From 5095d7b1c84e7e37f553867d699a1983f74d4314 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 6 Apr 2009 22:54:44 +1000 Subject: Rework Samba4 to use the new common libcli/auth code In particular, this is the rename from creds_ to netlogon_creds_, as well as other links to use the new common crypto. Andrew Bartlett --- source4/auth/credentials/credentials.c | 4 +- source4/auth/credentials/credentials.h | 6 +- source4/auth/gensec/gensec.h | 4 +- source4/auth/gensec/schannel.c | 29 ++-- source4/auth/gensec/schannel.h | 6 +- source4/auth/ntlmssp/ntlmssp.h | 5 - source4/libnet/config.mk | 2 +- source4/libnet/libnet_samdump.c | 1 - source4/libnet/libnet_samdump_keytab.c | 1 - source4/libnet/libnet_samsync.c | 18 ++- source4/libnet/libnet_samsync.h | 1 - source4/libnet/libnet_samsync_ldb.c | 1 - source4/librpc/rpc/dcerpc_schannel.c | 18 +-- source4/rpc_server/netlogon/dcerpc_netlogon.c | 190 ++++++++++++-------------- source4/torture/rpc/netlogon.c | 173 +++++++++++------------ source4/torture/rpc/netlogon.h | 2 +- source4/torture/rpc/remote_pac.c | 27 ++-- source4/torture/rpc/samba3rpc.c | 51 +++---- source4/torture/rpc/samlogon.c | 34 ++--- source4/torture/rpc/samr.c | 8 +- source4/torture/rpc/samsync.c | 30 ++-- source4/torture/rpc/schannel.c | 12 +- source4/winbind/wb_sam_logon.c | 14 +- 23 files changed, 316 insertions(+), 321 deletions(-) (limited to 'source4') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 5fb180d7b1..83901db6a5 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -668,7 +668,7 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred, */ _PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, - struct creds_CredentialState *netlogon_creds) + struct netlogon_creds_CredentialState *netlogon_creds) { cred->netlogon_creds = talloc_reference(cred, netlogon_creds); } @@ -677,7 +677,7 @@ _PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, * Return attached NETLOGON credentials */ -struct creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred) +struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred) { return cred->netlogon_creds; } diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 3c2fb8f2e6..311cdc2450 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -102,7 +102,7 @@ struct cli_credentials { /* Private handle for the callback routines to use */ void *priv_data; - struct creds_CredentialState *netlogon_creds; + struct netlogon_creds_CredentialState *netlogon_creds; enum netr_SchannelType secure_channel_type; int kvno; @@ -167,7 +167,7 @@ int cli_credentials_get_keytab(struct cli_credentials *cred, struct loadparm_context *lp_ctx, struct keytab_container **_ktc); const char *cli_credentials_get_domain(struct cli_credentials *cred); -struct creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred); +struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred); void cli_credentials_set_machine_account_pending(struct cli_credentials *cred, struct loadparm_context *lp_ctx); void cli_credentials_set_conf(struct cli_credentials *cred, @@ -210,7 +210,7 @@ bool cli_credentials_set_realm(struct cli_credentials *cred, void cli_credentials_set_secure_channel_type(struct cli_credentials *cred, enum netr_SchannelType secure_channel_type); void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, - struct creds_CredentialState *netlogon_creds); + struct netlogon_creds_CredentialState *netlogon_creds); NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred, struct smb_krb5_context *smb_krb5_context); NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h index c4e93ee97b..3b27e0f733 100644 --- a/source4/auth/gensec/gensec.h +++ b/source4/auth/gensec/gensec.h @@ -284,10 +284,10 @@ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, NTSTATUS gensec_session_info(struct gensec_security *gensec_security, struct auth_session_info **session_info); NTSTATUS auth_nt_status_squash(NTSTATUS nt_status); -struct creds_CredentialState; +struct netlogon_creds_CredentialState; NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, - struct creds_CredentialState **creds); + struct netlogon_creds_CredentialState **creds); NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, struct socket_address *peer_addr); NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, struct socket_address *my_addr); diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index e6d38c14a3..b71748943b 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c @@ -27,8 +27,6 @@ #include "auth/gensec/gensec.h" #include "auth/gensec/gensec_proto.h" #include "auth/gensec/schannel.h" -#include "auth/gensec/schannel_state.h" -#include "auth/gensec/schannel_proto.h" #include "librpc/rpc/dcerpc.h" #include "param/param.h" #include "auth/session_proto.h" @@ -52,8 +50,8 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ enum ndr_err_code ndr_err; struct schannel_bind bind_schannel; struct schannel_bind_ack bind_schannel_ack; - struct creds_CredentialState *creds; - + struct netlogon_creds_CredentialState *creds; + struct ldb_context *schannel_ldb; const char *workstation; const char *domain; *out = data_blob(NULL, 0); @@ -124,10 +122,22 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ domain = bind_schannel.u.info3.domain; } + if (strcasecmp_m(domain, lp_workgroup(gensec_security->settings->lp_ctx)) != 0) { + DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n", + domain, lp_workgroup(gensec_security->settings->lp_ctx))); + + return NT_STATUS_LOGON_FAILURE; + } + + schannel_ldb = schannel_db_connect(out_mem_ctx, gensec_security->event_ctx, + gensec_security->settings->lp_ctx); + if (!schannel_ldb) { + return NT_STATUS_ACCESS_DENIED; + } /* pull the session key for this client */ - status = schannel_fetch_session_key(out_mem_ctx, gensec_security->event_ctx, - gensec_security->settings->lp_ctx, workstation, - domain, &creds); + status = schannel_fetch_session_key(schannel_ldb, + out_mem_ctx, workstation, &creds); + talloc_free(schannel_ldb); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n", workstation, nt_errstr(status))); @@ -167,9 +177,10 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ */ /* TODO: make this non-public */ + _PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - struct creds_CredentialState **creds) + TALLOC_CTX *mem_ctx, + struct netlogon_creds_CredentialState **creds) { struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state); diff --git a/source4/auth/gensec/schannel.h b/source4/auth/gensec/schannel.h index 2ddea29006..ee841ef639 100644 --- a/source4/auth/gensec/schannel.h +++ b/source4/auth/gensec/schannel.h @@ -20,7 +20,9 @@ along with this program. If not, see . */ -#include "libcli/auth/credentials.h" +#include "auth/gensec/schannel_proto.h" +#include "auth/gensec/schannel_state.h" +#include "libcli/auth/schannel_state.h" enum schannel_position { SCHANNEL_STATE_START = 0, @@ -31,6 +33,6 @@ struct schannel_state { enum schannel_position state; uint32_t seq_num; bool initiator; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; }; diff --git a/source4/auth/ntlmssp/ntlmssp.h b/source4/auth/ntlmssp/ntlmssp.h index df950e4756..ff7225bb3c 100644 --- a/source4/auth/ntlmssp/ntlmssp.h +++ b/source4/auth/ntlmssp/ntlmssp.h @@ -66,11 +66,6 @@ enum ntlmssp_message_type #define NTLMSSP_NEGOTIATE_KEY_EXCH 0x40000000 #define NTLMSSP_NEGOTIATE_56 0x80000000 -#define NTLMSSP_NAME_TYPE_SERVER 0x01 -#define NTLMSSP_NAME_TYPE_DOMAIN 0x02 -#define NTLMSSP_NAME_TYPE_SERVER_DNS 0x03 -#define NTLMSSP_NAME_TYPE_DOMAIN_DNS 0x04 - #define NTLMSSP_SIGN_VERSION 1 #define NTLMSSP_SIG_SIZE 16 diff --git a/source4/libnet/config.mk b/source4/libnet/config.mk index fac8af18b7..07d5434ebf 100644 --- a/source4/libnet/config.mk +++ b/source4/libnet/config.mk @@ -1,5 +1,5 @@ [SUBSYSTEM::LIBSAMBA-NET] -PUBLIC_DEPENDENCIES = CREDENTIALS dcerpc dcerpc_samr RPC_NDR_LSA RPC_NDR_SRVSVC RPC_NDR_DRSUAPI LIBCLI_COMPOSITE LIBCLI_RESOLVE LIBCLI_FINDDCS LIBCLI_CLDAP LIBCLI_FINDDCS gensec_schannel LIBCLI_AUTH LIBNDR SMBPASSWD PROVISION +PUBLIC_DEPENDENCIES = CREDENTIALS dcerpc dcerpc_samr RPC_NDR_LSA RPC_NDR_SRVSVC RPC_NDR_DRSUAPI LIBCLI_COMPOSITE LIBCLI_RESOLVE LIBCLI_FINDDCS LIBCLI_CLDAP LIBCLI_FINDDCS gensec_schannel LIBCLI_AUTH LIBNDR SMBPASSWD PROVISION LIBCLI_SAMSYNC LIBSAMBA-NET_OBJ_FILES = $(addprefix $(libnetsrcdir)/, \ libnet.o libnet_passwd.o libnet_time.o libnet_rpc.o \ diff --git a/source4/libnet/libnet_samdump.c b/source4/libnet/libnet_samdump.c index 10a14655f3..08a2295169 100644 --- a/source4/libnet/libnet_samdump.c +++ b/source4/libnet/libnet_samdump.c @@ -163,7 +163,6 @@ NTSTATUS libnet_SamDump(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, r2.out.error_string = NULL; r2.in.binding_string = r->in.binding_string; - r2.in.rid_crypt = lp_parm_bool(ctx->lp_ctx, NULL, "vampire", "rid decrypt", true); r2.in.init_fn = NULL; r2.in.delta_fn = libnet_samdump_fn; r2.in.fn_ctx = samdump_state; diff --git a/source4/libnet/libnet_samdump_keytab.c b/source4/libnet/libnet_samdump_keytab.c index a1846b81da..7749aa996c 100644 --- a/source4/libnet/libnet_samdump_keytab.c +++ b/source4/libnet/libnet_samdump_keytab.c @@ -115,7 +115,6 @@ NTSTATUS libnet_SamDump_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, r2.out.error_string = NULL; r2.in.binding_string = r->in.binding_string; - r2.in.rid_crypt = true; r2.in.init_fn = NULL; r2.in.delta_fn = libnet_samdump_keytab_fn; r2.in.fn_ctx = &data; diff --git a/source4/libnet/libnet_samsync.c b/source4/libnet/libnet_samsync.c index 80111fe757..4d512d6034 100644 --- a/source4/libnet/libnet_samsync.c +++ b/source4/libnet/libnet_samsync.c @@ -35,7 +35,7 @@ NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx { NTSTATUS nt_status, dbsync_nt_status; TALLOC_CTX *samsync_ctx, *loop_ctx, *delta_ctx; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_DatabaseSync dbsync; struct netr_Authenticator credential, return_authenticator; struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; @@ -45,7 +45,7 @@ NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx struct libnet_RpcConnect *c; struct libnet_SamSync_state *state; const enum netr_SamDatabaseID database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS}; -f int i; + int i; samsync_ctx = talloc_named(mem_ctx, 0, "SamSync top context"); @@ -211,7 +211,7 @@ f int i; do { int d; loop_ctx = talloc_named(samsync_ctx, 0, "DatabaseSync loop context"); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); dbsync.in.credential = &credential; @@ -223,7 +223,7 @@ f int i; return nt_status; } - if (!creds_client_check(creds, &dbsync.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &dbsync.out.return_authenticator->cred)) { r->out.error_string = talloc_strdup(mem_ctx, "Credential chaining on incoming DatabaseSync failed"); talloc_free(samsync_ctx); return NT_STATUS_ACCESS_DENIED; @@ -237,12 +237,10 @@ f int i; delta_ctx = talloc_named(loop_ctx, 0, "DatabaseSync delta context"); /* 'Fix' elements, by decrypting and * de-obfuscating the data */ - nt_status = fix_delta(delta_ctx, - creds, - r->in.rid_crypt, - dbsync.in.database_id, - &delta_enum_array->delta_enum[d], - &error_string); + nt_status = samsync_fix_delta(delta_ctx, + creds, + dbsync.in.database_id, + &delta_enum_array->delta_enum[d]); if (!NT_STATUS_IS_OK(nt_status)) { r->out.error_string = talloc_steal(mem_ctx, error_string); talloc_free(samsync_ctx); diff --git a/source4/libnet/libnet_samsync.h b/source4/libnet/libnet_samsync.h index c2295f3957..439c3ba162 100644 --- a/source4/libnet/libnet_samsync.h +++ b/source4/libnet/libnet_samsync.h @@ -32,7 +32,6 @@ struct libnet_SamSync_state { struct libnet_SamSync { struct { const char *binding_string; - bool rid_crypt; NTSTATUS (*init_fn)(TALLOC_CTX *mem_ctx, void *private_data, struct libnet_SamSync_state *samsync_state, diff --git a/source4/libnet/libnet_samsync_ldb.c b/source4/libnet/libnet_samsync_ldb.c index e24c54a8c2..5bb75ca30d 100644 --- a/source4/libnet/libnet_samsync_ldb.c +++ b/source4/libnet/libnet_samsync_ldb.c @@ -1233,7 +1233,6 @@ NTSTATUS libnet_samsync_ldb(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, str r2.out.error_string = NULL; r2.in.binding_string = r->in.binding_string; - r2.in.rid_crypt = true; r2.in.init_fn = libnet_samsync_ldb_init; r2.in.delta_fn = libnet_samsync_ldb_fn; r2.in.fn_ctx = state; diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c index e3add82bf2..c678a674c1 100644 --- a/source4/librpc/rpc/dcerpc_schannel.c +++ b/source4/librpc/rpc/dcerpc_schannel.c @@ -36,7 +36,7 @@ struct schannel_key_state { struct dcerpc_pipe *pipe2; struct dcerpc_binding *binding; struct cli_credentials *credentials; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; uint32_t negotiate_flags; struct netr_Credential credentials1; struct netr_Credential credentials2; @@ -167,9 +167,6 @@ static void continue_srv_challenge(struct rpc_request *req) /* prepare credentials for auth2 request */ s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c); - creds_client_init(s->creds, &s->credentials1, &s->credentials2, - s->mach_pwd, &s->credentials3, s->negotiate_flags); - /* auth2 request arguments */ s->a.in.server_name = s->r.in.server_name; s->a.in.account_name = cli_credentials_get_username(s->credentials); @@ -181,6 +178,14 @@ static void continue_srv_challenge(struct rpc_request *req) s->a.out.negotiate_flags = &s->negotiate_flags; s->a.out.return_credentials = &s->credentials3; + s->creds = netlogon_creds_client_init(s, + s->a.in.account_name, + s->a.in.computer_name, + &s->credentials1, &s->credentials2, + s->mach_pwd, &s->credentials3, s->negotiate_flags); + if (composite_nomem(s->creds, c)) { + return; + } /* authenticate on the netlogon pipe - a rpc request over secondary pipe */ @@ -208,7 +213,7 @@ static void continue_srv_auth2(struct rpc_request *req) if (!composite_is_ok(c)) return; /* verify credentials */ - if (!creds_client_check(s->creds, s->a.out.return_credentials)) { + if (!netlogon_creds_client_check(s->creds, s->a.out.return_credentials)) { composite_error(c, NT_STATUS_UNSUCCESSFUL); return; } @@ -246,9 +251,6 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx, s->credentials = credentials; /* allocate credentials */ - s->creds = talloc(c, struct creds_CredentialState); - if (composite_nomem(s->creds, c)) return c; - /* type of authentication depends on schannel type */ if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) { s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 2efddc74fc..05f39f7817 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -31,14 +31,14 @@ #include "rpc_server/samr/proto.h" #include "../lib/util/util_ldb.h" #include "libcli/auth/libcli_auth.h" -#include "auth/gensec/schannel_state.h" +#include "auth/gensec/schannel.h" #include "libcli/security/security.h" #include "param/param.h" #include "lib/messaging/irpc.h" #include "librpc/gen_ndr/ndr_irpc.h" #include "librpc/gen_ndr/ndr_netlogon.h" -struct server_pipe_state { +struct netlogon_server_pipe_state { struct netr_Credential client_challenge; struct netr_Credential server_challenge; }; @@ -47,8 +47,8 @@ struct server_pipe_state { static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerReqChallenge *r) { - struct server_pipe_state *pipe_state = - (struct server_pipe_state *)dce_call->context->private_data; + struct netlogon_server_pipe_state *pipe_state = + talloc_get_type(dce_call->context->private_data, struct netlogon_server_pipe_state); ZERO_STRUCTP(r->out.return_credentials); @@ -59,7 +59,7 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal dce_call->context->private_data = NULL; } - pipe_state = talloc(dce_call->context, struct server_pipe_state); + pipe_state = talloc(dce_call->context, struct netlogon_server_pipe_state); NT_STATUS_HAVE_NO_MEMORY(pipe_state); pipe_state->client_challenge = *r->in.credentials; @@ -77,10 +77,11 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerAuthenticate3 *r) { - struct server_pipe_state *pipe_state = - (struct server_pipe_state *)dce_call->context->private_data; - struct creds_CredentialState *creds; - void *sam_ctx; + struct netlogon_server_pipe_state *pipe_state = + talloc_get_type(dce_call->context->private_data, struct netlogon_server_pipe_state); + struct netlogon_creds_CredentialState *creds; + struct ldb_context *schannel_ldb; + struct ldb_context *sam_ctx; struct samr_Password *mach_pwd; uint32_t user_account_control; int num_records; @@ -238,31 +239,30 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca return NT_STATUS_ACCESS_DENIED; } - creds = talloc(mem_ctx, struct creds_CredentialState); - NT_STATUS_HAVE_NO_MEMORY(creds); - - creds_server_init(creds, &pipe_state->client_challenge, - &pipe_state->server_challenge, mach_pwd, - r->out.return_credentials, - *r->in.negotiate_flags); + creds = netlogon_creds_server_init(mem_ctx, + r->in.computer_name, + r->in.account_name, + r->in.secure_channel_type, + &pipe_state->client_challenge, + &pipe_state->server_challenge, + mach_pwd, + r->in.credentials, + r->out.return_credentials, + *r->in.negotiate_flags); - if (!creds_server_check(creds, r->in.credentials)) { - talloc_free(creds); + if (!creds) { return NT_STATUS_ACCESS_DENIED; } - creds->account_name = talloc_steal(creds, r->in.account_name); - - creds->computer_name = talloc_steal(creds, r->in.computer_name); - creds->domain = talloc_strdup(creds, lp_workgroup(dce_call->conn->dce_ctx->lp_ctx)); - - creds->secure_channel_type = r->in.secure_channel_type; - creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid"); + schannel_ldb = schannel_db_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx); + if (!schannel_ldb) { + return NT_STATUS_ACCESS_DENIED; + } - /* remember this session key state */ - nt_status = schannel_store_session_key(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, creds); + nt_status = schannel_store_session_key(schannel_ldb, mem_ctx, creds); + talloc_free(schannel_ldb); return nt_status; } @@ -270,8 +270,8 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerAuthenticate *r) { - struct netr_ServerAuthenticate3 r3; - uint32_t rid = 0; + struct netr_ServerAuthenticate3 a; + uint32_t rid; /* TODO: * negotiate_flags is used as an [in] parameter * so it need to be initialised. @@ -281,17 +281,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_cal uint32_t negotiate_flags_in = 0; uint32_t negotiate_flags_out = 0; - r3.in.server_name = r->in.server_name; - r3.in.account_name = r->in.account_name; - r3.in.secure_channel_type = r->in.secure_channel_type; - r3.in.computer_name = r->in.computer_name; - r3.in.credentials = r->in.credentials; - r3.out.return_credentials = r->out.return_credentials; - r3.in.negotiate_flags = &negotiate_flags_in; - r3.out.negotiate_flags = &negotiate_flags_out; - r3.out.rid = &rid; - - return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); + a.in.server_name = r->in.server_name; + a.in.account_name = r->in.account_name; + a.in.secure_channel_type = r->in.secure_channel_type; + a.in.computer_name = r->in.computer_name; + a.in.credentials = r->in.credentials; + a.in.negotiate_flags = &negotiate_flags_in; + + a.out.return_credentials = r->out.return_credentials; + a.out.rid = &rid; + a.out.negotiate_flags = &negotiate_flags_out; + + return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &a); } static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, @@ -323,55 +324,29 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca the caller needs some of that information. */ -static NTSTATUS dcesrv_netr_creds_server_step_check(struct tevent_context *event_ctx, - struct loadparm_context *lp_ctx, +static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call, const char *computer_name, - TALLOC_CTX *mem_ctx, - struct netr_Authenticator *received_authenticator, - struct netr_Authenticator *return_authenticator, - struct creds_CredentialState **creds_out) + TALLOC_CTX *mem_ctx, + struct netr_Authenticator *received_authenticator, + struct netr_Authenticator *return_authenticator, + struct netlogon_creds_CredentialState **creds_out) { - struct creds_CredentialState *creds; NTSTATUS nt_status; struct ldb_context *ldb; - int ret; + bool schannel_in_use = dce_call->conn->auth_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL + && (dce_call->conn->auth_state.auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY + || dce_call->conn->auth_state.auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY); - ldb = schannel_db_connect(mem_ctx, event_ctx, lp_ctx); + ldb = schannel_db_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx); if (!ldb) { return NT_STATUS_ACCESS_DENIED; } - - ret = ldb_transaction_start(ldb); - if (ret != 0) { - talloc_free(ldb); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - /* Because this is a shared structure (even across - * disconnects) we must update the database every time we - * update the structure */ - nt_status = schannel_fetch_session_key_ldb(ldb, ldb, computer_name, - lp_workgroup(lp_ctx), - &creds); - if (NT_STATUS_IS_OK(nt_status)) { - nt_status = creds_server_step_check(creds, - received_authenticator, - return_authenticator); - } - if (NT_STATUS_IS_OK(nt_status)) { - nt_status = schannel_store_session_key_ldb(ldb, ldb, creds); - } - - if (NT_STATUS_IS_OK(nt_status)) { - ldb_transaction_commit(ldb); - if (creds_out) { - *creds_out = creds; - talloc_steal(mem_ctx, creds); - } - } else { - ldb_transaction_cancel(ldb); - } + nt_status = schannel_creds_server_step_check(ldb, mem_ctx, + schannel_in_use, + computer_name, + received_authenticator, + return_authenticator, creds_out); talloc_free(ldb); return nt_status; } @@ -384,14 +359,14 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct tevent_context *event static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerPasswordSet *r) { - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct ldb_context *sam_ctx; NTSTATUS nt_status; - nt_status = dcesrv_netr_creds_server_step_check(dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, + nt_status = dcesrv_netr_creds_server_step_check(dce_call, r->in.computer_name, mem_ctx, - r->in.credential, r->out.return_authenticator, - &creds); + r->in.credential, r->out.return_authenticator, + &creds); NT_STATUS_NOT_OK_RETURN(nt_status); sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx)); @@ -399,7 +374,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call return NT_STATUS_INVALID_SYSTEM_SERVICE; } - creds_des_decrypt(creds, r->in.new_password); + netlogon_creds_des_decrypt(creds, r->in.new_password); /* Using the sid for the account as the key, set the password */ nt_status = samdb_set_password_sid(sam_ctx, mem_ctx, @@ -418,14 +393,14 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct netr_ServerPasswordSet2 *r) { - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct ldb_context *sam_ctx; NTSTATUS nt_status; DATA_BLOB new_password; struct samr_CryptPassword password_buf; - nt_status = dcesrv_netr_creds_server_step_check(dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, + nt_status = dcesrv_netr_creds_server_step_check(dce_call, r->in.computer_name, mem_ctx, r->in.credential, r->out.return_authenticator, &creds); @@ -438,7 +413,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal memcpy(password_buf.data, r->in.new_password->data, 512); SIVAL(password_buf.data, 512, r->in.new_password->length); - creds_arcfour_crypt(creds, password_buf.data, 516); + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); if (!extract_pw_from_buffer(mem_ctx, password_buf.data, &new_password)) { DEBUG(3,("samr: failed to decode password buffer\n")); @@ -484,7 +459,7 @@ static WERROR dcesrv_netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TAL We can't do the traditional 'wrapping' format completly, as this function must only run under schannel */ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, - struct netr_LogonSamLogonEx *r, struct creds_CredentialState *creds) + struct netr_LogonSamLogonEx *r, struct netlogon_creds_CredentialState *creds) { struct auth_context *auth_context; struct auth_usersupplied_info *user_info; @@ -509,15 +484,15 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal case NetlogonInteractiveTransitiveInformation: case NetlogonServiceTransitiveInformation: if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { - creds_arcfour_crypt(creds, + netlogon_creds_arcfour_crypt(creds, r->in.logon->password->lmpassword.hash, sizeof(r->in.logon->password->lmpassword.hash)); - creds_arcfour_crypt(creds, + netlogon_creds_arcfour_crypt(creds, r->in.logon->password->ntpassword.hash, sizeof(r->in.logon->password->ntpassword.hash)); } else { - creds_des_decrypt(creds, &r->in.logon->password->lmpassword); - creds_des_decrypt(creds, &r->in.logon->password->ntpassword); + netlogon_creds_des_decrypt(creds, &r->in.logon->password->lmpassword); + netlogon_creds_des_decrypt(creds, &r->in.logon->password->ntpassword); } /* TODO: we need to deny anonymous access here */ @@ -572,7 +547,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal case NetlogonGenericInformation: { if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { - creds_arcfour_crypt(creds, + netlogon_creds_arcfour_crypt(creds, r->in.logon->generic->data, r->in.logon->generic->length); } else { /* Using DES to verify kerberos tickets makes no sense */ @@ -631,7 +606,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal memcmp(sam->key.key, zeros, sizeof(sam->key.key)) != 0) { /* This key is sent unencrypted without the ARCFOUR flag set */ if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { - creds_arcfour_crypt(creds, + netlogon_creds_arcfour_crypt(creds, sam->key.key, sizeof(sam->key.key)); } @@ -642,11 +617,11 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal if ((r->in.validation_level != 6) && memcmp(sam->LMSessKey.key, zeros, sizeof(sam->LMSessKey.key)) != 0) { if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { - creds_arcfour_crypt(creds, + netlogon_creds_arcfour_crypt(creds, sam->LMSessKey.key, sizeof(sam->LMSessKey.key)); } else { - creds_des_encrypt_LMKey(creds, + netlogon_creds_des_encrypt_LMKey(creds, &sam->LMSessKey); } } @@ -693,15 +668,20 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, struct netr_LogonSamLogonEx *r) { NTSTATUS nt_status; - struct creds_CredentialState *creds; - nt_status = schannel_fetch_session_key(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, r->in.computer_name, lp_workgroup(dce_call->conn->dce_ctx->lp_ctx), &creds); + struct netlogon_creds_CredentialState *creds; + struct ldb_context *ldb = schannel_db_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx); + if (!ldb) { + return NT_STATUS_ACCESS_DENIED; + } + + nt_status = schannel_fetch_session_key(ldb, mem_ctx, r->in.computer_name, &creds); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } if (!dce_call->conn->auth_state.auth_info || dce_call->conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { - return NT_STATUS_INTERNAL_ERROR; + return NT_STATUS_ACCESS_DENIED; } return dcesrv_netr_LogonSamLogon_base(dce_call, mem_ctx, r, creds); } @@ -714,7 +694,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce struct netr_LogonSamLogonWithFlags *r) { NTSTATUS nt_status; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_LogonSamLogonEx r2; struct netr_Authenticator *return_authenticator; @@ -722,10 +702,10 @@ static NTSTATUS dcesrv_netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce return_authenticator = talloc(mem_ctx, struct netr_Authenticator); NT_STATUS_HAVE_NO_MEMORY(return_authenticator); - nt_status = dcesrv_netr_creds_server_step_check(dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, + nt_status = dcesrv_netr_creds_server_step_check(dce_call, r->in.computer_name, mem_ctx, - r->in.credential, return_authenticator, - &creds); + r->in.credential, return_authenticator, + &creds); NT_STATUS_NOT_OK_RETURN(nt_status); ZERO_STRUCT(r2); @@ -1089,7 +1069,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal const char *local_domain; - status = dcesrv_netr_creds_server_step_check(dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, + status = dcesrv_netr_creds_server_step_check(dce_call, r->in.computer_name, mem_ctx, r->in.credential, r->out.return_authenticator, diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index ad94add071..23443cc9d1 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -77,13 +77,13 @@ static bool test_LogonUasLogoff(struct torture_context *tctx, bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, struct cli_credentials *credentials, - struct creds_CredentialState **creds_out) + struct netlogon_creds_CredentialState **creds_out) { NTSTATUS status; struct netr_ServerReqChallenge r; struct netr_ServerAuthenticate a; struct netr_Credential credentials1, credentials2, credentials3; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; const struct samr_Password *mach_password; const char *machine_name; @@ -92,9 +92,6 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, torture_comment(tctx, "Testing ServerReqChallenge\n"); - creds = talloc(tctx, struct creds_CredentialState); - torture_assert(tctx, creds != NULL, "memory allocation"); - r.in.server_name = NULL; r.in.computer_name = machine_name; r.in.credentials = &credentials1; @@ -112,9 +109,13 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, a.in.credentials = &credentials3; a.out.return_credentials = &credentials3; - creds_client_init(creds, &credentials1, &credentials2, - mach_password, &credentials3, - 0); + creds = netlogon_creds_client_init(tctx, a.in.account_name, + a.in.computer_name, + &credentials1, &credentials2, + mach_password, &credentials3, + 0); + torture_assert(tctx, creds != NULL, "memory allocation"); + torture_comment(tctx, "Testing ServerAuthenticate\n"); @@ -128,7 +129,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate"); - torture_assert(tctx, creds_client_check(creds, &credentials3), + torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed"); *creds_out = creds; @@ -139,13 +140,13 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx, uint32_t negotiate_flags, struct cli_credentials *machine_credentials, int sec_chan_type, - struct creds_CredentialState **creds_out) + struct netlogon_creds_CredentialState **creds_out) { NTSTATUS status; struct netr_ServerReqChallenge r; struct netr_ServerAuthenticate2 a; struct netr_Credential credentials1, credentials2, credentials3; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; const struct samr_Password *mach_password; const char *machine_name; @@ -154,8 +155,6 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx, torture_comment(tctx, "Testing ServerReqChallenge\n"); - creds = talloc(tctx, struct creds_CredentialState); - torture_assert(tctx, creds != NULL, "memory allocation"); r.in.server_name = NULL; r.in.computer_name = machine_name; @@ -176,16 +175,20 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx, a.in.credentials = &credentials3; a.out.return_credentials = &credentials3; - creds_client_init(creds, &credentials1, &credentials2, - mach_password, &credentials3, - negotiate_flags); + creds = netlogon_creds_client_init(tctx, a.in.account_name, + a.in.computer_name, + &credentials1, &credentials2, + mach_password, &credentials3, + negotiate_flags); + + torture_assert(tctx, creds != NULL, "memory allocation"); torture_comment(tctx, "Testing ServerAuthenticate2\n"); status = dcerpc_netr_ServerAuthenticate2(p, tctx, &a); torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate2"); - torture_assert(tctx, creds_client_check(creds, &credentials3), + torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed"); torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags); @@ -198,13 +201,13 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx, static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx, uint32_t negotiate_flags, struct cli_credentials *machine_credentials, - struct creds_CredentialState **creds_out) + struct netlogon_creds_CredentialState **creds_out) { NTSTATUS status; struct netr_ServerReqChallenge r; struct netr_ServerAuthenticate3 a; struct netr_Credential credentials1, credentials2, credentials3; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct samr_Password mach_password; uint32_t rid; const char *machine_name; @@ -215,9 +218,6 @@ static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context torture_comment(tctx, "Testing ServerReqChallenge\n"); - creds = talloc(tctx, struct creds_CredentialState); - torture_assert(tctx, creds != NULL, "memory allocation"); - r.in.server_name = NULL; r.in.computer_name = machine_name; r.in.credentials = &credentials1; @@ -240,15 +240,19 @@ static bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context a.out.negotiate_flags = &negotiate_flags; a.out.rid = &rid; - creds_client_init(creds, &credentials1, &credentials2, - &mach_password, &credentials3, - negotiate_flags); + creds = netlogon_creds_client_init(tctx, a.in.account_name, + a.in.computer_name, + &credentials1, &credentials2, + &mach_password, &credentials3, + negotiate_flags); + + torture_assert(tctx, creds != NULL, "memory allocation"); torture_comment(tctx, "Testing ServerAuthenticate3\n"); status = dcerpc_netr_ServerAuthenticate3(p, tctx, &a); torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate3"); - torture_assert(tctx, creds_client_check(creds, &credentials3), "Credential chaining failed"); + torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed"); torture_comment(tctx, "negotiate_flags=0x%08x\n", negotiate_flags); @@ -270,7 +274,7 @@ static bool test_SetPassword(struct torture_context *tctx, NTSTATUS status; struct netr_ServerPasswordSet r; const char *password; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_Authenticator credential, return_authenticator; struct samr_Password new_password; @@ -289,18 +293,18 @@ static bool test_SetPassword(struct torture_context *tctx, password = generate_random_str(tctx, 8); E_md4hash(password, new_password.hash); - creds_des_encrypt(creds, &new_password); + netlogon_creds_des_encrypt(creds, &new_password); torture_comment(tctx, "Testing ServerPasswordSet on machine account\n"); torture_comment(tctx, "Changing machine account password to '%s'\n", password); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_ServerPasswordSet(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -313,12 +317,12 @@ static bool test_SetPassword(struct torture_context *tctx, torture_comment(tctx, "Changing machine account password to '%s' (same as previous run)\n", password); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_ServerPasswordSet(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (2)"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -360,7 +364,7 @@ static bool test_SetPassword2(struct torture_context *tctx, struct netr_ServerPasswordSet2 r; const char *password; DATA_BLOB new_random_pass; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct samr_CryptPassword password_buf; struct samr_Password nt_hash; struct netr_Authenticator credential, return_authenticator; @@ -380,7 +384,7 @@ static bool test_SetPassword2(struct torture_context *tctx, password = generate_random_str(tctx, 8); encode_pw_buffer(password_buf.data, password, STR_UNICODE); - creds_arcfour_crypt(creds, password_buf.data, 516); + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); memcpy(new_password.data, password_buf.data, 512); new_password.length = IVAL(password_buf.data, 512); @@ -388,12 +392,12 @@ static bool test_SetPassword2(struct torture_context *tctx, torture_comment(tctx, "Testing ServerPasswordSet2 on machine account\n"); torture_comment(tctx, "Changing machine account password to '%s'\n", password); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -410,7 +414,7 @@ static bool test_SetPassword2(struct torture_context *tctx, */ password = ""; encode_pw_buffer(password_buf.data, password, STR_UNICODE); - creds_arcfour_crypt(creds, password_buf.data, 516); + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); memcpy(new_password.data, password_buf.data, 512); new_password.length = IVAL(password_buf.data, 512); @@ -420,12 +424,12 @@ static bool test_SetPassword2(struct torture_context *tctx, torture_comment(tctx, "Changing machine account password to '%s'\n", password); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -438,7 +442,7 @@ static bool test_SetPassword2(struct torture_context *tctx, /* now try a random password */ password = generate_random_str(tctx, 8); encode_pw_buffer(password_buf.data, password, STR_UNICODE); - creds_arcfour_crypt(creds, password_buf.data, 516); + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); memcpy(new_password.data, password_buf.data, 512); new_password.length = IVAL(password_buf.data, 512); @@ -446,12 +450,12 @@ static bool test_SetPassword2(struct torture_context *tctx, torture_comment(tctx, "Testing second ServerPasswordSet2 on machine account\n"); torture_comment(tctx, "Changing machine account password to '%s'\n", password); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet2 (2)"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -464,12 +468,12 @@ static bool test_SetPassword2(struct torture_context *tctx, torture_comment(tctx, "Changing machine account password to '%s' (same as previous run)\n", password); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -484,7 +488,7 @@ static bool test_SetPassword2(struct torture_context *tctx, /* now try a random stream of bytes for a password */ set_pw_in_buffer(password_buf.data, &new_random_pass); - creds_arcfour_crypt(creds, password_buf.data, 516); + netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); memcpy(new_password.data, password_buf.data, 512); new_password.length = IVAL(password_buf.data, 512); @@ -492,12 +496,12 @@ static bool test_SetPassword2(struct torture_context *tctx, torture_comment(tctx, "Testing a third ServerPasswordSet2 on machine account, with a compleatly random password\n"); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_ServerPasswordSet2(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "ServerPasswordSet (3)"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -518,7 +522,7 @@ static bool test_GetPassword(struct torture_context *tctx, struct cli_credentials *machine_credentials) { struct netr_ServerPasswordGet r; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_Authenticator credential; NTSTATUS status; struct netr_Authenticator return_authenticator; @@ -528,7 +532,7 @@ static bool test_GetPassword(struct torture_context *tctx, return false; } - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME); @@ -549,7 +553,7 @@ static bool test_GetTrustPasswords(struct torture_context *tctx, struct cli_credentials *machine_credentials) { struct netr_ServerTrustPasswordsGet r; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_Authenticator credential; NTSTATUS status; struct netr_Authenticator return_authenticator; @@ -559,7 +563,7 @@ static bool test_GetTrustPasswords(struct torture_context *tctx, return false; } - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME); @@ -581,7 +585,7 @@ static bool test_GetTrustPasswords(struct torture_context *tctx, */ bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx, struct cli_credentials *credentials, - struct creds_CredentialState *creds) + struct netlogon_creds_CredentialState *creds) { NTSTATUS status; struct netr_LogonSamLogon r; @@ -647,14 +651,15 @@ bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx, for (i=2;i<3;i++) { ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.validation_level = i; status = dcerpc_netr_LogonSamLogon(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed"); - torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred), + torture_assert(tctx, netlogon_creds_client_check(creds, + &r.out.return_authenticator->cred), "Credential chaining failed"); } @@ -682,7 +687,7 @@ static bool test_SamLogon(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *credentials) { - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; if (!test_SetupCredentials(p, tctx, credentials, &creds)) { return false; @@ -703,7 +708,7 @@ static bool test_DatabaseSync(struct torture_context *tctx, { NTSTATUS status; struct netr_DatabaseSync r; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; const uint32_t database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS}; int i; struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; @@ -733,7 +738,7 @@ static bool test_DatabaseSync(struct torture_context *tctx, torture_comment(tctx, "Testing DatabaseSync of id %d\n", r.in.database_id); do { - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); r.in.credential = &credential; @@ -747,7 +752,7 @@ static bool test_DatabaseSync(struct torture_context *tctx, } torture_assert_ntstatus_ok(tctx, status, "DatabaseSync"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -777,7 +782,7 @@ static bool test_DatabaseDeltas(struct torture_context *tctx, { NTSTATUS status; struct netr_DatabaseDeltas r; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_Authenticator credential; struct netr_Authenticator return_authenticator; struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; @@ -807,7 +812,7 @@ static bool test_DatabaseDeltas(struct torture_context *tctx, r.in.database_id, (unsigned long long)*r.in.sequence_num); do { - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_DatabaseDeltas(p, tctx, &r); if (NT_STATUS_EQUAL(status, @@ -821,7 +826,7 @@ static bool test_DatabaseDeltas(struct torture_context *tctx, torture_assert_ntstatus_ok(tctx, status, "DatabaseDeltas"); - if (!creds_client_check(creds, &return_authenticator.cred)) { + if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -838,7 +843,7 @@ static bool test_DatabaseRedo(struct torture_context *tctx, { NTSTATUS status; struct netr_DatabaseRedo r; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_Authenticator credential; struct netr_Authenticator return_authenticator; struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; @@ -1300,7 +1305,7 @@ static bool test_DatabaseRedo(struct torture_context *tctx, continue; } - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); r.in.credential = &credential; @@ -1352,7 +1357,7 @@ static bool test_DatabaseRedo(struct torture_context *tctx, } } - if (!creds_client_check(creds, &return_authenticator.cred)) { + if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) { torture_comment(tctx, "Credential chaining failed\n"); if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) { return false; @@ -1374,7 +1379,7 @@ static bool test_AccountDeltas(struct torture_context *tctx, { NTSTATUS status; struct netr_AccountDeltas r; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_AccountBuffer buffer; uint32_t count_returned = 0; @@ -1391,7 +1396,7 @@ static bool test_AccountDeltas(struct torture_context *tctx, r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computername = TEST_MACHINE_NAME; r.in.return_authenticator = &return_authenticator; - creds_client_authenticator(creds, &r.in.credential); + netlogon_creds_client_authenticator(creds, &r.in.credential); ZERO_STRUCT(r.in.uas); r.in.count=10; r.in.level=0; @@ -1417,7 +1422,7 @@ static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p { NTSTATUS status; struct netr_AccountSync r; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct netr_AccountBuffer buffer; uint32_t count_returned = 0; @@ -1436,7 +1441,7 @@ static bool test_AccountSync(struct torture_context *tctx, struct dcerpc_pipe *p r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computername = TEST_MACHINE_NAME; r.in.return_authenticator = &return_authenticator; - creds_client_authenticator(creds, &r.in.credential); + netlogon_creds_client_authenticator(creds, &r.in.credential); r.in.recordid = &recordid; r.in.reference=0; r.in.level=0; @@ -1622,7 +1627,7 @@ static bool test_DatabaseSync2(struct torture_context *tctx, struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; struct netr_Authenticator return_authenticator, credential; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; const uint32_t database_ids[] = {0, 1, 2}; int i; @@ -1653,7 +1658,7 @@ static bool test_DatabaseSync2(struct torture_context *tctx, torture_comment(tctx, "Testing DatabaseSync2 of id %d\n", r.in.database_id); do { - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); r.in.credential = &credential; @@ -1668,7 +1673,7 @@ static bool test_DatabaseSync2(struct torture_context *tctx, torture_assert_ntstatus_ok(tctx, status, "DatabaseSync2"); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { torture_comment(tctx, "Credential chaining failed\n"); } @@ -2072,14 +2077,14 @@ static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx, struct samr_Password old_owf_password; struct netr_TrustInfo *trust_info; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, machine_credentials, &creds)) { return false; } - creds_client_authenticator(creds, &a); + netlogon_creds_client_authenticator(creds, &a); r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.account_name = talloc_asprintf(tctx, "%s$", TEST_MACHINE_NAME); @@ -2094,7 +2099,7 @@ static bool test_netr_ServerGetTrustInfo(struct torture_context *tctx, status = dcerpc_netr_ServerGetTrustInfo(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "failed"); - torture_assert(tctx, creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed"); + torture_assert(tctx, netlogon_creds_client_check(creds, &return_authenticator.cred), "Credential chaining failed"); return true; } @@ -2108,7 +2113,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, struct netr_LogonGetDomainInfo r; struct netr_DomainQuery1 q1; struct netr_Authenticator a; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; union netr_DomainInfo info; if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, @@ -2118,7 +2123,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, ZERO_STRUCT(r); - creds_client_authenticator(creds, &a); + netlogon_creds_client_authenticator(creds, &a); r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computer_name = TEST_MACHINE_NAME; @@ -2143,14 +2148,14 @@ static bool test_GetDomainInfo(struct torture_context *tctx, status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo"); - torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed"); + torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed"); torture_comment(tctx, "Testing netr_LogonGetDomainInfo 2nd call\n"); - creds_client_authenticator(creds, &a); + netlogon_creds_client_authenticator(creds, &a); status = dcerpc_netr_LogonGetDomainInfo(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo"); - torture_assert(tctx, creds_client_check(creds, &a.cred), "Credential chaining failed"); + torture_assert(tctx, netlogon_creds_client_check(creds, &a.cred), "Credential chaining failed"); return true; } @@ -2173,8 +2178,8 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, struct netr_DomainQuery1 q1; struct netr_Authenticator a; #define ASYNC_COUNT 100 - struct creds_CredentialState *creds; - struct creds_CredentialState *creds_async[ASYNC_COUNT]; + struct netlogon_creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds_async[ASYNC_COUNT]; struct rpc_request *req[ASYNC_COUNT]; int i; int *async_counter = talloc(tctx, int); @@ -2210,9 +2215,9 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, *async_counter = 0; for (i=0;iasync.callback = async_callback; @@ -2230,7 +2235,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, torture_assert_ntstatus_ok(tctx, status, "netr_LogonGetDomainInfo_async"); torture_assert_ntstatus_ok(tctx, r.out.result, "netr_LogonGetDomainInfo_async"); - torture_assert(tctx, creds_client_check(creds_async[i], &a.cred), + torture_assert(tctx, netlogon_creds_client_check(creds_async[i], &a.cred), "Credential chaining failed at async"); } diff --git a/source4/torture/rpc/netlogon.h b/source4/torture/rpc/netlogon.h index 92d366b46a..9038286ded 100644 --- a/source4/torture/rpc/netlogon.h +++ b/source4/torture/rpc/netlogon.h @@ -3,4 +3,4 @@ bool test_SetupCredentials2(struct dcerpc_pipe *p, struct torture_context *tctx, uint32_t negotiate_flags, struct cli_credentials *machine_credentials, int sec_chan_type, - struct creds_CredentialState **creds_out); + struct netlogon_creds_CredentialState **creds_out); diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index 53754e02af..6d638d1868 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -57,7 +57,7 @@ static bool test_PACVerify(struct torture_context *tctx, struct netr_Authenticator auth, auth2; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct gensec_security *gensec_client_context; struct gensec_security *gensec_server_context; @@ -149,7 +149,7 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); - creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); + netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; @@ -168,7 +168,7 @@ static bool test_PACVerify(struct torture_context *tctx, logon.generic = &generic; ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon = &logon; @@ -190,7 +190,7 @@ static bool test_PACVerify(struct torture_context *tctx, logon.generic = &generic; ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; @@ -203,7 +203,7 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert_ntstatus_equal(tctx, status, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed"); - torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred), + torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); /* This will break the parsing nicely (even in the crypto wrapping), check we get INVALID_PARAMETER */ @@ -212,7 +212,7 @@ static bool test_PACVerify(struct torture_context *tctx, logon.generic = &generic; ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; @@ -225,7 +225,8 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed"); - torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred), + torture_assert(tctx, netlogon_creds_client_check(creds, + &r.out.return_authenticator->cred), "Credential chaining failed"); pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length; @@ -251,7 +252,7 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); - creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); + netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; @@ -259,7 +260,7 @@ static bool test_PACVerify(struct torture_context *tctx, logon.generic = &generic; ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; @@ -272,7 +273,7 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert_ntstatus_equal(tctx, status, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed"); - torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred), + torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length; @@ -298,7 +299,7 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); - creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); + netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; @@ -306,7 +307,7 @@ static bool test_PACVerify(struct torture_context *tctx, logon.generic = &generic; ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; @@ -319,7 +320,7 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed"); - torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred), + torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); return true; } diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c index fe128fea52..e31135c0de 100644 --- a/source4/torture/rpc/samba3rpc.c +++ b/source4/torture/rpc/samba3rpc.c @@ -904,7 +904,7 @@ static bool auth2(struct smbcli_state *cli, struct netr_Credential netr_srv_creds; uint32_t negotiate_flags; struct netr_ServerAuthenticate2 a; - struct creds_CredentialState *creds_state; + struct netlogon_creds_CredentialState *creds_state; struct netr_Credential netr_cred; struct samr_Password mach_pw; @@ -958,11 +958,6 @@ static bool auth2(struct smbcli_state *cli, negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS; E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash); - creds_state = talloc(mem_ctx, struct creds_CredentialState); - creds_client_init(creds_state, r.in.credentials, - r.out.return_credentials, &mach_pw, - &netr_cred, negotiate_flags); - a.in.server_name = talloc_asprintf( mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe)); a.in.account_name = talloc_asprintf( @@ -974,6 +969,13 @@ static bool auth2(struct smbcli_state *cli, a.in.credentials = &netr_cred; a.out.return_credentials = &netr_cred; + creds_state = netlogon_creds_client_init(mem_ctx, + a.in.account_name, + a.in.computer_name, + r.in.credentials, + r.out.return_credentials, &mach_pw, + &netr_cred, negotiate_flags); + status = dcerpc_netr_ServerAuthenticate2(net_pipe, mem_ctx, &a); if (!NT_STATUS_IS_OK(status)) { d_printf("netr_ServerServerAuthenticate2 failed: %s\n", @@ -981,7 +983,7 @@ static bool auth2(struct smbcli_state *cli, goto done; } - if (!creds_client_check(creds_state, a.out.return_credentials)) { + if (!netlogon_creds_client_check(creds_state, a.out.return_credentials)) { d_printf("creds_client_check failed\n"); goto done; } @@ -1054,7 +1056,7 @@ static bool schan(struct smbcli_state *cli, for (i=2; i<4; i++) { int flags; DATA_BLOB chal, nt_resp, lm_resp, names_blob, session_key; - struct creds_CredentialState *creds_state; + struct netlogon_creds_CredentialState *creds_state; struct netr_Authenticator netr_auth, netr_auth2; struct netr_NetworkInfo ninfo; struct netr_PasswordInfo pinfo; @@ -1088,7 +1090,7 @@ static bool schan(struct smbcli_state *cli, } creds_state = cli_credentials_get_netlogon_creds(wks_creds); - creds_client_authenticator(creds_state, &netr_auth); + netlogon_creds_client_authenticator(creds_state, &netr_auth); ninfo.identity_info.account_name.string = cli_credentials_get_username(user_creds); @@ -1129,13 +1131,13 @@ static bool schan(struct smbcli_state *cli, } if ((r.out.return_authenticator == NULL) || - (!creds_client_check(creds_state, + (!netlogon_creds_client_check(creds_state, &r.out.return_authenticator->cred))) { d_printf("Credentials check failed!\n"); goto done; } - creds_client_authenticator(creds_state, &netr_auth); + netlogon_creds_client_authenticator(creds_state, &netr_auth); pinfo.identity_info = ninfo.identity_info; ZERO_STRUCT(pinfo.lmpassword.hash); @@ -1161,7 +1163,7 @@ static bool schan(struct smbcli_state *cli, } if ((r.out.return_authenticator == NULL) || - (!creds_client_check(creds_state, + (!netlogon_creds_client_check(creds_state, &r.out.return_authenticator->cred))) { d_printf("Credentials check failed!\n"); goto done; @@ -1171,7 +1173,7 @@ static bool schan(struct smbcli_state *cli, { struct netr_ServerPasswordSet s; char *password = generate_random_str(wks_creds, 8); - struct creds_CredentialState *creds_state; + struct netlogon_creds_CredentialState *creds_state; struct netr_Authenticator credential, return_authenticator; struct samr_Password new_password; @@ -1188,8 +1190,8 @@ static bool schan(struct smbcli_state *cli, E_md4hash(password, new_password.hash); creds_state = cli_credentials_get_netlogon_creds(wks_creds); - creds_des_encrypt(creds_state, &new_password); - creds_client_authenticator(creds_state, &credential); + netlogon_creds_des_encrypt(creds_state, &new_password); + netlogon_creds_client_authenticator(creds_state, &credential); status = dcerpc_netr_ServerPasswordSet(net_pipe, mem_ctx, &s); if (!NT_STATUS_IS_OK(status)) { @@ -1197,8 +1199,8 @@ static bool schan(struct smbcli_state *cli, goto done; } - if (!creds_client_check(creds_state, - &s.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds_state, + &s.out.return_authenticator->cred)) { printf("Credential chaining failed\n"); } @@ -2088,7 +2090,7 @@ bool torture_samba3_rpc_randomauth2(struct torture_context *torture) struct netr_Credential netr_srv_creds; uint32_t negotiate_flags; struct netr_ServerAuthenticate2 a; - struct creds_CredentialState *creds_state; + struct netlogon_creds_CredentialState *creds_state; struct netr_Credential netr_cred; struct samr_Password mach_pw; struct smbcli_state *cli; @@ -2155,11 +2157,6 @@ bool torture_samba3_rpc_randomauth2(struct torture_context *torture) negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS; E_md4hash("foobar", mach_pw.hash); - creds_state = talloc(mem_ctx, struct creds_CredentialState); - creds_client_init(creds_state, r.in.credentials, - r.out.return_credentials, &mach_pw, - &netr_cred, negotiate_flags); - a.in.server_name = talloc_asprintf( mem_ctx, "\\\\%s", dcerpc_server_name(net_pipe)); a.in.account_name = talloc_asprintf( @@ -2171,6 +2168,14 @@ bool torture_samba3_rpc_randomauth2(struct torture_context *torture) a.in.credentials = &netr_cred; a.out.return_credentials = &netr_cred; + creds_state = netlogon_creds_client_init(mem_ctx, + a.in.account_name, + a.in.computer_name, + r.in.credentials, + r.out.return_credentials, &mach_pw, + &netr_cred, negotiate_flags); + + status = dcerpc_netr_ServerAuthenticate2(net_pipe, mem_ctx, &a); if (!NT_STATUS_EQUAL(status, NT_STATUS_NO_TRUST_SAM_ACCOUNT)) { diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c index ce9bf5ea6e..8318930989 100644 --- a/source4/torture/rpc/samlogon.c +++ b/source4/torture/rpc/samlogon.c @@ -63,7 +63,7 @@ struct samlogon_state { struct netr_LogonSamLogonEx r_ex; struct netr_LogonSamLogonWithFlags r_flags; struct netr_Authenticator auth, auth2; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; NTSTATUS expected_error; bool old_password; /* Allow an old password to be accepted or rejected without error, as well as session key bugs */ DATA_BLOB chall; @@ -153,12 +153,12 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, switch (samlogon_state->function_level) { case NDR_NETR_LOGONSAMLOGON: ZERO_STRUCT(samlogon_state->auth2); - creds_client_authenticator(samlogon_state->creds, &samlogon_state->auth); + netlogon_creds_client_authenticator(samlogon_state->creds, &samlogon_state->auth); r->out.return_authenticator = NULL; status = dcerpc_netr_LogonSamLogon(samlogon_state->p, samlogon_state->mem_ctx, r); if (!r->out.return_authenticator || - !creds_client_check(samlogon_state->creds, &r->out.return_authenticator->cred)) { + !netlogon_creds_client_check(samlogon_state->creds, &r->out.return_authenticator->cred)) { d_printf("Credential chaining failed\n"); } if (!NT_STATUS_IS_OK(status)) { @@ -170,7 +170,7 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, validation_level = r->in.validation_level; - creds_decrypt_samlogon(samlogon_state->creds, validation_level, r->out.validation); + netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r->out.validation); switch (validation_level) { case 2: @@ -195,7 +195,7 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, validation_level = r_ex->in.validation_level; - creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_ex->out.validation); + netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_ex->out.validation); switch (validation_level) { case 2: @@ -211,12 +211,12 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, break; case NDR_NETR_LOGONSAMLOGONWITHFLAGS: ZERO_STRUCT(samlogon_state->auth2); - creds_client_authenticator(samlogon_state->creds, &samlogon_state->auth); + netlogon_creds_client_authenticator(samlogon_state->creds, &samlogon_state->auth); r_flags->out.return_authenticator = NULL; status = dcerpc_netr_LogonSamLogonWithFlags(samlogon_state->p, samlogon_state->mem_ctx, r_flags); if (!r_flags->out.return_authenticator || - !creds_client_check(samlogon_state->creds, &r_flags->out.return_authenticator->cred)) { + !netlogon_creds_client_check(samlogon_state->creds, &r_flags->out.return_authenticator->cred)) { d_printf("Credential chaining failed\n"); } if (!NT_STATUS_IS_OK(status)) { @@ -228,7 +228,7 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, validation_level = r_flags->in.validation_level; - creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_flags->out.validation); + netlogon_creds_decrypt_samlogon(samlogon_state->creds, validation_level, r_flags->out.validation); switch (validation_level) { case 2: @@ -1314,7 +1314,7 @@ static const struct ntlm_tests { */ static bool test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, struct torture_context *tctx, - struct creds_CredentialState *creds, + struct netlogon_creds_CredentialState *creds, const char *comment, const char *account_domain, const char *account_name, const char *plain_pass, uint32_t parameter_control, @@ -1429,7 +1429,7 @@ static bool test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, test an ADS style interactive domain logon */ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - struct creds_CredentialState *creds, + struct netlogon_creds_CredentialState *creds, const char *comment, const char *workstation_name, const char *account_domain, const char *account_name, @@ -1454,7 +1454,7 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, ZERO_STRUCT(logon); ZERO_STRUCT(validation); - creds_client_authenticator(creds, &a); + netlogon_creds_client_authenticator(creds, &a); logon.password = &pinfo; @@ -1483,18 +1483,18 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, E_md4hash(plain_pass, pinfo.ntpassword.hash); if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) { - creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16); - creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16); + netlogon_creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16); + netlogon_creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16); } else { - creds_des_encrypt(creds, &pinfo.lmpassword); - creds_des_encrypt(creds, &pinfo.ntpassword); + netlogon_creds_des_encrypt(creds, &pinfo.lmpassword); + netlogon_creds_des_encrypt(creds, &pinfo.ntpassword); } d_printf("Testing netr_LogonSamLogonWithFlags '%s' (Interactive Logon)\n", comment); status = dcerpc_netr_LogonSamLogonWithFlags(p, fn_ctx, &r); if (!r.out.return_authenticator - || !creds_client_check(creds, &r.out.return_authenticator->cred)) { + || !netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { d_printf("Credential chaining failed\n"); talloc_free(fn_ctx); return false; @@ -1540,7 +1540,7 @@ bool torture_rpc_samlogon(struct torture_context *torture) 0 /* yes, this is a valid flag, causes the use of DES */ }; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; test_machine_account = talloc_asprintf(mem_ctx, "%s$", TEST_MACHINE_NAME); /* We only need to join as a workstation here, and in future, diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index 8af9867528..7b4e85195b 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -2632,7 +2632,7 @@ static bool test_QueryUserInfo_pwdlastset(struct dcerpc_pipe *p, static bool test_SamLogon_Creds(struct dcerpc_pipe *p, struct torture_context *tctx, struct cli_credentials *machine_credentials, struct cli_credentials *test_credentials, - struct creds_CredentialState *creds, + struct netlogon_creds_CredentialState *creds, NTSTATUS expected_result) { NTSTATUS status; @@ -2700,7 +2700,7 @@ static bool test_SamLogon_Creds(struct dcerpc_pipe *p, struct torture_context *t d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string); ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.validation_level = 2; @@ -2712,7 +2712,7 @@ static bool test_SamLogon_Creds(struct dcerpc_pipe *p, struct torture_context *t torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed"); } - torture_assert(tctx, creds_client_check(creds, &r.out.return_authenticator->cred), + torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); return true; @@ -2724,7 +2724,7 @@ static bool test_SamLogon(struct torture_context *tctx, struct cli_credentials *test_credentials, NTSTATUS expected_result) { - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) { return false; diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c index 00798214f3..ee11ede83f 100644 --- a/source4/torture/rpc/samsync.c +++ b/source4/torture/rpc/samsync.c @@ -47,7 +47,7 @@ try a netlogon SamLogon */ static NTSTATUS test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - struct creds_CredentialState *creds, + struct netlogon_creds_CredentialState *creds, const char *domain, const char *account_name, const char *workstation, struct samr_Password *lm_hash, @@ -100,13 +100,13 @@ static NTSTATUS test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, r.out.authoritative = &authoritative; ZERO_STRUCT(auth2); - creds_client_authenticator(creds, &auth); + netlogon_creds_client_authenticator(creds, &auth); r.in.validation_level = 3; status = dcerpc_netr_LogonSamLogon(p, mem_ctx, &r); - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { printf("Credential chaining failed\n"); } @@ -123,8 +123,8 @@ struct samsync_state { const char *domain_name[2]; struct samsync_secret *secrets; struct samsync_trusted_domain *trusted_domains; - struct creds_CredentialState *creds; - struct creds_CredentialState *creds_netlogon_wksta; + struct netlogon_creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds_netlogon_wksta; struct policy_handle *connect_handle; struct policy_handle *domain_handle[2]; struct dom_sid *sid[2]; @@ -578,7 +578,7 @@ static bool samsync_handle_user(struct torture_context *tctx, TALLOC_CTX *mem_ct enum ndr_err_code ndr_err; data.data = user->user_private_info.SensitiveData; data.length = user->user_private_info.DataLength; - creds_arcfour_crypt(samsync_state->creds, data.data, data.length); + netlogon_creds_arcfour_crypt(samsync_state->creds, data.data, data.length); ndr_err = ndr_pull_struct_blob(&data, mem_ctx, lp_iconv_convenience(tctx->lp_ctx), &keys, (ndr_pull_flags_fn_t)ndr_pull_netr_USER_KEYS); if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { if (keys.keys.keys2.lmpassword.length == 16) { @@ -843,10 +843,10 @@ static bool samsync_handle_secret(TALLOC_CTX *mem_ctx, struct samsync_state *sam DATA_BLOB lsa_blob1, lsa_blob_out, session_key; NTSTATUS status; - creds_arcfour_crypt(samsync_state->creds, secret->current_cipher.cipher_data, + netlogon_creds_arcfour_crypt(samsync_state->creds, secret->current_cipher.cipher_data, secret->current_cipher.maxlen); - creds_arcfour_crypt(samsync_state->creds, secret->old_cipher.cipher_data, + netlogon_creds_arcfour_crypt(samsync_state->creds, secret->old_cipher.cipher_data, secret->old_cipher.maxlen); nsec->name = talloc_reference(nsec, name); @@ -1182,7 +1182,7 @@ static bool test_DatabaseSync(struct torture_context *tctx, do { loop_ctx = talloc_named(mem_ctx, 0, "DatabaseSync loop context"); - creds_client_authenticator(samsync_state->creds, &credential); + netlogon_creds_client_authenticator(samsync_state->creds, &credential); r.in.credential = &credential; @@ -1194,7 +1194,7 @@ static bool test_DatabaseSync(struct torture_context *tctx, break; } - if (!creds_client_check(samsync_state->creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(samsync_state->creds, &r.out.return_authenticator->cred)) { printf("Credential chaining failed\n"); } @@ -1395,7 +1395,7 @@ static bool test_DatabaseDeltas(struct samsync_state *samsync_state, TALLOC_CTX do { loop_ctx = talloc_named(mem_ctx, 0, "test_DatabaseDeltas loop context"); - creds_client_authenticator(samsync_state->creds, &credential); + netlogon_creds_client_authenticator(samsync_state->creds, &credential); status = dcerpc_netr_DatabaseDeltas(samsync_state->p, loop_ctx, &r); if (!NT_STATUS_IS_OK(status) && @@ -1405,7 +1405,7 @@ static bool test_DatabaseDeltas(struct samsync_state *samsync_state, TALLOC_CTX ret = false; } - if (!creds_client_check(samsync_state->creds, &return_authenticator.cred)) { + if (!netlogon_creds_client_check(samsync_state->creds, &return_authenticator.cred)) { printf("Credential chaining failed\n"); } @@ -1422,7 +1422,7 @@ static bool test_DatabaseDeltas(struct samsync_state *samsync_state, TALLOC_CTX try a netlogon DatabaseSync2 */ static bool test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - struct creds_CredentialState *creds) + struct netlogon_creds_CredentialState *creds) { NTSTATUS status; TALLOC_CTX *loop_ctx; @@ -1455,7 +1455,7 @@ static bool test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, do { loop_ctx = talloc_named(mem_ctx, 0, "test_DatabaseSync2 loop context"); - creds_client_authenticator(creds, &credential); + netlogon_creds_client_authenticator(creds, &credential); r.in.credential = &credential; @@ -1466,7 +1466,7 @@ static bool test_DatabaseSync2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, ret = false; } - if (!creds_client_check(creds, &r.out.return_authenticator->cred)) { + if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { printf("Credential chaining failed\n"); } diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c index bc3cbeac3b..fc0087e4d3 100644 --- a/source4/torture/rpc/schannel.c +++ b/source4/torture/rpc/schannel.c @@ -43,7 +43,7 @@ */ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx, struct cli_credentials *credentials, - struct creds_CredentialState *creds) + struct netlogon_creds_CredentialState *creds) { NTSTATUS status; struct netr_LogonSamLogonEx r; @@ -259,7 +259,7 @@ static bool test_schannel(struct torture_context *tctx, struct dcerpc_pipe *p_netlogon3 = NULL; struct dcerpc_pipe *p_samr2 = NULL; struct dcerpc_pipe *p_lsa = NULL; - struct creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds; struct cli_credentials *credentials; join_ctx = torture_join_domain(tctx, @@ -765,7 +765,7 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture) { struct netr_ServerPasswordSet pwset; char *password = generate_random_str(s->join_ctx1, 8); - struct creds_CredentialState *creds_state; + struct netlogon_creds_CredentialState *creds_state; struct dcerpc_pipe *net_pipe; struct netr_Authenticator credential, return_authenticator; struct samr_Password new_password; @@ -793,14 +793,14 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture) creds_state = cli_credentials_get_netlogon_creds( s->wks_creds1); - creds_des_encrypt(creds_state, &new_password); - creds_client_authenticator(creds_state, &credential); + netlogon_creds_des_encrypt(creds_state, &new_password); + netlogon_creds_client_authenticator(creds_state, &credential); status = dcerpc_netr_ServerPasswordSet(net_pipe, torture, &pwset); torture_assert_ntstatus_ok(torture, status, "ServerPasswordSet failed"); - if (!creds_client_check(creds_state, + if (!netlogon_creds_client_check(creds_state, &pwset.out.return_authenticator->cred)) { printf("Credential chaining failed\n"); } diff --git a/source4/winbind/wb_sam_logon.c b/source4/winbind/wb_sam_logon.c index 5ceb6e4af0..fa3d6032c8 100644 --- a/source4/winbind/wb_sam_logon.c +++ b/source4/winbind/wb_sam_logon.c @@ -36,7 +36,7 @@ struct wb_sam_logon_state { struct winbind_SamLogon *req; - struct creds_CredentialState *creds_state; + struct netlogon_creds_CredentialState *creds_state; struct netr_Authenticator auth1, auth2; TALLOC_CTX *r_mem_ctx; @@ -86,7 +86,7 @@ static void wb_sam_logon_recv_domain(struct composite_context *creq) if (!composite_is_ok(s->ctx)) return; s->creds_state = cli_credentials_get_netlogon_creds(domain->libnet_ctx->cred); - creds_client_authenticator(s->creds_state, &s->auth1); + netlogon_creds_client_authenticator(s->creds_state, &s->auth1); s->r.in.server_name = talloc_asprintf(s, "\\\\%s", dcerpc_server_name(domain->netlogon_pipe)); @@ -135,8 +135,8 @@ static void wb_sam_logon_recv_samlogon(struct rpc_request *req) if (!composite_is_ok(s->ctx)) return; if ((s->r.out.return_authenticator == NULL) || - (!creds_client_check(s->creds_state, - &s->r.out.return_authenticator->cred))) { + (!netlogon_creds_client_check(s->creds_state, + &s->r.out.return_authenticator->cred))) { DEBUG(0, ("Credentials check failed!\n")); composite_error(s->ctx, NT_STATUS_ACCESS_DENIED); return; @@ -145,9 +145,9 @@ static void wb_sam_logon_recv_samlogon(struct rpc_request *req) /* Decrypt the session keys before we reform the info3, so the * person on the other end of winbindd pipe doesn't have to. * They won't have the encryption key anyway */ - creds_decrypt_samlogon(s->creds_state, - s->r.in.validation_level, - s->r.out.validation); + netlogon_creds_decrypt_samlogon(s->creds_state, + s->r.in.validation_level, + s->r.out.validation); composite_done(s->ctx); } -- cgit