source/auth/auth_server.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Authenticate to a remote server
   4    Copyright (C) Andrew Tridgell 1992-1998
   5    Copyright (C) Andrew Bartlett 2001
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #include "includes.h"
  22
  23 /****************************************************************************
  24  Support for server level security.
  25 ****************************************************************************/
  26
  27 static struct smbcli_state *server_cryptkey(TALLOC_CTX *mem_ctx, bool unicode, int maxprotocol)
  28 {
  29         struct smbcli_state *cli = NULL;
  30         fstring desthost;
  31         struct in_addr dest_ip;
  32         const char *p;
  33         char *pserver;
  34         bool connected_ok = false;
  35
  36         if (!(cli = smbcli_initialise(cli)))
  37                 return NULL;
  38
  39         /* security = server just can't function with spnego */
  40         cli->use_spnego = false;
  41
  42         pserver = talloc_strdup(mem_ctx, lp_passwordserver());
  43         p = pserver;
  44
  45         while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) {
  46                 strupper(desthost);
  47
  48                 if(!resolve_name( desthost, &dest_ip, 0x20)) {
  49                         DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost));
  50                         continue;
  51                 }
  52
  53                 if (ismyip(dest_ip)) {
  54                         DEBUG(1,("Password server loop - disabling password server %s\n",desthost));
  55                         continue;
  56                 }
  57
  58                 /* we use a mutex to prevent two connections at once - when a
  59                    Win2k PDC get two connections where one hasn't completed a
  60                    session setup yet it will send a TCP reset to the first
  61                    connection (tridge) */
  62
  63                 if (!grab_server_mutex(desthost)) {
  64                         return NULL;
  65                 }
  66
  67                 if (smbcli_connect(cli, desthost, &dest_ip)) {
  68                         DEBUG(3,("connected to password server %s\n",desthost));
  69                         connected_ok = true;
  70                         break;
  71                 }
  72         }
  73
  74         if (!connected_ok) {
  75                 release_server_mutex();
  76                 DEBUG(0,("password server not available\n"));
  77                 talloc_free(cli);
  78                 return NULL;
  79         }
  80
  81         if (!attempt_netbios_session_request(cli, lp_netbios_name(),
  82                                              desthost, &dest_ip)) {
  83                 release_server_mutex();
  84                 DEBUG(1,("password server fails session request\n"));
  85                 talloc_free(cli);
  86                 return NULL;
  87         }
  88
  89         if (strequal(desthost,myhostname(mem_ctx))) {
  90                 exit_server("Password server loop!");
  91         }
  92
  93         DEBUG(3,("got session\n"));
  94
  95         if (!smbcli_negprot(cli, unicode, maxprotocol)) {
  96                 DEBUG(1,("%s rejected the negprot\n",desthost));
  97                 release_server_mutex();
  98                 talloc_free(cli);
  99                 return NULL;
 100         }
 101
 102         if (cli->protocol < PROTOCOL_LANMAN2 ||
 103             !(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
 104                 DEBUG(1,("%s isn't in user level security mode\n",desthost));
 105                 release_server_mutex();
 106                 talloc_free(cli);
 107                 return NULL;
 108         }
 109
 110         /* Get the first session setup done quickly, to avoid silly
 111            Win2k bugs.  (The next connection to the server will kill
 112            this one...
 113         */
 114
 115         if (!smbcli_session_setup(cli, "", "", 0, "", 0,
 116                                "")) {
 117                 DEBUG(0,("%s rejected the initial session setup (%s)\n",
 118                          desthost, smbcli_errstr(cli)));
 119                 release_server_mutex();
 120                 talloc_free(cli);
 121                 return NULL;
 122         }
 123
 124         release_server_mutex();
 125
 126         DEBUG(3,("password server OK\n"));
 127
 128         return cli;
 129 }
 130
 131 /****************************************************************************
 132  Clean up our allocated cli.
 133 ****************************************************************************/
 134
 135 static void free_server_private_data(void **private_data_pointer)
 136 {
 137         struct smbcli_state **cli = (struct smbcli_state **)private_data_pointer;
 138         if (*cli && (*cli)->initialised) {
 139                 talloc_free(*cli);
 140         }
 141 }
 142
 143 /****************************************************************************
 144  Get the challenge out of a password server.
 145 ****************************************************************************/
 146
 147 static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_context,
 148                                            void **my_private_data,
 149                                            TALLOC_CTX *mem_ctx)
 150 {
 151         struct smbcli_state *cli = server_cryptkey(mem_ctx, lp_cli_maxprotocol(auth_context->lp_ctx));
 152
 153         if (cli) {
 154                 DEBUG(3,("using password server validation\n"));
 155
 156                 if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
 157                         /* We can't work with unencrypted password servers
 158                            unless 'encrypt passwords = no' */
 159                         DEBUG(5,("make_auth_info_server: Server is unencrypted, no challenge available..\n"));
 160
 161                         /* However, it is still a perfectly fine connection
 162                            to pass that unencrypted password over */
 163                         *my_private_data = (void *)cli;
 164                         return data_blob(NULL, 0);
 165
 166                 } else if (cli->secblob.length < 8) {
 167                         /* We can't do much if we don't get a full challenge */
 168                         DEBUG(2,("make_auth_info_server: Didn't receive a full challenge from server\n"));
 169                         talloc_free(cli);
 170                         return data_blob(NULL, 0);
 171                 }
 172
 173                 *my_private_data = (void *)cli;
 174
 175                 /* The return must be allocated on the caller's mem_ctx, as our own will be
 176                    destoyed just after the call. */
 177                 return data_blob_talloc(auth_context->mem_ctx, cli->secblob.data,8);
 178         } else {
 179                 return data_blob(NULL, 0);
 180         }
 181 }
 182
 183
 184 /****************************************************************************
 185  Check for a valid username and password in security=server mode.
 186   - Validate a password with the password server.
 187 ****************************************************************************/
 188
 189 static NTSTATUS check_smbserver_security(const struct auth_context *auth_context,
 190                                          void *my_private_data,
 191                                          TALLOC_CTX *mem_ctx,
 192                                          const auth_usersupplied_info *user_info,
 193                                          auth_serversupplied_info **server_info)
 194 {
 195         struct smbcli_state *cli;
 196         static uint8_t badpass[24];
 197         static fstring baduser;
 198         static bool tested_password_server = false;
 199         static bool bad_password_server = false;
 200         NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
 201         bool locally_made_cli = false;
 202
 203         /*
 204          * Check that the requested domain is not our own machine name.
 205          * If it is, we should never check the PDC here, we use our own local
 206          * password file.
 207          */
 208
 209         if (lp_is_myname(auth_context->lp_ctx, user_info->domain.str)) {
 210                 DEBUG(3,("check_smbserver_security: Requested domain was for this machine.\n"));
 211                 return NT_STATUS_LOGON_FAILURE;
 212         }
 213
 214         cli = my_private_data;
 215
 216         if (cli) {
 217         } else {
 218                 cli = server_cryptkey(mem_ctx, lp_unicode(auth_context->lp_ctx), lp_cli_maxprotocol(auth_context->lp_ctx));
 219                 locally_made_cli = true;
 220         }
 221
 222         if (!cli || !cli->initialised) {
 223                 DEBUG(1,("password server is not connected (cli not initilised)\n"));
 224                 return NT_STATUS_LOGON_FAILURE;
 225         }
 226
 227         if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
 228                 if (user_info->encrypted) {
 229                         DEBUG(1,("password server %s is plaintext, but we are encrypted. This just can't work :-(\n", cli->desthost));
 230                         return NT_STATUS_LOGON_FAILURE;
 231                 }
 232         } else {
 233                 if (memcmp(cli->secblob.data, auth_context->challenge.data, 8) != 0) {
 234                         DEBUG(1,("the challenge that the password server (%s) supplied us is not the one we gave our client. This just can't work :-(\n", cli->desthost));
 235                         return NT_STATUS_LOGON_FAILURE;
 236                 }
 237         }
 238
 239         if(badpass[0] == 0)
 240                 memset(badpass, 0x1f, sizeof(badpass));
 241
 242         if((user_info->nt_resp.length == sizeof(badpass)) &&
 243            !memcmp(badpass, user_info->nt_resp.data, sizeof(badpass))) {
 244                 /*
 245                  * Very unlikely, our random bad password is the same as the users
 246                  * password.
 247                  */
 248                 memset(badpass, badpass[0]+1, sizeof(badpass));
 249         }
 250
 251         if(baduser[0] == 0) {
 252                 fstrcpy(baduser, INVALID_USER_PREFIX);
 253                 fstrcat(baduser, lp_netbios_name());
 254         }
 255
 256         /*
 257          * Attempt a session setup with a totally incorrect password.
 258          * If this succeeds with the guest bit *NOT* set then the password
 259          * server is broken and is not correctly setting the guest bit. We
 260          * need to detect this as some versions of NT4.x are broken. JRA.
 261          */
 262
 263         /* I sure as hell hope that there aren't servers out there that take
 264          * NTLMv2 and have this bug, as we don't test for that...
 265          *  - abartlet@samba.org
 266          */
 267
 268         if ((!tested_password_server) && (lp_paranoid_server_security())) {
 269                 if (smbcli_session_setup(cli, baduser, (char *)badpass, sizeof(badpass),
 270                                         (char *)badpass, sizeof(badpass), user_info->domain.str)) {
 271
 272                         /*
 273                          * We connected to the password server so we
 274                          * can say we've tested it.
 275                          */
 276                         tested_password_server = true;
 277
 278                         if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
 279                                 DEBUG(0,("server_validate: password server %s allows users as non-guest \
 280 with a bad password.\n", cli->desthost));
 281                                 DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
 282 use this machine as the password server.\n"));
 283                                 smbcli_ulogoff(cli);
 284
 285                                 /*
 286                                  * Password server has the bug.
 287                                  */
 288                                 bad_password_server = true;
 289                                 return NT_STATUS_LOGON_FAILURE;
 290                         }
 291                         smbcli_ulogoff(cli);
 292                 }
 293         } else {
 294
 295                 /*
 296                  * We have already tested the password server.
 297                  * Fail immediately if it has the bug.
 298                  */
 299
 300                 if(bad_password_server) {
 301                         DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
 302 with a bad password.\n", cli->desthost));
 303                         DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
 304 use this machine as the password server.\n"));
 305                         return NT_STATUS_LOGON_FAILURE;
 306                 }
 307         }
 308
 309         /*
 310          * Now we know the password server will correctly set the guest bit, or is
 311          * not guest enabled, we can try with the real password.
 312          */
 313
 314         if (!user_info->encrypted) {
 315                 /* Plaintext available */
 316                 if (!smbcli_session_setup(cli, user_info->smb_name.str,
 317                                        (char *)user_info->plaintext_password.data,
 318                                        user_info->plaintext_password.length,
 319                                        NULL, 0,
 320                                        user_info->domain.str)) {
 321                         DEBUG(1,("password server %s rejected the password\n", cli->desthost));
 322                         /* Make this smbcli_nt_error() when the conversion is in */
 323                         nt_status = smbcli_nt_error(cli);
 324                 } else {
 325                         nt_status = NT_STATUS_OK;
 326                 }
 327         } else {
 328                 if (!smbcli_session_setup(cli, user_info->smb_name.str,
 329                                        (char *)user_info->lm_resp.data,
 330                                        user_info->lm_resp.length,
 331                                        (char *)user_info->nt_resp.data,
 332                                        user_info->nt_resp.length,
 333                                        user_info->domain.str)) {
 334                         DEBUG(1,("password server %s rejected the password\n", cli->desthost));
 335                         /* Make this smbcli_nt_error() when the conversion is in */
 336                         nt_status = smbcli_nt_error(cli);
 337                 } else {
 338                         nt_status = NT_STATUS_OK;
 339                 }
 340         }
 341
 342         /* if logged in as guest then reject */
 343         if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
 344                 DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
 345                 nt_status = NT_STATUS_LOGON_FAILURE;
 346         }
 347
 348         smbcli_ulogoff(cli);
 349
 350         if NT_STATUS_IS_OK(nt_status) {
 351                 struct passwd *pass = Get_Pwnam(user_info->internal_username.str);
 352                 if (pass) {
 353                         nt_status = make_server_info_pw(auth_context, server_info, pass);
 354                 } else {
 355                         nt_status = NT_STATUS_NO_SUCH_USER;
 356                 }
 357         }
 358
 359         if (locally_made_cli) {
 360                 talloc_free(cli);
 361         }
 362
 363         return(nt_status);
 364 }
 365
 366 NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
 367 {
 368         if (!make_auth_methods(auth_context, auth_method)) {
 369                 return NT_STATUS_NO_MEMORY;
 370         }
 371         (*auth_method)->name = "smbserver";
 372         (*auth_method)->auth = check_smbserver_security;
 373         (*auth_method)->get_chal = auth_get_challenge_server;
 374         (*auth_method)->send_keepalive = send_server_keepalive;
 375         (*auth_method)->free_private_data = free_server_private_data;
 376         return NT_STATUS_OK;
 377 }