#include "includes.h"
#include "auth/auth.h"
-#include "auth/auth_proto.h"
-#include "libcli/security/security.h"
#include "libcli/auth/libcli_auth.h"
-#include "dsdb/samdb/samdb.h"
-#include "auth/credentials/credentials.h"
#include "param/param.h"
+#include "auth/ntlm/auth_proto.h"
+#include "librpc/gen_ndr/drsuapi.h"
+#include "dsdb/samdb/samdb.h"
/* this default function can be used by mostly all backends
* which don't want to set a challenge
*/
-NTSTATUS auth_get_challenge_not_implemented(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge)
+NTSTATUS auth_get_challenge_not_implemented(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, uint8_t chal[8])
{
/* we don't want to set a challenge */
return NT_STATUS_NOT_IMPLEMENTED;
/****************************************************************************
Create an auth_usersupplied_data structure after appropriate mapping.
****************************************************************************/
+static NTSTATUS map_user_info_cracknames(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx,
+ const char *default_domain,
+ const struct auth_usersupplied_info *user_info,
+ struct auth_usersupplied_info **user_info_mapped)
+{
+ char *domain;
+ char *account_name;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ WERROR werr;
+ struct drsuapi_DsNameInfo1 info1;
+
+ DEBUG(5,("map_user_info_cracknames: Mapping user [%s]\\[%s] from workstation [%s]\n",
+ user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
+
+ account_name = talloc_strdup(tmp_ctx, user_info->client.account_name);
+ if (!account_name) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
-NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
+ /* use cracknames to work out what domain is being
+ asked for */
+ if (strchr_m(user_info->client.account_name, '@') != NULL) {
+ werr = DsCrackNameOneName(sam_ctx, tmp_ctx, 0,
+ DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
+ DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT,
+ user_info->client.account_name,
+ &info1);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(2,("map_user_info: Failed cracknames of account '%s'\n",
+ user_info->client.account_name));
+ talloc_free(tmp_ctx);
+ return werror_to_ntstatus(werr);
+ }
+ switch (info1.status) {
+ case DRSUAPI_DS_NAME_STATUS_OK:
+ break;
+ case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
+ DEBUG(2,("map_user_info: Cracknames of account '%s' -> NOT_FOUND\n",
+ user_info->client.account_name));
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_SUCH_USER;
+ case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
+ DEBUG(2,("map_user_info: Cracknames of account '%s' -> DOMAIN_ONLY\n",
+ user_info->client.account_name));
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_SUCH_USER;
+ case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
+ DEBUG(2,("map_user_info: Cracknames of account '%s' -> NOT_UNIQUE\n",
+ user_info->client.account_name));
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_SUCH_USER;
+ case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
+ DEBUG(2,("map_user_info: Cracknames of account '%s' -> RESOLVE_ERROR\n",
+ user_info->client.account_name));
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_SUCH_USER;
+ default:
+ DEBUG(2,("map_user_info: Cracknames of account '%s' -> unknown error %u\n",
+ user_info->client.account_name, info1.status));
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+ /* info1.result_name is in DOMAIN\username
+ * form, which we need to split up into the
+ * user_info_mapped structure
+ */
+ domain = talloc_strdup(tmp_ctx, info1.result_name);
+ if (domain == NULL) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ account_name = strchr_m(domain, '\\');
+ if (account_name == NULL) {
+ DEBUG(2,("map_user_info: Cracknames of account '%s' gave invalid result '%s'\n",
+ user_info->client.account_name, info1.result_name));
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+ *account_name = 0;
+ account_name = talloc_strdup(tmp_ctx, account_name+1);
+ if (account_name == NULL) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ char *domain_name;
+ if (user_info->client.domain_name && *user_info->client.domain_name) {
+ domain_name = talloc_asprintf(tmp_ctx, "%s\\", user_info->client.domain_name);
+ } else {
+ domain_name = talloc_strdup(tmp_ctx, default_domain);
+ }
+ if (domain_name == NULL) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
+ DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT,
+ DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT,
+ domain_name,
+ &info1);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(2,("map_user_info: Failed cracknames of domain '%s'\n",
+ domain_name));
+ talloc_free(tmp_ctx);
+ return werror_to_ntstatus(werr);
+ }
+
+ /* we use the account_name as-is, but get the
+ * domain name from cracknames if possible */
+ account_name = talloc_strdup(mem_ctx, user_info->client.account_name);
+ if (account_name == NULL) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ switch (info1.status) {
+ case DRSUAPI_DS_NAME_STATUS_OK:
+ case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
+ domain = talloc_strdup(tmp_ctx, info1.result_name);
+ if (domain == NULL) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ if (domain[strlen_m(domain)-1] == '\\') {
+ domain[strlen_m(domain)-1] = 0;
+ }
+ break;
+ case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
+ /* the domain is unknown - use the
+ default domain */
+ domain = talloc_strdup(tmp_ctx, default_domain);
+ break;
+ case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
+ DEBUG(2,("map_user_info: Cracknames of domain '%s' -> NOT_UNIQUE\n",
+ domain_name));
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_SUCH_USER;
+ case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
+ DEBUG(2,("map_user_info: Cracknames of domain '%s' -> RESOLVE_ERROR\n",
+ domain_name));
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_SUCH_USER;
+ default:
+ DEBUG(2,("map_user_info: Cracknames of account '%s' -> unknown error %u\n",
+ domain_name, info1.status));
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+ /* domain and account_name are filled in above */
+ }
+
+ *user_info_mapped = talloc_zero(mem_ctx, struct auth_usersupplied_info);
+ if (!*user_info_mapped) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ if (!talloc_reference(*user_info_mapped, user_info)) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ **user_info_mapped = *user_info;
+ (*user_info_mapped)->mapped_state = true;
+ (*user_info_mapped)->mapped.domain_name = talloc_strdup(*user_info_mapped, domain);
+ (*user_info_mapped)->mapped.account_name = talloc_strdup(*user_info_mapped, account_name);
+ talloc_free(tmp_ctx);
+ if (!(*user_info_mapped)->mapped.domain_name
+ || !(*user_info_mapped)->mapped.account_name) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ return NT_STATUS_OK;
+}
+
+
+/****************************************************************************
+ Create an auth_usersupplied_data structure after appropriate mapping.
+****************************************************************************/
+NTSTATUS map_user_info(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx,
const char *default_domain,
const struct auth_usersupplied_info *user_info,
struct auth_usersupplied_info **user_info_mapped)
{
- const char *domain;
+ char *domain;
char *account_name;
char *d;
- DEBUG(5,("map_user_info: Mapping user [%s]\\[%s] from workstation [%s]\n",
- user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
+ TALLOC_CTX *tmp_ctx;
+
+ if (sam_ctx != NULL) {
+ /* if possible, use cracknames to parse the
+ domain/account */
+ return map_user_info_cracknames(sam_ctx, mem_ctx, default_domain, user_info, user_info_mapped);
+ }
+
+ DEBUG(0,("map_user_info: Mapping user [%s]\\[%s] from workstation [%s] default_domain=%s\n",
+ user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name,
+ default_domain));
+
+ tmp_ctx = talloc_new(mem_ctx);
- account_name = talloc_strdup(mem_ctx, user_info->client.account_name);
+ account_name = talloc_strdup(tmp_ctx, user_info->client.account_name);
if (!account_name) {
+ talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
- /* don't allow "" as a domain, fixes a Win9X bug
- where it doesn't supply a domain for logon script
- 'net use' commands. */
+ /* don't allow "" as a domain, fixes a Win9X bug where it
+ doesn't supply a domain for logon script 'net use'
+ commands. */
- /* Split user@realm names into user and realm components. This is TODO to fix with proper userprincipalname support */
+ /* Split user@realm names into user and realm components.
+ * This is TODO to fix with proper userprincipalname
+ * support */
if (user_info->client.domain_name && *user_info->client.domain_name) {
- domain = user_info->client.domain_name;
+ domain = talloc_strdup(tmp_ctx, user_info->client.domain_name);
} else if (strchr_m(user_info->client.account_name, '@')) {
d = strchr_m(account_name, '@');
if (!d) {
+ talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_ERROR;
}
d[0] = '\0';
d++;
domain = d;
} else {
- domain = default_domain;
+ domain = talloc_strdup(tmp_ctx, default_domain);
}
- *user_info_mapped = talloc(mem_ctx, struct auth_usersupplied_info);
+ if (domain == NULL) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ *user_info_mapped = talloc_zero(mem_ctx, struct auth_usersupplied_info);
if (!*user_info_mapped) {
+ talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
if (!talloc_reference(*user_info_mapped, user_info)) {
+ talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
**user_info_mapped = *user_info;
(*user_info_mapped)->mapped_state = true;
(*user_info_mapped)->mapped.domain_name = talloc_strdup(*user_info_mapped, domain);
(*user_info_mapped)->mapped.account_name = talloc_strdup(*user_info_mapped, account_name);
- talloc_free(account_name);
+ talloc_free(tmp_ctx);
if (!(*user_info_mapped)->mapped.domain_name
|| !(*user_info_mapped)->mapped.account_name) {
return NT_STATUS_NO_MEMORY;
Create an auth_usersupplied_data structure after appropriate mapping.
****************************************************************************/
-NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context,
+NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth4_context *auth_context,
enum auth_password_state to_state,
const struct auth_usersupplied_info *user_info_in,
const struct auth_usersupplied_info **user_info_encrypted)
}
case AUTH_PASSWORD_HASH:
{
- const uint8_t *challenge;
+ uint8_t chal[8];
DATA_BLOB chall_blob;
- user_info_temp = talloc(mem_ctx, struct auth_usersupplied_info);
+ user_info_temp = talloc_zero(mem_ctx, struct auth_usersupplied_info);
if (!user_info_temp) {
return NT_STATUS_NO_MEMORY;
}
*user_info_temp = *user_info_in;
user_info_temp->mapped_state = to_state;
- nt_status = auth_get_challenge(auth_context, &challenge);
+ nt_status = auth_get_challenge(auth_context, chal);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
- chall_blob = data_blob_talloc(mem_ctx, challenge, 8);
- if (lp_client_ntlmv2_auth(auth_context->lp_ctx)) {
- DATA_BLOB names_blob = NTLMv2_generate_names_blob(mem_ctx, lp_iconv_convenience(auth_context->lp_ctx), lp_netbios_name(auth_context->lp_ctx), lp_workgroup(auth_context->lp_ctx));
+ chall_blob = data_blob_talloc(mem_ctx, chal, 8);
+ if (lpcfg_client_ntlmv2_auth(auth_context->lp_ctx)) {
+ DATA_BLOB names_blob = NTLMv2_generate_names_blob(mem_ctx, lpcfg_netbios_name(auth_context->lp_ctx), lpcfg_workgroup(auth_context->lp_ctx));
DATA_BLOB lmv2_response, ntlmv2_response, lmv2_session_key, ntlmv2_session_key;
if (!SMBNTLMv2encrypt_hash(user_info_temp,
user_info_in->client.account_name,
user_info_in->client.domain_name,
- user_info_in->password.hash.nt->hash, &chall_blob,
+ user_info_in->password.hash.nt->hash,
+ &chall_blob,
+ NULL, /* server_timestamp */
&names_blob,
&lmv2_response, &ntlmv2_response,
&lmv2_session_key, &ntlmv2_session_key)) {
data_blob_free(&ntlmv2_session_key);
} else {
DATA_BLOB blob = data_blob_talloc(mem_ctx, NULL, 24);
- SMBOWFencrypt(user_info_in->password.hash.nt->hash, challenge, blob.data);
+ SMBOWFencrypt(user_info_in->password.hash.nt->hash, chal, blob.data);
user_info_temp->password.response.nt = blob;
- if (lp_client_lanman_auth(auth_context->lp_ctx) && user_info_in->password.hash.lanman) {
+ if (lpcfg_client_lanman_auth(auth_context->lp_ctx) && user_info_in->password.hash.lanman) {
DATA_BLOB lm_blob = data_blob_talloc(mem_ctx, NULL, 24);
- SMBOWFencrypt(user_info_in->password.hash.lanman->hash, challenge, blob.data);
+ SMBOWFencrypt(user_info_in->password.hash.lanman->hash, chal, blob.data);
user_info_temp->password.response.lanman = lm_blob;
} else {
/* if not sending the LM password, send the NT password twice */
struct samr_Password lanman;
struct samr_Password nt;
- user_info_temp = talloc(mem_ctx, struct auth_usersupplied_info);
+ user_info_temp = talloc_zero(mem_ctx, struct auth_usersupplied_info);
if (!user_info_temp) {
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_OK;
}
-
-
-/**
- * Squash an NT_STATUS in line with security requirements.
- * In an attempt to avoid giving the whole game away when users
- * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and
- * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations
- * (session setups in particular).
- *
- * @param nt_status NTSTATUS input for squashing.
- * @return the 'squashed' nt_status
- **/
-_PUBLIC_ NTSTATUS auth_nt_status_squash(NTSTATUS nt_status)
-{
- if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) {
- /* Match WinXP and don't give the game away */
- return NT_STATUS_LOGON_FAILURE;
- } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) {
- /* Match WinXP and don't give the game away */
- return NT_STATUS_LOGON_FAILURE;
- }
-
- return nt_status;
-}