da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER START
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * The contents of this file are subject to the terms of the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Common Development and Distribution License (the "License").
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You may not use this file except in compliance with the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * See the License for the specific language governing permissions
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * and limitations under the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * When distributing Covered Code, include this CDDL HEADER in each
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * If applicable, add the following below this CDDL HEADER, with the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * fields enclosed by brackets "[]" replaced with your own identifying
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * information: Portions Copyright [yyyy] [name of copyright owner]
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER END
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
12b65585e720714b31036daaa2b30eb76014048eGordon Ross * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NETR SamLogon and SamLogoff RPC client functions.
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States#define NETLOGON_ATTEMPTS 2
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United Statesstatic uint32_t netlogon_logon(smb_logon_t *, smb_token_t *);
7f667e74610492ddbce8ce60f52ece95d2401949jose borregostatic uint32_t netr_server_samlogon(mlsvc_handle_t *, netr_info_t *, char *,
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States smb_logon_t *, smb_token_t *);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwstatic void netr_invalidate_chain(void);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United Statesstatic void netr_interactive_samlogon(netr_info_t *, smb_logon_t *,
8d7e41661dc4633488e93b13363137523ce59977jose borregostatic void netr_network_samlogon(ndr_heap_t *, netr_info_t *,
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States smb_logon_t *, struct netr_logon_info2 *);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United Statesstatic void netr_setup_identity(ndr_heap_t *, smb_logon_t *,
7f667e74610492ddbce8ce60f52ece95d2401949jose borregostatic boolean_t netr_isadmin(struct netr_validation_info3 *);
7f667e74610492ddbce8ce60f52ece95d2401949jose borregostatic uint32_t netr_setup_domain_groups(struct netr_validation_info3 *,
12b65585e720714b31036daaa2b30eb76014048eGordon Rossstatic uint32_t netr_setup_token_info3(struct netr_validation_info3 *,
7f667e74610492ddbce8ce60f52ece95d2401949jose borregostatic uint32_t netr_setup_token_wingrps(struct netr_validation_info3 *,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Shared with netr_auth.c
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United Statesstatic mutex_t netlogon_mutex;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United Statesstatic cond_t netlogon_cv;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United Statesstatic boolean_t netlogon_busy = B_FALSE;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United Statesstatic boolean_t netlogon_abort = B_FALSE;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States
12b65585e720714b31036daaa2b30eb76014048eGordon Ross * Helper for Kerberos authentication
12b65585e720714b31036daaa2b30eb76014048eGordon Rosssmb_decode_krb5_pac(smb_token_t *token, char *data, uint_t len)
12b65585e720714b31036daaa2b30eb76014048eGordon Ross /* Need to keep this until we're done with &info */
12b65585e720714b31036daaa2b30eb76014048eGordon Ross status = netr_setup_token_info3(&info.info3, token);
12b65585e720714b31036daaa2b30eb76014048eGordon Ross /* Deal with the "resource groups"? */
12b65585e720714b31036daaa2b30eb76014048eGordon Ross * Code factored out of netr_setup_token()
12b65585e720714b31036daaa2b30eb76014048eGordon Rossnetr_setup_token_info3(struct netr_validation_info3 *info3,
12b65585e720714b31036daaa2b30eb76014048eGordon Ross token->tkn_primary_grp.i_sid = smb_sid_splice(domsid,
12b65585e720714b31036daaa2b30eb76014048eGordon Ross return (netr_setup_token_wingrps(info3, token));
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States/*
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States * Abort impending domain logon requests.
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States */
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United Statesvoid
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United Statessmb_logon_abort(void)
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States{
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States (void) mutex_lock(&netlogon_mutex);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States if (netlogon_busy && !netlogon_abort)
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States syslog(LOG_DEBUG, "logon abort");
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States netlogon_abort = B_TRUE;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States (void) cond_broadcast(&netlogon_cv);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States (void) mutex_unlock(&netlogon_mutex);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States}
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States * This is the entry point for authenticating domain users.
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States * If we are not going to attempt to authenticate the user,
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States * this function must return without updating the status.
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States * If the user is successfully authenticated, we build an
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States * access token and the status will be NT_STATUS_SUCCESS.
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States * Otherwise, the token contents are invalid.
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United Statesvoid
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United Statessmb_logon_domain(smb_logon_t *user_info, smb_token_t *token)
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States uint32_t status;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States int i;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States if (user_info->lg_secmode != SMB_SECMODE_DOMAIN)
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States return;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States if (user_info->lg_domain_type == SMB_DOMAIN_LOCAL)
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States return;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States for (i = 0; i < NETLOGON_ATTEMPTS; ++i) {
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States (void) mutex_lock(&netlogon_mutex);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States while (netlogon_busy && !netlogon_abort)
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States (void) cond_wait(&netlogon_cv, &netlogon_mutex);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States if (netlogon_abort) {
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States (void) mutex_unlock(&netlogon_mutex);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States user_info->lg_status = NT_STATUS_REQUEST_ABORTED;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States return;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States }
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States netlogon_busy = B_TRUE;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States (void) mutex_unlock(&netlogon_mutex);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States status = netlogon_logon(user_info, token);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States (void) mutex_lock(&netlogon_mutex);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States netlogon_busy = B_FALSE;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States if (netlogon_abort)
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States status = NT_STATUS_REQUEST_ABORTED;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States (void) cond_signal(&netlogon_cv);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States (void) mutex_unlock(&netlogon_mutex);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States if (status != NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States break;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States }
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States if (status != NT_STATUS_SUCCESS)
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States syslog(LOG_INFO, "logon[%s\\%s]: %s", user_info->lg_e_domain,
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States user_info->lg_e_username, xlate_nt_status(status));
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States user_info->lg_status = status;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United Statesnetlogon_logon(smb_logon_t *user_info, smb_token_t *token)
dc20a3024900c47dd2ee44b9707e6df38f7d62a5as (void) smb_getdomainname(resource_domain, SMB_PI_MAX_DOMAIN);
380acbbe9da7dc2cbab5b6db169ec6968dd927faGordon Ross /* Avoid interfering with DC discovery. */
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross if (netr_open(di.d_dci.dc_name, di.d_primary.di_nbname,
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh if ((netr_global_info.flags & NETR_FLG_VALID) == 0 ||
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross status = netlogon_auth(di.d_dci.dc_name, &netr_handle,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw if (status != 0) {
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross &netr_global_info, di.d_dci.dc_name, user_info, token);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw } while (status == NT_STATUS_INSUFFICIENT_LOGON_INFO && retries++ < 3);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United Statesnetr_setup_token(struct netr_validation_info3 *info3, smb_logon_t *user_info,
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego token->tkn_user.i_sid = smb_sid_splice(domsid, info3->UserId);
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego token->tkn_primary_grp.i_sid = smb_sid_splice(domsid,
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States ? (char *)info3->EffectiveName.str : user_info->lg_e_username;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States } else if (*user_info->lg_e_domain != '\0') {
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States domain = user_info->lg_e_domain;
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego (void) smb_getdomainname(nbdomain, sizeof (nbdomain));
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego if (token->tkn_account_name == NULL || token->tkn_domain_name == NULL)
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego status = netr_setup_token_wingrps(info3, token);
8c10a8659ac31335ed870a1711c0182623f72fd6as * The UserSessionKey in NetrSamLogon RPC is obfuscated using the
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * session key obtained in the NETLOGON credential chain.
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * An 8 byte session key is zero extended to 16 bytes. This 16 byte
8c10a8659ac31335ed870a1711c0182623f72fd6as * key is the key to the RC4 algorithm. The RC4 byte stream is
8c10a8659ac31335ed870a1711c0182623f72fd6as * exclusively ored with the 16 byte UserSessionKey to recover
8c10a8659ac31335ed870a1711c0182623f72fd6as * the the clear form.
12b65585e720714b31036daaa2b30eb76014048eGordon Ross if ((token->tkn_ssnkey.val = malloc(SMBAUTH_SESSION_KEY_SZ)) == NULL)
2c1b14e51525da2c09064641416fc4aed457c72fjose borrego bcopy(netr_info->session_key.key, rc4key, netr_info->session_key.len);
12b65585e720714b31036daaa2b30eb76014048eGordon Ross bcopy(info3->UserSessionKey.data, token->tkn_ssnkey.val,
12b65585e720714b31036daaa2b30eb76014048eGordon Ross rand_hash((unsigned char *)token->tkn_ssnkey.val,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * netr_server_samlogon
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NetrServerSamLogon RPC: interactive or network. It is assumed that
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * we have already authenticated with the PDC. If everything works,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * we build a user info structure and return it, where the caller will
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * probably build an access token.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns an NT status. There are numerous possibilities here.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * For example:
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NT_STATUS_INVALID_INFO_CLASS
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NT_STATUS_INVALID_PARAMETER
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NT_STATUS_ACCESS_DENIED
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NT_STATUS_PASSWORD_MUST_CHANGE
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NT_STATUS_NO_SUCH_USER
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NT_STATUS_WRONG_PASSWORD
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NT_STATUS_LOGON_FAILURE
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NT_STATUS_ACCOUNT_RESTRICTION
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NT_STATUS_INVALID_LOGON_HOURS
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NT_STATUS_INVALID_WORKSTATION
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NT_STATUS_INTERNAL_ERROR
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NT_STATUS_PASSWORD_EXPIRED
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NT_STATUS_ACCOUNT_DISABLED
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwnetr_server_samlogon(mlsvc_handle_t *netr_handle, netr_info_t *netr_info,
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States char *server, smb_logon_t *user_info, smb_token_t *token)
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Should we get the server and hostname from netr_info?
8d7e41661dc4633488e93b13363137523ce59977jose borrego arg.servername = ndr_rpc_malloc(netr_handle, len);
8d7e41661dc4633488e93b13363137523ce59977jose borrego arg.hostname = ndr_rpc_malloc(netr_handle, NETBIOS_NAME_SZ);
8d7e41661dc4633488e93b13363137523ce59977jose borrego if (arg.servername == NULL || arg.hostname == NULL) {
8d7e41661dc4633488e93b13363137523ce59977jose borrego (void) snprintf((char *)arg.servername, len, "\\\\%s", server);
8d7e41661dc4633488e93b13363137523ce59977jose borrego if (smb_getnetbiosname((char *)arg.hostname, NETBIOS_NAME_SZ) != 0) {
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw rc = netr_setup_authenticator(netr_info, &auth, &ret_auth);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States arg.logon_info.logon_level = user_info->lg_level;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States arg.logon_info.switch_value = user_info->lg_level;
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States switch (user_info->lg_level) {
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States netr_setup_identity(heap, user_info, &info1.identity);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States netr_interactive_samlogon(netr_info, user_info, &info1);
f9bc6dadd79442185db5c8eb201c7475554fc7d7Dmitry.Savitsky@nexenta.com if (user_info->lg_challenge_key.len < 8 ||
f9bc6dadd79442185db5c8eb201c7475554fc7d7Dmitry.Savitsky@nexenta.com user_info->lg_challenge_key.val == NULL) {
f9bc6dadd79442185db5c8eb201c7475554fc7d7Dmitry.Savitsky@nexenta.com return (NT_STATUS_INVALID_PARAMETER);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States netr_setup_identity(heap, user_info, &info2.identity);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States netr_network_samlogon(heap, netr_info, user_info, &info2);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw if (rc != 0) {
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * We need to validate the chain even though we have
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * a non-zero status. If the status is ACCESS_DENIED
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * this will trigger a new credential chain. However,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * a valid credential is returned with some status
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * codes; for example, WRONG_PASSWORD.
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States status = netr_setup_token(info3, user_info, netr_info, token);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * netr_interactive_samlogon
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Set things up for an interactive SamLogon. Copy the NT and LM
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * passwords to the logon structure and hash them with the session
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwstatic void
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United Statesnetr_interactive_samlogon(netr_info_t *netr_info, smb_logon_t *user_info,
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States user_info->lg_lm_password.val, sizeof (netr_owf_password_t));
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States user_info->lg_nt_password.val, sizeof (netr_owf_password_t));
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * netr_network_samlogon
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Set things up for a network SamLogon. We provide a copy of the random
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * challenge, that we sent to the client, to the domain controller. This
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * is the key that the client will have used to encrypt the NT and LM
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * passwords. Note that Windows 9x clients may not provide both passwords.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw/*ARGSUSED*/
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwstatic void
8d7e41661dc4633488e93b13363137523ce59977jose borregonetr_network_samlogon(ndr_heap_t *heap, netr_info_t *netr_info,
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States smb_logon_t *user_info, struct netr_logon_info2 *info2)
f9bc6dadd79442185db5c8eb201c7475554fc7d7Dmitry.Savitsky@nexenta.com if (user_info->lg_challenge_key.len >= 8 &&
f9bc6dadd79442185db5c8eb201c7475554fc7d7Dmitry.Savitsky@nexenta.com user_info->lg_challenge_key.val != 0) {
f9bc6dadd79442185db5c8eb201c7475554fc7d7Dmitry.Savitsky@nexenta.com bcopy(user_info->lg_challenge_key.val,
f9bc6dadd79442185db5c8eb201c7475554fc7d7Dmitry.Savitsky@nexenta.com bzero(info2->lm_challenge.data, 8);
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States if ((len = user_info->lg_nt_password.len) != 0) {
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States ndr_heap_mkvcb(heap, user_info->lg_nt_password.val, len,
2c1b14e51525da2c09064641416fc4aed457c72fjose borrego bzero(&info2->nt_response, sizeof (netr_vcbuf_t));
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States if ((len = user_info->lg_lm_password.len) != 0) {
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States ndr_heap_mkvcb(heap, user_info->lg_lm_password.val, len,
2c1b14e51525da2c09064641416fc4aed457c72fjose borrego bzero(&info2->lm_response, sizeof (netr_vcbuf_t));
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * netr_setup_authenticator
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Set up the request and return authenticators. A new credential is
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * generated from the session key, the current client credential and
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * the current time, i.e.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NewCredential = Cred(SessionKey, OldCredential, time);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * The timestamp, which is used as a random seed, is stored in both
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * the request and return authenticators.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * If any difficulties occur using the cryptographic framework, the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * function returns SMBAUTH_FAILURE. Otherwise SMBAUTH_SUCCESS is
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * returned.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw struct netr_authenticator *auth, struct netr_authenticator *ret_auth)
2c1b14e51525da2c09064641416fc4aed457c72fjose borrego if (netr_gen_credentials(netr_info->session_key.key,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Validate the returned credentials and update the credential chain.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * The server returns an updated client credential rather than a new
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * server credential. The server uses (timestamp + 1) when generating
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * the credential.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Generate the new seed for the credential chain. The new seed is
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * formed by adding (timestamp + 1) to the current client credential.
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego * The only quirk is the uint32_t style addition.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT_STATUS_INSUFFICIENT_LOGON_INFO if auth->credential is a
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * NULL pointer. The Authenticator field of the SamLogon response packet
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * sent by the Samba 3 PDC always return NULL pointer if the received
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * SamLogon request is not immediately followed by the ServerReqChallenge
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * and ServerAuthenticate2 requests.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns NT_STATUS_SUCCESS if the server returned a valid credential.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Otherwise we retirm NT_STATUS_UNSUCCESSFUL.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwnetr_validate_chain(netr_info_t *netr_info, struct netr_authenticator *auth)
2c1b14e51525da2c09064641416fc4aed457c72fjose borrego if (netr_gen_credentials(netr_info->session_key.key,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * If the validation fails, destroy the credential chain.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * This should trigger a new authentication chain.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw result = memcmp(&cred, &auth->credential, sizeof (netr_cred_t));
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw if (result != 0) {
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * If the validation fails, destroy the credential chain.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * This should trigger a new authentication chain.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Otherwise generate the next step in the chain.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw /*LINTED E_BAD_PTR_CAST_ALIGN*/
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego dwp = (uint32_t *)&netr_info->client_credential;
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * netr_invalidate_chain
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Mark the credential chain as invalid so that it will be recreated
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * on the next attempt.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwstatic void
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * netr_setup_identity
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Set up the client identity information. All of this information is
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * specifically related to the client user and workstation attempting
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * to access this system. It may not be in our primary domain.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * I don't know what logon_id is, it seems to be a unique identifier.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Increment it before each use.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwstatic void
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United Statesnetr_setup_identity(ndr_heap_t *heap, smb_logon_t *user_info,
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States user_info->lg_logon_id = logon_id;
12b65585e720714b31036daaa2b30eb76014048eGordon Ross * [MS-APDS] 3.1.5.2 "NTLM Network Logon" says to set
12b65585e720714b31036daaa2b30eb76014048eGordon Ross * ParameterControl to the 'E' + 'K' bits. Those are:
12b65585e720714b31036daaa2b30eb76014048eGordon Ross * (1 << 5) | (1 << 11), a.k.a
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States ndr_heap_mkvcs(heap, user_info->lg_domain,
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States ndr_heap_mkvcs(heap, user_info->lg_username,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Some systems prefix the client workstation name with \\.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * It doesn't seem to make any difference whether it's there
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States ndr_heap_mkvcs(heap, user_info->lg_workstation,
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego * Sets up domain, local and well-known group membership for the given
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego * token. Two assumptions have been made here:
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego * a) token already contains a valid user SID so that group
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego * memberships can be established
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego * b) token belongs to a domain user
7f667e74610492ddbce8ce60f52ece95d2401949jose borregonetr_setup_token_wingrps(struct netr_validation_info3 *info3,
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego status = netr_setup_domain_groups(info3, &tkn_grps);
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps);
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright status = smb_wka_token_groups(token->tkn_flags, &tkn_grps);
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego * Converts groups information in the returned structure by domain controller
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego * (info3) to an internal representation (gids)
7f667e74610492ddbce8ce60f52ece95d2401949jose borregonetr_setup_domain_groups(struct netr_validation_info3 *info3, smb_ids_t *gids)
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego gids->i_ids = realloc(gids->i_ids, total_cnt * sizeof (smb_id_t));
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego domain_sid = (smb_sid_t *)info3->LogonDomainId;
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego for (i = 0; i < info3->GroupCount; i++, gids->i_cnt++, ids++) {
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego ids->i_sid = smb_sid_splice(domain_sid, info3->GroupIds[i].rid);
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego * if there's no global group should add the primary group.
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego ids->i_sid = smb_sid_splice(domain_sid, info3->PrimaryGroupId);
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego /* Add the extra SIDs */
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego for (i = 0; i < info3->SidCount; i++, gids->i_cnt++, ids++) {
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego ids->i_sid = smb_sid_dup((smb_sid_t *)info3->ExtraSids[i].sid);
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego * Determines if the given user is the domain Administrator or a
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego * member of Domain Admins
7f667e74610492ddbce8ce60f52ece95d2401949jose borregonetr_isadmin(struct netr_validation_info3 *info3)
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright if (!smb_domain_lookup_sid((smb_sid_t *)info3->LogonDomainId, &di))
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego if ((info3->UserId == DOMAIN_USER_RID_ADMIN) ||
7f667e74610492ddbce8ce60f52ece95d2401949jose borrego (info3->PrimaryGroupId == DOMAIN_GROUP_RID_ADMINS))