static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
TALLOC_CTX *mem_ctx,
DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
{
struct gensec_ntlmssp_context *gensec_ntlmssp =
talloc_get_type_abort(ntlmssp_state->callback_private,
struct gensec_ntlmssp_context);
struct auth4_context *auth_context = gensec_ntlmssp->gensec_security->auth_context;
NTSTATUS nt_status;
struct auth_usersupplied_info *user_info;
user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
if (!user_info) {
return NT_STATUS_NO_MEMORY;
}
user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
user_info->flags = 0;
user_info->mapped_state = false;
user_info->client.account_name = ntlmssp_state->user;
user_info->client.domain_name = ntlmssp_state->domain;
user_info->workstation_name = ntlmssp_state->client.netbios_name;
user_info->remote_host = gensec_get_remote_address(gensec_ntlmssp->gensec_security);
user_info->password_state = AUTH_PASSWORD_RESPONSE;
user_info->password.response.lanman = ntlmssp_state->lm_resp;
user_info->password.response.lanman.data = talloc_steal(user_info, ntlmssp_state->lm_resp.data);
user_info->password.response.nt = ntlmssp_state->nt_resp;
user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data);
nt_status = auth_context->check_password(auth_context,
gensec_ntlmssp,
user_info,
&gensec_ntlmssp->user_info_dc);
talloc_free(user_info);
NT_STATUS_NOT_OK_RETURN(nt_status);
if (gensec_ntlmssp->user_info_dc->user_session_key.length) {
DEBUG(10, ("Got NT session key of length %u\n",
(unsigned)gensec_ntlmssp->user_info_dc->user_session_key.length));
*user_session_key = gensec_ntlmssp->user_info_dc->user_session_key;
talloc_steal(mem_ctx, user_session_key->data);
gensec_ntlmssp->user_info_dc->user_session_key = data_blob_null;
}
if (gensec_ntlmssp->user_info_dc->lm_session_key.length) {
DEBUG(10, ("Got LM session key of length %u\n",
(unsigned)gensec_ntlmssp->user_info_dc->lm_session_key.length));
*lm_session_key = gensec_ntlmssp->user_info_dc->lm_session_key;
talloc_steal(mem_ctx, lm_session_key->data);
gensec_ntlmssp->user_info_dc->lm_session_key = data_blob_null;
}
return nt_status;
}
/* Get some basic (and authorization) information about the user on
* this session. This uses either the PAC (if present) or a local
* database lookup */
static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
struct auth_session_info **_session_info)
{
NTSTATUS nt_status;
TALLOC_CTX *tmp_ctx;
struct gensec_gssapi_state *gensec_gssapi_state
= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
struct auth_session_info *session_info = NULL;
OM_uint32 maj_stat, min_stat;
DATA_BLOB pac_blob, *pac_blob_ptr = NULL;
gss_buffer_desc name_token;
char *principal_string;
tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
maj_stat = gss_display_name (&min_stat,
gensec_gssapi_state->client_name,
&name_token,
NULL);
if (GSS_ERROR(maj_stat)) {
DEBUG(1, ("GSS display_name failed: %s\n",
gssapi_error_string(tmp_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
talloc_free(tmp_ctx);
return NT_STATUS_FOOBAR;
}
principal_string = talloc_strndup(tmp_ctx,
(const char *)name_token.value,
name_token.length);
gss_release_buffer(&min_stat, &name_token);
if (!principal_string) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
nt_status = gssapi_obtain_pac_blob(tmp_ctx, gensec_gssapi_state->gssapi_context,
gensec_gssapi_state->client_name,
&pac_blob);
/* IF we have the PAC - otherwise we need to get this
* data from elsewere - local ldb, or (TODO) lookup of some
* kind...
*/
if (NT_STATUS_IS_OK(nt_status)) {
pac_blob_ptr = &pac_blob;
}
nt_status = gensec_generate_session_info_pac(tmp_ctx,
gensec_security,
gensec_gssapi_state->smb_krb5_context,
pac_blob_ptr, principal_string,
gensec_get_remote_address(gensec_security),
&session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
nt_status = gensec_gssapi_session_key(gensec_security, session_info, &session_info->session_key);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
if (gensec_gssapi_state->gss_got_flags & GSS_C_DELEG_FLAG &&
gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
krb5_error_code ret;
const char *error_string;
DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n"));
session_info->credentials = cli_credentials_init(session_info);
if (!session_info->credentials) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
cli_credentials_set_conf(session_info->credentials, gensec_security->settings->lp_ctx);
/* Just so we don't segfault trying to get at a username */
cli_credentials_set_anonymous(session_info->credentials);
ret = cli_credentials_set_client_gss_creds(session_info->credentials,
gensec_security->settings->lp_ctx,
gensec_gssapi_state->delegated_cred_handle,
CRED_SPECIFIED, &error_string);
if (ret) {
talloc_free(tmp_ctx);
DEBUG(2,("Failed to get gss creds: %s\n", error_string));
return NT_STATUS_NO_MEMORY;
}
/* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
cli_credentials_set_kerberos_state(session_info->credentials, CRED_MUST_USE_KERBEROS);
/* It has been taken from this place... */
gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
} else {
DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
}
*_session_info = talloc_steal(mem_ctx, session_info);
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool gssapi)
{
krb5_error_code ret;
struct gensec_krb5_state *gensec_krb5_state;
struct cli_credentials *creds;
const struct tsocket_address *tlocal_addr, *tremote_addr;
krb5_address my_krb5_addr, peer_krb5_addr;
creds = gensec_get_credentials(gensec_security);
if (!creds) {
return NT_STATUS_INVALID_PARAMETER;
}
gensec_krb5_state = talloc(gensec_security, struct gensec_krb5_state);
if (!gensec_krb5_state) {
return NT_STATUS_NO_MEMORY;
}
gensec_security->private_data = gensec_krb5_state;
gensec_krb5_state->smb_krb5_context = NULL;
gensec_krb5_state->auth_context = NULL;
gensec_krb5_state->ticket = NULL;
ZERO_STRUCT(gensec_krb5_state->enc_ticket);
gensec_krb5_state->keyblock = NULL;
gensec_krb5_state->gssapi = gssapi;
talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy);
if (cli_credentials_get_krb5_context(creds,
gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
ret, gensec_krb5_state)));
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
ret = krb5_auth_con_setflags(gensec_krb5_state->smb_krb5_context->krb5_context,
gensec_krb5_state->auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_auth_con_setflags failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
ret, gensec_krb5_state)));
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
tlocal_addr = gensec_get_local_address(gensec_security);
if (tlocal_addr) {
ssize_t socklen;
struct sockaddr_storage ss;
socklen = tsocket_address_bsd_sockaddr(tlocal_addr,
(struct sockaddr *) &ss,
sizeof(struct sockaddr_storage));
if (socklen < 0) {
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
(const struct sockaddr *) &ss, &my_krb5_addr);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
ret, gensec_krb5_state)));
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
}
tremote_addr = gensec_get_remote_address(gensec_security);
if (tremote_addr) {
ssize_t socklen;
struct sockaddr_storage ss;
socklen = tsocket_address_bsd_sockaddr(tremote_addr,
(struct sockaddr *) &ss,
sizeof(struct sockaddr_storage));
if (socklen < 0) {
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
(const struct sockaddr *) &ss, &peer_krb5_addr);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
ret, gensec_krb5_state)));
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
}
ret = krb5_auth_con_setaddrs(gensec_krb5_state->smb_krb5_context->krb5_context,
gensec_krb5_state->auth_context,
tlocal_addr ? &my_krb5_addr : NULL,
tremote_addr ? &peer_krb5_addr : NULL);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_auth_con_setaddrs failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
ret, gensec_krb5_state)));
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
return NT_STATUS_OK;
}
static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
struct auth_session_info **_session_info)
{
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
struct auth_session_info *session_info = NULL;
krb5_principal client_principal;
char *principal_string;
DATA_BLOB pac_blob, *pac_blob_ptr = NULL;
krb5_data pac_data;
krb5_error_code ret;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
}
ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal);
if (ret) {
DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n",
smb_get_krb5_error_message(context,
ret, tmp_ctx)));
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context,
client_principal, &principal_string);
if (ret) {
DEBUG(1, ("Unable to parse client principal: %s\n",
smb_get_krb5_error_message(context,
ret, tmp_ctx)));
krb5_free_principal(context, client_principal);
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
ret = krb5_ticket_get_authorization_data_type(context, gensec_krb5_state->ticket,
KRB5_AUTHDATA_WIN2K_PAC,
&pac_data);
if (ret) {
/* NO pac */
DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n",
smb_get_krb5_error_message(context,
ret, tmp_ctx)));
} else {
/* Found pac */
pac_blob = data_blob_talloc(tmp_ctx, pac_data.data, pac_data.length);
if (!pac_blob.data) {
free(principal_string);
krb5_free_principal(context, client_principal);
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
/* decode and verify the pac */
nt_status = kerberos_decode_pac(gensec_krb5_state,
pac_blob,
gensec_krb5_state->smb_krb5_context->krb5_context,
NULL, gensec_krb5_state->keyblock,
client_principal,
gensec_krb5_state->ticket->ticket.authtime, NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
free(principal_string);
krb5_free_principal(context, client_principal);
talloc_free(tmp_ctx);
return nt_status;
}
pac_blob_ptr = &pac_blob;
}
nt_status = gensec_generate_session_info_pac(tmp_ctx,
gensec_security,
gensec_krb5_state->smb_krb5_context,
pac_blob_ptr, principal_string,
gensec_get_remote_address(gensec_security),
&session_info);
free(principal_string);
krb5_free_principal(context, client_principal);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
nt_status = gensec_krb5_session_key(gensec_security, session_info, &session_info->session_key);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
*_session_info = talloc_steal(mem_ctx, session_info);
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
{
struct gensec_ntlmssp_context *gensec_ntlmssp =
(struct gensec_ntlmssp_context *)ntlmssp_state->callback_private;
struct auth_usersupplied_info *user_info = NULL;
NTSTATUS nt_status;
bool username_was_mapped;
/* the client has given us its machine name (which we otherwise would not get on port 445).
we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
set_remote_machine_name(gensec_ntlmssp->ntlmssp_state->client.netbios_name, True);
/* setup the string used by %U */
/* sub_set_smb_name checks for weird internally */
sub_set_smb_name(gensec_ntlmssp->ntlmssp_state->user);
lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
nt_status = make_user_info_map(&user_info,
gensec_ntlmssp->ntlmssp_state->user,
gensec_ntlmssp->ntlmssp_state->domain,
gensec_ntlmssp->ntlmssp_state->client.netbios_name,
gensec_get_remote_address(gensec_ntlmssp->gensec_security),
gensec_ntlmssp->ntlmssp_state->lm_resp.data ? &gensec_ntlmssp->ntlmssp_state->lm_resp : NULL,
gensec_ntlmssp->ntlmssp_state->nt_resp.data ? &gensec_ntlmssp->ntlmssp_state->nt_resp : NULL,
NULL, NULL, NULL,
AUTH_PASSWORD_RESPONSE);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
nt_status = gensec_ntlmssp->auth_context->check_ntlm_password(gensec_ntlmssp->auth_context,
user_info, &gensec_ntlmssp->server_info);
username_was_mapped = user_info->was_mapped;
free_user_info(&user_info);
if (!NT_STATUS_IS_OK(nt_status)) {
nt_status = do_map_to_guest_server_info(nt_status,
&gensec_ntlmssp->server_info,
gensec_ntlmssp->ntlmssp_state->user,
gensec_ntlmssp->ntlmssp_state->domain);
return nt_status;
}
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
gensec_ntlmssp->server_info->nss_token |= username_was_mapped;
/* Clear out the session keys, and pass them to the caller.
* They will not be used in this form again - instead the
* NTLMSSP code will decide on the final correct session key,
* and supply it to create_local_token() */
if (gensec_ntlmssp->server_info->session_key.length) {
DEBUG(10, ("Got NT session key of length %u\n",
(unsigned int)gensec_ntlmssp->server_info->session_key.length));
*session_key = gensec_ntlmssp->server_info->session_key;
talloc_steal(mem_ctx, gensec_ntlmssp->server_info->session_key.data);
gensec_ntlmssp->server_info->session_key = data_blob_null;
}
if (gensec_ntlmssp->server_info->lm_session_key.length) {
DEBUG(10, ("Got LM session key of length %u\n",
(unsigned int)gensec_ntlmssp->server_info->lm_session_key.length));
*lm_session_key = gensec_ntlmssp->server_info->lm_session_key;
talloc_steal(mem_ctx, gensec_ntlmssp->server_info->lm_session_key.data);
gensec_ntlmssp->server_info->lm_session_key = data_blob_null;
}
return nt_status;
}
