search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:torture/rpc/samba3rpc.c: make use of dcerpc_binding_handle stubs
[Samba/nascimento.git] / source3 / auth / auth_ntlmssp.c
blob88f0e694434833e1cefaa24a3a82c8e4300fb135
1 /*
2 Unix SMB/Netbios implementation.
3 Version 3.0
4 handle NLTMSSP, server side
5
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett 2001-2003
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "ntlmssp.h"
25
26 /**
27 * Return the challenge as determined by the authentication subsystem
28 * @return an 8 byte random challenge
29 */
30
31 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
32 uint8_t chal[8])
33 {
34 AUTH_NTLMSSP_STATE *auth_ntlmssp_state =
35 (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context;
36 auth_ntlmssp_state->auth_context->get_ntlm_challenge(
37 auth_ntlmssp_state->auth_context, chal);
38 return NT_STATUS_OK;
39 }
40
41 /**
42 * Some authentication methods 'fix' the challenge, so we may not be able to set it
43 *
44 * @return If the effective challenge used by the auth subsystem may be modified
45 */
46 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
47 {
48 AUTH_NTLMSSP_STATE *auth_ntlmssp_state =
49 (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context;
50 struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
51
52 return auth_context->challenge_may_be_modified;
53 }
54
55 /**
56 * NTLM2 authentication modifies the effective challenge,
57 * @param challenge The new challenge value
58 */
59 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
60 {
61 AUTH_NTLMSSP_STATE *auth_ntlmssp_state =
62 (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context;
63 struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
64
65 SMB_ASSERT(challenge->length == 8);
66
67 auth_context->challenge = data_blob_talloc(auth_context->mem_ctx,
68 challenge->data, challenge->length);
69
70 auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)";
71
72 DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
73 DEBUG(5, ("challenge is: \n"));
74 dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
75 return NT_STATUS_OK;
76 }
77
78 /**
79 * Check the password on an NTLMSSP login.
80 *
81 * Return the session keys used on the connection.
82 */
83
84 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
85 {
86 AUTH_NTLMSSP_STATE *auth_ntlmssp_state =
87 (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context;
88 struct auth_usersupplied_info *user_info = NULL;
89 NTSTATUS nt_status;
90 bool username_was_mapped;
91
92 /* the client has given us its machine name (which we otherwise would not get on port 445).
93 we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
94
95 set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->workstation, True);
96
97 /* setup the string used by %U */
98 /* sub_set_smb_name checks for weird internally */
99 sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
100
101 reload_services(True);
102
103 nt_status = make_user_info_map(&user_info,
104 auth_ntlmssp_state->ntlmssp_state->user,
105 auth_ntlmssp_state->ntlmssp_state->domain,
106 auth_ntlmssp_state->ntlmssp_state->workstation,
107 auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
108 auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
109 NULL, NULL, NULL,
110 True);
111
112 user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
113
114 if (!NT_STATUS_IS_OK(nt_status)) {
115 return nt_status;
116 }
117
118 nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context,
119 user_info, &auth_ntlmssp_state->server_info);
120
121 username_was_mapped = user_info->was_mapped;
122
123 free_user_info(&user_info);
124
125 if (!NT_STATUS_IS_OK(nt_status)) {
126 return nt_status;
127 }
128
129 auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
130
131 nt_status = create_local_token(auth_ntlmssp_state->server_info);
132
133 if (!NT_STATUS_IS_OK(nt_status)) {
134 DEBUG(10, ("create_local_token failed: %s\n",
135 nt_errstr(nt_status)));
136 return nt_status;
137 }
138
139 if (auth_ntlmssp_state->server_info->user_session_key.length) {
140 DEBUG(10, ("Got NT session key of length %u\n",
141 (unsigned int)auth_ntlmssp_state->server_info->user_session_key.length));
142 *user_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
143 auth_ntlmssp_state->server_info->user_session_key.data,
144 auth_ntlmssp_state->server_info->user_session_key.length);
145 }
146 if (auth_ntlmssp_state->server_info->lm_session_key.length) {
147 DEBUG(10, ("Got LM session key of length %u\n",
148 (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
149 *lm_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
150 auth_ntlmssp_state->server_info->lm_session_key.data,
151 auth_ntlmssp_state->server_info->lm_session_key.length);
152 }
153 return nt_status;
154 }
155
156 NTSTATUS auth_ntlmssp_start(AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
157 {
158 NTSTATUS nt_status;
159 TALLOC_CTX *mem_ctx;
160
161 mem_ctx = talloc_init("AUTH NTLMSSP context");
162
163 *auth_ntlmssp_state = TALLOC_ZERO_P(mem_ctx, AUTH_NTLMSSP_STATE);
164 if (!*auth_ntlmssp_state) {
165 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
166 talloc_destroy(mem_ctx);
167 return NT_STATUS_NO_MEMORY;
168 }
169
170 ZERO_STRUCTP(*auth_ntlmssp_state);
171
172 (*auth_ntlmssp_state)->mem_ctx = mem_ctx;
173
174 if (!NT_STATUS_IS_OK(nt_status = ntlmssp_server_start(&(*auth_ntlmssp_state)->ntlmssp_state))) {
175 return nt_status;
176 }
177
178 if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&(*auth_ntlmssp_state)->auth_context))) {
179 return nt_status;
180 }
181
182 (*auth_ntlmssp_state)->ntlmssp_state->auth_context = (*auth_ntlmssp_state);
183 (*auth_ntlmssp_state)->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
184 (*auth_ntlmssp_state)->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
185 (*auth_ntlmssp_state)->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
186 (*auth_ntlmssp_state)->ntlmssp_state->check_password = auth_ntlmssp_check_password;
187 (*auth_ntlmssp_state)->ntlmssp_state->server_role = (enum server_types)lp_server_role();
188
189 return NT_STATUS_OK;
190 }
191
192 void auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
193 {
194 TALLOC_CTX *mem_ctx;
195
196 if (*auth_ntlmssp_state == NULL) {
197 return;
198 }
199
200 mem_ctx = (*auth_ntlmssp_state)->mem_ctx;
201 if ((*auth_ntlmssp_state)->ntlmssp_state) {
202 ntlmssp_end(&(*auth_ntlmssp_state)->ntlmssp_state);
203 }
204 if ((*auth_ntlmssp_state)->auth_context) {
205 ((*auth_ntlmssp_state)->auth_context->free)(&(*auth_ntlmssp_state)->auth_context);
206 }
207 if ((*auth_ntlmssp_state)->server_info) {
208 TALLOC_FREE((*auth_ntlmssp_state)->server_info);
209 }
210 talloc_destroy(mem_ctx);
211 *auth_ntlmssp_state = NULL;
212 }
213
214 NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state,
215 const DATA_BLOB request, DATA_BLOB *reply)
216 {
217 return ntlmssp_update(auth_ntlmssp_state->ntlmssp_state, request, reply);
218 }