source4/auth/system_session.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Authentication utility functions
   4    Copyright (C) Andrew Tridgell 1992-1998
   5    Copyright (C) Andrew Bartlett 2001-2010
   6    Copyright (C) Jeremy Allison 2000-2001
   7    Copyright (C) Rafal Szczesniak 2002
   8    Copyright (C) Stefan Metzmacher 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "libcli/security/security.h"
  26 #include "auth/credentials/credentials.h"
  27 #include "param/param.h"
  28 #include "auth/auth.h" /* for auth_user_info_dc */
  29 #include "auth/session.h"
  30 #include "auth/system_session_proto.h"
  31
  32
  33 /*
  34   prevent the static system session being freed
  35  */
  36 static int system_session_destructor(struct auth_session_info *info)
  37 {
  38         return -1;
  39 }
  40
  41 /* Create a security token for a session SYSTEM (the most
  42  * trusted/prvilaged account), including the local machine account as
  43  * the off-host credentials
  44  */
  45 _PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ctx)
  46 {
  47         static struct auth_session_info *static_session;
  48         NTSTATUS nt_status;
  49
  50         if (static_session) {
  51                 return static_session;
  52         }
  53
  54         nt_status = auth_system_session_info(talloc_autofree_context(),
  55                                              lp_ctx,
  56                                              &static_session);
  57         if (!NT_STATUS_IS_OK(nt_status)) {
  58                 talloc_free(static_session);
  59                 static_session = NULL;
  60                 return NULL;
  61         }
  62         talloc_set_destructor(static_session, system_session_destructor);
  63         return static_session;
  64 }
  65
  66 NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
  67                                   struct loadparm_context *lp_ctx,
  68                                   struct auth_session_info **_session_info)
  69 {
  70         NTSTATUS nt_status;
  71         struct auth_user_info_dc *user_info_dc = NULL;
  72         struct auth_session_info *session_info = NULL;
  73         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
  74
  75         nt_status = auth_system_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
  76                                             &user_info_dc);
  77         if (!NT_STATUS_IS_OK(nt_status)) {
  78                 talloc_free(mem_ctx);
  79                 return nt_status;
  80         }
  81
  82         /* references the user_info_dc into the session_info */
  83         nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
  84         talloc_free(mem_ctx);
  85
  86         NT_STATUS_NOT_OK_RETURN(nt_status);
  87
  88         session_info->credentials = cli_credentials_init(session_info);
  89         if (!session_info->credentials) {
  90                 return NT_STATUS_NO_MEMORY;
  91         }
  92
  93         cli_credentials_set_conf(session_info->credentials, lp_ctx);
  94
  95         cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
  96         *_session_info = session_info;
  97
  98         return NT_STATUS_OK;
  99 }
 100
 101 NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name,
 102                                  struct auth_user_info_dc **_user_info_dc)
 103 {
 104         struct auth_user_info_dc *user_info_dc;
 105         struct auth_user_info *info;
 106
 107         user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
 108         NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
 109
 110         /* This returns a pointer to a struct dom_sid, which is the
 111          * same as a 1 element list of struct dom_sid */
 112         user_info_dc->num_sids = 1;
 113         user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_SYSTEM);
 114         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
 115
 116         /* annoying, but the Anonymous really does have a session key,
 117            and it is all zeros! */
 118         user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
 119         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
 120
 121         user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
 122         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
 123
 124         data_blob_clear(&user_info_dc->user_session_key);
 125         data_blob_clear(&user_info_dc->lm_session_key);
 126
 127         user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
 128         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
 129
 130         info->account_name = talloc_strdup(info, "SYSTEM");
 131         NT_STATUS_HAVE_NO_MEMORY(info->account_name);
 132
 133         info->domain_name = talloc_strdup(info, "NT AUTHORITY");
 134         NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
 135
 136         info->full_name = talloc_strdup(info, "System");
 137         NT_STATUS_HAVE_NO_MEMORY(info->full_name);
 138
 139         info->logon_script = talloc_strdup(info, "");
 140         NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
 141
 142         info->profile_path = talloc_strdup(info, "");
 143         NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
 144
 145         info->home_directory = talloc_strdup(info, "");
 146         NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
 147
 148         info->home_drive = talloc_strdup(info, "");
 149         NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
 150
 151         info->logon_server = talloc_strdup(info, netbios_name);
 152         NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
 153
 154         info->last_logon = 0;
 155         info->last_logoff = 0;
 156         info->acct_expiry = 0;
 157         info->last_password_change = 0;
 158         info->allow_password_change = 0;
 159         info->force_password_change = 0;
 160
 161         info->logon_count = 0;
 162         info->bad_password_count = 0;
 163
 164         info->acct_flags = ACB_NORMAL;
 165
 166         info->authenticated = true;
 167
 168         *_user_info_dc = user_info_dc;
 169
 170         return NT_STATUS_OK;
 171 }
 172
 173
 174 static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
 175                                               const char *netbios_name,
 176                                               const char *domain_name,
 177                                               struct dom_sid *domain_sid,
 178                                               struct auth_user_info_dc **_user_info_dc)
 179 {
 180         struct auth_user_info_dc *user_info_dc;
 181         struct auth_user_info *info;
 182
 183         user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
 184         NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
 185
 186         user_info_dc->num_sids = 7;
 187         user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids);
 188
 189         user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
 190         sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
 191
 192         user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
 193         sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], DOMAIN_RID_USERS);
 194
 195         user_info_dc->sids[2] = global_sid_Builtin_Administrators;
 196
 197         user_info_dc->sids[3] = *domain_sid;
 198         sid_append_rid(&user_info_dc->sids[3], DOMAIN_RID_ADMINS);
 199         user_info_dc->sids[4] = *domain_sid;
 200         sid_append_rid(&user_info_dc->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
 201         user_info_dc->sids[5] = *domain_sid;
 202         sid_append_rid(&user_info_dc->sids[5], DOMAIN_RID_POLICY_ADMINS);
 203         user_info_dc->sids[6] = *domain_sid;
 204         sid_append_rid(&user_info_dc->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
 205
 206         /* What should the session key be?*/
 207         user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
 208         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
 209
 210         user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
 211         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
 212
 213         data_blob_clear(&user_info_dc->user_session_key);
 214         data_blob_clear(&user_info_dc->lm_session_key);
 215
 216         user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
 217         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
 218
 219         info->account_name = talloc_strdup(info, "Administrator");
 220         NT_STATUS_HAVE_NO_MEMORY(info->account_name);
 221
 222         info->domain_name = talloc_strdup(info, domain_name);
 223         NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
 224
 225         info->full_name = talloc_strdup(info, "Administrator");
 226         NT_STATUS_HAVE_NO_MEMORY(info->full_name);
 227
 228         info->logon_script = talloc_strdup(info, "");
 229         NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
 230
 231         info->profile_path = talloc_strdup(info, "");
 232         NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
 233
 234         info->home_directory = talloc_strdup(info, "");
 235         NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
 236
 237         info->home_drive = talloc_strdup(info, "");
 238         NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
 239
 240         info->logon_server = talloc_strdup(info, netbios_name);
 241         NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
 242
 243         info->last_logon = 0;
 244         info->last_logoff = 0;
 245         info->acct_expiry = 0;
 246         info->last_password_change = 0;
 247         info->allow_password_change = 0;
 248         info->force_password_change = 0;
 249
 250         info->logon_count = 0;
 251         info->bad_password_count = 0;
 252
 253         info->acct_flags = ACB_NORMAL;
 254
 255         info->authenticated = true;
 256
 257         *_user_info_dc = user_info_dc;
 258
 259         return NT_STATUS_OK;
 260 }
 261
 262 static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
 263                                                struct loadparm_context *lp_ctx,
 264                                                struct dom_sid *domain_sid,
 265                                                struct auth_session_info **session_info)
 266 {
 267         NTSTATUS nt_status;
 268         struct auth_user_info_dc *user_info_dc = NULL;
 269         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 270
 271         NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
 272
 273         nt_status = auth_domain_admin_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
 274                                                   lpcfg_workgroup(lp_ctx), domain_sid,
 275                                                   &user_info_dc);
 276         if (!NT_STATUS_IS_OK(nt_status)) {
 277                 talloc_free(mem_ctx);
 278                 return nt_status;
 279         }
 280
 281         nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc,
 282                                                AUTH_SESSION_INFO_SIMPLE_PRIVILEGES|AUTH_SESSION_INFO_AUTHENTICATED|AUTH_SESSION_INFO_DEFAULT_GROUPS,
 283                                                session_info);
 284         /* There is already a reference between the sesion_info and user_info_dc */
 285         if (NT_STATUS_IS_OK(nt_status)) {
 286                 talloc_steal(parent_ctx, *session_info);
 287         }
 288         talloc_free(mem_ctx);
 289         return nt_status;
 290 }
 291
 292 _PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid)
 293 {
 294         NTSTATUS nt_status;
 295         struct auth_session_info *session_info = NULL;
 296         nt_status = auth_domain_admin_session_info(mem_ctx,
 297                                                    lp_ctx,
 298                                                    domain_sid,
 299                                                    &session_info);
 300         if (!NT_STATUS_IS_OK(nt_status)) {
 301                 return NULL;
 302         }
 303         return session_info;
 304 }
 305
 306 _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
 307                                               struct loadparm_context *lp_ctx,
 308                                               struct auth_session_info **_session_info)
 309 {
 310         NTSTATUS nt_status;
 311         struct auth_user_info_dc *user_info_dc = NULL;
 312         struct auth_session_info *session_info = NULL;
 313         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 314
 315         nt_status = auth_anonymous_user_info_dc(mem_ctx,
 316                                                lpcfg_netbios_name(lp_ctx),
 317                                                &user_info_dc);
 318         if (!NT_STATUS_IS_OK(nt_status)) {
 319                 talloc_free(mem_ctx);
 320                 return nt_status;
 321         }
 322
 323         /* references the user_info_dc into the session_info */
 324         nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
 325         talloc_free(mem_ctx);
 326
 327         NT_STATUS_NOT_OK_RETURN(nt_status);
 328
 329         session_info->credentials = cli_credentials_init(session_info);
 330         if (!session_info->credentials) {
 331                 return NT_STATUS_NO_MEMORY;
 332         }
 333
 334         cli_credentials_set_conf(session_info->credentials, lp_ctx);
 335         cli_credentials_set_anonymous(session_info->credentials);
 336
 337         *_session_info = session_info;
 338
 339         return NT_STATUS_OK;
 340 }
 341
 342 _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
 343                                     const char *netbios_name,
 344                                     struct auth_user_info_dc **_user_info_dc)
 345 {
 346         struct auth_user_info_dc *user_info_dc;
 347         struct auth_user_info *info;
 348         user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
 349         NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
 350
 351         /* This returns a pointer to a struct dom_sid, which is the
 352          * same as a 1 element list of struct dom_sid */
 353         user_info_dc->num_sids = 1;
 354         user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS);
 355         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
 356
 357         /* annoying, but the Anonymous really does have a session key... */
 358         user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
 359         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
 360
 361         user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
 362         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
 363
 364         /*  and it is all zeros! */
 365         data_blob_clear(&user_info_dc->user_session_key);
 366         data_blob_clear(&user_info_dc->lm_session_key);
 367
 368         user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
 369         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
 370
 371         info->account_name = talloc_strdup(info, "ANONYMOUS LOGON");
 372         NT_STATUS_HAVE_NO_MEMORY(info->account_name);
 373
 374         info->domain_name = talloc_strdup(info, "NT AUTHORITY");
 375         NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
 376
 377         info->full_name = talloc_strdup(info, "Anonymous Logon");
 378         NT_STATUS_HAVE_NO_MEMORY(info->full_name);
 379
 380         info->logon_script = talloc_strdup(info, "");
 381         NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
 382
 383         info->profile_path = talloc_strdup(info, "");
 384         NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
 385
 386         info->home_directory = talloc_strdup(info, "");
 387         NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
 388
 389         info->home_drive = talloc_strdup(info, "");
 390         NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
 391
 392         info->logon_server = talloc_strdup(info, netbios_name);
 393         NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
 394
 395         info->last_logon = 0;
 396         info->last_logoff = 0;
 397         info->acct_expiry = 0;
 398         info->last_password_change = 0;
 399         info->allow_password_change = 0;
 400         info->force_password_change = 0;
 401
 402         info->logon_count = 0;
 403         info->bad_password_count = 0;
 404
 405         info->acct_flags = ACB_NORMAL;
 406
 407         info->authenticated = false;
 408
 409         *_user_info_dc = user_info_dc;
 410
 411         return NT_STATUS_OK;
 412 }
 413