2 Unix SMB/Netbios implementation.
4 handle GENSEC authentication, server side
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett 2001-2003,2011
8 Copyright (C) Simo Sorce 2010.
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../lib/tsocket/tsocket.h"
27 #include "auth/gensec/gensec.h"
28 #include "lib/param/param.h"
30 #include "auth/kerberos/pac_utils.h"
31 #include "nsswitch/libwbclient/wbclient.h"
33 #include "librpc/crypto/gse.h"
34 #include "auth/credentials/credentials.h"
35 #include "lib/param/loadparm.h"
36 #include "librpc/gen_ndr/dcerpc.h"
38 static NTSTATUS
auth3_generate_session_info_pac(struct auth4_context
*auth_ctx
,
40 struct smb_krb5_context
*smb_krb5_context
,
42 const char *princ_name
,
43 const struct tsocket_address
*remote_address
,
44 uint32_t session_info_flags
,
45 struct auth_session_info
**session_info
)
48 struct PAC_LOGON_INFO
*logon_info
= NULL
;
49 struct netr_SamInfo3
*info3_copy
= NULL
;
60 tmp_ctx
= talloc_new(mem_ctx
);
62 return NT_STATUS_NO_MEMORY
;
67 struct wbcAuthUserParams params
= {};
68 struct wbcAuthUserInfo
*info
= NULL
;
69 struct wbcAuthErrorInfo
*err
= NULL
;
73 * Let winbind decode the PAC.
74 * This will also store the user
75 * data in the netsamlogon cache.
77 * We need to do this *before* we
78 * call get_user_from_kerberos_info()
79 * as that does a user lookup that
80 * expects info in the netsamlogon cache.
82 * See BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259
84 params
.level
= WBC_AUTH_USER_LEVEL_PAC
;
85 params
.password
.pac
.data
= pac_blob
->data
;
86 params
.password
.pac
.length
= pac_blob
->length
;
89 wbc_err
= wbcAuthenticateUserEx(¶ms
, &info
, &err
);
93 * As this is merely a cache prime
94 * WBC_ERR_WINBIND_NOT_AVAILABLE
95 * is not a fatal error, treat it
100 case WBC_ERR_WINBIND_NOT_AVAILABLE
:
101 case WBC_ERR_SUCCESS
:
103 case WBC_ERR_AUTH_ERROR
:
104 status
= NT_STATUS(err
->nt_status
);
108 status
= NT_STATUS_LOGON_FAILURE
;
112 status
= kerberos_pac_logon_info(tmp_ctx
, *pac_blob
, NULL
, NULL
,
113 NULL
, NULL
, 0, &logon_info
);
115 status
= NT_STATUS_ACCESS_DENIED
;
117 if (!NT_STATUS_IS_OK(status
)) {
122 rc
= get_remote_hostname(remote_address
,
126 status
= NT_STATUS_NO_MEMORY
;
129 if (strequal(rhost
, "UNKNOWN")) {
130 rhost
= tsocket_address_inet_addr_string(remote_address
,
133 status
= NT_STATUS_NO_MEMORY
;
138 status
= get_user_from_kerberos_info(tmp_ctx
, rhost
,
139 princ_name
, logon_info
,
140 &is_mapped
, &is_guest
,
143 if (!NT_STATUS_IS_OK(status
)) {
144 DBG_NOTICE("Failed to map kerberos principal to system user "
145 "(%s)\n", nt_errstr(status
));
146 status
= NT_STATUS_ACCESS_DENIED
;
150 /* Get the info3 from the PAC data if we have it */
152 status
= create_info3_from_pac_logon_info(tmp_ctx
,
155 if (!NT_STATUS_IS_OK(status
)) {
160 /* setup the string used by %U */
161 sub_set_smb_name(username
);
163 /* reload services so that the new %U is taken into account */
164 lp_load_with_shares(get_dyn_CONFIGFILE());
166 status
= make_session_info_krb5(mem_ctx
,
167 ntuser
, ntdomain
, username
, pw
,
168 info3_copy
, is_guest
, is_mapped
, NULL
/* No session key for now, caller will sort it out */,
170 if (!NT_STATUS_IS_OK(status
)) {
171 DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
173 status
= NT_STATUS_ACCESS_DENIED
;
177 DEBUG(5, (__location__
"OK: user: %s domain: %s client: %s\n",
178 ntuser
, ntdomain
, rhost
));
180 status
= NT_STATUS_OK
;
183 TALLOC_FREE(tmp_ctx
);
187 static struct auth4_context
*make_auth4_context_s3(TALLOC_CTX
*mem_ctx
, struct auth_context
*auth_context
)
189 struct auth4_context
*auth4_context
= talloc_zero(mem_ctx
, struct auth4_context
);
190 if (auth4_context
== NULL
) {
191 DEBUG(10, ("failed to allocate auth4_context failed\n"));
194 auth4_context
->generate_session_info_pac
= auth3_generate_session_info_pac
;
195 auth4_context
->generate_session_info
= auth3_generate_session_info
;
196 auth4_context
->get_ntlm_challenge
= auth3_get_challenge
;
197 auth4_context
->set_ntlm_challenge
= auth3_set_challenge
;
198 auth4_context
->check_ntlm_password
= auth3_check_password
;
199 auth4_context
->private_data
= talloc_steal(auth4_context
, auth_context
);
200 return auth4_context
;
203 NTSTATUS
make_auth4_context(TALLOC_CTX
*mem_ctx
, struct auth4_context
**auth4_context_out
)
205 struct auth_context
*auth_context
;
208 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
209 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
211 nt_status
= make_auth_context_subsystem(tmp_ctx
, &auth_context
);
212 if (!NT_STATUS_IS_OK(nt_status
)) {
213 TALLOC_FREE(tmp_ctx
);
217 if (auth_context
->make_auth4_context
) {
218 nt_status
= auth_context
->make_auth4_context(auth_context
, mem_ctx
, auth4_context_out
);
219 TALLOC_FREE(tmp_ctx
);
223 struct auth4_context
*auth4_context
= make_auth4_context_s3(tmp_ctx
, auth_context
);
224 if (auth4_context
== NULL
) {
225 TALLOC_FREE(tmp_ctx
);
226 return NT_STATUS_NO_MEMORY
;
228 *auth4_context_out
= talloc_steal(mem_ctx
, auth4_context
);
229 TALLOC_FREE(tmp_ctx
);
234 NTSTATUS
auth_generic_prepare(TALLOC_CTX
*mem_ctx
,
235 const struct tsocket_address
*remote_address
,
236 struct gensec_security
**gensec_security_out
)
238 struct gensec_security
*gensec_security
;
239 struct auth_context
*auth_context
;
242 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
243 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
245 nt_status
= make_auth_context_subsystem(tmp_ctx
, &auth_context
);
246 if (!NT_STATUS_IS_OK(nt_status
)) {
247 TALLOC_FREE(tmp_ctx
);
251 if (auth_context
->prepare_gensec
) {
252 nt_status
= auth_context
->prepare_gensec(auth_context
, tmp_ctx
,
254 if (!NT_STATUS_IS_OK(nt_status
)) {
255 TALLOC_FREE(tmp_ctx
);
259 const struct gensec_security_ops
**backends
= NULL
;
260 struct gensec_settings
*gensec_settings
;
261 struct loadparm_context
*lp_ctx
;
263 struct cli_credentials
*server_credentials
;
264 const char *dns_name
;
265 const char *dns_domain
;
266 struct auth4_context
*auth4_context
= make_auth4_context_s3(tmp_ctx
, auth_context
);
267 if (auth4_context
== NULL
) {
268 TALLOC_FREE(tmp_ctx
);
269 return NT_STATUS_NO_MEMORY
;
272 lp_ctx
= loadparm_init_s3(tmp_ctx
, loadparm_s3_helpers());
273 if (lp_ctx
== NULL
) {
274 DEBUG(10, ("loadparm_init_s3 failed\n"));
275 TALLOC_FREE(tmp_ctx
);
276 return NT_STATUS_INVALID_SERVER_STATE
;
279 gensec_settings
= lpcfg_gensec_settings(tmp_ctx
, lp_ctx
);
280 if (lp_ctx
== NULL
) {
281 DEBUG(10, ("lpcfg_gensec_settings failed\n"));
282 TALLOC_FREE(tmp_ctx
);
283 return NT_STATUS_NO_MEMORY
;
287 * This should be a 'netbios domain -> DNS domain'
288 * mapping, and can currently validly return NULL on
289 * poorly configured systems.
291 * This is used for the NTLMSSP server
294 dns_name
= get_mydnsfullname();
295 if (dns_name
== NULL
) {
299 dns_domain
= get_mydnsdomname(tmp_ctx
);
300 if (dns_domain
== NULL
) {
304 gensec_settings
->server_dns_name
= strlower_talloc(gensec_settings
, dns_name
);
305 if (gensec_settings
->server_dns_name
== NULL
) {
306 TALLOC_FREE(tmp_ctx
);
307 return NT_STATUS_NO_MEMORY
;
310 gensec_settings
->server_dns_domain
= strlower_talloc(gensec_settings
, dns_domain
);
311 if (gensec_settings
->server_dns_domain
== NULL
) {
312 TALLOC_FREE(tmp_ctx
);
313 return NT_STATUS_NO_MEMORY
;
316 backends
= talloc_zero_array(gensec_settings
,
317 const struct gensec_security_ops
*, 6);
318 if (backends
== NULL
) {
319 TALLOC_FREE(tmp_ctx
);
320 return NT_STATUS_NO_MEMORY
;
322 gensec_settings
->backends
= backends
;
326 /* These need to be in priority order, krb5 before NTLMSSP */
327 #if defined(HAVE_KRB5)
328 backends
[idx
++] = &gensec_gse_krb5_security_ops
;
331 backends
[idx
++] = gensec_security_by_oid(NULL
, GENSEC_OID_NTLMSSP
);
333 backends
[idx
++] = gensec_security_by_oid(NULL
, GENSEC_OID_SPNEGO
);
335 backends
[idx
++] = gensec_security_by_auth_type(NULL
, DCERPC_AUTH_TYPE_SCHANNEL
);
337 backends
[idx
++] = gensec_security_by_auth_type(NULL
, DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM
);
340 * This is anonymous for now, because we just use it
341 * to set the kerberos state at the moment
343 server_credentials
= cli_credentials_init_anon(tmp_ctx
);
344 if (!server_credentials
) {
345 DEBUG(0, ("auth_generic_prepare: Failed to init server credentials\n"));
346 return NT_STATUS_NO_MEMORY
;
349 cli_credentials_set_conf(server_credentials
, lp_ctx
);
351 if (lp_security() == SEC_ADS
|| USE_KERBEROS_KEYTAB
) {
352 cli_credentials_set_kerberos_state(server_credentials
, CRED_AUTO_USE_KERBEROS
);
354 cli_credentials_set_kerberos_state(server_credentials
, CRED_DONT_USE_KERBEROS
);
357 nt_status
= gensec_server_start(tmp_ctx
, gensec_settings
,
358 auth4_context
, &gensec_security
);
360 if (!NT_STATUS_IS_OK(nt_status
)) {
361 TALLOC_FREE(tmp_ctx
);
365 gensec_set_credentials(gensec_security
, server_credentials
);
367 talloc_unlink(tmp_ctx
, lp_ctx
);
368 talloc_unlink(tmp_ctx
, server_credentials
);
369 talloc_unlink(tmp_ctx
, gensec_settings
);
370 talloc_unlink(tmp_ctx
, auth4_context
);
373 nt_status
= gensec_set_remote_address(gensec_security
,
375 if (!NT_STATUS_IS_OK(nt_status
)) {
376 TALLOC_FREE(tmp_ctx
);
380 *gensec_security_out
= talloc_steal(mem_ctx
, gensec_security
);
381 TALLOC_FREE(tmp_ctx
);
385 NTSTATUS
auth_check_password_session_info(struct auth4_context
*auth_context
,
387 struct auth_usersupplied_info
*user_info
,
388 struct auth_session_info
**session_info
)
393 nt_status
= auth_context
->check_ntlm_password(auth_context
,
396 &server_info
, NULL
, NULL
);
398 if (NT_STATUS_IS_OK(nt_status
)) {
399 nt_status
= auth_context
->generate_session_info(auth_context
,
402 user_info
->client
.account_name
,
403 AUTH_SESSION_INFO_UNIX_TOKEN
|
404 AUTH_SESSION_INFO_DEFAULT_GROUPS
,
406 TALLOC_FREE(server_info
);