sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Code
ef990a1701
samba-mirror/source3/smbd/smb2_sesssetup.c

915 lines
25 KiB
C
Raw Normal View History

s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
/*
Unix SMB/CIFS implementation.
Core SMB2 server
Copyright (C) Stefan Metzmacher 2009
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
Copyright (C) Jeremy Allison 2010
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "smbd/globals.h"
libcli: move some common SMB and SMB2 stuff into libcli/smb/ This will hold code that's shared between source3 and source4. metze
2009-08-12 19:52:55 +04:00
#include "../libcli/smb/smb_common.h"
spnego: share spnego_parse. Guenther
2009-09-17 02:21:01 +04:00
#include "../libcli/auth/spnego.h"
ntlmssp: Make the ntlmssp.h from source3/ a common header The code is not yet in common, but I hope to fix that soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-25 14:19:22 +04:00
#include "../libcli/auth/ntlmssp.h"
s3-auth: Move auth_ntlmssp wrappers in their own file Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19 21:36:33 +04:00
#include "ntlmssp_wrap.h"
s3-krb5: include krb5pac.h where needed. Guenther
2010-08-03 01:12:16 +04:00
#include "../librpc/gen_ndr/krb5pac.h"
s3: avoid global include of ads.h. Guenther
2010-07-02 02:32:52 +04:00
#include "libads/kerberos_proto.h"
s3-build: only include asn1 headers where actually needed. Guenther
2011-02-24 14:27:29 +03:00
#include "../lib/util/asn1.h"
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
uint64_t in_session_id,
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
uint8_t in_security_mode,
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
DATA_BLOB in_security_buffer,
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
uint16_t *out_session_flags,
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
DATA_BLOB *out_security_buffer,
uint64_t *out_session_id);
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *smb2req)
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
{
const uint8_t *inhdr;
const uint8_t *inbody;
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
int i = smb2req->current_idx;
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
uint8_t *outhdr;
DATA_BLOB outbody;
DATA_BLOB outdyn;
size_t expected_body_size = 0x19;
size_t body_size;
uint64_t in_session_id;
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
uint8_t in_security_mode;
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
uint16_t in_security_offset;
uint16_t in_security_length;
DATA_BLOB in_security_buffer;
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
uint16_t out_session_flags;
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
uint64_t out_session_id;
uint16_t out_security_offset;
DATA_BLOB out_security_buffer;
NTSTATUS status;
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
inhdr = (const uint8_t *)smb2req->in.vector[i+0].iov_base;
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
if (smb2req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
}
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
inbody = (const uint8_t *)smb2req->in.vector[i+1].iov_base;
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
body_size = SVAL(inbody, 0x00);
if (body_size != expected_body_size) {
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
}
in_security_offset = SVAL(inbody, 0x0C);
in_security_length = SVAL(inbody, 0x0E);
if (in_security_offset != (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
}
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
if (in_security_length > smb2req->in.vector[i+2].iov_len) {
return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
}
s3:smbd: SMB2 session ids are 64bit... We only grand ids up to 0x0000000000FFFFFF, because that's what our idtree implementation can handle. But also 16777215 sessions on one tcp connection should be enough:-) metze
2009-05-22 13:06:54 +04:00
in_session_id = BVAL(inhdr, SMB2_HDR_SESSION_ID);
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
in_security_mode = CVAL(inbody, 0x03);
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
in_security_buffer.data = (uint8_t *)smb2req->in.vector[i+2].iov_base;
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
in_security_buffer.length = in_security_length;
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
status = smbd_smb2_session_setup(smb2req,
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
in_session_id,
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
in_security_mode,
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
in_security_buffer,
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
&out_session_flags,
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
&out_security_buffer,
&out_session_id);
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
status = nt_status_squash(status);
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
return smbd_smb2_request_error(smb2req, status);
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
}
out_security_offset = SMB2_HDR_BODY + 0x08;
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
outhdr = (uint8_t *)smb2req->out.vector[i].iov_base;
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
outbody = data_blob_talloc(smb2req->out.vector, NULL, 0x08);
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
if (outbody.data == NULL) {
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
return smbd_smb2_request_error(smb2req, NT_STATUS_NO_MEMORY);
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
}
SBVAL(outhdr, SMB2_HDR_SESSION_ID, out_session_id);
SSVAL(outbody.data, 0x00, 0x08 + 1); /* struct size */
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
SSVAL(outbody.data, 0x02,
out_session_flags); /* session flags */
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
SSVAL(outbody.data, 0x04,
out_security_offset); /* security buffer offset */
SSVAL(outbody.data, 0x06,
out_security_buffer.length); /* security buffer length */
outdyn = out_security_buffer;
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
return smbd_smb2_request_done_ex(smb2req, status, outbody, &outdyn,
s3:smbd: implement smbd_smb2_request_error/done() as macros on top of the _ex() function metze
2009-06-05 13:05:03 +04:00
__location__);
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
}
static int smbd_smb2_session_destructor(struct smbd_smb2_session *session)
{
s3:smbd: rename conn => sconn for smbd_server_connection structs This should avoid confusion between smbd_server_connection and connection_struct variables. metze
2009-08-07 17:21:07 +04:00
if (session->sconn == NULL) {
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
return 0;
}
s3:smbd: implement SMB2 Tree Connect For now this only checks if the share is present or not. metze
2009-05-15 13:50:20 +04:00
/* first free all tcons */
while (session->tcons.list) {
talloc_free(session->tcons.list);
}
s3:smbd: rename conn => sconn for smbd_server_connection structs This should avoid confusion between smbd_server_connection and connection_struct variables. metze
2009-08-07 17:21:07 +04:00
idr_remove(session->sconn->smb2.sessions.idtree, session->vuid);
DLIST_REMOVE(session->sconn->smb2.sessions.list, session);
s3:smbd: correctly invalidate vuids when SMB2 is used metze
2009-08-11 20:08:26 +04:00
invalidate_vuid(session->sconn, session->vuid);
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
s3:smbd: implement SMB2 Logoff metze
2009-05-15 13:40:19 +04:00
session->vuid = 0;
session->status = NT_STATUS_USER_SESSION_DELETED;
s3:smbd: rename conn => sconn for smbd_server_connection structs This should avoid confusion between smbd_server_connection and connection_struct variables. metze
2009-08-07 17:21:07 +04:00
session->sconn = NULL;
s3:smbd: implement SMB2 Logoff metze
2009-05-15 13:40:19 +04:00
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
return 0;
}
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
static NTSTATUS setup_ntlmssp_session_info(struct smbd_smb2_session *session,
Make the "map to guest" parameter work correctly with NTLMSSP (spnego and raw) under SMB2. Still need to investigate fixing this with krb5 auth (does this make sense ?). Jeremy.
2010-07-16 22:05:34 +04:00
NTSTATUS status)
{
if (NT_STATUS_IS_OK(status)) {
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
status = auth_ntlmssp_steal_session_info(session,
Make the "map to guest" parameter work correctly with NTLMSSP (spnego and raw) under SMB2. Still need to investigate fixing this with krb5 auth (does this make sense ?). Jeremy.
2010-07-16 22:05:34 +04:00
session->auth_ntlmssp_state,
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
&session->session_info);
Make the "map to guest" parameter work correctly with NTLMSSP (spnego and raw) under SMB2. Still need to investigate fixing this with krb5 auth (does this make sense ?). Jeremy.
2010-07-16 22:05:34 +04:00
} else {
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
/* Note that this session_info won't have a session
Make the "map to guest" parameter work correctly with NTLMSSP (spnego and raw) under SMB2. Still need to investigate fixing this with krb5 auth (does this make sense ?). Jeremy.
2010-07-16 22:05:34 +04:00
* key. But for map to guest, that's exactly the right
* thing - we can't reasonably guess the key the
* client wants, as the password was wrong */
status = do_map_to_guest(status,
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
&session->session_info,
Make the "map to guest" parameter work correctly with NTLMSSP (spnego and raw) under SMB2. Still need to investigate fixing this with krb5 auth (does this make sense ?). Jeremy.
2010-07-16 22:05:34 +04:00
auth_ntlmssp_get_username(session->auth_ntlmssp_state),
auth_ntlmssp_get_domain(session->auth_ntlmssp_state));
}
return status;
}
s3 smb2: Fix the build without kerberos Jeremy, please check
2010-05-20 13:29:03 +04:00
#ifdef HAVE_KRB5
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
struct smbd_smb2_request *smb2req,
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
uint8_t in_security_mode,
const DATA_BLOB *secblob,
const char *mechOID,
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
uint16_t *out_session_flags,
DATA_BLOB *out_security_buffer,
uint64_t *out_session_id)
{
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
DATA_BLOB ap_rep = data_blob_null;
DATA_BLOB ap_rep_wrapped = data_blob_null;
DATA_BLOB ticket = data_blob_null;
DATA_BLOB session_key = data_blob_null;
DATA_BLOB secblob_out = data_blob_null;
uint8 tok_id[2];
struct PAC_LOGON_INFO *logon_info = NULL;
s3-smbd: User helper function to resolve kerberos user for smb2 Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-27 01:59:17 +04:00
char *principal = NULL;
char *user = NULL;
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
char *domain = NULL;
struct passwd *pw = NULL;
NTSTATUS status;
s3-smbd: User helper function to resolve kerberos user for smb2 Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-27 01:59:17 +04:00
char *real_username;
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
fstring tmp;
bool username_was_mapped = false;
bool map_domainuser_to_guest = false;
Add approriate TALLOC_CTX's thoughout the spnego code. No more implicit NULL contexts. Jeremy.
2010-07-21 03:17:58 +04:00
if (!spnego_parse_krb5_wrap(talloc_tos(), *secblob, &ticket, tok_id)) {
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
status = NT_STATUS_LOGON_FAILURE;
goto fail;
}
status = ads_verify_ticket(smb2req, lp_realm(), 0, &ticket,
s3-smbd: User helper function to resolve kerberos user for smb2 Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-27 01:59:17 +04:00
&principal, &logon_info, &ap_rep,
&session_key, true);
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("smb2: Failed to verify incoming ticket with error %s!\n",
nt_errstr(status)));
if (!NT_STATUS_EQUAL(status, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
status = NT_STATUS_LOGON_FAILURE;
}
goto fail;
}
s3-smbd: User helper function to resolve kerberos user for smb2 Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-27 01:59:17 +04:00
status = get_user_from_kerberos_info(talloc_tos(),
smb2req->sconn->client_id.name,
principal, logon_info,
&username_was_mapped,
&map_domainuser_to_guest,
&user, &domain,
&real_username, &pw);
if (!NT_STATUS_IS_OK(status)) {
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
goto fail;
}
/* save the PAC data if we have it */
if (logon_info) {
s3-smbd: User helper function to resolve kerberos user for smb2 Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-27 01:59:17 +04:00
netsamlogon_cache_store(user, &logon_info->info3);
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
}
/* setup the string used by %U */
sub_set_smb_name(real_username);
s3-smbd: User helper function to resolve kerberos user for smb2 Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-27 01:59:17 +04:00
/* reload services so that the new %U is taken into account */
s3: Lift smbd_server_fd from reload_services()
2010-08-15 18:13:00 +04:00
reload_services(smb2req->sconn->msg_ctx, smb2req->sconn->sock, true);
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
s3-smbd: use make_server_info_krb5() in smb2 too. Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-27 02:49:49 +04:00
status = make_server_info_krb5(session,
user, domain, real_username, pw,
logon_info, map_domainuser_to_guest,
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
&session->session_info);
s3-smbd: use make_server_info_krb5() in smb2 too. Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-27 02:49:49 +04:00
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("smb2: make_server_info_krb5 failed\n"));
goto fail;
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
}
s3-smbd: use make_server_info_krb5() in smb2 too. Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-27 02:49:49 +04:00
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
session->session_info->nss_token |= username_was_mapped;
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
/* we need to build the token for the user. make_session_info_guest()
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
already does this */
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
if (!session->session_info->security_token ) {
status = create_local_token(session->session_info);
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("smb2: failed to create local token: %s\n",
nt_errstr(status)));
goto fail;
}
}
if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
lp_server_signing() == Required) {
session->do_signing = true;
}
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
if (session->session_info->guest) {
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
/* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
/* force no signing */
session->do_signing = false;
}
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
data_blob_free(&session->session_info->user_session_key);
session->session_info->user_session_key =
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
data_blob_talloc(
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
session->session_info,
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
session_key.data,
session_key.length);
if (session_key.length > 0) {
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
if (session->session_info->user_session_key.data == NULL) {
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
status = NT_STATUS_NO_MEMORY;
goto fail;
}
}
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
session->session_key = session->session_info->user_session_key;
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
session->compat_vuser = talloc_zero(session, user_struct);
if (session->compat_vuser == NULL) {
status = NT_STATUS_NO_MEMORY;
goto fail;
}
session->compat_vuser->auth_ntlmssp_state = NULL;
session->compat_vuser->homes_snum = -1;
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
session->compat_vuser->session_info = session->session_info;
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
session->compat_vuser->session_keystr = NULL;
session->compat_vuser->vuid = session->vuid;
DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
/* This is a potentially untrusted username */
s3-smbd: User helper function to resolve kerberos user for smb2 Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-27 01:59:17 +04:00
alpha_strcpy(tmp, user, ". _-$", sizeof(tmp));
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
session->session_info->sanitized_username =
talloc_strdup(session->session_info, tmp);
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
if (!session->session_info->guest) {
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
session->compat_vuser->homes_snum =
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
register_homes_share(session->session_info->unix_name);
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
}
s3: Remove smbd_server_fd() from session_claim
2010-08-16 10:00:48 +04:00
if (!session_claim(session->sconn, session->compat_vuser)) {
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
DEBUG(1, ("smb2: Failed to claim session "
"for vuid=%d\n",
session->compat_vuser->vuid));
goto fail;
}
session->status = NT_STATUS_OK;
/*
* we attach the session to the request
* so that the response can be signed
*/
smb2req->session = session;
if (session->do_signing) {
smb2req->do_signing = true;
}
global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32);
status = NT_STATUS_OK;
/* wrap that up in a nice GSS-API wrapping */
Add approriate TALLOC_CTX's thoughout the spnego code. No more implicit NULL contexts. Jeremy.
2010-07-21 03:17:58 +04:00
ap_rep_wrapped = spnego_gen_krb5_wrap(talloc_tos(), ap_rep,
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
TOK_ID_KRB_AP_REP);
secblob_out = spnego_gen_auth_response(
Add approriate TALLOC_CTX's thoughout the spnego code. No more implicit NULL contexts. Jeremy.
2010-07-21 03:17:58 +04:00
talloc_tos(),
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
&ap_rep_wrapped,
status,
mechOID);
*out_security_buffer = data_blob_talloc(smb2req,
secblob_out.data,
secblob_out.length);
if (secblob_out.data && out_security_buffer->data == NULL) {
status = NT_STATUS_NO_MEMORY;
goto fail;
}
data_blob_free(&ap_rep);
data_blob_free(&ap_rep_wrapped);
data_blob_free(&ticket);
data_blob_free(&session_key);
data_blob_free(&secblob_out);
*out_session_id = session->vuid;
return NT_STATUS_OK;
fail:
data_blob_free(&ap_rep);
data_blob_free(&ap_rep_wrapped);
data_blob_free(&ticket);
data_blob_free(&session_key);
data_blob_free(&secblob_out);
ap_rep_wrapped = data_blob_null;
secblob_out = spnego_gen_auth_response(
Add approriate TALLOC_CTX's thoughout the spnego code. No more implicit NULL contexts. Jeremy.
2010-07-21 03:17:58 +04:00
talloc_tos(),
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
&ap_rep_wrapped,
status,
mechOID);
*out_security_buffer = data_blob_talloc(smb2req,
secblob_out.data,
secblob_out.length);
data_blob_free(&secblob_out);
return status;
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
}
s3 smb2: Fix the build without kerberos Jeremy, please check
2010-05-20 13:29:03 +04:00
#endif
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
struct smbd_smb2_request *smb2req,
Make krb5 over SMB2 identical to the way we handle it in SMB1. Jeremy.
2010-05-21 23:08:18 +04:00
uint8_t in_security_mode,
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
DATA_BLOB in_security_buffer,
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
uint16_t *out_session_flags,
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
DATA_BLOB *out_security_buffer,
uint64_t *out_session_id)
{
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
DATA_BLOB secblob_in = data_blob_null;
DATA_BLOB chal_out = data_blob_null;
char *kerb_mech = NULL;
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
NTSTATUS status;
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
/* Ensure we have no old NTLM state around. */
s3-auth: Use talloc hierarchies to properly free auth_ntlmssp_state contexts Turn auth_ntlmssp_end into a destructor and attach it to auth_ntlmssp_state. Remote auth_ntlmssp_end and use TALLOC_FREE in the callers. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-17 03:44:22 +04:00
TALLOC_FREE(session->auth_ntlmssp_state);
s3:smbd: implement SMB2 Tree Connect For now this only checks if the share is present or not. metze
2009-05-15 13:50:20 +04:00
Add TALLOC_CTX argument to spnego_parse_negTokenInit, reduce use of malloc, and data_blob(). Jeremy.
2010-07-21 00:35:43 +04:00
status = parse_spnego_mechanisms(talloc_tos(), in_security_buffer,
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
&secblob_in, &kerb_mech);
if (!NT_STATUS_IS_OK(status)) {
goto out;
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
}
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
#ifdef HAVE_KRB5
if (kerb_mech && ((lp_security()==SEC_ADS) ||
USE_KERBEROS_KEYTAB) ) {
status = smbd_smb2_session_setup_krb5(session,
smb2req,
Make krb5 over SMB2 identical to the way we handle it in SMB1. Jeremy.
2010-05-21 23:08:18 +04:00
in_security_mode,
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
&secblob_in,
kerb_mech,
out_session_flags,
out_security_buffer,
out_session_id);
goto out;
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
}
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
#endif
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
Found by Guenther - fix up our fallback paths from krb5 to NTLMSSP when using SMB2. Jeremy.
2010-06-03 22:18:11 +04:00
if (kerb_mech) {
/* The mechtoken is a krb5 ticket, but
* we need to fall back to NTLM. */
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
Found by Guenther - fix up our fallback paths from krb5 to NTLMSSP when using SMB2. Jeremy.
2010-06-03 22:18:11 +04:00
DEBUG(3,("smb2: Got krb5 ticket in SPNEGO "
"but set to downgrade to NTLMSSP\n"));
status = NT_STATUS_MORE_PROCESSING_REQUIRED;
} else {
/* Fall back to NTLMSSP. */
status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
status = auth_ntlmssp_update(session->auth_ntlmssp_state,
secblob_in,
&chal_out);
}
Add NTLMSSP SPNEGO to smb2 auth. Tested with Win7. Jeremy.
2009-06-04 22:14:20 +04:00
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status,
NT_STATUS_MORE_PROCESSING_REQUIRED)) {
goto out;
}
Add NTLMSSP SPNEGO to smb2 auth. Tested with Win7. Jeremy.
2009-06-04 22:14:20 +04:00
Add approriate TALLOC_CTX's thoughout the spnego code. No more implicit NULL contexts. Jeremy.
2010-07-21 03:17:58 +04:00
*out_security_buffer = spnego_gen_auth_response(smb2req,
&chal_out,
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
status,
OID_NTLMSSP);
Add approriate TALLOC_CTX's thoughout the spnego code. No more implicit NULL contexts. Jeremy.
2010-07-21 03:17:58 +04:00
if (out_security_buffer->data == NULL) {
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
status = NT_STATUS_NO_MEMORY;
goto out;
}
*out_session_id = session->vuid;
Add NTLMSSP SPNEGO to smb2 auth. Tested with Win7. Jeremy.
2009-06-04 22:14:20 +04:00
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
out:
Add NTLMSSP SPNEGO to smb2 auth. Tested with Win7. Jeremy.
2009-06-04 22:14:20 +04:00
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
data_blob_free(&secblob_in);
data_blob_free(&chal_out);
Add TALLOC_CTX argument to spnego_parse_negTokenInit, reduce use of malloc, and data_blob(). Jeremy.
2010-07-21 00:35:43 +04:00
TALLOC_FREE(kerb_mech);
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status,
NT_STATUS_MORE_PROCESSING_REQUIRED)) {
s3-auth: Use talloc hierarchies to properly free auth_ntlmssp_state contexts Turn auth_ntlmssp_end into a destructor and attach it to auth_ntlmssp_state. Remote auth_ntlmssp_end and use TALLOC_FREE in the callers. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-17 03:44:22 +04:00
TALLOC_FREE(session->auth_ntlmssp_state);
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
TALLOC_FREE(session);
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
}
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
return status;
}
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *session,
struct smbd_smb2_request *smb2req,
uint8_t in_security_mode,
DATA_BLOB in_security_buffer,
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
uint16_t *out_session_flags,
uint64_t *out_session_id)
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
{
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
fstring tmp;
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
lp_server_signing() == Required) {
session->do_signing = true;
}
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
if (session->session_info->guest) {
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
/* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
/* force no signing */
session->do_signing = false;
}
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
session->session_key = session->session_info->user_session_key;
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
s3:smbd: create a user_struct for compat in SMB2 Session Setup metze
2009-05-27 20:33:45 +04:00
session->compat_vuser = talloc_zero(session, user_struct);
if (session->compat_vuser == NULL) {
s3-auth: Use talloc hierarchies to properly free auth_ntlmssp_state contexts Turn auth_ntlmssp_end into a destructor and attach it to auth_ntlmssp_state. Remote auth_ntlmssp_end and use TALLOC_FREE in the callers. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-17 03:44:22 +04:00
TALLOC_FREE(session->auth_ntlmssp_state);
s3:smbd: create a user_struct for compat in SMB2 Session Setup metze
2009-05-27 20:33:45 +04:00
TALLOC_FREE(session);
return NT_STATUS_NO_MEMORY;
}
session->compat_vuser->auth_ntlmssp_state = session->auth_ntlmssp_state;
session->compat_vuser->homes_snum = -1;
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
session->compat_vuser->session_info = session->session_info;
s3:smbd: create a user_struct for compat in SMB2 Session Setup metze
2009-05-27 20:33:45 +04:00
session->compat_vuser->session_keystr = NULL;
session->compat_vuser->vuid = session->vuid;
s3:smbd: rename conn => sconn for smbd_server_connection structs This should avoid confusion between smbd_server_connection and connection_struct variables. metze
2009-08-07 17:21:07 +04:00
DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
s3:smbd: create a user_struct for compat in SMB2 Session Setup metze
2009-05-27 20:33:45 +04:00
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
/* This is a potentially untrusted username */
alpha_strcpy(tmp,
s3:auth Make AUTH_NTLMSSP_STATE a private structure. This makes it a little easier for it to writen in terms of GENSEC in future. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-25 09:34:06 +04:00
auth_ntlmssp_get_username(session->auth_ntlmssp_state),
". _-$",
sizeof(tmp));
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
session->session_info->sanitized_username = talloc_strdup(
session->session_info, tmp);
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
if (!session->compat_vuser->session_info->guest) {
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
session->compat_vuser->homes_snum =
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
register_homes_share(session->session_info->unix_name);
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
}
s3: Remove smbd_server_fd() from session_claim
2010-08-16 10:00:48 +04:00
if (!session_claim(session->sconn, session->compat_vuser)) {
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
DEBUG(1, ("smb2: Failed to claim session "
"for vuid=%d\n",
session->compat_vuser->vuid));
s3-auth: Use talloc hierarchies to properly free auth_ntlmssp_state contexts Turn auth_ntlmssp_end into a destructor and attach it to auth_ntlmssp_state. Remote auth_ntlmssp_end and use TALLOC_FREE in the callers. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-17 03:44:22 +04:00
TALLOC_FREE(session->auth_ntlmssp_state);
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
TALLOC_FREE(session);
return NT_STATUS_LOGON_FAILURE;
}
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
session->status = NT_STATUS_OK;
/*
* we attach the session to the request
* so that the response can be signed
*/
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
smb2req->session = session;
s3:smbd: add support for SMB2 signing metze
2009-05-23 00:58:39 +04:00
if (session->do_signing) {
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
smb2req->do_signing = true;
}
global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32);
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
*out_session_id = session->vuid;
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
return NT_STATUS_OK;
}
static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
struct smbd_smb2_request *smb2req,
uint8_t in_security_mode,
DATA_BLOB in_security_buffer,
uint16_t *out_session_flags,
DATA_BLOB *out_security_buffer,
uint64_t *out_session_id)
{
DATA_BLOB auth = data_blob_null;
DATA_BLOB auth_out = data_blob_null;
NTSTATUS status;
Add approriate TALLOC_CTX's thoughout the spnego code. No more implicit NULL contexts. Jeremy.
2010-07-21 03:17:58 +04:00
if (!spnego_parse_auth(talloc_tos(), in_security_buffer, &auth)) {
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
TALLOC_FREE(session);
return NT_STATUS_LOGON_FAILURE;
}
Make krb5 over SMB2 identical to the way we handle it in SMB1. Jeremy.
2010-05-21 23:08:18 +04:00
if (auth.data[0] == ASN1_APPLICATION(0)) {
/* Might be a second negTokenTarg packet */
DATA_BLOB secblob_in = data_blob_null;
char *kerb_mech = NULL;
Add TALLOC_CTX argument to spnego_parse_negTokenInit, reduce use of malloc, and data_blob(). Jeremy.
2010-07-21 00:35:43 +04:00
status = parse_spnego_mechanisms(talloc_tos(),
in_security_buffer,
Make krb5 over SMB2 identical to the way we handle it in SMB1. Jeremy.
2010-05-21 23:08:18 +04:00
&secblob_in, &kerb_mech);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;
}
#ifdef HAVE_KRB5
if (kerb_mech && ((lp_security()==SEC_ADS) ||
USE_KERBEROS_KEYTAB) ) {
status = smbd_smb2_session_setup_krb5(session,
smb2req,
in_security_mode,
&secblob_in,
kerb_mech,
out_session_flags,
out_security_buffer,
out_session_id);
data_blob_free(&secblob_in);
Add TALLOC_CTX argument to spnego_parse_negTokenInit, reduce use of malloc, and data_blob(). Jeremy.
2010-07-21 00:35:43 +04:00
TALLOC_FREE(kerb_mech);
Make krb5 over SMB2 identical to the way we handle it in SMB1. Jeremy.
2010-05-21 23:08:18 +04:00
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
}
return status;
}
#endif
/* Can't blunder into NTLMSSP auth if we have
* a krb5 ticket. */
if (kerb_mech) {
DEBUG(3,("smb2: network "
"misconfiguration, client sent us a "
"krb5 ticket and kerberos security "
"not enabled\n"));
TALLOC_FREE(session);
data_blob_free(&secblob_in);
Add TALLOC_CTX argument to spnego_parse_negTokenInit, reduce use of malloc, and data_blob(). Jeremy.
2010-07-21 00:35:43 +04:00
TALLOC_FREE(kerb_mech);
Make krb5 over SMB2 identical to the way we handle it in SMB1. Jeremy.
2010-05-21 23:08:18 +04:00
return NT_STATUS_LOGON_FAILURE;
}
Found by Guenther - fix up our fallback paths from krb5 to NTLMSSP when using SMB2. Jeremy.
2010-06-03 22:18:11 +04:00
data_blob_free(&secblob_in);
}
if (session->auth_ntlmssp_state == NULL) {
status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
data_blob_free(&auth);
TALLOC_FREE(session);
return status;
}
Make krb5 over SMB2 identical to the way we handle it in SMB1. Jeremy.
2010-05-21 23:08:18 +04:00
}
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
status = auth_ntlmssp_update(session->auth_ntlmssp_state,
auth,
&auth_out);
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
/* We need to call setup_ntlmssp_session_info() if status==NT_STATUS_OK,
Fix bug #7608 - Win7 SMB2 authentication causes smbd panic We need to call setup_ntlmssp_server_info() if status==NT_STATUS_OK, or if status is anything except NT_STATUS_MORE_PROCESSING_REQUIRED, as this can trigger map to guest. Jeremy.
2010-08-10 03:16:24 +04:00
or if status is anything except NT_STATUS_MORE_PROCESSING_REQUIRED,
as this can trigger map to guest. */
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
status = setup_ntlmssp_session_info(session, status);
Make the "map to guest" parameter work correctly with NTLMSSP (spnego and raw) under SMB2. Still need to investigate fixing this with krb5 auth (does this make sense ?). Jeremy.
2010-07-16 22:05:34 +04:00
}
Allow us to cope correctly with NT_STATUS_MORE_PROCESSING_REQUIRED when downgrading from krb5 to NTLMSSP over SMB2. Jeremy.
2010-06-03 22:50:08 +04:00
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
s3-auth: Use talloc hierarchies to properly free auth_ntlmssp_state contexts Turn auth_ntlmssp_end into a destructor and attach it to auth_ntlmssp_state. Remote auth_ntlmssp_end and use TALLOC_FREE in the callers. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-17 03:44:22 +04:00
TALLOC_FREE(session->auth_ntlmssp_state);
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
data_blob_free(&auth);
TALLOC_FREE(session);
return status;
}
data_blob_free(&auth);
Add approriate TALLOC_CTX's thoughout the spnego code. No more implicit NULL contexts. Jeremy.
2010-07-21 03:17:58 +04:00
*out_security_buffer = spnego_gen_auth_response(smb2req,
&auth_out, status, NULL);
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
Add approriate TALLOC_CTX's thoughout the spnego code. No more implicit NULL contexts. Jeremy.
2010-07-21 03:17:58 +04:00
if (out_security_buffer->data == NULL) {
s3-auth: Use talloc hierarchies to properly free auth_ntlmssp_state contexts Turn auth_ntlmssp_end into a destructor and attach it to auth_ntlmssp_state. Remote auth_ntlmssp_end and use TALLOC_FREE in the callers. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-17 03:44:22 +04:00
TALLOC_FREE(session->auth_ntlmssp_state);
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
TALLOC_FREE(session);
return NT_STATUS_NO_MEMORY;
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
}
*out_session_id = session->vuid;
SMB2 always have level2 oplock capability. Correct mapping from break messages to SMB2 oplock levels. Jeremy.
2010-05-11 01:23:44 +04:00
Allow us to cope correctly with NT_STATUS_MORE_PROCESSING_REQUIRED when downgrading from krb5 to NTLMSSP over SMB2. Jeremy.
2010-06-03 22:50:08 +04:00
if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
/* We're done - claim the session. */
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
return smbd_smb2_common_ntlmssp_auth_return(session,
smb2req,
in_security_mode,
in_security_buffer,
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
out_session_flags,
out_session_id);
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
}
static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
struct smbd_smb2_request *smb2req,
uint8_t in_security_mode,
DATA_BLOB in_security_buffer,
uint16_t *out_session_flags,
DATA_BLOB *out_security_buffer,
uint64_t *out_session_id)
{
NTSTATUS status;
DATA_BLOB secblob_out = data_blob_null;
if (session->auth_ntlmssp_state == NULL) {
status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;
}
}
/* RAW NTLMSSP */
status = auth_ntlmssp_update(session->auth_ntlmssp_state,
in_security_buffer,
&secblob_out);
if (NT_STATUS_IS_OK(status) ||
NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
*out_security_buffer = data_blob_talloc(smb2req,
secblob_out.data,
secblob_out.length);
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
if (secblob_out.data && out_security_buffer->data == NULL) {
s3-auth: Use talloc hierarchies to properly free auth_ntlmssp_state contexts Turn auth_ntlmssp_end into a destructor and attach it to auth_ntlmssp_state. Remote auth_ntlmssp_end and use TALLOC_FREE in the callers. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-17 03:44:22 +04:00
TALLOC_FREE(session->auth_ntlmssp_state);
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
TALLOC_FREE(session);
return NT_STATUS_NO_MEMORY;
}
}
if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
*out_session_id = session->vuid;
return status;
}
Make the "map to guest" parameter work correctly with NTLMSSP (spnego and raw) under SMB2. Still need to investigate fixing this with krb5 auth (does this make sense ?). Jeremy.
2010-07-16 22:05:34 +04:00
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
status = setup_ntlmssp_session_info(session, status);
Make the "map to guest" parameter work correctly with NTLMSSP (spnego and raw) under SMB2. Still need to investigate fixing this with krb5 auth (does this make sense ?). Jeremy.
2010-07-16 22:05:34 +04:00
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
if (!NT_STATUS_IS_OK(status)) {
s3-auth: Use talloc hierarchies to properly free auth_ntlmssp_state contexts Turn auth_ntlmssp_end into a destructor and attach it to auth_ntlmssp_state. Remote auth_ntlmssp_end and use TALLOC_FREE in the callers. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-17 03:44:22 +04:00
TALLOC_FREE(session->auth_ntlmssp_state);
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
TALLOC_FREE(session);
return status;
}
*out_session_id = session->vuid;
return smbd_smb2_common_ntlmssp_auth_return(session,
smb2req,
in_security_mode,
in_security_buffer,
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
out_session_flags,
out_session_id);
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
}
static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
uint64_t in_session_id,
uint8_t in_security_mode,
DATA_BLOB in_security_buffer,
uint16_t *out_session_flags,
DATA_BLOB *out_security_buffer,
uint64_t *out_session_id)
{
struct smbd_smb2_session *session;
*out_session_flags = 0;
*out_session_id = 0;
if (in_session_id == 0) {
int id;
/* create a new session */
session = talloc_zero(smb2req->sconn, struct smbd_smb2_session);
if (session == NULL) {
return NT_STATUS_NO_MEMORY;
}
session->status = NT_STATUS_MORE_PROCESSING_REQUIRED;
id = idr_get_new_random(smb2req->sconn->smb2.sessions.idtree,
session,
smb2req->sconn->smb2.sessions.limit);
if (id == -1) {
return NT_STATUS_INSUFFICIENT_RESOURCES;
}
session->vuid = id;
session->tcons.idtree = idr_init(session);
if (session->tcons.idtree == NULL) {
return NT_STATUS_NO_MEMORY;
}
session->tcons.limit = 0x0000FFFE;
session->tcons.list = NULL;
DLIST_ADD_END(smb2req->sconn->smb2.sessions.list, session,
struct smbd_smb2_session *);
session->sconn = smb2req->sconn;
talloc_set_destructor(session, smbd_smb2_session_destructor);
} else {
void *p;
/* lookup an existing session */
p = idr_find(smb2req->sconn->smb2.sessions.idtree, in_session_id);
if (p == NULL) {
return NT_STATUS_USER_SESSION_DELETED;
}
session = talloc_get_type_abort(p, struct smbd_smb2_session);
}
if (NT_STATUS_IS_OK(session->status)) {
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
if (in_security_buffer.data[0] == ASN1_APPLICATION(0)) {
return smbd_smb2_spnego_negotiate(session,
smb2req,
Plumb in krb5 to the SMB2 sessionsetup code. First cut of this code. Jeremy.
2010-05-18 05:22:19 +04:00
in_security_mode,
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
in_security_buffer,
out_session_flags,
out_security_buffer,
out_session_id);
} else if (in_security_buffer.data[0] == ASN1_CONTEXT(1)) {
return smbd_smb2_spnego_auth(session,
smb2req,
in_security_mode,
in_security_buffer,
out_session_flags,
out_security_buffer,
out_session_id);
} else if (strncmp((char *)(in_security_buffer.data), "NTLMSSP", 7) == 0) {
return smbd_smb2_raw_ntlmssp_auth(session,
smb2req,
in_security_mode,
in_security_buffer,
out_session_flags,
out_security_buffer,
out_session_id);
}
/* Unknown packet type. */
DEBUG(1,("Unknown packet type %u in smb2 sessionsetup\n",
(unsigned int)in_security_buffer.data[0] ));
s3-auth: Use talloc hierarchies to properly free auth_ntlmssp_state contexts Turn auth_ntlmssp_end into a destructor and attach it to auth_ntlmssp_state. Remote auth_ntlmssp_end and use TALLOC_FREE in the callers. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-17 03:44:22 +04:00
TALLOC_FREE(session->auth_ntlmssp_state);
Refactor the sessionsetup SMB2 code to make it easy to add krb5. Fix a memory leak in returning security blobs. Jeremy
2010-05-18 00:05:22 +04:00
TALLOC_FREE(session);
return NT_STATUS_LOGON_FAILURE;
s3:smbd: implement SMB2 Session Setup with raw NTLMSSP metze
2009-05-15 13:20:34 +04:00
}
s3:smbd: check the incoming session id for SMB2 requests metze
2009-05-20 22:51:10 +04:00
NTSTATUS smbd_smb2_request_check_session(struct smbd_smb2_request *req)
{
const uint8_t *inhdr;
On compound requests, MS-SMB2 says clients MAY use 0xFFFFFFFF for compound tid and 0xFFFFFFFFFFFFFFFF for compound sessionid values. Cope with this. Jeremy.
2010-04-07 21:32:01 +04:00
const uint8_t *outhdr;
s3:smbd: check the incoming session id for SMB2 requests metze
2009-05-20 22:51:10 +04:00
int i = req->current_idx;
uint64_t in_session_id;
void *p;
struct smbd_smb2_session *session;
On compound requests, MS-SMB2 says clients MAY use 0xFFFFFFFF for compound tid and 0xFFFFFFFFFFFFFFFF for compound sessionid values. Cope with this. Jeremy.
2010-04-07 21:32:01 +04:00
bool chained_fixup = false;
s3:smbd: check the incoming session id for SMB2 requests metze
2009-05-20 22:51:10 +04:00
inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
s3:smbd: SMB2 session ids are 64bit... We only grand ids up to 0x0000000000FFFFFF, because that's what our idtree implementation can handle. But also 16777215 sessions on one tcp connection should be enough:-) metze
2009-05-22 13:06:54 +04:00
in_session_id = BVAL(inhdr, SMB2_HDR_SESSION_ID);
s3:smbd: check the incoming session id for SMB2 requests metze
2009-05-20 22:51:10 +04:00
First part of fix for bug #7331 - Compound async SMB 2 requests don't work right. Gets us handling SMB2 compound async requests similar to W2K8R2 (and triggers the same client bug in the Win7 redirector). Great thanks to Ira Cooper <samba@ira.wakeful.net> for helping with this and to Metze for the wonderful async framework. The one thing I need to fix to make us identical to W2K8R2 is that when a compound request goes async at the end W2K8R2 splits the replies up into a compound non-async reply followed by a separate async reply. Currently we're doing the whole thing in a compound reply. Jeremy.
2010-04-18 08:20:17 +04:00
if (in_session_id == (0xFFFFFFFFFFFFFFFFLL)) {
if (req->async) {
/*
* async request - fill in session_id from
* already setup request out.vector[].iov_base.
*/
outhdr = (const uint8_t *)req->out.vector[i].iov_base;
in_session_id = BVAL(outhdr, SMB2_HDR_SESSION_ID);
} else if (i > 2) {
/*
* Chained request - fill in session_id from
* the previous request out.vector[].iov_base.
*/
outhdr = (const uint8_t *)req->out.vector[i-3].iov_base;
in_session_id = BVAL(outhdr, SMB2_HDR_SESSION_ID);
chained_fixup = true;
}
On compound requests, MS-SMB2 says clients MAY use 0xFFFFFFFF for compound tid and 0xFFFFFFFFFFFFFFFF for compound sessionid values. Cope with this. Jeremy.
2010-04-07 21:32:01 +04:00
}
s3:smbd: check the incoming session id for SMB2 requests metze
2009-05-20 22:51:10 +04:00
/* lookup an existing session */
s3:smbd: rename conn => sconn for smbd_server_connection structs This should avoid confusion between smbd_server_connection and connection_struct variables. metze
2009-08-07 17:21:07 +04:00
p = idr_find(req->sconn->smb2.sessions.idtree, in_session_id);
s3:smbd: check the incoming session id for SMB2 requests metze
2009-05-20 22:51:10 +04:00
if (p == NULL) {
return NT_STATUS_USER_SESSION_DELETED;
}
session = talloc_get_type_abort(p, struct smbd_smb2_session);
if (!NT_STATUS_IS_OK(session->status)) {
return NT_STATUS_ACCESS_DENIED;
}
s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_info These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-21 12:25:52 +03:00
set_current_user_info(session->session_info->sanitized_username,
session->session_info->unix_name,
session->session_info->info3->base.domain.string);
s3:smbd: create a user_struct for compat in SMB2 Session Setup metze
2009-05-27 20:33:45 +04:00
s3:smbd: check the incoming session id for SMB2 requests metze
2009-05-20 22:51:10 +04:00
req->session = session;
On compound requests, MS-SMB2 says clients MAY use 0xFFFFFFFF for compound tid and 0xFFFFFFFFFFFFFFFF for compound sessionid values. Cope with this. Jeremy.
2010-04-07 21:32:01 +04:00
if (chained_fixup) {
/* Fix up our own outhdr. */
outhdr = (const uint8_t *)req->out.vector[i].iov_base;
SBVAL(outhdr, SMB2_HDR_SESSION_ID, in_session_id);
}
s3:smbd: check the incoming session id for SMB2 requests metze
2009-05-20 22:51:10 +04:00
return NT_STATUS_OK;
}
s3:smbd: implement SMB2 Logoff metze
2009-05-15 13:40:19 +04:00
NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req)
{
const uint8_t *inbody;
int i = req->current_idx;
DATA_BLOB outbody;
size_t expected_body_size = 0x04;
size_t body_size;
if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
}
inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
body_size = SVAL(inbody, 0x00);
if (body_size != expected_body_size) {
return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
}
/*
* TODO: cancel all outstanding requests on the session
* and delete all tree connections.
*/
smbd_smb2_session_destructor(req->session);
/*
* we may need to sign the response, so we need to keep
* the session until the response is sent to the wire.
*/
talloc_steal(req, req->session);
outbody = data_blob_talloc(req->out.vector, NULL, 0x04);
if (outbody.data == NULL) {
return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
}
SSVAL(outbody.data, 0x00, 0x04); /* struct size */
SSVAL(outbody.data, 0x02, 0); /* reserved */
return smbd_smb2_request_done(req, outbody, NULL);
}
Copy Permalink