source3/auth/auth_ntlmssp.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, server side
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett 2001-2003,2011
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "auth.h"
  25 #include "../auth/ntlmssp/ntlmssp.h"
  26 #include "ntlmssp_wrap.h"
  27 #include "../librpc/gen_ndr/netlogon.h"
  28 #include "../lib/tsocket/tsocket.h"
  29 #include "auth/gensec/gensec.h"
  30 #include "librpc/rpc/dcerpc.h"
  31
  32 NTSTATUS auth_ntlmssp_session_info(TALLOC_CTX *mem_ctx,
  33                                    struct auth_ntlmssp_state *auth_ntlmssp_state,
  34                                    struct auth_session_info **session_info)
  35 {
  36         NTSTATUS nt_status;
  37         if (auth_ntlmssp_state->gensec_security) {
  38
  39                 nt_status = gensec_session_info(auth_ntlmssp_state->gensec_security,
  40                                                 mem_ctx,
  41                                                 session_info);
  42                 return nt_status;
  43         }
  44
  45         nt_status = create_local_token(mem_ctx,
  46                                        auth_ntlmssp_state->server_info,
  47                                        &auth_ntlmssp_state->ntlmssp_state->session_key,
  48                                        auth_ntlmssp_state->ntlmssp_state->user,
  49                                        session_info);
  50
  51         if (!NT_STATUS_IS_OK(nt_status)) {
  52                 DEBUG(10, ("create_local_token failed: %s\n",
  53                            nt_errstr(nt_status)));
  54         }
  55         return nt_status;
  56 }
  57
  58 /**
  59  * Return the challenge as determined by the authentication subsystem
  60  * @return an 8 byte random challenge
  61  */
  62
  63 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
  64                                            uint8_t chal[8])
  65 {
  66         struct auth_ntlmssp_state *auth_ntlmssp_state =
  67                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  68         auth_ntlmssp_state->auth_context->get_ntlm_challenge(
  69                 auth_ntlmssp_state->auth_context, chal);
  70         return NT_STATUS_OK;
  71 }
  72
  73 /**
  74  * Some authentication methods 'fix' the challenge, so we may not be able to set it
  75  *
  76  * @return If the effective challenge used by the auth subsystem may be modified
  77  */
  78 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
  79 {
  80         struct auth_ntlmssp_state *auth_ntlmssp_state =
  81                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  82         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
  83
  84         return auth_context->challenge_may_be_modified;
  85 }
  86
  87 /**
  88  * NTLM2 authentication modifies the effective challenge,
  89  * @param challenge The new challenge value
  90  */
  91 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
  92 {
  93         struct auth_ntlmssp_state *auth_ntlmssp_state =
  94                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  95         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
  96
  97         SMB_ASSERT(challenge->length == 8);
  98
  99         auth_context->challenge = data_blob_talloc(auth_context,
 100                                                    challenge->data, challenge->length);
 101
 102         auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)";
 103
 104         DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
 105         DEBUG(5, ("challenge is: \n"));
 106         dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
 107         return NT_STATUS_OK;
 108 }
 109
 110 /**
 111  * Check the password on an NTLMSSP login.
 112  *
 113  * Return the session keys used on the connection.
 114  */
 115
 116 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *mem_ctx,
 117                                             DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 118 {
 119         struct auth_ntlmssp_state *auth_ntlmssp_state =
 120                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
 121         struct auth_usersupplied_info *user_info = NULL;
 122         NTSTATUS nt_status;
 123         bool username_was_mapped;
 124
 125         /* the client has given us its machine name (which we otherwise would not get on port 445).
 126            we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
 127
 128         set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->client.netbios_name, True);
 129
 130         /* setup the string used by %U */
 131         /* sub_set_smb_name checks for weird internally */
 132         sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
 133
 134         lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
 135
 136         nt_status = make_user_info_map(&user_info,
 137                                        auth_ntlmssp_state->ntlmssp_state->user,
 138                                        auth_ntlmssp_state->ntlmssp_state->domain,
 139                                        auth_ntlmssp_state->ntlmssp_state->client.netbios_name,
 140                                        auth_ntlmssp_state->remote_address,
 141                                        auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
 142                                        auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
 143                                        NULL, NULL, NULL,
 144                                        AUTH_PASSWORD_RESPONSE);
 145
 146         if (!NT_STATUS_IS_OK(nt_status)) {
 147                 return nt_status;
 148         }
 149
 150         user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
 151
 152         nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context,
 153                                                                           user_info, &auth_ntlmssp_state->server_info);
 154
 155         username_was_mapped = user_info->was_mapped;
 156
 157         free_user_info(&user_info);
 158
 159         if (!NT_STATUS_IS_OK(nt_status)) {
 160                 nt_status = do_map_to_guest_server_info(nt_status,
 161                                                         &auth_ntlmssp_state->server_info,
 162                                                         auth_ntlmssp_state->ntlmssp_state->user,
 163                                                         auth_ntlmssp_state->ntlmssp_state->domain);
 164         }
 165
 166         if (!NT_STATUS_IS_OK(nt_status)) {
 167                 return nt_status;
 168         }
 169
 170         talloc_steal(auth_ntlmssp_state, auth_ntlmssp_state->server_info);
 171
 172         auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
 173
 174         /* Clear out the session keys, and pass them to the caller.
 175          * They will not be used in this form again - instead the
 176          * NTLMSSP code will decide on the final correct session key,
 177          * and supply it to create_local_token() */
 178         if (auth_ntlmssp_state->server_info->session_key.length) {
 179                 DEBUG(10, ("Got NT session key of length %u\n",
 180                         (unsigned int)auth_ntlmssp_state->server_info->session_key.length));
 181                 *session_key = auth_ntlmssp_state->server_info->session_key;
 182                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->session_key.data);
 183                 auth_ntlmssp_state->server_info->session_key = data_blob_null;
 184         }
 185         if (auth_ntlmssp_state->server_info->lm_session_key.length) {
 186                 DEBUG(10, ("Got LM session key of length %u\n",
 187                         (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
 188                 *lm_session_key = auth_ntlmssp_state->server_info->lm_session_key;
 189                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->lm_session_key.data);
 190                 auth_ntlmssp_state->server_info->lm_session_key = data_blob_null;
 191         }
 192         return nt_status;
 193 }
 194
 195 NTSTATUS auth_ntlmssp_prepare(const struct tsocket_address *remote_address,
 196                               struct auth_ntlmssp_state **auth_ntlmssp_state)
 197 {
 198         NTSTATUS nt_status;
 199         bool is_standalone;
 200         const char *netbios_name;
 201         const char *netbios_domain;
 202         const char *dns_name;
 203         char *dns_domain;
 204         struct auth_ntlmssp_state *ans;
 205         struct auth_context *auth_context;
 206
 207         ans = talloc_zero(NULL, struct auth_ntlmssp_state);
 208         if (!ans) {
 209                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
 210                 return NT_STATUS_NO_MEMORY;
 211         }
 212
 213         nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context);
 214         if (!NT_STATUS_IS_OK(nt_status)) {
 215                 TALLOC_FREE(ans);
 216                 return nt_status;
 217         }
 218
 219         ans->auth_context = talloc_steal(ans, auth_context);
 220
 221         if (auth_context->prepare_gensec) {
 222                 nt_status = auth_context->prepare_gensec(ans, &ans->gensec_security);
 223                 if (!NT_STATUS_IS_OK(nt_status)) {
 224                         TALLOC_FREE(ans);
 225                         return nt_status;
 226                 }
 227                 *auth_ntlmssp_state = ans;
 228                 return NT_STATUS_OK;
 229         }
 230
 231         if ((enum server_role)lp_server_role() == ROLE_STANDALONE) {
 232                 is_standalone = true;
 233         } else {
 234                 is_standalone = false;
 235         }
 236
 237         netbios_name = lp_netbios_name();
 238         netbios_domain = lp_workgroup();
 239         /* This should be a 'netbios domain -> DNS domain' mapping */
 240         dns_domain = get_mydnsdomname(talloc_tos());
 241         if (dns_domain) {
 242                 strlower_m(dns_domain);
 243         }
 244         dns_name = get_mydnsfullname();
 245
 246         ans->remote_address = tsocket_address_copy(remote_address, ans);
 247         if (ans->remote_address == NULL) {
 248                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
 249                 return NT_STATUS_NO_MEMORY;
 250         }
 251
 252         nt_status = ntlmssp_server_start(ans,
 253                                          is_standalone,
 254                                          netbios_name,
 255                                          netbios_domain,
 256                                          dns_name,
 257                                          dns_domain,
 258                                          &ans->ntlmssp_state);
 259         if (!NT_STATUS_IS_OK(nt_status)) {
 260                 return nt_status;
 261         }
 262
 263         ans->ntlmssp_state->callback_private = ans;
 264         ans->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
 265         ans->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
 266         ans->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
 267         ans->ntlmssp_state->check_password = auth_ntlmssp_check_password;
 268
 269         *auth_ntlmssp_state = ans;
 270         return NT_STATUS_OK;
 271 }
 272
 273 NTSTATUS auth_generic_start(struct auth_ntlmssp_state *auth_ntlmssp_state, const char *oid)
 274 {
 275         if (auth_ntlmssp_state->auth_context->gensec_start_mech_by_oid) {
 276                 return auth_ntlmssp_state->auth_context->gensec_start_mech_by_oid(auth_ntlmssp_state->gensec_security, oid);
 277         }
 278
 279         if (strcmp(oid, GENSEC_OID_NTLMSSP) != 0) {
 280                 /* The caller will then free the auth_ntlmssp_state,
 281                  * undoing what was done in auth_ntlmssp_prepare().
 282                  *
 283                  * We can't do that logic here, as
 284                  * auth_ntlmssp_want_feature() may have been called in
 285                  * between.
 286                  */
 287                 return NT_STATUS_NOT_IMPLEMENTED;
 288         }
 289
 290         return NT_STATUS_OK;
 291 }
 292
 293 NTSTATUS auth_generic_authtype_start(struct auth_ntlmssp_state *auth_ntlmssp_state,
 294                                      uint8_t auth_type, uint8_t auth_level)
 295 {
 296         if (auth_ntlmssp_state->auth_context->gensec_start_mech_by_authtype) {
 297                 return auth_ntlmssp_state->auth_context->gensec_start_mech_by_authtype(auth_ntlmssp_state->gensec_security,
 298                                                                                        auth_type, auth_level);
 299         }
 300
 301         if (auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
 302                 /* The caller will then free the auth_ntlmssp_state,
 303                  * undoing what was done in auth_ntlmssp_prepare().
 304                  *
 305                  * We can't do that logic here, as
 306                  * auth_ntlmssp_want_feature() may have been called in
 307                  * between.
 308                  */
 309                 return NT_STATUS_NOT_IMPLEMENTED;
 310         }
 311
 312         if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
 313                 auth_ntlmssp_want_feature(auth_ntlmssp_state, NTLMSSP_FEATURE_SIGN);
 314         } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
 315                 /* Always implies both sign and seal for ntlmssp */
 316                 auth_ntlmssp_want_feature(auth_ntlmssp_state, NTLMSSP_FEATURE_SEAL);
 317         } else if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
 318                 /* Default features */
 319         } else {
 320                 DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n",
 321                          auth_level));
 322                 return NT_STATUS_INVALID_PARAMETER;
 323         }
 324
 325         return NT_STATUS_OK;
 326 }
 327
 328 NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state *auth_ntlmssp_state)
 329 {
 330         return auth_generic_start(auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
 331 }