NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
const char *username,
bool is_guest,
struct auth_serversupplied_info **presult)
{
struct auth_serversupplied_info *result;
struct passwd *pwd;
NTSTATUS status;
pwd = Get_Pwnam_alloc(talloc_tos(), username);
if (pwd == NULL) {
return NT_STATUS_NO_SUCH_USER;
}
status = make_server_info_pw(&result, pwd->pw_name, pwd);
TALLOC_FREE(pwd);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
result->nss_token = true;
result->guest = is_guest;
status = create_local_token(result);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(result);
return status;
}
*presult = talloc_steal(mem_ctx, result);
return NT_STATUS_OK;
}
NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
const char *username,
bool is_guest,
struct auth_session_info **session_info)
{
struct passwd *pwd;
NTSTATUS status;
struct auth_serversupplied_info *result;
pwd = Get_Pwnam_alloc(talloc_tos(), username);
if (pwd == NULL) {
return NT_STATUS_NO_SUCH_USER;
}
status = make_server_info_pw(&result, pwd->pw_name, pwd);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
result->nss_token = true;
result->guest = is_guest;
/* Now turn the server_info into a session_info with the full token etc */
status = create_local_token(mem_ctx, result, NULL, pwd->pw_name, session_info);
TALLOC_FREE(result);
TALLOC_FREE(pwd);
return status;
}
static NTSTATUS make_new_session_info_guest(struct auth_session_info **session_info, struct auth_serversupplied_info **server_info)
{
static const char zeros[16] = {0};
const char *guest_account = lp_guestaccount();
const char *domain = lp_netbios_name();
struct netr_SamInfo3 info3;
TALLOC_CTX *tmp_ctx;
NTSTATUS status;
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCT(info3);
status = get_guest_info3(tmp_ctx, &info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("get_guest_info3 failed with %s\n",
nt_errstr(status)));
goto done;
}
status = make_server_info_info3(tmp_ctx,
guest_account,
domain,
server_info,
&info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("make_server_info_info3 failed with %s\n",
nt_errstr(status)));
goto done;
}
(*server_info)->guest = true;
/* This should not be done here (we should produce a server
* info, and later construct a session info from it), but for
* now this does not change the previous behavior */
status = create_local_token(tmp_ctx, *server_info, NULL,
(*server_info)->info3->base.account_name.string,
session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("create_local_token failed: %s\n",
nt_errstr(status)));
goto done;
}
talloc_steal(NULL, *session_info);
talloc_steal(NULL, *server_info);
/* annoying, but the Guest really does have a session key, and it is
all zeros! */
(*session_info)->session_key = data_blob(zeros, sizeof(zeros));
status = NT_STATUS_OK;
done:
TALLOC_FREE(tmp_ctx);
return status;
}
static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **server_info)
{
static const char zeros[16] = {0};
const char *guest_account = lp_guestaccount();
const char *domain = global_myname();
struct netr_SamInfo3 info3;
TALLOC_CTX *tmp_ctx;
NTSTATUS status;
fstring tmp;
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCT(info3);
status = get_guest_info3(tmp_ctx, &info3);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
status = make_server_info_info3(tmp_ctx,
guest_account,
domain,
server_info,
&info3);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
(*server_info)->guest = True;
status = create_local_token(*server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("create_local_token failed: %s\n",
nt_errstr(status)));
goto done;
}
/* annoying, but the Guest really does have a session key, and it is
all zeros! */
(*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
(*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
alpha_strcpy(tmp, (*server_info)->info3->base.account_name.string,
". _-$", sizeof(tmp));
(*server_info)->sanitized_username = talloc_strdup(*server_info, tmp);
status = NT_STATUS_OK;
done:
TALLOC_FREE(tmp_ctx);
return status;
}
static NTSTATUS make_system_session_info_from_pw(TALLOC_CTX *mem_ctx,
struct passwd *pwd,
struct auth_serversupplied_info **server_info)
{
const char *domain = global_myname();
struct netr_SamInfo3 info3;
TALLOC_CTX *tmp_ctx;
NTSTATUS status;
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCT(info3);
status = get_system_info3(tmp_ctx, pwd, &info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed creating system info3 with %s\n",
nt_errstr(status)));
goto done;
}
status = make_server_info_info3(mem_ctx,
pwd->pw_name,
domain,
server_info,
&info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("make_server_info_info3 failed with %s\n",
nt_errstr(status)));
goto done;
}
(*server_info)->nss_token = true;
/* Now turn the server_info into a session_info with the full token etc */
status = create_local_token(*server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("create_local_token failed: %s\n",
nt_errstr(status)));
goto done;
}
status = NT_STATUS_OK;
done:
TALLOC_FREE(tmp_ctx);
return status;
}
NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
struct auth_ntlmssp_state *auth_ntlmssp_state,
struct auth_serversupplied_info **session_info)
{
NTSTATUS nt_status = create_local_token(mem_ctx,
auth_ntlmssp_state->server_info,
&auth_ntlmssp_state->ntlmssp_state->session_key,
session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(10, ("create_local_token failed: %s\n",
nt_errstr(nt_status)));
}
return nt_status;
}
NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
const char *username,
bool is_guest,
struct auth_session_info **session_info)
{
struct passwd *pwd;
NTSTATUS status;
struct auth_serversupplied_info *result;
TALLOC_CTX *tmp_ctx;
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
pwd = Get_Pwnam_alloc(tmp_ctx, username);
if (pwd == NULL) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
status = make_server_info_pw(tmp_ctx, pwd->pw_name, pwd, &result);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
result->nss_token = true;
result->guest = is_guest;
/* Now turn the server_info into a session_info with the full token etc */
status = create_local_token(mem_ctx,
result,
NULL,
pwd->pw_name,
session_info);
done:
talloc_free(tmp_ctx);
return status;
}
static NTSTATUS gensec_ntlmssp3_server_session_info(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info)
{
struct gensec_ntlmssp_context *gensec_ntlmssp =
talloc_get_type_abort(gensec_security->private_data,
struct gensec_ntlmssp_context);
NTSTATUS nt_status;
nt_status = create_local_token(mem_ctx,
gensec_ntlmssp->server_info,
&gensec_ntlmssp->ntlmssp_state->session_key,
gensec_ntlmssp->ntlmssp_state->user,
session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(10, ("create_local_token failed: %s\n",
nt_errstr(nt_status)));
return nt_status;
}
return NT_STATUS_OK;
}
NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context,
TALLOC_CTX *mem_ctx,
void *server_returned_info,
const char *original_user_name,
uint32_t session_info_flags,
struct auth_session_info **session_info)
{
struct auth_user_info_dc *user_info = NULL;
struct auth_serversupplied_info *server_info = NULL;
NTSTATUS nt_status;
/*
* This is a hack, some callers...
*
* Some callers pass auth_user_info_dc, the SCHANNEL and
* NCALRPC_AS_SYSTEM gensec modules.
*
* While the reset passes auth3_check_password() returned.
*/
user_info = talloc_get_type(server_returned_info,
struct auth_user_info_dc);
if (user_info != NULL) {
const struct dom_sid *sid;
int cmp;
/*
* This should only be called from SCHANNEL or NCALRPC_AS_SYSTEM
*/
if (user_info->num_sids != 1) {
return NT_STATUS_INTERNAL_ERROR;
}
sid = &user_info->sids[PRIMARY_USER_SID_INDEX];
cmp = dom_sid_compare(sid, &global_sid_System);
if (cmp == 0) {
return make_session_info_system(mem_ctx, session_info);
}
cmp = dom_sid_compare(sid, &global_sid_Anonymous);
if (cmp == 0) {
/*
* TODO: use auth_anonymous_session_info() here?
*/
return make_session_info_guest(mem_ctx, session_info);
}
return NT_STATUS_INTERNAL_ERROR;
}
server_info = talloc_get_type_abort(server_returned_info,
struct auth_serversupplied_info);
nt_status = create_local_token(mem_ctx,
server_info,
NULL,
original_user_name,
session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(10, ("create_local_token failed: %s\n",
nt_errstr(nt_status)));
return nt_status;
}
return NT_STATUS_OK;
}
/* Creates a pipes_struct and initializes it with the information
* sent from the client */
static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
struct messaging_context *msg_ctx,
const char *pipe_name,
enum dcerpc_transport_t transport,
bool ncalrpc_as_system,
const struct tsocket_address *local_address,
const struct tsocket_address *remote_address,
struct auth_session_info *session_info,
struct pipes_struct **_p,
int *perrno)
{
struct pipes_struct *p;
NTSTATUS status;
int ret;
ret = make_base_pipes_struct(mem_ctx, msg_ctx, pipe_name,
transport, RPC_LITTLE_ENDIAN,
ncalrpc_as_system,
remote_address, local_address, &p);
if (ret) {
*perrno = ret;
return -1;
}
if (session_info->unix_token && session_info->unix_info && session_info->security_token) {
/* Don't call create_local_token(), we already have the full details here */
p->session_info = talloc_steal(p, session_info);
} else {
struct auth_user_info_dc *auth_user_info_dc;
struct auth_serversupplied_info *server_info;
struct netr_SamInfo3 *info3;
/* Fake up an auth_user_info_dc for now, to make an info3, to make the session_info structure */
auth_user_info_dc = talloc_zero(p, struct auth_user_info_dc);
if (!auth_user_info_dc) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
auth_user_info_dc->num_sids = session_info->security_token->num_sids;
auth_user_info_dc->sids = session_info->security_token->sids;
auth_user_info_dc->info = session_info->info;
auth_user_info_dc->user_session_key = session_info->session_key;
/* This creates the input structure that make_server_info_info3 is looking for */
status = auth_convert_user_info_dc_saminfo3(p, auth_user_info_dc,
&info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to convert auth_user_info_dc into netr_SamInfo3\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
status = make_server_info_info3(p,
info3->base.account_name.string,
info3->base.logon_domain.string,
&server_info, info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to init server info\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
/*
* Some internal functions need a local token to determine access to
* resources.
*/
status = create_local_token(p, server_info, &session_info->session_key, info3->base.account_name.string,
&p->session_info);
talloc_free(server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to init local auth token\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
}
*_p = p;
return 0;
}
/* Creates a pipes_struct and initializes it with the information
* sent from the client */
static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
const char *pipe_name,
const struct ndr_syntax_id id,
enum dcerpc_transport_t transport,
bool ncalrpc_as_system,
const char *client_address,
const char *server_address,
struct auth_session_info_transport *session_info,
struct pipes_struct **_p,
int *perrno)
{
struct netr_SamInfo3 *info3;
struct auth_user_info_dc *auth_user_info_dc;
struct pipes_struct *p;
NTSTATUS status;
bool ok;
p = talloc_zero(mem_ctx, struct pipes_struct);
if (!p) {
*perrno = ENOMEM;
return -1;
}
p->syntax = id;
p->transport = transport;
p->ncalrpc_as_system = ncalrpc_as_system;
p->allow_bind = true;
p->mem_ctx = talloc_named(p, 0, "pipe %s %p", pipe_name, p);
if (!p->mem_ctx) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
ok = init_pipe_handles(p, &id);
if (!ok) {
DEBUG(1, ("Failed to init handles\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
data_blob_free(&p->in_data.data);
data_blob_free(&p->in_data.pdu);
p->endian = RPC_LITTLE_ENDIAN;
/* Fake up an auth_user_info_dc for now, to make an info3, to make the session_info structure */
auth_user_info_dc = talloc_zero(p, struct auth_user_info_dc);
if (!auth_user_info_dc) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
auth_user_info_dc->num_sids = session_info->security_token->num_sids;
auth_user_info_dc->sids = session_info->security_token->sids;
auth_user_info_dc->info = session_info->info;
auth_user_info_dc->user_session_key = session_info->session_key;
/* This creates the input structure that make_server_info_info3 is looking for */
status = auth_convert_user_info_dc_saminfo3(p, auth_user_info_dc,
&info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to convert auth_user_info_dc into netr_SamInfo3\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
status = make_server_info_info3(p,
info3->base.account_name.string,
info3->base.domain.string,
&p->session_info, info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to init server info\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
/*
* Some internal functions need a local token to determine access to
* resoutrces.
*/
status = create_local_token(p->session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to init local auth token\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
/* Now override the session_info->security_token with the exact
* security_token we were given from the other side,
* regardless of what we just calculated */
p->session_info->security_token = talloc_move(p->session_info, &session_info->security_token);
/* Also set the session key to the correct value */
p->session_info->user_session_key = session_info->session_key;
p->session_info->user_session_key.data = talloc_move(p->session_info, &session_info->session_key.data);
p->client_id = talloc_zero(p, struct client_address);
if (!p->client_id) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
strlcpy(p->client_id->addr,
client_address, sizeof(p->client_id->addr));
p->client_id->name = talloc_strdup(p->client_id, client_address);
if (p->client_id->name == NULL) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
if (server_address != NULL) {
p->server_id = talloc_zero(p, struct client_address);
if (p->client_id == NULL) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
strlcpy(p->server_id->addr,
server_address,
sizeof(p->server_id->addr));
p->server_id->name = talloc_strdup(p->server_id,
server_address);
if (p->server_id->name == NULL) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
}
NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
char *ntuser,
char *ntdomain,
char *username,
struct passwd *pw,
struct PAC_LOGON_INFO *logon_info,
bool mapped_to_guest, bool username_was_mapped,
DATA_BLOB *session_key,
struct auth_session_info **session_info)
{
NTSTATUS status;
struct auth_serversupplied_info *server_info;
if (mapped_to_guest) {
status = make_server_info_guest(mem_ctx, &server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("make_server_info_guest failed: %s!\n",
nt_errstr(status)));
return status;
}
} else if (logon_info) {
/* pass the unmapped username here since map_username()
will be called again in make_server_info_info3() */
status = make_server_info_info3(mem_ctx,
ntuser, ntdomain,
&server_info,
&logon_info->info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("make_server_info_info3 failed: %s!\n",
nt_errstr(status)));
return status;
}
} else {
/*
* We didn't get a PAC, we have to make up the user
* ourselves. Try to ask the pdb backend to provide
* SID consistency with ntlmssp session setup
*/
struct samu *sampass;
/* The stupid make_server_info_XX functions here
don't take a talloc context. */
struct auth_serversupplied_info *tmp = NULL;
sampass = samu_new(talloc_tos());
if (sampass == NULL) {
return NT_STATUS_NO_MEMORY;
}
if (pdb_getsampwnam(sampass, username)) {
DEBUG(10, ("found user %s in passdb, calling "
"make_server_info_sam\n", username));
status = make_server_info_sam(&tmp, sampass);
} else {
/*
* User not in passdb, make it up artificially
*/
DEBUG(10, ("didn't find user %s in passdb, calling "
"make_server_info_pw\n", username));
status = make_server_info_pw(&tmp, username, pw);
}
TALLOC_FREE(sampass);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("make_server_info_[sam|pw] failed: %s!\n",
nt_errstr(status)));
return status;
}
/* make_server_info_pw does not set the domain. Without this
* we end up with the local netbios name in substitutions for
* %D. */
if (server_info->info3 != NULL) {
server_info->info3->base.domain.string =
talloc_strdup(server_info->info3, ntdomain);
}
}
server_info->nss_token |= username_was_mapped;
status = create_local_token(mem_ctx, server_info, session_key, ntuser, session_info);
talloc_free(server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("failed to create local token: %s\n",
nt_errstr(status)));
return status;
}
return NT_STATUS_OK;
}
/* Creates a pipes_struct and initializes it with the information
* sent from the client */
static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
const char *pipe_name,
enum dcerpc_transport_t transport,
bool ncalrpc_as_system,
const struct tsocket_address *local_address,
const struct tsocket_address *remote_address,
struct auth_session_info *session_info,
struct pipes_struct **_p,
int *perrno)
{
struct netr_SamInfo3 *info3;
struct auth_user_info_dc *auth_user_info_dc;
struct pipes_struct *p;
struct auth_serversupplied_info *server_info;
NTSTATUS status;
p = talloc_zero(mem_ctx, struct pipes_struct);
if (!p) {
*perrno = ENOMEM;
return -1;
}
p->transport = transport;
p->ncalrpc_as_system = ncalrpc_as_system;
p->mem_ctx = talloc_named(p, 0, "pipe %s %p", pipe_name, p);
if (!p->mem_ctx) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
data_blob_free(&p->in_data.data);
data_blob_free(&p->in_data.pdu);
p->endian = RPC_LITTLE_ENDIAN;
/* Fake up an auth_user_info_dc for now, to make an info3, to make the session_info structure */
auth_user_info_dc = talloc_zero(p, struct auth_user_info_dc);
if (!auth_user_info_dc) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
auth_user_info_dc->num_sids = session_info->security_token->num_sids;
auth_user_info_dc->sids = session_info->security_token->sids;
auth_user_info_dc->info = session_info->info;
auth_user_info_dc->user_session_key = session_info->session_key;
/* This creates the input structure that make_server_info_info3 is looking for */
status = auth_convert_user_info_dc_saminfo3(p, auth_user_info_dc,
&info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to convert auth_user_info_dc into netr_SamInfo3\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
status = make_server_info_info3(p,
info3->base.account_name.string,
info3->base.domain.string,
&server_info, info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to init server info\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
/*
* Some internal functions need a local token to determine access to
* resoutrces.
*/
status = create_local_token(p, server_info, &session_info->session_key, &p->session_info);
talloc_free(server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to init local auth token\n"));
TALLOC_FREE(p);
*perrno = EINVAL;
return -1;
}
/* Now override the session_info->security_token with the exact
* security_token we were given from the other side,
* regardless of what we just calculated */
p->session_info->security_token = talloc_move(p->session_info, &session_info->security_token);
p->remote_address = tsocket_address_copy(remote_address, p);
if (p->remote_address == NULL) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
if (local_address != NULL) {
p->local_address = tsocket_address_copy(local_address, p);
if (p->local_address == NULL) {
TALLOC_FREE(p);
*perrno = ENOMEM;
return -1;
}
}
talloc_set_destructor(p, close_internal_rpc_pipe_hnd);
*_p = p;
return 0;
}
static int reply_spnego_kerberos(connection_struct *conn,
char *inbuf, char *outbuf,
int length, int bufsize,
DATA_BLOB *secblob,
BOOL *p_invalidate_vuid)
{
TALLOC_CTX *mem_ctx;
DATA_BLOB ticket;
char *client, *p, *domain;
fstring netbios_domain_name;
struct passwd *pw;
fstring user;
int sess_vuid;
NTSTATUS ret;
PAC_DATA *pac_data;
DATA_BLOB ap_rep, ap_rep_wrapped, response;
auth_serversupplied_info *server_info = NULL;
DATA_BLOB session_key = data_blob(NULL, 0);
uint8 tok_id[2];
DATA_BLOB nullblob = data_blob(NULL, 0);
fstring real_username;
BOOL map_domainuser_to_guest = False;
BOOL username_was_mapped;
PAC_LOGON_INFO *logon_info = NULL;
ZERO_STRUCT(ticket);
ZERO_STRUCT(pac_data);
ZERO_STRUCT(ap_rep);
ZERO_STRUCT(ap_rep_wrapped);
ZERO_STRUCT(response);
/* Normally we will always invalidate the intermediate vuid. */
*p_invalidate_vuid = True;
mem_ctx = talloc_init("reply_spnego_kerberos");
if (mem_ctx == NULL) {
return ERROR_NT(nt_status_squash(NT_STATUS_NO_MEMORY));
}
if (!spnego_parse_krb5_wrap(*secblob, &ticket, tok_id)) {
talloc_destroy(mem_ctx);
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket, &client, &pac_data, &ap_rep, &session_key);
data_blob_free(&ticket);
if (!NT_STATUS_IS_OK(ret)) {
#if 0
/* Experiment that failed. See "only happens with a KDC" comment below. */
if (NT_STATUS_EQUAL(ret, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
/*
* Windows in this case returns NT_STATUS_MORE_PROCESSING_REQUIRED
* with a negTokenTarg blob containing an krb5_error struct ASN1 encoded
* containing KRB5KRB_AP_ERR_SKEW. The client then fixes its
* clock and continues rather than giving an error. JRA.
* -- Looks like this only happens with a KDC. JRA.
*/
BOOL ok = make_krb5_skew_error(&ap_rep);
if (!ok) {
talloc_destroy(mem_ctx);
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
ap_rep_wrapped = spnego_gen_krb5_wrap(ap_rep, TOK_ID_KRB_ERROR);
response = spnego_gen_auth_response(&ap_rep_wrapped, ret, OID_KERBEROS5_OLD);
reply_sesssetup_blob(conn, outbuf, response, NT_STATUS_MORE_PROCESSING_REQUIRED);
/*
* In this one case we don't invalidate the intermediate vuid.
* as we're expecting the client to re-use it for the next
* sessionsetupX packet. JRA.
*/
*p_invalidate_vuid = False;
data_blob_free(&ap_rep);
data_blob_free(&ap_rep_wrapped);
data_blob_free(&response);
talloc_destroy(mem_ctx);
return -1; /* already replied */
}
#else
if (!NT_STATUS_EQUAL(ret, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
ret = NT_STATUS_LOGON_FAILURE;
}
#endif
DEBUG(1,("Failed to verify incoming ticket with error %s!\n", nt_errstr(ret)));
talloc_destroy(mem_ctx);
return ERROR_NT(nt_status_squash(ret));
}
DEBUG(3,("Ticket name is [%s]\n", client));
p = strchr_m(client, '@');
if (!p) {
DEBUG(3,("Doesn't look like a valid principal\n"));
data_blob_free(&ap_rep);
data_blob_free(&session_key);
SAFE_FREE(client);
talloc_destroy(mem_ctx);
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
*p = 0;
/* save the PAC data if we have it */
if (pac_data) {
logon_info = get_logon_info_from_pac(pac_data);
if (logon_info) {
netsamlogon_cache_store( client, &logon_info->info3 );
}
}
if (!strequal(p+1, lp_realm())) {
DEBUG(3,("Ticket for foreign realm %s@%s\n", client, p+1));
if (!lp_allow_trusted_domains()) {
data_blob_free(&ap_rep);
data_blob_free(&session_key);
SAFE_FREE(client);
talloc_destroy(mem_ctx);
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
}
/* this gives a fully qualified user name (ie. with full realm).
that leads to very long usernames, but what else can we do? */
domain = p+1;
if (logon_info && logon_info->info3.hdr_logon_dom.uni_str_len) {
unistr2_to_ascii(netbios_domain_name, &logon_info->info3.uni_logon_dom, -1);
domain = netbios_domain_name;
DEBUG(10, ("Mapped to [%s] (using PAC)\n", domain));
} else {
/* If we have winbind running, we can (and must) shorten the
username by using the short netbios name. Otherwise we will
have inconsistent user names. With Kerberos, we get the
fully qualified realm, with ntlmssp we get the short
name. And even w2k3 does use ntlmssp if you for example
connect to an ip address. */
struct winbindd_request wb_request;
struct winbindd_response wb_response;
NSS_STATUS wb_result;
ZERO_STRUCT(wb_request);
ZERO_STRUCT(wb_response);
DEBUG(10, ("Mapping [%s] to short name\n", domain));
fstrcpy(wb_request.domain_name, domain);
wb_result = winbindd_request_response(WINBINDD_DOMAIN_INFO,
&wb_request, &wb_response);
if (wb_result == NSS_STATUS_SUCCESS) {
fstrcpy(netbios_domain_name,
wb_response.data.domain_info.name);
domain = netbios_domain_name;
DEBUG(10, ("Mapped to [%s] (using Winbind)\n", domain));
} else {
DEBUG(3, ("Could not find short name -- winbind "
"not running?\n"));
}
}
fstr_sprintf(user, "%s%c%s", domain, *lp_winbind_separator(), client);
/* lookup the passwd struct, create a new user if necessary */
username_was_mapped = map_username( user );
pw = smb_getpwnam( mem_ctx, user, real_username, True );
if (pw) {
/* if a real user check pam account restrictions */
/* only really perfomed if "obey pam restriction" is true */
/* do this before an eventual mappign to guest occurs */
ret = smb_pam_accountcheck(pw->pw_name);
if ( !NT_STATUS_IS_OK(ret)) {
DEBUG(1, ("PAM account restriction prevents user login\n"));
data_blob_free(&ap_rep);
data_blob_free(&session_key);
TALLOC_FREE(mem_ctx);
return ERROR_NT(nt_status_squash(ret));
}
}
if (!pw) {
/* this was originally the behavior of Samba 2.2, if a user
did not have a local uid but has been authenticated, then
map them to a guest account */
if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID){
map_domainuser_to_guest = True;
fstrcpy(user,lp_guestaccount());
pw = smb_getpwnam( mem_ctx, user, real_username, True );
}
/* extra sanity check that the guest account is valid */
if ( !pw ) {
DEBUG(1,("Username %s is invalid on this system\n", user));
SAFE_FREE(client);
data_blob_free(&ap_rep);
data_blob_free(&session_key);
TALLOC_FREE(mem_ctx);
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
}
/* setup the string used by %U */
sub_set_smb_name( real_username );
reload_services(True);
if ( map_domainuser_to_guest ) {
make_server_info_guest(&server_info);
} else if (logon_info) {
/* pass the unmapped username here since map_username()
will be called again from inside make_server_info_info3() */
ret = make_server_info_info3(mem_ctx, client, domain,
&server_info, &logon_info->info3);
if ( !NT_STATUS_IS_OK(ret) ) {
DEBUG(1,("make_server_info_info3 failed: %s!\n",
nt_errstr(ret)));
SAFE_FREE(client);
data_blob_free(&ap_rep);
data_blob_free(&session_key);
TALLOC_FREE(mem_ctx);
return ERROR_NT(nt_status_squash(ret));
}
} else {
ret = make_server_info_pw(&server_info, real_username, pw);
if ( !NT_STATUS_IS_OK(ret) ) {
DEBUG(1,("make_server_info_pw failed: %s!\n",
nt_errstr(ret)));
SAFE_FREE(client);
data_blob_free(&ap_rep);
data_blob_free(&session_key);
TALLOC_FREE(mem_ctx);
return ERROR_NT(nt_status_squash(ret));
}
/* make_server_info_pw does not set the domain. Without this
* we end up with the local netbios name in substitutions for
* %D. */
if (server_info->sam_account != NULL) {
pdb_set_domain(server_info->sam_account, domain, PDB_SET);
}
}
server_info->was_mapped |= username_was_mapped;
/* we need to build the token for the user. make_server_info_guest()
already does this */
if ( !server_info->ptok ) {
ret = create_local_token( server_info );
if ( !NT_STATUS_IS_OK(ret) ) {
SAFE_FREE(client);
data_blob_free(&ap_rep);
data_blob_free(&session_key);
TALLOC_FREE( mem_ctx );
TALLOC_FREE( server_info );
return ERROR_NT(nt_status_squash(ret));
}
}
/* register_vuid keeps the server info */
/* register_vuid takes ownership of session_key, no need to free after this.
A better interface would copy it.... */
sess_vuid = register_vuid(server_info, session_key, nullblob, client);
SAFE_FREE(client);
if (sess_vuid == UID_FIELD_INVALID ) {
ret = NT_STATUS_LOGON_FAILURE;
} else {
/* current_user_info is changed on new vuid */
reload_services( True );
set_message(outbuf,4,0,True);
SSVAL(outbuf, smb_vwv3, 0);
if (server_info->guest) {
SSVAL(outbuf,smb_vwv2,1);
}
SSVAL(outbuf, smb_uid, sess_vuid);
sessionsetup_start_signing_engine(server_info, inbuf);
}
/* wrap that up in a nice GSS-API wrapping */
if (NT_STATUS_IS_OK(ret)) {
ap_rep_wrapped = spnego_gen_krb5_wrap(ap_rep, TOK_ID_KRB_AP_REP);
} else {
ap_rep_wrapped = data_blob(NULL, 0);
}
response = spnego_gen_auth_response(&ap_rep_wrapped, ret, OID_KERBEROS5_OLD);
reply_sesssetup_blob(conn, outbuf, response, ret);
data_blob_free(&ap_rep);
data_blob_free(&ap_rep_wrapped);
data_blob_free(&response);
TALLOC_FREE(mem_ctx);
return -1; /* already replied */
}
static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info)
{
NTSTATUS status;
struct auth_serversupplied_info *server_info;
TALLOC_CTX *tmp_ctx;
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
server_info = make_server_info(tmp_ctx);
if (!server_info) {
status = NT_STATUS_NO_MEMORY;
DEBUG(0, ("failed making server_info\n"));
goto done;
}
server_info->info3 = talloc_zero(server_info, struct netr_SamInfo3);
if (!server_info->info3) {
status = NT_STATUS_NO_MEMORY;
DEBUG(0, ("talloc failed setting info3\n"));
goto done;
}
status = get_system_info3(server_info, server_info->info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed creating system info3 with %s\n",
nt_errstr(status)));
goto done;
}
server_info->utok.uid = sec_initial_uid();
server_info->utok.gid = sec_initial_gid();
server_info->unix_name = talloc_asprintf(server_info,
"NT AUTHORITY%cSYSTEM",
*lp_winbind_separator());
if (!server_info->unix_name) {
status = NT_STATUS_NO_MEMORY;
DEBUG(0, ("talloc_asprintf failed setting unix_name\n"));
goto done;
}
server_info->security_token = talloc_zero(server_info, struct security_token);
if (!server_info->security_token) {
status = NT_STATUS_NO_MEMORY;
DEBUG(0, ("talloc failed setting security token\n"));
goto done;
}
status = add_sid_to_array_unique(server_info->security_token->sids,
&global_sid_System,
&server_info->security_token->sids,
&server_info->security_token->num_sids);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
/* SYSTEM has all privilages */
server_info->security_token->privilege_mask = ~0;
/* Now turn the server_info into a session_info with the full token etc */
status = create_local_token(mem_ctx, server_info, NULL, "SYSTEM", session_info);
talloc_free(server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("create_local_token failed: %s\n",
nt_errstr(status)));
goto done;
}
talloc_steal(mem_ctx, *session_info);
done:
TALLOC_FREE(tmp_ctx);
return status;
}
static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
struct smbd_smb2_request *smb2req,
uint8_t in_security_mode,
const DATA_BLOB *secblob,
const char *mechOID,
uint16_t *out_session_flags,
DATA_BLOB *out_security_buffer,
uint64_t *out_session_id)
{
DATA_BLOB ap_rep = data_blob_null;
DATA_BLOB ap_rep_wrapped = data_blob_null;
DATA_BLOB ticket = data_blob_null;
DATA_BLOB session_key = data_blob_null;
DATA_BLOB secblob_out = data_blob_null;
uint8 tok_id[2];
struct PAC_LOGON_INFO *logon_info = NULL;
char *principal = NULL;
char *user = NULL;
char *domain = NULL;
struct passwd *pw = NULL;
NTSTATUS status;
char *real_username;
fstring tmp;
bool username_was_mapped = false;
bool map_domainuser_to_guest = false;
bool guest = false;
if (!spnego_parse_krb5_wrap(talloc_tos(), *secblob, &ticket, tok_id)) {
status = NT_STATUS_LOGON_FAILURE;
goto fail;
}
status = ads_verify_ticket(smb2req, lp_realm(), 0, &ticket,
&principal, &logon_info, &ap_rep,
&session_key, true);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("smb2: Failed to verify incoming ticket with error %s!\n",
nt_errstr(status)));
if (!NT_STATUS_EQUAL(status, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
status = NT_STATUS_LOGON_FAILURE;
}
goto fail;
}
status = get_user_from_kerberos_info(talloc_tos(),
smb2req->sconn->client_id.name,
principal, logon_info,
&username_was_mapped,
&map_domainuser_to_guest,
&user, &domain,
&real_username, &pw);
if (!NT_STATUS_IS_OK(status)) {
goto fail;
}
/* save the PAC data if we have it */
if (logon_info) {
netsamlogon_cache_store(user, &logon_info->info3);
}
/* setup the string used by %U */
sub_set_smb_name(real_username);
/* reload services so that the new %U is taken into account */
reload_services(smb2req->sconn->msg_ctx, smb2req->sconn->sock, true);
status = make_server_info_krb5(session,
user, domain, real_username, pw,
logon_info, map_domainuser_to_guest,
&session->session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("smb2: make_server_info_krb5 failed\n"));
goto fail;
}
session->session_info->nss_token |= username_was_mapped;
/* we need to build the token for the user. make_session_info_guest()
already does this */
if (!session->session_info->security_token ) {
status = create_local_token(session->session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("smb2: failed to create local token: %s\n",
nt_errstr(status)));
goto fail;
}
}
if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
lp_server_signing() == Required) {
session->do_signing = true;
}
if (session->session_info->guest) {
/* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
/* force no signing */
session->do_signing = false;
guest = true;
}
data_blob_free(&session->session_info->user_session_key);
session->session_info->user_session_key =
data_blob_talloc(
session->session_info,
session_key.data,
session_key.length);
if (session_key.length > 0) {
if (session->session_info->user_session_key.data == NULL) {
status = NT_STATUS_NO_MEMORY;
goto fail;
}
}
session->session_key = session->session_info->user_session_key;
session->compat_vuser = talloc_zero(session, user_struct);
if (session->compat_vuser == NULL) {
status = NT_STATUS_NO_MEMORY;
goto fail;
}
session->compat_vuser->auth_ntlmssp_state = NULL;
session->compat_vuser->homes_snum = -1;
session->compat_vuser->session_info = session->session_info;
session->compat_vuser->session_keystr = NULL;
session->compat_vuser->vuid = session->vuid;
DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
/* This is a potentially untrusted username */
alpha_strcpy(tmp, user, ". _-$", sizeof(tmp));
session->session_info->sanitized_username =
talloc_strdup(session->session_info, tmp);
if (!session->session_info->guest) {
session->compat_vuser->homes_snum =
register_homes_share(session->session_info->unix_name);
}
if (!session_claim(session->sconn, session->compat_vuser)) {
DEBUG(1, ("smb2: Failed to claim session "
"for vuid=%d\n",
session->compat_vuser->vuid));
goto fail;
}
session->status = NT_STATUS_OK;
/*
* we attach the session to the request
* so that the response can be signed
*/
smb2req->session = session;
if (!guest) {
smb2req->do_signing = true;
}
global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32);
status = NT_STATUS_OK;
/* wrap that up in a nice GSS-API wrapping */
ap_rep_wrapped = spnego_gen_krb5_wrap(talloc_tos(), ap_rep,
TOK_ID_KRB_AP_REP);
secblob_out = spnego_gen_auth_response(
talloc_tos(),
&ap_rep_wrapped,
status,
mechOID);
*out_security_buffer = data_blob_talloc(smb2req,
secblob_out.data,
secblob_out.length);
if (secblob_out.data && out_security_buffer->data == NULL) {
status = NT_STATUS_NO_MEMORY;
goto fail;
}
data_blob_free(&ap_rep);
data_blob_free(&ap_rep_wrapped);
data_blob_free(&ticket);
data_blob_free(&session_key);
data_blob_free(&secblob_out);
*out_session_id = session->vuid;
return NT_STATUS_OK;
fail:
data_blob_free(&ap_rep);
data_blob_free(&ap_rep_wrapped);
data_blob_free(&ticket);
data_blob_free(&session_key);
data_blob_free(&secblob_out);
ap_rep_wrapped = data_blob_null;
secblob_out = spnego_gen_auth_response(
talloc_tos(),
&ap_rep_wrapped,
status,
mechOID);
*out_security_buffer = data_blob_talloc(smb2req,
secblob_out.data,
secblob_out.length);
data_blob_free(&secblob_out);
return status;
}
static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
{
AUTH_NTLMSSP_STATE *auth_ntlmssp_state =
(AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context;
struct auth_usersupplied_info *user_info = NULL;
NTSTATUS nt_status;
bool username_was_mapped;
/* the client has given us its machine name (which we otherwise would not get on port 445).
we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->workstation, True);
/* setup the string used by %U */
/* sub_set_smb_name checks for weird internally */
sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
reload_services(True);
nt_status = make_user_info_map(&user_info,
auth_ntlmssp_state->ntlmssp_state->user,
auth_ntlmssp_state->ntlmssp_state->domain,
auth_ntlmssp_state->ntlmssp_state->workstation,
auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
NULL, NULL, NULL,
True);
user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context,
user_info, &auth_ntlmssp_state->server_info);
username_was_mapped = user_info->was_mapped;
free_user_info(&user_info);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
nt_status = create_local_token(auth_ntlmssp_state->server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(10, ("create_local_token failed: %s\n",
nt_errstr(nt_status)));
return nt_status;
}
if (auth_ntlmssp_state->server_info->user_session_key.length) {
DEBUG(10, ("Got NT session key of length %u\n",
(unsigned int)auth_ntlmssp_state->server_info->user_session_key.length));
*user_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
auth_ntlmssp_state->server_info->user_session_key.data,
auth_ntlmssp_state->server_info->user_session_key.length);
}
if (auth_ntlmssp_state->server_info->lm_session_key.length) {
DEBUG(10, ("Got LM session key of length %u\n",
(unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
*lm_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
auth_ntlmssp_state->server_info->lm_session_key.data,
auth_ntlmssp_state->server_info->lm_session_key.length);
}
return nt_status;
}
int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
int length,int bufsize)
{
int sess_vuid;
int smb_bufsize;
DATA_BLOB lm_resp;
DATA_BLOB nt_resp;
DATA_BLOB plaintext_password;
fstring user;
fstring sub_user; /* Sainitised username for substituion */
fstring domain;
fstring native_os;
fstring native_lanman;
fstring primary_domain;
static BOOL done_sesssetup = False;
auth_usersupplied_info *user_info = NULL;
auth_serversupplied_info *server_info = NULL;
NTSTATUS nt_status;
BOOL doencrypt = global_encrypted_passwords_negotiated;
DATA_BLOB session_key;
START_PROFILE(SMBsesssetupX);
ZERO_STRUCT(lm_resp);
ZERO_STRUCT(nt_resp);
ZERO_STRUCT(plaintext_password);
DEBUG(3,("wct=%d flg2=0x%x\n", CVAL(inbuf, smb_wct), SVAL(inbuf, smb_flg2)));
/* a SPNEGO session setup has 12 command words, whereas a normal
NT1 session setup has 13. See the cifs spec. */
if (CVAL(inbuf, smb_wct) == 12 &&
(SVAL(inbuf, smb_flg2) & FLAGS2_EXTENDED_SECURITY)) {
if (!global_spnego_negotiated) {
DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt at SPNEGO session setup when it was not negoitiated.\n"));
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
if (SVAL(inbuf,smb_vwv4) == 0) {
setup_new_vc_session();
}
return reply_sesssetup_and_X_spnego(conn, inbuf, outbuf, length, bufsize);
}
smb_bufsize = SVAL(inbuf,smb_vwv2);
if (Protocol < PROTOCOL_NT1) {
uint16 passlen1 = SVAL(inbuf,smb_vwv7);
/* Never do NT status codes with protocols before NT1 as we don't get client caps. */
remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES);
if ((passlen1 > MAX_PASS_LEN) || (passlen1 > smb_bufrem(inbuf, smb_buf(inbuf)))) {
return ERROR_NT(nt_status_squash(NT_STATUS_INVALID_PARAMETER));
}
if (doencrypt) {
lm_resp = data_blob(smb_buf(inbuf), passlen1);
} else {
plaintext_password = data_blob(smb_buf(inbuf), passlen1+1);
/* Ensure null termination */
plaintext_password.data[passlen1] = 0;
}
srvstr_pull_buf(inbuf, user, smb_buf(inbuf)+passlen1, sizeof(user), STR_TERMINATE);
*domain = 0;
} else {
uint16 passlen1 = SVAL(inbuf,smb_vwv7);
uint16 passlen2 = SVAL(inbuf,smb_vwv8);
enum remote_arch_types ra_type = get_remote_arch();
char *p = smb_buf(inbuf);
char *save_p = smb_buf(inbuf);
uint16 byte_count;
if(global_client_caps == 0) {
global_client_caps = IVAL(inbuf,smb_vwv11);
if (!(global_client_caps & CAP_STATUS32)) {
remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES);
}
/* client_caps is used as final determination if client is NT or Win95.
This is needed to return the correct error codes in some
circumstances.
*/
if(ra_type == RA_WINNT || ra_type == RA_WIN2K || ra_type == RA_WIN95) {
if(!(global_client_caps & (CAP_NT_SMBS | CAP_STATUS32))) {
set_remote_arch( RA_WIN95);
}
}
}
if (!doencrypt) {
/* both Win95 and WinNT stuff up the password lengths for
non-encrypting systems. Uggh.
if passlen1==24 its a win95 system, and its setting the
password length incorrectly. Luckily it still works with the
default code because Win95 will null terminate the password
anyway
if passlen1>0 and passlen2>0 then maybe its a NT box and its
setting passlen2 to some random value which really stuffs
things up. we need to fix that one. */
if (passlen1 > 0 && passlen2 > 0 && passlen2 != 24 && passlen2 != 1)
passlen2 = 0;
}
/* check for nasty tricks */
if (passlen1 > MAX_PASS_LEN || passlen1 > smb_bufrem(inbuf, p)) {
return ERROR_NT(nt_status_squash(NT_STATUS_INVALID_PARAMETER));
}
if (passlen2 > MAX_PASS_LEN || passlen2 > smb_bufrem(inbuf, p+passlen1)) {
return ERROR_NT(nt_status_squash(NT_STATUS_INVALID_PARAMETER));
}
/* Save the lanman2 password and the NT md4 password. */
if ((doencrypt) && (passlen1 != 0) && (passlen1 != 24)) {
doencrypt = False;
}
if (doencrypt) {
lm_resp = data_blob(p, passlen1);
nt_resp = data_blob(p+passlen1, passlen2);
} else {
pstring pass;
BOOL unic=SVAL(inbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS;
#if 0
/* This was the previous fix. Not sure if it's still valid. JRA. */
if ((ra_type == RA_WINNT) && (passlen2 == 0) && unic && passlen1) {
/* NT4.0 stuffs up plaintext unicode password lengths... */
srvstr_pull(inbuf, pass, smb_buf(inbuf) + 1,
sizeof(pass), passlen1, STR_TERMINATE);
#endif
if (unic && (passlen2 == 0) && passlen1) {
/* Only a ascii plaintext password was sent. */
srvstr_pull(inbuf, pass, smb_buf(inbuf), sizeof(pass),
passlen1, STR_TERMINATE|STR_ASCII);
} else {
srvstr_pull(inbuf, pass, smb_buf(inbuf),
sizeof(pass), unic ? passlen2 : passlen1,
STR_TERMINATE);
}
plaintext_password = data_blob(pass, strlen(pass)+1);
}
p += passlen1 + passlen2;
p += srvstr_pull_buf(inbuf, user, p, sizeof(user), STR_TERMINATE);
p += srvstr_pull_buf(inbuf, domain, p, sizeof(domain), STR_TERMINATE);
p += srvstr_pull_buf(inbuf, native_os, p, sizeof(native_os), STR_TERMINATE);
p += srvstr_pull_buf(inbuf, native_lanman, p, sizeof(native_lanman), STR_TERMINATE);
/* not documented or decoded by Ethereal but there is one more string
in the extra bytes which is the same as the PrimaryDomain when using
extended security. Windows NT 4 and 2003 use this string to store
the native lanman string. Windows 9x does not include a string here
at all so we have to check if we have any extra bytes left */
byte_count = SVAL(inbuf, smb_vwv13);
if ( PTR_DIFF(p, save_p) < byte_count)
p += srvstr_pull_buf(inbuf, primary_domain, p, sizeof(primary_domain), STR_TERMINATE);
else
fstrcpy( primary_domain, "null" );
DEBUG(3,("Domain=[%s] NativeOS=[%s] NativeLanMan=[%s] PrimaryDomain=[%s]\n",
domain, native_os, native_lanman, primary_domain));
if ( ra_type == RA_WIN2K ) {
if ( strlen(native_lanman) == 0 )
ra_lanman_string( primary_domain );
else
ra_lanman_string( native_lanman );
}
}
if (SVAL(inbuf,smb_vwv4) == 0) {
setup_new_vc_session();
}
DEBUG(3,("sesssetupX:name=[%s]\\[%s]@[%s]\n", domain, user, get_remote_machine_name()));
if (*user) {
if (global_spnego_negotiated) {
/* This has to be here, because this is a perfectly valid behaviour for guest logons :-( */
DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt at 'normal' session setup after negotiating spnego.\n"));
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
fstrcpy(sub_user, user);
} else {
fstrcpy(sub_user, lp_guestaccount());
}
sub_set_smb_name(sub_user);
reload_services(True);
if (lp_security() == SEC_SHARE) {
/* in share level we should ignore any passwords */
data_blob_free(&lm_resp);
data_blob_free(&nt_resp);
data_blob_clear_free(&plaintext_password);
map_username(sub_user);
add_session_user(sub_user);
add_session_workgroup(domain);
/* Then force it to null for the benfit of the code below */
*user = 0;
}
if (!*user) {
nt_status = check_guest_password(&server_info);
} else if (doencrypt) {
if (!negprot_global_auth_context) {
DEBUG(0, ("reply_sesssetup_and_X: Attempted encrypted session setup without negprot denied!\n"));
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
nt_status = make_user_info_for_reply_enc(&user_info, user, domain,
lm_resp, nt_resp);
if (NT_STATUS_IS_OK(nt_status)) {
nt_status = negprot_global_auth_context->check_ntlm_password(negprot_global_auth_context,
user_info,
&server_info);
}
} else {
struct auth_context *plaintext_auth_context = NULL;
const uint8 *chal;
nt_status = make_auth_context_subsystem(&plaintext_auth_context);
if (NT_STATUS_IS_OK(nt_status)) {
chal = plaintext_auth_context->get_ntlm_challenge(plaintext_auth_context);
if (!make_user_info_for_reply(&user_info,
user, domain, chal,
plaintext_password)) {
nt_status = NT_STATUS_NO_MEMORY;
}
if (NT_STATUS_IS_OK(nt_status)) {
nt_status = plaintext_auth_context->check_ntlm_password(plaintext_auth_context,
user_info,
&server_info);
(plaintext_auth_context->free)(&plaintext_auth_context);
}
}
}
free_user_info(&user_info);
if (!NT_STATUS_IS_OK(nt_status)) {
nt_status = do_map_to_guest(nt_status, &server_info, user, domain);
}
if (!NT_STATUS_IS_OK(nt_status)) {
data_blob_free(&nt_resp);
data_blob_free(&lm_resp);
data_blob_clear_free(&plaintext_password);
return ERROR_NT(nt_status_squash(nt_status));
}
/* Ensure we can't possible take a code path leading to a null defref. */
if (!server_info) {
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
nt_status = create_local_token(server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(10, ("create_local_token failed: %s\n",
nt_errstr(nt_status)));
data_blob_free(&nt_resp);
data_blob_free(&lm_resp);
data_blob_clear_free(&plaintext_password);
return ERROR_NT(nt_status_squash(nt_status));
}
if (server_info->user_session_key.data) {
session_key = data_blob(server_info->user_session_key.data, server_info->user_session_key.length);
} else {
session_key = data_blob(NULL, 0);
}
data_blob_clear_free(&plaintext_password);
/* it's ok - setup a reply */
set_message(outbuf,3,0,True);
if (Protocol >= PROTOCOL_NT1) {
char *p = smb_buf( outbuf );
p += add_signature( outbuf, p );
set_message_end( outbuf, p );
/* perhaps grab OS version here?? */
}
if (server_info->guest) {
SSVAL(outbuf,smb_vwv2,1);
}
/* register the name and uid as being validated, so further connections
to a uid can get through without a password, on the same VC */
if (lp_security() == SEC_SHARE) {
sess_vuid = UID_FIELD_INVALID;
data_blob_free(&session_key);
TALLOC_FREE(server_info);
} else {
/* register_vuid keeps the server info */
sess_vuid = register_vuid(server_info, session_key,
nt_resp.data ? nt_resp : lm_resp,
sub_user);
if (sess_vuid == UID_FIELD_INVALID) {
data_blob_free(&nt_resp);
data_blob_free(&lm_resp);
return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
}
/* current_user_info is changed on new vuid */
reload_services( True );
sessionsetup_start_signing_engine(server_info, inbuf);
}
data_blob_free(&nt_resp);
data_blob_free(&lm_resp);
SSVAL(outbuf,smb_uid,sess_vuid);
SSVAL(inbuf,smb_uid,sess_vuid);
if (!done_sesssetup)
max_send = MIN(max_send,smb_bufsize);
done_sesssetup = True;
END_PROFILE(SMBsesssetupX);
return chain_reply(inbuf,outbuf,length,bufsize);
}
