NTSTATUS rpccli_create_netlogon_creds_with_creds(struct cli_credentials *creds,
const char *server_computer,
struct messaging_context *msg_ctx,
TALLOC_CTX *mem_ctx,
struct netlogon_creds_cli_context **netlogon_creds)
{
enum netr_SchannelType sec_chan_type;
const char *server_netbios_domain;
const char *client_account;
sec_chan_type = cli_credentials_get_secure_channel_type(creds);
if (sec_chan_type == SEC_CHAN_NULL) {
return NT_STATUS_INVALID_PARAMETER_MIX;
}
client_account = cli_credentials_get_username(creds);
server_netbios_domain = cli_credentials_get_domain(creds);
return rpccli_create_netlogon_creds(server_computer,
server_netbios_domain,
client_account,
sec_chan_type,
msg_ctx, mem_ctx,
netlogon_creds);
}
/**
* Obtain the client principal for this credentials context.
* @param cred credentials context
* @retval The username set on this context.
* @note Return value will never be NULL except by programmer error.
*/
const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
{
if (cred->machine_account_pending) {
cli_credentials_set_machine_account(cred);
}
if (cred->principal_obtained == CRED_CALLBACK &&
!cred->callback_running) {
cred->callback_running = True;
cred->principal = cred->principal_cb(cred);
cred->callback_running = False;
cred->principal_obtained = CRED_SPECIFIED;
}
if (cred->principal_obtained < cred->username_obtained) {
if (cred->domain_obtained > cred->realm_obtained) {
return talloc_asprintf(mem_ctx, "%s@%s",
cli_credentials_get_username(cred),
cli_credentials_get_domain(cred));
} else {
return talloc_asprintf(mem_ctx, "%s@%s",
cli_credentials_get_username(cred),
cli_credentials_get_realm(cred));
}
}
return talloc_reference(mem_ctx, cred->principal);
}
NTSTATUS rpccli_create_netlogon_creds_ctx(
struct cli_credentials *creds,
const char *server_computer,
struct messaging_context *msg_ctx,
TALLOC_CTX *mem_ctx,
struct netlogon_creds_cli_context **creds_ctx)
{
enum netr_SchannelType sec_chan_type;
const char *server_netbios_domain;
const char *server_dns_domain;
const char *client_account;
sec_chan_type = cli_credentials_get_secure_channel_type(creds);
client_account = cli_credentials_get_username(creds);
server_netbios_domain = cli_credentials_get_domain(creds);
server_dns_domain = cli_credentials_get_realm(creds);
return rpccli_create_netlogon_creds(server_computer,
server_netbios_domain,
server_dns_domain,
client_account,
sec_chan_type,
msg_ctx, mem_ctx,
creds_ctx);
}
/**
* Fill in credentials for a particular principal, from the secrets database.
*
* @param cred Credentials structure to fill in
* @retval NTSTATUS error detailing any failure
*/
_PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
const char *serviceprincipal)
{
NTSTATUS status;
char *filter;
char *error_string = NULL;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
* any more */
cred->machine_account_pending = false;
filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH,
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred),
serviceprincipal);
status = cli_credentials_set_secrets_lct(cred, lp_ctx, NULL,
SECRETS_PRINCIPALS_DN, filter,
0, NULL, &error_string);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not find %s principal in secrets database: %s: %s\n",
serviceprincipal, nt_errstr(status),
error_string ? error_string : "<no error>"));
}
return status;
}
/**
* Obtain the client principal for this credentials context.
* @param cred credentials context
* @retval The username set on this context.
* @note Return value will never be NULL except by programmer error.
*/
_PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, enum credentials_obtained *obtained)
{
if (cred->machine_account_pending) {
cli_credentials_set_machine_account(cred,
cred->machine_account_pending_lp_ctx);
}
if (cred->principal_obtained == CRED_CALLBACK &&
!cred->callback_running) {
cred->callback_running = true;
cred->principal = cred->principal_cb(cred);
cred->callback_running = false;
if (cred->principal_obtained == CRED_CALLBACK) {
cred->principal_obtained = CRED_CALLBACK_RESULT;
cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
}
}
if (cred->principal_obtained < cred->username_obtained
|| cred->principal_obtained < MAX(cred->domain_obtained, cred->realm_obtained)) {
if (cred->domain_obtained > cred->realm_obtained) {
*obtained = MIN(cred->domain_obtained, cred->username_obtained);
return talloc_asprintf(mem_ctx, "%s@%s",
cli_credentials_get_username(cred),
cli_credentials_get_domain(cred));
} else {
*obtained = MIN(cred->domain_obtained, cred->username_obtained);
return talloc_asprintf(mem_ctx, "%s@%s",
cli_credentials_get_username(cred),
cli_credentials_get_realm(cred));
}
}
*obtained = cred->principal_obtained;
return talloc_strdup(mem_ctx, cred->principal);
}
static int ejs_net_join_domain(MprVarHandle eid, int argc, struct MprVar **argv)
{
TALLOC_CTX *mem_ctx;
struct libnet_context *ctx;
struct libnet_Join *join;
NTSTATUS status;
ctx = mprGetThisPtr(eid, "ctx");
mem_ctx = talloc_new(mprMemCtx());
join = talloc(mem_ctx, struct libnet_Join);
if (!join) {
talloc_free(mem_ctx);
return -1;
}
/* prepare parameters for the join */
join->in.netbios_name = NULL;
join->in.join_type = SEC_CHAN_WKSTA;
join->in.domain_name = cli_credentials_get_domain(ctx->cred);
join->in.level = LIBNET_JOIN_AUTOMATIC;
join->out.error_string = NULL;
if (argc == 1 && argv[0]->type == MPR_TYPE_OBJECT) {
MprVar *netbios_name = mprGetProperty(argv[0], "netbios_name", NULL);
MprVar *domain_name = mprGetProperty(argv[0], "domain_name", NULL);
MprVar *join_type = mprGetProperty(argv[0], "join_type", NULL);
if (netbios_name) {
join->in.netbios_name = mprToString(netbios_name);
}
if (domain_name) {
join->in.domain_name = mprToString(domain_name);
}
if (join_type) {
join->in.join_type = mprToInt(join_type);
}
}
if (!join->in.domain_name) {
ejsSetErrorMsg(eid, "a domain must be specified for to join");
talloc_free(mem_ctx);
return -1;
}
/* do the domain join */
status = libnet_Join(ctx, join, join);
if (!NT_STATUS_IS_OK(status)) {
MprVar error_string = mprString(join->out.error_string);
mprSetPropertyValue(argv[0], "error_string", error_string);
mpr_Return(eid, mprCreateBoolVar(False));
} else {
mpr_Return(eid, mprCreateBoolVar(True));
}
talloc_free(mem_ctx);
return 0;
}
BOOL lsa_domain_opened(struct libnet_context *ctx, const char *domain_name,
struct composite_context **parent_ctx,
struct libnet_DomainOpen *domain_open,
void (*continue_fn)(struct composite_context*),
void (*monitor)(struct monitor_msg*))
{
struct composite_context *domopen_req;
if (parent_ctx == NULL || *parent_ctx == NULL) return False;
if (domain_name == NULL) {
/*
* Try to guess the domain name from credentials,
* if it's not been explicitly specified.
*/
if (policy_handle_empty(&ctx->lsa.handle)) {
domain_open->in.type = DOMAIN_LSA;
domain_open->in.domain_name = cli_credentials_get_domain(ctx->cred);
domain_open->in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
} else {
composite_error(*parent_ctx, NT_STATUS_INVALID_PARAMETER);
/* this ensures the calling function exits and composite function error
gets noticed quickly */
return True;
}
} else {
/*
* The domain name has been specified, so check whether the same
* domain is already opened. If it is - just return NULL. Start
* opening a new domain otherwise.
*/
if (policy_handle_empty(&ctx->lsa.handle) ||
!strequal(domain_name, ctx->lsa.name)) {
domain_open->in.type = DOMAIN_LSA;
domain_open->in.domain_name = domain_name;
domain_open->in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
} else {
/* domain has already been opened and it's the same domain
as requested */
return True;
}
}
/* send request to open the domain */
domopen_req = libnet_DomainOpen_send(ctx, domain_open, monitor);
/* see the comment above to find out why true is returned here */
if (composite_nomem(domopen_req, *parent_ctx)) return True;
composite_continue(*parent_ctx, domopen_req, continue_fn, *parent_ctx);
return False;
}
static bool test_parse_string(struct torture_context *tctx)
{
struct cli_credentials *creds = cli_credentials_init_anon(tctx);
/* anonymous */
cli_credentials_parse_string(creds, "%", CRED_SPECIFIED);
torture_assert_str_equal(tctx, cli_credentials_get_domain(creds),
"", "domain");
torture_assert_str_equal(tctx, cli_credentials_get_username(creds),
"", "username");
torture_assert(tctx, cli_credentials_get_password(creds) == NULL,
"password");
/* username + password */
cli_credentials_parse_string(creds, "somebody%secret",
CRED_SPECIFIED);
torture_assert_str_equal(tctx, cli_credentials_get_domain(creds),
"", "domain");
torture_assert_str_equal(tctx, cli_credentials_get_username(creds),
"somebody", "username");
torture_assert_str_equal(tctx, cli_credentials_get_password(creds),
"secret", "password");
/* principal */
cli_credentials_parse_string(creds, "prin@styx",
CRED_SPECIFIED);
torture_assert_str_equal(tctx, cli_credentials_get_realm(creds),
"STYX", "realm");
torture_assert_str_equal(tctx,
cli_credentials_get_principal(creds, tctx),
"prin@styx", "principal");
return true;
}
static int net_password_change(struct net_context *ctx, int argc, const char **argv)
{
NTSTATUS status;
struct libnet_context *libnetctx;
union libnet_ChangePassword r;
char *password_prompt = NULL;
const char *new_password;
if (argc > 0 && argv[0]) {
new_password = argv[0];
} else {
password_prompt = talloc_asprintf(ctx, "Enter new password for account [%s\\%s]:",
cli_credentials_get_domain(ctx->credentials),
cli_credentials_get_username(ctx->credentials));
new_password = getpass(password_prompt);
}
libnetctx = libnet_context_init(ctx->event_ctx, ctx->lp_ctx);
if (!libnetctx) {
return -1;
}
libnetctx->cred = ctx->credentials;
/* prepare password change */
r.generic.level = LIBNET_CHANGE_PASSWORD_GENERIC;
r.generic.in.account_name = cli_credentials_get_username(ctx->credentials);
r.generic.in.domain_name = cli_credentials_get_domain(ctx->credentials);
r.generic.in.oldpassword = cli_credentials_get_password(ctx->credentials);
r.generic.in.newpassword = new_password;
/* do password change */
status = libnet_ChangePassword(libnetctx, ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("net_password_change: %s\n",r.generic.out.error_string));
return -1;
}
talloc_free(libnetctx);
return 0;
}
_PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
const char **username,
const char **domain)
{
if (cred->principal_obtained > cred->username_obtained) {
*domain = talloc_strdup(mem_ctx, "");
*username = cli_credentials_get_principal(cred, mem_ctx);
} else {
*domain = cli_credentials_get_domain(cred);
*username = cli_credentials_get_username(cred);
}
}
/**
* Fill in credentials for the machine trust account, from the secrets database.
*
* @param cred Credentials structure to fill in
* @retval NTSTATUS error detailing any failure
*/
NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred)
{
char *filter;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
* any more */
cred->machine_account_pending = False;
filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
cli_credentials_get_domain(cred));
return cli_credentials_set_secrets(cred, SECRETS_PRIMARY_DOMAIN_DN,
filter);
}
/**
* Fill in credentials for the machine trust account, from the secrets database.
*
* @param cred Credentials structure to fill in
* @retval NTSTATUS error detailing any failure
*/
NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred)
{
char *filter;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
* any more */
cred->machine_account_pending = False;
filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred));
return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN,
filter);
}
static bool test_init_anonymous(struct torture_context *tctx)
{
struct cli_credentials *creds = cli_credentials_init_anon(tctx);
torture_assert_str_equal(tctx, cli_credentials_get_domain(creds),
"", "domain");
torture_assert_str_equal(tctx, cli_credentials_get_username(creds),
"", "username");
torture_assert(tctx, cli_credentials_get_password(creds) == NULL,
"password");
return true;
}
/**
* Fill in credentials for the machine trust account, from the secrets database.
*
* @param cred Credentials structure to fill in
* @retval NTSTATUS error detailing any failure
*/
_PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
struct loadparm_context *lp_ctx)
{
NTSTATUS status;
char *filter;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
* any more */
cred->machine_account_pending = false;
filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
cli_credentials_get_domain(cred));
status = cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL,
SECRETS_PRIMARY_DOMAIN_DN,
filter);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not find machine account in secrets database: %s", nt_errstr(status)));
}
return status;
}
/**
* Fill in credentials for the machine trust account, from the secrets database.
*
* @param cred Credentials structure to fill in
* @retval NTSTATUS error detailing any failure
*/
NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx)
{
NTSTATUS status;
char *filter;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
* any more */
cred->machine_account_pending = false;
filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred));
status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
SECRETS_PRINCIPALS_DN,
filter);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not find krbtgt (master Kerberos) account in secrets database: %s", nt_errstr(status)));
}
return status;
}
static int net_user_delete(struct net_context *ctx, int argc, const char **argv)
{
NTSTATUS status;
struct libnet_context *lnet_ctx;
struct libnet_DeleteUser r;
char *user_name;
/* command line argument preparation */
switch (argc) {
case 0:
return net_user_usage(ctx, argc, argv);
break;
case 1:
user_name = talloc_strdup(ctx, argv[0]);
break;
default:
return net_user_usage(ctx, argc, argv);
}
/* libnet context init and its params */
lnet_ctx = libnet_context_init(ctx->event_ctx, ctx->lp_ctx);
if (!lnet_ctx) return -1;
lnet_ctx->cred = ctx->credentials;
/* calling DeleteUser function */
r.in.user_name = user_name;
r.in.domain_name = cli_credentials_get_domain(lnet_ctx->cred);
status = libnet_DeleteUser(lnet_ctx, ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to delete user account: %s\n",
r.out.error_string));
return -1;
}
talloc_free(lnet_ctx);
return 0;
}
static bool test_init(struct torture_context *tctx)
{
struct cli_credentials *creds = cli_credentials_init(tctx);
cli_credentials_set_domain(creds, "bla", CRED_SPECIFIED);
torture_assert_str_equal(tctx, "BLA", cli_credentials_get_domain(creds),
"domain");
cli_credentials_set_username(creds, "someuser", CRED_SPECIFIED);
torture_assert_str_equal(tctx, "someuser",
cli_credentials_get_username(creds),
"username");
cli_credentials_set_password(creds, "p4ssw0rd", CRED_SPECIFIED);
torture_assert_str_equal(tctx, "p4ssw0rd",
cli_credentials_get_password(creds),
"password");
return true;
}
/*
try a netlogon SamLogon
*/
BOOL test_netlogon_ex_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
struct cli_credentials *credentials,
struct creds_CredentialState *creds)
{
NTSTATUS status;
struct netr_LogonSamLogonEx r;
struct netr_NetworkInfo ninfo;
DATA_BLOB names_blob, chal, lm_resp, nt_resp;
int i;
BOOL ret = True;
int flags = CLI_CRED_NTLM_AUTH;
if (lp_client_lanman_auth()) {
flags |= CLI_CRED_LANMAN_AUTH;
}
if (lp_client_ntlmv2_auth()) {
flags |= CLI_CRED_NTLMv2_AUTH;
}
cli_credentials_get_ntlm_username_domain(cmdline_credentials, mem_ctx,
&ninfo.identity_info.account_name.string,
&ninfo.identity_info.domain_name.string);
generate_random_buffer(ninfo.challenge,
sizeof(ninfo.challenge));
chal = data_blob_const(ninfo.challenge,
sizeof(ninfo.challenge));
names_blob = NTLMv2_generate_names_blob(mem_ctx, cli_credentials_get_workstation(credentials),
cli_credentials_get_domain(credentials));
status = cli_credentials_get_ntlm_response(cmdline_credentials, mem_ctx,
&flags,
chal,
names_blob,
&lm_resp, &nt_resp,
NULL, NULL);
if (!NT_STATUS_IS_OK(status)) {
printf("cli_credentials_get_ntlm_response failed: %s\n",
nt_errstr(status));
return False;
}
ninfo.lm.data = lm_resp.data;
ninfo.lm.length = lm_resp.length;
ninfo.nt.data = nt_resp.data;
ninfo.nt.length = nt_resp.length;
ninfo.identity_info.parameter_control = 0;
ninfo.identity_info.logon_id_low = 0;
ninfo.identity_info.logon_id_high = 0;
ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
r.in.computer_name = cli_credentials_get_workstation(credentials);
r.in.logon_level = 2;
r.in.logon.network = &ninfo;
r.in.flags = 0;
printf("Testing LogonSamLogonEx with name %s\n", ninfo.identity_info.account_name.string);
for (i=2;i<3;i++) {
r.in.validation_level = i;
status = dcerpc_netr_LogonSamLogonEx(p, mem_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
printf("LogonSamLogon failed: %s\n",
nt_errstr(status));
return False;
}
}
return ret;
}
static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
const DATA_BLOB in, DATA_BLOB *out)
{
struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
NTSTATUS status;
enum ndr_err_code ndr_err;
struct NL_AUTH_MESSAGE bind_schannel;
struct NL_AUTH_MESSAGE bind_schannel_ack;
struct netlogon_creds_CredentialState *creds;
const char *workstation;
const char *domain;
*out = data_blob(NULL, 0);
switch (gensec_security->gensec_role) {
case GENSEC_CLIENT:
if (state->state != SCHANNEL_STATE_START) {
/* we could parse the bind ack, but we don't know what it is yet */
return NT_STATUS_OK;
}
state->creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
if (state->creds == NULL) {
return NT_STATUS_INVALID_PARAMETER_MIX;
}
/*
* We need to create a reference here or we don't get
* updates performed on the credentials if we create a
* copy.
*/
state->creds = talloc_reference(state, state->creds);
if (state->creds == NULL) {
return NT_STATUS_NO_MEMORY;
}
bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
#if 0
/* to support this we'd need to have access to the full domain name */
/* 0x17, 23 */
bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
NL_FLAG_UTF8_DNS_DOMAIN_NAME |
NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
/* w2k3 refuses us if we use the full DNS workstation?
why? perhaps because we don't fill in the dNSHostName
attribute in the machine account? */
bind_schannel.utf8_netbios_computer = cli_credentials_get_workstation(gensec_security->credentials);
#else
bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
#endif
ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
(ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(3, ("Could not create schannel bind: %s\n",
nt_errstr(status)));
return status;
}
state->state = SCHANNEL_STATE_UPDATE_1;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
case GENSEC_SERVER:
if (state->state != SCHANNEL_STATE_START) {
/* no third leg on this protocol */
return NT_STATUS_INVALID_PARAMETER;
}
/* parse the schannel startup blob */
ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
(ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
nt_errstr(status)));
return status;
}
if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
domain = bind_schannel.oem_netbios_domain.a;
if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
return NT_STATUS_LOGON_FAILURE;
}
} else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
domain = bind_schannel.utf8_dns_domain.u;
if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
return NT_STATUS_LOGON_FAILURE;
}
} else {
DEBUG(3, ("Request for schannel to without domain\n"));
return NT_STATUS_LOGON_FAILURE;
}
if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
workstation = bind_schannel.oem_netbios_computer.a;
} else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
workstation = bind_schannel.utf8_netbios_computer.u;
} else {
DEBUG(3, ("Request for schannel to without netbios workstation\n"));
return NT_STATUS_LOGON_FAILURE;
}
status = schannel_get_creds_state(out_mem_ctx,
gensec_security->settings->lp_ctx,
workstation, &creds);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
workstation, nt_errstr(status)));
if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
return NT_STATUS_LOGON_FAILURE;
}
return status;
}
state->creds = talloc_steal(state, creds);
bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
bind_schannel_ack.Flags = 0;
bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
* this does not have
* any meaning here
* - gd */
ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
(ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
workstation, nt_errstr(status)));
return status;
}
state->state = SCHANNEL_STATE_UPDATE_1;
return NT_STATUS_OK;
}
return NT_STATUS_INVALID_PARAMETER;
}
/**
* Fill in credentials for the machine trust account, from the secrets database.
*
* @param cred Credentials structure to fill in
* @retval NTSTATUS error detailing any failure
*/
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
const char *base,
const char *filter)
{
TALLOC_CTX *mem_ctx;
struct ldb_context *ldb;
int ldb_ret;
struct ldb_message **msgs;
const char *attrs[] = {
"secret",
"priorSecret",
"samAccountName",
"flatname",
"realm",
"secureChannelType",
"ntPwdHash",
"msDS-KeyVersionNumber",
"saltPrincipal",
"privateKeytab",
"krb5Keytab",
NULL
};
const char *machine_account;
const char *password;
const char *old_password;
const char *domain;
const char *realm;
enum netr_SchannelType sct;
const char *salt_principal;
const char *keytab;
/* ok, we are going to get it now, don't recurse back here */
cred->machine_account_pending = False;
/* some other parts of the system will key off this */
cred->machine_account = True;
mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
/* Local secrets are stored in secrets.ldb */
ldb = secrets_db_connect(mem_ctx);
if (!ldb) {
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
DEBUG(1, ("Could not open secrets.ldb\n"));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
/* search for the secret record */
ldb_ret = gendb_search(ldb,
mem_ctx, ldb_dn_new(mem_ctx, ldb, base),
&msgs, attrs,
"%s", filter);
if (ldb_ret == 0) {
DEBUG(1, ("Could not find entry to match filter: %s\n",
filter));
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
} else if (ldb_ret != 1) {
DEBUG(1, ("Found more than one (%d) entry to match filter: %s\n",
ldb_ret, filter));
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
password = ldb_msg_find_attr_as_string(msgs[0], "secret", NULL);
old_password = ldb_msg_find_attr_as_string(msgs[0], "priorSecret", NULL);
machine_account = ldb_msg_find_attr_as_string(msgs[0], "samAccountName", NULL);
if (!machine_account) {
DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s\n",
cli_credentials_get_domain(cred)));
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
salt_principal = ldb_msg_find_attr_as_string(msgs[0], "saltPrincipal", NULL);
cli_credentials_set_salt_principal(cred, salt_principal);
sct = ldb_msg_find_attr_as_int(msgs[0], "secureChannelType", 0);
if (sct) {
cli_credentials_set_secure_channel_type(cred, sct);
}
if (!password) {
const struct ldb_val *nt_password_hash = ldb_msg_find_ldb_val(msgs[0], "ntPwdHash");
struct samr_Password hash;
ZERO_STRUCT(hash);
if (nt_password_hash) {
memcpy(hash.hash, nt_password_hash->data,
MIN(nt_password_hash->length, sizeof(hash.hash)));
cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED);
} else {
cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
}
} else {
cli_credentials_set_password(cred, password, CRED_SPECIFIED);
}
domain = ldb_msg_find_attr_as_string(msgs[0], "flatname", NULL);
if (domain) {
cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
}
realm = ldb_msg_find_attr_as_string(msgs[0], "realm", NULL);
if (realm) {
cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
}
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msgs[0], "msDS-KeyVersionNumber", 0));
/* If there was an external keytab specified by reference in
* the LDB, then use this. Otherwise we will make one up
* (chewing CPU time) from the password */
keytab = ldb_msg_find_attr_as_string(msgs[0], "krb5Keytab", NULL);
if (keytab) {
cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED);
} else {
keytab = ldb_msg_find_attr_as_string(msgs[0], "privateKeytab", NULL);
if (keytab) {
keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, keytab));
if (keytab) {
cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED);
}
}
}
talloc_free(mem_ctx);
return NT_STATUS_OK;
}
/*
old style session setup (pre NT1 protocol level)
*/
static NTSTATUS session_setup_old(struct composite_context *c,
struct smbcli_session *session,
struct smb_composite_sesssetup *io,
struct smbcli_request **req)
{
NTSTATUS nt_status;
struct sesssetup_state *state = talloc_get_type(c->private_data,
struct sesssetup_state);
const char *password = cli_credentials_get_password(io->in.credentials);
const char *domain = cli_credentials_get_domain(io->in.credentials);
/*
* domain controllers tend to reject the NTLM v2 blob
* if the netbiosname is not valid (e.g. IP address or FQDN)
* so just leave it away (as Windows client do)
*/
DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, NULL, domain);
DATA_BLOB session_key;
int flags = 0;
if (session->options.lanman_auth) {
flags |= CLI_CRED_LANMAN_AUTH;
}
if (session->options.ntlmv2_auth) {
flags |= CLI_CRED_NTLMv2_AUTH;
}
state->setup.old.level = RAW_SESSSETUP_OLD;
state->setup.old.in.bufsize = session->transport->options.max_xmit;
state->setup.old.in.mpx_max = session->transport->options.max_mux;
state->setup.old.in.vc_num = 1;
state->setup.old.in.sesskey = io->in.sesskey;
state->setup.old.in.os = "Unix";
state->setup.old.in.lanman = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
cli_credentials_get_ntlm_username_domain(io->in.credentials, state,
&state->setup.old.in.user,
&state->setup.old.in.domain);
if (session->transport->negotiate.sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state,
&flags,
session->transport->negotiate.secblob,
names_blob,
&state->setup.old.in.password,
NULL,
NULL, &session_key);
NT_STATUS_NOT_OK_RETURN(nt_status);
nt_status = smb1cli_session_set_session_key(session->smbXcli,
session_key);
data_blob_free(&session_key);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
} else if (session->options.plaintext_auth) {
state->setup.old.in.password = data_blob_talloc(state, password, strlen(password));
} else {
/* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
return NT_STATUS_INVALID_PARAMETER;
}
*req = smb_raw_sesssetup_send(session, &state->setup);
if (!*req) {
return NT_STATUS_NO_MEMORY;
}
return (*req)->status;
}
/**
* Fill in credentials for the machine trust account, from the
* secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB).
*
* This version is used in parts of the code that can link in the
* CTDB dbwrap backend, by passing down the already open handle.
*
* @param cred Credentials structure to fill in
* @param db_ctx dbwrap context for secrets.tdb
* @retval NTSTATUS error detailing any failure
*/
_PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct db_context *db_ctx)
{
NTSTATUS status;
char *filter;
char *error_string = NULL;
const char *domain;
bool secrets_tdb_password_more_recent;
time_t secrets_tdb_lct = 0;
char *secrets_tdb_password = NULL;
char *secrets_tdb_old_password = NULL;
uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL;
char *keystr;
char *keystr_upper = NULL;
TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb");
if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
}
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
* any more */
cred->machine_account_pending = false;
/* We have to do this, as the fallback in
* cli_credentials_set_secrets is to run as anonymous, so the domain is wiped */
domain = cli_credentials_get_domain(cred);
if (db_ctx) {
TDB_DATA dbuf;
keystr = talloc_asprintf(tmp_ctx, "%s/%s",
SECRETS_MACHINE_LAST_CHANGE_TIME,
domain);
keystr_upper = strupper_talloc(tmp_ctx, keystr);
status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
&dbuf);
if (NT_STATUS_IS_OK(status) && dbuf.dsize == 4) {
secrets_tdb_lct = IVAL(dbuf.dptr,0);
}
keystr = talloc_asprintf(tmp_ctx, "%s/%s",
SECRETS_MACHINE_PASSWORD,
domain);
keystr_upper = strupper_talloc(tmp_ctx, keystr);
status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
&dbuf);
if (NT_STATUS_IS_OK(status)) {
secrets_tdb_password = (char *)dbuf.dptr;
}
keystr = talloc_asprintf(tmp_ctx, "%s/%s",
SECRETS_MACHINE_PASSWORD_PREV,
domain);
keystr_upper = strupper_talloc(tmp_ctx, keystr);
status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
&dbuf);
if (NT_STATUS_IS_OK(status)) {
secrets_tdb_old_password = (char *)dbuf.dptr;
}
keystr = talloc_asprintf(tmp_ctx, "%s/%s",
SECRETS_MACHINE_SEC_CHANNEL_TYPE,
domain);
keystr_upper = strupper_talloc(tmp_ctx, keystr);
status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
&dbuf);
if (NT_STATUS_IS_OK(status) && dbuf.dsize == 4) {
secrets_tdb_secure_channel_type = IVAL(dbuf.dptr,0);
}
}
filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
domain);
status = cli_credentials_set_secrets_lct(cred, lp_ctx, NULL,
SECRETS_PRIMARY_DOMAIN_DN,
filter, secrets_tdb_lct, secrets_tdb_password, &error_string);
if (secrets_tdb_password == NULL) {
secrets_tdb_password_more_recent = false;
} else if (NT_STATUS_EQUAL(NT_STATUS_CANT_ACCESS_DOMAIN_INFO, status)
|| NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, status)) {
secrets_tdb_password_more_recent = true;
} else if (secrets_tdb_lct > cli_credentials_get_password_last_changed_time(cred)) {
secrets_tdb_password_more_recent = true;
} else if (secrets_tdb_lct == cli_credentials_get_password_last_changed_time(cred)) {
secrets_tdb_password_more_recent = strcmp(secrets_tdb_password, cli_credentials_get_password(cred)) != 0;
} else {
secrets_tdb_password_more_recent = false;
}
if (secrets_tdb_password_more_recent) {
char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
}
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
status = NT_STATUS_OK;
} else if (!NT_STATUS_IS_OK(status)) {
if (db_ctx) {
error_string
= talloc_asprintf(cred,
"Failed to fetch machine account password for %s from both "
"secrets.ldb (%s) and from %s",
domain,
error_string == NULL ? "error" : error_string,
dbwrap_name(db_ctx));
} else {
char *secrets_tdb_path;
secrets_tdb_path = lpcfg_private_db_path(tmp_ctx,
lp_ctx,
"secrets");
if (secrets_tdb_path == NULL) {
return NT_STATUS_NO_MEMORY;
}
error_string = talloc_asprintf(cred,
"Failed to fetch machine account password from "
"secrets.ldb: %s and failed to open %s",
error_string == NULL ? "error" : error_string,
secrets_tdb_path);
}
DEBUG(1, ("Could not find machine account in secrets database: %s: %s\n",
error_string == NULL ? "error" : error_string,
nt_errstr(status)));
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
}
TALLOC_FREE(tmp_ctx);
return status;
}
/*
try a netlogon SamLogon
*/
bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
struct cli_credentials *credentials,
struct netlogon_creds_CredentialState *creds)
{
NTSTATUS status;
struct netr_LogonSamLogonEx r;
struct netr_NetworkInfo ninfo;
union netr_LogonLevel logon;
union netr_Validation validation;
uint8_t authoritative = 0;
uint32_t _flags = 0;
DATA_BLOB names_blob, chal, lm_resp, nt_resp;
int i;
int flags = CLI_CRED_NTLM_AUTH;
struct dcerpc_binding_handle *b = p->binding_handle;
struct netr_UserSessionKey key;
struct netr_LMSessionKey LMSessKey;
uint32_t validation_levels[] = { 2, 3 };
struct netr_SamBaseInfo *base = NULL;
const char *crypto_alg = "";
bool can_do_validation_6 = true;
enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
if (lpcfg_client_lanman_auth(tctx->lp_ctx)) {
flags |= CLI_CRED_LANMAN_AUTH;
}
if (lpcfg_client_ntlmv2_auth(tctx->lp_ctx)) {
flags |= CLI_CRED_NTLMv2_AUTH;
}
cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
&ninfo.identity_info.account_name.string,
&ninfo.identity_info.domain_name.string);
generate_random_buffer(ninfo.challenge,
sizeof(ninfo.challenge));
chal = data_blob_const(ninfo.challenge,
sizeof(ninfo.challenge));
names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
cli_credentials_get_domain(credentials));
status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
&flags,
chal,
names_blob,
&lm_resp, &nt_resp,
NULL, NULL);
torture_assert_ntstatus_ok(tctx, status,
"cli_credentials_get_ntlm_response failed");
ninfo.lm.data = lm_resp.data;
ninfo.lm.length = lm_resp.length;
ninfo.nt.data = nt_resp.data;
ninfo.nt.length = nt_resp.length;
ninfo.identity_info.parameter_control = 0;
ninfo.identity_info.logon_id_low = 0;
ninfo.identity_info.logon_id_high = 0;
ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
logon.network = &ninfo;
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.computer_name = cli_credentials_get_workstation(credentials);
r.in.logon_level = NetlogonNetworkInformation;
r.in.logon= &logon;
r.in.flags = &_flags;
r.out.validation = &validation;
r.out.authoritative = &authoritative;
r.out.flags = &_flags;
/*
- retrieve level6
- save usrsession and lmsession key
- retrieve level 2
- calculate, compare
- retrieve level 3
- calculate, compare
*/
if (creds) {
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
crypto_alg = "AES";
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
crypto_alg = "ARCFOUR";
}
}
dcerpc_binding_handle_auth_info(b, NULL, &auth_level);
if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
r.in.validation_level = 6;
torture_comment(tctx,
"Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n",
ninfo.identity_info.account_name.string, crypto_alg,
r.in.validation_level);
torture_assert_ntstatus_ok(tctx,
dcerpc_netr_LogonSamLogonEx_r(b, tctx, &r),
"LogonSamLogonEx failed");
} else {
torture_comment(tctx,
"Skip auth_level[%u] Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n",
auth_level, ninfo.identity_info.account_name.string, crypto_alg,
r.in.validation_level);
r.out.result = NT_STATUS_INVALID_INFO_CLASS;
}
if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_INFO_CLASS)) {
can_do_validation_6 = false;
} else {
torture_assert_ntstatus_ok(tctx, r.out.result,
"LogonSamLogonEx failed");
key = r.out.validation->sam6->base.key;
LMSessKey = r.out.validation->sam6->base.LMSessKey;
DEBUG(1,("unencrypted session keys from validation_level 6:\n"));
dump_data(1, r.out.validation->sam6->base.key.key, 16);
dump_data(1, r.out.validation->sam6->base.LMSessKey.key, 8);
}
for (i=0; i < ARRAY_SIZE(validation_levels); i++) {
r.in.validation_level = validation_levels[i];
torture_comment(tctx,
"Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n",
ninfo.identity_info.account_name.string, crypto_alg,
r.in.validation_level);
torture_assert_ntstatus_ok(tctx,
dcerpc_netr_LogonSamLogonEx_r(b, tctx, &r),
"LogonSamLogonEx failed");
torture_assert_ntstatus_ok(tctx, r.out.result,
"LogonSamLogonEx failed");
if (creds == NULL) {
/* when this test is called without creds no point in
* testing the session keys */
continue;
}
switch (validation_levels[i]) {
case 2:
base = &r.out.validation->sam2->base;
break;
case 3:
base = &r.out.validation->sam3->base;
break;
default:
break;
}
DEBUG(1,("encrypted keys validation_level %d:\n",
validation_levels[i]));
dump_data(1, base->key.key, 16);
dump_data(1, base->LMSessKey.key, 8);
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
netlogon_creds_aes_decrypt(creds, base->key.key, 16);
netlogon_creds_aes_decrypt(creds, base->LMSessKey.key, 8);
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
netlogon_creds_arcfour_crypt(creds, base->key.key, 16);
netlogon_creds_arcfour_crypt(creds, base->LMSessKey.key, 8);
}
DEBUG(1,("decryped keys validation_level %d\n",
validation_levels[i]));
dump_data(1, base->key.key, 16);
dump_data(1, base->LMSessKey.key, 8);
if (!can_do_validation_6) {
/* we cant compare against unencrypted keys */
continue;
}
torture_assert_mem_equal(tctx,
base->key.key,
key.key,
16,
"unexpected user session key\n");
torture_assert_mem_equal(tctx,
base->LMSessKey.key,
LMSessKey.key,
8,
"unexpected LM session key\n");
}
return true;
}
/* Get the SID from a user */
static const struct dom_sid *get_user_sid(struct torture_context *tctx,
struct dcerpc_pipe *p,
TALLOC_CTX *mem_ctx,
const char *user)
{
struct lsa_ObjectAttribute attr;
struct lsa_QosInfo qos;
struct lsa_OpenPolicy2 r;
struct lsa_Close c;
NTSTATUS status;
struct policy_handle handle;
struct lsa_LookupNames l;
struct lsa_TransSidArray sids;
struct lsa_RefDomainList *domains = NULL;
struct lsa_String lsa_name;
uint32_t count = 0;
struct dom_sid *result;
TALLOC_CTX *tmp_ctx;
struct dcerpc_pipe *p2;
struct dcerpc_binding_handle *b;
const char *domain = cli_credentials_get_domain(cmdline_credentials);
torture_assert_ntstatus_ok(tctx,
torture_rpc_connection(tctx, &p2, &ndr_table_lsarpc),
"could not open lsarpc pipe");
b = p2->binding_handle;
if (!(tmp_ctx = talloc_new(mem_ctx))) {
return NULL;
}
qos.len = 0;
qos.impersonation_level = 2;
qos.context_mode = 1;
qos.effective_only = 0;
attr.len = 0;
attr.root_dir = NULL;
attr.object_name = NULL;
attr.attributes = 0;
attr.sec_desc = NULL;
attr.sec_qos = &qos;
r.in.system_name = "\\";
r.in.attr = &attr;
r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
r.out.handle = &handle;
status = dcerpc_lsa_OpenPolicy2_r(b, tmp_ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
torture_comment(tctx,
"OpenPolicy2 failed - %s\n",
nt_errstr(status));
talloc_free(tmp_ctx);
return NULL;
}
if (!NT_STATUS_IS_OK(r.out.result)) {
torture_comment(tctx,
"OpenPolicy2_ failed - %s\n",
nt_errstr(r.out.result));
talloc_free(tmp_ctx);
return NULL;
}
sids.count = 0;
sids.sids = NULL;
lsa_name.string = talloc_asprintf(tmp_ctx, "%s\\%s", domain, user);
l.in.handle = &handle;
l.in.num_names = 1;
l.in.names = &lsa_name;
l.in.sids = &sids;
l.in.level = 1;
l.in.count = &count;
l.out.count = &count;
l.out.sids = &sids;
l.out.domains = &domains;
status = dcerpc_lsa_LookupNames_r(b, tmp_ctx, &l);
if (!NT_STATUS_IS_OK(status)) {
torture_comment(tctx,
"LookupNames of %s failed - %s\n",
lsa_name.string,
nt_errstr(status));
talloc_free(tmp_ctx);
return NULL;
}
if (domains->count == 0) {
return NULL;
}
result = dom_sid_add_rid(mem_ctx,
domains->domains[0].sid,
l.out.sids->sids[0].rid);
c.in.handle = &handle;
c.out.handle = &handle;
status = dcerpc_lsa_Close_r(b, tmp_ctx, &c);
if (!NT_STATUS_IS_OK(status)) {
torture_comment(tctx,
"dcerpc_lsa_Close failed - %s\n",
nt_errstr(status));
talloc_free(tmp_ctx);
return NULL;
}
if (!NT_STATUS_IS_OK(c.out.result)) {
torture_comment(tctx,
"dcerpc_lsa_Close failed - %s\n",
nt_errstr(c.out.result));
talloc_free(tmp_ctx);
return NULL;
}
talloc_free(tmp_ctx);
talloc_free(p2);
torture_comment(tctx, "Get_user_sid finished\n");
return result;
}
static PyObject *py_creds_get_domain(PyObject *self, PyObject *unused)
{
return PyString_FromStringOrNULL(cli_credentials_get_domain(PyCredentials_AsCliCredentials(self)));
}
NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_SamSync *r)
{
NTSTATUS nt_status, dbsync_nt_status;
TALLOC_CTX *samsync_ctx, *loop_ctx, *delta_ctx;
struct netlogon_creds_CredentialState *creds;
struct netr_DatabaseSync dbsync;
struct netr_Authenticator credential, return_authenticator;
struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
struct cli_credentials *machine_account;
struct dcerpc_pipe *p;
struct libnet_context *machine_net_ctx;
struct libnet_RpcConnect *c;
struct libnet_SamSync_state *state;
const enum netr_SamDatabaseID database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS};
unsigned int i;
samsync_ctx = talloc_named(mem_ctx, 0, "SamSync top context");
if (!r->in.machine_account) {
machine_account = cli_credentials_init(samsync_ctx);
if (!machine_account) {
talloc_free(samsync_ctx);
return NT_STATUS_NO_MEMORY;
}
cli_credentials_set_conf(machine_account, ctx->lp_ctx);
nt_status = cli_credentials_set_machine_account(machine_account, ctx->lp_ctx);
if (!NT_STATUS_IS_OK(nt_status)) {
r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain machine account password - are we joined to the domain?");
talloc_free(samsync_ctx);
return nt_status;
}
} else {
machine_account = r->in.machine_account;
}
/* We cannot do this unless we are a BDC. Check, before we get odd errors later */
if (cli_credentials_get_secure_channel_type(machine_account) != SEC_CHAN_BDC) {
r->out.error_string
= talloc_asprintf(mem_ctx,
"Our join to domain %s is not as a BDC (%d), please rejoin as a BDC",
cli_credentials_get_domain(machine_account),
cli_credentials_get_secure_channel_type(machine_account));
talloc_free(samsync_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
c = talloc_zero(samsync_ctx, struct libnet_RpcConnect);
if (!c) {
r->out.error_string = NULL;
talloc_free(samsync_ctx);
return NT_STATUS_NO_MEMORY;
}
c->level = LIBNET_RPC_CONNECT_DC_INFO;
if (r->in.binding_string) {
c->in.binding = r->in.binding_string;
c->in.name = NULL;
} else {
c->in.binding = NULL;
c->in.name = cli_credentials_get_domain(machine_account);
}
/* prepare connect to the NETLOGON pipe of PDC */
c->in.dcerpc_iface = &ndr_table_netlogon;
/* We must do this as the machine, not as any command-line
* user. So we override the credentials in the
* libnet_context */
machine_net_ctx = talloc(samsync_ctx, struct libnet_context);
if (!machine_net_ctx) {
r->out.error_string = NULL;
talloc_free(samsync_ctx);
return NT_STATUS_NO_MEMORY;
}
*machine_net_ctx = *ctx;
machine_net_ctx->cred = machine_account;
/* connect to the NETLOGON pipe of the PDC */
nt_status = libnet_RpcConnect(machine_net_ctx, samsync_ctx, c);
if (!NT_STATUS_IS_OK(nt_status)) {
if (r->in.binding_string) {
r->out.error_string = talloc_asprintf(mem_ctx,
"Connection to NETLOGON pipe of DC %s failed: %s",
r->in.binding_string, c->out.error_string);
} else {
r->out.error_string = talloc_asprintf(mem_ctx,
"Connection to NETLOGON pipe of DC for %s failed: %s",
c->in.name, c->out.error_string);
}
talloc_free(samsync_ctx);
return nt_status;
}
/* This makes a new pipe, on which we can do schannel. We
* should do this in the RpcConnect code, but the abstaction
* layers do not suit yet */
nt_status = dcerpc_secondary_connection(c->out.dcerpc_pipe, &p,
c->out.dcerpc_pipe->binding);
if (!NT_STATUS_IS_OK(nt_status)) {
r->out.error_string = talloc_asprintf(mem_ctx,
"Secondary connection to NETLOGON pipe of DC %s failed: %s",
dcerpc_server_name(p), nt_errstr(nt_status));
talloc_free(samsync_ctx);
return nt_status;
}
nt_status = dcerpc_bind_auth_schannel(samsync_ctx, p, &ndr_table_netlogon,
machine_account, ctx->lp_ctx, DCERPC_AUTH_LEVEL_PRIVACY);
if (!NT_STATUS_IS_OK(nt_status)) {
r->out.error_string = talloc_asprintf(mem_ctx,
"SCHANNEL authentication to NETLOGON pipe of DC %s failed: %s",
dcerpc_server_name(p), nt_errstr(nt_status));
talloc_free(samsync_ctx);
return nt_status;
}
state = talloc(samsync_ctx, struct libnet_SamSync_state);
if (!state) {
r->out.error_string = NULL;
talloc_free(samsync_ctx);
return nt_status;
}
state->domain_name = c->out.domain_name;
state->domain_sid = c->out.domain_sid;
state->realm = c->out.realm;
state->domain_guid = c->out.guid;
state->machine_net_ctx = machine_net_ctx;
state->netlogon_pipe = p;
/* initialise the callback layer. It may wish to contact the
* server with ldap, now we know the name */
if (r->in.init_fn) {
char *error_string;
nt_status = r->in.init_fn(samsync_ctx,
r->in.fn_ctx,
state,
&error_string);
if (!NT_STATUS_IS_OK(nt_status)) {
r->out.error_string = talloc_steal(mem_ctx, error_string);
talloc_free(samsync_ctx);
return nt_status;
}
}
/* get NETLOGON credentials */
nt_status = dcerpc_schannel_creds(p->conn->security_state.generic_state, samsync_ctx, &creds);
if (!NT_STATUS_IS_OK(nt_status)) {
r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from DCERPC/GENSEC layer");
talloc_free(samsync_ctx);
return nt_status;
}
/* Setup details for the synchronisation */
ZERO_STRUCT(return_authenticator);
dbsync.in.logon_server = talloc_asprintf(samsync_ctx, "\\\\%s", dcerpc_server_name(p));
dbsync.in.computername = cli_credentials_get_workstation(machine_account);
dbsync.in.preferredmaximumlength = (uint32_t)-1;
dbsync.in.return_authenticator = &return_authenticator;
dbsync.out.return_authenticator = &return_authenticator;
dbsync.out.delta_enum_array = &delta_enum_array;
for (i=0;i< ARRAY_SIZE(database_ids); i++) {
uint32_t sync_context = 0;
dbsync.in.database_id = database_ids[i];
dbsync.in.sync_context = &sync_context;
dbsync.out.sync_context = &sync_context;
do {
uint32_t d;
loop_ctx = talloc_named(samsync_ctx, 0, "DatabaseSync loop context");
netlogon_creds_client_authenticator(creds, &credential);
dbsync.in.credential = &credential;
dbsync_nt_status = dcerpc_netr_DatabaseSync_r(p->binding_handle, loop_ctx, &dbsync);
if (NT_STATUS_IS_OK(dbsync_nt_status) && !NT_STATUS_IS_OK(dbsync.out.result)) {
dbsync_nt_status = dbsync.out.result;
}
if (!NT_STATUS_IS_OK(dbsync_nt_status) &&
!NT_STATUS_EQUAL(dbsync_nt_status, STATUS_MORE_ENTRIES)) {
r->out.error_string = talloc_asprintf(mem_ctx, "DatabaseSync failed - %s", nt_errstr(nt_status));
talloc_free(samsync_ctx);
return nt_status;
}
if (!netlogon_creds_client_check(creds, &dbsync.out.return_authenticator->cred)) {
r->out.error_string = talloc_strdup(mem_ctx, "Credential chaining on incoming DatabaseSync failed");
talloc_free(samsync_ctx);
return NT_STATUS_ACCESS_DENIED;
}
dbsync.in.sync_context = dbsync.out.sync_context;
/* For every single remote 'delta' entry: */
for (d=0; d < delta_enum_array->num_deltas; d++) {
char *error_string = NULL;
delta_ctx = talloc_named(loop_ctx, 0, "DatabaseSync delta context");
/* 'Fix' elements, by decrypting and
* de-obfuscating the data */
nt_status = samsync_fix_delta(delta_ctx,
creds,
dbsync.in.database_id,
&delta_enum_array->delta_enum[d]);
if (!NT_STATUS_IS_OK(nt_status)) {
r->out.error_string = talloc_steal(mem_ctx, error_string);
talloc_free(samsync_ctx);
return nt_status;
}
/* Now call the callback. This will
* do something like print the data or
* write to an ldb */
nt_status = r->in.delta_fn(delta_ctx,
r->in.fn_ctx,
dbsync.in.database_id,
&delta_enum_array->delta_enum[d],
&error_string);
if (!NT_STATUS_IS_OK(nt_status)) {
r->out.error_string = talloc_steal(mem_ctx, error_string);
talloc_free(samsync_ctx);
return nt_status;
}
talloc_free(delta_ctx);
}
talloc_free(loop_ctx);
} while (NT_STATUS_EQUAL(dbsync_nt_status, STATUS_MORE_ENTRIES));
if (!NT_STATUS_IS_OK(dbsync_nt_status)) {
r->out.error_string = talloc_asprintf(mem_ctx, "libnet_SamSync_netlogon failed: unexpected inconsistancy. Should not get error %s here", nt_errstr(nt_status));
talloc_free(samsync_ctx);
return dbsync_nt_status;
}
nt_status = NT_STATUS_OK;
}
talloc_free(samsync_ctx);
return nt_status;
}
/*
send a nt1 style session setup
*/
static NTSTATUS session_setup_nt1(struct composite_context *c,
struct smbcli_session *session,
struct smb_composite_sesssetup *io,
struct smbcli_request **req)
{
NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, session->transport->socket->hostname, cli_credentials_get_domain(io->in.credentials));
DATA_BLOB session_key = data_blob(NULL, 0);
int flags = CLI_CRED_NTLM_AUTH;
smbcli_temp_set_signing(session->transport);
if (session->options.lanman_auth) {
flags |= CLI_CRED_LANMAN_AUTH;
}
if (session->options.ntlmv2_auth) {
flags |= CLI_CRED_NTLMv2_AUTH;
}
state->setup.nt1.level = RAW_SESSSETUP_NT1;
state->setup.nt1.in.bufsize = session->transport->options.max_xmit;
state->setup.nt1.in.mpx_max = session->transport->options.max_mux;
state->setup.nt1.in.vc_num = 1;
state->setup.nt1.in.sesskey = io->in.sesskey;
state->setup.nt1.in.capabilities = io->in.capabilities;
state->setup.nt1.in.os = "Unix";
state->setup.nt1.in.lanman = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
cli_credentials_get_ntlm_username_domain(io->in.credentials, state,
&state->setup.nt1.in.user,
&state->setup.nt1.in.domain);
if (session->transport->negotiate.sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state,
&flags,
session->transport->negotiate.secblob,
names_blob,
&state->setup.nt1.in.password1,
&state->setup.nt1.in.password2,
NULL, &session_key);
NT_STATUS_NOT_OK_RETURN(nt_status);
} else if (session->options.plaintext_auth) {
const char *password = cli_credentials_get_password(io->in.credentials);
state->setup.nt1.in.password1 = data_blob_talloc(state, password, strlen(password));
state->setup.nt1.in.password2 = data_blob(NULL, 0);
} else {
/* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
return NT_STATUS_INVALID_PARAMETER;
}
*req = smb_raw_sesssetup_send(session, &state->setup);
if (!*req) {
return NT_STATUS_NO_MEMORY;
}
if (NT_STATUS_IS_OK(nt_status)) {
smbcli_transport_simple_set_signing(session->transport, session_key,
state->setup.nt1.in.password2);
set_user_session_key(session, &session_key);
data_blob_free(&session_key);
}
return (*req)->status;
}
static int net_password_set(struct net_context *ctx, int argc, const char **argv)
{
NTSTATUS status;
struct libnet_context *libnetctx;
union libnet_SetPassword r;
char *password_prompt = NULL;
char *p;
char *tmp;
const char *account_name;
const char *domain_name;
const char *new_password = NULL;
switch (argc) {
case 0: /* no args -> fail */
return net_password_set_usage(ctx, argc, argv);
case 1: /* only DOM\\user; prompt for password */
tmp = talloc_strdup(ctx, argv[0]);
break;
case 2: /* DOM\\USER and password */
tmp = talloc_strdup(ctx, argv[0]);
new_password = argv[1];
break;
default: /* too mayn args -> fail */
DEBUG(0,("net_password_set: too many args [%d]\n",argc));
return net_password_usage(ctx, argc, argv);
}
if ((p = strchr_m(tmp,'\\'))) {
*p = 0;
domain_name = tmp;
account_name = talloc_strdup(ctx, p+1);
} else {
account_name = tmp;
domain_name = cli_credentials_get_domain(ctx->credentials);
}
if (!new_password) {
password_prompt = talloc_asprintf(ctx, "Enter new password for account [%s\\%s]:",
domain_name, account_name);
new_password = getpass(password_prompt);
}
libnetctx = libnet_context_init(ctx->event_ctx, ctx->lp_ctx);
if (!libnetctx) {
return -1;
}
libnetctx->cred = ctx->credentials;
/* prepare password change */
r.generic.level = LIBNET_SET_PASSWORD_GENERIC;
r.generic.in.account_name = account_name;
r.generic.in.domain_name = domain_name;
r.generic.in.newpassword = new_password;
/* do password change */
status = libnet_SetPassword(libnetctx, ctx, &r);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("net_password_set: %s\n",r.generic.out.error_string));
return -1;
}
talloc_free(libnetctx);
return 0;
}
/*
try a netlogon SamLogon
*/
bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
struct cli_credentials *credentials,
struct netlogon_creds_CredentialState *creds)
{
NTSTATUS status;
struct netr_LogonSamLogonEx r;
struct netr_NetworkInfo ninfo;
union netr_LogonLevel logon;
union netr_Validation validation;
uint8_t authoritative = 0;
uint32_t _flags = 0;
DATA_BLOB names_blob, chal, lm_resp, nt_resp;
int i;
int flags = CLI_CRED_NTLM_AUTH;
struct dcerpc_binding_handle *b = p->binding_handle;
if (lpcfg_client_lanman_auth(tctx->lp_ctx)) {
flags |= CLI_CRED_LANMAN_AUTH;
}
if (lpcfg_client_ntlmv2_auth(tctx->lp_ctx)) {
flags |= CLI_CRED_NTLMv2_AUTH;
}
cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
&ninfo.identity_info.account_name.string,
&ninfo.identity_info.domain_name.string);
generate_random_buffer(ninfo.challenge,
sizeof(ninfo.challenge));
chal = data_blob_const(ninfo.challenge,
sizeof(ninfo.challenge));
names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(credentials),
cli_credentials_get_domain(credentials));
status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
&flags,
chal,
names_blob,
&lm_resp, &nt_resp,
NULL, NULL);
torture_assert_ntstatus_ok(tctx, status,
"cli_credentials_get_ntlm_response failed");
ninfo.lm.data = lm_resp.data;
ninfo.lm.length = lm_resp.length;
ninfo.nt.data = nt_resp.data;
ninfo.nt.length = nt_resp.length;
ninfo.identity_info.parameter_control = 0;
ninfo.identity_info.logon_id_low = 0;
ninfo.identity_info.logon_id_high = 0;
ninfo.identity_info.workstation.string = cli_credentials_get_workstation(credentials);
logon.network = &ninfo;
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.computer_name = cli_credentials_get_workstation(credentials);
r.in.logon_level = 2;
r.in.logon= &logon;
r.in.flags = &_flags;
r.out.validation = &validation;
r.out.authoritative = &authoritative;
r.out.flags = &_flags;
torture_comment(tctx,
"Testing LogonSamLogonEx with name %s\n",
ninfo.identity_info.account_name.string);
for (i=2;i<3;i++) {
r.in.validation_level = i;
torture_assert_ntstatus_ok(tctx, dcerpc_netr_LogonSamLogonEx_r(b, tctx, &r),
"LogonSamLogon failed");
torture_assert_ntstatus_ok(tctx, r.out.result, "LogonSamLogon failed");
}
return true;
}
static bool test_wbc_change_password(struct torture_context *tctx)
{
wbcErr ret;
const char *oldpass = cli_credentials_get_password(cmdline_credentials);
const char *newpass = "******";
struct samr_CryptPassword new_nt_password;
struct samr_CryptPassword new_lm_password;
struct samr_Password old_nt_hash_enc;
struct samr_Password old_lanman_hash_enc;
uint8_t old_nt_hash[16];
uint8_t old_lanman_hash[16];
uint8_t new_nt_hash[16];
uint8_t new_lanman_hash[16];
struct wbcChangePasswordParams params;
if (oldpass == NULL) {
torture_skip(tctx,
"skipping wbcChangeUserPassword test as old password cannot be retrieved\n");
}
ZERO_STRUCT(params);
E_md4hash(oldpass, old_nt_hash);
E_md4hash(newpass, new_nt_hash);
if (lpcfg_client_lanman_auth(tctx->lp_ctx) &&
E_deshash(newpass, new_lanman_hash) &&
E_deshash(oldpass, old_lanman_hash)) {
/* E_deshash returns false for 'long' passwords (> 14
DOS chars). This allows us to match Win2k, which
does not store a LM hash for these passwords (which
would reduce the effective password length to 14) */
encode_pw_buffer(new_lm_password.data, newpass, STR_UNICODE);
arcfour_crypt(new_lm_password.data, old_nt_hash, 516);
E_old_pw_hash(new_nt_hash, old_lanman_hash,
old_lanman_hash_enc.hash);
params.old_password.response.old_lm_hash_enc_length =
sizeof(old_lanman_hash_enc.hash);
params.old_password.response.old_lm_hash_enc_data =
old_lanman_hash_enc.hash;
params.new_password.response.lm_length =
sizeof(new_lm_password.data);
params.new_password.response.lm_data =
new_lm_password.data;
} else {
ZERO_STRUCT(new_lm_password);
ZERO_STRUCT(old_lanman_hash_enc);
}
encode_pw_buffer(new_nt_password.data, newpass, STR_UNICODE);
arcfour_crypt(new_nt_password.data, old_nt_hash, 516);
E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
params.old_password.response.old_nt_hash_enc_length =
sizeof(old_nt_hash_enc.hash);
params.old_password.response.old_nt_hash_enc_data =
old_nt_hash_enc.hash;
params.new_password.response.nt_length = sizeof(new_nt_password.data);
params.new_password.response.nt_data = new_nt_password.data;
params.level = WBC_CHANGE_PASSWORD_LEVEL_RESPONSE;
params.account_name = cli_credentials_get_username(cmdline_credentials);
params.domain_name = cli_credentials_get_domain(cmdline_credentials);
ret = wbcChangeUserPasswordEx(¶ms, NULL, NULL, NULL);
torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
"wbcChangeUserPassword for %s failed", params.account_name);
if (!test_wbc_authenticate_user_int(tctx, newpass)) {
return false;
}
ret = wbcChangeUserPassword(cli_credentials_get_username(cmdline_credentials), newpass,
cli_credentials_get_password(cmdline_credentials));
torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
"wbcChangeUserPassword for %s failed", params.account_name);
return test_wbc_authenticate_user_int(tctx, cli_credentials_get_password(cmdline_credentials));
}
