source4/auth/system_session.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Authentication utility functions
   4    Copyright (C) Andrew Tridgell 1992-1998
   5    Copyright (C) Andrew Bartlett 2001-2010
   6    Copyright (C) Jeremy Allison 2000-2001
   7    Copyright (C) Rafal Szczesniak 2002
   8    Copyright (C) Stefan Metzmacher 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "libcli/security/security.h"
  26 #include "auth/credentials/credentials.h"
  27 #include "param/param.h"
  28 #include "auth/auth.h" /* for auth_user_info_dc */
  29 #include "auth/session.h"
  30 #include "auth/system_session_proto.h"
  31
  32
  33 /*
  34   prevent the static system session being freed
  35  */
  36 static int system_session_destructor(struct auth_session_info *info)
  37 {
  38         return -1;
  39 }
  40
  41 /* Create a security token for a session SYSTEM (the most
  42  * trusted/prvilaged account), including the local machine account as
  43  * the off-host credentials
  44  */
  45 _PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ctx)
  46 {
  47         static struct auth_session_info *static_session;
  48         NTSTATUS nt_status;
  49
  50         if (static_session) {
  51                 return static_session;
  52         }
  53
  54         /*
  55          * Use NULL here, not the autofree context for this
  56          * static pointer. The destructor prevents freeing this
  57          * memory anyway.
  58          */
  59         nt_status = auth_system_session_info(NULL,
  60                                              lp_ctx,
  61                                              &static_session);
  62         if (!NT_STATUS_IS_OK(nt_status)) {
  63                 talloc_free(static_session);
  64                 static_session = NULL;
  65                 return NULL;
  66         }
  67         talloc_set_destructor(static_session, system_session_destructor);
  68         return static_session;
  69 }
  70
  71 NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
  72                                   struct loadparm_context *lp_ctx,
  73                                   struct auth_session_info **_session_info)
  74 {
  75         NTSTATUS nt_status;
  76         struct auth_user_info_dc *user_info_dc = NULL;
  77         struct auth_session_info *session_info = NULL;
  78         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
  79
  80         nt_status = auth_system_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
  81                                             &user_info_dc);
  82         if (!NT_STATUS_IS_OK(nt_status)) {
  83                 talloc_free(mem_ctx);
  84                 return nt_status;
  85         }
  86
  87         /* references the user_info_dc into the session_info */
  88         nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
  89         talloc_free(mem_ctx);
  90
  91         NT_STATUS_NOT_OK_RETURN(nt_status);
  92
  93         session_info->credentials = cli_credentials_init(session_info);
  94         if (!session_info->credentials) {
  95                 return NT_STATUS_NO_MEMORY;
  96         }
  97
  98         cli_credentials_set_conf(session_info->credentials, lp_ctx);
  99
 100         cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
 101         *_session_info = session_info;
 102
 103         return NT_STATUS_OK;
 104 }
 105
 106 NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name,
 107                                  struct auth_user_info_dc **_user_info_dc)
 108 {
 109         struct auth_user_info_dc *user_info_dc;
 110         struct auth_user_info *info;
 111
 112         user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
 113         NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
 114
 115         /* This returns a pointer to a struct dom_sid, which is the
 116          * same as a 1 element list of struct dom_sid */
 117         user_info_dc->num_sids = 1;
 118         user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_SYSTEM);
 119         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
 120
 121         /* annoying, but the Anonymous really does have a session key,
 122            and it is all zeros! */
 123         user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
 124         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
 125
 126         user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
 127         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
 128
 129         data_blob_clear(&user_info_dc->user_session_key);
 130         data_blob_clear(&user_info_dc->lm_session_key);
 131
 132         user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
 133         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
 134
 135         info->account_name = talloc_strdup(info, "SYSTEM");
 136         NT_STATUS_HAVE_NO_MEMORY(info->account_name);
 137
 138         info->domain_name = talloc_strdup(info, "NT AUTHORITY");
 139         NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
 140
 141         info->full_name = talloc_strdup(info, "System");
 142         NT_STATUS_HAVE_NO_MEMORY(info->full_name);
 143
 144         info->logon_script = talloc_strdup(info, "");
 145         NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
 146
 147         info->profile_path = talloc_strdup(info, "");
 148         NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
 149
 150         info->home_directory = talloc_strdup(info, "");
 151         NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
 152
 153         info->home_drive = talloc_strdup(info, "");
 154         NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
 155
 156         info->logon_server = talloc_strdup(info, netbios_name);
 157         NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
 158
 159         info->last_logon = 0;
 160         info->last_logoff = 0;
 161         info->acct_expiry = 0;
 162         info->last_password_change = 0;
 163         info->allow_password_change = 0;
 164         info->force_password_change = 0;
 165
 166         info->logon_count = 0;
 167         info->bad_password_count = 0;
 168
 169         info->acct_flags = ACB_NORMAL;
 170
 171         info->authenticated = true;
 172
 173         *_user_info_dc = user_info_dc;
 174
 175         return NT_STATUS_OK;
 176 }
 177
 178
 179 static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
 180                                               const char *netbios_name,
 181                                               const char *domain_name,
 182                                               struct dom_sid *domain_sid,
 183                                               struct auth_user_info_dc **_user_info_dc)
 184 {
 185         struct auth_user_info_dc *user_info_dc;
 186         struct auth_user_info *info;
 187
 188         user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
 189         NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
 190
 191         user_info_dc->num_sids = 7;
 192         user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids);
 193
 194         user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
 195         sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
 196
 197         user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
 198         sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], DOMAIN_RID_USERS);
 199
 200         user_info_dc->sids[2] = global_sid_Builtin_Administrators;
 201
 202         user_info_dc->sids[3] = *domain_sid;
 203         sid_append_rid(&user_info_dc->sids[3], DOMAIN_RID_ADMINS);
 204         user_info_dc->sids[4] = *domain_sid;
 205         sid_append_rid(&user_info_dc->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
 206         user_info_dc->sids[5] = *domain_sid;
 207         sid_append_rid(&user_info_dc->sids[5], DOMAIN_RID_POLICY_ADMINS);
 208         user_info_dc->sids[6] = *domain_sid;
 209         sid_append_rid(&user_info_dc->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
 210
 211         /* What should the session key be?*/
 212         user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
 213         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
 214
 215         user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
 216         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
 217
 218         data_blob_clear(&user_info_dc->user_session_key);
 219         data_blob_clear(&user_info_dc->lm_session_key);
 220
 221         user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
 222         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
 223
 224         info->account_name = talloc_strdup(info, "Administrator");
 225         NT_STATUS_HAVE_NO_MEMORY(info->account_name);
 226
 227         info->domain_name = talloc_strdup(info, domain_name);
 228         NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
 229
 230         info->full_name = talloc_strdup(info, "Administrator");
 231         NT_STATUS_HAVE_NO_MEMORY(info->full_name);
 232
 233         info->logon_script = talloc_strdup(info, "");
 234         NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
 235
 236         info->profile_path = talloc_strdup(info, "");
 237         NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
 238
 239         info->home_directory = talloc_strdup(info, "");
 240         NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
 241
 242         info->home_drive = talloc_strdup(info, "");
 243         NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
 244
 245         info->logon_server = talloc_strdup(info, netbios_name);
 246         NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
 247
 248         info->last_logon = 0;
 249         info->last_logoff = 0;
 250         info->acct_expiry = 0;
 251         info->last_password_change = 0;
 252         info->allow_password_change = 0;
 253         info->force_password_change = 0;
 254
 255         info->logon_count = 0;
 256         info->bad_password_count = 0;
 257
 258         info->acct_flags = ACB_NORMAL;
 259
 260         info->authenticated = true;
 261
 262         *_user_info_dc = user_info_dc;
 263
 264         return NT_STATUS_OK;
 265 }
 266
 267 static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
 268                                                struct loadparm_context *lp_ctx,
 269                                                struct dom_sid *domain_sid,
 270                                                struct auth_session_info **session_info)
 271 {
 272         NTSTATUS nt_status;
 273         struct auth_user_info_dc *user_info_dc = NULL;
 274         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 275
 276         NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
 277
 278         nt_status = auth_domain_admin_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
 279                                                   lpcfg_workgroup(lp_ctx), domain_sid,
 280                                                   &user_info_dc);
 281         if (!NT_STATUS_IS_OK(nt_status)) {
 282                 talloc_free(mem_ctx);
 283                 return nt_status;
 284         }
 285
 286         nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc,
 287                                                AUTH_SESSION_INFO_SIMPLE_PRIVILEGES|AUTH_SESSION_INFO_AUTHENTICATED|AUTH_SESSION_INFO_DEFAULT_GROUPS,
 288                                                session_info);
 289         /* There is already a reference between the sesion_info and user_info_dc */
 290         if (NT_STATUS_IS_OK(nt_status)) {
 291                 talloc_steal(parent_ctx, *session_info);
 292         }
 293         talloc_free(mem_ctx);
 294         return nt_status;
 295 }
 296
 297 _PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid)
 298 {
 299         NTSTATUS nt_status;
 300         struct auth_session_info *session_info = NULL;
 301         nt_status = auth_domain_admin_session_info(mem_ctx,
 302                                                    lp_ctx,
 303                                                    domain_sid,
 304                                                    &session_info);
 305         if (!NT_STATUS_IS_OK(nt_status)) {
 306                 return NULL;
 307         }
 308         return session_info;
 309 }
 310
 311 _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
 312                                               struct loadparm_context *lp_ctx,
 313                                               struct auth_session_info **_session_info)
 314 {
 315         NTSTATUS nt_status;
 316         struct auth_user_info_dc *user_info_dc = NULL;
 317         struct auth_session_info *session_info = NULL;
 318         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 319
 320         nt_status = auth_anonymous_user_info_dc(mem_ctx,
 321                                                lpcfg_netbios_name(lp_ctx),
 322                                                &user_info_dc);
 323         if (!NT_STATUS_IS_OK(nt_status)) {
 324                 talloc_free(mem_ctx);
 325                 return nt_status;
 326         }
 327
 328         /* references the user_info_dc into the session_info */
 329         nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
 330         talloc_free(mem_ctx);
 331
 332         NT_STATUS_NOT_OK_RETURN(nt_status);
 333
 334         session_info->credentials = cli_credentials_init(session_info);
 335         if (!session_info->credentials) {
 336                 return NT_STATUS_NO_MEMORY;
 337         }
 338
 339         cli_credentials_set_conf(session_info->credentials, lp_ctx);
 340         cli_credentials_set_anonymous(session_info->credentials);
 341
 342         *_session_info = session_info;
 343
 344         return NT_STATUS_OK;
 345 }
 346
 347 _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
 348                                     const char *netbios_name,
 349                                     struct auth_user_info_dc **_user_info_dc)
 350 {
 351         struct auth_user_info_dc *user_info_dc;
 352         struct auth_user_info *info;
 353         user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
 354         NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
 355
 356         /* This returns a pointer to a struct dom_sid, which is the
 357          * same as a 1 element list of struct dom_sid */
 358         user_info_dc->num_sids = 1;
 359         user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS);
 360         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
 361
 362         /* annoying, but the Anonymous really does have a session key... */
 363         user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
 364         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
 365
 366         user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
 367         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
 368
 369         /*  and it is all zeros! */
 370         data_blob_clear(&user_info_dc->user_session_key);
 371         data_blob_clear(&user_info_dc->lm_session_key);
 372
 373         user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
 374         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
 375
 376         info->account_name = talloc_strdup(info, "ANONYMOUS LOGON");
 377         NT_STATUS_HAVE_NO_MEMORY(info->account_name);
 378
 379         info->domain_name = talloc_strdup(info, "NT AUTHORITY");
 380         NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
 381
 382         info->full_name = talloc_strdup(info, "Anonymous Logon");
 383         NT_STATUS_HAVE_NO_MEMORY(info->full_name);
 384
 385         info->logon_script = talloc_strdup(info, "");
 386         NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
 387
 388         info->profile_path = talloc_strdup(info, "");
 389         NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
 390
 391         info->home_directory = talloc_strdup(info, "");
 392         NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
 393
 394         info->home_drive = talloc_strdup(info, "");
 395         NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
 396
 397         info->logon_server = talloc_strdup(info, netbios_name);
 398         NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
 399
 400         info->last_logon = 0;
 401         info->last_logoff = 0;
 402         info->acct_expiry = 0;
 403         info->last_password_change = 0;
 404         info->allow_password_change = 0;
 405         info->force_password_change = 0;
 406
 407         info->logon_count = 0;
 408         info->bad_password_count = 0;
 409
 410         info->acct_flags = ACB_NORMAL;
 411
 412         info->authenticated = false;
 413
 414         *_user_info_dc = user_info_dc;
 415
 416         return NT_STATUS_OK;
 417 }
 418