Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

5362 lines
163 KiB

  1. /*++
  2. Copyright (c) 1987-1996 Microsoft Corporation
  3. Module Name:
  4. lsrvutil.c
  5. Abstract:
  6. Utility functions for the netlogon service.
  7. Author:
  8. Ported from Lan Man 2.0
  9. Environment:
  10. User mode only.
  11. Contains NT-specific code.
  12. Requires ANSI C extensions: slash-slash comments, long external names.
  13. Revision History:
  14. 00-Jun-1989 (PradyM)
  15. modified lm10 code for new NETLOGON service
  16. 00-Feb-1990 (PradyM)
  17. bugfixes
  18. 00-Aug-1990 (t-RichE)
  19. added alerts for auth failure due to time slippage
  20. 11-Jul-1991 (cliffv)
  21. Ported to NT. Converted to NT style.
  22. 02-Jan-1992 (madana)
  23. added support for builtin/multidomain replication.
  24. --*/
  25. //
  26. // Common include files.
  27. //
  28. #include "logonsrv.h" // Include files common to entire service
  29. #pragma hdrstop
  30. //
  31. // Include files specific to this .c file
  32. //
  33. #include <accessp.h> // NetpAliasMemberToPriv
  34. #include <msgtext.h> // MTXT_* defines
  35. #include <netcan.h> // NetpwPathCompare()
  36. #include <ssiapi.h> // I_NetSamDeltas()
  37. /*lint -e740 */ /* don't complain about unusual cast */
  38. #define MAX_DC_AUTHENTICATION_WAIT (long) (45L*1000L) // 45 seconds
  39. //
  40. // We want to prevent too-frequent alerts from
  41. // being sent in case of Authentication failures.
  42. //
  43. #define MAX_ALERTS 10 // send one every 10 to 30 mins based on pulse
  44. VOID
  45. RaiseNetlogonAlert(
  46. IN DWORD alertNum,
  47. IN LPWSTR *AlertStrings,
  48. IN OUT DWORD *ptrAlertCount
  49. )
  50. /*++
  51. Routine Description:
  52. Raise an alert once per MAX_ALERTS occurances
  53. Arguments:
  54. alertNum -- RaiseAlert() alert number.
  55. AlertStrings -- RaiseAlert() arguments
  56. ptrAlertCount -- Points to the count of occurence of this particular
  57. alert. This routine increments it and will set it to that value
  58. modulo MAX_ALERTS.
  59. Return Value:
  60. NONE
  61. --*/
  62. {
  63. if (*ptrAlertCount == 0) {
  64. NetpRaiseAlert( SERVICE_NETLOGON, alertNum, AlertStrings);
  65. }
  66. (*ptrAlertCount)++;
  67. (*ptrAlertCount) %= MAX_ALERTS;
  68. }
  69. NTSTATUS
  70. NlOpenSecret(
  71. IN PCLIENT_SESSION ClientSession,
  72. IN ULONG DesiredAccess,
  73. OUT PLSAPR_HANDLE SecretHandle
  74. )
  75. /*++
  76. Routine Description:
  77. Open the Lsa Secret Object containing the password to be used for the
  78. specified client session.
  79. Arguments:
  80. ClientSession - Structure used to define the session.
  81. On Input, the following fields must be set:
  82. CsNetbiosDomainName
  83. CsSecureChannelType
  84. DesiredAccess - Access required to the secret.
  85. SecretHandle - Returns a handle to the secret.
  86. Return Value:
  87. Status of operation.
  88. --*/
  89. {
  90. NTSTATUS Status;
  91. UNICODE_STRING SecretNameString;
  92. NlAssert( ClientSession->CsReferenceCount > 0 );
  93. //
  94. // Only use secrets for workstation and BDC machine accounts.
  95. //
  96. switch ( ClientSession->CsSecureChannelType ) {
  97. case ServerSecureChannel:
  98. case WorkstationSecureChannel:
  99. RtlInitUnicodeString( &SecretNameString, SSI_SECRET_NAME );
  100. break;
  101. case TrustedDomainSecureChannel:
  102. case TrustedDnsDomainSecureChannel:
  103. default:
  104. Status = STATUS_INTERNAL_ERROR;
  105. NlPrint((NL_CRITICAL, "NlOpenSecret: Invalid account type\n"));
  106. return Status;
  107. }
  108. //
  109. // Get the Password of the account from LSA secret storage
  110. //
  111. Status = LsarOpenSecret(
  112. ClientSession->CsDomainInfo->DomLsaPolicyHandle,
  113. (PLSAPR_UNICODE_STRING)&SecretNameString,
  114. DesiredAccess,
  115. SecretHandle );
  116. return Status;
  117. }
  118. NTSTATUS
  119. NlGetOutgoingPassword(
  120. IN PCLIENT_SESSION ClientSession,
  121. OUT PUNICODE_STRING *CurrentValue,
  122. OUT PUNICODE_STRING *OldValue,
  123. OUT PDWORD CurrentVersionNumber,
  124. OUT PLARGE_INTEGER LastSetTime OPTIONAL
  125. )
  126. /*++
  127. Routine Description:
  128. Get the outgoing password to be used for the specified client session.
  129. Arguments:
  130. ClientSession - Structure used to define the session.
  131. On Input, the following fields must be set:
  132. CsNetbiosDomainName
  133. CsSecureChannelType
  134. CurrentValue - Current password for the client session.
  135. CurrentValue should be freed using LocalFree
  136. A NULL pointer is returned if there is no current password.
  137. OldValue - Previous password for the client session.
  138. OldValue should be freed using LocalFree
  139. A NULL pointer is returned if there is no old password.
  140. CurrentVersionNumber - Version number of the current password
  141. for interdomain trust account. Set to 0 on failure status
  142. or if this is not interdomain trust account.
  143. LastSetTime - Time when the password was last changed.
  144. Return Value:
  145. Status of operation.
  146. STATUS_NO_TRUST_LSA_SECRET: Secret object is not accessable
  147. STATUS_NO_MEMORY: Not enough memory to allocate password buffers
  148. --*/
  149. {
  150. NTSTATUS Status;
  151. LSAPR_HANDLE SecretHandle = NULL;
  152. PLSAPR_CR_CIPHER_VALUE CrCurrentPassword = NULL;
  153. PLSAPR_CR_CIPHER_VALUE CrOldPassword = NULL;
  154. PLSAPR_TRUSTED_DOMAIN_INFO TrustInfo = NULL;
  155. PLSAPR_AUTH_INFORMATION AuthInfo;
  156. PLSAPR_AUTH_INFORMATION OldAuthInfo;
  157. ULONG AuthInfoCount;
  158. ULONG i;
  159. BOOL PasswordFound = FALSE;
  160. BOOL PasswordVersionFound = FALSE;
  161. //
  162. // Initialization
  163. //
  164. *CurrentValue = NULL;
  165. *OldValue = NULL;
  166. *CurrentVersionNumber = 0;
  167. //
  168. // Workstation and BDC secure channels get their outgoing password from
  169. // an LSA secret.
  170. //
  171. switch ( ClientSession->CsSecureChannelType ) {
  172. case ServerSecureChannel:
  173. case WorkstationSecureChannel:
  174. //
  175. // Get the Password of the account from LSA secret storage
  176. //
  177. Status = NlOpenSecret( ClientSession, SECRET_QUERY_VALUE, &SecretHandle );
  178. if ( !NT_SUCCESS( Status ) ) {
  179. NlPrintCs((NL_CRITICAL, ClientSession,
  180. "NlGetOutgoingPassword: cannot NlOpenSecret 0x%lx\n",
  181. Status ));
  182. //
  183. // return more appropriate error.
  184. //
  185. if ( !NlpIsNtStatusResourceError( Status )) {
  186. Status = STATUS_NO_TRUST_LSA_SECRET;
  187. }
  188. goto Cleanup;
  189. }
  190. Status = LsarQuerySecret(
  191. SecretHandle,
  192. &CrCurrentPassword,
  193. LastSetTime,
  194. &CrOldPassword,
  195. NULL );
  196. if ( !NT_SUCCESS( Status ) ) {
  197. NlPrintCs((NL_CRITICAL, ClientSession,
  198. "NlGetOutgoingPassword: cannot LsaQuerySecret 0x%lx\n",
  199. Status ));
  200. //
  201. // return more appropriate error.
  202. //
  203. if ( !NlpIsNtStatusResourceError( Status )) {
  204. Status = STATUS_NO_TRUST_LSA_SECRET;
  205. }
  206. goto Cleanup;
  207. }
  208. //
  209. // Copy the current password back to the caller.
  210. //
  211. if ( CrCurrentPassword != NULL ) {
  212. *CurrentValue = LocalAlloc(0, sizeof(UNICODE_STRING)+CrCurrentPassword->Length+sizeof(WCHAR) );
  213. if ( *CurrentValue == NULL ) {
  214. Status = STATUS_NO_MEMORY;
  215. goto Cleanup;
  216. }
  217. (*CurrentValue)->Buffer = (LPWSTR)(((LPBYTE)(*CurrentValue))+sizeof(UNICODE_STRING));
  218. RtlCopyMemory( (*CurrentValue)->Buffer, CrCurrentPassword->Buffer, CrCurrentPassword->Length );
  219. (*CurrentValue)->Length = (USHORT)CrCurrentPassword->Length;
  220. (*CurrentValue)->MaximumLength = (USHORT)((*CurrentValue)->Length + sizeof(WCHAR));
  221. (*CurrentValue)->Buffer[(*CurrentValue)->Length/sizeof(WCHAR)] = L'\0';
  222. }
  223. //
  224. // Copy the Old password back to the caller.
  225. //
  226. if ( CrOldPassword != NULL ) {
  227. *OldValue = LocalAlloc(0, sizeof(UNICODE_STRING)+CrOldPassword->Length+sizeof(WCHAR) );
  228. if ( *OldValue == NULL ) {
  229. Status = STATUS_NO_MEMORY;
  230. goto Cleanup;
  231. }
  232. (*OldValue)->Buffer = (LPWSTR)(((LPBYTE)(*OldValue))+sizeof(UNICODE_STRING));
  233. RtlCopyMemory( (*OldValue)->Buffer, CrOldPassword->Buffer, CrOldPassword->Length );
  234. (*OldValue)->Length = (USHORT)CrOldPassword->Length;
  235. (*OldValue)->MaximumLength = (USHORT)((*OldValue)->Length + sizeof(WCHAR));
  236. (*OldValue)->Buffer[(*OldValue)->Length/sizeof(WCHAR)] = L'\0';
  237. }
  238. break;
  239. //
  240. // Trusted domain secure channels get their outgoing password from the trusted
  241. // domain object.
  242. //
  243. case TrustedDomainSecureChannel:
  244. case TrustedDnsDomainSecureChannel:
  245. //
  246. // Get the authentication information from the LSA.
  247. //
  248. Status = LsarQueryTrustedDomainInfoByName(
  249. ClientSession->CsDomainInfo->DomLsaPolicyHandle,
  250. (PLSAPR_UNICODE_STRING) ClientSession->CsTrustName,
  251. TrustedDomainAuthInformation,
  252. &TrustInfo );
  253. if (!NT_SUCCESS(Status)) {
  254. NlPrintCs((NL_CRITICAL, ClientSession,
  255. "NlGetOutgoingPassword: %wZ: cannot LsarQueryTrustedDomainInfoByName 0x%lx\n",
  256. ClientSession->CsTrustName,
  257. Status ));
  258. if ( !NlpIsNtStatusResourceError( Status )) {
  259. Status = STATUS_NO_TRUST_LSA_SECRET;
  260. }
  261. goto Cleanup;
  262. }
  263. AuthInfoCount = TrustInfo->TrustedAuthInfo.OutgoingAuthInfos;
  264. AuthInfo = TrustInfo->TrustedAuthInfo.OutgoingAuthenticationInformation;
  265. OldAuthInfo = TrustInfo->TrustedAuthInfo.OutgoingPreviousAuthenticationInformation;
  266. if (AuthInfoCount == 0 || AuthInfo == NULL) {
  267. NlPrintCs((NL_CRITICAL, ClientSession,
  268. "NlGetOutgoingPassword: %wZ: No auth info for this domain.\n",
  269. ClientSession->CsTrustName ));
  270. Status = STATUS_NO_TRUST_LSA_SECRET;
  271. goto Cleanup;
  272. }
  273. NlAssert( OldAuthInfo != NULL );
  274. //
  275. // Loop through the various auth infos looking for the cleartext password
  276. // and its version number.
  277. //
  278. for ( i=0; i<AuthInfoCount; i++ ) {
  279. //
  280. // Handle the cleartext password
  281. //
  282. if ( AuthInfo[i].AuthType == TRUST_AUTH_TYPE_CLEAR && !PasswordFound ) {
  283. //
  284. // Copy the current password back to the caller.
  285. //
  286. *CurrentValue = LocalAlloc(0, sizeof(UNICODE_STRING)+AuthInfo[i].AuthInfoLength+sizeof(WCHAR) );
  287. if ( *CurrentValue == NULL ) {
  288. Status = STATUS_NO_MEMORY;
  289. goto Cleanup;
  290. }
  291. (*CurrentValue)->Buffer = (LPWSTR)(((LPBYTE)(*CurrentValue))+sizeof(UNICODE_STRING));
  292. RtlCopyMemory( (*CurrentValue)->Buffer, AuthInfo[i].AuthInfo, AuthInfo[i].AuthInfoLength );
  293. (*CurrentValue)->Length = (USHORT)AuthInfo[i].AuthInfoLength;
  294. (*CurrentValue)->MaximumLength = (USHORT)((*CurrentValue)->Length + sizeof(WCHAR));
  295. (*CurrentValue)->Buffer[(*CurrentValue)->Length/sizeof(WCHAR)] = L'\0';
  296. //
  297. // Copy the password change time back to the caller.
  298. //
  299. if ( ARGUMENT_PRESENT( LastSetTime )) {
  300. *LastSetTime = AuthInfo[i].LastUpdateTime;
  301. }
  302. //
  303. // Only copy the old password if it is also clear.
  304. //
  305. if ( OldAuthInfo[i].AuthType == TRUST_AUTH_TYPE_CLEAR ) {
  306. //
  307. // Copy the Old password back to the caller.
  308. //
  309. *OldValue = LocalAlloc(0, sizeof(UNICODE_STRING)+OldAuthInfo[i].AuthInfoLength+sizeof(WCHAR) );
  310. if ( *OldValue == NULL ) {
  311. Status = STATUS_NO_MEMORY;
  312. goto Cleanup;
  313. }
  314. (*OldValue)->Buffer = (LPWSTR)(((LPBYTE)(*OldValue))+sizeof(UNICODE_STRING));
  315. RtlCopyMemory( (*OldValue)->Buffer, OldAuthInfo[i].AuthInfo, OldAuthInfo[i].AuthInfoLength );
  316. (*OldValue)->Length = (USHORT)OldAuthInfo[i].AuthInfoLength;
  317. (*OldValue)->MaximumLength = (USHORT)((*OldValue)->Length + sizeof(WCHAR));
  318. (*OldValue)->Buffer[(*OldValue)->Length/sizeof(WCHAR)] = L'\0';
  319. }
  320. PasswordFound = TRUE;
  321. if ( PasswordVersionFound ) {
  322. break;
  323. }
  324. //
  325. // Handle the version number of the cleartext password
  326. //
  327. } else if ( AuthInfo[i].AuthType == TRUST_AUTH_TYPE_VERSION && !PasswordVersionFound &&
  328. AuthInfo[i].AuthInfoLength == sizeof(*CurrentVersionNumber) ) {
  329. RtlCopyMemory( CurrentVersionNumber, AuthInfo[i].AuthInfo, AuthInfo[i].AuthInfoLength );
  330. PasswordVersionFound = TRUE;
  331. if ( PasswordFound ) {
  332. break;
  333. }
  334. }
  335. }
  336. //if ( i == AuthInfoCount ) {
  337. if ( !PasswordFound ) {
  338. NlPrintCs((NL_CRITICAL, ClientSession,
  339. "NlGetOutgoingPassword: %wZ: No clear password for this domain.\n",
  340. ClientSession->CsTrustName ));
  341. Status = STATUS_NO_TRUST_LSA_SECRET;
  342. goto Cleanup;
  343. }
  344. break;
  345. default:
  346. NlPrintCs((NL_CRITICAL, ClientSession,
  347. "NlGetOutgoingPassword: invalid secure channel type\n" ));
  348. Status = STATUS_NO_TRUST_LSA_SECRET;
  349. goto Cleanup;
  350. }
  351. Status = STATUS_SUCCESS;
  352. //
  353. // Free locally used resources.
  354. //
  355. Cleanup:
  356. if ( !NT_SUCCESS(Status) ) {
  357. if ( *CurrentValue != NULL ) {
  358. LocalFree( *CurrentValue );
  359. *CurrentValue = NULL;
  360. }
  361. if ( *OldValue != NULL ) {
  362. LocalFree( *OldValue );
  363. *OldValue = NULL;
  364. }
  365. *CurrentVersionNumber = 0;
  366. }
  367. if ( SecretHandle != NULL ) {
  368. (VOID) LsarClose( &SecretHandle );
  369. }
  370. if ( CrCurrentPassword != NULL ) {
  371. (VOID) LsaIFree_LSAPR_CR_CIPHER_VALUE ( CrCurrentPassword );
  372. }
  373. if ( CrOldPassword != NULL ) {
  374. (VOID) LsaIFree_LSAPR_CR_CIPHER_VALUE ( CrOldPassword );
  375. }
  376. if ( TrustInfo != NULL ) {
  377. LsaIFree_LSAPR_TRUSTED_DOMAIN_INFO( TrustedDomainAuthInformation,
  378. TrustInfo );
  379. }
  380. return Status;
  381. }
  382. NTSTATUS
  383. NlSetOutgoingPassword(
  384. IN PCLIENT_SESSION ClientSession,
  385. IN PUNICODE_STRING CurrentValue OPTIONAL,
  386. IN PUNICODE_STRING OldValue OPTIONAL,
  387. IN DWORD CurrentVersionNumber,
  388. IN DWORD OldVersionNumber
  389. )
  390. /*++
  391. Routine Description:
  392. Set the outgoing password to be used for the specified client session.
  393. Arguments:
  394. ClientSession - Structure used to define the session.
  395. CurrentValue - Current password for the client session.
  396. A NULL pointer indicates there is no current password (blank password)
  397. OldValue - Previous password for the client session.
  398. A NULL pointer indicates there is no old password (blank password)
  399. CurrentVersionNumber - The version number of the Current password.
  400. Ignored if this is not an interdomain trust account.
  401. OldVersionNumber - The version number of the Old password.
  402. Ignored if this is not an interdomain trust account.
  403. Return Value:
  404. Status of operation.
  405. --*/
  406. {
  407. NTSTATUS Status;
  408. LSAPR_HANDLE SecretHandle = NULL;
  409. UNICODE_STRING LocalNullPassword;
  410. LSAPR_CR_CIPHER_VALUE CrCurrentPassword;
  411. LSAPR_CR_CIPHER_VALUE CrOldPassword;
  412. LSAPR_TRUSTED_DOMAIN_INFO TrustInfo;
  413. LSAPR_AUTH_INFORMATION CurrentAuthInfo[2];
  414. LSAPR_AUTH_INFORMATION OldAuthInfo[2];
  415. //
  416. // Initialization
  417. //
  418. if ( CurrentValue == NULL ) {
  419. CurrentValue = &LocalNullPassword;
  420. RtlInitUnicodeString( &LocalNullPassword, NULL );
  421. }
  422. if ( OldValue == NULL ) {
  423. OldValue = &LocalNullPassword;
  424. RtlInitUnicodeString( &LocalNullPassword, NULL );
  425. }
  426. //
  427. // Workstation and BDC secure channels get their outgoing password from
  428. // an LSA secret.
  429. //
  430. switch ( ClientSession->CsSecureChannelType ) {
  431. case ServerSecureChannel:
  432. case WorkstationSecureChannel:
  433. //
  434. // Open the LSA secret to set.
  435. //
  436. Status = NlOpenSecret( ClientSession, SECRET_SET_VALUE, &SecretHandle );
  437. if ( !NT_SUCCESS( Status ) ) {
  438. NlPrintCs((NL_CRITICAL, ClientSession,
  439. "NlSetOutgoiningPassword: cannot NlOpenSecret 0x%lx\n",
  440. Status ));
  441. goto Cleanup;
  442. }
  443. //
  444. // Convert the current password to LSA'ese.
  445. //
  446. CrCurrentPassword.Buffer = (LPBYTE)CurrentValue->Buffer;
  447. CrCurrentPassword.Length = CurrentValue->Length;
  448. CrCurrentPassword.MaximumLength = CurrentValue->MaximumLength;
  449. //
  450. // Convert the old password to LSA'ese.
  451. //
  452. CrOldPassword.Buffer = (LPBYTE)OldValue->Buffer;
  453. CrOldPassword.Length = OldValue->Length;
  454. CrOldPassword.MaximumLength = OldValue->MaximumLength;
  455. Status = LsarSetSecret(
  456. SecretHandle,
  457. &CrCurrentPassword,
  458. &CrOldPassword );
  459. if ( !NT_SUCCESS( Status ) ) {
  460. NlPrintCs((NL_CRITICAL, ClientSession,
  461. "NlSetOutgoingPassword: cannot LsarSetSecret 0x%lx\n",
  462. Status ));
  463. goto Cleanup;
  464. }
  465. break;
  466. //
  467. // Trusted domain secure channels get their outgoing password from the trusted
  468. // domain object.
  469. //
  470. case TrustedDomainSecureChannel:
  471. case TrustedDnsDomainSecureChannel:
  472. //
  473. // Fill in the trust information.
  474. //
  475. RtlZeroMemory( &TrustInfo, sizeof(TrustInfo) );
  476. TrustInfo.TrustedAuthInfo.OutgoingAuthInfos = 2;
  477. TrustInfo.TrustedAuthInfo.OutgoingAuthenticationInformation =
  478. CurrentAuthInfo;
  479. TrustInfo.TrustedAuthInfo.OutgoingPreviousAuthenticationInformation =
  480. OldAuthInfo;
  481. //
  482. // Fill in the current authentication information.
  483. //
  484. NlQuerySystemTime( &CurrentAuthInfo[0].LastUpdateTime );
  485. CurrentAuthInfo[0].AuthType = TRUST_AUTH_TYPE_CLEAR;
  486. CurrentAuthInfo[0].AuthInfoLength = CurrentValue->Length;
  487. CurrentAuthInfo[0].AuthInfo = (LPBYTE)CurrentValue->Buffer;
  488. //
  489. // Fill in the current password version number
  490. //
  491. CurrentAuthInfo[1].LastUpdateTime = CurrentAuthInfo[0].LastUpdateTime;
  492. CurrentAuthInfo[1].AuthType = TRUST_AUTH_TYPE_VERSION;
  493. CurrentAuthInfo[1].AuthInfoLength = sizeof( CurrentVersionNumber );
  494. CurrentAuthInfo[1].AuthInfo = (LPBYTE) &CurrentVersionNumber;
  495. //
  496. // Fill in the old authentication information.
  497. //
  498. OldAuthInfo[0].LastUpdateTime = CurrentAuthInfo[0].LastUpdateTime;
  499. OldAuthInfo[0].AuthType = TRUST_AUTH_TYPE_CLEAR;
  500. OldAuthInfo[0].AuthInfoLength = OldValue->Length;
  501. OldAuthInfo[0].AuthInfo = (LPBYTE)OldValue->Buffer;
  502. //
  503. // Fill in the old password version number.
  504. //
  505. OldAuthInfo[1].LastUpdateTime = CurrentAuthInfo[0].LastUpdateTime;
  506. OldAuthInfo[1].AuthType = TRUST_AUTH_TYPE_VERSION;
  507. OldAuthInfo[1].AuthInfoLength = sizeof( OldVersionNumber );
  508. OldAuthInfo[1].AuthInfo = (LPBYTE) &OldVersionNumber;
  509. //
  510. // Get the authentication information from the LSA.
  511. //
  512. Status = LsarSetTrustedDomainInfoByName(
  513. ClientSession->CsDomainInfo->DomLsaPolicyHandle,
  514. (PLSAPR_UNICODE_STRING) ClientSession->CsTrustName,
  515. TrustedDomainAuthInformation,
  516. &TrustInfo );
  517. if (!NT_SUCCESS(Status)) {
  518. NlPrintCs((NL_CRITICAL, ClientSession,
  519. "NlSetOutgoingPassword: %wZ: cannot LsarSetTrustedDomainInfoByName 0x%lx\n",
  520. ClientSession->CsTrustName,
  521. Status ));
  522. if ( !NlpIsNtStatusResourceError( Status )) {
  523. Status = STATUS_NO_TRUST_LSA_SECRET;
  524. }
  525. goto Cleanup;
  526. }
  527. //
  528. // Be verbose
  529. //
  530. NlPrint(( NL_SESSION_SETUP, "NlSetOutgoingPassword: Current Clear Text Password is: " ));
  531. NlpDumpBuffer(NL_SESSION_SETUP, CurrentAuthInfo[0].AuthInfo, CurrentAuthInfo[0].AuthInfoLength );
  532. NlPrint(( NL_SESSION_SETUP, "NlSetOutgoingPassword: Current Clear Password Version Number is: 0x%lx\n",
  533. CurrentVersionNumber ));
  534. NlPrint(( NL_SESSION_SETUP, "NlSetOutgoingPassword: Previous Clear Text Password is: " ));
  535. NlpDumpBuffer(NL_SESSION_SETUP, OldAuthInfo[0].AuthInfo, OldAuthInfo[0].AuthInfoLength );
  536. NlPrint(( NL_SESSION_SETUP, "NlSetOutgoingPassword: Previous Clear Password Version Number is: 0x%lx\n",
  537. OldVersionNumber ));
  538. break;
  539. default:
  540. NlPrintCs((NL_CRITICAL, ClientSession,
  541. "NlSetOutgoingPassword: invalid secure channel type\n" ));
  542. Status = STATUS_NO_TRUST_LSA_SECRET;
  543. goto Cleanup;
  544. }
  545. Status = STATUS_SUCCESS;
  546. //
  547. // Free locally used resources.
  548. //
  549. Cleanup:
  550. if ( SecretHandle != NULL ) {
  551. (VOID) LsarClose( &SecretHandle );
  552. }
  553. return Status;
  554. }
  555. NTSTATUS
  556. NlGetIncomingPassword(
  557. IN PDOMAIN_INFO DomainInfo,
  558. IN LPCWSTR AccountName,
  559. IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType,
  560. IN ULONG AllowableAccountControlBits,
  561. IN BOOL CheckAccountDisabled,
  562. OUT PNT_OWF_PASSWORD OwfPassword OPTIONAL,
  563. OUT PNT_OWF_PASSWORD OwfPreviousPassword OPTIONAL,
  564. OUT PULONG AccountRid OPTIONAL,
  565. OUT PULONG TrustAttributes OPTIONAL,
  566. OUT PBOOL IsDnsDomainTrustAccount OPTIONAL
  567. )
  568. /*++
  569. Routine Description:
  570. Get the incoming password for the specified AccountName and SecureChannelType
  571. Check the machine account:
  572. Ensure the SecureChannelType is valid,
  573. Verify that the account exists,
  574. Ensure the user account is the right account type.
  575. Arguments:
  576. DomainInfo - Emulated domain
  577. AccountName - Name of the account to authenticate with.
  578. SecureChannelType - The type of the account.
  579. Use NullSecureChannel if channel type is not known.
  580. AllowableAccountControlBits - The type of the account.
  581. Use 0 if AccountControlBits is not known.
  582. Typically only one of AllowableAccountControlBits or SecureChannelType
  583. will be specified.
  584. CheckAccountDisabled - TRUE if we should return an error if the account
  585. is disabled.
  586. OwfPassword - Returns the NT OWF of the incoming password for the named
  587. account. If NULL, the password is not returned.
  588. OwfPreviousPassword - Returns the NT OWF of the incoming previous password for
  589. the named interdomain trust account. If NULL, the password is not returned.
  590. If OwfPreviousPassword is not NULL, OwfPassword must not be NULL either;
  591. otherwise the function asserts. If OwfPreviousPassword is not NULL and the
  592. account is not interdomain, the function asserts. If both OwfPassword and
  593. OwfPreviousPassword are NULL, the account is only checked for validity.
  594. AccountRid - Returns the RID of AccountName
  595. TrustAttributes - Returns the TrustAttributes for the interdomain trust account.
  596. IsDnsDomainTrustAccount - Returns TRUE if the passed in account name is the
  597. DNS domain name of an uplevel domain trust. Set only if the account control
  598. bits (either passed directly or determined from the secure channel type)
  599. correspond to an interdomain trust account.
  600. Return Value:
  601. Status of operation.
  602. --*/
  603. {
  604. NTSTATUS Status;
  605. SAMPR_HANDLE UserHandle = NULL;
  606. PSAMPR_USER_INFO_BUFFER UserAllInfo = NULL;
  607. ULONG Length;
  608. PLSAPR_TRUSTED_DOMAIN_INFO TrustInfo = NULL;
  609. PLSAPR_AUTH_INFORMATION AuthInfo;
  610. ULONG AuthInfoCount;
  611. BOOL PasswordFound = FALSE;
  612. BOOL PreviousPasswordFound = FALSE;
  613. ULONG i;
  614. //
  615. // Initialization
  616. //
  617. if ( ARGUMENT_PRESENT(AccountRid) ) {
  618. *AccountRid = 0;
  619. }
  620. if ( ARGUMENT_PRESENT(TrustAttributes) ) {
  621. *TrustAttributes = 0;
  622. }
  623. if ( ARGUMENT_PRESENT(IsDnsDomainTrustAccount) ) {
  624. *IsDnsDomainTrustAccount = FALSE; // assume it's not and prove if otherwise
  625. }
  626. Length = wcslen( AccountName );
  627. if ( Length < 1 ) {
  628. return STATUS_INVALID_PARAMETER;
  629. }
  630. //
  631. // Convert the secure channel type to allowable account control bits.
  632. //
  633. switch (SecureChannelType) {
  634. case WorkstationSecureChannel:
  635. AllowableAccountControlBits |= USER_WORKSTATION_TRUST_ACCOUNT;
  636. break;
  637. case ServerSecureChannel:
  638. AllowableAccountControlBits |= USER_SERVER_TRUST_ACCOUNT;
  639. break;
  640. case TrustedDomainSecureChannel:
  641. AllowableAccountControlBits |= USER_INTERDOMAIN_TRUST_ACCOUNT;
  642. break;
  643. case TrustedDnsDomainSecureChannel:
  644. AllowableAccountControlBits |= USER_DNS_DOMAIN_TRUST_ACCOUNT;
  645. break;
  646. case NullSecureChannel:
  647. if ( AllowableAccountControlBits == 0 ) {
  648. NlPrintDom((NL_CRITICAL, DomainInfo,
  649. "NlGetIncomingPassword: Invalid AAC (%x) for %ws\n",
  650. AllowableAccountControlBits,
  651. AccountName ));
  652. return STATUS_INVALID_PARAMETER;
  653. }
  654. break;
  655. default:
  656. NlPrintDom((NL_CRITICAL, DomainInfo,
  657. "NlGetIncomingPassword: Invalid channel type (%x) for %ws\n",
  658. SecureChannelType,
  659. AccountName ));
  660. return STATUS_INVALID_PARAMETER;
  661. }
  662. //
  663. // If this is an interdomain trust account,
  664. // use an interdomain trust object.
  665. //
  666. if ( AllowableAccountControlBits == USER_DNS_DOMAIN_TRUST_ACCOUNT ||
  667. AllowableAccountControlBits == USER_INTERDOMAIN_TRUST_ACCOUNT ) {
  668. UNICODE_STRING AccountNameString;
  669. //
  670. // If this is a DNS trust account,
  671. // remove the optional . from the end of the account name.
  672. //
  673. RtlInitUnicodeString( &AccountNameString, AccountName );
  674. if ( AllowableAccountControlBits == USER_DNS_DOMAIN_TRUST_ACCOUNT ) {
  675. if ( Length != 0 && AccountName[Length-1] == '.' ) {
  676. AccountNameString.Length -= sizeof(WCHAR);
  677. }
  678. //
  679. // If this is an NT4-style interdomain trust,
  680. // remove the $ from the end of the account name.
  681. //
  682. } else {
  683. //
  684. // Ensure the account name has the correct postfix.
  685. //
  686. if ( Length <= SSI_ACCOUNT_NAME_POSTFIX_LENGTH ) {
  687. return STATUS_NO_SUCH_USER;
  688. }
  689. if ( _wcsicmp(&AccountName[Length - SSI_ACCOUNT_NAME_POSTFIX_LENGTH],
  690. SSI_ACCOUNT_NAME_POSTFIX) != 0 ) {
  691. return STATUS_NO_SUCH_USER;
  692. }
  693. AccountNameString.Length -= SSI_ACCOUNT_NAME_POSTFIX_LENGTH*sizeof(WCHAR);
  694. }
  695. //
  696. // Get the authentication information from the LSA.
  697. //
  698. Status = LsarQueryTrustedDomainInfoByName(
  699. DomainInfo->DomLsaPolicyHandle,
  700. (PLSAPR_UNICODE_STRING) &AccountNameString,
  701. TrustedDomainFullInformation,
  702. &TrustInfo );
  703. if (!NT_SUCCESS(Status)) {
  704. NlPrintDom((NL_CRITICAL, DomainInfo,
  705. "NlGetIncomingPassword: %wZ: cannot LsarQueryTrustedDomainInfoByName 0x%lx\n",
  706. &AccountNameString,
  707. Status ));
  708. if ( !NlpIsNtStatusResourceError( Status )) {
  709. Status = STATUS_NO_SUCH_USER;
  710. }
  711. goto Cleanup;
  712. }
  713. //
  714. // Ensure the attributes of the trust account are right.
  715. //
  716. if ( (TrustInfo->TrustedFullInfo.Information.TrustDirection & TRUST_DIRECTION_INBOUND) == 0 ) {
  717. NlPrintDom((NL_CRITICAL, DomainInfo,
  718. "NlGetIncomingPassword: %wZ: trust is not inbound\n",
  719. &AccountNameString ));
  720. Status = STATUS_NO_SUCH_USER;
  721. goto Cleanup;
  722. }
  723. if ( TrustInfo->TrustedFullInfo.Information.TrustType != TRUST_TYPE_DOWNLEVEL &&
  724. TrustInfo->TrustedFullInfo.Information.TrustType != TRUST_TYPE_UPLEVEL ) {
  725. NlPrintDom((NL_CRITICAL, DomainInfo,
  726. "NlGetIncomingPassword: %wZ: trust type doesn't match request type 0x%lx %ld\n",
  727. &AccountNameString,
  728. AllowableAccountControlBits,
  729. TrustInfo->TrustedFullInfo.Information.TrustType ));
  730. Status = STATUS_NO_SUCH_USER;
  731. goto Cleanup;
  732. }
  733. if ( TrustInfo->TrustedFullInfo.Information.TrustAttributes & TRUST_ATTRIBUTE_UPLEVEL_ONLY ) {
  734. NlPrintDom((NL_CRITICAL, DomainInfo,
  735. "NlGetIncomingPassword: %wZ: trust is KERB only\n",
  736. &AccountNameString ));
  737. Status = STATUS_NO_SUCH_USER;
  738. goto Cleanup;
  739. }
  740. //
  741. // Return the trust attributes to the caller
  742. //
  743. if ( ARGUMENT_PRESENT(TrustAttributes) ) {
  744. *TrustAttributes = TrustInfo->TrustedFullInfo.Information.TrustAttributes;
  745. }
  746. //
  747. // Determine whether the passed account is a DNS domain trust account
  748. //
  749. // Simply check if this is a uplevel trust and if the account name passed
  750. // is the Name of the trusted domain
  751. //
  752. if ( ARGUMENT_PRESENT(IsDnsDomainTrustAccount) ) {
  753. if ( TrustInfo->TrustedFullInfo.Information.TrustType == TRUST_TYPE_UPLEVEL &&
  754. TrustInfo->TrustedFullInfo.Information.Name.Length > 0 ) {
  755. LPWSTR DnsDomainNameString = NULL;
  756. DnsDomainNameString = LocalAlloc( 0,
  757. TrustInfo->TrustedFullInfo.Information.Name.Length + sizeof(WCHAR) );
  758. if ( DnsDomainNameString == NULL ) {
  759. Status = STATUS_NO_MEMORY;
  760. goto Cleanup;
  761. }
  762. RtlCopyMemory( DnsDomainNameString,
  763. TrustInfo->TrustedFullInfo.Information.Name.Buffer,
  764. TrustInfo->TrustedFullInfo.Information.Name.Length );
  765. DnsDomainNameString[ TrustInfo->TrustedFullInfo.Information.Name.Length/sizeof(WCHAR) ] = L'\0';
  766. //
  767. // Note that we don't have to remove the trailing dot
  768. // in AccountName if present because the DNS comprare
  769. // API ignores trailing dots.
  770. //
  771. *IsDnsDomainTrustAccount = NlEqualDnsName(DnsDomainNameString, AccountName);
  772. LocalFree( DnsDomainNameString );
  773. }
  774. }
  775. //
  776. // Only get the password if the caller really wants it.
  777. //
  778. if ( OwfPassword != NULL ) {
  779. AuthInfoCount = TrustInfo->TrustedFullInfo.AuthInformation.IncomingAuthInfos;
  780. AuthInfo = TrustInfo->TrustedFullInfo.AuthInformation.IncomingAuthenticationInformation;
  781. if (AuthInfoCount == 0 || AuthInfo == NULL) {
  782. NlPrintDom((NL_CRITICAL, DomainInfo,
  783. "NlGetIncomingPassword: %wZ: No auth info for this domain.\n",
  784. &AccountNameString ));
  785. Status = STATUS_NO_SUCH_USER;
  786. goto Cleanup;
  787. }
  788. //
  789. // Loop through the various auth infos looking for the cleartext password
  790. // or NT OWF password.
  791. //
  792. // If there is a clear text password, use it.
  793. // Otherwise, use the NT OWF password.
  794. //
  795. for ( i=0; i<AuthInfoCount; i++ ) {
  796. //
  797. // Handle an NT OWF password.
  798. //
  799. if ( AuthInfo[i].AuthType == TRUST_AUTH_TYPE_NT4OWF ) {
  800. //
  801. // Only use the OWF if it is valid
  802. //
  803. if ( AuthInfo[i].AuthInfoLength != sizeof(*OwfPassword) ) {
  804. NlPrintDom((NL_CRITICAL, DomainInfo,
  805. "NlGetIncomingPassword: %wZ: OWF password has bad length %ld\n",
  806. &AccountNameString,
  807. AuthInfo[i].AuthInfoLength ));
  808. } else {
  809. RtlCopyMemory( OwfPassword, AuthInfo[i].AuthInfo, sizeof(*OwfPassword) );
  810. PasswordFound = TRUE;
  811. }
  812. }
  813. //
  814. // Handle a cleartext password.
  815. //
  816. else if ( AuthInfo[i].AuthType == TRUST_AUTH_TYPE_CLEAR ) {
  817. UNICODE_STRING TempUnicodeString;
  818. TempUnicodeString.Buffer = (LPWSTR)AuthInfo[i].AuthInfo;
  819. TempUnicodeString.MaximumLength =
  820. TempUnicodeString.Length = (USHORT)AuthInfo[i].AuthInfoLength;
  821. NlPrint((NL_CHALLENGE_RES,"NlGetIncomingPassword: New Clear Password = " ));
  822. NlpDumpBuffer(NL_CHALLENGE_RES, TempUnicodeString.Buffer, TempUnicodeString.Length );
  823. NlpDumpTime( NL_CHALLENGE_RES, "NlGetIncomingPassword: New Password Changed: ", AuthInfo[i].LastUpdateTime );
  824. Status = RtlCalculateNtOwfPassword(&TempUnicodeString,
  825. OwfPassword);
  826. if ( !NT_SUCCESS(Status) ) {
  827. NlPrintDom((NL_CRITICAL, DomainInfo,
  828. "NlGetIncomingPassword: %wZ: cannot RtlCalculateNtOwfPassword 0x%lx\n",
  829. &AccountNameString,
  830. Status ));
  831. goto Cleanup;
  832. }
  833. PasswordFound = TRUE;
  834. //
  835. // Use this clear text password
  836. //
  837. break;
  838. }
  839. }
  840. }
  841. //
  842. // Only get the previous password if the caller really wants it.
  843. //
  844. if ( OwfPreviousPassword != NULL ) {
  845. // If OwfPreviousPassword is not NULL, OwfPassword must not be NULL either
  846. NlAssert( OwfPassword != NULL );
  847. AuthInfoCount = TrustInfo->TrustedFullInfo.AuthInformation.IncomingAuthInfos;
  848. AuthInfo = TrustInfo->TrustedFullInfo.AuthInformation.IncomingPreviousAuthenticationInformation;
  849. if (AuthInfoCount == 0 || AuthInfo == NULL) {
  850. NlPrintDom((NL_CRITICAL, DomainInfo,
  851. "NlGetIncomingPassword: %wZ: No previous auth info for this domain.\n",
  852. &AccountNameString ));
  853. Status = STATUS_NO_SUCH_USER;
  854. goto Cleanup;
  855. }
  856. //
  857. // Loop through the various auth infos looking for the previous cleartext password
  858. // or NT OWF password.
  859. //
  860. // If there is a clear text password, use it.
  861. // Otherwise, use the NT OWF password.
  862. //
  863. for ( i=0; i<AuthInfoCount; i++ ) {
  864. //
  865. // Handle an NT OWF password.
  866. //
  867. if ( AuthInfo[i].AuthType == TRUST_AUTH_TYPE_NT4OWF ) {
  868. //
  869. // Only use the OWF if it is valid
  870. //
  871. if ( AuthInfo[i].AuthInfoLength != sizeof(*OwfPreviousPassword) ) {
  872. NlPrintDom((NL_CRITICAL, DomainInfo,
  873. "NlGetIncomingPassword: %wZ: previous OWF password has bad length %ld\n",
  874. &AccountNameString,
  875. AuthInfo[i].AuthInfoLength ));
  876. } else {
  877. RtlCopyMemory( OwfPreviousPassword, AuthInfo[i].AuthInfo, sizeof(*OwfPreviousPassword) );
  878. PreviousPasswordFound = TRUE;
  879. }
  880. }
  881. //
  882. // Handle a cleartext password.
  883. //
  884. else if ( AuthInfo[i].AuthType == TRUST_AUTH_TYPE_CLEAR ) {
  885. UNICODE_STRING TempUnicodeString;
  886. TempUnicodeString.Buffer = (LPWSTR)AuthInfo[i].AuthInfo;
  887. TempUnicodeString.MaximumLength =
  888. TempUnicodeString.Length = (USHORT)AuthInfo[i].AuthInfoLength;
  889. NlPrint((NL_CHALLENGE_RES,"NlGetIncomingPassword: Old Clear Password = " ));
  890. NlpDumpBuffer(NL_CHALLENGE_RES, TempUnicodeString.Buffer, TempUnicodeString.Length );
  891. NlpDumpTime( NL_CHALLENGE_RES, "NlGetIncomingPassword: Old Password Changed: ", AuthInfo[i].LastUpdateTime );
  892. Status = RtlCalculateNtOwfPassword(&TempUnicodeString,
  893. OwfPreviousPassword);
  894. if ( !NT_SUCCESS(Status) ) {
  895. NlPrintDom((NL_CRITICAL, DomainInfo,
  896. "NlGetIncomingPassword: %wZ: cannot RtlCalculateNtOwfPassword 0x%lx\n",
  897. &AccountNameString,
  898. Status ));
  899. goto Cleanup;
  900. }
  901. PreviousPasswordFound = TRUE;
  902. //
  903. // Use this clear text password
  904. //
  905. break;
  906. }
  907. }
  908. }
  909. //
  910. // Only get the account RID if the caller really wants it.
  911. //
  912. if ( ARGUMENT_PRESENT( AccountRid) ) {
  913. PUNICODE_STRING FlatName;
  914. WCHAR SamAccountName[CNLEN+1+1];
  915. //
  916. // The name of the SAM account that corresponds to the inbound
  917. // trust is FlatName$.
  918. //
  919. FlatName = (PUNICODE_STRING) &TrustInfo->TrustedFullInfo.Information.FlatName;
  920. if ( FlatName->Length < sizeof(WCHAR) ||
  921. FlatName->Length > CNLEN * sizeof(WCHAR) ) {
  922. NlPrintDom((NL_CRITICAL, DomainInfo,
  923. "NlGetIncomingPassword: %wZ: Flat Name length is bad %ld\n",
  924. &AccountNameString,
  925. FlatName->Length ));
  926. } else {
  927. RtlCopyMemory( SamAccountName,
  928. FlatName->Buffer,
  929. FlatName->Length );
  930. SamAccountName[FlatName->Length/sizeof(WCHAR)] =
  931. SSI_ACCOUNT_NAME_POSTFIX_CHAR;
  932. SamAccountName[(FlatName->Length/sizeof(WCHAR))+1] = L'\0';
  933. //
  934. // Get the account RID from SAM.
  935. //
  936. // ??? This is a gross hack.
  937. // The LSA should return this RID to me directly.
  938. //
  939. Status = NlSamOpenNamedUser( DomainInfo, SamAccountName, NULL, AccountRid, NULL );
  940. if (!NT_SUCCESS(Status)) {
  941. NlPrintDom((NL_CRITICAL, DomainInfo,
  942. "NlGetIncomingPassword: Can't NlSamOpenNamedUser for %ws 0x%lx.\n",
  943. SamAccountName,
  944. Status ));
  945. goto Cleanup;
  946. }
  947. }
  948. }
  949. //
  950. // Othewise the account is a SAM user account.
  951. //
  952. } else {
  953. //
  954. // OwfPreviousPassword must be NULL for a SAM account
  955. //
  956. NlAssert( OwfPreviousPassword == NULL );
  957. //
  958. // Ensure the account name has the correct postfix.
  959. //
  960. if ( AllowableAccountControlBits == USER_SERVER_TRUST_ACCOUNT ||
  961. AllowableAccountControlBits == USER_WORKSTATION_TRUST_ACCOUNT ) {
  962. if ( Length <= SSI_ACCOUNT_NAME_POSTFIX_LENGTH ) {
  963. return STATUS_NO_SUCH_USER;
  964. }
  965. if ( _wcsicmp(&AccountName[Length - SSI_ACCOUNT_NAME_POSTFIX_LENGTH],
  966. SSI_ACCOUNT_NAME_POSTFIX) != 0 ) {
  967. return STATUS_NO_SUCH_USER;
  968. }
  969. }
  970. //
  971. // Open the user account.
  972. //
  973. Status = NlSamOpenNamedUser( DomainInfo, AccountName, &UserHandle, AccountRid, &UserAllInfo );
  974. if (!NT_SUCCESS(Status)) {
  975. NlPrintDom((NL_CRITICAL, DomainInfo,
  976. "NlGetIncomingPassword: Can't NlSamOpenNamedUser for %ws 0x%lx.\n",
  977. AccountName,
  978. Status ));
  979. goto Cleanup;
  980. }
  981. //
  982. // Ensure the Account type matches the account type on the account.
  983. //
  984. if ( (UserAllInfo->All.UserAccountControl &
  985. USER_ACCOUNT_TYPE_MASK &
  986. AllowableAccountControlBits ) == 0 ) {
  987. NlPrintDom((NL_CRITICAL, DomainInfo,
  988. "NlGetIncomingPassword: Invalid account type (%x) instead of %x for %ws\n",
  989. UserAllInfo->All.UserAccountControl & USER_ACCOUNT_TYPE_MASK,
  990. AllowableAccountControlBits,
  991. AccountName ));
  992. Status = STATUS_NO_SUCH_USER;
  993. goto Cleanup;
  994. }
  995. //
  996. // Check if the account is disabled.
  997. //
  998. if ( CheckAccountDisabled ) {
  999. if ( UserAllInfo->All.UserAccountControl & USER_ACCOUNT_DISABLED ) {
  1000. NlPrintDom((NL_CRITICAL, DomainInfo,
  1001. "NlGetIncomingPassword: %ws account is disabled\n",
  1002. AccountName ));
  1003. Status = STATUS_NO_SUCH_USER;
  1004. goto Cleanup;
  1005. }
  1006. }
  1007. //
  1008. // Return the password if the caller wants it.
  1009. //
  1010. if ( OwfPassword != NULL ) {
  1011. //
  1012. // Use the NT OWF Password,
  1013. //
  1014. if ( UserAllInfo->All.NtPasswordPresent &&
  1015. UserAllInfo->All.NtOwfPassword.Length == sizeof(*OwfPassword) ) {
  1016. RtlCopyMemory( OwfPassword,
  1017. UserAllInfo->All.NtOwfPassword.Buffer,
  1018. sizeof(*OwfPassword) );
  1019. PasswordFound = TRUE;
  1020. // Allow for the case that the account has no password at all.
  1021. } else if ( UserAllInfo->All.LmPasswordPresent ) {
  1022. NlPrint((NL_CRITICAL,
  1023. "NlGetIncomingPassword: No NT Password for %ws\n",
  1024. AccountName ));
  1025. Status = STATUS_ACCESS_DENIED;
  1026. goto Cleanup;
  1027. }
  1028. //
  1029. // Update the last time this account was used.
  1030. //
  1031. {
  1032. SAMPR_USER_INFO_BUFFER UserInfo;
  1033. NTSTATUS LogonStatus;
  1034. UserInfo.Internal2.StatisticsToApply = USER_LOGON_NET_SUCCESS_LOGON;
  1035. LogonStatus = SamrSetInformationUser(
  1036. UserHandle,
  1037. UserInternal2Information,
  1038. &UserInfo );
  1039. if ( !NT_SUCCESS(LogonStatus)) {
  1040. NlPrint((NL_CRITICAL,
  1041. "NlGetIncomingPassword: Cannot set last logon time %ws %lx\n",
  1042. AccountName,
  1043. LogonStatus ));
  1044. }
  1045. }
  1046. }
  1047. }
  1048. //
  1049. // If no password exists on the account,
  1050. // return a blank password.
  1051. //
  1052. if ( !PasswordFound && OwfPassword != NULL ) {
  1053. UNICODE_STRING TempUnicodeString;
  1054. RtlInitUnicodeString(&TempUnicodeString, NULL);
  1055. Status = RtlCalculateNtOwfPassword(&TempUnicodeString,
  1056. OwfPassword);
  1057. if ( !NT_SUCCESS(Status) ) {
  1058. NlPrintDom((NL_CRITICAL, DomainInfo,
  1059. "NlGetIncomingPassword: %ws: cannot RtlCalculateNtOwfPassword (NULL) 0x%lx\n",
  1060. AccountName,
  1061. Status ));
  1062. goto Cleanup;
  1063. }
  1064. }
  1065. //
  1066. // If no previous password exists on the account,
  1067. // return the current password.
  1068. //
  1069. if ( !PreviousPasswordFound && OwfPreviousPassword != NULL ) {
  1070. //
  1071. // If OwfPreviousPassword is not NULL, OwfPassword must not be NULL either.
  1072. //
  1073. NlAssert( OwfPassword != NULL );
  1074. //
  1075. // If previous password is not found, return the current one instead.
  1076. //
  1077. *OwfPreviousPassword = *OwfPassword;
  1078. }
  1079. Status = STATUS_SUCCESS;
  1080. //
  1081. // Free locally used resources.
  1082. //
  1083. Cleanup:
  1084. if ( UserAllInfo != NULL ) {
  1085. SamIFree_SAMPR_USER_INFO_BUFFER( UserAllInfo,
  1086. UserAllInformation);
  1087. }
  1088. if ( UserHandle != NULL ) {
  1089. SamrCloseHandle( &UserHandle );
  1090. }
  1091. if ( TrustInfo != NULL ) {
  1092. LsaIFree_LSAPR_TRUSTED_DOMAIN_INFO( TrustedDomainFullInformation,
  1093. TrustInfo );
  1094. }
  1095. return Status;
  1096. }
  1097. NTSTATUS
  1098. NlSetIncomingPassword(
  1099. IN PDOMAIN_INFO DomainInfo,
  1100. IN LPWSTR AccountName,
  1101. IN NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType,
  1102. IN PUNICODE_STRING ClearTextPassword OPTIONAL,
  1103. IN DWORD ClearPasswordVersionNumber,
  1104. IN PNT_OWF_PASSWORD OwfPassword OPTIONAL
  1105. )
  1106. /*++
  1107. Routine Description:
  1108. Set the incoming password for the specified AccountName and SecureChannelType.
  1109. At the same time, update the previous password info.
  1110. Arguments:
  1111. DomainInfo - Emulated domain
  1112. AccountName - Name of the account to set the password on
  1113. SecureChannelType - The type of the account being used.
  1114. ClearTextPassword - The Clear text password for the named account.
  1115. ClearPasswordVersionNumber - The version number of the Clear text password.
  1116. Used only for interdomain trust account. Ignored if ClearTextPassword
  1117. is NULL.
  1118. OwfPassword - The NT OWF of the incoming password for the named
  1119. account. If both the clear text and OWF password are specified,
  1120. the OWF password is ignored.
  1121. Return Value:
  1122. Status of operation.
  1123. --*/
  1124. {
  1125. NTSTATUS Status;
  1126. UNICODE_STRING AccountNameString;
  1127. ULONG Length;
  1128. LSAPR_TRUSTED_DOMAIN_INFO TrustInfo;
  1129. PLSAPR_TRUSTED_DOMAIN_INFO TrustInfoOld = NULL;
  1130. LSAPR_AUTH_INFORMATION CurrentAuthInfo[3], PreviousAuthInfo[3], NoneAuthInfo;
  1131. ULONG iClear, iOWF, iVersion, i;
  1132. DWORD OldVersionNumber = 0;
  1133. //
  1134. // Workstation and BDC secure channels get their outgoing password from
  1135. // an LSA secret.
  1136. //
  1137. switch ( SecureChannelType ) {
  1138. case ServerSecureChannel:
  1139. case WorkstationSecureChannel:
  1140. NlPrint(( NL_SESSION_SETUP, "Setting Password of '%ws' to: ", AccountName ));
  1141. if ( ClearTextPassword != NULL ) {
  1142. NlpDumpBuffer( NL_SESSION_SETUP, ClearTextPassword->Buffer, ClearTextPassword->Length );
  1143. } else if (OwfPassword != NULL ) {
  1144. NlpDumpBuffer( NL_SESSION_SETUP, OwfPassword, sizeof(*OwfPassword) );
  1145. }
  1146. //
  1147. // Set the encrypted password in SAM.
  1148. //
  1149. Status = NlSamChangePasswordNamedUser( DomainInfo,
  1150. AccountName,
  1151. ClearTextPassword,
  1152. OwfPassword );
  1153. if ( !NT_SUCCESS(Status) ) {
  1154. NlPrintDom((NL_CRITICAL, DomainInfo,
  1155. "NlSetIncomingPassword: Cannot change password on local user account %lX\n",
  1156. Status));
  1157. goto Cleanup;
  1158. }
  1159. break;
  1160. //
  1161. // Trusted domain secure channels get their incoming password from the trusted
  1162. // domain object.
  1163. //
  1164. case TrustedDomainSecureChannel:
  1165. case TrustedDnsDomainSecureChannel:
  1166. //
  1167. // If this is a DNS trust account,
  1168. // remove the optional . from the end of the account name.
  1169. //
  1170. RtlInitUnicodeString( &AccountNameString, AccountName );
  1171. Length = AccountNameString.Length / sizeof(WCHAR);
  1172. if ( SecureChannelType == TrustedDnsDomainSecureChannel ) {
  1173. if ( Length != 0 && AccountName[Length-1] == '.' ) {
  1174. AccountNameString.Length -= sizeof(WCHAR);
  1175. }
  1176. //
  1177. // If this is an NT4-style interdomain trust,
  1178. // remove the $ from the end of the account name.
  1179. //
  1180. } else {
  1181. //
  1182. // Ensure the account name has the correct postfix.
  1183. //
  1184. if ( Length <= SSI_ACCOUNT_NAME_POSTFIX_LENGTH ) {
  1185. Status = STATUS_NO_SUCH_USER;
  1186. goto Cleanup;
  1187. }
  1188. if ( _wcsicmp(&AccountName[Length - SSI_ACCOUNT_NAME_POSTFIX_LENGTH],
  1189. SSI_ACCOUNT_NAME_POSTFIX) != 0 ) {
  1190. Status = STATUS_NO_SUCH_USER;
  1191. goto Cleanup;
  1192. }
  1193. AccountNameString.Length -= SSI_ACCOUNT_NAME_POSTFIX_LENGTH*sizeof(WCHAR);
  1194. }
  1195. //
  1196. // First get the current authentication information (that is old as far as
  1197. // the function is concerned) from the LSA.
  1198. //
  1199. Status = LsarQueryTrustedDomainInfoByName(
  1200. DomainInfo->DomLsaPolicyHandle,
  1201. (PLSAPR_UNICODE_STRING) &AccountNameString,
  1202. TrustedDomainAuthInformation,
  1203. &TrustInfoOld );
  1204. if (!NT_SUCCESS(Status)) {
  1205. NlPrintDom((NL_CRITICAL, DomainInfo,
  1206. "NlSetIncomingPassword: %wZ: cannot LsarQueryTrustedDomainInfoByName 0x%lx\n",
  1207. &AccountNameString,
  1208. Status ));
  1209. // if ( !NlpIsNtStatusResourceError( Status )) {
  1210. // Status = STATUS_NO_SUCH_USER;
  1211. // }
  1212. goto Cleanup;
  1213. }
  1214. //
  1215. // Fill in the trust information.
  1216. //
  1217. RtlZeroMemory( &TrustInfo, sizeof(TrustInfo) );
  1218. TrustInfo.TrustedAuthInfo.IncomingAuthInfos = 0;
  1219. TrustInfo.TrustedAuthInfo.IncomingAuthenticationInformation =
  1220. CurrentAuthInfo;
  1221. TrustInfo.TrustedAuthInfo.IncomingPreviousAuthenticationInformation =
  1222. PreviousAuthInfo;
  1223. //
  1224. // Fill in the current and previous authentication information.
  1225. //
  1226. NlQuerySystemTime( &CurrentAuthInfo[0].LastUpdateTime );
  1227. NlPrint(( NL_SESSION_SETUP, "Setting Password of '%ws' to: ", AccountName ));
  1228. if ( ClearTextPassword != NULL ) {
  1229. CurrentAuthInfo[0].AuthType = TRUST_AUTH_TYPE_CLEAR;
  1230. CurrentAuthInfo[0].AuthInfoLength = ClearTextPassword->Length;
  1231. CurrentAuthInfo[0].AuthInfo = (LPBYTE)ClearTextPassword->Buffer;
  1232. NlpDumpBuffer(NL_SESSION_SETUP, ClearTextPassword->Buffer, ClearTextPassword->Length );
  1233. CurrentAuthInfo[1].LastUpdateTime = CurrentAuthInfo[0].LastUpdateTime;
  1234. CurrentAuthInfo[1].AuthType = TRUST_AUTH_TYPE_VERSION;
  1235. CurrentAuthInfo[1].AuthInfoLength = sizeof(ClearPasswordVersionNumber);
  1236. CurrentAuthInfo[1].AuthInfo = (LPBYTE) &ClearPasswordVersionNumber;
  1237. NlPrint(( NL_SESSION_SETUP, "Password Version number is %lu\n",
  1238. ClearPasswordVersionNumber ));
  1239. } else {
  1240. CurrentAuthInfo[0].AuthType = TRUST_AUTH_TYPE_NT4OWF;
  1241. CurrentAuthInfo[0].AuthInfoLength = sizeof(*OwfPassword);
  1242. CurrentAuthInfo[0].AuthInfo = (LPBYTE)OwfPassword;
  1243. NlpDumpBuffer(NL_SESSION_SETUP, OwfPassword, sizeof(*OwfPassword) );
  1244. }
  1245. //
  1246. // The AuthType values of corresponding elements of IncomingAuthenticationInformation and
  1247. // IncomingPreviousAuthenticationInformation arrays must be the same for internal reasons.
  1248. // Thus, use NoneAuthInfo element to fill in missing counterparts in these arrays.
  1249. NoneAuthInfo.LastUpdateTime = CurrentAuthInfo[0].LastUpdateTime;
  1250. NoneAuthInfo.AuthType = TRUST_AUTH_TYPE_NONE;
  1251. NoneAuthInfo.AuthInfoLength = 0;
  1252. NoneAuthInfo.AuthInfo = NULL;
  1253. //
  1254. // Find first Clear and OWF passwords (if any) in the old password info.
  1255. //
  1256. for ( iClear = 0; iClear < TrustInfoOld->TrustedAuthInfo.IncomingAuthInfos; iClear++ ) {
  1257. if ( TrustInfoOld->TrustedAuthInfo.IncomingAuthenticationInformation[iClear].AuthType ==
  1258. TRUST_AUTH_TYPE_CLEAR ) {
  1259. break;
  1260. }
  1261. }
  1262. for ( iVersion = 0; iVersion < TrustInfoOld->TrustedAuthInfo.IncomingAuthInfos; iVersion++ ) {
  1263. if ( TrustInfoOld->TrustedAuthInfo.IncomingAuthenticationInformation[iVersion].AuthType ==
  1264. TRUST_AUTH_TYPE_VERSION &&
  1265. TrustInfoOld->TrustedAuthInfo.IncomingAuthenticationInformation[iVersion].AuthInfoLength ==
  1266. sizeof(OldVersionNumber) ) {
  1267. RtlCopyMemory( &OldVersionNumber,
  1268. TrustInfoOld->TrustedAuthInfo.IncomingAuthenticationInformation[iVersion].AuthInfo,
  1269. sizeof(OldVersionNumber) );
  1270. break;
  1271. }
  1272. }
  1273. for ( iOWF = 0; iOWF < TrustInfoOld->TrustedAuthInfo.IncomingAuthInfos; iOWF++ ) {
  1274. if ( TrustInfoOld->TrustedAuthInfo.IncomingAuthenticationInformation[iOWF].AuthType ==
  1275. TRUST_AUTH_TYPE_NT4OWF ) {
  1276. break;
  1277. }
  1278. }
  1279. //
  1280. // Update previous info using only first Clear and OWF passwords in the current info
  1281. // (that is old as far as this function is concerned). AuthTypes other than Clear,
  1282. // Version, and OWF are going to be lost.
  1283. //
  1284. if (ClearTextPassword != NULL) {
  1285. if (iClear < TrustInfoOld->TrustedAuthInfo.IncomingAuthInfos) {
  1286. PreviousAuthInfo[0] = TrustInfoOld->TrustedAuthInfo.IncomingAuthenticationInformation[iClear];
  1287. } else {
  1288. PreviousAuthInfo[0] = NoneAuthInfo;
  1289. }
  1290. //
  1291. // Preserve the old version number only if it is in accordance with the passed value
  1292. //
  1293. if ( iVersion < TrustInfoOld->TrustedAuthInfo.IncomingAuthInfos &&
  1294. ClearPasswordVersionNumber > 0 &&
  1295. OldVersionNumber == ClearPasswordVersionNumber - 1 ) {
  1296. PreviousAuthInfo[1] = TrustInfoOld->TrustedAuthInfo.IncomingAuthenticationInformation[iVersion];
  1297. } else {
  1298. PreviousAuthInfo[1] = NoneAuthInfo;
  1299. }
  1300. TrustInfo.TrustedAuthInfo.IncomingAuthInfos = 2;
  1301. //
  1302. // If there is a previous OWF password, preserve it
  1303. //
  1304. if (iOWF < TrustInfoOld->TrustedAuthInfo.IncomingAuthInfos) {
  1305. PreviousAuthInfo[2] = TrustInfoOld->TrustedAuthInfo.IncomingAuthenticationInformation[iOWF];
  1306. CurrentAuthInfo[2] = NoneAuthInfo;
  1307. TrustInfo.TrustedAuthInfo.IncomingAuthInfos = 3;
  1308. }
  1309. } else {
  1310. if (iOWF < TrustInfoOld->TrustedAuthInfo.IncomingAuthInfos) {
  1311. PreviousAuthInfo[0] = TrustInfoOld->TrustedAuthInfo.IncomingAuthenticationInformation[iOWF];
  1312. } else {
  1313. PreviousAuthInfo[0] = NoneAuthInfo;
  1314. }
  1315. TrustInfo.TrustedAuthInfo.IncomingAuthInfos = 1;
  1316. //
  1317. // If there is a previous clear text password, preserve it
  1318. //
  1319. if (iClear < TrustInfoOld->TrustedAuthInfo.IncomingAuthInfos) {
  1320. PreviousAuthInfo[1] = TrustInfoOld->TrustedAuthInfo.IncomingAuthenticationInformation[iClear];
  1321. CurrentAuthInfo[1] = NoneAuthInfo;
  1322. TrustInfo.TrustedAuthInfo.IncomingAuthInfos = 2;
  1323. }
  1324. //
  1325. // If there is a previous clear text password version number, preserve it
  1326. //
  1327. if (iVersion < TrustInfoOld->TrustedAuthInfo.IncomingAuthInfos) {
  1328. PreviousAuthInfo[2] = TrustInfoOld->TrustedAuthInfo.IncomingAuthenticationInformation[iVersion];
  1329. CurrentAuthInfo[2] = NoneAuthInfo;
  1330. TrustInfo.TrustedAuthInfo.IncomingAuthInfos = 3;
  1331. }
  1332. }
  1333. for ( i = 0; i < TrustInfo.TrustedAuthInfo.IncomingAuthInfos; i++ ) {
  1334. if ( CurrentAuthInfo[i].AuthType == TRUST_AUTH_TYPE_CLEAR) {
  1335. NlPrint(( NL_SESSION_SETUP, "Current Clear Text Password of '%ws' is: ", AccountName ));
  1336. NlpDumpBuffer(NL_SESSION_SETUP, CurrentAuthInfo[i].AuthInfo, CurrentAuthInfo[i].AuthInfoLength );
  1337. } else if ( CurrentAuthInfo[i].AuthType == TRUST_AUTH_TYPE_VERSION ) {
  1338. NlPrint(( NL_SESSION_SETUP, "Current Clear Password Version Number of '%ws' is: ", AccountName ));
  1339. NlpDumpBuffer(NL_SESSION_SETUP, CurrentAuthInfo[i].AuthInfo, CurrentAuthInfo[i].AuthInfoLength );
  1340. } else if ( CurrentAuthInfo[i].AuthType == TRUST_AUTH_TYPE_NT4OWF) {
  1341. NlPrint(( NL_SESSION_SETUP, "Current OWF Password of '%ws' is: ", AccountName ));
  1342. NlpDumpBuffer(NL_SESSION_SETUP, CurrentAuthInfo[i].AuthInfo, CurrentAuthInfo[i].AuthInfoLength );
  1343. } else if ( CurrentAuthInfo[i].AuthType == TRUST_AUTH_TYPE_NONE) {
  1344. NlPrint(( NL_SESSION_SETUP, "Current Auth Info entry for '%ws' has no type\n", AccountName ));
  1345. }
  1346. if ( PreviousAuthInfo[i].AuthType == TRUST_AUTH_TYPE_CLEAR) {
  1347. NlPrint(( NL_SESSION_SETUP, "Previous Clear Text Password of '%ws' is: ", AccountName ));
  1348. NlpDumpBuffer(NL_SESSION_SETUP, PreviousAuthInfo[i].AuthInfo, PreviousAuthInfo[i].AuthInfoLength );
  1349. } else if ( PreviousAuthInfo[i].AuthType == TRUST_AUTH_TYPE_VERSION ) {
  1350. NlPrint(( NL_SESSION_SETUP, "Previous Clear Password Version Number of '%ws' is: ", AccountName ));
  1351. NlpDumpBuffer(NL_SESSION_SETUP, PreviousAuthInfo[i].AuthInfo, PreviousAuthInfo[i].AuthInfoLength );
  1352. } else if ( PreviousAuthInfo[i].AuthType == TRUST_AUTH_TYPE_NT4OWF) {
  1353. NlPrint(( NL_SESSION_SETUP, "Previous OWF Text Password of '%ws' is: ", AccountName ));
  1354. NlpDumpBuffer(NL_SESSION_SETUP, PreviousAuthInfo[i].AuthInfo, PreviousAuthInfo[i].AuthInfoLength );
  1355. } else if ( PreviousAuthInfo[i].AuthType == TRUST_AUTH_TYPE_NONE) {
  1356. NlPrint(( NL_SESSION_SETUP, "Previous Auth Info entry for '%ws' has no type\n", AccountName ));
  1357. }
  1358. }
  1359. //
  1360. // Set the authentication information in the LSA.
  1361. //
  1362. Status = LsarSetTrustedDomainInfoByName(
  1363. DomainInfo->DomLsaPolicyHandle,
  1364. (PLSAPR_UNICODE_STRING) &AccountNameString,
  1365. TrustedDomainAuthInformation,
  1366. &TrustInfo );
  1367. if (!NT_SUCCESS(Status)) {
  1368. NlPrintDom((NL_CRITICAL, DomainInfo,
  1369. "NlSetIncomingPassword: %wZ: cannot LsarSetTrustedDomainInfoByName 0x%lx\n",
  1370. &AccountNameString,
  1371. Status ));
  1372. goto Cleanup;
  1373. }
  1374. break;
  1375. //
  1376. // We don't support any other secure channel type
  1377. //
  1378. default:
  1379. NlPrintDom((NL_CRITICAL, DomainInfo,
  1380. "NlSetIncomingPassword: %ws: invalid secure channel type: %ld\n",
  1381. AccountName,
  1382. SecureChannelType ));
  1383. Status = STATUS_ACCESS_DENIED;
  1384. goto Cleanup;
  1385. }
  1386. Status = STATUS_SUCCESS;
  1387. //
  1388. // Free locally used resources.
  1389. //
  1390. Cleanup:
  1391. if ( TrustInfoOld != NULL ) {
  1392. LsaIFree_LSAPR_TRUSTED_DOMAIN_INFO( TrustedDomainAuthInformation,
  1393. TrustInfoOld );
  1394. }
  1395. return Status;
  1396. }
  1397. BOOLEAN
  1398. NlTimeToRediscover(
  1399. IN PCLIENT_SESSION ClientSession,
  1400. BOOLEAN WithAccount
  1401. )
  1402. /*++
  1403. Routine Description:
  1404. Determine if it is time to rediscover this Client Session.
  1405. If a session setup failure happens to a discovered DC,
  1406. rediscover the DC if the discovery happened a long time ago (more than 5 minutes).
  1407. Arguments:
  1408. ClientSession - Structure used to define the session.
  1409. WithAccount - If TRUE, the caller is going to attempt the discovery "with account".
  1410. Return Value:
  1411. TRUE -- iff it is time to re-discover
  1412. --*/
  1413. {
  1414. BOOLEAN ReturnBoolean;
  1415. EnterCriticalSection( &NlGlobalDcDiscoveryCritSect );
  1416. //
  1417. // If the last discovery was longer than 5 minutes ago,
  1418. // it's fine to rediscover regardless of the rediscovery
  1419. // type (with or without account)
  1420. //
  1421. ReturnBoolean = NetpLogonTimeHasElapsed(
  1422. ClientSession->CsLastDiscoveryTime,
  1423. MAX_DC_REAUTHENTICATION_WAIT );
  1424. //
  1425. // If it turns out that the last rediscovery was recent but
  1426. // the caller is going to attempt the discovery "with account"
  1427. // perhaps the last rediscovery with account wasn't recent
  1428. //
  1429. if ( !ReturnBoolean && WithAccount ) {
  1430. ReturnBoolean = NetpLogonTimeHasElapsed(
  1431. ClientSession->CsLastDiscoveryWithAccountTime,
  1432. MAX_DC_REAUTHENTICATION_WAIT );
  1433. }
  1434. LeaveCriticalSection( &NlGlobalDcDiscoveryCritSect );
  1435. return ReturnBoolean;
  1436. }
  1437. NET_API_STATUS
  1438. NlCacheJoinDomainControllerInfo(
  1439. VOID
  1440. )
  1441. /*++
  1442. Routine Description:
  1443. This function reads from the registry and caches the DC information
  1444. that was previously written by the join process. This DC is bound
  1445. to have the correct password for this machine. If no info is
  1446. available in the registry, no action needs to be taken.
  1447. The join DC info is cached in the DsGetDcName cache. Netlogon will
  1448. then discover this DC and will set up a secure channel to it. Caching
  1449. the DC info in the DsGetDcName cache will ensure that not only Netlogon
  1450. but every other process will consistently talk to this DC.
  1451. Arguments:
  1452. None.
  1453. Return Value:
  1454. NO_ERROR - The DC info (if any) was read and the client session
  1455. strusture was successfully set.
  1456. Otherwise, some error occured during this operation.
  1457. --*/
  1458. {
  1459. ULONG WinError = ERROR_SUCCESS; // Registry reading errors
  1460. NET_API_STATUS NetStatus = NO_ERROR; // Netlogon API return codes
  1461. HKEY hJoinKey = NULL;
  1462. ULONG BytesRead = 0;
  1463. ULONG Type;
  1464. DWORD KerberosIsDone = 0;
  1465. LPWSTR DcName = NULL;
  1466. ULONG DcFlags = 0;
  1467. PDOMAIN_INFO DomainInfo = NULL;
  1468. PCLIENT_SESSION ClientSession = NULL;
  1469. PNL_DC_CACHE_ENTRY DcCacheEntry = NULL;
  1470. //
  1471. // Caching the join DC info is needed only for workstations
  1472. //
  1473. if ( !NlGlobalMemberWorkstation ) {
  1474. return NO_ERROR;
  1475. }
  1476. //
  1477. // Open the registry key
  1478. //
  1479. WinError = RegOpenKey( HKEY_LOCAL_MACHINE,
  1480. NETSETUPP_NETLOGON_JD_NAME,
  1481. &hJoinKey );
  1482. if ( WinError != ERROR_SUCCESS) {
  1483. goto Cleanup;
  1484. }
  1485. //
  1486. // Read DC name
  1487. //
  1488. WinError = RegQueryValueEx( hJoinKey,
  1489. NETSETUPP_NETLOGON_JD_DC,
  1490. 0,
  1491. &Type,
  1492. NULL,
  1493. &BytesRead);
  1494. if ( WinError != ERROR_SUCCESS ) {
  1495. goto Cleanup;
  1496. } else if ( Type != REG_SZ ) {
  1497. WinError = ERROR_DATATYPE_MISMATCH;
  1498. goto Cleanup;
  1499. }
  1500. DcName = LocalAlloc( LMEM_ZEROINIT, BytesRead );
  1501. if ( DcName == NULL ) {
  1502. WinError = ERROR_NOT_ENOUGH_MEMORY;
  1503. goto Cleanup;
  1504. }
  1505. WinError = RegQueryValueEx( hJoinKey,
  1506. NETSETUPP_NETLOGON_JD_DC,
  1507. 0,
  1508. &Type,
  1509. (PUCHAR) DcName,
  1510. &BytesRead);
  1511. if ( WinError != ERROR_SUCCESS) {
  1512. goto Cleanup;
  1513. }
  1514. //
  1515. // The name should include at least '\\' and one character
  1516. //
  1517. if ( wcslen(DcName) < 3 ) {
  1518. NlPrint(( NL_CRITICAL,
  1519. "NlCacheJoinDomainControllerInfo: DcName is too short.\n" ));
  1520. WinError = ERROR_DATATYPE_MISMATCH;
  1521. goto Cleanup;
  1522. }
  1523. //
  1524. // Read Flags
  1525. //
  1526. WinError = RegQueryValueEx( hJoinKey,
  1527. NETSETUPP_NETLOGON_JD_F,
  1528. 0,
  1529. &Type,
  1530. NULL,
  1531. &BytesRead);
  1532. if ( WinError != ERROR_SUCCESS ) {
  1533. goto Cleanup;
  1534. } else if ( Type != REG_DWORD ) {
  1535. WinError = ERROR_DATATYPE_MISMATCH;
  1536. goto Cleanup;
  1537. }
  1538. WinError = RegQueryValueEx( hJoinKey,
  1539. NETSETUPP_NETLOGON_JD_F,
  1540. 0,
  1541. &Type,
  1542. (PUCHAR)&DcFlags,
  1543. &BytesRead);
  1544. if ( WinError != ERROR_SUCCESS) {
  1545. goto Cleanup;
  1546. }
  1547. //
  1548. // If we've made it up to this point, the registry was successfully read
  1549. //
  1550. WinError = ERROR_SUCCESS;
  1551. NlPrint(( NL_INIT, "Join DC: %ws, Flags: 0x%lx\n", DcName, DcFlags ));
  1552. //
  1553. // If this is not NT5 DC, avoid caching it since it's a PDC.
  1554. // We don't want to overload the PDC by having all clients
  1555. // talking to it after they join the domain. We will just
  1556. // delete the reg key here because Kerberos won't use NT4 DC
  1557. // anyway.
  1558. //
  1559. if ( (DcFlags & DS_DS_FLAG) == 0 ) {
  1560. ULONG WinErrorTmp = ERROR_SUCCESS;
  1561. HKEY hJoinKeyTmp = NULL;
  1562. NlPrint(( NL_INIT, "NlCacheJoinDomainControllerInfo: Join DC is not NT5, deleting it\n" ));
  1563. WinErrorTmp = RegOpenKeyEx( HKEY_LOCAL_MACHINE,
  1564. NETSETUPP_NETLOGON_JD_PATH,
  1565. 0,
  1566. KEY_ALL_ACCESS,
  1567. &hJoinKeyTmp );
  1568. if ( WinErrorTmp == ERROR_SUCCESS ) {
  1569. WinErrorTmp = RegDeleteKey( hJoinKeyTmp,
  1570. NETSETUPP_NETLOGON_JD );
  1571. if ( WinErrorTmp != ERROR_SUCCESS ) {
  1572. NlPrint(( NL_CRITICAL,
  1573. "NlCacheJoinDomainControllerInfo: Couldn't deleted JoinDomain 0x%lx\n",
  1574. WinErrorTmp ));
  1575. }
  1576. RegCloseKey( hJoinKeyTmp );
  1577. } else {
  1578. NlPrint(( NL_CRITICAL,
  1579. "NlCacheJoinDomainControllerInfo: RegOpenKeyEx failed 0x%lx\n",
  1580. WinErrorTmp ));
  1581. }
  1582. //
  1583. // Treat this as error
  1584. //
  1585. NetStatus = ERROR_INVALID_DATA;
  1586. goto Cleanup;
  1587. }
  1588. //
  1589. // Now get the client session to the primary domain
  1590. //
  1591. DomainInfo = NlFindNetbiosDomain( NULL, TRUE ); // Primary domain
  1592. if ( DomainInfo == NULL ) {
  1593. NlPrint(( NL_CRITICAL,
  1594. "NlCacheJoinDomainControllerInfo: Cannot NlFindNetbiosDomain\n" ));
  1595. NetStatus = ERROR_NO_SUCH_DOMAIN;
  1596. goto Cleanup;
  1597. }
  1598. ClientSession = NlRefDomClientSession( DomainInfo );
  1599. if ( ClientSession == NULL ) {
  1600. NlPrint(( NL_CRITICAL,
  1601. "NlCacheJoinDomainControllerInfo: Cannot NlRefDomClientSession\n" ));
  1602. NetStatus = ERROR_NO_SUCH_DOMAIN;
  1603. goto Cleanup;
  1604. }
  1605. //
  1606. // If we are started after a domain join,
  1607. // the browser has been notified about the
  1608. // domain rename by a change log worker.
  1609. // Wait until the change log worker exits.
  1610. // Otherwise, the browser will reject the
  1611. // datagram send when we pass the new emulated
  1612. // domain name.
  1613. //
  1614. NlWaitForChangeLogBrowserNotify();
  1615. //
  1616. // Finally ping the DC given this info. Cache the response.
  1617. //
  1618. NetStatus = NlPingDcName( ClientSession,
  1619. (DcFlags & DS_DNS_CONTROLLER_FLAG) ?
  1620. DS_PING_DNS_HOST :
  1621. DS_PING_NETBIOS_HOST,
  1622. TRUE, // Cache this DC
  1623. FALSE, // Do not require IP
  1624. TRUE, // Ensure the DC has our account
  1625. FALSE, // Do not refresh the session
  1626. DcName+2, // Skip '\\' in the name
  1627. &DcCacheEntry );
  1628. if ( NetStatus == NO_ERROR ) {
  1629. NlPrint(( NL_INIT, "Join DC cached successfully\n" ));
  1630. //
  1631. // Also set the site name
  1632. //
  1633. if ( DcCacheEntry->UnicodeClientSiteName != NULL ) {
  1634. NlSetDynamicSiteName( DcCacheEntry->UnicodeClientSiteName );
  1635. }
  1636. } else {
  1637. NlPrint(( NL_CRITICAL, "Failed to cache join DC: 0x%lx\n", NetStatus ));
  1638. }
  1639. Cleanup:
  1640. //
  1641. // Free up locally used resources
  1642. //
  1643. if ( DcName != NULL ) {
  1644. LocalFree( DcName );
  1645. }
  1646. if ( DcCacheEntry != NULL ) {
  1647. NetpDcDerefCacheEntry( DcCacheEntry );
  1648. }
  1649. if ( hJoinKey != NULL ) {
  1650. RegCloseKey( hJoinKey );
  1651. }
  1652. if ( ClientSession != NULL ) {
  1653. NlUnrefClientSession( ClientSession );
  1654. }
  1655. if ( DomainInfo != NULL ) {
  1656. NlDereferenceDomain( DomainInfo );
  1657. }
  1658. //
  1659. // If everything is successful return NO_ERROR.
  1660. // Otherwise, if Netlogon API failed, return its error code.
  1661. // Otherwise, return registry reading error.
  1662. //
  1663. if ( WinError == ERROR_SUCCESS && NetStatus == NO_ERROR ) {
  1664. return NO_ERROR;
  1665. } else if ( NetStatus != NO_ERROR ) {
  1666. return NetStatus;
  1667. } else {
  1668. return WinError;
  1669. }
  1670. }
  1671. NTSTATUS
  1672. NlGetPasswordFromPdc(
  1673. IN PDOMAIN_INFO DomainInfo,
  1674. IN LPWSTR AccountName,
  1675. IN NETLOGON_SECURE_CHANNEL_TYPE AccountType,
  1676. OUT PNT_OWF_PASSWORD NtOwfPassword
  1677. )
  1678. /*++
  1679. Routine Description:
  1680. This function is used to by a BDC to get a machine account password
  1681. from the PDC in the doamin.
  1682. Arguments:
  1683. DomainInfo - Identifies the domain the account is in.
  1684. AccountName -- Name of the account to get the password for.
  1685. AccountType -- The type of account being accessed.
  1686. EncryptedNtOwfPassword -- Returns the OWF password of the account.
  1687. Return Value:
  1688. NT status code.
  1689. --*/
  1690. {
  1691. NTSTATUS Status;
  1692. NETLOGON_AUTHENTICATOR OurAuthenticator;
  1693. NETLOGON_AUTHENTICATOR ReturnAuthenticator;
  1694. PCLIENT_SESSION ClientSession = NULL;
  1695. SESSION_INFO SessionInfo;
  1696. BOOLEAN FirstTry = TRUE;
  1697. BOOLEAN AmWriter = FALSE;
  1698. ENCRYPTED_LM_OWF_PASSWORD SessKeyEncrPassword;
  1699. NlPrintDom((NL_SESSION_SETUP, DomainInfo,
  1700. "NlGetPasswordFromPdc: Getting password for %ws from PDC.\n",
  1701. AccountName ));
  1702. //
  1703. // Reference the client session.
  1704. //
  1705. ClientSession = NlRefDomClientSession( DomainInfo );
  1706. if ( ClientSession == NULL ) {
  1707. NlPrintDom((NL_CRITICAL, DomainInfo,
  1708. "NlGetPasswordFromPdc: This BDC has no client session with the PDC.\n"));
  1709. Status = STATUS_NO_LOGON_SERVERS;
  1710. goto Cleanup;
  1711. }
  1712. //
  1713. // Become a Writer of the ClientSession.
  1714. //
  1715. if ( !NlTimeoutSetWriterClientSession( ClientSession, WRITER_WAIT_PERIOD ) ) {
  1716. NlPrintDom((NL_CRITICAL, DomainInfo,
  1717. "NlGetPasswordFromPdc: Can't become writer of client session.\n"));
  1718. Status = STATUS_NO_LOGON_SERVERS;
  1719. goto Cleanup;
  1720. }
  1721. AmWriter = TRUE;
  1722. //
  1723. // If the session isn't authenticated,
  1724. // do so now.
  1725. //
  1726. FirstTryFailed:
  1727. Status = NlEnsureSessionAuthenticated( ClientSession, 0 );
  1728. if ( !NT_SUCCESS(Status) ) {
  1729. goto Cleanup;
  1730. }
  1731. SessionInfo.SessionKey = ClientSession->CsSessionKey;
  1732. // SessionInfo.NegotiatedFlags = ClientSession->CsNegotiatedFlags;
  1733. //
  1734. // Build the Authenticator for this request to the PDC.
  1735. //
  1736. NlBuildAuthenticator(
  1737. &ClientSession->CsAuthenticationSeed,
  1738. &ClientSession->CsSessionKey,
  1739. &OurAuthenticator);
  1740. //
  1741. // Get the password from the PDC
  1742. //
  1743. NL_API_START( Status, ClientSession, TRUE ) {
  1744. NlAssert( ClientSession->CsUncServerName != NULL );
  1745. Status = I_NetServerPasswordGet( ClientSession->CsUncServerName,
  1746. AccountName,
  1747. AccountType,
  1748. ClientSession->CsDomainInfo->DomUnicodeComputerNameString.Buffer,
  1749. &OurAuthenticator,
  1750. &ReturnAuthenticator,
  1751. &SessKeyEncrPassword);
  1752. // NOTE: This call may drop the secure channel behind our back
  1753. } NL_API_ELSE( Status, ClientSession, TRUE ) {
  1754. } NL_API_END;
  1755. //
  1756. // Now verify primary's authenticator and update our seed
  1757. //
  1758. if ( Status == STATUS_ACCESS_DENIED ||
  1759. !NlUpdateSeed( &ClientSession->CsAuthenticationSeed,
  1760. &ReturnAuthenticator.Credential,
  1761. &ClientSession->CsSessionKey) ) {
  1762. NlPrintCs(( NL_CRITICAL, ClientSession,
  1763. "NlGetPasswordFromPdc: denying access after status: 0x%lx\n",
  1764. Status ));
  1765. //
  1766. // Preserve any status indicating a communication error.
  1767. //
  1768. if ( NT_SUCCESS(Status) ) {
  1769. Status = STATUS_ACCESS_DENIED;
  1770. }
  1771. NlSetStatusClientSession( ClientSession, Status );
  1772. //
  1773. // Perhaps the netlogon service on the server has just restarted.
  1774. // Try just once to set up a session to the server again.
  1775. //
  1776. if ( FirstTry ) {
  1777. FirstTry = FALSE;
  1778. goto FirstTryFailed;
  1779. }
  1780. }
  1781. if ( !NT_SUCCESS(Status) ) {
  1782. goto Cleanup;
  1783. }
  1784. //
  1785. // Decrypt the password returned from the PDC.
  1786. //
  1787. Status = RtlDecryptNtOwfPwdWithNtOwfPwd(
  1788. &SessKeyEncrPassword,
  1789. (PNT_OWF_PASSWORD) &SessionInfo.SessionKey,
  1790. NtOwfPassword );
  1791. NlAssert( NT_SUCCESS(Status) );
  1792. //
  1793. // Common exit
  1794. //
  1795. Cleanup:
  1796. if ( ClientSession != NULL ) {
  1797. if ( AmWriter ) {
  1798. NlResetWriterClientSession( ClientSession );
  1799. }
  1800. NlUnrefClientSession( ClientSession );
  1801. }
  1802. if ( !NT_SUCCESS(Status) ) {
  1803. NlPrintDom((NL_CRITICAL, DomainInfo,
  1804. "NlGetPasswordFromPdc: %ws: failed %lX\n",
  1805. AccountName,
  1806. Status));
  1807. }
  1808. return Status;
  1809. }
  1810. NTSTATUS
  1811. NlSessionSetup(
  1812. IN OUT PCLIENT_SESSION ClientSession
  1813. )
  1814. /*++
  1815. Routine Description:
  1816. Verify that the requestor (this machine) has a valid account at
  1817. Primary Domain Controller (primary). The authentication
  1818. is done via an elaborate protocol. This routine will be
  1819. used only when NETLOGON service starts with role != primary.
  1820. The requestor (i.e. this machine) will generate a challenge
  1821. and send it to the Primary Domain Controller and will receive
  1822. a challenge from the primary in response. Now we will compute
  1823. credentials using primary's challenge and send it across and
  1824. wait for credentials, computed at primary using our initial
  1825. challenge, to be returned by PDC. Before computing credentials
  1826. a sessionkey will be built which uniquely identifies this
  1827. session and it will be returned to caller for future use.
  1828. If both machines authenticate then they keep the
  1829. ClientCredential and the session key for future use.
  1830. ?? If multiple domains are supported on a single DC, what mechanism
  1831. do I use to short circuit discovery? What mechanism do I use to short
  1832. circuit API calls (e.g., pass through authentication) to a DC in that
  1833. domain? Do Ihave to worry about lock contention across such API calls?
  1834. Can I avoid authentication/encryption acress such a secure channel?
  1835. Arguments:
  1836. ClientSession - Structure used to define the session.
  1837. On Input the following fields must be set:
  1838. CsState
  1839. CsNetbiosDomainName
  1840. CsUncServerName (May be NULL string depending on SecureChannelType)
  1841. CsAccountName
  1842. CsSecureChannelType
  1843. The caller must be a writer of the ClientSession.
  1844. On Output, the following fields will be set
  1845. CsConnectionStatus
  1846. CsState
  1847. CsSessionKey
  1848. CsAuthenticationSeed
  1849. Return Value:
  1850. Status of operation.
  1851. --*/
  1852. {
  1853. NTSTATUS Status;
  1854. NETLOGON_CREDENTIAL ServerChallenge;
  1855. NETLOGON_CREDENTIAL ClientChallenge;
  1856. NETLOGON_CREDENTIAL ComputedServerCredential;
  1857. NETLOGON_CREDENTIAL ReturnedServerCredential;
  1858. BOOLEAN WeDidDiscovery = FALSE;
  1859. BOOLEAN WeDidDiscoveryWithAccount = FALSE;
  1860. BOOLEAN ErrorFromDiscoveredServer = FALSE;
  1861. BOOLEAN SignOrSealError = FALSE;
  1862. BOOLEAN GotNonDsDc = FALSE;
  1863. BOOLEAN DomainDowngraded = FALSE;
  1864. NT_OWF_PASSWORD NtOwfPassword;
  1865. DWORD NegotiatedFlags;
  1866. PUNICODE_STRING NewPassword = NULL;
  1867. PUNICODE_STRING OldPassword = NULL;
  1868. LARGE_INTEGER PasswordChangeTime;
  1869. NT_OWF_PASSWORD NewOwfPassword;
  1870. PNT_OWF_PASSWORD PNewOwfPassword = NULL;
  1871. NT_OWF_PASSWORD OldOwfPassword;
  1872. PNT_OWF_PASSWORD POldOwfPassword = NULL;
  1873. NT_OWF_PASSWORD PdcOwfPassword;
  1874. ULONG i;
  1875. ULONG KeyStrength;
  1876. DWORD DummyPasswordVersionNumber;
  1877. //
  1878. // Used to indicate whether the current or the old password is being
  1879. // tried to access the DC.
  1880. // 0: implies the current password
  1881. // 1: implies the old password
  1882. // 2: implies both failed
  1883. //
  1884. DWORD State;
  1885. //
  1886. // Ensure we're a writer.
  1887. //
  1888. NlAssert( ClientSession->CsReferenceCount > 0 );
  1889. NlAssert( ClientSession->CsFlags & CS_WRITER );
  1890. NlPrintCs((NL_SESSION_SETUP, ClientSession,
  1891. "NlSessionSetup: Try Session setup\n" ));
  1892. //
  1893. // Start the WMI trace of secure channel setup
  1894. //
  1895. NlpTraceEvent( EVENT_TRACE_TYPE_START, NlpGuidSecureChannelSetup );
  1896. //
  1897. // If we're free to pick the DC which services our request,
  1898. // do so.
  1899. //
  1900. // Apparently there was a problem with the previously chosen DC
  1901. // so we pick again here. (There is a chance we'll pick the same server.)
  1902. //
  1903. NlPrint(( NL_SESSION_MORE, "NlSessionSetup: ClientSession->CsState = 0x%lx\n",
  1904. ClientSession->CsState));
  1905. if ( ClientSession->CsState == CS_IDLE ) {
  1906. NlAssert( ClientSession->CsUncServerName == NULL );
  1907. WeDidDiscovery = TRUE;
  1908. //
  1909. // Pick the name of a DC in the domain.
  1910. //
  1911. // On the first try do not specify the account in
  1912. // the discovery attempt as discoveries with account
  1913. // are much more costly than plain discoveries on the
  1914. // server side. If we fail session setup because the
  1915. // discovered server doesn't have our account, we will
  1916. // retry the discovery with account below.
  1917. //
  1918. Status = NlDiscoverDc( ClientSession,
  1919. DT_Synchronous,
  1920. FALSE,
  1921. FALSE ) ; // without account
  1922. if ( !NT_SUCCESS(Status) ) {
  1923. NlPrintCs((NL_CRITICAL, ClientSession,
  1924. "NlSessionSetup: Session setup: cannot pick trusted DC\n" ));
  1925. goto Cleanup;
  1926. }
  1927. }
  1928. NlAssert( ClientSession->CsState != CS_IDLE );
  1929. FirstTryFailed:
  1930. //
  1931. // If this is a workstation in an NT5 domain, we should not use NT4 DC.
  1932. // Indeed, Negotiate will not use an NT4 DC in a mixed mode domain to
  1933. // prevent a downgrade attack.
  1934. //
  1935. if ( NlGlobalMemberWorkstation &&
  1936. (ClientSession->CsDiscoveryFlags & CS_DISCOVERY_HAS_DS) == 0 &&
  1937. (ClientSession->CsFlags & CS_NT5_DOMAIN_TRUST) != 0 ) {
  1938. NET_API_STATUS NetStatus;
  1939. PDOMAIN_CONTROLLER_INFOW DomainControllerInfo = NULL;
  1940. GotNonDsDc = TRUE;
  1941. NlPrintCs(( NL_CRITICAL, ClientSession, "NlSessionSetup: Only downlevel DC available\n" ));
  1942. //
  1943. // Determine whether the domain has been downgraded (just to warn
  1944. // the user). To determine this, try to discover a PDC and if the
  1945. // PDC is available and it is NT4, the domain has been indeed
  1946. // downgraded. In such case, this workstation should rejoin the
  1947. // domain.
  1948. //
  1949. NetStatus = DsrGetDcNameEx2( NULL,
  1950. NULL,
  1951. 0,
  1952. NULL,
  1953. NULL,
  1954. NULL,
  1955. DS_PDC_REQUIRED | DS_FORCE_REDISCOVERY,
  1956. &DomainControllerInfo );
  1957. if ( NetStatus == NO_ERROR &&
  1958. (DomainControllerInfo->Flags & DS_DS_FLAG) == 0 ) {
  1959. DomainDowngraded = TRUE; // Domain has been downgraded (rejoin needed)
  1960. NlPrintCs(( NL_CRITICAL, ClientSession,
  1961. "NlSessionSetup: NT5 domain has been downgraded.\n" ));
  1962. }
  1963. if ( DomainControllerInfo != NULL ) {
  1964. NetApiBufferFree( DomainControllerInfo );
  1965. }
  1966. Status = STATUS_NO_LOGON_SERVERS;
  1967. ErrorFromDiscoveredServer = TRUE;
  1968. goto Cleanup;
  1969. }
  1970. //
  1971. // Prepare our challenge
  1972. //
  1973. NlComputeChallenge( &ClientChallenge );
  1974. NlPrint((NL_CHALLENGE_RES,"NlSessionSetup: ClientChallenge = " ));
  1975. NlpDumpBuffer(NL_CHALLENGE_RES, &ClientChallenge, sizeof(ClientChallenge) );
  1976. //
  1977. // Get the Password of the account from LSA secret storage
  1978. //
  1979. Status = NlGetOutgoingPassword( ClientSession,
  1980. &NewPassword,
  1981. &OldPassword,
  1982. &DummyPasswordVersionNumber,
  1983. &PasswordChangeTime );
  1984. if ( !NT_SUCCESS( Status ) ) {
  1985. NlPrintCs((NL_CRITICAL, ClientSession,
  1986. "NlSessionSetup: cannot NlGetOutgoingPassword 0x%lx\n",
  1987. Status ));
  1988. //
  1989. // return more appropriate error.
  1990. //
  1991. if ( !NlpIsNtStatusResourceError( Status )) {
  1992. Status = STATUS_NO_TRUST_LSA_SECRET;
  1993. }
  1994. goto Cleanup;
  1995. }
  1996. //
  1997. // Try setting up a secure channel first using the CurrentPassword.
  1998. // If that fails, try using the OldPassword
  1999. // If that fails, for interdomain trusts, try the password from our PDC
  2000. //
  2001. for ( State = 0; ; State++ ) {
  2002. //
  2003. // Use the right password for this iteration
  2004. //
  2005. if ( State == 0 ) {
  2006. //
  2007. // If the new password isn't present in the LSA,
  2008. // just ignore it.
  2009. //
  2010. if ( NewPassword == NULL ) {
  2011. continue;
  2012. }
  2013. //
  2014. // Compute the NT OWF password
  2015. //
  2016. Status = RtlCalculateNtOwfPassword( NewPassword,
  2017. &NewOwfPassword );
  2018. if ( !NT_SUCCESS( Status ) ) {
  2019. //
  2020. // return more appropriate error.
  2021. //
  2022. if ( !NlpIsNtStatusResourceError( Status )) {
  2023. Status = STATUS_NO_TRUST_LSA_SECRET;
  2024. }
  2025. goto Cleanup;
  2026. }
  2027. //
  2028. // Try this password
  2029. //
  2030. PNewOwfPassword = &NewOwfPassword;
  2031. NtOwfPassword = NewOwfPassword;
  2032. NlPrint((NL_CHALLENGE_RES,"NlSessionSetup: Clear New Password = " ));
  2033. NlpDumpBuffer(NL_CHALLENGE_RES, NewPassword->Buffer, NewPassword->Length );
  2034. NlpDumpTime( NL_CHALLENGE_RES, "NlSessionSetup: Password Changed: ", PasswordChangeTime );
  2035. //
  2036. // On the second iteration, use the old password
  2037. //
  2038. } else if ( State == 1 ) {
  2039. //
  2040. // If the old password isn't present in the LSA,
  2041. // just ignore it.
  2042. //
  2043. if ( OldPassword == NULL ) {
  2044. continue;
  2045. }
  2046. //
  2047. // Check if the old password is the same as the new one
  2048. //
  2049. if ( NewPassword != NULL && OldPassword != NULL &&
  2050. NewPassword->Length == OldPassword->Length &&
  2051. RtlEqualMemory( NewPassword->Buffer,
  2052. OldPassword->Buffer,
  2053. OldPassword->Length ) ) {
  2054. NlPrintCs((NL_CRITICAL, ClientSession,
  2055. "NlSessionSetup: new password is bad. Old password is same as new password.\n" ));
  2056. continue; // Try the password from our PDC
  2057. }
  2058. //
  2059. // Compute the NT OWF password
  2060. //
  2061. Status = RtlCalculateNtOwfPassword( OldPassword,
  2062. &OldOwfPassword );
  2063. if ( !NT_SUCCESS( Status ) ) {
  2064. //
  2065. // return more appropriate error.
  2066. //
  2067. if ( !NlpIsNtStatusResourceError( Status )) {
  2068. Status = STATUS_NO_TRUST_LSA_SECRET;
  2069. }
  2070. goto Cleanup;
  2071. }
  2072. //
  2073. // Try this password
  2074. //
  2075. POldOwfPassword = &OldOwfPassword;
  2076. NtOwfPassword = OldOwfPassword;
  2077. NlPrintCs((NL_CRITICAL, ClientSession,
  2078. "NlSessionSetup: new password is bad, try old one\n" ));
  2079. NlPrint((NL_CHALLENGE_RES,"NlSessionSetup: Clear Old Password = " ));
  2080. NlpDumpBuffer(NL_CHALLENGE_RES, OldPassword->Buffer, OldPassword->Length );
  2081. NlpDumpTime( NL_CHALLENGE_RES, "NlSessionSetup: Password Changed: ", PasswordChangeTime );
  2082. //
  2083. // On the third iteration, for an interdomain trust account,
  2084. // use the password from the PDC. We actually think this is
  2085. // useful only for NT4 trusted side that keeps only one
  2086. // password. For NT5 or later, one of the passwords above
  2087. // should work, but ...
  2088. //
  2089. } else if ( State == 2 &&
  2090. ClientSession->CsDomainInfo->DomRole == RoleBackup &&
  2091. IsDomainSecureChannelType(ClientSession->CsSecureChannelType) ) {
  2092. Status = NlGetPasswordFromPdc(
  2093. ClientSession->CsDomainInfo,
  2094. ClientSession->CsAccountName,
  2095. ClientSession->CsSecureChannelType,
  2096. &PdcOwfPassword );
  2097. if ( !NT_SUCCESS(Status) ) {
  2098. NlPrintDom(( NL_CRITICAL, ClientSession->CsDomainInfo,
  2099. "NlSessionSetup: Can't NlGetPasswordFromPdc %ws 0x%lx.\n",
  2100. ClientSession->CsAccountName,
  2101. Status ));
  2102. // Ignore the particular status from the PDC
  2103. Status = STATUS_ACCESS_DENIED;
  2104. goto Cleanup;
  2105. }
  2106. //
  2107. // Check if this password is the same as the new one we have
  2108. //
  2109. if ( PNewOwfPassword != NULL &&
  2110. RtlEqualNtOwfPassword(&PdcOwfPassword, PNewOwfPassword) ) {
  2111. NlPrintCs(( NL_CRITICAL, ClientSession,
  2112. "NlSessionSetup: PDC password is same as new password.\n" ));
  2113. Status = STATUS_ACCESS_DENIED;
  2114. goto Cleanup;
  2115. }
  2116. //
  2117. // Check if this password is the same as the old one we have
  2118. //
  2119. if ( POldOwfPassword != NULL &&
  2120. RtlEqualNtOwfPassword(&PdcOwfPassword, POldOwfPassword) ) {
  2121. NlPrintCs(( NL_CRITICAL, ClientSession,
  2122. "NlSessionSetup: PDC password is same as old password.\n" ));
  2123. Status = STATUS_ACCESS_DENIED;
  2124. goto Cleanup;
  2125. }
  2126. //
  2127. // Try this password
  2128. //
  2129. NtOwfPassword = PdcOwfPassword;
  2130. NlPrintCs((NL_CRITICAL, ClientSession,
  2131. "NlSessionSetup: try password from the PDC\n" ));
  2132. //
  2133. // We tried our best but nothing worked
  2134. //
  2135. } else {
  2136. Status = STATUS_ACCESS_DENIED;
  2137. goto Cleanup;
  2138. }
  2139. NlPrint((NL_CHALLENGE_RES,"NlSessionSetup: Password = " ));
  2140. NlpDumpBuffer(NL_CHALLENGE_RES, &NtOwfPassword, sizeof(NtOwfPassword) );
  2141. //
  2142. // Get the primary's challenge
  2143. //
  2144. NlAssert( ClientSession->CsState != CS_IDLE );
  2145. NL_API_START( Status, ClientSession, TRUE ) {
  2146. NlAssert( ClientSession->CsUncServerName != NULL );
  2147. Status = I_NetServerReqChallenge(ClientSession->CsUncServerName,
  2148. ClientSession->CsDomainInfo->DomUnicodeComputerNameString.Buffer,
  2149. &ClientChallenge,
  2150. &ServerChallenge );
  2151. } NL_API_ELSE ( Status, ClientSession, FALSE ) {
  2152. NlPrintCs((NL_CRITICAL, ClientSession,
  2153. "NlSessionSetup: Session setup: "
  2154. "cannot FinishApiClientSession for I_NetServerReqChallenge 0x%lx\n",
  2155. Status ));
  2156. // Failure here indicates that the discovered server is really slow.
  2157. // Let the "ErrorFromDiscoveredServer" logic do the rediscovery.
  2158. if ( NT_SUCCESS(Status) ) {
  2159. // We're dropping the secure channel so
  2160. // ensure we don't use any successful status from the DC
  2161. Status = STATUS_NO_LOGON_SERVERS;
  2162. }
  2163. ErrorFromDiscoveredServer = TRUE;
  2164. goto Cleanup;
  2165. } NL_API_END;
  2166. if ( !NT_SUCCESS( Status ) ) {
  2167. NlPrintCs((NL_CRITICAL, ClientSession,
  2168. "NlSessionSetup: Session setup: "
  2169. "cannot I_NetServerReqChallenge 0x%lx\n",
  2170. Status ));
  2171. //
  2172. // If access is denied, it might be because we weren't able to
  2173. // authenticate with the new password, try the old password.
  2174. //
  2175. // Between NT 5 machines, we use Kerberos (and the machine account) to
  2176. // authenticate this machine.
  2177. if ( Status == STATUS_ACCESS_DENIED && State == 0 ) {
  2178. continue;
  2179. }
  2180. ErrorFromDiscoveredServer = TRUE;
  2181. goto Cleanup;
  2182. }
  2183. NlPrint((NL_CHALLENGE_RES,"NlSessionSetup: ServerChallenge = " ));
  2184. NlpDumpBuffer(NL_CHALLENGE_RES, &ServerChallenge, sizeof(ServerChallenge) );
  2185. //
  2186. // For NT 5 to NT 5,
  2187. // use a stronger session key.
  2188. //
  2189. if ( (ClientSession->CsDiscoveryFlags & CS_DISCOVERY_HAS_DS) != 0 ||
  2190. NlGlobalParameters.RequireStrongKey ) {
  2191. KeyStrength = NETLOGON_SUPPORTS_STRONG_KEY;
  2192. } else {
  2193. KeyStrength = 0;
  2194. }
  2195. //
  2196. // Actually compute the session key given the two challenges and the
  2197. // password.
  2198. //
  2199. Status = NlMakeSessionKey(
  2200. KeyStrength,
  2201. &NtOwfPassword,
  2202. &ClientChallenge,
  2203. &ServerChallenge,
  2204. &ClientSession->CsSessionKey );
  2205. if ( !NT_SUCCESS( Status ) ) {
  2206. NlPrintCs((NL_CRITICAL, ClientSession,
  2207. "NlSessionSetup: Session setup: cannot NlMakeSessionKey 0x%lx\n",
  2208. Status ));
  2209. goto Cleanup;
  2210. }
  2211. NlPrint((NL_CHALLENGE_RES,"NlSessionSetup: SessionKey = " ));
  2212. NlpDumpBuffer(NL_CHALLENGE_RES, &ClientSession->CsSessionKey, sizeof(ClientSession->CsSessionKey) );
  2213. //
  2214. // Prepare credentials using our challenge.
  2215. //
  2216. NlComputeCredentials( &ClientChallenge,
  2217. &ClientSession->CsAuthenticationSeed,
  2218. &ClientSession->CsSessionKey );
  2219. NlPrint((NL_CHALLENGE_RES,"NlSessionSetup: Authentication Seed = " ));
  2220. NlpDumpBuffer(NL_CHALLENGE_RES, &ClientSession->CsAuthenticationSeed, sizeof(ClientSession->CsAuthenticationSeed) );
  2221. //
  2222. // Send these credentials to primary. The primary will compute
  2223. // credentials using the challenge supplied by us and compare
  2224. // with these. If both match then it will compute credentials
  2225. // using its challenge and return it to us for verification
  2226. //
  2227. NL_API_START( Status, ClientSession, TRUE ) {
  2228. NegotiatedFlags = NETLOGON_SUPPORTS_MASK |
  2229. KeyStrength |
  2230. (NlGlobalParameters.AvoidSamRepl ? NETLOGON_SUPPORTS_AVOID_SAM_REPL : 0) |
  2231. #ifdef ENABLE_AUTH_RPC
  2232. ((NlGlobalParameters.SignSecureChannel||NlGlobalParameters.SealSecureChannel) ? (NETLOGON_SUPPORTS_AUTH_RPC|NETLOGON_SUPPORTS_LSA_AUTH_RPC) : 0) |
  2233. #endif // ENABLE_AUTH_RPC
  2234. (NlGlobalParameters.AvoidLsaRepl ? NETLOGON_SUPPORTS_AVOID_LSA_REPL : 0) |
  2235. (NlGlobalParameters.NeutralizeNt4Emulator ? NETLOGON_SUPPORTS_NT4EMULATOR_NEUTRALIZER : 0);
  2236. NlAssert( ClientSession->CsUncServerName != NULL );
  2237. ClientSession->CsNegotiatedFlags = NegotiatedFlags;
  2238. Status = I_NetServerAuthenticate3( ClientSession->CsUncServerName,
  2239. ClientSession->CsAccountName,
  2240. ClientSession->CsSecureChannelType,
  2241. ClientSession->CsDomainInfo->DomUnicodeComputerNameString.Buffer,
  2242. &ClientSession->CsAuthenticationSeed,
  2243. &ReturnedServerCredential,
  2244. &ClientSession->CsNegotiatedFlags,
  2245. &ClientSession->CsAccountRid );
  2246. //
  2247. // Releases older then NT 5.0 used older authentication API.
  2248. //
  2249. if ( Status == RPC_NT_PROCNUM_OUT_OF_RANGE ) {
  2250. NlPrint((NL_CRITICAL,"NlSessionSetup: Fall back to Authenticate2\n" ));
  2251. ClientSession->CsNegotiatedFlags = NegotiatedFlags;
  2252. ClientSession->CsAccountRid = 0;
  2253. Status = I_NetServerAuthenticate2( ClientSession->CsUncServerName,
  2254. ClientSession->CsAccountName,
  2255. ClientSession->CsSecureChannelType,
  2256. ClientSession->CsDomainInfo->DomUnicodeComputerNameString.Buffer,
  2257. &ClientSession->CsAuthenticationSeed,
  2258. &ReturnedServerCredential,
  2259. &ClientSession->CsNegotiatedFlags );
  2260. if ( Status == RPC_NT_PROCNUM_OUT_OF_RANGE ) {
  2261. ClientSession->CsNegotiatedFlags = 0;
  2262. Status = I_NetServerAuthenticate( ClientSession->CsUncServerName,
  2263. ClientSession->CsAccountName,
  2264. ClientSession->CsSecureChannelType,
  2265. ClientSession->CsDomainInfo->DomUnicodeComputerNameString.Buffer,
  2266. &ClientSession->CsAuthenticationSeed,
  2267. &ReturnedServerCredential );
  2268. }
  2269. }
  2270. } NL_API_ELSE( Status, ClientSession, FALSE ) {
  2271. NlPrintCs((NL_CRITICAL, ClientSession,
  2272. "NlSessionSetup: Session setup: "
  2273. "cannot FinishApiClientSession for I_NetServerAuthenticate 0x%lx\n",
  2274. Status ));
  2275. // Failure here indicates that the discovered server is really slow.
  2276. // Let the "ErrorFromDiscoveredServer" logic do the rediscovery.
  2277. if ( NT_SUCCESS(Status) ) {
  2278. // We're dropping the secure channel so
  2279. // ensure we don't use any successful status from the DC
  2280. Status = STATUS_NO_LOGON_SERVERS;
  2281. }
  2282. ErrorFromDiscoveredServer = TRUE;
  2283. goto Cleanup;
  2284. } NL_API_END;
  2285. if ( !NT_SUCCESS( Status ) ) {
  2286. NlPrintCs((NL_CRITICAL, ClientSession,
  2287. "NlSessionSetup: Session setup: "
  2288. "cannot I_NetServerAuthenticate 0x%lx\n",
  2289. Status ));
  2290. //
  2291. // If access is denied, it might be because we weren't able to
  2292. // authenticate with the new password, try the old password.
  2293. //
  2294. if ( Status == STATUS_ACCESS_DENIED && State == 0 ) {
  2295. continue;
  2296. }
  2297. ErrorFromDiscoveredServer = TRUE;
  2298. goto Cleanup;
  2299. }
  2300. NlPrint((NL_CHALLENGE_RES,"NlSessionSetup: ServerCredential GOT = " ));
  2301. NlpDumpBuffer(NL_CHALLENGE_RES, &ReturnedServerCredential, sizeof(ReturnedServerCredential) );
  2302. //
  2303. // The DC returned a server credential to us,
  2304. // ensure the server credential matches the one we would compute.
  2305. //
  2306. NlComputeCredentials( &ServerChallenge,
  2307. &ComputedServerCredential,
  2308. &ClientSession->CsSessionKey);
  2309. NlPrint((NL_CHALLENGE_RES,"NlSessionSetup: ServerCredential MADE = " ));
  2310. NlpDumpBuffer(NL_CHALLENGE_RES, &ComputedServerCredential, sizeof(ComputedServerCredential) );
  2311. if ( !RtlEqualMemory( &ReturnedServerCredential,
  2312. &ComputedServerCredential,
  2313. sizeof(ReturnedServerCredential)) ) {
  2314. Status = STATUS_ACCESS_DENIED;
  2315. NlPrintCs((NL_CRITICAL, ClientSession,
  2316. "NlSessionSetup: Session setup: "
  2317. "Servercredential don't match ours 0x%lx\n",
  2318. Status));
  2319. goto Cleanup;
  2320. }
  2321. //
  2322. // If we require signing or sealing and didn't negotiate it,
  2323. // fail now.
  2324. //
  2325. if ( NlGlobalParameters.RequireSignOrSeal &&
  2326. (ClientSession->CsNegotiatedFlags & NETLOGON_SUPPORTS_AUTH_RPC) == 0 ) {
  2327. NlPrintCs((NL_CRITICAL, ClientSession,
  2328. "NlSessionSetup: SignOrSeal required and DC doesn't support it\n" ));
  2329. SignOrSealError = TRUE;
  2330. Status = STATUS_ACCESS_DENIED;
  2331. ErrorFromDiscoveredServer = TRUE; // Highly unlikely that retrying will work, but ...
  2332. goto Cleanup;
  2333. }
  2334. //
  2335. // If we require signing or sealing and didn't negotiate it,
  2336. // fail now.
  2337. //
  2338. // We'll never really get this far. Since we used a strong key,
  2339. // we'll get ACCESS_DENIED above.
  2340. //
  2341. if ( NlGlobalParameters.RequireStrongKey &&
  2342. (ClientSession->CsNegotiatedFlags & NETLOGON_SUPPORTS_STRONG_KEY) == 0 ) {
  2343. NlPrintCs((NL_CRITICAL, ClientSession,
  2344. "NlSessionSetup: StrongKey required and DC doesn't support it\n" ));
  2345. SignOrSealError = TRUE;
  2346. Status = STATUS_ACCESS_DENIED;
  2347. ErrorFromDiscoveredServer = TRUE; // Highly unlikely that retrying will work, but ...
  2348. goto Cleanup;
  2349. }
  2350. //
  2351. // If we've made it this far, we've successfully authenticated
  2352. // with the DC, drop out of the loop.
  2353. //
  2354. break;
  2355. }
  2356. //
  2357. // If the new DC is an NT 5 DC,
  2358. // mark it so.
  2359. //
  2360. if ((ClientSession->CsNegotiatedFlags & NETLOGON_SUPPORTS_GENERIC_PASSTHRU) != 0 ) {
  2361. NlPrintCs(( NL_SESSION_MORE, ClientSession,
  2362. "NlSessionSetup: DC is an NT 5 DC: %ws\n",
  2363. ClientSession->CsUncServerName ));
  2364. //
  2365. // This flag would have been set during discovery if real discovery was
  2366. // done. However, if NlSetServerClientSession was called from anywhere
  2367. // else other than discovery, the flag may not yet be set.
  2368. //
  2369. EnterCriticalSection( &NlGlobalDcDiscoveryCritSect );
  2370. ClientSession->CsDiscoveryFlags |= CS_DISCOVERY_HAS_DS;
  2371. LeaveCriticalSection( &NlGlobalDcDiscoveryCritSect );
  2372. //
  2373. // This flag would be set during client session creation if the domain
  2374. // was an NT 5 domain at that time. If we happened to stumble on an
  2375. // NT 5 DC after the fact, mark it now.
  2376. //
  2377. if ( ClientSession->CsSecureChannelType == WorkstationSecureChannel ) {
  2378. LOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  2379. ClientSession->CsFlags |= CS_NT5_DOMAIN_TRUST;
  2380. UNLOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  2381. }
  2382. }
  2383. //
  2384. // If we used the old password to authenticate,
  2385. // update the DC to the current password ASAP.
  2386. //
  2387. if ( State == 1 ) {
  2388. NlPrintCs((NL_CRITICAL, ClientSession,
  2389. "NlSessionSetup: old password succeeded\n" ));
  2390. LOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  2391. ClientSession->CsFlags |= CS_UPDATE_PASSWORD;
  2392. UNLOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  2393. }
  2394. //
  2395. // Save the password for our own future reference.
  2396. //
  2397. RtlCopyMemory( &ClientSession->CsNtOwfPassword, &NtOwfPassword, sizeof( NtOwfPassword ));
  2398. //
  2399. // If this is a workstation,
  2400. // grab useful information about the domain.
  2401. //
  2402. NlSetStatusClientSession( ClientSession, STATUS_SUCCESS ); // Mark session as authenticated
  2403. if ( NlGlobalMemberWorkstation ) {
  2404. Status = NlUpdateDomainInfo( ClientSession );
  2405. if ( !NT_SUCCESS(Status) ) {
  2406. NlPrintCs((NL_CRITICAL, ClientSession,
  2407. "NlSessionSetup: NlUpdateDomainInfo failed 0x%lX\n",
  2408. Status ));
  2409. ErrorFromDiscoveredServer = TRUE;
  2410. goto Cleanup;
  2411. }
  2412. //
  2413. // If this is a DC,
  2414. // determine if we should get the FTinfo from the trusted domain.
  2415. //
  2416. } else {
  2417. PLSA_FOREST_TRUST_INFORMATION ForestTrustInfo;
  2418. //
  2419. // If this is the PDC,
  2420. // and the trusted domain is a cross forest trust,
  2421. // get the FTinfo from the trusted domain and write it to our TDO.
  2422. //
  2423. // Ignore failures.
  2424. //
  2425. if ( ClientSession->CsDomainInfo->DomRole == RolePrimary &&
  2426. (ClientSession->CsTrustAttributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE) != 0 ) {
  2427. Status = NlpGetForestTrustInfoHigher(
  2428. ClientSession,
  2429. DS_GFTI_UPDATE_TDO,
  2430. FALSE, // Don't impersonate caller
  2431. &ForestTrustInfo );
  2432. if ( NT_SUCCESS(Status) ) {
  2433. NetApiBufferFree( ForestTrustInfo );
  2434. }
  2435. }
  2436. }
  2437. Status = STATUS_SUCCESS;
  2438. //
  2439. // Cleanup
  2440. //
  2441. Cleanup:
  2442. //
  2443. // Free locally used resources
  2444. //
  2445. if ( NewPassword != NULL ) {
  2446. LocalFree( NewPassword );
  2447. }
  2448. if ( OldPassword != NULL ) {
  2449. LocalFree( OldPassword );
  2450. }
  2451. //
  2452. // Upon success, save the status and reset counters.
  2453. //
  2454. if ( NT_SUCCESS(Status) ) {
  2455. NlSetStatusClientSession( ClientSession, Status );
  2456. ClientSession->CsAuthAlertCount = 0;
  2457. ClientSession->CsTimeoutCount = 0;
  2458. ClientSession->CsFastCallCount = 0;
  2459. #if NETLOGONDBG
  2460. if ( ClientSession->CsNegotiatedFlags != NegotiatedFlags ) {
  2461. NlPrintCs((NL_SESSION_SETUP, ClientSession,
  2462. "NlSessionSetup: negotiated %lx flags rather than %lx\n",
  2463. ClientSession->CsNegotiatedFlags,
  2464. NegotiatedFlags ));
  2465. }
  2466. #endif // NETLOGONDBG
  2467. //
  2468. // write event log and raise alert
  2469. //
  2470. } else {
  2471. BOOLEAN RetryDiscovery = FALSE;
  2472. BOOLEAN RetryDiscoveryWithAccount = FALSE;
  2473. WCHAR PreviouslyDiscoveredServer[NL_MAX_DNS_LENGTH+3];
  2474. LPWSTR MsgStrings[4];
  2475. //
  2476. // Save the name of the discovered server.
  2477. //
  2478. if ( ClientSession->CsUncServerName != NULL ) {
  2479. wcscpy( PreviouslyDiscoveredServer, ClientSession->CsUncServerName );
  2480. } else {
  2481. wcscpy( PreviouslyDiscoveredServer, L"<Unknown>" );
  2482. }
  2483. //
  2484. // If the failure came from the discovered server,
  2485. // decide whether we should retry the session setup
  2486. // to a different server
  2487. //
  2488. if ( ErrorFromDiscoveredServer ) {
  2489. //
  2490. // If we didn't do the plain discovery (without account) just now,
  2491. // try the discovery again and redo the session setup.
  2492. //
  2493. if ( !WeDidDiscovery && NlTimeToRediscover(ClientSession, FALSE) ) {
  2494. RetryDiscovery = TRUE;
  2495. }
  2496. //
  2497. // If we didn't do the discovery with account and
  2498. // the session setup failed because the server didn't have our account and
  2499. // we didn't try a discovery with account recently,
  2500. // try the discovery again (with account) and redo the session setup.
  2501. //
  2502. if ( !WeDidDiscoveryWithAccount &&
  2503. (Status == STATUS_NO_SUCH_USER || Status == STATUS_NO_TRUST_SAM_ACCOUNT) &&
  2504. NlTimeToRediscover(ClientSession, TRUE) ) {
  2505. RetryDiscoveryWithAccount = TRUE;
  2506. }
  2507. }
  2508. //
  2509. // If we are to retry the discovery, do so
  2510. //
  2511. if ( RetryDiscovery || RetryDiscoveryWithAccount ) {
  2512. NTSTATUS TempStatus;
  2513. NlPrintCs((NL_SESSION_SETUP, ClientSession,
  2514. "NlSessionSetup: Retry failed session setup (%s account) since discovery wasn't recent.\n",
  2515. (RetryDiscoveryWithAccount ? "with" : "without") ));
  2516. //
  2517. // Pick the name of a new DC in the domain.
  2518. //
  2519. NlSetStatusClientSession( ClientSession, STATUS_NO_LOGON_SERVERS );
  2520. TempStatus = NlDiscoverDc( ClientSession,
  2521. DT_Synchronous,
  2522. FALSE,
  2523. RetryDiscoveryWithAccount ); // retry with account as needed
  2524. if ( NT_SUCCESS(TempStatus) ) {
  2525. //
  2526. // Don't bother redoing the session setup if we picked the same DC.
  2527. // In particular, if we retried because the previously found DC
  2528. // didn't have our account, we retried the discovery with account
  2529. // above but may have got the same DC (shouldn't really happen, but...)
  2530. //
  2531. if ( _wcsicmp( ClientSession->CsUncServerName,
  2532. PreviouslyDiscoveredServer ) != 0 ) {
  2533. //
  2534. // We certainly did a discovery here,
  2535. // but it may or may not be with account
  2536. //
  2537. WeDidDiscovery = TRUE;
  2538. WeDidDiscoveryWithAccount = RetryDiscoveryWithAccount;
  2539. goto FirstTryFailed;
  2540. } else {
  2541. NlPrintCs((NL_SESSION_SETUP, ClientSession,
  2542. "NlSessionSetup: Skip retry failed session setup since same DC discovered.\n" ));
  2543. }
  2544. } else {
  2545. NlPrintCs((NL_CRITICAL, ClientSession,
  2546. "NlSessionSetup: Session setup: cannot re-pick trusted DC\n" ));
  2547. }
  2548. }
  2549. switch(Status) {
  2550. case STATUS_NO_TRUST_LSA_SECRET:
  2551. MsgStrings[0] = PreviouslyDiscoveredServer;
  2552. MsgStrings[1] = ClientSession->CsDebugDomainName;
  2553. MsgStrings[2] = ClientSession->CsDomainInfo->DomUnicodeComputerNameString.Buffer,
  2554. MsgStrings[3] = NULL; // RaiseNetlogonAlert
  2555. NlpWriteEventlog (NELOG_NetlogonAuthNoTrustLsaSecret,
  2556. EVENTLOG_ERROR_TYPE,
  2557. (LPBYTE) &Status,
  2558. sizeof(Status),
  2559. MsgStrings,
  2560. 3 );
  2561. RaiseNetlogonAlert( NELOG_NetlogonAuthNoTrustLsaSecret,
  2562. MsgStrings,
  2563. &ClientSession->CsAuthAlertCount);
  2564. break;
  2565. case STATUS_NO_TRUST_SAM_ACCOUNT:
  2566. MsgStrings[0] = PreviouslyDiscoveredServer;
  2567. MsgStrings[1] = ClientSession->CsDebugDomainName;
  2568. MsgStrings[2] = ClientSession->CsDomainInfo->DomUnicodeComputerNameString.Buffer,
  2569. MsgStrings[3] = NULL; // RaiseNetlogonAlert
  2570. NlpWriteEventlog (NELOG_NetlogonAuthNoTrustSamAccount,
  2571. EVENTLOG_ERROR_TYPE,
  2572. (LPBYTE) &Status,
  2573. sizeof(Status),
  2574. MsgStrings,
  2575. 3 );
  2576. RaiseNetlogonAlert( NELOG_NetlogonAuthNoTrustSamAccount,
  2577. MsgStrings,
  2578. &ClientSession->CsAuthAlertCount);
  2579. break;
  2580. case STATUS_ACCESS_DENIED:
  2581. if ( SignOrSealError ) {
  2582. MsgStrings[0] = PreviouslyDiscoveredServer;
  2583. MsgStrings[1] = ClientSession->CsDebugDomainName;
  2584. MsgStrings[2] = NULL; // RaiseNetlogonAlert
  2585. NlpWriteEventlog (NELOG_NetlogonRequireSignOrSealError,
  2586. EVENTLOG_ERROR_TYPE,
  2587. NULL,
  2588. 0,
  2589. MsgStrings,
  2590. 2 );
  2591. RaiseNetlogonAlert( NELOG_NetlogonRequireSignOrSealError,
  2592. MsgStrings,
  2593. &ClientSession->CsAuthAlertCount);
  2594. } else {
  2595. MsgStrings[0] = ClientSession->CsDebugDomainName;
  2596. MsgStrings[1] = PreviouslyDiscoveredServer;
  2597. MsgStrings[2] = NULL; // RaiseNetlogonAlert
  2598. NlpWriteEventlog (NELOG_NetlogonAuthDCFail,
  2599. EVENTLOG_ERROR_TYPE,
  2600. (LPBYTE) &Status,
  2601. sizeof(Status),
  2602. MsgStrings,
  2603. 2 );
  2604. RaiseNetlogonAlert( NELOG_NetlogonAuthDCFail,
  2605. MsgStrings,
  2606. &ClientSession->CsAuthAlertCount);
  2607. }
  2608. break;
  2609. case STATUS_NO_LOGON_SERVERS:
  2610. default:
  2611. MsgStrings[0] = ClientSession->CsDebugDomainName;
  2612. MsgStrings[1] = (LPWSTR) LongToPtr( Status );
  2613. // The order of checks is important
  2614. if ( DomainDowngraded ) {
  2615. NlpWriteEventlog (NELOG_NetlogonAuthDomainDowngraded,
  2616. EVENTLOG_ERROR_TYPE,
  2617. (LPBYTE) &Status,
  2618. sizeof(Status),
  2619. MsgStrings,
  2620. 2 | NETP_LAST_MESSAGE_IS_NTSTATUS );
  2621. } else if ( GotNonDsDc ) {
  2622. NlpWriteEventlog (NELOG_NetlogonAuthNoUplevelDomainController,
  2623. EVENTLOG_ERROR_TYPE,
  2624. (LPBYTE) &Status,
  2625. sizeof(Status),
  2626. MsgStrings,
  2627. 2 | NETP_LAST_MESSAGE_IS_NTSTATUS );
  2628. } else {
  2629. NlpWriteEventlog (NELOG_NetlogonAuthNoDomainController,
  2630. EVENTLOG_ERROR_TYPE,
  2631. (LPBYTE) &Status,
  2632. sizeof(Status),
  2633. MsgStrings,
  2634. 2 | NETP_LAST_MESSAGE_IS_NTSTATUS );
  2635. }
  2636. MsgStrings[0] = ClientSession->CsDebugDomainName;
  2637. MsgStrings[1] = PreviouslyDiscoveredServer;
  2638. MsgStrings[2] = NULL; // RaiseNetlogonAlert
  2639. RaiseNetlogonAlert( ALERT_NetlogonAuthDCFail,
  2640. MsgStrings,
  2641. &ClientSession->CsAuthAlertCount);
  2642. break;
  2643. }
  2644. //
  2645. // ??: Is this how to handle failure for all account types.
  2646. //
  2647. switch(Status) {
  2648. case STATUS_NO_TRUST_LSA_SECRET:
  2649. case STATUS_NO_TRUST_SAM_ACCOUNT:
  2650. case STATUS_ACCESS_DENIED:
  2651. NlSetStatusClientSession( ClientSession, Status );
  2652. break;
  2653. default:
  2654. NlSetStatusClientSession( ClientSession, STATUS_NO_LOGON_SERVERS );
  2655. break;
  2656. }
  2657. }
  2658. //
  2659. // Mark the time we last tried to authenticate.
  2660. //
  2661. // We need to do this after NlSetStatusClientSession which zeros
  2662. // CsLastAuthenticationTry.
  2663. //
  2664. EnterCriticalSection( &NlGlobalDcDiscoveryCritSect );
  2665. NlQuerySystemTime( &ClientSession->CsLastAuthenticationTry );
  2666. LeaveCriticalSection( &NlGlobalDcDiscoveryCritSect );
  2667. NlPrintCs((NL_SESSION_SETUP, ClientSession,
  2668. "NlSessionSetup: Session setup %s\n",
  2669. (NT_SUCCESS(ClientSession->CsConnectionStatus)) ? "Succeeded" : "Failed" ));
  2670. //
  2671. // End the WMI trace of secure channel setup
  2672. //
  2673. NlpTraceEvent( EVENT_TRACE_TYPE_END, NlpGuidSecureChannelSetup );
  2674. return Status;
  2675. }
  2676. BOOLEAN
  2677. NlTimeHasElapsedEx(
  2678. IN PLARGE_INTEGER StartTime,
  2679. IN PLARGE_INTEGER Period,
  2680. OUT PULONG TimeInterval OPTIONAL
  2681. )
  2682. /*++
  2683. Routine Description:
  2684. Determine if "Timeout" milliseconds has has elapsed since StartTime.
  2685. Arguments:
  2686. StartTime - Specifies an absolute time when the event started (100ns units).
  2687. Period - Specifies a relative time in 100ns units.
  2688. TimeInterval - If specified and time has elapsed, returns the amount of time
  2689. (in milliseconds) passed since the timeout. If specified and time
  2690. has not elapsed, returns the amount of time (in milliseconds) left until
  2691. Period elapses.
  2692. Return Value:
  2693. TRUE -- iff Period 100nano-seconds have elapsed since StartTime.
  2694. --*/
  2695. {
  2696. LARGE_INTEGER TimeNow;
  2697. LARGE_INTEGER ElapsedTime;
  2698. BOOLEAN Result = FALSE;
  2699. //
  2700. //
  2701. // Compute the elapsed time since we last authenticated
  2702. //
  2703. // NlpDumpTime( NL_MISC, "StartTime: ", *StartTime );
  2704. NlQuerySystemTime( &TimeNow );
  2705. // NlpDumpTime( NL_MISC, "TimeNow: ", TimeNow );
  2706. ElapsedTime.QuadPart = TimeNow.QuadPart - StartTime->QuadPart;
  2707. // NlpDumpTime( NL_MISC, "ElapsedTime: ", ElapsedTime );
  2708. // NlpDumpTime( NL_MISC, "Period: ", *Period );
  2709. //
  2710. // If the elapsed time is negative (totally bogus) or greater than the
  2711. // maximum allowed, indicate that enough time has passed.
  2712. //
  2713. //
  2714. if ( ElapsedTime.QuadPart < 0 ) {
  2715. if ( ARGUMENT_PRESENT( TimeInterval )) {
  2716. *TimeInterval = 0; // pretend it just elapsed
  2717. }
  2718. return TRUE;
  2719. }
  2720. if ( ElapsedTime.QuadPart > Period->QuadPart ) {
  2721. Result = TRUE;
  2722. } else {
  2723. Result = FALSE;
  2724. }
  2725. //
  2726. // If the caller want to know the amount of time left,
  2727. // compute it.
  2728. //
  2729. if ( ARGUMENT_PRESENT( TimeInterval )) {
  2730. LARGE_INTEGER TimeRemaining;
  2731. LARGE_INTEGER MillisecondsRemaining;
  2732. /*lint -e569 */ /* don't complain about 32-bit to 31-bit initialize */
  2733. LARGE_INTEGER BaseGetTickMagicDivisor = { 0xe219652c, 0xd1b71758 };
  2734. /*lint +e569 */ /* don't complain about 32-bit to 31-bit initialize */
  2735. CCHAR BaseGetTickMagicShiftCount = 13;
  2736. //
  2737. // Compute the Time remaining/passed on the timer.
  2738. //
  2739. if ( Result == FALSE ) {
  2740. TimeRemaining.QuadPart = Period->QuadPart - ElapsedTime.QuadPart;
  2741. } else {
  2742. TimeRemaining.QuadPart = ElapsedTime.QuadPart - Period->QuadPart;
  2743. }
  2744. // NlpDumpTime( NL_MISC, "TimeRemaining: ", TimeRemaining );
  2745. //
  2746. // Compute the number of milliseconds remaining/passed.
  2747. //
  2748. MillisecondsRemaining = RtlExtendedMagicDivide(
  2749. TimeRemaining,
  2750. BaseGetTickMagicDivisor,
  2751. BaseGetTickMagicShiftCount );
  2752. // NlpDumpTime( NL_MISC, "MillisecondsRemaining: ", MillisecondsRemaining );
  2753. //
  2754. // If the time is in the far distant future/past,
  2755. // round it down.
  2756. //
  2757. if ( MillisecondsRemaining.HighPart != 0 ||
  2758. MillisecondsRemaining.LowPart > TIMER_MAX_PERIOD ) {
  2759. *TimeInterval = TIMER_MAX_PERIOD;
  2760. } else {
  2761. *TimeInterval = MillisecondsRemaining.LowPart;
  2762. }
  2763. }
  2764. return Result;
  2765. }
  2766. BOOLEAN
  2767. NlTimeToReauthenticate(
  2768. IN PCLIENT_SESSION ClientSession
  2769. )
  2770. /*++
  2771. Routine Description:
  2772. Determine if it is time to reauthenticate this Client Session.
  2773. To reduce the number of re-authentication attempts, we try
  2774. to re-authenticate only on demand and then only at most every 45
  2775. seconds.
  2776. Arguments:
  2777. ClientSession - Structure used to define the session.
  2778. Return Value:
  2779. TRUE -- iff it is time to re-authenticate
  2780. --*/
  2781. {
  2782. BOOLEAN ReturnBoolean;
  2783. EnterCriticalSection( &NlGlobalDcDiscoveryCritSect );
  2784. ReturnBoolean = NetpLogonTimeHasElapsed(
  2785. ClientSession->CsLastAuthenticationTry,
  2786. MAX_DC_AUTHENTICATION_WAIT );
  2787. LeaveCriticalSection( &NlGlobalDcDiscoveryCritSect );
  2788. return ReturnBoolean;
  2789. }
  2790. NET_API_STATUS
  2791. NlCreateShare(
  2792. LPWSTR SharePath,
  2793. LPWSTR ShareName,
  2794. BOOLEAN AllowAuthenticatedUsers
  2795. )
  2796. /*++
  2797. Routine Description:
  2798. Share the netlogon scripts directory.
  2799. Arguments:
  2800. SharePath - Path that the new share should be point to.
  2801. ShareName - Name of the share.
  2802. AllowAuthenticatedUsers - TRUE if AuthenticatedUsers should have
  2803. Full Control on this share.
  2804. Return Value:
  2805. TRUE: if successful
  2806. FALSE: if error (NlExit was called)
  2807. --*/
  2808. {
  2809. NTSTATUS Status;
  2810. NET_API_STATUS NetStatus;
  2811. SHARE_INFO_502 ShareInfo502;
  2812. WORD AnsiSize;
  2813. CHAR AnsiRemark[NNLEN+1];
  2814. TCHAR Remark[NNLEN+1];
  2815. ACE_DATA AceData[] = {
  2816. {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
  2817. GENERIC_EXECUTE | GENERIC_READ, &WorldSid},
  2818. {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
  2819. GENERIC_ALL, &AliasAdminsSid},
  2820. // Must be the last ACE
  2821. {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
  2822. GENERIC_ALL, &AuthenticatedUserSid}
  2823. };
  2824. ULONG AceCount = (sizeof(AceData)/sizeof(AceData[0]));
  2825. //
  2826. // If Authenticated Users shouldn't be allowed full control,
  2827. // remove the authenticated user ACE.
  2828. //
  2829. if ( !AllowAuthenticatedUsers ) {
  2830. AceCount --;
  2831. }
  2832. //
  2833. // Build the structure describing the share.
  2834. //
  2835. ShareInfo502.shi502_path = SharePath;
  2836. ShareInfo502.shi502_security_descriptor = NULL;
  2837. NlPrint((NL_INIT, "'%ws' share is to '%ws'\n",
  2838. ShareName,
  2839. SharePath));
  2840. NetStatus = (NET_API_STATUS) DosGetMessage(
  2841. NULL, // No insertion strings
  2842. 0, // No insertion strings
  2843. AnsiRemark,
  2844. sizeof(AnsiRemark),
  2845. MTXT_LOGON_SRV_SHARE_REMARK,
  2846. MESSAGE_FILENAME,
  2847. &AnsiSize );
  2848. if ( NetStatus == NERR_Success ) {
  2849. NetpCopyStrToTStr( Remark, AnsiRemark );
  2850. ShareInfo502.shi502_remark = Remark;
  2851. } else {
  2852. ShareInfo502.shi502_remark = TEXT( "" );
  2853. }
  2854. ShareInfo502.shi502_netname = ShareName;
  2855. ShareInfo502.shi502_type = STYPE_DISKTREE;
  2856. ShareInfo502.shi502_permissions = ACCESS_READ;
  2857. ShareInfo502.shi502_max_uses = 0xffffffff;
  2858. ShareInfo502.shi502_passwd = TEXT("");
  2859. //
  2860. // Set the security descriptor on the share
  2861. //
  2862. //
  2863. // Create a security descriptor containing the DACL.
  2864. //
  2865. Status = NetpCreateSecurityDescriptor(
  2866. AceData,
  2867. AceCount,
  2868. NULL, // Default the owner Sid
  2869. NULL, // Default the primary group
  2870. &ShareInfo502.shi502_security_descriptor );
  2871. if ( !NT_SUCCESS( Status ) ) {
  2872. NlPrint((NL_CRITICAL,
  2873. "'%ws' share: Cannot create security descriptor 0x%lx\n",
  2874. SharePath, Status ));
  2875. NetStatus = NetpNtStatusToApiStatus( Status );
  2876. return NetStatus;
  2877. }
  2878. //
  2879. // Create the share.
  2880. //
  2881. NetStatus = NetShareAdd(NULL, 502, (LPBYTE) &ShareInfo502, NULL);
  2882. if (NetStatus == NERR_DuplicateShare) {
  2883. PSHARE_INFO_2 ShareInfo2 = NULL;
  2884. NlPrint((NL_INIT, "'%ws' share already exists. \n", ShareName));
  2885. //
  2886. // check to see the shared path is same.
  2887. //
  2888. NetStatus = NetShareGetInfo( NULL,
  2889. ShareName,
  2890. 2,
  2891. (LPBYTE *) &ShareInfo2 );
  2892. if ( NetStatus == NERR_Success ) {
  2893. //
  2894. // compare path names.
  2895. //
  2896. // ShareName is path canonicalized already.
  2897. //
  2898. //
  2899. NlPrint((NL_INIT, "'%ws' share current path is %ws\n", ShareName, ShareInfo2->shi2_path));
  2900. if( NetpwPathCompare(
  2901. SharePath,
  2902. ShareInfo2->shi2_path, 0, 0 ) != 0 ) {
  2903. //
  2904. // delete share.
  2905. //
  2906. NetStatus = NetShareDel( NULL, ShareName, 0);
  2907. if( NetStatus == NERR_Success ) {
  2908. //
  2909. // Recreate share.
  2910. //
  2911. NetStatus = NetShareAdd(
  2912. NULL,
  2913. 502,
  2914. (LPBYTE) &ShareInfo502,
  2915. NULL);
  2916. if( NetStatus == NERR_Success ) {
  2917. NlPrint((NL_INIT,
  2918. "'%ws' share was recreated with new path %ws\n",
  2919. ShareName, SharePath ));
  2920. }
  2921. }
  2922. }
  2923. }
  2924. if( ShareInfo2 != NULL ) {
  2925. NetpMemoryFree( ShareInfo2 );
  2926. }
  2927. }
  2928. //
  2929. // Free the security descriptor
  2930. //
  2931. NetpMemoryFree( ShareInfo502.shi502_security_descriptor );
  2932. if ( NetStatus != NERR_Success ) {
  2933. NlPrint((NL_CRITICAL,
  2934. "'%ws' share: Error attempting to create-share: %ld\n",
  2935. ShareName,
  2936. NetStatus ));
  2937. return NetStatus;
  2938. }
  2939. return NERR_Success;
  2940. }
  2941. NTSTATUS
  2942. NlSamOpenNamedUser(
  2943. IN PDOMAIN_INFO DomainInfo,
  2944. IN LPCWSTR UserName,
  2945. OUT SAMPR_HANDLE *UserHandle OPTIONAL,
  2946. OUT PULONG UserId OPTIONAL,
  2947. OUT PSAMPR_USER_INFO_BUFFER *UserAllInfo OPTIONAL
  2948. )
  2949. /*++
  2950. Routine Description:
  2951. Utility routine to open a Sam user given the username.
  2952. Arguments:
  2953. DomainInfo - Domain the user is in.
  2954. UserName - Name of user to open
  2955. UserHandle - Optionally returns a handle to the opened user.
  2956. UserId - Optionally returns the relative ID of the opened user.
  2957. UserAllInfo - Optionally returns ALL of the information about the
  2958. named user. Free the returned information using
  2959. SamIFree_SAMPR_USER_INFO_BUFFER( UserAllInfo, UserAllInformation );
  2960. Return Value:
  2961. STATUS_NO_SUCH_USER: if the account doesn't exist
  2962. --*/
  2963. {
  2964. NTSTATUS Status;
  2965. UNICODE_STRING UserNameString;
  2966. PSAMPR_USER_INFO_BUFFER LocalUserAllInfo = NULL;
  2967. SID_AND_ATTRIBUTES_LIST ReverseMembership;
  2968. //
  2969. // Initialization.
  2970. //
  2971. if ( ARGUMENT_PRESENT( UserHandle) ) {
  2972. *UserHandle = NULL;
  2973. }
  2974. if ( ARGUMENT_PRESENT( UserAllInfo) ) {
  2975. *UserAllInfo = NULL;
  2976. }
  2977. //
  2978. // Get the info about the user.
  2979. //
  2980. // Use SamIGetUserLogonInformation instead of SamrLookupNamesInDomain and
  2981. // SamrOpen user. The former is more efficient (since it only does one
  2982. // DirSearch and doesn't lock the global SAM lock) and more powerful
  2983. // (since it returns UserAllInformation).
  2984. //
  2985. RtlInitUnicodeString( &UserNameString, UserName );
  2986. Status = SamIGetUserLogonInformation(
  2987. DomainInfo->DomSamAccountDomainHandle,
  2988. SAM_NO_MEMBERSHIPS, // Don't need group memberships
  2989. &UserNameString,
  2990. &LocalUserAllInfo,
  2991. &ReverseMembership,
  2992. UserHandle );
  2993. if ( !NT_SUCCESS(Status) ) {
  2994. if ( Status == STATUS_NOT_FOUND ) {
  2995. Status = STATUS_NO_SUCH_USER;
  2996. }
  2997. goto Cleanup;
  2998. }
  2999. //
  3000. // Return information to the caller.
  3001. //
  3002. if ( ARGUMENT_PRESENT(UserId) ) {
  3003. *UserId = LocalUserAllInfo->All.UserId;
  3004. }
  3005. if ( ARGUMENT_PRESENT( UserAllInfo) ) {
  3006. *UserAllInfo = LocalUserAllInfo;
  3007. LocalUserAllInfo = NULL;
  3008. }
  3009. //
  3010. // Free locally used resources.
  3011. //
  3012. Cleanup:
  3013. if ( LocalUserAllInfo != NULL ) {
  3014. SamIFree_SAMPR_USER_INFO_BUFFER( LocalUserAllInfo, UserAllInformation );
  3015. }
  3016. return Status;
  3017. }
  3018. NTSTATUS
  3019. NlSamChangePasswordNamedUser(
  3020. IN PDOMAIN_INFO DomainInfo,
  3021. IN LPCWSTR UserName,
  3022. IN PUNICODE_STRING ClearTextPassword OPTIONAL,
  3023. IN PNT_OWF_PASSWORD OwfPassword OPTIONAL
  3024. )
  3025. /*++
  3026. Routine Description:
  3027. Utility routine to set the OWF password on a user given the username.
  3028. Arguments:
  3029. DomainInfo - Domain the user is in.
  3030. UserName - Name of user to open
  3031. ClearTextPassword - Clear text password to set on the account
  3032. OwfPassword - OWF password to set on the account
  3033. Return Value:
  3034. --*/
  3035. {
  3036. NTSTATUS Status;
  3037. SAMPR_HANDLE UserHandle = NULL;
  3038. //
  3039. // Open the user that represents this server.
  3040. //
  3041. Status = NlSamOpenNamedUser( DomainInfo, UserName, &UserHandle, NULL, NULL );
  3042. if ( !NT_SUCCESS(Status) ) {
  3043. goto Cleanup;
  3044. }
  3045. //
  3046. // If Clear text password isn't NULL, use it.
  3047. // Otherwise use OWF password.
  3048. //
  3049. if ( ClearTextPassword != NULL ) {
  3050. UNICODE_STRING UserNameString;
  3051. RtlInitUnicodeString( &UserNameString, UserName );
  3052. Status = SamIChangePasswordForeignUser(
  3053. &UserNameString,
  3054. ClearTextPassword,
  3055. NULL,
  3056. 0 );
  3057. if ( !NT_SUCCESS(Status) ) {
  3058. NlPrint(( NL_CRITICAL,
  3059. "NlSamChangePasswordNamedUser: Can't SamIChangePasswordForeignUser %lX\n",
  3060. Status ));
  3061. goto Cleanup;
  3062. }
  3063. //
  3064. // Use the NT OWF Password,
  3065. //
  3066. } else if ( OwfPassword != NULL ) {
  3067. SAMPR_USER_INFO_BUFFER UserInfo;
  3068. UserInfo.Internal1.PasswordExpired = FALSE;
  3069. UserInfo.Internal1.LmPasswordPresent = FALSE;
  3070. UserInfo.Internal1.NtPasswordPresent = TRUE;
  3071. UserInfo.Internal1.EncryptedNtOwfPassword =
  3072. *((PENCRYPTED_NT_OWF_PASSWORD)(OwfPassword));
  3073. Status = SamrSetInformationUser(
  3074. UserHandle,
  3075. UserInternal1Information,
  3076. &UserInfo );
  3077. if (!NT_SUCCESS(Status)) {
  3078. NlPrint(( NL_CRITICAL,
  3079. "NlSamChangePasswordNamedUser: Can't SamrSetInformationUser %lX\n",
  3080. Status ));
  3081. goto Cleanup;
  3082. }
  3083. }
  3084. Cleanup:
  3085. if ( UserHandle != NULL ) {
  3086. (VOID) SamrCloseHandle( &UserHandle );
  3087. }
  3088. return Status;
  3089. }
  3090. NTSTATUS
  3091. NlChangePassword(
  3092. IN PCLIENT_SESSION ClientSession,
  3093. IN BOOLEAN ForcePasswordChange,
  3094. OUT PULONG RetCallAgainPeriod OPTIONAL
  3095. )
  3096. /*++
  3097. Routine Description:
  3098. Change this machine's password at the primary.
  3099. Also update password locally if the call succeeded.
  3100. To determine if the password of "machine account"
  3101. needs to be changed. If the password is older than
  3102. 7 days then it must be changed asap. We will defer
  3103. changing the password if we know before hand that
  3104. primary dc is down since our call will fail anyway.
  3105. Arguments:
  3106. ClientSession - Structure describing the session to change the password
  3107. for. The specified structure must be referenced.
  3108. ForcePasswordChange - TRUE if the password should be changed even if
  3109. the password hasn't expired yet.
  3110. RetCallAgainPeriod - Returns the amount of time (in milliseconds) that should elapse
  3111. before the caller should call this routine again.
  3112. 0: After a period of time determined by the caller.
  3113. MAILSLOT_WAIT_FOREVER: never
  3114. other: After at least this amount of time.
  3115. Return Value:
  3116. NT Status code
  3117. --*/
  3118. {
  3119. NTSTATUS Status;
  3120. NETLOGON_AUTHENTICATOR OurAuthenticator;
  3121. NETLOGON_AUTHENTICATOR ReturnAuthenticator;
  3122. LM_OWF_PASSWORD OwfPassword;
  3123. LARGE_INTEGER CurrentPasswordTime;
  3124. PUNICODE_STRING CurrentPassword = NULL;
  3125. PUNICODE_STRING OldPassword = NULL;
  3126. DWORD PasswordVersion;
  3127. WCHAR ClearTextPassword[LM20_PWLEN+1];
  3128. UNICODE_STRING NewPassword;
  3129. BOOL PasswordChangedOnServer = FALSE;
  3130. BOOL LsaSecretChanged = FALSE;
  3131. BOOL DefaultCurrentPasswordBeingChanged = FALSE;
  3132. BOOL DefaultOldPasswordBeingChanged = FALSE;
  3133. BOOLEAN AmWriter = FALSE;
  3134. ULONG CallAgainPeriod = 0;
  3135. //
  3136. // Initialization
  3137. //
  3138. NlAssert( ClientSession->CsReferenceCount > 0 );
  3139. //
  3140. // If the password change was refused by the DC,
  3141. // Don't ever try to change the password again (until the next reboot).
  3142. //
  3143. // This could have been written to try every MaximumPasswordAge. However,
  3144. // that gets complex if you take into consideration the CS_UPDATE_PASSWORD
  3145. // case where the time stamp on the LSA Secret doesn't get changed.
  3146. //
  3147. LOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  3148. if ( ClientSession->CsFlags & CS_PASSWORD_REFUSED ) {
  3149. UNLOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  3150. CallAgainPeriod = MAILSLOT_WAIT_FOREVER;
  3151. Status = STATUS_SUCCESS;
  3152. goto Cleanup;
  3153. }
  3154. UNLOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  3155. //
  3156. // Become a writer of the ClientSession.
  3157. //
  3158. if ( !NlTimeoutSetWriterClientSession( ClientSession, WRITER_WAIT_PERIOD ) ) {
  3159. NlPrintCs((NL_CRITICAL, ClientSession,
  3160. "NlChangePassword: Can't become writer of client session.\n" ));
  3161. Status = STATUS_NO_LOGON_SERVERS;
  3162. goto Cleanup;
  3163. }
  3164. AmWriter = TRUE;
  3165. //
  3166. // Get the outgoing password and the time the password was last changed
  3167. //
  3168. Status = NlGetOutgoingPassword( ClientSession,
  3169. &CurrentPassword,
  3170. &OldPassword,
  3171. &PasswordVersion,
  3172. &CurrentPasswordTime );
  3173. if ( !NT_SUCCESS( Status ) ) {
  3174. NlPrintCs((NL_CRITICAL, ClientSession,
  3175. "NlChangePassword: Cannot NlGetOutgoingPassword %lX\n",
  3176. Status));
  3177. goto Cleanup;
  3178. }
  3179. //
  3180. // If the (old or new) password is still the default password
  3181. // (lower case computer name),
  3182. // or the password is null (a convenient default for domain trust),
  3183. // Flag that fact.
  3184. //
  3185. if ( CurrentPassword == NULL ||
  3186. CurrentPassword->Length == 0 ||
  3187. RtlEqualComputerName( &ClientSession->CsDomainInfo->DomUnicodeComputerNameString,
  3188. CurrentPassword ) ) {
  3189. DefaultCurrentPasswordBeingChanged = TRUE;
  3190. NlPrintCs((NL_SESSION_SETUP, ClientSession,
  3191. "NlChangePassword: New LsaSecret is default value.\n" ));
  3192. }
  3193. if ( OldPassword == NULL ||
  3194. OldPassword->Length == 0 ||
  3195. RtlEqualComputerName( &ClientSession->CsDomainInfo->DomUnicodeComputerNameString,
  3196. OldPassword ) ) {
  3197. DefaultOldPasswordBeingChanged = TRUE;
  3198. NlPrintCs((NL_SESSION_SETUP, ClientSession,
  3199. "NlChangePassword: Old LsaSecret is default value.\n" ));
  3200. }
  3201. //
  3202. // If the password has not yet expired,
  3203. // and the password is not the default,
  3204. // and the password change isn't forced,
  3205. // just return.
  3206. //
  3207. LOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  3208. if ( (ClientSession->CsFlags & CS_UPDATE_PASSWORD) == 0 &&
  3209. !NlTimeHasElapsedEx( &CurrentPasswordTime,
  3210. &NlGlobalParameters.MaximumPasswordAge_100ns,
  3211. &CallAgainPeriod ) &&
  3212. !DefaultCurrentPasswordBeingChanged &&
  3213. !DefaultOldPasswordBeingChanged &&
  3214. !ForcePasswordChange ) {
  3215. //
  3216. // Note that, since NlTimeHasElapsedEx returned FALSE,
  3217. // CallAgainPeriod is the time left until the next
  3218. // password change.
  3219. //
  3220. UNLOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  3221. Status = STATUS_SUCCESS;
  3222. goto Cleanup;
  3223. }
  3224. UNLOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  3225. CallAgainPeriod = 0; // Let the caller determine the frequency for retries.
  3226. NlPrintCs((NL_SESSION_SETUP, ClientSession,
  3227. "NlChangePassword: Doing it.\n" ));
  3228. //
  3229. // If the session isn't authenticated,
  3230. // do so now.
  3231. //
  3232. // We're careful to not force this authentication unless the password
  3233. // needs to be changed.
  3234. //
  3235. // If this is the PDC changing its own password,
  3236. // there's no need to authenticate.
  3237. //
  3238. if ( ClientSession->CsState != CS_AUTHENTICATED &&
  3239. !( ClientSession->CsSecureChannelType == ServerSecureChannel &&
  3240. ClientSession->CsDomainInfo->DomRole == RolePrimary ) ) {
  3241. //
  3242. // If we've tried to authenticate recently,
  3243. // don't bother trying again.
  3244. //
  3245. if ( !NlTimeToReauthenticate( ClientSession ) ) {
  3246. Status = ClientSession->CsConnectionStatus;
  3247. goto Cleanup;
  3248. }
  3249. //
  3250. // Try to set up the session.
  3251. //
  3252. Status = NlSessionSetup( ClientSession );
  3253. if ( !NT_SUCCESS(Status) ) {
  3254. goto Cleanup;
  3255. }
  3256. }
  3257. //
  3258. // Once we change the password in LsaSecret storage,
  3259. // all future attempts to change the password should use the value
  3260. // from LsaSecret storage. The secure channel is using the old
  3261. // value of the password.
  3262. //
  3263. LOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  3264. if (ClientSession->CsFlags & CS_UPDATE_PASSWORD) {
  3265. NlPrintCs((NL_SESSION_SETUP, ClientSession,
  3266. "NlChangePassword: Password already updated in secret\n" ));
  3267. if ( CurrentPassword == NULL ) {
  3268. RtlInitUnicodeString( &NewPassword, NULL );
  3269. } else {
  3270. NewPassword = *CurrentPassword;
  3271. }
  3272. //
  3273. // Handle the case where LsaSecret storage has not yet been updated.
  3274. //
  3275. } else {
  3276. ULONG i;
  3277. //
  3278. // Build a new clear text password using:
  3279. // Entirely random bits.
  3280. // Srvmgr later uses this password as a zero terminated unicode string
  3281. // so ensure there aren't any zero chars in the middle
  3282. //
  3283. if ( !NlGenerateRandomBits( (LPBYTE)ClearTextPassword, sizeof(ClearTextPassword))) {
  3284. NlPrint((NL_CRITICAL, "Can't NlGenerateRandomBits for clear password\n" ));
  3285. }
  3286. for (i = 0; i < sizeof(ClearTextPassword)/sizeof(WCHAR); i++) {
  3287. if ( ClearTextPassword[i] == '\0') {
  3288. ClearTextPassword[i] = 1;
  3289. }
  3290. }
  3291. ClearTextPassword[LM20_PWLEN] = L'\0';
  3292. RtlInitUnicodeString( &NewPassword, ClearTextPassword );
  3293. //
  3294. //
  3295. // Set the new outgoing password locally.
  3296. //
  3297. // Set the OldValue to the perviously obtained CurrentValue.
  3298. // Increment the password version number.
  3299. //
  3300. PasswordVersion++;
  3301. Status = NlSetOutgoingPassword(
  3302. ClientSession,
  3303. &NewPassword,
  3304. CurrentPassword,
  3305. PasswordVersion,
  3306. PasswordVersion-1 );
  3307. if ( !NT_SUCCESS( Status ) ) {
  3308. NlPrintCs((NL_CRITICAL, ClientSession,
  3309. "NlChangePassword: Cannot NlSetOutgoingPassword %lX\n",
  3310. Status));
  3311. UNLOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  3312. goto Cleanup;
  3313. }
  3314. //
  3315. // Flag that we've updated the password in LsaSecret storage.
  3316. //
  3317. LsaSecretChanged = TRUE;
  3318. ClientSession->CsFlags |= CS_UPDATE_PASSWORD;
  3319. NlPrintCs((NL_SESSION_SETUP, ClientSession,
  3320. "NlChangePassword: Flag password changed in LsaSecret\n" ));
  3321. }
  3322. UNLOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  3323. //
  3324. // Perform the initial encryption.
  3325. //
  3326. Status = RtlCalculateNtOwfPassword( &NewPassword, &OwfPassword);
  3327. if ( !NT_SUCCESS( Status )) {
  3328. NlPrintCs((NL_CRITICAL, ClientSession,
  3329. "NlChangePassword: Cannot RtlCalculateNtOwfPassword %lX\n",
  3330. Status));
  3331. goto Cleanup;
  3332. }
  3333. //
  3334. // If this is a PDC, all we need to do is change the local account password
  3335. //
  3336. if ( ClientSession->CsSecureChannelType == ServerSecureChannel &&
  3337. ClientSession->CsDomainInfo->DomRole == RolePrimary ) {
  3338. Status = NlSamChangePasswordNamedUser( ClientSession->CsDomainInfo,
  3339. ClientSession->CsAccountName,
  3340. &NewPassword,
  3341. &OwfPassword );
  3342. if ( NT_SUCCESS(Status) ) {
  3343. PasswordChangedOnServer = TRUE;
  3344. } else {
  3345. NlPrintCs((NL_CRITICAL, ClientSession,
  3346. "NlChangePassword: Cannot change password on PDC local user account 0x%lx\n",
  3347. Status));
  3348. }
  3349. goto Cleanup;
  3350. }
  3351. //
  3352. // Change the password on the PDC
  3353. //
  3354. Status = NlChangePasswordHigher( ClientSession,
  3355. ClientSession->CsAccountName,
  3356. ClientSession->CsSecureChannelType,
  3357. &OwfPassword,
  3358. &NewPassword,
  3359. &PasswordVersion );
  3360. if ( Status != STATUS_ACCESS_DENIED ) {
  3361. PasswordChangedOnServer = TRUE;
  3362. }
  3363. //
  3364. // If the server refused the change,
  3365. // put the lsa secret back the way it was.
  3366. // pretend the change was successful.
  3367. //
  3368. if ( Status == STATUS_WRONG_PASSWORD ) {
  3369. NlPrintCs((NL_SESSION_SETUP, ClientSession,
  3370. "NlChangePassword: PDC refused to change password\n" ));
  3371. //
  3372. // If we changed the LSA secret,
  3373. // put it back.
  3374. //
  3375. LOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  3376. if ( LsaSecretChanged ) {
  3377. NlPrintCs((NL_SESSION_SETUP, ClientSession,
  3378. "NlChangePassword: undoing LSA secret change.\n" ));
  3379. PasswordVersion--;
  3380. Status = NlSetOutgoingPassword(
  3381. ClientSession,
  3382. CurrentPassword,
  3383. OldPassword,
  3384. PasswordVersion,
  3385. PasswordVersion > 0 ? PasswordVersion-1 : 0 );
  3386. if ( !NT_SUCCESS( Status ) ) {
  3387. NlPrintCs((NL_CRITICAL, ClientSession,
  3388. "NlChangePassword: Cannot undo NlSetOutgoingPassword %lX\n",
  3389. Status));
  3390. UNLOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  3391. goto Cleanup;
  3392. }
  3393. //
  3394. // Undo what we've done above.
  3395. //
  3396. ClientSession->CsFlags &= ~CS_UPDATE_PASSWORD;
  3397. }
  3398. //
  3399. // Prevent us from trying too frequently.
  3400. //
  3401. ClientSession->CsFlags |= CS_PASSWORD_REFUSED;
  3402. CallAgainPeriod = MAILSLOT_WAIT_FOREVER;
  3403. UNLOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  3404. //
  3405. // Avoid special cleanup below.
  3406. //
  3407. PasswordChangedOnServer = FALSE;
  3408. Status = STATUS_SUCCESS;
  3409. }
  3410. //
  3411. // Common exit
  3412. //
  3413. Cleanup:
  3414. if ( PasswordChangedOnServer ) {
  3415. //
  3416. // On success,
  3417. // Indicate that the password has now been updated on the
  3418. // PDC so the old password is no longer in use.
  3419. //
  3420. if ( NT_SUCCESS( Status ) ) {
  3421. LOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  3422. ClientSession->CsFlags &= ~CS_UPDATE_PASSWORD;
  3423. NlPrintCs((NL_SESSION_SETUP, ClientSession,
  3424. "NlChangePassword: Flag password updated on PDC\n" ));
  3425. //
  3426. // If the default current password was changed,
  3427. // avoid leaving the default password around as the old
  3428. // password. Otherwise, a bogus DC could convince us to use
  3429. // the bogus DC via the default password. Set both current
  3430. // and old version numbers to the new value.
  3431. //
  3432. if ( DefaultCurrentPasswordBeingChanged ) {
  3433. NlPrintCs((NL_SESSION_SETUP, ClientSession,
  3434. "NlChangePassword: Setting LsaSecret old password to same as new password\n" ));
  3435. Status = NlSetOutgoingPassword(
  3436. ClientSession,
  3437. &NewPassword,
  3438. &NewPassword,
  3439. PasswordVersion,
  3440. PasswordVersion );
  3441. if ( !NT_SUCCESS( Status ) ) {
  3442. NlPrintCs((NL_CRITICAL, ClientSession,
  3443. "NlChangePassword: Cannot LsarSetSecret to set old password %lX\n",
  3444. Status));
  3445. UNLOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  3446. goto Cleanup;
  3447. }
  3448. }
  3449. //
  3450. // Save the password for our own future reference.
  3451. //
  3452. // CsNtOwfPassword is the most recent known good password
  3453. //
  3454. RtlCopyMemory( &ClientSession->CsNtOwfPassword, &OwfPassword, sizeof( OwfPassword ));
  3455. UNLOCK_TRUST_LIST( ClientSession->CsDomainInfo );
  3456. //
  3457. // Indicate we don't need to call change the password again for awhile
  3458. //
  3459. if ( NlGlobalParameters.MaximumPasswordAge > (TIMER_MAX_PERIOD/NL_MILLISECONDS_PER_DAY) ) {
  3460. CallAgainPeriod = TIMER_MAX_PERIOD;
  3461. } else {
  3462. CallAgainPeriod = NlGlobalParameters.MaximumPasswordAge * NL_MILLISECONDS_PER_DAY;
  3463. }
  3464. //
  3465. // Notify the Admin that he'll have to manually set this server's
  3466. // password on both this server and the PDC.
  3467. //
  3468. } else {
  3469. LPWSTR MsgStrings[2];
  3470. //
  3471. // Drop the secure channel
  3472. //
  3473. NlSetStatusClientSession( ClientSession, Status );
  3474. //
  3475. // write event log
  3476. //
  3477. MsgStrings[0] = ClientSession->CsAccountName;
  3478. MsgStrings[1] = (LPWSTR) LongToPtr( Status );
  3479. NlpWriteEventlog (
  3480. NELOG_NetlogonPasswdSetFailed,
  3481. EVENTLOG_ERROR_TYPE,
  3482. (LPBYTE) & Status,
  3483. sizeof(Status),
  3484. MsgStrings,
  3485. 2 | NETP_LAST_MESSAGE_IS_NTSTATUS );
  3486. }
  3487. }
  3488. //
  3489. // Clean up locally used resources.
  3490. //
  3491. if ( CurrentPassword != NULL ) {
  3492. LocalFree( CurrentPassword );
  3493. }
  3494. if ( OldPassword != NULL ) {
  3495. LocalFree( OldPassword );
  3496. }
  3497. if ( AmWriter ) {
  3498. NlResetWriterClientSession( ClientSession );
  3499. }
  3500. //
  3501. // Tell the caller when he should call us again
  3502. //
  3503. if ( ARGUMENT_PRESENT( RetCallAgainPeriod) ) {
  3504. *RetCallAgainPeriod = CallAgainPeriod;
  3505. }
  3506. return Status;
  3507. }
  3508. NTSTATUS
  3509. NlRefreshClientSession(
  3510. IN PCLIENT_SESSION ClientSession
  3511. )
  3512. /*++
  3513. Routine Description:
  3514. Refresh the client session info. The info that we intend
  3515. to refresh is:
  3516. * Server name (the DC can be renamed in Whistler).
  3517. * Discovery flags, in particular whether the server
  3518. is still close.
  3519. * The server IP address.
  3520. We will also refresh our site name (on workstation).
  3521. The caller must be a writer of the ClientSession.
  3522. Arguments:
  3523. ClientSession - Structure describing the session.
  3524. Return Value:
  3525. NT Status code
  3526. --*/
  3527. {
  3528. NTSTATUS Status = STATUS_SUCCESS;
  3529. NET_API_STATUS NetStatus = NO_ERROR;
  3530. PNL_DC_CACHE_ENTRY NlDcCacheEntry = NULL;
  3531. BOOLEAN DcRediscovered = FALSE;
  3532. //
  3533. // If the client session is idle,
  3534. // there is nothing to refresh
  3535. //
  3536. if ( ClientSession->CsState == CS_IDLE ) {
  3537. Status = STATUS_SUCCESS;
  3538. goto Cleanup;
  3539. }
  3540. //
  3541. // If the server (DC) is NT4.0, there is no need for refresh.
  3542. // (The only info that can potentially change for NT4.0 DC
  3543. // is its IP address which is not worth refreshing)
  3544. //
  3545. if ( (ClientSession->CsDiscoveryFlags & CS_DISCOVERY_HAS_DS) == 0 ) {
  3546. Status = STATUS_SUCCESS;
  3547. goto Cleanup;
  3548. }
  3549. //
  3550. // If it's not yet time to refresh the info,
  3551. // we don't need to do anything
  3552. //
  3553. EnterCriticalSection( &NlGlobalDcDiscoveryCritSect );
  3554. if ( !NetpLogonTimeHasElapsed(ClientSession->CsLastRefreshTime,
  3555. MAX_DC_REFRESH_TIMEOUT) ) {
  3556. LeaveCriticalSection( &NlGlobalDcDiscoveryCritSect );
  3557. Status = STATUS_SUCCESS;
  3558. goto Cleanup;
  3559. }
  3560. LeaveCriticalSection( &NlGlobalDcDiscoveryCritSect );
  3561. //
  3562. // Get the up to date server info
  3563. //
  3564. Status = NlGetAnyDCName( ClientSession,
  3565. FALSE, // Do not require IP
  3566. FALSE, // Don't do with-account discovery
  3567. &NlDcCacheEntry,
  3568. &DcRediscovered );
  3569. if ( !NT_SUCCESS(Status) ) {
  3570. goto Cleanup;
  3571. }
  3572. //
  3573. // Use this opportunity to update our site on a workstation
  3574. //
  3575. if ( NlGlobalMemberWorkstation ) {
  3576. //
  3577. // Only Win2K or newer DCs undestand the site concept
  3578. //
  3579. if ( (NlDcCacheEntry->ReturnFlags & DS_DS_FLAG) != 0 ) {
  3580. NlSetDynamicSiteName( NlDcCacheEntry->UnicodeClientSiteName );
  3581. } else {
  3582. NlPrint(( NL_SITE,
  3583. "NlRefreshClientSession: NlGetAnyDCName returned NT4 DC\n" ));
  3584. }
  3585. }
  3586. Cleanup:
  3587. if ( NlDcCacheEntry != NULL ) {
  3588. NetpDcDerefCacheEntry( NlDcCacheEntry );
  3589. }
  3590. return Status;
  3591. }
  3592. NTSTATUS
  3593. NlEnsureSessionAuthenticated(
  3594. IN PCLIENT_SESSION ClientSession,
  3595. IN DWORD DesiredFlags
  3596. )
  3597. /*++
  3598. Routine Description:
  3599. Ensure there is an authenticated session for the specified ClientSession.
  3600. If the authenticated DC does not have the characteristics specified by
  3601. DesiredFlags, attempt to find a DC that does.
  3602. The caller must be a writer of the ClientSession.
  3603. Arguments:
  3604. ClientSession - Structure describing the session.
  3605. DesiredFlags - characteristics that the authenticated DC should have.
  3606. Can be one or more of the following:
  3607. CS_DISCOVERY_HAS_DS // Discovered DS has a DS
  3608. CS_DISCOVERY_IS_CLOSE // Discovered DS is in a close site
  3609. It is the callers responsibility to ensure that the DC really DOES
  3610. have those characteristics.
  3611. Return Value:
  3612. NT Status code
  3613. --*/
  3614. {
  3615. NTSTATUS Status;
  3616. //
  3617. // First refresh the client session
  3618. //
  3619. Status = NlRefreshClientSession( ClientSession );
  3620. if ( !NT_SUCCESS(Status) ) {
  3621. NlPrintCs(( NL_CRITICAL, ClientSession,
  3622. "NlpEnsureSessionAuthenticated: Can't refresh the session: 0x%lx\n",
  3623. Status ));
  3624. goto Cleanup;
  3625. }
  3626. //
  3627. // If this secure channel is from a BDC to the PDC,
  3628. // there is only ONE PDC so don't ask for special characteristics.
  3629. //
  3630. if ( ClientSession->CsSecureChannelType == ServerSecureChannel ) {
  3631. DesiredFlags = 0;
  3632. //
  3633. // If this secure channel isn't expected to have NT 5 DCs,
  3634. // don't try to find one.
  3635. //
  3636. } else if ((ClientSession->CsFlags & CS_NT5_DOMAIN_TRUST) == 0 ) {
  3637. DesiredFlags = 0;
  3638. //
  3639. // If we don't have a close DC,
  3640. // and it has been a long time since we've tried to find a close DC,
  3641. // do it now.
  3642. //
  3643. } else if ( (ClientSession->CsDiscoveryFlags & CS_DISCOVERY_IS_CLOSE) == 0 ) {
  3644. BOOLEAN ReturnBoolean;
  3645. EnterCriticalSection( &NlGlobalDcDiscoveryCritSect );
  3646. if ( NetpLogonTimeHasElapsed(
  3647. ClientSession->CsLastDiscoveryTime,
  3648. NlGlobalParameters.CloseSiteTimeout * 1000 ) ) {
  3649. DesiredFlags |= CS_DISCOVERY_IS_CLOSE;
  3650. }
  3651. LeaveCriticalSection( &NlGlobalDcDiscoveryCritSect );
  3652. }
  3653. //
  3654. // If a DC has already been detected,
  3655. // and the caller wants special characteristics,
  3656. // try for them now.
  3657. //
  3658. if ( ClientSession->CsState != CS_IDLE &&
  3659. DesiredFlags != 0 ) {
  3660. //
  3661. // If the DC doesn't have the required characteristics,
  3662. // try to find a new one now
  3663. //
  3664. EnterCriticalSection( &NlGlobalDcDiscoveryCritSect );
  3665. if ( (ClientSession->CsDiscoveryFlags & DesiredFlags) != DesiredFlags ) {
  3666. //
  3667. // Avoid discovery if we've done it recently.
  3668. //
  3669. // All discoveries prefer a DC that has all of the desired characteristics.
  3670. // So if we didn't find one, don't try again.
  3671. //
  3672. if ( NlTimeToRediscover(ClientSession, FALSE) ) { // we'll do discovery without account
  3673. NlPrintCs(( NL_SESSION_SETUP, ClientSession,
  3674. "NlpEnsureSessionAuthenticated: Try to find a better DC for this operation. 0x%lx\n", DesiredFlags ));
  3675. //
  3676. // Discovering a DC when the session is not idle tries to find a
  3677. // "better" DC.
  3678. //
  3679. // Ignore failures.
  3680. //
  3681. // Call without the any locks locked to prevent doing network I/O
  3682. // with the lock held.
  3683. //
  3684. // Don't ask for with-account discovery as it's too costly on the
  3685. // server side. If the discovered server doesn't have our account,
  3686. // the session setup logic will attempt with-account discovery.
  3687. //
  3688. LeaveCriticalSection( &NlGlobalDcDiscoveryCritSect );
  3689. Status = NlDiscoverDc ( ClientSession,
  3690. DT_Synchronous,
  3691. FALSE ,
  3692. FALSE ); // without account
  3693. EnterCriticalSection( &NlGlobalDcDiscoveryCritSect );
  3694. }
  3695. }
  3696. LeaveCriticalSection( &NlGlobalDcDiscoveryCritSect );
  3697. }
  3698. //
  3699. // If we haven't yet authenticated,
  3700. // do so now.
  3701. //
  3702. if ( ClientSession->CsState != CS_AUTHENTICATED ) {
  3703. //
  3704. // If we've tried to authenticate recently,
  3705. // don't bother trying again.
  3706. //
  3707. if ( !NlTimeToReauthenticate( ClientSession ) ) {
  3708. Status = ClientSession->CsConnectionStatus;
  3709. NlAssert( !NT_SUCCESS( Status ));
  3710. if ( NT_SUCCESS( Status )) {
  3711. Status = STATUS_NO_LOGON_SERVERS;
  3712. }
  3713. goto Cleanup;
  3714. }
  3715. //
  3716. // Try to set up the session.
  3717. //
  3718. Status = NlSessionSetup( ClientSession );
  3719. if ( !NT_SUCCESS(Status) ) {
  3720. goto Cleanup;
  3721. }
  3722. }
  3723. Status = STATUS_SUCCESS;
  3724. Cleanup:
  3725. return Status;
  3726. }
  3727. NTSTATUS
  3728. NlChangePasswordHigher(
  3729. IN PCLIENT_SESSION ClientSession,
  3730. IN LPWSTR AccountName,
  3731. IN NETLOGON_SECURE_CHANNEL_TYPE AccountType,
  3732. IN PLM_OWF_PASSWORD NewOwfPassword OPTIONAL,
  3733. IN PUNICODE_STRING NewClearPassword OPTIONAL,
  3734. IN PDWORD ClearPasswordVersionNumber OPTIONAL
  3735. )
  3736. /*++
  3737. Routine Description:
  3738. Pass the new password to the machine specified by the ClientSession.
  3739. The caller must be a writer of the ClientSession.
  3740. Arguments:
  3741. ClientSession - Structure describing the session to change the password
  3742. for. The specified structure must be referenced.
  3743. AccountName - Name of the account whose password is being changed.
  3744. AccountType - Type of account whose password is being changed.
  3745. NewOwfPassword - Owf password to pass to ClientSession
  3746. NewClearPassword - Clear password to pass to client session
  3747. ClearPasswordVersionNumber - Version number of the clear password. Must
  3748. be present if NewClearPassword is present.
  3749. Return Value:
  3750. NT Status code
  3751. --*/
  3752. {
  3753. NTSTATUS Status;
  3754. NETLOGON_AUTHENTICATOR OurAuthenticator;
  3755. NETLOGON_AUTHENTICATOR ReturnAuthenticator;
  3756. SESSION_INFO SessionInfo;
  3757. BOOLEAN FirstTry = TRUE;
  3758. //
  3759. // Initialization
  3760. //
  3761. NlAssert( ClientSession->CsReferenceCount > 0 );
  3762. NlAssert( ClientSession->CsFlags & CS_WRITER );
  3763. //
  3764. // If the session isn't authenticated,
  3765. // do so now.
  3766. //
  3767. // We're careful to not force this authentication unless the password
  3768. // needs to be changed.
  3769. //
  3770. FirstTryFailed:
  3771. Status = NlEnsureSessionAuthenticated( ClientSession, 0 );
  3772. if ( !NT_SUCCESS(Status) ) {
  3773. goto Cleanup;
  3774. }
  3775. SessionInfo.SessionKey = ClientSession->CsSessionKey;
  3776. SessionInfo.NegotiatedFlags = ClientSession->CsNegotiatedFlags;
  3777. //
  3778. // Build the Authenticator for this request to the PDC.
  3779. //
  3780. NlBuildAuthenticator(
  3781. &ClientSession->CsAuthenticationSeed,
  3782. &ClientSession->CsSessionKey,
  3783. &OurAuthenticator);
  3784. //
  3785. // If the other side will accept a clear text password,
  3786. // send it.
  3787. //
  3788. if ( NewClearPassword != NULL &&
  3789. (SessionInfo.NegotiatedFlags & NETLOGON_SUPPORTS_PASSWORD_SET_2) != 0 ) {
  3790. NL_TRUST_PASSWORD NlTrustPassword;
  3791. NL_PASSWORD_VERSION PasswordVersion;
  3792. //
  3793. // Copy the new password to the end of the buffer.
  3794. //
  3795. RtlCopyMemory( ((LPBYTE)NlTrustPassword.Buffer) +
  3796. NL_MAX_PASSWORD_LENGTH * sizeof(WCHAR) -
  3797. NewClearPassword->Length,
  3798. NewClearPassword->Buffer,
  3799. NewClearPassword->Length );
  3800. NlTrustPassword.Length = NewClearPassword->Length;
  3801. //
  3802. // For an interdomain trust account,
  3803. // indicate that we pass the password version number by prefixing
  3804. // a DWORD equal to PASSWORD_VERSION_NUMBER_PRESENT right before
  3805. // the password in NewClearPassword->Buffer. An old server (RC0)
  3806. // not supporting version numbers will simply ignore these bits.
  3807. // A server supporting version numbers will examine these bits
  3808. // and if they are equal to PASSWORD_VERSION_NUMBER_PRESENT then
  3809. // that will be an indication that a version number is passed. An
  3810. // old client not supporting version numbers will generate random
  3811. // bits in place of PASSWORD_VERSION_NUMBER_PRESENT. It is highly
  3812. // unlikely that an old client will generate random bits equal to
  3813. // PASSWORD_VERSION_NUMBER_PRESENT. The
  3814. // version number will be a DWORD preceeding the DWORD equal to
  3815. // PASSWORD_VERSION_NUMBER_PRESENT. Another DWORD equal to 0 will
  3816. // preceed the version number. Its purpose is to allow any future
  3817. // additions to the buffer. The value of this DWORD different from
  3818. // 0 will indicate without any uncertainty that some additional
  3819. // info is passed preceding this DWORD. The 3 new DWORDs are packed
  3820. // in a struct to avoid unalingment problems.
  3821. //
  3822. if ( IsDomainSecureChannelType( AccountType ) ) {
  3823. NlAssert( ClearPasswordVersionNumber != NULL );
  3824. NlAssert( NL_MAX_PASSWORD_LENGTH * sizeof(WCHAR) -
  3825. NewClearPassword->Length -
  3826. sizeof(PasswordVersion) > 0 );
  3827. PasswordVersion.ReservedField = 0;
  3828. PasswordVersion.PasswordVersionNumber = *ClearPasswordVersionNumber;
  3829. PasswordVersion.PasswordVersionPresent = PASSWORD_VERSION_NUMBER_PRESENT;
  3830. RtlCopyMemory( ((LPBYTE)NlTrustPassword.Buffer) +
  3831. NL_MAX_PASSWORD_LENGTH * sizeof(WCHAR) -
  3832. NewClearPassword->Length -
  3833. sizeof(PasswordVersion),
  3834. &PasswordVersion,
  3835. sizeof(PasswordVersion) );
  3836. }
  3837. //
  3838. // Fill the rest of the buffer with random bytes
  3839. //
  3840. if ( !NlGenerateRandomBits( (LPBYTE)NlTrustPassword.Buffer,
  3841. (NL_MAX_PASSWORD_LENGTH * sizeof(WCHAR)) -
  3842. NewClearPassword->Length -
  3843. sizeof(PasswordVersion) ) ) {
  3844. NlPrint((NL_CRITICAL, "Can't NlGenerateRandomBits for clear password prefix\n" ));
  3845. }
  3846. //
  3847. // Encrypt the whole buffer.
  3848. //
  3849. NlEncryptRC4( &NlTrustPassword,
  3850. sizeof( NlTrustPassword ),
  3851. &SessionInfo );
  3852. //
  3853. // Change the password on the machine our connection is to.
  3854. //
  3855. NL_API_START( Status, ClientSession, TRUE ) {
  3856. NlAssert( ClientSession->CsUncServerName != NULL );
  3857. Status = I_NetServerPasswordSet2( ClientSession->CsUncServerName,
  3858. AccountName,
  3859. AccountType,
  3860. ClientSession->CsDomainInfo->DomUnicodeComputerNameString.Buffer,
  3861. &OurAuthenticator,
  3862. &ReturnAuthenticator,
  3863. &NlTrustPassword);
  3864. // NOTE: This call may drop the secure channel behind our back
  3865. } NL_API_ELSE( Status, ClientSession, TRUE ) {
  3866. } NL_API_END;
  3867. //
  3868. // If the other side needs an OWF password,
  3869. // send it.
  3870. //
  3871. } else {
  3872. ENCRYPTED_LM_OWF_PASSWORD SessKeyEncrPassword;
  3873. LM_OWF_PASSWORD LocalOwfPassword;
  3874. //
  3875. // If the caller doesn't know the OWF password,
  3876. // compute the owf.
  3877. //
  3878. if ( NewOwfPassword == NULL ) {
  3879. //
  3880. // Perform the initial encryption.
  3881. //
  3882. Status = RtlCalculateNtOwfPassword( NewClearPassword, &LocalOwfPassword);
  3883. if ( !NT_SUCCESS( Status )) {
  3884. NlPrintCs((NL_CRITICAL, ClientSession,
  3885. "NlChangePasswordHigher: Cannot RtlCalculateNtOwfPassword %lX\n",
  3886. Status));
  3887. goto Cleanup;
  3888. }
  3889. NewOwfPassword = &LocalOwfPassword;
  3890. }
  3891. //
  3892. // Encrypt the password again with the session key.
  3893. // The PDC will decrypt it on the other side.
  3894. //
  3895. Status = RtlEncryptNtOwfPwdWithNtOwfPwd(
  3896. NewOwfPassword,
  3897. (PNT_OWF_PASSWORD) &ClientSession->CsSessionKey,
  3898. &SessKeyEncrPassword) ;
  3899. if ( !NT_SUCCESS( Status )) {
  3900. NlPrintCs((NL_CRITICAL, ClientSession,
  3901. "NlChangePasswordHigher: Cannot RtlEncryptNtOwfPwdWithNtOwfPwd %lX\n",
  3902. Status));
  3903. goto Cleanup;
  3904. }
  3905. //
  3906. // Change the password on the machine our connection is to.
  3907. //
  3908. NL_API_START( Status, ClientSession, TRUE ) {
  3909. NlAssert( ClientSession->CsUncServerName != NULL );
  3910. Status = I_NetServerPasswordSet( ClientSession->CsUncServerName,
  3911. AccountName,
  3912. AccountType,
  3913. ClientSession->CsDomainInfo->DomUnicodeComputerNameString.Buffer,
  3914. &OurAuthenticator,
  3915. &ReturnAuthenticator,
  3916. &SessKeyEncrPassword);
  3917. // NOTE: This call may drop the secure channel behind our back
  3918. } NL_API_ELSE( Status, ClientSession, TRUE ) {
  3919. } NL_API_END;
  3920. }
  3921. //
  3922. // Now verify primary's authenticator and update our seed
  3923. //
  3924. if ( NlpDidDcFail( Status ) ||
  3925. !NlUpdateSeed( &ClientSession->CsAuthenticationSeed,
  3926. &ReturnAuthenticator.Credential,
  3927. &ClientSession->CsSessionKey) ) {
  3928. NlPrintCs(( NL_CRITICAL, ClientSession,
  3929. "NlChangePasswordHigher: denying access after status: 0x%lx\n",
  3930. Status ));
  3931. //
  3932. // Preserve any status indicating a communication error.
  3933. //
  3934. if ( NT_SUCCESS(Status) ) {
  3935. Status = STATUS_ACCESS_DENIED;
  3936. }
  3937. NlSetStatusClientSession( ClientSession, Status );
  3938. //
  3939. // Perhaps the netlogon service on the server has just restarted.
  3940. // Try just once to set up a session to the server again.
  3941. //
  3942. if ( FirstTry ) {
  3943. FirstTry = FALSE;
  3944. goto FirstTryFailed;
  3945. }
  3946. }
  3947. //
  3948. // Common exit
  3949. //
  3950. Cleanup:
  3951. if ( !NT_SUCCESS(Status) ) {
  3952. NlPrintCs((NL_CRITICAL, ClientSession,
  3953. "NlChangePasswordHigher: %ws: failed %lX\n",
  3954. AccountName,
  3955. Status));
  3956. }
  3957. return Status;
  3958. }
  3959. NTSTATUS
  3960. NlGetUserPriv(
  3961. IN PDOMAIN_INFO DomainInfo,
  3962. IN ULONG GroupCount,
  3963. IN PGROUP_MEMBERSHIP Groups,
  3964. IN ULONG UserRelativeId,
  3965. OUT LPDWORD Priv,
  3966. OUT LPDWORD AuthFlags
  3967. )
  3968. /*++
  3969. Routine Description:
  3970. Determines the Priv and AuthFlags for the specified user.
  3971. Arguments:
  3972. DomainInfo - Hosted domain the user account is in.
  3973. GroupCount - Number of groups this user is a member of
  3974. Groups - Array of groups this user is a member of.
  3975. UserRelativeId - Relative ID of the user to query.
  3976. Priv - Returns the Lanman 2.0 Privilege level for the specified user.
  3977. AuthFlags - Returns the Lanman 2.0 Authflags for the specified user.
  3978. Return Value:
  3979. Status of the operation.
  3980. --*/
  3981. {
  3982. NET_API_STATUS NetStatus;
  3983. NTSTATUS Status;
  3984. ULONG GroupIndex;
  3985. PSID *UserSids = NULL;
  3986. ULONG UserSidCount = 0;
  3987. SAMPR_PSID_ARRAY SamSidArray;
  3988. SAMPR_ULONG_ARRAY Aliases;
  3989. //
  3990. // Initialization
  3991. //
  3992. Aliases.Element = NULL;
  3993. //
  3994. // Allocate a buffer to point to the SIDs we're interested in
  3995. // alias membership for.
  3996. //
  3997. UserSids = (PSID *)
  3998. NetpMemoryAllocate( (GroupCount+1) * sizeof(PSID) );
  3999. if ( UserSids == NULL ) {
  4000. Status = STATUS_NO_MEMORY;
  4001. goto Cleanup;
  4002. }
  4003. //
  4004. // Add the User's Sid to the Array of Sids.
  4005. //
  4006. NetStatus = NetpDomainIdToSid( DomainInfo->DomAccountDomainId,
  4007. UserRelativeId,
  4008. &UserSids[0] );
  4009. if ( NetStatus != NERR_Success ) {
  4010. Status = NetpApiStatusToNtStatus( NetStatus );
  4011. goto Cleanup;
  4012. }
  4013. UserSidCount ++;
  4014. //
  4015. // Add each group the user is a member of to the array of Sids.
  4016. //
  4017. for ( GroupIndex = 0; GroupIndex < GroupCount; GroupIndex ++ ){
  4018. NetStatus = NetpDomainIdToSid( DomainInfo->DomAccountDomainId,
  4019. Groups[GroupIndex].RelativeId,
  4020. &UserSids[GroupIndex+1] );
  4021. if ( NetStatus != NERR_Success ) {
  4022. Status = NetpApiStatusToNtStatus( NetStatus );
  4023. goto Cleanup;
  4024. }
  4025. UserSidCount ++;
  4026. }
  4027. //
  4028. // Find out which aliases in the builtin domain this user is a member of.
  4029. //
  4030. SamSidArray.Count = UserSidCount;
  4031. SamSidArray.Sids = (PSAMPR_SID_INFORMATION) UserSids;
  4032. Status = SamrGetAliasMembership( DomainInfo->DomSamBuiltinDomainHandle,
  4033. &SamSidArray,
  4034. &Aliases );
  4035. if ( !NT_SUCCESS(Status) ) {
  4036. Aliases.Element = NULL;
  4037. NlPrint((NL_CRITICAL,
  4038. "NlGetUserPriv: SamGetAliasMembership returns %lX\n",
  4039. Status ));
  4040. goto Cleanup;
  4041. }
  4042. //
  4043. // Convert the alias membership to priv and auth flags
  4044. //
  4045. NetpAliasMemberToPriv(
  4046. Aliases.Count,
  4047. Aliases.Element,
  4048. Priv,
  4049. AuthFlags );
  4050. Status = STATUS_SUCCESS;
  4051. //
  4052. // Free Locally used resources.
  4053. //
  4054. Cleanup:
  4055. if ( Aliases.Element != NULL ) {
  4056. SamIFree_SAMPR_ULONG_ARRAY ( &Aliases );
  4057. }
  4058. if ( UserSids != NULL ) {
  4059. for ( GroupIndex = 0; GroupIndex < UserSidCount; GroupIndex ++ ) {
  4060. NetpMemoryFree( UserSids[GroupIndex] );
  4061. }
  4062. NetpMemoryFree( UserSids );
  4063. }
  4064. return Status;
  4065. }
  4066. /*lint +e740 */ /* don't complain about unusual cast */