Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

416 lines
12 KiB

  1. #include "precomp.hpp"
  2. //#include <nt.h>
  3. //#include <ntrtl.h>
  4. //#include <nturtl.h>
  5. //#include <windows.h>
  6. #include <wincred.h>
  7. #include <align.h>
  8. #include <lm.h>
  9. #include <ntsecapi.h>
  10. #include <dsgetdc.h>
  11. #include <stdlib.h>
  12. //#include <stdio.h>
  13. #include <string.h>
  14. // !!!!!
  15. // this file is a duplicate of a nearly identical file in the keymgr project. It should be removed when
  16. // the implementation of NetUserChangePassword() is updated to handle unc names and MIT Kerberos
  17. // realms properly. For now, it wraps NetUserChangePassword() to handle the extra cases.
  18. // Dependent libraries:
  19. // secur32.lib, netapi32.lib
  20. // external fn: NET_API_STATUS NetUserChangePasswordEy(LPCWSTR,LPCWSTR,LPCWSTR,LPCWSTR)
  21. BOOL
  22. IsMITName (
  23. LPCWSTR UserName
  24. )
  25. {
  26. BOOL fReturn = FALSE;
  27. HKEY MitKey;
  28. DWORD Index;
  29. PWSTR Realms;
  30. DWORD RealmSize;
  31. int err;
  32. DWORD NumRealms;
  33. DWORD MaxRealmLength;
  34. FILETIME KeyTime;
  35. WCHAR *szUncTail;
  36. if (NULL == UserName) return FALSE;
  37. szUncTail = wcschr(UserName,'@');
  38. if (NULL == szUncTail) return FALSE;
  39. szUncTail++; // point to char following @
  40. err = RegOpenKeyEx(
  41. HKEY_LOCAL_MACHINE,
  42. TEXT("System\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Domains"),
  43. 0,
  44. KEY_READ,
  45. &MitKey );
  46. if ( err == 0 )
  47. {
  48. #ifdef LOUDLY
  49. OutputDebugString(L"Kerberos domains key opened\n");
  50. #endif
  51. err = RegQueryInfoKey( MitKey,
  52. NULL,
  53. NULL,
  54. NULL,
  55. &NumRealms,
  56. &MaxRealmLength,
  57. NULL,
  58. NULL,
  59. NULL,
  60. NULL,
  61. NULL,
  62. NULL );
  63. MaxRealmLength++ ;
  64. MaxRealmLength *= sizeof( WCHAR );
  65. Realms = (PWSTR) malloc(MaxRealmLength );
  66. if ( Realms)
  67. {
  68. #ifdef LOUDLY
  69. OutputDebugString(L"Kerberos realms found\n");
  70. #endif
  71. for ( Index = 0 ; Index < NumRealms ; Index++ )
  72. {
  73. RealmSize = MaxRealmLength ;
  74. err = RegEnumKeyEx( MitKey,
  75. Index,
  76. Realms,
  77. &RealmSize,
  78. NULL,
  79. NULL,
  80. NULL,
  81. &KeyTime );
  82. if (err == 0)
  83. {
  84. #ifdef LOUDLY
  85. OutputDebugString(L"Fetched realm: ");
  86. OutputDebugString(Realms);
  87. OutputDebugString(L"\n");
  88. OutputDebugString(L"Username suffix: ");
  89. OutputDebugString(szUncTail);
  90. OutputDebugString(L"\n");
  91. #endif
  92. if (0 == _wcsicmp(szUncTail, Realms))
  93. {
  94. #ifdef LOUDLY
  95. OutputDebugString(L"Username maps to an MIT realm\n");
  96. #endif
  97. fReturn = TRUE;
  98. break;
  99. }
  100. }
  101. }
  102. }
  103. free(Realms);
  104. }
  105. return fReturn;
  106. }
  107. NTSTATUS
  108. MitChangePasswordEy(
  109. LPCWSTR DomainName,
  110. LPCWSTR UserName,
  111. LPCWSTR OldPassword,
  112. LPCWSTR NewPassword,
  113. NTSTATUS *pSubStatus
  114. )
  115. {
  116. HANDLE hLsa = NULL;
  117. NTSTATUS Status;
  118. NTSTATUS SubStatus;
  119. STRING Name;
  120. ULONG PackageId;
  121. PVOID Response = NULL ;
  122. ULONG ResponseSize;
  123. PKERB_CHANGEPASSWORD_REQUEST ChangeRequest = NULL;
  124. ULONG ChangeSize;
  125. UNICODE_STRING User,Domain,OldPass,NewPass;
  126. Status = LsaConnectUntrusted(&hLsa);
  127. if (!SUCCEEDED(Status)) goto Cleanup;
  128. #ifdef LOUDLY
  129. OutputDebugString(L"We have an LSA handle\n");
  130. #endif
  131. RtlInitString(
  132. &Name,
  133. MICROSOFT_KERBEROS_NAME_A
  134. );
  135. Status = LsaLookupAuthenticationPackage(
  136. hLsa,
  137. &Name,
  138. &PackageId
  139. );
  140. if (!NT_SUCCESS(Status))
  141. {
  142. goto Cleanup;
  143. }
  144. #ifdef LOUDLY
  145. OutputDebugString(L"Authentication package found\n");
  146. #endif
  147. RtlInitUnicodeString(
  148. &User,
  149. UserName
  150. );
  151. RtlInitUnicodeString(
  152. &Domain,
  153. DomainName
  154. );
  155. RtlInitUnicodeString(
  156. &OldPass,
  157. OldPassword
  158. );
  159. RtlInitUnicodeString(
  160. &NewPass,
  161. NewPassword
  162. );
  163. ChangeSize = ROUND_UP_COUNT(sizeof(KERB_CHANGEPASSWORD_REQUEST),4)+
  164. User.Length +
  165. Domain.Length +
  166. OldPass.Length +
  167. NewPass.Length ;
  168. ChangeRequest = (PKERB_CHANGEPASSWORD_REQUEST) LocalAlloc(LMEM_ZEROINIT, ChangeSize );
  169. if ( ChangeRequest == NULL )
  170. {
  171. Status = STATUS_NO_MEMORY ;
  172. goto Cleanup ;
  173. }
  174. ChangeRequest->MessageType = KerbChangePasswordMessage;
  175. ChangeRequest->AccountName = User;
  176. ChangeRequest->AccountName.Buffer = (LPWSTR) ROUND_UP_POINTER(sizeof(KERB_CHANGEPASSWORD_REQUEST) + (PBYTE) ChangeRequest,4);
  177. RtlCopyMemory(
  178. ChangeRequest->AccountName.Buffer,
  179. User.Buffer,
  180. User.Length
  181. );
  182. ChangeRequest->DomainName = Domain;
  183. ChangeRequest->DomainName.Buffer = ChangeRequest->AccountName.Buffer + ChangeRequest->AccountName.Length / sizeof(WCHAR);
  184. RtlCopyMemory(
  185. ChangeRequest->DomainName.Buffer,
  186. Domain.Buffer,
  187. Domain.Length
  188. );
  189. ChangeRequest->OldPassword = OldPass;
  190. ChangeRequest->OldPassword.Buffer = ChangeRequest->DomainName.Buffer + ChangeRequest->DomainName.Length / sizeof(WCHAR);
  191. RtlCopyMemory(
  192. ChangeRequest->OldPassword.Buffer,
  193. OldPass.Buffer,
  194. OldPass.Length
  195. );
  196. ChangeRequest->NewPassword = NewPass;
  197. ChangeRequest->NewPassword.Buffer = ChangeRequest->OldPassword.Buffer + ChangeRequest->OldPassword.Length / sizeof(WCHAR);
  198. RtlCopyMemory(
  199. ChangeRequest->NewPassword.Buffer,
  200. NewPass.Buffer,
  201. NewPass.Length
  202. );
  203. //
  204. // We are running as the caller, so state we are impersonating
  205. //
  206. //ChangeRequest->Impersonating = TRUE;
  207. #ifdef LOUDLY
  208. OutputDebugString(L"Attempting to call the authentication package\n");
  209. #endif
  210. Status = LsaCallAuthenticationPackage(
  211. hLsa,
  212. PackageId,
  213. ChangeRequest,
  214. ChangeSize,
  215. &Response,
  216. &ResponseSize,
  217. &SubStatus
  218. );
  219. if (!NT_SUCCESS(Status) || !NT_SUCCESS(SubStatus))
  220. {
  221. #ifdef LOUDLY
  222. WCHAR szsz[200];
  223. swprintf(szsz,L"Call failed. Status %x SubStatus %x\n",Status, SubStatus);
  224. OutputDebugString(szsz);
  225. #endif
  226. if (NT_SUCCESS(Status))
  227. {
  228. Status = SubStatus;
  229. *pSubStatus = STATUS_UNSUCCESSFUL ;
  230. }
  231. else
  232. {
  233. *pSubStatus = SubStatus;
  234. }
  235. }
  236. Cleanup:
  237. if (hLsa) LsaDeregisterLogonProcess(hLsa);
  238. if (Response != NULL) LsaFreeReturnBuffer(Response);
  239. if (ChangeRequest != NULL) LocalFree(ChangeRequest);
  240. return(Status);
  241. }
  242. /*
  243. NetUserChangePasswordEy()
  244. A wrapper function to superset the functionality of NetUserChangePassword(), specifically
  245. by adding support for changing the account password for an MIT Kerberos principal.
  246. This routine accepts:
  247. 1. uncracked username, with NULL domain
  248. 2. cracked username, with domain portion routed to the domain argument
  249. In case 1, it handles all cases, including MIT realm password changes
  250. In case 2, it will not handle MIT realms.
  251. Case 2 is provided for backwards compatibility with NetUserChangePassword(). It is intended
  252. that callers should pass the uncracked name, and remove the cracking code from the client.
  253. */
  254. NET_API_STATUS
  255. NetUserChangePasswordEy (
  256. LPCWSTR domainname,
  257. LPCWSTR username,
  258. LPCWSTR oldpassword,
  259. LPCWSTR newpassword
  260. )
  261. {
  262. NTSTATUS ns; // status from call
  263. NET_API_STATUS nas;
  264. NTSTATUS ss; // substatus
  265. #ifdef LOUDLY
  266. OutputDebugString(L"NetUserChangePasswordEy called for ");
  267. OutputDebugString(username);
  268. OutputDebugString(L"\n");
  269. #endif
  270. // domainname may be a kerberos realm
  271. // If not a UNC name, call through to NetUserChangePassword
  272. // else
  273. // locate UNC suffix
  274. // search all domains returned by DsEnumerateDomainTrusts() for a match
  275. // On match, if is kerberos realm, call MitChangePasswordEy()
  276. // else call NetUserChangePassword
  277. if ((domainname == NULL) && IsMITName(username))
  278. {
  279. ns = MitChangePasswordEy(domainname, username, oldpassword, newpassword, &ss);
  280. // remap certain errors returned by MitChangePasswordEy to coincide with those of NetUserChangePassword
  281. if (NT_SUCCESS(ns)) nas = NERR_Success;
  282. else
  283. {
  284. switch (ns)
  285. {
  286. case STATUS_CANT_ACCESS_DOMAIN_INFO:
  287. case STATUS_NO_SUCH_DOMAIN:
  288. {
  289. nas = NERR_InvalidComputer;
  290. break;
  291. }
  292. case STATUS_NO_SUCH_USER:
  293. case STATUS_WRONG_PASSWORD_CORE:
  294. case STATUS_WRONG_PASSWORD:
  295. {
  296. nas = ERROR_INVALID_PASSWORD;
  297. break;
  298. }
  299. case STATUS_ACCOUNT_RESTRICTION:
  300. case STATUS_ACCESS_DENIED:
  301. case STATUS_BACKUP_CONTROLLER:
  302. {
  303. nas = ERROR_ACCESS_DENIED;
  304. break;
  305. }
  306. case STATUS_PASSWORD_RESTRICTION:
  307. {
  308. nas = NERR_PasswordTooShort;
  309. break;
  310. }
  311. default:
  312. nas = -1; // will produce omnibus error message when found (none of the above)
  313. break;
  314. }
  315. }
  316. }
  317. else if (NULL == domainname)
  318. {
  319. WCHAR RetUserName[CRED_MAX_USERNAME_LENGTH + 1];
  320. WCHAR RetDomainName[CRED_MAX_USERNAME_LENGTH + 1];
  321. RetDomainName[0] = 0;
  322. DWORD Status = CredUIParseUserNameW(
  323. username,
  324. RetUserName,
  325. CRED_MAX_USERNAME_LENGTH,
  326. RetDomainName,
  327. CRED_MAX_USERNAME_LENGTH);
  328. switch (Status)
  329. {
  330. case NO_ERROR:
  331. {
  332. #ifdef LOUDLY
  333. OutputDebugString(L"Non-MIT password change for ");
  334. OutputDebugString(RetUserName);
  335. OutputDebugString(L" of domain ");
  336. OutputDebugString(RetDomainName);
  337. OutputDebugString(L"\n");
  338. #endif
  339. nas = NetUserChangePassword(RetDomainName,RetUserName,oldpassword,newpassword);
  340. break;
  341. }
  342. case ERROR_INSUFFICIENT_BUFFER:
  343. nas = ERROR_INVALID_PARAMETER;
  344. break;
  345. case ERROR_INVALID_ACCOUNT_NAME:
  346. default:
  347. nas = NERR_UserNotFound;
  348. break;
  349. }
  350. }
  351. else
  352. {
  353. // both username and domainname passed.
  354. nas = NetUserChangePassword(domainname,username,oldpassword,newpassword);
  355. }
  356. #ifdef LOUDLY
  357. WCHAR szsz[200];
  358. swprintf(szsz,L"NUCPEy returns %x\n",nas);
  359. OutputDebugString(szsz);
  360. #endif
  361. return nas;
  362. }