2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001-2010
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/security/security.h"
26 #include "auth/credentials/credentials.h"
27 #include "param/param.h"
28 #include "auth/auth.h" /* for auth_user_info_dc */
29 #include "auth/session.h"
30 #include "auth/system_session_proto.h"
31 #include "libds/common/roles.h"
34 #define DBGC_CLASS DBGC_AUTH
37 prevent the static system session being freed
39 static int system_session_destructor(struct auth_session_info *info)
44 /* Create a security token for a session SYSTEM (the most
45 * trusted/privileged account), including the local machine account as
46 * the off-host credentials
48 _PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ctx)
50 static struct auth_session_info *static_session;
54 return static_session;
58 * Use NULL here, not the autofree context for this
59 * static pointer. The destructor prevents freeing this
62 nt_status = auth_system_session_info(NULL,
65 if (!NT_STATUS_IS_OK(nt_status)) {
66 TALLOC_FREE(static_session);
69 talloc_set_destructor(static_session, system_session_destructor);
70 return static_session;
73 NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
74 struct loadparm_context *lp_ctx,
75 struct auth_session_info **_session_info)
78 struct auth_user_info_dc *user_info_dc = NULL;
79 struct auth_session_info *session_info = NULL;
80 TALLOC_CTX *mem_ctx = NULL;
82 mem_ctx = talloc_new(parent_ctx);
83 if (mem_ctx == NULL) {
84 return NT_STATUS_NO_MEMORY;
87 nt_status = auth_system_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
89 if (!NT_STATUS_IS_OK(nt_status)) {
94 /* references the user_info_dc into the session_info */
95 nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
98 NT_STATUS_NOT_OK_RETURN(nt_status);
100 if (lpcfg_server_role(lp_ctx) != ROLE_STANDALONE) {
101 session_info->credentials = cli_credentials_init(session_info);
102 if (!session_info->credentials) {
103 return NT_STATUS_NO_MEMORY;
106 cli_credentials_set_conf(session_info->credentials, lp_ctx);
109 //cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
110 cli_credentials_set_machine_account(session_info->credentials, lp_ctx);
112 session_info->credentials = cli_credentials_init_anon(session_info);
113 if (!session_info->credentials) {
114 return NT_STATUS_NO_MEMORY;
118 *_session_info = session_info;
123 NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name,
124 struct auth_user_info_dc **_user_info_dc)
126 struct auth_user_info_dc *user_info_dc;
127 struct auth_user_info *info;
129 user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
130 NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
132 /* This returns a pointer to a struct dom_sid, which is the
133 * same as a 1 element list of struct dom_sid */
134 user_info_dc->num_sids = 1;
135 user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_SYSTEM);
136 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
138 /* annoying, but the Anonymous really does have a session key,
139 and it is all zeros! */
140 user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
141 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
143 user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
144 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
146 data_blob_clear(&user_info_dc->user_session_key);
147 data_blob_clear(&user_info_dc->lm_session_key);
149 user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
150 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
152 info->account_name = talloc_strdup(info, "SYSTEM");
153 NT_STATUS_HAVE_NO_MEMORY(info->account_name);
155 info->domain_name = talloc_strdup(info, "NT AUTHORITY");
156 NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
158 info->full_name = talloc_strdup(info, "System");
159 NT_STATUS_HAVE_NO_MEMORY(info->full_name);
161 info->logon_script = talloc_strdup(info, "");
162 NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
164 info->profile_path = talloc_strdup(info, "");
165 NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
167 info->home_directory = talloc_strdup(info, "");
168 NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
170 info->home_drive = talloc_strdup(info, "");
171 NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
173 info->logon_server = talloc_strdup(info, netbios_name);
174 NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
176 info->last_logon = 0;
177 info->last_logoff = 0;
178 info->acct_expiry = 0;
179 info->last_password_change = 0;
180 info->allow_password_change = 0;
181 info->force_password_change = 0;
183 info->logon_count = 0;
184 info->bad_password_count = 0;
186 info->acct_flags = ACB_NORMAL;
188 info->authenticated = true;
190 *_user_info_dc = user_info_dc;
196 static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
197 const char *netbios_name,
198 const char *domain_name,
199 struct dom_sid *domain_sid,
200 struct auth_user_info_dc **_user_info_dc)
202 struct auth_user_info_dc *user_info_dc;
203 struct auth_user_info *info;
205 user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
206 NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
208 user_info_dc->num_sids = 7;
209 user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids);
211 user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
212 sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
214 user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
215 sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], DOMAIN_RID_USERS);
217 user_info_dc->sids[2] = global_sid_Builtin_Administrators;
219 user_info_dc->sids[3] = *domain_sid;
220 sid_append_rid(&user_info_dc->sids[3], DOMAIN_RID_ADMINS);
221 user_info_dc->sids[4] = *domain_sid;
222 sid_append_rid(&user_info_dc->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
223 user_info_dc->sids[5] = *domain_sid;
224 sid_append_rid(&user_info_dc->sids[5], DOMAIN_RID_POLICY_ADMINS);
225 user_info_dc->sids[6] = *domain_sid;
226 sid_append_rid(&user_info_dc->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
228 /* What should the session key be?*/
229 user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
230 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
232 user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
233 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
235 data_blob_clear(&user_info_dc->user_session_key);
236 data_blob_clear(&user_info_dc->lm_session_key);
238 user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
239 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
241 info->account_name = talloc_strdup(info, "Administrator");
242 NT_STATUS_HAVE_NO_MEMORY(info->account_name);
244 info->domain_name = talloc_strdup(info, domain_name);
245 NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
247 info->full_name = talloc_strdup(info, "Administrator");
248 NT_STATUS_HAVE_NO_MEMORY(info->full_name);
250 info->logon_script = talloc_strdup(info, "");
251 NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
253 info->profile_path = talloc_strdup(info, "");
254 NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
256 info->home_directory = talloc_strdup(info, "");
257 NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
259 info->home_drive = talloc_strdup(info, "");
260 NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
262 info->logon_server = talloc_strdup(info, netbios_name);
263 NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
265 info->last_logon = 0;
266 info->last_logoff = 0;
267 info->acct_expiry = 0;
268 info->last_password_change = 0;
269 info->allow_password_change = 0;
270 info->force_password_change = 0;
272 info->logon_count = 0;
273 info->bad_password_count = 0;
275 info->acct_flags = ACB_NORMAL;
277 info->authenticated = true;
279 *_user_info_dc = user_info_dc;
284 static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
285 struct loadparm_context *lp_ctx,
286 struct dom_sid *domain_sid,
287 struct auth_session_info **session_info)
290 struct auth_user_info_dc *user_info_dc = NULL;
291 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
293 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
295 nt_status = auth_domain_admin_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
296 lpcfg_workgroup(lp_ctx), domain_sid,
298 if (!NT_STATUS_IS_OK(nt_status)) {
299 talloc_free(mem_ctx);
303 nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc,
304 AUTH_SESSION_INFO_SIMPLE_PRIVILEGES|AUTH_SESSION_INFO_AUTHENTICATED|AUTH_SESSION_INFO_DEFAULT_GROUPS,
306 /* There is already a reference between the sesion_info and user_info_dc */
307 if (NT_STATUS_IS_OK(nt_status)) {
308 talloc_steal(parent_ctx, *session_info);
310 talloc_free(mem_ctx);
314 _PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid)
317 struct auth_session_info *session_info = NULL;
318 nt_status = auth_domain_admin_session_info(mem_ctx,
322 if (!NT_STATUS_IS_OK(nt_status)) {
328 _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
329 struct loadparm_context *lp_ctx,
330 struct auth_session_info **_session_info)
333 struct auth_user_info_dc *user_info_dc = NULL;
334 struct auth_session_info *session_info = NULL;
335 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
337 nt_status = auth_anonymous_user_info_dc(mem_ctx,
338 lpcfg_netbios_name(lp_ctx),
340 if (!NT_STATUS_IS_OK(nt_status)) {
341 talloc_free(mem_ctx);
345 /* references the user_info_dc into the session_info */
346 nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
347 talloc_free(mem_ctx);
349 NT_STATUS_NOT_OK_RETURN(nt_status);
351 session_info->credentials = cli_credentials_init(session_info);
352 if (!session_info->credentials) {
353 return NT_STATUS_NO_MEMORY;
356 cli_credentials_set_conf(session_info->credentials, lp_ctx);
357 cli_credentials_set_anonymous(session_info->credentials);
359 *_session_info = session_info;
364 _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
365 const char *netbios_name,
366 struct auth_user_info_dc **_user_info_dc)
368 struct auth_user_info_dc *user_info_dc;
369 struct auth_user_info *info;
370 user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
371 NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
373 /* This returns a pointer to a struct dom_sid, which is the
374 * same as a 1 element list of struct dom_sid */
375 user_info_dc->num_sids = 1;
376 user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS);
377 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
379 /* annoying, but the Anonymous really does have a session key... */
380 user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
381 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
383 user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
384 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
386 /* and it is all zeros! */
387 data_blob_clear(&user_info_dc->user_session_key);
388 data_blob_clear(&user_info_dc->lm_session_key);
390 user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
391 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
393 info->account_name = talloc_strdup(info, "ANONYMOUS LOGON");
394 NT_STATUS_HAVE_NO_MEMORY(info->account_name);
396 info->domain_name = talloc_strdup(info, "NT AUTHORITY");
397 NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
399 info->full_name = talloc_strdup(info, "Anonymous Logon");
400 NT_STATUS_HAVE_NO_MEMORY(info->full_name);
402 info->logon_script = talloc_strdup(info, "");
403 NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
405 info->profile_path = talloc_strdup(info, "");
406 NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
408 info->home_directory = talloc_strdup(info, "");
409 NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
411 info->home_drive = talloc_strdup(info, "");
412 NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
414 info->logon_server = talloc_strdup(info, netbios_name);
415 NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
417 info->last_logon = 0;
418 info->last_logoff = 0;
419 info->acct_expiry = 0;
420 info->last_password_change = 0;
421 info->allow_password_change = 0;
422 info->force_password_change = 0;
424 info->logon_count = 0;
425 info->bad_password_count = 0;
427 info->acct_flags = ACB_NORMAL;
429 info->authenticated = false;
431 *_user_info_dc = user_info_dc;