2 Unix SMB/Netbios implementation.
4 handle NLTMSSP, server side
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett 2001-2003
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "../libcli/auth/ntlmssp.h"
26 struct auth_ntlmssp_state {
28 struct auth_context *auth_context;
29 struct auth_serversupplied_info *server_info;
30 struct ntlmssp_state *ntlmssp_state;
33 NTSTATUS auth_ntlmssp_sign_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
34 TALLOC_CTX *sig_mem_ctx,
35 const uint8_t *data, size_t length,
36 const uint8_t *whole_pdu, size_t pdu_length,
39 return ntlmssp_sign_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
42 NTSTATUS auth_ntlmssp_check_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
43 const uint8_t *data, size_t length,
44 const uint8_t *whole_pdu, size_t pdu_length,
47 return ntlmssp_check_packet(auth_ntlmssp_state->ntlmssp_state, data, length, whole_pdu, pdu_length, sig);
50 NTSTATUS auth_ntlmssp_seal_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
51 TALLOC_CTX *sig_mem_ctx,
52 uint8_t *data, size_t length,
53 const uint8_t *whole_pdu, size_t pdu_length,
56 return ntlmssp_seal_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
59 NTSTATUS auth_ntlmssp_unseal_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
60 uint8_t *data, size_t length,
61 const uint8_t *whole_pdu, size_t pdu_length,
64 return ntlmssp_unseal_packet(auth_ntlmssp_state->ntlmssp_state, data, length, whole_pdu, pdu_length, sig);
67 bool auth_ntlmssp_negotiated_sign(struct auth_ntlmssp_state *auth_ntlmssp_state)
69 return auth_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN;
72 bool auth_ntlmssp_negotiated_seal(struct auth_ntlmssp_state *auth_ntlmssp_state)
74 return auth_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL;
77 void auth_ntlmssp_want_sign(struct auth_ntlmssp_state *auth_ntlmssp_state)
82 void auth_ntlmssp_want_seal(struct auth_ntlmssp_state *auth_ntlmssp_state)
87 NTSTATUS auth_ntlmssp_server_info(TALLOC_CTX *mem_ctx,
88 struct auth_ntlmssp_state *auth_ntlmssp_state,
89 struct auth_serversupplied_info **_server_info)
91 struct auth_serversupplied_info *server_info = auth_ntlmssp_state->server_info;
92 data_blob_free(&server_info->user_session_key);
93 server_info->user_session_key =
96 auth_ntlmssp_state->ntlmssp_state->session_key.data,
97 auth_ntlmssp_state->ntlmssp_state->session_key.length);
98 if (auth_ntlmssp_state->ntlmssp_state->session_key.length && !server_info->user_session_key.data) {
100 return NT_STATUS_NO_MEMORY;
102 auth_ntlmssp_state->server_info = NULL;
103 *_server_info = talloc_steal(mem_ctx, server_info);
107 struct ntlmssp_state *auth_ntlmssp_get_ntlmssp_state(struct auth_ntlmssp_state *auth_ntlmssp_state)
109 return auth_ntlmssp_state->ntlmssp_state;
112 /* Needed for 'map to guest' and 'smb username' processing */
113 const char *auth_ntlmssp_get_username(struct auth_ntlmssp_state *auth_ntlmssp_state)
115 return auth_ntlmssp_state->ntlmssp_state->user;
118 const char *auth_ntlmssp_get_domain(struct auth_ntlmssp_state *auth_ntlmssp_state)
120 return auth_ntlmssp_state->ntlmssp_state->domain;
123 const char *auth_ntlmssp_get_client(struct auth_ntlmssp_state *auth_ntlmssp_state)
125 return auth_ntlmssp_state->ntlmssp_state->client.netbios_name;
129 * Return the challenge as determined by the authentication subsystem
130 * @return an 8 byte random challenge
133 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
136 struct auth_ntlmssp_state *auth_ntlmssp_state =
137 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
138 auth_ntlmssp_state->auth_context->get_ntlm_challenge(
139 auth_ntlmssp_state->auth_context, chal);
144 * Some authentication methods 'fix' the challenge, so we may not be able to set it
146 * @return If the effective challenge used by the auth subsystem may be modified
148 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
150 struct auth_ntlmssp_state *auth_ntlmssp_state =
151 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
152 struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
154 return auth_context->challenge_may_be_modified;
158 * NTLM2 authentication modifies the effective challenge,
159 * @param challenge The new challenge value
161 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
163 struct auth_ntlmssp_state *auth_ntlmssp_state =
164 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
165 struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
167 SMB_ASSERT(challenge->length == 8);
169 auth_context->challenge = data_blob_talloc(auth_context,
170 challenge->data, challenge->length);
172 auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)";
174 DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
175 DEBUG(5, ("challenge is: \n"));
176 dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
181 * Check the password on an NTLMSSP login.
183 * Return the session keys used on the connection.
186 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
188 struct auth_ntlmssp_state *auth_ntlmssp_state =
189 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
190 struct auth_usersupplied_info *user_info = NULL;
192 bool username_was_mapped;
194 /* the client has given us its machine name (which we otherwise would not get on port 445).
195 we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
197 set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->client.netbios_name, True);
199 /* setup the string used by %U */
200 /* sub_set_smb_name checks for weird internally */
201 sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
203 reload_services(True);
205 nt_status = make_user_info_map(&user_info,
206 auth_ntlmssp_state->ntlmssp_state->user,
207 auth_ntlmssp_state->ntlmssp_state->domain,
208 auth_ntlmssp_state->ntlmssp_state->client.netbios_name,
209 auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
210 auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
214 user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
216 if (!NT_STATUS_IS_OK(nt_status)) {
220 nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context,
221 user_info, &auth_ntlmssp_state->server_info);
223 username_was_mapped = user_info->was_mapped;
225 free_user_info(&user_info);
227 if (!NT_STATUS_IS_OK(nt_status)) {
231 auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
233 nt_status = create_local_token(auth_ntlmssp_state->server_info);
235 if (!NT_STATUS_IS_OK(nt_status)) {
236 DEBUG(10, ("create_local_token failed: %s\n",
237 nt_errstr(nt_status)));
241 if (auth_ntlmssp_state->server_info->user_session_key.length) {
242 DEBUG(10, ("Got NT session key of length %u\n",
243 (unsigned int)auth_ntlmssp_state->server_info->user_session_key.length));
244 *user_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
245 auth_ntlmssp_state->server_info->user_session_key.data,
246 auth_ntlmssp_state->server_info->user_session_key.length);
248 if (auth_ntlmssp_state->server_info->lm_session_key.length) {
249 DEBUG(10, ("Got LM session key of length %u\n",
250 (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
251 *lm_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
252 auth_ntlmssp_state->server_info->lm_session_key.data,
253 auth_ntlmssp_state->server_info->lm_session_key.length);
258 NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state)
263 const char *netbios_name;
264 const char *netbios_domain;
265 const char *dns_name;
268 if ((enum server_types)lp_server_role() == ROLE_STANDALONE) {
269 is_standalone = true;
271 is_standalone = false;
274 netbios_name = global_myname();
275 netbios_domain = lp_workgroup();
276 /* This should be a 'netbios domain -> DNS domain' mapping */
277 dns_domain = get_mydnsdomname(talloc_tos());
279 strlower_m(dns_domain);
281 dns_name = get_mydnsfullname();
283 mem_ctx = talloc_init("AUTH NTLMSSP context");
285 *auth_ntlmssp_state = TALLOC_ZERO_P(mem_ctx, struct auth_ntlmssp_state);
286 if (!*auth_ntlmssp_state) {
287 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
288 talloc_destroy(mem_ctx);
289 return NT_STATUS_NO_MEMORY;
292 ZERO_STRUCTP(*auth_ntlmssp_state);
294 (*auth_ntlmssp_state)->mem_ctx = mem_ctx;
296 nt_status = ntlmssp_server_start(NULL,
302 &(*auth_ntlmssp_state)->ntlmssp_state);
303 if (!NT_STATUS_IS_OK(nt_status)) {
307 if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&(*auth_ntlmssp_state)->auth_context))) {
311 (*auth_ntlmssp_state)->ntlmssp_state->callback_private = (*auth_ntlmssp_state);
312 (*auth_ntlmssp_state)->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
313 (*auth_ntlmssp_state)->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
314 (*auth_ntlmssp_state)->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
315 (*auth_ntlmssp_state)->ntlmssp_state->check_password = auth_ntlmssp_check_password;
320 void auth_ntlmssp_end(struct auth_ntlmssp_state **auth_ntlmssp_state)
324 if (*auth_ntlmssp_state == NULL) {
328 mem_ctx = (*auth_ntlmssp_state)->mem_ctx;
329 if ((*auth_ntlmssp_state)->ntlmssp_state) {
330 ntlmssp_end(&(*auth_ntlmssp_state)->ntlmssp_state);
332 if ((*auth_ntlmssp_state)->auth_context) {
333 ((*auth_ntlmssp_state)->auth_context->free)(&(*auth_ntlmssp_state)->auth_context);
335 if ((*auth_ntlmssp_state)->server_info) {
336 TALLOC_FREE((*auth_ntlmssp_state)->server_info);
338 talloc_destroy(mem_ctx);
339 *auth_ntlmssp_state = NULL;
342 NTSTATUS auth_ntlmssp_update(struct auth_ntlmssp_state *auth_ntlmssp_state,
343 const DATA_BLOB request, DATA_BLOB *reply)
345 return ntlmssp_update(auth_ntlmssp_state->ntlmssp_state, request, reply);