source3/auth/auth_ntlmssp.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, server side
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett 2001-2003
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "auth.h"
  25 #include "../libcli/auth/ntlmssp.h"
  26 #include "ntlmssp_wrap.h"
  27 #include "../librpc/gen_ndr/netlogon.h"
  28 #include "../lib/tsocket/tsocket.h"
  29 #include "auth/gensec/gensec.h"
  30
  31 NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
  32                                         struct auth_ntlmssp_state *auth_ntlmssp_state,
  33                                         struct auth_session_info **session_info)
  34 {
  35         NTSTATUS nt_status;
  36         if (auth_ntlmssp_state->gensec_security) {
  37
  38                 nt_status = gensec_session_info(auth_ntlmssp_state->gensec_security,
  39                                                 mem_ctx,
  40                                                 session_info);
  41                 return nt_status;
  42         }
  43
  44         nt_status = create_local_token(mem_ctx,
  45                                        auth_ntlmssp_state->server_info,
  46                                        &auth_ntlmssp_state->ntlmssp_state->session_key,
  47                                        session_info);
  48
  49         if (!NT_STATUS_IS_OK(nt_status)) {
  50                 DEBUG(10, ("create_local_token failed: %s\n",
  51                            nt_errstr(nt_status)));
  52         }
  53         return nt_status;
  54 }
  55
  56 /**
  57  * Return the challenge as determined by the authentication subsystem
  58  * @return an 8 byte random challenge
  59  */
  60
  61 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
  62                                            uint8_t chal[8])
  63 {
  64         struct auth_ntlmssp_state *auth_ntlmssp_state =
  65                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  66         auth_ntlmssp_state->auth_context->get_ntlm_challenge(
  67                 auth_ntlmssp_state->auth_context, chal);
  68         return NT_STATUS_OK;
  69 }
  70
  71 /**
  72  * Some authentication methods 'fix' the challenge, so we may not be able to set it
  73  *
  74  * @return If the effective challenge used by the auth subsystem may be modified
  75  */
  76 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
  77 {
  78         struct auth_ntlmssp_state *auth_ntlmssp_state =
  79                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  80         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
  81
  82         return auth_context->challenge_may_be_modified;
  83 }
  84
  85 /**
  86  * NTLM2 authentication modifies the effective challenge,
  87  * @param challenge The new challenge value
  88  */
  89 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
  90 {
  91         struct auth_ntlmssp_state *auth_ntlmssp_state =
  92                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  93         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
  94
  95         SMB_ASSERT(challenge->length == 8);
  96
  97         auth_context->challenge = data_blob_talloc(auth_context,
  98                                                    challenge->data, challenge->length);
  99
 100         auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)";
 101
 102         DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
 103         DEBUG(5, ("challenge is: \n"));
 104         dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
 105         return NT_STATUS_OK;
 106 }
 107
 108 /**
 109  * Check the password on an NTLMSSP login.
 110  *
 111  * Return the session keys used on the connection.
 112  */
 113
 114 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *mem_ctx,
 115                                             DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 116 {
 117         struct auth_ntlmssp_state *auth_ntlmssp_state =
 118                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
 119         struct auth_usersupplied_info *user_info = NULL;
 120         NTSTATUS nt_status;
 121         bool username_was_mapped;
 122
 123         /* the client has given us its machine name (which we otherwise would not get on port 445).
 124            we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
 125
 126         set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->client.netbios_name, True);
 127
 128         /* setup the string used by %U */
 129         /* sub_set_smb_name checks for weird internally */
 130         sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
 131
 132         lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
 133
 134         nt_status = make_user_info_map(&user_info,
 135                                        auth_ntlmssp_state->ntlmssp_state->user,
 136                                        auth_ntlmssp_state->ntlmssp_state->domain,
 137                                        auth_ntlmssp_state->ntlmssp_state->client.netbios_name,
 138                                        auth_ntlmssp_state->remote_address,
 139                                        auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
 140                                        auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
 141                                        NULL, NULL, NULL,
 142                                        AUTH_PASSWORD_RESPONSE);
 143
 144         if (!NT_STATUS_IS_OK(nt_status)) {
 145                 return nt_status;
 146         }
 147
 148         user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
 149
 150         nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context,
 151                                                                           user_info, &auth_ntlmssp_state->server_info);
 152
 153         username_was_mapped = user_info->was_mapped;
 154
 155         free_user_info(&user_info);
 156
 157         if (!NT_STATUS_IS_OK(nt_status)) {
 158                 nt_status = do_map_to_guest_server_info(nt_status,
 159                                                         &auth_ntlmssp_state->server_info,
 160                                                         auth_ntlmssp_state->ntlmssp_state->user,
 161                                                         auth_ntlmssp_state->ntlmssp_state->domain);
 162                 return nt_status;
 163         }
 164
 165         auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
 166
 167         /* Clear out the session keys, and pass them to the caller.
 168          * They will not be used in this form again - instead the
 169          * NTLMSSP code will decide on the final correct session key,
 170          * and put it back here at the end of
 171          * auth_ntlmssp_steal_server_info */
 172         if (auth_ntlmssp_state->server_info->session_key.length) {
 173                 DEBUG(10, ("Got NT session key of length %u\n",
 174                         (unsigned int)auth_ntlmssp_state->server_info->session_key.length));
 175                 *session_key = auth_ntlmssp_state->server_info->session_key;
 176                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->session_key.data);
 177                 auth_ntlmssp_state->server_info->session_key = data_blob_null;
 178         }
 179         if (auth_ntlmssp_state->server_info->lm_session_key.length) {
 180                 DEBUG(10, ("Got LM session key of length %u\n",
 181                         (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
 182                 *lm_session_key = auth_ntlmssp_state->server_info->lm_session_key;
 183                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->lm_session_key.data);
 184                 auth_ntlmssp_state->server_info->lm_session_key = data_blob_null;
 185         }
 186         return nt_status;
 187 }
 188
 189 static int auth_ntlmssp_state_destructor(void *ptr);
 190
 191 NTSTATUS auth_ntlmssp_prepare(const struct tsocket_address *remote_address,
 192                               struct auth_ntlmssp_state **auth_ntlmssp_state)
 193 {
 194         NTSTATUS nt_status;
 195         bool is_standalone;
 196         const char *netbios_name;
 197         const char *netbios_domain;
 198         const char *dns_name;
 199         char *dns_domain;
 200         struct auth_ntlmssp_state *ans;
 201         struct auth_context *auth_context;
 202
 203         ans = talloc_zero(NULL, struct auth_ntlmssp_state);
 204         if (!ans) {
 205                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
 206                 return NT_STATUS_NO_MEMORY;
 207         }
 208
 209         nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context);
 210         if (!NT_STATUS_IS_OK(nt_status)) {
 211                 TALLOC_FREE(ans);
 212                 return nt_status;
 213         }
 214
 215         ans->auth_context = talloc_steal(ans, auth_context);
 216
 217         if (auth_context->prepare_gensec) {
 218                 nt_status = auth_context->prepare_gensec(ans, &ans->gensec_security);
 219                 if (!NT_STATUS_IS_OK(nt_status)) {
 220                         TALLOC_FREE(ans);
 221                         return nt_status;
 222                 } else {
 223                         *auth_ntlmssp_state = ans;
 224                         return NT_STATUS_OK;
 225                 }
 226         }
 227
 228         if ((enum server_role)lp_server_role() == ROLE_STANDALONE) {
 229                 is_standalone = true;
 230         } else {
 231                 is_standalone = false;
 232         }
 233
 234         netbios_name = lp_netbios_name();
 235         netbios_domain = lp_workgroup();
 236         /* This should be a 'netbios domain -> DNS domain' mapping */
 237         dns_domain = get_mydnsdomname(talloc_tos());
 238         if (dns_domain) {
 239                 strlower_m(dns_domain);
 240         }
 241         dns_name = get_mydnsfullname();
 242
 243         ans->remote_address = tsocket_address_copy(remote_address, ans);
 244         if (ans->remote_address == NULL) {
 245                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
 246                 return NT_STATUS_NO_MEMORY;
 247         }
 248
 249         nt_status = ntlmssp_server_start(ans,
 250                                          is_standalone,
 251                                          netbios_name,
 252                                          netbios_domain,
 253                                          dns_name,
 254                                          dns_domain,
 255                                          &ans->ntlmssp_state);
 256         if (!NT_STATUS_IS_OK(nt_status)) {
 257                 return nt_status;
 258         }
 259
 260         ans->ntlmssp_state->callback_private = ans;
 261         ans->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
 262         ans->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
 263         ans->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
 264         ans->ntlmssp_state->check_password = auth_ntlmssp_check_password;
 265
 266         talloc_set_destructor((TALLOC_CTX *)ans, auth_ntlmssp_state_destructor);
 267
 268         *auth_ntlmssp_state = ans;
 269         return NT_STATUS_OK;
 270 }
 271
 272 static int auth_ntlmssp_state_destructor(void *ptr)
 273 {
 274         struct auth_ntlmssp_state *ans;
 275
 276         ans = talloc_get_type(ptr, struct auth_ntlmssp_state);
 277
 278         TALLOC_FREE(ans->remote_address);
 279         TALLOC_FREE(ans->server_info);
 280         TALLOC_FREE(ans->ntlmssp_state);
 281         return 0;
 282 }
 283
 284 NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state *auth_ntlmssp_state)
 285 {
 286         if (auth_ntlmssp_state->auth_context->gensec_start_mech_by_oid) {
 287                 return auth_ntlmssp_state->auth_context->gensec_start_mech_by_oid(auth_ntlmssp_state->gensec_security, GENSEC_OID_NTLMSSP);
 288         }
 289
 290         return NT_STATUS_OK;
 291 }