2 Unix SMB/Netbios implementation.
4 handle NLTMSSP, server side
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett 2001-2003
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "../libcli/auth/ntlmssp.h"
26 struct auth_ntlmssp_state {
28 struct auth_context *auth_context;
29 struct auth_serversupplied_info *server_info;
30 struct ntlmssp_state *ntlmssp_state;
33 NTSTATUS auth_ntlmssp_sign_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
34 TALLOC_CTX *sig_mem_ctx,
35 const uint8_t *data, size_t length,
36 const uint8_t *whole_pdu, size_t pdu_length,
39 return ntlmssp_sign_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
42 NTSTATUS auth_ntlmssp_check_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
43 const uint8_t *data, size_t length,
44 const uint8_t *whole_pdu, size_t pdu_length,
47 return ntlmssp_check_packet(auth_ntlmssp_state->ntlmssp_state, data, length, whole_pdu, pdu_length, sig);
50 NTSTATUS auth_ntlmssp_seal_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
51 TALLOC_CTX *sig_mem_ctx,
52 uint8_t *data, size_t length,
53 const uint8_t *whole_pdu, size_t pdu_length,
56 return ntlmssp_seal_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
59 NTSTATUS auth_ntlmssp_unseal_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
60 uint8_t *data, size_t length,
61 const uint8_t *whole_pdu, size_t pdu_length,
64 return ntlmssp_unseal_packet(auth_ntlmssp_state->ntlmssp_state, data, length, whole_pdu, pdu_length, sig);
67 bool auth_ntlmssp_negotiated_sign(struct auth_ntlmssp_state *auth_ntlmssp_state)
69 return auth_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN;
72 bool auth_ntlmssp_negotiated_seal(struct auth_ntlmssp_state *auth_ntlmssp_state)
74 return auth_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL;
77 void auth_ntlmssp_want_sign(struct auth_ntlmssp_state *auth_ntlmssp_state)
82 void auth_ntlmssp_want_seal(struct auth_ntlmssp_state *auth_ntlmssp_state)
87 NTSTATUS auth_ntlmssp_server_info(TALLOC_CTX *mem_ctx,
88 struct auth_ntlmssp_state *auth_ntlmssp_state,
89 struct auth_serversupplied_info **_server_info)
91 struct auth_serversupplied_info *server_info = auth_ntlmssp_state->server_info;
92 data_blob_free(&server_info->user_session_key);
93 server_info->user_session_key =
96 auth_ntlmssp_state->ntlmssp_state->session_key.data,
97 auth_ntlmssp_state->ntlmssp_state->session_key.length);
98 if (auth_ntlmssp_state->ntlmssp_state->session_key.length && !server_info->user_session_key.data) {
100 return NT_STATUS_NO_MEMORY;
102 auth_ntlmssp_state->server_info = NULL;
103 *_server_info = talloc_steal(mem_ctx, server_info);
107 struct ntlmssp_state *auth_ntlmssp_get_ntlmssp_state(struct auth_ntlmssp_state *auth_ntlmssp_state)
109 return auth_ntlmssp_state->ntlmssp_state;
112 /* Needed for 'map to guest' and 'smb username' processing */
113 const char *auth_ntlmssp_get_username(struct auth_ntlmssp_state *auth_ntlmssp_state)
115 return auth_ntlmssp_state->ntlmssp_state->user;
118 const char *auth_ntlmssp_get_domain(struct auth_ntlmssp_state *auth_ntlmssp_state)
120 return auth_ntlmssp_state->ntlmssp_state->domain;
123 const char *auth_ntlmssp_get_client(struct auth_ntlmssp_state *auth_ntlmssp_state)
125 return auth_ntlmssp_state->ntlmssp_state->client.netbios_name;
129 * Return the challenge as determined by the authentication subsystem
130 * @return an 8 byte random challenge
133 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
136 struct auth_ntlmssp_state *auth_ntlmssp_state =
137 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
138 auth_ntlmssp_state->auth_context->get_ntlm_challenge(
139 auth_ntlmssp_state->auth_context, chal);
144 * Some authentication methods 'fix' the challenge, so we may not be able to set it
146 * @return If the effective challenge used by the auth subsystem may be modified
148 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
150 struct auth_ntlmssp_state *auth_ntlmssp_state =
151 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
152 struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
154 return auth_context->challenge_may_be_modified;
158 * NTLM2 authentication modifies the effective challenge,
159 * @param challenge The new challenge value
161 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
163 struct auth_ntlmssp_state *auth_ntlmssp_state =
164 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
165 struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
167 SMB_ASSERT(challenge->length == 8);
169 auth_context->challenge = data_blob_talloc(auth_context,
170 challenge->data, challenge->length);
172 auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)";
174 DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
175 DEBUG(5, ("challenge is: \n"));
176 dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
181 * Check the password on an NTLMSSP login.
183 * Return the session keys used on the connection.
186 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
188 struct auth_ntlmssp_state *auth_ntlmssp_state =
189 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
190 struct auth_usersupplied_info *user_info = NULL;
192 bool username_was_mapped;
194 /* the client has given us its machine name (which we otherwise would not get on port 445).
195 we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
197 set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->client.netbios_name, True);
199 /* setup the string used by %U */
200 /* sub_set_smb_name checks for weird internally */
201 sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
203 reload_services(True);
205 nt_status = make_user_info_map(&user_info,
206 auth_ntlmssp_state->ntlmssp_state->user,
207 auth_ntlmssp_state->ntlmssp_state->domain,
208 auth_ntlmssp_state->ntlmssp_state->client.netbios_name,
209 auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
210 auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
214 user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
216 if (!NT_STATUS_IS_OK(nt_status)) {
220 nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context,
221 user_info, &auth_ntlmssp_state->server_info);
223 username_was_mapped = user_info->was_mapped;
225 free_user_info(&user_info);
227 if (!NT_STATUS_IS_OK(nt_status)) {
231 auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
233 nt_status = create_local_token(auth_ntlmssp_state->server_info);
235 if (!NT_STATUS_IS_OK(nt_status)) {
236 DEBUG(10, ("create_local_token failed: %s\n",
237 nt_errstr(nt_status)));
241 if (auth_ntlmssp_state->server_info->user_session_key.length) {
242 DEBUG(10, ("Got NT session key of length %u\n",
243 (unsigned int)auth_ntlmssp_state->server_info->user_session_key.length));
244 *user_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
245 auth_ntlmssp_state->server_info->user_session_key.data,
246 auth_ntlmssp_state->server_info->user_session_key.length);
248 if (auth_ntlmssp_state->server_info->lm_session_key.length) {
249 DEBUG(10, ("Got LM session key of length %u\n",
250 (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
251 *lm_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
252 auth_ntlmssp_state->server_info->lm_session_key.data,
253 auth_ntlmssp_state->server_info->lm_session_key.length);
258 NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state)
263 const char *netbios_name;
264 const char *netbios_domain;
265 const char *dns_name;
267 struct auth_ntlmssp_state *ans;
269 if ((enum server_types)lp_server_role() == ROLE_STANDALONE) {
270 is_standalone = true;
272 is_standalone = false;
275 netbios_name = global_myname();
276 netbios_domain = lp_workgroup();
277 /* This should be a 'netbios domain -> DNS domain' mapping */
278 dns_domain = get_mydnsdomname(talloc_tos());
280 strlower_m(dns_domain);
282 dns_name = get_mydnsfullname();
284 mem_ctx = talloc_init("AUTH NTLMSSP context");
286 ans = talloc_zero(mem_ctx, struct auth_ntlmssp_state);
288 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
289 talloc_destroy(mem_ctx);
290 return NT_STATUS_NO_MEMORY;
293 ans->mem_ctx = mem_ctx;
295 nt_status = ntlmssp_server_start(NULL,
301 &ans->ntlmssp_state);
302 if (!NT_STATUS_IS_OK(nt_status)) {
306 nt_status = make_auth_context_subsystem(&ans->auth_context);
307 if (!NT_STATUS_IS_OK(nt_status)) {
311 ans->ntlmssp_state->callback_private = ans;
312 ans->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
313 ans->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
314 ans->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
315 ans->ntlmssp_state->check_password = auth_ntlmssp_check_password;
317 *auth_ntlmssp_state = ans;
321 void auth_ntlmssp_end(struct auth_ntlmssp_state **auth_ntlmssp_state)
323 struct auth_ntlmssp_state *ans = *auth_ntlmssp_state;
330 mem_ctx = ans->mem_ctx;
331 if (ans->ntlmssp_state) {
332 TALLOC_FREE(ans->ntlmssp_state);
334 if (ans->auth_context) {
335 TALLOC_FREE(ans->auth_context);
337 if (ans->server_info) {
338 TALLOC_FREE(ans->server_info);
340 talloc_destroy(mem_ctx);
341 *auth_ntlmssp_state = NULL;
344 NTSTATUS auth_ntlmssp_update(struct auth_ntlmssp_state *auth_ntlmssp_state,
345 const DATA_BLOB request, DATA_BLOB *reply)
347 return ntlmssp_update(auth_ntlmssp_state->ntlmssp_state, request, reply);