source3/auth/auth_ntlmssp.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, server side
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett 2001-2003
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "auth.h"
  25 #include "../libcli/auth/ntlmssp.h"
  26 #include "ntlmssp_wrap.h"
  27 #include "../librpc/gen_ndr/netlogon.h"
  28 #include "../lib/tsocket/tsocket.h"
  29 #include "auth/gensec/gensec.h"
  30 #include "librpc/rpc/dcerpc.h"
  31
  32 NTSTATUS auth_ntlmssp_session_info(TALLOC_CTX *mem_ctx,
  33                                    struct auth_ntlmssp_state *auth_ntlmssp_state,
  34                                    struct auth_session_info **session_info)
  35 {
  36         NTSTATUS nt_status;
  37         if (auth_ntlmssp_state->gensec_security) {
  38
  39                 nt_status = gensec_session_info(auth_ntlmssp_state->gensec_security,
  40                                                 mem_ctx,
  41                                                 session_info);
  42                 return nt_status;
  43         }
  44
  45         nt_status = create_local_token(mem_ctx,
  46                                        auth_ntlmssp_state->server_info,
  47                                        &auth_ntlmssp_state->ntlmssp_state->session_key,
  48                                        auth_ntlmssp_state->ntlmssp_state->user,
  49                                        session_info);
  50
  51         if (!NT_STATUS_IS_OK(nt_status)) {
  52                 DEBUG(10, ("create_local_token failed: %s\n",
  53                            nt_errstr(nt_status)));
  54         }
  55         return nt_status;
  56 }
  57
  58 /**
  59  * Return the challenge as determined by the authentication subsystem
  60  * @return an 8 byte random challenge
  61  */
  62
  63 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
  64                                            uint8_t chal[8])
  65 {
  66         struct auth_ntlmssp_state *auth_ntlmssp_state =
  67                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  68         auth_ntlmssp_state->auth_context->get_ntlm_challenge(
  69                 auth_ntlmssp_state->auth_context, chal);
  70         return NT_STATUS_OK;
  71 }
  72
  73 /**
  74  * Some authentication methods 'fix' the challenge, so we may not be able to set it
  75  *
  76  * @return If the effective challenge used by the auth subsystem may be modified
  77  */
  78 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
  79 {
  80         struct auth_ntlmssp_state *auth_ntlmssp_state =
  81                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  82         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
  83
  84         return auth_context->challenge_may_be_modified;
  85 }
  86
  87 /**
  88  * NTLM2 authentication modifies the effective challenge,
  89  * @param challenge The new challenge value
  90  */
  91 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
  92 {
  93         struct auth_ntlmssp_state *auth_ntlmssp_state =
  94                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  95         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
  96
  97         SMB_ASSERT(challenge->length == 8);
  98
  99         auth_context->challenge = data_blob_talloc(auth_context,
 100                                                    challenge->data, challenge->length);
 101
 102         auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)";
 103
 104         DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
 105         DEBUG(5, ("challenge is: \n"));
 106         dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
 107         return NT_STATUS_OK;
 108 }
 109
 110 /**
 111  * Check the password on an NTLMSSP login.
 112  *
 113  * Return the session keys used on the connection.
 114  */
 115
 116 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *mem_ctx,
 117                                             DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 118 {
 119         struct auth_ntlmssp_state *auth_ntlmssp_state =
 120                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
 121         struct auth_usersupplied_info *user_info = NULL;
 122         NTSTATUS nt_status;
 123         bool username_was_mapped;
 124
 125         /* the client has given us its machine name (which we otherwise would not get on port 445).
 126            we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
 127
 128         set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->client.netbios_name, True);
 129
 130         /* setup the string used by %U */
 131         /* sub_set_smb_name checks for weird internally */
 132         sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
 133
 134         lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
 135
 136         nt_status = make_user_info_map(&user_info,
 137                                        auth_ntlmssp_state->ntlmssp_state->user,
 138                                        auth_ntlmssp_state->ntlmssp_state->domain,
 139                                        auth_ntlmssp_state->ntlmssp_state->client.netbios_name,
 140                                        auth_ntlmssp_state->remote_address,
 141                                        auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
 142                                        auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
 143                                        NULL, NULL, NULL,
 144                                        AUTH_PASSWORD_RESPONSE);
 145
 146         if (!NT_STATUS_IS_OK(nt_status)) {
 147                 return nt_status;
 148         }
 149
 150         user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
 151
 152         nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context,
 153                                                                           user_info, &auth_ntlmssp_state->server_info);
 154
 155         username_was_mapped = user_info->was_mapped;
 156
 157         free_user_info(&user_info);
 158
 159         if (!NT_STATUS_IS_OK(nt_status)) {
 160                 nt_status = do_map_to_guest_server_info(nt_status,
 161                                                         &auth_ntlmssp_state->server_info,
 162                                                         auth_ntlmssp_state->ntlmssp_state->user,
 163                                                         auth_ntlmssp_state->ntlmssp_state->domain);
 164         }
 165
 166         if (!NT_STATUS_IS_OK(nt_status)) {
 167                 return nt_status;
 168         }
 169
 170         talloc_steal(auth_ntlmssp_state, auth_ntlmssp_state->server_info);
 171
 172         auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
 173
 174         /* Clear out the session keys, and pass them to the caller.
 175          * They will not be used in this form again - instead the
 176          * NTLMSSP code will decide on the final correct session key,
 177          * and supply it to create_local_token() */
 178         if (auth_ntlmssp_state->server_info->session_key.length) {
 179                 DEBUG(10, ("Got NT session key of length %u\n",
 180                         (unsigned int)auth_ntlmssp_state->server_info->session_key.length));
 181                 *session_key = auth_ntlmssp_state->server_info->session_key;
 182                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->session_key.data);
 183                 auth_ntlmssp_state->server_info->session_key = data_blob_null;
 184         }
 185         if (auth_ntlmssp_state->server_info->lm_session_key.length) {
 186                 DEBUG(10, ("Got LM session key of length %u\n",
 187                         (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
 188                 *lm_session_key = auth_ntlmssp_state->server_info->lm_session_key;
 189                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->lm_session_key.data);
 190                 auth_ntlmssp_state->server_info->lm_session_key = data_blob_null;
 191         }
 192         return nt_status;
 193 }
 194
 195 NTSTATUS auth_ntlmssp_prepare(const struct tsocket_address *remote_address,
 196                               struct auth_ntlmssp_state **auth_ntlmssp_state)
 197 {
 198         NTSTATUS nt_status;
 199         bool is_standalone;
 200         const char *netbios_name;
 201         const char *netbios_domain;
 202         const char *dns_name;
 203         char *dns_domain;
 204         struct auth_ntlmssp_state *ans;
 205         struct auth_context *auth_context;
 206
 207         ans = talloc_zero(NULL, struct auth_ntlmssp_state);
 208         if (!ans) {
 209                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
 210                 return NT_STATUS_NO_MEMORY;
 211         }
 212
 213         nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context);
 214         if (!NT_STATUS_IS_OK(nt_status)) {
 215                 TALLOC_FREE(ans);
 216                 return nt_status;
 217         }
 218
 219         ans->auth_context = talloc_steal(ans, auth_context);
 220
 221         if (auth_context->prepare_gensec) {
 222                 nt_status = auth_context->prepare_gensec(ans, &ans->gensec_security);
 223                 if (!NT_STATUS_IS_OK(nt_status)) {
 224                         TALLOC_FREE(ans);
 225                         return nt_status;
 226                 } else {
 227                         *auth_ntlmssp_state = ans;
 228                         return NT_STATUS_OK;
 229                 }
 230         }
 231
 232         if ((enum server_role)lp_server_role() == ROLE_STANDALONE) {
 233                 is_standalone = true;
 234         } else {
 235                 is_standalone = false;
 236         }
 237
 238         netbios_name = lp_netbios_name();
 239         netbios_domain = lp_workgroup();
 240         /* This should be a 'netbios domain -> DNS domain' mapping */
 241         dns_domain = get_mydnsdomname(talloc_tos());
 242         if (dns_domain) {
 243                 strlower_m(dns_domain);
 244         }
 245         dns_name = get_mydnsfullname();
 246
 247         ans->remote_address = tsocket_address_copy(remote_address, ans);
 248         if (ans->remote_address == NULL) {
 249                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
 250                 return NT_STATUS_NO_MEMORY;
 251         }
 252
 253         nt_status = ntlmssp_server_start(ans,
 254                                          is_standalone,
 255                                          netbios_name,
 256                                          netbios_domain,
 257                                          dns_name,
 258                                          dns_domain,
 259                                          &ans->ntlmssp_state);
 260         if (!NT_STATUS_IS_OK(nt_status)) {
 261                 return nt_status;
 262         }
 263
 264         ans->ntlmssp_state->callback_private = ans;
 265         ans->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
 266         ans->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
 267         ans->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
 268         ans->ntlmssp_state->check_password = auth_ntlmssp_check_password;
 269
 270         *auth_ntlmssp_state = ans;
 271         return NT_STATUS_OK;
 272 }
 273
 274 NTSTATUS auth_generic_start(struct auth_ntlmssp_state *auth_ntlmssp_state, const char *oid)
 275 {
 276         if (auth_ntlmssp_state->auth_context->gensec_start_mech_by_oid) {
 277                 return auth_ntlmssp_state->auth_context->gensec_start_mech_by_oid(auth_ntlmssp_state->gensec_security, oid);
 278         }
 279
 280         if (strcmp(oid, GENSEC_OID_NTLMSSP) != 0) {
 281                 /* The caller will then free the auth_ntlmssp_state,
 282                  * undoing what was done in auth_ntlmssp_prepare().
 283                  *
 284                  * We can't do that logic here, as
 285                  * auth_ntlmssp_want_feature() may have been called in
 286                  * between.
 287                  */
 288                 return NT_STATUS_NOT_IMPLEMENTED;
 289         }
 290
 291         return NT_STATUS_OK;
 292 }
 293
 294 NTSTATUS auth_generic_authtype_start(struct auth_ntlmssp_state *auth_ntlmssp_state,
 295                                      uint8_t auth_type, uint8_t auth_level)
 296 {
 297         if (auth_ntlmssp_state->auth_context->gensec_start_mech_by_authtype) {
 298                 return auth_ntlmssp_state->auth_context->gensec_start_mech_by_authtype(auth_ntlmssp_state->gensec_security,
 299                                                                                        auth_type, auth_level);
 300         }
 301
 302         if (auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
 303                 /* The caller will then free the auth_ntlmssp_state,
 304                  * undoing what was done in auth_ntlmssp_prepare().
 305                  *
 306                  * We can't do that logic here, as
 307                  * auth_ntlmssp_want_feature() may have been called in
 308                  * between.
 309                  */
 310                 return NT_STATUS_NOT_IMPLEMENTED;
 311         }
 312
 313         if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
 314                 auth_ntlmssp_want_feature(auth_ntlmssp_state, NTLMSSP_FEATURE_SIGN);
 315         } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
 316                 /* Always implies both sign and seal for ntlmssp */
 317                 auth_ntlmssp_want_feature(auth_ntlmssp_state, NTLMSSP_FEATURE_SEAL);
 318         } else if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
 319                 /* Default features */
 320         } else {
 321                 DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n",
 322                          auth_level));
 323                 return NT_STATUS_INVALID_PARAMETER;
 324         }
 325
 326         return NT_STATUS_OK;
 327 }
 328
 329 NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state *auth_ntlmssp_state)
 330 {
 331         return auth_generic_start(auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
 332 }