static void smbd_smb2_request_read_done(struct tevent_req *subreq) { struct smbd_smb2_request *req = tevent_req_callback_data(subreq, struct smbd_smb2_request); int i = req->current_idx; uint8_t *outhdr; DATA_BLOB outbody; DATA_BLOB outdyn; uint8_t out_data_offset; DATA_BLOB out_data_buffer = data_blob_null; uint32_t out_data_remaining = 0; NTSTATUS status; NTSTATUS error; /* transport error */ status = smbd_smb2_read_recv(subreq, req, &out_data_buffer, &out_data_remaining); TALLOC_FREE(subreq); if (!NT_STATUS_IS_OK(status)) { error = smbd_smb2_request_error(req, status); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(req->sconn, nt_errstr(error)); return; } return; } out_data_offset = SMB2_HDR_BODY + 0x10; outhdr = (uint8_t *)req->out.vector[i].iov_base; outbody = data_blob_talloc(req->out.vector, NULL, 0x10); if (outbody.data == NULL) { error = smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(req->sconn, nt_errstr(error)); return; } return; } SSVAL(outbody.data, 0x00, 0x10 + 1); /* struct size */ SCVAL(outbody.data, 0x02, out_data_offset); /* data offset */ SCVAL(outbody.data, 0x03, 0); /* reserved */ SIVAL(outbody.data, 0x04, out_data_buffer.length); /* data length */ SIVAL(outbody.data, 0x08, out_data_remaining); /* data remaining */ SIVAL(outbody.data, 0x0C, 0); /* reserved */ outdyn = out_data_buffer; error = smbd_smb2_request_done(req, outbody, &outdyn); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(req->sconn, nt_errstr(error)); return; } }
static void smbd_smb2_request_create_done(struct tevent_req *tsubreq) { struct smbd_smb2_request *smb2req = tevent_req_callback_data(tsubreq, struct smbd_smb2_request); DATA_BLOB outbody; DATA_BLOB outdyn; uint8_t out_oplock_level = 0; uint32_t out_create_action = 0; NTTIME out_creation_time = 0; NTTIME out_last_access_time = 0; NTTIME out_last_write_time = 0; NTTIME out_change_time = 0; uint64_t out_allocation_size = 0; uint64_t out_end_of_file = 0; uint32_t out_file_attributes = 0; uint64_t out_file_id_persistent = 0; uint64_t out_file_id_volatile = 0; struct smb2_create_blobs out_context_blobs; DATA_BLOB out_context_buffer; uint16_t out_context_buffer_offset = 0; NTSTATUS status; NTSTATUS error; /* transport error */ status = smbd_smb2_create_recv(tsubreq, smb2req, &out_oplock_level, &out_create_action, &out_creation_time, &out_last_access_time, &out_last_write_time, &out_change_time, &out_allocation_size, &out_end_of_file, &out_file_attributes, &out_file_id_persistent, &out_file_id_volatile, &out_context_blobs); if (!NT_STATUS_IS_OK(status)) { error = smbd_smb2_request_error(smb2req, status); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(smb2req->sconn, nt_errstr(error)); return; } return; } status = smb2_create_blob_push(smb2req, &out_context_buffer, out_context_blobs); if (!NT_STATUS_IS_OK(status)) { error = smbd_smb2_request_error(smb2req, status); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(smb2req->sconn, nt_errstr(error)); return; } return; } if (out_context_buffer.length > 0) { out_context_buffer_offset = SMB2_HDR_BODY + 0x58; } outbody = data_blob_talloc(smb2req->out.vector, NULL, 0x58); if (outbody.data == NULL) { error = smbd_smb2_request_error(smb2req, NT_STATUS_NO_MEMORY); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(smb2req->sconn, nt_errstr(error)); return; } return; } SSVAL(outbody.data, 0x00, 0x58 + 1); /* struct size */ SCVAL(outbody.data, 0x02, out_oplock_level); /* oplock level */ SCVAL(outbody.data, 0x03, 0); /* reserved */ SIVAL(outbody.data, 0x04, out_create_action); /* create action */ SBVAL(outbody.data, 0x08, out_creation_time); /* creation time */ SBVAL(outbody.data, 0x10, out_last_access_time); /* last access time */ SBVAL(outbody.data, 0x18, out_last_write_time); /* last write time */ SBVAL(outbody.data, 0x20, out_change_time); /* change time */ SBVAL(outbody.data, 0x28, out_allocation_size); /* allocation size */ SBVAL(outbody.data, 0x30, out_end_of_file); /* end of file */ SIVAL(outbody.data, 0x38, out_file_attributes); /* file attributes */ SIVAL(outbody.data, 0x3C, 0); /* reserved */ SBVAL(outbody.data, 0x40, out_file_id_persistent); /* file id (persistent) */ SBVAL(outbody.data, 0x48, out_file_id_volatile); /* file id (volatile) */ SIVAL(outbody.data, 0x50, out_context_buffer_offset); /* create contexts offset */ SIVAL(outbody.data, 0x54, out_context_buffer.length); /* create contexts length */ outdyn = out_context_buffer; error = smbd_smb2_request_done(smb2req, outbody, &outdyn); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(smb2req->sconn, nt_errstr(error)); return; } }
/* perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can we fit on one socket??) */ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads, const char *sasl, enum credentials_use_kerberos krb5_state, const char *target_service, const char *target_hostname, const DATA_BLOB server_blob) { DATA_BLOB blob_in = data_blob_null; DATA_BLOB blob_out = data_blob_null; int rc; NTSTATUS nt_status; ADS_STATUS status; struct auth_generic_state *auth_generic_state; bool use_spnego_principal = lp_client_use_spnego_principal(); const char *sasl_list[] = { sasl, NULL }; NTTIME end_nt_time; nt_status = auth_generic_client_prepare(NULL, &auth_generic_state); if (!NT_STATUS_IS_OK(nt_status)) { return ADS_ERROR_NT(nt_status); } if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_username(auth_generic_state, ads->auth.user_name))) { return ADS_ERROR_NT(nt_status); } if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_domain(auth_generic_state, ads->auth.realm))) { return ADS_ERROR_NT(nt_status); } if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_password(auth_generic_state, ads->auth.password))) { return ADS_ERROR_NT(nt_status); } if (server_blob.length == 0) { use_spnego_principal = false; } if (krb5_state == CRED_DONT_USE_KERBEROS) { use_spnego_principal = false; } cli_credentials_set_kerberos_state(auth_generic_state->credentials, krb5_state); if (target_service != NULL) { nt_status = gensec_set_target_service( auth_generic_state->gensec_security, target_service); if (!NT_STATUS_IS_OK(nt_status)) { return ADS_ERROR_NT(nt_status); } } if (target_hostname != NULL) { nt_status = gensec_set_target_hostname( auth_generic_state->gensec_security, target_hostname); if (!NT_STATUS_IS_OK(nt_status)) { return ADS_ERROR_NT(nt_status); } } if (target_service != NULL && target_hostname != NULL) { use_spnego_principal = false; } switch (ads->ldap.wrap_type) { case ADS_SASLWRAP_TYPE_SEAL: gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL); break; case ADS_SASLWRAP_TYPE_SIGN: if (ads->auth.flags & ADS_AUTH_SASL_FORCE) { gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); } else { /* * windows servers are broken with sign only, * so we let the NTLMSSP backend to seal here, * via GENSEC_FEATURE_LDAP_STYLE. */ gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_LDAP_STYLE); } break; case ADS_SASLWRAP_TYPE_PLAIN: break; } nt_status = auth_generic_client_start_by_sasl(auth_generic_state, sasl_list); if (!NT_STATUS_IS_OK(nt_status)) { return ADS_ERROR_NT(nt_status); } rc = LDAP_SASL_BIND_IN_PROGRESS; nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED; if (use_spnego_principal) { blob_in = data_blob_dup_talloc(talloc_tos(), server_blob); if (blob_in.length == 0) { TALLOC_FREE(auth_generic_state); return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } } else { blob_in = data_blob_null; } blob_out = data_blob_null; while (true) { struct berval cred, *scred = NULL; nt_status = gensec_update(auth_generic_state->gensec_security, talloc_tos(), blob_in, &blob_out); data_blob_free(&blob_in); if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(auth_generic_state); data_blob_free(&blob_out); return ADS_ERROR_NT(nt_status); } if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_out.length == 0) { break; } cred.bv_val = (char *)blob_out.data; cred.bv_len = blob_out.length; scred = NULL; rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, sasl, &cred, NULL, NULL, &scred); data_blob_free(&blob_out); if ((rc != LDAP_SASL_BIND_IN_PROGRESS) && (rc != 0)) { if (scred) { ber_bvfree(scred); } TALLOC_FREE(auth_generic_state); return ADS_ERROR(rc); } if (scred) { blob_in = data_blob_talloc(talloc_tos(), scred->bv_val, scred->bv_len); if (blob_in.length != scred->bv_len) { ber_bvfree(scred); TALLOC_FREE(auth_generic_state); return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } ber_bvfree(scred); } else { blob_in = data_blob_null; } if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_in.length == 0) { break; } } data_blob_free(&blob_in); data_blob_free(&blob_out); if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) { bool ok; ok = gensec_have_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL); if (!ok) { DEBUG(0,("The gensec feature sealing request, but unavailable\n")); TALLOC_FREE(auth_generic_state); return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE); } ok = gensec_have_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); if (!ok) { DEBUG(0,("The gensec feature signing request, but unavailable\n")); TALLOC_FREE(auth_generic_state); return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE); } } else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) { bool ok; ok = gensec_have_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); if (!ok) { DEBUG(0,("The gensec feature signing request, but unavailable\n")); TALLOC_FREE(auth_generic_state); return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE); } } ads->auth.tgs_expire = LONG_MAX; end_nt_time = gensec_expire_time(auth_generic_state->gensec_security); if (end_nt_time != GENSEC_EXPIRE_TIME_INFINITY) { struct timeval tv; nttime_to_timeval(&tv, end_nt_time); ads->auth.tgs_expire = tv.tv_sec; } if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) { size_t max_wrapped = gensec_max_wrapped_size(auth_generic_state->gensec_security); ads->ldap.out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security); ads->ldap.out.sig_size = max_wrapped - ads->ldap.out.max_unwrapped; /* * Note that we have to truncate this to 0x2C * (taken from a capture with LDAP unbind), as the * signature size is not constant for Kerberos with * arcfour-hmac-md5. */ ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C); ads->ldap.in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED; status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security); if (!ADS_ERR_OK(status)) { DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n", ads_errstr(status))); TALLOC_FREE(auth_generic_state); return status; } /* Only keep the gensec_security element around long-term */ talloc_steal(NULL, auth_generic_state->gensec_security); } TALLOC_FREE(auth_generic_state); return ADS_ERROR(rc); }
NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) { NTSTATUS status; const uint8_t *inbody; const uint8_t *indyn = NULL; int i = req->current_idx; DATA_BLOB outbody; DATA_BLOB outdyn; DATA_BLOB negprot_spnego_blob; uint16_t security_offset; DATA_BLOB security_buffer; size_t expected_dyn_size = 0; size_t c; uint16_t security_mode; uint16_t dialect_count; uint16_t dialect = 0; uint32_t capabilities; enum protocol_types protocol = PROTOCOL_NONE; uint32_t max_limit; uint32_t max_trans = lp_smb2_max_trans(); uint32_t max_read = lp_smb2_max_read(); uint32_t max_write = lp_smb2_max_write(); status = smbd_smb2_request_verify_sizes(req, 0x24); if (!NT_STATUS_IS_OK(status)) { return smbd_smb2_request_error(req, status); } inbody = (const uint8_t *)req->in.vector[i+1].iov_base; dialect_count = SVAL(inbody, 0x02); if (dialect_count == 0) { return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); } expected_dyn_size = dialect_count * 2; if (req->in.vector[i+2].iov_len < expected_dyn_size) { return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); } indyn = (const uint8_t *)req->in.vector[i+2].iov_base; for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) { if (lp_srv_maxprotocol() < PROTOCOL_SMB2_24) { break; } if (lp_srv_minprotocol() > PROTOCOL_SMB2_24) { break; } dialect = SVAL(indyn, c*2); if (dialect == SMB2_DIALECT_REVISION_224) { protocol = PROTOCOL_SMB2_24; break; } } for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) { if (lp_srv_maxprotocol() < PROTOCOL_SMB2_22) { break; } if (lp_srv_minprotocol() > PROTOCOL_SMB2_22) { break; } dialect = SVAL(indyn, c*2); if (dialect == SMB2_DIALECT_REVISION_222) { protocol = PROTOCOL_SMB2_22; break; } } for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) { if (lp_srv_maxprotocol() < PROTOCOL_SMB2_10) { break; } if (lp_srv_minprotocol() > PROTOCOL_SMB2_10) { break; } dialect = SVAL(indyn, c*2); if (dialect == SMB2_DIALECT_REVISION_210) { protocol = PROTOCOL_SMB2_10; break; } } for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) { if (lp_srv_maxprotocol() < PROTOCOL_SMB2_02) { break; } if (lp_srv_minprotocol() > PROTOCOL_SMB2_02) { break; } dialect = SVAL(indyn, c*2); if (dialect == SMB2_DIALECT_REVISION_202) { protocol = PROTOCOL_SMB2_02; break; } } for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) { if (lp_srv_maxprotocol() < PROTOCOL_SMB2_10) { break; } dialect = SVAL(indyn, c*2); if (dialect == SMB2_DIALECT_REVISION_2FF) { if (req->sconn->smb2.negprot_2ff) { req->sconn->smb2.negprot_2ff = false; protocol = PROTOCOL_SMB2_10; break; } } } if (protocol == PROTOCOL_NONE) { return smbd_smb2_request_error(req, NT_STATUS_NOT_SUPPORTED); } if (dialect != SMB2_DIALECT_REVISION_2FF) { set_Protocol(protocol); } if (get_remote_arch() != RA_SAMBA) { set_remote_arch(RA_VISTA); } /* negprot_spnego() returns a the server guid in the first 16 bytes */ negprot_spnego_blob = negprot_spnego(req, req->sconn); if (negprot_spnego_blob.data == NULL) { return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY); } if (negprot_spnego_blob.length < 16) { return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR); } security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED; if (lp_server_signing() == SMB_SIGNING_REQUIRED) { security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; } capabilities = 0; if (lp_host_msdfs()) { capabilities |= SMB2_CAP_DFS; } /* * Unless we implement SMB2_CAP_LARGE_MTU, * 0x10000 (65536) is the maximum allowed message size */ max_limit = 0x10000; max_trans = MIN(max_limit, max_trans); max_read = MIN(max_limit, max_read); max_write = MIN(max_limit, max_write); security_offset = SMB2_HDR_BODY + 0x40; #if 1 /* Try SPNEGO auth... */ security_buffer = data_blob_const(negprot_spnego_blob.data + 16, negprot_spnego_blob.length - 16); #else /* for now we want raw NTLMSSP */ security_buffer = data_blob_const(NULL, 0); #endif outbody = data_blob_talloc(req->out.vector, NULL, 0x40); if (outbody.data == NULL) { return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY); } SSVAL(outbody.data, 0x00, 0x40 + 1); /* struct size */ SSVAL(outbody.data, 0x02, security_mode); /* security mode */ SSVAL(outbody.data, 0x04, dialect); /* dialect revision */ SSVAL(outbody.data, 0x06, 0); /* reserved */ memcpy(outbody.data + 0x08, negprot_spnego_blob.data, 16); /* server guid */ SIVAL(outbody.data, 0x18, capabilities); /* capabilities */ SIVAL(outbody.data, 0x1C, max_trans); /* max transact size */ SIVAL(outbody.data, 0x20, max_trans); /* max read size */ SIVAL(outbody.data, 0x24, max_trans); /* max write size */ SBVAL(outbody.data, 0x28, 0); /* system time */ SBVAL(outbody.data, 0x30, 0); /* server start time */ SSVAL(outbody.data, 0x38, security_offset); /* security buffer offset */ SSVAL(outbody.data, 0x3A, security_buffer.length); /* security buffer length */ SIVAL(outbody.data, 0x3C, 0); /* reserved */ outdyn = security_buffer; req->sconn->using_smb2 = true; req->sconn->smb2.max_trans = max_trans; req->sconn->smb2.max_read = max_read; req->sconn->smb2.max_write = max_write; return smbd_smb2_request_done(req, outbody, &outdyn); }
NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, const char *sent_nt_username, const char *domain, struct auth_serversupplied_info **server_info, struct netr_SamInfo3 *info3) { static const char zeros[16] = {0, }; NTSTATUS nt_status = NT_STATUS_OK; char *found_username = NULL; const char *nt_domain; const char *nt_username; struct dom_sid user_sid; struct dom_sid group_sid; bool username_was_mapped; struct passwd *pwd; struct auth_serversupplied_info *result; /* Here is where we should check the list of trusted domains, and verify that the SID matches. */ if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) { return NT_STATUS_INVALID_PARAMETER; } if (!sid_compose(&group_sid, info3->base.domain_sid, info3->base.primary_gid)) { return NT_STATUS_INVALID_PARAMETER; } nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string); if (!nt_username) { /* If the server didn't give us one, just use the one we sent * them */ nt_username = sent_nt_username; } nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string); if (!nt_domain) { /* If the server didn't give us one, just use the one we sent * them */ nt_domain = domain; } /* If getpwnam() fails try the add user script (2.2.x behavior). We use the _unmapped_ username here in an attempt to provide consistent username mapping behavior between kerberos and NTLM[SSP] authentication in domain mode security. I.E. Username mapping should be applied to the fully qualified username (e.g. DOMAIN\user) and not just the login name. Yes this means we called map_username() unnecessarily in make_user_info_map() but that is how the current code is designed. Making the change here is the least disruptive place. -- jerry */ /* this call will try to create the user if necessary */ nt_status = check_account(mem_ctx, nt_domain, sent_nt_username, &found_username, &pwd, &username_was_mapped); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } result = make_server_info(NULL); if (result == NULL) { DEBUG(4, ("make_server_info failed!\n")); return NT_STATUS_NO_MEMORY; } result->unix_name = talloc_strdup(result, found_username); result->sanitized_username = sanitize_username(result, result->unix_name); if (result->sanitized_username == NULL) { TALLOC_FREE(result); return NT_STATUS_NO_MEMORY; } /* copy in the info3 */ result->info3 = copy_netr_SamInfo3(result, info3); if (result->info3 == NULL) { TALLOC_FREE(result); return NT_STATUS_NO_MEMORY; } /* Fill in the unix info we found on the way */ result->utok.uid = pwd->pw_uid; result->utok.gid = pwd->pw_gid; /* ensure we are never given NULL session keys */ if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) { result->user_session_key = data_blob_null; } else { result->user_session_key = data_blob_talloc( result, info3->base.key.key, sizeof(info3->base.key.key)); } if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) { result->lm_session_key = data_blob_null; } else { result->lm_session_key = data_blob_talloc( result, info3->base.LMSessKey.key, sizeof(info3->base.LMSessKey.key)); } result->nss_token |= username_was_mapped; *server_info = result; return NT_STATUS_OK; }
static void smbd_smb2_request_getinfo_done(struct tevent_req *subreq) { struct smbd_smb2_request *req = tevent_req_callback_data(subreq, struct smbd_smb2_request); int i = req->current_idx; uint8_t *outhdr; DATA_BLOB outbody; DATA_BLOB outdyn; uint16_t out_output_buffer_offset; DATA_BLOB out_output_buffer = data_blob_null; NTSTATUS status; NTSTATUS call_status = NT_STATUS_OK; NTSTATUS error; /* transport error */ status = smbd_smb2_getinfo_recv(subreq, req, &out_output_buffer, &call_status); TALLOC_FREE(subreq); if (!NT_STATUS_IS_OK(status)) { error = smbd_smb2_request_error(req, status); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(req->sconn, nt_errstr(error)); return; } return; } /* some GetInfo responses set STATUS_BUFFER_OVERFLOW and return partial, but valid data */ if (!(NT_STATUS_IS_OK(call_status) || NT_STATUS_EQUAL(call_status, STATUS_BUFFER_OVERFLOW))) { /* Return a specific error with data. */ error = smbd_smb2_request_error_ex(req, call_status, &out_output_buffer, __location__); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(req->sconn, nt_errstr(error)); return; } return; } out_output_buffer_offset = SMB2_HDR_BODY + 0x08; outhdr = (uint8_t *)req->out.vector[i].iov_base; outbody = data_blob_talloc(req->out.vector, NULL, 0x08); if (outbody.data == NULL) { error = smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(req->sconn, nt_errstr(error)); return; } return; } SSVAL(outbody.data, 0x00, 0x08 + 1); /* struct size */ SSVAL(outbody.data, 0x02, out_output_buffer_offset); /* output buffer offset */ SIVAL(outbody.data, 0x04, out_output_buffer.length); /* output buffer length */ outdyn = out_output_buffer; error = smbd_smb2_request_done_ex(req, call_status, outbody, &outdyn, __location__); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(req->sconn, nt_errstr(error)); return; } }
/* * Test for maximum ea size - more than one ea name is checked. * * Additional parameters can be passed, to allow further testing: * * default * maxeasize 65536 limit the max. size for a single EA name * maxeanames 101 limit of the number of tested names * maxeastart 1 this EA size is used to test for the 1st EA (atm) * maxeadebug 0 if set true, further debug output is done - in addition * the testfile is not deleted for further inspection! * * Set some/all of these options on the cmdline with: * --option torture:maxeasize=1024 --option torture:maxeadebug=1 ... * */ static bool test_max_eas(struct smbcli_state *cli, struct torture_context *tctx) { NTSTATUS status; union smb_open io; const char *fname = BASEDIR "\\ea_max.txt"; int fnum = -1; bool ret = true; bool err = false; int i, j, k, last, total; DATA_BLOB eablob; char *eaname = NULL; int maxeasize; int maxeanames; int maxeastart; printf("TESTING SETFILEINFO MAX. EA_SET\n"); maxeasize = torture_setting_int(tctx, "maxeasize", 65536); maxeanames = torture_setting_int(tctx, "maxeanames", 101); maxeastart = torture_setting_int(tctx, "maxeastart", 1); maxeadebug = torture_setting_int(tctx, "maxeadebug", 0); /* Do some sanity check on possibly passed parms */ if (maxeasize <= 0) { printf("Invalid parameter 'maxeasize=%d'",maxeasize); err = true; } if (maxeanames <= 0) { printf("Invalid parameter 'maxeanames=%d'",maxeanames); err = true; } if (maxeastart <= 0) { printf("Invalid parameter 'maxeastart=%d'",maxeastart); err = true; } if (maxeadebug < 0) { printf("Invalid parameter 'maxeadebug=%d'",maxeadebug); err = true; } if (err) { printf("\n\n"); goto done; } if (maxeastart > maxeasize) { maxeastart = maxeasize; printf ("'maxeastart' outside range - corrected to %d\n", maxeastart); } printf("MAXEA parms: maxeasize=%d maxeanames=%d maxeastart=%d" " maxeadebug=%d\n", maxeasize, maxeanames, maxeastart, maxeadebug); io.generic.level = RAW_OPEN_NTCREATEX; io.ntcreatex.in.root_fid = 0; io.ntcreatex.in.flags = 0; io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; io.ntcreatex.in.create_options = 0; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE; io.ntcreatex.in.alloc_size = 0; io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE; io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS; io.ntcreatex.in.security_flags = 0; io.ntcreatex.in.fname = fname; status = smb_raw_open(cli->tree, tctx, &io); CHECK_STATUS(status, NT_STATUS_OK); fnum = io.ntcreatex.out.file.fnum; eablob = data_blob_talloc(tctx, NULL, maxeasize); if (eablob.data == NULL) { goto done; } /* * Fill in some EA data - the offset could be easily checked * during a hexdump. */ for (i = 0, k = 0; i < eablob.length / 4; i++, k+=4) { eablob.data[k] = k & 0xff; eablob.data[k+1] = (k >> 8) & 0xff; eablob.data[k+2] = (k >> 16) & 0xff; eablob.data[k+3] = (k >> 24) & 0xff; } i = eablob.length % 4; if (i-- > 0) { eablob.data[k] = k & 0xff; if (i-- > 0) { eablob.data[k+1] = (k >> 8) & 0xff; if (i-- > 0) { eablob.data[k+2] = (k >> 16) & 0xff; }
NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *smb2req) { const uint8_t *inhdr; const uint8_t *inbody; int i = smb2req->current_idx; uint8_t *outhdr; DATA_BLOB outbody; DATA_BLOB outdyn; uint64_t in_session_id; uint8_t in_security_mode; uint16_t in_security_offset; uint16_t in_security_length; DATA_BLOB in_security_buffer; uint16_t out_session_flags; uint64_t out_session_id; uint16_t out_security_offset; DATA_BLOB out_security_buffer = data_blob_null; NTSTATUS status; status = smbd_smb2_request_verify_sizes(smb2req, 0x19); if (!NT_STATUS_IS_OK(status)) { return smbd_smb2_request_error(smb2req, status); } inhdr = (const uint8_t *)smb2req->in.vector[i+0].iov_base; inbody = (const uint8_t *)smb2req->in.vector[i+1].iov_base; in_security_offset = SVAL(inbody, 0x0C); in_security_length = SVAL(inbody, 0x0E); if (in_security_offset != (SMB2_HDR_BODY + smb2req->in.vector[i+1].iov_len)) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } if (in_security_length > smb2req->in.vector[i+2].iov_len) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } in_session_id = BVAL(inhdr, SMB2_HDR_SESSION_ID); in_security_mode = CVAL(inbody, 0x03); in_security_buffer.data = (uint8_t *)smb2req->in.vector[i+2].iov_base; in_security_buffer.length = in_security_length; status = smbd_smb2_session_setup(smb2req, in_session_id, in_security_mode, in_security_buffer, &out_session_flags, &out_security_buffer, &out_session_id); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { status = nt_status_squash(status); return smbd_smb2_request_error(smb2req, status); } out_security_offset = SMB2_HDR_BODY + 0x08; outhdr = (uint8_t *)smb2req->out.vector[i].iov_base; outbody = data_blob_talloc(smb2req->out.vector, NULL, 0x08); if (outbody.data == NULL) { return smbd_smb2_request_error(smb2req, NT_STATUS_NO_MEMORY); } SBVAL(outhdr, SMB2_HDR_SESSION_ID, out_session_id); SSVAL(outbody.data, 0x00, 0x08 + 1); /* struct size */ SSVAL(outbody.data, 0x02, out_session_flags); /* session flags */ SSVAL(outbody.data, 0x04, out_security_offset); /* security buffer offset */ SSVAL(outbody.data, 0x06, out_security_buffer.length); /* security buffer length */ outdyn = out_security_buffer; return smbd_smb2_request_done_ex(smb2req, status, outbody, &outdyn, __location__); }
static bool test_lease_v2_request(struct torture_context *tctx, struct smb2_tree *tree) { TALLOC_CTX *mem_ctx = talloc_new(tctx); struct smb2_create io; struct smb2_lease ls; struct smb2_handle h1, h2, h3, h4, h5; struct smb2_write w; NTSTATUS status; const char *fname = "lease.dat"; const char *dname = "lease.dir"; const char *dnamefname = "lease.dir\\lease.dat"; const char *dnamefname2 = "lease.dir\\lease2.dat"; bool ret = true; smb2_util_unlink(tree, fname); smb2_deltree(tree, dname); tree->session->transport->lease.handler = torture_lease_handler; tree->session->transport->lease.private_data = tree; tree->session->transport->oplock.handler = torture_oplock_handler; tree->session->transport->oplock.private_data = tree; ZERO_STRUCT(break_info); ZERO_STRUCT(io); smb2_lease_v2_create_share(&io, &ls, false, fname, smb2_util_share_access("RWD"), LEASE1, NULL, smb2_util_lease_state("RHW"), 0); status = smb2_create(tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); h1 = io.out.file.handle; CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE); CHECK_LEASE_V2(&io, "RHW", true, LEASE1, 0); ZERO_STRUCT(io); smb2_lease_v2_create_share(&io, &ls, true, dname, smb2_util_share_access("RWD"), LEASE2, NULL, smb2_util_lease_state("RHW"), 0); status = smb2_create(tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); h2 = io.out.file.handle; CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_DIRECTORY); CHECK_LEASE_V2(&io, "RH", true, LEASE2, 0); ZERO_STRUCT(io); smb2_lease_v2_create_share(&io, &ls, false, dnamefname, smb2_util_share_access("RWD"), LEASE3, &LEASE2, smb2_util_lease_state("RHW"), 0); status = smb2_create(tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); h3 = io.out.file.handle; CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE); CHECK_LEASE_V2(&io, "RHW", true, LEASE3, SMB2_LEASE_FLAG_PARENT_LEASE_KEY_SET); torture_wait_for_lease_break(tctx); CHECK_VAL(break_info.count, 0); CHECK_VAL(break_info.failures, 0); ZERO_STRUCT(io); smb2_lease_v2_create_share(&io, &ls, false, dnamefname2, smb2_util_share_access("RWD"), LEASE4, NULL, smb2_util_lease_state("RHW"), 0); status = smb2_create(tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); h4 = io.out.file.handle; CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE); CHECK_LEASE_V2(&io, "RHW", true, LEASE4, 0); torture_wait_for_lease_break(tctx); torture_wait_for_lease_break(tctx); CHECK_BREAK_INFO("RH", "", LEASE2); torture_wait_for_lease_break(tctx); ZERO_STRUCT(break_info); ZERO_STRUCT(io); smb2_lease_v2_create_share(&io, &ls, true, dname, smb2_util_share_access("RWD"), LEASE2, NULL, smb2_util_lease_state("RHW"), 0); io.in.create_disposition = NTCREATEX_DISP_OPEN; status = smb2_create(tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); h5 = io.out.file.handle; CHECK_CREATED(&io, EXISTED, FILE_ATTRIBUTE_DIRECTORY); CHECK_LEASE_V2(&io, "RH", true, LEASE2, 0); smb2_util_close(tree, h5); ZERO_STRUCT(w); w.in.file.handle = h4; w.in.offset = 0; w.in.data = data_blob_talloc(mem_ctx, NULL, 4096); memset(w.in.data.data, 'o', w.in.data.length); status = smb2_write(tree, &w); CHECK_STATUS(status, NT_STATUS_OK); smb_msleep(2000); torture_wait_for_lease_break(tctx); CHECK_VAL(break_info.count, 0); CHECK_VAL(break_info.failures, 0); smb2_util_close(tree, h4); torture_wait_for_lease_break(tctx); torture_wait_for_lease_break(tctx); CHECK_BREAK_INFO("RH", "", LEASE2); torture_wait_for_lease_break(tctx); done: smb2_util_close(tree, h1); smb2_util_close(tree, h2); smb2_util_close(tree, h3); smb2_util_close(tree, h4); smb2_util_close(tree, h5); smb2_util_unlink(tree, fname); smb2_deltree(tree, dname); talloc_free(mem_ctx); return ret; }
NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx, gss_ctx_id_t gssapi_context, gss_name_t gss_client_name, DATA_BLOB *pac_blob) { NTSTATUS status; OM_uint32 gss_maj, gss_min; #ifdef HAVE_GSS_GET_NAME_ATTRIBUTE /* * gss_get_name_attribute() in MIT krb5 1.10.0 can return unintialized pac_display_buffer * and later gss_release_buffer() will crash on attempting to release it. * * So always initialize the buffer descriptors. * * See following links for more details: * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514 * http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087 */ gss_buffer_desc pac_buffer = { .value = NULL, .length = 0 }; gss_buffer_desc pac_display_buffer = { .value = NULL, .length = 0 }; gss_buffer_desc pac_name = { .value = discard_const("urn:mspac:"), .length = sizeof("urn:mspac:")-1 }; int more = -1; int authenticated = false; int complete = false; gss_maj = gss_get_name_attribute( &gss_min, gss_client_name, &pac_name, &authenticated, &complete, &pac_buffer, &pac_display_buffer, &more); if (gss_maj != 0) { gss_OID oid = discard_const(gss_mech_krb5); DBG_NOTICE("obtaining PAC via GSSAPI gss_get_name_attribute " "failed: %s\n", gssapi_error_string(mem_ctx, gss_maj, gss_min, oid)); return NT_STATUS_ACCESS_DENIED; } else if (authenticated && complete) { /* The PAC blob is returned directly */ *pac_blob = data_blob_talloc(mem_ctx, pac_buffer.value, pac_buffer.length); if (!pac_blob->data) { status = NT_STATUS_NO_MEMORY; } else { status = NT_STATUS_OK; } gss_maj = gss_release_buffer(&gss_min, &pac_buffer); gss_maj = gss_release_buffer(&gss_min, &pac_display_buffer); return status; } else { DEBUG(0, ("obtaining PAC via GSSAPI failed: authenticated: %s, complete: %s, more: %s\n", authenticated ? "true" : "false", complete ? "true" : "false", more ? "true" : "false")); return NT_STATUS_ACCESS_DENIED; } #elif defined(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID) gss_OID_desc pac_data_oid = { .elements = discard_const(EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID), .length = EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH }; gss_buffer_set_t set = GSS_C_NO_BUFFER_SET; /* If we didn't have the routine to get a verified, validated * PAC (supplied only by MIT at the time of writing), then try * with the Heimdal OID (fetches the PAC directly and always * validates) */ gss_maj = gss_inquire_sec_context_by_oid( &gss_min, gssapi_context, &pac_data_oid, &set); /* First check for the error MIT gives for an unknown OID */ if (gss_maj == GSS_S_UNAVAILABLE) { DEBUG(1, ("unable to obtain a PAC against this GSSAPI library. " "GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n")); } else if (gss_maj != 0) { DEBUG(2, ("obtaining PAC via GSSAPI gss_inqiure_sec_context_by_oid (Heimdal OID) failed: %s\n", gssapi_error_string(mem_ctx, gss_maj, gss_min, gss_mech_krb5))); } else { if (set == GSS_C_NO_BUFFER_SET) { DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown " "data in results.\n")); return NT_STATUS_INTERNAL_ERROR; } /* The PAC blob is returned directly */ *pac_blob = data_blob_talloc(mem_ctx, set->elements[0].value, set->elements[0].length); if (!pac_blob->data) { status = NT_STATUS_NO_MEMORY; } else { status = NT_STATUS_OK; } gss_maj = gss_release_buffer_set(&gss_min, &set); return status; } #else DEBUG(1, ("unable to obtain a PAC against this GSSAPI library. " "GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n")); #endif return NT_STATUS_ACCESS_DENIED; } NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx, gss_ctx_id_t gssapi_context, DATA_BLOB *session_key, uint32_t *keytype) { OM_uint32 gss_min, gss_maj; gss_buffer_set_t set = GSS_C_NO_BUFFER_SET; gss_maj = gss_inquire_sec_context_by_oid( &gss_min, gssapi_context, &gse_sesskey_inq_oid, &set); if (gss_maj) { DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n", gssapi_error_string(mem_ctx, gss_maj, gss_min, discard_const_p(struct gss_OID_desc_struct, gss_mech_krb5)))); return NT_STATUS_NO_USER_SESSION_KEY; } if ((set == GSS_C_NO_BUFFER_SET) || (set->count == 0)) { #ifdef HAVE_GSSKRB5_GET_SUBKEY krb5_keyblock *subkey; gss_maj = gsskrb5_get_subkey(&gss_min, gssapi_context, &subkey); if (gss_maj != 0) { DEBUG(1, ("NO session key for this mech\n")); return NT_STATUS_NO_USER_SESSION_KEY; } if (session_key) { *session_key = data_blob_talloc(mem_ctx, KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey)); } if (keytype) { *keytype = KRB5_KEY_TYPE(subkey); } krb5_free_keyblock(NULL /* should be krb5_context */, subkey); return NT_STATUS_OK; #else DEBUG(0, ("gss_inquire_sec_context_by_oid didn't return any session key (and no alternative method available)\n")); return NT_STATUS_NO_USER_SESSION_KEY; #endif } if (session_key) { *session_key = data_blob_talloc(mem_ctx, set->elements[0].value, set->elements[0].length); } if (keytype) { int diflen, i; const uint8_t *p; *keytype = 0; if (set->count < 2) { #ifdef HAVE_GSSKRB5_GET_SUBKEY krb5_keyblock *subkey; gss_maj = gsskrb5_get_subkey(&gss_min, gssapi_context, &subkey); if (gss_maj == 0) { *keytype = KRB5_KEY_TYPE(subkey); krb5_free_keyblock(NULL /* should be krb5_context */, subkey); } #endif gss_maj = gss_release_buffer_set(&gss_min, &set); return NT_STATUS_OK; } else if (memcmp(set->elements[1].value, gse_sesskeytype_oid.elements, gse_sesskeytype_oid.length) != 0) { /* Perhaps a non-krb5 session key */ gss_maj = gss_release_buffer_set(&gss_min, &set); return NT_STATUS_OK; } p = (const uint8_t *)set->elements[1].value + gse_sesskeytype_oid.length; diflen = set->elements[1].length - gse_sesskeytype_oid.length; if (diflen <= 0) { gss_maj = gss_release_buffer_set(&gss_min, &set); return NT_STATUS_INVALID_PARAMETER; } for (i = 0; i < diflen; i++) { *keytype = (*keytype << 7) | (p[i] & 0x7f); if (i + 1 != diflen && (p[i] & 0x80) == 0) { gss_maj = gss_release_buffer_set(&gss_min, &set); return NT_STATUS_INVALID_PARAMETER; } } } gss_maj = gss_release_buffer_set(&gss_min, &set); return NT_STATUS_OK; } char *gssapi_error_string(TALLOC_CTX *mem_ctx, OM_uint32 maj_stat, OM_uint32 min_stat, const gss_OID mech) { OM_uint32 disp_min_stat, disp_maj_stat; gss_buffer_desc maj_error_message; gss_buffer_desc min_error_message; char *maj_error_string, *min_error_string; OM_uint32 msg_ctx = 0; char *ret; maj_error_message.value = NULL; min_error_message.value = NULL; maj_error_message.length = 0; min_error_message.length = 0; disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat, GSS_C_GSS_CODE, mech, &msg_ctx, &maj_error_message); if (disp_maj_stat != 0) { maj_error_message.value = NULL; maj_error_message.length = 0; } disp_maj_stat = gss_display_status(&disp_min_stat, min_stat, GSS_C_MECH_CODE, mech, &msg_ctx, &min_error_message); if (disp_maj_stat != 0) { min_error_message.value = NULL; min_error_message.length = 0; } maj_error_string = talloc_strndup(mem_ctx, (char *)maj_error_message.value, maj_error_message.length); min_error_string = talloc_strndup(mem_ctx, (char *)min_error_message.value, min_error_message.length); ret = talloc_asprintf(mem_ctx, "%s: %s", maj_error_string, min_error_string); talloc_free(maj_error_string); talloc_free(min_error_string); gss_release_buffer(&disp_min_stat, &maj_error_message); gss_release_buffer(&disp_min_stat, &min_error_message); return ret; }
NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *out_mem_ctx, const DATA_BLOB request, DATA_BLOB *reply) { DATA_BLOB struct_blob; uint32_t neg_flags = 0; uint32_t ntlmssp_command, chal_flags; uint8_t cryptkey[8]; const char *target_name; NTSTATUS status; /* parse the NTLMSSP packet */ #if 0 file_save("ntlmssp_negotiate.dat", request.data, request.length); #endif if (request.length) { if ((request.length < 16) || !msrpc_parse(ntlmssp_state, &request, "Cdd", "NTLMSSP", &ntlmssp_command, &neg_flags)) { DEBUG(1, ("ntlmssp_server_negotiate: failed to parse NTLMSSP Negotiate of length %u\n", (unsigned int)request.length)); dump_data(2, request.data, request.length); return NT_STATUS_INVALID_PARAMETER; } debug_ntlmssp_flags(neg_flags); if (DEBUGLEVEL >= 10) { struct NEGOTIATE_MESSAGE *negotiate = talloc( ntlmssp_state, struct NEGOTIATE_MESSAGE); if (negotiate != NULL) { status = ntlmssp_pull_NEGOTIATE_MESSAGE( &request, negotiate, negotiate); if (NT_STATUS_IS_OK(status)) { NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE, negotiate); } TALLOC_FREE(negotiate); } } } ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, ntlmssp_state->allow_lm_key); /* Ask our caller what challenge they would like in the packet */ status = ntlmssp_state->get_challenge(ntlmssp_state, cryptkey); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a challenge: %s\n", nt_errstr(status))); return status; } /* Check if we may set the challenge */ if (!ntlmssp_state->may_set_challenge(ntlmssp_state)) { ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2; } /* The flags we send back are not just the negotiated flags, * they are also 'what is in this packet'. Therfore, we * operate on 'chal_flags' from here on */ chal_flags = ntlmssp_state->neg_flags; /* get the right name to fill in as 'target' */ target_name = ntlmssp_target_name(ntlmssp_state, neg_flags, &chal_flags); if (target_name == NULL) return NT_STATUS_INVALID_PARAMETER; ntlmssp_state->chal = data_blob_talloc(ntlmssp_state, cryptkey, 8); ntlmssp_state->internal_chal = data_blob_talloc(ntlmssp_state, cryptkey, 8); /* This creates the 'blob' of names that appears at the end of the packet */ if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) { status = msrpc_gen(ntlmssp_state, &struct_blob, "aaaaa", MsvAvNbDomainName, target_name, MsvAvNbComputerName, ntlmssp_state->server.netbios_name, MsvAvDnsDomainName, ntlmssp_state->server.dns_domain, MsvAvDnsComputerName, ntlmssp_state->server.dns_name, MsvAvEOL, ""); if (!NT_STATUS_IS_OK(status)) { return status; } } else { struct_blob = data_blob_null; } { /* Marshal the packet in the right format, be it unicode or ASCII */ const char *gen_string; DATA_BLOB version_blob = data_blob_null; if (chal_flags & NTLMSSP_NEGOTIATE_VERSION) { enum ndr_err_code err; struct ntlmssp_VERSION vers; /* "What Windows returns" as a version number. */ ZERO_STRUCT(vers); vers.ProductMajorVersion = NTLMSSP_WINDOWS_MAJOR_VERSION_6; vers.ProductMinorVersion = NTLMSSP_WINDOWS_MINOR_VERSION_1; vers.ProductBuild = 0; vers.NTLMRevisionCurrent = NTLMSSP_REVISION_W2K3; err = ndr_push_struct_blob(&version_blob, ntlmssp_state, &vers, (ndr_push_flags_fn_t)ndr_push_ntlmssp_VERSION); if (!NDR_ERR_CODE_IS_SUCCESS(err)) { data_blob_free(&struct_blob); return NT_STATUS_NO_MEMORY; } } if (ntlmssp_state->unicode) { gen_string = "CdUdbddBb"; } else { gen_string = "CdAdbddBb"; } status = msrpc_gen(out_mem_ctx, reply, gen_string, "NTLMSSP", NTLMSSP_CHALLENGE, target_name, chal_flags, cryptkey, 8, 0, 0, struct_blob.data, struct_blob.length, version_blob.data, version_blob.length); if (!NT_STATUS_IS_OK(status)) { data_blob_free(&version_blob); data_blob_free(&struct_blob); return status; } data_blob_free(&version_blob); if (DEBUGLEVEL >= 10) { struct CHALLENGE_MESSAGE *challenge = talloc( ntlmssp_state, struct CHALLENGE_MESSAGE); if (challenge != NULL) { challenge->NegotiateFlags = chal_flags; status = ntlmssp_pull_CHALLENGE_MESSAGE( reply, challenge, challenge); if (NT_STATUS_IS_OK(status)) { NDR_PRINT_DEBUG(CHALLENGE_MESSAGE, challenge); } TALLOC_FREE(challenge); } } } data_blob_free(&struct_blob); ntlmssp_state->expected_state = NTLMSSP_AUTH; return NT_STATUS_MORE_PROCESSING_REQUIRED; }
static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, struct auth_session_info **_session_info) { NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context; struct auth_session_info *session_info = NULL; krb5_principal client_principal; char *principal_string; DATA_BLOB pac_blob, *pac_blob_ptr = NULL; krb5_data pac_data; krb5_error_code ret; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; } ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal); if (ret) { DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n", smb_get_krb5_error_message(context, ret, tmp_ctx))); talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; } ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context, client_principal, &principal_string); if (ret) { DEBUG(1, ("Unable to parse client principal: %s\n", smb_get_krb5_error_message(context, ret, tmp_ctx))); krb5_free_principal(context, client_principal); talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; } ret = krb5_ticket_get_authorization_data_type(context, gensec_krb5_state->ticket, KRB5_AUTHDATA_WIN2K_PAC, &pac_data); if (ret) { /* NO pac */ DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", smb_get_krb5_error_message(context, ret, tmp_ctx))); } else { /* Found pac */ pac_blob = data_blob_talloc(tmp_ctx, pac_data.data, pac_data.length); if (!pac_blob.data) { free(principal_string); krb5_free_principal(context, client_principal); talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; } /* decode and verify the pac */ nt_status = kerberos_decode_pac(gensec_krb5_state, pac_blob, gensec_krb5_state->smb_krb5_context->krb5_context, NULL, gensec_krb5_state->keyblock, client_principal, gensec_krb5_state->ticket->ticket.authtime, NULL); if (!NT_STATUS_IS_OK(nt_status)) { free(principal_string); krb5_free_principal(context, client_principal); talloc_free(tmp_ctx); return nt_status; } pac_blob_ptr = &pac_blob; } nt_status = gensec_generate_session_info_pac(tmp_ctx, gensec_security, gensec_krb5_state->smb_krb5_context, pac_blob_ptr, principal_string, gensec_get_remote_address(gensec_security), &session_info); free(principal_string); krb5_free_principal(context, client_principal); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } nt_status = gensec_krb5_session_key(gensec_security, session_info, &session_info->session_key); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } *_session_info = talloc_steal(mem_ctx, session_info); talloc_free(tmp_ctx); return NT_STATUS_OK; }
static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, struct tevent_context *ev, const DATA_BLOB in, DATA_BLOB *out) { struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; krb5_error_code ret = 0; NTSTATUS nt_status; switch (gensec_krb5_state->state_position) { case GENSEC_KRB5_CLIENT_START: { DATA_BLOB unwrapped_out; nt_status = gensec_krb5_common_client_creds(gensec_security, ev, gensec_krb5_state->gssapi); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } if (gensec_krb5_state->gssapi) { unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length); /* wrap that up in a nice GSS-API wrapping */ *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ); } else { *out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length); } if (gensec_krb5_state->ap_req_options & AP_OPTS_MUTUAL_REQUIRED) { gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH; nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED; } else { gensec_krb5_state->state_position = GENSEC_KRB5_DONE; nt_status = NT_STATUS_OK; } return nt_status; } case GENSEC_KRB5_CLIENT_MUTUAL_AUTH: { DATA_BLOB unwrapped_in; krb5_data inbuf; krb5_ap_rep_enc_part *repl = NULL; uint8_t tok_id[2]; if (gensec_krb5_state->gssapi) { if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) { DEBUG(1,("gensec_gssapi_parse_krb5_wrap(mutual authentication) failed to parse\n")); dump_data_pw("Mutual authentication message:\n", in.data, in.length); return NT_STATUS_INVALID_PARAMETER; } } else { unwrapped_in = in; } /* TODO: check the tok_id */ inbuf.data = unwrapped_in.data; inbuf.length = unwrapped_in.length; ret = krb5_rd_rep(gensec_krb5_state->smb_krb5_context->krb5_context, gensec_krb5_state->auth_context, &inbuf, &repl); if (ret) { DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n", smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx))); dump_data_pw("Mutual authentication message:\n", (uint8_t *)inbuf.data, inbuf.length); nt_status = NT_STATUS_ACCESS_DENIED; } else { *out = data_blob(NULL, 0); nt_status = NT_STATUS_OK; gensec_krb5_state->state_position = GENSEC_KRB5_DONE; } if (repl) { krb5_free_ap_rep_enc_part(gensec_krb5_state->smb_krb5_context->krb5_context, repl); } return nt_status; } case GENSEC_KRB5_SERVER_START: { DATA_BLOB unwrapped_in; DATA_BLOB unwrapped_out = data_blob(NULL, 0); krb5_data inbuf, outbuf; uint8_t tok_id[2]; struct keytab_container *keytab; krb5_principal server_in_keytab; const char *error_string; enum credentials_obtained obtained; if (!in.data) { return NT_STATUS_INVALID_PARAMETER; } /* Grab the keytab, however generated */ ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), gensec_security->settings->lp_ctx, &keytab); if (ret) { return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } /* This ensures we lookup the correct entry in that * keytab. A NULL principal is acceptable, and means * that the krb5 libs should search the keytab at * accept time for any matching key */ ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security), gensec_krb5_state->smb_krb5_context, &server_in_keytab, &obtained, &error_string); if (ret) { DEBUG(2,("Failed to make credentials from principal: %s\n", error_string)); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */ if (gensec_krb5_state->gssapi && gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) { inbuf.data = unwrapped_in.data; inbuf.length = unwrapped_in.length; } else { inbuf.data = in.data; inbuf.length = in.length; } ret = smb_rd_req_return_stuff(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context, &inbuf, keytab->keytab, server_in_keytab, &outbuf, &gensec_krb5_state->ticket, &gensec_krb5_state->keyblock); if (ret) { return NT_STATUS_LOGON_FAILURE; } unwrapped_out.data = (uint8_t *)outbuf.data; unwrapped_out.length = outbuf.length; gensec_krb5_state->state_position = GENSEC_KRB5_DONE; /* wrap that up in a nice GSS-API wrapping */ if (gensec_krb5_state->gssapi) { *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP); } else { *out = data_blob_talloc(out_mem_ctx, outbuf.data, outbuf.length); } krb5_data_free(&outbuf); return NT_STATUS_OK; } case GENSEC_KRB5_DONE: default: /* Asking too many times... */ return NT_STATUS_INVALID_PARAMETER; } }
static void smbd_smb2_request_notify_done(struct tevent_req *subreq) { struct smbd_smb2_request *req = tevent_req_callback_data(subreq, struct smbd_smb2_request); int i = req->current_idx; uint8_t *outhdr; DATA_BLOB outbody; DATA_BLOB outdyn; uint16_t out_output_buffer_offset; DATA_BLOB out_output_buffer = data_blob_null; NTSTATUS status; NTSTATUS error; /* transport error */ if (req->cancelled) { struct smbd_smb2_notify_state *state = tevent_req_data(subreq, struct smbd_smb2_notify_state); const uint8_t *inhdr = (const uint8_t *)req->in.vector[i].iov_base; uint64_t mid = BVAL(inhdr, SMB2_HDR_MESSAGE_ID); DEBUG(10,("smbd_smb2_request_notify_done: cancelled mid %llu\n", (unsigned long long)mid )); error = smbd_smb2_request_error(req, NT_STATUS_CANCELLED); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(req->sconn, nt_errstr(error)); return; } TALLOC_FREE(state->im); return; } status = smbd_smb2_notify_recv(subreq, req, &out_output_buffer); TALLOC_FREE(subreq); if (!NT_STATUS_IS_OK(status)) { error = smbd_smb2_request_error(req, status); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(req->sconn, nt_errstr(error)); return; } return; } out_output_buffer_offset = SMB2_HDR_BODY + 0x08; outhdr = (uint8_t *)req->out.vector[i].iov_base; outbody = data_blob_talloc(req->out.vector, NULL, 0x08); if (outbody.data == NULL) { error = smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(req->sconn, nt_errstr(error)); return; } return; } SSVAL(outbody.data, 0x00, 0x08 + 1); /* struct size */ SSVAL(outbody.data, 0x02, out_output_buffer_offset); /* output buffer offset */ SIVAL(outbody.data, 0x04, out_output_buffer.length); /* output buffer length */ outdyn = out_output_buffer; error = smbd_smb2_request_done(req, outbody, &outdyn); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(req->sconn, nt_errstr(error)); return; } }
bool parse_logentry( TALLOC_CTX *mem_ctx, char *line, struct eventlog_Record_tdb *entry, bool * eor ) { char *start = NULL, *stop = NULL; start = line; /* empty line signyfiying record delimeter, or we're at the end of the buffer */ if ( start == NULL || strlen( start ) == 0 ) { DEBUG( 6, ( "parse_logentry: found end-of-record indicator.\n" ) ); *eor = True; return True; } if ( !( stop = strchr( line, ':' ) ) ) { return False; } DEBUG( 6, ( "parse_logentry: trying to parse [%s].\n", line ) ); if ( 0 == strncmp( start, "LEN", stop - start ) ) { /* This will get recomputed later anyway -- probably not necessary */ entry->size = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "RS1", stop - start ) ) { /* For now all these reserved entries seem to have the same value, which can be hardcoded to int(1699505740) for now */ entry->reserved = talloc_strdup(mem_ctx, "eLfL"); } else if ( 0 == strncmp( start, "RCN", stop - start ) ) { entry->record_number = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "TMG", stop - start ) ) { entry->time_generated = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "TMW", stop - start ) ) { entry->time_written = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "EID", stop - start ) ) { entry->event_id = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "ETP", stop - start ) ) { if ( strstr( start, "ERROR" ) ) { entry->event_type = EVENTLOG_ERROR_TYPE; } else if ( strstr( start, "WARNING" ) ) { entry->event_type = EVENTLOG_WARNING_TYPE; } else if ( strstr( start, "INFO" ) ) { entry->event_type = EVENTLOG_INFORMATION_TYPE; } else if ( strstr( start, "AUDIT_SUCCESS" ) ) { entry->event_type = EVENTLOG_AUDIT_SUCCESS; } else if ( strstr( start, "AUDIT_FAILURE" ) ) { entry->event_type = EVENTLOG_AUDIT_FAILURE; } else if ( strstr( start, "SUCCESS" ) ) { entry->event_type = EVENTLOG_SUCCESS; } else { /* some other eventlog type -- currently not defined in MSDN docs, so error out */ return False; } } /* else if(0 == strncmp(start, "NST", stop - start)) { entry->num_of_strings = atoi(stop + 1); } */ else if ( 0 == strncmp( start, "ECT", stop - start ) ) { entry->event_category = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "RS2", stop - start ) ) { entry->reserved_flags = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "CRN", stop - start ) ) { entry->closing_record_number = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "USL", stop - start ) ) { entry->sid_length = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "SRC", stop - start ) ) { stop++; while ( isspace( stop[0] ) ) { stop++; } entry->source_name_len = strlen_m_term(stop); entry->source_name = talloc_strdup(mem_ctx, stop); if (entry->source_name_len == (uint32_t)-1 || entry->source_name == NULL) { return false; } } else if ( 0 == strncmp( start, "SRN", stop - start ) ) { stop++; while ( isspace( stop[0] ) ) { stop++; } entry->computer_name_len = strlen_m_term(stop); entry->computer_name = talloc_strdup(mem_ctx, stop); if (entry->computer_name_len == (uint32_t)-1 || entry->computer_name == NULL) { return false; } } else if ( 0 == strncmp( start, "SID", stop - start ) ) { smb_ucs2_t *dummy = NULL; stop++; while ( isspace( stop[0] ) ) { stop++; } entry->sid_length = rpcstr_push_talloc(mem_ctx, &dummy, stop); if (entry->sid_length == (uint32_t)-1) { return false; } entry->sid = data_blob_talloc(mem_ctx, dummy, entry->sid_length); if (entry->sid.data == NULL) { return false; } } else if ( 0 == strncmp( start, "STR", stop - start ) ) { size_t tmp_len; int num_of_strings; /* skip past initial ":" */ stop++; /* now skip any other leading whitespace */ while ( isspace(stop[0])) { stop++; } tmp_len = strlen_m_term(stop); if (tmp_len == (size_t)-1) { return false; } num_of_strings = entry->num_of_strings; if (!add_string_to_array(mem_ctx, stop, &entry->strings, &num_of_strings)) { return false; } if (num_of_strings > 0xffff) { return false; } entry->num_of_strings = num_of_strings; entry->strings_len += tmp_len; } else if ( 0 == strncmp( start, "DAT", stop - start ) ) { /* skip past initial ":" */ stop++; /* now skip any other leading whitespace */ while ( isspace( stop[0] ) ) { stop++; } entry->data_length = strlen_m(stop); entry->data = data_blob_talloc(mem_ctx, stop, entry->data_length); if (!entry->data.data) { return false; } } else { /* some other eventlog entry -- not implemented, so dropping on the floor */ DEBUG( 10, ( "Unknown entry [%s]. Ignoring.\n", line ) ); /* For now return true so that we can keep on parsing this mess. Eventually we will return False here. */ return true; } return true; }
static bool test_lease_multibreak(struct torture_context *tctx, struct smb2_tree *tree) { TALLOC_CTX *mem_ctx = talloc_new(tctx); struct smb2_create io; struct smb2_lease ls; struct smb2_handle h, h2, h3; struct smb2_write w; NTSTATUS status; const char *fname = "lease.dat"; bool ret = true; uint32_t caps; caps = smb2cli_conn_server_capabilities(tree->session->transport->conn); if (!(caps & SMB2_CAP_LEASING)) { torture_skip(tctx, "leases are not supported"); } tree->session->transport->lease.handler = torture_lease_handler; tree->session->transport->lease.private_data = tree; tree->session->transport->oplock.handler = torture_oplock_handler; tree->session->transport->oplock.private_data = tree; smb2_util_unlink(tree, fname); ZERO_STRUCT(break_info); /* Grab lease, upgrade to RHW .. */ smb2_lease_create(&io, &ls, false, fname, LEASE1, smb2_util_lease_state("RH")); status = smb2_create(tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); h = io.out.file.handle; CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE); CHECK_LEASE(&io, "RH", true, LEASE1); smb2_lease_create(&io, &ls, false, fname, LEASE1, smb2_util_lease_state("RHW")); status = smb2_create(tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); h2 = io.out.file.handle; CHECK_CREATED(&io, EXISTED, FILE_ATTRIBUTE_ARCHIVE); CHECK_LEASE(&io, "RHW", true, LEASE1); /* Contend with LEASE2. */ smb2_lease_create(&io, &ls, false, fname, LEASE2, smb2_util_lease_state("RHW")); status = smb2_create(tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); h3 = io.out.file.handle; CHECK_CREATED(&io, EXISTED, FILE_ATTRIBUTE_ARCHIVE); CHECK_LEASE(&io, "RH", true, LEASE2); /* Verify that we were only sent one break. */ CHECK_BREAK_INFO("RHW", "RH", LEASE1); /* Drop LEASE1 / LEASE2 */ status = smb2_util_close(tree, h); CHECK_STATUS(status, NT_STATUS_OK); status = smb2_util_close(tree, h2); CHECK_STATUS(status, NT_STATUS_OK); status = smb2_util_close(tree, h3); CHECK_STATUS(status, NT_STATUS_OK); ZERO_STRUCT(break_info); /* Grab an R lease. */ smb2_lease_create(&io, &ls, false, fname, LEASE1, smb2_util_lease_state("R")); status = smb2_create(tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); h = io.out.file.handle; CHECK_CREATED(&io, EXISTED, FILE_ATTRIBUTE_ARCHIVE); CHECK_LEASE(&io, "R", true, LEASE1); /* Grab a level-II oplock. */ smb2_oplock_create(&io, fname, smb2_util_oplock_level("s")); status = smb2_create(tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); h2 = io.out.file.handle; CHECK_CREATED(&io, EXISTED, FILE_ATTRIBUTE_ARCHIVE); CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("s")); break_info.held_oplock_level = io.out.oplock_level; /* Verify no breaks. */ CHECK_VAL(break_info.count, 0); CHECK_VAL(break_info.failures, 0); /* Open for truncate, force a break. */ smb2_generic_create(&io, NULL, false, fname, NTCREATEX_DISP_OVERWRITE_IF, smb2_util_oplock_level(""), 0, 0); status = smb2_create(tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); h3 = io.out.file.handle; CHECK_CREATED(&io, TRUNCATED, FILE_ATTRIBUTE_ARCHIVE); CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("")); break_info.held_oplock_level = io.out.oplock_level; /* Sleep, use a write to clear the recv queue. */ smb_msleep(250); ZERO_STRUCT(w); w.in.file.handle = h3; w.in.offset = 0; w.in.data = data_blob_talloc(mem_ctx, NULL, 4096); memset(w.in.data.data, 'o', w.in.data.length); status = smb2_write(tree, &w); CHECK_STATUS(status, NT_STATUS_OK); /* Verify one oplock break, one lease break. */ CHECK_VAL(break_info.oplock_count, 1); CHECK_VAL(break_info.oplock_failures, 0); CHECK_VAL(break_info.oplock_level, smb2_util_oplock_level("")); CHECK_BREAK_INFO("R", "", LEASE1); done: smb2_util_close(tree, h); smb2_util_close(tree, h2); smb2_util_close(tree, h3); smb2_util_unlink(tree, fname); talloc_free(mem_ctx); return ret; }
NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, enum auth_password_state to_state, const struct auth_usersupplied_info *user_info_in, const struct auth_usersupplied_info **user_info_encrypted) { NTSTATUS nt_status; struct auth_usersupplied_info *user_info_temp; switch (to_state) { case AUTH_PASSWORD_RESPONSE: switch (user_info_in->password_state) { case AUTH_PASSWORD_PLAIN: { const struct auth_usersupplied_info *user_info_temp2; nt_status = encrypt_user_info(mem_ctx, auth_context, AUTH_PASSWORD_HASH, user_info_in, &user_info_temp2); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } user_info_in = user_info_temp2; /* fall through */ } case AUTH_PASSWORD_HASH: { uint8_t chal[8]; DATA_BLOB chall_blob; user_info_temp = talloc_zero(mem_ctx, struct auth_usersupplied_info); if (!user_info_temp) { return NT_STATUS_NO_MEMORY; } if (!talloc_reference(user_info_temp, user_info_in)) { return NT_STATUS_NO_MEMORY; } *user_info_temp = *user_info_in; user_info_temp->mapped_state = to_state; nt_status = auth_get_challenge(auth_context, chal); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } chall_blob = data_blob_talloc(mem_ctx, chal, 8); if (lpcfg_client_ntlmv2_auth(auth_context->lp_ctx)) { DATA_BLOB names_blob = NTLMv2_generate_names_blob(mem_ctx, lpcfg_netbios_name(auth_context->lp_ctx), lpcfg_workgroup(auth_context->lp_ctx)); DATA_BLOB lmv2_response, ntlmv2_response, lmv2_session_key, ntlmv2_session_key; if (!SMBNTLMv2encrypt_hash(user_info_temp, user_info_in->client.account_name, user_info_in->client.domain_name, user_info_in->password.hash.nt->hash, &chall_blob, &names_blob, &lmv2_response, &ntlmv2_response, &lmv2_session_key, &ntlmv2_session_key)) { data_blob_free(&names_blob); return NT_STATUS_NO_MEMORY; } data_blob_free(&names_blob); user_info_temp->password.response.lanman = lmv2_response; user_info_temp->password.response.nt = ntlmv2_response; data_blob_free(&lmv2_session_key); data_blob_free(&ntlmv2_session_key); } else { DATA_BLOB blob = data_blob_talloc(mem_ctx, NULL, 24); SMBOWFencrypt(user_info_in->password.hash.nt->hash, chal, blob.data); user_info_temp->password.response.nt = blob; if (lpcfg_client_lanman_auth(auth_context->lp_ctx) && user_info_in->password.hash.lanman) { DATA_BLOB lm_blob = data_blob_talloc(mem_ctx, NULL, 24); SMBOWFencrypt(user_info_in->password.hash.lanman->hash, chal, blob.data); user_info_temp->password.response.lanman = lm_blob; } else { /* if not sending the LM password, send the NT password twice */ user_info_temp->password.response.lanman = user_info_temp->password.response.nt; } } user_info_in = user_info_temp; /* fall through */ } case AUTH_PASSWORD_RESPONSE: *user_info_encrypted = user_info_in; } break; case AUTH_PASSWORD_HASH: { switch (user_info_in->password_state) { case AUTH_PASSWORD_PLAIN: { struct samr_Password lanman; struct samr_Password nt; user_info_temp = talloc_zero(mem_ctx, struct auth_usersupplied_info); if (!user_info_temp) { return NT_STATUS_NO_MEMORY; } if (!talloc_reference(user_info_temp, user_info_in)) { return NT_STATUS_NO_MEMORY; } *user_info_temp = *user_info_in; user_info_temp->mapped_state = to_state; if (E_deshash(user_info_in->password.plaintext, lanman.hash)) { user_info_temp->password.hash.lanman = talloc(user_info_temp, struct samr_Password); *user_info_temp->password.hash.lanman = lanman; } else { user_info_temp->password.hash.lanman = NULL; } E_md4hash(user_info_in->password.plaintext, nt.hash); user_info_temp->password.hash.nt = talloc(user_info_temp, struct samr_Password); *user_info_temp->password.hash.nt = nt; user_info_in = user_info_temp; /* fall through */ } case AUTH_PASSWORD_HASH: *user_info_encrypted = user_info_in; break; default: return NT_STATUS_INVALID_PARAMETER; break; } break; }
static struct tevent_req *smbd_smb2_read_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct smbd_smb2_request *smb2req, struct files_struct *fsp, uint8_t in_flags, uint32_t in_length, uint64_t in_offset, uint32_t in_minimum, uint32_t in_remaining) { NTSTATUS status; struct tevent_req *req = NULL; struct smbd_smb2_read_state *state = NULL; struct smb_request *smbreq = NULL; connection_struct *conn = smb2req->tcon->compat; ssize_t nread = -1; struct lock_struct lock; int saved_errno; req = tevent_req_create(mem_ctx, &state, struct smbd_smb2_read_state); if (req == NULL) { return NULL; } state->smb2req = smb2req; state->in_flags = in_flags; state->in_length = in_length; state->in_offset = in_offset; state->in_minimum = in_minimum; state->out_data = data_blob_null; state->out_remaining = 0; DEBUG(10,("smbd_smb2_read: %s - %s\n", fsp_str_dbg(fsp), fsp_fnum_dbg(fsp))); smbreq = smbd_smb2_fake_smb_request(smb2req); if (tevent_req_nomem(smbreq, req)) { return tevent_req_post(req, ev); } state->smbreq = smbreq; if (fsp->is_directory) { tevent_req_nterror(req, NT_STATUS_INVALID_DEVICE_REQUEST); return tevent_req_post(req, ev); } state->fsp = fsp; if (IS_IPC(smbreq->conn)) { struct tevent_req *subreq = NULL; state->out_data = data_blob_talloc(state, NULL, in_length); if (in_length > 0 && tevent_req_nomem(state->out_data.data, req)) { return tevent_req_post(req, ev); } if (!fsp_is_np(fsp)) { tevent_req_nterror(req, NT_STATUS_FILE_CLOSED); return tevent_req_post(req, ev); } subreq = np_read_send(state, ev, fsp->fake_file_handle, state->out_data.data, state->out_data.length); if (tevent_req_nomem(subreq, req)) { return tevent_req_post(req, ev); } tevent_req_set_callback(subreq, smbd_smb2_read_pipe_done, req); return req; } if (!CHECK_READ(fsp, smbreq)) { tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED); return tevent_req_post(req, ev); } status = schedule_smb2_aio_read(fsp->conn, smbreq, fsp, state, &state->out_data, (off_t)in_offset, (size_t)in_length); if (NT_STATUS_IS_OK(status)) { /* * Doing an async read, allow this * request to be canceled */ tevent_req_set_cancel_fn(req, smbd_smb2_read_cancel); return req; } if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) { /* Real error in setting up aio. Fail. */ tevent_req_nterror(req, status); return tevent_req_post(req, ev); } /* Fallback to synchronous. */ init_strict_lock_struct(fsp, fsp->op->global->open_persistent_id, in_offset, in_length, READ_LOCK, &lock); if (!SMB_VFS_STRICT_LOCK(conn, fsp, &lock)) { tevent_req_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT); return tevent_req_post(req, ev); } /* Try sendfile in preference. */ status = schedule_smb2_sendfile_read(smb2req, state); if (NT_STATUS_IS_OK(status)) { tevent_req_done(req); return tevent_req_post(req, ev); } else { if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) { SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock); tevent_req_nterror(req, status); return tevent_req_post(req, ev); } } /* Ok, read into memory. Allocate the out buffer. */ state->out_data = data_blob_talloc(state, NULL, in_length); if (in_length > 0 && tevent_req_nomem(state->out_data.data, req)) { SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock); return tevent_req_post(req, ev); } nread = read_file(fsp, (char *)state->out_data.data, in_offset, in_length); saved_errno = errno; SMB_VFS_STRICT_UNLOCK(conn, fsp, &lock); DEBUG(10,("smbd_smb2_read: file %s, %s, offset=%llu " "len=%llu returned %lld\n", fsp_str_dbg(fsp), fsp_fnum_dbg(fsp), (unsigned long long)in_offset, (unsigned long long)in_length, (long long)nread)); status = smb2_read_complete(req, nread, saved_errno); if (!NT_STATUS_IS_OK(status)) { tevent_req_nterror(req, status); } else { /* Success. */ tevent_req_done(req); } return tevent_req_post(req, ev); }
static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct smbd_smb2_request *smb2req, struct files_struct *fsp, uint8_t in_info_type, uint8_t in_file_info_class, uint32_t in_output_buffer_length, DATA_BLOB in_input_buffer, uint32_t in_additional_information, uint32_t in_flags) { struct tevent_req *req; struct smbd_smb2_getinfo_state *state; struct smb_request *smbreq; connection_struct *conn = smb2req->tcon->compat_conn; NTSTATUS status; req = tevent_req_create(mem_ctx, &state, struct smbd_smb2_getinfo_state); if (req == NULL) { return NULL; } state->smb2req = smb2req; state->status = NT_STATUS_OK; state->out_output_buffer = data_blob_null; DEBUG(10,("smbd_smb2_getinfo_send: %s - fnum[%d]\n", fsp_str_dbg(fsp), fsp->fnum)); smbreq = smbd_smb2_fake_smb_request(smb2req); if (tevent_req_nomem(smbreq, req)) { return tevent_req_post(req, ev); } if (IS_IPC(conn)) { smb2_ipc_getinfo(req, state, ev, in_info_type, in_file_info_class); return tevent_req_post(req, ev); } switch (in_info_type) { case SMB2_GETINFO_FILE: { uint16_t file_info_level; char *data = NULL; unsigned int data_size = 0; bool delete_pending = false; struct timespec write_time_ts; struct file_id fileid; struct ea_list *ea_list = NULL; int lock_data_count = 0; char *lock_data = NULL; size_t fixed_portion; ZERO_STRUCT(write_time_ts); switch (in_file_info_class) { case 0x0F:/* RAW_FILEINFO_SMB2_ALL_EAS */ file_info_level = 0xFF00 | in_file_info_class; break; case 0x12:/* RAW_FILEINFO_SMB2_ALL_INFORMATION */ file_info_level = 0xFF00 | in_file_info_class; break; default: /* the levels directly map to the passthru levels */ file_info_level = in_file_info_class + 1000; break; } if (fsp->fake_file_handle) { /* * This is actually for the QUOTA_FAKE_FILE --metze */ /* We know this name is ok, it's already passed the checks. */ } else if (fsp && fsp->fh->fd == -1) { /* * This is actually a QFILEINFO on a directory * handle (returned from an NT SMB). NT5.0 seems * to do this call. JRA. */ if (INFO_LEVEL_IS_UNIX(file_info_level)) { /* Always do lstat for UNIX calls. */ if (SMB_VFS_LSTAT(conn, fsp->fsp_name)) { DEBUG(3,("smbd_smb2_getinfo_send: " "SMB_VFS_LSTAT of %s failed " "(%s)\n", fsp_str_dbg(fsp), strerror(errno))); status = map_nt_error_from_unix(errno); tevent_req_nterror(req, status); return tevent_req_post(req, ev); } } else if (SMB_VFS_STAT(conn, fsp->fsp_name)) { DEBUG(3,("smbd_smb2_getinfo_send: " "SMB_VFS_STAT of %s failed (%s)\n", fsp_str_dbg(fsp), strerror(errno))); status = map_nt_error_from_unix(errno); tevent_req_nterror(req, status); return tevent_req_post(req, ev); } fileid = vfs_file_id_from_sbuf(conn, &fsp->fsp_name->st); get_file_infos(fileid, fsp->name_hash, &delete_pending, &write_time_ts); } else { /* * Original code - this is an open file. */ if (SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) != 0) { DEBUG(3, ("smbd_smb2_getinfo_send: " "fstat of fnum %d failed (%s)\n", fsp->fnum, strerror(errno))); status = map_nt_error_from_unix(errno); tevent_req_nterror(req, status); return tevent_req_post(req, ev); } fileid = vfs_file_id_from_sbuf(conn, &fsp->fsp_name->st); get_file_infos(fileid, fsp->name_hash, &delete_pending, &write_time_ts); } status = smbd_do_qfilepathinfo(conn, state, file_info_level, fsp, fsp->fsp_name, delete_pending, write_time_ts, ea_list, lock_data_count, lock_data, STR_UNICODE, in_output_buffer_length, &fixed_portion, &data, &data_size); if (!NT_STATUS_IS_OK(status)) { SAFE_FREE(data); if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_LEVEL)) { status = NT_STATUS_INVALID_INFO_CLASS; } tevent_req_nterror(req, status); return tevent_req_post(req, ev); } if (in_output_buffer_length < fixed_portion) { SAFE_FREE(data); tevent_req_nterror( req, NT_STATUS_INFO_LENGTH_MISMATCH); return tevent_req_post(req, ev); } if (data_size > 0) { state->out_output_buffer = data_blob_talloc(state, data, data_size); SAFE_FREE(data); if (tevent_req_nomem(state->out_output_buffer.data, req)) { return tevent_req_post(req, ev); } if (data_size > in_output_buffer_length) { state->out_output_buffer.length = in_output_buffer_length; status = STATUS_BUFFER_OVERFLOW; } } SAFE_FREE(data); break; } case SMB2_GETINFO_FS: { uint16_t file_info_level; char *data = NULL; int data_size = 0; size_t fixed_portion; /* the levels directly map to the passthru levels */ file_info_level = in_file_info_class + 1000; status = smbd_do_qfsinfo(conn, state, file_info_level, STR_UNICODE, in_output_buffer_length, &fixed_portion, fsp->fsp_name, &data, &data_size); /* some responses set STATUS_BUFFER_OVERFLOW and return partial, but valid data */ if (!(NT_STATUS_IS_OK(status) || NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW))) { SAFE_FREE(data); if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_LEVEL)) { status = NT_STATUS_INVALID_INFO_CLASS; } tevent_req_nterror(req, status); return tevent_req_post(req, ev); } if (in_output_buffer_length < fixed_portion) { SAFE_FREE(data); tevent_req_nterror( req, NT_STATUS_INFO_LENGTH_MISMATCH); return tevent_req_post(req, ev); } if (data_size > 0) { state->out_output_buffer = data_blob_talloc(state, data, data_size); SAFE_FREE(data); if (tevent_req_nomem(state->out_output_buffer.data, req)) { return tevent_req_post(req, ev); } if (data_size > in_output_buffer_length) { state->out_output_buffer.length = in_output_buffer_length; status = STATUS_BUFFER_OVERFLOW; } } SAFE_FREE(data); break; } case SMB2_GETINFO_SECURITY: { uint8_t *p_marshalled_sd = NULL; size_t sd_size = 0; status = smbd_do_query_security_desc(conn, state, fsp, /* Security info wanted. */ in_additional_information, in_output_buffer_length, &p_marshalled_sd, &sd_size); if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) { /* Return needed size. */ state->out_output_buffer = data_blob_talloc(state, NULL, 4); if (tevent_req_nomem(state->out_output_buffer.data, req)) { return tevent_req_post(req, ev); } SIVAL(state->out_output_buffer.data,0,(uint32_t)sd_size); state->status = NT_STATUS_BUFFER_TOO_SMALL; break; } if (!NT_STATUS_IS_OK(status)) { DEBUG(10,("smbd_smb2_getinfo_send: " "smbd_do_query_security_desc of %s failed " "(%s)\n", fsp_str_dbg(fsp), nt_errstr(status))); tevent_req_nterror(req, status); return tevent_req_post(req, ev); } if (sd_size > 0) { state->out_output_buffer = data_blob_talloc(state, p_marshalled_sd, sd_size); if (tevent_req_nomem(state->out_output_buffer.data, req)) { return tevent_req_post(req, ev); } } break; } default: DEBUG(10,("smbd_smb2_getinfo_send: " "unknown in_info_type of %u " " for file %s\n", (unsigned int)in_info_type, fsp_str_dbg(fsp) )); tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); return tevent_req_post(req, ev); } state->status = status; tevent_req_done(req); return tevent_req_post(req, ev); }
/* pull a xattr as a blob, from either a file or a file descriptor */ NTSTATUS pull_xattr_blob_system(struct pvfs_state *pvfs, TALLOC_CTX *mem_ctx, const char *attr_name, const char *fname, int fd, size_t estimated_size, DATA_BLOB *blob) { int ret; *blob = data_blob_talloc(mem_ctx, NULL, estimated_size+16); if (blob->data == NULL) { return NT_STATUS_NO_MEMORY; } again: if (fd != -1) { ret = wrap_fgetxattr(fd, attr_name, blob->data, estimated_size); } else { ret = wrap_getxattr(fname, attr_name, blob->data, estimated_size); } if (ret == -1 && errno == ERANGE) { estimated_size *= 2; blob->data = talloc_realloc(mem_ctx, blob->data, uint8_t, estimated_size); if (blob->data == NULL) { return NT_STATUS_NO_MEMORY; } blob->length = estimated_size; goto again; } if (ret == -1 && errno == EPERM) { struct stat statbuf; if (fd != -1) { ret = fstat(fd, &statbuf); } else { ret = stat(fname, &statbuf); } if (ret == 0) { /* check if this is a directory and the sticky bit is set */ if (S_ISDIR(statbuf.st_mode) && (statbuf.st_mode & S_ISVTX)) { /* pretend we could not find the xattr */ data_blob_free(blob); return NT_STATUS_NOT_FOUND; } else { /* if not this was probably a legittimate error * reset ret and errno to the correct values */ errno = EPERM; ret = -1; } } } if (ret == -1) { data_blob_free(blob); return pvfs_map_errno(pvfs, errno); } blob->length = ret; return NT_STATUS_OK; }
_PUBLIC_ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name, struct auth_serversupplied_info **_server_info) { struct auth_serversupplied_info *server_info; server_info = talloc(mem_ctx, struct auth_serversupplied_info); NT_STATUS_HAVE_NO_MEMORY(server_info); server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS); NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid); /* is this correct? */ server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_GUESTS); NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid); server_info->n_domain_groups = 0; server_info->domain_groups = NULL; /* annoying, but the Anonymous really does have a session key... */ server_info->user_session_key = data_blob_talloc(server_info, NULL, 16); NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data); server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16); NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data); /* and it is all zeros! */ data_blob_clear(&server_info->user_session_key); data_blob_clear(&server_info->lm_session_key); server_info->account_name = talloc_strdup(server_info, "ANONYMOUS LOGON"); NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY"); NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); server_info->full_name = talloc_strdup(server_info, "Anonymous Logon"); NT_STATUS_HAVE_NO_MEMORY(server_info->full_name); server_info->logon_script = talloc_strdup(server_info, ""); NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script); server_info->profile_path = talloc_strdup(server_info, ""); NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path); server_info->home_directory = talloc_strdup(server_info, ""); NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory); server_info->home_drive = talloc_strdup(server_info, ""); NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive); server_info->logon_server = talloc_strdup(server_info, netbios_name); NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server); server_info->last_logon = 0; server_info->last_logoff = 0; server_info->acct_expiry = 0; server_info->last_password_change = 0; server_info->allow_password_change = 0; server_info->force_password_change = 0; server_info->logon_count = 0; server_info->bad_password_count = 0; server_info->acct_flags = ACB_NORMAL; server_info->authenticated = false; *_server_info = server_info; return NT_STATUS_OK; }
NTSTATUS smbd_smb2_request_process_tcon(struct smbd_smb2_request *req) { const uint8_t *inbody; int i = req->current_idx; uint8_t *outhdr; DATA_BLOB outbody; uint16_t in_path_offset; uint16_t in_path_length; DATA_BLOB in_path_buffer; char *in_path_string; size_t in_path_string_size; uint8_t out_share_type = 0; uint32_t out_share_flags = 0; uint32_t out_capabilities = 0; uint32_t out_maximal_access = 0; uint32_t out_tree_id = 0; NTSTATUS status; bool ok; status = smbd_smb2_request_verify_sizes(req, 0x09); if (!NT_STATUS_IS_OK(status)) { return smbd_smb2_request_error(req, status); } inbody = (const uint8_t *)req->in.vector[i+1].iov_base; in_path_offset = SVAL(inbody, 0x04); in_path_length = SVAL(inbody, 0x06); if (in_path_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len)) { return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); } if (in_path_length > req->in.vector[i+2].iov_len) { return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER); } in_path_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base; in_path_buffer.length = in_path_length; ok = convert_string_talloc(req, CH_UTF16, CH_UNIX, in_path_buffer.data, in_path_buffer.length, &in_path_string, &in_path_string_size); if (!ok) { return smbd_smb2_request_error(req, NT_STATUS_ILLEGAL_CHARACTER); } if (in_path_buffer.length == 0) { in_path_string_size = 0; } if (strlen(in_path_string) != in_path_string_size) { return smbd_smb2_request_error(req, NT_STATUS_BAD_NETWORK_NAME); } status = smbd_smb2_tree_connect(req, in_path_string, &out_share_type, &out_share_flags, &out_capabilities, &out_maximal_access, &out_tree_id); if (!NT_STATUS_IS_OK(status)) { return smbd_smb2_request_error(req, status); } outhdr = (uint8_t *)req->out.vector[i].iov_base; outbody = data_blob_talloc(req->out.vector, NULL, 0x10); if (outbody.data == NULL) { return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY); } SIVAL(outhdr, SMB2_HDR_TID, out_tree_id); SSVAL(outbody.data, 0x00, 0x10); /* struct size */ SCVAL(outbody.data, 0x02, out_share_type); /* share type */ SCVAL(outbody.data, 0x03, 0); /* reserved */ SIVAL(outbody.data, 0x04, out_share_flags); /* share flags */ SIVAL(outbody.data, 0x08, out_capabilities); /* capabilities */ SIVAL(outbody.data, 0x0C, out_maximal_access); /* maximal access */ return smbd_smb2_request_done(req, outbody, NULL); }
static bool test_PACVerify(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *credentials) { NTSTATUS status; struct netr_LogonSamLogon r; union netr_LogonLevel logon; union netr_Validation validation; uint8_t authoritative; struct netr_Authenticator return_authenticator; struct netr_GenericInfo generic; struct netr_Authenticator auth, auth2; struct netlogon_creds_CredentialState *creds; struct gensec_security *gensec_client_context; struct gensec_security *gensec_server_context; DATA_BLOB client_to_server, server_to_client, pac_wrapped, payload; struct PAC_Validate pac_wrapped_struct; enum ndr_err_code ndr_err; struct auth_session_info *session_info; char *tmp_dir; TALLOC_CTX *tmp_ctx = talloc_new(tctx); torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed"); if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, credentials, SEC_CHAN_BDC, &creds)) { return false; } status = torture_temp_dir(tctx, "PACVerify", &tmp_dir); torture_assert_ntstatus_ok(tctx, status, "torture_temp_dir failed"); status = gensec_client_start(tctx, &gensec_client_context, tctx->ev, lp_gensec_settings(tctx, tctx->lp_ctx)); torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed"); status = gensec_set_target_hostname(gensec_client_context, TEST_MACHINE_NAME); status = gensec_set_credentials(gensec_client_context, cmdline_credentials); torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed"); status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSSAPI"); torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed"); status = gensec_server_start(tctx, tctx->ev, lp_gensec_settings(tctx, tctx->lp_ctx), NULL, &gensec_server_context); torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed"); status = gensec_set_credentials(gensec_server_context, credentials); torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (server) failed"); status = gensec_start_mech_by_sasl_name(gensec_server_context, "GSSAPI"); torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (server) failed"); server_to_client = data_blob(NULL, 0); do { /* Do a client-server update dance */ status = gensec_update(gensec_client_context, tmp_ctx, server_to_client, &client_to_server); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { ; torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed"); } status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { ; torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed"); } if (NT_STATUS_IS_OK(status)) { break; } } while (1); /* Extract the PAC using Samba's code */ status = gensec_session_info(gensec_server_context, &session_info); torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed"); pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length; pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type; pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length; pac_wrapped_struct.ChecksumAndSignature = payload = data_blob_talloc(tmp_ctx, NULL, pac_wrapped_struct.ChecksumLength + pac_wrapped_struct.SignatureLength); memcpy(&payload.data[0], session_info->server_info->pac_srv_sig.signature.data, pac_wrapped_struct.ChecksumLength); memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], session_info->server_info->pac_kdc_sig.signature.data, pac_wrapped_struct.SignatureLength); ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, lp_iconv_convenience(tctx->lp_ctx), &pac_wrapped_struct, (ndr_push_flags_fn_t)ndr_push_PAC_Validate); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; /* Validate it over the netlogon pipe */ generic.identity_info.parameter_control = 0; generic.identity_info.logon_id_high = 0; generic.identity_info.logon_id_low = 0; generic.identity_info.domain_name.string = session_info->server_info->domain_name; generic.identity_info.account_name.string = session_info->server_info->account_name; generic.identity_info.workstation.string = TEST_MACHINE_NAME; generic.package_name.string = "Kerberos"; logon.generic = &generic; ZERO_STRUCT(auth2); netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon = &logon; r.in.logon_level = NetlogonGenericInformation; r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.validation_level = NetlogonValidationGenericInfo2; r.out.validation = &validation; r.out.authoritative = &authoritative; r.out.return_authenticator = &return_authenticator; status = dcerpc_netr_LogonSamLogon(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed"); /* This will break the signature nicely (even in the crypto wrapping), check we get a logon failure */ generic.data[generic.length-1]++; logon.generic = &generic; ZERO_STRUCT(auth2); netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; r.in.logon = &logon; r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.validation_level = NetlogonValidationGenericInfo2; status = dcerpc_netr_LogonSamLogon(p, tctx, &r); torture_assert_ntstatus_equal(tctx, status, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed"); torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); /* This will break the parsing nicely (even in the crypto wrapping), check we get INVALID_PARAMETER */ generic.length--; logon.generic = &generic; ZERO_STRUCT(auth2); netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; r.in.logon = &logon; r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.validation_level = NetlogonValidationGenericInfo2; status = dcerpc_netr_LogonSamLogon(p, tctx, &r); torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed"); torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length; pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type; /* Break the SignatureType */ pac_wrapped_struct.SignatureType++; pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length; pac_wrapped_struct.ChecksumAndSignature = payload = data_blob_talloc(tmp_ctx, NULL, pac_wrapped_struct.ChecksumLength + pac_wrapped_struct.SignatureLength); memcpy(&payload.data[0], session_info->server_info->pac_srv_sig.signature.data, pac_wrapped_struct.ChecksumLength); memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], session_info->server_info->pac_kdc_sig.signature.data, pac_wrapped_struct.SignatureLength); ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, lp_iconv_convenience(tctx->lp_ctx), &pac_wrapped_struct, (ndr_push_flags_fn_t)ndr_push_PAC_Validate); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; logon.generic = &generic; ZERO_STRUCT(auth2); netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; r.in.logon = &logon; r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.validation_level = NetlogonValidationGenericInfo2; status = dcerpc_netr_LogonSamLogon(p, tctx, &r); torture_assert_ntstatus_equal(tctx, status, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed"); torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length; pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type; pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length; pac_wrapped_struct.ChecksumAndSignature = payload = data_blob_talloc(tmp_ctx, NULL, pac_wrapped_struct.ChecksumLength + pac_wrapped_struct.SignatureLength); memcpy(&payload.data[0], session_info->server_info->pac_srv_sig.signature.data, pac_wrapped_struct.ChecksumLength); memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], session_info->server_info->pac_kdc_sig.signature.data, pac_wrapped_struct.SignatureLength); /* Break the signature length */ pac_wrapped_struct.SignatureLength++; ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, lp_iconv_convenience(tctx->lp_ctx), &pac_wrapped_struct, (ndr_push_flags_fn_t)ndr_push_PAC_Validate); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; logon.generic = &generic; ZERO_STRUCT(auth2); netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; r.in.logon = &logon; r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.validation_level = NetlogonValidationGenericInfo2; status = dcerpc_netr_LogonSamLogon(p, tctx, &r); torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed"); torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); return true; }
/* handle recv events on a nbt dgram socket */ static void dgm_socket_recv(struct nbt_dgram_socket *dgmsock) { TALLOC_CTX *tmp_ctx = talloc_new(dgmsock); NTSTATUS status; struct socket_address *src; DATA_BLOB blob; size_t nread, dsize; struct nbt_dgram_packet *packet; const char *mailslot_name; enum ndr_err_code ndr_err; status = socket_pending(dgmsock->sock, &dsize); if (!NT_STATUS_IS_OK(status)) { talloc_free(tmp_ctx); return; } blob = data_blob_talloc(tmp_ctx, NULL, dsize); if (blob.data == NULL) { talloc_free(tmp_ctx); return; } status = socket_recvfrom(dgmsock->sock, blob.data, blob.length, &nread, tmp_ctx, &src); if (!NT_STATUS_IS_OK(status)) { talloc_free(tmp_ctx); return; } blob.length = nread; DEBUG(2,("Received dgram packet of length %d from %s:%d\n", (int)blob.length, src->addr, src->port)); packet = talloc(tmp_ctx, struct nbt_dgram_packet); if (packet == NULL) { talloc_free(tmp_ctx); return; } /* parse the request */ ndr_err = ndr_pull_struct_blob(&blob, packet, dgmsock->iconv_convenience, packet, (ndr_pull_flags_fn_t)ndr_pull_nbt_dgram_packet); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { status = ndr_map_error2ntstatus(ndr_err); DEBUG(2,("Failed to parse incoming NBT DGRAM packet - %s\n", nt_errstr(status))); talloc_free(tmp_ctx); return; } /* if this is a mailslot message, then see if we can dispatch it to a handler */ mailslot_name = dgram_mailslot_name(packet); if (mailslot_name) { struct dgram_mailslot_handler *dgmslot; dgmslot = dgram_mailslot_find(dgmsock, mailslot_name); if (dgmslot) { dgmslot->handler(dgmslot, packet, src); } else { DEBUG(2,("No mailslot handler for '%s'\n", mailslot_name)); } } else { /* dispatch if there is a general handler */ if (dgmsock->incoming.handler) { dgmsock->incoming.handler(dgmsock, packet, src); } } talloc_free(tmp_ctx); }
_PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */ struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */ struct auth_user_info_dc *user_info_dc, uint32_t session_info_flags, struct auth_session_info **_session_info) { struct auth_session_info *session_info; NTSTATUS nt_status; unsigned int i, num_sids = 0; const char *filter; struct dom_sid *sids = NULL; const struct dom_sid *anonymous_sid, *system_sid; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); session_info = talloc_zero(tmp_ctx, struct auth_session_info); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info, tmp_ctx); session_info->info = talloc_reference(session_info, user_info_dc->info); session_info->torture = talloc_zero(session_info, struct auth_user_info_torture); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture, tmp_ctx); session_info->torture->num_dc_sids = user_info_dc->num_sids; session_info->torture->dc_sids = talloc_reference(session_info, user_info_dc->sids); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture->dc_sids, tmp_ctx); /* unless set otherwise, the session key is the user session * key from the auth subsystem */ session_info->session_key = data_blob_talloc(session_info, user_info_dc->user_session_key.data, user_info_dc->user_session_key.length); if (!session_info->session_key.data && session_info->session_key.length) { NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->session_key.data, tmp_ctx); } anonymous_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_ANONYMOUS); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(anonymous_sid, tmp_ctx); system_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_SYSTEM); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(system_sid, tmp_ctx); sids = talloc_array(tmp_ctx, struct dom_sid, user_info_dc->num_sids); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, tmp_ctx); if (!sids) { talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; } num_sids = user_info_dc->num_sids; for (i=0; i < user_info_dc->num_sids; i++) { sids[i] = user_info_dc->sids[i]; } if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) { /* Don't expand nested groups of system, anonymous etc*/ } else if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) { /* Don't expand nested groups of system, anonymous etc*/ } else if (sam_ctx) { filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP); /* Search for each group in the token */ for (i = 0; i < user_info_dc->num_sids; i++) { char *sid_string; const char *sid_dn; DATA_BLOB sid_blob; sid_string = dom_sid_string(tmp_ctx, &user_info_dc->sids[i]); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, user_info_dc); sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string); talloc_free(sid_string); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, user_info_dc); sid_blob = data_blob_string_const(sid_dn); /* This function takes in memberOf values and expands * them, as long as they meet the filter - so only * builtin groups * * We already have the SID in the token, so set * 'only childs' flag to true */ nt_status = dsdb_expand_nested_groups(sam_ctx, &sid_blob, true, filter, tmp_ctx, &sids, &num_sids); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } } } nt_status = security_token_create(session_info, lp_ctx, num_sids, sids, session_info_flags, &session_info->security_token); NT_STATUS_NOT_OK_RETURN_AND_FREE(nt_status, tmp_ctx); session_info->credentials = NULL; talloc_steal(mem_ctx, session_info); *_session_info = session_info; talloc_free(tmp_ctx); return NT_STATUS_OK; }
/* Check with a known 'well formed' PAC, from my test server */ static bool torture_pac_saved_check(struct torture_context *tctx) { NTSTATUS nt_status; enum ndr_err_code ndr_err; DATA_BLOB tmp_blob, validate_blob; struct PAC_DATA *pac_data, pac_data2; struct PAC_LOGON_INFO *logon_info; union netr_Validation validation; const char *pac_file, *pac_kdc_key, *pac_member_key; struct auth_user_info_dc *user_info_dc_out; krb5_keyblock server_keyblock; krb5_keyblock krbtgt_keyblock, *krbtgt_keyblock_p; struct samr_Password *krbtgt_bytes, *krbsrv_bytes; krb5_error_code ret; struct smb_krb5_context *smb_krb5_context; const char *principal_string; char *broken_principal_string; krb5_principal client_principal; const char *authtime_string; time_t authtime; TALLOC_CTX *mem_ctx = tctx; torture_assert(tctx, 0 == smb_krb5_init_context(mem_ctx, NULL, tctx->lp_ctx, &smb_krb5_context), "smb_krb5_init_context"); pac_kdc_key = torture_setting_string(tctx, "pac_kdc_key", "B286757148AF7FD252C53603A150B7E7"); pac_member_key = torture_setting_string(tctx, "pac_member_key", "D217FAEAE5E6B5F95CCC94077AB8A5FC"); torture_comment(tctx, "Using pac_kdc_key '%s'\n", pac_kdc_key); torture_comment(tctx, "Using pac_member_key '%s'\n", pac_member_key); /* The krbtgt key in use when the above PAC was generated. * This is an arcfour-hmac-md5 key, extracted with our 'net * samdump' tool. */ if (*pac_kdc_key == 0) { krbtgt_bytes = NULL; } else { krbtgt_bytes = smbpasswd_gethexpwd(mem_ctx, pac_kdc_key); if (!krbtgt_bytes) { torture_fail(tctx, "(saved test) Could not interpret krbtgt key"); } } krbsrv_bytes = smbpasswd_gethexpwd(mem_ctx, pac_member_key); if (!krbsrv_bytes) { torture_fail(tctx, "(saved test) Could not interpret krbsrv key"); } ret = krb5_keyblock_init(smb_krb5_context->krb5_context, ENCTYPE_ARCFOUR_HMAC, krbsrv_bytes->hash, sizeof(krbsrv_bytes->hash), &server_keyblock); torture_assert(tctx, !ret, talloc_asprintf(tctx, "(saved test) Server Keyblock encoding failed: %s", smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); if (krbtgt_bytes) { ret = krb5_keyblock_init(smb_krb5_context->krb5_context, ENCTYPE_ARCFOUR_HMAC, krbtgt_bytes->hash, sizeof(krbtgt_bytes->hash), &krbtgt_keyblock); if (ret) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); torture_fail(tctx, talloc_asprintf(tctx, "(saved test) Server Keyblock encoding failed: %s", smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); } krbtgt_keyblock_p = &krbtgt_keyblock; } else { krbtgt_keyblock_p = NULL; } pac_file = torture_setting_string(tctx, "pac_file", NULL); if (pac_file) { tmp_blob.data = (uint8_t *)file_load(pac_file, &tmp_blob.length, 0, mem_ctx); torture_comment(tctx, "(saved test) Loaded pac of size %ld from %s\n", (long)tmp_blob.length, pac_file); } else { tmp_blob = data_blob_talloc(mem_ctx, saved_pac, sizeof(saved_pac)); } dump_data(10,tmp_blob.data,tmp_blob.length); principal_string = torture_setting_string(tctx, "pac_client_principal", "[email protected]"); authtime_string = torture_setting_string(tctx, "pac_authtime", "1120440609"); authtime = strtoull(authtime_string, NULL, 0); ret = krb5_parse_name(smb_krb5_context->krb5_context, principal_string, &client_principal); if (ret) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); torture_fail(tctx, talloc_asprintf(tctx, "(saved test) parsing of client principal [%s] failed: %s", principal_string, smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); } /* Decode and verify the signaure on the PAC */ nt_status = kerberos_decode_pac(mem_ctx, tmp_blob, smb_krb5_context->krb5_context, krbtgt_keyblock_p, &server_keyblock, client_principal, authtime, &pac_data); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); torture_fail(tctx, talloc_asprintf(tctx, "(saved test) PAC decoding failed: %s", nt_errstr(nt_status))); } /* Now check we can read it back (using Heimdal's pac parsing) */ nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx, tmp_blob, smb_krb5_context->krb5_context, &user_info_dc_out, NULL, NULL); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); torture_fail(tctx, talloc_asprintf(tctx, "(saved test) Heimdal PAC decoding failed: %s", nt_errstr(nt_status))); } if (!pac_file && !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), user_info_dc_out->sids)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); torture_fail(tctx, talloc_asprintf(tctx, "(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s", "S-1-5-21-3048156945-3961193616-3706469200-1005", dom_sid_string(mem_ctx, user_info_dc_out->sids))); } talloc_free(user_info_dc_out); /* Parse the PAC again, for the logon info this time (using Samba4's parsing) */ nt_status = kerberos_pac_logon_info(mem_ctx, tmp_blob, smb_krb5_context->krb5_context, krbtgt_keyblock_p, &server_keyblock, client_principal, authtime, &logon_info); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); torture_fail(tctx, talloc_asprintf(tctx, "(saved test) PAC decoding (for logon info) failed: %s", nt_errstr(nt_status))); } validation.sam3 = &logon_info->info3; nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation, true, /* This user was authenticated */ &user_info_dc_out); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); torture_fail(tctx, talloc_asprintf(tctx, "(saved test) PAC decoding (make server info) failed: %s", nt_errstr(nt_status))); } if (!pac_file && !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), user_info_dc_out->sids)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); torture_fail(tctx, talloc_asprintf(tctx, "(saved test) PAC Decode resulted in *different* domain SID: %s != %s", "S-1-5-21-3048156945-3961193616-3706469200-1005", dom_sid_string(mem_ctx, user_info_dc_out->sids))); } if (krbtgt_bytes == NULL) { torture_comment(tctx, "skipping PAC encoding tests as non kdc key\n"); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); return true; } ret = kerberos_encode_pac(mem_ctx, pac_data, smb_krb5_context->krb5_context, krbtgt_keyblock_p, &server_keyblock, &validate_blob); if (ret != 0) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); torture_fail(tctx, "(saved test) PAC push failed"); } dump_data(10, validate_blob.data, validate_blob.length); /* compare both the length and the data bytes after a * pull/push cycle. This ensures we use the exact same * pointer, padding etc algorithms as win2k3. */ if (tmp_blob.length != validate_blob.length) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); torture_fail(tctx, talloc_asprintf(tctx, "(saved test) PAC push failed: original buffer length[%u] != created buffer length[%u]", (unsigned)tmp_blob.length, (unsigned)validate_blob.length)); } if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); DEBUG(0, ("tmp_data:\n")); dump_data(0, tmp_blob.data, tmp_blob.length); DEBUG(0, ("validate_blob:\n")); dump_data(0, validate_blob.data, validate_blob.length); torture_fail(tctx, talloc_asprintf(tctx, "(saved test) PAC push failed: length[%u] matches, but data does not", (unsigned)tmp_blob.length)); } ret = kerberos_create_pac(mem_ctx, user_info_dc_out, smb_krb5_context->krb5_context, krbtgt_keyblock_p, &server_keyblock, client_principal, authtime, &validate_blob); if (ret != 0) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); torture_fail(tctx, "(saved test) regnerated PAC create failed"); } dump_data(10,validate_blob.data,validate_blob.length); /* compare both the length and the data bytes after a * pull/push cycle. This ensures we use the exact same * pointer, padding etc algorithms as win2k3. */ if (tmp_blob.length != validate_blob.length) { ndr_err = ndr_pull_struct_blob(&validate_blob, mem_ctx, &pac_data2, (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); nt_status = ndr_map_error2ntstatus(ndr_err); torture_assert_ntstatus_ok(tctx, nt_status, "can't parse the PAC"); NDR_PRINT_DEBUG(PAC_DATA, pac_data); NDR_PRINT_DEBUG(PAC_DATA, &pac_data2); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); torture_fail(tctx, talloc_asprintf(tctx, "(saved test) PAC regenerate failed: original buffer length[%u] != created buffer length[%u]", (unsigned)tmp_blob.length, (unsigned)validate_blob.length)); } if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) { ndr_err = ndr_pull_struct_blob(&validate_blob, mem_ctx, &pac_data2, (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); nt_status = ndr_map_error2ntstatus(ndr_err); torture_assert_ntstatus_ok(tctx, nt_status, "can't parse the PAC"); NDR_PRINT_DEBUG(PAC_DATA, pac_data); NDR_PRINT_DEBUG(PAC_DATA, &pac_data2); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); DEBUG(0, ("tmp_data:\n")); dump_data(0, tmp_blob.data, tmp_blob.length); DEBUG(0, ("validate_blob:\n")); dump_data(0, validate_blob.data, validate_blob.length); torture_fail(tctx, talloc_asprintf(tctx, "(saved test) PAC regenerate failed: length[%u] matches, but data does not", (unsigned)tmp_blob.length)); } /* Break the auth time, to ensure we check this vital detail (not setting this caused all the pain in the first place... */ nt_status = kerberos_decode_pac(mem_ctx, tmp_blob, smb_krb5_context->krb5_context, krbtgt_keyblock_p, &server_keyblock, client_principal, authtime + 1, &pac_data); if (NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_principal(smb_krb5_context->krb5_context, client_principal); torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on broken auth time (time + 1)"); } /* Break the client principal */ krb5_free_principal(smb_krb5_context->krb5_context, client_principal); broken_principal_string = talloc_strdup(mem_ctx, principal_string); broken_principal_string[0]++; ret = krb5_parse_name(smb_krb5_context->krb5_context, broken_principal_string, &client_principal); if (ret) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); torture_fail(tctx, talloc_asprintf(tctx, "(saved test) parsing of broken client principal failed: %s", smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); } nt_status = kerberos_decode_pac(mem_ctx, tmp_blob, smb_krb5_context->krb5_context, krbtgt_keyblock_p, &server_keyblock, client_principal, authtime, &pac_data); if (NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on modified principal"); } /* Finally... Bugger up the signature, and check we fail the checksum */ tmp_blob.data[tmp_blob.length - 2]++; nt_status = kerberos_decode_pac(mem_ctx, tmp_blob, smb_krb5_context->krb5_context, krbtgt_keyblock_p, &server_keyblock, client_principal, authtime, &pac_data); if (NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on broken checksum"); } krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); return true; }
bool kpasswdd_process(struct kdc_server *kdc, TALLOC_CTX *mem_ctx, DATA_BLOB *input, DATA_BLOB *reply, struct socket_address *peer_addr, struct socket_address *my_addr, int datagram_reply) { bool ret; const uint16_t header_len = 6; uint16_t len; uint16_t ap_req_len; uint16_t krb_priv_len; uint16_t version; NTSTATUS nt_status; DATA_BLOB ap_req, krb_priv_req; DATA_BLOB krb_priv_rep = data_blob(NULL, 0); DATA_BLOB ap_rep = data_blob(NULL, 0); DATA_BLOB kpasswd_req, kpasswd_rep; struct cli_credentials *server_credentials; struct gensec_security *gensec_security; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); char *keytab_name; if (!tmp_ctx) { return false; } /* Be parinoid. We need to ensure we don't just let the * caller lead us into a buffer overflow */ if (input->length <= header_len) { talloc_free(tmp_ctx); return false; } len = RSVAL(input->data, 0); if (input->length != len) { talloc_free(tmp_ctx); return false; } /* There are two different versions of this protocol so far, * plus others in the standards pipe. Fortunetly they all * take a very similar framing */ version = RSVAL(input->data, 2); ap_req_len = RSVAL(input->data, 4); if ((ap_req_len >= len) || (ap_req_len + header_len) >= len) { talloc_free(tmp_ctx); return false; } krb_priv_len = len - ap_req_len; ap_req = data_blob_const(&input->data[header_len], ap_req_len); krb_priv_req = data_blob_const(&input->data[header_len + ap_req_len], krb_priv_len); server_credentials = cli_credentials_init(tmp_ctx); if (!server_credentials) { DEBUG(1, ("Failed to init server credentials\n")); return false; } /* We want the credentials subsystem to use the krb5 context * we already have, rather than a new context */ cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context); cli_credentials_set_conf(server_credentials, kdc->task->lp_ctx); keytab_name = talloc_asprintf(server_credentials, "HDB:samba4&%p", kdc->hdb_samba4_context); cli_credentials_set_username(server_credentials, "kadmin/changepw", CRED_SPECIFIED); ret = cli_credentials_set_keytab_name(server_credentials, kdc->task->event_ctx, kdc->task->lp_ctx, keytab_name, CRED_SPECIFIED); if (ret != 0) { ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, KRB5_KPASSWD_HARDERROR, talloc_asprintf(mem_ctx, "Failed to obtain server credentials for kadmin/changepw: %s\n", nt_errstr(nt_status)), &krb_priv_rep); ap_rep.length = 0; if (ret) { goto reply; } talloc_free(tmp_ctx); return ret; } /* We don't strictly need to call this wrapper, and could call * gensec_server_start directly, as we have no need for NTLM * and we have a PAC, but this ensures that the wrapper can be * safely extended for other helpful things in future */ nt_status = samba_server_gensec_start(tmp_ctx, kdc->task->event_ctx, kdc->task->msg_ctx, kdc->task->lp_ctx, server_credentials, "kpasswd", &gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return false; } /* The kerberos PRIV packets include these addresses. MIT * clients check that they are present */ #if 0 /* Skip this part for now, it breaks with a NetAPP filer and * in any case where the client address is behind NAT. If * older MIT clients need this, we might have to insert more * complex code */ nt_status = gensec_set_peer_addr(gensec_security, peer_addr); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return false; } #endif nt_status = gensec_set_my_addr(gensec_security, my_addr); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return false; } /* We want the GENSEC wrap calls to generate PRIV tokens */ gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL); nt_status = gensec_start_mech_by_name(gensec_security, "krb5"); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return false; } /* Accept the AP-REQ and generate teh AP-REP we need for the reply */ nt_status = gensec_update(gensec_security, tmp_ctx, ap_req, &ap_rep); if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, KRB5_KPASSWD_HARDERROR, talloc_asprintf(mem_ctx, "gensec_update failed: %s", nt_errstr(nt_status)), &krb_priv_rep); ap_rep.length = 0; if (ret) { goto reply; } talloc_free(tmp_ctx); return ret; } /* Extract the data from the KRB-PRIV half of the message */ nt_status = gensec_unwrap(gensec_security, tmp_ctx, &krb_priv_req, &kpasswd_req); if (!NT_STATUS_IS_OK(nt_status)) { ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, KRB5_KPASSWD_HARDERROR, talloc_asprintf(mem_ctx, "gensec_unwrap failed: %s", nt_errstr(nt_status)), &krb_priv_rep); ap_rep.length = 0; if (ret) { goto reply; } talloc_free(tmp_ctx); return ret; } /* Figure out something to do with it (probably changing a password...) */ ret = kpasswd_process_request(kdc, tmp_ctx, gensec_security, version, &kpasswd_req, &kpasswd_rep); if (!ret) { /* Argh! */ return false; } /* And wrap up the reply: This ensures that the error message * or success can be verified by the client */ nt_status = gensec_wrap(gensec_security, tmp_ctx, &kpasswd_rep, &krb_priv_rep); if (!NT_STATUS_IS_OK(nt_status)) { ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, KRB5_KPASSWD_HARDERROR, talloc_asprintf(mem_ctx, "gensec_wrap failed: %s", nt_errstr(nt_status)), &krb_priv_rep); ap_rep.length = 0; if (ret) { goto reply; } talloc_free(tmp_ctx); return ret; } reply: *reply = data_blob_talloc(mem_ctx, NULL, krb_priv_rep.length + ap_rep.length + header_len); if (!reply->data) { return false; } RSSVAL(reply->data, 0, reply->length); RSSVAL(reply->data, 2, 1); /* This is a version 1 reply, MS change/set or otherwise */ RSSVAL(reply->data, 4, ap_rep.length); memcpy(reply->data + header_len, ap_rep.data, ap_rep.length); memcpy(reply->data + header_len + ap_rep.length, krb_priv_rep.data, krb_priv_rep.length); talloc_free(tmp_ctx); return ret; }
static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, struct smbXsrv_session_auth0 **_auth, struct smbd_smb2_request *smb2req, uint8_t in_security_mode, struct auth_session_info *session_info, uint16_t *out_session_flags, uint64_t *out_session_id) { NTSTATUS status; bool guest = false; uint8_t session_key[16]; struct smbXsrv_session *x = session; struct smbXsrv_session_auth0 *auth = *_auth; struct smbXsrv_connection *xconn = smb2req->xconn; size_t i; struct _derivation { DATA_BLOB label; DATA_BLOB context; }; struct { struct _derivation signing; struct _derivation encryption; struct _derivation decryption; struct _derivation application; } derivation = { }; *_auth = NULL; if (xconn->protocol >= PROTOCOL_SMB3_10) { struct smbXsrv_preauth *preauth; struct _derivation *d; DATA_BLOB p; struct hc_sha512state sctx; preauth = talloc_move(smb2req, &auth->preauth); samba_SHA512_Init(&sctx); samba_SHA512_Update(&sctx, preauth->sha512_value, sizeof(preauth->sha512_value)); for (i = 1; i < smb2req->in.vector_count; i++) { samba_SHA512_Update(&sctx, smb2req->in.vector[i].iov_base, smb2req->in.vector[i].iov_len); } samba_SHA512_Final(preauth->sha512_value, &sctx); p = data_blob_const(preauth->sha512_value, sizeof(preauth->sha512_value)); d = &derivation.signing; d->label = data_blob_string_const_null("SMBSigningKey"); d->context = p; d = &derivation.decryption; d->label = data_blob_string_const_null("SMBC2SCipherKey"); d->context = p; d = &derivation.encryption; d->label = data_blob_string_const_null("SMBS2CCipherKey"); d->context = p; d = &derivation.application; d->label = data_blob_string_const_null("SMBAppKey"); d->context = p; } else if (xconn->protocol >= PROTOCOL_SMB2_24) { struct _derivation *d; d = &derivation.signing; d->label = data_blob_string_const_null("SMB2AESCMAC"); d->context = data_blob_string_const_null("SmbSign"); d = &derivation.decryption; d->label = data_blob_string_const_null("SMB2AESCCM"); d->context = data_blob_string_const_null("ServerIn "); d = &derivation.encryption; d->label = data_blob_string_const_null("SMB2AESCCM"); d->context = data_blob_string_const_null("ServerOut"); d = &derivation.application; d->label = data_blob_string_const_null("SMB2APP"); d->context = data_blob_string_const_null("SmbRpc"); } if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) || lp_server_signing() == SMB_SIGNING_REQUIRED) { x->global->signing_required = true; } if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) && (xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) { x->encryption_desired = true; } if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) { x->encryption_desired = true; x->global->encryption_required = true; } if (security_session_user_level(session_info, NULL) < SECURITY_USER) { /* we map anonymous to guest internally */ *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST; *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL; /* force no signing */ x->global->signing_required = false; guest = true; } if (guest && x->global->encryption_required) { DEBUG(1,("reject guest session as encryption is required\n")); return NT_STATUS_ACCESS_DENIED; } if (xconn->smb2.server.cipher == 0) { if (x->global->encryption_required) { DEBUG(1,("reject session with dialect[0x%04X] " "as encryption is required\n", xconn->smb2.server.dialect)); return NT_STATUS_ACCESS_DENIED; } } if (x->encryption_desired) { *out_session_flags |= SMB2_SESSION_FLAG_ENCRYPT_DATA; } ZERO_STRUCT(session_key); memcpy(session_key, session_info->session_key.data, MIN(session_info->session_key.length, sizeof(session_key))); x->global->signing_key = data_blob_talloc(x->global, session_key, sizeof(session_key)); if (x->global->signing_key.data == NULL) { ZERO_STRUCT(session_key); return NT_STATUS_NO_MEMORY; } if (xconn->protocol >= PROTOCOL_SMB2_24) { struct _derivation *d = &derivation.signing; smb2_key_derivation(session_key, sizeof(session_key), d->label.data, d->label.length, d->context.data, d->context.length, x->global->signing_key.data); } if (xconn->protocol >= PROTOCOL_SMB2_24) { struct _derivation *d = &derivation.decryption; x->global->decryption_key = data_blob_talloc(x->global, session_key, sizeof(session_key)); if (x->global->decryption_key.data == NULL) { ZERO_STRUCT(session_key); return NT_STATUS_NO_MEMORY; } smb2_key_derivation(session_key, sizeof(session_key), d->label.data, d->label.length, d->context.data, d->context.length, x->global->decryption_key.data); } if (xconn->protocol >= PROTOCOL_SMB2_24) { struct _derivation *d = &derivation.encryption; size_t nonce_size; x->global->encryption_key = data_blob_talloc(x->global, session_key, sizeof(session_key)); if (x->global->encryption_key.data == NULL) { ZERO_STRUCT(session_key); return NT_STATUS_NO_MEMORY; } smb2_key_derivation(session_key, sizeof(session_key), d->label.data, d->label.length, d->context.data, d->context.length, x->global->encryption_key.data); /* * CCM and GCM algorithms must never have their * nonce wrap, or the security of the whole * communication and the keys is destroyed. * We must drop the connection once we have * transfered too much data. * * NOTE: We assume nonces greater than 8 bytes. */ generate_random_buffer((uint8_t *)&x->nonce_high_random, sizeof(x->nonce_high_random)); switch (xconn->smb2.server.cipher) { case SMB2_ENCRYPTION_AES128_CCM: nonce_size = AES_CCM_128_NONCE_SIZE; break; case SMB2_ENCRYPTION_AES128_GCM: nonce_size = AES_GCM_128_IV_SIZE; break; default: nonce_size = 0; break; } x->nonce_high_max = SMB2_NONCE_HIGH_MAX(nonce_size); x->nonce_high = 0; x->nonce_low = 0; } x->global->application_key = data_blob_dup_talloc(x->global, x->global->signing_key); if (x->global->application_key.data == NULL) { ZERO_STRUCT(session_key); return NT_STATUS_NO_MEMORY; } if (xconn->protocol >= PROTOCOL_SMB2_24) { struct _derivation *d = &derivation.application; smb2_key_derivation(session_key, sizeof(session_key), d->label.data, d->label.length, d->context.data, d->context.length, x->global->application_key.data); } ZERO_STRUCT(session_key); x->global->channels[0].signing_key = data_blob_dup_talloc(x->global->channels, x->global->signing_key); if (x->global->channels[0].signing_key.data == NULL) { return NT_STATUS_NO_MEMORY; } data_blob_clear_free(&session_info->session_key); session_info->session_key = data_blob_dup_talloc(session_info, x->global->application_key); if (session_info->session_key.data == NULL) { return NT_STATUS_NO_MEMORY; } session->compat = talloc_zero(session, struct user_struct); if (session->compat == NULL) { return NT_STATUS_NO_MEMORY; } session->compat->session = session; session->compat->homes_snum = -1; session->compat->session_info = session_info; session->compat->session_keystr = NULL; session->compat->vuid = session->global->session_wire_id; DLIST_ADD(smb2req->sconn->users, session->compat); smb2req->sconn->num_users++; if (security_session_user_level(session_info, NULL) >= SECURITY_USER) { session->compat->homes_snum = register_homes_share(session_info->unix_info->unix_name); } set_current_user_info(session_info->unix_info->sanitized_username, session_info->unix_info->unix_name, session_info->info->domain_name); reload_services(smb2req->sconn, conn_snum_used, true); session->status = NT_STATUS_OK; session->global->auth_session_info = talloc_move(session->global, &session_info); session->global->auth_session_info_seqnum += 1; for (i=0; i < session->global->num_channels; i++) { struct smbXsrv_channel_global0 *_c = &session->global->channels[i]; _c->auth_session_info_seqnum = session->global->auth_session_info_seqnum; } session->global->auth_time = timeval_to_nttime(&smb2req->request_time); session->global->expiration_time = gensec_expire_time(auth->gensec); if (!session_claim(session)) { DEBUG(1, ("smb2: Failed to claim session " "for vuid=%llu\n", (unsigned long long)session->compat->vuid)); return NT_STATUS_LOGON_FAILURE; } TALLOC_FREE(auth); status = smbXsrv_session_update(session); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n", (unsigned long long)session->compat->vuid, nt_errstr(status))); return NT_STATUS_LOGON_FAILURE; } /* * we attach the session to the request * so that the response can be signed */ if (!guest) { smb2req->do_signing = true; } global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32); *out_session_id = session->global->session_wire_id; return NT_STATUS_OK; }
/* This function MUST only used to create the cached server_info for * guest. * * This is a lossy conversion. Variables known to be lost so far * include: * * - nss_token (not needed because the only read doesn't happen * for the GUEST user, as this routine populates ->security_token * * - extra (not needed because the guest account must have valid RIDs per the output of get_guest_info3()) * * - The 'server_info' parameter allows the missing 'info3' to be copied across. */ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLOC_CTX *mem_ctx, const struct auth_session_info *src, struct auth_serversupplied_info *server_info) { struct auth_serversupplied_info *dst; dst = make_server_info(mem_ctx); if (dst == NULL) { return NULL; } /* This element must be provided to convert back to an auth_serversupplied_info */ SMB_ASSERT(src->unix_info); dst->guest = true; dst->system = false; /* This element must be provided to convert back to an * auth_serversupplied_info. This needs to be from the * auth_session_info because the group values in particular * may change during create_local_token() processing */ SMB_ASSERT(src->unix_token); dst->utok.uid = src->unix_token->uid; dst->utok.gid = src->unix_token->gid; dst->utok.ngroups = src->unix_token->ngroups; if (src->unix_token->ngroups != 0) { dst->utok.groups = (gid_t *)talloc_memdup( dst, src->unix_token->groups, sizeof(gid_t)*dst->utok.ngroups); } else { dst->utok.groups = NULL; } /* We must have a security_token as otherwise the lossy * conversion without nss_token would cause create_local_token * to take the wrong path */ SMB_ASSERT(src->security_token); dst->security_token = dup_nt_token(dst, src->security_token); if (!dst->security_token) { TALLOC_FREE(dst); return NULL; } dst->session_key = data_blob_talloc( dst, src->session_key.data, src->session_key.length); /* This is OK because this functions is only used for the * GUEST account, which has all-zero keys for both values */ dst->lm_session_key = data_blob_talloc(dst, src->session_key.data, src->session_key.length); dst->info3 = copy_netr_SamInfo3(dst, server_info->info3); if (!dst->info3) { TALLOC_FREE(dst); return NULL; } dst->unix_name = talloc_strdup(dst, src->unix_info->unix_name); if (!dst->unix_name) { TALLOC_FREE(dst); return NULL; } return dst; }
static NTSTATUS raw_smbcli_t2open(struct smbcli_tree *tree, const char *fname, int flags, int share_mode, int *fnum) { union smb_open io; uint_t openfn=0; uint_t accessmode=0; TALLOC_CTX *mem_ctx; NTSTATUS status; mem_ctx = talloc_init("raw_t2open"); if (!mem_ctx) return NT_STATUS_NO_MEMORY; if (flags & O_CREAT) { openfn |= OPENX_OPEN_FUNC_CREATE; } if (!(flags & O_EXCL)) { if (flags & O_TRUNC) { openfn |= OPENX_OPEN_FUNC_TRUNC; } else { openfn |= OPENX_OPEN_FUNC_OPEN; } } accessmode = (share_mode<<OPENX_MODE_DENY_SHIFT); if ((flags & O_ACCMODE) == O_RDWR) { accessmode |= OPENX_MODE_ACCESS_RDWR; } else if ((flags & O_ACCMODE) == O_WRONLY) { accessmode |= OPENX_MODE_ACCESS_WRITE; } else if ((flags & O_ACCMODE) == O_RDONLY) { accessmode |= OPENX_MODE_ACCESS_READ; } #if defined(O_SYNC) if ((flags & O_SYNC) == O_SYNC) { accessmode |= OPENX_MODE_WRITE_THRU; } #endif if (share_mode == DENY_FCB) { accessmode = OPENX_MODE_ACCESS_FCB | OPENX_MODE_DENY_FCB; } memset(&io, '\0', sizeof(io)); io.t2open.level = RAW_OPEN_T2OPEN; io.t2open.in.flags = 0; io.t2open.in.open_mode = accessmode; io.t2open.in.search_attrs = FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN; io.t2open.in.file_attrs = 0; io.t2open.in.write_time = 0; io.t2open.in.open_func = openfn; io.t2open.in.size = 0; io.t2open.in.timeout = 0; io.t2open.in.fname = fname; io.t2open.in.num_eas = 1; io.t2open.in.eas = talloc_array(mem_ctx, struct ea_struct, io.t2open.in.num_eas); io.t2open.in.eas[0].flags = 0; io.t2open.in.eas[0].name.s = ".CLASSINFO"; io.t2open.in.eas[0].value = data_blob_talloc(mem_ctx, "first value", 11); status = smb_raw_open(tree, mem_ctx, &io); talloc_free(mem_ctx); if (fnum && NT_STATUS_IS_OK(status)) { *fnum = io.openx.out.file.fnum; } return status; }