From 9d1954c25d646c46daa38c3f96f4c4029b9bb417 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 21 Feb 2006 00:07:59 +0000 Subject: r13583: Realise that the member server name appears in all calls that use the credentials. Consistantly rename these elements in the IDL to computer_name. Fix the server-side code to always lookup by this name. Add new, even nastier tests to RPC-SCHANNEL to prove this. Andrew Bartlett (This used to be commit 341a0abeb4a9f88d64ffd4681249cb1f643a7a5a) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 132 +++++++------------------- 1 file changed, 35 insertions(+), 97 deletions(-) (limited to 'source4/rpc_server') diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 176246901b..d506d9192d 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -31,72 +31,9 @@ struct server_pipe_state { struct netr_Credential client_challenge; struct netr_Credential server_challenge; - - /* This is a bit (dangeroursly?) tricky: - - The session key, computer name and domain elements are - valid. - - However the credentials chaining (seed, client, server etc) - should be obtained from the database at runtime */ - struct creds_CredentialState *creds; }; -/* - a client has connected to the netlogon server using schannel, so we need - to re-establish the credentials state -*/ -static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call) -{ - struct server_pipe_state *state; - NTSTATUS status; - - /* We want the client and server challenge zero */ - state = talloc_zero(dce_call->conn, struct server_pipe_state); - if (state == NULL) { - return NT_STATUS_NO_MEMORY; - } - - status = dcerpc_schannel_creds(dce_call->conn->auth_state.gensec_security, - state, - &state->creds); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(3, ("getting schannel credentials failed with %s\n", nt_errstr(status))); - talloc_free(state); - return status; - } - - dce_call->context->private = state; - - return NT_STATUS_OK; -} - -/* - a hook for bind on the netlogon pipe -*/ -static NTSTATUS netlogon_bind(struct dcesrv_call_state *dce_call, const struct dcesrv_interface *di) -{ - dce_call->context->private = NULL; - - /* if this is a schannel bind then we need to reconstruct the pipe state */ - if (dce_call->conn->auth_state.auth_info && - dce_call->conn->auth_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { - NTSTATUS status; - - DEBUG(5, ("schannel bind on netlogon\n")); - - status = netlogon_schannel_setup(dce_call); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(3, ("schannel bind on netlogon failed with %s\n", nt_errstr(status))); - return status; - } - } - - return NT_STATUS_OK; -} - -#define DCESRV_INTERFACE_NETLOGON_BIND netlogon_bind - static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerReqChallenge *r) { @@ -116,8 +53,6 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL return NT_STATUS_NO_MEMORY; } - pipe_state->creds = NULL; - pipe_state->client_challenge = *r->in.credentials; generate_random_buffer(pipe_state->server_challenge.data, @@ -238,12 +173,6 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL /* remember this session key state */ nt_status = schannel_store_session_key(mem_ctx, creds); - if (pipe_state->creds) { - talloc_free(pipe_state->creds); - } - talloc_steal(pipe_state, creds); - pipe_state->creds = creds; - return nt_status; } @@ -302,7 +231,7 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL the caller needs some of that information. */ -static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_state, +static NTSTATUS netr_creds_server_step_check(const char *computer_name, TALLOC_CTX *mem_ctx, struct netr_Authenticator *received_authenticator, struct netr_Authenticator *return_authenticator, @@ -313,11 +242,6 @@ static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_stat struct ldb_context *ldb; int ret; - if (!pipe_state) { - DEBUG(1, ("No challenge requested by client, cannot authenticate\n")); - return NT_STATUS_ACCESS_DENIED; - } - ldb = schannel_db_connect(mem_ctx); if (!ldb) { return NT_STATUS_ACCESS_DENIED; @@ -333,8 +257,8 @@ static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_stat * disconnects) we must update the database every time we * update the structure */ - nt_status = schannel_fetch_session_key_ldb(ldb, ldb, pipe_state->creds->computer_name, - pipe_state->creds->domain, &creds); + nt_status = schannel_fetch_session_key_ldb(ldb, ldb, computer_name, lp_workgroup(), + &creds); if (NT_STATUS_IS_OK(nt_status)) { nt_status = creds_server_step_check(creds, received_authenticator, @@ -365,12 +289,11 @@ static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_stat static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerPasswordSet *r) { - struct server_pipe_state *pipe_state = dce_call->context->private; struct creds_CredentialState *creds; struct ldb_context *sam_ctx; NTSTATUS nt_status; - nt_status = netr_creds_server_step_check(pipe_state, mem_ctx, + nt_status = netr_creds_server_step_check(r->in.computer_name, mem_ctx, &r->in.credential, &r->out.return_authenticator, &creds); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -400,7 +323,6 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerPasswordSet2 *r) { - struct server_pipe_state *pipe_state = dce_call->context->private; struct creds_CredentialState *creds; struct ldb_context *sam_ctx; NTSTATUS nt_status; @@ -410,7 +332,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL struct samr_CryptPassword password_buf; - nt_status = netr_creds_server_step_check(pipe_state, mem_ctx, + nt_status = netr_creds_server_step_check(r->in.computer_name, mem_ctx, &r->in.credential, &r->out.return_authenticator, &creds); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -464,15 +386,15 @@ static WERROR netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TALLOC_CTX /* - netr_LogonSamLogonEx + netr_LogonSamLogon_base This version of the function allows other wrappers to say 'do not check the credentials' + + We can't do the traditional 'wrapping' format completly, as this function must only run under schannel */ -static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_LogonSamLogonEx *r) +static NTSTATUS netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonSamLogonEx *r, struct creds_CredentialState *creds) { - struct server_pipe_state *pipe_state = dce_call->context->private; - struct creds_CredentialState *creds = pipe_state->creds; struct auth_context *auth_context; struct auth_usersupplied_info *user_info; struct auth_serversupplied_info *server_info; @@ -496,7 +418,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ case 1: case 3: case 5: - if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { + if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { creds_arcfour_crypt(creds, r->in.logon.password->lmpassword.hash, sizeof(r->in.logon.password->lmpassword.hash)); @@ -633,6 +555,23 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ return NT_STATUS_OK; } +static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonSamLogonEx *r) +{ + NTSTATUS nt_status; + struct creds_CredentialState *creds; + nt_status = schannel_fetch_session_key(mem_ctx, r->in.computer_name, lp_workgroup(), &creds); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + if (!dce_call->conn->auth_state.auth_info + || dce_call->conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { + return NT_STATUS_INTERNAL_ERROR; + } + return netr_LogonSamLogon_base(dce_call, mem_ctx, r, creds); +} + /* netr_LogonSamLogonWithFlags @@ -640,8 +579,8 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonSamLogonWithFlags *r) { - struct server_pipe_state *pipe_state = dce_call->context->private; NTSTATUS nt_status; + struct creds_CredentialState *creds; struct netr_LogonSamLogonEx r2; struct netr_Authenticator *return_authenticator; @@ -649,21 +588,21 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call, return_authenticator = talloc(mem_ctx, struct netr_Authenticator); NT_STATUS_HAVE_NO_MEMORY(return_authenticator); - nt_status = netr_creds_server_step_check(pipe_state, mem_ctx, + nt_status = netr_creds_server_step_check(r->in.computer_name, mem_ctx, r->in.credential, return_authenticator, - NULL); + &creds); NT_STATUS_NOT_OK_RETURN(nt_status); ZERO_STRUCT(r2); r2.in.server_name = r->in.server_name; - r2.in.workstation = r->in.workstation; + r2.in.computer_name = r->in.computer_name; r2.in.logon_level = r->in.logon_level; r2.in.logon = r->in.logon; r2.in.validation_level = r->in.validation_level; r2.in.flags = r->in.flags; - nt_status = netr_LogonSamLogonEx(dce_call, mem_ctx, &r2); + nt_status = netr_LogonSamLogon_base(dce_call, mem_ctx, &r2, creds); r->out.return_authenticator = return_authenticator; r->out.validation = r2.out.validation; @@ -685,7 +624,7 @@ static NTSTATUS netr_LogonSamLogon(struct dcesrv_call_state *dce_call, TALLOC_CT ZERO_STRUCT(r2); r2.in.server_name = r->in.server_name; - r2.in.workstation = r->in.workstation; + r2.in.computer_name = r->in.computer_name; r2.in.credential = r->in.credential; r2.in.return_authenticator = r->in.return_authenticator; r2.in.logon_level = r->in.logon_level; @@ -947,7 +886,6 @@ static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message * static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_LogonGetDomainInfo *r) { - struct server_pipe_state *pipe_state = dce_call->context->private; const char * const attrs[] = { "dnsDomain", "objectSid", "objectGUID", "flatName", "securityIdentifier", NULL }; @@ -960,7 +898,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL const char *local_domain; - status = netr_creds_server_step_check(pipe_state, mem_ctx, + status = netr_creds_server_step_check(r->in.computer_name, mem_ctx, r->in.credential, r->out.return_authenticator, NULL); -- cgit