source3/auth/auth_ntlmssp.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, server side
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett 2001-2005,2011
   8    Copyright (C) Stefan Metzmacher 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "auth.h"
  26 #include "libcli/security/security.h"
  27
  28 NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context,
  29                                      TALLOC_CTX *mem_ctx,
  30                                      void *server_returned_info,
  31                                      const char *original_user_name,
  32                                      uint32_t session_info_flags,
  33                                      struct auth_session_info **session_info)
  34 {
  35         struct auth_user_info_dc *user_info = NULL;
  36         struct auth_serversupplied_info *server_info = NULL;
  37         NTSTATUS nt_status;
  38
  39         /*
  40          * This is a hack, some callers...
  41          *
  42          * Some callers pass auth_user_info_dc, the SCHANNEL and
  43          * NCALRPC_AS_SYSTEM gensec modules.
  44          *
  45          * While the reset passes auth3_check_password() returned.
  46          */
  47         user_info = talloc_get_type(server_returned_info,
  48                                     struct auth_user_info_dc);
  49         if (user_info != NULL) {
  50                 const struct dom_sid *sid;
  51                 int cmp;
  52
  53                 /*
  54                  * This should only be called from SCHANNEL or NCALRPC_AS_SYSTEM
  55                  */
  56                 if (user_info->num_sids != 1) {
  57                         return NT_STATUS_INTERNAL_ERROR;
  58                 }
  59                 sid = &user_info->sids[PRIMARY_USER_SID_INDEX];
  60
  61                 cmp = dom_sid_compare(sid, &global_sid_System);
  62                 if (cmp == 0) {
  63                         return make_session_info_system(mem_ctx, session_info);
  64                 }
  65
  66                 cmp = dom_sid_compare(sid, &global_sid_Anonymous);
  67                 if (cmp == 0) {
  68                         /*
  69                          * TODO: use auth_anonymous_session_info() here?
  70                          */
  71                         return make_session_info_guest(mem_ctx, session_info);
  72                 }
  73
  74                 return NT_STATUS_INTERNAL_ERROR;
  75         }
  76
  77         server_info = talloc_get_type_abort(server_returned_info,
  78                                             struct auth_serversupplied_info);
  79         nt_status = create_local_token(mem_ctx,
  80                                        server_info,
  81                                        NULL,
  82                                        original_user_name,
  83                                        session_info);
  84         if (!NT_STATUS_IS_OK(nt_status)) {
  85                 DEBUG(10, ("create_local_token failed: %s\n",
  86                            nt_errstr(nt_status)));
  87                 return nt_status;
  88         }
  89
  90         return NT_STATUS_OK;
  91 }
  92
  93 /**
  94  * Return the challenge as determined by the authentication subsystem
  95  * @return an 8 byte random challenge
  96  */
  97
  98 NTSTATUS auth3_get_challenge(struct auth4_context *auth4_context,
  99                                            uint8_t chal[8])
 100 {
 101         struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
 102                                                                   struct auth_context);
 103         auth_get_ntlm_challenge(auth_context, chal);
 104         return NT_STATUS_OK;
 105 }
 106
 107 /**
 108  * NTLM2 authentication modifies the effective challenge,
 109  * @param challenge The new challenge value
 110  */
 111 NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t *chal,
 112                              const char *challenge_set_by)
 113 {
 114         struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
 115                                                                   struct auth_context);
 116
 117         auth_context->challenge = data_blob_talloc(auth_context,
 118                                                    chal, 8);
 119         NT_STATUS_HAVE_NO_MEMORY(auth_context->challenge.data);
 120
 121         auth_context->challenge_set_by = talloc_strdup(auth_context, challenge_set_by);
 122         NT_STATUS_HAVE_NO_MEMORY(auth_context->challenge_set_by);
 123
 124         DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
 125         DEBUG(5, ("challenge is: \n"));
 126         dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
 127         return NT_STATUS_OK;
 128 }
 129
 130 /**
 131  * Check the password on an NTLMSSP login.
 132  *
 133  * Return the session keys used on the connection.
 134  */
 135
 136 NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 137                               TALLOC_CTX *mem_ctx,
 138                               const struct auth_usersupplied_info *user_info,
 139                               void **server_returned_info,
 140                               DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 141 {
 142         struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
 143                                                                   struct auth_context);
 144         struct auth_usersupplied_info *mapped_user_info = NULL;
 145         struct auth_serversupplied_info *server_info;
 146         NTSTATUS nt_status;
 147         bool username_was_mapped;
 148
 149         /* The client has given us its machine name (which we only get over NBT transport).
 150            We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
 151
 152         set_remote_machine_name(user_info->workstation_name, True);
 153
 154         /* setup the string used by %U */
 155         /* sub_set_smb_name checks for weird internally */
 156         sub_set_smb_name(user_info->client.account_name);
 157
 158         lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
 159
 160         nt_status = make_user_info_map(talloc_tos(),
 161                                        &mapped_user_info,
 162                                        user_info->client.account_name,
 163                                        user_info->client.domain_name,
 164                                        user_info->workstation_name,
 165                                        user_info->remote_host,
 166                                        user_info->password.response.lanman.data ? &user_info->password.response.lanman : NULL,
 167                                        user_info->password.response.nt.data ? &user_info->password.response.nt : NULL,
 168                                        NULL, NULL, NULL,
 169                                        AUTH_PASSWORD_RESPONSE);
 170
 171         if (!NT_STATUS_IS_OK(nt_status)) {
 172                 return nt_status;
 173         }
 174
 175         mapped_user_info->logon_parameters = user_info->logon_parameters;
 176
 177         mapped_user_info->flags = user_info->flags;
 178
 179         nt_status = auth_check_ntlm_password(mem_ctx,
 180                                              auth_context,
 181                                              mapped_user_info,
 182                                              &server_info);
 183
 184         if (!NT_STATUS_IS_OK(nt_status)) {
 185                 DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
 186                          user_info->client.domain_name,
 187                          user_info->client.account_name,
 188                          nt_errstr(nt_status)));
 189         }
 190
 191         username_was_mapped = mapped_user_info->was_mapped;
 192
 193         TALLOC_FREE(mapped_user_info);
 194
 195         if (!NT_STATUS_IS_OK(nt_status)) {
 196                 nt_status = do_map_to_guest_server_info(mem_ctx,
 197                                                         nt_status,
 198                                                         user_info->client.account_name,
 199                                                         user_info->client.domain_name,
 200                                                         &server_info);
 201                 *server_returned_info = talloc_steal(mem_ctx, server_info);
 202                 return nt_status;
 203         }
 204
 205         server_info->nss_token |= username_was_mapped;
 206
 207         /* Clear out the session keys, and pass them to the caller.
 208          * They will not be used in this form again - instead the
 209          * NTLMSSP code will decide on the final correct session key,
 210          * and supply it to create_local_token() */
 211         if (session_key) {
 212                 DEBUG(10, ("Got NT session key of length %u\n",
 213                         (unsigned int)server_info->session_key.length));
 214                 *session_key = server_info->session_key;
 215                 talloc_steal(mem_ctx, server_info->session_key.data);
 216                 server_info->session_key = data_blob_null;
 217         }
 218         if (lm_session_key) {
 219                 DEBUG(10, ("Got LM session key of length %u\n",
 220                         (unsigned int)server_info->lm_session_key.length));
 221                 *lm_session_key = server_info->lm_session_key;
 222                 talloc_steal(mem_ctx, server_info->lm_session_key.data);
 223                 server_info->lm_session_key = data_blob_null;
 224         }
 225
 226         *server_returned_info = talloc_steal(mem_ctx, server_info);
 227         return nt_status;
 228 }