#include "../libcli/smb/smb_common.h"
#include "../libcli/auth/spnego.h"
#include "../libcli/auth/ntlmssp.h"
+#include "../auth/gensec/gensec.h"
#include "ntlmssp_wrap.h"
#include "../librpc/gen_ndr/krb5pac.h"
#include "libads/kerberos_proto.h"
#include "../lib/util/asn1.h"
#include "auth.h"
+#include "../lib/tsocket/tsocket.h"
+#include "../libcli/security/security.h"
static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
uint64_t in_session_id,
return 0;
}
-static NTSTATUS setup_ntlmssp_session_info(struct smbd_smb2_session *session,
- NTSTATUS status)
-{
- if (NT_STATUS_IS_OK(status)) {
- status = auth_ntlmssp_steal_session_info(session,
- session->auth_ntlmssp_state,
- &session->session_info);
- } else {
- /* Note that this session_info won't have a session
- * key. But for map to guest, that's exactly the right
- * thing - we can't reasonably guess the key the
- * client wants, as the password was wrong */
- status = do_map_to_guest(status,
- &session->session_info,
- auth_ntlmssp_get_username(session->auth_ntlmssp_state),
- auth_ntlmssp_get_domain(session->auth_ntlmssp_state));
- }
- return status;
-}
-
#ifdef HAVE_KRB5
static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
struct smbd_smb2_request *smb2req,
struct passwd *pw = NULL;
NTSTATUS status;
char *real_username;
- fstring tmp;
bool username_was_mapped = false;
bool map_domainuser_to_guest = false;
}
status = get_user_from_kerberos_info(talloc_tos(),
- smb2req->sconn->client_id.name,
+ session->sconn->remote_hostname,
principal, logon_info,
&username_was_mapped,
&map_domainuser_to_guest,
session->do_signing = true;
}
- if (session->session_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
/* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
session->compat_vuser->vuid = session->vuid;
DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
- /* This is a potentially untrusted username */
- alpha_strcpy(tmp, user, ". _-$", sizeof(tmp));
- session->session_info->sanitized_username =
- talloc_strdup(session->session_info, tmp);
-
- if (!session->session_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
session->compat_vuser->homes_snum =
- register_homes_share(session->session_info->unix_name);
+ register_homes_share(session->session_info->unix_info->unix_name);
}
if (!session_claim(session->sconn, session->compat_vuser)) {
status = NT_STATUS_MORE_PROCESSING_REQUIRED;
} else {
/* Fall back to NTLMSSP. */
- status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
+ status = auth_ntlmssp_prepare(session->sconn->remote_address,
+ &session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
+ status = auth_ntlmssp_start(session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
status = auth_ntlmssp_update(session->auth_ntlmssp_state,
+ talloc_tos(),
secblob_in,
&chal_out);
}
uint16_t *out_session_flags,
uint64_t *out_session_id)
{
- fstring tmp;
-
if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
lp_server_signing() == Required) {
session->do_signing = true;
}
- if (session->session_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
/* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
session->compat_vuser->vuid = session->vuid;
DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
- /* This is a potentially untrusted username */
- alpha_strcpy(tmp,
- auth_ntlmssp_get_username(session->auth_ntlmssp_state),
- ". _-$",
- sizeof(tmp));
- session->session_info->sanitized_username = talloc_strdup(
- session->session_info, tmp);
-
- if (!session->compat_vuser->session_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
session->compat_vuser->homes_snum =
- register_homes_share(session->session_info->unix_name);
+ register_homes_share(session->session_info->unix_info->unix_name);
}
if (!session_claim(session->sconn, session->compat_vuser)) {
}
if (session->auth_ntlmssp_state == NULL) {
- status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
+ status = auth_ntlmssp_prepare(session->sconn->remote_address,
+ &session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ data_blob_free(&auth);
+ TALLOC_FREE(session);
+ return status;
+ }
+
+ auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
+ status = auth_ntlmssp_start(session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
data_blob_free(&auth);
TALLOC_FREE(session);
}
status = auth_ntlmssp_update(session->auth_ntlmssp_state,
- auth,
+ talloc_tos(), auth,
&auth_out);
- /* We need to call setup_ntlmssp_session_info() if status==NT_STATUS_OK,
- or if status is anything except NT_STATUS_MORE_PROCESSING_REQUIRED,
- as this can trigger map to guest. */
- if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- status = setup_ntlmssp_session_info(session, status);
+ /* If status is NT_STATUS_OK then we need to get the token.
+ * Map to guest is now internal to auth_ntlmssp */
+ if (NT_STATUS_IS_OK(status)) {
+ status = auth_ntlmssp_session_info(session,
+ session->auth_ntlmssp_state,
+ &session->session_info);
}
if (!NT_STATUS_IS_OK(status) &&
uint64_t *out_session_id)
{
NTSTATUS status;
- DATA_BLOB secblob_out = data_blob_null;
if (session->auth_ntlmssp_state == NULL) {
- status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
+ status = auth_ntlmssp_prepare(session->sconn->remote_address,
+ &session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;
}
- }
- /* RAW NTLMSSP */
- status = auth_ntlmssp_update(session->auth_ntlmssp_state,
- in_security_buffer,
- &secblob_out);
+ auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
- if (NT_STATUS_IS_OK(status) ||
- NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- *out_security_buffer = data_blob_talloc(smb2req,
- secblob_out.data,
- secblob_out.length);
- if (secblob_out.data && out_security_buffer->data == NULL) {
- TALLOC_FREE(session->auth_ntlmssp_state);
+ if (session->sconn->use_gensec_hook) {
+ status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_SPNEGO);
+ } else {
+ status = auth_ntlmssp_start(session->auth_ntlmssp_state);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
- return NT_STATUS_NO_MEMORY;
+ return status;
}
}
+ /* RAW NTLMSSP */
+ status = auth_ntlmssp_update(session->auth_ntlmssp_state,
+ smb2req,
+ in_security_buffer,
+ out_security_buffer);
+
if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
*out_session_id = session->vuid;
return status;
}
- status = setup_ntlmssp_session_info(session, status);
+ status = auth_ntlmssp_session_info(session,
+ session->auth_ntlmssp_state,
+ &session->session_info);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session->auth_ntlmssp_state);
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- if (in_security_buffer.data[0] == ASN1_APPLICATION(0)) {
- return smbd_smb2_spnego_negotiate(session,
+ /* Handle either raw NTLMSSP or hand off the whole blob to
+ * GENSEC. The processing at this layer is essentially
+ * identical regardless. In particular, both rely only on the
+ * status code (not the contents of the packet) and do not
+ * wrap the result */
+ if (session->sconn->use_gensec_hook
+ || ntlmssp_blob_matches_magic(&in_security_buffer)) {
+ return smbd_smb2_raw_ntlmssp_auth(session,
smb2req,
in_security_mode,
in_security_buffer,
out_session_flags,
out_security_buffer,
out_session_id);
- } else if (in_security_buffer.data[0] == ASN1_CONTEXT(1)) {
- return smbd_smb2_spnego_auth(session,
+ } else if (in_security_buffer.data[0] == ASN1_APPLICATION(0)) {
+ return smbd_smb2_spnego_negotiate(session,
smb2req,
in_security_mode,
in_security_buffer,
out_session_flags,
out_security_buffer,
out_session_id);
- } else if (strncmp((char *)(in_security_buffer.data), "NTLMSSP", 7) == 0) {
- return smbd_smb2_raw_ntlmssp_auth(session,
+ } else if (in_security_buffer.data[0] == ASN1_CONTEXT(1)) {
+ return smbd_smb2_spnego_auth(session,
smb2req,
in_security_mode,
in_security_buffer,
return NT_STATUS_LOGON_FAILURE;
}
-NTSTATUS smbd_smb2_request_check_session(struct smbd_smb2_request *req)
-{
- const uint8_t *inhdr;
- const uint8_t *outhdr;
- int i = req->current_idx;
- uint64_t in_session_id;
- void *p;
- struct smbd_smb2_session *session;
- bool chained_fixup = false;
-
- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
-
- in_session_id = BVAL(inhdr, SMB2_HDR_SESSION_ID);
-
- if (in_session_id == (0xFFFFFFFFFFFFFFFFLL)) {
- if (req->async) {
- /*
- * async request - fill in session_id from
- * already setup request out.vector[].iov_base.
- */
- outhdr = (const uint8_t *)req->out.vector[i].iov_base;
- in_session_id = BVAL(outhdr, SMB2_HDR_SESSION_ID);
- } else if (i > 2) {
- /*
- * Chained request - fill in session_id from
- * the previous request out.vector[].iov_base.
- */
- outhdr = (const uint8_t *)req->out.vector[i-3].iov_base;
- in_session_id = BVAL(outhdr, SMB2_HDR_SESSION_ID);
- chained_fixup = true;
- }
- }
-
- /* lookup an existing session */
- p = idr_find(req->sconn->smb2.sessions.idtree, in_session_id);
- if (p == NULL) {
- return NT_STATUS_USER_SESSION_DELETED;
- }
- session = talloc_get_type_abort(p, struct smbd_smb2_session);
-
- if (!NT_STATUS_IS_OK(session->status)) {
- return NT_STATUS_ACCESS_DENIED;
- }
-
- set_current_user_info(session->session_info->sanitized_username,
- session->session_info->unix_name,
- session->session_info->info3->base.domain.string);
-
- req->session = session;
-
- if (chained_fixup) {
- /* Fix up our own outhdr. */
- outhdr = (const uint8_t *)req->out.vector[i].iov_base;
- SBVAL(discard_const_p(uint8_t, outhdr), SMB2_HDR_SESSION_ID, in_session_id);
- }
- return NT_STATUS_OK;
-}
-
NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req)
{
const uint8_t *inbody;