archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/net/diagnostics/netdiag/kerberos.c

380 lines
11 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //++
  2. //
  3. // Copyright (C) Microsoft Corporation, 1987 - 1999
  4. //
  5. // Module Name:
  6. //
  7. // kerberos.c
  8. //
  9. // Abstract:
  10. //
  11. // Queries into network drivers
  12. //
  13. // Author:
  14. //
  15. // Anilth - 4-20-1998
  16. //
  17. // Environment:
  18. //
  19. // User mode only.
  20. // Contains NT-specific code.
  21. //
  22. // Revision History:
  23. //
  24. //--
  26. #include "precomp.h"
  28. HRESULT KerberosTest( NETDIAG_PARAMS* pParams, NETDIAG_RESULT* pResults)
  29. {
  30. HRESULT hr = S_OK;
  31. PTESTED_DOMAIN Context = pParams->pDomain;
  33. NET_API_STATUS NetStatus;
  34. NTSTATUS Status;
  35. BOOL RetVal = TRUE;
  37. HANDLE LogonHandle = NULL;
  38. STRING Name;
  39. ULONG PackageId;
  40. KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;
  41. PKERB_QUERY_TKT_CACHE_RESPONSE CacheResponse = NULL;
  42. ULONG ResponseSize;
  43. NTSTATUS SubStatus;
  44. ULONG Index;
  46. WCHAR KrbtgtOldTicketName[MAX_PATH+1];
  47. UNICODE_STRING KrbtgtOldTicketNameString;
  48. WCHAR KrbtgtTicketName[MAX_PATH+1];
  49. UNICODE_STRING KrbtgtTicketNameString;
  50. BOOLEAN KrbtgtTicketFound = FALSE;
  51. WCHAR OurMachineOldTicketName[MAX_PATH+1];
  52. UNICODE_STRING OurMachineOldTicketNameString;
  53. WCHAR OurMachineTicketName[MAX_PATH+1];
  54. UNICODE_STRING OurMachineTicketNameString;
  55. BOOLEAN OurMachineTicketFound = FALSE;
  56. TCHAR endTime[MAX_PATH]; // though MAX_PATH is not directly related to time, it's sufficient
  57. TCHAR renewTime[MAX_PATH];
  58. PTESTED_DOMAIN TestedDomain;
  61. LPWSTR pwszDnsHostName;
  64. InitializeListHead(&pResults->Kerberos.lmsgOutput);
  66. PrintStatusMessage(pParams, 4, IDS_KERBEROS_STATUS_MSG);
  69. //
  70. // Only Members and Domain controllers use Kerberos.
  71. //
  73. if (!( pResults->Global.pPrimaryDomainInfo->MachineRole == DsRole_RoleMemberWorkstation ||
  74. pResults->Global.pPrimaryDomainInfo->MachineRole == DsRole_RoleMemberServer ||
  75. pResults->Global.pPrimaryDomainInfo->MachineRole == DsRole_RoleBackupDomainController ||
  76. pResults->Global.pPrimaryDomainInfo->MachineRole == DsRole_RolePrimaryDomainController ))
  77. {
  78. PrintStatusMessage(pParams, 0, IDS_GLOBAL_SKIP_NL);
  79. pResults->Kerberos.fPerformed = FALSE;
  80. return hr;
  81. }
  83. //if there is no GUID for the primary domain, then it is NOT W2k domain
  84. if (! (pResults->Global.pPrimaryDomainInfo->Flags & DSROLE_PRIMARY_DOMAIN_GUID_PRESENT))
  86. {
  87. AddIMessageToList(&pResults->Kerberos.lmsgOutput, Nd_Quiet, 0, IDS_KERBEROS_NOT_W2K_PRIMARY_DOMAIN);
  88. goto L_ERR;
  89. }
  91. //
  92. // If we're logged onto a local account,
  93. // we can't test kerberos.
  94. //
  95. if ( pResults->Global.pLogonDomain == NULL )
  96. {
  97. AddIMessageToList(&pResults->Kerberos.lmsgOutput, Nd_Quiet, 0, IDS_KERBEROS_LOCALUSER);
  98. goto L_ERR;
  99. }
  101. TestedDomain = pResults->Global.pLogonDomain;
  103. //
  104. // If we're logged with cached credentials,
  105. // we can't test kerberos.
  106. //
  107. if ( pResults->Global.fLogonWithCachedCredentials )
  108. {
  109. AddIMessageToList(&pResults->Kerberos.lmsgOutput, Nd_Quiet, 0, IDS_KERBEROS_CACHED);
  110. goto L_ERR;
  111. }
  114. //
  115. // If a DC hasn't been discovered yet,
  116. // find one.
  117. //
  118. if ( TestedDomain->DcInfo == NULL )
  119. {
  120. LPTSTR pszDcType;
  122. if ( TestedDomain->fTriedToFindDcInfo ) {
  123. RetVal = FALSE;
  124. //IDS_DCLIST_NO_DC " '%ws': Cannot find DC to get DC list from (Test skipped).\n"
  125. AddMessageToList(&pResults->Kerberos.lmsgOutput, Nd_Quiet,
  126. IDS_DCLIST_NO_DC, TestedDomain->PrintableDomainName);
  127. goto L_ERR;
  128. }
  130. pszDcType = LoadAndAllocString(IDS_DCTYPE_DC);
  132. NetStatus = DoDsGetDcName( pParams,
  133. pResults,
  134. &pResults->Kerberos.lmsgOutput,
  135. TestedDomain,
  136. DS_DIRECTORY_SERVICE_PREFERRED,
  137. pszDcType, //"DC",
  138. FALSE,
  139. &TestedDomain->DcInfo );
  141. Free(pszDcType);
  143. TestedDomain->fTriedToFindDcInfo = TRUE;
  145. if ( NetStatus != NO_ERROR )
  146. {
  147. RetVal = FALSE;
  148. AddIMessageToList(&pResults->Kerberos.lmsgOutput, Nd_Quiet, 0, IDS_KERBEROS_NODC);
  149. CHK_HR_CONTEXT(pResults->Kerberos, hr = HRESULT_FROM_WIN32(NetStatus), 0);
  150. }
  151. }
  154. //
  155. // If we're logged onto an account in an NT 4 domain,
  156. // we can't test kerberos.
  157. //
  158. if ( (TestedDomain->DcInfo->Flags & DS_KDC_FLAG) == 0 )
  159. {
  160. AddIMessageToList(&pResults->Kerberos.lmsgOutput, Nd_Quiet, 0, IDS_KERBEROS_NOKDC, pResults->Global.pLogonDomainName, pResults->Global.pLogonUser );
  161. goto L_ERR;
  162. }
  165. pResults->Kerberos.fPerformed = TRUE;
  167. //
  168. // Connect to the LSA.
  169. //
  171. Status = LsaConnectUntrusted( &LogonHandle );
  173. if (!NT_SUCCESS(Status)) {
  174. RetVal = FALSE;
  175. CHK_HR_CONTEXT(pResults->Kerberos, hr = HRESULT_FROM_WIN32(Status), IDS_KERBEROS_NOLSA);
  176. }
  178. RtlInitString( &Name, MICROSOFT_KERBEROS_NAME_A );
  180. Status = LsaLookupAuthenticationPackage(
  181. LogonHandle,
  182. &Name,
  183. &PackageId );
  185. if (!NT_SUCCESS(Status)) {
  186. RetVal = FALSE;
  187. //IDS_KERBEROS_NOPACKAGE " [FATAL] Cannot lookup package %Z.\n"
  188. AddIMessageToList(&pResults->Kerberos.lmsgOutput, Nd_Quiet, 0, IDS_KERBEROS_NOPACKAGE, &Name);
  189. CHK_HR_CONTEXT(pResults->Kerberos, hr = HRESULT_FROM_WIN32(Status), IDS_KERBEROS_HRERROR);
  190. }
  192. //
  193. // Get the ticket cache from Kerberos.
  194. //
  196. CacheRequest.MessageType = KerbQueryTicketCacheMessage;
  197. CacheRequest.LogonId.LowPart = 0;
  198. CacheRequest.LogonId.HighPart = 0;
  200. Status = LsaCallAuthenticationPackage(
  201. LogonHandle,
  202. PackageId,
  203. &CacheRequest,
  204. sizeof(CacheRequest),
  205. (PVOID *) &CacheResponse,
  206. &ResponseSize,
  207. &SubStatus
  208. );
  210. if (!NT_SUCCESS(Status) || !NT_SUCCESS(SubStatus)) {
  211. AddIMessageToList(&pResults->Kerberos.lmsgOutput, Nd_Quiet, 0, IDS_KERBEROS_NOCACHE, &Name);
  212. RetVal = FALSE;
  213. if(!NT_SUCCESS(Status))
  214. {
  215. CHK_HR_CONTEXT(pResults->Kerberos, hr = HRESULT_FROM_WIN32(Status), IDS_KERBEROS_HRERROR);
  216. }
  217. else
  218. {
  219. CHK_HR_CONTEXT(pResults->Kerberos, hr = HRESULT_FROM_WIN32(SubStatus), IDS_KERBEROS_HRERROR);
  220. }
  221. }
  223. //
  224. // Build the names of some mandatory tickets.
  225. //
  228. wcscpy( KrbtgtOldTicketName, GetSafeStringW(pResults->Global.pPrimaryDomainInfo->DomainNameFlat) );
  229. wcscat( KrbtgtOldTicketName, L"\\krbtgt" );
  230. RtlInitUnicodeString( &KrbtgtOldTicketNameString, KrbtgtOldTicketName );
  232. wcscpy(KrbtgtTicketName, L"krbtgt" );
  233. wcscat(KrbtgtTicketName, L"/" );
  234. wcscat(KrbtgtTicketName, GetSafeStringW(pResults->Global.pPrimaryDomainInfo->DomainNameDns) );
  235. RtlInitUnicodeString( &KrbtgtTicketNameString, KrbtgtTicketName );
  237. wcscpy( OurMachineOldTicketName, GetSafeStringW(pResults->Global.pPrimaryDomainInfo->DomainNameFlat) );
  238. wcscat( OurMachineOldTicketName, L"\\" );
  239. wcscat( OurMachineOldTicketName, GetSafeStringW(pResults->Global.swzNetBiosName) );
  240. wcscat( OurMachineOldTicketName, L"$" );
  241. RtlInitUnicodeString( &OurMachineOldTicketNameString, OurMachineOldTicketName );
  244. // russw
  245. // Need to convert szDnsHostName from TCHAR to WCHAR
  246. pwszDnsHostName = StrDupWFromT(pResults->Global.szDnsHostName);
  248. wcscpy( OurMachineTicketName, L"host/");
  249. wcscat( OurMachineTicketName, GetSafeStringW(pwszDnsHostName));
  251. RtlInitUnicodeString( &OurMachineTicketNameString, OurMachineTicketName );
  253. Free (pwszDnsHostName);
  256. // old
  257. //wcscpy( OurMachineTicketName, GetSafeStringW(pResults->Global.szDnsHostName) );
  258. // wcscat( OurMachineTicketName, L"$" )
  260. //
  261. // Ensure those tickets are defined.
  262. //
  265. AddIMessageToList(&pResults->Kerberos.lmsgOutput, Nd_ReallyVerbose, 0, IDS_KERBEROS_CACHEDTICKER);
  267. for (Index = 0; Index < CacheResponse->CountOfTickets ; Index++ )
  268. {
  270. if ( RtlEqualUnicodeString( &CacheResponse->Tickets[Index].ServerName,
  271. &KrbtgtOldTicketNameString, TRUE )
  272. || RtlEqualUnicodeString( &CacheResponse->Tickets[Index].ServerName,
  273. &KrbtgtTicketNameString, TRUE ))
  274. {
  275. KrbtgtTicketFound = TRUE;
  276. }
  278. if ( RtlEqualUnicodeString( &CacheResponse->Tickets[Index].ServerName,
  279. &OurMachineOldTicketNameString, TRUE )
  280. || RtlEqualUnicodeString( &CacheResponse->Tickets[Index].ServerName,
  281. &OurMachineTicketNameString, TRUE ))
  282. {
  283. OurMachineTicketFound = TRUE;
  284. }
  286. AddIMessageToList(&pResults->Kerberos.lmsgOutput, Nd_ReallyVerbose, 0, IDS_KERBEROS_SERVER, &CacheResponse->Tickets[Index].ServerName);
  288. sPrintTime(endTime, CacheResponse->Tickets[Index].EndTime);
  289. sPrintTime(renewTime, CacheResponse->Tickets[Index].RenewTime);
  290. AddIMessageToList(&pResults->Kerberos.lmsgOutput, Nd_ReallyVerbose, 0, IDS_KERBEROS_ENDTIME, endTime);
  291. AddIMessageToList(&pResults->Kerberos.lmsgOutput, Nd_ReallyVerbose, 0, IDS_KERBEROS_RENEWTIME, renewTime);
  293. //
  294. // Complain if required tickets were not found.
  295. //
  296. }
  298. if ( !KrbtgtTicketFound )
  299. {
  300. AddIMessageToList(&pResults->Kerberos.lmsgOutput, Nd_Quiet, 0, IDS_KERBEROS_NOTICKET, KrbtgtTicketName);
  301. RetVal = FALSE;
  302. }
  304. if ( !OurMachineTicketFound )
  305. {
  306. AddIMessageToList(&pResults->Kerberos.lmsgOutput, Nd_Quiet, 0, IDS_KERBEROS_NOTICKET, OurMachineTicketName);
  307. RetVal = FALSE;
  308. }
  310. //
  311. // Let subsequent tests know that kerberos is working.
  312. //
  313. if ( RetVal )
  314. {
  315. pResults->Global.fKerberosIsWorking = TRUE;
  316. }
  319. L_ERR:
  321. if (LogonHandle != NULL)
  322. {
  323. LsaDeregisterLogonProcess(LogonHandle);
  324. }
  326. if (CacheResponse != NULL)
  327. {
  328. LsaFreeReturnBuffer(CacheResponse);
  329. }
  331. if (!RetVal && hr == S_OK)
  332. {
  333. pResults->Kerberos.hr = hr = E_FAIL;
  334. PrintStatusMessage(pParams, 0, IDS_GLOBAL_FAIL_NL);
  335. }
  336. else
  337. {
  338. PrintStatusMessage(pParams, 0, IDS_GLOBAL_PASS_NL);
  339. }
  341. return S_OK;
  342. }
  344. void KerberosGlobalPrint(IN NETDIAG_PARAMS *pParams, IN OUT NETDIAG_RESULT *pResults)
  345. {
  346. if (pParams->fVerbose || !FHrOK(pResults->Kerberos.hr))
  347. {
  348. PrintNewLine(pParams, 2);
  349. PrintTestTitleResult(pParams, IDS_KERBEROS_LONG, IDS_KERBEROS_SHORT, pResults->Kerberos.fPerformed,
  350. pResults->Kerberos.hr, 0);
  352. if (pParams->fReallyVerbose || !FHrOK(pResults->Kerberos.hr))
  353. PrintMessageList(pParams, &pResults->Kerberos.lmsgOutput);
  355. if (!FHrOK(pResults->Kerberos.hr))
  356. {
  357. if(pResults->Kerberos.idsContext)
  358. PrintError(pParams, pResults->Kerberos.idsContext, pResults->Kerberos.hr);
  359. }
  360. }
  362. }
  364. void KerberosPerInterfacePrint(IN NETDIAG_PARAMS *pParams,
  365. IN OUT NETDIAG_RESULT *pResults,
  366. IN INTERFACE_RESULT *pIfResult)
  367. {
  368. // no perinterface information
  369. }
  371. void KerberosCleanup(IN NETDIAG_PARAMS *pParams,
  372. IN OUT NETDIAG_RESULT *pResults)
  373. {
  374. MessageListCleanUp(&pResults->Kerberos.lmsgOutput);
  376. }