git.samba.org / samba.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
s4:auth Remove the system:anonymous parameter used for the LDAP backend
[samba.git] / source4 / auth / system_session.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Authentication utility functions
4    Copyright (C) Andrew Tridgell 1992-1998
5    Copyright (C) Andrew Bartlett 2001-2010
6    Copyright (C) Jeremy Allison 2000-2001
7    Copyright (C) Rafal Szczesniak 2002
8    Copyright (C) Stefan Metzmacher 2005
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "libcli/security/security.h"
26 #include "auth/credentials/credentials.h"
27 #include "param/param.h"
28 #include "auth/auth.h" /* for auth_serversupplied_info */
29 #include "auth/session.h"
30 #include "auth/system_session_proto.h"
31
32 /**
33  * Create the SID list for this user. 
34  *
35  * @note Specialised version for system sessions that doesn't use the SAM.
36  */
37 static NTSTATUS create_token(TALLOC_CTX *mem_ctx, 
38                              struct dom_sid *user_sid,
39                              struct dom_sid *group_sid,
40                              unsigned int n_groupSIDs,
41                              struct dom_sid **groupSIDs,
42                              bool is_authenticated,
43                              struct security_token **token)
44 {
45         struct security_token *ptoken;
46         unsigned int i;
47
48         ptoken = security_token_initialise(mem_ctx);
49         NT_STATUS_HAVE_NO_MEMORY(ptoken);
50
51         ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 5);
52         NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
53
54         ptoken->sids[PRIMARY_USER_SID_INDEX] = talloc_reference(ptoken, user_sid);
55         ptoken->sids[PRIMARY_GROUP_SID_INDEX] = talloc_reference(ptoken, group_sid);
56         ptoken->privilege_mask = 0;
57
58         /*
59          * Finally add the "standard" SIDs.
60          * The only difference between guest and "anonymous"
61          * is the addition of Authenticated_Users.
62          */
63         ptoken->sids[2] = dom_sid_parse_talloc(ptoken->sids, SID_WORLD);
64         NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[2]);
65         ptoken->sids[3] = dom_sid_parse_talloc(ptoken->sids, SID_NT_NETWORK);
66         NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[3]);
67         ptoken->num_sids = 4;
68
69         if (is_authenticated) {
70                 ptoken->sids[4] = dom_sid_parse_talloc(ptoken->sids, SID_NT_AUTHENTICATED_USERS);
71                 NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[4]);
72                 ptoken->num_sids++;
73         }
74
75         for (i = 0; i < n_groupSIDs; i++) {
76                 size_t check_sid_idx;
77                 for (check_sid_idx = 1; 
78                      check_sid_idx < ptoken->num_sids; 
79                      check_sid_idx++) {
80                         if (dom_sid_equal(ptoken->sids[check_sid_idx], groupSIDs[i])) {
81                                 break;
82                         }
83                 }
84
85                 if (check_sid_idx == ptoken->num_sids) {
86                         ptoken->sids[ptoken->num_sids++] = talloc_reference(ptoken->sids, groupSIDs[i]);
87                 }
88         }
89
90         *token = ptoken;
91
92         /* Shortcuts to prevent recursion and avoid lookups */
93         if (ptoken->sids == NULL) {
94                 ptoken->privilege_mask = 0;
95                 return NT_STATUS_OK;
96         } 
97         
98         if (security_token_is_system(ptoken)) {
99                 ptoken->privilege_mask = ~0;
100         } else if (security_token_is_anonymous(ptoken)) {
101                 ptoken->privilege_mask = 0;
102         } else if (security_token_has_builtin_administrators(ptoken)) {
103                 ptoken->privilege_mask = ~0;
104         } else {
105                 /* All other 'users' get a empty priv set so far */
106                 ptoken->privilege_mask = 0;
107         }
108         return NT_STATUS_OK;
109 }
110
111 NTSTATUS auth_generate_simple_session_info(TALLOC_CTX *mem_ctx,
112                                            struct auth_serversupplied_info *server_info,
113                                            struct auth_session_info **_session_info)
114 {
115         struct auth_session_info *session_info;
116         NTSTATUS nt_status;
117
118         session_info = talloc(mem_ctx, struct auth_session_info);
119         NT_STATUS_HAVE_NO_MEMORY(session_info);
120
121         session_info->server_info = talloc_reference(session_info, server_info);
122
123         /* unless set otherwise, the session key is the user session
124          * key from the auth subsystem */ 
125         session_info->session_key = server_info->user_session_key;
126
127         nt_status = create_token(session_info,
128                                           server_info->account_sid,
129                                           server_info->primary_group_sid,
130                                           server_info->n_domain_groups,
131                                           server_info->domain_groups,
132                                           server_info->authenticated,
133                                           &session_info->security_token);
134         NT_STATUS_NOT_OK_RETURN(nt_status);
135
136         session_info->credentials = NULL;
137
138         *_session_info = session_info;
139         return NT_STATUS_OK;
140 }
141
142
143 /*
144   prevent the static system session being freed
145  */
146 static int system_session_destructor(struct auth_session_info *info)
147 {
148         return -1;
149 }
150
151 /* Create a security token for a session SYSTEM (the most
152  * trusted/prvilaged account), including the local machine account as
153  * the off-host credentials
154  */ 
155 _PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ctx)
156 {
157         static struct auth_session_info *static_session;
158         NTSTATUS nt_status;
159
160         if (static_session) {
161                 return static_session;
162         }
163
164         nt_status = auth_system_session_info(talloc_autofree_context(),
165                                              lp_ctx,
166                                              &static_session);
167         if (!NT_STATUS_IS_OK(nt_status)) {
168                 talloc_free(static_session);
169                 static_session = NULL;
170                 return NULL;
171         }
172         talloc_set_destructor(static_session, system_session_destructor);
173         return static_session;
174 }
175
176 static NTSTATUS _auth_system_session_info(TALLOC_CTX *parent_ctx, 
177                                           struct loadparm_context *lp_ctx,
178                                           struct auth_session_info **_session_info) 
179 {
180         NTSTATUS nt_status;
181         struct auth_serversupplied_info *server_info = NULL;
182         struct auth_session_info *session_info = NULL;
183         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
184         
185         nt_status = auth_system_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx),
186                                             &server_info);
187         if (!NT_STATUS_IS_OK(nt_status)) {
188                 talloc_free(mem_ctx);
189                 return nt_status;
190         }
191
192         /* references the server_info into the session_info */
193         nt_status = auth_generate_simple_session_info(parent_ctx, server_info, &session_info);
194         talloc_free(mem_ctx);
195
196         NT_STATUS_NOT_OK_RETURN(nt_status);
197
198         session_info->credentials = cli_credentials_init(session_info);
199         if (!session_info->credentials) {
200                 return NT_STATUS_NO_MEMORY;
201         }
202
203         cli_credentials_set_conf(session_info->credentials, lp_ctx);
204
205         cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
206         *_session_info = session_info;
207
208         return NT_STATUS_OK;
209 }
210
211 /*
212   Create a system session, but with anonymous credentials (so we do not need to open secrets.ldb)
213 */
214 _PUBLIC_ struct auth_session_info *system_session_anon(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
215 {
216         NTSTATUS nt_status;
217         struct auth_session_info *session_info = NULL;
218         nt_status = _auth_system_session_info(mem_ctx, lp_ctx, &session_info);
219         if (!NT_STATUS_IS_OK(nt_status)) {
220                 return NULL;
221         }
222         return session_info;
223 }
224
225
226
227 _PUBLIC_ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, 
228                                            struct loadparm_context *lp_ctx,
229                                            struct auth_session_info **_session_info) 
230 {
231         return _auth_system_session_info(parent_ctx, 
232                                          lp_ctx,
233                                          _session_info);
234 }
235
236 NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name, 
237                                  struct auth_serversupplied_info **_server_info) 
238 {
239         struct auth_serversupplied_info *server_info;
240
241         server_info = talloc(mem_ctx, struct auth_serversupplied_info);
242         NT_STATUS_HAVE_NO_MEMORY(server_info);
243
244         server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM);
245         NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
246
247         /* is this correct? */
248         server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
249         NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
250
251         server_info->n_domain_groups = 0;
252         server_info->domain_groups = NULL;
253
254         /* annoying, but the Anonymous really does have a session key, 
255            and it is all zeros! */
256         server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
257         NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
258
259         server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
260         NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
261
262         data_blob_clear(&server_info->user_session_key);
263         data_blob_clear(&server_info->lm_session_key);
264
265         server_info->account_name = talloc_strdup(server_info, "SYSTEM");
266         NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
267
268         server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
269         NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
270
271         server_info->full_name = talloc_strdup(server_info, "System");
272         NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
273
274         server_info->logon_script = talloc_strdup(server_info, "");
275         NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
276
277         server_info->profile_path = talloc_strdup(server_info, "");
278         NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
279
280         server_info->home_directory = talloc_strdup(server_info, "");
281         NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
282
283         server_info->home_drive = talloc_strdup(server_info, "");
284         NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
285
286         server_info->logon_server = talloc_strdup(server_info, netbios_name);
287         NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
288
289         server_info->last_logon = 0;
290         server_info->last_logoff = 0;
291         server_info->acct_expiry = 0;
292         server_info->last_password_change = 0;
293         server_info->allow_password_change = 0;
294         server_info->force_password_change = 0;
295
296         server_info->logon_count = 0;
297         server_info->bad_password_count = 0;
298
299         server_info->acct_flags = ACB_NORMAL;
300
301         server_info->authenticated = true;
302
303         *_server_info = server_info;
304
305         return NT_STATUS_OK;
306 }
307
308
309 static NTSTATUS auth_domain_admin_server_info(TALLOC_CTX *mem_ctx,
310                                               const char *netbios_name,
311                                               const char *domain_name,
312                                               struct dom_sid *domain_sid,
313                                               struct auth_serversupplied_info **_server_info)
314 {
315         struct auth_serversupplied_info *server_info;
316
317         server_info = talloc(mem_ctx, struct auth_serversupplied_info);
318         NT_STATUS_HAVE_NO_MEMORY(server_info);
319
320         server_info->account_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINISTRATOR);
321         NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
322
323         server_info->primary_group_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS);
324         NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
325
326         server_info->n_domain_groups = 6;
327         server_info->domain_groups = talloc_array(server_info, struct dom_sid *, server_info->n_domain_groups);
328
329         server_info->domain_groups[0] = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
330         server_info->domain_groups[1] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINS);
331         server_info->domain_groups[2] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS);
332         server_info->domain_groups[3] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
333         server_info->domain_groups[4] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_POLICY_ADMINS);
334         server_info->domain_groups[5] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
335
336         /* What should the session key be?*/
337         server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
338         NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
339
340         server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
341         NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
342
343         data_blob_clear(&server_info->user_session_key);
344         data_blob_clear(&server_info->lm_session_key);
345
346         server_info->account_name = talloc_strdup(server_info, "Administrator");
347         NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
348
349         server_info->domain_name = talloc_strdup(server_info, domain_name);
350         NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
351
352         server_info->full_name = talloc_strdup(server_info, "Administrator");
353         NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
354
355         server_info->logon_script = talloc_strdup(server_info, "");
356         NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
357
358         server_info->profile_path = talloc_strdup(server_info, "");
359         NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
360
361         server_info->home_directory = talloc_strdup(server_info, "");
362         NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
363
364         server_info->home_drive = talloc_strdup(server_info, "");
365         NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
366
367         server_info->logon_server = talloc_strdup(server_info, netbios_name);
368         NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
369
370         server_info->last_logon = 0;
371         server_info->last_logoff = 0;
372         server_info->acct_expiry = 0;
373         server_info->last_password_change = 0;
374         server_info->allow_password_change = 0;
375         server_info->force_password_change = 0;
376
377         server_info->logon_count = 0;
378         server_info->bad_password_count = 0;
379
380         server_info->acct_flags = ACB_NORMAL;
381
382         server_info->authenticated = true;
383
384         *_server_info = server_info;
385
386         return NT_STATUS_OK;
387 }
388
389 static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
390                                                struct loadparm_context *lp_ctx,
391                                                struct dom_sid *domain_sid,
392                                                struct auth_session_info **_session_info)
393 {
394         NTSTATUS nt_status;
395         struct auth_serversupplied_info *server_info = NULL;
396         struct auth_session_info *session_info = NULL;
397         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
398
399         nt_status = auth_domain_admin_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx),
400                                                   lpcfg_workgroup(lp_ctx), domain_sid,
401                                                   &server_info);
402         if (!NT_STATUS_IS_OK(nt_status)) {
403                 talloc_free(mem_ctx);
404                 return nt_status;
405         }
406
407         session_info = talloc(mem_ctx, struct auth_session_info);
408         NT_STATUS_HAVE_NO_MEMORY(session_info);
409
410         session_info->server_info = talloc_reference(session_info, server_info);
411
412         /* unless set otherwise, the session key is the user session
413          * key from the auth subsystem */
414         session_info->session_key = server_info->user_session_key;
415
416         nt_status = create_token(session_info,
417                                  server_info->account_sid,
418                                  server_info->primary_group_sid,
419                                  server_info->n_domain_groups,
420                                  server_info->domain_groups,
421                                  true,
422                                  &session_info->security_token);
423         NT_STATUS_NOT_OK_RETURN(nt_status);
424
425         session_info->credentials = cli_credentials_init(session_info);
426         if (!session_info->credentials) {
427                 return NT_STATUS_NO_MEMORY;
428         }
429
430         cli_credentials_set_conf(session_info->credentials, lp_ctx);
431
432         *_session_info = session_info;
433
434         return NT_STATUS_OK;
435 }
436
437 _PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid)
438 {
439         NTSTATUS nt_status;
440         struct auth_session_info *session_info = NULL;
441         nt_status = auth_domain_admin_session_info(mem_ctx,
442                                                    lp_ctx,
443                                                    domain_sid,
444                                                    &session_info);
445         if (!NT_STATUS_IS_OK(nt_status)) {
446                 return NULL;
447         }
448         return session_info;
449 }
450
451 _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, 
452                                               struct loadparm_context *lp_ctx,
453                                               struct auth_session_info **_session_info) 
454 {
455         NTSTATUS nt_status;
456         struct auth_serversupplied_info *server_info = NULL;
457         struct auth_session_info *session_info = NULL;
458         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
459         
460         nt_status = auth_anonymous_server_info(mem_ctx,
461                                                lpcfg_netbios_name(lp_ctx),
462                                                &server_info);
463         if (!NT_STATUS_IS_OK(nt_status)) {
464                 talloc_free(mem_ctx);
465                 return nt_status;
466         }
467
468         /* references the server_info into the session_info */
469         nt_status = auth_generate_simple_session_info(parent_ctx, server_info, &session_info);
470         talloc_free(mem_ctx);
471
472         NT_STATUS_NOT_OK_RETURN(nt_status);
473
474         session_info->credentials = cli_credentials_init(session_info);
475         if (!session_info->credentials) {
476                 return NT_STATUS_NO_MEMORY;
477         }
478
479         cli_credentials_set_conf(session_info->credentials, lp_ctx);
480         cli_credentials_set_anonymous(session_info->credentials);
481         
482         *_session_info = session_info;
483
484         return NT_STATUS_OK;
485 }
486
487 _PUBLIC_ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx, 
488                                     const char *netbios_name,
489                                     struct auth_serversupplied_info **_server_info) 
490 {
491         struct auth_serversupplied_info *server_info;
492         server_info = talloc(mem_ctx, struct auth_serversupplied_info);
493         NT_STATUS_HAVE_NO_MEMORY(server_info);
494
495         server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
496         NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
497
498         /* is this correct? */
499         server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_GUESTS);
500         NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
501
502         server_info->n_domain_groups = 0;
503         server_info->domain_groups = NULL;
504
505         /* annoying, but the Anonymous really does have a session key... */
506         server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
507         NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
508
509         server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
510         NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
511
512         /*  and it is all zeros! */
513         data_blob_clear(&server_info->user_session_key);
514         data_blob_clear(&server_info->lm_session_key);
515
516         server_info->account_name = talloc_strdup(server_info, "ANONYMOUS LOGON");
517         NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
518
519         server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
520         NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
521
522         server_info->full_name = talloc_strdup(server_info, "Anonymous Logon");
523         NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
524
525         server_info->logon_script = talloc_strdup(server_info, "");
526         NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
527
528         server_info->profile_path = talloc_strdup(server_info, "");
529         NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
530
531         server_info->home_directory = talloc_strdup(server_info, "");
532         NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
533
534         server_info->home_drive = talloc_strdup(server_info, "");
535         NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
536
537         server_info->logon_server = talloc_strdup(server_info, netbios_name);
538         NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
539
540         server_info->last_logon = 0;
541         server_info->last_logoff = 0;
542         server_info->acct_expiry = 0;
543         server_info->last_password_change = 0;
544         server_info->allow_password_change = 0;
545         server_info->force_password_change = 0;
546
547         server_info->logon_count = 0;
548         server_info->bad_password_count = 0;
549
550         server_info->acct_flags = ACB_NORMAL;
551
552         server_info->authenticated = false;
553
554         *_server_info = server_info;
555
556         return NT_STATUS_OK;
557 }
558
Samba Shared Repository