git.samba.org / amitay / samba.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
ntlmssp: Add ntlmssp_blob_matches_magic()
[amitay/samba.git] / source3 / smbd / sesssetup.c
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index dda4ef296e47e802c56cb6df8edaa9d44d0a1b3b..6dc8609071d0f3bae3f2541a83baee0a6e53ea80 100644 (file)
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -35,6 +35,8 @@
 #include "auth.h"
 #include "messages.h"
 #include "smbprofile.h"
+#include "../libcli/security/security.h"
+#include "auth/gensec/gensec.h"
 
 /* For split krb5 SPNEGO blobs. */
 struct pending_auth_data {
@@ -45,37 +47,6 @@ struct pending_auth_data {
        DATA_BLOB partial_data;
 };
 
-/*
-  on a logon error possibly map the error to success if "map to guest"
-  is set approriately
-*/
-NTSTATUS do_map_to_guest(NTSTATUS status,
-                       struct auth_serversupplied_info **server_info,
-                       const char *user, const char *domain)
-{
-       user = user ? user : "";
-       domain = domain ? domain : "";
-
-       if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
-               if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
-                   (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
-                       DEBUG(3,("No such user %s [%s] - using guest account\n",
-                                user, domain));
-                       status = make_server_info_guest(NULL, server_info);
-               }
-       }
-
-       if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
-               if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
-                       DEBUG(3,("Registered username %s for guest access\n",
-                               user));
-                       status = make_server_info_guest(NULL, server_info);
-               }
-       }
-
-       return status;
-}
-
 /****************************************************************************
  Add the standard 'Samba' signature to the end of the session setup.
 ****************************************************************************/
@@ -140,7 +111,8 @@ static void reply_sesssetup_blob(struct smb_request *req,
  Do a 'guest' logon, getting back the
 ****************************************************************************/
 
-static NTSTATUS check_guest_password(struct auth_serversupplied_info **server_info)
+static NTSTATUS check_guest_password(const struct tsocket_address *remote_address,
+                                    struct auth_serversupplied_info **server_info)
 {
        struct auth_context *auth_context;
        struct auth_usersupplied_info *user_info = NULL;
@@ -155,7 +127,7 @@ static NTSTATUS check_guest_password(struct auth_serversupplied_info **server_in
                return nt_status;
        }
 
-       if (!make_user_info_guest(&user_info)) {
+       if (!make_user_info_guest(remote_address, &user_info)) {
                TALLOC_FREE(auth_context);
                return NT_STATUS_NO_MEMORY;
        }
@@ -250,7 +222,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
        int sess_vuid = req->vuid;
        NTSTATUS ret = NT_STATUS_OK;
        DATA_BLOB ap_rep, ap_rep_wrapped, response;
-       struct auth_serversupplied_info *session_info = NULL;
+       struct auth_session_info *session_info = NULL;
        DATA_BLOB session_key = data_blob_null;
        uint8 tok_id[2];
        DATA_BLOB nullblob = data_blob_null;
@@ -346,7 +318,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
        }
 
        ret = get_user_from_kerberos_info(talloc_tos(),
-                                         sconn->client_id.name,
+                                         sconn->remote_hostname,
                                          principal, logon_info,
                                          &username_was_mapped,
                                          &map_domainuser_to_guest,
@@ -396,7 +368,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
         * it.... */
 
        sess_vuid = register_existing_vuid(sconn, sess_vuid,
-                                          session_info, nullblob, user);
+                                          session_info, nullblob);
 
        reply_outbuf(req, 4, 0);
        SSVAL(req->outbuf,smb_uid,sess_vuid);
@@ -409,7 +381,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
 
                SSVAL(req->outbuf, smb_vwv3, 0);
 
-               if (session_info->guest) {
+               if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
                        SSVAL(req->outbuf,smb_vwv2,1);
                }
 
@@ -455,21 +427,12 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
 {
        bool do_invalidate = true;
        DATA_BLOB response;
-       struct auth_serversupplied_info *session_info = NULL;
+       struct auth_session_info *session_info = NULL;
        struct smbd_server_connection *sconn = req->sconn;
 
        if (NT_STATUS_IS_OK(nt_status)) {
-               nt_status = auth_ntlmssp_steal_session_info(talloc_tos(),
+               nt_status = auth_ntlmssp_session_info(talloc_tos(),
                                        (*auth_ntlmssp_state), &session_info);
-       } else {
-               /* Note that this session_info won't have a session
-                * key.  But for map to guest, that's exactly the right
-                * thing - we can't reasonably guess the key the
-                * client wants, as the password was wrong */
-               nt_status = do_map_to_guest(nt_status,
-                                           &session_info,
-                                           auth_ntlmssp_get_username(*auth_ntlmssp_state),
-                                           auth_ntlmssp_get_domain(*auth_ntlmssp_state));
        }
 
        reply_outbuf(req, 4, 0);
@@ -486,8 +449,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
 
                /* register_existing_vuid keeps the server info */
                if (register_existing_vuid(sconn, vuid,
-                                          session_info, nullblob,
-                                          auth_ntlmssp_get_username(*auth_ntlmssp_state)) !=
+                                          session_info, nullblob) !=
                                           vuid) {
                        /* The problem is, *auth_ntlmssp_state points
                         * into the vuser this will have
@@ -503,7 +465,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
 
                SSVAL(req->outbuf, smb_vwv3, 0);
 
-               if (session_info->guest) {
+               if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
                        SSVAL(req->outbuf,smb_vwv2,1);
                }
        }
@@ -662,7 +624,18 @@ static void reply_spnego_negotiate(struct smb_request *req,
                return;
        }
 
-       status = auth_ntlmssp_start(auth_ntlmssp_state);
+       status = auth_ntlmssp_prepare(sconn->remote_address,
+                                     auth_ntlmssp_state);
+       if (!NT_STATUS_IS_OK(status)) {
+               /* Kill the intermediate vuid */
+               invalidate_vuid(sconn, vuid);
+               reply_nterror(req, nt_status_squash(status));
+               return;
+       }
+
+       auth_ntlmssp_want_feature(*auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
+       status = auth_ntlmssp_start(*auth_ntlmssp_state);
        if (!NT_STATUS_IS_OK(status)) {
                /* Kill the intermediate vuid */
                invalidate_vuid(sconn, vuid);
@@ -670,7 +643,7 @@ static void reply_spnego_negotiate(struct smb_request *req,
                return;
        }
 
-       status = auth_ntlmssp_update(*auth_ntlmssp_state,
+       status = auth_ntlmssp_update(*auth_ntlmssp_state, talloc_tos(),
                                        secblob, &chal);
 
        data_blob_free(&secblob);
@@ -763,7 +736,18 @@ static void reply_spnego_auth(struct smb_request *req,
        data_blob_free(&secblob);
 
        if (!*auth_ntlmssp_state) {
-               status = auth_ntlmssp_start(auth_ntlmssp_state);
+               status = auth_ntlmssp_prepare(sconn->remote_address,
+                                             auth_ntlmssp_state);
+               if (!NT_STATUS_IS_OK(status)) {
+                       /* Kill the intermediate vuid */
+                       invalidate_vuid(sconn, vuid);
+                       reply_nterror(req, nt_status_squash(status));
+                       return;
+               }
+
+               auth_ntlmssp_want_feature(*auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
+               status = auth_ntlmssp_start(*auth_ntlmssp_state);
                if (!NT_STATUS_IS_OK(status)) {
                        /* Kill the intermediate vuid */
                        invalidate_vuid(sconn, vuid);
@@ -772,8 +756,8 @@ static void reply_spnego_auth(struct smb_request *req,
                }
        }
 
-       status = auth_ntlmssp_update(*auth_ntlmssp_state,
-                                       auth, &auth_reply);
+       status = auth_ntlmssp_update(*auth_ntlmssp_state, talloc_tos(),
+                                    auth, &auth_reply);
 
        data_blob_free(&auth);
 
@@ -1151,31 +1135,32 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
                return;
        }
 
-       if (blob1.data[0] == ASN1_APPLICATION(0)) {
-
-               /* its a negTokenTarg packet */
-
-               reply_spnego_negotiate(req, vuid, blob1,
-                                      &vuser->auth_ntlmssp_state);
-               data_blob_free(&blob1);
-               return;
-       }
-
-       if (blob1.data[0] == ASN1_CONTEXT(1)) {
-
-               /* its a auth packet */
-
-               reply_spnego_auth(req, vuid, blob1,
-                                 &vuser->auth_ntlmssp_state);
-               data_blob_free(&blob1);
-               return;
-       }
-
-       if (strncmp((char *)(blob1.data), "NTLMSSP", 7) == 0) {
+       /* Handle either raw NTLMSSP or hand off the whole blob to
+        * GENSEC.  The processing at this layer is essentially
+        * identical regardless.  In particular, both rely only on the
+        * status code (not the contents of the packet) and do not
+        * wrap the result */
+       if (sconn->use_gensec_hook || ntlmssp_blob_matches_magic(&blob1)) {
                DATA_BLOB chal;
 
                if (!vuser->auth_ntlmssp_state) {
-                       status = auth_ntlmssp_start(&vuser->auth_ntlmssp_state);
+                       status = auth_ntlmssp_prepare(sconn->remote_address,
+                                                     &vuser->auth_ntlmssp_state);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               /* Kill the intermediate vuid */
+                               invalidate_vuid(sconn, vuid);
+                               data_blob_free(&blob1);
+                               reply_nterror(req, nt_status_squash(status));
+                               return;
+                       }
+
+                       auth_ntlmssp_want_feature(vuser->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
+                       if (sconn->use_gensec_hook) {
+                               status = auth_generic_start(vuser->auth_ntlmssp_state, GENSEC_OID_SPNEGO);
+                       } else {
+                               status = auth_ntlmssp_start(vuser->auth_ntlmssp_state);
+                       }
                        if (!NT_STATUS_IS_OK(status)) {
                                /* Kill the intermediate vuid */
                                invalidate_vuid(sconn, vuid);
@@ -1186,17 +1171,38 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
                }
 
                status = auth_ntlmssp_update(vuser->auth_ntlmssp_state,
-                                               blob1, &chal);
+                                            talloc_tos(),
+                                            blob1, &chal);
 
                data_blob_free(&blob1);
 
                reply_spnego_ntlmssp(req, vuid,
                                     &vuser->auth_ntlmssp_state,
-                                    &chal, status, OID_NTLMSSP, false);
+                                    &chal, status, NULL, false);
                data_blob_free(&chal);
                return;
        }
 
+       if (blob1.data[0] == ASN1_APPLICATION(0)) {
+
+               /* its a negTokenTarg packet */
+
+               reply_spnego_negotiate(req, vuid, blob1,
+                                      &vuser->auth_ntlmssp_state);
+               data_blob_free(&blob1);
+               return;
+       }
+
+       if (blob1.data[0] == ASN1_CONTEXT(1)) {
+
+               /* its a auth packet */
+
+               reply_spnego_auth(req, vuid, blob1,
+                                 &vuser->auth_ntlmssp_state);
+               data_blob_free(&blob1);
+               return;
+       }
+
        /* what sort of packet is this? */
        DEBUG(1,("Unknown packet in reply_sesssetup_and_X_spnego\n"));
 
@@ -1293,7 +1299,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
        const char *primary_domain;
        struct auth_usersupplied_info *user_info = NULL;
        struct auth_serversupplied_info *server_info = NULL;
-       struct auth_serversupplied_info *session_info = NULL;
+       struct auth_session_info *session_info = NULL;
        uint16 smb_flag2 = req->flags2;
 
        NTSTATUS nt_status;
@@ -1544,7 +1550,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
                }
                fstrcpy(sub_user, user);
        } else {
-               fstrcpy(sub_user, lp_guestaccount());
+               fstrcpy(sub_user, "");
        }
 
        sub_set_smb_name(sub_user);
@@ -1574,7 +1580,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
 
        if (!*user) {
 
-               nt_status = check_guest_password(&server_info);
+               nt_status = check_guest_password(sconn->remote_address, &server_info);
 
        } else if (doencrypt) {
                struct auth_context *negprot_auth_context = NULL;
@@ -1589,6 +1595,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
                }
                nt_status = make_user_info_for_reply_enc(&user_info, user,
                                                domain,
+                                               sconn->remote_address,
                                                lm_resp, nt_resp);
                if (NT_STATUS_IS_OK(nt_status)) {
                        nt_status = negprot_auth_context->check_ntlm_password(
@@ -1609,7 +1616,9 @@ void reply_sesssetup_and_X(struct smb_request *req)
                                        plaintext_auth_context, chal);
 
                        if (!make_user_info_for_reply(&user_info,
-                                                     user, domain, chal,
+                                                     user, domain,
+                                                     sconn->remote_address,
+                                                     chal,
                                                      plaintext_password)) {
                                nt_status = NT_STATUS_NO_MEMORY;
                        }
@@ -1628,8 +1637,8 @@ void reply_sesssetup_and_X(struct smb_request *req)
        free_user_info(&user_info);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
-               nt_status = do_map_to_guest(nt_status, &server_info,
-                               user, domain);
+               nt_status = do_map_to_guest_server_info(nt_status, &server_info,
+                                                       user, domain);
        }
 
        if (!NT_STATUS_IS_OK(nt_status)) {
@@ -1641,7 +1650,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
                return;
        }
 
-       nt_status = create_local_token(req, server_info, NULL, &session_info);
+       nt_status = create_local_token(req, server_info, NULL, sub_user, &session_info);
        TALLOC_FREE(server_info);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
@@ -1664,7 +1673,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
                /* perhaps grab OS version here?? */
        }
 
-       if (session_info->guest) {
+       if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
                SSVAL(req->outbuf,smb_vwv2,1);
        }
 
@@ -1688,8 +1697,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
                /* register_existing_vuid keeps the session_info */
                sess_vuid = register_existing_vuid(sconn, sess_vuid,
                                        session_info,
-                                       nt_resp.data ? nt_resp : lm_resp,
-                                       sub_user);
+                                       nt_resp.data ? nt_resp : lm_resp);
                if (sess_vuid == UID_FIELD_INVALID) {
                        data_blob_free(&nt_resp);
                        data_blob_free(&lm_resp);
Amitay's Samba development tree