source4/auth/system_session.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Authentication utility functions
   4    Copyright (C) Andrew Tridgell 1992-1998
   5    Copyright (C) Andrew Bartlett 2001-2010
   6    Copyright (C) Jeremy Allison 2000-2001
   7    Copyright (C) Rafal Szczesniak 2002
   8    Copyright (C) Stefan Metzmacher 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "libcli/security/security.h"
  26 #include "auth/credentials/credentials.h"
  27 #include "param/param.h"
  28 #include "auth/auth.h" /* for auth_serversupplied_info */
  29 #include "auth/session.h"
  30 #include "auth/system_session_proto.h"
  31
  32 /**
  33  * Create the SID list for this user.
  34  *
  35  * @note Specialised version for system sessions that doesn't use the SAM.
  36  */
  37 static NTSTATUS create_token(TALLOC_CTX *mem_ctx,
  38                              struct dom_sid *user_sid,
  39                              struct dom_sid *group_sid,
  40                              unsigned int n_groupSIDs,
  41                              struct dom_sid **groupSIDs,
  42                              bool is_authenticated,
  43                              struct security_token **token)
  44 {
  45         struct security_token *ptoken;
  46         unsigned int i;
  47
  48         ptoken = security_token_initialise(mem_ctx);
  49         NT_STATUS_HAVE_NO_MEMORY(ptoken);
  50
  51         ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 5);
  52         NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
  53
  54         ptoken->sids[PRIMARY_USER_SID_INDEX] = talloc_reference(ptoken, user_sid);
  55         ptoken->sids[PRIMARY_GROUP_SID_INDEX] = talloc_reference(ptoken, group_sid);
  56         ptoken->privilege_mask = 0;
  57
  58         /*
  59          * Finally add the "standard" SIDs.
  60          * The only difference between guest and "anonymous"
  61          * is the addition of Authenticated_Users.
  62          */
  63         ptoken->sids[2] = dom_sid_parse_talloc(ptoken->sids, SID_WORLD);
  64         NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[2]);
  65         ptoken->sids[3] = dom_sid_parse_talloc(ptoken->sids, SID_NT_NETWORK);
  66         NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[3]);
  67         ptoken->num_sids = 4;
  68
  69         if (is_authenticated) {
  70                 ptoken->sids[4] = dom_sid_parse_talloc(ptoken->sids, SID_NT_AUTHENTICATED_USERS);
  71                 NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[4]);
  72                 ptoken->num_sids++;
  73         }
  74
  75         for (i = 0; i < n_groupSIDs; i++) {
  76                 size_t check_sid_idx;
  77                 for (check_sid_idx = 1;
  78                      check_sid_idx < ptoken->num_sids;
  79                      check_sid_idx++) {
  80                         if (dom_sid_equal(ptoken->sids[check_sid_idx], groupSIDs[i])) {
  81                                 break;
  82                         }
  83                 }
  84
  85                 if (check_sid_idx == ptoken->num_sids) {
  86                         ptoken->sids[ptoken->num_sids++] = talloc_reference(ptoken->sids, groupSIDs[i]);
  87                 }
  88         }
  89
  90         *token = ptoken;
  91
  92         /* Shortcuts to prevent recursion and avoid lookups */
  93         if (ptoken->sids == NULL) {
  94                 ptoken->privilege_mask = 0;
  95                 return NT_STATUS_OK;
  96         }
  97
  98         if (security_token_is_system(ptoken)) {
  99                 ptoken->privilege_mask = ~0;
 100         } else if (security_token_is_anonymous(ptoken)) {
 101                 ptoken->privilege_mask = 0;
 102         } else if (security_token_has_builtin_administrators(ptoken)) {
 103                 ptoken->privilege_mask = ~0;
 104         } else {
 105                 /* All other 'users' get a empty priv set so far */
 106                 ptoken->privilege_mask = 0;
 107         }
 108         return NT_STATUS_OK;
 109 }
 110
 111 NTSTATUS auth_generate_simple_session_info(TALLOC_CTX *mem_ctx,
 112                                            struct auth_serversupplied_info *server_info,
 113                                            struct auth_session_info **_session_info)
 114 {
 115         struct auth_session_info *session_info;
 116         NTSTATUS nt_status;
 117
 118         session_info = talloc(mem_ctx, struct auth_session_info);
 119         NT_STATUS_HAVE_NO_MEMORY(session_info);
 120
 121         session_info->server_info = talloc_reference(session_info, server_info);
 122
 123         /* unless set otherwise, the session key is the user session
 124          * key from the auth subsystem */
 125         session_info->session_key = server_info->user_session_key;
 126
 127         nt_status = create_token(session_info,
 128                                           server_info->account_sid,
 129                                           server_info->primary_group_sid,
 130                                           server_info->n_domain_groups,
 131                                           server_info->domain_groups,
 132                                           server_info->authenticated,
 133                                           &session_info->security_token);
 134         NT_STATUS_NOT_OK_RETURN(nt_status);
 135
 136         session_info->credentials = NULL;
 137
 138         *_session_info = session_info;
 139         return NT_STATUS_OK;
 140 }
 141
 142
 143 /*
 144   prevent the static system session being freed
 145  */
 146 static int system_session_destructor(struct auth_session_info *info)
 147 {
 148         return -1;
 149 }
 150
 151 /* Create a security token for a session SYSTEM (the most
 152  * trusted/prvilaged account), including the local machine account as
 153  * the off-host credentials
 154  */
 155 _PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ctx)
 156 {
 157         static struct auth_session_info *static_session;
 158         NTSTATUS nt_status;
 159
 160         if (static_session) {
 161                 return static_session;
 162         }
 163
 164         nt_status = auth_system_session_info(talloc_autofree_context(),
 165                                              lp_ctx,
 166                                              &static_session);
 167         if (!NT_STATUS_IS_OK(nt_status)) {
 168                 talloc_free(static_session);
 169                 static_session = NULL;
 170                 return NULL;
 171         }
 172         talloc_set_destructor(static_session, system_session_destructor);
 173         return static_session;
 174 }
 175
 176 NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
 177                                   struct loadparm_context *lp_ctx,
 178                                   struct auth_session_info **_session_info)
 179 {
 180         NTSTATUS nt_status;
 181         struct auth_serversupplied_info *server_info = NULL;
 182         struct auth_session_info *session_info = NULL;
 183         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 184
 185         nt_status = auth_system_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx),
 186                                             &server_info);
 187         if (!NT_STATUS_IS_OK(nt_status)) {
 188                 talloc_free(mem_ctx);
 189                 return nt_status;
 190         }
 191
 192         /* references the server_info into the session_info */
 193         nt_status = auth_generate_session_info(parent_ctx, NULL, server_info, 0, &session_info);
 194         talloc_free(mem_ctx);
 195
 196         NT_STATUS_NOT_OK_RETURN(nt_status);
 197
 198         session_info->credentials = cli_credentials_init(session_info);
 199         if (!session_info->credentials) {
 200                 return NT_STATUS_NO_MEMORY;
 201         }
 202
 203         cli_credentials_set_conf(session_info->credentials, lp_ctx);
 204
 205         cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
 206         *_session_info = session_info;
 207
 208         return NT_STATUS_OK;
 209 }
 210
 211 NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name,
 212                                  struct auth_serversupplied_info **_server_info)
 213 {
 214         struct auth_serversupplied_info *server_info;
 215
 216         server_info = talloc(mem_ctx, struct auth_serversupplied_info);
 217         NT_STATUS_HAVE_NO_MEMORY(server_info);
 218
 219         server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM);
 220         NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
 221
 222         /* is this correct? */
 223         server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
 224         NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
 225
 226         server_info->n_domain_groups = 0;
 227         server_info->domain_groups = NULL;
 228
 229         /* annoying, but the Anonymous really does have a session key,
 230            and it is all zeros! */
 231         server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
 232         NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
 233
 234         server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
 235         NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
 236
 237         data_blob_clear(&server_info->user_session_key);
 238         data_blob_clear(&server_info->lm_session_key);
 239
 240         server_info->account_name = talloc_strdup(server_info, "SYSTEM");
 241         NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
 242
 243         server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
 244         NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
 245
 246         server_info->full_name = talloc_strdup(server_info, "System");
 247         NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
 248
 249         server_info->logon_script = talloc_strdup(server_info, "");
 250         NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
 251
 252         server_info->profile_path = talloc_strdup(server_info, "");
 253         NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
 254
 255         server_info->home_directory = talloc_strdup(server_info, "");
 256         NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
 257
 258         server_info->home_drive = talloc_strdup(server_info, "");
 259         NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
 260
 261         server_info->logon_server = talloc_strdup(server_info, netbios_name);
 262         NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
 263
 264         server_info->last_logon = 0;
 265         server_info->last_logoff = 0;
 266         server_info->acct_expiry = 0;
 267         server_info->last_password_change = 0;
 268         server_info->allow_password_change = 0;
 269         server_info->force_password_change = 0;
 270
 271         server_info->logon_count = 0;
 272         server_info->bad_password_count = 0;
 273
 274         server_info->acct_flags = ACB_NORMAL;
 275
 276         server_info->authenticated = true;
 277
 278         *_server_info = server_info;
 279
 280         return NT_STATUS_OK;
 281 }
 282
 283
 284 static NTSTATUS auth_domain_admin_server_info(TALLOC_CTX *mem_ctx,
 285                                               const char *netbios_name,
 286                                               const char *domain_name,
 287                                               struct dom_sid *domain_sid,
 288                                               struct auth_serversupplied_info **_server_info)
 289 {
 290         struct auth_serversupplied_info *server_info;
 291
 292         server_info = talloc(mem_ctx, struct auth_serversupplied_info);
 293         NT_STATUS_HAVE_NO_MEMORY(server_info);
 294
 295         server_info->account_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINISTRATOR);
 296         NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
 297
 298         server_info->primary_group_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS);
 299         NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
 300
 301         server_info->n_domain_groups = 6;
 302         server_info->domain_groups = talloc_array(server_info, struct dom_sid *, server_info->n_domain_groups);
 303
 304         server_info->domain_groups[0] = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
 305         server_info->domain_groups[1] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINS);
 306         server_info->domain_groups[2] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS);
 307         server_info->domain_groups[3] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
 308         server_info->domain_groups[4] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_POLICY_ADMINS);
 309         server_info->domain_groups[5] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
 310
 311         /* What should the session key be?*/
 312         server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
 313         NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
 314
 315         server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
 316         NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
 317
 318         data_blob_clear(&server_info->user_session_key);
 319         data_blob_clear(&server_info->lm_session_key);
 320
 321         server_info->account_name = talloc_strdup(server_info, "Administrator");
 322         NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
 323
 324         server_info->domain_name = talloc_strdup(server_info, domain_name);
 325         NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
 326
 327         server_info->full_name = talloc_strdup(server_info, "Administrator");
 328         NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
 329
 330         server_info->logon_script = talloc_strdup(server_info, "");
 331         NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
 332
 333         server_info->profile_path = talloc_strdup(server_info, "");
 334         NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
 335
 336         server_info->home_directory = talloc_strdup(server_info, "");
 337         NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
 338
 339         server_info->home_drive = talloc_strdup(server_info, "");
 340         NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
 341
 342         server_info->logon_server = talloc_strdup(server_info, netbios_name);
 343         NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
 344
 345         server_info->last_logon = 0;
 346         server_info->last_logoff = 0;
 347         server_info->acct_expiry = 0;
 348         server_info->last_password_change = 0;
 349         server_info->allow_password_change = 0;
 350         server_info->force_password_change = 0;
 351
 352         server_info->logon_count = 0;
 353         server_info->bad_password_count = 0;
 354
 355         server_info->acct_flags = ACB_NORMAL;
 356
 357         server_info->authenticated = true;
 358
 359         *_server_info = server_info;
 360
 361         return NT_STATUS_OK;
 362 }
 363
 364 static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
 365                                                struct loadparm_context *lp_ctx,
 366                                                struct dom_sid *domain_sid,
 367                                                struct auth_session_info **_session_info)
 368 {
 369         NTSTATUS nt_status;
 370         struct auth_serversupplied_info *server_info = NULL;
 371         struct auth_session_info *session_info = NULL;
 372         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 373
 374         nt_status = auth_domain_admin_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx),
 375                                                   lpcfg_workgroup(lp_ctx), domain_sid,
 376                                                   &server_info);
 377         if (!NT_STATUS_IS_OK(nt_status)) {
 378                 talloc_free(mem_ctx);
 379                 return nt_status;
 380         }
 381
 382         session_info = talloc(mem_ctx, struct auth_session_info);
 383         NT_STATUS_HAVE_NO_MEMORY(session_info);
 384
 385         session_info->server_info = talloc_reference(session_info, server_info);
 386
 387         /* unless set otherwise, the session key is the user session
 388          * key from the auth subsystem */
 389         session_info->session_key = server_info->user_session_key;
 390
 391         nt_status = create_token(session_info,
 392                                  server_info->account_sid,
 393                                  server_info->primary_group_sid,
 394                                  server_info->n_domain_groups,
 395                                  server_info->domain_groups,
 396                                  true,
 397                                  &session_info->security_token);
 398         NT_STATUS_NOT_OK_RETURN(nt_status);
 399
 400         session_info->credentials = cli_credentials_init(session_info);
 401         if (!session_info->credentials) {
 402                 return NT_STATUS_NO_MEMORY;
 403         }
 404
 405         cli_credentials_set_conf(session_info->credentials, lp_ctx);
 406
 407         *_session_info = session_info;
 408
 409         return NT_STATUS_OK;
 410 }
 411
 412 _PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid)
 413 {
 414         NTSTATUS nt_status;
 415         struct auth_session_info *session_info = NULL;
 416         nt_status = auth_domain_admin_session_info(mem_ctx,
 417                                                    lp_ctx,
 418                                                    domain_sid,
 419                                                    &session_info);
 420         if (!NT_STATUS_IS_OK(nt_status)) {
 421                 return NULL;
 422         }
 423         return session_info;
 424 }
 425
 426 _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
 427                                               struct loadparm_context *lp_ctx,
 428                                               struct auth_session_info **_session_info)
 429 {
 430         NTSTATUS nt_status;
 431         struct auth_serversupplied_info *server_info = NULL;
 432         struct auth_session_info *session_info = NULL;
 433         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 434
 435         nt_status = auth_anonymous_server_info(mem_ctx,
 436                                                lpcfg_netbios_name(lp_ctx),
 437                                                &server_info);
 438         if (!NT_STATUS_IS_OK(nt_status)) {
 439                 talloc_free(mem_ctx);
 440                 return nt_status;
 441         }
 442
 443         /* references the server_info into the session_info */
 444         nt_status = auth_generate_session_info(parent_ctx, NULL, server_info, 0, &session_info);
 445         talloc_free(mem_ctx);
 446
 447         NT_STATUS_NOT_OK_RETURN(nt_status);
 448
 449         session_info->credentials = cli_credentials_init(session_info);
 450         if (!session_info->credentials) {
 451                 return NT_STATUS_NO_MEMORY;
 452         }
 453
 454         cli_credentials_set_conf(session_info->credentials, lp_ctx);
 455         cli_credentials_set_anonymous(session_info->credentials);
 456
 457         *_session_info = session_info;
 458
 459         return NT_STATUS_OK;
 460 }
 461
 462 _PUBLIC_ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
 463                                     const char *netbios_name,
 464                                     struct auth_serversupplied_info **_server_info)
 465 {
 466         struct auth_serversupplied_info *server_info;
 467         server_info = talloc(mem_ctx, struct auth_serversupplied_info);
 468         NT_STATUS_HAVE_NO_MEMORY(server_info);
 469
 470         server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
 471         NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
 472
 473         /* The anonymous user has only one SID in it's token, but we need to fill something in here */
 474         server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
 475         NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
 476
 477         server_info->n_domain_groups = 0;
 478         server_info->domain_groups = NULL;
 479
 480         /* annoying, but the Anonymous really does have a session key... */
 481         server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
 482         NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
 483
 484         server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
 485         NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
 486
 487         /*  and it is all zeros! */
 488         data_blob_clear(&server_info->user_session_key);
 489         data_blob_clear(&server_info->lm_session_key);
 490
 491         server_info->account_name = talloc_strdup(server_info, "ANONYMOUS LOGON");
 492         NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
 493
 494         server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
 495         NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
 496
 497         server_info->full_name = talloc_strdup(server_info, "Anonymous Logon");
 498         NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
 499
 500         server_info->logon_script = talloc_strdup(server_info, "");
 501         NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
 502
 503         server_info->profile_path = talloc_strdup(server_info, "");
 504         NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
 505
 506         server_info->home_directory = talloc_strdup(server_info, "");
 507         NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
 508
 509         server_info->home_drive = talloc_strdup(server_info, "");
 510         NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
 511
 512         server_info->logon_server = talloc_strdup(server_info, netbios_name);
 513         NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
 514
 515         server_info->last_logon = 0;
 516         server_info->last_logoff = 0;
 517         server_info->acct_expiry = 0;
 518         server_info->last_password_change = 0;
 519         server_info->allow_password_change = 0;
 520         server_info->force_password_change = 0;
 521
 522         server_info->logon_count = 0;
 523         server_info->bad_password_count = 0;
 524
 525         server_info->acct_flags = ACB_NORMAL;
 526
 527         server_info->authenticated = false;
 528
 529         *_server_info = server_info;
 530
 531         return NT_STATUS_OK;
 532 }
 533