/*
* Hook to allow handling of NTLM authentication for AD operation
* without directly linking the s4 auth stack
*
* This ensures we use the source4 authentication stack, as well as
* the authorization stack to create the user's token. This ensures
* consistency between NTLM logins and NTLMSSP logins, as NTLMSSP is
* handled by the hook above.
*/
static NTSTATUS make_auth4_context_s4(TALLOC_CTX *mem_ctx,
struct auth4_context **auth4_context)
{
NTSTATUS status;
struct loadparm_context *lp_ctx;
struct tevent_context *event_ctx;
TALLOC_CTX *frame = talloc_stackframe();
struct imessaging_context *msg_ctx;
struct server_id *server_id;
lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
if (lp_ctx == NULL) {
DEBUG(1, ("loadparm_init_s3 failed\n"));
TALLOC_FREE(frame);
return NT_STATUS_INVALID_SERVER_STATE;
}
event_ctx = s4_event_context_init(frame);
if (event_ctx == NULL) {
DEBUG(1, ("s4_event_context_init failed\n"));
TALLOC_FREE(frame);
return NT_STATUS_INVALID_SERVER_STATE;
}
server_id = new_server_id_task(frame);
if (server_id == NULL) {
DEBUG(1, ("new_server_id_task failed\n"));
TALLOC_FREE(frame);
return NT_STATUS_INVALID_SERVER_STATE;
}
msg_ctx = imessaging_init(frame,
lp_ctx,
*server_id,
event_ctx, true);
if (msg_ctx == NULL) {
DEBUG(1, ("imessaging_init failed\n"));
TALLOC_FREE(frame);
return NT_STATUS_INVALID_SERVER_STATE;
}
talloc_reparent(frame, msg_ctx, server_id);
status = auth_context_create(mem_ctx,
event_ctx,
msg_ctx,
lp_ctx,
auth4_context);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start auth server code: %s\n", nt_errstr(status)));
TALLOC_FREE(frame);
return status;
}
talloc_reparent(frame, *auth4_context, msg_ctx);
talloc_reparent(frame, *auth4_context, event_ctx);
talloc_reparent(frame, *auth4_context, lp_ctx);
TALLOC_FREE(frame);
return status;
}
void cbuf_swap(cbuf* b1, cbuf* b2)
{
if (b1 == b2) {
return;
}
talloc_reparent(b1, b2, b1->buf);
talloc_reparent(b2, b1, b2->buf);
SWAP(b1->buf, b2->buf, char*);
SWAP(b1->pos, b2->pos, size_t);
SWAP(b1->size, b2->size, size_t);
}
/* Having make a netlogon connection (possibly secured with schannel),
* make an LSA connection to the same DC, on the same IPC$ share */
static void init_domain_recv_netlogonpipe(struct composite_context *ctx)
{
struct init_domain_state *state =
talloc_get_type(ctx->async.private_data,
struct init_domain_state);
state->ctx->status = dcerpc_pipe_connect_b_recv(ctx, state->domain,
&state->domain->netlogon_pipe);
if (!composite_is_ok(state->ctx)) {
return;
}
talloc_reparent(state, state->domain->netlogon_pipe, state->domain->netlogon_binding);
state->domain->lsa_binding = init_domain_binding(state, &ndr_table_lsarpc);
/* For debugging, it can be a real pain if all the traffic is encrypted */
if (lp_winbind_sealed_pipes(state->service->task->lp_ctx)) {
state->domain->lsa_binding->flags |= (DCERPC_SIGN | DCERPC_SEAL );
} else {
state->domain->lsa_binding->flags |= (DCERPC_SIGN);
}
state->domain->libnet_ctx->lsa.pipe = NULL;
/* this will make the secondary connection on the same IPC$ share,
secured with SPNEGO or NTLMSSP */
ctx = dcerpc_secondary_auth_connection_send(state->domain->netlogon_pipe,
state->domain->lsa_binding,
&ndr_table_lsarpc,
state->domain->libnet_ctx->cred,
state->domain->libnet_ctx->lp_ctx
);
composite_continue(state->ctx, ctx, init_domain_recv_lsa_pipe, state);
}
cbuf* cbuf_takeover(cbuf* b1, cbuf* b2)
{
talloc_reparent(b2, b1, b2->buf);
b1->buf = b2->buf;
b1->pos = b2->pos;
b1->size = b2->size;
cbuf_delete(b2);
return b1;
}
static int cli_trans_state_ptr_destructor(struct cli_trans_state **ptr)
{
struct cli_trans_state *state = *ptr;
void *parent = talloc_parent(state);
talloc_set_destructor(state, NULL);
talloc_reparent(state, parent, state->req);
talloc_free(state);
return 0;
}
/**
* Bind content of @vectors over /proc/{@ptracee->pid}/auxv. This
* function returns -1 if an error occurred, otherwise 0.
*/
static int bind_proc_pid_auxv(const Tracee *ptracee)
{
word_t vectors_address;
ElfAuxVector *vectors;
const char *guest_path;
const char *host_path;
Binding *binding;
int status;
vectors_address = get_elf_aux_vectors_address(ptracee);
if (vectors_address == 0)
return -1;
vectors = fetch_elf_aux_vectors(ptracee, vectors_address);
if (vectors == NULL)
return -1;
/* Path to these ELF auxiliary vectors. */
guest_path = talloc_asprintf(ptracee->ctx, "/proc/%d/auxv", ptracee->pid);
if (guest_path == NULL)
return -1;
/* Remove binding to this path, if any. It contains ELF
* auxiliary vectors of the previous execve(2). */
binding = get_binding(ptracee, GUEST, guest_path);
if (binding != NULL && compare_paths(binding->guest.path, guest_path) == PATHS_ARE_EQUAL) {
remove_binding_from_all_lists(ptracee, binding);
TALLOC_FREE(binding);
}
host_path = create_temp_file(ptracee->ctx, "auxv");
if (host_path == NULL)
return -1;
status = fill_file_with_auxv(ptracee, host_path, vectors);
if (status < 0)
return -1;
/* Note: this binding will be removed once ptracee gets freed. */
binding = insort_binding3(ptracee, ptracee->life_context, host_path, guest_path);
if (binding == NULL)
return -1;
/* This temporary file (host_path) will be removed once the
* binding is freed. */
talloc_reparent(ptracee->ctx, binding, host_path);
return 0;
}
struct tevent_req *cli_trans_send(
TALLOC_CTX *mem_ctx, struct tevent_context *ev,
struct cli_state *cli, uint8_t cmd,
const char *pipe_name, uint16_t fid, uint16_t function, int flags,
uint16_t *setup, uint8_t num_setup, uint8_t max_setup,
uint8_t *param, uint32_t num_param, uint32_t max_param,
uint8_t *data, uint32_t num_data, uint32_t max_data)
{
struct cli_trans_state *state;
uint8_t additional_flags = 0;
uint8_t clear_flags = 0;
uint16_t additional_flags2 = 0;
uint16_t clear_flags2 = 0;
state = talloc_zero(mem_ctx, struct cli_trans_state);
if (state == NULL) {
return NULL;
}
state->cli = cli;
state->ptr = talloc(state, struct cli_trans_state *);
if (state->ptr == NULL) {
talloc_free(state);
return NULL;
}
*state->ptr = state;
state->req = smb1cli_trans_send(state, ev,
cli->conn, cmd,
additional_flags, clear_flags,
additional_flags2, clear_flags2,
cli->timeout,
cli->smb1.pid,
cli->smb1.tcon,
cli->smb1.session,
pipe_name, fid, function, flags,
setup, num_setup, max_setup,
param, num_param, max_param,
data, num_data, max_data);
if (state->req == NULL) {
talloc_free(state);
return NULL;
}
talloc_reparent(state, state->req, state->ptr);
talloc_set_destructor(state, cli_trans_state_destructor);
talloc_set_destructor(state->ptr, cli_trans_state_ptr_destructor);
return state->req;
}
void dsdb_make_schema_global(struct ldb_context *ldb, struct dsdb_schema *schema)
{
if (!schema) {
return;
}
if (global_schema) {
talloc_unlink(talloc_autofree_context(), global_schema);
}
/* we want the schema to be around permanently */
talloc_reparent(ldb, talloc_autofree_context(), schema);
global_schema = schema;
/* This calls the talloc_reference() of the global schema back onto the ldb */
dsdb_set_global_schema(ldb);
}
void dsdb_make_schema_global(struct ldb_context *ldb)
{
struct dsdb_schema *schema = dsdb_get_schema(ldb);
if (!schema) {
return;
}
if (global_schema) {
talloc_unlink(talloc_autofree_context(), global_schema);
}
/* we want the schema to be around permanently */
talloc_reparent(talloc_parent(schema), talloc_autofree_context(), schema);
global_schema = schema;
dsdb_set_global_schema(ldb);
}
/* We should now have either an authenticated LSA pipe, or an error.
* On success, open a policy handle
*/
static void init_domain_recv_lsa_pipe(struct composite_context *ctx)
{
struct init_domain_state *state =
talloc_get_type(ctx->async.private_data,
struct init_domain_state);
struct tevent_req *subreq;
state->ctx->status = dcerpc_secondary_auth_connection_recv(ctx, state->domain,
&state->domain->libnet_ctx->lsa.pipe);
if (NT_STATUS_EQUAL(state->ctx->status, NT_STATUS_LOGON_FAILURE)) {
if (retry_with_schannel(state, state->domain->lsa_binding,
&ndr_table_lsarpc,
init_domain_recv_lsa_pipe)) {
return;
}
}
if (!composite_is_ok(state->ctx)) return;
talloc_steal(state->domain->libnet_ctx, state->domain->libnet_ctx->lsa.pipe);
talloc_reparent(state, state->domain->libnet_ctx->lsa.pipe, state->domain->lsa_binding);
state->domain->libnet_ctx->lsa.lsa_handle =
state->domain->libnet_ctx->lsa.pipe->binding_handle;
state->domain->libnet_ctx->lsa.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
state->domain->libnet_ctx->lsa.name = state->domain->info->name;
ZERO_STRUCT(state->domain->libnet_ctx->lsa.handle);
state->lsa_openpolicy.in.system_name =
talloc_asprintf(state, "\\\\%s",
dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe));
ZERO_STRUCT(state->objectattr);
state->lsa_openpolicy.in.attr = &state->objectattr;
state->lsa_openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
state->lsa_openpolicy.out.handle = &state->domain->libnet_ctx->lsa.handle;
subreq = dcerpc_lsa_OpenPolicy2_r_send(state,
state->ctx->event_ctx,
state->domain->libnet_ctx->lsa.pipe->binding_handle,
&state->lsa_openpolicy);
if (composite_nomem(subreq, state->ctx)) return;
tevent_req_set_callback(subreq, init_domain_recv_lsa_policy, state);
}
/* Recv the SAMR details (SamrConnect and SamrOpenDomain handle) and
* open an LDAP connection */
static void init_domain_recv_samr(struct composite_context *ctx)
{
struct init_domain_state *state =
talloc_get_type(ctx->async.private_data,
struct init_domain_state);
state->ctx->status = wb_connect_samr_recv(
ctx, state->domain,
&state->domain->libnet_ctx->samr.pipe,
&state->domain->libnet_ctx->samr.connect_handle,
&state->domain->libnet_ctx->samr.handle);
if (!composite_is_ok(state->ctx)) return;
talloc_reparent(state, state->domain->libnet_ctx->samr.pipe, state->domain->samr_binding);
state->domain->libnet_ctx->samr.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
state->domain->libnet_ctx->samr.name = state->domain->info->name;
state->domain->libnet_ctx->samr.sid = dom_sid_dup(
state->domain->libnet_ctx,
state->domain->info->sid);
composite_done(state->ctx);
}
/*
perform a sasl bind using the given credentials
*/
_PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
struct cli_credentials *creds,
struct loadparm_context *lp_ctx)
{
NTSTATUS status;
TALLOC_CTX *tmp_ctx = NULL;
DATA_BLOB input = data_blob(NULL, 0);
DATA_BLOB output = data_blob(NULL, 0);
struct ldap_message **sasl_mechs_msgs;
struct ldap_SearchResEntry *search;
int count, i;
const char **sasl_names;
uint32_t old_gensec_features;
static const char *supported_sasl_mech_attrs[] = {
"supportedSASLMechanisms",
NULL
};
unsigned int logon_retries = 0;
status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs,
false, NULL, NULL, &sasl_mechs_msgs);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n",
nt_errstr(status)));
goto failed;
}
count = ildap_count_entries(conn, sasl_mechs_msgs);
if (count != 1) {
DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n",
count));
goto failed;
}
tmp_ctx = talloc_new(conn);
if (tmp_ctx == NULL) goto failed;
search = &sasl_mechs_msgs[0]->r.SearchResultEntry;
if (search->num_attributes != 1) {
DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d != 1\n",
search->num_attributes));
goto failed;
}
sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1);
if (!sasl_names) {
DEBUG(1, ("talloc_arry(char *, %d) failed\n",
count));
goto failed;
}
for (i=0; i<search->attributes[0].num_values; i++) {
sasl_names[i] = (const char *)search->attributes[0].values[i].data;
}
sasl_names[i] = NULL;
gensec_init();
try_logon_again:
/*
we loop back here on a logon failure, and re-create the
gensec session. The logon_retries counter ensures we don't
loop forever.
*/
status = gensec_client_start(conn, &conn->gensec,
lpcfg_gensec_settings(conn, lp_ctx));
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status)));
goto failed;
}
/* require Kerberos SIGN/SEAL only if we don't use SSL
* Windows seem not to like double encryption */
old_gensec_features = cli_credentials_get_gensec_features(creds);
if (tls_enabled(conn->sock)) {
cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL));
}
/* this call also sets the gensec_want_features */
status = gensec_set_credentials(conn->gensec, creds);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to set GENSEC creds: %s\n",
nt_errstr(status)));
goto failed;
}
/* reset the original gensec_features (on the credentials
* context, so we don't tatoo it ) */
cli_credentials_set_gensec_features(creds, old_gensec_features);
if (conn->host) {
status = gensec_set_target_hostname(conn->gensec, conn->host);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
nt_errstr(status)));
goto failed;
}
}
status = gensec_set_target_service(conn->gensec, "ldap");
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to set GENSEC target service: %s\n",
nt_errstr(status)));
goto failed;
}
status = gensec_start_mech_by_sasl_list(conn->gensec, sasl_names);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("None of the %d proposed SASL mechs were acceptable: %s\n",
count, nt_errstr(status)));
goto failed;
}
while (1) {
NTSTATUS gensec_status;
struct ldap_message *response;
struct ldap_message *msg;
struct ldap_request *req;
int result = LDAP_OTHER;
status = gensec_update(conn->gensec, tmp_ctx,
conn->event.event_ctx,
input,
&output);
/* The status value here, from GENSEC is vital to the security
* of the system. Even if the other end accepts, if GENSEC
* claims 'MORE_PROCESSING_REQUIRED' then you must keep
* feeding it blobs, or else the remote host/attacker might
* avoid mutal authentication requirements.
*
* Likewise, you must not feed GENSEC too much (after the OK),
* it doesn't like that either
*/
gensec_status = status;
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
!NT_STATUS_IS_OK(status)) {
break;
}
if (NT_STATUS_IS_OK(status) && output.length == 0) {
break;
}
/* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */
msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL));
if (msg == NULL) {
status = NT_STATUS_NO_MEMORY;
goto failed;
}
req = ldap_request_send(conn, msg);
if (req == NULL) {
status = NT_STATUS_NO_MEMORY;
goto failed;
}
talloc_reparent(conn, tmp_ctx, req);
status = ldap_result_n(req, 0, &response);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
if (response->type != LDAP_TAG_BindResponse) {
status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
goto failed;
}
result = response->r.BindResponse.response.resultcode;
if (result == LDAP_INVALID_CREDENTIALS) {
/*
try a second time on invalid credentials, to
give the user a chance to re-enter the
password and to handle the case where our
kerberos ticket is invalid as the server
password has changed
*/
const char *principal;
principal = gensec_get_target_principal(conn->gensec);
if (principal == NULL) {
const char *hostname = gensec_get_target_hostname(conn->gensec);
const char *service = gensec_get_target_service(conn->gensec);
if (hostname != NULL && service != NULL) {
principal = talloc_asprintf(tmp_ctx, "%s/%s", service, hostname);
}
}
if (cli_credentials_failed_kerberos_login(creds, principal, &logon_retries) ||
cli_credentials_wrong_password(creds)) {
/*
destroy our gensec session and loop
back up to the top to retry,
offering the user a chance to enter
new credentials, or get a new ticket
if using kerberos
*/
talloc_free(conn->gensec);
conn->gensec = NULL;
goto try_logon_again;
}
}
if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) {
status = ldap_check_response(conn,
&response->r.BindResponse.response);
break;
}
/* This is where we check if GENSEC wanted to be fed more data */
if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
break;
}
if (response->r.BindResponse.SASL.secblob) {
input = *response->r.BindResponse.SASL.secblob;
} else {
input = data_blob(NULL, 0);
}
}
talloc_free(tmp_ctx);
if (NT_STATUS_IS_OK(status)) {
struct socket_context *sasl_socket;
status = gensec_socket_init(conn->gensec,
conn,
conn->sock,
conn->event.event_ctx,
ldap_read_io_handler,
conn,
&sasl_socket);
if (!NT_STATUS_IS_OK(status)) goto failed;
conn->sock = sasl_socket;
packet_set_socket(conn->packet, conn->sock);
conn->bind.type = LDAP_BIND_SASL;
conn->bind.creds = creds;
}
return status;
failed:
talloc_free(tmp_ctx);
talloc_free(conn->gensec);
conn->gensec = NULL;
return status;
}
/**
* Translate the pathname of the struct sockaddr_un currently stored
* in the @tracee memory at the given @address. See the documentation
* of read_sockaddr_un() for the meaning of the @size parameter.
* Also, the new address of the translated sockaddr_un is put in the
* @address parameter. This function returns -errno if an error
* occurred, otherwise 0.
*/
int translate_socketcall_enter(Tracee *tracee, word_t *address, int size)
{
struct sockaddr_un sockaddr;
char user_path[PATH_MAX];
char host_path[PATH_MAX];
int status;
if (*address == 0)
return 0;
status = read_sockaddr_un(tracee, &sockaddr, sizeof(sockaddr), user_path, *address, size);
if (status <= 0)
return status;
status = translate_path(tracee, host_path, AT_FDCWD, user_path, true);
if (status < 0)
return status;
/* Be careful: sun_path doesn't have to be null-terminated. */
if (strlen(host_path) > sizeof_path) {
char *shorter_host_path;
Binding *binding;
/* The translated path is too long to fit the sun_path
* array, so let's bind it to a shorter path. */
shorter_host_path = create_temp_name(tracee->ctx, "proot");
if (shorter_host_path == NULL || strlen(shorter_host_path) > sizeof_path)
return -EINVAL;
(void) mktemp(shorter_host_path);
if (strlen(shorter_host_path) > sizeof_path)
return -EINVAL;
/* Ensure the guest path of this new binding is
* canonicalized, as it is always assumed. */
strcpy(user_path, host_path);
status = detranslate_path(tracee, user_path, NULL);
if (status < 0)
return -EINVAL;
/* Bing the guest path to a shorter host path. */
binding = insort_binding3(tracee, tracee->ctx, shorter_host_path, user_path);
if (binding == NULL)
return -EINVAL;
/* This temporary file (shorter_host_path) will be removed once the
* binding is destroyed. */
talloc_reparent(tracee->ctx, binding, shorter_host_path);
/* Let's use this shorter path now. */
strcpy(host_path, shorter_host_path);
}
strncpy(sockaddr.sun_path, host_path, sizeof_path);
/* Push the updated sockaddr to a newly allocated space. */
*address = alloc_mem(tracee, sizeof(sockaddr));
if (*address == 0)
return -EFAULT;
status = write_data(tracee, *address, &sockaddr, sizeof(sockaddr));
if (status < 0)
return status;
return 1;
}
void *_talloc_steal(const void *new_ctx, const void *ptr)
{
return talloc_reparent(talloc_parent(ptr), new_ctx, ptr);
}
/*
* Hook to allow handling of NTLM authentication for AD operation
* without directly linking the s4 auth stack
*
* This ensures we use the source4 authentication stack, as well as
* the authorization stack to create the user's token. This ensures
* consistency between NTLM logins and NTLMSSP logins, as NTLMSSP is
* handled by the hook above.
*/
static NTSTATUS make_auth4_context_s4(const struct auth_context *auth_context,
TALLOC_CTX *mem_ctx,
struct auth4_context **auth4_context)
{
NTSTATUS status;
struct loadparm_context *lp_ctx;
struct tevent_context *event_ctx;
TALLOC_CTX *frame = talloc_stackframe();
struct imessaging_context *msg_ctx;
struct server_id *server_id;
lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
if (lp_ctx == NULL) {
DEBUG(1, ("loadparm_init_s3 failed\n"));
TALLOC_FREE(frame);
return NT_STATUS_INVALID_SERVER_STATE;
}
event_ctx = s4_event_context_init(frame);
if (event_ctx == NULL) {
DEBUG(1, ("s4_event_context_init failed\n"));
TALLOC_FREE(frame);
return NT_STATUS_INVALID_SERVER_STATE;
}
server_id = new_server_id_task(frame);
if (server_id == NULL) {
DEBUG(1, ("new_server_id_task failed\n"));
TALLOC_FREE(frame);
return NT_STATUS_INVALID_SERVER_STATE;
}
msg_ctx = imessaging_init(frame,
lp_ctx,
*server_id,
event_ctx, true);
if (msg_ctx == NULL) {
DEBUG(1, ("imessaging_init failed\n"));
TALLOC_FREE(frame);
return NT_STATUS_INVALID_SERVER_STATE;
}
talloc_reparent(frame, msg_ctx, server_id);
/* Allow forcing a specific auth4 module */
if (!auth_context->forced_samba4_methods) {
status = auth_context_create(mem_ctx,
event_ctx,
msg_ctx,
lp_ctx,
auth4_context);
} else {
const char * const *forced_auth_methods = (const char * const *)str_list_make(mem_ctx, auth_context->forced_samba4_methods, NULL);
status = auth_context_create_methods(mem_ctx, forced_auth_methods, event_ctx, msg_ctx, lp_ctx, NULL, auth4_context);
}
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start auth server code: %s\n", nt_errstr(status)));
TALLOC_FREE(frame);
return status;
}
talloc_reparent(frame, *auth4_context, msg_ctx);
talloc_reparent(frame, *auth4_context, event_ctx);
talloc_reparent(frame, *auth4_context, lp_ctx);
TALLOC_FREE(frame);
return status;
}
/* Hook to allow GENSEC to handle blob-based authentication
* mechanisms, without directly linking the mechansim code */
static NTSTATUS prepare_gensec(TALLOC_CTX *mem_ctx,
struct gensec_security **gensec_context)
{
NTSTATUS status;
struct loadparm_context *lp_ctx;
struct tevent_context *event_ctx;
TALLOC_CTX *frame = talloc_stackframe();
struct gensec_security *gensec_ctx;
struct imessaging_context *msg_ctx;
struct cli_credentials *server_credentials;
lp_ctx = loadparm_init_s3(frame, loadparm_s3_context());
if (lp_ctx == NULL) {
DEBUG(1, ("loadparm_init_s3 failed\n"));
TALLOC_FREE(frame);
return NT_STATUS_INVALID_SERVER_STATE;
}
event_ctx = s4_event_context_init(frame);
if (event_ctx == NULL) {
DEBUG(1, ("s4_event_context_init failed\n"));
TALLOC_FREE(frame);
return NT_STATUS_INVALID_SERVER_STATE;
}
msg_ctx = imessaging_client_init(frame,
lp_ctx,
event_ctx);
if (msg_ctx == NULL) {
DEBUG(1, ("imessaging_init failed\n"));
TALLOC_FREE(frame);
return NT_STATUS_INVALID_SERVER_STATE;
}
server_credentials
= cli_credentials_init(frame);
if (!server_credentials) {
DEBUG(1, ("Failed to init server credentials"));
TALLOC_FREE(frame);
return NT_STATUS_INVALID_SERVER_STATE;
}
cli_credentials_set_conf(server_credentials, lp_ctx);
status = cli_credentials_set_machine_account(server_credentials, lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
talloc_free(server_credentials);
server_credentials = NULL;
}
status = samba_server_gensec_start(mem_ctx,
event_ctx, msg_ctx,
lp_ctx, server_credentials, "cifs",
&gensec_ctx);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status)));
TALLOC_FREE(frame);
return status;
}
talloc_reparent(frame, gensec_ctx, msg_ctx);
talloc_reparent(frame, gensec_ctx, event_ctx);
talloc_reparent(frame, gensec_ctx, lp_ctx);
talloc_reparent(frame, gensec_ctx, server_credentials);
gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(gensec_ctx, GENSEC_FEATURE_UNIX_TOKEN);
*gensec_context = gensec_ctx;
TALLOC_FREE(frame);
return status;
}
/*
perform a sasl bind using the given credentials
*/
_PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
struct cli_credentials *creds,
struct loadparm_context *lp_ctx)
{
NTSTATUS status;
TALLOC_CTX *tmp_ctx = NULL;
DATA_BLOB input = data_blob(NULL, 0);
DATA_BLOB output = data_blob(NULL, 0);
struct ldap_message **sasl_mechs_msgs;
struct ldap_SearchResEntry *search;
int count, i;
bool first = true;
int wrap_flags = 0;
const char **sasl_names;
uint32_t old_gensec_features;
static const char *supported_sasl_mech_attrs[] = {
"supportedSASLMechanisms",
NULL
};
unsigned int logon_retries = 0;
size_t queue_length;
if (conn->sockets.active == NULL) {
status = NT_STATUS_CONNECTION_DISCONNECTED;
goto failed;
}
queue_length = tevent_queue_length(conn->sockets.send_queue);
if (queue_length != 0) {
status = NT_STATUS_INVALID_PARAMETER_MIX;
DEBUG(1, ("SASL bind triggered with non empty send_queue[%zu]: %s\n",
queue_length, nt_errstr(status)));
goto failed;
}
if (conn->pending != NULL) {
status = NT_STATUS_INVALID_PARAMETER_MIX;
DEBUG(1, ("SASL bind triggered with pending requests: %s\n",
nt_errstr(status)));
goto failed;
}
status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs,
false, NULL, NULL, &sasl_mechs_msgs);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n",
nt_errstr(status)));
goto failed;
}
count = ildap_count_entries(conn, sasl_mechs_msgs);
if (count != 1) {
DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n",
count));
goto failed;
}
tmp_ctx = talloc_new(conn);
if (tmp_ctx == NULL) goto failed;
search = &sasl_mechs_msgs[0]->r.SearchResultEntry;
if (search->num_attributes != 1) {
DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d != 1\n",
search->num_attributes));
goto failed;
}
sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1);
if (!sasl_names) {
DEBUG(1, ("talloc_arry(char *, %d) failed\n",
count));
goto failed;
}
for (i=0; i<search->attributes[0].num_values; i++) {
sasl_names[i] = (const char *)search->attributes[0].values[i].data;
}
sasl_names[i] = NULL;
gensec_init();
if (conn->sockets.active == conn->sockets.tls) {
/*
* require Kerberos SIGN/SEAL only if we don't use SSL
* Windows seem not to like double encryption
*/
wrap_flags = 0;
} else if (cli_credentials_is_anonymous(creds)) {
/*
* anonymous isn't protected
*/
wrap_flags = 0;
} else {
wrap_flags = lpcfg_client_ldap_sasl_wrapping(lp_ctx);
}
try_logon_again:
/*
we loop back here on a logon failure, and re-create the
gensec session. The logon_retries counter ensures we don't
loop forever.
*/
data_blob_free(&input);
TALLOC_FREE(conn->gensec);
status = gensec_client_start(conn, &conn->gensec,
lpcfg_gensec_settings(conn, lp_ctx));
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status)));
goto failed;
}
old_gensec_features = cli_credentials_get_gensec_features(creds);
if (wrap_flags == 0) {
cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL));
}
/* this call also sets the gensec_want_features */
status = gensec_set_credentials(conn->gensec, creds);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to set GENSEC creds: %s\n",
nt_errstr(status)));
goto failed;
}
/* reset the original gensec_features (on the credentials
* context, so we don't tatoo it ) */
cli_credentials_set_gensec_features(creds, old_gensec_features);
if (wrap_flags & ADS_AUTH_SASL_SEAL) {
gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL);
}
if (wrap_flags & ADS_AUTH_SASL_SIGN) {
gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
}
/*
* This is an indication for the NTLMSSP backend to
* also encrypt when only GENSEC_FEATURE_SIGN is requested
* in gensec_[un]wrap().
*/
gensec_want_feature(conn->gensec, GENSEC_FEATURE_LDAP_STYLE);
if (conn->host) {
status = gensec_set_target_hostname(conn->gensec, conn->host);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
nt_errstr(status)));
goto failed;
}
}
status = gensec_set_target_service(conn->gensec, "ldap");
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to set GENSEC target service: %s\n",
nt_errstr(status)));
goto failed;
}
status = gensec_start_mech_by_sasl_list(conn->gensec, sasl_names);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("None of the %d proposed SASL mechs were acceptable: %s\n",
count, nt_errstr(status)));
goto failed;
}
while (1) {
NTSTATUS gensec_status;
struct ldap_message *response;
struct ldap_message *msg;
struct ldap_request *req;
int result = LDAP_OTHER;
status = gensec_update_ev(conn->gensec, tmp_ctx,
conn->event.event_ctx,
input,
&output);
/* The status value here, from GENSEC is vital to the security
* of the system. Even if the other end accepts, if GENSEC
* claims 'MORE_PROCESSING_REQUIRED' then you must keep
* feeding it blobs, or else the remote host/attacker might
* avoid mutal authentication requirements.
*
* Likewise, you must not feed GENSEC too much (after the OK),
* it doesn't like that either.
*
* For SASL/EXTERNAL, there is no data to send, but we still
* must send the actual Bind request the first time around.
* Otherwise, a result of NT_STATUS_OK with 0 output means the
* end of a multi-step authentication, and no message must be
* sent.
*/
gensec_status = status;
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
!NT_STATUS_IS_OK(status)) {
break;
}
if (NT_STATUS_IS_OK(status) && output.length == 0) {
if (!first)
break;
}
first = false;
/* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */
msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL));
if (msg == NULL) {
status = NT_STATUS_NO_MEMORY;
goto failed;
}
req = ldap_request_send(conn, msg);
if (req == NULL) {
status = NT_STATUS_NO_MEMORY;
goto failed;
}
talloc_reparent(conn, tmp_ctx, req);
status = ldap_result_n(req, 0, &response);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
if (response->type != LDAP_TAG_BindResponse) {
status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
goto failed;
}
result = response->r.BindResponse.response.resultcode;
if (result == LDAP_STRONG_AUTH_REQUIRED) {
if (wrap_flags == 0) {
wrap_flags = ADS_AUTH_SASL_SIGN;
goto try_logon_again;
}
}
if (result == LDAP_INVALID_CREDENTIALS) {
/*
try a second time on invalid credentials, to
give the user a chance to re-enter the
password and to handle the case where our
kerberos ticket is invalid as the server
password has changed
*/
const char *principal;
principal = gensec_get_target_principal(conn->gensec);
if (principal == NULL) {
const char *hostname = gensec_get_target_hostname(conn->gensec);
const char *service = gensec_get_target_service(conn->gensec);
if (hostname != NULL && service != NULL) {
principal = talloc_asprintf(tmp_ctx, "%s/%s", service, hostname);
}
}
if (cli_credentials_failed_kerberos_login(creds, principal, &logon_retries) ||
cli_credentials_wrong_password(creds)) {
/*
destroy our gensec session and loop
back up to the top to retry,
offering the user a chance to enter
new credentials, or get a new ticket
if using kerberos
*/
goto try_logon_again;
}
}
if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) {
status = ldap_check_response(conn,
&response->r.BindResponse.response);
break;
}
/* This is where we check if GENSEC wanted to be fed more data */
if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
break;
}
if (response->r.BindResponse.SASL.secblob) {
input = *response->r.BindResponse.SASL.secblob;
} else {
input = data_blob(NULL, 0);
}
}
TALLOC_FREE(tmp_ctx);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
conn->bind.type = LDAP_BIND_SASL;
conn->bind.creds = creds;
if (wrap_flags & ADS_AUTH_SASL_SEAL) {
if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) {
return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
} else if (wrap_flags & ADS_AUTH_SASL_SIGN) {
if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) {
return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
}
if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) &&
!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
return NT_STATUS_OK;
}
status = gensec_create_tstream(conn->sockets.raw,
conn->gensec,
conn->sockets.raw,
&conn->sockets.sasl);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
conn->sockets.active = conn->sockets.sasl;
return NT_STATUS_OK;
failed:
talloc_free(tmp_ctx);
talloc_free(conn->gensec);
conn->gensec = NULL;
return status;
}
