static NTSTATUS make_new_session_info_guest(struct auth_session_info **session_info, struct auth_serversupplied_info **server_info)
{
static const char zeros[16] = {0};
const char *guest_account = lp_guestaccount();
const char *domain = lp_netbios_name();
struct netr_SamInfo3 info3;
TALLOC_CTX *tmp_ctx;
NTSTATUS status;
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCT(info3);
status = get_guest_info3(tmp_ctx, &info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("get_guest_info3 failed with %s\n",
nt_errstr(status)));
goto done;
}
status = make_server_info_info3(tmp_ctx,
guest_account,
domain,
server_info,
&info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("make_server_info_info3 failed with %s\n",
nt_errstr(status)));
goto done;
}
(*server_info)->guest = true;
/* This should not be done here (we should produce a server
* info, and later construct a session info from it), but for
* now this does not change the previous behavior */
status = create_local_token(tmp_ctx, *server_info, NULL,
(*server_info)->info3->base.account_name.string,
session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("create_local_token failed: %s\n",
nt_errstr(status)));
goto done;
}
talloc_steal(NULL, *session_info);
talloc_steal(NULL, *server_info);
/* annoying, but the Guest really does have a session key, and it is
all zeros! */
(*session_info)->session_key = data_blob(zeros, sizeof(zeros));
status = NT_STATUS_OK;
done:
TALLOC_FREE(tmp_ctx);
return status;
}
static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **server_info)
{
static const char zeros[16] = {0};
const char *guest_account = lp_guestaccount();
const char *domain = global_myname();
struct netr_SamInfo3 info3;
TALLOC_CTX *tmp_ctx;
NTSTATUS status;
fstring tmp;
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCT(info3);
status = get_guest_info3(tmp_ctx, &info3);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
status = make_server_info_info3(tmp_ctx,
guest_account,
domain,
server_info,
&info3);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
(*server_info)->guest = True;
status = create_local_token(*server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("create_local_token failed: %s\n",
nt_errstr(status)));
goto done;
}
/* annoying, but the Guest really does have a session key, and it is
all zeros! */
(*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
(*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
alpha_strcpy(tmp, (*server_info)->info3->base.account_name.string,
". _-$", sizeof(tmp));
(*server_info)->sanitized_username = talloc_strdup(*server_info, tmp);
status = NT_STATUS_OK;
done:
TALLOC_FREE(tmp_ctx);
return status;
}
static NTSTATUS make_system_session_info_from_pw(TALLOC_CTX *mem_ctx,
struct passwd *pwd,
struct auth_serversupplied_info **server_info)
{
const char *domain = global_myname();
struct netr_SamInfo3 info3;
TALLOC_CTX *tmp_ctx;
NTSTATUS status;
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCT(info3);
status = get_system_info3(tmp_ctx, pwd, &info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed creating system info3 with %s\n",
nt_errstr(status)));
goto done;
}
status = make_server_info_info3(mem_ctx,
pwd->pw_name,
domain,
server_info,
&info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("make_server_info_info3 failed with %s\n",
nt_errstr(status)));
goto done;
}
(*server_info)->nss_token = true;
/* Now turn the server_info into a session_info with the full token etc */
status = create_local_token(*server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("create_local_token failed: %s\n",
nt_errstr(status)));
goto done;
}
status = NT_STATUS_OK;
done:
TALLOC_FREE(tmp_ctx);
return status;
}
NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
const char *sent_nt_username,
const char *domain,
const struct wbcAuthUserInfo *info,
struct auth_serversupplied_info **server_info)
{
struct netr_SamInfo3 *info3;
info3 = wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info);
if (!info3) {
return NT_STATUS_NO_MEMORY;
}
return make_server_info_info3(mem_ctx,
sent_nt_username, domain,
server_info, info3);
}
NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
const char *sent_nt_username,
const char *domain,
const struct wbcAuthUserInfo *info,
struct auth_serversupplied_info **server_info)
{
struct netr_SamInfo3 info3;
struct netr_SamInfo6 *info6;
info6 = wbcAuthUserInfo_to_netr_SamInfo6(mem_ctx, info);
if (!info6) {
return NT_STATUS_NO_MEMORY;
}
info3.base = info6->base;
info3.sidcount = info6->sidcount;
info3.sids = info6->sids;
return make_server_info_info3(mem_ctx,
sent_nt_username, domain,
server_info, &info3);
}
static NTSTATUS check_netlogond_security(const struct auth_context *auth_context,
void *my_private_data,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **server_info)
{
TALLOC_CTX *frame = talloc_stackframe();
struct netr_SamInfo3 *info3 = NULL;
struct rpc_pipe_client *p = NULL;
struct pipe_auth_data *auth = NULL;
uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
uint8_t machine_password[16];
struct netlogon_creds_CredentialState *creds;
NTSTATUS schannel_bind_result, status;
struct named_mutex *mutex = NULL;
const char *ncalrpcsock;
DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
ncalrpcsock = lp_parm_const_string(
GLOBAL_SECTION_SNUM, "auth_netlogond", "socket", NULL);
if (ncalrpcsock == NULL) {
ncalrpcsock = talloc_asprintf(talloc_tos(), "%s/%s",
get_dyn_NCALRPCDIR(), "DEFAULT");
}
if (ncalrpcsock == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
creds = secrets_fetch_local_schannel_creds(talloc_tos());
if (creds == NULL) {
goto new_key;
}
status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock,
creds, user_info, &info3,
&schannel_bind_result);
DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status)));
if (NT_STATUS_IS_OK(status)) {
goto okay;
}
if (NT_STATUS_IS_OK(schannel_bind_result)) {
/*
* This is a real failure from the DC
*/
goto done;
}
new_key:
mutex = grab_named_mutex(talloc_tos(), "LOCAL_SCHANNEL_KEY", 60);
if (mutex == NULL) {
DEBUG(10, ("Could not get mutex LOCAL_SCHANNEL_KEY\n"));
status = NT_STATUS_ACCESS_DENIED;
goto done;
}
DEBUG(10, ("schannel bind failed, setting up new key\n"));
status = rpc_pipe_open_ncalrpc(talloc_tos(), ncalrpcsock,
&ndr_table_netlogon.syntax_id, &p);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("rpc_pipe_open_ncalrpc failed: %s\n",
nt_errstr(status)));
goto done;
}
status = rpccli_anon_bind_data(p, &auth);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("rpccli_anon_bind_data failed: %s\n",
nt_errstr(status)));
goto done;
}
status = rpc_pipe_bind(p, auth);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
goto done;
}
status = mymachinepw(machine_password);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("mymachinepw failed: %s\n", nt_errstr(status)));
goto done;
}
DEBUG(10, ("machinepw "));
dump_data(10, machine_password, 16);
status = rpccli_netlogon_setup_creds(
p, global_myname(), lp_workgroup(), global_myname(),
global_myname(), machine_password, SEC_CHAN_BDC, &neg_flags);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("rpccli_netlogon_setup_creds failed: %s\n",
nt_errstr(status)));
goto done;
}
secrets_store_local_schannel_creds(p->dc);
/*
* Retry the authentication with the mutex held. This way nobody else
* can step on our toes.
*/
status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock,
p->dc, user_info, &info3,
&schannel_bind_result);
TALLOC_FREE(p);
DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status)));
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
okay:
status = make_server_info_info3(mem_ctx, user_info->client.account_name,
user_info->mapped.domain_name, server_info,
info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("make_server_info_info3 failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(frame);
return status;
}
status = NT_STATUS_OK;
done:
TALLOC_FREE(frame);
return status;
}
static NTSTATUS check_samba4_security(const struct auth_context *auth_context,
void *my_private_data,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **server_info)
{
TALLOC_CTX *frame = talloc_stackframe();
struct netr_SamInfo3 *info3 = NULL;
NTSTATUS nt_status;
struct auth_user_info_dc *user_info_dc;
struct auth4_context *auth4_context;
struct loadparm_context *lp_ctx;
lp_ctx = loadparm_init_s3(frame, loadparm_s3_context());
if (lp_ctx == NULL) {
DEBUG(10, ("loadparm_init_s3 failed\n"));
talloc_free(frame);
return NT_STATUS_INVALID_SERVER_STATE;
}
/* We create a private tevent context here to avoid nested loops in
* the s3 one, as that may not be expected */
nt_status = auth_context_create(mem_ctx,
s4_event_context_init(frame), NULL,
lp_ctx,
&auth4_context);
NT_STATUS_NOT_OK_RETURN(nt_status);
nt_status = auth_context_set_challenge(auth4_context, auth_context->challenge.data, "auth_samba4");
NT_STATUS_NOT_OK_RETURN_AND_FREE(nt_status, auth4_context);
nt_status = auth_check_password(auth4_context, auth4_context, user_info, &user_info_dc);
NT_STATUS_NOT_OK_RETURN_AND_FREE(nt_status, auth4_context);
nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx,
user_info_dc,
&info3);
if (NT_STATUS_IS_OK(nt_status)) {
/* We need the strings from the server_info to be valid as long as the info3 is around */
talloc_steal(info3, user_info_dc);
}
talloc_free(auth4_context);
if (!NT_STATUS_IS_OK(nt_status)) {
goto done;
}
nt_status = make_server_info_info3(mem_ctx, user_info->client.account_name,
user_info->mapped.domain_name, server_info,
info3);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(10, ("make_server_info_info3 failed: %s\n",
nt_errstr(nt_status)));
TALLOC_FREE(frame);
return nt_status;
}
nt_status = NT_STATUS_OK;
done:
TALLOC_FREE(frame);
return nt_status;
}
/* Creates a pipes_struct and initializes it with the information
* sent from the client */
static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
struct messaging_context *msg_ctx,
const char *pipe_name,
enum dcerpc_transport_t transport,
bool ncalrpc_as_system,
const struct tsocket_address *local_address,
const struct tsocket_address *remote_address,
struct auth_session_info *session_info,
struct pipes_struct **_p,
int *perrno)
{
struct pipes_struct *p;
NTSTATUS status;
int ret;
ret = make_base_pipes_struct(mem_ctx, msg_ctx, pipe_name,
transport, RPC_LITTLE_ENDIAN,
ncalrpc_as_system,
remote_address, local_address, &p);
if (ret) {
*perrno = ret;
return -1;
}
if (session_info->unix_token && session_info->unix_info && session_info->security_token) {
/* Don't call create_local_token(), we already have the full details here */
p->session_info = talloc_steal(p, session_info);
} else {
struct auth_user_info_dc *auth_user_info_dc;
struct auth_serversupplied_info *server_info;
struct netr_SamInfo3 *info3;
/* Fake up an auth_user_info_dc for now, to make an info3, to make the session_info structure */
auth_user_info_dc = talloc_zero(p, struct auth_user_info_dc);
if (!auth_user_info_dc) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
auth_user_info_dc->num_sids = session_info->security_token->num_sids;
auth_user_info_dc->sids = session_info->security_token->sids;
auth_user_info_dc->info = session_info->info;
auth_user_info_dc->user_session_key = session_info->session_key;
/* This creates the input structure that make_server_info_info3 is looking for */
status = auth_convert_user_info_dc_saminfo3(p, auth_user_info_dc,
&info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to convert auth_user_info_dc into netr_SamInfo3\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
status = make_server_info_info3(p,
info3->base.account_name.string,
info3->base.logon_domain.string,
&server_info, info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to init server info\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
/*
* Some internal functions need a local token to determine access to
* resources.
*/
status = create_local_token(p, server_info, &session_info->session_key, info3->base.account_name.string,
&p->session_info);
talloc_free(server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to init local auth token\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
}
*_p = p;
return 0;
}
/* Creates a pipes_struct and initializes it with the information
* sent from the client */
static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
const char *pipe_name,
const struct ndr_syntax_id id,
enum dcerpc_transport_t transport,
bool ncalrpc_as_system,
const char *client_address,
const char *server_address,
struct auth_session_info_transport *session_info,
struct pipes_struct **_p,
int *perrno)
{
struct netr_SamInfo3 *info3;
struct auth_user_info_dc *auth_user_info_dc;
struct pipes_struct *p;
NTSTATUS status;
bool ok;
p = talloc_zero(mem_ctx, struct pipes_struct);
if (!p) {
*perrno = ENOMEM;
return -1;
}
p->syntax = id;
p->transport = transport;
p->ncalrpc_as_system = ncalrpc_as_system;
p->allow_bind = true;
p->mem_ctx = talloc_named(p, 0, "pipe %s %p", pipe_name, p);
if (!p->mem_ctx) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
ok = init_pipe_handles(p, &id);
if (!ok) {
DEBUG(1, ("Failed to init handles\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
data_blob_free(&p->in_data.data);
data_blob_free(&p->in_data.pdu);
p->endian = RPC_LITTLE_ENDIAN;
/* Fake up an auth_user_info_dc for now, to make an info3, to make the session_info structure */
auth_user_info_dc = talloc_zero(p, struct auth_user_info_dc);
if (!auth_user_info_dc) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
auth_user_info_dc->num_sids = session_info->security_token->num_sids;
auth_user_info_dc->sids = session_info->security_token->sids;
auth_user_info_dc->info = session_info->info;
auth_user_info_dc->user_session_key = session_info->session_key;
/* This creates the input structure that make_server_info_info3 is looking for */
status = auth_convert_user_info_dc_saminfo3(p, auth_user_info_dc,
&info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to convert auth_user_info_dc into netr_SamInfo3\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
status = make_server_info_info3(p,
info3->base.account_name.string,
info3->base.domain.string,
&p->session_info, info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to init server info\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
/*
* Some internal functions need a local token to determine access to
* resoutrces.
*/
status = create_local_token(p->session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to init local auth token\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
/* Now override the session_info->security_token with the exact
* security_token we were given from the other side,
* regardless of what we just calculated */
p->session_info->security_token = talloc_move(p->session_info, &session_info->security_token);
/* Also set the session key to the correct value */
p->session_info->user_session_key = session_info->session_key;
p->session_info->user_session_key.data = talloc_move(p->session_info, &session_info->session_key.data);
p->client_id = talloc_zero(p, struct client_address);
if (!p->client_id) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
strlcpy(p->client_id->addr,
client_address, sizeof(p->client_id->addr));
p->client_id->name = talloc_strdup(p->client_id, client_address);
if (p->client_id->name == NULL) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
if (server_address != NULL) {
p->server_id = talloc_zero(p, struct client_address);
if (p->client_id == NULL) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
strlcpy(p->server_id->addr,
server_address,
sizeof(p->server_id->addr));
p->server_id->name = talloc_strdup(p->server_id,
server_address);
if (p->server_id->name == NULL) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
}
static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
void *my_private_data,
TALLOC_CTX *mem_ctx,
const auth_usersupplied_info *user_info,
auth_serversupplied_info **server_info)
{
struct winbindd_request request;
struct winbindd_response response;
NSS_STATUS result;
NTSTATUS nt_status;
NET_USER_INFO_3 info3;
if (!user_info) {
return NT_STATUS_INVALID_PARAMETER;
}
if (!auth_context) {
DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n",
user_info->internal_username.str));
return NT_STATUS_INVALID_PARAMETER;
}
if (strequal(user_info->domain.str, get_global_sam_name())) {
DEBUG(3,("check_winbind_security: Not using winbind, requested domain [%s] was for this SAM.\n",
user_info->domain.str));
return NT_STATUS_NOT_IMPLEMENTED;
}
/* Send off request */
ZERO_STRUCT(request);
ZERO_STRUCT(response);
request.flags = WBFLAG_PAM_INFO3_NDR;
fstrcpy(request.data.auth_crap.user,
user_info->smb_name.str);
fstrcpy(request.data.auth_crap.domain,
user_info->domain.str);
fstrcpy(request.data.auth_crap.workstation,
user_info->wksta_name.str);
memcpy(request.data.auth_crap.chal, auth_context->challenge.data, sizeof(request.data.auth_crap.chal));
request.data.auth_crap.lm_resp_len = MIN(user_info->lm_resp.length,
sizeof(request.data.auth_crap.lm_resp));
request.data.auth_crap.nt_resp_len = MIN(user_info->nt_resp.length,
sizeof(request.data.auth_crap.nt_resp));
memcpy(request.data.auth_crap.lm_resp, user_info->lm_resp.data,
request.data.auth_crap.lm_resp_len);
memcpy(request.data.auth_crap.nt_resp, user_info->nt_resp.data,
request.data.auth_crap.nt_resp_len);
/* we are contacting the privileged pipe */
become_root();
result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response);
unbecome_root();
if ( result == NSS_STATUS_UNAVAIL ) {
struct auth_methods *auth_method = my_private_data;
if ( auth_method )
return auth_method->auth(auth_context, auth_method->private_data,
mem_ctx, user_info, server_info);
else
/* log an error since this should not happen */
DEBUG(0,("check_winbind_security: ERROR! my_private_data == NULL!\n"));
}
nt_status = NT_STATUS(response.data.auth.nt_status);
if (result == NSS_STATUS_SUCCESS && response.extra_data) {
if (NT_STATUS_IS_OK(nt_status)) {
if (NT_STATUS_IS_OK(nt_status = get_info3_from_ndr(mem_ctx, &response, &info3))) {
nt_status = make_server_info_info3(mem_ctx,
user_info->internal_username.str,
user_info->smb_name.str, user_info->domain.str,
server_info, &info3);
}
}
} else if (NT_STATUS_IS_OK(nt_status)) {
nt_status = NT_STATUS_NO_LOGON_SERVERS;
}
SAFE_FREE(response.extra_data);
return nt_status;
}
NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
char *ntuser,
char *ntdomain,
char *username,
struct passwd *pw,
struct PAC_LOGON_INFO *logon_info,
bool mapped_to_guest, bool username_was_mapped,
DATA_BLOB *session_key,
struct auth_session_info **session_info)
{
NTSTATUS status;
struct auth_serversupplied_info *server_info;
if (mapped_to_guest) {
status = make_server_info_guest(mem_ctx, &server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("make_server_info_guest failed: %s!\n",
nt_errstr(status)));
return status;
}
} else if (logon_info) {
/* pass the unmapped username here since map_username()
will be called again in make_server_info_info3() */
status = make_server_info_info3(mem_ctx,
ntuser, ntdomain,
&server_info,
&logon_info->info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("make_server_info_info3 failed: %s!\n",
nt_errstr(status)));
return status;
}
} else {
/*
* We didn't get a PAC, we have to make up the user
* ourselves. Try to ask the pdb backend to provide
* SID consistency with ntlmssp session setup
*/
struct samu *sampass;
/* The stupid make_server_info_XX functions here
don't take a talloc context. */
struct auth_serversupplied_info *tmp = NULL;
sampass = samu_new(talloc_tos());
if (sampass == NULL) {
return NT_STATUS_NO_MEMORY;
}
if (pdb_getsampwnam(sampass, username)) {
DEBUG(10, ("found user %s in passdb, calling "
"make_server_info_sam\n", username));
status = make_server_info_sam(&tmp, sampass);
} else {
/*
* User not in passdb, make it up artificially
*/
DEBUG(10, ("didn't find user %s in passdb, calling "
"make_server_info_pw\n", username));
status = make_server_info_pw(&tmp, username, pw);
}
TALLOC_FREE(sampass);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("make_server_info_[sam|pw] failed: %s!\n",
nt_errstr(status)));
return status;
}
/* make_server_info_pw does not set the domain. Without this
* we end up with the local netbios name in substitutions for
* %D. */
if (server_info->info3 != NULL) {
server_info->info3->base.domain.string =
talloc_strdup(server_info->info3, ntdomain);
}
}
server_info->nss_token |= username_was_mapped;
status = create_local_token(mem_ctx, server_info, session_key, ntuser, session_info);
talloc_free(server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("failed to create local token: %s\n",
nt_errstr(status)));
return status;
}
return NT_STATUS_OK;
}
/* Creates a pipes_struct and initializes it with the information
* sent from the client */
static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
const char *pipe_name,
enum dcerpc_transport_t transport,
bool ncalrpc_as_system,
const struct tsocket_address *local_address,
const struct tsocket_address *remote_address,
struct auth_session_info *session_info,
struct pipes_struct **_p,
int *perrno)
{
struct netr_SamInfo3 *info3;
struct auth_user_info_dc *auth_user_info_dc;
struct pipes_struct *p;
struct auth_serversupplied_info *server_info;
NTSTATUS status;
p = talloc_zero(mem_ctx, struct pipes_struct);
if (!p) {
*perrno = ENOMEM;
return -1;
}
p->transport = transport;
p->ncalrpc_as_system = ncalrpc_as_system;
p->mem_ctx = talloc_named(p, 0, "pipe %s %p", pipe_name, p);
if (!p->mem_ctx) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
data_blob_free(&p->in_data.data);
data_blob_free(&p->in_data.pdu);
p->endian = RPC_LITTLE_ENDIAN;
/* Fake up an auth_user_info_dc for now, to make an info3, to make the session_info structure */
auth_user_info_dc = talloc_zero(p, struct auth_user_info_dc);
if (!auth_user_info_dc) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
auth_user_info_dc->num_sids = session_info->security_token->num_sids;
auth_user_info_dc->sids = session_info->security_token->sids;
auth_user_info_dc->info = session_info->info;
auth_user_info_dc->user_session_key = session_info->session_key;
/* This creates the input structure that make_server_info_info3 is looking for */
status = auth_convert_user_info_dc_saminfo3(p, auth_user_info_dc,
&info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to convert auth_user_info_dc into netr_SamInfo3\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
status = make_server_info_info3(p,
info3->base.account_name.string,
info3->base.domain.string,
&server_info, info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to init server info\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
/*
* Some internal functions need a local token to determine access to
* resoutrces.
*/
status = create_local_token(p, server_info, &session_info->session_key, &p->session_info);
talloc_free(server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to init local auth token\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
/* Now override the session_info->security_token with the exact
* security_token we were given from the other side,
* regardless of what we just calculated */
p->session_info->security_token = talloc_move(p->session_info, &session_info->security_token);
p->remote_address = tsocket_address_copy(remote_address, p);
if (p->remote_address == NULL) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
if (local_address != NULL) {
p->local_address = tsocket_address_copy(local_address, p);
if (p->local_address == NULL) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
}
talloc_set_destructor(p, close_internal_rpc_pipe_hnd);
*_p = p;
return 0;
}
static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
const char *domain,
uchar chal[8],
struct auth_serversupplied_info **server_info,
const char *dc_name,
const struct sockaddr_storage *dc_ss)
{
TALLOC_CTX *frame = talloc_stackframe();
struct netr_SamInfo3 *info3 = NULL;
struct cli_state *cli = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
struct netlogon_creds_cli_context *netlogon_creds = NULL;
NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS;
int i;
uint8_t authoritative = 0;
uint32_t flags = 0;
/*
* At this point, smb_apasswd points to the lanman response to
* the challenge in local_challenge, and smb_ntpasswd points to
* the NT response to the challenge in local_challenge. Ship
* these over the secure channel to a domain controller and
* see if they were valid.
*/
/* rety loop for robustness */
for (i = 0; !NT_STATUS_IS_OK(nt_status) && (i < 3); i++) {
nt_status = connect_to_domain_password_server(&cli,
domain,
dc_name,
dc_ss,
&netlogon_pipe,
frame,
&netlogon_creds);
}
if ( !NT_STATUS_IS_OK(nt_status) ) {
DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
TALLOC_FREE(frame);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
}
return nt_status;
}
/* store a successful connection */
saf_store(domain, dc_name);
/*
* If this call succeeds, we now have lots of info about the user
* in the info3 structure.
*/
nt_status = rpccli_netlogon_network_logon(netlogon_creds,
netlogon_pipe->binding_handle,
mem_ctx,
user_info->logon_parameters, /* flags such as 'allow workstation logon' */
user_info->client.account_name, /* user name logging on. */
user_info->client.domain_name, /* domain name */
user_info->workstation_name, /* workstation name */
chal, /* 8 byte challenge. */
user_info->password.response.lanman, /* lanman 24 byte response */
user_info->password.response.nt, /* nt 24 byte response */
&authoritative,
&flags,
&info3); /* info3 out */
/* Let go as soon as possible so we avoid any potential deadlocks
with winbind lookup up users or groups. */
TALLOC_FREE(mutex);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0,("domain_client_validate: unable to validate password "
"for user %s in domain %s to Domain controller %s. "
"Error was %s.\n", user_info->client.account_name,
user_info->client.domain_name, dc_name,
nt_errstr(nt_status)));
/* map to something more useful */
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_UNSUCCESSFUL)) {
nt_status = NT_STATUS_NO_LOGON_SERVERS;
}
} else {
nt_status = make_server_info_info3(mem_ctx,
user_info->client.account_name,
domain,
server_info,
info3);
if (NT_STATUS_IS_OK(nt_status)) {
(*server_info)->nss_token |= user_info->was_mapped;
netsamlogon_cache_store(user_info->client.account_name, info3);
TALLOC_FREE(info3);
}
}
/* Note - once the cli stream is shutdown the mem_ctx used
to allocate the other_sids and gids structures has been deleted - so
these pointers are no longer valid..... */
cli_shutdown(cli);
TALLOC_FREE(frame);
return nt_status;
}
static NTSTATUS check_samba4_security(const struct auth_context *auth_context,
void *my_private_data,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **server_info)
{
TALLOC_CTX *frame = talloc_stackframe();
struct netr_SamInfo3 *info3 = NULL;
NTSTATUS nt_status;
struct auth_user_info_dc *user_info_dc;
struct auth4_context *auth4_context;
nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context);
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(frame);
goto done;
}
nt_status = auth_context_set_challenge(auth4_context, auth_context->challenge.data, "auth_samba4");
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(auth4_context);
TALLOC_FREE(frame);
return nt_status;
}
nt_status = auth_check_password(auth4_context, auth4_context, user_info, &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(auth4_context);
TALLOC_FREE(frame);
return nt_status;
}
nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx,
user_info_dc,
&info3);
if (NT_STATUS_IS_OK(nt_status)) {
/* We need the strings from the server_info to be valid as long as the info3 is around */
talloc_steal(info3, user_info_dc);
}
talloc_free(auth4_context);
if (!NT_STATUS_IS_OK(nt_status)) {
goto done;
}
if (user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ) {
*server_info = make_server_info(mem_ctx);
if (*server_info == NULL) {
nt_status = NT_STATUS_NO_MEMORY;
goto done;
}
(*server_info)->info3 = talloc_steal(*server_info, info3);
} else {
nt_status = make_server_info_info3(mem_ctx, user_info->client.account_name,
user_info->mapped.domain_name, server_info,
info3);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(10, ("make_server_info_info3 failed: %s\n",
nt_errstr(nt_status)));
goto done;
}
}
nt_status = NT_STATUS_OK;
done:
TALLOC_FREE(frame);
return nt_status;
}
static int reply_spnego_kerberos(connection_struct *conn,
char *inbuf, char *outbuf,
int length, int bufsize,
DATA_BLOB *secblob,
BOOL *p_invalidate_vuid)
{
TALLOC_CTX *mem_ctx;
DATA_BLOB ticket;
char *client, *p, *domain;
fstring netbios_domain_name;
struct passwd *pw;
fstring user;
int sess_vuid;
NTSTATUS ret;
PAC_DATA *pac_data;
DATA_BLOB ap_rep, ap_rep_wrapped, response;
auth_serversupplied_info *server_info = NULL;
DATA_BLOB session_key = data_blob(NULL, 0);
uint8 tok_id[2];
DATA_BLOB nullblob = data_blob(NULL, 0);
fstring real_username;
BOOL map_domainuser_to_guest = False;
BOOL username_was_mapped;
PAC_LOGON_INFO *logon_info = NULL;
ZERO_STRUCT(ticket);
ZERO_STRUCT(pac_data);
ZERO_STRUCT(ap_rep);
ZERO_STRUCT(ap_rep_wrapped);
ZERO_STRUCT(response);
/* Normally we will always invalidate the intermediate vuid. */
*p_invalidate_vuid = True;
mem_ctx = talloc_init("reply_spnego_kerberos");
if (mem_ctx == NULL) {
return ERROR_NT(nt_status_squash(NT_STATUS_NO_MEMORY));
}
if (!spnego_parse_krb5_wrap(*secblob, &ticket, tok_id)) {
talloc_destroy(mem_ctx);
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket, &client, &pac_data, &ap_rep, &session_key);
data_blob_free(&ticket);
if (!NT_STATUS_IS_OK(ret)) {
#if 0
/* Experiment that failed. See "only happens with a KDC" comment below. */
if (NT_STATUS_EQUAL(ret, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
/*
* Windows in this case returns NT_STATUS_MORE_PROCESSING_REQUIRED
* with a negTokenTarg blob containing an krb5_error struct ASN1 encoded
* containing KRB5KRB_AP_ERR_SKEW. The client then fixes its
* clock and continues rather than giving an error. JRA.
* -- Looks like this only happens with a KDC. JRA.
*/
BOOL ok = make_krb5_skew_error(&ap_rep);
if (!ok) {
talloc_destroy(mem_ctx);
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
ap_rep_wrapped = spnego_gen_krb5_wrap(ap_rep, TOK_ID_KRB_ERROR);
response = spnego_gen_auth_response(&ap_rep_wrapped, ret, OID_KERBEROS5_OLD);
reply_sesssetup_blob(conn, outbuf, response, NT_STATUS_MORE_PROCESSING_REQUIRED);
/*
* In this one case we don't invalidate the intermediate vuid.
* as we're expecting the client to re-use it for the next
* sessionsetupX packet. JRA.
*/
*p_invalidate_vuid = False;
data_blob_free(&ap_rep);
data_blob_free(&ap_rep_wrapped);
data_blob_free(&response);
talloc_destroy(mem_ctx);
return -1; /* already replied */
}
#else
if (!NT_STATUS_EQUAL(ret, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
ret = NT_STATUS_LOGON_FAILURE;
}
#endif
DEBUG(1,("Failed to verify incoming ticket with error %s!\n", nt_errstr(ret)));
talloc_destroy(mem_ctx);
return ERROR_NT(nt_status_squash(ret));
}
DEBUG(3,("Ticket name is [%s]\n", client));
p = strchr_m(client, '@');
if (!p) {
DEBUG(3,("Doesn't look like a valid principal\n"));
data_blob_free(&ap_rep);
data_blob_free(&session_key);
SAFE_FREE(client);
talloc_destroy(mem_ctx);
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
*p = 0;
/* save the PAC data if we have it */
if (pac_data) {
logon_info = get_logon_info_from_pac(pac_data);
if (logon_info) {
netsamlogon_cache_store( client, &logon_info->info3 );
}
}
if (!strequal(p+1, lp_realm())) {
DEBUG(3,("Ticket for foreign realm %s@%s\n", client, p+1));
if (!lp_allow_trusted_domains()) {
data_blob_free(&ap_rep);
data_blob_free(&session_key);
SAFE_FREE(client);
talloc_destroy(mem_ctx);
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
}
/* this gives a fully qualified user name (ie. with full realm).
that leads to very long usernames, but what else can we do? */
domain = p+1;
if (logon_info && logon_info->info3.hdr_logon_dom.uni_str_len) {
unistr2_to_ascii(netbios_domain_name, &logon_info->info3.uni_logon_dom, -1);
domain = netbios_domain_name;
DEBUG(10, ("Mapped to [%s] (using PAC)\n", domain));
} else {
/* If we have winbind running, we can (and must) shorten the
username by using the short netbios name. Otherwise we will
have inconsistent user names. With Kerberos, we get the
fully qualified realm, with ntlmssp we get the short
name. And even w2k3 does use ntlmssp if you for example
connect to an ip address. */
struct winbindd_request wb_request;
struct winbindd_response wb_response;
NSS_STATUS wb_result;
ZERO_STRUCT(wb_request);
ZERO_STRUCT(wb_response);
DEBUG(10, ("Mapping [%s] to short name\n", domain));
fstrcpy(wb_request.domain_name, domain);
wb_result = winbindd_request_response(WINBINDD_DOMAIN_INFO,
&wb_request, &wb_response);
if (wb_result == NSS_STATUS_SUCCESS) {
fstrcpy(netbios_domain_name,
wb_response.data.domain_info.name);
domain = netbios_domain_name;
DEBUG(10, ("Mapped to [%s] (using Winbind)\n", domain));
} else {
DEBUG(3, ("Could not find short name -- winbind "
"not running?\n"));
}
}
fstr_sprintf(user, "%s%c%s", domain, *lp_winbind_separator(), client);
/* lookup the passwd struct, create a new user if necessary */
username_was_mapped = map_username( user );
pw = smb_getpwnam( mem_ctx, user, real_username, True );
if (pw) {
/* if a real user check pam account restrictions */
/* only really perfomed if "obey pam restriction" is true */
/* do this before an eventual mappign to guest occurs */
ret = smb_pam_accountcheck(pw->pw_name);
if ( !NT_STATUS_IS_OK(ret)) {
DEBUG(1, ("PAM account restriction prevents user login\n"));
data_blob_free(&ap_rep);
data_blob_free(&session_key);
TALLOC_FREE(mem_ctx);
return ERROR_NT(nt_status_squash(ret));
}
}
if (!pw) {
/* this was originally the behavior of Samba 2.2, if a user
did not have a local uid but has been authenticated, then
map them to a guest account */
if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID){
map_domainuser_to_guest = True;
fstrcpy(user,lp_guestaccount());
pw = smb_getpwnam( mem_ctx, user, real_username, True );
}
/* extra sanity check that the guest account is valid */
if ( !pw ) {
DEBUG(1,("Username %s is invalid on this system\n", user));
SAFE_FREE(client);
data_blob_free(&ap_rep);
data_blob_free(&session_key);
TALLOC_FREE(mem_ctx);
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
}
/* setup the string used by %U */
sub_set_smb_name( real_username );
reload_services(True);
if ( map_domainuser_to_guest ) {
make_server_info_guest(&server_info);
} else if (logon_info) {
/* pass the unmapped username here since map_username()
will be called again from inside make_server_info_info3() */
ret = make_server_info_info3(mem_ctx, client, domain,
&server_info, &logon_info->info3);
if ( !NT_STATUS_IS_OK(ret) ) {
DEBUG(1,("make_server_info_info3 failed: %s!\n",
nt_errstr(ret)));
SAFE_FREE(client);
data_blob_free(&ap_rep);
data_blob_free(&session_key);
TALLOC_FREE(mem_ctx);
return ERROR_NT(nt_status_squash(ret));
}
} else {
ret = make_server_info_pw(&server_info, real_username, pw);
if ( !NT_STATUS_IS_OK(ret) ) {
DEBUG(1,("make_server_info_pw failed: %s!\n",
nt_errstr(ret)));
SAFE_FREE(client);
data_blob_free(&ap_rep);
data_blob_free(&session_key);
TALLOC_FREE(mem_ctx);
return ERROR_NT(nt_status_squash(ret));
}
/* make_server_info_pw does not set the domain. Without this
* we end up with the local netbios name in substitutions for
* %D. */
if (server_info->sam_account != NULL) {
pdb_set_domain(server_info->sam_account, domain, PDB_SET);
}
}
server_info->was_mapped |= username_was_mapped;
/* we need to build the token for the user. make_server_info_guest()
already does this */
if ( !server_info->ptok ) {
ret = create_local_token( server_info );
if ( !NT_STATUS_IS_OK(ret) ) {
SAFE_FREE(client);
data_blob_free(&ap_rep);
data_blob_free(&session_key);
TALLOC_FREE( mem_ctx );
TALLOC_FREE( server_info );
return ERROR_NT(nt_status_squash(ret));
}
}
/* register_vuid keeps the server info */
/* register_vuid takes ownership of session_key, no need to free after this.
A better interface would copy it.... */
sess_vuid = register_vuid(server_info, session_key, nullblob, client);
SAFE_FREE(client);
if (sess_vuid == UID_FIELD_INVALID ) {
ret = NT_STATUS_LOGON_FAILURE;
} else {
/* current_user_info is changed on new vuid */
reload_services( True );
set_message(outbuf,4,0,True);
SSVAL(outbuf, smb_vwv3, 0);
if (server_info->guest) {
SSVAL(outbuf,smb_vwv2,1);
}
SSVAL(outbuf, smb_uid, sess_vuid);
sessionsetup_start_signing_engine(server_info, inbuf);
}
/* wrap that up in a nice GSS-API wrapping */
if (NT_STATUS_IS_OK(ret)) {
ap_rep_wrapped = spnego_gen_krb5_wrap(ap_rep, TOK_ID_KRB_AP_REP);
} else {
ap_rep_wrapped = data_blob(NULL, 0);
}
response = spnego_gen_auth_response(&ap_rep_wrapped, ret, OID_KERBEROS5_OLD);
reply_sesssetup_blob(conn, outbuf, response, ret);
data_blob_free(&ap_rep);
data_blob_free(&ap_rep_wrapped);
data_blob_free(&response);
TALLOC_FREE(mem_ctx);
return -1; /* already replied */
}
