/*
* Test that a ticket obtained for the DNS service will be accepted on the Samba DLZ side
*
*/
static bool test_dlz_bind9_gensec(struct torture_context *tctx, const char *mech)
{
NTSTATUS status;
struct gensec_security *gensec_client_context;
DATA_BLOB client_to_server, server_to_client;
void *dbdata;
const char *argv[] = {
"samba_dlz",
"-H",
lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"),
NULL
};
tctx_static = tctx;
torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, discard_const_p(char *, argv), &dbdata,
"log", dlz_bind9_log_wrapper,
"writeable_zone", dlz_bind9_writeable_zone_hook, NULL),
ISC_R_SUCCESS,
"Failed to create samba_dlz");
torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
ISC_R_SUCCESS,
"Failed to configure samba_dlz");
status = gensec_client_start(tctx, &gensec_client_context,
lpcfg_gensec_settings(tctx, tctx->lp_ctx));
torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
status = gensec_set_target_hostname(gensec_client_context, torture_setting_string(tctx, "host", NULL));
torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");
status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
status = gensec_start_mech_by_sasl_name(gensec_client_context, mech);
torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
server_to_client = data_blob(NULL, 0);
/* Do one step of the client-server update dance */
status = gensec_update(gensec_client_context, tctx, tctx->ev, server_to_client, &client_to_server);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
}
torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials),
lpcfg_dnsdomain(tctx->lp_ctx),
"127.0.0.1", "type", "key",
client_to_server.length,
client_to_server.data,
dbdata),
ISC_R_SUCCESS,
"Failed to check key for update rights samba_dlz");
dlz_destroy(dbdata);
return true;
}
static NTSTATUS smb2srv_negprot_secblob(struct smb2srv_request *req, DATA_BLOB *_blob)
{
struct gensec_security *gensec_security;
DATA_BLOB null_data_blob = data_blob(NULL, 0);
DATA_BLOB blob;
NTSTATUS nt_status;
struct cli_credentials *server_credentials;
server_credentials = cli_credentials_init(req);
if (!server_credentials) {
smbsrv_terminate_connection(req->smb_conn, "Failed to init server credentials\n");
return NT_STATUS_NO_MEMORY;
}
cli_credentials_set_conf(server_credentials, req->smb_conn->lp_ctx);
nt_status = cli_credentials_set_machine_account(server_credentials, req->smb_conn->lp_ctx);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(nt_status)));
talloc_free(server_credentials);
server_credentials = NULL;
}
req->smb_conn->negotiate.server_credentials = talloc_steal(req->smb_conn, server_credentials);
nt_status = samba_server_gensec_start(req,
req->smb_conn->connection->event.ctx,
req->smb_conn->connection->msg_ctx,
req->smb_conn->lp_ctx,
server_credentials,
"cifs",
&gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("Failed to start GENSEC: %s\n", nt_errstr(nt_status)));
smbsrv_terminate_connection(req->smb_conn, "Failed to start GENSEC\n");
return nt_status;
}
gensec_set_target_service(gensec_security, "cifs");
gensec_set_credentials(gensec_security, server_credentials);
nt_status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("Failed to start SPNEGO: %s\n", nt_errstr(nt_status)));
smbsrv_terminate_connection(req->smb_conn, "Failed to start SPNEGO\n");
return nt_status;
}
nt_status = gensec_update(gensec_security, req, req->smb_conn->connection->event.ctx, null_data_blob, &blob);
if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(0, ("Failed to get SPNEGO to give us the first token: %s\n", nt_errstr(nt_status)));
smbsrv_terminate_connection(req->smb_conn, "Failed to start SPNEGO - no first token\n");
return nt_status;
}
*_blob = blob;
return NT_STATUS_OK;
}
NTSTATUS auth_generic_server_start(TALLOC_CTX *mem_ctx,
const char *oid,
bool do_sign,
bool do_seal,
bool is_dcerpc,
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
struct gensec_security **ctx)
{
struct gensec_security *gensec_security = NULL;
NTSTATUS status;
status = auth_generic_prepare(talloc_tos(), remote_address, &gensec_security);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_prepare failed: %s\n",
nt_errstr(status)));
return status;
}
if (do_sign) {
gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
}
if (do_seal) {
gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
}
if (is_dcerpc) {
gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
}
status = gensec_start_mech_by_oid(gensec_security, oid);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_start failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(gensec_security);
return status;
}
status = gensec_update(gensec_security, mem_ctx, NULL, *token_in, token_out);
if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(2, (__location__ ": gensec_update failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(gensec_security);
return status;
}
/* steal gensec context to the caller */
*ctx = talloc_move(mem_ctx, &gensec_security);
return NT_STATUS_OK;
}
NTSTATUS auth_generic_server_step(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
DATA_BLOB *token_in,
DATA_BLOB *token_out)
{
NTSTATUS status;
/* this has to be done as root in order to verify the password */
become_root();
status = gensec_update(gensec_security, mem_ctx, NULL, *token_in, token_out);
unbecome_root();
return status;
}
/*
add any auth information needed in a alter ack, and process the authentication
information found in the alter.
*/
NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
{
struct dcesrv_connection *dce_conn = call->conn;
NTSTATUS status;
/* on a pure interface change there is no auth_info structure
setup */
if (!call->conn->auth_state.auth_info ||
dce_conn->auth_state.auth_info->credentials.length == 0) {
return NT_STATUS_OK;
}
if (!call->conn->auth_state.gensec_security) {
return NT_STATUS_INVALID_PARAMETER;
}
status = gensec_update(dce_conn->auth_state.gensec_security,
call, call->event_ctx,
dce_conn->auth_state.auth_info->credentials,
&dce_conn->auth_state.auth_info->credentials);
if (NT_STATUS_IS_OK(status)) {
status = gensec_session_info(dce_conn->auth_state.gensec_security,
dce_conn,
&dce_conn->auth_state.session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
return status;
}
/* Now that we are authenticated, got back to the generic session key... */
dce_conn->auth_state.session_key = dcesrv_generic_session_key;
return NT_STATUS_OK;
} else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
dce_conn->auth_state.auth_info->auth_pad_length = 0;
dce_conn->auth_state.auth_info->auth_reserved = 0;
return NT_STATUS_OK;
}
DEBUG(4, ("GENSEC mech rejected the incoming authentication at auth alter_ack: %s\n",
nt_errstr(status)));
return status;
}
/*
process the final stage of a auth request
*/
bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
{
struct ncacn_packet *pkt = &call->pkt;
struct dcesrv_connection *dce_conn = call->conn;
NTSTATUS status;
uint32_t auth_length;
/* We can't work without an existing gensec state, and an new blob to feed it */
if (!dce_conn->auth_state.auth_info ||
!dce_conn->auth_state.gensec_security ||
pkt->u.auth3.auth_info.length == 0) {
return false;
}
status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.auth3.auth_info,
dce_conn->auth_state.auth_info, &auth_length, true);
if (!NT_STATUS_IS_OK(status)) {
return false;
}
/* Pass the extra data we got from the client down to gensec for processing */
status = gensec_update(dce_conn->auth_state.gensec_security,
call, call->event_ctx,
dce_conn->auth_state.auth_info->credentials,
&dce_conn->auth_state.auth_info->credentials);
if (NT_STATUS_IS_OK(status)) {
status = gensec_session_info(dce_conn->auth_state.gensec_security,
dce_conn,
&dce_conn->auth_state.session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
return false;
}
/* Now that we are authenticated, go back to the generic session key... */
dce_conn->auth_state.session_key = dcesrv_generic_session_key;
return true;
} else {
DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_auth3: %s\n",
nt_errstr(status)));
return false;
}
}
/*
add any auth information needed in a bind ack, and process the authentication
information found in the bind.
*/
NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
{
struct dcesrv_connection *dce_conn = call->conn;
NTSTATUS status;
if (!call->conn->auth_state.gensec_security) {
return NT_STATUS_OK;
}
status = gensec_update(dce_conn->auth_state.gensec_security,
call,
dce_conn->auth_state.auth_info->credentials,
&dce_conn->auth_state.auth_info->credentials);
if (NT_STATUS_IS_OK(status)) {
status = gensec_session_info(dce_conn->auth_state.gensec_security,
&dce_conn->auth_state.session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
return status;
}
if (dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
gensec_want_feature(dce_conn->auth_state.gensec_security,
GENSEC_FEATURE_SIGN_PKT_HEADER);
}
/* Now that we are authenticated, go back to the generic session key... */
dce_conn->auth_state.session_key = dcesrv_generic_session_key;
return NT_STATUS_OK;
} else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
dce_conn->auth_state.auth_info->auth_pad_length = 0;
dce_conn->auth_state.auth_info->auth_reserved = 0;
return NT_STATUS_OK;
} else {
DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_ack: %s\n",
nt_errstr(status)));
return status;
}
}
static NTSTATUS auth_generic_server_authtype_start_as_root(TALLOC_CTX *mem_ctx,
uint8_t auth_type, uint8_t auth_level,
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
struct gensec_security **ctx)
{
struct gensec_security *gensec_security = NULL;
NTSTATUS status;
status = auth_generic_prepare(talloc_tos(), remote_address, &gensec_security);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_prepare failed: %s\n",
nt_errstr(status)));
return status;
}
status = gensec_start_mech_by_authtype(gensec_security, auth_type, auth_level);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_start failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(gensec_security);
return status;
}
status = gensec_update(gensec_security, mem_ctx, NULL, *token_in, token_out);
if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(2, (__location__ ": gensec_update failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(gensec_security);
return status;
}
/* steal gensec context to the caller */
*ctx = talloc_move(mem_ctx, &gensec_security);
return NT_STATUS_OK;
}
static NTSTATUS do_ntlm_auth_with_stored_pw(const char *username,
const char *domain,
const char *password,
const DATA_BLOB initial_msg,
const DATA_BLOB challenge_msg,
DATA_BLOB *auth_msg,
uint8_t session_key[16])
{
NTSTATUS status;
struct auth_generic_state *auth_generic_state = NULL;
DATA_BLOB dummy_msg, reply, session_key_blob;
status = auth_generic_client_prepare(NULL, &auth_generic_state);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not start NTLMSSP client: %s\n",
nt_errstr(status)));
goto done;
}
status = auth_generic_set_username(auth_generic_state, username);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not set username: %s\n",
nt_errstr(status)));
goto done;
}
status = auth_generic_set_domain(auth_generic_state, domain);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not set domain: %s\n",
nt_errstr(status)));
goto done;
}
status = auth_generic_set_password(auth_generic_state, password);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not set password: %s\n",
nt_errstr(status)));
goto done;
}
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
status = auth_generic_client_start(auth_generic_state, GENSEC_OID_NTLMSSP);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not start NTLMSSP mech: %s\n",
nt_errstr(status)));
goto done;
}
/* We need to get our protocol handler into the right state. So first
we ask it to generate the initial message. Actually the client has already
sent its own initial message, so we're going to drop this one on the floor.
The client might have sent a different message, for example with different
negotiation options, but as far as I can tell this won't hurt us. (Unless
the client sent a different username or domain, in which case that's their
problem for telling us the wrong username or domain.)
Since we have a copy of the initial message that the client sent, we could
resolve any discrepancies if we had to.
*/
dummy_msg = data_blob_null;
reply = data_blob_null;
status = gensec_update(auth_generic_state->gensec_security,
talloc_tos(), dummy_msg, &reply);
data_blob_free(&reply);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(1, ("Failed to create initial message! [%s]\n",
nt_errstr(status)));
goto done;
}
/* Now we are ready to handle the server's actual response. */
status = gensec_update(auth_generic_state->gensec_security,
NULL, challenge_msg, &reply);
if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
DEBUG(1, ("We didn't get a response to the challenge! [%s]\n",
nt_errstr(status)));
data_blob_free(&reply);
goto done;
}
status = gensec_session_key(auth_generic_state->gensec_security,
talloc_tos(), &session_key_blob);
if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
DEBUG(1, ("We didn't get the session key we requested! [%s]\n",
nt_errstr(status)));
data_blob_free(&reply);
goto done;
}
if (session_key_blob.length != 16) {
DEBUG(1, ("invalid session key length %d\n",
(int)session_key_blob.length));
data_blob_free(&reply);
goto done;
}
memcpy(session_key, session_key_blob.data, 16);
data_blob_free(&session_key_blob);
*auth_msg = reply;
status = NT_STATUS_OK;
done:
TALLOC_FREE(auth_generic_state);
return status;
}
DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn)
{
DATA_BLOB blob = data_blob_null;
DATA_BLOB blob_out = data_blob_null;
nstring dos_name;
fstring unix_name;
NTSTATUS status;
#ifdef DEVELOPER
size_t slen;
#endif
struct gensec_security *gensec_security;
/* See if we can get an SPNEGO blob */
status = auth_generic_prepare(talloc_tos(),
sconn->remote_address,
&gensec_security);
if (NT_STATUS_IS_OK(status)) {
status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
if (NT_STATUS_IS_OK(status)) {
status = gensec_update(gensec_security, ctx,
NULL, data_blob_null, &blob);
/* If we get the list of OIDs, the 'OK' answer
* is NT_STATUS_MORE_PROCESSING_REQUIRED */
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(0, ("Failed to start SPNEGO handler for negprot OID list!\n"));
blob = data_blob_null;
}
}
TALLOC_FREE(gensec_security);
}
sconn->smb1.negprot.spnego = true;
/* strangely enough, NT does not sent the single OID NTLMSSP when
not a ADS member, it sends no OIDs at all
OLD COMMENT : "we can't do this until we teach our sesssion setup parser to know
about raw NTLMSSP (clients send no ASN.1 wrapping if we do this)"
Our sessionsetup code now handles raw NTLMSSP connects, so we can go
back to doing what W2K3 does here. This is needed to make PocketPC 2003
CIFS connections work with SPNEGO. See bugzilla bugs #1828 and #3133
for details. JRA.
*/
if (blob.length == 0 || blob.data == NULL) {
return data_blob_null;
}
blob_out = data_blob_talloc(ctx, NULL, 16 + blob.length);
if (blob_out.data == NULL) {
data_blob_free(&blob);
return data_blob_null;
}
memset(blob_out.data, '\0', 16);
checked_strlcpy(unix_name, lp_netbios_name(), sizeof(unix_name));
(void)strlower_m(unix_name);
push_ascii_nstring(dos_name, unix_name);
strlcpy((char *)blob_out.data, dos_name, 17);
#ifdef DEVELOPER
/* Fix valgrind 'uninitialized bytes' issue. */
slen = strlen(dos_name);
if (slen < 16) {
memset(blob_out.data+slen, '\0', 16 - slen);
}
#endif
memcpy(&blob_out.data[16], blob.data, blob.length);
data_blob_free(&blob);
return blob_out;
}
/*
authorize a zone update
*/
_PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr,
const char *type, const char *key, uint32_t keydatalen, uint8_t *keydata,
void *dbdata)
{
struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
TALLOC_CTX *tmp_ctx;
DATA_BLOB ap_req;
struct cli_credentials *server_credentials;
char *keytab_name;
int ret;
int ldb_ret;
NTSTATUS nt_status;
struct gensec_security *gensec_ctx;
struct auth_session_info *session_info;
struct ldb_dn *dn;
isc_result_t result;
struct ldb_result *res;
const char * attrs[] = { NULL };
uint32_t access_mask;
/* Remove cached credentials, if any */
if (state->session_info) {
talloc_free(state->session_info);
state->session_info = NULL;
}
if (state->update_name) {
talloc_free(state->update_name);
state->update_name = NULL;
}
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
state->log(ISC_LOG_ERROR, "samba_dlz: no memory");
return ISC_FALSE;
}
ap_req = data_blob_const(keydata, keydatalen);
server_credentials = cli_credentials_init(tmp_ctx);
if (!server_credentials) {
state->log(ISC_LOG_ERROR, "samba_dlz: failed to init server credentials");
talloc_free(tmp_ctx);
return ISC_FALSE;
}
cli_credentials_set_krb5_context(server_credentials, state->smb_krb5_ctx);
cli_credentials_set_conf(server_credentials, state->lp);
keytab_name = talloc_asprintf(tmp_ctx, "file:%s/dns.keytab",
lpcfg_private_dir(state->lp));
ret = cli_credentials_set_keytab_name(server_credentials, state->lp, keytab_name,
CRED_SPECIFIED);
if (ret != 0) {
state->log(ISC_LOG_ERROR, "samba_dlz: failed to obtain server credentials from %s",
keytab_name);
talloc_free(tmp_ctx);
return ISC_FALSE;
}
talloc_free(keytab_name);
nt_status = gensec_server_start(tmp_ctx,
lpcfg_gensec_settings(tmp_ctx, state->lp),
state->auth_context, &gensec_ctx);
if (!NT_STATUS_IS_OK(nt_status)) {
state->log(ISC_LOG_ERROR, "samba_dlz: failed to start gensec server");
talloc_free(tmp_ctx);
return ISC_FALSE;
}
gensec_set_credentials(gensec_ctx, server_credentials);
nt_status = gensec_start_mech_by_name(gensec_ctx, "spnego");
if (!NT_STATUS_IS_OK(nt_status)) {
state->log(ISC_LOG_ERROR, "samba_dlz: failed to start spnego");
talloc_free(tmp_ctx);
return ISC_FALSE;
}
nt_status = gensec_update(gensec_ctx, tmp_ctx, state->ev_ctx, ap_req, &ap_req);
if (!NT_STATUS_IS_OK(nt_status)) {
state->log(ISC_LOG_ERROR, "samba_dlz: spnego update failed");
talloc_free(tmp_ctx);
return ISC_FALSE;
}
nt_status = gensec_session_info(gensec_ctx, tmp_ctx, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
state->log(ISC_LOG_ERROR, "samba_dlz: failed to create session info");
talloc_free(tmp_ctx);
return ISC_FALSE;
}
/* Get the DN from name */
result = b9_find_name_dn(state, name, tmp_ctx, &dn);
if (result != ISC_R_SUCCESS) {
state->log(ISC_LOG_ERROR, "samba_dlz: failed to find name %s", name);
talloc_free(tmp_ctx);
return ISC_FALSE;
}
/* make sure the dn exists, or find parent dn in case new object is being added */
ldb_ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
attrs, "objectClass=dnsNode");
if (ldb_ret == LDB_ERR_NO_SUCH_OBJECT) {
ldb_dn_remove_child_components(dn, 1);
access_mask = SEC_ADS_CREATE_CHILD;
talloc_free(res);
} else if (ldb_ret == LDB_SUCCESS) {
access_mask = SEC_STD_REQUIRED | SEC_ADS_SELF_WRITE;
talloc_free(res);
} else {
talloc_free(tmp_ctx);
return ISC_FALSE;
}
/* Do ACL check */
ldb_ret = dsdb_check_access_on_dn(state->samdb, tmp_ctx, dn,
session_info->security_token,
access_mask, NULL);
if (ldb_ret != LDB_SUCCESS) {
state->log(ISC_LOG_INFO,
"samba_dlz: disallowing update of signer=%s name=%s type=%s error=%s",
signer, name, type, ldb_strerror(ldb_ret));
talloc_free(tmp_ctx);
return ISC_FALSE;
}
/* Cache session_info, so it can be used in the actual add/delete operation */
state->update_name = talloc_strdup(state, name);
if (state->update_name == NULL) {
state->log(ISC_LOG_ERROR, "samba_dlz: memory allocation error");
talloc_free(tmp_ctx);
return ISC_FALSE;
}
state->session_info = talloc_steal(state, session_info);
state->log(ISC_LOG_INFO, "samba_dlz: allowing update of signer=%s name=%s tcpaddr=%s type=%s key=%s",
signer, name, tcpaddr, type, key);
talloc_free(tmp_ctx);
return ISC_TRUE;
}
/*
* Test some updates
*/
static bool test_dlz_bind9_update01(struct torture_context *tctx)
{
NTSTATUS status;
struct gensec_security *gensec_client_context;
DATA_BLOB client_to_server, server_to_client;
void *dbdata;
void *version = NULL;
const char *argv[] = {
"samba_dlz",
"-H",
lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"),
NULL
};
struct test_expected_rr *expected1 = NULL;
char *name = NULL;
char *data0 = NULL;
char *data1 = NULL;
char *data2 = NULL;
bool ret = false;
tctx_static = tctx;
torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, argv, &dbdata,
"log", dlz_bind9_log_wrapper,
"writeable_zone", dlz_bind9_writeable_zone_hook,
"putrr", dlz_bind9_putrr_hook,
"putnamedrr", dlz_bind9_putnamedrr_hook,
NULL),
ISC_R_SUCCESS,
"Failed to create samba_dlz");
torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
ISC_R_SUCCESS,
"Failed to configure samba_dlz");
expected1 = talloc_zero(tctx, struct test_expected_rr);
torture_assert(tctx, expected1 != NULL, "talloc failed");
expected1->tctx = tctx;
expected1->query_name = __func__;
name = talloc_asprintf(expected1, "%s.%s",
expected1->query_name,
lpcfg_dnsdomain(tctx->lp_ctx));
torture_assert(tctx, name != NULL, "talloc failed");
expected1->num_records = 2;
expected1->records = talloc_zero_array(expected1,
struct test_expected_record,
expected1->num_records);
torture_assert(tctx, expected1->records != NULL, "talloc failed");
expected1->records[0].name = expected1->query_name;
expected1->records[0].type = "a";
expected1->records[0].ttl = 3600;
expected1->records[0].data = "127.1.2.3";
expected1->records[0].printed = false;
data0 = talloc_asprintf(expected1,
"%s.\t" "%u\t" "%s\t" "%s\t" "%s",
name,
(unsigned)expected1->records[0].ttl,
"in",
expected1->records[0].type,
expected1->records[0].data);
torture_assert(tctx, data0 != NULL, "talloc failed");
expected1->records[1].name = expected1->query_name;
expected1->records[1].type = "a";
expected1->records[1].ttl = 3600;
expected1->records[1].data = "127.3.2.1";
expected1->records[1].printed = false;
data1 = talloc_asprintf(expected1,
"%s.\t" "%u\t" "%s\t" "%s\t" "%s",
name,
(unsigned)expected1->records[1].ttl,
"in",
expected1->records[1].type,
expected1->records[1].data);
torture_assert(tctx, data1 != NULL, "talloc failed");
data2 = talloc_asprintf(expected1,
"%s.\t" "0\t" "in\t" "a\t" "127.3.3.3",
name);
torture_assert(tctx, data2 != NULL, "talloc failed");
/*
* Prepare session info
*/
status = gensec_client_start(tctx, &gensec_client_context,
lpcfg_gensec_settings(tctx, tctx->lp_ctx));
torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
/*
* dlz_bind9 use the special dns/host.domain account
*/
status = gensec_set_target_hostname(gensec_client_context,
talloc_asprintf(tctx,
"%s.%s",
torture_setting_string(tctx, "host", NULL),
lpcfg_dnsdomain(tctx->lp_ctx)));
torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed");
status = gensec_set_target_service(gensec_client_context, "dns");
torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_service failed");
status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSS-SPNEGO");
torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
server_to_client = data_blob(NULL, 0);
/* Do one step of the client-server update dance */
status = gensec_update(gensec_client_context, tctx, tctx->ev, server_to_client, &client_to_server);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {;
torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
}
torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials),
name,
"127.0.0.1",
expected1->records[0].type,
"key",
client_to_server.length,
client_to_server.data,
dbdata),
ISC_TRUE,
"Failed to check key for update rights samba_dlz");
/*
* We test the following:
*
* 1. lookup the records => NOT_FOUND
* 2. delete all records => NOT_FOUND
* 3. delete 1st record => NOT_FOUND
* 4. create 1st record => SUCCESS
* 5. lookup the records => found 1st
* 6. create 2nd record => SUCCESS
* 7. lookup the records => found 1st and 2nd
* 8. delete unknown record => NOT_FOUND
* 9. lookup the records => found 1st and 2nd
* 10. delete 1st record => SUCCESS
* 11. lookup the records => found 2nd
* 12. delete 2nd record => SUCCESS
* 13. lookup the records => NOT_FOUND
* 14. create 1st record => SUCCESS
* 15. lookup the records => found 1st
* 16. create 2nd record => SUCCESS
* 17. lookup the records => found 1st and 2nd
* 18. update 1st record => SUCCESS
* 19. lookup the records => found 1st and 2nd
* 20. delete all unknown type records => NOT_FOUND
* 21. lookup the records => found 1st and 2nd
* 22. delete all records => SUCCESS
* 23. lookup the records => NOT_FOUND
*/
/* Step 1. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_NOTFOUND,
"Found hostname");
torture_assert_int_equal(tctx, expected1->num_rr, 0,
"Got wrong record count");
/* Step 2. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_delrdataset(name,
expected1->records[0].type,
dbdata, version),
ISC_R_NOTFOUND, ret, cancel_version,
talloc_asprintf(tctx, "Deleted name[%s] type[%s]\n",
name, expected1->records[0].type));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);
/* Step 3. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_subrdataset(name, data0, dbdata, version),
ISC_R_NOTFOUND, ret, cancel_version,
talloc_asprintf(tctx, "Deleted name[%s] data[%s]\n",
name, data0));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);
/* Step 4. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_addrdataset(name, data0, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
name, data0));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 5. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert_int_equal(tctx, expected1->num_rr, 1,
"Got wrong record count");
/* Step 6. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_addrdataset(name, data1, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
name, data1));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 7. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 2,
"Got wrong record count");
/* Step 8. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_subrdataset(name, data2, dbdata, version),
ISC_R_NOTFOUND, ret, cancel_version,
talloc_asprintf(tctx, "Deleted name[%s] data[%s]\n",
name, data2));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 9. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 2,
"Got wrong record count");
/* Step 10. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_subrdataset(name, data0, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to delete name[%s] data[%s]\n",
name, data0));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 11. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 1,
"Got wrong record count");
/* Step 12. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_subrdataset(name, data1, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to delete name[%s] data[%s]\n",
name, data1));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 13. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_NOTFOUND,
"Found hostname");
torture_assert_int_equal(tctx, expected1->num_rr, 0,
"Got wrong record count");
/* Step 14. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_addrdataset(name, data0, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
name, data0));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 15. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert_int_equal(tctx, expected1->num_rr, 1,
"Got wrong record count");
/* Step 16. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_addrdataset(name, data1, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n",
name, data1));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 17. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 2,
"Got wrong record count");
/* Step 18. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_addrdataset(name, data0, dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to update name[%s] data[%s]\n",
name, data0));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 19. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 2,
"Got wrong record count");
/* Step 20. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_delrdataset(name, "txt", dbdata, version),
ISC_R_FAILURE, ret, cancel_version,
talloc_asprintf(tctx, "Deleted name[%s] type[%s]\n",
name, "txt"));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);
/* Step 21. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_SUCCESS,
"Not found hostname");
torture_assert(tctx, expected1->records[0].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[0].name,
expected1->records[0].type));
torture_assert(tctx, expected1->records[1].printed,
talloc_asprintf(tctx,
"Failed to have putrr callback run name[%s] for type %s",
expected1->records[1].name,
expected1->records[1].type));
torture_assert_int_equal(tctx, expected1->num_rr, 2,
"Got wrong record count");
/* Step 22. */
torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx),
dbdata, &version),
ISC_R_SUCCESS,
"Failed to start transaction");
torture_assert_int_equal_goto(tctx,
dlz_delrdataset(name,
expected1->records[0].type,
dbdata, version),
ISC_R_SUCCESS, ret, cancel_version,
talloc_asprintf(tctx, "Failed to delete name[%s] type[%s]\n",
name, expected1->records[0].type));
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version);
/* Step 23. */
expected1->num_rr = 0;
expected1->records[0].printed = false;
expected1->records[1].printed = false;
torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
expected1->query_name, dbdata,
(dns_sdlzlookup_t *)expected1),
ISC_R_NOTFOUND,
"Found hostname");
torture_assert_int_equal(tctx, expected1->num_rr, 0,
"Got wrong record count");
dlz_destroy(dbdata);
return true;
cancel_version:
dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version);
return ret;
}
/*
* Given the username/password, do a kinit, store the ticket in
* cache_name if specified, and return the PAC_LOGON_INFO (the
* structure containing the important user information such as
* groups).
*/
NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
const char *name,
const char *pass,
time_t time_offset,
time_t *expire_time,
time_t *renew_till_time,
const char *cache_name,
bool request_pac,
bool add_netbios_addr,
time_t renewable_time,
const char *impersonate_princ_s,
struct PAC_LOGON_INFO **_logon_info)
{
krb5_error_code ret;
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
const char *auth_princ = NULL;
const char *local_service = NULL;
const char *cc = "MEMORY:kerberos_return_pac";
struct auth_session_info *session_info;
struct gensec_security *gensec_server_context;
struct gensec_settings *gensec_settings;
size_t idx = 0;
struct auth4_context *auth_context;
struct loadparm_context *lp_ctx;
struct PAC_LOGON_INFO *logon_info = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
ZERO_STRUCT(tkt);
ZERO_STRUCT(ap_rep);
ZERO_STRUCT(sesskey1);
if (!name || !pass) {
return NT_STATUS_INVALID_PARAMETER;
}
if (cache_name) {
cc = cache_name;
}
if (!strchr_m(name, '@')) {
auth_princ = talloc_asprintf(mem_ctx, "%s@%s", name,
lp_realm());
} else {
auth_princ = name;
}
NT_STATUS_HAVE_NO_MEMORY(auth_princ);
local_service = talloc_asprintf(mem_ctx, "%s$@%s",
lp_netbios_name(), lp_realm());
NT_STATUS_HAVE_NO_MEMORY(local_service);
ret = kerberos_kinit_password_ext(auth_princ,
pass,
time_offset,
expire_time,
renew_till_time,
cc,
request_pac,
add_netbios_addr,
renewable_time,
&status);
if (ret) {
DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
auth_princ, error_message(ret), ret));
/* status already set */
goto out;
}
DEBUG(10,("got TGT for %s in %s\n", auth_princ, cc));
if (expire_time) {
DEBUGADD(10,("\tvalid until: %s (%d)\n",
http_timestring(talloc_tos(), *expire_time),
(int)*expire_time));
}
if (renew_till_time) {
DEBUGADD(10,("\trenewable till: %s (%d)\n",
http_timestring(talloc_tos(), *renew_till_time),
(int)*renew_till_time));
}
/* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
* in that case fallback to NTLM - gd */
if (expire_time && renew_till_time &&
(*expire_time == 0) && (*renew_till_time == 0)) {
return NT_STATUS_INVALID_LOGON_TYPE;
}
ret = cli_krb5_get_ticket(mem_ctx,
local_service,
time_offset,
&tkt,
&sesskey1,
0,
cc,
NULL,
impersonate_princ_s);
if (ret) {
DEBUG(1,("failed to get ticket for %s: %s\n",
local_service, error_message(ret)));
if (impersonate_princ_s) {
DEBUGADD(1,("tried S4U2SELF impersonation as: %s\n",
impersonate_princ_s));
}
status = krb5_to_nt_status(ret);
goto out;
}
/* wrap that up in a nice GSS-API wrapping */
tkt_wrapped = spnego_gen_krb5_wrap(tmp_ctx, tkt, TOK_ID_KRB_AP_REQ);
if (tkt_wrapped.data == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
auth_context = talloc_zero(tmp_ctx, struct auth4_context);
if (auth_context == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
auth_context->generate_session_info_pac = kerberos_fetch_pac;
lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_context());
if (lp_ctx == NULL) {
status = NT_STATUS_INVALID_SERVER_STATE;
DEBUG(10, ("loadparm_init_s3 failed\n"));
goto out;
}
gensec_settings = lpcfg_gensec_settings(tmp_ctx, lp_ctx);
if (lp_ctx == NULL) {
status = NT_STATUS_NO_MEMORY;
DEBUG(10, ("lpcfg_gensec_settings failed\n"));
goto out;
}
gensec_settings->backends = talloc_zero_array(gensec_settings,
struct gensec_security_ops *, 2);
if (gensec_settings->backends == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
gensec_init();
gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
status = gensec_server_start(tmp_ctx, gensec_settings,
auth_context, &gensec_server_context);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, (__location__ "Failed to start server-side GENSEC to validate a Kerberos ticket: %s\n", nt_errstr(status)));
goto out;
}
talloc_unlink(tmp_ctx, lp_ctx);
talloc_unlink(tmp_ctx, gensec_settings);
talloc_unlink(tmp_ctx, auth_context);
status = gensec_start_mech_by_oid(gensec_server_context, GENSEC_OID_KERBEROS5);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, (__location__ "Failed to start server-side GENSEC krb5 to validate a Kerberos ticket: %s\n", nt_errstr(status)));
goto out;
}
/* Do a client-server update dance */
status = gensec_update(gensec_server_context, tmp_ctx, NULL, tkt_wrapped, &ap_rep);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("gensec_update() failed: %s\n", nt_errstr(status)));
goto out;
}
/* Now return the PAC information to the callers. We ingore
* the session_info and instead pick out the PAC via the
* private_data on the auth_context */
status = gensec_session_info(gensec_server_context, tmp_ctx, &session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Unable to obtain PAC via gensec_session_info\n"));
goto out;
}
logon_info = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
struct PAC_LOGON_INFO);
if (logon_info == NULL) {
DEBUG(1,("no PAC\n"));
status = NT_STATUS_INVALID_PARAMETER;
goto out;
}
*_logon_info = talloc_move(mem_ctx, &logon_info);
out:
talloc_free(tmp_ctx);
if (cc != cache_name) {
ads_kdestroy(cc);
}
data_blob_free(&tkt);
data_blob_free(&ap_rep);
data_blob_free(&sesskey1);
return status;
}
/*
perform a LDAP/SASL/SPNEGO/NTLMSSP bind (just how many layers can
we fit on one socket??)
*/
static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
{
DATA_BLOB msg1 = data_blob_null;
DATA_BLOB blob = data_blob_null;
DATA_BLOB blob_in = data_blob_null;
DATA_BLOB blob_out = data_blob_null;
struct berval cred, *scred = NULL;
int rc;
NTSTATUS nt_status;
ADS_STATUS status;
int turn = 1;
struct auth_generic_state *auth_generic_state;
nt_status = auth_generic_client_prepare(NULL, &auth_generic_state);
if (!NT_STATUS_IS_OK(nt_status)) {
return ADS_ERROR_NT(nt_status);
}
if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_username(auth_generic_state, ads->auth.user_name))) {
return ADS_ERROR_NT(nt_status);
}
if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_domain(auth_generic_state, ads->auth.realm))) {
return ADS_ERROR_NT(nt_status);
}
if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_password(auth_generic_state, ads->auth.password))) {
return ADS_ERROR_NT(nt_status);
}
switch (ads->ldap.wrap_type) {
case ADS_SASLWRAP_TYPE_SEAL:
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL);
break;
case ADS_SASLWRAP_TYPE_SIGN:
if (ads->auth.flags & ADS_AUTH_SASL_FORCE) {
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
} else {
/*
* windows servers are broken with sign only,
* so we need to use seal here too
*/
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL);
ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_SEAL;
}
break;
case ADS_SASLWRAP_TYPE_PLAIN:
break;
}
nt_status = auth_generic_client_start(auth_generic_state, GENSEC_OID_NTLMSSP);
if (!NT_STATUS_IS_OK(nt_status)) {
return ADS_ERROR_NT(nt_status);
}
blob_in = data_blob_null;
do {
nt_status = gensec_update(auth_generic_state->gensec_security,
talloc_tos(), NULL, blob_in, &blob_out);
data_blob_free(&blob_in);
if ((NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
|| NT_STATUS_IS_OK(nt_status))
&& blob_out.length) {
if (turn == 1) {
const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL};
/* and wrap it in a SPNEGO wrapper */
msg1 = spnego_gen_negTokenInit(talloc_tos(),
OIDs_ntlm, &blob_out, NULL);
} else {
/* wrap it in SPNEGO */
msg1 = spnego_gen_auth(talloc_tos(), blob_out);
}
data_blob_free(&blob_out);
cred.bv_val = (char *)msg1.data;
cred.bv_len = msg1.length;
scred = NULL;
rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
data_blob_free(&msg1);
if ((rc != LDAP_SASL_BIND_IN_PROGRESS) && (rc != 0)) {
if (scred) {
ber_bvfree(scred);
}
TALLOC_FREE(auth_generic_state);
return ADS_ERROR(rc);
}
if (scred) {
blob = data_blob(scred->bv_val, scred->bv_len);
ber_bvfree(scred);
} else {
blob = data_blob_null;
}
} else {
TALLOC_FREE(auth_generic_state);
data_blob_free(&blob_out);
return ADS_ERROR_NT(nt_status);
}
if ((turn == 1) &&
(rc == LDAP_SASL_BIND_IN_PROGRESS)) {
DATA_BLOB tmp_blob = data_blob_null;
/* the server might give us back two challenges */
if (!spnego_parse_challenge(talloc_tos(), blob, &blob_in,
&tmp_blob)) {
TALLOC_FREE(auth_generic_state);
data_blob_free(&blob);
DEBUG(3,("Failed to parse challenges\n"));
return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
data_blob_free(&tmp_blob);
} else if (rc == LDAP_SASL_BIND_IN_PROGRESS) {
if (!spnego_parse_auth_response(talloc_tos(), blob, nt_status, OID_NTLMSSP,
&blob_in)) {
TALLOC_FREE(auth_generic_state);
data_blob_free(&blob);
DEBUG(3,("Failed to parse auth response\n"));
return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
}
data_blob_free(&blob);
data_blob_free(&blob_out);
turn++;
} while (rc == LDAP_SASL_BIND_IN_PROGRESS && !NT_STATUS_IS_OK(nt_status));
if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
uint32_t sig_size = gensec_sig_size(auth_generic_state->gensec_security, 0);
ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - sig_size;
ads->ldap.out.sig_size = sig_size;
ads->ldap.in.min_wrapped = ads->ldap.out.sig_size;
ads->ldap.in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED;
status = ads_setup_sasl_wrapping(ads, &ads_sasl_ntlmssp_ops, auth_generic_state->gensec_security);
if (!ADS_ERR_OK(status)) {
DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
ads_errstr(status)));
TALLOC_FREE(auth_generic_state);
return status;
}
/* Only keep the gensec_security element around long-term */
talloc_steal(NULL, auth_generic_state->gensec_security);
}
TALLOC_FREE(auth_generic_state);
return ADS_ERROR(rc);
}
/*
handler for completion of a smbcli_request sub-request
*/
static void request_handler(struct smbcli_request *req)
{
struct composite_context *c = (struct composite_context *)req->async.private_data;
struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
struct smbcli_session *session = req->session;
DATA_BLOB session_key = data_blob(NULL, 0);
DATA_BLOB null_data_blob = data_blob(NULL, 0);
NTSTATUS session_key_err, nt_status;
struct smbcli_request *check_req = NULL;
const char *os = NULL;
const char *lanman = NULL;
if (req->sign_caller_checks) {
req->do_not_free = true;
check_req = req;
}
state->remote_status = smb_raw_sesssetup_recv(req, state, &state->setup);
c->status = state->remote_status;
state->req = NULL;
/*
* we only need to check the signature if the
* NT_STATUS_OK is returned
*/
if (!NT_STATUS_IS_OK(state->remote_status)) {
talloc_free(check_req);
check_req = NULL;
}
switch (state->setup.old.level) {
case RAW_SESSSETUP_OLD:
state->io->out.vuid = state->setup.old.out.vuid;
/* This doesn't work, as this only happens on old
* protocols, where this comparison won't match. */
if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
/* we neet to reset the vuid for a new try */
session->vuid = 0;
if (cli_credentials_wrong_password(state->io->in.credentials)) {
nt_status = session_setup_old(c, session,
state->io,
&state->req);
if (NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_req);
c->status = nt_status;
composite_continue_smb(c, state->req, request_handler, c);
return;
}
}
}
os = state->setup.old.out.os;
lanman = state->setup.old.out.lanman;
break;
case RAW_SESSSETUP_NT1:
state->io->out.vuid = state->setup.nt1.out.vuid;
if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
/* we neet to reset the vuid for a new try */
session->vuid = 0;
if (cli_credentials_wrong_password(state->io->in.credentials)) {
nt_status = session_setup_nt1(c, session,
state->io,
&state->req);
if (NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_req);
c->status = nt_status;
composite_continue_smb(c, state->req, request_handler, c);
return;
}
}
}
os = state->setup.nt1.out.os;
lanman = state->setup.nt1.out.lanman;
break;
case RAW_SESSSETUP_SPNEGO:
state->io->out.vuid = state->setup.spnego.out.vuid;
if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
/* we need to reset the vuid for a new try */
session->vuid = 0;
if (cli_credentials_wrong_password(state->io->in.credentials)) {
nt_status = session_setup_spnego(c, session,
state->io,
&state->req);
if (NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_req);
c->status = nt_status;
composite_continue_smb(c, state->req, request_handler, c);
return;
}
}
}
if (!NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
!NT_STATUS_IS_OK(c->status)) {
break;
}
if (NT_STATUS_EQUAL(state->gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
/* The status value here, from the earlier pass at GENSEC is
* vital to the security of the system. Even if the other end
* accepts, if GENSEC claims 'MORE_PROCESSING_REQUIRED' then
* you must keep feeding it blobs, or else the remote
* host/attacker might avoid mutal authentication
* requirements */
state->gensec_status = gensec_update(session->gensec, state,
state->setup.spnego.out.secblob,
&state->setup.spnego.in.secblob);
c->status = state->gensec_status;
if (!NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
!NT_STATUS_IS_OK(c->status)) {
break;
}
} else {
state->setup.spnego.in.secblob = data_blob(NULL, 0);
}
if (NT_STATUS_IS_OK(state->remote_status)) {
if (state->setup.spnego.in.secblob.length) {
c->status = NT_STATUS_INTERNAL_ERROR;
break;
}
session_key_err = gensec_session_key(session->gensec, session, &session->user_session_key);
if (NT_STATUS_IS_OK(session_key_err)) {
smbcli_transport_simple_set_signing(session->transport, session->user_session_key, null_data_blob);
}
}
if (state->setup.spnego.in.secblob.length) {
/*
* set the session->vuid value only for calling
* smb_raw_sesssetup_send()
*/
uint16_t vuid = session->vuid;
session->vuid = state->io->out.vuid;
state->req = smb_raw_sesssetup_send(session, &state->setup);
session->vuid = vuid;
if (state->req) {
state->req->sign_caller_checks = true;
}
composite_continue_smb(c, state->req, request_handler, c);
return;
}
os = state->setup.spnego.out.os;
lanman = state->setup.spnego.out.lanman;
break;
case RAW_SESSSETUP_SMB2:
c->status = NT_STATUS_INTERNAL_ERROR;
break;
}
if (check_req) {
check_req->sign_caller_checks = false;
if (!smbcli_request_check_sign_mac(check_req)) {
c->status = NT_STATUS_ACCESS_DENIED;
}
talloc_free(check_req);
check_req = NULL;
}
/* enforce the local signing required flag */
if (NT_STATUS_IS_OK(c->status) && !cli_credentials_is_anonymous(state->io->in.credentials)) {
if (!session->transport->negotiate.sign_info.doing_signing
&& session->transport->negotiate.sign_info.mandatory_signing) {
DEBUG(0, ("SMB signing required, but server does not support it\n"));
c->status = NT_STATUS_ACCESS_DENIED;
}
}
if (!NT_STATUS_IS_OK(c->status)) {
composite_error(c, c->status);
return;
}
if (os) {
session->os = talloc_strdup(session, os);
if (composite_nomem(session->os, c)) return;
} else {
session->os = NULL;
}
if (lanman) {
session->lanman = talloc_strdup(session, lanman);
if (composite_nomem(session->lanman, c)) return;
} else {
session->lanman = NULL;
}
composite_done(c);
}
/*
perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can
we fit on one socket??)
*/
static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
const char *sasl,
enum credentials_use_kerberos krb5_state,
const char *target_service,
const char *target_hostname,
const DATA_BLOB server_blob)
{
DATA_BLOB blob_in = data_blob_null;
DATA_BLOB blob_out = data_blob_null;
int rc;
NTSTATUS nt_status;
ADS_STATUS status;
struct auth_generic_state *auth_generic_state;
bool use_spnego_principal = lp_client_use_spnego_principal();
const char *sasl_list[] = { sasl, NULL };
nt_status = auth_generic_client_prepare(NULL, &auth_generic_state);
if (!NT_STATUS_IS_OK(nt_status)) {
return ADS_ERROR_NT(nt_status);
}
if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_username(auth_generic_state, ads->auth.user_name))) {
return ADS_ERROR_NT(nt_status);
}
if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_domain(auth_generic_state, ads->auth.realm))) {
return ADS_ERROR_NT(nt_status);
}
if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_password(auth_generic_state, ads->auth.password))) {
return ADS_ERROR_NT(nt_status);
}
if (server_blob.length == 0) {
use_spnego_principal = false;
}
if (krb5_state == CRED_DONT_USE_KERBEROS) {
use_spnego_principal = false;
}
cli_credentials_set_kerberos_state(auth_generic_state->credentials,
krb5_state);
if (target_service != NULL) {
nt_status = gensec_set_target_service(
auth_generic_state->gensec_security,
target_service);
if (!NT_STATUS_IS_OK(nt_status)) {
return ADS_ERROR_NT(nt_status);
}
}
if (target_hostname != NULL) {
nt_status = gensec_set_target_hostname(
auth_generic_state->gensec_security,
target_hostname);
if (!NT_STATUS_IS_OK(nt_status)) {
return ADS_ERROR_NT(nt_status);
}
}
if (target_service != NULL && target_hostname != NULL) {
use_spnego_principal = false;
}
switch (ads->ldap.wrap_type) {
case ADS_SASLWRAP_TYPE_SEAL:
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL);
break;
case ADS_SASLWRAP_TYPE_SIGN:
if (ads->auth.flags & ADS_AUTH_SASL_FORCE) {
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
} else {
/*
* windows servers are broken with sign only,
* so we let the NTLMSSP backend to seal here,
* via GENSEC_FEATURE_LDAP_STYLE.
*/
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_LDAP_STYLE);
}
break;
case ADS_SASLWRAP_TYPE_PLAIN:
break;
}
nt_status = auth_generic_client_start_by_sasl(auth_generic_state,
sasl_list);
if (!NT_STATUS_IS_OK(nt_status)) {
return ADS_ERROR_NT(nt_status);
}
rc = LDAP_SASL_BIND_IN_PROGRESS;
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
if (use_spnego_principal) {
blob_in = data_blob_dup_talloc(talloc_tos(), server_blob);
if (blob_in.length == 0) {
TALLOC_FREE(auth_generic_state);
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
} else {
blob_in = data_blob_null;
}
blob_out = data_blob_null;
while (true) {
struct berval cred, *scred = NULL;
nt_status = gensec_update(auth_generic_state->gensec_security,
talloc_tos(), blob_in, &blob_out);
data_blob_free(&blob_in);
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
&& !NT_STATUS_IS_OK(nt_status))
{
TALLOC_FREE(auth_generic_state);
data_blob_free(&blob_out);
return ADS_ERROR_NT(nt_status);
}
if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_out.length == 0) {
break;
}
cred.bv_val = (char *)blob_out.data;
cred.bv_len = blob_out.length;
scred = NULL;
rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, sasl, &cred, NULL, NULL, &scred);
data_blob_free(&blob_out);
if ((rc != LDAP_SASL_BIND_IN_PROGRESS) && (rc != 0)) {
if (scred) {
ber_bvfree(scred);
}
TALLOC_FREE(auth_generic_state);
return ADS_ERROR(rc);
}
if (scred) {
blob_in = data_blob_talloc(talloc_tos(),
scred->bv_val,
scred->bv_len);
if (blob_in.length != scred->bv_len) {
ber_bvfree(scred);
TALLOC_FREE(auth_generic_state);
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
ber_bvfree(scred);
} else {
blob_in = data_blob_null;
}
if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_in.length == 0) {
break;
}
}
data_blob_free(&blob_in);
data_blob_free(&blob_out);
if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
size_t max_wrapped = gensec_max_wrapped_size(auth_generic_state->gensec_security);
ads->ldap.out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security);
ads->ldap.out.sig_size = max_wrapped - ads->ldap.out.max_unwrapped;
ads->ldap.in.min_wrapped = ads->ldap.out.sig_size;
ads->ldap.in.max_wrapped = max_wrapped;
status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security);
if (!ADS_ERR_OK(status)) {
DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
ads_errstr(status)));
TALLOC_FREE(auth_generic_state);
return status;
}
/* Only keep the gensec_security element around long-term */
talloc_steal(NULL, auth_generic_state->gensec_security);
}
TALLOC_FREE(auth_generic_state);
return ADS_ERROR(rc);
}
/*
Modern, all singing, all dancing extended security (and possibly SPNEGO) request
*/
static NTSTATUS session_setup_spnego(struct composite_context *c,
struct smbcli_session *session,
struct smb_composite_sesssetup *io,
struct smbcli_request **req)
{
struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
NTSTATUS status;
const char *chosen_oid = NULL;
state->setup.spnego.level = RAW_SESSSETUP_SPNEGO;
state->setup.spnego.in.bufsize = session->transport->options.max_xmit;
state->setup.spnego.in.mpx_max = session->transport->options.max_mux;
state->setup.spnego.in.vc_num = 1;
state->setup.spnego.in.sesskey = io->in.sesskey;
state->setup.spnego.in.capabilities = io->in.capabilities;
state->setup.spnego.in.os = "Unix";
state->setup.spnego.in.lanman = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
state->setup.spnego.in.workgroup = io->in.workgroup;
status = gensec_client_start(session, &session->gensec,
io->in.gensec_settings);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
return status;
}
gensec_want_feature(session->gensec, GENSEC_FEATURE_SESSION_KEY);
status = gensec_set_credentials(session->gensec, io->in.credentials);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client credentials: %s\n",
nt_errstr(status)));
return status;
}
status = gensec_set_target_hostname(session->gensec,
smbXcli_conn_remote_name(session->transport->conn));
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
nt_errstr(status)));
return status;
}
status = gensec_set_target_service(session->gensec, "cifs");
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
nt_errstr(status)));
return status;
}
if (session->transport->negotiate.secblob.length) {
chosen_oid = GENSEC_OID_SPNEGO;
status = gensec_start_mech_by_oid(session->gensec, chosen_oid);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
gensec_get_name_by_oid(session->gensec, chosen_oid), nt_errstr(status)));
chosen_oid = GENSEC_OID_NTLMSSP;
status = gensec_start_mech_by_oid(session->gensec, chosen_oid);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set (fallback) GENSEC client mechanism %s: %s\n",
gensec_get_name_by_oid(session->gensec, chosen_oid),
nt_errstr(status)));
return status;
}
}
} else {
/* without a sec blob, means raw NTLMSSP */
chosen_oid = GENSEC_OID_NTLMSSP;
status = gensec_start_mech_by_oid(session->gensec, chosen_oid);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
gensec_get_name_by_oid(session->gensec, chosen_oid), nt_errstr(status)));
}
}
if (strequal(chosen_oid, GENSEC_OID_SPNEGO)) {
status = gensec_update(session->gensec, state,
c->event_ctx,
session->transport->negotiate.secblob,
&state->setup.spnego.in.secblob);
} else {
status = gensec_update(session->gensec, state,
c->event_ctx,
data_blob(NULL, 0),
&state->setup.spnego.in.secblob);
}
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed initial gensec_update with mechanism %s: %s\n",
gensec_get_name_by_oid(session->gensec, chosen_oid),
nt_errstr(status)));
return status;
}
state->gensec_status = status;
*req = smb_raw_sesssetup_send(session, &state->setup);
if (!*req) {
return NT_STATUS_NO_MEMORY;
}
/*
* we need to check the signature ourself
* as the session key might be the acceptor subkey
* which comes within the response itself
*/
if (!smb1cli_conn_signing_is_active((*req)->transport->conn)) {
(*req)->sign_caller_checks = true;
}
return (*req)->status;
}
static bool test_PACVerify(struct torture_context *tctx,
struct dcerpc_pipe *p,
struct cli_credentials *credentials)
{
NTSTATUS status;
struct netr_LogonSamLogon r;
union netr_LogonLevel logon;
union netr_Validation validation;
uint8_t authoritative;
struct netr_Authenticator return_authenticator;
struct netr_GenericInfo generic;
struct netr_Authenticator auth, auth2;
struct netlogon_creds_CredentialState *creds;
struct gensec_security *gensec_client_context;
struct gensec_security *gensec_server_context;
DATA_BLOB client_to_server, server_to_client, pac_wrapped, payload;
struct PAC_Validate pac_wrapped_struct;
enum ndr_err_code ndr_err;
struct auth_session_info *session_info;
char *tmp_dir;
TALLOC_CTX *tmp_ctx = talloc_new(tctx);
torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
credentials, SEC_CHAN_BDC,
&creds)) {
return false;
}
status = torture_temp_dir(tctx, "PACVerify", &tmp_dir);
torture_assert_ntstatus_ok(tctx, status, "torture_temp_dir failed");
status = gensec_client_start(tctx, &gensec_client_context, tctx->ev,
lp_gensec_settings(tctx, tctx->lp_ctx));
torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed");
status = gensec_set_target_hostname(gensec_client_context, TEST_MACHINE_NAME);
status = gensec_set_credentials(gensec_client_context, cmdline_credentials);
torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSSAPI");
torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
status = gensec_server_start(tctx, tctx->ev,
lp_gensec_settings(tctx, tctx->lp_ctx),
NULL, &gensec_server_context);
torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
status = gensec_set_credentials(gensec_server_context, credentials);
torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (server) failed");
status = gensec_start_mech_by_sasl_name(gensec_server_context, "GSSAPI");
torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (server) failed");
server_to_client = data_blob(NULL, 0);
do {
/* Do a client-server update dance */
status = gensec_update(gensec_client_context, tmp_ctx, server_to_client, &client_to_server);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
;
torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed");
}
status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
;
torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed");
}
if (NT_STATUS_IS_OK(status)) {
break;
}
} while (1);
/* Extract the PAC using Samba's code */
status = gensec_session_info(gensec_server_context, &session_info);
torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length;
pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type;
pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length;
pac_wrapped_struct.ChecksumAndSignature = payload
= data_blob_talloc(tmp_ctx, NULL,
pac_wrapped_struct.ChecksumLength
+ pac_wrapped_struct.SignatureLength);
memcpy(&payload.data[0],
session_info->server_info->pac_srv_sig.signature.data,
pac_wrapped_struct.ChecksumLength);
memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
session_info->server_info->pac_kdc_sig.signature.data,
pac_wrapped_struct.SignatureLength);
ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, lp_iconv_convenience(tctx->lp_ctx), &pac_wrapped_struct,
(ndr_push_flags_fn_t)ndr_push_PAC_Validate);
torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
generic.length = pac_wrapped.length;
generic.data = pac_wrapped.data;
/* Validate it over the netlogon pipe */
generic.identity_info.parameter_control = 0;
generic.identity_info.logon_id_high = 0;
generic.identity_info.logon_id_low = 0;
generic.identity_info.domain_name.string = session_info->server_info->domain_name;
generic.identity_info.account_name.string = session_info->server_info->account_name;
generic.identity_info.workstation.string = TEST_MACHINE_NAME;
generic.package_name.string = "Kerberos";
logon.generic = &generic;
ZERO_STRUCT(auth2);
netlogon_creds_client_authenticator(creds, &auth);
r.in.credential = &auth;
r.in.return_authenticator = &auth2;
r.in.logon = &logon;
r.in.logon_level = NetlogonGenericInformation;
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.computer_name = cli_credentials_get_workstation(credentials);
r.in.validation_level = NetlogonValidationGenericInfo2;
r.out.validation = &validation;
r.out.authoritative = &authoritative;
r.out.return_authenticator = &return_authenticator;
status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
/* This will break the signature nicely (even in the crypto wrapping), check we get a logon failure */
generic.data[generic.length-1]++;
logon.generic = &generic;
ZERO_STRUCT(auth2);
netlogon_creds_client_authenticator(creds, &auth);
r.in.credential = &auth;
r.in.return_authenticator = &auth2;
r.in.logon_level = NetlogonGenericInformation;
r.in.logon = &logon;
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.computer_name = cli_credentials_get_workstation(credentials);
r.in.validation_level = NetlogonValidationGenericInfo2;
status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
torture_assert_ntstatus_equal(tctx, status, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed");
torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
"Credential chaining failed");
/* This will break the parsing nicely (even in the crypto wrapping), check we get INVALID_PARAMETER */
generic.length--;
logon.generic = &generic;
ZERO_STRUCT(auth2);
netlogon_creds_client_authenticator(creds, &auth);
r.in.credential = &auth;
r.in.return_authenticator = &auth2;
r.in.logon_level = NetlogonGenericInformation;
r.in.logon = &logon;
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.computer_name = cli_credentials_get_workstation(credentials);
r.in.validation_level = NetlogonValidationGenericInfo2;
status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed");
torture_assert(tctx, netlogon_creds_client_check(creds,
&r.out.return_authenticator->cred),
"Credential chaining failed");
pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length;
pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type;
/* Break the SignatureType */
pac_wrapped_struct.SignatureType++;
pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length;
pac_wrapped_struct.ChecksumAndSignature = payload
= data_blob_talloc(tmp_ctx, NULL,
pac_wrapped_struct.ChecksumLength
+ pac_wrapped_struct.SignatureLength);
memcpy(&payload.data[0],
session_info->server_info->pac_srv_sig.signature.data,
pac_wrapped_struct.ChecksumLength);
memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
session_info->server_info->pac_kdc_sig.signature.data,
pac_wrapped_struct.SignatureLength);
ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, lp_iconv_convenience(tctx->lp_ctx), &pac_wrapped_struct,
(ndr_push_flags_fn_t)ndr_push_PAC_Validate);
torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
generic.length = pac_wrapped.length;
generic.data = pac_wrapped.data;
logon.generic = &generic;
ZERO_STRUCT(auth2);
netlogon_creds_client_authenticator(creds, &auth);
r.in.credential = &auth;
r.in.return_authenticator = &auth2;
r.in.logon_level = NetlogonGenericInformation;
r.in.logon = &logon;
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.computer_name = cli_credentials_get_workstation(credentials);
r.in.validation_level = NetlogonValidationGenericInfo2;
status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
torture_assert_ntstatus_equal(tctx, status, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed");
torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
"Credential chaining failed");
pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length;
pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type;
pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length;
pac_wrapped_struct.ChecksumAndSignature = payload
= data_blob_talloc(tmp_ctx, NULL,
pac_wrapped_struct.ChecksumLength
+ pac_wrapped_struct.SignatureLength);
memcpy(&payload.data[0],
session_info->server_info->pac_srv_sig.signature.data,
pac_wrapped_struct.ChecksumLength);
memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
session_info->server_info->pac_kdc_sig.signature.data,
pac_wrapped_struct.SignatureLength);
/* Break the signature length */
pac_wrapped_struct.SignatureLength++;
ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, lp_iconv_convenience(tctx->lp_ctx), &pac_wrapped_struct,
(ndr_push_flags_fn_t)ndr_push_PAC_Validate);
torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed");
torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption");
netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length);
generic.length = pac_wrapped.length;
generic.data = pac_wrapped.data;
logon.generic = &generic;
ZERO_STRUCT(auth2);
netlogon_creds_client_authenticator(creds, &auth);
r.in.credential = &auth;
r.in.return_authenticator = &auth2;
r.in.logon_level = NetlogonGenericInformation;
r.in.logon = &logon;
r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
r.in.computer_name = cli_credentials_get_workstation(credentials);
r.in.validation_level = NetlogonValidationGenericInfo2;
status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed");
torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
"Credential chaining failed");
return true;
}
static void reply_sesssetup_and_X_spnego(struct smb_request *req)
{
const uint8_t *p;
DATA_BLOB in_blob;
DATA_BLOB out_blob = data_blob_null;
size_t bufrem;
char *tmp;
const char *native_os;
const char *native_lanman;
const char *primary_domain;
uint16_t data_blob_len = SVAL(req->vwv+7, 0);
enum remote_arch_types ra_type = get_remote_arch();
uint64_t vuid = req->vuid;
NTSTATUS status = NT_STATUS_OK;
struct smbXsrv_connection *xconn = req->xconn;
struct smbd_server_connection *sconn = req->sconn;
uint16_t action = 0;
bool is_authenticated = false;
NTTIME now = timeval_to_nttime(&req->request_time);
struct smbXsrv_session *session = NULL;
uint16_t smb_bufsize = SVAL(req->vwv+2, 0);
uint32_t client_caps = IVAL(req->vwv+10, 0);
struct smbXsrv_session_auth0 *auth;
DEBUG(3,("Doing spnego session setup\n"));
if (!xconn->smb1.sessions.done_sesssetup) {
global_client_caps = client_caps;
if (!(global_client_caps & CAP_STATUS32)) {
remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES);
}
}
p = req->buf;
if (data_blob_len == 0) {
/* an invalid request */
reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
return;
}
bufrem = smbreq_bufrem(req, p);
/* pull the spnego blob */
in_blob = data_blob_const(p, MIN(bufrem, data_blob_len));
#if 0
file_save("negotiate.dat", in_blob.data, in_blob.length);
#endif
p = req->buf + in_blob.length;
p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
STR_TERMINATE);
native_os = tmp ? tmp : "";
p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
STR_TERMINATE);
native_lanman = tmp ? tmp : "";
p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
STR_TERMINATE);
primary_domain = tmp ? tmp : "";
DEBUG(3,("NativeOS=[%s] NativeLanMan=[%s] PrimaryDomain=[%s]\n",
native_os, native_lanman, primary_domain));
if ( ra_type == RA_WIN2K ) {
/* Vista sets neither the OS or lanman strings */
if ( !strlen(native_os) && !strlen(native_lanman) )
set_remote_arch(RA_VISTA);
/* Windows 2003 doesn't set the native lanman string,
but does set primary domain which is a bug I think */
if ( !strlen(native_lanman) ) {
ra_lanman_string( primary_domain );
} else {
ra_lanman_string( native_lanman );
}
} else if ( ra_type == RA_VISTA ) {
if ( strncmp(native_os, "Mac OS X", 8) == 0 ) {
set_remote_arch(RA_OSX);
}
}
if (vuid != 0) {
status = smb1srv_session_lookup(xconn,
vuid, now,
&session);
if (NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) {
reply_force_doserror(req, ERRSRV, ERRbaduid);
return;
}
if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
status = NT_STATUS_OK;
}
if (NT_STATUS_IS_OK(status)) {
session->status = NT_STATUS_MORE_PROCESSING_REQUIRED;
status = NT_STATUS_MORE_PROCESSING_REQUIRED;
TALLOC_FREE(session->pending_auth);
}
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
reply_nterror(req, nt_status_squash(status));
return;
}
}
if (session == NULL) {
/* create a new session */
status = smbXsrv_session_create(xconn,
now, &session);
if (!NT_STATUS_IS_OK(status)) {
reply_nterror(req, nt_status_squash(status));
return;
}
}
status = smbXsrv_session_find_auth(session, xconn, now, &auth);
if (!NT_STATUS_IS_OK(status)) {
status = smbXsrv_session_create_auth(session, xconn, now,
0, /* flags */
0, /* security */
&auth);
if (!NT_STATUS_IS_OK(status)) {
reply_nterror(req, nt_status_squash(status));
return;
}
}
if (auth->gensec == NULL) {
status = auth_generic_prepare(session,
xconn->remote_address,
xconn->local_address,
"SMB",
&auth->gensec);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
reply_nterror(req, nt_status_squash(status));
return;
}
gensec_want_feature(auth->gensec, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(auth->gensec, GENSEC_FEATURE_UNIX_TOKEN);
gensec_want_feature(auth->gensec, GENSEC_FEATURE_SMB_TRANSPORT);
status = gensec_start_mech_by_oid(auth->gensec,
GENSEC_OID_SPNEGO);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to start SPNEGO handler!\n"));
TALLOC_FREE(session);;
reply_nterror(req, nt_status_squash(status));
return;
}
}
become_root();
status = gensec_update(auth->gensec,
talloc_tos(),
in_blob, &out_blob);
unbecome_root();
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
TALLOC_FREE(session);
reply_nterror(req, nt_status_squash(status));
return;
}
if (NT_STATUS_IS_OK(status) && session->global->auth_session_info == NULL) {
struct auth_session_info *session_info = NULL;
status = gensec_session_info(auth->gensec,
session,
&session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("Failed to generate session_info "
"(user and group token) for session setup: %s\n",
nt_errstr(status)));
data_blob_free(&out_blob);
TALLOC_FREE(session);
reply_nterror(req, nt_status_squash(status));
return;
}
if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) {
action |= SMB_SETUP_GUEST;
}
if (session_info->session_key.length > 0) {
struct smbXsrv_session *x = session;
/*
* Note: the SMB1 signing key is not truncated to 16 byte!
*/
x->global->signing_key =
data_blob_dup_talloc(x->global,
session_info->session_key);
if (x->global->signing_key.data == NULL) {
data_blob_free(&out_blob);
TALLOC_FREE(session);
reply_nterror(req, NT_STATUS_NO_MEMORY);
return;
}
/*
* clear the session key
* the first tcon will add setup the application key
*/
data_blob_clear_free(&session_info->session_key);
}
session->compat = talloc_zero(session, struct user_struct);
if (session->compat == NULL) {
data_blob_free(&out_blob);
TALLOC_FREE(session);
reply_nterror(req, NT_STATUS_NO_MEMORY);
return;
}
session->compat->session = session;
session->compat->homes_snum = -1;
session->compat->session_info = session_info;
session->compat->session_keystr = NULL;
session->compat->vuid = session->global->session_wire_id;
DLIST_ADD(sconn->users, session->compat);
sconn->num_users++;
if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
is_authenticated = true;
session->compat->homes_snum =
register_homes_share(session_info->unix_info->unix_name);
}
if (srv_is_signing_negotiated(xconn) &&
is_authenticated &&
session->global->signing_key.length > 0)
{
/*
* Try and turn on server signing on the first non-guest
* sessionsetup.
*/
srv_set_signing(xconn,
session->global->signing_key,
data_blob_null);
}
set_current_user_info(session_info->unix_info->sanitized_username,
session_info->unix_info->unix_name,
session_info->info->domain_name);
session->status = NT_STATUS_OK;
session->global->auth_session_info = talloc_move(session->global,
&session_info);
session->global->auth_session_info_seqnum += 1;
session->global->channels[0].auth_session_info_seqnum =
session->global->auth_session_info_seqnum;
session->global->auth_time = now;
if (client_caps & CAP_DYNAMIC_REAUTH) {
session->global->expiration_time =
gensec_expire_time(auth->gensec);
} else {
session->global->expiration_time =
GENSEC_EXPIRE_TIME_INFINITY;
}
if (!session_claim(session)) {
DEBUG(1, ("smb1: Failed to claim session for vuid=%llu\n",
(unsigned long long)session->compat->vuid));
data_blob_free(&out_blob);
TALLOC_FREE(session);
reply_nterror(req, NT_STATUS_LOGON_FAILURE);
return;
}
status = smbXsrv_session_update(session);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("smb1: Failed to update session for vuid=%llu - %s\n",
(unsigned long long)session->compat->vuid,
nt_errstr(status)));
data_blob_free(&out_blob);
TALLOC_FREE(session);
reply_nterror(req, NT_STATUS_LOGON_FAILURE);
return;
}
if (!xconn->smb1.sessions.done_sesssetup) {
if (smb_bufsize < SMB_BUFFER_SIZE_MIN) {
reply_force_doserror(req, ERRSRV, ERRerror);
return;
}
xconn->smb1.sessions.max_send = smb_bufsize;
xconn->smb1.sessions.done_sesssetup = true;
}
/* current_user_info is changed on new vuid */
reload_services(sconn, conn_snum_used, true);
} else if (NT_STATUS_IS_OK(status)) {
static NTSTATUS smbd_smb2_auth_generic(struct smbd_smb2_session *session,
struct smbd_smb2_request *smb2req,
uint8_t in_security_mode,
DATA_BLOB in_security_buffer,
uint16_t *out_session_flags,
DATA_BLOB *out_security_buffer,
uint64_t *out_session_id)
{
NTSTATUS status;
*out_security_buffer = data_blob_null;
if (session->gensec_security == NULL) {
status = auth_generic_prepare(session, session->sconn->remote_address,
&session->gensec_security);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;
}
gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(session->gensec_security, GENSEC_FEATURE_UNIX_TOKEN);
status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_SPNEGO);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;
}
}
become_root();
status = gensec_update(session->gensec_security,
smb2req, NULL,
in_security_buffer,
out_security_buffer);
unbecome_root();
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return nt_status_squash(status);
}
if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
*out_session_id = session->vuid;
return status;
}
status = gensec_session_info(session->gensec_security,
session,
&session->session_info);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;
}
*out_session_id = session->vuid;
return smbd_smb2_auth_generic_return(session,
smb2req,
in_security_mode,
in_security_buffer,
out_session_flags,
out_session_id);
}
static NTSTATUS do_ntlm_auth_with_stored_pw(const char *username,
const char *domain,
const char *password,
const DATA_BLOB initial_msg,
const DATA_BLOB challenge_msg,
TALLOC_CTX *mem_ctx,
DATA_BLOB *auth_msg,
uint8_t session_key[16])
{
NTSTATUS status;
struct auth_generic_state *auth_generic_state = NULL;
DATA_BLOB reply, session_key_blob;
status = auth_generic_client_prepare(mem_ctx, &auth_generic_state);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not start NTLMSSP client: %s\n",
nt_errstr(status)));
goto done;
}
status = auth_generic_set_username(auth_generic_state, username);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not set username: %s\n",
nt_errstr(status)));
goto done;
}
status = auth_generic_set_domain(auth_generic_state, domain);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not set domain: %s\n",
nt_errstr(status)));
goto done;
}
status = auth_generic_set_password(auth_generic_state, password);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not set password: %s\n",
nt_errstr(status)));
goto done;
}
if (initial_msg.length == 0) {
gensec_want_feature(auth_generic_state->gensec_security,
GENSEC_FEATURE_SESSION_KEY);
}
status = auth_generic_client_start_by_name(auth_generic_state,
"ntlmssp_resume_ccache");
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not start NTLMSSP resume mech: %s\n",
nt_errstr(status)));
goto done;
}
/*
* We inject the inital NEGOTIATE message our caller used
* in order to get the state machine into the correct possition.
*/
reply = data_blob_null;
status = gensec_update(auth_generic_state->gensec_security,
talloc_tos(), initial_msg, &reply);
data_blob_free(&reply);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(1, ("Failed to create initial message! [%s]\n",
nt_errstr(status)));
goto done;
}
/* Now we are ready to handle the server's actual response. */
status = gensec_update(auth_generic_state->gensec_security,
mem_ctx, challenge_msg, &reply);
if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
DEBUG(1, ("We didn't get a response to the challenge! [%s]\n",
nt_errstr(status)));
data_blob_free(&reply);
goto done;
}
status = gensec_session_key(auth_generic_state->gensec_security,
talloc_tos(), &session_key_blob);
if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
DEBUG(1, ("We didn't get the session key we requested! [%s]\n",
nt_errstr(status)));
data_blob_free(&reply);
goto done;
}
if (session_key_blob.length != 16) {
DEBUG(1, ("invalid session key length %d\n",
(int)session_key_blob.length));
data_blob_free(&reply);
goto done;
}
memcpy(session_key, session_key_blob.data, 16);
data_blob_free(&session_key_blob);
*auth_msg = reply;
status = NT_STATUS_OK;
done:
TALLOC_FREE(auth_generic_state);
return status;
}
/*
add any auth information needed in a bind ack, and process the authentication
information found in the bind.
*/
NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
{
struct dcesrv_connection *dce_conn = call->conn;
NTSTATUS status;
bool want_header_signing = false;
if (!call->conn->auth_state.gensec_security) {
return NT_STATUS_OK;
}
if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
dce_conn->auth_state.client_hdr_signing = true;
want_header_signing = true;
}
if (!lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", true)) {
want_header_signing = false;
}
status = gensec_update(dce_conn->auth_state.gensec_security,
call, call->event_ctx,
dce_conn->auth_state.auth_info->credentials,
&dce_conn->auth_state.auth_info->credentials);
if (NT_STATUS_IS_OK(status)) {
status = gensec_session_info(dce_conn->auth_state.gensec_security,
dce_conn,
&dce_conn->auth_state.session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
return status;
}
if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
GENSEC_FEATURE_SIGN_PKT_HEADER))
{
want_header_signing = false;
}
if (want_header_signing) {
gensec_want_feature(dce_conn->auth_state.gensec_security,
GENSEC_FEATURE_SIGN_PKT_HEADER);
dce_conn->auth_state.hdr_signing = true;
pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
}
/* Now that we are authenticated, go back to the generic session key... */
dce_conn->auth_state.session_key = dcesrv_generic_session_key;
return NT_STATUS_OK;
} else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
dce_conn->auth_state.auth_info->auth_pad_length = 0;
dce_conn->auth_state.auth_info->auth_reserved = 0;
if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
GENSEC_FEATURE_SIGN_PKT_HEADER))
{
want_header_signing = false;
}
if (want_header_signing) {
gensec_want_feature(dce_conn->auth_state.gensec_security,
GENSEC_FEATURE_SIGN_PKT_HEADER);
dce_conn->auth_state.hdr_signing = true;
pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
}
return NT_STATUS_OK;
} else {
DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_ack: %s\n",
nt_errstr(status)));
return status;
}
}
bool kpasswdd_process(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply,
struct tsocket_address *peer_addr,
struct tsocket_address *my_addr,
int datagram_reply)
{
bool ret;
const uint16_t header_len = 6;
uint16_t len;
uint16_t ap_req_len;
uint16_t krb_priv_len;
uint16_t version;
NTSTATUS nt_status;
DATA_BLOB ap_req, krb_priv_req;
DATA_BLOB krb_priv_rep = data_blob(NULL, 0);
DATA_BLOB ap_rep = data_blob(NULL, 0);
DATA_BLOB kpasswd_req, kpasswd_rep;
struct cli_credentials *server_credentials;
struct gensec_security *gensec_security;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
char *keytab_name;
if (!tmp_ctx) {
return false;
}
/* Be parinoid. We need to ensure we don't just let the
* caller lead us into a buffer overflow */
if (input->length <= header_len) {
talloc_free(tmp_ctx);
return false;
}
len = RSVAL(input->data, 0);
if (input->length != len) {
talloc_free(tmp_ctx);
return false;
}
/* There are two different versions of this protocol so far,
* plus others in the standards pipe. Fortunetly they all
* take a very similar framing */
version = RSVAL(input->data, 2);
ap_req_len = RSVAL(input->data, 4);
if ((ap_req_len >= len) || (ap_req_len + header_len) >= len) {
talloc_free(tmp_ctx);
return false;
}
krb_priv_len = len - ap_req_len;
ap_req = data_blob_const(&input->data[header_len], ap_req_len);
krb_priv_req = data_blob_const(&input->data[header_len + ap_req_len], krb_priv_len);
server_credentials = cli_credentials_init(tmp_ctx);
if (!server_credentials) {
DEBUG(1, ("Failed to init server credentials\n"));
return false;
}
/* We want the credentials subsystem to use the krb5 context
* we already have, rather than a new context */
cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
cli_credentials_set_conf(server_credentials, kdc->task->lp_ctx);
keytab_name = talloc_asprintf(server_credentials, "HDB:samba4&%p", kdc->base_ctx);
cli_credentials_set_username(server_credentials, "kadmin/changepw", CRED_SPECIFIED);
ret = cli_credentials_set_keytab_name(server_credentials, kdc->task->event_ctx, kdc->task->lp_ctx, keytab_name, CRED_SPECIFIED);
if (ret != 0) {
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
talloc_asprintf(mem_ctx,
"Failed to obtain server credentials for kadmin/changepw: %s\n",
nt_errstr(nt_status)),
&krb_priv_rep);
ap_rep.length = 0;
if (ret) {
goto reply;
}
talloc_free(tmp_ctx);
return ret;
}
/* We don't strictly need to call this wrapper, and could call
* gensec_server_start directly, as we have no need for NTLM
* and we have a PAC, but this ensures that the wrapper can be
* safely extended for other helpful things in future */
nt_status = samba_server_gensec_start(tmp_ctx, kdc->task->event_ctx,
kdc->task->msg_ctx,
kdc->task->lp_ctx,
server_credentials,
"kpasswd",
&gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return false;
}
/* The kerberos PRIV packets include these addresses. MIT
* clients check that they are present */
#if 0
/* Skip this part for now, it breaks with a NetAPP filer and
* in any case where the client address is behind NAT. If
* older MIT clients need this, we might have to insert more
* complex code */
nt_status = gensec_set_local_address(gensec_security, peer_addr);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return false;
}
#endif
nt_status = gensec_set_local_address(gensec_security, my_addr);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return false;
}
/* We want the GENSEC wrap calls to generate PRIV tokens */
gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
nt_status = gensec_start_mech_by_name(gensec_security, "krb5");
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return false;
}
/* Accept the AP-REQ and generate teh AP-REP we need for the reply */
nt_status = gensec_update(gensec_security, tmp_ctx, ap_req, &ap_rep);
if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
talloc_asprintf(mem_ctx,
"gensec_update failed: %s",
nt_errstr(nt_status)),
&krb_priv_rep);
ap_rep.length = 0;
if (ret) {
goto reply;
}
talloc_free(tmp_ctx);
return ret;
}
/* Extract the data from the KRB-PRIV half of the message */
nt_status = gensec_unwrap(gensec_security, tmp_ctx, &krb_priv_req, &kpasswd_req);
if (!NT_STATUS_IS_OK(nt_status)) {
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
talloc_asprintf(mem_ctx,
"gensec_unwrap failed: %s",
nt_errstr(nt_status)),
&krb_priv_rep);
ap_rep.length = 0;
if (ret) {
goto reply;
}
talloc_free(tmp_ctx);
return ret;
}
/* Figure out something to do with it (probably changing a password...) */
ret = kpasswd_process_request(kdc, tmp_ctx,
gensec_security,
version,
&kpasswd_req, &kpasswd_rep);
if (!ret) {
/* Argh! */
return false;
}
/* And wrap up the reply: This ensures that the error message
* or success can be verified by the client */
nt_status = gensec_wrap(gensec_security, tmp_ctx,
&kpasswd_rep, &krb_priv_rep);
if (!NT_STATUS_IS_OK(nt_status)) {
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
talloc_asprintf(mem_ctx,
"gensec_wrap failed: %s",
nt_errstr(nt_status)),
&krb_priv_rep);
ap_rep.length = 0;
if (ret) {
goto reply;
}
talloc_free(tmp_ctx);
return ret;
}
reply:
*reply = data_blob_talloc(mem_ctx, NULL, krb_priv_rep.length + ap_rep.length + header_len);
if (!reply->data) {
return false;
}
RSSVAL(reply->data, 0, reply->length);
RSSVAL(reply->data, 2, 1); /* This is a version 1 reply, MS change/set or otherwise */
RSSVAL(reply->data, 4, ap_rep.length);
memcpy(reply->data + header_len,
ap_rep.data,
ap_rep.length);
memcpy(reply->data + header_len + ap_rep.length,
krb_priv_rep.data,
krb_priv_rep.length);
talloc_free(tmp_ctx);
return ret;
}
/*
perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can
we fit on one socket??)
*/
static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
const char *sasl,
enum credentials_use_kerberos krb5_state,
const char *target_service,
const char *target_hostname,
const DATA_BLOB server_blob)
{
DATA_BLOB blob_in = data_blob_null;
DATA_BLOB blob_out = data_blob_null;
int rc;
NTSTATUS nt_status;
ADS_STATUS status;
struct auth_generic_state *auth_generic_state;
bool use_spnego_principal = lp_client_use_spnego_principal();
const char *sasl_list[] = { sasl, NULL };
NTTIME end_nt_time;
struct ads_saslwrap *wrap = &ads->ldap_wrap_data;
nt_status = auth_generic_client_prepare(NULL, &auth_generic_state);
if (!NT_STATUS_IS_OK(nt_status)) {
return ADS_ERROR_NT(nt_status);
}
if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_username(auth_generic_state, ads->auth.user_name))) {
return ADS_ERROR_NT(nt_status);
}
if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_domain(auth_generic_state, ads->auth.realm))) {
return ADS_ERROR_NT(nt_status);
}
if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_password(auth_generic_state, ads->auth.password))) {
return ADS_ERROR_NT(nt_status);
}
if (server_blob.length == 0) {
use_spnego_principal = false;
}
if (krb5_state == CRED_DONT_USE_KERBEROS) {
use_spnego_principal = false;
}
cli_credentials_set_kerberos_state(auth_generic_state->credentials,
krb5_state);
if (target_service != NULL) {
nt_status = gensec_set_target_service(
auth_generic_state->gensec_security,
target_service);
if (!NT_STATUS_IS_OK(nt_status)) {
return ADS_ERROR_NT(nt_status);
}
}
if (target_hostname != NULL) {
nt_status = gensec_set_target_hostname(
auth_generic_state->gensec_security,
target_hostname);
if (!NT_STATUS_IS_OK(nt_status)) {
return ADS_ERROR_NT(nt_status);
}
}
if (target_service != NULL && target_hostname != NULL) {
use_spnego_principal = false;
}
switch (wrap->wrap_type) {
case ADS_SASLWRAP_TYPE_SEAL:
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL);
break;
case ADS_SASLWRAP_TYPE_SIGN:
if (ads->auth.flags & ADS_AUTH_SASL_FORCE) {
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
} else {
/*
* windows servers are broken with sign only,
* so we let the NTLMSSP backend to seal here,
* via GENSEC_FEATURE_LDAP_STYLE.
*/
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_LDAP_STYLE);
}
break;
case ADS_SASLWRAP_TYPE_PLAIN:
break;
}
nt_status = auth_generic_client_start_by_sasl(auth_generic_state,
sasl_list);
if (!NT_STATUS_IS_OK(nt_status)) {
return ADS_ERROR_NT(nt_status);
}
rc = LDAP_SASL_BIND_IN_PROGRESS;
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
if (use_spnego_principal) {
blob_in = data_blob_dup_talloc(talloc_tos(), server_blob);
if (blob_in.length == 0) {
TALLOC_FREE(auth_generic_state);
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
} else {
blob_in = data_blob_null;
}
blob_out = data_blob_null;
while (true) {
struct berval cred, *scred = NULL;
nt_status = gensec_update(auth_generic_state->gensec_security,
talloc_tos(), blob_in, &blob_out);
data_blob_free(&blob_in);
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
&& !NT_STATUS_IS_OK(nt_status))
{
TALLOC_FREE(auth_generic_state);
data_blob_free(&blob_out);
return ADS_ERROR_NT(nt_status);
}
if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_out.length == 0) {
break;
}
cred.bv_val = (char *)blob_out.data;
cred.bv_len = blob_out.length;
scred = NULL;
rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, sasl, &cred, NULL, NULL, &scred);
data_blob_free(&blob_out);
if ((rc != LDAP_SASL_BIND_IN_PROGRESS) && (rc != 0)) {
if (scred) {
ber_bvfree(scred);
}
TALLOC_FREE(auth_generic_state);
return ADS_ERROR(rc);
}
if (scred) {
blob_in = data_blob_talloc(talloc_tos(),
scred->bv_val,
scred->bv_len);
if (blob_in.length != scred->bv_len) {
ber_bvfree(scred);
TALLOC_FREE(auth_generic_state);
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
ber_bvfree(scred);
} else {
blob_in = data_blob_null;
}
if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_in.length == 0) {
break;
}
}
data_blob_free(&blob_in);
data_blob_free(&blob_out);
if (wrap->wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
bool ok;
ok = gensec_have_feature(auth_generic_state->gensec_security,
GENSEC_FEATURE_SEAL);
if (!ok) {
DEBUG(0,("The gensec feature sealing request, but unavailable\n"));
TALLOC_FREE(auth_generic_state);
return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
}
ok = gensec_have_feature(auth_generic_state->gensec_security,
GENSEC_FEATURE_SIGN);
if (!ok) {
DEBUG(0,("The gensec feature signing request, but unavailable\n"));
TALLOC_FREE(auth_generic_state);
return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
}
} else if (wrap->wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
bool ok;
ok = gensec_have_feature(auth_generic_state->gensec_security,
GENSEC_FEATURE_SIGN);
if (!ok) {
DEBUG(0,("The gensec feature signing request, but unavailable\n"));
TALLOC_FREE(auth_generic_state);
return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
}
}
ads->auth.tgs_expire = LONG_MAX;
end_nt_time = gensec_expire_time(auth_generic_state->gensec_security);
if (end_nt_time != GENSEC_EXPIRE_TIME_INFINITY) {
struct timeval tv;
nttime_to_timeval(&tv, end_nt_time);
ads->auth.tgs_expire = tv.tv_sec;
}
if (wrap->wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
size_t max_wrapped =
gensec_max_wrapped_size(auth_generic_state->gensec_security);
wrap->out.max_unwrapped =
gensec_max_input_size(auth_generic_state->gensec_security);
wrap->out.sig_size = max_wrapped - wrap->out.max_unwrapped;
/*
* Note that we have to truncate this to 0x2C
* (taken from a capture with LDAP unbind), as the
* signature size is not constant for Kerberos with
* arcfour-hmac-md5.
*/
wrap->in.min_wrapped = MIN(wrap->out.sig_size, 0x2C);
wrap->in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED;
status = ads_setup_sasl_wrapping(wrap, ads->ldap.ld,
&ads_sasl_gensec_ops,
auth_generic_state->gensec_security);
if (!ADS_ERR_OK(status)) {
DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
ads_errstr(status)));
TALLOC_FREE(auth_generic_state);
return status;
}
/* Only keep the gensec_security element around long-term */
talloc_steal(NULL, auth_generic_state->gensec_security);
}
TALLOC_FREE(auth_generic_state);
return ADS_ERROR(rc);
}
/*
perform a sasl bind using the given credentials
*/
_PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
struct cli_credentials *creds,
struct loadparm_context *lp_ctx)
{
NTSTATUS status;
TALLOC_CTX *tmp_ctx = NULL;
DATA_BLOB input = data_blob(NULL, 0);
DATA_BLOB output = data_blob(NULL, 0);
struct ldap_message **sasl_mechs_msgs;
struct ldap_SearchResEntry *search;
int count, i;
const char **sasl_names;
uint32_t old_gensec_features;
static const char *supported_sasl_mech_attrs[] = {
"supportedSASLMechanisms",
NULL
};
unsigned int logon_retries = 0;
status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs,
false, NULL, NULL, &sasl_mechs_msgs);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n",
nt_errstr(status)));
goto failed;
}
count = ildap_count_entries(conn, sasl_mechs_msgs);
if (count != 1) {
DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n",
count));
goto failed;
}
tmp_ctx = talloc_new(conn);
if (tmp_ctx == NULL) goto failed;
search = &sasl_mechs_msgs[0]->r.SearchResultEntry;
if (search->num_attributes != 1) {
DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d != 1\n",
search->num_attributes));
goto failed;
}
sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1);
if (!sasl_names) {
DEBUG(1, ("talloc_arry(char *, %d) failed\n",
count));
goto failed;
}
for (i=0; i<search->attributes[0].num_values; i++) {
sasl_names[i] = (const char *)search->attributes[0].values[i].data;
}
sasl_names[i] = NULL;
gensec_init();
try_logon_again:
/*
we loop back here on a logon failure, and re-create the
gensec session. The logon_retries counter ensures we don't
loop forever.
*/
status = gensec_client_start(conn, &conn->gensec,
lpcfg_gensec_settings(conn, lp_ctx));
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status)));
goto failed;
}
/* require Kerberos SIGN/SEAL only if we don't use SSL
* Windows seem not to like double encryption */
old_gensec_features = cli_credentials_get_gensec_features(creds);
if (tls_enabled(conn->sock)) {
cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL));
}
/* this call also sets the gensec_want_features */
status = gensec_set_credentials(conn->gensec, creds);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to set GENSEC creds: %s\n",
nt_errstr(status)));
goto failed;
}
/* reset the original gensec_features (on the credentials
* context, so we don't tatoo it ) */
cli_credentials_set_gensec_features(creds, old_gensec_features);
if (conn->host) {
status = gensec_set_target_hostname(conn->gensec, conn->host);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
nt_errstr(status)));
goto failed;
}
}
status = gensec_set_target_service(conn->gensec, "ldap");
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to set GENSEC target service: %s\n",
nt_errstr(status)));
goto failed;
}
status = gensec_start_mech_by_sasl_list(conn->gensec, sasl_names);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("None of the %d proposed SASL mechs were acceptable: %s\n",
count, nt_errstr(status)));
goto failed;
}
while (1) {
NTSTATUS gensec_status;
struct ldap_message *response;
struct ldap_message *msg;
struct ldap_request *req;
int result = LDAP_OTHER;
status = gensec_update(conn->gensec, tmp_ctx,
conn->event.event_ctx,
input,
&output);
/* The status value here, from GENSEC is vital to the security
* of the system. Even if the other end accepts, if GENSEC
* claims 'MORE_PROCESSING_REQUIRED' then you must keep
* feeding it blobs, or else the remote host/attacker might
* avoid mutal authentication requirements.
*
* Likewise, you must not feed GENSEC too much (after the OK),
* it doesn't like that either
*/
gensec_status = status;
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
!NT_STATUS_IS_OK(status)) {
break;
}
if (NT_STATUS_IS_OK(status) && output.length == 0) {
break;
}
/* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */
msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL));
if (msg == NULL) {
status = NT_STATUS_NO_MEMORY;
goto failed;
}
req = ldap_request_send(conn, msg);
if (req == NULL) {
status = NT_STATUS_NO_MEMORY;
goto failed;
}
talloc_reparent(conn, tmp_ctx, req);
status = ldap_result_n(req, 0, &response);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
if (response->type != LDAP_TAG_BindResponse) {
status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
goto failed;
}
result = response->r.BindResponse.response.resultcode;
if (result == LDAP_INVALID_CREDENTIALS) {
/*
try a second time on invalid credentials, to
give the user a chance to re-enter the
password and to handle the case where our
kerberos ticket is invalid as the server
password has changed
*/
const char *principal;
principal = gensec_get_target_principal(conn->gensec);
if (principal == NULL) {
const char *hostname = gensec_get_target_hostname(conn->gensec);
const char *service = gensec_get_target_service(conn->gensec);
if (hostname != NULL && service != NULL) {
principal = talloc_asprintf(tmp_ctx, "%s/%s", service, hostname);
}
}
if (cli_credentials_failed_kerberos_login(creds, principal, &logon_retries) ||
cli_credentials_wrong_password(creds)) {
/*
destroy our gensec session and loop
back up to the top to retry,
offering the user a chance to enter
new credentials, or get a new ticket
if using kerberos
*/
talloc_free(conn->gensec);
conn->gensec = NULL;
goto try_logon_again;
}
}
if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) {
status = ldap_check_response(conn,
&response->r.BindResponse.response);
break;
}
/* This is where we check if GENSEC wanted to be fed more data */
if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
break;
}
if (response->r.BindResponse.SASL.secblob) {
input = *response->r.BindResponse.SASL.secblob;
} else {
input = data_blob(NULL, 0);
}
}
talloc_free(tmp_ctx);
if (NT_STATUS_IS_OK(status)) {
struct socket_context *sasl_socket;
status = gensec_socket_init(conn->gensec,
conn,
conn->sock,
conn->event.event_ctx,
ldap_read_io_handler,
conn,
&sasl_socket);
if (!NT_STATUS_IS_OK(status)) goto failed;
conn->sock = sasl_socket;
packet_set_socket(conn->packet, conn->sock);
conn->bind.type = LDAP_BIND_SASL;
conn->bind.creds = creds;
}
return status;
failed:
talloc_free(tmp_ctx);
talloc_free(conn->gensec);
conn->gensec = NULL;
return status;
}
/*
handler for completion of a smbcli_request sub-request
*/
static void request_handler(struct smbcli_request *req)
{
struct composite_context *c = (struct composite_context *)req->async.private_data;
struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
struct smbcli_session *session = req->session;
DATA_BLOB null_data_blob = data_blob(NULL, 0);
NTSTATUS session_key_err, nt_status;
struct smbcli_request *check_req = NULL;
const char *os = NULL;
const char *lanman = NULL;
if (req->sign_caller_checks) {
req->do_not_free = true;
check_req = req;
}
state->remote_status = smb_raw_sesssetup_recv(req, state, &state->setup);
c->status = state->remote_status;
state->req = NULL;
/*
* we only need to check the signature if the
* NT_STATUS_OK is returned
*/
if (!NT_STATUS_IS_OK(state->remote_status)) {
talloc_free(check_req);
check_req = NULL;
}
switch (state->setup.old.level) {
case RAW_SESSSETUP_OLD:
state->io->out.vuid = state->setup.old.out.vuid;
/* This doesn't work, as this only happens on old
* protocols, where this comparison won't match. */
if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
/* we neet to reset the vuid for a new try */
session->vuid = 0;
if (cli_credentials_wrong_password(state->io->in.credentials)) {
nt_status = session_setup_old(c, session,
state->io,
&state->req);
if (NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_req);
c->status = nt_status;
composite_continue_smb(c, state->req, request_handler, c);
return;
}
}
}
os = state->setup.old.out.os;
lanman = state->setup.old.out.lanman;
break;
case RAW_SESSSETUP_NT1:
state->io->out.vuid = state->setup.nt1.out.vuid;
if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
/* we need to reset the vuid for a new try */
session->vuid = 0;
if (cli_credentials_wrong_password(state->io->in.credentials)) {
nt_status = session_setup_nt1(c, session,
state->io,
&state->req);
if (NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_req);
c->status = nt_status;
composite_continue_smb(c, state->req, request_handler, c);
return;
}
}
}
os = state->setup.nt1.out.os;
lanman = state->setup.nt1.out.lanman;
break;
case RAW_SESSSETUP_SPNEGO:
state->io->out.vuid = state->setup.spnego.out.vuid;
if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
const char *principal;
/* we need to reset the vuid for a new try */
session->vuid = 0;
principal = gensec_get_target_principal(session->gensec);
if (principal == NULL) {
const char *hostname = gensec_get_target_hostname(session->gensec);
const char *service = gensec_get_target_service(session->gensec);
if (hostname != NULL && service != NULL) {
principal = talloc_asprintf(state, "%s/%s", service, hostname);
}
}
if (cli_credentials_failed_kerberos_login(state->io->in.credentials, principal, &state->logon_retries) ||
cli_credentials_wrong_password(state->io->in.credentials)) {
nt_status = session_setup_spnego(c, session,
state->io,
&state->req);
if (NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_req);
c->status = nt_status;
composite_continue_smb(c, state->req, request_handler, c);
return;
}
}
}
if (!NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
!NT_STATUS_IS_OK(c->status)) {
break;
}
if (NT_STATUS_EQUAL(state->gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
/* The status value here, from the earlier pass at GENSEC is
* vital to the security of the system. Even if the other end
* accepts, if GENSEC claims 'MORE_PROCESSING_REQUIRED' then
* you must keep feeding it blobs, or else the remote
* host/attacker might avoid mutal authentication
* requirements */
state->gensec_status = gensec_update(session->gensec, state, c->event_ctx,
state->setup.spnego.out.secblob,
&state->setup.spnego.in.secblob);
c->status = state->gensec_status;
if (!NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
!NT_STATUS_IS_OK(c->status)) {
break;
}
} else {
state->setup.spnego.in.secblob = data_blob(NULL, 0);
}
if (NT_STATUS_IS_OK(state->remote_status)) {
DATA_BLOB session_key;
if (state->setup.spnego.in.secblob.length) {
c->status = NT_STATUS_INTERNAL_ERROR;
break;
}
session_key_err = gensec_session_key(session->gensec, session, &session_key);
if (NT_STATUS_IS_OK(session_key_err)) {
smb1cli_conn_activate_signing(session->transport->conn,
session_key,
null_data_blob);
}
c->status = smb1cli_session_set_session_key(session->smbXcli,
session_key);
data_blob_free(&session_key);
if (!NT_STATUS_IS_OK(c->status)) {
break;
}
}
if (state->setup.spnego.in.secblob.length) {
/*
* set the session->vuid value only for calling
* smb_raw_sesssetup_send()
*/
uint16_t vuid = session->vuid;
session->vuid = state->io->out.vuid;
state->req = smb_raw_sesssetup_send(session, &state->setup);
session->vuid = vuid;
if (state->req &&
!smb1cli_conn_signing_is_active(state->req->transport->conn)) {
state->req->sign_caller_checks = true;
}
composite_continue_smb(c, state->req, request_handler, c);
return;
}
os = state->setup.spnego.out.os;
lanman = state->setup.spnego.out.lanman;
break;
case RAW_SESSSETUP_SMB2:
c->status = NT_STATUS_INTERNAL_ERROR;
break;
}
if (check_req) {
bool ok;
check_req->sign_caller_checks = false;
ok = smb1cli_conn_check_signing(check_req->transport->conn,
check_req->in.buffer, 1);
if (!ok) {
c->status = NT_STATUS_ACCESS_DENIED;
}
talloc_free(check_req);
check_req = NULL;
}
if (!NT_STATUS_IS_OK(c->status)) {
composite_error(c, c->status);
return;
}
if (os) {
session->os = talloc_strdup(session, os);
if (composite_nomem(session->os, c)) return;
} else {
session->os = NULL;
}
if (lanman) {
session->lanman = talloc_strdup(session, lanman);
if (composite_nomem(session->lanman, c)) return;
} else {
session->lanman = NULL;
}
composite_done(c);
}
static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
struct loadparm_context *lp_ctx,
char *buf, int length, void **private1,
unsigned int mux_id, void **private2)
{
DATA_BLOB in;
DATA_BLOB out = data_blob(NULL, 0);
char *out_base64 = NULL;
const char *reply_arg = NULL;
struct gensec_ntlm_state {
struct gensec_security *gensec_state;
const char *set_password;
};
struct gensec_ntlm_state *state;
struct tevent_context *ev;
struct imessaging_context *msg;
NTSTATUS nt_status;
bool first = false;
const char *reply_code;
struct cli_credentials *creds;
static char *want_feature_list = NULL;
static DATA_BLOB session_key;
TALLOC_CTX *mem_ctx;
if (*private1) {
state = (struct gensec_ntlm_state *)*private1;
} else {
state = talloc_zero(NULL, struct gensec_ntlm_state);
if (!state) {
mux_printf(mux_id, "BH No Memory\n");
exit(1);
}
*private1 = state;
if (opt_password) {
state->set_password = opt_password;
}
}
if (strlen(buf) < 2) {
DEBUG(1, ("query [%s] invalid", buf));
mux_printf(mux_id, "BH Query invalid\n");
return;
}
if (strlen(buf) > 3) {
if(strncmp(buf, "SF ", 3) == 0) {
DEBUG(10, ("Setting flags to negotiate\n"));
talloc_free(want_feature_list);
want_feature_list = talloc_strndup(state, buf+3, strlen(buf)-3);
mux_printf(mux_id, "OK\n");
return;
}
in = base64_decode_data_blob(buf + 3);
} else {
in = data_blob(NULL, 0);
}
if (strncmp(buf, "YR", 2) == 0) {
if (state->gensec_state) {
talloc_free(state->gensec_state);
state->gensec_state = NULL;
}
} else if ( (strncmp(buf, "OK", 2) == 0)) {
/* Just return BH, like ntlm_auth from Samba 3 does. */
mux_printf(mux_id, "BH Command expected\n");
data_blob_free(&in);
return;
} else if ( (strncmp(buf, "TT ", 3) != 0) &&
(strncmp(buf, "KK ", 3) != 0) &&
(strncmp(buf, "AF ", 3) != 0) &&
(strncmp(buf, "NA ", 3) != 0) &&
(strncmp(buf, "UG", 2) != 0) &&
(strncmp(buf, "PW ", 3) != 0) &&
(strncmp(buf, "GK", 2) != 0) &&
(strncmp(buf, "GF", 2) != 0)) {
DEBUG(1, ("SPNEGO request [%s] invalid\n", buf));
mux_printf(mux_id, "BH SPNEGO request invalid\n");
data_blob_free(&in);
return;
}
ev = s4_event_context_init(state);
if (!ev) {
exit(1);
}
mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
/* setup gensec */
if (!(state->gensec_state)) {
switch (stdio_helper_mode) {
case GSS_SPNEGO_CLIENT:
case NTLMSSP_CLIENT_1:
/* setup the client side */
nt_status = gensec_client_start(NULL, &state->gensec_state, ev,
lpcfg_gensec_settings(NULL, lp_ctx));
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
exit(1);
}
break;
case GSS_SPNEGO_SERVER:
case SQUID_2_5_NTLMSSP:
{
const char *winbind_method[] = { "winbind", NULL };
struct auth4_context *auth_context;
msg = imessaging_client_init(state, lpcfg_imessaging_path(state, lp_ctx), ev);
if (!msg) {
talloc_free(mem_ctx);
exit(1);
}
nt_status = auth_context_create_methods(mem_ctx,
winbind_method,
ev,
msg,
lp_ctx,
NULL,
&auth_context);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
exit(1);
}
if (!NT_STATUS_IS_OK(gensec_server_start(state, ev,
lpcfg_gensec_settings(state, lp_ctx),
auth_context, &state->gensec_state))) {
talloc_free(mem_ctx);
exit(1);
}
break;
}
default:
talloc_free(mem_ctx);
abort();
}
creds = cli_credentials_init(state->gensec_state);
cli_credentials_set_conf(creds, lp_ctx);
if (opt_username) {
cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED);
}
if (opt_domain) {
cli_credentials_set_domain(creds, opt_domain, CRED_SPECIFIED);
}
if (state->set_password) {
cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED);
} else {
cli_credentials_set_password_callback(creds, get_password);
creds->priv_data = (void*)(uintptr_t)mux_id;
}
if (opt_workstation) {
cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED);
}
switch (stdio_helper_mode) {
case GSS_SPNEGO_SERVER:
case SQUID_2_5_NTLMSSP:
cli_credentials_set_machine_account(creds, lp_ctx);
break;
default:
break;
}
gensec_set_credentials(state->gensec_state, creds);
gensec_want_feature_list(state->gensec_state, want_feature_list);
switch (stdio_helper_mode) {
case GSS_SPNEGO_CLIENT:
case GSS_SPNEGO_SERVER:
nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_SPNEGO);
if (!in.length) {
first = true;
}
break;
case NTLMSSP_CLIENT_1:
if (!in.length) {
first = true;
}
/* fall through */
case SQUID_2_5_NTLMSSP:
nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_NTLMSSP);
break;
default:
talloc_free(mem_ctx);
abort();
}
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("GENSEC mech failed to start: %s\n", nt_errstr(nt_status)));
mux_printf(mux_id, "BH GENSEC mech failed to start\n");
talloc_free(mem_ctx);
return;
}
}
/* update */
if (strncmp(buf, "PW ", 3) == 0) {
state->set_password = talloc_strndup(state,
(const char *)in.data,
in.length);
cli_credentials_set_password(gensec_get_credentials(state->gensec_state),
state->set_password,
CRED_SPECIFIED);
mux_printf(mux_id, "OK\n");
data_blob_free(&in);
talloc_free(mem_ctx);
return;
}
if (strncmp(buf, "UG", 2) == 0) {
int i;
char *grouplist = NULL;
struct auth_session_info *session_info;
nt_status = gensec_session_info(state->gensec_state, mem_ctx, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("gensec_session_info failed: %s\n", nt_errstr(nt_status)));
mux_printf(mux_id, "BH %s\n", nt_errstr(nt_status));
data_blob_free(&in);
talloc_free(mem_ctx);
return;
}
/* get the string onto the context */
grouplist = talloc_strdup(mem_ctx, "");
for (i=0; i<session_info->security_token->num_sids; i++) {
struct security_token *token = session_info->security_token;
const char *sidstr = dom_sid_string(session_info,
&token->sids[i]);
grouplist = talloc_asprintf_append_buffer(grouplist, "%s,", sidstr);
}
mux_printf(mux_id, "GL %s\n", grouplist);
talloc_free(session_info);
data_blob_free(&in);
talloc_free(mem_ctx);
return;
}
if (strncmp(buf, "GK", 2) == 0) {
char *base64_key;
DEBUG(10, ("Requested session key\n"));
nt_status = gensec_session_key(state->gensec_state, mem_ctx, &session_key);
if(!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("gensec_session_key failed: %s\n", nt_errstr(nt_status)));
mux_printf(mux_id, "BH No session key\n");
talloc_free(mem_ctx);
return;
} else {
base64_key = base64_encode_data_blob(state, session_key);
mux_printf(mux_id, "GK %s\n", base64_key);
talloc_free(base64_key);
}
talloc_free(mem_ctx);
return;
}
if (strncmp(buf, "GF", 2) == 0) {
struct ntlmssp_state *ntlmssp_state;
uint32_t neg_flags;
ntlmssp_state = talloc_get_type(state->gensec_state->private_data,
struct ntlmssp_state);
neg_flags = ntlmssp_state->neg_flags;
DEBUG(10, ("Requested negotiated feature flags\n"));
mux_printf(mux_id, "GF 0x%08x\n", neg_flags);
return;
}
nt_status = gensec_update(state->gensec_state, mem_ctx, in, &out);
/* don't leak 'bad password'/'no such user' info to the network client */
nt_status = nt_status_squash(nt_status);
if (out.length) {
out_base64 = base64_encode_data_blob(mem_ctx, out);
} else {
out_base64 = NULL;
}
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
reply_arg = "*";
if (first) {
reply_code = "YR";
} else if (state->gensec_state->gensec_role == GENSEC_CLIENT) {
reply_code = "KK";
} else if (state->gensec_state->gensec_role == GENSEC_SERVER) {
reply_code = "TT";
} else {
abort();
}
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
reply_code = "BH NT_STATUS_ACCESS_DENIED";
reply_arg = nt_errstr(nt_status);
DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status)));
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_UNSUCCESSFUL)) {
reply_code = "BH NT_STATUS_UNSUCCESSFUL";
reply_arg = nt_errstr(nt_status);
DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status)));
} else if (!NT_STATUS_IS_OK(nt_status)) {
reply_code = "NA";
reply_arg = nt_errstr(nt_status);
DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status)));
} else if /* OK */ (state->gensec_state->gensec_role == GENSEC_SERVER) {
struct auth_session_info *session_info;
nt_status = gensec_session_info(state->gensec_state, mem_ctx, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
reply_code = "BH Failed to retrive session info";
reply_arg = nt_errstr(nt_status);
DEBUG(1, ("GENSEC failed to retrieve the session info: %s\n", nt_errstr(nt_status)));
} else {
reply_code = "AF";
reply_arg = talloc_asprintf(state->gensec_state,
"%s%s%s", session_info->info->domain_name,
lpcfg_winbind_separator(lp_ctx), session_info->info->account_name);
talloc_free(session_info);
}
} else if (state->gensec_state->gensec_role == GENSEC_CLIENT) {
reply_code = "AF";
reply_arg = out_base64;
} else {
abort();
}
switch (stdio_helper_mode) {
case GSS_SPNEGO_SERVER:
mux_printf(mux_id, "%s %s %s\n", reply_code,
out_base64 ? out_base64 : "*",
reply_arg ? reply_arg : "*");
break;
default:
if (out_base64) {
mux_printf(mux_id, "%s %s\n", reply_code, out_base64);
} else if (reply_arg) {
mux_printf(mux_id, "%s %s\n", reply_code, reply_arg);
} else {
mux_printf(mux_id, "%s\n", reply_code);
}
}
talloc_free(mem_ctx);
return;
}
