search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
docs: Fix variable list in man vfs_crossrename.
[Samba.git] / source3 / smbd / sesssetup.c
blob75c2a1551d157f2b721081107155e2c58c8d997f
1 /*
2 Unix SMB/CIFS implementation.
3 handle SMBsessionsetup
4 Copyright (C) Andrew Tridgell 1998-2001
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
7 Copyright (C) Luke Howard 2003
8 Copyright (C) Volker Lendecke 2007
9 Copyright (C) Jeremy Allison 2007
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "../lib/tsocket/tsocket.h"
27 #include "smbd/smbd.h"
28 #include "smbd/globals.h"
29 #include "../libcli/auth/spnego.h"
30 #include "../libcli/auth/ntlmssp.h"
31 #include "ntlmssp_wrap.h"
32 #include "../librpc/gen_ndr/krb5pac.h"
33 #include "libads/kerberos_proto.h"
34 #include "../lib/util/asn1.h"
35 #include "auth.h"
36 #include "messages.h"
37 #include "smbprofile.h"
38
39 /* For split krb5 SPNEGO blobs. */
40 struct pending_auth_data {
41 struct pending_auth_data *prev, *next;
42 uint16 vuid; /* Tag for this entry. */
43 uint16 smbpid; /* Alternate tag for this entry. */
44 size_t needed_len;
45 DATA_BLOB partial_data;
46 };
47
48 /*
49 on a logon error possibly map the error to success if "map to guest"
50 is set approriately
51 */
52 NTSTATUS do_map_to_guest(NTSTATUS status,
53 struct auth_serversupplied_info **server_info,
54 const char *user, const char *domain)
55 {
56 user = user ? user : "";
57 domain = domain ? domain : "";
58
59 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
60 if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
61 (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
62 DEBUG(3,("No such user %s [%s] - using guest account\n",
63 user, domain));
64 status = make_server_info_guest(NULL, server_info);
65 }
66 }
67
68 if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
69 if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
70 DEBUG(3,("Registered username %s for guest access\n",
71 user));
72 status = make_server_info_guest(NULL, server_info);
73 }
74 }
75
76 return status;
77 }
78
79 /****************************************************************************
80 Add the standard 'Samba' signature to the end of the session setup.
81 ****************************************************************************/
82
83 static int push_signature(uint8 **outbuf)
84 {
85 char *lanman;
86 int result, tmp;
87
88 result = 0;
89
90 tmp = message_push_string(outbuf, "Unix", STR_TERMINATE);
91
92 if (tmp == -1) return -1;
93 result += tmp;
94
95 if (asprintf(&lanman, "Samba %s", samba_version_string()) != -1) {
96 tmp = message_push_string(outbuf, lanman, STR_TERMINATE);
97 SAFE_FREE(lanman);
98 }
99 else {
100 tmp = message_push_string(outbuf, "Samba", STR_TERMINATE);
101 }
102
103 if (tmp == -1) return -1;
104 result += tmp;
105
106 tmp = message_push_string(outbuf, lp_workgroup(), STR_TERMINATE);
107
108 if (tmp == -1) return -1;
109 result += tmp;
110
111 return result;
112 }
113
114 /****************************************************************************
115 Send a security blob via a session setup reply.
116 ****************************************************************************/
117
118 static void reply_sesssetup_blob(struct smb_request *req,
119 DATA_BLOB blob,
120 NTSTATUS nt_status)
121 {
122 if (!NT_STATUS_IS_OK(nt_status) &&
123 !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
124 reply_nterror(req, nt_status_squash(nt_status));
125 return;
126 }
127
128 nt_status = nt_status_squash(nt_status);
129 SIVAL(req->outbuf, smb_rcls, NT_STATUS_V(nt_status));
130 SSVAL(req->outbuf, smb_vwv0, 0xFF); /* no chaining possible */
131 SSVAL(req->outbuf, smb_vwv3, blob.length);
132
133 if ((message_push_blob(&req->outbuf, blob) == -1)
134 || (push_signature(&req->outbuf) == -1)) {
135 reply_nterror(req, NT_STATUS_NO_MEMORY);
136 }
137 }
138
139 /****************************************************************************
140 Do a 'guest' logon, getting back the
141 ****************************************************************************/
142
143 static NTSTATUS check_guest_password(struct auth_serversupplied_info **server_info)
144 {
145 struct auth_context *auth_context;
146 struct auth_usersupplied_info *user_info = NULL;
147
148 NTSTATUS nt_status;
149 static unsigned char chal[8] = { 0, };
150
151 DEBUG(3,("Got anonymous request\n"));
152
153 nt_status = make_auth_context_fixed(talloc_tos(), &auth_context, chal);
154 if (!NT_STATUS_IS_OK(nt_status)) {
155 return nt_status;
156 }
157
158 if (!make_user_info_guest(&user_info)) {
159 TALLOC_FREE(auth_context);
160 return NT_STATUS_NO_MEMORY;
161 }
162
163 nt_status = auth_context->check_ntlm_password(auth_context,
164 user_info,
165 server_info);
166 TALLOC_FREE(auth_context);
167 free_user_info(&user_info);
168 return nt_status;
169 }
170
171
172 #ifdef HAVE_KRB5
173
174 #if 0
175 /* Experiment that failed. See "only happens with a KDC" comment below. */
176 /****************************************************************************
177 Cerate a clock skew error blob for a Windows client.
178 ****************************************************************************/
179
180 static bool make_krb5_skew_error(DATA_BLOB *pblob_out)
181 {
182 krb5_context context = NULL;
183 krb5_error_code kerr = 0;
184 krb5_data reply;
185 krb5_principal host_princ = NULL;
186 char *host_princ_s = NULL;
187 bool ret = False;
188
189 *pblob_out = data_blob_null;
190
191 initialize_krb5_error_table();
192 kerr = krb5_init_context(&context);
193 if (kerr) {
194 return False;
195 }
196 /* Create server principal. */
197 asprintf(&host_princ_s, "%s$@%s", global_myname(), lp_realm());
198 if (!host_princ_s) {
199 goto out;
200 }
201 strlower_m(host_princ_s);
202
203 kerr = smb_krb5_parse_name(context, host_princ_s, &host_princ);
204 if (kerr) {
205 DEBUG(10,("make_krb5_skew_error: smb_krb5_parse_name failed "
206 "for name %s: Error %s\n",
207 host_princ_s, error_message(kerr) ));
208 goto out;
209 }
210
211 kerr = smb_krb5_mk_error(context, KRB5KRB_AP_ERR_SKEW,
212 host_princ, &reply);
213 if (kerr) {
214 DEBUG(10,("make_krb5_skew_error: smb_krb5_mk_error "
215 "failed: Error %s\n",
216 error_message(kerr) ));
217 goto out;
218 }
219
220 *pblob_out = data_blob(reply.data, reply.length);
221 kerberos_free_data_contents(context,&reply);
222 ret = True;
223
224 out:
225
226 if (host_princ_s) {
227 SAFE_FREE(host_princ_s);
228 }
229 if (host_princ) {
230 krb5_free_principal(context, host_princ);
231 }
232 krb5_free_context(context);
233 return ret;
234 }
235 #endif
236
237 /****************************************************************************
238 Reply to a session setup spnego negotiate packet for kerberos.
239 ****************************************************************************/
240
241 static void reply_spnego_kerberos(struct smb_request *req,
242 DATA_BLOB *secblob,
243 const char *mechOID,
244 uint16 vuid,
245 bool *p_invalidate_vuid)
246 {
247 TALLOC_CTX *mem_ctx;
248 DATA_BLOB ticket;
249 struct passwd *pw;
250 int sess_vuid = req->vuid;
251 NTSTATUS ret = NT_STATUS_OK;
252 DATA_BLOB ap_rep, ap_rep_wrapped, response;
253 struct auth_serversupplied_info *server_info = NULL;
254 DATA_BLOB session_key = data_blob_null;
255 uint8 tok_id[2];
256 DATA_BLOB nullblob = data_blob_null;
257 bool map_domainuser_to_guest = False;
258 bool username_was_mapped;
259 struct PAC_LOGON_INFO *logon_info = NULL;
260 struct smbd_server_connection *sconn = req->sconn;
261 char *principal;
262 char *user;
263 char *domain;
264 char *real_username;
265
266 ZERO_STRUCT(ticket);
267 ZERO_STRUCT(ap_rep);
268 ZERO_STRUCT(ap_rep_wrapped);
269 ZERO_STRUCT(response);
270
271 /* Normally we will always invalidate the intermediate vuid. */
272 *p_invalidate_vuid = True;
273
274 mem_ctx = talloc_init("reply_spnego_kerberos");
275 if (mem_ctx == NULL) {
276 reply_nterror(req, nt_status_squash(NT_STATUS_NO_MEMORY));
277 return;
278 }
279
280 if (!spnego_parse_krb5_wrap(mem_ctx, *secblob, &ticket, tok_id)) {
281 talloc_destroy(mem_ctx);
282 reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
283 return;
284 }
285
286 ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket,
287 &principal, &logon_info, &ap_rep,
288 &session_key, True);
289
290 data_blob_free(&ticket);
291
292 if (!NT_STATUS_IS_OK(ret)) {
293 #if 0
294 /* Experiment that failed.
295 * See "only happens with a KDC" comment below. */
296
297 if (NT_STATUS_EQUAL(ret, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
298
299 /*
300 * Windows in this case returns
301 * NT_STATUS_MORE_PROCESSING_REQUIRED
302 * with a negTokenTarg blob containing an krb5_error
303 * struct ASN1 encoded containing KRB5KRB_AP_ERR_SKEW.
304 * The client then fixes its clock and continues rather
305 * than giving an error. JRA.
306 * -- Looks like this only happens with a KDC. JRA.
307 */
308
309 bool ok = make_krb5_skew_error(&ap_rep);
310 if (!ok) {
311 talloc_destroy(mem_ctx);
312 return ERROR_NT(nt_status_squash(
313 NT_STATUS_LOGON_FAILURE));
314 }
315 ap_rep_wrapped = spnego_gen_krb5_wrap(ap_rep,
316 TOK_ID_KRB_ERROR);
317 response = spnego_gen_auth_response(&ap_rep_wrapped,
318 ret, OID_KERBEROS5_OLD);
319 reply_sesssetup_blob(conn, inbuf, outbuf, response,
320 NT_STATUS_MORE_PROCESSING_REQUIRED);
321
322 /*
323 * In this one case we don't invalidate the
324 * intermediate vuid as we're expecting the client
325 * to re-use it for the next sessionsetupX packet. JRA.
326 */
327
328 *p_invalidate_vuid = False;
329
330 data_blob_free(&ap_rep);
331 data_blob_free(&ap_rep_wrapped);
332 data_blob_free(&response);
333 talloc_destroy(mem_ctx);
334 return -1; /* already replied */
335 }
336 #else
337 if (!NT_STATUS_EQUAL(ret, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
338 ret = NT_STATUS_LOGON_FAILURE;
339 }
340 #endif
341 DEBUG(1,("Failed to verify incoming ticket with error %s!\n",
342 nt_errstr(ret)));
343 talloc_destroy(mem_ctx);
344 reply_nterror(req, nt_status_squash(ret));
345 return;
346 }
347
348 ret = get_user_from_kerberos_info(talloc_tos(),
349 sconn->client_id.name,
350 principal, logon_info,
351 &username_was_mapped,
352 &map_domainuser_to_guest,
353 &user, &domain,
354 &real_username, &pw);
355 if (!NT_STATUS_IS_OK(ret)) {
356 data_blob_free(&ap_rep);
357 data_blob_free(&session_key);
358 talloc_destroy(mem_ctx);
359 reply_nterror(req,nt_status_squash(NT_STATUS_LOGON_FAILURE));
360 return;
361 }
362
363 /* save the PAC data if we have it */
364 if (logon_info) {
365 netsamlogon_cache_store(user, &logon_info->info3);
366 }
367
368 /* setup the string used by %U */
369 sub_set_smb_name(real_username);
370
371 /* reload services so that the new %U is taken into account */
372 reload_services(sconn->msg_ctx, sconn->sock, True);
373
374 ret = make_server_info_krb5(mem_ctx,
375 user, domain, real_username, pw,
376 logon_info, map_domainuser_to_guest,
377 &server_info);
378 if (!NT_STATUS_IS_OK(ret)) {
379 DEBUG(1, ("make_server_info_krb5 failed!\n"));
380 data_blob_free(&ap_rep);
381 data_blob_free(&session_key);
382 TALLOC_FREE(mem_ctx);
383 reply_nterror(req, nt_status_squash(ret));
384 return;
385 }
386
387 server_info->nss_token |= username_was_mapped;
388
389 /* we need to build the token for the user. make_server_info_guest()
390 already does this */
391
392 if ( !server_info->security_token ) {
393 ret = create_local_token( server_info );
394 if ( !NT_STATUS_IS_OK(ret) ) {
395 DEBUG(10,("failed to create local token: %s\n",
396 nt_errstr(ret)));
397 data_blob_free(&ap_rep);
398 data_blob_free(&session_key);
399 TALLOC_FREE( mem_ctx );
400 TALLOC_FREE( server_info );
401 reply_nterror(req, nt_status_squash(ret));
402 return;
403 }
404 }
405
406 if (!is_partial_auth_vuid(sconn, sess_vuid)) {
407 sess_vuid = register_initial_vuid(sconn);
408 }
409
410 data_blob_free(&server_info->user_session_key);
411 /* Set the kerberos-derived session key onto the server_info */
412 server_info->user_session_key = session_key;
413 talloc_steal(server_info, session_key.data);
414
415 session_key = data_blob_null;
416
417 /* register_existing_vuid keeps the server info */
418 /* register_existing_vuid takes ownership of session_key on success,
419 * no need to free after this on success. A better interface would copy
420 * it.... */
421
422 sess_vuid = register_existing_vuid(sconn, sess_vuid,
423 server_info, nullblob, user);
424
425 reply_outbuf(req, 4, 0);
426 SSVAL(req->outbuf,smb_uid,sess_vuid);
427
428 if (sess_vuid == UID_FIELD_INVALID ) {
429 ret = NT_STATUS_LOGON_FAILURE;
430 } else {
431 /* current_user_info is changed on new vuid */
432 reload_services(sconn->msg_ctx, sconn->sock, True);
433
434 SSVAL(req->outbuf, smb_vwv3, 0);
435
436 if (server_info->guest) {
437 SSVAL(req->outbuf,smb_vwv2,1);
438 }
439
440 SSVAL(req->outbuf, smb_uid, sess_vuid);
441
442 /* Successful logon. Keep this vuid. */
443 *p_invalidate_vuid = False;
444 }
445
446 /* wrap that up in a nice GSS-API wrapping */
447 if (NT_STATUS_IS_OK(ret)) {
448 ap_rep_wrapped = spnego_gen_krb5_wrap(talloc_tos(), ap_rep,
449 TOK_ID_KRB_AP_REP);
450 } else {
451 ap_rep_wrapped = data_blob_null;
452 }
453 response = spnego_gen_auth_response(talloc_tos(), &ap_rep_wrapped, ret,
454 mechOID);
455 reply_sesssetup_blob(req, response, ret);
456
457 data_blob_free(&ap_rep);
458 data_blob_free(&ap_rep_wrapped);
459 data_blob_free(&response);
460 TALLOC_FREE(mem_ctx);
461 }
462
463 #endif
464
465 /****************************************************************************
466 Send a session setup reply, wrapped in SPNEGO.
467 Get vuid and check first.
468 End the NTLMSSP exchange context if we are OK/complete fail
469 This should be split into two functions, one to handle each
470 leg of the NTLM auth steps.
471 ***************************************************************************/
472
473 static void reply_spnego_ntlmssp(struct smb_request *req,
474 uint16 vuid,
475 struct auth_ntlmssp_state **auth_ntlmssp_state,
476 DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status,
477 const char *OID,
478 bool wrap)
479 {
480 bool do_invalidate = true;
481 DATA_BLOB response;
482 struct auth_serversupplied_info *session_info = NULL;
483 struct smbd_server_connection *sconn = req->sconn;
484
485 if (NT_STATUS_IS_OK(nt_status)) {
486 nt_status = auth_ntlmssp_steal_session_info(talloc_tos(),
487 (*auth_ntlmssp_state), &session_info);
488 } else {
489 /* Note that this session_info won't have a session
490 * key. But for map to guest, that's exactly the right
491 * thing - we can't reasonably guess the key the
492 * client wants, as the password was wrong */
493 nt_status = do_map_to_guest(nt_status,
494 &session_info,
495 auth_ntlmssp_get_username(*auth_ntlmssp_state),
496 auth_ntlmssp_get_domain(*auth_ntlmssp_state));
497 }
498
499 reply_outbuf(req, 4, 0);
500
501 SSVAL(req->outbuf, smb_uid, vuid);
502
503 if (NT_STATUS_IS_OK(nt_status)) {
504 DATA_BLOB nullblob = data_blob_null;
505
506 if (!is_partial_auth_vuid(sconn, vuid)) {
507 nt_status = NT_STATUS_LOGON_FAILURE;
508 goto out;
509 }
510
511 /* register_existing_vuid keeps the server info */
512 if (register_existing_vuid(sconn, vuid,
513 session_info, nullblob,
514 auth_ntlmssp_get_username(*auth_ntlmssp_state)) !=
515 vuid) {
516 /* The problem is, *auth_ntlmssp_state points
517 * into the vuser this will have
518 * talloc_free()'ed in
519 * register_existing_vuid() */
520 do_invalidate = false;
521 nt_status = NT_STATUS_LOGON_FAILURE;
522 goto out;
523 }
524
525 /* current_user_info is changed on new vuid */
526 reload_services(sconn->msg_ctx, sconn->sock, True);
527
528 SSVAL(req->outbuf, smb_vwv3, 0);
529
530 if (session_info->guest) {
531 SSVAL(req->outbuf,smb_vwv2,1);
532 }
533 }
534
535 out:
536
537 if (wrap) {
538 response = spnego_gen_auth_response(talloc_tos(),
539 ntlmssp_blob,
540 nt_status, OID);
541 } else {
542 response = *ntlmssp_blob;
543 }
544
545 reply_sesssetup_blob(req, response, nt_status);
546 if (wrap) {
547 data_blob_free(&response);
548 }
549
550 /* NT_STATUS_MORE_PROCESSING_REQUIRED from our NTLMSSP code tells us,
551 and the other end, that we are not finished yet. */
552
553 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
554 /* NB. This is *NOT* an error case. JRA */
555 if (do_invalidate) {
556 TALLOC_FREE(*auth_ntlmssp_state);
557 if (!NT_STATUS_IS_OK(nt_status)) {
558 /* Kill the intermediate vuid */
559 invalidate_vuid(sconn, vuid);
560 }
561 }
562 }
563 }
564
565 /****************************************************************************
566 Is this a krb5 mechanism ?
567 ****************************************************************************/
568
569 NTSTATUS parse_spnego_mechanisms(TALLOC_CTX *ctx,
570 DATA_BLOB blob_in,
571 DATA_BLOB *pblob_out,
572 char **kerb_mechOID)
573 {
574 char *OIDs[ASN1_MAX_OIDS];
575 int i;
576 NTSTATUS ret = NT_STATUS_OK;
577
578 *kerb_mechOID = NULL;
579
580 /* parse out the OIDs and the first sec blob */
581 if (!spnego_parse_negTokenInit(ctx, blob_in, OIDs, NULL, pblob_out) ||
582 (OIDs[0] == NULL)) {
583 return NT_STATUS_LOGON_FAILURE;
584 }
585
586 /* only look at the first OID for determining the mechToken --
587 according to RFC2478, we should choose the one we want
588 and renegotiate, but i smell a client bug here..
589
590 Problem observed when connecting to a member (samba box)
591 of an AD domain as a user in a Samba domain. Samba member
592 server sent back krb5/mskrb5/ntlmssp as mechtypes, but the
593 client (2ksp3) replied with ntlmssp/mskrb5/krb5 and an
594 NTLMSSP mechtoken. --jerry */
595
596 #ifdef HAVE_KRB5
597 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 ||
598 strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
599 *kerb_mechOID = talloc_strdup(ctx, OIDs[0]);
600 if (*kerb_mechOID == NULL) {
601 ret = NT_STATUS_NO_MEMORY;
602 }
603 }
604 #endif
605
606 for (i=0;OIDs[i];i++) {
607 DEBUG(5,("parse_spnego_mechanisms: Got OID %s\n", OIDs[i]));
608 talloc_free(OIDs[i]);
609 }
610 return ret;
611 }
612
613 /****************************************************************************
614 Fall back from krb5 to NTLMSSP.
615 ****************************************************************************/
616
617 static void reply_spnego_downgrade_to_ntlmssp(struct smb_request *req,
618 uint16 vuid)
619 {
620 DATA_BLOB response;
621
622 reply_outbuf(req, 4, 0);
623 SSVAL(req->outbuf,smb_uid,vuid);
624
625 DEBUG(3,("reply_spnego_downgrade_to_ntlmssp: Got krb5 ticket in SPNEGO "
626 "but set to downgrade to NTLMSSP\n"));
627
628 response = spnego_gen_auth_response(talloc_tos(), NULL,
629 NT_STATUS_MORE_PROCESSING_REQUIRED,
630 OID_NTLMSSP);
631 reply_sesssetup_blob(req, response, NT_STATUS_MORE_PROCESSING_REQUIRED);
632 data_blob_free(&response);
633 }
634
635 /****************************************************************************
636 Reply to a session setup spnego negotiate packet.
637 ****************************************************************************/
638
639 static void reply_spnego_negotiate(struct smb_request *req,
640 uint16 vuid,
641 DATA_BLOB blob1,
642 struct auth_ntlmssp_state **auth_ntlmssp_state)
643 {
644 DATA_BLOB secblob;
645 DATA_BLOB chal;
646 char *kerb_mech = NULL;
647 NTSTATUS status;
648 struct smbd_server_connection *sconn = req->sconn;
649
650 status = parse_spnego_mechanisms(talloc_tos(),
651 blob1, &secblob, &kerb_mech);
652 if (!NT_STATUS_IS_OK(status)) {
653 /* Kill the intermediate vuid */
654 invalidate_vuid(sconn, vuid);
655 reply_nterror(req, nt_status_squash(status));
656 return;
657 }
658
659 DEBUG(3,("reply_spnego_negotiate: Got secblob of size %lu\n",
660 (unsigned long)secblob.length));
661
662 #ifdef HAVE_KRB5
663 if (kerb_mech && ((lp_security()==SEC_ADS) ||
664 USE_KERBEROS_KEYTAB) ) {
665 bool destroy_vuid = True;
666 reply_spnego_kerberos(req, &secblob, kerb_mech,
667 vuid, &destroy_vuid);
668 data_blob_free(&secblob);
669 if (destroy_vuid) {
670 /* Kill the intermediate vuid */
671 invalidate_vuid(sconn, vuid);
672 }
673 TALLOC_FREE(kerb_mech);
674 return;
675 }
676 #endif
677
678 TALLOC_FREE(*auth_ntlmssp_state);
679
680 if (kerb_mech) {
681 data_blob_free(&secblob);
682 /* The mechtoken is a krb5 ticket, but
683 * we need to fall back to NTLM. */
684 reply_spnego_downgrade_to_ntlmssp(req, vuid);
685 TALLOC_FREE(kerb_mech);
686 return;
687 }
688
689 status = auth_ntlmssp_start(auth_ntlmssp_state);
690 if (!NT_STATUS_IS_OK(status)) {
691 /* Kill the intermediate vuid */
692 invalidate_vuid(sconn, vuid);
693 reply_nterror(req, nt_status_squash(status));
694 return;
695 }
696
697 status = auth_ntlmssp_update(*auth_ntlmssp_state,
698 secblob, &chal);
699
700 data_blob_free(&secblob);
701
702 reply_spnego_ntlmssp(req, vuid, auth_ntlmssp_state,
703 &chal, status, OID_NTLMSSP, true);
704
705 data_blob_free(&chal);
706
707 /* already replied */
708 return;
709 }
710
711 /****************************************************************************
712 Reply to a session setup spnego auth packet.
713 ****************************************************************************/
714
715 static void reply_spnego_auth(struct smb_request *req,
716 uint16 vuid,
717 DATA_BLOB blob1,
718 struct auth_ntlmssp_state **auth_ntlmssp_state)
719 {
720 DATA_BLOB auth = data_blob_null;
721 DATA_BLOB auth_reply = data_blob_null;
722 DATA_BLOB secblob = data_blob_null;
723 NTSTATUS status = NT_STATUS_LOGON_FAILURE;
724 struct smbd_server_connection *sconn = req->sconn;
725
726 if (!spnego_parse_auth(talloc_tos(), blob1, &auth)) {
727 #if 0
728 file_save("auth.dat", blob1.data, blob1.length);
729 #endif
730 /* Kill the intermediate vuid */
731 invalidate_vuid(sconn, vuid);
732
733 reply_nterror(req, nt_status_squash(
734 NT_STATUS_LOGON_FAILURE));
735 return;
736 }
737
738 if (auth.length > 0 && auth.data[0] == ASN1_APPLICATION(0)) {
739 /* Might be a second negTokenTarg packet */
740 char *kerb_mech = NULL;
741
742 status = parse_spnego_mechanisms(talloc_tos(),
743 auth, &secblob, &kerb_mech);
744
745 if (!NT_STATUS_IS_OK(status)) {
746 /* Kill the intermediate vuid */
747 invalidate_vuid(sconn, vuid);
748 reply_nterror(req, nt_status_squash(status));
749 return;
750 }
751
752 DEBUG(3,("reply_spnego_auth: Got secblob of size %lu\n",
753 (unsigned long)secblob.length));
754 #ifdef HAVE_KRB5
755 if (kerb_mech && ((lp_security()==SEC_ADS) ||
756 USE_KERBEROS_KEYTAB)) {
757 bool destroy_vuid = True;
758 reply_spnego_kerberos(req, &secblob, kerb_mech,
759 vuid, &destroy_vuid);
760 data_blob_free(&secblob);
761 data_blob_free(&auth);
762 if (destroy_vuid) {
763 /* Kill the intermediate vuid */
764 invalidate_vuid(sconn, vuid);
765 }
766 TALLOC_FREE(kerb_mech);
767 return;
768 }
769 #endif
770 /* Can't blunder into NTLMSSP auth if we have
771 * a krb5 ticket. */
772
773 if (kerb_mech) {
774 /* Kill the intermediate vuid */
775 invalidate_vuid(sconn, vuid);
776 DEBUG(3,("reply_spnego_auth: network "
777 "misconfiguration, client sent us a "
778 "krb5 ticket and kerberos security "
779 "not enabled\n"));
780 reply_nterror(req, nt_status_squash(
781 NT_STATUS_LOGON_FAILURE));
782 TALLOC_FREE(kerb_mech);
783 }
784 }
785
786 /* If we get here it wasn't a negTokenTarg auth packet. */
787 data_blob_free(&secblob);
788
789 if (!*auth_ntlmssp_state) {
790 status = auth_ntlmssp_start(auth_ntlmssp_state);
791 if (!NT_STATUS_IS_OK(status)) {
792 /* Kill the intermediate vuid */
793 invalidate_vuid(sconn, vuid);
794 reply_nterror(req, nt_status_squash(status));
795 return;
796 }
797 }
798
799 status = auth_ntlmssp_update(*auth_ntlmssp_state,
800 auth, &auth_reply);
801
802 data_blob_free(&auth);
803
804 /* Don't send the mechid as we've already sent this (RFC4178). */
805
806 reply_spnego_ntlmssp(req, vuid,
807 auth_ntlmssp_state,
808 &auth_reply, status, NULL, true);
809
810 data_blob_free(&auth_reply);
811
812 /* and tell smbd that we have already replied to this packet */
813 return;
814 }
815
816 /****************************************************************************
817 Delete an entry on the list.
818 ****************************************************************************/
819
820 static void delete_partial_auth(struct smbd_server_connection *sconn,
821 struct pending_auth_data *pad)
822 {
823 if (!pad) {
824 return;
825 }
826 DLIST_REMOVE(sconn->smb1.pd_list, pad);
827 data_blob_free(&pad->partial_data);
828 SAFE_FREE(pad);
829 }
830
831 /****************************************************************************
832 Search for a partial SPNEGO auth fragment matching an smbpid.
833 ****************************************************************************/
834
835 static struct pending_auth_data *get_pending_auth_data(
836 struct smbd_server_connection *sconn,
837 uint16_t smbpid)
838 {
839 struct pending_auth_data *pad;
840 /*
841 * NOTE: using the smbpid here is completely wrong...
842 * see [MS-SMB]
843 * 3.3.5.3 Receiving an SMB_COM_SESSION_SETUP_ANDX Request
844 */
845 for (pad = sconn->smb1.pd_list; pad; pad = pad->next) {
846 if (pad->smbpid == smbpid) {
847 break;
848 }
849 }
850 return pad;
851 }
852
853 /****************************************************************************
854 Check the size of an SPNEGO blob. If we need more return
855 NT_STATUS_MORE_PROCESSING_REQUIRED, else return NT_STATUS_OK. Don't allow
856 the blob to be more than 64k.
857 ****************************************************************************/
858
859 static NTSTATUS check_spnego_blob_complete(struct smbd_server_connection *sconn,
860 uint16 smbpid, uint16 vuid,
861 DATA_BLOB *pblob)
862 {
863 struct pending_auth_data *pad = NULL;
864 ASN1_DATA *data;
865 size_t needed_len = 0;
866
867 pad = get_pending_auth_data(sconn, smbpid);
868
869 /* Ensure we have some data. */
870 if (pblob->length == 0) {
871 /* Caller can cope. */
872 DEBUG(2,("check_spnego_blob_complete: zero blob length !\n"));
873 delete_partial_auth(sconn, pad);
874 return NT_STATUS_OK;
875 }
876
877 /* Were we waiting for more data ? */
878 if (pad) {
879 DATA_BLOB tmp_blob;
880 size_t copy_len = MIN(65536, pblob->length);
881
882 /* Integer wrap paranoia.... */
883
884 if (pad->partial_data.length + copy_len <
885 pad->partial_data.length ||
886 pad->partial_data.length + copy_len < copy_len) {
887
888 DEBUG(2,("check_spnego_blob_complete: integer wrap "
889 "pad->partial_data.length = %u, "
890 "copy_len = %u\n",
891 (unsigned int)pad->partial_data.length,
892 (unsigned int)copy_len ));
893
894 delete_partial_auth(sconn, pad);
895 return NT_STATUS_INVALID_PARAMETER;
896 }
897
898 DEBUG(10,("check_spnego_blob_complete: "
899 "pad->partial_data.length = %u, "
900 "pad->needed_len = %u, "
901 "copy_len = %u, "
902 "pblob->length = %u,\n",
903 (unsigned int)pad->partial_data.length,
904 (unsigned int)pad->needed_len,
905 (unsigned int)copy_len,
906 (unsigned int)pblob->length ));
907
908 if (pblob->length > pad->needed_len) {
909 DEBUG(2, ("subsequent security token data length %u "
910 "exceeds expected length %u\n",
911 (unsigned int)pblob->length,
912 (unsigned int)pad->needed_len));
913 }
914
915 tmp_blob = data_blob(NULL,
916 pad->partial_data.length + copy_len);
917
918 /* Concatenate the two (up to copy_len) bytes. */
919 memcpy(tmp_blob.data,
920 pad->partial_data.data,
921 pad->partial_data.length);
922 memcpy(tmp_blob.data + pad->partial_data.length,
923 pblob->data,
924 copy_len);
925
926 /* Replace the partial data. */
927 data_blob_free(&pad->partial_data);
928 pad->partial_data = tmp_blob;
929 ZERO_STRUCT(tmp_blob);
930
931 /* Are we done ? */
932 if (pblob->length >= pad->needed_len) {
933 /* Yes, replace pblob. */
934 data_blob_free(pblob);
935 *pblob = pad->partial_data;
936 ZERO_STRUCT(pad->partial_data);
937 delete_partial_auth(sconn, pad);
938 return NT_STATUS_OK;
939 }
940
941 /* Still need more data. */
942 pad->needed_len -= copy_len;
943 return NT_STATUS_MORE_PROCESSING_REQUIRED;
944 }
945
946 if ((pblob->data[0] != ASN1_APPLICATION(0)) &&
947 (pblob->data[0] != ASN1_CONTEXT(1))) {
948 /* Not something we can determine the
949 * length of.
950 */
951 return NT_STATUS_OK;
952 }
953
954 /* This is a new SPNEGO sessionsetup - see if
955 * the data given in this blob is enough.
956 */
957
958 data = asn1_init(NULL);
959 if (data == NULL) {
960 return NT_STATUS_NO_MEMORY;
961 }
962
963 asn1_load(data, *pblob);
964 if (asn1_start_tag(data, pblob->data[0])) {
965 /* asn1_start_tag checks if the given
966 length of the blob is enough to complete
967 the tag. If it returns true we know
968 there is nothing to do - the blob is
969 complete. */
970 asn1_free(data);
971 return NT_STATUS_OK;
972 }
973
974 if (data->nesting == NULL) {
975 /* Incorrect tag, allocation failed,
976 or reading the tag length failed.
977 Let the caller catch. */
978 asn1_free(data);
979 return NT_STATUS_OK;
980 }
981
982 /* Here we know asn1_start_tag() has set data->has_error to true.
983 asn1_tag_remaining() will have failed due to the given blob
984 being too short. We need to work out how short. */
985
986 /* Integer wrap paranoia.... */
987
988 if (data->nesting->taglen + data->nesting->start < data->nesting->taglen ||
989 data->nesting->taglen + data->nesting->start < data->nesting->start) {
990
991 DEBUG(2,("check_spnego_blob_complete: integer wrap "
992 "data.nesting->taglen = %u, "
993 "data.nesting->start = %u\n",
994 (unsigned int)data->nesting->taglen,
995 (unsigned int)data->nesting->start ));
996
997 asn1_free(data);
998 return NT_STATUS_INVALID_PARAMETER;
999 }
1000
1001 /* Total length of the needed asn1 is the tag length
1002 * plus the current offset. */
1003
1004 needed_len = data->nesting->taglen + data->nesting->start;
1005 asn1_free(data);
1006
1007 DEBUG(10,("check_spnego_blob_complete: needed_len = %u, "
1008 "pblob->length = %u\n",
1009 (unsigned int)needed_len,
1010 (unsigned int)pblob->length ));
1011
1012 if (needed_len <= pblob->length) {
1013 /* Nothing to do - blob is complete. */
1014 /* THIS SHOULD NOT HAPPEN - asn1_start_tag()
1015 above should have caught this !!! */
1016 DEBUG(0,("check_spnego_blob_complete: logic "
1017 "error (needed_len = %u, "
1018 "pblob->length = %u).\n",
1019 (unsigned int)needed_len,
1020 (unsigned int)pblob->length ));
1021 return NT_STATUS_OK;
1022 }
1023
1024 /* Refuse the blob if it's bigger than 64k. */
1025 if (needed_len > 65536) {
1026 DEBUG(2,("check_spnego_blob_complete: needed_len "
1027 "too large (%u)\n",
1028 (unsigned int)needed_len ));
1029 return NT_STATUS_INVALID_PARAMETER;
1030 }
1031
1032 /* We must store this blob until complete. */
1033 if (!(pad = SMB_MALLOC_P(struct pending_auth_data))) {
1034 return NT_STATUS_NO_MEMORY;
1035 }
1036 pad->needed_len = needed_len - pblob->length;
1037 pad->partial_data = data_blob(pblob->data, pblob->length);
1038 if (pad->partial_data.data == NULL) {
1039 SAFE_FREE(pad);
1040 return NT_STATUS_NO_MEMORY;
1041 }
1042 pad->smbpid = smbpid;
1043 pad->vuid = vuid;
1044 DLIST_ADD(sconn->smb1.pd_list, pad);
1045
1046 return NT_STATUS_MORE_PROCESSING_REQUIRED;
1047 }
1048
1049 /****************************************************************************
1050 Reply to a session setup command.
1051 conn POINTER CAN BE NULL HERE !
1052 ****************************************************************************/
1053
1054 static void reply_sesssetup_and_X_spnego(struct smb_request *req)
1055 {
1056 const uint8 *p;
1057 DATA_BLOB blob1;
1058 size_t bufrem;
1059 char *tmp;
1060 const char *native_os;
1061 const char *native_lanman;
1062 const char *primary_domain;
1063 const char *p2;
1064 uint16 data_blob_len = SVAL(req->vwv+7, 0);
1065 enum remote_arch_types ra_type = get_remote_arch();
1066 int vuid = req->vuid;
1067 user_struct *vuser = NULL;
1068 NTSTATUS status = NT_STATUS_OK;
1069 uint16 smbpid = req->smbpid;
1070 struct smbd_server_connection *sconn = req->sconn;
1071
1072 DEBUG(3,("Doing spnego session setup\n"));
1073
1074 if (global_client_caps == 0) {
1075 global_client_caps = IVAL(req->vwv+10, 0);
1076
1077 if (!(global_client_caps & CAP_STATUS32)) {
1078 remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES);
1079 }
1080
1081 }
1082
1083 p = req->buf;
1084
1085 if (data_blob_len == 0) {
1086 /* an invalid request */
1087 reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
1088 return;
1089 }
1090
1091 bufrem = smbreq_bufrem(req, p);
1092 /* pull the spnego blob */
1093 blob1 = data_blob(p, MIN(bufrem, data_blob_len));
1094
1095 #if 0
1096 file_save("negotiate.dat", blob1.data, blob1.length);
1097 #endif
1098
1099 p2 = (char *)req->buf + blob1.length;
1100
1101 p2 += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p2,
1102 STR_TERMINATE);
1103 native_os = tmp ? tmp : "";
1104
1105 p2 += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p2,
1106 STR_TERMINATE);
1107 native_lanman = tmp ? tmp : "";
1108
1109 p2 += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p2,
1110 STR_TERMINATE);
1111 primary_domain = tmp ? tmp : "";
1112
1113 DEBUG(3,("NativeOS=[%s] NativeLanMan=[%s] PrimaryDomain=[%s]\n",
1114 native_os, native_lanman, primary_domain));
1115
1116 if ( ra_type == RA_WIN2K ) {
1117 /* Vista sets neither the OS or lanman strings */
1118
1119 if ( !strlen(native_os) && !strlen(native_lanman) )
1120 set_remote_arch(RA_VISTA);
1121
1122 /* Windows 2003 doesn't set the native lanman string,
1123 but does set primary domain which is a bug I think */
1124
1125 if ( !strlen(native_lanman) ) {
1126 ra_lanman_string( primary_domain );
1127 } else {
1128 ra_lanman_string( native_lanman );
1129 }
1130 } else if ( ra_type == RA_VISTA ) {
1131 if ( strncmp(native_os, "Mac OS X", 8) == 0 ) {
1132 set_remote_arch(RA_OSX);
1133 }
1134 }
1135
1136 /* Did we get a valid vuid ? */
1137 if (!is_partial_auth_vuid(sconn, vuid)) {
1138 /* No, then try and see if this is an intermediate sessionsetup
1139 * for a large SPNEGO packet. */
1140 struct pending_auth_data *pad;
1141 pad = get_pending_auth_data(sconn, smbpid);
1142 if (pad) {
1143 DEBUG(10,("reply_sesssetup_and_X_spnego: found "
1144 "pending vuid %u\n",
1145 (unsigned int)pad->vuid ));
1146 vuid = pad->vuid;
1147 }
1148 }
1149
1150 /* Do we have a valid vuid now ? */
1151 if (!is_partial_auth_vuid(sconn, vuid)) {
1152 /* No, start a new authentication setup. */
1153 vuid = register_initial_vuid(sconn);
1154 if (vuid == UID_FIELD_INVALID) {
1155 data_blob_free(&blob1);
1156 reply_nterror(req, nt_status_squash(
1157 NT_STATUS_INVALID_PARAMETER));
1158 return;
1159 }
1160 }
1161
1162 vuser = get_partial_auth_user_struct(sconn, vuid);
1163 /* This MUST be valid. */
1164 if (!vuser) {
1165 smb_panic("reply_sesssetup_and_X_spnego: invalid vuid.");
1166 }
1167
1168 /* Large (greater than 4k) SPNEGO blobs are split into multiple
1169 * sessionsetup requests as the Windows limit on the security blob
1170 * field is 4k. Bug #4400. JRA.
1171 */
1172
1173 status = check_spnego_blob_complete(sconn, smbpid, vuid, &blob1);
1174 if (!NT_STATUS_IS_OK(status)) {
1175 /*
1176 * Pack error response, ensuring to fill NativeOS, NativeLanMan
1177 * & PrimaryDomain fields on NT_STATUS_MORE_PROCESSING_REQUIRED
1178 */
1179 reply_outbuf(req, 4, 0);
1180 reply_sesssetup_blob(req, data_blob_null, status);
1181 if (!NT_STATUS_EQUAL(status,
1182 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1183 /* Real error - kill the intermediate vuid */
1184 invalidate_vuid(sconn, vuid);
1185 }
1186 data_blob_free(&blob1);
1187 return;
1188 }
1189
1190 if (blob1.data[0] == ASN1_APPLICATION(0)) {
1191
1192 /* its a negTokenTarg packet */
1193
1194 reply_spnego_negotiate(req, vuid, blob1,
1195 &vuser->auth_ntlmssp_state);
1196 data_blob_free(&blob1);
1197 return;
1198 }
1199
1200 if (blob1.data[0] == ASN1_CONTEXT(1)) {
1201
1202 /* its a auth packet */
1203
1204 reply_spnego_auth(req, vuid, blob1,
1205 &vuser->auth_ntlmssp_state);
1206 data_blob_free(&blob1);
1207 return;
1208 }
1209
1210 if (strncmp((char *)(blob1.data), "NTLMSSP", 7) == 0) {
1211 DATA_BLOB chal;
1212
1213 if (!vuser->auth_ntlmssp_state) {
1214 status = auth_ntlmssp_start(&vuser->auth_ntlmssp_state);
1215 if (!NT_STATUS_IS_OK(status)) {
1216 /* Kill the intermediate vuid */
1217 invalidate_vuid(sconn, vuid);
1218 data_blob_free(&blob1);
1219 reply_nterror(req, nt_status_squash(status));
1220 return;
1221 }
1222 }
1223
1224 status = auth_ntlmssp_update(vuser->auth_ntlmssp_state,
1225 blob1, &chal);
1226
1227 data_blob_free(&blob1);
1228
1229 reply_spnego_ntlmssp(req, vuid,
1230 &vuser->auth_ntlmssp_state,
1231 &chal, status, OID_NTLMSSP, false);
1232 data_blob_free(&chal);
1233 return;
1234 }
1235
1236 /* what sort of packet is this? */
1237 DEBUG(1,("Unknown packet in reply_sesssetup_and_X_spnego\n"));
1238
1239 data_blob_free(&blob1);
1240
1241 reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
1242 }
1243
1244 /****************************************************************************
1245 On new VC == 0, shutdown *all* old connections and users.
1246 It seems that only NT4.x does this. At W2K and above (XP etc.).
1247 a new session setup with VC==0 is ignored.
1248 ****************************************************************************/
1249
1250 struct shutdown_state {
1251 const char *ip;
1252 struct messaging_context *msg_ctx;
1253 };
1254
1255 static int shutdown_other_smbds(const struct connections_key *key,
1256 const struct connections_data *crec,
1257 void *private_data)
1258 {
1259 struct shutdown_state *state = (struct shutdown_state *)private_data;
1260
1261 DEBUG(10, ("shutdown_other_smbds: %s, %s\n",
1262 procid_str(talloc_tos(), &crec->pid), crec->addr));
1263
1264 if (!process_exists(crec->pid)) {
1265 DEBUG(10, ("process does not exist\n"));
1266 return 0;
1267 }
1268
1269 if (procid_is_me(&crec->pid)) {
1270 DEBUG(10, ("It's me\n"));
1271 return 0;
1272 }
1273
1274 if (strcmp(state->ip, crec->addr) != 0) {
1275 DEBUG(10, ("%s does not match %s\n", state->ip, crec->addr));
1276 return 0;
1277 }
1278
1279 DEBUG(1, ("shutdown_other_smbds: shutting down pid %u "
1280 "(IP %s)\n", (unsigned int)procid_to_pid(&crec->pid),
1281 state->ip));
1282
1283 messaging_send(state->msg_ctx, crec->pid, MSG_SHUTDOWN,
1284 &data_blob_null);
1285 return 0;
1286 }
1287
1288 static void setup_new_vc_session(struct smbd_server_connection *sconn)
1289 {
1290 DEBUG(2,("setup_new_vc_session: New VC == 0, if NT4.x "
1291 "compatible we would close all old resources.\n"));
1292 #if 0
1293 conn_close_all();
1294 invalidate_all_vuids();
1295 #endif
1296 if (lp_reset_on_zero_vc()) {
1297 char *addr;
1298 struct shutdown_state state;
1299
1300 addr = tsocket_address_inet_addr_string(
1301 sconn->remote_address, talloc_tos());
1302 if (addr == NULL) {
1303 return;
1304 }
1305 state.ip = addr;
1306 state.msg_ctx = sconn->msg_ctx;
1307 connections_forall_read(shutdown_other_smbds, &state);
1308 TALLOC_FREE(addr);
1309 }
1310 }
1311
1312 /****************************************************************************
1313 Reply to a session setup command.
1314 ****************************************************************************/
1315
1316 void reply_sesssetup_and_X(struct smb_request *req)
1317 {
1318 int sess_vuid;
1319 int smb_bufsize;
1320 DATA_BLOB lm_resp;
1321 DATA_BLOB nt_resp;
1322 DATA_BLOB plaintext_password;
1323 char *tmp;
1324 const char *user;
1325 fstring sub_user; /* Sanitised username for substituion */
1326 const char *domain;
1327 const char *native_os;
1328 const char *native_lanman;
1329 const char *primary_domain;
1330 struct auth_usersupplied_info *user_info = NULL;
1331 struct auth_serversupplied_info *server_info = NULL;
1332 uint16 smb_flag2 = req->flags2;
1333
1334 NTSTATUS nt_status;
1335 struct smbd_server_connection *sconn = req->sconn;
1336
1337 bool doencrypt = sconn->smb1.negprot.encrypted_passwords;
1338
1339 START_PROFILE(SMBsesssetupX);
1340
1341 ZERO_STRUCT(lm_resp);
1342 ZERO_STRUCT(nt_resp);
1343 ZERO_STRUCT(plaintext_password);
1344
1345 DEBUG(3,("wct=%d flg2=0x%x\n", req->wct, req->flags2));
1346
1347 /* a SPNEGO session setup has 12 command words, whereas a normal
1348 NT1 session setup has 13. See the cifs spec. */
1349 if (req->wct == 12 &&
1350 (req->flags2 & FLAGS2_EXTENDED_SECURITY)) {
1351
1352 if (!sconn->smb1.negprot.spnego) {
1353 DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt "
1354 "at SPNEGO session setup when it was not "
1355 "negotiated.\n"));
1356 reply_nterror(req, nt_status_squash(
1357 NT_STATUS_LOGON_FAILURE));
1358 END_PROFILE(SMBsesssetupX);
1359 return;
1360 }
1361
1362 if (SVAL(req->vwv+4, 0) == 0) {
1363 setup_new_vc_session(req->sconn);
1364 }
1365
1366 reply_sesssetup_and_X_spnego(req);
1367 END_PROFILE(SMBsesssetupX);
1368 return;
1369 }
1370
1371 smb_bufsize = SVAL(req->vwv+2, 0);
1372
1373 if (get_Protocol() < PROTOCOL_NT1) {
1374 uint16 passlen1 = SVAL(req->vwv+7, 0);
1375
1376 /* Never do NT status codes with protocols before NT1 as we
1377 * don't get client caps. */
1378 remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES);
1379
1380 if ((passlen1 > MAX_PASS_LEN) || (passlen1 > req->buflen)) {
1381 reply_nterror(req, nt_status_squash(
1382 NT_STATUS_INVALID_PARAMETER));
1383 END_PROFILE(SMBsesssetupX);
1384 return;
1385 }
1386
1387 if (doencrypt) {
1388 lm_resp = data_blob(req->buf, passlen1);
1389 } else {
1390 plaintext_password = data_blob(req->buf, passlen1+1);
1391 /* Ensure null termination */
1392 plaintext_password.data[passlen1] = 0;
1393 }
1394
1395 srvstr_pull_req_talloc(talloc_tos(), req, &tmp,
1396 req->buf + passlen1, STR_TERMINATE);
1397 user = tmp ? tmp : "";
1398
1399 domain = "";
1400
1401 } else {
1402 uint16 passlen1 = SVAL(req->vwv+7, 0);
1403 uint16 passlen2 = SVAL(req->vwv+8, 0);
1404 enum remote_arch_types ra_type = get_remote_arch();
1405 const uint8_t *p = req->buf;
1406 const uint8_t *save_p = req->buf;
1407 uint16 byte_count;
1408
1409
1410 if(global_client_caps == 0) {
1411 global_client_caps = IVAL(req->vwv+11, 0);
1412
1413 if (!(global_client_caps & CAP_STATUS32)) {
1414 remove_from_common_flags2(
1415 FLAGS2_32_BIT_ERROR_CODES);
1416 }
1417
1418 /* client_caps is used as final determination if
1419 * client is NT or Win95. This is needed to return
1420 * the correct error codes in some circumstances.
1421 */
1422
1423 if(ra_type == RA_WINNT || ra_type == RA_WIN2K ||
1424 ra_type == RA_WIN95) {
1425 if(!(global_client_caps & (CAP_NT_SMBS|
1426 CAP_STATUS32))) {
1427 set_remote_arch( RA_WIN95);
1428 }
1429 }
1430 }
1431
1432 if (!doencrypt) {
1433 /* both Win95 and WinNT stuff up the password
1434 * lengths for non-encrypting systems. Uggh.
1435
1436 if passlen1==24 its a win95 system, and its setting
1437 the password length incorrectly. Luckily it still
1438 works with the default code because Win95 will null
1439 terminate the password anyway
1440
1441 if passlen1>0 and passlen2>0 then maybe its a NT box
1442 and its setting passlen2 to some random value which
1443 really stuffs things up. we need to fix that one. */
1444
1445 if (passlen1 > 0 && passlen2 > 0 && passlen2 != 24 &&
1446 passlen2 != 1) {
1447 passlen2 = 0;
1448 }
1449 }
1450
1451 /* check for nasty tricks */
1452 if (passlen1 > MAX_PASS_LEN
1453 || passlen1 > smbreq_bufrem(req, p)) {
1454 reply_nterror(req, nt_status_squash(
1455 NT_STATUS_INVALID_PARAMETER));
1456 END_PROFILE(SMBsesssetupX);
1457 return;
1458 }
1459
1460 if (passlen2 > MAX_PASS_LEN
1461 || passlen2 > smbreq_bufrem(req, p+passlen1)) {
1462 reply_nterror(req, nt_status_squash(
1463 NT_STATUS_INVALID_PARAMETER));
1464 END_PROFILE(SMBsesssetupX);
1465 return;
1466 }
1467
1468 /* Save the lanman2 password and the NT md4 password. */
1469
1470 if ((doencrypt) && (passlen1 != 0) && (passlen1 != 24)) {
1471 doencrypt = False;
1472 }
1473
1474 if (doencrypt) {
1475 lm_resp = data_blob(p, passlen1);
1476 nt_resp = data_blob(p+passlen1, passlen2);
1477 } else if (lp_security() != SEC_SHARE) {
1478 /*
1479 * In share level we should ignore any passwords, so
1480 * only read them if we're not.
1481 */
1482 char *pass = NULL;
1483 bool unic= smb_flag2 & FLAGS2_UNICODE_STRINGS;
1484
1485 if (unic && (passlen2 == 0) && passlen1) {
1486 /* Only a ascii plaintext password was sent. */
1487 (void)srvstr_pull_talloc(talloc_tos(),
1488 req->inbuf,
1489 req->flags2,
1490 &pass,
1491 req->buf,
1492 passlen1,
1493 STR_TERMINATE|STR_ASCII);
1494 } else {
1495 (void)srvstr_pull_talloc(talloc_tos(),
1496 req->inbuf,
1497 req->flags2,
1498 &pass,
1499 req->buf,
1500 unic ? passlen2 : passlen1,
1501 STR_TERMINATE);
1502 }
1503 if (!pass) {
1504 reply_nterror(req, nt_status_squash(
1505 NT_STATUS_INVALID_PARAMETER));
1506 END_PROFILE(SMBsesssetupX);
1507 return;
1508 }
1509 plaintext_password = data_blob(pass, strlen(pass)+1);
1510 }
1511
1512 p += passlen1 + passlen2;
1513
1514 p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
1515 STR_TERMINATE);
1516 user = tmp ? tmp : "";
1517
1518 p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
1519 STR_TERMINATE);
1520 domain = tmp ? tmp : "";
1521
1522 p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
1523 STR_TERMINATE);
1524 native_os = tmp ? tmp : "";
1525
1526 p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
1527 STR_TERMINATE);
1528 native_lanman = tmp ? tmp : "";
1529
1530 /* not documented or decoded by Ethereal but there is one more
1531 * string in the extra bytes which is the same as the
1532 * PrimaryDomain when using extended security. Windows NT 4
1533 * and 2003 use this string to store the native lanman string.
1534 * Windows 9x does not include a string here at all so we have
1535 * to check if we have any extra bytes left */
1536
1537 byte_count = SVAL(req->vwv+13, 0);
1538 if ( PTR_DIFF(p, save_p) < byte_count) {
1539 p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
1540 STR_TERMINATE);
1541 primary_domain = tmp ? tmp : "";
1542 } else {
1543 primary_domain = talloc_strdup(talloc_tos(), "null");
1544 }
1545
1546 DEBUG(3,("Domain=[%s] NativeOS=[%s] NativeLanMan=[%s] "
1547 "PrimaryDomain=[%s]\n",
1548 domain, native_os, native_lanman, primary_domain));
1549
1550 if ( ra_type == RA_WIN2K ) {
1551 if ( strlen(native_lanman) == 0 )
1552 ra_lanman_string( primary_domain );
1553 else
1554 ra_lanman_string( native_lanman );
1555 }
1556
1557 }
1558
1559 if (SVAL(req->vwv+4, 0) == 0) {
1560 setup_new_vc_session(req->sconn);
1561 }
1562
1563 DEBUG(3,("sesssetupX:name=[%s]\\[%s]@[%s]\n",
1564 domain, user, get_remote_machine_name()));
1565
1566 if (*user) {
1567 if (sconn->smb1.negprot.spnego) {
1568
1569 /* This has to be here, because this is a perfectly
1570 * valid behaviour for guest logons :-( */
1571
1572 DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt "
1573 "at 'normal' session setup after "
1574 "negotiating spnego.\n"));
1575 reply_nterror(req, nt_status_squash(
1576 NT_STATUS_LOGON_FAILURE));
1577 END_PROFILE(SMBsesssetupX);
1578 return;
1579 }
1580 fstrcpy(sub_user, user);
1581 } else {
1582 fstrcpy(sub_user, lp_guestaccount());
1583 }
1584
1585 sub_set_smb_name(sub_user);
1586
1587 reload_services(sconn->msg_ctx, sconn->sock, True);
1588
1589 if (lp_security() == SEC_SHARE) {
1590 char *sub_user_mapped = NULL;
1591 /* In share level we should ignore any passwords */
1592
1593 data_blob_free(&lm_resp);
1594 data_blob_free(&nt_resp);
1595 data_blob_clear_free(&plaintext_password);
1596
1597 (void)map_username(talloc_tos(), sub_user, &sub_user_mapped);
1598 if (!sub_user_mapped) {
1599 reply_nterror(req, NT_STATUS_NO_MEMORY);
1600 END_PROFILE(SMBsesssetupX);
1601 return;
1602 }
1603 fstrcpy(sub_user, sub_user_mapped);
1604 add_session_user(sconn, sub_user);
1605 add_session_workgroup(sconn, domain);
1606 /* Then force it to null for the benfit of the code below */
1607 user = "";
1608 }
1609
1610 if (!*user) {
1611
1612 nt_status = check_guest_password(&server_info);
1613
1614 } else if (doencrypt) {
1615 struct auth_context *negprot_auth_context = NULL;
1616 negprot_auth_context = sconn->smb1.negprot.auth_context;
1617 if (!negprot_auth_context) {
1618 DEBUG(0, ("reply_sesssetup_and_X: Attempted encrypted "
1619 "session setup without negprot denied!\n"));
1620 reply_nterror(req, nt_status_squash(
1621 NT_STATUS_LOGON_FAILURE));
1622 END_PROFILE(SMBsesssetupX);
1623 return;
1624 }
1625 nt_status = make_user_info_for_reply_enc(&user_info, user,
1626 domain,
1627 lm_resp, nt_resp);
1628 if (NT_STATUS_IS_OK(nt_status)) {
1629 nt_status = negprot_auth_context->check_ntlm_password(
1630 negprot_auth_context,
1631 user_info,
1632 &server_info);
1633 }
1634 } else {
1635 struct auth_context *plaintext_auth_context = NULL;
1636
1637 nt_status = make_auth_context_subsystem(
1638 talloc_tos(), &plaintext_auth_context);
1639
1640 if (NT_STATUS_IS_OK(nt_status)) {
1641 uint8_t chal[8];
1642
1643 plaintext_auth_context->get_ntlm_challenge(
1644 plaintext_auth_context, chal);
1645
1646 if (!make_user_info_for_reply(&user_info,
1647 user, domain, chal,
1648 plaintext_password)) {
1649 nt_status = NT_STATUS_NO_MEMORY;
1650 }
1651
1652 if (NT_STATUS_IS_OK(nt_status)) {
1653 nt_status = plaintext_auth_context->check_ntlm_password(
1654 plaintext_auth_context,
1655 user_info,
1656 &server_info);
1657
1658 TALLOC_FREE(plaintext_auth_context);
1659 }
1660 }
1661 }
1662
1663 free_user_info(&user_info);
1664
1665 if (!NT_STATUS_IS_OK(nt_status)) {
1666 nt_status = do_map_to_guest(nt_status, &server_info,
1667 user, domain);
1668 }
1669
1670 if (!NT_STATUS_IS_OK(nt_status)) {
1671 data_blob_free(&nt_resp);
1672 data_blob_free(&lm_resp);
1673 data_blob_clear_free(&plaintext_password);
1674 reply_nterror(req, nt_status_squash(nt_status));
1675 END_PROFILE(SMBsesssetupX);
1676 return;
1677 }
1678
1679 /* Ensure we can't possible take a code path leading to a
1680 * null defref. */
1681 if (!server_info) {
1682 reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
1683 END_PROFILE(SMBsesssetupX);
1684 return;
1685 }
1686
1687 if (!server_info->security_token) {
1688 nt_status = create_local_token(server_info);
1689
1690 if (!NT_STATUS_IS_OK(nt_status)) {
1691 DEBUG(10, ("create_local_token failed: %s\n",
1692 nt_errstr(nt_status)));
1693 data_blob_free(&nt_resp);
1694 data_blob_free(&lm_resp);
1695 data_blob_clear_free(&plaintext_password);
1696 reply_nterror(req, nt_status_squash(nt_status));
1697 END_PROFILE(SMBsesssetupX);
1698 return;
1699 }
1700 }
1701
1702 data_blob_clear_free(&plaintext_password);
1703
1704 /* it's ok - setup a reply */
1705 reply_outbuf(req, 3, 0);
1706 if (get_Protocol() >= PROTOCOL_NT1) {
1707 push_signature(&req->outbuf);
1708 /* perhaps grab OS version here?? */
1709 }
1710
1711 if (server_info->guest) {
1712 SSVAL(req->outbuf,smb_vwv2,1);
1713 }
1714
1715 /* register the name and uid as being validated, so further connections
1716 to a uid can get through without a password, on the same VC */
1717
1718 if (lp_security() == SEC_SHARE) {
1719 sess_vuid = UID_FIELD_INVALID;
1720 TALLOC_FREE(server_info);
1721 } else {
1722 /* Ignore the initial vuid. */
1723 sess_vuid = register_initial_vuid(sconn);
1724 if (sess_vuid == UID_FIELD_INVALID) {
1725 data_blob_free(&nt_resp);
1726 data_blob_free(&lm_resp);
1727 reply_nterror(req, nt_status_squash(
1728 NT_STATUS_LOGON_FAILURE));
1729 END_PROFILE(SMBsesssetupX);
1730 return;
1731 }
1732 /* register_existing_vuid keeps the server info */
1733 sess_vuid = register_existing_vuid(sconn, sess_vuid,
1734 server_info,
1735 nt_resp.data ? nt_resp : lm_resp,
1736 sub_user);
1737 if (sess_vuid == UID_FIELD_INVALID) {
1738 data_blob_free(&nt_resp);
1739 data_blob_free(&lm_resp);
1740 reply_nterror(req, nt_status_squash(
1741 NT_STATUS_LOGON_FAILURE));
1742 END_PROFILE(SMBsesssetupX);
1743 return;
1744 }
1745
1746 /* current_user_info is changed on new vuid */
1747 reload_services(sconn->msg_ctx, sconn->sock, True);
1748 }
1749
1750 data_blob_free(&nt_resp);
1751 data_blob_free(&lm_resp);
1752
1753 SSVAL(req->outbuf,smb_uid,sess_vuid);
1754 SSVAL(req->inbuf,smb_uid,sess_vuid);
1755 req->vuid = sess_vuid;
1756
1757 if (!sconn->smb1.sessions.done_sesssetup) {
1758 sconn->smb1.sessions.max_send =
1759 MIN(sconn->smb1.sessions.max_send,smb_bufsize);
1760 }
1761 sconn->smb1.sessions.done_sesssetup = true;
1762
1763 END_PROFILE(SMBsesssetupX);
1764 chain_reply(req);
1765 return;
1766 }
Samba GIT mirror