source3/auth/auth_ntlmssp.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, server side
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett 2001-2005,2011
   8    Copyright (C) Stefan Metzmacher 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "auth.h"
  26 #include "../auth/ntlmssp/ntlmssp.h"
  27 #include "../librpc/gen_ndr/netlogon.h"
  28 #include "../librpc/gen_ndr/dcerpc.h"
  29 #include "../lib/tsocket/tsocket.h"
  30 #include "auth/gensec/gensec.h"
  31 #include "librpc/rpc/dcerpc.h"
  32 #include "lib/param/param.h"
  33
  34 NTSTATUS auth3_generate_session_info(TALLOC_CTX *mem_ctx,
  35                                      struct auth4_context *auth_context,
  36                                      void *server_returned_info,
  37                                      const char *original_user_name,
  38                                      uint32_t session_info_flags,
  39                                      struct auth_session_info **session_info)
  40 {
  41         struct auth_serversupplied_info *server_info = talloc_get_type_abort(server_returned_info,
  42                                                                              struct auth_serversupplied_info);
  43         NTSTATUS nt_status;
  44
  45         nt_status = create_local_token(mem_ctx,
  46                                        server_info,
  47                                        NULL,
  48                                        original_user_name,
  49                                        session_info);
  50         if (!NT_STATUS_IS_OK(nt_status)) {
  51                 DEBUG(10, ("create_local_token failed: %s\n",
  52                            nt_errstr(nt_status)));
  53                 return nt_status;
  54         }
  55
  56         return NT_STATUS_OK;
  57 }
  58
  59 static NTSTATUS gensec_ntlmssp3_server_update(struct gensec_security *gensec_security,
  60                                               TALLOC_CTX *out_mem_ctx,
  61                                               struct tevent_context *ev,
  62                                               const DATA_BLOB request,
  63                                               DATA_BLOB *reply)
  64 {
  65         NTSTATUS status;
  66         struct gensec_ntlmssp_context *gensec_ntlmssp =
  67                 talloc_get_type_abort(gensec_security->private_data,
  68                                       struct gensec_ntlmssp_context);
  69
  70         status = ntlmssp_update(gensec_ntlmssp->ntlmssp_state, request, reply);
  71         if (NT_STATUS_IS_OK(status) ||
  72             NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
  73                 talloc_steal(out_mem_ctx, reply->data);
  74         }
  75
  76         return status;
  77 }
  78
  79 /**
  80  * Return the challenge as determined by the authentication subsystem
  81  * @return an 8 byte random challenge
  82  */
  83
  84 NTSTATUS auth3_get_challenge(struct auth4_context *auth4_context,
  85                                            uint8_t chal[8])
  86 {
  87         struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
  88                                                                   struct auth_context);
  89         auth_context->get_ntlm_challenge(auth_context, chal);
  90         return NT_STATUS_OK;
  91 }
  92
  93 /**
  94  * Some authentication methods 'fix' the challenge, so we may not be able to set it
  95  *
  96  * @return If the effective challenge used by the auth subsystem may be modified
  97  */
  98 bool auth3_may_set_challenge(struct auth4_context *auth4_context)
  99 {
 100         struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
 101                                                                   struct auth_context);
 102         return auth_context->challenge_may_be_modified;
 103 }
 104
 105 /**
 106  * NTLM2 authentication modifies the effective challenge,
 107  * @param challenge The new challenge value
 108  */
 109 NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t *chal,
 110                              const char *challenge_set_by)
 111 {
 112         struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
 113                                                                   struct auth_context);
 114
 115         auth_context->challenge = data_blob_talloc(auth_context,
 116                                                    chal, 8);
 117         NT_STATUS_HAVE_NO_MEMORY(auth_context->challenge.data);
 118
 119         auth_context->challenge_set_by = talloc_strdup(auth_context, challenge_set_by);
 120         NT_STATUS_HAVE_NO_MEMORY(auth_context->challenge_set_by);
 121
 122         DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
 123         DEBUG(5, ("challenge is: \n"));
 124         dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
 125         return NT_STATUS_OK;
 126 }
 127
 128 /**
 129  * Check the password on an NTLMSSP login.
 130  *
 131  * Return the session keys used on the connection.
 132  */
 133
 134 NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 135                               TALLOC_CTX *mem_ctx,
 136                               const struct auth_usersupplied_info *user_info,
 137                               void **server_returned_info,
 138                               DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 139 {
 140         struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
 141                                                                   struct auth_context);
 142         struct auth_usersupplied_info *mapped_user_info = NULL;
 143         struct auth_serversupplied_info *server_info;
 144         NTSTATUS nt_status;
 145         bool username_was_mapped;
 146
 147         /* The client has given us its machine name (which we only get over NBT transport).
 148            We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
 149
 150         set_remote_machine_name(user_info->workstation_name, True);
 151
 152         /* setup the string used by %U */
 153         /* sub_set_smb_name checks for weird internally */
 154         sub_set_smb_name(user_info->client.account_name);
 155
 156         lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
 157
 158         nt_status = make_user_info_map(&mapped_user_info,
 159                                        user_info->client.account_name,
 160                                        user_info->client.domain_name,
 161                                        user_info->workstation_name,
 162                                        user_info->remote_host,
 163                                        user_info->password.response.lanman.data ? &user_info->password.response.lanman : NULL,
 164                                        user_info->password.response.nt.data ? &user_info->password.response.nt : NULL,
 165                                        NULL, NULL, NULL,
 166                                        AUTH_PASSWORD_RESPONSE);
 167
 168         if (!NT_STATUS_IS_OK(nt_status)) {
 169                 return nt_status;
 170         }
 171
 172         mapped_user_info->logon_parameters = user_info->logon_parameters;
 173
 174         mapped_user_info->flags = user_info->flags;
 175
 176         nt_status = auth_context->check_ntlm_password(auth_context,
 177                                                       mapped_user_info, &server_info);
 178
 179         username_was_mapped = mapped_user_info->was_mapped;
 180
 181         free_user_info(&mapped_user_info);
 182
 183         if (!NT_STATUS_IS_OK(nt_status)) {
 184                 nt_status = do_map_to_guest_server_info(nt_status,
 185                                                         &server_info,
 186                                                         user_info->client.account_name,
 187                                                         user_info->client.domain_name);
 188                 *server_returned_info = talloc_steal(mem_ctx, server_info);
 189                 return nt_status;
 190         }
 191
 192         server_info->nss_token |= username_was_mapped;
 193
 194         /* Clear out the session keys, and pass them to the caller.
 195          * They will not be used in this form again - instead the
 196          * NTLMSSP code will decide on the final correct session key,
 197          * and supply it to create_local_token() */
 198         if (session_key) {
 199                 DEBUG(10, ("Got NT session key of length %u\n",
 200                         (unsigned int)server_info->session_key.length));
 201                 *session_key = server_info->session_key;
 202                 talloc_steal(mem_ctx, server_info->session_key.data);
 203                 server_info->session_key = data_blob_null;
 204         }
 205         if (lm_session_key) {
 206                 DEBUG(10, ("Got LM session key of length %u\n",
 207                         (unsigned int)server_info->lm_session_key.length));
 208                 *lm_session_key = server_info->lm_session_key;
 209                 talloc_steal(mem_ctx, server_info->lm_session_key.data);
 210                 server_info->lm_session_key = data_blob_null;
 211         }
 212
 213         *server_returned_info = talloc_steal(mem_ctx, server_info);
 214         return nt_status;
 215 }
 216
 217 /**
 218  * Return the challenge as determined by the authentication subsystem
 219  * @return an 8 byte random challenge
 220  */
 221
 222 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
 223                                            uint8_t chal[8])
 224 {
 225         struct gensec_ntlmssp_context *gensec_ntlmssp =
 226                 talloc_get_type_abort(ntlmssp_state->callback_private,
 227                                       struct gensec_ntlmssp_context);
 228         struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
 229         NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
 230
 231         if (auth_context->get_challenge) {
 232                 status = auth_context->get_challenge(auth_context, chal);
 233                 if (!NT_STATUS_IS_OK(status)) {
 234                         DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n",
 235                                   nt_errstr(status)));
 236                         return status;
 237                 }
 238         }
 239
 240         return status;
 241 }
 242
 243 /**
 244  * Some authentication methods 'fix' the challenge, so we may not be able to set it
 245  *
 246  * @return If the effective challenge used by the auth subsystem may be modified
 247  */
 248 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
 249 {
 250         struct gensec_ntlmssp_context *gensec_ntlmssp =
 251                 talloc_get_type_abort(ntlmssp_state->callback_private,
 252                                       struct gensec_ntlmssp_context);
 253         struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
 254
 255         if (auth_context->challenge_may_be_modified) {
 256                 return auth_context->challenge_may_be_modified(auth_context);
 257         }
 258         return false;
 259 }
 260
 261 /**
 262  * NTLM2 authentication modifies the effective challenge,
 263  * @param challenge The new challenge value
 264  */
 265 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
 266 {
 267         struct gensec_ntlmssp_context *gensec_ntlmssp =
 268                 talloc_get_type_abort(ntlmssp_state->callback_private,
 269                                       struct gensec_ntlmssp_context);
 270         struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
 271         NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
 272         const uint8_t *chal;
 273
 274         if (challenge->length != 8) {
 275                 return NT_STATUS_INVALID_PARAMETER;
 276         }
 277
 278         chal = challenge->data;
 279
 280         if (auth_context->set_challenge) {
 281                 nt_status = auth_context->set_challenge(auth_context,
 282                                                         chal,
 283                                                         "NTLMSSP callback (NTLM2)");
 284         }
 285         return nt_status;
 286 }
 287
 288 /**
 289  * Check the password on an NTLMSSP login.
 290  *
 291  * Return the session keys used on the connection.
 292  */
 293
 294 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
 295                                             TALLOC_CTX *mem_ctx,
 296                                             DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
 297 {
 298         struct gensec_ntlmssp_context *gensec_ntlmssp =
 299                 talloc_get_type_abort(ntlmssp_state->callback_private,
 300                                       struct gensec_ntlmssp_context);
 301         struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
 302         NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
 303         struct auth_usersupplied_info *user_info;
 304
 305         user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
 306         if (!user_info) {
 307                 return NT_STATUS_NO_MEMORY;
 308         }
 309
 310         user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
 311         user_info->flags = 0;
 312         user_info->mapped_state = false;
 313         user_info->client.account_name = ntlmssp_state->user;
 314         user_info->client.domain_name = ntlmssp_state->domain;
 315         user_info->workstation_name = ntlmssp_state->client.netbios_name;
 316         user_info->remote_host = gensec_get_remote_address(gensec_ntlmssp->gensec_security);
 317
 318         user_info->password_state = AUTH_PASSWORD_RESPONSE;
 319         user_info->password.response.lanman = ntlmssp_state->lm_resp;
 320         user_info->password.response.lanman.data = talloc_steal(user_info, ntlmssp_state->lm_resp.data);
 321         user_info->password.response.nt = ntlmssp_state->nt_resp;
 322         user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data);
 323
 324         if (auth_context->check_password) {
 325                 nt_status = auth_context->check_password(auth_context,
 326                                                          gensec_ntlmssp,
 327                                                          user_info,
 328                                                          &gensec_ntlmssp->server_returned_info,
 329                                                          user_session_key, lm_session_key);
 330         }
 331         talloc_free(user_info);
 332         NT_STATUS_NOT_OK_RETURN(nt_status);
 333
 334         talloc_steal(mem_ctx, user_session_key->data);
 335         talloc_steal(mem_ctx, lm_session_key->data);
 336
 337         return nt_status;
 338 }
 339
 340 /**
 341  * Return the credentials of a logged on user, including session keys
 342  * etc.
 343  *
 344  * Only valid after a successful authentication
 345  *
 346  * May only be called once per authentication.
 347  *
 348  */
 349
 350 static NTSTATUS gensec_ntlmssp3_server_session_info(struct gensec_security *gensec_security,
 351                                                     TALLOC_CTX *mem_ctx,
 352                                                     struct auth_session_info **session_info)
 353 {
 354         NTSTATUS nt_status;
 355         struct gensec_ntlmssp_context *gensec_ntlmssp =
 356                 talloc_get_type_abort(gensec_security->private_data,
 357                                       struct gensec_ntlmssp_context);
 358         uint32_t session_info_flags = 0;
 359
 360         if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
 361                 session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
 362         }
 363
 364         session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
 365
 366         if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) {
 367                 nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
 368                                                                                  gensec_ntlmssp->server_returned_info,
 369                                                                                  gensec_ntlmssp->ntlmssp_state->user,
 370                                                                                  session_info_flags,
 371                                                                                  session_info);
 372         } else {
 373                 DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
 374                 return NT_STATUS_INTERNAL_ERROR;
 375         }
 376
 377         NT_STATUS_NOT_OK_RETURN(nt_status);
 378
 379         nt_status = gensec_ntlmssp_session_key(gensec_security, *session_info,
 380                                           &(*session_info)->session_key);
 381
 382         if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_USER_SESSION_KEY)) {
 383                 (*session_info)->session_key = data_blob_null;
 384                 nt_status = NT_STATUS_OK;
 385         }
 386         return nt_status;
 387 }
 388
 389 static NTSTATUS gensec_ntlmssp3_server_start(struct gensec_security *gensec_security)
 390 {
 391         NTSTATUS nt_status;
 392         bool is_standalone;
 393         const char *netbios_name;
 394         const char *netbios_domain;
 395         const char *dns_name;
 396         char *dns_domain;
 397         struct gensec_ntlmssp_context *gensec_ntlmssp;
 398
 399         if ((enum server_role)lp_server_role() == ROLE_STANDALONE) {
 400                 is_standalone = true;
 401         } else {
 402                 is_standalone = false;
 403         }
 404
 405         netbios_name = lp_netbios_name();
 406         netbios_domain = lp_workgroup();
 407         /* This should be a 'netbios domain -> DNS domain' mapping */
 408         dns_domain = get_mydnsdomname(talloc_tos());
 409         if (dns_domain) {
 410                 strlower_m(dns_domain);
 411         }
 412         dns_name = get_mydnsfullname();
 413
 414         nt_status = gensec_ntlmssp_start(gensec_security);
 415         NT_STATUS_NOT_OK_RETURN(nt_status);
 416
 417         gensec_ntlmssp =
 418                 talloc_get_type_abort(gensec_security->private_data,
 419                                       struct gensec_ntlmssp_context);
 420
 421         nt_status = ntlmssp_server_start(gensec_ntlmssp,
 422                                          is_standalone,
 423                                          netbios_name,
 424                                          netbios_domain,
 425                                          dns_name,
 426                                          dns_domain,
 427                                          &gensec_ntlmssp->ntlmssp_state);
 428         if (!NT_STATUS_IS_OK(nt_status)) {
 429                 return nt_status;
 430         }
 431
 432         gensec_ntlmssp->ntlmssp_state->callback_private = gensec_ntlmssp;
 433
 434         gensec_ntlmssp->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
 435         gensec_ntlmssp->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
 436         gensec_ntlmssp->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
 437         gensec_ntlmssp->ntlmssp_state->check_password = auth_ntlmssp_check_password;
 438
 439         if (gensec_ntlmssp->gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
 440                 gensec_ntlmssp->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 441         }
 442         if (gensec_ntlmssp->gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 443                 gensec_ntlmssp->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 444         }
 445         if (gensec_ntlmssp->gensec_security->want_features & GENSEC_FEATURE_SEAL) {
 446                 gensec_ntlmssp->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 447                 gensec_ntlmssp->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
 448         }
 449
 450         return NT_STATUS_OK;
 451 }
 452
 453 static const char *gensec_ntlmssp3_server_oids[] = {
 454         GENSEC_OID_NTLMSSP,
 455         NULL
 456 };
 457
 458 const struct gensec_security_ops gensec_ntlmssp3_server_ops = {
 459         .name           = "ntlmssp3_server",
 460         .sasl_name      = GENSEC_SASL_NAME_NTLMSSP, /* "NTLM" */
 461         .auth_type      = DCERPC_AUTH_TYPE_NTLMSSP,
 462         .oid            = gensec_ntlmssp3_server_oids,
 463         .server_start   = gensec_ntlmssp3_server_start,
 464         .magic          = gensec_ntlmssp_magic,
 465         .update         = gensec_ntlmssp3_server_update,
 466         .sig_size       = gensec_ntlmssp_sig_size,
 467         .sign_packet    = gensec_ntlmssp_sign_packet,
 468         .check_packet   = gensec_ntlmssp_check_packet,
 469         .seal_packet    = gensec_ntlmssp_seal_packet,
 470         .unseal_packet  = gensec_ntlmssp_unseal_packet,
 471         .wrap           = gensec_ntlmssp_wrap,
 472         .unwrap         = gensec_ntlmssp_unwrap,
 473         .session_key    = gensec_ntlmssp_session_key,
 474         .session_info   = gensec_ntlmssp3_server_session_info,
 475         .have_feature   = gensec_ntlmssp_have_feature,
 476         .enabled        = true,
 477         .priority       = GENSEC_NTLMSSP
 478 };
 479