/*
* NTLMSSP Acceptor
* DCERPC Server functions
* Copyright (C) Simo Sorce 2010.
* Copyright (C) Andrew Bartlett 2011.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
# include "includes.h"
# include "rpc_server/dcesrv_auth_generic.h"
# include "auth.h"
# include "auth/gensec/gensec.h"
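/*
 * Create a gensec server context for a DCERPC bind and run the first
 * gensec_update() round on the client's initial token.
 *
 * Expected to run with root privilege already held;
 * auth_generic_server_authtype_start() is the wrapper that provides it.
 * This helper does no privilege switching of its own.
 *
 * @param mem_ctx        owner of the returned context and of *token_out
 * @param auth_type      DCERPC auth type used to select the gensec mechanism
 * @param auth_level     DCERPC auth level handed to gensec alongside auth_type
 * @param token_in       first auth token received from the client
 * @param token_out      receives the token to send back to the client
 * @param remote_address client address handed to auth_generic_prepare()
 * @param ctx            receives the new context on success; untouched on error
 *
 * @return NT_STATUS_OK when the first gensec_update() round either
 *         succeeded or reported NT_STATUS_MORE_PROCESSING_REQUIRED
 *         (the two are deliberately folded together here; the caller is
 *         presumably expected to look at *token_out to tell them apart).
 *         Any other failure is returned unchanged and the partially
 *         initialised context is freed, so *ctx is never left pointing
 *         at a half-built context.
 */
static NTSTATUS auth_generic_server_authtype_start_as_root(TALLOC_CTX *mem_ctx,
							   uint8_t auth_type, uint8_t auth_level,
							   DATA_BLOB *token_in,
							   DATA_BLOB *token_out,
							   const struct tsocket_address *remote_address,
							   struct gensec_security **ctx)
{
	struct gensec_security *gensec_security = NULL;
	NTSTATUS status;

	/*
	 * The context lives on talloc_tos() until the first update round
	 * has succeeded; only then is ownership moved to mem_ctx below.
	 */
	status = auth_generic_prepare(talloc_tos(), remote_address, &gensec_security);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, (__location__ ": auth_generic_prepare failed: %s\n",
			  nt_errstr(status)));
		return status;
	}

	status = gensec_start_mech_by_authtype(gensec_security, auth_type, auth_level);
	if (!NT_STATUS_IS_OK(status)) {
		/*
		 * Log the call that actually failed so the message can be
		 * matched against the code.
		 * NOTE(review): auth_type presumably originates from the
		 * client's bind PDU, so an unsupported type is client-driven
		 * and level 0 could be noisy under probing -- confirm against
		 * the caller before deciding whether to lower it.
		 */
		DEBUG(0, (__location__ ": gensec_start_mech_by_authtype failed: %s\n",
			  nt_errstr(status)));
		TALLOC_FREE(gensec_security);
		return status;
	}

	status = gensec_update(gensec_security, mem_ctx, NULL, *token_in, token_out);
	if (!NT_STATUS_IS_OK(status) &&
	    !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
		/* A rejected client token is routine: level 2 keeps it out of the default log. */
		DEBUG(2, (__location__ ": gensec_update failed: %s\n",
			  nt_errstr(status)));
		TALLOC_FREE(gensec_security);
		return status;
	}

	/* steal gensec context to the caller */
	*ctx = talloc_move(mem_ctx, &gensec_security);
	return NT_STATUS_OK;
}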
/*
 * Public entry point for starting a gensec server context on a DCERPC
 * bind: acquires root around auth_generic_server_authtype_start_as_root()
 * and drops it again before the result is handed back.
 *
 * The privilege window is closed with unbecome_root() on every path,
 * success and failure alike, before the status is returned.
 * Parameters and return value are exactly those of
 * auth_generic_server_authtype_start_as_root().
 */
NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
					    uint8_t auth_type, uint8_t auth_level,
					    DATA_BLOB *token_in,
					    DATA_BLOB *token_out,
					    const struct tsocket_address *remote_address,
					    struct gensec_security **ctx)
{
	NTSTATUS result;

	/* this has to be done as root in order to create the messaging socket */
	become_root();
	result = auth_generic_server_authtype_start_as_root(mem_ctx,
							    auth_type,
							    auth_level,
							    token_in,
							    token_out,
							    remote_address,
							    ctx);
	unbecome_root();

	return result;
}
/*
 * Run one further gensec_update() round on an already-started context.
 *
 * @param gensec_security context produced by auth_generic_server_authtype_start()
 * @param mem_ctx         owner of *token_out
 * @param token_in        next token received from the client
 * @param token_out       receives the reply token for the client
 *
 * @return the gensec_update() status passed through unchanged, so the
 *         caller sees NT_STATUS_MORE_PROCESSING_REQUIRED and errors
 *         exactly as gensec reported them. Root is acquired only for
 *         the duration of the gensec_update() call and is always
 *         dropped before returning.
 */
NTSTATUS auth_generic_server_step(struct gensec_security *gensec_security,
				  TALLOC_CTX *mem_ctx,
				  DATA_BLOB *token_in,
				  DATA_BLOB *token_out)
{
	NTSTATUS result;

	/* this has to be done as root in order to verify the password */
	become_root();
	result = gensec_update(gensec_security, mem_ctx, NULL,
			       *token_in, token_out);
	unbecome_root();

	return result;
}
/*
 * Verify that the protection the server requires was actually negotiated.
 *
 * When integrity (do_sign) or privacy (do_seal) is required, the
 * corresponding gensec feature must have been negotiated with the
 * client; otherwise the bind is refused rather than allowed to proceed
 * with weaker protection than demanded. Each feature is only queried
 * when it is actually required.
 *
 * @param gensec_security negotiated gensec context
 * @param do_sign         integrity (signing) is required
 * @param do_seal         privacy (sealing) is required
 *
 * @return NT_STATUS_OK if every required feature was negotiated,
 *         NT_STATUS_ACCESS_DENIED otherwise.
 */
NTSTATUS auth_generic_server_check_flags(struct gensec_security *gensec_security,
					 bool do_sign, bool do_seal)
{
	if (do_sign) {
		bool negotiated = gensec_have_feature(gensec_security,
						      GENSEC_FEATURE_SIGN);
		if (!negotiated) {
			DEBUG(1, (__location__ " Integrity was requested but client "
				  "failed to negotiate signing.\n"));
			return NT_STATUS_ACCESS_DENIED;
		}
	}

	if (do_seal) {
		bool negotiated = gensec_have_feature(gensec_security,
						      GENSEC_FEATURE_SEAL);
		if (!negotiated) {
			DEBUG(1, (__location__ " Privacy was requested but client "
				  "failed to negotiate sealing.\n"));
			return NT_STATUS_ACCESS_DENIED;
		}
	}

	return NT_STATUS_OK;
}
/*
 * Obtain the auth_session_info for a completed gensec exchange.
 *
 * @param gensec_security completed gensec context
 * @param mem_ctx         owner of *session_info
 * @param session_info    receives the session info on success
 *
 * @return NT_STATUS_OK with *session_info filled in, or the
 *         gensec_session_info() failure status. Root is dropped before
 *         the status is inspected, so no return path leaves the
 *         process with root still held.
 */
NTSTATUS auth_generic_server_get_user_info(struct gensec_security *gensec_security,
					   TALLOC_CTX *mem_ctx,
					   struct auth_session_info **session_info)
{
	NTSTATUS result;

	/*
	 * Root is needed to reach the messaging sockets for IDMAP and
	 * privilege.ldb in the AD DC; keep the window to this one call.
	 */
	become_root();
	result = gensec_session_info(gensec_security, mem_ctx, session_info);
	unbecome_root();

	if (NT_STATUS_IS_OK(result)) {
		DEBUG(5, (__location__ " OK: user: %s domain: %s\n",
			  (*session_info)->info->account_name,
			  (*session_info)->info->domain_name));
		return NT_STATUS_OK;
	}

	DEBUG(1, (__location__ ": Failed to get authenticated user "
		  "info: %s\n", nt_errstr(result)));
	return result;
}