s3-auth Move map to guest to directly after the check_password calls
[amitay/samba.git] / source3 / auth / auth_ntlmssp.c
1 /* 
2    Unix SMB/Netbios implementation.
3    Version 3.0
4    handle NLTMSSP, server side
5
6    Copyright (C) Andrew Tridgell      2001
7    Copyright (C) Andrew Bartlett 2001-2003
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "auth.h"
25 #include "../libcli/auth/ntlmssp.h"
26 #include "ntlmssp_wrap.h"
27 #include "../librpc/gen_ndr/netlogon.h"
28 #include "../lib/tsocket/tsocket.h"
29
30 NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
31                                         struct auth_ntlmssp_state *auth_ntlmssp_state,
32                                         struct auth_session_info **session_info)
33 {
34         NTSTATUS nt_status = create_local_token(mem_ctx,
35                                                 auth_ntlmssp_state->server_info,
36                                                 &auth_ntlmssp_state->ntlmssp_state->session_key,
37                                                 session_info);
38
39         if (!NT_STATUS_IS_OK(nt_status)) {
40                 DEBUG(10, ("create_local_token failed: %s\n",
41                            nt_errstr(nt_status)));
42         }
43         return nt_status;
44 }
45
46 /**
47  * Return the challenge as determined by the authentication subsystem 
48  * @return an 8 byte random challenge
49  */
50
51 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
52                                            uint8_t chal[8])
53 {
54         struct auth_ntlmssp_state *auth_ntlmssp_state =
55                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
56         auth_ntlmssp_state->auth_context->get_ntlm_challenge(
57                 auth_ntlmssp_state->auth_context, chal);
58         return NT_STATUS_OK;
59 }
60
61 /**
62  * Some authentication methods 'fix' the challenge, so we may not be able to set it
63  *
64  * @return If the effective challenge used by the auth subsystem may be modified
65  */
66 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
67 {
68         struct auth_ntlmssp_state *auth_ntlmssp_state =
69                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
70         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
71
72         return auth_context->challenge_may_be_modified;
73 }
74
75 /**
76  * NTLM2 authentication modifies the effective challenge, 
77  * @param challenge The new challenge value
78  */
79 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
80 {
81         struct auth_ntlmssp_state *auth_ntlmssp_state =
82                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
83         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
84
85         SMB_ASSERT(challenge->length == 8);
86
87         auth_context->challenge = data_blob_talloc(auth_context,
88                                                    challenge->data, challenge->length);
89
90         auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)";
91
92         DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
93         DEBUG(5, ("challenge is: \n"));
94         dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
95         return NT_STATUS_OK;
96 }
97
98 /**
99  * Check the password on an NTLMSSP login.  
100  *
101  * Return the session keys used on the connection.
102  */
103
104 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *mem_ctx,
105                                             DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
106 {
107         struct auth_ntlmssp_state *auth_ntlmssp_state =
108                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
109         struct auth_usersupplied_info *user_info = NULL;
110         NTSTATUS nt_status;
111         bool username_was_mapped;
112
113         /* the client has given us its machine name (which we otherwise would not get on port 445).
114            we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
115
116         set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->client.netbios_name, True);
117
118         /* setup the string used by %U */
119         /* sub_set_smb_name checks for weird internally */
120         sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
121
122         lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
123
124         nt_status = make_user_info_map(&user_info,
125                                        auth_ntlmssp_state->ntlmssp_state->user, 
126                                        auth_ntlmssp_state->ntlmssp_state->domain, 
127                                        auth_ntlmssp_state->ntlmssp_state->client.netbios_name,
128                                        auth_ntlmssp_state->remote_address,
129                                        auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL, 
130                                        auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL, 
131                                        NULL, NULL, NULL,
132                                        AUTH_PASSWORD_RESPONSE);
133
134         if (!NT_STATUS_IS_OK(nt_status)) {
135                 return nt_status;
136         }
137
138         user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
139
140         nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context, 
141                                                                           user_info, &auth_ntlmssp_state->server_info); 
142
143         username_was_mapped = user_info->was_mapped;
144
145         free_user_info(&user_info);
146
147         if (!NT_STATUS_IS_OK(nt_status)) {
148                 nt_status = do_map_to_guest_server_info(nt_status,
149                                                         &auth_ntlmssp_state->server_info,
150                                                         auth_ntlmssp_state->ntlmssp_state->user,
151                                                         auth_ntlmssp_state->ntlmssp_state->domain);
152                 return nt_status;
153         }
154
155         auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
156
157         /* Clear out the session keys, and pass them to the caller.
158          * They will not be used in this form again - instead the
159          * NTLMSSP code will decide on the final correct session key,
160          * and put it back here at the end of
161          * auth_ntlmssp_steal_server_info */
162         if (auth_ntlmssp_state->server_info->session_key.length) {
163                 DEBUG(10, ("Got NT session key of length %u\n",
164                         (unsigned int)auth_ntlmssp_state->server_info->session_key.length));
165                 *session_key = auth_ntlmssp_state->server_info->session_key;
166                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->session_key.data);
167                 auth_ntlmssp_state->server_info->session_key = data_blob_null;
168         }
169         if (auth_ntlmssp_state->server_info->lm_session_key.length) {
170                 DEBUG(10, ("Got LM session key of length %u\n",
171                         (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
172                 *lm_session_key = auth_ntlmssp_state->server_info->lm_session_key;
173                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->lm_session_key.data);
174                 auth_ntlmssp_state->server_info->lm_session_key = data_blob_null;
175         }
176         return nt_status;
177 }
178
179 static int auth_ntlmssp_state_destructor(void *ptr);
180
181 NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
182                             struct auth_ntlmssp_state **auth_ntlmssp_state)
183 {
184         NTSTATUS nt_status;
185         bool is_standalone;
186         const char *netbios_name;
187         const char *netbios_domain;
188         const char *dns_name;
189         char *dns_domain;
190         struct auth_ntlmssp_state *ans;
191         struct auth_context *auth_context;
192
193         if ((enum server_role)lp_server_role() == ROLE_STANDALONE) {
194                 is_standalone = true;
195         } else {
196                 is_standalone = false;
197         }
198
199         netbios_name = lp_netbios_name();
200         netbios_domain = lp_workgroup();
201         /* This should be a 'netbios domain -> DNS domain' mapping */
202         dns_domain = get_mydnsdomname(talloc_tos());
203         if (dns_domain) {
204                 strlower_m(dns_domain);
205         }
206         dns_name = get_mydnsfullname();
207
208         ans = talloc_zero(NULL, struct auth_ntlmssp_state);
209         if (!ans) {
210                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
211                 return NT_STATUS_NO_MEMORY;
212         }
213
214         ans->remote_address = tsocket_address_copy(remote_address, ans);
215         if (ans->remote_address == NULL) {
216                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
217                 return NT_STATUS_NO_MEMORY;
218         }
219
220         nt_status = ntlmssp_server_start(ans,
221                                          is_standalone,
222                                          netbios_name,
223                                          netbios_domain,
224                                          dns_name,
225                                          dns_domain,
226                                          &ans->ntlmssp_state);
227         if (!NT_STATUS_IS_OK(nt_status)) {
228                 return nt_status;
229         }
230
231         nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context);
232         if (!NT_STATUS_IS_OK(nt_status)) {
233                 return nt_status;
234         }
235         ans->auth_context = talloc_steal(ans, auth_context);
236
237         ans->ntlmssp_state->callback_private = ans;
238         ans->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
239         ans->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
240         ans->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
241         ans->ntlmssp_state->check_password = auth_ntlmssp_check_password;
242
243         talloc_set_destructor((TALLOC_CTX *)ans, auth_ntlmssp_state_destructor);
244
245         *auth_ntlmssp_state = ans;
246         return NT_STATUS_OK;
247 }
248
249 static int auth_ntlmssp_state_destructor(void *ptr)
250 {
251         struct auth_ntlmssp_state *ans;
252
253         ans = talloc_get_type(ptr, struct auth_ntlmssp_state);
254
255         TALLOC_FREE(ans->remote_address);
256         TALLOC_FREE(ans->server_info);
257         TALLOC_FREE(ans->ntlmssp_state);
258         return 0;
259 }