2003-08-13 01:53:07 +00:00
/*
Unix SMB / CIFS implementation .
Authentication utility functions
Copyright ( C ) Andrew Tridgell 1992 - 1998
Copyright ( C ) Andrew Bartlett 2001
Copyright ( C ) Jeremy Allison 2000 - 2001
Copyright ( C ) Rafal Szczesniak 2002
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
# include "includes.h"
2004-11-01 10:30:34 +00:00
# include "librpc/gen_ndr/ndr_samr.h"
# include "librpc/gen_ndr/ndr_netlogon.h"
2004-11-02 02:57:18 +00:00
# include "auth/auth.h"
2003-08-13 01:53:07 +00:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_AUTH
/****************************************************************************
Create an auth_usersupplied_data structure
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-09-26 23:39:18 +00:00
static NTSTATUS make_user_info ( TALLOC_CTX * mem_ctx ,
struct auth_usersupplied_info * * user_info ,
2003-08-13 01:53:07 +00:00
const char * smb_name ,
const char * internal_username ,
const char * client_domain ,
const char * domain ,
const char * wksta_name ,
2004-06-05 03:43:00 +00:00
DATA_BLOB * lm_password , DATA_BLOB * nt_password ,
DATA_BLOB * lm_interactive_password , DATA_BLOB * nt_interactive_password ,
2004-05-02 08:45:00 +00:00
DATA_BLOB * plaintext ,
BOOL encrypted )
2003-08-13 01:53:07 +00:00
{
DEBUG ( 5 , ( " attempting to make a user_info for %s (%s) \n " , internal_username , smb_name ) ) ;
2004-09-26 23:39:18 +00:00
* user_info = talloc_p ( mem_ctx , struct auth_usersupplied_info ) ;
2003-08-13 01:53:07 +00:00
if ( ! user_info ) {
return NT_STATUS_NO_MEMORY ;
}
ZERO_STRUCTP ( * user_info ) ;
DEBUG ( 5 , ( " making strings for %s's user_info struct \n " , internal_username ) ) ;
2004-09-26 23:39:18 +00:00
( * user_info ) - > smb_name . str = talloc_strdup ( * user_info , smb_name ) ;
2003-08-13 01:53:07 +00:00
if ( ( * user_info ) - > smb_name . str ) {
( * user_info ) - > smb_name . len = strlen ( smb_name ) ;
} else {
free_user_info ( user_info ) ;
return NT_STATUS_NO_MEMORY ;
}
2004-09-26 23:39:18 +00:00
( * user_info ) - > internal_username . str = talloc_strdup ( * user_info , internal_username ) ;
2003-08-13 01:53:07 +00:00
if ( ( * user_info ) - > internal_username . str ) {
( * user_info ) - > internal_username . len = strlen ( internal_username ) ;
} else {
free_user_info ( user_info ) ;
return NT_STATUS_NO_MEMORY ;
}
2004-09-26 23:39:18 +00:00
( * user_info ) - > domain . str = talloc_strdup ( * user_info , domain ) ;
2003-08-13 01:53:07 +00:00
if ( ( * user_info ) - > domain . str ) {
( * user_info ) - > domain . len = strlen ( domain ) ;
} else {
free_user_info ( user_info ) ;
return NT_STATUS_NO_MEMORY ;
}
2004-09-26 23:39:18 +00:00
( * user_info ) - > client_domain . str = talloc_strdup ( * user_info , client_domain ) ;
2003-08-13 01:53:07 +00:00
if ( ( * user_info ) - > client_domain . str ) {
( * user_info ) - > client_domain . len = strlen ( client_domain ) ;
} else {
free_user_info ( user_info ) ;
return NT_STATUS_NO_MEMORY ;
}
2004-09-26 23:39:18 +00:00
( * user_info ) - > wksta_name . str = talloc_strdup ( * user_info , wksta_name ) ;
2003-08-13 01:53:07 +00:00
if ( ( * user_info ) - > wksta_name . str ) {
( * user_info ) - > wksta_name . len = strlen ( wksta_name ) ;
} else {
free_user_info ( user_info ) ;
return NT_STATUS_NO_MEMORY ;
}
DEBUG ( 5 , ( " making blobs for %s's user_info struct \n " , internal_username ) ) ;
2004-06-05 03:43:00 +00:00
if ( lm_password )
2004-09-26 23:39:18 +00:00
( * user_info ) - > lm_resp = data_blob_talloc ( * user_info ,
lm_password - > data ,
lm_password - > length ) ;
2004-06-05 03:43:00 +00:00
if ( nt_password )
2004-09-26 23:39:18 +00:00
( * user_info ) - > nt_resp = data_blob_talloc ( * user_info ,
nt_password - > data ,
nt_password - > length ) ;
2004-06-05 03:43:00 +00:00
if ( lm_interactive_password )
2004-09-26 23:39:18 +00:00
( * user_info ) - > lm_interactive_password =
data_blob_talloc ( * user_info ,
lm_interactive_password - > data ,
lm_interactive_password - > length ) ;
2004-06-05 03:43:00 +00:00
if ( nt_interactive_password )
2004-09-26 23:39:18 +00:00
( * user_info ) - > nt_interactive_password =
data_blob_talloc ( * user_info ,
nt_interactive_password - > data ,
nt_interactive_password - > length ) ;
2004-05-02 08:45:00 +00:00
if ( plaintext )
2004-09-26 23:39:18 +00:00
( * user_info ) - > plaintext_password =
data_blob_talloc ( * user_info ,
plaintext - > data ,
plaintext - > length ) ;
2003-08-13 01:53:07 +00:00
( * user_info ) - > encrypted = encrypted ;
DEBUG ( 10 , ( " made an %sencrypted user_info for %s (%s) \n " , encrypted ? " " : " un " , internal_username , smb_name ) ) ;
return NT_STATUS_OK ;
}
/****************************************************************************
Create an auth_usersupplied_data structure after appropriate mapping .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-09-26 23:39:18 +00:00
NTSTATUS make_user_info_map ( TALLOC_CTX * mem_ctx ,
struct auth_usersupplied_info * * user_info ,
2003-08-13 01:53:07 +00:00
const char * smb_name ,
const char * client_domain ,
const char * wksta_name ,
2004-06-05 03:43:00 +00:00
DATA_BLOB * lm_password , DATA_BLOB * nt_password ,
DATA_BLOB * lm_interactive_password , DATA_BLOB * nt_interactive_password ,
2004-05-02 08:45:00 +00:00
DATA_BLOB * plaintext ,
BOOL encrypted )
2003-08-13 01:53:07 +00:00
{
const char * domain ;
DEBUG ( 5 , ( " make_user_info_map: Mapping user [%s] \\ [%s] from workstation [%s] \n " ,
client_domain , smb_name , wksta_name ) ) ;
2004-05-02 08:45:00 +00:00
/* don't allow "" as a domain, fixes a Win9X bug
where it doens ' t supply a domain for logon script
' net use ' commands . */
2003-08-13 01:53:07 +00:00
2004-05-02 08:45:00 +00:00
if ( * client_domain )
2003-08-13 01:53:07 +00:00
domain = client_domain ;
2004-05-02 08:45:00 +00:00
else
2003-08-13 01:53:07 +00:00
domain = lp_workgroup ( ) ;
2004-05-02 08:45:00 +00:00
2004-09-26 23:39:18 +00:00
/* we know that it is a trusted domain (and we are allowing
them ) or it is our domain */
2003-08-13 01:53:07 +00:00
2004-09-26 23:39:18 +00:00
return make_user_info ( mem_ctx ,
user_info , smb_name , smb_name ,
2004-05-02 08:45:00 +00:00
client_domain , domain , wksta_name ,
2004-06-05 03:43:00 +00:00
lm_password , nt_password ,
lm_interactive_password , nt_interactive_password ,
2004-05-02 08:45:00 +00:00
plaintext , encrypted ) ;
2003-08-13 01:53:07 +00:00
}
/****************************************************************************
Create an auth_usersupplied_data , making the DATA_BLOBs here .
Decrypt and encrypt the passwords .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-09-26 23:39:18 +00:00
NTSTATUS make_user_info_netlogon_network ( TALLOC_CTX * mem_ctx ,
struct auth_usersupplied_info * * user_info ,
const char * smb_name ,
const char * client_domain ,
const char * wksta_name ,
const uint8_t * lm_network_password , int lm_password_len ,
const uint8_t * nt_network_password , int nt_password_len )
2003-08-13 01:53:07 +00:00
{
NTSTATUS nt_status ;
2004-06-05 03:43:00 +00:00
DATA_BLOB lm_blob = data_blob ( lm_network_password , lm_password_len ) ;
DATA_BLOB nt_blob = data_blob ( nt_network_password , nt_password_len ) ;
2003-08-13 01:53:07 +00:00
2004-09-26 23:39:18 +00:00
nt_status = make_user_info_map ( mem_ctx ,
user_info ,
2004-05-02 08:45:00 +00:00
smb_name , client_domain ,
wksta_name ,
2004-06-05 03:43:00 +00:00
lm_password_len ? & lm_blob : NULL ,
nt_password_len ? & nt_blob : NULL ,
2004-05-02 08:45:00 +00:00
NULL , NULL , NULL ,
True ) ;
2003-08-13 01:53:07 +00:00
data_blob_free ( & lm_blob ) ;
data_blob_free ( & nt_blob ) ;
2004-06-07 03:46:32 +00:00
return nt_status ;
2003-08-13 01:53:07 +00:00
}
/****************************************************************************
Create an auth_usersupplied_data , making the DATA_BLOBs here .
Decrypt and encrypt the passwords .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-09-26 23:39:18 +00:00
NTSTATUS make_user_info_netlogon_interactive ( TALLOC_CTX * mem_ctx ,
struct auth_usersupplied_info * * user_info ,
2004-06-07 03:46:32 +00:00
const char * smb_name ,
const char * client_domain ,
const char * wksta_name ,
const uint8_t chal [ 8 ] ,
const struct samr_Password * lm_interactive_password ,
const struct samr_Password * nt_interactive_password )
2003-08-13 01:53:07 +00:00
{
2004-06-07 03:46:32 +00:00
NTSTATUS nt_status ;
DATA_BLOB local_lm_blob ;
DATA_BLOB local_nt_blob ;
DATA_BLOB lm_interactive_blob ;
DATA_BLOB nt_interactive_blob ;
2004-05-29 08:11:46 +00:00
uint8_t local_lm_response [ 24 ] ;
uint8_t local_nt_response [ 24 ] ;
2003-08-13 01:53:07 +00:00
2004-06-07 03:46:32 +00:00
SMBOWFencrypt ( lm_interactive_password - > hash , chal , local_lm_response ) ;
SMBOWFencrypt ( nt_interactive_password - > hash , chal , local_nt_response ) ;
2003-08-13 01:53:07 +00:00
2004-06-07 03:46:32 +00:00
local_lm_blob = data_blob ( local_lm_response ,
sizeof ( local_lm_response ) ) ;
2004-06-14 12:31:04 +00:00
lm_interactive_blob = data_blob ( lm_interactive_password - > hash ,
sizeof ( lm_interactive_password - > hash ) ) ;
2003-08-13 01:53:07 +00:00
2004-06-07 03:46:32 +00:00
local_nt_blob = data_blob ( local_nt_response ,
sizeof ( local_nt_response ) ) ;
2004-06-14 12:31:04 +00:00
nt_interactive_blob = data_blob ( nt_interactive_password - > hash ,
sizeof ( nt_interactive_password - > hash ) ) ;
2003-08-13 01:53:07 +00:00
2004-09-26 23:39:18 +00:00
nt_status = make_user_info_map ( mem_ctx ,
user_info ,
2004-06-07 03:46:32 +00:00
smb_name , client_domain ,
wksta_name ,
& local_lm_blob ,
& local_nt_blob ,
& lm_interactive_blob ,
& nt_interactive_blob ,
NULL ,
True ) ;
2003-08-13 01:53:07 +00:00
2004-06-07 03:46:32 +00:00
data_blob_free ( & local_lm_blob ) ;
data_blob_free ( & local_nt_blob ) ;
data_blob_free ( & lm_interactive_blob ) ;
data_blob_free ( & nt_interactive_blob ) ;
return nt_status ;
2003-08-13 01:53:07 +00:00
}
/****************************************************************************
Create an auth_usersupplied_data structure
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-09-26 23:39:18 +00:00
NTSTATUS make_user_info_for_reply_enc ( TALLOC_CTX * mem_ctx ,
struct auth_usersupplied_info * * user_info ,
2003-08-13 01:53:07 +00:00
const char * smb_name ,
const char * client_domain ,
2004-09-22 23:51:17 +00:00
const char * remote_machine ,
2003-08-13 01:53:07 +00:00
DATA_BLOB lm_resp , DATA_BLOB nt_resp )
{
2004-09-26 23:39:18 +00:00
return make_user_info_map ( mem_ctx ,
user_info , smb_name ,
2003-08-13 01:53:07 +00:00
client_domain ,
2004-09-22 23:51:17 +00:00
remote_machine ,
2004-05-02 08:45:00 +00:00
lm_resp . data ? & lm_resp : NULL ,
nt_resp . data ? & nt_resp : NULL ,
NULL , NULL , NULL ,
True ) ;
2003-08-13 01:53:07 +00:00
}
/****************************************************************************
Create a guest user_info blob , for anonymous authenticaion .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-09-26 23:39:18 +00:00
BOOL make_user_info_guest ( TALLOC_CTX * mem_ctx ,
struct auth_usersupplied_info * * user_info )
2003-08-13 01:53:07 +00:00
{
NTSTATUS nt_status ;
2004-09-26 23:39:18 +00:00
nt_status = make_user_info ( mem_ctx ,
user_info ,
2004-05-02 08:45:00 +00:00
" " , " " ,
" " , " " ,
" " ,
NULL , NULL ,
NULL , NULL ,
NULL ,
True ) ;
2003-08-13 01:53:07 +00:00
return NT_STATUS_IS_OK ( nt_status ) ? True : False ;
}
/****************************************************************************
prints a NT_USER_TOKEN to debug output .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-06-07 21:34:32 +00:00
void debug_nt_user_token ( int dbg_class , int dbg_lev , const NT_USER_TOKEN * token )
2003-08-13 01:53:07 +00:00
{
2004-05-22 07:55:48 +00:00
TALLOC_CTX * mem_ctx ;
2003-08-13 01:53:07 +00:00
size_t i ;
if ( ! token ) {
DEBUGC ( dbg_class , dbg_lev , ( " NT user token: (NULL) \n " ) ) ;
return ;
}
2004-05-22 07:55:48 +00:00
mem_ctx = talloc_init ( " debug_nt_user_token() " ) ;
if ( ! mem_ctx ) {
return ;
}
2003-08-13 01:53:07 +00:00
DEBUGC ( dbg_class , dbg_lev , ( " NT user token of user %s \n " ,
2004-05-22 07:55:48 +00:00
dom_sid_string ( mem_ctx , token - > user_sids [ 0 ] ) ) ) ;
2004-05-02 08:45:00 +00:00
DEBUGADDC ( dbg_class , dbg_lev , ( " contains %lu SIDs \n " , ( unsigned long ) token - > num_sids ) ) ;
2003-08-13 01:53:07 +00:00
for ( i = 0 ; i < token - > num_sids ; i + + )
2004-05-02 08:45:00 +00:00
DEBUGADDC ( dbg_class , dbg_lev , ( " SID[%3lu]: %s \n " , ( unsigned long ) i ,
2004-05-22 07:55:48 +00:00
dom_sid_string ( mem_ctx , token - > user_sids [ i ] ) ) ) ;
talloc_destroy ( mem_ctx ) ;
2003-08-13 01:53:07 +00:00
}
2004-06-07 21:34:32 +00:00
/****************************************************************************
prints a NT_USER_TOKEN to debug output .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
void debug_session_info ( int dbg_class , int dbg_lev , const struct auth_session_info * session_info )
{
if ( ! session_info ) {
DEBUGC ( dbg_class , dbg_lev , ( " Session Info: (NULL) \n " ) ) ;
return ;
}
debug_nt_user_token ( dbg_class , dbg_lev , session_info - > nt_user_token ) ;
}
2003-08-13 01:53:07 +00:00
/****************************************************************************
Create the SID list for this user .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-05-13 15:34:56 +00:00
NTSTATUS create_nt_user_token ( TALLOC_CTX * mem_ctx ,
struct dom_sid * user_sid , struct dom_sid * group_sid ,
int n_groupSIDs , struct dom_sid * * groupSIDs ,
BOOL is_guest , struct nt_user_token * * token )
2003-08-13 01:53:07 +00:00
{
NTSTATUS nt_status = NT_STATUS_OK ;
2004-05-13 15:34:56 +00:00
struct nt_user_token * ptoken ;
2003-08-13 01:53:07 +00:00
int i ;
int sid_ndx ;
2004-05-13 15:34:56 +00:00
if ( ! ( ptoken = talloc_p ( mem_ctx , struct nt_user_token ) ) ) {
2003-08-13 01:53:07 +00:00
DEBUG ( 0 , ( " create_nt_token: Out of memory allocating token \n " ) ) ;
nt_status = NT_STATUS_NO_MEMORY ;
return nt_status ;
}
2004-05-13 15:34:56 +00:00
ptoken - > num_sids = 0 ;
2003-08-13 01:53:07 +00:00
2004-05-13 15:34:56 +00:00
if ( ! ( ptoken - > user_sids = talloc_array_p ( mem_ctx , struct dom_sid * , n_groupSIDs + 5 ) ) ) {
2003-08-13 01:53:07 +00:00
DEBUG ( 0 , ( " create_nt_token: Out of memory allocating SIDs \n " ) ) ;
nt_status = NT_STATUS_NO_MEMORY ;
return nt_status ;
}
/*
* Note - user SID * MUST * be first in token !
* se_access_check depends on this .
*
* Primary group SID is second in token . Convention .
*/
2004-05-13 15:34:56 +00:00
ptoken - > user_sids [ PRIMARY_USER_SID_INDEX ] = user_sid ;
ptoken - > num_sids + + ;
ptoken - > user_sids [ PRIMARY_GROUP_SID_INDEX ] = group_sid ;
ptoken - > num_sids + + ;
2003-08-13 01:53:07 +00:00
/*
* Finally add the " standard " SIDs .
* The only difference between guest and " anonymous " ( which we
* don ' t really support ) is the addition of Authenticated_Users .
*/
2004-05-27 13:21:35 +00:00
ptoken - > user_sids [ 2 ] = dom_sid_parse_talloc ( mem_ctx , SID_WORLD ) ;
ptoken - > user_sids [ 3 ] = dom_sid_parse_talloc ( mem_ctx , SID_NETWORK ) ;
2004-05-13 15:34:56 +00:00
if ( is_guest ) {
2004-05-27 13:21:35 +00:00
ptoken - > user_sids [ 4 ] = dom_sid_parse_talloc ( mem_ctx , SID_BUILTIN_GUESTS ) ;
2004-05-13 15:34:56 +00:00
ptoken - > num_sids + + ;
} else {
2004-05-27 13:21:35 +00:00
ptoken - > user_sids [ 4 ] = dom_sid_parse_talloc ( mem_ctx , SID_AUTHENTICATED_USERS ) ;
2004-05-13 15:34:56 +00:00
ptoken - > num_sids + + ;
}
2003-08-13 01:53:07 +00:00
sid_ndx = 5 ; /* next available spot */
for ( i = 0 ; i < n_groupSIDs ; i + + ) {
size_t check_sid_idx ;
for ( check_sid_idx = 1 ; check_sid_idx < ptoken - > num_sids ; check_sid_idx + + ) {
2004-05-13 15:34:56 +00:00
if ( sid_equal ( ptoken - > user_sids [ check_sid_idx ] ,
groupSIDs [ i ] ) ) {
2003-08-13 01:53:07 +00:00
break ;
}
}
if ( check_sid_idx > = ptoken - > num_sids ) /* Not found already */ {
2004-05-13 15:34:56 +00:00
ptoken - > user_sids [ sid_ndx + + ] = groupSIDs [ i ] ;
ptoken - > num_sids + + ;
2003-08-13 01:53:07 +00:00
}
}
debug_nt_user_token ( DBGC_AUTH , 10 , ptoken ) ;
* token = ptoken ;
return nt_status ;
}
/***************************************************************************
Make a user_info struct
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-09-27 04:20:18 +00:00
NTSTATUS make_server_info ( const TALLOC_CTX * mem_ctx ,
2004-09-26 05:38:45 +00:00
struct auth_serversupplied_info * * server_info ,
2004-06-05 01:39:08 +00:00
const char * username )
2003-08-13 01:53:07 +00:00
{
2004-09-26 05:38:45 +00:00
* server_info = talloc_p ( mem_ctx , struct auth_serversupplied_info ) ;
2003-08-13 01:53:07 +00:00
if ( ! * server_info ) {
return NT_STATUS_NO_MEMORY ;
}
2004-06-14 13:22:03 +00:00
ZERO_STRUCTP ( * server_info ) ;
2003-08-13 01:53:07 +00:00
2004-05-13 15:34:56 +00:00
return NT_STATUS_OK ;
2003-08-13 01:53:07 +00:00
}
/***************************************************************************
Make ( and fill ) a user_info struct for a guest login .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-10-29 09:15:41 +00:00
NTSTATUS make_server_info_guest ( TALLOC_CTX * mem_ctx , struct auth_serversupplied_info * * server_info )
2003-08-13 01:53:07 +00:00
{
NTSTATUS nt_status ;
2004-09-26 05:38:45 +00:00
nt_status = make_server_info ( mem_ctx , server_info , " " ) ;
2003-08-13 01:53:07 +00:00
2004-05-13 15:34:56 +00:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
2003-08-13 01:53:07 +00:00
}
2004-05-13 15:34:56 +00:00
( * server_info ) - > guest = True ;
2004-05-27 13:21:35 +00:00
2004-09-26 01:43:05 +00:00
( * server_info ) - > user_sid = dom_sid_parse_talloc ( ( * server_info ) , SID_ANONYMOUS ) ;
( * server_info ) - > primary_group_sid = dom_sid_parse_talloc ( ( * server_info ) , SID_BUILTIN_GUESTS ) ;
2004-06-05 01:39:08 +00:00
( * server_info ) - > n_domain_groups = 0 ;
( * server_info ) - > domain_groups = NULL ;
2004-05-13 15:34:56 +00:00
/* annoying, but the Guest really does have a session key,
and it is all zeros ! */
2004-10-03 07:32:40 +00:00
( * server_info ) - > user_session_key = data_blob_talloc ( * server_info , NULL , 16 ) ;
( * server_info ) - > lm_session_key = data_blob_talloc ( * server_info , NULL , 16 ) ;
data_blob_clear ( & ( * server_info ) - > user_session_key ) ;
data_blob_clear ( & ( * server_info ) - > lm_session_key ) ;
2004-05-02 08:45:00 +00:00
2004-06-07 03:46:32 +00:00
( * server_info ) - > account_name = " " ;
( * server_info ) - > domain = " " ;
( * server_info ) - > full_name = " Anonymous " ;
( * server_info ) - > logon_script = " " ;
( * server_info ) - > profile_path = " " ;
( * server_info ) - > home_directory = " " ;
( * server_info ) - > home_drive = " " ;
( * server_info ) - > last_logon = 0 ;
( * server_info ) - > last_logoff = 0 ;
( * server_info ) - > acct_expiry = 0 ;
( * server_info ) - > last_password_change = 0 ;
( * server_info ) - > allow_password_change = 0 ;
( * server_info ) - > force_password_change = 0 ;
( * server_info ) - > logon_count = 0 ;
( * server_info ) - > bad_password_count = 0 ;
( * server_info ) - > acct_flags = ACB_NORMAL ;
2003-08-13 01:53:07 +00:00
return nt_status ;
}
2004-10-29 09:15:41 +00:00
/***************************************************************************
Make a server_info struct from the info3 returned by a domain logon
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
NTSTATUS make_server_info_info3 ( TALLOC_CTX * mem_ctx ,
const char * internal_username ,
struct auth_serversupplied_info * * server_info ,
struct netr_SamInfo3 * info3 )
{
NTSTATUS nt_status ;
nt_status = make_server_info ( mem_ctx , server_info , internal_username ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
}
( * server_info ) - > guest = False ;
/*
Here is where we should check the list of
trusted domains , and verify that the SID
matches .
*/
( * server_info ) - > user_sid = dom_sid_add_rid ( * server_info , dom_sid_dup ( * server_info , info3 - > base . domain_sid ) , info3 - > base . rid ) ;
( * server_info ) - > primary_group_sid = dom_sid_add_rid ( * server_info , dom_sid_dup ( * server_info , info3 - > base . domain_sid ) , info3 - > base . primary_gid ) ;
/* TODO: pull in other groups: */
( * server_info ) - > domain_groups = talloc_array_p ( ( * server_info ) , struct dom_sid * , info3 - > base . group_count ) ;
if ( ! ( * server_info ) - > domain_groups ) {
return NT_STATUS_NO_MEMORY ;
}
for ( ( * server_info ) - > n_domain_groups = 0 ;
( * server_info ) - > n_domain_groups < info3 - > base . group_count ;
( * server_info ) - > n_domain_groups + + ) {
struct dom_sid * sid ;
sid = dom_sid_dup ( * server_info , info3 - > base . domain_sid ) ;
if ( ! sid ) {
return NT_STATUS_NO_MEMORY ;
}
( * server_info ) - > domain_groups [ ( * server_info ) - > n_domain_groups ]
= dom_sid_add_rid ( * server_info , sid ,
info3 - > base . groupids [ ( * server_info ) - > n_domain_groups ] . rid ) ;
if ( ! ( * server_info ) - > domain_groups [ ( * server_info ) - > n_domain_groups ] ) {
return NT_STATUS_NO_MEMORY ;
}
}
if ( info3 - > base . account_name . string ) {
( * server_info ) - > account_name = talloc_reference ( * server_info , info3 - > base . account_name . string ) ;
} else {
( * server_info ) - > account_name = talloc_strdup ( * server_info , internal_username ) ;
}
if ( info3 - > base . domain . string ) {
( * server_info ) - > domain = talloc_reference ( * server_info , info3 - > base . domain . string ) ;
} else {
( * server_info ) - > domain = NULL ;
}
if ( info3 - > base . full_name . string ) {
( * server_info ) - > full_name = talloc_reference ( * server_info , info3 - > base . full_name . string ) ;
} else {
( * server_info ) - > full_name = NULL ;
}
if ( info3 - > base . logon_script . string ) {
( * server_info ) - > logon_script = talloc_reference ( * server_info , info3 - > base . logon_script . string ) ;
} else {
( * server_info ) - > logon_script = NULL ;
}
if ( info3 - > base . profile_path . string ) {
( * server_info ) - > profile_path = talloc_reference ( * server_info , info3 - > base . profile_path . string ) ;
} else {
( * server_info ) - > profile_path = NULL ;
}
if ( info3 - > base . home_directory . string ) {
( * server_info ) - > home_directory = talloc_reference ( * server_info , info3 - > base . home_directory . string ) ;
} else {
( * server_info ) - > home_directory = NULL ;
}
if ( info3 - > base . home_drive . string ) {
( * server_info ) - > home_drive = talloc_reference ( * server_info , info3 - > base . home_drive . string ) ;
} else {
( * server_info ) - > home_drive = NULL ;
}
( * server_info ) - > last_logon = info3 - > base . last_logon ;
( * server_info ) - > last_logoff = info3 - > base . last_logoff ;
( * server_info ) - > acct_expiry = info3 - > base . acct_expiry ;
( * server_info ) - > last_password_change = info3 - > base . last_password_change ;
( * server_info ) - > allow_password_change = info3 - > base . allow_password_change ;
( * server_info ) - > force_password_change = info3 - > base . force_password_change ;
( * server_info ) - > logon_count = info3 - > base . logon_count ;
( * server_info ) - > bad_password_count = info3 - > base . bad_password_count ;
( * server_info ) - > acct_flags = info3 - > base . acct_flags ;
/* ensure we are never given NULL session keys */
if ( all_zero ( info3 - > base . key . key , sizeof ( info3 - > base . key . key ) ) ) {
( * server_info ) - > user_session_key = data_blob ( NULL , 0 ) ;
} else {
( * server_info ) - > user_session_key = data_blob_talloc ( ( * server_info ) , info3 - > base . key . key , sizeof ( info3 - > base . key . key ) ) ;
}
if ( all_zero ( info3 - > base . LMSessKey . key , sizeof ( info3 - > base . LMSessKey . key ) ) ) {
( * server_info ) - > lm_session_key = data_blob ( NULL , 0 ) ;
} else {
( * server_info ) - > lm_session_key = data_blob_talloc ( ( * server_info ) , info3 - > base . LMSessKey . key , sizeof ( info3 - > base . LMSessKey . key ) ) ;
}
return NT_STATUS_OK ;
}
2003-08-13 01:53:07 +00:00
/***************************************************************************
Free a user_info struct
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-06-05 01:39:08 +00:00
void free_user_info ( struct auth_usersupplied_info * * user_info )
2003-08-13 01:53:07 +00:00
{
DEBUG ( 5 , ( " attempting to free (and zero) a user_info structure \n " ) ) ;
2004-09-26 23:39:18 +00:00
if ( * user_info ) {
data_blob_clear ( & ( * user_info ) - > plaintext_password ) ;
2003-08-13 01:53:07 +00:00
}
2004-09-26 23:39:18 +00:00
talloc_free ( * user_info ) ;
* user_info = NULL ;
2003-08-13 01:53:07 +00:00
}
/***************************************************************************
Clear out a server_info struct that has been allocated
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-06-05 01:39:08 +00:00
void free_server_info ( struct auth_serversupplied_info * * server_info )
2003-08-13 01:53:07 +00:00
{
2004-05-13 15:34:56 +00:00
DEBUG ( 5 , ( " attempting to free a server_info structure \n " ) ) ;
2004-09-26 23:39:18 +00:00
talloc_free ( * server_info ) ;
2004-05-13 15:34:56 +00:00
* server_info = NULL ;
2003-08-13 01:53:07 +00:00
}
/***************************************************************************
Make an auth_methods struct
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-06-05 01:39:08 +00:00
BOOL make_auth_methods ( struct auth_context * auth_context , struct auth_methods * * auth_method )
2003-08-13 01:53:07 +00:00
{
if ( ! auth_context ) {
smb_panic ( " no auth_context supplied to make_auth_methods()! \n " ) ;
}
if ( ! auth_method ) {
smb_panic ( " make_auth_methods: pointer to auth_method pointer is NULL! \n " ) ;
}
2004-09-26 03:50:24 +00:00
* auth_method = talloc_p ( auth_context , struct auth_methods ) ;
2003-08-13 01:53:07 +00:00
if ( ! * auth_method ) {
return False ;
}
ZERO_STRUCTP ( * auth_method ) ;
return True ;
}
2004-10-25 04:19:02 +00:00
NTSTATUS make_session_info ( TALLOC_CTX * mem_ctx ,
struct auth_serversupplied_info * server_info ,
2004-06-05 01:39:08 +00:00
struct auth_session_info * * session_info )
2003-08-13 01:53:07 +00:00
{
2004-06-05 01:39:08 +00:00
NTSTATUS nt_status ;
2004-10-25 04:19:02 +00:00
* session_info = talloc_p ( mem_ctx , struct auth_session_info ) ;
2004-06-05 01:39:08 +00:00
if ( ! * session_info ) {
return NT_STATUS_NO_MEMORY ;
}
( * session_info ) - > server_info = server_info ;
2004-10-29 09:15:41 +00:00
talloc_reference ( * session_info , ( * session_info ) - > server_info ) ;
2004-06-05 01:39:08 +00:00
/* unless set otherwise, the session key is the user session
* key from the auth subsystem */
( * session_info ) - > session_key = server_info - > user_session_key ;
2004-09-26 01:43:05 +00:00
nt_status = create_nt_user_token ( ( * session_info ) ,
2004-06-05 01:39:08 +00:00
server_info - > user_sid ,
server_info - > primary_group_sid ,
server_info - > n_domain_groups ,
server_info - > domain_groups ,
False ,
& ( * session_info ) - > nt_user_token ) ;
return nt_status ;
2003-08-13 01:53:07 +00:00
}
r1294: A nice, large, commit...
This implements gensec for Samba's server side, and brings gensec up
to the standards of a full subsystem.
This means that use of the subsystem is by gensec_* functions, not
function pointers in structures (this is internal). This causes
changes in all the existing gensec users.
Our RPC server no longer contains it's own generalised security
scheme, and now calls gensec directly.
Gensec has also taken over the role of auth/auth_ntlmssp.c
An important part of gensec, is the output of the 'session_info'
struct. This is now reference counted, so that we can correctly free
it when a pipe is closed, no matter if it was inherited, or created by
per-pipe authentication.
The schannel code is reworked, to be in the same file for client and
server.
ntlm_auth is reworked to use gensec.
The major problem with this code is the way it relies on subsystem
auto-initialisation. The primary reason for this commit now.is to
allow these problems to be looked at, and fixed.
There are problems with the new code:
- I've tested it with smbtorture, but currently don't have VMware and
valgrind working (this I'll fix soon).
- The SPNEGO code is client-only at this point.
- We still do not do kerberos.
Andrew Bartlett
(This used to be commit 07fd885fd488fd1051eacc905a2d4962f8a018ec)
2004-06-29 09:40:10 +00:00
/***************************************************************************
Clear out a server_info struct that has been allocated
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
void free_session_info ( struct auth_session_info * * session_info )
{
DEBUG ( 5 , ( " attempting to free a session_info structure \n " ) ) ;
2004-10-25 04:19:02 +00:00
talloc_free ( ( * session_info ) ) ;
r1294: A nice, large, commit...
This implements gensec for Samba's server side, and brings gensec up
to the standards of a full subsystem.
This means that use of the subsystem is by gensec_* functions, not
function pointers in structures (this is internal). This causes
changes in all the existing gensec users.
Our RPC server no longer contains it's own generalised security
scheme, and now calls gensec directly.
Gensec has also taken over the role of auth/auth_ntlmssp.c
An important part of gensec, is the output of the 'session_info'
struct. This is now reference counted, so that we can correctly free
it when a pipe is closed, no matter if it was inherited, or created by
per-pipe authentication.
The schannel code is reworked, to be in the same file for client and
server.
ntlm_auth is reworked to use gensec.
The major problem with this code is the way it relies on subsystem
auto-initialisation. The primary reason for this commit now.is to
allow these problems to be looked at, and fixed.
There are problems with the new code:
- I've tested it with smbtorture, but currently don't have VMware and
valgrind working (this I'll fix soon).
- The SPNEGO code is client-only at this point.
- We still do not do kerberos.
Andrew Bartlett
(This used to be commit 07fd885fd488fd1051eacc905a2d4962f8a018ec)
2004-06-29 09:40:10 +00:00
* session_info = NULL ;
}
2003-08-13 01:53:07 +00:00
/**
* Squash an NT_STATUS in line with security requirements .
* In an attempt to avoid giving the whole game away when users
* are authenticating , NT replaces both NT_STATUS_NO_SUCH_USER and
* NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations
* ( session setups in particular ) .
*
* @ param nt_status NTSTATUS input for squashing .
* @ return the ' squashed ' nt_status
* */
NTSTATUS nt_status_squash ( NTSTATUS nt_status )
{
if NT_STATUS_IS_OK ( nt_status ) {
return nt_status ;
} else if NT_STATUS_EQUAL ( nt_status , NT_STATUS_NO_SUCH_USER ) {
/* Match WinXP and don't give the game away */
return NT_STATUS_LOGON_FAILURE ;
} else if NT_STATUS_EQUAL ( nt_status , NT_STATUS_WRONG_PASSWORD ) {
/* Match WinXP and don't give the game away */
return NT_STATUS_LOGON_FAILURE ;
} else {
return nt_status ;
}
}
