027666fb0a368a9414af9d63cd6aff56d6a3858d
[kai/samba.git] / source3 / auth / auth_ntlmssp.c
1 /* 
2    Unix SMB/Netbios implementation.
3    Version 3.0
4    handle NLTMSSP, server side
5
6    Copyright (C) Andrew Tridgell      2001
7    Copyright (C) Andrew Bartlett 2001-2005,2011
8    Copyright (C) Stefan Metzmacher 2005
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "auth.h"
26 #include "../auth/ntlmssp/ntlmssp.h"
27 #include "../auth/ntlmssp/ntlmssp_private.h"
28 #include "../librpc/gen_ndr/netlogon.h"
29 #include "../librpc/gen_ndr/dcerpc.h"
30 #include "../lib/tsocket/tsocket.h"
31 #include "auth/gensec/gensec.h"
32 #include "librpc/rpc/dcerpc.h"
33 #include "lib/param/param.h"
34
35 NTSTATUS auth3_generate_session_info(TALLOC_CTX *mem_ctx,
36                                      struct auth4_context *auth_context,
37                                      void *server_returned_info,
38                                      const char *original_user_name,
39                                      uint32_t session_info_flags,
40                                      struct auth_session_info **session_info)
41 {
42         struct auth_serversupplied_info *server_info = talloc_get_type_abort(server_returned_info,
43                                                                              struct auth_serversupplied_info);
44         NTSTATUS nt_status;
45
46         nt_status = create_local_token(mem_ctx,
47                                        server_info,
48                                        NULL,
49                                        original_user_name,
50                                        session_info);
51         if (!NT_STATUS_IS_OK(nt_status)) {
52                 DEBUG(10, ("create_local_token failed: %s\n",
53                            nt_errstr(nt_status)));
54                 return nt_status;
55         }
56
57         return NT_STATUS_OK;
58 }
59
60 /**
61  * Return the challenge as determined by the authentication subsystem 
62  * @return an 8 byte random challenge
63  */
64
65 NTSTATUS auth3_get_challenge(struct auth4_context *auth4_context,
66                                            uint8_t chal[8])
67 {
68         struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
69                                                                   struct auth_context);
70         auth_context->get_ntlm_challenge(auth_context, chal);
71         return NT_STATUS_OK;
72 }
73
74 /**
75  * Some authentication methods 'fix' the challenge, so we may not be able to set it
76  *
77  * @return If the effective challenge used by the auth subsystem may be modified
78  */
79 bool auth3_may_set_challenge(struct auth4_context *auth4_context)
80 {
81         struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
82                                                                   struct auth_context);
83         return auth_context->challenge_may_be_modified;
84 }
85
86 /**
87  * NTLM2 authentication modifies the effective challenge, 
88  * @param challenge The new challenge value
89  */
90 NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t *chal,
91                              const char *challenge_set_by)
92 {
93         struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
94                                                                   struct auth_context);
95
96         auth_context->challenge = data_blob_talloc(auth_context,
97                                                    chal, 8);
98         NT_STATUS_HAVE_NO_MEMORY(auth_context->challenge.data);
99
100         auth_context->challenge_set_by = talloc_strdup(auth_context, challenge_set_by);
101         NT_STATUS_HAVE_NO_MEMORY(auth_context->challenge_set_by);
102
103         DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
104         DEBUG(5, ("challenge is: \n"));
105         dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
106         return NT_STATUS_OK;
107 }
108
109 /**
110  * Check the password on an NTLMSSP login.  
111  *
112  * Return the session keys used on the connection.
113  */
114
115 NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
116                               TALLOC_CTX *mem_ctx,
117                               const struct auth_usersupplied_info *user_info,
118                               void **server_returned_info,
119                               DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
120 {
121         struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
122                                                                   struct auth_context);
123         struct auth_usersupplied_info *mapped_user_info = NULL;
124         struct auth_serversupplied_info *server_info;
125         NTSTATUS nt_status;
126         bool username_was_mapped;
127
128         /* The client has given us its machine name (which we only get over NBT transport).
129            We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
130
131         set_remote_machine_name(user_info->workstation_name, True);
132
133         /* setup the string used by %U */
134         /* sub_set_smb_name checks for weird internally */
135         sub_set_smb_name(user_info->client.account_name);
136
137         lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
138
139         nt_status = make_user_info_map(&mapped_user_info,
140                                        user_info->client.account_name,
141                                        user_info->client.domain_name,
142                                        user_info->workstation_name,
143                                        user_info->remote_host,
144                                        user_info->password.response.lanman.data ? &user_info->password.response.lanman : NULL,
145                                        user_info->password.response.nt.data ? &user_info->password.response.nt : NULL,
146                                        NULL, NULL, NULL,
147                                        AUTH_PASSWORD_RESPONSE);
148
149         if (!NT_STATUS_IS_OK(nt_status)) {
150                 return nt_status;
151         }
152
153         mapped_user_info->logon_parameters = user_info->logon_parameters;
154
155         mapped_user_info->flags = user_info->flags;
156
157         nt_status = auth_context->check_ntlm_password(auth_context,
158                                                       mapped_user_info, &server_info);
159
160         if (!NT_STATUS_IS_OK(nt_status)) {
161                 DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
162                          user_info->client.domain_name,
163                          user_info->client.account_name,
164                          nt_errstr(nt_status)));
165         }
166
167         username_was_mapped = mapped_user_info->was_mapped;
168
169         free_user_info(&mapped_user_info);
170
171         if (!NT_STATUS_IS_OK(nt_status)) {
172                 nt_status = do_map_to_guest_server_info(nt_status,
173                                                         &server_info,
174                                                         user_info->client.account_name,
175                                                         user_info->client.domain_name);
176                 *server_returned_info = talloc_steal(mem_ctx, server_info);
177                 return nt_status;
178         }
179
180         server_info->nss_token |= username_was_mapped;
181
182         /* Clear out the session keys, and pass them to the caller.
183          * They will not be used in this form again - instead the
184          * NTLMSSP code will decide on the final correct session key,
185          * and supply it to create_local_token() */
186         if (session_key) {
187                 DEBUG(10, ("Got NT session key of length %u\n",
188                         (unsigned int)server_info->session_key.length));
189                 *session_key = server_info->session_key;
190                 talloc_steal(mem_ctx, server_info->session_key.data);
191                 server_info->session_key = data_blob_null;
192         }
193         if (lm_session_key) {
194                 DEBUG(10, ("Got LM session key of length %u\n",
195                         (unsigned int)server_info->lm_session_key.length));
196                 *lm_session_key = server_info->lm_session_key;
197                 talloc_steal(mem_ctx, server_info->lm_session_key.data);
198                 server_info->lm_session_key = data_blob_null;
199         }
200
201         *server_returned_info = talloc_steal(mem_ctx, server_info);
202         return nt_status;
203 }
204
205 static NTSTATUS gensec_ntlmssp3_server_start(struct gensec_security *gensec_security)
206 {
207         NTSTATUS nt_status;
208         bool is_standalone;
209         const char *netbios_name;
210         const char *netbios_domain;
211         const char *dns_name;
212         char *dns_domain;
213         struct gensec_ntlmssp_context *gensec_ntlmssp;
214
215         if ((enum server_role)lp_server_role() == ROLE_STANDALONE) {
216                 is_standalone = true;
217         } else {
218                 is_standalone = false;
219         }
220
221         netbios_name = lp_netbios_name();
222         netbios_domain = lp_workgroup();
223         /* This should be a 'netbios domain -> DNS domain' mapping */
224         dns_domain = get_mydnsdomname(talloc_tos());
225         if (dns_domain) {
226                 strlower_m(dns_domain);
227         }
228         dns_name = get_mydnsfullname();
229
230         nt_status = gensec_ntlmssp_start(gensec_security);
231         NT_STATUS_NOT_OK_RETURN(nt_status);
232
233         gensec_ntlmssp =
234                 talloc_get_type_abort(gensec_security->private_data,
235                                       struct gensec_ntlmssp_context);
236
237         nt_status = ntlmssp_server_start(gensec_ntlmssp,
238                                          is_standalone,
239                                          netbios_name,
240                                          netbios_domain,
241                                          dns_name,
242                                          dns_domain,
243                                          &gensec_ntlmssp->ntlmssp_state);
244         if (!NT_STATUS_IS_OK(nt_status)) {
245                 return nt_status;
246         }
247
248         gensec_ntlmssp->ntlmssp_state->callback_private = gensec_ntlmssp;
249
250         gensec_ntlmssp->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
251         gensec_ntlmssp->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
252         gensec_ntlmssp->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
253         gensec_ntlmssp->ntlmssp_state->check_password = auth_ntlmssp_check_password;
254
255         if (gensec_ntlmssp->gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
256                 gensec_ntlmssp->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
257         }
258         if (gensec_ntlmssp->gensec_security->want_features & GENSEC_FEATURE_SIGN) {
259                 gensec_ntlmssp->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
260         }
261         if (gensec_ntlmssp->gensec_security->want_features & GENSEC_FEATURE_SEAL) {
262                 gensec_ntlmssp->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
263                 gensec_ntlmssp->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
264         }
265
266         return NT_STATUS_OK;
267 }
268
269 static const char *gensec_ntlmssp3_server_oids[] = {
270         GENSEC_OID_NTLMSSP,
271         NULL
272 };
273
274 const struct gensec_security_ops gensec_ntlmssp3_server_ops = {
275         .name           = "ntlmssp3_server",
276         .sasl_name      = GENSEC_SASL_NAME_NTLMSSP, /* "NTLM" */
277         .auth_type      = DCERPC_AUTH_TYPE_NTLMSSP,
278         .oid            = gensec_ntlmssp3_server_oids,
279         .server_start   = gensec_ntlmssp3_server_start,
280         .magic          = gensec_ntlmssp_magic,
281         .update         = gensec_ntlmssp_update,
282         .sig_size       = gensec_ntlmssp_sig_size,
283         .sign_packet    = gensec_ntlmssp_sign_packet,
284         .check_packet   = gensec_ntlmssp_check_packet,
285         .seal_packet    = gensec_ntlmssp_seal_packet,
286         .unseal_packet  = gensec_ntlmssp_unseal_packet,
287         .wrap           = gensec_ntlmssp_wrap,
288         .unwrap         = gensec_ntlmssp_unwrap,
289         .session_key    = gensec_ntlmssp_session_key,
290         .session_info   = gensec_ntlmssp_session_info,
291         .have_feature   = gensec_ntlmssp_have_feature,
292         .enabled        = true,
293         .priority       = GENSEC_NTLMSSP
294 };
295