2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 1998-2001
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jim McDonough 2002
7 Copyright (C) Luke Howard 2003
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 setup the OS, Lanman and domain portions of a session setup reply
29 static void sesssetup_common_strings(struct smbsrv_request *req,
30 char **os, char **lanman, char **domain)
32 (*os) = talloc_asprintf(req, "Unix");
33 (*lanman) = talloc_asprintf(req, "Samba %s", SAMBA_VERSION_STRING);
34 (*domain) = talloc_asprintf(req, "%s", lp_workgroup());
39 handler for old style session setup
41 static NTSTATUS sesssetup_old(struct smbsrv_request *req, union smb_sesssetup *sess)
44 struct auth_usersupplied_info *user_info = NULL;
45 struct auth_serversupplied_info *server_info = NULL;
46 struct auth_session_info *session_info;
48 if (!req->smb_conn->negotiate.done_sesssetup) {
49 req->smb_conn->negotiate.max_send = sess->old.in.bufsize;
52 status = make_user_info_for_reply_enc(&user_info,
53 sess->old.in.user, sess->old.in.domain,
54 sess->old.in.password,
56 if (!NT_STATUS_IS_OK(status)) {
57 return NT_STATUS_ACCESS_DENIED;
60 status = req->smb_conn->negotiate.auth_context->check_ntlm_password(req->smb_conn->negotiate.auth_context,
63 if (!NT_STATUS_IS_OK(status)) {
64 return nt_status_squash(status);
67 status = make_session_info(server_info, &session_info);
68 if (!NT_STATUS_IS_OK(status)) {
69 return nt_status_squash(status);
72 sess->old.out.action = 0;
73 sess->old.out.vuid = smbsrv_register_session(req->smb_conn, session_info, NULL);
74 if (sess->old.out.vuid == UID_FIELD_INVALID) {
75 return NT_STATUS_ACCESS_DENIED;
77 sesssetup_common_strings(req,
79 &sess->old.out.lanman,
80 &sess->old.out.domain);
82 req->session = smbsrv_session_find(req->smb_conn, sess->old.out.vuid);
89 handler for NT1 style session setup
91 static NTSTATUS sesssetup_nt1(struct smbsrv_request *req, union smb_sesssetup *sess)
94 struct auth_usersupplied_info *user_info = NULL;
95 struct auth_serversupplied_info *server_info = NULL;
96 struct auth_session_info *session_info;
98 if (!req->smb_conn->negotiate.done_sesssetup) {
99 req->smb_conn->negotiate.max_send = sess->nt1.in.bufsize;
100 req->smb_conn->negotiate.client_caps = sess->nt1.in.capabilities;
103 if (req->smb_conn->negotiate.spnego_negotiated) {
104 struct auth_context *auth_context;
106 if (sess->nt1.in.user && *sess->nt1.in.user) {
107 return NT_STATUS_ACCESS_DENIED;
109 make_user_info_guest(&user_info);
112 status = make_auth_context_subsystem(&auth_context);
114 if (!NT_STATUS_IS_OK(status)) {
118 status = auth_context->check_ntlm_password(auth_context,
122 free_auth_context(&auth_context);
125 status = make_user_info_for_reply_enc(&user_info,
126 sess->nt1.in.user, sess->nt1.in.domain,
127 sess->nt1.in.password1,
128 sess->nt1.in.password2);
129 if (!NT_STATUS_IS_OK(status)) {
130 return NT_STATUS_ACCESS_DENIED;
133 status = req->smb_conn->negotiate
134 .auth_context->check_ntlm_password(req->smb_conn->negotiate
140 if (!NT_STATUS_IS_OK(status)) {
141 return nt_status_squash(status);
144 status = make_session_info(server_info, &session_info);
145 if (!NT_STATUS_IS_OK(status)) {
146 return nt_status_squash(status);
149 sess->nt1.out.action = 0;
150 sess->nt1.out.vuid = smbsrv_register_session(req->smb_conn, session_info, NULL);
151 if (sess->nt1.out.vuid == UID_FIELD_INVALID) {
152 return NT_STATUS_ACCESS_DENIED;
154 sesssetup_common_strings(req,
156 &sess->nt1.out.lanman,
157 &sess->nt1.out.domain);
159 req->session = smbsrv_session_find(req->smb_conn, sess->nt1.out.vuid);
160 if (session_info->server_info->guest) {
163 if (!srv_setup_signing(req->smb_conn, &session_info->session_key, &sess->nt1.in.password2)) {
164 /* Already signing, or disabled */
168 /* Force check of the request packet, now we know the session key */
169 req_signing_check_incoming(req);
171 srv_signing_restart(req->smb_conn, &session_info->session_key, &sess->nt1.in.password2);
178 handler for SPNEGO style session setup
180 static NTSTATUS sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *sess)
182 NTSTATUS status = NT_STATUS_ACCESS_DENIED;
183 struct smbsrv_session *smb_sess;
184 struct gensec_security *gensec_ctx = NULL;
185 struct auth_session_info *session_info = NULL;
188 if (!req->smb_conn->negotiate.done_sesssetup) {
189 req->smb_conn->negotiate.max_send = sess->nt1.in.bufsize;
190 req->smb_conn->negotiate.client_caps = sess->nt1.in.capabilities;
193 vuid = SVAL(req->in.hdr,HDR_UID);
194 smb_sess = smbsrv_session_find(req->smb_conn, vuid);
196 if (!smb_sess->gensec_ctx) {
197 return NT_STATUS_INVALID_HANDLE;
200 /* what is when the client is already successful authentificated? */
201 if (smb_sess->session_info) {
202 return NT_STATUS_ACCESS_DENIED;
205 status = gensec_update(smb_sess->gensec_ctx, req, sess->spnego.in.secblob, &sess->spnego.out.secblob);
207 status = gensec_server_start(&gensec_ctx);
208 if (!NT_STATUS_IS_OK(status)) {
209 DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status)));
213 gensec_want_feature(gensec_ctx, GENSEC_WANT_SESSION_KEY);
215 status = gensec_start_mech_by_oid(gensec_ctx, OID_SPNEGO);
216 if (!NT_STATUS_IS_OK(status)) {
217 DEBUG(1, ("Failed to start GENSEC SPNEGO server code: %s\n", nt_errstr(status)));
221 status = gensec_update(gensec_ctx, req, sess->spnego.in.secblob, &sess->spnego.out.secblob);
226 vuid = smbsrv_register_session(req->smb_conn, session_info, gensec_ctx);
227 if (vuid == UID_FIELD_INVALID) {
228 return NT_STATUS_ACCESS_DENIED;
230 smb_sess = smbsrv_session_find(req->smb_conn, vuid);
232 return NT_STATUS_FOOBAR;
236 if (NT_STATUS_IS_OK(status)) {
237 DATA_BLOB session_key;
239 status = gensec_session_info(smb_sess->gensec_ctx, &smb_sess->session_info);
240 if (!NT_STATUS_IS_OK(status)) {
244 status = gensec_session_key(smb_sess->gensec_ctx,
246 if (NT_STATUS_IS_OK(status)
247 && !smb_sess->session_info->server_info->guest
248 && srv_setup_signing(req->smb_conn, &session_key, NULL)) {
249 /* Force check of the request packet, now we know the session key */
250 req_signing_check_incoming(req);
252 srv_signing_restart(req->smb_conn, &session_key, NULL);
256 status = nt_status_squash(status);
259 sess->spnego.out.action = 0;
260 sess->spnego.out.vuid = vuid;
261 sesssetup_common_strings(req,
262 &sess->spnego.out.os,
263 &sess->spnego.out.lanman,
264 &sess->spnego.out.domain);
270 backend for sessionsetup call - this takes all 3 variants of the call
272 NTSTATUS sesssetup_backend(struct smbsrv_request *req,
273 union smb_sesssetup *sess)
275 NTSTATUS status = NT_STATUS_INVALID_LEVEL;
277 switch (sess->generic.level) {
278 case RAW_SESSSETUP_GENERIC:
279 status = NT_STATUS_INVALID_LEVEL;
281 case RAW_SESSSETUP_OLD:
282 status = sesssetup_old(req, sess);
284 case RAW_SESSSETUP_NT1:
285 status = sesssetup_nt1(req, sess);
287 case RAW_SESSSETUP_SPNEGO:
288 status = sesssetup_spnego(req, sess);
292 if (NT_STATUS_IS_OK(status)) {
293 req->smb_conn->negotiate.done_sesssetup = True;