/* * Test that a ticket obtained for the DNS service will be accepted on the Samba DLZ side * */ static bool test_dlz_bind9_gensec(struct torture_context *tctx, const char *mech) { NTSTATUS status; struct gensec_security *gensec_client_context; DATA_BLOB client_to_server, server_to_client; void *dbdata; const char *argv[] = { "samba_dlz", "-H", lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"), NULL }; tctx_static = tctx; torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, discard_const_p(char *, argv), &dbdata, "log", dlz_bind9_log_wrapper, "writeable_zone", dlz_bind9_writeable_zone_hook, NULL), ISC_R_SUCCESS, "Failed to create samba_dlz"); torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata), ISC_R_SUCCESS, "Failed to configure samba_dlz"); status = gensec_client_start(tctx, &gensec_client_context, lpcfg_gensec_settings(tctx, tctx->lp_ctx)); torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed"); status = gensec_set_target_hostname(gensec_client_context, torture_setting_string(tctx, "host", NULL)); torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed"); status = gensec_set_credentials(gensec_client_context, cmdline_credentials); torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed"); status = gensec_start_mech_by_sasl_name(gensec_client_context, mech); torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed"); server_to_client = data_blob(NULL, 0); /* Do one step of the client-server update dance */ status = gensec_update(gensec_client_context, tctx, tctx->ev, server_to_client, &client_to_server); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {; torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed"); } torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials), lpcfg_dnsdomain(tctx->lp_ctx), "127.0.0.1", "type", "key", client_to_server.length, client_to_server.data, dbdata), ISC_R_SUCCESS, "Failed to check key for update rights samba_dlz"); dlz_destroy(dbdata); return true; }
/* Modern, all singing, all dancing extended security (and possibly SPNEGO) request */ static NTSTATUS session_setup_spnego(struct composite_context *c, struct smbcli_session *session, struct smb_composite_sesssetup *io, struct smbcli_request **req) { struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state); NTSTATUS status; const char *chosen_oid = NULL; state->setup.spnego.level = RAW_SESSSETUP_SPNEGO; state->setup.spnego.in.bufsize = session->transport->options.max_xmit; state->setup.spnego.in.mpx_max = session->transport->options.max_mux; state->setup.spnego.in.vc_num = 1; state->setup.spnego.in.sesskey = io->in.sesskey; state->setup.spnego.in.capabilities = io->in.capabilities; state->setup.spnego.in.os = "Unix"; state->setup.spnego.in.lanman = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING); state->setup.spnego.in.workgroup = io->in.workgroup; status = gensec_client_start(session, &session->gensec, io->in.gensec_settings); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status))); return status; } gensec_want_feature(session->gensec, GENSEC_FEATURE_SESSION_KEY); status = gensec_set_credentials(session->gensec, io->in.credentials); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start set GENSEC client credentials: %s\n", nt_errstr(status))); return status; } status = gensec_set_target_hostname(session->gensec, smbXcli_conn_remote_name(session->transport->conn)); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n", nt_errstr(status))); return status; } status = gensec_set_target_service(session->gensec, "cifs"); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start set GENSEC target service: %s\n", nt_errstr(status))); return status; } if (session->transport->negotiate.secblob.length) { chosen_oid = GENSEC_OID_SPNEGO; status = gensec_start_mech_by_oid(session->gensec, chosen_oid); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n", gensec_get_name_by_oid(session->gensec, chosen_oid), nt_errstr(status))); chosen_oid = GENSEC_OID_NTLMSSP; status = gensec_start_mech_by_oid(session->gensec, chosen_oid); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start set (fallback) GENSEC client mechanism %s: %s\n", gensec_get_name_by_oid(session->gensec, chosen_oid), nt_errstr(status))); return status; } } } else { /* without a sec blob, means raw NTLMSSP */ chosen_oid = GENSEC_OID_NTLMSSP; status = gensec_start_mech_by_oid(session->gensec, chosen_oid); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n", gensec_get_name_by_oid(session->gensec, chosen_oid), nt_errstr(status))); } } if (strequal(chosen_oid, GENSEC_OID_SPNEGO)) { status = gensec_update(session->gensec, state, c->event_ctx, session->transport->negotiate.secblob, &state->setup.spnego.in.secblob); } else { status = gensec_update(session->gensec, state, c->event_ctx, data_blob(NULL, 0), &state->setup.spnego.in.secblob); } if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed initial gensec_update with mechanism %s: %s\n", gensec_get_name_by_oid(session->gensec, chosen_oid), nt_errstr(status))); return status; } state->gensec_status = status; *req = smb_raw_sesssetup_send(session, &state->setup); if (!*req) { return NT_STATUS_NO_MEMORY; } /* * we need to check the signature ourself * as the session key might be the acceptor subkey * which comes within the response itself */ if (!smb1cli_conn_signing_is_active((*req)->transport->conn)) { (*req)->sign_caller_checks = true; } return (*req)->status; }
/* perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can we fit on one socket??) */ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads, const char *sasl, enum credentials_use_kerberos krb5_state, const char *target_service, const char *target_hostname, const DATA_BLOB server_blob) { DATA_BLOB blob_in = data_blob_null; DATA_BLOB blob_out = data_blob_null; int rc; NTSTATUS nt_status; ADS_STATUS status; struct auth_generic_state *auth_generic_state; bool use_spnego_principal = lp_client_use_spnego_principal(); const char *sasl_list[] = { sasl, NULL }; NTTIME end_nt_time; struct ads_saslwrap *wrap = &ads->ldap_wrap_data; nt_status = auth_generic_client_prepare(NULL, &auth_generic_state); if (!NT_STATUS_IS_OK(nt_status)) { return ADS_ERROR_NT(nt_status); } if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_username(auth_generic_state, ads->auth.user_name))) { return ADS_ERROR_NT(nt_status); } if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_domain(auth_generic_state, ads->auth.realm))) { return ADS_ERROR_NT(nt_status); } if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_password(auth_generic_state, ads->auth.password))) { return ADS_ERROR_NT(nt_status); } if (server_blob.length == 0) { use_spnego_principal = false; } if (krb5_state == CRED_DONT_USE_KERBEROS) { use_spnego_principal = false; } cli_credentials_set_kerberos_state(auth_generic_state->credentials, krb5_state); if (target_service != NULL) { nt_status = gensec_set_target_service( auth_generic_state->gensec_security, target_service); if (!NT_STATUS_IS_OK(nt_status)) { return ADS_ERROR_NT(nt_status); } } if (target_hostname != NULL) { nt_status = gensec_set_target_hostname( auth_generic_state->gensec_security, target_hostname); if (!NT_STATUS_IS_OK(nt_status)) { return ADS_ERROR_NT(nt_status); } } if (target_service != NULL && target_hostname != NULL) { use_spnego_principal = false; } switch (wrap->wrap_type) { case ADS_SASLWRAP_TYPE_SEAL: gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL); break; case ADS_SASLWRAP_TYPE_SIGN: if (ads->auth.flags & ADS_AUTH_SASL_FORCE) { gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); } else { /* * windows servers are broken with sign only, * so we let the NTLMSSP backend to seal here, * via GENSEC_FEATURE_LDAP_STYLE. */ gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_LDAP_STYLE); } break; case ADS_SASLWRAP_TYPE_PLAIN: break; } nt_status = auth_generic_client_start_by_sasl(auth_generic_state, sasl_list); if (!NT_STATUS_IS_OK(nt_status)) { return ADS_ERROR_NT(nt_status); } rc = LDAP_SASL_BIND_IN_PROGRESS; nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED; if (use_spnego_principal) { blob_in = data_blob_dup_talloc(talloc_tos(), server_blob); if (blob_in.length == 0) { TALLOC_FREE(auth_generic_state); return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } } else { blob_in = data_blob_null; } blob_out = data_blob_null; while (true) { struct berval cred, *scred = NULL; nt_status = gensec_update(auth_generic_state->gensec_security, talloc_tos(), blob_in, &blob_out); data_blob_free(&blob_in); if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(auth_generic_state); data_blob_free(&blob_out); return ADS_ERROR_NT(nt_status); } if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_out.length == 0) { break; } cred.bv_val = (char *)blob_out.data; cred.bv_len = blob_out.length; scred = NULL; rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, sasl, &cred, NULL, NULL, &scred); data_blob_free(&blob_out); if ((rc != LDAP_SASL_BIND_IN_PROGRESS) && (rc != 0)) { if (scred) { ber_bvfree(scred); } TALLOC_FREE(auth_generic_state); return ADS_ERROR(rc); } if (scred) { blob_in = data_blob_talloc(talloc_tos(), scred->bv_val, scred->bv_len); if (blob_in.length != scred->bv_len) { ber_bvfree(scred); TALLOC_FREE(auth_generic_state); return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } ber_bvfree(scred); } else { blob_in = data_blob_null; } if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_in.length == 0) { break; } } data_blob_free(&blob_in); data_blob_free(&blob_out); if (wrap->wrap_type >= ADS_SASLWRAP_TYPE_SEAL) { bool ok; ok = gensec_have_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL); if (!ok) { DEBUG(0,("The gensec feature sealing request, but unavailable\n")); TALLOC_FREE(auth_generic_state); return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE); } ok = gensec_have_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); if (!ok) { DEBUG(0,("The gensec feature signing request, but unavailable\n")); TALLOC_FREE(auth_generic_state); return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE); } } else if (wrap->wrap_type >= ADS_SASLWRAP_TYPE_SIGN) { bool ok; ok = gensec_have_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); if (!ok) { DEBUG(0,("The gensec feature signing request, but unavailable\n")); TALLOC_FREE(auth_generic_state); return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE); } } ads->auth.tgs_expire = LONG_MAX; end_nt_time = gensec_expire_time(auth_generic_state->gensec_security); if (end_nt_time != GENSEC_EXPIRE_TIME_INFINITY) { struct timeval tv; nttime_to_timeval(&tv, end_nt_time); ads->auth.tgs_expire = tv.tv_sec; } if (wrap->wrap_type > ADS_SASLWRAP_TYPE_PLAIN) { size_t max_wrapped = gensec_max_wrapped_size(auth_generic_state->gensec_security); wrap->out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security); wrap->out.sig_size = max_wrapped - wrap->out.max_unwrapped; /* * Note that we have to truncate this to 0x2C * (taken from a capture with LDAP unbind), as the * signature size is not constant for Kerberos with * arcfour-hmac-md5. */ wrap->in.min_wrapped = MIN(wrap->out.sig_size, 0x2C); wrap->in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED; status = ads_setup_sasl_wrapping(wrap, ads->ldap.ld, &ads_sasl_gensec_ops, auth_generic_state->gensec_security); if (!ADS_ERR_OK(status)) { DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n", ads_errstr(status))); TALLOC_FREE(auth_generic_state); return status; } /* Only keep the gensec_security element around long-term */ talloc_steal(NULL, auth_generic_state->gensec_security); } TALLOC_FREE(auth_generic_state); return ADS_ERROR(rc); }
/* * Test some updates */ static bool test_dlz_bind9_update01(struct torture_context *tctx) { NTSTATUS status; struct gensec_security *gensec_client_context; DATA_BLOB client_to_server, server_to_client; void *dbdata; void *version = NULL; const char *argv[] = { "samba_dlz", "-H", lpcfg_private_path(tctx, tctx->lp_ctx, "dns/sam.ldb"), NULL }; struct test_expected_rr *expected1 = NULL; char *name = NULL; char *data0 = NULL; char *data1 = NULL; char *data2 = NULL; bool ret = false; tctx_static = tctx; torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, argv, &dbdata, "log", dlz_bind9_log_wrapper, "writeable_zone", dlz_bind9_writeable_zone_hook, "putrr", dlz_bind9_putrr_hook, "putnamedrr", dlz_bind9_putnamedrr_hook, NULL), ISC_R_SUCCESS, "Failed to create samba_dlz"); torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata), ISC_R_SUCCESS, "Failed to configure samba_dlz"); expected1 = talloc_zero(tctx, struct test_expected_rr); torture_assert(tctx, expected1 != NULL, "talloc failed"); expected1->tctx = tctx; expected1->query_name = __func__; name = talloc_asprintf(expected1, "%s.%s", expected1->query_name, lpcfg_dnsdomain(tctx->lp_ctx)); torture_assert(tctx, name != NULL, "talloc failed"); expected1->num_records = 2; expected1->records = talloc_zero_array(expected1, struct test_expected_record, expected1->num_records); torture_assert(tctx, expected1->records != NULL, "talloc failed"); expected1->records[0].name = expected1->query_name; expected1->records[0].type = "a"; expected1->records[0].ttl = 3600; expected1->records[0].data = "127.1.2.3"; expected1->records[0].printed = false; data0 = talloc_asprintf(expected1, "%s.\t" "%u\t" "%s\t" "%s\t" "%s", name, (unsigned)expected1->records[0].ttl, "in", expected1->records[0].type, expected1->records[0].data); torture_assert(tctx, data0 != NULL, "talloc failed"); expected1->records[1].name = expected1->query_name; expected1->records[1].type = "a"; expected1->records[1].ttl = 3600; expected1->records[1].data = "127.3.2.1"; expected1->records[1].printed = false; data1 = talloc_asprintf(expected1, "%s.\t" "%u\t" "%s\t" "%s\t" "%s", name, (unsigned)expected1->records[1].ttl, "in", expected1->records[1].type, expected1->records[1].data); torture_assert(tctx, data1 != NULL, "talloc failed"); data2 = talloc_asprintf(expected1, "%s.\t" "0\t" "in\t" "a\t" "127.3.3.3", name); torture_assert(tctx, data2 != NULL, "talloc failed"); /* * Prepare session info */ status = gensec_client_start(tctx, &gensec_client_context, lpcfg_gensec_settings(tctx, tctx->lp_ctx)); torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed"); /* * dlz_bind9 use the special dns/host.domain account */ status = gensec_set_target_hostname(gensec_client_context, talloc_asprintf(tctx, "%s.%s", torture_setting_string(tctx, "host", NULL), lpcfg_dnsdomain(tctx->lp_ctx))); torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_hostname (client) failed"); status = gensec_set_target_service(gensec_client_context, "dns"); torture_assert_ntstatus_ok(tctx, status, "gensec_set_target_service failed"); status = gensec_set_credentials(gensec_client_context, cmdline_credentials); torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed"); status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSS-SPNEGO"); torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed"); server_to_client = data_blob(NULL, 0); /* Do one step of the client-server update dance */ status = gensec_update(gensec_client_context, tctx, tctx->ev, server_to_client, &client_to_server); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {; torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed"); } torture_assert_int_equal(tctx, dlz_ssumatch(cli_credentials_get_username(cmdline_credentials), name, "127.0.0.1", expected1->records[0].type, "key", client_to_server.length, client_to_server.data, dbdata), ISC_TRUE, "Failed to check key for update rights samba_dlz"); /* * We test the following: * * 1. lookup the records => NOT_FOUND * 2. delete all records => NOT_FOUND * 3. delete 1st record => NOT_FOUND * 4. create 1st record => SUCCESS * 5. lookup the records => found 1st * 6. create 2nd record => SUCCESS * 7. lookup the records => found 1st and 2nd * 8. delete unknown record => NOT_FOUND * 9. lookup the records => found 1st and 2nd * 10. delete 1st record => SUCCESS * 11. lookup the records => found 2nd * 12. delete 2nd record => SUCCESS * 13. lookup the records => NOT_FOUND * 14. create 1st record => SUCCESS * 15. lookup the records => found 1st * 16. create 2nd record => SUCCESS * 17. lookup the records => found 1st and 2nd * 18. update 1st record => SUCCESS * 19. lookup the records => found 1st and 2nd * 20. delete all unknown type records => NOT_FOUND * 21. lookup the records => found 1st and 2nd * 22. delete all records => SUCCESS * 23. lookup the records => NOT_FOUND */ /* Step 1. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_NOTFOUND, "Found hostname"); torture_assert_int_equal(tctx, expected1->num_rr, 0, "Got wrong record count"); /* Step 2. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_delrdataset(name, expected1->records[0].type, dbdata, version), ISC_R_NOTFOUND, ret, cancel_version, talloc_asprintf(tctx, "Deleted name[%s] type[%s]\n", name, expected1->records[0].type)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version); /* Step 3. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_subrdataset(name, data0, dbdata, version), ISC_R_NOTFOUND, ret, cancel_version, talloc_asprintf(tctx, "Deleted name[%s] data[%s]\n", name, data0)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version); /* Step 4. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_addrdataset(name, data0, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n", name, data0)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 5. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[0].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[0].name, expected1->records[0].type)); torture_assert_int_equal(tctx, expected1->num_rr, 1, "Got wrong record count"); /* Step 6. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_addrdataset(name, data1, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n", name, data1)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 7. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[0].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[0].name, expected1->records[0].type)); torture_assert(tctx, expected1->records[1].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[1].name, expected1->records[1].type)); torture_assert_int_equal(tctx, expected1->num_rr, 2, "Got wrong record count"); /* Step 8. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_subrdataset(name, data2, dbdata, version), ISC_R_NOTFOUND, ret, cancel_version, talloc_asprintf(tctx, "Deleted name[%s] data[%s]\n", name, data2)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 9. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[0].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[0].name, expected1->records[0].type)); torture_assert(tctx, expected1->records[1].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[1].name, expected1->records[1].type)); torture_assert_int_equal(tctx, expected1->num_rr, 2, "Got wrong record count"); /* Step 10. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_subrdataset(name, data0, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to delete name[%s] data[%s]\n", name, data0)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 11. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[1].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[1].name, expected1->records[1].type)); torture_assert_int_equal(tctx, expected1->num_rr, 1, "Got wrong record count"); /* Step 12. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_subrdataset(name, data1, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to delete name[%s] data[%s]\n", name, data1)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 13. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_NOTFOUND, "Found hostname"); torture_assert_int_equal(tctx, expected1->num_rr, 0, "Got wrong record count"); /* Step 14. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_addrdataset(name, data0, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n", name, data0)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 15. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[0].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[0].name, expected1->records[0].type)); torture_assert_int_equal(tctx, expected1->num_rr, 1, "Got wrong record count"); /* Step 16. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_addrdataset(name, data1, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to add name[%s] data[%s]\n", name, data1)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 17. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[0].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[0].name, expected1->records[0].type)); torture_assert(tctx, expected1->records[1].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[1].name, expected1->records[1].type)); torture_assert_int_equal(tctx, expected1->num_rr, 2, "Got wrong record count"); /* Step 18. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_addrdataset(name, data0, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to update name[%s] data[%s]\n", name, data0)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 19. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[0].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[0].name, expected1->records[0].type)); torture_assert(tctx, expected1->records[1].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[1].name, expected1->records[1].type)); torture_assert_int_equal(tctx, expected1->num_rr, 2, "Got wrong record count"); /* Step 20. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_delrdataset(name, "txt", dbdata, version), ISC_R_FAILURE, ret, cancel_version, talloc_asprintf(tctx, "Deleted name[%s] type[%s]\n", name, "txt")); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version); /* Step 21. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_SUCCESS, "Not found hostname"); torture_assert(tctx, expected1->records[0].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[0].name, expected1->records[0].type)); torture_assert(tctx, expected1->records[1].printed, talloc_asprintf(tctx, "Failed to have putrr callback run name[%s] for type %s", expected1->records[1].name, expected1->records[1].type)); torture_assert_int_equal(tctx, expected1->num_rr, 2, "Got wrong record count"); /* Step 22. */ torture_assert_int_equal(tctx, dlz_newversion(lpcfg_dnsdomain(tctx->lp_ctx), dbdata, &version), ISC_R_SUCCESS, "Failed to start transaction"); torture_assert_int_equal_goto(tctx, dlz_delrdataset(name, expected1->records[0].type, dbdata, version), ISC_R_SUCCESS, ret, cancel_version, talloc_asprintf(tctx, "Failed to delete name[%s] type[%s]\n", name, expected1->records[0].type)); dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), true, dbdata, &version); /* Step 23. */ expected1->num_rr = 0; expected1->records[0].printed = false; expected1->records[1].printed = false; torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), expected1->query_name, dbdata, (dns_sdlzlookup_t *)expected1), ISC_R_NOTFOUND, "Found hostname"); torture_assert_int_equal(tctx, expected1->num_rr, 0, "Got wrong record count"); dlz_destroy(dbdata); return true; cancel_version: dlz_closeversion(lpcfg_dnsdomain(tctx->lp_ctx), false, dbdata, &version); return ret; }
/* perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can we fit on one socket??) */ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads, const char *sasl, enum credentials_use_kerberos krb5_state, const char *target_service, const char *target_hostname, const DATA_BLOB server_blob) { DATA_BLOB blob_in = data_blob_null; DATA_BLOB blob_out = data_blob_null; int rc; NTSTATUS nt_status; ADS_STATUS status; struct auth_generic_state *auth_generic_state; bool use_spnego_principal = lp_client_use_spnego_principal(); const char *sasl_list[] = { sasl, NULL }; nt_status = auth_generic_client_prepare(NULL, &auth_generic_state); if (!NT_STATUS_IS_OK(nt_status)) { return ADS_ERROR_NT(nt_status); } if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_username(auth_generic_state, ads->auth.user_name))) { return ADS_ERROR_NT(nt_status); } if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_domain(auth_generic_state, ads->auth.realm))) { return ADS_ERROR_NT(nt_status); } if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_password(auth_generic_state, ads->auth.password))) { return ADS_ERROR_NT(nt_status); } if (server_blob.length == 0) { use_spnego_principal = false; } if (krb5_state == CRED_DONT_USE_KERBEROS) { use_spnego_principal = false; } cli_credentials_set_kerberos_state(auth_generic_state->credentials, krb5_state); if (target_service != NULL) { nt_status = gensec_set_target_service( auth_generic_state->gensec_security, target_service); if (!NT_STATUS_IS_OK(nt_status)) { return ADS_ERROR_NT(nt_status); } } if (target_hostname != NULL) { nt_status = gensec_set_target_hostname( auth_generic_state->gensec_security, target_hostname); if (!NT_STATUS_IS_OK(nt_status)) { return ADS_ERROR_NT(nt_status); } } if (target_service != NULL && target_hostname != NULL) { use_spnego_principal = false; } switch (ads->ldap.wrap_type) { case ADS_SASLWRAP_TYPE_SEAL: gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL); break; case ADS_SASLWRAP_TYPE_SIGN: if (ads->auth.flags & ADS_AUTH_SASL_FORCE) { gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); } else { /* * windows servers are broken with sign only, * so we let the NTLMSSP backend to seal here, * via GENSEC_FEATURE_LDAP_STYLE. */ gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_LDAP_STYLE); } break; case ADS_SASLWRAP_TYPE_PLAIN: break; } nt_status = auth_generic_client_start_by_sasl(auth_generic_state, sasl_list); if (!NT_STATUS_IS_OK(nt_status)) { return ADS_ERROR_NT(nt_status); } rc = LDAP_SASL_BIND_IN_PROGRESS; nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED; if (use_spnego_principal) { blob_in = data_blob_dup_talloc(talloc_tos(), server_blob); if (blob_in.length == 0) { TALLOC_FREE(auth_generic_state); return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } } else { blob_in = data_blob_null; } blob_out = data_blob_null; while (true) { struct berval cred, *scred = NULL; nt_status = gensec_update(auth_generic_state->gensec_security, talloc_tos(), blob_in, &blob_out); data_blob_free(&blob_in); if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(auth_generic_state); data_blob_free(&blob_out); return ADS_ERROR_NT(nt_status); } if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_out.length == 0) { break; } cred.bv_val = (char *)blob_out.data; cred.bv_len = blob_out.length; scred = NULL; rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, sasl, &cred, NULL, NULL, &scred); data_blob_free(&blob_out); if ((rc != LDAP_SASL_BIND_IN_PROGRESS) && (rc != 0)) { if (scred) { ber_bvfree(scred); } TALLOC_FREE(auth_generic_state); return ADS_ERROR(rc); } if (scred) { blob_in = data_blob_talloc(talloc_tos(), scred->bv_val, scred->bv_len); if (blob_in.length != scred->bv_len) { ber_bvfree(scred); TALLOC_FREE(auth_generic_state); return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } ber_bvfree(scred); } else { blob_in = data_blob_null; } if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_in.length == 0) { break; } } data_blob_free(&blob_in); data_blob_free(&blob_out); if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) { size_t max_wrapped = gensec_max_wrapped_size(auth_generic_state->gensec_security); ads->ldap.out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security); ads->ldap.out.sig_size = max_wrapped - ads->ldap.out.max_unwrapped; ads->ldap.in.min_wrapped = ads->ldap.out.sig_size; ads->ldap.in.max_wrapped = max_wrapped; status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security); if (!ADS_ERR_OK(status)) { DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n", ads_errstr(status))); TALLOC_FREE(auth_generic_state); return status; } /* Only keep the gensec_security element around long-term */ talloc_steal(NULL, auth_generic_state->gensec_security); } TALLOC_FREE(auth_generic_state); return ADS_ERROR(rc); }
/* perform a sasl bind using the given credentials */ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds, struct loadparm_context *lp_ctx) { NTSTATUS status; TALLOC_CTX *tmp_ctx = NULL; DATA_BLOB input = data_blob(NULL, 0); DATA_BLOB output = data_blob(NULL, 0); struct ldap_message **sasl_mechs_msgs; struct ldap_SearchResEntry *search; int count, i; const char **sasl_names; uint32_t old_gensec_features; static const char *supported_sasl_mech_attrs[] = { "supportedSASLMechanisms", NULL }; unsigned int logon_retries = 0; status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs, false, NULL, NULL, &sasl_mechs_msgs); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n", nt_errstr(status))); goto failed; } count = ildap_count_entries(conn, sasl_mechs_msgs); if (count != 1) { DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n", count)); goto failed; } tmp_ctx = talloc_new(conn); if (tmp_ctx == NULL) goto failed; search = &sasl_mechs_msgs[0]->r.SearchResultEntry; if (search->num_attributes != 1) { DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d != 1\n", search->num_attributes)); goto failed; } sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1); if (!sasl_names) { DEBUG(1, ("talloc_arry(char *, %d) failed\n", count)); goto failed; } for (i=0; i<search->attributes[0].num_values; i++) { sasl_names[i] = (const char *)search->attributes[0].values[i].data; } sasl_names[i] = NULL; gensec_init(); try_logon_again: /* we loop back here on a logon failure, and re-create the gensec session. The logon_retries counter ensures we don't loop forever. */ status = gensec_client_start(conn, &conn->gensec, lpcfg_gensec_settings(conn, lp_ctx)); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status))); goto failed; } /* require Kerberos SIGN/SEAL only if we don't use SSL * Windows seem not to like double encryption */ old_gensec_features = cli_credentials_get_gensec_features(creds); if (tls_enabled(conn->sock)) { cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)); } /* this call also sets the gensec_want_features */ status = gensec_set_credentials(conn->gensec, creds); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to set GENSEC creds: %s\n", nt_errstr(status))); goto failed; } /* reset the original gensec_features (on the credentials * context, so we don't tatoo it ) */ cli_credentials_set_gensec_features(creds, old_gensec_features); if (conn->host) { status = gensec_set_target_hostname(conn->gensec, conn->host); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to set GENSEC target hostname: %s\n", nt_errstr(status))); goto failed; } } status = gensec_set_target_service(conn->gensec, "ldap"); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to set GENSEC target service: %s\n", nt_errstr(status))); goto failed; } status = gensec_start_mech_by_sasl_list(conn->gensec, sasl_names); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("None of the %d proposed SASL mechs were acceptable: %s\n", count, nt_errstr(status))); goto failed; } while (1) { NTSTATUS gensec_status; struct ldap_message *response; struct ldap_message *msg; struct ldap_request *req; int result = LDAP_OTHER; status = gensec_update(conn->gensec, tmp_ctx, conn->event.event_ctx, input, &output); /* The status value here, from GENSEC is vital to the security * of the system. Even if the other end accepts, if GENSEC * claims 'MORE_PROCESSING_REQUIRED' then you must keep * feeding it blobs, or else the remote host/attacker might * avoid mutal authentication requirements. * * Likewise, you must not feed GENSEC too much (after the OK), * it doesn't like that either */ gensec_status = status; if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) { break; } if (NT_STATUS_IS_OK(status) && output.length == 0) { break; } /* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */ msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL)); if (msg == NULL) { status = NT_STATUS_NO_MEMORY; goto failed; } req = ldap_request_send(conn, msg); if (req == NULL) { status = NT_STATUS_NO_MEMORY; goto failed; } talloc_reparent(conn, tmp_ctx, req); status = ldap_result_n(req, 0, &response); if (!NT_STATUS_IS_OK(status)) { goto failed; } if (response->type != LDAP_TAG_BindResponse) { status = NT_STATUS_UNEXPECTED_NETWORK_ERROR; goto failed; } result = response->r.BindResponse.response.resultcode; if (result == LDAP_INVALID_CREDENTIALS) { /* try a second time on invalid credentials, to give the user a chance to re-enter the password and to handle the case where our kerberos ticket is invalid as the server password has changed */ const char *principal; principal = gensec_get_target_principal(conn->gensec); if (principal == NULL) { const char *hostname = gensec_get_target_hostname(conn->gensec); const char *service = gensec_get_target_service(conn->gensec); if (hostname != NULL && service != NULL) { principal = talloc_asprintf(tmp_ctx, "%s/%s", service, hostname); } } if (cli_credentials_failed_kerberos_login(creds, principal, &logon_retries) || cli_credentials_wrong_password(creds)) { /* destroy our gensec session and loop back up to the top to retry, offering the user a chance to enter new credentials, or get a new ticket if using kerberos */ talloc_free(conn->gensec); conn->gensec = NULL; goto try_logon_again; } } if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) { status = ldap_check_response(conn, &response->r.BindResponse.response); break; } /* This is where we check if GENSEC wanted to be fed more data */ if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { break; } if (response->r.BindResponse.SASL.secblob) { input = *response->r.BindResponse.SASL.secblob; } else { input = data_blob(NULL, 0); } } talloc_free(tmp_ctx); if (NT_STATUS_IS_OK(status)) { struct socket_context *sasl_socket; status = gensec_socket_init(conn->gensec, conn, conn->sock, conn->event.event_ctx, ldap_read_io_handler, conn, &sasl_socket); if (!NT_STATUS_IS_OK(status)) goto failed; conn->sock = sasl_socket; packet_set_socket(conn->packet, conn->sock); conn->bind.type = LDAP_BIND_SASL; conn->bind.creds = creds; } return status; failed: talloc_free(tmp_ctx); talloc_free(conn->gensec); conn->gensec = NULL; return status; }
/* perform a sasl bind using the given credentials */ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds, struct loadparm_context *lp_ctx) { NTSTATUS status; TALLOC_CTX *tmp_ctx = NULL; DATA_BLOB input = data_blob(NULL, 0); DATA_BLOB output = data_blob(NULL, 0); struct ldap_message **sasl_mechs_msgs; struct ldap_SearchResEntry *search; int count, i; bool first = true; int wrap_flags = 0; const char **sasl_names; uint32_t old_gensec_features; static const char *supported_sasl_mech_attrs[] = { "supportedSASLMechanisms", NULL }; unsigned int logon_retries = 0; size_t queue_length; if (conn->sockets.active == NULL) { status = NT_STATUS_CONNECTION_DISCONNECTED; goto failed; } queue_length = tevent_queue_length(conn->sockets.send_queue); if (queue_length != 0) { status = NT_STATUS_INVALID_PARAMETER_MIX; DEBUG(1, ("SASL bind triggered with non empty send_queue[%zu]: %s\n", queue_length, nt_errstr(status))); goto failed; } if (conn->pending != NULL) { status = NT_STATUS_INVALID_PARAMETER_MIX; DEBUG(1, ("SASL bind triggered with pending requests: %s\n", nt_errstr(status))); goto failed; } status = ildap_search(conn, "", LDAP_SEARCH_SCOPE_BASE, "", supported_sasl_mech_attrs, false, NULL, NULL, &sasl_mechs_msgs); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: %s\n", nt_errstr(status))); goto failed; } count = ildap_count_entries(conn, sasl_mechs_msgs); if (count != 1) { DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of replies: %d\n", count)); goto failed; } tmp_ctx = talloc_new(conn); if (tmp_ctx == NULL) goto failed; search = &sasl_mechs_msgs[0]->r.SearchResultEntry; if (search->num_attributes != 1) { DEBUG(1, ("Failed to inquire of target's available sasl mechs in rootdse search: wrong number of attributes: %d != 1\n", search->num_attributes)); goto failed; } sasl_names = talloc_array(tmp_ctx, const char *, search->attributes[0].num_values + 1); if (!sasl_names) { DEBUG(1, ("talloc_arry(char *, %d) failed\n", count)); goto failed; } for (i=0; i<search->attributes[0].num_values; i++) { sasl_names[i] = (const char *)search->attributes[0].values[i].data; } sasl_names[i] = NULL; gensec_init(); if (conn->sockets.active == conn->sockets.tls) { /* * require Kerberos SIGN/SEAL only if we don't use SSL * Windows seem not to like double encryption */ wrap_flags = 0; } else if (cli_credentials_is_anonymous(creds)) { /* * anonymous isn't protected */ wrap_flags = 0; } else { wrap_flags = lpcfg_client_ldap_sasl_wrapping(lp_ctx); } try_logon_again: /* we loop back here on a logon failure, and re-create the gensec session. The logon_retries counter ensures we don't loop forever. */ data_blob_free(&input); TALLOC_FREE(conn->gensec); status = gensec_client_start(conn, &conn->gensec, lpcfg_gensec_settings(conn, lp_ctx)); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status))); goto failed; } old_gensec_features = cli_credentials_get_gensec_features(creds); if (wrap_flags == 0) { cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)); } /* this call also sets the gensec_want_features */ status = gensec_set_credentials(conn->gensec, creds); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to set GENSEC creds: %s\n", nt_errstr(status))); goto failed; } /* reset the original gensec_features (on the credentials * context, so we don't tatoo it ) */ cli_credentials_set_gensec_features(creds, old_gensec_features); if (wrap_flags & ADS_AUTH_SASL_SEAL) { gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN); gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL); } if (wrap_flags & ADS_AUTH_SASL_SIGN) { gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN); } /* * This is an indication for the NTLMSSP backend to * also encrypt when only GENSEC_FEATURE_SIGN is requested * in gensec_[un]wrap(). */ gensec_want_feature(conn->gensec, GENSEC_FEATURE_LDAP_STYLE); if (conn->host) { status = gensec_set_target_hostname(conn->gensec, conn->host); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to set GENSEC target hostname: %s\n", nt_errstr(status))); goto failed; } } status = gensec_set_target_service(conn->gensec, "ldap"); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to set GENSEC target service: %s\n", nt_errstr(status))); goto failed; } status = gensec_start_mech_by_sasl_list(conn->gensec, sasl_names); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("None of the %d proposed SASL mechs were acceptable: %s\n", count, nt_errstr(status))); goto failed; } while (1) { NTSTATUS gensec_status; struct ldap_message *response; struct ldap_message *msg; struct ldap_request *req; int result = LDAP_OTHER; status = gensec_update_ev(conn->gensec, tmp_ctx, conn->event.event_ctx, input, &output); /* The status value here, from GENSEC is vital to the security * of the system. Even if the other end accepts, if GENSEC * claims 'MORE_PROCESSING_REQUIRED' then you must keep * feeding it blobs, or else the remote host/attacker might * avoid mutal authentication requirements. * * Likewise, you must not feed GENSEC too much (after the OK), * it doesn't like that either. * * For SASL/EXTERNAL, there is no data to send, but we still * must send the actual Bind request the first time around. * Otherwise, a result of NT_STATUS_OK with 0 output means the * end of a multi-step authentication, and no message must be * sent. */ gensec_status = status; if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) { break; } if (NT_STATUS_IS_OK(status) && output.length == 0) { if (!first) break; } first = false; /* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */ msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL)); if (msg == NULL) { status = NT_STATUS_NO_MEMORY; goto failed; } req = ldap_request_send(conn, msg); if (req == NULL) { status = NT_STATUS_NO_MEMORY; goto failed; } talloc_reparent(conn, tmp_ctx, req); status = ldap_result_n(req, 0, &response); if (!NT_STATUS_IS_OK(status)) { goto failed; } if (response->type != LDAP_TAG_BindResponse) { status = NT_STATUS_UNEXPECTED_NETWORK_ERROR; goto failed; } result = response->r.BindResponse.response.resultcode; if (result == LDAP_STRONG_AUTH_REQUIRED) { if (wrap_flags == 0) { wrap_flags = ADS_AUTH_SASL_SIGN; goto try_logon_again; } } if (result == LDAP_INVALID_CREDENTIALS) { /* try a second time on invalid credentials, to give the user a chance to re-enter the password and to handle the case where our kerberos ticket is invalid as the server password has changed */ const char *principal; principal = gensec_get_target_principal(conn->gensec); if (principal == NULL) { const char *hostname = gensec_get_target_hostname(conn->gensec); const char *service = gensec_get_target_service(conn->gensec); if (hostname != NULL && service != NULL) { principal = talloc_asprintf(tmp_ctx, "%s/%s", service, hostname); } } if (cli_credentials_failed_kerberos_login(creds, principal, &logon_retries) || cli_credentials_wrong_password(creds)) { /* destroy our gensec session and loop back up to the top to retry, offering the user a chance to enter new credentials, or get a new ticket if using kerberos */ goto try_logon_again; } } if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) { status = ldap_check_response(conn, &response->r.BindResponse.response); break; } /* This is where we check if GENSEC wanted to be fed more data */ if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { break; } if (response->r.BindResponse.SASL.secblob) { input = *response->r.BindResponse.SASL.secblob; } else { input = data_blob(NULL, 0); } } TALLOC_FREE(tmp_ctx); if (!NT_STATUS_IS_OK(status)) { goto failed; } conn->bind.type = LDAP_BIND_SASL; conn->bind.creds = creds; if (wrap_flags & ADS_AUTH_SASL_SEAL) { if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) { return NT_STATUS_INVALID_NETWORK_RESPONSE; } if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) { return NT_STATUS_INVALID_NETWORK_RESPONSE; } } else if (wrap_flags & ADS_AUTH_SASL_SIGN) { if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) { return NT_STATUS_INVALID_NETWORK_RESPONSE; } } if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) && !gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) { return NT_STATUS_OK; } status = gensec_create_tstream(conn->sockets.raw, conn->gensec, conn->sockets.raw, &conn->sockets.sasl); if (!NT_STATUS_IS_OK(status)) { goto failed; } conn->sockets.active = conn->sockets.sasl; return NT_STATUS_OK; failed: talloc_free(tmp_ctx); talloc_free(conn->gensec); conn->gensec = NULL; return status; }
static bool test_PACVerify(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *credentials) { NTSTATUS status; struct netr_LogonSamLogon r; union netr_LogonLevel logon; union netr_Validation validation; uint8_t authoritative; struct netr_Authenticator return_authenticator; struct netr_GenericInfo generic; struct netr_Authenticator auth, auth2; struct netlogon_creds_CredentialState *creds; struct gensec_security *gensec_client_context; struct gensec_security *gensec_server_context; DATA_BLOB client_to_server, server_to_client, pac_wrapped, payload; struct PAC_Validate pac_wrapped_struct; enum ndr_err_code ndr_err; struct auth_session_info *session_info; char *tmp_dir; TALLOC_CTX *tmp_ctx = talloc_new(tctx); torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed"); if (!test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, credentials, SEC_CHAN_BDC, &creds)) { return false; } status = torture_temp_dir(tctx, "PACVerify", &tmp_dir); torture_assert_ntstatus_ok(tctx, status, "torture_temp_dir failed"); status = gensec_client_start(tctx, &gensec_client_context, tctx->ev, lp_gensec_settings(tctx, tctx->lp_ctx)); torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed"); status = gensec_set_target_hostname(gensec_client_context, TEST_MACHINE_NAME); status = gensec_set_credentials(gensec_client_context, cmdline_credentials); torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed"); status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSSAPI"); torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed"); status = gensec_server_start(tctx, tctx->ev, lp_gensec_settings(tctx, tctx->lp_ctx), NULL, &gensec_server_context); torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed"); status = gensec_set_credentials(gensec_server_context, credentials); torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (server) failed"); status = gensec_start_mech_by_sasl_name(gensec_server_context, "GSSAPI"); torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (server) failed"); server_to_client = data_blob(NULL, 0); do { /* Do a client-server update dance */ status = gensec_update(gensec_client_context, tmp_ctx, server_to_client, &client_to_server); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { ; torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed"); } status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { ; torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed"); } if (NT_STATUS_IS_OK(status)) { break; } } while (1); /* Extract the PAC using Samba's code */ status = gensec_session_info(gensec_server_context, &session_info); torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed"); pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length; pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type; pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length; pac_wrapped_struct.ChecksumAndSignature = payload = data_blob_talloc(tmp_ctx, NULL, pac_wrapped_struct.ChecksumLength + pac_wrapped_struct.SignatureLength); memcpy(&payload.data[0], session_info->server_info->pac_srv_sig.signature.data, pac_wrapped_struct.ChecksumLength); memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], session_info->server_info->pac_kdc_sig.signature.data, pac_wrapped_struct.SignatureLength); ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, lp_iconv_convenience(tctx->lp_ctx), &pac_wrapped_struct, (ndr_push_flags_fn_t)ndr_push_PAC_Validate); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; /* Validate it over the netlogon pipe */ generic.identity_info.parameter_control = 0; generic.identity_info.logon_id_high = 0; generic.identity_info.logon_id_low = 0; generic.identity_info.domain_name.string = session_info->server_info->domain_name; generic.identity_info.account_name.string = session_info->server_info->account_name; generic.identity_info.workstation.string = TEST_MACHINE_NAME; generic.package_name.string = "Kerberos"; logon.generic = &generic; ZERO_STRUCT(auth2); netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon = &logon; r.in.logon_level = NetlogonGenericInformation; r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.validation_level = NetlogonValidationGenericInfo2; r.out.validation = &validation; r.out.authoritative = &authoritative; r.out.return_authenticator = &return_authenticator; status = dcerpc_netr_LogonSamLogon(p, tctx, &r); torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed"); /* This will break the signature nicely (even in the crypto wrapping), check we get a logon failure */ generic.data[generic.length-1]++; logon.generic = &generic; ZERO_STRUCT(auth2); netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; r.in.logon = &logon; r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.validation_level = NetlogonValidationGenericInfo2; status = dcerpc_netr_LogonSamLogon(p, tctx, &r); torture_assert_ntstatus_equal(tctx, status, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed"); torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); /* This will break the parsing nicely (even in the crypto wrapping), check we get INVALID_PARAMETER */ generic.length--; logon.generic = &generic; ZERO_STRUCT(auth2); netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; r.in.logon = &logon; r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.validation_level = NetlogonValidationGenericInfo2; status = dcerpc_netr_LogonSamLogon(p, tctx, &r); torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed"); torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length; pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type; /* Break the SignatureType */ pac_wrapped_struct.SignatureType++; pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length; pac_wrapped_struct.ChecksumAndSignature = payload = data_blob_talloc(tmp_ctx, NULL, pac_wrapped_struct.ChecksumLength + pac_wrapped_struct.SignatureLength); memcpy(&payload.data[0], session_info->server_info->pac_srv_sig.signature.data, pac_wrapped_struct.ChecksumLength); memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], session_info->server_info->pac_kdc_sig.signature.data, pac_wrapped_struct.SignatureLength); ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, lp_iconv_convenience(tctx->lp_ctx), &pac_wrapped_struct, (ndr_push_flags_fn_t)ndr_push_PAC_Validate); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; logon.generic = &generic; ZERO_STRUCT(auth2); netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; r.in.logon = &logon; r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.validation_level = NetlogonValidationGenericInfo2; status = dcerpc_netr_LogonSamLogon(p, tctx, &r); torture_assert_ntstatus_equal(tctx, status, NT_STATUS_LOGON_FAILURE, "LogonSamLogon failed"); torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length; pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type; pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length; pac_wrapped_struct.ChecksumAndSignature = payload = data_blob_talloc(tmp_ctx, NULL, pac_wrapped_struct.ChecksumLength + pac_wrapped_struct.SignatureLength); memcpy(&payload.data[0], session_info->server_info->pac_srv_sig.signature.data, pac_wrapped_struct.ChecksumLength); memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], session_info->server_info->pac_kdc_sig.signature.data, pac_wrapped_struct.SignatureLength); /* Break the signature length */ pac_wrapped_struct.SignatureLength++; ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, lp_iconv_convenience(tctx->lp_ctx), &pac_wrapped_struct, (ndr_push_flags_fn_t)ndr_push_PAC_Validate); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_push_struct_blob of PACValidate structure failed"); torture_assert(tctx, (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR), "not willing to even try a PACValidate without RC4 encryption"); netlogon_creds_arcfour_crypt(creds, pac_wrapped.data, pac_wrapped.length); generic.length = pac_wrapped.length; generic.data = pac_wrapped.data; logon.generic = &generic; ZERO_STRUCT(auth2); netlogon_creds_client_authenticator(creds, &auth); r.in.credential = &auth; r.in.return_authenticator = &auth2; r.in.logon_level = NetlogonGenericInformation; r.in.logon = &logon; r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p)); r.in.computer_name = cli_credentials_get_workstation(credentials); r.in.validation_level = NetlogonValidationGenericInfo2; status = dcerpc_netr_LogonSamLogon(p, tctx, &r); torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER, "LogonSamLogon failed"); torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); return true; }