#include "smbd/globals.h"
#include "../libcli/smb/smb_common.h"
#include "../libcli/auth/spnego.h"
-#include "ntlmssp.h"
+#include "../libcli/auth/ntlmssp.h"
+#include "ntlmssp_wrap.h"
static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
uint64_t in_session_id,
return 0;
}
+static NTSTATUS setup_ntlmssp_server_info(struct smbd_smb2_session *session,
+ NTSTATUS status)
+{
+ if (NT_STATUS_IS_OK(status)) {
+ status = auth_ntlmssp_steal_server_info(session,
+ session->auth_ntlmssp_state,
+ &session->server_info);
+ } else {
+ /* Note that this server_info won't have a session
+ * key. But for map to guest, that's exactly the right
+ * thing - we can't reasonably guess the key the
+ * client wants, as the password was wrong */
+ status = do_map_to_guest(status,
+ &session->server_info,
+ auth_ntlmssp_get_username(session->auth_ntlmssp_state),
+ auth_ntlmssp_get_domain(session->auth_ntlmssp_state));
+ }
+ return status;
+}
+
#ifdef HAVE_KRB5
static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
struct smbd_smb2_request *smb2req,
fstring tmp;
bool username_was_mapped = false;
bool map_domainuser_to_guest = false;
- struct smbd_server_connection *sconn = smbd_server_conn;
- if (!spnego_parse_krb5_wrap(*secblob, &ticket, tok_id)) {
+ if (!spnego_parse_krb5_wrap(talloc_tos(), *secblob, &ticket, tok_id)) {
status = NT_STATUS_LOGON_FAILURE;
goto fail;
}
/* lookup the passwd struct, create a new user if necessary */
- username_was_mapped = map_username(sconn, user);
+ username_was_mapped = map_username(user);
pw = smb_getpwnam(talloc_tos(), user, real_username, true );
if (pw) {
DEBUG(10, ("smb2: found user %s in passdb, calling "
"make_server_info_sam\n", real_username));
status = make_server_info_sam(&tmp_server_info, sampass);
+ TALLOC_FREE(sampass);
} else {
/*
* User not in passdb, make it up artificially
register_homes_share(session->server_info->unix_name);
}
- if (!session_claim(session->compat_vuser)) {
+ if (!session_claim(sconn_server_id(session->sconn),
+ session->compat_vuser)) {
DEBUG(1, ("smb2: Failed to claim session "
"for vuid=%d\n",
session->compat_vuser->vuid));
status = NT_STATUS_OK;
/* wrap that up in a nice GSS-API wrapping */
- ap_rep_wrapped = spnego_gen_krb5_wrap(ap_rep,
+ ap_rep_wrapped = spnego_gen_krb5_wrap(talloc_tos(), ap_rep,
TOK_ID_KRB_AP_REP);
secblob_out = spnego_gen_auth_response(
+ talloc_tos(),
&ap_rep_wrapped,
status,
mechOID);
ap_rep_wrapped = data_blob_null;
secblob_out = spnego_gen_auth_response(
+ talloc_tos(),
&ap_rep_wrapped,
status,
mechOID);
{
DATA_BLOB secblob_in = data_blob_null;
DATA_BLOB chal_out = data_blob_null;
- DATA_BLOB secblob_out = data_blob_null;
char *kerb_mech = NULL;
NTSTATUS status;
/* Ensure we have no old NTLM state around. */
- auth_ntlmssp_end(&session->auth_ntlmssp_state);
+ TALLOC_FREE(session->auth_ntlmssp_state);
- status = parse_spnego_mechanisms(in_security_buffer,
+ status = parse_spnego_mechanisms(talloc_tos(), in_security_buffer,
&secblob_in, &kerb_mech);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
#endif
- /* Fall back to NTLMSSP. */
- status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
- if (!NT_STATUS_IS_OK(status)) {
- goto out;
- }
+ if (kerb_mech) {
+ /* The mechtoken is a krb5 ticket, but
+ * we need to fall back to NTLM. */
- status = auth_ntlmssp_update(session->auth_ntlmssp_state,
- secblob_in,
- &chal_out);
+ DEBUG(3,("smb2: Got krb5 ticket in SPNEGO "
+ "but set to downgrade to NTLMSSP\n"));
+
+ status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ } else {
+ /* Fall back to NTLMSSP. */
+ status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ status = auth_ntlmssp_update(session->auth_ntlmssp_state,
+ secblob_in,
+ &chal_out);
+ }
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status,
goto out;
}
- secblob_out = spnego_gen_auth_response(&chal_out,
+ *out_security_buffer = spnego_gen_auth_response(smb2req,
+ &chal_out,
status,
OID_NTLMSSP);
- *out_security_buffer = data_blob_talloc(smb2req,
- secblob_out.data,
- secblob_out.length);
- if (secblob_out.data && out_security_buffer->data == NULL) {
+ if (out_security_buffer->data == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
out:
data_blob_free(&secblob_in);
- data_blob_free(&secblob_out);
data_blob_free(&chal_out);
- SAFE_FREE(kerb_mech);
+ TALLOC_FREE(kerb_mech);
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status,
NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- auth_ntlmssp_end(&session->auth_ntlmssp_state);
+ TALLOC_FREE(session->auth_ntlmssp_state);
TALLOC_FREE(session);
}
return status;
session->do_signing = true;
}
- if (session->auth_ntlmssp_state->server_info->guest) {
+ if (session->server_info->guest) {
/* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
session->do_signing = false;
}
- session->server_info = session->auth_ntlmssp_state->server_info;
- data_blob_free(&session->server_info->user_session_key);
- session->server_info->user_session_key =
- data_blob_talloc(
- session->server_info,
- session->auth_ntlmssp_state->ntlmssp_state->session_key.data,
- session->auth_ntlmssp_state->ntlmssp_state->session_key.length);
- if (session->auth_ntlmssp_state->ntlmssp_state->session_key.length > 0) {
- if (session->server_info->user_session_key.data == NULL) {
- auth_ntlmssp_end(&session->auth_ntlmssp_state);
- TALLOC_FREE(session);
- return NT_STATUS_NO_MEMORY;
- }
- }
session->session_key = session->server_info->user_session_key;
session->compat_vuser = talloc_zero(session, user_struct);
if (session->compat_vuser == NULL) {
- auth_ntlmssp_end(&session->auth_ntlmssp_state);
+ TALLOC_FREE(session->auth_ntlmssp_state);
TALLOC_FREE(session);
return NT_STATUS_NO_MEMORY;
}
/* This is a potentially untrusted username */
alpha_strcpy(tmp,
- session->auth_ntlmssp_state->ntlmssp_state->user,
- ". _-$",
- sizeof(tmp));
+ auth_ntlmssp_get_username(session->auth_ntlmssp_state),
+ ". _-$",
+ sizeof(tmp));
session->server_info->sanitized_username = talloc_strdup(
- session->server_info, tmp);
+ session->server_info, tmp);
if (!session->compat_vuser->server_info->guest) {
session->compat_vuser->homes_snum =
register_homes_share(session->server_info->unix_name);
}
- if (!session_claim(session->compat_vuser)) {
+ if (!session_claim(sconn_server_id(session->sconn),
+ session->compat_vuser)) {
DEBUG(1, ("smb2: Failed to claim session "
"for vuid=%d\n",
session->compat_vuser->vuid));
- auth_ntlmssp_end(&session->auth_ntlmssp_state);
+ TALLOC_FREE(session->auth_ntlmssp_state);
TALLOC_FREE(session);
return NT_STATUS_LOGON_FAILURE;
}
{
DATA_BLOB auth = data_blob_null;
DATA_BLOB auth_out = data_blob_null;
- DATA_BLOB secblob_out = data_blob_null;
NTSTATUS status;
- if (!spnego_parse_auth(in_security_buffer, &auth)) {
+ if (!spnego_parse_auth(talloc_tos(), in_security_buffer, &auth)) {
TALLOC_FREE(session);
return NT_STATUS_LOGON_FAILURE;
}
DATA_BLOB secblob_in = data_blob_null;
char *kerb_mech = NULL;
- status = parse_spnego_mechanisms(in_security_buffer,
+ status = parse_spnego_mechanisms(talloc_tos(),
+ in_security_buffer,
&secblob_in, &kerb_mech);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
out_session_id);
data_blob_free(&secblob_in);
- SAFE_FREE(kerb_mech);
+ TALLOC_FREE(kerb_mech);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
}
"not enabled\n"));
TALLOC_FREE(session);
data_blob_free(&secblob_in);
- SAFE_FREE(kerb_mech);
+ TALLOC_FREE(kerb_mech);
return NT_STATUS_LOGON_FAILURE;
}
+
+ data_blob_free(&secblob_in);
+ }
+
+ if (session->auth_ntlmssp_state == NULL) {
+ status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ data_blob_free(&auth);
+ TALLOC_FREE(session);
+ return status;
+ }
}
status = auth_ntlmssp_update(session->auth_ntlmssp_state,
auth,
&auth_out);
- if (!NT_STATUS_IS_OK(status)) {
- auth_ntlmssp_end(&session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ status = setup_ntlmssp_server_info(session, status);
+ }
+
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ TALLOC_FREE(session->auth_ntlmssp_state);
data_blob_free(&auth);
TALLOC_FREE(session);
return status;
data_blob_free(&auth);
- secblob_out = spnego_gen_auth_response(&auth_out,
- status, NULL);
+ *out_security_buffer = spnego_gen_auth_response(smb2req,
+ &auth_out, status, NULL);
- *out_security_buffer = data_blob_talloc(smb2req,
- secblob_out.data,
- secblob_out.length);
- if (secblob_out.data && out_security_buffer->data == NULL) {
- auth_ntlmssp_end(&session->auth_ntlmssp_state);
+ if (out_security_buffer->data == NULL) {
+ TALLOC_FREE(session->auth_ntlmssp_state);
TALLOC_FREE(session);
return NT_STATUS_NO_MEMORY;
}
*out_session_id = session->vuid;
+ if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
+ }
+
+ /* We're done - claim the session. */
return smbd_smb2_common_ntlmssp_auth_return(session,
smb2req,
in_security_mode,
secblob_out.data,
secblob_out.length);
if (secblob_out.data && out_security_buffer->data == NULL) {
- auth_ntlmssp_end(&session->auth_ntlmssp_state);
+ TALLOC_FREE(session->auth_ntlmssp_state);
TALLOC_FREE(session);
return NT_STATUS_NO_MEMORY;
}
*out_session_id = session->vuid;
return status;
}
+
+ status = setup_ntlmssp_server_info(session, status);
+
if (!NT_STATUS_IS_OK(status)) {
- auth_ntlmssp_end(&session->auth_ntlmssp_state);
+ TALLOC_FREE(session->auth_ntlmssp_state);
TALLOC_FREE(session);
return status;
}
/* Unknown packet type. */
DEBUG(1,("Unknown packet type %u in smb2 sessionsetup\n",
(unsigned int)in_security_buffer.data[0] ));
- auth_ntlmssp_end(&session->auth_ntlmssp_state);
+ TALLOC_FREE(session->auth_ntlmssp_state);
TALLOC_FREE(session);
return NT_STATUS_LOGON_FAILURE;
}