getncchanges: fix highest_usn off by one calculation in get_nc_changes_add_links()
[sfrench/samba-autobuild/.git] / source4 / auth / system_session.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Authentication utility functions
4    Copyright (C) Andrew Tridgell 1992-1998
5    Copyright (C) Andrew Bartlett 2001-2010
6    Copyright (C) Jeremy Allison 2000-2001
7    Copyright (C) Rafal Szczesniak 2002
8    Copyright (C) Stefan Metzmacher 2005
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "libcli/security/security.h"
26 #include "auth/credentials/credentials.h"
27 #include "param/param.h"
28 #include "auth/auth.h" /* for auth_user_info_dc */
29 #include "auth/session.h"
30 #include "auth/system_session_proto.h"
31
32
33 /*
34   prevent the static system session being freed
35  */
36 static int system_session_destructor(struct auth_session_info *info)
37 {
38         return -1;
39 }
40
41 /* Create a security token for a session SYSTEM (the most
42  * trusted/prvilaged account), including the local machine account as
43  * the off-host credentials
44  */ 
45 _PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ctx)
46 {
47         static struct auth_session_info *static_session;
48         NTSTATUS nt_status;
49
50         if (static_session) {
51                 return static_session;
52         }
53
54         nt_status = auth_system_session_info(talloc_autofree_context(),
55                                              lp_ctx,
56                                              &static_session);
57         if (!NT_STATUS_IS_OK(nt_status)) {
58                 talloc_free(static_session);
59                 static_session = NULL;
60                 return NULL;
61         }
62         talloc_set_destructor(static_session, system_session_destructor);
63         return static_session;
64 }
65
66 NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, 
67                                   struct loadparm_context *lp_ctx,
68                                   struct auth_session_info **_session_info) 
69 {
70         NTSTATUS nt_status;
71         struct auth_user_info_dc *user_info_dc = NULL;
72         struct auth_session_info *session_info = NULL;
73         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
74         
75         nt_status = auth_system_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
76                                             &user_info_dc);
77         if (!NT_STATUS_IS_OK(nt_status)) {
78                 talloc_free(mem_ctx);
79                 return nt_status;
80         }
81
82         /* references the user_info_dc into the session_info */
83         nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
84         talloc_free(mem_ctx);
85
86         NT_STATUS_NOT_OK_RETURN(nt_status);
87
88         session_info->credentials = cli_credentials_init(session_info);
89         if (!session_info->credentials) {
90                 return NT_STATUS_NO_MEMORY;
91         }
92
93         cli_credentials_set_conf(session_info->credentials, lp_ctx);
94
95         cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
96         *_session_info = session_info;
97
98         return NT_STATUS_OK;
99 }
100
101 NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name,
102                                  struct auth_user_info_dc **_user_info_dc)
103 {
104         struct auth_user_info_dc *user_info_dc;
105         struct auth_user_info *info;
106
107         user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
108         NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
109
110         /* This returns a pointer to a struct dom_sid, which is the
111          * same as a 1 element list of struct dom_sid */
112         user_info_dc->num_sids = 1;
113         user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_SYSTEM);
114         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
115
116         /* annoying, but the Anonymous really does have a session key, 
117            and it is all zeros! */
118         user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
119         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
120
121         user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
122         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
123
124         data_blob_clear(&user_info_dc->user_session_key);
125         data_blob_clear(&user_info_dc->lm_session_key);
126
127         user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
128         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
129
130         info->account_name = talloc_strdup(info, "SYSTEM");
131         NT_STATUS_HAVE_NO_MEMORY(info->account_name);
132
133         info->domain_name = talloc_strdup(info, "NT AUTHORITY");
134         NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
135
136         info->full_name = talloc_strdup(info, "System");
137         NT_STATUS_HAVE_NO_MEMORY(info->full_name);
138
139         info->logon_script = talloc_strdup(info, "");
140         NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
141
142         info->profile_path = talloc_strdup(info, "");
143         NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
144
145         info->home_directory = talloc_strdup(info, "");
146         NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
147
148         info->home_drive = talloc_strdup(info, "");
149         NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
150
151         info->logon_server = talloc_strdup(info, netbios_name);
152         NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
153
154         info->last_logon = 0;
155         info->last_logoff = 0;
156         info->acct_expiry = 0;
157         info->last_password_change = 0;
158         info->allow_password_change = 0;
159         info->force_password_change = 0;
160
161         info->logon_count = 0;
162         info->bad_password_count = 0;
163
164         info->acct_flags = ACB_NORMAL;
165
166         info->authenticated = true;
167
168         *_user_info_dc = user_info_dc;
169
170         return NT_STATUS_OK;
171 }
172
173
174 static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
175                                               const char *netbios_name,
176                                               const char *domain_name,
177                                               struct dom_sid *domain_sid,
178                                               struct auth_user_info_dc **_user_info_dc)
179 {
180         struct auth_user_info_dc *user_info_dc;
181         struct auth_user_info *info;
182
183         user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
184         NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
185
186         user_info_dc->num_sids = 7;
187         user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids);
188
189         user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
190         sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
191
192         user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
193         sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], DOMAIN_RID_USERS);
194
195         user_info_dc->sids[2] = global_sid_Builtin_Administrators;
196
197         user_info_dc->sids[3] = *domain_sid;
198         sid_append_rid(&user_info_dc->sids[3], DOMAIN_RID_ADMINS);
199         user_info_dc->sids[4] = *domain_sid;
200         sid_append_rid(&user_info_dc->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
201         user_info_dc->sids[5] = *domain_sid;
202         sid_append_rid(&user_info_dc->sids[5], DOMAIN_RID_POLICY_ADMINS);
203         user_info_dc->sids[6] = *domain_sid;
204         sid_append_rid(&user_info_dc->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
205
206         /* What should the session key be?*/
207         user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
208         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
209
210         user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
211         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
212
213         data_blob_clear(&user_info_dc->user_session_key);
214         data_blob_clear(&user_info_dc->lm_session_key);
215
216         user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
217         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
218
219         info->account_name = talloc_strdup(info, "Administrator");
220         NT_STATUS_HAVE_NO_MEMORY(info->account_name);
221
222         info->domain_name = talloc_strdup(info, domain_name);
223         NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
224
225         info->full_name = talloc_strdup(info, "Administrator");
226         NT_STATUS_HAVE_NO_MEMORY(info->full_name);
227
228         info->logon_script = talloc_strdup(info, "");
229         NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
230
231         info->profile_path = talloc_strdup(info, "");
232         NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
233
234         info->home_directory = talloc_strdup(info, "");
235         NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
236
237         info->home_drive = talloc_strdup(info, "");
238         NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
239
240         info->logon_server = talloc_strdup(info, netbios_name);
241         NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
242
243         info->last_logon = 0;
244         info->last_logoff = 0;
245         info->acct_expiry = 0;
246         info->last_password_change = 0;
247         info->allow_password_change = 0;
248         info->force_password_change = 0;
249
250         info->logon_count = 0;
251         info->bad_password_count = 0;
252
253         info->acct_flags = ACB_NORMAL;
254
255         info->authenticated = true;
256
257         *_user_info_dc = user_info_dc;
258
259         return NT_STATUS_OK;
260 }
261
262 static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
263                                                struct loadparm_context *lp_ctx,
264                                                struct dom_sid *domain_sid,
265                                                struct auth_session_info **session_info)
266 {
267         NTSTATUS nt_status;
268         struct auth_user_info_dc *user_info_dc = NULL;
269         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
270
271         NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
272
273         nt_status = auth_domain_admin_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
274                                                   lpcfg_workgroup(lp_ctx), domain_sid,
275                                                   &user_info_dc);
276         if (!NT_STATUS_IS_OK(nt_status)) {
277                 talloc_free(mem_ctx);
278                 return nt_status;
279         }
280
281         nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc,
282                                                AUTH_SESSION_INFO_SIMPLE_PRIVILEGES|AUTH_SESSION_INFO_AUTHENTICATED|AUTH_SESSION_INFO_DEFAULT_GROUPS,
283                                                session_info);
284         /* There is already a reference between the sesion_info and user_info_dc */
285         if (NT_STATUS_IS_OK(nt_status)) {
286                 talloc_steal(parent_ctx, *session_info);
287         }
288         talloc_free(mem_ctx);
289         return nt_status;
290 }
291
292 _PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid)
293 {
294         NTSTATUS nt_status;
295         struct auth_session_info *session_info = NULL;
296         nt_status = auth_domain_admin_session_info(mem_ctx,
297                                                    lp_ctx,
298                                                    domain_sid,
299                                                    &session_info);
300         if (!NT_STATUS_IS_OK(nt_status)) {
301                 return NULL;
302         }
303         return session_info;
304 }
305
306 _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, 
307                                               struct loadparm_context *lp_ctx,
308                                               struct auth_session_info **_session_info) 
309 {
310         NTSTATUS nt_status;
311         struct auth_user_info_dc *user_info_dc = NULL;
312         struct auth_session_info *session_info = NULL;
313         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
314         
315         nt_status = auth_anonymous_user_info_dc(mem_ctx,
316                                                lpcfg_netbios_name(lp_ctx),
317                                                &user_info_dc);
318         if (!NT_STATUS_IS_OK(nt_status)) {
319                 talloc_free(mem_ctx);
320                 return nt_status;
321         }
322
323         /* references the user_info_dc into the session_info */
324         nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
325         talloc_free(mem_ctx);
326
327         NT_STATUS_NOT_OK_RETURN(nt_status);
328
329         session_info->credentials = cli_credentials_init(session_info);
330         if (!session_info->credentials) {
331                 return NT_STATUS_NO_MEMORY;
332         }
333
334         cli_credentials_set_conf(session_info->credentials, lp_ctx);
335         cli_credentials_set_anonymous(session_info->credentials);
336         
337         *_session_info = session_info;
338
339         return NT_STATUS_OK;
340 }
341
342 _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
343                                     const char *netbios_name,
344                                     struct auth_user_info_dc **_user_info_dc)
345 {
346         struct auth_user_info_dc *user_info_dc;
347         struct auth_user_info *info;
348         user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
349         NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
350
351         /* This returns a pointer to a struct dom_sid, which is the
352          * same as a 1 element list of struct dom_sid */
353         user_info_dc->num_sids = 1;
354         user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS);
355         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
356
357         /* annoying, but the Anonymous really does have a session key... */
358         user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
359         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
360
361         user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
362         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
363
364         /*  and it is all zeros! */
365         data_blob_clear(&user_info_dc->user_session_key);
366         data_blob_clear(&user_info_dc->lm_session_key);
367
368         user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
369         NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
370
371         info->account_name = talloc_strdup(info, "ANONYMOUS LOGON");
372         NT_STATUS_HAVE_NO_MEMORY(info->account_name);
373
374         info->domain_name = talloc_strdup(info, "NT AUTHORITY");
375         NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
376
377         info->full_name = talloc_strdup(info, "Anonymous Logon");
378         NT_STATUS_HAVE_NO_MEMORY(info->full_name);
379
380         info->logon_script = talloc_strdup(info, "");
381         NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
382
383         info->profile_path = talloc_strdup(info, "");
384         NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
385
386         info->home_directory = talloc_strdup(info, "");
387         NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
388
389         info->home_drive = talloc_strdup(info, "");
390         NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
391
392         info->logon_server = talloc_strdup(info, netbios_name);
393         NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
394
395         info->last_logon = 0;
396         info->last_logoff = 0;
397         info->acct_expiry = 0;
398         info->last_password_change = 0;
399         info->allow_password_change = 0;
400         info->force_password_change = 0;
401
402         info->logon_count = 0;
403         info->bad_password_count = 0;
404
405         info->acct_flags = ACB_NORMAL;
406
407         info->authenticated = false;
408
409         *_user_info_dc = user_info_dc;
410
411         return NT_STATUS_OK;
412 }
413