handle NLTMSSP, server side
Copyright (C) Andrew Tridgell 2001
- Copyright (C) Andrew Bartlett 2001-2003
+ Copyright (C) Andrew Bartlett 2001-2005,2011
+ Copyright (C) Stefan Metzmacher 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
*/
#include "includes.h"
-#include "ntlmssp.h"
+#include "auth.h"
+#include "libcli/security/security.h"
+
+NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context,
+ TALLOC_CTX *mem_ctx,
+ void *server_returned_info,
+ const char *original_user_name,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
+{
+ struct auth_user_info_dc *user_info = NULL;
+ struct auth_serversupplied_info *server_info = NULL;
+ NTSTATUS nt_status;
+
+ /*
+ * This is a hack, some callers...
+ *
+ * Some callers pass auth_user_info_dc, the SCHANNEL and
+ * NCALRPC_AS_SYSTEM gensec modules.
+ *
+ * While the reset passes auth3_check_password() returned.
+ */
+ user_info = talloc_get_type(server_returned_info,
+ struct auth_user_info_dc);
+ if (user_info != NULL) {
+ const struct dom_sid *sid;
+ int cmp;
+
+ /*
+ * This should only be called from SCHANNEL or NCALRPC_AS_SYSTEM
+ */
+ if (user_info->num_sids != 1) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ sid = &user_info->sids[PRIMARY_USER_SID_INDEX];
+
+ cmp = dom_sid_compare(sid, &global_sid_System);
+ if (cmp == 0) {
+ return make_session_info_system(mem_ctx, session_info);
+ }
+
+ cmp = dom_sid_compare(sid, &global_sid_Anonymous);
+ if (cmp == 0) {
+ /*
+ * TODO: use auth_anonymous_session_info() here?
+ */
+ return make_session_info_guest(mem_ctx, session_info);
+ }
+
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ server_info = talloc_get_type_abort(server_returned_info,
+ struct auth_serversupplied_info);
+ nt_status = create_local_token(mem_ctx,
+ server_info,
+ NULL,
+ original_user_name,
+ session_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(10, ("create_local_token failed: %s\n",
+ nt_errstr(nt_status)));
+ return nt_status;
+ }
+
+ return NT_STATUS_OK;
+}
/**
* Return the challenge as determined by the authentication subsystem
* @return an 8 byte random challenge
*/
-static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
+NTSTATUS auth3_get_challenge(struct auth4_context *auth4_context,
uint8_t chal[8])
{
- AUTH_NTLMSSP_STATE *auth_ntlmssp_state =
- (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context;
- auth_ntlmssp_state->auth_context->get_ntlm_challenge(
- auth_ntlmssp_state->auth_context, chal);
+ struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
+ struct auth_context);
+ auth_get_ntlm_challenge(auth_context, chal);
return NT_STATUS_OK;
}
-/**
- * Some authentication methods 'fix' the challenge, so we may not be able to set it
- *
- * @return If the effective challenge used by the auth subsystem may be modified
- */
-static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
-{
- AUTH_NTLMSSP_STATE *auth_ntlmssp_state =
- (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context;
- struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
-
- return auth_context->challenge_may_be_modified;
-}
-
/**
* NTLM2 authentication modifies the effective challenge,
* @param challenge The new challenge value
*/
-static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
+NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t *chal,
+ const char *challenge_set_by)
{
- AUTH_NTLMSSP_STATE *auth_ntlmssp_state =
- (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context;
- struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
-
- SMB_ASSERT(challenge->length == 8);
+ struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
+ struct auth_context);
- auth_context->challenge = data_blob_talloc(auth_context->mem_ctx,
- challenge->data, challenge->length);
+ auth_context->challenge = data_blob_talloc(auth_context,
+ chal, 8);
+ NT_STATUS_HAVE_NO_MEMORY(auth_context->challenge.data);
- auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)";
+ auth_context->challenge_set_by = talloc_strdup(auth_context, challenge_set_by);
+ NT_STATUS_HAVE_NO_MEMORY(auth_context->challenge_set_by);
DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
DEBUG(5, ("challenge is: \n"));
* Return the session keys used on the connection.
*/
-static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
+NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info,
+ void **server_returned_info,
+ DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
{
- AUTH_NTLMSSP_STATE *auth_ntlmssp_state =
- (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context;
- struct auth_usersupplied_info *user_info = NULL;
+ struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
+ struct auth_context);
+ struct auth_usersupplied_info *mapped_user_info = NULL;
+ struct auth_serversupplied_info *server_info;
NTSTATUS nt_status;
bool username_was_mapped;
- /* the client has given us its machine name (which we otherwise would not get on port 445).
- we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
+ /* The client has given us its machine name (which we only get over NBT transport).
+ We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
- set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->workstation, True);
+ set_remote_machine_name(user_info->workstation_name, True);
/* setup the string used by %U */
/* sub_set_smb_name checks for weird internally */
- sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
-
- reload_services(True);
-
- nt_status = make_user_info_map(&user_info,
- auth_ntlmssp_state->ntlmssp_state->user,
- auth_ntlmssp_state->ntlmssp_state->domain,
- auth_ntlmssp_state->ntlmssp_state->workstation,
- auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
- auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
+ sub_set_smb_name(user_info->client.account_name);
+
+ lp_load_with_shares(get_dyn_CONFIGFILE());
+
+ nt_status = make_user_info_map(talloc_tos(),
+ &mapped_user_info,
+ user_info->client.account_name,
+ user_info->client.domain_name,
+ user_info->workstation_name,
+ user_info->remote_host,
+ user_info->password.response.lanman.data ? &user_info->password.response.lanman : NULL,
+ user_info->password.response.nt.data ? &user_info->password.response.nt : NULL,
NULL, NULL, NULL,
- True);
-
- user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
+ AUTH_PASSWORD_RESPONSE);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
- nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context,
- user_info, &auth_ntlmssp_state->server_info);
+ mapped_user_info->logon_parameters = user_info->logon_parameters;
- username_was_mapped = user_info->was_mapped;
+ mapped_user_info->flags = user_info->flags;
- free_user_info(&user_info);
+ nt_status = auth_check_ntlm_password(mem_ctx,
+ auth_context,
+ mapped_user_info,
+ &server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
+ DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
+ user_info->client.domain_name,
+ user_info->client.account_name,
+ nt_errstr(nt_status)));
}
- auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
+ username_was_mapped = mapped_user_info->was_mapped;
- nt_status = create_local_token(auth_ntlmssp_state->server_info);
+ TALLOC_FREE(mapped_user_info);
if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(10, ("create_local_token failed: %s\n",
- nt_errstr(nt_status)));
+ nt_status = do_map_to_guest_server_info(mem_ctx,
+ nt_status,
+ user_info->client.account_name,
+ user_info->client.domain_name,
+ &server_info);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ *server_returned_info = talloc_steal(mem_ctx, server_info);
+ }
return nt_status;
}
- if (auth_ntlmssp_state->server_info->user_session_key.length) {
+ server_info->nss_token |= username_was_mapped;
+
+ /* Clear out the session keys, and pass them to the caller.
+ * They will not be used in this form again - instead the
+ * NTLMSSP code will decide on the final correct session key,
+ * and supply it to create_local_token() */
+ if (session_key) {
DEBUG(10, ("Got NT session key of length %u\n",
- (unsigned int)auth_ntlmssp_state->server_info->user_session_key.length));
- *user_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
- auth_ntlmssp_state->server_info->user_session_key.data,
- auth_ntlmssp_state->server_info->user_session_key.length);
+ (unsigned int)server_info->session_key.length));
+ *session_key = server_info->session_key;
+ talloc_steal(mem_ctx, server_info->session_key.data);
+ server_info->session_key = data_blob_null;
}
- if (auth_ntlmssp_state->server_info->lm_session_key.length) {
+ if (lm_session_key) {
DEBUG(10, ("Got LM session key of length %u\n",
- (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
- *lm_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
- auth_ntlmssp_state->server_info->lm_session_key.data,
- auth_ntlmssp_state->server_info->lm_session_key.length);
+ (unsigned int)server_info->lm_session_key.length));
+ *lm_session_key = server_info->lm_session_key;
+ talloc_steal(mem_ctx, server_info->lm_session_key.data);
+ server_info->lm_session_key = data_blob_null;
}
- return nt_status;
-}
-NTSTATUS auth_ntlmssp_start(AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
-{
- NTSTATUS nt_status;
- TALLOC_CTX *mem_ctx;
-
- mem_ctx = talloc_init("AUTH NTLMSSP context");
-
- *auth_ntlmssp_state = TALLOC_ZERO_P(mem_ctx, AUTH_NTLMSSP_STATE);
- if (!*auth_ntlmssp_state) {
- DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
- talloc_destroy(mem_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
- ZERO_STRUCTP(*auth_ntlmssp_state);
-
- (*auth_ntlmssp_state)->mem_ctx = mem_ctx;
-
- if (!NT_STATUS_IS_OK(nt_status = ntlmssp_server_start(&(*auth_ntlmssp_state)->ntlmssp_state))) {
- return nt_status;
- }
-
- if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&(*auth_ntlmssp_state)->auth_context))) {
- return nt_status;
- }
-
- (*auth_ntlmssp_state)->ntlmssp_state->auth_context = (*auth_ntlmssp_state);
- (*auth_ntlmssp_state)->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
- (*auth_ntlmssp_state)->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
- (*auth_ntlmssp_state)->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
- (*auth_ntlmssp_state)->ntlmssp_state->check_password = auth_ntlmssp_check_password;
- (*auth_ntlmssp_state)->ntlmssp_state->server_role = (enum server_types)lp_server_role();
-
- return NT_STATUS_OK;
-}
-
-void auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
-{
- TALLOC_CTX *mem_ctx;
-
- if (*auth_ntlmssp_state == NULL) {
- return;
- }
-
- mem_ctx = (*auth_ntlmssp_state)->mem_ctx;
- if ((*auth_ntlmssp_state)->ntlmssp_state) {
- ntlmssp_end(&(*auth_ntlmssp_state)->ntlmssp_state);
- }
- if ((*auth_ntlmssp_state)->auth_context) {
- ((*auth_ntlmssp_state)->auth_context->free)(&(*auth_ntlmssp_state)->auth_context);
- }
- if ((*auth_ntlmssp_state)->server_info) {
- TALLOC_FREE((*auth_ntlmssp_state)->server_info);
- }
- talloc_destroy(mem_ctx);
- *auth_ntlmssp_state = NULL;
-}
-
-NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state,
- const DATA_BLOB request, DATA_BLOB *reply)
-{
- return ntlmssp_update(auth_ntlmssp_state->ntlmssp_state, request, reply);
+ *server_returned_info = talloc_steal(mem_ctx, server_info);
+ return nt_status;
}