif + +#include "includes.h" + +extern int DEBUGLEVEL; +extern pstring username; +extern pstring workgroup; + +#define CLIENT_TIMEOUT (30*1000) + + +/**************************************************************************** +do a LSA Logon Control2 +****************************************************************************/ +BOOL do_net_logon_ctrl2(struct cli_state *cli, int t_idx, uint16 fnum, + char *host_name, uint32 status_level) +{ + prs_struct rbuf; + prs_struct buf; + NET_Q_LOGON_CTRL2 q_l; + BOOL valid_ctrl2 = False; + fstring acct_name; + + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + + if (host_name == NULL) return False; + + strcpy(acct_name, "\\\\"); + strcat(acct_name, host_name); + + /* create and send a MSRPC command with api NET_LOGON_CTRL2 */ + + DEBUG(4,("LSA Logon Control2 from %s status level:%x\n", + host_name, status_level)); + + /* store the parameters */ + make_q_logon_ctrl2(&q_l, acct_name, status_level); + + /* turn parameters into data stream */ + net_io_q_logon_ctrl2("", &q_l, &buf, 0); + + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, t_idx, fnum, NET_LOGON_CTRL2, &buf, &rbuf)) + { + NET_R_LOGON_CTRL2 r_l; + BOOL p; + + net_io_r_logon_ctrl2("", &r_l, &rbuf, 0); + p = rbuf.offset != 0; + + if (p && r_l.status != 0) + { + /* report error code */ + DEBUG(0,("NET_R_LOGON_CTRL: %s\n", get_nt_error_msg(r_l.status))); + p = False; + } + + if (p) + { + valid_ctrl2 = True; + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + + return valid_ctrl2; +} + +/**************************************************************************** +do a LSA Authenticate 2 +****************************************************************************/ +BOOL do_net_auth2(struct cli_state *cli, int t_idx, uint16 fnum, + char *logon_srv, char *acct_name, uint16 sec_chan, char *comp_name, + DOM_CHAL *clnt_chal, uint32 neg_flags, DOM_CHAL *srv_chal) +{ + prs_struct rbuf; + prs_struct buf; + NET_Q_AUTH_2 q_a; + BOOL valid_chal = False; + + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + + if (srv_chal == NULL || clnt_chal == NULL) return False; + + /* create and send a MSRPC command with api NET_AUTH2 */ + + DEBUG(4,("LSA Authenticate 2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %lx\n", + logon_srv, acct_name, sec_chan, comp_name, + credstr(clnt_chal->data), neg_flags)); + + /* store the parameters */ + make_q_auth_2(&q_a, logon_srv, acct_name, sec_chan, comp_name, + clnt_chal, neg_flags); + + /* turn parameters into data stream */ + net_io_q_auth_2("", &q_a, &buf, 0); + + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, t_idx, fnum, NET_AUTH2, &buf, &rbuf)) + { + NET_R_AUTH_2 r_a; + BOOL p; + + net_io_r_auth_2("", &r_a, &rbuf, 0); + p = rbuf.offset != 0; + + if (p && r_a.status != 0) + { + /* report error code */ + DEBUG(0,("NET_AUTH2: %s\n", get_nt_error_msg(r_a.status))); + p = False; + } + + if (p && r_a.srv_flgs.neg_flags != q_a.clnt_flgs.neg_flags) + { + /* report different neg_flags */ + DEBUG(0,("NET_AUTH2: error neg_flags (q,r) differ - (%lx,%lx)\n", + q_a.clnt_flgs.neg_flags, r_a.srv_flgs.neg_flags)); + p = False; + } + + if (p) + { + /* ok, at last: we're happy. return the challenge */ + memcpy(srv_chal, r_a.srv_chal.data, sizeof(srv_chal->data)); + valid_chal = True; + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + + return valid_chal; +} + +/**************************************************************************** +do a LSA Request Challenge +****************************************************************************/ +BOOL do_net_req_chal(struct cli_state *cli, int t_idx, uint16 fnum, + char *desthost, char *myhostname, + DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) +{ + prs_struct rbuf; + prs_struct buf; + NET_Q_REQ_CHAL q_c; + BOOL valid_chal = False; + + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + + if (srv_chal == NULL || clnt_chal == NULL) return False; + + /* create and send a MSRPC command with api NET_REQCHAL */ + + DEBUG(4,("LSA Request Challenge from %s to %s: %s\n", + desthost, myhostname, credstr(clnt_chal->data))); + + /* store the parameters */ + make_q_req_chal(&q_c, desthost, myhostname, clnt_chal); + + /* turn parameters into data stream */ + net_io_q_req_chal("", &q_c, &buf, 0); + + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, t_idx, fnum, NET_REQCHAL, &buf, &rbuf)) + { + NET_R_REQ_CHAL r_c; + BOOL p; + + net_io_r_req_chal("", &r_c, &rbuf, 0); + p = rbuf.offset != 0; + + if (p && r_c.status != 0) + { + /* report error code */ + DEBUG(0,("NET_REQ_CHAL: %s\n", get_nt_error_msg(r_c.status))); + p = False; + } + + if (p) + { + /* ok, at last: we're happy. return the challenge */ + memcpy(srv_chal, r_c.srv_chal.data, sizeof(srv_chal->data)); + valid_chal = True; + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + + return valid_chal; +} + +/*************************************************************************** +do a LSA Server Password Set +****************************************************************************/ +BOOL do_net_srv_pwset(struct cli_state *cli, int t_idx, uint16 fnum, + uchar sess_key[16], DOM_CRED *sto_clnt_cred, + char *logon_srv, char *mach_acct, uint16 sec_chan_type, char *comp_name, + DOM_CRED *clnt_cred, DOM_CRED *srv_cred, + uint8 nt_owf_new_mach_pwd[16]) +{ + prs_struct rbuf; + prs_struct buf; + NET_Q_SRV_PWSET q_s; + BOOL valid_cred = False; + + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + + if (srv_cred == NULL || clnt_cred == NULL) return False; + + /* create and send a MSRPC command with api NET_SRV_PWSET */ + + DEBUG(4,("LSA Server Password Set: srv:%s acct:%s sc: %d mc: %s clnt %s %lx\n", + logon_srv, mach_acct, sec_chan_type, comp_name, + credstr(clnt_cred->challenge.data), clnt_cred->timestamp.time)); + + /* store the parameters */ + make_q_srv_pwset(&q_s, + sess_key, + logon_srv, mach_acct, sec_chan_type, comp_name, + clnt_cred, + nt_owf_new_mach_pwd); + + /* turn parameters into data stream */ + net_io_q_srv_pwset("", &q_s, &buf, 0); + + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, t_idx, fnum, NET_SRVPWSET, &buf, &rbuf)) + { + NET_R_SRV_PWSET r_s; + BOOL p; + + net_io_r_srv_pwset("", &r_s, &rbuf, 0); + p = rbuf.offset != 0; + + if (p && r_s.status != 0) + { + /* report error code */ + DEBUG(0,("NET_R_SRV_PWSET: %s\n", get_nt_error_msg(r_s.status))); + p = False; + } + + if (p) + { + if (clnt_deal_with_creds(sess_key, sto_clnt_cred, &(r_s.srv_cred))) + { + DEBUG(5, ("do_net_srv_pwset: server credential check OK\n")); + /* ok, at last: we're happy. return the challenge */ + memcpy(srv_cred, &(r_s.srv_cred), sizeof(r_s.srv_cred)); + valid_cred = True; + } + else + { + DEBUG(5, ("do_net_srv_pwset: server credential check failed\n")); + } + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + + return valid_cred; +} + +/*************************************************************************** +do a LSA SAM Logon +****************************************************************************/ +BOOL do_net_sam_logon(struct cli_state *cli, int t_idx, uint16 fnum, + uchar sess_key[8], DOM_CRED *sto_clnt_cred, + char *logon_srv, char *comp_name, + DOM_CRED *clnt_cred, DOM_CRED *rtn_cred, + uint16 logon_level, NET_ID_INFO_CTR *ctr, uint16 validation_level, + NET_USER_INFO_3 *user_info3, + DOM_CRED *srv_cred) +{ + prs_struct rbuf; + prs_struct buf; + NET_Q_SAM_LOGON q_s; + BOOL valid_cred = False; + + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + + if (srv_cred == NULL || clnt_cred == NULL || rtn_cred == NULL || user_info3 == NULL) return False; + + /* create and send a MSRPC command with api NET_SAMLOGON */ + + DEBUG(4,("LSA SAM Logon: srv:%s mc:%s clnt %s %lx rtn: %s %lx ll: %d\n", + logon_srv, comp_name, + credstr(clnt_cred->challenge.data), clnt_cred->timestamp.time, + credstr(rtn_cred->challenge.data), rtn_cred ->timestamp.time, + logon_level)); + + /* store the parameters */ + make_sam_info(&(q_s.sam_id), logon_srv, comp_name, + clnt_cred, rtn_cred, + logon_level, ctr, validation_level); + + /* turn parameters into data stream */ + net_io_q_sam_logon("", &q_s, &buf, 0); + + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, t_idx, fnum, NET_SAMLOGON, &buf, &rbuf)) + { + NET_R_SAM_LOGON r_s; + BOOL p; + + r_s.user = user_info3; + + net_io_r_sam_logon("", &r_s, &rbuf, 0); + p = rbuf.offset != 0; + + if (p && r_s.status != 0) + { + /* report error code */ + DEBUG(0,("NET_SAMLOGON: %s\n", get_nt_error_msg(r_s.status))); + p = False; + } + + if (p && r_s.switch_value != 3) + { + /* report different switch_value */ + DEBUG(0,("NET_SAMLOGON: switch_value of 3 expected %x\n", + r_s.switch_value)); + p = False; + } + + if (p) + { + if (clnt_deal_with_creds(sess_key, sto_clnt_cred, &(r_s.srv_creds))) + { + DEBUG(5, ("do_net_sam_logon: server credential check OK\n")); + /* ok, at last: we're happy. return the challenge */ + memcpy(srv_cred, &(r_s.srv_creds), sizeof(r_s.srv_creds)); + valid_cred = True; + } + else + { + DEBUG(5, ("do_net_sam_logon: server credential check failed\n")); + } + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + return valid_cred; +} + +/*************************************************************************** +do a LSA SAM Logoff +****************************************************************************/ +BOOL do_net_sam_logoff(struct cli_state *cli, int t_idx, uint16 fnum, + uchar sess_key[8], DOM_CRED *sto_clnt_cred, + char *logon_srv, char *comp_name, + DOM_CRED *clnt_cred, DOM_CRED *rtn_cred, + uint16 logon_level, NET_ID_INFO_CTR *ctr, uint16 validation_level, + DOM_CRED *srv_cred) +{ + prs_struct rbuf; + prs_struct buf; + NET_Q_SAM_LOGOFF q_s; + BOOL valid_cred = False; + + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + + if (srv_cred == NULL || clnt_cred == NULL || rtn_cred == NULL) return False; + + /* create and send a MSRPC command with api NET_SAMLOGON */ + + DEBUG(4,("LSA SAM Logoff: srv:%s mc:%s clnt %s %lx rtn: %s %lx ll: %d\n", + logon_srv, comp_name, + credstr(clnt_cred->challenge.data), clnt_cred->timestamp.time, + credstr(rtn_cred->challenge.data), rtn_cred ->timestamp.time, + logon_level)); + + /* store the parameters */ + make_sam_info(&(q_s.sam_id), logon_srv, comp_name, + clnt_cred, rtn_cred, + logon_level, ctr, validation_level); + + /* turn parameters into data stream */ + net_io_q_sam_logoff("", &q_s, &buf, 0); + + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, t_idx, fnum, NET_SAMLOGOFF, &buf, &rbuf)) + { + NET_R_SAM_LOGOFF r_s; + BOOL p; + + net_io_r_sam_logoff("", &r_s, &rbuf, 0); + p = rbuf.offset != 0; + + if (p && r_s.status != 0) + { + /* report error code */ + DEBUG(0,("NET_SAMLOGOFF: %s\n", get_nt_error_msg(r_s.status))); + p = False; + } + + if (p) + { + if (clnt_deal_with_creds(sess_key, sto_clnt_cred, &(r_s.srv_creds))) + { + DEBUG(5, ("do_net_sam_logoff: server credential check OK\n")); + /* ok, at last: we're happy. return the challenge */ + memcpy(srv_cred, &(r_s.srv_creds), sizeof(r_s.srv_creds)); + valid_cred = True; + } + else + { + DEBUG(5, ("do_net_sam_logoff: server credential check failed\n")); + } + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + + return valid_cred; +} + + -- cgit From d5114f624591c55a75d86a1efec3378fd4c9ef5a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 23 Apr 1998 22:45:53 +0000 Subject: These don't compile yet - but they are the core code in what will be DOMAIN_CLIENT called code. Jeremy. (This used to be commit ad81735fa1ce02937f6aae3d6518c1cd6156b090) --- source3/rpc_client/cli_netlogon.c | 674 +++++++++++++++++++------------------- 1 file changed, 337 insertions(+), 337 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index aafde8d775..a1a868ce96 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -30,432 +30,432 @@ #include "includes.h" extern int DEBUGLEVEL; -extern pstring username; -extern pstring workgroup; - -#define CLIENT_TIMEOUT (30*1000) - /**************************************************************************** do a LSA Logon Control2 ****************************************************************************/ -BOOL do_net_logon_ctrl2(struct cli_state *cli, int t_idx, uint16 fnum, - char *host_name, uint32 status_level) + +BOOL do_net_logon_ctrl2(struct cli_state *cli, uint16 fnum, + char *host_name, uint32 status_level) { - prs_struct rbuf; - prs_struct buf; - NET_Q_LOGON_CTRL2 q_l; - BOOL valid_ctrl2 = False; - fstring acct_name; + prs_struct rbuf; + prs_struct buf; + NET_Q_LOGON_CTRL2 q_l; + BOOL valid_ctrl2 = False; + fstring acct_name; - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); - prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + if (host_name == NULL) + return False; - if (host_name == NULL) return False; + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - strcpy(acct_name, "\\\\"); - strcat(acct_name, host_name); + strcpy(acct_name, "\\\\"); + strcat(acct_name, host_name); - /* create and send a MSRPC command with api NET_LOGON_CTRL2 */ + /* create and send a MSRPC command with api NET_LOGON_CTRL2 */ - DEBUG(4,("LSA Logon Control2 from %s status level:%x\n", - host_name, status_level)); + DEBUG(4,("LSA Logon Control2 from %s status level:%x\n", + host_name, status_level)); - /* store the parameters */ - make_q_logon_ctrl2(&q_l, acct_name, status_level); + /* store the parameters */ + make_q_logon_ctrl2(&q_l, acct_name, status_level); - /* turn parameters into data stream */ - net_io_q_logon_ctrl2("", &q_l, &buf, 0); + /* turn parameters into data stream */ + net_io_q_logon_ctrl2("", &q_l, &buf, 0); - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, t_idx, fnum, NET_LOGON_CTRL2, &buf, &rbuf)) - { - NET_R_LOGON_CTRL2 r_l; - BOOL p; + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, fnum, NET_LOGON_CTRL2, &buf, &rbuf)) + { + NET_R_LOGON_CTRL2 r_l; + BOOL ok; - net_io_r_logon_ctrl2("", &r_l, &rbuf, 0); - p = rbuf.offset != 0; + net_io_r_logon_ctrl2("", &r_l, &rbuf, 0); + ok = (rbuf.offset != 0); - if (p && r_l.status != 0) - { - /* report error code */ - DEBUG(0,("NET_R_LOGON_CTRL: %s\n", get_nt_error_msg(r_l.status))); - p = False; - } - - if (p) - { - valid_ctrl2 = True; - } - } - - prs_mem_free(&rbuf); - prs_mem_free(&buf ); - - - return valid_ctrl2; + if (ok && r_l.status != 0) + { + /* report error code */ + DEBUG(0,("NET_R_LOGON_CTRL: %s\n", get_nt_error_msg(r_l.status))); + ok = False; + } + + if (ok) + { + valid_ctrl2 = True; + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + return valid_ctrl2; } /**************************************************************************** do a LSA Authenticate 2 ****************************************************************************/ -BOOL do_net_auth2(struct cli_state *cli, int t_idx, uint16 fnum, - char *logon_srv, char *acct_name, uint16 sec_chan, char *comp_name, - DOM_CHAL *clnt_chal, uint32 neg_flags, DOM_CHAL *srv_chal) + +BOOL do_net_auth2(struct cli_state *cli, uint16 fnum, + char *logon_srv, char *acct_name, uint16 sec_chan, + char *comp_name, DOM_CHAL *clnt_chal, uint32 neg_flags, + DOM_CHAL *srv_chal) { - prs_struct rbuf; - prs_struct buf; - NET_Q_AUTH_2 q_a; - BOOL valid_chal = False; + prs_struct rbuf; + prs_struct buf; + NET_Q_AUTH_2 q_a; + BOOL valid_chal = False; - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); - prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + if (srv_chal == NULL || clnt_chal == NULL) + return False; - if (srv_chal == NULL || clnt_chal == NULL) return False; + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - /* create and send a MSRPC command with api NET_AUTH2 */ - DEBUG(4,("LSA Authenticate 2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %lx\n", - logon_srv, acct_name, sec_chan, comp_name, - credstr(clnt_chal->data), neg_flags)); + /* create and send a MSRPC command with api NET_AUTH2 */ - /* store the parameters */ - make_q_auth_2(&q_a, logon_srv, acct_name, sec_chan, comp_name, - clnt_chal, neg_flags); + DEBUG(4,("LSA Authenticate 2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %lx\n", + logon_srv, acct_name, sec_chan, comp_name, + credstr(clnt_chal->data), neg_flags)); - /* turn parameters into data stream */ - net_io_q_auth_2("", &q_a, &buf, 0); + /* store the parameters */ + make_q_auth_2(&q_a, logon_srv, acct_name, sec_chan, comp_name, + clnt_chal, neg_flags); - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, t_idx, fnum, NET_AUTH2, &buf, &rbuf)) - { - NET_R_AUTH_2 r_a; - BOOL p; + /* turn parameters into data stream */ + net_io_q_auth_2("", &q_a, &buf, 0); - net_io_r_auth_2("", &r_a, &rbuf, 0); - p = rbuf.offset != 0; + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, fnum, NET_AUTH2, &buf, &rbuf)) + { + NET_R_AUTH_2 r_a; + BOOL ok; + + net_io_r_auth_2("", &r_a, &rbuf, 0); + ok = (rbuf.offset != 0); - if (p && r_a.status != 0) - { - /* report error code */ - DEBUG(0,("NET_AUTH2: %s\n", get_nt_error_msg(r_a.status))); - p = False; - } - - if (p && r_a.srv_flgs.neg_flags != q_a.clnt_flgs.neg_flags) - { - /* report different neg_flags */ - DEBUG(0,("NET_AUTH2: error neg_flags (q,r) differ - (%lx,%lx)\n", - q_a.clnt_flgs.neg_flags, r_a.srv_flgs.neg_flags)); - p = False; - } - - if (p) - { - /* ok, at last: we're happy. return the challenge */ - memcpy(srv_chal, r_a.srv_chal.data, sizeof(srv_chal->data)); - valid_chal = True; - } - } - - prs_mem_free(&rbuf); - prs_mem_free(&buf ); - - - return valid_chal; + if (ok && r_a.status != 0) + { + /* report error code */ + DEBUG(0,("NET_AUTH2: %s\n", get_nt_error_msg(r_a.status))); + ok = False; + } + + if (ok && r_a.srv_flgs.neg_flags != q_a.clnt_flgs.neg_flags) + { + /* report different neg_flags */ + DEBUG(0,("NET_AUTH2: error neg_flags (q,r) differ - (%lx,%lx)\n", + q_a.clnt_flgs.neg_flags, r_a.srv_flgs.neg_flags)); + ok = False; + } + + if (ok) + { + /* ok, at last: we're happy. return the challenge */ + memcpy(srv_chal, r_a.srv_chal.data, sizeof(srv_chal->data)); + valid_chal = True; + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + return valid_chal; } /**************************************************************************** do a LSA Request Challenge ****************************************************************************/ -BOOL do_net_req_chal(struct cli_state *cli, int t_idx, uint16 fnum, - char *desthost, char *myhostname, - DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) + +BOOL do_net_req_chal(struct cli_state *cli, uint16 fnum, + char *desthost, char *myhostname, + DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) { - prs_struct rbuf; - prs_struct buf; - NET_Q_REQ_CHAL q_c; - BOOL valid_chal = False; + prs_struct rbuf; + prs_struct buf; + NET_Q_REQ_CHAL q_c; + BOOL valid_chal = False; + + if (srv_chal == NULL || clnt_chal == NULL) + return False; - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); - prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - if (srv_chal == NULL || clnt_chal == NULL) return False; - /* create and send a MSRPC command with api NET_REQCHAL */ + /* create and send a MSRPC command with api NET_REQCHAL */ - DEBUG(4,("LSA Request Challenge from %s to %s: %s\n", - desthost, myhostname, credstr(clnt_chal->data))); + DEBUG(4,("LSA Request Challenge from %s to %s: %s\n", + desthost, myhostname, credstr(clnt_chal->data))); - /* store the parameters */ - make_q_req_chal(&q_c, desthost, myhostname, clnt_chal); + /* store the parameters */ + make_q_req_chal(&q_c, desthost, myhostname, clnt_chal); - /* turn parameters into data stream */ - net_io_q_req_chal("", &q_c, &buf, 0); + /* turn parameters into data stream */ + net_io_q_req_chal("", &q_c, &buf, 0); - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, t_idx, fnum, NET_REQCHAL, &buf, &rbuf)) - { - NET_R_REQ_CHAL r_c; - BOOL p; + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, fnum, NET_REQCHAL, &buf, &rbuf)) + { + NET_R_REQ_CHAL r_c; + BOOL ok; - net_io_r_req_chal("", &r_c, &rbuf, 0); - p = rbuf.offset != 0; + net_io_r_req_chal("", &r_c, &rbuf, 0); + ok = (rbuf.offset != 0); - if (p && r_c.status != 0) - { - /* report error code */ - DEBUG(0,("NET_REQ_CHAL: %s\n", get_nt_error_msg(r_c.status))); - p = False; - } - - if (p) - { - /* ok, at last: we're happy. return the challenge */ - memcpy(srv_chal, r_c.srv_chal.data, sizeof(srv_chal->data)); - valid_chal = True; - } - } - - prs_mem_free(&rbuf); - prs_mem_free(&buf ); - - - return valid_chal; + if (ok && r_c.status != 0) + { + /* report error code */ + DEBUG(0,("NET_REQ_CHAL: %s\n", get_nt_error_msg(r_c.status))); + ok = False; + } + + if (ok) + { + /* ok, at last: we're happy. return the challenge */ + memcpy(srv_chal, r_c.srv_chal.data, sizeof(srv_chal->data)); + valid_chal = True; + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + return valid_chal; } /*************************************************************************** do a LSA Server Password Set ****************************************************************************/ -BOOL do_net_srv_pwset(struct cli_state *cli, int t_idx, uint16 fnum, - uchar sess_key[16], DOM_CRED *sto_clnt_cred, - char *logon_srv, char *mach_acct, uint16 sec_chan_type, char *comp_name, - DOM_CRED *clnt_cred, DOM_CRED *srv_cred, - uint8 nt_owf_new_mach_pwd[16]) + +BOOL do_net_srv_pwset(struct cli_state *cli, uint16 fnum, + uchar sess_key[16], DOM_CRED *sto_clnt_cred, + char *logon_srv, char *mach_acct, uint16 sec_chan_type, + char *comp_name, DOM_CRED *clnt_cred, DOM_CRED *srv_cred, + uint8 nt_owf_new_mach_pwd[16]) { - prs_struct rbuf; - prs_struct buf; - NET_Q_SRV_PWSET q_s; - BOOL valid_cred = False; + prs_struct rbuf; + prs_struct buf; + NET_Q_SRV_PWSET q_s; + BOOL valid_cred = False; + + if (srv_cred == NULL || clnt_cred == NULL) + return False; - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); - prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - if (srv_cred == NULL || clnt_cred == NULL) return False; - /* create and send a MSRPC command with api NET_SRV_PWSET */ + /* create and send a MSRPC command with api NET_SRV_PWSET */ - DEBUG(4,("LSA Server Password Set: srv:%s acct:%s sc: %d mc: %s clnt %s %lx\n", - logon_srv, mach_acct, sec_chan_type, comp_name, - credstr(clnt_cred->challenge.data), clnt_cred->timestamp.time)); + DEBUG(4,("LSA Server Password Set: srv:%s acct:%s sc: %d mc: %s clnt %s %lx\n", + logon_srv, mach_acct, sec_chan_type, comp_name, + credstr(clnt_cred->challenge.data), clnt_cred->timestamp.time)); - /* store the parameters */ - make_q_srv_pwset(&q_s, - sess_key, - logon_srv, mach_acct, sec_chan_type, comp_name, - clnt_cred, - nt_owf_new_mach_pwd); + /* store the parameters */ + make_q_srv_pwset(&q_s, sess_key, logon_srv, mach_acct, sec_chan_type, + comp_name, clnt_cred, nt_owf_new_mach_pwd); - /* turn parameters into data stream */ - net_io_q_srv_pwset("", &q_s, &buf, 0); + /* turn parameters into data stream */ + net_io_q_srv_pwset("", &q_s, &buf, 0); - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, t_idx, fnum, NET_SRVPWSET, &buf, &rbuf)) - { - NET_R_SRV_PWSET r_s; - BOOL p; + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, fnum, NET_SRVPWSET, &buf, &rbuf)) + { + NET_R_SRV_PWSET r_s; + BOOL ok; - net_io_r_srv_pwset("", &r_s, &rbuf, 0); - p = rbuf.offset != 0; + net_io_r_srv_pwset("", &r_s, &rbuf, 0); + ok = (rbuf.offset != 0); - if (p && r_s.status != 0) - { - /* report error code */ - DEBUG(0,("NET_R_SRV_PWSET: %s\n", get_nt_error_msg(r_s.status))); - p = False; - } - - if (p) - { - if (clnt_deal_with_creds(sess_key, sto_clnt_cred, &(r_s.srv_cred))) - { - DEBUG(5, ("do_net_srv_pwset: server credential check OK\n")); - /* ok, at last: we're happy. return the challenge */ - memcpy(srv_cred, &(r_s.srv_cred), sizeof(r_s.srv_cred)); - valid_cred = True; - } - else - { - DEBUG(5, ("do_net_srv_pwset: server credential check failed\n")); - } - } - } - - prs_mem_free(&rbuf); - prs_mem_free(&buf ); - - - return valid_cred; + if (ok && r_s.status != 0) + { + /* report error code */ + DEBUG(0,("NET_R_SRV_PWSET: %s\n", get_nt_error_msg(r_s.status))); + ok = False; + } + + if (ok) + { + if (clnt_deal_with_creds(sess_key, sto_clnt_cred, &(r_s.srv_cred))) + { + DEBUG(5, ("do_net_srv_pwset: server credential check OK\n")); + /* ok, at last: we're happy. return the challenge */ + memcpy(srv_cred, &(r_s.srv_cred), sizeof(r_s.srv_cred)); + valid_cred = True; + } + else + { + DEBUG(5, ("do_net_srv_pwset: server credential check failed\n")); + } + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + return valid_cred; } /*************************************************************************** do a LSA SAM Logon ****************************************************************************/ -BOOL do_net_sam_logon(struct cli_state *cli, int t_idx, uint16 fnum, - uchar sess_key[8], DOM_CRED *sto_clnt_cred, - char *logon_srv, char *comp_name, - DOM_CRED *clnt_cred, DOM_CRED *rtn_cred, - uint16 logon_level, NET_ID_INFO_CTR *ctr, uint16 validation_level, - NET_USER_INFO_3 *user_info3, - DOM_CRED *srv_cred) + +BOOL do_net_sam_logon(struct cli_state *cli, uint16 fnum, + uchar sess_key[8], DOM_CRED *sto_clnt_cred, + char *logon_srv, char *comp_name, + DOM_CRED *clnt_cred, DOM_CRED *rtn_cred, + uint16 logon_level, NET_ID_INFO_CTR *ctr, + uint16 validation_level, NET_USER_INFO_3 *user_info3, + DOM_CRED *srv_cred) { - prs_struct rbuf; - prs_struct buf; - NET_Q_SAM_LOGON q_s; - BOOL valid_cred = False; + prs_struct rbuf; + prs_struct buf; + NET_Q_SAM_LOGON q_s; + BOOL valid_cred = False; + + if (srv_cred == NULL || clnt_cred == NULL || rtn_cred == NULL || user_info3 == NULL) + return False; - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); - prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - if (srv_cred == NULL || clnt_cred == NULL || rtn_cred == NULL || user_info3 == NULL) return False; - /* create and send a MSRPC command with api NET_SAMLOGON */ + /* create and send a MSRPC command with api NET_SAMLOGON */ - DEBUG(4,("LSA SAM Logon: srv:%s mc:%s clnt %s %lx rtn: %s %lx ll: %d\n", - logon_srv, comp_name, - credstr(clnt_cred->challenge.data), clnt_cred->timestamp.time, - credstr(rtn_cred->challenge.data), rtn_cred ->timestamp.time, - logon_level)); + DEBUG(4,("LSA SAM Logon: srv:%s mc:%s clnt %s %lx rtn: %s %lx ll: %d\n", + logon_srv, comp_name, + credstr(clnt_cred->challenge.data), clnt_cred->timestamp.time, + credstr(rtn_cred->challenge.data), rtn_cred ->timestamp.time, + logon_level)); - /* store the parameters */ - make_sam_info(&(q_s.sam_id), logon_srv, comp_name, - clnt_cred, rtn_cred, - logon_level, ctr, validation_level); + /* store the parameters */ + make_sam_info(&(q_s.sam_id), logon_srv, comp_name, + clnt_cred, rtn_cred, logon_level, ctr, validation_level); - /* turn parameters into data stream */ - net_io_q_sam_logon("", &q_s, &buf, 0); + /* turn parameters into data stream */ + net_io_q_sam_logon("", &q_s, &buf, 0); - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, t_idx, fnum, NET_SAMLOGON, &buf, &rbuf)) - { - NET_R_SAM_LOGON r_s; - BOOL p; + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, fnum, NET_SAMLOGON, &buf, &rbuf)) + { + NET_R_SAM_LOGON r_s; + BOOL ok; - r_s.user = user_info3; + r_s.user = user_info3; - net_io_r_sam_logon("", &r_s, &rbuf, 0); - p = rbuf.offset != 0; + net_io_r_sam_logon("", &r_s, &rbuf, 0); + ok = (rbuf.offset != 0); - if (p && r_s.status != 0) - { - /* report error code */ - DEBUG(0,("NET_SAMLOGON: %s\n", get_nt_error_msg(r_s.status))); - p = False; - } - - if (p && r_s.switch_value != 3) - { - /* report different switch_value */ - DEBUG(0,("NET_SAMLOGON: switch_value of 3 expected %x\n", - r_s.switch_value)); - p = False; - } - - if (p) - { - if (clnt_deal_with_creds(sess_key, sto_clnt_cred, &(r_s.srv_creds))) - { - DEBUG(5, ("do_net_sam_logon: server credential check OK\n")); - /* ok, at last: we're happy. return the challenge */ - memcpy(srv_cred, &(r_s.srv_creds), sizeof(r_s.srv_creds)); - valid_cred = True; - } - else - { - DEBUG(5, ("do_net_sam_logon: server credential check failed\n")); - } - } - } - - prs_mem_free(&rbuf); - prs_mem_free(&buf ); - - return valid_cred; + if (ok && r_s.status != 0) + { + /* report error code */ + DEBUG(0,("NET_SAMLOGON: %s\n", get_nt_error_msg(r_s.status))); + ok = False; + } + + if (ok && r_s.switch_value != 3) + { + /* report different switch_value */ + DEBUG(0,("NET_SAMLOGON: switch_value of 3 expected %x\n", + r_s.switch_value)); + ok = False; + } + + if (ok) + { + if (clnt_deal_with_creds(sess_key, sto_clnt_cred, &(r_s.srv_creds))) + { + DEBUG(5, ("do_net_sam_logon: server credential check OK\n")); + /* ok, at last: we're happy. return the challenge */ + memcpy(srv_cred, &(r_s.srv_creds), sizeof(r_s.srv_creds)); + valid_cred = True; + } + else + { + DEBUG(5, ("do_net_sam_logon: server credential check failed\n")); + } + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + return valid_cred; } /*************************************************************************** do a LSA SAM Logoff ****************************************************************************/ -BOOL do_net_sam_logoff(struct cli_state *cli, int t_idx, uint16 fnum, - uchar sess_key[8], DOM_CRED *sto_clnt_cred, - char *logon_srv, char *comp_name, - DOM_CRED *clnt_cred, DOM_CRED *rtn_cred, - uint16 logon_level, NET_ID_INFO_CTR *ctr, uint16 validation_level, - DOM_CRED *srv_cred) + +BOOL do_net_sam_logoff(struct cli_state *cli, uint16 fnum, + uchar sess_key[8], DOM_CRED *sto_clnt_cred, + char *logon_srv, char *comp_name, + DOM_CRED *clnt_cred, DOM_CRED *rtn_cred, + uint16 logon_level, NET_ID_INFO_CTR *ctr, + uint16 validation_level, DOM_CRED *srv_cred) { - prs_struct rbuf; - prs_struct buf; - NET_Q_SAM_LOGOFF q_s; - BOOL valid_cred = False; + prs_struct rbuf; + prs_struct buf; + NET_Q_SAM_LOGOFF q_s; + BOOL valid_cred = False; - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); - prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + if (srv_cred == NULL || clnt_cred == NULL || rtn_cred == NULL) + return False; - if (srv_cred == NULL || clnt_cred == NULL || rtn_cred == NULL) return False; + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - /* create and send a MSRPC command with api NET_SAMLOGON */ + /* create and send a MSRPC command with api NET_SAMLOGON */ - DEBUG(4,("LSA SAM Logoff: srv:%s mc:%s clnt %s %lx rtn: %s %lx ll: %d\n", - logon_srv, comp_name, - credstr(clnt_cred->challenge.data), clnt_cred->timestamp.time, - credstr(rtn_cred->challenge.data), rtn_cred ->timestamp.time, - logon_level)); + DEBUG(4,("LSA SAM Logoff: srv:%s mc:%s clnt %s %lx rtn: %s %lx ll: %d\n", + logon_srv, comp_name, + credstr(clnt_cred->challenge.data), clnt_cred->timestamp.time, + credstr(rtn_cred->challenge.data), rtn_cred ->timestamp.time, + logon_level)); - /* store the parameters */ - make_sam_info(&(q_s.sam_id), logon_srv, comp_name, - clnt_cred, rtn_cred, - logon_level, ctr, validation_level); + /* store the parameters */ + make_sam_info(&(q_s.sam_id), logon_srv, comp_name, + clnt_cred, rtn_cred, logon_level, ctr, validation_level); - /* turn parameters into data stream */ - net_io_q_sam_logoff("", &q_s, &buf, 0); + /* turn parameters into data stream */ + net_io_q_sam_logoff("", &q_s, &buf, 0); - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, t_idx, fnum, NET_SAMLOGOFF, &buf, &rbuf)) - { - NET_R_SAM_LOGOFF r_s; - BOOL p; + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, fnum, NET_SAMLOGOFF, &buf, &rbuf)) + { + NET_R_SAM_LOGOFF r_s; + BOOL ok; - net_io_r_sam_logoff("", &r_s, &rbuf, 0); - p = rbuf.offset != 0; + net_io_r_sam_logoff("", &r_s, &rbuf, 0); + ok = (rbuf.offset != 0); - if (p && r_s.status != 0) - { - /* report error code */ - DEBUG(0,("NET_SAMLOGOFF: %s\n", get_nt_error_msg(r_s.status))); - p = False; - } - - if (p) - { - if (clnt_deal_with_creds(sess_key, sto_clnt_cred, &(r_s.srv_creds))) - { - DEBUG(5, ("do_net_sam_logoff: server credential check OK\n")); - /* ok, at last: we're happy. return the challenge */ - memcpy(srv_cred, &(r_s.srv_creds), sizeof(r_s.srv_creds)); - valid_cred = True; - } - else - { - DEBUG(5, ("do_net_sam_logoff: server credential check failed\n")); - } - } - } - - prs_mem_free(&rbuf); - prs_mem_free(&buf ); - - - return valid_cred; + if (ok && r_s.status != 0) + { + /* report error code */ + DEBUG(0,("NET_SAMLOGOFF: %s\n", get_nt_error_msg(r_s.status))); + ok = False; + } + + if (ok) + { + if (clnt_deal_with_creds(sess_key, sto_clnt_cred, &(r_s.srv_creds))) + { + DEBUG(5, ("do_net_sam_logoff: server credential check OK\n")); + /* ok, at last: we're happy. return the challenge */ + memcpy(srv_cred, &(r_s.srv_creds), sizeof(r_s.srv_creds)); + valid_cred = True; + } + else + { + DEBUG(5, ("do_net_sam_logoff: server credential check failed\n")); + } + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + return valid_cred; } - - -- cgit From e7ac86607c80912e55ac7179b100cea22749c16f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 25 Apr 1998 01:12:08 +0000 Subject: This looks like a big change but really isn't. It is changing the global variables "myname" and "myworkgroup" to "global_myname" and "global_myworkgroup" respectively. This is to make it very explicit when we are messing with a global (don't ask - it makes the domain client code much clearer :-). Jeremy. (This used to be commit 866406bfe399cf757c8275093dacd5ce4843afa0) --- source3/rpc_client/cli_netlogon.c | 57 ++++++++++++++++++--------------------- 1 file changed, 26 insertions(+), 31 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index a1a868ce96..654445b31d 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -65,7 +65,7 @@ BOOL do_net_logon_ctrl2(struct cli_state *cli, uint16 fnum, net_io_q_logon_ctrl2("", &q_l, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, fnum, NET_LOGON_CTRL2, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, NET_LOGON_CTRL2, &buf, &rbuf)) { NET_R_LOGON_CTRL2 r_l; BOOL ok; @@ -77,6 +77,7 @@ BOOL do_net_logon_ctrl2(struct cli_state *cli, uint16 fnum, { /* report error code */ DEBUG(0,("NET_R_LOGON_CTRL: %s\n", get_nt_error_msg(r_l.status))); + cli->nt_error = r_l.status; ok = False; } @@ -96,38 +97,32 @@ BOOL do_net_logon_ctrl2(struct cli_state *cli, uint16 fnum, do a LSA Authenticate 2 ****************************************************************************/ -BOOL do_net_auth2(struct cli_state *cli, uint16 fnum, - char *logon_srv, char *acct_name, uint16 sec_chan, - char *comp_name, DOM_CHAL *clnt_chal, uint32 neg_flags, - DOM_CHAL *srv_chal) +BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, + uint32 neg_flags, DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) { prs_struct rbuf; prs_struct buf; NET_Q_AUTH_2 q_a; BOOL valid_chal = False; - if (srv_chal == NULL || clnt_chal == NULL) - return False; - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - /* create and send a MSRPC command with api NET_AUTH2 */ DEBUG(4,("LSA Authenticate 2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %lx\n", - logon_srv, acct_name, sec_chan, comp_name, + cli->srv_name, cli->mach_acct, sec_chan, global_myname, credstr(clnt_chal->data), neg_flags)); /* store the parameters */ - make_q_auth_2(&q_a, logon_srv, acct_name, sec_chan, comp_name, + make_q_auth_2(&q_a, cli->srv_name, cli->mach_acct, sec_chan, global_myname, clnt_chal, neg_flags); /* turn parameters into data stream */ net_io_q_auth_2("", &q_a, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, fnum, NET_AUTH2, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, NET_AUTH2, &buf, &rbuf)) { NET_R_AUTH_2 r_a; BOOL ok; @@ -139,6 +134,7 @@ BOOL do_net_auth2(struct cli_state *cli, uint16 fnum, { /* report error code */ DEBUG(0,("NET_AUTH2: %s\n", get_nt_error_msg(r_a.status))); + cli->nt_error = r_a.status; ok = False; } @@ -168,9 +164,7 @@ BOOL do_net_auth2(struct cli_state *cli, uint16 fnum, do a LSA Request Challenge ****************************************************************************/ -BOOL do_net_req_chal(struct cli_state *cli, uint16 fnum, - char *desthost, char *myhostname, - DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) +BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) { prs_struct rbuf; prs_struct buf; @@ -183,20 +177,19 @@ BOOL do_net_req_chal(struct cli_state *cli, uint16 fnum, prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - /* create and send a MSRPC command with api NET_REQCHAL */ - DEBUG(4,("LSA Request Challenge from %s to %s: %s\n", - desthost, myhostname, credstr(clnt_chal->data))); + DEBUG(4,("cli_net_req_chal: LSA Request Challenge from %s to %s: %s\n", + cli->desthost, global_myname, credstr(clnt_chal->data))); /* store the parameters */ - make_q_req_chal(&q_c, desthost, myhostname, clnt_chal); + make_q_req_chal(&q_c, desthost, global_myname, clnt_chal); /* turn parameters into data stream */ net_io_q_req_chal("", &q_c, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, fnum, NET_REQCHAL, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, NET_REQCHAL, &buf, &rbuf)) { NET_R_REQ_CHAL r_c; BOOL ok; @@ -208,6 +201,7 @@ BOOL do_net_req_chal(struct cli_state *cli, uint16 fnum, { /* report error code */ DEBUG(0,("NET_REQ_CHAL: %s\n", get_nt_error_msg(r_c.status))); + cli->nt_error = r_a.status; ok = False; } @@ -261,7 +255,7 @@ BOOL do_net_srv_pwset(struct cli_state *cli, uint16 fnum, net_io_q_srv_pwset("", &q_s, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, fnum, NET_SRVPWSET, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, NET_SRVPWSET, &buf, &rbuf)) { NET_R_SRV_PWSET r_s; BOOL ok; @@ -273,6 +267,7 @@ BOOL do_net_srv_pwset(struct cli_state *cli, uint16 fnum, { /* report error code */ DEBUG(0,("NET_R_SRV_PWSET: %s\n", get_nt_error_msg(r_s.status))); + cli->nt_error = r_s.status; ok = False; } @@ -302,8 +297,7 @@ BOOL do_net_srv_pwset(struct cli_state *cli, uint16 fnum, do a LSA SAM Logon ****************************************************************************/ -BOOL do_net_sam_logon(struct cli_state *cli, uint16 fnum, - uchar sess_key[8], DOM_CRED *sto_clnt_cred, +BOOL cli_net_sam_logon(struct cli_state *cli, DOM_CRED *sto_clnt_cred, char *logon_srv, char *comp_name, DOM_CRED *clnt_cred, DOM_CRED *rtn_cred, uint16 logon_level, NET_ID_INFO_CTR *ctr, @@ -321,24 +315,23 @@ BOOL do_net_sam_logon(struct cli_state *cli, uint16 fnum, prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - /* create and send a MSRPC command with api NET_SAMLOGON */ DEBUG(4,("LSA SAM Logon: srv:%s mc:%s clnt %s %lx rtn: %s %lx ll: %d\n", - logon_srv, comp_name, - credstr(clnt_cred->challenge.data), clnt_cred->timestamp.time, + cli->srv_name, global_myname, + credstr(cli->clnt_cred->challenge.data), cli->clnt_cred->timestamp.time, credstr(rtn_cred->challenge.data), rtn_cred ->timestamp.time, logon_level)); /* store the parameters */ - make_sam_info(&(q_s.sam_id), logon_srv, comp_name, - clnt_cred, rtn_cred, logon_level, ctr, validation_level); + make_sam_info(&(q_s.sam_id), cli->srv_name, global_myname, + cli->clnt_cred, rtn_cred, logon_level, ctr, validation_level); /* turn parameters into data stream */ net_io_q_sam_logon("", &q_s, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, fnum, NET_SAMLOGON, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, NET_SAMLOGON, &buf, &rbuf)) { NET_R_SAM_LOGON r_s; BOOL ok; @@ -352,6 +345,7 @@ BOOL do_net_sam_logon(struct cli_state *cli, uint16 fnum, { /* report error code */ DEBUG(0,("NET_SAMLOGON: %s\n", get_nt_error_msg(r_s.status))); + cli->nt_error = r_s.status; ok = False; } @@ -365,7 +359,7 @@ BOOL do_net_sam_logon(struct cli_state *cli, uint16 fnum, if (ok) { - if (clnt_deal_with_creds(sess_key, sto_clnt_cred, &(r_s.srv_creds))) + if (clnt_deal_with_creds(cli->sess_key, sto_clnt_cred, &(r_s.srv_creds))) { DEBUG(5, ("do_net_sam_logon: server credential check OK\n")); /* ok, at last: we're happy. return the challenge */ @@ -423,7 +417,7 @@ BOOL do_net_sam_logoff(struct cli_state *cli, uint16 fnum, net_io_q_sam_logoff("", &q_s, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, fnum, NET_SAMLOGOFF, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, NET_SAMLOGOFF, &buf, &rbuf)) { NET_R_SAM_LOGOFF r_s; BOOL ok; @@ -435,6 +429,7 @@ BOOL do_net_sam_logoff(struct cli_state *cli, uint16 fnum, { /* report error code */ DEBUG(0,("NET_SAMLOGOFF: %s\n", get_nt_error_msg(r_s.status))); + cli->nt_error = r_s.status; ok = False; } -- cgit From 22abe47e29bf25a52e39026d03e38b49bab25ac9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 28 Apr 1998 01:24:40 +0000 Subject: First version that compiles. Much more to do..... Jeremy. (This used to be commit 45393a19adb31820725fbdfaaf7ab64793fc9bc5) --- source3/rpc_client/cli_netlogon.c | 238 ++++++++++++++++++++------------------ 1 file changed, 123 insertions(+), 115 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 654445b31d..91dbd27421 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -1,4 +1,3 @@ - /* * Unix SMB/Netbios implementation. * Version 1.9. @@ -6,7 +5,8 @@ * Copyright (C) Andrew Tridgell 1992-1997, * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, * Copyright (C) Paul Ashton 1997. - * + * Copyright (C) Jeremy Allison 1998. + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or @@ -30,36 +30,30 @@ #include "includes.h" extern int DEBUGLEVEL; +extern pstring global_myname; +extern fstring global_myworkgroup; /**************************************************************************** do a LSA Logon Control2 ****************************************************************************/ -BOOL do_net_logon_ctrl2(struct cli_state *cli, uint16 fnum, - char *host_name, uint32 status_level) +BOOL do_net_logon_ctrl2(struct cli_state *cli, uint32 status_level) { prs_struct rbuf; prs_struct buf; NET_Q_LOGON_CTRL2 q_l; - BOOL valid_ctrl2 = False; - fstring acct_name; - - if (host_name == NULL) - return False; + BOOL ok = False; prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - strcpy(acct_name, "\\\\"); - strcat(acct_name, host_name); - /* create and send a MSRPC command with api NET_LOGON_CTRL2 */ - DEBUG(4,("LSA Logon Control2 from %s status level:%x\n", - host_name, status_level)); + DEBUG(4,("do_net_logon_ctrl2 from %s status level:%x\n", + global_myname, status_level)); /* store the parameters */ - make_q_logon_ctrl2(&q_l, acct_name, status_level); + make_q_logon_ctrl2(&q_l, cli->srv_name_slash, status_level); /* turn parameters into data stream */ net_io_q_logon_ctrl2("", &q_l, &buf, 0); @@ -68,7 +62,6 @@ BOOL do_net_logon_ctrl2(struct cli_state *cli, uint16 fnum, if (rpc_api_pipe_req(cli, NET_LOGON_CTRL2, &buf, &rbuf)) { NET_R_LOGON_CTRL2 r_l; - BOOL ok; net_io_r_logon_ctrl2("", &r_l, &rbuf, 0); ok = (rbuf.offset != 0); @@ -76,47 +69,46 @@ BOOL do_net_logon_ctrl2(struct cli_state *cli, uint16 fnum, if (ok && r_l.status != 0) { /* report error code */ - DEBUG(0,("NET_R_LOGON_CTRL: %s\n", get_nt_error_msg(r_l.status))); + DEBUG(0,("do_net_logon_ctrl2: Error %s\n", get_nt_error_msg(r_l.status))); cli->nt_error = r_l.status; ok = False; } - - if (ok) - { - valid_ctrl2 = True; - } } prs_mem_free(&rbuf); prs_mem_free(&buf ); - return valid_ctrl2; + return ok; } /**************************************************************************** -do a LSA Authenticate 2 +LSA Authenticate 2 + +Send the client credential, receive back a server credential. +Ensure that the server credential returned matches the session key +encrypt of the server challenge originally received. JRA. ****************************************************************************/ BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, - uint32 neg_flags, DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) + uint32 neg_flags, DOM_CHAL *srv_chal) { prs_struct rbuf; prs_struct buf; NET_Q_AUTH_2 q_a; - BOOL valid_chal = False; + BOOL ok = False; prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); /* create and send a MSRPC command with api NET_AUTH2 */ - DEBUG(4,("LSA Authenticate 2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %lx\n", - cli->srv_name, cli->mach_acct, sec_chan, global_myname, - credstr(clnt_chal->data), neg_flags)); + DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %lx\n", + cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, + credstr(cli->clnt_cred.challenge.data), neg_flags)); /* store the parameters */ - make_q_auth_2(&q_a, cli->srv_name, cli->mach_acct, sec_chan, global_myname, - clnt_chal, neg_flags); + make_q_auth_2(&q_a, cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, + &cli->clnt_cred.challenge, neg_flags); /* turn parameters into data stream */ net_io_q_auth_2("", &q_a, &buf, 0); @@ -125,7 +117,6 @@ BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, if (rpc_api_pipe_req(cli, NET_AUTH2, &buf, &rbuf)) { NET_R_AUTH_2 r_a; - BOOL ok; net_io_r_auth_2("", &r_a, &rbuf, 0); ok = (rbuf.offset != 0); @@ -133,35 +124,49 @@ BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, if (ok && r_a.status != 0) { /* report error code */ - DEBUG(0,("NET_AUTH2: %s\n", get_nt_error_msg(r_a.status))); + DEBUG(0,("cli_net_auth2: Error %s\n", get_nt_error_msg(r_a.status))); cli->nt_error = r_a.status; ok = False; } + if (ok) + { + /* + * Check the returned value using the initial + * server received challenge. + */ + UTIME zerotime; + + zerotime.time = 0; + if(cred_assert( &r_a.srv_chal, cli->sess_key, srv_chal, zerotime) == 0) { + /* + * Server replied with bad credential. Fail. + */ + DEBUG(0,("cli_net_auth2: server %s replied with bad credential (bad machine \ +password ?).\n", cli->desthost )); + ok = False; + } + } + if (ok && r_a.srv_flgs.neg_flags != q_a.clnt_flgs.neg_flags) { /* report different neg_flags */ - DEBUG(0,("NET_AUTH2: error neg_flags (q,r) differ - (%lx,%lx)\n", + DEBUG(0,("cli_net_auth2: error neg_flags (q,r) differ - (%lx,%lx)\n", q_a.clnt_flgs.neg_flags, r_a.srv_flgs.neg_flags)); ok = False; } - if (ok) - { - /* ok, at last: we're happy. return the challenge */ - memcpy(srv_chal, r_a.srv_chal.data, sizeof(srv_chal->data)); - valid_chal = True; - } } prs_mem_free(&rbuf); prs_mem_free(&buf ); - return valid_chal; + return ok; } /**************************************************************************** -do a LSA Request Challenge +LSA Request Challenge. Sends our challenge to server, then gets +server response. These are used to generate the credentials. ****************************************************************************/ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) @@ -183,7 +188,7 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_ cli->desthost, global_myname, credstr(clnt_chal->data))); /* store the parameters */ - make_q_req_chal(&q_c, desthost, global_myname, clnt_chal); + make_q_req_chal(&q_c, cli->srv_name_slash, global_myname, clnt_chal); /* turn parameters into data stream */ net_io_q_req_chal("", &q_c, &buf, 0); @@ -200,8 +205,8 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_ if (ok && r_c.status != 0) { /* report error code */ - DEBUG(0,("NET_REQ_CHAL: %s\n", get_nt_error_msg(r_c.status))); - cli->nt_error = r_a.status; + DEBUG(0,("cli_net_req_chal: Error %s\n", get_nt_error_msg(r_c.status))); + cli->nt_error = r_c.status; ok = False; } @@ -219,6 +224,7 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_ return valid_chal; } +#if 0 /*************************************************************************** do a LSA Server Password Set ****************************************************************************/ @@ -244,7 +250,7 @@ BOOL do_net_srv_pwset(struct cli_state *cli, uint16 fnum, /* create and send a MSRPC command with api NET_SRV_PWSET */ DEBUG(4,("LSA Server Password Set: srv:%s acct:%s sc: %d mc: %s clnt %s %lx\n", - logon_srv, mach_acct, sec_chan_type, comp_name, + cli->srv_name_slash, mach_acct, sec_chan_type, comp_name, credstr(clnt_cred->challenge.data), clnt_cred->timestamp.time)); /* store the parameters */ @@ -292,40 +298,47 @@ BOOL do_net_srv_pwset(struct cli_state *cli, uint16 fnum, return valid_cred; } +#endif /*************************************************************************** -do a LSA SAM Logon +LSA SAM Logon. ****************************************************************************/ -BOOL cli_net_sam_logon(struct cli_state *cli, DOM_CRED *sto_clnt_cred, - char *logon_srv, char *comp_name, - DOM_CRED *clnt_cred, DOM_CRED *rtn_cred, - uint16 logon_level, NET_ID_INFO_CTR *ctr, - uint16 validation_level, NET_USER_INFO_3 *user_info3, - DOM_CRED *srv_cred) +BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, + NET_USER_INFO_3 *user_info3) { + DOM_CRED new_clnt_cred; prs_struct rbuf; prs_struct buf; + uint16 validation_level = 3; NET_Q_SAM_LOGON q_s; - BOOL valid_cred = False; + BOOL ok = False; - if (srv_cred == NULL || clnt_cred == NULL || rtn_cred == NULL || user_info3 == NULL) - return False; + /* + * Create the new client credentials. + */ + + cli->clnt_cred.timestamp.time = time(NULL); + + memcpy(&new_clnt_cred, &cli->clnt_cred, sizeof(new_clnt_cred)); + + /* Calculate the new credentials. */ + cred_create(cli->sess_key, &(cli->clnt_cred.challenge), + new_clnt_cred.timestamp, &(new_clnt_cred.challenge)); prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); /* create and send a MSRPC command with api NET_SAMLOGON */ - DEBUG(4,("LSA SAM Logon: srv:%s mc:%s clnt %s %lx rtn: %s %lx ll: %d\n", - cli->srv_name, global_myname, - credstr(cli->clnt_cred->challenge.data), cli->clnt_cred->timestamp.time, - credstr(rtn_cred->challenge.data), rtn_cred ->timestamp.time, - logon_level)); + DEBUG(4,("cli_net_sam_logon: srv:%s mc:%s clnt %s %lx ll: %d\n", + cli->srv_name_slash, global_myname, + credstr(new_clnt_cred.challenge.data), cli->clnt_cred.timestamp.time, + ctr->switch_value)); /* store the parameters */ - make_sam_info(&(q_s.sam_id), cli->srv_name, global_myname, - cli->clnt_cred, rtn_cred, logon_level, ctr, validation_level); + make_sam_info(&(q_s.sam_id), cli->srv_name_slash, global_myname, + &new_clnt_cred, NULL, ctr->switch_value, ctr, validation_level); /* turn parameters into data stream */ net_io_q_sam_logon("", &q_s, &buf, 0); @@ -334,7 +347,6 @@ BOOL cli_net_sam_logon(struct cli_state *cli, DOM_CRED *sto_clnt_cred, if (rpc_api_pipe_req(cli, NET_SAMLOGON, &buf, &rbuf)) { NET_R_SAM_LOGON r_s; - BOOL ok; r_s.user = user_info3; @@ -344,74 +356,75 @@ BOOL cli_net_sam_logon(struct cli_state *cli, DOM_CRED *sto_clnt_cred, if (ok && r_s.status != 0) { /* report error code */ - DEBUG(0,("NET_SAMLOGON: %s\n", get_nt_error_msg(r_s.status))); + DEBUG(0,("cli_net_sam_logon: %s\n", get_nt_error_msg(r_s.status))); cli->nt_error = r_s.status; ok = False; } + /* Update the credentials. */ + if (clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_creds)) == 0) + { + /* + * Server replied with bad credential. Fail. + */ + DEBUG(0,("cli_net_sam_logon: server %s replied with bad credential (bad machine \ +password ?).\n", cli->desthost )); + ok = False; + } + if (ok && r_s.switch_value != 3) { /* report different switch_value */ - DEBUG(0,("NET_SAMLOGON: switch_value of 3 expected %x\n", + DEBUG(0,("cli_net_sam_logon: switch_value of 3 expected %x\n", r_s.switch_value)); ok = False; } - - if (ok) - { - if (clnt_deal_with_creds(cli->sess_key, sto_clnt_cred, &(r_s.srv_creds))) - { - DEBUG(5, ("do_net_sam_logon: server credential check OK\n")); - /* ok, at last: we're happy. return the challenge */ - memcpy(srv_cred, &(r_s.srv_creds), sizeof(r_s.srv_creds)); - valid_cred = True; - } - else - { - DEBUG(5, ("do_net_sam_logon: server credential check failed\n")); - } - } } prs_mem_free(&rbuf); prs_mem_free(&buf ); - return valid_cred; + return ok; } /*************************************************************************** -do a LSA SAM Logoff +LSA SAM Logoff. ****************************************************************************/ -BOOL do_net_sam_logoff(struct cli_state *cli, uint16 fnum, - uchar sess_key[8], DOM_CRED *sto_clnt_cred, - char *logon_srv, char *comp_name, - DOM_CRED *clnt_cred, DOM_CRED *rtn_cred, - uint16 logon_level, NET_ID_INFO_CTR *ctr, - uint16 validation_level, DOM_CRED *srv_cred) +BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) { + DOM_CRED new_clnt_cred; prs_struct rbuf; prs_struct buf; NET_Q_SAM_LOGOFF q_s; - BOOL valid_cred = False; + uint16 validation_level = 3; + BOOL ok = False; - if (srv_cred == NULL || clnt_cred == NULL || rtn_cred == NULL) - return False; + /* + * Create the new client credentials. + */ + + cli->clnt_cred.timestamp.time = time(NULL); + + memcpy(&new_clnt_cred, &cli->clnt_cred, sizeof(new_clnt_cred)); + + /* Calculate the new credentials. */ + cred_create(cli->sess_key, &(cli->clnt_cred.challenge), + new_clnt_cred.timestamp, &(new_clnt_cred.challenge)); prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - /* create and send a MSRPC command with api NET_SAMLOGON */ + /* create and send a MSRPC command with api NET_SAMLOGOFF */ - DEBUG(4,("LSA SAM Logoff: srv:%s mc:%s clnt %s %lx rtn: %s %lx ll: %d\n", - logon_srv, comp_name, - credstr(clnt_cred->challenge.data), clnt_cred->timestamp.time, - credstr(rtn_cred->challenge.data), rtn_cred ->timestamp.time, - logon_level)); + DEBUG(4,("cli_net_sam_logoff: srv:%s mc:%s clnt %s %lx ll: %d\n", + cli->srv_name_slash, global_myname, + credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time, + ctr->switch_value)); /* store the parameters */ - make_sam_info(&(q_s.sam_id), logon_srv, comp_name, - clnt_cred, rtn_cred, logon_level, ctr, validation_level); + make_sam_info(&(q_s.sam_id), cli->srv_name_slash, global_myname, + &new_clnt_cred, NULL, ctr->switch_value, ctr, validation_level); /* turn parameters into data stream */ net_io_q_sam_logoff("", &q_s, &buf, 0); @@ -420,7 +433,6 @@ BOOL do_net_sam_logoff(struct cli_state *cli, uint16 fnum, if (rpc_api_pipe_req(cli, NET_SAMLOGOFF, &buf, &rbuf)) { NET_R_SAM_LOGOFF r_s; - BOOL ok; net_io_r_sam_logoff("", &r_s, &rbuf, 0); ok = (rbuf.offset != 0); @@ -428,29 +440,25 @@ BOOL do_net_sam_logoff(struct cli_state *cli, uint16 fnum, if (ok && r_s.status != 0) { /* report error code */ - DEBUG(0,("NET_SAMLOGOFF: %s\n", get_nt_error_msg(r_s.status))); + DEBUG(0,("cli_net_sam_logoff: %s\n", get_nt_error_msg(r_s.status))); cli->nt_error = r_s.status; ok = False; } - if (ok) + /* Update the credentials. */ + if (clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_creds)) == 0) { - if (clnt_deal_with_creds(sess_key, sto_clnt_cred, &(r_s.srv_creds))) - { - DEBUG(5, ("do_net_sam_logoff: server credential check OK\n")); - /* ok, at last: we're happy. return the challenge */ - memcpy(srv_cred, &(r_s.srv_creds), sizeof(r_s.srv_creds)); - valid_cred = True; - } - else - { - DEBUG(5, ("do_net_sam_logoff: server credential check failed\n")); - } + /* + * Server replied with bad credential. Fail. + */ + DEBUG(0,("cli_net_sam_logoff: server %s replied with bad credential (bad machine \ +password ?).\n", cli->desthost )); + ok = False; } } prs_mem_free(&rbuf); prs_mem_free(&buf ); - return valid_cred; + return ok; } -- cgit From d3832506b2583130c4f4ba4b3edeabca987b7cbb Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 29 Apr 1998 00:02:57 +0000 Subject: This is the checkin that adds the security=domain functionality. WARNING - so far this has only been tested against a Samba PDC (still waiting for IS to add me the machine accounts :-). Still missing is the code in smbpasswd that will add a machine account password and change it on the domain controller, but this is not hard, and I will check it in soon. Jeremy. (This used to be commit 17b94a7084621b3f0106dd4d3386f05cdfc56d19) --- source3/rpc_client/cli_netlogon.c | 100 +++++++++++++++++--------------------- 1 file changed, 44 insertions(+), 56 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 91dbd27421..a8aba1c5dc 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -33,11 +33,30 @@ extern int DEBUGLEVEL; extern pstring global_myname; extern fstring global_myworkgroup; +/**************************************************************************** +Generate the next creds to use. +****************************************************************************/ + +static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) +{ + /* + * Create the new client credentials. + */ + + cli->clnt_cred.timestamp.time = time(NULL); + + memcpy(new_clnt_cred, &cli->clnt_cred, sizeof(*new_clnt_cred)); + + /* Calculate the new credentials. */ + cred_create(cli->sess_key, &(cli->clnt_cred.challenge), + new_clnt_cred->timestamp, &(new_clnt_cred->challenge)); +} + /**************************************************************************** do a LSA Logon Control2 ****************************************************************************/ -BOOL do_net_logon_ctrl2(struct cli_state *cli, uint32 status_level) +BOOL cli_net_logon_ctrl2(struct cli_state *cli, uint32 status_level) { prs_struct rbuf; prs_struct buf; @@ -224,38 +243,33 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_ return valid_chal; } -#if 0 /*************************************************************************** -do a LSA Server Password Set +LSA Server Password Set. ****************************************************************************/ -BOOL do_net_srv_pwset(struct cli_state *cli, uint16 fnum, - uchar sess_key[16], DOM_CRED *sto_clnt_cred, - char *logon_srv, char *mach_acct, uint16 sec_chan_type, - char *comp_name, DOM_CRED *clnt_cred, DOM_CRED *srv_cred, - uint8 nt_owf_new_mach_pwd[16]) +BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) { prs_struct rbuf; prs_struct buf; + DOM_CRED new_clnt_cred; NET_Q_SRV_PWSET q_s; - BOOL valid_cred = False; + BOOL ok = False; + uint16 sec_chan_type = 2; - if (srv_cred == NULL || clnt_cred == NULL) - return False; + gen_next_creds( cli, &new_clnt_cred); prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - /* create and send a MSRPC command with api NET_SRV_PWSET */ - DEBUG(4,("LSA Server Password Set: srv:%s acct:%s sc: %d mc: %s clnt %s %lx\n", - cli->srv_name_slash, mach_acct, sec_chan_type, comp_name, - credstr(clnt_cred->challenge.data), clnt_cred->timestamp.time)); + DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s clnt %s %lx\n", + cli->srv_name_slash, cli->mach_acct, sec_chan_type, global_myname, + credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time)); /* store the parameters */ - make_q_srv_pwset(&q_s, sess_key, logon_srv, mach_acct, sec_chan_type, - comp_name, clnt_cred, nt_owf_new_mach_pwd); + make_q_srv_pwset(&q_s, cli->srv_name_slash, cli->mach_acct, sec_chan_type, + global_myname, &new_clnt_cred, hashed_mach_pwd); /* turn parameters into data stream */ net_io_q_srv_pwset("", &q_s, &buf, 0); @@ -264,7 +278,6 @@ BOOL do_net_srv_pwset(struct cli_state *cli, uint16 fnum, if (rpc_api_pipe_req(cli, NET_SRVPWSET, &buf, &rbuf)) { NET_R_SRV_PWSET r_s; - BOOL ok; net_io_r_srv_pwset("", &r_s, &rbuf, 0); ok = (rbuf.offset != 0); @@ -277,31 +290,26 @@ BOOL do_net_srv_pwset(struct cli_state *cli, uint16 fnum, ok = False; } - if (ok) + /* Update the credentials. */ + if (clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_cred)) == 0) { - if (clnt_deal_with_creds(sess_key, sto_clnt_cred, &(r_s.srv_cred))) - { - DEBUG(5, ("do_net_srv_pwset: server credential check OK\n")); - /* ok, at last: we're happy. return the challenge */ - memcpy(srv_cred, &(r_s.srv_cred), sizeof(r_s.srv_cred)); - valid_cred = True; - } - else - { - DEBUG(5, ("do_net_srv_pwset: server credential check failed\n")); - } + /* + * Server replied with bad credential. Fail. + */ + DEBUG(0,("cli_net_srv_pwset: server %s replied with bad credential (bad machine \ +password ?).\n", cli->desthost )); + ok = False; } } prs_mem_free(&rbuf); prs_mem_free(&buf ); - return valid_cred; + return ok; } -#endif /*************************************************************************** -LSA SAM Logon. +LSA SAM Logon - interactive or network. ****************************************************************************/ BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, @@ -314,17 +322,7 @@ BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, NET_Q_SAM_LOGON q_s; BOOL ok = False; - /* - * Create the new client credentials. - */ - - cli->clnt_cred.timestamp.time = time(NULL); - - memcpy(&new_clnt_cred, &cli->clnt_cred, sizeof(new_clnt_cred)); - - /* Calculate the new credentials. */ - cred_create(cli->sess_key, &(cli->clnt_cred.challenge), - new_clnt_cred.timestamp, &(new_clnt_cred.challenge)); + gen_next_creds( cli, &new_clnt_cred); prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); @@ -400,17 +398,7 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) uint16 validation_level = 3; BOOL ok = False; - /* - * Create the new client credentials. - */ - - cli->clnt_cred.timestamp.time = time(NULL); - - memcpy(&new_clnt_cred, &cli->clnt_cred, sizeof(new_clnt_cred)); - - /* Calculate the new credentials. */ - cred_create(cli->sess_key, &(cli->clnt_cred.challenge), - new_clnt_cred.timestamp, &(new_clnt_cred.challenge)); + gen_next_creds( cli, &new_clnt_cred); prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); @@ -453,7 +441,7 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) */ DEBUG(0,("cli_net_sam_logoff: server %s replied with bad credential (bad machine \ password ?).\n", cli->desthost )); - ok = False; + ok = False; } } -- cgit From e305c2c9e2e657974d34d1d58a8f9372921fdae2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 29 Apr 1998 19:22:01 +0000 Subject: clientgen.c: Fixed null session setup bug. password.c: Stopped cli_nt_logout call (we don't have it correct yet). Added Luke object-orientation fix :-). smb.h: Added clnt_name_slash to cli_state. lib/rpc/client/cli_login.c: Changed global_myname to clnt_name_slash where needed. lib/rpc/client/cli_netlogon.c: Fixed debug messages, don't check creds on error. lib/rpc/client/cli_pipe.c: Fixed debug messages, Added Luke object-orientation fix. lib/rpc/parse/parse_misc.c: Fixed STRING2 linearization bug that was adding 1. Jeremy. (This used to be commit c6c22df20196cb7f0ae84b1a1dd202a87adb8d4e) --- source3/rpc_client/cli_netlogon.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index a8aba1c5dc..da74bc6bc6 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -50,6 +50,7 @@ static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) /* Calculate the new credentials. */ cred_create(cli->sess_key, &(cli->clnt_cred.challenge), new_clnt_cred->timestamp, &(new_clnt_cred->challenge)); + } /**************************************************************************** @@ -285,13 +286,13 @@ BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) if (ok && r_s.status != 0) { /* report error code */ - DEBUG(0,("NET_R_SRV_PWSET: %s\n", get_nt_error_msg(r_s.status))); + DEBUG(0,("cli_net_srv_pwset: %s\n", get_nt_error_msg(r_s.status))); cli->nt_error = r_s.status; ok = False; } /* Update the credentials. */ - if (clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_cred)) == 0) + if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_cred))) { /* * Server replied with bad credential. Fail. @@ -316,6 +317,7 @@ BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3) { DOM_CRED new_clnt_cred; + DOM_CRED dummy_rtn_creds; prs_struct rbuf; prs_struct buf; uint16 validation_level = 3; @@ -334,9 +336,11 @@ BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, credstr(new_clnt_cred.challenge.data), cli->clnt_cred.timestamp.time, ctr->switch_value)); + memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); + /* store the parameters */ make_sam_info(&(q_s.sam_id), cli->srv_name_slash, global_myname, - &new_clnt_cred, NULL, ctr->switch_value, ctr, validation_level); + &new_clnt_cred, &dummy_rtn_creds, ctr->switch_value, ctr, validation_level); /* turn parameters into data stream */ net_io_q_sam_logon("", &q_s, &buf, 0); @@ -360,7 +364,7 @@ BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, } /* Update the credentials. */ - if (clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_creds)) == 0) + if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_creds))) { /* * Server replied with bad credential. Fail. @@ -387,11 +391,18 @@ password ?).\n", cli->desthost )); /*************************************************************************** LSA SAM Logoff. + +This currently doesnt work correctly as the domain controller +returns NT_STATUS_INVALID_INFO_CLASS - we obviously need to +send a different info level. Right now though, I'm not sure +what that needs to be (I need to see one on the wire before +I can be sure). JRA. ****************************************************************************/ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) { DOM_CRED new_clnt_cred; + DOM_CRED dummy_rtn_creds; prs_struct rbuf; prs_struct buf; NET_Q_SAM_LOGOFF q_s; @@ -410,9 +421,11 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time, ctr->switch_value)); + memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); + /* store the parameters */ make_sam_info(&(q_s.sam_id), cli->srv_name_slash, global_myname, - &new_clnt_cred, NULL, ctr->switch_value, ctr, validation_level); + &new_clnt_cred, &dummy_rtn_creds, ctr->switch_value, ctr, validation_level); /* turn parameters into data stream */ net_io_q_sam_logoff("", &q_s, &buf, 0); @@ -434,7 +447,7 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) } /* Update the credentials. */ - if (clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_creds)) == 0) + if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_creds))) { /* * Server replied with bad credential. Fail. -- cgit From 3dfc0c847240ac7e12c39f4ed9c31a888949ade1 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 11 May 1998 06:38:36 +0000 Subject: changed to use slprintf() instead of sprintf() just about everywhere. I've implemented slprintf() as a bounds checked sprintf() using mprotect() and a non-writeable page. This should prevent any sprintf based security holes. (This used to be commit ee09e9dadb69aaba5a751dd20ccc6d587d841bd6) --- source3/rpc_client/cli_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index da74bc6bc6..6f96f392fb 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -270,7 +270,7 @@ BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) /* store the parameters */ make_q_srv_pwset(&q_s, cli->srv_name_slash, cli->mach_acct, sec_chan_type, - global_myname, &new_clnt_cred, hashed_mach_pwd); + global_myname, &new_clnt_cred, (char *)hashed_mach_pwd); /* turn parameters into data stream */ net_io_q_srv_pwset("", &q_s, &buf, 0); -- cgit From 9bd7e1e8870da87ea6f3c9e78933beeb08b65a0c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 27 May 1998 00:30:52 +0000 Subject: loadparm.c: Added machine password timeout parameter - set to 7 days be default. password.c: Added code to tell server.c when machine password needs changing. server.c: Change machine password in idle cycles if it needs it. smbpassfile.c: Fixed up length calculations for machine password file. smbpasswd.c: Moved domain joining code/machine password changing code. lib/rpc/client/cli_netlogon.c: And this is where it now lives. Jeremy. (This used to be commit b8fedca6191de96159df0d1d17082d82e8e44773) --- source3/rpc_client/cli_netlogon.c | 165 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 165 insertions(+) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 6f96f392fb..7d79d88c46 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -463,3 +463,168 @@ password ?).\n", cli->desthost )); return ok; } + +/********************************************************* + Change the domain password on the PDC. +**********************************************************/ + +static BOOL modify_trust_password( char *domain, char *remote_machine, + unsigned char orig_trust_passwd_hash[16], + unsigned char new_trust_passwd_hash[16]) +{ + struct in_addr dest_ip; + struct cli_state cli; + + memset(&cli, '\0', sizeof(struct cli_state)); + if(cli_initialise(&cli) == False) { + DEBUG(0,("modify_trust_password: unable to initialize client connection.\n")); + return False; + } + + if(!resolve_name( remote_machine, &dest_ip)) { + DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine)); + return False; + } + + if (ismyip(dest_ip)) { + DEBUG(0,("modify_trust_password: Machine %s is one of our addresses. Cannot add \ +to ourselves.\n", remote_machine)); + return False; + } + + if (!cli_connect(&cli, remote_machine, &dest_ip)) { + DEBUG(0,("modify_trust_password: unable to connect to SMB server on \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + return False; + } + + if (!cli_session_request(&cli, remote_machine, 0x20, global_myname)) { + DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \ +Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + return False; + } + + cli.protocol = PROTOCOL_NT1; + + if (!cli_negprot(&cli)) { + DEBUG(0,("modify_trust_password: machine %s rejected the negotiate protocol. \ +Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + return False; + } + if (cli.protocol != PROTOCOL_NT1) { + DEBUG(0,("modify_trust_password: machine %s didn't negotiate NT protocol.\n", + remote_machine)); + cli_shutdown(&cli); + return False; + } + + /* + * Do an anonymous session setup. + */ + + if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) { + DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \ +Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + return False; + } + + if (!(cli.sec_mode & 1)) { + DEBUG(0,("modify_trust_password: machine %s isn't in user level security mode\n", + remote_machine)); + cli_shutdown(&cli); + return False; + } + + if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) { + DEBUG(0,("modify_trust_password: machine %s rejected the tconX on the IPC$ share. \ +Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + return False; + } + + /* + * Ok - we have an anonymous connection to the IPC$ share. + * Now start the NT Domain stuff :-). + */ + + if(cli_nt_session_open(&cli, PIPE_NETLOGON, False) == False) { + DEBUG(0,("modify_trust_password: unable to open the domain client session to \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); + cli_nt_session_close(&cli); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + + if(cli_nt_setup_creds(&cli, orig_trust_passwd_hash) == False) { + DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \ +%s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); + cli_nt_session_close(&cli); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + + if( cli_nt_srv_pwset( &cli,new_trust_passwd_hash ) == False) { + DEBUG(0,("modify_trust_password: unable to change password for machine %s in domain \ +%s to Domain controller %s. Error was %s.\n", global_myname, domain, remote_machine, + cli_errstr(&cli))); + cli_close(&cli, cli.nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + + cli_nt_session_close(&cli); + cli_ulogoff(&cli); + cli_shutdown(&cli); + + return True; +} + +/************************************************************************ + Change the trust account password for a domain. + The user of this function must have locked the trust password file for + update. +************************************************************************/ + +BOOL change_trust_account_password( char *domain, char *remote_machine_list) +{ + fstring remote_machine; + unsigned char old_trust_passwd_hash[16]; + unsigned char new_trust_passwd_hash[16]; + time_t lct; + + if(!get_trust_account_password( old_trust_passwd_hash, &lct)) { + DEBUG(0,("change_trust_account_password: unable to read the machine \ +account password for domain %s.\n", domain)); + return False; + } + + /* + * Create the new (random) password. + */ + generate_random_buffer( new_trust_passwd_hash, 16, True); + + while(remote_machine_list && next_token( &remote_machine_list, + remote_machine, LIST_SEP)) { + strupper(remote_machine); + if(modify_trust_password( domain, remote_machine, + old_trust_passwd_hash, new_trust_passwd_hash)) { + DEBUG(0,("%s : change_trust_account_password: Changed password for \ +domain %s.\n", timestring(), domain)); + /* + * Return the result of trying to write the new password + * back into the trust account file. + */ + return set_trust_account_password(new_trust_passwd_hash); + } + } + + DEBUG(0,("%s : change_trust_account_password: Failed to change password for \ +domain %s.\n", timestring(), domain)); + return False; +} -- cgit From b9623ab59e813131b1ed3f51616a46e719d59c21 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 14 Aug 1998 17:38:29 +0000 Subject: this is the bug change to using connection_struct* instead of cnum. Connections[] is now a local array in server.c I might have broken something with this change. In particular the oplock code is suspect and some .dll files aren't being oplocked when I expected them to be. I'll look at it after I've got some sleep. (This used to be commit c7ee025ead4a85b6fa44a832047b878451845fb6) --- source3/rpc_client/cli_netlogon.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 7d79d88c46..ebe35abbcb 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -122,7 +122,7 @@ BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, /* create and send a MSRPC command with api NET_AUTH2 */ - DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %lx\n", + DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, credstr(cli->clnt_cred.challenge.data), neg_flags)); @@ -171,7 +171,7 @@ password ?).\n", cli->desthost )); if (ok && r_a.srv_flgs.neg_flags != q_a.clnt_flgs.neg_flags) { /* report different neg_flags */ - DEBUG(0,("cli_net_auth2: error neg_flags (q,r) differ - (%lx,%lx)\n", + DEBUG(0,("cli_net_auth2: error neg_flags (q,r) differ - (%x,%x)\n", q_a.clnt_flgs.neg_flags, r_a.srv_flgs.neg_flags)); ok = False; } @@ -264,7 +264,7 @@ BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) /* create and send a MSRPC command with api NET_SRV_PWSET */ - DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s clnt %s %lx\n", + DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s clnt %s %x\n", cli->srv_name_slash, cli->mach_acct, sec_chan_type, global_myname, credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time)); @@ -331,7 +331,7 @@ BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, /* create and send a MSRPC command with api NET_SAMLOGON */ - DEBUG(4,("cli_net_sam_logon: srv:%s mc:%s clnt %s %lx ll: %d\n", + DEBUG(4,("cli_net_sam_logon: srv:%s mc:%s clnt %s %x ll: %d\n", cli->srv_name_slash, global_myname, credstr(new_clnt_cred.challenge.data), cli->clnt_cred.timestamp.time, ctr->switch_value)); @@ -416,7 +416,7 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) /* create and send a MSRPC command with api NET_SAMLOGOFF */ - DEBUG(4,("cli_net_sam_logoff: srv:%s mc:%s clnt %s %lx ll: %d\n", + DEBUG(4,("cli_net_sam_logoff: srv:%s mc:%s clnt %s %x ll: %d\n", cli->srv_name_slash, global_myname, credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time, ctr->switch_value)); -- cgit From 61b5fd6f32e9ccb612df1354a3e3b3bed5f2b808 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 31 Aug 1998 03:11:42 +0000 Subject: bounds check next_token() to prevent possible buffer overflows (This used to be commit 3eade55dc7c842bdc50205c330802d211fae54d3) --- source3/rpc_client/cli_netlogon.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index ebe35abbcb..59d85db675 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -609,8 +609,9 @@ account password for domain %s.\n", domain)); */ generate_random_buffer( new_trust_passwd_hash, 16, True); - while(remote_machine_list && next_token( &remote_machine_list, - remote_machine, LIST_SEP)) { + while(remote_machine_list && + next_token(&remote_machine_list, remote_machine, + LIST_SEP, sizeof(remote_machine))) { strupper(remote_machine); if(modify_trust_password( domain, remote_machine, old_trust_passwd_hash, new_trust_passwd_hash)) { -- cgit From e9ea36e4d2270bd7d32da12ef6d6e2299641582d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 5 Sep 1998 05:07:05 +0000 Subject: tridge the destroyer returns! prompted by the interpret_security() dead code that Jean-Francois pointed out I added a make target "finddead" that finds potentially dead (ie. unused) code. It spat out 304 function names ... I went through these are deleted many of them, making others static (finddead also reports functions that are used only in the local file). in doing this I have almost certainly deleted some useful code. I may have even prevented compilation with some compile options. I apologise. I decided it was better to get rid of this code now and add back the one or two functions that are needed than to keep all this baggage. So, if I have done a bit too much "destroying" then let me know. Keep the swearing to a minimum :) One bit I didn't do is the ubibt code. Chris, can you look at that? Heaps of unused functions there. Can they be made static? (This used to be commit 2204475c87f3024ea8fd1fbd7385b2def617a46f) --- source3/rpc_client/cli_netlogon.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 59d85db675..9d1fde50c0 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -53,10 +53,10 @@ static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) } +#if UNUSED_CODE /**************************************************************************** do a LSA Logon Control2 ****************************************************************************/ - BOOL cli_net_logon_ctrl2(struct cli_state *cli, uint32 status_level) { prs_struct rbuf; @@ -100,6 +100,7 @@ BOOL cli_net_logon_ctrl2(struct cli_state *cli, uint32 status_level) return ok; } +#endif /**************************************************************************** LSA Authenticate 2 @@ -389,6 +390,7 @@ password ?).\n", cli->desthost )); return ok; } +#if UNUSED_CODE /*************************************************************************** LSA SAM Logoff. @@ -398,7 +400,6 @@ send a different info level. Right now though, I'm not sure what that needs to be (I need to see one on the wire before I can be sure). JRA. ****************************************************************************/ - BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) { DOM_CRED new_clnt_cred; @@ -463,6 +464,7 @@ password ?).\n", cli->desthost )); return ok; } +#endif /********************************************************* Change the domain password on the PDC. -- cgit From f6044c87c021342d68d614d59bc8dacd32d223b9 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 5 Sep 1998 13:24:20 +0000 Subject: some cleanups to use ZERO_STRUCT() and friends (This used to be commit 7b154dc4313324dfad6cf0117b8ce246bf12bf16) --- source3/rpc_client/cli_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 9d1fde50c0..757c5166e8 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -477,7 +477,7 @@ static BOOL modify_trust_password( char *domain, char *remote_machine, struct in_addr dest_ip; struct cli_state cli; - memset(&cli, '\0', sizeof(struct cli_state)); + ZERO_STRUCT(cli); if(cli_initialise(&cli) == False) { DEBUG(0,("modify_trust_password: unable to initialize client connection.\n")); return False; -- cgit From 66d5d73a5d75e88a77970f7b27687b8354ab2e80 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Fri, 25 Sep 1998 21:01:52 +0000 Subject: added rpcclient program (This used to be commit aa38f39d67fade4dfd7badb7a9b39c833a1dd1ca) --- source3/rpc_client/cli_netlogon.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 757c5166e8..9af2a05f27 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -30,6 +30,7 @@ #include "includes.h" extern int DEBUGLEVEL; +extern pstring scope; extern pstring global_myname; extern fstring global_myworkgroup; @@ -474,8 +475,8 @@ static BOOL modify_trust_password( char *domain, char *remote_machine, unsigned char orig_trust_passwd_hash[16], unsigned char new_trust_passwd_hash[16]) { - struct in_addr dest_ip; struct cli_state cli; + struct nmb_name calling, called; ZERO_STRUCT(cli); if(cli_initialise(&cli) == False) { @@ -483,24 +484,29 @@ static BOOL modify_trust_password( char *domain, char *remote_machine, return False; } - if(!resolve_name( remote_machine, &dest_ip)) { + if(!resolve_name( remote_machine, &cli.dest_ip)) { DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine)); return False; } - if (ismyip(dest_ip)) { + if (ismyip(cli.dest_ip)) { DEBUG(0,("modify_trust_password: Machine %s is one of our addresses. Cannot add \ to ourselves.\n", remote_machine)); return False; } - if (!cli_connect(&cli, remote_machine, &dest_ip)) { + if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) { DEBUG(0,("modify_trust_password: unable to connect to SMB server on \ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) )); return False; } - if (!cli_session_request(&cli, remote_machine, 0x20, global_myname)) { + + make_nmb_name(&calling, global_myname , 0x0 , scope); + make_nmb_name(&called , remote_machine, 0x20, scope); + + if (!cli_session_request(&cli, &calling, &called)) + { DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \ Error was : %s.\n", remote_machine, cli_errstr(&cli) )); cli_shutdown(&cli); -- cgit From 40984f6b55212c710f6a7c7b940a785b2b607985 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 4 Oct 1998 12:00:40 +0000 Subject: - modified resolve_name() to take a name_type - cleaned up resolve_name() (split into separate functions for each resolver) - if can't find local master then use #1B name - support listing of foreign workgroups in /smb/ (This used to be commit a4e607c17d1119925c9d0e1d05e0fe81e9a2d1aa) --- source3/rpc_client/cli_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 9af2a05f27..2671bac773 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -484,7 +484,7 @@ static BOOL modify_trust_password( char *domain, char *remote_machine, return False; } - if(!resolve_name( remote_machine, &cli.dest_ip)) { + if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) { DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine)); return False; } -- cgit From c404bb775414139a4b07a73f79cf069a083acb26 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Thu, 15 Oct 1998 23:51:07 +0000 Subject: rpcclient interactive login (with trust account changing if you are root) cli_session_setup handles null sessions correctly (This used to be commit 60c0f22a4e84703467006dfe1971384a6294a9aa) --- source3/rpc_client/cli_netlogon.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 2671bac773..9c81b73692 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -391,7 +391,6 @@ password ?).\n", cli->desthost )); return ok; } -#if UNUSED_CODE /*************************************************************************** LSA SAM Logoff. @@ -465,7 +464,6 @@ password ?).\n", cli->desthost )); return ok; } -#endif /********************************************************* Change the domain password on the PDC. @@ -605,6 +603,7 @@ BOOL change_trust_account_password( char *domain, char *remote_machine_list) unsigned char old_trust_passwd_hash[16]; unsigned char new_trust_passwd_hash[16]; time_t lct; + BOOL res; if(!get_trust_account_password( old_trust_passwd_hash, &lct)) { DEBUG(0,("change_trust_account_password: unable to read the machine \ @@ -629,10 +628,16 @@ domain %s.\n", timestring(), domain)); * Return the result of trying to write the new password * back into the trust account file. */ - return set_trust_account_password(new_trust_passwd_hash); + res = set_trust_account_password(new_trust_passwd_hash); + memset(new_trust_passwd_hash, 0, 16); + memset(old_trust_passwd_hash, 0, 16); + return res; } } + memset(new_trust_passwd_hash, 0, 16); + memset(old_trust_passwd_hash, 0, 16); + DEBUG(0,("%s : change_trust_account_password: Failed to change password for \ domain %s.\n", timestring(), domain)); return False; -- cgit From d4a82ea26d5b9501f210a5c441b1ac09c256a187 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Fri, 16 Oct 1998 20:07:02 +0000 Subject: rpc client mods (ntlmssp flags) (This used to be commit 16256f86bf451535c7955b8f51a9b88fc33a8e4d) --- source3/rpc_client/cli_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 9c81b73692..721e261359 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -556,7 +556,7 @@ Error was : %s.\n", remote_machine, cli_errstr(&cli) )); * Now start the NT Domain stuff :-). */ - if(cli_nt_session_open(&cli, PIPE_NETLOGON, False) == False) { + if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) { DEBUG(0,("modify_trust_password: unable to open the domain client session to \ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); cli_nt_session_close(&cli); -- cgit From 528c3d3e682ce85d8b041a1396e59f5229716e71 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Tue, 27 Oct 1998 15:03:47 +0000 Subject: amazing. the improvements to NT continue, evidence for which shows up now as "RPC fault" if the UNIHDR structure lengths do not exactly match up to the length of the data stream. so, all versions of samba prior to this one have an off-by-one bug in unicode string lengths. all versions of NT prior to NT 5 beta 2 could possibly have buffer problems when receiving badly formatted UNICODE strings. (This used to be commit 161eb6f511e161b63c1fa90a08c562fcf208344a) --- source3/rpc_client/cli_netlogon.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 721e261359..d75ad6947f 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -339,6 +339,7 @@ BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, ctr->switch_value)); memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); + dummy_rtn_creds.timestamp.time = time(NULL); /* store the parameters */ make_sam_info(&(q_s.sam_id), cli->srv_name_slash, global_myname, -- cgit From 74d539f5573a3ed3ff1b96c54752a389da4c3e14 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Tue, 17 Nov 1998 16:19:04 +0000 Subject: - group database API. oops and oh dear, the threat has been carried out: the pre-alpha "domain group" etc parameters have disappeared. - interactive debug detection - re-added mem_man (andrew's memory management, detects memory corruption) - american spellings of "initialise" replaced with english spelling of "initialise". - started on "lookup_name()" and "lookup_sid()" functions. proper ones. - moved lots of functions around. created some modules of commonly used code. e.g the password file locking code, which is used in groupfile.c and aliasfile.c and smbpass.c - moved RID_TYPE_MASK up another bit. this is really unfortunate, but there is no other "fast" way to identify users from groups from aliases. i do not believe that this code saves us anything (the multipliers) and puts us at a disadvantage (reduces the useable rid space). the designers of NT aren't silly: if they can get away with a user- interface-speed LsaLookupNames / LsaLookupSids, then so can we. i spoke with isaac at the cifs conference, the only time for example that they do a security context check is on file create. certainly not on individual file reads / writes, which would drastically hit their performance and ours, too. - renamed myworkgroup to global_sam_name, amongst other things, when used in the rpc code. there is also a global_member_name, as we are always responsible for a SAM database, the scope of which is limited by the role of the machine (e.g if a member of a workgroup, your SAM is for _local_ logins only, and its name is the name of your server. you even still have a SID. see LsaQueryInfoPolicy, levels 3 and 5). - updated functionality of groupname.c to be able to cope with names like DOMAIN\group and SERVER\alias. used this code to be able to do aliases as well as groups. this code may actually be better off being used in username mapping, too. - created a connect to serverlist function in clientgen.c and used it in password.c - initialisation in server.c depends on the role of the server. well, it does now. - rpctorture. smbtorture. EXERCISE EXTREME CAUTION. (This used to be commit 0d21e1e6090b933f396c764af535ca3388a562db) --- source3/rpc_client/cli_netlogon.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index d75ad6947f..ed2f391256 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -32,7 +32,6 @@ extern int DEBUGLEVEL; extern pstring scope; extern pstring global_myname; -extern fstring global_myworkgroup; /**************************************************************************** Generate the next creds to use. -- cgit From f22b817d3fdac2c6a98b3297f758aea554785513 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 20 Nov 1998 20:44:21 +0000 Subject: acconfig.h configure configure.in include/config.h.in: Added -lsec and -lsecurity checks in a more sane way. rpc_client/cli_netlogon.c: Removed correct bits check to see if this works with an NT3.51 PDC. rpc_parse/parse_samr.c: Fixed compile warnings. Jeremy. (This used to be commit 34d8f4b1c4d59ab3c009360fc67eef9361dd859b) --- source3/rpc_client/cli_netlogon.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index ed2f391256..099c81496a 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -169,6 +169,12 @@ password ?).\n", cli->desthost )); } } +#if 0 + /* + * Try commenting this out to see if this makes the connect + * work for a NT 3.51 PDC. JRA. + */ + if (ok && r_a.srv_flgs.neg_flags != q_a.clnt_flgs.neg_flags) { /* report different neg_flags */ @@ -176,6 +182,7 @@ password ?).\n", cli->desthost )); q_a.clnt_flgs.neg_flags, r_a.srv_flgs.neg_flags)); ok = False; } +#endif } -- cgit From 9c848ec329a6ce86cffb2304746590116d9292f0 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Mon, 7 Dec 1998 20:23:41 +0000 Subject: removed nt_pipe_fnum from struct cli_state. need to be able to call LsaLookupSids etc from within SamrQueryAliasMembers, for example. fnum is now a parameter to client functions. thanks to mike black for starting the ball rolling. (This used to be commit bee8f7fa6b0f7f995f71303f4e14a4aaed0c2437) --- source3/rpc_client/cli_netlogon.c | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 099c81496a..750265483c 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -57,7 +57,7 @@ static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) /**************************************************************************** do a LSA Logon Control2 ****************************************************************************/ -BOOL cli_net_logon_ctrl2(struct cli_state *cli, uint32 status_level) +BOOL cli_net_logon_ctrl2(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 status_level) { prs_struct rbuf; prs_struct buf; @@ -79,7 +79,7 @@ BOOL cli_net_logon_ctrl2(struct cli_state *cli, uint32 status_level) net_io_q_logon_ctrl2("", &q_l, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, NET_LOGON_CTRL2, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_LOGON_CTRL2, &buf, &rbuf)) { NET_R_LOGON_CTRL2 r_l; @@ -110,7 +110,7 @@ Ensure that the server credential returned matches the session key encrypt of the server challenge originally received. JRA. ****************************************************************************/ -BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, +BOOL cli_net_auth2(struct cli_state *cli, uint16 nt_pipe_fnum, uint16 sec_chan, uint32 neg_flags, DOM_CHAL *srv_chal) { prs_struct rbuf; @@ -135,7 +135,7 @@ BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, net_io_q_auth_2("", &q_a, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, NET_AUTH2, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_AUTH2, &buf, &rbuf)) { NET_R_AUTH_2 r_a; @@ -197,7 +197,7 @@ LSA Request Challenge. Sends our challenge to server, then gets server response. These are used to generate the credentials. ****************************************************************************/ -BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) +BOOL cli_net_req_chal(struct cli_state *cli, uint16 nt_pipe_fnum, DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) { prs_struct rbuf; prs_struct buf; @@ -222,7 +222,7 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_ net_io_q_req_chal("", &q_c, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, NET_REQCHAL, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_REQCHAL, &buf, &rbuf)) { NET_R_REQ_CHAL r_c; BOOL ok; @@ -256,7 +256,7 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_ LSA Server Password Set. ****************************************************************************/ -BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) +BOOL cli_net_srv_pwset(struct cli_state *cli, uint16 nt_pipe_fnum, uint8 hashed_mach_pwd[16]) { prs_struct rbuf; prs_struct buf; @@ -284,7 +284,7 @@ BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) net_io_q_srv_pwset("", &q_s, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, NET_SRVPWSET, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_SRVPWSET, &buf, &rbuf)) { NET_R_SRV_PWSET r_s; @@ -321,7 +321,7 @@ password ?).\n", cli->desthost )); LSA SAM Logon - interactive or network. ****************************************************************************/ -BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, +BOOL cli_net_sam_logon(struct cli_state *cli, uint16 nt_pipe_fnum, NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3) { DOM_CRED new_clnt_cred; @@ -355,7 +355,7 @@ BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, net_io_q_sam_logon("", &q_s, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, NET_SAMLOGON, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_SAMLOGON, &buf, &rbuf)) { NET_R_SAM_LOGON r_s; @@ -407,7 +407,7 @@ send a different info level. Right now though, I'm not sure what that needs to be (I need to see one on the wire before I can be sure). JRA. ****************************************************************************/ -BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) +BOOL cli_net_sam_logoff(struct cli_state *cli, uint16 nt_pipe_fnum, NET_ID_INFO_CTR *ctr) { DOM_CRED new_clnt_cred; DOM_CRED dummy_rtn_creds; @@ -439,7 +439,7 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) net_io_q_sam_logoff("", &q_s, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, NET_SAMLOGOFF, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_SAMLOGOFF, &buf, &rbuf)) { NET_R_SAM_LOGOFF r_s; @@ -480,6 +480,7 @@ static BOOL modify_trust_password( char *domain, char *remote_machine, unsigned char orig_trust_passwd_hash[16], unsigned char new_trust_passwd_hash[16]) { + uint16 nt_pipe_fnum; struct cli_state cli; struct nmb_name calling, called; @@ -563,35 +564,35 @@ Error was : %s.\n", remote_machine, cli_errstr(&cli) )); * Now start the NT Domain stuff :-). */ - if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) { + if(cli_nt_session_open(&cli, PIPE_NETLOGON, &nt_pipe_fnum) == False) { DEBUG(0,("modify_trust_password: unable to open the domain client session to \ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); - cli_nt_session_close(&cli); + cli_nt_session_close(&cli, nt_pipe_fnum); cli_ulogoff(&cli); cli_shutdown(&cli); return False; } - if(cli_nt_setup_creds(&cli, orig_trust_passwd_hash) == False) { + if(cli_nt_setup_creds(&cli, nt_pipe_fnum, orig_trust_passwd_hash) == False) { DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \ %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); - cli_nt_session_close(&cli); + cli_nt_session_close(&cli, nt_pipe_fnum); cli_ulogoff(&cli); cli_shutdown(&cli); return False; } - if( cli_nt_srv_pwset( &cli,new_trust_passwd_hash ) == False) { + if( cli_nt_srv_pwset( &cli, nt_pipe_fnum, new_trust_passwd_hash ) == False) { DEBUG(0,("modify_trust_password: unable to change password for machine %s in domain \ %s to Domain controller %s. Error was %s.\n", global_myname, domain, remote_machine, cli_errstr(&cli))); - cli_close(&cli, cli.nt_pipe_fnum); + cli_nt_session_close(&cli, nt_pipe_fnum); cli_ulogoff(&cli); cli_shutdown(&cli); return False; } - cli_nt_session_close(&cli); + cli_nt_session_close(&cli, nt_pipe_fnum); cli_ulogoff(&cli); cli_shutdown(&cli); -- cgit From 6e88171bace32ea2f01367e86d87e1c70892084b Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Fri, 12 Mar 1999 05:47:06 +0000 Subject: new "domtrust" test command. r&d into inter-domain trust accounts. (This used to be commit 65b0abe8b7594ff6c662da86dc2e35bd83a2d13d) --- source3/rpc_client/cli_netlogon.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 750265483c..ff9fc3c5ed 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -110,8 +110,9 @@ Ensure that the server credential returned matches the session key encrypt of the server challenge originally received. JRA. ****************************************************************************/ -BOOL cli_net_auth2(struct cli_state *cli, uint16 nt_pipe_fnum, uint16 sec_chan, - uint32 neg_flags, DOM_CHAL *srv_chal) +BOOL cli_net_auth2(struct cli_state *cli, uint16 nt_pipe_fnum, + const char *trust_acct, uint16 sec_chan, + uint32 neg_flags, DOM_CHAL *srv_chal) { prs_struct rbuf; prs_struct buf; @@ -128,7 +129,7 @@ BOOL cli_net_auth2(struct cli_state *cli, uint16 nt_pipe_fnum, uint16 sec_chan, credstr(cli->clnt_cred.challenge.data), neg_flags)); /* store the parameters */ - make_q_auth_2(&q_a, cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, + make_q_auth_2(&q_a, cli->srv_name_slash, trust_acct, sec_chan, global_myname, &cli->clnt_cred.challenge, neg_flags); /* turn parameters into data stream */ @@ -573,7 +574,8 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); return False; } - if(cli_nt_setup_creds(&cli, nt_pipe_fnum, orig_trust_passwd_hash) == False) { + if(cli_nt_setup_creds(&cli, nt_pipe_fnum, + cli.mach_acct, orig_trust_passwd_hash, SEC_CHAN_WKSTA) == False) { DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \ %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); cli_nt_session_close(&cli, nt_pipe_fnum); -- cgit From 373ea639e03e72bef8242133abbf678cf90ed0d9 Mon Sep 17 00:00:00 2001 From: Matthew Chapman Date: Thu, 8 Apr 1999 05:36:15 +0000 Subject: Mainly BDC-related changes. * Added SEC_CHAN_BDC * Propagate sec_chan into the various functions which change trust account passwords, so they can be used for domain control and inter-domain trusts. * Fix for endianness problem reported by Edan Idzerda . A BUFFER2 is really a "unibuf" in my terminology and we should treat it as such. * Added some more common NT structures (BIGINT, BUFHDR2, BUFFER4). * Added NET_SAM_SYNC (-> NetDatabaseSync2) RPC for account replication. Still experimental and incomplete, with a few too many NULL security descriptors lying around (must go look at Jeremy's SD code). Haven't worked out password encryption yet either. However, the XXX_INFO structures I've added to rpc_netlogon.h are quite nice as they give some insight into how these objects are stored in the SAM. (This used to be commit 7b830350eb54dc9d357c115e12ddf9a0633527ac) --- source3/rpc_client/cli_netlogon.c | 70 +++++++++++++++++++++++++++++++++++---- 1 file changed, 63 insertions(+), 7 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index ff9fc3c5ed..9bd7d695d2 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -257,14 +257,14 @@ BOOL cli_net_req_chal(struct cli_state *cli, uint16 nt_pipe_fnum, DOM_CHAL *clnt LSA Server Password Set. ****************************************************************************/ -BOOL cli_net_srv_pwset(struct cli_state *cli, uint16 nt_pipe_fnum, uint8 hashed_mach_pwd[16]) +BOOL cli_net_srv_pwset(struct cli_state *cli, uint16 nt_pipe_fnum, + uint8 hashed_mach_pwd[16], uint16 sec_chan_type) { prs_struct rbuf; prs_struct buf; DOM_CRED new_clnt_cred; NET_Q_SRV_PWSET q_s; BOOL ok = False; - uint16 sec_chan_type = 2; gen_next_creds( cli, &new_clnt_cred); @@ -473,13 +473,68 @@ password ?).\n", cli->desthost )); return ok; } +/*************************************************************************** +Synchronise SAM Database (requires SEC_CHAN_BDC). +****************************************************************************/ +BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 database_id) +{ + NET_Q_SAM_SYNC q_s; + prs_struct rbuf; + prs_struct buf; + DOM_CRED new_clnt_cred; + BOOL ok = False; + + gen_next_creds(cli, &new_clnt_cred); + + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + + /* create and send a MSRPC command with api NET_SAM_SYNC */ + + make_q_sam_sync(&q_s, cli->srv_name_slash, global_myname, + &new_clnt_cred, database_id); + + /* turn parameters into data stream */ + net_io_q_sam_sync("", &q_s, &buf, 0); + + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_SAM_SYNC, &buf, &rbuf)) + { + NET_R_SAM_SYNC r_s; + + net_io_r_sam_sync("", &r_s, &rbuf, 0); + ok = (rbuf.offset != 0); + + if (ok && r_s.status != 0) + { + /* report error code */ + DEBUG(0,("cli_net_sam_sync: %s\n", get_nt_error_msg(r_s.status))); + cli->nt_error = r_s.status; + ok = False; + } + + /* Update the credentials. */ + if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_creds))) + { + DEBUG(0,("cli_net_sam_sync: server %s replied with bad credential (bad machine password ?).\n", cli->desthost)); + ok = False; + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + return ok; +} + /********************************************************* Change the domain password on the PDC. **********************************************************/ static BOOL modify_trust_password( char *domain, char *remote_machine, unsigned char orig_trust_passwd_hash[16], - unsigned char new_trust_passwd_hash[16]) + unsigned char new_trust_passwd_hash[16], + uint16 sec_chan) { uint16 nt_pipe_fnum; struct cli_state cli; @@ -575,7 +630,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); } if(cli_nt_setup_creds(&cli, nt_pipe_fnum, - cli.mach_acct, orig_trust_passwd_hash, SEC_CHAN_WKSTA) == False) { + cli.mach_acct, orig_trust_passwd_hash, sec_chan) == False) { DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \ %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); cli_nt_session_close(&cli, nt_pipe_fnum); @@ -584,7 +639,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); return False; } - if( cli_nt_srv_pwset( &cli, nt_pipe_fnum, new_trust_passwd_hash ) == False) { + if( cli_nt_srv_pwset( &cli, nt_pipe_fnum, new_trust_passwd_hash, sec_chan ) == False) { DEBUG(0,("modify_trust_password: unable to change password for machine %s in domain \ %s to Domain controller %s. Error was %s.\n", global_myname, domain, remote_machine, cli_errstr(&cli))); @@ -607,7 +662,8 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); update. ************************************************************************/ -BOOL change_trust_account_password( char *domain, char *remote_machine_list) +BOOL change_trust_account_password(char *domain, char *remote_machine_list, + uint16 sec_chan) { fstring remote_machine; unsigned char old_trust_passwd_hash[16]; @@ -631,7 +687,7 @@ account password for domain %s.\n", domain)); LIST_SEP, sizeof(remote_machine))) { strupper(remote_machine); if(modify_trust_password( domain, remote_machine, - old_trust_passwd_hash, new_trust_passwd_hash)) { + old_trust_passwd_hash, new_trust_passwd_hash, sec_chan)) { DEBUG(0,("%s : change_trust_account_password: Changed password for \ domain %s.\n", timestring(), domain)); /* -- cgit From 99e42c0656d3e1e3b8e06437a8a9082c12df22d2 Mon Sep 17 00:00:00 2001 From: Matthew Chapman Date: Wed, 2 Jun 1999 03:19:20 +0000 Subject: Some more BDC-related fixes, mainly to the NET_SAM_SYNC RPC with respect to alignment, missing fields, etc. - it should now work correctly. There is still the problem of decoding the private data field. (This used to be commit c3c25e762fbc30d5663323f23449c913f2ce4b0e) --- source3/rpc_client/cli_netlogon.c | 89 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 85 insertions(+), 4 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 9bd7d695d2..e9a8582d10 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -476,7 +476,7 @@ password ?).\n", cli->desthost )); /*************************************************************************** Synchronise SAM Database (requires SEC_CHAN_BDC). ****************************************************************************/ -BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 database_id) +BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 database_id, uint32 *num_deltas, SAM_DELTA_HDR *hdr_deltas, SAM_DELTA_CTR *deltas) { NET_Q_SAM_SYNC q_s; prs_struct rbuf; @@ -501,11 +501,14 @@ BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 databas if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_SAM_SYNC, &buf, &rbuf)) { NET_R_SAM_SYNC r_s; - + + r_s.hdr_deltas = hdr_deltas; + r_s.deltas = deltas; + net_io_r_sam_sync("", &r_s, &rbuf, 0); ok = (rbuf.offset != 0); - - if (ok && r_s.status != 0) + + if (ok && r_s.status != 0 && r_s.status != NT_STATUS_MORE_ENTRIES) { /* report error code */ DEBUG(0,("cli_net_sam_sync: %s\n", get_nt_error_msg(r_s.status))); @@ -519,6 +522,16 @@ BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 databas DEBUG(0,("cli_net_sam_sync: server %s replied with bad credential (bad machine password ?).\n", cli->desthost)); ok = False; } + + if (ok) + { + *num_deltas = r_s.num_deltas2; + + if (r_s.status == NT_STATUS_MORE_ENTRIES) + { + DEBUG(2, ("(More entries)\n")); + } + } } prs_mem_free(&rbuf); @@ -708,3 +721,71 @@ domain %s.\n", timestring(), domain)); domain %s.\n", timestring(), domain)); return False; } + +BOOL do_sam_sync(struct cli_state *cli) +{ + uint16 nt_pipe_fnum; + BOOL res = True; + unsigned char trust_passwd[16]; + int i, j; + + SAM_DELTA_HDR hdr_deltas[MAX_SAM_DELTAS]; + SAM_DELTA_CTR deltas[MAX_SAM_DELTAS]; + uint32 num_deltas; + fstring name; + char *data; + + DEBUG(2,("Attempting SAM synchronisation with PDC\n")); + + res = res ? trust_get_passwd(trust_passwd, cli->domain, global_myname) : False; + + /* open NETLOGON session. negotiate credentials */ + res = res ? cli_nt_session_open(cli, PIPE_NETLOGON, &nt_pipe_fnum) : False; + + res = res ? cli_nt_setup_creds(cli, nt_pipe_fnum, cli->mach_acct, + trust_passwd, SEC_CHAN_BDC) : False; + + res = res ? cli_net_sam_sync(cli, nt_pipe_fnum, 0, &num_deltas, hdr_deltas, deltas) : False; + + memset(trust_passwd, 0, 16); + + /* close the session */ + cli_nt_session_close(cli, nt_pipe_fnum); + + if (!res) + { + DEBUG(0, ("SAM synchronisation FAILED\n")); + return False; + } + + DEBUG(0, ("SAM synchronisation returned %d entries\n", num_deltas)); + + for (i = 0; i < num_deltas; i++) + { + switch (hdr_deltas[i].type) + { + case 1: + unistr2_to_ascii(name, &(deltas[i].domain_info.uni_dom_name), sizeof(fstring)-1); + DEBUG(0, ("Domain: %s\n", name)); + break; + + case 2: + unistr2_to_ascii(name, &(deltas[i].group_info.uni_grp_name), sizeof(fstring)-1); + DEBUG(0, ("Group: %s\n", name)); + break; + + case 5: + unistr2_to_ascii(name, &(deltas[i].account_info.uni_acct_name), sizeof(fstring)-1); + DEBUG(0, ("Account: %s\n", name)); + + data = deltas[i].account_info.buf_priv_data.buffer; + for (j = 0; j < deltas[i].account_info.buf_priv_data.buf_len; j++) + { + snprintf(&name[2*j], 3, "%02X", data[j]); + } + DEBUG(0, ("Private Data: %s\n", name)); + } + } + + return True; +} -- cgit From cae3620b2e8abbe35f0369a82d5461cb596475a3 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Thu, 24 Jun 1999 18:58:08 +0000 Subject: safe string error reporting functions (found a potential buffer overflow of a pstrcpy into an fstring). (This used to be commit ac0060443de800fec9042b69b299ff2e9128a31c) --- source3/rpc_client/cli_netlogon.c | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index e9a8582d10..d385011bac 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -571,8 +571,10 @@ to ourselves.\n", remote_machine)); } if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) { + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); DEBUG(0,("modify_trust_password: unable to connect to SMB server on \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) )); +machine %s. Error was : %s.\n", remote_machine, errstr )); return False; } @@ -582,8 +584,10 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) )); if (!cli_session_request(&cli, &calling, &called)) { + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \ -Error was : %s.\n", remote_machine, cli_errstr(&cli) )); +Error was : %s.\n", remote_machine, errstr )); cli_shutdown(&cli); return False; } @@ -591,8 +595,10 @@ Error was : %s.\n", remote_machine, cli_errstr(&cli) )); cli.protocol = PROTOCOL_NT1; if (!cli_negprot(&cli)) { + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); DEBUG(0,("modify_trust_password: machine %s rejected the negotiate protocol. \ -Error was : %s.\n", remote_machine, cli_errstr(&cli) )); +Error was : %s.\n", remote_machine, errstr )); cli_shutdown(&cli); return False; } @@ -608,8 +614,10 @@ Error was : %s.\n", remote_machine, cli_errstr(&cli) )); */ if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) { + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \ -Error was : %s.\n", remote_machine, cli_errstr(&cli) )); +Error was : %s.\n", remote_machine, errstr )); cli_shutdown(&cli); return False; } @@ -622,8 +630,10 @@ Error was : %s.\n", remote_machine, cli_errstr(&cli) )); } if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) { + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); DEBUG(0,("modify_trust_password: machine %s rejected the tconX on the IPC$ share. \ -Error was : %s.\n", remote_machine, cli_errstr(&cli) )); +Error was : %s.\n", remote_machine, errstr )); cli_shutdown(&cli); return False; } @@ -634,8 +644,10 @@ Error was : %s.\n", remote_machine, cli_errstr(&cli) )); */ if(cli_nt_session_open(&cli, PIPE_NETLOGON, &nt_pipe_fnum) == False) { + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); DEBUG(0,("modify_trust_password: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); +machine %s. Error was : %s.\n", remote_machine, errstr )); cli_nt_session_close(&cli, nt_pipe_fnum); cli_ulogoff(&cli); cli_shutdown(&cli); @@ -644,8 +656,10 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); if(cli_nt_setup_creds(&cli, nt_pipe_fnum, cli.mach_acct, orig_trust_passwd_hash, sec_chan) == False) { + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \ -%s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); +%s. Error was : %s.\n", remote_machine, errstr )); cli_nt_session_close(&cli, nt_pipe_fnum); cli_ulogoff(&cli); cli_shutdown(&cli); @@ -653,9 +667,11 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); } if( cli_nt_srv_pwset( &cli, nt_pipe_fnum, new_trust_passwd_hash, sec_chan ) == False) { + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); DEBUG(0,("modify_trust_password: unable to change password for machine %s in domain \ %s to Domain controller %s. Error was %s.\n", global_myname, domain, remote_machine, - cli_errstr(&cli))); + errstr )); cli_nt_session_close(&cli, nt_pipe_fnum); cli_ulogoff(&cli); cli_shutdown(&cli); -- cgit From 7672761567005733cd0c82ac44a5973b6ff8ccd1 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Tue, 6 Jul 1999 21:29:54 +0000 Subject: use of safe_cli_errstr() and cli_establish_connection(). (This used to be commit b60eb8c9fc61bf207ab3600eec3ca722403c4d19) --- source3/rpc_client/cli_netlogon.c | 223 +++++++++++++++++--------------------- 1 file changed, 99 insertions(+), 124 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index d385011bac..c7483677f0 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -549,140 +549,115 @@ static BOOL modify_trust_password( char *domain, char *remote_machine, unsigned char new_trust_passwd_hash[16], uint16 sec_chan) { - uint16 nt_pipe_fnum; - struct cli_state cli; - struct nmb_name calling, called; + uint16 nt_pipe_fnum; + struct cli_state cli; + struct nmb_name calling, called; - ZERO_STRUCT(cli); - if(cli_initialise(&cli) == False) { - DEBUG(0,("modify_trust_password: unable to initialize client connection.\n")); - return False; - } + make_nmb_name(&calling, global_myname , 0x0 , scope); + make_nmb_name(&called , remote_machine, 0x20, scope); - if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) { - DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine)); - return False; - } + ZERO_STRUCT(cli); + if(cli_initialise(&cli) == NULL) + { + DEBUG(0,("modify_trust_password: unable to initialize client \ +connection.\n")); + return False; + } - if (ismyip(cli.dest_ip)) { - DEBUG(0,("modify_trust_password: Machine %s is one of our addresses. Cannot add \ -to ourselves.\n", remote_machine)); - return False; - } + if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) + { + DEBUG(0,("modify_trust_password: Can't resolve address for \ +%s\n", remote_machine)); + return False; + } - if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) { - fstring errstr; - cli_safe_errstr(&cli, errstr, sizeof(errstr)); - DEBUG(0,("modify_trust_password: unable to connect to SMB server on \ -machine %s. Error was : %s.\n", remote_machine, errstr )); - return False; - } - - - make_nmb_name(&calling, global_myname , 0x0 , scope); - make_nmb_name(&called , remote_machine, 0x20, scope); + if (ismyip(cli.dest_ip)) + { + DEBUG(0,("modify_trust_password: Machine %s is one of our \ +addresses. Cannot add to ourselves.\n", remote_machine)); + return False; + } - if (!cli_session_request(&cli, &calling, &called)) + cli.protocol = PROTOCOL_NT1; + + if (!cli_establish_connection(&cli, remote_machine, &cli.dest_ip, + &calling, &called, + "IPC$", "IPC", False, True)) { - fstring errstr; - cli_safe_errstr(&cli, errstr, sizeof(errstr)); - DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \ -Error was : %s.\n", remote_machine, errstr )); - cli_shutdown(&cli); - return False; - } + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); + DEBUG(0,("modify_trust_password: machine %s rejected the SMB \ +session. Error was : %s.\n", remote_machine, errstr )); + cli_shutdown(&cli); + return False; + } - cli.protocol = PROTOCOL_NT1; - - if (!cli_negprot(&cli)) { - fstring errstr; - cli_safe_errstr(&cli, errstr, sizeof(errstr)); - DEBUG(0,("modify_trust_password: machine %s rejected the negotiate protocol. \ -Error was : %s.\n", remote_machine, errstr )); - cli_shutdown(&cli); - return False; - } - if (cli.protocol != PROTOCOL_NT1) { - DEBUG(0,("modify_trust_password: machine %s didn't negotiate NT protocol.\n", - remote_machine)); - cli_shutdown(&cli); - return False; - } - - /* - * Do an anonymous session setup. - */ - - if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) { - fstring errstr; - cli_safe_errstr(&cli, errstr, sizeof(errstr)); - DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \ -Error was : %s.\n", remote_machine, errstr )); - cli_shutdown(&cli); - return False; - } - - if (!(cli.sec_mode & 1)) { - DEBUG(0,("modify_trust_password: machine %s isn't in user level security mode\n", - remote_machine)); - cli_shutdown(&cli); - return False; - } - - if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) { - fstring errstr; - cli_safe_errstr(&cli, errstr, sizeof(errstr)); - DEBUG(0,("modify_trust_password: machine %s rejected the tconX on the IPC$ share. \ -Error was : %s.\n", remote_machine, errstr )); - cli_shutdown(&cli); - return False; - } - /* - * Ok - we have an anonymous connection to the IPC$ share. - * Now start the NT Domain stuff :-). - */ - - if(cli_nt_session_open(&cli, PIPE_NETLOGON, &nt_pipe_fnum) == False) { - fstring errstr; - cli_safe_errstr(&cli, errstr, sizeof(errstr)); - DEBUG(0,("modify_trust_password: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, errstr )); - cli_nt_session_close(&cli, nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } - - if(cli_nt_setup_creds(&cli, nt_pipe_fnum, - cli.mach_acct, orig_trust_passwd_hash, sec_chan) == False) { - fstring errstr; - cli_safe_errstr(&cli, errstr, sizeof(errstr)); - DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \ -%s. Error was : %s.\n", remote_machine, errstr )); - cli_nt_session_close(&cli, nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } - - if( cli_nt_srv_pwset( &cli, nt_pipe_fnum, new_trust_passwd_hash, sec_chan ) == False) { - fstring errstr; - cli_safe_errstr(&cli, errstr, sizeof(errstr)); - DEBUG(0,("modify_trust_password: unable to change password for machine %s in domain \ -%s to Domain controller %s. Error was %s.\n", global_myname, domain, remote_machine, - errstr )); - cli_nt_session_close(&cli, nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } + if (cli.protocol != PROTOCOL_NT1) + { + DEBUG(0,("modify_trust_password: machine %s didn't negotiate \ +NT protocol.\n", remote_machine)); + cli_shutdown(&cli); + return False; + } - cli_nt_session_close(&cli, nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); + if (!(IS_BITS_SET_ALL(cli.sec_mode, 1))) + { + DEBUG(0,("modify_trust_password: machine %s isn't in user \ +level security mode\n", remote_machine)); + cli_shutdown(&cli); + return False; + } + + /* + * Ok - we have an anonymous connection to the IPC$ share. + * Now start the NT Domain stuff :-). + */ + + if (!cli_nt_session_open(&cli, PIPE_NETLOGON, &nt_pipe_fnum)) + { + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); + DEBUG(0,("modify_trust_password: unable to open the domain \ +client session to server %s. Error was : %s.\n", remote_machine, errstr )); + cli_nt_session_close(&cli, nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + + if (!cli_nt_setup_creds(&cli, nt_pipe_fnum, + cli.mach_acct, orig_trust_passwd_hash, sec_chan)) + { + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); + DEBUG(0,("modify_trust_password: unable to setup the PDC \ +credentials to server %s. Error was : %s.\n", remote_machine, errstr )); + cli_nt_session_close(&cli, nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + + if (!cli_nt_srv_pwset( &cli, nt_pipe_fnum, new_trust_passwd_hash, + sec_chan ) ) + { + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); + DEBUG(0,("modify_trust_password: unable to change password for \ +workstation %s in domain %s to Domain controller %s. Error was %s.\n", + global_myname, domain, remote_machine, errstr )); + cli_nt_session_close(&cli, nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } - return True; + cli_nt_session_close(&cli, nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + + return True; } /************************************************************************ -- cgit From 6a5a4e818684a616306d2954d1a2612113b314a6 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Wed, 21 Jul 1999 00:32:09 +0000 Subject: BDC support. (This used to be commit 2331aa32ab36c3ee5fd8cfbe972e57299939e33d) --- source3/rpc_client/cli_netlogon.c | 50 +++++++++------------------------------ 1 file changed, 11 insertions(+), 39 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index c7483677f0..188390ae54 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -505,7 +505,7 @@ BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 databas r_s.hdr_deltas = hdr_deltas; r_s.deltas = deltas; - net_io_r_sam_sync("", &r_s, &rbuf, 0); + net_io_r_sam_sync("", cli->sess_key, &r_s, &rbuf, 0); ok = (rbuf.offset != 0); if (ok && r_s.status != 0 && r_s.status != NT_STATUS_MORE_ENTRIES) @@ -713,20 +713,19 @@ domain %s.\n", timestring(), domain)); return False; } -BOOL do_sam_sync(struct cli_state *cli) +BOOL do_sam_sync(struct cli_state *cli, + SAM_DELTA_HDR hdr_deltas[MAX_SAM_DELTAS], + SAM_DELTA_CTR deltas [MAX_SAM_DELTAS], + uint32 *num_deltas) { uint16 nt_pipe_fnum; BOOL res = True; unsigned char trust_passwd[16]; - int i, j; - SAM_DELTA_HDR hdr_deltas[MAX_SAM_DELTAS]; - SAM_DELTA_CTR deltas[MAX_SAM_DELTAS]; - uint32 num_deltas; - fstring name; - char *data; + *num_deltas = 0; - DEBUG(2,("Attempting SAM synchronisation with PDC\n")); + DEBUG(2,("Attempting SAM sync with PDC, domain: %s name: %s\n", + cli->domain, global_myname)); res = res ? trust_get_passwd(trust_passwd, cli->domain, global_myname) : False; @@ -736,10 +735,10 @@ BOOL do_sam_sync(struct cli_state *cli) res = res ? cli_nt_setup_creds(cli, nt_pipe_fnum, cli->mach_acct, trust_passwd, SEC_CHAN_BDC) : False; - res = res ? cli_net_sam_sync(cli, nt_pipe_fnum, 0, &num_deltas, hdr_deltas, deltas) : False; - memset(trust_passwd, 0, 16); + res = res ? cli_net_sam_sync(cli, nt_pipe_fnum, 0, num_deltas, hdr_deltas, deltas) : False; + /* close the session */ cli_nt_session_close(cli, nt_pipe_fnum); @@ -749,34 +748,7 @@ BOOL do_sam_sync(struct cli_state *cli) return False; } - DEBUG(0, ("SAM synchronisation returned %d entries\n", num_deltas)); - - for (i = 0; i < num_deltas; i++) - { - switch (hdr_deltas[i].type) - { - case 1: - unistr2_to_ascii(name, &(deltas[i].domain_info.uni_dom_name), sizeof(fstring)-1); - DEBUG(0, ("Domain: %s\n", name)); - break; - - case 2: - unistr2_to_ascii(name, &(deltas[i].group_info.uni_grp_name), sizeof(fstring)-1); - DEBUG(0, ("Group: %s\n", name)); - break; - - case 5: - unistr2_to_ascii(name, &(deltas[i].account_info.uni_acct_name), sizeof(fstring)-1); - DEBUG(0, ("Account: %s\n", name)); - - data = deltas[i].account_info.buf_priv_data.buffer; - for (j = 0; j < deltas[i].account_info.buf_priv_data.buf_len; j++) - { - snprintf(&name[2*j], 3, "%02X", data[j]); - } - DEBUG(0, ("Private Data: %s\n", name)); - } - } + DEBUG(0, ("SAM synchronisation returned %d entries\n", *num_deltas)); return True; } -- cgit From 30beb2dd109e26abbe4d773671909b1fdf3a0e62 Mon Sep 17 00:00:00 2001 From: Matthew Chapman Date: Thu, 22 Jul 1999 10:54:49 +0000 Subject: BDC support. Added synchronise_passdb function to update accounts in a BDC's smbpasswd. Improved rpc_read, which was still somewhat broken for multiple PDU's. modify_trust_password must initialise cli.pwd (pwd_set_nullpwd). (This used to be commit 4783ac3968df1c5c8aa0b6ba9144df8b01ae0b99) --- source3/rpc_client/cli_netlogon.c | 72 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 188390ae54..6f0d7e1c3a 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -580,6 +580,8 @@ addresses. Cannot add to ourselves.\n", remote_machine)); cli.protocol = PROTOCOL_NT1; + pwd_set_nullpwd(&cli.pwd); + if (!cli_establish_connection(&cli, remote_machine, &cli.dest_ip, &calling, &called, "IPC$", "IPC", False, True)) @@ -752,3 +754,73 @@ BOOL do_sam_sync(struct cli_state *cli, return True; } + +BOOL synchronise_passdb(void) +{ + struct cli_state cli; + SAM_DELTA_HDR hdr_deltas[MAX_SAM_DELTAS]; + SAM_DELTA_CTR deltas[MAX_SAM_DELTAS]; + uint32 num; + + SAM_ACCOUNT_INFO *acc; + struct smb_passwd pwd; + fstring nt_name; + unsigned char smb_passwd[16]; + unsigned char smb_nt_passwd[16]; + + char *mode; + BOOL success; + BOOL ret; + int i; + + if (!cli_connect_serverlist(&cli, lp_passwordserver())) + { + return False; + } + + pstrcpy(cli.domain, lp_workgroup()); + + ret = do_sam_sync(&cli, hdr_deltas, deltas, &num); + + if (ret) + { + for (i = 0; i < num; i++) + { + /* Currently only interested in accounts */ + if (hdr_deltas[i].type != 5) + { + continue; + } + + acc = &deltas[i].account_info; + pwdb_init_smb(&pwd); + + pwd.user_rid = acc->user_rid; + unistr2_to_ascii(nt_name, &(acc->uni_acct_name), sizeof(fstring)-1); + pwd.nt_name = nt_name; + pwd.acct_ctrl = acc->acb_info; + pwd.pass_last_set_time = nt_time_to_unix(&(acc->pwd_last_set_time)); + + sam_pwd_hash(acc->user_rid, smb_passwd, acc->pass.buf_lm_pwd, 0); + sam_pwd_hash(acc->user_rid, smb_nt_passwd, acc->pass.buf_nt_pwd, 0); + pwd.smb_passwd = smb_passwd; + pwd.smb_nt_passwd = smb_nt_passwd; + + mode = "modify"; + success = mod_smbpwd_entry(&pwd, True); + + if (!success) + { + mode = "add"; + success = add_smbpwd_entry(&pwd); + } + + DEBUG(0, ("Attempted to %s account for %s: %s\n", mode, + nt_name, success ? "OK" : "FAILED")); + } + } + + cli_ulogoff(&cli); + cli_shutdown(&cli); + return ret; +} -- cgit From f1c2fdb2704e04b05fe3247c53162006a25e75fb Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Tue, 21 Sep 1999 21:28:27 +0000 Subject: split matthew's sync command (only currently called from smbpasswd) into a separate module (This used to be commit d99eca020a255022dbc71f3671127343d75db59e) --- source3/rpc_client/cli_netlogon.c | 74 +-------------------------------------- 1 file changed, 1 insertion(+), 73 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 6f0d7e1c3a..6b7db8ff6e 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -715,22 +715,19 @@ domain %s.\n", timestring(), domain)); return False; } -BOOL do_sam_sync(struct cli_state *cli, +BOOL do_sam_sync(struct cli_state *cli, uchar trust_passwd[16], SAM_DELTA_HDR hdr_deltas[MAX_SAM_DELTAS], SAM_DELTA_CTR deltas [MAX_SAM_DELTAS], uint32 *num_deltas) { uint16 nt_pipe_fnum; BOOL res = True; - unsigned char trust_passwd[16]; *num_deltas = 0; DEBUG(2,("Attempting SAM sync with PDC, domain: %s name: %s\n", cli->domain, global_myname)); - res = res ? trust_get_passwd(trust_passwd, cli->domain, global_myname) : False; - /* open NETLOGON session. negotiate credentials */ res = res ? cli_nt_session_open(cli, PIPE_NETLOGON, &nt_pipe_fnum) : False; @@ -755,72 +752,3 @@ BOOL do_sam_sync(struct cli_state *cli, return True; } -BOOL synchronise_passdb(void) -{ - struct cli_state cli; - SAM_DELTA_HDR hdr_deltas[MAX_SAM_DELTAS]; - SAM_DELTA_CTR deltas[MAX_SAM_DELTAS]; - uint32 num; - - SAM_ACCOUNT_INFO *acc; - struct smb_passwd pwd; - fstring nt_name; - unsigned char smb_passwd[16]; - unsigned char smb_nt_passwd[16]; - - char *mode; - BOOL success; - BOOL ret; - int i; - - if (!cli_connect_serverlist(&cli, lp_passwordserver())) - { - return False; - } - - pstrcpy(cli.domain, lp_workgroup()); - - ret = do_sam_sync(&cli, hdr_deltas, deltas, &num); - - if (ret) - { - for (i = 0; i < num; i++) - { - /* Currently only interested in accounts */ - if (hdr_deltas[i].type != 5) - { - continue; - } - - acc = &deltas[i].account_info; - pwdb_init_smb(&pwd); - - pwd.user_rid = acc->user_rid; - unistr2_to_ascii(nt_name, &(acc->uni_acct_name), sizeof(fstring)-1); - pwd.nt_name = nt_name; - pwd.acct_ctrl = acc->acb_info; - pwd.pass_last_set_time = nt_time_to_unix(&(acc->pwd_last_set_time)); - - sam_pwd_hash(acc->user_rid, smb_passwd, acc->pass.buf_lm_pwd, 0); - sam_pwd_hash(acc->user_rid, smb_nt_passwd, acc->pass.buf_nt_pwd, 0); - pwd.smb_passwd = smb_passwd; - pwd.smb_nt_passwd = smb_nt_passwd; - - mode = "modify"; - success = mod_smbpwd_entry(&pwd, True); - - if (!success) - { - mode = "add"; - success = add_smbpwd_entry(&pwd); - } - - DEBUG(0, ("Attempted to %s account for %s: %s\n", mode, - nt_name, success ? "OK" : "FAILED")); - } - } - - cli_ulogoff(&cli); - cli_shutdown(&cli); - return ret; -} -- cgit From 87d92a1f1182a6b4e4dbe91d7f574c7ac8aecb21 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Tue, 19 Oct 1999 19:55:43 +0000 Subject: need status codes from cli_net_req_chal() and cli_net_auth2(). this format is what i would like _all_ these functions to be (returning status codes, not BOOL) but that's a horrendous amount of work at the moment :) (This used to be commit 02f240604241367f146b26934ad1a1b2563430de) --- source3/rpc_client/cli_netlogon.c | 173 ++++++++++++++++++++------------------ 1 file changed, 93 insertions(+), 80 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 6b7db8ff6e..2693dece75 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -110,87 +110,94 @@ Ensure that the server credential returned matches the session key encrypt of the server challenge originally received. JRA. ****************************************************************************/ -BOOL cli_net_auth2(struct cli_state *cli, uint16 nt_pipe_fnum, - const char *trust_acct, uint16 sec_chan, +uint32 cli_net_auth2(struct cli_state *cli, uint16 nt_pipe_fnum, + const char *trust_acct, + const char *srv_name, uint16 sec_chan, uint32 neg_flags, DOM_CHAL *srv_chal) { - prs_struct rbuf; - prs_struct buf; - NET_Q_AUTH_2 q_a; - BOOL ok = False; + prs_struct rbuf; + prs_struct buf; + NET_Q_AUTH_2 q_a; + uint32 status = 0x0; - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); - prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - /* create and send a MSRPC command with api NET_AUTH2 */ + /* create and send a MSRPC command with api NET_AUTH2 */ - DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", - cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, - credstr(cli->clnt_cred.challenge.data), neg_flags)); + DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", + cli->srv_name_slash, cli->mach_acct, sec_chan, srv_name, + credstr(cli->clnt_cred.challenge.data), neg_flags)); - /* store the parameters */ - make_q_auth_2(&q_a, cli->srv_name_slash, trust_acct, sec_chan, global_myname, - &cli->clnt_cred.challenge, neg_flags); + /* store the parameters */ + make_q_auth_2(&q_a, cli->srv_name_slash, trust_acct, sec_chan, srv_name, + &cli->clnt_cred.challenge, neg_flags); - /* turn parameters into data stream */ - net_io_q_auth_2("", &q_a, &buf, 0); + /* turn parameters into data stream */ + net_io_q_auth_2("", &q_a, &buf, 0); - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_AUTH2, &buf, &rbuf)) - { - NET_R_AUTH_2 r_a; + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_AUTH2, &buf, &rbuf)) + { + NET_R_AUTH_2 r_a; - net_io_r_auth_2("", &r_a, &rbuf, 0); - ok = (rbuf.offset != 0); - - if (ok && r_a.status != 0) - { - /* report error code */ - DEBUG(0,("cli_net_auth2: Error %s\n", get_nt_error_msg(r_a.status))); - cli->nt_error = r_a.status; - ok = False; - } + net_io_r_auth_2("", &r_a, &rbuf, 0); + status = (rbuf.offset == 0) ? 0xC0000000 | NT_STATUS_INVALID_PARAMETER : 0; - if (ok) - { - /* - * Check the returned value using the initial - * server received challenge. - */ - UTIME zerotime; - - zerotime.time = 0; - if(cred_assert( &r_a.srv_chal, cli->sess_key, srv_chal, zerotime) == 0) { - /* - * Server replied with bad credential. Fail. - */ - DEBUG(0,("cli_net_auth2: server %s replied with bad credential (bad machine \ -password ?).\n", cli->desthost )); - ok = False; - } - } + if (status == 0x0 && r_a.status != 0) + { + /* report error code */ + DEBUG(0,("cli_net_auth2: Error %s\n", + get_nt_error_msg(r_a.status))); + cli->nt_error = r_a.status; + status = r_a.status; + } + + if (status == 0x0) + { + /* + * Check the returned value using the initial + * server received challenge. + */ + UTIME zerotime; + + zerotime.time = 0; + if(cred_assert( &r_a.srv_chal, cli->sess_key, srv_chal, zerotime) == 0) + { + /* + * Server replied with bad credential. Fail. + */ + DEBUG(0,("cli_net_auth2: server %s replied with bad credential (bad machine \ + password ?).\n", cli->desthost )); + status = NT_STATUS_NETWORK_CREDENTIAL_CONFLICT | 0xC0000000; + } + } #if 0 - /* - * Try commenting this out to see if this makes the connect - * work for a NT 3.51 PDC. JRA. - */ + /* + * Try commenting this out to see if this makes the connect + * work for a NT 3.51 PDC. JRA. + */ - if (ok && r_a.srv_flgs.neg_flags != q_a.clnt_flgs.neg_flags) - { - /* report different neg_flags */ - DEBUG(0,("cli_net_auth2: error neg_flags (q,r) differ - (%x,%x)\n", - q_a.clnt_flgs.neg_flags, r_a.srv_flgs.neg_flags)); - ok = False; - } + if (ok && r_a.srv_flgs.neg_flags != q_a.clnt_flgs.neg_flags) + { + /* report different neg_flags */ + DEBUG(0,("cli_net_auth2: error neg_flags (q,r) differ - (%x,%x)\n", + q_a.clnt_flgs.neg_flags, r_a.srv_flgs.neg_flags)); + ok = False; + } #endif - } + } + else + { + status = 0xC0000000 | NT_STATUS_ACCESS_DENIED; + } - prs_mem_free(&rbuf); - prs_mem_free(&buf ); + prs_mem_free(&rbuf); + prs_mem_free(&buf ); - return ok; + return status; } /**************************************************************************** @@ -198,15 +205,17 @@ LSA Request Challenge. Sends our challenge to server, then gets server response. These are used to generate the credentials. ****************************************************************************/ -BOOL cli_net_req_chal(struct cli_state *cli, uint16 nt_pipe_fnum, DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) +uint32 cli_net_req_chal(struct cli_state *cli, uint16 nt_pipe_fnum, + const char *srv_name, + DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) { prs_struct rbuf; prs_struct buf; NET_Q_REQ_CHAL q_c; - BOOL valid_chal = False; + uint32 status = 0x0; if (srv_chal == NULL || clnt_chal == NULL) - return False; + return 0xC0000000 | NT_STATUS_INVALID_PARAMETER; prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); @@ -214,10 +223,10 @@ BOOL cli_net_req_chal(struct cli_state *cli, uint16 nt_pipe_fnum, DOM_CHAL *clnt /* create and send a MSRPC command with api NET_REQCHAL */ DEBUG(4,("cli_net_req_chal: LSA Request Challenge from %s to %s: %s\n", - cli->desthost, global_myname, credstr(clnt_chal->data))); + cli->desthost, srv_name, credstr(clnt_chal->data))); /* store the parameters */ - make_q_req_chal(&q_c, cli->srv_name_slash, global_myname, clnt_chal); + make_q_req_chal(&q_c, cli->srv_name_slash, srv_name, clnt_chal); /* turn parameters into data stream */ net_io_q_req_chal("", &q_c, &buf, 0); @@ -226,31 +235,33 @@ BOOL cli_net_req_chal(struct cli_state *cli, uint16 nt_pipe_fnum, DOM_CHAL *clnt if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_REQCHAL, &buf, &rbuf)) { NET_R_REQ_CHAL r_c; - BOOL ok; net_io_r_req_chal("", &r_c, &rbuf, 0); - ok = (rbuf.offset != 0); + status = (rbuf.offset == 0) ? 0xC0000000 | NT_STATUS_INVALID_PARAMETER : 0; - if (ok && r_c.status != 0) + if (status == 0x0 && r_c.status != 0) { /* report error code */ DEBUG(0,("cli_net_req_chal: Error %s\n", get_nt_error_msg(r_c.status))); cli->nt_error = r_c.status; - ok = False; + status = r_c.status; } - if (ok) + if (status == 0x0) { /* ok, at last: we're happy. return the challenge */ memcpy(srv_chal, r_c.srv_chal.data, sizeof(srv_chal->data)); - valid_chal = True; } } + else + { + status = 0xC0000000 | NT_STATUS_ACCESS_DENIED; + } prs_mem_free(&rbuf); prs_mem_free(&buf ); - return valid_chal; + return status; } /*************************************************************************** @@ -628,8 +639,9 @@ client session to server %s. Error was : %s.\n", remote_machine, errstr )); return False; } - if (!cli_nt_setup_creds(&cli, nt_pipe_fnum, - cli.mach_acct, orig_trust_passwd_hash, sec_chan)) + if (cli_nt_setup_creds(&cli, nt_pipe_fnum, + cli.mach_acct, global_myname, + orig_trust_passwd_hash, sec_chan) != 0x0) { fstring errstr; cli_safe_errstr(&cli, errstr, sizeof(errstr)); @@ -731,8 +743,9 @@ BOOL do_sam_sync(struct cli_state *cli, uchar trust_passwd[16], /* open NETLOGON session. negotiate credentials */ res = res ? cli_nt_session_open(cli, PIPE_NETLOGON, &nt_pipe_fnum) : False; - res = res ? cli_nt_setup_creds(cli, nt_pipe_fnum, cli->mach_acct, - trust_passwd, SEC_CHAN_BDC) : False; + res = res ? cli_nt_setup_creds(cli, nt_pipe_fnum, + cli->mach_acct, global_myname, + trust_passwd, SEC_CHAN_BDC) == 0x0 : False; memset(trust_passwd, 0, 16); -- cgit From 6f9105c853020fde1691a28cd707d6d3f6561b4d Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Thu, 21 Oct 1999 16:53:50 +0000 Subject: various. debug levels changed. nmbd doesn't need libsmb/clienttrust.c. samr_lookup_rids() moved to a dynamic memory structure not a static one limited to 32 RIDs. cli_pipe.c reading wasn't checking ERRmoredata when DOS error codes negotiated (this terminates MSRPC code with prejudice). (This used to be commit 8976eca2db43576c32069dcda017e8777048e007) --- source3/rpc_client/cli_netlogon.c | 221 +++++--------------------------------- 1 file changed, 25 insertions(+), 196 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 2693dece75..e5b028f987 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -30,7 +30,6 @@ #include "includes.h" extern int DEBUGLEVEL; -extern pstring scope; extern pstring global_myname; /**************************************************************************** @@ -89,7 +88,7 @@ BOOL cli_net_logon_ctrl2(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 stat if (ok && r_l.status != 0) { /* report error code */ - DEBUG(0,("do_net_logon_ctrl2: Error %s\n", get_nt_error_msg(r_l.status))); + DEBUG(5,("do_net_logon_ctrl2: Error %s\n", get_nt_error_msg(r_l.status))); cli->nt_error = r_l.status; ok = False; } @@ -147,7 +146,7 @@ uint32 cli_net_auth2(struct cli_state *cli, uint16 nt_pipe_fnum, if (status == 0x0 && r_a.status != 0) { /* report error code */ - DEBUG(0,("cli_net_auth2: Error %s\n", + DEBUG(5,("cli_net_auth2: Error %s\n", get_nt_error_msg(r_a.status))); cli->nt_error = r_a.status; status = r_a.status; @@ -167,7 +166,7 @@ uint32 cli_net_auth2(struct cli_state *cli, uint16 nt_pipe_fnum, /* * Server replied with bad credential. Fail. */ - DEBUG(0,("cli_net_auth2: server %s replied with bad credential (bad machine \ + DEBUG(5,("cli_net_auth2: server %s replied with bad credential (bad machine \ password ?).\n", cli->desthost )); status = NT_STATUS_NETWORK_CREDENTIAL_CONFLICT | 0xC0000000; } @@ -182,7 +181,7 @@ uint32 cli_net_auth2(struct cli_state *cli, uint16 nt_pipe_fnum, if (ok && r_a.srv_flgs.neg_flags != q_a.clnt_flgs.neg_flags) { /* report different neg_flags */ - DEBUG(0,("cli_net_auth2: error neg_flags (q,r) differ - (%x,%x)\n", + DEBUG(5,("cli_net_auth2: error neg_flags (q,r) differ - (%x,%x)\n", q_a.clnt_flgs.neg_flags, r_a.srv_flgs.neg_flags)); ok = False; } @@ -191,9 +190,12 @@ uint32 cli_net_auth2(struct cli_state *cli, uint16 nt_pipe_fnum, } else { + DEBUG(5,("rpc_api_pipe_req FAILED\n")); status = 0xC0000000 | NT_STATUS_ACCESS_DENIED; } + DEBUG(5,("cli_net_auth2 status: %x\n", status)); + prs_mem_free(&rbuf); prs_mem_free(&buf ); @@ -242,7 +244,7 @@ uint32 cli_net_req_chal(struct cli_state *cli, uint16 nt_pipe_fnum, if (status == 0x0 && r_c.status != 0) { /* report error code */ - DEBUG(0,("cli_net_req_chal: Error %s\n", get_nt_error_msg(r_c.status))); + DEBUG(5,("cli_net_req_chal: Error %s\n", get_nt_error_msg(r_c.status))); cli->nt_error = r_c.status; status = r_c.status; } @@ -255,6 +257,7 @@ uint32 cli_net_req_chal(struct cli_state *cli, uint16 nt_pipe_fnum, } else { + DEBUG(5,("rpc_api_pipe_req FAILED\n")); status = 0xC0000000 | NT_STATUS_ACCESS_DENIED; } @@ -306,7 +309,7 @@ BOOL cli_net_srv_pwset(struct cli_state *cli, uint16 nt_pipe_fnum, if (ok && r_s.status != 0) { /* report error code */ - DEBUG(0,("cli_net_srv_pwset: %s\n", get_nt_error_msg(r_s.status))); + DEBUG(5,("cli_net_srv_pwset: %s\n", get_nt_error_msg(r_s.status))); cli->nt_error = r_s.status; ok = False; } @@ -317,7 +320,7 @@ BOOL cli_net_srv_pwset(struct cli_state *cli, uint16 nt_pipe_fnum, /* * Server replied with bad credential. Fail. */ - DEBUG(0,("cli_net_srv_pwset: server %s replied with bad credential (bad machine \ + DEBUG(5,("cli_net_srv_pwset: server %s replied with bad credential (bad machine \ password ?).\n", cli->desthost )); ok = False; } @@ -379,7 +382,7 @@ BOOL cli_net_sam_logon(struct cli_state *cli, uint16 nt_pipe_fnum, NET_ID_INFO_C if (ok && r_s.status != 0) { /* report error code */ - DEBUG(0,("cli_net_sam_logon: %s\n", get_nt_error_msg(r_s.status))); + DEBUG(5,("cli_net_sam_logon: %s\n", get_nt_error_msg(r_s.status))); cli->nt_error = r_s.status; ok = False; } @@ -390,7 +393,7 @@ BOOL cli_net_sam_logon(struct cli_state *cli, uint16 nt_pipe_fnum, NET_ID_INFO_C /* * Server replied with bad credential. Fail. */ - DEBUG(0,("cli_net_sam_logon: server %s replied with bad credential (bad machine \ + DEBUG(5,("cli_net_sam_logon: server %s replied with bad credential (bad machine \ password ?).\n", cli->desthost )); ok = False; } @@ -398,7 +401,7 @@ password ?).\n", cli->desthost )); if (ok && r_s.switch_value != 3) { /* report different switch_value */ - DEBUG(0,("cli_net_sam_logon: switch_value of 3 expected %x\n", + DEBUG(5,("cli_net_sam_logon: switch_value of 3 expected %x\n", r_s.switch_value)); ok = False; } @@ -461,7 +464,7 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, uint16 nt_pipe_fnum, NET_ID_INFO_ if (ok && r_s.status != 0) { /* report error code */ - DEBUG(0,("cli_net_sam_logoff: %s\n", get_nt_error_msg(r_s.status))); + DEBUG(5,("cli_net_sam_logoff: %s\n", get_nt_error_msg(r_s.status))); cli->nt_error = r_s.status; ok = False; } @@ -472,7 +475,7 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, uint16 nt_pipe_fnum, NET_ID_INFO_ /* * Server replied with bad credential. Fail. */ - DEBUG(0,("cli_net_sam_logoff: server %s replied with bad credential (bad machine \ + DEBUG(5,("cli_net_sam_logoff: server %s replied with bad credential (bad machine \ password ?).\n", cli->desthost )); ok = False; } @@ -522,7 +525,7 @@ BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 databas if (ok && r_s.status != 0 && r_s.status != NT_STATUS_MORE_ENTRIES) { /* report error code */ - DEBUG(0,("cli_net_sam_sync: %s\n", get_nt_error_msg(r_s.status))); + DEBUG(5,("cli_net_sam_sync: %s\n", get_nt_error_msg(r_s.status))); cli->nt_error = r_s.status; ok = False; } @@ -530,7 +533,7 @@ BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 databas /* Update the credentials. */ if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_creds))) { - DEBUG(0,("cli_net_sam_sync: server %s replied with bad credential (bad machine password ?).\n", cli->desthost)); + DEBUG(5,("cli_net_sam_sync: server %s replied with bad credential (bad machine password ?).\n", cli->desthost)); ok = False; } @@ -540,7 +543,7 @@ BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 databas if (r_s.status == NT_STATUS_MORE_ENTRIES) { - DEBUG(2, ("(More entries)\n")); + DEBUG(5, ("(More entries)\n")); } } } @@ -551,183 +554,9 @@ BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 databas return ok; } -/********************************************************* - Change the domain password on the PDC. -**********************************************************/ - -static BOOL modify_trust_password( char *domain, char *remote_machine, - unsigned char orig_trust_passwd_hash[16], - unsigned char new_trust_passwd_hash[16], - uint16 sec_chan) -{ - uint16 nt_pipe_fnum; - struct cli_state cli; - struct nmb_name calling, called; - - make_nmb_name(&calling, global_myname , 0x0 , scope); - make_nmb_name(&called , remote_machine, 0x20, scope); - - ZERO_STRUCT(cli); - if(cli_initialise(&cli) == NULL) - { - DEBUG(0,("modify_trust_password: unable to initialize client \ -connection.\n")); - return False; - } - - if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) - { - DEBUG(0,("modify_trust_password: Can't resolve address for \ -%s\n", remote_machine)); - return False; - } - - if (ismyip(cli.dest_ip)) - { - DEBUG(0,("modify_trust_password: Machine %s is one of our \ -addresses. Cannot add to ourselves.\n", remote_machine)); - return False; - } - - cli.protocol = PROTOCOL_NT1; - - pwd_set_nullpwd(&cli.pwd); - - if (!cli_establish_connection(&cli, remote_machine, &cli.dest_ip, - &calling, &called, - "IPC$", "IPC", False, True)) - { - fstring errstr; - cli_safe_errstr(&cli, errstr, sizeof(errstr)); - DEBUG(0,("modify_trust_password: machine %s rejected the SMB \ -session. Error was : %s.\n", remote_machine, errstr )); - cli_shutdown(&cli); - return False; - } - - - if (cli.protocol != PROTOCOL_NT1) - { - DEBUG(0,("modify_trust_password: machine %s didn't negotiate \ -NT protocol.\n", remote_machine)); - cli_shutdown(&cli); - return False; - } - - if (!(IS_BITS_SET_ALL(cli.sec_mode, 1))) - { - DEBUG(0,("modify_trust_password: machine %s isn't in user \ -level security mode\n", remote_machine)); - cli_shutdown(&cli); - return False; - } - - /* - * Ok - we have an anonymous connection to the IPC$ share. - * Now start the NT Domain stuff :-). - */ - - if (!cli_nt_session_open(&cli, PIPE_NETLOGON, &nt_pipe_fnum)) - { - fstring errstr; - cli_safe_errstr(&cli, errstr, sizeof(errstr)); - DEBUG(0,("modify_trust_password: unable to open the domain \ -client session to server %s. Error was : %s.\n", remote_machine, errstr )); - cli_nt_session_close(&cli, nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } - - if (cli_nt_setup_creds(&cli, nt_pipe_fnum, - cli.mach_acct, global_myname, - orig_trust_passwd_hash, sec_chan) != 0x0) - { - fstring errstr; - cli_safe_errstr(&cli, errstr, sizeof(errstr)); - DEBUG(0,("modify_trust_password: unable to setup the PDC \ -credentials to server %s. Error was : %s.\n", remote_machine, errstr )); - cli_nt_session_close(&cli, nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } - - if (!cli_nt_srv_pwset( &cli, nt_pipe_fnum, new_trust_passwd_hash, - sec_chan ) ) - { - fstring errstr; - cli_safe_errstr(&cli, errstr, sizeof(errstr)); - DEBUG(0,("modify_trust_password: unable to change password for \ -workstation %s in domain %s to Domain controller %s. Error was %s.\n", - global_myname, domain, remote_machine, errstr )); - cli_nt_session_close(&cli, nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } - - cli_nt_session_close(&cli, nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - - return True; -} - -/************************************************************************ - Change the trust account password for a domain. - The user of this function must have locked the trust password file for - update. -************************************************************************/ - -BOOL change_trust_account_password(char *domain, char *remote_machine_list, - uint16 sec_chan) -{ - fstring remote_machine; - unsigned char old_trust_passwd_hash[16]; - unsigned char new_trust_passwd_hash[16]; - time_t lct; - BOOL res; - - if(!get_trust_account_password( old_trust_passwd_hash, &lct)) { - DEBUG(0,("change_trust_account_password: unable to read the machine \ -account password for domain %s.\n", domain)); - return False; - } - - /* - * Create the new (random) password. - */ - generate_random_buffer( new_trust_passwd_hash, 16, True); - - while(remote_machine_list && - next_token(&remote_machine_list, remote_machine, - LIST_SEP, sizeof(remote_machine))) { - strupper(remote_machine); - if(modify_trust_password( domain, remote_machine, - old_trust_passwd_hash, new_trust_passwd_hash, sec_chan)) { - DEBUG(0,("%s : change_trust_account_password: Changed password for \ -domain %s.\n", timestring(), domain)); - /* - * Return the result of trying to write the new password - * back into the trust account file. - */ - res = set_trust_account_password(new_trust_passwd_hash); - memset(new_trust_passwd_hash, 0, 16); - memset(old_trust_passwd_hash, 0, 16); - return res; - } - } - - memset(new_trust_passwd_hash, 0, 16); - memset(old_trust_passwd_hash, 0, 16); - - DEBUG(0,("%s : change_trust_account_password: Failed to change password for \ -domain %s.\n", timestring(), domain)); - return False; -} BOOL do_sam_sync(struct cli_state *cli, uchar trust_passwd[16], + const char* srv_name, SAM_DELTA_HDR hdr_deltas[MAX_SAM_DELTAS], SAM_DELTA_CTR deltas [MAX_SAM_DELTAS], uint32 *num_deltas) @@ -737,14 +566,14 @@ BOOL do_sam_sync(struct cli_state *cli, uchar trust_passwd[16], *num_deltas = 0; - DEBUG(2,("Attempting SAM sync with PDC, domain: %s name: %s\n", - cli->domain, global_myname)); + DEBUG(5,("Attempting SAM sync with PDC, domain: %s name: %s\n", + cli->domain, srv_name)); /* open NETLOGON session. negotiate credentials */ res = res ? cli_nt_session_open(cli, PIPE_NETLOGON, &nt_pipe_fnum) : False; res = res ? cli_nt_setup_creds(cli, nt_pipe_fnum, - cli->mach_acct, global_myname, + cli->mach_acct, srv_name, trust_passwd, SEC_CHAN_BDC) == 0x0 : False; memset(trust_passwd, 0, 16); @@ -756,11 +585,11 @@ BOOL do_sam_sync(struct cli_state *cli, uchar trust_passwd[16], if (!res) { - DEBUG(0, ("SAM synchronisation FAILED\n")); + DEBUG(5, ("SAM synchronisation FAILED\n")); return False; } - DEBUG(0, ("SAM synchronisation returned %d entries\n", *num_deltas)); + DEBUG(5, ("SAM synchronisation returned %d entries\n", *num_deltas)); return True; } -- cgit From 8e1f542ddf97fef925a88e2c3d9c1e82fb2f6683 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Mon, 25 Oct 1999 16:22:08 +0000 Subject: one of those wonderful moments when running against a different MSRPC implementation (NT5) when you discover that your code is trash. samr_enum_dom_users(), samr_enum_dom_aliases() and samr_enum_dom_groups() all take a HANDLE for multiple-call enumeration purposes. (This used to be commit 19490d8b4fb8a103f3df4e6104f6f22937b0c518) --- source3/rpc_client/cli_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index e5b028f987..a91a448994 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -522,7 +522,7 @@ BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 databas net_io_r_sam_sync("", cli->sess_key, &r_s, &rbuf, 0); ok = (rbuf.offset != 0); - if (ok && r_s.status != 0 && r_s.status != NT_STATUS_MORE_ENTRIES) + if (ok && r_s.status != 0 && r_s.status != STATUS_MORE_ENTRIES) { /* report error code */ DEBUG(5,("cli_net_sam_sync: %s\n", get_nt_error_msg(r_s.status))); @@ -541,7 +541,7 @@ BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 databas { *num_deltas = r_s.num_deltas2; - if (r_s.status == NT_STATUS_MORE_ENTRIES) + if (r_s.status == STATUS_MORE_ENTRIES) { DEBUG(5, ("(More entries)\n")); } -- cgit From ea6592046f40ca21c689bff6472b4dd764850e43 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Tue, 26 Oct 1999 16:46:45 +0000 Subject: adding extra parameter back in to trust account functions (trust account name). restoring opening S-1-5-20 in sam enum users code. (This used to be commit 1be877114e2e958c59e6516dacf22d3fb5a4240f) --- source3/rpc_client/cli_netlogon.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index a91a448994..0a9228a3b2 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -490,7 +490,12 @@ password ?).\n", cli->desthost )); /*************************************************************************** Synchronise SAM Database (requires SEC_CHAN_BDC). ****************************************************************************/ -BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 database_id, uint32 *num_deltas, SAM_DELTA_HDR *hdr_deltas, SAM_DELTA_CTR *deltas) +BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, + const char* srv_name, + uint32 database_id, + uint32 *num_deltas, + SAM_DELTA_HDR *hdr_deltas, + SAM_DELTA_CTR *deltas) { NET_Q_SAM_SYNC q_s; prs_struct rbuf; @@ -505,7 +510,7 @@ BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 databas /* create and send a MSRPC command with api NET_SAM_SYNC */ - make_q_sam_sync(&q_s, cli->srv_name_slash, global_myname, + make_q_sam_sync(&q_s, cli->srv_name_slash, srv_name, &new_clnt_cred, database_id); /* turn parameters into data stream */ @@ -556,6 +561,7 @@ BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 databas BOOL do_sam_sync(struct cli_state *cli, uchar trust_passwd[16], + const char* acct_name, const char* srv_name, SAM_DELTA_HDR hdr_deltas[MAX_SAM_DELTAS], SAM_DELTA_CTR deltas [MAX_SAM_DELTAS], @@ -573,12 +579,13 @@ BOOL do_sam_sync(struct cli_state *cli, uchar trust_passwd[16], res = res ? cli_nt_session_open(cli, PIPE_NETLOGON, &nt_pipe_fnum) : False; res = res ? cli_nt_setup_creds(cli, nt_pipe_fnum, - cli->mach_acct, srv_name, + acct_name, srv_name, trust_passwd, SEC_CHAN_BDC) == 0x0 : False; memset(trust_passwd, 0, 16); - res = res ? cli_net_sam_sync(cli, nt_pipe_fnum, 0, num_deltas, hdr_deltas, deltas) : False; + res = res ? cli_net_sam_sync(cli, nt_pipe_fnum, srv_name, + 0, num_deltas, hdr_deltas, deltas) : False; /* close the session */ cli_nt_session_close(cli, nt_pipe_fnum); -- cgit From 2803a72751cf511aa0b5e6745e1b169faa66f68a Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Wed, 24 Nov 1999 22:45:09 +0000 Subject: ok. *whew*. this is the first completed part of the restructure. verified that lsaquery, lsalookupsids work, and found some bugs in the parameters of these commands :-) soo... we now have an lsa_* api that has the same arguments as the nt Lsa* api! cool! the only significant coding difference is the introduction of a user_credentials structure, containing user, domain, pass and ntlmssp flags. (This used to be commit 57bff6fe82d777e599d535f076efb2328ba1188b) --- source3/rpc_client/cli_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 0a9228a3b2..d6db75f243 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -572,8 +572,8 @@ BOOL do_sam_sync(struct cli_state *cli, uchar trust_passwd[16], *num_deltas = 0; - DEBUG(5,("Attempting SAM sync with PDC, domain: %s name: %s\n", - cli->domain, srv_name)); + DEBUG(5,("Attempting SAM sync with PDC: %s\n", + srv_name)); /* open NETLOGON session. negotiate credentials */ res = res ? cli_nt_session_open(cli, PIPE_NETLOGON, &nt_pipe_fnum) : False; -- cgit From e302cb2b189f679bcf7efe60d5ae9fb4218c1411 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Mon, 29 Nov 1999 19:46:57 +0000 Subject: first attempt at getting \PIPE\NETLOGON working. it's pretty horrible. (This used to be commit 44dd3efa6380544e9a515e91960f9271498cefaf) --- source3/rpc_client/cli_netlogon.c | 306 +++++++++++++++++++++----------------- 1 file changed, 166 insertions(+), 140 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index d6db75f243..1231c706d0 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -30,13 +30,12 @@ #include "includes.h" extern int DEBUGLEVEL; -extern pstring global_myname; /**************************************************************************** Generate the next creds to use. ****************************************************************************/ -static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) +void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) { /* * Create the new client credentials. @@ -52,54 +51,58 @@ static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) } -#if UNUSED_CODE /**************************************************************************** do a LSA Logon Control2 ****************************************************************************/ -BOOL cli_net_logon_ctrl2(struct cli_state *cli, uint16 nt_pipe_fnum, uint32 status_level) +BOOL cli_net_logon_ctrl2(const char* srv_name, uint32 status_level) { - prs_struct rbuf; - prs_struct buf; - NET_Q_LOGON_CTRL2 q_l; - BOOL ok = False; + prs_struct rbuf; + prs_struct buf; + NET_Q_LOGON_CTRL2 q_l; + BOOL ok = False; - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); - prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + struct cli_connection *con = NULL; - /* create and send a MSRPC command with api NET_LOGON_CTRL2 */ + if (!cli_connection_init(srv_name, PIPE_NETLOGON, &con)) + { + return False; + } - DEBUG(4,("do_net_logon_ctrl2 from %s status level:%x\n", - global_myname, status_level)); + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - /* store the parameters */ - make_q_logon_ctrl2(&q_l, cli->srv_name_slash, status_level); + /* create and send a MSRPC command with api NET_LOGON_CTRL2 */ - /* turn parameters into data stream */ - net_io_q_logon_ctrl2("", &q_l, &buf, 0); + DEBUG(4,("net_logon_ctrl2 status level:%x\n", status_level)); - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_LOGON_CTRL2, &buf, &rbuf)) - { - NET_R_LOGON_CTRL2 r_l; + /* store the parameters */ + make_q_logon_ctrl2(&q_l, srv_name, 0, 0, status_level); - net_io_r_logon_ctrl2("", &r_l, &rbuf, 0); - ok = (rbuf.offset != 0); - - if (ok && r_l.status != 0) - { - /* report error code */ - DEBUG(5,("do_net_logon_ctrl2: Error %s\n", get_nt_error_msg(r_l.status))); - cli->nt_error = r_l.status; - ok = False; - } - } + /* turn parameters into data stream */ + net_io_q_logon_ctrl2("", &q_l, &buf, 0); - prs_mem_free(&rbuf); - prs_mem_free(&buf ); + /* send the data on \PIPE\ */ + if (rpc_con_pipe_req(con, NET_LOGON_CTRL2, &buf, &rbuf)) + { + NET_R_LOGON_CTRL2 r_l; - return ok; + net_io_r_logon_ctrl2("", &r_l, &rbuf, 0); + ok = (rbuf.offset != 0); + + if (ok && r_l.status != 0) + { + /* report error code */ + DEBUG(5,("net_logon_ctrl2: Error %s\n", get_nt_error_msg(r_l.status))); + ok = False; + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + cli_connection_unlink(con); + return ok; } -#endif /**************************************************************************** LSA Authenticate 2 @@ -109,34 +112,50 @@ Ensure that the server credential returned matches the session key encrypt of the server challenge originally received. JRA. ****************************************************************************/ -uint32 cli_net_auth2(struct cli_state *cli, uint16 nt_pipe_fnum, +uint32 cli_net_auth2(const char *srv_name, const char *trust_acct, - const char *srv_name, uint16 sec_chan, + uint16 sec_chan, uint32 neg_flags, DOM_CHAL *srv_chal) { prs_struct rbuf; prs_struct buf; NET_Q_AUTH_2 q_a; uint32 status = 0x0; + uint8 sess_key[16]; + DOM_CRED clnt_cred; + + struct cli_connection *con = NULL; + + if (!cli_connection_getsrv(srv_name, PIPE_NETLOGON, &con)) + { + return False; + } + + if (!cli_get_con_sesskey(con, sess_key)) + { + return False; + } prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); /* create and send a MSRPC command with api NET_AUTH2 */ - DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", - cli->srv_name_slash, cli->mach_acct, sec_chan, srv_name, - credstr(cli->clnt_cred.challenge.data), neg_flags)); + DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s neg: %x\n", + srv_name, trust_acct, sec_chan, srv_name, + neg_flags)); + + cli_con_get_cli_cred(con, &clnt_cred); /* store the parameters */ - make_q_auth_2(&q_a, cli->srv_name_slash, trust_acct, sec_chan, srv_name, - &cli->clnt_cred.challenge, neg_flags); + make_q_auth_2(&q_a, srv_name, trust_acct, sec_chan, srv_name, + &clnt_cred.challenge, neg_flags); /* turn parameters into data stream */ net_io_q_auth_2("", &q_a, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_AUTH2, &buf, &rbuf)) + if (rpc_con_pipe_req(con, NET_AUTH2, &buf, &rbuf)) { NET_R_AUTH_2 r_a; @@ -148,7 +167,6 @@ uint32 cli_net_auth2(struct cli_state *cli, uint16 nt_pipe_fnum, /* report error code */ DEBUG(5,("cli_net_auth2: Error %s\n", get_nt_error_msg(r_a.status))); - cli->nt_error = r_a.status; status = r_a.status; } @@ -161,13 +179,14 @@ uint32 cli_net_auth2(struct cli_state *cli, uint16 nt_pipe_fnum, UTIME zerotime; zerotime.time = 0; - if(cred_assert( &r_a.srv_chal, cli->sess_key, srv_chal, zerotime) == 0) + if(cred_assert( &r_a.srv_chal, sess_key, + srv_chal, zerotime) == 0) { /* * Server replied with bad credential. Fail. */ - DEBUG(5,("cli_net_auth2: server %s replied with bad credential (bad machine \ - password ?).\n", cli->desthost )); + DEBUG(5,("cli_net_auth2: server %s replied \ +with bad credential (bad trust account password ?).\n", srv_name)); status = NT_STATUS_NETWORK_CREDENTIAL_CONFLICT | 0xC0000000; } } @@ -190,7 +209,7 @@ uint32 cli_net_auth2(struct cli_state *cli, uint16 nt_pipe_fnum, } else { - DEBUG(5,("rpc_api_pipe_req FAILED\n")); + DEBUG(5,("rpc_con_pipe_req FAILED\n")); status = 0xC0000000 | NT_STATUS_ACCESS_DENIED; } @@ -207,8 +226,7 @@ LSA Request Challenge. Sends our challenge to server, then gets server response. These are used to generate the credentials. ****************************************************************************/ -uint32 cli_net_req_chal(struct cli_state *cli, uint16 nt_pipe_fnum, - const char *srv_name, +uint32 cli_net_req_chal( const char *srv_name, const char* myhostname, DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) { prs_struct rbuf; @@ -216,6 +234,13 @@ uint32 cli_net_req_chal(struct cli_state *cli, uint16 nt_pipe_fnum, NET_Q_REQ_CHAL q_c; uint32 status = 0x0; + struct cli_connection *con = NULL; + + if (!cli_connection_init(srv_name, PIPE_NETLOGON, &con)) + { + return False; + } + if (srv_chal == NULL || clnt_chal == NULL) return 0xC0000000 | NT_STATUS_INVALID_PARAMETER; @@ -225,16 +250,16 @@ uint32 cli_net_req_chal(struct cli_state *cli, uint16 nt_pipe_fnum, /* create and send a MSRPC command with api NET_REQCHAL */ DEBUG(4,("cli_net_req_chal: LSA Request Challenge from %s to %s: %s\n", - cli->desthost, srv_name, credstr(clnt_chal->data))); + srv_name, myhostname, credstr(clnt_chal->data))); /* store the parameters */ - make_q_req_chal(&q_c, cli->srv_name_slash, srv_name, clnt_chal); + make_q_req_chal(&q_c, srv_name, myhostname, clnt_chal); /* turn parameters into data stream */ net_io_q_req_chal("", &q_c, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_REQCHAL, &buf, &rbuf)) + if (rpc_con_pipe_req(con, NET_REQCHAL, &buf, &rbuf)) { NET_R_REQ_CHAL r_c; @@ -245,7 +270,6 @@ uint32 cli_net_req_chal(struct cli_state *cli, uint16 nt_pipe_fnum, { /* report error code */ DEBUG(5,("cli_net_req_chal: Error %s\n", get_nt_error_msg(r_c.status))); - cli->nt_error = r_c.status; status = r_c.status; } @@ -257,7 +281,7 @@ uint32 cli_net_req_chal(struct cli_state *cli, uint16 nt_pipe_fnum, } else { - DEBUG(5,("rpc_api_pipe_req FAILED\n")); + DEBUG(5,("rpc_con_pipe_req FAILED\n")); status = 0xC0000000 | NT_STATUS_ACCESS_DENIED; } @@ -271,16 +295,37 @@ uint32 cli_net_req_chal(struct cli_state *cli, uint16 nt_pipe_fnum, LSA Server Password Set. ****************************************************************************/ -BOOL cli_net_srv_pwset(struct cli_state *cli, uint16 nt_pipe_fnum, - uint8 hashed_mach_pwd[16], uint16 sec_chan_type) +BOOL cli_net_srv_pwset(const char* srv_name, + const char* myhostname, + const char* trust_acct, + uint8 hashed_trust_pwd[16], + uint16 sec_chan_type) { prs_struct rbuf; prs_struct buf; DOM_CRED new_clnt_cred; NET_Q_SRV_PWSET q_s; BOOL ok = False; + unsigned char processed_new_pwd[16]; + /* Process the new password. */ + + uint8 sess_key[16]; + + struct cli_connection *con = NULL; - gen_next_creds( cli, &new_clnt_cred); + if (!cli_connection_getsrv(srv_name, PIPE_NETLOGON, &con)) + { + return False; + } + + if (!cli_get_con_sesskey(con, sess_key)) + { + return False; + } + + cred_hash3( processed_new_pwd, hashed_trust_pwd, sess_key, 1); + + cli_con_gen_next_creds( con, &new_clnt_cred); prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); @@ -288,18 +333,18 @@ BOOL cli_net_srv_pwset(struct cli_state *cli, uint16 nt_pipe_fnum, /* create and send a MSRPC command with api NET_SRV_PWSET */ DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s clnt %s %x\n", - cli->srv_name_slash, cli->mach_acct, sec_chan_type, global_myname, + srv_name, trust_acct, sec_chan_type, myhostname, credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time)); /* store the parameters */ - make_q_srv_pwset(&q_s, cli->srv_name_slash, cli->mach_acct, sec_chan_type, - global_myname, &new_clnt_cred, (char *)hashed_mach_pwd); + make_q_srv_pwset(&q_s, srv_name, trust_acct, sec_chan_type, + myhostname, &new_clnt_cred, (char *)processed_new_pwd); /* turn parameters into data stream */ net_io_q_srv_pwset("", &q_s, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_SRVPWSET, &buf, &rbuf)) + if (rpc_con_pipe_req(con, NET_SRVPWSET, &buf, &rbuf)) { NET_R_SRV_PWSET r_s; @@ -310,18 +355,17 @@ BOOL cli_net_srv_pwset(struct cli_state *cli, uint16 nt_pipe_fnum, { /* report error code */ DEBUG(5,("cli_net_srv_pwset: %s\n", get_nt_error_msg(r_s.status))); - cli->nt_error = r_s.status; ok = False; } /* Update the credentials. */ - if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_cred))) + if (ok && !cli_con_deal_with_creds(con, &(r_s.srv_cred))) { /* * Server replied with bad credential. Fail. */ - DEBUG(5,("cli_net_srv_pwset: server %s replied with bad credential (bad machine \ -password ?).\n", cli->desthost )); + DEBUG(5,("cli_net_srv_pwset: server %s replied with bad credential \ +(bad trust account password ?).\n", srv_name)); ok = False; } } @@ -336,8 +380,9 @@ password ?).\n", cli->desthost )); LSA SAM Logon - interactive or network. ****************************************************************************/ -BOOL cli_net_sam_logon(struct cli_state *cli, uint16 nt_pipe_fnum, NET_ID_INFO_CTR *ctr, - NET_USER_INFO_3 *user_info3) +BOOL cli_net_sam_logon(const char* srv_name, const char* myhostname, + NET_ID_INFO_CTR *ctr, + NET_USER_INFO_3 *user_info3) { DOM_CRED new_clnt_cred; DOM_CRED dummy_rtn_creds; @@ -347,30 +392,36 @@ BOOL cli_net_sam_logon(struct cli_state *cli, uint16 nt_pipe_fnum, NET_ID_INFO_C NET_Q_SAM_LOGON q_s; BOOL ok = False; - gen_next_creds( cli, &new_clnt_cred); + struct cli_connection *con = NULL; + + if (!cli_connection_getsrv(srv_name, PIPE_NETLOGON, &con)) + { + return False; + } + + cli_con_gen_next_creds( con, &new_clnt_cred); prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); /* create and send a MSRPC command with api NET_SAMLOGON */ - DEBUG(4,("cli_net_sam_logon: srv:%s mc:%s clnt %s %x ll: %d\n", - cli->srv_name_slash, global_myname, - credstr(new_clnt_cred.challenge.data), cli->clnt_cred.timestamp.time, + DEBUG(4,("cli_net_sam_logon: srv:%s mc:%s ll: %d\n", + srv_name, myhostname, ctr->switch_value)); memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); dummy_rtn_creds.timestamp.time = time(NULL); /* store the parameters */ - make_sam_info(&(q_s.sam_id), cli->srv_name_slash, global_myname, + make_sam_info(&(q_s.sam_id), srv_name, myhostname, &new_clnt_cred, &dummy_rtn_creds, ctr->switch_value, ctr, validation_level); /* turn parameters into data stream */ net_io_q_sam_logon("", &q_s, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_SAMLOGON, &buf, &rbuf)) + if (rpc_con_pipe_req(con, NET_SAMLOGON, &buf, &rbuf)) { NET_R_SAM_LOGON r_s; @@ -383,18 +434,17 @@ BOOL cli_net_sam_logon(struct cli_state *cli, uint16 nt_pipe_fnum, NET_ID_INFO_C { /* report error code */ DEBUG(5,("cli_net_sam_logon: %s\n", get_nt_error_msg(r_s.status))); - cli->nt_error = r_s.status; ok = False; } /* Update the credentials. */ - if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_creds))) + if (ok && !cli_con_deal_with_creds(con, &(r_s.srv_creds))) { /* * Server replied with bad credential. Fail. */ - DEBUG(5,("cli_net_sam_logon: server %s replied with bad credential (bad machine \ -password ?).\n", cli->desthost )); + DEBUG(5,("cli_net_sam_logon: server %s replied with bad credential \ +(bad trust account password ?).\n", srv_name)); ok = False; } @@ -422,7 +472,8 @@ send a different info level. Right now though, I'm not sure what that needs to be (I need to see one on the wire before I can be sure). JRA. ****************************************************************************/ -BOOL cli_net_sam_logoff(struct cli_state *cli, uint16 nt_pipe_fnum, NET_ID_INFO_CTR *ctr) +BOOL cli_net_sam_logoff(const char* srv_name, const char* myhostname, + NET_ID_INFO_CTR *ctr) { DOM_CRED new_clnt_cred; DOM_CRED dummy_rtn_creds; @@ -432,7 +483,14 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, uint16 nt_pipe_fnum, NET_ID_INFO_ uint16 validation_level = 3; BOOL ok = False; - gen_next_creds( cli, &new_clnt_cred); + struct cli_connection *con = NULL; + + if (!cli_connection_getsrv(srv_name, PIPE_NETLOGON, &con)) + { + return False; + } + + cli_con_gen_next_creds( con, &new_clnt_cred); prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); @@ -440,21 +498,21 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, uint16 nt_pipe_fnum, NET_ID_INFO_ /* create and send a MSRPC command with api NET_SAMLOGOFF */ DEBUG(4,("cli_net_sam_logoff: srv:%s mc:%s clnt %s %x ll: %d\n", - cli->srv_name_slash, global_myname, + srv_name, myhostname, credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time, ctr->switch_value)); memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); /* store the parameters */ - make_sam_info(&(q_s.sam_id), cli->srv_name_slash, global_myname, + make_sam_info(&(q_s.sam_id), srv_name, myhostname, &new_clnt_cred, &dummy_rtn_creds, ctr->switch_value, ctr, validation_level); /* turn parameters into data stream */ net_io_q_sam_logoff("", &q_s, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_SAMLOGOFF, &buf, &rbuf)) + if (rpc_con_pipe_req(con, NET_SAMLOGOFF, &buf, &rbuf)) { NET_R_SAM_LOGOFF r_s; @@ -465,18 +523,17 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, uint16 nt_pipe_fnum, NET_ID_INFO_ { /* report error code */ DEBUG(5,("cli_net_sam_logoff: %s\n", get_nt_error_msg(r_s.status))); - cli->nt_error = r_s.status; ok = False; } /* Update the credentials. */ - if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_creds))) + if (ok && !cli_con_deal_with_creds(con, &(r_s.srv_creds))) { /* * Server replied with bad credential. Fail. */ - DEBUG(5,("cli_net_sam_logoff: server %s replied with bad credential (bad machine \ -password ?).\n", cli->desthost )); + DEBUG(5,("cli_net_sam_logoff: server %s replied with bad credential \ +(bad trust account password ?).\n", srv_name )); ok = False; } } @@ -490,8 +547,7 @@ password ?).\n", cli->desthost )); /*************************************************************************** Synchronise SAM Database (requires SEC_CHAN_BDC). ****************************************************************************/ -BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, - const char* srv_name, +BOOL cli_net_sam_sync( const char* srv_name, const char* myhostname, uint32 database_id, uint32 *num_deltas, SAM_DELTA_HDR *hdr_deltas, @@ -502,43 +558,56 @@ BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, prs_struct buf; DOM_CRED new_clnt_cred; BOOL ok = False; + uint8 sess_key[16]; - gen_next_creds(cli, &new_clnt_cred); + struct cli_connection *con = NULL; + + if (!cli_connection_getsrv(srv_name, PIPE_NETLOGON, &con)) + { + return False; + } + + if (!cli_get_con_sesskey(con, sess_key)) + { + return False; + } + + cli_con_gen_next_creds(con, &new_clnt_cred); prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); /* create and send a MSRPC command with api NET_SAM_SYNC */ - make_q_sam_sync(&q_s, cli->srv_name_slash, srv_name, + make_q_sam_sync(&q_s, srv_name, myhostname, &new_clnt_cred, database_id); /* turn parameters into data stream */ net_io_q_sam_sync("", &q_s, &buf, 0); /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, nt_pipe_fnum, NET_SAM_SYNC, &buf, &rbuf)) + if (rpc_con_pipe_req(con, NET_SAM_SYNC, &buf, &rbuf)) { NET_R_SAM_SYNC r_s; r_s.hdr_deltas = hdr_deltas; r_s.deltas = deltas; - net_io_r_sam_sync("", cli->sess_key, &r_s, &rbuf, 0); + net_io_r_sam_sync("", sess_key, &r_s, &rbuf, 0); ok = (rbuf.offset != 0); if (ok && r_s.status != 0 && r_s.status != STATUS_MORE_ENTRIES) { /* report error code */ DEBUG(5,("cli_net_sam_sync: %s\n", get_nt_error_msg(r_s.status))); - cli->nt_error = r_s.status; ok = False; } /* Update the credentials. */ - if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_creds))) + if (ok && !cli_con_deal_with_creds(con, &(r_s.srv_creds))) { - DEBUG(5,("cli_net_sam_sync: server %s replied with bad credential (bad machine password ?).\n", cli->desthost)); + DEBUG(5,("cli_net_sam_sync: server %s replied with bad \ +credential (bad trust account password ?).\n", srv_name)); ok = False; } @@ -558,46 +627,3 @@ BOOL cli_net_sam_sync(struct cli_state *cli, uint16 nt_pipe_fnum, return ok; } - - -BOOL do_sam_sync(struct cli_state *cli, uchar trust_passwd[16], - const char* acct_name, - const char* srv_name, - SAM_DELTA_HDR hdr_deltas[MAX_SAM_DELTAS], - SAM_DELTA_CTR deltas [MAX_SAM_DELTAS], - uint32 *num_deltas) -{ - uint16 nt_pipe_fnum; - BOOL res = True; - - *num_deltas = 0; - - DEBUG(5,("Attempting SAM sync with PDC: %s\n", - srv_name)); - - /* open NETLOGON session. negotiate credentials */ - res = res ? cli_nt_session_open(cli, PIPE_NETLOGON, &nt_pipe_fnum) : False; - - res = res ? cli_nt_setup_creds(cli, nt_pipe_fnum, - acct_name, srv_name, - trust_passwd, SEC_CHAN_BDC) == 0x0 : False; - - memset(trust_passwd, 0, 16); - - res = res ? cli_net_sam_sync(cli, nt_pipe_fnum, srv_name, - 0, num_deltas, hdr_deltas, deltas) : False; - - /* close the session */ - cli_nt_session_close(cli, nt_pipe_fnum); - - if (!res) - { - DEBUG(5, ("SAM synchronisation FAILED\n")); - return False; - } - - DEBUG(5, ("SAM synchronisation returned %d entries\n", *num_deltas)); - - return True; -} - -- cgit From 86ac6fa9389532bc0e39b4da2fb73766cf29aeb9 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Wed, 1 Dec 1999 19:25:51 +0000 Subject: fixing joining to domain plus something weird going down with nt logins... (This used to be commit cef258f1c931ecb7c2dda9d5c9977153e4c1dc73) --- source3/rpc_client/cli_netlogon.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 1231c706d0..fd6242c996 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -114,6 +114,7 @@ encrypt of the server challenge originally received. JRA. uint32 cli_net_auth2(const char *srv_name, const char *trust_acct, + const char *acct_name, uint16 sec_chan, uint32 neg_flags, DOM_CHAL *srv_chal) { @@ -142,13 +143,13 @@ uint32 cli_net_auth2(const char *srv_name, /* create and send a MSRPC command with api NET_AUTH2 */ DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s neg: %x\n", - srv_name, trust_acct, sec_chan, srv_name, + srv_name, trust_acct, sec_chan, acct_name, neg_flags)); cli_con_get_cli_cred(con, &clnt_cred); /* store the parameters */ - make_q_auth_2(&q_a, srv_name, trust_acct, sec_chan, srv_name, + make_q_auth_2(&q_a, srv_name, trust_acct, sec_chan, acct_name, &clnt_cred.challenge, neg_flags); /* turn parameters into data stream */ -- cgit From f6c5f755681a5b595b7d5f5fefc6394e9001a3e4 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Wed, 1 Dec 1999 20:18:21 +0000 Subject: damn, that took a while. nt login password was being stored incorrectly in private .mac file (oops). ntlogin test now works. (This used to be commit c98c66690683965612e9631d77c2dff91ec8a872) --- source3/rpc_client/cli_netlogon.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index fd6242c996..147578f448 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -416,7 +416,9 @@ BOOL cli_net_sam_logon(const char* srv_name, const char* myhostname, /* store the parameters */ make_sam_info(&(q_s.sam_id), srv_name, myhostname, - &new_clnt_cred, &dummy_rtn_creds, ctr->switch_value, ctr, validation_level); + &new_clnt_cred, &dummy_rtn_creds, ctr->switch_value, ctr); + + q_s.validation_level = validation_level; /* turn parameters into data stream */ net_io_q_sam_logon("", &q_s, &buf, 0); @@ -481,7 +483,6 @@ BOOL cli_net_sam_logoff(const char* srv_name, const char* myhostname, prs_struct rbuf; prs_struct buf; NET_Q_SAM_LOGOFF q_s; - uint16 validation_level = 3; BOOL ok = False; struct cli_connection *con = NULL; @@ -507,7 +508,7 @@ BOOL cli_net_sam_logoff(const char* srv_name, const char* myhostname, /* store the parameters */ make_sam_info(&(q_s.sam_id), srv_name, myhostname, - &new_clnt_cred, &dummy_rtn_creds, ctr->switch_value, ctr, validation_level); + &new_clnt_cred, &dummy_rtn_creds, ctr->switch_value, ctr); /* turn parameters into data stream */ net_io_q_sam_logoff("", &q_s, &buf, 0); -- cgit From 3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 13 Dec 1999 13:27:58 +0000 Subject: first pass at updating head branch to be to be the same as the SAMBA_2_0 branch (This used to be commit 453a822a76780063dff23526c35408866d0c0154) --- source3/rpc_client/cli_netlogon.c | 758 +++++++++++++++++++++----------------- 1 file changed, 415 insertions(+), 343 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 147578f448..8202960089 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -30,12 +30,15 @@ #include "includes.h" extern int DEBUGLEVEL; +extern pstring scope; +extern pstring global_myname; +extern fstring global_myworkgroup; /**************************************************************************** Generate the next creds to use. ****************************************************************************/ -void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) +static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) { /* * Create the new client credentials. @@ -51,58 +54,61 @@ void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) } +#if UNUSED_CODE /**************************************************************************** do a LSA Logon Control2 ****************************************************************************/ -BOOL cli_net_logon_ctrl2(const char* srv_name, uint32 status_level) +BOOL cli_net_logon_ctrl2(struct cli_state *cli, uint32 status_level) { - prs_struct rbuf; - prs_struct buf; - NET_Q_LOGON_CTRL2 q_l; - BOOL ok = False; - - struct cli_connection *con = NULL; - - if (!cli_connection_init(srv_name, PIPE_NETLOGON, &con)) - { - return False; - } - - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); - prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + prs_struct rbuf; + prs_struct buf; + NET_Q_LOGON_CTRL2 q_l; + BOOL ok = False; - /* create and send a MSRPC command with api NET_LOGON_CTRL2 */ + prs_init(&buf , 1024, 4, False); + prs_init(&rbuf, 0, 4, True ); - DEBUG(4,("net_logon_ctrl2 status level:%x\n", status_level)); + /* create and send a MSRPC command with api NET_LOGON_CTRL2 */ - /* store the parameters */ - make_q_logon_ctrl2(&q_l, srv_name, 0, 0, status_level); + DEBUG(4,("do_net_logon_ctrl2 from %s status level:%x\n", + global_myname, status_level)); - /* turn parameters into data stream */ - net_io_q_logon_ctrl2("", &q_l, &buf, 0); + /* store the parameters */ + init_q_logon_ctrl2(&q_l, cli->srv_name_slash, status_level); - /* send the data on \PIPE\ */ - if (rpc_con_pipe_req(con, NET_LOGON_CTRL2, &buf, &rbuf)) - { - NET_R_LOGON_CTRL2 r_l; + /* turn parameters into data stream */ + if(!net_io_q_logon_ctrl2("", &q_l, &buf, 0)) { + DEBUG(0,("cli_net_logon_ctrl2: Error : failed to marshall NET_Q_LOGON_CTRL2 struct.\n")); + prs_mem_free(&buf); + prs_mem_free(&rbuf); + return False; + } - net_io_r_logon_ctrl2("", &r_l, &rbuf, 0); - ok = (rbuf.offset != 0); + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, NET_LOGON_CTRL2, &buf, &rbuf)) + { + NET_R_LOGON_CTRL2 r_l; - if (ok && r_l.status != 0) - { - /* report error code */ - DEBUG(5,("net_logon_ctrl2: Error %s\n", get_nt_error_msg(r_l.status))); - ok = False; - } - } + /* + * Unmarshall the return buffer. + */ + ok = net_io_r_logon_ctrl2("", &r_l, &rbuf, 0); + + if (ok && r_l.status != 0) + { + /* report error code */ + DEBUG(0,("do_net_logon_ctrl2: Error %s\n", get_nt_error_msg(r_l.status))); + cli->nt_error = r_l.status; + ok = False; + } + } - prs_mem_free(&rbuf); - prs_mem_free(&buf ); + prs_mem_free(&buf); + prs_mem_free(&rbuf); - cli_connection_unlink(con); - return ok; + return ok; } +#endif /**************************************************************************** LSA Authenticate 2 @@ -112,114 +118,90 @@ Ensure that the server credential returned matches the session key encrypt of the server challenge originally received. JRA. ****************************************************************************/ -uint32 cli_net_auth2(const char *srv_name, - const char *trust_acct, - const char *acct_name, - uint16 sec_chan, - uint32 neg_flags, DOM_CHAL *srv_chal) +BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, + uint32 neg_flags, DOM_CHAL *srv_chal) { - prs_struct rbuf; - prs_struct buf; - NET_Q_AUTH_2 q_a; - uint32 status = 0x0; - uint8 sess_key[16]; - DOM_CRED clnt_cred; - - struct cli_connection *con = NULL; - - if (!cli_connection_getsrv(srv_name, PIPE_NETLOGON, &con)) - { - return False; - } - - if (!cli_get_con_sesskey(con, sess_key)) - { - return False; - } - - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); - prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - - /* create and send a MSRPC command with api NET_AUTH2 */ - - DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s neg: %x\n", - srv_name, trust_acct, sec_chan, acct_name, - neg_flags)); - - cli_con_get_cli_cred(con, &clnt_cred); - - /* store the parameters */ - make_q_auth_2(&q_a, srv_name, trust_acct, sec_chan, acct_name, - &clnt_cred.challenge, neg_flags); - - /* turn parameters into data stream */ - net_io_q_auth_2("", &q_a, &buf, 0); - - /* send the data on \PIPE\ */ - if (rpc_con_pipe_req(con, NET_AUTH2, &buf, &rbuf)) - { - NET_R_AUTH_2 r_a; - - net_io_r_auth_2("", &r_a, &rbuf, 0); - status = (rbuf.offset == 0) ? 0xC0000000 | NT_STATUS_INVALID_PARAMETER : 0; - - if (status == 0x0 && r_a.status != 0) - { - /* report error code */ - DEBUG(5,("cli_net_auth2: Error %s\n", - get_nt_error_msg(r_a.status))); - status = r_a.status; - } - - if (status == 0x0) - { - /* - * Check the returned value using the initial - * server received challenge. - */ - UTIME zerotime; - - zerotime.time = 0; - if(cred_assert( &r_a.srv_chal, sess_key, - srv_chal, zerotime) == 0) - { - /* - * Server replied with bad credential. Fail. - */ - DEBUG(5,("cli_net_auth2: server %s replied \ -with bad credential (bad trust account password ?).\n", srv_name)); - status = NT_STATUS_NETWORK_CREDENTIAL_CONFLICT | 0xC0000000; - } - } + prs_struct rbuf; + prs_struct buf; + NET_Q_AUTH_2 q_a; + BOOL ok = False; + + prs_init(&buf , 1024, 4, False); + prs_init(&rbuf, 0, 4, True ); + + /* create and send a MSRPC command with api NET_AUTH2 */ + + DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", + cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, + credstr(cli->clnt_cred.challenge.data), neg_flags)); + + /* store the parameters */ + init_q_auth_2(&q_a, cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, + &cli->clnt_cred.challenge, neg_flags); + + /* turn parameters into data stream */ + if(!net_io_q_auth_2("", &q_a, &buf, 0)) { + DEBUG(0,("cli_net_auth2: Error : failed to marshall NET_Q_AUTH_2 struct.\n")); + prs_mem_free(&buf); + prs_mem_free(&rbuf); + return False; + } + + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, NET_AUTH2, &buf, &rbuf)) + { + NET_R_AUTH_2 r_a; + + ok = net_io_r_auth_2("", &r_a, &rbuf, 0); + + if (ok && r_a.status != 0) + { + /* report error code */ + DEBUG(0,("cli_net_auth2: Error %s\n", get_nt_error_msg(r_a.status))); + cli->nt_error = r_a.status; + ok = False; + } + + if (ok) + { + /* + * Check the returned value using the initial + * server received challenge. + */ + UTIME zerotime; + + zerotime.time = 0; + if(cred_assert( &r_a.srv_chal, cli->sess_key, srv_chal, zerotime) == 0) { + /* + * Server replied with bad credential. Fail. + */ + DEBUG(0,("cli_net_auth2: server %s replied with bad credential (bad machine \ +password ?).\n", cli->desthost )); + ok = False; + } + } #if 0 - /* - * Try commenting this out to see if this makes the connect - * work for a NT 3.51 PDC. JRA. - */ - - if (ok && r_a.srv_flgs.neg_flags != q_a.clnt_flgs.neg_flags) - { - /* report different neg_flags */ - DEBUG(5,("cli_net_auth2: error neg_flags (q,r) differ - (%x,%x)\n", - q_a.clnt_flgs.neg_flags, r_a.srv_flgs.neg_flags)); - ok = False; - } -#endif + /* + * Try commenting this out to see if this makes the connect + * work for a NT 3.51 PDC. JRA. + */ - } - else - { - DEBUG(5,("rpc_con_pipe_req FAILED\n")); - status = 0xC0000000 | NT_STATUS_ACCESS_DENIED; - } + if (ok && r_a.srv_flgs.neg_flags != q_a.clnt_flgs.neg_flags) + { + /* report different neg_flags */ + DEBUG(0,("cli_net_auth2: error neg_flags (q,r) differ - (%x,%x)\n", + q_a.clnt_flgs.neg_flags, r_a.srv_flgs.neg_flags)); + ok = False; + } +#endif - DEBUG(5,("cli_net_auth2 status: %x\n", status)); + } - prs_mem_free(&rbuf); - prs_mem_free(&buf ); + prs_mem_free(&buf); + prs_mem_free(&rbuf); - return status; + return ok; } /**************************************************************************** @@ -227,152 +209,127 @@ LSA Request Challenge. Sends our challenge to server, then gets server response. These are used to generate the credentials. ****************************************************************************/ -uint32 cli_net_req_chal( const char *srv_name, const char* myhostname, - DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) +BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) { prs_struct rbuf; prs_struct buf; NET_Q_REQ_CHAL q_c; - uint32 status = 0x0; - - struct cli_connection *con = NULL; - - if (!cli_connection_init(srv_name, PIPE_NETLOGON, &con)) - { - return False; - } - - if (srv_chal == NULL || clnt_chal == NULL) - return 0xC0000000 | NT_STATUS_INVALID_PARAMETER; + BOOL valid_chal = False; - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); - prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + prs_init(&buf , 1024, 4, False); + prs_init(&rbuf, 0, 4, True ); /* create and send a MSRPC command with api NET_REQCHAL */ DEBUG(4,("cli_net_req_chal: LSA Request Challenge from %s to %s: %s\n", - srv_name, myhostname, credstr(clnt_chal->data))); + cli->desthost, global_myname, credstr(clnt_chal->data))); /* store the parameters */ - make_q_req_chal(&q_c, srv_name, myhostname, clnt_chal); + init_q_req_chal(&q_c, cli->srv_name_slash, global_myname, clnt_chal); /* turn parameters into data stream */ - net_io_q_req_chal("", &q_c, &buf, 0); + if(!net_io_q_req_chal("", &q_c, &buf, 0)) { + DEBUG(0,("cli_net_req_chal: Error : failed to marshall NET_Q_REQ_CHAL struct.\n")); + prs_mem_free(&buf); + prs_mem_free(&rbuf); + return False; + } /* send the data on \PIPE\ */ - if (rpc_con_pipe_req(con, NET_REQCHAL, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, NET_REQCHAL, &buf, &rbuf)) { NET_R_REQ_CHAL r_c; + BOOL ok; - net_io_r_req_chal("", &r_c, &rbuf, 0); - status = (rbuf.offset == 0) ? 0xC0000000 | NT_STATUS_INVALID_PARAMETER : 0; + ok = net_io_r_req_chal("", &r_c, &rbuf, 0); - if (status == 0x0 && r_c.status != 0) + if (ok && r_c.status != 0) { /* report error code */ - DEBUG(5,("cli_net_req_chal: Error %s\n", get_nt_error_msg(r_c.status))); - status = r_c.status; + DEBUG(0,("cli_net_req_chal: Error %s\n", get_nt_error_msg(r_c.status))); + cli->nt_error = r_c.status; + ok = False; } - if (status == 0x0) + if (ok) { /* ok, at last: we're happy. return the challenge */ memcpy(srv_chal, r_c.srv_chal.data, sizeof(srv_chal->data)); + valid_chal = True; } } - else - { - DEBUG(5,("rpc_con_pipe_req FAILED\n")); - status = 0xC0000000 | NT_STATUS_ACCESS_DENIED; - } + prs_mem_free(&buf); prs_mem_free(&rbuf); - prs_mem_free(&buf ); - return status; + return valid_chal; } /*************************************************************************** LSA Server Password Set. ****************************************************************************/ -BOOL cli_net_srv_pwset(const char* srv_name, - const char* myhostname, - const char* trust_acct, - uint8 hashed_trust_pwd[16], - uint16 sec_chan_type) +BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) { prs_struct rbuf; prs_struct buf; DOM_CRED new_clnt_cred; NET_Q_SRV_PWSET q_s; BOOL ok = False; - unsigned char processed_new_pwd[16]; - /* Process the new password. */ - - uint8 sess_key[16]; - - struct cli_connection *con = NULL; - - if (!cli_connection_getsrv(srv_name, PIPE_NETLOGON, &con)) - { - return False; - } - - if (!cli_get_con_sesskey(con, sess_key)) - { - return False; - } - - cred_hash3( processed_new_pwd, hashed_trust_pwd, sess_key, 1); + uint16 sec_chan_type = 2; - cli_con_gen_next_creds( con, &new_clnt_cred); + gen_next_creds( cli, &new_clnt_cred); - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); - prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + prs_init(&buf , 1024, 4, False); + prs_init(&rbuf, 0, 4, True ); /* create and send a MSRPC command with api NET_SRV_PWSET */ DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s clnt %s %x\n", - srv_name, trust_acct, sec_chan_type, myhostname, + cli->srv_name_slash, cli->mach_acct, sec_chan_type, global_myname, credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time)); /* store the parameters */ - make_q_srv_pwset(&q_s, srv_name, trust_acct, sec_chan_type, - myhostname, &new_clnt_cred, (char *)processed_new_pwd); + init_q_srv_pwset(&q_s, cli->srv_name_slash, cli->mach_acct, sec_chan_type, + global_myname, &new_clnt_cred, (char *)hashed_mach_pwd); /* turn parameters into data stream */ - net_io_q_srv_pwset("", &q_s, &buf, 0); + if(!net_io_q_srv_pwset("", &q_s, &buf, 0)) { + DEBUG(0,("cli_net_srv_pwset: Error : failed to marshall NET_Q_SRV_PWSET struct.\n")); + prs_mem_free(&buf); + prs_mem_free(&rbuf); + return False; + } /* send the data on \PIPE\ */ - if (rpc_con_pipe_req(con, NET_SRVPWSET, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, NET_SRVPWSET, &buf, &rbuf)) { NET_R_SRV_PWSET r_s; - net_io_r_srv_pwset("", &r_s, &rbuf, 0); - ok = (rbuf.offset != 0); + ok = net_io_r_srv_pwset("", &r_s, &rbuf, 0); if (ok && r_s.status != 0) { /* report error code */ - DEBUG(5,("cli_net_srv_pwset: %s\n", get_nt_error_msg(r_s.status))); + DEBUG(0,("cli_net_srv_pwset: %s\n", get_nt_error_msg(r_s.status))); + cli->nt_error = r_s.status; ok = False; } /* Update the credentials. */ - if (ok && !cli_con_deal_with_creds(con, &(r_s.srv_cred))) + if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_cred))) { /* * Server replied with bad credential. Fail. */ - DEBUG(5,("cli_net_srv_pwset: server %s replied with bad credential \ -(bad trust account password ?).\n", srv_name)); + DEBUG(0,("cli_net_srv_pwset: server %s replied with bad credential (bad machine \ +password ?).\n", cli->desthost )); ok = False; } } + prs_mem_free(&buf); prs_mem_free(&rbuf); - prs_mem_free(&buf ); return ok; } @@ -381,9 +338,8 @@ BOOL cli_net_srv_pwset(const char* srv_name, LSA SAM Logon - interactive or network. ****************************************************************************/ -BOOL cli_net_sam_logon(const char* srv_name, const char* myhostname, - NET_ID_INFO_CTR *ctr, - NET_USER_INFO_3 *user_info3) +BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, + NET_USER_INFO_3 *user_info3) { DOM_CRED new_clnt_cred; DOM_CRED dummy_rtn_creds; @@ -393,75 +349,73 @@ BOOL cli_net_sam_logon(const char* srv_name, const char* myhostname, NET_Q_SAM_LOGON q_s; BOOL ok = False; - struct cli_connection *con = NULL; - - if (!cli_connection_getsrv(srv_name, PIPE_NETLOGON, &con)) - { - return False; - } + gen_next_creds( cli, &new_clnt_cred); - cli_con_gen_next_creds( con, &new_clnt_cred); - - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); - prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + prs_init(&buf , 1024, 4, False); + prs_init(&rbuf, 0, 4, True ); /* create and send a MSRPC command with api NET_SAMLOGON */ - DEBUG(4,("cli_net_sam_logon: srv:%s mc:%s ll: %d\n", - srv_name, myhostname, + DEBUG(4,("cli_net_sam_logon: srv:%s mc:%s clnt %s %x ll: %d\n", + cli->srv_name_slash, global_myname, + credstr(new_clnt_cred.challenge.data), cli->clnt_cred.timestamp.time, ctr->switch_value)); memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); dummy_rtn_creds.timestamp.time = time(NULL); /* store the parameters */ - make_sam_info(&(q_s.sam_id), srv_name, myhostname, + q_s.validation_level = validation_level; + init_sam_info(&q_s.sam_id, cli->srv_name_slash, global_myname, &new_clnt_cred, &dummy_rtn_creds, ctr->switch_value, ctr); - q_s.validation_level = validation_level; - /* turn parameters into data stream */ - net_io_q_sam_logon("", &q_s, &buf, 0); + if(!net_io_q_sam_logon("", &q_s, &buf, 0)) { + DEBUG(0,("cli_net_sam_logon: Error : failed to marshall NET_Q_SAM_LOGON struct.\n")); + prs_mem_free(&buf); + prs_mem_free(&rbuf); + return False; + } /* send the data on \PIPE\ */ - if (rpc_con_pipe_req(con, NET_SAMLOGON, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, NET_SAMLOGON, &buf, &rbuf)) { NET_R_SAM_LOGON r_s; r_s.user = user_info3; - net_io_r_sam_logon("", &r_s, &rbuf, 0); - ok = (rbuf.offset != 0); + ok = net_io_r_sam_logon("", &r_s, &rbuf, 0); if (ok && r_s.status != 0) { /* report error code */ - DEBUG(5,("cli_net_sam_logon: %s\n", get_nt_error_msg(r_s.status))); + DEBUG(0,("cli_net_sam_logon: %s\n", get_nt_error_msg(r_s.status))); + cli->nt_error = r_s.status; ok = False; } /* Update the credentials. */ - if (ok && !cli_con_deal_with_creds(con, &(r_s.srv_creds))) + if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_creds))) { /* * Server replied with bad credential. Fail. */ - DEBUG(5,("cli_net_sam_logon: server %s replied with bad credential \ -(bad trust account password ?).\n", srv_name)); + DEBUG(0,("cli_net_sam_logon: server %s replied with bad credential (bad machine \ +password ?).\n", cli->desthost )); ok = False; } if (ok && r_s.switch_value != 3) { /* report different switch_value */ - DEBUG(5,("cli_net_sam_logon: switch_value of 3 expected %x\n", + DEBUG(0,("cli_net_sam_logon: switch_value of 3 expected %x\n", r_s.switch_value)); ok = False; } } + prs_mem_free(&buf); prs_mem_free(&rbuf); - prs_mem_free(&buf ); return ok; } @@ -475,8 +429,7 @@ send a different info level. Right now though, I'm not sure what that needs to be (I need to see one on the wire before I can be sure). JRA. ****************************************************************************/ -BOOL cli_net_sam_logoff(const char* srv_name, const char* myhostname, - NET_ID_INFO_CTR *ctr) +BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) { DOM_CRED new_clnt_cred; DOM_CRED dummy_rtn_creds; @@ -485,147 +438,266 @@ BOOL cli_net_sam_logoff(const char* srv_name, const char* myhostname, NET_Q_SAM_LOGOFF q_s; BOOL ok = False; - struct cli_connection *con = NULL; - - if (!cli_connection_getsrv(srv_name, PIPE_NETLOGON, &con)) - { - return False; - } + gen_next_creds( cli, &new_clnt_cred); - cli_con_gen_next_creds( con, &new_clnt_cred); - - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); - prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); + prs_init(&buf , 1024, 4, False); + prs_init(&rbuf, 0, 4, True ); /* create and send a MSRPC command with api NET_SAMLOGOFF */ DEBUG(4,("cli_net_sam_logoff: srv:%s mc:%s clnt %s %x ll: %d\n", - srv_name, myhostname, + cli->srv_name_slash, global_myname, credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time, ctr->switch_value)); memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); - /* store the parameters */ - make_sam_info(&(q_s.sam_id), srv_name, myhostname, + init_sam_info(&q_s.sam_id, cli->srv_name_slash, global_myname, &new_clnt_cred, &dummy_rtn_creds, ctr->switch_value, ctr); /* turn parameters into data stream */ - net_io_q_sam_logoff("", &q_s, &buf, 0); + if(!net_io_q_sam_logoff("", &q_s, &buf, 0)) { + DEBUG(0,("cli_net_sam_logoff: Error : failed to marshall NET_Q_SAM_LOGOFF struct.\n")); + prs_mem_free(&buf); + prs_mem_free(&rbuf); + return False; + } /* send the data on \PIPE\ */ - if (rpc_con_pipe_req(con, NET_SAMLOGOFF, &buf, &rbuf)) + if (rpc_api_pipe_req(cli, NET_SAMLOGOFF, &buf, &rbuf)) { NET_R_SAM_LOGOFF r_s; - net_io_r_sam_logoff("", &r_s, &rbuf, 0); - ok = (rbuf.offset != 0); + ok = net_io_r_sam_logoff("", &r_s, &rbuf, 0); if (ok && r_s.status != 0) { /* report error code */ - DEBUG(5,("cli_net_sam_logoff: %s\n", get_nt_error_msg(r_s.status))); + DEBUG(0,("cli_net_sam_logoff: %s\n", get_nt_error_msg(r_s.status))); + cli->nt_error = r_s.status; ok = False; } /* Update the credentials. */ - if (ok && !cli_con_deal_with_creds(con, &(r_s.srv_creds))) + if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_creds))) { /* * Server replied with bad credential. Fail. */ - DEBUG(5,("cli_net_sam_logoff: server %s replied with bad credential \ -(bad trust account password ?).\n", srv_name )); + DEBUG(0,("cli_net_sam_logoff: server %s replied with bad credential (bad machine \ +password ?).\n", cli->desthost )); ok = False; } } + prs_mem_free(&buf); prs_mem_free(&rbuf); - prs_mem_free(&buf ); return ok; } -/*************************************************************************** -Synchronise SAM Database (requires SEC_CHAN_BDC). -****************************************************************************/ -BOOL cli_net_sam_sync( const char* srv_name, const char* myhostname, - uint32 database_id, - uint32 *num_deltas, - SAM_DELTA_HDR *hdr_deltas, - SAM_DELTA_CTR *deltas) +/********************************************************* + Change the domain password on the PDC. +**********************************************************/ + +static BOOL modify_trust_password( char *domain, char *remote_machine, + unsigned char orig_trust_passwd_hash[16], + unsigned char new_trust_passwd_hash[16]) { - NET_Q_SAM_SYNC q_s; - prs_struct rbuf; - prs_struct buf; - DOM_CRED new_clnt_cred; - BOOL ok = False; - uint8 sess_key[16]; - - struct cli_connection *con = NULL; - - if (!cli_connection_getsrv(srv_name, PIPE_NETLOGON, &con)) - { - return False; - } - - if (!cli_get_con_sesskey(con, sess_key)) - { - return False; - } - - cli_con_gen_next_creds(con, &new_clnt_cred); - - prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); - prs_init(&rbuf, 0, 4, SAFETY_MARGIN, True ); - - /* create and send a MSRPC command with api NET_SAM_SYNC */ - - make_q_sam_sync(&q_s, srv_name, myhostname, - &new_clnt_cred, database_id); - - /* turn parameters into data stream */ - net_io_q_sam_sync("", &q_s, &buf, 0); - - /* send the data on \PIPE\ */ - if (rpc_con_pipe_req(con, NET_SAM_SYNC, &buf, &rbuf)) - { - NET_R_SAM_SYNC r_s; - - r_s.hdr_deltas = hdr_deltas; - r_s.deltas = deltas; - - net_io_r_sam_sync("", sess_key, &r_s, &rbuf, 0); - ok = (rbuf.offset != 0); - - if (ok && r_s.status != 0 && r_s.status != STATUS_MORE_ENTRIES) - { - /* report error code */ - DEBUG(5,("cli_net_sam_sync: %s\n", get_nt_error_msg(r_s.status))); - ok = False; - } - - /* Update the credentials. */ - if (ok && !cli_con_deal_with_creds(con, &(r_s.srv_creds))) - { - DEBUG(5,("cli_net_sam_sync: server %s replied with bad \ -credential (bad trust account password ?).\n", srv_name)); - ok = False; - } - - if (ok) - { - *num_deltas = r_s.num_deltas2; - - if (r_s.status == STATUS_MORE_ENTRIES) - { - DEBUG(5, ("(More entries)\n")); - } - } - } - - prs_mem_free(&rbuf); - prs_mem_free(&buf ); - - return ok; + struct cli_state cli; + + ZERO_STRUCT(cli); + if(cli_initialise(&cli) == False) { + DEBUG(0,("modify_trust_password: unable to initialize client connection.\n")); + return False; + } + + if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) { + DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine)); + return False; + } + + if (ismyip(cli.dest_ip)) { + DEBUG(0,("modify_trust_password: Machine %s is one of our addresses. Cannot add \ +to ourselves.\n", remote_machine)); + return False; + } + + if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) { + DEBUG(0,("modify_trust_password: unable to connect to SMB server on \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + return False; + } + + if (!attempt_netbios_session_request(&cli, global_myname, remote_machine, &cli.dest_ip)) { + DEBUG(0,("modify_trust_password: machine %s rejected the NetBIOS \ +session request. Error was %s\n", remote_machine, cli_errstr(&cli) )); + return False; + } + + cli.protocol = PROTOCOL_NT1; + + if (!cli_negprot(&cli)) { + DEBUG(0,("modify_trust_password: machine %s rejected the negotiate protocol. \ +Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + return False; + } + + if (cli.protocol != PROTOCOL_NT1) { + DEBUG(0,("modify_trust_password: machine %s didn't negotiate NT protocol.\n", + remote_machine)); + cli_shutdown(&cli); + return False; + } + + /* + * Do an anonymous session setup. + */ + + if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) { + DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \ +Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + return False; + } + + if (!(cli.sec_mode & 1)) { + DEBUG(0,("modify_trust_password: machine %s isn't in user level security mode\n", + remote_machine)); + cli_shutdown(&cli); + return False; + } + + if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) { + DEBUG(0,("modify_trust_password: machine %s rejected the tconX on the IPC$ share. \ +Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + return False; + } + + /* + * Ok - we have an anonymous connection to the IPC$ share. + * Now start the NT Domain stuff :-). + */ + + if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) { + DEBUG(0,("modify_trust_password: unable to open the domain client session to \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); + cli_nt_session_close(&cli); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + + if(cli_nt_setup_creds(&cli, orig_trust_passwd_hash) == False) { + DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \ +%s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); + cli_nt_session_close(&cli); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + + if( cli_nt_srv_pwset( &cli,new_trust_passwd_hash ) == False) { + DEBUG(0,("modify_trust_password: unable to change password for machine %s in domain \ +%s to Domain controller %s. Error was %s.\n", global_myname, domain, remote_machine, + cli_errstr(&cli))); + cli_close(&cli, cli.nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + + cli_nt_session_close(&cli); + cli_ulogoff(&cli); + cli_shutdown(&cli); + + return True; +} + +/************************************************************************ + Change the trust account password for a domain. + The user of this function must have locked the trust password file for + update. +************************************************************************/ + +BOOL change_trust_account_password( char *domain, char *remote_machine_list) +{ + fstring remote_machine; + unsigned char old_trust_passwd_hash[16]; + unsigned char new_trust_passwd_hash[16]; + time_t lct; + BOOL res; + + if(!get_trust_account_password( old_trust_passwd_hash, &lct)) { + DEBUG(0,("change_trust_account_password: unable to read the machine \ +account password for domain %s.\n", domain)); + return False; + } + + /* + * Create the new (random) password. + */ + generate_random_buffer( new_trust_passwd_hash, 16, True); + + while(remote_machine_list && + next_token(&remote_machine_list, remote_machine, + LIST_SEP, sizeof(remote_machine))) { + strupper(remote_machine); + if(strequal(remote_machine, "*")) { + + /* + * We have been asked to dynamcially determine the IP addresses of the PDC. + */ + + struct in_addr *ip_list = NULL; + int count = 0; + int i; + + if(!get_dc_list(domain, &ip_list, &count)) + continue; + + /* + * Try and connect to the PDC/BDC list in turn as an IP + * address used as a string. + */ + + for(i = 0; i < count; i++) { + fstring dc_name; + if(!lookup_pdc_name(global_myname, domain, &ip_list[i], dc_name)) + continue; + if((res = modify_trust_password( domain, dc_name, + old_trust_passwd_hash, new_trust_passwd_hash))) + break; + } + + if(ip_list != NULL) + free((char *)ip_list); + + } else { + res = modify_trust_password( domain, remote_machine, + old_trust_passwd_hash, new_trust_passwd_hash); + } + + if(res) { + DEBUG(0,("%s : change_trust_account_password: Changed password for \ +domain %s.\n", timestring(False), domain)); + /* + * Return the result of trying to write the new password + * back into the trust account file. + */ + res = set_trust_account_password(new_trust_passwd_hash); + memset(new_trust_passwd_hash, 0, 16); + memset(old_trust_passwd_hash, 0, 16); + return res; + } + } + + memset(new_trust_passwd_hash, 0, 16); + memset(old_trust_passwd_hash, 0, 16); + + DEBUG(0,("%s : change_trust_account_password: Failed to change password for \ +domain %s.\n", timestring(False), domain)); + return False; } -- cgit From 4e1291a83f61a72989045879763d9ef05fd38f71 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 21 Dec 1999 09:25:59 +0000 Subject: converted all our existing shared memory code to use a tdb database instead of either sysv or mmap shared memory or lock files. this means we can now completely remove locking_shm.c locking_slow.c shmem.c shmem_sysv.c and lots of other things also got simpler locking.c got a bit larger, but is much better compartmentalised now (This used to be commit e48c2d9937eea0667b8cd3332e49c06314ef31e7) --- source3/rpc_client/cli_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 8202960089..583b4bb4b8 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -628,7 +628,7 @@ BOOL change_trust_account_password( char *domain, char *remote_machine_list) unsigned char old_trust_passwd_hash[16]; unsigned char new_trust_passwd_hash[16]; time_t lct; - BOOL res; + BOOL res = False; if(!get_trust_account_password( old_trust_passwd_hash, &lct)) { DEBUG(0,("change_trust_account_password: unable to read the machine \ -- cgit From 171da4d78736730557a94b44af9f2d62081b80ba Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 7 Jan 2000 06:55:36 +0000 Subject: this looks like a big commit, but it isn't really :) This fixes our netbios scope handling. We now have a 'netbios scope' option in smb.conf and the scope option is removed from make_nmb_name() this was prompted by a bug in our PDC finding code where it didn't append the scope to the query of the '*' name. (This used to be commit b563be824b8c3141c49558eced7829b48d4ab26f) --- source3/rpc_client/cli_netlogon.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 583b4bb4b8..dab4aa7ad5 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -30,7 +30,6 @@ #include "includes.h" extern int DEBUGLEVEL; -extern pstring scope; extern pstring global_myname; extern fstring global_myworkgroup; -- cgit From b89b75a368c5245c38ebe467b2d3820b3df59c6a Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Wed, 22 Mar 2000 10:26:09 +0000 Subject: added the following message to all dce/rpc client/server code, except the spoolss code (it's cut from TNG) and the smb-dce/rpc interface code that jeremy has been working up to TNG-functionality. i also want this message to go into SAMBA_2_0 and SAMBA_2_0_RELEASE, because it is intolerable that potentially good modifications be made to code that is going to be thrown away, and people waste their time fixing bugs and adding enhancements that have already been carried out already, up to two years ago in the TNG branch. /* * THIS CODE IS OUT-OF-DATE BY TWO YEARS, IS LEGACY DESIGN AND VERY, VERY, * INCOMPLETE. PLEASE DO NOT MAKE ANY FURTHER ENHANCEMENTS TO THIS CODE * UNLESS THEY ARE ALSO CARRIED OUT IN THE SAMBA_TNG BRANCH. * * PLEASE DO NOT TREAT THIS CODE AS AUTHORITATIVE IN *ANY* WAY. * * REPEAT, PLEASE DO NOT MAKE ANY MODIFICATIONS TO THIS CODE WITHOUT * FIRST CHECKING THE EQUIVALENT MODULE IN SAMBA_TNG, UPDATING THAT * FIRST, *THEN* CONSIDER MAKING THE SAME MODIFICATION IN THIS BRANCH * * YOU WILL, ALMOST GUARANTEED, FIND THAT THE BUG-FIX OR ENHANCEMENT THAT * YOU THINK IS NECESSARY, HAS ALREADY BEEN IMPLEMENTED IN SAMBA_TNG. * IF IT HAS NOT, YOUR BUG-FIX OR ENHANCEMENT *MUST* GO INTO SAMBA_TNG * AS THE SAMBA_TNG CODE WILL REPLACE THIS MODULE WITHOUT REFERENCE TO * ANYTHING IN IT, WITH THE POSSIBLE RISK THAT THE BUG-FIX OR ENHANCEMENT * MAY BE LOST. * * PLEASE OBSERVE AND RESPECT THIS SIMPLE REQUEST. * * THANK YOU. * * lkcl@samba.org */ (This used to be commit cfaea90529be222f8df0e20a7ca1289f99c29e09) --- source3/rpc_client/cli_netlogon.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index dab4aa7ad5..ad66ee4e14 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -1,3 +1,29 @@ + +/* + * THIS CODE IS OUT-OF-DATE BY TWO YEARS, IS LEGACY DESIGN AND VERY, VERY, + * INCOMPLETE. PLEASE DO NOT MAKE ANY FURTHER ENHANCEMENTS TO THIS CODE + * UNLESS THEY ARE ALSO CARRIED OUT IN THE SAMBA_TNG BRANCH. + * + * PLEASE DO NOT TREAT THIS CODE AS AUTHORITATIVE IN *ANY* WAY. + * + * REPEAT, PLEASE DO NOT MAKE ANY MODIFICATIONS TO THIS CODE WITHOUT + * FIRST CHECKING THE EQUIVALENT MODULE IN SAMBA_TNG, UPDATING THAT + * FIRST, *THEN* CONSIDER MAKING THE SAME MODIFICATION IN THIS BRANCH + * + * YOU WILL, ALMOST GUARANTEED, FIND THAT THE BUG-FIX OR ENHANCEMENT THAT + * YOU THINK IS NECESSARY, HAS ALREADY BEEN IMPLEMENTED IN SAMBA_TNG. + * IF IT HAS NOT, YOUR BUG-FIX OR ENHANCEMENT *MUST* GO INTO SAMBA_TNG + * AS THE SAMBA_TNG CODE WILL REPLACE THIS MODULE WITHOUT REFERENCE TO + * ANYTHING IN IT, WITH THE POSSIBLE RISK THAT THE BUG-FIX OR ENHANCEMENT + * MAY BE LOST. + * + * PLEASE OBSERVE AND RESPECT THIS SIMPLE REQUEST. + * + * THANK YOU. + * + * lkcl@samba.org + */ + /* * Unix SMB/Netbios implementation. * Version 1.9. -- cgit From 8f1620125dcb9c29c223f4efb6485528ece70f11 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 22 Mar 2000 19:03:12 +0000 Subject: acconfig.h configure configure.in: Added check for UT_SYSLEN for utmp code. include/byteorder.h: Added alignment macros. include/nameserv.h: Added defines for msg_type field options - from rfc1002. lib/time.c: Typo fix. lib/util_unistr.c: Updates from UNICODE branch. printing/nt_printing.c: bzero -> memset. smbd/connection.c: Added check for UT_SYSLEN for utmp code. Other fixes : Rollback of unapproved commit from Luke. Please *ask* next time before doing large changes to HEAD. Jeremy. (This used to be commit f02999dbf7971b4ea05050d7206205d7737a78b2) --- source3/rpc_client/cli_netlogon.c | 26 -------------------------- 1 file changed, 26 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index ad66ee4e14..dab4aa7ad5 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -1,29 +1,3 @@ - -/* - * THIS CODE IS OUT-OF-DATE BY TWO YEARS, IS LEGACY DESIGN AND VERY, VERY, - * INCOMPLETE. PLEASE DO NOT MAKE ANY FURTHER ENHANCEMENTS TO THIS CODE - * UNLESS THEY ARE ALSO CARRIED OUT IN THE SAMBA_TNG BRANCH. - * - * PLEASE DO NOT TREAT THIS CODE AS AUTHORITATIVE IN *ANY* WAY. - * - * REPEAT, PLEASE DO NOT MAKE ANY MODIFICATIONS TO THIS CODE WITHOUT - * FIRST CHECKING THE EQUIVALENT MODULE IN SAMBA_TNG, UPDATING THAT - * FIRST, *THEN* CONSIDER MAKING THE SAME MODIFICATION IN THIS BRANCH - * - * YOU WILL, ALMOST GUARANTEED, FIND THAT THE BUG-FIX OR ENHANCEMENT THAT - * YOU THINK IS NECESSARY, HAS ALREADY BEEN IMPLEMENTED IN SAMBA_TNG. - * IF IT HAS NOT, YOUR BUG-FIX OR ENHANCEMENT *MUST* GO INTO SAMBA_TNG - * AS THE SAMBA_TNG CODE WILL REPLACE THIS MODULE WITHOUT REFERENCE TO - * ANYTHING IN IT, WITH THE POSSIBLE RISK THAT THE BUG-FIX OR ENHANCEMENT - * MAY BE LOST. - * - * PLEASE OBSERVE AND RESPECT THIS SIMPLE REQUEST. - * - * THANK YOU. - * - * lkcl@samba.org - */ - /* * Unix SMB/Netbios implementation. * Version 1.9. -- cgit From 2958dfcdf87d5169fe1152806be6ad03acb04d88 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 8 May 2000 10:42:21 +0000 Subject: added secrets.tdb and changed storage of trust account password to use it (This used to be commit 88ad00b82acc4636ab57dfe710af08ea85b82ff1) --- source3/rpc_client/cli_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index dab4aa7ad5..ce4468d112 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -629,7 +629,7 @@ BOOL change_trust_account_password( char *domain, char *remote_machine_list) time_t lct; BOOL res = False; - if(!get_trust_account_password( old_trust_passwd_hash, &lct)) { + if(!get_trust_account_password(domain, old_trust_passwd_hash, &lct)) { DEBUG(0,("change_trust_account_password: unable to read the machine \ account password for domain %s.\n", domain)); return False; @@ -686,7 +686,7 @@ domain %s.\n", timestring(False), domain)); * Return the result of trying to write the new password * back into the trust account file. */ - res = set_trust_account_password(new_trust_passwd_hash); + res = set_trust_account_password(domain, new_trust_passwd_hash); memset(new_trust_passwd_hash, 0, 16); memset(old_trust_passwd_hash, 0, 16); return res; -- cgit From badb7fc0d21267110e39287c897c0f956f43bb16 Mon Sep 17 00:00:00 2001 From: Matthew Chapman Date: Mon, 29 May 2000 01:23:48 +0000 Subject: Fixed LsaQueryInformationPolicy level 3 to return primary domain info. Domain SID is saved in secrets.tdb upon joining domain. Added "Authenticated Users" and "SYSTEM" well-known SIDs (under NT Authority). (This used to be commit 7710b4f48d3e8532df5e37f99a779758f750efdb) --- source3/rpc_client/cli_netlogon.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index ce4468d112..0043a1894e 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -579,7 +579,14 @@ Error was : %s.\n", remote_machine, cli_errstr(&cli) )); * Ok - we have an anonymous connection to the IPC$ share. * Now start the NT Domain stuff :-). */ - + + if(cli_lsa_get_domain_sid(&cli, remote_machine) == False) { + DEBUG(0,("modify_trust_password: unable to obtain domain sid from %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) { DEBUG(0,("modify_trust_password: unable to open the domain client session to \ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); -- cgit From da44845a0907bc6c9da9aabc0374b8280a85017f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 3 Jun 2000 06:22:19 +0000 Subject: moved secrets fns into secrets.c (This used to be commit f890bcf06786e7c63bf76fad2fd46d287a99a270) --- source3/rpc_client/cli_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 0043a1894e..065bd57649 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -636,7 +636,7 @@ BOOL change_trust_account_password( char *domain, char *remote_machine_list) time_t lct; BOOL res = False; - if(!get_trust_account_password(domain, old_trust_passwd_hash, &lct)) { + if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) { DEBUG(0,("change_trust_account_password: unable to read the machine \ account password for domain %s.\n", domain)); return False; @@ -693,7 +693,7 @@ domain %s.\n", timestring(False), domain)); * Return the result of trying to write the new password * back into the trust account file. */ - res = set_trust_account_password(domain, new_trust_passwd_hash); + res = secrets_store_trust_account_password(domain, new_trust_passwd_hash); memset(new_trust_passwd_hash, 0, 16); memset(old_trust_passwd_hash, 0, 16); return res; -- cgit From a4243b3d9996738ff575d08fbdff5e3a3ba8adb3 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 26 Jul 2000 03:04:01 +0000 Subject: Fixed memory leak in modify_trust_password() (This used to be commit 7145689bf55b9f3100632badac486fde30ee4972) --- source3/rpc_client/cli_netlogon.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 065bd57649..6437685ed8 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -513,24 +513,28 @@ static BOOL modify_trust_password( char *domain, char *remote_machine, if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) { DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine)); + cli_shutdown(&cli); return False; } if (ismyip(cli.dest_ip)) { DEBUG(0,("modify_trust_password: Machine %s is one of our addresses. Cannot add \ to ourselves.\n", remote_machine)); + cli_shutdown(&cli); return False; } if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) { DEBUG(0,("modify_trust_password: unable to connect to SMB server on \ machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); return False; } if (!attempt_netbios_session_request(&cli, global_myname, remote_machine, &cli.dest_ip)) { DEBUG(0,("modify_trust_password: machine %s rejected the NetBIOS \ session request. Error was %s\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); return False; } -- cgit From 5ec1642809d9de83da8c88c65d6595c6eb0270f5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 27 Jul 2000 00:47:19 +0000 Subject: Ok - this is a *BIG* change - but it fixes the problems with static strings in the RPC code. This change was prompted by trying to save a long (>256) character comment in the printer properties page. The new system associates a TALLOC_CTX with the pipe struct, and frees the pool on return of a complete PDU. A global TALLOC_CTX is used for the odd buffer allocated in the BUFFERxx code, and is freed in the main loop. This code works with insure, and seems to be free of memory leaks and crashes (so far) but there are probably the occasional problem with code that uses UNISTRxx structs on the stack and expects them to contain storage without doing a init_unistrXX(). This means that rpcclient will probably be horribly broken. A TALLOC_CTX also needed associating with the struct cli_state also, to make the prs_xx code there work. The main interface change is the addition of a TALLOC_CTX to the prs_init calls - used for dynamic allocation in the prs_XXX calls. Now this is in place it should make dynamic allocation of all RPC memory on unmarshall *much* easier to fix. Jeremy. (This used to be commit 0ff2ce543ee54f7364e6d839db6d06e7ef1edcf4) --- source3/rpc_client/cli_netlogon.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 6437685ed8..63461c5023 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -64,8 +64,8 @@ BOOL cli_net_logon_ctrl2(struct cli_state *cli, uint32 status_level) NET_Q_LOGON_CTRL2 q_l; BOOL ok = False; - prs_init(&buf , 1024, 4, False); - prs_init(&rbuf, 0, 4, True ); + prs_init(&buf , 1024, 4, cli->mem_ctx, False); + prs_init(&rbuf, 0, 4, cli->mem_ctx, True ); /* create and send a MSRPC command with api NET_LOGON_CTRL2 */ @@ -125,8 +125,8 @@ BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, NET_Q_AUTH_2 q_a; BOOL ok = False; - prs_init(&buf , 1024, 4, False); - prs_init(&rbuf, 0, 4, True ); + prs_init(&buf , 1024, 4, cli->mem_ctx, False); + prs_init(&rbuf, 0, 4, cli->mem_ctx, True ); /* create and send a MSRPC command with api NET_AUTH2 */ @@ -215,8 +215,8 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_ NET_Q_REQ_CHAL q_c; BOOL valid_chal = False; - prs_init(&buf , 1024, 4, False); - prs_init(&rbuf, 0, 4, True ); + prs_init(&buf , 1024, 4, cli->mem_ctx, False); + prs_init(&rbuf, 0, 4, cli->mem_ctx, True ); /* create and send a MSRPC command with api NET_REQCHAL */ @@ -279,8 +279,8 @@ BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) gen_next_creds( cli, &new_clnt_cred); - prs_init(&buf , 1024, 4, False); - prs_init(&rbuf, 0, 4, True ); + prs_init(&buf , 1024, 4, cli->mem_ctx, False); + prs_init(&rbuf, 0, 4, cli->mem_ctx, True ); /* create and send a MSRPC command with api NET_SRV_PWSET */ @@ -350,8 +350,8 @@ BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, gen_next_creds( cli, &new_clnt_cred); - prs_init(&buf , 1024, 4, False); - prs_init(&rbuf, 0, 4, True ); + prs_init(&buf , 1024, 4, cli->mem_ctx, False); + prs_init(&rbuf, 0, 4, cli->mem_ctx, True ); /* create and send a MSRPC command with api NET_SAMLOGON */ @@ -439,8 +439,8 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) gen_next_creds( cli, &new_clnt_cred); - prs_init(&buf , 1024, 4, False); - prs_init(&rbuf, 0, 4, True ); + prs_init(&buf , 1024, 4, cli->mem_ctx, False); + prs_init(&rbuf, 0, 4, cli->mem_ctx, True ); /* create and send a MSRPC command with api NET_SAMLOGOFF */ -- cgit From 7bf9d8ce4bb7e96a4c72f674e21d015b1ef1481e Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 19 Dec 2000 23:57:48 +0000 Subject: Fixed bug found by Gerald. If a Samba server joins a domain and is set to search for a DC to authenticate to using the "*" syntax than ensure that for the first hour after the password change is searches for the PDC using the 1B name not the 1C name as domain replication may not have occured. Jeremy. (This used to be commit c25533de9918ed9b0c79fd039e11d1b79f513db0) --- source3/rpc_client/cli_netlogon.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 63461c5023..3e24e74a59 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -665,7 +665,8 @@ account password for domain %s.\n", domain)); int count = 0; int i; - if(!get_dc_list(domain, &ip_list, &count)) + /* Use the PDC *only* for this. */ + if(!get_dc_list(True, domain, &ip_list, &count)) continue; /* -- cgit From 64172d82fcf1762a8bc938282919f9e3bd39675d Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 14 Feb 2001 05:34:50 +0000 Subject: Merge of i18n fixes from appliance branch. Samba can now talk to a network with a PDC that has international netbios name and domain name. There's still quite a bit of i18n stuff to fix though... (This used to be commit 79045bd72ace9144e7dd73785b1d10a71b0d15aa) --- source3/rpc_client/cli_netlogon.c | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 3e24e74a59..209b38c4fa 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -73,7 +73,8 @@ BOOL cli_net_logon_ctrl2(struct cli_state *cli, uint32 status_level) global_myname, status_level)); /* store the parameters */ - init_q_logon_ctrl2(&q_l, cli->srv_name_slash, status_level); + init_q_logon_ctrl2(&q_l, unix_to_dos(cli->srv_name_slash,False), + status_level); /* turn parameters into data stream */ if(!net_io_q_logon_ctrl2("", &q_l, &buf, 0)) { @@ -131,12 +132,12 @@ BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, /* create and send a MSRPC command with api NET_AUTH2 */ DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", - cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, - credstr(cli->clnt_cred.challenge.data), neg_flags)); + cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, + credstr(cli->clnt_cred.challenge.data), neg_flags)); /* store the parameters */ - init_q_auth_2(&q_a, cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, - &cli->clnt_cred.challenge, neg_flags); + init_q_auth_2(&q_a, unix_to_dos(cli->srv_name_slash,False), cli->mach_acct, + sec_chan, global_myname, &cli->clnt_cred.challenge, neg_flags); /* turn parameters into data stream */ if(!net_io_q_auth_2("", &q_a, &buf, 0)) { @@ -224,7 +225,8 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_ cli->desthost, global_myname, credstr(clnt_chal->data))); /* store the parameters */ - init_q_req_chal(&q_c, cli->srv_name_slash, global_myname, clnt_chal); + init_q_req_chal(&q_c, unix_to_dos(cli->srv_name_slash,False), + global_myname, clnt_chal); /* turn parameters into data stream */ if(!net_io_q_req_chal("", &q_c, &buf, 0)) { @@ -289,8 +291,9 @@ BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time)); /* store the parameters */ - init_q_srv_pwset(&q_s, cli->srv_name_slash, cli->mach_acct, sec_chan_type, - global_myname, &new_clnt_cred, (char *)hashed_mach_pwd); + init_q_srv_pwset(&q_s, unix_to_dos(cli->srv_name_slash,False), + cli->mach_acct, sec_chan_type, global_myname, + &new_clnt_cred, (char *)hashed_mach_pwd); /* turn parameters into data stream */ if(!net_io_q_srv_pwset("", &q_s, &buf, 0)) { @@ -365,8 +368,9 @@ BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, /* store the parameters */ q_s.validation_level = validation_level; - init_sam_info(&q_s.sam_id, cli->srv_name_slash, global_myname, - &new_clnt_cred, &dummy_rtn_creds, ctr->switch_value, ctr); + init_sam_info(&q_s.sam_id, unix_to_dos(cli->srv_name_slash,False), + global_myname, &new_clnt_cred, &dummy_rtn_creds, + ctr->switch_value, ctr); /* turn parameters into data stream */ if(!net_io_q_sam_logon("", &q_s, &buf, 0)) { @@ -451,8 +455,9 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); - init_sam_info(&q_s.sam_id, cli->srv_name_slash, global_myname, - &new_clnt_cred, &dummy_rtn_creds, ctr->switch_value, ctr); + init_sam_info(&q_s.sam_id, unix_to_dos(cli->srv_name_slash,False), + global_myname, &new_clnt_cred, &dummy_rtn_creds, + ctr->switch_value, ctr); /* turn parameters into data stream */ if(!net_io_q_sam_logoff("", &q_s, &buf, 0)) { -- cgit From 3699948e97bc2a8d108bb4343d382b4c9ead5533 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 24 Feb 2001 00:42:41 +0000 Subject: This patch (donated by Marc Jacobsen of HP) should make Sun and HP very happy :-). Probably Veritas too... :-). It allows Samba as a domain member to authenticate against an AS/U server such as the older HP PDC product or PD Netlink. It does this by trying a netlogon with info level 3 and then falling back to info level 2 if the PDC returns invalid info level. Jeremy. (This used to be commit bda1d6d4a4b3d2cfc260549280a2ce3e57fd0f86) --- source3/rpc_client/cli_netlogon.c | 170 +++++++++++++++++++++++++------------- 1 file changed, 112 insertions(+), 58 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 209b38c4fa..35238b9467 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -337,90 +337,144 @@ password ?).\n", cli->desthost )); } /*************************************************************************** -LSA SAM Logon - interactive or network. + LSA SAM Logon internal - interactive or network. Does level 2 or 3 but always + returns level 3. ****************************************************************************/ -BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, - NET_USER_INFO_3 *user_info3) +static uint32 cli_net_sam_logon_internal(struct cli_state *cli, NET_ID_INFO_CTR *ctr, + NET_USER_INFO_3 *user_info3, uint16 validation_level) { - DOM_CRED new_clnt_cred; - DOM_CRED dummy_rtn_creds; - prs_struct rbuf; - prs_struct buf; - uint16 validation_level = 3; - NET_Q_SAM_LOGON q_s; - BOOL ok = False; + DOM_CRED new_clnt_cred; + DOM_CRED dummy_rtn_creds; + prs_struct rbuf; + prs_struct buf; + NET_Q_SAM_LOGON q_s; + NET_R_SAM_LOGON r_s; + uint32 retval; - gen_next_creds( cli, &new_clnt_cred); + gen_next_creds( cli, &new_clnt_cred); - prs_init(&buf , 1024, 4, cli->mem_ctx, False); - prs_init(&rbuf, 0, 4, cli->mem_ctx, True ); + prs_init(&buf , 1024, 4, cli->mem_ctx, False); + prs_init(&rbuf, 0, 4, cli->mem_ctx, True ); - /* create and send a MSRPC command with api NET_SAMLOGON */ + /* create and send a MSRPC command with api NET_SAMLOGON */ - DEBUG(4,("cli_net_sam_logon: srv:%s mc:%s clnt %s %x ll: %d\n", + DEBUG(4,("cli_net_sam_logon_internal: srv:%s mc:%s clnt %s %x ll: %d\n", cli->srv_name_slash, global_myname, credstr(new_clnt_cred.challenge.data), cli->clnt_cred.timestamp.time, ctr->switch_value)); - memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); + memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); dummy_rtn_creds.timestamp.time = time(NULL); - /* store the parameters */ - q_s.validation_level = validation_level; - init_sam_info(&q_s.sam_id, unix_to_dos(cli->srv_name_slash,False), + /* store the parameters */ + q_s.validation_level = validation_level; + init_sam_info(&q_s.sam_id, unix_to_dos(cli->srv_name_slash,False), global_myname, &new_clnt_cred, &dummy_rtn_creds, ctr->switch_value, ctr); - /* turn parameters into data stream */ - if(!net_io_q_sam_logon("", &q_s, &buf, 0)) { - DEBUG(0,("cli_net_sam_logon: Error : failed to marshall NET_Q_SAM_LOGON struct.\n")); - prs_mem_free(&buf); - prs_mem_free(&rbuf); - return False; - } - - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, NET_SAMLOGON, &buf, &rbuf)) - { - NET_R_SAM_LOGON r_s; - - r_s.user = user_info3; - - ok = net_io_r_sam_logon("", &r_s, &rbuf, 0); + /* turn parameters into data stream */ + if(!net_io_q_sam_logon("", &q_s, &buf, 0)) { + DEBUG(0,("cli_net_sam_logon_internal: Error : failed to marshall NET_Q_SAM_LOGON struct.\n")); + retval = NT_STATUS_NO_MEMORY; + goto out; + } + + /* send the data on \PIPE\ */ + if (!rpc_api_pipe_req(cli, NET_SAMLOGON, &buf, &rbuf)) { + DEBUG(0,("cli_net_sam_logon_internal: Erro rpc_api_pipe_req failed.\n")); + retval = cli->nt_error; + goto out; + } + + r_s.user = user_info3; + + if(!net_io_r_sam_logon("", &r_s, &rbuf, 0)) { + DEBUG(0,("cli_net_sam_logon_internal: Error : failed to unmarshal NET_R_SAM_LOGON struct.\n")); + retval = NT_STATUS_NO_MEMORY; + goto out; + } - if (ok && r_s.status != 0) - { - /* report error code */ - DEBUG(0,("cli_net_sam_logon: %s\n", get_nt_error_msg(r_s.status))); - cli->nt_error = r_s.status; - ok = False; + retval = r_s.status; + + /* + * Don't treat NT_STATUS_INVALID_INFO_CLASS as an error - we will re-issue + * the call. + */ + + if (retval == NT_STATUS_INVALID_INFO_CLASS) { + goto out; + } + + if (retval != 0) { + /* report error code */ + DEBUG(0,("cli_net_sam_logon_internal: %s\n", get_nt_error_msg(r_s.status))); + cli->nt_error = r_s.status; + goto out; } /* Update the credentials. */ - if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_creds))) - { - /* - * Server replied with bad credential. Fail. - */ - DEBUG(0,("cli_net_sam_logon: server %s replied with bad credential (bad machine \ + if (!clnt_deal_with_creds(cli->sess_key, &cli->clnt_cred, &r_s.srv_creds)) { + /* + * Server replied with bad credential. Fail. + */ + DEBUG(0,("cli_net_sam_logon_internal: server %s replied with bad credential (bad machine \ password ?).\n", cli->desthost )); - ok = False; + retval = NT_STATUS_WRONG_PASSWORD; } - if (ok && r_s.switch_value != 3) - { - /* report different switch_value */ - DEBUG(0,("cli_net_sam_logon: switch_value of 3 expected %x\n", - r_s.switch_value)); - ok = False; + if (r_s.switch_value != validation_level) { + /* report different switch_value */ + DEBUG(0,("cli_net_sam_logon: switch_value of %u expected %x\n", r_s.switch_value)); + retval = NT_STATUS_INVALID_PARAMETER; } - } - prs_mem_free(&buf); - prs_mem_free(&rbuf); + out: - return ok; + prs_mem_free(&buf); + prs_mem_free(&rbuf); + + return retval; +} + +/*************************************************************************** +LSA SAM Logon - interactive or network. +****************************************************************************/ + +BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3) +{ + BOOL ok = True; +#if 0 /* JRATEST */ + uint16 validation_level=2; +#else + uint16 validation_level=3; +#endif + uint32 ret_err_code; + + ret_err_code = cli_net_sam_logon_internal(cli, ctr, user_info3, validation_level); + + if(ret_err_code == NT_STATUS_NOPROBLEMO) { + DEBUG(10,("cli_net_sam_logon: Success \n")); + ok = True; + } else if (ret_err_code == NT_STATUS_INVALID_INFO_CLASS) { + DEBUG(10,("cli_net_sam_logon: STATUS INVALID INFO CLASS \n")); + + validation_level=2; + + /* + * Since this is the second time we call this function, don't care + * for the error. If its error, return False. + */ + + if(cli_net_sam_logon_internal(cli, ctr, user_info3, validation_level) != 0) + ok = False; + + } else { + DEBUG(10,("cli_net_sam_logon: Error\n")); + ok = False; + } + + return ok; } /*************************************************************************** -- cgit From f93bb0801ccd66a6a3709ad98afb3758ffd0c1d4 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 25 Feb 2001 00:24:54 +0000 Subject: rpc_client/cli_netlogon.c: Fixed incorrect printf. Added Solaris ACL support. Jeremy. (This used to be commit f0d11b6997cc46a0210adef8cf572cf8b7e2467a) --- source3/rpc_client/cli_netlogon.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 35238b9467..1ed1db4d0a 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -425,7 +425,8 @@ password ?).\n", cli->desthost )); if (r_s.switch_value != validation_level) { /* report different switch_value */ - DEBUG(0,("cli_net_sam_logon: switch_value of %u expected %x\n", r_s.switch_value)); + DEBUG(0,("cli_net_sam_logon: switch_value of %x expected %x\n", (unsigned int)validation_level, + (unsigned int)r_s.switch_value)); retval = NT_STATUS_INVALID_PARAMETER; } -- cgit From 00ab9021b0cc5fe2667d383eb9cc2973072cdaaa Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 9 Mar 2001 23:48:58 +0000 Subject: Serious (and I *mean* serious) attempt to fix little/bigendian RPC issues. We were reading the endainness in the RPC header and then never propagating it to the internal parse_structs used to parse the data. Also removed the "align" argument to prs_init as it was *always* set to 4, and if needed can be set differently on a case by case basis. Now ready for AS/U testing when Herb gets it set up :-). Jeremy. (This used to be commit 0cd37c831d79a12a10e479bf4fa89ffe64c1292a) --- source3/rpc_client/cli_netlogon.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 1ed1db4d0a..493e5ac152 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -64,8 +64,8 @@ BOOL cli_net_logon_ctrl2(struct cli_state *cli, uint32 status_level) NET_Q_LOGON_CTRL2 q_l; BOOL ok = False; - prs_init(&buf , 1024, 4, cli->mem_ctx, False); - prs_init(&rbuf, 0, 4, cli->mem_ctx, True ); + prs_init(&buf , 1024, cli->mem_ctx, MARSHALL); + prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); /* create and send a MSRPC command with api NET_LOGON_CTRL2 */ @@ -126,8 +126,8 @@ BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, NET_Q_AUTH_2 q_a; BOOL ok = False; - prs_init(&buf , 1024, 4, cli->mem_ctx, False); - prs_init(&rbuf, 0, 4, cli->mem_ctx, True ); + prs_init(&buf , 1024, cli->mem_ctx, MARSHALL); + prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); /* create and send a MSRPC command with api NET_AUTH2 */ @@ -216,8 +216,8 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_ NET_Q_REQ_CHAL q_c; BOOL valid_chal = False; - prs_init(&buf , 1024, 4, cli->mem_ctx, False); - prs_init(&rbuf, 0, 4, cli->mem_ctx, True ); + prs_init(&buf , 1024, cli->mem_ctx, MARSHALL); + prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); /* create and send a MSRPC command with api NET_REQCHAL */ @@ -281,8 +281,8 @@ BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) gen_next_creds( cli, &new_clnt_cred); - prs_init(&buf , 1024, 4, cli->mem_ctx, False); - prs_init(&rbuf, 0, 4, cli->mem_ctx, True ); + prs_init(&buf , 1024, cli->mem_ctx, MARSHALL); + prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); /* create and send a MSRPC command with api NET_SRV_PWSET */ @@ -354,8 +354,8 @@ static uint32 cli_net_sam_logon_internal(struct cli_state *cli, NET_ID_INFO_CTR gen_next_creds( cli, &new_clnt_cred); - prs_init(&buf , 1024, 4, cli->mem_ctx, False); - prs_init(&rbuf, 0, 4, cli->mem_ctx, True ); + prs_init(&buf , 1024, cli->mem_ctx, MARSHALL); + prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); /* create and send a MSRPC command with api NET_SAMLOGON */ @@ -498,8 +498,8 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) gen_next_creds( cli, &new_clnt_cred); - prs_init(&buf , 1024, 4, cli->mem_ctx, False); - prs_init(&rbuf, 0, 4, cli->mem_ctx, True ); + prs_init(&buf , 1024, cli->mem_ctx, MARSHALL); + prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); /* create and send a MSRPC command with api NET_SAMLOGOFF */ -- cgit From 02fe94f86543dcaa068de59eb4b1928e6f4086e4 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 11 Mar 2001 22:03:42 +0000 Subject: Removed JRATEST line. Jeremy. (This used to be commit be9933ce353d0ad607c55e6e02aae09627bf9dd9) --- source3/rpc_client/cli_netlogon.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 493e5ac152..cc79425eed 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -445,11 +445,7 @@ LSA SAM Logon - interactive or network. BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3) { BOOL ok = True; -#if 0 /* JRATEST */ - uint16 validation_level=2; -#else uint16 validation_level=3; -#endif uint32 ret_err_code; ret_err_code = cli_net_sam_logon_internal(cli, ctr, user_info3, validation_level); -- cgit From dd0cca5c2194448753483c50b44eb6c3ca305cbe Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 17 May 2001 02:52:45 +0000 Subject: Broke out change trust account password routines into separate file since they're only used in one place anyway (timeout_processing() in process.c) (This used to be commit d1e5d5d62fcb5da30e3f2619721c5146db753f3c) --- source3/rpc_client/cli_netlogon.c | 218 -------------------------------------- 1 file changed, 218 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index cc79425eed..2c9d38166d 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -550,221 +550,3 @@ password ?).\n", cli->desthost )); return ok; } - -/********************************************************* - Change the domain password on the PDC. -**********************************************************/ - -static BOOL modify_trust_password( char *domain, char *remote_machine, - unsigned char orig_trust_passwd_hash[16], - unsigned char new_trust_passwd_hash[16]) -{ - struct cli_state cli; - - ZERO_STRUCT(cli); - if(cli_initialise(&cli) == False) { - DEBUG(0,("modify_trust_password: unable to initialize client connection.\n")); - return False; - } - - if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) { - DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine)); - cli_shutdown(&cli); - return False; - } - - if (ismyip(cli.dest_ip)) { - DEBUG(0,("modify_trust_password: Machine %s is one of our addresses. Cannot add \ -to ourselves.\n", remote_machine)); - cli_shutdown(&cli); - return False; - } - - if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) { - DEBUG(0,("modify_trust_password: unable to connect to SMB server on \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) )); - cli_shutdown(&cli); - return False; - } - - if (!attempt_netbios_session_request(&cli, global_myname, remote_machine, &cli.dest_ip)) { - DEBUG(0,("modify_trust_password: machine %s rejected the NetBIOS \ -session request. Error was %s\n", remote_machine, cli_errstr(&cli) )); - cli_shutdown(&cli); - return False; - } - - cli.protocol = PROTOCOL_NT1; - - if (!cli_negprot(&cli)) { - DEBUG(0,("modify_trust_password: machine %s rejected the negotiate protocol. \ -Error was : %s.\n", remote_machine, cli_errstr(&cli) )); - cli_shutdown(&cli); - return False; - } - - if (cli.protocol != PROTOCOL_NT1) { - DEBUG(0,("modify_trust_password: machine %s didn't negotiate NT protocol.\n", - remote_machine)); - cli_shutdown(&cli); - return False; - } - - /* - * Do an anonymous session setup. - */ - - if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) { - DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \ -Error was : %s.\n", remote_machine, cli_errstr(&cli) )); - cli_shutdown(&cli); - return False; - } - - if (!(cli.sec_mode & 1)) { - DEBUG(0,("modify_trust_password: machine %s isn't in user level security mode\n", - remote_machine)); - cli_shutdown(&cli); - return False; - } - - if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) { - DEBUG(0,("modify_trust_password: machine %s rejected the tconX on the IPC$ share. \ -Error was : %s.\n", remote_machine, cli_errstr(&cli) )); - cli_shutdown(&cli); - return False; - } - - /* - * Ok - we have an anonymous connection to the IPC$ share. - * Now start the NT Domain stuff :-). - */ - - if(cli_lsa_get_domain_sid(&cli, remote_machine) == False) { - DEBUG(0,("modify_trust_password: unable to obtain domain sid from %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } - - if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) { - DEBUG(0,("modify_trust_password: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } - - if(cli_nt_setup_creds(&cli, orig_trust_passwd_hash) == False) { - DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \ -%s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } - - if( cli_nt_srv_pwset( &cli,new_trust_passwd_hash ) == False) { - DEBUG(0,("modify_trust_password: unable to change password for machine %s in domain \ -%s to Domain controller %s. Error was %s.\n", global_myname, domain, remote_machine, - cli_errstr(&cli))); - cli_close(&cli, cli.nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } - - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - - return True; -} - -/************************************************************************ - Change the trust account password for a domain. - The user of this function must have locked the trust password file for - update. -************************************************************************/ - -BOOL change_trust_account_password( char *domain, char *remote_machine_list) -{ - fstring remote_machine; - unsigned char old_trust_passwd_hash[16]; - unsigned char new_trust_passwd_hash[16]; - time_t lct; - BOOL res = False; - - if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) { - DEBUG(0,("change_trust_account_password: unable to read the machine \ -account password for domain %s.\n", domain)); - return False; - } - - /* - * Create the new (random) password. - */ - generate_random_buffer( new_trust_passwd_hash, 16, True); - - while(remote_machine_list && - next_token(&remote_machine_list, remote_machine, - LIST_SEP, sizeof(remote_machine))) { - strupper(remote_machine); - if(strequal(remote_machine, "*")) { - - /* - * We have been asked to dynamcially determine the IP addresses of the PDC. - */ - - struct in_addr *ip_list = NULL; - int count = 0; - int i; - - /* Use the PDC *only* for this. */ - if(!get_dc_list(True, domain, &ip_list, &count)) - continue; - - /* - * Try and connect to the PDC/BDC list in turn as an IP - * address used as a string. - */ - - for(i = 0; i < count; i++) { - fstring dc_name; - if(!lookup_pdc_name(global_myname, domain, &ip_list[i], dc_name)) - continue; - if((res = modify_trust_password( domain, dc_name, - old_trust_passwd_hash, new_trust_passwd_hash))) - break; - } - - if(ip_list != NULL) - free((char *)ip_list); - - } else { - res = modify_trust_password( domain, remote_machine, - old_trust_passwd_hash, new_trust_passwd_hash); - } - - if(res) { - DEBUG(0,("%s : change_trust_account_password: Changed password for \ -domain %s.\n", timestring(False), domain)); - /* - * Return the result of trying to write the new password - * back into the trust account file. - */ - res = secrets_store_trust_account_password(domain, new_trust_passwd_hash); - memset(new_trust_passwd_hash, 0, 16); - memset(old_trust_passwd_hash, 0, 16); - return res; - } - } - - memset(new_trust_passwd_hash, 0, 16); - memset(old_trust_passwd_hash, 0, 16); - - DEBUG(0,("%s : change_trust_account_password: Failed to change password for \ -domain %s.\n", timestring(False), domain)); - return False; -} -- cgit From 87fbb7092b8f8b2f0db0f361c3d625e19de57cd9 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 4 Jul 2001 07:15:53 +0000 Subject: The big character set handling changeover! This commit gets rid of all our old codepage handling and replaces it with iconv. All internal strings in Samba are now in "unix" charset, which may be multi-byte. See internals.doc and my posting to samba-technical for a more complete explanation. (This used to be commit debb471267960e56005a741817ebd227ecfc512a) --- source3/rpc_client/cli_netlogon.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 2c9d38166d..5b96c8300f 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -73,7 +73,7 @@ BOOL cli_net_logon_ctrl2(struct cli_state *cli, uint32 status_level) global_myname, status_level)); /* store the parameters */ - init_q_logon_ctrl2(&q_l, unix_to_dos(cli->srv_name_slash,False), + init_q_logon_ctrl2(&q_l, cli->srv_name_slash, status_level); /* turn parameters into data stream */ @@ -136,7 +136,7 @@ BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, credstr(cli->clnt_cred.challenge.data), neg_flags)); /* store the parameters */ - init_q_auth_2(&q_a, unix_to_dos(cli->srv_name_slash,False), cli->mach_acct, + init_q_auth_2(&q_a, cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, &cli->clnt_cred.challenge, neg_flags); /* turn parameters into data stream */ @@ -225,7 +225,7 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_ cli->desthost, global_myname, credstr(clnt_chal->data))); /* store the parameters */ - init_q_req_chal(&q_c, unix_to_dos(cli->srv_name_slash,False), + init_q_req_chal(&q_c, cli->srv_name_slash, global_myname, clnt_chal); /* turn parameters into data stream */ @@ -291,7 +291,7 @@ BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time)); /* store the parameters */ - init_q_srv_pwset(&q_s, unix_to_dos(cli->srv_name_slash,False), + init_q_srv_pwset(&q_s, cli->srv_name_slash, cli->mach_acct, sec_chan_type, global_myname, &new_clnt_cred, (char *)hashed_mach_pwd); @@ -369,7 +369,7 @@ static uint32 cli_net_sam_logon_internal(struct cli_state *cli, NET_ID_INFO_CTR /* store the parameters */ q_s.validation_level = validation_level; - init_sam_info(&q_s.sam_id, unix_to_dos(cli->srv_name_slash,False), + init_sam_info(&q_s.sam_id, cli->srv_name_slash, global_myname, &new_clnt_cred, &dummy_rtn_creds, ctr->switch_value, ctr); @@ -506,7 +506,7 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); - init_sam_info(&q_s.sam_id, unix_to_dos(cli->srv_name_slash,False), + init_sam_info(&q_s.sam_id, cli->srv_name_slash, global_myname, &new_clnt_cred, &dummy_rtn_creds, ctr->switch_value, ctr); -- cgit From af0af3d42a9a3f80af5db0efb57692fc87f81763 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 10 Aug 2001 05:50:20 +0000 Subject: Removed nt_error field from cli_state as it was not used anywhere. (This used to be commit 589aaa5fb1ac55d8b0d5ae95921f071eb6ddacf6) --- source3/rpc_client/cli_netlogon.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 5b96c8300f..0568c04ed8 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -158,7 +158,6 @@ BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, { /* report error code */ DEBUG(0,("cli_net_auth2: Error %s\n", get_nt_error_msg(r_a.status))); - cli->nt_error = r_a.status; ok = False; } @@ -248,7 +247,6 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_ { /* report error code */ DEBUG(0,("cli_net_req_chal: Error %s\n", get_nt_error_msg(r_c.status))); - cli->nt_error = r_c.status; ok = False; } @@ -314,7 +312,6 @@ BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) { /* report error code */ DEBUG(0,("cli_net_srv_pwset: %s\n", get_nt_error_msg(r_s.status))); - cli->nt_error = r_s.status; ok = False; } @@ -350,7 +347,7 @@ static uint32 cli_net_sam_logon_internal(struct cli_state *cli, NET_ID_INFO_CTR prs_struct buf; NET_Q_SAM_LOGON q_s; NET_R_SAM_LOGON r_s; - uint32 retval; + uint32 retval = 0; gen_next_creds( cli, &new_clnt_cred); @@ -383,7 +380,6 @@ static uint32 cli_net_sam_logon_internal(struct cli_state *cli, NET_ID_INFO_CTR /* send the data on \PIPE\ */ if (!rpc_api_pipe_req(cli, NET_SAMLOGON, &buf, &rbuf)) { DEBUG(0,("cli_net_sam_logon_internal: Erro rpc_api_pipe_req failed.\n")); - retval = cli->nt_error; goto out; } @@ -409,7 +405,6 @@ static uint32 cli_net_sam_logon_internal(struct cli_state *cli, NET_ID_INFO_CTR if (retval != 0) { /* report error code */ DEBUG(0,("cli_net_sam_logon_internal: %s\n", get_nt_error_msg(r_s.status))); - cli->nt_error = r_s.status; goto out; } @@ -529,7 +524,6 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) { /* report error code */ DEBUG(0,("cli_net_sam_logoff: %s\n", get_nt_error_msg(r_s.status))); - cli->nt_error = r_s.status; ok = False; } -- cgit From f3aeaa8c90728c47552f14da8c5e30d6a441bdca Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 24 Aug 2001 18:37:06 +0000 Subject: Fixed typo in debug message. (This used to be commit ea8c0a75affe56f8fbcb987cd6f8cdcd24e8a537) --- source3/rpc_client/cli_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 0568c04ed8..18266739ac 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -379,7 +379,7 @@ static uint32 cli_net_sam_logon_internal(struct cli_state *cli, NET_ID_INFO_CTR /* send the data on \PIPE\ */ if (!rpc_api_pipe_req(cli, NET_SAMLOGON, &buf, &rbuf)) { - DEBUG(0,("cli_net_sam_logon_internal: Erro rpc_api_pipe_req failed.\n")); + DEBUG(0,("cli_net_sam_logon_internal: Error pc_api_pipe_req failed.\n")); goto out; } -- cgit From b9e7eeaf4fc13fb9e2dbee69e07bc6800f6e427a Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 24 Aug 2001 20:31:00 +0000 Subject: More status32 conversions. (This used to be commit 031a19639ce862bd01c1a72d8b5ff21b0eae99d2) --- source3/rpc_client/cli_netlogon.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 18266739ac..2dd9eb0141 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -437,18 +437,18 @@ password ?).\n", cli->desthost )); LSA SAM Logon - interactive or network. ****************************************************************************/ -BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3) +uint32 cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, + NET_USER_INFO_3 *user_info3) { - BOOL ok = True; uint16 validation_level=3; - uint32 ret_err_code; + uint32 result; - ret_err_code = cli_net_sam_logon_internal(cli, ctr, user_info3, validation_level); + result = cli_net_sam_logon_internal(cli, ctr, user_info3, + validation_level); - if(ret_err_code == NT_STATUS_NOPROBLEMO) { + if(result == NT_STATUS_NOPROBLEMO) { DEBUG(10,("cli_net_sam_logon: Success \n")); - ok = True; - } else if (ret_err_code == NT_STATUS_INVALID_INFO_CLASS) { + } else if (result == NT_STATUS_INVALID_INFO_CLASS) { DEBUG(10,("cli_net_sam_logon: STATUS INVALID INFO CLASS \n")); validation_level=2; @@ -458,15 +458,13 @@ BOOL cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, NET_USER_INF * for the error. If its error, return False. */ - if(cli_net_sam_logon_internal(cli, ctr, user_info3, validation_level) != 0) - ok = False; - + result = cli_net_sam_logon_internal(cli, ctr, user_info3, + validation_level); } else { DEBUG(10,("cli_net_sam_logon: Error\n")); - ok = False; } - return ok; + return result; } /*************************************************************************** -- cgit From b031af348c7dcc8c74bf49945211c466b8eca079 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 27 Aug 2001 19:46:22 +0000 Subject: converted another bunch of stuff to NTSTATUS (This used to be commit 1d36250e338ae0ff9fbbf86019809205dd97d05e) --- source3/rpc_client/cli_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 2dd9eb0141..2c30e5ba47 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -57,7 +57,7 @@ static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) /**************************************************************************** do a LSA Logon Control2 ****************************************************************************/ -BOOL cli_net_logon_ctrl2(struct cli_state *cli, uint32 status_level) +BOOL cli_net_logon_ctrl2(struct cli_state *cli, NTSTATUS status_level) { prs_struct rbuf; prs_struct buf; @@ -446,7 +446,7 @@ uint32 cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, result = cli_net_sam_logon_internal(cli, ctr, user_info3, validation_level); - if(result == NT_STATUS_NOPROBLEMO) { + if(result == NT_STATUS_OK) { DEBUG(10,("cli_net_sam_logon: Success \n")); } else if (result == NT_STATUS_INVALID_INFO_CLASS) { DEBUG(10,("cli_net_sam_logon: STATUS INVALID INFO CLASS \n")); -- cgit From 19fea3242cf6234786b6cbb60631e0071f31ff9f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 4 Sep 2001 07:13:01 +0000 Subject: the next stage in the NTSTATUS/WERROR change. smbd and nmbd now compile, but the client code still needs some work (This used to be commit dcd6e735f709a9231860ceb9682db40ff26c9a66) --- source3/rpc_client/cli_netlogon.c | 47 ++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 23 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 2c30e5ba47..b1f4fe0257 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -154,7 +154,7 @@ BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, ok = net_io_r_auth_2("", &r_a, &rbuf, 0); - if (ok && r_a.status != 0) + if (ok && !NT_STATUS_IS_OK(r_a.status)) { /* report error code */ DEBUG(0,("cli_net_auth2: Error %s\n", get_nt_error_msg(r_a.status))); @@ -243,7 +243,7 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_ ok = net_io_r_req_chal("", &r_c, &rbuf, 0); - if (ok && r_c.status != 0) + if (ok && !NT_STATUS_IS_OK(r_c.status)) { /* report error code */ DEBUG(0,("cli_net_req_chal: Error %s\n", get_nt_error_msg(r_c.status))); @@ -308,7 +308,7 @@ BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) ok = net_io_r_srv_pwset("", &r_s, &rbuf, 0); - if (ok && r_s.status != 0) + if (ok && !NT_STATUS_IS_OK(r_s.status)) { /* report error code */ DEBUG(0,("cli_net_srv_pwset: %s\n", get_nt_error_msg(r_s.status))); @@ -338,8 +338,9 @@ password ?).\n", cli->desthost )); returns level 3. ****************************************************************************/ -static uint32 cli_net_sam_logon_internal(struct cli_state *cli, NET_ID_INFO_CTR *ctr, - NET_USER_INFO_3 *user_info3, uint16 validation_level) +static NTSTATUS cli_net_sam_logon_internal(struct cli_state *cli, NET_ID_INFO_CTR *ctr, + NET_USER_INFO_3 *user_info3, + uint16 validation_level) { DOM_CRED new_clnt_cred; DOM_CRED dummy_rtn_creds; @@ -347,7 +348,7 @@ static uint32 cli_net_sam_logon_internal(struct cli_state *cli, NET_ID_INFO_CTR prs_struct buf; NET_Q_SAM_LOGON q_s; NET_R_SAM_LOGON r_s; - uint32 retval = 0; + NTSTATUS retval = NT_STATUS_OK; gen_next_creds( cli, &new_clnt_cred); @@ -398,38 +399,38 @@ static uint32 cli_net_sam_logon_internal(struct cli_state *cli, NET_ID_INFO_CTR * the call. */ - if (retval == NT_STATUS_INVALID_INFO_CLASS) { + if (NT_STATUS_V(retval) == NT_STATUS_V(NT_STATUS_INVALID_INFO_CLASS)) { goto out; } - if (retval != 0) { + if (!NT_STATUS_IS_OK(retval)) { /* report error code */ DEBUG(0,("cli_net_sam_logon_internal: %s\n", get_nt_error_msg(r_s.status))); goto out; - } + } - /* Update the credentials. */ - if (!clnt_deal_with_creds(cli->sess_key, &cli->clnt_cred, &r_s.srv_creds)) { + /* Update the credentials. */ + if (!clnt_deal_with_creds(cli->sess_key, &cli->clnt_cred, &r_s.srv_creds)) { /* * Server replied with bad credential. Fail. */ DEBUG(0,("cli_net_sam_logon_internal: server %s replied with bad credential (bad machine \ password ?).\n", cli->desthost )); retval = NT_STATUS_WRONG_PASSWORD; - } - - if (r_s.switch_value != validation_level) { + } + + if (r_s.switch_value != validation_level) { /* report different switch_value */ DEBUG(0,("cli_net_sam_logon: switch_value of %x expected %x\n", (unsigned int)validation_level, - (unsigned int)r_s.switch_value)); + (unsigned int)r_s.switch_value)); retval = NT_STATUS_INVALID_PARAMETER; - } + } - out: +out: prs_mem_free(&buf); prs_mem_free(&rbuf); - + return retval; } @@ -437,18 +438,18 @@ password ?).\n", cli->desthost )); LSA SAM Logon - interactive or network. ****************************************************************************/ -uint32 cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, +NTSTATUS cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3) { uint16 validation_level=3; - uint32 result; + NTSTATUS result; result = cli_net_sam_logon_internal(cli, ctr, user_info3, validation_level); - if(result == NT_STATUS_OK) { + if (NT_STATUS_IS_OK(result)) { DEBUG(10,("cli_net_sam_logon: Success \n")); - } else if (result == NT_STATUS_INVALID_INFO_CLASS) { + } else if (NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_INVALID_INFO_CLASS)) { DEBUG(10,("cli_net_sam_logon: STATUS INVALID INFO CLASS \n")); validation_level=2; @@ -518,7 +519,7 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) ok = net_io_r_sam_logoff("", &r_s, &rbuf, 0); - if (ok && r_s.status != 0) + if (ok && !NT_STATUS_IS_OK(r_s.status)) { /* report error code */ DEBUG(0,("cli_net_sam_logoff: %s\n", get_nt_error_msg(r_s.status))); -- cgit From 15a6649c01195f2b385fbfd7e54279c1acc3a878 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 18 Sep 2001 02:49:35 +0000 Subject: Converted cli_net_auth2() and cli_nt_setup_creds() to return NTSTATUS. (This used to be commit e0bdcbc5994345fdc76f7590dba7bce5f0127d58) --- source3/rpc_client/cli_netlogon.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index b1f4fe0257..324f5dc90f 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -118,13 +118,14 @@ Ensure that the server credential returned matches the session key encrypt of the server challenge originally received. JRA. ****************************************************************************/ -BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, - uint32 neg_flags, DOM_CHAL *srv_chal) +NTSTATUS cli_net_auth2(struct cli_state *cli, uint16 sec_chan, + uint32 neg_flags, DOM_CHAL *srv_chal) { prs_struct rbuf; prs_struct buf; NET_Q_AUTH_2 q_a; BOOL ok = False; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; prs_init(&buf , 1024, cli->mem_ctx, MARSHALL); prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); @@ -144,7 +145,7 @@ BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, DEBUG(0,("cli_net_auth2: Error : failed to marshall NET_Q_AUTH_2 struct.\n")); prs_mem_free(&buf); prs_mem_free(&rbuf); - return False; + return result; } /* send the data on \PIPE\ */ @@ -153,11 +154,12 @@ BOOL cli_net_auth2(struct cli_state *cli, uint16 sec_chan, NET_R_AUTH_2 r_a; ok = net_io_r_auth_2("", &r_a, &rbuf, 0); - - if (ok && !NT_STATUS_IS_OK(r_a.status)) + result = r_a.status; + + if (ok && !NT_STATUS_IS_OK(result)) { /* report error code */ - DEBUG(0,("cli_net_auth2: Error %s\n", get_nt_error_msg(r_a.status))); + DEBUG(0,("cli_net_auth2: Error %s\n", get_nt_error_msg(result))); ok = False; } @@ -200,7 +202,7 @@ password ?).\n", cli->desthost )); prs_mem_free(&buf); prs_mem_free(&rbuf); - return ok; + return result; } /**************************************************************************** -- cgit From dc1fc3ee8ec2199bc73bb5d7ec711c6800f61d65 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 2 Oct 2001 04:29:50 +0000 Subject: Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header. (This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e) --- source3/rpc_client/cli_netlogon.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 324f5dc90f..f67a7175bf 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -29,7 +29,6 @@ #include "includes.h" -extern int DEBUGLEVEL; extern pstring global_myname; extern fstring global_myworkgroup; -- cgit From a689b24db14436ab1faa2f2f79b9f27b777b1fdb Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 14 Oct 2001 12:10:29 +0000 Subject: the next step in the intl changeover. This should get us compiling agian, and also completes the switch to lang_tdb.c. SWAT should now work with a po file in the lib/ directory also removed useless SYSLOG defines in many files (This used to be commit 5296b20ad85d7519c870768455cb4d8df048c55a) --- source3/rpc_client/cli_netlogon.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index f67a7175bf..8fcfab00ab 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -23,10 +23,6 @@ */ -#ifdef SYSLOG -#undef SYSLOG -#endif - #include "includes.h" extern pstring global_myname; -- cgit From d16ce1910bfa5836b99b1fcb75c86d008f7bf666 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 30 Oct 2001 00:19:43 +0000 Subject: Fixed typo in debug message. (This used to be commit 26fa0374bb5894ece460899ca37cf512c4424b2f) --- source3/rpc_client/cli_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 8fcfab00ab..50f68e19f0 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -377,7 +377,7 @@ static NTSTATUS cli_net_sam_logon_internal(struct cli_state *cli, NET_ID_INFO_CT /* send the data on \PIPE\ */ if (!rpc_api_pipe_req(cli, NET_SAMLOGON, &buf, &rbuf)) { - DEBUG(0,("cli_net_sam_logon_internal: Error pc_api_pipe_req failed.\n")); + DEBUG(0,("cli_net_sam_logon_internal: Error rpc_api_pipe_req failed.\n")); goto out; } -- cgit From d607fe04743b6ca20172d3a4156e5fa855054e99 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 31 Oct 2001 04:42:16 +0000 Subject: Don't accidentally return success when sending a broken NET_SAMLOGON request. This exposes a domain authentication bug with win2k where a rpc fault is returned but not propagated up as an error. (This used to be commit 27cd7ac85779bbc1e9488ee06e87b0c743c5b29c) --- source3/rpc_client/cli_netlogon.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 50f68e19f0..c18d2ae23d 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -378,6 +378,7 @@ static NTSTATUS cli_net_sam_logon_internal(struct cli_state *cli, NET_ID_INFO_CT /* send the data on \PIPE\ */ if (!rpc_api_pipe_req(cli, NET_SAMLOGON, &buf, &rbuf)) { DEBUG(0,("cli_net_sam_logon_internal: Error rpc_api_pipe_req failed.\n")); + retval = NT_STATUS_UNSUCCESSFUL; goto out; } -- cgit From c87c3526992212096d4ecdf200a5346e05bfb328 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 5 Nov 2001 00:12:23 +0000 Subject: Removed duplicate debug. (This used to be commit 5c3521c937f9ba3c4c586495f54dc69a664c392a) --- source3/rpc_client/cli_netlogon.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index c18d2ae23d..869de91c80 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -459,8 +459,6 @@ NTSTATUS cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, result = cli_net_sam_logon_internal(cli, ctr, user_info3, validation_level); - } else { - DEBUG(10,("cli_net_sam_logon: Error\n")); } return result; -- cgit From 8ba00d147bbdb705b411e182433632c81a036188 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 5 Dec 2001 11:00:26 +0000 Subject: OK. Smbpasswd -j is DEAD. This moves the rest of the functionality into the 'net rpc join' code. Futhermore, this moves that entire area over to the libsmb codebase, rather than the crufty old rpc_client stuff. I have also fixed up the smbpasswd -a -m bug in the process. We also have a new 'net rpc changetrustpw' that can be called from a cron-job to regularly change the trust account password, for sites that run winbind but not smbd. With a little more work, we can kill rpc_client from smbd entirly! (It is mostly the domain auth stuff - which I can rework - and the spoolss stuff that sombody else will need to look over). Andrew Bartlett (This used to be commit 575897e879fc175ba702adf245384033342c903d) --- source3/rpc_client/cli_netlogon.c | 70 --------------------------------------- 1 file changed, 70 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 869de91c80..8a2d8e28cc 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -260,76 +260,6 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_ return valid_chal; } - -/*************************************************************************** -LSA Server Password Set. -****************************************************************************/ - -BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) -{ - prs_struct rbuf; - prs_struct buf; - DOM_CRED new_clnt_cred; - NET_Q_SRV_PWSET q_s; - BOOL ok = False; - uint16 sec_chan_type = 2; - - gen_next_creds( cli, &new_clnt_cred); - - prs_init(&buf , 1024, cli->mem_ctx, MARSHALL); - prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); - - /* create and send a MSRPC command with api NET_SRV_PWSET */ - - DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s clnt %s %x\n", - cli->srv_name_slash, cli->mach_acct, sec_chan_type, global_myname, - credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time)); - - /* store the parameters */ - init_q_srv_pwset(&q_s, cli->srv_name_slash, - cli->mach_acct, sec_chan_type, global_myname, - &new_clnt_cred, (char *)hashed_mach_pwd); - - /* turn parameters into data stream */ - if(!net_io_q_srv_pwset("", &q_s, &buf, 0)) { - DEBUG(0,("cli_net_srv_pwset: Error : failed to marshall NET_Q_SRV_PWSET struct.\n")); - prs_mem_free(&buf); - prs_mem_free(&rbuf); - return False; - } - - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, NET_SRVPWSET, &buf, &rbuf)) - { - NET_R_SRV_PWSET r_s; - - ok = net_io_r_srv_pwset("", &r_s, &rbuf, 0); - - if (ok && !NT_STATUS_IS_OK(r_s.status)) - { - /* report error code */ - DEBUG(0,("cli_net_srv_pwset: %s\n", get_nt_error_msg(r_s.status))); - ok = False; - } - - /* Update the credentials. */ - if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_cred))) - { - /* - * Server replied with bad credential. Fail. - */ - DEBUG(0,("cli_net_srv_pwset: server %s replied with bad credential (bad machine \ -password ?).\n", cli->desthost )); - ok = False; - } - } - - prs_mem_free(&buf); - prs_mem_free(&rbuf); - - return ok; -} - /*************************************************************************** LSA SAM Logon internal - interactive or network. Does level 2 or 3 but always returns level 3. -- cgit From cd68afe31256ad60748b34f7318a180cfc2127cc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 30 Jan 2002 06:08:46 +0000 Subject: Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa) --- source3/rpc_client/cli_netlogon.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 8a2d8e28cc..5b59e5b543 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -1,6 +1,5 @@ /* - * Unix SMB/Netbios implementation. - * Version 1.9. + * Unix SMB/CIFS implementation. * RPC Pipe client / server routines * Copyright (C) Andrew Tridgell 1992-1997, * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, -- cgit From ab13654dc9ac23872e4d1384e1c54e336f113009 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 17 Mar 2002 04:36:35 +0000 Subject: Renamed get_nt_error_msg() to nt_errstr(). (This used to be commit 1f007d3ed41c1b71a89fa6be7d173e67e927c302) --- source3/rpc_client/cli_netlogon.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 5b59e5b543..90c8a34c21 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -91,7 +91,7 @@ BOOL cli_net_logon_ctrl2(struct cli_state *cli, NTSTATUS status_level) if (ok && r_l.status != 0) { /* report error code */ - DEBUG(0,("do_net_logon_ctrl2: Error %s\n", get_nt_error_msg(r_l.status))); + DEBUG(0,("do_net_logon_ctrl2: Error %s\n", nt_errstr(r_l.status))); cli->nt_error = r_l.status; ok = False; } @@ -153,7 +153,7 @@ NTSTATUS cli_net_auth2(struct cli_state *cli, uint16 sec_chan, if (ok && !NT_STATUS_IS_OK(result)) { /* report error code */ - DEBUG(0,("cli_net_auth2: Error %s\n", get_nt_error_msg(result))); + DEBUG(0,("cli_net_auth2: Error %s\n", nt_errstr(result))); ok = False; } @@ -242,7 +242,7 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_ if (ok && !NT_STATUS_IS_OK(r_c.status)) { /* report error code */ - DEBUG(0,("cli_net_req_chal: Error %s\n", get_nt_error_msg(r_c.status))); + DEBUG(0,("cli_net_req_chal: Error %s\n", nt_errstr(r_c.status))); ok = False; } @@ -332,7 +332,7 @@ static NTSTATUS cli_net_sam_logon_internal(struct cli_state *cli, NET_ID_INFO_CT if (!NT_STATUS_IS_OK(retval)) { /* report error code */ - DEBUG(0,("cli_net_sam_logon_internal: %s\n", get_nt_error_msg(r_s.status))); + DEBUG(0,("cli_net_sam_logon_internal: %s\n", nt_errstr(r_s.status))); goto out; } @@ -447,7 +447,7 @@ BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) if (ok && !NT_STATUS_IS_OK(r_s.status)) { /* report error code */ - DEBUG(0,("cli_net_sam_logoff: %s\n", get_nt_error_msg(r_s.status))); + DEBUG(0,("cli_net_sam_logoff: %s\n", nt_errstr(r_s.status))); ok = False; } -- cgit From 1f7d18a99c6db90b2c5efb740af02ca279b9445d Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 17 Aug 2002 16:05:44 +0000 Subject: Sync 3.0 branch with HEAD (This used to be commit 3823a2ff5a3c6edf325e2ac31bab50175420f0b1) --- source3/rpc_client/cli_netlogon.c | 978 +++++++++++++++++++++++--------------- 1 file changed, 586 insertions(+), 392 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 90c8a34c21..acc9135542 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -1,34 +1,258 @@ /* - * Unix SMB/CIFS implementation. - * RPC Pipe client / server routines - * Copyright (C) Andrew Tridgell 1992-1997, - * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, - * Copyright (C) Paul Ashton 1997. - * Copyright (C) Jeremy Allison 1998. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - */ - + Unix SMB/CIFS implementation. + NT Domain Authentication SMB / MSRPC client + Copyright (C) Andrew Tridgell 1992-2000 + Copyright (C) Luke Kenneth Casson Leighton 1996-2000 + Copyright (C) Tim Potter 2001 + Copyright (C) Paul Ashton 1997. + Copyright (C) Jeremy Allison 1998. + Copyright (C) Andrew Bartlett 2001. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ #include "includes.h" -extern pstring global_myname; -extern fstring global_myworkgroup; +/* LSA Request Challenge. Sends our challenge to server, then gets + server response. These are used to generate the credentials. */ + +NTSTATUS cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, + DOM_CHAL *srv_chal) +{ + prs_struct qbuf, rbuf; + NET_Q_REQ_CHAL q; + NET_R_REQ_CHAL r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + extern pstring global_myname; + + prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL); + prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); + + /* create and send a MSRPC command with api NET_REQCHAL */ + + DEBUG(4,("cli_net_req_chal: LSA Request Challenge from %s to %s: %s\n", + global_myname, cli->desthost, credstr(clnt_chal->data))); + + /* store the parameters */ + init_q_req_chal(&q, cli->srv_name_slash, global_myname, clnt_chal); + + /* Marshall data and send request */ + + if (!net_io_q_req_chal("", &q, &qbuf, 0) || + !rpc_api_pipe_req(cli, NET_REQCHAL, &qbuf, &rbuf)) { + goto done; + } + + /* Unmarhall response */ + + if (!net_io_r_req_chal("", &r, &rbuf, 0)) { + goto done; + } + + result = r.status; + + /* Return result */ + + if (NT_STATUS_IS_OK(result)) { + memcpy(srv_chal, r.srv_chal.data, sizeof(srv_chal->data)); + } + + done: + prs_mem_free(&qbuf); + prs_mem_free(&rbuf); + + return result; +} + +/**************************************************************************** +LSA Authenticate 2 + +Send the client credential, receive back a server credential. +Ensure that the server credential returned matches the session key +encrypt of the server challenge originally received. JRA. +****************************************************************************/ + +NTSTATUS cli_net_auth2(struct cli_state *cli, + uint16 sec_chan, + uint32 neg_flags, DOM_CHAL *srv_chal) +{ + prs_struct qbuf, rbuf; + NET_Q_AUTH_2 q; + NET_R_AUTH_2 r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + extern pstring global_myname; + + prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL); + prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); + + /* create and send a MSRPC command with api NET_AUTH2 */ + + DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", + cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, + credstr(cli->clnt_cred.challenge.data), neg_flags)); + + /* store the parameters */ + init_q_auth_2(&q, cli->srv_name_slash, cli->mach_acct, + sec_chan, global_myname, &cli->clnt_cred.challenge, + neg_flags); + + /* turn parameters into data stream */ + + if (!net_io_q_auth_2("", &q, &qbuf, 0) || + !rpc_api_pipe_req(cli, NET_AUTH2, &qbuf, &rbuf)) { + goto done; + } + + /* Unmarshall response */ + + if (!net_io_r_auth_2("", &r, &rbuf, 0)) { + goto done; + } + + result = r.status; + + if (NT_STATUS_IS_OK(result)) { + UTIME zerotime; + + /* + * Check the returned value using the initial + * server received challenge. + */ + + zerotime.time = 0; + if (cred_assert( &r.srv_chal, cli->sess_key, srv_chal, + zerotime) == 0) { + + /* + * Server replied with bad credential. Fail. + */ + DEBUG(0,("cli_net_auth2: server %s replied with bad credential (bad machine \ +password ?).\n", cli->desthost )); + result = NT_STATUS_ACCESS_DENIED; + goto done; + } + } + + done: + prs_mem_free(&qbuf); + prs_mem_free(&rbuf); + + return result; +} + +/* Initialize domain session credentials */ + +NTSTATUS cli_nt_setup_creds(struct cli_state *cli, + uint16 sec_chan, + const unsigned char mach_pwd[16]) +{ + DOM_CHAL clnt_chal; + DOM_CHAL srv_chal; + UTIME zerotime; + NTSTATUS result; + + /******************* Request Challenge ********************/ + + generate_random_buffer(clnt_chal.data, 8, False); + + /* send a client challenge; receive a server challenge */ + result = cli_net_req_chal(cli, &clnt_chal, &srv_chal); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(0,("cli_nt_setup_creds: request challenge failed\n")); + return result; + } + + /**************** Long-term Session key **************/ + + /* calculate the session key */ + cred_session_key(&clnt_chal, &srv_chal, mach_pwd, + cli->sess_key); + memset((char *)cli->sess_key+8, '\0', 8); + + /******************* Authenticate 2 ********************/ + + /* calculate auth-2 credentials */ + zerotime.time = 0; + cred_create(cli->sess_key, &clnt_chal, zerotime, + &cli->clnt_cred.challenge); + + /* + * Send client auth-2 challenge. + * Receive an auth-2 challenge response and check it. + */ + + result = cli_net_auth2(cli, sec_chan, 0x000001ff, &srv_chal); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(1,("cli_nt_setup_creds: auth2 challenge failed %s\n", + nt_errstr(result))); + } + + return result; +} + +/* Logon Control 2 */ + +NTSTATUS cli_netlogon_logon_ctrl2(struct cli_state *cli, TALLOC_CTX *mem_ctx, + uint32 query_level) +{ + prs_struct qbuf, rbuf; + NET_Q_LOGON_CTRL2 q; + NET_R_LOGON_CTRL2 r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + + ZERO_STRUCT(q); + ZERO_STRUCT(r); + + /* Initialise parse structures */ + + prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); + prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); + + /* Initialise input parameters */ + + init_net_q_logon_ctrl2(&q, cli->srv_name_slash, query_level); + + /* Marshall data and send request */ + + if (!net_io_q_logon_ctrl2("", &q, &qbuf, 0) || + !rpc_api_pipe_req(cli, NET_LOGON_CTRL2, &qbuf, &rbuf)) { + result = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + /* Unmarshall response */ + + if (!net_io_r_logon_ctrl2("", &r, &rbuf, 0)) { + result = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + result = r.status; + + done: + prs_mem_free(&qbuf); + prs_mem_free(&rbuf); + + return result; +} /**************************************************************************** -Generate the next creds to use. +Generate the next creds to use. Yuck - this is a cut&paste from another +file. They should be combined at some stage. )-: ****************************************************************************/ static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) @@ -47,424 +271,394 @@ static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) } -#if UNUSED_CODE -/**************************************************************************** -do a LSA Logon Control2 -****************************************************************************/ -BOOL cli_net_logon_ctrl2(struct cli_state *cli, NTSTATUS status_level) +/* Sam synchronisation */ + +NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx, DOM_CRED *ret_creds, + uint32 database_id, uint32 *num_deltas, + SAM_DELTA_HDR **hdr_deltas, + SAM_DELTA_CTR **deltas) { - prs_struct rbuf; - prs_struct buf; - NET_Q_LOGON_CTRL2 q_l; - BOOL ok = False; - - prs_init(&buf , 1024, cli->mem_ctx, MARSHALL); - prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); - - /* create and send a MSRPC command with api NET_LOGON_CTRL2 */ - - DEBUG(4,("do_net_logon_ctrl2 from %s status level:%x\n", - global_myname, status_level)); - - /* store the parameters */ - init_q_logon_ctrl2(&q_l, cli->srv_name_slash, - status_level); - - /* turn parameters into data stream */ - if(!net_io_q_logon_ctrl2("", &q_l, &buf, 0)) { - DEBUG(0,("cli_net_logon_ctrl2: Error : failed to marshall NET_Q_LOGON_CTRL2 struct.\n")); - prs_mem_free(&buf); - prs_mem_free(&rbuf); - return False; - } - - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, NET_LOGON_CTRL2, &buf, &rbuf)) - { - NET_R_LOGON_CTRL2 r_l; - - /* - * Unmarshall the return buffer. - */ - ok = net_io_r_logon_ctrl2("", &r_l, &rbuf, 0); - - if (ok && r_l.status != 0) - { - /* report error code */ - DEBUG(0,("do_net_logon_ctrl2: Error %s\n", nt_errstr(r_l.status))); - cli->nt_error = r_l.status; - ok = False; - } - } - - prs_mem_free(&buf); - prs_mem_free(&rbuf); - - return ok; -} -#endif + prs_struct qbuf, rbuf; + NET_Q_SAM_SYNC q; + NET_R_SAM_SYNC r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + DOM_CRED clnt_creds; -/**************************************************************************** -LSA Authenticate 2 + ZERO_STRUCT(q); + ZERO_STRUCT(r); -Send the client credential, receive back a server credential. -Ensure that the server credential returned matches the session key -encrypt of the server challenge originally received. JRA. -****************************************************************************/ + /* Initialise parse structures */ -NTSTATUS cli_net_auth2(struct cli_state *cli, uint16 sec_chan, - uint32 neg_flags, DOM_CHAL *srv_chal) -{ - prs_struct rbuf; - prs_struct buf; - NET_Q_AUTH_2 q_a; - BOOL ok = False; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - - prs_init(&buf , 1024, cli->mem_ctx, MARSHALL); - prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); - - /* create and send a MSRPC command with api NET_AUTH2 */ - - DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", - cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, - credstr(cli->clnt_cred.challenge.data), neg_flags)); - - /* store the parameters */ - init_q_auth_2(&q_a, cli->srv_name_slash, cli->mach_acct, - sec_chan, global_myname, &cli->clnt_cred.challenge, neg_flags); - - /* turn parameters into data stream */ - if(!net_io_q_auth_2("", &q_a, &buf, 0)) { - DEBUG(0,("cli_net_auth2: Error : failed to marshall NET_Q_AUTH_2 struct.\n")); - prs_mem_free(&buf); - prs_mem_free(&rbuf); - return result; - } - - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, NET_AUTH2, &buf, &rbuf)) - { - NET_R_AUTH_2 r_a; - - ok = net_io_r_auth_2("", &r_a, &rbuf, 0); - result = r_a.status; - - if (ok && !NT_STATUS_IS_OK(result)) - { - /* report error code */ - DEBUG(0,("cli_net_auth2: Error %s\n", nt_errstr(result))); - ok = False; - } - - if (ok) - { - /* - * Check the returned value using the initial - * server received challenge. - */ - UTIME zerotime; - - zerotime.time = 0; - if(cred_assert( &r_a.srv_chal, cli->sess_key, srv_chal, zerotime) == 0) { - /* - * Server replied with bad credential. Fail. - */ - DEBUG(0,("cli_net_auth2: server %s replied with bad credential (bad machine \ -password ?).\n", cli->desthost )); - ok = False; - } - } - -#if 0 - /* - * Try commenting this out to see if this makes the connect - * work for a NT 3.51 PDC. JRA. - */ - - if (ok && r_a.srv_flgs.neg_flags != q_a.clnt_flgs.neg_flags) - { - /* report different neg_flags */ - DEBUG(0,("cli_net_auth2: error neg_flags (q,r) differ - (%x,%x)\n", - q_a.clnt_flgs.neg_flags, r_a.srv_flgs.neg_flags)); - ok = False; - } -#endif - - } - - prs_mem_free(&buf); - prs_mem_free(&rbuf); - - return result; -} + prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); + prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); -/**************************************************************************** -LSA Request Challenge. Sends our challenge to server, then gets -server response. These are used to generate the credentials. -****************************************************************************/ + /* Initialise input parameters */ -BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) -{ - prs_struct rbuf; - prs_struct buf; - NET_Q_REQ_CHAL q_c; - BOOL valid_chal = False; - - prs_init(&buf , 1024, cli->mem_ctx, MARSHALL); - prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); - - /* create and send a MSRPC command with api NET_REQCHAL */ - - DEBUG(4,("cli_net_req_chal: LSA Request Challenge from %s to %s: %s\n", - cli->desthost, global_myname, credstr(clnt_chal->data))); - - /* store the parameters */ - init_q_req_chal(&q_c, cli->srv_name_slash, - global_myname, clnt_chal); - - /* turn parameters into data stream */ - if(!net_io_q_req_chal("", &q_c, &buf, 0)) { - DEBUG(0,("cli_net_req_chal: Error : failed to marshall NET_Q_REQ_CHAL struct.\n")); - prs_mem_free(&buf); - prs_mem_free(&rbuf); - return False; - } - - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, NET_REQCHAL, &buf, &rbuf)) - { - NET_R_REQ_CHAL r_c; - BOOL ok; - - ok = net_io_r_req_chal("", &r_c, &rbuf, 0); - - if (ok && !NT_STATUS_IS_OK(r_c.status)) - { - /* report error code */ - DEBUG(0,("cli_net_req_chal: Error %s\n", nt_errstr(r_c.status))); - ok = False; - } - - if (ok) - { - /* ok, at last: we're happy. return the challenge */ - memcpy(srv_chal, r_c.srv_chal.data, sizeof(srv_chal->data)); - valid_chal = True; - } - } - - prs_mem_free(&buf); - prs_mem_free(&rbuf); - - return valid_chal; + gen_next_creds(cli, &clnt_creds); + + init_net_q_sam_sync(&q, cli->srv_name_slash, cli->clnt_name_slash + 2, + &clnt_creds, ret_creds, database_id); + + /* Marshall data and send request */ + + if (!net_io_q_sam_sync("", &q, &qbuf, 0) || + !rpc_api_pipe_req(cli, NET_SAM_SYNC, &qbuf, &rbuf)) { + result = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + /* Unmarshall response */ + + if (!net_io_r_sam_sync("", cli->sess_key, &r, &rbuf, 0)) { + result = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + /* Return results */ + + result = r.status; + *num_deltas = r.num_deltas2; + *hdr_deltas = r.hdr_deltas; + *deltas = r.deltas; + + memcpy(ret_creds, &r.srv_creds, sizeof(*ret_creds)); + + done: + prs_mem_free(&qbuf); + prs_mem_free(&rbuf); + + return result; } -/*************************************************************************** - LSA SAM Logon internal - interactive or network. Does level 2 or 3 but always - returns level 3. -****************************************************************************/ -static NTSTATUS cli_net_sam_logon_internal(struct cli_state *cli, NET_ID_INFO_CTR *ctr, - NET_USER_INFO_3 *user_info3, - uint16 validation_level) +/* Sam synchronisation */ + +NTSTATUS cli_netlogon_sam_deltas(struct cli_state *cli, TALLOC_CTX *mem_ctx, + uint32 database_id, UINT64_S seqnum, + uint32 *num_deltas, + SAM_DELTA_HDR **hdr_deltas, + SAM_DELTA_CTR **deltas) { - DOM_CRED new_clnt_cred; - DOM_CRED dummy_rtn_creds; - prs_struct rbuf; - prs_struct buf; - NET_Q_SAM_LOGON q_s; - NET_R_SAM_LOGON r_s; - NTSTATUS retval = NT_STATUS_OK; + prs_struct qbuf, rbuf; + NET_Q_SAM_DELTAS q; + NET_R_SAM_DELTAS r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + DOM_CRED clnt_creds; - gen_next_creds( cli, &new_clnt_cred); + ZERO_STRUCT(q); + ZERO_STRUCT(r); - prs_init(&buf , 1024, cli->mem_ctx, MARSHALL); - prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); + /* Initialise parse structures */ - /* create and send a MSRPC command with api NET_SAMLOGON */ + prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); + prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); - DEBUG(4,("cli_net_sam_logon_internal: srv:%s mc:%s clnt %s %x ll: %d\n", - cli->srv_name_slash, global_myname, - credstr(new_clnt_cred.challenge.data), cli->clnt_cred.timestamp.time, - ctr->switch_value)); + /* Initialise input parameters */ - memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); - dummy_rtn_creds.timestamp.time = time(NULL); + gen_next_creds(cli, &clnt_creds); - /* store the parameters */ - q_s.validation_level = validation_level; - init_sam_info(&q_s.sam_id, cli->srv_name_slash, - global_myname, &new_clnt_cred, &dummy_rtn_creds, - ctr->switch_value, ctr); + init_net_q_sam_deltas(&q, cli->srv_name_slash, + cli->clnt_name_slash + 2, &clnt_creds, + database_id, seqnum); - /* turn parameters into data stream */ - if(!net_io_q_sam_logon("", &q_s, &buf, 0)) { - DEBUG(0,("cli_net_sam_logon_internal: Error : failed to marshall NET_Q_SAM_LOGON struct.\n")); - retval = NT_STATUS_NO_MEMORY; - goto out; - } + /* Marshall data and send request */ - /* send the data on \PIPE\ */ - if (!rpc_api_pipe_req(cli, NET_SAMLOGON, &buf, &rbuf)) { - DEBUG(0,("cli_net_sam_logon_internal: Error rpc_api_pipe_req failed.\n")); - retval = NT_STATUS_UNSUCCESSFUL; - goto out; + if (!net_io_q_sam_deltas("", &q, &qbuf, 0) || + !rpc_api_pipe_req(cli, NET_SAM_DELTAS, &qbuf, &rbuf)) { + result = NT_STATUS_UNSUCCESSFUL; + goto done; } - r_s.user = user_info3; + /* Unmarshall response */ - if(!net_io_r_sam_logon("", &r_s, &rbuf, 0)) { - DEBUG(0,("cli_net_sam_logon_internal: Error : failed to unmarshal NET_R_SAM_LOGON struct.\n")); - retval = NT_STATUS_NO_MEMORY; - goto out; + if (!net_io_r_sam_deltas("", cli->sess_key, &r, &rbuf, 0)) { + result = NT_STATUS_UNSUCCESSFUL; + goto done; } - - retval = r_s.status; - /* - * Don't treat NT_STATUS_INVALID_INFO_CLASS as an error - we will re-issue - * the call. - */ - - if (NT_STATUS_V(retval) == NT_STATUS_V(NT_STATUS_INVALID_INFO_CLASS)) { - goto out; - } + /* Return results */ - if (!NT_STATUS_IS_OK(retval)) { - /* report error code */ - DEBUG(0,("cli_net_sam_logon_internal: %s\n", nt_errstr(r_s.status))); - goto out; - } + result = r.status; + *num_deltas = r.num_deltas2; + *hdr_deltas = r.hdr_deltas; + *deltas = r.deltas; - /* Update the credentials. */ - if (!clnt_deal_with_creds(cli->sess_key, &cli->clnt_cred, &r_s.srv_creds)) { - /* - * Server replied with bad credential. Fail. - */ - DEBUG(0,("cli_net_sam_logon_internal: server %s replied with bad credential (bad machine \ -password ?).\n", cli->desthost )); - retval = NT_STATUS_WRONG_PASSWORD; + done: + prs_mem_free(&qbuf); + prs_mem_free(&rbuf); + + return result; +} + +/* Logon domain user */ + +NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, + char *username, char *password, + int logon_type) +{ + prs_struct qbuf, rbuf; + NET_Q_SAM_LOGON q; + NET_R_SAM_LOGON r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + DOM_CRED clnt_creds, dummy_rtn_creds; + extern pstring global_myname; + NET_ID_INFO_CTR ctr; + NET_USER_INFO_3 user; + int validation_level = 3; + + ZERO_STRUCT(q); + ZERO_STRUCT(r); + + /* Initialise parse structures */ + + prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); + prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); + + /* Initialise input parameters */ + + gen_next_creds(cli, &clnt_creds); + + q.validation_level = validation_level; + + memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); + dummy_rtn_creds.timestamp.time = time(NULL); + + ctr.switch_value = logon_type; + + switch (logon_type) { + case INTERACTIVE_LOGON_TYPE: { + unsigned char lm_owf_user_pwd[16], nt_owf_user_pwd[16]; + + nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd); + + init_id_info1(&ctr.auth.id1, lp_workgroup(), + 0, /* param_ctrl */ + 0xdead, 0xbeef, /* LUID? */ + username, cli->clnt_name_slash, + cli->sess_key, lm_owf_user_pwd, + nt_owf_user_pwd); + + break; + } + case NET_LOGON_TYPE: { + uint8 chal[8]; + unsigned char local_lm_response[24]; + unsigned char local_nt_response[24]; + + generate_random_buffer(chal, 8, False); + + SMBencrypt(password, chal, local_lm_response); + SMBNTencrypt(password, chal, local_nt_response); + + init_id_info2(&ctr.auth.id2, lp_workgroup(), + 0, /* param_ctrl */ + 0xdead, 0xbeef, /* LUID? */ + username, cli->clnt_name_slash, chal, + local_lm_response, 24, local_nt_response, 24); + break; + } + default: + DEBUG(0, ("switch value %d not supported\n", + ctr.switch_value)); + goto done; + } + + init_sam_info(&q.sam_id, cli->srv_name_slash, global_myname, + &clnt_creds, &dummy_rtn_creds, logon_type, + &ctr); + + /* Marshall data and send request */ + + if (!net_io_q_sam_logon("", &q, &qbuf, 0) || + !rpc_api_pipe_req(cli, NET_SAMLOGON, &qbuf, &rbuf)) { + goto done; } - - if (r_s.switch_value != validation_level) { - /* report different switch_value */ - DEBUG(0,("cli_net_sam_logon: switch_value of %x expected %x\n", (unsigned int)validation_level, - (unsigned int)r_s.switch_value)); - retval = NT_STATUS_INVALID_PARAMETER; + + /* Unmarshall response */ + + r.user = &user; + + if (!net_io_r_sam_logon("", &r, &rbuf, 0)) { + goto done; } -out: + /* Return results */ + + result = r.status; - prs_mem_free(&buf); + done: + prs_mem_free(&qbuf); prs_mem_free(&rbuf); - - return retval; + + return result; } -/*************************************************************************** -LSA SAM Logon - interactive or network. -****************************************************************************/ -NTSTATUS cli_net_sam_logon(struct cli_state *cli, NET_ID_INFO_CTR *ctr, - NET_USER_INFO_3 *user_info3) +/** + * Logon domain user with an 'network' SAM logon + * + * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller. + **/ + +NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, + const char *username, const char *domain, const char *workstation, + const uint8 chal[8], + DATA_BLOB lm_response, DATA_BLOB nt_response, + NET_USER_INFO_3 *info3) + { - uint16 validation_level=3; - NTSTATUS result; + prs_struct qbuf, rbuf; + NET_Q_SAM_LOGON q; + NET_R_SAM_LOGON r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + DOM_CRED clnt_creds, dummy_rtn_creds; + NET_ID_INFO_CTR ctr; + extern pstring global_myname; + int validation_level = 3; + char *workstation_name_slash; + + ZERO_STRUCT(q); + ZERO_STRUCT(r); - result = cli_net_sam_logon_internal(cli, ctr, user_info3, - validation_level); + workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation); + + if (!workstation_name_slash) { + DEBUG(0, ("talloc_asprintf failed!\n")); + return NT_STATUS_NO_MEMORY; + } - if (NT_STATUS_IS_OK(result)) { - DEBUG(10,("cli_net_sam_logon: Success \n")); - } else if (NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_INVALID_INFO_CLASS)) { - DEBUG(10,("cli_net_sam_logon: STATUS INVALID INFO CLASS \n")); + /* Initialise parse structures */ - validation_level=2; + prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); + prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); - /* - * Since this is the second time we call this function, don't care - * for the error. If its error, return False. - */ + /* Initialise input parameters */ - result = cli_net_sam_logon_internal(cli, ctr, user_info3, - validation_level); - } + gen_next_creds(cli, &clnt_creds); - return result; -} + q.validation_level = validation_level; -/*************************************************************************** -LSA SAM Logoff. + memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); + dummy_rtn_creds.timestamp.time = time(NULL); -This currently doesnt work correctly as the domain controller -returns NT_STATUS_INVALID_INFO_CLASS - we obviously need to -send a different info level. Right now though, I'm not sure -what that needs to be (I need to see one on the wire before -I can be sure). JRA. -****************************************************************************/ -BOOL cli_net_sam_logoff(struct cli_state *cli, NET_ID_INFO_CTR *ctr) -{ - DOM_CRED new_clnt_cred; - DOM_CRED dummy_rtn_creds; - prs_struct rbuf; - prs_struct buf; - NET_Q_SAM_LOGOFF q_s; - BOOL ok = False; + ctr.switch_value = NET_LOGON_TYPE; - gen_next_creds( cli, &new_clnt_cred); + init_id_info2(&ctr.auth.id2, domain, + 0, /* param_ctrl */ + 0xdead, 0xbeef, /* LUID? */ + username, workstation_name_slash, (const uchar*)chal, + lm_response.data, lm_response.length, nt_response.data, nt_response.length); + + init_sam_info(&q.sam_id, cli->srv_name_slash, global_myname, + &clnt_creds, &dummy_rtn_creds, NET_LOGON_TYPE, + &ctr); - prs_init(&buf , 1024, cli->mem_ctx, MARSHALL); - prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); + /* Marshall data and send request */ - /* create and send a MSRPC command with api NET_SAMLOGOFF */ + if (!net_io_q_sam_logon("", &q, &qbuf, 0) || + !rpc_api_pipe_req(cli, NET_SAMLOGON, &qbuf, &rbuf)) { + goto done; + } - DEBUG(4,("cli_net_sam_logoff: srv:%s mc:%s clnt %s %x ll: %d\n", - cli->srv_name_slash, global_myname, - credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time, - ctr->switch_value)); + /* Unmarshall response */ - memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); + r.user = info3; - init_sam_info(&q_s.sam_id, cli->srv_name_slash, - global_myname, &new_clnt_cred, &dummy_rtn_creds, - ctr->switch_value, ctr); + if (!net_io_r_sam_logon("", &r, &rbuf, 0)) { + goto done; + } + + /* Return results */ + + result = r.status; + + done: + prs_mem_free(&qbuf); + prs_mem_free(&rbuf); + + return result; +} + +/*************************************************************************** +LSA Server Password Set. +****************************************************************************/ - /* turn parameters into data stream */ - if(!net_io_q_sam_logoff("", &q_s, &buf, 0)) { - DEBUG(0,("cli_net_sam_logoff: Error : failed to marshall NET_Q_SAM_LOGOFF struct.\n")); - prs_mem_free(&buf); - prs_mem_free(&rbuf); - return False; - } +NTSTATUS cli_net_srv_pwset(struct cli_state *cli, TALLOC_CTX *mem_ctx, + char* machine_name, uint8 hashed_mach_pwd[16]) +{ + prs_struct rbuf; + prs_struct qbuf; + DOM_CRED new_clnt_cred; + NET_Q_SRV_PWSET q_s; + uint16 sec_chan_type = 2; + NTSTATUS nt_status; + char *mach_acct; - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, NET_SAMLOGOFF, &buf, &rbuf)) - { - NET_R_SAM_LOGOFF r_s; + gen_next_creds( cli, &new_clnt_cred); + + prs_init(&qbuf , 1024, mem_ctx, MARSHALL); + prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); + + /* create and send a MSRPC command with api NET_SRV_PWSET */ + + mach_acct = talloc_asprintf(mem_ctx, "%s$", machine_name); + + if (!mach_acct) { + DEBUG(0,("talloc_asprintf failed!\n")); + nt_status = NT_STATUS_NO_MEMORY; + goto done; + } - ok = net_io_r_sam_logoff("", &r_s, &rbuf, 0); + DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s clnt %s %x\n", + cli->srv_name_slash, mach_acct, sec_chan_type, machine_name, + credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time)); + + /* store the parameters */ + init_q_srv_pwset(&q_s, cli->srv_name_slash, cli->sess_key, + mach_acct, sec_chan_type, machine_name, + &new_clnt_cred, (char *)hashed_mach_pwd); + + /* turn parameters into data stream */ + if(!net_io_q_srv_pwset("", &q_s, &qbuf, 0)) { + DEBUG(0,("cli_net_srv_pwset: Error : failed to marshall NET_Q_SRV_PWSET struct.\n")); + nt_status = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, NET_SRVPWSET, &qbuf, &rbuf)) + { + NET_R_SRV_PWSET r_s; + + if (!net_io_r_srv_pwset("", &r_s, &rbuf, 0)) { + nt_status = NT_STATUS_UNSUCCESSFUL; + goto done; + } - if (ok && !NT_STATUS_IS_OK(r_s.status)) - { - /* report error code */ - DEBUG(0,("cli_net_sam_logoff: %s\n", nt_errstr(r_s.status))); - ok = False; - } - - /* Update the credentials. */ - if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_creds))) - { - /* - * Server replied with bad credential. Fail. - */ - DEBUG(0,("cli_net_sam_logoff: server %s replied with bad credential (bad machine \ + nt_status = r_s.status; + + if (!NT_STATUS_IS_OK(r_s.status)) + { + /* report error code */ + DEBUG(0,("cli_net_srv_pwset: %s\n", nt_errstr(nt_status))); + goto done; + } + + /* Update the credentials. */ + if (!clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_cred))) + { + /* + * Server replied with bad credential. Fail. + */ + DEBUG(0,("cli_net_srv_pwset: server %s replied with bad credential (bad machine \ password ?).\n", cli->desthost )); - ok = False; - } - } - - prs_mem_free(&buf); - prs_mem_free(&rbuf); + nt_status = NT_STATUS_UNSUCCESSFUL; + } + } - return ok; + done: + prs_mem_free(&qbuf); + prs_mem_free(&rbuf); + + return nt_status; } + -- cgit From a834a73e341059be154426390304a42e4a011f72 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 25 Sep 2002 15:19:00 +0000 Subject: sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139) --- source3/rpc_client/cli_netlogon.c | 152 +++++++++++++++++++++++++++++++------- 1 file changed, 126 insertions(+), 26 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index acc9135542..eaee3c26e7 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -152,11 +152,106 @@ password ?).\n", cli->desthost )); return result; } +/**************************************************************************** +LSA Authenticate 3 + +Send the client credential, receive back a server credential. +Ensure that the server credential returned matches the session key +encrypt of the server challenge originally received. JRA. +****************************************************************************/ + +NTSTATUS cli_net_auth3(struct cli_state *cli, + uint16 sec_chan, + uint32 *neg_flags, DOM_CHAL *srv_chal) +{ + prs_struct qbuf, rbuf; + NET_Q_AUTH_3 q; + NET_R_AUTH_3 r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + extern pstring global_myname; + + prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL); + prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); + + /* create and send a MSRPC command with api NET_AUTH2 */ + + DEBUG(4,("cli_net_auth3: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", + cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, + credstr(cli->clnt_cred.challenge.data), *neg_flags)); + + /* store the parameters */ + init_q_auth_3(&q, cli->srv_name_slash, cli->mach_acct, + sec_chan, global_myname, &cli->clnt_cred.challenge, + *neg_flags); + + /* turn parameters into data stream */ + + if (!net_io_q_auth_3("", &q, &qbuf, 0) || + !rpc_api_pipe_req(cli, NET_AUTH3, &qbuf, &rbuf)) { + goto done; + } + + /* Unmarshall response */ + + if (!net_io_r_auth_3("", &r, &rbuf, 0)) { + goto done; + } + + result = r.status; + *neg_flags = r.srv_flgs.neg_flags; + + if (NT_STATUS_IS_OK(result)) { + UTIME zerotime; + + /* + * Check the returned value using the initial + * server received challenge. + */ + + zerotime.time = 0; + if (cred_assert( &r.srv_chal, cli->sess_key, srv_chal, + zerotime) == 0) { + + /* + * Server replied with bad credential. Fail. + */ + DEBUG(0,("cli_net_auth3: server %s replied with bad credential (bad machine \ +password ?).\n", cli->desthost )); + result = NT_STATUS_ACCESS_DENIED; + goto done; + } + } + + done: + prs_mem_free(&qbuf); + prs_mem_free(&rbuf); + + return result; +} + +/* Return the secure channel type depending on the server role. */ + +uint16 get_sec_chan(void) +{ + uint16 sec_chan = SEC_CHAN_WKSTA; + + switch (lp_server_role()) { + case ROLE_DOMAIN_PDC: + sec_chan = SEC_CHAN_DOMAIN; + break; + case ROLE_DOMAIN_BDC: + sec_chan = SEC_CHAN_BDC; + break; + } + + return sec_chan; +} + /* Initialize domain session credentials */ NTSTATUS cli_nt_setup_creds(struct cli_state *cli, uint16 sec_chan, - const unsigned char mach_pwd[16]) + const unsigned char mach_pwd[16], uint32 *neg_flags, int level) { DOM_CHAL clnt_chal; DOM_CHAL srv_chal; @@ -182,24 +277,30 @@ NTSTATUS cli_nt_setup_creds(struct cli_state *cli, cli->sess_key); memset((char *)cli->sess_key+8, '\0', 8); - /******************* Authenticate 2 ********************/ + /******************* Authenticate 2/3 ********************/ - /* calculate auth-2 credentials */ + /* calculate auth-2/3 credentials */ zerotime.time = 0; - cred_create(cli->sess_key, &clnt_chal, zerotime, - &cli->clnt_cred.challenge); + cred_create(cli->sess_key, &clnt_chal, zerotime, &cli->clnt_cred.challenge); /* - * Send client auth-2 challenge. - * Receive an auth-2 challenge response and check it. + * Send client auth-2/3 challenge. + * Receive an auth-2/3 challenge response and check it. */ - - result = cli_net_auth2(cli, sec_chan, 0x000001ff, &srv_chal); + switch (level) { + case 2: + result = cli_net_auth2(cli, sec_chan, *neg_flags, &srv_chal); + break; + case 3: + result = cli_net_auth3(cli, sec_chan, neg_flags, &srv_chal); + break; + default: + DEBUG(1,("cli_nt_setup_creds: unsupported auth level: %d\n", level)); + break; + } - if (!NT_STATUS_IS_OK(result)) { - DEBUG(1,("cli_nt_setup_creds: auth2 challenge failed %s\n", - nt_errstr(result))); - } + if (!NT_STATUS_IS_OK(result)) + DEBUG(1,("cli_nt_setup_creds: auth%d challenge failed %s\n", level, nt_errstr(result))); return result; } @@ -257,24 +358,23 @@ file. They should be combined at some stage. )-: static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) { - /* - * Create the new client credentials. - */ - - cli->clnt_cred.timestamp.time = time(NULL); - - memcpy(new_clnt_cred, &cli->clnt_cred, sizeof(*new_clnt_cred)); - - /* Calculate the new credentials. */ - cred_create(cli->sess_key, &(cli->clnt_cred.challenge), - new_clnt_cred->timestamp, &(new_clnt_cred->challenge)); + /* + * Create the new client credentials. + */ + + cli->clnt_cred.timestamp.time = time(NULL); + + memcpy(new_clnt_cred, &cli->clnt_cred, sizeof(*new_clnt_cred)); + /* Calculate the new credentials. */ + cred_create(cli->sess_key, &(cli->clnt_cred.challenge), + new_clnt_cred->timestamp, &(new_clnt_cred->challenge)); } /* Sam synchronisation */ NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx, DOM_CRED *ret_creds, - uint32 database_id, uint32 *num_deltas, + uint32 database_id, uint32 next_rid, uint32 *num_deltas, SAM_DELTA_HDR **hdr_deltas, SAM_DELTA_CTR **deltas) { @@ -297,7 +397,7 @@ NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx, DOM_C gen_next_creds(cli, &clnt_creds); init_net_q_sam_sync(&q, cli->srv_name_slash, cli->clnt_name_slash + 2, - &clnt_creds, ret_creds, database_id); + &clnt_creds, ret_creds, database_id, next_rid); /* Marshall data and send request */ -- cgit From 2f194322d419350f35a48dff750066894d68eccf Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 12 Nov 2002 23:20:50 +0000 Subject: Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89) --- source3/rpc_client/cli_netlogon.c | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index eaee3c26e7..b5ad798755 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -35,7 +35,6 @@ NTSTATUS cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, NET_Q_REQ_CHAL q; NET_R_REQ_CHAL r; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - extern pstring global_myname; prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL); prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); @@ -43,10 +42,10 @@ NTSTATUS cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, /* create and send a MSRPC command with api NET_REQCHAL */ DEBUG(4,("cli_net_req_chal: LSA Request Challenge from %s to %s: %s\n", - global_myname, cli->desthost, credstr(clnt_chal->data))); + global_myname(), cli->desthost, credstr(clnt_chal->data))); /* store the parameters */ - init_q_req_chal(&q, cli->srv_name_slash, global_myname, clnt_chal); + init_q_req_chal(&q, cli->srv_name_slash, global_myname(), clnt_chal); /* Marshall data and send request */ @@ -92,7 +91,6 @@ NTSTATUS cli_net_auth2(struct cli_state *cli, NET_Q_AUTH_2 q; NET_R_AUTH_2 r; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - extern pstring global_myname; prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL); prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); @@ -100,12 +98,12 @@ NTSTATUS cli_net_auth2(struct cli_state *cli, /* create and send a MSRPC command with api NET_AUTH2 */ DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", - cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, + cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname(), credstr(cli->clnt_cred.challenge.data), neg_flags)); /* store the parameters */ init_q_auth_2(&q, cli->srv_name_slash, cli->mach_acct, - sec_chan, global_myname, &cli->clnt_cred.challenge, + sec_chan, global_myname(), &cli->clnt_cred.challenge, neg_flags); /* turn parameters into data stream */ @@ -168,7 +166,6 @@ NTSTATUS cli_net_auth3(struct cli_state *cli, NET_Q_AUTH_3 q; NET_R_AUTH_3 r; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - extern pstring global_myname; prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL); prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); @@ -176,12 +173,12 @@ NTSTATUS cli_net_auth3(struct cli_state *cli, /* create and send a MSRPC command with api NET_AUTH2 */ DEBUG(4,("cli_net_auth3: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", - cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname, + cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname(), credstr(cli->clnt_cred.challenge.data), *neg_flags)); /* store the parameters */ init_q_auth_3(&q, cli->srv_name_slash, cli->mach_acct, - sec_chan, global_myname, &cli->clnt_cred.challenge, + sec_chan, global_myname(), &cli->clnt_cred.challenge, *neg_flags); /* turn parameters into data stream */ @@ -500,7 +497,6 @@ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, NET_R_SAM_LOGON r; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; DOM_CRED clnt_creds, dummy_rtn_creds; - extern pstring global_myname; NET_ID_INFO_CTR ctr; NET_USER_INFO_3 user; int validation_level = 3; @@ -562,7 +558,7 @@ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, goto done; } - init_sam_info(&q.sam_id, cli->srv_name_slash, global_myname, + init_sam_info(&q.sam_id, cli->srv_name_slash, global_myname(), &clnt_creds, &dummy_rtn_creds, logon_type, &ctr); @@ -612,7 +608,6 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c NTSTATUS result = NT_STATUS_UNSUCCESSFUL; DOM_CRED clnt_creds, dummy_rtn_creds; NET_ID_INFO_CTR ctr; - extern pstring global_myname; int validation_level = 3; char *workstation_name_slash; @@ -648,7 +643,7 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c username, workstation_name_slash, (const uchar*)chal, lm_response.data, lm_response.length, nt_response.data, nt_response.length); - init_sam_info(&q.sam_id, cli->srv_name_slash, global_myname, + init_sam_info(&q.sam_id, cli->srv_name_slash, global_myname(), &clnt_creds, &dummy_rtn_creds, NET_LOGON_TYPE, &ctr); @@ -683,7 +678,7 @@ LSA Server Password Set. ****************************************************************************/ NTSTATUS cli_net_srv_pwset(struct cli_state *cli, TALLOC_CTX *mem_ctx, - char* machine_name, uint8 hashed_mach_pwd[16]) + const char *machine_name, uint8 hashed_mach_pwd[16]) { prs_struct rbuf; prs_struct qbuf; -- cgit From 1788f806e7655aa37cff22eaa6f3f424fb779274 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 25 Feb 2003 23:51:56 +0000 Subject: Merge: const fixes. (This used to be commit a20aba09996e470425a151271237f2d48a8302af) --- source3/rpc_client/cli_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index b5ad798755..cbb09803af 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -489,7 +489,7 @@ NTSTATUS cli_netlogon_sam_deltas(struct cli_state *cli, TALLOC_CTX *mem_ctx, /* Logon domain user */ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, - char *username, char *password, + const char *username, const char *password, int logon_type) { prs_struct qbuf, rbuf; -- cgit From 53beee9e5675a59c67d9ecfbaec50dca4ac01750 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 24 Mar 2003 09:54:13 +0000 Subject: (merge from HEAD) NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664) --- source3/rpc_client/cli_netlogon.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index cbb09803af..f83571af03 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -597,7 +597,7 @@ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, const char *username, const char *domain, const char *workstation, - const uint8 chal[8], + const uint8 chal[8], DATA_BLOB lm_response, DATA_BLOB nt_response, NET_USER_INFO_3 *info3) @@ -610,6 +610,8 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c NET_ID_INFO_CTR ctr; int validation_level = 3; char *workstation_name_slash; + uint8 netlogon_sess_key[16]; + static uint8 zeros[16]; ZERO_STRUCT(q); ZERO_STRUCT(r); @@ -662,6 +664,15 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c goto done; } + ZERO_STRUCT(netlogon_sess_key); + memcpy(netlogon_sess_key, cli->sess_key, 8); + + if (memcmp(zeros, info3->user_sess_key, 16) != 0) + SamOEMhash(info3->user_sess_key, netlogon_sess_key, 16); + + if (memcmp(zeros, info3->padding, 16) != 0) + SamOEMhash(info3->padding, netlogon_sess_key, 16); + /* Return results */ result = r.status; -- cgit From f88a3ebde4cbe75159d04b4fcd074ebf99c09794 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 9 Apr 2003 10:10:13 +0000 Subject: Auth2, not also Auth3 sends us flags back, although all the callers ignore it. Volker (This used to be commit 1e03e955450af7f05e564793e95258e45e08dabd) --- source3/rpc_client/cli_netlogon.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index f83571af03..ae76e46c6d 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -85,7 +85,7 @@ encrypt of the server challenge originally received. JRA. NTSTATUS cli_net_auth2(struct cli_state *cli, uint16 sec_chan, - uint32 neg_flags, DOM_CHAL *srv_chal) + uint32 *neg_flags, DOM_CHAL *srv_chal) { prs_struct qbuf, rbuf; NET_Q_AUTH_2 q; @@ -104,7 +104,7 @@ NTSTATUS cli_net_auth2(struct cli_state *cli, /* store the parameters */ init_q_auth_2(&q, cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname(), &cli->clnt_cred.challenge, - neg_flags); + *neg_flags); /* turn parameters into data stream */ @@ -141,6 +141,7 @@ password ?).\n", cli->desthost )); result = NT_STATUS_ACCESS_DENIED; goto done; } + *neg_flags = r.srv_flgs.neg_flags; } done: @@ -195,7 +196,6 @@ NTSTATUS cli_net_auth3(struct cli_state *cli, } result = r.status; - *neg_flags = r.srv_flgs.neg_flags; if (NT_STATUS_IS_OK(result)) { UTIME zerotime; @@ -217,6 +217,7 @@ password ?).\n", cli->desthost )); result = NT_STATUS_ACCESS_DENIED; goto done; } + *neg_flags = r.srv_flgs.neg_flags; } done: @@ -286,7 +287,7 @@ NTSTATUS cli_nt_setup_creds(struct cli_state *cli, */ switch (level) { case 2: - result = cli_net_auth2(cli, sec_chan, *neg_flags, &srv_chal); + result = cli_net_auth2(cli, sec_chan, neg_flags, &srv_chal); break; case 3: result = cli_net_auth3(cli, sec_chan, neg_flags, &srv_chal); -- cgit From 19164790b0c56dbae2997c477ce733efd45913b0 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 14 Apr 2003 05:24:59 +0000 Subject: Merge: incorrect arg to debug. (This used to be commit 800b79e8364d761bbd8c99016211dfe199eee080) --- source3/rpc_client/cli_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index ae76e46c6d..61d4b59723 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -99,7 +99,7 @@ NTSTATUS cli_net_auth2(struct cli_state *cli, DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname(), - credstr(cli->clnt_cred.challenge.data), neg_flags)); + credstr(cli->clnt_cred.challenge.data), *neg_flags)); /* store the parameters */ init_q_auth_2(&q, cli->srv_name_slash, cli->mach_acct, -- cgit From f071020f5e49837154581c97c5af5f84d0e2de89 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 21 Apr 2003 14:09:03 +0000 Subject: Merge from HEAD - save the type of channel used to contact the DC. This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also change the SID retreval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a) --- source3/rpc_client/cli_netlogon.c | 18 ------------------ 1 file changed, 18 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 61d4b59723..ce0dd95e94 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -227,24 +227,6 @@ password ?).\n", cli->desthost )); return result; } -/* Return the secure channel type depending on the server role. */ - -uint16 get_sec_chan(void) -{ - uint16 sec_chan = SEC_CHAN_WKSTA; - - switch (lp_server_role()) { - case ROLE_DOMAIN_PDC: - sec_chan = SEC_CHAN_DOMAIN; - break; - case ROLE_DOMAIN_BDC: - sec_chan = SEC_CHAN_BDC; - break; - } - - return sec_chan; -} - /* Initialize domain session credentials */ NTSTATUS cli_nt_setup_creds(struct cli_state *cli, -- cgit From aa79f23d9ba93e976781ae484639a321268c8705 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 1 May 2003 02:51:49 +0000 Subject: Turn down some DEBUG()s and remove some duplicate code spotted by dfenwick. Andrew Bartlett (This used to be commit 542a8b1817d3930e03e08e16e9711cacceb6df61) --- source3/rpc_client/cli_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index ce0dd95e94..72240ca7d2 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -280,7 +280,7 @@ NTSTATUS cli_nt_setup_creds(struct cli_state *cli, } if (!NT_STATUS_IS_OK(result)) - DEBUG(1,("cli_nt_setup_creds: auth%d challenge failed %s\n", level, nt_errstr(result))); + DEBUG(3,("cli_nt_setup_creds: auth%d challenge failed %s\n", level, nt_errstr(result))); return result; } -- cgit From d1da999e0a84939e372ebe590861376e2c0075b3 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 8 May 2003 08:02:52 +0000 Subject: This puts real netlogon connection caching to winbind. This becomes important once we start doing schannel, as there would be a lot more roundtrips for the second PIPE open and bind. With this patch logging in to a member server is a matter of two (three if you count the ack...) packets between us and the DC. Volker (This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e) --- source3/rpc_client/cli_netlogon.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 72240ca7d2..831101ed81 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -472,6 +472,7 @@ NTSTATUS cli_netlogon_sam_deltas(struct cli_state *cli, TALLOC_CTX *mem_ctx, /* Logon domain user */ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, + DOM_CRED *ret_creds, const char *username, const char *password, int logon_type) { @@ -486,6 +487,7 @@ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, ZERO_STRUCT(q); ZERO_STRUCT(r); + ZERO_STRUCT(dummy_rtn_creds); /* Initialise parse structures */ @@ -498,8 +500,8 @@ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, q.validation_level = validation_level; - memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); - dummy_rtn_creds.timestamp.time = time(NULL); + if (ret_creds == NULL) + ret_creds = &dummy_rtn_creds; ctr.switch_value = logon_type; @@ -542,7 +544,7 @@ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, } init_sam_info(&q.sam_id, cli->srv_name_slash, global_myname(), - &clnt_creds, &dummy_rtn_creds, logon_type, + &clnt_creds, ret_creds, logon_type, &ctr); /* Marshall data and send request */ @@ -563,6 +565,7 @@ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, /* Return results */ result = r.status; + memcpy(ret_creds, &r.srv_creds, sizeof(*ret_creds)); done: prs_mem_free(&qbuf); @@ -579,6 +582,7 @@ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, **/ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, + DOM_CRED *ret_creds, const char *username, const char *domain, const char *workstation, const uint8 chal[8], DATA_BLOB lm_response, DATA_BLOB nt_response, @@ -598,6 +602,7 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c ZERO_STRUCT(q); ZERO_STRUCT(r); + ZERO_STRUCT(dummy_rtn_creds); workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation); @@ -617,8 +622,8 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c q.validation_level = validation_level; - memset(&dummy_rtn_creds, '\0', sizeof(dummy_rtn_creds)); - dummy_rtn_creds.timestamp.time = time(NULL); + if (ret_creds == NULL) + ret_creds = &dummy_rtn_creds; ctr.switch_value = NET_LOGON_TYPE; @@ -629,7 +634,7 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c lm_response.data, lm_response.length, nt_response.data, nt_response.length); init_sam_info(&q.sam_id, cli->srv_name_slash, global_myname(), - &clnt_creds, &dummy_rtn_creds, NET_LOGON_TYPE, + &clnt_creds, ret_creds, NET_LOGON_TYPE, &ctr); /* Marshall data and send request */ @@ -659,6 +664,7 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c /* Return results */ result = r.status; + memcpy(ret_creds, &r.srv_creds, sizeof(*ret_creds)); done: prs_mem_free(&qbuf); -- cgit From 3f3e2a8f49e05986eca28fe5c33dc75ec93dab2e Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 23 Jul 2003 07:14:33 +0000 Subject: Fix out of date comment. (This used to be commit 2e5bd1665430768b06da99beba5ac11a59c9bf07) --- source3/rpc_client/cli_netlogon.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 831101ed81..7b8cd19174 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -332,8 +332,7 @@ NTSTATUS cli_netlogon_logon_ctrl2(struct cli_state *cli, TALLOC_CTX *mem_ctx, } /**************************************************************************** -Generate the next creds to use. Yuck - this is a cut&paste from another -file. They should be combined at some stage. )-: +Generate the next creds to use. ****************************************************************************/ static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) -- cgit From aa39cc37dab9c4f8c3295d872bb8cc143890b378 Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Fri, 15 Aug 2003 04:42:05 +0000 Subject: get rid of more compiler warnings (This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669) --- source3/rpc_client/cli_netlogon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 7b8cd19174..2de830e558 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -514,7 +514,7 @@ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, 0, /* param_ctrl */ 0xdead, 0xbeef, /* LUID? */ username, cli->clnt_name_slash, - cli->sess_key, lm_owf_user_pwd, + (const char *)cli->sess_key, lm_owf_user_pwd, nt_owf_user_pwd); break; @@ -707,9 +707,9 @@ NTSTATUS cli_net_srv_pwset(struct cli_state *cli, TALLOC_CTX *mem_ctx, credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time)); /* store the parameters */ - init_q_srv_pwset(&q_s, cli->srv_name_slash, cli->sess_key, + init_q_srv_pwset(&q_s, cli->srv_name_slash, (const char *)cli->sess_key, mach_acct, sec_chan_type, machine_name, - &new_clnt_cred, (char *)hashed_mach_pwd); + &new_clnt_cred, hashed_mach_pwd); /* turn parameters into data stream */ if(!net_io_q_srv_pwset("", &q_s, &qbuf, 0)) { -- cgit From f0cd6b35e551cdb2acb088f52edb0746da251b73 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 19 Aug 2003 20:39:32 +0000 Subject: - Fix the kerberos downgrade problem: - When connecting to the NETOGON pipe, we make a call to auth2, in order to verify our identity. This call was being made with negotiation flags of 0x1ff. This caused our account to be downgraded. If we instead make the call with flags > 1ff (such as 0x701ff), then this does not occour. - This is *not* related to the use of kerberos for the CIFS-level connection My theory is that Win2k has a test to see if we are sending *exactly* what NT4 sent - setting any other flags seems to cause us to remain intact. Also ensure that we only have 'setup schannel' code in a few places, not scattered around cmd_netlogon too. Andrew Bartlett (This used to be commit e10f0529fe9d8d245b3cd001cce6a9a86896679c) --- source3/rpc_client/cli_netlogon.c | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 2de830e558..97bc4c65b7 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -685,30 +685,19 @@ NTSTATUS cli_net_srv_pwset(struct cli_state *cli, TALLOC_CTX *mem_ctx, NET_Q_SRV_PWSET q_s; uint16 sec_chan_type = 2; NTSTATUS nt_status; - char *mach_acct; gen_next_creds( cli, &new_clnt_cred); prs_init(&qbuf , 1024, mem_ctx, MARSHALL); prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); - /* create and send a MSRPC command with api NET_SRV_PWSET */ - - mach_acct = talloc_asprintf(mem_ctx, "%s$", machine_name); - - if (!mach_acct) { - DEBUG(0,("talloc_asprintf failed!\n")); - nt_status = NT_STATUS_NO_MEMORY; - goto done; - } - DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s clnt %s %x\n", - cli->srv_name_slash, mach_acct, sec_chan_type, machine_name, + cli->srv_name_slash, cli->mach_acct, sec_chan_type, machine_name, credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time)); /* store the parameters */ init_q_srv_pwset(&q_s, cli->srv_name_slash, (const char *)cli->sess_key, - mach_acct, sec_chan_type, machine_name, + cli->mach_acct, sec_chan_type, machine_name, &new_clnt_cred, hashed_mach_pwd); /* turn parameters into data stream */ -- cgit From fcbfc7ad0669009957c65fa61bb20df75a9701b4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 22 Nov 2003 13:19:38 +0000 Subject: Changes all over the shop, but all towards: - NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc) --- source3/rpc_client/cli_netlogon.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 97bc4c65b7..70ac460303 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -654,11 +654,17 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c ZERO_STRUCT(netlogon_sess_key); memcpy(netlogon_sess_key, cli->sess_key, 8); - if (memcmp(zeros, info3->user_sess_key, 16) != 0) + if (memcmp(zeros, info3->user_sess_key, 16) != 0) { SamOEMhash(info3->user_sess_key, netlogon_sess_key, 16); - - if (memcmp(zeros, info3->padding, 16) != 0) + } else { + memset(info3->user_sess_key, '\0', 16); + } + + if (memcmp(zeros, info3->padding, 16) != 0) { SamOEMhash(info3->padding, netlogon_sess_key, 16); + } else { + memset(info3->padding, '\0', 16); + } /* Return results */ -- cgit From 044c6f513dca21d4fc01db4a686c75d43d4952d2 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 2 Apr 2004 12:56:18 +0000 Subject: Implement NETLOGON GetDCName client side. You can ask a DC for the name of a DC it trusts. Volker (This used to be commit ae6840320ff47827c2817549fe3133a57e3fe77f) --- source3/rpc_client/cli_netlogon.c | 49 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 70ac460303..f6d88a1950 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -331,6 +331,55 @@ NTSTATUS cli_netlogon_logon_ctrl2(struct cli_state *cli, TALLOC_CTX *mem_ctx, return result; } +/* GetDCName */ + +NTSTATUS cli_netlogon_getdcname(struct cli_state *cli, TALLOC_CTX *mem_ctx, + const char *domainname, fstring dcname) +{ + prs_struct qbuf, rbuf; + NET_Q_GETDCNAME q; + NET_R_GETDCNAME r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + + ZERO_STRUCT(q); + ZERO_STRUCT(r); + + /* Initialise parse structures */ + + prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); + prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); + + /* Initialise input parameters */ + + init_net_q_getdcname(&q, cli->srv_name_slash, domainname); + + /* Marshall data and send request */ + + if (!net_io_q_getdcname("", &q, &qbuf, 0) || + !rpc_api_pipe_req(cli, NET_GETDCNAME, &qbuf, &rbuf)) { + result = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + /* Unmarshall response */ + + if (!net_io_r_getdcname("", &r, &rbuf, 0)) { + result = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + result = r.status; + + if (NT_STATUS_IS_OK(result)) + rpcstr_pull_unistr2_fstring(dcname, &r.uni_dcname); + + done: + prs_mem_free(&qbuf); + prs_mem_free(&rbuf); + + return result; +} + /**************************************************************************** Generate the next creds to use. ****************************************************************************/ -- cgit From 9dbf2e2419e2ba0f2293b4a7a5971123f34a09ad Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 3 Jun 2004 18:00:22 +0000 Subject: r991: Allow winbindd to use the domain trust account password for setting up an schannel connection. This solves the problem of a Samba DC running winbind, trusting a native mode AD domain, and needing to enumerate AD users via wbinfo -u. (This used to be commit e9f109d1b38e0b0adec9b7e9a907f90a79d297ea) --- source3/rpc_client/cli_netlogon.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index f6d88a1950..02d2611d88 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -91,18 +91,25 @@ NTSTATUS cli_net_auth2(struct cli_state *cli, NET_Q_AUTH_2 q; NET_R_AUTH_2 r; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + fstring machine_acct; prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL); prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); + if ( sec_chan == SEC_CHAN_DOMAIN ) + fstr_sprintf( machine_acct, "%s$", lp_workgroup() ); + else + fstrcpy( machine_acct, cli->mach_acct ); + /* create and send a MSRPC command with api NET_AUTH2 */ DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", - cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname(), + cli->srv_name_slash, machine_acct, sec_chan, global_myname(), credstr(cli->clnt_cred.challenge.data), *neg_flags)); /* store the parameters */ - init_q_auth_2(&q, cli->srv_name_slash, cli->mach_acct, + + init_q_auth_2(&q, cli->srv_name_slash, machine_acct, sec_chan, global_myname(), &cli->clnt_cred.challenge, *neg_flags); -- cgit From 9d0783bf211dffe58845b36b0669f05bf8bf25b5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 14 Jul 2004 04:36:01 +0000 Subject: r1492: Rework our random number generation system. On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). Andrew Bartlett (This used to be commit 36741d3cf53a7bd17d361251f2bb50851cdb035f) --- source3/rpc_client/cli_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 02d2611d88..3fb032234f 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -247,7 +247,7 @@ NTSTATUS cli_nt_setup_creds(struct cli_state *cli, /******************* Request Challenge ********************/ - generate_random_buffer(clnt_chal.data, 8, False); + generate_random_buffer(clnt_chal.data, 8); /* send a client challenge; receive a server challenge */ result = cli_net_req_chal(cli, &clnt_chal, &srv_chal); @@ -580,7 +580,7 @@ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; - generate_random_buffer(chal, 8, False); + generate_random_buffer(chal, 8); SMBencrypt(password, chal, local_lm_response); SMBNTencrypt(password, chal, local_nt_response); -- cgit From 992ad2848522e5219291d6b9b7a6be982c147a12 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 20 Dec 2004 11:36:39 +0000 Subject: r4286: Give back 8 byte lm_session_key in Netrsamlogon-reply. The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting acct_flags with bizarre values, breaking a lot of things. This patch is successfully running in a production environment for quite some time now and is required to finally allow Exchange 5.5 to access another Exchange Server when both are running on NT4 in a samba-controlled domain. This also allows Exchange Replication to take place, Exchange Administrator to access other Servers in the network, etc. Fixes Bugzilla #1136. Thanks abartlet for helping me with that one. Guenther (This used to be commit bd4c5125d6989cebc90152a23e113b345806c660) --- source3/rpc_client/cli_netlogon.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 3fb032234f..b88753a7ed 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -654,6 +654,7 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c char *workstation_name_slash; uint8 netlogon_sess_key[16]; static uint8 zeros[16]; + int i; ZERO_STRUCT(q); ZERO_STRUCT(r); @@ -716,10 +717,15 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c memset(info3->user_sess_key, '\0', 16); } - if (memcmp(zeros, info3->padding, 16) != 0) { - SamOEMhash(info3->padding, netlogon_sess_key, 16); + if (memcmp(zeros, info3->lm_sess_key, 8) != 0) { + SamOEMhash(info3->lm_sess_key, netlogon_sess_key, 8); } else { - memset(info3->padding, '\0', 16); + memset(info3->lm_sess_key, '\0', 8); + } + + memset(&info3->acct_flags, '\0', 4); + for (i=0; i < 7; i++) { + memset(&info3->unknown[i], '\0', 4); } /* Return results */ -- cgit From f4ec52a0978dca900942e6001947e3b3d58eccd2 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 6 Jan 2005 11:42:40 +0000 Subject: r4561: This looks a lot larger than it is, this is to reduce the clutter on future patches. Pass down the pipe_idx down to all functions in cli_pipe where nt_pipe_fnum is referenced. First step towards having multiple pipes on a cli_struct. The idea is to not have a single nt_pipe_fnum but an array for the pipes we support. Volker (This used to be commit 93eab050201d4e55096a8820226749f001597b5d) --- source3/rpc_client/cli_netlogon.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index b88753a7ed..08b52fa718 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -50,7 +50,7 @@ NTSTATUS cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, /* Marshall data and send request */ if (!net_io_q_req_chal("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, NET_REQCHAL, &qbuf, &rbuf)) { + !rpc_api_pipe_req(cli, PI_NETLOGON, NET_REQCHAL, &qbuf, &rbuf)) { goto done; } @@ -116,7 +116,7 @@ NTSTATUS cli_net_auth2(struct cli_state *cli, /* turn parameters into data stream */ if (!net_io_q_auth_2("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, NET_AUTH2, &qbuf, &rbuf)) { + !rpc_api_pipe_req(cli, PI_NETLOGON, NET_AUTH2, &qbuf, &rbuf)) { goto done; } @@ -192,7 +192,7 @@ NTSTATUS cli_net_auth3(struct cli_state *cli, /* turn parameters into data stream */ if (!net_io_q_auth_3("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, NET_AUTH3, &qbuf, &rbuf)) { + !rpc_api_pipe_req(cli, PI_NETLOGON, NET_AUTH3, &qbuf, &rbuf)) { goto done; } @@ -317,7 +317,7 @@ NTSTATUS cli_netlogon_logon_ctrl2(struct cli_state *cli, TALLOC_CTX *mem_ctx, /* Marshall data and send request */ if (!net_io_q_logon_ctrl2("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, NET_LOGON_CTRL2, &qbuf, &rbuf)) { + !rpc_api_pipe_req(cli, PI_NETLOGON, NET_LOGON_CTRL2, &qbuf, &rbuf)) { result = NT_STATUS_UNSUCCESSFUL; goto done; } @@ -363,7 +363,7 @@ NTSTATUS cli_netlogon_getdcname(struct cli_state *cli, TALLOC_CTX *mem_ctx, /* Marshall data and send request */ if (!net_io_q_getdcname("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, NET_GETDCNAME, &qbuf, &rbuf)) { + !rpc_api_pipe_req(cli, PI_NETLOGON, NET_GETDCNAME, &qbuf, &rbuf)) { result = NT_STATUS_UNSUCCESSFUL; goto done; } @@ -437,7 +437,7 @@ NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx, DOM_C /* Marshall data and send request */ if (!net_io_q_sam_sync("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, NET_SAM_SYNC, &qbuf, &rbuf)) { + !rpc_api_pipe_req(cli, PI_NETLOGON, NET_SAM_SYNC, &qbuf, &rbuf)) { result = NT_STATUS_UNSUCCESSFUL; goto done; } @@ -498,7 +498,7 @@ NTSTATUS cli_netlogon_sam_deltas(struct cli_state *cli, TALLOC_CTX *mem_ctx, /* Marshall data and send request */ if (!net_io_q_sam_deltas("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, NET_SAM_DELTAS, &qbuf, &rbuf)) { + !rpc_api_pipe_req(cli, PI_NETLOGON, NET_SAM_DELTAS, &qbuf, &rbuf)) { result = NT_STATUS_UNSUCCESSFUL; goto done; } @@ -605,7 +605,7 @@ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, /* Marshall data and send request */ if (!net_io_q_sam_logon("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, NET_SAMLOGON, &qbuf, &rbuf)) { + !rpc_api_pipe_req(cli, PI_NETLOGON, NET_SAMLOGON, &qbuf, &rbuf)) { goto done; } @@ -696,7 +696,7 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c /* Marshall data and send request */ if (!net_io_q_sam_logon("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, NET_SAMLOGON, &qbuf, &rbuf)) { + !rpc_api_pipe_req(cli, PI_NETLOGON, NET_SAMLOGON, &qbuf, &rbuf)) { goto done; } @@ -776,7 +776,7 @@ NTSTATUS cli_net_srv_pwset(struct cli_state *cli, TALLOC_CTX *mem_ctx, } /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, NET_SRVPWSET, &qbuf, &rbuf)) + if (rpc_api_pipe_req(cli, PI_NETLOGON, NET_SRVPWSET, &qbuf, &rbuf)) { NET_R_SRV_PWSET r_s; -- cgit From fed660877c16562265327c6093ea645cf4176b5c Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 8 Jun 2005 22:10:34 +0000 Subject: r7415: * big change -- volker's new async winbindd from trunk (This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8) --- source3/rpc_client/cli_netlogon.c | 180 +++++++++++++++++++++++++++++++++----- 1 file changed, 160 insertions(+), 20 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 08b52fa718..1474c94513 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -75,6 +75,55 @@ NTSTATUS cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, return result; } +NTSTATUS rpccli_net_req_chal(struct rpc_pipe_client *cli, + const char *server_name, + const char *computer_name, + DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) +{ + prs_struct qbuf, rbuf; + NET_Q_REQ_CHAL q; + NET_R_REQ_CHAL r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + + prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->cli->mem_ctx, MARSHALL); + prs_init(&rbuf, 0, cli->cli->mem_ctx, UNMARSHALL); + + /* create and send a MSRPC command with api NET_REQCHAL */ + + DEBUG(4,("cli_net_req_chal: LSA Request Challenge from %s to %s\n", + computer_name, server_name)); + + /* store the parameters */ + init_q_req_chal(&q, server_name, computer_name, clnt_chal); + + /* Marshall data and send request */ + + if (!net_io_q_req_chal("", &q, &qbuf, 0) || + !rpc_api_pipe_req_int(cli, NET_REQCHAL, &qbuf, &rbuf)) { + goto done; + } + + /* Unmarhall response */ + + if (!net_io_r_req_chal("", &r, &rbuf, 0)) { + goto done; + } + + result = r.status; + + /* Return result */ + + if (NT_STATUS_IS_OK(result)) { + memcpy(srv_chal, r.srv_chal.data, sizeof(srv_chal->data)); + } + + done: + prs_mem_free(&qbuf); + prs_mem_free(&rbuf); + + return result; +} + /**************************************************************************** LSA Authenticate 2 @@ -158,6 +207,61 @@ password ?).\n", cli->desthost )); return result; } +NTSTATUS rpccli_net_auth2(struct rpc_pipe_client *cli, + const char *server_name, + const char *account_name, + uint16 sec_chan_type, + const char *computer_name, + const DOM_CHAL *credentials, + uint32 *neg_flags, + DOM_CHAL *srv_chal) +{ + prs_struct qbuf, rbuf; + NET_Q_AUTH_2 q; + NET_R_AUTH_2 r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + + prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL); + prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); + + /* create and send a MSRPC command with api NET_AUTH2 */ + + DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s neg: %x\n", + server_name, account_name, sec_chan_type, computer_name, + *neg_flags)); + + /* store the parameters */ + + init_q_auth_2(&q, server_name, account_name, sec_chan_type, + computer_name, credentials, *neg_flags); + + /* turn parameters into data stream */ + + if (!net_io_q_auth_2("", &q, &qbuf, 0) || + !rpc_api_pipe_req_int(cli, NET_AUTH2, &qbuf, &rbuf)) { + goto done; + } + + /* Unmarshall response */ + + if (!net_io_r_auth_2("", &r, &rbuf, 0)) { + goto done; + } + + result = r.status; + + if (NT_STATUS_IS_OK(result)) { + *srv_chal = r.srv_chal; + *neg_flags = r.srv_flgs.neg_flags; + } + + done: + prs_mem_free(&qbuf); + prs_mem_free(&rbuf); + + return result; +} + /**************************************************************************** LSA Authenticate 3 @@ -340,8 +444,9 @@ NTSTATUS cli_netlogon_logon_ctrl2(struct cli_state *cli, TALLOC_CTX *mem_ctx, /* GetDCName */ -NTSTATUS cli_netlogon_getdcname(struct cli_state *cli, TALLOC_CTX *mem_ctx, - const char *domainname, fstring dcname) +NTSTATUS rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, const char *mydcname, + const char *domainname, fstring newdcname) { prs_struct qbuf, rbuf; NET_Q_GETDCNAME q; @@ -358,12 +463,12 @@ NTSTATUS cli_netlogon_getdcname(struct cli_state *cli, TALLOC_CTX *mem_ctx, /* Initialise input parameters */ - init_net_q_getdcname(&q, cli->srv_name_slash, domainname); + init_net_q_getdcname(&q, mydcname, domainname); /* Marshall data and send request */ if (!net_io_q_getdcname("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, PI_NETLOGON, NET_GETDCNAME, &qbuf, &rbuf)) { + !rpc_api_pipe_req_int(cli, NET_GETDCNAME, &qbuf, &rbuf)) { result = NT_STATUS_UNSUCCESSFUL; goto done; } @@ -378,7 +483,7 @@ NTSTATUS cli_netlogon_getdcname(struct cli_state *cli, TALLOC_CTX *mem_ctx, result = r.status; if (NT_STATUS_IS_OK(result)) - rpcstr_pull_unistr2_fstring(dcname, &r.uni_dcname); + rpcstr_pull_unistr2_fstring(newdcname, &r.uni_dcname); done: prs_mem_free(&qbuf); @@ -387,6 +492,14 @@ NTSTATUS cli_netlogon_getdcname(struct cli_state *cli, TALLOC_CTX *mem_ctx, return result; } +NTSTATUS cli_netlogon_getdcname(struct cli_state *cli, TALLOC_CTX *mem_ctx, + const char *domainname, fstring dcname) +{ + return rpccli_netlogon_getdcname(&cli->pipes[PI_NETLOGON], mem_ctx, + cli->srv_name_slash, domainname, + dcname); +} + /**************************************************************************** Generate the next creds to use. ****************************************************************************/ @@ -636,19 +749,25 @@ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller. **/ -NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, - DOM_CRED *ret_creds, - const char *username, const char *domain, const char *workstation, - const uint8 chal[8], - DATA_BLOB lm_response, DATA_BLOB nt_response, - NET_USER_INFO_3 *info3) - +NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + const char *server_name_slash, + DOM_CRED *clnt_creds, + DOM_CRED *ret_creds, + const char *username, + const char *domain, + const char *workstation, + const uint8 chal[8], + DATA_BLOB lm_response, + DATA_BLOB nt_response, + NET_USER_INFO_3 *info3, + const uint8 *session_key) { prs_struct qbuf, rbuf; NET_Q_SAM_LOGON q; NET_R_SAM_LOGON r; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - DOM_CRED clnt_creds, dummy_rtn_creds; + DOM_CRED dummy_rtn_creds; NET_ID_INFO_CTR ctr; int validation_level = 3; char *workstation_name_slash; @@ -661,7 +780,6 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c ZERO_STRUCT(dummy_rtn_creds); workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation); - if (!workstation_name_slash) { DEBUG(0, ("talloc_asprintf failed!\n")); return NT_STATUS_NO_MEMORY; @@ -674,8 +792,6 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c /* Initialise input parameters */ - gen_next_creds(cli, &clnt_creds); - q.validation_level = validation_level; if (ret_creds == NULL) @@ -689,14 +805,14 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c username, workstation_name_slash, (const uchar*)chal, lm_response.data, lm_response.length, nt_response.data, nt_response.length); - init_sam_info(&q.sam_id, cli->srv_name_slash, global_myname(), - &clnt_creds, ret_creds, NET_LOGON_TYPE, + init_sam_info(&q.sam_id, server_name_slash, global_myname(), + clnt_creds, ret_creds, NET_LOGON_TYPE, &ctr); /* Marshall data and send request */ if (!net_io_q_sam_logon("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, PI_NETLOGON, NET_SAMLOGON, &qbuf, &rbuf)) { + !rpc_api_pipe_req_int(cli, NET_SAMLOGON, &qbuf, &rbuf)) { goto done; } @@ -709,7 +825,7 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c } ZERO_STRUCT(netlogon_sess_key); - memcpy(netlogon_sess_key, cli->sess_key, 8); + memcpy(netlogon_sess_key, session_key, 8); if (memcmp(zeros, info3->user_sess_key, 16) != 0) { SamOEMhash(info3->user_sess_key, netlogon_sess_key, 16); @@ -740,6 +856,30 @@ NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, TALLOC_CTX *mem_c return result; } +NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, + TALLOC_CTX *mem_ctx, + DOM_CRED *ret_creds, + const char *username, + const char *domain, + const char *workstation, + const uint8 chal[8], + DATA_BLOB lm_response, + DATA_BLOB nt_response, + NET_USER_INFO_3 *info3) +{ + DOM_CRED clnt_creds; + + gen_next_creds(cli, &clnt_creds); + + return rpccli_netlogon_sam_network_logon(&cli->pipes[PI_NETLOGON], + mem_ctx, cli->srv_name_slash, + &clnt_creds, + ret_creds, username, + domain, workstation, chal, + lm_response, nt_response, + info3, cli->sess_key); +} + /*************************************************************************** LSA Server Password Set. ****************************************************************************/ -- cgit From c2e5ce15017270cfc62ea4fed23976115305b0d5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 Sep 2005 16:20:48 +0000 Subject: r10269: Server-side fix for creds change - revert jcmd's change. Jeremy. (This used to be commit e1c9813d63a441037bc71622a29acda099d72f71) --- source3/rpc_client/cli_netlogon.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 1474c94513..fad60dbc20 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -931,7 +931,6 @@ NTSTATUS cli_net_srv_pwset(struct cli_state *cli, TALLOC_CTX *mem_ctx, { /* report error code */ DEBUG(0,("cli_net_srv_pwset: %s\n", nt_errstr(nt_status))); - goto done; } /* Update the credentials. */ -- cgit From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 30 Sep 2005 17:13:37 +0000 Subject: r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3) --- source3/rpc_client/cli_netlogon.c | 860 +++++++++++++++----------------------- 1 file changed, 345 insertions(+), 515 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index fad60dbc20..88b6c792eb 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -2,12 +2,9 @@ Unix SMB/CIFS implementation. NT Domain Authentication SMB / MSRPC client Copyright (C) Andrew Tridgell 1992-2000 - Copyright (C) Luke Kenneth Casson Leighton 1996-2000 - Copyright (C) Tim Potter 2001 - Copyright (C) Paul Ashton 1997. Copyright (C) Jeremy Allison 1998. - Copyright (C) Andrew Bartlett 2001. - + Largely re-written by Jeremy Allison (C) 2005. + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or @@ -26,104 +23,52 @@ #include "includes.h" /* LSA Request Challenge. Sends our challenge to server, then gets - server response. These are used to generate the credentials. */ - -NTSTATUS cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, - DOM_CHAL *srv_chal) -{ - prs_struct qbuf, rbuf; - NET_Q_REQ_CHAL q; - NET_R_REQ_CHAL r; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - - prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL); - prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); - - /* create and send a MSRPC command with api NET_REQCHAL */ - - DEBUG(4,("cli_net_req_chal: LSA Request Challenge from %s to %s: %s\n", - global_myname(), cli->desthost, credstr(clnt_chal->data))); - - /* store the parameters */ - init_q_req_chal(&q, cli->srv_name_slash, global_myname(), clnt_chal); - - /* Marshall data and send request */ - - if (!net_io_q_req_chal("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, PI_NETLOGON, NET_REQCHAL, &qbuf, &rbuf)) { - goto done; - } - - /* Unmarhall response */ - - if (!net_io_r_req_chal("", &r, &rbuf, 0)) { - goto done; - } - - result = r.status; - - /* Return result */ - - if (NT_STATUS_IS_OK(result)) { - memcpy(srv_chal, r.srv_chal.data, sizeof(srv_chal->data)); - } - - done: - prs_mem_free(&qbuf); - prs_mem_free(&rbuf); - - return result; -} + server response. These are used to generate the credentials. + The sent and received challenges are stored in the netlog pipe + private data. Only call this via rpccli_netlogon_setup_creds(). JRA. +*/ -NTSTATUS rpccli_net_req_chal(struct rpc_pipe_client *cli, - const char *server_name, - const char *computer_name, - DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal) +static NTSTATUS rpccli_net_req_chal(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + const char *server_name, + const char *clnt_name, + const DOM_CHAL *clnt_chal_in, + DOM_CHAL *srv_chal_out) { - prs_struct qbuf, rbuf; - NET_Q_REQ_CHAL q; - NET_R_REQ_CHAL r; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + prs_struct qbuf, rbuf; + NET_Q_REQ_CHAL q; + NET_R_REQ_CHAL r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->cli->mem_ctx, MARSHALL); - prs_init(&rbuf, 0, cli->cli->mem_ctx, UNMARSHALL); - - /* create and send a MSRPC command with api NET_REQCHAL */ + /* create and send a MSRPC command with api NET_REQCHAL */ - DEBUG(4,("cli_net_req_chal: LSA Request Challenge from %s to %s\n", - computer_name, server_name)); - - /* store the parameters */ - init_q_req_chal(&q, server_name, computer_name, clnt_chal); + DEBUG(4,("cli_net_req_chal: LSA Request Challenge from %s to %s\n", + clnt_name, server_name)); - /* Marshall data and send request */ + /* store the parameters */ + init_q_req_chal(&q, server_name, clnt_name, clnt_chal_in); - if (!net_io_q_req_chal("", &q, &qbuf, 0) || - !rpc_api_pipe_req_int(cli, NET_REQCHAL, &qbuf, &rbuf)) { - goto done; - } + /* Marshall data and send request */ + CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_REQCHAL, + q, r, + qbuf, rbuf, + net_io_q_req_chal, + net_io_r_req_chal, + NT_STATUS_UNSUCCESSFUL); - /* Unmarhall response */ + result = r.status; - if (!net_io_r_req_chal("", &r, &rbuf, 0)) { - goto done; - } + /* Return result */ - result = r.status; - - /* Return result */ + if (NT_STATUS_IS_OK(result)) { + /* Store the returned server challenge. */ + *srv_chal_out = r.srv_chal; + } - if (NT_STATUS_IS_OK(result)) { - memcpy(srv_chal, r.srv_chal.data, sizeof(srv_chal->data)); - } - - done: - prs_mem_free(&qbuf); - prs_mem_free(&rbuf); - - return result; + return result; } +#if 0 /**************************************************************************** LSA Authenticate 2 @@ -132,7 +77,7 @@ Ensure that the server credential returned matches the session key encrypt of the server challenge originally received. JRA. ****************************************************************************/ -NTSTATUS cli_net_auth2(struct cli_state *cli, + NTSTATUS rpccli_net_auth2(struct rpc_pipe_client *cli, uint16 sec_chan, uint32 *neg_flags, DOM_CHAL *srv_chal) { @@ -142,9 +87,6 @@ NTSTATUS cli_net_auth2(struct cli_state *cli, NTSTATUS result = NT_STATUS_UNSUCCESSFUL; fstring machine_acct; - prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL); - prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); - if ( sec_chan == SEC_CHAN_DOMAIN ) fstr_sprintf( machine_acct, "%s$", lp_workgroup() ); else @@ -164,16 +106,12 @@ NTSTATUS cli_net_auth2(struct cli_state *cli, /* turn parameters into data stream */ - if (!net_io_q_auth_2("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, PI_NETLOGON, NET_AUTH2, &qbuf, &rbuf)) { - goto done; - } - - /* Unmarshall response */ - - if (!net_io_r_auth_2("", &r, &rbuf, 0)) { - goto done; - } + CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_AUTH2, + q, r, + qbuf, rbuf, + net_io_q_auth_2, + net_io_r_auth_2, + NT_STATUS_UNSUCCESSFUL); result = r.status; @@ -186,259 +124,257 @@ NTSTATUS cli_net_auth2(struct cli_state *cli, */ zerotime.time = 0; - if (cred_assert( &r.srv_chal, cli->sess_key, srv_chal, - zerotime) == 0) { + if (cred_assert( &r.srv_chal, cli->sess_key, srv_chal, zerotime) == 0) { /* * Server replied with bad credential. Fail. */ DEBUG(0,("cli_net_auth2: server %s replied with bad credential (bad machine \ -password ?).\n", cli->desthost )); - result = NT_STATUS_ACCESS_DENIED; - goto done; +password ?).\n", cli->cli->desthost )); + return NT_STATUS_ACCESS_DENIED; } *neg_flags = r.srv_flgs.neg_flags; } - done: - prs_mem_free(&qbuf); - prs_mem_free(&rbuf); - return result; } +#endif + +/**************************************************************************** + LSA Authenticate 2 -NTSTATUS rpccli_net_auth2(struct rpc_pipe_client *cli, - const char *server_name, - const char *account_name, - uint16 sec_chan_type, - const char *computer_name, - const DOM_CHAL *credentials, - uint32 *neg_flags, - DOM_CHAL *srv_chal) + Send the client credential, receive back a server credential. + The caller *must* ensure that the server credential returned matches the session key + encrypt of the server challenge originally received. JRA. +****************************************************************************/ + +static NTSTATUS rpccli_net_auth2(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + const char *server_name, + const char *account_name, + uint16 sec_chan_type, + const char *computer_name, + uint32 *neg_flags_inout, + const DOM_CHAL *clnt_chal_in, + DOM_CHAL *srv_chal_out) { prs_struct qbuf, rbuf; NET_Q_AUTH_2 q; NET_R_AUTH_2 r; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL); - prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); - /* create and send a MSRPC command with api NET_AUTH2 */ DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s neg: %x\n", server_name, account_name, sec_chan_type, computer_name, - *neg_flags)); + *neg_flags_inout)); /* store the parameters */ init_q_auth_2(&q, server_name, account_name, sec_chan_type, - computer_name, credentials, *neg_flags); + computer_name, clnt_chal_in, *neg_flags_inout); /* turn parameters into data stream */ - if (!net_io_q_auth_2("", &q, &qbuf, 0) || - !rpc_api_pipe_req_int(cli, NET_AUTH2, &qbuf, &rbuf)) { - goto done; - } - - /* Unmarshall response */ - - if (!net_io_r_auth_2("", &r, &rbuf, 0)) { - goto done; - } + CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_AUTH2, + q, r, + qbuf, rbuf, + net_io_q_auth_2, + net_io_r_auth_2, + NT_STATUS_UNSUCCESSFUL); result = r.status; if (NT_STATUS_IS_OK(result)) { - *srv_chal = r.srv_chal; - *neg_flags = r.srv_flgs.neg_flags; + *srv_chal_out = r.srv_chal; + *neg_flags_inout = r.srv_flgs.neg_flags; } - done: - prs_mem_free(&qbuf); - prs_mem_free(&rbuf); - return result; } +#if 0 /* not currebntly used */ /**************************************************************************** -LSA Authenticate 3 + LSA Authenticate 3 -Send the client credential, receive back a server credential. -Ensure that the server credential returned matches the session key -encrypt of the server challenge originally received. JRA. + Send the client credential, receive back a server credential. + The caller *must* ensure that the server credential returned matches the session key + encrypt of the server challenge originally received. JRA. ****************************************************************************/ -NTSTATUS cli_net_auth3(struct cli_state *cli, - uint16 sec_chan, - uint32 *neg_flags, DOM_CHAL *srv_chal) +static NTSTATUS rpccli_net_auth3(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + const char *server_name, + const char *account_name, + uint16 sec_chan_type, + const char *computer_name, + uint32 *neg_flags_inout, + const DOM_CHAL *clnt_chal_in, + DOM_CHAL *srv_chal_out) { prs_struct qbuf, rbuf; NET_Q_AUTH_3 q; NET_R_AUTH_3 r; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL); - prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); - /* create and send a MSRPC command with api NET_AUTH2 */ DEBUG(4,("cli_net_auth3: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", - cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname(), - credstr(cli->clnt_cred.challenge.data), *neg_flags)); + server_name, account_name, sec_chan_type, computer_name, + credstr(clnt_chal_in->data), *neg_flags_inout)); /* store the parameters */ - init_q_auth_3(&q, cli->srv_name_slash, cli->mach_acct, - sec_chan, global_myname(), &cli->clnt_cred.challenge, - *neg_flags); + init_q_auth_3(&q, server_name, account_name, sec_chan_type, + computer_name, clnt_chal_in, *neg_flags_inout); /* turn parameters into data stream */ - if (!net_io_q_auth_3("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, PI_NETLOGON, NET_AUTH3, &qbuf, &rbuf)) { - goto done; - } - - /* Unmarshall response */ - - if (!net_io_r_auth_3("", &r, &rbuf, 0)) { - goto done; - } - - result = r.status; + CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_AUTH3, + q, r, + qbuf, rbuf, + net_io_q_auth_3, + net_io_r_auth_3, + NT_STATUS_UNSUCCESSFUL); if (NT_STATUS_IS_OK(result)) { - UTIME zerotime; - - /* - * Check the returned value using the initial - * server received challenge. - */ - - zerotime.time = 0; - if (cred_assert( &r.srv_chal, cli->sess_key, srv_chal, - zerotime) == 0) { - - /* - * Server replied with bad credential. Fail. - */ - DEBUG(0,("cli_net_auth3: server %s replied with bad credential (bad machine \ -password ?).\n", cli->desthost )); - result = NT_STATUS_ACCESS_DENIED; - goto done; - } - *neg_flags = r.srv_flgs.neg_flags; + *srv_chal_out = r.srv_chal; + *neg_flags_inout = r.srv_flgs.neg_flags; } - done: - prs_mem_free(&qbuf); - prs_mem_free(&rbuf); - return result; } +#endif /* not currebntly used */ -/* Initialize domain session credentials */ +/**************************************************************************** + Wrapper function that uses the auth and auth2 calls to set up a NETLOGON + credentials chain. Stores the credentials in the struct dcinfo in the + netlogon pipe struct. +****************************************************************************/ -NTSTATUS cli_nt_setup_creds(struct cli_state *cli, - uint16 sec_chan, - const unsigned char mach_pwd[16], uint32 *neg_flags, int level) +NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, + const char *server_name, + const char *domain, + const char *machine_account, + const char machine_pwd[16], + uint32 sec_chan_type, + uint32 *neg_flags_inout) { - DOM_CHAL clnt_chal; - DOM_CHAL srv_chal; - UTIME zerotime; - NTSTATUS result; + NTSTATUS result; + DOM_CHAL clnt_chal_send; + DOM_CHAL srv_chal_recv; + struct dcinfo *dc; - /******************* Request Challenge ********************/ + SMB_ASSERT(cli->pipe_idx == PI_NETLOGON); - generate_random_buffer(clnt_chal.data, 8); - - /* send a client challenge; receive a server challenge */ - result = cli_net_req_chal(cli, &clnt_chal, &srv_chal); + dc = cli->dc; + if (!dc) { + return NT_STATUS_INVALID_PARAMETER; + } - if (!NT_STATUS_IS_OK(result)) { - DEBUG(0,("cli_nt_setup_creds: request challenge failed\n")); - return result; - } - - /**************** Long-term Session key **************/ + /* Ensure we don't reuse any of this state. */ + ZERO_STRUCTP(dc); + + /* Store the machine account password we're going to use. */ + memcpy(dc->mach_pw, machine_pwd, 16); - /* calculate the session key */ - cred_session_key(&clnt_chal, &srv_chal, mach_pwd, - cli->sess_key); - memset((char *)cli->sess_key+8, '\0', 8); + fstrcpy(dc->remote_machine, "\\\\"); + fstrcat(dc->remote_machine, server_name); - /******************* Authenticate 2/3 ********************/ + fstrcpy(dc->domain, domain); - /* calculate auth-2/3 credentials */ - zerotime.time = 0; - cred_create(cli->sess_key, &clnt_chal, zerotime, &cli->clnt_cred.challenge); + fstr_sprintf( dc->mach_acct, "%s$", machine_account); + + /* Create the client challenge. */ + generate_random_buffer(clnt_chal_send.data, 8); + + /* Get the server challenge. */ + result = rpccli_net_req_chal(cli, + cli->mem_ctx, + dc->remote_machine, + machine_account, + &clnt_chal_send, + &srv_chal_recv); + + if (!NT_STATUS_IS_OK(result)) { + return result; + } + + /* Calculate the session key and client credentials */ + creds_client_init(dc, + &clnt_chal_send, + &srv_chal_recv, + machine_pwd, + &clnt_chal_send); /* - * Send client auth-2/3 challenge. - * Receive an auth-2/3 challenge response and check it. + * Send client auth-2 challenge and receive server repy. */ - switch (level) { - case 2: - result = cli_net_auth2(cli, sec_chan, neg_flags, &srv_chal); - break; - case 3: - result = cli_net_auth3(cli, sec_chan, neg_flags, &srv_chal); - break; - default: - DEBUG(1,("cli_nt_setup_creds: unsupported auth level: %d\n", level)); - break; + + result = rpccli_net_auth2(cli, + cli->mem_ctx, + dc->remote_machine, + dc->mach_acct, + sec_chan_type, + machine_account, + neg_flags_inout, + &clnt_chal_send, /* input. */ + &srv_chal_recv); /* output */ + + if (!NT_STATUS_IS_OK(result)) { + return result; } - if (!NT_STATUS_IS_OK(result)) - DEBUG(3,("cli_nt_setup_creds: auth%d challenge failed %s\n", level, nt_errstr(result))); + /* + * Check the returned value using the initial + * server received challenge. + */ - return result; + if (!creds_client_check(dc, &srv_chal_recv)) { + /* + * Server replied with bad credential. Fail. + */ + DEBUG(0,("rpccli_netlogon_setup_creds: server %s " + "replied with bad credential\n", + cli->cli->desthost )); + return NT_STATUS_ACCESS_DENIED; + } + + DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential " + "chain established.\n", + cli->cli->desthost )); + + return NT_STATUS_OK; } /* Logon Control 2 */ -NTSTATUS cli_netlogon_logon_ctrl2(struct cli_state *cli, TALLOC_CTX *mem_ctx, +NTSTATUS rpccli_netlogon_logon_ctrl2(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, uint32 query_level) { prs_struct qbuf, rbuf; NET_Q_LOGON_CTRL2 q; NET_R_LOGON_CTRL2 r; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + fstring server; ZERO_STRUCT(q); ZERO_STRUCT(r); - /* Initialise parse structures */ - - prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); - prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); - /* Initialise input parameters */ - init_net_q_logon_ctrl2(&q, cli->srv_name_slash, query_level); + slprintf(server, sizeof(fstring)-1, "\\\\%s", cli->cli->desthost); + init_net_q_logon_ctrl2(&q, server, query_level); /* Marshall data and send request */ - if (!net_io_q_logon_ctrl2("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, PI_NETLOGON, NET_LOGON_CTRL2, &qbuf, &rbuf)) { - result = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - /* Unmarshall response */ - - if (!net_io_r_logon_ctrl2("", &r, &rbuf, 0)) { - result = NT_STATUS_UNSUCCESSFUL; - goto done; - } + CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_LOGON_CTRL2, + q, r, + qbuf, rbuf, + net_io_q_logon_ctrl2, + net_io_r_logon_ctrl2, + NT_STATUS_UNSUCCESSFUL); result = r.status; - - done: - prs_mem_free(&qbuf); - prs_mem_free(&rbuf); - return result; } @@ -456,72 +392,29 @@ NTSTATUS rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, ZERO_STRUCT(q); ZERO_STRUCT(r); - /* Initialise parse structures */ - - prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); - prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); - /* Initialise input parameters */ init_net_q_getdcname(&q, mydcname, domainname); /* Marshall data and send request */ - if (!net_io_q_getdcname("", &q, &qbuf, 0) || - !rpc_api_pipe_req_int(cli, NET_GETDCNAME, &qbuf, &rbuf)) { - result = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - /* Unmarshall response */ - - if (!net_io_r_getdcname("", &r, &rbuf, 0)) { - result = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - result = r.status; + CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_GETDCNAME, + q, r, + qbuf, rbuf, + net_io_q_getdcname, + net_io_r_getdcname, + NT_STATUS_UNSUCCESSFUL); - if (NT_STATUS_IS_OK(result)) + if (NT_STATUS_IS_OK(result)) { rpcstr_pull_unistr2_fstring(newdcname, &r.uni_dcname); - - done: - prs_mem_free(&qbuf); - prs_mem_free(&rbuf); + } return result; } -NTSTATUS cli_netlogon_getdcname(struct cli_state *cli, TALLOC_CTX *mem_ctx, - const char *domainname, fstring dcname) -{ - return rpccli_netlogon_getdcname(&cli->pipes[PI_NETLOGON], mem_ctx, - cli->srv_name_slash, domainname, - dcname); -} - -/**************************************************************************** -Generate the next creds to use. -****************************************************************************/ - -static void gen_next_creds( struct cli_state *cli, DOM_CRED *new_clnt_cred) -{ - /* - * Create the new client credentials. - */ - - cli->clnt_cred.timestamp.time = time(NULL); - - memcpy(new_clnt_cred, &cli->clnt_cred, sizeof(*new_clnt_cred)); - - /* Calculate the new credentials. */ - cred_create(cli->sess_key, &(cli->clnt_cred.challenge), - new_clnt_cred->timestamp, &(new_clnt_cred->challenge)); -} - /* Sam synchronisation */ -NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx, DOM_CRED *ret_creds, +NTSTATUS rpccli_netlogon_sam_sync(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, uint32 database_id, uint32 next_rid, uint32 *num_deltas, SAM_DELTA_HDR **hdr_deltas, SAM_DELTA_CTR **deltas) @@ -531,36 +424,31 @@ NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx, DOM_C NET_R_SAM_SYNC r; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; DOM_CRED clnt_creds; + DOM_CRED ret_creds; ZERO_STRUCT(q); ZERO_STRUCT(r); - /* Initialise parse structures */ - - prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); - prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); + ZERO_STRUCT(ret_creds); /* Initialise input parameters */ - gen_next_creds(cli, &clnt_creds); + creds_client_step(cli->dc, &clnt_creds); - init_net_q_sam_sync(&q, cli->srv_name_slash, cli->clnt_name_slash + 2, - &clnt_creds, ret_creds, database_id, next_rid); + prs_set_session_key(&qbuf, cli->dc->sess_key); + prs_set_session_key(&rbuf, cli->dc->sess_key); - /* Marshall data and send request */ - - if (!net_io_q_sam_sync("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, PI_NETLOGON, NET_SAM_SYNC, &qbuf, &rbuf)) { - result = NT_STATUS_UNSUCCESSFUL; - goto done; - } + init_net_q_sam_sync(&q, cli->dc->remote_machine, global_myname(), + &clnt_creds, &ret_creds, database_id, next_rid); - /* Unmarshall response */ + /* Marshall data and send request */ - if (!net_io_r_sam_sync("", cli->sess_key, &r, &rbuf, 0)) { - result = NT_STATUS_UNSUCCESSFUL; - goto done; - } + CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_SAM_SYNC, + q, r, + qbuf, rbuf, + net_io_q_sam_sync, + net_io_r_sam_sync, + NT_STATUS_UNSUCCESSFUL); /* Return results */ @@ -569,18 +457,20 @@ NTSTATUS cli_netlogon_sam_sync(struct cli_state *cli, TALLOC_CTX *mem_ctx, DOM_C *hdr_deltas = r.hdr_deltas; *deltas = r.deltas; - memcpy(ret_creds, &r.srv_creds, sizeof(*ret_creds)); - - done: - prs_mem_free(&qbuf); - prs_mem_free(&rbuf); + if (!NT_STATUS_IS_ERR(result)) { + /* Check returned credentials. */ + if (!creds_client_check(cli->dc, &r.srv_creds.challenge)) { + DEBUG(0,("cli_netlogon_sam_sync: credentials chain check failed\n")); + return NT_STATUS_ACCESS_DENIED; + } + } return result; } /* Sam synchronisation */ -NTSTATUS cli_netlogon_sam_deltas(struct cli_state *cli, TALLOC_CTX *mem_ctx, +NTSTATUS rpccli_netlogon_sam_deltas(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, uint32 database_id, UINT64_S seqnum, uint32 *num_deltas, SAM_DELTA_HDR **hdr_deltas, @@ -595,33 +485,22 @@ NTSTATUS cli_netlogon_sam_deltas(struct cli_state *cli, TALLOC_CTX *mem_ctx, ZERO_STRUCT(q); ZERO_STRUCT(r); - /* Initialise parse structures */ - - prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); - prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); - /* Initialise input parameters */ - gen_next_creds(cli, &clnt_creds); + creds_client_step(cli->dc, &clnt_creds); - init_net_q_sam_deltas(&q, cli->srv_name_slash, - cli->clnt_name_slash + 2, &clnt_creds, + init_net_q_sam_deltas(&q, cli->dc->remote_machine, + global_myname(), &clnt_creds, database_id, seqnum); /* Marshall data and send request */ - if (!net_io_q_sam_deltas("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, PI_NETLOGON, NET_SAM_DELTAS, &qbuf, &rbuf)) { - result = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - /* Unmarshall response */ - - if (!net_io_r_sam_deltas("", cli->sess_key, &r, &rbuf, 0)) { - result = NT_STATUS_UNSUCCESSFUL; - goto done; - } + CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_SAM_DELTAS, + q, r, + qbuf, rbuf, + net_io_q_sam_deltas, + net_io_r_sam_deltas, + NT_STATUS_UNSUCCESSFUL); /* Return results */ @@ -630,47 +509,49 @@ NTSTATUS cli_netlogon_sam_deltas(struct cli_state *cli, TALLOC_CTX *mem_ctx, *hdr_deltas = r.hdr_deltas; *deltas = r.deltas; - done: - prs_mem_free(&qbuf); - prs_mem_free(&rbuf); + if (!NT_STATUS_IS_ERR(result)) { + /* Check returned credentials. */ + if (!creds_client_check(cli->dc, &r.srv_creds.challenge)) { + DEBUG(0,("cli_netlogon_sam_sync: credentials chain check failed\n")); + return NT_STATUS_ACCESS_DENIED; + } + } return result; } /* Logon domain user */ -NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, - DOM_CRED *ret_creds, - const char *username, const char *password, +NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + const char *domain, + const char *username, + const char *password, int logon_type) { prs_struct qbuf, rbuf; NET_Q_SAM_LOGON q; NET_R_SAM_LOGON r; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - DOM_CRED clnt_creds, dummy_rtn_creds; + DOM_CRED clnt_creds; + DOM_CRED ret_creds; NET_ID_INFO_CTR ctr; NET_USER_INFO_3 user; int validation_level = 3; + fstring clnt_name_slash; ZERO_STRUCT(q); ZERO_STRUCT(r); - ZERO_STRUCT(dummy_rtn_creds); - - /* Initialise parse structures */ + ZERO_STRUCT(ret_creds); - prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); - prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); + fstr_sprintf( clnt_name_slash, "\\\\%s", global_myname() ); /* Initialise input parameters */ - gen_next_creds(cli, &clnt_creds); + creds_client_step(cli->dc, &clnt_creds); q.validation_level = validation_level; - if (ret_creds == NULL) - ret_creds = &dummy_rtn_creds; - ctr.switch_value = logon_type; switch (logon_type) { @@ -679,11 +560,11 @@ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd); - init_id_info1(&ctr.auth.id1, lp_workgroup(), + init_id_info1(&ctr.auth.id1, domain, 0, /* param_ctrl */ 0xdead, 0xbeef, /* LUID? */ - username, cli->clnt_name_slash, - (const char *)cli->sess_key, lm_owf_user_pwd, + username, clnt_name_slash, + cli->dc->sess_key, lm_owf_user_pwd, nt_owf_user_pwd); break; @@ -698,46 +579,45 @@ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, SMBencrypt(password, chal, local_lm_response); SMBNTencrypt(password, chal, local_nt_response); - init_id_info2(&ctr.auth.id2, lp_workgroup(), + init_id_info2(&ctr.auth.id2, domain, 0, /* param_ctrl */ 0xdead, 0xbeef, /* LUID? */ - username, cli->clnt_name_slash, chal, + username, clnt_name_slash, chal, local_lm_response, 24, local_nt_response, 24); break; } default: DEBUG(0, ("switch value %d not supported\n", ctr.switch_value)); - goto done; + return NT_STATUS_INVALID_INFO_CLASS; } - init_sam_info(&q.sam_id, cli->srv_name_slash, global_myname(), - &clnt_creds, ret_creds, logon_type, + r.user = &user; + + init_sam_info(&q.sam_id, cli->dc->remote_machine, global_myname(), + &clnt_creds, &ret_creds, logon_type, &ctr); /* Marshall data and send request */ - if (!net_io_q_sam_logon("", &q, &qbuf, 0) || - !rpc_api_pipe_req(cli, PI_NETLOGON, NET_SAMLOGON, &qbuf, &rbuf)) { - goto done; - } - - /* Unmarshall response */ - - r.user = &user; - - if (!net_io_r_sam_logon("", &r, &rbuf, 0)) { - goto done; - } + CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_SAMLOGON, + q, r, + qbuf, rbuf, + net_io_q_sam_logon, + net_io_r_sam_logon, + NT_STATUS_UNSUCCESSFUL); /* Return results */ result = r.status; - memcpy(ret_creds, &r.srv_creds, sizeof(*ret_creds)); - done: - prs_mem_free(&qbuf); - prs_mem_free(&rbuf); + if (r.buffer_creds) { + /* Check returned credentials if present. */ + if (!creds_client_check(cli->dc, &r.srv_creds.challenge)) { + DEBUG(0,("rpccli_netlogon_sam_logon: credentials chain check failed\n")); + return NT_STATUS_ACCESS_DENIED; + } + } return result; } @@ -751,52 +631,55 @@ NTSTATUS cli_netlogon_sam_logon(struct cli_state *cli, TALLOC_CTX *mem_ctx, NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, - const char *server_name_slash, - DOM_CRED *clnt_creds, - DOM_CRED *ret_creds, + const char *server, const char *username, const char *domain, const char *workstation, const uint8 chal[8], DATA_BLOB lm_response, DATA_BLOB nt_response, - NET_USER_INFO_3 *info3, - const uint8 *session_key) + NET_USER_INFO_3 *info3) { prs_struct qbuf, rbuf; NET_Q_SAM_LOGON q; NET_R_SAM_LOGON r; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - DOM_CRED dummy_rtn_creds; NET_ID_INFO_CTR ctr; int validation_level = 3; - char *workstation_name_slash; - uint8 netlogon_sess_key[16]; + const char *workstation_name_slash; + const char *server_name_slash; static uint8 zeros[16]; + DOM_CRED clnt_creds; + DOM_CRED ret_creds; int i; ZERO_STRUCT(q); ZERO_STRUCT(r); - ZERO_STRUCT(dummy_rtn_creds); + ZERO_STRUCT(ret_creds); - workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation); - if (!workstation_name_slash) { - DEBUG(0, ("talloc_asprintf failed!\n")); - return NT_STATUS_NO_MEMORY; + creds_client_step(cli->dc, &clnt_creds); + + if (server[0] != '\\' && server[1] != '\\') { + server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server); + } else { + server_name_slash = server; } - /* Initialise parse structures */ + if (workstation[0] != '\\' && workstation[1] != '\\') { + workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation); + } else { + workstation_name_slash = workstation; + } - prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); - prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); + if (!workstation_name_slash || !server_name_slash) { + DEBUG(0, ("talloc_asprintf failed!\n")); + return NT_STATUS_NO_MEMORY; + } /* Initialise input parameters */ q.validation_level = validation_level; - if (ret_creds == NULL) - ret_creds = &dummy_rtn_creds; - ctr.switch_value = NET_LOGON_TYPE; init_id_info2(&ctr.auth.id2, domain, @@ -806,35 +689,28 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, lm_response.data, lm_response.length, nt_response.data, nt_response.length); init_sam_info(&q.sam_id, server_name_slash, global_myname(), - clnt_creds, ret_creds, NET_LOGON_TYPE, + &clnt_creds, &ret_creds, NET_LOGON_TYPE, &ctr); - /* Marshall data and send request */ - - if (!net_io_q_sam_logon("", &q, &qbuf, 0) || - !rpc_api_pipe_req_int(cli, NET_SAMLOGON, &qbuf, &rbuf)) { - goto done; - } - - /* Unmarshall response */ - r.user = info3; - if (!net_io_r_sam_logon("", &r, &rbuf, 0)) { - goto done; - } + /* Marshall data and send request */ + + CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_SAMLOGON, + q, r, + qbuf, rbuf, + net_io_q_sam_logon, + net_io_r_sam_logon, + NT_STATUS_UNSUCCESSFUL); - ZERO_STRUCT(netlogon_sess_key); - memcpy(netlogon_sess_key, session_key, 8); - if (memcmp(zeros, info3->user_sess_key, 16) != 0) { - SamOEMhash(info3->user_sess_key, netlogon_sess_key, 16); + SamOEMhash(info3->user_sess_key, cli->dc->sess_key, 16); } else { memset(info3->user_sess_key, '\0', 16); } if (memcmp(zeros, info3->lm_sess_key, 8) != 0) { - SamOEMhash(info3->lm_sess_key, netlogon_sess_key, 8); + SamOEMhash(info3->lm_sess_key, cli->dc->sess_key, 8); } else { memset(info3->lm_sess_key, '\0', 8); } @@ -847,108 +723,62 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, /* Return results */ result = r.status; - memcpy(ret_creds, &r.srv_creds, sizeof(*ret_creds)); - done: - prs_mem_free(&qbuf); - prs_mem_free(&rbuf); + if (r.buffer_creds) { + /* Check returned credentials if present. */ + if (!creds_client_check(cli->dc, &r.srv_creds.challenge)) { + DEBUG(0,("rpccli_netlogon_sam_network_logon: credentials chain check failed\n")); + return NT_STATUS_ACCESS_DENIED; + } + } return result; } -NTSTATUS cli_netlogon_sam_network_logon(struct cli_state *cli, - TALLOC_CTX *mem_ctx, - DOM_CRED *ret_creds, - const char *username, - const char *domain, - const char *workstation, - const uint8 chal[8], - DATA_BLOB lm_response, - DATA_BLOB nt_response, - NET_USER_INFO_3 *info3) -{ - DOM_CRED clnt_creds; - - gen_next_creds(cli, &clnt_creds); - - return rpccli_netlogon_sam_network_logon(&cli->pipes[PI_NETLOGON], - mem_ctx, cli->srv_name_slash, - &clnt_creds, - ret_creds, username, - domain, workstation, chal, - lm_response, nt_response, - info3, cli->sess_key); -} - /*************************************************************************** LSA Server Password Set. ****************************************************************************/ -NTSTATUS cli_net_srv_pwset(struct cli_state *cli, TALLOC_CTX *mem_ctx, +NTSTATUS rpccli_net_srv_pwset(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, const char *machine_name, uint8 hashed_mach_pwd[16]) { prs_struct rbuf; prs_struct qbuf; - DOM_CRED new_clnt_cred; - NET_Q_SRV_PWSET q_s; + DOM_CRED clnt_creds; + NET_Q_SRV_PWSET q; + NET_R_SRV_PWSET r; uint16 sec_chan_type = 2; - NTSTATUS nt_status; + NTSTATUS result; - gen_next_creds( cli, &new_clnt_cred); - - prs_init(&qbuf , 1024, mem_ctx, MARSHALL); - prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); + creds_client_step(cli->dc, &clnt_creds); - DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s clnt %s %x\n", - cli->srv_name_slash, cli->mach_acct, sec_chan_type, machine_name, - credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time)); + DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s\n", + cli->dc->remote_machine, cli->dc->mach_acct, sec_chan_type, machine_name)); /* store the parameters */ - init_q_srv_pwset(&q_s, cli->srv_name_slash, (const char *)cli->sess_key, - cli->mach_acct, sec_chan_type, machine_name, - &new_clnt_cred, hashed_mach_pwd); - - /* turn parameters into data stream */ - if(!net_io_q_srv_pwset("", &q_s, &qbuf, 0)) { - DEBUG(0,("cli_net_srv_pwset: Error : failed to marshall NET_Q_SRV_PWSET struct.\n")); - nt_status = NT_STATUS_UNSUCCESSFUL; - goto done; - } + init_q_srv_pwset(&q, cli->dc->remote_machine, (const char *)cli->dc->sess_key, + cli->dc->mach_acct, sec_chan_type, machine_name, + &clnt_creds, hashed_mach_pwd); - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, PI_NETLOGON, NET_SRVPWSET, &qbuf, &rbuf)) - { - NET_R_SRV_PWSET r_s; - - if (!net_io_r_srv_pwset("", &r_s, &rbuf, 0)) { - nt_status = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - nt_status = r_s.status; + CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_SRVPWSET, + q, r, + qbuf, rbuf, + net_io_q_srv_pwset, + net_io_r_srv_pwset, + NT_STATUS_UNSUCCESSFUL); - if (!NT_STATUS_IS_OK(r_s.status)) - { - /* report error code */ - DEBUG(0,("cli_net_srv_pwset: %s\n", nt_errstr(nt_status))); - } + result = r.status; - /* Update the credentials. */ - if (!clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_cred))) - { - /* - * Server replied with bad credential. Fail. - */ - DEBUG(0,("cli_net_srv_pwset: server %s replied with bad credential (bad machine \ -password ?).\n", cli->desthost )); - nt_status = NT_STATUS_UNSUCCESSFUL; - } + if (!NT_STATUS_IS_OK(result)) { + /* report error code */ + DEBUG(0,("cli_net_srv_pwset: %s\n", nt_errstr(result))); } - done: - prs_mem_free(&qbuf); - prs_mem_free(&rbuf); - - return nt_status; -} + /* Always check returned credentials. */ + if (!creds_client_check(cli->dc, &r.srv_cred.challenge)) { + DEBUG(0,("rpccli_net_srv_pwset: credentials chain check failed\n")); + return NT_STATUS_ACCESS_DENIED; + } + return result; +} -- cgit From 8d7c88667190fe286971ac4fffb64ee5bd9eeeb0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 18 Oct 2005 03:24:00 +0000 Subject: r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208) --- source3/rpc_client/cli_netlogon.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 88b6c792eb..968c2182be 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -255,7 +255,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, const char *server_name, const char *domain, const char *machine_account, - const char machine_pwd[16], + const unsigned char machine_pwd[16], uint32 sec_chan_type, uint32 *neg_flags_inout) { @@ -435,8 +435,8 @@ NTSTATUS rpccli_netlogon_sam_sync(struct rpc_pipe_client *cli, TALLOC_CTX *mem_c creds_client_step(cli->dc, &clnt_creds); - prs_set_session_key(&qbuf, cli->dc->sess_key); - prs_set_session_key(&rbuf, cli->dc->sess_key); + prs_set_session_key(&qbuf, (const char *)cli->dc->sess_key); + prs_set_session_key(&rbuf, (const char *)cli->dc->sess_key); init_net_q_sam_sync(&q, cli->dc->remote_machine, global_myname(), &clnt_creds, &ret_creds, database_id, next_rid); @@ -564,7 +564,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, 0, /* param_ctrl */ 0xdead, 0xbeef, /* LUID? */ username, clnt_name_slash, - cli->dc->sess_key, lm_owf_user_pwd, + (const char *)cli->dc->sess_key, lm_owf_user_pwd, nt_owf_user_pwd); break; @@ -740,7 +740,7 @@ LSA Server Password Set. ****************************************************************************/ NTSTATUS rpccli_net_srv_pwset(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, - const char *machine_name, uint8 hashed_mach_pwd[16]) + const char *machine_name, const uint8 hashed_mach_pwd[16]) { prs_struct rbuf; prs_struct qbuf; -- cgit From 3321531e74bc122b9bfa11a072497e8d738ef841 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 27 Oct 2005 08:27:48 +0000 Subject: r11320: Fix error handling for rpccli_netlogon_getdcname. Jeremy, the other functions in cli_netlogon look similarly suspicious. Volker (This used to be commit 8d7713431efd80bd358daffcbbc4d715611b8b4b) --- source3/rpc_client/cli_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 968c2182be..015b28c16f 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -387,7 +387,7 @@ NTSTATUS rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, prs_struct qbuf, rbuf; NET_Q_GETDCNAME q; NET_R_GETDCNAME r; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + NTSTATUS result; ZERO_STRUCT(q); ZERO_STRUCT(r); @@ -405,7 +405,7 @@ NTSTATUS rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, net_io_r_getdcname, NT_STATUS_UNSUCCESSFUL); - if (NT_STATUS_IS_OK(result)) { + if (NT_STATUS_IS_OK(result = r.status)) { rpcstr_pull_unistr2_fstring(newdcname, &r.uni_dcname); } -- cgit From ca551d55a894dc88c9374eb1ca0ce4b4005a22a2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 27 Oct 2005 18:06:29 +0000 Subject: r11336: Start to get my control back :-). Volker, I think Andrew Bartlett is right - making lsa code do it the netlogon way, not vica-versa. Jeremy. (This used to be commit f313757e36215cb3dd956e4a73de6d30258a6974) --- source3/rpc_client/cli_netlogon.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 015b28c16f..78e682d12a 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -259,7 +259,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, uint32 sec_chan_type, uint32 *neg_flags_inout) { - NTSTATUS result; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; DOM_CHAL clnt_chal_send; DOM_CHAL srv_chal_recv; struct dcinfo *dc; @@ -405,7 +405,9 @@ NTSTATUS rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, net_io_r_getdcname, NT_STATUS_UNSUCCESSFUL); - if (NT_STATUS_IS_OK(result = r.status)) { + result = r.status; + + if (NT_STATUS_IS_OK(result)) { rpcstr_pull_unistr2_fstring(newdcname, &r.uni_dcname); } -- cgit From 7aecd20c00b81aa2b7a20e75e9cc653ae243500b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 27 Oct 2005 18:25:41 +0000 Subject: r11338: Move knowledge of \\ needed into rpc_client/cli_netlogon (this is the way it's been done in other functions). Instead of moving this into the IDL, I think the best solution would be to write a wrapper function around any call that needs this (this is what we already do for many of the calls). Jeremy. (This used to be commit aeca4efa11728be53b81967bb5442b5b09d1a975) --- source3/rpc_client/cli_netlogon.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 78e682d12a..ee45331975 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -388,13 +388,15 @@ NTSTATUS rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, NET_Q_GETDCNAME q; NET_R_GETDCNAME r; NTSTATUS result; + fstring mydcname_slash; ZERO_STRUCT(q); ZERO_STRUCT(r); /* Initialise input parameters */ - init_net_q_getdcname(&q, mydcname, domainname); + slprintf(mydcname_slash, sizeof(fstring)-1, "\\\\%s", mydcname); + init_net_q_getdcname(&q, mydcname_slash, domainname); /* Marshall data and send request */ -- cgit From 5678e4abb04e546735bff4907854ca32094a5b71 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Nov 2005 00:03:55 +0000 Subject: r11492: Fix bug #3224 (I hope). Correctly use machine_account_name and client_name when doing netlogon credential setup. Jeremy. (This used to be commit 37e6ef9389041f58eada167239fd022f01c5fecb) --- source3/rpc_client/cli_netlogon.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index ee45331975..85b557471b 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -254,6 +254,7 @@ static NTSTATUS rpccli_net_auth3(struct rpc_pipe_client *cli, NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, const char *server_name, const char *domain, + const char *clnt_name, const char *machine_account, const unsigned char machine_pwd[16], uint32 sec_chan_type, @@ -291,7 +292,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, result = rpccli_net_req_chal(cli, cli->mem_ctx, dc->remote_machine, - machine_account, + clnt_name, &clnt_chal_send, &srv_chal_recv); @@ -315,7 +316,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, dc->remote_machine, dc->mach_acct, sec_chan_type, - machine_account, + clnt_name, neg_flags_inout, &clnt_chal_send, /* input. */ &srv_chal_recv); /* output */ -- cgit From fcceedd67c29bae6941949a16ebef37e95dab601 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 8 Nov 2005 06:19:34 +0000 Subject: r11573: Adding Andrew Bartlett's patch to make machine account logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same was as it would a user account check. I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8) --- source3/rpc_client/cli_netlogon.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 85b557471b..af0062f2b3 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -528,11 +528,12 @@ NTSTATUS rpccli_netlogon_sam_deltas(struct rpc_pipe_client *cli, TALLOC_CTX *mem /* Logon domain user */ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - const char *domain, - const char *username, - const char *password, - int logon_type) + TALLOC_CTX *mem_ctx, + uint32 logon_parameters, + const char *domain, + const char *username, + const char *password, + int logon_type) { prs_struct qbuf, rbuf; NET_Q_SAM_LOGON q; @@ -566,7 +567,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd); init_id_info1(&ctr.auth.id1, domain, - 0, /* param_ctrl */ + logon_parameters, /* param_ctrl */ 0xdead, 0xbeef, /* LUID? */ username, clnt_name_slash, (const char *)cli->dc->sess_key, lm_owf_user_pwd, @@ -585,7 +586,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, SMBNTencrypt(password, chal, local_nt_response); init_id_info2(&ctr.auth.id2, domain, - 0, /* param_ctrl */ + logon_parameters, /* param_ctrl */ 0xdead, 0xbeef, /* LUID? */ username, clnt_name_slash, chal, local_lm_response, 24, local_nt_response, 24); @@ -636,6 +637,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, + uint32 logon_parameters, const char *server, const char *username, const char *domain, @@ -688,7 +690,7 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, ctr.switch_value = NET_LOGON_TYPE; init_id_info2(&ctr.auth.id2, domain, - 0, /* param_ctrl */ + logon_parameters, /* param_ctrl */ 0xdead, 0xbeef, /* LUID? */ username, workstation_name_slash, (const uchar*)chal, lm_response.data, lm_response.length, nt_response.data, nt_response.length); -- cgit From 32cf16f3cfaf52414c324c0a333ff29cb9a326aa Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 13 Nov 2005 11:38:17 +0000 Subject: r11706: Implement dsr_getdcname client code. It's handy: It not only gives you the IP address but also the fqdn of the remote dc and site info. Volker (This used to be commit 62d01ce7e6c14971084c208ab61f379cb172cb22) --- source3/rpc_client/cli_netlogon.c | 123 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 123 insertions(+) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index af0062f2b3..f12f7d09fa 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -417,6 +417,129 @@ NTSTATUS rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, return result; } +/* Dsr_GetDCName */ + +WERROR rpccli_netlogon_dsr_getdcname(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + const char *server_name, + const char *domain_name, + struct uuid *domain_guid, + struct uuid *site_guid, + uint32_t flags, + char **dc_unc, char **dc_address, + int32 *dc_address_type, + struct uuid *domain_guid_out, + char **domain_name_out, + char **forest_name, + uint32 *dc_flags, + char **dc_site_name, + char **client_site_name) +{ + prs_struct qbuf, rbuf; + NET_Q_DSR_GETDCNAME q; + NET_R_DSR_GETDCNAME r; + char *tmp_str; + + ZERO_STRUCT(q); + ZERO_STRUCT(r); + + /* Initialize input parameters */ + + tmp_str = talloc_asprintf(mem_ctx, "\\\\%s", server_name); + if (tmp_str == NULL) { + return WERR_NOMEM; + } + + init_net_q_dsr_getdcname(&q, tmp_str, domain_name, domain_guid, + site_guid, flags); + + /* Marshall data and send request */ + + CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_DSR_GETDCNAME, + q, r, + qbuf, rbuf, + net_io_q_dsr_getdcname, + net_io_r_dsr_getdcname, + WERR_GENERAL_FAILURE); + + if (!W_ERROR_IS_OK(r.result)) { + return r.result; + } + + if (dc_unc != NULL) { + char *tmp; + if (rpcstr_pull_unistr2_talloc(mem_ctx, &tmp, + &r.uni_dc_unc) < 0) { + return WERR_GENERAL_FAILURE; + } + if (*tmp == '\\') tmp += 1; + if (*tmp == '\\') tmp += 1; + + /* We have to talloc_strdup, otherwise a talloc_steal would + fail */ + *dc_unc = talloc_strdup(mem_ctx, tmp); + if (*dc_unc == NULL) { + return WERR_NOMEM; + } + } + + if (dc_address != NULL) { + char *tmp; + if (rpcstr_pull_unistr2_talloc(mem_ctx, &tmp, + &r.uni_dc_address) < 0) { + return WERR_GENERAL_FAILURE; + } + if (*tmp == '\\') tmp += 1; + if (*tmp == '\\') tmp += 1; + + /* We have to talloc_strdup, otherwise a talloc_steal would + fail */ + *dc_address = talloc_strdup(mem_ctx, tmp); + if (*dc_address == NULL) { + return WERR_NOMEM; + } + } + + if (dc_address_type != NULL) { + *dc_address_type = r.dc_address_type; + } + + if (domain_guid_out != NULL) { + *domain_guid_out = r.domain_guid; + } + + if ((domain_name_out != NULL) && + (rpcstr_pull_unistr2_talloc(mem_ctx, domain_name_out, + &r.uni_domain_name) < 1)) { + return WERR_GENERAL_FAILURE; + } + + if ((forest_name != NULL) && + (rpcstr_pull_unistr2_talloc(mem_ctx, forest_name, + &r.uni_forest_name) < 1)) { + return WERR_GENERAL_FAILURE; + } + + if (dc_flags != NULL) { + *dc_flags = r.dc_flags; + } + + if ((dc_site_name != NULL) && + (rpcstr_pull_unistr2_talloc(mem_ctx, dc_site_name, + &r.uni_dc_site_name) < 1)) { + return WERR_GENERAL_FAILURE; + } + + if ((client_site_name != NULL) && + (rpcstr_pull_unistr2_talloc(mem_ctx, client_site_name, + &r.uni_client_site_name) < 1)) { + return WERR_GENERAL_FAILURE; + } + + return WERR_OK; +} + + /* Sam synchronisation */ NTSTATUS rpccli_netlogon_sam_sync(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, -- cgit From 63addcb4d7c9c13446d91a0972fe29542a7e1bad Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 22 Nov 2005 14:10:49 +0000 Subject: r11853: Add Dsr_GetSiteName (handy for experimenting with GPOs). Guenther (This used to be commit c54430a7b5e40d3bdf8afdc813eb722c0a3b861e) --- source3/rpc_client/cli_netlogon.c | 41 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index f12f7d09fa..e3cc97cdc6 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -539,6 +539,47 @@ WERROR rpccli_netlogon_dsr_getdcname(struct rpc_pipe_client *cli, return WERR_OK; } +/* Dsr_GetSiteName */ + +WERROR rpccli_netlogon_dsr_getsitename(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + const char *computer_name, + char **site_name) +{ + prs_struct qbuf, rbuf; + NET_Q_DSR_GETSITENAME q; + NET_R_DSR_GETSITENAME r; + + ZERO_STRUCT(q); + ZERO_STRUCT(r); + + /* Initialize input parameters */ + + init_net_q_dsr_getsitename(&q, computer_name); + + /* Marshall data and send request */ + + CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_DSR_GETSITENAME, + q, r, + qbuf, rbuf, + net_io_q_dsr_getsitename, + net_io_r_dsr_getsitename, + WERR_GENERAL_FAILURE); + + if (!W_ERROR_IS_OK(r.result)) { + return r.result; + } + + if ((site_name != NULL) && + (rpcstr_pull_unistr2_talloc(mem_ctx, site_name, + &r.uni_site_name) < 1)) { + return WERR_GENERAL_FAILURE; + } + + return WERR_OK; +} + + /* Sam synchronisation */ -- cgit From 54b1c585bbe2e60e9251fcaaf4d95b68b31e2618 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 11 Jan 2006 19:18:40 +0000 Subject: r12853: Fix segfault in "net rpc vampire|samdump" (Bugzilla #3390). The session key, after beeing set, was zeroed later on by the prs_init in the CLI_DO_RPC macro. Guenther (This used to be commit eaaeaa767e86151886964dcdd9f3186f0b31ed53) --- source3/rpc_client/cli_netlogon.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index e3cc97cdc6..b5addf3375 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -604,15 +604,12 @@ NTSTATUS rpccli_netlogon_sam_sync(struct rpc_pipe_client *cli, TALLOC_CTX *mem_c creds_client_step(cli->dc, &clnt_creds); - prs_set_session_key(&qbuf, (const char *)cli->dc->sess_key); - prs_set_session_key(&rbuf, (const char *)cli->dc->sess_key); - init_net_q_sam_sync(&q, cli->dc->remote_machine, global_myname(), &clnt_creds, &ret_creds, database_id, next_rid); /* Marshall data and send request */ - CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_SAM_SYNC, + CLI_DO_RPC_COPY_SESS_KEY(cli, mem_ctx, PI_NETLOGON, NET_SAM_SYNC, q, r, qbuf, rbuf, net_io_q_sam_sync, -- cgit From 0af1500fc0bafe61019f1b2ab1d9e1d369221240 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 3 Feb 2006 22:19:41 +0000 Subject: r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f) --- source3/rpc_client/cli_netlogon.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index b5addf3375..3dc26f61c9 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -468,8 +468,8 @@ WERROR rpccli_netlogon_dsr_getdcname(struct rpc_pipe_client *cli, if (dc_unc != NULL) { char *tmp; - if (rpcstr_pull_unistr2_talloc(mem_ctx, &tmp, - &r.uni_dc_unc) < 0) { + tmp = rpcstr_pull_unistr2_talloc(mem_ctx, &r.uni_dc_unc); + if (tmp == NULL) { return WERR_GENERAL_FAILURE; } if (*tmp == '\\') tmp += 1; @@ -485,8 +485,8 @@ WERROR rpccli_netlogon_dsr_getdcname(struct rpc_pipe_client *cli, if (dc_address != NULL) { char *tmp; - if (rpcstr_pull_unistr2_talloc(mem_ctx, &tmp, - &r.uni_dc_address) < 0) { + tmp = rpcstr_pull_unistr2_talloc(mem_ctx, &r.uni_dc_address); + if (tmp == NULL) { return WERR_GENERAL_FAILURE; } if (*tmp == '\\') tmp += 1; @@ -509,14 +509,14 @@ WERROR rpccli_netlogon_dsr_getdcname(struct rpc_pipe_client *cli, } if ((domain_name_out != NULL) && - (rpcstr_pull_unistr2_talloc(mem_ctx, domain_name_out, - &r.uni_domain_name) < 1)) { + ((*domain_name_out = rpcstr_pull_unistr2_talloc( + mem_ctx, &r.uni_domain_name)) == NULL)) { return WERR_GENERAL_FAILURE; } if ((forest_name != NULL) && - (rpcstr_pull_unistr2_talloc(mem_ctx, forest_name, - &r.uni_forest_name) < 1)) { + ((*forest_name = rpcstr_pull_unistr2_talloc( + mem_ctx, &r.uni_forest_name)) == NULL)) { return WERR_GENERAL_FAILURE; } @@ -525,14 +525,14 @@ WERROR rpccli_netlogon_dsr_getdcname(struct rpc_pipe_client *cli, } if ((dc_site_name != NULL) && - (rpcstr_pull_unistr2_talloc(mem_ctx, dc_site_name, - &r.uni_dc_site_name) < 1)) { + ((*dc_site_name = rpcstr_pull_unistr2_talloc( + mem_ctx, &r.uni_dc_site_name)) == NULL)) { return WERR_GENERAL_FAILURE; } if ((client_site_name != NULL) && - (rpcstr_pull_unistr2_talloc(mem_ctx, client_site_name, - &r.uni_client_site_name) < 1)) { + ((*client_site_name = rpcstr_pull_unistr2_talloc( + mem_ctx, &r.uni_client_site_name)) == NULL)) { return WERR_GENERAL_FAILURE; } @@ -571,8 +571,8 @@ WERROR rpccli_netlogon_dsr_getsitename(struct rpc_pipe_client *cli, } if ((site_name != NULL) && - (rpcstr_pull_unistr2_talloc(mem_ctx, site_name, - &r.uni_site_name) < 1)) { + ((*site_name = rpcstr_pull_unistr2_talloc( + mem_ctx, &r.uni_site_name)) == NULL)) { return WERR_GENERAL_FAILURE; } -- cgit From 39a572e0106696e24540d9829812917635c1fd06 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 17 Feb 2006 04:22:32 +0000 Subject: r13539: Add 128 bit creds processing client and server. Thanks to Andrew Bartlett's Samba4 code. Jeremy. (This used to be commit a2fb436fc5dd536cfe860be93f55f9cb58139a0e) --- source3/rpc_client/cli_netlogon.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 3dc26f61c9..7798519103 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -301,7 +301,8 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, } /* Calculate the session key and client credentials */ - creds_client_init(dc, + creds_client_init(*neg_flags_inout, + dc, &clnt_chal_send, &srv_chal_recv, machine_pwd, -- cgit From fd5ecef41ce3dd6acff1ed0fc17529fa8459a66f Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 22 Feb 2006 20:40:24 +0000 Subject: r13639: Never overwrite the acct_flags in rpccli_netlogon_sam_network_logon(). Guenther (This used to be commit c201e51de387d3d49880ed519eb9d825df92f5af) --- source3/rpc_client/cli_netlogon.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 7798519103..33f1d1d25b 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -884,7 +884,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, memset(info3->lm_sess_key, '\0', 8); } - memset(&info3->acct_flags, '\0', 4); for (i=0; i < 7; i++) { memset(&info3->unknown[i], '\0', 4); } -- cgit From 995205fc60f87e1a02aa1c6f309db55ae18e908a Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 6 Sep 2006 18:32:20 +0000 Subject: r18188: merge 3.0-libndr branch (This used to be commit 1115745caed3093c25d6be01ffee21819fb0a675) --- source3/rpc_client/cli_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 33f1d1d25b..85e56465b4 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -638,7 +638,7 @@ NTSTATUS rpccli_netlogon_sam_sync(struct rpc_pipe_client *cli, TALLOC_CTX *mem_c /* Sam synchronisation */ NTSTATUS rpccli_netlogon_sam_deltas(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, - uint32 database_id, UINT64_S seqnum, + uint32 database_id, uint64 seqnum, uint32 *num_deltas, SAM_DELTA_HDR **hdr_deltas, SAM_DELTA_CTR **deltas) -- cgit From 4e7d11449ad419f4fa791e26e059a9f73d6d4042 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 19 Sep 2006 00:12:11 +0000 Subject: r18654: Rename "struct uuid" => "struct GUID" for consistency. (This used to be commit 5de76767e857e9d159ea46e2ded612ccd6d6bf19) --- source3/rpc_client/cli_netlogon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 85e56465b4..faecf9f3fe 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -424,12 +424,12 @@ WERROR rpccli_netlogon_dsr_getdcname(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, const char *server_name, const char *domain_name, - struct uuid *domain_guid, - struct uuid *site_guid, + struct GUID *domain_guid, + struct GUID *site_guid, uint32_t flags, char **dc_unc, char **dc_address, int32 *dc_address_type, - struct uuid *domain_guid_out, + struct GUID *domain_guid_out, char **domain_name_out, char **forest_name, uint32 *dc_flags, -- cgit From adc299bd0863a42f699874f1933dbace3abea316 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 6 Oct 2006 16:13:10 +0000 Subject: r19143: getdcname on the NETLOGON pipe returns WERROR, not NTSTATUS. Guenther (This used to be commit 44e228ac796fca2db8509915067511ed705032bf) --- source3/rpc_client/cli_netlogon.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index faecf9f3fe..5396de9bf0 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -382,14 +382,14 @@ NTSTATUS rpccli_netlogon_logon_ctrl2(struct rpc_pipe_client *cli, TALLOC_CTX *me /* GetDCName */ -NTSTATUS rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, const char *mydcname, - const char *domainname, fstring newdcname) +WERROR rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, const char *mydcname, + const char *domainname, fstring newdcname) { prs_struct qbuf, rbuf; NET_Q_GETDCNAME q; NET_R_GETDCNAME r; - NTSTATUS result; + WERROR result; fstring mydcname_slash; ZERO_STRUCT(q); @@ -402,16 +402,16 @@ NTSTATUS rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, /* Marshall data and send request */ - CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_GETDCNAME, + CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_GETDCNAME, q, r, qbuf, rbuf, net_io_q_getdcname, net_io_r_getdcname, - NT_STATUS_UNSUCCESSFUL); + WERR_GENERAL_FAILURE); result = r.status; - if (NT_STATUS_IS_OK(result)) { + if (W_ERROR_IS_OK(result)) { rpcstr_pull_unistr2_fstring(newdcname, &r.uni_dcname); } -- cgit From 7b84b133fe375e69817fe5c76089f67280507809 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 7 Oct 2006 05:26:21 +0000 Subject: r19161: Add NET_GETANYDCNAME (getdcname only gives the PDC while getanydcname gives just any DC), also make sure to set timeouts in rpcclient accordingly so that we actually get the DC's reply. Guenther (This used to be commit 6091c8152a3998d2503cb0911a217ee904509633) --- source3/rpc_client/cli_netlogon.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 5396de9bf0..28395de067 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -418,6 +418,44 @@ WERROR rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, return result; } +/* GetAnyDCName */ + +WERROR rpccli_netlogon_getanydcname(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, const char *mydcname, + const char *domainname, fstring newdcname) +{ + prs_struct qbuf, rbuf; + NET_Q_GETANYDCNAME q; + NET_R_GETANYDCNAME r; + WERROR result; + fstring mydcname_slash; + + ZERO_STRUCT(q); + ZERO_STRUCT(r); + + /* Initialise input parameters */ + + slprintf(mydcname_slash, sizeof(fstring)-1, "\\\\%s", mydcname); + init_net_q_getanydcname(&q, mydcname_slash, domainname); + + /* Marshall data and send request */ + + CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_GETANYDCNAME, + q, r, + qbuf, rbuf, + net_io_q_getanydcname, + net_io_r_getanydcname, + WERR_GENERAL_FAILURE); + + result = r.status; + + if (W_ERROR_IS_OK(result)) { + rpcstr_pull_unistr2_fstring(newdcname, &r.uni_dcname); + } + + return result; +} + /* Dsr_GetDCName */ WERROR rpccli_netlogon_dsr_getdcname(struct rpc_pipe_client *cli, -- cgit From aeb834036d5cc576df6b284cebf6f4afcce4dfcc Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 23 Jan 2007 10:51:35 +0000 Subject: r20970: Allow to define workstation for samlogon in rpcclient (for testing). Guenther (This used to be commit 5d4747fdf2e5874cb5d2238ee62e4fcac1676134) --- source3/rpc_client/cli_netlogon.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 28395de067..0fdc476775 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -733,6 +733,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, const char *domain, const char *username, const char *password, + const char *workstation, int logon_type) { prs_struct qbuf, rbuf; @@ -750,7 +751,11 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, ZERO_STRUCT(r); ZERO_STRUCT(ret_creds); - fstr_sprintf( clnt_name_slash, "\\\\%s", global_myname() ); + if (workstation) { + fstr_sprintf( clnt_name_slash, "\\\\%s", workstation ); + } else { + fstr_sprintf( clnt_name_slash, "\\\\%s", global_myname() ); + } /* Initialise input parameters */ -- cgit From 2945490a0fb3dbcd6088a8825a3cd46d9f91ebf7 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 23 May 2007 15:17:49 +0000 Subject: r23091: Add rpccli_netlogon_sam_network_logon_ex, fix its parsing. This does not use the credential chain and only works over netlogon, but it would allow multiple outstanding auth requests for a single workstation account. (This used to be commit 123290d0947191abca4a3b3d81718c823c1bc4a0) --- source3/rpc_client/cli_netlogon.c | 92 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 0fdc476775..6fc2f692fc 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -946,6 +946,98 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, return result; } +NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + uint32 logon_parameters, + const char *server, + const char *username, + const char *domain, + const char *workstation, + const uint8 chal[8], + DATA_BLOB lm_response, + DATA_BLOB nt_response, + NET_USER_INFO_3 *info3) +{ + prs_struct qbuf, rbuf; + NET_Q_SAM_LOGON_EX q; + NET_R_SAM_LOGON_EX r; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + NET_ID_INFO_CTR ctr; + int validation_level = 3; + const char *workstation_name_slash; + const char *server_name_slash; + static uint8 zeros[16]; + int i; + + ZERO_STRUCT(q); + ZERO_STRUCT(r); + + if (server[0] != '\\' && server[1] != '\\') { + server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server); + } else { + server_name_slash = server; + } + + if (workstation[0] != '\\' && workstation[1] != '\\') { + workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation); + } else { + workstation_name_slash = workstation; + } + + if (!workstation_name_slash || !server_name_slash) { + DEBUG(0, ("talloc_asprintf failed!\n")); + return NT_STATUS_NO_MEMORY; + } + + /* Initialise input parameters */ + + q.validation_level = validation_level; + + ctr.switch_value = NET_LOGON_TYPE; + + init_id_info2(&ctr.auth.id2, domain, + logon_parameters, /* param_ctrl */ + 0xdead, 0xbeef, /* LUID? */ + username, workstation_name_slash, (const uchar*)chal, + lm_response.data, lm_response.length, nt_response.data, + nt_response.length); + + init_sam_info_ex(&q.sam_id, server_name_slash, global_myname(), + NET_LOGON_TYPE, &ctr); + + r.user = info3; + + /* Marshall data and send request */ + + CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_SAMLOGON_EX, + q, r, qbuf, rbuf, + net_io_q_sam_logon_ex, + net_io_r_sam_logon_ex, + NT_STATUS_UNSUCCESSFUL); + + if (memcmp(zeros, info3->user_sess_key, 16) != 0) { + SamOEMhash(info3->user_sess_key, cli->dc->sess_key, 16); + } else { + memset(info3->user_sess_key, '\0', 16); + } + + if (memcmp(zeros, info3->lm_sess_key, 8) != 0) { + SamOEMhash(info3->lm_sess_key, cli->dc->sess_key, 8); + } else { + memset(info3->lm_sess_key, '\0', 8); + } + + for (i=0; i < 7; i++) { + memset(&info3->unknown[i], '\0', 4); + } + + /* Return results */ + + result = r.status; + + return result; +} + /*************************************************************************** LSA Server Password Set. ****************************************************************************/ -- cgit From 94e4a468f02bc243b72c7e1ddd5a15facf661ae5 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 24 May 2007 23:11:11 +0000 Subject: r23127: Fill in some more netlogon dsgetdcname flavours (netr_DsRGetDCNameEx, netr_DsRGetDCNameEx2) and add new ds request and reply flags, also add some more WERROR codes. Guenther (This used to be commit 37ae7f419702c563bcd0d9c27c02bde7efd34dd7) --- source3/rpc_client/cli_netlogon.c | 238 ++++++++++++++++++++++++++++---------- 1 file changed, 177 insertions(+), 61 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 6fc2f692fc..eaa398087b 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -456,6 +456,91 @@ WERROR rpccli_netlogon_getanydcname(struct rpc_pipe_client *cli, return result; } +static WERROR pull_domain_controller_info_from_getdcname_reply(TALLOC_CTX *mem_ctx, + struct DS_DOMAIN_CONTROLLER_INFO **info_out, + NET_R_DSR_GETDCNAME *r) +{ + struct DS_DOMAIN_CONTROLLER_INFO *info; + + info = TALLOC_ZERO_P(mem_ctx, struct DS_DOMAIN_CONTROLLER_INFO); + if (!info) { + return WERR_NOMEM; + } + + if (&r->uni_dc_unc) { + + char *tmp; + tmp = rpcstr_pull_unistr2_talloc(mem_ctx, &r->uni_dc_unc); + if (tmp == NULL) { + return WERR_GENERAL_FAILURE; + } + if (*tmp == '\\') tmp += 1; + if (*tmp == '\\') tmp += 1; + + info->domain_controller_name = talloc_strdup(mem_ctx, tmp); + if (info->domain_controller_name == NULL) { + return WERR_GENERAL_FAILURE; + } + } + + if (&r->uni_dc_address) { + + char *tmp; + tmp = rpcstr_pull_unistr2_talloc(mem_ctx, &r->uni_dc_address); + if (tmp == NULL) { + return WERR_GENERAL_FAILURE; + } + if (*tmp == '\\') tmp += 1; + if (*tmp == '\\') tmp += 1; + + info->domain_controller_address = talloc_strdup(mem_ctx, tmp); + if (info->domain_controller_address == NULL) { + return WERR_GENERAL_FAILURE; + } + } + + info->domain_controller_address_type = r->dc_address_type; + + info->domain_guid = talloc_memdup(mem_ctx, &r->domain_guid, sizeof(struct GUID)); + if (!info->domain_guid) { + return WERR_GENERAL_FAILURE; + } + + if (&r->uni_domain_name) { + info->domain_name = rpcstr_pull_unistr2_talloc(mem_ctx, &r->uni_domain_name); + if (!info->domain_name) { + return WERR_GENERAL_FAILURE; + } + } + + if (&r->uni_forest_name) { + info->dns_forest_name = rpcstr_pull_unistr2_talloc(mem_ctx, &r->uni_forest_name); + if (!info->dns_forest_name) { + return WERR_GENERAL_FAILURE; + } + } + + info->flags = r->dc_flags; + + if (&r->uni_dc_site_name) { + info->dc_site_name = rpcstr_pull_unistr2_talloc(mem_ctx, &r->uni_dc_site_name); + if (!info->dc_site_name) { + return WERR_GENERAL_FAILURE; + } + } + + if (&r->uni_client_site_name) { + info->client_site_name = rpcstr_pull_unistr2_talloc(mem_ctx, &r->uni_client_site_name); + if (!info->client_site_name) { + return WERR_GENERAL_FAILURE; + } + } + + *info_out = info; + + return WERR_OK; +} + /* Dsr_GetDCName */ WERROR rpccli_netlogon_dsr_getdcname(struct rpc_pipe_client *cli, @@ -465,14 +550,7 @@ WERROR rpccli_netlogon_dsr_getdcname(struct rpc_pipe_client *cli, struct GUID *domain_guid, struct GUID *site_guid, uint32_t flags, - char **dc_unc, char **dc_address, - int32 *dc_address_type, - struct GUID *domain_guid_out, - char **domain_name_out, - char **forest_name, - uint32 *dc_flags, - char **dc_site_name, - char **client_site_name) + struct DS_DOMAIN_CONTROLLER_INFO **info_out) { prs_struct qbuf, rbuf; NET_Q_DSR_GETDCNAME q; @@ -505,79 +583,117 @@ WERROR rpccli_netlogon_dsr_getdcname(struct rpc_pipe_client *cli, return r.result; } - if (dc_unc != NULL) { - char *tmp; - tmp = rpcstr_pull_unistr2_talloc(mem_ctx, &r.uni_dc_unc); - if (tmp == NULL) { - return WERR_GENERAL_FAILURE; - } - if (*tmp == '\\') tmp += 1; - if (*tmp == '\\') tmp += 1; - - /* We have to talloc_strdup, otherwise a talloc_steal would - fail */ - *dc_unc = talloc_strdup(mem_ctx, tmp); - if (*dc_unc == NULL) { - return WERR_NOMEM; - } + r.result = pull_domain_controller_info_from_getdcname_reply(mem_ctx, info_out, &r); + if (!W_ERROR_IS_OK(r.result)) { + return r.result; } - if (dc_address != NULL) { - char *tmp; - tmp = rpcstr_pull_unistr2_talloc(mem_ctx, &r.uni_dc_address); - if (tmp == NULL) { - return WERR_GENERAL_FAILURE; - } - if (*tmp == '\\') tmp += 1; - if (*tmp == '\\') tmp += 1; + return WERR_OK; +} - /* We have to talloc_strdup, otherwise a talloc_steal would - fail */ - *dc_address = talloc_strdup(mem_ctx, tmp); - if (*dc_address == NULL) { - return WERR_NOMEM; - } - } +/* Dsr_GetDCNameEx */ - if (dc_address_type != NULL) { - *dc_address_type = r.dc_address_type; - } +WERROR rpccli_netlogon_dsr_getdcnameex(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + const char *server_name, + const char *domain_name, + struct GUID *domain_guid, + const char *site_name, + uint32_t flags, + struct DS_DOMAIN_CONTROLLER_INFO **info_out) +{ + prs_struct qbuf, rbuf; + NET_Q_DSR_GETDCNAMEEX q; + NET_R_DSR_GETDCNAME r; + char *tmp_str; - if (domain_guid_out != NULL) { - *domain_guid_out = r.domain_guid; + ZERO_STRUCT(q); + ZERO_STRUCT(r); + + /* Initialize input parameters */ + + tmp_str = talloc_asprintf(mem_ctx, "\\\\%s", server_name); + if (tmp_str == NULL) { + return WERR_NOMEM; } - if ((domain_name_out != NULL) && - ((*domain_name_out = rpcstr_pull_unistr2_talloc( - mem_ctx, &r.uni_domain_name)) == NULL)) { - return WERR_GENERAL_FAILURE; + init_net_q_dsr_getdcnameex(&q, server_name, domain_name, domain_guid, + site_name, flags); + + /* Marshall data and send request */ + + CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_DSR_GETDCNAMEEX, + q, r, + qbuf, rbuf, + net_io_q_dsr_getdcnameex, + net_io_r_dsr_getdcname, + WERR_GENERAL_FAILURE); + + if (!W_ERROR_IS_OK(r.result)) { + return r.result; } - if ((forest_name != NULL) && - ((*forest_name = rpcstr_pull_unistr2_talloc( - mem_ctx, &r.uni_forest_name)) == NULL)) { - return WERR_GENERAL_FAILURE; + r.result = pull_domain_controller_info_from_getdcname_reply(mem_ctx, info_out, &r); + if (!W_ERROR_IS_OK(r.result)) { + return r.result; } - if (dc_flags != NULL) { - *dc_flags = r.dc_flags; + return WERR_OK; +} + +/* Dsr_GetDCNameEx */ + +WERROR rpccli_netlogon_dsr_getdcnameex2(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + const char *server_name, + const char *client_account, + uint32 mask, + const char *domain_name, + struct GUID *domain_guid, + const char *site_name, + uint32_t flags, + struct DS_DOMAIN_CONTROLLER_INFO **info_out) +{ + prs_struct qbuf, rbuf; + NET_Q_DSR_GETDCNAMEEX2 q; + NET_R_DSR_GETDCNAME r; + char *tmp_str; + + ZERO_STRUCT(q); + ZERO_STRUCT(r); + + /* Initialize input parameters */ + + tmp_str = talloc_asprintf(mem_ctx, "\\\\%s", server_name); + if (tmp_str == NULL) { + return WERR_NOMEM; } - if ((dc_site_name != NULL) && - ((*dc_site_name = rpcstr_pull_unistr2_talloc( - mem_ctx, &r.uni_dc_site_name)) == NULL)) { - return WERR_GENERAL_FAILURE; + init_net_q_dsr_getdcnameex2(&q, server_name, domain_name, client_account, + mask, domain_guid, site_name, flags); + + /* Marshall data and send request */ + + CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_DSR_GETDCNAMEEX2, + q, r, + qbuf, rbuf, + net_io_q_dsr_getdcnameex2, + net_io_r_dsr_getdcname, + WERR_GENERAL_FAILURE); + + if (!W_ERROR_IS_OK(r.result)) { + return r.result; } - if ((client_site_name != NULL) && - ((*client_site_name = rpcstr_pull_unistr2_talloc( - mem_ctx, &r.uni_client_site_name)) == NULL)) { - return WERR_GENERAL_FAILURE; + r.result = pull_domain_controller_info_from_getdcname_reply(mem_ctx, info_out, &r); + if (!W_ERROR_IS_OK(r.result)) { + return r.result; } return WERR_OK; } + /* Dsr_GetSiteName */ WERROR rpccli_netlogon_dsr_getsitename(struct rpc_pipe_client *cli, -- cgit From d8e454664a97385d798ad53633856044f928a491 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 29 May 2007 15:27:13 +0000 Subject: r23210: Very funny, we thought to use netr_GetDcName (e.g. in winbind) but were using netr_GetDcAnyName all the time (which is the correct thing to do). Fix the naming and opcode mixup in all branches. Guenther (This used to be commit def6464c872a5939f0028837254f2c019d2d71c8) --- source3/rpc_client/cli_netlogon.c | 46 +++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 23 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index eaa398087b..f155c736e9 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -380,15 +380,15 @@ NTSTATUS rpccli_netlogon_logon_ctrl2(struct rpc_pipe_client *cli, TALLOC_CTX *me return result; } -/* GetDCName */ +/* GetAnyDCName */ -WERROR rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, const char *mydcname, - const char *domainname, fstring newdcname) +WERROR rpccli_netlogon_getanydcname(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, const char *mydcname, + const char *domainname, fstring newdcname) { prs_struct qbuf, rbuf; - NET_Q_GETDCNAME q; - NET_R_GETDCNAME r; + NET_Q_GETANYDCNAME q; + NET_R_GETANYDCNAME r; WERROR result; fstring mydcname_slash; @@ -398,15 +398,15 @@ WERROR rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, /* Initialise input parameters */ slprintf(mydcname_slash, sizeof(fstring)-1, "\\\\%s", mydcname); - init_net_q_getdcname(&q, mydcname_slash, domainname); + init_net_q_getanydcname(&q, mydcname_slash, domainname); /* Marshall data and send request */ - CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_GETDCNAME, + CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_GETANYDCNAME, q, r, qbuf, rbuf, - net_io_q_getdcname, - net_io_r_getdcname, + net_io_q_getanydcname, + net_io_r_getanydcname, WERR_GENERAL_FAILURE); result = r.status; @@ -418,16 +418,16 @@ WERROR rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, return result; } -/* GetAnyDCName */ +/* GetDCName */ -WERROR rpccli_netlogon_getanydcname(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, const char *mydcname, - const char *domainname, fstring newdcname) +NTSTATUS rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, const char *mydcname, + const char *domainname, fstring newdcname) { prs_struct qbuf, rbuf; - NET_Q_GETANYDCNAME q; - NET_R_GETANYDCNAME r; - WERROR result; + NET_Q_GETDCNAME q; + NET_R_GETDCNAME r; + NTSTATUS result; fstring mydcname_slash; ZERO_STRUCT(q); @@ -436,20 +436,20 @@ WERROR rpccli_netlogon_getanydcname(struct rpc_pipe_client *cli, /* Initialise input parameters */ slprintf(mydcname_slash, sizeof(fstring)-1, "\\\\%s", mydcname); - init_net_q_getanydcname(&q, mydcname_slash, domainname); + init_net_q_getdcname(&q, mydcname_slash, domainname); /* Marshall data and send request */ - CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_GETANYDCNAME, + CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_GETDCNAME, q, r, qbuf, rbuf, - net_io_q_getanydcname, - net_io_r_getanydcname, - WERR_GENERAL_FAILURE); + net_io_q_getdcname, + net_io_r_getdcname, + NT_STATUS_UNSUCCESSFUL); result = r.status; - if (W_ERROR_IS_OK(result)) { + if (NT_STATUS_IS_OK(result)) { rpcstr_pull_unistr2_fstring(newdcname, &r.uni_dcname); } -- cgit From d807dec0f465c8735bd4964b196ff6109d8df408 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 29 May 2007 17:57:52 +0000 Subject: r23219: Two warnings (This used to be commit eccd50abdaed3e4e06cc5da5473ca1beeb3fc49a) --- source3/rpc_client/cli_netlogon.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index f155c736e9..1123daaeec 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -501,7 +501,8 @@ static WERROR pull_domain_controller_info_from_getdcname_reply(TALLOC_CTX *mem_c info->domain_controller_address_type = r->dc_address_type; - info->domain_guid = talloc_memdup(mem_ctx, &r->domain_guid, sizeof(struct GUID)); + info->domain_guid = (struct GUID *)talloc_memdup( + mem_ctx, &r->domain_guid, sizeof(struct GUID)); if (!info->domain_guid) { return WERR_GENERAL_FAILURE; } -- cgit From 1ea5dfae043da76183191c10bcadbd77e14d1fff Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 8 Jun 2007 10:29:46 +0000 Subject: r23380: netr_getdcname returns WERROR not NTSTATUS. Guenther (This used to be commit 5e75ea7f2b568d76c8ced5f43171741532cc97c2) --- source3/rpc_client/cli_netlogon.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 1123daaeec..e6695f647e 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -420,14 +420,14 @@ WERROR rpccli_netlogon_getanydcname(struct rpc_pipe_client *cli, /* GetDCName */ -NTSTATUS rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, const char *mydcname, - const char *domainname, fstring newdcname) +WERROR rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, const char *mydcname, + const char *domainname, fstring newdcname) { prs_struct qbuf, rbuf; NET_Q_GETDCNAME q; NET_R_GETDCNAME r; - NTSTATUS result; + WERROR result; fstring mydcname_slash; ZERO_STRUCT(q); @@ -440,16 +440,16 @@ NTSTATUS rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, /* Marshall data and send request */ - CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_GETDCNAME, + CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_GETDCNAME, q, r, qbuf, rbuf, net_io_q_getdcname, net_io_r_getdcname, - NT_STATUS_UNSUCCESSFUL); + WERR_GENERAL_FAILURE); result = r.status; - if (NT_STATUS_IS_OK(result)) { + if (W_ERROR_IS_OK(result)) { rpcstr_pull_unistr2_fstring(newdcname, &r.uni_dcname); } -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/rpc_client/cli_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index e6695f647e..0b244192a1 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -7,7 +7,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, -- cgit From 5e54558c6dea67b56bbfaba5698f3a434d3dffb6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 00:52:41 +0000 Subject: r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text (This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07) --- source3/rpc_client/cli_netlogon.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 0b244192a1..3cb5827e73 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -16,8 +16,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From 8ded1df76739363259edce0515b097510e342595 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 21 Dec 2007 15:12:40 +0100 Subject: Kill fstring in getdcname & getanydcname return. Guenther (This used to be commit b7383818168863a7ba43c2456f8c44e96e76707a) --- source3/rpc_client/cli_netlogon.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 3cb5827e73..26d2124da0 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -383,7 +383,7 @@ NTSTATUS rpccli_netlogon_logon_ctrl2(struct rpc_pipe_client *cli, TALLOC_CTX *me WERROR rpccli_netlogon_getanydcname(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, const char *mydcname, - const char *domainname, fstring newdcname) + const char *domainname, char **newdcname) { prs_struct qbuf, rbuf; NET_Q_GETANYDCNAME q; @@ -410,8 +410,9 @@ WERROR rpccli_netlogon_getanydcname(struct rpc_pipe_client *cli, result = r.status; - if (W_ERROR_IS_OK(result)) { - rpcstr_pull_unistr2_fstring(newdcname, &r.uni_dcname); + if (W_ERROR_IS_OK(result) && newdcname) { + *newdcname = rpcstr_pull_unistr2_talloc(mem_ctx, &r.uni_dcname); + W_ERROR_HAVE_NO_MEMORY(*newdcname); } return result; @@ -421,7 +422,7 @@ WERROR rpccli_netlogon_getanydcname(struct rpc_pipe_client *cli, WERROR rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, const char *mydcname, - const char *domainname, fstring newdcname) + const char *domainname, char **newdcname) { prs_struct qbuf, rbuf; NET_Q_GETDCNAME q; @@ -448,8 +449,9 @@ WERROR rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, result = r.status; - if (W_ERROR_IS_OK(result)) { - rpcstr_pull_unistr2_fstring(newdcname, &r.uni_dcname); + if (W_ERROR_IS_OK(result) && newdcname) { + *newdcname = rpcstr_pull_unistr2_talloc(mem_ctx, &r.uni_dcname); + W_ERROR_HAVE_NO_MEMORY(*newdcname); } return result; -- cgit From 533d6f617efc4dfe1e145785cb9736df07671bdf Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 28 Dec 2007 17:02:34 +0100 Subject: Remove static zeros (This used to be commit dbcc213710a9af31b6094d4741a6f68f573dcdad) --- source3/rpc_client/cli_netlogon.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 26d2124da0..e192e4ca26 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -978,11 +978,12 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, int validation_level = 3; const char *workstation_name_slash; const char *server_name_slash; - static uint8 zeros[16]; + uint8 zeros[16]; DOM_CRED clnt_creds; DOM_CRED ret_creds; int i; - + + ZERO_STRUCT(zeros); ZERO_STRUCT(q); ZERO_STRUCT(r); ZERO_STRUCT(ret_creds); @@ -1084,9 +1085,10 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, int validation_level = 3; const char *workstation_name_slash; const char *server_name_slash; - static uint8 zeros[16]; + uint8 zeros[16]; int i; - + + ZERO_STRUCT(zeros); ZERO_STRUCT(q); ZERO_STRUCT(r); -- cgit From a6ce6c56492a22b5d6b9ddecd3ae229d5b03c8c2 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 25 Jan 2008 21:19:39 +0100 Subject: Remove hand-written rpccli_netlogon_dsr_getdcnameex[2]. Guenther (This used to be commit 3ded8b9b7eee18a3f903e264adfb7fea6a3c0c5f) --- source3/rpc_client/cli_netlogon.c | 103 -------------------------------------- 1 file changed, 103 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index e192e4ca26..54c6c7f23e 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -593,109 +593,6 @@ WERROR rpccli_netlogon_dsr_getdcname(struct rpc_pipe_client *cli, return WERR_OK; } -/* Dsr_GetDCNameEx */ - -WERROR rpccli_netlogon_dsr_getdcnameex(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - const char *server_name, - const char *domain_name, - struct GUID *domain_guid, - const char *site_name, - uint32_t flags, - struct DS_DOMAIN_CONTROLLER_INFO **info_out) -{ - prs_struct qbuf, rbuf; - NET_Q_DSR_GETDCNAMEEX q; - NET_R_DSR_GETDCNAME r; - char *tmp_str; - - ZERO_STRUCT(q); - ZERO_STRUCT(r); - - /* Initialize input parameters */ - - tmp_str = talloc_asprintf(mem_ctx, "\\\\%s", server_name); - if (tmp_str == NULL) { - return WERR_NOMEM; - } - - init_net_q_dsr_getdcnameex(&q, server_name, domain_name, domain_guid, - site_name, flags); - - /* Marshall data and send request */ - - CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_DSR_GETDCNAMEEX, - q, r, - qbuf, rbuf, - net_io_q_dsr_getdcnameex, - net_io_r_dsr_getdcname, - WERR_GENERAL_FAILURE); - - if (!W_ERROR_IS_OK(r.result)) { - return r.result; - } - - r.result = pull_domain_controller_info_from_getdcname_reply(mem_ctx, info_out, &r); - if (!W_ERROR_IS_OK(r.result)) { - return r.result; - } - - return WERR_OK; -} - -/* Dsr_GetDCNameEx */ - -WERROR rpccli_netlogon_dsr_getdcnameex2(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - const char *server_name, - const char *client_account, - uint32 mask, - const char *domain_name, - struct GUID *domain_guid, - const char *site_name, - uint32_t flags, - struct DS_DOMAIN_CONTROLLER_INFO **info_out) -{ - prs_struct qbuf, rbuf; - NET_Q_DSR_GETDCNAMEEX2 q; - NET_R_DSR_GETDCNAME r; - char *tmp_str; - - ZERO_STRUCT(q); - ZERO_STRUCT(r); - - /* Initialize input parameters */ - - tmp_str = talloc_asprintf(mem_ctx, "\\\\%s", server_name); - if (tmp_str == NULL) { - return WERR_NOMEM; - } - - init_net_q_dsr_getdcnameex2(&q, server_name, domain_name, client_account, - mask, domain_guid, site_name, flags); - - /* Marshall data and send request */ - - CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_DSR_GETDCNAMEEX2, - q, r, - qbuf, rbuf, - net_io_q_dsr_getdcnameex2, - net_io_r_dsr_getdcname, - WERR_GENERAL_FAILURE); - - if (!W_ERROR_IS_OK(r.result)) { - return r.result; - } - - r.result = pull_domain_controller_info_from_getdcname_reply(mem_ctx, info_out, &r); - if (!W_ERROR_IS_OK(r.result)) { - return r.result; - } - - return WERR_OK; -} - - /* Dsr_GetSiteName */ WERROR rpccli_netlogon_dsr_getsitename(struct rpc_pipe_client *cli, -- cgit From f79051fe19a6f435b1ca51904dfa084031ede49f Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 7 Feb 2008 10:28:56 +0100 Subject: Remove unused marshalling for NET_GETANYDCNAME and NET_GETANYDCNAME. Guenther (This used to be commit a495e0e7c1eb91dd700a7d0fe9832fd0811cb2bb) --- source3/rpc_client/cli_netlogon.c | 78 --------------------------------------- 1 file changed, 78 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 54c6c7f23e..33c0e416bc 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -379,84 +379,6 @@ NTSTATUS rpccli_netlogon_logon_ctrl2(struct rpc_pipe_client *cli, TALLOC_CTX *me return result; } -/* GetAnyDCName */ - -WERROR rpccli_netlogon_getanydcname(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, const char *mydcname, - const char *domainname, char **newdcname) -{ - prs_struct qbuf, rbuf; - NET_Q_GETANYDCNAME q; - NET_R_GETANYDCNAME r; - WERROR result; - fstring mydcname_slash; - - ZERO_STRUCT(q); - ZERO_STRUCT(r); - - /* Initialise input parameters */ - - slprintf(mydcname_slash, sizeof(fstring)-1, "\\\\%s", mydcname); - init_net_q_getanydcname(&q, mydcname_slash, domainname); - - /* Marshall data and send request */ - - CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_GETANYDCNAME, - q, r, - qbuf, rbuf, - net_io_q_getanydcname, - net_io_r_getanydcname, - WERR_GENERAL_FAILURE); - - result = r.status; - - if (W_ERROR_IS_OK(result) && newdcname) { - *newdcname = rpcstr_pull_unistr2_talloc(mem_ctx, &r.uni_dcname); - W_ERROR_HAVE_NO_MEMORY(*newdcname); - } - - return result; -} - -/* GetDCName */ - -WERROR rpccli_netlogon_getdcname(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, const char *mydcname, - const char *domainname, char **newdcname) -{ - prs_struct qbuf, rbuf; - NET_Q_GETDCNAME q; - NET_R_GETDCNAME r; - WERROR result; - fstring mydcname_slash; - - ZERO_STRUCT(q); - ZERO_STRUCT(r); - - /* Initialise input parameters */ - - slprintf(mydcname_slash, sizeof(fstring)-1, "\\\\%s", mydcname); - init_net_q_getdcname(&q, mydcname_slash, domainname); - - /* Marshall data and send request */ - - CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_GETDCNAME, - q, r, - qbuf, rbuf, - net_io_q_getdcname, - net_io_r_getdcname, - WERR_GENERAL_FAILURE); - - result = r.status; - - if (W_ERROR_IS_OK(result) && newdcname) { - *newdcname = rpcstr_pull_unistr2_talloc(mem_ctx, &r.uni_dcname); - W_ERROR_HAVE_NO_MEMORY(*newdcname); - } - - return result; -} - static WERROR pull_domain_controller_info_from_getdcname_reply(TALLOC_CTX *mem_ctx, struct DS_DOMAIN_CONTROLLER_INFO **info_out, NET_R_DSR_GETDCNAME *r) -- cgit From 44f1485f0b10fdbb1f9adf833e0255affd56360c Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 7 Feb 2008 10:41:04 +0100 Subject: Remove unused marshalling for NET_DSR_GESITENAME. Guenther (This used to be commit c2682273fdbe35dce0a9caffb829c8693e3cd845) --- source3/rpc_client/cli_netlogon.c | 42 --------------------------------------- 1 file changed, 42 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 33c0e416bc..5a0c5816e6 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -515,48 +515,6 @@ WERROR rpccli_netlogon_dsr_getdcname(struct rpc_pipe_client *cli, return WERR_OK; } -/* Dsr_GetSiteName */ - -WERROR rpccli_netlogon_dsr_getsitename(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - const char *computer_name, - char **site_name) -{ - prs_struct qbuf, rbuf; - NET_Q_DSR_GETSITENAME q; - NET_R_DSR_GETSITENAME r; - - ZERO_STRUCT(q); - ZERO_STRUCT(r); - - /* Initialize input parameters */ - - init_net_q_dsr_getsitename(&q, computer_name); - - /* Marshall data and send request */ - - CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_DSR_GETSITENAME, - q, r, - qbuf, rbuf, - net_io_q_dsr_getsitename, - net_io_r_dsr_getsitename, - WERR_GENERAL_FAILURE); - - if (!W_ERROR_IS_OK(r.result)) { - return r.result; - } - - if ((site_name != NULL) && - ((*site_name = rpcstr_pull_unistr2_talloc( - mem_ctx, &r.uni_site_name)) == NULL)) { - return WERR_GENERAL_FAILURE; - } - - return WERR_OK; -} - - - /* Sam synchronisation */ NTSTATUS rpccli_netlogon_sam_sync(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, -- cgit From 5da927716a857ce686f3b75476671d32f047d2c0 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 8 Feb 2008 23:33:52 +0100 Subject: Remove unused marshalling for NET_DSR_GETDCNAME. Guenther (This used to be commit 65c2aa344e45064cbfddd87715862d60f7ac2a8a) --- source3/rpc_client/cli_netlogon.c | 136 -------------------------------------- 1 file changed, 136 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 5a0c5816e6..a6167bb851 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -379,142 +379,6 @@ NTSTATUS rpccli_netlogon_logon_ctrl2(struct rpc_pipe_client *cli, TALLOC_CTX *me return result; } -static WERROR pull_domain_controller_info_from_getdcname_reply(TALLOC_CTX *mem_ctx, - struct DS_DOMAIN_CONTROLLER_INFO **info_out, - NET_R_DSR_GETDCNAME *r) -{ - struct DS_DOMAIN_CONTROLLER_INFO *info; - - info = TALLOC_ZERO_P(mem_ctx, struct DS_DOMAIN_CONTROLLER_INFO); - if (!info) { - return WERR_NOMEM; - } - - if (&r->uni_dc_unc) { - - char *tmp; - tmp = rpcstr_pull_unistr2_talloc(mem_ctx, &r->uni_dc_unc); - if (tmp == NULL) { - return WERR_GENERAL_FAILURE; - } - if (*tmp == '\\') tmp += 1; - if (*tmp == '\\') tmp += 1; - - info->domain_controller_name = talloc_strdup(mem_ctx, tmp); - if (info->domain_controller_name == NULL) { - return WERR_GENERAL_FAILURE; - } - } - - if (&r->uni_dc_address) { - - char *tmp; - tmp = rpcstr_pull_unistr2_talloc(mem_ctx, &r->uni_dc_address); - if (tmp == NULL) { - return WERR_GENERAL_FAILURE; - } - if (*tmp == '\\') tmp += 1; - if (*tmp == '\\') tmp += 1; - - info->domain_controller_address = talloc_strdup(mem_ctx, tmp); - if (info->domain_controller_address == NULL) { - return WERR_GENERAL_FAILURE; - } - } - - info->domain_controller_address_type = r->dc_address_type; - - info->domain_guid = (struct GUID *)talloc_memdup( - mem_ctx, &r->domain_guid, sizeof(struct GUID)); - if (!info->domain_guid) { - return WERR_GENERAL_FAILURE; - } - - if (&r->uni_domain_name) { - info->domain_name = rpcstr_pull_unistr2_talloc(mem_ctx, &r->uni_domain_name); - if (!info->domain_name) { - return WERR_GENERAL_FAILURE; - } - } - - if (&r->uni_forest_name) { - info->dns_forest_name = rpcstr_pull_unistr2_talloc(mem_ctx, &r->uni_forest_name); - if (!info->dns_forest_name) { - return WERR_GENERAL_FAILURE; - } - } - - info->flags = r->dc_flags; - - if (&r->uni_dc_site_name) { - info->dc_site_name = rpcstr_pull_unistr2_talloc(mem_ctx, &r->uni_dc_site_name); - if (!info->dc_site_name) { - return WERR_GENERAL_FAILURE; - } - } - - if (&r->uni_client_site_name) { - info->client_site_name = rpcstr_pull_unistr2_talloc(mem_ctx, &r->uni_client_site_name); - if (!info->client_site_name) { - return WERR_GENERAL_FAILURE; - } - } - - *info_out = info; - - return WERR_OK; -} - -/* Dsr_GetDCName */ - -WERROR rpccli_netlogon_dsr_getdcname(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - const char *server_name, - const char *domain_name, - struct GUID *domain_guid, - struct GUID *site_guid, - uint32_t flags, - struct DS_DOMAIN_CONTROLLER_INFO **info_out) -{ - prs_struct qbuf, rbuf; - NET_Q_DSR_GETDCNAME q; - NET_R_DSR_GETDCNAME r; - char *tmp_str; - - ZERO_STRUCT(q); - ZERO_STRUCT(r); - - /* Initialize input parameters */ - - tmp_str = talloc_asprintf(mem_ctx, "\\\\%s", server_name); - if (tmp_str == NULL) { - return WERR_NOMEM; - } - - init_net_q_dsr_getdcname(&q, tmp_str, domain_name, domain_guid, - site_guid, flags); - - /* Marshall data and send request */ - - CLI_DO_RPC_WERR(cli, mem_ctx, PI_NETLOGON, NET_DSR_GETDCNAME, - q, r, - qbuf, rbuf, - net_io_q_dsr_getdcname, - net_io_r_dsr_getdcname, - WERR_GENERAL_FAILURE); - - if (!W_ERROR_IS_OK(r.result)) { - return r.result; - } - - r.result = pull_domain_controller_info_from_getdcname_reply(mem_ctx, info_out, &r); - if (!W_ERROR_IS_OK(r.result)) { - return r.result; - } - - return WERR_OK; -} - /* Sam synchronisation */ NTSTATUS rpccli_netlogon_sam_sync(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, -- cgit From d134bd3c27ba3317e323a2c37d43f80c0ec58cbc Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 13 Feb 2008 23:12:42 +0100 Subject: Remove unused marshalling for NET_LOGON_CTRL and NET_LOGON_CTRL2. Guenther (This used to be commit c94538e742e469e4afc6e30d9d99951fda6dd219) --- source3/rpc_client/cli_netlogon.c | 32 -------------------------------- 1 file changed, 32 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index a6167bb851..d28df3c164 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -347,38 +347,6 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, return NT_STATUS_OK; } -/* Logon Control 2 */ - -NTSTATUS rpccli_netlogon_logon_ctrl2(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, - uint32 query_level) -{ - prs_struct qbuf, rbuf; - NET_Q_LOGON_CTRL2 q; - NET_R_LOGON_CTRL2 r; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - fstring server; - - ZERO_STRUCT(q); - ZERO_STRUCT(r); - - /* Initialise input parameters */ - - slprintf(server, sizeof(fstring)-1, "\\\\%s", cli->cli->desthost); - init_net_q_logon_ctrl2(&q, server, query_level); - - /* Marshall data and send request */ - - CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_LOGON_CTRL2, - q, r, - qbuf, rbuf, - net_io_q_logon_ctrl2, - net_io_r_logon_ctrl2, - NT_STATUS_UNSUCCESSFUL); - - result = r.status; - return result; -} - /* Sam synchronisation */ NTSTATUS rpccli_netlogon_sam_sync(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, -- cgit From 99f1806af994dad5923c9e94b4a83ca094f991a4 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 15 Feb 2008 02:59:48 +0100 Subject: Remove unused marshalling for NET_SAM_DELTAS. Guenther (This used to be commit 2dd01f07411744f1f8fec0bff7af554db08ab960) --- source3/rpc_client/cli_netlogon.c | 52 --------------------------------------- 1 file changed, 52 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index d28df3c164..0da482c9ef 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -400,58 +400,6 @@ NTSTATUS rpccli_netlogon_sam_sync(struct rpc_pipe_client *cli, TALLOC_CTX *mem_c return result; } -/* Sam synchronisation */ - -NTSTATUS rpccli_netlogon_sam_deltas(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, - uint32 database_id, uint64 seqnum, - uint32 *num_deltas, - SAM_DELTA_HDR **hdr_deltas, - SAM_DELTA_CTR **deltas) -{ - prs_struct qbuf, rbuf; - NET_Q_SAM_DELTAS q; - NET_R_SAM_DELTAS r; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - DOM_CRED clnt_creds; - - ZERO_STRUCT(q); - ZERO_STRUCT(r); - - /* Initialise input parameters */ - - creds_client_step(cli->dc, &clnt_creds); - - init_net_q_sam_deltas(&q, cli->dc->remote_machine, - global_myname(), &clnt_creds, - database_id, seqnum); - - /* Marshall data and send request */ - - CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_SAM_DELTAS, - q, r, - qbuf, rbuf, - net_io_q_sam_deltas, - net_io_r_sam_deltas, - NT_STATUS_UNSUCCESSFUL); - - /* Return results */ - - result = r.status; - *num_deltas = r.num_deltas2; - *hdr_deltas = r.hdr_deltas; - *deltas = r.deltas; - - if (!NT_STATUS_IS_ERR(result)) { - /* Check returned credentials. */ - if (!creds_client_check(cli->dc, &r.srv_creds.challenge)) { - DEBUG(0,("cli_netlogon_sam_sync: credentials chain check failed\n")); - return NT_STATUS_ACCESS_DENIED; - } - } - - return result; -} - /* Logon domain user */ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, -- cgit From 34df32446df1167cddea2dd9a3fb3240e817f731 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 15 Feb 2008 14:24:31 +0100 Subject: Remove unused marshalling for NET_SAM_SYNC. Guenther (This used to be commit a94d93725a649c7a0ac1fcd61ea07579f65596da) --- source3/rpc_client/cli_netlogon.c | 53 --------------------------------------- 1 file changed, 53 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 0da482c9ef..f15340ffec 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -347,59 +347,6 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, return NT_STATUS_OK; } -/* Sam synchronisation */ - -NTSTATUS rpccli_netlogon_sam_sync(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, - uint32 database_id, uint32 next_rid, uint32 *num_deltas, - SAM_DELTA_HDR **hdr_deltas, - SAM_DELTA_CTR **deltas) -{ - prs_struct qbuf, rbuf; - NET_Q_SAM_SYNC q; - NET_R_SAM_SYNC r; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - DOM_CRED clnt_creds; - DOM_CRED ret_creds; - - ZERO_STRUCT(q); - ZERO_STRUCT(r); - - ZERO_STRUCT(ret_creds); - - /* Initialise input parameters */ - - creds_client_step(cli->dc, &clnt_creds); - - init_net_q_sam_sync(&q, cli->dc->remote_machine, global_myname(), - &clnt_creds, &ret_creds, database_id, next_rid); - - /* Marshall data and send request */ - - CLI_DO_RPC_COPY_SESS_KEY(cli, mem_ctx, PI_NETLOGON, NET_SAM_SYNC, - q, r, - qbuf, rbuf, - net_io_q_sam_sync, - net_io_r_sam_sync, - NT_STATUS_UNSUCCESSFUL); - - /* Return results */ - - result = r.status; - *num_deltas = r.num_deltas2; - *hdr_deltas = r.hdr_deltas; - *deltas = r.deltas; - - if (!NT_STATUS_IS_ERR(result)) { - /* Check returned credentials. */ - if (!creds_client_check(cli->dc, &r.srv_creds.challenge)) { - DEBUG(0,("cli_netlogon_sam_sync: credentials chain check failed\n")); - return NT_STATUS_ACCESS_DENIED; - } - } - - return result; -} - /* Logon domain user */ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, -- cgit From 3f24ef18481417fd7d52856b3d68bec099a7b643 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 15 Feb 2008 23:57:19 +0100 Subject: Replace DOM_CHAL with "struct netr_Credential" where we can right now. This allows to remove some more old netlogon client calls. Guenther (This used to be commit c0b1a876583230a5130f5df1965d6c742961bcdc) --- source3/rpc_client/cli_netlogon.c | 52 ++++++++++++++++++--------------------- 1 file changed, 24 insertions(+), 28 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index f15340ffec..5d6f32980d 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -251,17 +251,17 @@ static NTSTATUS rpccli_net_auth3(struct rpc_pipe_client *cli, ****************************************************************************/ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, - const char *server_name, - const char *domain, - const char *clnt_name, - const char *machine_account, - const unsigned char machine_pwd[16], - uint32 sec_chan_type, - uint32 *neg_flags_inout) + const char *server_name, + const char *domain, + const char *clnt_name, + const char *machine_account, + const unsigned char machine_pwd[16], + enum netr_SchannelType sec_chan_type, + uint32_t *neg_flags_inout) { NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - DOM_CHAL clnt_chal_send; - DOM_CHAL srv_chal_recv; + struct netr_Credential clnt_chal_send; + struct netr_Credential srv_chal_recv; struct dcinfo *dc; SMB_ASSERT(cli->pipe_idx == PI_NETLOGON); @@ -288,13 +288,11 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, generate_random_buffer(clnt_chal_send.data, 8); /* Get the server challenge. */ - result = rpccli_net_req_chal(cli, - cli->mem_ctx, - dc->remote_machine, - clnt_name, - &clnt_chal_send, - &srv_chal_recv); - + result = rpccli_netr_ServerReqChallenge(cli, cli->mem_ctx, + dc->remote_machine, + clnt_name, + &clnt_chal_send, + &srv_chal_recv); if (!NT_STATUS_IS_OK(result)) { return result; } @@ -307,20 +305,18 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, machine_pwd, &clnt_chal_send); - /* + /* * Send client auth-2 challenge and receive server repy. */ - result = rpccli_net_auth2(cli, - cli->mem_ctx, - dc->remote_machine, - dc->mach_acct, - sec_chan_type, - clnt_name, - neg_flags_inout, - &clnt_chal_send, /* input. */ - &srv_chal_recv); /* output */ - + result = rpccli_netr_ServerAuthenticate2(cli, cli->mem_ctx, + dc->remote_machine, + dc->mach_acct, + sec_chan_type, + clnt_name, + &clnt_chal_send, /* input. */ + &srv_chal_recv, /* output. */ + neg_flags_inout); if (!NT_STATUS_IS_OK(result)) { return result; } @@ -330,7 +326,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, * server received challenge. */ - if (!creds_client_check(dc, &srv_chal_recv)) { + if (!netlogon_creds_client_check(dc, &srv_chal_recv)) { /* * Server replied with bad credential. Fail. */ -- cgit From 26106d2e39bd09e85aab81735bd901b2c438f155 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 16 Feb 2008 00:05:45 +0100 Subject: Remove unused marshalling for NET_REQ_CHAL and NET_AUTH2. Guenther (This used to be commit 2123aff75c8db431cb37d132058902287e740a85) --- source3/rpc_client/cli_netlogon.c | 84 +-------------------------------------- 1 file changed, 2 insertions(+), 82 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 5d6f32980d..d84eb0173d 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -27,45 +27,7 @@ private data. Only call this via rpccli_netlogon_setup_creds(). JRA. */ -static NTSTATUS rpccli_net_req_chal(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - const char *server_name, - const char *clnt_name, - const DOM_CHAL *clnt_chal_in, - DOM_CHAL *srv_chal_out) -{ - prs_struct qbuf, rbuf; - NET_Q_REQ_CHAL q; - NET_R_REQ_CHAL r; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - - /* create and send a MSRPC command with api NET_REQCHAL */ - - DEBUG(4,("cli_net_req_chal: LSA Request Challenge from %s to %s\n", - clnt_name, server_name)); - - /* store the parameters */ - init_q_req_chal(&q, server_name, clnt_name, clnt_chal_in); - - /* Marshall data and send request */ - CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_REQCHAL, - q, r, - qbuf, rbuf, - net_io_q_req_chal, - net_io_r_req_chal, - NT_STATUS_UNSUCCESSFUL); - - result = r.status; - - /* Return result */ - - if (NT_STATUS_IS_OK(result)) { - /* Store the returned server challenge. */ - *srv_chal_out = r.srv_chal; - } - - return result; -} +/* instead of rpccli_net_req_chal() we use rpccli_netr_ServerReqChallenge() now - gd */ #if 0 /**************************************************************************** @@ -147,50 +109,8 @@ password ?).\n", cli->cli->desthost )); encrypt of the server challenge originally received. JRA. ****************************************************************************/ -static NTSTATUS rpccli_net_auth2(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - const char *server_name, - const char *account_name, - uint16 sec_chan_type, - const char *computer_name, - uint32 *neg_flags_inout, - const DOM_CHAL *clnt_chal_in, - DOM_CHAL *srv_chal_out) -{ - prs_struct qbuf, rbuf; - NET_Q_AUTH_2 q; - NET_R_AUTH_2 r; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - - /* create and send a MSRPC command with api NET_AUTH2 */ - - DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s neg: %x\n", - server_name, account_name, sec_chan_type, computer_name, - *neg_flags_inout)); - - /* store the parameters */ - - init_q_auth_2(&q, server_name, account_name, sec_chan_type, - computer_name, clnt_chal_in, *neg_flags_inout); - - /* turn parameters into data stream */ +/* instead of rpccli_net_auth2() we use rpccli_netr_ServerAuthenticate2() now - gd */ - CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_AUTH2, - q, r, - qbuf, rbuf, - net_io_q_auth_2, - net_io_r_auth_2, - NT_STATUS_UNSUCCESSFUL); - - result = r.status; - - if (NT_STATUS_IS_OK(result)) { - *srv_chal_out = r.srv_chal; - *neg_flags_inout = r.srv_flgs.neg_flags; - } - - return result; -} #if 0 /* not currebntly used */ /**************************************************************************** -- cgit From 697f8904e7ec90aa5817c7903bf266e8d04c96b0 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 16 Feb 2008 16:06:55 +0100 Subject: Remove unused marshalling for NET_SRV_PWSET. Guenther (This used to be commit e48737f04d2324b604f3290904ec6163a6242ae5) --- source3/rpc_client/cli_netlogon.c | 48 --------------------------------------- 1 file changed, 48 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index d84eb0173d..b50a03359e 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -577,51 +577,3 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, return result; } - -/*************************************************************************** -LSA Server Password Set. -****************************************************************************/ - -NTSTATUS rpccli_net_srv_pwset(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, - const char *machine_name, const uint8 hashed_mach_pwd[16]) -{ - prs_struct rbuf; - prs_struct qbuf; - DOM_CRED clnt_creds; - NET_Q_SRV_PWSET q; - NET_R_SRV_PWSET r; - uint16 sec_chan_type = 2; - NTSTATUS result; - - creds_client_step(cli->dc, &clnt_creds); - - DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s\n", - cli->dc->remote_machine, cli->dc->mach_acct, sec_chan_type, machine_name)); - - /* store the parameters */ - init_q_srv_pwset(&q, cli->dc->remote_machine, (const char *)cli->dc->sess_key, - cli->dc->mach_acct, sec_chan_type, machine_name, - &clnt_creds, hashed_mach_pwd); - - CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_SRVPWSET, - q, r, - qbuf, rbuf, - net_io_q_srv_pwset, - net_io_r_srv_pwset, - NT_STATUS_UNSUCCESSFUL); - - result = r.status; - - if (!NT_STATUS_IS_OK(result)) { - /* report error code */ - DEBUG(0,("cli_net_srv_pwset: %s\n", nt_errstr(result))); - } - - /* Always check returned credentials. */ - if (!creds_client_check(cli->dc, &r.srv_cred.challenge)) { - DEBUG(0,("rpccli_net_srv_pwset: credentials chain check failed\n")); - return NT_STATUS_ACCESS_DENIED; - } - - return result; -} -- cgit From 9f8f9c1483207b8cf265fefb2a31fc65bdcc416e Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sun, 17 Feb 2008 02:10:43 +0100 Subject: Finally let our samlogon routines call rpccli_netr_LogonSamLogon internally and return netr_SamInfo3. Guenther (This used to be commit 9e5b732d451f6a2f09d2a71e5a3aec59c771db01) --- source3/rpc_client/cli_netlogon.c | 353 +++++++++++++++++++++++--------------- 1 file changed, 213 insertions(+), 140 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index b50a03359e..c3d1360ed8 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. NT Domain Authentication SMB / MSRPC client Copyright (C) Andrew Tridgell 1992-2000 @@ -9,12 +9,12 @@ it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see . */ @@ -34,12 +34,12 @@ LSA Authenticate 2 Send the client credential, receive back a server credential. -Ensure that the server credential returned matches the session key +Ensure that the server credential returned matches the session key encrypt of the server challenge originally received. JRA. ****************************************************************************/ - NTSTATUS rpccli_net_auth2(struct rpc_pipe_client *cli, - uint16 sec_chan, + NTSTATUS rpccli_net_auth2(struct rpc_pipe_client *cli, + uint16 sec_chan, uint32 *neg_flags, DOM_CHAL *srv_chal) { prs_struct qbuf, rbuf; @@ -52,7 +52,7 @@ encrypt of the server challenge originally received. JRA. fstr_sprintf( machine_acct, "%s$", lp_workgroup() ); else fstrcpy( machine_acct, cli->mach_acct ); - + /* create and send a MSRPC command with api NET_AUTH2 */ DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", @@ -61,8 +61,8 @@ encrypt of the server challenge originally received. JRA. /* store the parameters */ - init_q_auth_2(&q, cli->srv_name_slash, machine_acct, - sec_chan, global_myname(), &cli->clnt_cred.challenge, + init_q_auth_2(&q, cli->srv_name_slash, machine_acct, + sec_chan, global_myname(), &cli->clnt_cred.challenge, *neg_flags); /* turn parameters into data stream */ @@ -78,7 +78,7 @@ encrypt of the server challenge originally received. JRA. if (NT_STATUS_IS_OK(result)) { UTIME zerotime; - + /* * Check the returned value using the initial * server received challenge. @@ -105,7 +105,7 @@ password ?).\n", cli->cli->desthost )); LSA Authenticate 2 Send the client credential, receive back a server credential. - The caller *must* ensure that the server credential returned matches the session key + The caller *must* ensure that the server credential returned matches the session key encrypt of the server challenge originally received. JRA. ****************************************************************************/ @@ -117,11 +117,11 @@ password ?).\n", cli->cli->desthost )); LSA Authenticate 3 Send the client credential, receive back a server credential. - The caller *must* ensure that the server credential returned matches the session key + The caller *must* ensure that the server credential returned matches the session key encrypt of the server challenge originally received. JRA. ****************************************************************************/ -static NTSTATUS rpccli_net_auth3(struct rpc_pipe_client *cli, +static NTSTATUS rpccli_net_auth3(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, const char *server_name, const char *account_name, @@ -225,9 +225,9 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, machine_pwd, &clnt_chal_send); - /* - * Send client auth-2 challenge and receive server repy. - */ + /* + * Send client auth-2 challenge and receive server repy. + */ result = rpccli_netr_ServerAuthenticate2(cli, cli->mem_ctx, dc->remote_machine, @@ -274,20 +274,23 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, const char *workstation, int logon_type) { - prs_struct qbuf, rbuf; - NET_Q_SAM_LOGON q; - NET_R_SAM_LOGON r; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - DOM_CRED clnt_creds; - DOM_CRED ret_creds; - NET_ID_INFO_CTR ctr; - NET_USER_INFO_3 user; - int validation_level = 3; + struct netr_Authenticator clnt_creds; + struct netr_Authenticator ret_creds; + union netr_LogonLevel *logon; + union netr_Validation validation; + uint8_t authoritative; + int validation_level = 3; fstring clnt_name_slash; + uint8 zeros[16]; - ZERO_STRUCT(q); - ZERO_STRUCT(r); ZERO_STRUCT(ret_creds); + ZERO_STRUCT(zeros); + + logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonLevel); + if (!logon) { + return NT_STATUS_NO_MEMORY; + } if (workstation) { fstr_sprintf( clnt_name_slash, "\\\\%s", workstation ); @@ -295,85 +298,140 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, fstr_sprintf( clnt_name_slash, "\\\\%s", global_myname() ); } - /* Initialise input parameters */ + /* Initialise input parameters */ - creds_client_step(cli->dc, &clnt_creds); + netlogon_creds_client_step(cli->dc, &clnt_creds); - q.validation_level = validation_level; + switch (logon_type) { + case INTERACTIVE_LOGON_TYPE: { - ctr.switch_value = logon_type; + struct netr_PasswordInfo *password_info; - switch (logon_type) { - case INTERACTIVE_LOGON_TYPE: { - unsigned char lm_owf_user_pwd[16], nt_owf_user_pwd[16]; + struct samr_Password lmpassword; + struct samr_Password ntpassword; - nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd); + unsigned char lm_owf_user_pwd[16], nt_owf_user_pwd[16]; - init_id_info1(&ctr.auth.id1, domain, - logon_parameters, /* param_ctrl */ - 0xdead, 0xbeef, /* LUID? */ - username, clnt_name_slash, - (const char *)cli->dc->sess_key, lm_owf_user_pwd, - nt_owf_user_pwd); + unsigned char lm_owf[16]; + unsigned char nt_owf[16]; + unsigned char key[16]; - break; - } - case NET_LOGON_TYPE: { - uint8 chal[8]; - unsigned char local_lm_response[24]; - unsigned char local_nt_response[24]; - - generate_random_buffer(chal, 8); - - SMBencrypt(password, chal, local_lm_response); - SMBNTencrypt(password, chal, local_nt_response); - - init_id_info2(&ctr.auth.id2, domain, - logon_parameters, /* param_ctrl */ - 0xdead, 0xbeef, /* LUID? */ - username, clnt_name_slash, chal, - local_lm_response, 24, local_nt_response, 24); - break; - } - default: - DEBUG(0, ("switch value %d not supported\n", - ctr.switch_value)); - return NT_STATUS_INVALID_INFO_CLASS; - } + password_info = TALLOC_ZERO_P(mem_ctx, struct netr_PasswordInfo); + if (!password_info) { + return NT_STATUS_NO_MEMORY; + } - r.user = &user; + nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd); - init_sam_info(&q.sam_id, cli->dc->remote_machine, global_myname(), - &clnt_creds, &ret_creds, logon_type, - &ctr); +#ifdef DEBUG_PASSWORD + DEBUG(100,("lm cypher:")); + dump_data(100, lm_owf_user_pwd, 16); - /* Marshall data and send request */ + DEBUG(100,("nt cypher:")); + dump_data(100, nt_owf_user_pwd, 16); +#endif + memset(key, 0, 16); + memcpy(key, cli->dc->sess_key, 8); - CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_SAMLOGON, - q, r, - qbuf, rbuf, - net_io_q_sam_logon, - net_io_r_sam_logon, - NT_STATUS_UNSUCCESSFUL); + memcpy(lm_owf, lm_owf_user_pwd, 16); + SamOEMhash(lm_owf, key, 16); + memcpy(nt_owf, nt_owf_user_pwd, 16); + SamOEMhash(nt_owf, key, 16); - /* Return results */ +#ifdef DEBUG_PASSWORD + DEBUG(100,("encrypt of lm owf password:")); + dump_data(100, lm_owf, 16); - result = r.status; + DEBUG(100,("encrypt of nt owf password:")); + dump_data(100, nt_owf, 16); +#endif + memcpy(lmpassword.hash, lm_owf, 16); + memcpy(ntpassword.hash, nt_owf, 16); + + init_netr_PasswordInfo(password_info, + domain, + logon_parameters, + 0xdead, + 0xbeef, + username, + clnt_name_slash, + lmpassword, + ntpassword); + + logon->password = password_info; + + break; + } + case NET_LOGON_TYPE: { + struct netr_NetworkInfo *network_info; + uint8 chal[8]; + unsigned char local_lm_response[24]; + unsigned char local_nt_response[24]; + struct netr_ChallengeResponse lm; + struct netr_ChallengeResponse nt; + + network_info = TALLOC_ZERO_P(mem_ctx, struct netr_NetworkInfo); + if (!network_info) { + return NT_STATUS_NO_MEMORY; + } + + generate_random_buffer(chal, 8); + + SMBencrypt(password, chal, local_lm_response); + SMBNTencrypt(password, chal, local_nt_response); + + lm.length = 24; + lm.data = local_lm_response; - if (r.buffer_creds) { + nt.length = 24; + nt.data = local_nt_response; + + init_netr_NetworkInfo(network_info, + domain, + logon_parameters, + 0xdead, + 0xbeef, + username, + clnt_name_slash, + chal, + nt, + lm); + + logon->network = network_info; + + break; + } + default: + DEBUG(0, ("switch value %d not supported\n", + logon_type)); + return NT_STATUS_INVALID_INFO_CLASS; + } + + result = rpccli_netr_LogonSamLogon(cli, mem_ctx, + cli->dc->remote_machine, + global_myname(), + &clnt_creds, + &ret_creds, + logon_type, + logon, + validation_level, + &validation, + &authoritative); + + if (memcmp(zeros, &ret_creds.cred.data, sizeof(ret_creds.cred.data)) != 0) { /* Check returned credentials if present. */ - if (!creds_client_check(cli->dc, &r.srv_creds.challenge)) { + if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) { DEBUG(0,("rpccli_netlogon_sam_logon: credentials chain check failed\n")); return NT_STATUS_ACCESS_DENIED; } } - return result; + return result; } -/** - * Logon domain user with an 'network' SAM logon +/** + * Logon domain user with an 'network' SAM logon * * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller. **/ @@ -384,31 +442,44 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, const char *server, const char *username, const char *domain, - const char *workstation, - const uint8 chal[8], + const char *workstation, + const uint8 chal[8], DATA_BLOB lm_response, DATA_BLOB nt_response, - NET_USER_INFO_3 *info3) + struct netr_SamInfo3 **info3) { - prs_struct qbuf, rbuf; - NET_Q_SAM_LOGON q; - NET_R_SAM_LOGON r; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - NET_ID_INFO_CTR ctr; int validation_level = 3; const char *workstation_name_slash; const char *server_name_slash; uint8 zeros[16]; - DOM_CRED clnt_creds; - DOM_CRED ret_creds; - int i; + struct netr_Authenticator clnt_creds; + struct netr_Authenticator ret_creds; + union netr_LogonLevel *logon = NULL; + struct netr_NetworkInfo *network_info; + uint8_t authoritative; + union netr_Validation validation; + struct netr_ChallengeResponse lm; + struct netr_ChallengeResponse nt; + struct netr_UserSessionKey user_session_key; + struct netr_LMSessionKey lmsesskey; + + *info3 = NULL; ZERO_STRUCT(zeros); - ZERO_STRUCT(q); - ZERO_STRUCT(r); ZERO_STRUCT(ret_creds); - creds_client_step(cli->dc, &clnt_creds); + logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonLevel); + if (!logon) { + return NT_STATUS_NO_MEMORY; + } + + network_info = TALLOC_ZERO_P(mem_ctx, struct netr_NetworkInfo); + if (!network_info) { + return NT_STATUS_NO_MEMORY; + } + + netlogon_creds_client_step(cli->dc, &clnt_creds); if (server[0] != '\\' && server[1] != '\\') { server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server); @@ -429,60 +500,62 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, /* Initialise input parameters */ - q.validation_level = validation_level; - - ctr.switch_value = NET_LOGON_TYPE; - - init_id_info2(&ctr.auth.id2, domain, - logon_parameters, /* param_ctrl */ - 0xdead, 0xbeef, /* LUID? */ - username, workstation_name_slash, (const uchar*)chal, - lm_response.data, lm_response.length, nt_response.data, nt_response.length); - - init_sam_info(&q.sam_id, server_name_slash, global_myname(), - &clnt_creds, &ret_creds, NET_LOGON_TYPE, - &ctr); - - r.user = info3; - - /* Marshall data and send request */ - - CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_SAMLOGON, - q, r, - qbuf, rbuf, - net_io_q_sam_logon, - net_io_r_sam_logon, - NT_STATUS_UNSUCCESSFUL); - - if (memcmp(zeros, info3->user_sess_key, 16) != 0) { - SamOEMhash(info3->user_sess_key, cli->dc->sess_key, 16); - } else { - memset(info3->user_sess_key, '\0', 16); + lm.data = lm_response.data; + lm.length = lm_response.length; + nt.data = nt_response.data; + nt.length = nt_response.length; + + init_netr_NetworkInfo(network_info, + domain, + logon_parameters, + 0xdead, + 0xbeef, + username, + workstation_name_slash, + (uint8_t *) chal, + nt, + lm); + + logon->network = network_info; + + /* Marshall data and send request */ + + result = rpccli_netr_LogonSamLogon(cli, mem_ctx, + server_name_slash, + global_myname(), + &clnt_creds, + &ret_creds, + NET_LOGON_TYPE, + logon, + validation_level, + &validation, + &authoritative); + if (!NT_STATUS_IS_OK(result)) { + return result; } - if (memcmp(zeros, info3->lm_sess_key, 8) != 0) { - SamOEMhash(info3->lm_sess_key, cli->dc->sess_key, 8); - } else { - memset(info3->lm_sess_key, '\0', 8); - } + user_session_key = validation.sam3->base.key; + lmsesskey = validation.sam3->base.LMSessKey; - for (i=0; i < 7; i++) { - memset(&info3->unknown[i], '\0', 4); + if (memcmp(zeros, user_session_key.key, 16) != 0) { + SamOEMhash(user_session_key.key, cli->dc->sess_key, 16); } - /* Return results */ - - result = r.status; + if (memcmp(zeros, lmsesskey.key, 8) != 0) { + SamOEMhash(lmsesskey.key, cli->dc->sess_key, 8); + } - if (r.buffer_creds) { + if (memcmp(zeros, ret_creds.cred.data, sizeof(ret_creds.cred.data)) != 0) { /* Check returned credentials if present. */ - if (!creds_client_check(cli->dc, &r.srv_creds.challenge)) { + if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) { DEBUG(0,("rpccli_netlogon_sam_network_logon: credentials chain check failed\n")); return NT_STATUS_ACCESS_DENIED; } } - return result; + *info3 = validation.sam3; + + return result; } NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, @@ -491,8 +564,8 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, const char *server, const char *username, const char *domain, - const char *workstation, - const uint8 chal[8], + const char *workstation, + const uint8 chal[8], DATA_BLOB lm_response, DATA_BLOB nt_response, NET_USER_INFO_3 *info3) @@ -541,7 +614,7 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, username, workstation_name_slash, (const uchar*)chal, lm_response.data, lm_response.length, nt_response.data, nt_response.length); - + init_sam_info_ex(&q.sam_id, server_name_slash, global_myname(), NET_LOGON_TYPE, &ctr); -- cgit From 9519d95c4adbcc44abaf1288bcda0972d625036c Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sun, 17 Feb 2008 02:37:12 +0100 Subject: Use rpccli_netr_LogonSamLogonEx in rpccli wrapping function. Guenther (This used to be commit 51a664cd5fc1cecc21a8a515bb959cac87296bcb) --- source3/rpc_client/cli_netlogon.c | 96 +++++++++++++++++++++++---------------- 1 file changed, 57 insertions(+), 39 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index c3d1360ed8..064de5e4ea 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -568,22 +568,36 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, const uint8 chal[8], DATA_BLOB lm_response, DATA_BLOB nt_response, - NET_USER_INFO_3 *info3) + struct netr_SamInfo3 **info3) { - prs_struct qbuf, rbuf; - NET_Q_SAM_LOGON_EX q; - NET_R_SAM_LOGON_EX r; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - NET_ID_INFO_CTR ctr; int validation_level = 3; const char *workstation_name_slash; const char *server_name_slash; uint8 zeros[16]; - int i; + union netr_LogonLevel *logon = NULL; + struct netr_NetworkInfo *network_info; + uint8_t authoritative; + union netr_Validation validation; + struct netr_ChallengeResponse lm; + struct netr_ChallengeResponse nt; + struct netr_UserSessionKey user_session_key; + struct netr_LMSessionKey lmsesskey; + uint32_t flags = 0; + + *info3 = NULL; ZERO_STRUCT(zeros); - ZERO_STRUCT(q); - ZERO_STRUCT(r); + + logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonLevel); + if (!logon) { + return NT_STATUS_NO_MEMORY; + } + + network_info = TALLOC_ZERO_P(mem_ctx, struct netr_NetworkInfo); + if (!network_info) { + return NT_STATUS_NO_MEMORY; + } if (server[0] != '\\' && server[1] != '\\') { server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server); @@ -604,49 +618,53 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, /* Initialise input parameters */ - q.validation_level = validation_level; - - ctr.switch_value = NET_LOGON_TYPE; - - init_id_info2(&ctr.auth.id2, domain, - logon_parameters, /* param_ctrl */ - 0xdead, 0xbeef, /* LUID? */ - username, workstation_name_slash, (const uchar*)chal, - lm_response.data, lm_response.length, nt_response.data, - nt_response.length); + lm.data = lm_response.data; + lm.length = lm_response.length; + nt.data = nt_response.data; + nt.length = nt_response.length; - init_sam_info_ex(&q.sam_id, server_name_slash, global_myname(), - NET_LOGON_TYPE, &ctr); + init_netr_NetworkInfo(network_info, + domain, + logon_parameters, + 0xdead, + 0xbeef, + username, + workstation_name_slash, + (uint8_t *) chal, + nt, + lm); - r.user = info3; + logon->network = network_info; /* Marshall data and send request */ - CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_SAMLOGON_EX, - q, r, qbuf, rbuf, - net_io_q_sam_logon_ex, - net_io_r_sam_logon_ex, - NT_STATUS_UNSUCCESSFUL); - - if (memcmp(zeros, info3->user_sess_key, 16) != 0) { - SamOEMhash(info3->user_sess_key, cli->dc->sess_key, 16); - } else { - memset(info3->user_sess_key, '\0', 16); + result = rpccli_netr_LogonSamLogonEx(cli, mem_ctx, + server_name_slash, + global_myname(), + NET_LOGON_TYPE, + logon, + validation_level, + &validation, + &authoritative, + &flags); + if (!NT_STATUS_IS_OK(result)) { + return result; } - if (memcmp(zeros, info3->lm_sess_key, 8) != 0) { - SamOEMhash(info3->lm_sess_key, cli->dc->sess_key, 8); - } else { - memset(info3->lm_sess_key, '\0', 8); + user_session_key = validation.sam3->base.key; + lmsesskey = validation.sam3->base.LMSessKey; + + if (memcmp(zeros, user_session_key.key, 16) != 0) { + SamOEMhash(user_session_key.key, cli->dc->sess_key, 16); } - for (i=0; i < 7; i++) { - memset(&info3->unknown[i], '\0', 4); + if (memcmp(zeros, lmsesskey.key, 8) != 0) { + SamOEMhash(lmsesskey.key, cli->dc->sess_key, 8); } - /* Return results */ + *info3 = validation.sam3; - result = r.status; + return result; return result; } -- cgit From 95cd28299ec3764cc12c7ffb29b764d1a7cc4bee Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sun, 17 Feb 2008 02:53:23 +0100 Subject: Remove unused marshalling for NET_AUTH3. Guenther (This used to be commit ccf3ba0f5ce30d45a3d644552d1245391bf01754) --- source3/rpc_client/cli_netlogon.c | 52 --------------------------------------- 1 file changed, 52 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 064de5e4ea..cdf51c6241 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -112,58 +112,6 @@ password ?).\n", cli->cli->desthost )); /* instead of rpccli_net_auth2() we use rpccli_netr_ServerAuthenticate2() now - gd */ -#if 0 /* not currebntly used */ -/**************************************************************************** - LSA Authenticate 3 - - Send the client credential, receive back a server credential. - The caller *must* ensure that the server credential returned matches the session key - encrypt of the server challenge originally received. JRA. -****************************************************************************/ - -static NTSTATUS rpccli_net_auth3(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - const char *server_name, - const char *account_name, - uint16 sec_chan_type, - const char *computer_name, - uint32 *neg_flags_inout, - const DOM_CHAL *clnt_chal_in, - DOM_CHAL *srv_chal_out) -{ - prs_struct qbuf, rbuf; - NET_Q_AUTH_3 q; - NET_R_AUTH_3 r; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - - /* create and send a MSRPC command with api NET_AUTH2 */ - - DEBUG(4,("cli_net_auth3: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", - server_name, account_name, sec_chan_type, computer_name, - credstr(clnt_chal_in->data), *neg_flags_inout)); - - /* store the parameters */ - init_q_auth_3(&q, server_name, account_name, sec_chan_type, - computer_name, clnt_chal_in, *neg_flags_inout); - - /* turn parameters into data stream */ - - CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_AUTH3, - q, r, - qbuf, rbuf, - net_io_q_auth_3, - net_io_r_auth_3, - NT_STATUS_UNSUCCESSFUL); - - if (NT_STATUS_IS_OK(result)) { - *srv_chal_out = r.srv_chal; - *neg_flags_inout = r.srv_flgs.neg_flags; - } - - return result; -} -#endif /* not currebntly used */ - /**************************************************************************** Wrapper function that uses the auth and auth2 calls to set up a NETLOGON credentials chain. Stores the credentials in the struct dcinfo in the -- cgit From bdd5f1cb2a3edc8c654116bc602bef743f6a0a10 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 19 Feb 2008 01:48:58 +0100 Subject: Fix some uninitialized data in new netlogon client. Guenther (This used to be commit bd6e2fcf3b3ab15736584edbbfb941b381988499) --- source3/rpc_client/cli_netlogon.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index cdf51c6241..91e27c5d85 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -318,6 +318,9 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, struct netr_ChallengeResponse lm; struct netr_ChallengeResponse nt; + ZERO_STRUCT(lm); + ZERO_STRUCT(nt); + network_info = TALLOC_ZERO_P(mem_ctx, struct netr_NetworkInfo); if (!network_info) { return NT_STATUS_NO_MEMORY; @@ -417,6 +420,9 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, ZERO_STRUCT(zeros); ZERO_STRUCT(ret_creds); + ZERO_STRUCT(lm); + ZERO_STRUCT(nt); + logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonLevel); if (!logon) { return NT_STATUS_NO_MEMORY; @@ -537,6 +543,9 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, ZERO_STRUCT(zeros); + ZERO_STRUCT(lm); + ZERO_STRUCT(nt); + logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonLevel); if (!logon) { return NT_STATUS_NO_MEMORY; -- cgit From 7269a504fdd06fbbe24c2df8e084b41382d71269 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 27 Feb 2008 19:38:48 +0100 Subject: Add my copyright. Guenther (This used to be commit d078a8757182d84dfd3307a2e1b751cf173aaa97) --- source3/rpc_client/cli_netlogon.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 91e27c5d85..2af514320e 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -4,6 +4,7 @@ Copyright (C) Andrew Tridgell 1992-2000 Copyright (C) Jeremy Allison 1998. Largely re-written by Jeremy Allison (C) 2005. + Copyright (C) Guenther Deschner 2008. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by -- cgit From d8d1eea13663ceb28aefdf734592b90a108891b0 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 26 Mar 2008 22:25:51 +0100 Subject: Fix typo. Guenther (This used to be commit ffe77dc8b0476b7a5d81d63c3cf67f81033df12e) --- source3/rpc_client/cli_netlogon.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 2af514320e..4cd55dc5aa 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -623,6 +623,4 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, *info3 = validation.sam3; return result; - - return result; } -- cgit From b1198fc9fdc086f025ee05f3b2a382947d037b68 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 27 Mar 2008 13:03:12 +0100 Subject: Fix samlogon rpc client & server. Guenther (This used to be commit 0aaf975560dce3b4e58ab71687c3412c0c2a72cf) --- source3/rpc_client/cli_netlogon.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 4cd55dc5aa..ec16186462 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -226,7 +226,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, NTSTATUS result = NT_STATUS_UNSUCCESSFUL; struct netr_Authenticator clnt_creds; struct netr_Authenticator ret_creds; - union netr_LogonLevel *logon; + union netr_LogonInfo *logon; union netr_Validation validation; uint8_t authoritative; int validation_level = 3; @@ -236,7 +236,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, ZERO_STRUCT(ret_creds); ZERO_STRUCT(zeros); - logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonLevel); + logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonInfo); if (!logon) { return NT_STATUS_NO_MEMORY; } @@ -407,7 +407,7 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, uint8 zeros[16]; struct netr_Authenticator clnt_creds; struct netr_Authenticator ret_creds; - union netr_LogonLevel *logon = NULL; + union netr_LogonInfo *logon = NULL; struct netr_NetworkInfo *network_info; uint8_t authoritative; union netr_Validation validation; @@ -424,7 +424,7 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, ZERO_STRUCT(lm); ZERO_STRUCT(nt); - logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonLevel); + logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonInfo); if (!logon) { return NT_STATUS_NO_MEMORY; } @@ -530,7 +530,7 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, const char *workstation_name_slash; const char *server_name_slash; uint8 zeros[16]; - union netr_LogonLevel *logon = NULL; + union netr_LogonInfo *logon = NULL; struct netr_NetworkInfo *network_info; uint8_t authoritative; union netr_Validation validation; @@ -547,7 +547,7 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, ZERO_STRUCT(lm); ZERO_STRUCT(nt); - logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonLevel); + logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonInfo); if (!logon) { return NT_STATUS_NO_MEMORY; } -- cgit From 99d35904552b01ef9f2adc40e16887da9eb4de69 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 2 Apr 2008 02:29:48 +0200 Subject: Fix NETLOGON credential chain with Windows 2008 all over the place. In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8 netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate flags everywhere (not only when running in security=ads). Only for NT4 we need to do a downgrade to the returned negotiate flags. Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6. Guenther (This used to be commit 0970369ca0cb9ae465cff40e5c75739824daf1d0) --- source3/rpc_client/cli_netlogon.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index ec16186462..851a4a8da8 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -132,6 +132,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, struct netr_Credential clnt_chal_send; struct netr_Credential srv_chal_recv; struct dcinfo *dc; + bool retried = false; SMB_ASSERT(cli->pipe_idx == PI_NETLOGON); @@ -153,6 +154,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, fstr_sprintf( dc->mach_acct, "%s$", machine_account); + again: /* Create the client challenge. */ generate_random_buffer(clnt_chal_send.data, 8); @@ -186,6 +188,15 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, &clnt_chal_send, /* input. */ &srv_chal_recv, /* output. */ neg_flags_inout); + + /* we might be talking to NT4, so let's downgrade in that case and retry + * with the returned neg_flags - gd */ + + if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && !retried) { + retried = true; + goto again; + } + if (!NT_STATUS_IS_OK(result)) { return result; } -- cgit From b46d340fd5d7e88684ac77000e17c1899ff608b2 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 19 Apr 2008 18:17:13 +0200 Subject: Refactoring: Make struct rpc_pipe_client its own talloc parent (This used to be commit a6d74a5a562b54f0b36934965f545fdeb1e8b34a) --- source3/rpc_client/cli_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 851a4a8da8..478a855882 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -159,7 +159,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, generate_random_buffer(clnt_chal_send.data, 8); /* Get the server challenge. */ - result = rpccli_netr_ServerReqChallenge(cli, cli->mem_ctx, + result = rpccli_netr_ServerReqChallenge(cli, talloc_tos(), dc->remote_machine, clnt_name, &clnt_chal_send, @@ -180,7 +180,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, * Send client auth-2 challenge and receive server repy. */ - result = rpccli_netr_ServerAuthenticate2(cli, cli->mem_ctx, + result = rpccli_netr_ServerAuthenticate2(cli, talloc_tos(), dc->remote_machine, dc->mach_acct, sec_chan_type, -- cgit From 2a2188591b5ed922d09dc723adcf10f8b8f5e5a0 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 19 Apr 2008 21:56:43 +0200 Subject: Add "desthost" to rpc_pipe_client This reduces the dependency on cli_state (This used to be commit 783afab9c891dd7bcb78895b2a639b6f3a0edf5b) --- source3/rpc_client/cli_netlogon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 478a855882..bf1e161957 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -212,13 +212,13 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, */ DEBUG(0,("rpccli_netlogon_setup_creds: server %s " "replied with bad credential\n", - cli->cli->desthost )); + cli->desthost )); return NT_STATUS_ACCESS_DENIED; } DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential " "chain established.\n", - cli->cli->desthost )); + cli->desthost )); return NT_STATUS_OK; } -- cgit From f56eedb95c64593ceff0ef91b99729c5071aa7ac Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 20 Apr 2008 11:45:41 +0200 Subject: Remove the pipe_idx variable from rpc_pipe_client (This used to be commit 4840febcd481563c3d9b2fabc1fe1b2ae5a76cf6) --- source3/rpc_client/cli_netlogon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index bf1e161957..cb1d93e9c1 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -134,7 +134,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, struct dcinfo *dc; bool retried = false; - SMB_ASSERT(cli->pipe_idx == PI_NETLOGON); + SMB_ASSERT(rpccli_is_pipe_idx(cli, PI_NETLOGON)); dc = cli->dc; if (!dc) { -- cgit From 2e905d2cd14b96af4ed8a912cc1f46c661e31756 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 20 Jul 2008 10:40:43 +0200 Subject: Allocate rpc_cli->dc in rpccli_netlogon_setup_creds() The general cli_pipe routines should not have to know about this NETLOGON speciality. (This used to be commit d30237598d0c55b73e202c1de3a020194b67a7e6) --- source3/rpc_client/cli_netlogon.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index cb1d93e9c1..7beaae2e22 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -136,13 +136,12 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, SMB_ASSERT(rpccli_is_pipe_idx(cli, PI_NETLOGON)); - dc = cli->dc; - if (!dc) { - return NT_STATUS_INVALID_PARAMETER; + TALLOC_FREE(cli->dc); + cli->dc = talloc_zero(cli, struct dcinfo); + if (cli->dc == NULL) { + return NT_STATUS_NO_MEMORY; } - - /* Ensure we don't reuse any of this state. */ - ZERO_STRUCTP(dc); + dc = cli->dc; /* Store the machine account password we're going to use. */ memcpy(dc->mach_pw, machine_pwd, 16); -- cgit From d460ead4680780acb5fded5b33124711de23e536 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 21 Jul 2008 12:04:44 +0200 Subject: Remove one reference to PI_NETLOGON (This used to be commit e89bbab1b875a0b55b70913dcc1e3e73137c8b90) --- source3/rpc_client/cli_netlogon.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 7beaae2e22..8b905e95fa 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -134,7 +134,8 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, struct dcinfo *dc; bool retried = false; - SMB_ASSERT(rpccli_is_pipe_idx(cli, PI_NETLOGON)); + SMB_ASSERT(ndr_syntax_id_equal(&cli->abstract_syntax, + &ndr_table_netlogon.syntax_id)); TALLOC_FREE(cli->dc); cli->dc = talloc_zero(cli, struct dcinfo); -- cgit From abce3cdf56e635465e3c5f0bf7340e101c743ed2 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 21 Jul 2008 12:05:46 +0200 Subject: Remove some unused code (This used to be commit b60a681dd09349426aa522d697abacf62ebfdaf2) --- source3/rpc_client/cli_netlogon.c | 91 --------------------------------------- 1 file changed, 91 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 8b905e95fa..fcce18dfc0 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -22,97 +22,6 @@ #include "includes.h" -/* LSA Request Challenge. Sends our challenge to server, then gets - server response. These are used to generate the credentials. - The sent and received challenges are stored in the netlog pipe - private data. Only call this via rpccli_netlogon_setup_creds(). JRA. -*/ - -/* instead of rpccli_net_req_chal() we use rpccli_netr_ServerReqChallenge() now - gd */ - -#if 0 -/**************************************************************************** -LSA Authenticate 2 - -Send the client credential, receive back a server credential. -Ensure that the server credential returned matches the session key -encrypt of the server challenge originally received. JRA. -****************************************************************************/ - - NTSTATUS rpccli_net_auth2(struct rpc_pipe_client *cli, - uint16 sec_chan, - uint32 *neg_flags, DOM_CHAL *srv_chal) -{ - prs_struct qbuf, rbuf; - NET_Q_AUTH_2 q; - NET_R_AUTH_2 r; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - fstring machine_acct; - - if ( sec_chan == SEC_CHAN_DOMAIN ) - fstr_sprintf( machine_acct, "%s$", lp_workgroup() ); - else - fstrcpy( machine_acct, cli->mach_acct ); - - /* create and send a MSRPC command with api NET_AUTH2 */ - - DEBUG(4,("cli_net_auth2: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n", - cli->srv_name_slash, machine_acct, sec_chan, global_myname(), - credstr(cli->clnt_cred.challenge.data), *neg_flags)); - - /* store the parameters */ - - init_q_auth_2(&q, cli->srv_name_slash, machine_acct, - sec_chan, global_myname(), &cli->clnt_cred.challenge, - *neg_flags); - - /* turn parameters into data stream */ - - CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_AUTH2, - q, r, - qbuf, rbuf, - net_io_q_auth_2, - net_io_r_auth_2, - NT_STATUS_UNSUCCESSFUL); - - result = r.status; - - if (NT_STATUS_IS_OK(result)) { - UTIME zerotime; - - /* - * Check the returned value using the initial - * server received challenge. - */ - - zerotime.time = 0; - if (cred_assert( &r.srv_chal, cli->sess_key, srv_chal, zerotime) == 0) { - - /* - * Server replied with bad credential. Fail. - */ - DEBUG(0,("cli_net_auth2: server %s replied with bad credential (bad machine \ -password ?).\n", cli->cli->desthost )); - return NT_STATUS_ACCESS_DENIED; - } - *neg_flags = r.srv_flgs.neg_flags; - } - - return result; -} -#endif - -/**************************************************************************** - LSA Authenticate 2 - - Send the client credential, receive back a server credential. - The caller *must* ensure that the server credential returned matches the session key - encrypt of the server challenge originally received. JRA. -****************************************************************************/ - -/* instead of rpccli_net_auth2() we use rpccli_netr_ServerAuthenticate2() now - gd */ - - /**************************************************************************** Wrapper function that uses the auth and auth2 calls to set up a NETLOGON credentials chain. Stores the credentials in the struct dcinfo in the -- cgit From 91df5551a416d59756e7110247b0155621580bae Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 28 Jul 2008 17:52:35 +0200 Subject: Attempt to fix bug 5616 We were calculating the session key but did not return it to the caller... (cherry picked from commit 8ab79b1d009d53e414b90e4a0ab8fc7a4889b6df) (This used to be commit b63a6a1fd6a96bbafd88cacb9493bfea9944d404) --- source3/rpc_client/cli_netlogon.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index fcce18dfc0..e96d724ee9 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -333,8 +333,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, union netr_Validation validation; struct netr_ChallengeResponse lm; struct netr_ChallengeResponse nt; - struct netr_UserSessionKey user_session_key; - struct netr_LMSessionKey lmsesskey; *info3 = NULL; @@ -409,15 +407,14 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, return result; } - user_session_key = validation.sam3->base.key; - lmsesskey = validation.sam3->base.LMSessKey; - - if (memcmp(zeros, user_session_key.key, 16) != 0) { - SamOEMhash(user_session_key.key, cli->dc->sess_key, 16); + if (memcmp(zeros, validation.sam3->base.key.key, 16) != 0) { + SamOEMhash(validation.sam3->base.key.key, + cli->dc->sess_key, 16); } - if (memcmp(zeros, lmsesskey.key, 8) != 0) { - SamOEMhash(lmsesskey.key, cli->dc->sess_key, 8); + if (memcmp(zeros, validation.sam3->base.LMSessKey.key, 8) != 0) { + SamOEMhash(validation.sam3->base.LMSessKey.key, + cli->dc->sess_key, 8); } if (memcmp(zeros, ret_creds.cred.data, sizeof(ret_creds.cred.data)) != 0) { -- cgit From 84bc4ff5469b17ab2714f3fad40ba521bc7b9865 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 30 Jul 2008 19:03:13 +0200 Subject: rpc_client: Bug 5616 - fix session keys also in rpccli_netr_LogonSamLogonEx wrapper. Guenther (This used to be commit fef58091408cce0d7870c86f28f78cf9400cf2b6) --- source3/rpc_client/cli_netlogon.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) (limited to 'source3/rpc_client/cli_netlogon.c') diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index e96d724ee9..df87ed13d1 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -453,8 +453,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, union netr_Validation validation; struct netr_ChallengeResponse lm; struct netr_ChallengeResponse nt; - struct netr_UserSessionKey user_session_key; - struct netr_LMSessionKey lmsesskey; uint32_t flags = 0; *info3 = NULL; @@ -526,15 +524,14 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli, return result; } - user_session_key = validation.sam3->base.key; - lmsesskey = validation.sam3->base.LMSessKey; - - if (memcmp(zeros, user_session_key.key, 16) != 0) { - SamOEMhash(user_session_key.key, cli->dc->sess_key, 16); + if (memcmp(zeros, validation.sam3->base.key.key, 16) != 0) { + SamOEMhash(validation.sam3->base.key.key, + cli->dc->sess_key, 16); } - if (memcmp(zeros, lmsesskey.key, 8) != 0) { - SamOEMhash(lmsesskey.key, cli->dc->sess_key, 8); + if (memcmp(zeros, validation.sam3->base.LMSessKey.key, 8) != 0) { + SamOEMhash(validation.sam3->base.LMSessKey.key, + cli->dc->sess_key, 8); } *info3 = validation.sam3; -- cgit