static NTSTATUS share_sanity_checks(const struct tsocket_address *remote_address,
const char *rhost,
int snum,
fstring dev)
{
char *raddr;
raddr = tsocket_address_inet_addr_string(remote_address,
talloc_tos());
if (raddr == NULL) {
return NT_STATUS_NO_MEMORY;
}
if (!lp_snum_ok(snum) ||
!allow_access(lp_hosts_deny(snum), lp_hosts_allow(snum),
rhost, raddr)) {
return NT_STATUS_ACCESS_DENIED;
}
if (dev[0] == '?' || !dev[0]) {
if (lp_printable(snum)) {
fstrcpy(dev,"LPT1:");
} else if (strequal(lp_fstype(snum), "IPC")) {
fstrcpy(dev, "IPC");
} else {
fstrcpy(dev,"A:");
}
}
if (!strupper_m(dev)) {
DEBUG(2,("strupper_m %s failed\n", dev));
return NT_STATUS_INVALID_PARAMETER;
}
if (lp_printable(snum)) {
if (!strequal(dev, "LPT1:")) {
return NT_STATUS_BAD_DEVICE_TYPE;
}
} else if (strequal(lp_fstype(snum), "IPC")) {
if (!strequal(dev, "IPC")) {
return NT_STATUS_BAD_DEVICE_TYPE;
}
} else if (!strequal(dev, "A:")) {
return NT_STATUS_BAD_DEVICE_TYPE;
}
/* Behave as a printer if we are supposed to */
if (lp_printable(snum) && (strcmp(dev, "A:") == 0)) {
fstrcpy(dev, "LPT1:");
}
return NT_STATUS_OK;
}
/*
handler for NT1 style session setup
*/
static void sesssetup_nt1(struct smbsrv_request *req, union smb_sesssetup *sess)
{
NTSTATUS status;
struct auth_usersupplied_info *user_info = NULL;
struct tsocket_address *remote_address;
const char *remote_machine = NULL;
struct tevent_req *subreq;
struct sesssetup_context *state;
sess->nt1.out.vuid = 0;
sess->nt1.out.action = 0;
sesssetup_common_strings(req,
&sess->nt1.out.os,
&sess->nt1.out.lanman,
&sess->nt1.out.domain);
if (!req->smb_conn->negotiate.done_sesssetup) {
req->smb_conn->negotiate.max_send = sess->nt1.in.bufsize;
req->smb_conn->negotiate.client_caps = sess->nt1.in.capabilities;
}
state = talloc(req, struct sesssetup_context);
if (!state) goto nomem;
state->req = req;
if (req->smb_conn->negotiate.oid) {
if (sess->nt1.in.user && *sess->nt1.in.user) {
/* We can't accept a normal login, because we
* don't have a challenge */
status = NT_STATUS_LOGON_FAILURE;
goto failed;
}
/* TODO: should we use just "anonymous" here? */
status = auth_context_create(state,
req->smb_conn->connection->event.ctx,
req->smb_conn->connection->msg_ctx,
req->smb_conn->lp_ctx,
&state->auth_context);
if (!NT_STATUS_IS_OK(status)) goto failed;
} else if (req->smb_conn->negotiate.auth_context) {
state->auth_context = req->smb_conn->negotiate.auth_context;
} else {
/* TODO: should we use just "anonymous" here? */
status = auth_context_create(state,
req->smb_conn->connection->event.ctx,
req->smb_conn->connection->msg_ctx,
req->smb_conn->lp_ctx,
&state->auth_context);
if (!NT_STATUS_IS_OK(status)) goto failed;
}
if (req->smb_conn->negotiate.calling_name) {
remote_machine = req->smb_conn->negotiate.calling_name->name;
}
remote_address = socket_get_remote_addr(req->smb_conn->connection->socket, req);
if (!remote_address) goto nomem;
if (!remote_machine) {
remote_machine = tsocket_address_inet_addr_string(remote_address, req);
if (!remote_machine) goto nomem;
}
user_info = talloc_zero(req, struct auth_usersupplied_info);
if (!user_info) goto nomem;
user_info->mapped_state = false;
user_info->logon_parameters = 0;
user_info->flags = 0;
user_info->client.account_name = sess->nt1.in.user;
user_info->client.domain_name = sess->nt1.in.domain;
user_info->workstation_name = remote_machine;
user_info->remote_host = talloc_steal(user_info, remote_address);
user_info->password_state = AUTH_PASSWORD_RESPONSE;
user_info->password.response.lanman = sess->nt1.in.password1;
user_info->password.response.lanman.data = talloc_steal(user_info, sess->nt1.in.password1.data);
user_info->password.response.nt = sess->nt1.in.password2;
user_info->password.response.nt.data = talloc_steal(user_info, sess->nt1.in.password2.data);
subreq = auth_check_password_send(state,
req->smb_conn->connection->event.ctx,
state->auth_context,
user_info);
if (!subreq) goto nomem;
tevent_req_set_callback(subreq, sesssetup_nt1_send, state);
return;
nomem:
status = NT_STATUS_NO_MEMORY;
failed:
status = nt_status_squash(status);
smbsrv_sesssetup_backend_send(req, sess, status);
}
/*
handler for old style session setup
*/
static void sesssetup_old(struct smbsrv_request *req, union smb_sesssetup *sess)
{
struct auth_usersupplied_info *user_info = NULL;
struct tsocket_address *remote_address;
const char *remote_machine = NULL;
struct tevent_req *subreq;
struct sesssetup_context *state;
sess->old.out.vuid = 0;
sess->old.out.action = 0;
sesssetup_common_strings(req,
&sess->old.out.os,
&sess->old.out.lanman,
&sess->old.out.domain);
if (!req->smb_conn->negotiate.done_sesssetup) {
req->smb_conn->negotiate.max_send = sess->old.in.bufsize;
}
if (req->smb_conn->negotiate.calling_name) {
remote_machine = req->smb_conn->negotiate.calling_name->name;
}
remote_address = socket_get_remote_addr(req->smb_conn->connection->socket, req);
if (!remote_address) goto nomem;
if (!remote_machine) {
remote_machine = tsocket_address_inet_addr_string(remote_address, req);
if (!remote_machine) goto nomem;
}
user_info = talloc_zero(req, struct auth_usersupplied_info);
if (!user_info) goto nomem;
user_info->mapped_state = false;
user_info->logon_parameters = 0;
user_info->flags = 0;
user_info->client.account_name = sess->old.in.user;
user_info->client.domain_name = sess->old.in.domain;
user_info->workstation_name = remote_machine;
user_info->remote_host = talloc_steal(user_info, remote_address);
user_info->password_state = AUTH_PASSWORD_RESPONSE;
user_info->password.response.lanman = sess->old.in.password;
user_info->password.response.lanman.data = talloc_steal(user_info, sess->old.in.password.data);
user_info->password.response.nt = data_blob(NULL, 0);
state = talloc(req, struct sesssetup_context);
if (!state) goto nomem;
if (req->smb_conn->negotiate.auth_context) {
state->auth_context = req->smb_conn->negotiate.auth_context;
} else {
/* TODO: should we use just "anonymous" here? */
NTSTATUS status = auth_context_create(state,
req->smb_conn->connection->event.ctx,
req->smb_conn->connection->msg_ctx,
req->smb_conn->lp_ctx,
&state->auth_context);
if (!NT_STATUS_IS_OK(status)) {
smbsrv_sesssetup_backend_send(req, sess, status);
return;
}
}
state->req = req;
subreq = auth_check_password_send(state,
req->smb_conn->connection->event.ctx,
req->smb_conn->negotiate.auth_context,
user_info);
if (!subreq) goto nomem;
tevent_req_set_callback(subreq, sesssetup_old_send, state);
return;
nomem:
smbsrv_sesssetup_backend_send(req, sess, NT_STATUS_NO_MEMORY);
}
NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **server_info)
{
/* if all the modules say 'not for me' this is reasonable */
NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
const char *unix_username;
auth_methods *auth_method;
TALLOC_CTX *mem_ctx;
if (!user_info || !auth_context || !server_info)
return NT_STATUS_LOGON_FAILURE;
DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
DEBUG(3, ("check_ntlm_password: mapped user is: [%s]\\[%s]@[%s]\n",
user_info->mapped.domain_name, user_info->mapped.account_name, user_info->workstation_name));
if (auth_context->challenge.length != 8) {
DEBUG(0, ("check_ntlm_password: Invalid challenge stored for this auth context - cannot continue\n"));
return NT_STATUS_LOGON_FAILURE;
}
if (auth_context->challenge_set_by)
DEBUG(10, ("check_ntlm_password: auth_context challenge created by %s\n",
auth_context->challenge_set_by));
DEBUG(10, ("challenge is: \n"));
dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
#ifdef DEBUG_PASSWORD
DEBUG(100, ("user_info has passwords of length %d and %d\n",
(int)user_info->password.response.lanman.length, (int)user_info->password.response.nt.length));
DEBUG(100, ("lm:\n"));
dump_data(100, user_info->password.response.lanman.data, user_info->password.response.lanman.length);
DEBUG(100, ("nt:\n"));
dump_data(100, user_info->password.response.nt.data, user_info->password.response.nt.length);
#endif
/* This needs to be sorted: If it doesn't match, what should we do? */
if (!check_domain_match(user_info->client.account_name, user_info->mapped.domain_name))
return NT_STATUS_LOGON_FAILURE;
for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
NTSTATUS result;
mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name,
user_info->mapped.domain_name, user_info->client.account_name);
result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
/* check if the module did anything */
if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
talloc_destroy(mem_ctx);
continue;
}
nt_status = result;
if (NT_STATUS_IS_OK(nt_status)) {
DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] succeeded\n",
auth_method->name, user_info->client.account_name));
} else {
DEBUG(5, ("check_ntlm_password: %s authentication for user [%s] FAILED with error %s\n",
auth_method->name, user_info->client.account_name, nt_errstr(nt_status)));
}
talloc_destroy(mem_ctx);
if ( NT_STATUS_IS_OK(nt_status))
{
break;
}
}
/* successful authentication */
if (NT_STATUS_IS_OK(nt_status)) {
unix_username = (*server_info)->unix_name;
if (!(*server_info)->guest) {
const char *rhost;
if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
rhost = tsocket_address_inet_addr_string(user_info->remote_host,
talloc_tos());
if (rhost == NULL) {
return NT_STATUS_NO_MEMORY;
}
} else {
rhost = "127.0.0.1";
}
/* We might not be root if we are an RPC call */
become_root();
nt_status = smb_pam_accountcheck(unix_username,
rhost);
unbecome_root();
if (NT_STATUS_IS_OK(nt_status)) {
DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] succeeded\n",
unix_username));
} else {
DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] FAILED with error %s\n",
unix_username, nt_errstr(nt_status)));
}
}
if (NT_STATUS_IS_OK(nt_status)) {
DEBUG((*server_info)->guest ? 5 : 2,
("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
(*server_info)->guest ? "guest " : "",
user_info->client.account_name,
user_info->mapped.account_name,
unix_username));
}
return nt_status;
}
/* failed authentication; check for guest lapping */
DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
user_info->client.account_name, user_info->mapped.account_name,
nt_errstr(nt_status)));
ZERO_STRUCTP(server_info);
return nt_status;
}
static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx,
struct smb_krb5_context *smb_krb5_context,
DATA_BLOB *pac_blob,
const char *princ_name,
const struct tsocket_address *remote_address,
uint32_t session_info_flags,
struct auth_session_info **session_info)
{
TALLOC_CTX *tmp_ctx;
struct PAC_LOGON_INFO *logon_info = NULL;
struct netr_SamInfo3 *info3_copy = NULL;
bool is_mapped;
bool is_guest;
char *ntuser;
char *ntdomain;
char *username;
char *rhost;
struct passwd *pw;
NTSTATUS status;
int rc;
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
}
if (pac_blob) {
#ifdef HAVE_KRB5
status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
NULL, NULL, 0, &logon_info);
#else
status = NT_STATUS_ACCESS_DENIED;
#endif
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
rc = get_remote_hostname(remote_address,
&rhost,
tmp_ctx);
if (rc < 0) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
if (strequal(rhost, "UNKNOWN")) {
rhost = tsocket_address_inet_addr_string(remote_address,
tmp_ctx);
if (rhost == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
}
status = get_user_from_kerberos_info(tmp_ctx, rhost,
princ_name, logon_info,
&is_mapped, &is_guest,
&ntuser, &ntdomain,
&username, &pw);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to map kerberos principal to system user "
"(%s)\n", nt_errstr(status)));
status = NT_STATUS_ACCESS_DENIED;
goto done;
}
/* save the PAC data if we have it */
if (logon_info) {
status = create_info3_from_pac_logon_info(tmp_ctx,
logon_info,
&info3_copy);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
netsamlogon_cache_store(ntuser, info3_copy);
}
/* setup the string used by %U */
sub_set_smb_name(username);
/* reload services so that the new %U is taken into account */
lp_load_with_shares(get_dyn_CONFIGFILE());
status = make_session_info_krb5(mem_ctx,
ntuser, ntdomain, username, pw,
info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
nt_errstr(status)));
status = NT_STATUS_ACCESS_DENIED;
goto done;
}
DEBUG(5, (__location__ "OK: user: %s domain: %s client: %s\n",
ntuser, ntdomain, rhost));
status = NT_STATUS_OK;
done:
TALLOC_FREE(tmp_ctx);
return status;
}
/*
handle incoming cldap requests
*/
void cldapd_netlogon_request(struct cldap_socket *cldap,
struct cldapd_server *cldapd,
TALLOC_CTX *tmp_ctx,
uint32_t message_id,
struct ldb_parse_tree *tree,
struct tsocket_address *src)
{
unsigned int i;
const char *domain = NULL;
const char *host = NULL;
const char *user = NULL;
const char *domain_guid = NULL;
struct dom_sid *domain_sid = NULL;
int acct_control = -1;
int version = -1;
struct netlogon_samlogon_response netlogon;
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
if (tree->operation != LDB_OP_AND) goto failed;
/* extract the query elements */
for (i=0;i<tree->u.list.num_elements;i++) {
struct ldb_parse_tree *t = tree->u.list.elements[i];
if (t->operation != LDB_OP_EQUALITY) goto failed;
if (strcasecmp(t->u.equality.attr, "DnsDomain") == 0) {
domain = talloc_strndup(tmp_ctx,
(const char *)t->u.equality.value.data,
t->u.equality.value.length);
}
if (strcasecmp(t->u.equality.attr, "Host") == 0) {
host = talloc_strndup(tmp_ctx,
(const char *)t->u.equality.value.data,
t->u.equality.value.length);
}
if (strcasecmp(t->u.equality.attr, "DomainGuid") == 0) {
NTSTATUS enc_status;
struct GUID guid;
enc_status = ldap_decode_ndr_GUID(tmp_ctx,
t->u.equality.value, &guid);
if (NT_STATUS_IS_OK(enc_status)) {
domain_guid = GUID_string(tmp_ctx, &guid);
}
}
if (strcasecmp(t->u.equality.attr, "DomainSid") == 0) {
enum ndr_err_code ndr_err;
domain_sid = talloc(tmp_ctx, struct dom_sid);
if (domain_sid == NULL) {
goto failed;
}
ndr_err = ndr_pull_struct_blob(&t->u.equality.value,
domain_sid, domain_sid,
(ndr_pull_flags_fn_t)ndr_pull_dom_sid);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
talloc_free(domain_sid);
goto failed;
}
}
if (strcasecmp(t->u.equality.attr, "User") == 0) {
user = talloc_strndup(tmp_ctx,
(const char *)t->u.equality.value.data,
t->u.equality.value.length);
}
if (strcasecmp(t->u.equality.attr, "NtVer") == 0 &&
t->u.equality.value.length == 4) {
version = IVAL(t->u.equality.value.data, 0);
}
if (strcasecmp(t->u.equality.attr, "AAC") == 0 &&
t->u.equality.value.length == 4) {
acct_control = IVAL(t->u.equality.value.data, 0);
}
}
if ((domain == NULL) && (domain_guid == NULL) && (domain_sid == NULL)) {
domain = lpcfg_dnsdomain(cldapd->task->lp_ctx);
}
if (version == -1) {
goto failed;
}
DEBUG(5,("cldap netlogon query domain=%s host=%s user=%s version=%d guid=%s\n",
domain, host, user, version, domain_guid));
status = fill_netlogon_samlogon_response(cldapd->samctx, tmp_ctx,
domain, NULL, domain_sid,
domain_guid,
user, acct_control,
tsocket_address_inet_addr_string(src, tmp_ctx),
version, cldapd->task->lp_ctx,
&netlogon, false);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
status = cldap_netlogon_reply(cldap, message_id, src, version, &netlogon);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
return;
failed:
DEBUG(2,("cldap netlogon query failed domain=%s host=%s version=%d - %s\n",
domain, host, version, nt_errstr(status)));
cldap_empty_reply(cldap, message_id, src);
}
NTSTATUS make_internal_rpc_pipe_socketpair(
TALLOC_CTX *mem_ctx,
struct tevent_context *ev_ctx,
struct messaging_context *msg_ctx,
const char *pipe_name,
const struct ndr_syntax_id *syntax,
const struct tsocket_address *remote_address,
const struct tsocket_address *local_address,
const struct auth_session_info *session_info,
struct npa_state **pnpa)
{
TALLOC_CTX *tmp_ctx = talloc_stackframe();
struct named_pipe_client *npc;
struct tevent_req *subreq;
struct npa_state *npa;
NTSTATUS status;
int error;
int rc;
DEBUG(4, ("Create of internal pipe %s requested\n", pipe_name));
npa = npa_state_init(tmp_ctx);
if (npa == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
npa->file_type = FILE_TYPE_MESSAGE_MODE_PIPE;
npa->device_state = 0xff | 0x0400 | 0x0100;
npa->allocation_size = 4096;
npc = named_pipe_client_init(npa,
ev_ctx,
msg_ctx,
pipe_name,
NULL, /* term_fn */
npa->file_type,
npa->device_state,
npa->allocation_size,
NULL); /* private_data */
if (npc == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
npa->private_data = (void*) npc;
rc = tstream_npa_socketpair(npa->file_type,
npa,
&npa->stream,
npc,
&npc->tstream);
if (rc == -1) {
status = map_nt_error_from_unix(errno);
goto out;
}
npc->remote_client_addr = tsocket_address_copy(remote_address, npc);
if (npc->remote_client_addr == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
npc->remote_client_name = tsocket_address_inet_addr_string(npc->remote_client_addr,
npc);
if (npc->remote_client_name == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
npc->local_server_addr = tsocket_address_copy(local_address, npc);
if (npc->local_server_addr == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
npc->local_server_name = tsocket_address_inet_addr_string(
npc->local_server_addr, npc);
if (npc->local_server_name == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
npc->session_info = copy_session_info(npc, session_info);
if (npc->session_info == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
rc = make_server_pipes_struct(npc,
npc->msg_ctx,
npc->pipe_name,
NCACN_NP,
npc->remote_client_addr,
npc->local_server_addr,
npc->session_info,
&npc->p,
&error);
if (rc == -1) {
status = map_nt_error_from_unix(error);
goto out;
}
npc->write_queue = tevent_queue_create(npc, "npa_server_write_queue");
if (npc->write_queue == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
subreq = dcerpc_read_ncacn_packet_send(npc, npc->ev, npc->tstream);
if (subreq == NULL) {
DEBUG(2, ("Failed to start receiving packets\n"));
status = NT_STATUS_PIPE_BROKEN;
goto out;
}
tevent_req_set_callback(subreq, named_pipe_packet_process, npc);
*pnpa = talloc_steal(mem_ctx, npa);
status = NT_STATUS_OK;
out:
talloc_free(tmp_ctx);
return status;
}
/*
called when we get a new connection
*/
static void wreplsrv_accept(struct stream_connection *conn)
{
struct wreplsrv_service *service = talloc_get_type(conn->private_data, struct wreplsrv_service);
struct wreplsrv_in_connection *wrepl_conn;
struct tsocket_address *peer_addr;
char *peer_ip;
struct tevent_req *subreq;
int rc;
wrepl_conn = talloc_zero(conn, struct wreplsrv_in_connection);
if (wrepl_conn == NULL) {
stream_terminate_connection(conn,
"wreplsrv_accept: out of memory");
return;
}
wrepl_conn->send_queue = tevent_queue_create(conn, "wrepl_accept");
if (wrepl_conn->send_queue == NULL) {
stream_terminate_connection(conn,
"wrepl_accept: out of memory");
return;
}
TALLOC_FREE(conn->event.fde);
rc = tstream_bsd_existing_socket(wrepl_conn,
socket_get_fd(conn->socket),
&wrepl_conn->tstream);
if (rc < 0) {
stream_terminate_connection(conn,
"wrepl_accept: out of memory");
return;
}
socket_set_flags(conn->socket, SOCKET_FLAG_NOCLOSE);
wrepl_conn->conn = conn;
wrepl_conn->service = service;
peer_addr = conn->remote_address;
if (!tsocket_address_is_inet(peer_addr, "ipv4")) {
DEBUG(0,("wreplsrv_accept: non ipv4 peer addr '%s'\n",
tsocket_address_string(peer_addr, wrepl_conn)));
wreplsrv_terminate_in_connection(wrepl_conn, "wreplsrv_accept: "
"invalid peer IP");
return;
}
peer_ip = tsocket_address_inet_addr_string(peer_addr, wrepl_conn);
if (peer_ip == NULL) {
wreplsrv_terminate_in_connection(wrepl_conn, "wreplsrv_accept: "
"could not convert peer IP into a string");
return;
}
wrepl_conn->partner = wreplsrv_find_partner(service, peer_ip);
irpc_add_name(conn->msg_ctx, "wreplsrv_connection");
/*
* The wrepl pdu's has the length as 4 byte (initial_read_size),
* packet_full_request_u32 provides the pdu length then.
*/
subreq = tstream_read_pdu_blob_send(wrepl_conn,
wrepl_conn->conn->event.ctx,
wrepl_conn->tstream,
4, /* initial_read_size */
packet_full_request_u32,
wrepl_conn);
if (subreq == NULL) {
wreplsrv_terminate_in_connection(wrepl_conn, "wrepl_accept: "
"no memory for tstream_read_pdu_blob_send");
return;
}
tevent_req_set_callback(subreq, wreplsrv_call_loop, wrepl_conn);
}
krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
void *data,
krb5_krbhst_info *hi,
time_t timeout,
const krb5_data *send_buf,
krb5_data *recv_buf)
{
krb5_error_code ret;
NTSTATUS status;
const char *name;
struct addrinfo *ai, *a;
struct smb_krb5_socket *smb_krb5;
DATA_BLOB send_blob;
struct tevent_context *ev;
TALLOC_CTX *tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) {
return ENOMEM;
}
if (!data) {
/* If no event context was available, then create one for this loop */
ev = samba_tevent_context_init(tmp_ctx);
if (!ev) {
talloc_free(tmp_ctx);
return ENOMEM;
}
} else {
ev = talloc_get_type_abort(data, struct tevent_context);
}
send_blob = data_blob_const(send_buf->data, send_buf->length);
ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
if (ret) {
talloc_free(tmp_ctx);
return ret;
}
for (a = ai; a; a = a->ai_next) {
struct socket_address *remote_addr;
smb_krb5 = talloc(tmp_ctx, struct smb_krb5_socket);
if (!smb_krb5) {
talloc_free(tmp_ctx);
return ENOMEM;
}
smb_krb5->hi = hi;
switch (a->ai_family) {
case PF_INET:
name = "ipv4";
break;
#ifdef HAVE_IPV6
case PF_INET6:
name = "ipv6";
break;
#endif
default:
talloc_free(tmp_ctx);
return EINVAL;
}
status = NT_STATUS_INVALID_PARAMETER;
switch (hi->proto) {
case KRB5_KRBHST_UDP:
status = socket_create(name, SOCKET_TYPE_DGRAM, &smb_krb5->sock, 0);
break;
case KRB5_KRBHST_TCP:
status = socket_create(name, SOCKET_TYPE_STREAM, &smb_krb5->sock, 0);
break;
case KRB5_KRBHST_HTTP:
talloc_free(tmp_ctx);
return EINVAL;
}
if (!NT_STATUS_IS_OK(status)) {
talloc_free(smb_krb5);
continue;
}
talloc_steal(smb_krb5, smb_krb5->sock);
remote_addr = socket_address_from_sockaddr(smb_krb5, a->ai_addr, a->ai_addrlen);
if (!remote_addr) {
talloc_free(smb_krb5);
continue;
}
status = socket_connect_ev(smb_krb5->sock, NULL, remote_addr, 0, ev);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(smb_krb5);
continue;
}
/* Setup the FDE, start listening for read events
* from the start (otherwise we may miss a socket
* drop) and mark as AUTOCLOSE along with the fde */
/* Ths is equivilant to EVENT_FD_READABLE(smb_krb5->fde) */
smb_krb5->fde = tevent_add_fd(ev, smb_krb5->sock,
socket_get_fd(smb_krb5->sock),
TEVENT_FD_READ,
smb_krb5_socket_handler, smb_krb5);
/* its now the job of the event layer to close the socket */
tevent_fd_set_close_fn(smb_krb5->fde, socket_tevent_fd_close_fn);
socket_set_flags(smb_krb5->sock, SOCKET_FLAG_NOCLOSE);
tevent_add_timer(ev, smb_krb5,
timeval_current_ofs(timeout, 0),
smb_krb5_request_timeout, smb_krb5);
smb_krb5->status = NT_STATUS_OK;
smb_krb5->reply = data_blob(NULL, 0);
switch (hi->proto) {
case KRB5_KRBHST_UDP:
TEVENT_FD_WRITEABLE(smb_krb5->fde);
smb_krb5->request = send_blob;
break;
case KRB5_KRBHST_TCP:
smb_krb5->packet = packet_init(smb_krb5);
if (smb_krb5->packet == NULL) {
talloc_free(smb_krb5);
return ENOMEM;
}
packet_set_private(smb_krb5->packet, smb_krb5);
packet_set_socket(smb_krb5->packet, smb_krb5->sock);
packet_set_callback(smb_krb5->packet, smb_krb5_full_packet);
packet_set_full_request(smb_krb5->packet, packet_full_request_u32);
packet_set_error_handler(smb_krb5->packet, smb_krb5_error_handler);
packet_set_event_context(smb_krb5->packet, ev);
packet_set_fde(smb_krb5->packet, smb_krb5->fde);
smb_krb5->request = data_blob_talloc(smb_krb5, NULL, send_blob.length + 4);
RSIVAL(smb_krb5->request.data, 0, send_blob.length);
memcpy(smb_krb5->request.data+4, send_blob.data, send_blob.length);
packet_send(smb_krb5->packet, smb_krb5->request);
break;
case KRB5_KRBHST_HTTP:
talloc_free(tmp_ctx);
return EINVAL;
}
while ((NT_STATUS_IS_OK(smb_krb5->status)) && !smb_krb5->reply.length) {
if (tevent_loop_once(ev) != 0) {
talloc_free(tmp_ctx);
return EINVAL;
}
/* After each and every event loop, reset the
* send_to_kdc pointers to what they were when
* we entered this loop. That way, if a
* nested event has invalidated them, we put
* it back before we return to the heimdal
* code */
ret = krb5_set_send_to_kdc_func(context,
smb_krb5_send_and_recv_func,
data);
if (ret != 0) {
talloc_free(tmp_ctx);
return ret;
}
}
if (NT_STATUS_EQUAL(smb_krb5->status, NT_STATUS_IO_TIMEOUT)) {
talloc_free(smb_krb5);
continue;
}
if (!NT_STATUS_IS_OK(smb_krb5->status)) {
struct tsocket_address *addr = socket_address_to_tsocket_address(smb_krb5, remote_addr);
const char *addr_string = NULL;
if (addr) {
addr_string = tsocket_address_inet_addr_string(addr, smb_krb5);
} else {
addr_string = NULL;
}
DEBUG(2,("Error reading smb_krb5 reply packet: %s from %s\n", nt_errstr(smb_krb5->status),
addr_string));
talloc_free(smb_krb5);
continue;
}
ret = krb5_data_copy(recv_buf, smb_krb5->reply.data, smb_krb5->reply.length);
if (ret) {
talloc_free(tmp_ctx);
return ret;
}
talloc_free(smb_krb5);
break;
}
talloc_free(tmp_ctx);
if (a) {
return 0;
}
return KRB5_KDC_UNREACH;
}
/**
* Check a user's Plaintext, LM or NTLM password.
*
* Check a user's password, as given in the user_info struct and return various
* interesting details in the server_info struct.
*
* This function does NOT need to be in a become_root()/unbecome_root() pair
* as it makes the calls itself when needed.
*
* The return value takes precedence over the contents of the server_info
* struct. When the return is other than NT_STATUS_OK the contents
* of that structure is undefined.
*
* @param user_info Contains the user supplied components, including the passwords.
* Must be created with make_user_info() or one of its wrappers.
*
* @param auth_context Supplies the challenges and some other data.
* Must be created with make_auth_context(), and the challenges should be
* filled in, either at creation or by calling the challenge geneation
* function auth_get_challenge().
*
* @param pserver_info If successful, contains information about the authentication,
* including a struct samu struct describing the user.
*
* @param pauthoritative Indicates if the result should be treated as final
* result.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
*
**/
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
const struct auth_context *auth_context,
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **pserver_info,
uint8_t *pauthoritative)
{
TALLOC_CTX *frame;
const char *auth_method_name = "";
/* if all the modules say 'not for me' this is reasonable */
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
const char *unix_username;
auth_methods *auth_method;
struct auth_serversupplied_info *server_info = NULL;
struct dom_sid sid = {0};
if (user_info == NULL || auth_context == NULL || pserver_info == NULL) {
return NT_STATUS_LOGON_FAILURE;
}
frame = talloc_stackframe();
*pauthoritative = 1;
DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
DEBUG(3, ("check_ntlm_password: mapped user is: [%s]\\[%s]@[%s]\n",
user_info->mapped.domain_name, user_info->mapped.account_name, user_info->workstation_name));
if (auth_context->challenge.length != 8) {
DEBUG(0, ("check_ntlm_password: Invalid challenge stored for this auth context - cannot continue\n"));
nt_status = NT_STATUS_LOGON_FAILURE;
goto fail;
}
if (auth_context->challenge_set_by)
DEBUG(10, ("check_ntlm_password: auth_context challenge created by %s\n",
auth_context->challenge_set_by));
DEBUG(10, ("challenge is: \n"));
dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
#ifdef DEBUG_PASSWORD
DEBUG(100, ("user_info has passwords of length %d and %d\n",
(int)user_info->password.response.lanman.length, (int)user_info->password.response.nt.length));
DEBUG(100, ("lm:\n"));
dump_data(100, user_info->password.response.lanman.data, user_info->password.response.lanman.length);
DEBUG(100, ("nt:\n"));
dump_data(100, user_info->password.response.nt.data, user_info->password.response.nt.length);
#endif
/* This needs to be sorted: If it doesn't match, what should we do? */
if (!check_domain_match(user_info->client.account_name,
user_info->mapped.domain_name)) {
nt_status = NT_STATUS_LOGON_FAILURE;
goto fail;
}
for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
auth_method_name = auth_method->name;
nt_status = auth_method->auth(auth_context,
auth_method->private_data,
talloc_tos(),
user_info,
&server_info);
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
break;
}
DBG_DEBUG("%s had nothing to say\n", auth_method->name);
}
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
*pauthoritative = 0;
nt_status = NT_STATUS_NO_SUCH_USER;
}
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_INFO("%s authentication for user [%s] FAILED with "
"error %s, authoritative=%u\n",
auth_method_name,
user_info->client.account_name,
nt_errstr(nt_status),
*pauthoritative);
goto fail;
}
DBG_NOTICE("%s authentication for user [%s] succeeded\n",
auth_method_name, user_info->client.account_name);
unix_username = server_info->unix_name;
/* We skip doing this step if the caller asked us not to */
if (!(user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ)
&& !(server_info->guest)) {
const char *rhost;
if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
rhost = tsocket_address_inet_addr_string(
user_info->remote_host, talloc_tos());
if (rhost == NULL) {
nt_status = NT_STATUS_NO_MEMORY;
goto fail;
}
} else {
rhost = "127.0.0.1";
}
/* We might not be root if we are an RPC call */
become_root();
nt_status = smb_pam_accountcheck(unix_username, rhost);
unbecome_root();
if (NT_STATUS_IS_OK(nt_status)) {
DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] "
"succeeded\n", unix_username));
} else {
DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] "
"FAILED with error %s\n",
unix_username, nt_errstr(nt_status)));
}
}
if (!NT_STATUS_IS_OK(nt_status)) {
goto fail;
}
nt_status = get_user_sid_info3_and_extra(server_info->info3,
&server_info->extra,
&sid);
if (!NT_STATUS_IS_OK(nt_status)) {
sid = (struct dom_sid) {0};
}
log_authentication_event(NULL, NULL,
user_info, nt_status,
server_info->info3->base.logon_domain.string,
server_info->info3->base.account_name.string,
unix_username, &sid);
DEBUG(server_info->guest ? 5 : 2,
("check_ntlm_password: %sauthentication for user "
"[%s] -> [%s] -> [%s] succeeded\n",
server_info->guest ? "guest " : "",
user_info->client.account_name,
user_info->mapped.account_name,
unix_username));
*pserver_info = talloc_move(mem_ctx, &server_info);
TALLOC_FREE(frame);
return NT_STATUS_OK;
fail:
/* failed authentication; check for guest lapping */
/*
* Please try not to change this string, it is probably in use
* in audit logging tools
*/
DEBUG(2, ("check_ntlm_password: Authentication for user "
"[%s] -> [%s] FAILED with error %s, authoritative=%u\n",
user_info->client.account_name, user_info->mapped.account_name,
nt_errstr(nt_status), *pauthoritative));
log_authentication_event(NULL, NULL, user_info, nt_status, NULL, NULL, NULL, NULL);
ZERO_STRUCTP(pserver_info);
TALLOC_FREE(frame);
return nt_status;
}
/*
* Check server_name is:
* - "" , functions that don't allow "",
* should check that on their own, before calling this function
* - our name (only netbios yet, TODO: need to test dns name!)
* - our ip address of the current use socket
* otherwise return WERR_INVALID_PRINTER_NAME
*/
static WERROR dcesrv_spoolss_check_server_name(struct dcesrv_call_state *dce_call,
TALLOC_CTX *mem_ctx,
const char *server_name)
{
bool ret;
const struct tsocket_address *local_address;
char *myaddr;
const char **aliases;
const char *dnsdomain;
unsigned int i;
/* NULL is ok */
if (!server_name) return WERR_OK;
/* "" is ok */
ret = strequal("",server_name);
if (ret) return WERR_OK;
/* just "\\" is invalid */
if (strequal("\\\\", server_name)) {
return WERR_INVALID_PRINTER_NAME;
}
/* then we need "\\" */
if (strncmp("\\\\", server_name, 2) != 0) {
return WERR_INVALID_PRINTER_NAME;
}
server_name += 2;
/* NETBIOS NAME is ok */
ret = strequal(lpcfg_netbios_name(dce_call->conn->dce_ctx->lp_ctx), server_name);
if (ret) return WERR_OK;
aliases = lpcfg_netbios_aliases(dce_call->conn->dce_ctx->lp_ctx);
for (i=0; aliases && aliases[i]; i++) {
if (strequal(aliases[i], server_name)) {
return WERR_OK;
}
}
/* DNS NAME is ok
* TODO: we need to check if aliases are also ok
*/
dnsdomain = lpcfg_dnsdomain(dce_call->conn->dce_ctx->lp_ctx);
if (dnsdomain != NULL) {
char *str;
str = talloc_asprintf(mem_ctx, "%s.%s",
lpcfg_netbios_name(dce_call->conn->dce_ctx->lp_ctx),
dnsdomain);
W_ERROR_HAVE_NO_MEMORY(str);
ret = strequal(str, server_name);
talloc_free(str);
if (ret) return WERR_OK;
}
local_address = dcesrv_connection_get_local_address(dce_call->conn);
myaddr = tsocket_address_inet_addr_string(local_address, mem_ctx);
W_ERROR_HAVE_NO_MEMORY(myaddr);
ret = strequal(myaddr, server_name);
talloc_free(myaddr);
if (ret) return WERR_OK;
return WERR_INVALID_PRINTER_NAME;
}
