source3/auth/auth_ntlmssp.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, server side
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett 2001-2003
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "auth.h"
  25 #include "../libcli/auth/ntlmssp.h"
  26 #include "ntlmssp_wrap.h"
  27 #include "../librpc/gen_ndr/netlogon.h"
  28 #include "../lib/tsocket/tsocket.h"
  29 #include "auth/gensec/gensec.h"
  30
  31 NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
  32                                         struct auth_ntlmssp_state *auth_ntlmssp_state,
  33                                         struct auth_session_info **session_info)
  34 {
  35         NTSTATUS nt_status;
  36         if (auth_ntlmssp_state->gensec_security) {
  37
  38                 nt_status = gensec_session_info(auth_ntlmssp_state->gensec_security,
  39                                                 mem_ctx,
  40                                                 session_info);
  41                 return nt_status;
  42         }
  43
  44         nt_status = create_local_token(mem_ctx,
  45                                        auth_ntlmssp_state->server_info,
  46                                        &auth_ntlmssp_state->ntlmssp_state->session_key,
  47                                        session_info);
  48
  49         if (!NT_STATUS_IS_OK(nt_status)) {
  50                 DEBUG(10, ("create_local_token failed: %s\n",
  51                            nt_errstr(nt_status)));
  52         }
  53         return nt_status;
  54 }
  55
  56 /**
  57  * Return the challenge as determined by the authentication subsystem
  58  * @return an 8 byte random challenge
  59  */
  60
  61 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
  62                                            uint8_t chal[8])
  63 {
  64         struct auth_ntlmssp_state *auth_ntlmssp_state =
  65                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  66         auth_ntlmssp_state->auth_context->get_ntlm_challenge(
  67                 auth_ntlmssp_state->auth_context, chal);
  68         return NT_STATUS_OK;
  69 }
  70
  71 /**
  72  * Some authentication methods 'fix' the challenge, so we may not be able to set it
  73  *
  74  * @return If the effective challenge used by the auth subsystem may be modified
  75  */
  76 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
  77 {
  78         struct auth_ntlmssp_state *auth_ntlmssp_state =
  79                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  80         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
  81
  82         return auth_context->challenge_may_be_modified;
  83 }
  84
  85 /**
  86  * NTLM2 authentication modifies the effective challenge,
  87  * @param challenge The new challenge value
  88  */
  89 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
  90 {
  91         struct auth_ntlmssp_state *auth_ntlmssp_state =
  92                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  93         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
  94
  95         SMB_ASSERT(challenge->length == 8);
  96
  97         auth_context->challenge = data_blob_talloc(auth_context,
  98                                                    challenge->data, challenge->length);
  99
 100         auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)";
 101
 102         DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
 103         DEBUG(5, ("challenge is: \n"));
 104         dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
 105         return NT_STATUS_OK;
 106 }
 107
 108 /**
 109  * Check the password on an NTLMSSP login.
 110  *
 111  * Return the session keys used on the connection.
 112  */
 113
 114 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *mem_ctx,
 115                                             DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 116 {
 117         struct auth_ntlmssp_state *auth_ntlmssp_state =
 118                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
 119         struct auth_usersupplied_info *user_info = NULL;
 120         NTSTATUS nt_status;
 121         bool username_was_mapped;
 122
 123         /* the client has given us its machine name (which we otherwise would not get on port 445).
 124            we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
 125
 126         set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->client.netbios_name, True);
 127
 128         /* setup the string used by %U */
 129         /* sub_set_smb_name checks for weird internally */
 130         sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
 131
 132         lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
 133
 134         nt_status = make_user_info_map(&user_info,
 135                                        auth_ntlmssp_state->ntlmssp_state->user,
 136                                        auth_ntlmssp_state->ntlmssp_state->domain,
 137                                        auth_ntlmssp_state->ntlmssp_state->client.netbios_name,
 138                                        auth_ntlmssp_state->remote_address,
 139                                        auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
 140                                        auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
 141                                        NULL, NULL, NULL,
 142                                        AUTH_PASSWORD_RESPONSE);
 143
 144         if (!NT_STATUS_IS_OK(nt_status)) {
 145                 return nt_status;
 146         }
 147
 148         user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
 149
 150         nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context,
 151                                                                           user_info, &auth_ntlmssp_state->server_info);
 152
 153         username_was_mapped = user_info->was_mapped;
 154
 155         free_user_info(&user_info);
 156
 157         if (!NT_STATUS_IS_OK(nt_status)) {
 158                 nt_status = do_map_to_guest_server_info(nt_status,
 159                                                         &auth_ntlmssp_state->server_info,
 160                                                         auth_ntlmssp_state->ntlmssp_state->user,
 161                                                         auth_ntlmssp_state->ntlmssp_state->domain);
 162                 return nt_status;
 163         }
 164
 165         auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
 166
 167         /* Clear out the session keys, and pass them to the caller.
 168          * They will not be used in this form again - instead the
 169          * NTLMSSP code will decide on the final correct session key,
 170          * and put it back here at the end of
 171          * auth_ntlmssp_steal_server_info */
 172         if (auth_ntlmssp_state->server_info->session_key.length) {
 173                 DEBUG(10, ("Got NT session key of length %u\n",
 174                         (unsigned int)auth_ntlmssp_state->server_info->session_key.length));
 175                 *session_key = auth_ntlmssp_state->server_info->session_key;
 176                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->session_key.data);
 177                 auth_ntlmssp_state->server_info->session_key = data_blob_null;
 178         }
 179         if (auth_ntlmssp_state->server_info->lm_session_key.length) {
 180                 DEBUG(10, ("Got LM session key of length %u\n",
 181                         (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
 182                 *lm_session_key = auth_ntlmssp_state->server_info->lm_session_key;
 183                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->lm_session_key.data);
 184                 auth_ntlmssp_state->server_info->lm_session_key = data_blob_null;
 185         }
 186         return nt_status;
 187 }
 188
 189 static int auth_ntlmssp_state_destructor(void *ptr);
 190
 191 NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
 192                             struct auth_ntlmssp_state **auth_ntlmssp_state)
 193 {
 194         NTSTATUS nt_status;
 195         bool is_standalone;
 196         const char *netbios_name;
 197         const char *netbios_domain;
 198         const char *dns_name;
 199         char *dns_domain;
 200         struct auth_ntlmssp_state *ans;
 201         struct auth_context *auth_context;
 202
 203         ans = talloc_zero(NULL, struct auth_ntlmssp_state);
 204         if (!ans) {
 205                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
 206                 return NT_STATUS_NO_MEMORY;
 207         }
 208
 209         nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context);
 210         if (!NT_STATUS_IS_OK(nt_status)) {
 211                 TALLOC_FREE(ans);
 212                 return nt_status;
 213         }
 214
 215         if (auth_context->prepare_gensec) {
 216                 nt_status = auth_context->prepare_gensec(ans, &ans->gensec_security);
 217                 if (!NT_STATUS_IS_OK(nt_status)) {
 218                         TALLOC_FREE(ans);
 219                         return nt_status;
 220                 } else {
 221                         nt_status = auth_context->gensec_start_mech_by_oid(ans->gensec_security, GENSEC_OID_NTLMSSP);
 222                         if (!NT_STATUS_IS_OK(nt_status)) {
 223                                 TALLOC_FREE(ans);
 224                                 return nt_status;
 225                         } else {
 226                                 *auth_ntlmssp_state = ans;
 227                                 return NT_STATUS_OK;
 228                         }
 229                 }
 230         }
 231
 232         if ((enum server_role)lp_server_role() == ROLE_STANDALONE) {
 233                 is_standalone = true;
 234         } else {
 235                 is_standalone = false;
 236         }
 237
 238         netbios_name = lp_netbios_name();
 239         netbios_domain = lp_workgroup();
 240         /* This should be a 'netbios domain -> DNS domain' mapping */
 241         dns_domain = get_mydnsdomname(talloc_tos());
 242         if (dns_domain) {
 243                 strlower_m(dns_domain);
 244         }
 245         dns_name = get_mydnsfullname();
 246
 247         ans->remote_address = tsocket_address_copy(remote_address, ans);
 248         if (ans->remote_address == NULL) {
 249                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
 250                 return NT_STATUS_NO_MEMORY;
 251         }
 252
 253         nt_status = ntlmssp_server_start(ans,
 254                                          is_standalone,
 255                                          netbios_name,
 256                                          netbios_domain,
 257                                          dns_name,
 258                                          dns_domain,
 259                                          &ans->ntlmssp_state);
 260         if (!NT_STATUS_IS_OK(nt_status)) {
 261                 return nt_status;
 262         }
 263
 264         ans->auth_context = talloc_steal(ans, auth_context);
 265
 266         ans->ntlmssp_state->callback_private = ans;
 267         ans->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
 268         ans->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
 269         ans->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
 270         ans->ntlmssp_state->check_password = auth_ntlmssp_check_password;
 271
 272         talloc_set_destructor((TALLOC_CTX *)ans, auth_ntlmssp_state_destructor);
 273
 274         *auth_ntlmssp_state = ans;
 275         return NT_STATUS_OK;
 276 }
 277
 278 static int auth_ntlmssp_state_destructor(void *ptr)
 279 {
 280         struct auth_ntlmssp_state *ans;
 281
 282         ans = talloc_get_type(ptr, struct auth_ntlmssp_state);
 283
 284         TALLOC_FREE(ans->remote_address);
 285         TALLOC_FREE(ans->server_info);
 286         TALLOC_FREE(ans->ntlmssp_state);
 287         return 0;
 288 }