/*++

Copyright (c) 1989  Microsoft Corporation

Module Name:

    nlp.h

Abstract:

    NETLOGON private definitions.

    Private (package-internal) types, prototypes and globals shared by the
    MSV1_0 authentication package sources (nlmain.c, nlp.c, msvsam.c,
    nlnetapi.c, subauth.c).  Nothing in this header is a public interface.

Author:

    Jim Kelly 11-Apr-1991

Revision History:

    Chandana Surlu 21-Jul-96  Stolen from \\kernel\razzle3\src\security\msv1_0\nlp.h

--*/

#ifndef _NLP_
#define _NLP_

//
// NOTE(review): the targets of the eleven #include directives below were lost
// when this file was extracted (the angle-bracketed names were stripped).
// Restore them from the original source before this header can be compiled.
//
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#ifdef __cplusplus
extern "C" {
#endif // __cplusplus

//
// nlmain.c will #include this file with NLP_ALLOCATE defined.
// That will cause each of these variables to be allocated.
//
// With NLP_ALLOCATE defined, EXTERN expands to nothing and INIT(x) expands
// to "= x", so every "EXTERN T v INIT(x);" line below becomes a definition
// with an initializer.  In every other translation unit EXTERN expands to
// "extern" and INIT() to nothing, so the same line is only a declaration.
// Both macros are #undef'd at the end of this header.
//
// NOTE(review): the macro parameter name _X (leading underscore followed by
// an upper-case letter) is in the namespace reserved for the implementation.
//
#ifdef EXTERN
#undef EXTERN
#endif

#ifdef NLP_ALLOCATE
#define EXTERN
#define INIT(_X) = _X
#else
#define EXTERN extern
#define INIT(_X)
#endif

//
// Amount of time to wait for netlogon to start.
// Do this AFTER waiting for SAM to start.
// Since Netlogon depends on SAM, don't timeout too soon.
//
// Unit: seconds (see NlWaitForNetlogon at the end of this header).
//
#define NETLOGON_STARTUP_TIME 45 // 45 seconds

//
// Amount of time to wait for SAM to start.
// DS recovery can take a very long time.
//
// Unit: seconds (see NlSamInitialize below).
//
#define SAM_STARTUP_TIME (20*60) // 20 minutes

///////////////////////////////////////////////////////////////////////////////
//                                                                           //
//                       Private data structures                             //
//                                                                           //
///////////////////////////////////////////////////////////////////////////////

//
// Magic values to protect ourselves from mean spirited packages.
//
// 0x4D4C544E is the byte sequence "NTLM" read as a little-endian ULONG.
//
#define NTLM_ACTIVE_LOGON_MAGIC_SIGNATURE 0x4D4C544E

//
// Structure used to keep track of all private information related to a
// particular LogonId.
//
// Entries are chained on NlpActiveLogonListAnchor (declared below) and must
// only be touched while NlpActiveLogonLock is held (see the lock macros in
// the READ/WRITE variables section).
//
typedef struct _ACTIVE_LOGON {
    LIST_ENTRY ListEntry;
    ULONG Signature;                 // NTLM_ACTIVE_LOGON_MAGIC_SIGNATURE — presumably checked before an entry is trusted; confirm in nlp.c
    LUID LogonId;                    // The logon Id of this logon session
    ULONG EnumHandle;                // The enumeration handle of this logon session
    SECURITY_LOGON_TYPE LogonType;   // Type of logon (interactive or service)
    PSID UserSid;                    // Sid of the logged on user
    UNICODE_STRING UserName;         // SAM Account name of the logged on user (Required)
    UNICODE_STRING LogonDomainName;  // Netbios name of the domain logged onto (Required)
    UNICODE_STRING LogonServer;      // Name of the server which logged this user on
    ULONG Flags;                     // Attributes of this entry (bit mask of the LOGON_BY_* values below)
#define LOGON_BY_NETLOGON      0x01  // Entry was validated by NETLOGON service
#define LOGON_BY_CACHE         0x02  // Entry was validated by local cache
#define LOGON_BY_OTHER_PACKAGE 0x04  // Entry was validated by another authentication package
#define LOGON_BY_LOCAL         0x08  // Entry was validated by local sam
#define LOGON_BY_NTLM3_DC      0x10  // Entry was validated by DC that understands NTLM3
} ACTIVE_LOGON, *PACTIVE_LOGON;

///////////////////////////////////////////////////////////////////////////////
//                                                                           //
//                  CREDENTIAL Related Data Structures                       //
//                                                                           //
///////////////////////////////////////////////////////////////////////////////

//
// Following is a description of the content and format of each type
// of credential maintained by the MsV1_0 authentication package.
//
// The MsV1_0 authentication package defines the following credential
// primary key string values:
//
//     "Primary" - Is used to hold the primary credentials provided at
//                 initial logon time.  This includes the username and both
//                 case-sensitive and case-insensitive forms of the user's
//                 password.
//
// NOTE: All pointers stored in credentials must be
// changed to be an offset to the body rather than a pointer.  This is
// because credential fields are copied by the LSA and so the pointer
// would become invalid.
//
// (NlpMakeRelativeString / NlpRelativeToAbsolute below are the helpers
// declared for that pointer <-> offset conversion.)
//

//
// MsV1_0 Primary Credentials
//
// The PrimaryKeyValue string of this type of credential contains the
// following string:
//
//     "Primary"
//
// The Credential string of a Primary credential contains the following
// values:
//
//     o The user's username
//
//     o A one-way function of the user's password as typed.
//
//     o A one-way function of the user's password upper-cased.
//
// These values are structured as follows:
//
#define MSV1_0_PRIMARY_KEY "Primary"

//
// move the SHA stuff to crypt.h when possible.
//
typedef UNICODE_STRING SHA_PASSWORD;
typedef SHA_PASSWORD * PSHA_PASSWORD;

// Size in bytes of the SHA one-way-function output stored below.
#define SHA_OWF_PASSWORD_LENGTH (20)

typedef struct {
    CHAR Data[ SHA_OWF_PASSWORD_LENGTH ];
} SHA_OWF_PASSWORD, *PSHA_OWF_PASSWORD;

//
// Compute the SHA one-way function of ShaPassword into ShaOwfPassword.
//
NTSTATUS
RtlCalculateShaOwfPassword(
    IN PSHA_PASSWORD ShaPassword,
    OUT PSHA_OWF_PASSWORD ShaOwfPassword
    );

//
// In-memory form of the "Primary" credential.
//
// Holds the NT, LM and SHA one-way functions of the user's password, each
// guarded by a *PasswordPresent flag that says whether the corresponding
// OWF field is meaningful.  This is password-derived secret material:
// NOTE(review): callers that free or discard an instance should zeroize it
// first — confirm that the call sites in nlp.c do so.
//
typedef struct _MSV1_0_PRIMARY_CREDENTIAL {
    UNICODE_STRING LogonDomainName;
    UNICODE_STRING UserName;
    NT_OWF_PASSWORD NtOwfPassword;    // valid only when NtPasswordPresent
    LM_OWF_PASSWORD LmOwfPassword;    // valid only when LmPasswordPresent
    SHA_OWF_PASSWORD ShaOwfPassword;  // valid only when ShaPasswordPresent
    BOOLEAN NtPasswordPresent;
    BOOLEAN LmPasswordPresent;
    BOOLEAN ShaPasswordPresent;
} MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL;

//
// Structure describing a buffer in the clients address space.
//
// Managed by the NlpInitClientBuffer / NlpAllocateClientBuffer /
// NlpPutClientString / NlpFlushClientBuffer / NlpFreeClientBuffer routines
// declared below.
//
typedef struct _CLIENT_BUFFER_DESC {
    PLSA_CLIENT_REQUEST ClientRequest;
    LPBYTE UserBuffer;    // Address of buffer in client's address space
    LPBYTE MsvBuffer;     // Address of mirror buffer in MSV's address space
    ULONG StringOffset;   // Current offset to variable length data
    ULONG TotalSize;      // Size (in bytes) of buffer
} CLIENT_BUFFER_DESC, *PCLIENT_BUFFER_DESC;

///////////////////////////////////////////////////////////////////////////////
//                                                                           //
//                     Internal routine definitions                          //
//                                                                           //
///////////////////////////////////////////////////////////////////////////////

//
// From nlmain.c.
//

// Timeout is in seconds (callers presumably pass SAM_STARTUP_TIME).
NTSTATUS
NlSamInitialize(
    ULONG Timeout
    );

//
// From nlp.c.
//

// Copy InString into OutString, placing the string data at *Where and
// advancing *Where past it (per the IN OUT cursor parameter).
VOID
NlpPutString(
    IN PUNICODE_STRING OutString,
    IN PUNICODE_STRING InString,
    IN PUCHAR *Where
    );

VOID
NlpInitClientBuffer(
    OUT PCLIENT_BUFFER_DESC ClientBufferDesc,
    IN PLSA_CLIENT_REQUEST ClientRequest
    );

// FixedSize and TotalSize are byte counts (cf. CLIENT_BUFFER_DESC.TotalSize).
NTSTATUS
NlpAllocateClientBuffer(
    IN OUT PCLIENT_BUFFER_DESC ClientBufferDesc,
    IN ULONG FixedSize,
    IN ULONG TotalSize
    );

NTSTATUS
NlpFlushClientBuffer(
    IN OUT PCLIENT_BUFFER_DESC ClientBufferDesc,
    OUT PVOID* UserBuffer
    );

VOID
NlpFreeClientBuffer(
    IN OUT PCLIENT_BUFFER_DESC ClientBufferDesc
    );

VOID
NlpPutClientString(
    IN OUT PCLIENT_BUFFER_DESC ClientBufferDesc,
    IN PUNICODE_STRING OutString,
    IN PUNICODE_STRING InString
    );

// Convert String->Buffer from an absolute pointer to an offset from
// BaseAddress (see the NOTE in the credential description above).
VOID
NlpMakeRelativeString(
    IN PUCHAR BaseAddress,
    IN OUT PUNICODE_STRING String
    );

// Inverse of NlpMakeRelativeString for a single ULONG_PTR-sized field.
VOID
NlpRelativeToAbsolute(
    IN PVOID BaseAddress,
    IN OUT PULONG_PTR RelativeValue
    );

// Look up the ACTIVE_LOGON entry for pLogonId.  The returned pointer refers
// to a list element, so the caller must hold NlpActiveLogonLock while it
// uses the result (see the list-lock rule in the READ/WRITE section).
ACTIVE_LOGON*
NlpFindActiveLogon(
    IN LUID* pLogonId
    );

ULONG
NlpCountActiveLogon(
    IN PUNICODE_STRING LogonDomainName,
    IN PUNICODE_STRING UserName
    );

// ProfileBuffer / ProfileBufferSize are OUT parameters describing a buffer
// in the client's address space (ClientRequest).
NTSTATUS
NlpAllocateInteractiveProfile (
    IN PLSA_CLIENT_REQUEST ClientRequest,
    OUT PMSV1_0_INTERACTIVE_PROFILE *ProfileBuffer,
    OUT PULONG ProfileBufferSize,
    IN PNETLOGON_VALIDATION_SAM_INFO4 NlpUser
    );

NTSTATUS
NlpAllocateNetworkProfile (
    IN PLSA_CLIENT_REQUEST ClientRequest,
    OUT PMSV1_0_LM20_LOGON_PROFILE *ProfileBuffer,
    OUT PULONG ProfileBufferSize,
    IN PNETLOGON_VALIDATION_SAM_INFO4 NlpUser,
    IN ULONG ParameterControl
    );

// Build the SID DomainId + RelativeId.  Returns a pointer; ownership of the
// allocation is not stated here — presumably the caller frees it; confirm
// against nlp.c.
PSID
NlpMakeDomainRelativeSid(
    IN PSID DomainId,
    IN ULONG RelativeId
    );

NTSTATUS
NlpMakeTokenInformationV2(
    IN PNETLOGON_VALIDATION_SAM_INFO4 NlpUser,
    OUT PLSA_TOKEN_INFORMATION_V1 *TokenInformation
    );

// Fill the OWF fields of Credential from CleartextPassword.  bIsOwfPassword
// indicates that CleartextPassword already holds an OWF rather than a
// cleartext password (per the parameter name; confirm in nlp.c).
VOID
NlpPutOwfsInPrimaryCredential(
    IN PUNICODE_STRING CleartextPassword,
    IN BOOLEAN bIsOwfPassword,
    OUT PMSV1_0_PRIMARY_CREDENTIAL Credential
    );

NTSTATUS
NlpMakePrimaryCredential(
    IN PUNICODE_STRING LogonDomainName,
    IN PUNICODE_STRING UserName,
    IN PUNICODE_STRING CleartextPassword,
    OUT PMSV1_0_PRIMARY_CREDENTIAL *CredentialBuffer,
    OUT PULONG CredentialSize
    );

NTSTATUS
NlpMakePrimaryCredentialFromMsvCredential(
    IN PUNICODE_STRING LogonDomainName,
    IN PUNICODE_STRING UserName,
    IN PMSV1_0_SUPPLEMENTAL_CREDENTIAL MsvCredential,
    OUT PMSV1_0_PRIMARY_CREDENTIAL *CredentialBuffer,
    OUT PULONG CredentialSize
    );

NTSTATUS
NlpAddPrimaryCredential(
    IN PLUID LogonId,
    IN PMSV1_0_PRIMARY_CREDENTIAL Credential,
    IN ULONG CredentialSize
    );

NTSTATUS
NlpGetPrimaryCredential(
    IN PLUID LogonId,
    OUT PMSV1_0_PRIMARY_CREDENTIAL *CredentialBuffer,
    OUT PULONG CredentialSize
    );

// CredentialSize is OPTIONAL and may be NULL.
NTSTATUS
NlpGetPrimaryCredentialByUserSid(
    IN PSID pSid,
    OUT PMSV1_0_PRIMARY_CREDENTIAL *CredentialBuffer,
    OUT PULONG CredentialSize OPTIONAL
    );

NTSTATUS
NlpDeletePrimaryCredential(
    IN PLUID LogonId
    );

// Validated tells the routine whether the caller has already authenticated
// the request (per the parameter name; the exact contract is in nlp.c).
NTSTATUS
NlpChangePassword(
    IN BOOLEAN Validated,
    IN PUNICODE_STRING DomainName,
    IN PUNICODE_STRING UserName,
    IN PUNICODE_STRING Password
    );

NTSTATUS
NlpChangePwdCredByLogonId(
    IN PLUID pLogonId,
    IN PMSV1_0_PRIMARY_CREDENTIAL pNewCredential,
    IN BOOL bNotify
    );

// Derive the four OUT name strings from LogonInfo / NlpUser.
VOID
NlpGetAccountNames(
    IN PNETLOGON_LOGON_IDENTITY_INFO LogonInfo,
    IN PNETLOGON_VALIDATION_SAM_INFO4 NlpUser,
    OUT PUNICODE_STRING SamAccountName,
    OUT PUNICODE_STRING NetbiosDomainName,
    OUT PUNICODE_STRING DnsDomainName,
    OUT PUNICODE_STRING Upn
    );

//
// msvsam.c
//

// Password check for a logon request.  Returns TRUE on a successful
// validation (BOOLEAN result); session keys are returned through the OUT
// parameters.
BOOLEAN
MsvpPasswordValidate (
    IN BOOLEAN UasCompatibilityRequired,
    IN NETLOGON_LOGON_INFO_CLASS LogonLevel,
    IN PVOID LogonInformation,
    IN PUSER_INTERNAL1_INFORMATION Passwords,
    OUT PULONG UserFlags,
    OUT PUSER_SESSION_KEY UserSessionKey,
    OUT PLM_SESSION_KEY LmSessionKey
    );

//
// nlnetapi.c
//

VOID
NlpLoadNetapiDll (
    VOID
    );

VOID
NlpLoadNetlogonDll (
    VOID
    );

//
// subauth.c
//

VOID
Msv1_0SubAuthenticationInitialization(
    VOID
    );

///////////////////////////////////////////////////////////////////////
//                                                                   //
//                        Global variables                           //
//                                                                   //
///////////////////////////////////////////////////////////////////////

////////////////////////////////////////////////////////////////////////
//                                                                    //
//                      READ ONLY Variables                           //
//                                                                    //
////////////////////////////////////////////////////////////////////////

//
// Null copies of Lanman and NT OWF password.
//
// (OWF of the empty password; used as the "no password" comparison value.)
//
EXTERN LM_OWF_PASSWORD NlpNullLmOwfPassword;
EXTERN NT_OWF_PASSWORD NlpNullNtOwfPassword;

//
// Flag indicating our support for the LM challenge response protocol.
// If the flag is set to NoLm, MSV1_0 will not ever compute a LM
// challenge response.  If it is set to AllowLm, MSV1_0 will not return
// it unless requested.  Otherwise it will do the normal behaviour of
// returning both NT and LM challenge responses.
//
// The enumerators are ordered from most permissive (UseLm) to most
// restrictive (RefuseNtlm3NoTarget); the variable that holds the configured
// value is not declared in this header.
//
typedef enum _LM_PROTOCOL_SUPPORT {
    UseLm,               // send LM response, NTLM response
    AllowLm,             // same as UseLm; for b/w compat w/lsa2-fix
    NoLm,                //UseNtlm, // Send NTLM response only; for b/w compat w/lsa2-fix
    UseNtlm3,            // Send NTLM3 response even if no target domain\server specified
    RefuseLm,            // Refuse LM responses (no Win9x clients) -- unsupported, reserved
    RefuseNtlm,          // Refuse LM and NTLM responses (require all clients are upgraded)
    RefuseNtlm3NoTarget  // Refuse NTLM3 response without domain and server info
} LM_PROTOCOL_SUPPORT, *PLM_PROTOCOL_SUPPORT;

//
// NOTE(review): the two macros below are compiled out (#if 0) and reference
// NlpLmProtocolSupport and RETURN_NON_NT_USER_SESSION_KEY, neither of which
// is declared in this header.  They are dead code here; the LM-response
// policy is decided elsewhere.
//
#if 0
//
// This macro determines whether or not to return an LM challenge response.
// If NlpProtocolSupport == UseLm, we always return it.  If it is
// AllowLm, only return it if the RETURN_LM_RESPONSE flag is set.  Otherwise
// don't return it ever.
//
#define NlpReturnLmResponse(_Flags_) \
    ((NlpLmProtocolSupport == UseLm) || \
     ((NlpLmProtocolSupport == AllowLm) && \
      (((_Flags_) & RETURN_NON_NT_USER_SESSION_KEY) != 0)))

#define NlpChallengeResponseRequestSupported( _Flags_ ) \
    ((((_Flags_) & RETURN_NON_NT_USER_SESSION_KEY) == 0) || (NlpLmProtocolSupport != NoLm))
#endif

// Parameter names are omitted in this prototype; the four LPWSTR arguments
// are (presumably) server, user, old password, new password — confirm
// against the definition before relying on the order.
NET_API_STATUS NET_API_FUNCTION
RxNetUserPasswordSet(LPWSTR, LPWSTR, LPWSTR, LPWSTR);

// Map a NET_API_STATUS error code to the corresponding NTSTATUS.
NTSTATUS
NetpApiStatusToNtStatus( NET_API_STATUS );

//
// Routines in netlogon.dll
//
// Resolved at run time (see NlpLoadNetlogonDll above); the function
// pointers below are only meaningful once NlpNetlogonInitialized is TRUE.
//
EXTERN HANDLE NlpNetlogonDllHandle;
EXTERN PNETLOGON_SAM_LOGON_PROCEDURE NlpNetLogonSamLogon;

typedef NTSTATUS (*PNETLOGON_MIXED_DOMAIN_PROCEDURE)( OUT PBOOL MixedMode );
EXTERN PNETLOGON_MIXED_DOMAIN_PROCEDURE NlpNetLogonMixedDomain;

//
// TRUE if package is initialized
//
EXTERN BOOLEAN NlpMsvInitialized INIT(FALSE);

//
// TRUE if this is a workstation.
//
EXTERN BOOLEAN NlpWorkstation INIT(TRUE);

//
// TRUE once the MSV AP has initialized its connection to SAM.
//
EXTERN BOOLEAN NlpSamInitialized INIT(FALSE);

//
// TRUE if the MSV AP has initialized its connection to the NETLOGON service
//
EXTERN BOOLEAN NlpNetlogonInitialized INIT(FALSE);

//
// TRUE if LanMan is installed.
//
EXTERN BOOLEAN NlpLanmanInstalled INIT(FALSE);

//
// Computername of this computer.
//
EXTERN UNICODE_STRING NlpComputerName;

//
// Domain of which I am a member.
//
EXTERN UNICODE_STRING NlpPrimaryDomainName;

//
// Name of the MSV1_0 package
//
EXTERN UNICODE_STRING NlpMsv1_0PackageName;

//
// Name and domain id of the SAM account database.
//
EXTERN UNICODE_STRING NlpSamDomainName;
EXTERN PSID NlpSamDomainId;
EXTERN SAMPR_HANDLE NlpSamDomainHandle;

//
// TRUE if UAS (LanMan) compatibility is required; passed as the first
// parameter of MsvpPasswordValidate.
//
EXTERN BOOLEAN NlpUasCompatibilityRequired INIT(TRUE);

//
// TRUE if there is a subauthentication package zero
//
EXTERN BOOLEAN NlpSubAuthZeroExists INIT(TRUE);

////////////////////////////////////////////////////////////////////////
//                                                                    //
//                      READ/WRITE Variables                          //
//                                                                    //
////////////////////////////////////////////////////////////////////////

//
// Define the list of active interactive logons.
//
// The NlpActiveLogonLock must be locked while referencing the list or
// any of its elements.
//
// Read/Write/ReadToWrite acquire the RTL_RESOURCE shared, exclusive, or
// convert a shared hold to exclusive; Unlock releases whichever was taken.
// The TRUE argument asks RtlAcquireResource* to wait for the resource.
//
#define NlpLockActiveLogonsRead()        RtlAcquireResourceShared(&NlpActiveLogonLock,TRUE)
#define NlpLockActiveLogonsWrite()       RtlAcquireResourceExclusive(&NlpActiveLogonLock,TRUE)
#define NlpLockActiveLogonsReadToWrite() RtlConvertSharedToExclusive(&NlpActiveLogonLock)
#define NlpUnlockActiveLogons()          RtlReleaseResource(&NlpActiveLogonLock)

EXTERN RTL_RESOURCE NlpActiveLogonLock;
EXTERN LIST_ENTRY NlpActiveLogonListAnchor;

//
// Define the running enumeration handle.
//
// This variable defines the enumeration handle to assign to a logon
// session.  It will be incremented prior to assigning its value to
// the next created logon session.  Access is serialized using
// the interlocked primitives.
//
EXTERN ULONG NlpEnumerationHandle;

EXTERN ULONG NlpLogonAttemptCount;

// Timeout is in seconds (callers presumably pass NETLOGON_STARTUP_TIME).
NTSTATUS
NlWaitForNetlogon(
    IN ULONG Timeout
    );

#undef EXTERN
#undef INIT

#ifdef __cplusplus
}
#endif // __cplusplus

// NOTE(review): the bare _NLP_ after #endif is an extra token on the
// directive (compilers warn); the conventional spelling is "#endif // _NLP_".
#endif _NLP_