/*
 * NTLMSSP Acceptor
 * DCERPC Server functions
 * Copyright (C) Simo Sorce 2010.
 * Copyright (C) Andrew Bartlett 2011.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 */
# include "includes.h"
# include "rpc_server/dcesrv_auth_generic.h"
# include "auth.h"
# include "auth/gensec/gensec.h"
/*
 * Build a GENSEC server context for the given DCERPC auth type/level.
 *
 * The context is created on the talloc_tos() frame and only moved onto
 * mem_ctx once both auth_generic_prepare() and
 * gensec_start_mech_by_authtype() have succeeded, so a half-initialised
 * context is never handed to the caller.  The caller receives ownership
 * via *ctx; on any failure *ctx is left untouched and the NTSTATUS of
 * the failing call is returned.
 *
 * Must be called as root (see auth_generic_server_authtype_start()).
 */
static NTSTATUS auth_generic_server_authtype_start_as_root(TALLOC_CTX *mem_ctx,
							    uint8_t auth_type, uint8_t auth_level,
							    const struct tsocket_address *remote_address,
							    const struct tsocket_address *local_address,
							    const char *service_description,
							    struct gensec_security **ctx)
{
	struct gensec_security *gs = NULL;
	NTSTATUS status;

	status = auth_generic_prepare(talloc_tos(),
				      remote_address,
				      local_address,
				      service_description,
				      &gs);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, (__location__ ": auth_generic_prepare failed: %s\n",
			  nt_errstr(status)));
		goto done;
	}

	status = gensec_start_mech_by_authtype(gs, auth_type, auth_level);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, (__location__ ": auth_generic_start failed: %s\n",
			  nt_errstr(status)));
		/* release the partially set up context; nothing reaches the caller */
		TALLOC_FREE(gs);
		goto done;
	}

	/* transfer ownership of the fully started context to the caller */
	*ctx = talloc_move(mem_ctx, &gs);

done:
	return status;
}
/*
 * Public entry point: start a GENSEC server context for a DCERPC bind.
 *
 * Wraps auth_generic_server_authtype_start_as_root() in a
 * become_root()/unbecome_root() pair.  Root is required so the
 * messaging socket can be created.  Keep the privileged window to this
 * single call and never return between become_root() and
 * unbecome_root() — an early exit here would leave the process running
 * as root.
 *
 * On success *ctx owns the new context (allocated on mem_ctx).
 */
NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
					    uint8_t auth_type, uint8_t auth_level,
					    const struct tsocket_address *remote_address,
					    const struct tsocket_address *local_address,
					    const char *service_description,
					    struct gensec_security **ctx)
{
	NTSTATUS result;

	/* this has to be done as root in order to create the messaging socket */
	become_root();
	result = auth_generic_server_authtype_start_as_root(mem_ctx,
							    auth_type,
							    auth_level,
							    remote_address,
							    local_address,
							    service_description,
							    ctx);
	unbecome_root();

	return result;
}
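/*
 * Feed one client token into the GENSEC exchange and produce the reply.
 *
 * @param gensec_security  Context from auth_generic_server_authtype_start().
 * @param mem_ctx          Talloc parent for *token_out.
 * @param token_in         Token received from the client (passed by value
 *                         to gensec_update()).
 * @param token_out        Receives the token to send back to the client.
 *
 * @return NT_STATUS_INTERNAL_ERROR if no context was supplied,
 *         NT_STATUS_INVALID_PARAMETER if either token pointer is NULL,
 *         otherwise the result of gensec_update().
 *
 * Argument checks happen before become_root() so no privileged code runs
 * on bad input and the become_root()/unbecome_root() pair is never
 * skipped by an early return.
 */
NTSTATUS auth_generic_server_step(struct gensec_security *gensec_security,
				  TALLOC_CTX *mem_ctx,
				  DATA_BLOB *token_in,
				  DATA_BLOB *token_out)
{
	NTSTATUS status;

	if (gensec_security == NULL) {
		return NT_STATUS_INTERNAL_ERROR;
	}

	/* *token_in is dereferenced below; reject missing blobs explicitly
	 * instead of crashing, consistent with the context check above. */
	if (token_in == NULL || token_out == NULL) {
		return NT_STATUS_INVALID_PARAMETER;
	}

	/* this has to be done as root in order to verify the password */
	become_root();
	status = gensec_update(gensec_security, mem_ctx, *token_in, token_out);
	unbecome_root();

	return status;
}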
/*
 * Verify that the protection the bind asked for was actually negotiated.
 *
 * If the caller requires signing (do_sign) or sealing (do_seal) but the
 * GENSEC context did not end up with the matching feature, the bind is
 * rejected with NT_STATUS_ACCESS_DENIED.  Without this check a client
 * could request integrity/privacy and then carry on over a connection
 * that provides neither.  Signing is checked first, so when both are
 * missing only the signing failure is logged.
 */
NTSTATUS auth_generic_server_check_flags(struct gensec_security *gensec_security,
					 bool do_sign, bool do_seal)
{
	if (do_sign) {
		if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
			DEBUG(1, (__location__ " Integrity was requested but client "
				  "failed to negotiate signing.\n"));
			return NT_STATUS_ACCESS_DENIED;
		}
	}

	if (do_seal) {
		if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
			DEBUG(1, (__location__ " Privacy was requested but client "
				  "failed to negotiate sealing.\n"));
			return NT_STATUS_ACCESS_DENIED;
		}
	}

	return NT_STATUS_OK;
}
/*
 * Retrieve the authenticated session info for a completed GENSEC exchange.
 *
 * @param gensec_security  Context whose exchange has finished.
 * @param mem_ctx          Talloc parent for *session_info.
 * @param session_info     Receives the session info on success.
 *
 * @return NT_STATUS_OK on success (account/domain are logged at level 5),
 *         otherwise the NTSTATUS returned by gensec_session_info().
 *
 * gensec_session_info() is the only call made as root here; it needs root
 * to reach the messaging sockets for IDMAP and privilege.ldb in the AD DC.
 * unbecome_root() runs before any result handling, so every return path
 * leaves the process unprivileged.
 */
NTSTATUS auth_generic_server_get_user_info(struct gensec_security *gensec_security,
					   TALLOC_CTX *mem_ctx,
					   struct auth_session_info **session_info)
{
	NTSTATUS status;

	become_root();
	status = gensec_session_info(gensec_security, mem_ctx, session_info);
	unbecome_root();

	if (NT_STATUS_IS_OK(status)) {
		DEBUG(5, (__location__ " OK: user: %s domain: %s\n",
			  (*session_info)->info->account_name,
			  (*session_info)->info->domain_name));
		return NT_STATUS_OK;
	}

	DEBUG(1, (__location__ ": Failed to get authenticated user "
		  "info: %s\n", nt_errstr(status)));
	return status;
}