source3/auth/auth_ntlmssp.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, server side
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett 2001-2003
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "auth.h"
  25 #include "../libcli/auth/ntlmssp.h"
  26 #include "ntlmssp_wrap.h"
  27 #include "../librpc/gen_ndr/netlogon.h"
  28 #include "../lib/tsocket/tsocket.h"
  29 #include "auth/gensec/gensec.h"
  30
  31 NTSTATUS auth_ntlmssp_session_info(TALLOC_CTX *mem_ctx,
  32                                    struct auth_ntlmssp_state *auth_ntlmssp_state,
  33                                    struct auth_session_info **session_info)
  34 {
  35         NTSTATUS nt_status;
  36         if (auth_ntlmssp_state->gensec_security) {
  37
  38                 nt_status = gensec_session_info(auth_ntlmssp_state->gensec_security,
  39                                                 mem_ctx,
  40                                                 session_info);
  41                 return nt_status;
  42         }
  43
  44         nt_status = create_local_token(mem_ctx,
  45                                        auth_ntlmssp_state->server_info,
  46                                        &auth_ntlmssp_state->ntlmssp_state->session_key,
  47                                        auth_ntlmssp_state->ntlmssp_state->user,
  48                                        session_info);
  49
  50         if (!NT_STATUS_IS_OK(nt_status)) {
  51                 DEBUG(10, ("create_local_token failed: %s\n",
  52                            nt_errstr(nt_status)));
  53         }
  54         return nt_status;
  55 }
  56
  57 /**
  58  * Return the challenge as determined by the authentication subsystem
  59  * @return an 8 byte random challenge
  60  */
  61
  62 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
  63                                            uint8_t chal[8])
  64 {
  65         struct auth_ntlmssp_state *auth_ntlmssp_state =
  66                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  67         auth_ntlmssp_state->auth_context->get_ntlm_challenge(
  68                 auth_ntlmssp_state->auth_context, chal);
  69         return NT_STATUS_OK;
  70 }
  71
  72 /**
  73  * Some authentication methods 'fix' the challenge, so we may not be able to set it
  74  *
  75  * @return If the effective challenge used by the auth subsystem may be modified
  76  */
  77 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
  78 {
  79         struct auth_ntlmssp_state *auth_ntlmssp_state =
  80                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  81         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
  82
  83         return auth_context->challenge_may_be_modified;
  84 }
  85
  86 /**
  87  * NTLM2 authentication modifies the effective challenge,
  88  * @param challenge The new challenge value
  89  */
  90 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
  91 {
  92         struct auth_ntlmssp_state *auth_ntlmssp_state =
  93                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  94         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
  95
  96         SMB_ASSERT(challenge->length == 8);
  97
  98         auth_context->challenge = data_blob_talloc(auth_context,
  99                                                    challenge->data, challenge->length);
 100
 101         auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)";
 102
 103         DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
 104         DEBUG(5, ("challenge is: \n"));
 105         dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
 106         return NT_STATUS_OK;
 107 }
 108
 109 /**
 110  * Check the password on an NTLMSSP login.
 111  *
 112  * Return the session keys used on the connection.
 113  */
 114
 115 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *mem_ctx,
 116                                             DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 117 {
 118         struct auth_ntlmssp_state *auth_ntlmssp_state =
 119                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
 120         struct auth_usersupplied_info *user_info = NULL;
 121         NTSTATUS nt_status;
 122         bool username_was_mapped;
 123
 124         /* the client has given us its machine name (which we otherwise would not get on port 445).
 125            we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
 126
 127         set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->client.netbios_name, True);
 128
 129         /* setup the string used by %U */
 130         /* sub_set_smb_name checks for weird internally */
 131         sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
 132
 133         lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
 134
 135         nt_status = make_user_info_map(&user_info,
 136                                        auth_ntlmssp_state->ntlmssp_state->user,
 137                                        auth_ntlmssp_state->ntlmssp_state->domain,
 138                                        auth_ntlmssp_state->ntlmssp_state->client.netbios_name,
 139                                        auth_ntlmssp_state->remote_address,
 140                                        auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
 141                                        auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
 142                                        NULL, NULL, NULL,
 143                                        AUTH_PASSWORD_RESPONSE);
 144
 145         if (!NT_STATUS_IS_OK(nt_status)) {
 146                 return nt_status;
 147         }
 148
 149         user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
 150
 151         nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context,
 152                                                                           user_info, &auth_ntlmssp_state->server_info);
 153
 154         username_was_mapped = user_info->was_mapped;
 155
 156         free_user_info(&user_info);
 157
 158         if (!NT_STATUS_IS_OK(nt_status)) {
 159                 nt_status = do_map_to_guest_server_info(nt_status,
 160                                                         &auth_ntlmssp_state->server_info,
 161                                                         auth_ntlmssp_state->ntlmssp_state->user,
 162                                                         auth_ntlmssp_state->ntlmssp_state->domain);
 163         }
 164
 165         if (!NT_STATUS_IS_OK(nt_status)) {
 166                 return nt_status;
 167         }
 168
 169         talloc_steal(auth_ntlmssp_state, auth_ntlmssp_state->server_info);
 170
 171         auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
 172
 173         /* Clear out the session keys, and pass them to the caller.
 174          * They will not be used in this form again - instead the
 175          * NTLMSSP code will decide on the final correct session key,
 176          * and put it back here at the end of
 177          * auth_ntlmssp_steal_server_info */
 178         if (auth_ntlmssp_state->server_info->session_key.length) {
 179                 DEBUG(10, ("Got NT session key of length %u\n",
 180                         (unsigned int)auth_ntlmssp_state->server_info->session_key.length));
 181                 *session_key = auth_ntlmssp_state->server_info->session_key;
 182                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->session_key.data);
 183                 auth_ntlmssp_state->server_info->session_key = data_blob_null;
 184         }
 185         if (auth_ntlmssp_state->server_info->lm_session_key.length) {
 186                 DEBUG(10, ("Got LM session key of length %u\n",
 187                         (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
 188                 *lm_session_key = auth_ntlmssp_state->server_info->lm_session_key;
 189                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->lm_session_key.data);
 190                 auth_ntlmssp_state->server_info->lm_session_key = data_blob_null;
 191         }
 192         return nt_status;
 193 }
 194
 195 NTSTATUS auth_ntlmssp_prepare(const struct tsocket_address *remote_address,
 196                               struct auth_ntlmssp_state **auth_ntlmssp_state)
 197 {
 198         NTSTATUS nt_status;
 199         bool is_standalone;
 200         const char *netbios_name;
 201         const char *netbios_domain;
 202         const char *dns_name;
 203         char *dns_domain;
 204         struct auth_ntlmssp_state *ans;
 205         struct auth_context *auth_context;
 206
 207         ans = talloc_zero(NULL, struct auth_ntlmssp_state);
 208         if (!ans) {
 209                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
 210                 return NT_STATUS_NO_MEMORY;
 211         }
 212
 213         nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context);
 214         if (!NT_STATUS_IS_OK(nt_status)) {
 215                 TALLOC_FREE(ans);
 216                 return nt_status;
 217         }
 218
 219         ans->auth_context = talloc_steal(ans, auth_context);
 220
 221         if (auth_context->prepare_gensec) {
 222                 nt_status = auth_context->prepare_gensec(ans, &ans->gensec_security);
 223                 if (!NT_STATUS_IS_OK(nt_status)) {
 224                         TALLOC_FREE(ans);
 225                         return nt_status;
 226                 } else {
 227                         *auth_ntlmssp_state = ans;
 228                         return NT_STATUS_OK;
 229                 }
 230         }
 231
 232         if ((enum server_role)lp_server_role() == ROLE_STANDALONE) {
 233                 is_standalone = true;
 234         } else {
 235                 is_standalone = false;
 236         }
 237
 238         netbios_name = lp_netbios_name();
 239         netbios_domain = lp_workgroup();
 240         /* This should be a 'netbios domain -> DNS domain' mapping */
 241         dns_domain = get_mydnsdomname(talloc_tos());
 242         if (dns_domain) {
 243                 strlower_m(dns_domain);
 244         }
 245         dns_name = get_mydnsfullname();
 246
 247         ans->remote_address = tsocket_address_copy(remote_address, ans);
 248         if (ans->remote_address == NULL) {
 249                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
 250                 return NT_STATUS_NO_MEMORY;
 251         }
 252
 253         nt_status = ntlmssp_server_start(ans,
 254                                          is_standalone,
 255                                          netbios_name,
 256                                          netbios_domain,
 257                                          dns_name,
 258                                          dns_domain,
 259                                          &ans->ntlmssp_state);
 260         if (!NT_STATUS_IS_OK(nt_status)) {
 261                 return nt_status;
 262         }
 263
 264         ans->ntlmssp_state->callback_private = ans;
 265         ans->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
 266         ans->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
 267         ans->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
 268         ans->ntlmssp_state->check_password = auth_ntlmssp_check_password;
 269
 270         *auth_ntlmssp_state = ans;
 271         return NT_STATUS_OK;
 272 }
 273
 274 NTSTATUS auth_generic_start(struct auth_ntlmssp_state *auth_ntlmssp_state, const char *oid)
 275 {
 276         if (auth_ntlmssp_state->auth_context->gensec_start_mech_by_oid) {
 277                 return auth_ntlmssp_state->auth_context->gensec_start_mech_by_oid(auth_ntlmssp_state->gensec_security, oid);
 278         }
 279
 280         if (strcmp(oid, GENSEC_OID_NTLMSSP) != 0) {
 281                 /* The caller will then free the auth_ntlmssp_state,
 282                  * undoing what was done in auth_ntlmssp_prepare().
 283                  *
 284                  * We can't do that logic here, as
 285                  * auth_ntlmssp_want_feature() may have been called in
 286                  * between.
 287                  */
 288                 return NT_STATUS_NOT_IMPLEMENTED;
 289         }
 290
 291         return NT_STATUS_OK;
 292 }
 293
 294 NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state *auth_ntlmssp_state)
 295 {
 296         return auth_generic_start(auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
 297 }