void invalidate_vuid(uint16 vuid)
{
user_struct *vuser = NULL;
vuser = get_valid_user_struct_internal(vuid,
SERVER_ALLOCATED_REQUIRED_ANY);
if (vuser == NULL) {
return;
}
session_yield(vuser);
if (vuser->auth_ntlmssp_state) {
auth_ntlmssp_end(&vuser->auth_ntlmssp_state);
}
DLIST_REMOVE(validated_users, vuser);
/* clear the vuid from the 'cache' on each connection, and
from the vuid 'owner' of connections */
conn_clear_vuid_caches(vuid);
TALLOC_FREE(vuser);
num_validated_vuids--;
}
static int reply_spnego_negotiate(connection_struct *conn,
char *inbuf,
char *outbuf,
uint16 vuid,
int length, int bufsize,
DATA_BLOB blob1,
AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
{
DATA_BLOB secblob;
DATA_BLOB chal;
BOOL got_kerberos_mechanism = False;
NTSTATUS status;
status = parse_spnego_mechanisms(blob1, &secblob, &got_kerberos_mechanism);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(vuid);
return ERROR_NT(nt_status_squash(status));
}
DEBUG(3,("reply_spnego_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
#ifdef HAVE_KRB5
if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
BOOL destroy_vuid = True;
int ret = reply_spnego_kerberos(conn, inbuf, outbuf,
length, bufsize, &secblob, &destroy_vuid);
data_blob_free(&secblob);
if (destroy_vuid) {
/* Kill the intermediate vuid */
invalidate_vuid(vuid);
}
return ret;
}
#endif
if (*auth_ntlmssp_state) {
auth_ntlmssp_end(auth_ntlmssp_state);
}
status = auth_ntlmssp_start(auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(vuid);
return ERROR_NT(nt_status_squash(status));
}
status = auth_ntlmssp_update(*auth_ntlmssp_state,
secblob, &chal);
data_blob_free(&secblob);
reply_spnego_ntlmssp(conn, inbuf, outbuf, vuid, auth_ntlmssp_state,
&chal, status, True);
data_blob_free(&chal);
/* already replied */
return -1;
}
static int reply_spnego_negotiate(connection_struct *conn,
char *inbuf,
char *outbuf,
int length, int bufsize,
DATA_BLOB blob1)
{
char *OIDs[ASN1_MAX_OIDS];
DATA_BLOB secblob;
int i;
DATA_BLOB chal;
BOOL got_kerberos = False;
NTSTATUS nt_status;
/* parse out the OIDs and the first sec blob */
if (!parse_negTokenTarg(blob1, OIDs, &secblob)) {
return ERROR_NT(NT_STATUS_LOGON_FAILURE);
}
/* only look at the first OID for determining the mechToken --
accoirding to RFC2478, we should choose the one we want
and renegotiate, but i smell a client bug here..
Problem observed when connecting to a member (samba box)
of an AD domain as a user in a Samba domain. Samba member
server sent back krb5/mskrb5/ntlmssp as mechtypes, but the
client (2ksp3) replied with ntlmssp/mskrb5/krb5 and an
NTLMSSP mechtoken. --jerry */
if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 ||
strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
got_kerberos = True;
}
for (i=0;OIDs[i];i++) {
DEBUG(3,("Got OID %s\n", OIDs[i]));
free(OIDs[i]);
}
DEBUG(3,("Got secblob of size %lu\n", (unsigned long)secblob.length));
#ifdef HAVE_KRB5
if (got_kerberos && (SEC_ADS == lp_security())) {
int ret = reply_spnego_kerberos(conn, inbuf, outbuf,
length, bufsize, &secblob);
data_blob_free(&secblob);
return ret;
}
#endif
if (global_ntlmssp_state) {
auth_ntlmssp_end(&global_ntlmssp_state);
}
nt_status = auth_ntlmssp_start(&global_ntlmssp_state);
if (!NT_STATUS_IS_OK(nt_status)) {
return ERROR_NT(nt_status);
}
nt_status = auth_ntlmssp_update(global_ntlmssp_state,
secblob, &chal);
data_blob_free(&secblob);
reply_spnego_ntlmssp(conn, inbuf, outbuf, &global_ntlmssp_state,
&chal, nt_status);
data_blob_free(&chal);
/* already replied */
return -1;
}
static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *inbuf, char *outbuf,
uint16 vuid,
AUTH_NTLMSSP_STATE **auth_ntlmssp_state,
DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status,
BOOL wrap)
{
BOOL ret;
DATA_BLOB response;
struct auth_serversupplied_info *server_info = NULL;
if (NT_STATUS_IS_OK(nt_status)) {
server_info = (*auth_ntlmssp_state)->server_info;
} else {
nt_status = do_map_to_guest(nt_status,
&server_info,
(*auth_ntlmssp_state)->ntlmssp_state->user,
(*auth_ntlmssp_state)->ntlmssp_state->domain);
}
if (NT_STATUS_IS_OK(nt_status)) {
int sess_vuid;
DATA_BLOB nullblob = data_blob(NULL, 0);
DATA_BLOB session_key = data_blob((*auth_ntlmssp_state)->ntlmssp_state->session_key.data, (*auth_ntlmssp_state)->ntlmssp_state->session_key.length);
/* register_vuid keeps the server info */
sess_vuid = register_vuid(server_info, session_key, nullblob, (*auth_ntlmssp_state)->ntlmssp_state->user);
(*auth_ntlmssp_state)->server_info = NULL;
if (sess_vuid == UID_FIELD_INVALID ) {
nt_status = NT_STATUS_LOGON_FAILURE;
} else {
/* current_user_info is changed on new vuid */
reload_services( True );
set_message(outbuf,4,0,True);
SSVAL(outbuf, smb_vwv3, 0);
if (server_info->guest) {
SSVAL(outbuf,smb_vwv2,1);
}
SSVAL(outbuf,smb_uid,sess_vuid);
sessionsetup_start_signing_engine(server_info, inbuf);
}
}
if (wrap) {
response = spnego_gen_auth_response(ntlmssp_blob, nt_status, OID_NTLMSSP);
} else {
response = *ntlmssp_blob;
}
ret = reply_sesssetup_blob(conn, outbuf, response, nt_status);
if (wrap) {
data_blob_free(&response);
}
/* NT_STATUS_MORE_PROCESSING_REQUIRED from our NTLMSSP code tells us,
and the other end, that we are not finished yet. */
if (!ret || !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
/* NB. This is *NOT* an error case. JRA */
auth_ntlmssp_end(auth_ntlmssp_state);
/* Kill the intermediate vuid */
invalidate_vuid(vuid);
}
return ret;
}
static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *inbuf, char *outbuf,
AUTH_NTLMSSP_STATE **auth_ntlmssp_state,
DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status)
{
BOOL ret;
DATA_BLOB response;
struct auth_serversupplied_info *server_info = NULL;
if (NT_STATUS_IS_OK(nt_status)) {
server_info = (*auth_ntlmssp_state)->server_info;
} else {
nt_status = do_map_to_guest(nt_status,
&server_info,
(*auth_ntlmssp_state)->ntlmssp_state->user,
(*auth_ntlmssp_state)->ntlmssp_state->domain);
}
if (NT_STATUS_IS_OK(nt_status)) {
int sess_vuid;
DATA_BLOB nullblob = data_blob(NULL, 0);
DATA_BLOB session_key = data_blob((*auth_ntlmssp_state)->ntlmssp_state->session_key.data, (*auth_ntlmssp_state)->ntlmssp_state->session_key.length);
/* register_vuid keeps the server info */
sess_vuid = register_vuid(server_info, session_key, nullblob, (*auth_ntlmssp_state)->ntlmssp_state->user);
(*auth_ntlmssp_state)->server_info = NULL;
if (sess_vuid == -1) {
nt_status = NT_STATUS_LOGON_FAILURE;
} else {
/* current_user_info is changed on new vuid */
reload_services( True );
set_message(outbuf,4,0,True);
SSVAL(outbuf, smb_vwv3, 0);
if (server_info->guest) {
SSVAL(outbuf,smb_vwv2,1);
}
SSVAL(outbuf,smb_uid,sess_vuid);
if (!server_info->guest && !srv_signing_started()) {
/* We need to start the signing engine
* here but a W2K client sends the old
* "BSRSPYL " signature instead of the
* correct one. Subsequent packets will
* be correct.
*/
srv_check_sign_mac(inbuf, False);
}
}
}
response = spnego_gen_auth_response(ntlmssp_blob, nt_status, OID_NTLMSSP);
ret = reply_sesssetup_blob(conn, outbuf, response, nt_status);
data_blob_free(&response);
/* NT_STATUS_MORE_PROCESSING_REQUIRED from our NTLMSSP code tells us,
and the other end, that we are not finished yet. */
if (!ret || !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
auth_ntlmssp_end(auth_ntlmssp_state);
}
return ret;
}
