git.samba.org / metze / samba / wip.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
debug auth_system_session
[metze/samba/wip.git] / source4 / auth / system_session.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Authentication utility functions
4    Copyright (C) Andrew Tridgell 1992-1998
5    Copyright (C) Andrew Bartlett 2001-2010
6    Copyright (C) Jeremy Allison 2000-2001
7    Copyright (C) Rafal Szczesniak 2002
8    Copyright (C) Stefan Metzmacher 2005
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "libcli/security/security.h"
26 #include "auth/credentials/credentials.h"
27 #include "param/param.h"
28 #include "auth/auth.h" /* for auth_user_info_dc */
29 #include "auth/session.h"
30 #include "auth/system_session_proto.h"
31 #include "libds/common/roles.h"
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_AUTH
35
36 /*
37   prevent the static system session being freed
38  */
39 static int system_session_destructor(struct auth_session_info *info)
40 {
41         return -1;
42 }
43
44 /* Create a security token for a session SYSTEM (the most
45  * trusted/privileged account), including the local machine account as
46  * the off-host credentials
47  */ 
48 _PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ctx)
49 {
50         static struct auth_session_info *static_session;
51         NTSTATUS nt_status;
52
53         if (static_session) {
54                 return static_session;
55         }
56
57         /*
58          * Use NULL here, not the autofree context for this
59          * static pointer. The destructor prevents freeing this
60          * memory anyway.
61          */
62         nt_status = auth_system_session_info(NULL,
63                                              lp_ctx,
64                                              &static_session);
65         if (!NT_STATUS_IS_OK(nt_status)) {
66                 TALLOC_FREE(static_session);
67                 return NULL;
68         }
69         talloc_set_destructor(static_session, system_session_destructor);
70         return static_session;
71 }
72
73 NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, 
74                                   struct loadparm_context *lp_ctx,
75                                   struct auth_session_info **_session_info) 
76 {
77         NTSTATUS nt_status;
78         struct auth_user_info_dc *user_info_dc = NULL;
79         struct auth_session_info *session_info = NULL;
80         TALLOC_CTX *mem_ctx = NULL;
81
82         mem_ctx = talloc_new(parent_ctx);
83         if (mem_ctx == NULL) {
84                 return NT_STATUS_NO_MEMORY;
85         }
86         
87         nt_status = auth_system_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
88                                             &user_info_dc);
89         if (!NT_STATUS_IS_OK(nt_status)) {
90                 talloc_free(mem_ctx);
91                 return nt_status;
92         }
93
94         /* references the user_info_dc into the session_info */
95         nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
96         talloc_free(mem_ctx);
97
98         NT_STATUS_NOT_OK_RETURN(nt_status);
99
100         if (lpcfg_server_role(lp_ctx) != ROLE_STANDALONE) {
101                 session_info->credentials = cli_credentials_init(session_info);
102                 if (!session_info->credentials) {
103                         return NT_STATUS_NO_MEMORY;
104                 }
105
106                 cli_credentials_set_conf(session_info->credentials, lp_ctx);
107
108                 log_stack_trace();
109                 //cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
110                 cli_credentials_set_machine_account(session_info->credentials, lp_ctx);
111         } else {
112                 session_info->credentials = cli_credentials_init_anon(session_info);
113                 if (!session_info->credentials) {
114                         return NT_STATUS_NO_MEMORY;
115                 }
116         }
117
118         *_session_info = session_info;
119
120         return NT_STATUS_OK;
121 }
122
123 NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name,
124                                  struct auth_user_info_dc **_user_info_dc)
125 {
126         struct auth_user_info_dc *user_info_dc;
127         struct auth_user_info *info;
128
129         user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
130         NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
131
132         /* This returns a pointer to a struct dom_sid, which is the
133          * same as a 1 element list of struct dom_sid */
134         user_info_dc->num_sids = 1;
135         user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_SYSTEM);
136         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
137
138         /* annoying, but the Anonymous really does have a session key, 
139            and it is all zeros! */
140         user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
141         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
142
143         user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
144         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
145
146         data_blob_clear(&user_info_dc->user_session_key);
147         data_blob_clear(&user_info_dc->lm_session_key);
148
149         user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
150         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
151
152         info->account_name = talloc_strdup(info, "SYSTEM");
153         NT_STATUS_HAVE_NO_MEMORY(info->account_name);
154
155         info->domain_name = talloc_strdup(info, "NT AUTHORITY");
156         NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
157
158         info->full_name = talloc_strdup(info, "System");
159         NT_STATUS_HAVE_NO_MEMORY(info->full_name);
160
161         info->logon_script = talloc_strdup(info, "");
162         NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
163
164         info->profile_path = talloc_strdup(info, "");
165         NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
166
167         info->home_directory = talloc_strdup(info, "");
168         NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
169
170         info->home_drive = talloc_strdup(info, "");
171         NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
172
173         info->logon_server = talloc_strdup(info, netbios_name);
174         NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
175
176         info->last_logon = 0;
177         info->last_logoff = 0;
178         info->acct_expiry = 0;
179         info->last_password_change = 0;
180         info->allow_password_change = 0;
181         info->force_password_change = 0;
182
183         info->logon_count = 0;
184         info->bad_password_count = 0;
185
186         info->acct_flags = ACB_NORMAL;
187
188         info->authenticated = true;
189
190         *_user_info_dc = user_info_dc;
191
192         return NT_STATUS_OK;
193 }
194
195
196 static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
197                                               const char *netbios_name,
198                                               const char *domain_name,
199                                               struct dom_sid *domain_sid,
200                                               struct auth_user_info_dc **_user_info_dc)
201 {
202         struct auth_user_info_dc *user_info_dc;
203         struct auth_user_info *info;
204
205         user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
206         NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
207
208         user_info_dc->num_sids = 7;
209         user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids);
210
211         user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
212         sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
213
214         user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
215         sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], DOMAIN_RID_USERS);
216
217         user_info_dc->sids[2] = global_sid_Builtin_Administrators;
218
219         user_info_dc->sids[3] = *domain_sid;
220         sid_append_rid(&user_info_dc->sids[3], DOMAIN_RID_ADMINS);
221         user_info_dc->sids[4] = *domain_sid;
222         sid_append_rid(&user_info_dc->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
223         user_info_dc->sids[5] = *domain_sid;
224         sid_append_rid(&user_info_dc->sids[5], DOMAIN_RID_POLICY_ADMINS);
225         user_info_dc->sids[6] = *domain_sid;
226         sid_append_rid(&user_info_dc->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
227
228         /* What should the session key be?*/
229         user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
230         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
231
232         user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
233         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
234
235         data_blob_clear(&user_info_dc->user_session_key);
236         data_blob_clear(&user_info_dc->lm_session_key);
237
238         user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
239         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
240
241         info->account_name = talloc_strdup(info, "Administrator");
242         NT_STATUS_HAVE_NO_MEMORY(info->account_name);
243
244         info->domain_name = talloc_strdup(info, domain_name);
245         NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
246
247         info->full_name = talloc_strdup(info, "Administrator");
248         NT_STATUS_HAVE_NO_MEMORY(info->full_name);
249
250         info->logon_script = talloc_strdup(info, "");
251         NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
252
253         info->profile_path = talloc_strdup(info, "");
254         NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
255
256         info->home_directory = talloc_strdup(info, "");
257         NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
258
259         info->home_drive = talloc_strdup(info, "");
260         NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
261
262         info->logon_server = talloc_strdup(info, netbios_name);
263         NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
264
265         info->last_logon = 0;
266         info->last_logoff = 0;
267         info->acct_expiry = 0;
268         info->last_password_change = 0;
269         info->allow_password_change = 0;
270         info->force_password_change = 0;
271
272         info->logon_count = 0;
273         info->bad_password_count = 0;
274
275         info->acct_flags = ACB_NORMAL;
276
277         info->authenticated = true;
278
279         *_user_info_dc = user_info_dc;
280
281         return NT_STATUS_OK;
282 }
283
284 static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
285                                                struct loadparm_context *lp_ctx,
286                                                struct dom_sid *domain_sid,
287                                                struct auth_session_info **session_info)
288 {
289         NTSTATUS nt_status;
290         struct auth_user_info_dc *user_info_dc = NULL;
291         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
292
293         NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
294
295         nt_status = auth_domain_admin_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
296                                                   lpcfg_workgroup(lp_ctx), domain_sid,
297                                                   &user_info_dc);
298         if (!NT_STATUS_IS_OK(nt_status)) {
299                 talloc_free(mem_ctx);
300                 return nt_status;
301         }
302
303         nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc,
304                                                AUTH_SESSION_INFO_SIMPLE_PRIVILEGES|AUTH_SESSION_INFO_AUTHENTICATED|AUTH_SESSION_INFO_DEFAULT_GROUPS,
305                                                session_info);
306         /* There is already a reference between the sesion_info and user_info_dc */
307         if (NT_STATUS_IS_OK(nt_status)) {
308                 talloc_steal(parent_ctx, *session_info);
309         }
310         talloc_free(mem_ctx);
311         return nt_status;
312 }
313
314 _PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid)
315 {
316         NTSTATUS nt_status;
317         struct auth_session_info *session_info = NULL;
318         nt_status = auth_domain_admin_session_info(mem_ctx,
319                                                    lp_ctx,
320                                                    domain_sid,
321                                                    &session_info);
322         if (!NT_STATUS_IS_OK(nt_status)) {
323                 return NULL;
324         }
325         return session_info;
326 }
327
328 _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, 
329                                               struct loadparm_context *lp_ctx,
330                                               struct auth_session_info **_session_info) 
331 {
332         NTSTATUS nt_status;
333         struct auth_user_info_dc *user_info_dc = NULL;
334         struct auth_session_info *session_info = NULL;
335         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
336         
337         nt_status = auth_anonymous_user_info_dc(mem_ctx,
338                                                lpcfg_netbios_name(lp_ctx),
339                                                &user_info_dc);
340         if (!NT_STATUS_IS_OK(nt_status)) {
341                 talloc_free(mem_ctx);
342                 return nt_status;
343         }
344
345         /* references the user_info_dc into the session_info */
346         nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
347         talloc_free(mem_ctx);
348
349         NT_STATUS_NOT_OK_RETURN(nt_status);
350
351         session_info->credentials = cli_credentials_init(session_info);
352         if (!session_info->credentials) {
353                 return NT_STATUS_NO_MEMORY;
354         }
355
356         cli_credentials_set_conf(session_info->credentials, lp_ctx);
357         cli_credentials_set_anonymous(session_info->credentials);
358         
359         *_session_info = session_info;
360
361         return NT_STATUS_OK;
362 }
363
364 _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
365                                     const char *netbios_name,
366                                     struct auth_user_info_dc **_user_info_dc)
367 {
368         struct auth_user_info_dc *user_info_dc;
369         struct auth_user_info *info;
370         user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
371         NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
372
373         /* This returns a pointer to a struct dom_sid, which is the
374          * same as a 1 element list of struct dom_sid */
375         user_info_dc->num_sids = 1;
376         user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS);
377         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
378
379         /* annoying, but the Anonymous really does have a session key... */
380         user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
381         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
382
383         user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
384         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
385
386         /*  and it is all zeros! */
387         data_blob_clear(&user_info_dc->user_session_key);
388         data_blob_clear(&user_info_dc->lm_session_key);
389
390         user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
391         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
392
393         info->account_name = talloc_strdup(info, "ANONYMOUS LOGON");
394         NT_STATUS_HAVE_NO_MEMORY(info->account_name);
395
396         info->domain_name = talloc_strdup(info, "NT AUTHORITY");
397         NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
398
399         info->full_name = talloc_strdup(info, "Anonymous Logon");
400         NT_STATUS_HAVE_NO_MEMORY(info->full_name);
401
402         info->logon_script = talloc_strdup(info, "");
403         NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
404
405         info->profile_path = talloc_strdup(info, "");
406         NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
407
408         info->home_directory = talloc_strdup(info, "");
409         NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
410
411         info->home_drive = talloc_strdup(info, "");
412         NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
413
414         info->logon_server = talloc_strdup(info, netbios_name);
415         NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
416
417         info->last_logon = 0;
418         info->last_logoff = 0;
419         info->acct_expiry = 0;
420         info->last_password_change = 0;
421         info->allow_password_change = 0;
422         info->force_password_change = 0;
423
424         info->logon_count = 0;
425         info->bad_password_count = 0;
426
427         info->acct_flags = ACB_NORMAL;
428
429         info->authenticated = false;
430
431         *_user_info_dc = user_info_dc;
432
433         return NT_STATUS_OK;
434 }
435
Work in progress branches