2012-01-30 22:42:39 +11:00
/*
2005-04-25 05:03:50 +00:00
Unix SMB / Netbios implementation .
Version 3.0
handle NLTMSSP , client server side parsing
Copyright ( C ) Andrew Tridgell 2001
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2001 - 2005
Copyright ( C ) Stefan Metzmacher 2005
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 02:07:03 +00:00
the Free Software Foundation ; either version 3 of the License , or
2005-04-25 05:03:50 +00:00
( at your option ) any later version .
2012-01-30 22:42:39 +11:00
2005-04-25 05:03:50 +00:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2012-01-30 22:42:39 +11:00
2005-04-25 05:03:50 +00:00
You should have received a copy of the GNU General Public License
2007-07-10 02:07:03 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2005-04-25 05:03:50 +00:00
*/
# include "includes.h"
2009-01-31 11:34:12 +01:00
# include "system/network.h"
2009-12-16 16:41:21 +01:00
# include "lib/tsocket/tsocket.h"
2005-04-25 05:03:50 +00:00
# include "auth/ntlmssp/ntlmssp.h"
2010-05-24 11:03:42 -07:00
# include "../librpc/gen_ndr/ndr_ntlmssp.h"
2011-07-25 16:04:38 +10:00
# include "auth/ntlmssp/ntlmssp_ndr.h"
# include "auth/ntlmssp/ntlmssp_private.h"
2009-04-16 10:17:17 +10:00
# include "../libcli/auth/libcli_auth.h"
2008-09-24 15:30:23 +02:00
# include "../lib/crypto/crypto.h"
2006-11-07 00:48:36 +00:00
# include "auth/gensec/gensec.h"
2013-08-05 07:12:01 +02:00
# include "auth/gensec/gensec_internal.h"
2012-01-30 22:42:39 +11:00
# include "auth/common_auth.h"
2007-09-08 12:42:09 +00:00
# include "param/param.h"
2015-11-19 16:02:58 +01:00
# include "param/loadparm.h"
2015-12-28 19:01:54 +00:00
# include "libds/common/roles.h"
2005-04-25 05:03:50 +00:00
2017-12-19 10:49:10 +01:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_AUTH
2012-01-30 22:42:39 +11:00
/**
2005-04-25 05:03:50 +00:00
* Return the credentials of a logged on user , including session keys
* etc .
*
* Only valid after a successful authentication
*
* May only be called once per authentication .
*
*/
NTSTATUS gensec_ntlmssp_session_info ( struct gensec_security * gensec_security ,
2011-08-01 15:39:01 +10:00
TALLOC_CTX * mem_ctx ,
2012-01-30 22:42:39 +11:00
struct auth_session_info * * session_info )
2005-04-25 05:03:50 +00:00
{
NTSTATUS nt_status ;
2009-12-29 17:56:56 +01:00
struct gensec_ntlmssp_context * gensec_ntlmssp =
2009-12-30 08:23:13 +01:00
talloc_get_type_abort ( gensec_security - > private_data ,
2009-12-29 17:56:56 +01:00
struct gensec_ntlmssp_context ) ;
2012-01-30 11:53:04 +11:00
uint32_t session_info_flags = 0 ;
if ( gensec_security - > want_features & GENSEC_FEATURE_UNIX_TOKEN ) {
session_info_flags | = AUTH_SESSION_INFO_UNIX_TOKEN ;
}
session_info_flags | = AUTH_SESSION_INFO_DEFAULT_GROUPS ;
2017-03-06 12:11:18 +13:00
session_info_flags | = AUTH_SESSION_INFO_NTLM ;
2012-01-30 11:53:04 +11:00
if ( gensec_security - > auth_context & & gensec_security - > auth_context - > generate_session_info ) {
2012-02-04 17:49:49 +11:00
nt_status = gensec_security - > auth_context - > generate_session_info ( gensec_security - > auth_context , mem_ctx ,
2012-01-30 11:53:04 +11:00
gensec_ntlmssp - > server_returned_info ,
2012-01-30 21:49:33 +11:00
gensec_ntlmssp - > ntlmssp_state - > user ,
2012-01-30 11:53:04 +11:00
session_info_flags ,
session_info ) ;
} else {
DEBUG ( 0 , ( " Cannot generate a session_info without the auth_context \n " ) ) ;
return NT_STATUS_INTERNAL_ERROR ;
}
2012-01-30 22:42:39 +11:00
2005-04-25 05:03:50 +00:00
NT_STATUS_NOT_OK_RETURN ( nt_status ) ;
2012-01-31 18:14:19 +11:00
nt_status = gensec_ntlmssp_session_key ( gensec_security , * session_info ,
& ( * session_info ) - > session_key ) ;
if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_NO_USER_SESSION_KEY ) ) {
( * session_info ) - > session_key = data_blob_null ;
nt_status = NT_STATUS_OK ;
}
return nt_status ;
2005-04-25 10:33:00 +00:00
}
/**
2012-01-30 22:42:39 +11:00
* Start NTLMSSP on the server side
2005-04-25 10:33:00 +00:00
*
*/
NTSTATUS gensec_ntlmssp_server_start ( struct gensec_security * gensec_security )
{
NTSTATUS nt_status ;
2009-12-30 17:57:54 +01:00
struct ntlmssp_state * ntlmssp_state ;
2009-12-29 17:56:56 +01:00
struct gensec_ntlmssp_context * gensec_ntlmssp ;
2012-01-31 16:17:04 +11:00
const char * netbios_name ;
const char * netbios_domain ;
const char * dns_name ;
const char * dns_domain ;
2015-11-19 16:02:58 +01:00
enum server_role role ;
role = lpcfg_server_role ( gensec_security - > settings - > lp_ctx ) ;
2005-04-25 10:33:00 +00:00
nt_status = gensec_ntlmssp_start ( gensec_security ) ;
NT_STATUS_NOT_OK_RETURN ( nt_status ) ;
2011-07-26 12:32:08 +10:00
gensec_ntlmssp =
talloc_get_type_abort ( gensec_security - > private_data ,
struct gensec_ntlmssp_context ) ;
ntlmssp_state = talloc_zero ( gensec_ntlmssp ,
struct ntlmssp_state ) ;
if ( ! ntlmssp_state ) {
return NT_STATUS_NO_MEMORY ;
}
gensec_ntlmssp - > ntlmssp_state = ntlmssp_state ;
2009-12-30 17:57:54 +01:00
ntlmssp_state - > role = NTLMSSP_SERVER ;
2005-04-25 10:33:00 +00:00
2009-12-30 17:57:54 +01:00
ntlmssp_state - > expected_state = NTLMSSP_NEGOTIATE ;
2005-04-25 10:33:00 +00:00
2015-12-01 14:58:19 +01:00
ntlmssp_state - > allow_lm_response =
lpcfg_lanman_auth ( gensec_security - > settings - > lp_ctx ) ;
if ( ntlmssp_state - > allow_lm_response & &
2012-01-31 15:57:06 +11:00
gensec_setting_bool ( gensec_security - > settings ,
" ntlmssp_server " , " allow_lm_key " , false ) )
{
ntlmssp_state - > allow_lm_key = true ;
}
2005-04-25 10:33:00 +00:00
2016-04-20 18:27:34 +02:00
ntlmssp_state - > force_old_spnego = false ;
2015-11-19 16:02:58 +01:00
2016-04-25 15:58:27 +02:00
if ( gensec_setting_bool ( gensec_security - > settings , " ntlmssp_server " , " force_old_spnego " , false ) ) {
/*
* For testing Windows 2000 mode
*/
ntlmssp_state - > force_old_spnego = true ;
}
2009-12-30 17:57:54 +01:00
ntlmssp_state - > neg_flags =
2009-08-25 12:12:59 +02:00
NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION ;
2005-04-25 10:33:00 +00:00
2008-11-02 02:05:48 +01:00
if ( gensec_setting_bool ( gensec_security - > settings , " ntlmssp_server " , " 128bit " , true ) ) {
2009-12-30 17:57:54 +01:00
ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_128 ;
2005-04-25 10:33:00 +00:00
}
2008-11-02 02:05:48 +01:00
if ( gensec_setting_bool ( gensec_security - > settings , " ntlmssp_server " , " 56bit " , true ) ) {
2009-12-30 17:57:54 +01:00
ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_56 ;
2006-07-12 00:02:50 +00:00
}
2008-11-02 02:05:48 +01:00
if ( gensec_setting_bool ( gensec_security - > settings , " ntlmssp_server " , " keyexchange " , true ) ) {
2009-12-30 17:57:54 +01:00
ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_KEY_EXCH ;
2005-04-25 10:33:00 +00:00
}
2008-11-02 02:05:48 +01:00
if ( gensec_setting_bool ( gensec_security - > settings , " ntlmssp_server " , " alwayssign " , true ) ) {
2009-12-30 17:57:54 +01:00
ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_ALWAYS_SIGN ;
2006-11-20 20:58:00 +00:00
}
2008-11-02 02:05:48 +01:00
if ( gensec_setting_bool ( gensec_security - > settings , " ntlmssp_server " , " ntlm2 " , true ) ) {
2009-12-30 17:57:54 +01:00
ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_NTLM2 ;
2005-04-25 10:33:00 +00:00
}
2015-12-01 15:06:09 +01:00
if ( ntlmssp_state - > allow_lm_key ) {
ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_LM_KEY ;
}
2016-09-01 10:56:57 +02:00
/*
* We always allow NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL .
*
* These will be removed if the client doesn ' t want them .
*/
ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_SIGN ;
ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_SEAL ;
2012-01-31 15:40:53 +11:00
if ( gensec_security - > want_features & GENSEC_FEATURE_SESSION_KEY ) {
ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_SIGN ;
}
2005-04-25 10:33:00 +00:00
if ( gensec_security - > want_features & GENSEC_FEATURE_SIGN ) {
2009-12-30 17:57:54 +01:00
ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_SIGN ;
2015-12-09 14:48:14 +01:00
if ( gensec_security - > want_features & GENSEC_FEATURE_LDAP_STYLE ) {
/*
* We need to handle NTLMSSP_NEGOTIATE_SIGN as
* NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
* is requested .
*/
ntlmssp_state - > force_wrap_seal = true ;
}
2005-04-25 10:33:00 +00:00
}
if ( gensec_security - > want_features & GENSEC_FEATURE_SEAL ) {
2011-10-15 13:19:41 +11:00
ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_SIGN ;
2009-12-30 17:57:54 +01:00
ntlmssp_state - > neg_flags | = NTLMSSP_NEGOTIATE_SEAL ;
2005-04-25 10:33:00 +00:00
}
2015-11-19 16:02:58 +01:00
if ( role = = ROLE_STANDALONE ) {
2009-12-30 17:57:54 +01:00
ntlmssp_state - > server . is_standalone = true ;
2009-12-30 10:14:07 +01:00
} else {
2009-12-30 17:57:54 +01:00
ntlmssp_state - > server . is_standalone = false ;
2009-12-30 10:14:07 +01:00
}
2005-04-25 05:03:50 +00:00
2012-02-06 18:02:11 +11:00
if ( gensec_security - > settings - > server_netbios_name ) {
netbios_name = gensec_security - > settings - > server_netbios_name ;
} else {
netbios_name = lpcfg_netbios_name ( gensec_security - > settings - > lp_ctx ) ;
}
if ( gensec_security - > settings - > server_netbios_domain ) {
netbios_domain = gensec_security - > settings - > server_netbios_domain ;
} else {
netbios_domain = lpcfg_workgroup ( gensec_security - > settings - > lp_ctx ) ;
}
2009-12-30 15:14:38 +01:00
2012-01-31 16:17:04 +11:00
if ( gensec_security - > settings - > server_dns_name ) {
dns_name = gensec_security - > settings - > server_dns_name ;
} else {
2011-05-07 10:37:24 +02:00
const char * dnsdomain = lpcfg_dnsdomain ( gensec_security - > settings - > lp_ctx ) ;
2012-01-31 16:17:04 +11:00
char * lower_netbiosname ;
lower_netbiosname = strlower_talloc ( ntlmssp_state , netbios_name ) ;
NT_STATUS_HAVE_NO_MEMORY ( lower_netbiosname ) ;
2009-12-30 15:14:38 +01:00
/* Find out the DNS host name */
2011-05-03 12:16:16 +10:00
if ( dnsdomain & & dnsdomain [ 0 ] ! = ' \0 ' ) {
2012-01-31 16:17:04 +11:00
dns_name = talloc_asprintf ( ntlmssp_state , " %s.%s " ,
lower_netbiosname ,
dnsdomain ) ;
2011-05-03 12:16:16 +10:00
talloc_free ( lower_netbiosname ) ;
2012-01-31 16:17:04 +11:00
NT_STATUS_HAVE_NO_MEMORY ( dns_name ) ;
2011-05-03 12:16:16 +10:00
} else {
2012-01-31 16:17:04 +11:00
dns_name = lower_netbiosname ;
2009-12-30 15:14:38 +01:00
}
2012-01-31 16:17:04 +11:00
}
2009-12-30 15:14:38 +01:00
2012-01-31 16:17:04 +11:00
if ( gensec_security - > settings - > server_dns_domain ) {
dns_domain = gensec_security - > settings - > server_dns_domain ;
} else {
dns_domain = lpcfg_dnsdomain ( gensec_security - > settings - > lp_ctx ) ;
2009-12-30 15:14:38 +01:00
}
2012-01-31 16:17:04 +11:00
ntlmssp_state - > server . netbios_name = talloc_strdup ( ntlmssp_state , netbios_name ) ;
NT_STATUS_HAVE_NO_MEMORY ( ntlmssp_state - > server . netbios_name ) ;
ntlmssp_state - > server . netbios_domain = talloc_strdup ( ntlmssp_state , netbios_domain ) ;
NT_STATUS_HAVE_NO_MEMORY ( ntlmssp_state - > server . netbios_domain ) ;
ntlmssp_state - > server . dns_name = talloc_strdup ( ntlmssp_state , dns_name ) ;
NT_STATUS_HAVE_NO_MEMORY ( ntlmssp_state - > server . dns_name ) ;
ntlmssp_state - > server . dns_domain = talloc_strdup ( ntlmssp_state , dns_domain ) ;
NT_STATUS_HAVE_NO_MEMORY ( ntlmssp_state - > server . dns_domain ) ;
2015-12-01 11:01:24 +01:00
ntlmssp_state - > neg_flags | = ntlmssp_state - > required_flags ;
ntlmssp_state - > conf_flags = ntlmssp_state - > neg_flags ;
2005-04-25 05:03:50 +00:00
return NT_STATUS_OK ;
}
2012-01-31 16:17:04 +11:00