2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001-2010
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/security/security.h"
26 #include "auth/credentials/credentials.h"
27 #include "param/param.h"
28 #include "auth/auth.h" /* for auth_serversupplied_info */
29 #include "auth/session.h"
30 #include "auth/system_session_proto.h"
34 prevent the static system session being freed
36 static int system_session_destructor(struct auth_session_info *info)
41 /* Create a security token for a session SYSTEM (the most
42 * trusted/prvilaged account), including the local machine account as
43 * the off-host credentials
45 _PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ctx)
47 static struct auth_session_info *static_session;
51 return static_session;
54 nt_status = auth_system_session_info(talloc_autofree_context(),
57 if (!NT_STATUS_IS_OK(nt_status)) {
58 talloc_free(static_session);
59 static_session = NULL;
62 talloc_set_destructor(static_session, system_session_destructor);
63 return static_session;
66 NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
67 struct loadparm_context *lp_ctx,
68 struct auth_session_info **_session_info)
71 struct auth_serversupplied_info *server_info = NULL;
72 struct auth_session_info *session_info = NULL;
73 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
75 nt_status = auth_system_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx),
77 if (!NT_STATUS_IS_OK(nt_status)) {
82 /* references the server_info into the session_info */
83 nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, server_info, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
86 NT_STATUS_NOT_OK_RETURN(nt_status);
88 session_info->credentials = cli_credentials_init(session_info);
89 if (!session_info->credentials) {
90 return NT_STATUS_NO_MEMORY;
93 cli_credentials_set_conf(session_info->credentials, lp_ctx);
95 cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
96 *_session_info = session_info;
101 NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name,
102 struct auth_serversupplied_info **_server_info)
104 struct auth_serversupplied_info *server_info;
106 server_info = talloc(mem_ctx, struct auth_serversupplied_info);
107 NT_STATUS_HAVE_NO_MEMORY(server_info);
109 /* This returns a pointer to a struct dom_sid, which is the
110 * same as a 1 element list of struct dom_sid */
111 server_info->num_sids = 1;
112 server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM);
113 NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
115 /* annoying, but the Anonymous really does have a session key,
116 and it is all zeros! */
117 server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
118 NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
120 server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
121 NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
123 data_blob_clear(&server_info->user_session_key);
124 data_blob_clear(&server_info->lm_session_key);
126 server_info->account_name = talloc_strdup(server_info, "SYSTEM");
127 NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
129 server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
130 NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
132 server_info->full_name = talloc_strdup(server_info, "System");
133 NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
135 server_info->logon_script = talloc_strdup(server_info, "");
136 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
138 server_info->profile_path = talloc_strdup(server_info, "");
139 NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
141 server_info->home_directory = talloc_strdup(server_info, "");
142 NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
144 server_info->home_drive = talloc_strdup(server_info, "");
145 NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
147 server_info->logon_server = talloc_strdup(server_info, netbios_name);
148 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
150 server_info->last_logon = 0;
151 server_info->last_logoff = 0;
152 server_info->acct_expiry = 0;
153 server_info->last_password_change = 0;
154 server_info->allow_password_change = 0;
155 server_info->force_password_change = 0;
157 server_info->logon_count = 0;
158 server_info->bad_password_count = 0;
160 server_info->acct_flags = ACB_NORMAL;
162 server_info->authenticated = true;
164 *_server_info = server_info;
170 static NTSTATUS auth_domain_admin_server_info(TALLOC_CTX *mem_ctx,
171 const char *netbios_name,
172 const char *domain_name,
173 struct dom_sid *domain_sid,
174 struct auth_serversupplied_info **_server_info)
176 struct auth_serversupplied_info *server_info;
178 server_info = talloc(mem_ctx, struct auth_serversupplied_info);
179 NT_STATUS_HAVE_NO_MEMORY(server_info);
181 server_info->num_sids = 7;
182 server_info->sids = talloc_array(server_info, struct dom_sid, server_info->num_sids);
184 server_info->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
185 sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
187 server_info->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
188 sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_USERS);
190 server_info->sids[2] = global_sid_Builtin_Administrators;
192 server_info->sids[3] = *domain_sid;
193 sid_append_rid(&server_info->sids[3], DOMAIN_RID_ADMINS);
194 server_info->sids[4] = *domain_sid;
195 sid_append_rid(&server_info->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
196 server_info->sids[5] = *domain_sid;
197 sid_append_rid(&server_info->sids[5], DOMAIN_RID_POLICY_ADMINS);
198 server_info->sids[6] = *domain_sid;
199 sid_append_rid(&server_info->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
201 /* What should the session key be?*/
202 server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
203 NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
205 server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
206 NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
208 data_blob_clear(&server_info->user_session_key);
209 data_blob_clear(&server_info->lm_session_key);
211 server_info->account_name = talloc_strdup(server_info, "Administrator");
212 NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
214 server_info->domain_name = talloc_strdup(server_info, domain_name);
215 NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
217 server_info->full_name = talloc_strdup(server_info, "Administrator");
218 NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
220 server_info->logon_script = talloc_strdup(server_info, "");
221 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
223 server_info->profile_path = talloc_strdup(server_info, "");
224 NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
226 server_info->home_directory = talloc_strdup(server_info, "");
227 NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
229 server_info->home_drive = talloc_strdup(server_info, "");
230 NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
232 server_info->logon_server = talloc_strdup(server_info, netbios_name);
233 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
235 server_info->last_logon = 0;
236 server_info->last_logoff = 0;
237 server_info->acct_expiry = 0;
238 server_info->last_password_change = 0;
239 server_info->allow_password_change = 0;
240 server_info->force_password_change = 0;
242 server_info->logon_count = 0;
243 server_info->bad_password_count = 0;
245 server_info->acct_flags = ACB_NORMAL;
247 server_info->authenticated = true;
249 *_server_info = server_info;
254 static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
255 struct loadparm_context *lp_ctx,
256 struct dom_sid *domain_sid,
257 struct auth_session_info **session_info)
260 struct auth_serversupplied_info *server_info = NULL;
261 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
263 nt_status = auth_domain_admin_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx),
264 lpcfg_workgroup(lp_ctx), domain_sid,
266 if (!NT_STATUS_IS_OK(nt_status)) {
267 talloc_free(mem_ctx);
271 nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, server_info,
272 AUTH_SESSION_INFO_SIMPLE_PRIVILEGES|AUTH_SESSION_INFO_AUTHENTICATED|AUTH_SESSION_INFO_DEFAULT_GROUPS,
274 /* There is already a reference between the sesion_info and server_info */
275 if (NT_STATUS_IS_OK(nt_status)) {
276 talloc_steal(parent_ctx, *session_info);
278 talloc_free(mem_ctx);
282 _PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid)
285 struct auth_session_info *session_info = NULL;
286 nt_status = auth_domain_admin_session_info(mem_ctx,
290 if (!NT_STATUS_IS_OK(nt_status)) {
296 _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
297 struct loadparm_context *lp_ctx,
298 struct auth_session_info **_session_info)
301 struct auth_serversupplied_info *server_info = NULL;
302 struct auth_session_info *session_info = NULL;
303 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
305 nt_status = auth_anonymous_server_info(mem_ctx,
306 lpcfg_netbios_name(lp_ctx),
308 if (!NT_STATUS_IS_OK(nt_status)) {
309 talloc_free(mem_ctx);
313 /* references the server_info into the session_info */
314 nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, server_info, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
315 talloc_free(mem_ctx);
317 NT_STATUS_NOT_OK_RETURN(nt_status);
319 session_info->credentials = cli_credentials_init(session_info);
320 if (!session_info->credentials) {
321 return NT_STATUS_NO_MEMORY;
324 cli_credentials_set_conf(session_info->credentials, lp_ctx);
325 cli_credentials_set_anonymous(session_info->credentials);
327 *_session_info = session_info;
332 _PUBLIC_ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
333 const char *netbios_name,
334 struct auth_serversupplied_info **_server_info)
336 struct auth_serversupplied_info *server_info;
337 server_info = talloc(mem_ctx, struct auth_serversupplied_info);
338 NT_STATUS_HAVE_NO_MEMORY(server_info);
340 /* This returns a pointer to a struct dom_sid, which is the
341 * same as a 1 element list of struct dom_sid */
342 server_info->num_sids = 1;
343 server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
344 NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
346 /* annoying, but the Anonymous really does have a session key... */
347 server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
348 NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
350 server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
351 NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
353 /* and it is all zeros! */
354 data_blob_clear(&server_info->user_session_key);
355 data_blob_clear(&server_info->lm_session_key);
357 server_info->account_name = talloc_strdup(server_info, "ANONYMOUS LOGON");
358 NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
360 server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
361 NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
363 server_info->full_name = talloc_strdup(server_info, "Anonymous Logon");
364 NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
366 server_info->logon_script = talloc_strdup(server_info, "");
367 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
369 server_info->profile_path = talloc_strdup(server_info, "");
370 NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
372 server_info->home_directory = talloc_strdup(server_info, "");
373 NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
375 server_info->home_drive = talloc_strdup(server_info, "");
376 NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
378 server_info->logon_server = talloc_strdup(server_info, netbios_name);
379 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
381 server_info->last_logon = 0;
382 server_info->last_logoff = 0;
383 server_info->acct_expiry = 0;
384 server_info->last_password_change = 0;
385 server_info->allow_password_change = 0;
386 server_info->force_password_change = 0;
388 server_info->logon_count = 0;
389 server_info->bad_password_count = 0;
391 server_info->acct_flags = ACB_NORMAL;
393 server_info->authenticated = false;
395 *_server_info = server_info;