source3/smbd/auth_server.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 1.9.
   4    Authenticate to a remote server
   5    Copyright (C) Andrew Tridgell 1992-1998
   6    Copyright (C) Andrew Bartlett 2001
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24
  25 extern int DEBUGLEVEL;
  26
  27 extern pstring global_myname;
  28
  29 /****************************************************************************
  30  Return the client state structure.
  31 ****************************************************************************/
  32
  33 struct cli_state *server_client(void)
  34 {
  35         static struct cli_state pw_cli;
  36         return &pw_cli;
  37 }
  38
  39 /****************************************************************************
  40  Support for server level security.
  41 ****************************************************************************/
  42
  43 struct cli_state *server_cryptkey(void)
  44 {
  45         struct cli_state *cli;
  46         fstring desthost;
  47         struct in_addr dest_ip;
  48         char *p, *pserver;
  49         BOOL connected_ok = False;
  50
  51         cli = server_client();
  52
  53         if (!cli_initialise(cli))
  54                 return NULL;
  55
  56         pserver = strdup(lp_passwordserver());
  57         p = pserver;
  58
  59         while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) {
  60                 standard_sub_basic(desthost);
  61                 strupper(desthost);
  62
  63                 if(!resolve_name( desthost, &dest_ip, 0x20)) {
  64                         DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost));
  65                         continue;
  66                 }
  67
  68                 if (ismyip(dest_ip)) {
  69                         DEBUG(1,("Password server loop - disabling password server %s\n",desthost));
  70                         continue;
  71                 }
  72
  73                 if (cli_connect(cli, desthost, &dest_ip)) {
  74                         DEBUG(3,("connected to password server %s\n",desthost));
  75                         connected_ok = True;
  76                         break;
  77                 }
  78         }
  79
  80         SAFE_FREE(pserver);
  81
  82         if (!connected_ok) {
  83                 DEBUG(0,("password server not available\n"));
  84                 cli_shutdown(cli);
  85                 return NULL;
  86         }
  87
  88         if (!attempt_netbios_session_request(cli, global_myname, desthost, &dest_ip))
  89                 return NULL;
  90
  91         DEBUG(3,("got session\n"));
  92
  93         if (!cli_negprot(cli)) {
  94                 DEBUG(1,("%s rejected the negprot\n",desthost));
  95                 cli_shutdown(cli);
  96                 return NULL;
  97         }
  98
  99         if (cli->protocol < PROTOCOL_LANMAN2 ||
 100             !(cli->sec_mode & 1)) {
 101                 DEBUG(1,("%s isn't in user level security mode\n",desthost));
 102                 cli_shutdown(cli);
 103                 return NULL;
 104         }
 105
 106         DEBUG(3,("password server OK\n"));
 107
 108         return cli;
 109 }
 110
 111
 112 /****************************************************************************
 113  Check for a valid username and password in security=server mode.
 114   - Validate a password with the password server.
 115 ****************************************************************************/
 116
 117 NTSTATUS check_server_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info)
 118 {
 119         struct cli_state *cli;
 120         static unsigned char badpass[24];
 121         static fstring baduser;
 122         static BOOL tested_password_server = False;
 123         static BOOL bad_password_server = False;
 124         NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
 125
 126         cli = server_client();
 127
 128         if (!cli->initialised) {
 129                 DEBUG(1,("password server %s is not connected\n", cli->desthost));
 130                 return(NT_STATUS_LOGON_FAILURE);
 131         }
 132
 133         if(badpass[0] == 0)
 134                 memset(badpass, 0x1f, sizeof(badpass));
 135
 136         if((user_info->nt_resp.len == sizeof(badpass)) &&
 137            !memcmp(badpass, user_info->nt_resp.buffer, sizeof(badpass))) {
 138                 /*
 139                  * Very unlikely, our random bad password is the same as the users
 140                  * password.
 141                  */
 142                 memset(badpass, badpass[0]+1, sizeof(badpass));
 143         }
 144
 145         if(baduser[0] == 0) {
 146                 fstrcpy(baduser, INVALID_USER_PREFIX);
 147                 fstrcat(baduser, global_myname);
 148         }
 149
 150         /*
 151          * Attempt a session setup with a totally incorrect password.
 152          * If this succeeds with the guest bit *NOT* set then the password
 153          * server is broken and is not correctly setting the guest bit. We
 154          * need to detect this as some versions of NT4.x are broken. JRA.
 155          */
 156
 157         /* I sure as hell hope that there arn't servers out there that take
 158          * NTLMv2 and have this bug, as we don't test for that...
 159          *  - abartlet@samba.org
 160          */
 161
 162         if ((!tested_password_server) && (lp_paranoid_server_security())) {
 163                 if (cli_session_setup(cli, baduser, (char *)badpass, sizeof(badpass),
 164                                         (char *)badpass, sizeof(badpass), user_info->domain.str)) {
 165
 166                         /*
 167                          * We connected to the password server so we
 168                          * can say we've tested it.
 169                          */
 170                         tested_password_server = True;
 171
 172                         if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
 173                                 DEBUG(0,("server_validate: password server %s allows users as non-guest \
 174 with a bad password.\n", cli->desthost));
 175                                 DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
 176 use this machine as the password server.\n"));
 177                                 cli_ulogoff(cli);
 178
 179                                 /*
 180                                  * Password server has the bug.
 181                                  */
 182                                 bad_password_server = True;
 183                                 return NT_STATUS_LOGON_FAILURE;
 184                         }
 185                         cli_ulogoff(cli);
 186                 }
 187         } else {
 188
 189                 /*
 190                  * We have already tested the password server.
 191                  * Fail immediately if it has the bug.
 192                  */
 193
 194                 if(bad_password_server) {
 195                         DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
 196 with a bad password.\n", cli->desthost));
 197                         DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
 198 use this machine as the password server.\n"));
 199                         return NT_STATUS_LOGON_FAILURE;
 200                 }
 201         }
 202
 203         /*
 204          * Now we know the password server will correctly set the guest bit, or is
 205          * not guest enabled, we can try with the real password.
 206          */
 207
 208         if (!cli_session_setup(cli, user_info->smb_username.str,
 209                                (char *)user_info->lm_resp.buffer,
 210                                user_info->lm_resp.len,
 211                                (char *)user_info->nt_resp.buffer,
 212                                user_info->nt_resp.len,
 213                                user_info->domain.str)) {
 214                 DEBUG(1,("password server %s rejected the password\n", cli->desthost));
 215                 /* Make this cli_nt_error() when the conversion is in */
 216                 nt_status = cli_nt_error(cli);
 217         } else {
 218                 nt_status = NT_STATUS_OK;
 219         }
 220
 221         /* if logged in as guest then reject */
 222         if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
 223                 DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
 224                 nt_status = NT_STATUS_LOGON_FAILURE;
 225         }
 226
 227         cli_ulogoff(cli);
 228
 229         return(nt_status);
 230 }
 231
 232