source3/auth/auth_ntlmssp.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, server side
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett 2001-2003
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "auth.h"
  25 #include "../libcli/auth/ntlmssp.h"
  26 #include "ntlmssp_wrap.h"
  27 #include "../librpc/gen_ndr/netlogon.h"
  28 #include "../lib/tsocket/tsocket.h"
  29
  30 NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
  31                                         struct auth_ntlmssp_state *auth_ntlmssp_state,
  32                                         struct auth_session_info **session_info)
  33 {
  34         NTSTATUS nt_status = create_local_token(mem_ctx,
  35                                                 auth_ntlmssp_state->server_info,
  36                                                 &auth_ntlmssp_state->ntlmssp_state->session_key,
  37                                                 session_info);
  38
  39         if (!NT_STATUS_IS_OK(nt_status)) {
  40                 DEBUG(10, ("create_local_token failed: %s\n",
  41                            nt_errstr(nt_status)));
  42         }
  43         return nt_status;
  44 }
  45
  46 /**
  47  * Return the challenge as determined by the authentication subsystem
  48  * @return an 8 byte random challenge
  49  */
  50
  51 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
  52                                            uint8_t chal[8])
  53 {
  54         struct auth_ntlmssp_state *auth_ntlmssp_state =
  55                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  56         auth_ntlmssp_state->auth_context->get_ntlm_challenge(
  57                 auth_ntlmssp_state->auth_context, chal);
  58         return NT_STATUS_OK;
  59 }
  60
  61 /**
  62  * Some authentication methods 'fix' the challenge, so we may not be able to set it
  63  *
  64  * @return If the effective challenge used by the auth subsystem may be modified
  65  */
  66 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
  67 {
  68         struct auth_ntlmssp_state *auth_ntlmssp_state =
  69                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  70         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
  71
  72         return auth_context->challenge_may_be_modified;
  73 }
  74
  75 /**
  76  * NTLM2 authentication modifies the effective challenge,
  77  * @param challenge The new challenge value
  78  */
  79 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
  80 {
  81         struct auth_ntlmssp_state *auth_ntlmssp_state =
  82                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  83         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
  84
  85         SMB_ASSERT(challenge->length == 8);
  86
  87         auth_context->challenge = data_blob_talloc(auth_context,
  88                                                    challenge->data, challenge->length);
  89
  90         auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)";
  91
  92         DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
  93         DEBUG(5, ("challenge is: \n"));
  94         dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
  95         return NT_STATUS_OK;
  96 }
  97
  98 /**
  99  * Check the password on an NTLMSSP login.
 100  *
 101  * Return the session keys used on the connection.
 102  */
 103
 104 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *mem_ctx,
 105                                             DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 106 {
 107         struct auth_ntlmssp_state *auth_ntlmssp_state =
 108                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
 109         struct auth_usersupplied_info *user_info = NULL;
 110         NTSTATUS nt_status;
 111         bool username_was_mapped;
 112
 113         /* the client has given us its machine name (which we otherwise would not get on port 445).
 114            we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
 115
 116         set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->client.netbios_name, True);
 117
 118         /* setup the string used by %U */
 119         /* sub_set_smb_name checks for weird internally */
 120         sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
 121
 122         lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
 123
 124         nt_status = make_user_info_map(&user_info,
 125                                        auth_ntlmssp_state->ntlmssp_state->user,
 126                                        auth_ntlmssp_state->ntlmssp_state->domain,
 127                                        auth_ntlmssp_state->ntlmssp_state->client.netbios_name,
 128                                        auth_ntlmssp_state->remote_address,
 129                                        auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
 130                                        auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
 131                                        NULL, NULL, NULL,
 132                                        AUTH_PASSWORD_RESPONSE);
 133
 134         if (!NT_STATUS_IS_OK(nt_status)) {
 135                 return nt_status;
 136         }
 137
 138         user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
 139
 140         nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context,
 141                                                                           user_info, &auth_ntlmssp_state->server_info);
 142
 143         username_was_mapped = user_info->was_mapped;
 144
 145         free_user_info(&user_info);
 146
 147         if (!NT_STATUS_IS_OK(nt_status)) {
 148                 nt_status = do_map_to_guest_server_info(nt_status,
 149                                                         &auth_ntlmssp_state->server_info,
 150                                                         auth_ntlmssp_state->ntlmssp_state->user,
 151                                                         auth_ntlmssp_state->ntlmssp_state->domain);
 152                 return nt_status;
 153         }
 154
 155         auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
 156
 157         /* Clear out the session keys, and pass them to the caller.
 158          * They will not be used in this form again - instead the
 159          * NTLMSSP code will decide on the final correct session key,
 160          * and put it back here at the end of
 161          * auth_ntlmssp_steal_server_info */
 162         if (auth_ntlmssp_state->server_info->session_key.length) {
 163                 DEBUG(10, ("Got NT session key of length %u\n",
 164                         (unsigned int)auth_ntlmssp_state->server_info->session_key.length));
 165                 *session_key = auth_ntlmssp_state->server_info->session_key;
 166                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->session_key.data);
 167                 auth_ntlmssp_state->server_info->session_key = data_blob_null;
 168         }
 169         if (auth_ntlmssp_state->server_info->lm_session_key.length) {
 170                 DEBUG(10, ("Got LM session key of length %u\n",
 171                         (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
 172                 *lm_session_key = auth_ntlmssp_state->server_info->lm_session_key;
 173                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->lm_session_key.data);
 174                 auth_ntlmssp_state->server_info->lm_session_key = data_blob_null;
 175         }
 176         return nt_status;
 177 }
 178
 179 static int auth_ntlmssp_state_destructor(void *ptr);
 180
 181 NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
 182                             struct auth_ntlmssp_state **auth_ntlmssp_state)
 183 {
 184         NTSTATUS nt_status;
 185         bool is_standalone;
 186         const char *netbios_name;
 187         const char *netbios_domain;
 188         const char *dns_name;
 189         char *dns_domain;
 190         struct auth_ntlmssp_state *ans;
 191         struct auth_context *auth_context;
 192
 193         if ((enum server_role)lp_server_role() == ROLE_STANDALONE) {
 194                 is_standalone = true;
 195         } else {
 196                 is_standalone = false;
 197         }
 198
 199         netbios_name = lp_netbios_name();
 200         netbios_domain = lp_workgroup();
 201         /* This should be a 'netbios domain -> DNS domain' mapping */
 202         dns_domain = get_mydnsdomname(talloc_tos());
 203         if (dns_domain) {
 204                 strlower_m(dns_domain);
 205         }
 206         dns_name = get_mydnsfullname();
 207
 208         ans = talloc_zero(NULL, struct auth_ntlmssp_state);
 209         if (!ans) {
 210                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
 211                 return NT_STATUS_NO_MEMORY;
 212         }
 213
 214         ans->remote_address = tsocket_address_copy(remote_address, ans);
 215         if (ans->remote_address == NULL) {
 216                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
 217                 return NT_STATUS_NO_MEMORY;
 218         }
 219
 220         nt_status = ntlmssp_server_start(ans,
 221                                          is_standalone,
 222                                          netbios_name,
 223                                          netbios_domain,
 224                                          dns_name,
 225                                          dns_domain,
 226                                          &ans->ntlmssp_state);
 227         if (!NT_STATUS_IS_OK(nt_status)) {
 228                 return nt_status;
 229         }
 230
 231         nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context);
 232         if (!NT_STATUS_IS_OK(nt_status)) {
 233                 return nt_status;
 234         }
 235         ans->auth_context = talloc_steal(ans, auth_context);
 236
 237         ans->ntlmssp_state->callback_private = ans;
 238         ans->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
 239         ans->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
 240         ans->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
 241         ans->ntlmssp_state->check_password = auth_ntlmssp_check_password;
 242
 243         talloc_set_destructor((TALLOC_CTX *)ans, auth_ntlmssp_state_destructor);
 244
 245         *auth_ntlmssp_state = ans;
 246         return NT_STATUS_OK;
 247 }
 248
 249 static int auth_ntlmssp_state_destructor(void *ptr)
 250 {
 251         struct auth_ntlmssp_state *ans;
 252
 253         ans = talloc_get_type(ptr, struct auth_ntlmssp_state);
 254
 255         TALLOC_FREE(ans->remote_address);
 256         TALLOC_FREE(ans->server_info);
 257         TALLOC_FREE(ans->ntlmssp_state);
 258         return 0;
 259 }