2024-03-15 12:41:19 +01:00
/*
2011-12-16 16:55:36 +11:00
Unix SMB / Netbios implementation .
Version 3.0
2011-12-31 22:57:18 +11:00
handle GENSEC authentication , server side
2011-12-16 16:55:36 +11:00
Copyright ( C ) Andrew Tridgell 2001
Copyright ( C ) Andrew Bartlett 2001 - 2003 , 2011
2011-12-31 22:57:18 +11:00
Copyright ( C ) Simo Sorce 2010.
2011-12-16 16:55:36 +11:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
2024-03-15 12:41:19 +01:00
2011-12-16 16:55:36 +11:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2024-03-15 12:41:19 +01:00
2011-12-16 16:55:36 +11:00
You should have received a copy of the GNU General Public License
along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
# include "includes.h"
2017-06-16 17:18:17 +02:00
# include <tevent.h>
# include "../lib/util/tevent_ntstatus.h"
2011-12-16 16:55:36 +11:00
# include "auth.h"
# include "../lib/tsocket/tsocket.h"
# include "auth/gensec/gensec.h"
# include "lib/param/param.h"
2011-12-31 22:57:18 +11:00
# ifdef HAVE_KRB5
2024-04-11 10:29:18 +02:00
# include "librpc/gen_ndr/ndr_krb5pac.h"
2012-03-31 22:09:22 -04:00
# include "auth/kerberos/pac_utils.h"
2016-09-26 17:07:44 -07:00
# include "nsswitch/libwbclient/wbclient.h"
2011-12-31 22:57:18 +11:00
# endif
2012-01-02 13:06:29 +11:00
# include "librpc/crypto/gse.h"
2012-01-12 21:16:36 +11:00
# include "auth/credentials/credentials.h"
2012-07-23 12:47:01 +10:00
# include "lib/param/loadparm.h"
2013-09-18 18:23:40 +02:00
# include "librpc/gen_ndr/dcerpc.h"
2021-11-10 20:18:07 +01:00
# include "source3/lib/substitute.h"
2011-12-31 22:57:18 +11:00
2024-04-11 10:21:16 +02:00
static NTSTATUS generate_pac_session_info (
2024-04-12 14:36:32 +02:00
TALLOC_CTX * mem_ctx ,
const char * princ_name ,
2024-04-11 10:21:16 +02:00
const char * rhost ,
DATA_BLOB * pac_blob ,
struct auth_session_info * * psession_info )
2011-12-31 22:57:18 +11:00
{
NTSTATUS status ;
2024-04-11 10:21:16 +02:00
struct wbcAuthUserParams params = { 0 } ;
struct wbcAuthUserInfo * info = NULL ;
struct wbcAuthErrorInfo * err = NULL ;
struct auth_serversupplied_info * server_info = NULL ;
char * original_user_name = NULL ;
char * p = NULL ;
wbcErr wbc_err ;
/*
* Let winbind decode the PAC .
* This will also store the user
* data in the netsamlogon cache .
*
* This used to be a cache prime
* optimization , but now we delegate
* all logic to winbindd , as we require
* winbindd as domain member anyway .
*/
params . level = WBC_AUTH_USER_LEVEL_PAC ;
params . password . pac . data = pac_blob - > data ;
params . password . pac . length = pac_blob - > length ;
/* we are contacting the privileged pipe */
become_root ( ) ;
wbc_err = wbcAuthenticateUserEx ( & params , & info , & err ) ;
unbecome_root ( ) ;
/*
* As this is merely a cache prime
* WBC_ERR_WINBIND_NOT_AVAILABLE
* is not a fatal error , treat it
* as success .
*/
switch ( wbc_err ) {
case WBC_ERR_SUCCESS :
break ;
case WBC_ERR_WINBIND_NOT_AVAILABLE :
status = NT_STATUS_NO_LOGON_SERVERS ;
DBG_ERR ( " winbindd not running - "
" but required as domain member: %s \n " ,
nt_errstr ( status ) ) ;
return status ;
case WBC_ERR_AUTH_ERROR :
wbcFreeMemory ( err ) ;
return NT_STATUS ( err - > nt_status ) ;
case WBC_ERR_NO_MEMORY :
2011-12-31 22:57:18 +11:00
return NT_STATUS_NO_MEMORY ;
2024-04-11 10:21:16 +02:00
default :
return NT_STATUS_LOGON_FAILURE ;
2011-12-31 22:57:18 +11:00
}
2024-04-11 10:21:16 +02:00
status = make_server_info_wbcAuthUserInfo ( mem_ctx ,
info - > account_name ,
info - > domain_name ,
info ,
& server_info ) ;
wbcFreeMemory ( info ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 10 , ( " make_server_info_wbcAuthUserInfo failed: %s \n " ,
nt_errstr ( status ) ) ) ;
return status ;
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-04 19:42:20 +02:00
}
2024-04-11 10:21:16 +02:00
/* We skip doing this step if the caller asked us not to */
if ( ! ( server_info - > guest ) ) {
const char * unix_username = server_info - > unix_name ;
2016-09-26 17:07:44 -07:00
2024-04-11 10:21:16 +02:00
/* We might not be root if we are an RPC call */
2016-09-26 17:07:44 -07:00
become_root ( ) ;
2024-04-11 10:21:16 +02:00
status = smb_pam_accountcheck ( unix_username , rhost ) ;
2016-09-26 17:07:44 -07:00
unbecome_root ( ) ;
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-04 19:42:20 +02:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2024-04-11 10:21:16 +02:00
DEBUG ( 3 , ( " check_ntlm_password: PAM Account for user [%s] "
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-04 19:42:20 +02:00
" FAILED with error %s \n " ,
unix_username , nt_errstr ( status ) ) ) ;
2024-04-11 10:21:16 +02:00
return status ;
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-04 19:42:20 +02:00
}
2024-04-11 10:21:16 +02:00
DEBUG ( 5 , ( " check_ntlm_password: PAM Account for user [%s] "
" succeeded \n " , unix_username ) ) ;
}
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-04 19:42:20 +02:00
2024-04-11 10:21:16 +02:00
DEBUG ( 3 , ( " Kerberos ticket principal name is [%s] \n " , princ_name ) ) ;
p = strchr_m ( princ_name , ' @ ' ) ;
if ( ! p ) {
DEBUG ( 3 , ( " [%s] Doesn't look like a valid principal \n " ,
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-04 19:42:20 +02:00
princ_name ) ) ;
2024-04-11 10:21:16 +02:00
return NT_STATUS_LOGON_FAILURE ;
}
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-04 19:42:20 +02:00
2024-04-11 10:21:16 +02:00
original_user_name = talloc_strndup ( mem_ctx ,
princ_name ,
p - princ_name ) ;
if ( original_user_name = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-04 19:42:20 +02:00
2024-04-11 10:21:16 +02:00
status = create_local_token (
mem_ctx , server_info , NULL , original_user_name , psession_info ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 10 , ( " create_local_token failed: %s \n " ,
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-04 19:42:20 +02:00
nt_errstr ( status ) ) ) ;
2024-04-11 10:21:16 +02:00
return status ;
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-04 19:42:20 +02:00
}
2024-04-11 10:21:16 +02:00
return NT_STATUS_OK ;
}
static NTSTATUS generate_krb5_session_info (
TALLOC_CTX * mem_ctx ,
const char * princ_name ,
const char * rhost ,
DATA_BLOB * pac_blob ,
struct auth_session_info * * psession_info )
{
bool is_mapped = false ;
bool is_guest = false ;
char * ntuser = NULL ;
char * ntdomain = NULL ;
char * username = NULL ;
struct passwd * pw = NULL ;
NTSTATUS status ;
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-04 19:42:20 +02:00
if ( pac_blob ! = NULL ) {
2024-04-11 10:29:18 +02:00
struct PAC_LOGON_NAME * logon_name = NULL ;
struct PAC_LOGON_INFO * logon_info = NULL ;
struct PAC_DATA * pac_data = NULL ;
enum ndr_err_code ndr_err ;
size_t i ;
pac_data = talloc_zero ( mem_ctx , struct PAC_DATA ) ;
if ( pac_data = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
ndr_err = ndr_pull_struct_blob ( pac_blob ,
pac_data ,
pac_data ,
( ndr_pull_flags_fn_t )
ndr_pull_PAC_DATA ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
status = ndr_map_error2ntstatus ( ndr_err ) ;
DBG_ERR ( " Can't parse the PAC: %s \n " , nt_errstr ( status ) ) ;
return status ;
}
if ( pac_data - > num_buffers < 4 ) {
DBG_ERR ( " We expect at least 4 PAC buffers. \n " ) ;
return NT_STATUS_INVALID_PARAMETER ;
}
for ( i = 0 ; i < pac_data - > num_buffers ; i + + ) {
struct PAC_BUFFER * data_buf = & pac_data - > buffers [ i ] ;
switch ( data_buf - > type ) {
case PAC_TYPE_LOGON_NAME :
logon_name = & data_buf - > info - > logon_name ;
break ;
case PAC_TYPE_LOGON_INFO :
if ( ! data_buf - > info ) {
break ;
}
logon_info = data_buf - > info - > logon_info . info ;
break ;
default :
break ;
}
}
if ( logon_name = = NULL ) {
TALLOC_FREE ( pac_data ) ;
DBG_ERR ( " PAC without logon_name \n " ) ;
return NT_STATUS_INVALID_PARAMETER ;
}
if ( logon_info ! = NULL ) {
/*
* In standalone mode we don ' t expect a MS - PAC !
* we only support MIT realms
*/
TALLOC_FREE ( pac_data ) ;
status = NT_STATUS_BAD_TOKEN_TYPE ;
DBG_WARNING ( " Unexpected PAC for [%s] in standalone mode - %s \n " ,
princ_name , nt_errstr ( status ) ) ;
return status ;
}
TALLOC_FREE ( pac_data ) ;
2011-12-31 22:57:18 +11:00
}
2024-04-11 10:21:16 +02:00
status = get_user_from_kerberos_info ( mem_ctx ,
2024-04-12 14:36:32 +02:00
rhost ,
2021-10-08 17:59:59 +02:00
princ_name ,
2024-04-12 14:36:32 +02:00
& is_mapped ,
& is_guest ,
& ntuser ,
& ntdomain ,
& username ,
& pw ) ;
2011-12-31 22:57:18 +11:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2015-11-03 10:09:13 +01:00
DBG_NOTICE ( " Failed to map kerberos principal to system user "
2024-04-11 10:21:16 +02:00
" (%s) \n " , nt_errstr ( status ) ) ;
return NT_STATUS_ACCESS_DENIED ;
2011-12-31 22:57:18 +11:00
}
status = make_session_info_krb5 ( mem_ctx ,
2024-04-12 14:36:32 +02:00
ntuser ,
ntdomain ,
username ,
pw ,
is_guest ,
is_mapped ,
2024-04-11 10:21:16 +02:00
psession_info ) ;
2011-12-31 22:57:18 +11:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 1 , ( " Failed to map kerberos pac to server info (%s) \n " ,
nt_errstr ( status ) ) ) ;
2021-10-08 19:57:18 +02:00
status = nt_status_squash ( status ) ;
2024-04-11 10:21:16 +02:00
return status ;
}
return NT_STATUS_OK ;
}
static NTSTATUS auth3_generate_session_info_pac (
struct auth4_context * auth_ctx ,
TALLOC_CTX * mem_ctx ,
struct smb_krb5_context * smb_krb5_context ,
DATA_BLOB * pac_blob ,
const char * princ_name ,
const struct tsocket_address * remote_address ,
uint32_t session_info_flags ,
struct auth_session_info * * psession_info )
{
enum server_role server_role = lp_server_role ( ) ;
struct auth_session_info * session_info = NULL ;
const char * rhost ;
NTSTATUS status ;
TALLOC_CTX * tmp_ctx = NULL ;
tmp_ctx = talloc_new ( mem_ctx ) ;
if ( tmp_ctx = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
if ( tsocket_address_is_inet ( remote_address , " ip " ) ) {
rhost = tsocket_address_inet_addr_string ( remote_address ,
tmp_ctx ) ;
if ( rhost = = NULL ) {
status = NT_STATUS_NO_MEMORY ;
goto done ;
}
} else {
rhost = " 127.0.0.1 " ;
}
switch ( server_role ) {
case ROLE_DOMAIN_MEMBER :
case ROLE_DOMAIN_BDC :
case ROLE_DOMAIN_PDC :
case ROLE_ACTIVE_DIRECTORY_DC :
case ROLE_IPA_DC :
/* This requires a complete MS-PAC including logon_info */
status = generate_pac_session_info (
tmp_ctx , princ_name , rhost , pac_blob , & session_info ) ;
break ;
case ROLE_STANDALONE :
2024-04-11 10:29:18 +02:00
/* This requires no PAC or a minimal PAC */
2024-04-11 10:21:16 +02:00
status = generate_krb5_session_info (
tmp_ctx , princ_name , rhost , pac_blob , & session_info ) ;
break ;
default :
status = NT_STATUS_INVALID_PARAMETER ;
2011-12-31 22:57:18 +11:00
goto done ;
}
2024-04-11 10:21:16 +02:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto done ;
}
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-04 19:42:20 +02:00
2020-01-18 08:06:45 +01:00
/* setup the string used by %U */
2024-04-11 10:21:16 +02:00
set_current_user_info ( session_info - > unix_info - > sanitized_username ,
session_info - > unix_info - > unix_name ,
session_info - > info - > domain_name ) ;
2020-01-18 08:06:45 +01:00
/* reload services so that the new %U is taken into account */
lp_load_with_shares ( get_dyn_CONFIGFILE ( ) ) ;
2011-12-31 22:57:18 +11:00
DEBUG ( 5 , ( __location__ " OK: user: %s domain: %s client: %s \n " ,
2024-04-11 10:21:16 +02:00
session_info - > info - > account_name ,
session_info - > info - > domain_name ,
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-04 19:42:20 +02:00
rhost ) ) ;
2011-12-31 22:57:18 +11:00
2024-04-11 10:21:16 +02:00
* psession_info = talloc_move ( mem_ctx , & session_info ) ;
2011-12-31 22:57:18 +11:00
2024-04-11 10:21:16 +02:00
status = NT_STATUS_OK ;
2011-12-31 22:57:18 +11:00
done :
TALLOC_FREE ( tmp_ctx ) ;
return status ;
}
2011-12-16 16:55:36 +11:00
2012-02-03 16:14:42 +11:00
static struct auth4_context * make_auth4_context_s3 ( TALLOC_CTX * mem_ctx , struct auth_context * auth_context )
{
struct auth4_context * auth4_context = talloc_zero ( mem_ctx , struct auth4_context ) ;
if ( auth4_context = = NULL ) {
DEBUG ( 10 , ( " failed to allocate auth4_context failed \n " ) ) ;
return NULL ;
}
auth4_context - > generate_session_info_pac = auth3_generate_session_info_pac ;
auth4_context - > generate_session_info = auth3_generate_session_info ;
2012-02-03 16:33:44 +11:00
auth4_context - > get_ntlm_challenge = auth3_get_challenge ;
auth4_context - > set_ntlm_challenge = auth3_set_challenge ;
2020-01-02 17:22:36 +01:00
auth4_context - > check_ntlm_password_send = auth3_check_password_send ;
auth4_context - > check_ntlm_password_recv = auth3_check_password_recv ;
2012-02-03 16:14:42 +11:00
auth4_context - > private_data = talloc_steal ( auth4_context , auth_context ) ;
return auth4_context ;
}
NTSTATUS make_auth4_context ( TALLOC_CTX * mem_ctx , struct auth4_context * * auth4_context_out )
{
struct auth_context * auth_context ;
NTSTATUS nt_status ;
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
2017-03-17 09:17:45 +01:00
nt_status = make_auth3_context_for_ntlm ( tmp_ctx , & auth_context ) ;
2012-02-03 16:14:42 +11:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
TALLOC_FREE ( tmp_ctx ) ;
return nt_status ;
}
if ( auth_context - > make_auth4_context ) {
2014-05-16 14:29:43 +12:00
nt_status = auth_context - > make_auth4_context ( auth_context , mem_ctx , auth4_context_out ) ;
2012-02-03 16:14:42 +11:00
TALLOC_FREE ( tmp_ctx ) ;
return nt_status ;
} else {
struct auth4_context * auth4_context = make_auth4_context_s3 ( tmp_ctx , auth_context ) ;
if ( auth4_context = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
* auth4_context_out = talloc_steal ( mem_ctx , auth4_context ) ;
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_OK ;
}
}
2011-12-26 12:13:21 +11:00
NTSTATUS auth_generic_prepare ( TALLOC_CTX * mem_ctx ,
const struct tsocket_address * remote_address ,
2017-02-23 14:31:52 +13:00
const struct tsocket_address * local_address ,
2017-02-20 14:17:34 +13:00
const char * service_description ,
2011-12-26 14:23:15 +11:00
struct gensec_security * * gensec_security_out )
2011-12-16 16:55:36 +11:00
{
2011-12-26 14:23:15 +11:00
struct gensec_security * gensec_security ;
2021-04-13 14:50:16 +00:00
struct auth_context * auth_context = NULL ;
2011-12-16 16:55:36 +11:00
NTSTATUS nt_status ;
2011-12-26 14:23:15 +11:00
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
2011-12-16 16:55:36 +11:00
2017-03-17 09:17:45 +01:00
nt_status = make_auth3_context_for_ntlm ( tmp_ctx , & auth_context ) ;
2011-12-16 16:55:36 +11:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2021-04-13 14:50:16 +00:00
goto done ;
2011-12-16 16:55:36 +11:00
}
if ( auth_context - > prepare_gensec ) {
2014-05-16 14:29:43 +12:00
nt_status = auth_context - > prepare_gensec ( auth_context , tmp_ctx ,
2011-12-26 14:23:15 +11:00
& gensec_security ) ;
2011-12-16 16:55:36 +11:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2021-04-13 14:50:16 +00:00
goto done ;
2011-12-16 16:55:36 +11:00
}
} else {
2013-08-05 11:20:21 +02:00
const struct gensec_security_ops * * backends = NULL ;
2011-12-16 16:55:36 +11:00
struct gensec_settings * gensec_settings ;
struct loadparm_context * lp_ctx ;
2012-01-12 16:12:02 +01:00
size_t idx = 0 ;
2012-01-12 21:16:36 +11:00
struct cli_credentials * server_credentials ;
2012-01-31 16:17:48 +11:00
const char * dns_name ;
const char * dns_domain ;
2021-05-04 11:05:27 +02:00
bool ok ;
2012-02-03 16:14:42 +11:00
struct auth4_context * auth4_context = make_auth4_context_s3 ( tmp_ctx , auth_context ) ;
2011-12-31 22:57:18 +11:00
if ( auth4_context = = NULL ) {
2021-04-13 14:50:16 +00:00
goto nomem ;
2011-12-31 22:57:18 +11:00
}
2012-06-27 23:24:39 +10:00
lp_ctx = loadparm_init_s3 ( tmp_ctx , loadparm_s3_helpers ( ) ) ;
2011-12-16 16:55:36 +11:00
if ( lp_ctx = = NULL ) {
DEBUG ( 10 , ( " loadparm_init_s3 failed \n " ) ) ;
2021-04-13 14:50:16 +00:00
nt_status = NT_STATUS_INVALID_SERVER_STATE ;
goto done ;
2011-12-16 16:55:36 +11:00
}
2011-12-26 14:23:15 +11:00
gensec_settings = lpcfg_gensec_settings ( tmp_ctx , lp_ctx ) ;
2011-12-16 16:55:36 +11:00
if ( lp_ctx = = NULL ) {
DEBUG ( 10 , ( " lpcfg_gensec_settings failed \n " ) ) ;
2021-04-13 14:50:16 +00:00
goto nomem ;
2011-12-16 16:55:36 +11:00
}
2012-01-31 16:17:48 +11:00
/*
* This should be a ' netbios domain - > DNS domain '
* mapping , and can currently validly return NULL on
* poorly configured systems .
*
* This is used for the NTLMSSP server
*
*/
dns_name = get_mydnsfullname ( ) ;
if ( dns_name = = NULL ) {
dns_name = " " ;
}
dns_domain = get_mydnsdomname ( tmp_ctx ) ;
if ( dns_domain = = NULL ) {
dns_domain = " " ;
}
gensec_settings - > server_dns_name = strlower_talloc ( gensec_settings , dns_name ) ;
if ( gensec_settings - > server_dns_name = = NULL ) {
2021-04-13 14:50:16 +00:00
goto nomem ;
2012-01-31 16:17:48 +11:00
}
gensec_settings - > server_dns_domain = strlower_talloc ( gensec_settings , dns_domain ) ;
if ( gensec_settings - > server_dns_domain = = NULL ) {
2021-04-13 14:50:16 +00:00
goto nomem ;
2012-01-31 16:17:48 +11:00
}
2013-08-05 11:20:21 +02:00
backends = talloc_zero_array ( gensec_settings ,
2014-04-17 12:02:45 +02:00
const struct gensec_security_ops * , 6 ) ;
2013-08-05 11:20:21 +02:00
if ( backends = = NULL ) {
2021-04-13 14:50:16 +00:00
goto nomem ;
2011-12-26 11:39:29 +11:00
}
2013-08-05 11:20:21 +02:00
gensec_settings - > backends = backends ;
2011-12-26 11:39:29 +11:00
2012-01-31 16:29:02 +11:00
gensec_init ( ) ;
2012-03-11 07:04:38 +11:00
/* These need to be in priority order, krb5 before NTLMSSP */
2012-03-11 06:44:17 +11:00
# if defined(HAVE_KRB5)
2024-04-25 15:51:40 +02:00
backends [ idx + + ] = gensec_gse_security_by_oid (
GENSEC_OID_KERBEROS5 ) ;
2012-01-02 13:06:29 +11:00
# endif
2013-08-05 11:20:21 +02:00
backends [ idx + + ] = gensec_security_by_oid ( NULL , GENSEC_OID_NTLMSSP ) ;
2012-03-11 07:04:38 +11:00
2013-08-05 11:20:21 +02:00
backends [ idx + + ] = gensec_security_by_oid ( NULL , GENSEC_OID_SPNEGO ) ;
2012-01-12 16:12:02 +01:00
2013-09-18 18:23:40 +02:00
backends [ idx + + ] = gensec_security_by_auth_type ( NULL , DCERPC_AUTH_TYPE_SCHANNEL ) ;
2014-04-17 12:02:45 +02:00
backends [ idx + + ] = gensec_security_by_auth_type ( NULL , DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM ) ;
2012-01-12 21:16:36 +11:00
/*
* This is anonymous for now , because we just use it
* to set the kerberos state at the moment
*/
server_credentials = cli_credentials_init_anon ( tmp_ctx ) ;
if ( ! server_credentials ) {
DEBUG ( 0 , ( " auth_generic_prepare: Failed to init server credentials \n " ) ) ;
2021-04-13 14:50:16 +00:00
goto nomem ;
2012-01-12 21:16:36 +11:00
}
2021-05-04 11:05:27 +02:00
ok = cli_credentials_set_conf ( server_credentials , lp_ctx ) ;
if ( ! ok ) {
DBG_ERR ( " Failed to set server credentials defaults "
" from smb.conf. \n " ) ;
goto nomem ;
}
2012-01-12 21:16:36 +11:00
if ( lp_security ( ) = = SEC_ADS | | USE_KERBEROS_KEYTAB ) {
2020-08-19 15:46:11 +02:00
cli_credentials_set_kerberos_state ( server_credentials ,
CRED_USE_KERBEROS_DESIRED ,
CRED_SPECIFIED ) ;
2012-01-12 21:16:36 +11:00
} else {
2020-08-19 15:46:11 +02:00
cli_credentials_set_kerberos_state ( server_credentials ,
CRED_USE_KERBEROS_DISABLED ,
CRED_SPECIFIED ) ;
2012-01-12 21:16:36 +11:00
}
2011-12-26 14:23:15 +11:00
nt_status = gensec_server_start ( tmp_ctx , gensec_settings ,
2011-12-31 22:57:18 +11:00
auth4_context , & gensec_security ) ;
2011-12-16 16:55:36 +11:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2021-04-13 14:50:16 +00:00
goto done ;
2011-12-16 16:55:36 +11:00
}
2012-01-12 21:16:36 +11:00
2021-04-14 20:42:27 +02:00
nt_status = gensec_set_credentials (
gensec_security , server_credentials ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
goto done ;
}
2011-12-16 16:55:36 +11:00
}
2011-12-26 14:23:15 +11:00
nt_status = gensec_set_remote_address ( gensec_security ,
2011-12-16 16:55:36 +11:00
remote_address ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2021-04-13 14:50:16 +00:00
goto done ;
2011-12-16 16:55:36 +11:00
}
2017-02-23 14:31:52 +13:00
nt_status = gensec_set_local_address ( gensec_security ,
local_address ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2021-04-13 14:50:16 +00:00
goto done ;
2017-02-23 14:31:52 +13:00
}
2017-02-20 14:17:34 +13:00
nt_status = gensec_set_target_service_description ( gensec_security ,
service_description ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2021-04-13 14:50:16 +00:00
goto done ;
2017-02-20 14:17:34 +13:00
}
2021-04-13 14:45:54 +00:00
* gensec_security_out = talloc_move ( mem_ctx , & gensec_security ) ;
2021-04-13 14:50:16 +00:00
nt_status = NT_STATUS_OK ;
goto done ;
nomem :
nt_status = NT_STATUS_NO_MEMORY ;
done :
2011-12-26 14:23:15 +11:00
TALLOC_FREE ( tmp_ctx ) ;
2021-04-13 14:50:16 +00:00
return nt_status ;
2011-12-16 16:55:36 +11:00
}
2012-02-03 23:32:26 +11:00
2017-03-01 16:27:51 +13:00
/*
* Check a username and password , and return the final session_info .
* We also log the authorization of the session here , just as
* gensec_session_info ( ) does .
*/
2012-02-03 23:32:26 +11:00
NTSTATUS auth_check_password_session_info ( struct auth4_context * auth_context ,
TALLOC_CTX * mem_ctx ,
struct auth_usersupplied_info * user_info ,
struct auth_session_info * * session_info )
{
NTSTATUS nt_status ;
void * server_info ;
2021-10-26 17:42:41 +02:00
uint8_t authoritative = 1 ;
2020-01-02 22:58:06 +01:00
struct tevent_context * ev = NULL ;
struct tevent_req * subreq = NULL ;
bool ok ;
2012-02-03 23:32:26 +11:00
2020-01-02 22:58:06 +01:00
ev = samba_tevent_context_init ( talloc_tos ( ) ) ;
if ( ev = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
2017-06-16 17:18:17 +02:00
2020-01-02 22:58:06 +01:00
subreq = auth_context - > check_ntlm_password_send ( ev , ev ,
auth_context ,
user_info ) ;
if ( subreq = = NULL ) {
2017-06-16 17:18:17 +02:00
TALLOC_FREE ( ev ) ;
2020-01-02 22:58:06 +01:00
return NT_STATUS_NO_MEMORY ;
}
ok = tevent_req_poll_ntstatus ( subreq , ev , & nt_status ) ;
if ( ! ok ) {
TALLOC_FREE ( ev ) ;
return nt_status ;
}
nt_status = auth_context - > check_ntlm_password_recv ( subreq ,
talloc_tos ( ) ,
& authoritative ,
& server_info ,
NULL , NULL ) ;
TALLOC_FREE ( ev ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
2012-02-03 23:32:26 +11:00
}
2017-03-01 16:27:51 +13:00
nt_status = auth_context - > generate_session_info ( auth_context ,
mem_ctx ,
server_info ,
user_info - > client . account_name ,
AUTH_SESSION_INFO_UNIX_TOKEN |
AUTH_SESSION_INFO_DEFAULT_GROUPS |
AUTH_SESSION_INFO_NTLM ,
session_info ) ;
TALLOC_FREE ( server_info ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
}
/*
* This is rather redundant ( the authentication has just been
* logged , with much the same details ) , but because we want to
* log all authorizations consistently ( be they NLTM , NTLMSSP
* or krb5 ) we log this info again as an authorization .
*/
2017-03-24 15:18:46 +13:00
log_successful_authz_event ( auth_context - > msg_ctx ,
auth_context - > lp_ctx ,
user_info - > remote_host ,
2017-03-01 16:27:51 +13:00
user_info - > local_host ,
user_info - > service_description ,
user_info - > auth_description ,
2017-03-06 14:10:17 +13:00
AUTHZ_TRANSPORT_PROTECTION_SMB ,
2023-06-15 17:07:05 +12:00
* session_info ,
NULL /* client_audit_info */ ,
NULL /* server_audit_info */ ) ;
2017-03-01 16:27:51 +13:00
2012-02-03 23:32:26 +11:00
return nt_status ;
}
