1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

126 Commits

Author SHA1 Message Date
Stefan Metzmacher
1957bf11f1 s3:auth: make use of make_{server,session}_info_anonymous()
It's important to have them separated from make_{server,session}_info_guest(),
because there's a fundamental difference between anonymous (the client requested
no authentication) and guest (the server lies about the authentication failure).

When it's really an anonymous connection, we should reflect that in the
resulting session info.

This should fix a problem where Windows 10 tries to join
a Samba hosted NT4 domain and has SMB2/3 enabled.

We no longer return SMB_SETUP_GUEST or SMB2_SESSION_FLAG_IS_GUEST
for true anonymous connections.

The commit message from a few commit before shows the resulting
auth_session_info change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144
2018-03-16 03:03:31 +01:00
Gary Lockyer
3bc5685445 rpc: Always supply both the remote and local address to the auth subsystem
This ensures that gensec, and then the NTLM auth subsystem under it, always gets the
remote and local address pointers for potential logging.

The local address allows us to know which interface an authentication is on

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:27 +02:00
Andrew Bartlett
c048918959 auth: Fill in user_info->service_description from all callers
This will allow the logging code to make clear which protocol an authentication was for.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:25 +02:00
Stefan Metzmacher
541d687347 auth: let auth4_context->check_ntlm_password() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:10 +01:00
Stefan Metzmacher
65d5f845ed auth3: let auth_check_ntlm_password() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:09 +01:00
Andreas Schneider
109ff388fd s3-auth: Fix a possible null pointer dereference
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11404

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul 17 14:04:01 CEST 2015 on sn-devel-104
2015-07-17 14:04:01 +02:00
Michael Adam
696ce368bd s3:auth: use lp_load_with_shares() in auth3_check_password()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
2015-04-22 13:57:29 +02:00
Stefan Metzmacher
169c6d409f s3:auth: allow special SYSTEM and ANONYMOUS handling in auth3_generate_session_info()
auth_ctx->generate_session_info() will be used by the SCHANNEL and
NCALRPC_AS_SYSTEM gensec modules in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-24 11:21:05 +02:00
Andrew Bartlett
4d50c75159 s3-auth: Finally change make_user_info_*() use a parent talloc context
Change-Id: Iedf516e8c24e0d18064aeedd8e287ed692d3c5b4
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2014-04-02 11:05:46 +02:00
Andreas Schneider
79e2725f33 s3-auth: Pass mem_ctx to do_map_to_guest_server_info().
Change-Id: If53117023e3ab37c810193edd00a81d247fdde7a
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 19 01:28:14 CET 2014 on sn-devel-104
2014-02-19 01:28:14 +01:00
Andreas Schneider
4d792db03f s3-auth: Pass mem_ctx to auth_check_ntlm_password().
Coverity-Id: 1168009
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598

Signed-off-by: Andreas Schneider <asn@samba.org>

Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-02-19 11:29:29 +13:00
Andrew Bartlett
eba8799514 auth: Remove .get_challenge (only used for security=server)
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge,
so if we ever did use a module that needed this functionlity, we would
downgrade to just NTLM.

Now that security=server has been removed, we have no such module.

This will make it easier to make the auth subsystem async, as we will
not need to consider making .get_challenge async.

Andrew Bartlett
2012-07-03 08:13:01 +10:00
Andrew Bartlett
77602d877e s3-auth: Remove single-implementation plugin layer
The ->get_ntlm_challenge and ->check_ntlm_password elements of struct auth_context
were only ever initialised to a single value.  Make it easier to follow by
just calling the function directly.

Andrew Bartlett
2012-03-08 10:14:05 +01:00
Andrew Bartlett
e786e8fef9 auth: Reorder arguments to generate_session_info
This matches check_ntlm_password() and generate_session_info_pac()

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
2012-02-18 02:19:35 +01:00
Andrew Bartlett
6b573e73fc s3-auth: Use common gensec_ntlmssp
There is no longer any samba3-specific code left here.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:10 +01:00
Andrew Bartlett
27fb6f85e7 s3-auth: Use common gensec_ntlmssp_server_start
This is now identical code, so there is no need to duplicate it.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:10 +01:00
Andrew Bartlett
3767fd4255 s3-auth: Use the gensec-supplied DNS domain name and hostname.
Also have a reasonable fallback for when it is not set.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
c616ab0965 s3-auth: Allow NTLMSSP features to be disabled with smb.conf options for testing
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
93fed62543 s3-auth: Use the lpcfg_ wrapper calls to set some variables
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
db1ea56d8b s3-auth: Remove a layer of indirection and reorder to match gensec_ntlmssp_server_start() 2012-02-17 10:48:09 +01:00
Andrew Bartlett
98992b5b4e s3-auth: Only allow LM_KEY cryptography when extra options are set
This crypto is incredibly poor, and can technically be enabled on an otherwise more
secure connection that uses NTLM for the actual authentication leg.  Therefore
disable it by default.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
82e3098e84 s3-auth: Inline ntlmssp_server_start() into gensec_ntlmssp3_server_start()
This will help syncing this rotuine up with gensec_ntlmssp_server_start().

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
9b147ce26d s3-auth Use the common gensec_ntlmssp_update in gensec_ntlmssp3_server
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
9c5b26f864 s3-auth: Use common gensec_ntlmssp server functions for more of gensec_ntlmssp3_server
This is possible because we now supply the auth4_context abstraction that this
code is looking for.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
2f74f2f180 s3-auth: Add extra error messages on authentication or authorization failure
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
8adde1b46b s3-auth Hook checking passwords and generating session_info via the auth4_context
This avoids creating a second auth_context, as it is a private pointer
in the auth4_context that has already been passed in, and makes the
gensec_ntlmssp code agnostic to the type of authentication backend
behind it. This will in turn allow the ntlmssp server code to be
further merged.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Christopher R. Hertel (crh)
b5b204184a Rename obscure defined constants.
Replaced the undescriptive SMB_PORT1 and SMB_PORT2 defined constants
with the slightly more descriptive names NBT_SMB_PORT and TCP_SMB_PORT.
Also replaced several hard-coded references to the well-known port
numbers (139 and 445, respectively) as appropriate.

Small changes to clarify some comments regarding the two transport
types.

Signed-off-by: Simo Sorce <idra@samba.org>

Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Thu Feb 16 08:29:41 CET 2012 on sn-devel-104
2012-02-16 08:29:41 +01:00
Andrew Bartlett
959d13ac20 s3-auth: Remove duplicate check for NT_STATUS_IS_OK(nt_status)
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jan 30 09:38:47 CET 2012 on sn-devel-104
2012-01-30 09:38:46 +01:00
Andrew Bartlett
a647df4607 auth: Make check_password and generate_session_info hook generic
gensec_ntlmssp does not need to know the internal form of the
struct user_info_dc or auth_serversupplied_info.  This will allow the
calling logic to be put in common.

Andrew Bartlett
2012-01-30 08:05:14 +01:00
Andrew Bartlett
16e463e169 s3-auth Remove ntlmssp_wrap.h which is no longer required
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
e22b1b4f9e s3-auth re-create the auth context in the s3 ntlmssp server module
This removes the abstraction violation in auth_generic.c.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
5e038432f7 s3-auth split the auth_generic functions into a seperate file
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:11 +01:00
Andrew Bartlett
c17131685c s3-auth remove auth_ntlmssp_start(), call auth_generic_start() directly
This makes it clear that this can support more than just NTLMSSP.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Andrew Bartlett
1100f6eca5 s3-auth rename auth_ntlmssp_prepare() -> auth_generic_prepare()
This function handles more than NTLMSSP now, at least when we are an AD DC
and so changing the name may avoid some confusion in the future.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Andrew Bartlett
6391fff9da s3-auth rename auth_ntlmssp_state -> auth_generic_state
This structure handles more than NTLMSSP now, at least when we are an AD DC
and so changing the name may avoid some confusion in the future.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Andrew Bartlett
915fe7981b s3-auth remove auth_ntlmssp_session_info()
Instead, call gensec_session_info() directly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:02 +02:00
Andrew Bartlett
94799db9b5 s3-auth move the s3 auth context onto gensec_ntlmssp once we start
We do not need it on the auth_ntlmssp_state any longer.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 18 13:54:36 CEST 2011 on sn-devel-104
2011-10-18 13:54:36 +02:00
Andrew Bartlett
e7d5f0a357 gensec: move event context from gensec_*_init() to gensec_update()
This avoids keeping the event context around on a the gensec_security
context structure long term.

In the Samba3 server, the event context we either supply is a NULL
pointer as no server-side modules currently use the event context.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:33 +11:00
Andrew Bartlett
5392491f77 s3-ntlmssp Implement the server-side auth_ntlmssp code as a GENSEC module
This uses the top level gensec_ntlmssp helper functions which are identical
to the parts of ntlmssp_wrap.c that are now not called.

(Includes formatting and correctness fixes from Metze)

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:32 +11:00
Andrew Bartlett
0c6e4adcb2 ntlmssp: Move ntlmssp code to auth/ntlmssp
This brings in the code from both libcli/auth and
source4/auth/ntlmssp.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Andrew Bartlett
d4d4f4e07f s3-auth Add my copyright
I have done plenty of work here, I deserve some of the blame :-)

Andrew Bartlett
2011-10-18 13:13:30 +11:00
Andrew Bartlett
1dbdddf223 s3-ntlmssp Remove a level of nesting in if/else statement 2011-08-03 18:48:05 +10:00
Andrew Bartlett
7b1d6a6a05 selftest: test plugin_s4_dc against all ncacn_np tests
Changes to the s3 epmapper behaviour seem to have fixed the rest of these
tests.

Andrew Bartlett
2011-08-03 18:48:05 +10:00
Andrew Bartlett
7c4eb9e32e s3-ntlmssp clarify session key behaviour after create_local_token() changes 2011-08-03 18:48:05 +10:00
Andrew Bartlett
3f0b5d05b5 s3-ntlmssp Remove auth_ntlmssp_state_destructor, use the talloc tree instead 2011-08-03 18:48:05 +10:00
Andrew Bartlett
8fca9741fe s3-auth rename auth_ntlmssp_steal_session_info()
There is no longer any theft of memory as the underlying routines now
produce a new auth_session_info for this caller, allocating it
on the supplied memory context.

Andrew Bartlett
2011-08-03 18:48:05 +10:00
Andrew Bartlett
9f663270fd s3-auth Add function to start any GENSEC mech by OID
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
9a45bf3952 s3-auth set session_info->sanitized_username in create_local_token()
Rather than passing this value around the callers, and eventually
setting it in register_existing_vuid(), we simply pass it to
create_local_token().  This also removes the need for
auth_ntlmssp_get_username().

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
8b983d2326 s3-ntlmssp Split auth_ntlmssp_start into two functions
This helps map on to the GENSEC semantics better, and ensures that the
full set of desired features are set before the mechanism starts.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
902df83680 s3-ntlmssp Split calls to gensec plugin into prepare and start
GENSEC has the concept of starting the GENSEC subsystem before starting the
actual mechansim.  Between these two stages is when most context methods
are called, to specify credentials and features.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00